Fortinet OT Security Lab Guide For FortiOS 7.2

DO NOT REPRINT

© FORTINET

OT Security
Lab Guide
for FortiOS 7.2
Fortinet Training Institute - Library

https://training.fortinet.com

Fortinet Product Documentation

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Product Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Training Program Information

https://www.fortinet.com/nse-training

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

https://helpdesk.training.fortinet.com/support/home

11/22/2022

TABLE OF CONTENTS

Network Topology 6
Lab 1: Introduction 7
Lab 2: Device Detection 8
VM Username and Passwords 8
Exercise 1: Configuring Device Detection on FortiGate 9
Configure FortiAnalyzer Logging on Edge-FortiGate (Root) 9
Configure the Security Fabric on Edge-FortiGate (Root) 10
Configure the Security Fabric on FortiGate-1 11
Authorize the Downstream FortiGate (FortiGate-1) on the Root FortiGate (Edge-FortiGate) 12
Configure the Security Fabric on FortiGate-2 13
Authorize the Downstream FortiGate (FortiGate-2) on the Root FortiGate (Edge-FortiGate) 14
Authorize All Security Fabric FortiGate Devices on FortiAnalyzer 15
Check the Security Fabric Deployment Result 16
Lab 3: Access Control 19
Exercise 1: Configuring Local Authentication 21
Configure Local Users 21
Configure Firewall Policy Authentication 22
Test the Policy-Based Authentication 23
Exercise 2: Configuring FSSO Authentication 25
Review the FSSO Configuration on FortiGate 25
Assign FSSO Users to a Firewall Policy 26
Test the User Authentication 27
Lab 4: Segmentation 29
Exercise 1: Configuring Microsegmentation 31
Configure a Software Switch on FortiGate-1 31
Manage Traffic Between PLC-1 and PLC-2 32
Configure a Software Switch on FortiGate-2 33
Exercise 2: Configuring Internal Segmentation 35
Configure Firewall Policies to Allow Traffic Between Floors 35
Lab 5: Protection 39
Exercise 1: Configuring Industrial Signatures 40
Generate Modbus Traffic 40
Review Logs 41
Generate IEC 104 Communication Traffic 42
Review Logs 42
Exercise 2: Configuring an Application Filter Sensor 44
Create an Application Sensor 44
Generate and Monitor Traffic 46
Lab 6: Logging and Monitoring Configuration 48
Exercise 1: Preparing Devices for Logs and Alerts 51
Configure Edge-FortiGate to Send Logs to FortiAnalyzer and FortiSIEM 51
Configure FortiAnalyzer 52
Configure a Rule on FortiSIEM for Incidents 54
Generate Logs 57
Exercise 2: Examining Logs and Events on FortiAnalyzer 59
Explore Log View 59
Use Log Filters 62
Create a Custom View 63
Explore FortiView 65
Explore FortiSOC 65
View OT Security Events and Incidents 66
Exercise 3: Configuring a Rule to Monitor Performance 69
Configure a Rule to Monitor Fuel Pump Server Temperature Sensors 69
Lab 7: Risk Assessment 82
Exercise 1: Running a Default Report 83
Exercise 2: Building a Chart-Based Report on a Log Search 88
Exercise 3: Executing Default Reports on FortiSIEM 94
Exercise 4: Building Reports From Analytics on FortiSIEM 98
Create a Report on Performance for OT Devices 98
Create a Report on Traffic for Purdue Level 1 Devices 101
Create a Report on Modbus and IEC 104 service 103
Create a Report on OT Security Events From FortiAnalyzer 105
Exercise 5: Building an OT Dashboard on FortiSIEM 109
Lab 8: Use Case 1 117
Exercise 1: Configuring Devices 120
Network Topology 120
Requirements 120
Exercise 2: Testing the Configuration 122
Lab 9: Use Case 2 124
Exercise 1: Configuring Devices 127
Network Topology 127
Requirements 127
Exercise 2: Testing the Configuration 130
Network Topology

OT Security 7.2 Lab Guide 6


Fortinet Technologies Inc.
Lab 1: Introduction

There is no lab associated with this lesson.

Lab 2: Device Detection

In this lab, you will learn to configure the Fortinet Security Fabric with device detection. After you configure the
Security Fabric, you will access the physical and logical topology views.

Objectives
- Configure the Security Fabric on Edge-FortiGate (root), FortiGate-1, and FortiGate-2
- Use the Security Fabric topology views to have logical and physical views of your network topology

Time to Complete
Estimated: 30 minutes

VM Username and Passwords

VM Username Password

Linux-Client Supervisor password

Edge-FortiGate admin password

FortiGate-1 admin password

FortiGate-2 admin password

FortiAnalyzer admin password

FortiSIEM admin Fortinet1!

PLC-1 sysadmin Fortinet1!

PLC-2 sysadmin Fortinet1!

PLC-3 sysadmin Fortinet1!

Client sysadmin Fortinet1!

Exercise 1: Configuring Device Detection on FortiGate

In this exercise, you will configure the Security Fabric between Edge-FortiGate (root), FortiGate-1 (leaf), and
FortiGate-2 (leaf).

Configure FortiAnalyzer Logging on Edge-FortiGate (Root)

You will configure the root of the Security Fabric to send all logs to FortiAnalyzer. These settings are automatically
replicated to all downstream devices when they become members of the Security Fabric.

To configure Edge-FortiGate (root) to send logs to FortiAnalyzer


1. Log in to the Edge-FortiGate GUI with the username admin and password password.
2. Click Security Fabric > Fabric Connectors.
3. Select FortiAnalyzer Logging, and then click Edit.
4. In the FortiAnalyzer Settings section, configure the following settings:

Field Value

Status Enable

IP address 10.1.3.210

Upload option Real Time

5. Click OK.
6. In the verification window that appears, click Accept.

A warning appears that states FortiGate isn’t authorized on FortiAnalyzer yet. You will
configure this authorization on FortiAnalyzer in a later step.

7. Click Close.

Configure the Security Fabric on Edge-FortiGate (Root)

You will configure the root of the Security Fabric tree.

To enable the Security Fabric connection on the Edge-FortiGate interfaces


1. On the Edge-FortiGate GUI, click Network > Interfaces.
2. Click port5, and then click Edit.
3. In the Network section, enable Device detection.

4. Click OK.

To enable the Security Fabric on Edge-FortiGate


1. On the Edge-FortiGate GUI, click Security Fabric > Fabric Connectors.
2. Click Security Fabric Setup, and then click Edit.
3. In the Security Fabric role field, select Serve as Fabric Root.
4. Configure the following settings:

Field Value

Status Enable

Security Fabric role Serve as Fabric Root

Fabric name fortinet

Allow other Security Fabric devices to join Enable, and then ensure that both interfaces (port1 and
port2) are selected.

5. Click OK.

Configure the Security Fabric on FortiGate-1

You will configure a leaf of the Security Fabric tree.

To enable the Security Fabric connection on the FortiGate-1 interfaces


1. Log in to the FortiGate-1 GUI with the username admin and password password.
2. Click Network > Interfaces.
3. Click port1, and then click Edit.
4. In the Administrative Access section, select the Security Fabric Connection checkbox.
5. In the Network section, enable Device detection.
6. Click OK.

If the following warning appears, click OK:

To enable the Security Fabric on FortiGate-1 (leaf)


1. On the FortiGate-1 GUI, click Security Fabric > Fabric Connectors.
2. Click Security Fabric Setup, and then click Edit.
3. In the Security Fabric Settings section, in the Status field, select Enabled.
4. In the Security Fabric role field, confirm that Join Existing Fabric is selected.

5. In the Upstream FortiGate IP/FQDN field, make sure the IP address is 10.1.1.254.
6. In the Default admin profile field, select admin_no_access.

7. Click OK.
8. Click OK.

FortiAnalyzer logging is enabled after FortiTelemetry is enabled. FortiAnalyzer settings are retrieved from the root
Edge-FortiGate when FortiGate-1 connects to the root Edge-FortiGate.
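The GUI steps above for the root and the first leaf have a CLI equivalent, which is useful when you want to script the build or compare a device against the intended state. The following is an added example written for this guide, not configuration taken from the lab files: the FortiAnalyzer address, fabric name, and upstream address are the values used in the steps above; the exact keyword names under `config system csf` and the `fabric` keyword in `allowaccess` are assumed to match the FortiOS 7.2 CLI and should be checked against the CLI reference for your build; the downstream serial number is a placeholder.

```fortios
# ===== Edge-FortiGate (root) =====
# Send all logs to FortiAnalyzer in real time (same values as the GUI table).
# Downstream members inherit these settings when they join the fabric.
config log fortianalyzer setting
    set status enable
    set server "10.1.3.210"
    set upload-option realtime
end

# Device detection on port5, and Security Fabric connection on the two
# interfaces that the downstream FortiGates join through (port1 and port2).
config system interface
    edit "port5"
        set device-identification enable
    next
    edit "port1"
        append allowaccess fabric
    next
    edit "port2"
        append allowaccess fabric
    next
end

# Serve as Fabric root with the fabric name "fortinet".
config system csf
    set status enable
    set group-name "fortinet"
    # Authorization of a downstream device is recorded here after you click
    # Authorize in the GUI. The serial below is a placeholder, not a real value.
    config trusted-list
        edit "FortiGate-1"
            set serial "FGT-1-SERIAL-PLACEHOLDER"
            set action accept
        next
    end
end

# ===== FortiGate-1 (leaf) =====
# port1 faces the root: allow the fabric connection and enable device detection.
config system interface
    edit "port1"
        append allowaccess fabric
        set device-identification enable
    next
end

# Join the existing fabric through the root's IP address.
config system csf
    set status enable
    set upstream "10.1.1.254"
    set group-name "fortinet"
end
```

To confirm the result from the CLI rather than the topology widget, `diagnose sys csf downstream` on the root lists the authorized leaves, and `diagnose sys csf upstream` on a leaf shows whether it is connected to its root. Note that the `admin_no_access` default admin profile chosen in the GUI step is what keeps a root administrator from getting full administrative rights on the leaf through the fabric; leave it at that value unless a downstream device genuinely needs to be managed from the root.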

Authorize the Downstream FortiGate (FortiGate-1) on the Root FortiGate (Edge-FortiGate)

You will authorize FortiGate-1 on the root Edge-FortiGate to join the Security Fabric.

To authorize the downstream FortiGate-1 on the root Edge-FortiGate


1. On the Edge-FortiGate GUI, click Security Fabric > Fabric Connectors.
2. In the Topology section, click the highlighted FortiGate serial number, and then click Authorize.

3. In the Device Registration window, in the Devices field, ensure the FortiGate serial number is selected, and then
click Authorize.

If the serial number is not displayed, refresh the page, and then repeat step 2.

4. Click Close.

After authorization, FortiGate-1 appears in the Security Fabric topology section, which
means FortiGate-1 joined the Security Fabric successfully.

5. Hover over the FortiGate-1 icon to display a summary of the firewall settings, and then verify that it is correctly
registered in the Security Fabric.

Configure the Security Fabric on FortiGate-2

You will configure a leaf of the Security Fabric tree.

To enable the Security Fabric connection on the FortiGate-2 interfaces


1. Log in to the FortiGate-2 GUI with the username admin and password password.
2. Click Network > Interfaces.
3. Click port1, and then click Edit.
4. In the Administrative Access section, select the Security Fabric Connection checkbox.

5. In the Network section, enable Device detection.
6. Click OK.

If the following warning appears, click OK:

To enable the Security Fabric on FortiGate-2 (leaf)


1. On the FortiGate-2 GUI, click Security Fabric > Fabric Connectors.
2. Click Security Fabric Setup, and then click Edit.
3. In the Security Fabric Settings section, in the Status field, select Enabled.
4. In the Security Fabric role field, confirm that Join Existing Fabric is selected.
5. In the Upstream FortiGate IP/FQDN field, make sure the IP address is 10.1.2.254.
6. In the Default admin profile field, select admin_no_access.
7. Click OK.
8. Click OK.

Authorize the Downstream FortiGate (FortiGate-2) on the Root FortiGate (Edge-FortiGate)

You will authorize FortiGate-2 on the root Edge-FortiGate to join the Security Fabric.

To authorize the downstream FortiGate-2 on the root Edge-FortiGate


1. On the Edge-FortiGate GUI, click Security Fabric > Fabric Connectors.
2. In the Topology section, click the highlighted FortiGate serial number, and then click Authorize.

3. In the Device Registration window, in the Devices field, ensure the FortiGate serial number is selected, and then
click Authorize.

If the serial number is not displayed, refresh the page, and then repeat step 2.

4. Click Close.

After authorization, FortiGate-2 appears in the Security Fabric topology section, which
means FortiGate-2 joined the Security Fabric successfully.

5. Hover over the FortiGate-2 icon to display a summary of the firewall settings, and then verify that it is correctly
registered in the Security Fabric.

Authorize All Security Fabric FortiGate Devices on FortiAnalyzer

You will authorize all Security Fabric devices on FortiAnalyzer.

To authorize Edge-FortiGate, FortiGate-1, and FortiGate-2 on FortiAnalyzer


1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click Device Manager.
3. In the Device & Groups section, click Unauthorized Devices.

All three FortiGate devices appear as unauthorized devices.

4. Select the Edge-FortiGate, FortiGate-1, and FortiGate-2 checkboxes, and then click Authorize.
5. Click OK to keep the default FortiGate device names.
6. In the Authorize Device wizard, click Close.
All three devices are added to the FortiAnalyzer root ADOM.

7. Wait a few seconds until the Logs status for all FortiGate devices turns green.

Check the Security Fabric Deployment Result

You will check the Security Fabric deployment result on the root Edge-FortiGate.

To check the Security Fabric on Edge-FortiGate


1. On the Edge-FortiGate GUI, click Dashboard > Status.
The Security Fabric widget displays all FortiGate devices in the Security Fabric.

2. On the Edge-FortiGate GUI, click Security Fabric > Physical Topology.


This page shows a visualization of access layer devices in the Security Fabric.

3. On the Edge-FortiGate GUI, click Security Fabric > Logical Topology.


This dashboard displays information about the interfaces that each device in the Security Fabric connects to.

Lab 3: Access Control

In this lab, you will configure local authentication on FortiGate-1 and FortiGate-2.

This lab uses a demo environment to emulate the behavior of an active FSSO DC agent from the Linux-Client VM
using a Python script. Therefore, you will not configure a DC agent to send logon events from the Linux-Client VM.

Objectives
- Configure local authentication and apply it to policies
- Review the SSO configuration on FortiGate
- Test the transparent or automatic user identification by generating user logon events
- Monitor the SSO status and operation

Time to Complete
Estimated: 30 minutes

Prerequisites
Before you begin this lab, you must restore the initial configuration files to the FortiGate devices. The configuration
files are located on the desktop of the Linux-Client VM.

To restore the FortiGate-1 configuration file


1. Log in to the FortiGate-1 GUI at 10.1.1.1 with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Access_Control, select FortiGate-1_access_control.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.

To restore the FortiGate-2 configuration file
1. Log in to the FortiGate-2 GUI at 10.1.2.1 with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Access Control, select FortiGate-2_access_control.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.

To restore the Edge-FortiGate configuration file


1. On the Linux-Client VM, open a browser, and then log in to the Edge-FortiGate GUI at 10.1.5.254 with the
username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Access Control, select Edge-FortiGate_access_control.conf, and then
click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Configuring Local Authentication

In this exercise, you will configure local users and use them as part of policy-based authentication to allow access
to programmable logic controllers (PLCs).

Configure Local Users

You will configure local users on FortiGate-1 and FortiGate-2.

To configure local users


1. Log in to the FortiGate-1 GUI with the username admin and password password.
2. Click User & Authentication > User Definition, and then click Create New.
3. Configure the following settings:

Field Value

User Type Local User

Username supervisor

Password password

4. Click Submit.
5. Click Create New.
6. Configure the following settings:

Field Value

User Type Local User

Username PLC1admin

Password password

7. Click Submit.
8. Log in to the FortiGate-2 GUI with the username admin and password password.
9. Click User & Authentication > User Definition > Create New.
10. Configure the following settings:

Field Value

User Type Local User

Username supervisor

Password password

11. Click Submit.

Configure Firewall Policy Authentication

You will configure firewall policy authentication to allow authorized users to access the PLCs.

To configure firewall policies


1. On the FortiGate-1 GUI, click Policy & Objects > Firewall Policy.
2. Click Create New, and then configure the following settings:

Field Value

Name PLC-2_Access

Incoming Interface port1

Outgoing Interface Floor-1_Switch

Source all

supervisor (located under User)

Destination PLC-2

Service ALL

NAT disable

3. Click OK.
4. Click Create New, and then configure the following settings:

Field Value

Name PLC-1_Access

Incoming Interface port1

Outgoing Interface Floor-1_Switch

Source all

supervisor and PLC1admin (located under User)

Destination PLC-1

Service ALL

NAT disable

5. Click OK.
6. On the Linux-Client VM, close all browsers that are open.
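The two local users and the two identity-based policies above can also be entered from the FortiGate-1 CLI. This is an added example for this guide, not configuration from the lab files. It uses the user names, passwords, interfaces, and address names from the tables above; it assumes the address objects PLC-1 and PLC-2 already exist in the restored configuration (the GUI step selects them), so it does not define them.

```fortios
# Local user accounts. The GUI "Local User" type with a password maps to
# "set type password". Passwords are the lab values, not production ones.
config user local
    edit "supervisor"
        set type password
        set passwd "password"
    next
    edit "PLC1admin"
        set type password
        set passwd "password"
    next
end

# Identity-based policies. "set users" makes the policy match only sessions
# from an IP address on which one of the listed users has authenticated;
# the captive portal you see in the browser is how that authentication happens.
config firewall policy
    edit 0
        set name "PLC-2_Access"
        set srcintf "port1"
        set dstintf "Floor-1_Switch"
        set srcaddr "all"
        set dstaddr "PLC-2"
        set action accept
        set schedule "always"
        set service "ALL"
        set users "supervisor"
        set nat disable
    next
    edit 0
        set name "PLC-1_Access"
        set srcintf "port1"
        set dstintf "Floor-1_Switch"
        set srcaddr "all"
        set dstaddr "PLC-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set users "supervisor" "PLC1admin"
        set nat disable
    next
end
```

Two checks help when the test in the next section does not behave as expected: `diagnose firewall auth list` shows which user is currently bound to which source IP address, and `diagnose firewall auth clear` removes those bindings, which is the CLI equivalent of the "deauthenticate" step in the dashboard. Because the binding is per source IP address, a second person sharing the same workstation address inherits the first user's identity until it expires or is cleared; that is why the lab insists on closing the browser and deauthenticating between tests.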

Test the Policy-Based Authentication

You will test the policy-based authentication from the Linux-Client VM.

To test the policy-based authentication


1. On the Linux-Client VM, open a browser, and then access PLC-1 at http://192.168.1.1.
FortiGate sends an authentication page for user authentication.

2. Type the username PLC1admin and password password, and then click Continue.

You are redirected to the PLC-1 web page.

3. Open another browser tab, and then open the PLC-2 web page at http://192.168.1.2.

Notice that you cannot connect to the PLC-2 page. This is because the user PLC1admin is already bound to
the Linux-Client IP address, and PLC1admin is not one of the users allowed to access PLC-2.

4. Close the browser to clear the cache.


5. Log in to the FortiGate-1 GUI with the username admin and password password.
6. Click Dashboard > Users & Devices.
7. Expand Firewall Users.
8. If the PLC1admin user is still logged in, deauthenticate this user.
9. On the Linux-Client VM, close all browsers.
10. On the Linux-Client VM, open a new browser, and then access PLC-1 at http://192.168.1.1.

FortiGate sends an authentication page for user authentication.

11. Type the username supervisor and password password, and then click Continue.
You are redirected to the PLC-1 web page.

12. Open another browser tab, and then open the PLC-2 web page at http://192.168.1.2.

Notice that this time, you are not required to authenticate the user. Because the
supervisor user also has access to PLC-2, you can access PLC-2 without having to
authenticate the user.

Exercise 2: Configuring FSSO Authentication

In this exercise, you will assign FSSO users to a firewall policy and test the user authentication to access PLCs
protected by FortiGate.

This lab uses a demo environment to emulate the behavior of an active FSSO DC agent from the Linux-Client VM
using a Python script. Therefore, you will not configure a DC agent to send logon events from the Linux-Client VM.

In the real world, you must configure FortiGate to identify users by polling their logon
events using an FSSO agent, and you must install and configure a collector agent.
FSSO agents are available on the Fortinet Support website
(http://support.fortinet.com).

Once FortiGate is communicating with and polling information from the FSSO collector agent,
you must assign the polled users to a firewall user group, and then add the user group
as a source on a firewall policy.

Finally, you can verify the user logon event that FortiGate collects. This event is
generated after a user logs in to the Windows Active Directory domain. Therefore, no
firewall authentication is required.

Review the FSSO Configuration on FortiGate

You will review the FSSO configuration and FSSO user groups on Edge-FortiGate. FSSO allows FortiGate to
automatically identify the users who connect using SSO. Then, you will add FSSO user groups to the firewall
policies.

To review the FSSO server and FSSO user group configuration on FortiGate
1. Log in to the Edge-FortiGate GUI with the username admin and password password.
2. Click Security Fabric > External Connectors.
3. Select TrainingDomain, and then click Edit.
4. In the upper-right corner, review the Endpoint/Identity status, and see that the status is Disconnected.
Leave the window open.

To run a script to simulate a user logon event


1. On the Linux-Client VM, open a terminal window, and then run the following commands to simulate a user logon
event:
cd Desktop/FSSO/
python2 fssoreplay.py -l 8000 -f sample.log

Keep the terminal window open. The script will continue to run in the background.

To review the FSSO connection and FSSO user groups


1. Continuing on the TrainingDomain window, click Apply & Refresh.

The Security Fabric > External Connectors window is displayed.

2. Select TrainingDomain, and then click Edit.


3. In the Users/Groups field, click View.

You can see the TRAININGAD/Management_Users monitored group.

4. Click X to close the Collector Agent Group Filters window.


5. Click OK.
A green up arrow confirms that communication with the FSSO collector agent is up.

To assign the FSSO user to an FSSO user group


1. On the Edge-FortiGate GUI, click User & Authentication > User Groups.
2. Click Create New, and then configure the following settings:

Field Value

Name Management

Type Fortinet Single Sign-On (FSSO)

Members TRAININGAD/Management_Users

The FSSO user is automatically listed because of the selected group type—FSSO.

3. Click OK.

Assign FSSO Users to a Firewall Policy

You will assign your FSSO user group as a source on a firewall policy. This allows you to control access to
network resources based on user identity.

To add the FSSO user group to the firewall policy


1. Log in to the Edge-FortiGate GUI with the username admin and password password.
2. Click Policy & Objects > Firewall Policy.
3. Click Create New, and then configure the following settings:

Field Value

Name Floor-2_Access

Incoming Interface port5

Outgoing Interface port2

Source all

Management (located under User)

Destination all

Service ALL

NAT disable

Log Allowed Traffic All Sessions

4. Click OK.
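For comparison with the local-user policies on FortiGate-1, the FSSO group and the Floor-2_Access policy above look like this from the Edge-FortiGate CLI. This is an added example for this guide, not configuration from the lab files. It assumes the TrainingDomain FSSO connector already exists (the lab reviews it rather than creating it) and that the monitored group name is exactly the one shown in the GUI.

```fortios
# FSSO user group. "fsso-service" is the CLI name for the
# "Fortinet Single Sign-On (FSSO)" group type; the member is the
# Active Directory group reported by the collector agent.
config user group
    edit "Management"
        set group-type fsso-service
        set member "TRAININGAD/Management_Users"
    next
end

# Policy from the client side (port5) to Floor-2 (port2). "set groups"
# matches sessions whose source IP has a current FSSO logon for a member of
# the group, so no captive portal is shown. Logging all sessions gives you
# the user name in Forward Traffic logs, which is what the next test relies on.
config firewall policy
    edit 0
        set name "Floor-2_Access"
        set srcintf "port5"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Management"
        set nat disable
        set logtraffic all
    next
end
```

To see what the replayed logon events produced on FortiGate, `diagnose debug authd fsso list` prints the current FSSO user-to-IP table, and `diagnose debug authd fsso server-status` reports whether the collector agent (here, the replay script listening on port 8000) is connected. If the user list is empty, the policy will not match and the browser test in the next section will fail rather than prompt for credentials, because FSSO policies have no fallback to the captive portal.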

Test the User Authentication

You will test the user authentication from the Linux-Client VM.

To test the user authentication


1. On the Linux-Client VM, open a new browser, and then access PLC-3 at http://192.168.2.1.
You are redirected to the PLC-3 web page without an authentication prompt.

2. Log in to the Edge-FortiGate GUI with the username admin and password password.
3. Click Log & Report > Forward Traffic.
4. Select a log, and then click Details to view more information about it.

Lab 4: Segmentation

In this lab, you will configure microsegmentation with Edge-FortiGate, FortiGate-1, and FortiGate-2.

Objectives
- Configure software switches on FortiGate-1 and FortiGate-2
- Allow traffic between software switch members based on requirements

Time to Complete
Estimated: 30 minutes

Prerequisites
Before you begin this lab, you must restore the initial configuration files to the FortiGate devices. The configuration
files are located on the desktop of the Linux-Client VM.

To restore the FortiGate-1 configuration file


1. On the Linux-Client VM, open a browser, and then log in to the FortiGate-1 GUI at 10.1.1.1 with the username
admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Segmentation, select FortiGate-1_segmentation.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.

To restore the FortiGate-2 configuration file


1. On the Linux-Client VM, open a browser, and then log in to the FortiGate-2 GUI at 10.1.2.1 with the username
admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Segmentation, select FortiGate-2_segmentation.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.

To restore the Edge-FortiGate configuration file


1. On the Linux-Client VM, open a browser, and then log in to the Edge-FortiGate GUI at 10.1.5.254 with the
username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Segmentation, select Edge-FortiGate_segmentation.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Configuring Microsegmentation

In this exercise, you will configure software switches on FortiGate-1 and FortiGate-2. You will use the software
switches to control traffic between devices that belong to the same broadcast domain. You will use firewall policies
to allow traffic based on the requirements.

Configure a Software Switch on FortiGate-1

You will configure a software switch on FortiGate-1. You will add port3 and port4 as members of the switch.

To configure a software switch on FortiGate-1


1. Connect over SSH to FortiGate-1.
2. Log in with the username admin and password password.
3. Enter the following commands to create a software switch:
config system switch-interface
    edit Floor_1_Switch
        set vdom root
        set member port3 port4
        set intra-switch-policy explicit
    next
end
4. Enter the following commands to configure the switch interface:
config system interface
    edit Floor_1_Switch
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping
    next
end
5. Log in to the FortiGate-1 GUI with the username admin and password password.
6. Click Policy & Objects > Firewall Policy.
7. Click Create New, and then configure the following settings to allow Linux-Client access to PLC-1 and PLC-2:

Field Value

Name Linux_Client_To_PLC_Access

Incoming Interface port1

Outgoing Interface Floor_1_Switch

Source Linux-Client

Destination all

Service ALL

NAT disable

8. Click OK.

Manage Traffic Between PLC-1 and PLC-2

You configured a software switch, so PLC-1 and PLC-2 now belong to the same broadcast domain. Next, you will
test the connectivity between PLC-1 and PLC-2.

To test the connection


1. Connect to the Linux-Client VM.
2. On the Linux-Client VM, open PuTTY.
3. Click PLC-1 to select the saved session, and then click Open.
4. Log in with the username sysadmin and password Fortinet1!.
5. Enter the following command to start a ping:
ping 192.168.1.2 (after a few seconds, press Ctrl+C to stop the ping)

6. Minimize the PuTTY window for PLC-1.


7. On the Linux-Client VM, open PuTTY, and then open the PLC-2 saved session.
8. Log in with the username sysadmin and password Fortinet1!.
9. Enter the following command to start a ping:
ping 192.168.1.1 (after a few seconds, press Ctrl+C to stop the ping)

You will notice that even though PLC-1 and PLC-2 are in the same broadcast domain, they
cannot ping each other.

To allow access from PLC-1 to PLC-2


1. Log in to the FortiGate-1 GUI with the username admin and password password.
2. Click Policy & Objects > Firewall Policy.
3. Click Create New, and then configure the following settings to allow access from PLC-1 to PLC-2:

Field Value

Name PLC-1_To_PLC-2

Incoming Interface port3

Outgoing Interface port4

Source all

Destination all

Service ALL

NAT disable

4. Click OK.

To test the connection


1. Connect to the Linux-Client VM.
2. On the Linux-Client VM, open PuTTY.
3. Click PLC-1 to select the saved session, and then click Open.
4. Log in with the username sysadmin and password Fortinet1!.
5. Enter the following command to generate a ping:
ping 192.168.1.2 (after a few seconds, press Ctrl+C to stop the ping)

6. Minimize the PuTTY window for PLC-1.


7. On the Linux-Client VM, open PuTTY, and then open the PLC-2 saved session.
8. Log in with the username sysadmin and password Fortinet1!.
9. Enter the following command to generate a ping:
ping 192.168.1.1 (after a few seconds, press Ctrl+C to stop the ping)

Because you only have a policy that allows traffic from PLC-1 to PLC-2, the
communication is active from PLC-1 to PLC-2 only, but not the other way around.

Configure a Software Switch on FortiGate-2

You will configure a software switch on FortiGate-2. You will add port3 and port4 as members of the switch.

To configure a software switch on FortiGate-2


1. Connect over SSH to FortiGate-2.
2. Log in with the username admin and password password.
3. Enter the following commands to create a software switch:
   config system switch-interface
       edit Floor_2_Switch
           set vdom root
           set member port3 port4
           set intra-switch-policy explicit
       next
   end
4. Enter the following commands to configure the switch interface:
   config system interface
       edit Floor_2_Switch
           set ip 192.168.2.254 255.255.255.0
           set allowaccess ping
       next
   end
5. Log in to the FortiGate-2 GUI with the username admin and password password.
6. Click Policy & Objects > Firewall Policy.

7. Click Create New, and then configure the following settings to allow Linux-Client access to PLC-3 and the Client
VM:

Field Value

Name Linux_Client_Access

Incoming Interface port1

Outgoing Interface Floor_2_Switch

Source Linux-Client

Destination all

Service ALL

NAT disable

8. Click OK.

Exercise 2: Configuring Internal Segmentation

In this exercise, you will manage the traffic from one floor to another using firewall policies on Edge-FortiGate.
Floor-1 and Floor-2 are already segmented using two different subnets and two different interfaces. Any
communication between the floors must be allowed by a supervisor on Edge-FortiGate.

Configure Firewall Policies to Allow Traffic Between Floors

You will configure firewall policies to allow traffic from the Client VM to PLC-2 and from PLC-1 to PLC-3. You will
restrict the allowed traffic as much as possible, so that only essential traffic passes and the security risk stays
low.

To allow traffic from the Client VM to PLC-2


1. Log in to the FortiGate-2 GUI with the username admin and password password.
2. Click Policy & Objects > Firewall Policy.
3. Click Create New, and then configure the following settings to allow the Client VM access to PLC-2:

Field Value

Name Client_To_PLC-2

Incoming Interface Floor_2_Switch

Outgoing Interface port1

Source Client

Destination PLC-2

Service ALL

NAT disable

4. Click OK.
5. Log in to the Edge-FortiGate GUI with the username admin and password password.
6. Click Policy & Objects > Firewall Policy.
7. Click Create New, and then configure the following settings to allow the Client VM access to PLC-2:

Field Value

Name Client_To_PLC-2

Incoming Interface port2

Outgoing Interface port1

Source Client

Destination PLC-2

Service ALL

NAT disable

Log Allowed Traffic All Sessions

8. Click OK.
9. Log in to the FortiGate-1 GUI with the username admin and password password.
10. Click Policy & Objects > Firewall Policy.
11. Click Create New, and then configure the following settings to allow the Client VM access to PLC-2:

Field Value

Name Client_To_PLC-2

Incoming Interface port1

Outgoing Interface Floor_1_Switch

Source Client

Destination PLC-2

Service ALL

NAT disable

12. Click OK.

To test the connection


1. Connect to the Linux-Client VM.
2. On the Linux-Client VM, open PuTTY.
3. Click CLIENT to select the saved session, and then click Open.
4. Log in with the username sysadmin and password Fortinet1!.
5. Enter the following command to generate a ping:
ping 192.168.1.2 (after a few seconds, press Ctrl+C to stop the ping)

To allow traffic from PLC-1 to PLC-3


1. On the FortiGate-1 GUI, click Policy & Objects > Firewall Policy.
2. Click Create New, and then configure the following settings to allow PLC-1 access to PLC-3:

Field Value

Name PLC-1_To_PLC-3

Incoming Interface Floor_1_Switch

Outgoing Interface port1

Source PLC-1

Destination PLC-3

Service ALL

NAT disable

3. Click OK.
4. On the Edge-FortiGate GUI, click Policy & Objects > Firewall Policy.
5. Click Create New, and then configure the following settings to allow PLC-1 access to PLC-3:

Field Value

Name PLC-1_To_PLC-3

Incoming Interface port1

Outgoing Interface port2

Source PLC-1

Destination PLC-3

Service ALL

NAT disable

Log Allowed Traffic All Sessions

6. Click OK.
7. On the FortiGate-2 GUI, click Policy & Objects > Firewall Policy.
8. Click Create New, and then configure the following settings to allow PLC-1 access to PLC-3:

Field Value

Name PLC-1_To_PLC-3

Incoming Interface port1

Outgoing Interface Floor_2_Switch

Source PLC-1

Destination PLC-3

Service ALL

NAT disable

9. Click OK.

To test the connection


1. Connect to the Linux-Client VM.
2. On the Linux-Client VM, open PuTTY.
3. Click PLC-1 to select the saved session, and then click Open.
4. Log in with the username sysadmin and password Fortinet1!.
5. Enter the following command to generate a ping:
ping 192.168.2.1 (after a few seconds, press Ctrl+C to stop the ping)
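The policy behaviour you tested in both exercises (the explicit intra-switch policy on FortiGate-1 in Exercise 1, and the chain of policies on FortiGate-2, Edge-FortiGate and FortiGate-1 in Exercise 2) can be walked through in a few lines of Python. The following is an added example, not code from the lab guide or from Fortinet. Device, interface, address-object and policy names are taken from the lab tables; the session and implicit-deny logic is a simplified assumption about how a stateful firewall treats these flows, not FortiGate's implementation.

```python
"""Stateful policy walk-through for the segmentation exercises.

Added example, not part of the Fortinet lab guide. It models, in simplified
form (an assumption about FortiGate behaviour, not its implementation), the
checks behind both exercises: the explicit intra-switch policy on FortiGate-1
(PLC-1 <-> PLC-2) and the three-firewall chain that carries Client -> PLC-2
and PLC-1 -> PLC-3 between floors. Names follow the lab's policy tables.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str          # named source host, as in the lab's address objects
    dst: str
    src_if: str       # ingress / egress interface on this firewall
    dst_if: str
    service: str      # "ICMP" or e.g. "TCP/502" (Modbus)
    new: bool = True  # first packet of a flow (TCP SYN, ICMP echo request)


@dataclass(frozen=True)
class Policy:
    name: str
    src_if: str
    dst_if: str
    src: frozenset      # {"all"} or named hosts
    dst: frozenset
    service: frozenset  # {"ALL"} or named services

    def matches(self, p: Packet) -> bool:
        return (self.src_if == p.src_if and self.dst_if == p.dst_if
                and ("all" in self.src or p.src in self.src)
                and ("all" in self.dst or p.dst in self.dst)
                and ("ALL" in self.service or p.service in self.service))


@dataclass
class Firewall:
    name: str
    policies: list
    sessions: set = field(default_factory=set)  # (src, dst, service) of accepted flows

    def forward(self, p: Packet) -> str:
        """'policy:<name>' for a new flow, 'session' for a later packet of an
        accepted flow in either direction, otherwise 'implicit-deny'."""
        key, rkey = (p.src, p.dst, p.service), (p.dst, p.src, p.service)
        if not p.new:
            return "session" if key in self.sessions or rkey in self.sessions else "implicit-deny"
        for pol in self.policies:   # top-down, first match wins
            if pol.matches(p):
                self.sessions.add(key)
                return f"policy:{pol.name}"
        return "implicit-deny"      # no policy matched: FortiGate's implicit deny


def policy(name, src_if, dst_if, src="all", dst="all", service="ALL"):
    return Policy(name, src_if, dst_if, frozenset({src}), frozenset({dst}), frozenset({service}))


def build_lab():
    """The policies the two exercises create, keyed by device name."""
    return {
        "FortiGate-1": Firewall("FortiGate-1", [
            policy("PLC-1_To_PLC-2", "port3", "port4"),
            policy("Client_To_PLC-2", "port1", "Floor_1_Switch", "Client", "PLC-2"),
            policy("PLC-1_To_PLC-3", "Floor_1_Switch", "port1", "PLC-1", "PLC-3")]),
        "Edge-FortiGate": Firewall("Edge-FortiGate", [
            policy("Client_To_PLC-2", "port2", "port1", "Client", "PLC-2"),
            policy("PLC-1_To_PLC-3", "port1", "port2", "PLC-1", "PLC-3")]),
        "FortiGate-2": Firewall("FortiGate-2", [
            policy("Client_To_PLC-2", "Floor_2_Switch", "port1", "Client", "PLC-2"),
            policy("PLC-1_To_PLC-3", "port1", "Floor_2_Switch", "PLC-1", "PLC-3")]),
    }


def walk(lab, hops):
    """Evaluate one packet hop by hop; stop at the first device that denies it."""
    out = []
    for dev, pkt in hops:                 # hops = [(device, Packet), ...] in path order
        verdict = lab[dev].forward(pkt)
        out.append((dev, verdict))
        if verdict == "implicit-deny":
            break
    return out


def microsegmentation_demo():
    """Exercise 1: PLC-1's echo request and its reply pass; an echo request started by PLC-2 does not."""
    fg1 = build_lab()["FortiGate-1"]
    req = Packet("PLC-1", "PLC-2", "port3", "port4", "ICMP")
    rep = Packet("PLC-2", "PLC-1", "port4", "port3", "ICMP", new=False)
    back = Packet("PLC-2", "PLC-1", "port4", "port3", "ICMP")
    return fg1.forward(req), fg1.forward(rep), fg1.forward(back)


def cross_floor_demo():
    """Exercise 2: Client -> PLC-2 needs an accept on all three devices; PLC-2 -> Client is denied at hop one."""
    lab = build_lab()
    fwd = walk(lab, [
        ("FortiGate-2", Packet("Client", "PLC-2", "Floor_2_Switch", "port1", "TCP/502")),
        ("Edge-FortiGate", Packet("Client", "PLC-2", "port2", "port1", "TCP/502")),
        ("FortiGate-1", Packet("Client", "PLC-2", "port1", "Floor_1_Switch", "TCP/502"))])
    back = walk(lab, [
        ("FortiGate-1", Packet("PLC-2", "Client", "Floor_1_Switch", "port1", "TCP/502")),
        ("Edge-FortiGate", Packet("PLC-2", "Client", "port1", "port2", "TCP/502"))])
    return fwd, back
```

Calling `microsegmentation_demo()` returns `("policy:PLC-1_To_PLC-2", "session", "implicit-deny")`: the reply to PLC-1's ping rides the existing session, which is why the ping succeeds from PLC-1, while a ping started on PLC-2 has no policy behind it. `cross_floor_demo()` shows that a cross-floor flow needs a matching policy on every device on the path, and that the PLC-1_To_PLC-3 policy on FortiGate-1, although it uses the same interface pair, does not cover a flow opened by PLC-2.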

Lab 5: Protection

In this lab, you will configure Edge-FortiGate to monitor industrial protocol signatures using application filters. You
will also create an application filter to allow specific signatures to pass through.

Objectives
l Configure an application filter to monitor industrial signatures
l Generate industrial signatures on PLCs and Client VMs
l Monitor logs for industrial traffic signatures
l Use application control to allow only specific signatures

Time to Complete
Estimated: 45 minutes

Prerequisites
You must complete the previous lab before you start this one. If you haven't done so, tell your instructor.

Exercise 1: Configuring Industrial Signatures

In this exercise, you will simulate common industrial control protocols against a basic industrial control system
(ICS) honeypot. You will generate Modbus TCP traffic from the Client VM to PLC-2, which runs Conpot. You will log
the traffic on Edge-FortiGate, and then review the logs.

Generate Modbus Traffic

You will configure application control on Edge-FortiGate. You will also generate Modbus TCP traffic from the
Client VM to PLC-2.

To configure application control


1. Connect over SSH to Edge-FortiGate.
2. Log in with the username admin and password password.
3. Enter the following commands to include industrial signatures:
   config ips global
       set exclude-signature none
   end
4. Log in to the Edge-FortiGate GUI with the username admin and password password.
5. Click Policy & Objects > Firewall Policy.
6. Select the Client_To_PLC-2 policy, and then click Edit.
7. Enable Application Control, and then select the default profile.
8. Click OK.

To generate Modbus traffic


1. Connect to the Linux-Client VM.
2. On the Linux-Client VM, open PuTTY.
3. Click PLC-2 to select the saved session, and then click Open.
4. Log in with the username sysadmin and password Fortinet1!.
5. Enter the following command:
./Uploads/start-conpot.sh
6. Leave the PuTTY session open.
7. On the Linux-Client VM, open a new PuTTY window.
8. Click CLIENT to select the saved session, and then click Open.
9. Log in with the username sysadmin and password Fortinet1!.
10. Enter the following command:
./Uploads/synchronous_client_ext.py
11. Leave the PuTTY session open.

Review Logs

You will review logs being captured by Edge-FortiGate for the Modbus traffic that you generated.

To review logs
1. Log in to the Edge-FortiGate GUI with the username admin and password password.
2. Click Log & Report > Forward Traffic.
3. Review the log with the Modbus_Diagnostics signature.
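The Modbus_Diagnostics signature you see in the log is matched on the Modbus function code carried after the MBAP header. The following parser, an added example that is not code from the lab guide, Conpot or pymodbus, decodes that header and function code and labels frames the way an application-control log would. The function-code table is the public one from the Modbus application protocol specification; the category labels, the `SAMPLES` frames and the helper names are ours.

```python
"""Modbus/TCP frame inspection.

Added example, not code from the lab guide, Conpot or pymodbus. It decodes the
MBAP header and function code that an application-control signature such as
Modbus_Diagnostics must read before it can name the function in a log. The
function-code table is the public one from the Modbus specification; the
category labels and the sample frames are ours.
"""
import struct

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Encapsulated Interface Transport",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_mbap(data: bytes) -> dict:
    """Parse one Modbus/TCP ADU (MBAP header + PDU); ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", data[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(data) - 6:   # length covers unit id + PDU, nothing more
        raise ValueError(f"length field {length} != {len(data) - 6} bytes present")
    fc = data[7]
    return {"tid": tid, "unit": unit, "function": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": data[8:]}


def classify(frame: dict) -> str:
    """Coarse category, in the style of an app-control log entry."""
    fc = frame["function"]
    if frame["exception"]:
        return "Modbus_Exception"
    if fc == 8:   # diagnostics: the first two PDU bytes are the sub-function
        sub = struct.unpack(">H", frame["data"][:2])[0] if len(frame["data"]) >= 2 else None
        return f"Modbus_Diagnostics(sub={sub})"
    if fc in WRITE_FUNCTIONS:
        return "Modbus_Write"
    return "Modbus_Read" if fc in FUNCTION_NAMES else "Modbus_Unknown"


def is_well_formed(data: bytes) -> bool:
    """True when the ADU parses; a mismatched length field is the usual failure."""
    try:
        parse_mbap(data)
        return True
    except ValueError:
        return False


# Constructed sample ADUs, not captures from the lab network.
SAMPLES = {
    # tid 1, proto 0, length 6, unit 1, FC3 read 10 holding registers from 0
    "read":  bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    # tid 2, FC8 diagnostics, sub-function 0 (return query data), data 0xbeef
    "diag":  bytes.fromhex("0002 0000 0006 01 08 0000 beef"),
    # tid 3, FC6 write single register 1 with value 0x1234
    "write": bytes.fromhex("0003 0000 0006 01 06 0001 1234"),
    # tid 4, exception response to FC3 (0x83), exception code 2
    "exc":   bytes.fromhex("0004 0000 0003 01 83 02"),
}


def inspect_all(samples=SAMPLES) -> dict:
    return {name: classify(parse_mbap(adu)) for name, adu in samples.items()}


if __name__ == "__main__":
    for name, category in inspect_all().items():
        print(f"{name:5s} -> {category}")
```

The length check matters for a detection engine: a frame whose MBAP length field disagrees with the bytes actually present is either corrupt or an attempt to confuse the parser, and it is better rejected than guessed at.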

Generate IEC 104 Communication Traffic

You will start IEC 104 communication from PLC-1 to PLC-3, and then monitor the traffic.

To configure application control


1. Log in to the Edge-FortiGate GUI with the username admin and password password.
2. Click Policy & Objects > Firewall Policy.
3. Select the PLC-1_To_PLC-3 policy, and then click Edit.
4. Enable Application Control, and then select the default profile.
5. Click OK.

To generate IEC 104 traffic


1. Connect to the Linux-Client VM.
2. On the Linux-Client VM, open PuTTY.
3. Click PLC-3 to select the saved session, and then click Open.
4. Log in with the username sysadmin and password Fortinet1!.
5. Enter the following command:
cd Uploads/iecsim/
python3 demo_server.py 1000 2000
6. Leave the PuTTY session open.
7. On the Linux-Client VM, open a new PuTTY window.
8. Click PLC-1 to select the saved session, and then click Open.
9. Log in with the username sysadmin and password Fortinet1!.
10. Enter the following command:
cd Uploads/iecsim/
python3 demo_client.py 192.168.2.1 1000 1010
11. Leave the PuTTY session open.

After you run the Python command, notice the data model on PLC-3. You also
simulated a similar data model on PLC-1.

Review Logs

You will review the logs being captured by Edge-FortiGate for the IEC 104 traffic that you generated.

To review logs
1. Log in to the Edge-FortiGate GUI with the username admin and password password.
2. Click Log & Report > Security Events.
3. Review the security widgets, and then click the Application Control widget.
4. Review the logs for IEC traffic.

Press Ctrl+C to stop the scripts on the PLC-1, PLC-2, and PLC-3 PuTTY sessions
before beginning the next exercise.

Exercise 2: Configuring an Application Filter Sensor

In this exercise, you will create an application sensor to allow only specific traffic and block all other traffic from
PLC-1 to PLC-3.

Create an Application Sensor

You will create an application sensor using signatures to allow IEC 104 transfer only. You will also block the
signature for the C_BO_NA_1 command.

To create an application sensor


1. Log in to the Edge-FortiGate GUI with the username admin and password password.
2. Click Security Profiles > Application Control > Create New.
3. In the Name field, type Allow_IEC-104_Transfer.
4. Under Categories, select Block for All Categories.
5. In the Application and Filter Overrides section, click Create New.
6. In the search field, type IEC.60870.5.104 to list all matching signatures.
7. Right-click the IEC.60870.5.104_Information.Transfer.C.BO.NA.1 signature to select it.
8. Click Add selected, and then click OK to save the filter.
9. Under Application and Filter Overrides, click Create New again.
10. Change the Action field to Monitor.
11. In the search field, type IEC.60870.5.104 to list all matching signatures.
12. Press Ctrl, and then select the following signatures:
IEC.60870.5.104_Control.Functions
IEC.60870.5.104_Control.Functions.STARTDT.ACT
IEC.60870.5.104_Control.Functions.STARTDT.CON
IEC.60870.5.104_Information.Transfer
13. Right-click each of the selected signatures, and then click Add selected.
14. Click OK to save the filter.

15. Click OK.

To apply an application sensor to a policy
1. Log in to the Edge-FortiGate GUI with the username admin and password password.
2. Click Policy & Objects > Firewall Policy.
3. Select the PLC-1_To_PLC-3 policy, and then click Edit.
4. Enable Application Control, and then select the Allow_IEC-104_Transfer profile.
5. Click OK.
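To see what the Allow_IEC-104_Transfer sensor decides on the wire, the following added example (not code from the lab guide, FortiOS or the iecsim scripts) decodes IEC 60870-5-104 APDUs and applies the same rule set: the four overridden signatures are monitored, C_BO_NA_1 (type identification 51) is blocked, and everything without an override falls under the category-wide Block. The signature names are the ones the lab uses; which APDU fields each signature covers is our assumption, and the `SAMPLES` frames are constructed.

```python
"""IEC 60870-5-104 APDU classification against the Allow_IEC-104_Transfer sensor.

Added example, not code from the lab guide, FortiOS or the iecsim scripts. It
decodes the APCI control field and, for I-format frames, the ASDU type
identification, then applies the lab's sensor logic: monitor the four
overridden signatures, block C_BO_NA_1 (type 51), block everything else. The
signature names are the ones the lab uses; which frame fields each covers is
our assumption. Frame bytes are constructed.
"""
START = 0x68
U_FUNCTIONS = {0x07: "STARTDT.ACT", 0x0B: "STARTDT.CON", 0x13: "STOPDT.ACT",
               0x23: "STOPDT.CON", 0x43: "TESTFR.ACT", 0x83: "TESTFR.CON"}
TYPE_IDS = {1: "M_SP_NA_1", 13: "M_ME_NC_1", 45: "C_SC_NA_1", 46: "C_DC_NA_1",
            50: "C_SE_NC_1", 51: "C_BO_NA_1", 100: "C_IC_NA_1"}


def parse_apdu(buf: bytes) -> dict:
    """Return the APDU format (I, S or U) and the fields a signature keys on."""
    if len(buf) < 6 or buf[0] != START:
        raise ValueError("not an IEC 104 APDU")
    if buf[1] != len(buf) - 2:                    # length octet excludes start + length
        raise ValueError(f"length {buf[1]} != {len(buf) - 2}")
    c1, c2, c3, c4 = buf[2:6]
    if c1 & 0x01 == 0:                            # I-format: bit 0 of octet 1 clear
        if len(buf) < 12:                         # APCI + at least the 6-octet ASDU head
            raise ValueError("I-format APDU without ASDU")
        a = buf[6:]
        return {"format": "I", "send_seq": ((c2 << 8) | c1) >> 1,
                "recv_seq": ((c4 << 8) | c3) >> 1, "type_id": a[0],
                "type_name": TYPE_IDS.get(a[0], "unknown"),
                "num_objects": a[1] & 0x7F, "cot": a[2] & 0x3F,
                "common_addr": a[4] | (a[5] << 8)}
    if c1 & 0x03 == 0x01:                         # S-format: acknowledgement only
        return {"format": "S", "recv_seq": ((c4 << 8) | c3) >> 1}
    return {"format": "U", "function": U_FUNCTIONS.get(c1, f"unknown(0x{c1:02x})")}


def signature_name(frame: dict) -> str:
    """Map a parsed frame to the signature the lab's sensor refers to (assumed mapping)."""
    if frame["format"] == "I":
        if frame["type_id"] == 51:
            return "IEC.60870.5.104_Information.Transfer.C.BO.NA.1"
        return "IEC.60870.5.104_Information.Transfer"
    if frame["format"] == "U" and frame["function"] in ("STARTDT.ACT", "STARTDT.CON"):
        return "IEC.60870.5.104_Control.Functions." + frame["function"]
    return "IEC.60870.5.104_Control.Functions"


# The sensor: explicit overrides, then Block for every category.
OVERRIDES = {
    "IEC.60870.5.104_Information.Transfer.C.BO.NA.1": "block",
    "IEC.60870.5.104_Control.Functions": "monitor",
    "IEC.60870.5.104_Control.Functions.STARTDT.ACT": "monitor",
    "IEC.60870.5.104_Control.Functions.STARTDT.CON": "monitor",
    "IEC.60870.5.104_Information.Transfer": "monitor",
}


def evaluate(buf: bytes) -> tuple:
    """(signature, action) for one APDU, as the sensor on PLC-1_To_PLC-3 would log it."""
    sig = signature_name(parse_apdu(buf))
    return sig, OVERRIDES.get(sig, "block")


# Constructed frames: STARTDT act/con, an S-frame, one M_SP_NA_1 report and one
# C_BO_NA_1 command (type 0x33) carrying a 32-bit bitstring to IOA 1000.
SAMPLES = {
    "startdt_act": bytes.fromhex("68 04 07 00 00 00"),
    "startdt_con": bytes.fromhex("68 04 0b 00 00 00"),
    "s_frame":     bytes.fromhex("68 04 01 00 02 00"),
    "m_sp_na_1":   bytes.fromhex("68 0e 02 00 00 00 01 01 03 00 01 00 e8 03 00 01"),
    "c_bo_na_1":   bytes.fromhex("68 11 04 00 00 00 33 01 06 00 01 00 e8 03 00 00 00 00 ff"),
}

if __name__ == "__main__":
    for name, apdu in SAMPLES.items():
        print(f"{name:12s} -> {evaluate(apdu)}")
```

The demo_client.py exchange starts with STARTDT ACT/CON and then sends I-format ASDUs, so with this sensor the session setup and ordinary information transfer are logged as monitored, while a C_BO_NA_1 bitstring command is the one ASDU the policy drops.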

Generate and Monitor Traffic

You will generate IEC 104 communication, and then review the logs.

To generate traffic
1. Connect to the Linux-Client VM.
2. On the Linux-Client VM, open PuTTY.
3. Click PLC-3 to select the saved session, and then click Open.
4. Log in with the username sysadmin and password Fortinet1!.
5. Enter the following command:
cd Uploads/iecsim/
python3 demo_server.py 1000 2000
6. Leave the PuTTY session open.
7. Connect to the Linux-Client VM.
8. On the Linux-Client VM, open PuTTY.
9. Click PLC-1 to select the saved session, and then click Open.
10. Log in with the username sysadmin and password Fortinet1!.
11. Enter the following command:
cd Uploads/iecsim/
python3 demo_client.py 192.168.2.1 1000 1010
12. Leave the PuTTY session open.

To review logs
1. Log in to the Edge-FortiGate GUI with the username admin and password password.
2. Click Log & Report > Security Events, then click the Application Control widget.
3. Review the logs for IEC traffic.

Press Ctrl+C to stop the scripts on the PLC-1 and PLC-3 PuTTY sessions before
beginning the next lab.

Lab 6: Logging and Monitoring Configuration

In this lab, you will configure FortiGate to send logs to FortiAnalyzer and FortiSIEM. You will configure
FortiAnalyzer to accept logs from FortiGate, and configure a rule to monitor industrial protocols on FortiSIEM.

You will also configure FortiSIEM to monitor and send alerts for changes in the performance of industrial devices.
After you complete these exercises, you will understand how single and multiple pattern performance rules for
industrial devices work and how to create your own.

Objectives
l Configure FortiGate to send logs to both FortiAnalyzer and FortiSIEM
l Configure FortiAnalyzer to send security events to FortiSIEM
l Examine logs on FortiAnalyzer for industrial protocols and signatures
l Examine logs and alerts on FortiSIEM for industrial protocols and signatures
l Configure a performance single pattern rule on FortiSIEM to send alerts for industrial devices
l Enhance performance rules for multiple patterns to send alerts for industrial devices on FortiSIEM

Time to Complete
Estimated: 120 minutes

Prerequisites
Before you begin this lab, you must restore the initial configuration files to FortiAnalyzer and Edge-FortiGate. The
configuration files are located in the Resources folder on the desktop of the Linux-Client VM.

To restore the FortiAnalyzer configuration file


1. On the Linux-Client VM, open a browser, and then log in to the FortiAnalyzer GUI at 10.1.3.210 with the
username admin and password password.
2. Click System Settings.
3. In the System Information widget, in the System Configuration field, click the Restore icon.

4. Click Browse.
5. Click Desktop > Resources > Logging and Monitoring, and then select FortiAnalyzer_logging.dat.
You do not have to enter a password because the file is not encrypted.

6. Leave the Overwrite current IP and routing settings checkbox selected.

7. Click OK.

To restore the Edge-FortiGate configuration file
1. On the Linux-Client VM, open a browser, and then log in to the Edge-FortiGate GUI at 10.1.5.254 with the
username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Logging and Monitoring, select Edge-FortiGate_logging.conf, and then
click Open.
5. Click OK.
6. Click OK to reboot.

Follow the directions in the lab guide and do not make changes to any other devices
unless your instructor tells you to.

Exercise 1: Preparing Devices for Logs and Alerts

In this exercise, you will configure FortiGate to send logs to FortiAnalyzer and FortiSIEM. You will configure
FortiAnalyzer to accept logs from FortiGate, and configure an event handler to send events to FortiSIEM. You will
also configure a rule to monitor industrial protocols on FortiSIEM, by generating traffic from PLC simulations.

Configure Edge-FortiGate to Send Logs to FortiAnalyzer and FortiSIEM

You will configure FortiGate to send logs to both FortiAnalyzer and FortiSIEM.

To enable FortiAnalyzer logging on Edge-FortiGate


1. Log in to the Edge-FortiGate GUI with the username admin and password password.
2. On the Edge-FortiGate GUI, click Security Fabric > Fabric Connectors.
3. Click FortiAnalyzer logging, and then click Edit.
4. In the FortiAnalyzer Settings section, in the Status field, select Enabled.
5. Configure the following settings:

Field Value

IP address 10.1.3.210

Upload option Real Time

6. Click OK.
7. Click Accept.
8. Click Close.

A warning appears that states FortiGate isn’t yet authorized on FortiAnalyzer. You will
configure this authorization on FortiAnalyzer in a later step.

To enable syslog on Edge-FortiGate for FortiSIEM


1. On the Edge-FortiGate GUI, click Log & Report > Log Settings.
2. In the Remote Logging and Archiving section, enable Send logs to syslog.
3. In the IP Address/FQDN field, type 10.1.3.180.

4. Click Apply.
5. Click OK to dismiss the warning message.

6. Click Close.

Configure FortiAnalyzer

You will configure FortiAnalyzer to accept logs from FortiGate. You will also configure an event handler to send
events to FortiSIEM.

To accept a device registration request


1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click Device Manager.
3. In the Device & Groups section, click Unauthorized Devices.
4. Select the Edge-FortiGate checkbox, and then click Authorize.
5. Click OK, and then click Close.

To configure an event handler


1. Continuing on the FortiAnalyzer GUI, in the drop-down list on the left, click FortiSOC.
2. Click Handlers > Event Handler List.
3. Click Create New, and then in the Name field, type OT_Security_Events.
4. In the Log Type field, select Application Control (app-ctrl), and then in the Confirm Reset window, click OK.

5. In the Logs match field, select All, and then configure the following settings:

Field Value

Log Field Application Category (appcat)

Value Industrial

Generate Alert When 1, Exact, 1

Event Message Industrial_Application_Activity_Detected

Event Status Unhandled

Event Severity High

6. In the Notification section, select the Send Alert to Syslog Server checkbox, and then click + to configure the
syslog server settings.

7. In the Create New Syslog Server Settings window, configure the following settings:

Field Value

Name FortiSIEM

IP address (or FQDN) 10.1.3.180

Syslog Server Port 514

8. Click OK, and then in the drop-down list, select FortiSIEM as the syslog server.
9. Click OK to finish the event handler configuration.

Configure a Rule on FortiSIEM for Incidents

You will configure a rule on FortiSIEM to monitor industrial protocols and trigger an incident if a match is found.

To configure a rule to monitor industrial protocols


1. Log in to the FortiSIEM GUI with the username admin and password Fortinet1!.
2. Click Accept to dismiss the warning message.
3. Click the RESOURCES tab, and then expand the Protocols section on the left.
4. Click OT Ports.
Review the entries, including the Modbus and IEC.60870.5.104 ports.

5. Click Rules > Security > Operation Technology, and then click New.
6. In the Add New Rule window, under Step 1: General, in the Rule Name field, type Monitor Industrial
Protocols.
7. Select Step 2: Define Condition, and then leave the default time interval set to 300 seconds (5 minutes).
8. In the Subpattern field, click the pencil icon, type the name industrial_protocol_monitor, and then create
the following Filters:

Field Value

Attribute Destination TCP/UDP Port

Operator IN

Value Select CMDB > Protocols > OT Ports, add the OT Ports
group to Selections, and then click OK.

Next OR

Row +

Attribute Source TCP/UDP Port

Operator IN

Value Select CMDB > Protocols > OT Ports, add the OT Ports
group to Selections, and then click OK.

9. In the Aggregate section, use the Expression Builder in the Attribute field.
10. In the Function field, select COUNT, and then click +.
11. In the Event Attribute field, select Matched Events, click +, and then click Validate.
An Expression is valid message appears.

12. Close the window, and then click OK.


13. In the Operator field, select >=, and then type a value of 1.
14. In the Group By section, add the Source TCP/UDP Port, Destination TCP/UDP Port, Event Type, and
Reporting IP attributes, and then click Save.

15. Click Step 3: Define Action, set the Severity to 10 - HIGH, the Category to Security, and the Subcategory to
Lateral Movement.

16. In the Action section, click the pencil icon, in the Incident Title field, type Operational Technology, complete
the Incident Attributes and Triggered Attributes fields as shown in the following image, and then click Save.

17. Click Save to save the rule.


18. Select the Active checkbox to enable the rule, and then in the Activation window, click Continue.
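The two rules you built in this exercise, the FortiAnalyzer OT_Security_Events handler and the FortiSIEM Monitor Industrial Protocols rule, can be reproduced over raw FortiGate syslog to check what each one will and will not fire on. The following is an added example, not code from the lab guide, FortiAnalyzer or FortiSIEM. Field names follow the FortiOS key=value log syntax; the `SAMPLE_LOGS` lines, the `OT_PORTS` membership, the reporting IP and the device id are constructed assumptions.

```python
"""Correlation of FortiGate application-control syslog for OT traffic.

Added example, not code from the lab guide, FortiAnalyzer or FortiSIEM. It
reproduces, over constructed log lines, the two rules this exercise builds:
the FortiAnalyzer event handler (Application Control logs whose appcat is
Industrial) and the FortiSIEM rule (events whose source or destination port is
in the OT Ports group, counted per source port, destination port, event type
and reporting IP inside a 300-second window, incident at count >= 1). Field
names follow the FortiOS key=value log syntax; the OT port set, the reporting
IP and the device id are assumptions.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
OT_PORTS = {502, 2404, 102, 20000, 44818}   # assumed content of the OT Ports group
WINDOW = 300                                # the rule's default interval, in seconds
REPORTING_IP = "10.1.5.254"                 # assumed: Edge-FortiGate as the syslog source


def parse_fortigate_log(line: str, reporting_ip: str = REPORTING_IP) -> dict:
    """FortiOS key=value line -> dict; quotes stripped, numeric values as int."""
    log = {"reporting_ip": reporting_ip}
    for key, raw in KV_RE.findall(line):
        val = raw.strip('"')
        log[key] = int(val) if val.isdigit() else val
    return log


def fortianalyzer_handler(log: dict):
    """OT_Security_Events handler: alert on app-ctrl logs with appcat Industrial."""
    if log.get("subtype") == "app-ctrl" and log.get("appcat") == "Industrial":
        return {"event": "Industrial_Application_Activity_Detected",
                "severity": "High", "status": "Unhandled",
                "device": log.get("devname"), "app": log.get("app")}
    return None


def fortisiem_rule(logs, window=WINDOW, threshold=1):
    """Monitor Industrial Protocols: subpattern dstport IN OT_PORTS OR srcport IN
    OT_PORTS; COUNT(matched events) >= threshold per group within the window."""
    groups = defaultdict(list)
    for log in logs:
        if log.get("dstport") in OT_PORTS or log.get("srcport") in OT_PORTS:
            key = (log.get("srcport"), log.get("dstport"),
                   log.get("eventtype"), log["reporting_ip"])
            groups[key].append(log["eventtime"])
    incidents = []
    for (sport, dport, etype, rip), times in groups.items():
        times.sort()
        i = 0
        while i < len(times):                  # slide a window over the timeline
            j = i
            while j < len(times) and times[j] - times[i] < window:
                j += 1
            if j - i >= threshold:
                incidents.append({"title": "Operational Technology", "severity": "10 - HIGH",
                                  "srcport": sport, "dstport": dport, "eventtype": etype,
                                  "reporting_ip": rip, "count": j - i})
            i = j
    return incidents


# Constructed lines in FortiOS syslog shape (eventtime in seconds here; FortiOS
# 7.x sends nanoseconds). Lab addresses for PLC-1, PLC-2 and PLC-3; the Client
# address, the device id and the 203.0.113.10 web host are placeholders.
SAMPLE_LOGS = [
    'date=2022-11-22 time=10:15:01 eventtime=1669112101 devname="Edge-FortiGate" devid="FG-LAB-EDGE" '
    'type="utm" subtype="app-ctrl" eventtype="signature" srcip=192.168.2.2 dstip=192.168.1.2 '
    'srcport=51422 dstport=502 proto=6 app="Modbus_Diagnostics" appcat="Industrial" action="pass"',
    'date=2022-11-22 time=10:15:11 eventtime=1669112111 devname="Edge-FortiGate" devid="FG-LAB-EDGE" '
    'type="utm" subtype="app-ctrl" eventtype="signature" srcip=192.168.2.2 dstip=192.168.1.2 '
    'srcport=51422 dstport=502 proto=6 app="Modbus_Diagnostics" appcat="Industrial" action="pass"',
    'date=2022-11-22 time=10:15:50 eventtime=1669112150 devname="Edge-FortiGate" devid="FG-LAB-EDGE" '
    'type="utm" subtype="app-ctrl" eventtype="signature" srcip=192.168.1.1 dstip=192.168.2.1 '
    'srcport=40112 dstport=2404 proto=6 app="IEC.60870.5.104_Information.Transfer" '
    'appcat="Industrial" action="pass"',
    'date=2022-11-22 time=10:16:02 eventtime=1669112162 devname="Edge-FortiGate" devid="FG-LAB-EDGE" '
    'type="traffic" subtype="forward" srcip=192.168.2.2 dstip=203.0.113.10 '
    'srcport=53311 dstport=443 proto=6 action="accept"',
]


def run(lines=SAMPLE_LOGS):
    """(FortiAnalyzer events, FortiSIEM incidents) for a batch of log lines."""
    logs = [parse_fortigate_log(line) for line in lines]
    events = [e for e in map(fortianalyzer_handler, logs) if e]
    return events, fortisiem_rule(logs)


if __name__ == "__main__":
    for item in run():
        print(item)
```

Two things the sample makes visible: the two Modbus logs share one source port because the pymodbus-style client keeps a single TCP connection, so the FortiSIEM rule folds them into one incident with a count of 2, and the plain traffic log on port 443 is ignored by both rules, since it is neither an Industrial app-ctrl event nor on an OT port.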

Generate Logs

You will generate Modbus and IEC 104 communication.

To generate Modbus traffic


1. Connect to the Linux-Client VM.
2. On the Linux-Client VM, open PuTTY.
3. Click PLC-2 to select the saved session, and then click Open.

4. Log in with the username sysadmin and password Fortinet1!.
5. Enter the following command:
./Uploads/start-conpot.sh
6. Leave the PuTTY session open.

The output may report a failure to allocate a new port. This is a leftover from the previous lab and should
not impact the results when you continue and generate Modbus traffic.

7. On the Linux-Client VM, open a new PuTTY window.


8. Click CLIENT to select the saved session, and then click Open.
9. Log in with the username sysadmin and password Fortinet1!.
10. Enter the following command:
./Uploads/synchronous_client_ext.py
11. Leave the PuTTY session open.

To generate IEC 104 traffic


1. On the Linux-Client VM, open a new PuTTY window.
2. Click PLC-3 to select the saved session, and then click Open.
3. Log in with the username sysadmin and password Fortinet1!.
4. Enter the following command:
cd Uploads/iecsim/
python3 demo_server.py 1000 2000
5. Leave the PuTTY session open.
6. On the Linux-Client VM, open a new PuTTY window.
7. Click PLC-1 to select the saved session, and then click Open.
8. Log in with the username sysadmin and password Fortinet1!.
9. Enter the following command:
cd Uploads/iecsim/
python3 demo_client.py 192.168.2.1 1000 2000
10. Leave the PuTTY session open.

Notice the data model on PLC-3 after running the Python command. You also
simulated a similar data model on PLC-1.

Exercise 2: Examining Logs and Events on FortiAnalyzer

There are many ways to view logs and events on FortiAnalyzer. In this exercise, you will explore the following
different views and log management features:
l Log View
l FortiView
l FortiSOC

Because of simulated traffic limitations in this lab, not all views will be populated.

Explore Log View

Log View allows you to view traffic logs (also referred to as firewall policy logs), event logs, and security logs for
each device or for each log group (a feature this lab does not use).

When ADOMs are enabled, Log View displays information for each ADOM.

Log View displays log messages from analytics logs and archive logs.
l Historical logs and real-time logs in Log View are from analytics logs.
l Log Browse can display logs from both the current, active log file and any of the compressed log files.
You will examine traffic logs and security logs related to industrial protocols and signatures only.

To view logs in Log View
1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click Log View.
3. In the menu on the left, click FortiGate > Traffic.
4. Explore the different ways of viewing logs, such as real time, historical, and raw.
l On the right side of the GUI, click Tools > Real-time Log.

You should see traffic logs in real time and in the formatted view.

Note that you can click Pause to stop the traffic if you want to look at one or more logs without losing them
among all the real-time logs constantly dropping in. Click Resume to resume.

Real-time logs are temporarily considered compressed, but are indexed as soon as
FortiAnalyzer has available CPU and memory.

l Click Tools > Historical Log.


You should see formatted, historical logs according to the filters that are set. For example, All FortiGate
and Last 1 hour. Double-click a log to see more details.

The indexing process may take a few minutes to show all historical logs.

You can view details about historical logs, because they have been indexed in the SQL
database.

l Click Tools > Display Raw.


You should see the raw logs (not formatted).

While logs are compressed, they are considered offline, and you cannot view details
about the logs in Log View (or FortiView). Also, you cannot customize the columns.

5. Click Tools > Formatted Log to return the view to formatted logs.
6. In the menu on the left, click Security to examine the security logs.
Security logs from FortiAnalyzer include antivirus, web filtering, application control, intrusion prevention, email
filtering, data leak prevention, SSL/SSH scan, and VoIP. The logs displayed on FortiAnalyzer are dependent
on the device type logging to it, the traffic, and the features that are enabled. In this lab, only web filter,
application control, and intrusion prevention logs are triggered.

You can also view security logs in real-time or historical views, and in raw or formatted
formats.

l Click Security > Application Control.


You should see all logs that match application control traffic. Double-click a log for more details.

Use Log Filters


You can use log filters to narrow down search results and locate specific logs.

Tips:
l If you are not sure what the correctly formed column name is, add the column name that you want to search for in the
Column Settings drop-down list.
l Ensure your time filter covers the logs that you are searching for.
l Ensure the device is set accordingly for the logs you want to return.
l Verify whether case-sensitive search is enabled or disabled (Tools).

l Ensure you are searching on the appropriate log type for the logs you want to return (for example, traffic, web filter,
application control, IPS, and so on).
l Ensure you are not in the raw log view, because you cannot filter on raw logs (only historical and real-time).
l Ensure you are not filtering on real-time logs if you want to search on historical logs.

To use log filters


1. Continuing on the FortiAnalyzer GUI, click Log View.
2. Locate the following logs:
l Application control logs on all FortiGate devices over the past hour with a specific application category (for
example, Industrial)

Ensure your time filter is set correctly (includes the time you have been generating
traffic).

Create a Custom View


You will create a custom view for industrial protocols and application categories.

To create a custom view


1. Continuing on the FortiAnalyzer GUI, click Log View > Security > Application Control.

Ensure your time filter is set correctly (includes the time you have been generating
traffic).

Set your time filters appropriately, and if required, increase the time range from 1 to 4
hours.

2. Click Add Filter, type Application, in the drop-down list, select Application Category, and then select
"Industrial".

3. Click Add Filter again, type Destination, in the drop-down list, select Destination Port, and then type "2404".
4. To the right of the filters, click the custom view icon.

5. In the Name field, type Industrial Applications and Protocols.


6. Click OK.

7. In the Custom View section, you can review the Industrial Applications and Protocols custom view.

Explore FortiView

You can view summaries of log data in FortiView in both tabular and graphical formats. For example, you can view
top applications and websites, top threats to your network, top sources of network traffic, and top destinations of
network traffic. For each summary view, you can drill down into details.

To view logs in FortiView


1. Click Log View > FortiView.
2. Examine (and experiment with) the following views and feel free to add notes:

Set your time filters appropriately!

Category                  View               Notes
Applications & Websites   Top Applications   Displays information about the top applications being used on the network, including the application name, category, and risk level.

Explore FortiSOC

FortiSOC provides event and incident management capabilities. You will review the OT security events that the
event handler created, and you will also create an incident for the OT security event.

View OT Security Events and Incidents
You will view the OT security event that the event handler you configured in the first exercise created, and then
you will create an incident for the event.

To view events and create an incident


1. Click FortiView > FortiSOC.
2. Click Dashboards > Events to verify two OT_Security_Events.

3. Click Event Monitor > All Events, and then expand the Industrial event.
You should see at least two grouped events for the industrial category—one for the Modbus application and
one for IEC 104.

4. Double-click one of the events to view logs for the event, and then double-click the log again to view log details.


5. Click the back arrow icon to go back to All Events, select one of the events, right-click the event, and then click
Create New Incident to manually create an incident for the selected event.
6. In the Raise Incident window, configure the following settings:

Field               Value
Incident Category   Unauthorized Access
Severity            High
Status              New
Description         Investigate: Industrial_Application_Activity_Detected
Assigned To         admin

7. Click OK to create the incident.

A window appears to confirm that the incident was created, and then disappears by itself.

8. Click Incidents to view the incident table and verify the incident.
You should see an incident listed in the table.


9. Click Dashboards > Incidents to view the count and status of incidents on the Incidents dashboard.

Exercise 3: Configuring a Rule to Monitor Performance

In this exercise, you will build a single pattern performance rule to monitor the temperature of some fuel pump
sensors, and trigger alerts if the average temperature over a 5-minute time period goes above or below a set
threshold (80 degrees Fahrenheit).

FortiSIEM collects temperature events every 60 seconds; they appear as follows:

Event Type: PH_DEV_MON_HW_TEMP

Raw Event Sample: [PH_DEV_MON_HW_TEMP]:[eventSeverity]=PHL_INFO,[fileName]=deviceCustom.cpp,[lineNumber]=2227,[hostName]=Fuel Server1,[hostIpAddr]=10.6.0.1,[hwComponentName]=CorePump,[envTempDegF]=47,[phLogDetail]=

Configure a Rule to Monitor Fuel Pump Server Temperature Sensors

You will configure a rule to monitor fuel pump temperature sensors. You will also generate logs to trigger an
incident according to your rule.

To configure filters
1. Log in to the FortiSIEM GUI, click the ANALYTICS tab, and then clear the display filters.
2. Click the change field display icon beside the Run icon, and then click Clear All to clear any existing fields.
3. Click Apply, and then click Use Default.
4. In the Edit Filters and Time Range field, click the field, and when the Filter editor opens, click Clear All to clear
any existing conditions, and then add the following condition:

Field       Value
Filter      Event Attribute
Attribute   Host IP
Operator    IN
Value       10.6.0.1,10.6.0.2,10.6.0.3
NEXT        AND

5. In the Row column associated with the condition, click + to add another row.
6. In the second condition row, configure the following settings:

Field       Value
Attribute   Event Type
Operator    =
Value       PH_DEV_MON_HW_TEMP

7. In the Time Range section, select Real Time.


8. Click Apply & Run.

To add and generate logs for fuel servers


1. On Linux-Client, open PuTTY, create a new SSH session to the FortiSIEM device using the Host Name
10.1.3.180 and Port 22, and then click Open.

2. Log in with the username root and password Fortinet1!.
3. Enter the following commands, and then when prompted, enter 1 for Option 1:
cd /root/labs/lab6/6_4
./runLab6_4.sh

This script adds three generic Linux devices to FortiSIEM and replays some temperature events.

On the CMDB tab, you can view the devices that were added: Fuel Server 1 – 10.6.0.1, Fuel Server 2 –
10.6.0.2, and Fuel Server 3 – 10.6.0.3.

To view logs
1. On the FortiSIEM GUI, you should see results from the Real Time search—review the raw event logs to see their
content.

The script may take a couple of minutes to process and display the logs. If you cannot
see logs on the FortiSIEM GUI, run the script again.

2. Edit the Group By and Display Fields section to match the following image, and then click Apply:

Use the Expression Builder to create the AVG(Temperature Fahrenheit) field for
the Group By and Display fields.

3. Perform the search again using a Relative time period of 10 minutes.


The results should be similar to the following example. Notice that for the same Host IP, Host Name, and
Hardware Component Name, the average temperature in Fahrenheit is now reported.


To configure a rule
1. On the FortiSIEM GUI, click the ADMIN tab, click Settings, and then in the Analytics section, click Subcategory.

2. In the left pane, under Category, select Performance, and then in the Subcategory section, click Add.

3. In the new empty entry box, type Temperature Sensors, click the check mark icon, and then click Save All.


If an empty entry is created above, click X to delete it.

4. Click the RESOURCES tab, and in the left pane, open the Rules tree, and then click Performance.

5. Click + at the top of the tree to create a new folder, in the Group field, type Fuel Pump, and then click Save.
6. Select the new Fuel Pump subgroup, and then click New to create a new rule.


7. Under Step 1: General, in the Rule Name field, type Fuel Pump Temperature Alert, and then if you want,
type a description.

8. Click Step 2: Define Condition, and then leave the default time interval at 300 seconds (5 minutes).


9. Click the pencil icon, and then in the Subpattern field, create the following Filters:

Field       Value
Attribute   Host IP
Operator    IN
Value       10.6.0.1,10.6.0.2,10.6.0.3
NEXT        AND

10. In the Row column associated with the condition, click + to add another row.
11. In the second condition row, configure the following settings:

Field       Value
Attribute   Event Type
Operator    =
Value       PH_DEV_MON_HW_TEMP

12. For the Aggregate condition, use the Expression Builder in the Attribute section.
13. In the Function drop-down list, select AVG, and then click +.
14. In the Event Attribute field, type Temperature, select Temperature Fahrenheit, click +, and then click
Validate.
An Expression is valid message appears.


15. Close the message, and then click OK.


16. In the Operator field, select >=, and then type a value of 80 to complete the first row.
17. Add a second row to the Aggregate condition.
18. Use the Expression Builder with the following settings:

Field       Value
Attribute   COUNT(Matched Events)
Operator    >=
Value       2

19. In the Group By section, add the Host IP, Host Name, and Hardware Component Name attributes, and then
click Save.


20. Click Step 3: Define Action, set Severity to 10-HIGH, Category to Performance, and Subcategory to
Temperature Sensors.

21. In the Action: Undefined section, click the pencil icon, complete the Incident and Triggered Attributes as
shown in the following image, and then click Save:


22. Click Save to save the rule.


23. Click the Active checkbox to enable the rule, and then in the activation window, click Continue.
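The rule you just configured, replayed in code over constructed PH_DEV_MON_HW_TEMP events (an added example, not FortiSIEM's own rule engine): it parses the raw event layout shown at the start of this exercise, keeps only events from the three fuel servers inside the 300-second window, groups them by Host IP, Host Name, and Hardware Component Name, and raises an incident where AVG(Temperature Fahrenheit) >= 80 and COUNT(Matched Events) >= 2. The readings, timestamps, and the make_event/evaluate_rule helpers are constructed for this example.

```python
"""Replay of the Fuel Pump Temperature Alert rule over constructed events.

Added example, not FortiSIEM code. Event strings follow the raw event layout
shown at the start of this exercise; readings and timestamps are constructed.
"""
import re
from collections import defaultdict
from statistics import mean

# Rule parameters, as configured in Step 2: Define Condition.
EVENT_TYPE = "PH_DEV_MON_HW_TEMP"
MONITORED_HOSTS = {"10.6.0.1", "10.6.0.2", "10.6.0.3"}  # Host IP IN ...
WINDOW_SECONDS = 300                                      # default time interval
TEMP_THRESHOLD_F = 80.0                                   # AVG(Temperature Fahrenheit) >= 80
MIN_MATCHED_EVENTS = 2                                    # COUNT(Matched Events) >= 2

# One "[key]=value" pair; a value runs up to the next comma (it may contain spaces).
KV_RE = re.compile(r"\[(\w+)\]=([^,]*)")


def parse_event(raw):
    """Parse '[EVENT_TYPE]:[k]=v,[k]=v,...' into a dict; return None if malformed."""
    head, sep, body = raw.partition(":")
    if not sep or not (head.startswith("[") and head.endswith("]")):
        return None
    event = {"eventType": head[1:-1]}
    event.update(KV_RE.findall(body))
    return event


def make_event(host_name, host_ip, component, temp_f):
    """Build a raw event string in the documented PH_DEV_MON_HW_TEMP layout (constructed)."""
    return (f"[{EVENT_TYPE}]:[eventSeverity]=PHL_INFO,[fileName]=deviceCustom.cpp,"
            f"[lineNumber]=2227,[hostName]={host_name},[hostIpAddr]={host_ip},"
            f"[hwComponentName]={component},[envTempDegF]={temp_f},[phLogDetail]=")


def evaluate_rule(events, window_end):
    """Apply the rule to (timestamp, raw_event) pairs for the window ending at window_end.

    Returns one incident per (Host IP, Host Name, Hardware Component Name) group
    whose in-window events satisfy both aggregate conditions.
    """
    window_start = window_end - WINDOW_SECONDS
    readings = defaultdict(list)
    for ts, raw in events:
        if not (window_start <= ts <= window_end):
            continue                      # outside the 5-minute evaluation window
        ev = parse_event(raw)
        if ev is None or ev.get("eventType") != EVENT_TYPE:
            continue                      # subpattern: Event Type = PH_DEV_MON_HW_TEMP
        if ev.get("hostIpAddr") not in MONITORED_HOSTS:
            continue                      # subpattern: Host IP IN (10.6.0.1, .2, .3)
        try:
            temp = float(ev["envTempDegF"])
        except (KeyError, ValueError):
            continue                      # no usable temperature attribute
        key = (ev["hostIpAddr"], ev.get("hostName", ""), ev.get("hwComponentName", ""))
        readings[key].append(temp)

    incidents = []
    for (ip, name, component), temps in sorted(readings.items()):
        avg = mean(temps)
        if avg >= TEMP_THRESHOLD_F and len(temps) >= MIN_MATCHED_EVENTS:
            incidents.append({"hostIpAddr": ip, "hostName": name,
                              "hwComponentName": component,
                              "avgTempF": round(avg, 1), "count": len(temps)})
    return incidents


# Constructed replay: one reading per minute per server, window_end = 600 s.
SAMPLE_EVENTS = [
    # Fuel Server 1 stays cool; the 200 F reading at t=120 is outside the window.
    (120, make_event("Fuel Server1", "10.6.0.1", "CorePump", 200)),
    *[(t, make_event("Fuel Server1", "10.6.0.1", "CorePump", f))
      for t, f in zip(range(300, 600, 60), (47, 48, 46, 47, 47))],
    # Fuel Server 2 heats up: average 84.8 F over five readings -> incident.
    *[(t, make_event("Fuel Server2", "10.6.0.2", "CorePump", f))
      for t, f in zip(range(300, 600, 60), (78, 82, 85, 88, 91))],
    # Fuel Server 3: one hot reading only, so COUNT(Matched Events) < 2 -> no incident.
    (540, make_event("Fuel Server3", "10.6.0.3", "CorePump", 95)),
    # Not a monitored host, and a malformed line: both ignored.
    (540, make_event("Other Host", "10.6.0.9", "CorePump", 99)),
    (540, "garbage line with no event type"),
]


def run_sample():
    """Evaluate the rule over SAMPLE_EVENTS; expected: one incident, for 10.6.0.2."""
    return evaluate_rule(SAMPLE_EVENTS, window_end=600)


if __name__ == "__main__":
    for incident in run_sample():
        print(incident)
```

As in the lab, only Fuel Server 2 produces an incident; the single hot reading from Fuel Server 3 is suppressed by the COUNT(Matched Events) >= 2 condition.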

To generate logs to test the rule


1. On the FortiSIEM CLI, enter 2 for Option 2 to replay new events.

79 OT Security 7.2 Lab Guide


Fortinet Technologies Inc.
DO Exercise
NOT3: Configuring
REPRINT
Performance
a Rule to Monitor Configure a Rule to Monitor Fuel Pump Server Temperature
Sensors

© FORTINET

If the Lab 6.4 tool is not open, launch it again.

2. Wait for the Simulation - All Done! message (in approximately 3 minutes), and then enter 3 to Quit the script.

To view the incident triggered by the rule


1. On the FortiSIEM GUI, select the INCIDENTS tab to see if your new rule triggered an incident.

2. Select List by Incident to view the Events that triggered the incident.


Review the incident (there should be an incident for Fuel Server 2 only) and notice the
incident Target and Details, and then click the Events tab to view the individual events
that triggered the rule.

Lab 7: Risk Assessment

In this lab, you will generate a default report, build a chart based on a log search, and perform some diagnostic
checks on FortiAnalyzer. You will also create reports and dashboards for operational technology (OT) security on
FortiSIEM.

Objectives
• Generate a default report on FortiAnalyzer
• Run report diagnostics on FortiAnalyzer
• Build a chart-based report on a log search on FortiAnalyzer
• Execute default reports on FortiSIEM
• Create reports on FortiSIEM from analytics
• Create an OT dashboard on FortiSIEM

Time to Complete
Estimated: 75 minutes

Prerequisites
Before you begin this lab, you must complete the previous lab. If you haven't done so, tell your instructor.

Follow the directions in the lab guide and do not make changes to any other devices
unless the course instructor tells you to.

Exercise 1: Running a Default Report

In this exercise, you will run one of the default reports on demand. This will allow you to see the report
immediately. You will also run diagnostics for this report.

Because of simulated traffic limitations in this lab, not all report fields are populated.

To generate a default report


1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click Reports.
3. Click Report Definitions > All Reports.
This page provides all available default reports.

4. Double-click the Application Risk and Control report.


5. Click the Settings tab, and then in the Time Period field, select Today.


Ensure your time filter is set correctly (includes the time you have been generating
traffic).

6. Click Apply.
7. Click the Generated Reports tab, and then click Run Report to run the report on demand.

8. When the report is ready, view the report in HTML format.


9. Scroll down, click Application Risk Definition, and then review the Risk Rating for applications.

10. Scroll down, and then click Key Applications Crossing The Network.


The report shows key industrial applications going through your network.

11. Click Application Categories.

You can view the latest available applications in the industrial category by clicking the
http://fortiguard.com/appcontrol link.

12. Scroll down, click Files/File Types Transferred by Applications, and then review the contents of the File Name
column to see the industrial application data.


To run diagnostics on a report


1. Return to the FortiAnalyzer GUI, right-click the report you just ran, and then select Retrieve Diagnostic.
2. Save the file to your downloads folder.
3. Open the rpt_status.log file in Notepad++.
4. Scroll down to the Report Summary section, and then record the following information:

• HCACHE building time
• Rendering time
• Total time

For example:

5. Return to the FortiAnalyzer GUI, and then click All Reports.


6. Double-click the Application Risk and Control report.
7. Click the Settings tab, and then select the Enable Auto-cache checkbox.


FortiAnalyzer updates the HCACHE when new logs come in and new log tables generate. If you do not
enable auto-cache, the report generates the HCACHE for the current log tables only. Remember, you are
currently generating traffic in your lab.

8. Click Apply.
9. Run the report again, and then run diagnostics again.
What is the output this time?

• HCACHE building time
• Rendering time
• Total time

For example:

Although your lab environment does not have a large number of logs, you can still see that by enabling auto-
cache, the report builds faster. This is more noticeable if you have higher log volumes.

Exercise 2: Building a Chart-Based Report on a Log Search

In this exercise, you will create a chart based on the industrial application category, add the chart to a report, and
then run the report.

To create a chart based on a log search


1. Log in to the FortiAnalyzer GUI with the username admin and password password.
2. Click Log View.
3. Click FortiGate > Security > Application Control.
4. Click Last 1 Hour, and then in the drop-down list, select Last 7 Days to change the duration.
5. Click Add Filter, type Application, and then select Application Category.
6. Click "Industrial" as the filter value.

Ensure your time filter is set correctly (includes the time you have been generating traffic).

7. Click the custom view icon to save the current view as a custom view.

Although a custom view isn't required to build a chart, it's a nice feature that allows you
to save your filtered searches. The custom view option is available only in the historical
log view.

8. In the Name field, type OT_Security_Logs, and then click OK.


Ensure your time filter is set correctly (includes the time you have been generating
traffic).

9. In your OT_Security_Logs custom view, click the custom view icon, and then click More Columns.

89 OT Security 7.2 Lab Guide


Fortinet Technologies Inc.
DO Exercise
NOT2: Building
REPRINT
a Chart-Based Report on a Log Search

© FORTINET
10. In Column Settings, select the Application Risk and File Name column names, and then click OK.
11. In your OT_Security_Logs custom view, click the tools icon, and then click Chart Builder.

Chart Builder is available only in the historical log view.

The dataset query is generated in advance based on your search filters. The Preview window indicates what
the results will look like in a report.

12. Configure the following settings to fine-tune your results:

Field        Value
Name         OT_Security_Chart
Columns      Select:
             • Date/Time
             • Level
             • Application
             • Application Risk
             • File Name
             This setting allows you to select only five columns. If other columns are selected by default, deselect them.
Group By     Date/Time
Order By     Application
Show Limit   200

13. Click Preview.


The dataset query updates based on your modifications. Review the following example of a dataset query:


14. View the preview, and then click Save.


Your dataset and chart are created.

To run a report on the custom chart


1. Continuing on the FortiAnalyzer GUI, click Log View > Reports.
2. Click All Reports, and then click Report > Create New.
3. Configure the following settings:

Field         Value
Name          Operational_Technology_Report
Create from   Blank

4. Click OK.
5. Click Settings.
6. In the Time Period field, select Today.
7. Click the Editor tab, and then click Insert Chart.

8. Click the second Chart drop-down list, in the text field, start typing OT_Security_Chart, and then when it
appears in the list, select it.

9. Click OK.
10. Click Apply.

11. Optionally, try inserting one of the Traffic macros:
a. Click to insert your cursor below the chart you just added to the layout.
b. Click Insert Macro.
c. In the inserted macro drop-down list, scroll up to the Traffic section, and then select any of the default macros.
For example, you can select the Highest Risk Application with Highest Session Count macro.

d. Click Apply.

12. Click the Generated Reports tab, and then click Run Report.
13. In the Format column, click HTML or PDF to view the report.


You successfully created a report based on a chart and dataset created from a filtered search result.

Exercise 3: Executing Default Reports on FortiSIEM

In this exercise, you will run one of the default reports on demand. You will explore the opening and running of
reports from the report tree. You will explore a default report on all incidents. FortiSIEM is placed in Purdue level
3.5, and it will trigger incidents based on events for devices from level 0 to 5. The All incidents report provides an
incident summary from all Purdue levels. You will also learn how to schedule a report on FortiSIEM.

To run a report from the report tree


1. Log in to the FortiSIEM GUI, and then click the RESOURCES tab.
2. Click Reports > Incidents.
3. In the main window, select All Incidents.
4. Click Run.
The Run window opens.

5. On the Report Time Range tab, select Relative, in the Last field, type 7, and then in the drop-down list, select
Days.
6. Click OK.
The report automatically runs and populates the results in a new tab on the ANALYTICS tab.

Review the results. Results may vary.

To schedule a report
1. Click the RESOURCES tab.
2. Click Reports > Incidents.
3. Select All Incidents.
4. Click More.
5. In the More drop-down list, select Schedule.


6. Configure the following settings (you must click Next to view some of the settings), and then click OK:

Field                               Value
Time Zone                           Local
Report time range                   Relative, last 7 Days
Schedule Time Range (Start Time:)   Set this field to 10 minutes ahead of the current time, and then make sure Local is selected.
Schedule Recurrence Pattern         Once
Output Format                       PDF
Notification                        Copy to a remote directory
Keep report for                     2 hours

The remote directory to save reports is already configured. The Scheduled column for the All Incidents
report indicates that a report is scheduled.

7. Click the ADMIN tab, and then click Settings > Analytics > Scheduled Report > Scheduled Report Copy to
review the settings of the remote directory.


The FortiSIEM_Reports folder is on the desktop of the Linux-Client VM.

To explore other options to schedule a report


1. On the FortiSIEM GUI, click the RESOURCES tab.
2. Click Reports > Incidents.
3. Select the All Incidents report, and then in the lower section, click the Schedule tab (you may need to click the up
arrow in the lower-right corner of the GUI to see this).

Notice the existing report schedule is already present.

4. Click +.
Notice that the same Schedule dialog box shown above opens.

5. Click Cancel.
6. Click the scheduled entry Scheduled for:<date>.
Both the pencil and trash icons become active.

7. Click the pencil icon to modify the schedule of the report.

Do not delete the schedule for the report.

8. After 10 minutes, verify the delivery of the scheduled report to the FortiSIEM_Reports folder on the desktop of the
Linux-Client VM.


The All Incidents report should be available in PDF format after approximately 10 minutes.

Exercise 4: Building Reports From Analytics on FortiSIEM

In this exercise, you will learn to save reports from the ANALYTICS tab. You will create search filters to capture
events on various OT, security, and performance events, and then save them as reports.

To create a custom report folder for OT


1. On the FortiSIEM GUI, click the RESOURCES tab.
2. Click Reports.
3. Click + to create a new report group.
4. In the Group field, type Operational Technology.
5. Click Save.

Create a Report on Performance for OT Devices

You will build search filters to capture the temperature performance of fuel pump servers, add aggregate log data
for average temperatures, and then save it as a report.

To configure search filters and save a report


1. On the FortiSIEM GUI, click the ANALYTICS tab, and then click the search field.
The Filter editor opens.

2. Click the Clear All button to clear any existing conditions, and then add the following condition:

Field       Value
Filter      Event Attribute
Attribute   Host IP
Operator    IN
Value       10.6.0.1,10.6.0.2,10.6.0.3
NEXT        AND

3. In the Row column associated with the condition, click + to add another row.
4. In the second condition row, configure the following settings:

Field       Value
Attribute   Event Type
Operator    =
Value       PH_DEV_MON_HW_TEMP

5. In the Time Range section, select Relative, in the Last field, type 1, select Day in the drop-down list, and then
click Apply.
6. Click the change field display icon beside the Run icon.
7. In the Group By and Display Fields window, click Clear All to clear any existing fields, and then configure the
display fields with the following attributes:
• Reporting IP
• Event Type
• Hardware Component Name
• AVG(Temperature Fahrenheit)
• COUNT(Matched Events)


Use Expression Builder where required.

8. Click Apply & Run.


The search results should look similar to the following example:

Results may vary, because of log simulation.

Event Name is not an attribute that you can search for—it appears automatically when
the Event Type attribute is selected.

9. In the upper-left corner, click Actions, and then click Save as Report to save the results as a report.
The default report name is Search Result - <report interval>.

10. Replace the Report Name with OT_Device_Performance.


11. Select the Save Definition checkbox, and then in the Save To section, select the Operational Technology
folder.
12. Select the Save Results checkbox, in the for field, select 1 and Days, and then click OK to save the report.


A window should appear that confirms the report was saved successfully.

The window disappears automatically. You can view the saved report in the Reports > Operational
Technology folder.

Create a Report on Traffic for Purdue Level 1 Devices

You will build search filters to capture security events from Purdue level 1 devices (traffic from PLC-1 to PLC-3),
and then save it as a report.

To configure search filters and save a report


1. On the FortiSIEM GUI, click the ANALYTICS tab, and then click the search field.
The Filter editor opens.

2. Click Clear All to clear any existing conditions, and then add the following condition:

Field       Value
Filter      Event Attribute
Attribute   Source IP
Operator    =
Value       192.168.1.1
NEXT        AND

3. In the Row column associated with the condition, click + to add another row.
4. In the second condition row, configure the following settings:

Field       Value
Attribute   Destination IP
Operator    =
Value       192.168.2.1

5. In the Time Range section, select Relative, in the Last field, type 1, in the drop-down list, select Day, and then
click Apply.
6. In the Group By and Display Fields window, click Clear All to clear any existing fields, and then configure the
display fields with the following attributes:
• Reporting Device
• Event Type
• Source IP > Display AS > PLC-1
• Destination IP > Display AS > PLC-3
• Service Name
• COUNT(Matched Events)

7. Click Apply & Run.


The search results should look like the following example:


Event Name is not an attribute that you can search for—it appears automatically when
the Event Type attribute is selected.

8. In the upper-left corner, click Actions, and then click Save as Report to save the results as a report.
The default report name is Search Result - <report interval>.

9. Replace the Report Name with Traffic From PLC-1 to PLC-3 - Purdue Level 1_Security
Events.
10. Select the Save Definition checkbox, and then in the Save To section, select the Operational Technology
folder.
11. Select the Save Results checkbox, in the for field, select 1 and Days, and then click OK to save the report.

Create a Report on Modbus and IEC 104 service

You will build search filters to capture security events for Modbus and IEC 104 service, and then save it as a
report.

To configure search filters and save a report


1. On the FortiSIEM GUI, continuing on the ANALYTICS tab, click the search field.
The Filter editor opens.

2. Click Clear All to clear any existing conditions, and then add the following condition:

Field       Value
Filter      Event Attribute
Attribute   Destination TCP/UDP Port
Operator    IN
Value       Click CMDB > Protocols > OT Ports, add the OT Ports group to Selections, and then click OK.
NEXT        OR

3. In the Row column associated with the condition, click + to add another row.
4. In the second condition row, configure the following settings:

Field       Value
Attribute   Source TCP/UDP Port
Operator    IN
Value       Click CMDB > Protocols > OT Ports, add the OT Ports group to Selections, and then click OK.

5. In the Time Range section, select Relative, in the Last field, type 1, in the drop-down list, select Day, and then
click Apply.
6. In the Group By and Display Fields window, click Clear All to clear any existing fields, and then configure the
display fields with the following attributes:
• Reporting Vendor
• Service Name
• Event Type
• COUNT(Matched Events)

7. Click Apply & Run.
The search results should look like the following example:

Event Name is not an attribute that you can search for—it appears automatically when
the Event Type attribute is selected.

8. In the upper-left corner, click Actions, and then click Save as Report to save the results as a report.
The default report name is Search Result - <report interval>.

9. Replace the Report Name with MODBUS and IEC104_OT_Security_Events.


10. Select the Save Definition checkbox, and then in the Save To section, select the Operational Technology
folder.
11. Select the Save Results checkbox, in the for field, select 1 and Days, and then click OK to save the report.

Create a Report on OT Security Events From FortiAnalyzer

You will build search filters to capture security events that FortiAnalyzer (IP 10.1.3.210) reports, and you will add
display fields to display the application risk level, and then save it as a report.

To configure search filters and save a report


1. On the FortiSIEM GUI, continuing on the ANALYTICS tab, click the search field.
The Filter editor opens.

2. Click Clear All to clear any existing conditions, and then add the following condition:

Field       Value
Filter      Event Attribute
Attribute   Reporting IP
Operator    =
Value       10.1.3.210
NEXT        AND

3. In the Row column associated with the condition, click + to add another row.
4. In the second condition row, configure the following settings:

Field       Value
Attribute   Application Group Name
Operator    =
Value       Industrial

5. In the Time Range section, select Relative, in the Last field, type 1, in the drop-down list, select Day, and then
click Apply.
6. In the Group By and Display Fields window, click Clear All to clear any existing fields, and then configure the
display fields with the following attributes:
l Reporting IP
l Application Group Name
l Application Risk
l Application Name
l Service Name
l COUNT(Matched Events)


7. Click Apply & Run.


The search results should look like the following example:

8. In the upper-left corner, click Actions, and then click Save as Report to save the results as a report.
The default report name is Search Result - <report interval>.

9. Replace the Report Name with FortiAnalyzer_OT_Security_Events_Application_Risk_Assessment.
10. Select the Save Definition checkbox, and then in the Save To section, select the Operational Technology
folder.

11. Select the Save Results checkbox, in the for field, select 1 and Days, and then click OK to save the report.
12. Navigate to the RESOURCES > Reports > Operational Technology folder to view all four reports.

You will use these reports in the next exercise to build an OT dashboard.
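The two searches above are, in effect, a filter on Reporting IP and Application Group Name over a relative time window, followed by a group-by on the display fields with COUNT(Matched Events). The following added example (not from the lab guide or from FortiSIEM) reproduces that query offline over a handful of constructed FortiGate-style application-control log lines, which is a quick way to sanity-check what a saved report should return. The log lines, the reporting IPs and the risk values are made up for the example; the field names (app, appcat, apprisk, service) are the FortiGate log fields that FortiSIEM maps to Application Name, Application Group Name, Application Risk and Service Name.

```python
"""Offline re-run of the Exercise 4 FortiSIEM query (Reporting IP = 10.1.3.210 AND
Application Group Name = Industrial, Last 1 Day, grouped by the chosen display
fields with a count). Sample data below is constructed, not captured from the lab."""
import re
from collections import Counter
from datetime import datetime, timedelta

# FortiGate logs are key=value pairs; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Parse one FortiGate-style key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def run_query(events, now, reporting_ip="10.1.3.210", app_group="Industrial",
              last=timedelta(days=1)):
    """events: iterable of (reporting_ip, raw_line), where reporting_ip is the host
    that forwarded the line to the SIEM. Returns [(group_key, count), ...] sorted by
    count; group_key mirrors the display fields (Reporting IP, Application Group Name,
    Application Risk, Application Name, Service Name)."""
    counts = Counter()
    for reporter, line in events:
        f = parse_kv(line)
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        if not (now - last <= ts <= now):          # Time Range: Relative, Last 1 Day
            continue
        if reporter != reporting_ip:               # Reporting IP = 10.1.3.210
            continue
        if f.get("appcat") != app_group:           # Application Group Name = Industrial
            continue
        key = (reporter, f["appcat"], f.get("apprisk", ""), f.get("app", ""), f.get("service", ""))
        counts[key] += 1                           # COUNT(Matched Events)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


# Constructed sample: (syslog sender, log line). Risk values are illustrative only.
NOW = datetime(2022, 11, 21, 12, 0, 0)
SAMPLE_EVENTS = [
    ("10.1.3.210", 'date=2022-11-21 time=10:01:02 devname="FortiGate-2" subtype="app-ctrl" '
                   'app="Modbus_Read.Holding.Registers" appcat="Industrial" apprisk="elevated" service="Modbus" action="pass"'),
    ("10.1.3.210", 'date=2022-11-21 time=10:05:10 devname="FortiGate-2" subtype="app-ctrl" '
                   'app="Modbus_Read.Holding.Registers" appcat="Industrial" apprisk="elevated" service="Modbus" action="pass"'),
    ("10.1.3.210", 'date=2022-11-21 time=11:00:00 devname="FortiGate-2" subtype="app-ctrl" '
                   'app="Modbus_Exception.Illegal.Function" appcat="Industrial" apprisk="high" service="Modbus" action="block"'),
    # excluded: sent directly by a FortiGate, not by FortiAnalyzer
    ("10.1.1.1", 'date=2022-11-21 time=09:00:00 devname="FortiGate-1" subtype="app-ctrl" '
                 'app="Modbus_Read.Coils" appcat="Industrial" apprisk="elevated" service="Modbus" action="pass"'),
    # excluded: older than the one-day window
    ("10.1.3.210", 'date=2022-11-19 time=10:00:00 devname="FortiGate-2" subtype="app-ctrl" '
                   'app="Modbus_Read.Holding.Registers" appcat="Industrial" apprisk="elevated" service="Modbus" action="pass"'),
    # excluded: not in the Industrial application group
    ("10.1.3.210", 'date=2022-11-21 time=10:30:00 devname="Edge-FortiGate" subtype="app-ctrl" '
                   'app="HTTP.BROWSER" appcat="Web.Client" apprisk="low" service="HTTP" action="pass"'),
]

if __name__ == "__main__":
    for key, count in run_query(SAMPLE_EVENTS, NOW):
        print(count, *key)
```

Only the three lines that FortiAnalyzer forwarded inside the window and that belong to the Industrial group survive the filters, and they collapse into two rows because two of them share every display field. If the saved report shows more rows than expected, the usual reasons are the same ones this code makes explicit: a different reporting IP, an event outside the relative window, or an application the parser assigned to another group.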

Exercise 5: Building an OT Dashboard on FortiSIEM

In this exercise, you will create a custom dashboard by adding dashboard widgets for OT.

To create a custom dashboard folder


1. On the FortiSIEM GUI, click the DASHBOARD tab.
2. In the Application Server Dashboard drop-down menu, select New.

The Create Dashboard Folder window opens.

3. In the Name field, type Operational Technology, and then click Save.

The Operational Technology group opens, and is added to the dashboard drop-down list.

To add widget dashboards


1. In the Operational Technology dashboard group, to the right of the dashboard drop-down list, click +.

The Create New Dashboard window opens.

2. In the Name field, type OT/IoT.


3. In the Type field, select Widget Dashboard.
4. Click Save.


The OT/IoT widget dashboard is created, and the main window displays an empty dashboard.

5. On the OT/IoT tab, click +.

The Report selector window appears.

6. Click the Reports folder, and then select the Incidents folder.
7. Select the All Incidents report, and then when the right arrow icon appears, click the icon to add the All Incidents
report widget.

8. Hover over the title bar of the All Incidents widget, on the right side, click the settings icon, and then click Edit
Settings.

9. Adjust the widget settings to match the following image, and then click Save:

If the Display Settings fields are empty, click Save, and then click the widget settings
icon again to open the widget settings. The Display Settings fields should now be
populated. Network lag can cause this issue, which you may not experience.

10. On the OT/IoT tab, click + again, and add the report widgets from the Operational Technology folder, in the
following order:
l OT_Device_Performance
l FortiAnalyzer_OT_Security_Events_Application_Risk_Assessment
l MODBUS and IEC104_OT_Security_Events
l Traffic From PLC-1 to PLC-3 - Purdue Level 1_Security Events

11. Hover over the title bar of the OT_Device_Performance widget, and then on the right, click the settings icon to edit
the settings.
12. Adjust the widget settings to match the following image, and then click Save:

If the Display Settings fields in the widget settings are empty, click Save, and then
click the widget settings icon again to open the widget settings. The Display Settings
fields should now be populated. Network lag can cause this issue, which you may not
experience. The same applies to each of the remaining widgets in this procedure.

13. Hover over the title bar of the FortiAnalyzer_OT_Security_Events_Application_Risk_Assessment widget, and
then on the right, click the settings icon to edit the settings.
14. Adjust the widget settings to match the following image, and then click Save:

15. Hover over the title bar of the MODBUS and IEC104_OT_Security_Events widget, and on the right side, click the
settings icon to edit the settings.
16. Adjust the widget settings to match the following image, and then click Save:

17. Hover over the title bar of the Traffic From PLC-1 to PLC-3 - Purdue Level 1_Security Events widget, and then
on the right, click the settings icon to edit the settings.
18. Adjust the widget settings to match the following image, and then click Save:

19. Review the Operational Technology > OT/IoT dashboard, which appears similar to the following image:

Results may vary, because of log simulation.

Lab 8: Use Case 1

In this lab, you will configure Fortinet devices based on requirements that a customer provides. The lab is
preconfigured with IP addresses.

Objectives
l Complete all tasks to configure the network based on customer requirements

Time to Complete
Estimated: 150 minutes

Prerequisites
Before you begin this lab, you must restore the initial configuration files to the FortiGate devices. The configuration
files are located on the desktop of the Linux-Client VM.

To restore the FortiGate-1 configuration file


1. Log in to the FortiGate-1 GUI at 10.1.1.1 with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Use Case-1, select FortiGate-1_usecase1.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the FortiGate-2 configuration file


1. Log in to the FortiGate-2 GUI at 10.1.2.1 with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.


3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Use Case-1, select FortiGate-2_usecase1.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the FortiAnalyzer configuration file


1. On the Linux-Client VM, open a browser, and then log in to the FortiAnalyzer GUI at 10.1.3.210 with the
username admin and password password.
2. Click System Settings.
3. In the System Information widget, in the System Configuration field, click the restore icon.

4. Click Browse.
5. Click Desktop > Resources > Use Case-1, and then select FortiAnalyzer_usecase1.dat.

You do not have to enter a password because the file is not encrypted.

6. Leave the Overwrite current IP and routing settings checkbox selected.

7. Click OK.

To restore the Edge-FortiGate configuration file


1. On the Linux-Client VM, open a browser, and then log in to the Edge-FortiGate GUI at 10.1.5.254 with the
username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Use Case-1, select Edge-FortiGate_usecase1.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Configuring Devices

In this exercise, you will configure the OT network based on the following basic customer requirements:
l Achieve microsegmentation within floors
l Implement segmentation between floors
l Implement access control to limit access to Fortinet devices and PLCs
l Allow only Modbus traffic between PLCs based on requirements
l Log traffic on FortiGate and FortiAnalyzer

Network Topology

Review the current configuration before proceeding to the next step. You have basic connectivity from Fortinet
products to FortiManager so that you can perform license verification. Do not make changes to the policies that
allow this traffic.

Requirements

To configure basic connectivity


Ensure that Linux-Client is able to access the following devices without access control:

l FortiGate-1
l FortiGate-2
l FortiAnalyzer

To achieve microsegmentation within floors


l On Floor-1, make sure that PLC-1 and PLC-2 are in the same broadcast domain.
l Allow only ping traffic from PLC-1 to PLC-2.
l Do not allow any other traffic between PLC-1 and PLC-2.
l On Floor-2, make sure that PLC-3 and the Client VM are in the same broadcast domain.
l Configure FortiGate-1 to allow the Client VM to send all traffic to PLC-3.
l Allow only ping traffic from PLC-3 to the Client VM.

To segment floors
l Ensure that all traffic between floors is controlled through Edge-FortiGate.
l Allow Linux-Client to access PLC-1, PLC-2, PLC-3, and the Client VM over SSH without access control.

To implement access control


Create the following local users on Edge-FortiGate:

Username     Password

supervisor   supervisor

jradmin      jradmin

sradmin      sradmin

client1      client1

Create policies to allow traffic from the Linux-Client VM to the following devices using access control:
l Allow supervisor to access PLC-1, PLC-2, PLC-3, and the Client VM over HTTP.
l Allow jradmin to access PLC-3 over HTTP.
l Allow sradmin to access all PLCs on Floor-1 over HTTP.
l Allow client1 to access the Client VM over HTTP.

To log traffic
Configure the devices so that Edge-FortiGate can send logs in real time to FortiAnalyzer for storage and reporting.

To protect the OT network


l Allow all Modbus traffic from the Client VM to PLC-2, except for traffic that matches the
Modbus_Exception.Illegal.Function signature.
l Log all traffic from the Client VM to PLC-2.
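The Modbus requirement above hinges on one Modbus/TCP frame shape: an exception response, which carries the request's function code with the high bit set followed by a single exception code, where code 1 means Illegal Function. The following added example (not from the lab guide, and not the conpot or pymodbus scripts used in Exercise 2) builds a few Modbus/TCP frames, parses them, and applies the same allow-everything-except-Illegal-Function decision. It assumes that the Modbus_Exception.Illegal.Function signature matches exactly that response, which is what its name implies; the FortiGuard signature definition itself is not on the page.

```python
"""Modbus/TCP frame inspection mirroring the Lab 8 rule: allow Modbus, block only the
Illegal Function exception response. Frames below are constructed for the example."""
import struct

# Exception codes from the Modbus application protocol specification.
EXCEPTION_CODES = {
    1: "Illegal Function",
    2: "Illegal Data Address",
    3: "Illegal Data Value",
    4: "Server Device Failure",
}


def build_mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prefix a PDU with the MBAP header: transaction id, protocol id 0, length, unit id.
    The length field counts the unit id plus the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame: bytes) -> dict:
    """Return tid, unit, function code and, for exception responses, the exception code.
    Raises ValueError for anything that is not a well-formed Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, data = frame[7], frame[8:]
    info = {"tid": tid, "unit": unit, "function": fc & 0x7F, "exception": None}
    if fc & 0x80:                      # high bit set: this is an exception response
        if len(data) != 1:
            raise ValueError("exception response must carry exactly one exception code")
        info["exception"] = data[0]
    return info


def modbus_verdict(frame: bytes) -> str:
    """'allow' for any valid Modbus/TCP frame except an Illegal Function exception
    response ('block'); 'invalid' when the bytes are not Modbus/TCP at all."""
    try:
        info = parse_modbus_tcp(frame)
    except ValueError:
        return "invalid"
    return "block" if info["exception"] == 1 else "allow"


def describe(frame: bytes) -> str:
    """One-line summary of a valid frame together with the verdict."""
    info = parse_modbus_tcp(frame)
    what = f"function 0x{info['function']:02x}"
    if info["exception"] is not None:
        what += f" exception {info['exception']} ({EXCEPTION_CODES.get(info['exception'], 'reserved')})"
    return f"tid={info['tid']} unit={info['unit']} {what} -> {modbus_verdict(frame)}"


# Constructed sample exchange between a Modbus client and a server.
REQ_READ_HR = build_mbap(1, 1, bytes([0x03]) + struct.pack(">HH", 0, 2))          # read 2 holding registers at 0
RSP_READ_HR = build_mbap(1, 1, bytes([0x03, 0x04]) + struct.pack(">HH", 0x0102, 0x0304))
REQ_REPORT_ID = build_mbap(2, 1, bytes([0x11]))                                    # Report Server ID
RSP_ILLEGAL_FUNCTION = build_mbap(2, 1, bytes([0x11 | 0x80, 0x01]))                # server does not implement 0x11
RSP_ILLEGAL_ADDRESS = build_mbap(3, 1, bytes([0x03 | 0x80, 0x02]))                 # another exception: still allowed
NOT_MODBUS = b"\x16\x03\x01\x00\x05hello"                                          # a TLS record header, not Modbus

if __name__ == "__main__":
    for f in (REQ_READ_HR, RSP_READ_HR, REQ_REPORT_ID, RSP_ILLEGAL_FUNCTION, RSP_ILLEGAL_ADDRESS):
        print(describe(f))
    print("NOT_MODBUS ->", modbus_verdict(NOT_MODBUS))
```

Note that the blocked frame is the server's reply, not the client's request: the request for an unsupported function code is ordinary Modbus and passes, and only the exception that conpot returns trips the rule. That is also why the test in Exercise 2 needs both the conpot server on PLC-2 and the client script on the Client VM running before the application-control log appears on FortiAnalyzer.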

Exercise 2: Testing the Configuration

Make sure you complete all of the configuration steps before you test the configuration.

To test basic connectivity


From the Linux-Client VM, you must be able to access the following devices:
l FortiGate-1 at 10.1.1.1 over HTTP and SSH
l FortiGate-2 at 10.1.2.1 over HTTP and SSH
l FortiAnalyzer at 10.1.3.210 over HTTP and SSH

To test internal segmentation


l You must not be able to ping PLC-3 from PLC-1.
l You must not be able to ping the Client VM from PLC-1.
l PLC-3 must not be able to ping any devices on Floor-1.
l Linux-Client must be able to connect to PLC-1, PLC-2, PLC-3, and the Client VM over SSH.

To test microsegmentation within floors


l You should be able to ping PLC-2 from PLC-1.
l You must not be able to ping PLC-1 from PLC-2.
l You should be able to ping the Client VM from PLC-3.
l You should be able to ping and connect over SSH to PLC-3 from the Client VM.

To test access control


l On the Linux-Client VM, when you access PLC-1, PLC-2, PLC-3, and the Client VM over HTTP, you must receive a
login prompt.
l The following users must be able to access the allowed devices over HTTP only:

Username     Allowed devices over HTTP

supervisor   PLC-1, PLC-2, PLC-3, and the Client VM

jradmin      PLC-3

sradmin      PLC-1 and PLC-2

client1      The Client VM

After you are logged in with one user, if you do not see another login prompt, do the
following:

1. Click Dashboard > Users & Devices, and then expand Firewall Users to
deauthenticate the user.
2. Close all browsers to clear the caches.

To test application filter and logging
1. Connect to the Linux-Client VM.
2. Open PuTTY.
3. Click PLC-2 to select the saved session, and then click Open.
4. Log in with the username sysadmin and password Fortinet1!.
5. Enter the following command:
./Uploads/start-conpot.sh

If you receive an error when you try to run the script, this may be due to a previous
session. Enter the docker ps command to find the container ID of the container that is
still running, and then enter the docker kill <container_id> command to stop it.

6. Leave the PuTTY session open.


7. Connect to the Linux-Client VM.
8. On the Linux-Client VM, open PuTTY.
9. Click Client to select the saved session, and then click Open.
10. Log in with the username sysadmin and password Fortinet1!.
11. Enter the following command:
./Uploads/synchronous_client_ext.py
12. Leave the PuTTY session open.
13. Log in to the FortiAnalyzer GUI with the username admin and password password.
14. Click Log View.
15. Click FortiGate > Security > Application Control.
16. Ensure that you see the following results:

Lab 9: Use Case 2

In this lab, you will configure Fortinet devices based on requirements provided by a customer. The lab is
preconfigured with IP addresses.

Objectives
l Complete all tasks to configure the network based on customer requirements

Time to Complete
Estimated: 150 minutes

Prerequisites
Before you begin this lab, you must restore the initial configuration files to the FortiGate devices. The configuration
files are located on the desktop of the Linux-Client VM.

To restore the FortiGate-1 configuration file


1. Log in to the FortiGate-1 GUI at 10.1.1.1 with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Use Case-2, select FortiGate-1_usecase2.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the FortiGate-2 configuration file


1. Log in to the FortiGate-2 GUI at 10.1.2.1 with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.


3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Use Case-2, select FortiGate-2_usecase2.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the FortiAnalyzer configuration file


1. On the Linux-Client VM, open a browser, and then log in to the FortiAnalyzer GUI at 10.1.3.210 with the
username admin and password password.
2. Click System Settings.
3. In the System Information widget, in the System Configuration field, click the restore icon.

4. Click Browse.
5. Click Desktop > Resources > Use Case-2, and then select FortiAnalyzer_usecase2.dat.

You do not have to enter a password because the file is not encrypted.

6. Leave the Overwrite current IP and routing settings checkbox selected.

7. Click OK.

To restore the Edge-FortiGate configuration file


1. On the Linux-Client VM, open a browser, and then log in to the Edge-FortiGate GUI at 10.1.5.254 with the
username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Click Local PC, and then click Upload.


4. Click Desktop > Resources > Use Case-2, select Edge-FortiGate_usecase2.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Configuring Devices

In this exercise, you will configure the OT network based on the following basic customer requirements:
l Configure administrator accounts on the FortiGate devices
l Configure microsegmentation within Floor-1
l Implement segmentation between floors
l Implement access control to limit access to Fortinet devices and PLCs
l Allow only IEC-104 traffic between PLCs based on requirements
l Log traffic on FortiGate, FortiAnalyzer, and FortiSIEM

Network Topology

Review the current configuration before proceeding to the next step. You will have basic connectivity from Fortinet
products to FortiManager so that you can perform license verification. Do not make changes to the policies that
allow this traffic.

Requirements

To configure administrator accounts


Create the following administrator accounts on FortiGate-1 and FortiGate-2:

Username     Password   Access

supervisor   fortinet   Super admin

admin_1      fortinet   Super admin read-only

To configure basic connectivity


Ensure that the Linux-Client can access the following devices without access control:
l FortiGate-1
l FortiGate-2
l FortiAnalyzer
l FortiSIEM

To achieve microsegmentation within floors


l On Floor-1, make sure that PLC-1 and PLC-2 are in the same broadcast domain.
l Allow only ICMP and SSH traffic from PLC-2 to PLC-1.
l Do not allow any other traffic between PLC-1 and PLC-2.
l On Floor-2, make sure that PLC-3 and the Client VM are in the same broadcast domain.
l Allow all traffic between PLC-3 and the Client VM without using firewall policies.

To segment floors
l Ensure that all traffic between floors is controlled through Edge-FortiGate.
l Configure firewall policies and routes to allow Linux-Client to access PLC-1, PLC-2, PLC-3, and the Client VM over
SSH without access control.

To implement access control


Create the following local users on Edge-FortiGate:

Username     Password

supervisor   supervisor

jradmin      jradmin

sradmin      sradmin

Create policies to allow traffic from the Linux-Client VM to the following devices using access control:
l Allow supervisor to access PLC-1, PLC-2, PLC-3, and the Client VM over HTTP.
l Allow jradmin to access PLC-1 over HTTP.
l Allow sradmin to access PLC-3 on Floor-2 over HTTP.

To log traffic
Configure devices so that Edge-FortiGate can:

l Send logs in real time to FortiAnalyzer for storage and reporting
l Send logs to FortiSIEM

To protect the OT network


l Allow and monitor only IEC-104 traffic from PLC-2 to PLC-3, except traffic that matches the
IEC.60870.5.104_Information.Transfer.C.BO.NA.1 signature.
l Block all other industrial signatures from PLC-2 to PLC-3.
l Log all traffic from PLC-2 to PLC-3.
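The IEC-104 requirement above singles out one ASDU type: C_BO_NA_1 (type identification 51, the 32-bit bitstring command), which is what the IEC.60870.5.104_Information.Transfer.C.BO.NA.1 signature name refers to. The following added example (not from the lab guide, and not the iecsim demo_server.py or demo_client.py scripts used in Exercise 2) builds a short IEC 60870-5-104 session from constructed bytes, parses the APCI and ASDU headers, and applies the same decision: allow IEC-104, block type 51, and treat anything that is not IEC-104 as falling through to the deny rule for other industrial signatures. The assumption that the signature fires on ASDU type 51 follows from its name; the FortiGuard definition itself is not on the page.

```python
"""IEC 60870-5-104 APDU inspection mirroring the Lab 9 rule: allow IEC-104 from PLC-2
to PLC-3 except ASDU type C_BO_NA_1 (type id 51). Frames below are constructed."""
import struct

START = 0x68
TYPE_NAMES = {1: "M_SP_NA_1", 9: "M_ME_NA_1", 45: "C_SC_NA_1", 46: "C_DC_NA_1",
              51: "C_BO_NA_1", 100: "C_IC_NA_1"}
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
BLOCKED_TYPES = {51}   # C_BO_NA_1, per the Lab 9 requirement


def build_u_frame(function: int) -> bytes:
    """U-format APCI: no ASDU, control octet 1 carries the function bits."""
    return bytes([START, 4, function, 0, 0, 0])


def build_asdu(type_id, cot, common_addr, ioa, elements, originator=0) -> bytes:
    """One information object (VSQ = 1): type id, VSQ, COT, originator,
    common address (2 bytes LE), IOA (3 bytes LE), information elements."""
    return (bytes([type_id, 0x01, cot & 0x3F, originator]) + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + elements)


def build_i_frame(send_seq: int, recv_seq: int, asdu: bytes) -> bytes:
    """I-format APCI: both sequence numbers are stored shifted left by one, little-endian,
    so bit 0 of control octet 1 is 0."""
    ctrl = struct.pack("<HH", send_seq << 1, recv_seq << 1)
    return bytes([START, len(ctrl) + len(asdu)]) + ctrl + asdu


def parse_apdu(data: bytes) -> dict:
    """Decode the APCI and, for I-frames, the ASDU header. Raises ValueError if the
    bytes are not a well-formed IEC-104 APDU."""
    if len(data) < 6 or data[0] != START:
        raise ValueError("missing 0x68 start byte or too short")
    if data[1] != len(data) - 2 or data[1] < 4:
        raise ValueError("APDU length field does not match")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x01 == 0:
        fmt = "I"
    elif c1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    info = {"format": fmt}
    if fmt == "U":
        info["function"] = U_FUNCTIONS.get(c1, f"unknown 0x{c1:02x}")
        return info
    info["recv_seq"] = (c3 >> 1) | (c4 << 7)
    if fmt == "S":
        return info
    info["send_seq"] = (c1 >> 1) | (c2 << 7)
    asdu = data[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU truncated")
    type_id, vsq, cot, orig = asdu[:4]
    info.update({
        "type_id": type_id,
        "type_name": TYPE_NAMES.get(type_id, f"type {type_id}"),
        "num_objects": vsq & 0x7F,
        "cot": cot & 0x3F,
        "negative": bool(cot & 0x40),
        "test": bool(cot & 0x80),
        "originator": orig,
        "common_addr": struct.unpack("<H", asdu[4:6])[0],
        "ioa": int.from_bytes(asdu[6:9], "little"),
    })
    return info


def iec104_verdict(data: bytes) -> str:
    """'block' for an I-frame carrying a blocked ASDU type, 'allow' for any other valid
    IEC-104 APDU, 'invalid' when the bytes are not IEC-104 at all."""
    try:
        info = parse_apdu(data)
    except ValueError:
        return "invalid"
    return "block" if info.get("type_id") in BLOCKED_TYPES else "allow"


# Constructed sample session from a controlling station to an outstation with common address 1.
STARTDT_ACT = build_u_frame(0x07)
INTERROGATION = build_i_frame(0, 0, build_asdu(100, 6, 1, 0, bytes([20])))          # C_IC_NA_1, QOI 20
SINGLE_CMD = build_i_frame(1, 1, build_asdu(45, 6, 1, 0x1001, bytes([0x01])))      # C_SC_NA_1, SCS = on
BITSTRING_CMD = build_i_frame(2, 1, build_asdu(51, 6, 1, 0x2001, struct.pack("<I", 0x0000FFFF)))  # C_BO_NA_1
S_ACK = bytes([START, 4, 0x01, 0x00, 0x06, 0x00])                                   # S-format, recv_seq 3
NOT_IEC104 = bytes([0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x01, 0x03])                 # a Modbus/TCP header instead

if __name__ == "__main__":
    for name in ("STARTDT_ACT", "INTERROGATION", "SINGLE_CMD", "BITSTRING_CMD", "S_ACK", "NOT_IEC104"):
        frame = globals()[name]
        print(f"{name:14} {frame.hex()} -> {iec104_verdict(frame)}")
```

Only the I-frame whose ASDU type is 51 is blocked; the STARTDT handshake, the interrogation, the single command and the S-format acknowledgement all pass, and the Modbus bytes are reported as not IEC-104 so that a separate rule can drop them. When you run demo_client.py against demo_server.py in Exercise 2, the application-control log on FortiAnalyzer should show the same split: the IEC-104 session allowed, and only the C_BO_NA_1 transfers blocked.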

Exercise 2: Testing the Configuration

Make sure you have completed all of the configuration steps before testing the configuration.

To configure administrator accounts


l You must be able to log in to FortiGate-1 and FortiGate-2 with the username supervisor and password
fortinet.
l After you log in, you must have read and write access to all features on the FortiGate devices.
l You must be able to log in to FortiGate-1 and FortiGate-2 with the username admin_1 and password fortinet.
l After you log in, you must have read-only access to all features on the FortiGate devices.

To test basic connectivity


From the Linux-Client VM, you must be able to access the following devices:
l FortiGate-1 at 10.1.1.1 over HTTP and SSH
l FortiGate-2 at 10.1.2.1 over HTTP and SSH
l FortiAnalyzer at 10.1.3.210 over HTTP and SSH
l FortiSIEM at https://10.1.3.180

To test microsegmentation within floors


l From PLC-2, you should be able to ping and connect over SSH to PLC-1.
l You must not be able to ping PLC-2 from PLC-1.
l You should be able to send any traffic between PLC-3 and the Client VM.
l Firewall policies on FortiGate-2 must not allow or deny traffic between PLC-3 and the Client VM.

To test internal segmentation


l You must not be able to ping PLC-3 from PLC-1.
l You must not be able to ping the Client VM from PLC-1.
l PLC-3 must not be able to ping any devices on Floor-1.
l Linux-Client must be able to connect to PLC-1, PLC-2, PLC-3, and the Client VM over SSH.

To test access control


l On the Linux-Client VM, when you access PLC-1, PLC-2, PLC-3, and the Client VM over HTTP, you must receive a
login prompt.
l The following users must be able to access the allowed devices over HTTP only:

Username     Allowed devices over HTTP

supervisor   PLC-1, PLC-2, PLC-3, and the Client VM

jradmin      PLC-1

sradmin      PLC-3

If you do not see another login prompt after you are logged in with one user, do the
following:
1. Click Dashboard > Users & Devices, and then expand Firewall Users to
deauthenticate the user.
2. Close all browsers to clear the caches.

To test application filter and logging


1. Connect to the Linux-Client VM.
2. On the Linux-Client VM, open PuTTY.
3. Click PLC-3 to select the saved session, and then click Open.
4. Log in with the username sysadmin and password Fortinet1!.
5. Enter the following commands:
cd Uploads/iecsim/
python3 demo_server.py 1000 2000
6. Leave the PuTTY session open.
7. Connect to the Linux-Client VM.
8. On the Linux-Client VM, open PuTTY.
9. Click PLC-2 to select the saved session, and then click Open.
10. Log in with the username sysadmin and password Fortinet1!.
11. Enter the following commands:
cd Uploads/iecsim/
python3 demo_client.py 192.168.2.1 1000 1010
12. Leave the PuTTY session open.
13. Log in to the FortiAnalyzer GUI with the username admin and password password.
14. Click Log View.
15. In the menu on the left, click FortiGate > Security > Application Control.
16. Ensure that you see the following result:


No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
