FGT1 01 Introduction

This document provides an introduction to FortiGate unified threat management capabilities. It outlines how FortiGate appliances can provide comprehensive security functions like firewalling, antivirus, IPS, web filtering and more through a single device. It describes key FortiGate concepts like operation modes, administrator profiles, firmware updates and using the built-in DNS and DHCP servers. The document is intended to help choose features, understand subscriptions, and properly configure a FortiGate.

Uploaded by pbougoin

FortiGate I

Introduction to Fortinet Unified Threat Management

FortiGate 5.2.1 Last Modified: December 5, 2023 1


Objectives

• Identify major features of FortiGate
• Differentiate between FortiGuard queries & packages
• Choose an operation mode
• Restrict administration to access via management networks
• Create administrator accounts with specific permissions
• Reset a lost “admin” password
• Back up and restore configuration files
• Install new FortiGate firmware
• Run the built-in DNS server on an interface
• Run the built-in DHCP server on an interface

2
Traditional Network Security

VPN
Intrusion Prevention
Application Control
Web Filtering
WAN Optimization
Antispam
Antivirus
Firewall

Many single-purpose systems to cope with a variety of threats

3
FortiGate Capabilities

VPN
Intrusion Prevention
Application Control
Web Filtering
WAN Optimization
Antispam
Antivirus
FortiGate Firewall
and more…

One FortiGate provides comprehensive security and networking

4
Platform Design

Layered platform, top to bottom:
• FortiGuard Subscription Services
• Firewall, Antivirus, Web Filter, IPS, …
• FortiOS
• FortiASIC Optimized Hardware

5
FortiGuard Subscription Services

• Internet connection & contract required
• Provided by FortiGuard Distribution Network (FDN)
o Major data centers in North America, Asia, and Europe
o FortiGate prefers data center in nearest time zone, but will adjust by server load
• Or, from FDN via your FortiManager
• Package updates: FortiGuard Antivirus & IPS
o update.fortiguard.com
o TCP port 443 (SSL)
• Live queries: FortiGuard Web Filtering & Antispam
o service.fortiguard.net
o Proprietary protocol on UDP port 53 or 8888

6
Modes of Operation

NAT mode
• FortiGate is an OSI Layer 3 router
• Interfaces have IP addresses
• Packets are routed by IP

Transparent mode
• FortiGate is an OSI Layer 2 switch or bridge
• Interfaces do not have IPs
• Cannot route packets, only forward or not

7
Operation Modes & the OSI Model

[Figure: NAT mode and Transparent mode shown against the OSI layers]

8
Factory Default Settings

• ‘port1’ / ‘internal’ interface IP: 192.168.1.99/24
• PING, HTTP, HTTPS protocols management enabled
• Built-in DHCP server is enabled on ‘port1’ / ‘internal’ interface
o Not supported on all models
• Default login:
User: admin
Password: (blank)
o Both case sensitive
o Modify this default “root” password!

9
Resetting a Lost “admin” Password

User: maintainer
Password: bcpb<serial-number>
All letters in <serial-number> must be upper case: “FGT60…” etc.

• All FortiGate models & some other Fortinet device types
• Only after hard power cycle
o Soft cycle (reboot) does not work for security reasons
• Only during first 15-30 seconds after boot (varies by model)
o Tip: Copy serial number into terminal buffer, then paste
• Only via hardware console port
o Requires physical access for security reasons
o If compliance or the risk of physical access requires it, the maintainer account can be disabled:
config sys global
set admin-maintainer disable
end

10
Console Port

• Each FortiGate ships with a console cable
• Console connection requires terminal emulator
o PuTTY
o Tera Term
• Type varies by model
o Older models: Serial port w/ null modem cable
o Newer models
• RJ-45 port w/ RJ-45-to-serial cable, or
• USB 2 port to FortiExplorer

11
Administration Methods

GUI
FortiExplorer, Web Browser (HTTP, HTTPS)

CLI
Console, SSH, Telnet, GUI Widget

12
FortiExplorer

• Manages FortiGate/FortiWifi, FortiSwitch, FortiAP
o Full GUI/CLI access
• Exception: Limited configuration & model options on iOS
• Available on Windows, Mac OS X, iPod, iPad, iPhone
o See Release Notes for supported versions
o Available on support.fortinet.com and the Apple App Store
• Connect using USB 2 cable
o Standard 30-pin cable
o On models with only USB 2 console port, FortiExplorer required

13
FortiExplorer

14
Administrator Profiles

15
Administrator Profiles: Permissions

Each configuration area is granted one of three permission levels: None, Read, or Read-Write.
• System Configuration
• Network Configuration
• Firewall Configuration
• VPN Configuration
• WiFi Configuration
• etc.

16
Administrator Profiles: Hierarchy

• super_admin: full global access
• custom_profile1: partial global access
• prof_admin: full access in virtual domain
• custom_profile2: partial access in VDOM

17
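The two slides above describe a permission level (None, Read, Read-Write) per configuration area and a scope (global versus VDOM). The following Python model is an added example, not FortiOS code and not something the slides contain; it assumes five of the slide's areas (the slide's "etc." is not expanded), the two built-in profile names shown, and a hypothetical `authorize` function that answers whether an administrator may read or write an area in a given VDOM.

```python
from dataclasses import dataclass
from enum import IntEnum

# Permission levels from the "Administrator Profiles: Permissions" slide.
# IntEnum so that "at least read" can be checked by comparison.
class Access(IntEnum):
    NONE = 0
    READ = 1
    READ_WRITE = 2

# Configuration areas from the slide (the slide's "etc." is not expanded here).
AREAS = ("system", "network", "firewall", "vpn", "wifi")

@dataclass(frozen=True)
class Profile:
    name: str
    scope: str               # "global" or "vdom", from the hierarchy slide
    perms: dict              # area -> Access

def super_admin() -> Profile:
    """Built-in profile: full access to every area, globally."""
    return Profile("super_admin", "global", {a: Access.READ_WRITE for a in AREAS})

def prof_admin() -> Profile:
    """Built-in profile: full access to every area, but only inside assigned VDOMs."""
    return Profile("prof_admin", "vdom", {a: Access.READ_WRITE for a in AREAS})

def custom_profile(name: str, scope: str, **overrides: Access) -> Profile:
    """A custom profile starts with None everywhere; only listed areas are granted."""
    perms = {a: Access.NONE for a in AREAS}
    for area, level in overrides.items():
        if area not in AREAS:
            raise ValueError(f"unknown area {area!r}")
        perms[area] = level
    return Profile(name, scope, perms)

@dataclass(frozen=True)
class Admin:
    name: str
    profile: Profile
    vdoms: frozenset = frozenset()   # VDOMs assigned; ignored for global-scope profiles

def authorize(admin: Admin, area: str, action: str, vdom: str = "root") -> bool:
    """True if the admin may perform `action` ("read" or "write") on `area` in `vdom`."""
    if area not in AREAS or action not in ("read", "write"):
        raise ValueError("unknown area or action")
    needed = Access.READ if action == "read" else Access.READ_WRITE
    # A VDOM-scoped profile never reaches outside the VDOMs the admin is assigned to.
    if admin.profile.scope == "vdom" and vdom not in admin.vdoms:
        return False
    return admin.profile.perms[area] >= needed

def write_areas(admin: Admin) -> dict:
    """Areas where the profile grants write access; handy when reviewing custom profiles."""
    return {a: lvl.name for a, lvl in admin.profile.perms.items() if lvl == Access.READ_WRITE}
```

Reviewing `write_areas` for each custom profile is a quick way to confirm that a read-only auditor or a VDOM-scoped operator has not been given more than the slide's hierarchy intends.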
Two-Factor Authentication

Password (one factor) + FortiToken (two factor)

18
Other Two-Factor Authentication

19
Administrative Access: Trusted Sources

• FortiGate will not respond to administration traffic except from these IPs/subnets

20
Administrative Access: Ports

• Port numbers are customizable
• Only using secure access methods is recommended

21
Administrative Access: Protocols

• Each interface’s management protocols enabled separately
o Separate IPv4 & IPv6
o IPv6 options hidden by default

22
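The three "Administrative Access" slides describe three independent gates on a management request: the protocol must be enabled on the receiving interface, the request must hit the (customizable) port, and the source must be one of the administrator's trusted hosts. The Python below is an added example that models those checks in order; it is not FortiOS code. It assumes the common default ports, that an empty trusted-host list means "any source", and a hypothetical `insecure_methods` helper that flags the clear-text methods the slides advise against.

```python
import ipaddress

# Default management ports; the "Administrative Access: Ports" slide says these can be changed.
DEFAULT_PORTS = {"https": 443, "ssh": 22, "http": 80, "telnet": 23}
# Methods that do not send credentials in clear text; ping carries no credentials at all.
SECURE_METHODS = {"https", "ssh", "ping"}

class Interface:
    """One FortiGate interface with its own set of enabled management protocols."""
    def __init__(self, name, allowaccess):
        self.name = name
        self.allowaccess = set(allowaccess)

class AdminAccount:
    """An administrator with trusted hosts (IPv4 or IPv6 addresses/subnets)."""
    def __init__(self, name, trusted_hosts=()):
        self.name = name
        self.trusted = [ipaddress.ip_network(h, strict=False) for h in trusted_hosts]

def is_trusted(account, src_ip):
    """An empty trusted-host list is treated here as 'any source' (assumption of this model)."""
    if not account.trusted:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in account.trusted)   # IPv4 vs IPv6 mismatch compares as False

def admin_request_allowed(iface, account, src_ip, protocol, dst_port=None, ports=DEFAULT_PORTS):
    """Apply the three checks in order: interface protocol, port, trusted source."""
    if protocol not in iface.allowaccess:
        return False, f"{protocol} not enabled on {iface.name}"
    if protocol in ports and ports[protocol] != dst_port:
        return False, f"{protocol} listens on {ports[protocol]}, not {dst_port}"
    if not is_trusted(account, src_ip):
        return False, f"{src_ip} is not a trusted host for {account.name}"
    return True, "allowed"

def insecure_methods(iface):
    """Management methods enabled on the interface that send credentials in clear text."""
    return sorted(iface.allowaccess - SECURE_METHODS)
```

Running `insecure_methods` over every interface is the check behind the "only secure access methods" recommendation: anything it returns (HTTP, Telnet) is a candidate for removal, and a WAN-facing interface ideally returns nothing at all for management.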
Features Hidden by Default

• Some features are CLI-only (diagnose debug etc.)
• By default, some features are hidden in the GUI
o Hidden features are not disabled
• Hide/show via:
o Dashboard widget (primary features only)
o Full list hidden/shown via System > Config > Features

23
Features Hidden by Default: Security Features

• NGFW
o Next Generation Firewall
o Line Speed Inspection
• ATP
o Advanced Threat Protection
o Focuses on protecting PCs
• WF
o Web Filtering
• Full UTM
o All inspection profiles

24
Interface IPs

• In NAT mode, interfaces cannot be used until they have an IP
o Manually assigned
o Via DHCP
o Via PPPoE (configure via CLI)
• Except one-arm or FortiAP link

25
FortiGate as a DHCP Server

• Per interface setup

26
DHCP Server: IP Reservation

• Reservations re-assign IP address to the same host
o To reserve, select IP address or choose existing DHCP lease
o Identify reservation as either:
• Regular (over Ethernet)
• Over IPSec
• FortiGate uses host’s MAC address to look up its IP address in reservation table

27
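The reservation slide states that the lookup key is the host's MAC address and that a reservation can be created either from a chosen IP or from an existing lease. The Python below is an added example of that logic, not FortiOS code; it assumes a hypothetical `DhcpServer` class with a contiguous dynamic pool, a reservation table with the slide's two kinds ("regular" and "ipsec"), and the rule that a reserved address is never handed to any other host, even if the reserved host is currently offline.

```python
import ipaddress

def _norm_mac(mac):
    """Canonical lower-case colon form so 'AA-BB-...' and 'aa:bb:...' match the same host."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class DhcpServer:
    """Dynamic pool plus a reservation table keyed by MAC, as on the IP Reservation slide."""
    def __init__(self, pool_start, pool_end):
        start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        self.pool = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
        self.reservations = {}   # mac -> ip (may be inside or outside the pool)
        self.leases = {}         # mac -> ip currently assigned

    def reserve(self, mac, ip, kind="regular"):
        """Reserve an address ('regular' over Ethernet or 'ipsec' over a tunnel)."""
        if kind not in ("regular", "ipsec"):
            raise ValueError("kind must be 'regular' or 'ipsec'")
        mac, ip = _norm_mac(mac), ipaddress.ip_address(ip)
        holder = next((m for m, leased in self.leases.items() if leased == ip), None)
        if holder is not None and holder != mac:
            raise ValueError(f"{ip} is currently leased to {holder}")
        self.reservations[mac] = ip

    def reserve_existing_lease(self, mac, kind="regular"):
        """The GUI's 'choose existing DHCP lease' option: pin the host to the IP it already holds."""
        mac = _norm_mac(mac)
        if mac not in self.leases:
            raise KeyError(f"no lease for {mac}")
        self.reserve(mac, self.leases[mac], kind)

    def offer(self, mac):
        """Look the MAC up in the reservation table first; otherwise hand out a free pool address."""
        mac = _norm_mac(mac)
        if mac in self.reservations:
            self.leases[mac] = self.reservations[mac]
            return self.leases[mac]
        if mac in self.leases:
            return self.leases[mac]
        taken = set(self.leases.values()) | set(self.reservations.values())
        for ip in self.pool:
            if ip not in taken:          # reserved addresses are never given to another host
                self.leases[mac] = ip
                return ip
        return None                       # pool exhausted

    def release(self, mac):
        self.leases.pop(_norm_mac(mac), None)
```

The `taken` set in `offer` is the detail that matters operationally: a reservation that sits inside the dynamic pool must be excluded from dynamic allocation, otherwise the reserved host comes back to find its address in use by someone else.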
DHCP Logs

28
FortiGate as a DNS Server

• Resolves DNS lookups from internal network
o Enabled per interface
o Not appropriate for Internet service due to load
• One DNS database can be shared by all FortiGate interfaces
o Can be separate per VDOM
• Resolution methods:
o Forward to System DNS — Relay requests to next server (in DNS settings)
o Non-recursive — Use FortiGate DNS database only; drop unresolvable queries
o Recursive — Use FortiGate DNS database; relay unresolvable queries to next server (in DNS settings)

29
DNS Forwarding

• Control of DNS without maintaining a database
o GUI allows setting to Forward only
o CLI allows Forward, Recursive and Non-recursive behavior

30
DNS Database: Configuration

• Add DNS zones
o Each zone has its own domain name
o Format defined by RFC 1034 and 1035
• Add DNS entries to each zone
o Host name
o IP address it resolves to
o Types supported:
• IPv4 address (A) or IPv6 address (AAAA)
• Name server (NS)
• Canonical name (CNAME)
• Mail exchange (MX) server
• IPv4 (PTR) or IPv6 (PTR)

31
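The "FortiGate as a DNS Server" slide lists three resolution methods and the "DNS Database: Configuration" slide describes zones with per-host entries of the listed record types. The Python below is an added example serving both slides; it is not FortiOS code. It assumes a hypothetical `DnsDatabase` (zones keyed by domain name, entries keyed by host and type, CNAMEs followed only within the local database), a `system_dns` callable standing in for the "next server" in DNS settings, and a constructed internal zone `corp.example` whose public view differs from the internal one, so the three modes give visibly different answers.

```python
RECORD_TYPES = {"A", "AAAA", "NS", "CNAME", "MX", "PTR"}   # types listed on the slide
FORWARD_ONLY, NON_RECURSIVE, RECURSIVE = "forward", "non-recursive", "recursive"

class DnsDatabase:
    """Zones and entries as on the 'DNS Database: Configuration' slide."""
    def __init__(self):
        self.zones = {}   # zone name -> {(hostname, type): value}

    def add_zone(self, name):
        self.zones[name.lower().rstrip(".")] = {}

    def add_entry(self, zone, hostname, rtype, value):
        if rtype not in RECORD_TYPES:
            raise ValueError(f"unsupported record type {rtype}")
        self.zones[zone.lower().rstrip(".")][(hostname.lower(), rtype)] = value

    def lookup(self, qname, rtype, depth=0):
        """Answer from the local zones only; None means 'not resolvable here'."""
        qname = qname.lower().rstrip(".")
        # Longest zone name first, so 'corp.example' wins over a broader 'example' zone.
        for zone in sorted(self.zones, key=len, reverse=True):
            records = self.zones[zone]
            if qname != zone and not qname.endswith("." + zone):
                continue
            host = "@" if qname == zone else qname[: -len(zone) - 1]
            if rtype != "CNAME" and (host, "CNAME") in records and depth < 8:
                # Follow the alias, but only to a name the local database can also answer.
                return self.lookup(records[(host, "CNAME")], rtype, depth + 1)
            return records.get((host, rtype))
        return None

def resolve(mode, db, system_dns, qname, rtype="A"):
    """system_dns stands in for the 'next server' configured under DNS settings."""
    if mode == FORWARD_ONLY:
        return system_dns(qname, rtype)            # database not consulted at all
    answer = db.lookup(qname, rtype)
    if answer is not None or mode == NON_RECURSIVE:
        return answer                              # non-recursive: unresolvable -> dropped (None)
    if mode == RECURSIVE:
        return system_dns(qname, rtype)            # recursive: relay what the DB cannot answer
    raise ValueError(f"unknown mode {mode}")

def build_sample():
    """Constructed sample: an internal zone plus a stand-in upstream resolver."""
    db = DnsDatabase()
    db.add_zone("corp.example")
    db.add_entry("corp.example", "www", "A", "10.0.0.10")
    db.add_entry("corp.example", "www", "AAAA", "fd00::10")
    db.add_entry("corp.example", "intranet", "CNAME", "www.corp.example")
    db.add_entry("corp.example", "@", "MX", "mail.corp.example")
    public = {("www.corp.example", "A"): "203.0.113.10", ("example.org", "A"): "198.51.100.5"}
    return db, lambda name, rtype: public.get((name.lower().rstrip("."), rtype))
```

The sample makes the trade-off concrete: forward-only returns the public address for `www.corp.example` because the database is bypassed, non-recursive answers internal names but silently drops everything else, and recursive gives internal answers while still relaying `example.org` to the next server.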
Static Gateway

• Must be at least 1 default gateway
• If interface is DHCP or PPPoE, then gateway can be added dynamically

32
Configuration Files

• Configuration can be saved to an external file
o Optional encryption
o Can back up automatically
• Upon logout
• Not available on all models
• To restore a previous configuration, upload file
o Reboots FortiGate

33
Configuration File Format

Plain-text header (first line of the backup file):
#config-version=FWF60D-5.00-FW-build252-131031:opmode=0:vdom=0:user=admin#conf_file_ver=1048892595416027

Encrypted header:
#FGBK|3|FWF60D|5|00|252|5734#buildno=0252#global_vdom=1

Fields annotated on the slide: Model (FWF60D), Firmware Major Version (5.00), Build Number (252)

• Only has non-default & important settings (smaller file size)
• Header has device details
• After header, encrypted file is not readable
• Restoring configuration
o Encrypted? Same device/model + build + password required
o Unencrypted? Same model required
• Different build OK if upgrade path is supported
34
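A practical use of the header is to check a backup against the target device before uploading, since a restore reboots the FortiGate. The Python below is an added example, not Fortinet tooling: it parses the two header shapes shown on the slide and applies the slide's restore rules. The regular expression for the plain-text header follows the fields visible on the slide; the positional reading of the pipe-delimited encrypted header (model, major version, minor version, build) is an assumption based on the slide's annotations, and the remaining fields are not interpreted. The two sample strings are copied from the slide.

```python
import re

# Plain-text header as shown on the slide (first line of a backup file):
# #config-version=FWF60D-5.00-FW-build252-131031:opmode=0:vdom=0:user=admin
PLAINTEXT_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<version>\d+\.\d+)-FW-build(?P<build>\d+)-(?P<date>\d+)"
    r":opmode=(?P<opmode>\d+):vdom=(?P<vdom>\d+):user=(?P<user>[^#:]+)"
)

def parse_header(first_line):
    """Return the device details from a backup's first line, or raise if unrecognised."""
    m = PLAINTEXT_RE.match(first_line)
    if m:
        return {"encrypted": False, "model": m["model"], "version": m["version"],
                "build": int(m["build"]), "opmode": int(m["opmode"]),
                "vdom_enabled": m["vdom"] == "1", "user": m["user"]}
    if first_line.startswith("#FGBK|"):
        # Field positions follow the slide's annotations (model, major version, build);
        # the other pipe-delimited fields are not interpreted here (assumption).
        fields = first_line.split("#")[1].split("|")
        return {"encrypted": True, "model": fields[2],
                "version": f"{fields[3]}.{fields[4]}", "build": int(fields[5])}
    raise ValueError("not a FortiGate configuration header")

def restore_problems(header, device_model, device_build, password=None, upgrade_path_ok=False):
    """List reasons the file cannot be restored on the given device (empty list = OK).
    Rules from the slide: encrypted needs same model + build + password; plain text needs
    the same model, and a different build only if the upgrade path is supported."""
    problems = []
    if header["model"] != device_model:
        problems.append(f"model mismatch: file is {header['model']}, device is {device_model}")
    if header["encrypted"]:
        if header["build"] != device_build:
            problems.append("encrypted file requires the same build")
        if not password:
            problems.append("encrypted file requires the backup password")
    elif header["build"] != device_build and not upgrade_path_ok:
        problems.append("different build and no supported upgrade path")
    return problems

# Sample headers copied from the slide
PLAIN = ("#config-version=FWF60D-5.00-FW-build252-131031:opmode=0:vdom=0:user=admin"
         "#conf_file_ver=1048892595416027")
ENC = "#FGBK|3|FWF60D|5|00|252|5734#buildno=0252#global_vdom=1"
```

Note that `upgrade_path_ok` has to come from the release notes; the header alone cannot tell you whether build 252 to a later build is a supported path, which is why the upgrade checklist on the next slides insists on reading them.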
Per VDOM Configuration Files

• Usually, backup is complete
• If virtual domains (VDOMs) are enabled, you can back up VDOMs individually (i.e. partial backup)

35
Upgrade

1. Back up configuration (full config backup from CLI)
2. Download copy of current firmware in case reversion is needed
3. Have physical access, or terminal server connected to local console, in case reversion is needed
4. READ RELEASE NOTES (upgrade path, bug information)
5. Upgrade

36
Downgrade

1. Get pre-upgrade configuration file
2. Download copy of current firmware in case reversion is needed
3. Have physical access, or terminal server connected to local console, in case reversion is needed
4. READ RELEASE NOTES (Does downgrade preserve config?)
5. Downgrade
6. If required, upload configuration that matches firmware version

37
Upgrade via FortiExplorer

38
Review

• Key FortiGate features
• FortiGuard services
• Administrators and permissions
• Operating mode differences
• Basic network settings
• Console ports
• How to show and hide features in the GUI
• Configuration backup and restoration
• Upgrade and downgrade
• Built-in DHCP and DNS servers

39
