FGT Security Lab Guide For Fortios 72
FGT Security Lab Guide For Fortios 72
© FORTINET
FortiGate Security
Lab Guide
for FortiOS
7.2
DO NOT REPRINT
© FORTINET
Fortinet Training Institute - Library
https://training.fortinet.com
https://docs.fortinet.com
https://kb.fortinet.com
https://fusecommunity.fortinet.com/home
Fortinet Forums
https://forum.fortinet.com
https://support.fortinet.com
FortiGuard Labs
https://www.fortiguard.com
https://www.fortinet.com/nse-training
https://home.pearsonvue.com/fortinet
https://helpdesk.training.fortinet.com/supp
ort/home
8/30/2022
DO NOT REPRINT
© FORTINET
TABLE OF CONTENTS
Change Log 7
Network Topology 8
Lab 1: FortiGate Introduction 9
VM Usernames and Passwords 9
Exercise 1: Working With the CLI 10
Explore the CLI 10
Exercise 2: Generating Configuration Backups 13
Restore a Configuration From a Backup 13
Back Up and Encrypt a Configuration File 15
Restore an Encrypted Configuration Backup 16
Compare the Headers of Two Configuration Files 16
Exercise 3: Configuring Administrator Accounts 19
Configure a User Administrator Profile 19
Create an Administrator Account 20
Test the New Administrator Account 20
Restrict Administrator Access 21
Test the Restricted Access 21
Lab 2: Firewall Policies 23
Exercise 1: Creating Firewall Address Objects and Firewall Policies 27
Create Firewall Address Objects 27
Create a Firewall Policy 27
Test the Firewall Policy and View the Generated Logs 28
Exercise 2: Reordering Firewall Policies and Firewall Policy Actions 30
Create a Firewall Policy 30
Test the Reordering of a Firewall Policy 31
Exercise 3: Applying ISDB Objects as Destinations 34
Review the ISDB 34
Configure a Firewall Policy Destination as an ISDB Object 34
Test the Internet Service Firewall Policy 35
Exercise 4: Using Policy Lookup 37
Enable Existing Firewall Policies 37
Set Up and Test the Policy Lookup Criteria 37
Reorder the Firewall Policies 38
DO NOT REPRINT
© FORTINET
Retest Policy Lookup After Reordering the Firewall Policies 39
Lab 3: NAT 41
Exercise 1: Configuring DNAT Settings Using a VIP 44
Create a VIP 44 Create a Firewall Policy 45 Test the VIP
Firewall Policy 46 Test SNAT 47 Exercise 2: Using Dynamic NAT With IP Pools
49 Create an IP Pool 49 Edit a Firewall Policy to Use the IP Pool 50
Test Dynamic NAT With IP Pools 51 Exercise 3: Configuring Central SNAT
52 Configure a Central SNAT Policy 54 Review the
Firewall Policy 55 Test Central SNAT 56 Exercise 4:
Configuring and Testing DNAT and VIPs 58 Create DNAT
and VIPs 58 Verify the Firewall Policy Settings 59 Test DNAT and VIPs 60
Lab 4: Firewall Authentication 62 Exercise 1:
Configuring Remote Authentication 64 Configure an LDAP Server on
FortiGate 64 Assign an LDAP User Group to a Firewall Group 65 Add the Remote
User Group to the Firewall Policy 68 Authenticate and Monitor the Authentication
69 Remove the User Group From the Firewall Policy 70 Lab 5:
Log Configuration and Monitoring 72 Exercise 1:
Configuring Log Settings 75 Configure Log Settings 75 Configure
Threat Weight 77 Exercise 2: Enabling Logging on Firewall Policies
79 Enable Logging on a Firewall Policy 79 Exercise 3:
Monitoring Logs Through Email Alerts 82 Configure Email
Alerts 82 Generate Traffic 82 Generate Traffic Through FIT
82 Generate Traffic Through Nikto
84
View Email Alerts 85
Exercise 4: Viewing Logs on the FortiGate GUI 87
View Logs From the Log & Report Menu 87 View Forward Traffic Logs 87
DO NOT REPRINT
© FORTINET
View Security Profile Logs 89
View and Filter IPS Logs 90 View Logs in
FortiView 91 Lab 6: Certificate Operations
93 Exercise 1: Configuring Full SSL Inspection on
Outbound Traffic 96 Configure SSL
Inspection 96 Enable SSL Inspection on a Firewall Policy
97 Install the Fortinet_CA_SSL Certificate 97 Test Full SSL
Inspection 101 Exercise 2: Configuring Full SSL Inspection on Inbound Traffic
102 Configure a Virtual IP and Firewall Policy
102 Install the Training CA Certificate 103 Configure Inbound Full SSL
Inspection 109 Lab 7: Web Filtering 114 Exercise 1:
Configuring FortiGuard Web Filtering 117 Review the
FortiGate Settings 117 Determine Web Filter Categories 118 Configure a
FortiGuard Category-Based Web Filter 120 Apply the Web Filter Profile to a Firewall
Policy 122 Test the Web Filter 123 Create a Web Rating Override 125
Test the Web Rating Override126 Exercise 2: Setting Up Web Filtering Authentication
127 Set Up the Authenticate Action 127
Define Users and Groups 128 Test the Authenticate Action 129 Lab 8:
Application Control 131 Exercise 1:
Controlling Application Traffic 134 Configure
Filter Overrides 134 Apply the Application Control Profile to the Firewall Policy
136 Test the Application Control Profile 137 Configure Application
Overrides 138 Test Application Overrides 139 View Logs
139 Exercise 2:
Controlling Application Bandwidth Usage 140 Modify the
Application Override Action 140 Configure a
Traffic Shaping Policy 141 Test Traffic
Shaping 144
Exercise 3: Implementing Application Control in NGFW Policy-Based Mode 147
Enable Policy-Based NGFW Mode 147
Configure SSL Inspection and Central SNAT Policies 147
DO NOT REPRINT
© FORTINET
Configure the Security Policy and Test Application Control 149
Lab 9: Antivirus 152
Exercise 1: Using Antivirus Scanning in Proxy-Based Inspection Mode 154
Change the Antivirus Profile Inspection Mode 154
Enable the Antivirus Profile on a Firewall Policy 155
Test the Antivirus Configuration 155
Test an Alternate Download Method 156
View the Antivirus Logs 157
Enable SSL Inspection on a Firewall Policy 158
Exercise 2: Configuring Flow-Based Antivirus Scanning 160
Change the Antivirus Profile Inspection Mode 160
Change the FortiGate Inspection Mode 161
Test the Flow-Based Antivirus Profile 161
View the Antivirus Logs 163
Test the Machine learning (AI) scan 163
Lab 10: IPS and DoS 166
Exercise 1: Blocking Known Exploits 168
Configure IPS Inspection 168
Apply an IPS Sensor to a VIP Firewall Policy 169
Generate Attacks From the Linux Server 172
Monitor the IPS 172
Exercise 2: Using Rate-Based IPS Signatures 174
Apply Rate-Based Signatures 174
Test the Rate-Based Signature 175
Exercise 3: Mitigating a DoS Attack 178
Create a DoS Policy 178
Test the DoS Policy 179
Lab 11: Security Fabric 181
Exercise 1: Configuring the Security Fabric on Local-FortiGate and ISFW 186
Configure FortiAnalyzer Logging on Local-FortiGate (Root) 186
Configure the Security Fabric on Local-FortiGate (Root) 187
Configure the Security Fabric on ISFW 189
Authorize ISFW (Downstream) on Local-FortiGate (Root) 191
Check the Security Fabric Deployment Result 192
Exercise 2: Configuring the Security Fabric on Local-FortiGate and Remote-
FortiGate 194
Configure the Security Fabric on Remote-FortiGate (Downstream)
194 Authorize Remote-FortiGate (Downstream) on Local-FortiGate (Root) 195
Check the Security Fabric Deployment Result 196 Exercise 3: Running the
Security Rating 199 Run the Security Rating on the Local-
FortiGate (Root) 199
DO
CNhaOngeTLogREPRINT
© FORTINET
Change Log
This table includes updates to the FortiGate Security 7.2 Lab Guide dated 6/13/2022 to the updated
document version dated 8/30/2022.
Change Location
Objectives
Access the FortiGate CLI
Back up and restore configuration files
Locate the FortiGate model and FortiOS firmware build in a configuration
file Create a new administrator user
Restrict administrator access
Time to Complete
Estimated: 25 minutes
VM Username Password
This command displays basic status information about FortiGate. The output includes the FortiGate
device serial number, operation mode, and so on. When the More prompt appears on the CLI, perform
one of the following actions:
Action Command
To exit Type q.
This command shows all options that the CLI will accept after the # get command. Depending on
the command, you may need to enter additional words to completely specify a configuration option.
7. Try some of the control key sequences shown in the following table:
© FORTINET
Action Command
This command lists all options that the CLI accepts after the execute command.
10. Press the space bar, and then press the Tab key three times.
Each time you press the Tab key, the CLI replaces the second word with the next possible option for the
execute command, in alphabetical order.
You can abbreviate most commands. In lessons and labs, many of the
commands that you see are in abbreviated form. For example, instead of typing
execute, you can type exe.
Use this technique to reduce the number of keystrokes that are required to enter a
command. Often, experts can configure FortiGate faster using the CLI than using
the GUI.
If there are other commands that start with the same characters, your
abbreviation must be long enough to be specific, so that FortiGate can
distinguish them.
Otherwise, the CLI displays an error message about ambiguous commands.
11. On a new line, enter the following command to view the port3 interface configuration (hint: try using the
shortcuts you just learned about):
show system interface port3
© FORTINET
Stop and think!
The show full-configuration command displays all the configuration settings for the interface. The
show command displays only those values that are different from the default values.
The first time that you log in, you may need to click and drag the screen from
the bottom to bring up the login prompt.
2. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI at 10.0.1.254 with
the username admin and password password.
You can also access the Local-FortiGate GUI from the bookmarks bar in the
Mozilla Firefox browser.
All lab exercises were tested running Firefox on the Local-Client and Remote-Client
VMs. To get consistent results, you should use Firefox to access both the internet
and the FortiGate GUIs in this virtual environment.
3. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
© FORTINET
4. Click Upload to select the backup configuration file from your local
PC.
5. Click Desktop > Resources > FortiGate-Security > Introduction > local-initial.conf, and then click
Open.
6. Click OK.
7. Click OK to reboot.
After your browser uploads the configuration, FortiGate reboots automatically. This takes approximately
30– 45 seconds.
8. When the Local-FortiGate GUI login page reappears after reboot, log in with the username admin and
password
password.
9. Click Network > Interfaces, and then verify that the network interface settings were restored.
10. Click Network > Static Routes, click the + sign to expand the IPv4 routes, and then verify that the default
route was restored.
CIoNnfigTuration Backups
File
© FORTINET
Always back up the configuration before making changes to FortiGate (even if the change seems minor or
unimportant). There is no undo. You should carefully consider the pros and cons of an encrypted backup before
you begin encrypting backups. While your configuration, including things like private keys, remains private, an
encrypted file hampers troubleshooting because Fortinet Support cannot read the file. Consider saving backups
in plaintext, and storing them in a secure place instead.
You will create an encrypted file with the backup of the FortiGate current configuration.
5. Click OK.
6. Select Save File, and then click Cancel.
The Firefox browser saves the encrypted configuration file in the Downloads folder, by default. Ensure
that you record the password and store it in a secure place.
You can access downloaded files by clicking the blue down arrow in the upper-
right corner of the browser.
ERncErypPtedRCoInNfiguTration Backup
Backups
© FORTINET
Restore an Encrypted Configuration Backup
Restoring from a backup enables you to return FortiGate to a previous configuration. As a word of caution, if
you cannot recall the password required to decrypt an encrypted backup, you will not be able to restore
FortiGate to the backup. Ensure that you record the password and store it in a secure place.
You will restore the configuration backup that you created in the previous procedure.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see Compare the Headers of Two Configuration Files on page 16.
When you troubleshoot issues, or when you restore FortiGate to an earlier OS version or build, it is useful to
know where to find the version and build number in a configuration file. This task shows you where to find this
information.
You will open and compare two configuration files using Notepad++.
CIoNnfigTuration Backups
Files
© FORTINET
2. Click File > Open, and then browse to the Downloads folder to open the encrypted configuration
file.
3. Click File > Open, and then browse to the initial configuration file:
Desktop\Resources\FortiGate-Security\Introduction\local-initial.conf
© FORTINET
In both the cleartext and encrypted configuration files, the top line acts as a
header, and lists the firmware and model that this configuration belongs to.
In this exercise, you will work with administrator profiles and administrator user accounts. An administrator
profile is a role that is assigned to an administrator user that defines what the user is permitted to do on the
FortiGate GUI and CLI.
You will create a new user administrator profile that has read-only access for most of the configuration settings.
ARdmiEnisPtratRor AIcNcouTnt
Accounts
© FORTINET
Create an Administrator Account
You will create a new administrator account. You will assign the account to the administrator profile you created
in the previous procedure. The administrator will have read-only access to most of the configuration settings.
Field Value
Username Security
Password fortinet
Administrator names and passwords are case sensitive. You can't include
characters, such as < > ( ) # ", in an administrator account name
You will confirm that the new administrator account has read-write access to only the security
profiles configuration.
AIdNminTistrator Accounts
© FORTINET
2. Log back in to the Local-FortiGate GUI with the username Security and password fortinet.
3. In the FortiGate Setup window, click Later.
4. Enable Don't show again, and then click OK to close the FortiOS introduction window.
5. Explore the permissions that are listed in the GUI.
You should see that this account can configure only security profiles.
You will restrict access for FortiGate administrators. Only administrators connecting from a trusted subnet are
allowed access. This is useful if you must restrict the access points that administrators connect to FortiGate
from.
You will verify that a Security administrator outside the 10.200.3.0/24 subnet can't access FortiGate.
theTResRtricEtedPAcRcesIsNT
Accounts
© FORTINET
What is the result this
time?
Stop and think!
Why were you able to log in using the admin account and not the Security account from the Local-
Client VM directly connecting to the Local-FortiGate GUI?
This is because Trusted Host is set on the Security administrator account but not on the admin
account.
5. On the Local-FortiGate CLI, log in with the username admin and password password.
6. Enter the following CLI commands to add 10.0.1.0/24 as the second trusted IP subnet (Trusted Host 2) to
the
Security administrator account:
config system admin
edit Security
set trusthost2
10.0.1.0/24
end
Objectives
Configure firewall objects and firewall policies
Configure source and destination matching in firewall
policies Apply service and schedule objects to a firewall
policy Configure firewall policy logging options
Reorder firewall policies
Read and understand
logs
Use policy lookup to find
a matching policy
Time to Complete
Estimated: 25 minutes
5. Click OK to reboot.
5. Click OK to reboot.
5. Click OK to reboot.
At its core, FortiGate is a firewall, so almost everything that it does to your traffic is related to your firewall
policies.
By default, FortiGate has many preconfigured, well-known address objects in the factory default
configuration. However, if those objects don’t meet the needs of your organization, you can configure more.
Name LOCAL_SUBNET
Type Subnet
IP/Netmask 10.0.1.0/24
Interface any
5. Click OK.
First, you will disable the existing firewall policy. Then, you will create a more specific firewall policy using
the firewall address object that you created in the previous procedure. You will also select specific services
and configure log settings.
Name Internet_Access
Source LOCAL_SUBNET
Destination all
Schedule always
Action ACCEPT
NAT <enable>
3. Leave all other settings at the default values, and then click OK to save the changes.
When you create firewall policies, remember that FortiGate is a stateful firewall. As
a result, you need to create only one firewall policy that matches the direction of
the traffic that initiates the session.
Now that you configured the firewall policy, you will test it by passing traffic through it and viewing the
generated logs.
When sessions close, there is a separate log entry for the amount of data that was sent and received.
Enabling Generate Logs when Session Starts in the firewall policy will generate
twice the amount of log messages. You should use this option only when this level
of detail is absolutely necessary.
When you click Show Matching Logs in the firewall policy, it adds the Policy
UUID
filter in the forward traffic logs.
When you remove the Policy UUID filter, the logs are displayed unfiltered. You will use the logs in
upcoming labs.
In this exercise, you will create a new firewall policy with more specific settings, such as the source, destination,
and service, and you will set the action to DENY. Then, you will move this firewall policy above the existing
firewall policies and observe the behavior that reordering the firewall policies creates.
You will create a new firewall policy to match a specific source, destination, and service, and you will set the
action to DENY.
After you have performed these steps, see Test the Reordering of a Firewall Policy on page
31.
© FORTINET
Field Value
Name Block_Ping
Source LOCAL_SUBNET
Destination LINUX_ETH1
Schedule always
Service PING
Tip: Type the service name in the search box to quickly find it, and
then click the service object to add it to the policy.
Action DENY
Now that your configuration is ready, you will test it by moving the Block_Ping firewall policy above the
Internet_ Access firewall policy. The objective is to confirm that, after you reorder the firewall policies, the
following occurs:
Traffic is matched to a more specific firewall
policy. The policy ID remains the same.
To confirm traffic matches a more granular firewall policy after reordering the
policies
1. On the Local-Client VM, open a terminal.
2. Ping the destination address (LINUX_ETH1) that you configured in the Block_Ping firewall policy.
ping 10.200.1.254
Why are you still able to ping the destination address, even though you just configured a policy to block it?
The ping should still work because it matches the ACCEPT policy and not the DENY policy that you
created. The Block_Ping policy was never checked because the traffic matched the policy at the top
(Internet_ Access). This demonstrates the behavior that FortiGate looks for a matching policy, beginning
at the top.
3. Leave the terminal window open and running.
4. On the Local-FortiGate GUI, click Policy & Objects > Firewall
Policy.
© FORTINET
5. Hover over the Name column.
A settings icon appears beside Name.
6. Click the settings icon, scroll down to the Select Columns section, select the ID column, and then click
Apply.
7. Drag the ID column to the left of the Name column, so it becomes the first column in the
table. Note the current ID values for both the Internet_Access and Block_Ping firewall
policies.
8. In the ID column, drag the Block_Ping firewall policy up, and place it above the Internet_Access firewall
policy. When you move the Block_Ping policy up, the ID value remains the same.
© FORTINET
If the changes that you made are not displayed, refresh the page. Alternatively,
you can log out of the FortiGate GUI, and then log back in.
9. On the Local-Client VM, review the terminal window that is running the continuous
ping. You should see that the pings now fail.
This demonstrates the outcome of the policy reordering. After moving the more granular policy above the
general access policy, the traffic is matched to the more granular policy and, based on the DENY action,
the traffic stops being processed.
You can use ISDB objects to allow or deny traffic to well-known internet destinations, without having to
configure the IP addresses, protocols, or ports that those destinations use in the firewall policy.
In this exercise, you will apply an ISDB object as the destination criteria in a firewall policy to block traffic to a
well- known internet service.
5. Click Return.
You will modify an existing firewall policy and use an ISDB object as a destination.
Type the internet service object name in the search box to quickly find it, and then
click the object to add it to the policy.
ISRDBINObjTects as Destinations
Policy
© FORTINET
7. Click OK.
Now that you configured the firewall policy, you will test it by passing traffic through it.
© FORTINET
Stop and think!
FortiGate checks for the matching policy from top to bottom. Facebook is blocked by the ID 4 firewall
policy because the destination is set to Facebook-Web. Twitter is allowed by the ID 3 firewall policy,
which allows internet access.
2. On the Local-FortiGate GUI, click Log & Report > Forward Traffic.
You should see many policy violation logs that the Block_Facebook policy
reported.
3. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy, right-click the Block_Facebook
firewall policy, select Set Status, and then click Disable.
In this exercise, you will use the policy lookup feature to find a matching firewall policy based on input
criteria.
As required in the previous exercises, most of the configured firewall policies are currently disabled. Now, you
will enable some of the existing firewall policies.
policies. If you require assistance, or to verify your work, use the step-by-step instructions that
follow.
After you have performed these steps, see Set Up and Test the Policy Lookup Criteria on page 37.
To enable existing firewall policies
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Policy & Objects > Firewall Policy.
3. Right-click the Fortinet firewall policy, select Set Status, and then click Enable.
4. Right-click the Full_Access firewall policy, select Set Status, and then click Enable.
You will set up the policy lookup criteria. FortiGate searches and highlights the matching firewall policy based
on your input criteria.
Field Value
theRFireEwaPll PRolicIieNs T
Lookup
© FORTINET
Field Value
Protocol TCP
Source 10.0.1.100
Destination fortinet.com
3. Click Search.
The search matches the Full_Access policy, but does not match the more specific Fortinet firewall policy.
In the search criteria, the source address is set to 10.0.1.100. This source address is not included in the
Fortinet firewall policy; therefore, the search does not match the Fortinet firewall policy.
5. Click Search.
This time, the search matches the Fortinet firewall policy, in which the destination is set to the FQDN
address object.
You will reorder the firewall policies. You will move the Block_Facebook firewall policy above the Full_Access
policy.
policy. If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you have performed these steps, see Retest Policy Lookup After Reordering the Firewall Policies
on page 39.
PPoliRcy LIoNokuTp
Policies
© FORTINET
To reorder the firewall policies
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. From the ID column, drag the Block_Facebook firewall policy above the Full_Access firewall
policy. The order of the firewall policies should match the following example:
You will retest the policy lookup feature after reordering the firewall policies.
Protocol TCP
Source 10.0.1.10
Destination facebook.com
3. Click Search.
Why did the search not match the more specific policy,
The search matches the Full_Access policy, but does not match the more specific Block_Facebook
policy because it is disabled.
© FORTINET
4. Right-click the Block_Facebook firewall policy, select Set Status, and then click
Enable.
5. Click Policy Lookup.
Make sure all the settings match the settings you configured in step 2.
6. Click Search.
This time the search matches the more specific policy, Block_Facebook.
You can use network address translation (NAT) to perform source NAT (SNAT) and destination NAT (DNAT)
for the traffic passing through FortiGate. There are two ways to configure SNAT and DNAT:
Firewall policy NAT
Central NAT
In this lab, you will examine how to configure and test firewall policy for DNAT using virtual IP (VIP), and SNAT
using IP pool. You will configure and test SNAT using the central SNAT policy, and DNAT using the DNAT
policy and VIPs.
Objectives
Configure DNAT settings using a VIP
Configure SNAT settings using overload IP
pools Configure a central NAT policy for SNAT
Configure DNAT and VIPs for DNAT
Time to Complete
Estimated: 50 minutes
Make sure that you restore the correct configuration on each FortiGate using
the following steps. Failure to restore the correct configuration on each
FortiGate will prevent you from doing the lab exercises.
5. Click OK to reboot.
5. Click OK to reboot.
In this exercise, you will examine how to configure a VIP for the Local-Client VM. Then, you will create an
egress- to-ingress firewall policy and apply the VIP. This allows internet connections to the Local-Client VM.
You will also verify the DNAT and SNAT behavior using CLI commands.
Create a VIP
For DNAT on FortiGate, you use a VIP as the destination address field of a firewall policy.
You will configure the VIP to map the Local-Client VM (10.0.1.10) to 10.200.1.200, which is part of the
port1 subnet. To refer to the lab diagram, see Network Topology on page 8.
To create a VIP
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password
password.
2. Click Policy & Objects > Virtual IPs.
3. Click Create New, and then select Virtual IP.
4. Configure the following settings:
Field Value
Name VIP-INTERNAL-HOST
Interface port1
This port is connected to the internet with IP address 10.200.1.1/24.
© FORTINET
5. Click OK.
You will configure a new firewall policy using the VIP that you just created as the destination
address.
Name Web-Server-Access
Source all
Destination VIP-INTERNAL-HOST
Tip: This is listed under the VIRTUAL IP/SERVER section.
Schedule always
Action ACCEPT
theTVIPRFirEewPall
VIP
PRolicIyNT
4. In the Firewall/Network Options section, disable NAT.
5. In the Logging Options section, enable Log Allowed Traffic, and then select All
© FORTINET Sessions.
6. Click OK.
Now that you have configured a firewall policy with the VIP as the destination, you can test your VIP by
accessing it from the Remote-Client VM, which is behind the Remote-FortiGate internal network. A Linux
machine acts as a router between the two FortiGate devices, and routes the traffic from the Remote-FortiGate to
the Local-FortiGate. For more information, see Network Topology on page 8.
You will also test how the source address is translated by the VIP when traffic leaves the Local-Client VM.
© FORTINET
To test VIPs (DNAT)
1. On the Remote-Client VM, open a browser, and then browse to the following
URL:
http://10.200.1.200
If the VIP operation is successful, a simple web page opens.
2. On the Local-FortiGate CLI, log in with the username admin and password password.
3. Enter the following command to check the destination NAT entries in the session table:
get system session list
The following example shows a sample output:
Local-FortiGate# get system session list
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 3594 10.200.3.1:49478 - 10.200.1.200:80 10.0.1.10:80
You will notice that the destination address 10.200.1.200 is translated to 10.0.1.10, which is
the mapping you configured in the VIP.
The HTTP session may have been deleted by the time you run the get
system session list command. You can repeat steps 1–3 to generate a
new HTTP connection and, therefore, another HTTP session through Local-
FortiGate.
Test SNAT
As a result of the VIP (which is a static NAT), FortiGate uses the VIP external address as the NAT IP address
when performing SNAT for the ingress-to-egress direction of the traffic, provided the matching outgoing
firewall policy has NAT enabled. That is, FortiGate doesn't use the egress interface address.
To test SNAT
1. Return to the Local-FortiGate CLI session, and then enter the following command to clear any existing
sessions:
diagnose sys session clear
This clears the session to the Local-FortiGate from the Local-Client VM.
The outgoing connections from the Local-Client VM are now translated with the
VIP address 10.200.1.200, instead of the firewall egress interface IP address
(10.200.1.1).
This is a behavior for SNAT when using a static NAT VIP. That is, when you enable NAT on a policy, the
external address of a static NAT VIP takes precedence over the destination interface IP address if the
source address of the connections matches the VIP internal address.
Currently, Local-FortiGate translates the source IP address of all traffic generated from the Local-Client VM to
10.200.1.200 because the internal address of the VIP matches the address of Local-Client, and the VIP is a
static NAT VIP.
In this exercise, you will examine how to create an IP pool, apply it to the ingress-to-egress firewall policy,
and verify the SNAT address using CLI commands.
Create an IP Pool
You will create an IP pool from the range of public IP addresses available on the egress port (port1).
To create an IP pool
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password
password.
2. Click Policy & Objects > IP Pools.
3. Click Create New, and then configure the following settings:
Field Value
Name INTERNAL-HOST-EXT-IP
Type Overload
4. Click OK.
© FORTINET
Edit a Firewall Policy to Use the IP Pool
You will apply the IP pool to change the behavior from static NAT to dynamic NAT on the ingress-to-egress
firewall policy.
Field Value
NAT <enable>
4. Click the + sign that appeared when you clicked Use Dynamic IP Pool, and then in the right pane, click
INTERNAL-HOST-EXT-IP.
Your configuration will look similar to the following example:
5. Click OK.
© FORTINET
Test Dynamic NAT With IP Pools
Now that your configuration is ready, you can test dynamic NAT with IP pools by browsing to a few external
sites on the internet. If successful, you will see that the Local-Client VM IP address (10.0.1.10) is translated to
the IP pool address of 10.200.1.100.
You built the filter to match sessions sourced from 10.0.1.10. This way, when you
run the diagnose sys session clear CLI command, it clears only the
sessions sourced from 10.0.1.10. As a result, your SSH session is not
disconnected. This is why it is important to build the session filter before using the
session clear command.
3. On the Local-Client VM, open a few browser tabs, and connect to a few websites, such as:
www.fortinet.com
www.yahoo.com
www.bbc.com
4. On the Local-FortiGate CLI, enter the following command to verify the SNAT address that the sessions are
using:
get system session list
The following image shows a sample output:
Notice that the SNAT address is now 10.200.1.100, as configured in the IP pool, and the IP pool
has overridden the static NAT VIP.
In this exercise, you will examine how to configure a central SNAT policy and test it.
Prerequisites
Before beginning this lab, you must restore a configuration for central NAT to Local-FortiGate.
Make sure to restore the correct configuration for Local-FortiGate using the
following steps. Failure to restore the correct configuration on Local-FortiGate will
prevent you from doing the lab exercise.
© FORTINET
5. Click OK to reboot.
When enabling central NAT, you must first remove VIP and IP pool references
from the existing firewall policies.
For example, if you try to enable central NAT without removing VIP and IP
pool references from the existing firewall policies, you will see the following
error:
To prevent this error from occurring during this exercise, the following changes
were made as part of the configuration restoration:
The IP pool was removed from the Full_Access firewall policy (policy ID 1), and
the VIP address was removed from the Web-Server-Access firewall policy
(policy ID 2), because central NAT can be enabled only if none of the firewall
policies have IP pools and VIPs associated with them.
The VIP you added in a previous exercise to test the firewall policy SNAT
was removed.
Central NAT was enabled.
You will notice all the changes listed above after you load local-
central- nat.conf in the firewall.
aRCenEtraPl SNRATINPolTicy
© FORTINET
Configure a Central SNAT Policy
You will configure a central SNAT policy using the IP pool you created in the previous exercise.
NAT <enable>
Protocol any
© FORTINET
3. Keep the default values for the remaining settings, and then click OK to save the changes.
SNEATPRINT
© FORTINET
There is no option for enabling NAT or using IP pools. In central NAT mode, the
SNAT policy controls whether or not NAT is used.
4. Click Cancel.
Now that your configuration is ready, you will test the behavior of the central SNAT policy.
© FORTINET
The following image shows a sample
output:
Notice that the SNAT address is now 10.200.1.100, which matches the IP pool configured in the
central SNAT policy.
Field Value
Field Value
NAT Enabled
In this exercise, you will examine how to configure and test the behavior of central DNAT.
Field Value
Name Central-DNAT
Interface port1
© FORTINET
5. Click OK.
You will verify the firewall policy settings for the egress-to-ingress firewall policy.
In central NAT mode, you don't reference VIPs in firewall policies. As soon as you
create the VIP object, FortiGate automatically creates a rule in the kernel for DNAT
to occur.
5. Scroll to the bottom of the page, and then ensure that Enable this policy is enabled.
6. Click OK.
aRndEVIPPs RINT
VIPs
© FORTINET
Test DNAT and VIPs
You will test DNAT and VIPs by accessing the Local-Client VM.
2. On the Local-FortiGate CLI, log in with the username admin and password
password.
3. Enter the following command to check the destination NAT entries in the session
table:
get system session list
The following example shows a sample output:
The HTTP session may have been deleted by the time you run the get
system session list command. You can repeat steps 1–3 to generate a
new HTTP connection and, therefore, another HTTP session through Local-
FortiGate.
4. On
the Local-Client VM, open a few browser tabs, and connect to a few websites, such as:
www.fortinet.com
www.yahoo.com
www.bbc.com
5. Return to the Local-FortiGate CLI session, and then verify the SNAT IP address that those sessions are
using:
get system session list
The following example shows a sample output:
Notice that the SNAT address is still 10.200.1.100, as configured in the central SNAT policy using IP
pool. That is, the DNAT and VIP object you created did not override the central SNAT policy. This behavior
is similar to firewall policy NAT configured with IP pool.
© FORTINET
If both the central SNAT policy and DNAT and VIP object are defined, FortiGate
uses the NAT address configured in the central SNAT policy to perform SNAT.
To summarize, when you configure a VIP for a host, the following occurs in
firewall policy NAT mode:
If the outgoing policy has NAT enabled, FortiGate uses the external
address defined in the VIP as the NAT IP.
If the outgoing policy references an IP pool, FortiGate uses the external
address defined in the IP pool as the NAT IP.
In central NAT mode, FortiGate uses the address configured in the SNAT policy as
the NAT IP. This address can be the egress interface address or the IP pool
external address.
You will also configure a captive portal, so that users who connect to the network are prompted for their
login credentials (active authentication).
Objectives
Configure server-based password authentication with an LDAP
server
Time to Complete
Estimated: 20 minutes
5. Click OK to reboot.
You can configure FortiGate to point to a preconfigured FortiAuthenticator acting as an LDAP server for
server- based password authentication.
Name External_Server
Username uid=adadmin,cn=Users,dc=trainingAD,dc=training,dc=lab
You are using the credentials of an LDAP user called adadmin
to authenticate to the LDAP server.
RIeNmoTte Authentication
Group
© FORTINET
Password
Field Training!
Value This is the password preconfigured for the adadmin user. You must use
it to be able to bind.
You should see a message indicating that the connection was successful.
5. Click OK.
You will assign an LDAP user group (AD_users) that includes two users (aduser1 and aduser2) to a firewall
user group, called Remote-users, on FortiGate. By doing this, you will be able to configure firewall policies to
act on the firewall user group.
Usually, groups are used to more effectively manage individuals who have a shared relationship.
The Remote-users firewall group is preconfigured for you. However, you must
modify it to add the users from the remote LDAP server you configured in the
previous procedure.
© FORTINET
Take the Expert Challenge!
On Local-FortiGate (10.0.1.254), assign the Active Directory user group called AD_users to
the FortiGate firewall user group called Remote-users.
If you require assistance, or to verify your work, use the step-by-step instructions that
follow. After you have completed this exercise, see Configuring Remote Authentication on
page 64.
RIeNmoTte Authentication
Group
© FORTINET
AD_users has a green check mark beside it, which indicates that it was
added.
5. Click OK.
The users in this Active Directory group are now included in the FortiGate Remote-users firewall user
group. Only users from the remote LDAP server that match this user group entry can authenticate.
6. Click OK.
© FORTINET
Add the Remote User Group to the Firewall Policy
Now that you have added the LDAP server to the Remote-users firewall user group, you can add the group to
a firewall policy. This allows you to control access to network resources, because policy decisions are made
for the group as a whole.
Field Value
3. In the Security Profiles section, enable Web Filter, and then select Category_Monitor.
This web filter was preconfigured and is set to block the following categories: Potentially
Liable, Adult/Mature Content, and Security Risk.
4. In the Logging Options section, ensure Log Allowed Traffic is enabled, and then select All
Sessions.
5. Click OK.
Where:
<LDAP server name> is External_Server (case-
sensitive)
<LDAP user name> is aduser1
<password> is Training!
A message like the following example should appear to indicate that authentication was
successful:
RIeNmoTte Authentication
© FORTINET
3. Close the Local-FortiGate CLI window.
You will authenticate through the firewall policy as aduser1. This user is a member of the Remote-users
group on FortiGate. Then, you will monitor the authentication.
Notice that the blocked page displays a replacement message that includes useful information, such as the
URL and Category.
© FORTINET
You will see aduser1 listed along with other information, such as User Group and IP
Address.
While the config user setting CLI command determines how long a user
authenticating through the captive portal can remain authenticated, you can choose
to manually revoke a captive portal user authentication by selecting the user in the
Firewall User Monitor list, and then clicking Deauthenticate. After the user is
deauthenticated, the user disappears from the list, because it is reserved for active
users only.
This deauthenticates the user. The user must log in again to access the resources protected by the
firewall policy.
You will remove the user group assigned to the firewall policy for authentication.
RIeNmoTte Authentication
Policy
© FORTINET
Objectives
Configure logging on FortiGate
Configure threat weight
Monitor logs through alert emails
View logs on the Local-FortiGate
GUI
Time to Complete
Estimated: 35 minutes
Configuring log settings does not generate logs directly on FortiGate. Instead, log settings define if, where,
and how a log is stored.
The objective of this exercise is to prepare the log settings on Local-FortiGate. For the purposes of this lab,
this includes:
Enabling disk logging, so that logs are stored locally on FortiGate
Enabling historical FortiView, so that more than only real-time information is captured in the FortiView
dashboards Configuring event logging for all activity, to track and monitor events that occur on FortiGate
Disabling local traffic logging, to prevent filling up the disk too quickly with traffic going directly to and from
FortiGate Configuring FortiGate to resolve host names, so that FortiGate performs reverse DNS lookups for all IP
addresses, and makes it easier to search logs
If you require assistance, or to verify your work, use the step-by-step instructions that
follow. After you complete the challenge, see Configuring Log Settings on page 75.
Field Value
Disk <enable>
LoRg SEettPingRs
Settings
© FORTINET
4. In the Log Settings section, make sure the following settings are
configured:
Field Value
Event Logging All
Event logs provide all the system information that FortiGate generates
(they are not caused by traffic passing through firewall policies). However,
it is a good practice to track and monitor events that occur on FortiGate.
These logs record traffic directly to and from FortiGate, and can fill up your
disk quickly if not properly managed and monitored. For the purposes of this
lab, leave all checkboxes associated with local traffic log options cleared.
Field Value
© FORTINET
6. Click Apply.
To prioritize solving the most relevant issues easily, you can configure severity levels for IPS signatures, web
categories, and applications that are associated with a threat weight (or score). Threat weight allows you to set
the risk values for low, medium, high, and critical levels, and then apply a threat weight to specific categories.
The objective of this task is to set the following categories to a critical status:
Malicious Websites
Hacking
Explicit Violence
Pornography
You will use threat weight later, when you search for logs at a specific threat weight.
WPeigRht INT
Settings
© FORTINET
3. In the Risk Level Values section, record the value associated with the Critical risk
level. You will use this information later to search for logs, using the risk level value as
a filter.
4. Click Apply.
For the purposes of this lab, two firewall policies were created for you. However, you must now configure
these firewall policies for logging.
After you complete the challenge, see Monitoring Logs Through Email Alerts on page 82.
PTolicy
© FORTINET
IPS default
4. In the Logging Options section, enable Log Allowed Traffic, and then select All
Sessions. Remember, you will not receive any logs if Log Allowed Traffic is not enabled.
5. Click OK.
You successfully enabled logging on your firewall policy. Later in this lab, you will test these log settings.
© FORTINET
Security profiles Profile
AntiVirus default
3. In the Logging Options section, enable Log Allowed Traffic, and then select All
Sessions. Remember, you will not receive any logs if Log Allowed Traffic is not enabled.
4. Click OK.
You successfully enabled logging on your firewall policy. Later in this lab, you will test these log
settings.
Because you can’t always be physically at the FortiGate, you can monitor events by setting up email alerts.
Email alerts provide an efficient and direct method of notifying an administrator of events.
An SMTP mail server is required for email alerts to operate. Because configuring a
mail server is out of scope for this lab, one was configured for you. You can view the
email service configuration on the Local-FortiGate GUI by clicking System >
Settings, and then scrolling down to the Email Service configuration.
Generate Traffic
The traffic you generate will go through Local-FortiGate. You already enabled
thetools
You will use two different security policydifferent
to create on the IPS firewall
types policy and logging for all sessions.
of traffic.
© FORTINET
In this lab, you will direct the traffic that FIT generates through Local-FortiGate. The FIT is behind port3 on
Local- FortiGate. The traffic from FIT will go through the Full Access firewall policy. For more information, see
Network Topology on page 8.
You configured the Full Access firewall policy to include the following security policies and logging options:
Because the traffic that FIT generates originates from the IP address of the FIT VM
(10.0.1.20), all these logs show the same source IP address. This is a limitation
of the lab environment. In a real-world scenario, there will likely be many different
source IP addresses for your traffic.
4. Leave the PuTTY session open (you can minimize it) so traffic continues to
generate.
Tr RaffiEc Do not close the FIT PuTTY session or traffic will stop
generating.
You will direct the traffic that Nikto generates through Local-FortiGate. Nitko is running on the Linux VM, and
the traffic will go through the egress-to-ingress firewall policy named IPS. For more information, see Network
Topology on page 8.
You configured the IPS firewall policy to include the following security policy and logging options:
Because the traffic that Nikto generates originates from the IP address of the Linux
VM where Nikto is installed (10.200.1.254), all these logs show the same source
IP address. This is a limitation of the lab environment. In a real-world scenario, there
will likely be many different source IP addresses for your traffic.
© FORTINET
4. Leave the PuTTY session open (you can minimize it) so traffic continues to
generate. This will run for the remainder of the lab.
Now that traffic is being sent through FortiGate, you can check the [email protected] email to see if any
alerts were generated based on that traffic. You configured the email alert to generate an alert every minute
when an intrusion is detected by the IPS security profile on the IPS firewall policy, and when the web filter
security profile blocks traffic on the Full Access firewall policy.
The log message that accompanies an alert provides more details about the traffic that caused the alert.
2. Select the inbox of the [email protected] email account, and then click Get Messages.
You should see a message in the admin inbox with a subject of "Message meets Alert condition". If no
email appears in the inbox, wait 30 seconds, and then click Get Messages again.
3. Open any email alert, and then review the log message.
As you can see, the log message is in raw format. In the web filter example below (you may receive a
different log message), the log message header provides the type (utm) and subtype (webfilter).
The log message body provides information about the web filter security profile that was applied to the
traffic
© FORTINET
(Category-block-and-warning), the action it took (blocked), and the category description of the
traffic (Malicious Websites).
4. Open another email alert, and then record the following information from a single web filter
log:
Field Value
date
time
logid
subtype
level
sessionid
profile
catdesc
crscore
You will locate this log on the Local-FortiGate GUI in the next exercise.
5. Select the email of the log you recorded by clicking the star icon to the left of the email
subject. The star icon turns yellow.
If you want to review more email alerts, click Get Messages in your admin inbox
again. You configured your email alert to send messages that meet the alert condition
every one minute.
You will examine the logs, on the Local-FortiGate GUI, that are based on the traffic you generated from the
FIT VM and Nikto.
All logs that are related to security profiles are tracked in the forward traffic logs, so you can search all
forward traffic in one place. This is helpful if you are looking to see all activity from a specific address, security
feature, or traffic. Security profile logs are still tracked separately in the GUI, but only appear when logs exist.
© FORTINET
Filter Value
This filters on all web activity greater than or equal to the critical (50) risk
level.
If the information that you are filtering on does not appear in the table, you may need
to add the related column to the table. To do so, right-click any column in the table,
and then select the column you want to add. For example, to view the Threat Score
column, add Threat Score. At the bottom of the list, click Apply to refresh the table
with the new column.
© FORTINET
5. View both the Details and Security tabs to see the information that is available.
If this menu item does not display, you can refresh the page, or log out of the
Local- FortiGate GUI and log in again.
2. Use log filters to locate the log in the email alert that you recorded in Monitoring Logs Through Email Alerts on
page 82.
Which filter would best return the specific log you are seeking? For example, filters based on log subtype
or crscore will most likely return too many logs, which makes the search inefficient.
© FORTINET
3. After you locate the log, double-click the entry to view the log details.
As you can see, the log details in the alert email are the same as the log details on the GUI. The only
difference is the format—alert emails provide the log detail information in raw format, while the GUI
provides the log detail information in a formatted view.
After you complete the challenge, see Viewing Logs on the FortiGate GUI on page 87.
This takes you to the FortiGuard website, where you can gather more information about the specific
attack, such as the description of the attack, affected products, impact, and recommended actions.
© FORTINET
View Logs in FortiView
FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data
into a single view on FortiGate.
2. Use the search settings to display the web activity in a different way, for example, you can do the
following:
Click Settings.
In the FortiGate field, select All FortiGates, and then in the Visualization field, click Bubble
Chart.
Use the Sort By drop-down menu to display the information by Threat Score, Sessions, Browsing Time,
or
Bytes.
inRFoErtiVPiewRINT
GUI
© FORTINET
Close both the FIT and LINUX PuTTY sessions to stop log
generation.
Objectives
Configure and enable full SSL inspection on outbound
traffic Import an external web server certificate
Configure and enable full SSL inspection on inbound traffic
Time to Complete
Estimated: 40 minutes
Make sure that you restore the correct configuration on each FortiGate, using
the following steps. Failure to restore the correct configuration on each
FortiGate will prevent you from doing the lab exercises.
5. Click OK to reboot.
5. Click OK to reboot.
In this exercise, you will configure and enable full SSL inspection on all outbound traffic.
By default, FortiGate includes four security profiles for SSL/SSH inspection: certificate-inspection,
custom- deep-inspection, deep-inspection, and no-inspection. You can modify the settings for the
custom-deep- inspection profile only. The other profiles are read-only. Because this exercise involves
configuring full SSL inspection on FortiGate, you will configure a new SSL/SSH inspection profile for this
purpose.
© FORTINET
6. Click OK.
You must enable SSL inspection on a firewall policy to start inspecting SSL traffic. However, you cannot
enable SSL inspection by itself. You must enable one or more additional security profiles in the firewall policy.
When you enable SSL inspection, this configures how you want FortiGate to handle encrypted traffic, and then
you must configure which traffic you want FortiGate to inspect. For the purposes of this lab, you will enable the
default web filter security profile.
4. In the Logging Options section, enable Log Allowed Traffic, and then select All Sessions.
5. Click OK.
FortiGate includes an SSL certificate, named Fortinet_CA_SSL, that you can use for full SSL inspection. It is
signed by a certificate authority (CA) named FortiGate CA, which is not public. Because the CA is not public,
each time a user connects to an HTTPS site, the browser displays a certificate warning. This is because the
browser receives certificates signed by FortiGate, which is a CA it does not know and trust. You can avoid this
warning by downloading the Fortinet_CA_SSL certificate and installing it on all workstations as a public
authority.
In this procedure, you will first test access to an HTTPS site without the Fortinet_CA_SSL certificate
installed. Then, you will install the Fortinet_CA_SSL certificate and test access to the HTTPS site again.
FoRrtinEet_PCAR_SISNL CTertificate
Traffic
© FORTINET
https://salesforce.com
2. Click Advanced.
Notice the certificate warning. This appears because the browser receives certificates signed by the
FortiGate CA private key, and the corresponding CA certificate is not in the Local-Client certificate store.
3. Leave the browser tab open, and then continue to the next procedure. Do not click Accept the Risk
and Continue.
4. In Firefox, in the upper-right corner, click the Open menu icon, and then click
Settings.
© FORTINET
FoRrtinEet_PCAR_SISNL CTertificate
Traffic
© FORTINET
7. In the Certificate Manager window, click the Authorities tab, and then click
Import.
© FORTINET
Now that you added the Fortinet_CA_SSL certificate to your browser, you will not receive certificate
warnings when you access a secure site.
The CA that signed this certificate is not public, but the browser does not issue a certificate warning for it
because you added it as a trusted authority in the previous exercise.
https://salesforce.com
This time, you are passed through to the site without certificate warnings.
In this exercise, you will import an external web server certificate to Local-FortiGate, and then configure full
SSL inspection to protect a web server with an antivirus profile.
First, you will configure a virtual IP to map an external IP address to the internal IP address of the web
server. Then, you will configure a firewall policy to allow access to the virtual IP.
After you complete the challenge, see Install the Training CA Certificate on page
103.
To configure a virtual IP
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password
password.
2. Click Policy & Objects > Virtual IPs.
3. Click Create New, and then select Virtual IP.
4. Configure the following settings:
Field Value
Name VIP-WEB-SERVER
Interface port1
© FORTINET
Field
Value
External IP address/range
Source all
Destination VIP-WEB-SERVER
Service ALL
NAT <disabled>
3. Click OK.
You will verify access to the web server URL, and then install the CA certificate on Firefox to eliminate
certificate errors.
TrRainEingPCARCeIrtNificaTte
Traffic
© FORTINET
Take the Expert Challenge!
On the Remote-Client VM, verify that you have access to the web server using
https://lab.webserver.
Using Firefox, review the web server certificate details and identify the certificate issuer.
Install the CA certificate in the Firefox Authorities certificate store. The certificate file is located in
Desktop > Resources > FortiGate-Security > Certificate-Operations > CA.crt.
Make sure certificate-related warning messages no longer appear before proceeding to the next
section.
If you require assistance, or to verify your work, use the step-by-step instructions that
follow.
After you complete the challenge, see Configure Inbound Full SSL Inspection on page 109
.
To verify access
1. On the Remote-Client VM, open a new browser tab, and then access the web server
using
https://lab.webserver.
A security warning appears.
© FORTINET
TrRainEingPCARCeIrtNificaTte
Traffic
© FORTINET
© FORTINET
TrRainEingPCARCeIrtNificaTte
Traffic
© FORTINET
4. In the Certificate Manager window, click the Authorities tab, and then click
Import.
5. Click Desktop > Resources > FortiGate-Security > Certificate-Operations > CA.crt, and then click
Select. The Downloading Certificate window opens.
© FORTINET
7. Click OK.
8. Restart Firefox.
9. Go to https://lab.webserver, and then verify that the security warning is no longer
displayed.
On Local-FortiGate, you will configure and enable full SSL inspection on all inbound traffic destined to the web
server, using the default certificate. You will also observe the changes to the end-user browser session on
Remote-Client. Then, you will import the external web server certificate on Local-FortiGate, and use it to
perform full SSL inspection to eliminate security errors.
Field Value
Name Inbound_SSL_Inspection
© FORTINET
4. Click OK.
5. Click Policy & Objects > Firewall Policy.
6. Edit the Web_Server_Access policy.
7. In the Inspection Mode field, select Proxy-based.
8. In the Security Profiles section, enable the following security
profiles:
AntiVirus default
9. Click OK.
A security warning is displayed. If you do not receive a security warning, refresh the page (F5). This
forces Firefox to update its local cache.
© FORTINET
© FORTINET
To inspect the encrypted traffic, Local-FortiGate must proxy the connection between Remote-Client and
the web server. To do this, FortiGate must use its own certificate (FortiGate_SSL), which is not a trusted
certificate. It is also not issued for the host name you are using in the URL to access the secure website.
While this does verify that Local-FortiGate is inspecting the encrypted traffic, you must perform a few
more configuration steps to make sure the correct certificate is being used, to eliminate any security
errors on the end-user side.
© FORTINET PKCS#12 (.p12 file extension) is an archive file format used to bundle a
certificate with its private key. It is usually protected using a password.
The Webserver.p12 file contains the web server certificate and private key.
8. In the Password field, type fortinet, and then type the same password in the Confirm
Password field.
9. Click Create.
The certificate and key are imported.
Objectives
Configure web filtering on FortiGate
Apply the FortiGuard category-based option for web
filtering Troubleshoot the web filter
Read and interpret web filter log entries
Time to Complete
Estimated: 25 minutes
5. Click OK to reboot.
Then, you must configure a category-based web filter security profile on FortiGate, and apply the security
profile on a firewall policy to inspect the HTTP traffic.
Finally, you can test different actions taken by FortiGate according to the website rating.
You will review the inspection mode and license status according to the uploaded settings. You will also list
the FortiGuard Distribution Servers (FDS) that your FortiGate uses to send the web filtering requests.
Because of the reboot following the restoration of the configuration file, the web filter
license status may be Unavailable. In this case, navigate to System > FortiGuard,
in the Filtering section, click Test Connectivity to force an update, and then click
OK to confirm.
WRebEFilPter RCatIeNgorTies
Filtering
© FORTINET
To configure web filter categories, you must first identify how specific websites are categorized by the
FortiGuard service.
© FORTINET
2. Use the Web Filter Lookup tool to search for the following
URL:
www.twitter.com
This is one of the websites you will use later to test your web filter.
3. Use the Web Filter Lookup tool again to find the web filter category for the following
websites:
© FORTINET
www.skype.com
www.ask.com
www.bing.com
You will test your web filter using these websites also.
The following table shows the category assigned to each URL, as well as the action you will configure
your FortiGate to take based on your web filter security profile:
You will review the default web filtering profile, and then configure the FortiGuard category-based filter.
© FORTINET
Unrated Block
© FORTINET
The Edit Filter dialog box opens, which allows you to modify the warning interval.
9. Keep the default setting of five minutes, and then click OK.
10. Click OK.
Now that you configured the web filter profile, you must apply this security profile to a firewall policy in order to
start inspecting web traffic.
You will also enable the logs to store and analyze the security events that the web traffic generates.
© FORTINET
Take the Expert Challenge!
On the Local-FortiGate GUI, apply the web filter profile to the existing Full_Access firewall policy.
Make sure that logging is also enabled and set to Security Events.
If you require assistance, or to verify your work, use the step-by-step instructions that
follow. After you complete the challenge, see Test the Web Filter on page 123.
For the purposes of this lab, you will test the web filter security profile you configured for each
category.
FEilterPRINT
Filtering
© FORTINET
The get webfilter status and diagnose debug rating commands show the list of FDSs that
your FortiGate uses to send web filtering requests. In normal operations, FortiGate sends the rating
requests only to the server at the top of the list. Each server is probed for round-trip time (RTT) every two
minutes.
Stop and think!
Why does only one IP address from your network appear in the server list?
Your lab environment uses a FortiManager at 10.0.1.241, which is configured as a local FDS. It
contains a local copy of the FDS web rating database.
FortiGate sends the rating requests to FortiManager instead of the public FDS. For this reason, the output
of the command above lists the FortiManager IP address only.
© FORTINET
URL www.bing.com
REatinPg ORveIrrNide T
Filtering
© FORTINET
3. Click OK.
You will test the web rating override you created in the previous procedure.
First, you will confirm that the override category for www.bing.com is set to Malicious Websites. Then, you
will set the action for this FortiGuard category to Authenticate.
3. Double-click www.bing.com to verify the rating override, and confirm the category and
subcategory.
Field Value
4. Click Cancel.
GProRupsINT
Authentication
© FORTINET
Field Value
5. Click OK.
6. Click OK.
To create a user
1. Continuing on the Local-FortiGate GUI, click User & Authentication > User
Definition.
2. Click Create New.
3. In the User Type field, select Local User.
4. Click Next, and then configure the following settings:
Field Value
Username student
Password fortinet
5. Click Next.
6. Click Next.
7. Enable User Group, and then in the drop-down list, select Override_Permissions.
8. Click Submit.
The student user is created.
SRettEingPUpRWeIbNFilTtering Authentication
© FORTINET
Test the Authenticate Action
You will test access to a website using the authenticate action, and then analyze the logs that the security
events create.
2. Click Proceed.
You might receive a certificate warning at this stage. This is normal and is the result
of using a self-signed certificate. Accept the warning message to proceed with the
remainder of the procedure (click Advanced, and then click Accept the Risk and
Continue).
theTAutRhenEticaPte
Authentication
© FORTINET
Username student
Password fortinet
4. Click Continue.
This website now displays correctly.
According to the logs, http://www.bing.com was initially blocked, but after you clicked Proceed
and authenticated, the logs show a different action: passthrough.
However, for this website, you changed the subcategory to Malicious Websites.
Objectives
Configure and test application control in NGFW profile
mode Configure and test application control in NGFW
policy mode Read and understand application control logs
Time to Complete
Estimated: 30 minutes
The configuration file for this exercise has the application control categories set to Monitor (except for
Unknown Applications). This allows the applications to pass, but also records a log message.
There are 111 cloud-based application signatures available in the application control
signatures database that require deep inspection. The number beside the cloud icon
in each category represents the number of cloud application signatures in a specific
category. The number of cloud applications increases as new applications are added
to this list.
CRonEtroPllingRApIpNlicaTtion Traffic
© FORTINET
4. In the Application and Filter Overrides section, click Create New to add a filter
override.
5. On the Add New Override page, in the Type field, select Filter.
6. Click + to add a filter.
7. Under BEHAVIOR, click Excessive-Bandwidth.
8. Click OK.
Your configuration should look similar to the following image. The Action should be set to Block.
9. Click OK.
© FORTINET
Apply the Application Control Profile to the Firewall Policy
Now that you configured the application control profile, you will apply it to the firewall policy.
After you complete the challenge, see Test the Application Control Profile on page 137.
CRonEtroPllingRApIpNlicaTtion Traffic
© FORTINET
Test the Application Control Profile
You will test the application control profile by going to the application that you blocked in the application
override configuration.
2. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and then click
Security Profiles >
Application Control.
3. Edit the default application sensor again.
4. In the Options section at the bottom of the page, enable Replacement Messages for HTTP-
based Applications.
5. Click OK.
6. Open a new browser tab, and then go to the following URL: http://abc.go.com.
FortiGate should display a block message—it can take up to two minutes for the block page to
appear because of the change in configuration.
ARppliEcatPionROveIrNrideTs
Traffic
© FORTINET
Configure Application Overrides
You will configure application overrides. The application overrides take precedence over filter overrides
and application categories.
After you complete the challenge, see Test Application Overrides on page 139.
CRonEtroPllingRApIpNlicaTtion Traffic
© FORTINET
This application control profile is already applied to a firewall policy that is scanning
all outbound traffic. You do not need to reapply the application control profile for the
changes to take effect.
You will test the application control profile by going to the application that you allowed.
View Logs
You will view the logs for the test you just performed.
To view logs
1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and then click Log &
Report >
Security Events.
2. Under Summary, click Application Control.
3. Use the Application Name log filter, and then search for
ABC.Com. You will see log messages with the action set to block.
5. Click Log & Report > Forward Traffic, and then search and view the log information for ABC.Com.
You can see more details about the log, including translated IP, bytes sent, bytes received, action,
and application.
In this exercise, you will configure and apply traffic shaping to an application to limit its bandwidth
consumption.
You will add the application override for the Vimeo application to the application control profile. Then, you
will apply traffic shaping in the next procedure.
For the purposes of this lab, setting the action to Monitor ensures all
application control events are logged.
© FORTINET
Configure a Traffic Shaping Policy
You will configure a traffic shaping policy using the preconfigured traffic shaper to limit the bandwidth usage of
the Vimeo application.
After you complete the challenge, see Test Traffic Shaping on page 144.
3. Click Policy & Objects > Traffic Shaping, and then click Traffic Shaping Policies.
4. Click Create New.
Field Value
Name Application_Traffic_Shaper_Policy
Source all
Destination all
Service ALL
aRTraEfficPShRapinIgNPoTlicy
Usage
© FORTINET
Field Value
Application Vimeo
Tip: Type Vimeo in the search box in the right pane to locate it easily.
© FORTINET
6. Click OK.
The Shared Shaper option limits the bandwidth from ingress-to-egress. It is useful
for limiting uploading bandwidth. The Reverse Shaper limits the bandwidth from
egress- to-ingress. It is useful for limiting downloading or streaming bandwidth.
You must ensure that the matching criteria aligns with the firewall policy or
policies that you want to apply traffic shaping to.
© FORTINET
Test Traffic Shaping
If your classroom uses a virtual lab, the underlying hardware is shared, so the
amount of available bandwidth for internet access varies according to other
simultaneous use. The traffic shaper is set to a very low value to make sure that the
difference in behavior is easily noticeable. In real networks, this setting would be set
to a higher value.
3. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and then click Policy &
Objects >
Traffic Shaping > Traffic Shapers.
4. Review the Bandwidth Utilization and Dropped Bytes columns for the
VIMEO_SHAPER. You might need to refresh the FortiGate GUI to view the statistics on
Traffic Shapers.
You will notice the bandwidth used by the Vimeo application, and that FortiGate is dropping the packets
that exceed the configured bandwidth in the traffic shaper.
Monitor statistics are current as of the time that you requested the GUI page, so
make sure to view them while a video is downloading. Also, refresh the page a few
times to get the results.
© FORTINET
8. Click Apply.
9. Review the logs to display basic information about the Traffic Shaper
policy.
© FORTINET
In this exercise, you will enable policy-based NGFW mode on FortiGate, and then implement application control
in the security policy to explicitly allow access to only the LinkedIn web application and block access to all other
web applications.
You will change the NGFW mode on Local-FortiGate from profile-based to policy-based.
Changing NGFW modes removes the existing firewall policies and central SNAT. To
pass traffic in policy-based NGFW mode, FortiGate requires three types of policies to
be configured. This is unlike a profile-based NGFW mode setup, where only one
policy is required.
You will modify the default SSL inspection policy to use the deep-inspection SSL inspection profile, and
then create a central SNAT policy.
4. Click OK.
© FORTINET
REPRINT
Configure the Security Policy and Test Application Control
You will create a security policy to apply the application signature required to allow access to the LinkedIn
web application and block access to all other web applications.
Field Value
Name Allow_LinkedIn
Source all
Destination all
Application LinkedIn
DNS
Tip: Type LinkedIn in the search box in the right pane to locate it easily.
5. Click OK.
3. Return to your browser tab where you are logged in to the Local-FortiGate GUI.
4. Click Log & Report > Security Events.
5. Under Summary, click Application Control.
6. Review the logs that allowed access to the LinkedIn web application.
© FORTINET
REPRINT
In this lab, you will examine how to configure, use, and monitor antivirus scanning on Local-FortiGate in both
flow- based and proxy-based inspection modes.
Objectives
Configure antivirus scanning in both flow-based and proxy-based inspection
modes Understand FortiGate antivirus scanning behavior
Scan multiple protocols
Read and understand antivirus logs
Understand machine learning (AI)
scan
Time to Complete
Estimated: 25 minutes
5. Click OK to reboot.
In this exercise, you will examine how to use antivirus in proxy-based inspection mode to understand how
FortiGate performs antivirus scanning. You will observe the behavior of antivirus scanning, with and without
deep inspection, to understand the importance of performing full-content inspection.
You will change the inspection mode in the default antivirus profile, which is applied on the firewall policy,
to inspect traffic.
6. Click OK.
Feature set is an option to specify the type of antivirus profile applied to a firewall
policy. Flow-based antivirus profiles offer higher throughput performance, while
proxy- based profiles are useful to mitigate stealthy malicious code.
© FORTINET
Enable the Antivirus Profile on a Firewall Policy
By default, flow-based inspection mode is enabled on the FortiGate firewall policy. You will change the
inspection mode from flow-based to proxy-based.
After you complete the challenge, see Test the Antivirus Configuration on page 155.
The Protocol Options profile provides the required settings to hold traffic in
proxy while the inspection process is carried out. The default profile is
preconfigured to follow the standardized parameters for the common protocols
used in networking.
7. Keep the default values for the remaining settings, and click OK to save the changes..
You will download the EICAR test file to your Local-Client VM. The EICAR test file is an industry-standard
virus used to test antivirus detection without causing damage. The file contains the following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
DPowRnloIaNd MTethod
Mode
© FORTINET
To test the antivirus configuration
1. On the Local-Client VM, open a new web browser tab, and then access the following
website:
http://10.200.1.254/test_av.html
2. In the Download area section, download any EICAR sample file.
FortiGate should block the download attempt, and insert a replacement message similar to the
following example:
FortiGate shows the HTTP virus message when it blocks or quarantines infected files.
You will test the proxy-based antivirus configuration using the Save Link As method to download the EICAR
text file.
© FORTINET
4. On your desktop, right-click the eicar.com.txt downloaded file, click Open With Other Application,
click
Notepad++, and then click Select to open the file you downloaded.
Is the content of the file what it's supposed to be?
Stop and think!
Remember, you are using proxy-based inspection mode. When a firewall policy inspection mode is set to
proxy, traffic flowing through the policy is buffered by FortiGate for inspection. This means that FortiGate
holds the packets for a file, email message, or web page until the entire payload is inspected for violations
(virus, spam, or malicious web links). After FortiOS has finished the inspection, FortiGate either releases
the payload to the destination (if traffic is clean) or drops and replaces it with a message (if the traffic
contains violations). FortiGate injects the block message into the partially downloaded file. The client can
use Notepad to open and view the file.
5. Close Notepad++.
6. Delete the downloaded eicar.com.txt file from the desktop.
The purpose of logs is to help you monitor your network traffic, locate problems, establish baselines, and
make adjustments to network security, if necessary.
3. Select the Security tab to view security logs, which provide information more specific to security events, such
as filename, virus or botnet, and reference.
4. To view antivirus security logs, click Log & Report > Security Events > AntiVirus.
Policy
Enable SSL Inspection on a Firewall Policy
© FORTINET
So far, you have tested unencrypted traffic for antivirus scanning. In order for FortiGate to inspect the
encrypted traffic, you must enable deep inspection on the firewall policy. After you enable this feature,
FortiGate can inspect SSL traffic using a technique similar to a man-in-the-middle (MITM) attack.
To test antivirus scanning without SSL inspection enabled on the firewall policy
1. On the Local-Client VM, open a web browser, and then go to the following website:
https://10.200.1.254/test_av.html
2. Click Advanced.
3. Click Accept the Risk and Continue.
4. In the Download areasection, download the eicar.com sample file.
FortiGate should not block the file, because you did not enable full SSL inspection.
© FORTINET FortiGate should block the download and replace it with a message. If it doesn't, you may need to clear
your cache. In Firefox, click Preferences > Privacy & Security. Scroll to History, click Clear History, and
ensure the time range to clear is set to Everything. Click Clear Now.
In this exercise, you will convert the inspection mode on the firewall policy and the antivirus profile to flow-
based inspection mode. Then, you will perform a test to download a file located on an FTP server. You will
view the logs and summary information related to the antivirus scanning. Finally, you will test the machine
learning detection feature on Fortigate.
You will change the inspection mode in the default antivirus profile, which is applied on the firewall policy,
to inspect traffic including FTP.
5. Click OK.
© FORTINET
Change the FortiGate Inspection Mode
By default, flow-based inspection mode is enabled on the FortiGate firewall policy. In this exercise, you
will change the inspection mode from proxy-based to flow-based.
5. In the Protocol Options field, verify that the default profile is selected.
6. In the Security Profiles section, verify that the default AntiVirus profile is
selected.
7. Click OK.
ARntiIviNrusTProfile
Scanning
© FORTINET
3. On the Remote site side of the application (right), right-click the eicar.com file, and then select
Download.
The client should display an error message that the server terminated the connection. FortiGate sends
the replacement message as a server response.
In flow-based inspection mode, FortiGate does not buffer traffic flowing through the
policy. If FortiGate detects a violation in the traffic, it sends a reset packet to the
receiver, which terminates the connection, and prevents the payload from being
sent successfully.
© FORTINET
View the Antivirus Logs
You will check and confirm the logs for the test you just performed.
By default, machine learning detection is enabled on FortiGate and it detects zero-day attacks. In this
exercise, you will disable machine learning detection and then download an unknown malware from the FTP
server. Then you will enable machine learning detection and download the same file again to test the machine
learning detection scan.
leParnRingIN(AI)Tscan
Scanning
© FORTINET
To disable machine learning detection
1. On the Local-FortiGate CLI, log in with the username admin and password password.
2. Enter the following commands to disable machine learning detection:
config antivirus settings
set machine-learning-detection disable
end
3. On the Local-Client VM, open the FileZilla FTP
client software from the desktop.
4. Click the Site Manager icon in the upper-left corner,
and then select Linux.
5.On the Remote site side of the application (right), right-click the 1132999808 file, and then select Download.
You will see that the download completed successfully.
You will see that the download failed this time because the AI engine terminated the file
transfer.
© FORTINET A zero-day attack is malware that is new, unknown, and therefore, does not have
an existing associated signature. Files detected by a machine learning scan are
identified with the W32/AI.Pallas.Suspicious signature.
Objectives
Protect your network against known attacks using IPS
signatures Use rate-based signatures to block brute force
attacks
Mitigate and block DoS attacks
Time to Complete
Estimated: 40 minutes
5. Click OK to reboot.
You will configure an IPS sensor that includes the signatures for known attacks based on different severity
levels.
© FORTINET
8. In the search bar, delete medium, and then type
high.
9. Click the SEV object to select the high severity filter.
You will apply the new IPS sensor to a firewall policy that allows external access to the web server running on
the Local-Client.
© FORTINET
Take the Expert Challenge!
On the Local-FortiGate GUI, do the
following:
Configure a new virtual IP to map the external IP 10.200.1.200 to the internal IP 10.0.1.10,
using port1 as the external interface. Name the virtual IP VIP-WEB-SERVER.
Create a new firewall policy to allow all inbound traffic to the virtual IP, and enable the WEBSERVER
IPS sensor. Name the firewall policy Web_Server_Access_IPS.
If you require assistance, or to verify your work, use the step-by-step instructions that
follow.
After you complete the challenge, see Generate Attacks From the Linux Server on page
172
To create a virtual IP
1. Continuing on the Local-Fortigate GUI, click Policy & Objects > Virtual
IPs.
2. Click Create New > Virtual IP.
3. Configure the following settings:
Field Value
Name VIP-WEB-SERVER
Interface port1
4. Click OK.
Name Web_Server_Access_IPS
Source all
Destination VIP-WEB-SERVER
© FORTINET
Field Value
Schedule always
Service ALL
Action ACCEPT
NAT disabled
3. In the Security Profiles section, enable IPS and, in the drop-down list, select
WEBSERVER. The policy should look like the following example:
Configuring full SSL inspection would significantly increase the time required to
complete this lab. Therefore, for the purposes of this exercise, you will not configure
full SSL inspection.
4. Click OK.
FPromRthIeNLinTux Server
Exploits
© FORTINET
Generate Attacks From the Linux Server
You will run a Perl script to generate attacks from the Linux server located in front of the Local-
FortiGate.
4. Leave the PuTTY session open (you can minimize it) so traffic continues to generate.
Do not close the LINUX PuTTY session or traffic will stop generating.
You will check the IPS logs to monitor for known attacks being detected and dropped by the Local-
FortiGate.
© FORTINET
None of the affected products are currently installed on the Local-Client. This
information is important to make a note of before you tune the WEBSERVER IPS
sensor. If the affected products aren't installed, is it really necessary to inspect
those packets?
You will create a new IPS sensor, and enable and configure the appropriate signature to detect and block
FTP brute force attacks. You will then apply the IPS sensor to all outbound traffic on Local-FortiGate.
Field Value
Threshold 5
BIaNsedTIPS Signatures
© FORTINET
Field
Value
Duration (seconds)
11. Type FTP.Login.Brute.Force in the search field, and then press
Enter.
30
12. Right-click FTP.Login.Brute.Force, and then click Add Selected.
13. Track By
Click OK.
The configuration should look like the following image:
Source IP
You will use a custom bash script to generate invalid login attempts to the FTP server located on the Linux
VM. You will then verify your configuration using the IPS logs.
A typical brute force attack uses a dictionary of usernames and passwords. In this
scenario, the script uses an incorrect username and password to flood the FTP
server with invalid login attempts. The 530 Login incorrect responses from
the FTP server should be enough to trigger the signature.
BEasePd SRignIaNtureT
Signatures
© FORTINET
To run the bash script
1. On the Local-Client VM, open a terminal window.
2. Change the working directory to cd Desktop/Resources/FortiGate-Security/Intrusion-
Prevention-System.
3. Execute the bash script.
bash bruteFTP.sh
4. Wait for the script to finish, and then leave the terminal window open in the background.
Why are there only six log entries, when the script generated 10 login
attempts?
Stop and think!
You configured the FTP.Login.Brute.Force rate-based signature with a threshold of 5. The IPS
signature action was triggered only after this threshold was met.
BIaNsedTIPS Signatures
© FORTINET
Note that for Attempt 4, the server response is 530 Login incorrect. However, for Attempt 5, the
error message is 421 Service not available, remote server has closed connection. This
is where the rate-based signature action triggers, and the FTP client connections are reset. The same error
message repeats until the script ends with Attempt 10.
You will create a DoS policy to detect and block an ICMP flood attack.
After you complete the challenge, see Test the DoS Policy on page 179.
Name ICMP_Floods
Services ALL
© FORTINET
7. Click OK.
You will generate an ICMP flood from the Linux VM. This will trigger the DoS policy on the Local-
FortiGate.
The command option -f causes the ping utility to run continuously, and not wait
for replies between ICMP echo requests. It also requires super-user privileges.
4. Enter password.
For every ping sent, the SSH session displays a period.
theTDoSRPoElicPy
Attack
© FORTINET
5. Leave the SSH connection open with the ping running (you can minimize the window).
Objectives
Configure the Security Fabric on Local-FortiGate (root) and ISFW (downstream)
Configure the Security Fabric on Local-FortiGate (root) and Remote-FortiGate (downstream)
Use the Security Fabric topology views to examine the logical and physical views of your network
topology Run the Security Fabric rating checks on the root FortiGate and apply a recommendation
Time to Complete
Estimated: 45 minutes
Topology
In this lab, you will learn how to configure the Security Fabric on all FortiGate devices in the topology. Local-
FortiGate and Remote-FortiGate are connected through an IPsec tunnel. Local-FortiGate is the root FortiGate
in the Security Fabric, and Remote-FortiGate and ISFW are downstream FortiGate devices. FortiAnalyzer is
behind Local-FortiGate and will be used in the Security Fabric.
Make sure you restore the correct configuration on each FortiGate, using
the following steps. Failure to restore the correct configuration on each
FortiGate will prevent you from doing the lab exercise.
5. Click OK to reboot.
5. Click OK to reboot.
5. Click OK to reboot.
4. In the System Information section, click the icon to restore from an existing
configuration.
5. Clear the Overwrite current IP and routing settings checkbox, and then click
Browse.
6. Browse to Desktop > Resources > FortiGate-Security > Security-Fabric, select FAZ-SF.dat, and then
click
Select.
7. Click OK.
8. Wait until FortiAnalyzer restarts.
You will configure the root of the Security Fabric to send all logs to FortiAnalyzer. These settings will
be automatically replicated to all downstream devices when they become members of the Security
Fabric.
© FORTINET
REPRINT
5. Edit the settings so they match the following
image:
6. Click OK.
7. In the verification window that appears, click
Accept.
8. Verify that the status of Security Fabric > Fabric Connectors > FortiAnalyzer Logging is
up.
6. Click OK.
7. Click Network > Interfaces, and then expand port1.
8. Click the To-Remote-HQ2 interface, and then click Edit.
9. In the Administrative Access section, select the Security Fabric Connection
checkbox.
10. Click OK.
Field Value
© FORTINET
6. Click OK.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
After you complete the challenge, see To enable the Security Fabric on ISFW (downstream) on
page 190.
© FORTINET
6. Click OK.
7. Click Network > Interfaces.
8. Click port3, and then click Edit.
9. In the Administrative Access section, select the Security Fabric Connection
checkbox.
10. In the Network section, enable Device detection.
11. Click OK to save the changes.
4. In the Security Fabric role field, confirm that Join Existing Fabric is
selected.
5. Verify that the Upstream FortiGate IP is set to 10.0.1.254.
6. In the Default admin profile field, select super_admin.
7. In the Management IP/FQDN field, click Specify, and then type
10.0.1.200. Your configuration should look like the following example:
© FORTINET
REPRINT
8. Click OK.
9. Click OK to confirm the settings.
3. In the Device Registration window, click Authorize, and then click Close.
4. Hover over the ISFW icon to display a summary of the firewall settings, and then verify that it is correctly
registered in the Security Fabric.
You will check the Security Fabric deployment result on Local-FortiGate (root).
© FORTINET
REPRINT
Your topology view might not match exactly what is shown in this example.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.
You will configure Remote-FortiGate to join the Security Fabric as a downstream FortiGate over the IPsec
VPN.
© FORTINET
REPRINT
4. In the Security Fabric role field, ensure that Join Existing Fabric is
selected.
5. In the Upstream FortiGate IP field, type 10.10.10.1.
6. In the Default admin profile field, select super_admin.
7. In the Management IP/FQDN field, click Specify, and then type
10.10.10.3. Your configuration should look like the following example:
8. Click OK.
9. Click OK to confirm.
4. In the Device Registration window, click Authorize, and then click Close.
You will check the Security Fabric deployment result on the root, Local-FortiGate.
© FORTINET
REPRINT
You may need to click the Update Now button to refresh the topology. Your topology view might not
match what is shown in this example.
You may need to click the Update Now button to refresh the
topology.
You can generate some traffic from the Linux VMs to have them shown in
the topology.
When you make changes through the Security Posture page, FortiGate generates
two configuration revisions for each change you make. Because FortiGate can
store only a limited number of revisions, if you make multiple changes through the
security rating, you may lose some of the revisions needed for other labs.
If you lose any revisions that you make for the labs, contact the instructor
for assistance.
You will run a security rating check, which analyzes the Security Fabric deployment, and then identifies
potential vulnerabilities and highlights best practices. You must run the Security Fabric rating on the root
FortiGate in the Security Fabric.
oInNtheTLocal-FortiGate (Root)
Rating
© FORTINET
Your Security Posture widget might not match what is shown in this
example.
You can expand each scorecard section to view recommendations for each
section.
© FORTINET
You may need to zoom out this page to see all details.
3. In the Security Control column, expand Failed, and then select Administrative
Access. The Apply option appears with recommendations that the wizard can apply.
oInNtheTLocal-FortiGate (Root)
Rating
© FORTINET
If you can't see the Apply button, zoom out on the web page to view the full
page.
6. Click View Diff to view the configuration changes that the wizard applied to Local-
FortiGate.
7. Click Close.
8. Click Security Fabric > Security Rating.
9. Click Run Now to get the new Security Posture
score.
You will notice the Security Posture widget displays information from the most recent security rating
check.
© FORTINET
When you run a Security Fabric rating, your organization's Security Fabric receives
a Security Fabric score. The score is positive or negative, and a higher score
represents a more secure network. The score is based on how many checks your
network passes and fails, as well as the severity level of these checks.
You can repeat steps 2–7 for all other sections and devices to
apply recommendations, which will improve your Security Fabric
score.
Your security rating scores might not match what is shown in this
example.
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet
Inc., as stipulated by the United States Copyright Act of 1976.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or
company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal
conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet
enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to
certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be
binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event
does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking
statements herein are not accurate. Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet
reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.