Lab - Guide FortiGate Firewall


Index: 1.0
Use Case: Getting Started with the FortiGate Firewall
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Getting Started with the FortiGate Firewall Lab

Today’s networks are highly complex environments with borders that are constantly changing.
In response to this highly complex environment, firewalls have become robust multi-functional
devices that counter an array of threats to your network.

In this workshop, participants learn the basics of how to install a FortiGate and use it to protect
a network.

FortiGate enables security-driven networking and consolidates industry-leading security
capabilities, such as SSL inspection, antivirus, web filtering, and application control. By doing
this, FortiGate meets the performance needs of highly scalable, hybrid IT architectures,
enabling organizations to reduce complexity and manage security risks.

FortiGate simplifies security complexity and provides visibility into applications, users, and
networks. FortiGate utilizes purpose-built security processing units (SPUs) and threat
intelligence services from FortiGuard Labs to deliver top-rated security and high-performance
threat protection.
Index: 1.0 (a)
Use Case: Getting Started with the FortiGate Firewall
Objective Title: Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Topology
Index: 1.0 (b)
Use Case: Getting Started with the FortiGate Firewall
Objective Title: Agenda
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Agenda
This lab includes the following topics.

Topic Time
Lab 2.0: FortiGate Installation 20 Minutes
Lab 3.0: Basic Routing and Firewall Policies 15 Minutes
Lab 4.0: Security Profiles 20 Minutes
Lab 5.0: Logging and Reporting 10 Minutes
Lab 6.0: CLI Basics 15 Minutes
Lab 7.0: Local User Authentication 20 Minutes
Lab 8.0: Setting up a Fortinet Security Fabric 10 Minutes
Index: 1.0 (c)
Use Case: Getting Started with the FortiGate Firewall
Objective Title: Instructions
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Instructions
Some of the lab exercises have a Solve button located at the bottom of the screen. If you click
Solve, a script runs that completes the exercise for you. If the exercise has a Stop and Think
question that includes hints, all hints will be shown when you click Solve. After the script runs,
you must click Continue to move on to the next exercise.
Unless otherwise indicated, all usernames/passwords for the various web consoles are:

• Username: admin
• Password: Fortinet1!
Index: 2.0
Use Case: FortiGate Installation
Objective Title: New Objective
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

FortiGate Installation
In this lab, you install a FortiGate, called FGT-EDGE, between the internet and AcmeCorp’s
network.
The steps you complete to accomplish this lab are:
1. Connect to the FortiGate GUI
2. Add a default route
3. Select DNS servers
4. Set the system time
5. Manage administrator accounts
6. Configure private interfaces
Time to complete: 20 minutes
Index: 2.0 (a)
Use Case: FortiGate Installation
Objective Title: Connect to the FortiGate GUI
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Connect to the FortiGate GUI

Background

In this exercise, you connect to the FortiGate GUI and explore the pre-configured Management
interface.
Port1 on FGT-EDGE has been pre-configured to include the following settings, which are not
part of the default FortiGate configuration:

• IP/Netmask: 192.168.0.101/255.255.255.0
• Administrative Access: HTTPS, HTTP, PING, FMG-Access, SSH, and Security Fabric Connection
A password was also set for the default admin account.

Tasks
1. Return to the Lab Activity Tab. Click FGT-EDGE in the sidebar menu under the Core
group, and then click on the HTTPS option to access the FGT-EDGE device.

2. Log in using the default admin account by entering the following credentials:
Username: admin
Password: Fortinet1!

3. You have access to the FortiGate GUI.


4. Click Network > Interfaces and select Management Network (port1). Click Edit. You can
also double-click the interface.

Note: Don’t change any of the settings currently configured for port1.

5. The pre-configured settings appear under Address and Administrative Access.

6. Click Cancel to exit without changing any settings.


Stop and Think
Security best practices recommend configuring management interfaces with the minimal level
of administrative access required. The level of access is usually based on the role of the
interface, the accessibility of the interface, and the level of authority of the users with access
to that interface.

Consider an organization which has the following infrastructure deployed:

• FortiGate management using FortiManager Cloud services
• FortiGate two-factor authentication via FortiToken Mobile
• Remote APs participating in the organization’s Security Fabric

Which of the following Administrative Access options should be enabled to meet the
requirements for the minimal level of access for the WAN interface? (Select all that apply)
----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:

Hint 1
Security best practices suggest only the minimum necessary administrative access be made
available for an interface based on the role of the interface, accessibility to the interface, and
the level of authority for users capable of accessing that interface. For a WAN interface, which
of the following Administrative Access options in the FortiGate would not be considered
minimum necessary access?

Several of the available administrative access options are Fortinet specific:

• HTTP, HTTPS, and SSH: These administrative access controls are meant only for
administering the FortiGate firewall. They are not used for any other access such as
SSL-VPN. It is not recommended to use these access controls for an interface that is directly
accessible from outside your network, such as the Internet.

• FMG-Access: Allows FortiManager, FortiManager Cloud, and FortiGate Cloud to
communicate with the FortiGate for central management. It’s recommended that
FortiManager access always be over private networks such as VPN or MPLS. However, with
the use of Fortinet Cloud services, it would need to be available from the Internet
and would be considered minimum administrative access.

• FTM: Allows FortiToken Mobile to use push notifications to end users as part of two-factor
authentication. For remote users, this access would be required minimum administrative
access.

• Security Fabric Connection: Allows communication between different devices that are part
of the Fortinet Security Fabric using either the FortiTelemetry or CAPWAP protocols.
Devices such as FortiGate, FortiAP, FortiSwitch, FortiAnalyzer, and FortiClient use these
protocols to communicate. Similar to FortiManager access, connectivity over the Internet
may be required if private connections are not available. In the use case of a Remote AP,
CAPWAP access from the Internet would be considered a minimum administrative access
requirement.

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:

Answer
Correct: B & C

HTTP, HTTPS, and SSH are not considered minimum necessary administrative access. These
protocols should only be enabled on trusted or private interfaces.

FMG-Access uses the proprietary FortiGate to FortiManager Protocol (FGFM) and would be
required for FortiGate firewalls managed by FortiManager Cloud or FortiGate Cloud services.

Enabling FTM allows users outside the network to receive a push notification to the FortiToken
Mobile app as part of the two-factor authentication process and would be considered a
minimum necessary administrative access where this feature is being used.

Security Fabric Connection includes both the FortiTelemetry and CAPWAP protocols. CAPWAP
would be required for remote APs where a VPN connection cannot be established first such as
when installed at a home office and would be considered a minimum necessary administrative
access control in this type of configuration.
Answer Key:
✘ 1. HTTP, HTTPS, and SSH
✔ 2. FMG-Access
✔ 3. FTM and Security Fabric Connection
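
As an added illustration that is not part of the lab, the two settings side by side for the WAN interface in FortiOS CLI form. The lab does not show ISP1's current administrative access, so the first block is a constructed over-permissive case; the second keeps only what the answer calls minimum necessary. In the CLI, fgfm is the GUI's FMG-Access and fabric is Security Fabric Connection.

```fortios
# Constructed over-permissive case: GUI and SSH management of the firewall
# reachable from the Internet-facing interface.
config system interface
    edit "port6"
        set allowaccess ping https http ssh fgfm ftm fabric
    next
end

# Minimum necessary for the scenario in the question (FortiManager Cloud,
# FortiToken Mobile push, remote APs joining the Security Fabric):
# management protocols stay on trusted interfaces only.
config system interface
    edit "port6"
        set allowaccess fgfm ftm fabric
    next
end

# Confirm the resulting access list
show system interface port6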
Index: 2.0 (b)
Use Case: FortiGate Installation
Objective Title: Add a Default Route
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Add a Default Route

Background
In this exercise, you add a default route to the FortiGate that the FortiGate uses to send traffic
outside of the internal network.

Tasks
1. Click Network > Static Routes and click Create New.

2. Set Destination to Subnet and leave the destination IP address set to 0.0.0.0/0.0.0.0.

3. Set Gateway Address to 100.65.0.254, which is the IP address you use to reach
AcmeCorp’s ISP.

4. Set Interface to ISP1 (port6), the internet-facing interface.

5. Click OK.

6. To test internet connectivity, click >_ in the top right-hand corner to connect to the CLI
console.

7. Type the command execute ping 8.8.8.8 and press Enter.


8. The FortiGate connects to the internet, producing an output similar to the screenshot
below:

9. Close the CLI console by clicking on the X in the upper right corner.
Index: 2.0 (c)
Use Case: FortiGate Installation
Objective Title: Select DNS Servers
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Select DNS Servers

Background
In this exercise, you configure FGT-EDGE to use a FortiGuard DNS server as the primary server
and the public Google DNS server as the secondary server.

Note: The default DNS settings use FortiGuard DNS servers as the primary and secondary
servers, which may be sufficient for networks that don’t have an internal DNS server.

Tasks
1. Click Network > DNS.

2. Set DNS Servers to Specify.

3. Leave Primary DNS Server as the default server.

4. Set Secondary DNS Server to 8.8.8.8, the IP address of the Google DNS server.

5. Select Apply.

Stop and Think


If the AcmeCorp network had an internal DNS server, would you configure it as the primary
server or the secondary?

----------------------- Hint 1 Section -----------------------


Hint: 1 Points: 2

Hint Text:

Hint
A FortiGate sends DNS requests to the primary server first, with the secondary server used as a
backup.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer
Correct: A

To make sure that the FortiGate sends DNS requests to the appropriate server, an internal
server should be set as the primary DNS server.

Answer Key:
✔ 1. Primary
✘ 2. Secondary
Index: 2.0 (d)
Use Case: FortiGate Installation
Objective Title: Set the System Time
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Set the System Time

Background
In this exercise, you configure the system time on FGT-EDGE to AcmeCorp’s local time zone,
Eastern Standard Time.

Note: For the purpose of this lab, you must select Eastern Standard Time. Making changes to
the time zone could disrupt the lab functionality.

Tasks
1. Click System > Settings.

2. Under System Time, select (GMT-5:00) Eastern Time (US & Canada).

3. Set Set Time to NTP.

4. Set Select server to FortiGuard.

5. Select Apply.
Index: 2.0 (e)
Use Case: FortiGate Installation
Objective Title: Configure Private Interfaces
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Configure Private Interfaces

Background
In AcmeCorp’s network, there are two additional FortiGate devices: FGT-ISFW and FGT-DC.
These devices connect to FGT-EDGE to reach the internet.

In this exercise, you configure two private interfaces on FGT-EDGE: port 4 that connects to
FGT-ISFW and port 3 that connects to FGT-DC.

Tasks
1. Click Network > Interfaces, select port4, and then click Edit.

2. Configure the following settings:

• Alias: EDGE_ISFW Network
• Role: LAN
• IP/Netmask: 10.10.30.14/255.255.255.248
• Administrative access: HTTPS, HTTP, PING, and Security Fabric Connection

Note: Enabling HTTPS access automatically enables HTTP access.


3. Click OK.

4. Click Network > Interfaces, select port3, and select Edit.

5. Configure the following settings:

• Alias: EDGE_DC Network
• Role: LAN
• IP/Netmask: 10.10.30.6/255.255.255.248
• Administrative access: PING and Security Fabric Connection

6. Click OK.

Stop and Think


What else do you need to configure on FGT-EDGE to allow internet access for the networks
behind FGT-ISFW and FGT-DC? (Select all that apply)

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:

Hint
FGT-ISFW and FGT-DC are already configured to receive DNS server and system time settings
directly from FGT-EDGE, so you don’t need to configure them separately for the other FortiGate
devices.
----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:

Answer
Correct: B and C

In order to allow internet access for the networks behind FGT-ISFW and FGT-DC, there must be
static routes for these networks, as well as firewall policies to allow traffic to pass through
FGT-EDGE to the internet.

You will configure routing and firewall policies in the next objective.

Answer Key:
✘ 1. Additional DNS servers
✔ 2. Static routes for each network
✔ 3. Firewall policies to allow internet access
✘ 4. System times for the other FortiGate devices
Index: 3.0
Use Case: Basic Routing and Firewall Policies
Objective Title: New Objective
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Basic Routing and Firewall Policies


In AcmeCorp’s network, FGT-ISFW has two networks behind it: Sales (172.16.10.0/24) and
Finance (172.16.20.0/24). FGT-DC has one network behind it, DC (172.16.100.0/24).

In this lab, you configure basic routing and firewall policies on FGT-EDGE to allow devices on
these networks to connect to the internet.
The steps you complete to accomplish this lab are:
1. Create firewall addresses and an address group
2. Create additional static routes
3. Create firewall policies

Time to complete: 15 minutes


Index: 3.0 (a)
Use Case: Basic Routing and Firewall Policies
Objective Title: Create Firewall Addresses and an Address Group
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Create Firewall Addresses and an Address Group

Background
Firewall addresses define sources and destinations of network traffic and are used when
creating firewall policies. Address groups are used to group together firewall addresses that
require the same firewall policy.

In this exercise, you create three firewall addresses, one for each network. You also create a
firewall group that contains the addresses for the Sales and Finance networks.

Tasks
1. Click Policy & Objects > Addresses and then use the Create New drop-down menu to
select Address and create an address for the Sales network.

2. Configure the following settings:

• Name: Sales
• Type: Subnet
• IP/Netmask: 172.16.10.0/24
• Interface: any

3. Turn on Static route configuration.

4. Click OK.

5. Click Create New > Address to create an address for the Finance network.

6. Configure the following settings:

• Name: Finance
• Type: Subnet
• IP/Netmask: 172.16.20.0/24
• Interface: any

7. Turn on Static route configuration.

8. Click OK.

9. Click Create New > Address to create an address for the DC network.

10. Configure the following settings:

• Name: DC
• Type: Subnet
• IP/Netmask: 172.16.100.0/24
• Interface: any

11. Turn on Static route configuration.

12. Click OK.

13. Use the Create New drop-down menu to click Address Group.

14. Configure the following settings:

• Group name: Sales and Finance
• Type: Group
• Members: Finance and Sales

15. Turn on Static route configuration.

16. Click OK.

Stop and Think


By creating an address group that contains the addresses for both Sales and Finance, you can
now configure FGT-EDGE to treat traffic from both of these networks in the exact same way.
What reasons might there be to not use this group and instead have FGT-EDGE distinguish
between traffic from Sales and traffic from Finance? (Select all that apply)

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:

Hint 1
Using address groups makes it easier to configure multiple policies that all use the same
addresses, since to add or remove an address from these policies, you only need to make a
single edit to the group configuration.

----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 2

Hint Text:
Hint 2
Firewall groups do not affect the Security Fabric topology views, so the two networks will
appear separately even if you use the firewall group.

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:

Answer
Correct: B and D

Both security and routing requirements are reasons to have FGT-EDGE handle traffic differently
depending on whether it came from Sales or Finance.

Answer Key:
✘ 1. It’s easier to use individual addresses in all situations
✔ 2. The Finance network has greater security requirements
✘ 3. Both networks need to appear separately in the Security Fabric topology views
✔ 4. You wish to use different routing settings for the two networks
Index: 3.0 (b)
Use Case: Basic Routing and Firewall Policies
Objective Title: Create Additional Static Routes
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Create Additional Static Routes

Background
In this exercise, you create two static routes: one for Sales and Finance and one for DC.

Tasks
1. Click Network > Static Routes and click Create New to create a static route for Sales and
Finance.

2. Configure the following settings:

• Destination: Named Address
• Use the drop-down menu to select Sales and Finance
• Gateway Address: 10.10.30.10
• Interface: EDGE_ISFW Network (port4)
• Comments: Sales and Finance

3. Click OK.

4. Click Create New to create a static route for DC.

5. Configure the following settings:

• Destination: Named Address
• Use the drop-down menu to select DC
• Gateway Address: 10.10.30.2
• Interface: EDGE_DC Network (port3)
• Comments: DC

6. Click OK.

Stop and Think


True or false: Bob’s computer, located on the Finance network, now has internet access.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer
Correct: B

False. If you connect to Bob’s computer now, you aren’t able to access the internet. This is
because there is no firewall policy in place to allow traffic from the Finance network to pass
through FGT-EDGE.

Answer Key:
✘ 1. True
✔ 2. False
Index: 3.0 (c)
Use Case: Basic Routing and Firewall Policies
Objective Title: Create Firewall Policies
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Create Firewall Policies

Background
In this exercise, you create two firewall policies: one for Sales and Finance and one for DC.

Tasks
1. Click Policy & Objects > Firewall Policy and click Create New to create a policy for Sales
and Finance.

2. Configure the following settings:

• Name: Sales and Finance
• Incoming Interface: EDGE_ISFW Network (port4)
• Outgoing Interface: ISP1 (port6)
• Source: Sales and Finance
• Destination: all
• Service: ALL

3. Leave all other settings at the default.

4. Click OK.
5. Click Create New to create a policy for DC.

6. Configure the following settings:

• Name: DC
• Incoming Interface: EDGE_DC Network (port3)
• Outgoing Interface: ISP1 (port6)
• Source: DC
• Destination: all
• Service: ALL

7. Leave all other settings at the default.

8. Click OK.

9. In the top right-hand corner of the screen, click By Sequence. The policy list is now
displayed in the order FGT-EDGE uses to match traffic, with the default Implicit Deny
policy at the bottom.

10. Return to the Lab Activity Tab, click Bob in the sidebar menu under the Finance group,
and then click on the RDP option to access Bob’s workstation.

11. Run Chrome and click the browser bookmark Google.


12. Bob’s computer has internet access.

13. Connect to FGT-EDGE and refresh the policy list. The Bytes column shows that the Sales
and Finance policy has traffic.
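
The same build in FortiOS CLI form, as an added example that is not part of the lab: the equivalent of exercises 2.0 (b), 3.0 (a), 3.0 (b) and 3.0 (c), typed into the >_ console. Object names, addresses, gateways and interfaces are the lab's own; the route and policy ID numbers and the enabled NAT setting are assumptions (the lab leaves NAT at the GUI default for a new policy).

```fortios
# Firewall addresses with "Static route configuration" turned on (allow-routing),
# which is what lets a route use the address as its destination.
config firewall address
    edit "Sales"
        set subnet 172.16.10.0 255.255.255.0
        set allow-routing enable
    next
    edit "Finance"
        set subnet 172.16.20.0 255.255.255.0
        set allow-routing enable
    next
    edit "DC"
        set subnet 172.16.100.0 255.255.255.0
        set allow-routing enable
    next
end

config firewall addrgrp
    edit "Sales and Finance"
        set member "Sales" "Finance"
        set allow-routing enable
    next
end

# Static routes: the default route from 2.0 (b), then one per named address.
# Route IDs 1-3 are assumed; "edit 0" would let FortiOS pick the next free ID.
config router static
    edit 1
        set gateway 100.65.0.254
        set device "port6"
    next
    edit 2
        set dstaddr "Sales and Finance"
        set gateway 10.10.30.10
        set device "port4"
        set comment "Sales and Finance"
    next
    edit 3
        set dstaddr "DC"
        set gateway 10.10.30.2
        set device "port3"
        set comment "DC"
    next
end

# Firewall policies. Routes alone do not give Bob internet access (3.0 (b) Stop
# and Think): without a matching policy, traffic falls through to Implicit Deny.
config firewall policy
    edit 1
        set name "Sales and Finance"
        set srcintf "port4"
        set dstintf "port6"
        set srcaddr "Sales and Finance"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "DC"
        set srcintf "port3"
        set dstintf "port6"
        set srcaddr "DC"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Verify: the routing table should list 0.0.0.0/0 via 100.65.0.254 on port6 plus
# the two named-address routes; the policy list is shown in match order.
get router info routing-table all
show firewall policy
```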

Stop and Think


True or false: FGT-EDGE is now applying security scanning, such as antivirus, to traffic from the
Sales, Finance, and DC network.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer
Correct: B

False. FGT-EDGE is processing traffic from these networks but, since no security profiles have
been enabled on the firewall policy, FGT-EDGE isn’t applying security scanning.

Answer Key:
✘ 1. True
✔ 2. False
Index: 4.0
Use Case: Security Profiles
Objective Title: New Objective
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Security Profiles

In this lab, you add security profiles to the Sales and Finance firewall policy on FGT-EDGE, so
that the FortiGate protects traffic from these two networks.

The steps you complete to accomplish this lab are:

1. Apply antivirus scanning and SSL inspection


2. Block social media with web filtering
3. Block Mozilla Firefox with application control

Time to complete: 20 minutes


Index: 4.0 (a)
Use Case: Security Profiles
Objective Title: Apply Antivirus Scanning and SSL Inspection
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Apply Antivirus Scanning and SSL Inspection

Background
In this exercise, you create an antivirus profile for Sales and Finance, to protect network traffic
from virus outbreaks. You also apply full SSL inspection, to allow FGT-EDGE to inspect encrypted
traffic.

When you apply full SSL inspection to traffic, network users may receive a security certificate
warning in their internet browser. In this exercise, Bob’s computer has been pre-configured to
prevent any warnings from appearing.

Tasks

1. Return to the FGT-EDGE tab.

2. Click Security Profiles > AntiVirus and click Create New.

3. Set Name to Sales and Finance.

4. Leave Detect Viruses as Block.

5. Leave Feature set as Flow-based. Flow-based inspection takes a snapshot of content
packets and uses pattern matching to identify security threats in the content.
Proxy-based inspection reconstructs content that passes through the FortiGate and
inspects the content for security threats.

6. Under Inspected Protocols, turn on all protocol options.


7. Under APT Protection Options, turn on Treat Windows Executables in Email
Attachments as Viruses and leave Include Mobile Malware Protection turned on.

8. Under Virus Outbreak Prevention, turn on Use FortiGate Outbreak Prevention
Database. This allows the FortiGate antivirus database to use third-party malware hash
signatures curated by FortiGuard to block detected viruses before a FortiGuard
signature is available.

9. Click OK.

10. Click Policy & Objects > Firewall Policy, click Sales and Finance, and click Edit.

11. Under Security Profiles, turn on AntiVirus. Use the drop-down menu to select the Sales
and Finance profile.

12. Use the SSL Inspection drop-down menu to select deep-inspection. This turns on full
SSL inspection, so FGT-EDGE can inspect encrypted traffic.
13. Click OK.

14. Return to Bob’s workstation.

15. Run Chrome and click the browser bookmark EICAR. This website contains a file that you
can use to test your antivirus scanning.

16. Under Download area using the secure, SSL enabled protocol https, click eicar.com.

17. FGT-EDGE blocks the file from downloading.

Stop and Think


Would FGT-EDGE block the EICAR test file if you set SSL Inspection to certificate-inspection and
downloaded the file using HTTPS?

----------------------- Hint 1 Section -----------------------


Hint: 1 Points: 2

Hint Text:

Hint
When you apply the certificate-inspection profile, the FortiGate only inspects the header
information of the packets and not the contents.

You can apply the following security features when using SSL certificate inspection mode: web
filtering and application control. With web filtering, SSL certificate inspection doesn’t introduce
certificate errors and can be a useful alternative to full SSL inspection. With application control,
SSL certificate inspection can use the common name in the server certificate to identify an
application by certain signatures; however, most signatures require full SSL inspection.

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer
Correct: B

No, in order to inspect encrypted traffic, you must use full SSL inspection.

Answer Key:
✘ 1. Yes
✔ 2. No
Index: 4.0 (b)
Use Case: Security Profiles
Objective Title: Block Social Networking with Web Filtering
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Block Social Networking with Web Filtering

Background
In this exercise, you block all websites identified as social networking sites by the FortiGuard
Web Filtering service.

Tasks
1. Return to the FGT-EDGE.

2. Click Security Profiles > Web Filter and click Create New.

3. Set Name to Sales and Finance.

4. Leave Feature set set to Flow-based.

5. Under FortiGuard category based filter, locate General Interest - Personal.

6. Select Social Networking and click Block.


7. Click OK.

8. Click Policy & Objects > Firewall Policy, click Sales and Finance, and click Edit.

9. Under Security Profiles, turn on Web Filter. Use the drop-down menu to select the
Sales and Finance profile.

10. Click OK.

11. Return to Bob’s Computer and click the browser bookmark Twitter.

12. FGT-EDGE blocks the website.

Stop and Think


If you wanted to allow access to Twitter while blocking other social network sites, what
methods could you use? (Select all that apply)
----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:

Hint
You can use a static URL filter to block, allow, or monitor URLs by using patterns containing text,
regular expressions, or wildcard characters.

By using a web rating override, you can manually assign a specific website to a different
Fortinet category or a locally created category.

----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:

Answer
Correct: A, B, and C

You can use any of these three methods to allow access to Twitter while blocking other social
networking websites.

Answer Key:
✔ 1. Configure a static URL filter for Twitter
✔ 2. Using a web rating override to assign Twitter to a different category
✔ 3. Create another firewall policy to handle traffic to Twitter
✘ 4. There is no method to allow this
Index: 4.0 (c)
Use Case: Security Profiles
Objective Title: Block Mozilla Firefox with Application Control
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Block Mozilla Firefox with Application Control

Background
In this exercise, you block network users from using the browser Mozilla Firefox.

Tasks
1. Return to the FGT-EDGE.

2. Click Security Profiles > Application Control and click Create New.

3. Set Name to Sales and Finance.

4. Under Application and Filter Overrides, click Create New.

5. Leave Type set to Application and Action set to Block.

6. In the search bar, type Firefox and then press Enter.

7. Two signatures are found: Firefox.Update and HTTP.BROWSER_Firefox. Click Add All
Results.
8. Click OK.

9. Click OK to save the profile.

10. Click Policy & Objects > Firewall Policy, click Sales and Finance, and click Edit.

11. Under Security Profiles, turn on Application Control. Use the drop-down menu to select
Sales and Finance.

12. Click OK.

13. Return to Bob's Computer and run Firefox.

14. Click the browser bookmark Google.

15. FGT-EDGE blocks the attempt.


Stop and Think
Can you use the security profiles you applied to the Sales and Finance firewall policy for the DC
firewall policy as well?

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer
Correct: A

Yes, you can apply the same security profiles to all firewall policies on FGT-EDGE.

Answer Key:
✔ 1. Yes
✘ 2. No
Index: 4.0 (d)
Use Case: Security Profiles
Objective Title: Learn More About Security Profiles
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Learn More About Security Profiles

If you would like to learn more about using FortiGate security profiles, ask your instructor about
the Fortifying the Enterprise Network (NGFW Solution) course offered by the Fast Track
Program.
As security architects consider how to provide comprehensive threat protection for their
enterprises, including intrusion prevention, web filtering, anti-malware, and application control,
they face a major complexity hurdle: managing these point products with no integration and
a lack of visibility.

Participants who attend this workshop will learn how to:

• Reduce complexity with industry-leading security effectiveness
• Enhance visibility with automated action
• Simplify SSL performance and complexity issues for encrypted cloud access
Index: 5.0
Use Case: Logging and Reporting
Objective Title: New Objective
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Logging and Reporting


In this lab, you configure FortiGate local logging and view the logs generated from network
traffic.
The steps you complete to accomplish this lab are:
1. Configure log settings

2. Enable logging in the firewall policy

3. Generate traffic and view the logs

Time to complete: 10 minutes


Index: 5.0 (a)
Use Case: Logging and Reporting
Objective Title: Configure Log Settings
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Configure Log Settings

Background

In this exercise, you configure log settings for local logging.

Tasks
1. Return to the FGT-EDGE.

2. Click Log & Report > Log Settings.

3. Under Local Log, turn on Disk, Enable Local Reports, and Enable Historical FortiView.

4. Under Log Settings, set Event Logging and Local Traffic Log to All.

5. Under GUI Preferences, turn on both Resolve Hostnames and Resolve Unknown Applications.

6. Click Apply.
Index: 5.0 (b)
Use Case: Logging and Reporting
Objective Title: Enable Logging in the Firewall Policy
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Enable Logging in the Firewall Policy

Background
Now that you have configured local logging, you need to enable logging on a firewall policy to
begin generating logs. Because logging all sessions uses more system resources, it is typically
recommended to log only security events. However, for this exercise, you configure the
FortiGate to log all sessions to make sure logging is working properly.

Tasks
1. Click Policy & Objects > Firewall Policy, click Sales and Finance, and click Edit.

2. Under Logging Options, turn on Log Allowed Traffic and select All Sessions.

3. Turn on Generate Logs when Session Starts.

4. Click OK.
Index: 5.0 (c)
Use Case: Logging and Reporting
Objective Title: Generate Traffic and View the Logs
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Generate Traffic and View the Logs

Background

There are many types of logs you can view on a FortiGate. In this exercise, you will use the
following logs:

• Forward traffic: Logs about all network traffic permitted or denied by a firewall policy
• Events: Logs concerning administration management and FortiGate system activity
• Web filter: Logs generated when web filtering is applied to network traffic

Tasks

Forward Traffic
1. Return to Bob’s Computer.

2. Run Chrome and click the browser bookmark Google to generate internet traffic
through FGT-EDGE.

3. Return to the FGT-EDGE.

4. Click Log & Report > Forward Traffic.

5. On the top of the screen, click Add Filter. Select Source and then select 172.16.20.51,
the IP address of Bob's computer.

6. With the filter applied, the log shows the traffic from Bob’s computer. The traffic should
look similar to the following screenshot:
7. Select one of the log entries and click Details, located in the top right-hand corner. The
FortiGate displays more information about the session.

Events
1. Log out of FGT-EDGE.

2. Attempt to log in with the admin account but do not enter a password.

3. The attempt fails.

Note: Only enter the wrong credentials once, to avoid FGT-EDGE locking the admin
account out after too many failed login attempts.
4. Log in using the correct credentials for the admin account (username: admin,
password: Fortinet1!).

5. Click Log & Report > Events. Click the tile for System Events.

6. The event log contains an entry for the failed login attempt.

7. Select the log entry and click Details to view more information.
Web Filter
1. Return to Bob’s Computer and click the browser bookmark Twitter. FGT-EDGE blocks
the website.

2. Return to FGT-EDGE.

3. Click Log & Report > Web Filter.

4. The web filter log contains an entry for when FGT-EDGE applied web filtering to block
Twitter.

5. Select the log entry and click Details to view more information.
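As an added example that is not part of the lab guide, the following Python script parses records in FortiGate's key=value log format and applies the same three views the exercise walks through: forward traffic filtered to Bob's address 172.16.20.51, the failed admin login in the system event log, and the web filter block of Twitter. The log lines are constructed samples (the 203.0.113.x destinations, ports and byte counts are placeholders), and the lockout threshold of 3 is an assumption, not a value from the lab.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records in FortiGate's key=value log format, one record per line.
# Bob's address 172.16.20.51, the admin user and twitter.com come from the lab; the
# 203.0.113.x destinations, ports and byte counts are placeholders, not real traffic.
SAMPLE_LOGS = [
    # Forward traffic accepted by the Sales and Finance policy (Bob browsing over HTTPS)
    'date=2021-06-01 time=09:10:02 type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=172.16.20.51 srcport=52311 srcintf="port2" dstip=203.0.113.10 dstport=443 '
    'dstintf="port6" proto=6 action="accept" policyid=1 policyname="Sales and Finance" '
    'service="HTTPS" sentbyte=1843 rcvdbyte=5120',
    # Bob's DNS lookup, also accepted
    'date=2021-06-01 time=09:10:02 type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=172.16.20.51 srcport=61002 srcintf="port2" dstip=8.8.8.8 dstport=53 dstintf="port6" '
    'proto=17 action="accept" policyid=1 policyname="Sales and Finance" service="DNS" '
    'sentbyte=74 rcvdbyte=150',
    # A different host being denied; must not show up when filtering on Bob's address
    'date=2021-06-01 time=09:10:05 type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=172.16.20.52 srcport=40110 srcintf="port2" dstip=203.0.113.10 dstport=23 '
    'dstintf="port6" proto=6 action="deny" policyid=0 service="TELNET" sentbyte=0 rcvdbyte=0',
    # System event: the failed admin login from the Events part of the exercise
    'date=2021-06-01 time=09:11:30 type="event" subtype="system" level="alert" vd="root" '
    'logdesc="Admin login failed" user="admin" ui="https(172.16.20.51)" method="https" '
    'srcip=172.16.20.51 action="login" status="failed" reason="passwd_invalid" '
    'msg="Administrator admin login failed from https(172.16.20.51) because of invalid password"',
    # Web filter: FGT-EDGE blocking Twitter for Bob
    'date=2021-06-01 time=09:12:10 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'level="warning" vd="root" policyid=1 srcip=172.16.20.51 srcport=52340 srcintf="port2" '
    'dstip=203.0.113.20 dstport=443 dstintf="port6" service="HTTPS" hostname="twitter.com" '
    'action="blocked" url="https://twitter.com/" catdesc="Social Networking" '
    'msg="URL belongs to a denied category in policy"',
]

# key=value pairs: string values are double-quoted and may contain spaces (msg="..."),
# numbers and addresses are bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one log line into a field dict, stripping the quotes around string values."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def forward_traffic_from(records: List[Dict[str, str]], srcip: str) -> List[Dict[str, str]]:
    """The GUI filter Source = <srcip> applied to the Forward Traffic log."""
    return [r for r in records
            if r.get("type") == "traffic" and r.get("subtype") == "forward" and r.get("srcip") == srcip]


def failed_admin_logins(records: List[Dict[str, str]]) -> Counter:
    """Count failed administrator logins per (user, source address) in the event log."""
    failures: Counter = Counter()
    for r in records:
        if r.get("type") == "event" and r.get("action") == "login" and r.get("status") == "failed":
            failures[(r.get("user", "?"), r.get("srcip", "?"))] += 1
    return failures


def lockout_risk(failures: Counter, threshold: int = 3) -> List[Tuple[str, str]]:
    """(user, srcip) pairs whose failure count reached the lockout threshold.
    The lab notes that FGT-EDGE locks the admin account after too many failed attempts;
    the threshold of 3 is an assumption for this example, not a value from the lab."""
    return sorted(key for key, n in failures.items() if n >= threshold)


def webfilter_blocks(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(srcip, hostname) for every block, the view behind Log & Report > Web Filter."""
    return [(r.get("srcip", "?"), r.get("hostname", "?")) for r in records
            if r.get("subtype") == "webfilter" and r.get("action") == "blocked"]


def summarize(lines: List[str], srcip: str) -> Dict[str, object]:
    """Run the three log views over raw lines and return the results in one dict."""
    records = [parse_record(line) for line in lines]
    failures = failed_admin_logins(records)
    return {
        "forward_from_host": len(forward_traffic_from(records, srcip)),
        "failed_logins": dict(failures),
        "lockout_risk": lockout_risk(failures),
        "webfilter_blocks": webfilter_blocks(records),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGS, "172.16.20.51").items():
        print(f"{key}: {value}")
```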
Stop and Think
This exercise used local logging, with logs stored directly on FGT-EDGE. What reasons could
AcmeCorp have for using external logging, such as FortiGate Cloud or a FortiAnalyzer, instead of
local logging?

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:

Hint
FortiGate Cloud is a cloud-based infrastructure management and log retention service offered
by Fortinet. You can use it for both analytics and management of multiple FortiGate devices, as
well as FortiSwitch and FortiAP devices.

FortiAnalyzer offers advanced logging and reporting capabilities, centralized security analytics
across the Fortinet Security Fabric, and security automation via Fabric Connectors and
application programming interfaces (APIs). These use cases enable security teams to increase
efficiency, reduce risk, and improve total cost of ownership (TCO).

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer
Correct: D

All three reasons would require the use of external logging.

Answer Key:
✘ 1. AcmeCorp is using a FortiGate model that doesn’t have a hard drive/storage space for
logs
✘ 2. AcmeCorp needs to aggregate logs from multiple FortiGate devices
✘ 3. AcmeCorp requires remote access to logs
✔ 4. All of the above
Index: 5.0 (d)
Use Case: Logging and Reporting
Objective Title: Learn More About Logging and Reporting
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Learn More About Logging and Reporting

If you would like to learn more about logging and reporting, ask your instructor about the
Simplify SOC Operations for the Security Fabric with FortiAnalyzer course offered by the Fast
Track Program.
FortiAnalyzer, part of the Fortinet Security Fabric, addresses the complexity of operations that
security teams around the world face. FortiAnalyzer enables an organization to maximize the
impact and effectiveness of a lean security team. It does this by providing broad visibility and
control of an organization’s entire digital attack surface, an integrated solution that reduces the
complexity of supporting multiple point products, and automation of security workflows that
increases the speed of operation.
Participants who attend this workshop will learn how to:

• Understand the benefits of using FortiAnalyzer to simplify SOC operations
• Use playbooks to automate workflows in order to reduce the workload on the security team
• Use FortiGate event handlers to automate actions via automation stitches
• Work with analytics logs and generate custom reports
Index: 6.0
Use Case: CLI Basics
Objective Title: New Objective
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

CLI Basics
In this lab, you use the FortiGate CLI to add security profiles and logging to the DC firewall
policy. You also learn about tips for using the CLI.
The steps you complete to accomplish this lab are:
1. Connect to the CLI
2. Use basic commands
3. Configure the DC firewall policy
4. Examine traffic with packet sniffing
Time to complete: 15 minutes
Index: 6.0 (a)
Use Case: CLI Basics
Objective Title: Connect to the CLI
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Connect to the CLI

Background

In this exercise, you connect to the FortiGate three ways:

• The CLI console button in the GUI
• The drop-down menu available in the GUI for certain objects
• Connecting via SSH using a terminal emulator application such as PuTTY

Tasks

CLI Console Button


1. Connect to FGT-EDGE.

2. Click >_ in the top right-hand corner to connect to the CLI console.

3. Type the following command get system status and press Enter.

4. An output similar to the screenshot below appears, listing information about the
FortiGate:
5. Close the CLI console screen.

Drop-Down Menu
1. Click Policy & Objects > Firewall Policy, right-click Sales and Finance, and use the
drop-down menu to select Edit in CLI.

2. The CLI console opens and shows the configuration for the firewall policy:
3. Minimize Chrome.

Using SSH
1. Return to the Lab Activity Tab. Click FGT-EDGE in the sidebar menu under the Core
group, and then click the SSH option.

Note: This view is the same view you would have had you connected to FGT-EDGE using
a terminal emulator application such as PuTTY.

2. You are connected to the CLI.

Note: You did not have to provide credentials because the NSE Institute Portal
automatically passes the admin credentials to the FortiGate.

3. Type the following command: get system interface physical and press
Enter.

4. An output similar to the screenshot below appears, listing information about the
FortiGate physical interfaces:
Index: 6.0 (b)
Use Case: CLI Basics
Objective Title: Use Basic Commands
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Use Basic Commands

Background

In the previous objectives, you used the following CLI commands:

• get: Get information about the current configuration
• config: Configure objects and system settings
• execute: Execute static commands

Tasks

Using the get Command


1. Return to your browser tab with the GUI interface to the FGT-EDGE.

2. Click >_ to connect to the CLI console.

3. To view the get commands, type get ?

4. The commands shown are the top level commands. Additional sub-commands are
available for some of these commands, such as system.
5. To view the get system sub-commands, type get system ?
6. To view the list of administrative users, type get system admin and press Enter.
The output lists all administrative users:

Using the config Command


1. In this exercise, you edit the bob-admin account. This account can't be edited if the user
is logged in. To check if bob-admin is logged in, click Dashboard > Status and locate the
Administrators widget. If bob-admin appears on the list, click the widget and select
Show active administrator sessions.

2. Select bob-admin and click Disconnect.

3. Click >_ to connect to the CLI console.

4. To view the config commands, type config ?


5. To configure administrative accounts, type config system admin and press Enter.

6. Type edit bob-admin to configure Bob’s administrator account and press Enter.

7. Type show and press Enter to view the current configuration of the account.

8. Type set accprofile super_admin and press Enter to change the administrative profile.

9. Type end and press Enter to save the configuration changes.

10. Close the CLI console.

11. To confirm the change, click System > Administrators. The Profile for bob-admin is now
super_admin.

Using the execute Command


1. Click >_ to connect to the CLI console.

2. To view the execute commands, type execute ?


3. To run a traceroute to the Fortinet website, type execute traceroute
www.fortinet.com and press Enter.

4. After a few moments, an output appears similar to the following screenshot:


Index: 6.0 (c)
Use Case: CLI Basics
Objective Title: Configure the DC Firewall Policy
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Configure the DC Firewall Policy

Background

In the previous objectives, you used the GUI to configure the Sales and Finance policy to include
security profiles and logging. In this exercise, you use the CLI to configure the DC policy to
include security profiles and logging. The security profiles you apply have been pre-configured
for use with the DC network.

Tasks
1. Click >_ to connect to CLI console.

2. Enter the following commands to add security profiles and logging:

    config firewall policy
        edit 2
            set utm-status enable
            set ssl-ssh-profile deep-inspection
            set av-profile DC
            set webfilter-profile DC
            set application-list DC
            set logtraffic all
        end

3. Close the CLI console.

4. Click Policy & Objects > Firewall Policy. You can see the changes made to the DC policy
under Security Profiles and Log.
Index: 6.0 (d)
Use Case: CLI Basics
Objective Title: Examine Traffic With Packet Sniffing
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Examine Traffic With Packet Sniffing

Background

Packet sniffing allows you to gather information about specific packets passing through the
AcmeCorp network to help troubleshoot issues. To do this, you use the diagnose sniffer
CLI command.
The full syntax for the packet sniffing command is diagnose sniffer packet <interface>
<filter> <verbose> <count> <tsformat>. The parts of the command are as follows:

• <interface>: an interface name, or any for all interfaces
• <filter>: the selected filter
• <verbose>: the level of verbosity
• <count>: the number of packets the sniffer reads before stopping
• <tsformat>: the timestamp format

Only the interface value is required.
In this exercise, you use packet sniffing as part of the troubleshooting process and examine
traffic on any interface. You use the filter 'host 8.8.8.8 and icmp' to capture ICMP
traffic to or from the host IP address 8.8.8.8 (a Google public DNS server). You use verbose level 4
to print the packet headers with the interface name listed. You set count to 100 and use
timestamp format 1 to view absolute local time in yyyy-mm-dd hh:mm:ss.ms format.

Tasks
1. Click >_ to connect to CLI console.

2. Enter the command diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4 100 1 and press Enter.

3. Return to Bob’s Computer.

4. Open Command Prompt.

5. Type ping 8.8.8.8 and press Enter.

6. Return to the FGT-EDGE and view the CLI console.

7. An output similar to the following appears, showing information about the packets
generated by Bob’s computer. To stop the sniffer, press Ctrl + C.

8. The output shows both the ingress and egress interfaces on FGT-EDGE that ICMP traffic
flows through to reach 8.8.8.8 from Bob’s computer.
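As an added example that is not part of the lab guide, the following Python script parses output in the shape that verbose level 4 with timestamp format 1 produces and works out, from the in/out lines, the ingress and egress interfaces of Bob's ping, whether source NAT was applied on the way out, and how many requests went unanswered. The sample lines are constructed; the interface names port2 and port6 and the FortiGate's outside address 100.65.0.1 are assumptions, while 172.16.20.51 and 8.8.8.8 come from the exercise.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the verbose-4 output of
#   diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4 100 1
# Bob's address 172.16.20.51 and 8.8.8.8 come from the lab; the interface names
# port2/port6 and the FortiGate's outside address 100.65.0.1 are assumptions.
SAMPLE_OUTPUT = """\
interfaces=[any]
filters=[host 8.8.8.8 and icmp]
2021-06-01 09:12:44.101233 port2 in 172.16.20.51 -> 8.8.8.8: icmp: echo request
2021-06-01 09:12:44.101301 port6 out 100.65.0.1 -> 8.8.8.8: icmp: echo request
2021-06-01 09:12:44.118740 port6 in 8.8.8.8 -> 100.65.0.1: icmp: echo reply
2021-06-01 09:12:44.118802 port2 out 8.8.8.8 -> 172.16.20.51: icmp: echo reply
2021-06-01 09:12:45.103011 port2 in 172.16.20.51 -> 8.8.8.8: icmp: echo request
2021-06-01 09:12:45.103079 port6 out 100.65.0.1 -> 8.8.8.8: icmp: echo request
"""

# One verbose-4 line with tsformat 1:
#   <yyyy-mm-dd hh:mm:ss.us> <interface> <in|out> <src> -> <dst>: <proto>: <detail>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<iface>\S+) (?P<direction>in|out) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<proto>\w+): (?P<detail>.*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    iface: str
    direction: str  # "in": received on iface; "out": transmitted on iface
    src: str
    dst: str
    proto: str
    detail: str


def parse_sniffer_output(text: str) -> List[Packet]:
    """Parse sniffer lines; the interfaces=/filters= header and other noise are skipped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(**m.groupdict()))
    return packets


def trace_icmp_path(packets: List[Packet], client_ip: str, target_ip: str) -> Dict[str, object]:
    """Find where the client's echo requests entered and left the FortiGate.

    Also records the source address seen on egress (differs from client_ip when the
    policy applies NAT) and how many requests never got a reply back to the client.
    """
    ingress, egress = set(), set()
    snat_ip: Optional[str] = None
    requests_in = requests_out = replies_delivered = 0
    for p in packets:
        if p.proto != "icmp":
            continue
        if p.direction == "in" and p.src == client_ip and p.dst == target_ip:
            ingress.add(p.iface)          # request arriving from the client's segment
            requests_in += 1
        elif p.direction == "out" and p.dst == target_ip and "echo request" in p.detail:
            egress.add(p.iface)           # request leaving towards the target
            requests_out += 1
            if p.src != client_ip:
                snat_ip = p.src           # source NAT applied on the way out
        elif p.direction == "out" and p.src == target_ip and p.dst == client_ip:
            replies_delivered += 1        # reply handed back to the client
    return {
        "ingress": sorted(ingress),
        "egress": sorted(egress),
        "snat_ip": snat_ip,
        "requests_in": requests_in,
        "requests_out": requests_out,
        "replies_delivered": replies_delivered,
        "unanswered": requests_in - replies_delivered,
    }


def verdict(summary: Dict[str, object]) -> str:
    """The troubleshooting conclusion that follows from the counts."""
    if summary["requests_in"] == 0:
        return "no requests reached the FortiGate: check the client and the inside segment"
    if summary["requests_out"] == 0:
        return "requests arrived but were not forwarded: check the firewall policy and routing"
    if summary["replies_delivered"] == 0:
        return "requests left but no replies returned: check the upstream path and NAT"
    return "path OK"


if __name__ == "__main__":
    result = trace_icmp_path(parse_sniffer_output(SAMPLE_OUTPUT), "172.16.20.51", "8.8.8.8")
    print(result)
    print(verdict(result))
```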
Index: 7.0
Use Case: Local User Authentication
Objective Title: New Objective
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Local User Authentication


In this lab, you configure local user and device authentication to provide greater visibility into
the users and devices on the AcmeCorp network. You also configure FGT-EDGE to create and
manage temporary guest accounts.
The steps you complete to accomplish this lab are:
1. Create user groups and accounts

2. Add authentication to the firewall policy

3. Manage administrator accounts

4. Configure guest accounts

Time to complete: 20 minutes


Index: 7.0 (a)
Use Case: Local User Authentication
Objective Title: Create User Groups and Accounts
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Create User Groups and Accounts

Background
In this exercise, you will be working on the FGT-EDGE to create two user groups: Sales and
Finance. Then you create user accounts for Alice and Bob, adding them to the appropriate
group.

Tasks
1. Click User & Authentication > User Groups and click Create New.

2. Set Name to Sales.

3. Set Type to Firewall.

4. Click OK.

5. Repeat the above steps to create a second group named Finance.

6. Click User & Authentication > User Definition and click Create New.
7. Set User Type to Local User.

8. Click Next.

9. Set Username to alice and Password to Fortinet1!

10. Click Next.

11. Leave Two-factor Authentication disabled.

12. Click Next.

13. Turn on User Group and select Sales.

14. Click Submit.

15. Click Create New to create a second user account.

16. Set User Type to Local User.


17. Click Next.
18. Set Username to bob and Password to Fortinet1!

19. Click Next.

20. Leave Two-factor Authentication disabled.

21. Click Next.

22. Turn on User Group and select Finance.

23. Click Submit.


Index: 7.0 (b)
Use Case: Local User Authentication
Objective Title: Add Authentication to the Firewall Policy
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Add Authentication to the Firewall Policy

Background
In this exercise, you add user authentication to the firewall policy Sales and Finance.

Tasks
1. Click Policy & Objects > Firewall Policy, click Sales and Finance, and click Edit.

2. Click Source. In the right-hand menu, click User and select both Finance and Sales.

3. Click Close.

4. Click OK.

5. Return to Bob’s Computer.

6. Open Chrome and select the browser bookmark Google.

7. An authentication screen appears in a new tab. Enter the credentials for the bob
account and click Continue.
8. Once your authentication is complete, you can access the website.

9. Return to FGT-EDGE.

10. Click Dashboard > Users & Devices and click the Firewall Users widget to expand it. bob
appears on the list of connected users.
Index: 7.0 (c)
Use Case: Local User Authentication
Objective Title: Manage Administrator Accounts
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Manage Administrator Accounts

Background
In this exercise, you create a new administrator account for Bob, an AcmeCorp employee. This
account configuration includes a trusted host, so Bob can only access it from his assigned
computer on the network.

Tasks
1. Click System > Administrators and use the Create New dropdown menu to select
Administrator.

2. Configure the following settings:

• Username: bob-admin
• Type: Local User
• Password: Fortinet1!
• Confirm Password: Fortinet1!
• Administrator Profile: super_admin_readonly

3. Turn on Restrict login to trusted hosts.

4. Set Trusted Host 1 to 172.16.20.51/32, the IP address of Bob’s computer.


5. Click OK.

6. Use the dropdown menu in the top right of the screen to select Logout.

7. Enter the credentials for the bob-admin account.

8. The authentication attempt fails because the trusted host doesn’t match.

9. Return to Bob’s Computer.

10. Run Chrome and click the browser bookmark FGT-EDGE.

11. Enter the credentials for the bob-admin account.

12. When the message about FortiGate Setup appears, click Later.
13. You can now access the FortiGate GUI with this account.

Stop and Think


While logged in using the bob-admin account, click System > Settings. You can view the system
settings but aren’t able to change any of them. Why is this?

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 2

Hint Text:

Hint
Administrator profiles define what the administrator can do when logged into the FortiGate.
There are several default profiles you can use, plus you can create new ones as required.

The default profiles are:

• super_admin: allows full read-write access to the entire FortiGate configuration
• prof_admin: allows read-write access to most of the FortiGate configuration, except for
routing, system settings, and endpoint control
• super_admin_readonly: allows read-only access to the entire FortiGate configuration
• prof_admin_readonly: allows read-only access to most of the FortiGate configuration,
except for routing, system settings, and endpoint control

To create, edit, and delete profiles, click System > Admin Profiles. You can’t delete the
super_admin profile.

Note: The read-only versions of the default admin profiles don’t appear on this page.

----------------------- Answer Section -----------------------


Answer: radio

Answer Text:

Answer
Correct: C

The bob-admin account uses the super_admin_readonly admin profile, so when you are logged in
with this account, you can’t change any settings.

The default admin account uses the super_admin admin profile, allowing you full read-write
access to the configuration when you log in with this account.

Answer Key:
✘ 1. The bob-admin account was configured incorrectly
✘ 2. Only the default admin account can change system settings
✔ 3. The administrator profile for the bob-admin account is restricted to read-only access
✘ 4. You can’t access system settings when a trusted host is required
Index: 7.0 (d)
Use Case: Local User Authentication
Objective Title: Configure Guest Accounts
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Configure Guest Accounts

Background

In this exercise, you create a guest user group, then configure the settings to create temporary
guest accounts.

Tasks
1. Click User & Authentication > User Groups and click Create New.

2. Set Name to Guests.

3. Set Type to Guest.

4. Under Guest Details, set Password to Specify.

5. Under Expiration, set Start Countdown to After First Login and Time to 30 seconds.
Note: The password and expiration settings you use in this exercise are for testing
purposes.

6. Leave all other settings at the default.

7. Click OK.

8. Click User & Authentication > Guest Management and click Create New.

9. Set Password to Fortinet1! and Email to [email protected].

10. Click OK.

11. Click Policy & Objects > Firewall Policy. For the Sales and Finance policy, hover over the
Source column and then click the edit icon.

12. In the right-hand list, click User and select Guests.


13. Click Apply.

14. Click Dashboard > Users & Devices and expand the Firewall Users widget. Select bob
and click Deauthenticate.

15. Click OK.

16. Return to Bob’s Computer.

17. Open Chrome and select the browser bookmark Fortinet.

18. An authentication screen appears. Enter the credentials for the guest account.

19. Once your authentication is complete, you can access the website.
20. Return to the FGT-EDGE.

21. Click Dashboard > Users & Devices, and expand the Firewall Users widget.

22. If [email protected] appears on the list, select it, click Deauthenticate, then click
OK.

23. Return to Bob’s Computer and click Fortinet again. When prompted, enter the
credentials for the guest account.

24. Your authentication attempt fails.

25. Return to FGT-EDGE and click User & Authentication > Guest Management.

26. The account [email protected] is Expired.


Index: 8.0
Use Case: Setting up a Fortinet Security Fabric
Objective Title: New Objective
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Setting up a Fortinet Security Fabric


In this lab, you configure FGT-EDGE as the root FortiGate in a Fortinet Security Fabric that also
includes FGT-ISFW, FGT-DC, and a FortiAnalyzer.

The steps you complete to accomplish this lab are:


1. Create a Fabric connector to FortiAnalyzer
2. Create a Security Fabric group and authorize FGT-DC
3. Pre-authorize FGT-ISFW and add it to the Security Fabric
4. Authorize the FortiGate devices on FortiAnalyzer
Time to complete: 10 minutes
Index: 8.0 (a)
Use Case: Setting up a Fortinet Security Fabric
Objective Title: Create a Fabric Connector to FortiAnalyzer
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Create a Fabric Connector to FortiAnalyzer

Background

In this exercise, you create a Fabric connector on FGT-EDGE for the FortiAnalyzer.
Note: You can also add FortiAnalyzer as part of the process of creating a Security Fabric group,
which you will do in the next exercise.

Tasks
1. Return to the FGT-EDGE.

2. Click Security Fabric > Fabric Connectors. Under Core Network Security, select the
connector FortiAnalyzer Logging and click Edit.

3. Set Status to Enabled.

4. Set IP address to 192.168.0.121, the IP address of the FortiAnalyzer.

5. Click Test Connectivity. The Connection status is currently Unauthorized.

6. Set Upload option to Real Time.

7. Leave the other settings at the default.

8. Click OK.
9. A message appears about the FortiAnalyzer serial number. The correct number is
FAZ-VMTM19004582. If this matches the number that appears, click Accept.

10. The connector is now blue. The red downward arrow shows that it isn't connected,
because FGT-EDGE isn't authorized on the FortiAnalyzer. You will do this in a later step.
Index: 8.0 (b)
Use Case: Setting up a Fortinet Security Fabric
Objective Title: Create a Security Fabric Group and Authorize FGT-DC
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Create a Security Fabric Group and Authorize FGT-DC

Background
In this exercise, you configure FGT-EDGE as the root FortiGate in a Security Fabric group that
includes it and the FortiAnalyzer. You also authorize FGT-DC as a member of the Security Fabric
group. For this exercise, FGT-DC is pre-configured as a downstream Security Fabric device.

Tasks

1. Click Security Fabric > Fabric Connectors. Under Core Network Security, select Security
Fabric Setup and then click Edit.

2. Under Security Fabric Settings, set Status to Enabled.

3. Set Security Fabric role to Serve as Fabric Root.

4. Set Fabric name to Office Fabric.

5. Allow other Security Fabric devices to join shows the interfaces that allow access using
the Security Fabric Connection protocol. This includes the two interfaces connecting to
FGT-ISFW and FGT-DC, as well as the interface Management Network, which connects
to the network containing the FortiAnalyzer.

6. Click OK.

7. The connector is now red.


8. On the right side of the screen, under Topology, is a message asking you to authorize a
device listed as FGVM01TM19002140. This is the serial number of FGT-DC. Click the
device and select Authorize to add FGT-DC to the Security Fabric.

9. Click Security Fabric > Logical Topology. The topology displays the Security Fabric,
including both FortiGate devices and FortiAnalyzer (the yellow icon in the box in the
lower left corner represents the FortiAnalyzer).
Index: 8.0 (c)
Use Case: Setting up a Fortinet Security Fabric
Objective Title: Pre-Authorize FGT-ISFW and Add it to the Security Fabric
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Pre-Authorize FGT-ISFW and Add it to the Security Fabric

Background
In this exercise, you pre-authorize FGT-ISFW as a Security Fabric device and then create a
Security Fabric connector on FGT-ISFW.

Pre-authorization simplifies the process of adding new FortiGate devices to a Security Fabric.

Tasks

1. Return to the FGT-EDGE.

2. Click Security Fabric > Fabric Connectors, select Security Fabric Setup, and click Edit.

3. Beside Pre-authorized devices, click Edit.

4. In the right-hand window, FGT-DC is listed as an authorized device. Below FGT-DC, click
+ to add FGT-ISFW.

5. Set Serial Number to FGVM01TM19002141 (the serial number of FGT-ISFW) and leave
Action set to Accept.
6. Click OK.

7. Click OK to save the Fabric connector.

8. Return to the Lab Activity Tab. Click FGT-ISFW in the sidebar menu under the Core
group, and then click on the HTTPS option to access the FGT-ISFW device. Log in using
username admin and password Fortinet1!

9. Click Security Fabric > Fabric Connectors. Select Security Fabric Setup and then click
Edit.

10. Under Security Fabric Settings, set Status to Enabled.

11. Set Security Fabric role to Join Existing Fabric.

12. Set Upstream FortiGate IP to 10.10.30.14, the IP address of port 4 on FGT-EDGE,
which connects to FGT-ISFW.

13. Set SAML Single Sign-On to Manual.

14. Click OK.

15. Return to the FGT-EDGE.

16. Click Security Fabric > Logical Topology. The topology displays all three FortiGate
devices.
Index: 8.0 (d)
Use Case: Setting up a Fortinet Security Fabric
Objective Title: Authorize the FortiGate Devices on FortiAnalyzer
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Authorize the FortiGate Devices on FortiAnalyzer

Background

In this exercise, you authorize the FortiGate devices on the FortiAnalyzer so that the
FortiAnalyzer will accept logs sent from these devices.

Tasks
For this objective, we will be working on the FortiAnalyzer.

1. Return to the Lab Activity Tab. Click FortiAnalyzer in the sidebar menu under the Data
Center group, and then click on the HTTPS option. Log in with the username admin and
the password Fortinet1!

2. In Select an ADOM, click root (3) Fabric.

3. Click Device Manager and click 3 Devices Unauthorized.

4. Select the devices and click Authorize.

5. Set Add the following device(s) to ADOM to root.

6. Click OK.

7. When the authorization process is complete, click Close.

8. The devices are now on the list of authorized devices.


9. Return to the FGT-EDGE.

10. Click Security Fabric > Fabric Connectors. The FortiAnalyzer Logging connector has a
green arrow, showing that it is connected.

Stop and Think


True or false: you can pre-authorize a FortiGate device on the FortiAnalyzer before you
configure the FortiGate log settings?

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer
True. From Device Manager on the FortiAnalyzer, you can click Add Device and enter
information about a FortiGate to pre-authorize it before configuring the FortiGate log settings.

Answer Key:
✔ 1. True
✘ 2. False
Index: 8.0 (e)
Use Case: Setting up a Fortinet Security Fabric
Objective Title: Learn More About the Fortinet Security Fabric
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Learn More About the Fortinet Security Fabric

If you would like to learn more about the Fortinet Security Fabric, ask your instructor about the
Creating a Comprehensive Fortinet Security Fabric course offered by the Fast Track Program.
Today’s new world of networking requires a new approach to security that can do the
following: simply, yet intelligently, secure the entire infrastructure; deliver full visibility into
every viable network segment and the devices and endpoints behind them; and seamlessly
integrate with third-party solutions, enabling users to ubiquitously collect, share, and correlate
threat intelligence.

In this workshop, participants learn about the Fortinet Security Fabric, the first ever
architectural security approach designed to dynamically adapt to today’s evolving IT
infrastructure. This multi-layered approach provides broad, integrated, and automated
protection against sophisticated threats.

Participants who attend this workshop will learn how to:

• Introduce the Fortinet Security Fabric and the main business drivers
• Detail specific components that make up the Security Fabric
• Build a comprehensive solution to prevent, detect and respond to security incidents
using the broad, integrated, and automated approach
Index: 9.0
Use Case: Conclusion
Objective Title: New Objective
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

You have successfully completed the Getting Started with the FortiGate Firewall
Hands-On Lab

Thank You

To get more information on this or other Fortinet solutions, please consider
looking at the NSE Training from Fortinet: https://training.fortinet.com/.

If you would like to learn more about the FortiGate, ask your instructor about the
following available workshops from the Fast Track Program:

• Creating a Comprehensive Fortinet Security Fabric
• Constructing a Secure SD-WAN Architecture
• What’s New in FortiOS?
• Fortifying the Enterprise Network (NGFW Solution)
• Fortinet Teleworker Solution Engineered for Remote and Secure Productivity
• SD-Branch: Securing Your Ethernet Switching Infrastructure with FortiSwitch, FortiAP,
and FortiLink
• Attack and Defense Methodologies
• Cybersecurity for Safe, Reliable, Secure Industrial Control Systems (ICS)
• Security, Visibility, and Control of Public Cloud Infrastructure and Workloads
