Fortigate

• Fortinet.

• An American multinational corporation headquartered in California.


• It develops and markets cybersecurity software, appliances and services, such as firewalls, anti-virus,
intrusion prevention and endpoint security.
• Was founded in 2000 by brothers Ken and Michael.
• The company's first product was FortiGate, a firewall, later adding wireless access points, sandboxing, and
messaging security.
• The company went public in November 2009, raising $156 million through an initial public offering.

• Fortinet FortiGate Features:


• Static and Dynamic Routing (OSPF, RIP, ...)
• Security Policies
• NAT
• SSL Decryption/Inspection
• UTM (Anti-Virus, IPS, Application Control, Web Filter, Endpoint Control)
• Integration with active directory and two Factor Authentication
• File Blocking
• Email Filter
• Client RAVPN
• Site to Site VPN
• Traffic Shaping

• Lab topology.

Firewalls Page 1
• Basic configuration.
• Edit the VM settings: one CPU and 1 GB RAM.
• Default username admin, no password.
• # config system interface
• # edit port1
• # set mode static
• # set ip 60.0.0.100 255.0.0.0 (the default is 192.168.1.99)
• # set allowaccess http https ping telnet
• # end
• # execute ping 60.0.0.200
• Then open a browser at http://60.0.0.100
• To get the system serial number:
• # get system status
• To change the host name, system time, password policy, ...
• System, Settings, ...
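The lab steps above open HTTP and Telnet management on port1, which carry the admin credentials in clear text. The following is an added example (not from these notes) of how a practitioner would tighten the management plane from the CLI: encrypted protocols only, admin logins pinned to a trusted subnet, the GUI moved off 443, and the password policy the notes mention under System, Settings. The interface port1, the admin subnet 30.0.0.0/8, port 8443 and the policy values are assumptions for the lab.

```fortios
# Added example: management-plane hardening for the lab FortiGate (not part of the notes).
# Assumptions: port1 is the management interface, 30.0.0.0/8 is the admin network.

# 1. Allow only encrypted management protocols (plus ping for reachability tests).
config system interface
    edit "port1"
        set allowaccess https ssh ping
    next
end

# 2. Limit where the built-in admin account may log in from.
#    Make sure your current session comes from this range before applying it.
config system admin
    edit "admin"
        set trusthost1 30.0.0.0 255.0.0.0
    next
end

# 3. Move the admin GUI off 443 (which SSL VPN also wants) and shorten idle sessions.
config system global
    set admin-sport 8443
    set admintimeout 10
end

# 4. Password policy for administrators (GUI equivalent: System, Settings).
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 12
    set min-upper-case-letter 1
    set min-lower-case-letter 1
    set min-number 1
    set min-non-alphanumeric 1
    set expire-status enable
    set expire-day 90
end
```

After this the GUI answers on https://60.0.0.100:8443 and SSH on 22; console access is unaffected by trusthost, so a mistake in the trusted subnet can still be corrected locally.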

• Inspection Modes.
• Proxy
• Proxy inspection buffers the traffic and examines it as a whole before deciding on an action.
• Having the complete data available for analysis allows more points of data to be examined than with
the flow-based method.
• Flow-based
• As each packet of the traffic arrives it is processed and forwarded without waiting for the complete file or
web page.
• This inspection method examines the file as it passes through the FortiGate unit without any buffering.

• NGFW Modes:
• Flow-based mode.
- Admin must create an application or web profile, then link it to the policy.
• Policy-based mode.
- You can add applications and web filtering categories directly to a policy without having to first create and
configure Application Control or Web Filtering profiles.
• To change the default admin password.
• System, Administrators,
• To reset a lost admin password.
• First, shut down the firewall.
• Log in to the console within 60 seconds with the username "maintainer" and the password "bcpb" followed by the device serial number
• # config system admin
• # edit admin
• # set password the-password
• # end
• # exit
• After logging in with the new password: # execute reboot
• To configure admin profiles.
• System, Admin profiles

• Interfaces.
• To configure interfaces.
• Network, interfaces
• Interface types:
• Aggregate Interfaces
- Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an
aggregated (combined) link.
- This new link has the bandwidth of all the links combined.
- If a link in the group fails, traffic is transferred automatically to the remaining interfaces with the only
noticeable effect being a reduced bandwidth.
- Support of the IEEE standard 802.3ad for link aggregation is available on some models.
- An interface is available to be an aggregate interface if:
it is a physical interface, not a VLAN interface or subinterface
it is not already part of an aggregate or redundant interface
it is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs
it does not have an IP address and is not configured for DHCP or PPPoE
it is not referenced in any security policy, VIP, IP Pool or multicast policy
it is not an HA heartbeat interface
• Redundant interfaces
- Traffic is only going over one interface at any time.
- This differs from an aggregated interface where traffic is going over all interfaces for distribution of
increased bandwidth.
- An interface is available to be in a redundant interface if:
it is a physical interface, not a VLAN interface
it is not already part of an aggregated or redundant interface
it is in the same VDOM as the redundant interface
it has no defined IP address
is not configured for DHCP or PPPoE
it has no DHCP server or relay configured on it
it does not have any VLAN subinterfaces
it is not referenced in any security policy, VIP, or multicast policy
it is not monitored by HA
• Loopback interfaces.
- A logical interface that is always up (no physical link dependency).
- The attached subnet is always present in the routing table.
• VLAN interface (Sub-interface)
- To configure a sub-interface.
- Network, interfaces, Create New, Interface
Name: Guest
Type: VLAN
VLAN ID: 7
IP: Manual, 10.0.0.100/255.0.0.0
PING
ok
- When 2 or more VLANs are configured on one interface, they must be separated by zoning.
- The switch interface connected to the firewall must be a trunk configured with 802.1Q tagging.
• Software switch.
- A virtual switch that is implemented at the software, or firmware level, rather than the hardware level.
- Can be used to simplify communication between devices connected to different FortiGate interfaces.
- You can place the FortiGate interface connected to an internal network on the same subnet as your wireless
interfaces.
- Similar to a hardware switch, a software switch functions like a single interface.
- A software switch has one IP address; all of the interfaces in the software switch are on the same subnet.
- Traffic between devices connected to the member interfaces is not regulated by security policies.
- To create a software switch interface
System > Network > Interface and select Create New.
Type: Software Switch.
In the Physical Interface Members option, select the interfaces to include.
Configure the remaining interface settings
Select OK.
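The interface types described above, built from the CLI, as an added example that is not part of the notes. Interface names port3 to port8 and the addresses are lab assumptions; the member ports must meet the eligibility rules listed above (no IP, not referenced by a policy, same VDOM).

```fortios
# Added example (not from the notes): aggregate, redundant, loopback and software switch interfaces.
# Assumptions: port3..port8 are free physical ports in the root VDOM; addresses are lab values.

config system interface
    # 802.3ad aggregate: all members forward; the link survives a single member failure
    # with reduced bandwidth.
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "port3" "port4"
        set lacp-mode active
        set ip 10.1.0.1 255.255.255.0
        set allowaccess ping
    next
    # Redundant pair: only one member carries traffic at any time.
    edit "red1"
        set vdom "root"
        set type redundant
        set member "port5" "port6"
        set ip 10.2.0.1 255.255.255.0
        set allowaccess ping
    next
    # Loopback: always up, so its /32 is always in the routing table; a stable
    # address for management, SNMP or routing-protocol peering.
    edit "lo0"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping https
    next
end

# Software switch: member ports become one L2 segment with one IP address.
# Traffic between members is NOT subject to firewall policy, so only group
# ports that belong to the same trust level.
config system switch-interface
    edit "sw1"
        set vdom "root"
        set member "port7" "port8"
    next
end
config system interface
    edit "sw1"
        set ip 10.3.0.1 255.255.255.0
        set allowaccess ping
    next
end
```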

• Zone.
• Zones are a mechanism that was created to help in the administration of the firewalls.
• Zones provide the option of logically grouping multiple virtual and physical FortiGate firewall interfaces.
• The zones can then be used to apply security policies to control the incoming and outgoing traffic on those
interfaces.
• This helps to keep the administration of the firewall simple and maintain consistency.
• To separate sub-interfaces on the same physical interface from each other, place each one in its own zone.
• System, Network, interfaces, Create New zone,
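The VLAN sub-interface and zone steps above, done from the CLI and carried one step further to the policy that references the zone. This is an added example, not configuration from the notes; port2 (facing the trunk), port1 (WAN), the Staff VLAN and all addresses are assumptions.

```fortios
# Added example: two 802.1Q sub-interfaces on port2, each in its own zone (not from the notes).
# Assumptions: port2 is connected to a trunk switch port, port1 is the WAN; addresses are lab values.
config system interface
    edit "Guest"
        set vdom "root"
        set ip 10.0.0.100 255.0.0.0
        set allowaccess ping
        set interface "port2"
        set vlanid 7
    next
    edit "Staff"
        set vdom "root"
        set ip 10.7.0.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 8
    next
end

# Zones group interfaces for policy purposes. With intrazone deny, members of the
# same zone also need an explicit policy to talk to each other.
config system zone
    edit "Guest-Zone"
        set intrazone deny
        set interface "Guest"
    next
    edit "Staff-Zone"
        set intrazone deny
        set interface "Staff"
    next
end

# Policies reference the zone, not the VLAN interface. Guests get web and DNS only;
# there is no Guest-Zone to Staff-Zone policy, so that traffic hits the implicit deny.
config firewall policy
    edit 11
        set name "Guest-to-WAN"
        set srcintf "Guest-Zone"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set logtraffic all
        set nat enable
    next
end
```

Once an interface is a zone member, policies can no longer name the interface directly, only the zone; plan the zone layout before writing policies.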

• To configure DNS.
• Network, DNS

• To run DHCP Service on an interface or sub-interface.


• Network, interfaces, Edit an interface, Enable DHCP server
• For monitoring DHCP events.
• Monitor, DHCP Monitor

• To authenticate a user on an interface before any access.


• Create a group.
• User & Device, User Groups, Create New, Name: Local-G1, Type: Firewall
• Then create a user and link it to the group.
• User & Device, User Definition, Create New
Local User, Next, type username and password, Next, Next, Enable and select the group: Local-G1
• Enable Captive portal on a specific interface for this group.
• System, Network, Interfaces, Edit an interface, Security Mode: Captive Portal, Local, Restricted to Groups,
Local-G1
• To create a guest group for guest users who can access the network for a limited time.
User & Device, User, User Groups, Create New
Name: Guest-G1
Type: Guest, UserID: Email (so the user enters their email address as the username)
Password: Auto-Generate or specify
Start Countdown:
- On Account Creation or After First login, then define the expiry time
Deselect Enable Sponsor - company, ok
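The local user, firewall group, guest group and captive portal described above, as an added CLI example that is not from the notes. The user "alice", the interface port2 and the 4-hour guest expiry are assumptions; the password is a placeholder.

```fortios
# Added example: local user, firewall group, guest group and captive portal (not from the notes).
# Assumptions: port2 is the user-facing interface; the password is a placeholder to replace.
config user local
    edit "alice"
        set type password
        set passwd "<replace-with-a-real-password>"
    next
end

config user group
    # Firewall group used by the captive portal and by identity-based policies.
    edit "Local-G1"
        set member "alice"
    next
    # Guest group: accounts are created from Guest Management, identified by e-mail,
    # with an auto-generated password. The countdown starts at the first successful
    # login and the account expires 14400 s (4 h) later.
    edit "Guest-G1"
        set group-type guest
        set user-id email
        set password auto-generate
        set expire-type first-successful-login
        set expire 14400
        set sponsor disabled
    next
end

# Captive portal on the interface: nothing passes port2 until the user has
# authenticated as a member of Local-G1.
config system interface
    edit "port2"
        set security-mode captive-portal
        set security-groups "Local-G1"
    next
end
```

`diagnose firewall auth list` shows who is currently authenticated (the CLI counterpart of Monitor, Firewall User Monitor) and `diagnose firewall auth clear` is the forced de-authentication mentioned further down.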

• To create a guest account member of that guest group.


• User & Device, User, Guest Management, Select the Guest Group, Create New, ..., ok
• Account will be generated and ready to be sent to the user via e-mail

• To Force user De-authentication.


• Monitor, Firewall User Monitor, ~ a user, De-authenticate
• ---------------------------------------------------------------------------------------------------------------------
• Routing.
• To add a static route.
• Network, Static Routes, Create new, specify the destination, next hop address, outgoing interface
• 0.0.0.0/0.0.0.0 for the default route, with the ISP IP as the next hop.
• To configure OSPF routing.
• Configure OSPF.
• Network, OSPF, in the Router ID type the firewall IP facing the router, Apply
• Area, create new, for area 0 type 0.0.0.0, ok
• In Networks define the networks that will be advertised: 30.0.0.0/8, 60.0.0.0/8
• To advertise static routes or routes from other routing protocols in OSPF updates.
• Network, OSPF, Advanced options, Redistribute, static
• O*E2 means that this OSPF route was learned from another routing source and then injected into OSPF updates.
• To advertise the default route in OSPF updates.
• Network, OSPF, Advanced options, Inject Default Route, Always
• To view routing table.
• Monitor, Routing Monitor
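The routing steps above as one CLI example: a default static route, OSPF area 0 with the two advertised networks, redistribution of static routes and default-route origination, followed by the commands used to verify the result. This is an added example, not from the notes; the ISP gateway 60.0.0.1 and the interface port1 are assumptions.

```fortios
# Added example: static default route plus OSPF (not from the notes).
# Assumptions: port1 faces the ISP at 60.0.0.1; router-id reuses the port1 address.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 60.0.0.1
        set device "port1"
    next
end

config router ospf
    set router-id 60.0.0.100
    config area
        edit 0.0.0.0
        next
    end
    # Networks that fall inside these prefixes are advertised into area 0.
    config network
        edit 1
            set prefix 30.0.0.0 255.0.0.0
            set area 0.0.0.0
        next
        edit 2
            set prefix 60.0.0.0 255.0.0.0
            set area 0.0.0.0
        next
    end
    # Static routes appear on neighbours as O*E2 / OE2 external routes.
    config redistribute "static"
        set status enable
    end
    # "Always" originates 0.0.0.0/0 even if this unit has no default route itself.
    set default-information-originate always
end

# Verification (GUI: Monitor, Routing Monitor).
get router info ospf neighbor
get router info routing-table all
```

Redistributing a default route with `always` into an area where other routers also originate one can pull traffic to the wrong exit; check the neighbour output before enabling it on more than one unit.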

• To back up, Restore, Shutdown or Restart the firewall.


• At the top most right area in the browser, click Admin, Configuration, Backup, LocalPC, Backup.
(you can protect the file with a password)
• The FortiGate configuration revision option enables the user to maintain multiple versions of the
configuration file on the device
• To upgrade the firmware.
• System, Firmware version, update, browse,

• NAT.
• PAT.
• Edit the access policy, Use Outgoing Interface Address: this is the PAT configuration
• For a test.
Try telnet or HTTP to a remote firewall, then go to that firewall: Dashboard, Status, Administrators
• To view the NAT table
get system session list
• Dynamic NAT
• Policy & Objects, IP Pools, add, Type: Overload for Dynamic NAT
• Static NAT
• Policy & Objects, IP Pools, add, Type: One-to-One for static outgoing NAT
• In the access policy, when the source is the internal IP and the destination is all, select NAT with this pool

• To publish a service as web.


- Policy and Objects, virtual IPs, create new, Virtual IP,
- In interfaces choose the external interface
- In the external ip type our public ip
- In the mapped ip address type the server internal ip.
- Then choose the protocol and external and mapped (internal) port number, or press OK for all protocols.

- Then create a policy to allow external users to access that external port.
- Source interface: the external interface
- Destination interface: internal interface
- Source address: all
- Destination address: the created virtual IP.
- Choose the protocol, for example HTTP, and turn off NAT.
If, for example, the VIP listens on port 8080 on the external interface and maps it to port 80, the policy must permit
port 80 (the mapped port), not 8080.
- To monitor connections.
- FortiView, All Sessions
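The NAT section and the VIP section above, done from the CLI in one added example (not the notes' own configuration): a one-to-one pool for the server, an overload pool for a guest subnet, plain PAT for everyone else, and the port-forwarding VIP with its inbound policy. Interface roles (port1 external at 60.0.0.100, port2 internal), the server 30.0.0.10, the guest subnet 10.0.0.0/8 and the pool ranges are assumptions.

```fortios
# Added example: outbound NAT variants and an inbound VIP (not from the notes).
# Assumptions: port1 = external (60.0.0.100), port2 = internal, web server 30.0.0.10.
config firewall ippool
    edit "Pool-Static"
        set type one-to-one
        set startip 60.0.0.30
        set endip 60.0.0.30
    next
    edit "Pool-Dyn"
        set type overload
        set startip 60.0.0.10
        set endip 60.0.0.20
    next
end
config firewall address
    edit "Srv-30.0.0.10"
        set subnet 30.0.0.10 255.255.255.255
    next
    edit "Guest-net"
        set subnet 10.0.0.0 255.0.0.0
    next
end

# Policies are evaluated top-down, first match wins, so the specific rules are
# created before the catch-all PAT rule.
config firewall policy
    edit 1
        set name "Srv-out-static-NAT"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Srv-30.0.0.10"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Pool-Static"
    next
    edit 2
        set name "Guest-out-dynamic-NAT"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Guest-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Pool-Dyn"
    next
    # PAT: NAT enabled with no pool rewrites the source to port1's own address.
    edit 3
        set name "LAN-out-PAT"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Publish the internal web server: external 8080 -> internal 80.
config firewall vip
    edit "Web-VIP"
        set extip 60.0.0.100
        set extintf "port1"
        set portforward enable
        set mappedip "30.0.0.10"
        set extport 8080
        set mappedport 80
    next
end
# The policy matches on the mapped port (HTTP = 80), not on 8080, and leaves NAT off
# so the server sees the real client address in its logs.
config firewall policy
    edit 4
        set name "Inbound-Web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Web-VIP"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
        set nat disable
    next
end

# Session table for the published service (GUI: FortiView, All Sessions).
diagnose sys session filter dport 8080
diagnose sys session list
diagnose sys session filter clear
```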
----------------------------------------------------------------------------------------------------------------
• Objects.
• To add object of ip or ip range.
• Policy & Objects, Addresses, create new, in subnet / ip range type the ip/mask
• You can add an address group to hold multiple addresses
• To add object of a service.
• Policy & Objects, Objects, services, create new
• Also you can create a schedule.
• Policy & Objects, Objects, services, create new

• Access Policy.
• If the Implicit Firewall Policies feature is disabled, all traffic is allowed by default.
• By default, all traffic is denied between networks connected to the firewall (the default policy).
• Ensure that the Implicit Firewall Policies feature is enabled.
• System, Feature Visibility, Implicit Firewall Policies
• Policy & Objects, IPv4 Policy, Create new
• Specify the Src interface(s), Src address (click Create to create an object), Dst interface(s), Dst address, service
In logging options choose All sessions
• To monitor a policy and view active sessions.
• Log & Report, Forward Traffic,
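The objects and access policy sections above as one added CLI example (not from the notes): an address, an address group, a custom service and a recurring schedule, all consumed by a single policy that logs every session. Names, addresses, the port 8443 and the interface roles are assumptions.

```fortios
# Added example: firewall objects and a fully specified, logged policy (not from the notes).
# Assumptions: port2 = internal, port1 = WAN; object names and values are lab choices.
config firewall address
    edit "Local-net"
        set subnet 30.0.0.0 255.0.0.0
    next
    edit "Mgmt-host"
        set subnet 30.0.0.50 255.255.255.255
    next
end
config firewall addrgrp
    edit "Internal-Group"
        set member "Local-net" "Mgmt-host"
    next
end
config firewall service custom
    edit "TCP-8443"
        set tcp-portrange 8443
    next
end
config firewall schedule recurring
    edit "Work-hours"
        set start 08:00
        set end 18:00
        set day monday tuesday wednesday thursday friday
    next
end

# Every field the GUI asks for, spelled out; logtraffic all = "All sessions".
config firewall policy
    edit 30
        set name "Internal-to-WAN-workhours"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Internal-Group"
        set dstaddr "all"
        set action accept
        set schedule "Work-hours"
        set service "HTTP" "HTTPS" "DNS" "TCP-8443"
        set logtraffic all
        set nat enable
    next
end

# Read the forward-traffic log from the CLI (GUI: Log & Report, Forward Traffic).
execute log filter category 0
execute log display
```

Anything outside Work-hours, or any service not listed, falls through to the implicit deny; with logging enabled on the implicit policy those drops are what tell you which rule is missing.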
• Learning Mode.

• When you set the action in a security policy to the LEARN mode, you'll accept and monitor all traffic on the
policy.
• Then, you can view an assessment report to understand how your security policies are being used in detail.
• To decide which traffic you need to block, you have to monitor all the traffic.
• All security profiles will be disabled automatically on the policy when it is in learning mode.
• To view the logging report.
• Log&Report, Logging Report, Report Summary or table of contents, user productivity, web usage


• Filtering based on user devices or endpoints used (BYOD).
• Allows users to bring their own mobile devices.
• Can be enabled per interface; the devices of users connected to that interface must then be defined.
• Edit an interface: Network, Interfaces, Networked Devices, Device Detection
• To view discovered devices.
• User & device, Device Inventory.
• To view device group for detected devices.
• User & device, Custom Devices & Groups, .
• To create a new group that include more groups: Create New
• To control the discovered devices to allow or block.
• Edit a policy, in source Device Type select a default group or your created group.

• Web Filtering.
• Ensure that these features are enabled: System, Feature Visibility, Web Filter
• To create a web filter profile.
• Security Profiles, Web Filter, + to add a new one
• Categories can be used if a license exists
• To use manual static URLs.
• Under Static URL Filter, Enable URL Filter, Create
• To configure the action for each category or sub-category.
• Security Profiles, Web Filter, FortiGuard Categories, ~ a category or a sub-category and choose an action
• To find the category and the action for a specific URL.
• System, FortiGuard, Request re-evaluation of a URL's category
• To link this profile to the firewall policy.
• Edit the policy, enable Web Filter and choose the profile.
• Enabling the web filter also enables the proxy option, so HTTPS sites will show a security error message
if HTTPS inspection is not enabled on the firewall.
• To log user sessions.
• System, Feature Visibility, Local Reports
• Log & Report, Forward Traffic

• HTTPS inspection.
• Enabled by default when web filter, antivirus or application filter is enabled.
• First turn off Web Filter and SSL/SSH Inspection in the policies.
• Enable the certificate feature.
• System, Feature Visibility, Certificates
• To configure and export the firewall certificate.
• System, Certificates, Local CA Certificates, choose the local self-signed certificate called
Fortinet_CA_SSL, Download
• Then import this certificate into the user's Trusted Root Certification Authorities store, or
in the browser: Advanced, Encryption, Authorities, Import, Trust this CA to identify web sites
• To configure the SSL inspection profile.
• Security Profiles, SSL/SSH Inspection,
use an existing profile such as deep-inspection or click + to add a new profile ssl_prof1

• Enable SSL Inspection of:
- Multiple Clients Connecting to Multiple Servers
Use this option for generic policies where the destination is unknown.
- Protecting SSL Server
Use this option when setting up a profile customized for a specific SSL server with a specific certificate.
• Inspection Method
- SSL Certificate Inspection
Only inspects the certificate, not the contents of the traffic.
- Full SSL Inspection
Inspects all of the traffic.
• HTTPS
- Exempt from SSL Inspection: to choose categories exempted from SSL decryption
- Allow Invalid SSL Certificates (check the box to let traffic with an invalid certificate pass)
- Apply
• To link that SSL profile to the security policy
• Edit the Security Policy, Security Profiles, SSL/SSH Inspection, select deep-inspection or ssl_prof1
• Also select a web profile
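The web filter and HTTPS inspection sections above, as one added CLI example that is not from the notes: a static URL filter table, a web filter profile that uses it, a deep-inspection SSL/SSH profile that re-signs with Fortinet_CA_SSL and exempts one FortiGuard category, and the policy edit that attaches all security profiles. The URLs, the profile names, the exempted category number 31 (Finance and Banking in the FortiGuard list, an assumption to check on your firmware) and the use of the "default" AV, IPS and application profiles are assumptions.

```fortios
# Added example: URL filter + web filter profile + deep SSL inspection on a policy (not from the notes).
# Assumptions: policy 1 already exists; profile names and URLs are lab choices.
config webfilter urlfilter
    edit 1
        set name "Static-URLs"
        config entries
            edit 1
                set url "example.com"
                set type simple
                set action block
            next
            edit 2
                set url "*.example.net"
                set type wildcard
                set action allow
            next
        end
    next
end
config webfilter profile
    edit "wf-prof1"
        config web
            set urlfilter-table 1
        end
        # Per-category actions live under "config ftgd-wf" and need a FortiGuard license.
    next
end

# Deep inspection: the FortiGate terminates TLS, re-signs the server certificate
# with Fortinet_CA_SSL (which clients must trust, see above) and inspects the content.
config firewall ssl-ssh-profile
    edit "ssl_prof1"
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        config https
            set ports 443
            set status deep-inspection
        end
        # Exempt a sensitive category from decryption (31 = Finance and Banking, assumption).
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
        end
    next
end

# Attach the profiles. utm-status must be enabled or none of them apply.
config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "ssl_prof1"
        set webfilter-profile "wf-prof1"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
    next
end
```

Two things to expect once this is live: clients that do not trust Fortinet_CA_SSL will see certificate errors on every HTTPS site, and applications that pin their server certificate will fail regardless; both are reasons to keep the exemption list under review rather than to enable "Allow Invalid SSL Certificates".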

• Antivirus within a policy.


• Ensure that anti-virus feature is enabled.
• System, Feature Visibility, Anti Virus
• Create an anti virus profile.
• Security Profiles, Antivirus, edit the default or + to create one, Full, Block, Apply
- FortiGuard virus outbreak prevention.
▪ Allows the FortiGate antivirus database to be supplemented with third-party malware hash signatures curated by
FortiGuard.
▪ Uses checksums to filter files in order to detect and prevent fast-moving virus outbreaks.
▪ It usually takes at least a few hours for FortiGuard to develop and push signatures, and a virus
outbreak can do a lot of damage within that time period.
▪ This method proves quite effective using hash values of probable virus files.
▪ The hash signatures are obtained from external sources such as VirusTotal, Symantec, Kaspersky, and other
third-party websites and services.
▪ This feature provides the mechanism for antivirus to query FortiGuard with the hash of a scanned file.
▪ If FortiGuard returns a match from its many curated signature sources, the scanned file is deemed to be
malicious.
▪ The feature requires a license
System, FortiGuard, Outbreak Prevention
• To link this profile to the firewall policy.
• Edit the policy, enable Antivirus, choose the profile.
• For a malware test file, visit eicar.org and download the anti-malware test file.

• IPS inspection.
• Ensure that IPS feature is enabled.
• System, Feature Visibility, Intrusion Protection
• View IPS Signatures to view signatures of a profile
• To create a new profile.
• Security Profiles, Intrusion Protection, + to create a new one,
• Then edit a policy and link that IPS profile.
• For monitoring.
• Log & Report, Intrusion Prevention

• Blocking a specific application.


• Blocking micro applications like Facebook games, chat, videos may require https decryption.
• Ensure that application control feature is enabled.
• System, Feature Visibility, application control
• Security Profiles, Application Control, + to create a new application policy; all categories are shown and
you can configure the action for each one.
• Press Add Signatures to choose a micro application: Add Filter, Name, select the micro application(s), for example
AnyDesk
• Edit a policy, in Application Control select that policy.
• -----------------------------------------------------------------------------------------------------------
• Linking Fortigate firewall with active directory for user authentication.
• Add AD server to the firewall.
• User & Device, LDAP Servers, Create New
Name: AD
Server IP: 30.0.0.8
Server Port: 389
Common Name Identifier: sAMAccountName
Distinguished Name: DC=test,DC=local
Bind Type: Regular [email protected] then type the password
Test, Ok
• Define the AD groups that will be used in policies.
• User & Device, User, User Groups, Create New
Name: Group1
Type: Firewall
Under Remote Groups , Add, AD, ~ a group, Add Selected
• To filter based on user identity (Active Authentication: user will enter username and password).
• Edit a policy, in Source user select Group1,
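The AD integration above from the CLI, as an added example that is not from the notes. It shows the server exactly as the notes define it (simple bind over TCP/389, where the bind password and each authenticating user's password cross the wire unencrypted) next to an LDAPS variant, then the remote-group match and an identity-based policy. The bind account, the CA certificate name and the DN "CN=Group1,CN=Users,DC=test,DC=local" are placeholders and assumptions about a default AD layout.

```fortios
# Added example: LDAP server, group match and identity-based policy (not from the notes).
# Assumptions: bind credentials and CA cert name are placeholders; the group DN is a guess.
config user ldap
    # As in the notes: simple bind over 389. Passwords travel in clear text on the wire.
    edit "AD"
        set server "30.0.0.8"
        set port 389
        set cnid "sAMAccountName"
        set dn "DC=test,DC=local"
        set type regular
        set username "<bind-account>@test.local"
        set password "<bind-password>"
    next
    # Hardened variant: LDAPS, validated against the domain CA imported under
    # System, Certificates, Import CA Certificates.
    edit "AD-LDAPS"
        set server "30.0.0.8"
        set secure ldaps
        set port 636
        set ca-cert "<imported-domain-CA-name>"
        set cnid "sAMAccountName"
        set dn "DC=test,DC=local"
        set type regular
        set username "<bind-account>@test.local"
        set password "<bind-password>"
    next
end

# Firewall group whose members are resolved remotely: a user belongs to Group1
# if the LDAP server reports membership of the matching AD group.
config user group
    edit "Group1"
        set member "AD-LDAPS"
        config match
            edit 1
                set server-name "AD-LDAPS"
                set group-name "CN=Group1,CN=Users,DC=test,DC=local"
            next
        end
    next
end

# Active authentication: the policy only matches once the user has logged in
# and been placed in Group1.
config firewall policy
    edit 60
        set name "Group1-to-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "Group1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

# Test the bind and a user lookup before depending on the policy.
diagnose test authserver ldap AD-LDAPS <username> <password>
```

If the test succeeds but the policy never matches, the usual cause is the group DN: the value must be the full distinguished name of the AD group as the server returns it, not just its name.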

• VPN.
• VPN site2site.
• Ensure that VPN feature is enabled.
• System, Feature Visibility, VPN
• VPN, IPSec Tunnel Templates, click a template, view to view its details that must be configured on the other
side.
• To create a vpn tunnel.
• VPN, IPSec Tunnels, Create New, type a name Site2, Site to Site, Fortigate, No NAT between sites
• IP Address: 60.0.0.150
• Outgoing Interface: outside
• Authentication Method: pre-shared key, type the key, Next

• Local Interface: inside


• Local Subnets: 30.0.0.0/8
• Remote Subnets: 20.0.0.0/8
• Internet Access: None
• The Share WAN option allows the remote subnet to browse the Internet via this FortiGate.
• The Force to use remote WAN option will send all Internet browsing traffic to the remote VPN gateway.
• The remote gateway must be configured with the Share WAN option enabled.
• An access policy will be created automatically to allow access between the two sites' networks.
• To control - Edit or Delete current Tunnels.
• VPN, IPSec Tunnels
• For Monitoring.
• Monitor, IPSec Monitor
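The site-to-site tunnel above written out as a route-based IPsec configuration, an added example that is not from the notes and does not rely on the wizard. The interface names "outside" and "inside" follow the notes; IKEv2, the AES-256/SHA-256 proposal, DH group 14, the blackhole backup route and the pre-shared-key placeholder are assumptions.

```fortios
# Added example: route-based IPsec site-to-site tunnel (not from the notes).
# Assumptions: WAN interface "outside", LAN "inside", peer gateway 60.0.0.150, PSK is a placeholder.
config vpn ipsec phase1-interface
    edit "Site2"
        set interface "outside"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 60.0.0.150
        set psksecret "<long-random-pre-shared-key>"
    next
end
config vpn ipsec phase2-interface
    edit "Site2"
        set phase1name "Site2"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 30.0.0.0 255.0.0.0
        set dst-subnet 20.0.0.0 255.0.0.0
    next
end

# Send the remote subnet into the tunnel interface. The blackhole route with a
# worse distance keeps that traffic from leaking out the default route while
# the tunnel is down.
config router static
    edit 10
        set dst 20.0.0.0 255.0.0.0
        set device "Site2"
    next
    edit 11
        set dst 20.0.0.0 255.0.0.0
        set blackhole enable
        set distance 254
    next
end

config firewall address
    edit "Local-net"
        set subnet 30.0.0.0 255.0.0.0
    next
    edit "Site2-net"
        set subnet 20.0.0.0 255.0.0.0
    next
end
# One policy per direction, no NAT between the sites.
config firewall policy
    edit 40
        set name "inside-to-Site2"
        set srcintf "inside"
        set dstintf "Site2"
        set srcaddr "Local-net"
        set dstaddr "Site2-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 41
        set name "Site2-to-inside"
        set srcintf "Site2"
        set dstintf "inside"
        set srcaddr "Site2-net"
        set dstaddr "Local-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Verification (GUI: Monitor, IPsec Monitor).
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

The peer must mirror the proposals, DH group, subnets (swapped) and key; a phase 1 that stays down with a mismatched proposal shows up in `diagnose debug application ike -1` output on either side.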
• SSL RAVPN Tunnel mode and web mode.
• Both modes can be enabled together.
• Web mode only.
• Ensure that VPN feature is enabled.
• System, Feature Visibility, VPN

• Create a remote ssl tunnel
• VPN, SSL, Portals, Create New
Name: SSL_VPN_Web
• To limit the user for only one session.
• Limit Users to One SSL-VPN Connection at a Time
• Deselect Enable Tunnel Mode
• Select Enable Web Mode
• Deselect Enable FortiClient Download
• In Predefined Bookmarks, Create New,

• Tunnel mode and web mode at the same time.


• Create a network object for ip addresses that will be assigned to VPN users to access the network.
• Policy & Objects, Objects, Addresses, Create New
Name: SSL_VPN_Pool
Type: IP Range
19.0.0.1-19.0.0.100
ok

• Create local users and groups for local authentication.


• Users & Device, User, User Groups to create a group, User Definition to create a local user

• VPN, SSL VPN Portals, Create New


Name: SSL_VPN_Tunnel
Select Enable Web Mode and keep all web options checked.
Select Enable Tunnel Mode
Select Enable Split Tunneling
Routing Address: Local-net
Source IP Pools: SSL_VPN_Pool
• Tunnel Mode Client Options
• Allow client to save password
• To let the client save credentials, this must be enabled on BOTH FortiClient and FortiGate.
• Allow client to connect automatically
• Connects automatically once a user logs in to Windows.
• Allow client to keep connections alive
When enabled, FortiClient tries to reconnect once it detects that the VPN connection went down
unexpectedly (not manually disconnected by the user).
• Also create bookmarks if needed

• To enable ssl service.
• VPN, SSL VPN Settings, select the listening interface outside interface
• Allow access from any host
• Logout users when inactive for specified period
• In Address Range: Specify custom IP ranges and select SSL_VPN_Pool

• Then create access policy to allow RAVPN user access the network.
• Press No SSL-VPN policies exist…….to create that policy.

• Incoming interface will be the ssl.root (this is the tunnel interface)


• Outgoing interface will be the lan interface.
• Source address: SSL_VPN_Pool
• Destination Address: Local-net
• Service: ALL or select a specific one.
• Turn off NAT.
• If there is a conflict with the 443 admin access port, change the SSL VPN port, for example to 10443
• Server certificate: Fortinet_Factory
• On the client computer: https://60.0.0.100:10443
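The whole SSL VPN procedure above (address pool, portal with web and tunnel mode, split tunneling, the client options, the SSL VPN settings on port 10443 and the ssl.root policy) as one added CLI example, not from the notes. The firewall group "SSL-Users" (a local or LDAP group created as in the earlier sections), the interface names "outside" and "inside" and the 300-second idle timeout are assumptions.

```fortios
# Added example: SSL VPN portal, settings and policy (not from the notes).
# Assumptions: WAN "outside", LAN "inside", group "SSL-Users" exists, Local-net = 30.0.0.0/8.
config firewall address
    edit "Local-net"
        set subnet 30.0.0.0 255.0.0.0
    next
    edit "SSL_VPN_Pool"
        set type iprange
        set start-ip 19.0.0.1
        set end-ip 19.0.0.100
    next
end

# Portal: web + tunnel mode, one session per user, split tunneling limited to Local-net.
config vpn ssl web portal
    edit "SSL_VPN_Tunnel"
        set tunnel-mode enable
        set web-mode enable
        set limit-user-logins enable
        set split-tunneling enable
        set split-tunneling-routing-address "Local-net"
        set ip-pools "SSL_VPN_Pool"
        set save-password enable
        set auto-connect enable
        set keep-alive enable
    next
end

# Listener: outside interface, port 10443 so it does not collide with the admin GUI.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSL_VPN_Pool"
    set source-interface "outside"
    set source-address "all"
    set port 10443
    set idle-timeout 300
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL-Users"
            set portal "SSL_VPN_Tunnel"
        next
    end
end

# Without a policy from ssl.root the tunnel comes up but nothing is reachable.
config firewall policy
    edit 50
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "inside"
        set srcaddr "SSL_VPN_Pool"
        set dstaddr "Local-net"
        set groups "SSL-Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Fortinet_Factory is a self-signed certificate, so browsers and FortiClient will warn on every connection; the certificate section further down shows how to replace it with one issued by your CA. `get vpn ssl monitor` lists the connected users (GUI: VPN, Monitor, SSL-VPN Monitor).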

• To install the FortiClient SSLVPN.


• Log in at https://60.0.0.100:10443; under Tunnel Mode, at the bottom press the link Click Here To download and
install…
• After installation, Refresh the Page to connect.

• To monitor logged in users.


• VPN, Monitor, SSL-VPN Monitor

• Traffic shaping.
• Means rate limiting user session bandwidth.
• Use speedtest.net for testing.
• A bandwidth can be defined per ip or shared between all ip addresses in the policy.
• Shared Shaper affects uploads or outbound traffic.
• Reverse Shaper affects downloads or inbound traffic.

• Ensure that this feature is enabled.
• System, Feature Visibility, Traffic Shaping
• Policy & Objects, Traffic Shapers, Create New, Per-IP, .5m_per_ip, 512
• Then create a shaping policy
• Policy & Objects, Traffic Shaping Policy, Create New
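The shaper and shaping policy above from the CLI, as an added example that is not from the notes. It keeps the per-IP shaper the notes create (512 kbps per address) and adds a shared shaper applied in both directions, so that the forward (upload) and reverse (download) halves described above are visible. Interface "outside", the 2048 kbps shared ceiling and the 200-session cap are assumptions.

```fortios
# Added example: per-IP and shared traffic shapers on a shaping policy (not from the notes).
# Assumptions: "outside" is the WAN interface; bandwidth values are in kbps.
config firewall shaper per-ip-shaper
    edit ".5m_per_ip"
        set max-bandwidth 512
        set max-concurrent-session 200
    next
end

# Shared shaper: one bucket for every IP matched by the policy.
config firewall shaper traffic-shaper
    edit "Guest-shared-2M"
        set guaranteed-bandwidth 512
        set maximum-bandwidth 2048
        set per-policy disable
    next
end

# Shared shaper = forward direction (uploads), reverse = downloads, per-IP on top.
config firewall shaping-policy
    edit 1
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set dstintf "outside"
        set per-ip-shaper ".5m_per_ip"
        set traffic-shaper "Guest-shared-2M"
        set traffic-shaper-reverse "Guest-shared-2M"
    next
end
```

Shaping only acts on traffic that an accept policy already lets through, and the per-session cap is what stops a single host from monopolising the shared bucket with many parallel connections during a speedtest.net run.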

• Managing certificates.
• System, Certificates, Local Certificates, Generate, FGT1, ID Type: Domain Name, fgt1.test.local, fill-in other
fields, Key Type: RSA, Key Size: 512, Ok

• Or select Online SCEP, then type the URL of the server http://30.0.0.8/certsrv/mscep/mscep.dll and the password
• Then select that request, download, open the file with WordPad, copy its contents, to get a certificate from
the CA server.
• After a certificate is generated, install it into the firewall.
• System, Certificates, Local Certificates, Import
• To import the CA certificate to the firewall.
• System, Certificates, Import CA Certificates, Local PC, browse the ca cert
• To link the certificate imported with the vpn ssl.
• VPN, SSL, Settings, Server Certificate,

• Forticloud feature.
• A cloud-based web reporting service offered by Fortinet.
• Allow firewall to send security events to the cloud, so admins can view it without accessing the firewall.
• To create an account.
• Dashboard, Main, FortiCloud, Activate FortiCloud, Create Account, (use mailinator for test)
• An email will be sent to complete the registration.
• By default you will have 100 GB free.
• To configure logs to be sent to the forticloud.
• Log & Report, Log Settings, Send Logs to FortiCloud, Test connectivity
• To view FortiCloud logs
• Launch Portal

• Virtual Domains (VDOM)
• The capability to virtualize the appliance into multiple virtual appliances.
• Each one has its own interfaces, routing table, policies, ...
• Once enabled, a default virtual firewall called root is created, to which everything (interfaces, routing table,
policies, ...) is assigned.
• To enable the virtual domain feature (by command line)
• FTG1# config system global
• FTG1(global)# set vdom-admin enable
• FTG1(global)# end (answer y to the prompt)
• Then login again to the firewall, Global, System, VDOM, VDOM to list virtual domains created.
• Also go to interfaces to check which VDOM it is connected to.
• To create a new VDOM.
• Global, System, VDOM, Create New, FTG2, Ok
• To link an interface to that VDOM.
• Global, Config, Network, Interfaces, Edit the interface, Virtual Domain, choose the VDOM

• To manage VDOMs.
• Global, System, VDOM,

• Endpoint Control feature.


• Provides endpoint security on computers regardless of where they are.
• So you can control how they access applications and web sites from anywhere.
• Needs the client to install a program called FortiClient (supported on Mac and Windows computers).
• Can also be used as the SSL VPN or IPsec VPN client application for users.
• Also acts as an anti-virus program.
• When a Windows or Mac computer wants to connect to the internet it must install FortiClient and
also register on the FortiGate.
• Registration is needed to apply the endpoint control profile.
• Configure endpoint control feature.
• System, Feature Visibility, Endpoint Control
• System, Network, Interfaces, Edit internal interface, Administrative Access, FortiTelemetry
Admission Control, Enforce FortiClient Compliance Check.
• Configuring the FortiClient Profile
• Security Profiles, FortiClient Compliance and edit the default profile.

• On the client computer, try to browse the internet with IE.
• After the program is installed and signature updates are downloaded, open the program and press Register to FortiGate.
If the firewall doesn't appear, type its IP manually and go; you will then receive a confirmation that the device is
registered; click Profile Details to view details, Accept
• To view forticlient registrations.
• User & Device, Device Inventory

• Passive authentication.
• Add AD server to the firewall.
• User & Device, LDAP Servers, Create New
Name: AD
Server IP: 30.0.0.8
Server Port: 389
Common Name Identifier: sAMAccountName
Distinguished Name: DC=test,DC=local
Bind Type: Regular [email protected] then type the password
Test, Ok

• On the DC install FSSO: username: .\Administrator, next, next, Advanced, Next, install..., finish
• Open FSSO: 30.0.0.8 - 8002, next, select domain test.local, select users to monitor, DC Agent mode, finish

• After the DC restarts: Start, All Programs, Fortinet Single Sign On Configuration

• Authentication, Require authenticated connection from FortiGate, then type the password shared with the FortiGate
• Set Directory Access Information tab, Advanced Settings, username: administrator, password: domain password
• Set Group Filters, Add, Advanced, Add, DC=local, Add Selected Container, click DC=local, Default Filter, OK
• Apply, Save & Close

• On the firewall
• User & Device, Single Sign-On, Create New,
• Group tab to select a group

• User & Device, User Groups, AD_domain_users, Members, select Domain Users group

• Then in the access policy, in the source select that SSO group

• Open FSSO configuration on DC, show logon users

• DLP (Data Leak Prevention).


• Used to define which data you need to filter.
• Can detect a file regardless of its extension.
• DLP examines your network traffic for data patterns you specify.
• DLP is not available in flow-based inspection.
• Change the inspection mode from flow-based to proxy at System, Settings
• System, Feature Visibility, DLP
• Security Profiles, Data Leak Prevention, + to create a new profile, DLP_Prof, Create New for a new rule,
select Message or File according to what you want to filter, change the action to Block.

• To link that DLP profile to the policy.


• Edit a policy, Security Profiles, DLP Sensor,
• On the client try to download a PDF file at http://www.pdf995.com/samples/

• SNMP
• System, SNMP, SNMP Agent,

• Then enable SNMP on the interface.


• Network, Interfaces
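The SNMP agent and interface steps above from the CLI, as an added example that is not from the notes. It enables the agent, defines a v2c community restricted to one manager, and beside it an SNMPv3 user with authentication and encryption, which is what a practitioner would deploy instead of a community string. The manager 30.0.0.8, the interface port2 and all names are assumptions; the passwords are placeholders.

```fortios
# Added example: SNMP agent with a restricted v2c community and an SNMPv3 user (not from the notes).
# Assumptions: the NMS is 30.0.0.8 and polls via port2; secrets are placeholders.
config system snmp sysinfo
    set status enable
    set description "Lab FortiGate"
    set location "Lab"
end

# v2c: queries and traps only to/from the one manager host; v1 switched off.
config system snmp community
    edit 1
        set name "<not-public>"
        config hosts
            edit 1
                set ip 30.0.0.8 255.255.255.255
            next
        end
        set query-v1-status disable
        set trap-v1-status disable
    next
end

# v3: authenticated and encrypted (auth-priv), the preferred option.
config system snmp user
    edit "nms"
        set security-level auth-priv
        set auth-proto sha
        set auth-pwd "<auth-password-placeholder>"
        set priv-proto aes
        set priv-pwd "<priv-password-placeholder>"
        set notify-hosts 30.0.0.8
    next
end

# The interface must allow snmp in its administrative access list.
config system interface
    edit "port2"
        set allowaccess https ssh ping snmp
    next
end
```

Open snmp only on the interface that faces the manager; a community string accepted on the WAN interface is a reconnaissance gift.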

• Packet capture.
• Network, Packet capture, Create New,

• Then start capturing

• Then stop capturing and download the captured file.
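The built-in sniffer is the CLI counterpart of Network, Packet Capture and is often faster when the question is "does the packet reach the firewall at all". Added example, not from the notes; the hosts and ports are lab assumptions.

```fortios
# Added example: CLI packet capture (not from the notes).
# Syntax: diagnose sniffer packet <interface|any> '<tcpdump-style filter>' <verbosity> <count> <a = absolute timestamps>
# Verbosity 4 prints headers with interface names; 6 adds the payload in hex.

# Is the ping from the lab host arriving, and on which interface?
diagnose sniffer packet any 'host 60.0.0.200 and icmp' 4 10 a

# Inbound connections to the published VIP port, before and after NAT (both legs show up with "any").
diagnose sniffer packet any 'port 8080 or port 80' 4 20 a

# Phase 1 negotiation of the site-to-site tunnel.
diagnose sniffer packet outside 'host 60.0.0.150 and (udp port 500 or udp port 4500)' 4 20 a
```

The count argument stops the capture on its own; without it, end the capture with Ctrl-C. Use verbosity 6 only when you really need payload bytes, since it floods the console.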

• Virtual wire pair.


• Consists of two interfaces that have no IP addresses; all traffic received by one interface in the pair can
only be forwarded out the other, as controlled by firewall policies.
• Interfaces used in a virtual wire pair cannot be used for admin access
• Network > Interfaces and select Create New > Virtual Wire Pair.

• Policy & Objects, IPv4 Virtual Wire Pair Policy, create a policy that will allow users on the internal network to
connect to the server.
• Select the direction that traffic is allowed to flow

• High Availability.

• A dedicated link between the 2 firewalls must exist for checking liveness and synchronizing configuration
changes between firewalls.
• Firewalls must be the same model, with the same OS version and the same security features.
• If a monitored interface fails, the cluster reorganizes to re-establish a link to the network of that interface and
to continue operating with no disruption of network traffic.
• You cannot monitor interfaces that contain an internal switch, VLAN sub interfaces, IPsec VPN interfaces.
• Wait until a cluster is up and running and all interfaces are connected before enabling interface monitoring.
• Monitor interfaces connected to networks that process high priority traffic so that the cluster maintains
connections to these networks if a failure occurs.
• Avoid configuring interface monitoring for all interfaces.
• A/P (Active-Passive)
• Only one is active.
• Configure the primary unit first, then the secondary.
• System, HA, change the Mode to Active/Passive.
• The active unit gets the higher Device Priority, 150 (the default is 128).
• Type a Group Name and a Password (both must be the same on the other firewall).
• Select Enable Session Pick-up to synchronize all active session data to the other firewall (also enable it on the
other one).
• Enable only the heartbeat interface that is connected to the other firewall, with the same heartbeat priority on
both sides, for example 50.
• Select the outside interface under Monitor Interfaces so that its link is monitored.
• Monitoring after configuration.
• System, HA
• To view the cluster logs.
• Log & Report, HA Events
• To remove a firewall from the cluster.
• System, HA, Remove device from HA cluster

• A/A (Active-Active)
• Both firewalls are active load balancing traffic between them.
• On the master firewall:
• System, Dashboard, Status, HA Status, Configure, change the Mode to Active/Active.
• All other settings are the same as Active/Passive.
• All configuration is done on the active unit; the master firewall here means the one on which configuration
must be done.
• To remove a firewall from the cluster:
• System, HA, select the slave, Remove Device From HA Cluster
• Then change its mode back to Standalone.
• Removing a firewall from a cluster removes the configuration from its interfaces. [never do that remotely]
• #show system interface
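The A/P and A/A GUI steps above, written as a FortiOS CLI configuration; this is an added illustration, not a command listing from the original notes. It assumes FortiOS 6.x syntax, that port3 is the dedicated heartbeat link, that wan1 is the monitored outside interface, and uses an obvious placeholder for the password.

```fortios
# Added example: the same HA settings as the GUI steps, in FortiOS CLI.
# Run on the primary unit first, then on the secondary (port names are assumed).
config system ha
    set group-name "FGT-CLUSTER"          # must match on both units
    set mode a-p                          # use "set mode a-a" for Active-Active
    set password "CHANGE-ME-placeholder"  # placeholder; must match on both units
    set priority 150                      # secondary keeps the default 128
    set hbdev "port3" 50                  # dedicated heartbeat link, same priority (50) on both units
    set session-pickup enable             # sync active sessions; enable on both units
    set monitor "wan1"                    # outside interface; failover if its link goes down
    set override disable                  # default: a recovered unit does not preempt
                                          # (with override disabled, uptime is compared before priority)
end

# Checks once both units have joined:
get system ha status                      # cluster members, which unit is primary, and why
diagnose sys ha checksum cluster          # configuration checksums must match on both members
```

If the checksums differ, the secondary has not synchronized the configuration and will not take over cleanly; resolve that before enabling interface monitoring, as the notes advise.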

• Detailed sequence of a TCP 3-way handshake through the cluster (Active-Active, session load balanced to the Slave):

1. SYN is sent from the Client to the Master Internal interface, which has the virtual MAC address (V_MAC_Inter).
2. SYN is redistributed to the Slave Internal interface. Source MAC is the Master Internal virtual MAC (V_MAC_Inter)
and destination MAC is the Slave Internal physical MAC (Phy_MAC_Inter).
3. SYN is forwarded from the Slave Internal interface to its External interface, to the external switch connected to the Server.
4. SYN/ACK is sent from the Server to the Master External interface.
5. SYN/ACK is redistributed to the Slave: source MAC is the Master External virtual MAC (V_MAC_Exter) and
destination MAC is the Slave External physical MAC (Phy_MAC_Exter).
6. SYN/ACK is forwarded from the Slave External interface to its Internal interface, toward the internal switch and the Client.
7. ACK is sent from the Client to the Master Internal interface.
8. ACK is redistributed to the Slave.
9. ACK is forwarded from the Slave Internal interface to its External interface, toward the external switch and the Server.
10. TCP 3-way handshake completes.
• Note: the Client and Server do not know about the existence of the Slave FortiGate.

• Redundant Internet with SD-WAN.

• This allows you to load balance your Internet traffic between multiple ISP links and provides redundancy for
your network’s Internet connection if your primary ISP is unavailable.
• Connect the Internet-facing ports (WAN ports) on the FortiGate to your ISP devices.

• Remove these interfaces from routes and policies.


Before you can configure FortiGate interfaces as SD-WAN members, you must remove or redirect existing
configuration references to those interfaces in routes and security policies
• Network > Static Routes and delete any routes that use WAN1 or WAN2.

• Policy & Objects > IPv4 Policy and delete any policies that use WAN1 or WAN2.

• Creating the SD-WAN interface


• Network > SD-WAN and set Status to Enable.
• Under SD-WAN Interface Members, select + and select wan1. Set the Gateway to the default gateway for
this interface. This is usually the default gateway IP address of the ISP that this interface is connected to.
Repeat these steps to add wan2.


• Network > Interfaces and verify that the virtual interface for SD-WAN appears in the interface list.
• You can expand SD-WAN to view the ports that are included in the SD-WAN interface.

• Configuring SD-WAN load balancing.


• Network > SD-WAN Rules and edit the rule named sd-wan.
• In the Load Balancing Algorithm field, select Volume, and prioritize WAN1 to serve more traffic.
• In the example, the ISP connected to WAN1 is a 40Mb link, and the ISP connected to WAN2 is a 10Mb link,
so we balance the weight 75% to 25%

• Creating a static route for the SD-WAN interface


• Configuring a security policy for SD-WAN
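The whole SD-WAN procedure above (members, volume-based load balancing, static route, security policy) as a FortiOS 6.0/6.2 CLI configuration; this is an added illustration, not the notes' own commands. It assumes the ISP gateways 203.0.113.1 and 198.51.100.1 (documentation addresses), an inside interface named "internal", the 75/25 split from the notes, and the `config system virtual-wan-link` syntax (renamed `config system sdwan` in FortiOS 6.4 and later).

```fortios
# Added example (assumed values): wan1 = 40Mb ISP, wan2 = 10Mb ISP.
# Prerequisite: every static route and policy that references wan1/wan2 directly has been removed.
config system virtual-wan-link
    set status enable
    set load-balance-mode measured-volume-based   # the GUI "Volume" algorithm
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1               # ISP-1 default gateway (assumed)
            set volume-ratio 75                   # 75% of the volume to the 40Mb link
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1              # ISP-2 default gateway (assumed)
            set volume-ratio 25                   # 25% to the 10Mb link
        next
    end
end

# Static route: one default route pointing at the SD-WAN virtual interface instead of wan1/wan2
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set virtual-wan-link enable
    next
end

# Security policy: destination is the SD-WAN virtual interface; NAT because inside hosts
# use private addresses, logging so failover between links is visible in the traffic log
config firewall policy
    edit 0
        set name "LAN-to-SDWAN"
        set srcintf "internal"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Check: both members, their gateways and the configured ratio are listed here
diagnose sys virtual-wan-link member
```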
