Fortigate
• Fortinet.
• Lab topology.
Firewalls Page 1
• Basic configuration.
• Edit the VM settings to one CPU and 1 GB of RAM.
• Default username admin, no password (set one as soon as the unit is reachable on the network).
• # config system interface
• # edit port1
• # set mode static
• # set ip 60.0.0.100 255.0.0.0 (the default is 192.168.1.99)
• # set allowaccess http https ping telnet (lab only: http and telnet carry the admin credentials in cleartext, so a production management interface should allow only https and ssh, with trusthosts set on the admin accounts)
• # end
• # execute ping 60.0.0.200
• Then open a browser at http://60.0.0.100 (or https://60.0.0.100)
• To get the system serial number
• # get system status
• To change the host name, system time, password policy and similar settings:
• System, Settings
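The lab steps above leave port1 with http and telnet management enabled and the admin account without trusthosts. The script below is an added example (not part of the course notes and not Fortinet tooling): it parses the config/edit/set/next/end syntax that the CLI `show` command prints and flags those two weaknesses. The configuration dump it reads is constructed to match the lab addressing; the names SAMPLE_CONFIG, parse_fortios, audit and hardened_allowaccess are chosen for this example.

```python
"""Audit a FortiOS configuration dump for weak management-plane settings.

Added example (not from the course notes): parses the nested
`config ... edit ... set ... next ... end` shape that `show` prints and
flags interfaces that expose cleartext management (telnet/http) and admin
accounts that have no trusthost restriction.
"""
import shlex

# Constructed sample: roughly what `show system interface` and
# `show system admin` print after the lab steps above.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 60.0.0.100 255.0.0.0
        set allowaccess http https ping telnet
    next
    edit "port2"
        set ip 10.0.0.100 255.0.0.0
        set allowaccess https ssh ping
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set password ENC xxxx
    next
    edit "netops"
        set trusthost1 10.0.0.0 255.0.0.0
        set accprofile "prof_admin"
    next
end
"""

CLEARTEXT = {"telnet", "http"}  # management protocols that send credentials in the clear


def parse_fortios(text):
    """Return {section: {entry: {setting: [values]}}}.

    Handles the flat `config X / edit Y / set ... / next / end` shape only;
    settings outside an `edit` block are ignored, which is enough here.
    """
    sections = {}
    section = entry = None
    for raw in text.splitlines():
        parts = shlex.split(raw)  # strips the quotes around edit names
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":
            section = " ".join(args)
            sections.setdefault(section, {})
        elif kw == "edit" and section is not None:
            entry = args[0]
            sections[section].setdefault(entry, {})
        elif kw == "set" and entry is not None:
            sections[section][entry][args[0]] = args[1:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section = entry = None
    return sections


def audit(config):
    """Return a list of (object, finding) tuples for the two checks."""
    findings = []
    for name, iface in config.get("system interface", {}).items():
        exposed = CLEARTEXT & set(iface.get("allowaccess", []))
        if exposed:
            findings.append((f"interface {name}",
                             "cleartext admin access: " + ", ".join(sorted(exposed))))
    for name, adm in config.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append((f"admin {name}", "no trusthost restriction"))
    return findings


def hardened_allowaccess(iface):
    """The `set allowaccess` line with the cleartext protocols removed."""
    kept = [p for p in iface.get("allowaccess", []) if p not in CLEARTEXT]
    return "set allowaccess " + " ".join(kept)


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for obj, finding in audit(cfg):
        print(f"{obj}: {finding}")
    print(hardened_allowaccess(cfg["system interface"]["port1"]))
```

Run it against a real `show full-configuration` dump by replacing SAMPLE_CONFIG with the file contents; the parser ignores sections it does not know, so the two checks still apply.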
• Inspection Modes.
• Proxy
• Proxy inspection involves buffering traffic and examining it as a whole before determining an action.
• The process of having the whole of the data to analyze allows for the examination of more points of data than
the flow-based method.
• Flow-based
• As each packet of the traffic arrives it is processed and forwarded without waiting for the complete file or
web page.
• This inspection method examines the file as it passes through the FortiGate unit without any buffering.
• NGFW Modes:
• Profile-based mode (the default).
- The admin must first create an Application Control or Web Filter profile, then link it to the policy.
• Policy-based mode.
- You can add applications and web filtering categories directly to a policy without having to first create and
configure Application Control or Web Filtering profiles.
• To change the default admin password.
• System, Administrators,
• To reset admin lost password.
• First, power-cycle the firewall.
• Within about 60 seconds of boot, log in on the console with the username "maintainer" and the password "bcpb" followed immediately by the unit's serial number (case-sensitive, no space; the serial is shown by get system status and printed on the chassis).
• Anyone with physical console access can do this, so keep the console secured; the account can be turned off with set admin-maintainer disable under config system global, which also removes this recovery path.
• # config system admin
• # edit admin
• # set password the-password
• # end
• # exit
• After logging in with the new password: # execute reboot
• To configure admin profiles.
• System, Admin profiles
• Interfaces.
• To configure interfaces.
• Network, interfaces
• Interface types:
• Aggregate Interfaces
- Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to form an
aggregated (combined) link.
- This new link has the bandwidth of all the links combined.
- If a link in the group fails, traffic is transferred automatically to the remaining interfaces with the only
noticeable effect being a reduced bandwidth.
- Support of the IEEE standard 802.3ad for link aggregation is available on some models.
- An interface is available to be an aggregate interface if:
it is a physical interface, not a VLAN interface or subinterface
it is not already part of an aggregate or redundant interface
it is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple VDOMs
it does not have an IP address and is not configured for DHCP or PPPoE
it is not referenced in any security policy, VIP, IP Pool or multicast policy
it is not an HA heartbeat interface
• Redundant interfaces
- Traffic is only going over one interface at any time.
- This differs from an aggregated interface where traffic is going over all interfaces for distribution of
increased bandwidth.
- An interface is available to be in a redundant interface if:
it is a physical interface, not a VLAN interface
it is not already part of an aggregated or redundant interface
it is in the same VDOM as the redundant interface
it has no defined IP address
is not configured for DHCP or PPPoE
it has no DHCP server or relay configured on it
it does not have any VLAN subinterfaces
it is not referenced in any security policy, VIP, or multicast policy
it is not monitored by HA
• Loopback interfaces.
- A logical interface that is always up (no physical link dependency).
- The attached subnet is always present in the routing table.
• VLAN interface (sub-interface).
- To configure a sub-interface.
- Network, Interfaces, Create New, Interface
Name: Guest
Type: VLAN
VLAN ID: 7
IP: Manual, 10.0.0.100/255.0.0.0
Administrative Access: PING
OK
- Each VLAN sub-interface is its own logical interface: traffic between two VLANs on the same physical port is still subject to firewall policy (and the implicit deny), and the sub-interfaces can be grouped into zones to keep that policy manageable.
- The switch port connected to the firewall must be a trunk carrying the VLAN with IEEE 802.1Q tagging.
• Software switch.
- A virtual switch that is implemented at the software, or firmware level, rather than the hardware level.
- Can be used to simplify communication between devices connected to different FortiGate interfaces.
- You can place the FortiGate interface connected to an internal network on the same subnet as your wireless
interfaces.
- Similar to a hardware switch, a software switch functions like a single interface.
- A software switch has one IP address; all of the interfaces in the software switch are on the same subnet.
- Traffic between devices on the member interfaces is switched directly and is not regulated by security policies, so a software switch provides no segmentation between its members.
- To create a software switch interface
System > Network > Interface and select Create New.
Type: Software Switch.
In the Physical Interface Members option, select the interfaces to include.
Configure the remaining interface settings
Select OK.
• Zone.
• Zones are a mechanism that was created to help in the administration of the firewalls.
• Zones provide the option of logically grouping multiple virtual and physical FortiGate firewall interfaces.
• The zones can then be used to apply security policies to control the incoming and outgoing traffic on those
interfaces.
• This helps to keep the administration of the firewall simple and maintain consistency.
• To group sub-interfaces into a zone so that policies reference the zone instead of each sub-interface (traffic between zone members still needs a policy while Block intra-zone traffic is enabled).
• System, Network, Interfaces, Create New, Zone
• To configure DNS.
• Network, DNS
• NAT.
• PAT.
• Edit the access policy and enable NAT with Use Outgoing Interface Address: this is PAT, all internal hosts share the egress interface's IP and are distinguished by source port.
• To test.
Open a telnet or HTTP session to a remote firewall, then on that firewall go to Dashboard, Status, Administrators: the admin session appears with the translated (outgoing interface) address as its source, not the internal host's address.
• To view the NAT (session) table
• # get system session list
• Dynamic NAT
• Policy & Objects, IP Pools, add, Type: Overload for Dynamic NAT
• Static NAT
• Policy & Objects, IP Pools, add, Type: One-to-One for static outgoing NAT
• In access policy select when the source is the internal ip and the destination all, select NAT with this pool
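To make the session table easier to read, the script below is an added example (not from the notes and not Fortinet code): it parses the six-column output of get system session list and labels each session by the translation it shows (PAT to the outgoing interface address, source NAT from an IP pool, destination NAT from a VIP, or none). The sample output and the INTERFACE_IPS / IP_POOLS tables are constructed to match the lab addressing.

```python
"""Summarise NAT in `get system session list` output.

Added example (not from the notes). Parses the session table the
FortiGate CLI prints and labels each session by the translation it shows.
"""
from collections import Counter

# Constructed sample output of `get system session list`.
SAMPLE_SESSIONS = """\
PROTO   EXPIRE SOURCE             SOURCE-NAT         DESTINATION        DESTINATION-NAT
tcp     3599   10.0.0.5:52344     60.0.0.100:52344   60.0.0.200:23      -
udp     175    10.0.0.6:51000     60.0.0.150:51000   8.8.8.8:53         -
tcp     3600   198.51.100.7:40111 -                  60.0.0.100:8080    10.0.0.10:80
tcp     120    10.0.0.5:44002     -                  10.0.0.10:80       -
"""

# Assumed lab addressing: the outside interface address used for
# "Use Outgoing Interface Address" (PAT) and the addresses of IP pools.
INTERFACE_IPS = {"60.0.0.100"}
IP_POOLS = {"60.0.0.150": "pool_dyn"}


def split_endpoint(token):
    """'10.0.0.5:52344' -> ('10.0.0.5', 52344); the CLI prints '-' for no NAT."""
    if token == "-":
        return None
    ip, port = token.rsplit(":", 1)
    return ip, int(port)


def parse_sessions(text):
    """Turn the table into a list of dicts, skipping the header and short lines."""
    sessions = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) != 6:
            continue
        proto, expire, src, snat, dst, dnat = cols
        sessions.append({
            "proto": proto, "expire": int(expire),
            "src": split_endpoint(src), "snat": split_endpoint(snat),
            "dst": split_endpoint(dst), "dnat": split_endpoint(dnat),
        })
    return sessions


def classify(session):
    """Name the translation a session entry shows."""
    snat, dnat = session["snat"], session["dnat"]
    if dnat:
        return "VIP (destination NAT)"
    if snat:
        if snat[0] in INTERFACE_IPS:
            return "PAT via outgoing interface address"
        if snat[0] in IP_POOLS:
            return f"source NAT via IP pool {IP_POOLS[snat[0]]}"
        return "source NAT via unknown address"
    return "no NAT"


def summarize(text):
    """Count sessions per translation type."""
    return Counter(classify(s) for s in parse_sessions(text))


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_SESSIONS):
        print(f"{s['proto']:5} {s['src'][0]}:{s['src'][1]} -> {s['dst'][0]}:{s['dst'][1]}  {classify(s)}")
    print(summarize(SAMPLE_SESSIONS))
```

A source NAT address that is neither an interface address nor a known pool ("unknown address") is worth investigating: it usually means a pool or interface the inventory does not know about.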
- Then create a policy to allow external users to access that external port.
- Source interface : the external interface
- Destination interface: internal interface
- Source address: all
- Destination address: the created virtual ip.
- Choose the service (for example HTTP) and turn NAT off; the VIP already performs the destination translation.
- The VIP rewrites the destination before the policy lookup, so if the VIP listens on the external interface on port 8080 and maps it to 80, the policy must permit port 80, not 8080.
- To monitor connections.
- FortiView, All Sessions
----------------------------------------------------------------------------------------------------------------
• Objects.
• To add object of ip or ip range.
• Policy & Objects, Addresses, create new, in subnet / ip range type the ip/mask
• You can add an address group to hold multiple addresses
• To add object of a service.
• Policy & Objects, Objects, Services, Create New
• Also you can create a schedule.
• Policy & Objects, Objects, Schedules, Create New
• Access Policy.
• By default all traffic between networks connected to the firewall is denied by the implicit deny policy at the bottom of the policy list; only traffic matched by an explicit accept policy passes.
• The Implicit Firewall Policies feature only controls whether that implicit deny is displayed in the GUI; disabling it does not allow any traffic.
• To display it:
• System, Feature Visibility, Implicit Firewall Policies
• Policy & Objects, IPv4 Policy, Create new
• Specify the source interface(s), source address (or Create to add a new address object), destination interface(s), destination address and service
In Logging Options choose All Sessions
• To monitor a policy and view active sessions.
• Log & Report, Forward Traffic,
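Two points from the VIP and policy sections above are easy to get wrong: the implicit deny catches anything no explicit policy accepts, and a VIP rewrites the destination before the policy lookup, so the policy must match the mapped port. The simulator below is an added example (not FortiOS code) that models both with constructed objects; the VIP name web_vip, the interface names outside/inside, the addresses and the policy names are assumptions made for the example.

```python
"""Model FortiGate policy lookup with a VIP and the implicit deny.

Added example, not FortiOS code. Destination NAT from a VIP is applied
before the policy table is searched; policies are checked top-down and
anything unmatched hits the implicit deny.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vip:
    ext_ip: str
    ext_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str          # CIDR or "all"
    dstaddr: str          # CIDR, "all", or the name of a VIP object
    service: frozenset    # destination ports, or {"ALL"}
    action: str           # "accept" or "deny"


@dataclass
class Flow:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    dport: int
    dnat_via: str = None  # name of the VIP that rewrote the destination, if any


def apply_vip(flow, vips):
    """DNAT step: if the original destination matches a VIP, rewrite it."""
    for name, v in vips.items():
        if flow.dst == v.ext_ip and flow.dport == v.ext_port:
            flow.dst, flow.dport, flow.dnat_via = v.mapped_ip, v.mapped_port, name
            break
    return flow


def addr_matches(spec, ip, dnat_via, vips):
    """Address objects: 'all', a VIP name (matches only traffic it translated), or a CIDR."""
    if spec == "all":
        return True
    if spec in vips:
        return dnat_via == spec
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def lookup(flow, policies, vips):
    """First matching policy wins; nothing matched means the implicit deny."""
    for p in policies:
        if (p.srcintf == flow.srcintf and p.dstintf == flow.dstintf
                and addr_matches(p.srcaddr, flow.src, flow.dnat_via, vips)
                and addr_matches(p.dstaddr, flow.dst, flow.dnat_via, vips)
                and ("ALL" in p.service or flow.dport in p.service)):
            return p.name, p.action
    return "implicit", "deny"


# Constructed objects: a port-forward VIP (8080 outside -> 80 inside) and three policies.
VIPS = {"web_vip": Vip("60.0.0.100", 8080, "10.0.0.10", 80)}
POLICIES = [
    # Wrong: permits the external port, but lookup sees the mapped port 80.
    Policy("inbound_web_wrong", "outside", "inside", "all", "web_vip", frozenset({8080}), "accept"),
    # Right: permits the mapped (internal) port.
    Policy("inbound_web", "outside", "inside", "all", "web_vip", frozenset({80}), "accept"),
    Policy("lan_out", "inside", "outside", "10.0.0.0/8", "all", frozenset({"ALL"}), "accept"),
]


def evaluate(srcintf, dstintf, src, dst, dport, policies=POLICIES, vips=VIPS):
    """Run a flow through DNAT and policy lookup; returns (policy name, action)."""
    flow = apply_vip(Flow(srcintf, dstintf, src, dst, dport), vips)
    return lookup(flow, policies, vips)


if __name__ == "__main__":
    print(evaluate("outside", "inside", "198.51.100.7", "60.0.0.100", 8080))
    print(evaluate("outside", "inside", "198.51.100.7", "60.0.0.100", 8080, policies=POLICIES[:1]))
    print(evaluate("outside", "inside", "198.51.100.7", "60.0.0.100", 443))
    print(evaluate("inside", "outside", "10.0.0.5", "8.8.8.8", 53))
```

With only the "wrong" policy present the inbound request lands on the implicit deny even though it names the VIP, which is exactly the symptom seen when the service is set to the external port.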
• Learning Mode.
• When the action in a security policy is set to LEARN, the policy accepts and logs all traffic that matches it.
• You can then view an assessment report showing in detail how the policy is actually being used.
• Use it to find out which traffic you need to block before writing deny rules; keep it temporary, because a learning policy allows everything it matches.
• All security profiles are disabled automatically on a policy while it is in learning mode.
• To view the logging report.
• Log&Report, Logging Report, Report Summary or table of contents, user productivity, web usage
• Filtering based on the device or endpoint the user connects from (BYOD).
• Allows users to bring their own mobile devices.
• Device detection is enabled per interface; devices seen on that interface are identified and can then be referenced (allowed or blocked) in policy.
• Edit an interface: Network, Interfaces, Networked Devices, Device Detection
• To view discovered devices.
• User & device, Device Inventory.
• To view device group for detected devices.
• User & Device, Custom Devices & Groups
• To create a new group that include more groups: Create New
• To control the discovered devices to allow or block.
• Edit a policy, in source Device Type select a default group or your created group.
• Web Filtering.
• Ensure that the feature is enabled: System, Feature Visibility, Web Filter
• To create a web filter profile.
• Security Profiles, Web Filter, + to add a new one
• FortiGuard categories can only be used with a valid FortiGuard Web Filtering license; the static URL filter works without one.
• To use manual static URLs.
• Under static URL filter , Enable URL Filter, Create
• To configure the action for each category or a sub category.
• Security Profiles, Web Filter, FortiGuard Categories, right-click a category or sub-category and choose an action
• To find the category and the action for a specific url.
• System, Fortiguard, Request re-evaluation of a URL's category
• To link this profile to the firewall policy.
• Edit the policy, enable Web Filter and choose the profile.
• Enabling Web Filter on a policy also enables SSL inspection (certificate inspection by default), so a user blocked on an HTTPS site gets a browser certificate error instead of the block page unless deep inspection is enabled and the FortiGate's CA is trusted by the client.
• To log users' sessions.
• System, Feature Visibility, Local Reports
• Log & Report, Forward Traffic
• Https inspection.
• Enabling Web Filter, AntiVirus or Application Control on a policy requires an SSL/SSH Inspection profile; the default is certificate-inspection (SNI and certificate only, no decryption), and deep inspection must be selected explicitly.
• For the lab, first turn off Web Filter and SSL/SSH Inspection on the policies.
• Enable certificate feature.
• System, Feature Visibility, Certificates
• To configure and export the firewall certificate.
• System, Certificates, Local CA Certificates, choose the local self signed certificate called
Fortinet_CA_SSL, Download
• Then import this certificate into the users' Trusted Root Certification Authorities store, or in the browser: Advanced, Encryption, Authorities, Import, Trust this CA to identify websites.
• Every client that trusts this CA will accept any certificate the FortiGate signs, so treat the CA's private key as a high-value secret: a leaked key lets an attacker impersonate every HTTPS site to those clients.
• To configure the ssl inspection profile.
• Security Profiles, SSL/SSH Inspection,
use the existing deep-inspection profile or click + to add a new profile, e.g. ssl_prof1
HTTPS
Exempt from SSL Inspection: categories (e.g. banking, health) to exclude from decryption
Allow Invalid SSL Certificates: when checked, traffic to servers with an invalid (expired, self-signed, mismatched) certificate is passed through; leave it unchecked outside the lab, since it removes the certificate check for every user behind the firewall
Apply
• To link that ssl policy to the security policy
• Edit the Security Policy, security profiles, SSL/SSH Inspection, select deep-inspection or ssl_prof1
• Also select a web profile
• IPS inspection.
• Ensure that IPS feature is enabled.
• System, Feature Visibility, Intrusion Protection
• View IPS Signatures shows the signatures contained in a profile
• To create a new profile.
• Security Profiles, Intrusion Protection, + to create a new one,
• Then edit a policy and link that IPS profile.
• For monitoring.
• Log & Report, Intrusion Prevention
• VPN.
• VPN site2site.
• Ensure that VPN feature is enabled.
• System, Feature Visibility, VPN
• VPN, IPSec Tunnel Templates, click a template, view to view its details that must be configured on the other
side.
• To create a vpn tunnel.
• VPN, IPSec Tunnels, Create New, type a name Site2, Site to Site, Fortigate, No NAT between sites
• IP Address: 60.0.0.150
• Outgoing Interface: outside
• Authentication Method: pre-shared key, type the key, Next
• System, Feature Visibility, VPN
• Create a remote-access SSL VPN portal.
• VPN, SSL, Portals, Create New
Name: SSL_VPN_Web
• To limit the user for only one session.
• Limit Users to One SSL-VPN Connection at a Time
• Deselect Enable Tunnel Mode
• Select Enable Web Mode
• Deselect Enable FortiClient Download
• In Predefined Bookmarks, Create New,
• Then create access policy to allow RAVPN user access the network.
• Click the "No SSL-VPN policies exist……." link to create that policy.
• Traffic shaping.
• Rate-limits the bandwidth of user sessions.
• Use speedtest.net for testing.
• A bandwidth limit can be defined per IP or shared between all IP addresses matched by the policy.
• Shared Shaper applies in the policy's forward direction (source to destination, i.e. uploads/outbound traffic).
• Reverse Shaper applies to the reply direction (downloads/inbound traffic).
• Ensure that this feature is enabled.
• System, Feature Visibility, Traffic Shaping
• Policy & Objects, Traffic Shapers, Create New, Type: Per-IP, Name: .5m_per_ip, Maximum Bandwidth: 512 kbps
• Then create a shaping policy
• Policy & Objects, Traffic Shaping Policy, Create New
• Managing certificates.
• System, Certificates, Local Certificates, Generate, Name: FGT1, ID Type: Domain Name, fgt1.test.local, fill in the other fields, Key Type: RSA, Key Size: 2048, OK
- The lab used a 512-bit key; do not. 512- and 1024-bit RSA keys can be factored with modest resources and are rejected or flagged by current browsers, so 2048 bits is the minimum for any certificate a client will be asked to trust.
• Or select Online SCEP, then type the URL of the SCEP server, http://30.0.0.8/certsrv/mscep/mscep.dll, and the challenge password
• Then select that request, Download, open the file with WordPad and copy its contents; paste the CSR into the CA server's enrollment page to obtain a signed certificate.
• After a certificate is generated, install it into the firewall.
• System, Certificates, Local Certificates, Import
• To import the CA certificate to the firewall.
• System, Certificates, Import CA Certificates, Local PC, browse the ca cert
• To link the certificate imported with the vpn ssl.
• VPN, SSL, Settings, Server Certificate,
• Forticloud feature.
• A cloud-based log and reporting service offered by Fortinet.
• Allows the firewall to send its security events to the cloud so admins can view them without accessing the firewall.
• To create an account.
• Dashboard, Main, FortiCloud, Activate FortiCloud, Create Account, (use mailinator for test)
• An email will be sent to complete the registration.
• By default you will have 100 GB free.
• To configure logs to be sent to the forticloud.
• Log & Report, Log Settings, Send Logs to FortiCloud, Test connectivity
• To view forticloud logs
• Launch Portal
• Global, Config, Network, Interfaces, Edit the interface, Virtual Domain, choose the VDOM
• To manage VDOMs.
• Global, System, VDOM,
• Passive authentication.
• Add AD server to the firewall.
• User & Device, LDAP Servers, Create New
Name: AD
Server IP: 30.0.0.8
Server Port: 389 (cleartext LDAP; in production enable Secure Connection / LDAPS on 636 so the bind password is not sent in the clear)
Common Name Identifier: sAMAccountName
Distinguished Name: DC=test,DC=local
Bind Type: Regular, [email protected], then type the password (use a dedicated read-only service account rather than a domain administrator)
Test, OK
• On the DC install the FSSO collector agent: username .\Administrator (the agent account needs rights to read the DC security logs; a dedicated service account with only those rights is preferable), Next, Next, Advanced, Next, Install, Finish
• Open FSSO: collector 30.0.0.8, port 8002, Next, select the domain test.local, select the users to monitor, DC Agent mode, Finish
• On firewall
• User & Device, Single Sign-On, Create New,
• Group tab to select a group
• User & Device, User Groups, AD_domain_users, Members, select Domain users group
• Then in the access policy in the source select that sso group
• SNMP
• System, SNMP, SNMP Agent (prefer SNMPv3 with authentication and privacy over v1/v2c community strings, and restrict the hosts allowed to query the agent)
• Packet capture.
• Network, Packet capture, Create New,
• Policy & Objects, IPv4 Virtual Wire Pair Policy, create a policy that allows users on the internal network to connect to the server.
• Select the direction in which traffic is allowed to flow.
• High Availability.
• A dedicated heartbeat link between the two firewalls must exist for checking that the peer is alive and for synchronizing configuration changes between the firewalls.
• The firewalls must be the same model, run the same FortiOS version and have the same licensed security features.
• If a monitored interface fails, the cluster reorganizes to re-establish a link to the network of that interface and
to continue operating with no disruption of network traffic.
• You cannot monitor interfaces that contain an internal switch, VLAN sub interfaces, IPsec VPN interfaces.
• Wait until a cluster is up and running and all interfaces are connected before enabling interface monitoring.
• Monitor interfaces connected to networks that process high priority traffic so that the cluster maintains
connections to these networks if a failure occurs.
• Avoid configuring interface monitoring for all interfaces.
• A/P (Active-Passive)
• Only one is active.
• Configure the primary unit, then the secondary
• System, HA, change the Mode to Active/Passive.
• Give the unit you want active a higher device priority, e.g. 150 (the default is 128). Priority only decides the primary ahead of uptime when override is enabled; otherwise the unit that has been up longer stays primary.
• Type a Group Name and a password (Must be the same on the other side).
• Select Enable Session Pick-up to synchronize all active sessions data to the other firewall (also check on
other one).
• Enable only the heartbeat interface that is connected to the other firewall, with the same heartbeat priority on both units, e.g. 50.
• Select the outside interface for monitoring the link
• Monitoring after configuration.
• System, HA
• To view the cluster logs.
• Log & Report, HA Events
• To remove a firewall from the cluster.
• System, HA, Remove device from HA cluster
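The device priority from the Active-Passive steps above only decides the primary when the other criteria tie. The script below is an added example (not from the notes and not Fortinet code) that reproduces the documented FGCP selection order: most connected monitored interfaces first, then age (uptime, with differences below ha-uptime-diff-margin, 300 seconds by default, treated as equal), then device priority, then serial number; with override enabled, priority is compared before age. The cluster members and their serial numbers are constructed.

```python
"""Simulate FGCP primary-unit selection for an Active-Passive cluster.

Added example, not FortiOS code. Selection order with override disabled
(the default): monitored interfaces up, age, device priority, serial number.
With override enabled, device priority is compared before age.
"""
from dataclasses import dataclass

UPTIME_DIFF_MARGIN = 300  # seconds; the FortiOS ha-uptime-diff-margin default


@dataclass
class Member:
    hostname: str
    serial: str
    priority: int        # device priority (default 128)
    monitored_up: int    # monitored interfaces currently linked
    age: int             # seconds since the unit joined the cluster (reset by a reboot)


def select_primary(members, override=False):
    """Return the member FGCP would elect as primary."""
    oldest = max(m.age for m in members)

    def rank(m):
        # Units whose age is within the margin of the oldest count as equally old.
        age_rank = 1 if oldest - m.age < UPTIME_DIFF_MARGIN else 0
        if override:
            return (m.monitored_up, m.priority, age_rank, m.serial)
        return (m.monitored_up, age_rank, m.priority, m.serial)

    return max(members, key=rank)


def election_report(members, override=False):
    """One-line summary of an election."""
    winner = select_primary(members, override)
    return f"override={'enable' if override else 'disable'}: primary is {winner.hostname}"


if __name__ == "__main__":
    # Constructed cluster: fgt1 was given priority 150 but has just rebooted;
    # fgt2 keeps the default 128 and has been up for over an hour.
    fgt1 = Member("fgt1", "FGVM010000000001", 150, 1, 100)
    fgt2 = Member("fgt2", "FGVM010000000002", 128, 1, 4000)
    print(election_report([fgt1, fgt2]))                 # fgt2: age beats priority
    print(election_report([fgt1, fgt2], override=True))  # fgt1: priority beats age
    fgt2.monitored_up = 0                                # fgt2 loses its monitored outside link
    print(election_report([fgt1, fgt2]))                 # fgt1: monitored links beat everything
```

The practical consequence: after a reboot of the higher-priority unit it will not take the primary role back unless override is enabled (set override enable under config system ha), and enabling override means every reboot of that unit causes a failover back, which is why many deployments leave it disabled.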
• A/A (Active-Active)
• Both firewalls are active and traffic is load-balanced between them.
• On the primary (master) firewall:
• System, Dashboard, Status, HA Status, Configure, change the Mode to Active/Active.
• All other settings are the same as for Active/Passive.
• All configuration is done on the primary unit and synchronized to the other member; "master" here means the unit on which configuration must be done.
• To remove a firewall from the cluster
• System, HA, right-click the secondary (slave) unit, Remove Device From HA Cluster
• Then go back to the Standalone
• Removing a firewall from a cluster resets the configuration of its interfaces. [never do that remotely]
• #show system interface
• This allows you to load balance your Internet traffic between multiple ISP links and provides redundancy for
your network’s Internet connection if your primary ISP is unavailable.
• Connect the Internet-facing ports (WAN ports) on the FortiGate to your ISP devices.
• Policy & Objects > IPv4 Policy and delete any policies that use WAN1 or WAN2.
• Network > Interfaces and verify that the virtual interface for SD-WAN appears in the interface list.
• You can expand SD-WAN to view the ports that are included in the SD-WAN interface.