Fortinet Course 201 FCNSA - Lab Guide

Lab 1 Initial Setup

Objectives

This lab will guide the student through the basic setup of the FortiGate unit and provide an initial orientation to the CLI and Web Config.

Tasks

In this lab, the following tasks will be completed:

• Exercise 1 Connecting the FortiGate unit
• Exercise 2 Accessing the Command Line Interface (CLI)
• Exercise 3 Accessing FortiGate Web Config
• Exercise 4 Configuring Network Connectivity
• Exercise 5 Exploring the CLI
• Exercise 6 Configuring Global System Settings
• Exercise 7 Configuring Administrative Users

Timing

Estimated time to complete this lab: 55 minutes

Exercise 1

Connecting the FortiGate unit

1. Plug the Internet connection into the wan1 port on the FortiGate unit. Verify that the WAN1 LED indicators on the front of the device (Link/Activity and 10/100) are green.

2. Connect the PC's network cable into the internal interface of the FortiGate unit and make sure the corresponding INTERNAL LED indicators are green. This step is done in our setup!!

3. Access the wireless network 'NetworkY' using the key 'networkY!$' and connect to the FortiGate 51B by telnet to 192.168.10Y.254 using admin / netsafeY!$ as credentials.

Note: Use an IP address of 192.168.10Y.X/24.

Note: In all labs, substitute Y with the number assigned by the instructor (the group/network number). X represents the student number, as agreed at the beginning of the course.

Note: In the classroom lab environment, all addresses used are private addresses as outlined in RFC 1918. The wan1 Internet subnet is actually a private address subnet and cannot be used in a real-world situation.

Note: The internal interface on a FortiGate unit is a multi-port switching hub port with auto-MDX sensing, so either a straight or cross-over cable can be used.

Exercise 2

Accessing the Command Line Interface (CLI)

1. When setting up a new FortiGate unit, establishing the connection to the CLI is generally the first step, even if many of the configuration changes are performed in Web Config. Use a serial cable to connect the serial port on the PC to the FortiGate console port that is located on the back of the device. If the PC is not equipped with a serial port, a USB to serial adapter (purchased separately) can be used to connect the PC to the FortiGate device.

2. Start a terminal emulation program on the PC to connect to the FortiGate unit (such as Windows HyperTerminal or TeraTerm). The serial connection settings required are:

• 9600 bps
• 8 bit data
• no parity
• 1 stop bit
• no flow control

3. At the FortiGate CLI login prompt, log in with the username admin (all lowercase). The default password on the device is blank.

4. Log in to the CLI once again and type the following command to display status information about the FortiGate unit:

get system status

The output displays the FortiGate unit serial number, firmware build, operational mode, and additional settings. Confirm that the firmware build on the FortiGate unit is 4.00 MR2, the required version for this course.

5. Type the following command to see a full list of accepted objects for the get command:

get ?

Depending on the objects and branches used with this command, there may be other sub-keywords and additional parameters to enter.

6. Press the "up arrow" key to display the previous get system status command and try some of the control key sequences that are summarized below.

Previous command: "up arrow" or CTRL+P
Next command: "down arrow" or CTRL+N
Beginning of line: CTRL+A
End of line: CTRL+E
Back one word: CTRL+B
Forward one word: CTRL+F
Delete current character: CTRL+D
Abort command and exit branch: CTRL+C

CTRL+C is context sensitive and, in general, aborts the current command and moves up to the previous command branch level. If already at the root branch level, CTRL+C will force a logout of the current session and another login will be required.

7. Type the following command and press the <tab> key 2 or 3 times.

execute <tab>

The command displays the list of available system utility commands one at a time each time the <tab> key is pressed.

Note: Log back into the CLI if the admin login timeout has elapsed.

8. Type the following command to see the entire list of execute commands:

execute ?

9. Enter the following CLI commands and compare the available keywords for each one:

config ?
show ?

These two commands are closely related. config begins the configuration mode while show displays the configuration. The only difference is show full-configuration. The default behavior of the show command is to only display the differences from the factory-default configuration.

10. Enter the following CLI commands to display the FortiGate unit's internal interface configuration settings and compare the output for each of them:

show system interface internal
show full-configuration system interface internal

Only the first few characters need to be typed, optionally followed by <tab>, to complete the command keyword. Use this technique to reduce the number of keystrokes needed to enter information. CLI commands can be entered in an abbreviated form as long as enough characters are entered to ensure the uniqueness of the command keyword.

11. Enter the CLI command below to display the factory-set IP address of the FortiGate's internal interface.

show system interface internal

The internal interface's IP address is 192.168.10Y.254. This address will be used later for HTTP/HTTPS administrative access to the FortiGate device.

Exercise 3

Accessing FortiGate Web Config

To access Web Config using a standard web browser, ensure that cookies and JavaScript are enabled for proper rendering and display of the graphical user interface.

1. Ensure that the IP addressing mode on the PC is set to static IP address. Use an IP address in 192.168.10Y.X/24 format with a gateway of 192.168.10Y.254.

2. Verify the PC settings using the ipconfig command from the Windows command prompt. The default gateway corresponds to the IP address of the internal interface on the FortiGate unit (192.168.10Y.254).

3. Open a web browser and type the following address to access the FortiGate Web Config interface:

https://192.168.10Y.254

Accept the self-signed certificate or security exemption if a security alert appears. HTTPS is the recommended protocol for administrative access to the FortiGate unit. Other available protocols include SSH, ping, SNMP, HTTP, and Telnet.

4. At the login screen, enter the username admin and the password netsafeY!$. Click Login.

5. The Dashboard is displayed after a successful login. Before continuing with the rest of the initial configuration, explore the Dashboard page and find the following information:

• Current Firmware Version
• Date and Time
• Serial Number
• Operation Mode

Other system details found on the Dashboard include the current CPU and memory usage, number of active sessions, alert messages, number of administrative users, and FortiGuard Services status.

6. To avoid Web Config timeouts during the lab exercises, increase the idle timeout. Go to System > Admin > Settings. Increase the Idle Timeout to 60 minutes. Leave all other settings unchanged. Click Apply to save the changes.

7. Before proceeding to the next exercise, ensure that the FortiGate unit is running the correct version of FortiOS firmware (FortiOS version 4.0 MR2).

Note: If not running the correct version, click Update for Firmware Version on the Dashboard and browse to the firmware file available from the Fortinet Support site with a valid service contract.

Exercise 4

Configuring Network Connectivity

The FortiGate unit's wan1 interface settings must be configured using one of the following addressing modes: DHCP, Manual (Static IP), or PPPoE. Complete the steps for the configuration that applies to the Internet setup on the computer being used to complete the exercise.

• If the network setup supports DHCP, complete the section Configuring the wan1 Interface Using DHCP.

• If using PPPoE, complete the section Configuring the wan1 Interface Using PPPoE.

• If using static IP addresses, complete the section Configuring the wan1 Interface Using Manual Assignments. (The lab setup supports manual assignment only; configure the WAN1 interface as below.)

Configuring the wan1 Interface Using Manual Assignments

If the Internet setup on the student PC uses manual IP assignments, complete the steps below for the wan1 network configuration.

1. In Web Config, go to the System > Network > Interface tab. Select the wan1 interface and click Edit.

On the Edit Interface page, configure the following settings:

Addressing mode: Manual
IP/Netmask: Enter the IP address and netmask (as provided by a network administrator). For example: 192.168.2.10Y/255.255.255.0
Administrative access: HTTPS

Click Apply.

2. Click the Options tab to open Networking Options. In the Primary DNS Server field, enter the IP address of the DNS server given by the network administrator (use 4.2.2.2). If a second DNS server is available, enter its IP address in the Secondary DNS Server field (use 4.2.2.3). Click OK.

Note: Configuration changes get saved to the non-volatile flash memory when clicking OK in Web Config or when next or end is entered on the CLI. No explicit save command is required. For CLI configuration only, this behavior can be changed to require an explicit save or to revert after a set period if an explicit save is not performed:

config system global
    set cfg-save <automatic/manual/revert>
    set cfg-revert-timeout <600>
end

cfg-revert-timeout is in seconds and only applies when cfg-save is set to revert.

3. Go to Router > Static > Static Route and click Create New to define a new static route entry for the default gateway. In the New Static Route window, leave the Destination IP/Mask settings at the default setting 0.0.0.0/0.0.0.0.

Select the wan1 device from the list and enter the IP address for Gateway as the default gateway device as provided by a network administrator (192.168.2.254). Leave the distance at the default of 10. Click OK.

4. From the CLI, type the following commands to view the interface settings for wan1:

config system interface
    edit wan1
        get
    end

5. In a DOS command prompt window, use the nslookup command to verify the IP address of a web site. For example:

nslookup www.fortinet.com

6. Ping the IP address displayed through the command above using the following command in the CLI:

exec ping <IP address of web site>

7. To secure the wan2 interface from accidental usage, remove the IP address and administratively disable this port. The IP address can only be unset from the CLI. In the CLI, enter the following commands to disable and clear the IP address of the wan2 interface:

config system interface
    edit wan2
        set status down
    end

8. In Web Config, go to System > Network > Interface. Note that the interface list will now display wan2 with a disabled status icon (red dot with "down arrow"). A display refresh may be needed to see the new status information.

9. Enter the following commands to adjust the DHCP settings for the internal DHCP server on each of the two units.

config system dhcp server
    edit 1
        set default-gateway 192.168.10Y.254
        set dns-server1 4.2.2.2
        set dns-server2 4.2.2.1
        set netmask 255.255.255.0
        set interface internal
        config ip-range
            edit 1
                set end-ip 192.168.10Y.220
                set start-ip 192.168.10Y.110
            next
        end
    end

10. Enter the following CLI commands to modify the settings on the internal interface on the FortiGate unit:

config system interface
    edit internal
        set allowaccess http https ping ssh telnet
    end

exit    // to exit the FortiGate CLI

On the student PC, adjust the network settings to obtain an IP address automatically through DHCP and renew the IP address using the ipconfig /release and ipconfig /renew commands from the DOS command prompt. To view the configuration of the configured DHCP server, go to System > DHCP Server > Service. Select the internal DHCP server and click Edit or double-click the entry to view the settings for the pre-defined DHCP server.

Note: The DHCP leases are preserved even when the FortiGate unit is rebooted. To clear all DHCP leases, disable and then re-enable the specific DHCP server.

11. To view the DHCP address leases, go to System > DHCP Server > Address Leases and locate the entry for the PC in the displayed list. As new PCs are connected to the trusted internal subnet, a list of all the DHCP address leases that have been assigned will be displayed.

Exercise 5

Exploring the CLI

1. To view the configuration of the FortiGate interfaces through the CLI, type the following command:

show system interface

2. To see verbose settings, type the following command:

show full-configuration

3. To view additional parameters for all interfaces, type the following command:

get system interface

Compare the get command output with the output from the show command. The information from each is similar: get displays all settings and values, while show gives the syntax for the configuration.

4. The FortiGate CLI is hierarchical, which means that some commands are only applicable at a certain level or context. To demonstrate the hierarchy, modify the wan1 interface to add additional administrative access to assist with troubleshooting during initial deployment. To add SSH access on the wan1 interface, type the following CLI commands:

config system interface
    edit wan1
        set allowaccess https ping ssh
    next
end

5. Verify the changes by typing the following command:

show system interface wan1

6. Display the configuration of the DHCP server that provides IP addresses to the PCs connected to the internal interface with the following commands:

show system dhcp server (or show full system dhcp server)
get system dhcp server

7 .To inspect the DHCP leases in the CLI for the addresses distributed by the internal interface DHCP server, type the following command:

exec dhcp lease-list


Other available DHCP CLI commands are listed below. Please do not run these commands at this time.

DHCP leases can be cleared with the following command:

exec dhcp lease-clear

DHCP leases can be refreshed with the following command:

exec interface dhcpclient-renew <interface name>

Exercise 6

Configuring Global System Settings

1. In Web Config, go to System > Network > Options. Modify the following DNS settings:

Primary DNS Server: 4.2.2.1
Secondary DNS Server: 4.2.2.2

Click Apply.

Note: For FortiGate 200A models and higher, the Primary DNS and Secondary DNS servers can only be configured manually. The factory defaults are set to the Fortinet-maintained DNS forwarders 208.91.112.53 and 208.91.112.52 respectively.

2. Compare the output for the following DNS CLI commands:

show system dns
get system dns

The output should correspond to the changes made in Step 1.

3. For logging purposes, as well as to optimize FortiGuard updates, the FortiGate unit should be set to the correct time zone and NTP server synchronization should be enabled. Go to System > Dashboard > Status. In the System Information widget, click the [Change] link for System Time. Select the appropriate Time Zone. Enable Automatically adjust clock for daylight savings changes if required in the local area. Enable Synchronize with NTP Server. By default, pool.ntp.org will be used, or a local NTP server can be used if available. Click OK.

4. Display the current system time from the CLI by typing the following command:

execute time

Type exec time ? to view the syntax to set the system time manually.

5. Verify that the date setting is correct by typing the following CLI command:

exec date

6. In the System Information widget, click the [Change] link for Host Name and change the hostname of the FortiGate unit to NetworkY. Click OK. The new hostname will appear in the browser title bar at the next login or when the page is refreshed.

7. View the CLI equivalent commands for all the system settings configured in the above steps by typing the following command:

show system global

Exercise 7

Configuring Administrative Users

1. Go to System > Admin > Administrators to view the list of current administrators. Click to select the default admin administrator and click Edit or double-click the entry in the list. The factory default Trusted Host setting of 0.0.0.0/0 allows connections from any host address. Click Cancel to close the Edit Administrator page.

2. Click to select the default admin administrator and click Change Password. The password for the admin account is netsafeY!$; set the password to fortinet. To save the changes, click OK.

3. Log back into Web Config using the new admin password.

4. To enhance administrative security, create a new administrator account that will be used for day-to-day administration of the FortiGate device and restrict the source IP connection with Trusted Hosts. Go to System > Admin > Administrators. Click Create New to assign a new administrator with the following settings:

Administrator: adminX
Type: Regular
Password: fortinetX
Trusted Host #1: 192.168.10Y.0/24
Admin Profile: super_admin

Click OK to save the changes.

Note: Ping requests to this device are also restricted by the trusted host setting of the administrator account.

5. Go to System > Admin > Admin Profile. Click Create New to define a new admin profile called content-control as in the New Admin Profile window illustrated below. Limiting access only to the areas affecting content inspection helps to eliminate accidental errors that could adversely affect connectivity.

[Screenshot: New Admin Profile window. Profile Name: content-control. Access Control (None / Read Only / Read-Write) is selected per area: System Configuration (Network Configuration, Admin Users, FortiGuard Update, Maintenance), Router Configuration, Firewall Configuration, UTM Configuration, VPN Configuration, Auth Users, WAN Opt & Cache, Endpoint NAC, Log & Report. Click OK.]

6. Go to System > Admin > Administrators and create a new administrative account that uses the new content-control admin profile. Configure the new administrator account using the following settings, then click OK.

Administrator: cadminX
Type: Regular
Password: 123456
Trusted Host #1: 192.168.10Y.0/24
Admin Profile: content-control

7. To view the CLI configuration for administrative users and profiles, type the following commands:

show system admin
show system accprofile

8. Test the new administrative access login by logging out of the current Web Config session and logging in again as the new cadminX user. Try to access areas set to read only, for example, go to System > Network > Interface. The data can be viewed but not edited.

The Trusted Host setting configured for adminX and cadminX will only allow access to PCs connected to the internal 192.168.10Y.0/24 subnet even if the correct password is entered.
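The trusted-host rule from step 8 and the 0.0.0.0/0 factory default from step 1, as an added Python example that is not part of the lab guide: it parses output in the style of show system admin, treats an account with no trusthost lines as the factory default 0.0.0.0/0 (show prints only non-default settings), flags such accounts, and decides whether a login source falls inside a trusted host. The sample output is constructed with Y=1 substituted and passwords redacted; its exact field layout is an assumption, not copied from a unit.

```python
import ipaddress
import re

# Constructed sample in the style of 'show system admin' after Exercise 7,
# with Y=1 substituted and password hashes redacted (not from a real unit).
SAMPLE_SHOW_SYSTEM_ADMIN = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC <redacted>
    next
    edit "admin1"
        set accprofile "super_admin"
        set trusthost1 192.168.101.0 255.255.255.0
        set vdom "root"
        set password ENC <redacted>
    next
    edit "cadmin1"
        set accprofile "content-control"
        set trusthost1 192.168.101.0 255.255.255.0
        set vdom "root"
        set password ENC <redacted>
    next
end
"""

# Factory default trusted host: any source address may attempt a login.
ANY_HOST = ipaddress.ip_network("0.0.0.0/0")


def parse_admins(text):
    """Parse a 'config system admin' block into {name: {accprofile, trusthosts}}."""
    admins = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            admins[current] = {"accprofile": None, "trusthosts": []}
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r'^set accprofile "([^"]+)"$', line)
            if m:
                admins[current]["accprofile"] = m.group(1)
            m = re.match(r"^set trusthost\d+ (\S+) (\S+)$", line)
            if m:
                # Trusted hosts are written as "address netmask" pairs.
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                admins[current]["trusthosts"].append(net)
    return admins


def effective_trusted_hosts(admin):
    """'show' omits factory defaults, so no trusthost lines means 0.0.0.0/0."""
    return admin["trusthosts"] or [ANY_HOST]


def login_allowed(admins, name, src_ip):
    """The lab's observation: a correct password presented from outside every
    trusted host subnet is still rejected."""
    if name not in admins:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in effective_trusted_hosts(admins[name]))


def audit_trusted_hosts(admins):
    """Names of accounts reachable from any address (the unrestricted default)."""
    return sorted(n for n, a in admins.items() if ANY_HOST in effective_trusted_hosts(a))


if __name__ == "__main__":
    parsed = parse_admins(SAMPLE_SHOW_SYSTEM_ADMIN)
    for name in audit_trusted_hosts(parsed):
        print(f"{name}: trusted host is 0.0.0.0/0, logins accepted from any source")
```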

Lab 2 Logging and Monitoring

Objectives

In this exercise, system event logging will be configured.

Tasks

In this lab, you will complete the following tasks:

• Exercise 1 Exploring Web Config Monitoring
• Exercise 2 Configuring System Event Logging
• Exercise 3 Exploring the FortiAnalyzer Interface
• Exercise 4 Configuring Email Alerts (Optional)

Timing

Estimated time to complete this lab: 35 minutes

Exercise 1

Exploring Web Config Monitoring

1.Log in to Web Config on the FortiGate unit as admin. Go to System > Dashboard > Status.

2. Locate the System Resources widget. Verify the CPU Usage and Memory Usage status dials.

3. Hover the mouse pointer over the System Resources title bar and click History.

4. A pop-up window appears showing a trace of past CPU usage, memory usage, session, network utilization, virus, and intrusion history. In the System Resource History graph window, the time interval represented by each horizontal grid square can be selected from the pull-down menu to the right of Time Interval. The refresh rate of this window is automatically set to 1/20th of the time interval. Click Close.

5. The Alert Message Console widget displays recent critical system events, such as system restart and firmware upgrade. Hover over the Alert Message Console title bar and click the History icon to view a pop-up window that displays the entire message list. Click Close.

6. Log and DLP archive statistics are shown in the Log and Archive Statistics widget. Since there will have been little or no traffic through the FortiGate unit and no content inspection configured, the DLP Archive and Log statistics will be uninteresting at this time.

The Reset link in the top-right of the Statistics box will clear the current statistics counts.

[Screenshot: Log and Archive Statistics widget. DLP Archive rows: HTTP (URLs visited), HTTPS (URLs visited), Email (emails sent, emails received), FTP (URLs visited, files uploaded, files downloaded), IM (file transfers, chat sessions, messages), all at 0; Total 0 B since last reset. Log rows: Traffic (traffic allowed, traffic violated), AV (viruses caught), IPS (attacks detected), Email (spams detected), Web (URLs blocked), DLP (data loss detected), Application Control (application control messages), all at 0; Event 105 events occurred; average 9 KB (49 messages) per day since last reset; Total 19 KB (105 messages) since last reset. Each row has a Details link.]

7. There will already be a number of sessions recorded by the FortiGate unit. Click the Details link on the Top Sessions widget to display more information about the sessions, or click each graphical bar representing sessions per IP address. Test the function of the various icons in this window. There are icons for display refresh, page forward and back, column display filters, as well as clear session. Identify the Web Admin sessions in the Session table display by looking for the TCP sessions from the PC IP address to the IP address of the internal interface of the FortiGate unit. Click Return to re-display the graphical view of the Top Sessions widget.

8. Some widgets are not displayed by default. Add them to the dashboard by clicking Widgets and selecting from the pop-up window.

Exercise 2

Configuring System Event Logging

1. Go to Log&Report > Log Config > Log Setting. Expand Remote Logging & Archiving and click to enable FortiAnalyzer.

Apply the following settings:

IP Address: 192.168.2.25
Minimum log level: Information

Note: Depending on the location of class, the instructor may direct students to a FortiAnalyzer unit at a different address.

Click Apply.

For initial testing purposes, the log level is set to the lowest and most verbose level , Information. In actual deployments, the level would more likely be set to Warning or Notification. Automatic discovery of a FortiAnalyzer unit with the Fortinet Discovery Protocol is only applicable when the FortiGate unit and the FortiAnalyzer unit are on the same broadcast domain (subnet). This would be a rare situation in an actual network but appropriate for a FortiGate 5000 series chassis when a FortiAnalyzer blade is used.

2. In Remote Logging & Archiving, click Test Connectivity to register with the FortiAnalyzer device. A pop-up window displays to indicate a successful connection and registration process.

The FortiAnalyzer unit being used is configured to automatically accept and register all new FortiGate device connections. Alternate settings are to register only (and ignore logging messages) or ignore (manual registration) .

In an actual scenario, there would be additional configuration required at the FortiAnalyzer end to permit the necessary connection for manual device registration .

Click Close to exit from the FortiAnalyzer Connection Summary window.

3. While still in the Log Settings window, expand Local Logging & Archiving and confirm that Disk logging is enabled and that the Minimum log level is set to Information. If using a FortiGate device without a local hard drive, enable Memory logging instead.

4. On the Log&Report > Log Config > Event Log page, click Enable and select all events.

Click Apply to save the changes.

The CLI settings for the logging destinations can be displayed with the following commands:

get log <destination> setting
get log <destination> filter

Substitute <destination> with either fortianalyzer, disk or memory.

Note: There are different logging capabilities, depending on the destination. The keywords may also differ.

5. Test the logging setup with some simulated log messages sent to the logging destinations using the following CLI command:

diagnose log test

6. Go to Log&Report > Log Access. Select each log type from the Log Access menu item one at a time. Click Disk from the Log Access pages to view the entries for the test messages.

Exercise 3

Exploring the FortiAnalyzer Interface

1. Connect to a FortiAnalyzer by typing the following address in a web browser:

https://192.168.2.25

Accept the self-signed certificate messages if they are displayed. Log in with the username admin and the password netsafe1!$.

After a successful login, the FortiAnalyzer Dashboard displays.

2. In the FortiAnalyzer Web Config, go to Log&Archive > Log Browse > Log Browse. In the Log Browse window, expand No Group and expand the name of the student FortiGate device to verify that log messages are being received by the FortiAnalyzer unit. FortiGate device names are displayed as HostName(SerialNumber).

3. Expand a category in the list. Click Show Log File Names and the names of the log files will display. Select one of the log files and click Display to show the log entries in the file.

The log message view is pre-formatted to show selected items in columns. The messages are color-coded according to severity level.

4. Explore the log message display features in the Log Browse window. Click the Change Display Options link and click Raw to view the log entries in raw format.

5. Log out of the FortiAnalyzer device.

Exercise 4

Configuring Email Alerts (Optional)

This exercise can only be completed if an online email account is available to test with.

1. The FortiGate unit will be configured to send alert mail to a test mail account. In Web Config on the FortiGate unit, go to Log&Report > Log Config > Alert Email and use the following settings to complete the Alert E-mail configuration:

SMTP server: Type the name or IP address of an online email account server.
Email from: Type the sender's email address.
Email to: Type the destination email address.
Authentication: Enable if the email server requires authentication and enter the sender's email address and account password.
Interval Time: 1 minute
Send alert mail for the following: Select Intrusion detected and Virus detected.
Send alert email for logs based on severity: Enable and select the Alert level from the minimum log level list.

Click Apply to save the settings.

2. Click Test Connectivity. Test messages will be sent to the email account.

3. Open the email client application and confirm that the test messages have been received. Alert emails can be sent based on selected event categories or simply on a log message threshold level. If a threshold level is used, the CLI contains additional interval hold-off timers for log levels above the selected threshold level.

Check the following CLI commands for the Alert Email configuration:

show system alertemail
show alertemail setting

Note: If the FortiGate unit collects more than one log message before an interval is reached , it combines the messages and sends out one alert email.


Lab 3 Firewall Policies

Objectives

In this lab, firewall policy objects will be created and a new policy will be configured and tested.

Tasks

In this lab, you will complete the following tasks:

• Exercise 1 Creating Firewall Policy Objects
• Exercise 2 Creating Firewall Policies
• Exercise 3 Testing Firewall Policies
• Exercise 4 Configuring Virtual IP Access
• Exercise 5 Debug Flow

Timing

Estimated time to complete this lab: 45 minutes

Exercise 1

Creating Firewall Policy Objects

1. In Web Config, go to Firewall > Address > Address. Click Create New and configure a new address object for the internal subnet IP using the following settings:

Address Name: all-deptX
Type: Subnet/IP Range
Subnet/IP Range: 192.168.10Y.0/24
Interface: internal

Click OK to save.

2. Work in 2 groups; delegate someone from your group to do this step and the one at point 3:


Go to Firewall > Service > Group. Click Create New to configure a new group with the services shown below.

To select the services for the web group, click the green arrows to move them between the Available Services and Members lists:

Group Name: web
Members: DNS, HTTP, HTTPS, PING

Click OK to save the change.

3. Go to Firewall > Schedule > Recurring. Click Create New to configure a new recurring schedule using the following parameters:

Name: office_hours
Day: Monday to Friday
Start: Hour 08, Minute 00
Stop: Hour 20, Minute 00

Click OK.

Note: When using schedules, make sure that the system time is at the correct local setting. From the CLI, type the exec time command, or go to System > Dashboard > Status in Web Config and view the System Information widget.

Exercise 2

Creating Firewall Policies

When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall; therefore, a firewall policy only needs to be created for the direction of the originating traffic.

1. Go to Firewall > Policy > Policy and expand the internal -> wan1 interface list. Select the default policy and click Edit (or double-click the entry) to view the factory settings. Click Cancel to return to the Policy List.

2. Disable this unrestricted policy by unchecking the internal -> wan1 policy in the Status column.

Note: It is useful to keep the default internal -> wan1 policy available for testing purposes since it will allow all traffic types from any address to any address to pass through the FortiGate device.

3. Create a new firewall policy that will be used to provide general Internet access. Go to Firewall > Policy > Policy. Click Create New and configure the following settings:

Source Interface/Zone: internal
Source Address: all-deptX
Destination Interface/Zone: wan1
Destination Address: all
Schedule: office_hours
Service: web
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Comments: General Internet access

Click OK after entering all the parameters.

This new all-dept policy will be displayed in the section view of the Policy List under internal -> wan1.


5. All policies will be listed in the Policy section once created. You can add the Count column in the column settings in order to see the RX and TX traffic matched by each student policy (generate Internet traffic in order to see the changes). Try to enable and move (select the policy and use the Move button) the general internal-all to wan1-all policy before the student policies (to the top of the list). In the Move Policy window, click Before, type the Policy ID of the general Internet policy and click OK. The re-ordered policy list will be displayed. You can check that the general policy will now match all student traffic (check the counters by refreshing the policy widget).

6. View the CLI configuration for the firewall policies created above:

show firewall policy

View the CLI configuration for a single firewall policy:

show firewall policy <ID>

Obtain the ID number of the policy from the show firewall policy output used above.

Important Points For Firewall Policy Configuration

• Policies are organized according to the direction of traffic from the originator of a request to the receiver of the request. Return traffic is automatically allowed back through due to the stateful nature of the FortiGate device.
• Policies are matched to traffic in the order they appear in the policy list rather than by ID number.
• Policies should be listed from most exclusive to most inclusive so that the proper policies are matched. Matching is based on Source, Destination, Schedule, and Service settings.
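To make the ordering rule concrete, here is an added Python model (not Fortinet code and not part of the lab guide) that evaluates a policy list the way the points above describe: top-down first match in list order, where the policy ID plays no part, consulted only for the originating direction, with an implicit deny when nothing matches. The subnet (Y=1 assumed, standing in for the all-deptX address object), the dates and the policy IDs are constructed sample values; the model also reports which policies a set of sample flows can never reach, which is what step 5 above demonstrates by moving the general policy to the top.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Service groups as "proto/port" strings; "ANY" matches every service.
# WEB mirrors the 'web' service group built in Lab 3 (DNS, HTTP, HTTPS, PING).
WEB = frozenset({"udp/53", "tcp/80", "tcp/443", "icmp"})
ANY = frozenset({"ANY"})


@dataclass(frozen=True)
class Schedule:
    """A recurring schedule such as office_hours: weekdays (Monday=0) and a time window."""
    days: frozenset
    start: time
    stop: time

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.stop


OFFICE_HOURS = Schedule(frozenset(range(0, 5)), time(8, 0), time(20, 0))  # Mon-Fri 08:00-20:00


@dataclass(frozen=True)
class Policy:
    policy_id: int            # the ID shown by 'show firewall policy'; never used for matching
    src_iface: str
    dst_iface: str
    src_addr: str             # CIDR, or "all"
    dst_addr: str
    services: frozenset
    schedule: Optional[Schedule]   # None stands for the 'always' schedule
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    """The originating packet of a new session, the only direction a policy is consulted for."""
    src_iface: str
    dst_iface: str
    src_ip: str
    dst_ip: str
    service: str              # "proto/port", e.g. "tcp/80"
    when: datetime


def _addr_match(obj: str, ip: str) -> bool:
    return obj == "all" or ip_address(ip) in ip_network(obj, strict=False)


def matches(p: Policy, f: Flow) -> bool:
    """Interfaces, source, destination, service and schedule must all match."""
    return (p.src_iface == f.src_iface and p.dst_iface == f.dst_iface
            and _addr_match(p.src_addr, f.src_ip) and _addr_match(p.dst_addr, f.dst_ip)
            and ("ANY" in p.services or f.service in p.services)
            and (p.schedule is None or p.schedule.active(f.when)))


def first_match(policies: list, f: Flow) -> Optional[Policy]:
    """Walk the list top-down and stop at the first hit; list position decides, not the ID.
    Returning None is the implicit deny."""
    for p in policies:
        if matches(p, f):
            return p
    return None


def unreachable(policies: list, sample_flows: list) -> list:
    """IDs of policies that none of the sample flows reaches. A narrow policy listed below
    a broader one covering the same traffic is the usual cause (a 'shadowed' policy)."""
    hit = {p.policy_id for f in sample_flows if (p := first_match(policies, f)) is not None}
    return [p.policy_id for p in policies if p.policy_id not in hit]


# Constructed sample values (Y=1 assumed): the student policy covers 192.168.101.0/24,
# the general policy is the factory-default unrestricted internal -> wan1 policy.
GENERAL = Policy(1, "internal", "wan1", "all", "all", ANY, None, "default unrestricted policy")
STUDENT = Policy(2, "internal", "wan1", "192.168.101.0/24", "all", WEB, OFFICE_HOURS,
                 "General Internet access")

OFFICE_FLOW = Flow("internal", "wan1", "192.168.101.5", "208.70.202.225", "tcp/80",
                   datetime(2024, 1, 10, 9, 30))      # a Wednesday, inside office_hours
AFTER_HOURS_FLOW = Flow("internal", "wan1", "192.168.101.5", "208.70.202.225", "tcp/80",
                        datetime(2024, 1, 10, 21, 0))  # same flow, after 20:00
OTHER_SUBNET_FLOW = Flow("internal", "wan1", "192.168.102.5", "208.70.202.225", "tcp/80",
                         datetime(2024, 1, 10, 9, 30))
REPLY_FLOW = Flow("wan1", "internal", "208.70.202.225", "192.168.101.5", "tcp/80",
                  datetime(2024, 1, 10, 9, 30))       # reply direction: session table, no policy

if __name__ == "__main__":
    for order, label in (([STUDENT, GENERAL], "narrow first"), ([GENERAL, STUDENT], "broad first")):
        hit = first_match(order, OFFICE_FLOW)
        print(f"{label}: office-hours web flow hits policy ID {hit.policy_id if hit else 'deny'}; "
              f"never reached: {unreachable(order, [OFFICE_FLOW, AFTER_HOURS_FLOW])}")
```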

Exercise 3

Testing Firewall Policies

1. Open a web browser and browse to a valid web site.

2. Go to System > Dashboard > Status. In the Top Sessions pane, click the bar on the chart for the student IP address to view the session details. (If this widget is not visible, click Widget > Top Sessions.) Locate the IP address for the student computer and HTTP port (TCP/80) and check the policy ID column. Use the column filters to reduce the number of session entries displayed to TCP only.

Note: Be mindful of testing the firewall policy schedule outside of the specified hours.

3. Check the traffic log at Log&Report > Log Access > Traffic to see evidence of the FortiGate action, including the ID of the policy being used.

4. Change the action for the policies to Deny and ensure that Log Violation Traffic is enabled.

5. Visit another web site. Access should be denied.

6. Return to the traffic log at Log&Report > Log Access > Traffic to see evidence of the traffic violation.

7. Set the policy actions back to Accept.

8. **IMPORTANT** Before proceeding to the next exercise, go to Firewall > Policy > Policy and re-enable the unrestricted policy by checking the policy in the Status column of the firewall Policy List.

Exercise 4

Configuring Virtual IP Access

1. Delegate someone from your team to do the steps in points 1 and 3. A virtual IP that uses port forwarding will be created to make the Fortinet web server appear as if it were on the local subnet and not on a non-standard port. Go to Firewall > Virtual IP > Virtual IP. Click Create New and configure the virtual IP mapping as shown below. Use nslookup to verify the address for www.fortinet.com.

Name: special-web
External Interface: internal
Type: Static NAT
External IP Address: 192.168.10Y.209
Mapped IP Address: Enter the IP address of www.fortinet.com
Port Forwarding: Enable
Protocol: TCP
External Service Port: 8088
Map to Port: 80

Click OK to save the changes.

2. To view the VIP settings through the CLI, enter the following command:

show firewall vip

3.Create a new firewall policy to provide a guest PC access to the web server with the following settings:

Source Interface / Zone: internal
Source Address Name: Any
Destination Interface / Zone: wan1
Destination Address Name: special-web
Schedule: office hours
Service: ANY
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Comment: Guest PC access to web server

Click OK.

Note: The Service setting for this policy is ANY. Due to the VIP port mapping, only the configured ports will be allowed so it is unnecessary to further restrict traffic with the Service setting.

4. Position this policy at the top of the internal -> wan1 list, as it has a narrower scope compared to the other policies.

Note: This guest PC would need to be further secured by limiting the user access to only the web browser and removing administrative access and the ability to run other programs. These additional measures are operating-system dependent.

5. In a new web browser window, access the following URL:

http://192.168.10Y.209:8088

If the special-web virtual IP operation is successful, the Fortinet web page displays.

6. Try to access the following URL using the regular HTTP port of 80:

http://192.168.10Y.209

There should be no response.


7.To view the source and destination NAT mappings, enter the following CLI command:

get system session list

Exercise 5

Debug Flow

1. From the CLI, type the following command to clear the session table:

diag sys session clear

If connecting to the CLI using SSH or Telnet, a login will be required.

2. Type the CLI commands shown below to configure the debug flow to trace the route selection and session establishment for an HTTP connection to www.fortinet.com. Use nslookup to confirm the address for www.fortinet.com.

Enter the following commands:

diag debug enable
diag debug flow filter addr <IP address of www.fortinet.com>
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 100

3. From a web browser, connect to the following URL and observe the debug flow trace.

http://www.fortinet.com

Depending on the FortiGate model being used, the output displayed may vary slightly.

SYN packet received:

id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."

SYN sent and a new session is allocated:

id=36870 trace_id=1 func=resolve_ip_tuple line=3522 msg="allocate a new session-00000483"

Lookup for next-hop gateway address:

id=36870 trace_id=1 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.3.254 via wan1"

Source NAT, lookup next available port:

id=36870 trace_id=1 func=get_new_addr line=1615 msg="find SNAT: IP-192.168.3.10, port-44977"

Matched firewall policy. Check to see which policy this session matches:

id=36870 trace_id=1 func=fw_forward_handler line=463 msg="Allowed by Policy-1: SNAT"

Apply source NAT:

id=36870 trace_id=1 func=ip_session_run_tuple line=1840 msg="SNAT 192.168.1.110->192.168.3.10:44977"

SYN ACK received:

id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."

Found existing session ID. Identified as the reply direction:

id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"

Apply destination NAT to inverse source NAT action:

id=36870 trace_id=2 func=ip_session_run_tuple line=1854 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"

Lookup for next-hop gateway address for reply traffic:

id=36870 trace_id=2 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.1.110 via internal"

ACK received:

id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."

Match existing session in the original direction:

id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, original direction"

Apply source NAT:

id=36870 trace_id=3 func=ip_session_run_all_tuple line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"

Receive data from client:

id=36870 trace_id=4 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."

Match existing session in the original direction:

id=36870 trace_id=4 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, original direction"

Apply source NAT:

id=36870 trace_id=4 func=ip_session_run_all_tuple line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"

Receive data from server:

id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."

Match existing session in reply direction:

id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"

Apply destination NAT to inverse source NAT action:

id=36870 trace_id=5 func=ip_session_run_all_tuple line=4390 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"

4. Enter the following command to disable the debug flow trace:

diag debug flow trace stop

5. Disable the special-web policy.
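An added Python parser for the trace above (not part of the lab guide or the FortiGate product), assuming the line format shown: it groups the lines by trace_id into one record per packet, extracts the session id, matched policy, route and NAT mapping, and checks that each reply-direction DNAT exactly reverses the original SNAT, which is what a correct trace of a NATed session must show. The sample lines are a cleaned copy of the output above, with the guide's own addresses, ports and session id.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Exercise 5 lines for the SYN, SYN ACK and ACK packets (trace_id 1 to 3)
# and the server's data packet (trace_id 5), re-typed cleanly from the output shown above.
SAMPLE_TRACE = """\
id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."
id=36870 trace_id=1 func=resolve_ip_tuple line=3522 msg="allocate a new session-00000483"
id=36870 trace_id=1 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.3.254 via wan1"
id=36870 trace_id=1 func=get_new_addr line=1615 msg="find SNAT: IP-192.168.3.10, port-44977"
id=36870 trace_id=1 func=fw_forward_handler line=463 msg="Allowed by Policy-1: SNAT"
id=36870 trace_id=1 func=ip_session_run_tuple line=1840 msg="SNAT 192.168.1.110->192.168.3.10:44977"
id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."
id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"
id=36870 trace_id=2 func=ip_session_run_tuple line=1854 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"
id=36870 trace_id=2 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.1.110 via internal"
id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."
id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, original direction"
id=36870 trace_id=3 func=ip_session_run_all_tuple line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"
id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."
id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"
id=36870 trace_id=5 func=ip_session_run_all_tuple line=4390 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"
"""

LINE_RE = re.compile(r'^id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$')
PACKET_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+:\d+)->([\d.]+:\d+)\) from (\S+)\.')
NEW_SESSION_RE = re.compile(r'allocate a new session-(\d+)')
EXISTING_RE = re.compile(r'Find an existing session, id-(\d+), (original|reply) direction')
ROUTE_RE = re.compile(r'find a route: gw-(\S+) via (\S+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')
NAT_RE = re.compile(r'^(SNAT|DNAT) (\S+)->(\S+)$')


@dataclass
class PacketTrace:
    trace_id: int          # one record per packet, i.e. per trace_id
    proto: int = 0
    src: str = ""          # "ip:port" as the packet arrived, before any NAT
    dst: str = ""
    ingress: str = ""      # interface the packet came in on
    session_id: str = ""
    direction: str = ""    # "new", "original" or "reply"
    policy_id: str = ""    # set only when a new session is matched against the policy list
    route: str = ""        # "gateway via interface"
    nat: tuple = ()        # ("SNAT" or "DNAT", before, after)


def parse_trace(text: str) -> list:
    """Group the trace lines by trace_id and pull out the fields the lab walks through."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                    # prompt echoes, blank lines, other console output
        tid = int(m.group("trace"))
        t = traces.setdefault(tid, PacketTrace(tid))
        msg = m.group("msg")
        if (p := PACKET_RE.search(msg)):
            t.proto, t.src, t.dst, t.ingress = int(p.group(1)), p.group(2), p.group(3), p.group(4)
        elif (p := NEW_SESSION_RE.search(msg)):
            t.session_id, t.direction = p.group(1), "new"
        elif (p := EXISTING_RE.search(msg)):
            t.session_id, t.direction = p.group(1), p.group(2)
        elif (p := ROUTE_RE.search(msg)):
            t.route = f"{p.group(1)} via {p.group(2)}"
        elif (p := POLICY_RE.search(msg)):
            t.policy_id = p.group(1)
        elif (p := NAT_RE.match(msg)):
            t.nat = (p.group(1), p.group(2), p.group(3))
    return [traces[k] for k in sorted(traces)]


def nat_is_symmetric(traces: list) -> bool:
    """What a healthy trace must show: every reply-direction DNAT maps the post-SNAT tuple
    straight back to the client's original address:port. Returns False if any reply breaks
    that rule, or if no reply-direction packet was seen at all (nothing was verified)."""
    snat_by_session = {t.session_id: t for t in traces
                       if t.direction in ("new", "original") and t.nat[:1] == ("SNAT",)}
    verified = False
    for t in traces:
        if t.direction != "reply" or not t.nat:
            continue
        orig = snat_by_session.get(t.session_id)
        if orig is None or t.nat[0] != "DNAT":
            return False
        if t.nat[1] != orig.nat[2] or t.nat[2] != orig.src:
            return False
        verified = True
    return verified


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for t in parsed:
        print(f"trace {t.trace_id}: {t.src} -> {t.dst} in via {t.ingress}, session {t.session_id} "
              f"({t.direction}), policy {t.policy_id or '-'}, route {t.route or '-'}, nat {t.nat or '-'}")
    print("reply DNAT reverses original SNAT:", nat_is_symmetric(parsed))
```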


Lab 4 Authentication

Objectives

In this lab, a new policy to implement user authorization will be added for afterhours Internet web access. User disclaimer messages will also be added to the Internet-bound policies and sessions will be redirected to a specified URL.

Tasks

In this lab, the following tasks will be completed:

• Exercise 1 Creating an Identity-Based Firewall Policy
• Exercise 2 Testing the Firewall Policy For Web Traffic
• Exercise 3 Adding User Disclaimers and Redirecting URLs

Timing

Estimated time to complete this lab: 20 minutes

Exercise 1

Creating an Identity-Based Firewall Policy

1. In Web Config, go to User > User > User. Click Create New and enter a user name and password. Click OK.

2. Go to User > User Group > User Group. Click Create New and create a group that includes the authorized user with the following settings:

Name: auth-user
Type: Firewall
Members: Select the user created in step 1 from the Available User Group list and move it to the Members list.

Click OK to save the changes.

3. Go to Firewall > Policy > Policy and configure a new policy with the following settings:

Source Interface / Zone: internal
Source Address Name: all-dept
Destination Interface / Zone: wan1
Destination Address Name: all
Schedule: always
Service: web
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Enable Identity Based Policy: Enabled

Click Add to create an Authentication Rule.

Move auth-user to the Selected User Groups list.

Move ANY to the Selected Services list.

Comment: After-hours Internet web access

Click OK.

4. Move this new all-dept policy to the top of the internal -> wan1 policy list.

5. Enable Authentication Keep-alive for the web traffic firewall policies using the CLI commands below.

config system global
    set auth-keepalive enable
end

Note: Authentication keepalive extends the time of the session when traffic is present. In this mode it acts as an idle timer rather than a hard timeout.

Exercise 2

Testing the Firewall Policy For Web Traffic

1. In a new web browser window, attempt to access a new web site. At the login prompt, enter the username and password of the user created in Exercise 1.

2. In the Authentication Keepalive window, click the Logout link and attempt to browse to another web site.

3. When prompted to authenticate, enter an incorrect user name or password.

4. In Web Config, go to Log&Report > Log Access > Event. Locate event log messages for the firewall policy authentication events. Click the entry in the list to view the details. Note the log message level used for this type of event.

5. Clear all authenticated sessions (be careful with this command on a live system!) with the following CLI command:

diagnose firewall iprope resetauth

6. Re-connect to the web site, only this time enter the correct credentials.

7. From the CLI, view the IP addresses and users which have successfully authenticated to the FortiGate unit with the following CLI command:

diagnose firewall iprope authuser

Exercise 3

Adding User Disclaimers and Redirecting URLs

1. In Web Config, go to Firewall > Policy > Policy and edit the authenticating all-dept policy by modifying the following settings:

Enable Disclaimer and Redirect URL: Enable
Redirect URL: Enter the URL of a web page to be redirected to.

Click OK.

2. Clear all authenticated sessions using the CLI command:

diagnose firewall iprope resetauth

3. In a new web browser window, access a web site. When the first user disclaimer message appears, click Yes, I agree.

When prompted by the authentication login page, log in as the user created in Exercise 1.

After logging in , an authentication keep-alive page opens. Click the new window link. This directs the user to the redirect URL specified in the firewall policy created in Step 1.

4. Go to System > Config > Replacement Message. Expand Authentication and click Edit to modify the Disclaimer Page. Replace the text "the network access provider" with the student name.

Click OK.

5. Clear the authenticated sessions before each test with the following CLI command:

diagnose firewall iprope resetauth

6. Browse to a web page and note the change to the replacement message.

7. Examine the following CLI commands for the users, user groups, and for one of the authentication firewall policies:

show user local
show user group
show firewall policy <id>

8. Go to Firewall > Policy > Policy and disable all the internal -> wan1 policies except for the default all policy.

Lab 5 SSL VPN

Objectives


In this lab, an SSL VPN will be configured to allow both web-only mode and tunnel mode access to public web sites.

Tasks

In this lab, the following tasks will be completed:

• Configuring SSL VPN for Full Access

Timing

Estimated time to complete this lab: 25 minutes

Exercise 1

Configuring SSL VPN for Full Access

1. Go to VPN > SSL > Config. Configure the following settings to enable the SSL VPN service:

Enable SSL-VPN: Enable
IP Pools: Click [Edit] and add SSLVPN_TUNNEL_ADDR1 to the Selected list.

Leave all the other settings at default. Click Apply.

Click OK.

Configure authentication for an internal user to access the SSL VPN gateway service. Go to User > User > User. Click Create New and add a new user with the User Name of UserX and Password of 123456.

2. Create a new user group that includes the new local user. Go to User > User Group > User Group and click Create New. Configure the following settings:

Name: SSLVPN
Type: Firewall
Allow SSL-VPN Access: Enable and select the full-access portal from the list.
Available Users/Groups: Move the Test SSL user from the Available Users/Groups list to the Members list.

Click OK.

4. Create a new firewall policy to allow access to the SSL VPN and authenticate the user. Go to Firewall > Policy > Policy. Click Create New to configure a policy with the following settings:

Source Interface: internal
Source Address: all
Destination Interface: wan1
Destination Address: all
Action: SSL-VPN
SSL Client Certificate Restrictive: Disabled

Click Add to configure a new identity-based policy with the following settings:

Available User Groups: Move SSLVPN from the Available User Groups list to the Selected User Groups list.
Service: Move ANY from the Available Services list to the Selected Services list.
Schedule: always
Log Allowed Traffic: Enabled

Click OK.

5. Move this SSLVPN policy to the top of the internal -> wan1 policy list.

6. Test the SSL VPN by typing the following address in the web browser to connect to the portal:

https://192.168.10Y.254:10443/

Confirm the first-time Security Alert that is displayed.

Note: By default, the SSL VPN gateway listens on port 10443. In an actual deployment, use port 443, as this port is typically open on firewalls, allowing easy remote access using SSL. To do this, go to System > Admin > Settings and change the Web Admin HTTPS service from 443 to a different port number (for example, 8443). Then change the SSL VPN login port from 10443 to 443.

7. When prompted, log in as the Test SSL user with the password of 123456.

[Screenshot: the SSL VPN portal page "Welcome to SSL VPN Service" for user testssl, showing the Tunnel Mode widget. Its notice states that the Fortinet SSL VPN Client plugin is not installed on the computer or is not up to date, that the plugin is required for the tunnel mode function, and that administrator rights are needed only for the first-time install.]

If the connection fails, check the following:

• The Test SSL user is a member of the SSL VPN user group.
• The SSLVPN user group is associated with the internal -> wan1 SSL VPN policy.
• The SSL VPN policy is at the top of the policy list for internal -> wan1.

If after performing these checks the connection still fails, try re-entering the password in the local user configuration.

8. On the portal page, click Add to create a new bookmark with the following details:

Name: Fortinet
Type: HTTP/HTTPS
Location: http://www.fortinet.com
Description: Optional
SSO: Disabled

Click OK.

9. Click the newly created bookmark. A new window displays the selected web site. Note the URL of the web site in the web browser address bar:

https://192.168.10Y.254:10443/proxy/http/www.fortinet.com

The first part of the address, https://192.168.10Y.254:10443, is the encrypted link to the FortiGate SSL VPN gateway.

The second part of the address, /proxy/http, is the instruction to use the SSL VPN HTTP proxy.

The final part of the address, /www.fortinet.com, is the destination of the connection from the HTTP proxy. In this example, the connection is encrypted up to the SSL VPN gateway. The connection from the HTTP proxy to the final destination is unencrypted.


10. Examine the PC's current routing table by typing the following command from a DOS command prompt:

route print

Note that the current default gateway is 192.168.10Y.254.

Active Routes:
Network Destination    Netmask    Gateway            Interface          Metric
0.0.0.0                0.0.0.0    192.168.10Y.254    192.168.10Y.xxx    10

11. If this is the first time an SSL VPN tunnel is used on the PC, install the Fortinet SSL VPN Client plug-in for the browser. Click the Click here to download and install it link that appears in the Tunnel Mode widget.

Download the client software to the PC desktop and close the web browser.

12. Run the installation application for the client software from the PC desktop.

13. Reopen the web browser and enter the address of the VPN portal:

https://192.168.10Y.254:10443/

14. Click the Connect button in the Tunnel Mode widget. When the tunnel is active, the local interface fortissl will be listed as UP. Return to the routing table through the DOS prompt and note that the default gateway is now 10.0.0.1, which is the local tunnel endpoint. Because split tunnelling is not enabled, a default route is displayed for the tunnel interface.

Note: Split tunneling is a computer networking concept which allows a VPN user to access a public network, for example, the Internet, and a local LAN or WAN at the same time, using the same physical network connection. This connection service is usually facilitated through a program such as a VPN client software application.

For example, a user connects to a corporate network using a remote access VPN software client and a hotel wireless network. The user with split tunneling enabled is able to connect to file servers, database servers, mail servers, and other servers on the corporate network through the VPN connection. In contrast, when the user connects to Internet resources , for example, web sites and FTP sites, the connection request doesn't go through the VPN link but rather through the wireless connection and out the gateway provided by the hotel network.

15. Open a new web browser window and attempt to connect to the following web site:

www.fortiguard.com

Note that the connection fails when tunnel mode is active. In addition to the SSL VPN policy, additional objects must be created to allow access from the ssl.root interface, which is the source of all SSL VPN tunnel traffic.

16. To observe the cause of the configuration problem, run a packet sniffer command in the CLI with the following filter and observe the output while trying to reload the web page.

diag sniffer packet any "port 80" 4


If DNS forwarding is not used on the FortiGate and DNS queries are forwarded from the PC to external DNS servers, test using the server's IP address; use the nslookup command to get the IP address of the server before testing in this case. TCP SYN packets should be observed arriving on the ssl.root interface, which represents the clients of the SSL VPN tunnel. To allow these packets, the session must be accepted by a policy from the ssl.root interface to the wan1 interface. A route back to the SSL VPN client is also needed, both for the reverse path forwarding (RPF) check and for new session establishment.

17. Log out of the SSL VPN portal by clicking Logout.

18. Create a static route for the SSL VPN tunnel client IP address. In Web Config, go to Router > Static > Static Route and click Create New.

Configure the static route with the following settings:

Destination IP/Mask: 10.0.0.1/24
Device: ssl.root

Leave the remaining default settings and click OK.

19. Create a new firewall policy from the SSL VPN tunnel interface, this time using a regular Accept action.

Source Interface: sslvpn tunnel interface (ssl.root)
Source Address: all
Destination Interface: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled

Click OK.

This new ssl.root -> wan1 policy will be displayed in the Policy list.

20. Log back into the SSL VPN portal and click Connect to activate the SSL VPN tunnel.

21. From the DOS prompt, confirm that the default route is now the tunnel endpoint (10.0.0.1).

22. Connect directly to the following web site through the web browser:

www.fortiguard.com

The connection should be successful.

23. Run the packet sniffer command once again to verify that the traffic from the ssl.root interface is now permitted.

24. Disable the two SSL policies created in this lab.


Lab 6 Fortinet Subscription Services

Objectives


In this exercise, access to the FortiGuard Distribution Network will be configured and services updated.

Note: This exercise can only be completed if the FortiGate unit has already been registered on the Fortinet Support web site (https://support.fortinet.com).

Tasks

In this lab, the following task will be completed:

• Exercise 1 Enabling FortiGuard Services and Updates

Timing

Estimated time to complete this lab: 10 minutes

Exercise 1

Enabling FortiGuard Services and Updates

1. In Web Config, go to System > Maintenance > FortiGuard to verify the details of the FortiGuard licensing entitlement for the FortiGate unit. What is the antivirus definition version, expiry, and last update attempt for the FortiGate unit?

If only the version field is showing, the FortiGate unit firmware was upgraded recently and there have been no further update attempts.

Note: In the classroom environment, the FortiGate unit is behind a NAT device. Port forwarding must be configured on the NAT device, otherwise the Push Update feature will not work.

2. On the FortiGuard Distribution Network page, expand Antivirus and IPS Options and enable a scheduled update for every four hours. Click Apply.

3. Return to the AntiVirus and IPS Options and click Update Now to force the FortiGate unit to obtain the latest antivirus and IPS definitions. This action sends a request to an FDN server. After 3 to 5 minutes, if properly entitled and depending on Internet congestion, the FortiGate unit will receive and install updated definitions.

Wait a few minutes and return to System > Maintenance > FortiGuard and check for the new updates. Today's date should appear next to the [Update] link for both AV and IPS Definitions. The AV and IPS signature databases can also be updated either individually or together through the CLI using the following commands:

exec update-av     Update AV engine/definitions
exec update-ips    Update IPS engine/definitions
exec update-now    Update now

Note: Antivirus and IPS updates can also be set to be pushed automatically to the FortiGate unit. To allow push updates, expand AntiVirus and IPS Options and enable Allow Push Update and set the update schedule required, for example, every 4 hours.

Note: The update-now command is only for updating antivirus and IPS definitions and not for upgrading the system firmware.

4. View the CLI settings by entering the following commands in the CLI:

get system autoupdate schedule
get system fortiguard

The defined FortiGuard autoupdate interval was set to 4 hours through Web Config but the CLI shows 4:60. This means that the additional minutes interval will be randomly picked from 0 to 59 minutes. This helps to spread out the request load on the FortiGuard server.

An exact hour and minute interval can be set through the CLI as illustrated in this example:

config system autoupdate schedule
    set time 4:0
end

Verify the change with:

show system autoupdate schedule

5. On the FortiGuard Distribution Network page, expand Web Filtering and Email Filtering Options and configure the following FortiGuard service settings:

Web Filter Cache: Enabled
Web Filter Cache TTL: 1800 seconds (30 minutes)
Antispam Cache: enable
Antispam Cache TTL: 900 seconds (15 minutes)
Port Selection: 53 (default)

Click Apply.

6. Confirm that the FortiGuard Services are reachable by expanding Web Filtering and Email Filtering Options once again and clicking Test Availability to establish connectivity between the FortiGate unit and the FDN server.

Note: By default, FortiGuard uses UDP/53, because this port is almost always open for DNS traffic. If there is another IPS device on the network that is decoding DNS data on port 53, the FortiGuard request/response may trigger an alert, as the data is encrypted. Change to UDP/8888 for FortiGuard communication and ensure upstream devices permit this traffic to pass.

7. Before proceeding to the next lab, save the changes to the FortiGate configuration.

Go to System > Dashboard > Status and in the System Information widget click the Backup link. Save the file to the local hard disk and change the backup file name to reflect that this backup was created at the end of Lab 7.


Lab 7 Antivirus Scanning

Objectives

In this exercise, global antivirus settings will be explored, including:

• Ensuring that antivirus definitions are updated through the FortiGuard Subscription Services.
• Enabling file pattern blocking.
• Enabling Grayware scanning.
• Setting up file quarantine with the FortiAnalyzer device.
• Enabling antivirus scanning for the web proxy server.
• Customizing antivirus replacement messages.

Tasks

In this lab, the following tasks will be completed:

• Exercise 1 Configuring Global Antivirus Settings
• Exercise 2 Configuring an Antivirus Profile
• Exercise 3 Testing Antivirus Scanning for HTTP

Timing

Estimated time to complete this lab: 20 minutes

Exercise 1 Configuring Global Antivirus Settings

1. Confirm that the FortiGate Antivirus Database versions are up to date. Go to the FortiGuard Center web page at the following address:

www.fortiguard.com

Locate and note the current database version shown in the Update Center pane of the FortiGuard Center web page.

2. From Web Config, go to System > Maintenance > FortiGuard. Locate the AV Definitions version information for the FortiGate unit. This information can also be accessed from the License Information widget at System > Dashboard > Status.

The equivalent CLI commands are:

get system status
diagnose autoupdate versions

3. If required, update the AV definition versions by going to System > Maintenance > FortiGuard. Expand Antivirus and IPS Options. Click Update Now.

Note: The update may take several minutes to complete. In the meantime, continue with the lab. The equivalent CLI commands to invoke an FDN check and AV/IPS update are as follows:

exec update-av
exec update-now

4. To help slow the spread of potentially malicious viruses and prevent unauthorized programs from being installed, all *.exe and *.com files will be blocked from being downloaded from the web or by FTP, and as email attachments.

In Web Config, go to UTM > AntiVirus > File Filter. Select the builtin-patterns list and click Edit, or double-click the entry in the list. Expand File Patterns and select the *.exe and *.com file patterns. Click Enable.

Click OK.

5. Go to UTM > AntiVirus > Virus Database. Enable Grayware Detection to scan for malicious grayware-type installers. Click Apply.

6. File quarantine is available if the FortiGate unit model has an internal hard disk or if a FortiAnalyzer device is available. Go to UTM > AntiVirus > Quarantine and enable quarantine to Disk. (If using a FortiGate device without a hard disk, enable quarantine to the online FortiAnalyzer device.) Configure the quarantine settings as follows:

Quarantine Infected Files: enable all protocols
Quarantine Suspicious Files: enable all protocols
Quarantine Blocked Files: enable all protocols
Max Filesize to Quarantine: 50 MB
Disk Age Limit: 168 hours (7 days)
Low Disk Space: Overwrite oldest file

Click Apply.

7. Replacement messages are substituted for the infected file when the FortiGate antivirus engine detects a virus. Go to System > Config > Replacement Message. Expand HTTP. Click Edit to view the default Virus message and File block messages for HTTP.

Alternately, display the same Replacement Messages in the CLI with the following commands:

show system replacemsg http [http-virus/http-block/...]

Note: Some replacement messages are stored in raw HTML code. Make sure that the correct syntax is used and preserve the existing HTML tags. An external HTML editor can be used to create the replacement message and then copy and paste the resulting HTML code into the FortiGate replacement message text windows.

Exercise 2

Configuring an Antivirus Profile

1. Go to UTM > Antivirus > Profile. Click Create New and assign the following settings to the profile:

Name: Standard
Virus Scan: Enable all protocols and Logging.
File Filter: Enable all protocols and Logging. Select builtin-patterns from the Options drop-down list.
Quarantine: Enable all protocols.

Click OK.

2. Go to Firewall > Policy > Policy. Modify the traffic policy for each student IP address to enable UTM. Enable Antivirus and select the Standard antivirus profile. A Protocol Options list must be selected when Antivirus is enabled. Select the default list.

Click OK.

Exercise 3

Testing Antivirus Scanning for HTTP

1. In a web browser, type the following address:

http://eicar.org

2. On the page presented, click the Anti-Malware Test File link and attempt to download the eicar.com file.


This file does not contain a real virus, but it will trigger a virus or grayware signature and will be stopped by the FortiGate unit.

The HTTP Virus message is shown when the files that are infected or blocked have been quarantined . In the message that is displayed , there is a link to the Fortinet Virus Encyclopedia that provides information about the detected virus.

3. Go to Log&Report > Archive Access > Quarantine. The files that have been quarantined will be listed.

Note: There may be policies in place from previous exercises that could allow the files to be downloaded. If the above steps do not work, go to the firewall policies and ensure that all policies other than the default are disabled.

4. Go to Log&Report > Log Access > Antivirus. Click Disk to view the Antivirus event messages.

Lab 8 Web Filtering

Objectives

In this lab, web and content filtering will be configured. The interaction of local categories and overrides will also be examined.

Tasks

In this lab, the following tasks will be completed:

• Exercise 1 Configuring Local Web URL and Content Filtering
• Exercise 2 Testing Web Category Filtering
• Exercise 3 Web Filtering Overrides

Timing

Estimated time to complete this lab: 35 minutes

Exercise 1

Configuring Local Web URL and Content Filtering

1. Log in to Web Config as the admin user. To create a new URL filter, go to UTM > Web Filter > URL Filter. Click Create New and enter the name URL_ListX.

Click OK.

2. In the URL_ListX window, click Create New to define the following attributes for the URL filter.

URL: ^.*$
Type: Regex
Action: Block
Enable: enable

Click OK.

Note: ^.*$ means: at the beginning of the line (^), match any single character (.) repeated any number of times (*) until the end of the line ($). There are many references on the web for Regular Expressions or Perl compatible regular expressions, for example, http://perldoc.perl.org or http://www.regexlib.com/CheatSheet.aspx.

3. Go to UTM > Web Filter > Profile.

Click Create New and enter the name URL_ProfileX. Enable HTTP, HTTPS, and Logging for Web URL Filter. Select the URL filter called URL_ListX from the Options list.

Click OK.

4. Go to Firewall > Policy > Policy. Select the internal -> wan1 (for each student) policy and click Edit or double-click the entry.

5. Click to enable UTM. Enable Web Filter and select the URL_ProfileX web filter profile. When Web Filter is enabled, a Protocol Options list must be selected. Select the default list and click OK.

6. Open a new web browser window and browse to a random web site. Note that all web sites are now blocked and that the URL Filter Block Replacement Message is displayed.

Note: Web browser caching may interfere with web filtering. If the web site is not blocked , clear the cache in the web browser and try again .

7. Go to System > Config > Replacement Message. Expand HTTP. Edit the URL block message and add a custom message.

8. Go to UTM > Web Filter > URL Filter. Click to select the URL_ListX filter and click Edit or double-click the entry.

9. Click Create New and add the following filter:

URL: www.fortinet.com
Type: Simple
Action: Allow
Enable: enable

Click OK to save the changes.

10. In the URL filter list, click to select the new www.fortinet.com entry and click Move To to place this entry above the global blocking URL entry in the list.

11. Test access to www.fortinet.com.

12. On the www.fortinet.com web page, pick three words to add to a web content filter and a phrase in which one of the words occurs.

Note: Ensure that the words selected do not appear as part of the graphics or flash movies on this web page. For example, choose technology, program, or partner.

Word 1:
Word 2:
Word 3:
Phrase:

13. Go to UTM > Web Filter > Web Content Filter. Click Create New. Enter the name Content_FilterX and click OK. On the Content_FilterX page, click Create New and add Word 1 to the content pattern list as follows:

Action: Block
Pattern: <Word 1>
Pattern Type: Wildcard
Language: Western
Score: 5
Enable: enabled

Click OK.

14. Go to UTM > Web Filter > Profile and edit URL_ProfileX. Enable HTTP and Logging for Web Content Filter. Select Content_FilterX from the Options list. Set the Threshold to 5.

Click OK to save the changes .

15. Reload www.fortinet.com to test that this page is blocked and that the Banned Word Block Replacement Message is displayed. (If the page appears, clear the cache on the browser and try again.)

16.Go to Log&Report >Log Access> Web Filter. Check the Disk log messages for the web content block entry .

17. Go to UTM > Web Filter > Web Content Filter. Click to select Content_FilterX and click Edit. Click to select the Word 1 pattern and click Disable before continuing.

18. Click Create New to add Word 2 to the web content filter list as follows:

Action: Block
Pattern: Word 2, typed in the form /Word/i
Pattern Type: Regular Expression
Language: Western
Score: 5
Enable: enabled

The regular expression /word/i is used to accept any combination of upper and lowercase letters.

19. Clear the cache in the web browser and reload the www.fortinet.com web page to test that the page is blocked and the replacement message is displayed. View the log messages again to locate the entry for the web content block event.

20. Go to UTM > Web Filter > Web Content Filter. Click to select Content_FilterX and click Edit. Click Create New to add an exempt pattern to the web content filter list as follows:

Action: Exempt
Pattern: the phrase chosen earlier
Pattern Type: Regular Expression
Language: Western
Enable: enabled

Click OK.

21. Test the access to www.fortinet.com. The web page should be displayed because of the exempt phrase.

22. Add Word 3 to the web content filter list with a score of 5 and test. The page should still pass even if the threshold has been reached, since the exempt phrase is tested first.
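Steps 13 to 22 exercise three behaviours of the web content filter: disabled patterns are skipped, matching Block patterns add their score against the threshold, and an Exempt pattern is tested first and wins outright. The following Python is an added example that models those rules (it is not FortiGate code); the page text is constructed, wildcard matching is assumed case-insensitive, and each pattern is assumed to add its score once per page.

```python
import re
from dataclasses import dataclass


@dataclass
class ContentPattern:
    action: str          # "Block" or "Exempt"
    pattern: str         # wildcard text, or a regex typed as /body/flags
    pattern_type: str    # "Wildcard" or "Regular Expression"
    score: int = 0
    enabled: bool = True


def compile_pattern(p: ContentPattern) -> re.Pattern:
    """Turn a content pattern into a compiled regex.
    Wildcard: '*' matches any run of characters; case-insensitive (assumption).
    Regular Expression: /body/i as typed in step 18; 'i' ignores case."""
    if p.pattern_type == "Wildcard":
        body = re.escape(p.pattern).replace(r"\*", ".*")
        return re.compile(r"\b" + body + r"\b", re.IGNORECASE)
    m = re.fullmatch(r"/(.*)/([a-z]*)", p.pattern)
    if m:
        flags = re.IGNORECASE if "i" in m.group(2) else 0
        return re.compile(m.group(1), flags)
    return re.compile(p.pattern)


def evaluate_page(text: str, patterns: list, threshold: int):
    """Return (blocked, score, matched_patterns) for one page.
    Exempt patterns are tested first: a single exempt hit passes the page no
    matter how high the block score would be (step 22). Otherwise every
    enabled Block pattern that matches adds its score once (assumption) and
    the page is blocked when the total reaches the threshold."""
    active = [p for p in patterns if p.enabled]
    for p in active:
        if p.action == "Exempt" and compile_pattern(p).search(text):
            return False, 0, [p.pattern]
    score, matched = 0, []
    for p in active:
        if p.action == "Block" and compile_pattern(p).search(text):
            score += p.score
            matched.append(p.pattern)
    return score >= threshold, score, matched


# Constructed sample page text standing in for the web page used in the lab.
SAMPLE_PAGE = ("Fortinet delivers security Technology for every network. "
               "Join the partner Program and become a technology partner today.")

WORD1 = ContentPattern("Block", "technolog*", "Wildcard", 5)                       # step 13
WORD2 = ContentPattern("Block", "/program/i", "Regular Expression", 5)            # step 18
WORD3 = ContentPattern("Block", "/partner/i", "Regular Expression", 5)            # step 22
EXEMPT = ContentPattern("Exempt", "/technology partner/i", "Regular Expression")  # step 20
THRESHOLD = 5                                                                     # step 14

if __name__ == "__main__":
    print(evaluate_page(SAMPLE_PAGE, [WORD1], THRESHOLD))                        # blocked by Word 1
    print(evaluate_page(SAMPLE_PAGE, [WORD1, WORD2, EXEMPT, WORD3], THRESHOLD))  # exempt phrase wins
```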

Exercise 2

Testing Web Category Filtering

1. Go to UTM > Web Filter > Profile. Click Create New and configure a new web filter profile called Category_TestX.

2. Expand FortiGuard Web Filtering. Click to enable HTTP, HTTPS and Logging, and enable category blocking and logging as follows:

Potentially Liable: Block and Log
Controversial: Block and Log
Potentially Non-productive: Block and Log
Potentially Bandwidth Consuming: Block and Log
Potential Security Violating: Block and Log
General Interest: Block and Log
Business Oriented: Block and Log
Others: Block and Log
Unrated: Block and Log

3. Expand Advanced Filter and enable the settings as follows:

Rate Images by URL: enable for HTTP
Strict Blocking: enable for HTTP and HTTPS
Rate URLs by Domain and IP Address: enable for HTTP and HTTPS

Click OK to save the changes.

4. Go to Firewall > Policy > Policy and edit the default internal -> wan1 policy. Change the web filter profile to Category_TestX.


Click OK.

5. Try to connect to a few different web sites. The FortiGuard Web Filtering Block Message should be displayed.

6. Go to System > Config > Replacement Message to configure a custom replacement message. Expand FortiGuard Web Filtering and edit the URL block message.

7. Go to UTM > Web Filter > Local Categories. Enter a new Local Category name of Local-X and click Create New.

8. Go to UTM > Web Filter > Local Ratings. Click Create New to create new entries for some of the web sites visited previously that were blocked. Enter the URL of a web site. Expand Local Categories in the Category Rating table and enable the rating for Local-X.

Click OK.

9. Go to UTM > Web Filter > Profile. Edit the Category_TestX profile and expand FortiGuard Web Filtering. Expand Local Categories in the category table. Click to enable the Local-X category and set it to Allow. Click to enable Log. Click OK to save the changes.

10.Try to visit a URL in the local category. Verify that other web sites not found in the local category are still blocked.

Note: Some parts of an allowed web page may be blocked if off-site URLs are used that are not in the allowed category.

Exercise 3

Web Filtering Overrides

1. Go to User > User Group > User Group. Click Create New and configure a new user group with the following settings:

Name: web-override
Type: Firewall
Members: Enter the User Name of the sample user created in the Authentication lab.

Click OK.

2. Go to UTM > Web Filter > Profile and edit the Category_TestX profile. Expand FortiGuard Web Filtering and enable Allow Override for all categories.

3. Expand FortiGuard Web Filtering Overrides and enable HTTP and HTTPS. Set the following:

Override Scope: IP
Override Type: Exact Domain
Off-site URL: Deny
Override Time: Constant/15 minutes
User Group: web-override


Click OK.

Note: Do not use a web proxy, otherwise the Web Category Override web page will not work.

4. Try to visit a web site in a blocked category. This time the blocked page replacement message will have an Override link. Click the Override link to view a Web Filter Block Override. Enter the user name and the password of a sample user. (You can create a new user from the User > User > Create New menu.) Note that other fields are grayed out, as they are set by the override user group. After completing the required fields that will grant access to the desired web site, click Continue.

5. Go to UTM > Web Filter > Override. Click to select User Overrides and click Edit (or double-click the entry) to view the web filter override list. Note the Expiry Date column of the dynamically added entries.

6 .Go to Log&Report > Log Access > Web Filter. Locate the log messages related to category blocking. Scroll or page down to locate the log messages from the URL and content filtering performed earlier in this lab.

7.Disable the web filter profile in the firewall policy.

Lab 9 Data Leak Prevention

Objectives

In this lab, the DLP features of the FortiGate unit will be tested to block the transmission of sensitive data outside the network. Users who attempt to send sensitive data outside the network will be banned from sending further email.

Tasks

In this lab, the following tasks will be completed:

• Exercise 1 Blocking Encrypted Files
• Exercise 2 Blocking Leakage of Credit Card Information
• Exercise 3 Blocking Oversize Files by Type
• Exercise 4 DLP Banning and Quarantining

Timing

Estimated time to complete this lab: 40 minutes

Exercise 1

Blocking Encrypted Files

1. Download a copy of the dlp-test-encrypt.zip file from Fortinet Online Campus at the following location:

http://campus.training.fortinet.com

Click Class Descriptions, then the 201 - FortiGate I tab to access the file. Save the file to a location on the local PC.

2. In the Web Config, go to UTM > Data Leak Prevention > Rule. Create a new DLP rule called Block_Encrypted_RuleX with the following details:

Protocol: HTTP
HTTP POST: enabled
Rule: File is encrypted

Click OK.

3. Go to UTM > Data Leak Prevention > Sensor. Create a new DLP Sensor called Block_EncryptedX. Enable logging and click Create New to define a new rule with the following details:

Action: Block
Archive: disable
Severity: 1 (Lowest)
Member Type: Rule

Enable Block_Encrypted_RuleX. Click OK.

4. Edit the default internal -> wan1 policy. Enable UTM and DLP Sensor. Select the Block_EncryptedX DLP sensor. When a DLP Sensor is enabled, a Protocol Options list must be defined. Select the default list. Disable any other UTM elements that are enabled from previous exercises and click OK.

5. Using a web-based file transfer tool (for example, www.yousendit.com or www.sendspace.com), attempt to send the dlp-test-encrypt.zip file to an email address.

The DLP block replacement message should be presented.

6.Locate the DLP log entry for this action.

7. Change the extension on the file name to *.txt and attempt to send the file again. The file should still be blocked.

Exercise 2

Blocking Leakage of Credit Card Information

1. Go to UTM > Data Leak Prevention > Rule and locate the built-in DLP rule called HTTP-Visa-Mastercard. This rule has been designed to block any HTTP transfer that contains a Visa or Mastercard number in the message body. Edit the rule and note the regular expression used to identify the credit card number.

Enable HTTP GET. Enable the file option Scan archive contents.

Click OK.

2. Go to UTM > Data Leak Prevention > Sensor and create a new DLP sensor called Sensitive_DataX. Enable logging and create a new rule with the following details:

Action: Block
Archive: Full
Severity: 1 (Lowest)
Member Type: Rule

Enable HTTP-Visa-Mastercard. Click OK.

3. Go to Firewall > Policy > Policy and edit the default internal -> wan1 policy. Enable DLP sensor and select the Sensitive_DataX sensor from the list.

Click OK.

4. Test the ability to download a file called creditcards.xlsx containing credit card numbers from the Fortinet Online Campus at the following location: http://campus.training.fortinet.com

Click Class Descriptions, then 201 - FortiGate I tab to access the file. The DLP block replacement message should be presented when the file download is attempted .

5. Locate the full archived entry of the file on the FortiAnalyzer unit.

6.Locate the DLP log entry for this action.

Exercise 3

Blocking Oversize Files by Type

An alternate use of DLP is to control bandwidth usage by limiting the size of files of certain file types. In this exercise, compound rules will be used.

1. Go to UTM > Data Leak Prevention > Rule and create a new DLP rule called Big_FileX with the following details:

Protocol: HTTP
HTTP-POST: enabled
HTTP-GET: enabled
Rule: Transfer Size >= 1000KB

Click OK.

2. Go to UTM > AntiVirus > File Filter and create a new file filter called No_MP3 to block files with a file name pattern of *.mp3.

3. Create a second DLP rule called MP3X with the following details:

Protocol: HTTP
HTTP-POST: enabled
HTTP-GET: enabled
Rule: File type is found in No_MP3

Click OK.

4. Go to UTM > Data Leak Prevention > Compound and create a compound called MP3_CompoundX with the following details:

Protocol: HTTP
HTTP-POST: enabled
HTTP-GET: enabled
Rules: Big_FileX, MP3X

Click OK.

5. Edit the Sensitive_DataX sensor to include the compound rule:

Action: Block
Archive: Full
Severity: 1
Member Type: Compound rule

Enable the MP3_CompoundX compound rule.

Click OK.


6.Attempt to download the file called big.mp3 from Fortinet Online Campus at the following location:

http://campus.training.fortinet.com

Click Class Descriptions, then 201 - FortiGate I tab to access the file .

The DLP block replacement message should be presented when the file download is attempted.

7. Locate the full archived entry of the file on the FortiAnalyzer unit.

8. Locate the DLP log entry for this action.
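Exercise 1 (the file is still blocked after it is renamed to .txt) and Exercise 3 (a compound rule that fires only when both the size rule and the No_MP3 file filter match) rest on two different kinds of matching: the encryption check reads the file's bytes, while the file filter as defined in step 2 matches the file name pattern. The following Python is an added example of both checks and of the compound AND, not FortiGate code; it reads the encryption flag from the zip local file headers and builds its own constructed samples in place of dlp-test-encrypt.zip and big.mp3.

```python
import fnmatch
import io
import struct
import zipfile

NO_MP3_FILTER = ["*.mp3"]   # the No_MP3 file filter: file name patterns (step 2)
SIZE_LIMIT_KB = 1000        # Big_FileX: Transfer Size >= 1000KB (step 1)


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the local file headers (signature PK\\x03\\x04). Bit 0 of the
    general-purpose flag word at offset 6 marks an encrypted entry. The check
    uses the bytes alone, so the file name (and its extension) is irrelevant."""
    off = data.find(b"PK\x03\x04")
    while off >= 0:
        flags = struct.unpack_from("<H", data, off + 6)[0]
        if flags & 0x0001:
            return True
        off = data.find(b"PK\x03\x04", off + 4)
    return False


def matches_file_filter(filename: str, patterns: list) -> bool:
    """File filter as the lab defines it: a match on the file name pattern."""
    return any(fnmatch.fnmatch(filename.lower(), pat) for pat in patterns)


def dlp_verdict(filename: str, data: bytes) -> str:
    """Block_Encrypted_RuleX: the zip content carries an encrypted entry.
    MP3_CompoundX: Big_FileX (size) AND MP3X (file filter) must both match."""
    if data.startswith(b"PK\x03\x04") and zip_has_encrypted_entry(data):
        return "block: file is encrypted"
    if len(data) >= SIZE_LIMIT_KB * 1024 and matches_file_filter(filename, NO_MP3_FILTER):
        return "block: oversize mp3"
    return "pass"


def make_zip(encrypted: bool) -> bytes:
    """Constructed sample zip (not the course's dlp-test-encrypt.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("secret.txt", "constructed sample content\n" * 8)
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set the encryption flag bit in the local header (flags at offset 6)
        # and the central directory entry (flags at offset 8). The payload is
        # left as-is; only the header flag that a header-level check reads changes.
        data[data.find(b"PK\x03\x04") + 6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


def make_mp3_like(size_kb: int) -> bytes:
    """Constructed placeholder for big.mp3; only its size matters to the rules."""
    return b"ID3" + b"\x00" * (size_kb * 1024 - 3)


if __name__ == "__main__":
    print(dlp_verdict("dlp-test-encrypt.txt", make_zip(True)))  # blocked despite the rename
    print(dlp_verdict("big.mp3", make_mp3_like(1000)))          # blocked by the compound rule
```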

Exercise 4

DLP Banning and Quarantining

1. Edit the DLP sensor called Sensitive_DataX and change the action for the HTTP-Visa-Mastercard rule to Ban.

2. Attempt to download the creditcards.xlsx file once again. The user should be banned.

3. Go to User > Monitor > Banned User and locate the ban entry in the list. By looking at the user ban list, how can an administrator tell whether the entry is a ban entry and not a quarantine entry?

4. Click Clear to remove the ban entry.

5. Modify the Sensitive_DataX sensor to change the action for the No_Big_MP3 rule to Quarantine IP address. Set the expiry to 5 minutes.

6. Attempt to download the big.mp3 file once again. The user should be quarantined. Check the banned user list once again and locate the user entry. Note that the Application Protocol column is empty, indicating that the user is quarantined.

7. Disable the Sensitive_DataX DLP sensor in the student internal -> wan1 policy.


Lab 10 Application Control

Objectives

In this lab, access to specific applications will be blocked using the Application Control features on the FortiGate unit.

Tasks

In this lab, the following tasks will be completed:

• Exercise 1 Creating an Application Control List
• Exercise 2 Testing Application Control

Timing

Estimated time to complete this lab: 10 minutes

Exercise 1

Creating an Application Control List

1. In Web Config, go to UTM > Application Control > Application Control List. Create a new Application Control List called App_Control_LabX.

Click OK.

2. Create new application entries in the App_Control_LabX list as follows:

Category: media
Application: YouTube.Download
Action: Pass
Logging: Enabled

Category: web
Application: Myspace
Action: Block
Logging: Enabled

3. Go to Firewall > Policy > Policy and edit the default policy. Enable UTM and Application Control. Select the App_Control_LabX control list. Click OK.

Exercise 2

Testing Application Control

1. In a web browser, attempt to play a video on youtube.com.

2. Go to Log&Report > Log Access > Application Control and locate the log entry for this action.

3. In a web browser, go to myspace.com.

4. Locate the log entry for this action in the Application Control log. Double-click the entry to view the details of the log entry.

5. Edit the App_Control_LabX Application Control List and set the action for youtube.com to Block.

6. In a web browser, attempt to play a video on youtube.com once again.

7. Locate the log entry for this action in the Application Control log. Double-click the entry to view the details of the log entry.