
FortiGate Multi-Threat Security Systems I
Administration, Content Inspection and VPNs
Student Training Guide for FortiOS 5.0 (Revision C)
Course 201

www.fortinet.com

01-50000-0201-20130215-C

© Copyright 2013 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams, or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-
Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS,
FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are
trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners.
Course 201 – Administration, Content Inspection and VPNs

MODULE 1: Introduction to Fortinet Unified Threat Management ..... 1
MODULE 2: Logging and Monitoring ..... 16
MODULE 3: Firewall Policies ..... 29
MODULE 4: Local User Authentication ..... 50
MODULE 5: SSL VPN ..... 59
MODULE 6: IPSec VPN ..... 71
MODULE 7: Antivirus ..... 82
MODULE 8: Email Filtering ..... 93
MODULE 9: Web Filtering ..... 105
MODULE 10: Application Control ..... 120

Introduction to Fortinet Unified Threat Management
Module 1

© 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C

Module Objectives

• By the end of this module, participants will be able to:
» Identify the major features of the FortiGate Unified Threat Management appliance
» Access and use the FortiGate unit's administration interfaces
» Create administrators
» Work with configuration files

Traditional Network Security Solutions

• Many single-purpose systems are needed to cope with a variety of threats: firewall, antivirus, antispam, WAN optimization, web filtering, application control, intrusion prevention, VPN

Fortinet Solution

• One device provides a comprehensive security and networking solution: firewall, antivirus, antispam, WAN optimization, web filtering, application control, intrusion prevention, VPN and more

Fortinet Solution

• FortiGuard Subscription Services: automated update service for the security services (Firewall, AV, Web Filter, IPS, …)
• FortiOS: specialized security and network-level operating system
• Hardware: purpose-driven hardware

FortiGate Unit Capabilities

• Firewall, antivirus, intrusion prevention, web filtering, email filtering, application control, data leak prevention, secure VPN, WAN optimization, traffic shaping, dynamic routing, authentication, logging and reporting, high availability, virtual domains, endpoint compliance and wireless

Fortinet Appliances

• FortiWiFi, FortiAP, FortiVoice, FortiCarrier, FortiAnalyzer, FortiMail, FortiBridge, FortiGate-ONE, FortiManager, FortiWeb, FortiSwitch, FortiDB, FortiClient, FortiScan

FortiGuard Subscription Services

• Global Update service for AV/IPS (update.fortiguard.com)
• Global Live service for FortiGuard WF/AS (service.fortiguard.net)
• The FortiGate unit prefers servers that are nearby
» Server "distance" is calculated from time zones
• Major server centers in North America as well as Asia and Europe
• The nearest servers are preferred, but the selection adjusts based on server load

Device Factory Defaults

• The 'Port1' or 'Internal' interface has the IP address 192.168.1.99
• The 'Port1' or 'Internal' interface has a DHCP server set up and enabled (on devices that support DHCP servers)
• The default login is always:
user: admin
password: (blank)
• Usernames and passwords are BOTH case sensitive
• Set an admin password as the first configuration step: until it is set, anyone who can reach the management interface can log in with the blank default

Device Administration

• Web GUI
• CLI

Admin Profiles

• An admin profile assigns an access level (for example Read or Read-Write) to each configuration area:
» System Configuration
» Network Configuration
» Firewall Configuration
» UTM Configuration
» VPN Configuration
» etc.

Administrators

• super_admin profile: full access
• custom profile: custom access
• prof_admin profile: full access within a single virtual domain

Administrator Trusted Hosts

• Trusted hosts restrict the source addresses from which an administrator account can log in; login attempts from any other address are refused

Administrator Authentication

• Username and password (one factor)
• Username and password + FortiToken (two factor)

Device Configuration

• Device configuration settings can be saved to an external file
» Optional encryption
• The file can be restored to roll back the device to a previous configuration

Per VDOM Configuration File

• When VDOMs are enabled, the configuration of a single VDOM can be backed up and restored separately from the full device configuration

Interface IPs

• Every used interface on the unit must have an IP assigned (in NAT mode) using one of three methods:
» Manual IP, DHCP assigned, PPPoE (CLI only)

Static Gateway

• There must be at least one default gateway
• If an interface is configured for DHCP or PPPoE, the default gateway it receives can be added to the routing table dynamically

DHCP Server - Setup

• Interface and mode selection
• IP and DNS configuration
• Advanced DHCP configuration: reserved IPs, WINS, etc.

DHCP Server – IP Reservation

• An IP address is reserved and always assigned to the same DHCP host
» Select an IP address or choose an existing DHCP lease to add to the reserved list
» Identify the IP address reservation as either DHCP over Ethernet or DHCP over IPSec
• The MAC address of the DHCP host is used to look up the IP address in the IP reservation table

DHCP Activity

FortiGate DNS Server

• Resolves DNS lookups from an internal network
• Methods to set up DNS for each interface:
» Forward-only: DNS requests are sent to the DNS servers configured for the unit
» Non-recursive: DNS requests are resolved using the FortiGate DNS database and unresolved DNS requests are dropped
» Recursive: DNS requests are resolved using the FortiGate DNS database and any unresolved DNS requests are relayed to the DNS servers configured for the unit
• One DNS database can be shared by all the FortiGate interfaces
» If VDOMs are enabled, a DNS database needs to be created in each VDOM

DNS Server Configuration

• DNS zones need to be added when configuring the DNS database
» Each zone has its own domain name
» Zone format defined by RFC 1034 and RFC 1035
• DNS entries are added to each zone
» An entry includes a hostname and the IP address (or name) it resolves to
» Each entry also specifies the type of DNS entry:
• IPv4 address (A) or IPv6 address (AAAA)
• name server (NS)
• canonical name (CNAME)
• mail exchange (MX) name
• IPv4 or IPv6 reverse lookup (PTR)
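
The three DNS server modes and the zone database above, worked through as an added example (this is illustrative Python written for this guide, not FortiOS code). The zone names, hostnames and addresses are invented, and FakeUpstream stands in for the DNS servers configured for the unit so the script runs offline; it also shows CNAME chasing and a reverse (PTR) zone, which the slide lists but does not walk through.

```python
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]                      # (entry type, value)
ZoneDB = Dict[str, Dict[str, List[Record]]]   # zone name -> hostname -> records

# Constructed zone database in the shape the page describes: each zone has its
# own domain name, and each entry is a hostname with a typed value.
ZONES: ZoneDB = {
    "example.lab": {
        "@":        [("NS", "ns1.example.lab"), ("MX", "mail.example.lab")],
        "ns1":      [("A", "10.10.10.53")],
        "www":      [("A", "10.10.10.10"), ("AAAA", "2001:db8::10")],
        "mail":     [("A", "10.10.10.25")],
        "intranet": [("CNAME", "www.example.lab")],
    },
    # Reverse zone: PTR entries are keyed by the reversed host part of the address.
    "10.in-addr.arpa": {
        "10.10.10": [("PTR", "www.example.lab")],
    },
}

def _find_zone(db: ZoneDB, fqdn: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (zone, hostname) for the longest zone that contains fqdn."""
    name = fqdn.rstrip(".").lower()
    for zone in sorted(db, key=len, reverse=True):
        if name == zone:
            return zone, "@"
        if name.endswith("." + zone):
            return zone, name[: -len(zone) - 1]
    return None, None

def lookup_local(db: ZoneDB, fqdn: str, rtype: str, _hops: int = 0) -> Optional[List[str]]:
    """Answer from the local DNS database only; None if it has no answer.
    A CNAME entry is followed (at most 8 hops) when another type was asked for."""
    zone, host = _find_zone(db, fqdn)
    if zone is None:
        return None
    records = db[zone].get(host, [])
    answers = [value for rtype_, value in records if rtype_ == rtype]
    if answers:
        return answers
    for rtype_, target in records:
        if rtype_ == "CNAME" and _hops < 8:
            return lookup_local(db, target, rtype, _hops + 1)
    return None

Upstream = Callable[[str, str], Optional[List[str]]]

def resolve(db: ZoneDB, fqdn: str, rtype: str, mode: str, upstream: Upstream) -> Optional[List[str]]:
    """Emulate the three per-interface DNS server modes from the page.
    `upstream` stands in for the DNS servers configured for the unit;
    a None result means the request was dropped or had no answer."""
    if mode == "forward-only":          # never consult the local database
        return upstream(fqdn, rtype)
    local = lookup_local(db, fqdn, rtype)
    if local is not None:
        return local
    if mode == "non-recursive":         # unresolved requests are dropped
        return None
    if mode == "recursive":             # unresolved requests are relayed
        return upstream(fqdn, rtype)
    raise ValueError(f"unknown DNS server mode: {mode}")

class FakeUpstream:
    """Stand-in for the unit's configured DNS servers (constructed data);
    counts calls so the caller can see whether a query was relayed."""
    def __init__(self) -> None:
        self.calls = 0
        self.table = {("www.example.com", "A"): ["203.0.113.5"]}

    def __call__(self, fqdn: str, rtype: str) -> Optional[List[str]]:
        self.calls += 1
        return self.table.get((fqdn.rstrip(".").lower(), rtype))

if __name__ == "__main__":
    up = FakeUpstream()
    for mode in ("forward-only", "non-recursive", "recursive"):
        print(mode, resolve(ZONES, "www.example.lab", "A", mode, up),
              resolve(ZONES, "www.example.com", "A", mode, up))
```

Note that forward-only never answers from the local zones even when they hold the name, and non-recursive never relays: an internal-only DNS interface should use non-recursive so a typo in a hostname cannot leak to the Internet resolvers.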

Firmware Upgrade Steps

• Step 1: Back up and store the old configuration (full config backup from the CLI)
• Step 2: Have a copy of the old firmware available
• Step 3: Have a disaster recovery option on standby (especially if remote)
• Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
• Step 5: Double check everything
• Step 6: Upgrade

Firmware Downgrade Steps

• Step 1: Locate the pre-upgrade configuration file
• Step 2: Have a copy of the old firmware available
• Step 3: Have a disaster recovery option on standby (especially if remote)
• Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
• Step 5: Double check everything
• Step 6: Downgrade (all settings except those needed for access are lost)
• Step 7: Restore the pre-upgrade configuration
Labs

• Lab 1: Initial Setup and Configuration
» Ex 1: Configuring Network Interfaces
» Ex 2: Exploring the Command Line Interface
» Ex 3: Restoring Configuration Files
» Ex 4: Performing Configuration Backups

(OPTIONAL)
• Lab 2: Administrative Access
» Ex 1: Profiles and Administrators
» Ex 2: Restricting Administrator Access

Classroom Lab Topology
Logging and Monitoring
Module 2

Module Objectives

• By the end of this module participants will be able to:
» Define the storage location for log information
» Enable logging for different FortiGate unit events
» View and search logs
» Monitor log activity
» Understand RAW log output
» Customize widgets on the dashboard

Logging and Monitoring

• Logging and monitoring are key elements in maintaining devices on the network
» Monitor network and Internet traffic
» Track down and pinpoint problems
» Establish baselines

Logging Severity Levels

• Administrators define the severity level at which the FortiGate unit records log information
• All messages at, or above, the minimum severity level will be logged
» Emergency = System unstable
» Alert = Immediate action required
» Critical = Functionality affected
» Error = Error exists that can affect functionality
» Warning = Functionality could be affected
» Notification = Info about normal events (appears as level=notice in log messages)
» Information = General system information (default)
» Debug = Debug log messages

Log Storage Locations

• Local logging: memory and hard drive
• Remote logging: Syslog, SNMP

Log Types and Subtypes

• Traffic Log
» Forward (traffic passed/blocked by firewall policies)
» Local (traffic aimed directly at, or created by, the FortiGate device)
» Invalid (packets considered invalid/malformed and dropped)
• Event Log
» System (system related events)
» Router, VPN, User, WanOpt & Cache, WiFi
• UTM Security Log
» Antivirus, Web Filter, Intrusion Protection, etc.

Log Structure and Behavior

• Options for log behavior:
» UTM events consolidated into the Forward Traffic log
» UTM events separated into individual logs
• Selected with utm-incident-traffic-log:
config sys global
  set utm-incident-traffic-log [enable|disable]
end
• Before FortiOS 5.0, if Log Allowed Traffic was disabled on the policy, a UTM event still turned on traffic logging for that session; that behavior was always on and not configurable
• Consolidating UTM events into the Traffic Log is recommended for performance
» Writing multiple individual log files is harder on the CPU than writing one

Traffic Log – Log Generation

| Log Traffic | UTM Function | Extended-utm | utm-incident-traffic-log | Behavior |
|---|---|---|---|---|
| Enabled | Disabled (traffic does not go to UTM) | N/A | N/A | Traffic log generated by the kernel (as today). All new UTM fields empty. |
| Enabled | Enabled (traffic goes to UTM) | Disabled | Either | UTM events generate logs in the traffic log. All traffic through the policy generates a traffic log. |
| Disabled | Enabled (traffic goes to UTM) | Disabled | Enabled | UTM events generate logs in the traffic log. Only traffic that has a UTM event occur generates traffic logs. |
| Disabled | Enabled (traffic goes to UTM) | Disabled | Disabled | Only UTM events generate logs in the traffic log (no other traffic logs). |
| Disabled | Enabled (traffic goes to UTM) | Enabled | Enabled | UTM events generate logs in the UTM log. Only traffic that has a UTM event occur generates traffic logs. |

Viewing Log Messages

Log Viewer Filtering

• Use Filter Settings to customize the display of log messages and show only the information you are looking for
» Reduce the number of log entries that are displayed
» Easily locate specific information

Log Severity Level

• The log severity level is indicated in the level field of the log message:
date=2012-09-10 time=13:00:30 logid=0100032001
type=event subtype=system level=information
vd="root" user="admin" ui=http(10.0.1.10)
action=login status=success reason=none
profile="super_admin" msg="Administrator admin
logged in successfully from http(10.0.1.10)"
» information = normal event

Viewing Log Messages (Raw)

• Fields in each log message are arranged into two groups:
» Log header (common to all log messages)
date=2012-11-13 time=11:17:56 logid=0000000009
type=traffic subtype=forward level=notice vd=root
» Log body (varies per log entry type)
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100

Viewing Log Messages (Raw)

» Log header
date=2012-08-30 time=12:55:06 log_id=32001 type=utm
subtype=dlp eventtype=dlp level=warning vd="root"
filteridx=0
» Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0
eventid=0 user="user" group="group" srcip=1.1.1.1
srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120
dstintf="port1" service=mm1 …….
• The type and subtype fields identify the log file the message is recorded in (for example, UTM > Data Leak Prevention or Traffic > Forward Traffic)

Viewing Log Messages (Raw)

» Log body
srcip=172.16.78.32 srcport=900 srcintf=unknown-0
dstip=1.1.1.32 dstport=800 dstintf=unknown-0
dstcountry="Australia" srccountry="Reserved"
service=800/tcp wanoptapptype=cifs duration=20
policyid=100 user="test user" group="test group"
identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
hostname="host" url="www.abcd.com" msg="Data Leak
Prevention Testing Message" action=block severity=0
infection="carrier end point filter"
• policyid = ID number of the firewall policy matching the session

Viewing Log Messages (Raw)

» Log body
srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0
dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0
status=deny user="test user" group="test group" policyid=0
dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat
tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0
service=other proto=0 appid=1 app="AIM" appcat="IM"
applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0
rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name"
shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name"
shaperdroprcvdbyte=16843009 shaperperipname="perip name"
shaperperipdropbyte=16843009 devtype="iPad" osname="linux"
osversion="ver" unauthuser="user" unauthusersource="none"
collectedemail="mail" mastersrcmac=02:02:02:02:02:02
srcmac=01:01:01:01:01:01
• status = action taken by the FortiGate unit
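
The raw key=value format, the header/body split and the severity threshold described in this module, as an added example (illustrative Python written for this guide, not a Fortinet tool). The parser handles quoted values that contain spaces (user="test user") and unquoted values with punctuation (ui=http(10.0.1.10)); the severity order and the set of header fields are taken from the slides, and the sample lines are constructed from the messages shown above, so the script runs offline.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Severity levels in the order listed on the page, most severe first. The level
# field of a log message spells the Notification level as "notice".
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "information", "debug"]

# Fields the page places in the log header (common to all messages).
HEADER_FIELDS = {"date", "time", "logid", "log_id", "type", "subtype",
                 "eventtype", "level", "vd", "filteridx"}

# One key=value pair: the value is either double-quoted (and may contain
# spaces) or a run of non-whitespace characters such as http(10.0.1.10).
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_log(line: str) -> Dict[str, str]:
    """Split one raw FortiGate log line into a field -> value mapping."""
    fields: Dict[str, str] = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def split_header_body(fields: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Separate the header group from the body group as the page describes."""
    header = {k: v for k, v in fields.items() if k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return header, body

def at_or_above(level: str, minimum: str) -> bool:
    """True when `level` is at least as severe as `minimum` (the page's rule:
    all messages at, or above, the minimum severity level are logged)."""
    return SEVERITY_ORDER.index(level) <= SEVERITY_ORDER.index(minimum)

def filter_logs(lines: Iterable[str], minimum: str = "information", **match: str) -> List[Dict[str, str]]:
    """Keep messages that pass the severity threshold and whose fields equal
    every key=value given in `match`, like the GUI's Filter Settings."""
    kept = []
    for line in lines:
        fields = parse_log(line)
        if not at_or_above(fields.get("level", "debug"), minimum):
            continue
        if all(fields.get(k) == v for k, v in match.items()):
            kept.append(fields)
    return kept

# Constructed sample lines, modelled on the raw messages shown on the page.
SAMPLE_LOGS = [
    'date=2012-09-10 time=13:00:30 logid=0100032001 type=event subtype=system '
    'level=information vd="root" user="admin" ui=http(10.0.1.10) action=login '
    'status=success reason=none profile="super_admin" '
    'msg="Administrator admin logged in successfully from http(10.0.1.10)"',
    'date=2012-11-13 time=11:17:56 logid=0000000009 type=traffic subtype=forward '
    'level=notice vd=root srcip=172.16.78.32 srcport=900 dstip=1.1.1.32 dstport=800 '
    'service=800/tcp policyid=100 user="test user" group="test group"',
    'date=2012-08-30 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp '
    'level=warning vd="root" filteridx=0 policyid=12345 srcip=1.1.1.1 dstip=2.2.2.2 '
    'action=block msg="Data Leak Prevention Testing Message"',
    'date=2012-08-30 time=12:55:07 logid=0000000010 type=traffic subtype=forward '
    'level=debug vd=root srcip=10.0.1.5 dstip=1.1.1.32 policyid=7',
]

if __name__ == "__main__":
    for entry in filter_logs(SAMPLE_LOGS, minimum="warning"):
        print(entry["type"], entry["subtype"], entry["level"], entry.get("msg", ""))
```

The same parser is what a syslog collector needs before it can alert on, for example, every type=event subtype=system action=login message whose status is not success.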

Alert Email

• Sends a notification to an email address upon detection of a defined event
• Identify the SMTP server name
• Configure at least one DNS server (needed to resolve the SMTP server name)
• Up to three recipients per mail server

SNMP

• The FortiGate unit is the managed device and runs the SNMP agent; the SNMP manager loads the Fortinet MIB
• Traps generated by the agent are sent to the SNMP manager
• Configure the FortiGate unit interface for SNMP access
• Compile and load the Fortinet-supplied MIBs into the SNMP manager
• Create SNMP communities to allow connections between the FortiGate unit and the SNMP manager

Event Logging

Event Log

Monitor

Monitor

• Monitor sub-menus are found in the GUI under all main function menus
• User-friendly display of monitored information
• View the activity of a specific feature being monitored, such as Firewall, VPN, Router, Wi-Fi, etc.
• UTM monitoring can be enabled via System > Admin > Settings

Monitor

• Example: UTM Security Profiles Monitor
» Includes all UTM features
• AV Monitor
» Recent and top virus activity
• Web Monitor
» Top blocked FortiGuard categories
• Application Monitor
» Most used applications
• …

Status Page – Custom Widgets

• Many widgets can have their settings altered to display different information
» The same widget can be added multiple times to the same dashboard, each copy showing different information

Labs

• Lab 1: Status Monitor and Event Log
» Ex 1: Exploring the GUI Status Monitor
» Ex 2: Event Log and Logging Options

(OPTIONAL)
• Lab 2: Remote Monitoring
» Ex 1: Remote Syslog and SNMP Monitoring

Classroom Lab Topology
Firewall Policies
Module 3

Module Objectives

• By the end of this module participants will be able to:
» Identify the components used in a firewall policy
» Create firewall objects
» Create Address and Device Identity policies and manage the order of their processing
» Monitor traffic through policies

Firewall Policies

• Firewall policies include the instructions used by the FortiGate device to determine what to do with a connection request
• The packet is analyzed, its content is compared to the policy, and the policy's action is performed
• A policy is built from: incoming and outgoing interfaces, source and destination IP addresses, services, schedules, an action (for example ACCEPT), and optionally authentication, threat management, traffic shaping and logging

Types of Policies

• Address
» Policy match based on IP addresses
• User Identity
» Policy match based on authentication information (user)
• Device Identity
» Policy match based on the device's OS

Firewall Actions

• Traffic matches a policy: the policy action (Accept or Deny) is applied
• Traffic does not match any policy: Deny (the implicit default)

Firewall Policy Elements - Address Subtype

Firewall Policy Elements – User Identity Subtype

Firewall Policy Elements - Device Identity Subtype

• The device's OS is identified from packet behavior and details
» MAC address (Forti-Device only), DHCP VCI, TCP SYN fingerprint, HTTP User-Agent
» Identification rules are updated with FortiGuard definitions

Device Identification (BYOD)

• Device detection depends on it being enabled on the interface via the device-identification command (* marks the default):
config system interface
  edit "port1"
    set device-identification (enable|disable*)
    set device-user-identification (enable*|disable)
  next
end
• Per-VDOM settings on what to detect:
config system network-visibility
• The global set of device types FortiOS detects is hardcoded

Device Identification (BYOD)

• Devices can be manually identified in the config:
config user device
  edit "me"
    set mac-address <MAC address>
    set type "type name"
    set user "user name"
  next
end
• Once the device is created it can be added to a device group:
config user device-group

Device Identification (BYOD)

• Captive portal options:
» Device identification (default)
» Email collection (attach an email address to the device)
» FortiClient download (force FortiClient install)

Device Identification (BYOD)

• Device-identify
» Identifies the device through the HTTP User-Agent

Device Identification (BYOD)

• Email-collection
» Used in conjunction with the device type Collected Emails
» Collects an email address to be associated with the device
• Whether the collected address is validated through DNS is controlled by:
config sys setting
  set email-portal-check-dns [enable|disable]
end

Device Identification (BYOD)

• Detected devices are listed under User & Devices > Device > Device, or from the CLI:
diag user device list

Device Identification (BYOD)

• Each device-identity policy entry may have one or more devices, device groups or device categories specified
• 3 possible actions:
» Accept (the default)
» Deny
» Captive portal
• UTM options are only available when the action is Accept

Firewall Address Objects

• The FortiGate device compares the source and destination address in the packet to the policies on the device
» A default address object, ALL, is available
• Addresses in policies are configured with:
» A name for display in the policy list
» IP address and mask
» FQDN if desired (DNS is used to resolve it); the policy then matches whatever the unit's configured DNS returns for that name, so it is only as trustworthy as that DNS
• Use Country to create addresses based on geographical location
• Create address groups to simplify administration

Firewall Interfaces

• Select Incoming Interface to identify the interface or zone on which packets are received
» Select an individual interface or ANY to match all interfaces as the source
• Select Outgoing Interface to identify the interface or zone to which packets are forwarded
» Select an individual interface or ANY to match all interfaces as the destination

Firewall Service Objects

• The service in the policy is compared with the protocol and port of the packet
• The FortiGate unit uses Services to determine the types of communication accepted or denied
• A default service, ALL, is available
• Select a Service from the predefined list on the FortiGate unit or create a custom service
• A Web Proxy Service is also available if the Incoming Interface is set to web-proxy
• Group Services and Web Proxy Services to simplify administration

Traffic Logging

• Accept policies: Log Allowed Traffic
• Deny policies: Log Violation Traffic
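
How the policy elements above combine at match time, as an added example (illustrative Python written for this guide, not FortiOS code). It walks a policy list top-down, applies the first policy whose interfaces, addresses, service and schedule all match, falls back to the implicit deny, and reports whether the matched policy logs (Log Allowed Traffic or Log Violation Traffic). The policy table, the schedule and the packets are constructed for the example; the point it makes beyond the slides is that a specific Deny only takes effect if it sits above the broad Accept that would otherwise shadow it, which is why the module objectives include managing the order of processing.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Service:
    """Protocol and destination port range; proto None means the ALL service."""
    name: str
    proto: Optional[str] = None
    ports: Tuple[int, int] = (1, 65535)

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto is None or (proto == self.proto and self.ports[0] <= dport <= self.ports[1])

ALL = Service("ALL")
HTTP = Service("HTTP", "tcp", (80, 80))
DNS = Service("DNS", "udp", (53, 53))
SSH = Service("SSH", "tcp", (22, 22))

@dataclass(frozen=True)
class Schedule:
    """Recurring schedule: weekdays (Monday=0) and an HH:MM window."""
    name: str
    days: Tuple[int, ...] = (0, 1, 2, 3, 4, 5, 6)
    start: str = "00:00"
    end: str = "23:59"

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") <= self.end

ALWAYS = Schedule("always")
BUSINESS_HOURS = Schedule("business_hours", (0, 1, 2, 3, 4), "08:00", "18:00")

@dataclass
class Policy:
    policyid: int
    srcintf: str                 # interface name or "any"
    dstintf: str
    srcaddr: List[str]           # CIDR strings; "all" matches every address
    dstaddr: List[str]
    services: List[Service]
    action: str                  # "accept" or "deny"
    schedule: Schedule = ALWAYS
    log: bool = False            # Log Allowed Traffic / Log Violation Traffic

@dataclass
class Packet:
    srcintf: str
    dstintf: str
    srcip: str
    dstip: str
    proto: str
    dport: int

def _addr_match(addrs: List[str], ip: str) -> bool:
    return any(a == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(a, strict=False) for a in addrs)

def _intf_match(policy_intf: str, intf: str) -> bool:
    return policy_intf == "any" or policy_intf == intf

def evaluate(policies: List[Policy], pkt: Packet, when: datetime) -> Tuple[str, int, bool]:
    """Walk the policy list top-down; the first policy whose elements all match
    decides. Returns (action, policyid, log); with no match the implicit deny
    applies, reported as policy ID 0 and not logged."""
    for p in policies:
        if (_intf_match(p.srcintf, pkt.srcintf) and _intf_match(p.dstintf, pkt.dstintf)
                and _addr_match(p.srcaddr, pkt.srcip) and _addr_match(p.dstaddr, pkt.dstip)
                and any(s.matches(pkt.proto, pkt.dport) for s in p.services)
                and p.schedule.active(when)):
            return p.action, p.policyid, p.log
    return "deny", 0, False

# Constructed policy table. Policy 2 only takes effect because it sits above the
# broad policy 3; moved below it, it would be shadowed and never match.
POLICIES = [
    Policy(1, "internal", "wan1", ["10.10.10.0/24"], ["all"], [HTTP, DNS], "accept", log=True),
    Policy(2, "internal", "wan1", ["10.10.10.50/32"], ["all"], [SSH], "deny", log=True),
    Policy(3, "internal", "wan1", ["all"], ["all"], [ALL], "accept", schedule=BUSINESS_HOURS),
]

WEDNESDAY = datetime(2012, 11, 14, 11, 17)   # a weekday inside business hours
SATURDAY = datetime(2012, 11, 17, 11, 17)    # outside the business_hours schedule

if __name__ == "__main__":
    ssh = Packet("internal", "wan1", "10.10.10.50", "1.1.1.32", "tcp", 22)
    print(evaluate(POLICIES, ssh, WEDNESDAY))
    print(evaluate([POLICIES[0], POLICIES[2], POLICIES[1]], ssh, WEDNESDAY))
```

The Policy Monitor (Policy > Monitor > Policy Monitor, later in this module) is the practical check for this: a deny policy that never accumulates sessions or bytes is usually one that has been shadowed by a broader policy above it.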

Network Address Translation (Source NAT)

• Firewall policy with NAT enabled; wan1 IP address: 200.200.200.200
• Before NAT (internal side, host 10.10.10.1):
» Source IP address: 10.10.10.1, source port: 1025
» Destination IP address: 11.12.13.14, destination port: 80
• After NAT (wan1 side):
» Source IP address: 200.200.200.200, source port: 30912
» Destination IP address: 11.12.13.14, destination port: 80

NAT Dynamic IP Pool (Source NAT)

• Firewall policy with NAT + IP pool enabled; wan1 IP pool: 200.200.200.2-200.200.200.10
• Before NAT (internal side, host 10.10.10.1):
» Source IP address: 10.10.10.1, source port: 1025
» Destination IP address: 11.12.13.14, destination port: 80
• After NAT (wan1 side):
» Source IP address: 200.200.200.? (an address taken from the pool), source port: 30957
» Destination IP address: 11.12.13.14, destination port: 80

Central NAT Table

• Allows NAT rules and NAT mappings to be defined in one global table instead of per firewall policy
• Controls port translation instead of allowing the system to assign ports randomly

Traffic Shaping

• Traffic shaping controls which policies have higher priority when large amounts of data are passing through the FortiGate unit
• Normalizes traffic bursts by prioritizing certain flows (for example HTTP, FTP, IM) over others

Source NAT IP Address and Port

• The session table identifies the IP address and port with NAT applied

Fixed Port (Source NAT)

• Firewall policy with NAT + IP pool enabled + fixed port (CLI only); wan1 IP pool: 200.200.200.201
• Before NAT (internal side, host 10.10.10.1):
» Source IP address: 10.10.10.1, source port: 1025
» Destination IP address: 11.12.13.14, destination port: 80
• After NAT (wan1 side):
» Source IP address: 200.200.200.201, source port: 1025 (the original source port is preserved)
» Destination IP address: 11.12.13.14, destination port: 80
Virtual IPs (Destination NAT)

• Firewall policy with destination address virtual IP + static NAT; wan1 IP address: 200.200.200.200
• Incoming packet on wan1 (from 11.12.13.14):
» Source IP address: 11.12.13.14
» Destination IP address: 200.200.200.222, destination port: 80
• The VIP translates the destination 200.200.200.222 -> 10.10.10.10 (the internal server)

Virtual IPs (Destination NAT)

• Firewall policy with destination address virtual IP + static NAT; wan1 IP address: 200.200.200.200
• Incoming packet on wan1 (from 11.12.13.14):
» Source IP address: 11.12.13.14
» Destination IP address: 200.200.200.200, destination port: 80
• The VIP translates the destination 200.200.200.200 -> 10.10.10.10
• Used to allow connections through a FortiGate using NAT firewall policies
» The FortiGate unit can respond to ARP requests on a network for a server that is installed on another network
» Used for (1) server redundancy and load balancing; (2) IPSec VPN site-to-site with identical subnets at both sites; etc.
» VIP Group: a group of Virtual IPs for ease of use
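
The four translations shown in these slides (source NAT to the interface IP, a dynamic IP pool, fixed port, and a VIP for destination NAT) worked through in one session-table model, as an added example. This is illustrative Python written for this guide, not FortiOS code: the sequential hand-out of dynamic source ports, the round-robin choice of a pool address and the fixed-port collision handling are simplifying assumptions, not the unit's real algorithms. Beyond the slides, it shows the failure mode of fixed port: when two internal hosts reuse the same source port and the pool has a single address, the second session cannot be translated at all.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]   # (source IP, source port, destination IP, destination port)

@dataclass(frozen=True)
class NatPolicy:
    """NAT settings of a firewall policy: NAT on/off, optional IP pool, fixed port."""
    nat: bool = True
    ippool: Tuple[str, ...] = ()   # empty: translate to the outgoing interface IP
    fixedport: bool = False        # keep the original source port (CLI-only option)

@dataclass(frozen=True)
class Session:
    original: Flow
    translated: Flow
    trandisp: str                  # "noop", "snat", "dnat" or "snat+dnat", as in the traffic log

class SessionTable:
    """Simplified model of the FortiGate session table (constructed for this example).
    Dynamic source ports are handed out sequentially from `first_port`; a real unit
    chooses them differently, but the translation rules follow the page's diagrams."""
    def __init__(self, wan_ip: str, vips: Optional[Dict[str, str]] = None, first_port: int = 30912):
        self.wan_ip = wan_ip
        self.vips = vips or {}                       # VIP external IP -> internal server IP
        self._next_port = count(first_port)
        self._in_use: Set[Tuple[str, int]] = set()   # (translated source IP, source port)
        self.sessions: Dict[Flow, Session] = {}

    def open(self, flow: Flow, policy: NatPolicy) -> Optional[Session]:
        sip, sport, dip, dport = flow
        steps = []
        if dip in self.vips:                         # destination NAT (VIP, static NAT)
            dip = self.vips[dip]
            steps.append("dnat")
        if policy.nat:                               # source NAT
            pool = policy.ippool or (self.wan_ip,)
            if policy.fixedport:
                # Keep the source port; use the first pool address on which it is still free.
                free = [ip for ip in pool if (ip, sport) not in self._in_use]
                if not free:
                    return None                      # no translation possible: session dropped
                sip = free[0]
            else:
                sip = pool[len(self.sessions) % len(pool)]   # spread sessions over the pool
                sport = next(self._next_port)
            self._in_use.add((sip, sport))
            steps.append("snat")
        trandisp = "+".join(s for s in ("snat", "dnat") if s in steps) or "noop"
        session = Session(flow, (sip, sport, dip, dport), trandisp)
        self.sessions[flow] = session
        return session

if __name__ == "__main__":
    table = SessionTable("200.200.200.200", vips={"200.200.200.222": "10.10.10.10"})
    print(table.open(("10.10.10.1", 1025, "11.12.13.14", 80), NatPolicy()))
    print(table.open(("11.12.13.14", 40000, "200.200.200.222", 80), NatPolicy(nat=False)))
```

The trandisp value mirrors the field of the same name in the raw traffic log (Module 2), which is the quickest way to confirm from a log line which translations a session actually received.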

Local-In Firewall Policies

• Policies designed for traffic that terminates on the FortiGate unit itself, for example:
» Central management
» Update announcement
» NetBIOS forward
• The destination address of local-in firewall policies is limited to the FortiGate interface IP and secondary IP addresses
• Local-in firewall policies can be created for IPv4 and IPv6 (CLI only)

Threat Management

Threat Management – Client Reputation

UTM Proxy Options - File Size

• The file size is checked against preset thresholds (Policy > UTM Proxy Options > Common Options > Block Oversized File/Email > Threshold)
• If the file is larger than the threshold and the action is set to Block, the file is rejected
• If the file is larger than the threshold and the action is set to Pass, the uncompressed file must fit within the memory buffer
» If it does not, by default no further scanning operations are performed, so the oversized file passes unscanned
Traffic Shapers

• Traffic shapers apply Guaranteed Bandwidth and Maximum Bandwidth values to the addresses affected by a policy
• Shared Traffic Shaper
» The values are shared between all IP addresses affected by the policy
• Per-IP Traffic Shaper
» The values are applied to each IP address affected by the policy

DoS Policies

• DoS policies identify network traffic that does not fit known or common patterns of behavior
» If it is determined to be an attack, the action in the DoS sensor is taken
• DoS policies are applied before firewall policies
» If traffic passes the DoS sensor, it continues to the firewall policies

Endpoint Control

• Endpoint compliance checks:
» Is the endpoint up to date?
» Is disallowed software installed?

Firewall Object Usage

• Allows for faster changes to settings
• The Reference column allows administrators to determine where an object is being used
» Navigate directly to the appropriate edit page

Object Tagging

• Simplifies firewall policy object management
» Useful for administering multiple VDOMs
» Easier to find and access specific firewall policies within specific VDOMs
• Available for firewall policies, address objects, IPS predefined signatures and application entries/filters
• Tags can carry useful organizational information

Monitor

• View policy usage by active sessions, bytes or packets
• Policy > Monitor > Policy Monitor

Labs

• Lab 1: Firewall Policy
  » Ex 1: Creating Firewall Objects and Rules
  » Ex 2: Policy Action
  » Ex 3: Configuring Virtual IP Access
  » Ex 4: Configuring IP Pools
• Lab 2: Traffic Log (optional)
  » Ex 1: Enabling Traffic Logging
  » Ex 2: Device Policies

Classroom Lab Topology

Local User Authentication
Module 4

Module Objectives

• By the end of this module participants will be able to:


» Describe the authentication mechanisms available through the FortiGate device
» Create local users and user groups
» Create identity-based policies to enable local user authentication
» Monitor active users
» Check authentication Log entries


Authentication

• The identity of users and host computers must be established to ensure that only authorized parties can access the network
• The FortiGate unit provides network access control and applies authentication to users of firewall policies and to VPN clients

Local User Authentication

• Local user authentication is based on usernames and passwords stored locally on the FortiGate unit
• An administrator creates local user accounts on the FortiGate device
  » For each account, a user name and password is stored
  » Two-factor authentication can be enabled on a per-user basis

User Authentication via Remote Server

• The FortiGate unit must be configured to access the external servers used to authenticate the users
• Administrators can create an account for the user locally and specify the server to verify the password, or
• Administrators can add the authentication server to a user group
  » All users on that server become members of the group
• Supported remote authentication sources: RADIUS, LDAP, digital certificates, Directory Services, TACACS+
Course 201 - Administration, Content Inspection and VPNs Local User Authentication

User Groups

Examples: "Paris Visitors" (Guest user group), "Active Directory" (Directory Service / FSSO user group)

• User groups are assigned one of four group types: Firewall, Fortinet Single Sign On (FSSO), Guest and RADIUS Single Sign On (RSSO)
• Firewall user groups provide access to firewall policies that require authentication
• Directory Service user groups (the FSSO type in this release) are used to allow single sign on for Active Directory or Novell eDirectory users

Identity-Based Policies

• Identity-based policies are enabled on a firewall policy to require firewall authentication
• Authentication rules identify the users and user groups that will be forced to authenticate
  » Each rule also defines the other aspects of the authentication: services, schedules, UTM (threat management), logging and traffic shaping
Course 201 - Administration, Content Inspection and VPNs Local User Authentication

Disclaimers

• Displays the Disclaimer Agreement page before the user authenticates
  » The user must accept the disclaimer to proceed with the authentication process
  » Once authenticated, the user is directed to the original destination

Authentication Timeout

• Timeout values specify how long an authenticated connection can be idle before the user must authenticate again
  » User Authentication Timeout controls the firewall authentication timer
    • Default value is 5 minutes
  » SSL VPN Idle Timeout controls the SSL VPN user authentication timer
    • Default value is 300 seconds (5 minutes)

Password Policy

Minimum Length: 8 to 64 characters
Must Contain: uppercase letters, lowercase letters, numerical digits, non-alphanumeric characters
Password Expiration: X days
Apply to: Administrators, IPSec Preshared Key

• Set a password policy to enforce higher standards for both the length and complexity of passwords
• Policies can be applied to administrator passwords and IPSec VPN preshared keys

Two-Factor Authentication

• A one-time password can be delivered to the user through various methods:
  » FortiToken: every 60 seconds the token generates a 6-digit code based on its unique serial number, seed and GMT time
  » Email: the one-time password is sent to the user's configured email address after successful password authentication
  » SMS phone message: the one-time password is sent through email to the user's SMS provider; the email address pattern varies by provider
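The time-based code generation described above, as an added example that is not part of the course material or Fortinet's code: FortiToken's own algorithm is proprietary, so this block uses the open RFC 6238 TOTP construction (HMAC-SHA1 over a time counter) with a configurable time step, 60 seconds by default as the slide states, and shows the verifier side with a clock-drift window and replay protection. The seed value and timestamps are constructed for the demonstration (the RFC 6238 test seed, which uses a 30-second step).

```python
"""Time-based one-time password generation and verification.

Added example (not Fortinet code): FortiToken's own algorithm is proprietary,
so this uses the open RFC 6238 TOTP construction, HMAC-SHA1 over a time
counter, to show how a 6-digit code is derived from a shared seed and GMT
time, and how the verifier tolerates clock drift and rejects replay.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Set


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second periods since the epoch (UTC/GMT)."""
    return hotp(seed, unix_time // step, digits)


def verify_otp(seed: bytes, submitted: str, unix_time: int, step: int = 60,
               window: int = 1, used: Optional[Set[int]] = None) -> bool:
    """Accept the code for the current period or up to `window` periods either side.

    `used` is a caller-owned set of accepted counters: a code that was already
    accepted inside its validity window is refused (replay protection).
    """
    if not submitted.isdigit():
        return False
    now = unix_time // step
    for drift in range(-window, window + 1):
        counter = now + drift
        expected = hotp(seed, counter, len(submitted))
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(expected, submitted):
            if used is not None:
                if counter in used:
                    return False
                used.add(counter)
            return True
    return False


if __name__ == "__main__":
    SEED = b"12345678901234567890"  # constructed demo seed (the RFC 6238 test seed)
    print("current 60 s code:", totp(SEED, int(time.time())))
```

The verifier keys the replay set on the time counter rather than on the code string, so the same six digits are accepted again once they legitimately recur in a later period.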
Course 201 - Administration, Content Inspection and VPNs Local User Authentication

Policy Configuration

User Monitor

• Displays logged in users, groups, the policy ID being used, time left before the inactivity timeout, IP address, the amount of traffic sent by the user, and the authentication method
  » Also used to terminate authentication sessions

Labs

• Lab 1: User Authentication
  » Ex 1: Identity-based Firewall Policy

Classroom Lab Topology

SSL VPN
Module 5

Module Objectives

• By the end of this module participants will be able to:


» Identify the VPN technologies available on the FortiGate device
» Configure the SSL VPN operating modes
» Define user restrictions
» Setup SSL VPN portals
» Configure firewall policies and authentication rules for SSL VPNs


Virtual Private Networks (VPN)

• Secure tunnel over an insecure network
• Use when there is the need to transmit private data over a public network
• PC based, suitable for use when traveling

FortiGate VPN

SSL VPN:
• Typically used to secure web transactions
• HTTPS link created to securely transmit application data between client and server
• Client signs on through a secure web page (SSL VPN portal) on the FortiGate device

IPSec VPN:
• Well suited for network-based legacy applications
• Secure tunnel created between two host devices
• IPSec VPN can be configured between a FortiGate unit and most third-party IPSec VPN devices or clients
Course 201 - Administration, Content Inspection and VPNs SSL VPN

SSL VPN Web-Only Mode

1. Remote user connects to the SSL VPN portal (HTTPS web site)
2. Tunnel created
3. User authentication
4. Portal web page presented
5. User clicks a bookmark to access a resource

SSL VPN Tunnel Mode

1. Remote user connects to the SSL VPN portal (HTTPS web site)
2. Tunnel created
3. User authentication
4. Portal web page presented
5. User accesses resources directly through the tunnel

User Groups

• Web mode and tunnel mode both require a firewall policy for authentication
  » Tunnel mode requires additional policies to allow internal network access
• The mode(s) a user has access to is determined by the authentication policy
  » It also determines the portal page users are presented

Authentication

• Username and password (one factor)
• Username and password + FortiToken (two factor)

SSL VPN Server Certificate

• Certificate presented to the client initiating an SSL VPN session
• The FortiGate device uses a self-signed certificate by default
• Use a server certificate issued by a trusted Certificate Authority to avoid web browser security warnings (and to stop users from being trained to click through them)

Encryption Key Algorithm

• Level of encryption used for SSL VPN connections
  » High, Default, Low
• The default setting in this release is RC4 (128 bits) and higher; RC4 has since been prohibited for TLS (RFC 7465), so on current builds select High and verify which cipher suites that setting actually permits
• If set to High, SSL VPN connections with clients that cannot meet this standard will fail
Course 201 - Administration, Content Inspection and VPNs SSL VPN

Web Portal Interface

• Web page displayed when a client logs into the SSL VPN
• Includes widgets to access functionality on the portal (such as bookmarks and connection tools)
• Software download option for tunnel mode
• The default SSL VPN web portal page is accessible at https://<FortiGate IP address>:<SSL VPN port>, where the port is the one configured under VPN > SSL > Config

Full-Access Web Portal Interface

Tunnel Mode Split-Tunneling

• With split tunneling enabled, only traffic destined for the internal networks reachable through the SSL VPN (the destination addresses of the SSL VPN firewall policy) is routed over the tunnel; all other client traffic leaves through the client's normal default route
• If access to another inside network is desired, the client needs a static route for it pointing to its own SSL VPN virtual interface
  » The associated firewall policies must also exist

Client Integrity Checking

• The SSL VPN gateway checks the client system before granting access
• Detects client protection applications (for example, antivirus and personal firewall)
• Determines the state of those applications (active/inactive, current version number and signature updates)
• Comparable frameworks include Cisco Network Admission Control (NAC), MS Network Access Protection (NAP) and the Trusted Computing Group's (TCG) Trusted Network Connect
Course 201 - Administration, Content Inspection and VPNs SSL VPN

Client Host Checking

• Relies on external vendors to ensure client integrity (not implemented by all SSL VPN vendors)
• Requires administrators to determine the appropriate software versions, signature versions and policy
  » Easily outdated, limiting the protection provided
• Checks whether the required software is installed on the connecting PC; otherwise the connection is refused
• CLI only:

    config vpn ssl web portal
        edit <portal name>
            set host-check {av | av-fw | custom | fw}
            set host-check-interval <seconds>
        next
    end

SSL VPN Tunnel Mode Connection

• A new network connection called fortissl is created on the client
• The connection obtains a virtual IP address
  » This virtual adapter becomes the preferred default route if split tunneling is disabled
• The web portal page displays the status of the SSL VPN client ActiveX control
• The portal web page must remain open for the tunnel to function
Course 201 - Administration, Content Inspection and VPNs SSL VPN

SSL VPN Client Port Forward

• Port Forward mode extends the applications supported by Web Application Mode
• Application types (some examples):
  » PortForward: for generic port forward applications
  » Citrix: for Citrix server web interface access
  » RDPNative: for the Microsoft Windows native RDP client over port forward
  » etc.

SSL-VPN Policy De-Authentication

• The firewall policy authentication session is associated with the SSL VPN tunnel session
• Forces expiration of the firewall policy authentication session when the associated SSL VPN tunnel session is ended by the user
  » Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by a different user after the initial user terminates their SSL VPN tunnel session
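The idle-timeout behaviour from the Authentication Timeout slide in Module 4 and the tunnel-bound de-authentication just described, modelled together as an added example (not FortiOS code). AuthSession, SessionTable, the IP addresses and the timestamps are constructed for the illustration; the 300-second default is the value the slides give.

```python
"""Firewall authentication sessions with an idle timeout, bound to SSL VPN tunnels.

Added example, not FortiOS code. It models the behaviour described under
'Authentication Timeout' and 'SSL-VPN Policy De-Authentication': an
authenticated user entry expires after `idle_timeout` seconds without
traffic (5 minutes by default), and closing a user's SSL VPN tunnel expires
the policy authentication immediately, so a later client on the same source
IP cannot ride the earlier login. AuthSession and SessionTable are invented
for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuthSession:
    user: str
    src_ip: str
    policy_id: int
    last_seen: float
    tunnel_id: Optional[str] = None   # set when the login came over an SSL VPN tunnel


class SessionTable:
    def __init__(self, idle_timeout: float = 300.0):   # 5 minutes, the slide's default
        self.idle_timeout = idle_timeout
        self._by_ip: Dict[str, AuthSession] = {}

    def login(self, user: str, src_ip: str, policy_id: int, now: float,
              tunnel_id: Optional[str] = None) -> None:
        self._by_ip[src_ip] = AuthSession(user, src_ip, policy_id, now, tunnel_id)

    def lookup(self, src_ip: str, now: float) -> Optional[AuthSession]:
        """Return the live session for this source IP and refresh its idle timer; None if expired."""
        s = self._by_ip.get(src_ip)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout:
            del self._by_ip[src_ip]        # idle too long: the user must authenticate again
            return None
        s.last_seen = now                  # traffic matching the policy resets the timer
        return s

    def time_left(self, src_ip: str, now: float) -> float:
        """Seconds before the inactivity timeout, as shown in the User Monitor."""
        s = self._by_ip.get(src_ip)
        return max(0.0, self.idle_timeout - (now - s.last_seen)) if s else 0.0

    def tunnel_closed(self, tunnel_id: str) -> int:
        """SSL VPN tunnel ended: expire every policy authentication bound to it."""
        victims = [ip for ip, s in self._by_ip.items() if s.tunnel_id == tunnel_id]
        for ip in victims:
            del self._by_ip[ip]
        return len(victims)

    def deauth(self, src_ip: str) -> bool:
        """Administrator terminates the session from the User Monitor."""
        return self._by_ip.pop(src_ip, None) is not None
```

Without the `tunnel_closed` hook, a session that was still inside its idle window would keep granting access to whatever host next sends traffic from that source address, which is exactly the reuse the de-authentication feature is there to prevent.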
Course 201 - Administration, Content Inspection and VPNs SSL VPN

SSL VPN Access Modes

Web Mode:
• No client software required (web browser only)
• Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
• Java applets for RDP, VNC, TELNET, SSH

Tunnel Mode:
• Uses a FortiGate-specific client downloaded to the PC (ActiveX or Java applet)
• Requires admin/root privilege to install the layer-3 tunnel adaptor

Port Forward Mode:
• A Java applet works as a local proxy to intercept specific TCP port traffic, then encrypts it in SSL
• Downloaded to the client PC and installed without admin/root privileges
• The client application must be pointed at the Java applet

Configuration

• Step 1: Configure the settings
  » IP pool, certificate, port, ...
  » VPN > SSL > Config
• Step 2: Configure the portals for user access
  » Web or tunnel mode access, bookmarks, ...
  » VPN > SSL > Portal
• Step 3: Decide on split tunneling or not
  » In the portal configuration
• Step 4: Set up the firewall VPN policy for access

Configuration

Labs

• Lab 1: SSL VPN
  » Ex 1: Configuring SSL VPN for Web Access
  » Ex 2: Configuring SSL VPN for Tunnel Mode

Classroom Lab Topology

IPSec VPN
Module 6

Module Objectives

• By the end of this module participants will be able to:


» Define the architectural components of IPSec VPN
» Define the protocols used as part of an IPSec VPN
» Identify the phases of Internet Key Exchange (IKE)
» Identify the FortiGate unit IPSec VPN modes
» Configure IPSec VPN on the FortiGate unit


IPSec VPN

Private network: data confidential; data has integrity; sender authenticated

• IPSec is a set of standard protocols and services used to encrypt data so that it cannot be read or tampered with as it travels across a network
• Provides:
  » Authentication of the sender
  » Confidentiality of data
  » Proof that data has not been tampered with
Course 201 - Administration, Content Inspection and VPNs IPSec VPN

IPSec VPN

• IPSec VPN operates at the network layer (layer 3)


» Encryption occurs transparently to the upper layers
» Applications do not need to be designed to use IPSec
• IPSec VPN can protect upper layer protocols (such as TCP) but
the complexity and overhead of the exchange is increased
» For example, IPSec cannot depend on TCP to manage reliability and
fragmentation

Internet Key Exchange

• Internet Key Exchange (IKE) allows the parties involved in a


transaction to set up their Security Associations
• Phase 1 authenticates the parties involved and sets up a secure
channel to enable the key exchange
• Phase 2 negotiates the IPSec parameters to define an IPSec tunnel

Course 201 - Administration, Content Inspection and VPNs IPSec VPN

Phase 1

• IKE Phase 1 performs the following:
  » Authenticates and protects the parties involved in the IPSec transaction
    • Can use pre-shared keys or digital certificates
  » Negotiates a matching SA policy between the peers to protect the exchange
  » Performs a Diffie-Hellman exchange
    • The keys derived from this exchange are used in Phase 2
  » Sets up a secure channel to negotiate the Phase 2 parameters

Defining Phase 1 Parameters

• Fortinet KB article IDs: 11657, 13574
Course 201 - Administration, Content Inspection and VPNs IPSec VPN

Phase 2

• IKE Phase 2 performs the following:
  » Negotiates the IPSec SA parameters
    • Protected by the existing IKE SA
  » Renegotiates IPSec SAs regularly to ensure security
  » Optionally, an additional Diffie-Hellman exchange may be performed (Perfect Forward Secrecy), so that the new IPSec keys do not depend only on the Phase 1 secret

Defining Phase 2 Parameters
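The two IKE phases described above, as an added toy example (not FortiOS or reference IKE code) that shows how the Phase 1 Diffie-Hellman secret and the pre-shared key feed SKEYID_d, and how Phase 2 keying material is then derived from it, with and without the optional extra Diffie-Hellman exchange (PFS). The 64-bit prime, the SHA-256 HMAC as PRF, and the omission of cookies and identity payloads are simplifications assumed for readability; the SPI and nonces are constructed.

```python
"""Toy IKE key derivation: the Phase 1 Diffie-Hellman result feeds Phase 2 keys.

Added example, not FortiOS or reference IKE code. It mirrors the two phases
on the slides: Phase 1 performs a Diffie-Hellman exchange and, with a
pre-shared key, derives SKEYID / SKEYID_d; Phase 2 derives per-SA keying
material from that secret plus fresh nonces, optionally mixing in a brand-new
DH result (Perfect Forward Secrecy). The group is a small constructed prime
so the numbers stay readable; real IKE uses the large MODP groups (RFC 3526),
and the PRF chaining below is a simplification of RFC 2409 (no cookies, no
identity payload, SHA-256 HMAC as the PRF).
"""
import hashlib
import hmac
import secrets
from typing import Callable, Tuple

# Constructed toy group: NOT secure, chosen only for readability.
P = 0xFFFFFFFFFFFFFFC5   # the largest 64-bit prime, 2**64 - 59
G = 2
ESP = b"\x03"            # protocol identifier mixed into KEYMAT (RFC 2409 section 5.5)


def dh_keypair(rng: Callable[[int], int] = secrets.randbelow) -> Tuple[int, int]:
    x = 2 + rng(P - 3)            # private exponent in [2, P-2]
    return x, pow(G, x, P)        # (private, public)


def dh_shared(private: int, peer_public: int) -> bytes:
    if not 1 < peer_public < P - 1:   # reject 0, 1, P-1: degenerate / small-subgroup values
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P).to_bytes(8, "big")


def phase1_skeyid_d(psk: bytes, nonce_i: bytes, nonce_r: bytes, g_xy: bytes) -> bytes:
    """Pre-shared-key mode: SKEYID = prf(psk, Ni|Nr); SKEYID_d = prf(SKEYID, g^xy|0)."""
    skeyid = hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()
    return hmac.new(skeyid, g_xy + b"\x00", hashlib.sha256).digest()


def phase2_keymat(skeyid_d: bytes, spi: bytes, nonce_i: bytes, nonce_r: bytes,
                  pfs_g_xy: bytes = b"") -> bytes:
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    return hmac.new(skeyid_d, pfs_g_xy + ESP + spi + nonce_i + nonce_r,
                    hashlib.sha256).digest()


def negotiate(psk_i: bytes, psk_r: bytes, pfs: bool) -> Tuple[bytes, bytes]:
    """Run initiator and responder through Phase 1 and one Phase 2; return both KEYMATs."""
    # Phase 1: DH exchange, authenticated by binding the PSK into SKEYID
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    d_i = phase1_skeyid_d(psk_i, ni, nr, dh_shared(xi, gr))
    d_r = phase1_skeyid_d(psk_r, ni, nr, dh_shared(xr, gi))
    # Phase 2 (quick mode): new nonces, optionally a fresh DH exchange for PFS
    spi = b"\xde\xad\xbe\xef"   # constructed SPI
    n2i, n2r = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        yi, hi = dh_keypair()
        yr, hr = dh_keypair()
        pfs_i, pfs_r = dh_shared(yi, hr), dh_shared(yr, hi)
    else:
        pfs_i = pfs_r = b""
    return (phase2_keymat(d_i, spi, n2i, n2r, pfs_i),
            phase2_keymat(d_r, spi, n2i, n2r, pfs_r))
```

A mismatched pre-shared key does not produce an error in this exchange; each side simply derives different keys and the first protected packet fails to verify, which is why a bad PSK shows up on a FortiGate as a Phase 1 that never completes rather than as an explicit rejection.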
Course 201 - Administration, Content Inspection and VPNs IPSec VPN

Interface Mode

• Creates a virtual IPSec network interface that applies encryption


or decryption as needed to any traffic that it carries
» Also known as Route-Based
• Create two firewall policies between the virtual IPSec interface and
the interface that connects to the private network
• The firewall policy action is ACCEPT
• Needs static routes over VPN tunnels
• Required if dynamic routing, GRE over IPSec or altering of
incoming subnet is needed


Tunnel Mode

• Easy to configure, single internal → external firewall policy


supports bi-directional traffic
• Policy action is IPSec, Phase1 tunnel selected
• IPSec policies should be located first in your policy list
• Vulnerable to errors in quickmodes or policies
• Order of policies is very important

Course 201 - Administration, Content Inspection and VPNs IPSec VPN

Tunnel Versus Interface Mode

Tunnel Mode:
• Less configuration involved
• Dependent on policy order for proper operation
• Less granular

Interface Mode:
• Required for GRE over IPSec
• Required if manipulation of packet source IPs is necessary
• Required to have the FortiGate unit participate in dynamic routing communication over the IPSec connection
• More control

Overlapping Subnets

• Site-to-site route-based VPN configurations sometimes experience a problem where the private subnet addresses at each end of the connection are the same
• Map each side to a distinct range using NAT with an IP Pool; after the tunnel is established, hosts on each side communicate with hosts on the other side using the mapped IP addresses
• Interface mode can NAT both the incoming and the outgoing traffic
• Tunnel mode can only NAT outgoing traffic
Course 201 - Administration, Content Inspection and VPNs IPSec VPN

IPSec Topologies (Site-to-Site)

Headquarters <-> Branch office (site-to-site)

IPSec VPN Monitor

• Monitor activity on IPSec VPN tunnels
  » Stop and start tunnels
  » Display address, proxy IDs, timeout information
• A green arrow indicates that the negotiations were successful and the tunnel is UP
• A red arrow means the tunnel is DOWN or not in use

Configuration

• Step 1: Configure Phase 1
  » Choose the interface to listen for connections
  » Choose the remote location
  » Choose advanced options (DH group, XAUTH, ...)
• Step 2: Configure Phase 2
  » Multiple Phase 2s are possible on a single Phase 1 tunnel
• Step 3: Create the firewall VPN policy (or policies)
  » More than one policy may be needed to allow all the required access

Labs

• Lab 1: IPSec VPN
  » Ex 1: Site to Site IPSec VPN

Classroom Lab Topology

Antivirus
Module 7

Module Objectives

• By the end of this module participants will be able to:


» Describe conserve mode conditions and AV system behavior
» Define the virus scanning techniques used on the FortiGate unit
» Identify the differences between file-based and flow-based virus scanning
» Configure quarantine options
» Define firewall policies using antivirus profiles
» Update FortiGuard Services

Course 201 - Administration, Content Inspection and VPNs Antivirus

Conserve Mode

• What is conserve mode?


• System self protection measure when facing local resource exhaustion
» When entering conserve mode the FortiGate unit activates protection measures in
order to recover memory space
» Once enough memory is recovered, the system leaves the conserve mode state
and releases the protection measures
• Two types: regular and kernel
• Search “conserve mode” at: http://kb.fortinet.com
» KB Article IDs: FD33103, 11076, 10209

Conserve Mode

• Regular conserve mode is depletion of shared memory


» Used mainly by proxies (to store the buffered data) but also by buffers (logging,
quarantining)
• Impact (configurable)
» Established sessions remain unchanged
» New sessions are not inspected
• Fail-open action applies to stream and proxy-based inspection

Course 201 - Administration, Content Inspection and VPNs Antivirus

AV Fail-Open

• There are currently two conditions that can cause the FortiGate unit to operate in AV fail-open mode:
  » The system is low on memory and has entered conserve mode
  » The individual proxy pool is full (no free connections are available)
• With the first condition, low memory, the av-failopen setting is applied
  » The default for this setting is Pass

• The system enters conserve mode when the amount of free shared memory is less than approximately 20%
  » Goes back to non-conserve mode when this value increases to approximately 30%
  » The log entry details the actual amount of memory

    config system global
        set av-failopen {idledrop | off | one-shot | pass}
    end

  » idledrop: drop idle proxy connections to recover memory
  » off: stop accepting new sessions that require scanning; established sessions continue
  » one-shot: bypass scanning for new sessions, and keep bypassing after memory recovers until the setting is re-applied
  » pass: allow new sessions through without scanning
Course 201 - Administration, Content Inspection and VPNs Antivirus

AV Fail-Open

• The second condition occurs when the individual proxy pool is full; handling of this condition is disabled by default
  » The action depends on the av-failopen-session setting
• If av-failopen-session is enabled and the number of free connections in the proxy connection pool reaches zero
  » The protocol reverts to the av-failopen setting
• If av-failopen-session is disabled and the limit is reached, all new sessions for that proxy are blocked
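The conserve-mode thresholds and the av-failopen values described above, as an added model (not FortiOS code) of how a new session is treated under each setting while established sessions are left alone. The memory cost attached to each buffered connection, and the decision that idledrop blocks a new session when no idle connection is left to reclaim, are assumptions of the model; the one-shot latch follows the CLI reference description of that value, so verify it against your release.

```python
"""Conserve-mode state machine with av-failopen handling.

Added example, not FortiOS code. It models the behaviour the conserve mode
and AV fail-open slides describe: the unit enters conserve mode when free
shared memory falls below about 20%, leaves only once it is back above
about 30% (hysteresis, so it does not flap), established sessions are left
alone, and each NEW session that needs proxy inspection is handled per the
av-failopen setting: pass (forward uninspected), off (block), one-shot
(bypass scanning and keep bypassing until an administrator resets the
setting), idledrop (drop idle proxy connections to reclaim memory first).
The memory share attached to each session, and the rule that idledrop blocks
when nothing idle is left to reclaim, are assumptions made for the model.
"""
from dataclasses import dataclass, field
from typing import List

ENTER_PCT = 20.0   # slide: enter conserve mode below ~20% free shared memory
EXIT_PCT = 30.0    # slide: leave only once free memory is back above ~30%


@dataclass
class ProxyConn:
    session_id: int
    idle: bool
    mem_pct: float          # share of shared memory this buffered connection holds (assumed)


@dataclass
class AvProxy:
    av_failopen: str = "pass"       # FortiOS default per the slide
    free_pct: float = 100.0
    conserve: bool = False
    bypass_latched: bool = False    # one-shot: stays set until an admin clears it
    conns: List[ProxyConn] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def update_memory(self, free_pct: float) -> bool:
        """Apply a new free-memory reading; returns True while in conserve mode."""
        self.free_pct = free_pct
        if not self.conserve and free_pct < ENTER_PCT:
            self.conserve = True
            self.log.append(f"enter conserve mode: {free_pct:.1f}% free")
        elif self.conserve and free_pct > EXIT_PCT:
            self.conserve = False
            self.log.append(f"leave conserve mode: {free_pct:.1f}% free")
        return self.conserve

    def drop_idle(self) -> float:
        """idledrop: close idle proxy connections and give their memory back."""
        reclaimed = sum(c.mem_pct for c in self.conns if c.idle)
        self.conns = [c for c in self.conns if not c.idle]
        self.update_memory(self.free_pct + reclaimed)
        return reclaimed

    def _accept(self, session_id: int, mem_pct: float) -> str:
        self.conns.append(ProxyConn(session_id, False, mem_pct))
        self.update_memory(self.free_pct - mem_pct)   # buffering the file costs memory
        return "scan"

    def new_session(self, session_id: int, mem_pct: float) -> str:
        """Decide what happens to a NEW session: 'scan', 'pass' or 'block'."""
        if self.bypass_latched:
            return "pass"
        if not self.conserve:
            return self._accept(session_id, mem_pct)
        if self.av_failopen == "idledrop":
            self.drop_idle()
            return self._accept(session_id, mem_pct) if not self.conserve else "block"
        if self.av_failopen == "one-shot":
            self.bypass_latched = True
            return "pass"
        return "pass" if self.av_failopen == "pass" else "block"   # "off" blocks

    def admin_reset_failopen(self) -> None:
        """Re-applying av-failopen in the CLI clears the one-shot bypass."""
        self.bypass_latched = False
```

The point to notice is that with the default `pass`, every session started while the unit is short of memory crosses the firewall unscanned and is never revisited, which is why conserve-mode log entries deserve an alert rather than a passing glance.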

Antivirus

• Detect and eliminate viruses, worms, Trojans and spyware in real time
  » Stop threats before they enter the network
• Scans HTTP and FTP traffic as well as incoming and outgoing SMTP, POP3 and IMAP email
• Internet Content Adaptation Protocol (ICAP) support
  » The FortiGate unit acts as an ICAP client to communicate with ICAP servers, which the FortiGate unit can use to offload AV scanning
  » First enable ICAP in the Admin Settings, then configure it under UTM Security Profiles > ICAP
01-50000-0201-20130215-C
Course 201 - Administration, Content Inspection and VPNs Antivirus

Antivirus Scanning Order

File size -> File name pattern -> Virus scan -> File type -> Grayware -> Heuristics

Proxy-Based Scanning

• The antivirus proxy buffers the file as it arrives
• Once the transmission is complete, the virus scanner examines the file
• Higher detection and accuracy rate
• Comfort Clients (client comforting) can be used to avoid client timeouts while the file is buffered
Course 201 - Administration, Content Inspection and VPNs Antivirus

Flow-Based Scanning

• The file is scanned on a packet-by-packet basis as it passes through the FortiGate unit
• Faster scanning, but lower accuracy rate
  » Difficulty in catching virus variants
• Only available on certain models
• Non-proxy scanning

Virus Scanning

• Signature databases: Regular, Extended, Extreme, Flow-based
Course 201 - Administration, Content Inspection and VPNs Antivirus

Unknown Viruses

• Sometimes a virus may go undetected because it is not in the signature database
  » To submit a virus go to: http://www.fortiguard.com/antivirus/virus_scanner.html

Known Virus

• Sometimes viruses will get through because the proper antivirus scan options are not enabled
  » The FortiGuard Subscription Service contains information on which database a virus is in

Heuristics Scanning

Virus-like attribute + virus-like attribute + virus-like attribute > heuristic threshold -> suspicious

• The FortiGate unit tests for "virus-like behavior"
• Virus-like attributes are totaled and, if the total is greater than a threshold, the file is marked as suspicious
  » Use the CLI to block suspicious files
• Possibility of false positives

Antivirus Profiles
Course 201 - Administration, Content Inspection and VPNs Antivirus

UTM Proxy Options

Quarantine

• Infected, blocked or suspicious files can be quarantined to the hard drive on the FortiGate unit or to a FortiAnalyzer device
  » Files are quarantined based on their protocol
  » Information regarding quarantined files is displayed in the logs
Course 201 - Administration, Content Inspection and VPNs Antivirus

Logs

Labs

• Lab 1: Antivirus Scanning
  » Ex 1: Antivirus Testing

Classroom Lab Topology

Email Filtering
Module 8

Module Objectives

• By the end of this module participants will be able to:


» Identify the email filtering methods used on the FortiGate device
» Configure banned word, IP address and email address filters
» Define firewall policies using email filter profiles
» Identify the differences between the email filtering capabilities of the FortiGate and
FortiMail units

Course 201 - Administration, Content Inspection and VPNs Email Filtering

Email Filtering

• The FortiGate unit can detect and manage spam email

Spam Actions

• Tag: add a custom phrase/word to the subject line (for example "Subject: Free Stuff" becomes "Subject: [SPAM] Free Stuff") or a MIME header and value to the email message, for use in back-end or client filtering
• Discard: immediately drop the SMTP connection if spam is detected
Course 201 - Administration, Content Inspection and VPNs Email Filtering

Email Filtering Methods

• The FortiGate unit uses a number of techniques to help detect spam
  » Some use the FortiGuard Antispam service and require a subscription
  » Others use DNS servers or filters created on the device
  » Heuristic check
  » Manually configured options

Email Filtering Order (SMTP)

1. IP BWL check (last-hop sender IP)
2. DNSBL & ORDBL check
3. FortiGuard IP check
4. HELO DNS lookup
5. Email BWL check
6. MIME header check
7. Return email DNS check
8. Banned word check (on subject)
9. IP BWL check (IPs in the Received headers)
10. DNSBL & ORDBL check (IPs in the Received headers)
11. Banned word check (on body)
12. FortiGuard URL check
13. FortiGuard checksum check
Course 201 - Administration, Content Inspection and VPNs Email Filtering

Email Filtering Order (POP3 and IMAP)

1. Email BWL check
2. MIME header check
3. IP BWL check (IPs in the Received headers)
4. Banned word check (on sub�ject)
5. Return email DNS check
6. Banned word check (on body)
7. FortiGuard IP check
8. FortiGuard URL check
9. FortiGuard checksum check
10. DNSBL & ORDBL check

FortiGuard IP Address Check

• The connecting IP address is checked
• FortiGuard is a reputation database
  » IP behavior is tracked
  » More queries about an IP's activity to the FortiGuard network make its reputation worse
  » IPs have a score from 1 to 9
    • 1 is permanently black listed
    • 9 is permanently white listed (Fortinet server IPs only)
    • Less than 3 is considered spam
Course 201 - Administration, Content Inspection and VPNs Email Filtering

FortiGuard URL and Email Address Check

Example message body: "Visit our web site at www.acme.com to learn more about this great offer or send an email to deals@acme.com."

• URLs and email addresses found in the message body are checked against the FortiGuard Antispam service
• What language or character set is the email in?
  » KB Article ID: FD32502

FortiGuard Email Checksum Check

• The FortiGate unit sends a hash of the email message (for example the body "Our online pharmacy offers great prices on all your prescription medications.") to the FortiGuard Antispam Service
• The FortiGuard Antispam Service compares the hash received to hashes of known spam messages
Course 201 - Administration, Content Inspection and VPNs Email Filtering

IP Address Black/White List (BWL)

• The FortiGate unit compares the IP address of the sender of an email message to the IP addresses specified in the email filter profile
  » An administrator can add to or edit the IP addresses and configure the action to take
• Possible actions on a match:
  » Spam (use the spam action)
  » Clear (consider not spam)
  » Reject (SMTP only)

Email Address Black/White List (BWL)

• The FortiGate unit compares the email address of the sender of an email message (for example From: bsmith@acme.com) to the email addresses specified in the email filter profile
  » An administrator can add to or edit the email addresses and configure the action to take: Mark as Spam or Mark as Clear
  » Wildcards and regular expressions can be used to define the email address
Course 201 - Administration, Content Inspection and VPNs Email Filtering

HELO DNS Lookup

Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2012 02:27:02 -0000

• Performs an A record lookup of the SMTP HELO details to confirm that the name resolves to an IP address
• The domain specified in the HELO should resolve to an IP
• Does NOT perform any kind of comparison to the sender's IP

Return Email DNS Check

• Confirms that the sending email domain from the reply-to field resolves to an IP address
  » The domain a reply would be sent to should resolve to an IP
• Does NOT perform any kind of comparison to the sender's IP

Banned Word Check

Example message: "Let us fill all your prescription drugs. Visit our online pharmacy for great prices on prescription medications. We offer the widest selection of popular drugs."
Banned words: Drugs (score 10), Pharmacy (score 5), Prescription (score 5); threshold 18; 10 + 5 + 5 = 20, so the message is marked as spam

• The FortiGate unit blocks email based on words or patterns in the message
• A weight is assigned to each banned word found in the message
• If the threshold is exceeded, the message is marked as spam
• Banned words can be defined using wildcards and regular expressions
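The banned-word scoring just described and the wildcard / regular-expression matching from the Email Address BWL slide, as an added example (not FortiOS code). The message is the slide's sample text; the word list, the BWL entries, the sender addresses and helper names such as check_email_bwl are constructed for the illustration.

```python
"""Banned-word scoring and email-address black/white list (BWL) matching.

Added example, not FortiOS code. It reproduces the scoring model from the
'Banned Word Check' slide (each banned word carries a score, a word is
counted once per message however often it appears, and the message is spam
when the total exceeds the threshold) and the wildcard / regular-expression
pattern types the BWL slides mention. The sample message and lists below are
constructed for the illustration; names such as check_email_bwl are invented.
"""
import re
from typing import List, Optional, Tuple

# (pattern, pattern_type, score); pattern_type is "wildcard" or "regex"
BannedWord = Tuple[str, str, int]
# (pattern, pattern_type, action); action is "spam" or "clear", first match wins
BwlEntry = Tuple[str, str, str]

# Constructed from the slide's example text.
SAMPLE_MESSAGE = (
    "Let us fill all your prescription drugs. Visit our online pharmacy for "
    "great prices on prescription medications. We offer the widest selection "
    "of popular drugs."
)
BANNED_WORDS: List[BannedWord] = [
    ("drugs", "wildcard", 10),
    ("pharmac*", "wildcard", 5),          # wildcard: pharmacy, pharmacies, ...
    ("prescription", "wildcard", 5),
    (r"v[i1]agr+a", "regex", 10),         # regex: obfuscated spellings
]
BWL_ENTRIES: List[BwlEntry] = [
    ("*@acme.com", "wildcard", "clear"),  # trusted partner domain
    (r".*@.*\.example$", "regex", "spam"),
]


def wildcard_to_regex(pattern: str) -> str:
    """Translate a FortiGate-style wildcard (* and ?) into a regex fragment."""
    return re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")


def banned_word_score(text: str, banned: List[BannedWord]) -> Tuple[int, List[str]]:
    """Sum the scores of banned words present in `text`; each entry counts once."""
    total, hits = 0, []
    for pattern, ptype, score in banned:
        rx = wildcard_to_regex(pattern) if ptype == "wildcard" else pattern
        if re.search(r"\b(?:" + rx + r")\b", text, re.IGNORECASE):
            total += score
            hits.append(pattern)
    return total, hits


def is_spam_by_banned_words(text: str, banned: List[BannedWord], threshold: int = 18) -> bool:
    """Spam when the total score exceeds the threshold (20 > 18 in the slide)."""
    return banned_word_score(text, banned)[0] > threshold


def check_email_bwl(sender: str, entries: List[BwlEntry]) -> Optional[str]:
    """Return the action of the first BWL entry matching the whole sender address, else None."""
    for pattern, ptype, action in entries:
        rx = wildcard_to_regex(pattern) if ptype == "wildcard" else pattern
        if re.fullmatch(rx, sender, re.IGNORECASE):
            return action
    return None


def classify(sender: str, body: str) -> str:
    """The BWL decides first, as it runs earlier in the filter order; otherwise banned words."""
    action = check_email_bwl(sender, BWL_ENTRIES)
    if action is not None:
        return action
    return "spam" if is_spam_by_banned_words(body, BANNED_WORDS) else "clear"
```

Note the asymmetry built into the two matchers: a banned word only has to occur somewhere in the text, so it is searched with word boundaries, whereas a BWL entry has to describe the entire sender address, so it is matched with fullmatch; a BWL wildcard of acme.com alone would therefore match nothing.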
Course 201 - Administration, Content Inspection and VPNs Email Filtering

MIME Headers Check

• The FortiGate unit can check the MIME header information of incoming email messages
  » If a match is found in the header list configured on the device, the corresponding action is taken
• Configured through the CLI only:
    config spamfilter mheader

DNSBL and ORDBL Check

• The FortiGate unit can compare the IP address or domain name of an incoming email message against third-party DNSBL and ORDBL lists
  » Match IP addresses or domain names of known spammers
• Configured through the CLI only:
    config spamfilter dnsbl
    config spamfilter ordbl
Course 201 - Administration, Content Inspection and VPNs Email Filtering

Request Removal From FortiGuard

• Spam filtering is best effort, so false positives can occur periodically
  » Submit details to the Spam department at: www.fortiguard.com/antispam/antispam.html

FortiGuard Email Filtering Options

• Caching reduces FortiGuard requests and can improve performance
  » Cached items: sender IP address (e.g. 10.10.10.1), URL (e.g. www.acme.com) and message checksum (e.g. x65Fsd34c)
• A small percentage of system memory is dedicated to the cache
• Query results are cached until the TTL setting is reached
• Alternate port 8888 is available for access to the FortiGuard servers
Course 201 - Administration, Content Inspection and VPNs Email Filtering

Email Filter Profile

21

Labs

• Lab 1: Email Filtering


» Ex 1: Configuring FortiGuard AntiSpam

22

103
01-50000-0201-20130215-C
Course 201 - Administration, Content Inspection and VPNs Email Filtering

Classroom Lab Topology

23

104
01-50000-0201-20130215-C
Web Filtering
Module 9

© 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C

Module Objectives

• By the end of this module participants will be able to:
  » Identify the web filtering mechanisms used on the FortiGate device
  » Create web content and URL filters
  » Configure FortiGuard Web Filtering
  » Configure FortiGuard Web Filtering exemptions and rating overrides
  » Define firewall policies using web filter profiles
Web Filtering

• Means of controlling the web content that a user is able to view
  » Preserve employee productivity
  » Prevent network congestion where valuable bandwidth is used for non-business purposes
  » Prevent loss or exposure of confidential information
  » Decrease exposure to web-based threats
  » Limit legal liability when employees access or download inappropriate or offensive material
  » Prevent copyright infringement caused by employees downloading or distributing copyrighted materials
  » Prevent children from viewing inappropriate material

Proxy-Based Web Filtering

• Proxy-based solution: the FortiGate unit acts as an intermediary between client and server
• Inspects the full URL
• Allows customizable block pages to be displayed when sites are blocked
• Most resource-intensive option
• Lowest throughput
• Most options available in the Advanced section
• The inspection mode is selected in the web filter profile

Flow-Based Web Filtering

• Non-proxy solution that uses the IPS engine to perform inspection
• High throughput
• Inspects the full URL
• FortiGuard Web Filtering override does not apply when flow-based inspection is enabled
• Few Advanced options available
• The inspection mode is selected in the web filter profile

DNS-Based Web Filtering

• DNS-proxy solution that uses the client's DNS queries to decide access
• DNS queries are redirected to the FortiGuard SDNS server
• Very lightweight
• SSL inspection is never required, because no HTTP traffic is examined
• Cannot inspect the URL, only the hostname being resolved (DNS)
• Supports URL filtering and FortiGuard category filtering only
• No individual block pages; blocked requests can be redirected to a portal
• Web site access by IP address involves no DNS lookup and is therefore not filtered
• The inspection mode is selected in the web filter profile
When Does Filtering Activate?

Sequence for a request to www.acme.com, as drawn on the slide:
DNS Request -> DNS Response (DNS-based filtering acts here, on the hostname) -> TCP 3-Way Handshake -> HTTP GET -> HTTP 200 (proxy-based and flow-based filtering act here, on the full URL and the returned content)

HTTP Inspection Order

Inspection proceeds through the following stages. At each stage a Block verdict displays the block page and stops inspection; Allow passes the request to the next stage:

1. Web URL Filter: Exempt = the request is exempt from ALL further inspection; Block = block page; Allow = continue
2. FortiGuard URL Filter (category rating): Block = block page; Allow = continue
3. Advanced Filter: Block = block page; Allow = continue
4. Content Filter: Block = block page; Allow = continue
5. Virus Scan: Block = block page; Allow = display page
Types of Web Filtering

• Proxy-Based
  » Highly secure
  » Traffic is cached
• Flow-Based
  » High throughput
  » No caching
  » Not as secure
• DNS-Based
  » Very lightweight
  » Hostname filtering only
  » No advanced options, URL and FortiGuard only
Web Content Filtering

• Allow or block web pages containing specific words or patterns
  » Wildcards or regular expressions are used to define patterns
  » The pattern list is created in the CLI
• Scores for matched patterns are added
  » If the total is greater than the threshold, the FortiGate unit performs the configured action (Block or Exempt)
  » If a pattern appears multiple times on a web page, its score is only counted once

Example from the slide (www.acme.com): Drugs score=10, Pharmacy score=5, Prescription score=5; 10 + 5 + 5 = 20 exceeds the threshold of 18
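The scoring rule on this slide is the same one the banned word check uses in the Email Filtering module: every configured pattern that appears in the text adds its score once, and the configured action fires when the total is greater than the threshold. The following Python is an added example written for this guide, not FortiGate code or a FortiOS configuration. The pattern list (Drugs=10, Pharmacy=5, Prescription=5, threshold 18) follows the slide; the wildcard-to-regex translation and the two sample texts are constructed for illustration.

```python
"""Weighted pattern scoring shared by the banned word check and the web content
filter: each configured pattern found in the text adds its score once, and the
configured action fires when the total is greater than the threshold.

Added example, not FortiGate code. The pattern list follows the slide; the
wildcard-to-regex translation and the sample texts are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Pattern:
    text: str
    score: int
    kind: str = "wildcard"  # "wildcard" or "regex"

    def compiled(self) -> re.Pattern[str]:
        if self.kind == "regex":
            return re.compile(self.text, re.IGNORECASE)
        # Wildcard form (assumed semantics): '*' matches any run of word characters,
        # '?' exactly one, and the match must cover a whole word so that "drugs"
        # does not fire on "drugstore".
        body = re.escape(self.text).replace(r"\*", r"\w*").replace(r"\?", r"\w")
        return re.compile(r"\b" + body + r"\b", re.IGNORECASE)


def content_score(text: str, patterns: Iterable[Pattern]) -> int:
    """Add the score of every pattern that occurs at least once in the text.

    A pattern that appears many times still counts once, so repeating a cheap
    word does not push a message or page over the threshold by itself."""
    return sum(p.score for p in patterns if p.compiled().search(text))


def classify(text: str, patterns: Iterable[Pattern], threshold: int) -> Tuple[int, bool]:
    """Return (score, exceeded); exceeded is True when score > threshold, which is
    when the configured action (tag as spam, block, exempt) is applied."""
    score = content_score(text, patterns)
    return score, score > threshold


# Constructed pattern list mirroring the slide: Drugs=10, Pharmacy=5, Prescription=5.
PATTERNS = (
    Pattern("drugs", 10),
    Pattern("pharmac*", 5),                       # wildcard: pharmacy, pharmacies, ...
    Pattern(r"prescriptions?", 5, kind="regex"),  # regular expression
)
THRESHOLD = 18

# Constructed sample texts (not from the course).
SPAM_SAMPLE = (
    "Cheap medications. We offer the widest selection of popular drugs. "
    "Our pharmacy fills every prescription. Prescription! Prescription!"
)
CLEAN_SAMPLE = "Pharmacy opening hours and how to renew a prescription."

if __name__ == "__main__":
    for sample in (SPAM_SAMPLE, PATTERNS and CLEAN_SAMPLE):
        score, exceeded = classify(sample, PATTERNS, THRESHOLD)
        verdict = "action (spam/block)" if exceeded else "allow"
        print(f"score={score} threshold={THRESHOLD} -> {verdict}")
```

The first sample scores 20 (the repeated "Prescription" adds only 5) and triggers the action; the second scores 10 and is allowed. When tuning a real pattern list, the whole-word anchoring matters as much as the weights: an unanchored "drug" would also hit "drugstore" and "drug interaction" on legitimate pharmacy pages.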

Web URL Filtering

• Control web access by allowing or blocking URLs
  » Text, wildcards or regular expressions can be used to define the URL patterns
  » Entries are checked in order and the first match decides; if no entry matches, inspection goes on to the next enabled check
• Possible web URL filter actions are:
  » Allow
  » Block
  » Monitor
  » Exempt

Example from the slide: a request for www.mypage.com/index.html is compared against a URL filter list containing www.example.com, www.abc.com and www.mypage.com/index.html; the action configured on the matching entry (Block, Allow, Monitor or Exempt) is applied to the request.
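The two slides above (the HTTP Inspection Order and this URL filter list) describe a pipeline: the URL filter list is walked top down, the first matching entry decides, and an Exempt verdict removes the request from every later stage, including FortiGuard rating and the virus scan. The Python below is an added example written for this guide, not FortiGate code. The URL filter list, the category table standing in for a FortiGuard lookup and the response bodies are constructed, the advanced and content filter stages are left out, and the three match types are simplified (simple = host plus any path beneath it, wildcard = "*" matches anything, regex = Python re).

```python
"""First-match URL filtering followed by the HTTP inspection order of the slide:
Web URL Filter -> FortiGuard category -> (advanced/content filters omitted) -> virus scan.

Added example, not FortiGate code. The URL filter list, the category table that
stands in for a FortiGuard rating lookup and the response bodies are constructed,
and the three match types are simplified: simple = host plus any path beneath it,
wildcard = '*' matches anything, regex = Python re.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Sequence, Tuple

ALLOW, BLOCK, MONITOR, EXEMPT = "allow", "block", "monitor", "exempt"

# The standard EICAR anti-virus test string; the virus-scan stage below looks for it.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass(frozen=True)
class UrlFilterEntry:
    pattern: str
    kind: str    # "simple", "wildcard" or "regex"
    action: str  # ALLOW, BLOCK, MONITOR or EXEMPT

    def matches(self, url: str) -> bool:
        if self.kind == "simple":
            return url == self.pattern or url.startswith(self.pattern + "/")
        if self.kind == "wildcard":
            regex = "^" + ".*".join(re.escape(part) for part in self.pattern.split("*")) + "$"
            return re.match(regex, url, re.IGNORECASE) is not None
        return re.search(self.pattern, url, re.IGNORECASE) is not None


def url_filter(entries: Sequence[UrlFilterEntry], url: str) -> Optional[str]:
    """Entries are evaluated top down and the first match decides; None = no match."""
    for entry in entries:
        if entry.matches(url):
            return entry.action
    return None


def inspect(url: str, body: str, entries: Sequence[UrlFilterEntry],
            category_of: Callable[[str], str], blocked_categories: Iterable[str]) -> Tuple[str, str]:
    """Return (verdict, stage): verdict is "pass" or "block", stage names the decider."""
    action = url_filter(entries, url)
    if action == EXEMPT:
        # Exempt removes the request from ALL further inspection: no category
        # rating, no content filtering and no virus scan.
        return "pass", "url-filter-exempt"
    if action == BLOCK:
        return "block", "url-filter"
    # ALLOW, MONITOR (logged but allowed) and "no entry matched" all continue.
    host = url.split("/", 1)[0]
    if category_of(host) in set(blocked_categories):
        return "block", "fortiguard-category"
    if EICAR in body:
        return "block", "virus-scan"
    return "pass", "display-page"


# Constructed URL filter list; the more specific entry sits above the broader one.
URL_FILTER = [
    UrlFilterEntry("www.mypage.com/index.html", "simple", BLOCK),
    UrlFilterEntry("www.mypage.com", "simple", ALLOW),
    UrlFilterEntry("*.trusted.example*", "wildcard", EXEMPT),
    UrlFilterEntry(r"\.exe$", "regex", BLOCK),
]

# Constructed stand-in for the FortiGuard rating service (hostname -> category).
FORTIGUARD_CATEGORIES: Dict[str, str] = {
    "www.mypage.com": "Business",
    "games.example.net": "Games",
    "files.trusted.example": "Business",
}
BLOCKED_CATEGORIES = {"Games", "Malicious Websites"}


def lookup_category(host: str) -> str:
    return FORTIGUARD_CATEGORIES.get(host, "Unrated")


def demo(url: str, body: str = "") -> Tuple[str, str]:
    return inspect(url, body, URL_FILTER, lookup_category, BLOCKED_CATEGORIES)


if __name__ == "__main__":
    for url, body in (("www.mypage.com/index.html", ""), ("www.mypage.com/about", ""),
                      ("games.example.net/play", ""), ("www.mypage.com/eicar.com", EICAR),
                      ("files.trusted.example/eicar.com", EICAR)):
        print(f"{url:40} -> {demo(url, body)}")
```

The last case is the one to remember: a file carrying the EICAR test string is blocked by the virus scan when it comes from www.mypage.com, but passes untouched from the Exempt host. Keep Exempt entries as narrow as possible and prefer Allow, which still sends the traffic through the remaining stages.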

Forcing Safe Search

• Safe Search is used by search sites to prevent explicit web sites and images from appearing in search results
• The FortiGate unit rewrites the search URL to include the parameters required to enable Safe Search
  » Supported for Google, Bing and Yahoo!
  » Does not force strict safe search
• YouTube EDU filtering is available
  » The YouTube EDU registration instructions include the value to enter on the FortiGate unit
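The rewrite described on the Safe Search slide is a query-string edit performed by the proxy: whatever the client sent for the provider's safe-search parameter is discarded and the enforcing value is appended. The Python below is an added example written for this guide, not FortiGate code. The parameter names and values in SAFE_SEARCH_PARAMS and the single hostname per provider are assumptions for illustration; check the provider's and FortiOS documentation for the values actually in use.

```python
"""Force Safe Search by rewriting the search URL, the way a web-filtering proxy does.

Added example, not FortiGate code. The parameter names and values below are
assumptions for illustration, and only one hostname per provider is listed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# hostname -> (query parameter, value that turns Safe Search on). Assumed values.
SAFE_SEARCH_PARAMS = {
    "www.google.com": ("safe", "active"),
    "www.bing.com": ("adlt", "strict"),
    "search.yahoo.com": ("vm", "r"),
}


def force_safe_search(url: str) -> str:
    """Return the URL with the provider's Safe Search parameter set.

    Any value the client supplied for that parameter (for example safe=off) is
    dropped first, so the client cannot switch the filter back off. URLs for
    hosts that are not in the table are returned unchanged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    rule = SAFE_SEARCH_PARAMS.get(host)
    if rule is None:
        return url
    name, value = rule
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    query.append((name, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def rewrite_needed(url: str) -> bool:
    """True when the request would be changed, i.e. Safe Search was off or missing."""
    return force_safe_search(url) != url


if __name__ == "__main__":
    for u in ("http://www.google.com/search?q=kittens&safe=off",
              "http://www.bing.com/search?q=kittens",
              "http://duckduckgo.com/?q=kittens"):
        print(u, "->", force_safe_search(u))
```

Two practical caveats follow from the mechanism. The proxy can only rewrite a URL it can read, so for search engines served over HTTPS the FortiGate unit needs SSL inspection enabled on the policy before this rewrite can take effect. And, as the slide says, the rewrite enables the provider's Safe Search, not its strictest setting.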

FortiGuard Category Filter

Example from the slide: the requested URL www.mypage.com is rated into a FortiGuard category, and the action configured for that category (Allow, Block, Monitor, Warning or Authenticate) is applied.

FortiGuard Category Filter

• The FortiGate unit queries the FortiGuard Distribution Server to determine the category of a requested page
  » Action is taken based on the selection in the web filter profile
• Web filter ratings are determined by:
  » Human raters
  » Text analysis
  » Exploitation of web structure

FortiGuard Category Filter

• Split into multiple categories and sub-categories
• The category layout changes periodically as the Internet changes
• New categories and sub-categories are released and are compatible with updated firmware
  » On older firmware, new values are mapped to existing categories
FortiGuard Caching

• Most web sites are visited over and over again
  » The FortiGate unit can remember what the response was
• Caching improves performance by reducing FortiGate unit requests to the FortiGuard servers
  » The cache is checked before a request is sent to the FortiGuard server
  » The TTL setting controls the number of seconds query results are cached
• A small amount of FortiGate unit system memory is dedicated to the cache
  » Default is 2% used for cache; can be increased to 15% from the CLI
• UDP port 53 is used for FortiGuard communications
  » Alternate port number 8888 can be used

• KB Article IDs: 11779, FD32121, FD30088

FortiGuard Usage Quotas

• Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured)
  » Example from the slide: a quota applied to the "Games" category
• If authentication is enabled, the quota is automatically tracked per user; otherwise it is tracked per source IP address
• Can only apply to categories with the actions Monitor, Warn or Authenticate

Rating Submissions

• Requests for the rating of a web site, or to have a web site's rating re-evaluated, can be submitted by accessing:
  » http://www.fortiguard.com/ip_rep.php
Rating Override

Example from the slide: www.acme.com is rated by FortiGuard as General Organizations; a rating override reassigns it to the sub-category Information and Computer Security.

Rating Override

• Can override the rating applied to a hostname by FortiGuard Subscription Services
  » The hostname is reassigned to a completely different category and uses that category's action
• The override applies to this FortiGate unit only
  » Changes are not submitted to FortiGuard Subscription Services
• Hostnames only
  » google.com
  » www.google.com
  » www.google.com/index.html contains a path and is not a valid override entry
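The FortiGuard caching slides (in the Email Filtering module and in this one) and the rating override slide describe the two shortcuts taken before a rating query leaves the unit: a local override answers immediately and is never sent upstream, and a cached answer is reused until its TTL expires. The Python below is an added example written for this guide, not FortiGate code. FORTIGUARD_RATINGS stands in for the FortiGuard Distribution Server, the category names are constructed, the clock is injected so the TTL can be exercised, and the override table matches exact hostnames only, which is a simplification.

```python
"""Category rating with a local rating override and a TTL cache.

Added example, not FortiGate code. FORTIGUARD_RATINGS stands in for the FortiGuard
Distribution Server, the category names are constructed, and overrides match
exact hostnames only (a simplification).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed stand-in for the upstream rating service (hostname -> category).
FORTIGUARD_RATINGS: Dict[str, str] = {
    "www.acme.com": "General Organizations",
    "www.hackthissite.org": "Hacking",
    "games.example.net": "Games",
}


def valid_override_hostname(entry: str) -> bool:
    """Rating overrides take a hostname only: no scheme, port, path or query string."""
    return bool(entry) and not any(ch in entry for ch in "/?#:")


@dataclass
class RatingCache:
    """Caches upstream answers for ttl seconds; 'now' is injected so it can be tested."""
    ttl: float
    now: Callable[[], float]
    upstream_queries: int = 0
    _entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def lookup(self, hostname: str) -> str:
        hit = self._entries.get(hostname)
        if hit is not None and self.now() < hit[1]:
            return hit[0]                          # served from cache, no network query
        self.upstream_queries += 1                 # what the port 53 / 8888 traffic would carry
        category = FORTIGUARD_RATINGS.get(hostname, "Unrated")
        self._entries[hostname] = (category, self.now() + self.ttl)
        return category


def rate(hostname: str, overrides: Dict[str, str], cache: RatingCache) -> str:
    """A local override wins and never generates an upstream query; otherwise use the cache."""
    override = overrides.get(hostname)
    if override is not None:
        return override
    return cache.lookup(hostname)


if __name__ == "__main__":
    clock = [0.0]
    cache = RatingCache(ttl=3600, now=lambda: clock[0])
    overrides = {"www.acme.com": "Information and Computer Security"}
    print(rate("www.acme.com", overrides, cache), cache.upstream_queries)         # override, 0 queries
    print(rate("www.hackthissite.org", overrides, cache), cache.upstream_queries) # upstream, 1 query
    print(rate("www.hackthissite.org", overrides, cache), cache.upstream_queries) # cache hit, still 1
    clock[0] = 3601.0                                                             # TTL expired
    print(rate("www.hackthissite.org", overrides, cache), cache.upstream_queries) # re-queried, 2
```

The counter shows why the TTL matters operationally: a long TTL keeps traffic to the FortiGuard servers low but delays the effect of a corrected rating, while an override is applied instantly and only on this unit.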
Local Categories

• Sub-categories can be renamed and deleted only in the CLI:

    config webfilter ftgd-local-cat
        delete "<cat_name>"
        rename "<cat_name>" to "<cat_name>"

Warning Action

• Action = Warning (set by right-clicking the category in the GUI)
• When a user requests a page in the category, a Web Filtering Warning page is displayed and the user can choose to continue

Authenticate Action

Example from the slide: users in the Marketing group must authenticate before reaching www.hackthissite.org
Web Filter Profiles

• Web filtering, FortiGuard web filtering and advanced filtering options are enabled through web filter profiles
• The profile is in turn applied to a firewall policy
  » Any traffic being examined by the policy will have the web filtering operations applied to it

Labs

• Lab 1: Web Filtering
  » Ex 1: FortiGuard Web Filtering

Classroom Lab Topology
Application Control
Module 10

Module Objectives

• By the end of this module participants will be able to:
  » Define application control lists
  » Define firewall policies using application control lists
Application Control

• Application control is used to detect and take action on network traffic based on the application generating the traffic
  » Facebook, Skype, Gmail etc.
• Can detect application traffic even if it is carried inside other protocols
• Supports a large number of applications and categories
• DiffServ marking per application filter
• Supports shared and per-IP traffic shaping for application control

Application Control List

• An application control list defines the applications that will be subject to inspection
• For each application, the administrator can specify whether to pass or block the application traffic, in addition to other settings
• The signature set shipped with the firmware is limited; perform an AV/IPS update to obtain the current set of application signatures
Adding to the List

• Requests for additional or revised application control coverage can be submitted using FortiClient or by accessing:
  » http://www.fortiguard.com/applicationcontrol/appform.html

Application Control Profile

• Application control options are enabled through an application control sensor (the application control profile)
• The sensor is in turn applied to a firewall policy
  » Any traffic being examined by the policy will have the application control operations applied to it
Example: Facebook Application Control

• The "Facebook.app_ID" application entries allow a rule for one specific Facebook app
• Each Facebook app is assigned a unique name and ID
  » http://apps.facebook.com/<app_name>/
• For new Facebook apps not yet in the application list, a custom signature can be defined (Facebook.App.XXX, app_name and xx are placeholders to be filled in):

    F-SBID( --name "Facebook.App.XXX"; --protocol tcp; --service HTTP;
            --flow from_client; --parsed_type HTTP_GET;
            --pattern " /app_name/"; --no_case; --context uri; --within xx,context;
            --pattern "apps.facebook.com"; --no_case; --context host; )

Order of Operations

• Rules are processed from the top down
• The action of the first matching rule is applied
• A rule can name a single application or a set of applications picked from the available filter options

Implicit Rules

• One implicit rule matches traffic that matches any application control signature not covered by an explicit rule (all other known applications)
• A second implicit rule matches traffic that does not conform to any application control signature (unknown applications)
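The Facebook signature two slides back and the order of operations above fit together as follows: a signature is a set of checks on the parsed request (here a URI pattern and a Host pattern, both case-insensitive, on an HTTP GET from the client), the explicit rules are tried top down with the first match winning, and the two implicit rules catch everything else. The Python below is an added example written for this guide, not FortiGate code and not a real F-SBID parser; AppSignature keeps only the two checks the slide's signature relies on, and the signature catalog, sensor rules and HTTP requests are constructed.

```python
"""Top-down, first-match application control over a parsed HTTP request, with the
two implicit rules (all other known applications, unknown applications).

Added example, not FortiGate code or an F-SBID parser. AppSignature mirrors only
the two checks used by the Facebook signature on the slide; catalog, rules and
requests are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class HttpRequest:
    method: str
    uri: str
    host: str


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal parser for the request line and the Host header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers.get("host", ""))


@dataclass(frozen=True)
class AppSignature:
    name: str
    uri_pattern: str   # --pattern ... --context uri   (substring, --no_case)
    host_pattern: str  # --pattern ... --context host  (substring, --no_case)

    def matches(self, req: HttpRequest) -> bool:
        return (req.method == "GET"  # --parsed_type HTTP_GET; --flow from_client
                and self.uri_pattern.lower() in req.uri.lower()
                and self.host_pattern.lower() in req.host.lower())


def facebook_app_signature(app_name: str) -> AppSignature:
    """Signature for one Facebook app at http://apps.facebook.com/<app_name>/."""
    return AppSignature(f"Facebook.App.{app_name}", f"/{app_name}/", "apps.facebook.com")


def apply_sensor(req: HttpRequest,
                 rules: Sequence[Tuple[AppSignature, str]],
                 catalog: Sequence[AppSignature],
                 other_known_action: str = "pass",
                 unknown_action: str = "pass") -> Tuple[str, str]:
    """Return (matched application name, action).

    Explicit rules are tried top down and the first match wins. Then the two
    implicit rules apply: any other catalog signature that matches gets
    other_known_action; traffic matching no signature at all gets unknown_action."""
    for signature, action in rules:
        if signature.matches(req):
            return signature.name, action
    for signature in catalog:
        if signature.matches(req):
            return signature.name, other_known_action
    return "Unknown", unknown_action


# Constructed catalog (what an AV/IPS update would deliver) and sensor rules.
CATALOG = [facebook_app_signature(app) for app in ("farmville", "chess", "poker")]
RULES = [
    (facebook_app_signature("farmville"), "block"),
    (facebook_app_signature("chess"), "pass"),
]

# Constructed requests.
REQ_FARMVILLE = b"GET /farmville/index.php HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n"
REQ_POKER = b"GET /poker/ HTTP/1.1\r\nHost: APPS.FACEBOOK.COM\r\n\r\n"
REQ_POST = b"POST /farmville/ HTTP/1.1\r\nHost: apps.facebook.com\r\n\r\n"
REQ_OTHER = b"GET /index.html HTTP/1.1\r\nHost: www.acme.com\r\n\r\n"


def decide(raw: bytes) -> Tuple[str, str]:
    return apply_sensor(parse_http_request(raw), RULES, CATALOG,
                        other_known_action="monitor", unknown_action="pass")


if __name__ == "__main__":
    for raw in (REQ_FARMVILLE, REQ_POKER, REQ_POST, REQ_OTHER):
        print(raw.split(b"\r\n", 1)[0].decode(), "->", decide(raw))
```

The POST request is the instructive case: the slide's signature is written for HTTP_GET only, so the same app reached through a POST falls through to the "unknown applications" rule. That is exactly the "pattern match, not a scan" behaviour described on the Under the Hood slide, and it is why the implicit rules' actions deserve as much thought as the explicit ones.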

Creating a Filter Rule

Categories

• The full list of categories and descriptions is available at:
  » http://www.fortiguard.com/applicationcontrol/appcontrol.html
• Keep the signature database updated when using application control
  » Signatures change and are added with each update

Proper Identification

How Does My Software Actually Work?

Under the Hood

• Application control looks at packets and performs a pattern match comparison to determine the traffic type
• It does not scan either endpoint system
  » It only reports that packets match an enabled pattern

Peer-to-Peer Detection

• Traditional file transfer
  » 1 client
  » 1 server
• Peer-to-peer transfer
  » 1 client
  » N servers
• Why is P2P traffic so difficult to detect?

Labs

• Lab 1: Application Identification
  » Ex 1: Creating an Application Control list

Classroom Lab Topology
FortiGate Multi-Threat Security Systems I
Administration, Content Inspection and VPNs

Student Lab Guide for FortiOS 5.0 (Revision C)
Course 201

01-50000-0201-20130215-C
www.fortinet.com
 Table of Contents

VIRTUAL LAB ENVIRONMENT BASICS ........ 3
    Topology for Labs ........ 3
    Logging in to the Virtual Lab Environment ........ 4

CLASSROOM LAB CONFIGURATION ........ 8

MODULE 1 ........ 9
  Lab 1: Initial Setup and Configuration ........ 9
    Exercise 1 (Optional) Configuring Network Interfaces on Student and Remote FortiGate Devices ........ 10
    Exercise 2 Exploring the Command Line Interface ........ 12
    Exercise 3 Restoring Configuration Files on the Student and Remote FortiGate Devices ........ 14
    Exercise 4 Performing Configuration Backups ........ 16
  Lab 2: Administrative Access ........ 18
    Exercise 1 Profiles and Administrators ........ 18
    Exercise 2 Restricting Administrator Access ........ 20

MODULE 2 ........ 21
  Lab 1: Status Monitor and Event Log ........ 21
    Exercise 1 Exploring the GUI Status Monitor ........ 21
    Exercise 2 Event Log and Logging Options ........ 23
  Lab 2: Remote Monitoring ........ 25
    Exercise 1 Remote Syslog Logging and SNMP Monitoring ........ 25

MODULE 3 ........ 28
  Lab 1: Firewall Policy ........ 28
    Exercise 1 Creating Firewall Objects and Rules ........ 28
    Exercise 2 Policy Action ........ 30
    Exercise 3 Configuring Virtual IP Access ........ 31
    Exercise 4 Configuring IP Pools ........ 34
  Lab 2: Traffic Log ........ 36
    Exercise 1 Enabling Traffic Logging ........ 36
    Exercise 2 Device Policies ........ 37

MODULE 4 ........ 42
  Lab 1: User Authentication ........ 42
    Exercise 1 Identity-based Firewall Policy ........ 42

MODULE 5 ........ 44
  Lab 1: SSL VPN ........ 44
    Exercise 1 Configuring SSL VPN for Web Access ........ 44
    Exercise 2 Configuring SSL VPN for Tunnel Mode ........ 48

MODULE 6 ........ 51
  Lab 1: IPSec VPN ........ 51
    Exercise 1 Site to Site IPsec VPN ........ 51

MODULE 7 ........ 54
  Lab 1: Antivirus Scanning ........ 54
    Exercise 1 Antivirus Testing ........ 54

MODULE 8 ........ 57
  Lab 1: Email Filtering ........ 57
    Exercise 1 Configuring FortiGuard AntiSpam ........ 57

MODULE 9 ........ 59
  Lab 1: Web Filtering ........ 59
    Exercise 1 FortiGuard Web Filtering ........ 59

MODULE 10 ........ 63
  Lab 1: Application Identification ........ 63
    Exercise 1 Creating an Application Control List ........ 63

APPENDIX A: ADDITIONAL RESOURCES ........ 65
 Virtual Lab Environment Basics

This section provides details of the virtual lab environment that will be used for the hands-on labs in
this course. Steps are included for connecting to the virtual environment along with troubleshooting
tips to help students easily navigate the lab configuration.

Alert: The following section is only applicable to the Fortinet hosted virtual lab
environment. Please ignore this section if you are using an alternate classroom lab
environment unless otherwise directed by your trainer. If you are uncertain, consult your
trainer to find out which lab setup documentation you must follow.

The network diagram below shows the configuration of the virtual environment that students will use
in the course.

1. Run the TrueLab System Checker to verify the compatibility of your computer with the virtual
   lab environment. Use the URL that is specific to your location.
   Americas:
   http://truelab.hatsize.com/syscheck

   EMEA:
   http://truelab.hatsize.com/syscheck/frankfurt/

   APAC:
   http://truelab.hatsize.com/syscheck/singapore/
   Click Run if a security warning window appears.

   The TrueLab System Checker will determine whether a connection can be established from
   the PC to the TrueLab environment. It can also help troubleshoot connectivity problems
   related to the Java Virtual Machine, company firewall, or proxy server.
   If the PC is able to connect to the TrueLab virtual lab environment, a Success
   message will be displayed.

   If a status of Failed is displayed, check the on-screen messages to identify potential problem
   areas or click the Troubleshooter link to help diagnose any problems that were encountered.
   For assistance with troubleshooting, speak to your instructor.

2. If a status of SUCCESS is displayed, log in to the virtual lab portal by browsing to the
   following URL:
   Americas:
   http://remotelabs.training.fortinet.com/

   EMEA:
   http://virtual.mclabs.com/

   Enter the username and password provided by the instructor and click LOGIN.

3. Select the time zone for your location from the drop-down menu and click UPDATE.
   By selecting the proper time zone you ensure that the class schedule is accurate.

4. The virtual lab Java applet is launched. Select a resolution for the applet and click Open to
   access the Windows 2003 Server device in the virtual lab environment. This will serve as the
   primary student machine for the classroom exercises.
   Note: If for any reason the connection to the virtual Windows 2003 Server is lost, regain
   access by selecting Operations > Disconnect and then Operations > Connect to Primary from
   the menu.

5. To connect to other virtual machines in this environment go to Operations > Connect to
   Secondary and select one of the available machines in the list.

   The instructor will provide a description of each of the virtual systems available to you in the
   virtual lab environment.

Troubleshooting Tips

• It is not recommended to connect to the virtual lab environment using a wireless (Wi-Fi)
  connection or a VPN tunnel. For optimal performance, connect to the lab environment
  through a dedicated LAN connection.

• Ensure that the company network or firewall policies are not blocking Java applets.

• Students should ensure that the following settings are configured on their computer:
  − Screen savers should be disabled on the computer
  − The Power Scheme used on the computer should be set to Always on
  − In the Java Control Panel (located in the Windows Control Panel) ensure that Java
    console is set to Show console. It is recommended that the Java console be left open
    as it often provides useful logs for troubleshooting.

• If you get disconnected unexpectedly from any of the virtual machines (or from the virtual
  lab portal), reattempt the connection. If you are still unable to reconnect after multiple
  attempts, notify the instructor.

• If during the labs, particularly when reloading configuration files, you see a message
  similar to the one shown below, go to the console and enter the following CLI command:
      execute update-now

  This message indicates that the FortiGate VM is waiting for a response from the FortiGuard
  server that validates its license. The command execute update-now resends the request and
  forces a response.
 Classroom Lab Configuration

The following diagram illustrates the classroom network configuration that will be used for the labs in
this course. Each student has an identical lab environment and has full control of their lab devices.

Each student will manage the following devices:

− Windows 2003 Server (student working device)
− 2 FortiGate devices
− Windows XP
− Linux Server

Lab 1: Initial Setup and Configuration

This first lab will provide an initial orientation to the CLI and administrative GUI and will guide the
student through the basic setup of the FortiGate unit. This lab will demonstrate how to properly
back up and restore a configuration file, as well as manipulate administrative access to a FortiGate
unit.

Objectives:

− Distinguish between an encrypted and non-encrypted configuration file
− Describe how to back up and restore configuration files
− Recognize model and build information inside a configuration file

Estimated time to complete this lab: 15 minutes
 Lab 1: Initial Setup and Configuration

The steps below only need to be performed if your virtual lab set-up has been started from a blank
FortiGate image. Before proceeding, please check with your instructor to confirm if these steps are
required for your particular classroom lab configuration.

1. Connect to the console of the Student FortiGate device (in the virtual lab applet, go to
Operations > Connect to Secondary > Student) and at the login screen, enter the default
username of admin (all lowercase) and leave the password blank.

2. To access the Student FortiGate device using the GUI, you must first modify the port3
interface settings by executing the following CLI commands:
conf system interface
edit port3
set ip 10.0.1.254/24
set allowaccess http
end

You have now configured the port3 interface with a proper IP address and device access
settings.

3. Enter the following command to check your configuration:


show system interface

4. Open a web browser and enter the following URL to access the GUI for the Student
FortiGate device:
http://10.0.1.254

Accept the FortiGate unit’s self-signed certificate or security exemption if a security warning
appears.

HTTPS is the recommended protocol for administrative access to the FortiGate unit. Other
available protocols include SSH, PING, SNMP, HTTP and Telnet.

Note: To access the FortiGate GUI using a standard web browser, cookies and JavaScript
must be enabled for proper rendering and display of the graphical user interface.

P a g e | 10
Course 201 – Administration, Content Inspection and VPNs
01-50000-0201-20130215-C
 Lab 1: Initial Setup and Configuration

The login page of the Student FortiGate device should now be displayed. Please do not log
in at this point. You will have the opportunity to explore the FortiGate unit’s GUI in a later
exercise.

If you are not presented with a login page, check with your Instructor before proceeding.

5. Connect to the console of the Remote FortiGate device (in the virtual lab applet, go to
Operations > Connect to Secondary > Remote) and at the login screen, enter the default
username of admin (all lowercase) and leave the password blank.
6. Enter the following CLI commands to set the port4 IP address and access control settings for
your device.
conf system interface
edit port4
set ip 10.200.3.1/24
set allowaccess http
end

7. You will also need to set a route to allow connections from your remote Windows Server host.
Execute the following commands to set this static route. (Routing will be explained in more
detail in a later section.)
conf route static
edit 0
set device port4
set gateway 10.200.3.254
end

8. Enter the following commands to check your configuration:
show system interface
show router static
At this stage, you will not be able to connect to the Remote FortiGate device until you have
configured your Student FortiGate device with routing information and a firewall policy to
allow that management traffic. This configuration will be added later.


In this exercise, students will be introduced to the FortiGate unit’s command line interface (CLI).

1. Connect to the console of the Student FortiGate device and, at the login prompt, log in
with the default username admin (all lowercase) and no password.
2. Type the following command to display status information about the FortiGate unit:
get system status

The output displays the FortiGate unit serial number, firmware build, operational mode, and
additional settings.

Confirm that the firmware build is the correct version for this class.

3. Type the following command to see a full list of accepted objects for the get command:
get ?

Note: The ? character is not displayed on the screen.

At the --More-- prompt in the CLI, press the spacebar to continue scrolling or <enter> to
scroll one line at a time. Press <q> to exit.
Depending on objects and branches used with this command, there may be other sub-
keywords and additional parameters to enter.

4. Press the up arrow key to display the previous get system status command and try
some of the control key sequences that are summarized below.
Previous command                 up arrow, or CTRL+P
Next command                     down arrow, or CTRL+N
Beginning of line                CTRL+A
End of line                      CTRL+E
Back one word                    CTRL+B
Forward one word                 CTRL+F
Delete current character         CTRL+D
Abort command and exit branch    CTRL+C
Clear screen                     CTRL+L
CTRL+C is context sensitive and in general aborts the current command and moves up to
the previous command branch level. If already at the root branch level, CTRL+C will force a
logout of the current session and another login will be required.


5. Type the following command and press the <tab> key 2 or 3 times.
execute <tab>

Each press of <tab> completes the command with the next available execute keyword, so
repeated presses cycle through the list of system utility commands one at a time.

6. Type the following command to see the entire list of execute commands:
execute ?

7. Enter the following CLI commands and compare the available keywords for each one:
config ?
show ?

config enters a configuration branch so that settings can be changed, while show only
displays the configuration. By default show prints only the settings that differ from the
factory-default configuration; show full-configuration prints every setting, including those
still at their default values, and is the form to use when a complete record of a branch is
needed.

8. Enter the following CLI commands to display the FortiGate unit’s internal interface
configuration settings and compare the output for each of them:
show system interface port3
show full-configuration system interface port3

CLI keywords can be abbreviated: only enough leading characters to make the keyword unique
need to be typed, optionally followed by <tab> to complete it. For example, the first command
above can be entered as sh sys int port3. Use this technique to reduce the number of
keystrokes needed to enter information; an abbreviation that matches more than one keyword
is rejected.
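As an added illustration (not part of the course material and not FortiOS code), the following Python script models how a CLI resolves such abbreviations against a command tree: a token expands to the single keyword it is a prefix of, an exact keyword wins over longer ones, and a prefix shared by several keywords is rejected as ambiguous. The command tree is a small hand-written subset assumed for the example.

```python
"""Prefix-abbreviation resolver in the style of the FortiOS CLI.

Added example, not Fortinet code. The command tree below is a tiny,
hand-written subset used only for illustration.
"""

# Keywords accepted at each level; a dict maps a keyword to the keywords
# that may follow it, and None marks a leaf that takes free-form arguments.
COMMAND_TREE = {
    "show": {"system": {"interface": None, "admin": None, "accprofile": None},
             "router": {"static": None},
             "full-configuration": {"system": {"interface": None}}},
    "get": {"system": {"status": None, "session": {"list": None}}},
    "config": {"system": {"interface": None, "global": None, "admin": None}},
    "execute": {"formatlogdisk": None, "reboot": None},
}


class AmbiguousKeyword(ValueError):
    """Raised when an abbreviation matches more than one keyword."""


def expand(token, candidates):
    """Return the single keyword in candidates that token is a prefix of."""
    matches = [k for k in candidates if k.startswith(token)]
    if len(matches) == 1:
        return matches[0]
    if token in matches:          # an exact keyword beats longer keywords
        return token
    if not matches:
        raise KeyError(f"unknown keyword {token!r}")
    raise AmbiguousKeyword(f"{token!r} could be any of {sorted(matches)}")


def resolve(command, tree=COMMAND_TREE):
    """Expand every abbreviated keyword in command; arguments pass through."""
    out, level = [], tree
    for token in command.split():
        if level is None:         # leaf reached: remaining tokens are arguments
            out.append(token)
            continue
        word = expand(token, level)
        out.append(word)
        level = level[word]
    return " ".join(out)


def is_ambiguous(command):
    """True when command contains an abbreviation with several expansions."""
    try:
        resolve(command)
    except AmbiguousKeyword:
        return True
    return False


if __name__ == "__main__":
    print(resolve("sh sys int port3"))   # show system interface port3
    print(is_ambiguous("sh sys a"))      # admin or accprofile: True
```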


From the Windows Server, you first will need to connect to each FortiGate device and restore the
configuration files that are needed to complete the upcoming exercises.

1. From the GUI on the Student FortiGate device go to System > Dashboard > Status. Under
System Information, click Restore.

2. Browse the Desktop and navigate to the Resources > Module1 folder.

Select the file student-initial.conf and click Restore.


After restoring the configuration the FortiGate unit will automatically reboot and a dialog
reporting the restart is displayed.

The length of the boot process is affected by how complex the configuration is. The more
complicated the configuration, the longer it will take to parse it and complete the boot process.
Most configurations take less than 1 minute to complete the reboot process.

3. Reconnect to the GUI on the Student FortiGate device and verify the restored configuration.

− Go to System > Network > Interface and check your network interfaces.

− Go to Router > Static > Static Route and check your default route.

4. Execute the following steps to check and test the Student and Remote FortiGate device DNS
configuration. This configuration will be used to simplify access to the lab devices.
− Go to System > Admin > Settings and under Display Options on GUI verify that DNS
Database is selected.
− Go to System > Network > DNS Server and review the student and remote DNS
zones.
− In the student DNS zone, verify the IPv4 Address records and Pointer records for the
Student FortiGate device and the Windows Server (10.0.1.10).
− In the Remote DNS zone, check the IPv4 Address records and Pointer records for the
Remote FortiGate device and the Windows host (10.0.2.10).

5. From a DOS command prompt on the virtual Windows Server, execute the following
commands to verify the DNS lookup functionality. DNS requests are being sent to port3, and
recursive DNS requests are allowed on this interface.
nslookup server.student.lab 10.0.1.254
nslookup fgt.student.lab 10.0.1.254
nslookup pc.remote.lab 10.0.1.254
nslookup fgt.remote.lab 10.0.1.254

Note: The parameters of the nslookup command are:
nslookup [-option] [hostname] [server]


6. In a web browser on the virtual Windows Server, connect to the following web pages to verify
that the GUI of the Student and Remote FortiGate devices can be accessed using their DNS
hostnames:
http://fgt.student.lab
http://fgt.remote.lab

1. Connect to the GUI on the Student FortiGate device by accessing the URL:
https://fgt.student.lab

2. Go to System > Dashboard > Status and under System Information, click Backup.

Select Encrypt configuration file and enter the password: fortinet. Click Backup and
save the encrypted configuration file to the Desktop with the filename student-initial-enc.conf.

Caution: When backing up the FortiGate unit's configuration, use a naming convention that
you understand and which identifies both the date and the device. Every time you log in and
make changes to your device (even if the change seems minor or insignificant), ALWAYS take a
backup of the configuration file afterwards. A current backup is the quickest way to recover
from a mistaken change or a failed unit.


3. Next try restoring the encrypted configuration file. Browse the Desktop and navigate to the
file student-initial-enc.conf and click Restore.

This time you will need to enter the password fortinet because this file is encrypted. An
encrypted backup cannot be restored without its password, so record the password somewhere
at least as well protected as the backup itself.

Using WordPad, open the file student-initial.conf. In another instance of WordPad, open the
encrypted file student-initial-enc.conf that you saved earlier and compare the details in both.

Note: In both the normal and the encrypted configuration the top of the file acts as a
header describing the firmware build and model that the configuration belongs to. The
header is not encrypted, so even an encrypted backup reveals the model and firmware
version of the unit it came from.

Lab 2: Administrative Access

The aim of this lab will be to demonstrate how to create and modify administrative access
permissions.

– Identify the steps to create a new administrative user

– Recognize the options to restrict administrative access

Estimated time to complete this lab: 10 minutes

1. From the GUI on the Student FortiGate device, go to System > Admin > Settings and select
Enable Password Policy.
Configure the password policy using the following settings:
Minimum length: 8
Must Contain: Enable
    1 Upper Case Letter
    1 Numerical Digit
Enable Password Expiration: Enable
    90 days
Leave all other parameters at their default settings and click Apply.


2. Log out of the GUI then log back in again and you will be prompted to enter a new
administrator password. Enter a new password that meets the requirements configured
above.

3. Next, go to System > Admin > Admin Profile and create a new Admin profile called
UTM_Admin_Profile. Set UTM Security Configuration to Read-Write and set all other
permissions to Read Only.

4. Go to System > Admin > Administrators to create a new Admin user. Set Admin Profile to
the new profile you created in the previous step. By doing this, you are limiting this Admin
user's access so that they will only be able to create and modify UTM profiles; every other
part of the configuration is visible to them but read-only.
Note: Administrator names and passwords are case-sensitive. You cannot include the
< > ( ) # " characters in an administrator name or password. Spaces are allowed, but
not as the first or last character. Spaces in a name or password can be confusing and
require the use of quotes to enter the name in the CLI.

To view the configuration for administrative users and profiles, type the following CLI
commands:
show system admin
show system accprofile

5. Log out of the GUI on the Student FortiGate device and log back in using the UTM-only
Admin user created earlier. The warning message “You do not have permission to access
the requested page” is displayed. Close the No Access dialog box.

6. Test this administrator’s access by attempting to create or modify various settings on the
Student FortiGate device.
For convenience in the labs, the admin password will not be set in the configuration files
used in the subsequent modules.


1. On the Remote FortiGate device, edit the admin account and enable the setting Restrict this
Admin Login from Trusted Hosts Only. Set Trusted Host #1 to the address 10.0.2.0/24.

Now, try connecting to the GUI of the Remote FortiGate device again. What is the result this
time?

Your connection reaches the Remote FortiGate device with a source address of 10.200.1.1
(the Student FortiGate device applies source NAT to it), which is outside the trusted host
10.0.2.0/24, so the login page is no longer served. The trusted host check is applied to the
source IP address before any credentials are examined.

2. Attempt to ping the IP address 10.200.3.1. You should note that the ping no longer
responds. Trusted host restrictions apply to all administrative access to the unit, including
PING, not only to the GUI.

3. Go to the console of the Remote FortiGate device and enter the following CLI commands to
add 10.200.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin
account:
conf sys admin
edit admin
set trusthost2 10.200.0.0/16
end

A /16 is a wide range for a trusted host and is used here only to keep the lab simple; in
production, list the specific management addresses or subnets that administrators connect
from.

4. Test the GUI and ping access again to the IP address 10.200.3.1. You should now be
able to connect to the GUI of the Remote device and ping it as well.

5. Go to System > Dashboard > Status and under System Information, click Details for Current
Administrator.
The administrators currently logged in to the FortiGate unit are displayed.

6. By default, an administrator has a maximum of three attempts to log in to their account
before they are locked out for 60 seconds. The attempt counter is kept per source IP address,
so a lockout affects only the address that caused it.
The number of login attempts and the lockout period can be configured through the CLI. To
slow down password guessing, the maximum number of attempts can be decreased and the
lockout timer increased using the following CLI commands:
config system global
set admin-lockout-threshold 2
set admin-lockout-duration 100
end
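The following Python model is an added illustration, not FortiOS code and not part of the course, of the two controls just exercised: the trusted-host check that drops administrative connections from unlisted sources before credentials are examined, and the per-source lockout counter with its threshold and duration. The addresses, threshold and duration are the lab's; the admin password, the integer clock and the method names are assumptions of the model.

```python
"""Model of two FortiGate admin-access controls: trusted hosts and the
per-source login lockout (added example, not Fortinet code)."""
import ipaddress


class AdminGate:
    def __init__(self, password, trusthosts=(), threshold=3, duration=60):
        self.password = password
        # Trusted hosts are CIDR prefixes; an empty list means any source,
        # which is the FortiOS default of 0.0.0.0/0.
        self.trusthosts = [ipaddress.ip_network(h) for h in trusthosts]
        self.threshold = threshold      # admin-lockout-threshold
        self.duration = duration        # admin-lockout-duration (seconds)
        self.failures = {}              # source IP -> consecutive failures
        self.locked_until = {}          # source IP -> time the lockout ends

    def add_trusthost(self, prefix):
        self.trusthosts.append(ipaddress.ip_network(prefix))

    def is_trusted(self, src):
        if not self.trusthosts:
            return True
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.trusthosts)

    def login(self, src, password, now):
        """Outcome of one login attempt from src at time now (seconds)."""
        if not self.is_trusted(src):
            # Untrusted sources never reach authentication; the same check is
            # what stopped GUI access and ping in the lab.
            return "dropped: source not in trusted hosts"
        if self.locked_until.get(src, 0) > now:
            return "locked out"
        if password == self.password:
            self.failures.pop(src, None)
            return "ok"
        count = self.failures.get(src, 0) + 1
        if count >= self.threshold:
            # Threshold reached: lock this source only; others are unaffected.
            self.failures.pop(src, None)
            self.locked_until[src] = now + self.duration
            return "locked out"
        self.failures[src] = count
        return "bad password"


def lab_scenario():
    """Replay the lab: trusthost1 only, then trusthost2 added, then lockout."""
    gate = AdminGate("fortinet", trusthosts=["10.0.2.0/24"])   # password assumed
    results = []
    # Student GUI traffic arrives source-NATed as 10.200.1.1, outside 10.0.2.0/24.
    results.append(gate.login("10.200.1.1", "fortinet", now=0))
    gate.add_trusthost("10.200.0.0/16")                     # step 3 of the lab
    results.append(gate.login("10.200.1.1", "fortinet", now=1))
    # Three wrong passwords from one source trigger the default lockout.
    for t in (2, 3, 4):
        results.append(gate.login("10.200.1.1", "wrong", now=t))
    results.append(gate.login("10.200.1.1", "fortinet", now=10))   # still locked
    results.append(gate.login("10.0.2.10", "fortinet", now=10))    # other source unaffected
    results.append(gate.login("10.200.1.1", "fortinet", now=64))   # 60 s elapsed
    return results


if __name__ == "__main__":
    for outcome in lab_scenario():
        print(outcome)
```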

Lab 1: Status Monitor and Event Log

The aim of this lab is for students to work with the event log and monitoring on a FortiGate unit.

– Identify and properly enable logging of system events

– Locate event logs for specific information

Estimated time to complete this lab: 10 minutes

1. From the GUI of the Student FortiGate device, go to System > Dashboard > Status and
locate the System Resources widget.

2. Some widgets are not displayed on the dashboard by default. Click Widget to display the list
of widgets available to add to the dashboard. Click the Log and Archive Statistics widget from
the pop-up window to add it to the dashboard.

Close the widget list window.


3. Hover the mouse over the title bar of the System Resources widget and click Edit to create a
custom widget.

Configure a custom widget with the following details:
Custom Widget Name: System Resource History
View Type: Historical
Time Period: Last 60 minutes
A line chart appears in a new custom System Resource History widget showing a trace of
past CPU and memory usage.
The refresh rate of this window is automatically set to 1/20 of the time period (interval)
configured.

4. The Alert Message Console widget displays recent system events, such as system restart
and firmware upgrade.
Hover the mouse over the title bar of the Alert Message Console widget and click History to
view the entire message list.

Scroll to the bottom of the window and click Close.

5. Go to System > Dashboard and add a new dashboard. Enter any name of your choice for
the new dashboard and select the single column display.


6. Next add the Top Sessions widget on your new dashboard. Click the edit icon in the title bar
of the Top Sessions widget and observe the different ways in which Top Sessions can be
reported. For example, by top destination address, top applications etc. You can also select
to display the top sessions by Source and Destination interfaces. Create your own
customized Top Sessions widget and examine the sessions that are listed.

7. Test the functionality of the refresh, page forward, and page back icons in this window. You
may need to generate some additional traffic in order to properly test these functions.

8. Click Dashboard and select Reset Dashboards to re-display the default dashboard.

1. In this lab we will be working with local logging to the disk. On a new device you will first
need to format the hard drive.
From the Student FortiGate CLI, execute the following command to check the system status.
get system status
Verify the Log hard disk status. If it is set to Available proceed to Step 2, if the status
appears as Need format, enter the following command:
execute formatlogdisk

The device will reboot when this task is complete.

2. Once the system has restarted, check the log disk settings by executing the following
command:
config log disk setting
get
You should observe that the status is enabled and SQL logging is enabled for all log types.

3. Repeat the previous steps on the Remote FortiGate device.

4. Return to the Student FortiGate device and log out of the GUI. When logging back in, enter
an incorrect password once, then log in with the correct password. Go to Log & Report >
Event Log > System and examine the log to find the bad password event.

5. Go to Firewall Objects > Address > Address, and create a new firewall address in the
configuration. For example, set Type to FQDN and set the FQDN value to
www.fortinet.com.


6. Next go to Log & Report > Event Log > System and review the log entries.

7. Go to Log & Report > Log Config > Log Setting and uncheck the option System activity event.

Click Apply.

Different types of log entries fall into different categories. Enable logging only for the
activities that you need to monitor, otherwise your logs become cluttered with information
that is of no use to you. Administrator logins and configuration changes are the exception:
they are the audit trail you will need after an incident, and this category is disabled here
only to demonstrate its effect before being re-enabled in step 9.

8. Go to Firewall Objects > Address > Address and create another firewall address entry. Go to
Log & Report > Event Log > System and review the log entries again.
Note that the entries are no longer visible for this activity. With this option deselected in the
Event Logging settings, you will no longer see entries in the log for Admin users logging
on/off or making changes to the unit’s configuration. Other types of log entries will still appear.

9. Go to Log & Report > Log Config > Log Setting and re-enable System activity event.

Lab 2: Remote Monitoring

The aim of this lab is for students to set up logging to a remote device and monitoring of the
FortiGate unit’s behavior. It can be advantageous to use remote monitoring instead of local
monitoring in order to reduce resource usage. For example, while the GUI widgets provide useful
displays of your system information, they also carry a significant resource cost and should be used
sparingly.

– Enabling monitoring from a syslog and SNMP device

Estimated time to complete this lab: 10 minutes

The LINUX host in your student lab environment has been pre-configured for you to allow remote
syslog.

1. From the CLI on the Student FortiGate device enter the following commands to set up
logging to the syslog server:
conf log syslogd setting
set status enable
set facility local6
set server 10.200.1.254
end

By default these messages are sent unencrypted over UDP port 514 and the FortiGate unit
receives no acknowledgement that a message arrived, so the syslog server should be
reached over a management network rather than across untrusted links.

2. To generate a few sample test log messages enter the command:
diag log test

3. Repeat the previous steps from the CLI on the Remote FortiGate device.


4. From the virtual Windows Server desktop launch the putty.exe application and open an SSH
session to the LINUX host (10.200.1.254).

Log in as root with the password: password.

5. Run the following command to monitor the FortiGate unit syslog messages, which the
local6 facility maps to their own file:
tail -f /var/log/fortinet

6. Leave the SSH window open and return to the Student FortiGate device and generate some
log entries by doing the following:
− Attempt to log in with invalid credentials
− Make a minor configuration change
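The two events generated above are the ones an analyst most often wants to pull out of a FortiGate syslog feed. As an added example (not Fortinet code and not part of the course), the Python script below parses the key=value record format that FortiOS uses, strips the prefix a syslog daemon adds, and triages the records into failed administrator logins per device, user and source address, and configuration changes. The sample lines are constructed for this example to resemble the lab's failed login and firewall address change; they are not captured output, and field values such as devname, cfgpath and cfgobj are assumptions.

```python
"""Parser and triage for FortiOS event logs received on a syslog host
(added example, not Fortinet or FortiOS code)."""
import re
from collections import Counter

# Constructed sample lines, not real captures: a syslog prefix (daemon
# timestamp and sender address) followed by the FortiOS key=value record.
SAMPLE_LINES = """\
Feb 15 10:22:31 10.200.1.1 date=2013-02-15 time=10:22:31 devname=STUDENT type=event subtype=system level=alert vd="root" user="admin" ui="https(10.0.1.10)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(10.0.1.10) because of invalid password"
Feb 15 10:22:40 10.200.1.1 date=2013-02-15 time=10:22:40 devname=STUDENT type=event subtype=system level=information vd="root" user="admin" ui="https(10.0.1.10)" action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.1.10)"
Feb 15 10:23:05 10.200.1.1 date=2013-02-15 time=10:23:05 devname=STUDENT type=event subtype=system level=information vd="root" user="admin" ui="GUI(10.0.1.10)" action="Add" cfgpath="firewall.address" cfgobj="www.fortinet.com" msg="Add firewall.address www.fortinet.com"
Feb 15 10:24:11 10.200.3.1 date=2013-02-15 time=10:24:11 devname=REMOTE type=event subtype=system level=alert vd="root" user="admin" ui="https(10.200.1.1)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(10.200.1.1) because of invalid password"
Feb 15 10:24:15 10.200.3.1 date=2013-02-15 time=10:24:15 devname=REMOTE type=event subtype=system level=alert vd="root" user="admin" ui="https(10.200.1.1)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(10.200.1.1) because of invalid password"
"""

# key=value where the value is a double-quoted string (may contain spaces)
# or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# IPv4 address inside a ui value such as https(10.0.1.10)
UI_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')


def parse_record(line):
    """Return the key=value fields of one line as a dict; syslog prefix dropped."""
    start = line.find("date=")
    if start < 0:
        return {}
    fields = {}
    for key, _, quoted, bare in KV_RE.findall(line[start:]):
        fields[key] = quoted if quoted else bare
    return fields


def source_of(record):
    """Source address of the administrative session, taken from the ui field."""
    m = UI_RE.search(record.get("ui", ""))
    return m.group(1) if m else None


def triage(text):
    """Failed admin logins per (device, user, source) and the config changes seen."""
    failed = Counter()
    changes = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue
        if rec.get("action") == "login" and rec.get("status") == "failed":
            failed[(rec["devname"], rec["user"], source_of(rec))] += 1
        elif "cfgpath" in rec:
            changes.append((rec["devname"], rec["user"], rec["action"],
                            rec["cfgpath"], rec.get("cfgobj")))
    return failed, changes


if __name__ == "__main__":
    failed_logins, config_changes = triage(SAMPLE_LINES)
    for key, n in failed_logins.items():
        print("failed logins", key, n)
    for change in config_changes:
        print("config change", change)
```

The quoted-value alternative in KV_RE is what keeps the msg text from being split into spurious fields, and triage keys on devname so that both units logging to the same file stay distinguishable.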

7. From the GUI on the Student FortiGate device, go System > Config > SNMP to enable
SNMP monitoring. Select Enable for the SNMP Agent then click Apply.


8. Create a new SNMP v3 user using the settings displayed below: security name training,
Authentication enabled with the SHA1 algorithm and no Privacy (encryption). These values
must match the snmpwalk arguments used in step 10. Set the Auth password to fortinet.

Click OK.

9. Go to System > Network > Interface and edit port1. Enable SNMP under Administrative
Access settings.

10. Leave the SSH window that is currently running the tail command open and open a new
SSH connection to the LINUX host.
Type the following command (on one line):
snmpwalk -v 3 -a sha -A fortinet -u training -l authNoPriv 10.200.1.1

Review the output of this command.

The security level authNoPriv authenticates the exchange but sends the returned MIB data
in cleartext; use authPriv with a privacy password wherever the polling traffic crosses an
untrusted network.

To make it easier to view the information available, you may also append > snmp.test to
the command entered above. This will save the output to a file. You can then view the output
using the command: view snmp.test.

Lab 1: Firewall Policy

The aim of this lab is for students to work with firewall policies and examine the FortiGate unit
behavior when policies are re-ordered.

– Describe the various actions that can be set in a firewall policy

– Demonstrate policy order

Estimated time to complete this lab: 20 minutes

1. From the Windows Server, you first will need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab.

− Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following
configuration file: Resources\Module3\student-policy.conf.

The Student FortiGate device will reboot.

2. From the GUI on the Student FortiGate device, go to Firewall Objects > Address > Address
and create the following address object:
Address Name: STUDENT_INTERNAL
Type: Subnet
Subnet/IP Range: 10.0.1.0/255.255.255.0
Interface: Any


3. The unrestricted port3 to port1 policy will need to be temporarily disabled in the policy list.
To do this, go to Policy > Policy > Policy, right-click the unrestricted port3 to port1 policy
and select Status > Disable.

4. Next click Create New to add a new firewall policy to provide general Internet access from
the internal network. Configure the following settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: Multiple: HTTP, HTTPS, DNS, ALL_ICMP, SSH
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Use Destination Interface Address: Enabled
Comments: General Internet access
When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall,
therefore, a firewall policy only needs to be created for the direction of the originating traffic.

5. From the virtual Windows Server desktop, open a web browser and connect to various
external web servers.

6. On the Student FortiGate device go to Policy > Policy and right-click any of the column
headings. Select Column Settings > Count to display a packet and bytes count for each rule
in the policy list display. Move this column accordingly for easier viewing.


7. From the CLI, enter the following command to see the source NAT action.
get system session list

Sample Output:

STUDENT # get sys session list
PROTO  EXPIRE  SOURCE           SOURCE-NAT         DESTINATION        DESTINATION-NAT
tcp    3600    10.0.1.10:3677   -                  10.0.1.254:22      -
tcp    3587    10.0.1.10:3717   10.200.1.1:64133   72.30.38.140:80    -
tcp    3570    10.0.1.10:3681   10.200.1.1:64097   69.171.228.70:80   -
tcp    3577    10.0.1.10:3710   10.200.1.1:64126   74.125.228.92:80   -
tcp    3587    10.0.1.10:3708   10.200.1.1:64124   74.125.228.92:80   -
tcp    3587    10.0.1.10:3706   10.200.1.1:64122   66.94.245.1:80     -
tcp    2274    10.0.1.10:3608   10.200.1.1:64024   10.200.1.254:22    -
tcp    3587    10.0.1.10:3712   10.200.1.1:64128   80.239.217.66:80   -
tcp    3566    10.0.1.10:3679   10.200.1.1:64095   74.125.227.24:80   -

Note that the new source address being applied is that of the destination interface
port1 (10.200.1.1). The first session, to 10.0.1.254:22, terminates on the FortiGate unit
itself rather than passing through a firewall policy and is therefore not translated.

1. Use the same steps you performed earlier to create a second firewall policy. Configure the
following settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: Click Create and configure the following:
    Category: Address
    Name: LINUX_ETH1
    Subnet / IP Range: 10.200.1.254/255.255.255.255
Schedule: always
Service: PING
Action: DENY
Log Violation Traffic: Enabled


2. From the Windows Server, open a DOS command prompt and ping the port1 gateway as
follows.
ping -t 10.200.1.254

Provided you have not changed the rule ordering, the ping should still work as it matches the
ACCEPT policy and not the DENY policy just created. This demonstrates the behavior of
policy ordering. The second policy was never checked because the traffic matched the first
policy.

3. From the GUI on the Student FortiGate device, go to Policy > Policy > Policy and right-click
any of the column headings. Select Column Settings > ID. Move this column accordingly for
easier viewing. By default only the sequence number of the firewall policy is displayed in the
GUI.

4. Next, click the Seq.# for the DENY policy created previously and drag this policy upwards to
position it before the General Internet access policy.

5. Return to the Windows Server and examine the DOS command prompt window still running
the continuous ping. You should observe that this traffic is now blocked.
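The behaviour just observed, first match wins and everything below the match is never consulted, is easy to lose sight of in a long policy list. As an added illustration (not Fortinet code and not part of the course), the Python model below evaluates packets against a policy list in sequence order, reproduces the ACCEPT-then-DENY result before the drag and the DENY result after it, and shows that a packet matching no policy falls to the implicit deny. The service definitions and packet tuples are a hand-written subset assumed for the example.

```python
"""First-match evaluation of a FortiGate-style policy list
(added example, not Fortinet code)."""
import ipaddress
from dataclasses import dataclass

# Service name -> (protocol, destination port); None means any.
# For ICMP the "port" field carries the ICMP type (8 = echo request).
SERVICES = {
    "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "SSH": ("tcp", 22),
    "DNS": ("udp", 53), "PING": ("icmp", 8), "ALL_ICMP": ("icmp", None),
    "ALL": (None, None),
}


@dataclass
class Policy:
    seq: int              # position in the list; lower is evaluated first
    srcintf: str
    dstintf: str
    srcaddr: str          # CIDR
    dstaddr: str          # CIDR
    services: tuple
    action: str           # "ACCEPT" or "DENY"
    comment: str = ""


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int


def service_matches(name, pkt):
    proto, port = SERVICES[name]
    return (proto is None or proto == pkt.proto) and (port is None or port == pkt.dport)


def policy_matches(pol, pkt):
    return (pol.srcintf == pkt.srcintf and pol.dstintf == pkt.dstintf
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(pol.srcaddr)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(pol.dstaddr)
            and any(service_matches(s, pkt) for s in pol.services))


def evaluate(policies, pkt):
    """Return (seq of the matching policy or None, action); None is the implicit deny."""
    for pol in sorted(policies, key=lambda p: p.seq):
        if policy_matches(pol, pkt):
            return pol.seq, pol.action
    return None, "DENY"


def lab_scenario():
    """The two orderings from this lab, applied to the ping and to a web request."""
    internet = Policy(1, "port3", "port1", "10.0.1.0/24", "0.0.0.0/0",
                      ("HTTP", "HTTPS", "DNS", "ALL_ICMP", "SSH"), "ACCEPT",
                      "General Internet access")
    block_ping = Policy(2, "port3", "port1", "10.0.1.0/24", "10.200.1.254/32",
                        ("PING",), "DENY", "Deny ping to LINUX_ETH1")
    ping = Packet("port3", "port1", "10.0.1.10", "10.200.1.254", "icmp", 8)
    web = Packet("port3", "port1", "10.0.1.10", "72.30.38.140", "tcp", 80)
    before = evaluate([internet, block_ping], ping)       # DENY is never reached
    block_ping.seq, internet.seq = 1, 2                   # drag the DENY above the ACCEPT
    after = evaluate([internet, block_ping], ping)        # DENY now matches first
    web_after = evaluate([internet, block_ping], web)     # web traffic still accepted
    return before, after, web_after


if __name__ == "__main__":
    print(lab_scenario())   # ((1, 'ACCEPT'), (1, 'DENY'), (2, 'ACCEPT'))
```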

In this exercise, a virtual IP address will be configured to allow remote Internet connections to
the Windows Server located at 10.0.1.10.

1. Go to Firewall Objects > Virtual IP > Virtual IP and create a new virtual IP mapping with the
following details:
Name: VIP_WIN2K3
External Interface: port1
Type: Static NAT
External IP Address/Range: 10.200.1.200
Mapped IP Address/Range: 10.0.1.10


2. Next, create a new firewall policy to provide access to the web server. Configure the
following settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port1
Source Address: all
Outgoing Interface: port3
Destination Address: VIP_WIN2K3
Schedule: always
Service: HTTP
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Disabled (default)
Comments: Public access to web server

3. The firewall is stateful so any existing sessions will not use this new firewall policy until they
time out or are cleared. The sessions can be cleared individually from the session widget on
the status page or from the CLI by executing the following:
diag sys session clear

4. Connect to the console of the remote Windows host. (From the virtual lab applet, go to
Operations > Connect to Secondary > WinXP to connect to the console of your WINXP host.)
On the WinXP desktop, open a web browser and access the following URL:
http://10.200.1.200

If the virtual IP operation is successful a web page is displayed.

5. From the CLI on the Student FortiGate device, check the destination NAT entries in the
session table by using the following command:
get system session list

Sample Output:

STUDENT # get sys session list
PROTO  EXPIRE  SOURCE             SOURCE-NAT  DESTINATION       DESTINATION-NAT
tcp    3537    10.200.3.1:62426   -           10.200.1.200:80   10.0.1.10:80


6. On the virtual Windows Server desktop open a web browser and connect to a few external
web sites. Now examine the session information again as follows:
get system session list

Sample Output:

STUDENT # get sys session list
PROTO  EXPIRE  SOURCE           SOURCE-NAT          DESTINATION           DESTINATION-NAT
tcp    3591    10.0.1.10:3995   10.200.1.200:3995   66.94.241.1:80        -
tcp    3590    10.0.1.10:3977   10.200.1.200:3977   72.30.38.140:80       -
tcp    3553    10.0.1.10:3965   10.200.1.200:3965   184.150.187.83:80     -
tcp    3592    10.0.1.10:3998   10.200.1.200:3998   74.125.228.92:80      -
tcp    3584    10.0.1.10:3969   10.200.1.200:3969   69.171.237.16:80      -
tcp    3596    10.0.1.10:4001   10.200.1.200:4001   208.91.113.80:80      -
tcp    3590    10.0.1.10:3983   10.200.1.200:3983   216.115.100.102:80    -
tcp    3590    10.0.1.10:3979   10.200.1.200:3979   216.115.100.103:80    -
tcp    3590    10.0.1.10:3987   10.200.1.200:3987   216.115.100.102:80    -
tcp    3590    10.0.1.10:3981   10.200.1.200:3981   216.115.100.103:80    -
tcp    3590    10.0.1.10:3985   10.200.1.200:3985   216.115.100.102:80    -
tcp    1013    10.0.1.10:3608   10.200.1.1:64024    10.200.1.254:22       -
tcp    3589    10.0.1.10:3976   10.200.1.200:3976   72.30.38.140:80       -
tcp    3591    10.0.1.10:3996   10.200.1.200:3996   184.150.187.99:80     -
tcp    3554    10.0.1.10:3967   10.200.1.200:3967   74.125.228.65:80      -
tcp    3590    10.0.1.10:3990   10.200.1.200:3990   216.115.100.103:80    -
tcp    3591    10.0.1.10:3978   10.200.1.200:3978   216.115.100.103:80    -
tcp    3590    10.0.1.10:3980   10.200.1.200:3980   216.115.100.103:80    -

Note that the outgoing connections from the Windows Server are now being NATed to the
VIP address (10.200.1.200) instead of the port1 address. This is a behavior of a static NAT
VIP: when NAT is enabled on a policy and a static NAT VIP maps the source host of the
session, the VIP's external address takes priority over the destination interface IP address.
Adding a static NAT VIP therefore changes the outbound source address of the mapped host
even though no outbound policy was edited, which is worth checking whenever a VIP is
created for a host that also initiates connections. The SSH session to 10.200.1.254 still
shows 10.200.1.1 because it was established before the VIP existed and existing sessions
keep their original translation.


Currently, all traffic generated from the Windows Server through the Student FortiGate
device has a translated source IP address of 10.200.1.200 because of the static NAT
translation in the VIP.

In this exercise, an IP address pool will be applied to a new rule which will override this
behavior.

1. From the GUI on the Student FortiGate device, go to Firewall Objects > Virtual IP > IP Pool
and create a new IP pool using the following settings:
Name: WIN2K3_EXT_IP
External IP Range/Subnet: 10.200.1.100
2. Go to Policy > Policy > Policy, and right-click the outgoing General Internet access policy.
Select Copy Policy then right-click the same policy again and select Paste > Above.

3. Select the new copy of the General Internet access policy and configure the following
settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port3
Source Address: WIN2K3
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Use Dynamic IP Pool: WIN2K3_EXT_IP
Comments: Windows Server source NAT override

Click OK to save the policy and verify that you have enabled it.

4. The firewall is stateful so any existing sessions will not use this new firewall policy until they
time out or are cleared. The sessions can be cleared individually from the session widget on
the status page or from the CLI by executing the following:
diag sys session clear


5. Connect to a few external web sites and then examine the session table to check the source
NAT used. From the CLI on the Student FortiGate device enter the following command to
verify the source NAT IP address:
get system session list

Sample Output:

STUDENT # get system session list
PROTO  EXPIRE  SOURCE           SOURCE-NAT           DESTINATION            DESTINATION-NAT
tcp    3599    10.0.1.10:3963   10.200.1.100:64379   74.125.225.126:443     -
tcp    3599    10.0.1.10:3961   10.200.1.100:64377   74.125.225.111:443     -
tcp    3552    10.0.1.10:3953   10.200.1.100:64369   76.74.133.167:80       -
tcp    3597    10.0.1.10:3956   10.200.1.100:64372   74.125.225.118:80      -
tcp    3597    10.0.1.10:3954   10.200.1.100:64370   74.125.225.117:80      -
tcp    3598    10.0.1.10:3959   10.200.1.100:64375   199.7.57.72:80         -
tcp    16      10.0.1.10:3948   10.200.1.100:64364   66.36.238.121:22       -
tcp    3598    10.0.1.10:3958   10.200.1.100:64374   209.85.225.84:443      -
tcp    3599    10.0.1.10:3962   10.200.1.100:64378   74.125.225.99:443      -
tcp    0       10.0.1.10:3960   10.200.1.100:64376   98.139.200.238:80      -
tcp    3597    10.0.1.10:3955   10.200.1.100:64371   74.125.225.118:80      -

Observe that the source NAT address is now 10.200.1.100 as configured in the IP pool.
The order of precedence is therefore IP Pool > Static NAT VIP > Destination Interface
address.
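As an added example (not Fortinet code and not part of the course), the Python function below encodes the precedence just stated and reproduces the three source addresses seen in the session tables of this lab. The interface address table, the extra host 10.0.1.20 and the rule that a VIP configured with port forwarding is skipped for outbound source NAT are assumptions of the model.

```python
"""Source-NAT address selection for an outbound session on a FortiGate-style
policy: IP pool, then static NAT VIP mapped to the source host, then the
address of the outgoing interface (added example, not Fortinet code)."""
from dataclasses import dataclass


@dataclass
class Vip:
    name: str
    extintf: str
    extip: str
    mappedip: str
    portforward: bool = False   # assumption: a port-forwarding VIP does no outbound SNAT


@dataclass
class Policy:
    dstintf: str
    nat: bool
    ippool: str = None          # pool address when "Use Dynamic IP Pool" is selected


# Assumed interface addresses taken from the lab topology.
INTERFACE_ADDR = {"port1": "10.200.1.1", "port3": "10.0.1.254"}


def select_snat(policy, vips, src_ip):
    """Translated source for src_ip leaving via policy, or None when NAT is off."""
    if not policy.nat:
        return None
    if policy.ippool:                       # 1. IP pool configured on the policy
        return policy.ippool
    for vip in vips:                        # 2. static NAT VIP on the egress interface
        if (vip.extintf == policy.dstintf and not vip.portforward
                and vip.mappedip == src_ip):
            return vip.extip
    return INTERFACE_ADDR[policy.dstintf]   # 3. destination interface address


def lab_scenario():
    """The three translations observed in this lab, in the order they appeared."""
    win2k3 = "10.0.1.10"
    vips = []
    out = []
    general = Policy("port1", nat=True)
    out.append(select_snat(general, vips, win2k3))          # destination interface address
    vips.append(Vip("VIP_WIN2K3", "port1", "10.200.1.200", win2k3))
    out.append(select_snat(general, vips, win2k3))          # static NAT VIP takes over
    override = Policy("port1", nat=True, ippool="10.200.1.100")
    out.append(select_snat(override, vips, win2k3))         # IP pool wins
    out.append(select_snat(general, vips, "10.0.1.20"))     # a host the VIP does not map
    return out


if __name__ == "__main__":
    print(lab_scenario())   # ['10.200.1.1', '10.200.1.200', '10.200.1.100', '10.200.1.1']
```

The last call is the check to make after adding any static NAT VIP: only the mapped host changes its outbound address, and a policy without NAT is untouched by any of this.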

Lab 2: Traffic Log

The aim of this lab is to read traffic logs and become familiar with their contents.

– Demonstrate how to enable traffic logging

– Read and understand traffic log entries

Estimated time to complete this lab: 10 minutes

1. Go to Policy > Policy > Policy and click the Seq.# of the DENY policy that you created
previously. Drag this policy to position it BEFORE the Windows Server source NAT override
policy.
2. Edit the DENY policy and verify that Log Violation Traffic is enabled.

3. From the Windows Server, open a DOS command prompt and ping the port1 gateway as
follows.
ping –t 10.200.1.254

Provided you have positioned the rule correctly, this traffic is blocked and the ping requests time out.

4. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward
Traffic to examine the log entries. You should observe violation traffic entries.

5. Edit the DENY policy and change the action to ACCEPT.

From the Windows Server, you should observe that the ping now succeeds.

6. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward
Traffic.

The log entries will no longer show violation traffic, but summaries of the ping traffic that
passed.
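The Forward Traffic view in steps 4 and 6 is a rendering of the raw log: FortiOS writes each entry as space-separated key=value pairs, with string values in double quotes. The following is an added example, not course material, that parses such lines and summarizes the denied flows the way you would when the GUI view is too noisy. The three sample lines are constructed for the example; their values, and the exact set of fields a given FortiOS build emits, are assumed.

```python
"""Parse FortiOS forward-traffic log lines (key=value) and summarize denies.

Added example, not course material. The sample lines are constructed; field
values and the exact fields emitted by a given FortiOS build are assumed.
"""
import re
from collections import Counter

# key=value, where the value is either double-quoted (may contain spaces) or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

SAMPLE_LOGS = """\
date=2013-02-15 time=10:01:02 type="traffic" subtype="forward" srcip=10.0.1.10 srcintf="port3" dstip=10.200.1.254 dstintf="port1" action="deny" policyid=3 proto=1 service="PING" sentbyte=0 rcvdbyte=0
date=2013-02-15 time=10:01:03 type="traffic" subtype="forward" srcip=10.0.1.10 srcintf="port3" dstip=10.200.1.254 dstintf="port1" action="deny" policyid=3 proto=1 service="PING" sentbyte=0 rcvdbyte=0
date=2013-02-15 time=10:05:44 type="traffic" subtype="forward" srcip=10.0.1.10 srcintf="port3" dstip=74.125.225.118 dstintf="port1" action="accept" policyid=1 proto=6 service="HTTP" user="student" group="training" sentbyte=1450 rcvdbyte=9870
"""

def parse_log_line(line):
    """Return the key=value pairs on one line as a dict, quotes stripped."""
    fields = {}
    for m in KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields

def parse_logs(text):
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]

def denied_flows(entries):
    """Count denied flows by (source, destination, service)."""
    return Counter((e["srcip"], e["dstip"], e.get("service", "?"))
                   for e in entries if e.get("action") == "deny")

def users_seen(entries):
    """User names carried in accepted entries (present once a policy authenticates)."""
    return {e["user"] for e in entries if e.get("action") == "accept" and "user" in e}

def policy_hits(entries):
    """Number of log entries per policy ID, regardless of action."""
    return Counter(e.get("policyid") for e in entries)

if __name__ == "__main__":
    entries = parse_logs(SAMPLE_LOGS)
    for flow, n in denied_flows(entries).items():
        print(f"{n:4d} x denied {flow[0]} -> {flow[1]} {flow[2]}")
    print("authenticated users:", users_seen(entries))
```

Keying on `policyid` is the useful habit: a burst of denies against the wrong policy ID is the first sign that a rule was dragged to the wrong position, which is exactly the mistake step 1 invites.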

In this exercise you will create a firewall policy that uses an email captive portal. Once the device
has been identified and its user has supplied an email address, the device is given access to a test
web server.

1. From the Windows host, you first will need to connect to the Student FortiGate device and
restore the configuration file needed for this exercise.
Restore the following configuration file: Resources\Delta\delta-student-initial.conf.

2. Edit the outgoing port3 to port2 firewall policy using the following settings:
Policy Type: Firewall
Policy Subtype: Device Identity
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port2
Enable NAT: Enabled. Select Use Destination Interface.

Next click Create New under Configure Authentication Rules and create the following sub-
policies:

Sub-policy 1:

Destination Address: all


Device: Linux PC
Schedule: always
Service: HTTP
Action: Captive Portal and enable Email Address Collection

Sub-policy 2:

Destination Address: all


Device: Collected Emails
Schedule: always
Service: HTTP, HTTPS, ALL_ICMP, SSH, SMTP, POP3, FTP
Action: ACCEPT
Click OK.

3. Use drag-and-drop to reorder the sub-policies. The captive portal policy should be last in the
sub-policy list because this rule should only be matched if the device has not already been
identified.
In this example, the first web traffic from the client matches the email captive portal rule, the
subsequent traffic matches the collected email device object as we now have this information.

Note when saving this policy you will be informed that device identification will be enabled on
port3.

Click OK.

4. Check the device policy and sub-policies.

5. You will now test the device policy on the Student FortiGate device. First execute the
following CLI commands to disable the email DNS check for the captive portal. (This step is
required for the purposes of this lab.)
config system settings
set email-portal-check-dns disable
end

6. From your web browser, connect to: http://10.200.1.254.


What happens? If you followed the example as given, nothing: the captive portal sub-policy only
matches Linux PCs and you are connecting from a Windows PC, so no sub-policy matches and the
traffic is denied.

From the CLI use debug flow to confirm this.


diag debug flow filter addr 10.200.1.254
diag debug flow show func en
diag debug flow show cons en
diag debug enable
diag debug flow trace start 20

The trace ends with the message: “Denied by forward policy check”. When you have finished, stop the trace and disable debugging so that the console is not flooded with output.

7. Edit the captive portal sub policy and add Windows PC as a second device type.

8. From your web browser, connect to: http://10.200.1.254 again.


You should now get to the portal. Accept the conditions and enter your email address when
prompted.

You should now be redirected to the web site.

9. Go to User & Device > Device > Device Definition and check the new device.
This is a dynamic device: it was learned from traffic rather than configured, its attributes may be
updated as more traffic is seen, and learned devices are stored in flash so that they are recognized
again quickly. List the learned devices from the CLI:
diag user device list

10. Clear the device from the CLI and reload the web page as follows:
diag user device clear

You should observe that you are redirected to the email portal again. Accept the conditions
and enter your email address.

11. Perform a show from the CLI to confirm there are no devices in the configuration file.
show user device

12. From the GUI, go to User & Device > Device > Device Definition and edit your device from
the device list. Add an alias called myDevice. This creates a static device in the configuration
file.
Perform the following show command to confirm that the device now appears in the
configuration file.
show user device

13. Go to User & Device > Device > Device Group. Note that your device is already a member
of several predefined device groups.
Click Create New and add a new device group called myDevGroup. From the Members
drop-down list, select myDevice.

Note that your device is still a member of the predefined groups and is now a member of the
custom group myDevGroup.

14. From your Windows PC, open a DOS prompt and test that you can open an FTP connection to
10.200.1.254. Once you have connected, close the FTP connection.

15. Now add a sub-policy to your firewall device policy blocking FTP.
Edit the device policy and create the following sub-policy:

Sub-policy 3:

Destination: LINUX_ETH1
Device: myDevGroup
Schedule: always
Service: FTP
Action: Deny
Log Violation Traffic: Enable
Use drag-and-drop to reorder the sub-policies so that this policy is first in the list.
Click OK.

16. From your PC test that you can open an FTP connection to 10.200.1.254.
You should observe that the connection now fails to establish.

View the traffic logs and find the deny entry.

17. Go to one of your Dashboards and add the Device Type distribution widget. Since we only
have a single device to test in our lab environment, the graph is less effective.

Lab 1: User Authentication

The aim of this lab is to introduce students to user authentication management on the FortiGate unit.

– Create an identity-based policy

– Manage user authentication

Estimated time to complete this lab: 20 minutes

1. From the Windows Server, you first will need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab.

 Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following
configuration file: Resources\Module4\student-auth.conf.

The Student FortiGate device will reboot.

2. When the device has rebooted review the user configuration for this lab.

 Go to User & Device > User > User to review the local user settings

 Go to User & Device > User Group > User Group to review the user group configuration.

3. On the virtual Windows Server desktop, open a web browser and connect to a new web site.
At the login prompt, enter the following credentials:

Username: student
Password: F0rtinet
You should observe that after successful authentication, you are redirected to your
destination web site.

4. From the GUI on the Student FortiGate device go to Policy > Policy > Policy and review the
outgoing firewall policy with authentication configured.

5. Next, from a DOS prompt try to ping 10.200.1.254, then open a putty.exe session and try to
connect to 10.200.1.254 via SSH, logging in as root with the password: password.
What happens?

You should observe that both fail even though there is an ACCEPT rule for this traffic. This
highlights an important behavior of identity-based policies: the service is a permission, not a
selector. The identity policy is matched on interfaces and addresses only, so in our example it
captures all outgoing traffic regardless of service; the service is then permitted only if it is
listed for the authenticated user's group. Anything not listed is dropped, and the regular ACCEPT
policy further down the list is never reached.

There are two ways to correct this. Either add ALL_ICMP and SSH to the identity policy rule
for the training user group, or move the regular policy before the identity policy so that it is
matched first.

Make your configuration change and retest.

6. Go to User & Device > Monitor > Firewall to view the details of the authenticated user along
with the policy used to authenticate this user.

7. Next go to Log & Report > Event Log > User and then Log & Report > Traffic Log > Forward
Traffic.
Locate the log messages for the firewall policy authentication events. The details for the entry
are displayed in the lower pane of the Event Log window.

Notice that the user’s name “student” is now included in the log messages.

8. From the CLI, view the IP addresses and users which have successfully authenticated to the
FortiGate unit with the following command:
diagnose firewall iprope authuser

Clear all authenticated sessions with the following command:


diagnose firewall iprope resetauth

Caution: on a production FortiGate this logs out every authenticated user. Be careful using it on a live system.
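The service-as-permission behaviour seen in step 5 is the part of identity-based policies that is most often misread when ordering a policy list. The following model, an added example rather than FortiOS code, reproduces the matching rules the lab describes using the lab's addresses and group: a regular policy is selected on interfaces, addresses and service; an identity-based policy is selected on interfaces and addresses only, with the group's service list applied afterwards as a permission. The policy dictionaries and flow records are assumed structures, and the "auth-required" result stands in for the fact that FortiOS can only prompt for credentials on protocols it can intercept (the lab logs in through a web browser).

```python
"""Model of how an identity-based firewall policy is matched (added example).

Not FortiOS code. Reproduces the rule from the lab: a regular policy is
selected on interfaces, addresses and service; an identity-based policy is
selected on interfaces and addresses only, and the group's service list is a
permission applied after the match. Addresses, group and services are the
lab's; the dictionaries are assumed structures.
"""
import ipaddress

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

# Regular policy: the service is part of the selector.
REGULAR = {"type": "regular", "srcintf": "port3", "dstintf": "port1",
           "src": "10.0.1.0/24", "dst": "0.0.0.0/0",
           "services": {"ALL_ICMP", "SSH"}, "action": "accept"}

# Identity policy: the selector is interfaces and addresses; per-group services
# are permissions checked once the user has authenticated.
IDENTITY = {"type": "identity", "srcintf": "port3", "dstintf": "port1",
            "src": "10.0.1.0/24", "dst": "0.0.0.0/0",
            "groups": {"training": {"HTTP", "HTTPS"}}}

def selector_matches(policy, flow):
    return (policy["srcintf"] == flow["srcintf"] and policy["dstintf"] == flow["dstintf"]
            and in_net(flow["src"], policy["src"]) and in_net(flow["dst"], policy["dst"]))

def evaluate(policies, flow, user_group=None):
    """The first policy whose selector matches decides; returns (decision, reason)."""
    for idx, p in enumerate(policies):
        if p["type"] == "regular":
            if selector_matches(p, flow) and flow["service"] in p["services"]:
                return p["action"], f"policy {idx} (regular)"
            continue
        if not selector_matches(p, flow):
            continue
        # Identity policy matched without looking at the service at all.
        if user_group is None:
            # FortiOS can only prompt on protocols it can intercept; other
            # traffic simply waits for the user to authenticate, i.e. is dropped.
            return "auth-required", f"policy {idx} (identity)"
        if flow["service"] in p["groups"].get(user_group, set()):
            return "accept", f"policy {idx} (identity, {user_group})"
        return "deny", f"policy {idx} (identity, {flow['service']} not permitted for {user_group})"
    return "deny", "implicit deny"

SSH = {"srcintf": "port3", "dstintf": "port1", "src": "10.0.1.10",
       "dst": "10.200.1.254", "service": "SSH"}

def lab_as_configured():
    """Identity policy first: SSH is denied although REGULAR would accept it."""
    return evaluate([IDENTITY, REGULAR], SSH, "training")

def fix_by_reordering():
    """Move the regular policy above the identity policy."""
    return evaluate([REGULAR, IDENTITY], SSH, "training")

def fix_by_adding_services():
    """Add SSH and ALL_ICMP to the training group's permitted services."""
    fixed = dict(IDENTITY, groups={"training": {"HTTP", "HTTPS", "SSH", "ALL_ICMP"}})
    return evaluate([fixed, REGULAR], SSH, "training")

if __name__ == "__main__":
    print("as configured: ", lab_as_configured())
    print("reordered:     ", fix_by_reordering())
    print("services added:", fix_by_adding_services())
```

The two fixes are not equivalent in effect: reordering lets SSH and ping through for every host in 10.0.1.0/24 without authentication, while extending the group's service list keeps them behind the login. Which one you want depends on whether the service should be reachable anonymously.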

Lab 1: SSL VPN

The aim of this lab is for students to work with and manage user groups and portals for the SSL VPN.

– Configure and connect to an SSL VPN.

– Enable various authentication security options

Estimated time to complete this lab: 30 minutes

1. From the Windows Server, you first will need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab.

 Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following
configuration file: Resources\Module5\student-ssl.conf.

The Student FortiGate device will reboot.

2. When the device has rebooted, review the SSL VPN configuration for this lab. First look at the
firewall policies. You will find a port1 to port3 policy for SSL VPN. This policy also has
sub-policies; expand the policy to view them.

3. Open this SSL VPN policy and look at the objects making up this policy. Observe the Policy
Type of VPN and the Policy Subtype of SSL-VPN. Also note the Destination address and the
SSL-VPN Authentication Rules.
Open the first rule (sub-policy), and notice that this allows users in the training group to
access the web-access SSL-VPN portal.

4. To observe the effect of this policy you will now access the SSL VPN. On the virtual external
Windows host (WINXP) desktop, open a web browser and access the SSL VPN by browsing
to the following URL: https://10.200.1.1.
Accept the security warnings for the self-signed certificate and log in using the following
credentials:

Username: student
Password: F0rtinet
You should notice that you can log in successfully; however, the web portal is still in its default
state. We will now configure the web-access portal that is selected in the SSL VPN policy. Log out
and return to your Windows Server host.

5. Go to VPN > SSL > Portal and from the drop-down list displayed in the top right hand corner,
select web-access to edit this portal. Verify that Include Bookmarks is selected and then
create the following bookmarks in the table for the internal server.
Bookmark for HTTP:

Category: Test
Name: HTTP/HTTPS
Type: HTTP/HTTPS
Location: 10.0.1.10
Click OK.

Bookmark for RDP:

Category: Test
Name: RDP
Type: RDP
Location: 10.0.1.10

Click OK. Add a Portal Message then click Apply to save the changes. Select View Portal to
review your changes.

6. Test the SSL VPN access again from the external Windows host (WINXP) by browsing to:
https://10.200.1.1

You should now observe that two bookmarks are listed.

7. Select the HTTP/HTTPS bookmark and examine the items listed below to understand how
the web access functions.

 Note the URL of the web site in the browser address bar:
https://10.200.1.1/proxy/http/10.0.1.10/

 The first part of the address is the encrypted link to the FortiGate SSL VPN gateway:
https://10.200.1.1/

 The second part of the address is the instruction to use the SSL VPN HTTP
proxy: .../proxy/http...

 The final part of the address is the destination of the connection from the HTTP
proxy: .../10.0.1.10/

In this example, the connection is encrypted only between the browser and the SSL VPN gateway. The
connection from the HTTP proxy on the FortiGate to the final destination is in clear text, so the
internal network segment behind the gateway is the only thing protecting that leg.

8. Return to the virtual Windows Server device and from the GUI on the Student FortiGate
device, go to VPN > Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN
connection.
Note the User, Source IP and Begin Time.

9. Go to Log & Report > Event Log > VPN and view the corresponding log entry. Look for the
“SSL tunnel established” message.

10. From the external Windows XP host, log out of the SSL VPN connection. Return to the log
and look for the “SSL tunnel shutdown” message.

11. The firewall policy is required for the SSL VPN access. Find the firewall policy for SSL VPN
access and examine its components.
Note from the policy list that this policy has a sub-policy. Edit this policy to view its contents.

Policy Type: VPN


Policy Subtype: SSL-VPN
Incoming Interface: port1
Remote Address: all
Local Interface: port3
Local Protected Subnet: WIN2K3
SSL Client Certificate Restrictive: Disabled
The policy is incoming, that is from the external network to the internal network.
The policy subtype is SSL VPN which indicates further processing besides only accepting the
traffic.

Under Configure SSL-VPN Authentication Rules, edit the first rule to view its contents.

You will notice that this rule contains many settings including User(s), Schedule, Service and
SSL-VPN Portal. Select Cancel to close the edit window for this sub-policy.

In the next exercise, we will be adding on to this policy to allow tunnel access.

In this exercise you will edit the current SSL policy adding a new sub-rule for a second user
configured for tunnel mode.

1. Edit the SSL VPN policy and under Configure SSL-VPN Authentication Rules, create a new
sub-policy for a full-access portal using the following settings:
Group(s): training
Schedule: always
Service: ALL
SSL-VPN Portal: full-access
When you have added this sub-policy select OK to save the changes.

2. To observe the effect of this sub-policy you will now access the SSL VPN again. From the
virtual external Windows host (WINXP) desktop, open a web browser and access the SSL
VPN by browsing to the following URL:
https://10.200.1.1

When prompted, log in to the SSL VPN using the following credentials:

Username: student
Password: F0rtinet

3. What do you see when you login?


You should see the same portal as in the previous exercise. Why?

The training user group is associated with both sub-policies therefore the first one matching
the web-access portal is applied.

You could move the rule so that the rule for the full-access portal is first in the list however,
this will end up affecting all users in that group. Instead, edit the sub-rule created in step 1
above and set the user group to training2.

Apply the changes.

4. In the web browser on the virtual remote Windows host, connect to the SSL VPN portal once
again at the following address:
https://10.200.1.1

Note that you may need to clear the web browser’s cache if the login window is not displayed.

Log in to the SSL VPN using the following credentials:

Username: student2
Password: F0rtinet2
You should now observe that the portal established is the full-access portal.

Note: If using the SSL VPN client available with FortiClient, you do not need to log
in via the portal.

5. In the Tunnel Mode panel, click Connect. You should see a link status of UP and the bytes
sent and received incrementing.

6. On the virtual remote Windows host, open a DOS command prompt and perform the
following:
ipconfig

Note down your assigned IP address for reference.

Note that the ‘fortissl’ adapter has an IP address. Where does this IP address come
from? Display the routing information by entering the following command:
route print

Note the low metric routes and observe that there is a route to 10.0.1.10. Where did this
come from?

Run a continuous ping to 10.0.1.10 as follows.


ping –t 10.0.1.10

7. From the GUI on the Student FortiGate device observe the following:
− VPN > Monitor > SSL-VPN Monitor shows client connections and the IP allocated to
the tunnel connection

8. In the firewall policy list, modify the column settings to show Count so that you can see the
packets and bytes per policy (click any of the column headings and select Column Settings >
Count). Move this column accordingly for easier viewing.
Notice that there is traffic associated with the incoming rule from the ssl.<vdom name>
interface. This rule is created automatically. This traffic is the incoming traffic from your SSL
VPN client.

Where does your assigned address come from?

9. Go to VPN > SSL > Portal to access the SSL VPN portal configuration. Edit the full-access
portal.
Within the Enable Tunnel Mode options, note the IP Pool used which refers to a firewall
address object.

10. Go to Firewall Objects to look up that firewall address object. What are the values of that
object?
The object defines an address range that matches your assigned address, so this is how IP
addresses are configured and assigned to SSL VPN clients.

Where does the route to 10.0.1.10 come from?

HINT: Look at the Destination address of the SSL VPN policy.

You will observe that the address object values for WIN2K3 are 10.0.1.10/32, so this is
where the SSL VPN client route came from.

With the present configuration, the SSL VPN client is split tunneling: only traffic to the specific
destination behind the firewall is tunneled, and all other traffic leaves through the client's own
default gateway. That other traffic never reaches the FortiGate and is not inspected by it.

What configuration change would you need to make to give the client a default route into the
tunnel?

Disable split tunneling in the full-access portal. A default route is then pushed to the client,
forcing all of its traffic into the tunnel.
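The split-tunnel decision in step 10 is just a route lookup on the client, and it can be reproduced with a small route-table model. This is an added example, not FortiClient or FortiOS code: it models the Windows route table inspected with route print, with the lab's protected address 10.0.1.10/32 pushed to the fortissl adapter when split tunneling is enabled and a lower-metric default route pushed instead when it is disabled. The LAN addresses, adapter names and metrics are assumed.

```python
"""Split tunnel vs full tunnel: which client traffic enters the SSL VPN (added example).

Not FortiClient or FortiOS code. Models the Windows route table the lab inspects
with `route print`. With split tunneling the FortiGate pushes only the protected
subnet (WIN2K3 = 10.0.1.10/32) toward the fortissl adapter; with split tunneling
disabled it pushes a lower-metric default route instead. LAN addresses, adapter
names and metrics are assumed.
"""
import ipaddress

# (prefix, gateway, adapter, metric): the client's own routes before connecting
LAN_ROUTES = [("0.0.0.0/0", "192.168.1.1", "Local Area Connection", 25),
              ("192.168.1.0/24", "on-link", "Local Area Connection", 25)]

def pushed_routes(split_tunnel, protected=("10.0.1.10/32",)):
    """Routes the SSL VPN client installs when the tunnel comes up (modelled)."""
    if split_tunnel:
        return [(p, "on-link", "fortissl", 1) for p in protected]
    return [("0.0.0.0/0", "on-link", "fortissl", 1)]

def lookup(routes, dst):
    """Longest-prefix match, lower metric breaks ties; returns the adapter used."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, _gateway, adapter, metric in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, adapter)
    return best[1] if best else None

def egress(split_tunnel, dst):
    """Adapter a packet to dst leaves by, for the given portal setting."""
    return lookup(LAN_ROUTES + pushed_routes(split_tunnel), dst)

if __name__ == "__main__":
    for dst in ("10.0.1.10", "10.0.1.254", "8.8.8.8", "192.168.1.5"):
        print(f"{dst:12} split={egress(True, dst):22} full={egress(False, dst)}")
```

Note the second case: with split tunneling on, 10.0.1.254 (the FortiGate's own internal address) is not covered by the pushed /32 and goes out the LAN adapter, which is why a client that can reach the Windows Server may still be unable to reach anything else on 10.0.1.0/24 until the protected subnet in the policy is widened.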

Lab 1: IPSec VPN

The aim of this lab is for students to configure an IPsec VPN on the FortiGate device using both
interface-based and policy-based modes.

– Configure and implement interface-based and policy-based IPsec VPNs

– Demonstrate the differences between interface and policy-based VPNs

– Explain IPSec VPN configuration options

Estimated time to complete this lab: 30 minutes

1. From the Windows Server, you first will need to connect to the Student and Remote
FortiGate devices and restore the configuration files that are needed for this lab.

 Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the
following configuration file: Resources\Module6\student-ipsec.conf.

The Student FortiGate device will reboot.

 Connect to the GUI on the Remote FortiGate device (10.200.3.1) and restore the
following configuration file: Resources\Module6\remote-ipsec.conf.

The Remote FortiGate device will reboot.

2. When the Student FortiGate device has rebooted, open a DOS command prompt from the
virtual Windows Server and run a continuous ping to the remote Windows XP host as
follows:
ping -t 10.0.2.10

3. From the GUI on the Student FortiGate device, go to VPN > Monitor > IPsec Monitor and
examine the tunnel status.
You should observe a tunnel named remote with the destination 10.200.3.1 and the status
is currently up. This is the tunnel that is established to the Remote FortiGate device.

4. From the Student FortiGate device review the firewall policy. Modify the column settings to
show Count so that you can see the packets and bytes per policy.
Observe that the counter is incrementing for the port3 > remote policy.

What is the interface remote?

Go to System > Network > Interface and note the blue arrow head associated with port1. If
you expand this you will be able to see the remote interface and the type for this interface
which is set to Tunnel.

5. Go to VPN > IPsec > Auto Key (IKE) and review the IPsec configuration. Note the Phase 1
and Phase 2 IKE objects.
Edit the Phase1 IKE object remote. Select Advanced to view all the settings. Note that IPsec
Interface Mode is selected.

The Phase1 IKE object is the IPsec interface referenced in the interface list and firewall
policy. How is the traffic getting to this policy?

Traffic arrives at the FortiGate unit on the ingress interface. For a new connection, a routing
lookup is performed first to select the egress interface and gateway; only then is the firewall
policy list searched for a rule matching that ingress and egress interface pair and the addresses.
Because the routing lookup selects the egress, and the route for the remote subnet points at the
remote interface, the remote interface is selected here. It is therefore a route that drives the
traffic to the IPsec interface.

6. Go to Router > Monitor and view the current routing table. You will observe a static route to
the destination 10.0.2.0/24 pointing to the remote interface.
This is an example of a route-based VPN configuration. The alternative is the policy-based
VPN, which we will review next.

Generally, the route-based VPN is the preferred approach however there are a few
exceptions where you would need to use the policy-based VPN. These will be discussed
later.

7. Open a web browser on the Windows Server and connect to the GUI on the Remote
FortiGate device.

8. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote
FortiGate device. You should observe a tunnel named student with the destination
10.200.1.1 and the status is up.
This is the tunnel that is established to the Student FortiGate device.

9. Still on the Remote FortiGate device, go to System > Network > Interface and note there is
no tunnel sub-interface for port4.

10. Go to Router > Monitor and view the current routing table. You will observe that there is no
route to the 10.0.1.0/24 destination behind the Student FortiGate device, only a default route.
How is the traffic entering the tunnel then?

11. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a
policy from port6 to port4 for address 10.0.2.0/24 to address 10.0.1.0/24 with action
IPsec.
Edit this policy to view its settings.

The policy action is IPsec, and it uses the tunnel student. It also has permissions to allow
outbound and allow inbound. We will look at these settings later.

How is the traffic matching this policy?

On the Student FortiGate device, a static route was sending traffic to the IPSec interface.
Here there is no static route and the traffic is being sent to the tunnel using the policy action,
hence policy-based.

The IPsec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it into the
tunnel student.

12. From the Remote FortiGate device, go to VPN > IPsec > Auto Key (IKE) and review the
IPSec configuration. Note the Phase 1 and Phase 2 IKE objects.

13. Edit the Phase1 IKE object student and select Advanced to view all the settings. Note that
IPsec Interface Mode is not selected.
The Phase1 IKE object is the IPsec tunnel referenced in the IPsec firewall policy. Here we are
using policy-based mode on the Remote FortiGate device and interface-based mode on the Student
FortiGate device. The mode is of local significance only, so the two ends can be mixed, as in
this example.

14. From the remote Windows host, run a continuous ping to 10.0.1.10.
You should observe that this ping fails. Why?

An IPsec-action policy controls both inbound and outbound traffic within the same policy. For
interface-based IPsec, regular ACCEPT policies are used instead, and each direction needs its own
policy.

On the Student FortiGate device only the outgoing port3 > remote policy has been configured, so
the new incoming connection arriving on the remote interface matches no policy and is dropped.

15. Return to the Student FortiGate device and add the missing remote > port3 ACCEPT policy, then
confirm that the ping from the remote Windows host succeeds.
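Steps 5 and 14 together describe the forwarding order (a route lookup selects the egress interface, then a policy is looked up for the ingress/egress pair) and its consequence for interface-mode IPsec: each direction needs its own policy. The following is an added example, not FortiOS code, that models both lab devices with the lab's interface, subnet and tunnel names. The route and policy table layouts are assumed, and on the policy-based side an IPsec-action policy with inbound allowed is treated as also matching the decrypted return traffic, as the lab states.

```python
"""FortiGate forwarding order for the two IPsec lab devices (added example).

Not FortiOS code. A route lookup selects the egress interface, then the policy
list is searched for the ingress/egress pair. The Student FortiGate uses a
route-based tunnel (interface remote), the Remote FortiGate a policy-based
tunnel (student). Interface, subnet and tunnel names are the lab's; the table
layouts are assumed.
"""
import ipaddress

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, egress interface) pairs."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, egress)
    return best[1] if best else None

def policy_lookup(policies, ingress, egress, src, dst):
    """First policy matching the interface pair and addresses, or None."""
    for p in policies:
        if (p["srcintf"] == ingress and p["dstintf"] == egress
                and in_net(src, p["src"]) and in_net(dst, p["dst"])):
            return p
        # A policy-based IPsec policy with inbound allowed also covers the
        # decrypted return traffic, i.e. the same policy seen in reverse.
        if (p["action"] == "ipsec" and p.get("inbound")
                and p["srcintf"] == egress and p["dstintf"] == ingress
                and in_net(dst, p["src"]) and in_net(src, p["dst"])):
            return p
    return None

def forward(device, ingress, src, dst):
    """Return (decision, egress interface) for a new connection."""
    egress = route_lookup(device["routes"], dst)
    p = policy_lookup(device["policies"], ingress, egress, src, dst)
    return ("drop (implicit deny)" if p is None else p["action"]), egress

STUDENT = {  # route-based: the static route to 10.0.2.0/24 points at the tunnel interface
    "routes": [("10.0.1.0/24", "port3"), ("10.0.2.0/24", "remote"), ("0.0.0.0/0", "port1")],
    "policies": [{"srcintf": "port3", "dstintf": "remote",
                  "src": "10.0.1.0/24", "dst": "10.0.2.0/24", "action": "accept"}],
}

REMOTE = {  # policy-based: only a default route; the IPsec-action policy selects the tunnel
    "routes": [("10.0.2.0/24", "port6"), ("0.0.0.0/0", "port4")],
    "policies": [{"srcintf": "port6", "dstintf": "port4",
                  "src": "10.0.2.0/24", "dst": "10.0.1.0/24",
                  "action": "ipsec", "inbound": True, "outbound": True}],
}

def with_return_policy(device):
    """The rule step 15 adds on the Student side: remote -> port3 ACCEPT."""
    extra = {"srcintf": "remote", "dstintf": "port3",
             "src": "10.0.2.0/24", "dst": "10.0.1.0/24", "action": "accept"}
    return dict(device, policies=device["policies"] + [extra])

if __name__ == "__main__":
    print("student -> remote:", forward(STUDENT, "port3", "10.0.1.10", "10.0.2.10"))
    print("remote -> student:", forward(STUDENT, "remote", "10.0.2.10", "10.0.1.10"))
    print("after fix:        ", forward(with_return_policy(STUDENT), "remote", "10.0.2.10", "10.0.1.10"))
    print("remote FortiGate: ", forward(REMOTE, "port6", "10.0.2.10", "10.0.1.10"),
          forward(REMOTE, "port4", "10.0.1.10", "10.0.2.10"))
```

The asymmetry is the practical lesson: on the route-based side the return direction is a separate policy you can scope and log independently, whereas the policy-based side's single IPsec policy admits traffic both ways as soon as inbound is allowed.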

Lab 1: Antivirus Scanning

The aim of this lab is to work with both flow-based and proxy-based Antivirus scanning.

– Configure flow-based and proxy-based antivirus scanning

– Test FortiGate unit AV scanning behavior

Estimated time to complete this lab: 30 minutes

1. From the Windows Server, you first will need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab.

 Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following
configuration file: Resources\Module7\student-utm.conf.

The Student FortiGate device will reboot.

2. When the FortiGate device has rebooted, go to UTM Security Profiles > AntiVirus > Profile
and edit the default profile.
Configure the following details to enable AV scanning on HTTP:

Inspection Mode: Proxy


Virus Scan and Removal: Select HTTP and deselect all other settings

3. Go to Policy > Policy > Policy and edit the port3 to port1 policy. Confirm that Use Standard
UTM Profiles is enabled and turn on AntiVirus. Ensure that the default antivirus profile is
selected.

4. Next go to Policy > Policy > UTM Proxy Options and examine the UTM proxy options.
The default profile is displayed. These settings determine how FortiOS handles each
protocol. For example, which port numbers to use, whether to use client comforting, or
whether to perform deep SSL inspection and so on.

5. Go to System > Config > Replacement Message. From the top right-hand corner select
Extended View and under UTM modify the Virus Block Page.
The HTML editor that is displayed allows you to see the changes as you are making them.
Click Save shown above the editor window to apply your changes.

6. On the virtual Windows Server desktop, launch a web browser and access the following web
site:
http://eicar.org

7. On the Eicar web page, click Download Anti Malware Test File (located in the top right-hand
corner of the page) and then click the Download link that appears on the left.
Download the eicar.com file from the section Download area using the standard protocol http.

The download attempt will be blocked by the FortiGate unit and the Virus Block Page replacement
message, including any customization you made earlier, will be displayed in the browser.

The Eicar file is an industry-standard test file used to verify antivirus detection without
handling real malware. The file consists of the following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

8. The HTTP virus message is shown when infected files are blocked or have been quarantined.
In the message that is displayed, click the link to the Fortinet Virus Encyclopedia to view
information about the detected virus.

9. From the GUI on Student FortiGate device, go to Log & Report > Traffic Log > Forward
Traffic and locate the antivirus event messages.
Alternately, go to UTM Security Profiles > Monitor > AV Monitor to view details of the log
event. If the AV monitor is not displayed in the GUI, go to System > Admin > Settings and
select UTM Monitors from the Display Options on GUI area.

10. On the Eicar web page, click Download Anti Malware Test File and then click the Download
link that appears on the left. This time, select the eicar.com file from the Download area
using the secure, SSL enabled protocol https.
The download succeeds: the file is carried inside TLS, which the FortiGate is not yet
inspecting, so the antivirus scanner never sees it.

11. To enable inspection of SSL encrypted traffic on the Student FortiGate unit, go to Policy >
Policy > UTM Proxy Options and edit the default profile. Under SSL Inspection Options,
enable the protocol HTTPS on port 443.

12. To ensure that there are no existing sessions prior to deep scanning the communication
exchange, connect to the CLI of the Student FortiGate unit and enter the following command:
diag sys session filter dport 443
diag sys session clear

13. Return to the Eicar web page and attempt to download the eicar.com file from the Download
area using the secure SSL enabled protocol https section.
This time, the download will be blocked by the FortiGate unit and the replacement message
will be displayed. (If this is not the case, you may need to clear your recent browsing history
as the object may be cached.)

14. Go to UTM Security Profiles > Antivirus > Profile and change the Inspection Mode for the
default Antivirus Profile to Flow-based.
Try downloading the eicar.com file again. What happens now when the virus is detected?

Go to Log & Report > Traffic Log > Forward Traffic and examine the logs again. Ensure the
event was detected.

Lab 1: Email Filtering

The aim of this lab is for students to work with email filtering.

− Enable and use email filtering on a FortiGate unit

− Modify inspection rules to black or white list emails (using banned word, IP, email etc.)

− Read and interpret email log entries

Estimated time to complete this lab: 30 minutes

1. From the Windows Server, you will first need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab. This module uses the same config as
in Module 7.

 Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following
configuration file: Resources\Module7\student-utm.conf.

The Student FortiGate device will reboot.

2. When the FortiGate device has rebooted, go to UTM Security Profiles > Email Filter > Profile
and edit the default email filtering profile. Select Enable Spam Detection and Filtering and
click Apply. Then configure the following settings:
SMTP Spam Action: Tagged
FortiGuard Spam Filtering: Enable IP Address Check
Enable URL Check
Click Apply.

3. By default FortiGuard services are enabled. Go to System > Config > FortiGuard and check
the status of the service. (If you are using the hosted virtual lab environment you will need to
change the service port to UDP 8888).

4. Go to Policy > Policy > Policy and edit the port3 to port1 outgoing policy. Under UTM Security
Profiles, turn on Email Filter and ensure that the default email filter profile is selected.

In the steps that follow, you will generate and send test spam emails to your Microsoft
Outlook user@internal.lab inbox. In the classroom lab environment, you will initiate the spam
generation using a script called smtpmboxgen.pl which is provided in the Resources\Module8
folder. Details for using this script will be provided in the steps that follow.

5. From the Windows server, open a command prompt and change directory to the
C:\Documents and Settings\Administrator\Desktop\Resources\Module8 folder as follows:
CD C:\Documents and Settings\Administrator\Desktop\Resources\Module8

Next, run the spam script by entering the following:

C:\Documents and Settings\Administrator\Desktop\Resources\Module8> smtpmboxgen.pl

6. From your Microsoft Outlook mail client, check the email inbox. Review the tagged spam and
the corresponding logging events.

7. Next, enable Banned Word Check in the default spam filter profile by entering the following
CLI commands:
config spamfilter profile
edit "default"
set spam-filtering enable
set options bannedword spamfsip spamfsurl
set spam-bword-table 1
end

8. Run the following commands in the CLI to review the configured banned words.
config spamfilter bword
show

Notice the use of both regular expressions and wildcards in that list.

9. Generate a message that will be caught by one of the configured banned words, for example
the word training. Remember that some banned words apply only to the subject line, others
apply only to the body, and others apply to both.
A banned word is only scored once per message: if a banned word has a score of 10 and the
word occurs four times in the message body, the message is still only assigned a score of 10
for that word.
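The once-per-message scoring described in step 9, as an added Python example that is not part of the course material or of FortiOS: it models a banned word table with the attributes the lab points at (a pattern that is either a wildcard or a regular expression, a scope of subject, body or both, and a score) and scores a message so that each banned word counts at most once, however often it occurs. The table entries, the tagging threshold of 10 and the shell-style meaning of the wildcard characters are assumptions made for this example, not values taken from student-utm.conf.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BannedWord:
    """One row of a banned word table (modelled on the lab's table; values constructed)."""
    pattern: str
    pattern_type: str   # "wildcard" or "regexp"
    where: str          # "subject", "body" or "all"
    score: int


# Constructed sample table for this example; not the table shipped in student-utm.conf.
BANNED_WORDS = [
    BannedWord("training", "wildcard", "subject", 10),   # subject line only
    BannedWord("free*money", "wildcard", "body", 5),     # body only; '*' matches anything
    BannedWord(r"v[i1]agra", "regexp", "all", 5),        # subject or body
]

# Assumed threshold: a message whose summed score reaches it is tagged as spam.
SPAM_THRESHOLD = 10


def compile_entry(entry):
    """Build a case-insensitive regex; '*' and '?' wildcards are assumed to be shell-style."""
    if entry.pattern_type == "wildcard":
        pattern = re.escape(entry.pattern).replace(r"\*", ".*").replace(r"\?", ".")
    elif entry.pattern_type == "regexp":
        pattern = entry.pattern
    else:
        raise ValueError(f"unknown pattern type: {entry.pattern_type}")
    return re.compile(pattern, re.IGNORECASE)


def score_message(subject, body, table=BANNED_WORDS, threshold=SPAM_THRESHOLD):
    """Return (total score, matched patterns, tagged?) for one message.

    Each banned word contributes its score at most once, no matter how many
    times it occurs or in how many of the fields it is allowed to match.
    """
    total = 0
    hits = []
    for entry in table:
        regex = compile_entry(entry)
        fields = []
        if entry.where in ("subject", "all"):
            fields.append(subject)
        if entry.where in ("body", "all"):
            fields.append(body)
        # any() stops at the first match, so repeated occurrences never add up
        if any(regex.search(text) for text in fields):
            total += entry.score
            hits.append(entry.pattern)
    return total, hits, total >= threshold


if __name__ == "__main__":
    # "training" four times in the body scores 0 here: that entry is subject-only
    print(score_message("hello", "training training training training"))
    print(score_message("Re: training schedule", "see attached"))
```

Running the block shows the two cases the lab text distinguishes: the subject-only entry ignores the body however often the word appears there, and a single hit in the subject is enough to reach the threshold.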

10. Go to Log & Report > UTM Security Log > Email Filter and review the email filtering log
entries.

 Lab 1: Web Filtering

The aim of this lab is for students to configure web filtering to block specific categories of web
content. The interaction of local categories and overrides will also be demonstrated.

− Enable and use web filtering on a FortiGate device

− Select the most effective method for blocking or allowing a web site

− Read and interpret web filter log entries

Estimated time to complete this lab: 30 minutes

1. From the Windows Server, you will first need to connect to the Student FortiGate device and
restore the configuration file that is needed for this lab. This module uses the same config as
in Module 7.

 Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following
configuration file: Resources\Module7\student-utm.conf.

The Student FortiGate device will reboot.

2. When the FortiGate device has rebooted go to System > Status and under License
information check the FortiGuard Services Web Filtering status.


3. From the CLI on the Student FortiGate device, check the low-level status information of the
web filtering service by entering the following command:
diag debug rating

The command diag debug rating shows the list of FDS servers that the FortiGate unit uses for
web filtering rating requests. In normal operation, rating requests are only sent to the server at
the top of the list. Each server is probed for round-trip time (RTT) every 2 minutes.

The diag debug rating flags indicate the server status as explained below:
− D indicates the server was found via the DNS lookup of the hostname. If the
hostname returns more than one IP address, all of them will be flagged with 'D' and
will be used first for INIT requests before falling back to the other servers.
− I indicates the server to which the last INIT request was sent.
− F signifies the server has not responded to requests and is considered to have failed.
− T signifies the server is currently being timed.

4. In the GUI on the Student FortiGate device, go to UTM Security Profiles > Web Filter >
Profile and review the settings of the default web filter profile. Select this profile using the
drop-down list in the upper right-hand corner of the Edit Web Filter Profile window.

5. Verify that the Inspection Mode is set to Proxy and enable FortiGuard Categories.
For the web categories listed below, set the Authenticate action to the training user group.

You will need to right-click each Group or Category name that is listed below in order to
make this change.

• Potentially Liable

• Adult/Mature Content

• Security Risk

Next set the following web categories to Warning and accept the default Warning Interval
value:

• Bandwidth Consuming

• Unrated

Click Apply to save your changes.

6. Go to Policy > Policy > Policy and edit the outgoing port3port1 policy. Under UTM Security
Profile, turn on Web Filter and ensure that the default UTM profile is selected.


7. From a web browser on the virtual Windows Server, connect to a web site that is usually
blocked by the training policy and verify that the blocked message is displayed.
A FortiGuard replacement message should be displayed.

8. Go to System > Config > Replacement Message. Select FortiGuard Block Page and change
the text of the URL block message to customize it. Click Save to apply your changes.

9. Revisit the same web site and ensure that the customized FortiGuard Block Page Blocked
message is displayed.

10. Next, in the web browser, attempt to connect to a web site category with an Authenticate
action. For example:
A Web Page Blocked message is displayed again, this time with a Proceed button.

11. Click Proceed to view the Web Filter Block Override page. Enter the username student and
the password F0rtinet and click Continue.
The web page should now be displayed.

12. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward
Traffic and locate the log messages related to the web filtering activity.
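Reading the email filter and web filter log entries that these labs ask you to review, as an added Python example that is not part of the course material or of FortiOS: it parses lines written in FortiGate's key=value log style and summarises which actions the UTM profiles took. The four log lines are constructed for this example (addresses, hostnames, sender and subject invented; field names chosen to resemble FortiOS web filter and email filter logs), and a real FortiGate log line carries more fields than shown here.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value log style. These are not real
# captures: every value is invented, and only a subset of the real fields is present.
SAMPLE_LOG = """\
date=2013-02-15 time=10:01:03 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=1 srcip=10.0.1.10 srcintf="port3" dstip=192.0.2.10 dstintf="port1" service="http" hostname="www.example.com" profile="default" action=blocked url="/" cat=26 catdesc="Malicious Websites" msg="URL belongs to a denied category in policy"
date=2013-02-15 time=10:02:11 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd="root" policyid=1 srcip=10.0.1.10 srcintf="port3" dstip=192.0.2.20 dstintf="port1" service="http" hostname="video.example.net" profile="default" action=passthrough url="/watch" cat=7 catdesc="Bandwidth Consuming" msg="URL was warned in policy"
date=2013-02-15 time=10:03:45 type=utm subtype=webfilter eventtype=ftgd_blk level=warning vd="root" policyid=1 srcip=10.0.1.10 srcintf="port3" dstip=192.0.2.30 dstintf="port1" service="http" hostname="games.example.org" profile="default" action=blocked url="/play" cat=20 catdesc="Games" msg="URL belongs to a denied category in policy"
date=2013-02-15 time=10:04:02 type=utm subtype=emailfilter level=notice vd="root" policyid=1 srcip=10.0.1.10 srcintf="port3" dstip=192.0.2.40 dstintf="port1" service="smtp" profile="default" action=tagged from="sender@example.com" to="user@internal.lab" subject="training offer" msg="Email is detected as spam by FortiGuard IP check"
"""

# key=value where the value is either a double-quoted string (may contain spaces)
# or a run of non-blank characters
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.group(1), match.group(3), match.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_log(text):
    """Parse every non-empty line of a log dump."""
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def actions_by_subtype(records):
    """Count (subtype, action) pairs, e.g. how many web requests were blocked."""
    return Counter((r.get("subtype"), r.get("action")) for r in records)


def blocked_hosts(records):
    """Hostnames the web filter blocked, with the FortiGuard category description."""
    return sorted(
        (r["hostname"], r.get("catdesc", ""))
        for r in records
        if r.get("subtype") == "webfilter" and r.get("action") == "blocked"
    )


def tagged_spam(records):
    """Sender and subject of every message the email filter tagged as spam."""
    return [
        (r.get("from"), r.get("subject"))
        for r in records
        if r.get("subtype") == "emailfilter" and r.get("action") == "tagged"
    ]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for key, count in sorted(actions_by_subtype(records).items()):
        print(f"{key[0]:12} {key[1]:12} {count}")
    print("blocked:", blocked_hosts(records))
    print("tagged spam:", tagged_spam(records))
```

The same parser works on lines exported from Log & Report, since the key=value shape is what the regular expression relies on; the summary functions are where you would add whatever question you are trying to answer from the log, such as which categories the Warning or Authenticate actions were applied to.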

13. In the following step, you will configure an access quota for a couple of categories. Quotas
allow access to web resources for a specified length of time. Go to UTM Security Profiles >
Web Filter > Profile and edit the default web filter profile.

14. Expand Quota on Categories with Monitor, Warning and Authenticate Actions and click
Create New to create new quotas. Select the categories (same as in Step 4) to be assigned
quotas and set the quota time value to 5 minutes.


15. From a web browser on the Windows Server, attempt to visit a blocked category web site
again.

16. Click the Proceed link on the Web Page Blocked page. Authenticate on the Web Filter Block
Override page using the username student and the password F0rtinet and click Continue.
Once authenticated properly, the quota timer is initiated. To view the current quota timer
value, go to UTM Security Profiles > Monitor > FortiGuard Quota. If this monitor is not
displayed in the GUI, go to System > Admin > Settings and select UTM Monitors from the
Display Options on GUI area.

When the daily quota value is reached the FortiGuard replacement message will be
displayed again.

17. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward
Traffic and locate the log messages related to the web filtering activity.

18. Edit the default profile, expand Quota on Categories with Monitor, Warning and Authenticate
Actions and delete the quotas on the selected categories.

19. Still in the web filter profile, change the Inspection Mode to Flow-based. A notification is displayed as follows:

Click OK and then click Apply.

20. Test the behavior of the flow-based inspection by connecting to a web site that is usually
blocked. Check the log entry for this blocked request.

 Lab 1: Application Identification

The aim of this lab is for students to use the application control feature to properly identify a given
application.

– Configure application control in the student lab environment

– Read and understand application control logs

Estimated time to complete this lab: 30 minutes

1. Go to UTM Security Profiles > Application Control > Application Sensor and review the
default application control sensor. (Ensure you are selecting the sensor named default.)

2. On the Edit Application Sensor page, check the settings for the following rules:
Application: Youtube
Application: Myspace
Check the actions for the filters. What are the expected actions of these sensors?

Traffic shaping is enabled for Youtube and these applications use a shared traffic shaper
which is capped at 1 Mbps. Connections to Myspace are blocked.

Before proceeding place both of these signatures at the top of the list.

3. Go to Policy > Policy > Policy and edit the port3port1 policy. Ensure that Application
Control is turned ON and that the default Application Control sensor is selected.


4. You will now test the application control configuration. From the virtual Windows Server,
open a web browser and connect to YouTube.

5. On the YouTube web site, attempt to play a few videos.

Check the traffic shaper monitor in Firewall Objects > Monitor > Traffic Shaper Monitor.

Check the application monitor in UTM Security Profiles > Monitor > Application Monitor.

6. From the virtual Windows Server, open a web browser and connect to Myspace.
You should observe that you cannot connect to this site.

7. Go to UTM Security Profiles > Application Control > Application Sensor and edit the default
sensor again. Click Create New to add a new application filter and select Specify
Applications.

8. In the search field shown above the Application Name column, enter Facebook. A window
displays a description of the application, including its popularity, and a reference link that
you can click to obtain more rating information from the FortiGuard Center.
Set Action to Block and ensure that this new signature is placed at the top of the list.

Test that this site is now blocked and view the log information (Log & Report > Traffic Log >
Forward Traffic) to confirm that this action was correctly logged. The status of the connection
should be displayed as deny.

9. Return to the web browser, and attempt to access the following web site:
http://proxite.us

10. On the proxy web page, scroll down to the bottom and enter the URL of MySpace. Click Go.
You should observe this does allow some connectivity to the site. What action can be taken
to stop this?

You can create a new rule in the sensor to block the Proxy category.


1. Fortinet Documentation: http://docs.fortinet.com

The documentation web site contains all Fortinet manuals, white papers and guides for
Fortinet products.

2. Fortinet Knowledge Base: http://kb.fortinet.com

This site is useful for finding working examples and tips for Fortinet products.

3. Fortinet Web Site: http://www.fortinet.com

The Fortinet web site contains all hardware and product specifications.

4. FortiGuard Web Site: http://www.fortiguard.com

This site is suitable for finding information about the FortiGuard Subscription Services.

5. FortiCare Web Site: https://support.fortinet.com

The FortiCare web site is used to interface with Fortinet support, register devices you have
purchased and download firmware updates.

6. Fortinet User Forums: http://support.fortinet.com/forum/

These are user-led and user-run forums that discuss many different topics surrounding the use of
Fortinet devices.
