Network Security Management

© Copyright Fortinet Inc. All rights reserved.


Introduction to FortiGate
FortiGuard Subscription Services

• Internet connection and contract required
• Provided by the FortiGuard Distribution Network
o Major data centers in North America, Asia, and Europe
o FortiGate prefers the data center in the nearest time zone, but will adjust by server load
• Package updates: FortiGuard Antivirus and IPS
o update.fortiguard.net
o TCP port 443 (SSL)
• Live queries: FortiGuard Web Filtering and Antispam
o service.fortiguard.net
o Proprietary protocol on UDP port 53 or 8888
Modes of Operation

NAT mode
• FortiGate is an OSI Layer 3 router
• Interfaces have IP addresses
• Packets are routed by IP

Transparent mode
• FortiGate is an OSI Layer 2 switch or bridge
• Interfaces do not have IPs
• Cannot route packets, only forward or not
Operation Modes & the OSI Model

Factory Default Settings

 Port 1 / internal interface IP: 192.168.1.99/24
 PING, HTTP, HTTPS, and SSH protocol management enabled
 Built-in DHCP server is enabled on port 1 / internal interface
 Default login:
o User: admin
o Password: (blank)
o Both are case sensitive
o Modify the default (blank) root password!
Resetting a Lost admin Password

 User: maintainer
 Password: bcpb<serial-number>
o All letters in <serial-number> must be upper case, e.g. “FGT60..”
 All FortiGate models and some other Fortinet device types
 Only after a hard power cycle
 Only during the first 30 seconds after boot
 Only through the hardware console port
o Requires physical access for security reasons
o If compliance or the risk of physical access requires it, the maintainer account can be disabled:
config sys global
set admin-maintainer disable
end
Administrator Profiles

 System > Administrator
Administrator Profiles: Permissions

Example profile, one access level per configuration area:

Area                      None   Read   Read-Write
System Configuration       ×      ×        √
Network Configuration      ×      ×        √
Firewall Configuration     ×      √        ×
VPN Configuration          √      ×        ×
WiFi Controller            √      ×        ×
Log & Report               ×      √        ×
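Added example, not from the original slides: a FortiOS CLI profile definition that encodes the permission matrix above, one access level per area. The profile name fw_operator is made up, and the keywords follow the config system accprofile command as found in FortiOS 5.x/6.x; check the CLI reference for your firmware, since newer releases add finer-grained sub-options. The text after # on each line is annotation, not CLI syntax, and must be removed before pasting.

```text
config system accprofile
    edit "fw_operator"
        set sysgrp read-write    # System Configuration: Read-Write
        set netgrp read-write    # Network Configuration: Read-Write
        set fwgrp read           # Firewall Configuration: Read
        set vpngrp none          # VPN Configuration: None
        set wifi none            # WiFi Controller: None
        set loggrp read          # Log & Report: Read
    next
end
```

The profile is attached to an account with set accprofile "fw_operator" under config system admin. Starting every area at none and raising only what the operator's job needs is the least-privilege reading of this table; a Read level on Firewall Configuration, as here, lets an auditor review policies without being able to change them.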
Administrator Profiles : Hierarchy

Administrative Access: Trusted Sources

 Administrative access is denied for connections coming from IP addresses that are not in any of the trusted host subnets
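Added example, not part of the original slides: the CLI equivalent of the three hardening steps these slides call for, namely replacing the blank default admin password, disabling the maintainer account where the physical-access risk warrants it, and restricting the sources from which administrative sessions are accepted. The subnets, the placeholder password and the decision to drop plain HTTP from port1's management protocols are assumptions; the admin-maintainer line is the one shown on the maintainer slide, and the remaining keywords follow the config system admin and config system interface commands in FortiOS 5.x/6.x.

```text
config system global
    set admin-maintainer disable
end

config system admin
    edit "admin"
        set password "REPLACE-WITH-A-STRONG-PASSWORD"
        set trusthost1 192.168.1.0 255.255.255.0
        set trusthost2 10.10.50.0 255.255.255.0
    next
end

config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end
```

Trusted hosts are configured per administrator account, so every account needs them; an account left without trusted hosts is reachable from any address on any interface where a management protocol is allowed. Apply the trusthost lines from a session that originates inside one of the listed subnets and confirm a fresh login works before closing it, otherwise the change locks out the administrator making it.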
Features Hidden by Default

• By default, some features like IPv6 are hidden in the GUI
• Hide/show via System > Feature Visibility
Link Aggregation

 Bundles several physical ports to form a single point-to-point logical channel with greater bandwidth
o Increases redundancy for higher availability
Interface IPs

 In NAT mode, interfaces can’t be used until they have an IP address
o Manually assigned
o Automatic
• DHCP
• PPPoE
 Exceptions: One-Arm Sniffer or FortiSwitch
Interface Role Compared to Alias

 Role defines a group of interface settings that are typically used together
o Avoids accidental misconfiguration
o Four types:
• WAN
• LAN
• DMZ
• Undefined (shows all settings)
o Not shown in the policy list
 Alias is a nickname for an interface
o Used in the policy list to label interfaces by purpose
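Added example, not from the original slides, tying together the last three slides (link aggregation, interface IP assignment, and role versus alias) in one config system interface block. The port names, the alias strings, the aggregate name agg-dmz and the addresses are assumptions; the keywords (set type aggregate, set member, set lacp-mode, set mode static/dhcp, set role, set alias) follow the FortiOS 5.6+ CLI, so verify them against your firmware's CLI reference.

```text
config system interface
    edit "port1"
        set alias "Corp-LAN"
        set role lan
        set mode static
        set ip 192.168.1.99 255.255.255.0
    next
    edit "port2"
        set alias "ISP-Uplink"
        set role wan
        set mode dhcp
    next
    edit "agg-dmz"
        set type aggregate
        set member "port3" "port4"
        set lacp-mode active
        set alias "DMZ-Servers"
        set role dmz
        set mode static
        set ip 172.16.10.1 255.255.255.0
    next
end
```

The role (lan, wan, dmz) only changes which settings the GUI presents for the interface, while the alias is what appears in the policy list, so the alias is the value to keep descriptive. Physical ports can join an aggregate only while they carry no IP and are referenced by no policy, route or other object, so clear those references first.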
