Lesson Overview
• High-Level Features
• Setup Decisions (operation mode: NAT or Transparent)
• Basic Administration
• Built-In Servers
FortiGuard Subscription Services
• Updates are downloaded from update.fortiguard.net over TCP port 443 (SSL)
• Live queries: FortiGuard Web Filtering, DNS Filtering, and Antispam
  • service.fortiguard.net for the proprietary protocol on UDP port 53 or 8888
  • securewf.fortiguard.net for HTTPS over port 53 or 8888
• Caveat: an upstream firewall that only allows standard DNS on port 53 may still break the live queries, because the proprietary protocol is not DNS; allow the exact destination hosts and ports above, or FortiGuard lookups will time out
Administrative Access Methods
• CLI: console port, SSH, Telnet, or the CLI console widget in the GUI
• GUI: FortiExplorer, or a web browser (HTTP, HTTPS)
• Telnet and HTTP send credentials in cleartext; enable only SSH and HTTPS on interfaces that carry management traffic
Screenshot: System > Administrators > New Administrator. Fields: Username, Password, Confirm Password, Use public key infrastructure (PKI) group, type (REST API Admin, SSO Admin), Administrator Profile (super_admin), Email Address, SMS, Two-factor Authentication, Restrict login to trusted hosts, Restrict admin to guest account provisioning only, Override Idle Timeout.
Maintainer Account (Password Recovery)
• Available on all FortiGate appliance models and some other Fortinet device types
• There is no maintainer procedure in a VM: revert to a snapshot or re-provision the VM instead
• Works only after a hard power cycle; a soft cycle (reboot) does not enable it, for security reasons
• Works only during the first 60 seconds after boot (varies by model)
• Tip: the username is maintainer and the password is bcpb followed by the device serial number (case-sensitive), so copy the serial number into the terminal buffer beforehand, then paste it
• Works only through the hardware console port, so it requires physical access, for security reasons
• If compliance or the risk of physical access requires it, the maintainer account can be disabled:
  config system global
      set admin-maintainer disable
  end
• Caveat: once it is disabled, a lost admin password on a hardware unit can only be recovered by reinstalling the firmware from the boot menu, which wipes the configuration; keep a second administrator account with a securely stored password
Interface Administrative Access (Network > Interfaces)
• Protocols that can be enabled per interface: HTTPS, HTTP, PING, FMG-Access, SSH, SNMP, FTM, RADIUS Accounting, FortiTelemetry
• LLDP Support (Receive, or Use VDOM Setting): lets FortiGate detect an upstream Security Fabric FortiGate through LLDP
• DHCP Server can also be enabled on the interface
Features Hidden by Default (System > Feature Visibility)
• By default, some features, such as IPv6, are hidden in the GUI
• Hidden features are not disabled: anything configured for them (for example in the CLI) still takes effect even though the GUI does not show it
• In Feature Visibility, select whether to hide or show groups of features that are commonly used together (for example DNS Database, Multicast Policy, Advanced Routing)
Built-In DNS Server (Network > DNS Servers)

DNS Zone     | Domain Name  | Type   | View   | TTL (seconds) | # of Entries
student.lab  | student.lab  | Master | Shadow | 86400         | 3
training.lab | training.lab | Master | Shadow | 86400         | 8

To view DNS Servers under Network, you must make it visible in System > Feature Visibility > DNS Database.
Firewall Policies

Objectives
• Identify components of firewall policies
• Identify how FortiGate matches traffic to firewall policies

What Are Firewall Policies?
• Policies define:
  • Which traffic matches them
  • How to process traffic that matches
• When the first packet of a new IP session arrives, FortiGate:
  • Starts at the top of the policy list (Policy & Objects > IPv4 Policy) and looks for a match
  • Applies the first matching policy; policies further down are never evaluated for that session
• Implicit Deny: if no policy matches, FortiGate drops the packet. The Implicit Deny entry (ID 0) sits at the bottom of the list and does not log by default, so enable logging on it if you need to see dropped traffic

Policy Types and Components
• Policy types: IPv4, IPv6, virtual wire pair (IPv4, IPv6), proxy, multicast
• Objects a policy matches on: addresses (including wildcard FQDN), Internet Service Database entries, services, schedules, users (authentication)
• What a policy does with matching traffic: action (accept or deny), logging, security profiles
Simplify: Interfaces and Zones
• Incoming Interface and Outgoing Interface can be one or more interfaces, or a zone
• Zone: logical group of interfaces
• To match policies with traffic, select one (or more) interfaces, or any interface

Matching by Source and Destination
• Source: address objects (such as LOCAL_SUBNET), users or user groups (such as guest, student), or Internet Service entries
• Destination: address objects or Internet Service Database (ISDB) entries (such as Amazon-AWS, Google-Google.Cloud, Fortinet-FortiCloud)
• When a user or group is part of the source, FortiGate must verify the username and password before the policy can match
• If Internet Service is selected as Destination:
  • You cannot mix Address objects and Internet Service entries in that Destination field; it holds one or the other
  • You cannot select Service in the firewall policy, because the Internet Service entry already defines the protocols and ports
Matching by Schedule (Policy & Objects > Schedules)
• Recurring: happens at the same time on the specified day(s) of the week (Days, then All Day or Start Time and Stop Time)
• One-time: happens only once (Start Date and Time, End Date and Time, and an optional pre-expiration event log a configurable number of days before expiry)
• Schedules are evaluated against the FortiGate system clock, so confirm the time zone and NTP synchronisation before relying on a schedule to close access
Matching by Service
• Service determines the matching transport protocol (UDP, TCP, and so on) and port number
• Can be predefined or custom
• ALL matches all ports and protocols

Predefined service | Protocol / ports
ALL                | ANY
ALL_TCP            | TCP/1-65535
ALL_UDP            | UDP/1-65535
ALL_ICMP           | ICMP, any type
ALL_ICMP6          | ICMPv6, any type
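The matching rules above (top-down evaluation, first match wins, implicit deny) combined with interfaces and zones, address objects, schedules and services, as an added example that is not Fortinet code or course material. It simulates what the Policy Lookup tool does for a single packet. The object names (port1, port3, lan_1, lan_2, LOCAL_SUBNET, Full_Access, Block_FTP, Web_FTP) follow the course lab; the policy definitions, the sample packets and the simplified schedule logic are assumptions made for this example.

```python
# Simulated FortiGate IPv4 policy lookup. Added example for this page, not
# Fortinet code: it reproduces the matching rules described above (top-down,
# first match wins, implicit deny) for interfaces/zones, addresses, schedules
# and services. Object names (port1, port3, lan_1, LOCAL_SUBNET, Full_Access,
# Block_FTP, Web_FTP) follow the course lab; everything else is an assumption.
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

ZONES = {"lan": {"lan_1", "lan_2"}}                      # zone -> member interfaces
ADDRESSES = {"all": ["0.0.0.0/0"], "LOCAL_SUBNET": ["10.0.1.0/24"]}
SERVICES = {                                             # name -> (proto, (low, high))
    "ALL": [("any", (1, 65535))], "ALL_TCP": [("tcp", (1, 65535))],
    "ALL_UDP": [("udp", (1, 65535))], "ALL_ICMP": [("icmp", (0, 0))],
    "HTTP": [("tcp", (80, 80))], "HTTPS": [("tcp", (443, 443))],
    "FTP": [("tcp", (21, 21))], "DNS": [("tcp", (53, 53)), ("udp", (53, 53))],
}

def interface_matches(selector, iface):
    """'any' matches every interface; a zone name matches all its members."""
    if selector == "any":
        return True
    return any(s == iface or iface in ZONES.get(s, ()) for s in selector)

def address_matches(names, ip):
    addr = ip_address(ip)
    return any(addr in ip_network(net) for n in names for net in ADDRESSES[n])

def service_matches(names, proto, dport):
    for n in names:
        for sproto, (lo, hi) in SERVICES[n]:
            if sproto in ("any", proto) and (proto == "icmp" or lo <= dport <= hi):
                return True
    return False

@dataclass
class Schedule:
    kind: str = "always"                      # "always", "recurring" or "onetime"
    days: set = field(default_factory=set)    # recurring: weekday numbers, 0 = Monday
    start: tuple = (0, 0)                     # recurring: (hour, minute) window
    stop: tuple = (23, 59)
    window: tuple = None                      # onetime: (start_datetime, end_datetime)

    def active(self, now):
        if self.kind == "always":
            return True
        if self.kind == "onetime":
            return self.window[0] <= now < self.window[1]
        return now.weekday() in self.days and self.start <= (now.hour, now.minute) <= self.stop

@dataclass
class Policy:
    id: int
    name: str
    srcintf: object        # "any" or a list of interface/zone names
    dstintf: object
    srcaddr: list
    dstaddr: list
    schedule: Schedule
    service: list
    action: str            # "accept" or "deny"

def policy_lookup(policies, ingress, egress, src, dst, proto, dport, now):
    """First policy matching the packet, or None for the implicit deny.
    The egress interface comes from the routing lookup FortiGate performs
    before policy matching, so it is passed in here rather than computed."""
    for p in policies:
        if (interface_matches(p.srcintf, ingress) and interface_matches(p.dstintf, egress)
                and address_matches(p.srcaddr, src) and address_matches(p.dstaddr, dst)
                and p.schedule.active(now) and service_matches(p.service, proto, dport)):
            return p
    return None

BUSINESS_HOURS = Schedule("recurring", days={0, 1, 2, 3, 4}, start=(8, 0), stop=(18, 0))

# Block_FTP sits on top: Full_Access below it allows service ALL, so the deny
# would never be reached if the order were reversed.
LAB_POLICIES = [
    Policy(3, "Block_FTP", "any", "any", ["all"], ["all"], Schedule(), ["FTP"], "deny"),
    Policy(1, "Full_Access", ["port3"], ["port1"], ["LOCAL_SUBNET"], ["all"], BUSINESS_HOURS, ["ALL"], "accept"),
    Policy(2, "Web_FTP", ["lan"], ["port1"], ["all"], ["all"], Schedule(), ["DNS", "FTP", "HTTP", "HTTPS"], "accept"),
]

def lab_time(hour, minute):
    """Friday 2019-05-17, the date shown on the course's schedule screenshot."""
    return datetime(2019, 5, 17, hour, minute)

if __name__ == "__main__":
    for args in [("port3", "port1", "10.0.1.10", "203.0.113.5", "tcp", 443, lab_time(10, 0)),
                 ("port3", "port1", "10.0.1.10", "203.0.113.5", "tcp", 21, lab_time(10, 0)),
                 ("port3", "port1", "10.0.1.10", "203.0.113.5", "tcp", 443, lab_time(22, 15)),
                 ("lan_2", "port1", "10.0.2.5", "203.0.113.5", "tcp", 80, lab_time(22, 15))]:
        hit = policy_lookup(LAB_POLICIES, *args)
        print(args[:6], "->", f"{hit.name} ({hit.action})" if hit else "implicit deny")
```

The third lookup shows the practical trap with schedules: outside business hours Full_Access is inactive and nothing else matches, so the session falls through to the implicit deny without any log entry unless logging is enabled on Implicit Deny. The fourth lookup shows a zone member (lan_2) matching a policy written against the zone name.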
Configuring Firewall Policies

Objectives
• Restrict access and make your network more secure using security profiles
• Configure logging

Configuring Firewall Policies
• A policy name is mandatory when creating a policy in the GUI (this is the default behaviour)
• You can relax the requirement by enabling Allow Unnamed Policies in System > Feature Visibility ("Relax the requirement for every policy to have a name when created in GUI")
• Each policy name must be unique

Creating a Policy in the GUI (Policy & Objects > IPv4 Policy)
• The flat GUI view lets you select entries by clicking, or drag-and-drop them from the object list (addresses such as LOCAL_SUBNET, FABRIC_DEVICE, LOCAL_WINDOWS, FQDN addresses such as gmail.com, login.microsoft.com, login.microsoftonline.com)
• Every policy also receives a Universally Unique Identifier (UUID), visible in the CLI:
  config firewall policy
      edit <policy id>
          set name "Training"
          set uuid 22c4966e-...
  ...
• Action: ACCEPT or DENY
• Security Profiles (available on ACCEPT policies): AntiVirus, Web Filter, DNS Filter, Application Control, IPS (each shown with its default profile), SSL Inspection (deep-inspection)
• Logging Options: Log Violation Traffic (on DENY), Log Allowed Traffic (Security Events or All Sessions), Generate logs when Session Starts, Capture Packets
• Caveat: Security Events logs only sessions on which a security profile fired; choose All Sessions when you need traffic logs for every accepted session (at a higher log volume)
Policy list examples from the lab (Policy & Objects > IPv4 Policy)

Interface pair port3 -> port1:
ID | Name        | Source       | Destination | Schedule | Service               | Action | NAT
1  | Full_Access | LOCAL_SUBNET | all         | always   | ALL                   | ACCEPT | Enabled
2  | Web_FTP     | all          | all         | always   | DNS, FTP, HTTP, HTTPS | ACCEPT | Enabled

Web_FTP uses a zone: Lan_1 and Lan_2 are members of the same zone, so one policy covers both interfaces. LOCAL_SUBNET is the address object 10.0.1.0/24.

Ordering example: a Block_FTP policy (source all, destination all, schedule always, service FTP, action DENY) must be placed above Full_Access. Placed below it, Full_Access (service ALL) matches the FTP traffic first and the deny is never evaluated.

Policy Lookup (Policy & Objects > IPv4 Policy > Policy Lookup) reports which policy a given packet would hit. Inputs: Source Interface port3, Protocol TCP, Source 10.0.1.10, Source Port (optional, 1-65535), Destination fortinet.com, Destination Port 443. Example list used with the tool:
ID | Name      | Source       | Destination | Schedule | Service  | Action | NAT
1  | Training1 | LOCAL_SUBNET | all         | always   | ALL_ICMP | ACCEPT | Enabled
2  | FTP       | all          | all         | always   | FTP      | ACCEPT | Enabled
3  | Training2 | LOCAL_SUBNET | …           | always   | …        | ACCEPT | Enabled
IPS Signatures (Security Profiles > Intrusion Prevention)
• The IPS engine first checks whether traffic meets protocol requirements and standards (protocol decoders), then matches signatures against the decoded traffic
• Each FortiGuard signature lists Name, Exempt IPs, Severity, Target (Server or Client), Service/Protocol, OS, Action and Packet Logging; for example 3Com.3CDaemon.FTP.Server.Buffer.Overflow (Target Server, OS Windows, Action Block) or 3S.CODESYS.Gateway.Server.Heap.Buffer.Overflow (Target Server, OS Windows, Action Block)
• Each signature has a FortiGuard default action (Default), which a sensor can override
• IPS Filters select groups of signatures by attribute, for example OS: Windows, Protocol: HTTP, Severity: Critical, Target: Server, and apply one action to the whole group
Configuring IPS Sensors
• Add rate-based signatures to block traffic when the threshold is exceeded during a time period
• Track the traffic based on source or destination IP address
• Example from the lab: signature Apache.HTTPD.mod_http2.DoS, Threshold and Duration (seconds) set in the same row, Track By Source IP, Action Block, Block Duration expires after 4 hour(s)
• Individual signature actions override any filter-based action: with a filter of Severity (all), Location: server, OS: Windows, Action: Block (or Default, or Quarantine) and Packet Logging, a per-signature entry such as 4D.WebStar.Tomcat.Plugin.Remote.Buffer.Overflow (Server, TCP/HTTP, Windows) set to Monitor still wins for that signature; 3Com.3CDaemon.FTP.Server.Information.Disclosure (Client, TCP/FTP, Windows) left on Default keeps its FortiGuard action
• IP Exemptions exclude specific addresses from a signature without disabling it for everyone else
• Caveat: a rate-based signature tracked by source IP counts all clients behind a shared NAT address together, so a low threshold can block an entire site because of one misbehaving host
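The rate-based signature behaviour described above (threshold within a duration, tracked by source or destination IP, block for a block duration), as an added example that is not Fortinet code or course material. The signature name is the one in the course screenshot; the threshold, window, block duration and the event stream are constructed for this example, and the sliding-window counter is an assumption about how such a signature can be implemented, not a description of the FortiGate engine.

```python
# Rate-based IPS signature simulation. Added example for this page, not
# Fortinet code: a signature fires only when one tracked address produces
# more than `threshold` matching events within `duration` seconds, and the
# address is then blocked for `block_duration` seconds. The signature name
# matches the course screenshot; threshold, durations and the event list
# below are constructed for the example.
from collections import defaultdict, deque

class RateBasedSignature:
    def __init__(self, name, threshold, duration, track_by="src", block_duration=4 * 3600):
        self.name = name
        self.threshold = threshold           # hits allowed inside the window
        self.duration = duration             # window length in seconds
        self.track_by = track_by             # "src" or "dst": which IP is counted
        self.block_duration = block_duration
        self.hits = defaultdict(deque)       # tracked IP -> hit timestamps in window
        self.blocked = {}                    # tracked IP -> time the block expires

    def process(self, event):
        """Return 'blocked', 'block' (threshold just exceeded) or 'pass'."""
        key = event[self.track_by]
        now = event["t"]
        expires = self.blocked.get(key)
        if expires is not None:
            if now < expires:
                return "blocked"             # all traffic from the address is dropped
            del self.blocked[key]            # block duration elapsed
        if event["sig"] != self.name:
            return "pass"                    # not a hit for this signature
        window = self.hits[key]
        window.append(now)
        while window[0] <= now - self.duration:
            window.popleft()                 # discard hits older than the window
        if len(window) > self.threshold:
            self.blocked[key] = now + self.block_duration
            window.clear()
            return "block"
        return "pass"

def run(sig, events):
    """Apply one sensor entry to an ordered event stream; returns the verdicts."""
    return [sig.process(e) for e in events]

# Constructed event stream: 10.0.1.10 floods the server, 10.0.1.20 sends two
# requests, then 10.0.1.10 comes back while blocked and again after the block.
HTTP2 = "Apache.HTTPD.mod_http2.DoS"
EVENTS = sorted(
    [{"t": t, "src": "10.0.1.10", "dst": "203.0.113.80", "sig": HTTP2} for t in range(6)]
    + [{"t": 2, "src": "10.0.1.20", "dst": "203.0.113.80", "sig": HTTP2},
       {"t": 3, "src": "10.0.1.20", "dst": "203.0.113.80", "sig": HTTP2},
       {"t": 7, "src": "10.0.1.10", "dst": "203.0.113.80", "sig": "HTTP.Request"},
       {"t": 5 + 4 * 3600, "src": "10.0.1.10", "dst": "203.0.113.80", "sig": "HTTP.Request"}],
    key=lambda e: e["t"])

if __name__ == "__main__":
    verdicts = run(RateBasedSignature(HTTP2, threshold=5, duration=10), EVENTS)
    for e, v in zip(EVENTS, verdicts):
        print(e["t"], e["src"], e["sig"], "->", v)
```

Switching `track_by` to `"dst"` shows the caveat in the bullet list: every client hitting the same server is counted together, so the sixth hit from any client triggers the block and the server address, not the attacker, is what gets blocked.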
Screenshot: policy NAT section. NAT (enable), IP Pool Configuration (Use Dynamic IP Pool), Preserve Source Port, Protocol Options; followed by Security Profiles (AntiVirus, Web Filter, DNS Filter, Application Control, IPS, SSL Inspection), Mirror SSL Traffic to Interfaces, and Logging Options.
Web Filtering

Lesson Overview
• Inspection Modes
• Web Filtering Basics
• Additional Proxy-Based Web Filtering Features
• DNS Filtering

Where the Web Filter acts (flow-based inspection): the TCP handshake (SYN, SYN/ACK, ACK) completes unfiltered; the web filter inspects the HTTP GET request and the HTTP 200 response. The DNS filter, by contrast, acts on the DNS response, before any TCP connection to the web server is made.
Applying a Web Filter profile: create the profile under Security Profiles > Web Filter, then select it in the policy (Policy & Objects > IPv4 Policy > Edit Policy, for example Full_Access).
• Description of categories: www.fortiguard.com
• URL categories are grouped (for example General Interest - Personal, General Interest - Business) and each category is assigned an action
• With the Authenticate action, the block page reads: "If you have been granted override privileges by your administrator, you can enter your username and password here to gain access to the blocked web page. If you do not have override privileges, please contact your administrator to gain access to the web page." (Username and Password fields)
• External threat feeds can supply a Domain Name list, a FortiGuard Category (remote category), an IP Address list, or a Malware Hash list; remote categories appear in the web filter profile under Remote Categories and take an action like any other category
• Categories can be used in long-term or short-term policies
• SSL inspection and web categories: on HTTPS traffic, certificate inspection exposes only the host name (from the SNI and certificate), so only the host's category can be enforced; deep inspection exposes the full URL
Web Rating Override (Security Profiles > Web Rating Overrides)
• Override the rating (category) that the FortiGuard service applied to a host name
• The host name is reassigned to a completely different category and gets that category's action
• Rating overrides are checked before FortiGuard is contacted for a rating, so an overridden host name never generates a FortiGuard query
Custom Categories
• Additional customized categories can be added (Security Profiles > Web Rating Overrides > Custom Categories) and used as the target of a rating override

Name    | Number of Override URLs | Number of Web Filter Profile References
custom1 | 0                       | 1
custom2 | 0                       | 1
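The lookup order from the Web Rating Override and Custom Categories sections above (local override first, then the cached or live FortiGuard rating, then the category's action), as an added example that is not Fortinet code or course material. FortiGuard is replaced by a constructed dictionary; the host names, the category-to-action table and the exact-host-name matching are assumptions made for this example.

```python
# Web rating lookup order. Added example for this page, not Fortinet code:
# a local rating override is consulted before any FortiGuard query, and
# custom categories (custom1, custom2) exist only locally. FortiGuard is
# replaced by a constructed dictionary; host names, categories and the
# category-to-action table are assumptions made for this example.
from urllib.parse import urlsplit

FORTIGUARD_RATINGS = {                        # stand-in for the live rating service
    "news.example.test": "General Interest - Personal",
    "crm.example.test": "General Interest - Business",
    "malware.example.test": "Malicious Websites",
}
CATEGORY_ACTIONS = {                          # web filter profile: category -> action
    "General Interest - Personal": "monitor",
    "General Interest - Business": "allow",
    "Malicious Websites": "block",
    "custom1": "block",
    "custom2": "authenticate",
}

class WebRater:
    def __init__(self, overrides):
        self.overrides = overrides            # host name -> category (rating overrides)
        self.cache = {}                       # host name -> category from FortiGuard
        self.fortiguard_queries = 0           # counts live lookups, to show what is skipped

    def rating(self, host):
        """Return (category, source); source records how the rating was decided."""
        if host in self.overrides:            # checked before contacting FortiGuard
            return self.overrides[host], "override"
        if host in self.cache:
            return self.cache[host], "cache"
        self.fortiguard_queries += 1
        category = FORTIGUARD_RATINGS.get(host, "Unrated")
        self.cache[host] = category
        return category, "fortiguard"

    def decide(self, url):
        host = urlsplit(url).hostname
        category, source = self.rating(host)
        action = CATEGORY_ACTIONS.get(category, "allow")   # unrated: profile default
        return {"host": host, "category": category, "action": action, "source": source}

OVERRIDES = {
    "news.example.test": "custom1",           # reassigned away from its FortiGuard category
    "intranet.example.test": "custom2",       # never rated by FortiGuard at all
}

if __name__ == "__main__":
    rater = WebRater(OVERRIDES)
    for u in ["https://news.example.test/today", "http://crm.example.test/",
              "http://crm.example.test/login", "https://intranet.example.test/"]:
        print(rater.decide(u))
    print("FortiGuard queries:", rater.fortiguard_queries)   # only crm.example.test
```

The query counter makes the override property visible: neither overridden host causes a FortiGuard lookup, and the second request to crm.example.test is answered from the cache. If the FortiGuard service becomes unreachable (see the troubleshooting notes below), overridden hosts are the only ones whose category can still be decided locally.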
URL Filter actions: Exempt (the URL is exempt from all further inspection, so use it sparingly and only for exact URLs you trust) and Block; the URL Category Display Page shows which category a URL received.

Troubleshooting web and DNS filtering
• Is the FortiGuard service reachable? System > FortiGuard shows Filtering Services Availability with a Check Again button for Web Filtering and Anti-Spam, and lets you request re-evaluation of a URL's category
• Is the FortiGuard SDNS service accessible for DNS filters?
• Are the profiles actually applied to the policy? Check in the GUI (Policy & Objects > IPv4 Policy: Web Filter default, DNS Filter default, Proxy Options default, SSL/SSH Inspection certificate-inspection) or in the CLI:
  config firewall policy
      edit <policy id>
          set webfilter-profile <profile>
          set dnsfilter-profile <profile>
      next
  end
• If FortiGuard rating lookups time out, the timeout is configurable:
  config system fortiguard
      set webfilter-timeout <1-30>
  end