DO NOT REPRINT FORTINET
FortiGate I Student Guide for FortiGate 5.2.1
Last Updated: 30 April 2015
Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names may be trademarks of their respective owners. Copyright © 2002 - 2015 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents

VIRTUAL LAB BASICS ... 7
    Topology ... 8
    Logging In ... 8
    Disconnections/Timeouts ... 13
    Transferring Files to the VM ... 13
    Using HTML5 Instead of Java ... 13
    Screen Resolution ... 14
    International Keyboards ... 14
    Troubleshooting Tips ... 15

INTRODUCTION TO FORTINET UTM ... 17
    Lab 1: Initial Setup and Configuration ... 17
        Objectives ... 17
        Time to Complete ... 17
        Exercise 1 (Optional) Configuring Network Interfaces on the Student & Remote FortiGate ... 18
        Exercise 2 Exploring the Command Line Interface ... 20
        Exercise 3 Restoring a Configuration from Backup ... 22
        Exercise 4 Making Configuration Backups ... 24
    Lab 2: Administrative Access ... 25
        Objectives ... 25
        Time to Complete ... 25
        Exercise 1 Administrators, Passwords, and Permissions ... 26
        Exercise 2 Restricting Administrator Access ... 28

LOGGING & MONITORING ... 29
    Lab 1: Status Monitor and Event Log ... 29
        Objectives ... 29
        Time to Complete ... 29
        Exercise 1 Using the GUI's Status Monitor ... 30
        Exercise 2 Event Log & Logging Options ... 33
    Lab 2: Remote Monitoring ... 35
        Objectives ... 35
        Time to Complete ... 35
        Exercise 1 Remote Logging & SNMP Monitoring ... 36

FIREWALL POLICIES ... 38
    Lab 1: Firewall Policy ... 38
        Objectives ... 38
        Time to Complete ... 38
        Exercise 1 Creating Firewall Objects & Rules ... 39
        Exercise 2 Policy Actions ... 41
        Exercise 3 Access through Virtual IPs ... 43
        Exercise 4 Dynamic NAT with IP Pools ... 46
        Exercise 5 Device Identification ... 48

FIREWALL AUTHENTICATION ... 50
    Lab 1: User Authentication ... 50
        Objectives ... 50
        Time to Complete ... 50
        Exercise 1 Authentication via a Firewall Policy ... 51
        Exercise 2 Captive Portals ... 54

SSL VPN ... 56
    Lab 1: SSL VPN ... 56
        Objectives ... 56
        Time to Complete ... 56
        Exercise 1 SSL VPN for Web Access ... 57
        Exercise 2 Testing Authentication ... 59
        Exercise 3 Accessing Resources Beyond Different Interfaces ... 61

BASIC IPSEC VPN ... 62
    Lab 1: IPsec VPN ... 62
        Objectives ... 62
        Time to Complete ... 62
        Exercise 1 Site-to-Site IPsec VPN ... 63

EXPLICIT WEB PROXY ... 66
    Lab 1: Explicit Web Proxy ... 66
        Objectives ... 66
        Time to Complete ... 66
        Exercise 1 Configuring the Explicit Web Proxy ... 67
        Exercise 2 Using a PAC File ... 70

ANTIVIRUS ... 73
    Lab 1: Antivirus Scanning ... 73
        Objectives ... 73
        Time to Complete ... 73
        Exercise 1 Antivirus & Block pages ... 74
        Exercise 2 Flow vs Proxy scanning ... 76

WEB FILTERING ... 77
    Lab 1: Web Filtering ... 77
        Lab Objectives ... 77
        Time to Complete ... 77
        Exercise 1 FortiGuard Web Filtering ... 78
        Exercise 2 Web Profile Overrides ... 81

APPLICATION CONTROL ... 82
    Lab 1: Application Identification ... 82
        Objectives ... 82
        Time to Complete ... 82
        Exercise 1 Creating an Application Control List ... 83
        Exercise 2 Limiting YouTube Traffic ... 84
        Exercise 3 Fine Tuning Web Site Access ... 85

APPENDIX A: ADDITIONAL RESOURCES ... 86

APPENDIX B: PRESENTATION SLIDES ... 87
    Module 1: Introduction to Fortinet Unified Threat Management ... 88
    Module 2: Logging and Monitoring ... 126
    Module 3: Firewall Policies ... 162
    Module 4: Firewall Authentication ... 231
    Module 5: SSL VPN ... 273
    Module 6: Basic IPsec VPN ... 305
    Module 7: Antivirus ... 337
    Module 8: Explicit Proxy ... 369
    Module 9: Web Filtering ... 407
    Module 10: Application Control ... 433
Virtual Lab Basics

In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

Note: If your trainer asks you to use a different lab, such as devices physically located in your classroom, please ignore this section. This section applies only to the virtual lab accessed through the Internet. If you do not know which lab to use, please ask your trainer.
Topology

[Topology diagram: network map of the virtual lab. Devices and addresses shown in the diagram:]
    LOCAL (Student) FortiGate: port1 10.200.1.1/24, port2 10.200.2.1/24, port3 10.0.1.254/24
    WIN-LOCAL: 10.0.1.10
    FortiManager and FortiAnalyzer: port1 10.0.1.210 / port3 10.200.1.210, and port1 10.0.1.241 / port2 10.200.1.241
    LINUX: eth0, eth1 10.200.1.254, eth2 10.200.2.254, eth3 10.200.3.254, eth4 10.200.4.254
    REMOTE FortiGate: port4 10.200.3.1/24, port5 10.200.4.1/24, port6 10.0.2.254/24
    WIN-REMOTE: 10.0.2.10
Logging In

1. Run the System Checker. This will fully verify both:
   • compatibility with the virtual lab environment's software, and
   • that your computer can connect.

   It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy. Use the URL for your location.

   North America/South America: https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West
   Europe/Middle East/Africa: https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
   Asia/Pacific: https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC

   If a security confirmation dialog appears, click Run.

   If your computer successfully connects to the virtual lab, the result messages for the browser and network checks will each display a check mark icon. Continue to the next step. If a browser test fails, this will affect your ability to access the virtual lab environment. If a network test fails, this will affect the usability of the virtual lab environment. For solutions, either click the Support Knowledge Base link or ask your trainer.

2. With the user name and password from your trainer, log into the URL for the virtual lab. Either:
   • https://remotelabs.training.fortinet.com/
   • https://virtual.mclabs.com/

3. If prompted, select the time zone for your location, then click Update. This ensures that your class schedule is accurate.

4. Click Enter Lab. A list of virtual machines that exist in your virtual lab should appear.
   From this page, you can access the console of any of your virtual devices by either:
   • clicking on the device's square, or
   • selecting System > Open.
5. Click K2-Win-Student to open a connection to that server.

   A new window should open within a few seconds. (Depending on your account's preferences, the window may be a Java applet. If this fails, you may need to change browser settings to allow Java to run on this web site. You also may need to review and accept an SSL certificate.)

   Depending on the virtual machine, the applet provides access to either the GUI or a text-based CLI. Connections to Windows machines will use a Remote Desktop-like GUI. The applet should automatically log in, then display the Windows desktop. For most lab exercises, you will connect to this VM.
Disconnections/Timeouts

If your computer's connection with the virtual machine times out or if you are accidentally disconnected, to regain access, return to the initial window/tab that contains your session's list of VMs and open the VM again. If your session frequently times out or does not connect, ask your instructor.

Transferring Files to the VM

When using the Java applet to connect to a VM, you can drag-and-drop files from your computer to the VM. For example, if you have a FortiGate configuration file that you want to upload to your lab VM, you could create it on your computer, then drag it into the Java application window that is connected to the Windows VM. Usually the destination folder is C:\Uploads. Alternatively, if you store files in a cloud service such as Dropbox or SugarSync, you can use the web browser to download them to your VM instead.

Using HTML5 Instead of Java

When you open a VM, your browser may download and use a Java application to connect to the virtual lab's VM. This means that Java must be installed, updated, and enabled in your browser. Alternatively, you can use HTML5 instead. Click the Settings button, then select Use Java Client. Click Save & Disconnect, then log in again. (To use this preference, your browser must allow cookies.)
When connecting to a VM, your browser should then open a display in a new window or tab.

Screen Resolution

Some Fortinet devices' user interfaces require a minimum screen size. In the Java client, to configure the screen resolution, click the arrow at the top of the window.

In the HTML 5 client, to configure screen resolution, open the System menu.

International Keyboards

If characters in your language don't display correctly, keyboard mappings may not be correct.
To solve this in the HTML 5 client, open the Keyboard menu at the top of the window. Choose to either display an on-screen keyboard, or send text from your computer to the VM's clipboard.

To solve this in the Java client, copy and paste between your computer and the Java applet. To send special characters or key combinations, use the keyboard icon at the top of the applet window.

Troubleshooting Tips

• If the HTML 5 client does not work, try the Java client instead. Remembering this preference requires that your browser allow cookies.
• Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection, including VPN tunnels or wireless such as 3G or Wi-Fi. For best performance, use a stable broadband connection such as a LAN.
• Do not disable or block Java applets. On Mac OS X since early 2014, to improve security, Java has been disabled by default. In your browser, you must allow Java for this web site. On Windows, if the Java applet is allowed and successfully downloads, but does not appear to launch, you can open the Java console while troubleshooting. To do this, open the Control Panel, click Java, and change the Java console setting to Show console. Network firewalls can also block Java executables. Note: JavaScript is not the same as Java.
• Prepare your computer's settings:
    o Disable screen savers
    o Change the power saving scheme so that your computer is always on, and does not go to sleep or hibernate
• If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal), please attempt to reconnect. If unable to reconnect, please notify the instructor.
• If during the labs, particularly when reloading configuration files, you see a message similar to the one shown below, the VM is waiting for a response from the license authentication server. To retry immediately, go to the console and enter the CLI command:

    exec update-now
Introduction to Fortinet UTM

Lab 1: Initial Setup and Configuration

This lab will provide an initial orientation to FortiGate's administrative GUI and CLI, and (if necessary) will guide you through basic setup. Additionally, this lab will guide you through how to properly back up and restore a configuration file.

If you see this:

it indicates that FortiGate VM is waiting for a response from the license authentication server. Typically this happens after reboot, after you upload a new FortiGate configuration file. If that server was rebooting or connectivity was interrupted, for example, at the same time that FortiGate VM was rebooting and sending the request, then the server may not have received the request. FortiGate VM will periodically retry, but you can manually initiate an immediate retry. To force an immediate license authentication retry, go to FortiGate's CLI and enter:

    execute update-now

Objectives

• Configure FortiGate network interfaces and a default route for administrative access via your lab network, such as with a web browser, Telnet or SSH client
• Distinguish between encrypted vs. non-encrypted configuration backups
• Back up and restore configuration files
• Find the FortiGate model and FortiOS firmware build information inside a configuration file

Time to Complete

Estimated: 15 minutes
Exercise 1 (Optional) Configuring Network Interfaces on the Student & Remote FortiGate

Before proceeding, please ask your instructor if these steps are required for your specific classroom. You must do this exercise only if your lab environment was initialized with blank FortiGate images.

1. Open the console of the FortiGate that is named Student.

2. At the login prompt, enter the username admin (all lower case). Leave the password blank.

3. To be able to access the Student FortiGate's GUI, you must first configure the port3 interface. Assign its IP address, and specifically allow HTTP connections to the GUI:

    conf system interface
        edit port3
            set ip 10.0.1.254/24
            set allowaccess http
    end

   After you enter the 'end' command, FortiGate saves its running configuration in RAM, and also saves it to the flash disk. HTTPS or SSH are recommended for administrative access to FortiGate because those protocols provide authentication and encryption. Other available protocols include SSH, PING, SNMP, HTTP and Telnet.

4. Verify that you've entered your configuration correctly by entering this command:

    show system interface

   Alternatively, you can enter a shorter form:

    show sys int

5. On the Windows server, open Firefox. Go to the URL that is the FortiGate's IP address on port3: http://10.0.1.254

6. If a security warning appears, accept the FortiGate's self-signed certificate. The login page should appear. If it does not, ask your instructor before continuing.

   Note: To access the FortiGate GUI, your web browser must support cookies and JavaScript. These are required for correct behavior and display.

7. Open the console of the FortiGate that is named Remote.

8. At the login prompt, enter the username admin (all lower case). Leave the password blank.

9. Enter the following CLI commands to set the port4 IP address and access control settings for your device.

    conf system interface
        edit port4
            set ip 10.200.3.1/24
            set allowaccess http ping
    end

10. Verify that a valid default gateway route exists:

    show router static

   If there is no static route for port4, enter the commands below to set it. (Routing will be explained in more detail in a later lesson.)

    conf route static
        edit 0
            set device port4
            set gateway 10.200.3.254
    end

11. Verify that you have entered your configuration correctly.

    show system interface
    show router static

You can't connect to the Remote FortiGate's GUI yet. Before you can do that, you must first configure the FortiGate named Student with a route and a firewall policy that allows and routes that management traffic to the FortiGate named Remote. You will add this configuration in a later lab exercise.
Exercise 2 Exploring the Command Line Interface

1. Open the console of the FortiGate that is named Student.

2. At the login prompt, enter the username admin (all lower case). Leave the password blank.

3. Enter the command to display basic status information about that FortiGate:

    get system status

   Output shows the FortiGate's serial number, firmware version, operation mode, and other information.

4. Verify that the firmware version is the correct one for this class.

5. Enter the following, then press the Return key:

    get ?

   Note: The ? character is not displayed on the screen.

   This shows all words that the CLI will accept next after the get command. When the --More-- prompt appears in the CLI, either press the spacebar key to continue scrolling, press the Enter key to scroll one line at a time, or press the Q key to exit. Depending on the command, you may need to enter additional words to completely specify a configuration object.

6. Press the up arrow key. This displays the previous get system status command. Try some of the other control key sequences that are summarized below.

    Previous command            up arrow, or CTRL+P
    Next command                down arrow, or CTRL+N
    Beginning of line           CTRL+A
    End of line                 CTRL+E
    Back one word               CTRL+B
    Forward one word            CTRL+F
    Delete current character    CTRL+D
    Clear screen                CTRL+L
    Abort command and exit      CTRL+C

   CTRL+C is context sensitive, but usually, it aborts the current command. If you were in a subcommand, it returns you to the parent command. Otherwise, it will terminate your current administrative session. To continue, you must log in again.

7. Enter the command:

    execute ?

   This lists all words that the CLI will accept next after the execute command.
8. Type:

    execute

   then press the Tab key 3 times. The first time you press the Tab key, notice that the CLI adds the next word in the command. It is the first word in the list from the previous step. Each time that you press the Tab key after that, notice that the CLI replaces that word with the next possible word in the list, in alphabetical order, until you press the spacebar key. This indicates that you have selected that word, and are ready to enter the next word (if any).

9. Enter the following CLI commands.

    config ?
    show ?

   Compare the list of valid next words for each one. Notice that there are some differences in the CLI structure for each command, including show full-configuration. config enters settings. show displays configuration differences from the firmware's default settings only, unless you enter show full-configuration.

10. Enter the CLI commands to display the FortiGate's port3 interface configuration. Compare the output for each. Only the characters shown in bold typeface must be typed. If you want to auto-complete each word in the command (in order to verify that it is unambiguous, for example), press the Tab key after the characters in bold.

    show system interface port3
    show full-configuration system interface port3

Tip: Almost all commands can be abbreviated. In presentations and labs, many of the commands that you see will be in abbreviated form. Use this technique to reduce the number of keystrokes that are required to enter a command. In this way, experts can often configure a FortiGate faster via CLI than GUI. If there are other commands that start with the same characters, your abbreviation must be long enough to be specific, so that FortiGate can distinguish them. Otherwise, the CLI will display an error message about ambiguous commands.
Exercise 3 Restoring a Configuration from Backup

1. On the Win-Student server, open Firefox. Connect to the Student FortiGate's GUI, and log in as admin.

    http://10.0.1.254/

   Note: All the lab exercises were fully tested running Mozilla Firefox in the Win-Student and Win-Remote servers. For this reason, and to get consistent results, we recommend it as the browser to access the FortiGate GUIs and the Internet from this virtual environment.

2. Go to System > Dashboard > Status. In the System Information row, click the Restore link. A dialog should appear where you can select which configuration backup file to restore. (If your lab started with blank FortiGate images whose IP address you needed to configure in Exercise 1, then this FortiGate is not yet configured with the host name STUDENT as shown in the image. This should appear after you upload a configuration in the next step.)

3. Click the button that enables you to select which backup file to restore. (The name of this button varies by browser.)

   Select the file named Resources\Introduction\student-initial.conf, then click Restore. This file is the prerequisite configuration for the next lab. After your browser uploads the configuration, the FortiGate will automatically reboot. The length of the restoration process varies by how complex the configuration is. More complex configurations take more time to parse and validate. Most configurations take FortiGate less than 1 minute to validate and then reboot.

4. Refresh the web page and log in again to the GUI on the Student FortiGate. Go to System > Network > Interface and then Router > Static > Static Route. Verify that the network interface settings and default route were restored.
5. Go to System > Network > DNS Server. Review the student and remote DNS zones.
   • In the Student DNS zone, verify the IPv4 Address (A) records and Pointer (PTR) records for the student FortiGate device (10.0.1.254) and the Windows server (10.0.1.10).
   • In the Remote DNS zone, check the IPv4 Address (A) records and Pointer (PTR) records for the Remote FortiGate device (10.200.3.1) and the Windows host (10.0.2.10).
   By providing a DNS server to your management network, FortiGate enables you to access these devices in your lab by using a domain name instead of their IP address. To do this, the Windows server should be configured to use the Student FortiGate's port3 IP address as its DNS server.
6. On the Windows server, open a command prompt. Use the following commands to verify the DNS lookup results:
   nslookup server.student.lab 10.0.1.254
   nslookup fgt.student.lab 10.0.1.254
   nslookup pc.remote.lab 10.0.1.254
   nslookup fgt.remote.lab 10.0.1.254
   Note: The syntax of the nslookup command is: nslookup [-option] [hostname] [server]
7. Open a web browser. Go to these URLs to verify that you can use domain names to reach the GUI of both the Student and Remote FortiGate:
   • http://fgt.student.lab
   • http://fgt.remote.lab
Exercise 4: Making Configuration Backups

1. On the Win-Student server, open a browser and log in to the Student FortiGate's GUI: https://fgt.student.lab
2. Go to System > Dashboard > Status. In the System Information widget, click the Backup link.
3. Select Encrypt configuration file, enter the password fortinet, then click the Backup button to save the encrypted configuration file to the desktop with the filename student-initial-enc.conf. (You may need to modify the web browser's settings to prompt you for the location to save files. For Firefox, go to Tools > Options > General, then select Always ask me where to save files.)
   Caution: Always back up the configuration file before changing your device (even if the change seems minor or unimportant). There is no "undo." Restoring a backup will allow you to quickly revert changes if you discover problems. To distinguish between files from multiple FortiGates, use a naming convention such as their host names.
4. In the System Information widget, click Restore. Select the file that you downloaded in the previous step (student-initial-enc.conf), then click the Restore button. Notice that this time you must enter the password fortinet, because this file is password-encrypted.
5. Using Notepad or Notepad++, open the file student-initial.conf. In another instance of WordPad, open the file student-initial-enc.conf and compare the details in both.
   Note: In both the normal and the encrypted configuration, the top of the file acts as a header describing the firmware and model that this configuration belongs to.
Lab 2: Administrative Access

In this lab, you will create and modify administrative access permissions.

Objectives
• Create a new administrative user
• Restrict administrative access

Time to Complete
Estimated: 10 minutes
Exercise 1: Administrators, Passwords, and Permissions

1. On the Win-Student server, open a browser and log in to the Student FortiGate's GUI: https://fgt.student.lab
2. Go to System > Admin > Settings and select Enable Password Policy. Configure these settings:
   Minimum Length: 8
   Must Contain: Enable; 1 Upper Case Letter; 1 Numerical Digit
   Enable Password Expiration: Enable; 90 days
   Click Apply to save the changes.
3. Log out of the GUI.
4. Log in again. Due to the password policy that you just configured, FortiGate should prompt you to enter a new administrator password. Enter a new password that meets the requirements.
5. Go to System > Admin > Admin Profile. Create a new profile called Security_Admin_Profile. Set Security Profile Configuration to Read-Write, but set all other permissions to Read Only. Click OK to save the changes.
6. Go to System > Admin > Administrators. Click Create New to add a new administrator account named Security_Admin. In Admin Profile, select the profile created in the previous step. This limits that administrator's access: they will only be able to modify and create security profiles.
   Note: Administrator names and passwords are case-sensitive. You cannot include characters such as < > ( ) # ' in an administrator account name or password. Spaces are allowed, but not as the first or last character. To enter spaces in a name or password via the CLI, you must enclose each in straight quotes ( ' ).
   Caution: For convenience in the lab, you will not set the password of the account named admin. However, in real networks, you should always set administrator passwords, make them strong, and change them often.
   Click OK to save the changes.
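The password policy from step 2 and the character rules in the note above together define what FortiGate will accept for an administrator. The following added example (not part of the guide or of FortiOS) encodes those rules so you can pre-check a name and password before typing them into the GUI or CLI: minimum length 8, at least one upper-case letter and one digit, the characters < > ( ) # ' disallowed, spaces allowed but not first or last, and a 90-day expiry. The only assumption beyond the text is how expiry is counted: a password set more than 90 days before today is treated as expired.

```python
"""Pre-check an administrator name and password against this lab's policy (added example)."""
from datetime import date, timedelta

FORBIDDEN = set("<>()#'")   # characters FortiGate rejects in admin names and passwords
MIN_LENGTH = 8              # Minimum Length from step 2
EXPIRY_DAYS = 90            # Password Expiration from step 2


def _char_rules(value, what):
    """Rules shared by names and passwords: no forbidden characters, no edge spaces."""
    problems = []
    bad = sorted(FORBIDDEN & set(value))
    if bad:
        problems.append(f"{what} contains disallowed character(s): {' '.join(bad)}")
    if value != value.strip(" "):
        problems.append(f"{what} must not start or end with a space")
    return problems


def check_admin_name(name):
    """Return a list of problems with an administrator account name (empty = acceptable)."""
    problems = [] if name else ["name is empty"]
    return problems + _char_rules(name, "name")


def check_password(password):
    """Return a list of problems with a password under the configured policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("needs at least 1 upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least 1 numerical digit")
    return problems + _char_rules(password, "password")


def password_expired(set_on, today):
    """True when the password is older than the expiry period (assumed interpretation)."""
    return (today - set_on) > timedelta(days=EXPIRY_DAYS)


if __name__ == "__main__":
    for candidate in ("fortinet", "F0rtinet", "F0rtinet#", " F0rtinet"):
        print(repr(candidate), check_password(candidate) or "ok")
    print("Security_Admin", check_admin_name("Security_Admin") or "ok")
    print("expired:", password_expired(date(2015, 1, 1), date(2015, 4, 30)))
```

Note that `fortinet`, the password used elsewhere in these labs, fails the policy on two counts, while `F0rtinet` passes.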
7. Go to System > Dashboard > Status. In the System Information widget, to view the configuration for administrator accounts and profiles, enter:
   show system admin
   show system accprofile
8. Log out of the admin account's GUI session.
9. Log in as Security_Admin with its password.
10. Test this administrator’s access: try to create or modify settings on the Student FortiGate that are not allowed by that account's profile. You should see that this account can only configure security profiles.
Exercise 2: Restricting Administrator Access

1. On the Win-Student server, open a browser and go to the Remote FortiGate's GUI: http://fgt.remote.lab
   Log in as the admin account (all lower case) with no password.
2. Go to System > Admin > Administrators. Edit the admin account and enable the setting Restrict this Admin Login from Trusted Hosts Only. Set Trusted Host #1 to the address 10.0.2.0/24. Click OK to save the changes.
3. Try connecting to the GUI of the Remote FortiGate again. What is the result this time? Because you are now connecting from the 10.200.1.1 address (the result of NAT on the Student FortiGate), you should notice that you can't connect any more, since you restricted logins to specific source IP addresses in Trusted Hosts.
4. Attempt to ping 10.200.3.1. You should notice that FortiGate also no longer responds to ping. This is also blocked by the restriction on source IP.
5. Open the console of the Remote FortiGate device. Enter the following CLI commands to add 10.200.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin account:
   conf sys admin
   edit admin
   set trusthost2 10.200.0.0/16
   end
6. Try to ping the Remote FortiGate and access its GUI again. Access should be restored.
7. Go to System > Dashboard > Status. In the System Information widget, in the Current Administrator row, click the Details link. The GUI should display a list of administrators currently logged in to the FortiGate.
8. By default, each source IP address can attempt to log in up to 3 times. If they fail 3 times, they are locked out for 60 seconds. To help improve the overall password security, use the CLI to decrease the maximum number of attempts and increase the lockout timer:
   config system global
   set admin-lockout-threshold 2
   set admin-lockout-duration 100
   end
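Two controls from this exercise are easy to get wrong in practice: a trusted-host list is evaluated against the source address as the FortiGate sees it (after any NAT on the path), and the lockout counter is kept per source address. The following added example (not part of the guide or of FortiOS) models both. The trusted-host check reproduces why the Win-Student session was refused after step 2 (it arrives from 10.200.1.1, outside 10.0.2.0/24) and accepted again after step 5 (10.200.0.0/16 added), and the lockout tracker applies the threshold 2 and duration 100 s configured in step 8. The clock is passed in explicitly so the behaviour can be checked offline; how FortiOS resets its counters internally is not documented on this page, so the reset-on-expiry behaviour below is an assumption.

```python
"""Trusted-host and login-lockout model for the settings in this exercise (added example)."""
import ipaddress


def source_allowed(src_ip, trusted_hosts):
    """True if src_ip falls inside at least one trusted host (CIDR or single address)."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(net, strict=False) for net in trusted_hosts)


class LoginLockout:
    """Per-source-IP failed-login counter with a lockout timer (seconds)."""

    def __init__(self, threshold=3, duration=60):   # FortiOS defaults stated in step 8
        self.threshold = threshold
        self.duration = duration
        self._failures = {}       # ip -> consecutive failed attempts
        self._locked_until = {}   # ip -> time at which the lockout ends

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear the counters so the next attempt starts fresh (assumption).
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, password_ok, now):
        """Record one login attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"          # refused regardless of the password offered
        if password_ok:
            self._failures.pop(ip, None)
            return "ok"
        self._failures[ip] = self._failures.get(ip, 0) + 1
        if self._failures[ip] >= self.threshold:
            self._locked_until[ip] = now + self.duration
        return "failed"


def lab_scenario():
    """Walk through steps 2, 5 and 8 of this exercise; returns the observed results."""
    nat_source = "10.200.1.1"   # Win-Student as seen by the Remote FortiGate after NAT
    step2 = source_allowed(nat_source, ["10.0.2.0/24"])
    step5 = source_allowed(nat_source, ["10.0.2.0/24", "10.200.0.0/16"])
    lockout = LoginLockout(threshold=2, duration=100)
    step8 = [
        lockout.attempt(nat_source, False, now=0),    # first wrong password
        lockout.attempt(nat_source, False, now=1),    # second wrong password: threshold hit
        lockout.attempt(nat_source, True, now=2),     # correct password, but locked
        lockout.attempt(nat_source, True, now=101),   # lockout of 100 s has elapsed
    ]
    return step2, step5, step8


if __name__ == "__main__":
    print(lab_scenario())
```

The model also shows the trade-off in step 8: a lower threshold and longer duration make guessing slower, but a shared NAT address such as 10.200.1.1 means one user's typos lock out everyone behind it.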
Logging & Monitoring

Lab 1: Status Monitor and Event Log

In this lab, you will work with FortiGate's event log and monitoring.

Objectives
• Enable logging of system events
• Locate event logs for specific information

Time to Complete
Estimated: 10 minutes
Exercise 1: Using the GUI's Status Monitor

1. On the Windows server, open a web browser. Go to the URL that is port3's IP address on the FortiGate named Student, and log in as admin: http://10.0.1.254/
2. Go to System > Dashboard > Status and locate the System Resources widget. This widget provides a snapshot overview of the overall resource utilization on the FortiGate.
3. Some widgets are not displayed on the dashboard by default. Click Widget to display the list of widgets available to add to the dashboard.
   If not already added, click the All Sessions widget in the pop-up window to add it to the dashboard. Close the widget list window. Widgets can be removed from the page simply by clicking the X in the upper left corner of each one.
4. Hover the mouse over the title bar of the System Resources widget and click Edit to create a custom widget. Configure these settings:
   Custom Widget Name: System Resource History
   View Type: Historical
   Time Period: Last 60 minutes
   A line chart appears in a new custom System Resource History widget, showing a trace of CPU, memory and sessions over the past hour. The refresh rate of this window is automatically set to 1/20 of the time period (interval) configured.
5. The Alert Message Console widget displays recent system events, such as system restart and firmware upgrade. Hover the mouse over the title bar of the Alert Message Console widget and click History to view the entire message list.
   Note: If there are no alerts, you can reboot the FortiGate in order to see one. To do so, connect to the CLI and use the command:
   exe reboot
6. At the top of the dashboard, click Dashboard and select Add Dashboard. Enter any name of your choice for the new dashboard and select the single column display. The new dashboard will show up as a selectable menu option on the right hand side.
7. Next, add the All Sessions widget to your new dashboard. Click the edit icon in the title bar of the All Sessions widget and observe the different ways in which sessions can be reported, for example by top Destination Address, top Applications, etc. You can also select to display the top sessions by Source and Destination interfaces. Create your own customized Top Sessions widget and examine the sessions that are listed. Some widgets are only allowed to appear on 1 dashboard at a time. For example, System Information cannot be added to this new dashboard until the widget is removed from the Status dashboard.
8. Test the functionality of the refresh, page forward, and page back icons in this window. You may need to generate some additional traffic in order to properly test these functions.
9. Click Dashboard and select Reset Dashboards to reset all the dashboards to the default.
Exercise 2: Event Log & Logging Options

1. From the Student FortiGate CLI, check the overall status of the FortiGate:
   get system status
2. Verify the Log hard disk status. If it is set to Available, proceed to Step 3. If the status appears as Need Format, enter the following command to format the drive:
   execute formatlogdisk
   When prompted to continue, type "y" and wait for the system to reboot. Once the system has restarted, check the log disk settings by executing the following commands:
   config log disk setting
   get
   You should observe that the status is enabled.
3. Repeat the previous steps on the Remote FortiGate device.
4. Return to the Student FortiGate device and log out of the GUI. When logging back in, use an incorrect password once, and then use the correct password to log back in. Go to Log & Report > Event Log > System and examine the log to find the invalid password event.
5. Go to Policy & Objects > Objects > Address, and create a new firewall address using the following settings:
   Name: fortinet
   Type: FQDN
   FQDN: www.fortinet.com
   Leave the remaining settings at their defaults and click OK to save the changes.
6. Next, go to Log & Report > Event Log > System and review the log entries.
7. Go to Log & Report > Log Config > Log Setting and uncheck the option System activity event. Click Apply to save the changes.
   Different types of log entries fall into different categories. Only enable logging for the activities that you need to monitor. This avoids filling the logs with information you do not need and consuming unnecessary system resources.
8. Go to Policy & Objects > Objects > Address and create another firewall address entry. Go to Log & Report > Event Log > System and review the log entries again. Note that the entries are no longer visible for this activity. With this option deselected in the Event Logging settings, you will no longer see entries in the log for administrators logging on/off or making changes to the unit's configuration. Other types of log entries will still appear.
9. Go to Log & Report > Log Config > Log Settings and re-enable System activity event. When changes are made to your firewall, it is best to have a log event for that, in case it is necessary to find out when something was changed and by whom.
Lab 2: Remote Monitoring

The aim of this lab is for students to set up logging to a remote device and monitoring of the FortiGate unit's behavior. It can be advantageous to use remote monitoring instead of local monitoring in order to reduce resource usage. For example, while the GUI widgets provide useful displays of your system information, they also carry a significant resource cost and should be used sparingly.

Objectives
• Enabling monitoring by Syslog and SNMP servers

Time to Complete
Estimated: 10 minutes
Exercise 1: Remote Logging & SNMP Monitoring

The Linux server in your lab environment has been pre-configured to accept syslog messages.

1. From the CLI on the Student FortiGate, enter the following commands to set up logging to the syslog server:
   conf log syslogd setting
   set status enable
   set facility local6
   set server 10.200.1.254
   end
2. Repeat the above step from the CLI on the Remote FortiGate device.
3. On the Win-Student server, open the putty.exe application. Open an SSH session to the Linux server (10.200.1.254). Log in as root with the password password.
4. Run the following command to monitor the FortiGate syslog messages, which are mapped to their own file by the local6 facility:
   tail -f /var/log/fortinet
5. Leave the SSH window open, return to the Student FortiGate device, and generate some log entries:
   • Attempt to log in with invalid credentials
   • Make a minor configuration change
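Watching `tail -f` is fine for a lab, but on a real syslog collector you want the two events you just generated (failed logins and configuration changes) picked out automatically. The following added example (not part of the guide or of FortiOS) parses the key=value message format that FortiGate sends to syslog and reports failed administrator logins per source address and configuration-change events. The sample lines are constructed for this example: the syslog prefix, device names, addresses and timestamps are made up, and the set of fields is modeled on FortiGate event logs rather than copied from a real capture.

```python
"""Pick failed admin logins and config changes out of FortiGate syslog lines (added example)."""
import re
from collections import Counter

# Constructed sample lines as they might appear in /var/log/fortinet after the
# syslog daemon prepends its own timestamp and sender address. Not a real capture.
SAMPLE_LINES = [
    'Apr 30 10:01:05 10.200.1.1 date=2015-04-30 time=10:01:05 devname=STUDENT type=event '
    'subtype=system level=alert logdesc="Admin login failed" user="admin" ui=http(10.0.1.10) '
    'srcip=10.0.1.10 action=login status=failed reason="passwd_invalid" '
    'msg="Administrator admin login failed from http(10.0.1.10) because of invalid password"',
    'Apr 30 10:01:09 10.200.1.1 date=2015-04-30 time=10:01:09 devname=STUDENT type=event '
    'subtype=system level=alert logdesc="Admin login failed" user="admin" ui=http(10.0.1.10) '
    'srcip=10.0.1.10 action=login status=failed reason="passwd_invalid" '
    'msg="Administrator admin login failed from http(10.0.1.10) because of invalid password"',
    'Apr 30 10:01:20 10.200.1.1 date=2015-04-30 time=10:01:20 devname=STUDENT type=event '
    'subtype=system level=information logdesc="Admin login successful" user="admin" '
    'ui=http(10.0.1.10) srcip=10.0.1.10 action=login status=success '
    'msg="Administrator admin logged in successfully from http(10.0.1.10)"',
    'Apr 30 10:02:44 10.200.1.1 date=2015-04-30 time=10:02:44 devname=STUDENT type=event '
    'subtype=system level=information logdesc="Object attribute configured" user="admin" '
    'ui="GUI(10.0.1.10)" action=Edit cfgpath="firewall.address" cfgobj="fortinet" '
    'msg="Edit firewall.address fortinet"',
    'Apr 30 10:03:01 10.200.3.1 date=2015-04-30 time=10:03:01 devname=REMOTE type=event '
    'subtype=system level=alert logdesc="Admin login failed" user="admin" ui=http(10.200.1.1) '
    'srcip=10.200.1.1 action=login status=failed reason="passwd_invalid" '
    'msg="Administrator admin login failed from http(10.200.1.1) because of invalid password"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return the key=value fields of one line as a dict; the syslog prefix has no '=' and is skipped."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def failed_logins_by_source(lines):
    """Count failed administrator logins per (device, source IP)."""
    counts = Counter()
    for f in map(parse_line, lines):
        if f.get("action") == "login" and f.get("status") == "failed":
            counts[(f.get("devname"), f.get("srcip"))] += 1
    return counts


def sources_over_threshold(lines, threshold=2):
    """Sources that failed at least `threshold` times (2 matches the lockout set in Lab 2)."""
    return sorted(k for k, n in failed_logins_by_source(lines).items() if n >= threshold)


def config_changes(lines):
    """Return (device, user, cfgpath, cfgobj) for every configuration-change event."""
    return [
        (f.get("devname"), f.get("user"), f["cfgpath"], f.get("cfgobj"))
        for f in map(parse_line, lines) if "cfgpath" in f
    ]


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_LINES))
    print("over threshold:", sources_over_threshold(SAMPLE_LINES))
    print("config changes:", config_changes(SAMPLE_LINES))
```

Feed it the lines from `/var/log/fortinet` (for example `parse_line` over `open("/var/log/fortinet")`) and the same two checks apply to your own traffic; because the syslog prefix carries no `=`, the parser ignores it and reads only the FortiGate fields.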
6. From the GUI on the Student FortiGate, go to System > Config > SNMP to enable SNMP monitoring. Select Enable for the SNMP Agent at the top, then click Apply.
7. Create a new SNMP v3 security name using the settings displayed below. Set the Auth password to fortinet. Set the Notification host to 10.200.1.254. Click OK.
8. Go to System > Network > Interfaces and edit port1. Confirm that SNMP is enabled under the Administrative Access settings. If it is not enabled, you will need to enable it first, then click OK to save the changes.
9. Leave open the SSH window that is currently running the tail command, and run putty again to open a new SSH connection to the Linux host (10.200.1.254). Next, execute the following snmpwalk command to find and display all of the monitoring options that a device presents through SNMP:
   snmpwalk -v 3 -a sha -A fortinet -u training -l authNoPriv 10.200.1.1
   A tree listing of all the options available to monitor this FortiGate VM device will be displayed. The authNoPriv security level means that the request is authenticated with the SHA password but the SNMP traffic itself is not encrypted. To make it easier to view the information available, you may also append > snmp.test to the command entered above. This will save the output to a file named snmp.test. Enter the command view snmp.test to view the output file.
Firewall Policies

Lab 1: Firewall Policy

Objectives
• Configure firewall policies configurable in FortiOS
• Configure source match options available in FortiOS firewall policies
• Apply different firewall object types: Address, Service and Schedule
• Configure firewall policy logging options
• Configure NAT
• Configure Source NAT settings using Overload IP Pools
• Configure Destination NAT settings using Virtual IPs
• Configure firewall policies based on device types
• Reorder firewall policies
• Use CLI commands to review your configuration and perform status checks

Time to Complete
Estimated: 40 minutes
Exercise 1: Creating Firewall Objects & Rules

1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin: http://10.0.1.254/
2. Restore the configuration file that is required by this lab: Resources\Firewall-Policies\Student\student-policy.conf
3. FortiGate will reboot. From the GUI on the Student FortiGate device, go to Policy & Objects > Objects > Addresses and create the following address object:
   Name: STUDENT_INTERNAL
   Type: Subnet
   Subnet/IP Range: 10.0.1.0/24
   Interface: Any
   Once the settings have been entered, click OK to save the changes.
4. The unrestricted port3→port1 policy will need to be temporarily disabled in the policy list. To do this, go to Policy & Objects > Policy > IPv4, right-click the unrestricted port3→port1 policy and select Status > Disable.
5. Next, click Create New to add a new firewall policy to provide general Internet access from the internal network. Configure these settings:
   Incoming Interface: port3
   Source Address: STUDENT_INTERNAL
   Outgoing Interface: port1
   Destination Address: all
   Schedule: always
   Service: HTTP, HTTPS, DNS, ALL_ICMP, SSH (Hold down the CTRL key to select multiple services.)
   Action: ACCEPT
   Enable NAT: Enabled
   Use Destination Interface Address: Enabled
   Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
   Comments: General Internet access
   When creating firewall policies, remember that FortiGate is a stateful firewall. As a result, you only need to create one firewall policy that matches the direction of the traffic that initiates the session. Once the policy settings have been entered, click OK to save the changes.
6. On the Windows server, open a web browser and connect to various external web sites.
7. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and identify the log entries for your Internet browsing traffic. With the current settings you should have many 0 byte log messages with action start. These are the session start logs. When sessions close, you will have a separate log entry with the amount of data sent and received. Logging session starts generates twice the amount of log messages. This option should only be used when this level of detail is absolutely necessary.
8. From the CLI, enter the following command to see the source NAT action:
   # get system session list
   Sample Output:
   STUDENT # get sys session list
   PROTO  EXPIRE  SOURCE            SOURCE-NAT          DESTINATION        DESTINATION-NAT
   tcp    3600    10.0.1.10:3677    -                   10.0.1.254:22      -
   tcp    3587    10.0.1.10:3717    10.200.1.1:64133    72.30.38.140:80    -
   tcp    3570    10.0.1.10:3681    10.200.1.1:64097    69.171.228.70:80   -
   tcp    3577    10.0.1.10:3710    10.200.1.1:64126    74.125.228.92:80   -
   tcp    3587    10.0.1.10:3708    10.200.1.1:64124    74.125.228.92:80   -
   tcp    3587    10.0.1.10:3706    10.200.1.1:64122    66.94.245.1:80     -
   tcp    2274    10.0.1.10:3608    10.200.1.1:64024    10.200.1.254:22    -
   tcp    3587    10.0.1.10:3712    10.200.1.1:64128    80.239.217.66:80   -
   tcp    3566    10.0.1.10:3679    10.200.1.1:64095    74.125.227.24:80   -
   Note that FortiGate is applying a new source address: that of the destination interface port1 (10.200.1.1).
Exercise 2: Policy Actions

1. Use the same steps you performed earlier to create a second firewall policy. Use Create New and leave the policy in its default position. Configure these settings:
   Incoming Interface: port3
   Source Address: STUDENT_INTERNAL
   Outgoing Interface: port1
   Destination Address: Click Create and configure the following:
      Name: LINUX_ETH1
      Type: Subnet
      Subnet / IP Range: 10.200.1.254/32
      Click OK.
   Schedule: always
   Service: PING (Tip: type the name in the search box)
   Action: DENY
   Log Violation Traffic: Enabled
   Click OK to save the changes.
2. From the Windows server, open a command prompt. Ping the port1 gateway:
   ping -t 10.200.1.254
   If you have not changed the rule ordering, the ping should still work, because it matches the ACCEPT policy and not the DENY policy that you just created. This demonstrates the behavior of policy ordering: the second policy was never checked because the traffic matched the first policy. Leave this window open and perform the next step.
3. Click the Seq.# for the DENY policy created previously and drag it up to position it before the General Internet Access policy.
4. Return to the Windows server and examine the DOS command prompt window still running the continuous ping. You should observe that this traffic is now blocked and the replies appear as "Request timed out". Enter CTRL-C to end the ping command.
5. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and identify the log entries for your Ping traffic. With the current settings you should have one entry for the Ping traffic which was allowed, followed by many 0 byte log messages for the violation traffic.
6. To stop your logs from filling up with 0 byte log messages, you may enable the following setting from the CLI to create a session table entry for denied traffic and block packets belonging to this session:
   config system settings
   set ses-denied-traffic enable
   end
   This setting will reduce the amount of logging entries caused by the violation traffic. Notice how the time between log entries increases.
Exercise 3: Access through Virtual IPs

In this lab, you will configure a virtual IP address to allow Internet connections to the Windows server located at 10.0.1.10.

1. Go to Policy & Objects > Objects > Virtual IPs. Click Create New to add a new virtual IP mapping:
   Name: VIP_INTERNAL_HOST
   External Interface: port1
   Type: Static NAT
   External IP Address/Range: 10.200.1.200 - 10.200.1.200
   Mapped IP Address/Range: 10.0.1.10
   Click OK to save the changes.
2. Create a new firewall policy to provide access to the web server. Configure these settings:
   Incoming Interface: port1
   Source Address: all
   Outgoing Interface: port3
   Destination Address: VIP_INTERNAL_HOST
   Schedule: always
   Service: HTTP, HTTPS
   Action: ACCEPT
   Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
   Enable NAT: Disabled (default)
   Comments: Public access to web server
   Click OK to save the changes.
3. The firewall is stateful, so any existing sessions will not use this new firewall policy until they time out or are cleared. The sessions can be cleared individually from the session widget on the Status page, or from the CLI by executing the following:
   diag sys session clear
4. Connect to the console of the remote host, open a web browser and access the following URL:
   http://10.200.1.200
   If the virtual IP operation is successful, a simple web page appears.
5. From the CLI on the Student FortiGate, check the destination NAT entries in the session table:
   # get system session list
   Sample Output:
   STUDENT # get sys session list
   PROTO  EXPIRE  SOURCE            SOURCE-NAT          DESTINATION          DESTINATION-NAT
   tcp    3537    10.200.3.1:62426  -                   10.200.1.200:80      10.0.1.10:80
6. On the Windows server, open a web browser and connect to a few external web sites. Now examine the session information again as follows:
   # get system session list
   Sample Output:
   STUDENT # get sys session list
   PROTO  EXPIRE  SOURCE            SOURCE-NAT          DESTINATION          DESTINATION-NAT
   tcp    3591    10.0.1.10:3995    10.200.1.200:3995   66.94.241.1:80       -
   tcp    3590    10.0.1.10:3977    10.200.1.200:3977   72.30.38.140:80      -
   tcp    3553    10.0.1.10:3965    10.200.1.200:3965   184.150.187.83:80    -
   tcp    3592    10.0.1.10:3998    10.200.1.200:3998   74.125.228.92:80     -
   tcp    3584    10.0.1.10:3969    10.200.1.200:3969   69.171.237.16:80     -
   tcp    3596    10.0.1.10:4001    10.200.1.200:4001   208.91.113.80:80     -
   tcp    3590    10.0.1.10:3983    10.200.1.200:3983   216.115.100.102:80   -
   tcp    3590    10.0.1.10:3979    10.200.1.200:3979   216.115.100.103:80   -
   tcp    3590    10.0.1.10:3987    10.200.1.200:3987   216.115.100.102:80   -
   tcp    3590    10.0.1.10:3981    10.200.1.200:3981   216.115.100.103:80   -
   tcp    3590    10.0.1.10:3985    10.200.1.200:3985   216.115.100.102:80   -
   tcp    1013    10.0.1.10:3608    10.200.1.1:64024    10.200.1.254:22      -
   tcp    3589    10.0.1.10:3976    10.200.1.200:3976   72.30.38.140:80      -
   tcp    3591    10.0.1.10:3996    10.200.1.200:3996   184.150.187.99:80    -
   tcp    3554    10.0.1.10:3967    10.200.1.200:3967   74.125.228.65:80     -
   tcp    3590    10.0.1.10:3990    10.200.1.200:3990   216.115.100.103:80   -
   tcp    3591    10.0.1.10:3978    10.200.1.200:3978   216.115.100.103:80   -
   tcp    3590    10.0.1.10:3980    10.200.1.200:3980   216.115.100.103:80   -
   Note that the outgoing connections from the Windows server are now being NATed with the VIP address as opposed to the firewall address. This is a behavior of the source NAT (SNAT) VIP. That is, when you enable SNAT on a policy, a VIP static NAT takes priority over the destination interface IP address.
Exercise 4: Dynamic NAT with IP Pools

Currently, the Student FortiGate translates the source IP address of all traffic generated from the Windows server to 10.200.1.200 because of the source NAT translation in the VIP. Now you will apply an IP address pool to change the behavior from static NAT to dynamic NAT.

1. On the Student FortiGate's GUI, go to Policy & Objects > Objects > IP Pools. Create a new IP pool:
   Name: INTERNAL_HOST_EXT_IP
   Type: Overload
   External IP Range/Subnet: 10.200.1.100
   Once the settings have been entered, click OK to save the changes.
2. Go to Policy & Objects > Policy > IPv4, and right-click the outgoing General Internet Access policy. Select Copy Policy, then right-click the same policy again and select Paste > Above.
3. Select the new copy of the General Internet Access policy and configure these settings:
   Incoming Interface: port3
   Source Address: STUDENT
   Outgoing Interface: port1
   Destination Address: all
   Schedule: always
   Service: ALL
   Action: ACCEPT
   Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
   Enable NAT: Enabled
   Use Dynamic IP Pool: INTERNAL_HOST_EXT_IP
   Comments: Windows Server source NAT override
   Click OK to save the changes. Verify that you have enabled it.
4. FortiGate does stateful inspection, so any existing sessions will not use this new firewall policy until they time out or you manually clear the session table. You can do this either individually from the session widget on the dashboard, or clear the entire list from the CLI:
   diag sys session filter src 10.0.1.10
   diag sys session clear
5. Connect to a few web sites such as http://yahoo.com/. From the CLI on the Student FortiGate, verify the source NAT IP address that those sessions are using:
   # get system session list
   Sample Output:
   STUDENT # get system session list
   PROTO  EXPIRE  SOURCE            SOURCE-NAT          DESTINATION          DESTINATION-NAT
   tcp    3599    10.0.1.10:3963    10.200.1.100:64379  74.125.225.126:443   -
   tcp    3599    10.0.1.10:3961    10.200.1.100:64377  74.125.225.111:443   -
   tcp    3552    10.0.1.10:3953    10.200.1.100:64369  76.74.133.167:80     -
   tcp    3597    10.0.1.10:3956    10.200.1.100:64372  74.125.225.118:80    -
   tcp    3597    10.0.1.10:3954    10.200.1.100:64370  74.125.225.117:80    -
   tcp    3598    10.0.1.10:3959    10.200.1.100:64375  199.7.57.72:80       -
   tcp    16      10.0.1.10:3948    10.200.1.100:64364  66.36.238.121:22     -
   tcp    3598    10.0.1.10:3958    10.200.1.100:64374  209.85.225.84:443    -
   tcp    3599    10.0.1.10:3962    10.200.1.100:64378  74.125.225.99:443    -
   tcp    0       10.0.1.10:3960    10.200.1.100:64376  98.139.200.238:80    -
   tcp    3597    10.0.1.10:3955    10.200.1.100:64371  74.125.225.118:80    -
   Notice that the source NAT address is now 10.200.1.100 as configured in the IP pool, and the IP pool has overridden the static NAT VIP.
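Across Exercises 1, 3 and 4 the same `get system session list` command shows three different source-NAT results: the port1 interface address (10.200.1.1), the static-NAT VIP (10.200.1.200) and the overload IP pool (10.200.1.100), plus the inbound VIP session whose DESTINATION-NAT column is filled in. The following added example (not part of the guide or of FortiOS) parses that six-column output and labels each session by the NAT mechanism that produced it, using the lab's addresses. The sample block is constructed from rows taken from the outputs above; the mapping from translated address to mechanism is specific to this lab.

```python
"""Classify the NAT seen in 'get system session list' output (added example)."""
from collections import Counter

# Lab-specific mapping: which translated source address means which mechanism.
SNAT_SOURCES = {
    "10.200.1.1": "interface (port1)",
    "10.200.1.200": "static NAT VIP",
    "10.200.1.100": "IP pool (overload)",
}

# Constructed from rows in the sample outputs of Exercises 1, 3 and 4.
SAMPLE_OUTPUT = """\
STUDENT # get sys session list
PROTO   EXPIRE  SOURCE            SOURCE-NAT            DESTINATION          DESTINATION-NAT
tcp     3600    10.0.1.10:3677    -                     10.0.1.254:22        -
tcp     3587    10.0.1.10:3717    10.200.1.1:64133      72.30.38.140:80      -
tcp     3537    10.200.3.1:62426  -                     10.200.1.200:80      10.0.1.10:80
tcp     3591    10.0.1.10:3995    10.200.1.200:3995     66.94.241.1:80       -
tcp     3599    10.0.1.10:3963    10.200.1.100:64379    74.125.225.126:443   -
"""


def split_endpoint(field):
    """'host:port' -> (host, port); '-' means no translation and becomes None."""
    if field == "-":
        return None
    host, port = field.rsplit(":", 1)
    return host, int(port)


def parse_session_list(text):
    """Return one dict per session row; the prompt, header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[1].isdigit():
            continue
        proto, expire, src, snat, dst, dnat = parts
        sessions.append({
            "proto": proto, "expire": int(expire),
            "src": split_endpoint(src), "snat": split_endpoint(snat),
            "dst": split_endpoint(dst), "dnat": split_endpoint(dnat),
        })
    return sessions


def snat_kind(session):
    """Name the source-NAT mechanism from the translated address, or 'none'."""
    if session["snat"] is None:
        return "none"
    return SNAT_SOURCES.get(session["snat"][0], "unknown")


def port_preserved(session):
    """Static NAT keeps the source port; overload NAT (interface or pool) rewrites it."""
    return session["snat"] is not None and session["snat"][1] == session["src"][1]


def summarize(text):
    """Count sessions per SNAT mechanism and list inbound sessions that were destination-NATed."""
    sessions = parse_session_list(text)
    kinds = Counter(snat_kind(s) for s in sessions)
    inbound = [(s["src"], s["dst"], s["dnat"]) for s in sessions if s["dnat"] is not None]
    return kinds, inbound


if __name__ == "__main__":
    for s in parse_session_list(SAMPLE_OUTPUT):
        print(f"{s['src'][0]:>12} -> {s['dst'][0]:>16}  snat={snat_kind(s):20s} "
              f"port kept={port_preserved(s)}")
    print(summarize(SAMPLE_OUTPUT))
```

Paste the real command output into `summarize` to check, after each exercise, that the policy you expect is the one doing the translation; the port check separates the 1:1 VIP translation (3995 stays 3995) from the overload cases, where the port is rewritten.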
Exercise 5: Device Identification

1. Disable all outgoing policies except for the General Internet Access policy.
2. From the Windows server, run a continuous ping to 10.200.1.254.
3. Edit the outgoing general Internet access policy. Select Source Device Type and choose a type that will not match your Windows server, such as Linux PC. Click OK. FortiGate will notify you that this action enables device identification on the source interface. Click OK to accept this change. Return to the continuous ping. You should observe that this traffic is blocked. Try browsing the Internet and confirm that the firewall blocks this traffic.
4. Go to your Forward Traffic log. You should observe that there are no logging entries. This is because the traffic matches the implicit deny policy, and logging is not enabled on it by default. Edit the implicit deny policy and enable log violation traffic. Return to the Forward Traffic log and confirm that there are logging entries for the denied traffic.
5. Edit the outgoing general Internet access policy and change the Source Device Type to Windows PC to match your Windows server host. Return to the continuous ping started earlier. You should observe that this traffic is allowed. Try browsing the Internet and confirm that the firewall allows this traffic.
6. Go to User & Device > Device > Device Definition and review the details of your detected host device. This is a dynamic device list. FortiGate may update its list of devices and cache them to the flash disk to speed up detection. From the CLI, display the list:
   diag user device list
7. Clear the device from the CLI and then verify that it's removed:
   diag user device clear
   diag user device list
8. From the Windows server, visit a few web sites. This will generate traffic so that device identification can detect the host. Usually, it will use the HTTP User-Agent: header.
9. Display the device list again, and look for the internal host:
   diag user device list
10. Perform a show from the CLI to confirm there are no devices in the configuration file:
   show user device
11. From the GUI, go to User & Device > Device > Device Definition. Edit your device from the device list. Add an alias called myDevice. This creates a static device in the configuration file. Click OK to save the change. Perform the following show command to confirm that the device now appears in the configuration file as a permanent device:
   show user device
12. Go to User & Device > Device > Device Group. Note that your device is already a member of several predefined device groups. Click Create New and add a new device group called myDevGroup. Add myDevice to the Members list and click OK. Note that your device is still a member of the predefined groups and is now a member of the custom group myDevGroup.
13. Return to the outgoing general internet access policy and configure it to use your permanent device or static device group. Check that your traffic is unaffected by this change.
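Exercise 2 showed that the policy list is evaluated top to bottom and the first match wins (the PING DENY policy had no effect until it was moved above General Internet Access), and Exercise 5 showed that a Source Device Type is just one more match criterion, with unmatched traffic falling through to the implicit deny. The following added example (not part of the guide or of FortiOS) implements that first-match evaluation for the objects in this lab: the STUDENT_INTERNAL and LINUX_ETH1 addresses, the General Internet Access ACCEPT policy, the PING DENY policy, and the Linux PC / Windows PC device types. The protocol and port behind each service name is an assumption made for this example, and schedules are treated as always matching.

```python
"""First-match firewall policy evaluation with device-type matching (added example)."""
import ipaddress
from dataclasses import dataclass, field, replace
from typing import List, Optional

ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "STUDENT_INTERNAL": ipaddress.ip_network("10.0.1.0/24"),
    "LINUX_ETH1": ipaddress.ip_network("10.200.1.254/32"),
}
# Assumed service definitions: (protocol, destination port); ICMP has no port.
SERVICES = {
    "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53), "SSH": ("tcp", 22),
    "PING": ("icmp", None), "ALL_ICMP": ("icmp", None), "ALL": ("any", None),
}


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    device_type: Optional[str] = None   # as reported by device identification


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    services: List[str]
    action: str
    device_types: List[str] = field(default_factory=list)   # empty = any device


def service_matches(name, pkt):
    proto, port = SERVICES[name]
    if proto == "any":
        return True
    return proto == pkt.proto and (port is None or port == pkt.dport)


def policy_matches(pol, pkt):
    """Every criterion must match; a device-type list restricts the policy to those types."""
    return (pol.srcintf == pkt.srcintf and pol.dstintf == pkt.dstintf
            and ipaddress.ip_address(pkt.src) in ADDRESSES[pol.srcaddr]
            and ipaddress.ip_address(pkt.dst) in ADDRESSES[pol.dstaddr]
            and any(service_matches(s, pkt) for s in pol.services)
            and (not pol.device_types or pkt.device_type in pol.device_types))


def evaluate(policies, pkt):
    """Return (policy name, action) of the first matching policy, else the implicit deny."""
    for pol in policies:
        if policy_matches(pol, pkt):
            return pol.name, pol.action
    return "Implicit Deny", "DENY"


def with_device_types(pol, types):
    """Copy of a policy restricted to the given Source Device Types (Exercise 5, step 3/5)."""
    return replace(pol, device_types=list(types))


# The two policies from Exercises 1 and 2, in their original order.
GENERAL = Policy("General Internet Access", "port3", "port1", "STUDENT_INTERNAL", "all",
                 ["HTTP", "HTTPS", "DNS", "ALL_ICMP", "SSH"], "ACCEPT")
DENY_PING = Policy("Deny ping to LINUX_ETH1", "port3", "port1", "STUDENT_INTERNAL", "LINUX_ETH1",
                   ["PING"], "DENY")

# Constructed packets: the continuous ping to port1's gateway and a web request.
PING = Packet("port3", "port1", "10.0.1.10", "10.200.1.254", "icmp", device_type="Windows PC")
WEB = Packet("port3", "port1", "10.0.1.10", "72.30.38.140", "tcp", 80, device_type="Windows PC")

if __name__ == "__main__":
    print("original order:", evaluate([GENERAL, DENY_PING], PING))
    print("DENY moved up: ", evaluate([DENY_PING, GENERAL], PING))
    print("Linux PC only: ", evaluate([with_device_types(GENERAL, ["Linux PC"])], WEB))
    print("Windows PC:    ", evaluate([with_device_types(GENERAL, ["Windows PC"])], WEB))
```

The implicit deny result is also why step 4 of Exercise 5 found an empty Forward Traffic log until logging was enabled on that policy: the match happened, but nothing recorded it.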
Firewall Authentication Lab 1: User Authentication
In this lab, you will learn how to authenticate users with FortiGate.
Objectives
• Create an authentication policy
• Manage user authentication
• Track user login events
• Monitor active users
• Enable the captive portal
• Exempt some users from the captive portal
Time to Complete: Estimated 20 minutes
Exercise 1: Authentication via a Firewall Policy
1. On the Win-Student computer, open the Windows CLI and type the following command:
Use_External_DNS
You should see output similar to the following image.
2. Open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin:
http://10.0.1.254/
3. Restore the configuration file that is required by this lab:
Resources\Firewall-Authentication\Student\student-auth.conf
FortiGate will reboot.
4. Log in again. Review the user configuration for this lab. Go to User & Device > User > User Definition to review the local user settings. Go to User & Device > User > User Group to review the user group configuration.
Note: You should find that there is 1 user, 1 group and 2 firewall policies. The second firewall policy is disabled. Do not change either of the firewall policies at this time.
5. Go to System > Network > DNS Server and delete the entry for port3.
6. Confirm that the user is properly configured by using the CLI command:
diag test auth local training Student F0rtinet
The command should return a successful result if the proper configuration has been loaded.
Note: The second character in F0rtinet (the password) is a zero (0), not a letter.
Note: Both the username and password are always case sensitive on a FortiGate.
7. On the Win-Student server, open a web browser and connect to a new web site. You should observe that the web site does not display and you receive a timeout.
8. Open a command prompt and try to ping a web site by its domain name. For example:
http://www.hotmail.com/
You should find that the computer is unable to resolve the hostname to an IP address.
9. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4 and review the outgoing port3 → port1 firewall policy with authentication configured. Add DNS as an allowed service and apply the change to that policy. Go back to the Windows command prompt and attempt to ping by name again. Now the hostname can be resolved, but the ping still times out because the policy does not allow ICMP.
Note: FortiGate allows DNS to pass through the policy even though authentication has not succeeded yet.
10. On the Win-Student server, open a web browser. Connect to a new web site. At the login prompt, enter the following credentials:
Username: Student
Password: F0rtinet
You should observe that after successful authentication, FortiGate redirects your browser to the web site that you requested.
11. On the Student FortiGate, go to User & Device > Monitor > Firewall to view the details of the authenticated user, along with some details about their IP address, how much traffic they have sent, what method of authentication was used, and so on. If you right-click the columns at the top, you can find more information that can be added to the display.
12. Go to System > Network > DNS Server. Add a new DNS service entry for port3 that is set to Forward to System DNS.
13. On the Win-Student computer, open the Windows CLI and type the following command:
Use_Internal_DNS
You should see output similar to this:
14. From the CLI, view the IP addresses and users which have successfully authenticated to the FortiGate unit with the following command:
diag firewall auth list
Clear all authenticated sessions with the following command:
diag firewall auth clear
Caution: Be careful when using this command on a FortiGate in a real network. It will clear all authenticated users.
Exercise 2: Captive Portals
Note: Verify that you are not authenticated through the FortiGate before you begin. Use either the User Monitor in the GUI or the CLI command from the previous exercise to de-authenticate.
1. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4. Edit the second policy (which does not have authentication enabled and is currently slightly greyed out) and enable it. You can either open the policy, select Enable this policy at the bottom and then apply the change, or right-click the Seq # and select Enable.
2. On the Windows desktop, open a web browser and connect to a new web site. You should observe that, unlike before, FortiGate doesn't ask you to authenticate, yet you can still access the web site even though the first policy has authentication enabled. This illustrates how authentication interacts with the firewall policies. The source for the first policy is your IP AND all users in the training group. You have not authenticated yet, so your traffic does not match the source for that policy. The second policy matches all IPs and has no authentication options enabled, so it matches your traffic and allows the connection through. Since FortiGate found a policy match with just the source IP, it does not force a login.
3. On the Student FortiGate's GUI, go to System > Network > Interfaces and edit the port3 interface. Set the Security Mode to Captive Portal and click OK to save the change.
4. Open a web browser and connect to a new web site. FortiGate should prompt you to log in. Use the same credentials as in the previous exercise.
Note: If you are not prompted to log in, refer to step 1.
5. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4. Edit the first firewall policy. Change the source to STUDENT_FALSE and the group to training.
Note: STUDENT_FALSE has the IP 10.0.1.100, so it does not match the IP of the Win-Student computer.
6. On the Student FortiGate's GUI, go to User & Device > Monitor > Firewall. De-authenticate your user session.
7. Open a web browser and connect to a new web site. FortiGate should not prompt you to log in, but show a disclaimer instead. Look at the firewall policies in the CLI. You should find that the captive portal is suppressed on the second policy:
config firewall policy
show
end
This means that even though port3 has the captive portal enabled for all traffic behind it, any traffic that matches the second firewall policy will not be presented with the captive portal to authenticate.
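The policy-lookup behaviour that Exercises 1 and 2 demonstrate (group-based policy skipped for an unauthenticated source, DNS let through, interface captive portal, exempt policy), as an added JavaScript model that is not part of the Fortinet guide; the policy field names, the captivePortalExempt flag and the sample packets are assumptions chosen for the model.

```javascript
// Added example, not Fortinet code: a simplified model of how FortiGate policy
// lookup interacts with firewall authentication and an interface captive portal,
// as this lab demonstrates. Policy fields and the captivePortalExempt flag are
// names chosen for the model, not FortiOS CLI syntax.

// Parse dotted IPv4 into an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

// "all" matches any address; otherwise match an IPv4 CIDR such as 10.0.1.0/24.
function addrMatch(addr, ip) {
  if (addr === "all") return true;
  const [net, bitsStr] = addr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function policyMatches(p, pkt) {
  return p.enabled && p.srcintf === pkt.srcintf && p.dstintf === pkt.dstintf &&
    addrMatch(p.srcaddr, pkt.src) && addrMatch(p.dstaddr, pkt.dst) &&
    (p.service.includes("ALL") || p.service.includes(pkt.service));
}

// Top-down policy lookup. authTable maps a source IP to its authenticated user and
// groups. Returns { action: "accept" | "prompt" | "deny", policy?: id }.
function lookup(pkt, policies, captivePortalIntfs, authTable) {
  const session = authTable[pkt.src];
  let authCandidate = null;
  let matched = null;
  for (const p of policies) {
    if (!policyMatches(p, pkt)) continue;
    if (p.groups.length === 0) { matched = p; break; }
    if (session && session.groups.some((g) => p.groups.includes(g))) { matched = p; break; }
    // Unauthenticated source on a policy that requires a group: DNS is let through
    // so the client can resolve names (Exercise 1, step 9); anything else is
    // remembered as the policy to authenticate against, and the lookup continues.
    if (pkt.service === "DNS") return { action: "accept", policy: p.id };
    if (!authCandidate) authCandidate = p;
  }
  if (matched) {
    // A captive portal on the ingress interface challenges unauthenticated users
    // even when the matching policy needs no group, unless that policy is exempt.
    if (captivePortalIntfs.has(pkt.srcintf) && !session && !matched.captivePortalExempt) {
      return { action: "prompt", policy: matched.id };
    }
    return { action: "accept", policy: matched.id };
  }
  // Only group-based policies matched by address: the user must log in first.
  if (authCandidate) return { action: "prompt", policy: authCandidate.id };
  return { action: "deny" };
}

// Constructed data mirroring the lab: policy 1 needs the training group, policy 2
// matches any source with no authentication.
function labPolicies({ secondEnabled, firstSrc = "10.0.1.0/24", secondExempt = false }) {
  return [
    { id: 1, enabled: true, srcintf: "port3", dstintf: "port1", srcaddr: firstSrc,
      dstaddr: "all", service: ["HTTP", "DNS"], groups: ["training"], captivePortalExempt: false },
    { id: 2, enabled: secondEnabled, srcintf: "port3", dstintf: "port1", srcaddr: "all",
      dstaddr: "all", service: ["ALL"], groups: [], captivePortalExempt: secondExempt },
  ];
}
const HTTP_FROM_STUDENT = { srcintf: "port3", dstintf: "port1", src: "10.0.1.10", dst: "10.200.1.254", service: "HTTP" };
const DNS_FROM_STUDENT = { ...HTTP_FROM_STUDENT, service: "DNS" };
const STUDENT_LOGGED_IN = { "10.0.1.10": { user: "Student", groups: ["training"] } };
const NOBODY = {};
const PORTAL_ON_PORT3 = new Set(["port3"]);
const NO_PORTAL = new Set();

// Walk through the lab's states in order; returns "action:policy" for each.
function labWalkthrough() {
  return [
    lookup(HTTP_FROM_STUDENT, labPolicies({ secondEnabled: false }), NO_PORTAL, NOBODY),            // Ex1 step 7: prompt
    lookup(DNS_FROM_STUDENT, labPolicies({ secondEnabled: false }), NO_PORTAL, NOBODY),             // Ex1 step 9: DNS passes
    lookup(HTTP_FROM_STUDENT, labPolicies({ secondEnabled: false }), NO_PORTAL, STUDENT_LOGGED_IN), // Ex1 step 10: accept
    lookup(HTTP_FROM_STUDENT, labPolicies({ secondEnabled: true }), NO_PORTAL, NOBODY),             // Ex2 step 2: policy 2
    lookup(HTTP_FROM_STUDENT, labPolicies({ secondEnabled: true }), PORTAL_ON_PORT3, NOBODY),       // Ex2 step 4: prompt
    lookup(HTTP_FROM_STUDENT, labPolicies({ secondEnabled: true, firstSrc: "10.0.1.100/32", secondExempt: true }),
      PORTAL_ON_PORT3, NOBODY),                                                                       // Ex2 step 7: exempt
  ].map((r) => (r.policy ? `${r.action}:${r.policy}` : r.action));
}
```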
SSL VPN Lab 1: SSL VPN
In this lab, you will manage user groups and portals for the SSL VPN.
Objectives
• Configure and connect to an SSL VPN
• Enable authentication security
• Configure firewall policies for access to private network resources
Time to Complete: Estimated 30 minutes
Exercise 1: SSL VPN for Web Access
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin:
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\SSL-VPN\Student\student-ssl.conf
3. FortiGate will reboot. When the device has rebooted, review the SSL VPN access configuration for this lab. Go to Policy & Objects > Policy > IPv4 and examine the ssl.root → port1 firewall policy.
4. Edit this policy to view its components. Configure these settings:
Incoming Interface: ssl.root
Source Address: all
Source User(s): Training_One
Outgoing Interface: port1
5. Under VPN > SSL > Settings, review the authentication rules at the bottom. This allows all users that are authorized to log in access to the web-access portal.
6. To observe the effect of this policy, you will now access the SSL VPN. On the Win-Remote computer, open a web browser and access the SSL VPN by browsing to:
https://10.200.1.1/
Accept the security warnings for the self-signed certificate and log in using the following credentials:
Username: Student
Password: F0rtinet
You should notice that you are able to log in successfully, but the web portal currently has default settings. You will now configure the web-access portal that is selected in the SSL VPN policy.
7. Log out and return to the Win-Student computer.
8. In the GUI of the Student FortiGate, go to VPN > SSL > Portals, select web-access and click Edit to modify the settings for this portal. Create the following bookmarks for the internal server.
First Bookmark:
Category: Test
Name: Linux Website
Type: HTTP/HTTPS
URL: 10.200.1.254
Click OK.
Second Bookmark:
Category: Test
Name: StudentComputerWebsite
Type: RDP
Host: 10.0.1.10
Click OK. Click OK at the bottom of the page to save the bookmarks on this portal.
9. Test the SSL VPN access again from the Win-Remote computer by browsing to:
https://10.200.1.1
You should now observe that you have two bookmarks listed.
10. Select the "Linux Website" bookmark and examine the items listed below to understand how the web access functions.
Note: Do not use the Student computer website yet. It will be tested in the next exercise.
Note the URL of the web site in the browser address bar:
https://10.200.1.1/proxy/http/10.200.1.254/
The first part of the address is the encrypted link to the FortiGate SSL VPN gateway: https://10.200.1.1/
The second part of the address is the instruction to use the SSL VPN HTTP proxy: .../proxy/http/...
The final part of the address is the destination of the connection from the HTTP proxy: .../10.200.1.254/
In this example, the connection is encrypted up to the SSL VPN gateway. The connection from the HTTP proxy to the final destination is in clear text.
11. Return to the Win-Student computer and, from the GUI on the Student FortiGate, go to VPN > Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN connection. Note the User, Source IP and Begin Time. Log the user out by selecting their name and clicking Delete.
Exercise 2: Testing Authentication
1. On the Win-Remote computer, open a web browser. Start the SSL VPN by going to:
https://10.200.1.1
When prompted, log in to the SSL VPN using the following credentials:
Username: Student2
Password: F0rtinet
You should receive a permission denied failure message.
2. Go to the CLI of the Student FortiGate. Locally test user authentication:
diag test auth local Training_Two Student2 F0rtinet
This user should authenticate successfully. Together with the behavior you observed in the previous step, this means that while FortiGate can confirm the user and group information, that user is not authorized to log in to the SSL VPN portal.
3. To allow those users to log in, go to the firewall policies. Edit the ssl.root → port1 policy by adding Training_Two as an additional source user group.
4. To observe the effect of these changes, access the SSL VPN again. Log in with both the Student and Student2 users. What do you see when you log in? You should see the same portal as in the previous exercise. Why? The portal mapping rules have all users accessing the web-access portal.
5. Under VPN > SSL > Settings, create a new mapping for a user group and portal:
Users/Group: Training_Two
Portal: full-access
After adding the mapping rule, click OK to go back to the settings page, then click APPLY to save the changes.
Note: If you click OK but do not click APPLY, then FortiGate will not save the changes you make to the portal mapping rules.
6. Log out of the SSL VPN portal (if you haven't already) and log in again. Be sure to use the Student2 user credentials from step 1. You should now observe that the portal established is the full-access portal, which has different widgets and options enabled than the web-access portal.
Exercise 3: Accessing Resources Beyond Different Interfaces
1. Log out of the SSL VPN portal (if you haven't already) and log in again. Be sure to use the Student user credentials.
2. Now click the "Student Computer Website" bookmark, created back in Exercise 1. FortiGate should display an access error. Why? All traffic generated by users of the SSL VPN on this FortiGate will originate from the ssl.root interface. This includes both web and tunnel mode traffic. The host IP, 10.0.1.10, is behind port3 and there is no firewall policy that allows traffic ssl.root → port3.
3. Next, go to Policy & Objects > Policy > IPv4 and create a firewall policy with the following settings:
Incoming Interface: ssl.root
Source Address: all
Source User(s): Training_One, Training_Two
Outgoing Interface: port3
Destination Address: STUDENT_INTERNAL
Schedule: always
Service: ALL
Action: Accept
4. Go back to the SSL VPN portal and select the "Student Computer Website" again. FortiGate should now allow the web site to display because traffic is now allowed to pass from ssl.root to port3.
5. Log out of the SSL VPN portal.
6. In your browser, enter the IP 10.0.1.10. The browser's connection will time out because there is no access to the Win-Student computer from the Win-Remote computer.
7. Log back into the SSL VPN portal as Student2. Once the login has finished, activate the SSL VPN Tunnel.
Note: To do this, you must install the SSL VPN adapter.
8. In your browser, go to:
http://10.0.1.10/
The web site should display properly this time. FortiGate is now sending traffic across the SSL VPN tunnel, rather than sending it to the default gateway.
Basic IPsec VPN Lab 1: IPsec VPN
In this lab, you will configure an IPsec VPN on the FortiGate using both interface-based and policy-based modes.
Objectives
• Demonstrate the differences between interface-based and policy-based VPNs
• Explain IPsec VPN configuration options
Time to Complete: Estimated 30 minutes
Exercise 1: Site-to-Site IPsec VPN
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin:
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Basic-IPsec-VPN\Student\student-ipsec.conf
3. The Student FortiGate will reboot. Go to the GUI for the FortiGate named Remote, and log in as admin:
http://10.200.3.1/
4. Restore the configuration file that is required by this lab:
Resources\Basic-IPsec-VPN\Remote\remote-ipsec.conf
The Remote FortiGate will reboot.
5. When the Student FortiGate has rebooted, on the Windows server, open a command prompt. Run a continuous ping to the Win-Remote computer:
ping -t 10.0.2.10
6. From the GUI on the Student FortiGate, go to VPN > Monitor > IPsec Monitor and examine the tunnel status. You should observe a tunnel named remote with the destination 10.200.3.1 and a status of up. This is the tunnel that the Student FortiGate established with the Remote FortiGate.
7. Review the firewall policy port3 → remote. View the Count column so that you can see the packets and bytes per policy. Observe that the counter is incrementing for the port3 → remote policy. What is the interface remote? Go to System > Network > Interface and note the blue arrow head associated with port1. If you expand this, you will be able to see the remote interface; its type is set to Tunnel Interface.
8. Go to VPN > IPsec > Auto Key (IKE) and review the IPsec configuration. Note the Phase 1 and Phase 2 IKE objects. Edit the Phase 1 IKE object remote. Select Advanced to view all the settings. Note that IPsec Interface Mode is selected. You can also view this from the CLI:
conf vpn ipsec phase1-interface
show
The Phase 1 IKE object is the IPsec interface referenced in the interface list and firewall policy. How is the traffic getting to this policy? Traffic arrives at the FortiGate on the ingress interface. For new connections, FortiGate performs a routing lookup to select the egress interface and gateway, and then a lookup in the firewall policy to find a matching rule. Egress is determined by the routing table lookup, and therefore FortiGate selects the remote interface. A route is driving the traffic to the IPsec interface.
9. Go to Router > Monitor and view the current routing table. You will observe a static route to the destination 10.0.2.0/24 pointing to the remote interface. This is an example of the route-based VPN configuration. The alternative is the policy-based VPN, which we will review next. Usually, route-based VPNs are preferred, but there are a few exceptions where you would need to use a policy-based VPN. These will be discussed later.
10. Open a web browser on the Windows server. Connect to the GUI on the Remote FortiGate device.
11. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote FortiGate device. You should observe a tunnel named student with the destination 10.200.1.1 and a Status of up. This is the tunnel that this FortiGate established with the Student FortiGate.
12. Go to System > Network > Interface. Notice there is no tunnel sub-interface for port4.
13. Go to Router > Monitor and view the current routing table. Notice that there is no specific route for 10.0.2.0/24; there is only a default route. How is the traffic entering the tunnel then?
14. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a policy from port6 to port4 for address 10.0.2.0/24 (REMOTE_INTERNAL) to address 10.0.1.0/24 (STUDENT_INTERNAL) with action IPsec. Edit this policy to view its settings. The policy subtype is IPsec, and it uses the VPN Tunnel called student. It also has permissions to allow traffic inbound as well as outbound. We will look at these settings later. How is the traffic matching this policy? On the Student FortiGate, a static route was sending traffic to the IPsec virtual interface. Here there is no static route. Instead, the policy setting is sending traffic to the VPN. The IPsec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it to the tunnel student.
15. From the Remote FortiGate device, go to VPN > IPsec > Auto Key (IKE) and review the IPsec configuration. Note the Phase 1 and Phase 2 IKE objects. You can also view these settings from the CLI:
conf vpn ipsec phase1-interface
conf vpn ipsec phase2-interface
16. Edit the Phase 1 IKE object remote and select Advanced to view all the settings. Note that IPsec Interface Mode is not selected. The Phase 1 IKE object is the IPsec tunnel referenced in the IPsec firewall policy. Here we are using a policy-based VPN on the Remote FortiGate device and an interface-based VPN on the Student FortiGate device. The type we use is of local significance; therefore we can mix them, as is the case in this example.
17. From the remote Windows desktop, attempt to run a continuous ping to 10.0.1.10. You should observe that this ping fails. Can you identify why?
If the VPN is in tunnel mode, then FortiGate uses only 1 firewall policy to allow both incoming and outgoing traffic. But if the VPN is in interface mode, then you must have 2 separate VPN firewall policies: one to allow inbound and one to allow outbound communication. On the Student FortiGate, we have only configured the outgoing policy. The VPN is in interface mode. So FortiGate drops the new incoming connection: there is no firewall policy to allow it.
18. Return to the Student FortiGate. Add the missing firewall policy. You should observe that the ping now succeeds.
Explicit Web Proxy Lab 1: Explicit Web Proxy
In this lab, you will learn how to configure FortiGate to be an explicit web proxy.
Objectives
• Configure a FortiGate as an explicit web proxy
• Use a PAC file to configure the Internet browser to use the web proxy
• Exempt some servers from the proxy
• Display the list of current web proxy users
Time to Complete: Estimated 30 minutes
Exercise 1: Configuring the Explicit Web Proxy
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin:
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Explicit-Web-Proxy\Student\student-wp.conf
3. Go to System > Dashboard > Status. In the Features widget, enable Explicit Proxy. Click Apply.
4. Go to System > Network > Explicit Proxy and enable HTTP/HTTPS web proxy.
5. Go to System > Network > Interfaces and edit port3. Enable the option Enable Explicit Web Proxy. Click OK.
6. Go to Policy & Objects > Policy > Explicit Proxy. Click Create New. Add this explicit proxy policy:
Explicit Proxy Type: Web
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Action: AUTHENTICATE
Add this authentication rule:
Source User(s): Student
Schedule: always
Click OK to save it.
7. Open Mozilla Firefox. Click the Open menu icon in the top right corner. Select Options.
8. Go to the Advanced > Network tab and click Settings.
9. Select Manual proxy configuration and enter:
HTTP Proxy: 10.0.1.254
Port: 8080
Enable the option Use this proxy server for all protocols. Additionally, add the subnet 10.0.1.0/24 to the No Proxy for list. This list contains the names, IP addresses and subnets of web sites that will be exempted from using the proxy.
Click OK.
10. Try to browse any web site. FortiGate will ask you for authentication. Use these credentials:
Username: Student
Password: F0rtinet
After that, you should have Internet access through the explicit web proxy.
Note: The second character in F0rtinet (the password) is a zero (0), not a letter. Both the username and password are always case sensitive.
11. While browsing different web sites, type the following CLI command to check the list of active web proxy users:
diagnose wad user list
You can also check this list from the GUI, by going to User & Device > Monitor > Firewall.
12. Type these CLI commands to list some web proxy sessions:
diagnose sys session filter clear
diagnose sys session filter dport 8080
diagnose sys session list
You can also use the grep command to display only the source and destination IP addresses and ports for each session:
diagnose sys session list | grep hook=pre
Why is the source IP address of all those sessions 10.0.1.10? Why is the destination IP address of all those sessions 10.0.1.254? Why don't we see any public IP address listed in those sessions?
13. While browsing an HTTP site, type these other commands to list another set of proxy sessions:
diagnose sys session filter clear
diagnose sys session filter dport 80
diagnose sys session list | grep hook=out
Why is the source IP address of all these sessions 10.200.1.1? Why don't we see the IP address of the Windows server (10.0.1.10)?
Tip: In the case of the explicit web proxy, for each connection to a web site, two sessions are created on the FortiGate: one from the client to the proxy, and another one from the proxy to the server.
Exercise 2: Using a PAC File
1. Log in to the Student FortiGate's GUI.
2. Go to System > Network > Explicit Proxy. Enable the option PAC, then click the pencil icon to edit the PAC file.
3. Select the file proxy.pac in the folder Resources\Explicit-Web-Proxy. Click Import, then Apply. Click the pencil icon again to look at the imported PAC file. Click Apply to save all the changes in the explicit proxy configuration.
Note: The second line in the PAC file specifies that the browser will not use a proxy to reach the servers in the subnet 10.0.0.0/8. The next line configures the browser to use the FortiGate proxy for any other subnet or URL.
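A PAC file that does what the note above describes, as an added example rather than the lab's own proxy.pac (whose exact text is not reproduced here); the hostname table in the Node shims at the bottom is constructed for the demonstration.

```javascript
// Added example, not the proxy.pac from the lab's Resources folder: a PAC file that
// does what the note above describes (bypass the proxy for 10.0.0.0/8, use the
// FortiGate explicit proxy for everything else). The shims at the bottom exist only
// so the file can be run with Node; a real PAC file contains FindProxyForURL alone.

function FindProxyForURL(url, host) {
  // Literal IPv4 hosts need no DNS lookup; names are resolved by the browser.
  var ip = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : dnsResolve(host);
  // Servers in 10.0.0.0/8 are reached directly. The browser then sends the request
  // itself, so that traffic needs an ordinary IPv4 policy (step 7 of this exercise).
  if (ip && isInNet(ip, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else, including names that fail to resolve (dnsResolve returns null),
  // goes through the explicit web proxy on the FortiGate's port3 address.
  return "PROXY 10.0.1.254:8080";
}

// --- Node shims; browsers provide isInNet and dnsResolve to PAC scripts ---
if (typeof isInNet === "undefined") {
  // Constructed name table standing in for the browser's resolver.
  var DEMO_DNS = { "intranet.example": "10.200.1.254", "www.example.com": "203.0.113.10" };
  globalThis.dnsResolve = function (name) {
    return Object.prototype.hasOwnProperty.call(DEMO_DNS, name) ? DEMO_DNS[name] : null;
  };
  globalThis.isInNet = function (ipaddr, pattern, maskstr) {
    var toInt = function (a) {
      return a.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0);
    };
    return (toInt(ipaddr) & toInt(maskstr)) === (toInt(pattern) & toInt(maskstr));
  };
}
```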
4. Open the Mozilla Firefox options again. Select the Advanced > Network tab and click Settings. Select the option Automatic proxy configuration URL, then type:
http://10.0.1.254:8080/proxy.pac
Click OK.
5. Close Firefox and open it again. Try to browse any web site on the Internet. The traffic will go through the FortiGate proxy. If FortiGate asks you to authenticate, use the same Student account.
6. Now connect to a web site in the network 10.0.0.0/8. The browser will not use the proxy and will send the HTTP request directly to the server. Try with this server:
http://10.200.1.254
It does not work. There is something missing in the FortiGate configuration. Do you know what it is?
7. Go to Policy & Objects > Policy > IPv4 and add the following firewall policy:
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
NAT: Enabled
8. Try to access http://10.200.1.254 one more time. It should work now.
9. To finish the lab exercise, disable the proxy in Mozilla Firefox. Go to Options one more time, select Advanced > Network, click Settings, and select No proxy. Click OK to save the change.
Antivirus Lab 1: Antivirus Scanning
In this lab, you will work with both flow-based and proxy-based antivirus scanning.
Objectives
• Configure flow-based and proxy-based antivirus scanning
• Understand FortiGate antivirus scanning behavior
• Scan multiple protocols
• Insert replacement messages in multiple protocols
Time to Complete: Estimated 30 minutes
Exercise 1: Antivirus & Block Pages
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin:
http://10.0.1.254/
2. Restore the configuration file that is required by this lab:
Resources\Antivirus\Student\student-av.conf
3. FortiGate will reboot. When the FortiGate has rebooted, go to Policy & Objects > Policy > IPv4 and edit the port3 → port1 policy. You will notice that an antivirus profile is in place, as well as a Protocol Options and an SSL/SSH Profile. Those last 2 profiles cannot be disabled, only changed.
4. Examine the antivirus profile that has been enabled on the firewall policy (default). This profile defines the behavior for virus scanning on the traffic that matches policies using that profile.
5. Verify that the inspection mode is Proxy, to block viruses, and that HTTP protocol pickup is enabled.
6. Now examine the proxy options profile enabled on the firewall policy (default). This profile determines how FortiGate's proxies identify protocols. Ensure that HTTP is set to port 80.
7. Finally, examine the SSL/SSH profile enabled on the firewall policy (default). This profile determines how encrypted traffic, like HTTPS, will be handled.
8. Configure the profile to inspect certificate details.
9. Go to System > Config > Replacement Message. From the top right-hand corner select Extended View and, under Security, modify the Virus Block Page. The HTML editor that is displayed allows you to see the changes as you are making them. If you do not want to use the standard block pages, you can modify them. Click Save, shown above the editor window, to apply any changes.
10. From the virtual Win-Student host, launch a web browser and access the following web site:
http://eicar.org
11. On the EICAR web page, click Download ANTI MALWARE TESTFILE (located in the top right-hand corner of the page) and then click the Download link that appears on the left. Download any of the EICAR sample files from the Download area using the standard HTTP protocol. FortiGate should block the download attempt and instead insert a replacement message similar to the following (which should also include any customization you made earlier):
The EICAR file is an industry-standard, harmless file used to test antivirus detection. The file contains the following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
12. FortiGate shows the HTTP virus message when it blocks or quarantines infected files. In the message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information about the detected virus.
13. From the GUI on the Student FortiGate, go to Log & Report > Traffic Log > Forward Traffic and locate the antivirus event messages. In order to view summary information about the antivirus activity, add the Advanced Threat Protection Statistics widget to the dashboard.
14. On the EICAR web page, click Download ANTI MALWARE TESTFILE and then click the Download link that appears on the left. This time, select the eicar.com file from the Download area using the secure SSL enabled protocol HTTPS section. Your download should succeed. FortiGate does not block the file, because we have not enabled full SSL inspection.
15. To enable inspection of SSL encrypted traffic on the Student FortiGate unit, go to Policy & Objects > Policy > SSL/SSH Inspection, edit the default profile, set the Inspection Mode to Full SSL Inspection and make sure that HTTPS is enabled and set to port 443. Click Apply.
16. To ensure that there are no existing sessions prior to deep scanning the communication exchange, connect to the CLI of the Student FortiGate and enter the following commands:
diag sys session filter dport 443
diag sys session clear
This will clear out all the HTTPS (port 443) sessions on the firewall, in case the web server did not properly close down the communications.
17. Return to the EICAR web page and attempt to download the eicar.com file from the Download area using the secure SSL enabled protocol HTTPS section. This time, FortiGate should block the download and replace it with a message. If it doesn't, you may need to clear your cache. In Firefox, select History > Clear Recent History > Everything.
18. In order to see the block page, you will need to accept the certificate warning. Encrypted protocols are designed to prevent eavesdropping, which is exactly what full SSL inspection does, so the browser warns that the certificate it received was issued by the FortiGate rather than by the web site's own CA.
Exercise 2: Flow vs Proxy Scanning
1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin:
http://10.0.1.254/
2. Edit the default Antivirus profile, and set the inspection mode to Flow.
3. On the Win-Student computer, open the FileZilla FTP client software.
4. Connect to 10.200.1.254. Leave the username and password blank to use anonymous FTP.
5. On the Remote side, open the pub folder and download the file named eicar.com. The client should display an error message that the server aborted the connection.
6. On the GUI of the Student FortiGate, locate the logs for the detection of this file. With flow-based virus scanning, data from the file has already been sent to the client, so no immediate block message/page may be possible, depending on the protocol being scanned.
Web Filtering Lab 1: Web Filtering

In this lab, you will configure web filtering to block specific categories of content. The interaction of local categories and overrides will also be demonstrated.

Lab Objectives
• Enable and use web filtering on a FortiGate device
• Troubleshoot and configure FortiGuard Category filtering
• Read and interpret web filter log entries
• Work with proxy and flow-based web filtering
• Monitor blocked categories
• Work with and configure Web Rating Overrides
• Configure Web Profile Overrides

Time to Complete
Estimated: 30 minutes
Exercise 1: FortiGuard Web Filtering

1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin:
http://10.0.1.254/
2. Restore the configuration file that is required by this lab: Resources\Web-Filtering\Student\student-wf.conf. FortiGate will reboot. When the FortiGate device has rebooted, go to System > Status and, under License Information, check the FortiGuard Services Web Filtering status to ensure that the license has been validated. A green check mark should be displayed.
3. In the GUI on the Student FortiGate device, go to Security Profiles > Web Filter and review the settings of the default web filter profile. Verify that the Inspection Mode is set to Proxy. Under FortiGuard Categories, right-click and expand the web category Potentially Liable. The category and all the sub-categories inside should have the action set to Authenticate. Expand Adult/Mature Content. You should find that Other Adult Material and Pornography are blocked while all other sub-categories are set to Monitor. Expand Bandwidth Consuming. The category and all sub-categories inside should have the action set to Warning. Expand Security Risk. The category and all sub-categories inside should have the action set to Block. All of the General Interest categories and sub-categories should be set to Monitor.
4. Go to Policy & Objects > Policy > IPv4 and edit the outgoing port3→port1 policy. In addition to a web filter profile, a Proxy Options profile and an SSL/SSH Inspection profile have also been enabled. Review the settings in the assigned Proxy Options and SSL/SSH Inspection profiles.
5. From the CLI on the Student FortiGate device, check the low-level status information of the web filtering service by entering the following command:
diag debug rating
The command diag debug rating shows the list of FDS servers that the FortiGate uses for web filtering rating requests. FortiGate normally sends rating requests to the server at the top of the list. Each server is probed for RTT every 2 minutes.
Note: Your lab environment uses a FortiManager as a local FDS server. It contains a local copy of the FDS web rating database. The FortiGate devices have been configured to send rating requests to the FortiManager instead of the public FDS servers. For this reason, the output of the above command lists only the FortiManager IP address.
6. On the Win-Student computer, open a web browser, and go to:
http://www.bing.com
You should receive a block page.
7. Verify that the rating of the website www.bing.com is NOT Pornography by checking it at http://www.fortiguard.com/static/webfiltering.html. You will find that Bing is not rated as Pornography and that the category it belongs to has a Monitor action rather than Block.
8. From the CLI on the Student FortiGate, examine the FortiGate's behavior:
diag debug application url 255
diag debug enable
Access the website www.bing.com again. The diagnostic output indicates that the URL matches a local rating. When you have finished, turn the debug output off again with diag debug disable (and diag debug reset to clear the debug filters); application debugging at level 255 is verbose and keeps writing to the console until it is disabled.
9. In the GUI on the Student FortiGate device, go to Security Profiles > Advanced > Web Rating Override. You will find an entry for www.bing.com that assigns it the category Pornography. A local rating override takes precedence over the FortiGuard rating, which is why the site was blocked.
10. Edit the rating override for www.bing.com and set the category to Potentially Liable and the sub-category to Proxy Avoidance.
11. Access the website http://www.bing.com again. This time, the block page gives you the option to Proceed. Click Proceed and enter the following user credentials:
User: Student
Password: F0rtinet
Note: If you receive a certificate warning, be sure to allow it.
12. In the GUI on the Student FortiGate device, go to Log & Report > Security Log > Web Filter.
If you examine the actions taken in the logs, you will find that initially a Block action shows up. However, more recent logs show a different action.
13. Edit the web filter profile and select Flow-based. A notification is displayed. Click OK on this pop-up and then click Apply at the bottom of the profile.
14. Test the behavior of flow-based inspection by connecting to www.bing.com again.
15. Go to Security Profiles > Advanced > Web Rating Override and delete the entry for http://www.bing.com. Access www.bing.com again.
16. In the GUI on the Student FortiGate device, go to Security Profiles > Monitor > Web Monitor. Review the output. You can click on the charts to get additional information on what is being displayed.
Note: If you do not have the Monitor menu, this feature is disabled in the GUI and must be enabled from the CLI:
config system global
set gui-utm-monitors enable
end
Exercise 2: Web Profile Overrides

1. On the Win-Student computer, open a new browser window and visit www.youtube.com. FortiGate should block this.
2. In the GUI on the Student FortiGate, go to Security Profiles > Web Filter. Set the inspection mode to Proxy.
3. Enable Allow Blocked Override and configure the following options:
• Apply to Group(s): Override_Permissions
• Assign to Profile: monitor_all
• Scope: IP
• Duration Mode: Constant
• Duration: 0 days, 0 hours, 15 minutes
Click Apply to save the changes.
4. Visit the website www.youtube.com again. You will find that at the bottom of the page there is an override link.
5. Click Override and enter the following user credentials:
User: Student2
Password: F0rtinet
FortiGate should now allow you to access the web site. Note the scope: because Scope is set to IP, the override applies to every user behind that source address for the next 15 minutes, not only to Student2.
6. In the GUI on the Student FortiGate device, go to Log & Report > Security Log > Web Filter. Compare the current pass-through entries for YouTube with the older block entries. Notice that the web profile that is reported as being used is different.
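Both web filter exercises end by reading the Web Filter log to compare the earlier Block entries with the later Passthrough entries and to see which profile produced each one. As an added example (not part of this guide and not FortiOS code), the script below parses the key=value format of FortiOS logs and summarizes, per host, which actions and profiles appear, flagging hosts whose entries show an override. The sample lines are constructed in the style of 5.2 web filter logs, not captured output: the field names (type, subtype, hostname, profile, action, catdesc, msg) are the FortiOS log field names, while the logid values and addresses are placeholders.

```python
import re
from collections import defaultdict

# One key=value field. Values are either double-quoted (may contain spaces and
# backslash-escaped quotes) or a run of non-space characters.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Parse one FortiOS key=value log line into a dict with quotes stripped."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def summarize_webfilter(lines):
    """Group web filter events by hostname.

    For each host, return the count per action, the profiles that logged the
    events and the FortiGuard categories seen, plus two flags:
      overridden      - the host was both blocked and passed through
      profile_changed - the host's events came from more than one profile
                        (what a web profile override looks like in the log)
    Lines of other log types (traffic, antivirus, ...) are ignored.
    """
    per_host = defaultdict(lambda: {"actions": defaultdict(int),
                                    "profiles": set(), "categories": set()})
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "webfilter":
            continue
        entry = per_host[rec.get("hostname", "<unknown>")]
        entry["actions"][rec.get("action", "<none>")] += 1
        entry["profiles"].add(rec.get("profile", "<none>"))
        if "catdesc" in rec:
            entry["categories"].add(rec["catdesc"])

    summary = {}
    for host, entry in per_host.items():
        actions = dict(entry["actions"])
        summary[host] = {
            "actions": actions,
            "profiles": sorted(entry["profiles"]),
            "categories": sorted(entry["categories"]),
            "overridden": "blocked" in actions and "passthrough" in actions,
            "profile_changed": len(entry["profiles"]) > 1,
        }
    return summary


# Constructed sample lines in the style of FortiOS 5.2 web filter logs; they
# illustrate the lab sequence and are not output captured from a FortiGate.
SAMPLE_LOGS = [
    'date=2015-04-30 time=09:01:10 logid=0316013056 type=utm subtype=webfilter '
    'eventtype=ftgd_blk level=warning vd="root" policyid=1 srcip=10.0.1.10 '
    'dstip=203.0.113.10 dstport=80 service=HTTP hostname="www.bing.com" '
    'profile="default" action=blocked reqtype=direct url="/" direction=outgoing '
    'msg="URL belongs to a denied category in policy" catdesc="Pornography"',
    'date=2015-04-30 time=09:02:31 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd="root" srcip=10.0.1.10 dstip=203.0.113.10 dstport=80 '
    'action=deny policyid=1 service=HTTP',
    'date=2015-04-30 time=09:05:44 logid=0317013057 type=utm subtype=webfilter '
    'eventtype=ftgd_allow level=notice vd="root" policyid=1 srcip=10.0.1.10 '
    'dstip=203.0.113.10 dstport=80 service=HTTP hostname="www.bing.com" '
    'profile="default" action=passthrough reqtype=direct url="/" '
    'msg="URL belongs to a category with an authenticate action" '
    'catdesc="Proxy Avoidance"',
    'date=2015-04-30 time=09:10:02 logid=0316013056 type=utm subtype=webfilter '
    'eventtype=ftgd_blk level=warning vd="root" policyid=1 srcip=10.0.1.10 '
    'dstip=203.0.113.20 dstport=80 service=HTTP hostname="www.youtube.com" '
    'profile="default" action=blocked reqtype=direct url="/" '
    'msg="URL belongs to a denied category in policy" catdesc="Streaming Media and Download"',
    'date=2015-04-30 time=09:12:15 logid=0317013057 type=utm subtype=webfilter '
    'eventtype=ftgd_allow level=notice vd="root" policyid=1 srcip=10.0.1.10 '
    'dstip=203.0.113.20 dstport=80 service=HTTP hostname="www.youtube.com" '
    'profile="monitor_all" action=passthrough reqtype=direct url="/" '
    'msg="URL belongs to an allowed category in policy" catdesc="Streaming Media and Download"',
]

if __name__ == "__main__":
    for host, info in summarize_webfilter(SAMPLE_LOGS).items():
        print(host, info)
```

The same parser works on the Forward Traffic entries used in the application control lab, since every FortiOS log type shares the key=value layout; only the summary function is specific to the web filter fields.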
Application Control Lab 1: Application Identification

In this lab, you will use the application control feature to properly identify an application.

Objectives
• Configure Application Control in the student lab environment
• Read and understand application control logs
• Enable and monitor traffic shaping through Application Control
• Use Application Control to fine-tune Internet access

Time to Complete
Estimated: 30 minutes
Exercise 1: Creating an Application Control List

1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin:
http://10.0.1.254/
2. Restore the configuration file that is required by this lab: Resources\Application-Control\Student\student-app.conf. FortiGate will reboot. Log in again. Go to Security Profiles > Application Control > Application Sensor. Review the default application control sensor. (Verify that you are selecting the sensor named default.)
3. On the Edit Application Sensor page, check the settings for the following rules:
Application Override: Myspace
Category: Video/Audio
The action for each of these should show as Block.
4. Go to Policy & Objects > Policy > IPv4 and edit the port3→port1 policy. Verify that Application Control is turned on and that the default application control sensor is selected.
5. Enable the Security Profiles monitors:
config system global
set gui-utm-monitors enable
end
Go to http://www.youtube.com. On the YouTube web site, try to play a video. While the video is playing, go to the GUI of the FortiGate and check the application monitor in Security Profiles > Monitor > Application Monitor. If your browser does not show the application monitor, you may need to refresh the page or log in to the FortiGate again.
6. On the Win-Student computer, open a new web browser window. Go to http://www.myspace.com/. You should observe that you cannot connect to this site. It times out.
7. Go to Security Profiles > Application Control > Application Sensor and check the default sensor again. At the bottom of the profile, enable Replacement messages for HTTP-based applications.
8. Go to the MySpace web site again. Now FortiGate should display a block message.
9. Go to Log & Report > Traffic Log > Forward Traffic and view the log information to confirm that this action was correctly logged.
10. From the web browser, try to go to http://proxite.us. On the proxy web page, scroll down to the bottom and enter the URL of MySpace.com. Click Go. You should observe that FortiGate allows some connectivity to the site, because the traffic is now identified as the proxy application rather than as MySpace. How can you stop this? Create a new rule in the sensor to block the Proxy category.
Exercise 2: Limiting YouTube Traffic

1. On the Student FortiGate's GUI, go to Policy & Objects > Objects > Traffic Shapers and look at the YouTube_Shaper traffic shaper. Look closely at the maximum amount of allowed bandwidth.
2. Go to Security Profiles > Application Control > Application Sensor and edit the default profile. Add an Application Override for YouTube, set the action to Traffic Shaping and have it use YouTube_Shaper.
3. Clear the web browser cache and re-open the browser. Connect to the YouTube web site again and stream the same video that you did before. This will probably result in a much different experience.
Note: If your classroom is using a virtual lab, the underlying hardware is shared, so the amount of bandwidth available for Internet access varies with other simultaneous use. The traffic shaper is set to a very low value to make sure that the difference in behavior is easily noticeable. In real networks, this setting would be greater.
4. Check the traffic shaper monitor in Policy & Objects > Monitor > Traffic Shaper Monitor. In the upper right corner, change Report by to Current Bandwidth.
Note: Monitor statistics are current as of the time that you requested the GUI page, so make sure to view them while a video is downloading. The page does not constantly refresh, so to do this, click Refresh in the upper right.
Exercise 3: Fine Tuning Web Site Access

1. On the Win-Student computer, open a browser window. Go to:
http://translate.google.com
2. Go to Security Profiles > Application Control > Application Sensor and edit the default profile. Add an application override for Google.Translate. Set the action to Reset.
3. Refresh the Google Translate page. FortiGate should insert a replacement message from application control about the application being blocked.
4. Go to Security Profiles > Application Control > Application Sensor and edit the default profile. Disable replacement messages for HTTP-based applications, then click OK.
5. Refresh the Google Translate page. The browser should display an error message telling you that the connection was reset.
Note: Depending on which browser you use for the test, the wording and nature of the error will vary.
6. Open a browser window. Go to http://www.myspace.com. Since there is no longer an HTTP-based block message enabled, the two signatures behave differently based on their configured actions: Block drops the traffic silently, so the browser waits until it times out, whereas Reset sends a TCP reset, so the browser reports the failure immediately.
7. Go to Security Profiles > Application Control > Application Sensor and edit the default profile. Enable replacement messages for HTTP-based applications, then click OK.
8. Refresh both websites. This time, the browser should display a block message.
9. Access Google Translate over HTTPS: https://translate.google.com. This connection should succeed. For this signature to detect access over encrypted communications (HTTPS), SSL inspection must be enabled on the policy.
Appendix A: Additional Resources

Training Services: http://training.fortinet.com
Technical Documentation: http://help.fortinet.com
Knowledge Base: http://kb.fortinet.com
Forums: https://support.fortinet.com/forum
Customer Service & Support: https://support.fortinet.com
FortiGuard Threat Research & Response: http://www.fortiguard.com
Appendix B: Presentation Slides
Introduction to Fortinet UTM
In this lesson, we will show FortiGate administration basics. This includes how – and where – FortiGate fits into your existing network architecture.
After completing this lesson, you should have practical skills in FortiGate administration fundamentals, such as how to log in, make administrator accounts, configure basic network settings, and use your FortiGate’s GUI or CLI. You’ll also be able to set up FortiGate to act as your local network’s DNS or DHCP server. Lab exercises can help you to test and reinforce your skills.
(slide contains animation) A FortiGate is a “Unified Threat Management” device, but what exactly does this mean? Well, if we look at a typical network security solution, multiple single-purpose devices are used. Each performs a specific task. There is: (click)
• One device acting as the firewall
• Another device that scans for viruses
• Another device filtering email
• One device to optimize WAN usage
• Another device to filter web sites
• One device for application control
• One device for intrusion prevention
• Another device to provide VPN access
That is a lot of different devices. Most likely, they all have different vendors. All of this can introduce unwanted complexity, and many potential points of failure.
So how is FortiGate different? FortiGate provides a comprehensive approach to security. It even includes some basic accessory network services such as authentication and DHCP. All this and more is combined into a single device. That way, you can reconfigure your network and security deployment by simply accessing one device. Cabling and interfaces between 10 devices? Gone. And it’s all from a single vendor. Per-module licensing? Gone. If you’re familiar with Cisco ASA, you may even expect multiple management interfaces. This, too, is simpler on FortiGate. Regardless of whether you are building a VPN or applying antivirus, you can configure it all from one unified GUI or CLI. How can FortiGate do so many things? Shouldn’t separate functions be divided among different devices for performance reasons? In some cases, yes. A high load of one specific workload may be worth a dedicated device, and Fortinet offers several. But now you have the choice – you can specialize if your network requires it.
In this architecture diagram, you can see how FortiGate UTM platforms add strength without compromising on flexibility – they are still internally modular. Plus:
• Devices add duplication. Sometimes, dedication doesn’t mean efficiency. If it’s overloaded, can 1 device borrow free RAM on 9 others? Do you want to configure policies, logging, and routing on 10 separate devices? Does 10 times the duplication bring you 10 times the benefit? Or is it a hassle?
• FortiGate hardware isn’t just off-the-shelf. It’s carrier-grade. Underneath, most FortiGate models have 1 or more specialized circuits called ASICs that are engineered by Fortinet. For example, a CP or NP chip handles cryptography and packet forwarding more efficiently. Compared to a single-purpose device with only a CPU, FortiGate can have dramatically better performance. (The exception? Virtualization platforms – VMware, Citrix Xen, Microsoft, or Oracle VirtualBox – have general-purpose vCPUs. But virtualization might be worthwhile due to other benefits, such as distributed computing and cloud-based security.)
• FortiGate is flexible. If all you need is firewalling and antivirus, FortiGate won’t require you to waste CPU, RAM, and electricity on others. In each firewall policy, UTM modules can be enabled or disabled. You won’t pay more to add VPN seat licenses later, either. What requires a subscription? Only FortiGuard subscription services.
FortiGuard subscription services give your FortiGate access to 24x7 security updates powered by Fortinet’s researchers. Your FortiGate uses FortiGuard in 2 ways:
• By periodically requesting packages that contain a new engine and many signatures, or
• By querying the FDN on an individual URL or host name
Queries are real-time – that is, FortiGate asks the FDN every time it scans for spam or filtered web sites. Also, queries use UDP for transport – they are connectionless, and the protocol is designed for speed, not fault tolerance. So they require that your FortiGate have a reliable Internet connection. Downloaded packages like antivirus and IPS, however, aren’t that frequent. They use TCP for reliable transport, and their associated FortiGate features continue to function even if FortiGate does not have reliable Internet connectivity. Keep in mind, though, that you should still avoid interruptions. If your FortiGate must try repeatedly to download updates, it keeps scanning with the signatures it already has and can’t detect threats added since.
So now we’ve seen a simplified overview of the software architecture. What about the network architecture? Where does FortiGate fit in? When you deploy a FortiGate, you can choose on the dashboard between two modes: NAT or transparent.
• In NAT mode, FortiGate forwards packets based on Layer 3, like a router. Each of its logical network interfaces has an IP address.
• In transparent mode, FortiGate forwards packets at Layer 2, like a switch. So except for the management interface, its interfaces have no IP address.
Interfaces can be exceptions to the router vs. switch operation mode on an individual basis, however. We’ll show these later.
What does that mean for your traffic, in terms of the 7-layer OSI model? Which operation mode should you choose? NAT mode is the most common choice. In NAT mode, the destination address that clients see is the FortiGate’s address. Typically FortiGate rewrites the destination address and/or port number, and the source address, at the IP (network) layer into the server’s private network address before forwarding the packet – in other words, it applies NAT and port forwarding. Depending on your presentation and application layer protocols, it might also:
• Terminate SSL or TLS sessions so back-end servers don’t need to decrypt
• Modify the addresses in the application layer headers, such as “Host:” and “X-Forwarded-For:” in the HTTP header
So NAT mode works well for edge or gateway security, where you divide your private IPv4 network from an external network such as guest Wi-Fi or the Internet. In transparent mode, the destination address is the server’s address – not a FortiGate interface. As a result, it usually doesn’t need to rewrite encapsulated layers – with the exception of TCP SYN-related analysis. Only the MAC address in the frame is rewritten. So in complex IP environments such as MSSPs or mobile phone carriers, this simplifies deployment. Only the management interface needs an IP address. But because network-facing interfaces don’t have an IP address, you must verify that your topology doesn’t have any loops at Layer 2 – Ethernet.
NAT mode is the default operation mode. What are the other default settings? Once you’ve removed your FortiGate from its box, what do you do next? Let’s see how to set up a FortiGate. Attach your computer’s network cable to port1 or the internal switch ports (depending on your model) to begin setup. There is a DHCP server on that interface, so if your computer’s network settings have DHCP enabled, your computer should automatically get an IP, and you can begin setup quickly. Every FortiGate or FortiWifi device has these same default settings. (Note that FortiAP is not the same. It’s covered in a separate lesson.) To access the GUI on FortiGate or FortiWifi, open a web browser and go to http://192.168.1.99. Remember: The default login is publicly available knowledge. Never leave its default password blank! Your network is only as secure as your FortiGate’s “admin” account. Before you connect your FortiGate to your overall network, you should set a complex password. You should also restrict it so that FortiGate allows administrative connections only from your local console or management subnet.
What happens if you forget the password for your “admin” account, or a hostile employee changes it? This recovery method is on all FortiGate devices, and even some non-FortiGate devices like FortiMail. It’s a temporary account, only available through the local console port, and only after a hard reboot – disrupting power by unplugging or switching off the power, then restoring it. FortiGate must be physically shut off, then turned back on – not simply rebooted through the CLI. That’s the difference between a hard boot and a soft boot. Even then, the “maintainer” login will only be available for login for about 30 seconds after boot completes. If you can’t ensure physical security, or have compliance requirements, you can disable the “maintainer” account. Use caution: if you disable “maintainer” and then lose your “admin” password, you cannot recover access to your FortiGate.
All FortiGate models have a console port. This provides CLI access without a network.
• On older models, it’s a serial port. A standard null modem cable can be used to connect the serial port to your computer’s serial port.
• On newer models, it’s an RJ-45 port. Access it by connecting an RJ-45-to-serial cable from your computer’s serial port to the RJ-45 port on the FortiGate.
• In some newer models, the console port is a USB 2.0 port. In that case, you’ll plug in the USB cable, then open FortiExplorer.
Each device ships with its appropriate cable. Serial ports on computers are becoming less common. If your computer doesn’t have one, you can purchase a USB-to-serial adapter.
Most features are available in both the GUI and CLI. There are a few exceptions. Reports can’t be viewed in the CLI, for example, and diagnostic commands for power users are usually not in the GUI. What if you don’t want to use the GUI? There is also a CLI. As you become more familiar with FortiGate, and especially if you want to script its configuration, you may want to use it in addition. You can access the CLI via either the JavaScript widget in the GUI named “CLI Console,” or via a terminal emulator such as Tera Term (http://ttssh2.sourceforge.jp/index.html.en) or PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). Your terminal emulator can connect via the network – SSH or telnet – or the local console port. SNMP and some other administrative protocols are also supported, but they are not used for basic setup. Let’s focus on setup now.
As an alternative GUI during setup, you can plug in your smart phone, and use FortiExplorer. FortiExplorer isn’t a complete configuration tool for all devices. Its focus is deployment – configuring network addresses and routing. After that, your FortiGate can be integrated into the network, and you can continue by configuring firewall policies, security profiles and other features.
There are a few supported platforms for the FortiExplorer software. This is what FortiExplorer looks like when you are running it on a Windows laptop. On the left side, you can see that FortiExplorer can fully update device firmware and configure its network settings so that FortiGate is prepared for you to plug it into your network.
Whichever method you use, start by logging in as “admin”. Begin by creating accounts for other administrators. It’s not shown here, but alternatively, instead of creating accounts on FortiGate itself, you could configure FortiGate to query a remote authentication server. You could also require personal certificates, authenticated via your PKI certificate authority, instead of passwords. Choose strong, complex passwords. For example, you could use multiple interleaved words with varying capitalization, and randomly insert numbers and punctuation. Do not use short passwords, nor passwords that contain names, dates, or words that exist in any dictionary. These will be very weak against brute force attacks. To audit the strength of your passwords, use tools such as l0phtcrack (http://www.l0phtcrack.com/) or John the Ripper (http://www.openwall.com/john/). The risk of attackers brute forcing your firewall is especially high if you connect the management port to the Internet. In order to restrict access to specific features, you can assign permissions.
When assigning permissions in an access profile, you can specify read-and-write, read-only, or no access to each area. By default, there is a special profile named “super_admin”, which is used by the account named “admin”. It cannot be changed. It provides full access to everything, making the “admin” account similar to a root superuser account. “prof_admin” is another default profile. It also provides full access, but unlike “super_admin”, it only applies to its virtual domain – not the global settings of the FortiGate. Also, its permissions can be changed. You aren’t required to use a default profile. You could, for example, create a profile named “auditor_access” with read-only permissions. Restricting a person’s permissions to those necessary for his or her job is a good best practice, because even if that account is compromised, the compromise is not complete. To do this, create administrative access profiles, then select the appropriate profile when configuring an account.
What are the effects of access profiles? It’s actually more than just read or write access. Depending on the type of access profile that you assign, each administrator may not be able to access the entire FortiGate. For example, you could configure an account that can only view log messages. Administrators may not be able to access global settings outside their assigned virtual domain, either. (Virtual domains, by the way, are a way of subdividing the resources and configurations on a single FortiGate. VDOMs are shown in another lesson.) Administrators with a smaller scope of permissions cannot create, or even view, accounts with more permissions. So, for example, an administrator using the “prof_admin” or a custom profile cannot see – nor reset the password of – accounts that use the “super_admin” profile.
To further secure access to your network security, use two-factor authentication. Two-factor authentication just means that instead of only using one way to verify your identity – typically a password or personal certificate – you verify identity in two ways. In the example shown here, “two-factor” would mean a password plus a one-time password generated by a FortiToken. FortiToken 200 implements the OATH time-based one-time password (TOTP) algorithm: the token and FortiGate share a seed and derive the code from the current time, so the token’s clock must stay synchronized with FortiGate.
FortiToken is not the only option if you want to use two-factor authentication. Remember, “two-factor authentication” literally only means that you use two methods to verify the person’s identity. Alternatively, FortiGate can send an email to the administrator’s address, or send a text message. To be able to do this, you must first configure FortiGate with the settings of a mail server that it can use to send email, or an SMS server. The mail server can be configured under “System > Config > Messaging Servers” in the GUI, or in the CLI. SMS settings, however, are CLI-only.
Another way to secure your FortiGate is to define which hosts or subnets are trusted sources of login attempts. Define all three, for all accounts. (If you leave any IPv4 address as 0.0.0.0/0, this means to allow connections from any source IP – obviously not what you want.) Notice that each account can define its management host or subnet differently. This is especially useful if you will be setting up virtual domains on your FortiGate, where the VDOM’s administrators may not even belong to the same organization. Now try to access FortiGate’s GUI or CLI from an external IP. Does it work? No. Your web browser or terminal emulator won’t receive a response. Not even to a ping. Unless you connect from the network administrators’ subnet, FortiGate won’t allow you to even try to log in. So external brute force attempts never reach a login prompt, and neither does discovery by ICMP. This only holds when every account has trusted hosts; a single account left unrestricted is enough to expose the login prompt again, which is why the setting must be applied to all of them.
You may also want to customize the administrative protocols’ port numbers. You can also choose whether to allow concurrent sessions. This can be used to prevent accidentally overwriting settings if you usually keep multiple browser tabs open, or accidentally leave a CLI session open without saving the settings, then begin a GUI session and accidentally edit the same settings, for example.
We’ve defined the management subnet – that is, the trusted hosts – for each administrator account. How do you enable or disable management protocols? This is specific to each interface. For example, if your administrators connect to FortiGate only from port1, you should disable all administrative access on all other ports. This prevents brute force attempts, and also insecure access. For better security, it is always best to use only secure, encrypted methods of access. Some protocols – such as telnet, ICMP, HTTP, and SNMP version 1 – don’t have encryption or even authentication. So they should never be enabled on public, untrusted networks. IPv4 and IPv6 protocols are separate. It’s possible, for example, to have both IPv4 and IPv6 addresses on an interface, but only respond to pings on IPv6. However, IPv6 is hidden in the GUI by default. How do you show IPv6 settings?
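The checks in the last few slides (trusted hosts on every account, no cleartext or unauthenticated protocols in an interface’s administrative access list, the “maintainer” recovery account) can be applied to a configuration backup instead of by clicking through the GUI. The following is an added example written for this guide, not Fortinet code: a small parser for the FortiOS CLI configuration syntax (config/edit/set/unset/next/end) and an audit over the result. The configuration fragment is constructed, with names and addresses that are not from the lab; the setting names trusthost1…, allowaccess, accprofile and admin-maintainer are the FortiOS CLI names, and the rule that an account with no trusthost is unrestricted mirrors the 0.0.0.0/0 warning on the trusted-hosts slide.

```python
import shlex


def parse_fortios_config(text):
    """Parse a FortiOS CLI configuration dump.

    Returns {section: {entry: {setting: [values]}}}. Settings placed directly
    under a `config` block with no `edit` (for example `config system global`)
    are stored under the entry key None. A `config` block nested inside an
    `edit` is stored under the path "<section>/<entry>/<sub-block>".
    """
    sections = {}
    stack = []                      # saved (section, entry) for nested blocks
    section, entry = None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())   # handles the quoted names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append((section, entry))
            prefix = f"{section}/{entry}/" if entry is not None else ""
            section, entry = prefix + " ".join(args), None
            sections.setdefault(section, {})
        elif cmd == "edit":
            entry = args[0]
            sections[section].setdefault(entry, {})
        elif cmd == "set":
            sections[section].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "unset":
            sections[section].setdefault(entry, {}).pop(args[0], None)
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section, entry = stack.pop()
    return sections


# Protocols the lesson calls out as cleartext or unauthenticated.
INSECURE_ACCESS = {"telnet", "http", "ping"}


def audit_admin_access(cfg):
    """Return a list of findings against the admin-hardening advice in this lesson."""
    findings = []
    for name, settings in cfg.get("system admin", {}).items():
        hosts = [v for k, v in settings.items() if k.startswith("trusthost")]
        if not hosts:
            findings.append(f"admin {name}: no trusted hosts defined, so logins are accepted from any source")
        for host in hosts:
            if host[:2] == ["0.0.0.0", "0.0.0.0"]:
                findings.append(f"admin {name}: trusted host {' '.join(host)} allows any source IP")
    for name, settings in cfg.get("system interface", {}).items():
        insecure = sorted(INSECURE_ACCESS & set(settings.get("allowaccess", [])))
        if insecure:
            findings.append(f"interface {name}: insecure administrative protocols enabled: {', '.join(insecure)}")
    glob = cfg.get("system global", {}).get(None, {})
    if glob.get("admin-maintainer", ["enable"])[0] == "enable":   # enabled is the default
        findings.append("system global: the console 'maintainer' recovery account is enabled; "
                        "set admin-maintainer disable if physical access cannot be controlled")
    return findings


# Constructed configuration fragment in FortiOS CLI syntax, written for this
# example; the names and addresses are not taken from the lab topology.
SAMPLE_CONFIG = """
config system global
    set admin-sport 443
    set admin-maintainer enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 192.0.2.0 255.255.255.0
        set trusthost2 0.0.0.0 0.0.0.0
    next
    edit "auditor"
        set accprofile "auditor_access"
        set vdom "root"
    next
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "port2"
        set vdom "root"
        set ip 198.51.100.1 255.255.255.0
        set allowaccess https ssh
        set type physical
    next
end
"""

if __name__ == "__main__":
    for finding in audit_admin_access(parse_fortios_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run it against the output of a full configuration backup; because FortiOS omits settings that are still at their defaults, the parser treats a missing trusthost or admin-maintainer line as the (unrestricted, enabled) default rather than as a clean result.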
FortiGate has hundreds of features. If you do not use all of them, hiding the ones you do not use makes it easier to focus on your work. Hiding a feature in the GUI does not disable it. It is still functional, and can still be configured via the CLI. (In fact, many diagnostic features are only available in the CLI.) Some advanced or less commonly used features, such as IPv6, are hidden by default. There are two ways to show hidden features:
• Use the "Features" widget on the dashboard, or
• Go to "System > Config > Features".
The "Features" widget shows and hides features by bulk presets:
• NGFW shows the features for line-speed inspection, with no added latency. This hides all UTM options that could slow down traffic.
• ATP shows features for advanced threat protection, focused on protecting endpoint computers.
• WF shows features for web filtering.
• Full UTM is a preset that shows almost all UTM features.
Load balancing and a few other features are not enabled by any preset, though. So if the "Features" widget does not show the feature you are looking for, go to "System > Config > Features" instead.
Once you have administrator accounts, they can configure the network interfaces. Remember: when FortiGate is in NAT/route mode, every interface that handles traffic usually must have an IP address, so that packets sent or received on that interface have a source and destination at the IP layer. There are three ways to assign one:
• assign a static IP, or
• retrieve one automatically via DHCP, or
• retrieve one automatically via PPPoE.
As mentioned earlier, there are two less commonly used exceptions, "One-Arm Sniffer" and "Dedicate to FortiAP". These are not configured like an ordinary interface in NAT mode.
• "One-Arm Sniffer" puts the interface in promiscuous mode. As a result, FortiGate can inspect all traffic that arrives, regardless of each packet's destination address. So although FortiGate as a whole is in NAT mode and acts as a router, this specific interface does not: it receives traffic but cannot send. There are more considerations, which are covered in the IPS lesson.
• "Dedicate to FortiAP" creates both an access point controller and a DHCP server. Clients connecting to SSIDs managed through this interface receive an IP address from the pool on this interface.
Wireless clients are not the only ones that can use FortiGate as their DHCP server. Select the "Manual" addressing option, enter a static IP, then enable the DHCP server option. The options for the built-in DHCP server then appear.
For the built-in DHCP server, you can reserve specific IP addresses for devices with specific MAC addresses. Those devices always receive the same lease, as long as the pool is not exhausted by more devices than it has addresses for. A reservation matches on the client's MAC address, which any host can change, so it is a convenience for stable addressing, not an access control; do not write firewall policies that assume a reserved address proves a device's identity.
For detailed information about the MAC addresses and the corresponding IPs, you can look in the router subsection of the event log, or in the DHCP Monitor, which you can find in the System menu.
As with DHCP, you can also configure FortiGate to act as your local DNS server. A local DNS server can improve performance for FortiMail or other devices that make DNS queries frequently. If FortiGate offers DHCP to your local network, DHCP can be used to configure those hosts to use FortiGate itself as both the gateway and the DNS server. FortiGate can answer DNS queries in one of three ways:
• by relaying all queries, that is, acting as a DNS forwarder rather than a DNS server,
• by resolving queries from its own DNS database and relaying only the queries it cannot resolve to your ISP's DNS server, or
• by resolving queries from its own DNS database and returning a null response for anything it cannot resolve.
You can enable and configure DNS separately on each interface.
If you choose the DNS forwarding option, you can control DNS queries within your own network without having to setup a separate DNS server.
If you choose to have your DNS server resolve queries, or you choose a split DNS, you must set up a DNS database on your FortiGate. This defines the host names that FortiGate will resolve queries for. Use zone file syntax outlined by RFCs 1034 and 1035.
Lastly, before you can integrate FortiGate into your network, it must have a default gateway. If FortiGate gets its IP address dynamically, through DHCP or PPPoE, it also receives the default gateway. Otherwise you must configure a static route. Without one, FortiGate cannot respond to packets from outside the subnets directly attached to its own interfaces, probably cannot reach FortiGuard for updates, and may not route traffic properly. Routing details are covered in another lesson. For now, make sure that FortiGate has a route that matches all packets (destination 0.0.0.0/0) and forwards them through the network interface connected to the Internet, to the IP address of the next router. Routing completes the basic network settings required before you can configure firewall policies.
Now that FortiGate has basic network settings and administrator accounts, let's look at how to back up the configuration. You can encrypt configuration files with a password, if necessary. Besides keeping the configuration private, this has some effects you may not expect. Once encrypted, the configuration file cannot be decrypted without the password and a FortiGate of the same model and firmware. This means that if you send an encrypted configuration file to Fortinet Technical Support, even with the password, they cannot load your configuration until they have access to the same model of FortiGate, which can delay the resolution of your ticket. Even when the configuration is not encrypted as a whole, each password in it is stored in encrypted form individually. So in many cases, encrypting the entire configuration file may not be necessary. Treat an unencrypted backup as sensitive all the same: it describes your whole security posture (policies, trusted hosts, VPN settings), and the per-field encryption is designed so that a FortiGate can load the values back, so it should not be relied on as the only protection for the file.
If you open the configuration file in a text editor, you will see that both encrypted and unencrypted configuration files begin with a clear-text header containing basic information about the device; the diagram shows what it includes. To restore an encrypted configuration, you must upload it to the same model of FortiGate, running the same firmware version, and provide the password. To restore an unencrypted configuration file, you only need to match the model. If the firmware differs, FortiGate attempts to upgrade the configuration, similar to how it runs upgrade scripts on the existing configuration during a firmware upgrade. Usually the configuration file contains only non-default settings, plus a few default but crucial ones. This keeps the backup small; a full dump could otherwise be several MB in size. It also means that the absence of a setting in a backup indicates its default value, which matters when you audit a backup: an administrator account with no trusted hosts listed, for example, accepts logins from any source.
If you enable virtual domains, subdividing the resources and configuration of your FortiGate, each VDOM administrator can back up and restore their own configurations. You don’t have to back up the entire FortiGate configuration. VDOM details are discussed in a separate lesson.
Upgrading the firmware on a FortiGate is simple. The easiest method is to click the "Update" link on the "System Information" widget on the dashboard, then choose a firmware file that you have downloaded from support.fortinet.com. Before uploading, compare the file's checksum with the one published alongside the download, so that a corrupted or tampered image is caught before it is written to the device. If you want to make a "clean install" that overwrites both the existing firmware and its current configuration, you can do this from the local console CLI, in the boot loader menu, while FortiGate is rebooting. However, this is not the usual method.
You can also downgrade firmware. Since settings change in each firmware version, you should have a configuration file in the syntax of the firmware you are downgrading to. Remember to read the release notes. Sometimes a downgrade that preserves the configuration is not possible, such as when the OS changed from 32-bit to 64-bit; in that situation the only way to downgrade is to format the disk, then reinstall. Once you have determined that the downgrade is possible, verify everything again, then start the downgrade. After it completes, restore a configuration backup that is compatible with that version. Why should you keep emergency firmware and physical access? Old firmware versions do not know how to convert configurations from newer versions. Also, when upgrading along a path that the configuration translation scripts do not support, you might lose all settings except basic access settings such as administrator accounts and network interface IP addresses. Another rare but possible scenario is that the firmware image is corrupted during upload. For all of these reasons, you should always have local console access during an upgrade, in case of emergency. In practice, if you have read the release notes and have a reliable connection to the GUI or CLI, it is not usually needed.
Remember your initial setup via FortiExplorer? You can also use it to download firmware, then install it on your FortiGate.
To review, these are the topics that we just talked about. We showed how FortiGate can replace multiple single-purpose devices yet increase power efficiency and throughput. We explained the differences between FortiGuard services, and how those are part of the UTM architecture. We showed how to configure administrator accounts, permissions, and how to harden administrative access. We also explained how to choose the operation mode based upon the behavior you need for each network interface, how to configure the network settings, and finally how to back up the configuration and install firmware.
Logging & Monitoring
In this lesson, we will look at how to monitor your FortiGate, and how to log its system events and network traffic. Since you are implementing a security solution, it is important to know how to appropriately monitor the device’s operation. It is vital to have logging and monitoring configured properly and to know how to read the output. Otherwise if you encounter issues, you won’t have any messages from FortiGate to help you find out what is happening in your network.
By the end of this lesson, you will be able to:
• Describe log severity levels
• Identify where logs are stored
• Describe the different types of logs
• Understand log structure and behavior
• Configure log settings
• Understand the impact of logs on resources
• Describe how to view log messages, and finally
• Describe how to search and interpret log messages
The basic purpose of logs is to help you monitor your network traffic levels, track down problems, establish baselines and a lot more. Think of your own internal organization, where it is highly probable that more than one administrator has access to your FortiGate device. Since it is not practical to block other administrators from making changes to your FortiGate configuration, you can simply view the log files to find out what is happening on the device—including any changes that were made. Logs help provide you with the big picture so you can make adjustments to your network security, if necessary. Keep in mind that some organizations have legal requirements when it comes to logging, so it is important to be aware of your organization’s policies during configuration.
Each log entry includes a severity level. In order of increasing importance there are eight levels: debug, information, notice, warning, error, critical, alert, and emergency. Debug, the lowest level, puts additional diagnostic detail into the logs and is of little use unless you are actively investigating something; generating it puts more strain on the CPU and requires additional resources. Generally the lowest level you want to use is information. You and your organization's policies dictate what needs to be logged.
You can store logs in a variety of places, both on and off the device. Locally, FortiGate has memory, and many models have a built-in hard drive. Externally, you can send logs to syslog servers, to FortiCloud, or to a FortiAnalyzer. SNMP, which is also listed here, is not a log store; it lets an SNMP manager receive traps and poll the device, and is covered later in this lesson under monitoring.
As an external logging device for FortiGate, a FortiAnalyzer or FortiManager is simply an IP address that FortiGate can reach, so it can be placed on the same network as the FortiGate or elsewhere. However, a FortiGate can send logs to a FortiAnalyzer or FortiManager only once it is registered there; so long as the FortiGate is properly registered, the FortiAnalyzer or FortiManager accepts its incoming logs. Communication between them uses OFTP over SSL, so log messages are encrypted in transit and can safely cross an untrusted network.
So far, we have discussed FortiAnalyzer and FortiManager as interchangeable external logging devices. Configuring FortiGate to send logs to a FortiAnalyzer or a FortiManager is identical, since they share a common hardware and software platform, but the two have different capabilities that are worth noting. Both accept log entries, but a FortiManager's primary purpose is to centrally manage multiple FortiGate devices, so it has a flat limit on the volume of logs it can receive per day, regardless of model. A FortiAnalyzer's primary purpose is to store and analyze logs, so its limit is much higher (though model-dependent); even the smallest FortiAnalyzer handles more logs per day than any FortiManager. At the most basic level, though, what you can do with logs received on a FortiManager is no different from what you can do with logs on a FortiAnalyzer. FortiGate has two methods for transmitting log events: store-and-upload, and real time.
You can configure logging to either a FortiAnalyzer or FortiManager through the GUI or CLI. In the GUI, it is done under Log & Report > Log Config > Log Settings. Here, each device must be set up separately, one at a time. In the CLI, you can configure up to three separate FortiAnalyzer or FortiManager devices at the same time. The options in the GUI only relate to the ‘config log fortianalyzer setting’, not fortianalyzer2 or fortianalyzer3. You may need a setup like this for redundancy or for some other requirement. Keep in mind that generating logs requires resources, so the impact of sending logs to multiple locations ultimately depends on how many logs you are creating.
Another external logging option you can use is FortiCloud. FortiCloud is a subscription-based service, offered by Fortinet, that offers long term storage of logs as well as provides reporting functionality. It’s a similar idea to FortiAnalyzer, but more advantageous for smaller setups, where purchasing a dedicated logging appliance isn’t feasible. Every FortiGate comes with a free one month trial. You can activate your free trial from the GUI and link it to your FortiCare user and start sending logs. Be sure to read any documentation on the website if you are considering the subscription-based option.
On FortiGate, all logs are split into three log types: traffic logs, event logs, and security logs. Each type is further split into sub-types. Traffic logs have the sub-types Forward, Local, Invalid and Multicast. The Forward log records traffic accepted or rejected by a firewall policy. Local traffic is traffic to or from the FortiGate itself, including logins to the GUI and FortiGuard queries. Invalid packets are those discarded before they ever reach a firewall policy. Event logs have the sub-types System, User, Router, VPN, WanOpt & Cache, and WiFi. System events relate to system operations, such as automatic updates of the AV/IPS definitions and administrators logging into the GUI. User contains logon/logoff events for users hitting firewall policies. Router, VPN, WanOpt & Cache, and WiFi contain log entries for the corresponding feature; for example, Router contains BGP or RIP entries and VPN contains IPsec and SSL VPN entries. Finally, security logs contain entries per security profile type, for example Antivirus, Web Filter, and Intrusion Protection, to name a few. A security log sub-type only appears once logs have been created in it.
The Log & Report section of the FortiGate GUI includes the three log types: Traffic, Event, and (if configured) Security. The Traffic Log contains events about packets. The Event Log contains administrator or system activity events. The Security Log contains messages related to security profiles activated on firewall policies. By default, most security-related events appear in the Forward Traffic log, a sub-type of the Traffic Log. This is for performance: fewer log messages means less CPU work. The exceptions are DLP and intrusion scanning (IPS); those events always appear in the Security Log section.
To inspect your logs through the GUI, go to the Log & Report section and select the log type to view. In the upper right corner of the window, you can switch between viewing the logs from different locations if the FortiGate is set up to log to multiple locations. It is not recommended to configure your firewall to actively inspect traffic without creating a log entry about it.
This chart illustrates the expected behavior when you enable different logging options. The first column, Policy Log Setting, shows the log setting on the Firewall policy: No Log, Log Security Events, or Log all Sessions. The second column shows whether an Antivirus, Web Filter, or Email security profile is enabled or disabled. Remember, DLP and IPS profiles always generate logs in the Security Log section. The last column shows the behavior. If you enable any profiles on your policy and logging is not enabled, you will not get logs of any kind—even if the profile is configured to block the traffic. So if you apply a security profile, it’s important to remember to consider the logging setting.
When viewing the logs, you might encounter a high volume of log messages, depending on your configuration. This makes it difficult to locate a specific log or log type, especially during an investigation. To navigate the logs more efficiently, you can set up various filters. The more information you specify in the filter, the easier it is to find the precise log entry. Filters are configured for each column of data you choose to display. By default only a subset of the information appears in the log table, so configure the table columns for your own requirements.
Every log message you view has a standard layout comprised of two sections: a header and a body. The header contains the same information regardless of the log. The body, however, changes from one type of log message to another. This is because there is some data common to all logs, like a date and time, while other data is event dependent.
Let's take a closer look at the header, using this example of a raw log entry. While the output is not as structured as it appears in the GUI, a raw log line contains the same information. In the header, aside from the date, time, and log ID attributes, you can see that the log type is UTM, the sub-type is DLP, and the severity level is Warning. The attributes in the header (such as log type and sub-type) are common to every log, but their values differ; for example, a header can carry a log type of Event and a sub-type of System instead of what you see above. Accordingly, the header of a log directly determines which fields appear in the body. Note that if you log to a third-party device such as a syslog server, you need to know these fields to build filters that find what you need. A reference listing all log messages and their layouts is available from the Fortinet documentation site at http://docs.fortinet.com .
Now let's take a closer look at the body of a log. The body provides the specifics of the log message and helps you understand what actually happened. In the log above, the status attribute shows the action FortiGate took when it encountered the traffic. Here the status is Deny, which means FortiGate prevented this particular traffic from passing. The policyid field tells you which firewall policy this traffic matched, that is, which rule was applied.
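To make the header/body split, the severity ordering (the eight levels from emergency down to debug introduced earlier in this lesson) and the kind of filtering described above concrete, here is an added example in Python; it is not code from this guide or from Fortinet. It works on constructed sample lines in the space-separated key=value layout FortiGate writes (the log IDs, addresses and messages are invented for the example, not copied from a device), splits each line into header and body, filters by minimum severity and by body fields, and pulls out failed administrator logins, the events the Monitoring part of this lesson is most concerned with.

```python
"""Parse raw FortiGate log lines and filter them by header and body fields.

Added example, not code from the FortiGate Student Guide. FortiGate writes
each log message as key=value pairs separated by spaces; values containing
spaces are wrapped in double quotes. The header fields (date, time, logid,
type, subtype, level) are present in every message; the remaining fields
form the body and vary by log type. The sample lines below are constructed
for this example and are not copied from a device.
"""
import re

# Constructed sample lines (one UTM/DLP block, one denied forward session,
# one successful and one failed administrator login).
SAMPLE_LOGS = """\
date=2015-04-30 time=10:15:02 logid=0954024576 type=utm subtype=dlp level=warning vd="root" srcip=10.0.1.25 dstip=203.0.113.10 action="block" filtertype="file-type" policyid=7 msg="file type matched"
date=2015-04-30 time=10:15:09 logid=0000000013 type=traffic subtype=forward level=notice vd="root" srcip=10.0.1.25 dstip=198.51.100.8 dstport=23 proto=6 action="deny" policyid=0 msg="no matching policy"
date=2015-04-30 time=10:16:41 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui="https(10.0.1.40)" action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.1.40)"
date=2015-04-30 time=10:17:03 logid=0100032002 type=event subtype=system level=alert vd="root" user="admin" ui="ssh(203.0.113.77)" action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from ssh(203.0.113.77) because of invalid password"
"""

HEADER_FIELDS = ("date", "time", "logid", "type", "subtype", "level")

# The eight FortiOS severities, most severe first (lower index = more severe).
SEVERITY = ("emergency", "alert", "critical", "error",
            "warning", "notice", "information", "debug")

# One key=value pair; a quoted value may contain spaces and '=' characters.
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Split one raw log line into (header, body) dicts of string values."""
    fields = {k: v.strip('"') for k, v in _PAIR.findall(line)}
    header = {k: fields.pop(k) for k in HEADER_FIELDS if k in fields}
    return header, fields


def parse_logs(text):
    """Parse every non-empty line of a raw log dump."""
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def at_least(level, minimum):
    """True when `level` is as severe as, or more severe than, `minimum`."""
    return SEVERITY.index(level) <= SEVERITY.index(minimum)


def select(logs, min_level="information", **body_match):
    """Messages at or above min_level whose body fields equal the given values."""
    out = []
    for header, body in logs:
        if not at_least(header["level"], min_level):
            continue
        if all(body.get(k) == v for k, v in body_match.items()):
            out.append((header, body))
    return out


def failed_admin_logins(logs):
    """(user, source, reason) for every failed administrator login event."""
    return [(b.get("user"), b.get("ui"), b.get("reason"))
            for h, b in logs
            if h["type"] == "event" and h["subtype"] == "system"
            and b.get("action") == "login" and b.get("status") == "failed"]


if __name__ == "__main__":
    logs = parse_logs(SAMPLE_LOGS)
    for header, body in select(logs, "warning"):
        print(header["logid"], header["type"], header["subtype"], header["level"], body.get("msg"))
    for user, source, reason in failed_admin_logins(logs):
        print(f"failed admin login: user={user} from={source} reason={reason}")
```

The same parser works on a file exported from the GUI or on lines received by a syslog server, which is the case the note above is about: once the header fields are separated out, a filter on type, subtype and a minimum level is the same query whether the logs sit on the FortiGate, a FortiAnalyzer or a third-party collector.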
Rather than look at raw logs or logs through the GUI, you can also display log messages from the CLI. This allows you to set up a number of filters on the logs that display and capture the output to a file and send it via the options you specify, such as FTP.
Monitoring your logs is critical, as it allows you to review the progress of an attack, whether afterwards or while in progress, and address the issue quickly. How the attack unfolds may reveal weaknesses in your preparations. There are three ways you can monitor logs: Alert Emails, Alert Message Console, and SNMP.
Since you cannot always be physically at the device, you can monitor logs by setting up alert emails. Alert emails are set up much like any log destination: first you decide what goes into them (a filter), then where they go.
In order to set up an alert email, the first thing you need to do is configure an SMTP server to allow for communication between the server and the FortiGate device. This can only be done in the CLI. This allows you to configure your alert email settings in the GUI through the Log & Report > Log Config > Alert E-mail menu. Without configuring an SMTP server that will receive the email, the alert email option does not appear in the GUI.
Another log monitoring option is the alert message console. The Alert Message Console is a GUI widget that you can enable on the System dashboard. Here, instead of the alerts being emailed to administrators like in Alert emails, they appear directly in the widget on the System page when you log in to the FortiGate. You can configure the widget to set up the events you want to appear as alerts, the number of alerts, and even the name of the widget itself. For example, you can have multiple alert widgets on the dashboard with different names all displaying different types of alerts. Once an alert appears in the Alert Message Console it remains until acknowledged. Once you confirm the event did not impact anything, you acknowledge it, and it is removed from your list — it no longer appears as something that requires further attention.
Another method of monitoring logs is through an SNMP manager. To use this method, you need the Management Information Base (MIB) files. A MIB is a text file that describes the SNMP data objects used by the SNMP manager. These MIBs provide the information the SNMP manager needs to interpret the trap, event, and query messages sent by the FortiGate SNMP agent. They can be loaded into any SNMP software so that you can set up automatic queries to the device to discover its operational status: CPU and memory levels, the cause of the last spam detection, and more. FortiGate supports SNMP v1, v2c and v3. You can obtain the MIB files either from the Support website or directly from the FortiGate GUI through the System > Config > SNMP menu.
Setting up the necessary SNMP options is fairly straightforward from the GUI. Simply enable and define the service as you would for any other SNMP-monitored device, then enable your protocol options and methods of monitoring. What can be monitored is the same with all three versions. SNMP v1 and v2c authenticate with a community string sent in clear text, so anyone who can sniff the traffic can read and reuse it. SNMP v3 adds per-user authentication and encryption of the traffic, so use v3 with both authentication and privacy enabled wherever the manager supports it, and in any case limit SNMP access to the trusted management hosts.
In the GUI, under Log & Report > Log Config > Log Settings, you can enable the different locations for log storage. You can also configure which kinds of traffic appear in the Local traffic log. Finally, you can configure the GUI preferences. Resolving IPs to host names requires FortiGate to perform DNS lookups for all the IPs; if your DNS is not working or is slow, this affects your ability to look through the logs, as the requests time out.
Using the CLI to configure log settings provides you with more flexibility and options than the GUI. From the CLI, you can configure up to three separate FortiAnalyzers and Syslog servers, options not available in the GUI. There is also the ability to set up logging to Webtrends, a 3rd party service. The information you require for configuring the log settings is dependent on the logging option you configure: disk, FortiAnalyzer, FortiGuard, memory, Syslog, or Webtrends.
Firewall policies also have logging options you can configure. The policy setting determines if and when a log message is generated for traffic passing through a particular firewall policy. The settings under Log Settings in the GUI and the ‘config log’ command in the CLI determine where the FortiGate stores the log messages it creates.
It is important to remember that creating logs is not "free"; it weighs on your system. The more logs that are generated, the heavier the toll on CPU and memory. Storing logs for a period of time also requires disk space, as does accessing them. So before configuring logging, make sure it is worth the extra resources and that your system can handle the influx. Also note the logging behavior with UTM profiles: they create log events when traffic is detected. Depending on your traffic volume and the logging settings enabled, traffic logs can easily grow into a problem that impacts firewall performance. There is a CLI option under config log setting, set brief-traffic-format enable, that removes some of the fields stored in each traffic log and so frees up resources on the firewall. Weigh that against what you lose: the omitted fields may be exactly what an investigation needs later.
In configuring the Event log settings, remember that Event logs are not caused by traffic passing through firewall policies. For example, VPNs going up and down or routing protocol activity are not caused by traffic passing through a firewall policy. One exception might be the user log. This does not record information about traffic through firewall policies directly, but it does record user logon/logoff events on traffic that passes through policies. Event logs provide all of the system information generated by the FortiGate device, such as administrator logins, configuration changes made by administrators, user activity, and daily operations of the device. So what you enable depends on what features you are implementing and what information you need to get out of the logs. You can enable what events you want to log through the Log & Report > Log Config > Log Settings menu.
There is also a daily log monitor section. This displays the number of logs generated over time as well as the log type. This allows you to see where your FortiGate device is using most of its resources and if any trends are occurring. You can drill down through these logs and obtain further information by clicking any of the days.
Each function of the FortiGate device has an equivalent “Monitor” menu item in the GUI. This allows you to take a view, at any given moment, how the feature is performing. The Security functions have a monitor option like the rest, but you need to enable it from the CLI before it appears. With a lot of security activity this could impact your CPU, so it’s disabled by default.
One example of a GUI monitor is the Security Profiles monitor, found in the GUI under Security Profiles > Monitor. It has sub-sections for each security feature to highlight recent activity, such as AV Monitor, Web Monitor, and Application Monitor to name a few. This gives you a snapshot of what is happening with that particular option. Almost every menu has this option.
Another means of monitoring is through the widgets on the status page. Many can be customized to show the same type of information in multiple ways. If you click the pencil icon in the upper right corner of the widget, you can configure any of the available settings for that widget. You can add some widgets to the same dashboard multiple times, with each instance displaying different information.
By default, there are a number of different dashboards available. Each one has a different name with a different collection of widgets to provide different types of information. Each user has their own dashboard setup and layout, so if one user deletes a dashboard and rearranges the widgets on the Status page, it will not impact any of the other users. You can alter a user’s permissions to not allow them to make changes to their dashboard and use this to restrict their access.
One other area you may want to monitor, purely for diagnostics, is the crash logs, available through the CLI. The FortiGate is like a computer, with different processes that handle different things, like DHCP or web filtering for example. Any time a process is closed for any reason, the crash log records this as a crash. If there is an abnormal termination of a process, you can look at the crash logs and find out the conditions that caused it. A normal and fairly common thing to see in the crash log is an entry for Scanunitd, which is the process responsible for virus scanning. Any time the definitions package is updated, that process needs to close down in order to apply the new package. This is a normal shutdown and appears with a status of zero, which indicates a normal shutdown with no abnormalities.
In this lesson, we covered log severity levels; storage locations; log types and subtypes; log structure and behavior; log settings; viewing logs messages; and monitoring, reading, and interpreting log messages.
Firewall Policies
In this lesson, we will show you how to pass traffic through FortiGate, and explain how that works. At its core, FortiGate is a firewall, so almost everything that it does to your traffic is linked into your firewall rules.
After this lesson, you should be able to properly identify the different components used in a firewall policy. You’ll be able to configure firewall policies and arrange them to correctly match traffic.
You’ll also be able to apply UTM and other features through the firewall policy, test your policies, and monitor traffic passing through them.
To begin, let’s talk about what firewall policies are. Firewall policies define which traffic matches, and what FortiGate will do if it does. Should the traffic be allowed? This is decided first based on simple criteria such as the source. Then, if the policy itself does not block the traffic, FortiGate begins more computationally expensive UTM inspection, such as application control and web-filtering, if you’ve chosen it in the policy. Those scans could block the traffic if, for example, it contains a virus. Otherwise, the traffic is allowed. Will NAT be applied? Authentication required? Firewall policies also determine that. Once processing is finished, FortiGate forwards the packet towards its destination.
When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which you can define using objects:
• Ingress and egress interfaces
• Source and destination, by IP address, device ID, or user
• Network service(s) (that is, IP protocol and port number)
• Schedule
Once FortiGate finds a matching policy, it applies its settings for packet processing. Is antivirus scanning applied? Will source NAT be applied? For example, if you want to block incoming FTP to all but a few FTP servers, you would define the addresses of your FTP servers, select those as the destination, and select FTP as the service. You probably wouldn’t specify a source (often any location on the Internet is allowed) nor a schedule (usually FTP servers are always available, day or night). Finally, you would set the Action setting to Accept. This might be enough, but often, you’ll want more thorough security. Here, the policy also authenticates the user, scans for viruses, limits the bandwidth consumption, and logs blocked connection attempts.
Firewall policies appear in an organized list. It’s either organized into a section view, or a global view. Usually, it will appear in section view. Each section contains policies for that ingress-egress pair. Alternatively, you can choose to view your policies as a single comprehensive list, by selecting Global View at the top of the page. Policy sequence numbers define the order in which rules are processed. Policy IDs are identifiers. By default, sequence numbers are displayed on the GUI. CLI commands, however, use the policy ID: edit . This may confuse the administrator into modifying the wrong policy. To avoid such errors, add the policy ID to the GUI using the column settings.
In some cases, you won’t have a choice of which view, though. If you use multiple source/destination interfaces or the ‘any’ interface, policies cannot be separated into sections by interface pairs – some would be triplets or more. So instead, policies are then always displayed in a single list. It is ordered primarily by the policy sequence number. To help you remember the use of each interface, you can give them aliases. For example, you could call port1 “WAN.” This can help to make your list of policies easier to comprehend.
Remember that we mentioned that only the “first” matching policy applies? Moving your policies into the correct position is important. It affects which traffic is blocked or allowed. In the applicable interface pair’s section, FortiGate will look for a matching policy, beginning at the top. So usually, you should put more specific policies at the top. Otherwise, more general policies will match the traffic first, and your more granular policies will never be applied. Here, we’re moving a policy that only matches Windows SMB traffic above the more general “accept everything from everywhere” policy. Otherwise, FortiGate would always apply the first matching policy – the “accept everything” policy – and never reach the “block SMB” policy. How does FortiGate determine if a packet matches a policy? Let’s look at that next.
Each policy matches traffic and applies security by referring to objects such as addresses and profiles that you’ve defined. What about other firewall policy types? Do IPv6 policies exist? Yes. And they use slightly different objects that are relevant to their type. In this lesson, we’re discussing IPv4 firewall policies and SSL/SSH inspection. They are the most common use case.
To begin describing how FortiGate finds a policy for each packet, let’s start with the interface pairs. We showed them in section view. Packets arrive on an ingress interface; routing determines the egress. Both interfaces must match the policy’s interface criteria in order for it to be a successful match. In each policy, you must select both a source and a destination interface, even if it is ‘any’. So if a packet arrives on port4, but you only have policies between port1 (WAN) ingress and port2 (DMZ), for example, the packet would not match your policies and would therefore be dropped by the implicit deny policy at the end of the list, even if the packet did match an egress interface of ‘any’. Interfaces may be grouped into logical zones. For example, you could group port7 to port10 as a LAN zone. This generally simplifies policy configuration, except that an interface in a zone cannot be referenced individually. So if you must subdivide a zone, don’t. Instead, select multiple source and destination interfaces in the firewall policy.
The next match criterion that FortiGate will consider is the packet’s source. In each firewall policy, you therefore must select a source address object. Optionally, you can refine your definition of the source by also selecting a user, group and/or a specific device. If your organization allows BYOD (that is, Bring Your Own Device), then a combination of all three provides a much more granular match. In earlier releases of FortiOS 5, sub-policies were used for authentication (also called identity) and device identification. Also, it was either-or: you could not use both types in the same rule. In 5.2, you can now use both user and device definitions together, in the same firewall policy.
Using Source Device Type causes the FortiGate to enable device identification on the source interface(s) of that policy.
There are two device identification techniques: agentless and agent-based.
• Agentless uses traffic from the device: the MAC address OUI, TCP fingerprint, and HTTP “User-Agent:” header. Devices are indexed by their MAC address.
• Agent-based uses FortiClient. FortiClient sends information to FortiGate, and the device is tracked by its FortiClient UID.
Device Definitions shows the list of detected devices. You can also define static entries. Detected devices are saved to the FortiGate’s flash. Therefore on restart, the FortiGate knows the devices already identified, and does not have to re-categorize each device. The user displayed in the device information is just a tag; it cannot be used as a means of identity for an authentication policy.
The CLI command ‘diag user device list’ shows a more detailed listing than User & Devices > Device > Device Definitions, including the detection method.
FortiClient devices have a unique id which can be used as an index for the device. This is instead of the MAC address, which may be problematic when a device has multiple MAC addresses (such as servers or virtual machines), or where there is no Layer 2 visibility of that device.
FortiGate can control FortiClient settings via the profile and registration.
License Information on the FortiGate GUI dashboard shows the registered devices. Windows and Mac FortiClient installers are also available from this dashboard widget.
Once a FortiClient registers itself with a FortiGate, you’ll be able to see its UID on the endpoint control device list.
You may configure the default FortiClient profile or add additional profiles. New profiles applied to devices or users override the default.
Once you’ve configured the settings, FortiGate will send them back to FortiClient.
FortiClient is the agent-based approach for source device type.
To reduce the total number of firewall policies in RAM, and simplify administration, you can group service and address objects, then reference that group in the firewall policy, instead of selecting multiple objects each time or making multiple policies. You can also group virtual IPs.
Here, all three source selectors identify the user group, device type, and specific subnet. This would not have been possible in previous firmware versions. Remember, user and device are optional objects. They are used here so that the policy is more specific. If you wanted the policy to match more traffic, you could leave them undefined.
In earlier releases of FortiOS 5, if traffic matched an identity sub-policy, by default, FortiGate simply blocked traffic that failed authentication. It would not ‘fall through’ to try the next authentication rule unless you had explicitly enabled the option “fall-through-unauthenticated”. But in this release, FortiGate uses the fall-through behavior by default.
Like the packet’s source, FortiGate also checks the destination address for a match. Address objects may be a host name, IP subnet or range. If you enter an FQDN as the address object, make sure that you’ve configured your FortiGate with DNS settings. FortiGate uses DNS to resolve those host names to IP addresses, which are what actually appear in the IP header. Geographic addresses, which are groups or ranges of addresses allocated to a country, may be selected instead. These objects are updated via FortiGuard.
Schedules add a time element to the policy. For example, a policy allowing backup software may activate at night, or a remote address may be allowed for testing purposes and a schedule provides a test window.
Another criterion that FortiGate uses to match policies is the packet’s service. At the IP layer, protocol numbers (for TCP, UDP, SCTP, etc.) and source and destination ports together define each network service. Generally, only a destination port (that is, the server’s “listening port”) is defined. Some legacy applications may use a specific source port, but in most modern applications, the source port is randomly determined at transmission time, and therefore is not a reliable way to define the service. For example, the predefined service object named HTTP is TCP destination port 80; HTTPS is TCP destination port 443. However, the source ports are ephemeral, and therefore not defined.
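The match criteria and first-match ordering described above (interface pair, source, destination, service, schedule, and the implicit deny at the end of the list), as an added Python model that is not FortiOS code: the policies, interface names and addresses are constructed, and find_shadowed flags a policy that an earlier, broader policy will always match first, which is the ordering mistake in the SMB example.

```python
"""First-match firewall policy lookup, added here as an illustration.

This is not FortiOS code: it models the match criteria described above
(ingress/egress interface or 'any', source and destination address, service
as protocol plus destination port, schedule), the first-match rule, and the
implicit deny that catches packets no policy matches. Policies, interface
names and addresses are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

IMPLICIT_DENY = 0          # constructed marker for "no policy matched"
ANY = ("any", 0)           # constructed stand-in for the ALL service object


@dataclass(frozen=True)
class Packet:
    ingress: str           # interface the packet arrived on
    egress: str            # interface chosen by the routing lookup
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int             # only the server's listening port is matched
    hour: int = 12         # hour of day, checked against the schedule


@dataclass
class Policy:
    policy_id: int         # the ID used by 'edit <id>' in the CLI
    srcintf: str
    dstintf: str
    srcaddr: str           # CIDR; "0.0.0.0/0" stands for the 'all' object
    dstaddr: str
    services: List[Tuple[str, int]]
    action: str            # "accept" or "deny"
    schedule: Tuple[int, int] = (0, 24)   # hours [start, end); 'always' by default

    def matches(self, p: Packet) -> bool:
        # Both interfaces must match; 'any' is a wildcard on either side.
        if self.srcintf not in ("any", p.ingress) or self.dstintf not in ("any", p.egress):
            return False
        if ip_address(p.src) not in ip_network(self.srcaddr):
            return False
        if ip_address(p.dst) not in ip_network(self.dstaddr):
            return False
        if not self.schedule[0] <= p.hour < self.schedule[1]:
            return False
        return ANY in self.services or (p.proto, p.dport) in self.services


def lookup(policies: List[Policy], pkt: Packet) -> Tuple[int, str]:
    """Return (policy_id, action) of the first matching policy in list (sequence)
    order, or (IMPLICIT_DENY, "deny") when the packet reaches the end of the list."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.policy_id, pol.action
    return IMPLICIT_DENY, "deny"


def _covers(broad: Policy, narrow: Policy) -> bool:
    """True when every packet that matches `narrow` also matches `broad`."""
    if broad.srcintf not in ("any", narrow.srcintf) or broad.dstintf not in ("any", narrow.dstintf):
        return False
    if not ip_network(narrow.srcaddr).subnet_of(ip_network(broad.srcaddr)):
        return False
    if not ip_network(narrow.dstaddr).subnet_of(ip_network(broad.dstaddr)):
        return False
    if not (broad.schedule[0] <= narrow.schedule[0] and narrow.schedule[1] <= broad.schedule[1]):
        return False
    return ANY in broad.services or set(narrow.services) <= set(broad.services)


def find_shadowed(policies: List[Policy]) -> List[int]:
    """IDs of policies that can never be reached because an earlier policy in the
    sequence already matches everything they would match."""
    return [pol.policy_id for i, pol in enumerate(policies)
            if any(_covers(earlier, pol) for earlier in policies[:i])]


# Constructed policies. Note that the ID is not the sequence: list order is the sequence.
ACCEPT_ALL = Policy(1, "port1", "port2", "0.0.0.0/0", "0.0.0.0/0", [ANY], "accept")
BLOCK_SMB = Policy(2, "port1", "port2", "10.0.1.0/24", "0.0.0.0/0", [("tcp", 445)], "deny")

if __name__ == "__main__":
    smb = Packet("port1", "port2", "10.0.1.10", "10.200.1.254", "tcp", 445)
    print("block-SMB first :", lookup([BLOCK_SMB, ACCEPT_ALL], smb))
    print("accept-all first:", lookup([ACCEPT_ALL, BLOCK_SMB], smb))
    print("shadowed policies:", find_shadowed([ACCEPT_ALL, BLOCK_SMB]))
```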
We’ve just shown several component objects that can be re-used as you make policies. What if you want to delete an object? If it’s being used, you can’t. First, you must reconfigure the objects that are currently using it. The GUI provides a simple way to find out where in the FortiGate’s configuration an object is being referenced. See the numbers in the Ref. column? They are the number of places where that object is being used. The number is actually a link, so if you click it, you can see which objects use it.
We’ve just shown how policies are matched. Let’s look a little beyond that now, to slightly before policies, and to the scans they can use, as well as packet egress. What happens when a packet first arrives on a FortiGate network interface? Step 1 is packet ingress.
• If a Denial of Service sensor is selected in the policy, it takes effect. Because it’s applied so early, DoS packets don’t receive other scans, and therefore don’t consume unnecessary CPU or RAM.
• At the IP layer, the packet’s CRC is checked for a match with the CRC in the header to make sure that the packet wasn’t corrupted in transmission.
• IPSec session-related packets are sent to either the kernel or hardware for payload decryption.
• Destination NAT is applied before routing.
• If this is a new session, or routing information has changed, FortiGate will make a routing lookup.
Step 2 is stateful inspection.
• Is this traffic destined for the FortiGate itself, such as the administrative GUI, SSL VPN, authentication, DNS queries, or FortiGuard?
• Is this traffic that should be forwarded by a policy’s established session, or that should be checked for a policy match?
• Does the traffic require a session helper to open dynamic ports, rewrite addresses in application layer headers, etc.?
Step 3 is content inspection. FortiGate applies the security profiles that you selected in the policy here. There are two main types of content inspection:
• Flow-based
• Proxy-based
The order of inspection is important. The next step applies only if traffic is not blocked by the previous step.
Step 4 is packet egress.
• Should FortiGate route the packet to an IPsec VPN virtual interface, before it is rerouted to a physical interface?
• Should FortiGate apply source NAT?
• Which interface should the packet depart from?
If you enable session starts, FortiGate will create a traffic log when the session begins. But remember that increasing logging decreases performance. So use it only where necessary. Once a firewall policy closes an IP session, if you have enabled logging in the policy, FortiGate will generate traffic logs. During the session, if a security profile detects a violation, FortiGate will record the attack log immediately. To reduce the amount of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This option is in the CLI, and is called ‘ses-denied-traffic’. If the GUI option session starts is not displayed, your FortiGate device does not have internal storage. This option is in the CLI, regardless of internal storage, and is called ‘set logtraffic-start enable’.
Once the first packet – assuming it is not dropped – establishes an IP session, FortiGate enters it in its session table. If subsequent packets are received before the session times out, a hash lookup finds the applicable policy, and with it the scans or NAT that FortiGate should apply to the incoming packets. You can use the monitor section in order to determine how much traffic is matching each firewall policy.
The session table can also be viewed from the CLI. Firewall performance of connections per session and maximum number of connections are indicated by the session table. But keep in mind that if your FortiGate contains FortiASIC NP chips designed to accelerate processing without loading the CPU, this may not be completely accurate. The session table reflects what is known to and processed by the CPU.
Since the session table has a finite amount of RAM that it can use on your FortiGate, adjusting the session time to live (TTL) can improve performance. There are global default timers, session state timers, and timers configurable in firewall objects.
In this example, you can see the session TTL, which reflects how long FortiGate can receive no packets until it will remove the session from its table. Proto_state for TCP is taken from its state machine, which we’ll talk about next. Traffic shaping manages your bandwidth. Traffic counters are the overall counters for the session, and determine how much data was sent and received. NAT actions are also tracked.
In the previous slide, remember that the session table contained a number that indicated the connection’s current TCP state. These are the states of the TCP state machine. They are single digit values, but proto_state is always shown as two digits. This is because when proxy-based inspection is used, which is discussed later, two connections are established with the proxy: one to the client, and one to the server. If there are too many connections in the SYN state for long periods of time, this indicates a SYN flood, which you can mitigate with DoS policies. UDP is a stateless protocol. So it doesn’t technically have states like TCP. However, the session table does use the state column to track unidirectional UDP as state 0, and bidirectional UDP as state 1.
Before looking at the session table, first build a filter. To look at our test connection you can filter on ‘dst’ 10.200.1.254 and ‘dport’ 80.
Here is the corresponding session table entry, showing the routing and NAT actions that apply to the traffic.
In addition to security scans, firewall policies also determine what network address translation (NAT) or port address translation (PAT) to apply to each packet. NAT and PAT, also known together as NAPT, translate internal, typically private, IP addresses to external, typically public or Internet, IP addresses. In FortiOS, NAT and traffic forwarding are configured in the same firewall policy. However, diagnostics clearly show NAT and forwarding as separate actions. The NAT option in a firewall policy, and IP Pools, are source NAT settings and objects. Virtual IPs are destination NAT objects.
The default source NAT option uses the egress interface address. This is a many-to-one NAT. In other words, port address translation is used and connections are tracked using the original source address and source port combination, and the allocated source port. This is the same behavior as the overload IP Pool type, discussed later. Optionally, you may select fixed port, in which case source port translation is disabled. With fixed port, if two or more connections require the same source port for a single IP address, only one connection can be established.
If you use an IP pool, the source address is translated to an address from that pool rather than the egress interface address. The larger the number of addresses in the pool, the greater the number of connections that can be supported. The default IP pool type is overload, where there is a many-to-one/few relationship and port translation is used.
One-to-one differs in the sense that there is a single mapping of an internal address to external address. Port address translation is not required in this case. See the circled example showing the same source ports on ingress and egress? Mappings are not fixed. They are allocated on a first-come first-serve basis. If there are no more addresses available, a connection will be refused as shown in the debug flow.
This example uses a fixed port range IP pool. The internal address range 10.0.1.10-10.0.1.11 maps to the external address range 10.200.1.7-10.200.1.8. This configuration provides an explicit relationship between internal and external ranges, and disables port address translation.
These two CLI outputs illustrate the behavior difference between the port block allocation type, and the default overload type. Using hping, a rogue client generates many SYN packets per second. In the first example, the port block allocation type limits the client to 64 connections for that IP pool. Other users will not be impacted by the rogue client. In the second example, the overload type imposes no limits, and the rogue client uses many more connections in the session table. Other users will now be impacted.
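The four IP pool behaviours described above (overload, one-to-one, fixed port range and port block allocation), as an added Python model that is not FortiOS code; the block size of 64, the port range and all addresses are constructed for the example, and flood() stands in for the rogue client's SYN flood so that the limits of each pool type can be compared.

```python
"""Source NAT allocation behaviours, added here as an illustration (not FortiOS code).

Models the four IP pool behaviours described above against the same constructed
inputs: overload (shared addresses, PAT), one-to-one (no PAT, first come first
served, refused when exhausted), fixed port range (explicit address mapping, no
PAT) and port block allocation (each client confined to a block of ports). The
block size of 64, the port range and all addresses are constructed for the example.
"""
from ipaddress import ip_address
from typing import Dict, List, Tuple

Flow = Tuple[str, int]       # (internal source ip, internal source port)
Mapping = Tuple[str, int]    # (external source ip, external source port)


class PoolExhausted(Exception):
    """No translation could be allocated: the connection is refused."""


def _span(first: str, last: str) -> List[str]:
    """Expand an inclusive address range such as 10.200.1.7-10.200.1.8."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return [str(ip_address(n)) for n in range(lo, hi + 1)]


class OverloadPool:
    """Many-to-one/few: every client shares the pool and PAT takes the next free
    port, so nothing stops one client from consuming ports that others need."""
    def __init__(self, first: str, last: str, ports: Tuple[int, int] = (1024, 65535)):
        self.addrs, self.ports = _span(first, last), ports
        self.used: Dict[Mapping, Flow] = {}

    def translate(self, flow: Flow) -> Mapping:
        for ext in self.addrs:
            for port in range(self.ports[0], self.ports[1] + 1):
                if (ext, port) not in self.used:
                    self.used[(ext, port)] = flow
                    return ext, port
        raise PoolExhausted(flow)


class OneToOnePool:
    """One internal address to one external address, allocated first come first
    served; the source port is preserved because no PAT is needed."""
    def __init__(self, first: str, last: str):
        self.free = _span(first, last)
        self.bound: Dict[str, str] = {}

    def translate(self, flow: Flow) -> Mapping:
        src, sport = flow
        if src not in self.bound:
            if not self.free:
                raise PoolExhausted(flow)      # no more addresses available
            self.bound[src] = self.free.pop(0)
        return self.bound[src], sport


class FixedPortRangePool:
    """Explicit internal range to external range mapping, no PAT."""
    def __init__(self, int_first: str, int_last: str, ext_first: str, ext_last: str):
        self.map = dict(zip(_span(int_first, int_last), _span(ext_first, ext_last)))

    def translate(self, flow: Flow) -> Mapping:
        src, sport = flow
        if src not in self.map:
            raise PoolExhausted(flow)
        return self.map[src], sport


class PortBlockPool:
    """Each client is given a block of `block` consecutive ports on one pool
    address; once its block is used up the client is refused, so a rogue client
    cannot starve the others."""
    def __init__(self, first: str, last: str, block: int = 64,
                 ports: Tuple[int, int] = (1024, 65535)):
        self.block = block
        self.free_blocks = [(ext, start) for ext in _span(first, last)
                            for start in range(ports[0], ports[1] - block + 2, block)]
        self.client: Dict[str, List] = {}    # src -> [(ext, block start), ports used]

    def translate(self, flow: Flow) -> Mapping:
        src, _ = flow
        if src not in self.client:
            if not self.free_blocks:
                raise PoolExhausted(flow)
            self.client[src] = [self.free_blocks.pop(0), 0]
        (ext, start), used = self.client[src]
        if used >= self.block:
            raise PoolExhausted(flow)         # block full: refuse, others unaffected
        self.client[src][1] = used + 1
        return ext, start + used


def flood(pool, src: str, attempts: int) -> int:
    """Count how many new connections one client can open before being refused
    (a constructed stand-in for the hping SYN flood mentioned in the text)."""
    opened = 0
    for sport in range(10000, 10000 + attempts):
        try:
            pool.translate((src, sport))
        except PoolExhausted:
            break
        opened += 1
    return opened


if __name__ == "__main__":
    print("overload  :", flood(OverloadPool("10.200.1.7", "10.200.1.8"), "10.0.1.10", 500))
    print("port block:", flood(PortBlockPool("10.200.1.7", "10.200.1.8"), "10.0.1.10", 500))
```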
Virtual IPs (VIPs) are destination NAT objects. For sessions matching a VIP, the destination address is translated: usually a public Internet address is translated to a server’s private network address. Select VIPs in the firewall policy’s destination address field. The default VIP type is static NAT. This is a one-to-one mapping which applies for incoming and outgoing connections. That is, an outgoing policy with NAT enabled would use the VIP address instead of the egress interface address. This behavior, however, can be overridden by use of an IP pool. The static NAT VIP can be restricted to forward only certain ports. For example, connections to the external IP on port 8080 map to the internal IP on port 80. From the CLI, you can select the NAT type load-balance or server-load-balance. Plain load balancing distributes connections from an external IP address to multiple internal addresses. The latter builds on that mechanism, using a virtual server and real servers, and provides session persistence and server availability check mechanisms. VIPs should be routable to the external facing (ingress) interface. FortiOS responds to ARP requests for VIP and IP pool objects. ARP responses are configurable.
In this example, connections to the VIP 200.200.200.222 are NATed to the internal host 10.10.10.10. Because this is static NAT, all NATed outgoing connections from 10.10.10.10 will use the VIP address in the packet’s destination field, not the egress interface’s address.
For feature completeness, you can use a central NAT table. This is disabled by default. To enable it from the GUI, go to System > Config > Features. In the CLI, use:
    conf sys global
        set gui-central-nat-table enable
    end
In this case, the source NAT action is defined in a central table. If no central NAT rule exists, then the default action of destination interface address is used. Central NAT rules also allow control over source port usage.
Some application layer protocols are not fully independent of the lower layers, such as the network or transport layer. If the session helper detects such a pattern, it may make changes to the application headers or create expected secondary connections. A good example is where an application has both a control and a data/media channel, such as with FTP. Firewalls will typically allow the control channel and rely on the session helpers to handle the dynamic data/media transmission connections. When more advanced application tracking and control is required, an Application Layer Gateway (ALG) can be used. The VoIP profile is an example of an ALG.
In this example, the media recipient address in the SIP SDP payload is modified to reflect the NATed IP address.
Traffic shaping (also called quality of service (QoS)) can be applied in firewall policy and used to manage the bandwidth used by each service or application. FortiGate can count the packet rates of ingress and egress to police traffic. Note that these apply equally to TCP and UDP, and UDP protocols may not recover as gracefully from packet loss. ToS/DSCP flags, if used, can map packets to a specific transmission queue. For additional information, see the Traffic Shaping FortiOS Handbook.
Two types of traffic shapers can be configured: Shared and Per-IP. A shared shaper applies a total bandwidth to all traffic using that shaper: The scope can be per-policy or for all policies referencing that shaper.
FortiGates equipped with Network Processors (NP) offload packet handling from the CPU. For each new IP session, the first packet always goes to the CPU. If the session can be offloaded to an available NP, the kernel sends session information to the NP. All subsequent packets in that session are forwarded by the NP and not the CPU, so their transmission is accelerated. When the last packet is sent or received, such as a TCP FIN or TCP RST signal, the NP returns this session to the CPU, which handles tear down. Non-eligible sessions remain on the CPU. Typically, this includes policies that have a security profile enabled. IP fragments are also non-eligible. “diagnose” CLI commands, such as “diag packet sniff” and “diag debug flow”, run on the CPU. They will not show packets handled by an NP. To ensure accurate output for these commands, you can temporarily disable NPU offload in each firewall policy so that the packets are handled by the CPU and therefore seen by the troubleshooting command.
As a UTM, one of the most important features that a firewall policy can apply is security profiles such as IPS and antivirus. These profiles inspect each packet in traffic flows where the session has already been conditionally accepted by the firewall policy. When inspecting traffic, FortiGate can use one of two methods: flow- or proxy-based. Different security features are supported by each type.
In proxy-based scans, we typically mean a transparent proxy. It’s called “transparent” because at the IP layer, FortiGate is not the destination address, yet FortiGate intercepts the traffic anyway. In TCP connections, FortiGate’s proxy generates the SYN ACK to the client and completes the three-way handshake with the client before creating a second, new connection to the server. If the payload is less than the oversize limit, the proxy buffers transmitted files/email for inspection before continuing transmission. The proxy analyzes and may change headers such as HTTP “Host:” and URI for web filtering. If a security profile decides to block the connection, the proxy can send a replacement message to the client. This adds latency to the overall transmission speed.
Proxy options affect the content inspection proxy. Settings include port numbers, oversize file action and threshold, and client comforting (where the proxy transmits packets slowly while it continues to buffer and scan).
How are flow-based scans different? There is no proxy. If you are familiar with the TCP flow analysis of Wireshark, then that is essentially what the flow engine sees. Packets are buffered, analyzed, and forwarded as they are received. The same signatures used for proxy-based techniques apply to flow-based, therefore the detection rate is potentially the same. Because the original traffic is unaltered, advanced features that modify content, such as safe search enforcement, are not supported.
An SSL/SSH inspection profile contains settings for decrypting these protocols, which is required in order to scan their content. Otherwise, viruses could be transmitted via HTTPS or SMTPS, for example, without detection. For SSH, inspection allows the FortiGate to intercept connections and control protocol commands. For example, using an SSH tunnel, a client could port forward any other protocol across an SSH connection. Using an SSH profile, FortiGate can block the “Port-Forward” command.
When troubleshooting firewall policies, you need to understand how the traffic should flow. Typically there are many firewall policies. What are the ingress and egress interfaces? What is actually happening to the traffic or application? Is it slow? Is it failing to connect? The answers help define which troubleshooting steps you need to take.
One of the most fundamental network debugging tools is packet capture, or “sniffing.” The syntax of the CLI command is ‘diag sniff packet <interface> <filter> <level>’. The interface is the name of the physical or logical interface; if your account has the super_admin access profile, you can specify the ‘any’ interface. The filters are similar to those of ‘tcpdump’ on Linux. For the verbosity level, you can choose from 1 to 6 depending on your requirements. The only output options are the packet headers and payloads in ASCII and hexadecimal format. To completely decode the packets and view their content, save the output to a plain text file, convert it to .pcap format, then open it with Wireshark.
Here are some general examples. Much more can be learnt by reading the man page for tcpdump.
If your model of FortiGate has internal storage, you can capture packets from the GUI. Looking at the content of the packets can help you see what is abnormal. The options in the GUI are the same as those in the CLI: to run a trace, specify a source interface and a filter. What is the main advantage over the CLI? You can download the output in a file format that Wireshark reads directly, without a conversion script. Any packet capture filter should be very specific, to avoid writing large amounts of data to disk, which affects performance.
Earlier, we mentioned that a packet capture does not show why FortiGate may have dropped a packet. That is the purpose of the packet flow debug. This is an example of ‘diag debug flow’. The first lines enable debugging and direct its output to the console. Next, the filters define which IP address and port numbers to trace; ‘addr’ matches either source or destination, and ‘port 80’ typically captures HTTP.
Here is the output for the previous example, covering the three-way handshake:
• Virtual domain ‘root’ receives a packet: the protocol is TCP, destination port 80, source IP 10.0.1.10, destination IP 10.200.1.1. The packet is received on interface ‘port3’.
• FortiOS identifies this as a new session because it does not match any entry in its current session table.
• FortiOS performs a routing lookup, as this is the first packet of the connection; gateway 10.200.1.254 (in this case the destination) is found on interface ‘port1’.
• For the firewall policy match, the interfaces are ‘port3’ to ‘port1’. A hashing function is used for the policy lookup. The connection matches policy ID 1 with source NAT enabled, so the source address and port of all packets in this connection will be translated to 10.200.1.1:39738.
• The packet is sent to the IPS module, because an IPS security profile is enabled on this firewall policy.
• Next, the reply (SYN/ACK) is received. It is identified as reply traffic for an existing connection. For the first reply packet, a routing lookup occurs.
• Next, the client sends the ACK. It is identified as belonging to an existing connection.
Retransmission of SYN packets is a good indicator that the firewall is blocking a connection. However, we don’t know for sure. We could look at the traffic logs, if logging was enabled for the deny policy. What else could we use? The packet flow debug.
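The following is an added example, not code from this guide or from Fortinet. It performs the text-to-.pcap conversion that the CLI capture needs and then applies the SYN-retransmission heuristic just described to the decoded frames, reporting SYNs that were repeated and never answered. The embedded sniffer output is constructed, not a real capture; its column layout (a summary line per packet, then ‘0x<offset>’ hex-dump lines separated by tabs or runs of spaces) is an assumption about the verbose-level-6 format, and the addresses, interface names and MAC addresses are invented.

```python
"""Convert 'diagnose sniffer packet <if> '<filter>' 6' text to .pcap and flag unanswered SYNs.

Added example for this guide, not Fortinet code. The column layout assumed here
(summary line, then '0x<offset>' hex-dump lines split by tabs or runs of spaces)
approximates verbose level 6 output; check it against a real capture before relying on it.
"""
import re
import struct
from datetime import datetime

LINKTYPE_ETHERNET = 1   # level 6 dumps include the Ethernet header
LINKTYPE_RAW = 101      # level 3 dumps start at the IP header

SUMMARY_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+|\d+\.\d+)\s+\S")

# Constructed sample, not a real capture: one SYN seen twice, three seconds apart, with no
# SYN/ACK in between. Addresses and MACs are invented for the example.
SAMPLE_OUTPUT = """interfaces=[port3]
filters=[host 10.0.1.10 and port 80]
1.234567 port3 in 10.0.1.10.39738 -> 10.200.1.254.80: syn 1
0x0000\t0009 0f09 0001 000c 2903 1c72 0800 4500\t........)..r..E.
0x0010\t0028 1c46 4000 4006 06bb 0a00 010a 0ac8\t.(.F@.@.........
0x0020\t01fe 9b3a 0050 0000 0001 0000 0000 5002\t...:.P........P.
0x0030\t2000 dc87 0000\t ......
4.234567 port3 in 10.0.1.10.39738 -> 10.200.1.254.80: syn 1
0x0000\t0009 0f09 0001 000c 2903 1c72 0800 4500\t........)..r..E.
0x0010\t0028 1c46 4000 4006 06bb 0a00 010a 0ac8\t.(.F@.@.........
0x0020\t01fe 9b3a 0050 0000 0001 0000 0000 5002\t...:.P........P.
0x0030\t2000 dc87 0000\t ......
"""

def parse_timestamp(text):
    """Absolute stamps (sniffer 'a' option) are read as local time; otherwise relative seconds."""
    if "-" in text:
        return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f").timestamp()
    return float(text)

def parse_hex_line(line):
    """'0x0010<tab>0028 1c46 ...<tab>.(.F' -> (offset, bytes); None for non-dump lines."""
    parts = re.split(r"\t+| {2,}", line.strip())
    if len(parts) < 2 or not re.fullmatch(r"0x[0-9a-fA-F]{4}", parts[0]):
        return None
    words = parts[1].split()
    if not words or not all(re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", w) for w in words):
        return None
    return int(parts[0], 16), bytes.fromhex("".join(words))

def parse_sniffer_output(text):
    """Return [(timestamp, frame_bytes), ...]; offsets are checked so a truncated dump is noticed."""
    frames, ts, chunks = [], None, []
    for line in text.splitlines():
        dump = parse_hex_line(line)
        if dump and ts is not None:
            offset, data = dump
            if offset != sum(len(c) for c in chunks):
                raise ValueError(f"unexpected offset in {line!r}")
            chunks.append(data)
        elif SUMMARY_LINE.match(line):
            if ts is not None and chunks:
                frames.append((ts, b"".join(chunks)))
            ts, chunks = parse_timestamp(SUMMARY_LINE.match(line).group(1)), []
    if ts is not None and chunks:
        frames.append((ts, b"".join(chunks)))
    return frames

def guess_linktype(frame):
    """Ethernet frames carry IPv4/ARP/IPv6 EtherTypes at bytes 12-13; raw IP frames do not."""
    if len(frame) >= 14 and frame[12:14] in (b"\x08\x00", b"\x08\x06", b"\x86\xdd"):
        return LINKTYPE_ETHERNET
    return LINKTYPE_RAW

def build_pcap(frames, linktype):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        if usec == 1_000_000:
            sec, usec = sec + 1, 0
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def decode_tcp(frame, linktype):
    """(src, sport, dst, dport, flags, seq) for an IPv4/TCP frame, else None."""
    ip = frame[14:] if linktype == LINKTYPE_ETHERNET else frame
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]
    if len(tcp) < 20:
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport, tcp[13], seq)

def unanswered_syn_retransmissions(frames, linktype):
    """SYNs repeated for one 5-tuple and sequence number that never got a SYN/ACK back:
    the pattern the sniffer shows when a policy silently drops the connection."""
    syn_counts, answered = {}, set()
    for _, frame in frames:
        decoded = decode_tcp(frame, linktype)
        if decoded is None:
            continue
        src, sport, dst, dport, flags, seq = decoded
        if flags & 0x12 == 0x12:                  # SYN/ACK: the server answered
            answered.add((dst, dport, src, sport))
        elif flags & 0x02:                         # bare SYN from the client
            key = (src, sport, dst, dport, seq)
            syn_counts[key] = syn_counts.get(key, 0) + 1
    return {k: n for k, n in syn_counts.items() if n > 1 and k[:4] not in answered}
```

To use it on a real capture, read the saved text file, call parse_sniffer_output, pass the frames and guess_linktype of the first frame to build_pcap, and write the bytes to a .pcap file. Verbose level 3 output has no Ethernet header, which is why the link type is detected rather than hard-coded; writing the wrong link type makes Wireshark decode garbage.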
Combining the debug flow with the packet sniffer, we can now see which firewall action is blocking this traffic.
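As an added example (not from the guide or from Fortinet), here is a small parser that reduces debug flow output to one verdict per trace_id, so the denied flow can be lined up against the retransmitted SYNs seen in the sniffer. The sample trace is constructed to approximate the key=value line format of FortiOS 5.x; the values, session IDs and message wording are assumptions, so adjust the regular expressions if your firmware logs differently.

```python
"""Summarise 'diagnose debug flow' output per trace_id: 5-tuple, route, and policy verdict.

Added example, not Fortinet code. The sample lines are constructed to approximate the
key=value format of FortiOS 5.x flow traces; the values are invented.
On a FortiOS 5.x CLI the trace itself is produced with:
    diagnose debug enable
    diagnose debug flow show console enable
    diagnose debug flow filter addr 10.0.1.10
    diagnose debug flow trace start 10
"""
import re

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+?)\.")
ROUTE_RE = re.compile(r"find a route: gw-([\d.]+) via (\S+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"Denied by (?:forward policy check \(policy (\d+)\)|.+)")

# Constructed sample: trace 1 is an HTTP connection matched by policy 1 with SNAT,
# trace 2 is a Telnet connection that falls through to the implicit deny (policy 0).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 10.0.1.10:39738->10.200.1.254:80) from port3. flag [S], seq 1, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=4622 msg="allocate a new session-0000003a"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: gw-10.200.1.254 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=670 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2523 msg="SNAT 10.0.1.10->10.200.1.1:39738"
id=20085 trace_id=2 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 10.0.1.10:39740->10.200.1.254:23) from port3. flag [S], seq 1, ack 0, win 8192"
id=20085 trace_id=2 func=init_ip_session_common line=4622 msg="allocate a new session-0000003b"
id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: gw-10.200.1.254 via port1"
id=20085 trace_id=2 func=fw_forward_handler line=670 msg="Denied by forward policy check (policy 0)"
"""

def parse_kv(line):
    """Split one trace line into a dict; quoted values keep their inner spaces."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields

def summarise_flows(text):
    """Group lines by trace_id and pull out the 5-tuple, ingress/egress and the verdict."""
    flows = {}
    for line in text.splitlines():
        fields = parse_kv(line)
        if "trace_id" not in fields or "msg" not in fields:
            continue
        flow = flows.setdefault(fields["trace_id"], {"verdict": "undecided", "messages": []})
        msg = fields["msg"]
        flow["messages"].append(msg)
        if m := PKT_RE.search(msg):
            flow.update(proto=int(m[1]), src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]), ingress=m[6])
        if m := ROUTE_RE.search(msg):
            flow.update(gateway=m[1], egress=m[2])
        if m := ALLOW_RE.search(msg):
            flow.update(verdict="allow", policy=int(m[1]))
        if m := DENY_RE.search(msg):
            # policy 0 is the implicit deny at the bottom of the policy table
            flow.update(verdict="deny", policy=int(m[1]) if m[1] else None, reason=msg)
    return flows

def denied_flows(flows):
    """(src, sport, dst, dport, reason) for every trace that ended in a deny."""
    return [(f.get("src"), f.get("sport"), f.get("dst"), f.get("dport"), f.get("reason"))
            for f in flows.values() if f["verdict"] == "deny"]
```

Run summarise_flows over the saved console output and compare denied_flows with the unanswered SYNs from the sniffer: a 5-tuple that appears in both is a connection the policy table dropped, and the trace tells you which policy (or the implicit deny) did it.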
To review, here are all the topics we covered in this lesson.
Firewall Authentication
In this lesson, we will show you how to use authentication in the firewall policies of a FortiGate. Normal firewall policies separate devices based on the IP address or subnet involved. Adding authentication to firewall policies provides a mechanism to make decisions based not just on where the device is, but on who is using it.
After completing this lesson, you should have a solid understanding of the mechanics of authentication on a FortiGate as well as some practical skills configuring firewall authentication.
Traditional firewalling grants network access based on the source IP address only. This is inadequate, because the firewall cannot determine who is using the device to which it grants access, and that poses a security risk. Authentication allows action based on the user, not just the IP address; in this way, inspection rules follow individuals across multiple devices.
Not all available methods of authentication can be used for firewall authentication (for example, certificate-based authentication cannot be used). You can, however, use local password authentication, remote password authentication, and two-factor authentication. Two-factor authentication is slightly different from the others, as it is enabled on top of an existing method—it cannot be enabled without first configuring one of the other methods. In this lesson, we will discuss all three available methods.
The first and simplest method of authentication is Local Password Authentication. User account information (user name and password) is stored locally on the FortiGate device, so there is no lookup to an external server for user validation. Local Password Authentication is the simplest method to configure, since you only need access to the FortiGate. Other methods are more complex, as they involve configuring the exchange of information between the FortiGate and a remote server as well as configuring the users and user groups on the server itself. Troubleshooting those situations is also more complicated, as you need to examine both the FortiGate and the external server. With Local Password Authentication, you need only examine the FortiGate.
The second method of authentication is remote server authentication (or server-based password authentication). This includes any form of authentication where the final decision on user credentials is made by an external server, not by the FortiGate. This method is desirable when multiple FortiGate devices need to authenticate the same users or user groups. With remote server authentication, the user’s credentials are sent from the FortiGate to the remote server. The remote server evaluates them and sends a response. FortiGate examines that response and consults its own configuration to decide how to handle the traffic, but it is the server, not the FortiGate, that has final authority over evaluating the user credentials. With remote server authentication, the FortiGate does not store all (or, in some configurations, any) of the user information locally.
Multiple protocols are supported for remote user authentication, including POP3, RADIUS (which covers both server authentication and the single sign-on method, RSSO), LDAP, and TACACS+. Single sign-on (SSO) methods, such as FSSO, NTLM, and RSSO, are also supported for remote user authentication.
With a FortiGate, you can implement Single Sign On (SSO) using FSSO and RSSO. SSO allows a single login event to be used for all authentication and access situations. Without SSO, if a user logs in to a Wi-Fi network, they will need to log in through a firewall policy separately when they try to pass traffic. SSO links multiple authentication events to a single event.
One remote server authentication protocol worth mentioning is POP3, because the login credential the remote server accepts differs from most other authentication protocols. Most protocols use the user name; POP3 servers, however, authenticate users based on their email address. Some POP3 servers require the full address including the domain, others require only the part before the domain, while still others accept both formats. This is determined by the configuration of the server itself and is not a setting on the FortiGate. You can only configure POP3 authentication through the CLI. You can also use LDAP to validate with the email address rather than the user name.
The third, and final, method of authentication for firewalls, which is really an extension of an existing method, is two-factor authentication. Traditional user authentication requires your user name plus something you know, such as a password. The weakness of this traditional method is that if someone obtains your user name, they only need your password to compromise your account. Furthermore, since people tend to reuse the same password across multiple accounts (some on sites with more security vulnerabilities than others), accounts are vulnerable regardless of password strength. Two-factor authentication requires something you know, such as a password, and something you have, such as a token. This makes it harder for an attacker to compromise an account, because less rests on the often-vulnerable password: security is split between a password and a key of some kind.
One-time passwords (OTP) are one such “something you have” that you can use with two-factor authentication. FortiToken and FortiToken Mobile (hardware and software respectively) both generate one-time passwords, and both generate a new password every 60 seconds. You can also deliver an OTP by other means than a token or mobile app, for example by email or by SMS message. It is very important that FortiTokens are synchronized with the FortiGate; otherwise FortiGate cannot compute the code the token is currently showing.
Tokens use a specific algorithm to generate a one-time password. Its inputs are a seed, which is a randomly generated number that does not change over time, and the time, which is obtained from an internal, accurate clock. Both seed and time go through an algorithm that generates the one-time password on the token. The OTP has a short life span, usually measured in seconds (60 seconds for a FortiToken, possibly more or less for other RSA key generators). Once the life span ends, for example after 60 seconds, a new one is generated. With two-factor authentication using a token, the user first logs in with a static password followed by the OTP (or code) generated by the token. A validation server (a FortiGate) receives the user’s credentials and validates the static password first. It then validates the OTP by regenerating the same OTP from the seed and its own system time (which is synchronized with the token’s) and comparing it with the one received from the user. If the static password is valid and the one-time password matches, the user is successfully authenticated. Again, both the token and the validation server must use the same seed and have synchronized clocks. As such, it is crucial that you configure your FortiGate’s date and time properly or link it to an NTP server.
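The algorithm described above, as an added example that is not Fortinet code: it uses RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1 over a step counter) as a stand-in, since the guide does not name FortiToken’s exact algorithm; the 60-second step is taken from the text, and the seed, user and password are invented. The toy validation server checks the static password first, tolerates one step of clock drift either way, and rejects a code that has already been used.

```python
"""Seed + clock -> one-time password, with server-side drift and replay checks.

Added example, not Fortinet code. RFC 4226 HOTP / RFC 6238 TOTP stand in for the token
algorithm the text describes; the 60-second step is from the text, everything else is invented.
"""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60
DIGITS = 6

def hotp(seed, counter, digits=DIGITS):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to `digits` decimals."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"

def totp(seed, unix_time, step=STEP_SECONDS):
    """The counter is the number of whole steps since the epoch, so the code changes every `step` seconds."""
    return hotp(seed, int(unix_time) // step)

def derive_password(password, salt):
    """Slow hash for the static password; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Validator:
    """Toy validation server: static password first, then the OTP, as the text describes."""

    def __init__(self, step=STEP_SECONDS):
        self.step = step
        self.users = {}

    def enrol(self, user, password, seed):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw_hash": derive_password(password, salt),
                            "seed": seed, "last_counter": -1}

    def authenticate(self, user, password, otp, now, window=1):
        record = self.users.get(user)
        if record is None:
            derive_password(password, b"\x00" * 16)      # same cost for unknown users
            return "bad-password"
        if not hmac.compare_digest(derive_password(password, record["salt"]), record["pw_hash"]):
            return "bad-password"
        base = int(now) // self.step
        for delta in range(-window, window + 1):         # tolerate one step of clock drift
            counter = base + delta
            if hmac.compare_digest(hotp(record["seed"], counter), otp):
                if counter <= record["last_counter"]:
                    return "replayed-otp"                 # each code is valid once
                record["last_counter"] = counter
                return "ok"
        return "bad-otp"                                  # wrong code, or clocks too far apart
```

The last branch is the one the text warns about: a server whose clock is three minutes off computes counters the token will never produce, and every login fails with a code that looks perfectly valid to the user. The window parameter is the trade-off between tolerating small drift and widening the guessing space for an attacker.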
To use a FortiToken, you must first register it on a FortiGate device. Whether it is a hardware or software token, its serial number is used to provide the FortiGate with the details of the initial seed value. If you are using FortiToken Mobile, each FortiGate (and FortiGate VM) allows two free activations; more than that requires purchasing activation codes for additional mobile tokens from Fortinet. You cannot register a FortiToken on more than one FortiGate. A deployment like that requires a central FortiAuthenticator: the FortiTokens are registered on the FortiAuthenticator rather than on the FortiGate, and FortiGate uses FortiAuthenticator as its validation server, which allows the same FortiToken to be used for access on multiple FortiGate devices.
Not all types of authentication involve prompting the user to enter their login credentials. While active authentication (used with LDAP, RADIUS, Local Password Authentication, and TACACS+) prompts the user to manually enter credentials, passive authentication (used with FSSO, RSSO, and NTLM) determines user information without ever asking the user to log in. Passive authentication, therefore, occurs transparently for the user.
Active authentication prompts the user based on two things: the protocol of the traffic they use to try to pass through the firewall, and the firewall policy itself. The policy must allow at least one of the protocols that can carry the authentication prompt, such as HTTP/S, FTP, and Telnet. If the policy that has authentication enabled does not allow at least one of these protocols, the user will never be able to authenticate. Passive authentication determines the user identity behind the scenes and does not require any specific services to be allowed in the policy.
You can enable both active and passive authentication. If both are enabled and a user’s identity can be determined through passive means, the user never receives a login prompt, regardless of the order of the firewall policies: there is no need to prompt for credentials when passive authentication already knows who the user is. When active and passive methods are combined, active authentication is intended as a fallback for when passive authentication fails. No one method is considered more important than another; the first method that can determine a user name for the traffic is the deciding factor, and that ultimately determines how the traffic is handled.
A firewall policy defines and matches traffic going from the source to the destination. An IP address is required as part of the policy configuration for the source and destination. User, user group, and device information can be enabled as well. If enabled, they become part of the source definition for that policy. Accordingly, a source is comprised of source address(es)+source user(s)/group(s)+source device(s).
No service (with the exception of DNS) is allowed through a firewall policy prior to successful user authentication. DNS is allowed because it is a base protocol that is almost always needed before the authentication protocol traffic itself can appear: host name resolution is a requirement for nearly every protocol. However, the DNS service must still be defined as allowed within the policy in order for it to pass. In the following example, Policy #1 allows users to use external DNS servers on the other side of port2 to resolve host names prior to successful authentication, so DNS traffic is allowed through even before authentication happens. It is also allowed if authentication is unsuccessful, as users need to be able to try to authenticate again. Any service that includes DNS behaves the same way, such as the default ‘ALL’ service. Policy #2, on the other hand, never allows DNS traffic, even after successful authentication: the HTTP service is TCP port 80 and does not include DNS (UDP port 53).
In this example, assuming active authentication is used, any initial traffic from the 10.10.1.0/24 subnet will not match policy #1. Policy #1 looks at the IP address as well as the user information, and since the user has not authenticated, there is no match. Next, a check is made against policy #2. There is a match and the traffic is allowed with no need to authenticate. When only active authentication is used, if all policies that could match the source IP have authentication enabled, the user receives a login prompt (assuming they use an acceptable login protocol). In other words, if policy #2 also had authentication enabled, the users would receive login prompts. If passive authentication is used and it can successfully obtain user details, then traffic from 10.10.1.0/24 with users that belong to the guest-group matches policy #1 even though policy #2 does not have authentication enabled.
If you want all users connecting to the network to authenticate through active authentication, you can enable the captive portal. With captive portal, network interfaces perform authentication at the interface level—regardless of the firewall policy that allows it or the port that it ultimately leaves by (authentication being enabled or disabled on the policy is not a factor). Essentially, a captive portal is a convenient way to authenticate web users on wired or Wi-Fi networks through an HTML form that requests the user’s name and password. You can host a captive portal on a FortiGate device or an external authentication server. The captive portal setting must be enabled on the Ingress interface of the traffic. Captive portals are not compatible with interfaces in DHCP mode.
Using the previous example, with captive portal enabled on port1, all traffic from behind port1 receives a login prompt, not just the users in the 10.10.1.0/24 subnet or traffic going somewhere other than port2. Passive authentication never requires a captive portal, since it obtains user details differently. Only active authentication methods can use the captive portal feature (depending on the configuration).
A firewall policy can have the captive portal suppressed. When suppressed, traffic that matches the policy’s source and destination is not presented with the captive portal page. The captive-portal-exempt setting must be enabled in the CLI for each firewall policy and only applies to traffic that matches that policy. The security-exempt-list CLI setting, however, exempts the listed sources at all times, regardless of the firewall policy settings. Depending on the situation, one option or the other usually results in the simpler configuration; use the one that best fits the requirements and causes the least confusion or ongoing maintenance. You can create and configure security exempt lists only from the CLI. However, you can enable them through the GUI settings.
You can enable disclaimers in conjunction with captive portal, if desired. Disclaimers are not considered authentication or a captive portal, but the two tend to go hand in hand. With the authentication and disclaimer setting, the disclaimer appears before the user authenticates and acts as a reminder of the rules for the network; users must accept the terms in the disclaimer in order to proceed with the authentication process. Neither a security exempt list nor a captive portal exemption on a firewall policy can bypass a disclaimer.
Any time FortiGate has to insert itself into the traffic stream (with authentication pages or disclaimers, for example), you can modify the particulars of the page through the GUI. Editing HTML-based replacement messages requires knowledge of HTML, to ensure proper positioning and look of the page. The default layout is the Simple View, which hides most of the replacement messages. Use Extended View to show all editable replacement messages.
An authentication timeout ensures that users do not authenticate and then stay in memory indefinitely. If users stayed in memory forever, it would eventually lead to memory exhaustion. There are three options for timeout behavior:
• IDLE – Looks at the packets from the host’s IP address. If the host generates no packets within the configured timeframe, the user is logged out.
• HARD – The time is an absolute value. Regardless of the user’s behavior, the timer starts as soon as the user authenticates and expires after the configured value.
• NEW SESSION – Even if traffic is being generated on existing communication channels, the authentication expires if no new sessions are created through the firewall from the host device within the configured timeout.
Choose the type of timeout that best suits the needs of authentication in your environment.
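To make the three behaviours concrete, here is an added example (not Fortinet code) that models them over a constructed timeline: one session opened shortly after login, then a packet every 100 seconds on that same session, with a 300-second timeout. The expiry times diverge: IDLE keeps renewing, HARD expires at 300 seconds regardless, and NEW SESSION expires 300 seconds after the only new session despite the ongoing traffic.

```python
"""Model IDLE, HARD and NEW SESSION authentication timeouts over one traffic timeline.

Added example, not Fortinet code. The behaviours are the three the text describes; the
timeline is constructed to show where they diverge.
"""

# Constructed timeline: the user authenticates at t=0, opens one session at t=10, and that
# single session then keeps passing a packet every 100 seconds. Timeout is 300 seconds.
AUTH_TIME = 0
TIMEOUT = 300
EVENTS = [(10, "new_session")] + [(t, "packet") for t in range(100, 1001, 100)]

def expiry_time(auth_time, events, timeout, mode):
    """Return the instant the authentication entry expires under `mode`.

    events: time-ordered (t, kind) pairs from the host's IP, kind in {'packet', 'new_session'}.
    Events after the entry has already expired cannot revive it; the user must log in again.
    """
    if mode == "hard":
        return auth_time + timeout                      # absolute: user behaviour is irrelevant
    expiry = auth_time + timeout
    for t, kind in events:
        if t >= expiry:
            break                                       # already logged out before this event
        if mode == "idle" or (mode == "new_session" and kind == "new_session"):
            expiry = t + timeout                        # this event restarts the timer
    return expiry

def is_authenticated(auth_time, events, timeout, mode, at):
    """True if the user is still logged in at time `at`, given the events seen up to then."""
    seen = [e for e in events if e[0] <= at]
    return at < expiry_time(auth_time, seen, timeout, mode)

def compare_modes(auth_time=AUTH_TIME, events=EVENTS, timeout=TIMEOUT):
    """Expiry time under each mode for the same timeline."""
    return {mode: expiry_time(auth_time, events, timeout, mode)
            for mode in ("idle", "hard", "new_session")}
```

A long-lived download or VPN-style session keeps an IDLE user logged in indefinitely but does nothing for a NEW SESSION user; pick the mode according to whether you want a quiet but connected host to stay authenticated.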
We’ve mentioned users and user groups several times in this lesson. Now, we’ll take a closer look at how both users and user groups are used by FortiGate for firewall authentication. Before that, however, we’ll give a short refresher on how you create users and groups on an external server, which is useful if Remote Password Authentication is used as a method of authentication.
LDAP is a standard remote authentication protocol currently supported by the FortiGate device. The behavior of LDAP is defined through multiple RFCs. LDAP is an application protocol for distributed directory information services. It can also be viewed as a database that contains user accounts, among other things. The structure of this database is similar to a tree that contains entries (or objects) in each branch. Each of these objects has a unique identifier, which is called the distinguished name (or DN). The objects also have attributes, and each attribute has a name and one or more values. This structure is defined in what is called a “directory schema”.
The hierarchy of an LDAP schema is not required to bear any resemblance to the organization. However, in general the naming conventions and group structure match the company name and corporate hierarchy very closely.
At the top we have the root, or DC (domain component). This is where an LDAP tree always starts, with any schema. Below that, groups are defined using C, OU, and/or O (country, organizational unit, organization). The exact behavior and options used depend on the schema and on what exactly is being defined. At the end of the tree is the UID, which contains the specific details about a particular user. The full path to a user contains all of the information necessary to locate that user within the tree: the DN (somewhere to start), the group information (C, OU, O), and the UID.
What you enter for the LDAP configuration depends heavily on the server’s schema and security settings. Windows Active Directory is very common. “Common Name Identifier” is the attribute to look up in order to find the user name. Some schemas call this UID; Active Directory uses ‘sAMAccountName’ or sometimes ‘cn’. “Distinguished Name” identifies the top of the tree to search in; generally this will be a DC value. The “Bind Type” setting varies with the security settings of the LDAP server. Normally this needs to be ‘Regular’, with the credentials being those of a user that is authorized to perform LDAP queries.
To see whether a user’s credentials can successfully authenticate, you must use the CLI or enable authentication on a firewall policy. The GUI only tests whether the initial LDAP connection to the server succeeds. Because the GUI tests only success or failure of the connection, either look at the server logs or run a packet sniff to see both sides of the LDAP communication and find out exactly what is happening. Exact output varies with the hierarchy of the LDAP server queried. ‘diagnose test authserver’ can be used to test most (not all) methods of authentication.
RADIUS does not behave like LDAP, as there is no tree structure to consider. A normal authentication query with the RADIUS protocol begins with an Access-Request sent from the FortiGate to the RADIUS server. Valid responses are “Access-Accept” and “Access-Reject” (yes and no, effectively). If two-factor authentication is enabled on the server, it comes back with an “Access-Challenge” message, where it is essentially asking for more information. Any other response from the server is not considered valid.
RADIUS configuration on a FortiGate is straightforward. The server’s address needs to be defined along with the shared secret that was set up so that the server accepts remote queries. Backup servers (with separate secrets) can be defined in case the primary server fails.
Testing RADIUS is much the same as LDAP. The GUI can test the connection to the server, but not a user login. Make sure that authentication is operational before implementing it in any of your firewall policies. Like LDAP, the CLI test reports success, failure, and group membership details depending on the server’s response. Deeper troubleshooting requires access to the server.
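The exchange described in the last few paragraphs, as an added example that is not Fortinet code: both ends of a RADIUS authentication in Python, with the User-Password hiding and the Response Authenticator defined in RFC 2865. The server is a toy that answers Access-Accept, Access-Reject or Access-Challenge; the secret, user names and passwords are invented. It also shows what a shared-secret mismatch looks like: the server unhides the password into garbage and rejects, and the client cannot validate the response at all, which is why the first thing to check when RADIUS fails is that both sides hold the same secret.

```python
"""RFC 2865 Access-Request / Accept / Reject / Challenge, both sides, with password hiding
and Response Authenticator checks.

Added example, not Fortinet code. Secret, users and passwords are invented.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, header included) Value TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; c1 = p1 XOR MD5(S+RA), c_i = p_i XOR MD5(S+c_{i-1})."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = [], request_auth
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out.append(prev)
    return b"".join(out)

def reveal_password(hidden, secret, request_auth):
    out, prev = [], request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out.append(bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask)))
        prev = hidden[i:i + 16]
    return b"".join(out).rstrip(b"\x00").decode("utf-8", "replace")

def build_access_request(username, password, secret, ident, request_auth=None):
    """Client side (the FortiGate): random Request Authenticator, hidden password."""
    ra = request_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password, secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body

def response_authenticator(code, ident, request_auth, body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def server_handle(packet, secret, users):
    """Toy RADIUS server: Accept, Reject, or Challenge when a second factor is required."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    record = users.get(user)
    if (code != ACCESS_REQUEST or record is None
            or not hmac.compare_digest(record["password"].encode(), password.encode())):
        code, reply = ACCESS_REJECT, [(REPLY_MESSAGE, b"Authentication failed")]
    elif record.get("otp_required"):
        code, reply = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter token code"), (STATE, os.urandom(8))]
    else:
        code, reply = ACCESS_ACCEPT, []
    body = encode_attrs(reply)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def client_verify(request, response, secret):
    """Return the response code only if it matches our request ID and was signed with our secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return None            # the text: anything else is not a valid response
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None
```

The MD5-based hiding protects the password only as well as the shared secret does: a weak secret can be brute-forced offline from a single captured Access-Request, so treat the secret like a password and carry RADIUS over IPsec (or RadSec) where the path to the server is not trusted.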
Now that we have examined how users are created on the LDAP or RADIUS server, let’s look at how to create the firewall users and groups on the FortiGate. This is the first step to authentication. You can create firewall authentication users through the User & Device > User > User Definition page of the FortiGate GUI. A wizard walks you through the creation process. You are required to define the type of user (Local or Remote) and the user credentials; for remote authentication, you must also select the server to authenticate against. There are other optional settings available, such as adding contact information, enabling two-factor authentication, or adding the user to a user group.
Once you’ve made user accounts, you can assign firewall policies to them. But rather than assign firewall policies that act on individual users, you can put users into groups and have policies make decisions based on the group itself. These groups are known as user groups. By assigning individual users to the appropriate user groups, you can control access to network resources. You can define both local and remote user groups on a FortiGate device. There are four user group types:
• Firewall
• Fortinet Single Sign On (FSSO)
• Guest
• RADIUS Single Sign On (RSSO)
The firewall user groups do not need to match any sort of group that may already exist on a server. The firewall user groups exist solely to make configuration of firewall policies easier. Note that most authentication types have the option to make decisions based on the individual user, rather than just user groups.
As mentioned, one of the four user group types is Guest. Guest groups are user groups that exclusively contain temporary user accounts (the whole account, not just the password), and are most commonly used in wireless networks. Guest accounts expire after a predetermined amount of time. You can create guest users automatically on the fly, or manually through an admin user. You can create special admin users that only have access to create and manage guest user accounts.
You can configure user groups through the FortiGate GUI under User & Device > User > User Group. You must specify the user group type, the local users that belong to the group, and the remote authentication server(s) that contain the users that belong to the group. User groups simplify your configuration if you want to treat specific users in the same way, for example to provide all accountants with access to the same network resources. If you wanted to treat every user differently, you would need to add each user to firewall policies separately.
Once you’ve created firewall users and groups, you can move on to configuring the policies. IP information is part of the source definition for a policy in combination with any configured user and groups specified. Just because a user is in a group does not mean they can only be referenced by using the group.
After creating firewall policies, you can monitor access of your firewall users. To keep track of who is authenticated through the firewall policies there is a User Monitor section in the GUI located under User & Device > Monitor > Firewall. The User Monitor screen displays who has authenticated through the firewall policies of your FortiGate device at any given moment. It does not include administrators, because they are not authenticating through firewall policies that allow traffic — they are logging directly into the FortiGate. This feature also allows you to de-authenticate a user or multiple users simultaneously.
There are no events logged for successful or failed login attempts through a firewall policy. Users that log in successfully show up in the monitor; those that do not are prevented from passing through the firewall. Once a user is successfully logged in, all further logs generated from the host automatically carry their user information. Default reports and charts are set up so that the source shows the user, or the IP address if there is no authentication. You can find the list of possible log events that appear under Log & Report > Event Log > User in the Log Message Reference Guide on the doc.fortinet.com website.
In this lesson, we discussed:
• Authentication, what it is and how it works
• Three methods of authentication, specifically Local Password Authentication, Remote Password Authentication, and Two-Factor Authentication
• The different authentication protocols
• One-time passwords and tokens
• Authentication types (active and passive)
• Authentication policies
• Captive Portal and disclaimers
• Authentication timeout
• Users/user groups, both in regards to an external LDAP or RADIUS server and through the FortiGate, and
• How to monitor firewall users

SSL VPN
In this lesson, we will show you how to use and configure SSL VPN. SSL VPNs are an easy way of providing access to your private network for remote users.
After completing this lesson, you should have these practical skills that you can use to configure an SSL VPN for your organization.
A virtual private network enables users to remotely and securely access private resources as if they were locally connected. It is generally used to transmit private information safely between LANs separated by an untrusted public network such as the Internet, so it is not only implemented for providing access to mobile users, but also for interconnecting geographically dispersed networks across the Internet. The user data travelling inside a VPN tunnel is encrypted, so it cannot be intercepted by unauthorized users. VPNs also use security methods to ensure that only authorized users can establish the VPN and access the private network’s resources.
The most common types of VPN are SSL VPN and IPsec VPN. SSL VPNs are commonly used to secure web transactions. Clients connect to a web portal and log in. It is essentially meant to connect a PC to a private network. This approach is simple in that users only need a regular web browser to connect and are not usually required to install any kind of special software or go through a complex setup. They simply need to access an HTTPS web site and log in. This makes SSL VPN an ideal solution for users who are either not technically skilled, or who need to connect from public computers. IPsec is also used to connect a PC to a private network. However, there are some important differences. First, SSL VPN access is through a web portal, whereas IPsec access is not. Second, IPsec is a standard protocol supported by most vendors, so a VPN session can be established not only between two FortiGate devices, but also between devices from different vendors. By comparison, SSL VPN can only be established between a client PC and an end device. In this lesson, we are going to focus on SSL VPN.
Web-only mode is used to connect using HTTPS to the FortiGate device from any browser. Once connected, users need credentials in order to pass an authentication check. Once authenticated, users are presented with a portal that contains possible resources for them to access. Different users can have different portals with different resources and access permissions. One of the widgets contains links to all or some of the resources available for the user to access. Another widget allows users to type the URL or IP address of the server they want to reach. A Web-only SSL VPN user makes use of these two widgets to access the internal network. The main advantage of Web-only mode is that it is clientless. This means the user is not required to install any client VPN software to obtain access. However, Web-only mode has two main disadvantages. First, all interaction with the internal network must be done from the browser exclusively (through the web portal); external network applications running on the user’s PC cannot send data across the VPN. Second, only a limited number of protocols are supported, such as HTTP/HTTPS, FTP, RDP, SMB/CIFS, SSH, Telnet, VNC, and Ping.
Tunnel mode access begins in much the same way as Web-only mode. Users must connect to the FortiGate through HTTPS and successfully authenticate. They are then presented with a web page that has various options, including a widget to activate tunnel mode. By clicking “Connect”, a tunnel is established between the PC and the FortiGate device. Inside the tunnel, IP traffic is encapsulated over HTTPS and sent to the other side. The FortiGate device receives the traffic and de-encapsulates the IP packets, forwarding them to the private network as if they originated from the inside. The main advantage of Tunnel mode over Web-only mode is that, once the VPN is established, any IP network application running on the client can send traffic across the tunnel. The main disadvantage is that this requires the installation of a VPN software client, which requires administrative privileges. If the VPN client is not installed when the user accesses the SSL VPN web portal, the “Tunnel Mode” widget offers the option to download and install it.
Tunnel mode can operate in two different ways: with and without Split Tunneling enabled. When Split Tunneling is disabled, all IP traffic generated by the client’s PC (including Internet traffic) is routed across the SSL tunnel to the FortiGate. This sets up the FortiGate as the default gateway for the host. You can use this method in order to apply UTM features to the traffic on those SSL VPN clients or to monitor or restrict internet access. This adds more latency and bandwidth usage. When Split Tunneling is enabled, only traffic destined for the private network(s) behind the FortiGate gets routed across the tunnel.
There are two methods to connect to an SSL VPN tunnel. The first method is through a browser. The limitation is that the browser window or tab with the SSL VPN portal must remain open in order to keep the tunnel up. The second method is through a standalone SSL VPN client. Using an SSL VPN client means the browser is not necessary to maintain the tunnel, but it also means you have to install an SSL VPN client. When the SSL VPN client is installed, a virtual network adapter called fortissl is added to the user’s PC. This virtual adapter dynamically receives an IP address from the FortiGate device each time a new VPN is established. All packets sent by the client use this virtual IP address as the source address.
Because tunnel mode requires installing a virtual network adapter, which requires administrative level access to accomplish, it is not always a feasible method to use. For those situations where tunnel mode isn’t practical and web-only mode isn’t flexible enough, there is a web-only extension called port forward mode. Rather than use a virtual adapter to create a tunnel with an IP separate from the local IP, port forward uses a Java applet to set up a local proxy that is accessed by connecting to the loopback address.
Of web-only and tunnel mode, tunnel mode is the more versatile, as it supports any IP application. However, it requires admin/root privileges to install a VPN client. You can get a direct tunnel connection either through a browser or by using the standalone VPN client. Web-only, on the other hand, is clientless, but does not support all IP applications as tunnel mode does. You can connect only through a browser—and only through one connected to the SSL VPN portal. Port Forward (an extension of Web-only) supports some additional IP applications, but it requires users to change the application configuration to send the IP traffic to a Java applet acting as a local proxy. The final decision about which mode to use depends on many factors, such as the technical knowledge of the users, the type of network applications, and whether admin access to the users’ PCs is possible or not.
When users log in to their individual portal, there is an option that allows them to create their own bookmarks (known as frequently used connections). An administrator must enable the user bookmark option, and once enabled, users can create and modify their own bookmarks from the portal. Administrators have the ability to view and delete bookmarks the remote user has added to their SSL VPN login in the GUI under VPN > SSL > Personal Bookmarks. This allows administrators to monitor and remove any unwanted bookmarks that do not meet corporate policy. From the CLI of the FortiGate, administrators can create bookmarks for different users. These bookmarks appear even if the user bookmark option is disabled in the portal, as that option only affects the user’s ability to create and modify their own bookmarks.
Depending on the type of bookmark an administrator wants to create, they may need to enter additional information during configuration, such as URLs for websites, and folders for FTP sites to name a few. Only three types of bookmarks can be used if employing the Port Forwarding method (an extension for web-only mode): citrix, portforward, and rdpnative. Citrix and RDP native are specific for that kind of traffic. Portforward is a generic type of bookmark that you can customize to suit the traffic.
Instead of just adding bookmarks on a per-user basis, administrators can also add bookmarks on a per-portal basis. This allows bookmarks to appear for all users who log in to that particular portal. These bookmarks use the exact same configuration options that personal bookmarks do, but can be configured from the GUI, rather than the CLI. Users cannot modify administrator-added bookmarks, whether they are created on a per-user or per-portal basis.
To add flexibility to your SSL VPN deployment, you may consider configuring “Realms”. Realms are custom login pages, usually for user groups, such as your Accounting team and your Sales team, but can be for individual users as well. With realms, users and user groups can access different portals based on the URL they enter. This is unlike a default deployment, where SSL VPN login is handled by going directly to the FortiGate’s IP address. With different portals, you can customize each login page separately as well as limit concurrent user logins separately.
Example of Realms on a FortiGate:
HTTPS://192.168.1.1
HTTPS://192.168.1.1/Accounting
HTTPS://192.168.1.1/TechnicalSupport
HTTPS://192.168.1.1/Sales
Since SSL VPNs are methods for people outside your network to connect to resources inside your network, you must take appropriate measures to ensure the safety and security of the information in your network. There are multiple options and settings available to help secure SSL VPN access. In this lesson, we’ll cover client integrity checking and restricting host connection addresses.
When a user connects to your network through SSL VPN, a portal is established between your network and the user PC. The VPN session is secured natively in two ways: the connection is encrypted and the user must log in with their credentials, such as a user name and password. However, you can configure additional security checks to increase the security of the connection. One method of increasing your security is through client integrity checking. Client integrity ensures, to some extent, that the connecting computer is secure by checking whether specific security software, such as antivirus or firewall software, is installed and running. This feature only supports Microsoft Windows clients, as it accesses the Windows Security Center to perform its checks. Alternatively, you can customize this feature to check the status of other applications by using their Globally Unique Identifier (GUID). The GUID is a unique ID in the Windows Configuration Registry that identifies each Windows application. Client Integrity can also check the current software and signature versions for the antivirus and firewall applications.
The Client Integrity check is performed while the VPN is still establishing—just after user authentication has finished. If the required software is not running on the client’s PC, the VPN connection attempt is rejected even with valid user credentials. Client Integrity is enabled per web portal and only by using CLI commands. The list of recognized software along with the associated registry key value is available through the CLI. Software is split into three categories: AntiVirus (av), Firewall (fw), and Custom. Custom is used for customized or proprietary software that an organization may require. Administrators can only configure these settings through the CLI. The disadvantage of enabling Client Integrity checking is that it can result in a lot of administrative overhead. First, all users must have their security software updated in order to successfully establish a connection. Second, software updates can change the registry key values, which can also prevent a user from successfully connecting. As such, administrators must have in-depth knowledge of the Windows operating system and its registry behavior in order to properly make extended use of, as well as maintain, this feature.
The second method you can use to help secure SSL VPN access is restricting host connection addresses. Setting up IP restriction rules can be very useful when considering proper security configuration. Not all IPs need, or should be allowed, access to the login page. This method allows you to set up rules to restrict access from specific IPs. One simple rule is to allow or disallow traffic based on Geographic IP addresses. The default logic allows all IPs to connect. From the CLI, you can configure the VPN SSL setting to disallow specific IPs.
To monitor remote user connections, you can view the SSL VPN Monitor table, accessible through the GUI under VPN > Monitor > SSL VPN Monitor. This table shows all the SSL VPN users currently connected to the FortiGate device. It displays the user names, IP addresses, and connection times. In the table, a subsession row below a user means the user has brought up an SSL VPN tunnel. No subsession row below the user means the user is only connected to the web portal page. Whether the VPN tunnel is activated with the Web Portal widget or the standalone client, they appear the same way in the SSL VPN Monitor table.
When an SSL VPN is disconnected, either by the user or through the SSL VPN idle setting, all associated sessions in the FortiGate session table are deleted. This prevents reuse of authenticated SSL VPN sessions (not yet expired) after the initial user terminates the tunnel. The SSL VPN user idle setting is not associated with the firewall authentication timeout setting. It is a separate idle option specifically for SSL VPN users. A remote user is considered idle when the FortiGate does not see any packets or activity from the user within the configured timeout period.
There are four mandatory steps that must be followed in order to configure SSL VPN. The fifth step is optional and only necessary to allow access to internal resources. Configuration does not need to be done strictly in this order. However, there are several places where, if certain options are not configured ahead of time, you are prevented from making further configuration changes.
The first step is to create the accounts and user groups for the SSL VPN clients. User and group creation was previously covered in the Firewall Authentication module. All the FortiGate authentication methods, with the exception of Remote Password Authentication using the FSSO protocol, can be used for SSL VPN authentication. This includes Local Password Authentication and Remote Password Authentication (using the LDAP, RADIUS, TACACS+, and POP3 protocols). Two-Factor Authentication, with or without FortiToken, is also supported.
The second step is to configure the portal. A portal is simply a webpage that contains tools and resource links for the users to access. Options on the portal, such as tunnel mode, links for downloading FortiClient, predefined bookmarks, and more, can be enabled or disabled to allow or deny access. You can individually configure and link each portal to a specific user group and/or user so they only have access to required resources. There are several different theme options that provide different color coding to the portals as well.
This is a sample of an SSL VPN portal page after the user logs in. It contains various widgets, based on the configuration of the portal. The “Bookmarks” and “Connection Tool” widgets are for web-only mode. The “Tunnel Mode” widget activates tunnel mode through the browser. The standalone client can link into that directly, though the user must have access to a portal that contains the client.
The third step to configuring SSL VPN is to configure the general settings. First, we’ll talk about the connection settings specifically, and then later, the tunnel mode client settings, and the authentication portal mapping settings. As with any other HTTPS web site, the SSL VPN portal presents a digital certificate when users are connecting. By default, the presented certificate is self-signed, which triggers the browser to show a certificate warning. To avoid the warning, you should use a digital certificate signed by a Certificate Authority (CA) known to the browser. Alternatively, you can load the digital certificate into the browser as a trusted authority. Certificates are covered in more detail in the ‘Certificate Operations’ lesson. By default, an inactive SSL VPN is disconnected after 300 seconds (5 minutes) of inactivity. You can change this timeout through the Idle Logout settings in the GUI. Note that it is separate from the authentication idle timeout discussed in the firewall authentication lesson. Also by default, the port for the SSL VPN portal is 443, which means that users need to connect using HTTPS to the IP address of the FortiGate device on port 443 (which is also the standard port for the administrative HTTPS protocol).
In a default configuration, the SSL VPN login portal and the administrator login for HTTPS both use port 443. This is convenient because users do not need to specify the port in their browser. For example, https://www.example.com/ automatically uses port 443 in any browser. This is considered a valid setup on the FortiGate because you generally don’t access the SSL VPN login through every interface. Likewise, you generally don’t enable administrative access on every interface of your FortiGate. So even though the ports may overlap, the interfaces that each one uses for access may not. If SSL VPN and HTTPS admin access both use the same port, and are both enabled on the same interface, only the SSL VPN login portal will appear. In order to have access to both on the same interface, you need to change the port number for one of the services. This will affect the port number for that service on all interfaces.
Once you set up your SSL VPN connection settings, you can define your Tunnel Mode settings. When users connect, the tunnel is assigned an IP address. You can choose to use the default range or create your own range. The IP range determines how many users can connect concurrently. DNS Servers will only be effective if DNS traffic is sent over the VPN tunnel. Generally this will only be the case when split tunnel mode is disabled and all traffic is being sent from the client PC across the tunnel.
The last part of step three is to set up the authentication rules that map users to the appropriate portal and realm. These settings allow different groups of users to access different portals and/or realms. The default rule applies to the root realm and must be present, otherwise an error message appears that prevents any setting changes from being saved. In the above example, accountants and teachers only have access to their own realms. If they need access to the root realm to see the student portal, you would need to add an additional authentication rule.
The fourth, and last, mandatory step to configure SSL VPN involves creating firewall policies for login. SSL VPN traffic on the FortiGate uses a virtual interface named ssl. followed by the VDOM name (for example, ssl.root). Each VDOM has its own virtual interface, named after that VDOM. By default, if VDOMs are not enabled, the device operates with a single VDOM called root. VDOMs are covered in more detail in the FCNSP module on Virtual Networking. In order to activate and successfully log in to the SSL VPN portal, there must be a firewall policy that goes from the SSL VPN interface to the interface that is listening for the SSL VPN login, and that includes all of the users/groups that can log in as the source. If there are multiple interfaces listening for a login, then all of them must be specified, either with different policies or in the same policy. Without a policy like this, no login portal is presented to users.
In this example, there are three different user groups that log in remotely: Teachers, Accountants, and Students. In order to enable authentication, you must create a firewall policy with ssl.root as the source interface that includes those three groups in the source. That firewall policy will enable the login portal and allow those groups to authenticate. It will also allow those groups to access resources and bookmarks that are beyond the wan1 interface. Without a firewall policy from the ssl. interface to the interface the user is connecting through, no login portal will be presented. If there are resources behind other interfaces that tunnel mode users need access to, then you need to create additional policies that allow traffic from ssl.root to exit those interfaces. If resources inside are allowed to initiate traffic to hosts on the other side of the SSL tunnel, then policies need to be in place to allow that.
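The login-policy rule above (every login group needs an ACCEPT policy from the ssl.<vdom> virtual interface to every interface listening for logins) is easy to get wrong when several interfaces listen. The following check is an added example, not part of the guide or FortiOS; the Policy class, the interface names wan2 and port2, and the sample policies are constructed for illustration.

```python
"""Added example (not from the Fortinet guide): a check for the rule that every
group allowed to log in to the SSL VPN needs an ACCEPT policy from the
ssl.<vdom> virtual interface to every interface listening for logins.
Policy objects and sample data below are constructed, not exported from a FortiGate."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    srcintf: str            # e.g. "ssl.root"
    dstintfs: frozenset     # one policy may name several destination interfaces
    groups: frozenset       # user groups in the policy's source definition
    action: str = "accept"


def ssl_interface(vdom: str = "root") -> str:
    """SSL VPN traffic leaves a virtual interface named after its VDOM."""
    return f"ssl.{vdom}"


def missing_login_policies(policies, login_groups, listening_intfs, vdom="root"):
    """Map each group to the listening interfaces on which no login policy covers it.

    An empty dict means every group is presented a login portal on every interface.
    """
    sslif = ssl_interface(vdom)
    gaps = {}
    for group in login_groups:
        uncovered = [
            intf for intf in listening_intfs
            if not any(
                p.action == "accept"
                and p.srcintf == sslif
                and intf in p.dstintfs
                and group in p.groups
                for p in policies
            )
        ]
        if uncovered:
            gaps[group] = uncovered
    return gaps


# Constructed sample: the guide's three groups; logins are listened for on wan1 and wan2.
SAMPLE_POLICIES = (
    Policy("ssl.root", frozenset({"wan1"}), frozenset({"Teachers", "Accountants", "Students"})),
    Policy("ssl.root", frozenset({"wan2"}), frozenset({"Teachers"})),
    # Internal-resource policy (the optional fifth step): not a login policy, must not count.
    Policy("ssl.root", frozenset({"port2"}), frozenset({"Accountants"})),
    # A deny policy must not count either.
    Policy("ssl.root", frozenset({"wan2"}), frozenset({"Students"}), action="deny"),
)
LOGIN_GROUPS = ("Teachers", "Accountants", "Students")

if __name__ == "__main__":
    print(missing_login_policies(SAMPLE_POLICIES, LOGIN_GROUPS, ["wan1", "wan2"]))
    # {'Accountants': ['wan2'], 'Students': ['wan2']}
```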
As an optional step, you can create firewall policies for traffic to the internal network. Any traffic that gets generated by the users of the SSL VPN exits from the ssl. interface. This includes not only tunnel mode traffic, but traffic generated by the widgets on the web portal page. The firewall policy discussed in step four allows login and access to external resources. As such, policies should be created to allow users access to resources inside the network.
In this lesson, we discussed:
• What SSL VPN is and how it operates
• Differences of SSL VPN vs. IPsec VPN
• Web-only mode, tunnel mode (including split tunneling), and port forwarding
• Methods of connecting to SSL VPN tunnels
• Portals, bookmarks and realms
• Securing SSL VPN access through client integrity checking and restricting host connection access
• Monitoring SSL VPN users
• Configuring SSL VPN

Basic IPsec VPN
In this lesson, we will show you how to set up site-to-site IPsec VPN. VPNs are heavily used in today’s IT infrastructure to join private corporate networks across the Internet. IPsec is an RFC standard. Whether you have FortiGate devices only or mix in another vendor’s devices, the principles are essentially the same.
After completing this lesson, you should have these practical skills that you can use to set up a simple IPsec tunnel for a site-to-site VPN. During this, we will explain how to choose between configuring a policy-based or route-based VPN. You will also learn how to verify the status of each tunnel.
A Virtual Private Network (VPN) allows people in remote places – separated by the Internet – to securely access resources on your local network. For example, if workers are traveling or working from home, you can use a VPN to give LAN access to them. You can also use a VPN to interconnect multiple campuses. There are multiple types of VPN: PPTP, L2TP, SSL VPN, and IPsec are popular choices.
• PPTP is fast, but security is weak, and easily defeated.
• IPsec requires a gateway or installation of client software. So it is more complicated to set up for mobile users than SSL VPN, where they can simply utilize their web browser instead.
• SSL VPN is designed for tunnels between a single client and a LAN, not between entire offices.
Because of this, many networks now use a combination of SSL VPN – for mobile user access – and IPsec or L2TP – for tunnels between offices. Often, “tunnel” is used as a synonym for “VPN,” although not all VPNs technically are tunnels, as we will see in a minute.
When should you use IPsec? What is it? It is a vendor-neutral standard set of protocols used to join two physically distinct LANs, as if they were a single logical LAN, despite being separated by the Internet. In theory, RFC 2409 and 4305 do support null encryption – that is, you can make VPNs which do not encrypt traffic. The RFCs also support null data integrity. But does that provide any advantages over plain traffic? No. No one can trust traffic that may have had an attack injected by an attacker. Rarely do people want data sent by an unknown person. Most people also want private network data, such as credit card transactions and medical records, to remain private. So in reality, regardless of vendor, IPsec VPNs almost always have settings for 3 important benefits:
• Authentication, to verify the identity of at least the initiator (and sometimes also the responder);
• Data integrity, or HMAC, to prove that encapsulated data has not been tampered with as it traverses a potentially hostile network;
• Confidentiality, or encryption, to ensure that only the intended recipient can read the message.
And, of course, VPNs have virtual routing and network settings to use when joined to the remote LAN.
When we say “the IPsec protocol,” what layers & protocols are we talking about? IPsec injects itself above the third layer: IP. What’s encapsulated? It depends on the mode. IPsec can operate in two modes: transport mode, or tunnel mode.
• Transport mode directly encapsulates what would usually be the fourth layer (TCP transport, for example) and above. Once the IPsec encapsulation is removed, there is no additional routing layer left. That’s why it’s also called “direct peer-to-peer” or “client-to-client”. So this mode is not technically a “tunnel,” even though many people use the words “VPN” and “tunnel” interchangeably. (“Tunneling” technically means encapsulating an IP packet inside another IP packet.) Transport mode does not traverse NAT well – especially carrier-grade symmetric NAT – and depending on the case, may require NAT Traversal, ALG or hole punching, or may not work. This is because port numbers are inside the encrypted ESP payload.
• Tunnel mode is a true tunnel. Encapsulation first adds a second IP layer, then the original transport layer (TCP, UDP, etc.). The second IP layer contains a private network address that is routable on the remote network. Once the IPsec packet reaches the remote LAN, and is “unwrapped,” the packet can continue on its journey.
To fit an IPsec packet into the frame, when FortiGate applies ESP, one payload may be split in order to fit into two packets. So you don’t need to adjust frame MTU. But this does mean that you might need more bandwidth for VPN traffic.
Let’s look at the 2 methods of encapsulation: Which should you choose? Why might some extra bandwidth be needed? Why is NAT traversal necessary? Blue underlined parts of each packet are additional bits that are required by ESP. It varies by transport vs. tunnel mode. Relative to a non-IPsec packet, notice that the green Layer 4 transport area of the frame is now shorter. Remember, the 1500 byte default frame MTU has not changed. Payload length is variable, and filled with padding. So this doesn’t always matter. But if the additional ESP bits cause the packet payload to not fit, then FortiGate must split the payload into multiple frames. IKE is in separate packets, too, and also requires additional bits to be transmitted. You are trading some bandwidth for:
• Security and,
• Routability (in the case of tunnel mode)
Notice that after you remove the VPN-related headers, a transport mode packet can’t be transmitted any further – it has no second IP header inside. So it’s not routable. That’s OK if the packet is decrypted at an endpoint such as the FortiGate itself (think of encrypted Syslog tunnels, and some special cases such as multicast, GRE-IPSec and L2TP-IPSec for Windows/Android clients), but not usually if there are more router hops until the packet reaches its destination. For those purposes, you’ll need tunnel mode instead. Notice, too, that TCP or UDP port numbers are inside the ESP payload. They will be encrypted. So NAT can’t rewrite them for port forwarding or port overloading.
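To put numbers on the bandwidth trade-off described above, here is an added example (not from the guide) that works out how much Layer 4 data still fits in a 1500-byte frame after ESP is applied in transport and tunnel mode, and how many frames a full-size segment then needs. It assumes IPv4 without options and the common AES-CBC with HMAC-SHA1-96 suite (16-byte IV, 12-byte ICV); the optional NAT-T flag adds the 8-byte UDP header used when ESP is wrapped in UDP.

```python
"""Added example (not from the Fortinet guide): Layer 4 capacity per frame and
frame count once ESP is applied, in transport vs. tunnel mode.  Assumed suite:
AES-CBC with HMAC-SHA1-96 over IPv4 without options; other suites change the
IV and ICV sizes below."""
import math

MTU = 1500          # default frame MTU referred to in the text
IP_HDR = 20         # IPv4 header, no options
ESP_HDR = 8         # SPI (4) + sequence number (4), sent in the clear
ESP_IV = 16         # AES-CBC initialisation vector
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the ciphertext
ESP_ICV = 12        # HMAC-SHA1-96 integrity check value
BLOCK = 16          # AES block size; plaintext + trailer is padded to a multiple
UDP_HDR = 8         # added when NAT-T wraps ESP in UDP


def esp_packet_size(l4_bytes: int, mode: str, nat_t: bool = False) -> int:
    """On-the-wire IPv4 packet size for l4_bytes of transport-layer data."""
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # Tunnel mode encrypts the original IP header too (the second IP layer);
    # transport mode keeps the single IP header outside the ESP envelope.
    plaintext = l4_bytes + ESP_TRAILER + (IP_HDR if mode == "tunnel" else 0)
    ciphertext = math.ceil(plaintext / BLOCK) * BLOCK  # block padding
    size = IP_HDR + ESP_HDR + ESP_IV + ciphertext + ESP_ICV
    return size + UDP_HDR if nat_t else size


def max_l4_per_frame(mode: str, nat_t: bool = False) -> int:
    """Largest l4_bytes whose ESP packet still fits one MTU-sized frame."""
    for n in range(MTU - IP_HDR, -1, -1):   # walk down from the plain-IP maximum
        if esp_packet_size(n, mode, nat_t) <= MTU:
            return n
    return 0


def frames_needed(l4_bytes: int, mode: str, nat_t: bool = False) -> int:
    """Frames needed for l4_bytes once ESP overhead is accounted for."""
    return max(1, math.ceil(l4_bytes / max_l4_per_frame(mode, nat_t)))


def overhead_bytes(mode: str, nat_t: bool = False) -> int:
    """Bytes of Layer 4 capacity lost per frame compared with plain IP."""
    return (MTU - IP_HDR) - max_l4_per_frame(mode, nat_t)


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for nat_t in (False, True):
            print(f"{mode:9s} nat_t={nat_t!s:5s} max L4/frame={max_l4_per_frame(mode, nat_t)} "
                  f"overhead={overhead_bytes(mode, nat_t)} "
                  f"frames for a 1480-byte segment={frames_needed(1480, mode, nat_t)}")
```

A TCP segment that filled a plain 1500-byte frame (1480 bytes of Layer 4 data) no longer fits in either mode and is split across two frames, which is the extra bandwidth the text refers to.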
Because encapsulation styles and other settings vary, and any mismatches cause VPNs to fail, starting with FortiOS 5.2, there are VPN templates. You can use these to simplify VPN setup – reducing the guesswork about what settings are compatible between devices. But sometimes you may need to create a tunnel manually, or pass it through a NAT device. So let’s show you how.
If you’re passing your VPN through NAT devices such as firewalls, it helps to know which protocols to allow. Really, “IPsec” means three separate protocols:
• IKE, which is used to authenticate peers, exchange keys, and negotiate the encryption and checksums that will be used; essentially, it is the “control channel”
• AH, which is the “authentication header” – the checksums that verify the integrity of the data
• ESP, which is the “encapsulated security payload” – the encrypted payload, essentially, the “data channel”
So if you need to pass IPsec traffic through another firewall, remember: allowing just 1 protocol or port number is not enough.
Note that although the IPsec RFC mentions AH, it does not offer encryption, an important benefit. So it is not used by FortiGate. As a result, you don’t need to allow IP protocol 51. To make a VPN, configure matching settings on both ends – whether the VPN is between 2 FortiGates, or between a FortiGate and FortiClient, or between a 3rd party device and a FortiGate. If the settings don’t match, tunnel setup will fail.
Let’s talk about how FortiGate starts an IPsec tunnel. If you’re creating a custom VPN tunnel, it will help you to understand which settings to use, and how tunnels work.
On FortiGate, there are two ways a packet can initiate an IPsec VPN: by matching a route, or by matching a policy. (In our older documentation, route-based used to be called “interface-based,” and policy-based used to be called “tunnel-based.”) How do you know when to use policy-based or route-based? Generally, try to use route-based. It offers more flexibility and control. You can implement very complex routing scenarios, such as tunneled traffic that must be steered with policy-based routing, or GRE over IPsec. In comparison, policy-based VPNs must be used when the FortiGate is in transparent mode, or if the other peer requires L2TP over IPsec.
In addition to different limitations, how you configure them is different.
• In a route-based VPN, FortiGate automatically adds a virtual interface with the Phase 1’s name. Two firewall policies with the action ACCEPT are usually required: one for sessions originating on the local network, and another for sessions from the remote network. You also need to route the VPN traffic to the virtual interface (usually with a static route).
• In a policy-based VPN, only one firewall policy with the action IPSEC is required. The policy is bidirectional. By default, the GUI hides policy-based VPNs. To show policy-based VPN settings, use the CLI setting “set gui-policy-based-ipsec enable” (under config system settings).
Both sides of your VPN don’t need to be configured in the same mode. You can configure one peer as route-based and the other as policy-based. But the Phase 1 and Phase 2 settings must match.
If you have a simple case, like the site-to-site scenario in this lesson, use the VPN wizard. But if you need to tailor your VPN settings, you can still make a custom VPN. When making a route-based VPN, one additional step is usually required: you must also create a route to direct VPN traffic to the new virtual IPsec interface. (If you use the wizard, though, this is done automatically.)
When the VPN wizard is completed, FortiGate automatically creates many of the required objects:
• Addresses and address groups
• Static routes
• Policies
• Phase 1 and Phase 2 settings
To immediately check the status of your tunnel, click “Show Tunnel List.” This can be your first test of whether your VPN is working.
How does FortiGate bring up a VPN? Let’s begin by talking about Internet Key Exchange (IKE) Phase 1. This is when each endpoint of the tunnel, the initiator and the responder, connect and begin to set up the VPN. When they first connect, the channel is not secure yet. An attacker in the middle could intercept anything sent in the clear, and neither end has a strong guarantee of the other’s identity. So how can they agree on secret keys? Not by sending them. First, both ends have to create a temporary secure channel. They’ll use this to protect strong authentication, and to negotiate the “real” keys for the “real” tunnel later. Let’s show how this works.
This is Phase 1, where peers say hello and create an IKE SA that defines a temporary secure channel. What is an SA? A security association is simply the algorithms and parameters used to encrypt and authenticate data between two points. Settings must agree; otherwise Phase 1 will fail, because each side wouldn’t be able to decrypt or authenticate traffic from the other. The Phase 1 exchange itself can run in “main mode” (six messages, with the peers’ identities sent only after the channel is encrypted) or “aggressive mode” (three messages, faster, but the identities are sent in the clear). Details are in the advanced IPsec lesson. The Phase 1 IKE SA is a secure channel that is used to:
• carry the Diffie-Hellman exchange whose keys will be used by Phase 2, and
• negotiate and build the final ESP tunnels.
At the end of Phase 1, FortiGate uses the Diffie-Hellman method. Each peer picks a private value that it never sends, and transmits only its public value; combining its own private value with the peer’s public value gives both sides the same shared secret. The nonces exchanged during Phase 1 are mixed in when keys are derived from that secret.
This is crucial. With Diffie-Hellman, even if an attacker can listen in to the messages containing the public values and nonces, they cannot determine the shared secret. This is why it works even over an IKE channel that is not yet authenticated, for example before a user name, password and FortiToken have been exchanged. The shared secret is then used to calculate additional keys: one for symmetric encryption and one for authentication (integrity) of the IKE channel.
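The exchange described above, as an added example that is not part of the original guide or of FortiOS: two peers derive the same shared secret from public values only, then derive separate authentication and encryption keys from it together with the nonces and cookies, following the pre-shared-key key derivation of RFC 2409 section 5 (SKEYID = prf(psk, Ni|Nr), then SKEYID_d, SKEYID_a and SKEYID_e). The prime used is a toy parameter chosen so the example runs instantly; it is not an IKE group. Real IKE uses the RFC 3526 MODP groups, which FortiGate lets you select per Phase 1.

```python
"""IKEv1 Phase 1 key agreement: added example, not FortiGate code.

Two peers each pick a private exponent, exchange public values g^x mod p,
and arrive at the same shared secret g^xy; the exchanged nonces and cookies
are then mixed in to derive distinct keys (RFC 2409 section 5, PSK auth).
TOY group parameters below: 2^255-19 is prime but is NOT an IKE group.
"""
import hashlib
import hmac
import secrets

P = 2**255 - 19     # toy modulus for illustration only; not an IKE DH group
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for the SHA1 hash proposal: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.x = secrets.randbelow(P - 2) + 1   # private exponent, never sent
        self.public = pow(G, self.x, P)         # g^x mod p, sent in the clear
        self.nonce = secrets.token_bytes(16)    # Ni or Nr, sent in the clear
        self.cookie = secrets.token_bytes(8)    # CKY-I or CKY-R, in the ISAKMP header

    def shared_secret(self, peer_public: int) -> bytes:
        """g^xy mod p: identical on both sides, never transmitted."""
        return pow(peer_public, self.x, P).to_bytes(32, "big")


def derive_keys(psk: bytes, gxy: bytes, ni: bytes, nr: bytes,
                cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 key material for a pre-shared-key authenticated Phase 1."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")               # seeds Phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")    # IKE authentication
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")    # IKE encryption
    return {"d": skeyid_d, "a": skeyid_a, "e": skeyid_e}


def phase1(psk_initiator: bytes, psk_responder: bytes):
    """Run the exchange and return (initiator keys, responder keys).

    The two key sets agree only if both peers hold the same PSK and computed
    the same g^xy; a mismatched PSK yields different keys and Phase 1 fails.
    """
    i, r = Peer(psk_initiator), Peer(psk_responder)
    # An eavesdropper sees i.public, r.public, both nonces and both cookies,
    # but not i.x or r.x, and so cannot compute g^xy.
    gxy_i = i.shared_secret(r.public)
    gxy_r = r.shared_secret(i.public)
    keys_i = derive_keys(i.psk, gxy_i, i.nonce, r.nonce, i.cookie, r.cookie)
    keys_r = derive_keys(r.psk, gxy_r, i.nonce, r.nonce, i.cookie, r.cookie)
    return keys_i, keys_r


if __name__ == "__main__":
    ki, kr = phase1(b"s3cret", b"s3cret")
    print("keys agree:", ki == kr)
```

Note that the pre-shared key never travels on the wire either: it only feeds the prf, which is why a wrong PSK shows up as an authentication failure rather than as a decryption error of something sent in the clear.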
If your VPN must pass through a NAT device, as we mentioned, ESP encryption would normally prevent the NAT device from reading and remapping the port numbers inside. To solve this, Phase 1 was extended with NAT traversal, also called “NAT-T.” When NAT-T is enabled on both ends, the peers can detect a NAT device along the path: each sends a hash of the addresses and ports it sees, and a mismatch means something in between rewrote them. If NAT is found, then:
• The remaining Phase 1 packets and all Phase 2 packets move from UDP port 500 to UDP port 4500
• FortiGate and the client encapsulate ESP inside UDP port 4500, so the NAT device has a port it can rewrite
So if you have two FortiGates that are behind, for example, an ISP modem that does NAT, you will probably need to enable this setting.
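The following added example (not Fortinet code) ties the two points above together: it labels the packets that make up an IPsec VPN, with and without NAT-T, and then checks which of them a given firewall rule set would drop. The UDP 4500 framing follows RFC 3948: IKE on that port carries a 4-byte zero “non-ESP marker”, ESP-in-UDP starts directly with the (never zero) SPI, and a 1-byte 0xFF payload is a NAT keepalive. The packets and rule sets are constructed sample data.

```python
"""IPsec passthrough classifier: added example, not FortiGate code.

Labels the packets of an IPsec VPN so you can check that a firewall in the
path allows all of them.  NAT-T framing per RFC 3948: on UDP 4500, IKE
carries a 4-byte zero non-ESP marker, ESP-in-UDP begins with the SPI, and
a single 0xFF byte is a NAT keepalive.  Packets below are constructed.
"""
from collections import namedtuple

# proto is the IP protocol number; dport is None for non-UDP protocols
Packet = namedtuple("Packet", "proto dport payload")

PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17
IKE_PORT, NAT_T_PORT = 500, 4500


def classify(pkt: Packet) -> str:
    if pkt.proto == PROTO_ESP:
        return "ESP"
    if pkt.proto == PROTO_AH:
        return "AH"
    if pkt.proto == PROTO_UDP and pkt.dport == IKE_PORT:
        return "IKE"
    if pkt.proto == PROTO_UDP and pkt.dport == NAT_T_PORT:
        if pkt.payload == b"\xff":
            return "NAT-keepalive"
        if pkt.payload[:4] == b"\x00\x00\x00\x00":
            return "IKE-NAT-T"          # non-ESP marker, then the IKE header
        return "ESP-UDP"                # a real SA never has SPI 0
    return "other"


def passes(rules, pkt: Packet) -> bool:
    """rules: iterable of (protocol number, UDP port or None)."""
    key = (pkt.proto, pkt.dport if pkt.proto == PROTO_UDP else None)
    return key in set(rules)


def blocked_kinds(rules, packets) -> list:
    """Sorted set of VPN traffic types the rule set would drop."""
    return sorted({classify(p) for p in packets if not passes(rules, p)})


# constructed capture: a tunnel before and after NAT detection
SAMPLE = [
    Packet(PROTO_UDP, 500,  b"\x11" * 28),                           # IKE main mode
    Packet(PROTO_ESP, None, b"\x00\x00\x10\x01" + b"\x00" * 20),     # ESP, SPI 0x1001
    Packet(PROTO_UDP, 4500, b"\x00\x00\x00\x00" + b"\x11" * 28),     # IKE after NAT detected
    Packet(PROTO_UDP, 4500, b"\x00\x00\x10\x01" + b"\x00" * 20),     # ESP in UDP
    Packet(PROTO_UDP, 4500, b"\xff"),                                # NAT keepalive
]

# the rule sets being compared: "just IKE", IKE + ESP, and IKE + ESP + NAT-T
IKE_ONLY = [(PROTO_UDP, 500)]
NO_NAT_T = [(PROTO_UDP, 500), (PROTO_ESP, None)]
WITH_NAT_T = NO_NAT_T + [(PROTO_UDP, 4500)]

if __name__ == "__main__":
    for name, rules in (("IKE only", IKE_ONLY), ("IKE+ESP", NO_NAT_T), ("IKE+ESP+NAT-T", WITH_NAT_T)):
        print(f"{name:14} drops: {blocked_kinds(rules, SAMPLE)}")
```

AH (IP protocol 51) is deliberately absent from every rule set, matching the note above that FortiGate does not use it; if a third-party peer proposes AH, the classifier will still label it so the drop is visible.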
Once details such as dead peer detection, NAT, and symmetric keys have been determined, your FortiGate is ready to establish the “real” SA: the IPsec SA, which defines the ESP channel that will be used to encapsulate and transmit data through the VPN. It does this via IKE Phase 2. There is one IKE SA per Phase 1, but there can be two or more IPsec SAs under it, since each Phase 2 produces its own. Let’s see how.
Once Phase 1 has established a somewhat secure channel and shared keys, Phase 2 begins. Phase 2 negotiates security parameters for the IPsec SA, not to be confused with the IKE SA. It is this IPsec SA, not IKE, that ESP will use to transmit data between LANs. IKE Phase 2 does not end once ESP begins. Phase 2 periodically renegotiates keys. This maintains security. Also, if you enable Perfect Forward Secrecy, each time the Phase 2 session key expires, FortiGate will run Diffie-Hellman again to calculate a new common secret. So even if the same encryption algorithms are selected each time, the ESP tunnel will be changing to use a different key, and compromising one key does not reveal traffic protected by earlier or later ones. Each Phase 1 can have multiple Phase 2s. When would this happen? For example, you may want to use different encryption keys for each subnet whose traffic is crossing the tunnel. How does FortiGate select which Phase 2 to use? By the quick mode selectors. Additionally, most traffic is two-way traffic. So this means there are usually two tunnels, and two ESP SAs per Phase 2: one for each direction.
During Phase 2, we must configure a pair of settings called quick mode selectors. They identify and direct traffic to the appropriate Phase 2 if there are multiple. In other words, they allow granular SAs. Selectors behave similarly to a firewall policy. VPN traffic must match the selectors of one of the Phase 2 SAs. If it does not, the traffic is dropped. When configuring selectors, specify the source and destination IP subnets that will match each Phase 2. You can also specify the protocol number, and source and destination ports for the allowed traffic. In point-to-point VPNs, such as when connecting a branch office FortiGate to a headquarters FortiGate, both sides’ configuration must mirror each other. Quick mode selectors for dial-up VPNs are different, and details are in the advanced IPsec lesson.
Once all settings are configured, each time a host on your local LAN sends a packet whose destination is on the remote LAN, FortiGate should automatically bring up the VPN tunnel. It should remain available for some time, as long as the tunnel is being used.
If you need detailed control of your VPN, such as for IKE version 2, you can still configure it manually.
If you are configuring a custom VPN, you can start from the wizard. Click Custom VPN Tunnel (No Template). Configure the remote FortiGate’s WAN IP address, and indicate which network interface on this local FortiGate is the gateway that leads to it. FortiGate will use this to connect to the other end. If your peers use pre-shared keys for the initial (IKE) authentication, both peers must be configured with the same pre-shared key. For Phase 1, choose which encryption and authentication to propose, and so on. They should match, too. If peers can’t agree on IKE security, even Phase 1 won’t be established. So if in doubt, make sure Phase 1 and Phase 2 settings on both FortiGates match.
You already identified the other FortiGate’s WAN IP (the “Remote Gateway”), so now also indicate your local FortiGate’s WAN IP. Remember: during IKE, each side must have some way to identify its peer so that it can label the IKE SA. Once Phase 1 completes, Phase 2 begins. This sets up the ESP tunnels that will be used for actual data transfer. For each subnet on each end of the VPN, you can specify different levels of ESP security. For example, connections to the Finance LAN might need larger key sizes and stronger authentication. To do this, configure multiple Phase 2 entries. For simplicity, here, we show only one Phase 2: the “Local Address” is our LAN, and the “Remote Address” is the remote LAN. Remember that if traffic doesn’t match an IPsec SA, the IPsec engine will drop the packet. Usually, it’s more intuitive to filter traffic with firewall policies. So if you don’t want to use SA filtering, you can set the quick mode selectors to 0.0.0.0/0 on both ends and let the firewall policies decide what is allowed.
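The selector matching described in the two passages above (quick mode selectors, and the 0.0.0.0/0 catch-all), as an added example that is not Fortinet code: each Phase 2 carries a local/remote subnet pair plus optional protocol and ports, outgoing traffic is handed to the first Phase 2 it matches, traffic that matches none is dropped, and mirror() shows what the remote peer of a point-to-point VPN must configure for the same Phase 2 to negotiate. The Phase 2 definitions and flows are constructed sample data.

```python
"""Phase 2 (quick mode) selector matching: added example, not FortiGate code.

A flow is carried by the first Phase 2 whose selectors it matches; a flow
that matches no Phase 2 is dropped by the IPsec engine.  Phase 2 entries and
flows below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Phase2:
    name: str
    local: str            # "Local Address" in the GUI (CIDR)
    remote: str           # "Remote Address" (CIDR)
    proto: int = 0        # IP protocol number, 0 = any
    sport: int = 0        # 0 = any
    dport: int = 0        # 0 = any


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def _port_ok(selector: int, actual: int) -> bool:
    return selector == 0 or selector == actual


def matches(p2: Phase2, f: Flow, outbound: bool = True) -> bool:
    """Outbound flows: src in local, dst in remote.  Inbound flows are the
    mirror image, which is why a point-to-point peer's selectors must be
    the mirror of ours."""
    if not outbound:
        f = Flow(f.dst, f.src, f.proto, f.dport, f.sport)   # view it from our side
    local_net = ipaddress.ip_network(p2.local)
    remote_net = ipaddress.ip_network(p2.remote)
    src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    return (src in local_net and dst in remote_net
            and (p2.proto == 0 or p2.proto == f.proto)
            and _port_ok(p2.sport, f.sport)
            and _port_ok(p2.dport, f.dport))


def select_phase2(phase2s: List[Phase2], f: Flow, outbound: bool = True) -> Optional[str]:
    """Name of the Phase 2 (IPsec SA) that carries this flow, or None = drop."""
    for p2 in phase2s:
        if matches(p2, f, outbound):
            return p2.name
    return None


def mirror(p2: Phase2) -> Phase2:
    """The selector the remote peer must configure for this Phase 2."""
    return Phase2(p2.name, p2.remote, p2.local, p2.proto, p2.dport, p2.sport)


# constructed HQ side: Finance HTTPS gets its own SA, everything else shares one
HQ = [
    Phase2("finance", "10.1.50.0/24", "10.2.50.0/24", proto=6, dport=443),
    Phase2("general", "10.1.0.0/16", "10.2.0.0/16"),
]
# the catch-all used when you would rather filter with firewall policies
CATCH_ALL = [Phase2("any", "0.0.0.0/0", "0.0.0.0/0")]

if __name__ == "__main__":
    for f in (Flow("10.1.50.7", "10.2.50.9", 6, 51000, 443),
              Flow("10.1.50.7", "10.2.50.9", 6, 51000, 80),
              Flow("10.1.3.4", "192.168.1.1", 17, 1, 53)):
        print(f"{f.src}->{f.dst} proto {f.proto} dport {f.dport}: {select_phase2(HQ, f)}")
```

Order matters: the more specific "finance" entry is listed first, so an HTTPS flow between the two Finance subnets gets the stronger SA while any other traffic between the /16s falls through to "general".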
If you used the wizard for everything, it would have created routes and policies suitable for a route-based VPN. What if you, for example, have a FortiGate in transparent mode? Remember, first, you must enable the GUI to show policy-based IPsec options. Configure your phases as before, then create a policy. When policy-based VPN settings are visible, an additional “Action” setting is available when you configure a policy. Choose “IPsec.” Then choose the policy-mode tunnel settings. If you enable “Allow traffic to be initiated from the remote site,” you only need to make one policy. It will govern both directions.
With a route-based VPN, firewall policies are different.
• There are usually two policies, not one.
• The interface doesn’t match wan1; it matches the virtual interface, which in this example is named “HQ-to-Branch.”
The VPN wizard is the easiest way to make these. If you used it, you can skip this step. But if you want to manually set up a VPN, use these as examples.
In a route-based VPN, you need to route VPN traffic destined for the remote LAN to the IPsec interface. If you used the wizard, this was created for you automatically. (In a policy-based VPN, traffic is routed to wan1 or another external interface instead. Since there is usually a default route, which sends all non-local packets towards the Internet, policy-based VPNs can usually skip this step.) To do this, you’ll usually add a static route.
In the GUI, there is a tool to monitor the status of your IPsec VPNs. Through this tool, you can see how much traffic has passed through each tunnel. You can also start and stop individual tunnels, and get additional details. If the tunnel is up, a green arrow appears next to its name. If it is down or not in use, a red arrow is displayed. For example, here, simply by looking at the “Remote Gateway” column, you can find a misconfiguration: the IP should be an interface on the remote FortiGate, not a subnet address. So the tunnel is impossible to bring up.
This example shows three different VPN tunnels: Client_VPN, Home_VPN, and Office_VPN. The Phase 1 Office_VPN appears twice because it has two separate Phase 2s associated with the same Phase 1. The other VPNs have one Phase 2 per Phase 1. For each Phase 2, we can see the Phase 1 name, the remaining key lifetime, the status and the quick mode selectors.
If your tunnel is not starting, it helps to know the expected behavior, which varies by type. The slide outlines the steps. Depending on whether you are creating a route-based (interface-based) or policy-based VPN, FortiGate uses a different mechanism. One common mistake is to configure a policy-based VPN but set the policy action to “ACCEPT”: this causes FortiGate to egress clear-text packets, not encrypted ones. Another common mistake is to route egressing packets to the wrong port. Remember, route-based VPNs must egress through the virtual IPsec interface, not the WAN interface.
Like any feature, IPsec uses some system resources. Requirements vary by the number of VPNs. Strong cryptography involving large key sizes can increase resource usage noticeably. Many FortiGate models have specialized FortiASIC chips to increase IPsec cryptographic performance, so especially if you have many tunnels simultaneously, check that your configuration offloads cryptography to these chips where possible. In some cases, you may be able to offload incoming traffic to one ASIC, and outgoing traffic to another. Details are in the hardware acceleration lesson.
To review, these are the topics we’ve talked about. We presented an overview of the IPsec technology, which includes Internet Key Exchange, phase 1, phase 2, Diffie-Hellman and Quick Mode Selectors. We also showed the difference between policy-based and route-based VPNs, and how to use the VPN monitor.
Antivirus & Conserve Mode
In this lesson, we will show you how to use antivirus scanning on a FortiGate. Since antivirus scanning is one of the features that, depending on your configuration and chosen signature database, can use significant RAM, we will also show you how to resolve “conserve mode.”
After completing this lesson, you should have these practical skills. Not only will you be able to configure antivirus, but you should have a better understanding of how virus scanning works, along with knowledge of some tools to help you optimize memory usage on your FortiGate.
How old are viruses? In 1949, John von Neumann gave lectures at the University of Illinois about what he called “self-replicating automata.” On ARPANET, the precursor to the Internet, the first virus, named Creeper, was detected in 1971. Since then, malicious software has evolved into many types. Technically, although we often refer to all malware as viruses, not every piece of unwanted software behaves like a virus: malware is not always self-replicating, and sometimes users willingly install it. To include viruses, worms, Trojans, spyware and all the others, we now use the term “malware.” Malware can be divided into two major types:
• viruses, which infect the computer and spread on their own (generally via an exploit), such as Flash ad banners whose binaries contain buffer overflow code
• grayware, which requires some kind of user interaction but convinces the user that the benefit outweighs the cost, such as browser toolbars that also track the user’s activity and insert their own ads into web pages
Within the category of viruses, there are two important subtypes:
• Trojans, such as Zeus, which, like the literary Trojan horse, trick users into letting down their defenses and installing them, and then often use the network to spread via email or instant message.
• Worms, such as Conficker and Code Red, which spread by connecting to open ports on the network and exploiting misconfigurations or other vulnerabilities in those daemons.
A Trojan can infect the same host multiple times, but that happens when another copy arrives from an external source. The local copy of the software does not try to re-infect the computer. Are all viruses malicious? By definition, yes. But some white hat hackers and academics have written beneficial worm-like software. It spreads via the same exploits, but then cleans infections and/or patches the host. For example, Creeper was followed by Reaper, which removed Creeper from infected systems.
Regardless of how the virus spreads, once installed, a virus is somehow malicious. What makes it malicious? Its behavior. (This is one of the reasons, by the way, that security analysts use sandboxing such as FortiSandbox to discover new viruses. Looking at which C functions a virus contains, for example, cannot find all viruses. A forensics lab must see which functions actually execute, and what the effects are.) Most people are familiar with spyware, adware, and rootkits. Malware could also be:
• Ransomware, such as CryptoLocker, is fairly new. The software holds the computer hostage, often encrypting critical user data with a password or secret key, until the victim pays the extortionist.
• Key loggers record keystrokes and return them to a remote location, including administrator logins and the personal email addresses of executives.
• Mass mailers transform computers into open relay mail servers for a botnet, often managed via remote command and control, sending spam for hire. These are often operated by organized crime syndicates.
Just as viruses have evolved many vectors for spreading, they have also evolved many techniques for evading antivirus engines and manual analysis. Viruses can encrypt their payloads, or change the exact code. As a result, when comparing a signature to the binary sample, the two aren’t an exact, bit-by-bit match. So in order to detect the virus, the engine must be able to either match flexibly, or ignore the changeable parts of the code and match only on the polymorphic or metamorphic engine itself.
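An added example (not FortiGuard engine code) of the two matching strategies just described. A toy “polymorphic” sample re-encodes its payload with a fresh XOR key on every copy, so a signature taken from the payload of one copy fails on every other copy; its small decoder stub keeps the same opcodes and only changes the key and length bytes, so a masked signature that wildcards those two bytes matches every variant. The stub bytes, payload and signatures are all constructed, not taken from real malware.

```python
"""Exact vs. masked (wildcard) signatures against a polymorphic sample:
added example, not FortiGuard engine code.

build_sample() produces a fresh variant per key: a short decoder stub with
two variable bytes (key, length) followed by the XOR-encoded payload.  All
byte patterns here are constructed for illustration.
"""

PAYLOAD = b"this is the constructed malicious payload body"


def build_sample(payload: bytes, key: int) -> bytes:
    """One polymorphic variant: decoder stub + payload XOR key."""
    encoded = bytes(b ^ key for b in payload)
    stub = bytes([0xB0, key,                    # "load key": variable byte
                  0xB9, len(payload) & 0xFF,    # "load length": variable byte
                  0x30, 0x07, 0x47, 0xE2, 0xFB])  # fixed decode-loop bytes
    return stub + encoded


STUB_LEN = 9


def exact_signature(sample: bytes) -> bytes:
    """Naive signature: 16 bytes lifted from one sample's encoded payload."""
    return sample[STUB_LEN:STUB_LEN + 16]


# masked signature over the stub: mask 0x00 marks a wildcard byte
STUB_PATTERN = bytes([0xB0, 0x00, 0xB9, 0x00, 0x30, 0x07, 0x47, 0xE2, 0xFB])
STUB_MASK = bytes([0xFF, 0x00, 0xFF, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF])


def match_exact(sample: bytes, sig: bytes) -> bool:
    return sig in sample


def match_masked(sample: bytes, pattern: bytes, mask: bytes) -> bool:
    """Slide the pattern over the sample, comparing only unmasked bits."""
    n = len(pattern)
    for i in range(len(sample) - n + 1):
        window = sample[i:i + n]
        if all((w & m) == (p & m) for w, p, m in zip(window, pattern, mask)):
            return True
    return False


def detection_rates():
    """Fraction of all other variants caught by each signature type.

    The exact signature is taken from the variant with key 0x5A; every other
    key produces a different encoded payload, so it should catch none of
    them, while the masked stub signature catches all of them.
    """
    reference = build_sample(PAYLOAD, 0x5A)
    sig = exact_signature(reference)
    keys = [k for k in range(1, 256) if k != 0x5A]
    exact_hits = sum(match_exact(build_sample(PAYLOAD, k), sig) for k in keys)
    masked_hits = sum(match_masked(build_sample(PAYLOAD, k), STUB_PATTERN, STUB_MASK)
                      for k in keys)
    return exact_hits / len(keys), masked_hits / len(keys)


if __name__ == "__main__":
    exact, masked = detection_rates()
    print(f"exact payload signature: {exact:.0%}   masked stub signature: {masked:.0%}")
```

The caveat is the one the paragraph above makes: a masked signature over the decoder works only while the decoder stays recognizable. A metamorphic engine that rewrites the stub itself on each copy forces the engine back to flexible matching or to behavioral methods.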
Now that you know some different ways that viruses spread and evade detection, what are some methods that FortiGate uses to find and block them?
At the host level, host-based antivirus software such as FortiClient helps. But host-based antivirus can’t be installed on routers. Guest Wi-Fi networks and ISP customers also might not have antivirus software installed. So how can you protect them? And how can you protect your own network from these botnets? The solution is to implement antivirus in your network security: on your FortiGate. Just as viruses have many ways to avoid detection, FortiGate has many techniques it can use to detect them. Let’s explain each method.
The first, fastest, simplest way to detect malware is if it exactly matches a signature. Grayware is not technically a virus; remember, it is often bundled with innocuous software, but it does have unwanted side effects, so it is categorized as malware. Often, grayware can be detected this way, with a simple FortiGuard Antivirus signature. But for the reasons we just described, viruses usually cannot be detected this way.
What is another way that FortiGate can detect viruses? It can look for attributes that viruses usually have; in other words, it can apply heuristics. Heuristics are based on probability, so they increase the possibility of false positives, but they can also detect zero-day viruses: viruses that are new and unknown, for which no signature exists yet. That is the tradeoff. If your network is a frequent target for virus writers, enabling heuristics may be worth the performance cost, because it can help you to detect a virus before the outbreak begins. By default, when the antivirus scan’s heuristic engine detects a virus-like characteristic, it logs the file as “Suspicious” but does not block it. Suspicious files can be treated differently from a positive match with a virus or grayware signature: you can choose whether to block or allow them. When should you leave heuristics at log-only rather than blocking? Windows operating system updates often modify the registry. Viruses often do this, too. So, for example, you might use a log-only heuristic action on the policy that handles Windows updates, and block suspicious files on all other connections.
Remember, if the antivirus scan’s heuristic engine finds a suspicious file, it may not always be a virus. So you might want to configure a separate action for it, or a separate policy where heuristics is disabled for connections that you know will trigger false positives. To configure the action that FortiGate takes when the scan finds a suspicious file, use the CLI commands shown on the slide.
What if heuristics is too uncertain? What if you need a more sophisticated, more certain way to detect malware, and to find zero-day viruses? You can integrate your antivirus scans with FortiSandbox. For environments that require more iron-clad certainty, FortiSandbox executes the file within a protected environment, then examines the effects of the software to see if it is dangerous. For example, let’s say you have 2 files. Both alter the system registry, and are therefore suspicious. One is a driver installation – its behavior is normal – but the second file installs a virus that connects to a botnet command and control server. Sandboxing would reveal the difference. Then, you can submit a sample of the new virus to FortiGuard security researchers, and quickly receive and deploy a FortiGuard Antivirus or IPS update to defend your network against this new threat.
In order for FortiGate to sandbox files, it must be able to send them to either a FortiSandbox device or a FortiCloud sandboxing account. What is the primary difference between the two? FortiCloud has limits imposed on the amount of data that can be transmitted. Each account has a quota. FortiSandbox limitations vary by the model’s capabilities. On FortiSandbox, you also must configure it to accept input from your FortiGate or FortiMail.
Whether you use FortiSandbox to discover new viruses, or one is discovered by your own security team, the next step is to develop a signature to detect it so that your FortiGates can begin to block it. New viruses can be submitted to FortiGuard’s security research team manually or automatically, via FortiSandbox or FortiCloud Sandbox. If you want to submit a new virus manually, go to the FortiGuard web site. Upload the file for scanning. If the virus does not currently exist in any of the FortiGuard Antivirus databases, the web site will report it as being “clean”. You will then have the option to submit the sample to FortiGuard analysts. They will develop a signature for it, as well as engine modifications (if necessary), and this will be in the next update that your FortiGate and FortiMail devices download from FortiGuard. In addition to protecting your own network, this obviously also helps to ensure that others’ networks won’t be infected either. By being part of a united security community, you can help to stop botnets from growing into large threats. This has benefits for you, and not just your neighbors. If your neighbors aren’t infected, your network won’t need to spend as much CPU, RAM, and bandwidth on fighting spam, worms, DDoS attacks, and other threats.
Now that we’ve discussed the types of scans, let’s talk about the engines that use them. They don’t behave the same way. FortiGate has traditional proxies, which break up each session into particular states which it analyzes, but it can also analyze traffic as a more continuous packet flow. Let’s discuss how to choose between those two types of engine.
One of the factors when choosing an antivirus engine is speed. Software that is installed on endpoints, such as FortiClient, can usually schedule scans for later, pause the current scan, or scan only with spare CPU cycles when the computer is idle. In other words, time is not a factor. But on a network device, this is not possible. FortiGate must scan quickly to avoid a session or connection timeout. FortiGate allows up to 30 seconds for a scan to complete. If it takes longer than that, a process called a “watchdog” terminates the scan and allows the traffic to pass. Also, FortiGate creates an event log saying that scanunit “crashed” with Signal 14 (SIGALRM, the alarm timer the watchdog uses). It’s not a real crash, and not abnormal behavior exactly, but because the scan was terminated before completing, from the software’s perspective that is technically a crash, so the event log records it as one. As you can see, speed is an important factor in network antivirus scans. With that in mind, let’s consider the two engines.
Depending on the protocol, FortiGate may be able to use either:
• an implicit (transparent) proxy, or
• an explicit proxy, that is, a proxy that clients must be configured to use.
Usually, you’ll use an implicit proxy. Clients connect through the proxy’s IP, not to it. As long as traffic is routed through FortiGate, the proxy transparently intercepts it, without configuring the clients.
Each proxy parses that protocol’s commands. Traffic usually must arrive on the expected port and conform to the specification. (A proxy cannot scan a protocol that it does not listen for, or understand.) For example, in an SMTP session, the SMTP proxy knows each valid stage: the client uses the MAIL FROM: command to specify the sender, RCPT TO: for the recipient, DATA for the message, and so on. When scanning for viruses, the SMTP proxy waits for the DATA command, which introduces the part that may contain a virus payload, before it passes that data to a scanunitd child process.
Especially for larger files, this can add noticeable latency: FortiGate must buffer the entire file (or wait until the oversize limit is reached) before scanning. So if your file limit is large, consider the setting Comfort Clients. While buffering the file, the proxy slowly forwards some of the data, so the client does not time out before the buffer is complete and the scan has finished. What’s the disadvantage? The bytes already forwarded reach the client before the scan result is available, so a very small virus in the first bytes could infect the client. Disable client comforting if very high security is required.
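To show what “protocol-aware” buys the scanner, here is an added example (not FortiOS proxy code) of the SMTP stages described above: a minimal parser walks the client’s commands, ignores everything before DATA, buffers each message body up to the terminating line containing only a dot (undoing RFC 5321 dot-stuffing on the way), and only then hands the body to a signature check or applies the oversize action. The session transcript, the signature and the oversize limit are constructed inputs standing in for a real capture, the FortiGuard database and the per-protocol file size limit.

```python
"""Protocol-aware (proxy-style) SMTP inspection: added example, not FortiOS
proxy code.

Only the DATA section of a message can carry a payload, so the proxy parses
the commands, buffers the body until the terminating "<CRLF>.<CRLF>", and
scans that buffer.  The session transcript and signature are constructed.
"""


def split_smtp_session(client_bytes: bytes):
    """Yield ('cmd', line) for each command and ('data', body) per message."""
    in_data, body = False, []
    for line in client_bytes.split(b"\r\n"):
        if in_data:
            if line == b".":                      # end of message body
                yield "data", b"\r\n".join(body)
                in_data, body = False, []
            else:
                # RFC 5321 dot-stuffing: a leading ".." stands for one "."
                body.append(line[1:] if line.startswith(b"..") else line)
        elif line:
            yield "cmd", line
            if line.upper() == b"DATA":
                in_data = True


def scan_session(client_bytes: bytes, signatures, oversize_limit: int,
                 oversize_action: str = "pass") -> list:
    """One verdict per message: 'infected', 'clean', or 'oversize-<action>'
    when the body exceeds the buffer and is therefore never scanned."""
    verdicts = []
    for kind, item in split_smtp_session(client_bytes):
        if kind != "data":
            continue                              # commands are not scanned
        if len(item) > oversize_limit:
            verdicts.append("oversize-" + oversize_action)
        elif any(sig in item for sig in signatures):
            verdicts.append("infected")
        else:
            verdicts.append("clean")
    return verdicts


# constructed session: one clean message, then one carrying a test pattern
SESSION = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<a@example.net>\r\n"
    b"RCPT TO:<b@example.org>\r\n"
    b"DATA\r\n"
    b"Subject: hello\r\n\r\nnothing to see\r\n"
    b"..leading dot kept\r\n"
    b".\r\n"
    b"MAIL FROM:<a@example.net>\r\n"
    b"RCPT TO:<c@example.org>\r\n"
    b"DATA\r\n"
    b"Subject: invoice\r\n\r\nCONSTRUCTED-TEST-PATTERN\r\n"
    b".\r\n"
    b"QUIT\r\n"
)
SIGNATURES = [b"CONSTRUCTED-TEST-PATTERN"]

if __name__ == "__main__":
    print(scan_session(SESSION, SIGNATURES, oversize_limit=10_000))
    print(scan_session(SESSION, SIGNATURES, oversize_limit=20, oversize_action="block"))
```

Note that the scanner never sees the verdict until the full body has been buffered; that buffering delay is exactly the latency that client comforting trades against the early release of unscanned bytes.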
What is another way to reduce latency? Use the flow-based engine instead. It doesn’t analyze sessions in discrete protocol stages. The flow-based engine scans the packets as a continuous stream, looking for viral payloads regardless of the surrounding protocol details. Depending on your model, some flow-based operations may be performed by a specialized FortiASIC chip, further improving performance. But flow-based scans can’t support all the features that proxy-based scans can. Because the flow-based engine doesn’t operate according to the rules of the protocol, even if the scan later detects a virus, it may already have forwarded packets where it should have inserted a block message. So the client may think it is a network error, and try again. Also, much like a proxy with client comforting enabled, the flow-based engine forwards packets while it is still scanning the payload. The result? The client may already have received most of a virus by the time the scan drops the connection. As with client comforting, if your environment requires very high security, you may want to avoid this option. Regardless of which engine you use, the scan techniques give similar detection rates. How can you choose between the engines? If performance is your top priority, flow-based is more appropriate. If security is your priority, proxy-based, with client comforting disabled, is more appropriate.
Both engines buffer up to your specified file size limit. The default is 10 MB. It’s large enough for most files except movies. If your FortiGate model has more RAM, though, you may be able to increase this threshold. Without a limit, very large files could exhaust scan memory. So this threshold balances risk vs. performance. Is this tradeoff unique to FortiGate, or to a specific model? No. Regardless of vendor or model, you must make a choice. This is due to the difference between scans in theory, that have no limits, and scans on real-world devices that have finite RAM. In order to detect 100% of malware regardless of file size, a firewall would need infinitely large RAM – something that no device has in the real world. Most viruses are very small. So percentage-wise – unless many viruses are Trojans appended to the very end of a large file – changing this value doesn’t impact security very much. This table shows a typical tradeoff. You can see that even with a 5 MB threshold, only 0.14% of spyware passes through. But after billions of packets, several hosts may require disinfection.
So what is the recommended buffer limit? It varies by model and configuration. Adjust “oversize” for your unique network for optimal performance. A smaller buffer minimizes proxy latency and (for both engines) RAM usage, but may allow viruses to pass through undetected. With a buffer that’s too large, clients may notice transmission timeouts. Balance the two. If you aren’t sure how large a buffer you need, temporarily enable “oversize-log” to see how frequently files exceed it, and whether those large files are important to allow. Files that are too large for the maximum buffer size cannot be completely scanned, and the default is to allow them to pass. This is because large files are often harmless, and many networks have antivirus software installed on endpoints, so this minimizes unnecessary help desk calls. But if you require a very secure environment, or if your endpoints have no antivirus software, you can change this setting, on a per-protocol basis, so that FortiGate blocks oversized files. If oversized files are blocked, your endpoints are safe, and you won’t need the logs about oversize files for forensics. So you may be able to improve performance slightly by disabling “oversize-log.”
Relatedly, large files are often compressed. From the scan’s perspective, compression acts like light encryption: a compressed file won’t match signatures. So FortiGate must decompress the file in order to scan it. When decompressing, FortiGate must first identify the compression algorithm. Some archive types can be correctly identified using only the header. FortiGate must also check whether the file is password-protected. If the archive is protected with a password, FortiGate can’t decompress it, and therefore can’t scan it; such files are subject to the same pass-or-block choice as oversized files. FortiGate then decompresses files into RAM. Just like other large files, this buffer has a maximum size: “uncompress-oversize-limit”. Increasing this limit may decrease performance, but allows you to scan larger compressed files. If an archive is nested – for example, if an attacker is trying to circumvent your scans by putting a ZIP file inside a ZIP file – FortiGate will try to undo all layers of compression. By default, FortiGate will attempt to uncompress and scan up to 12 layers deep, but you can configure it to scan up to 100 layers deep. Usually you shouldn’t increase this setting. It increases RAM usage, and a file that has been compressed more than 12 times is almost always malicious, or a deliberate attempt at evasion, anyway.
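The settings the last two slides describe (buffer limit, pass-or-block action, oversize logging, decompression limits and nesting depth) live in the protocol options profile. The following is an added example written for this guide, not a configuration taken from Fortinet’s material: keyword names are as I recall them from the FortiOS 5.2 CLI, so confirm each with “?” on your own unit; the profile name “default” and the HTTP and FTP ports are assumptions. The “#” lines are comments for the reader, not CLI syntax.

```text
config firewall profile-protocol-options
    edit "default"
        # Log every file that exceeds a buffer limit. Enable it while you are
        # sizing the limits, then disable it once oversize files are blocked,
        # because each log entry costs RAM.
        set oversize-log enable
        config http
            set ports 80
            # "oversize" in options means BLOCK files larger than oversize-limit.
            # Omit it to keep the default, which passes them through unscanned.
            set options oversize
            # buffer limit in MB (default 10)
            set oversize-limit 10
            # limit for the decompressed copy of an archive, in MB
            set uncompressed-oversize-limit 10
            # layers of nested archives to unpack (default 12, maximum 100)
            set uncompressed-nest-limit 12
        end
        config ftp
            set ports 21
            set options oversize
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
        end
    next
end
```

After switching a protocol to block, re-check the oversize log for a few days: a legitimate large download (an ISO, a software installer) that now fails is the usual cause of help desk calls, and raising the limit for that one protocol is cheaper than disabling blocking everywhere.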
Let’s review briefly. If the buffer is full, the antivirus scan has a simple behavior. FortiGate will, depending on your setting, either block or pass the file. Since FortiGate doesn’t have the entire file, it would be impossible to determine whether or not the file contains a virus.
If the file has been completely transmitted – that is, FortiGate reaches the byte that marks the end of the file (EoF) – then FortiGate decompresses the file (if applicable) and uses these scans, in this order. The virus scan is first, because the results have high certainty and the computations are fast. Heuristics, which are less certain, are applied last.
If you consider all of the settings together, this is the complete decision tree that FortiGate uses for antivirus scans.
When an attacker releases a new virus into the wild, like with all antivirus software, your FortiGate must be updated with a matching signature so that it can detect it. Most organizations don’t have the personnel to dedicate to writing antivirus signatures, 24 hours a day, 7 days a week. Even if you do, it is usually beneficial to share security knowledge and workload. A FortiGuard Antivirus service contract provides your FortiGate with access to the latest signatures and detection engines from Fortinet’s security research team.
You can update your FortiGate’s antivirus signatures and engines via either push, pull, or both methods. (If temporary packet loss, for example, interferes with the push method, also enabling pull as a backup method helps to ensure that your FortiGate will not miss any updates.) Regardless of which method you select, virus scanning must be enabled in at least one firewall policy. Otherwise, FortiGate will not download any updates. Alternatively, you can download packages from the Fortinet Technical Support web site, and then manually upload them to your FortiGate.
“diagnose autoupdate status” shows your automatic update options, just like System > Config > FortiGuard does on the GUI.
It’s worth noting that there is an additional feature to the FortiGuard Antivirus service: when FortiGate detects connections of infected computers to a botnet’s command and control servers – sometimes this is an IRC channel, or sometimes this is a darknet web server – FortiGate can block those connections. The setting is in the antivirus profile. The FortiGuard security research team compiles and maintains a list of known botnet command and control server IP addresses. FortiGate downloads this via FortiGuard Antivirus and IPS updates.
Multiple FortiGuard Antivirus databases exist. Support varies by FortiGate model. All FortiGate devices have the “regular” database, which only contains signatures for viruses that are “in the wild” – that is, viruses detected in recent months or submitted by Fortinet users and partners. It is the smallest database, and therefore results in the fastest scans, but does not detect all known viruses. Some models support the “extended” database, which also detects viruses that have not been seen for some time; vulnerable platforms are still common, and these viruses could resurface later through portable hard disks, periodic connectivity, and so on. The most powerful models and FortiClient support the “extreme” database. It is intended for high security environments, and detects all known viruses, including those for legacy operating systems such as DOS, Windows 3.x, Windows 95, Windows 98, and so on.
Via the CLI, you can choose which database your FortiGate will use.
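As an added example (mine, not the guide’s or Fortinet’s), here is the database selection from the slide together with the update settings from the earlier slides and the command that verifies them, as I recall them from the FortiOS 5.2 CLI. Confirm the keyword names with “?” on your unit; the schedule time is an assumption, and the “#” lines are comments for the reader.

```text
config antivirus settings
    # normal = the "regular" database every model has; extended and extreme
    # are only accepted on models that support them
    set default-db extended
    set grayware enable
end

config system autoupdate push-update
    # accept updates pushed by FortiGuard as soon as they are released...
    set status enable
end
config system autoupdate schedule
    # ...and also pull on a schedule, so a lost push does not leave you behind
    set status enable
    set frequency daily
    set time 02:00
end

# Verify: contract status, engine and database versions, and when the last
# update was attempted and succeeded. No policy with antivirus enabled means
# no downloads, whatever these settings say.
diagnose autoupdate versions
```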
Once you have chosen an antivirus database, in order to use antivirus scans, you’ll also need to configure an antivirus profile. These profiles contain settings for the inspection mode (that is, the proxy or flow-based engines), and define what FortiGate should do if it detects an infected file. Proxy options also specify the proxies’ listening port numbers for various unencrypted protocols. You can scan HTTP, for example, even if the connection doesn’t occur on the IANA standard TCP port 80. But what about encrypted protocols? Encryption is a popular method for attackers to circumvent security. So as you would expect, FortiGate can scan encrypted protocols. But that isn’t configured here.
For secure protocols (HTTPS, FTPS, etc.), the proxies are configured in a different profile type: the so-called SSL inspection profiles. Encrypted protocols can be inspected to a greater or lesser extent, depending on what you select. ‘SSL Certificate inspection’ only validates certificate information, such as the issuing CA. This type cannot inspect the contents of the traffic, which are inside the encrypted payload. ‘Full SSL Inspection’ validates the certificate, but also decrypts the payloads for antivirus scanning. Because this method uses an authorized man-in-the-middle (MITM) attack, clients will detect the inspection. Users may need to either override the SSL validation failure, or install your CA certificate. Certificate-based inspection is described in detail in another lesson.
Virus scanning statistics can be found on the FortiGate dashboard, on the “Advanced Threat Protection Statistics” widget. If your FortiGate is submitting files for sandboxing, then it keeps statistics about the number of files submitted, and the results of those scans. These statistics are separate from files that are scanned locally on the FortiGate.
When the antivirus scan detects a virus, by default, it creates a log about what virus was detected, and by which method. It also provides a link to more information on the FortiGuard web site.
If the antivirus logs are empty, this doesn’t mean your network has no outbreak. Before, we showed how FortiGate can pass a file if it is too large for scan buffers, is password-encrypted, or has too many layers of nested compression, and logging can be disabled for those cases. We also explained the flow-based engine, and client comforting by the proxy-based engine: even if FortiGate detected a virus and reset the connection, some or all of the virus could have been transmitted before then. And when choosing an antivirus database, we said that if you trade some security for better performance, some viruses may pass through. We also explained zero-day exploits. If any of that happens, how can you submit a sample of a suspected virus, or get information on how to disinfect those hosts? Visit the FortiGuard web site, http://www.fortiguard.com. In the example here, this antivirus signature is only in the “extended” database for FortiClient. What does this mean? Unless your FortiGate model can use that larger database, and you have enabled it, your firewall would not have been able to detect that specific virus. If you have vulnerable Android hosts and FortiClient was installed, they would have been safe. But if they were not protected, you would need to apply the recommended action to disinfect them.
If your antivirus scans are not functioning as you expect, where should you begin troubleshooting? Verify that FortiGuard updates are enabled, and that you have selected antivirus profiles in your firewall policies. Updates won’t occur if there is no firewall policy that uses them, and antivirus scans won’t occur unless a firewall policy applies them. If automatic updates are enabled, the next thing to examine is whether those scheduled update requests are succeeding. For that, use the command “diagnose autoupdate versions”. It shows details about the antivirus engine and databases, IPS engine and definitions, geography-to-IP mappings database, and other features. It also shows your FortiGuard contract status – FortiGate won’t be able to download updates if it’s not authorized – and when the last update was attempted, and when it last succeeded.
Both manual and automatic updates to FortiGuard packages trigger FortiGate to check whether the version is newer. If the version available is equal to or less than the version installed, then to prevent accidental downgrades, it will not apply the update. To turn off the version check, you can use this command with the “enable” flag. If a specific signature is causing false positives, you can use this command to temporarily disable the version check and revert the database. After you have resolved the issue with Fortinet Technical Support, make sure to run this command again, but with the “disable” flag instead, so that the downgrade protection is back in place.
If your FortiGate’s RAM usage is high, the next thing to examine is the event log. Look for messages about “conserve mode.” Conserve mode occurs when FortiGate does not have enough RAM available to properly handle traffic. UTM such as antivirus does not have to be enabled for conserve mode to occur, but UTM inspection does increase memory usage beyond simple firewall policies. In other words, conserve mode is more likely when antivirus or IPS is enabled. You can determine whether antivirus is using much of the memory by running the command “diagnose sys top”. There are a few categories of RAM conservation. Let’s show the difference.
Kernel conservation mode is when FortiOS itself does not have enough memory available. There’s no single cause, but it could be processes simultaneously opening too many files, too much information on the stack, etc. System conservation mode indicates a lack of RAM for processes and daemons such as miglogd. The threshold is whenever the overall memory usage reaches about 80%. Once triggered, FortiGate will not exit this mode until memory usage has dropped by 10%, to approximately 70%. Proxy conservation mode is when the transparent UTM proxy runs out of available sockets. The maximum number of proxied connections varies by model. In kernel conservation, the behavior is not configurable. It is a critical lack of RAM. But the behavior for system and proxy RAM conservation is configurable. Let’s see the settings that you can use.
‘av-fail-open’ is the CLI setting that controls FortiGate’s behavior while it is in system conserve mode. Depending on your configuration and traffic types, each option may be more or less effective at freeing RAM.
If ‘av-failopen-session’ is enabled, then FortiGate will act according to the ‘av-failopen’ setting. Otherwise, by default, it will block new sessions until RAM becomes available.
During kernel conservation mode, FortiGate attempts to reclaim memory that is not in use. In an operating system, when a process releases memory, it is not always immediately reclaimed. There is a “garbage collector” memory daemon that periodically finds unused pointers. As part of this process, FortiGate drops any sessions that the proxy considers idle. While FortiGate is in this type of conserve mode, all new sessions will pass through the FortiGate without any UTM inspection, because the operating system does not have enough memory to do so. That is the security consequence to remember: kernel conserve mode fails open.
Because logging itself requires some RAM, depending on the type of conserve mode, log messages may not always immediately appear. Kernel conserve mode especially may not appear easily. Creating a log entry takes up memory. While in conserve mode, your FortiGate’s operating system is doing everything possible to prevent RAM usage from increasing. Trying to create a log entry while conserve mode is active would be counterproductive. If your FortiGate is in one of the three conserve modes, how can you correct it?
This shows the shared memory diagnostic. It indicates what type of conserve mode (if any) your FortiGate is in. It also provides a quick summary of how much shared memory is being used on your FortiGate. The antivirus database is one of the things on your FortiGate that uses shared memory, so if this is very high, you can try to solve the problem by switching from the “extended” signature database to the “regular” database, for example. Notice that this command doesn’t show kernel conserve mode, however. How can you determine how much kernel memory is used?
‘diagnose firewall iprope state’ has a section right at the beginning with an entry for ‘av_break’. Normally, the ‘av_break’ option will be ‘pass/off’. But if FortiGate is currently in kernel conserve mode, this command will show ‘av_break=pass/pass’. If this is very common, and you’ve checked your configuration, you may need to examine the traffic levels and protocol types. Your network may have grown or changed in important ways, and need a more powerful model capable of supporting the added or changed traffic. Much of the other output of this command is dictated by the settings for ‘av-failopen’ and ‘av-failopen-session’ and will change based on the configured options.
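To tie the conserve mode settings and diagnostics from the preceding slides together, here is an added example (mine, not from the guide): the two ‘config system global’ settings with the meaning of each option as I recall it from the 5.2 CLI reference, followed by the commands to run when you suspect conserve mode. The shared memory command name is my recollection of the diagnostic the earlier slide refers to, so confirm it on your unit; the “#” lines are comments for the reader, not CLI syntax.

```text
config system global
    # What happens to NEW proxied sessions while in system conserve mode:
    #   off       stop accepting new AV sessions, keep serving current ones (fail closed)
    #   pass      bypass AV scanning until memory is available again (fail open)
    #   one-shot  bypass AV scanning and KEEP bypassing until you set this to off again
    #   idledrop  drop the clients holding the most connections to free memory
    set av-failopen off
    # When a proxy runs out of sessions (proxy conserve mode), also apply the
    # av-failopen action; when disabled, new sessions are simply blocked.
    set av-failopen-session disable
end

# Is the unit in conserve mode, and how much shared memory is in use?
# The antivirus database is one of the largest shared-memory users.
diagnose hardware sysinfo shm

# Overall memory usage against the ~80% enter / ~70% exit thresholds
get system performance status

# Which processes hold the memory: scanunitd (antivirus), ipsengine
# (flow-based inspection), wad (proxy); refresh every 2 s, 20 lines
diagnose sys top 2 20

# Kernel conserve mode is not shown by the shm command. Look at av_break in
# the first lines here: pass/off is normal, pass/pass means kernel conserve mode.
diagnose firewall iprope state
```

Choose ‘off’ unless availability genuinely outweighs unscanned traffic; if you do choose ‘one-shot’ to get through an incident, put a reminder in the ticket, because the bypass stays in place after memory recovers until someone resets it.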
To review what we discussed, here is a list. We showed:
• Some different malware terminology and what it means
• The different types of scanning that can be enabled on a FortiGate
• Sandboxing and how that can be used
• Blocking botnet connections
• The difference between proxy- and flow-based virus scanning
• The different antivirus databases
• The behavior of oversized files
• The order of operations within the virus scanning engine
• How to handle an undetected piece of malware
• Some details about virus scanning encrypted traffic
• How to read virus detection logs
• What conserve mode is
• Some of the memory diagnostics that are available on a FortiGate

Explicit Proxy

In this lesson, we will show you how your web browsers can use FortiGate as an explicit proxy.
After completing this lesson, you should have these practical skills. You will learn how to configure both FortiGate and the web browsers that will use it as an explicit proxy. Since you can alternatively use an implicit proxy, we will also explain why in some cases you might want an explicit proxy instead.
A proxy receives or intercepts requests from a client to a server. If allowed, and if no cache is available, it forwards the request to the server on behalf of the client. Two sessions are created: one from the client to the proxy, and another one from the proxy to the server. How is this different from an implicit proxy, sometimes called a transparent proxy?
An implicit proxy server does not require any configuration change on the clients. Clients continue to use the web just like they would without a proxy. Clients send requests to the web server’s IP address and port number. The proxy intercepts the client’s requests transparently – that is, at the IP layer, the destination address doesn’t change. Does this mean that implicit proxies don’t require any configuration changes, anywhere? Not necessarily. Usually, both incoming and outgoing traffic is routed through FortiGate. As a result, web browsing is already being routed through FortiGate, where it can be intercepted by the transparent proxy. But if clients’ traffic isn’t currently routed through FortiGate, then you must reconfigure routing so that the packets will be routed through FortiGate, where the implicit proxy can intercept them.
How is an explicit proxy different? With explicit proxy servers, you must configure clients to send their requests to the proxy’s IP address, not to the sites’ web servers. But because clients are specifically sending web traffic to your FortiGate, you shouldn’t need to reconfigure any routers. Methods vary by web browser or other HTTP client.
How do you configure users’ web browsers to use an explicit web proxy? In large networks, you won’t configure the browser settings individually, on each computer; instead, for example, you may use an Active Directory login script or roaming profile. Alternatively, you can configure browsers to use an explicit proxy by installing a PAC file, or by using the web proxy autodiscovery protocol (WPAD). Let’s look at each.
With manual configuration, you must provide one proxy’s FQDN or IP address. It is limited to only one proxy. If you want to exempt specific IP addresses, subnets and FQDNs from using the proxy, you can add them to a list. For those destinations, the browser will send requests directly to the web servers.
The second possible method is a standard explicit auto-configuration file, called a PAC file. A PAC file contains instructions that tell the browser when to use a proxy, and which proxy to use, depending on the destination. This method supports use of multiple proxy servers. To deploy the PAC file, first you must install it on an HTTP server that the clients can reach. (Your FortiGate can act as the HTTP server for the PAC file.) Then you must configure all browsers with the PAC file’s URL. Again, in larger networks, you usually won’t do this individually; instead, you will use your domain to define the PAC file’s URL.
What does a PAC file contain? A PAC file is JavaScript. When browsers run it, it determines whether the request will be proxied, and what the addresses should be in the packets, including in the URL and the “Host:” header at the Layer 7 HTTP layer. In this example: • The PAC file allows any connection to example.com to bypass the proxy. • Connections to servers in the 10.0.0.0/24 subnet use the proxy named fastproxy.example.com – whose FQDN is resolved to an IP address by a DNS query at the time of the request, so it could be different for clients on the private vs. public network. • All other requests are made through proxy.example.com.
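The PAC file for those three rules, written out as an added example (mine, not Fortinet’s or the guide’s). Port 8080 is an assumption (FortiGate’s default explicit proxy port), and the second rule adds a fallback proxy that the slide does not mention. Browsers supply dnsDomainIs() and isInNet() themselves; the copies below are only installed when those built-ins are absent, so the same file can be checked offline with Node. The shim for isInNet() only accepts dotted-quad hosts, whereas a browser would first resolve a hostname via DNS.

```javascript
// wpad.dat: example PAC file for the three rules on the slide.

// Use the browser's built-ins when they exist; otherwise install shims so the
// file can be unit-tested outside a browser. (var redeclaration leaves an
// existing global untouched.)
var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs :
  function (host, domain) {
    // Pure suffix comparison, like the browser implementations: a domain
    // without a leading dot ("example.com") also matches "notexample.com".
    return host.length >= domain.length &&
           host.substring(host.length - domain.length) === domain;
  };

function pacIpToInt(text) {
  // dotted quad -> unsigned 32-bit integer, or null if not a valid address
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

var isInNet = (typeof isInNet === "function") ? isInNet :
  function (host, pattern, mask) {
    var ip = pacIpToInt(host), net = pacIpToInt(pattern), m = pacIpToInt(mask);
    if (ip === null || net === null || m === null) return false;
    // >>> 0 keeps the comparison unsigned: 255.255.255.0 is negative as int32
    return ((ip & m) >>> 0) === ((net & m) >>> 0);
  };

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Rule 1: example.com and every name under it bypass the proxy.
  // The leading dot keeps "notexample.com" from matching as well.
  if (host === "example.com" || dnsDomainIs(host, ".example.com")) {
    return "DIRECT";
  }

  // Rule 2: servers in 10.0.0.0/24 use fastproxy.example.com, resolved by the
  // browser at request time. The second entry is only tried if the first
  // proxy is unreachable.
  if (isInNet(host, "10.0.0.0", "255.255.255.0")) {
    return "PROXY fastproxy.example.com:8080; PROXY proxy.example.com:8080";
  }

  // Rule 3: everything else goes through proxy.example.com.
  return "PROXY proxy.example.com:8080";
}
```

The bypass rule is where PAC files usually go wrong: dnsDomainIs() compares suffixes only, so writing “example.com” without the leading dot would also send evilexample.com straight past your proxy, and a bypassed destination is a destination FortiGate never sees.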
Browsers can automatically discover the URL where the PAC file is located via the web proxy autodiscovery protocol. There are two methods you can use to do this. One is to use a DNS server; the other is to use a DHCP server. Most browsers try the DHCP method first. If it fails, they try the DNS method.
With the DHCP method, the browser sends a DHCPINFORM request to the DHCP server. The DHCP server replies with the PAC file’s URL (carried in DHCP option 252). The browser then downloads the PAC file.
The DNS method is very similar; the differences are in the required PAC URL. First, the browser queries the DNS server to resolve the FQDN wpad.<local domain>. The DNS server replies with the IP address of the web server (in this case, a FortiGate) where the browser can download the PAC file. This method always uses TCP port 80 and the PAC file name wpad.dat. The browser downloads the PAC file, then accesses the web through the proxies indicated in the PAC file.
Usually, you will enable the proxy to cache responses from web servers. A web cache stores responses from web servers so that the next time a client requests the same thing, FortiGate can quickly send the cached content, instead of forwarding the request and waiting for the response. This reduces WAN bandwidth usage, server load, and delay. We will review how web caching works in the next slides.
If you’ve enabled caching, when the client makes a request, the proxy first checks whether the URL that the client requested is already in memory. If it is not, the proxy forwards the request to the server. When the server responds, FortiGate stores the response in memory – that is, it adds the content to its cache. The proxy also forwards a copy of the content to the client.
If any client using FortiGate’s proxy requests the exact same URL, FortiGate will recognize it, and immediately forward a copy of that content from the cache to the client. Unless the content on the server has changed, the proxy does not need to request the content from the server again, so from the client’s perspective, each response after the initial request is faster. Notice that because dynamic URLs are not exactly the same, and their content may be personalized for each client, dynamic URLs are usually not cached.
Given that the cache consumes system resources, do you want all users to be able to use it? You can configure FortiGate’s HTTP proxy to allow access only to authenticated users that belong to specific user groups. Authentication can be based on either the source IP address or HTTP session cookies. How should you decide which to use? IP-based authentication requires less RAM to remember the authenticated sessions. However, it should only be used when each user has a different IP address from the perspective of the source address in the IP header. If your users are behind source NAT, such as with a remote office that uses Internet sharing, use HTTP session-based authentication instead. In this mode, each browser inserts an HTTP cookie in its requests. The cookie identifies the user’s session. This method requires slightly more RAM because FortiGate must remember all session cookies. However, it can even differentiate the same person using multiple accounts – multiple tabs in multiple browsers.
What does the traffic flow look like when a user authenticates with the explicit proxy, using HTTP session-based authentication? If a user connects and the request doesn’t have any associated authentication session, FortiGate first replies to the browser, requesting login credentials. The browser prompts the user to authenticate, and remembers the authenticated state by storing a cookie. If the same user makes more requests later, the browser automatically sends the same cookie again. FortiGate identifies the user via a lookup in its table of current session cookies, so the user does not need to authenticate for every request – only the first time.
These are the steps for configuring a FortiGate as an explicit web proxy. We will show the details of each step next.
By default, the explicit web proxy settings are hidden in the GUI. To show them, in the dashboard’s Features widget, enable explicit proxy.
Once explicit proxy settings are visible in the GUI, you can enable and configure them. You can configure the TCP port where the proxy is listening, edit and upload the PAC file, and choose the default action that FortiGate will take if there is any traffic that doesn’t match a proxy policy. We will talk about the proxy policies later.
After enabling the explicit web proxy globally, you must specify on which interfaces the proxy will listen for connections.
The next step is to create explicit proxy policies to specify which traffic and users are allowed to use the proxy. Starting from FortiOS 5.2, policies for the explicit proxy are configured in a different configuration section than the regular firewall policies. Proxy traffic can be inspected: antivirus, web filtering, application control and IPS inspection can all be applied. Additionally, web caching can be enabled or disabled per policy. When proxy traffic matches a proxy policy, FortiGate takes one of three possible actions: accept the traffic, deny it, or request authentication before accepting it.
If you select authentication as the action, you will be presented with the option to add authentication rules. These rules specify which users and user groups are allowed, and what kind of inspection is going to be applied to each of them.
Authentication for the explicit proxy behaves differently than it usually does for firewall policies. With the explicit proxy, FortiGate will not “fall through” to try the next authentication rule. FortiGate always applies the first policy that matches all criteria: the source IP address, the destination IP address, and the outgoing interface. It doesn’t evaluate any policy after the first match, even if the user failed to authenticate with that rule. Let’s look at an example next.
In this example, the first proxy policy matches traffic from 10.0.1.0/24. It only allows the user named Student. The second policy allows traffic – without authentication – only if the source address matches 10.0.0.0/8. With this configuration, if traffic arrives from the 10.0.1.0/24 subnet, and that user has not authenticated yet, then FortiGate prompts the user to authenticate. Traffic from that source IP address always matches the first policy, and FortiGate does not continue to evaluate other policies in the list after it finds a match. So FortiGate never applies the second policy for that subnet – only for the rest of 10.0.0.0/8.
In the CLI, if you disable the setting “strict-guest”, then all users that do not belong to any user group in the proxy policy will be treated as if they belong to a group named “SSO_guest_user”. In this way, you can control their access even if the users cannot authenticate.
Like with firewall policies, when creating proxy policies, you use firewall address objects to specify the source and destination. With HTTP, the destination may appear in both the IP header’s destination field and the HTTP header’s “Host:” field. They aren’t always the same. Usually, the “Host:” header is a FQDN, possibly indicating an Apache virtual host; it is not usually an IP address. But at the IP layer, the destination field always contains an IP address. So if you are matching by using the “IP Range” object, keep in mind which layer you are matching, and the effects of NAT at both layers. Are IP addresses and domain names the only way you can match traffic with a proxy rule? No. One type of firewall address object can only be used in proxy policies: the URL pattern object type. The proxy can match policies based on the requested URL (not only the destination IP address). URL address objects are used for that purpose.
In this example of the use of a URL address object, the first proxy policy allows unrestricted access to the URL update.microsoft.com. No authentication is required. All other traffic would match the second policy, which enforces authentication when accessing any other URL.
If you are using the WPAD DNS method to configure the browser, you may need to edit the PAC file settings to match the required file name and listening port number. As we explained before, the DNS method always assumes that the PAC file is located at: http://wpad.<local domain>:80/wpad.dat So if your clients use the DNS method, you must configure FortiGate to offer the PAC file named wpad.dat, and to listen for requests for it on port 80.
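The configuration steps of this lesson, gathered into one CLI example: enabling the proxy and the PAC file server for the WPAD DNS method, choosing the listening interface, the address objects (including a URL pattern object as on the update.microsoft.com slide), a policy without and a policy with authentication, the strict-guest setting, and the monitoring commands. This is an added example written for this guide, not Fortinet’s configuration; keyword names are from my memory of the FortiOS 5.2 CLI and should be confirmed with “?” on your unit. Interface names (port1 outside, port3 inside), the 10.0.1.0/24 subnet, the “Students” group and the profile names are assumptions. The “#” lines are comments for the reader.

```text
config web-proxy explicit
    set status enable
    # port the browsers (or the PAC file) are configured to use
    set http-incoming-port 8080
    # WPAD via DNS always fetches http://wpad.<local domain>:80/wpad.dat,
    # so serve the PAC file under exactly that name and port
    set pac-file-server-status enable
    set pac-file-server-port 80
    set pac-file-name "wpad.dat"
    # traffic that matches no explicit proxy policy is dropped
    set sec-default-action deny
    # disabled: a user who belongs to no group in the policy is treated as a
    # member of SSO_guest_user instead of being rejected outright
    set strict-guest disable
end

config system interface
    edit "port3"
        # listen on the inside interface only; enabling this on an
        # Internet-facing interface would make FortiGate an open proxy
        set explicit-web-proxy enable
    next
end

config firewall address
    edit "LAN"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "update.microsoft.com"
        # URL pattern object: only usable in explicit proxy policies, matched
        # against the requested URL rather than the destination IP address
        set type url
        set url "update.microsoft.com"
    next
end

config firewall explicit-proxy-policy
    edit 1
        # Windows Update needs no login but is still scanned
        set proxy web
        set dstintf "port1"
        set srcaddr "LAN"
        set dstaddr "update.microsoft.com"
        set action accept
        set service "webproxy"
        set utm-status enable
        set av-profile "default"
        set profile-protocol-options "default"
    next
    edit 2
        # everything else from the LAN must authenticate. Only the first policy
        # whose source, destination and interface match is evaluated, so order
        # policies from most to least specific.
        set proxy web
        set dstintf "port1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set service "webproxy"
        set webcache enable
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "Students"
                set schedule "always"
                set utm-status enable
                set av-profile "default"
                set webfilter-profile "default"
                set profile-protocol-options "default"
            next
        end
    next
end

# Monitoring: who is authenticated to the proxy, and clearing all of them
# (every user is then prompted to log in again on the next request)
diagnose wad user list
diagnose wad user clear
```

The Local Domain Name setting from the next slide still has to match what the browsers put in the “Host:” header when they ask for wpad.dat; the PAC server settings above do not help if that name does not match.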
Also, you must check that the Local Domain Name setting is properly configured. It determines which requests FortiGate will reply to: FortiGate only serves the WPAD file if the HTTP “Host:” header in the client’s request matches FortiGate’s own name.
Once the web proxy is working, you can monitor which users are connected to it – that is, the proxy’s session table. You can do this from the GUI, or from the CLI by using the command: diagnose wad user list. You can also remove all entries from the list of users that are currently authenticated with the proxy.
Here is a review of what we discussed. We reviewed some explicit web proxy concepts. We also showed how to configure and monitor a FortiGate acting as an explicit web proxy, and how to configure web browsers to use the proxy. We explained that, depending on your situation, some configuration choices require more RAM, and some require specific FortiGate port numbers. Finally, we showed how to see which users are currently authenticated with the explicit proxy.

Web Filtering

In this lesson, we will show you how to filter users’ access to websites, one of the features most commonly employed by network administrators.
After completing this lesson, you should have these practical skills. This will give you an understanding of the various options available to manage and track web content. Familiarity with website design and behavior, as well as with the HTTP protocol, is useful for understanding this module.
Web filtering is simply a means of controlling, or tracking, the websites people visit. There are many reasons why a network administrator would want to do this:
• preserve employee productivity
• prevent network congestion where valuable bandwidth is used for non-business purposes
• prevent loss or exposure of confidential information
• decrease exposure to web-based threats
• limit legal liability when employees access or download inappropriate or offensive material
• prevent copyright infringement caused by employees downloading or distributing copyrighted materials
• prevent children from viewing inappropriate material
Proxy-based web filtering is achieved with a transparent proxy that intercepts the traffic between the client and the server, placing FortiGate in the middle of the conversation. Proxy-based inspection provides the most flexibility and the most configuration options for inspecting web traffic because it intercepts at Layer 7; as a result, some features are only available when using proxy-based inspection. Greater control comes at a cost: it is also the most resource intensive in terms of memory and CPU usage, resulting in the lowest throughput. That said, it is widely used and is a very strong solution on appropriately scaled systems.
Flow-based web filtering is achieved by intercepting the traffic between the client and the server and analyzing the TCP flow as it passes, hence flow-based. It provides less flexibility and fewer configuration options for inspecting web traffic than proxy-based inspection, because it intercepts at Layer 3 and works with the Layer 4 data. It does not reassemble the actual files as the proxy does, so content cannot be handed to scanunit (the antivirus scanning process).
Rather than looking at the HTTP protocol, another option is to filter the DNS request that occurs before the HTTP GET request. This has the advantage of being very lightweight, at the cost of lacking the precision of HTTP filtering. Every protocol generates DNS requests in order to resolve a hostname, so this kind of filtering affects all of the higher-level protocols that depend on DNS, not just web traffic. For example, it could apply FortiGuard categories to DNS requests for FTP servers. Very few web filtering features are possible beyond hostname filtering, because of the limited amount of data available at the point of inspection.
Inspection mode is set in the web filter profile. When you change the mode, the options displayed change, because they depend on the inspection mode. When a web filter profile using proxy inspection mode is selected in a firewall policy, a proxy options profile must also be defined. The proxy options profile defines proxy behaviors as well as the ports to be inspected for web or DNS traffic. HTTPS inspection port numbers, and other settings related to the handling of SSL, are defined separately in the SSL/SSH inspection profile.
Let’s summarize the different modes. Proxy-based caches traffic, so it can cause a noticeable delay depending on the file size, the oversize limit and the connection speed. It does, however, support a greater number of web filtering features. Flow-based has a much higher throughput rate than proxy-based because it does not cache data, so there is no transmission delay. DNS-based is very lightweight because it handles only the nameserver lookup, but suffers from accuracy issues because it never sees the full URL, only the hostname.
DNS web filtering looks at the nameserver response that typically occurs when you connect to a website. Proxy-based and flow-based web filtering both look for the HTTP 200 response returned when you successfully access the website. Handling the response, as opposed to the DNS request or the HTTP GET, confirms that the site is actually present.
Static URL filtering is enabled in the web filter profile. Entries in the URL filter list are checked against the website that is visited. If a match is found, the configured action is taken. If there is no match, FortiGate moves on to the next enabled check. Patterns of type “Simple” are exact text matches. Patterns of type “Wildcard” allow some flexibility in the text pattern by permitting wildcard characters and partial matching. Patterns of type “Reg. Expression” allow PCRE regular expressions to be used. Entries are evaluated in list order and the first match wins, so place specific entries above broad wildcard or regular expression entries.
When a user visits a website, FortiGate looks through the URL list for a matching entry. In this example, the website matches the 3rd entry (using the same list as the previous slide). This entry is a simple type, so the match must be exact: there is no partial match with a simple pattern. In this case the action is to block the website, so the user is presented with a block page rather than the website they were expecting to see.
Rather than blocking or allowing websites individually as static URL filtering does, FortiGuard category filtering looks at the category that a website has been rated with. The action is taken based on that category, not on the URL itself. FortiGuard category filtering is a live service that requires a connection to the FortiGuard network and an active contract in order to operate. If the contract expires, there is a 7-day grace period to renew the contract before the service is cut off. Rather than communicating with the FortiGuard network to receive a website’s category, larger FortiManager models can be used as a local rating server instead. FortiGuard category filtering and static URL filtering have different lists of possible actions that can be configured. The impact of selecting different actions is covered later.
When a user visits a website, you can use the FortiGuard live service to find out the category for the URL and allow or block access by category. This is a great way to perform bulk URL filtering without having to individually define each website. After the 7-day grace period, FortiGate is no longer able to rate websites and every visit is treated as a rating error. For a rating error there are only two options: block or allow. Choose this deliberately: allowing on rating error fails open, blocking fails closed.
FortiGuard category filtering is enabled in the GUI through the web filter profile. Categories and subcategories are listed, and the action to take can be defined individually for each. Actions are assigned by right-clicking a category and selecting from a menu. If the feature is enabled and the unit does not have a valid contract, a warning is displayed in the GUI.
FortiGate can maintain a list of recent website rating responses in memory, so if the URL is one the device already knows about, it does not have to send another rating request. Two ports are available for the unit to query FortiGuard: port 53 and port 8888. Port 53 is the default, since this is also the port number used for DNS, which is almost guaranteed to be open. However, any device that inspects the content of port 53 traffic will see that it is not DNS and may drop it, preventing the service from working. In that case you can switch to the alternate port 8888, but this port is not guaranteed to be open in all networks, so check this before setting it up. Port 80 is an option for FortiGuard communications, but only if you are using a FortiManager rather than the FortiGuard network.
Caching responses reduces the time it takes to establish a rating for a website. A rating request over the network takes milliseconds at the fastest, with seconds not being unusual, whereas checking memory is orders of magnitude faster (nanoseconds). The timeout for a rating request defaults to 15 seconds but can be adjusted as high as 30 seconds if necessary.
Web site categories are determined by both automatic and human methods. The FortiGuard team has automatic web crawlers that look at various aspects of the website in order to come up with a rating. There are also people who examine websites and look into rating requests in order to determine categories.
There is always the possibility for errors in rating, or a scenario where you simply do not agree with the rating a site has been given. In this case, you can use the web portal to contact the FortiGuard filtering team to submit a web site for a new rating, or to get it rated if it is not already in the database.
The ‘Warning’ action is only an option with FortiGuard category filtering, and only with proxy-mode inspection. It is not available with static URL filtering. When someone visits a website in a category with an action of Warning, they are presented with a page that warns them they may not wish to visit this website. They are given the choice to go to the website anyway, or to go back to the previous page.
The ‘Authenticate’ action is only an option with FortiGuard category filtering, and only with proxy-mode inspection. It is not available with static URL filtering. The Authenticate action blocks all websites in that category unless a valid passcode is entered. This is not user authentication, and entering proper credentials does not result in any kind of login; the username/password pair is used the way a key is used to open a locked door. Once this has been done successfully, access to that category is allowed for the configured amount of time. The user can visit any other website in the same category for as long as has been configured, and is not prompted again when visiting a second (or third) website in the same category, so long as the timer has not expired.
The ‘Exempt’ action is only an option with static URL filtering. It is not available with FortiGuard category filtering. The Exempt action is used to bypass issues that may be caused by other checks: sometimes FortiGuard category filtering is not granular enough, sometimes a file you need is being caught by virus scanning. Exempt gives you the ability to bypass one or more checks, or all further checks. Because it can also skip antivirus scanning, limit exempt entries to exactly the hosts or paths that need them.
These actions are possible with both FortiGuard category filtering and static URL filtering. Regardless of which feature they are used with, the resulting action is the same.
• Allow – Effectively defines the website as trusted. Access to the site is permitted and no log message is generated to record this.
• Monitor – Access to the website is permitted and a log message is generated to record the event.
• Block – Prevents access to the website and displays a block page to the user instead.
Log message generation is subject to the firewall policy, specifically its “Logging Options” setting.
When using FortiGuard category filtering, one option to allow or block access to a website is to create a web rating override, which defines the website as being in a category other than the one FortiGuard puts it in. Web rating overrides apply to hostnames only; no URLs or wildcard characters are allowed. Category filtering is not granular like static URL filtering, so if you have a category that is blocked (or allowed) and you need an exception for a particular website, this is one option available to you. If the contract expires and the 7-day grace period passes, web rating overrides are no longer effective: every website is still treated as a rating error.
Since FortiGuard category filtering is not granular and acts based on the category a website is in, there may be times when an exception needs to be made for a single website. Rather than unblocking a potentially unwanted category, access can be provided on a site-by-site basis. The reverse can also be true: the majority of websites in a category are fine, but a single one needs blocking. Changing the category does not automatically result in a different action for the website; the action depends on the settings in the web filter profile at the time the user accesses that website.
Custom categories can be created and used in conjunction with web rating overrides. If the predefined FortiGuard categories are not suitable for the situation, additional custom categories can be added. These custom categories can be added and deleted as needed, so long as they are not in use. A category is considered in use if any web rating override has been configured to use it. It is also considered in use if any web filter profile associates an action other than ‘Allow’ with that category.
FortiGuard quota can be used to limit the time users spend on websites, based on their categorization. A quota cannot redirect you once the website is loaded in the browser. For example, if you had 45 seconds left on your quota and you visited a website, it would likely finish loading before the 45 seconds were up. You could then spend 20 minutes reading the information you received, and you would not be blocked or notified until the next attempt to access one of these websites. The reason is that the connection to the website is generally not a live stream: once you receive the information, the connection is closed.
Quotas are configured just below the category actions in the web filter profile. Multiple quotas (timers) can be configured in this section, and each one can be linked to a single category or to several. If a quota applies to multiple categories, it is not that amount of time for each individual category; the one timer applies across all of the categories specified.
Some features on FortiGate can’t provide direct user feedback. FortiGuard quota won’t provide any feedback to the user until they exceed the quota they have been given, unless the Fortinet Bar is enabled. The Fortinet Bar injects a Java applet which uses a communications port to talk to FortiGate and retrieve additional information from features that would otherwise provide no direct user feedback. For FortiGuard quota it provides a countdown. Other features that can’t present block pages (e.g. application control) show block events in the top bar. HTTPS pages are much more sensitive to injected data, so data cannot be reliably inserted, and the Fortinet Bar is therefore only available for HTTP websites.
Enforcing safe search can be done for Google, Bing and Yahoo. Safe search is an option that some search engines offer in order to apply their own filters to the search results that are displayed. This way, even if safe search is disabled in the browser, FortiGate makes sure the query is subject to whatever filtering the service decides to apply. All FortiGate can do is ensure that it is enabled; it cannot dictate the behavior, as that is up to the search engine providers. It works by looking for the safe search string when a search is submitted. If it is not there, the FortiGate unit modifies the request to include it. This way, even if it is not enabled locally in the browser, it gets applied to the request as it passes through FortiGate. Since the request must be readable to be modified, a search engine reached over HTTPS needs full SSL inspection for this to work. YouTube EDU filtering is also available. This is a service offered by YouTube to educational institutions; when you create an account with them they provide you with an identifier. Unlike normal safe search, this does not append a parameter to the URL, but adds an HTTP header to the request. This identifies your school to YouTube when people visit. Within your YouTube EDU account you can configure the filters and settings in order to limit video access.
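The rewrite described above, as an added example in JavaScript (not code from the student guide or from FortiOS). Which parameter each engine honours is an assumption of this example rather than something the text states: Google safe=active, Bing adlt=strict, Yahoo vm=r. The YouTube EDU header name X-YouTube-Edu-Filter and the identifier value are likewise assumptions. FortiGate applies this to the HTTP request in transit; here the same logic is applied to the request URL and a headers object.

```javascript
// Per-engine safe search parameters (assumed for this example).
const SAFE_SEARCH_ENGINES = [
  { name: "google", host: /(^|\.)google\.[a-z.]+$/i,    param: "safe", value: "active" },
  { name: "bing",   host: /(^|\.)bing\.com$/i,           param: "adlt", value: "strict" },
  { name: "yahoo",  host: /(^|\.)search\.yahoo\.com$/i,  param: "vm",   value: "r" },
];

// Rewrites a search request URL the way the text describes: if the safe search
// string is missing, or set to something else (e.g. safe=off), add or replace it.
// Returns { url, modified }.
function enforceSafeSearch(requestUrl) {
  const u = new URL(requestUrl);
  const engine = SAFE_SEARCH_ENGINES.find(e => e.host.test(u.hostname));
  if (!engine) return { url: requestUrl, modified: false }; // not a supported engine: pass through untouched
  if (u.searchParams.get(engine.param) === engine.value) {
    return { url: requestUrl, modified: false };            // already strict: nothing to do
  }
  u.searchParams.set(engine.param, engine.value);           // the user's own query terms are preserved
  return { url: u.toString(), modified: true };
}

// YouTube EDU: instead of a URL parameter, an HTTP request header carries the
// school's identifier (header name and value assumed). Returns a new headers object
// and leaves requests to other hosts untouched.
function addYoutubeEduHeader(headers, hostname, eduId) {
  if (!/(^|\.)youtube\.com$/i.test(hostname)) return { ...headers };
  return { ...headers, "X-YouTube-Edu-Filter": eduId };
}
```

The check compares the parameter's value, not just its presence, so a request where the user has explicitly set safe=off is corrected as well; only the one parameter is touched, so the search terms and any other parameters reach the engine unchanged.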
There are several different components to web filtering, and when they are enabled the inspection order follows these steps. The local static URL filter is applied first. Second, FortiGuard category filtering determines a rating. Finally, the advanced filters take place, such as safe search or removing ActiveX components. After all of these checks are done, the content is handed off internally for virus scanning.
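The following is an added example, not code from the student guide or from FortiOS: a small JavaScript model of the decision order just described. It covers the static URL filter pattern types from the static URL filtering slides (Simple as the exact match the text describes, Wildcard, Reg. Expression, first match wins, Exempt skipping every later check), the web rating override and rating-error behaviour from the FortiGuard slides, and the check order from this slide. The profile, category names, rating table and URLs are constructed for the example; a real FortiGate obtains its ratings from FortiGuard, and JavaScript RegExp stands in for PCRE.

```javascript
// --- Static URL filter: entries are evaluated in list order, first match wins.
function urlEntryMatches(entry, target) {
  switch (entry.type) {
    case "simple":   // exact text match: no partial match possible
      return target === entry.pattern;
    case "wildcard": // '*' stands for any run of characters
      return new RegExp("^" + entry.pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&")
                                            .replace(/\*/g, ".*") + "$", "i").test(target);
    case "regex":    // PCRE on FortiGate; JavaScript RegExp is used here as a stand-in
      return new RegExp(entry.pattern, "i").test(target);
    default:
      throw new Error("unknown URL filter entry type: " + entry.type);
  }
}

function staticUrlFilter(target, entries) {
  for (const entry of entries) {
    if (urlEntryMatches(entry, target)) return entry;
  }
  return null; // no match: move on to the next enabled check
}

// --- FortiGuard category rating, modelled as a local table plus rating overrides.
function rateHost(host, ratingTable, overrides, contractValid) {
  if (!contractValid) return "rating-error";   // past the grace period: overrides are ineffective too
  if (overrides[host]) return overrides[host]; // web rating overrides are hostname-only
  return ratingTable[host] || "rating-error";
}

// --- The checks in order: static URL filter, then category, then (not modelled) advanced filters and AV.
// Returns { action: "allow"|"block", log: boolean, trace: [...] }.
function inspect(url, profile, ctx) {
  const u = new URL(url);
  const target = u.hostname + u.pathname.replace(/\/$/, ""); // scheme stripped, e.g. "www.example.com/docs/a.exe"
  const trace = [];

  const entry = staticUrlFilter(target, profile.urlFilter);
  if (entry) {
    trace.push("urlfilter:" + entry.type + ":" + entry.action);
    if (entry.action === "block")  return { action: "block", log: true,  trace };
    if (entry.action === "exempt") return { action: "allow", log: false, trace }; // skips every further check, AV included
    // "allow" and "monitor" continue to the remaining checks; monitor also logs
  }

  const category = rateHost(u.hostname, ctx.ratingTable, profile.ratingOverrides, ctx.contractValid);
  if (category === "rating-error") {
    const action = profile.allowOnRatingError ? "allow" : "block"; // the only two choices on a rating error
    trace.push("rating-error:" + action);
    return { action, log: true, trace };
  }
  const catAction = profile.categoryActions[category] || "allow";
  trace.push("category:" + category + ":" + catAction);
  if (catAction === "block") return { action: "block", log: true, trace };
  const monitored = catAction === "monitor" || (entry !== null && entry.action === "monitor");
  // Advanced filters (safe search, ActiveX removal) and then antivirus would run here.
  return { action: "allow", log: monitored, trace };
}

// Constructed sample profile and rating table (not real FortiGuard data).
const sampleProfile = {
  urlFilter: [
    { type: "wildcard", pattern: "*.cdn.example.net*",  action: "exempt" },
    { type: "regex",    pattern: "\\.(exe|msi)$",       action: "block"  },
    { type: "simple",   pattern: "www.badsite.example", action: "block"  },
  ],
  ratingOverrides: { "wiki.example": "Approved-Internal" }, // custom category assigned via a rating override
  categoryActions: { "Social Networking": "block", "Business": "monitor", "Approved-Internal": "allow" },
  allowOnRatingError: false,
};
const sampleCtx = {
  contractValid: true,
  ratingTable: { "social.example": "Social Networking", "wiki.example": "Social Networking", "news.example": "Business" },
};
```

Two behaviours worth noticing when running it: the simple entry blocks www.badsite.example itself but not www.badsite.example/about, which then falls through to category rating (and, being unrated in the sample table, to the rating-error decision); and with contractValid set to false the override for wiki.example no longer helps, exactly as the rating override slide warns.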
Here’s a look at the web filter profile. Up at the top you can enable FortiGuard and assign the actions to the various web site categories. If you scroll down towards the bottom you will find the more advanced options that can be enabled, like Safe Search and Static URL filtering. Once you have enabled and saved the settings you require, you will need to apply the profile to your firewall policy to activate the options.
Web profile overrides change the rules used to inspect traffic. Enabling them allows authorized users to enter a passcode that switches the web filter profile inspecting their traffic to another profile. In a proper configuration, this new profile has elevated access permissions and allows additional websites. The new profile is used to inspect ALL of their web traffic from that point on, until the timer expires. Authentication must be enabled in order to use this. Once web profile overrides are enabled, the FortiGuard block page shows an override link that users can select to activate the override.
• Apply to Groups – Select the user groups whose credentials allow overrides.
• Assign to Profile – Which web filter profile is used after a successful override.
• Scope – Who is affected by the override.
• Duration – How long the override lasts.
How the FortiGate handles HTTPS traffic is decided based on the settings of the SSL Inspection profile that is applied to the Firewall Policy. SSL Certificate Inspection reads only unencrypted data from the hello message, whereas Full SSL Inspection will proxy SSL, allowing for full content inspection. SSL and Certificates are covered in more detail in the Certificate Operations module.
This is an example of the log message generated as a result of applying a web filter profile on a firewall policy. Access details include information about the FortiGuard quota and category (if those are enabled), which web filter profile was used to inspect the traffic, the URL and more details about the event.
You can also view the raw log data by selecting the “Download Raw Log” button at the top right of the GUI. When the downloaded file is opened, it will be a plain text file in a syslog format.
The list of IP addresses to use for FortiGuard comes back from the update server (the FortiGuard Distribution Network or a FortiManager). The columns in the diagnostic output are:
• Weight – Based on the difference in timezone between FortiGate and this server (modified by traffic)
• RTT – Round trip time
• Flags – D (IP returned from DNS), I (contract server contacted), T (being timed), F (failed)
• TZ – Server timezone
• Curr Lost – Current number of consecutive lost packets (resets to 0 when one packet succeeds)
• Total Lost – Total number of lost packets
The list is of variable length, depending on the FortiGuard Distribution Network, but approximately 10 IPs in total is average.
Logs can be used to determine the decision FortiGate made, but this depends on the configured settings. The firewall policy may not be set to log, or the web filter action could be set to Allow; in both of those cases no log event is generated to record the decision. The diagnostic shown here displays the full URL in its output; some of the output was cut to fit on this page. The source of the request, the hostname, the URL, the user (if authentication is enabled) and the profile used to examine the URL can all be determined by reading the output.
Here is a review of what we discussed. We showed:
• An overview of web filtering functionality
• The different types and modes of web filtering
• How static URL filtering works
• How FortiGuard category filtering works
• How to submit a website for rating
• The different actions that can be associated with accessing a website
• How to do a rating override and create a custom category
• Applying a quota to a category
• The Fortinet Bar
• How to force safe search with some common websites
• The order of the checks involved in inspecting websites
• How to configure a web profile override
• The basics of inspecting HTTPS traffic

Application Control

In this lesson, you will learn about how to control network applications – beyond simply blocking or allowing a port number.
After completing this lesson, you should have these practical skills to apply application control, keep it up-to-date, and monitor what applications are being used on your network. Lab exercises can help you to reinforce what you’ve learned.
Application control detects applications – often ones that waste bandwidth – and allows you to monitor and/or block the traffic. Like other UTM inspection, application control must be set up before it can be used. Unlike other forms of UTM, such as web filtering or antivirus, application control isn’t applied by a proxy; it uses IPSEngine. So it doesn’t operate on built-in protocol states: it matches patterns in the entire byte stream of the packet.
By comparison, when applying web filtering and antivirus via the HTTP proxy, the proxy first parses HTTP and removes the protocol, and then scans only the payload inside. Why does FortiGate use a flow-based scan for application control?
Because proxies can’t easily detect peer-to-peer applications. When HTTP and other protocols were designed, they were designed to be easy to trace. In that way, administrators could easily give access to single servers behind NAT devices such as routers and, later, firewalls. But when peer-to-peer applications were designed, they had to be able to work without assistance – or cooperation – from network administrators. To achieve this, the designers made them skilled at bypassing firewalls and incredibly hard to detect. Port randomization, pinholes, and changing encryption patterns are some of the techniques that P2P protocols use. These techniques make them difficult to block via firewall policy, and also difficult to proxy.
Let’s show how this works. Here is a traditional client-server architecture. There may be many clients of popular sites, but often, as with an office file server, it’s just between one client and one server. Traditional downloads use a defined protocol over a standard port number. Whether it’s from a web or FTP site, the download is from a single IP address to a single IP address. So blocking this kind of traffic is easy: you only need one firewall policy. But it’s more difficult for peer-to-peer downloads. Why?
Peer-to-peer downloads divide each file among multiple (theoretically unlimited) peers. Each peer delivers part of the file. Interestingly, where many clients is a disadvantage for client-server architectures, it is an advantage for peer-to-peer: in theory, as the number of peers increases to n, the file is delivered n times faster. Because popularity increases the speed of delivery – unlike traditional client-server architecture, where popularity can effectively cause a denial of service on the server – some software, such as BitTorrent distributions of Linux and games distributing new patches, leverages this advantage. Even if each client has little bandwidth, together they can offer more bandwidth for the download than many powerful servers. Conversely, this also means that the requesting peer can consume much more bandwidth per second than it could from a single server. Even if there is only one peer on your network, it can consume unusually large amounts. And because the protocols are usually evasive, and there are many sessions to many peers, they are difficult to block completely. In a DHCP LAN or guest Wi-Fi, where the inside peer doesn’t have a static IP address or even a predictable physical location, it can be extremely difficult to find and stop.
So how does application control block these applications, and more? It scans packets passing through FortiGate and looks for patterns. A particular application, such as Google Talk, is identified by matching known patterns to its transmission patterns. So obviously it can only be accurately identified if the stream is unique somehow. Not every application behaves in a unique way; many reuse pre-existing, standard protocols and communication methods. For example, many video games, such as World of Warcraft, now use the BitTorrent protocol to distribute game patches. Application control only scans the network traffic. It does not scan software installed on the client; that would require software installed on the endpoint, such as a FortiScan agent. So it won’t detect software until it starts and connects to the network. Application control does not use FortiGate’s proxies, so unlike some other UTM profiles, you can’t switch between proxy- and flow-based inspection.
Before you try to control applications, it’s important to understand how that works. How does application control detect the newest applications, and changes to those application protocols? To do this, you can configure your FortiGate to automatically update its application control signature database, in the same way that it polls FortiGuard for new IPS signatures. The extended IPS signature package includes more application control signatures. So if you don’t find the ones you need initially, you can enable that option to download more.
To view the signatures that your FortiGate has downloaded, click the ‘View Application Signatures’ link in the application control profile. Remember, if you did not enable download of the extended IPS database, FortiGuard may have more signatures available than you see in the GUI. To see those, visit the FortiGuard website.
On the FortiGuard web site, you can read details about each signature’s related application. Let’s look at an example. This is the article for Google Talk. It is an instant messenger, so Fortinet has put it in the “Collaboration” category. The article mentions that Google Talk, like many instant messengers now, uses the Jabber protocol. So if you block the application, the logs may show the Jabber protocol, even though the application that the user has installed is named Google Talk. If there are any special requirements in order to scan or block the application, the article provides some advice. But it’s always wise to search the Internet for more information, and to make test policies and observe the behavior. At the top of the page, you’ll also notice a risk rating…
When building an application control signature, FortiGuard’s security research team evaluates the application and assigns a risk level, based on the types of security risk involved. The rating is Fortinet-specific and not related to CVSS or other external systems. If you aren’t familiar with a specific piece of software, this information can help you decide whether it would be wise to block it.
If there are new applications that you need to control, and the latest update doesn’t have any definitions for them, you can ask FortiGuard to add them. Remember, though, that not all applications can be uniquely defined. That is to say, there must be something about the traffic that differentiates it from other similar traffic: traffic that occurs on the same port, or via the same protocol.
Once you have a signature, the next step is to define the settings that control it. Do this in an application sensor. Then, to apply your application control settings, select the sensor in the firewall policy. Like any other security profile, these settings are not global: FortiGate only applies them to traffic governed by the firewall policy where you’ve selected an application control profile. This allows granular control.
Did you see these two at the end of the list of categories? They are catch-all categories:
• ‘All Other Known Applications’
• ‘All Other Unknown Applications’
‘All Other Known Applications’ matches traffic that can be identified but that you did not explicitly enable in the profile. This is because some categories are only directly configurable through the CLI: the ones that are in the extended IPS database. ‘All Other Unknown Applications’ matches traffic that could not be identified. Application control creates a log entry that says the traffic is an ‘Unknown Application’. Depending on:
• how many rare applications your users have
• which IPS database you are using (remember, the default IPS database can identify fewer rare applications than the extended one)
this might cause many log entries. Frequent log entries decrease performance.
Once you’ve applied application control, FortiGate will start to scan packets for matches. It will do this in a specific order. There are two major sections to the application control profile:
• ‘Categories’ is at the top
• ‘Application Overrides’ is below ‘Categories’
First, IPSEngine examines the traffic stream for a signature match. If you’ve configured any overrides, application control considers those first. It looks for a matching override starting at the top of the list, like firewall policies. If no matching override exists, then application control applies the action that you’ve configured for applications in your selected categories. Multiple overrides for the same signature cannot be created.
Both categories’ and overrides’ actions are configurable.
• Allow – Simply passes the traffic
• Monitor – Passes the traffic, but also records a log message
• Block – Drops the detected traffic without notifying the client, and records a log message
• Reset – Resets the TCP connection, and records a log message
• Traffic Shaping – Rate limits the application so that it doesn’t deprive more important traffic of bandwidth, and also records a log message
Which is the correct action to select? It depends on the application. If an application requires feedback to prevent instability or other unwanted behavior, then you might use ‘Reset’ instead of ‘Block’. If you need to allow the application but prevent it from starving other applications of bandwidth, then traffic shaping might be a good choice. Otherwise, the most efficient use of FortiGate resources is to simply block.
Order of scans is introduced in the firewall policies lesson. But here is a review of the third phase: where application control occurs. Application control is later than many of FortiGate’s other scans and actions, such as for VPN ingress and DoS. But within UTM, it is one of the first scans. So if traffic is blocked by application control, FortiGate never does later scans like web filtering or antivirus, even if those profiles use flow-based inspection from IPSEngine, just like application control. But if you have configured application control to allow the traffic – not block it or reset the TCP connection – then FortiGate will proceed to the next scans: email filtering, web filtering, and antivirus. Because each scan can have exemptions, this has some interesting effects.
Here is an example of how several UTM features could work together, overlap, or act as substitutes, on the same traffic. In this profile, application control (in general) blocks the categories Social.Media and Video/Audio. For those applications, FortiGate responds with application control’s HTTP block message. (It’s slightly different than web filtering’s HTTP block message.) But at the bottom of this profile, there are some exceptions. Instead of blocking, application control applies traffic shaping to Facebook and YouTube. After the application control scan is done, FortiGate begins other scans, such as web filtering. This, too, could block Facebook and YouTube, but it would use its own message. Also, web filtering doesn’t check the list of application control overrides. So even if an application control override allows and rate limits an app, web filtering could still block it. Similarly, static URL filtering has its own ‘Exempt’ action, which bypasses all subsequent security checks. However, application control occurs before web filtering, so that web filtering exemption can’t bypass application control.
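As an added example that is not part of the student guide or of FortiOS, the following Python models the evaluation order described above (overrides top-down, then categories, then the two catch-all categories) and the interaction with web filtering from this example profile; the `Sensor` structure, the function names and the ordering of the URL filter exemption relative to the web filter block list are hypothetical simplifications.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Sensor:
    """Simplified model of an application sensor (hypothetical, not FortiOS's data model)."""
    overrides: list                 # (application, action) pairs, evaluated top-down
    categories: dict                # category name -> action
    other_known: str = "monitor"    # 'All Other Known Applications'
    other_unknown: str = "monitor"  # 'All Other Unknown Applications'


def resolve_action(sensor, app, category):
    """Action application control applies to one detected flow.
    app and category are None when IPSEngine matched no signature."""
    if app is None:
        return sensor.other_unknown           # logged as 'Unknown Application'
    for name, action in sensor.overrides:     # first matching override wins
        if name == app:
            return action
    if category in sensor.categories:
        return sensor.categories[category]
    return sensor.other_known                 # identified, but not enabled in the profile


def inspect(sensor, webfilter_blocked, urlfilter_exempt, app, category, url):
    """Scans in the lesson's order: application control first, then web filtering.
    Returns (scan that decided, action). webfilter_blocked and urlfilter_exempt are
    sets of host names; web filtering never consults the app-control overrides."""
    action = resolve_action(sensor, app, category)
    if action in ("block", "reset"):
        return ("app-control", action)        # later scans never run
    host = urlsplit(url).hostname
    if host in urlfilter_exempt:              # 'Exempt' skips the remaining checks...
        return ("url-filter-exempt", action)  # ...but app control has already run
    if host in webfilter_blocked:
        return ("web-filter", "block")        # blocked despite the app-control override
    return ("allowed", action)


# The profile from the lesson: two categories blocked, two overrides that rate limit instead.
LESSON_SENSOR = Sensor(
    overrides=[("Facebook", "traffic-shape"), ("YouTube", "traffic-shape")],
    categories={"Social.Media": "block", "Video/Audio": "block"},
)

if __name__ == "__main__":
    print(inspect(LESSON_SENSOR, {"www.facebook.com"}, set(),
                  "Facebook", "Social.Media", "https://www.facebook.com/"))
```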
For HTTP-based applications, application control can provide some feedback to the user about why their application was blocked. This is called a “block page”, and it’s similar to the one you can configure for URLs that you block via FortiGuard Web Filtering. The block page says:
• which signature detected the application (in this case, HTTP.Browser_Firefox)
• the signature’s category (Web.Others)
• the URL that was specifically blocked (in this case, the index page of msn.com), since a web page can be assembled from multiple URLs
• the client’s source IP (10.0.1.10)
• the server’s destination IP (23.101.196.141)
• user name (if authentication is enabled)
• the UUID of the policy governing the traffic
• and the FortiGate’s host name
The last two pieces of information can help you to find which FortiGate blocked the page, even if you have a large network with many FortiGates securing different segments.
If an application is necessary, but you do need to prevent it from impacting bandwidth for more sensitive streaming applications such as video conferencing, then – instead of blocking it entirely – you can rate limit the application. Shaping traffic via application control is very useful when you are trying to limit traffic that uses the same TCP or UDP port numbers as a mission-critical application. Some high-traffic web sites such as YouTube can be throttled in this way.
Let’s say that you have enabled application control because users have been complaining that the network is slow. During peak times, you notice that there is no bandwidth remaining. Application control – with the ‘Monitor’ action selected – showed that many users were using YouTube, and it correlated to periods of bandwidth saturation. How could you solve this? With web filtering, you can see that www.youtube.com is often accessed, but it doesn’t analyze the function of each URL. And it can’t apply traffic shaping. Alternatively, since YouTube generates large volumes of traffic, you could use application control signatures with a traffic shaping action. Let’s examine the details of how that could work.
Not all URL requests to www.youtube.com are for video. Your browser makes several HTTP requests for:
• the web page itself
• images
• scripts and style sheets
• video
and all of them have separate URLs. If you analyze a site like YouTube, the web pages themselves don’t use much bandwidth. Mostly, the culprit is the video. But since it is all transported via the same protocol (HTTPS), and the URLs contain dynamically generated alphanumeric strings:
• traditional firewall policies can’t block or throttle it by port number/protocol, which are all the same
• web filtering cannot apply traffic shaping
With application control, you can rate limit only the videos. This prevents users from saturating your network bandwidth while still allowing them to access the other content on the site, such as for comments or sharing links.
At the bottom of the application sensor, there are more options that affect how application control functions.
‘Deep Inspection of Cloud Applications’ does not enable SSL Inspection. Many applications are switching to HTTPS-only, so remember that for those, you will also need an SSL/SSH inspection profile. This includes many popular ones, such as Twitter. If the application is encrypted, and you haven’t enabled SSL/SSH inspection, then application control won’t be able to recognize the application.
If you choose to enable ‘Allow and Log DNS Traffic’, be aware that you should only do it for short periods, such as during an investigation. Leaving this option enabled for long periods can impact performance and cause premature disk failure. One log is created per packet. So depending on the application, and how often it queries DNS servers, this can use significant system resources.
‘Replacement Messages for HTTP-based Applications’ allows you to replace blocked content with an explanation for the user’s benefit. Application control can also link into the Fortinet Bar, if that has been enabled. With non-HTTP applications, however, you can only drop the packets or reset the TCP connection.
If you have logging enabled, you can use it to discover which applications are being used on your network, and details about them. Look in Log & Report > Security Log > Application Control. In this example, application control detected a client attempting to access Facebook. The configured action was to monitor the traffic. We know this because the ‘Action’ indicates ‘pass,’ so we know FortiGate didn’t block the traffic. But the action wasn’t to simply allow the traffic without logging, either, which we know because the log message exists. To view details about the log message, click its entry. The application name is a link to the FortiGuard encyclopedia web site. If you were unaware of the application, and don’t know what type of risks it presents, you could click the link to read more.
If you look in the forward traffic log, where firewall policies record activity, you’ll also find a summary of traffic where FortiGate applied application control. Again, this is because application control is applied by a firewall policy. To find which policy applied application control, you can use either the ‘Policy ID’ or the ‘Policy UUID’ fields of this log message.
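To illustrate reading these logs outside the GUI, here is an added Python example (not from the student guide or Fortinet) that parses application control entries and pulls out the same facts the lesson reads from the log page: which application and category were detected, whether ‘pass’ means the sensor action was Monitor, and which Policy ID and Policy UUID applied the sensor. The field names follow the key=value style of FortiOS logs, and the three sample lines are constructed for this example, not real FortiGate output.

```python
import re
from collections import Counter

# Constructed sample, not real FortiGate output; field names follow the FortiOS
# key=value convention. IPs are the lesson's client (10.0.1.10) and TEST-NET addresses.
SAMPLE_LOG = """\
date=2015-04-30 time=10:15:01 type="utm" subtype="app-ctrl" srcip=10.0.1.10 dstip=203.0.113.5 policyid=1 poluuid="00000000-0000-0000-0000-000000000001" app="Facebook" appcat="Social.Media" action="pass" msg="Social.Media: Facebook,"
date=2015-04-30 time=10:15:07 type="utm" subtype="app-ctrl" srcip=10.0.1.10 dstip=23.101.196.141 policyid=1 poluuid="00000000-0000-0000-0000-000000000001" app="HTTP.Browser_Firefox" appcat="Web.Others" action="block" msg="Web.Others: HTTP.Browser_Firefox,"
date=2015-04-30 time=10:16:30 type="utm" subtype="app-ctrl" srcip=10.0.1.11 dstip=203.0.113.5 policyid=2 poluuid="00000000-0000-0000-0000-000000000002" app="Facebook" appcat="Social.Media" action="pass" msg="Social.Media: Facebook,"
"""

# key=value where the value is either "quoted, may contain spaces" or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """One FortiOS-style log line -> dict of field name to string value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV.finditer(line)}


def app_control_records(text):
    """Only application control entries (subtype app-ctrl) from a log dump."""
    return [r for r in (parse_line(l) for l in text.splitlines() if l.strip())
            if r.get("subtype") == "app-ctrl"]


def sensor_action(rec):
    """What the 'action' field tells you, per the lesson: 'pass' means the sensor
    action was Monitor (logged but not dropped); an Allow action writes no log at all."""
    return {"pass": "monitor", "block": "block", "reset": "reset"}.get(rec["action"], rec["action"])


def summarize(records):
    """Counter of (application, category, sensor action) across the log."""
    return Counter((r["app"], r["appcat"], sensor_action(r)) for r in records)


def policies_for(records, app):
    """(policyid, poluuid) pairs of the firewall policies that applied the sensor to this app."""
    return sorted({(int(r["policyid"]), r["poluuid"]) for r in records if r["app"] == app})


if __name__ == "__main__":
    recs = app_control_records(SAMPLE_LOG)
    for key, n in summarize(recs).items():
        print(n, key)
    print(policies_for(recs, "Facebook"))
```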
To review, here is what we discussed:
• How application control identifies traffic
• Why some traffic, especially peer-to-peer, is hard to block without application control
• FortiGuard’s 5-point rating system for application control signatures
• How to submit requests for additional applications
• How to configure an application control sensor
• When to shape traffic
• Order of operations for the application control and IPSEngine processes
• How to read logs to discover which applications have been detected, and which action FortiGate applied