15 May 2013
Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.
Contents

Introduction

Installing and Setup
  Setting up a limited access administrator account
  Setting up and troubleshooting FortiGuard services
  Logging FortiGate system events to gather network traffic information
  Using SNMP to monitor the FortiGate unit
  Using FortiCloud to view log data and reports
  Using two ISPs for redundant Internet connections with distributed sessions
  Protect a web server on the DMZ network
  Adding a second FortiGate unit to improve reliability
  Setting up an explicit proxy for users on a private network
  Using port pairing to simplify transparent mode
  Adding packet capture to help troubleshooting

Wireless Networking
  Providing remote users access to the internet and corporate network using FortiAP
  Setting up a FortiGate and FortiAP to provide wired and wireless Internet access
  Setting up guest wifi users with a captive portal

UTM Profiles
  Visualizing and controlling the applications on your network using application control
  Configuring web filter overrides and local ratings
  Protecting a web server from vulnerabilities and DoS attacks using IPS
  Blocking email/web traffic or files containing sensitive information
  Monitoring your network for undesirable behavior using client reputation
  Inspecting content on the network using flow-based UTM instead of proxy-based UTM
  Blocking large files from entering the network
  Blocking access to specific web sites
  Blocking HTTPS traffic with web filtering

Authentication
  Providing single sign-on on a Windows AD network by adding a FortiGate
Introduction
This FortiGate Cookbook provides administrators who are new to FortiGate appliances with examples of how to implement many basic and advanced FortiGate configurations. FortiGate products offer administrators a wealth of features and functions for securing their networks, but covering the entire scope of configuration possibilities would easily surpass this book. Fortunately, much more information can be found in the FortiOS Handbook. The latest version is available from the Fortinet Technical Documentation website at http://docs.fortinet.com. This cookbook contains a series of recipes that describe how to solve a problem. Each recipe begins with a description of the configuration requirements, followed by a step-by-step solution, and concludes with results that show what should occur so that you can verify the steps were completed successfully. This FortiGate Cookbook was written for FortiOS 5.0 patch 2 (FortiOS 5.0.2). A PDF copy of this document is available from the FortiGate Technical Documentation website at http://docs.fortinet.com/cookbook.html. You can also find earlier editions of the FortiGate Cookbook there, which contain additional recipes and troubleshooting tips, as well as video versions of some of the content in this book. You can send comments about this document and ideas for new recipes to techdoc@fortinet.com. New recipes may be published on the FortiGate Cookbook website and added to future versions.
Web-based Manager
Also called the Web Interface or Web UI, the FortiGate web-based manager is an advanced point-and-click, drag-and-drop interface that provides quick access to most FortiGate configuration settings and includes visual monitoring and management tools. Using the web-based manager you can add a security policy to monitor application activity on a network, view the results of this application monitoring policy, and then create additional policies or change the existing policy to block or limit the traffic produced by some applications. The web-based manager also provides a wide range of monitoring and reporting tools that provide detailed information about traffic and events occurring on the FortiGate unit. You access the web-based manager using HTTP or a secure HTTPS connection from any web browser; for anything beyond initial setup, limit the Administrative Access of the interface to HTTPS (and SSH) so that administrator credentials are never sent in clear text. By default you can access the web-based manager by connecting to the FortiGate interface usually attached to a protected network. Configuration changes made from the web-based manager take effect immediately, without resetting the unit or interrupting service.
FortiExplorer
FortiExplorer provides a user-friendly and accessible tool that you can use to configure a FortiGate unit over a standard USB connection. You can install FortiExplorer software on a PC running Windows or Mac OS X and use a USB connection between the PC and your FortiGate unit. Use FortiExplorer to register your FortiGate unit, check for and perform FortiOS firmware updates, use the FortiExplorer configuration wizard to quickly set up the FortiGate unit and connect to the web-based manager or CLI.
Training
Fortinet Training Services provides a variety of training programs world-wide that orient you to your new equipment, and provides certifications to verify your knowledge level. For more on training services, visit the Fortinet Training Services web site at http://campus.training.fortinet.com.
Setting up a limited access administrator account

1. Create a new administrative profile
2. Add a new administrator and assign the profile
3. Results
[Network diagram: Internet - FortiGate - Internal Network]
The admin profile controls what features of the FortiGate configuration the administrator can see and configure from web-based manager and CLI. You can add multiple profiles and assign users and administrators different profiles, depending on what they are tasked to do with the FortiGate unit.
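The same two steps expressed in the FortiOS CLI, as an added example that is not part of the cookbook. The profile name (policy_admin), the administrator name Terry_White from the Results below, the trusted management subnet 192.168.1.0/24, the password and the interface name port1 are assumptions, and the option names follow FortiOS 5.0 as remembered, so confirm them with the CLI's `?` help on your own unit.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI syntax from memory;
# the names, subnet and password below are assumptions.

# Step 1: a profile with read-write access to firewall objects and policies,
# read-only access to administrator settings, and nothing else. Every other
# feature group is set to none so its menus do not even appear.
config system accprofile
    edit "policy_admin"
        set admingrp read
        set fwgrp custom
        config fwgrp-permission
            set address read-write
            set service read-write
            set schedule read-write
            set policy read-write
        end
        set authgrp none
        set loggrp none
        set mntgrp none
        set netgrp none
        set routegrp none
        set sysgrp none
        set updategrp none
        set utmgrp none
        set vpngrp none
        set wanoptgrp none
        set wifi none
    next
end

# Step 2: the administrator bound to that profile. trusthost1 limits where
# this account may log in from; connections from any other address are
# refused before the password is checked, which blunts credential guessing
# against the administrative interface.
config system admin
    edit "Terry_White"
        set accprofile "policy_admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set password "use-a-long-unique-passphrase"
    next
end

# Offer only encrypted administrative protocols on the inside interface.
# HTTP and Telnet would carry the password above in clear text.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end
```

Check the result with `show system admin Terry_White` and by attempting a login from an address outside 192.168.1.0/24, which should be refused regardless of the password.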
Results
Log in to the FortiGate unit using the user name Terry_White. As this administrator, you can view and edit any element of the FortiGate configuration pertaining to firewall objects and security policies. You can also view the information about the other administrators. Note that menu items for all other features do not appear.
Go to Log & Report > Event Log > System. Verify that the login activity occurred.
Select the entry for more information on the administrator log in.
Go to System > Dashboard > Status, and view the System Information widget. The Current Administrator row indicates the current administrators and the number of administrators logged in.
Select Details for the Current Administrator to view all administrators logged in.
Setting up and troubleshooting FortiGuard services

[Network diagram: Internet / FortiGuard - WAN 1 - FortiGate - port 1 - Internal Network]
You can also view the FortiGuard connection status by going to System > Config > FortiGuard.
Check name resolution. If the FortiGate unit cannot resolve www.fortiguard.com to an IP address, it cannot reach its configured DNS servers, and nothing else in this list will work until DNS is fixed.

Make sure that at least one security policy includes antivirus. If no security policy includes antivirus, the antivirus database may not be updated.

Verify that the FortiGate unit can communicate with the FortiGuard network. Go to System > Config > FortiGuard > Antivirus and IPS Options and select Update Now to force an immediate update of the antivirus and IPS databases. After a few minutes, verify whether the update succeeded.

Test the availability of web filtering and email filtering lookups from System > Config > FortiGuard > Web Filtering and Email Filtering Options by selecting Test Availability. If the test fails, try changing the port used for web filtering and email filtering lookups. The FortiGate unit uses port 53 or 8888 to communicate with the FortiGuard network, and some ISPs block one of these ports.

Determine whether anything upstream, on your own network or on the ISP's network, is blocking FortiGuard traffic. Many firewalls block all ports by default, and ISPs often block low-numbered ports such as 53. FortiGuard uses port 53 by default, so if it is blocked you need to either open the port or change the port the FortiGate unit uses.
Change the FortiGuard source port. It is possible that the source ports used to contact the FortiGuard network are being rewritten before the packets reach FortiGuard, or on the return trip before they reach your FortiGate unit. One solution is to configure a fixed port at the NAT firewall so that the port number stays the same. FortiGate units contact the FortiGuard Distribution Network (FDN) by sending UDP packets with typical source ports of 1027 or 1031 and destination ports of 53 or 8888. The FDN reply packets then have a destination port of 1027 or 1031. If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN replies. You can select a different source port range for the FortiGate unit to use.
If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use higher-numbered ports such as 2048-20000, using the following CLI commands:

    config system global
        set ip-src-port-range 2048-20000
    end
Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use. Display the FortiGuard server list. The diagnose debug rating CLI command shows the list of FortiGuard servers that the FortiGate unit can connect to. The command should show more than one server.
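The troubleshooting checks above run from the CLI, as an added example that is not part of the cookbook. Command names are FortiOS 5.0 as remembered; the DNS addresses are the FortiGuard resolvers in the factory default configuration, the update server hostname is the FDN name as remembered, and the port and source-port values are the ones discussed above.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.

# 1. Name resolution and reachability. If ping cannot resolve the name, the
#    unit's DNS servers are wrong or unreachable; fix that before anything else.
execute ping www.fortiguard.com
execute traceroute update.fortiguard.net

config system dns
    set primary 208.91.112.53      # FortiGuard DNS, the factory default
    set secondary 208.91.112.52
end

# 2. Force an update and check which database versions actually arrived.
execute update-now
diagnose autoupdate versions

# 3. Rating lookups: move from UDP 53 to 8888 when the ISP blocks 53, then
#    list the rating servers the unit knows about (expect more than one).
config system fortiguard
    set port 8888
end
diagnose debug rating

# 4. Replies never come back to the ~1024 source ports? Use a higher range.
config system global
    set ip-src-port-range 2048-20000
end
```

If `diagnose debug rating` shows no servers at all, the unit has never received a server list, meaning its rating requests are not reaching the FDN; look at NAT and upstream filtering rather than at the UTM profiles.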
Logging FortiGate system events to gather network traffic information

1. Configure logging and event logging
2. Enable logging in the security policy
3. Results
[Network diagram: Internet - WAN 1 172.20.120.123 - FortiGate - port 1 192.168.1.99 - Internal Network]
Results
To see information about network traffic processed by the FortiGate unit, go to Log & Report > Traffic Log > Forward Traffic.
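Steps 1 and 2 in the FortiOS CLI, as an added example that is not part of the cookbook. Interface names port1 and wan1 follow the diagram; the policy ID, the syslog server address and the option names (FortiOS 5.0, as remembered) are assumptions.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.

# Step 1: enable local logging (use 'config log disk setting' on models with
# a disk) and turn on the event categories this recipe relies on.
config log memory setting
    set status enable
end
config log eventfilter
    set event enable
    set system enable
    set user enable
end

# Step 2: log every session the outbound policy accepts. 'logtraffic utm'
# would record only sessions where a UTM profile fired, which hides the
# plain forwarded traffic this recipe wants to see.
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Memory logs are lost on reboot and can be cleared by anyone with admin
# access, so also forward them off-box (address is an assumption).
config log syslogd setting
    set status enable
    set server 192.168.1.50
end

# Read the traffic log (category 0) from the CLI.
execute log filter category 0
execute log display
```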
Using SNMP to monitor the FortiGate unit

[Network diagram: Internet - WAN 1 172.20.120.123 - FortiGate - Internal Network]
Under the SNMP version, create a new community. Add the IP address of the host where the SNMP manager is installed, 192.168.1.114/32, and select the port on which to receive SNMP requests and send SNMP traps. You can also set the IP address/Netmask to 0.0.0.0/0.0.0.0 and the Interface to ANY so that any SNMP manager on any network connected to the FortiGate unit can use this community and receive traps. Bear in mind that the community string is a shared secret sent in clear text, so restricting the community to the manager's address is the safer choice.
Step Three: Download the MIB files and configure the SNMP manager
Go to System > Config > SNMP to download FortiGate SNMP MIB. There are two MIB files for FortiGate units: the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units. Configure the SNMP manager at 192.168.1.114 to receive traps from the FortiGate unit.
Results
This example uses SolarWinds SNMP trap viewer. In SolarWinds Toolset Launch Pad, go to SNMP > MIB Viewer and select Launch.
Select Select Device and enter the IP address of the FortiGate unit and the community string.
Perform an action to trigger a trap, for example, change the IP address of the DMZ interface in the FortiGate. Verify that the SNMP manager receives the trap.
View the event log by going to Log & Report > Event Log > System; the interface change that triggered the trap is recorded there as well.
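The SNMP configuration of steps 1 and 2 in the FortiOS CLI, as an added example that is not part of the cookbook, extended with an SNMPv3 user because v1/v2c communities send their secret in clear text. The manager address 192.168.1.114 is from the recipe; the community name, passphrases, interface name port1 and the option names (FortiOS 5.0, as remembered) are assumptions.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.

config system snmp sysinfo
    set status enable
    set description "Office FortiGate"
    set contact-info "noc@example.com"
    set location "Server room"
end

# SNMPv2c community limited to the single manager host. A host entry of
# 0.0.0.0/0 on interface "any" would let every host that learns the string
# walk the MIB and read interface and session details.
config system snmp community
    edit 1
        set name "r0-monitoring-not-public"
        config hosts
            edit 1
                set ip 192.168.1.114 255.255.255.255
                set interface "port1"
            next
        end
        set query-v1-status disable
        set trap-v1-status disable
        set query-v2c-status enable
        set trap-v2c-status enable
        set events cpu-high mem-low intf-ip ha-switch
    next
end

# Preferred: SNMPv3 with authentication and privacy, so neither the
# credentials nor the polled data cross the network in clear text.
config system snmp user
    edit "noc-v3"
        set security-level auth-priv
        set auth-proto sha
        set auth-pwd "auth-passphrase-change-me"
        set priv-proto aes
        set priv-pwd "priv-passphrase-change-me"
        set queries enable
        set notify-hosts 192.168.1.114
        set events cpu-high mem-low intf-ip ha-switch
    next
end

# The interface the manager polls must allow SNMP.
config system interface
    edit "port1"
        set allowaccess ping https ssh snmp
    next
end
```

The intf-ip event is the one exercised in the Results below: changing the DMZ interface address should produce a trap at 192.168.1.114.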
Using FortiCloud to view log data and reports

[Network diagram: FortiCloud / Internet - WAN 1 172.20.120.123 - FortiGate - port 1 192.168.1.99 - Internal Network]
Once the account is created, you can launch the FortiCloud portal from the License Information widget.
Results
Go to System > Dashboard > Status. On the License Information widget, in the FortiCloud section, select Launch Portal. From the portal, you can see the log data and reports.
Using two ISPs for redundant Internet connections with distributed sessions
This example describes how to improve the reliability of a network's connection to the Internet by using two Internet connections. It also includes configuration of equal-cost multi-path (ECMP) load balancing to make efficient use of the two connections by distributing sessions across both, without allowing either one to become overloaded.
1. Configure connections to the two ISPs
2. Add security policies
3. Configure fail over detection and spillover load balancing
4. Results
[Network diagram: Internet - ISP 1 (WAN 1) and ISP 2 (WAN 2) - FortiGate - Internal Network]
Create a security policy for each ISP-facing interface, allowing traffic from the internal network out through that interface.
Step Three: Configure fail over detection and spillover load balancing
Go to Router > Static > Settings. Create two new Dead Gateway Detection entries.
Set the Ping Interval and Failover Threshold to a smaller value for a more immediate reaction to a connection going down.
Go to Router > Static > Settings and set the ECMP Load Balancing Method to Spillover. The Spillover Threshold is entered in kbps (kilobits per second), whereas interface bandwidth in the monitoring widgets is shown in kBps (kilobytes per second). For the wan1 interface, a Spillover Threshold of 100 kbps corresponds to 100 x 1024 = 102400 bps, which is 102400 / 8 = 12800 Bps.
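The three steps in the FortiOS CLI, as an added example that is not part of the cookbook. The ISP gateway addresses 172.20.120.2 and 10.20.30.2, the policy IDs and the interface name internal are assumptions; the spillover value is the 100 kbps from the calculation above; option names follow FortiOS 5.0 as remembered.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory;
# gateway addresses and policy IDs are assumptions.

# Step 1: two default routes with equal distance AND equal priority. Only
# routes that tie on both form an ECMP set; a higher distance on wan2 would
# make it a cold standby instead of a second active path.
config router static
    edit 1
        set device "wan1"
        set gateway 172.20.120.2
        set distance 10
        set priority 0
    next
    edit 2
        set device "wan2"
        set gateway 10.20.30.2
        set distance 10
        set priority 0
    next
end

# Step 2: one outbound policy per ISP interface (wan2 policy identical).
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Step 3: dead gateway detection (ping the gateway every 5 s, dead after 3
# misses, so a failed link drops out of the ECMP set) and usage-based ECMP,
# which is what the GUI calls Spillover.
config router gwdetect
    edit "wan1"
        set server 172.20.120.2
        set interval 5
        set failtime 3
    next
    edit "wan2"
        set server 10.20.30.2
        set interval 5
        set failtime 3
    next
end
config system settings
    set v4-ecmp-mode usage-based
end
config system interface
    edit "wan1"
        set spillover-threshold 100      # kbps; 12800 Bps as calculated above
    next
end
```

`get router info routing-table all` should list both default routes; when wan1's gateway stops answering, its route disappears from that table and everything flows via wan2, which is what the Results below expect.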
Results
Go to Log & Report > Traffic Log > Forward Traffic to see network traffic from different source IP addresses flowing through both wan1 and wan2.
Disconnect the wan1 port on the FortiGate unit and confirm that all traffic automatically flows through the wan2 port until wan1 is available again.
Protect a web server on the DMZ network

[Network diagram: Internet - FortiGate - LAN, with the web server on the DMZ Network]
Your FortiGate unit may have an interface named DMZ. Using the DMZ interface is recommended but not required.
Each virtual IP maps the same address on the public-facing interface to the same address on the DMZ interface. The difference is the port for each traffic type (port 80 for HTTP and port 443 for HTTPS).
Create a security policy to allow HTTP and HTTPS traffic from the internal network to the DMZ interface and web server. Adding this policy reduces traffic on the wan1 interface by allowing traffic to pass directly from the Internal interface to the DMZ interface, rather than from the Internal interface, to the wan1 interface, then back in through the wan1 interface to the DMZ interface.
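The virtual IPs and the two policies in the FortiOS CLI, as an added example that is not part of the cookbook. The addresses 172.20.120.22 and 10.10.10.22 are the ones used in the Results below; interface names wan1, dmz and internal, the object names, the policy IDs and the option names (FortiOS 5.0, as remembered) are assumptions.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.

# One port-forwarding VIP per service, both mapping the same public address
# to the same DMZ address. Port forwarding (rather than a bare 1:1 VIP)
# means only 80 and 443 are reachable even if a policy is later loosened.
config firewall vip
    edit "webserver-http"
        set extintf "wan1"
        set extip 172.20.120.22
        set mappedip 10.10.10.22
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
    edit "webserver-https"
        set extintf "wan1"
        set extip 172.20.120.22
        set mappedip 10.10.10.22
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Internal users reach the server by its real DMZ address.
config firewall address
    edit "webserver-real"
        set subnet 10.10.10.22 255.255.255.255
        set associated-interface "dmz"
    next
end

config firewall policy
    # Inbound from the Internet: destination is the VIP, service restricted
    # to HTTP/HTTPS, NAT off so the server logs the real client addresses.
    edit 10
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "webserver-http" "webserver-https"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable
        set logtraffic all
    next
    # Internal to DMZ directly, so that traffic never hairpins through wan1.
    edit 11
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "webserver-real"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable
        set logtraffic all
    next
end
```

Deliberately absent is any policy from dmz to internal: a compromised web server should not be able to open connections into the internal network, and FortiGate denies what no policy allows.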
Results
External users can access the web server on the DMZ network from the internet using http://172.20.120.22 and https://172.20.120.22. Internal users can access the web server using http://10.10.10.22 and https://10.10.10.22.
Go to Policy > Monitor > Policy Monitor. Use the policy monitor to verify that traffic from the Internet and from the internal network is allowed to access the web server. This verifies that the policies are configured correctly.
The traffic log should show sessions from the internal network and from the Internet accessing the web server on the DMZ network.
Adding a second FortiGate unit to improve reliability

[Network diagram: Internet - Switch - WAN 1 on both FortiGate units - Internal on both FortiGate units - Switch - Internal Network]
Step One: Add and connect the second FortiGate and configure HA
Go to System > Dashboard > Status. Change the host name of the primary FortiGate unit.
Go to System > Config > HA. Configure the HA settings for the primary FortiGate unit.
Go to System > Dashboard > Status. Change the host name of the backup FortiGate unit.
Go to System > Config > HA. Configure the HA settings for the backup FortiGate unit. Ensure that the Group Name and Password are the same as on the primary FortiGate unit.
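The HA settings for both units in the FortiOS CLI, as an added example that is not part of the cookbook. The host names, the group name, the shared password, the heartbeat interfaces port3 and port4 and the monitored interfaces are assumptions; option names follow FortiOS 5.0 as remembered.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.

# On the primary unit. The group name and password are what the two units
# use to authenticate each other's heartbeats, so treat the password as a
# secret and cable the heartbeat ports directly or on an isolated VLAN:
# anyone on the heartbeat segment with those values can join the cluster.
config system global
    set hostname "FGT-HA-primary"
end
config system ha
    set group-name "OfficeHA"
    set mode a-p
    set password "shared-ha-secret-change-me"
    set hbdev "port3" 50 "port4" 50
    set priority 200
    set override disable
    set session-pickup enable
    set monitor "wan1" "internal"
end

# On the backup unit: identical group-name, password, mode and hbdev; a
# lower priority so it stays subordinate while the primary is healthy.
config system global
    set hostname "FGT-HA-backup"
end
config system ha
    set group-name "OfficeHA"
    set mode a-p
    set password "shared-ha-secret-change-me"
    set hbdev "port3" 50 "port4" 50
    set priority 100
    set override disable
    set session-pickup enable
    set monitor "wan1" "internal"
end

# Confirm both units are in the cluster and which one is master.
get system ha status
diagnose sys ha status
```

Setting monitor on wan1 and internal makes a failed link on the primary count as a failure, so the backup takes over for a dead cable as well as for a dead unit, which is what the power-off test in the Results below exercises.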
Shut down the primary FortiGate unit, and see that traffic fails over to the backup FortiGate unit using a ping command.
When you upgrade the cluster firmware, it loads on the primary FortiGate unit and then on the backup unit. Go to Log & Report > Event Log > System to follow the upgrade.
Go to System > Dashboard > Status. Both FortiGate units have the new firmware installed.
Setting up an explicit proxy for users on a private network

1. Enable explicit web proxy on the internal interface
2. Configure the explicit web proxy for HTTP/HTTPS traffic
3. Add a security policy for proxy traffic
4. Results
[Network diagram: Internet - port 3 - FortiGate (explicit web proxy) - port 4 - Internal Network]
You may need to enable Explicit Proxy and WAN Opt. & Cache on the System Information widget before you proceed. Go to System > Dashboard > Status and select Enable for these options.
Step Two: Configure the explicit web proxy for HTTP/HTTPS traffic
Go to System > Network > Explicit Proxy and enable the http/https explicit web proxy.
Set the Default Firewall Policy Action to Deny. Later you will create a security policy for web proxy traffic with web caching enabled; with the default action set to Deny, nothing passes through the proxy until that policy exists.
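Steps 1 to 3 in the FortiOS CLI, as an added example that is not part of the cookbook. The interface names internal (port 4) and port3 follow the diagram, the proxy address 10.10.1.99 and policy ID 3 come from the Results below; the address object name and the option names, in particular the explicit-proxy-policy table, are FortiOS 5.0 as remembered and should be checked on your unit.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.

# Step 1: listen for proxy requests on the inside interface only.
config system interface
    edit "internal"
        set explicit-web-proxy enable
    next
end

# Step 2: enable the proxy and make "no matching policy" mean deny. With
# sec-default-action accept, any host that can reach port 8080 could relay
# through the FortiGate, so the deny default is the important line here.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set https-incoming-port 8080
    set sec-default-action deny
end

# Step 3: allow only the private network to use the proxy toward the WAN
# side, with caching and logging on.
config firewall address
    edit "internal_net"
        set subnet 10.10.1.0 255.255.255.0
        set associated-interface "internal"
    next
end
config firewall explicit-proxy-policy
    edit 3
        set proxy web
        set dstintf "port3"
        set srcaddr "internal_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set webcache enable
        set logtraffic all
    next
end
```

A quick test from a client is to point a browser at proxy 10.10.1.99:8080 from inside the 10.10.1.0/24 network (should work) and from any other address that can reach port 8080 (should be refused by the deny default).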
Results
Configure web browsers on the private network to use a proxy server. The HTTP proxy address is 10.10.1.99 (the IP address of the FortiGate internal interface) and the port is 8080 (the default explicit web proxy port). Browsers configured to use the proxy are able to connect to the Internet. Go to Policy > Policy > Policy to see the ID of the policy (3) that allows web proxy traffic. Explicit web proxy traffic is not counted against the regular firewall policies.
Using port pairing to simplify transparent mode

[Network diagram: Internet - Router - wan 1 - FortiGate - Internal 192.168.1.99/24; Management IP 192.168.1.100]
Step One: Switch the FortiGate unit to transparent mode and add a static route
Go to System > Dashboard > Status. In the System Information widget, select Change beside the Operation mode.
Log into the FortiGate unit using the management IP 192.168.1.100. Go to System > Network > Routing Table and set a static route.
Go to Policy > Policy > Policy. Create a security policy that allows internal users to access the web server using HTTP and HTTPS.
Go to Policy > Policy > Policy. Create a security policy that allows connections from the web server to the internal users network and to the internet using any service.
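The mode switch, management address, static route and port pair in the FortiOS CLI, as an added example that is not part of the cookbook. The management IP 192.168.1.100 is from the diagram; the upstream router address 192.168.1.1, the port pair name, the policy IDs and the option names (FortiOS 5.0, as remembered, including the port-pair table) are assumptions.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.

# Step 1: transparent mode with a management address. Switching modes
# discards NAT-mode interface addresses and routes, so do this from the
# console or from a session that will survive the address change.
config system settings
    set opmode transparent
    set manageip 192.168.1.100/24
end

# Default route for the unit's own management traffic (the router in the
# diagram is assumed to be 192.168.1.1).
config router static
    edit 1
        set gateway 192.168.1.1
        set device "wan1"
    next
end

# Port pair: frames entering "internal" can only leave via "wan1" and vice
# versa. No MAC learning decision is made across other interfaces, and
# policies only ever need these two interfaces as source and destination.
config system port-pair
    edit "internal-wan1"
        set member "internal" "wan1"
    next
end

# Policy between the paired interfaces; without a matching policy the
# bridged traffic is dropped, exactly as in NAT mode.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end
```

`get system status` reports "Operation Mode: Transparent" after the switch, and the sessions in the Results below should show internal as the source interface and wan1 as the destination.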
Results
Connect to the web server from the internal network and surf the Internet from the server itself. Go to Log & Report > Traffic Log > Forward Traffic to verify that there is traffic from the internal to wan 1 interface.
Go to Policy > Monitor > Policy Monitor to see the active sessions.
Adding packet capture to help troubleshooting

1. Create a packet capture filter
2. Start the packet capture
3. Stop the packet capture
4. Results
[Network diagram: Internal network - Internal 192.168.1.99/24 - FortiGate]
For this example, the FortiGate unit captures 100 HTTP packets on the internal interface to or from host 192.168.1.200. Host(s) can be a single IP address, multiple addresses separated by commas, an IP range or a subnet. Port(s) can be a single port, multiple ports separated by commas, or a range. Protocol can be a single protocol number, multiple numbers separated by commas, or a range. Use 6 for TCP, 17 for UDP and 1 for ICMP.
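The same capture from the CLI sniffer, as an added example that is not part of the cookbook. The interface name internal, the host 192.168.1.200 and the count of 100 are the values above; the filter syntax is the tcpdump-style syntax the sniffer accepts, the verbosity levels and the fgt2eth.pl conversion are as remembered from FortiOS 5.0 and Fortinet's support tooling.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.
# Form: diagnose sniffer packet <interface> '<filter>' <verbosity> <count>

# The GUI filter above (interface internal, host 192.168.1.200, port 80,
# protocol 6) expressed as a sniffer filter. Verbosity 4 prints headers
# plus the interface name; count 100 stops the capture automatically.
diagnose sniffer packet internal 'host 192.168.1.200 and tcp port 80' 4 100

# Verbosity 3 prints a hex dump that Fortinet's fgt2eth.pl converts to
# pcap (save the session output to capture.txt first):
#   fgt2eth.pl -in capture.txt -out capture.pcap
diagnose sniffer packet internal 'host 192.168.1.200 and tcp port 80' 3 100

# All interfaces, ICMP only, unlimited count (stop with Ctrl-C). Note
# that with 'any' each packet appears once per interface it crosses.
diagnose sniffer packet any 'icmp' 4 0

# Narrow by subnet and exclude the management traffic of the unit itself.
diagnose sniffer packet internal 'net 192.168.1.0/24 and not host 192.168.1.99' 4 50
```

The sniffer is a debugging tool on the data path: leave the count bounded on a busy interface, because an unbounded verbose capture adds CPU load to the unit you are troubleshooting.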
Results
Open the pcap file with a pcap file viewer such as tcpdump or Wireshark. Depending on the kind of traffic you need to capture, you may adjust the settings in the filter to meet your needs.
Go to Log & Report > Event Log > System to verify that the packet capture file was successfully downloaded.
Wireless Networking
FortiOS WiFi networking provides a wide range of capabilities for integrating wireless networks into your organization's network architecture. Each WiFi network, or SSID, is represented by a virtual network interface to which you apply security policies, UTM features, traffic shaping, and so on, in the same way as for physical wired networks. You can create multiple WiFi networks to serve different groups of users. For example, you might have one network for your employees and another for guests or customers. Also, with the increase in Bring Your Own Device (BYOD) use, that is, smartphones, tablets and other mobile devices that use WiFi technology, wireless networks are becoming busier than ever and have to be monitored and accommodated accordingly. A network that requires only one WiFi access point is easily created with a FortiWiFi unit operating as a single thick Access Point (AP). A thick AP such as a FortiWiFi unit contains the WiFi radio as well as access control and authentication functionality. A thin AP, such as a FortiAP unit, contains only the radio and a microcontroller that receives commands from and exchanges data with a WiFi controller. If you already have a FortiGate unit, adding a FortiAP unit as a thin AP managed by the FortiGate unit operating as a WiFi controller is a cost-effective way of adding WiFi to your network. The FortiOS WiFi controller feature is available on both FortiGate and FortiWiFi units. A FortiWiFi unit's WiFi controller also controls the unit's internal (Local WiFi) radio, treating it much like a built-in thin AP. Whenever multiple APs are required, a single FortiGate or FortiWiFi unit controlling multiple FortiAP units is best. A network of multiple thick APs would be more expensive and more complex to manage.
Providing remote users access to the internet and corporate network using FortiAP
In this example, users in a remote location such as a hotel, use FortiAP to securely connect to a corporate network and browse the Internet from behind the corporate firewall.
1. Configure the corporate SSID and security policies
2. Configure the FortiGate unit to connect and configure FortiAP
3. Authorize the remote FortiAP connection
4. Results
[Network diagram: remote FortiAP broadcasting WLAN_1 (Wireless Network) - Internet - FortiGate WAN 1 - Internal Network]
Go to Firewall Objects > Address > Address. Create addresses for the remote users and the corporate network.
Go to Policy > Policy > Policy and create two security policies. First, create a policy for remote wireless users to access the Internet.
Create a policy for remote wireless users to access the corporate network.
Step Two: Configure the FortiGate unit to connect, and configure FortiAP
Go to WiFi Controller > Managed Devices > Managed FortiAP. Right-click the FortiAP in the list and select Authorize.
With the FortiAP authorized with the FortiGate unit, you can use the FortiGate to configure the wireless settings for the FortiAP remotely.
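Steps 1 to 3 in the FortiOS CLI, as an added example that is not part of the cookbook. The SSID name RemoteWiFi and interface name WLAN_1 come from the Results below and wan1/internal from the diagram; the SSID subnet, passphrase, profile name, policy IDs and the option names (FortiOS 5.0 as remembered, in particular wtp-profile and dtls-policy) are assumptions, as is the FortiAP-side command for pointing the AP at the controller.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.

# Step 2: the AP sits behind a hotel NAT and must reach the controller over
# the Internet, so wan1 has to accept CAPWAP. Do not add https/ssh here.
config system interface
    edit "wan1"
        set allowaccess ping capwap
    next
end

# Step 1: corporate SSID in tunnel mode. Client frames travel from the AP to
# the FortiGate inside the CAPWAP tunnel; the WPA2 encryption ends at the AP.
config wireless-controller vap
    edit "WLAN_1"
        set ssid "RemoteWiFi"
        set security wpa2-only-personal
        set passphrase "corp-wifi-passphrase-change-me"
    next
end
config system interface
    edit "WLAN_1"
        set ip 10.10.50.1 255.255.255.0
    next
end

# Because the tunnel crosses an untrusted hotel network, encrypt the CAPWAP
# data channel too (only the control channel is DTLS by default). Whether
# dtls-policy is available depends on the release; check with '?'.
config wireless-controller wtp-profile
    edit "RemoteAP"
        set dtls-policy dtls-enabled
        config radio-1
            set vap-all disable
            set vaps "WLAN_1"
        end
    next
end

# Step 3: authorize the AP by serial number and bind the profile.
config wireless-controller wtp
    edit "<FortiAP-serial-number>"
        set admin enable
        set wtp-profile "RemoteAP"
    next
end

# Policies from the SSID interface: Internet (NAT) and corporate network.
config firewall policy
    edit 20
        set srcintf "WLAN_1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 21
        set srcintf "WLAN_1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# On the FortiAP itself (AP console, from memory), tell it where the
# controller is before shipping it to the remote user:
#   cfg -a AC_IPADDR_1=<public address of wan1>
#   cfg -c
```

The `<FortiAP-serial-number>` placeholder is the serial shown under WiFi Controller > Managed Devices > Managed FortiAP once the AP has connected; right-clicking and selecting Authorize sets the same `admin enable`.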
Results
The remote user connects the FortiAP to the network connection at the hotel. They then connect to the RemoteWiFi wireless network. They will be able to access the corporate network and surf the Internet securely.
Go to WiFi Controller > Monitor > Client Monitor to see remote wireless users connected to the FortiAP unit.
When the remote wireless user connects to the corporate network, traffic appears in the log messages. Go to Log & Report > Traffic Log > Forward Traffic.
Selecting an entry for the WLAN_1 interface and internal destination interface shows traffic using RDP to connect to the corporate network.
Selecting an entry for the WLAN_1 interface and wan1 destination interface shows internet traffic.
Setting up a FortiGate and FortiAP to provide wired and wireless Internet access
This example sets up FortiAP to connect to the Internet using the FortiGate unit. Wireless and wired users will be on the same subnet and thus can share network resources.
1. Configure the FortiGate WAN 1 and LAN ports
2. Create an internal address range and security policy
3. Set up a wireless network with the FortiAP
4. Results
[Network diagram: Internet - WAN 1 172.20.120.226 - FortiGate - LAN 192.168.1.99/24 - Internal network and FortiAP wireless network on the same subnet]
Configure the LAN interface to use a static IP with a DHCP server enabled.
Go to Policy > Policy > Policy. Create a security policy allowing users on the wired network to access the Internet.
Go to WiFi Controller > WiFi Network > SSID and create a new SSID. Ensure the Traffic Mode is set to Local bridge with FortiAP's Interface.
Go to WiFi Controller > WiFi Network > Custom AP Profile. Select Create New and select My_SSID for Radio 1 and Radio 2.
Go to WiFi Controller > Managed Access Points > Managed FortiAP. Edit the FortiAP and, in the Wireless Settings, select MyProfile for the AP Profile.
Results
Have the wifi users connect to My_SSID; they should be able to surf the Internet. The wireless devices are in the same subnet as the internal wired network. Go to WiFi Controller > Monitor > Client Monitor to see wifi users and their IP addresses. Go to Log & Report > Traffic Log > Forward Traffic and verify that wifi users are accessing the Internet through the same security policy as the wired network users.
Setting up guest wifi users with a captive portal

[Network diagram: Internet - FortiGate - Internal network and guest wifi via FortiAP on the DMZ interface]
Connect the FortiAP to the DMZ interface and go to WiFi Controller > Managed Access Points > Managed FortiAP to authorize the FortiAP.
Go to Firewall Objects > Address > Address. Create addresses for internal wired network and guest wifi users.
Go to Policy > Policy > Policy. Create a security policy allowing wifi guest users to access the internal network. Grant this only if your guests genuinely need internal resources; most guest networks allow Internet access only, and at minimum the services in this policy should be restricted to what guests need.
Create a security policy allowing wifi guest users to access the Internet.
Go to System > Admin > Administrators. Create a new admin account for the receptionist using the new limited profile.
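The guest user group, the captive-portal SSID, the guest-management administrator and the Internet policy in the FortiOS CLI, as an added example that is not part of the cookbook. The four-hour expiry is from the Results below; the group, SSID, profile and administrator names, the interface names and the option names (FortiOS 5.0 as remembered, in particular the guest-auth settings on the administrator) are assumptions.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.

# Guest group: IDs and passwords are generated by the FortiGate and accounts
# expire 4 hours (14400 s) after creation, matching the Results below.
config user group
    edit "wifi-guests"
        set group-type guest
        set user-id auto-generate
        set password auto-generate
        set expire-type immediately
        set expire 14400
    next
end

# Guest SSID: open radio, authentication happens at the captive portal and
# only members of the guest group can pass it.
config wireless-controller vap
    edit "WLAN_guest"
        set ssid "Guest"
        set security captive-portal
        set selected-usergroups "wifi-guests"
    next
end
config system interface
    edit "WLAN_guest"
        set ip 10.10.80.1 255.255.255.0
    next
end

# Receptionist: a profile with no feature access at all, plus guest
# management rights for the one guest group. This account cannot change
# policies even if its password leaks.
config system accprofile
    edit "guest_admin_only"
        set admingrp none
        set authgrp none
        set fwgrp none
        set loggrp none
        set mntgrp none
        set netgrp none
        set routegrp none
        set sysgrp none
        set updategrp none
        set utmgrp none
        set vpngrp none
        set wanoptgrp none
        set wifi none
    next
end
config system admin
    edit "reception"
        set accprofile "guest_admin_only"
        set password "reception-passphrase-change-me"
        set guest-auth enable
        set guest-usergroups "wifi-guests"
    next
end

# Guests to the Internet only; the internal-network policy from the recipe
# is deliberately left out here.
config firewall policy
    edit 30
        set srcintf "WLAN_guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

If your release lacks the guest-auth settings on `config system admin`, create the receptionist through System > Admin > Administrators as in the step above and keep the rest of the configuration as shown.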
Results
When a guest requires access to the wireless network, the receptionist logs in to the FortiGate unit with the new account, goes to User & Device > User > Guest Management, and creates a new user ID.
The FortiGate unit generates a password for the user. This password is only valid for four hours.
Once this information is provided to the guest user, they can log in through the captive portal on the authentication page.
To verify that the guest user logged in successfully, go to WiFi Controller > Monitor > Client Monitor.
Once authenticated, guest users can surf the Internet and can also access resources on the internal wired network. Go to Policy > Monitor > Policy Monitor and verify the active sessions.
1. Add BYODs to the FortiGate unit
2. Add schedules for time allowed for use of a BYOD
3. Add a device identity security policy
4. Results
[Network diagram: Internet - wan 1 - FortiWiFi - wifi with internal wireless mobile devices and internal network]
Alternatively, go to System > Network > Interface and, for the wireless interface, select Detect and Identify Devices. Devices not yet added may appear in the list. Double-click an entry and enter an Alias to add it.
The BYOD information may not initially fill in on the table until the user connects with their device. Select Refresh if needed.
Step Two: Add schedules for time allowed for use of a BYOD
Go to Firewall Objects > Schedule > Recurring.
The schedule, when included with a security policy, will allow users to access the Internet with their personal wireless devices over lunch time hours. This schedule can also be used in other security policies as well as this application.
Create a new authentication rule that includes the wireless devices and the new schedule.
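The three steps in the FortiOS CLI, as an added example that is not part of the cookbook. The device aliases and MAC addresses, the 12:00-13:00 lunch window, the interface name wifi from the diagram and the option names (FortiOS 5.0 as remembered, in particular identity-from device and the identity-based-policy sub-table) are assumptions.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.

# Step 1: known personal devices. Identification is by MAC address, which a
# user can change, so this controls convenience, not a hostile device.
config user device
    edit "alice-tablet"
        set alias "Alice's tablet"
        set mac 00:11:22:33:44:55
    next
    edit "bob-phone"
        set alias "Bob's phone"
        set mac 66:77:88:99:aa:bb
    next
end

# Step 2: the lunch-hour schedule, reusable in any other policy.
config firewall schedule recurring
    edit "lunch"
        set day monday tuesday wednesday thursday friday
        set start 12:00
        set end 13:00
    next
end

# Step 3: device identity policy; the rule matches the listed devices only
# during the schedule. Outside it the rule does not match and, with no other
# accepting policy, the traffic is silently dropped (hence no log entries).
config firewall policy
    edit 5
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set identity-based enable
        set identity-from device
        set nat enable
        set logtraffic all
        config identity-based-policy
            edit 1
                set schedule "lunch"
                set devices "alice-tablet" "bob-phone"
                set service "HTTP" "HTTPS" "DNS"
            next
        end
    next
end
```

`diagnose user device list` shows what the unit has learned about connected devices, which is the quickest way to confirm a MAC is being matched to the alias you configured.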
Results
Go to Log & Report > Traffic Log > Forward Traffic. When a mobile user connects during the lunch break, they can surf the Internet, as shown in the logs.
When the time in the schedule is reached, further surfing cannot continue. This does not appear in the logs, as only allowed traffic is logged. Evidence that the schedule and policy are working appears when attempting to connect to a web site, and possibly a few questions from the BYOD users.
1. Configure the FortiAP and SSIDs
2. Add addresses for the wireless networks and printer
3. Add service objects for printing
4. Add multicast security policies
5. Add inter-subnet security policies
6. Results
[Network diagram: FortiAP broadcasting SSID 2 (WLAN 2) 20.20.20.1/24 - FortiGate - LAN 192.168.1.99/24]
Connect FortiAP to the DMZ interface. Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.
Go to WiFi Controller > WiFi Network > SSID. Create an SSID for the network for wireless users.
Step Two: Add addresses for the wireless networks and printer
Go to Firewall Objects > Address > Address. Create addresses for the SSID 1, SSID 2 and AirPrint printer.
Create two policies to allow multicast traffic from the LAN and WLAN 2 for OS X computers.
Results
Print a document from an iOS device. Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit.
Go to Log & Report > Traffic Log > Forward Traffic and verify the entry with the IPP service.
Print a document from an OS X computer. Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit.
Go to Log & Report > Traffic Log > Forward Traffic and filter the destination interface for WLAN 2 traffic.
1. Configure the FortiAP and SSIDs
2. Add addresses for the wireless network
3. Add service objects for multicasting
4. Add multicast security policies
5. Add inter-subnet security policies
6. Results
[Network diagram: Internal network with OS X computer and Apple TV - FortiGate LAN 192.168.1.99/24 - DMZ 10.10.100.1/24 - FortiAP broadcasting SSID1 (WLAN 1) 10.10.10.1/24]
Connect FortiAP to the DMZ interface. Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.
Go to WiFi Controller > WiFi Network > SSID. Create an SSID for the network for wireless users.
Go to Firewall Objects > Address > Address. Create addresses for SSID 1.
Go to Policy > Policy > Multicast Policy. Create a policy to allow multicast traffic from the WLAN 1 and LAN for iOS devices to AppleTV.
Create policy allowing traffic from the iOS device to the Apple TV.
Results
Use AirPlay from the iPad to stream video to the Apple TV. Go to Log & Report > Traffic Log > Multicast Traffic to see the multicast traffic between the WLAN 1 and LAN interfaces. Select an entry for more information.
Go to Log & Report > Traffic Log > Forward Traffic and filter on policy IDs 6 and 7, which allow the AirPlay traffic.
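Both the AirPrint recipe above (steps 2 to 5, LAN and WLAN 2) and this AirPlay recipe rely on the same pattern: a multicast policy pair that lets Bonjour service discovery (mDNS, UDP 5353 to 224.0.0.251) cross between the subnets, plus ordinary unicast policies for the service itself. As an added example that is not part of the cookbook, here is that pattern in the FortiOS CLI for the AirPrint case; the AirPlay case is the same with WLAN 1, the Apple TV address and the AirPlay ports substituted. Interface names lan and WLAN_2, the printer address, the object names and policy IDs are assumptions; mDNS on UDP 5353 and IPP on TCP 631 are the standard ports; option names follow FortiOS 5.0 as remembered.

```text
# Added example, not cookbook content. FortiOS 5.0 CLI from memory.

# Service objects: mDNS for discovery, IPP for the print job itself.
config firewall service custom
    edit "mDNS"
        set protocol TCP/UDP/SCTP
        set udp-portrange 5353
    next
    edit "IPP"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 631
    next
end

# Restrict the multicast policies to the mDNS group rather than "all", so
# the subnets exchange only Bonjour announcements, not arbitrary multicast.
config firewall multicast-address
    edit "mDNS-group"
        set type multicastrange
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
end

# Address objects for the inter-subnet policy.
config firewall address
    edit "wlan2_net"
        set subnet 20.20.20.0 255.255.255.0
        set associated-interface "WLAN_2"
    next
    edit "airprint_printer"
        set subnet 192.168.1.60 255.255.255.255
        set associated-interface "lan"
    next
end

# Multicast policies, one per direction, limited to the mDNS group.
config firewall multicast-policy
    edit 1
        set srcintf "lan"
        set dstintf "WLAN_2"
        set srcaddr "all"
        set dstaddr "mDNS-group"
        set action accept
    next
    edit 2
        set srcintf "WLAN_2"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "mDNS-group"
        set action accept
    next
end

# Unicast policy: wireless clients may talk IPP to the printer and nothing
# else on the LAN. No NAT, so the printer sees the real client address.
config firewall policy
    edit 6
        set srcintf "WLAN_2"
        set dstintf "lan"
        set srcaddr "wlan2_net"
        set dstaddr "airprint_printer"
        set action accept
        set schedule "always"
        set service "IPP"
        set logtraffic all
    next
end
```

The multicast policies are what make the printer (or Apple TV) appear on the iOS device; the unicast policy is what lets the job (or stream) actually flow, which is why the Results of both recipes check the Multicast Traffic log and the Forward Traffic log separately.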
1. Create three virtual IPs
2. Add the virtual IPs to a group
3. Create a security policy to allow inbound traffic to the server
4. Results
[Network diagram: Internet - WAN 1 172.20.120.226 - FortiGate - LAN 192.168.1.99/24 - Server 192.168.1.200. Open TCP ports 7882-7999 and UDP ports 2119 and 2995 for traffic from the Internet to the server.]
Step Three: Create a security policy to allow inbound traffic to the server
Go to Policy > Policy > Policy. Create a security policy allowing inbound connections to the server from the Internet.
Results
Go to Policy > Monitor > Policy Monitor to see the active sessions.
Go to Log & Report > Traffic Log > Forward Traffic to see the logged activity.
UTM Profiles
UTM profiles, including antivirus, web filtering, application control, intrusion protection (IPS), email filtering, and data leak prevention (DLP), apply core UTM security functions to traffic accepted by security policies. The FortiGate unit includes default UTM profiles for all of these security features. You can apply UTM features to traffic accepted by a security policy by selecting the default profiles for the UTM features that you want to apply. The default profiles are designed to provide basic protection. You can modify the default profiles, and group them, for your needs, or create new ones. Creating multiple profiles means you can apply different levels of protection to different traffic types according to the security policies that accept the traffic. Endpoint control profiles are created to ensure that workstation computers, also known as endpoints, on your network meet the network's security requirements; otherwise, they are not permitted access. Enhanced by Fortinet's FortiClient Endpoint Security software, FortiGate endpoint control can block or control access through the FortiGate unit for workstation computers depending on the security functions enabled on the computers and the applications running on them. After creating endpoint control profiles, you can add endpoint security profiles to security policies. The final UTM profile feature, vulnerability scanning, is independent of security policies. By using vulnerability scanning, you can scan computers on your network for multiple vulnerabilities and take action to remove those vulnerabilities.
106
Visualizing and controlling the applications on your network using application control
This example sets up application monitors in security policies to determine which applications are contributing to high bandwidth usage on the network or distracting employees, and then blocks access for those applications.
1. Add an application control sensor
2. Add a security policy to use the application control sensor
3. Review the data from the application control monitor
4. Block high bandwidth applications
5. Add a security policy to use the block application control sensor
6. Results
[Network diagram: Internet - Internal Network]
Select Create New to add a new application filter. Ensure you set the Action to Monitor. At this stage in the process, you want to watch the application traffic to determine where problems, if any, are occurring.
Step Two: Add a security policy to use the application control sensor
Go to Policy > Policy > Policy. Edit the security policy allowing internal users to access the Internet and apply the application control sensor in the UTM Security Profiles section.
Step Three: Review the data from the application control monitor
Go to UTM > Monitor > Application Monitor.
Select each blue bar to see further details on the usage statistics.
Go to Log & Report > Traffic Log > Forward Traffic. You can see the sensor is working and picking up on various application traffic.
Select Create New to add a new application filter. Select the options for streaming media, instant messaging clients, social media and peer-to-peer file sharing. Ensure you set the Action to Block.
Step Five: Add a security policy to use the block application control sensor
Go to Policy > Policy > Policy. Edit the security policy allowing internal users to access the Internet and apply the block application control sensor in the UTM Security Profiles section.
Results
Go to Log & Report > Traffic Log > Forward Traffic. You can see the sensor is working and blocking the selected application traffic.
1. Configure users and user groups
2. Configure rating overrides and web filter profiles
3. Edit the security profile to include the web filter UTM profile
4. Results
Go to User & Device > User > User Group and add users to a group.
Go to UTM Security Profiles > Web Filter > Profile. Create a web filter profile to allow the Web News, Streaming Media and Download categories.
Create a new profile to block the Web News category, as well as the Streaming Media and Download categories. Select the blue arrow to expand the Advanced Filter section. Enable Allow Blocked Override and assign it to the Overrided_URLs profile.
Step Three: Edit the security profile to include the web filter UTM profile
Go to Policy > Policy > Policy. Edit the policy allowing outbound traffic from the internal network and add the web filter profile.
Results
In a web browser, go to cnn.com. The FortiGate unit blocks the web site with an override option.
Once successfully authenticated, you are guaranteed access for 15 minutes from your IP address only. This access will be for all allowed categories according to the Overrided_URLs web filter profile. Go to Log & Report > Traffic Log > Forward Traffic and filter the destination to the IP address of cnn.com (157.166.255.19).
Protecting a web server from vulnerabilities and DoS attacks using IPS
This example uses IPS to protect a web server by placing the web server on the internal network with a virtual IP, and creating a security policy that allows web access from the Internet to the server. IPS is added to the policy to protect the server from attacks.
1. Configure IPS to detect and protect against common attacks
2. Add a security profile that includes the IPS UTM profile
3. Add a DoS security policy using IPS
4. Results
[Network diagram: Internal network]
Step One: Configure IPS to detect and protect against common attacks
Go to UTM Security Profiles > Intrusion Protection > IPS Sensor. Create a new sensor.
Step Two: Add a security profile that includes the IPS UTM profile
Go to Policy > Policy > Policy. Edit the security policy allowing traffic to the web server from the Internet and add the new IPS sensor.
Results
Perform a DoS tcp_syn_flood attack against the web server IP address. TCP SYN sessions should be blocked once the threshold of 20 is reached. Note: Ensure you have the correct IP address of your web server. Otherwise you may unwillingly cause a DoS attack on another server!
Go to Log & Report > UTM Security Log > Intrusion Protection.
1. Create a DLP file matching pattern filter
2. Set up a DLP sensor with sensor criteria
3. Create an address range for the internal network
4. Add a security profile that includes the DLP sensor
5. Results
[Network diagram: Internet - WAN 1 - FortiGate]
Select Create New to add a filter to look for the file patterns.
Select Create New to add a filter to look for credit card number patterns.
Select Create New to add a filter to look for a corporate identifier, or watermark, in outgoing files.
Step Four: Add a security profile that includes the DLP sensor
Go to Policy > Policy > Policy. Create a security policy and enable the DLP sensor using the filters created.
Results
Upload a file containing a credit card number to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network. Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.
Upload a watermarked file to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network. Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.
Upload an exe file to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network. Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.
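The checks the three results above exercise, written out as an added Python example (not part of the cookbook or of FortiOS): a file-pattern filter on the file name and header, a watermark filter on a corporate identifier, and a credit-card filter that pairs a digit pattern with a Luhn check so that an arbitrary 16-digit number does not trigger it. The watermark string and the sample files are constructed.

```python
import re
from pathlib import PurePosixPath
from typing import List

# Constructed corporate watermark; the cookbook does not show the real identifier.
CORPORATE_WATERMARK = "ACME-INTERNAL-WATERMARK"
# File name patterns the file-pattern filter blocks (the cookbook blocks .exe).
BLOCKED_SUFFIXES = {".exe"}
# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not adjacent to further digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_credit_cards(text: str) -> List[str]:
    """Candidate card numbers that also pass Luhn, with separators removed."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def matched_filters(filename: str, data: bytes) -> List[str]:
    """Names of the DLP filters an outgoing file would trigger (empty = allowed)."""
    matches = []
    # File-pattern filter: match on the extension, plus a file-type check on the
    # PE 'MZ' header so that a renamed executable is still caught.
    if PurePosixPath(filename).suffix.lower() in BLOCKED_SUFFIXES or data[:2] == b"MZ":
        matches.append("file-pattern")
    text = data.decode("utf-8", errors="ignore")
    if CORPORATE_WATERMARK in text:
        matches.append("watermark")
    if find_credit_cards(text):
        matches.append("credit-card")
    return matches
```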
[Network diagram: Internet - Internal Network]
Go to Policy > Policy > Policy. In the UTM Security Profiles section, enable the web filter profile. You can use the default profiles for data gathering purposes.
Results
Allow traffic to pass through the FortiGate unit for a day. Then go to User & Device > Client Reputation > Reputation Score to view the results. Each user by device that met the threshold set appears in the chart. With this information, you can see where potential problems may occur or potential security breaches are imminent.
Client reputation only highlights risky activity. It does not include tools to stop the behavior. Rather, client reputation is a tool that exposes risky behavior. When you uncover risky behavior that you are concerned about, you can take additional action to stop it. That action could include adding more restrictive security policies to block the activity or increasing UTM protection. You can also take other measures outside your FortiGate unit to stop the activity.
1. Enable flow-based antivirus
2. Enable flow-based web filtering
3. Add a firewall policy to include the new UTM security profiles
4. Results
[Network diagram: Internal Network - Internal - FortiGate - WAN 1 - Internet (viruses)]
Step Three: Add a firewall policy to include the new UTM security profiles
Go to Policy > Policy > Policy. Edit the policy allowing users to access the Internet and apply the flow-based profiles.
Results
To test the AV scanning, from a PC in the internal network, go to http://www.eicar.org and try to download a test file. The browser will time out and display a message similar to what is shown here from Google Chrome.
Go to Log & Report > Traffic Log > Forward Traffic to see the UTM profile is activated when attempting to download the file.
To test the web filtering, from a PC in the internal network, go to google.com. The FortiGate unit displays a block message.
Select the blue bar in the chart to see further details by user.
1. Set up a DLP sensor with a file matching pattern filter
2. Add a security profile that includes the DLP sensor
3. Results
[Network diagram: Internal network - LAN - FortiGate - WAN 1 - Internet (viruses/spyware)]
Step One: Set up a DLP sensor with a file matching pattern filter
Go to UTM Security Profiles > Data Leak Prevention > Sensor. Create a new sensor. To this sensor you will add the filters the FortiGate unit uses to check incoming files.
Select Create New to add a filter to look for a file size threshold.
Step Two: Add a security profile that includes the DLP sensor
Go to Policy > Policy > Policy. Create a security policy and enable the DLP sensor using the filters created.
Results
Any attempt to download a file larger than 10 MB is blocked. The FortiGate unit displays a replacement message explaining why the attempt failed.
Go to Log & Report > Traffic Log > Forward Traffic. Select an entry to see information on the blocked file.
1. Create a new web filter block list
2. Add the block list to a web filter profile
3. Add a security profile that includes the web filter UTM profile
4. Results
[Network diagram: Internet (blocked site) - WAN 1 - FortiGate - LAN]
Select Create New to enter a list of URLs you want to prevent users from accessing. Using the asterisk (*) as a wildcard in the URL ensures that any sub-domain of the site is also blocked.
Step Three: Add a security profile that includes the web filter UTM profile
Go to Policy > Policy > Policy. Edit the policy allowing outbound traffic from the internal network to include UTM security profiles and select the new profile.
Results
In a web browser, attempt to visit fortinet.com and docs.fortinet.com. In both cases, the FortiGate unit displays a message.
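To see what the wildcard entry actually matches, here is an added Python example (not part of the cookbook or of FortiOS) that evaluates a small constructed block list against URLs. It assumes the semantics described above: an asterisk matches any run of characters, a pattern without a slash is compared against the host name, and a pattern with a slash against host plus path.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Constructed block-list entries in the asterisk-wildcard style the cookbook
# describes; the cookbook's own list is not reproduced here.
BLOCK_LIST = ["*fortinet.com", "*.example.net/private*"]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an asterisk wildcard into an anchored, case-insensitive regex."""
    escaped = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(rf"^{escaped}$", re.IGNORECASE)


def is_blocked(url: str, block_list: List[str] = BLOCK_LIST) -> bool:
    """True if any block-list pattern matches the URL.

    Assumed matching rule: a pattern containing '/' is compared against
    host plus path, any other pattern against the host name alone.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    host_and_path = host + (parts.path or "/")
    for pattern in block_list:
        target = host_and_path if "/" in pattern else host
        if wildcard_to_regex(pattern).match(target):
            return True
    return False
```

Note that `*fortinet.com` also matches an unrelated host such as notfortinet.com, while `*.fortinet.com` would not match the bare fortinet.com at all, which is why the two test URLs above, fortinet.com and docs.fortinet.com, are both worth checking after any change to the list.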
[Diagram: YouTube, Facebook]
In the Licence Information widget, verify that the FortiGate unit is connected to the FortiGuard servers. A green check mark should appear next to the services you are subscribed to.
Results
In a web browser, go to https://youtube.com. The web page is blocked and a FortiGate replacement message is put up in its place.
Go to System > Admin > Settings. Enable UTM Monitoring in the Display Options on GUI area.
If you chose DNS block or redirect, when you visit https://youtube.com, the browser will time out. FortiGuard will not display a message.
Protecting traffic between company headquarters and branch offices using IPsec VPN
This example uses a gateway-to-gateway IPsec VPN, and assumes that both offices have connections to the Internet with static IP addresses. This configuration uses a policy-based IPsec VPN.
1. Configure the HQ IPsec VPN Phase 1 and Phase 2 settings
2. Add HQ addresses for the local and remote LAN on the HQ FortiGate unit
3. Create an HQ IPsec security policy
4. Configure the Branch IPsec VPN Phase 1 and Phase 2 settings
5. Add Branch addresses for the local and remote LAN on the HQ FortiGate unit
6. Create a Branch IPsec security policy
7. Results
[Network diagram: HQ FortiGate (wan1 172.20.120.123, port1 192.168.1.99/24) - IPsec over the Internet - Branch FortiGate (port3 172.20.120.141, port4 10.10.1.99/24)]
Step One: Configure the HQ IPsec VPN Phase 1 and Phase 2 settings
Go to VPN > IPsec > Auto Key (IKE). Select Create New Phase 1.
Go to VPN > IPsec > Auto Key (IKE). Select Create New Phase 2.
Step Two: Add HQ addresses for the local and remote LAN on the HQ FortiGate unit
Go to Firewall Objects > Address > Address. Create a local address and a remote LAN address.
Step Four: Configure the Branch IPsec VPN Phase 1 and Phase 2 settings
Go to VPN > IPsec > Auto Key (IKE). Select Create New Phase 1.
Go to VPN > IPsec > Auto Key (IKE). Select Create New Phase 2.
Step Five: Add Branch addresses for the local and remote LAN on the HQ FortiGate unit
Go to Firewall Objects > Address > Address. Create a local address and a remote LAN address.
Results
Go to VPN > Monitor > IPSec Monitor to verify the status of the VPN tunnel. It should be up.
A user on either of the office networks should be able to connect to any address on the other office network transparently. For example, from a PC on the Branch office with IP address 10.10.1.100 you should be able to ping a device on the Headquarters network with the IP address 192.168.1.114 and vice versa.
From the Headquarters FortiGate unit go to Log & Report > Traffic Log > Forward Traffic.
From the Branch FortiGate unit go to Log & Report > Traffic Log > Forward Traffic.
Providing remote users with access to a corporate network and Internet using SSL VPN
This example sets up remote users to connect to the corporate network using SSL VPN, and to use the FortiGate UTM features for surfing the Internet. During the connecting phase, the FortiGate unit will also verify that the remote users' antivirus software is installed and current.
1. Create an SSL VPN tunnel for remote users
2. Create user definitions and add them to a group
3. Add an address for the local network
4. Add security profiles for access to the Internet and internal network
5. Set the FortiGate unit to verify users have current antivirus software
6. Results
[Network diagram: Internet - WAN 1 172.20.120.123 - FortiGate (sslroot browsing) - Port 1 192.168.1.99/24 - Internal Network]
The full-access portal allows the use of tunnel mode and/or web mode. In this scenario we are using both modes.
Leave Enable Split Tunneling disabled so that all Internet traffic goes through the FortiGate unit and is subject to the corporate UTM profiles.
Select Create New in the Include Bookmarks area to add a bookmark for a remote desktop link/connection.
Go to User & Device > User > User Group. Add the user to a user group for SSL VPN connections.
Step Four: Add security profiles for access to the Internet and internal network
Go to Policy > Policy > Policy. Add a security policy allowing access to the internal network.
Add a security policy allowing access to the Internet. For this policy, the Incoming Interface is the SSL VPN tunnel interface and the Outgoing Interface is wan1. This way, remote SSL VPN users access the Internet through the FortiGate unit.
Step Five: Set the FortiGate unit to verify users have current antivirus software
Go to System > Status > Dashboard. In the CLI Console widget, enter the commands on the right to enable the host check for compliant antivirus software on the remote user's computer.
Results
Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Web Application description indicates that the user is using web mode.
Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.
Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Tunnel description indicates that the user is using tunnel mode.
Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.
Go to Log & Report > Traffic Log > Forward Traffic. Internet access occurs simultaneously through the FortiGate unit.
Securing remote access to the office network using FortiClient IPsec VPN
This example sets up a remote user and user group to provide protected access to the corporate network. The remote users use the FortiClient Endpoint Protection software to connect to the VPN tunnel. This example sets up the user to access the internal network as well as the Internet through the FortiGate unit, to provide a secure surfing experience using the FortiGate UTM features.
1. Create a new FortiClient user and add to a user group
2. Create an IPsec FortiClient VPN tunnel
3. Add addresses for the local LAN and remote FortiClient users
4. Create security policies for access to the internal network and Internet
5. Results
[Network diagram: Internet - FortiGate 192.168.1.99/24 - Internal Network]
Step One: Create a new FortiClient user and add to a user group
Go to User & Device > User > User Definition. Create a new user.
Go to User & Device > User > User Group. Create a user group for FortiClient users and add user twhite.
Step Three: Add addresses for the local LAN and remote FortiClient users
Go to Firewall Objects > Address > Address.
Step Four: Create security policies for access to the internal network and Internet
Go to Policy > Policy > Policy. Create a security policy allowing remote FortiClient users to access the internal network.
Go to Policy > Policy > Policy. Create a security policy allowing remote FortiClient users to access the Internet securely through the FortiGate unit.
Results
Launch FortiClient, go to Remote Access and add a new connection.
On the FortiGate unit, go to VPN > Monitor > IPsec Monitor to see the status of the tunnel.
Verify the IP address assigned to the remote user by the FortiGate unit, which is 10.10.1.100. All hosts in the internal network should be accessible over the FortiClient VPN. To test this, ping an internal server set to IP 192.168.1.114 and log on to it using RDP.
Go to Log & Report > Traffic Log > Forward Traffic and filter by the policy ID controlling the FortiClient VPN traffic.
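The same filtering the GUI does here (by policy ID) and in the web filter override results earlier (by destination IP), applied to exported log lines, as an added Python example that is not part of the cookbook or of FortiOS. The sample entries are constructed in the key=value syntax of FortiGate traffic logs; they reuse the lab addresses from this document, but the policy IDs, ports and interface names are made up.

```python
import re
from typing import Dict, List

# Constructed sample entries in the key=value syntax of FortiGate traffic logs.
# Addresses follow the cookbook's lab (cnn.com 157.166.255.19, the FortiClient
# user at 10.10.1.100, the internal server 192.168.1.114); policy IDs, ports and
# interface names are invented.
SAMPLE_FORWARD_TRAFFIC_LOG = """\
date=2013-05-15 time=10:02:11 type=traffic subtype=forward vd=root srcip=192.168.1.110 srcintf="port1" dstip=157.166.255.19 dstport=80 dstintf="wan1" policyid=1 service=HTTP action=accept utmaction=block
date=2013-05-15 time=10:02:15 type=traffic subtype=forward vd=root srcip=192.168.1.110 srcintf="port1" dstip=157.166.255.19 dstport=80 dstintf="wan1" policyid=1 service=HTTP action=accept utmaction=allow
date=2013-05-15 time=10:03:02 type=traffic subtype=forward vd=root srcip=10.10.1.100 srcintf="FortiClient" dstip=192.168.1.114 dstport=3389 dstintf="port1" policyid=5 service=RDP action=accept
date=2013-05-15 time=10:03:40 type=traffic subtype=forward vd=root srcip=10.10.1.100 srcintf="FortiClient" dstip=172.20.120.5 dstport=443 dstintf="wan1" policyid=6 service=HTTPS action=accept
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one log line into a field dictionary, stripping value quotes."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of an exported log."""
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def filter_entries(entries: List[Dict[str, str]], **criteria) -> List[Dict[str, str]]:
    """Keep entries whose fields equal every given criterion, like the GUI filter."""
    wanted = {key: str(value) for key, value in criteria.items()}
    return [e for e in entries if all(e.get(k) == v for k, v in wanted.items())]


def sessions_by_policy(entries: List[Dict[str, str]]) -> Dict[str, int]:
    """Count logged sessions per policy ID, to spot which policy carries the traffic."""
    counts: Dict[str, int] = {}
    for entry in entries:
        policy = entry.get("policyid", "?")
        counts[policy] = counts.get(policy, 0) + 1
    return counts
```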
Securing remote access to the office network for an iOS device over IPsec VPN
This example sets up a remote user and user group to provide protected access to the corporate network. The remote users use their iPad to connect to the VPN tunnel. This example sets up the user to access the internal network as well as access the Internet through the FortiGate unit, to provide a secure surfing experience using the FortiGate UTM features. This example uses an iPad 2 running iOS 6.1.2. Menu options may vary for different iOS versions and devices.
1. Create a new user and add to a user group
2. Add addresses for the local LAN and remote users
3. Configure the IPsec VPN Phase 1 and Phase 2 settings
4. Create security policies for access to the internal network and Internet
5. Results
[Network diagram: IPsec - Internal Network]
Go to User & Device > User > User Group. Create a user group for iOS users and add user twhite.
Step Two: Add addresses for the local LAN and remote users
Go to Firewall Objects > Address > Address.
Step Three: Configure the IPsec VPN Phase 1 and Phase 2 settings
Go to VPN > IPSec > Auto Key (IKE). Select Create Phase 1.
For the Mode, select Main. In the Advanced section select Enable IPsec Interface Mode and select 2 for the DH Group. Enable XAUTH and select the user group ios_group.
Go to VPN > IPSec > Auto Key (IKE). Select Create Phase 2.
Once you complete the tunnel configuration, go to System > Dashboard > Status and enter the commands here in the CLI widget.
Step Four: Create security policies for access to the internal network and Internet
Go to Policy > Policy > Policy. Create a security policy allowing remote iOS users to access the internal network.
Go to Policy > Policy > Policy. Create a security policy allowing remote iOS users to access the Internet securely through the FortiGate unit.
Results
On the iPad, go to Settings > General > VPN and select Add VPN Configuration.
On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and see the status of the tunnel.
Hosts on the internal network will be accessible from the iPad. Go to Log & Report > Traffic Log > Forward Traffic to see the traffic.
Remote iOS users can also access the Internet securely via the FortiGate unit. Go to Log & Report > Traffic Log > Forward Traffic to see the traffic.
Redundant OSPF routing between two remote networks over IPsec VPN
This example sets up secure communication between two remote networks using redundant OSPF routes.
1. Create redundant IPsec tunnels on FortiGate 1
2. Create IP addresses for the IPsec interfaces on FortiGate 1
3. Configure OSPF on FortiGate 1
4. Configure firewall addresses on FortiGate 1
5. Configure security policies on FortiGate 1
6. Create redundant IPsec tunnels for FortiGate 2
7. Create IP addresses for the IPsec interfaces on FortiGate 2
8. Configure OSPF on FortiGate 2
9. Configure firewall addresses on FortiGate 2
10. Configure security policies on FortiGate 2
11. Results
[Network diagram: OSPF network - FortiGate 1 - IPsec / IPsec (two tunnels) over the Internet - FortiGate 2 - OSPF network]
Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1 and create the secondary tunnel. Select Advanced and select Enable IPSec Interface Mode.
Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface.
Select Create New in the Area section. Add the backbone area of 0.0.0.0.
Select Create New in the Networks section. Create the networks and select Area 0.0.0.0 for each one.
Select Create New in the Interfaces section. Create primary and secondary tunnel interfaces. Set the Cost to 10 for the primary interface and 100 for the secondary interface.
Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1 and create the secondary tunnel. Select Advanced and select Enable IPSec Interface Mode.
Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface.
Select Create New in the Area section. Add the backbone area of 0.0.0.0.
Select Create New in the Networks section. Create the networks and select Area 0.0.0.0 for each one.
Select Create New in the Interfaces section. Create primary and secondary tunnel interfaces. Set the Cost to 10 for the primary interface and 100 for the secondary interface.
Results
Verify the primary and secondary IPsec VPN tunnel status on FortiGate 1 and FortiGate 2. Tunnels on both FortiGates should be UP. Go to VPN > Monitor > IPsec Monitor to verify the status.
Verify the routing table on FortiGate 1 and FortiGate 2. The primary OSPF route (the one with cost 10) appears on both FortiGates. Go to Router > Monitor > Routing Monitor. Type OSPF for the Type and select Apply Filter to verify the OSPF route.
Verify that traffic flows via the primary tunnel. From PC1, set to IP 10.20.1.100 behind FortiGate 1, run a tracert to PC2, set to IP 10.21.1.100 behind FortiGate 2, and vice versa. From PC1, you should see the traffic go through 10.1.1.2, which is the primary tunnel interface IP set on FortiGate 2. From PC2, you should see the traffic go through 10.1.1.1, which is the primary tunnel interface IP set on FortiGate 1.
The VPN network between the two OSPF networks uses the primary VPN connection. Disconnect the wan1 interface and confirm that the secondary tunnel is used automatically to maintain a secure connection. Verify the IPsec VPN tunnel status on FortiGate 1 and FortiGate 2. Both FortiGates should show that the primary tunnel is DOWN and the secondary tunnel is UP. Go to VPN > Monitor > IPsec Monitor to verify the status.
Verify the routing table on FortiGate 1 and FortiGate 2. The secondary OSPF route (the one with cost 100) appears on both FortiGate units. Go to Router > Monitor > Routing Monitor. Type OSPF for the Type and select Apply Filter to verify the OSPF route.
Verify that traffic flows via the secondary tunnel. From PC1, set to IP 10.20.1.100 behind FortiGate 1, run a tracert to PC2, set to IP 10.21.1.100 behind FortiGate 2, and vice versa. From PC1, you should see the traffic go through 10.2.1.2, which is the secondary tunnel interface IP set on FortiGate 2. From PC2, you should see the traffic go through 10.2.1.1, which is the secondary tunnel interface IP set on FortiGate 1.
Authentication
Authentication is the act of confirming the identity of a person or other entity. In the context of a private computer network, the identities of users or host computers must be established to ensure that only authorized parties can access the network. The FortiGate unit enables controlled network access and applies authentication to users of security policies and VPN clients. Identifying users and other computers (authentication) is a key part of network security. This chapter describes some basic configurations.
[Network diagram: Internet - WAN 1 172.20.120.123 - FortiGate - Port 1 192.168.1.99/24 - Internal Network with Windows AD server 192.168.1.114]
Select the domains to monitor, and any users whose activity you do not wish to monitor.
Step Three: Configure the FortiGate unit to connect to the FSSO agent
On the FortiGate unit, go to User & Device > Authentication > Single Sign-On. Enter the password that was set when configuring FSSO in the previous step.
Results
Go to Log & Report > Traffic Log > Forward Traffic. As users log into the Windows AD system, the FortiGate collects their connection information.