Page: 7
Fortinet Solution
FortiGate platform
FortiGuard Subscription Services
Management, reporting, analysis products
Page: 8
FortiGate
Application-level services
Antivirus, intrusion protection, antispam, web content filtering
Network-level services
Firewall, IPSec and SSL VPN, traffic shaping
Management, reporting, analysis products
Authentication, logging, reporting, secure administration, SNMP
Page: 8
FortiGate Portfolio
SOHO
FortiGate 30B, 50B, 51B, 60B, 100A, 110C, 111C
Protect smaller deployments
Medium-Sized Enterprises
FortiGate 200A, 224B, 300A, 400A, 500A, 800
Meet demands of mission critical enterprise applications
Large-Sized Enterprises and Carriers
FortiGate 1000A, 3016B, 3600A, 3810A, 5020, 5050, 5140
High performance and reliability
Page: 9-10
FortiGuard
Dynamic updates
Antivirus, intrusion protection, web filtering, antispam
Updated 24x7x365
Data centers around the world
Secure, high availability locations
Page: 10
FortiManager
Manage all Fortinet products from a centralized console
Minimize administration effort
Deploying, configuring and maintaining devices
Page: 10
FortiAnalyzer
Centralized analysis and reporting
Aggregate and analyze log data from multiple devices
Comprehensive view of network usage
Identify and address vulnerabilities
Monitor compliance
Quarantine and content archiving
Page: 10
FortiMail
Multi-layered email security
Advanced spam filtering, antivirus
Facilitate regulatory compliance
Page: 11
FortiClient
Security for desktops, laptops, mobile devices
Personal firewall, IPSec VPN, antivirus, antispam, web content
filtering
FortiGuard keeps FortiClient up-to-date
Page: 11
Firewall Basics
Controls flow of traffic between networks of different trust
level
Allow good information through but block intrusions,
unauthorized users or malicious traffic
Rules to allow or deny traffic
Page: 12
Firewall Basics
Internet
Firewall
Page: 12
Common Firewall Features
Block unwanted incoming traffic
Block prohibited outgoing traffic
Block traffic based on content
Allow connections to an internal network
Reporting
Authentication
Page: 13
Types of Firewalls
Packet filter firewall
Inspects incoming and outgoing packets
If matches rules, perform action
Stateful firewall
Examines headers and content of packet
Holds attributes of connection in memory
Packet forwarded if connection already established and tracked
Improved performance
Application layer (proxy-based) firewall
Stands between protected and unprotected network
Repackages messages into new packets allowed into network
Page: 14
Network Address Translation
Map private reserved IP addresses into public IP addresses
Local network uses different set of addresses
NAT device routes response to proper destination
Single agent between public and private network
Conserve IP addresses
One public address used to represent group of computers
Organization uses own internal IP addressing schemes
Page: 16
Dynamic NAT
Private IP address mapped from a pool of public IP
addresses
Masks internal network configuration
Private network can use private IP addresses invalid on
Internet but useful internally
Page: 16
Static NAT
Private IP address mapped to a public IP address
Public address always the same
Allow internal host to have a private IP address but still be
reachable over the Internet
Web server
Page: 16
FortiGate Capabilities
Firewall
Policies to allow or deny traffic
UTM Features:
Antivirus
Multiple techniques
Antispam
Detect, tag, block, and quarantine spam
Web Filtering
Control access to inappropriate web content
Intrusion Protection
Identify and record suspicious traffic
Page: 17
FortiGate Capabilities
UTM Features (continued):
Application Control
Manage bandwidth use
Data Leak Prevention
Prevents transmission of sensitive information
Page: 17-18
FortiGate Capabilities
Virtual Domains
Single FortiGate functions as multiple units
Traffic Shaping
Control available bandwidth and priority of traffic
Secure VPN
Ensure confidentiality and integrity of transmitted data
WAN Optimization
Improve performance and security
High Availability
Two or more FortiGates operate as a cluster
Page: 18-19
FortiGate Capabilities
Endpoint Compliance
Use FortiClient End Point Security in network
Logging
Historical and current analysis of network usage
User Authentication
Control access to resources
Page: 18-19
FortiGate Unit Description
CPU
Intel processor
FortiASIC processor
Offload intensive processing
DRAM
Flash memory
Store firmware images
Hard drive
Logs, quarantine, archives
Interfaces
WAN, DMZ, Internal
Page: 20
FortiGate Unit Description
Serial console port
Management access
USB port
USB drives or modem
Wireless
FortiWifi devices can use wireless communications
Modem
Module slot bays
Blade card installed in a chassis
PC card slot
PCMCIA card slot for expansion
Page: 20-21
FortiGate Front View (51B)
Page: 22
FortiGate Back View (51B)
Page: 23
Operating Modes
NAT/Route Mode
Default configuration
Each FortiGate unit is visible to network it is connected to
Interfaces are on different subnets
Unit functions as a firewall
Page: 24
Operating Modes NAT/Route
Internal
192.168.1.99
192.168.1.3
WAN1 Routing policies control
204.23.1.5 traffic between internal
Internet
networks.
Router
DMZ
10.10.10.1
10.10.10.2
Page: 24
Operating Modes
Transparent Mode
FortiGate unit is invisible to the network
All interfaces are on the same subnet
Use FortiGate without altering IP infrastructure
Page: 25
Operating Modes Transparent
Operating Modes Transparent (diagram)
WAN1 side: Router 204.23.1.5, Internet; Internal side: hub or switch, 10.10.10.2, 10.10.10.3
Page: 25
Device Administration
Web Config
Configure and monitor device through web browser
CLI
Command line interface
Page: 26
Web Config
Page: 26
Web Config Menu
Page: 28
System Information
Page: 29
License Information
Page: 29
CLI Console
Page: 29
System Resources
Page: 30
Unit Operation
Page: 30
Alert Message Console
Page: 30
Top Sessions
Page: 31
Top Viruses
Page: 31
Top Attacks
Page: 32
Traffic History
Page: 32
Statistics
Page: 33
Online Help
Page: 34-35
Topology Viewer
Page: 36
Command Line Interface (CLI)
Page: 37
CLI Command Structure
Commands
config
Objects
config system
Branches
config system interface
Tables
edit port1
Parameters
set ip 172.20.110.251 255.255.255.0
Page: 38-44
CLI Basics
Command help
?
config ?
config system ?
Command completion
? or <tab>
c?
config + <space> + <tab>
Recalling commands
Up or Down arrow key
Page: 45
CLI Basics
Editing commands
<CTRL> + <key>
Line continuation
use \ at end of each line
Command abbreviation
get system status can be entered as g sy st
IP address formats
192.168.1.1 255.255.255.0
192.168.1.1/24
Page: 46
Administrative Users
Responsible for configuration and operation
Default: admin
Full read/write control
Cannot be renamed
Default password blank
System administrator
Assigned super_admin profile
Regular administrator
Access profile other than super_admin
Access configurable
Page: 47
Interface Addressing
Number of physical interfaces varies per model
Interface addresses configurable
Static
DHCP
PPPoE
Page: 48-51
DNS
Some functions use DNS
Alert email, URL blocking, etc
Lower end models can retrieve automatically
One interface must use DHCP
Can provide DNS forwarding
Page: 52
Configuration Backup and Restore
Different locations
Local PC
FortiManager
FortiGuard Management Service
USB disk
Can be encrypted
Required to backup VPN certificates
Page: 53
Firmware Upgrades
File must be obtained from Fortinet
Apply upgrade
Web Config
CLI
FortiGuard Management Service
Page: 54
Lab
Connecting to Command Line Interface
Connecting to Web Config
Configuring Network Connectivity
Exploring the CLI
Configuring Global System Settings
Configuring Administrative Users
Page: 55
Agenda
Introduction
Overview and System Setup
FortiGuard Subscription Services
Logging and Alerts
Firewall Policies
Basic VPN
Authentication
Antivirus
Spam Filtering
Web Filtering
Lesson 2
FortiGuard Subscription Services
FortiGuard Subscription Services
Continuously updated security
Antivirus
Intrusion Protection
Web Filtering
Antispam
Delivered through FortiGuard Distribution Network
Page: 75
FortiGuard Distribution Network
Secure, high availability data centers
Updated methods
Manual
Push
Pull
Customized frequency
Devices continuously updated
Device connects to FortiGuard Service Point
Page: 75-76
Connecting to FortiGuard Servers
(diagram: FortiGate resolves service.fortiguard.net through DNS and connects to FortiGuard Server 1 or FortiGuard Server 2)
Page: 77
FortiGuard Antivirus Service
Latest virus defenses
New and evolving viruses
Spyware
Malware
Automated updates
Page: 78
FortiGuard Intrusion Protection System Service
Page: 79
FortiGuard Web Filtering Service
Hosted web URL filtering service
FortiGuard Rating Server
Billions of web page addresses
Regulate and block harmful, inappropriate and dangerous content
FortiGuard Web Filtering Service
Regulate web activities to meet policy and compliance
CIPA Compliance
Page: 80
FortiGuard Antispam Service
Reduce spam at network perimeter
Global filters
Sender reputation database (FortiIP)
Spam signature database (FortiSig)
Constantly updated
Local filters
Banned words
Local white and black lists
Heuristic rules
Bayesian training (in FortiMail)
Page: 81-82
FortiGuard Subscription Service Licensing
Page: 83
Scheduled Updates
Check for updates at defined times
Once every 1 to 23 hours
Once a day
Once a week
Must be able to connect to FortiGuard Distribution Network
using HTTPS on port 443
Override server address option may be used
Page: 84
Push Updates
FortiGuard Distribution Network notifies FortiGate units with
push enabled
FortiGate will request update
Use push in addition to scheduled updates
Receive updates sooner
If configuring push through a NAT device, configure port
forwarding
Page: 85-87
Manual Updates
Update antivirus and IPS definitions
Download definition file
Copy to computer used to connect to Web Config
Page: 88
Caching
Available for web filtering and antispam
Improves performance
Uses a small percentage of system memory
Least recently used IP or URL deleted when cache full
Time to Live (TTL) controls time in cache
Page: 89
FortiGuard Web Filtering Categories
Wide range of categories to filter upon
Specify action for each category
Allow, Block, Log, Allow Override
Enabled through protection profile
Page: 90-91
FortiGuard Antispam Controls
Filter email based on type
IMAP, POP3, SMTP
Filtering options enabled through protection profile
Page: 92
Configuring FortiGuard Using the CLI
CLI can be used to configure communications with
FortiGuard Distribution Network
Override default connection settings
config system fortiguard
Page: 93
FortiGuard Center
Online knowledge base and resource
Spyware, virus, IPS, web filtering, antispam attack library
Vulnerabilities
Submit spam and dangerous URLs
Timely threat and vulnerability information
Updated around the clock
Page: 94-95
Lab
Enabling FortiGuard Services and Updates
Page: 96
Agenda
Introduction
Overview and System Setup
FortiGuard Subscription Services
Logging and Alerts
Firewall Policies
Basic VPN
Authentication
Antivirus
Spam Filtering
Web Filtering
Lesson 3
Logging and Alerts
Logging and Alerts
Track down and pinpoint problems
Monitor network and Internet traffic
Monitor normal traffic
Establish baselines
Identify changes for optimal performance
Page: 101
Log Storage Locations
Local hard disk
FortiGate must have hard disk
FortiAnalyzer
Device for log collection, analysis and storage
System Memory
Overwrites older logs when capacity reached
Logs lost when FortiGate reset or loses power
Syslog
Forward logs to remote computer
FortiGuard Analysis Service
Subscription-based web service
Page: 101-105
Logging Levels
Emergency
System unstable
Alert
Immediate action required
Critical
Functionality affected
Error
Error condition exists, functionality could be affected
Warning
Functionality could be affected
Notification
Normal event
Information
General info about system operations
Debug
Primarily used as a support function
Page: 106-107
Log Types
Traffic
Traffic between source and destination interface
Only generated when session table entry expires
Event
Management activity
AntiVirus
Virus incidents
Web Filter
Web content blocking actions
Attack
Attacks detected and blocked
Page: 108
Log Types
AntiSpam
Records detected spam
Data Leak Prevention
Records data that matches pre-defined sensitive patterns
Application Control
IM/P2P
Records IM and P2P information
VoIP
Logs SCCP violations
Content
Logs metadata
Page: 108-109
Configuring Logging
Select location and level
Enable log generation
Protection profile
Antivirus, web filtering, FortiGuard web filtering, spam filtering, IPS,
IM/P2P and VoIP
Event log
Management, system and VPN activities
Firewall policy
Log Allowed Traffic
Page: 110-114
Viewing Log Files
Log&Report > Log Access
Remote or Memory tabs
Local Disk if available
Formatted or Raw view
Select columns to display
Filter messages
Page: 115-118
Content Archiving
Store session transaction data
HTTP
FTP
NNTP
IM (AIM, ICQ, MSN, Yahoo!)
Email (POP3, IMAP, SMTP)
Only available with FortiAnalyzer unit
Summary
Archives content metadata
Full
Copies of files or email messages
Page: 119-121
Alert Email
Send notification upon detection of a defined event
Requires one DNS server configured
Up to 3 recipients
Page: 122
SNMP
Report system information and forward to SNMP manager
Access SNMP traps from any FortiGate configured for SNMP
Read-only implementation
Fortinet-proprietary MIB available
Or use Fortinet-supported standard MIB
Add SNMP Communities
8 SNMP managers per community
Page: 123-126
Lab
Exploring Web Config Monitoring
Configuring System Event Logging
Exploring the FortiAnalyzer Interface
Configuring Email Alerts
SNMP Setup (Optional)
Page: 127
Agenda
Introduction
Overview and System Setup
FortiGuard Subscription Services
Logging and Alerts
Firewall Policies
Basic VPN
Authentication
Antivirus
Spam Filtering
Web Filtering
Lesson 4
Firewall Policies
Firewall Policies
Control traffic passing through FortiGate
What to do with connection request?
Packet analyzed, content compared to policy
ACCEPT
DENY
Source, destination and service must match policy
Policy directs action
Protection profile used with policy
Apply protection settings
Logging enabled to view connections using policy
Page: 137
Policy Matching
Searches policy list for matching policy
Based on source and destination
Starts at top of the list and searches down for match
First match is applied
Arrange policies from more specific to more general
Policies configured separately for each virtual domain
Move policies in list to influence order evaluated
Page: 138-141
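The first-match rule above is easy to get wrong when a general policy is placed above a specific one. The following added example (not Fortinet code; policy names, addresses and the implicit-deny default are constructed) models top-down evaluation and includes a check for policies that can never be reached because an earlier policy already covers all of their traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not Fortinet code: a minimal model of top-down, first-match
# policy evaluation. Policy names, addresses and the "implicit deny" default
# are constructed for illustration.


@dataclass
class Policy:
    name: str
    src: str        # source network in CIDR form ("0.0.0.0/0" plays the role of ALL)
    dst: str        # destination network in CIDR form
    service: str    # "tcp/80", "tcp/22", ... or "any"
    action: str     # "ACCEPT" or "DENY"

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.service in ("any", service))

    def covers(self, other: "Policy") -> bool:
        """True when every packet matching `other` would already match self."""
        return (ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst))
                and self.service in ("any", other.service))


def first_match(policies, src_ip, dst_ip, service):
    """Walk the list from the top; the first policy whose source, destination
    and service match decides the action. Nothing matched: deny (constructed
    default standing in for the unit's implicit deny)."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, service):
            return policy.name, policy.action
    return "implicit", "DENY"


def shadowed(policies):
    """Names of policies that can never be reached because an earlier policy
    covers all of their traffic; a useful check before moving policies around."""
    return [later.name
            for i, later in enumerate(policies)
            if any(earlier.covers(later) for earlier in policies[:i])]


# Constructed policy objects: a guest subnet inside the LAN range must not reach
# the DMZ, while the rest of the LAN may reach DMZ web servers.
BLOCK_GUEST = Policy("block-guest-to-dmz", "192.168.50.0/24", "10.10.10.0/24", "any", "DENY")
LAN_WEB = Policy("lan-to-dmz-web", "192.168.0.0/16", "10.10.10.0/24", "tcp/80", "ACCEPT")
GUEST_WEB = Policy("guest-to-dmz-web", "192.168.50.0/24", "10.10.10.0/24", "tcp/80", "ACCEPT")

CORRECT_ORDER = [BLOCK_GUEST, LAN_WEB]   # specific before general
MISORDERED = [LAN_WEB, BLOCK_GUEST]      # general first: the DENY never fires for web


if __name__ == "__main__":
    for order in (CORRECT_ORDER, MISORDERED):
        print([p.name for p in order], "->",
              first_match(order, "192.168.50.7", "10.10.10.2", "tcp/80"))
    print("shadowed:", shadowed([LAN_WEB, GUEST_WEB]))
```

With the misordered list a guest host reaching a DMZ web server is accepted by the general LAN policy and the deny below it is never consulted; `shadowed()` only reports a policy when the earlier one covers its source, destination and service completely, so a partially overlapping pair (as in the misordered list) still has to be caught by reading the order.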
User Authentication to Firewall Policies
User challenged to identify themselves before using policy
Before matching policies not requiring authentication
Available for policies with:
Action set to ACCEPT
SSL VPN
Authentication methods
Username + Password
Digital certificates
LDAP
RADIUS
TACACS+
Active Directory
FSAE required
Page: 142
Authentication Protocols
Protocol used to issue authentication challenge specified
Firewall policy must include protocol
HTTP
HTTPS
Telnet
FTP
Page: 142
Creating Policies
Source and destination address
Schedule
Service
Action
NAT
Options
Protection profile
Logging
Authentication
Traffic shaping
Disclaimers
Page: 143
Firewall Addresses
Added to source and destination address
Match source and destination IP address of packets received
Default of ALL
Represents any IP address on the network
Address configured with name, IP address and mask
Also use FQDN
Must be unique name
Groups can be used to simplify policy creation and
management
Page: 144-148
Firewall Schedules
Control when policies are active or inactive
One-time schedule
Activate or deactivate for a specified period of time
Recurring schedule
Activate or deactivate at specified times of the day or week
Page: 149-150
Firewall Services
Determine types of communications accepted or denied
Predefined services applied to policy
Custom service if not on predefined list
Group services to simplify policy creation and management
Page: 151-153
Network Address Translation (NAT)
Translate source address and port of packets accepted by
policy
Page: 154
Network Address Translation (NAT) (diagram)
Client 10.10.10.1 to server 172.16.1.1 through a firewall policy with NAT enabled; wan1 IP: 192.168.2.2
Original packet: Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
New packet: source address and port translated by the policy (source address becomes the wan1 IP)
Page: 154
Dynamic IP Pool
Translate source address to an IP address randomly
selected from addresses in IP pool
Page: 155
Dynamic IP Pool (diagram)
Client 10.10.10.1 to server 172.16.1.1 through a firewall policy with NAT + IP Pool; IP Pool wan1: 172.16.12.12-172.16.12.12
Original packet: Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
New packet: source address taken from the IP pool
Page: 155
Fixed Port
Prevent NAT from translating the source port
Some applications do not function correctly if source port translated
If Dynamic Pool not enabled, policy with Fixed Port can only
allow one connection to that service at a time
Page: 156
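The three diagrams (NAT, Dynamic IP Pool, Fixed Port) are easier to follow with a session table in front of you. The following added example (not Fortinet code) is a toy source-NAT model that reuses the slide's addresses (wan1 192.168.2.2, the one-address pool 172.16.12.12, client 10.10.10.1:1025 to 172.16.1.1:80); the ephemeral port range and the round-robin pool selection are constructed assumptions. It shows the reply being mapped back through the session table and the Fixed Port collision the slide warns about.

```python
from dataclasses import dataclass
from itertools import count, cycle

# Added example, not Fortinet code: a toy source-NAT session table illustrating
# the slides' NAT, Dynamic IP Pool and Fixed Port behaviour. Interface
# addresses reuse the slide's values (wan1 192.168.2.2, pool 172.16.12.12);
# the ephemeral port range and the pool selection order are constructed.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    def __init__(self, egress_ip, ip_pool=None, fixed_port=False):
        # With no pool the egress interface address is used; with a pool the
        # slide says an address is selected from the pool (random on the
        # FortiGate; round-robin here so the example is deterministic).
        self._pick_ip = cycle(ip_pool or [egress_ip])
        self.fixed_port = fixed_port
        self._next_port = count(40000)      # constructed ephemeral port range
        # translated (src_ip, src_port, dst_ip, dst_port) -> original (src_ip, src_port)
        self.sessions = {}

    def outbound(self, pkt: Packet):
        """Translate a packet accepted by a NAT policy. Returns the new packet,
        or None when the translated 4-tuple is already in use (fixed port
        without a pool: two clients reusing the same source port collide)."""
        nat_ip = next(self._pick_ip)
        nat_port = pkt.src_port if self.fixed_port else next(self._next_port)
        key = (nat_ip, nat_port, pkt.dst_ip, pkt.dst_port)
        if key in self.sessions:
            return None
        self.sessions[key] = (pkt.src_ip, pkt.src_port)
        return Packet(nat_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def inbound_reply(self, pkt: Packet):
        """Map a reply back to the client using the session table; a packet
        with no matching session is dropped (None)."""
        original = self.sessions.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if original is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, original[0], original[1])


def demo_nat_with_pool():
    """Slide scenario: 10.10.10.1:1025 -> 172.16.1.1:80 through a policy with
    NAT and the single-address pool 172.16.12.12-172.16.12.12."""
    nat = SourceNat("192.168.2.2", ip_pool=["172.16.12.12"])
    out = nat.outbound(Packet("10.10.10.1", 1025, "172.16.1.1", 80))
    reply = nat.inbound_reply(Packet("172.16.1.1", 80, out.src_ip, out.src_port))
    stray = nat.inbound_reply(Packet("172.16.1.1", 80, "172.16.12.12", 50000))
    return out, reply, stray


def demo_fixed_port_without_pool():
    """Fixed Port with no pool: the first connection succeeds, a second client
    using the same source port to the same service is refused."""
    nat = SourceNat("192.168.2.2", fixed_port=True)
    first = nat.outbound(Packet("10.10.10.1", 1025, "172.16.1.1", 80))
    second = nat.outbound(Packet("10.10.10.5", 1025, "172.16.1.1", 80))
    return first, second


if __name__ == "__main__":
    print(demo_nat_with_pool())
    print(demo_fixed_port_without_pool())
```

The unsolicited inbound packet in `demo_nat_with_pool()` has no session entry and is dropped, which is the same session-table lookup the Virtual IP slide relies on for replies; the collision in `demo_fixed_port_without_pool()` is why Fixed Port is normally paired with a dynamic IP pool.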
Fixed Port (diagram)
Client 10.10.10.1 to server 172.16.1.1 through a firewall policy with NAT + IP Pool + Fixed Port; IP Pool wan1: 172.16.12.12-172.16.12.12
Original packet: Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
New packet: source address taken from the IP pool, source port 1025 not translated
Page: 156
Virtual IPs
Allow connections using NAT firewall policies
Addresses in packets are remapped and forwarded
Client address does not appear in packet server receives
Upon reply, session table used to determine what destination
address should be mapped to
Page: 157-158
DNAT
NAT not selected in firewall policy
Policy performs destination network address translation (DNAT)
Accepts packet from external network intended for specific
address, translates destination address to IP on another
network
Page: 159
DNAT (diagram)
Client 10.10.10.1 and server 10.10.10.2 on one side of the FortiGate, server 192.168.1.100 on the other
Packet headers shown as Original and New: Source IP 192.168.1.100 and 172.16.1.1, Source Port 1025, Destination IP 10.10.10.2, Destination Port 80
Page: 159
Server Load Balancing
Dynamic one-to-many NAT mapping
External IP address translated to a mapped IP address
Determine by load balancing algorithm
External IP address not always translated to same mapped
IP address
Page: 160
Server Load Balancing (diagram)
Clients 10.10.10.1, 10.10.10.2, 10.10.10.3 on the Internet side reach FortiGate wan1; servers 192.168.1.100, 192.168.1.101, 192.168.1.200 on dmz
Firewall policy with Destination Address VIP: VIP ServerLB, Interface wan1, Address 172.16.1.1
Original packet: Source IP 10.10.10.3, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
New packet: destination address translated to one of the mapped server addresses
Page: 160
Protection Profiles
Control all content filtering
Group of protection settings applied to traffic
Types and levels of protection customized for each policy
Enables settings for:
Protocol Recognition
Anti-Virus
IPS
Web Filtering
Spam Filtering
Data Leak Prevention Sensor
Application Control
Logging
Page: 161
Default Protection Profiles
Strict
Maximum protection
Scan
Applies virus scanning to HTTP, FTP, IMAP, POP3, SMTP
Web
Applies virus scanning and web content blocking to HTTP
Unfiltered
No scanning, blocking or IPS
Page: 162-172
Traffic Shaping
Control bandwidth available to traffic processed by firewall
policy
Which policies have higher priority?
Improve quality of bandwidth-intensive traffic
Does NOT increase total bandwidth available
Page: 173
Token Bucket Filter
Dampening function
Delays traffic by buffering bursts
Does not schedule traffic
Configured rate is never exceeded
Page: 174
Token Bucket Filter Mechanism
Bucket has specified capacity
Tokens added to bucket at mean rate
If bucket fills, new tokens discarded
Bucket requests number of tokens equal to packet size
If not enough tokens in bucket, packet buffered
Flow will never send packets more quickly than capacity of
the bucket
Overall transmission rate does not exceed rate tokens placed
in bucket
Page: 175
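The bullets above describe the token bucket in words; the following added example (not Fortinet code) is a discrete-time simulation of that mechanism with constructed values for rate, bucket capacity, buffer depth and the packet burst. It shows the two properties the slide states: no tick ever sends more than the bucket capacity, and the long-run throughput is bounded by the token rate. It also shows the buffer limit from the Traffic Shaping Considerations slide causing a drop.

```python
from collections import deque

# Added example, not Fortinet code: a discrete-time simulation of the
# token-bucket mechanism the slide describes. Rate, capacity, buffer depth
# and the packet burst are constructed values.


class TokenBucket:
    def __init__(self, rate, capacity, buffer_limit):
        self.rate = rate                  # tokens (bytes) added per tick: the mean rate
        self.capacity = capacity          # bucket size; tokens beyond it are discarded
        self.tokens = capacity            # start full so a burst can go out at once
        self.buffer = deque()             # packets waiting for tokens
        self.buffer_limit = buffer_limit  # physical limit to how much can be buffered
        self.dropped = 0

    def tick(self, arriving):
        """Advance one time unit: add tokens, queue arrivals (dropping when the
        buffer is full), then send queued packets while tokens suffice.
        Returns the bytes sent this tick."""
        self.tokens = min(self.capacity, self.tokens + self.rate)
        for size in arriving:
            if len(self.buffer) < self.buffer_limit:
                self.buffer.append(size)
            else:
                self.dropped += 1
        sent = 0
        # The head-of-line packet waits until the bucket holds packet-size tokens.
        while self.buffer and self.buffer[0] <= self.tokens:
            size = self.buffer.popleft()
            self.tokens -= size
            sent += size
        return sent


def simulate(rate, capacity, buffer_limit, arrivals):
    """Run the shaper over a list of per-tick arrival lists; returns the bytes
    sent per tick and the number of packets dropped."""
    bucket = TokenBucket(rate, capacity, buffer_limit)
    sent_per_tick = [bucket.tick(arriving) for arriving in arrivals]
    return sent_per_tick, bucket.dropped


# Constructed burst: five 1500-byte packets arrive in tick 0, nothing afterwards.
BURST = [[1500] * 5, [], [], [], []]

if __name__ == "__main__":
    sent, dropped = simulate(rate=1000, capacity=3000, buffer_limit=4, arrivals=BURST)
    print("bytes sent per tick:", sent, "dropped:", dropped)
```

With a rate of 1000 bytes per tick and a 3000-byte bucket, the burst goes out as 3000 bytes in the first tick (the full bucket), then 1500 bytes every other tick as tokens accumulate; the fifth packet is dropped because the four-packet buffer was already full, which is the kind of loss the considerations slide means by "packets may be dropped, sessions affected".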
Token Bucket Filter Mechanism (diagram)
Tokens fill the token bucket; data packets from end users enter the FortiGate unit's buffer; the regulator releases packets to the destination network
Page: 175
Traffic Shaping Considerations
Attempt to normalize traffic peaks
Prioritize certain flows over others
Physical limitation to how much data can be buffered
Packets may be dropped, sessions affected
Performance on one traffic flow may be sacrificed to
guarantee performance on another
Not effective in high-traffic situations
Where traffic exceeds the FortiGate unit's capacity
Packets must be received before they can be subject to shaping
If shaping not applied to policy, default is high priority
Page: 176-177
Disclaimers
Accept disclaimer before connecting
Use with authentication or protection profile
Can redirect to a URL after authentication
Page: 178
Lab
Creating Firewall Policy Objects
Configuring Firewall Policies
Testing Firewall Policies
Configuring Virtual IP Access
Debug Flow
Page: 179
Agenda
Introduction
Overview and System Setup
FortiGuard Subscription Services
Logging and Alerts
Firewall Policies
Basic VPN
Authentication
Antivirus
Spam Filtering
Web Filtering
Lesson 5
Basic VPN
Virtual Private Networks (VPN)
Use public network to provide access to private network
Confidentiality and integrity of data
Authentication, encryption and restricted access
Page: 195
FortiGate VPN
Secure Sockets Layer (SSL) VPN
Access through web browser
Point-to-Point Tunneling Protocol (PPTP)
Windows standard
Internet Protocol Security (IPSec) VPN
Dedicated VPN software required
Well suited for legacy applications (not web-based)
Page: 195-196
SSL VPN Operating Modes
Web-only mode
Web browser only
Secure connection between browser and FortiGate unit
FortiGate acts as gateway
Authenticates users
Tunnel mode
VPN software downloaded as ActiveX control
FortiGate unit assigns client IP address from range of reserved
addresses
Page: 197-199
User Accounts
Must have user account assigned to SSL VPN user group
Users must authenticate
Username + Password
RADIUS
TACACS+
LDAP
Digital certificates
User group provides access to firewall policy
Split tunneling available
Only traffic destined for tunnel routed over VPN
Page: 200-202
Web-Only Configuration
Enable SSL VPN
Create user accounts
Assign to user group
Create firewall policy
Setup logging (optional)
Page: 204
Tunnel Mode Configuration
Enable SSL VPN
Specify tunnel IP range
Create user group
Create firewall policy
Page: 205
SSL VPN Settings
Tunnel IP Range
Reserve range of IPs for SSL VPN clients
Server Certificate, Require Client Certificate
Certificates must be installed
Encryption Key Algorithm
Idle Time-out
Client Authentication Time-Out
CLI only
Portal Message
Advanced
DNS and WINS Servers
Page: 206-208
Firewall Policies
At least one SSL VPN firewall policy required
Specify originating IP address
Specify IP address of intended recipient or network
Configuration steps:
Specify source and destination IP address
Specify level of encryption
Specify authentication method
Bind user group to policy
Page: 209
Firewall Addresses
Web-only mode
Predefined source address of ALL
Destination IP address where remote client needs to access
Entire private network, range of private IPs, private IP of host
Tunnel mode
Source is range of IP addresses that can be connected to FortiGate
Restrict who can access FortiGate
Destination IP address where remote client needs to access
Entire private network, range of private IPs, private IP of host
Page: 209
Configuring Web-Only Firewall Policies
Specify destination IP address
Name
Type
Subnet/IP range
Interface
Define policy
Action: SSL-VPN
Add user group
Page: 210-212
Configuring Tunnel-Mode Firewall Policies
Page: 213-218
SSL VPN Bookmarks
Page: 219-221
Connecting to the SSL VPN
https://<FortiGate_IP_address>:10443
Port customizable
SSL-VPN Web Portal page displayed
Bookmarks
What appears is pre-determined by the administrator's settings in
User > User Group and VPN > SSL > Portal > Settings
Page: 222
Connecting to the SSL VPN
Page: 222
Connecting to the SSL VPN
PPTP VPN
Page: 223
PPTP VPN
Page: 224
FortiGate Unit as PPTP Server
(diagram: Internet, FortiGate acting as the PPTP server)
Page: 224
FortiGate Unit Forwards Traffic to PPTP Server
(diagram: Internet, FortiGate, PPTP Server behind it)
Page: 225
PPTP Server Configuration
Page: 226
PPTP Pass-Through Configuration
Page: 227
IPSec VPN
Page: 228
IPSec Protocols
Page: 229
Authentication Header (AH)
Original IP Header | Authentication Header | TCP Header | Data
Authenticated: the whole packet
Page: 229
Encapsulating Security Payload (ESP)
New IP Header | ESP Header | Original IP Header | TCP Header | Data | ESP Trailer | ESP Authentication Trailer
Encrypted: Original IP Header through ESP Trailer
Authenticated: ESP Header through ESP Trailer
Page: 229
Modes of Operation
Tunnel mode
Entire IP packet encrypted and/or authenticated
Packet then encapsulated for routing
Transport mode
Only data in packet encrypted and/or authenticated
Header not modified or encrypted
Page: 230
Security Association (SA)
Page: 230
Internet Key Exchange (IKE)
Page: 231
Phase 1
Page: 231
Phase 2
Page: 232
Gateway-to-Gateway Configuration
Page: 234
Gateway-to-Gateway Configuration
(diagram: Site 1 with FortiGate 1 and Site 2 with FortiGate 2 connected across the Internet)
Page: 234
Gateway-to-Gateway Configuration
Page: 234
Defining Phase 1 Parameters
Page: 235-236
Authenticating the FortiGate Unit
Page: 237-238
Authenticating Remote Clients
Page: 239
XAuth Authentication
Page: 239
IKE Negotiation Parameters
Page: 240-242
Defining Phase 2 Parameters
Page: 243-246
Firewall Policies
Page: 247-250
Lab
Page: 251
Agenda
Introduction
Overview and System Setup
FortiGuard Subscription Services
Logging and Alerts
Firewall Policies
Basic VPN
Authentication
Antivirus
Spam Filtering
Web Filtering
Lesson 6
Authentication
Authentication
Page: 263
Authentication Methods
Local user
User names and passwords used to authenticate stored on
FortiGate
Remote
Use existing systems to authenticate
RADIUS
LDAP
PKI
Windows Active Directory
TACACS+
Page: 264-265
Users and User Groups
Page: 266-267
User Group Types
Firewall
Access to firewall policy that requires authentication
FortiGate requests user name and password (or certificate)
Directory Service
Allow access to users in DS groups already authenticated
Single sign on
Requires FSAE
SSL VPN
Access to firewall policy that requires SSL VPN authentication
Page: 268-270
Authentication overrides
Page: 271
Authentication Settings
Page: 272
PKI Authentication
Page: 273
RADIUS Authentication
Page: 274
LDAP Authentication
Page: 275
TACACS+ Authentication
Page: 276
Microsoft Active Directory Authentication
Page: 277
FSAE Components
Page: 278
FSAE Configuration on Microsoft AD
Page: 279-280
FSAE Configuration on FortiGate
Page: 281
Labs
Page: 282
Agenda
Introduction
Overview and System Setup
FortiGuard Subscription Services
Logging and Alerts
Firewall Policies
Basic VPN
Authentication
Antivirus
Spam Filtering
Web Filtering
Lesson 7
Antivirus
Antivirus
Page: 289
Antivirus Elements
File filter
File pattern and file type recognition
Virus scan
Virus definitions kept up-to-date through FortiGuard Subscription
Services
Grayware
Heuristics
Detect virus-like behavior
Page: 289-290
File Filter
File pattern
Name, extension or pattern
Built-in patterns or custom
File type
Analyze file to determine type
Types pre-configured
Actions
Allow
Block
Replacement message sent
Page: 291
Enabling File Filtering
Page: 292
File Name Pattern Filtering
Page: 295
File Type Filtering
Page: 296
File Pattern Filtering
Page: 297
Virus Scan
Page: 298
Updating Antivirus Definitions
Page: 299
Grayware
Page: 300
Grayware Categories
Adware
Pop-up advertising content
Browser Helper Objects
Add capabilities to browser
Dialers
Unwanted calls through modem or Internet connection
Downloaders
Retrieve files
Games
Hacker Tools
Subvert network and host security
Page: 301-303
Grayware Categories
Hijackers
Manipulate settings
Jokes
Key loggers
Log input for later retrieval
Misc
Uncategorized (multiple functionalities)
NMT (Network Management Tool)
Cause network disruption
P2P
File exchanges containing viruses
Page: 301-303
Grayware Categories
Plugins
Add additional features to an existing application
Remote Administration Tools (RAT)
Remotely change or monitor a computer on a network
Toolbars
Augment capabilities of browser
Page: 301-303
Spyware
Component of adware
Track user activities online
Report activities to central server
Target advertising based on online habits
Page: 304-305
Quarantine
Page: 306-307
Proxies
Page: 308
Scanning Options
Page: 309-310
Lab
Page: 311
Agenda
Introduction
Overview and System Setup
FortiGuard Subscription Services
Logging and Alerts
Firewall Policies
Basic VPN
Authentication
Antivirus
Spam Filtering
Web Filtering
Lesson 8
Spam Filtering
Spam Filtering
Page: 321
Spam Filtering Methods
IP address check
Verify source IP address against list of known spammers
URL check
Extract URLs and verify against list of spam sources
Email checksum check
Calculate checksum of message and verify against list of known
spam messages
Spam submission
Inform FortiGuard
Black/White list
Check incoming IP and email addresses against known list
SMTP only
Page: 322-323
Spam Filtering Methods
Page: 322-323
FortiGuard Antispam Global Filters
FortiIP sender IP reputation database
Reputation of IP based on properties related to address
Email volume from a sender
Compare sender's recent volume with historical pattern
FortiSig
Spam signature database
FortiSig1
Spamvertised URLs
FortiSig2
Spamvertised email addresses
FortiSig3
Spam checksums
FortiRule
Heuristic rules
FortiMail only
Page: 324-325
Customized Filters
Complement FortiGuard
Banned word lists
Local black/white list
Heuristic rules
Bayesian
FortiMail only
Page: 325
Enabling Antispam
Page: 326
Spam Actions
Page: 327
Banned Word
Page: 328-334
Black/White List
IP address filtering
Compare IP address of sender to IP address list
If match, action is taken
Email address filtering
Compare email address of sender to email address list
If match, action is taken
Page: 335
Configuring IP Address List
Page: 336-338
Configuring Email Address List
Page: 339-342
MIME Headers Check
Page: 343
DNSBL and ORDBL
Page: 344
FortiMail Antispam
Page: 345
Agenda
Introduction
Overview and System Setup
FortiGuard Subscription Services
Logging and Alerts
Firewall Policies
Basic VPN
Authentication
Antivirus
Spam Filtering
Web Filtering
Lesson 9
Web Filtering
Web Filtering
Page: 349
Order of Filtering
URL Filtering
Exempt, Block, Allow
FortiGuard Web Filtering
Content Exempt
Customizable
Content Block
Customizable
Script Filter
Page: 349
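The order of filtering determines which stage gets to decide about a page. The following added example (not Fortinet code) models that pipeline with constructed lists, ratings and word scores; the rating table stands in for FortiGuard Rating Server lookups. It assumes that a URL filter "Exempt" entry ends all further filtering, that "Allow" only passes the URL on to the later stages, and that a content-exempt match skips only the content block stage; those are this example's assumptions, not details stated on the slide.

```python
import re
from urllib.parse import urlparse

# Added example, not Fortinet code: a model of the filtering order on the
# slide (URL filter, then FortiGuard category rating, then content exempt,
# content block and the script filter). All lists, ratings, weights and the
# threshold are constructed; the rating table stands in for FortiGuard
# Rating Server lookups. Assumed semantics: a URL filter "exempt" entry ends
# all further filtering, "allow" lets the page continue to the later filters,
# and a content-exempt match skips only the content block stage.

URL_FILTER = [                       # evaluated top-down, first match wins
    ("intranet.example", "exempt"),
    ("badsite.example", "block"),
    ("news.example", "allow"),
]
CATEGORY_RATINGS = {"gambling.example": "gambling", "news.example": "news"}
CATEGORY_ACTIONS = {"gambling": "block", "news": "allow"}   # unrated: allow
CONTENT_EXEMPT = ["medical research"]
CONTENT_BLOCK = {"casino": 10, "jackpot": 5}                # banned word -> score
BLOCK_THRESHOLD = 10
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def filter_page(url, body):
    """Return (decision, stage that decided, body delivered to the client)."""
    host = urlparse(url).hostname or ""
    for pattern, action in URL_FILTER:
        if host == pattern or host.endswith("." + pattern):
            if action == "exempt":
                return "allow", "url-filter:exempt", body
            if action == "block":
                return "block", "url-filter:block", ""
            break                              # "allow": continue with later filters

    category = CATEGORY_RATINGS.get(host, "unrated")
    if CATEGORY_ACTIONS.get(category, "allow") == "block":
        return "block", "fortiguard:" + category, ""

    text = body.lower()
    if not any(phrase in text for phrase in CONTENT_EXEMPT):
        score = sum(weight for word, weight in CONTENT_BLOCK.items() if word in text)
        if score >= BLOCK_THRESHOLD:
            return "block", "content-block:score=%d" % score, ""

    return "allow", "script-filter", SCRIPT_RE.sub("", body)


# Constructed sample requests, one per stage of the pipeline.
SAMPLES = {
    "exempt": ("https://intranet.example/x", "<script>a()</script>casino"),
    "url": ("https://badsite.example/", "hello"),
    "category": ("https://gambling.example/", "hello"),
    "content": ("https://news.example/", "Casino jackpot tonight"),
    "cexempt": ("https://news.example/", "Medical research on casino jackpot odds<script>t()</script>"),
    "clean": ("https://other.example/", "plain <script>x()</script> page"),
}

if __name__ == "__main__":
    for name, (url, body) in SAMPLES.items():
        print(name, filter_page(url, body))
```

Note the consequence of the exempt entry: the intranet page is delivered with its script and banned words untouched because nothing after the URL filter runs, so exempt entries deserve the same review as allow policies.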
Web Content Block
Page: 350-353
Web Content Block
Page: 352
Web Content Exemption
Page: 354-357
Web Content Exemption
Page: 356
Enabling Web Filtering
Page: 358
URL Filter
Page: 359-362
URL Filter
Page: 361
FortiGuard Web Filter
Page: 363
Web Filtering Categories
Page: 364
Web Filtering Classes
Page: 365
Enabling FortiGuard Web Filtering
Page: 366
Enabling FortiGuard Web Filtering Options
Page: 367-368
Web Filtering Overrides
Page: 369
Allowing Override at User Group Level
Page: 370
Configuring Override Rules (Directory or Domain)
Page: 371-372
Configuring Override Rules (Category)
Page: 373
Web Filtering Override Page
Page: 375
Web Filtering Authentication Page
Page: 375
Local Ratings
Page: 376
Local Categories
Page: 377
Thank you for attending