
FortiGate Multi-Threat Security Systems

Jacob Chen
Fortinet Taiwan SE
FortiGate management access

CLI (command line interface): console port, telnet, ssh.
Web GUI (graphical user interface): web browser (Internet Explorer) over http or https (SSL).
FortiGate factory default configuration

Operation mode: Route/NAT
Internal interface: 192.168.1.99/24, administrative access: https, http, ssh, ping
External interface: 192.168.100.99/24, administrative access: ping
Console login

Terminal settings for the console port:
  Bits per second: 9600
  Data bits: 8
  Parity: None
  Stop bits: 1
  Flow control: None

Log in as admin and press Enter at the password prompt (the factory default password is empty).
At the CLI prompt (for example "Fortigate-400 #") type ? to list the available commands.

Web management

The web GUI is reached over SSL (https) by default.
Administrator login:
  Name: admin
  Password: (empty by default; change it immediately after the first login)

Initial setup topics

Setting the IP address in Route/NAT mode and in Transparent mode
Default route in Route/NAT mode and in Transparent mode
Web login

1. Give the PC an IP address in 192.168.1.0/24.
2. Connect the PC to the FortiGate internal port (port1 on some models).
3. Browse to https://192.168.1.99 to open the FortiGate web GUI.
4. Name: admin, Password: (empty), then Login.

1 Setting the IP address in Route/NAT mode
Interface settings
1. Set the IP address and netmask.
2. Set the ping server IP (the gateway to monitor), if used.
3. Select the administrative access protocols for the interface.
4. Click OK (the FortiGate applies the new address immediately, so a session on the old address is lost).
5. Check the PC's ARP table, then open the web GUI on the new IP address.

1 Setting the IP address in Route/NAT mode (contd)

Keypad and LCD display
On models with a front-panel LCD (FG-300 and above) the internal port IP address can be set from the keypad.
1 Setting the IP address in Route/NAT mode (contd)
Console CLI:

# config system interface
(interface)# edit internal
(internal)# set ip 10.1.1.254 255.255.255.0
(internal)# end
1 Setting the IP address in Transparent mode

In Transparent mode the FortiGate has a single management IP address (10.10.10.1 in this example) instead of per-interface addresses; it is reached through the internal port (port1 on some models).

1 Setting the IP address in Transparent mode (contd)

Keypad and LCD display
On models with a front-panel LCD (FG-300 and above) the management IP address can be set from the keypad.

1 Setting the IP address in Transparent mode (contd)
Console CLI:

# config system settings
(settings)# set opmode transparent
(settings)# set manageip 10.1.1.254 255.255.255.0
(settings)# end

Changing the operation mode replaces the interface addresses with the management IP, so a session opened over the network is disconnected; do it from the console.
1 Creating a firewall policy
Firewall -> Policy -> Create New

1. Source interface: internal
2. Destination interface: external
3. Source address and destination address: all
4. If the FortiGate is in Route/NAT mode, enable NAT on the policy; in Transparent mode the NAT option does not exist, because no address translation is done.
5. OK

SOHO deployments normally run in Route/NAT mode with NAT enabled on the outbound policy. Transparent mode is used when the FortiGate is inserted into an existing network without changing its addressing.
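The same policy built from the CLI, as an added example (not a slide from the original deck). Interface names follow the GUI steps above; the service object name "ANY" is assumed for FortiOS 4.x (later releases call it "ALL"). The last set line is the step 4 caveat: it is valid in Route/NAT mode only, and in Transparent mode the policy is created without it.

```text
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
```

Verify the result with "show firewall policy 1"; a policy with action accept and no nat line in Route/NAT mode passes private source addresses to the external interface untranslated.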
1 Network interface - Addressing mode
Manual (static IP address)
DHCP
PPPoE

Administrative access options: Https, Ping, Http, Telnet, SSH, SNMP
Enable only the protocols that are needed on each interface; on the external interface in particular, avoid exposing plaintext Http and Telnet.
1 Network - Interface overview

1 Network interface - Manual

Edit interface/VLAN:
1. IP address and netmask
2. Ping server IP
3. Administrative access

1 Network interface - DDNS

DDNS server, domain, username and password

1 Network interface - PPPoE

1. Select PPPoE as the addressing mode
2. Retrieve default gateway from server
3. Ping server
1 Default route in Route/NAT and Transparent mode

In Route/NAT mode the FortiGate routes between its interfaces and performs address translation (NAT); the default route sends Internet-bound traffic to the upstream gateway.
In Transparent mode the FortiGate forwards traffic at layer 2, and its default gateway is used only for traffic the FortiGate itself originates (updates, logging, alert email).
FortiGate System menu

Maintenance and troubleshooting, including backup and restore of:
  configuration settings
  web filtering lists
  spam filtering lists

System Status
Shows FortiGate status and session information. The operation mode (Route/NAT or Transparent) is shown here and can be changed from the status page or from the CLI:

# config system settings
(settings)# set opmode transparent
(settings)# end
System - Network

802.1Q VLAN
Zones
DNS

Network - Interface - Create New - VLAN
1. VLAN interface name
2. VLAN ID (802.1Q tag)
3. VLAN IP address and netmask

Network - DNS
The FortiGate needs DNS servers of its own for alert email, URL blocking and similar functions.
It can also act as a DNS relay, forwarding clients' DNS requests to the configured DNS servers.
System - Config
Time
Options
HA (High Availability)
Admin
SNMP v1/v2c
Replacement Message

System Config - Time
Set the time zone and the time, manually or via NTP. Accurate time is required for meaningful logs and for FDS (FortiGuard Distribution Server) updates.

System Config - Options
Miscellaneous system options, including LCD panel settings and fail over behaviour.

System Config - HA
System Config - SNMP v1/v2c
System Config - FortiManager
System - Admin
Administrators
  Add administrator accounts (up to 12)
Access Profile

System Admin - Administrators
System Admin - Access Profile
Give each administrator an access profile with only the permissions the role needs rather than reusing the built-in full-access profile.

System - Maintenance
Backup & Restore
Update Center
Support
Shutdown

System Maintenance - Backup & Restore
System Maintenance - Contract
System Maintenance - Update Center
System Maintenance - Support
http://support.fortinet.com (support site; bug reports are filed here)
System Maintenance - Shutdown

System - Virtual Domain
Virtual domains divide one FortiGate into several independent units, each running in NAT/Route or Transparent mode with its own interfaces, routing and policies.
Default: 10 virtual domains
FortiGate 3016: up to 250 virtual domains
Firmware upgrade (Web GUI)
Select the firmware image file, for example:
D:\FortiGate\FortiOS v4.0\v4.0_Image\4.2\v4.2.2(291)FGT_200B-v400-build0291-FORTINET.out

Firmware upgrade (Console)
1. Connect the PC to the FortiGate port1 / internal port.
2. Run a TFTP server on the PC holding the firmware image.
3. Connect a console cable to the FortiGate serial port and start the TFTP download from the console.

Router - Static

Static routes: destination network, gateway IP and device.
A route to 0.0.0.0/0 is the default route.

Router - Policy

Policy routes match traffic on:
  source address
  protocol, service type, or port range
  incoming interface and source IP address
and send matching traffic out the specified outgoing interface, optionally monitored by a ping server (dead gateway detection, DGD).

Protocol numbers

Name    Num  Comment
HOPOPT  0    IPv6 Hop-by-Hop Option
ICMP    1    Internet Control Message
IGMP    2    Internet Group Management
IP      4    IP in IP (encapsulation)
TCP     6    Transmission Control
UDP     17   User Datagram

Router - RIP
RIP version 1 (RFC 1058) and RIP version 2 (RFC 2453)
Distance-vector protocol: the metric is the hop count, i.e. the number of L3 devices traversed.
The maximum metric is 15 hops; 16 means unreachable.
RIP version 2 carries the netmask in its updates, so it supports variable-length subnets; RIP version 1 does not.

Routing Table List
Available in Route/NAT mode only.
IPS and Antivirus

IPS
  Signature-based detection
  Anomaly-based detection
  Enable IPS in a protection profile; the profile is applied by a firewall policy.

IPS features
  FortiASIC hardware acceleration
  Configured per protection profile
  More than 4500 signatures
  ICSA certified
  Inspects layers 3 to 7; attached to a firewall policy through the UTM protection profile
  Stateful engine
  Individual signatures can be enabled or disabled and given their own action and logging setting

IPS Signature
IPS Anomaly
IPS Profile
IPS Policy
Antivirus
Antivirus scanning is enabled in a protection profile, which is applied to traffic by a firewall policy.
Protection profiles cover these protocols:
  HTTP / HTTPS
  FTP
  IMAP / IMAPS
  POP3 / POP3S
  SMTP / SMTPS
  IM
  NNTP
Handling of fragmented email and of oversized files and email is configured separately.

AntiVirus - File Block
AntiVirus - Quarantine
AntiVirus - Config

Protocol Config
Oversized file threshold: the FortiGate buffers files up to a configurable share of memory (1-15%); files and email above the threshold are blocked by default or, if "oversized pass" is selected, bypass scanning.
Blocking is the safer choice: a bypassed oversized file is delivered unscanned.

Log Config and Log Access

Where should the FortiGate store its logs?
1. Models with a hard disk (FG-60B, FG-310B and others) can log to disk; models without one log to memory, which is small and is lost on reboot.
2. Send logs to a syslog server.
3. Choose the minimum severity level to log, for example "information".

Log types
  Event Log
  Traffic (policy)
  AntiVirus
  IPS
  Application Control
  DoS
  WebFilter
  AntiSpam
  DLP

Log destinations
  Remote Syslog Server
  WebTrends Server
  Local Disk
  Memory Buffer
  FortiAnalyzer Appliance
Select log types and filter options for each location.
For retention and reporting across several FortiGates, send logs to a FortiAnalyzer.

FortiGate log format
Each record has a log header (date, time, log_id, type, subtype, pri, vd) followed by a log body of key=value fields.

Example traffic log:
2010-12-14 22:14:05 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd="root" dir_disp=org tran_disp=snat src=192.168.11.2 srcname=192.168.11.2 src_port=1163 dst=66.235.133.33 dstname=66.235.133.33 dst_port=80 tran_ip=220.134.20.85 tran_port=60429 service=80/tcp proto=6 app_type=N/A duration=129 rule=1 policyid=1 identidx=0 sent=1841 rcvd=829 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" sent_pkt=5 rcvd_pkt=6 vpn="N/A" src_int="internal" dst_int="wan1" SN=6648 app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"
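A small parser for this key=value format, added here as an example and not taken from the slides or from Fortinet. It handles the two value forms that appear in the line above (bare tokens and double-quoted strings), normalises the N/A placeholders, and renders the connection path so the SNAT translation (tran_disp, tran_ip, tran_port) is visible at a glance. The sample line is the one shown above, re-joined onto a single line as the device emits it.

```python
import re
from typing import Dict, Optional

# Constructed sample: the FortiOS 4.x traffic log shown on this page, on one line.
SAMPLE_LOG = (
    '2010-12-14 22:14:05 log_id=0021000002 type=traffic subtype=allowed '
    'pri=notice status=accept vd="root" dir_disp=org tran_disp=snat '
    'src=192.168.11.2 srcname=192.168.11.2 src_port=1163 dst=66.235.133.33 '
    'dstname=66.235.133.33 dst_port=80 tran_ip=220.134.20.85 tran_port=60429 '
    'service=80/tcp proto=6 app_type=N/A duration=129 rule=1 policyid=1 identidx=0 '
    'sent=1841 rcvd=829 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 '
    'shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" '
    'sent_pkt=5 rcvd_pkt=6 vpn="N/A" src_int="internal" dst_int="wan1" SN=6648 '
    'app="N/A" app_cat="N/A" user="N/A" group="N/A" carrier_ep="N/A"'
)

# The header opens with date and time; everything after is key=value fields.
# A value is either "double-quoted" (may contain spaces) or a bare token.
_HEADER = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (.*)$')
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_fortigate_log(line: str) -> Dict[str, Optional[str]]:
    """Parse one FortiGate key=value log line into a dict.

    Values of N/A (quoted or bare) become None, so callers can test
    "field not applicable" without string comparisons.
    Raises ValueError if the date/time header is missing.
    """
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a FortiGate log line: missing date/time header")
    date, time_, body = m.groups()
    fields: Dict[str, Optional[str]] = {"date": date, "time": time_}
    for key, quoted, bare in _KV.findall(body):
        value = quoted if quoted else bare
        fields[key] = None if value == "N/A" else value
    return fields


def summarize_nat(fields: Dict[str, Optional[str]]) -> str:
    """Render src -> [translated ->] dst, plus the NAT disposition and byte total.

    tran_disp is the FortiOS NAT disposition (snat, dnat, snat+dnat or noop);
    anything other than the three NAT values is shown as an untranslated path.
    """
    nat = fields.get("tran_disp") or "noop"
    src = f'{fields["src"]}:{fields["src_port"]}'
    dst = f'{fields["dst"]}:{fields["dst_port"]}'
    if nat in ("snat", "dnat", "snat+dnat"):
        path = f'{src} -> {fields["tran_ip"]}:{fields["tran_port"]} -> {dst}'
    else:
        path = f'{src} -> {dst}'
    total_bytes = int(fields["sent"] or 0) + int(fields["rcvd"] or 0)
    return f'{path} ({nat}, policy {fields["policyid"]}, {total_bytes} bytes)'


if __name__ == "__main__":
    parsed = parse_fortigate_log(SAMPLE_LOG)
    print(summarize_nat(parsed))
```

Feeding the same function a syslog export of many lines gives a quick check that outbound policies really translate: any line with status=accept from a private src whose tran_disp is noop on an external dst_int is a policy created without NAT.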

Alert email (sent by the FortiGate itself)

Configure the SMTP server; the FortiGate must have working DNS to resolve its name.
Configure the recipient email addresses and select which events trigger an alert email.
For central alerting and reporting, use a FortiAnalyzer instead of, or in addition to, alert email.

FortiGate tips - interface information

Fortigate# get sys int
Shows the configuration and link status of every interface.

FortiGate tips - secondary IP
An interface can carry additional (secondary) IP addresses alongside its primary address.

FortiGate tips - NIC information

Fortigate# diag hardware deviceinfo nic internal
Shows driver, link, speed and counter information for the internal interface.

FortiGate tips - other settings
The RADIUS port and multicast forwarding are set from the CLI.
FortiGate tips - service session timeout

Each service has a default session timeout. For long-lived connections, define a custom service and raise its session TTL instead of changing the global default.

FortiGate tips - HTTP on a non-standard port

Traffic to port 8080 is not recognised as HTTP by default. Define a custom service for HTTP on port 8080 and add port 8080 to the HTTP protocol configuration so that HTTP virus scanning is applied to it.
FortiGate tips - IP/MAC binding

Bind IP addresses to MAC addresses in the IP/MAC table.

FortiGate tips - IP/MAC binding table
Each entry pairs an IP address with a MAC address.

FortiGate tips - enabling IP/MAC binding
Enable IP/MAC binding on the interface; packets whose source IP and MAC do not match a bound pair are handled according to the configured action for unbound hosts (allow or block).

FortiGate tips - OSPF

Define the OSPF area and choose which routes to redistribute into OSPF (connected, static).

FortiGate tips - OSPF area
Configure the area, then the OSPF networks and interfaces.
FortiGate tips - Troubleshooting: sniffer

Fortigate# diag sniffer packet internal
Captures all packets on the internal interface.

Fortigate# diag sniffer packet internal 'host 172.16.30.11'
Captures packets on the internal interface to or from 172.16.30.11.

Fortigate# diag sniffer packet internal 'tcp and port 80'
Captures TCP port 80 traffic on the internal interface.

The filter is a tcpdump-style expression and must be quoted as a single argument. Stop the capture with Ctrl-C.

FortiGate tips - Troubleshooting: system top

Fortigate# diag sys top
Shows running processes with their CPU and memory usage.

FortiGate tips - Troubleshooting: netlink

Fortigate# diag netlink nei list
Shows the FortiGate ARP (neighbour) table.

FortiGate tips - Troubleshooting: session clear

Fortigate# diag sys session clear
Clears every entry in the FortiGate session table; all connections through the unit are interrupted.

Other useful commands:

Fortigate# exec ping 168.95.1.1
Ping

Fortigate# exec trace 168.95.1.1
Trace route (execute traceroute)

Fortigate# exec reboot
Reboot the FortiGate
Fortinet resources

Product Information (www.fortinet.com)
FortiOS Release Notes
Knowledge Center (kc.fortinet.com)
Technical Forums (support.fortinet.com/forum)
FortiDocs (docs.fortinet.com)
