Download - Fortigate Training

Transcript
Page 1: Fortigate Training

FortiGate Multi-Threat Security Systems Administration, Content Inspection and Basic VPN

Page 2: Fortigate Training

Prerequisites

• Introductory-level network security experience
• Basic understanding of core network security and firewall concepts

Page 3: Fortigate Training

Agenda

• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering

Page 4: Fortigate Training

Agenda

• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering

Page 5: Fortigate Training

Lesson 1: Overview and System Setup

Page 6: Fortigate Training

Unified Threat Management

• One device: firewall, intrusion protection, antivirus and more

• Centralized management

Page: 7

Page 7: Fortigate Training

Fortinet Solution

• FortiGate platform
• FortiGuard Subscription Services
• Management, reporting and analysis products

Page: 8

Page 8: Fortigate Training

FortiGate

• Application-level services: antivirus, intrusion protection, antispam, web content filtering

• Network-level services: firewall, IPSec and SSL VPN, traffic shaping

• Management, reporting and analysis products: authentication, logging, reporting, secure administration, SNMP

Page: 8

Page 9: Fortigate Training

FortiGate Portfolio

• SOHO: FortiGate 30B, 50B, 51B, 60B, 100A, 110C, 111C; protect smaller deployments

• Medium-sized enterprises: FortiGate 200A, 224B, 300A, 400A, 500A, 800; meet the demands of mission-critical enterprise applications

• Large enterprises and carriers: FortiGate 1000A, 3016B, 3600A, 3810A, 5020, 5050, 5140; high performance and reliability

Page: 9-10

Page 10: Fortigate Training

FortiGuard

• Dynamic updates: antivirus, intrusion protection, web filtering, antispam

• Updated 24x7x365

• Data centers around the world: secure, high-availability locations

Page: 10

Page 11: Fortigate Training

FortiManager

• Manage all Fortinet products from a centralized console

• Minimize administration effort: deploying, configuring and maintaining devices

Page: 10

Page 12: Fortigate Training

FortiAnalyzer

• Centralized analysis and reporting: aggregate and analyze log data from multiple devices

• Comprehensive view of network usage: identify and address vulnerabilities, monitor compliance

• Quarantine and content archiving

Page: 10

Page 13: Fortigate Training

FortiMail

• Multi-layered email security: advanced spam filtering, antivirus

• Facilitate regulatory compliance

Page: 11

Page 14: Fortigate Training

FortiClient

• Security for desktops, laptops, mobile devices: personal firewall, IPSec VPN, antivirus, antispam, web content filtering

• FortiGuard keeps FortiClient up-to-date

Page: 11

Page 15: Fortigate Training

Firewall Basics

• Controls the flow of traffic between networks of different trust levels

• Allow good information through but block intrusions, unauthorized users or malicious traffic

• Rules to allow or deny traffic

Page: 12

Page 16: Fortigate Training

Firewall Basics

Figure: the firewall sits between the trusted corporate network and the untrusted network (Internet).

Page: 12

Page 17: Fortigate Training

Common Firewall Features

• Block unwanted incoming traffic
• Block prohibited outgoing traffic
• Block traffic based on content
• Allow connections to an internal network
• Reporting
• Authentication

Page: 13

Page 18: Fortigate Training

Types of Firewalls

• Packet filter firewall: inspects incoming and outgoing packets; if a packet matches a rule, the action is performed

• Stateful firewall: examines headers and content of the packet; holds attributes of the connection in memory; packet forwarded if the connection is already established and tracked; improved performance

• Application layer (proxy-based) firewall: stands between the protected and unprotected network; repackages messages into new packets allowed into the network

Page: 14

Page 19: Fortigate Training

Network Address Translation

• Map private reserved IP addresses into public IP addresses: the local network uses a different set of addresses

• NAT device routes the response to the proper destination
• Single agent between public and private network
• Conserve IP addresses: one public address used to represent a group of computers

• Organization uses its own internal IP addressing scheme

Page: 16

Page 20: Fortigate Training

Dynamic NAT

• Private IP address mapped from a pool of public IP addresses

• Masks internal network configuration
• Private network can use private IP addresses that are invalid on the Internet but useful internally

Page: 16

Page 21: Fortigate Training

Static NAT

• Private IP address mapped to a public IP address: the public address is always the same

• Allow an internal host to have a private IP address but still be reachable over the Internet (for example, a web server)

Page: 16

Page 22: Fortigate Training

FortiGate Capabilities

• Firewall: policies to allow or deny traffic

• UTM features:

• Antivirus: multiple techniques

• Antispam: detect, tag, block, and quarantine spam

• Web Filtering: control access to inappropriate web content

• Intrusion Protection: identify and record suspicious traffic

Page: 17

Page 23: Fortigate Training

FortiGate Capabilities

• UTM features (continued):

• Application Control: manage bandwidth use

• Data Leak Prevention: prevents transmission of sensitive information

Page: 17-18

Page 24: Fortigate Training

FortiGate Capabilities

• Virtual Domains: a single FortiGate functions as multiple units

• Traffic Shaping: control available bandwidth and priority of traffic

• Secure VPN: ensure confidentiality and integrity of transmitted data

• WAN Optimization: improve performance and security

• High Availability: two or more FortiGates operate as a cluster

Page: 18-19

Page 25: Fortigate Training

FortiGate Capabilities

• Endpoint Compliance: use FortiClient End Point Security in the network

• Logging: historical and current analysis of network usage

• User Authentication: control access to resources

Page: 18-19

Page 26: Fortigate Training

FortiGate Unit Description

• CPU: Intel processor

• FortiASIC processor: offloads intensive processing

• DRAM
• Flash memory: stores firmware images

• Hard drive: logs, quarantine, archives

• Interfaces: WAN, DMZ, Internal

Page: 20

Page 27: Fortigate Training

FortiGate Unit Description

• Serial console port: management access

• USB port: USB drives or modem

• Wireless: FortiWiFi devices can use wireless communications

• Modem
• Module slot bays: blade card installed in a chassis

• PC card slot: PCMCIA card slot for expansion

Page: 20-21

Page 28: Fortigate Training

FortiGate Front View (51B)

Page: 22

Page 29: Fortigate Training

FortiGate Back View (51B)

Page: 23

Page 30: Fortigate Training

Operating Modes

• NAT/Route mode: default configuration; each FortiGate unit is visible to the network it is connected to; interfaces are on different subnets; the unit functions as a firewall

Page: 24

Page 31: Fortigate Training

Operating Modes – NAT/Route

Figure: FortiGate in NAT/Route mode. WAN1 (204.23.1.5) connects through a router to the Internet; Internal (192.168.1.99) serves host 192.168.1.3; DMZ (10.10.10.1) serves host 10.10.10.2.

NAT mode policies control traffic between internal and external networks. Routing policies control traffic between internal networks.

Page: 24

Page 32: Fortigate Training

Operating Modes

• Transparent mode: the FortiGate unit is invisible to the network; all interfaces are on the same subnet; use the FortiGate without altering the IP infrastructure

Page: 25

Page 33: Fortigate Training

Operating Modes – Transparent

Figure: FortiGate in Transparent mode. Diagram labels: Internet; Router (gateway to public network); 204.23.1.5; WAN1; Internal; hub or switch; hosts 10.10.10.2 and 10.10.10.3.

Page: 25

Page 34: Fortigate Training

Device Administration

• Web Config: configure and monitor the device through a web browser

• CLI: command line interface

Page: 26

Page 35: Fortigate Training

Web Config

Page: 26

Page 36: Fortigate Training

Web Config Menu

Page: 28

Page 37: Fortigate Training

System Information

Page: 29

Page 38: Fortigate Training

License Information

Page: 29

Page 39: Fortigate Training

CLI Console

Page: 29

Page 40: Fortigate Training

System Resources

Page: 30

Page 41: Fortigate Training

Unit Operation

Page: 30

Page 42: Fortigate Training

Alert Message Console

Page: 30

Page 43: Fortigate Training

Top Sessions

Page: 31

Page 44: Fortigate Training

Top Viruses

Page: 31

Page 45: Fortigate Training

Top Attacks

Page: 32

Page 46: Fortigate Training

Traffic History

Page: 32

Page 47: Fortigate Training

Statistics

Page: 33

Page 48: Fortigate Training

Online Help

Page: 34-35

Page 49: Fortigate Training

Topology Viewer

Page: 36

Page 50: Fortigate Training

Command Line Interface (CLI)

Page: 37

Page 51: Fortigate Training

CLI Command Structure

• Commands: config

• Objects: config system

• Branches: config system interface

• Tables: edit port1

• Parameters: set ip 172.20.110.251 255.255.255.0

Page: 38-44

Page 52: Fortigate Training

CLI Basics

• Command help: ?, config ?, config system ?

• Command completion: ? or <tab>; c?; config + <space> + <tab>

• Recalling commands

Page: 45

Page 53: Fortigate Training

CLI Basics

• Editing commands: <CTRL> + <key>

• Line continuation: use \ at the end of each line

• Command abbreviation: get system status can be entered as g sy st

• IP address formats: 192.168.1.1 255.255.255.0 or 192.168.1.1/24

Page: 46

Page 54: Fortigate Training

Administrative Users

• Responsible for configuration and operation
• Default: admin; full read/write control; cannot be renamed; default password blank

• System administrator: assigned the super_admin profile

• Regular administrator: access profile other than super_admin; access configurable

Page: 47

Page 55: Fortigate Training

Interface Addressing

• Number of physical interfaces varies per model
• Interface addresses configurable: static, DHCP, PPPoE

Page: 48-51

Page 56: Fortigate Training

DNS

• Some functions use DNS: alert email, URL blocking, etc.

• Lower-end models can retrieve DNS settings automatically: one interface must use DHCP; can provide DNS forwarding

Page: 52

Page 57: Fortigate Training

Configuration Backup and Restore

• Different locations: local PC, FortiManager, FortiGuard Management Service, USB disk

• Can be encrypted: required to back up VPN certificates

Page: 53

Page 58: Fortigate Training

Firmware Upgrades

• File must be obtained from Fortinet
• Apply upgrade via Web Config, CLI or FortiGuard Management Service

Page: 54

Page 59: Fortigate Training

Lab

• Connecting to Command Line Interface
• Connecting to Web Config
• Configuring Network Connectivity
• Exploring the CLI
• Configuring Global System Settings
• Configuring Administrative Users

Page: 55

Page 60: Fortigate Training

Agenda

• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering

Page 61: Fortigate Training

Lesson 2: FortiGuard Subscription Services

Page 62: Fortigate Training

FortiGuard Subscription Services

• Continuously updated security: antivirus, intrusion protection, web filtering, antispam

• Delivered through the FortiGuard Distribution Network

Page: 75

Page 63: Fortigate Training

FortiGuard Distribution Network

• Secure, high-availability data centers
• Update methods: manual, push, pull; customized frequency

• Devices continuously updated
• Device connects to a FortiGuard Service Point

Page: 75-76

Page 64: Fortigate Training

Connecting to FortiGuard Servers

Figure (built up over slides 64 to 71): the FortiGate resolves service.fortiguard.net through DNS and then connects to FortiGuard Server 1 or FortiGuard Server 2.

Page: 77

Page 72: Fortigate Training

FortiGuard Antivirus Service

• Latest virus defenses: new and evolving viruses, spyware, malware

• Automated updates

Page: 78

Page 73: Fortigate Training

FortiGuard Intrusion Protection System Service

• Latest defenses against network-level threats
• Library of signatures
• Engines: anomaly inspection, deep packet inspection, full content inspection, activity inspection

• Supports behavior-based heuristics

Page: 79

Page 74: Fortigate Training

FortiGuard Web Filtering Service

• Hosted web URL filtering service
• FortiGuard Rating Server: billions of web page addresses; regulate and block harmful, inappropriate and dangerous content

• FortiGuard Web Filtering Service: regulate web activities to meet policy and compliance (CIPA compliance)

Page: 80

Page 75: Fortigate Training

FortiGuard Antispam Service

• Reduce spam at the network perimeter
• Global filters: sender reputation database (FortiIP), spam signature database (FortiSig); constantly updated

• Local filters: banned words, local white and black lists, heuristic rules, Bayesian training (in FortiMail)

Page: 81-82

Page 76: Fortigate Training

FortiGuard Subscription Service Licensing

Page: 83

Page 77: Fortigate Training

Scheduled Updates

• Check for updates at defined times: once every 1 to 23 hours, once a day, once a week

• Must be able to connect to the FortiGuard Distribution Network using HTTPS on port 443; the override server address option may be used

Page: 84

Page 78: Fortigate Training

Push Updates

• FortiGuard Distribution Network notifies FortiGate units with push enabled; the FortiGate then requests the update

• Use push in addition to scheduled updates to receive updates sooner

• If configuring push through a NAT device, configure port forwarding

Page: 85-87

Page 79: Fortigate Training

Manual Updates

• Update antivirus and IPS definitions
• Download definition file
• Copy to the computer used to connect to Web Config

Page: 88

Page 80: Fortigate Training

Caching

• Available for web filtering and antispam
• Improves performance
• Uses a small % of system memory
• Least recently used IP or URL deleted when cache is full
• Time to Live (TTL) controls time in cache

Page: 89

Page 81: Fortigate Training

FortiGuard Web Filtering Categories

• Wide range of categories to filter upon: specify an action for each category (Allow, Block, Log, Allow Override)

• Enabled through protection profile

Page: 90-91

Page 82: Fortigate Training

FortiGuard Antispam Controls

• Filter email based on type: IMAP, POP3, SMTP

• Filtering options enabled through protection profile

Page: 92

Page 83: Fortigate Training

Configuring FortiGuard Using the CLI

• CLI can be used to configure communications with the FortiGuard Distribution Network (override default connection settings)

• config system fortiguard

Page: 93

Page 84: Fortigate Training

FortiGuard Center

• Online knowledge base and resource: spyware, virus, IPS, web filtering, antispam attack library; vulnerabilities; submit spam and dangerous URLs

• Timely threat and vulnerability information, updated around the clock

Page: 94-95

Page 85: Fortigate Training

Lab

• Enabling FortiGuard Services and Updates

Page: 96

Page 86: Fortigate Training

Agenda

• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering

Page 87: Fortigate Training

Lesson 3: Logging and Alerts

Page 88: Fortigate Training

Logging and Alerts

• Track down and pinpoint problems
• Monitor network and Internet traffic
• Monitor normal traffic: establish baselines, identify changes for optimal performance

Page: 101

Page 89: Fortigate Training

Log Storage Locations

• Local hard disk: FortiGate must have a hard disk

• FortiAnalyzer: device for log collection, analysis and storage

• System memory: overwrites older logs when capacity is reached; logs lost when the FortiGate is reset or loses power

• Syslog: forward logs to a remote computer

• FortiGuard Analysis Service: subscription-based web service

Page: 101-105

Page 90: Fortigate Training

Logging Levels

• Emergency: system unstable
• Alert: immediate action required
• Critical: functionality affected
• Error: error condition exists, functionality could be affected
• Warning: functionality could be affected
• Notification: normal event
• Information: general info about system operations
• Debug: primarily used as a support function

Page: 106-107

Page 91: Fortigate Training

Log Types

• Traffic: traffic between source and destination interface; only generated when the session table entry expires

• Event: management activity

• AntiVirus: virus incidents

• Web Filter: web content blocking actions

• Attack: attacks detected and blocked

Page: 108

Page 92: Fortigate Training

Log Types

• AntiSpam: records detected spam

• Data Leak Prevention: records data that matches pre-defined sensitive patterns

• Application Control:

• IM/P2P: records IM and P2P information

• VoIP: logs SCCP violations

• Content: logs metadata

Page: 108-109

Page 93: Fortigate Training

Configuring Logging

• Select location and level
• Enable log generation

• Protection profile: antivirus, web filtering, FortiGuard web filtering, spam filtering, IPS, IM/P2P and VoIP

• Event log: management, system and VPN activities

• Firewall policy: Log Allowed Traffic

Page: 110-114

Page 94: Fortigate Training

Viewing Log Files

• Log&Report > Log Access
• Remote or Memory tabs (Local Disk if available)

• Formatted or Raw view
• Select columns to display
• Filter messages

Page: 115-118

Page 95: Fortigate Training

Content Archiving

• Store session transaction data: HTTP, FTP, NNTP, IM (AIM, ICQ, MSN, Yahoo!), email (POP3, IMAP, SMTP)

• Only available with a FortiAnalyzer unit
• Summary: archives content metadata

• Full: copies of files or email messages

Page: 119-121

Page 96: Fortigate Training

Alert Email

• Send notification upon detection of a defined event
• Requires one DNS server configured
• Up to 3 recipients

Page: 122

Page 97: Fortigate Training

SNMP

• Report system information and forward to SNMP manager
• Access SNMP traps from any FortiGate configured for SNMP
• Read-only implementation
• Fortinet-proprietary MIB available, or use the Fortinet-supported standard MIB

• Add SNMP communities: 8 SNMP managers per community

Page: 123-126

Page 98: Fortigate Training

Lab

• Exploring Web Config Monitoring
• Configuring System Event Logging
• Exploring the FortiAnalyzer Interface
• Configuring Email Alerts
• SNMP Setup (Optional)

Page: 127

Page 99: Fortigate Training

Agenda

• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering

Page 100: Fortigate Training

Lesson 4: Firewall Policies

Page 101: Fortigate Training

Firewall Policies

• Control traffic passing through the FortiGate: what to do with a connection request?

• Packet analyzed, content compared to policy: ACCEPT or DENY

• Source, destination and service must match the policy; the policy directs the action

• Protection profile used with the policy to apply protection settings

• Logging enabled to view connections using the policy

Page: 137

Page 102: Fortigate Training

Policy Matching

• Searches the policy list for a matching policy, based on source and destination

• Starts at the top of the list and searches down for a match; the first match is applied, so arrange policies from more specific to more general

• Policies configured separately for each virtual domain
• Move policies in the list to influence the order evaluated

Page: 138-141
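A small policy-matching simulator, added here as an example (not Fortinet code, and a simplified model of the FortiGate's matching): it walks the list top-down, applies the first match, and flags policies that an earlier, more general policy shadows, which is the mistake the "more specific to more general" rule prevents. The policy fields, names and addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str      # CIDR prefix or "all"
    dstaddr: str      # CIDR prefix or "all"
    service: str      # "ALL" or "<proto>/<port>", e.g. "TCP/80"
    action: str       # "ACCEPT" or "DENY"


def _addr_match(addr: str, ip: str) -> bool:
    """True if the address object covers ip ('all' matches anything)."""
    if addr.lower() == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(addr, strict=False)


def _service_match(service: str, proto: str, port: int) -> bool:
    if service.upper() == "ALL":
        return True
    svc_proto, _, svc_port = service.partition("/")
    return svc_proto.upper() == proto.upper() and int(svc_port) == port


def match_policy(policies, srcintf, dstintf, src_ip, dst_ip, proto, dport):
    """Top-down search: the first policy whose interfaces, addresses and
    service all match is applied. None means no match (implicit deny)."""
    for pol in policies:
        if (pol.srcintf == srcintf and pol.dstintf == dstintf
                and _addr_match(pol.srcaddr, src_ip)
                and _addr_match(pol.dstaddr, dst_ip)
                and _service_match(pol.service, proto, dport)):
            return pol
    return None


def _covers(outer: str, inner: str) -> bool:
    """True if address object `outer` includes every address of `inner`."""
    if outer.lower() == "all":
        return True
    if inner.lower() == "all":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def _service_covers(outer: str, inner: str) -> bool:
    return outer.upper() == "ALL" or outer.upper() == inner.upper()


def shadowed_policies(policies):
    """Names of policies that can never be reached because an earlier policy
    already matches everything they would match."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.srcintf == later.srcintf and earlier.dstintf == later.dstintf
                    and _covers(earlier.srcaddr, later.srcaddr)
                    and _covers(earlier.dstaddr, later.dstaddr)
                    and _service_covers(earlier.service, later.service)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed sample list: a specific DENY for one host above a general ACCEPT.
CORRECT_ORDER = [
    Policy("block-host", "internal", "wan1", "192.168.1.50/32", "all", "ALL", "DENY"),
    Policy("lan-out", "internal", "wan1", "192.168.1.0/24", "all", "ALL", "ACCEPT"),
]
# The same two policies with the general one on top: the DENY is unreachable.
WRONG_ORDER = list(reversed(CORRECT_ORDER))


def decide(policies, src_ip):
    """Outcome for an HTTP request from src_ip to 172.16.1.1 via wan1."""
    pol = match_policy(policies, "internal", "wan1", src_ip, "172.16.1.1", "TCP", 80)
    return pol.action if pol else "DENY (implicit)"


if __name__ == "__main__":
    for label, plist in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, decide(plist, "192.168.1.50"), decide(plist, "192.168.1.7"),
              "shadowed:", shadowed_policies(plist))
```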

Page 103: Fortigate Training

User Authentication to Firewall Policies

• User challenged to identify themselves before using the policy; placed before matching policies that do not require authentication

• Available for policies with action set to ACCEPT, and for SSL VPN

• Authentication methods: username + password, digital certificates, LDAP, RADIUS, TACACS+, Active Directory (FSAE required)

Page: 142

Page 104: Fortigate Training

Authentication Protocols

• Protocol used to issue the authentication challenge is specified
• Firewall policy must include the protocol: HTTP, HTTPS, Telnet, FTP

Page: 142

Page 105: Fortigate Training

Creating Policies

• Source and destination address
• Schedule
• Service
• Action
• NAT
• Options: protection profile, logging, authentication, traffic shaping, disclaimers

Page: 143

Page 106: Fortigate Training

Firewall Addresses

• Added to source and destination address: match source and destination IP address of packets received

• Default of ALL represents any IP address on the network

• Address configured with name, IP address and mask (an FQDN may also be used); the name must be unique

• Groups can be used to simplify policy creation and management

Page: 144-148

Page 107: Fortigate Training

Firewall Schedules

• Control when policies are active or inactive
• One-time schedule: activate or deactivate for a specified period of time

• Recurring schedule: activate or deactivate at specified times of the day or week

Page: 149-150

Page 108: Fortigate Training

Firewall Services

• Determine types of communications accepted or denied
• Predefined services applied to the policy; custom service if not on the predefined list

• Group services to simplify policy creation and management

Page: 151-153

Page 109: Fortigate Training

Network Address Translation (NAT)

• Translate source address and port of packets accepted by policy

Page: 154

Page 110: Fortigate Training

Network Address Translation (NAT)

Page: 154

Figure (built up over slides 110 to 114): a Client at 10.10.10.1 on the internal interface connects through the FortiGate to a Server at 172.16.1.1 on the Internet, via a firewall policy with NAT enabled; wan1 IP is 192.168.2.2.
Original: Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80.
New: Source IP 192.168.2.2, Source Port 30912, Destination IP 172.16.1.1, Destination Port 80.

Page 115: Fortigate Training

Dynamic IP Pool

• Translate source address to an IP address randomly selected from addresses in IP pool

Page: 155

Page 116: Fortigate Training

Dynamic IP Pool

Page: 155

Figure (built up over slides 116 to 120): Client 10.10.10.1 (internal) to Server 172.16.1.1 (Internet) through a firewall policy with NAT + IP Pool; IP Pool on wan1: 172.16.12.12-172.16.12.12.
Original: Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80.
New: Source IP 172.16.12.12, Source Port 30957, Destination IP 172.16.1.1, Destination Port 80.

Page 121: Fortigate Training

Fixed Port

• Prevent NAT from translating the source port: some applications do not function correctly if the source port is translated

• If Dynamic Pool is not enabled, a policy with Fixed Port can only allow one connection to that service at a time

Page: 156

Page 122: Fortigate Training

Fixed Port

Page: 156

Figure (built up over slides 122 to 126): Client 10.10.10.1 (internal) to Server 172.16.1.1 (Internet) through a firewall policy with NAT + IP Pool + Fixed Port; IP Pool on wan1: 172.16.12.12-172.16.12.12.
Original: Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80.
New: Source IP 172.16.12.12, Source Port 1025 (unchanged), Destination IP 172.16.1.1, Destination Port 80.
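Added example (not Fortinet code): a simplified session-table model of the source NAT behaviour shown in the NAT, Dynamic IP Pool and Fixed Port slides, including the mapping of replies back to the client. The wan1 address 192.168.2.2, the pool address 172.16.12.12 and the client/server addresses come from the figures; the second client, the sequential port choice and the rule that a translated 5-tuple must be unique are assumptions of this model, used to show why the fixed-port caveat bites.

```python
import random
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

    def key(self) -> Tuple[str, int, str, int, str]:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


@dataclass(frozen=True)
class NatPolicy:
    nat: bool = True                 # NAT option on the firewall policy
    intf_ip: str = "192.168.2.2"     # wan1 address, used when no IP pool is set
    ip_pool: Tuple[str, ...] = ()    # dynamic IP pool; empty means "use intf_ip"
    fixed_port: bool = False         # keep the client's source port unchanged


class SessionTable:
    """Tracks original -> translated 5-tuples for source NAT and maps replies back."""

    def __init__(self, first_port: int = 30912, seed: int = 0):
        self._fwd = {}                  # original key -> translated Packet
        self._rev = {}                  # translated key -> original Packet
        self._next_port = first_port    # stand-in for the unit's ephemeral port choice
        self._rng = random.Random(seed)  # pool address is picked at random (seeded here)

    def translate(self, pkt: Packet, pol: NatPolicy) -> Optional[Packet]:
        """Apply the policy's NAT to an outbound packet. Returns the translated
        packet, or None when a new session cannot be created."""
        if pkt.key() in self._fwd:              # existing session: reuse its mapping
            return self._fwd[pkt.key()]
        if not pol.nat:
            return pkt                          # no source translation at all
        src_ip = self._rng.choice(pol.ip_pool) if pol.ip_pool else pol.intf_ip
        if pol.fixed_port:
            candidate = Packet(src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            if candidate.key() in self._rev:
                # Another client already owns this translated tuple, so a reply
                # could not be mapped back unambiguously: the connection is
                # refused. With one address and no port translation, only one
                # such connection to the service can exist at a time.
                return None
        else:
            while True:                         # pick a free translated port
                candidate = Packet(src_ip, self._next_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
                self._next_port += 1
                if candidate.key() not in self._rev:
                    break
        self._fwd[pkt.key()] = candidate
        self._rev[candidate.key()] = pkt
        return candidate

    def untranslate_reply(self, reply: Packet) -> Optional[Packet]:
        """Map a reply (server -> translated address) back to the original client."""
        orig = self._rev.get((reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port, reply.proto))
        if orig is None:
            return None                         # no session: reply is not forwarded
        return Packet(reply.src_ip, reply.src_port, orig.src_ip, orig.src_port, reply.proto)


# Constructed sample traffic using the addresses from the slides' figures.
CLIENT_A = Packet("10.10.10.1", 1025, "172.16.1.1", 80)
CLIENT_B = Packet("10.10.10.2", 1025, "172.16.1.1", 80)   # same source port as A


def demo(fixed_port: bool, pool: Tuple[str, ...]):
    """Push both clients through one policy; return the two translated packets."""
    table = SessionTable()
    pol = NatPolicy(ip_pool=pool, fixed_port=fixed_port)
    return table.translate(CLIENT_A, pol), table.translate(CLIENT_B, pol)


if __name__ == "__main__":
    print("NAT, port translated:  ", demo(False, ()))
    print("Pool + fixed port:     ", demo(True, ("172.16.12.12",)))
```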

Page 127: Fortigate Training

Virtual IPs

• Allow connections using NAT firewall policies
• Addresses in packets are remapped and forwarded; the client address does not appear in the packet the server receives

• Upon reply, the session table is used to determine what the destination address should be mapped to

Page: 157-158

Page 128: Fortigate Training

DNAT

• NAT not selected in the firewall policy: the policy performs destination network address translation (DNAT)

• Accepts a packet from the external network intended for a specific address and translates the destination address to an IP on another network

Page: 159

Page 129: Fortigate Training

DNAT

Page: 159

Figure (built up over slides 129 to 133): wan1 faces the Internet, where a Client at 10.10.10.1 and a Server at 10.10.10.2 sit; the dmz interface serves a Server at 192.168.1.100. A firewall policy with Destination Address set to a VIP (Static NAT, interface wan1, address 172.16.1.1 mapped to 192.168.1.100) handles the inbound connection.
Original: Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80.
New: Source IP 172.16.12.12, Source Port 1025, Destination IP 192.168.1.100, Destination Port 80.

Figure (built up over slides 134 to 138): the same topology with a firewall policy with NAT for the outbound connection from the dmz server.
Original: Source IP 192.168.1.100, Source Port 1025, Destination IP 10.10.10.2, Destination Port 80.
New: Source IP 172.16.1.1, Source Port 1025, Destination IP 10.10.10.2, Destination Port 80.

Page 139: Fortigate Training

Server Load Balancing

• Dynamic one-to-many NAT mapping
• External IP address translated to a mapped IP address determined by the load balancing algorithm

• External IP address not always translated to the same mapped IP address

Page: 160

Page 140: Fortigate Training

Server Load Balancing

Page: 160

[Figure: clients 10.10.10.1, 10.10.10.2 and 10.10.10.3 reach the FortiGate wan1 interface across the Internet; the servers sit behind the dmz interface. A firewall policy with destination address VIP uses the VIP "ServerLB" on interface Wan1 with external address 172.16.1.1, mapped to 192.168.1.100, 192.168.1.101 and 192.168.1.200.]

Original: Source IP 10.10.10.3, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
New: Source IP 10.10.10.3, Source Port 1025, Destination IP 192.168.1.200, Destination Port 80
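The one-to-many mapping from the server load balancing slides above, as an added simulation that is not part of the course material. It uses the addresses from the figure (VIP 172.16.1.1:80 on wan1, real servers 192.168.1.100, .101 and .200); the round-robin choice and the session table keyed on the client address are this simulation's own design, not FortiGate's actual scheduler.

```python
"""Simulation of a server-load-balance VIP (added example, not Fortinet code).
A VIP presents one external address and maps each new session onto one of
several real servers; packets of the same session keep the same server, and
replies are translated back so the client only ever sees the external address."""
from dataclasses import dataclass, replace
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ServerLoadBalanceVIP:
    """Dynamic one-to-many NAT: destination ext_ip:ext_port becomes one of the
    mapped servers, chosen for each new session by the load-balancing algorithm
    (round-robin is assumed here)."""

    def __init__(self, ext_ip, ext_port, mapped_ips):
        self.ext_ip = ext_ip
        self.ext_port = ext_port
        self._next_server = cycle(mapped_ips)
        # Session table: (client ip, client port) -> real server chosen for it.
        self.sessions = {}

    def translate_inbound(self, pkt):
        """Client -> server direction. Returns the rewritten packet, or the
        packet unchanged when it is not addressed to the VIP."""
        if (pkt.dst_ip, pkt.dst_port) != (self.ext_ip, self.ext_port):
            return pkt
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.sessions:
            # New session: the algorithm picks a server; the external IP is
            # therefore not always translated to the same mapped address.
            self.sessions[key] = next(self._next_server)
        return replace(pkt, dst_ip=self.sessions[key])

    def translate_reply(self, pkt):
        """Server -> client direction: restore the external address."""
        key = (pkt.dst_ip, pkt.dst_port)
        if self.sessions.get(key) == pkt.src_ip:
            return replace(pkt, src_ip=self.ext_ip)
        return pkt


def demo():
    vip = ServerLoadBalanceVIP("172.16.1.1", 80,
                               ["192.168.1.100", "192.168.1.101", "192.168.1.200"])
    # The slide's "Original" packet: client 10.10.10.3 talking to the VIP.
    original = Packet("10.10.10.3", 1025, "172.16.1.1", 80)
    first = vip.translate_inbound(original)   # new session -> first server
    again = vip.translate_inbound(original)   # same session -> same server
    # Two further sessions from the same client land on the other servers;
    # the third one reproduces the slide's "New" packet (-> 192.168.1.200).
    second = vip.translate_inbound(Packet("10.10.10.3", 1026, "172.16.1.1", 80))
    third = vip.translate_inbound(Packet("10.10.10.3", 1027, "172.16.1.1", 80))
    # Reply from the first session's server, translated back on the way out.
    reply = vip.translate_reply(Packet(first.dst_ip, 80, "10.10.10.3", 1025))
    return first, again, second, third, reply


if __name__ == "__main__":
    for label, pkt in zip(("first", "again", "second", "third", "reply"), demo()):
        print(f"{label:6} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```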

Page 146: Fortigate Training

Protection Profiles

• Control all content filtering
• Group of protection settings applied to traffic
  Types and levels of protection customized for each policy
• Enables settings for:
  Protocol Recognition
  Anti-Virus
  IPS
  Web Filtering
  Spam Filtering
  Data Leak Prevention Sensor
  Application Control
  Logging

Page: 161

Page 147: Fortigate Training

Default Protection Profiles

• Strict
  Maximum protection
• Scan
  Applies virus scanning to HTTP, FTP, IMAP, POP3, SMTP
• Web
  Applies virus scanning and web content blocking to HTTP
• Unfiltered
  No scanning, blocking or IPS

Page: 162-172

Page 148: Fortigate Training

Traffic Shaping

• Control bandwidth available to traffic processed by firewall policy
  Which policies have higher priority?
• Improve quality of bandwidth-intensive traffic
  Does NOT increase total bandwidth available

Page: 173

Page 149: Fortigate Training

Token Bucket Filter

• Dampening function
  Delays traffic by buffering bursts
  Does not schedule traffic
• Configured rate is never exceeded

Page: 174

Page 150: Fortigate Training

Token Bucket Filter Mechanism

• Bucket has specified capacity
  Tokens added to bucket at mean rate
• If bucket fills, new tokens discarded
• Bucket requests number of tokens equal to packet size
• If not enough tokens in bucket, packet buffered
• Flow will never send packets more quickly than capacity of the bucket
• Overall transmission rate does not exceed rate tokens placed in bucket

Page: 175

Page 151: Fortigate Training

Token Bucket Filter Mechanism

Page: 175

[Figure: end users send data packets toward the destination network through the FortiGate unit; a regulator draws tokens from the token bucket for each packet, and packets the bucket cannot yet pay for wait in a buffer.]
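The token bucket mechanism from the slides above, as an added discrete-time simulation that is not part of the course material. Capacity, mean rate, buffer size and the traffic pattern are constructed values (bytes per tick); refilling the bucket before releasing packets within a tick, and a buffer limit counted in packets, are this simulation's own choices.

```python
"""Token bucket filter simulation (added example, not Fortinet code).
Tokens arrive at the mean rate up to the bucket capacity; each packet needs
tokens equal to its size, waits in a finite buffer when the bucket is short,
and is dropped when the buffer is full (the slides' physical buffering limit)."""
from collections import deque


class TokenBucketShaper:
    def __init__(self, capacity, rate, buffer_limit):
        self.capacity = capacity          # max tokens the bucket can hold (bytes)
        self.rate = rate                  # tokens added per tick (mean rate)
        self.buffer_limit = buffer_limit  # max packets that can wait (constructed)
        self.tokens = capacity            # bucket starts full: one burst allowed
        self.buffer = deque()
        self.dropped = 0

    def tick(self, arrivals):
        """Advance one tick: add tokens, queue arrivals, then release whatever
        the bucket can pay for. Returns the sizes of the packets sent now."""
        # Tokens arrive at the mean rate; when the bucket is full the surplus
        # is discarded, so unused capacity never accumulates beyond `capacity`.
        self.tokens = min(self.capacity, self.tokens + self.rate)
        for size in arrivals:
            if len(self.buffer) < self.buffer_limit:
                self.buffer.append(size)
            else:
                self.dropped += 1         # buffer exhausted: packet is lost
        sent = []
        # The head-of-line packet requests tokens equal to its size; if the
        # bucket cannot cover it, it (and everything behind it) keeps waiting.
        while self.buffer and self.buffer[0] <= self.tokens:
            size = self.buffer.popleft()
            self.tokens -= size
            sent.append(size)
        return sent


def run(shaper, schedule):
    """Feed a per-tick arrival schedule through the shaper and return the
    number of bytes released in each tick."""
    return [sum(shaper.tick(arrivals)) for arrivals in schedule]


def demo():
    # 1500-byte packets; bucket holds 3000 tokens, refills 1500 per tick,
    # and at most 4 packets can wait in the buffer.
    shaper = TokenBucketShaper(capacity=3000, rate=1500, buffer_limit=4)
    # Constructed burst: six packets arrive in tick 0, then nothing.
    schedule = [[1500] * 6] + [[]] * 5
    sent = run(shaper, schedule)
    # The burst is smoothed to the configured rate: 2 packets leave at once
    # (the full bucket), 2 are delayed one tick each, and 2 are dropped
    # because the buffer only holds 4.
    return sent, shaper.dropped


if __name__ == "__main__":
    sent, dropped = demo()
    print("bytes sent per tick:", sent, "dropped packets:", dropped)
```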

Page 157: Fortigate Training

Traffic Shaping Considerations

• Attempt to normalize traffic peaks
  Prioritize certain flows over others
• Physical limitation to how much data can be buffered
  Packets may be dropped, sessions affected
• Performance on one traffic flow may be sacrificed to guarantee performance on another
• Not effective in high-traffic situations
  Where traffic exceeds FortiGate unit’s capacity
  Packets must be received before they can be shaped
• If shaping not applied to policy, default is high priority

Page: 176-177

Page 158: Fortigate Training

Disclaimers

• Accept disclaimer before connecting
• Use with authentication or protection profile
• Can redirect to a URL after authentication

Page: 178

Page 159: Fortigate Training

Lab

• Creating Firewall Policy Objects
• Configuring Firewall Policies
• Testing Firewall Policies
• Configuring Virtual IP Access
• Debug Flow

Page: 179

Page 161: Fortigate Training

Lesson 5: Basic VPN

Page 162: Fortigate Training

Virtual Private Networks (VPN)

• Use public network to provide access to private network
• Confidentiality and integrity of data
• Authentication, encryption and restricted access

Page: 195

Page 163: Fortigate Training

FortiGate VPN

• Secure Socket Layer (SSL) VPN
  Access through web browser
• Point-to-Point Tunneling Protocol (PPTP)
  Windows standard
• Internet Protocol Security (IPSec) VPN
  Dedicated VPN software required
  Well suited for legacy applications (not web-based)

Page: 195-196

Page 164: Fortigate Training

SSL VPN Operating Modes

• Web-only mode
  Web browser only
  Secure connection between browser and FortiGate unit
  FortiGate acts as gateway
    • Authenticates users
• Tunnel mode
  VPN software downloaded as ActiveX control
  FortiGate unit assigns client IP address from range of reserved addresses

Page: 197-199

Page 165: Fortigate Training

User Accounts

• Must have user account assigned to SSL VPN user group
• Users must authenticate
  Username + Password
  RADIUS
  TACACS+
  LDAP
  Digital certificates
• User group provides access to firewall policy
• Split tunneling available
  Only traffic destined for tunnel routed over VPN

Page: 200-202

Page 166: Fortigate Training

Web-Only Configuration

• Enable SSL VPN
• Create user accounts
  Assign to user group
• Create firewall policy
• Set up logging (optional)

Page: 204

Page 167: Fortigate Training

Tunnel Mode Configuration

• Enable SSL VPN
• Specify tunnel IP range
• Create user group
• Create firewall policy

Page: 205

Page 168: Fortigate Training

SSL VPN Settings

• Tunnel IP Range
  Reserve range of IPs for SSL VPN clients
• Server Certificate, Require Client Certificate
  Certificates must be installed
• Encryption Key Algorithm
• Idle Time-out
• Client Authentication Time-Out
  CLI only
• Portal Message
• Advanced
  DNS and WINS Servers

Page: 206-208

Page 169: Fortigate Training

Firewall Policies

• At least one SSL VPN firewall policy required
• Specify originating IP address
• Specify IP address of intended recipient or network
• Configuration steps:
  Specify source and destination IP address
  Specify level of encryption
  Specify authentication method
  Bind user group to policy

Page: 209

Page 170: Fortigate Training

Firewall Addresses

• Web-only mode
  Predefined source address of ALL
  Destination IP address where remote client needs to access
    • Entire private network, range of private IPs, private IP of host
• Tunnel mode
  Source is range of IP addresses that can be connected to FortiGate
    • Restrict who can access FortiGate
  Destination IP address where remote client needs to access
    • Entire private network, range of private IPs, private IP of host

Page: 209

Page 171: Fortigate Training

Configuring Web-Only Firewall Policies

• Specify destination IP address
  Name
  Type
  Subnet/IP range
  Interface
• Define policy
  Action: SSL-VPN
  Add user group

Page: 210-212

Page 172: Fortigate Training

Configuring Tunnel-Mode Firewall Policies

• Specify source IP addresses
  Addresses that can connect to FortiGate
• Specify destination IP address
  Addresses clients need to access
• Specify level of encryption
• Specify authentication type
• Bind user group to policy
• ssl.root

Page: 213-218

Page 173: Fortigate Training

SSL VPN Bookmarks

• Hyperlinks to frequently accessed applications
  Web-only mode
• FortiGate forwards connection request to servers
• VPN > SSL > Portal

Page: 219-221

Page 174: Fortigate Training

Connecting to the SSL VPN

• https://<FortiGate_IP_address>:10443
  Port customizable
• SSL-VPN Web Portal page displayed
  Bookmarks
• What appears is pre-determined by administrator’s settings in User > User Group and VPN > SSL > Portal > Settings

Page: 222

Page 175: Fortigate Training

Connecting to the SSL VPN

Page: 222

Page 176: Fortigate Training

Connecting to the SSL VPN

Page 177: Fortigate Training

PPTP VPN

• Point-to-Point Protocol (PPP) authentication protocol
  PPP software operates on tunneled links
• Encapsulates PPP packets within IP packets
  Not cryptographically protected
• PPTP packets not authenticated or integrity protected
• FortiGate unit assigns client IP address from reserved range
  Assigned IP used for duration of connection
• FortiGate unit disassembles PPTP packet and forwards to correct computer on internal network

Page: 223

Page 178: Fortigate Training

PPTP VPN

• FortiGate unit can act as PPTP server
• FortiGate unit can forward PPTP packets to PPTP server

Page: 224

Page 179: Fortigate Training

FortiGate Unit as PPTP Server

Page: 224

[Figure: PPTP clients on the Internet connect to the FortiGate unit, which terminates the tunnels and connects them to the internal network.]

Page 180: Fortigate Training

FortiGate Unit Forwards Traffic to PPTP Server

Page: 225

[Figure: PPTP clients on the Internet connect through the FortiGate unit to a PPTP server on the internal network.]

Page 181: Fortigate Training

PPTP Server Configuration

• Configure user authentication for PPTP clients
• Enable PPTP on FortiGate unit
• Configure PPTP server
• Configure client

Page: 226

Page 182: Fortigate Training

PPTP Pass-Through Configuration

• Configuration required to forward PPTP packets to PPTP server
• Define virtual IP that points to PPTP server
• Configure firewall policy
• Configure client

Page: 227

Page 183: Fortigate Training

IPSec VPN

• Industry standard set of protocols
• Layer 3
  Applications do not need to be designed to use IPSec
• IP packets encapsulated in IPSec packets
  Header of new packet refers to end point of tunnel
• Phase 1
  Establish connection
  Authenticate VPN peer
• Phase 2
  Establish tunnel

Page: 228

Page 184: Fortigate Training

IPSec Protocols

• Authentication Header (AH)
  Authenticate identity of sender
  Integrity of data
  Entire packet signed
• Encapsulating Security Payload (ESP)
  Encrypts data
  Signs data only

Page: 229

Page 185: Fortigate Training

Authentication Header (AH)

Page: 229

[Figure: AH packet layout: Original IP Header | Authentication Header | TCP Header | Data. The entire packet is authenticated.]

Page 186: Fortigate Training

Encapsulating Security Payload (ESP)

Page: 229

[Figure: ESP packet layout (tunnel mode): New IP Header | ESP Header | Original IP Header | TCP Header | Data | ESP Trailer | ESP Authentication Trailer, with the encrypted portion and the authenticated portion marked.]

Page 187: Fortigate Training

Modes of Operation

• Tunnel mode
  Entire IP packet encrypted and/or authenticated
  Packet then encapsulated for routing
• Transport mode
  Only data in packet encrypted and/or authenticated
  Header not modified or encrypted

Page: 230

Page 188: Fortigate Training

Security Association (SA)

• Defines bundle of algorithms and parameters
  Encrypt and authenticate one-directional data flow
• Agreement between two computers about the data exchanged and protected

Page: 230

Page 189: Fortigate Training

Internet Key Exchange (IKE)

• Allows two parties to set up SAs
  Secret keys
• Uses Internet Security Association Key Management Protocol (ISAKMP)
  Framework for establishing SAs
• Two distinct phases
  Phase 1
  Phase 2

Page: 231

Page 190: Fortigate Training

Phase 1

• Authenticate computer involved in transaction
• Negotiate SA policy between computers
• Perform Diffie-Hellman key exchange
• Set up secure tunnel
• Main mode (three exchanges)
  Algorithms used agreed upon
  Generate secret keys and nonces
  Other side’s identity verified
• Aggressive mode (one exchange)
  Everything needed to complete exchange

Page: 231

Page 191: Fortigate Training

Phase 2

• Negotiate SA parameters to set up secure tunnel
• Renegotiate SAs regularly

Page: 232

Page 192: Fortigate Training

Gateway-to-Gateway Configuration

• Tunnel between two separate private networks
• All traffic encrypted by firewall policies
• FortiGate units at both ends must be in NAT/Route mode

Page: 234

Page 193: Fortigate Training

Gateway-to-Gateway Configuration

Page: 234

[Figure: Site 1 behind FortiGate 1 and Site 2 behind FortiGate 2, connected across the Internet.]

Page 194: Fortigate Training

Gateway-to-Gateway Configuration

• FortiGate receives connection request from remote peer
  Uses IPSec phase 1 parameters
    • Establish secure connection
    • Authenticate peer
• If policy permits, tunnel established
  Uses IPSec phase 2 parameters
  Applies policy
• Configuration steps
  Define phase 1 parameters
  Define phase 2 parameters
  Create firewall policies

Page: 234

Page 195: Fortigate Training

Defining Phase 1 Parameters

Page: 235-236

Page 196: Fortigate Training

Authenticating the FortiGate Unit

• Authenticate itself to remote peers
• Pre-shared key
  All peers must use same key
• Digital certificates
  Must be installed on peer and FortiGate

Page: 237-238

Page 197: Fortigate Training

Authenticating Remote Clients

• Permit access using trusted certificates
  FortiGate configured for certificate authentication
• Permit access using peer identifier
• Permit access using pre-shared key
  Each peer or client must have user account
• Permit access using peer identifier and pre-shared key
  Each peer or client must have user account

Page: 239

Page 198: Fortigate Training

XAuth Authentication

• Separate exchange at end of phase 1
  Increased security
• Draws on existing FortiGate user group definitions
• FortiGate can be XAuth server or XAuth client

Page: 239

Page 199: Fortigate Training

IKE Negotiation Parameters

Page: 240-242

Page 200: Fortigate Training

Defining Phase 2 Parameters

Page: 243-246

Page 201: Fortigate Training

Firewall Policies

• Policies needed to control services and direction of traffic
• Firewall addresses needed for each private network
• Policy-Based VPN
  Specify interface to private network, remote peer and VPN tunnel
  Single policy for inbound, outbound or both directions
• Route-Based VPN
  Requires ACCEPT policy for each direction
  Creates virtual IPSec interface on interface connecting to remote peer

Page: 247-250

Page 202: Fortigate Training

Lab

• Configuring SSL VPN for Full Access (Web Portal and Tunnel Mode)

• Configuring a Basic Gateway-to-Gateway VPN

Page: 251

Page 204: Fortigate Training

Lesson 6: Authentication

Page 205: Fortigate Training

Authentication

• User or administrator prompted to identify themselves
  Only allowed individuals perform actions
• Can be configured for:
  Any firewall policy with action of ACCEPT
  PPTP and L2TP VPNs
  Dial-up IPSEC VPN set up as XAuth server
  Dial-up VPN accepting user group as peer ID

Page: 263

Page 206: Fortigate Training

Authentication Methods

• Local user
  User names and passwords used to authenticate stored on FortiGate
• Remote
  Use existing systems to authenticate
    • RADIUS
    • LDAP
    • PKI
    • Windows Active Directory
    • TACACS+

Page: 264-265

Page 207: Fortigate Training

Users and User Groups

• Authentication based on user groups
  User created
  User added to groups
• User
  Account created on FortiGate or external authentication server
• User group
  Users or servers as members
  Specify allowed groups for each resource requiring authentication
  Group associated with protection profile

Page: 266-267

Page 208: Fortigate Training

User Group Types

• Firewall
  Access to firewall policy that requires authentication
  FortiGate requests user name and password (or certificate)
• Directory Service
  Allow access to users in DS groups already authenticated
    • Single sign on
  Requires FSAE
• SSL VPN
  Access to firewall policy that requires SSL VPN authentication

Page: 268-270

Page 209: Fortigate Training

Authentication overrides

• Require access to blocked site
  Override block for period of time
• Link to authenticate presented

Page: 271

Page 210: Fortigate Training

Authentication Settings

Page: 272

Page 211: Fortigate Training

PKI Authentication

• Valid certificate required
• SSL used for secure connection
• Trusted certificates installed on FortiGate and client

Page: 273

Page 212: Fortigate Training

RADIUS Authentication

• User credentials sent to RADIUS server for authentication
• Shared key used to encrypt data exchanged
• Primary and secondary servers identified on FortiGate unit

Page: 274

Page 213: Fortigate Training

LDAP Authentication

• User credentials sent to LDAP server for authentication
• LDAP server details identified on FortiGate

Page: 275

Page 214: Fortigate Training

TACACS+ Authentication

• User credentials sent to TACACS+ server for authentication
• Choice of authentication types:
  Auto, ASCII, PAP, CHAP, MSCHAP

Page: 276

Page 215: Fortigate Training

Microsoft Active Directory Authentication

• Transparently authenticate users
  Fortinet Server Authentication Extensions (FSAE) passes authentication information to FortiGate
  Sign in once to Windows, no authentication prompts from FortiGate

Page: 277

Page 216: Fortigate Training

FSAE Components

• Domain Controller Agent
  Installed on every domain controller
  Monitors user logons, sends to Collector Agent
• Collector Agent
  Installed on at least one domain controller
  Sends information collected to FortiGate

Page: 278

Page 217: Fortigate Training

FSAE Configuration on Microsoft AD

• Configure Microsoft AD user groups
  All members of a group have same access level
  FSAE only sends Domain Local Security Group and Global Security Group to FortiGate
• Configure Collector Agent settings
  Domain controllers to monitor
    • Global Ignore list
      Exclude system accounts
    • Group filters
      Control logon information sent to FortiGate

Page: 279-280

Page 218: Fortigate Training

FSAE Configuration on FortiGate

• Configure Collector Agents
  FortiGate to access at least one collector agent
  Up to five can be listed
• Configure user groups
  AD groups added to FortiGate user groups
• Configure firewall policy
• Allow guests
  Users not listed in AD
  Protection profile for FSAE firewall policy

Page: 281

Page 219: Fortigate Training

Labs

• Firewall Policy Authentication
• Adding User Disclaimers and Redirecting URLs

Page: 282

Page 221: Fortigate Training

Lesson 7: Antivirus

Page 222: Fortigate Training

Antivirus

• Detect and eliminate viruses, worms and spyware
• Scan HTTP and FTP traffic
• Scan SMTP, POP3, IMAP

Page: 289

Page 223: Fortigate Training

Antivirus Elements

• File filter
  File pattern and file type recognition
• Virus scan
  Virus definitions kept up-to-date through FortiGuard Subscription Services
• Grayware
• Heuristics
  Detect virus-like behavior

Page: 289-290

Page 224: Fortigate Training

File Filter

• File pattern
  Name, extension or pattern
  Built-in patterns or custom
• File type
  Analyze file to determine type
  Types pre-configured
• Actions
  Allow
  Block
    • Replacement message sent

Page: 291

Page 225: Fortigate Training

Enabling File Filtering

Page: 292

Page 226: Fortigate Training

File Name Pattern Filtering

Page: 295

Page 227: Fortigate Training

File Type Filtering

Page: 296

Page 228: Fortigate Training

File Pattern Filtering

Page: 297

Page 229: Fortigate Training

Virus Scan

• Virus definitions used to detect and eliminate threats
  Updated regularly
  FortiGuard Subscription Services license required

Page: 298

Page 230: Fortigate Training

Updating Antivirus Definitions

Page: 299

Page 231: Fortigate Training

Grayware

• Unsolicited commercial software
  Often installed without consent
• Scans for grayware in enabled categories
  Categories and content updated regularly

Page: 300

Page 232: Fortigate Training

Grayware Categories

• Adware
  Pop-up advertising content
• Browser Helper Objects
  Add capabilities to browser
• Dialers
  Unwanted calls through modem or Internet connection
• Downloaders
  Retrieve files
• Games
• Hacker Tools
  Subvert network and host security

Page: 301-303

Page 233: Fortigate Training

Grayware Categories

• Hijackers
  Manipulate settings
• Jokes
• Key loggers
  Log input for later retrieval
• Misc
  Uncategorized (multiple functionalities)
• NMT (Network Management Tool)
  Cause network disruption
• P2P
  File exchanges containing viruses

Page: 301-303

Page 234: Fortigate Training

Grayware Categories

• Plugins
  Add additional features to an existing application
• Remote Administration Tools (RAT)
  Remotely change or monitor a computer on a network
• Toolbars
  Augment capabilities of browser

Page: 301-303

Page 235: Fortigate Training

Spyware

• Component of adware
  Track user activities online
  Report activities to central server
  Target advertising based on online habits

Page: 304-305

Page 236: Fortigate Training

Quarantine

• Quarantine blocked or infected files
  FortiGate unit with hard drive
  FortiAnalyzer
• Files uploaded to Fortinet for analysis

Page: 306-307

Page 237: Fortigate Training

Proxies

• Intercepts all connection requests and responses
• Buffers and scans response before flushing to client
• Splicing
  Prevent client from timing out
  Server sends part of response to client while buffering
  Final part sent if response is clean
  FTP uploads, email protocols (SMTP, POP3, IMAP)
• Client comforting
  Prevent timeout while files buffered and scanned by FortiGate
  Can provide visual status to user that progress being made
  HTTP and FTP downloads

Page: 308

Page 238: Fortigate Training

Scanning Options

Page: 309-310

Page 239: Fortigate Training

Lab

• Configuring Global Antivirus Settings
• Configuring a Protection Profile
• Testing Protection Profile Settings for HTTP/FTP Antivirus Scanning

Page: 311

Page 241: Fortigate Training

Lesson 8: Spam Filtering

Page 242: Fortigate Training

Spam Filtering

• Manage unsolicited bulk email
  Detect spam messages
  Identify transmissions from known/suspected spam servers

Page: 321

Page 243: Fortigate Training

Spam Filtering Methods

• IP address check
  Verify source IP address against list of known spammers
• URL check
  Extract URLs and verify against list of spam sources
• Email checksum check
  Calculate checksum of message and verify against list of known spam messages
• Spam submission
  Inform FortiGuard
• Black/White list
  Check incoming IP and email addresses against known list
  SMTP only

Page: 322-323

Page 244: Fortigate Training

Spam Filtering Methods

• HELO DNS lookup
  Check source domain name against registered IP address in DNS
• Return email DNS check
  Check incoming return address domain against registered IP in DNS
• Banned word
  Check email against banned word list
• MIME headers check
  Check MIME headers against list
• DNSBL and ORDBL
  Check email against configured servers

Page: 322-323

Page 245: Fortigate Training

FortiGuard Antispam Global Filters

• FortiIP sender IP reputation database
  Reputation of IP based on properties related to address
    • Email volume from a sender
      Compare sender’s recent volume with historical pattern
• FortiSig spam signature database
  FortiSig1: Spamvertised URLs
  FortiSig2: Spamvertised email addresses
  FortiSig3: Spam checksums
• FortiRule
  Heuristic rules
  FortiMail only

Page: 324-325

Page 246: Fortigate Training

Customized Filters

• Complement FortiGuard
• Banned word lists
• Local black/white list
• Heuristic rules
• Bayesian
  FortiMail only

Page: 325

Page 247: Fortigate Training

Enabling Antispam

Page: 326

Page 248: Fortigate Training

Spam Actions

• Tag or discard spam email
  Add custom text to subject or insert MIME header and value
• Only discard if SMTP and virus check enabled
• Spam actions logged

Page: 327

Page 249: Fortigate Training

Banned Word

• Block messages containing specific words or patterns
  Values assigned to matches
  If threshold exceeded, messages marked as spam
• Perl regular expressions and wildcards can be used

Page: 328-334

Page 250: Fortigate Training

Black/White List

• IP address filtering
  Compare IP address of sender to IP address list
  If match, action is taken
• Email address filtering
  Compare email address of sender to email address list
  If match, action is taken

Page: 335

Page 251: Fortigate Training

Configuring IP Address List

Page: 336-338

Page 252: Fortigate Training

Configuring Email Address List

Page: 339-342

Page 253: Fortigate Training

MIME Headers Check

• MIME headers added to email
  Describe content type and encoding
• Malformed headers can fool spam or virus filters
• Compare MIME header key-value of incoming email to list
  If match, action is taken

Page: 343

Page 254: Fortigate Training

DNSBL and ORDBL

• Published lists of suspected spammers
• Add subscribed servers
  Define action

Page: 344

Page 255: Fortigate Training

FortiMail Antispam

• Enhanced set of features for detecting and blocking spam
  Some techniques not available in FortiGate
• Stand-alone antispam system
  Can be second layer in addition to FortiGate
• Legacy virus protection
• Email quarantine

Page: 345

Page 257: Fortigate Training

Lesson 9: Web Filtering

Page 258: Fortigate Training

Web Filtering

• Process web content to block inappropriate or malicious content
• Categorized content
  76 categories
  40 million domains
  Billions of web pages
  Automated updates
• Check web addresses against list
• Customizable

Page: 349

Page 259: Fortigate Training

Order of Filtering

• URL Filtering
  Exempt, Block, Allow
• FortiGuard Web Filtering
• Content Exempt
  Customizable
• Content Block
  Customizable
• Script Filter

Page: 349

Page 260: Fortigate Training

Web Content Block

• Block specific words or patterns
  Score assigned to pattern
  Page blocked if greater than threshold
  Perl regular expressions or wildcards can be used

Page: 350-353
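The scoring described for the antispam banned word list (Page 249) and for the web content block above, as an added example that is not part of the course material. The pattern list, scores, threshold and sample texts are constructed; wildcards are translated to regular expressions here, and counting each matching pattern once per message or page is this example's simplification.

```python
"""Banned word / content block scoring (added example, not Fortinet code).
Each pattern carries a score; the scores of all matching patterns are summed
and the message or page is blocked only when the total exceeds the threshold.
Patterns are either wildcards (* and ?) or Perl-style regular expressions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BannedPattern:
    pattern: str
    score: int
    kind: str = "wildcard"      # "wildcard" or "regex"

    def compiled(self):
        if self.kind == "regex":
            return re.compile(self.pattern, re.IGNORECASE)
        # Wildcard: * matches any run of word characters, ? exactly one; the
        # match must start and end on a word boundary so that "carefree" does
        # not trip "free*" while "freedom" does.
        parts = re.split(r"([*?])", self.pattern)
        body = "".join({"*": r"\w*", "?": r"\w"}.get(p, re.escape(p)) for p in parts)
        return re.compile(r"\b" + body + r"\b", re.IGNORECASE)


# Constructed sample list: a score is assigned to each pattern.
BANNED = [
    BannedPattern("free*", 10),
    BannedPattern("cl?ck here", 15),
    BannedPattern(r"\$\d{2,}", 20, kind="regex"),   # a dollar amount of 2+ digits
    BannedPattern("unsubscribe", 5),
]
THRESHOLD = 30

# Constructed sample texts.
SPAM = "FREE money!! Click here to claim your $500 today"
HAM = "Please click here to read the quarterly report"


def score_content(text, patterns):
    """Return (total score, patterns that matched). Each matching pattern adds
    its score once (simplification chosen for this example)."""
    total, hits = 0, []
    for bp in patterns:
        if bp.compiled().search(text):
            total += bp.score
            hits.append(bp.pattern)
    return total, hits


def is_blocked(text, patterns, threshold):
    """Block only when the threshold is exceeded, not when it is merely met."""
    total, _ = score_content(text, patterns)
    return total > threshold


if __name__ == "__main__":
    for text in (SPAM, HAM):
        total, hits = score_content(text, BANNED)
        print(f"score={total:3} blocked={is_blocked(text, BANNED, THRESHOLD)} hits={hits}")
```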

Page 261: Fortigate Training

Web Content Block

Page: 352

Page 262: Fortigate Training

Web Content Exemption

• Override web content block
  Even if banned words appear

Page: 354-357

Page 263: Fortigate Training

Web Content Exemption

Page: 356

Page 264: Fortigate Training

Enabling Web Filtering

Page: 358

Page 265: Fortigate Training

URL Filter

• Block specific pages
  Displays replacement message
• Text, regular expressions and wildcards can be used

Page: 359-362

Page 266: Fortigate Training

URL Filter

Page: 361

Page 267: Fortigate Training

FortiGuard Web Filter

• Managed web filtering solution
  Web pages rated and categorized
• Determines category of site
  Follows firewall policy
• Allow, block, log, or override
• Ratings based on:
  Text analysis
  Exploitation of web structure
  Human raters

Page: 363

Page 268: Fortigate Training

Web Filtering Categories

• Categories based on suitability for enterprises, schools, and home
  Potentially liable
  Controversial
  Potentially non-productive
  Potentially bandwidth consuming
  Potential security risks
  General interest
  Business oriented
  Others

Page: 364

Page 269: Fortigate Training

Web Filtering Classes

• Classify web page based on media type or source
  Further refine web access
  Prevent finding material
• Classes
  Cached contents
  Image search
  Audio search
  Video search
  Multimedia search
  Spam URL
  Unclassified

Page: 365

Page 270: Fortigate Training

Enabling FortiGuard Web Filtering

Page: 366

Page 271: Fortigate Training

Enabling FortiGuard Web Filtering Options

Page: 367-368

Page 272: Fortigate Training

Web Filtering Overrides

• Give user ability to override firewall filter block
  Administrative overrides
  User overrides
• Override permissions configured at user group level or with override rules
• User group level overrides
  Group of users have same level of overrides
  Assumes authentication enabled on policy
• Override rules
  Fine granularity
  Access domain, directory or category

Page: 369

Page 273: Fortigate Training

Allowing Override at User Group Level

Page: 370

Page 274: Fortigate Training

Configuring Override Rules (Directory or Domain)

Page: 371-372

Page 275: Fortigate Training

Configuring Override Rules (Category)

Page: 373

Page 276: Fortigate Training

Web Filtering Override Page

Page: 375

Page 277: Fortigate Training

Web Filtering Authentication Page

Page: 375

Page 278: Fortigate Training

Local Ratings

• Administrator controlled block of web sites
• Per protection profile basis

Page: 376

Page 279: Fortigate Training

Local Categories

• Administrator controlled block on group of web sites
• Per protection profile basis

Page: 377

Page 280: Fortigate Training

Thank you for attending.