FortiGate I Student Guide-Online V6

April 28, 2017 | Author: radix82 | Category: N/A

FortiGate I Student Guide for FortiGate 5.2.1 Last Updated: 26 May 2016

Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names may be trademarks of their respective owners. Copyright © 2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.

Table of Contents

Virtual Lab Basics  7
  Topology  8
  Logging In  8
  Disconnections/Timeouts  13
  Transferring Files to the VM  13
  Using HTML5 Instead of Java  13
  Screen Resolution  14
  International Keyboards  14
  Troubleshooting Tips  15

Introduction to Fortinet UTM  17
  Lab 1: Initial Setup and Configuration  17
    Exercise 1 (Optional) Configuring Network Interfaces on the Student & Remote FortiGate  18
    Exercise 2 Exploring the Command Line Interface  20
    Exercise 3 Restoring a Configuration from Backup  22
    Exercise 4 Making Configuration Backups  24
  Lab 2: Administrative Access  25
    Exercise 1 Administrators, Passwords, and Permissions  26
    Exercise 2 Restricting Administrator Access  28

Logging & Monitoring  29
  Lab 1: Status Monitor and Event Log  29
    Exercise 1 Using the GUI's Status Monitor  30
    Exercise 2 Event Log & Logging Options  33
  Lab 2: Remote Monitoring  35
    Exercise 1 Remote Logging & SNMP Monitoring  36

Firewall Policies  38
  Lab 1: Firewall Policy  38
    Exercise 1 Creating Firewall Objects & Rules  39
    Exercise 2 Policy Actions  41
    Exercise 3 Access through Virtual IPs  43
    Exercise 4 Dynamic NAT with IP Pools  46
    Exercise 5 Device Identification  48

Firewall Authentication  50
  Lab 1: User Authentication  50
    Exercise 1 Authentication via a Firewall Policy  51
    Exercise 2 Captive Portals  53

SSL VPN  55
  Lab 1: SSL VPN  55
    Exercise 1 SSL VPN for Web Access  56
    Exercise 2 Testing Authentication  58
    Exercise 3 Accessing Resources Beyond Different Interfaces  60

Basic IPsec VPN  61
  Lab 1: IPsec VPN  61
    Exercise 1 Site-to-Site IPsec VPN  62

Explicit Web Proxy  64
  Lab 1: Explicit Web Proxy  64
    Exercise 1 Configuring the Explicit Web Proxy  65
    Exercise 2 Using a PAC File  68

Antivirus  71
  Lab 1: Antivirus Scanning  71
    Exercise 1 Antivirus & Block Pages  72
    Exercise 2 Flow vs Proxy Scanning  74

Web Filtering  75
  Lab 1: Web Filtering  75
    Exercise 1 FortiGuard Web Filtering  76
    Exercise 2 Web Profile Overrides  80

Application Control  81
  Lab 1: Application Identification  81
    Exercise 1 Creating an Application Control List  82
    Exercise 2 Limiting DailyMotion Traffic  83
    Exercise 3 Fine Tuning Web Site Access  84

Appendix A: Additional Resources  85
Appendix B: Presentation Slides  86
  Module 1: Introduction to Fortinet Unified Threat Management  87
  Module 2: Logging and Monitoring  125
  Module 3: Firewall Policies  161
  Module 4: Firewall Authentication  232
  Module 5: SSL VPN  272
  Module 6: Basic IPsec VPN  304
  Module 7: Antivirus  336
  Module 8: Explicit Proxy  368
  Module 9: Web Filtering  406
  Module 10: Application Control  432


Virtual Lab Basics In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab. Note: If your trainer asks you to use a different lab, such as devices physically located in your classroom, please ignore this section. This applies only to the virtual lab accessed through the Internet. If you do not know which lab to use, please ask your trainer.


Topology

The lab network, as shown in the topology diagram:

    Device                     Interface   Address
    LOCAL (Student FortiGate)  port1       10.200.1.1/24    (to LINUX eth1, 10.200.1.254)
                               port2       10.200.2.1/24    (to LINUX eth2, 10.200.2.254)
                               port3       10.0.1.254/24    (management LAN)
    REMOTE FortiGate           port4       10.200.3.1/24    (to LINUX eth3, 10.200.3.254)
                               port5       10.200.4.1/24    (to LINUX eth4, 10.200.4.254)
                               port6       10.0.2.254/24    (remote LAN)
    LINUX                      eth0        (address not shown)
                               eth1        10.200.1.254
                               eth2        10.200.2.254
                               eth3        10.200.3.254
                               eth4        10.200.4.254
    WIN-LOCAL                  -           10.0.1.10        (on the port3 LAN)
    WIN-REMOTE                 -           10.0.2.10        (on the port6 LAN)
    FortiManager               port1       10.0.1.241
                               port2       10.200.1.241
    FortiAnalyzer              port1       10.0.1.210
                               port3       10.200.1.210

Logging In

1. Run the System Checker. This will fully verify both:
   - compatibility with the virtual lab environment's software, and
   - that your computer can connect.

   It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy. Use the URL for your location:
   - North America/South America: https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West
   - Europe/Middle East/Africa: https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
   - Asia/Pacific: https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC

   If a security confirmation dialog appears, click Run.

   If your computer successfully connects to the virtual lab, the result messages for the browser and network checks will each display a check mark icon. Continue to the next step. If a browser test fails, this will affect your ability to access the virtual lab environment. If a network test fails, this will affect the usability of the virtual lab environment. For solutions, either click the Support Knowledge Base link or ask your trainer.

2. With the user name and password from your trainer, log into the URL for the virtual lab. Either:
   - https://remotelabs.training.fortinet.com/
   - https://virtual.mclabs.com/

3. If prompted, select the time zone for your location, then click Update. This ensures that your class schedule is accurate.

4. Click Enter Lab. A list of virtual machines that exist in your virtual lab should appear. From this page, you can access the console of any of your virtual devices by either:
   - clicking on the device's square, or
   - selecting System > Open.

5. Click K2-Win-Student to open a connection to that server. A new window should open within a few seconds. (Depending on your account's preferences, the window may be a Java applet. If this fails, you may need to change browser settings to allow Java to run on this web site. You also may need to review and accept an SSL certificate.)

   Depending on the virtual machine, the applet provides access to either the GUI or a text-based CLI. Connections to Windows machines will use a Remote Desktop-like GUI. The applet should automatically log in, then display the Windows desktop. For most lab exercises, you will connect to this VM.

Disconnections/Timeouts

If your computer's connection with the virtual machine times out or if you are accidentally disconnected, to regain access, return to the initial window/tab that contains your session's list of VMs and open the VM again. If your session frequently times out or does not connect, ask your instructor.

Transferring Files to the VM

When using the Java applet to connect to a VM, you can drag-and-drop files from your computer to the VM. For example, if you have a FortiGate configuration file that you want to upload to your lab VM, you could create it on your computer, then drag it into the Java application window that is connected to the Windows VM. Usually the destination folder is C:\Uploads. Alternatively, if you store files in a cloud service such as Dropbox or SugarSync, you can use the web browser to download them to your VM instead.

Using HTML5 Instead of Java

When you open a VM, your browser may download and use a Java application to connect to the virtual lab's VM. This means that Java must be installed, updated, and enabled in your browser. Alternatively, you can use HTML5 instead. Click the Settings button, then change the client preference from Use Java Client to the HTML5 client. Click Save & Disconnect, then log in again. (To use this preference, your browser must allow cookies.)

When connecting to a VM, your browser should then open a display in a new window or tab.

Screen Resolution

Some Fortinet devices' user interfaces require a minimum screen size. In the Java client, to configure the screen resolution, click the arrow at the top of the window. In the HTML5 client, to configure the screen resolution, open the System menu.

International Keyboards

If characters in your language don't display correctly, keyboard mappings may not be correct.

To solve this in the HTML5 client, open the Keyboard menu at the top of the window. Choose to either display an on-screen keyboard, or send text from your computer to the VM's clipboard.

To solve this in the Java client, copy and paste between your computer and the Java applet, or send special characters and key combinations using the keyboard icon at the top of the applet window.

Troubleshooting Tips

- If the HTML5 client does not work, try the Java client instead. Remembering this preference requires that your browser allow cookies.
- Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection, including VPN tunnels or wireless such as 3G or Wi-Fi. For best performance, use a stable broadband connection such as a LAN.
- Do not disable or block Java applets. On Mac OS X since early 2014, to improve security, Java has been disabled by default. In your browser, you must allow Java for this web site. On Windows, if the Java applet is allowed and successfully downloads, but does not appear to launch, you can open the Java console while troubleshooting. To do this, open the Control Panel, click Java, and change the Java console setting to Show console. Network firewalls can also block Java executables. Note: JavaScript is not the same as Java.
- Prepare your computer's settings:
  - Disable screen savers.
  - Change the power saving scheme so that your computer is always on, and does not go to sleep or hibernate.
- If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal), please attempt to reconnect. If unable to reconnect, please notify the instructor.
- If during the labs, particularly when reloading configuration files, you see a warning about the FortiGate VM license, the VM is waiting for a response from the license authentication server. To retry immediately, go to the console and enter the CLI command:

      exec update-now


Introduction to Fortinet UTM

Lab 1: Initial Setup and Configuration

This lab will provide an initial orientation to FortiGate's administrative GUI and CLI, and (if necessary) will guide you through basic setup. Additionally, this lab will guide you through how to properly back up and restore a configuration file.

If you see a warning about the FortiGate VM license, it indicates that FortiGate VM is waiting for a response from the license authentication server. Typically this happens after a reboot, for example after you upload a new FortiGate configuration file. If that server was rebooting, or connectivity was interrupted, at the same time that FortiGate VM was rebooting and sending the request, then the server may not have received the request. FortiGate VM will periodically retry, but you can manually initiate an immediate retry. To force an immediate license authentication retry, go to FortiGate's CLI and enter:

    execute update-now

Objectives

- Configure FortiGate network interfaces and a default route for administrative access via your lab network, such as with a web browser, Telnet or SSH client
- Distinguish between encrypted vs. non-encrypted configuration backups
- Back up and restore configuration files
- Find the FortiGate model and FortiOS firmware build information inside a configuration file

Time to Complete

Estimated: 15 minutes


Exercise 1 (Optional) Configuring Network Interfaces on the Student & Remote FortiGate

Before proceeding, please ask your instructor if these steps are required for your specific classroom. You must do this exercise only if your lab environment was initialized with blank FortiGate images.

1. Open the console of the FortiGate that is named Student.

2. At the login prompt, enter the username admin (all lower case). Leave the password blank.

3. To be able to access the Student FortiGate's GUI, you must first configure the port3 interface. Assign its IP address, and specifically allow HTTP connections to the GUI:

       conf system interface
           edit port3
               set ip 10.0.1.254/24
               set allowaccess http
       end

   After you enter the end command, FortiGate saves its running configuration in RAM, and also saves it to the flash disk. HTTPS or SSH are recommended for administrative access to FortiGate because those protocols provide authentication and encryption; HTTP and Telnet send the administrator login in clear text, and HTTP is enabled here only for convenience in the lab. allowaccess also accepts ping, snmp, http, telnet and other protocols; list only what an interface actually needs.

4. Verify that you've entered your configuration correctly by entering this command:

       show system interface

   Alternatively, you can enter a shorter form:

       show sys int

5. On the Windows server, open Firefox. Go to the URL that is the FortiGate's IP address on port3:

       http://10.0.1.254

6. If a security warning appears, accept the FortiGate's self-signed certificate. The login page should appear. If it does not, ask your instructor before continuing. Note: To access the FortiGate GUI, your web browser must support cookies and JavaScript. These are required for correct behavior and display.

7. Open the console of the FortiGate that is named Remote.

8. At the login prompt, enter the username admin (all lower case). Leave the password blank.

9. Enter the following CLI commands to set the port4 IP address and access control settings for your device:

       conf system interface
           edit port4
               set ip 10.200.3.1/24
               set allowaccess http ping
       end

10. Verify that a valid default gateway route exists:

        show router static

    If there is no static route for port4, enter the commands below to set it. (Routing will be explained in more detail in a later lesson.)

        conf router static
            edit 0
                set device port4
                set gateway 10.200.3.254
        end

11. Verify that you have entered your configuration correctly:

        show system interface
        show router static

    You can't connect to the Remote FortiGate's GUI yet. Before you can do that, you must first configure the FortiGate named Student with a route and a firewall policy that allows and routes that management traffic to the FortiGate named Remote. You will add this configuration in a later lab exercise.
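The exercise above enables HTTP management on port3 and port4 because it is convenient in the lab. The following script, an added example that is not part of the Fortinet guide, shows how a practitioner would check a FortiGate for that kind of setting after the fact: it parses the text that show system interface prints, flags every interface whose allowaccess list includes a clear-text protocol (http or telnet), and generates the CLI that swaps them for https and ssh. SAMPLE_CONFIG is constructed to mirror the lab's port3 and port4 settings and is not captured from a real device.

```python
"""Audit FortiOS interface settings for clear-text management access.

Added example (not from the Fortinet guide). Parses `show system interface`
output, flags interfaces whose `allowaccess` list includes http or telnet,
and builds the CLI that replaces them with https and ssh. SAMPLE_CONFIG is
constructed to mirror the lab's port3/port4 settings.
"""
import shlex

# Clear-text management protocols and their encrypted replacements.
CLEARTEXT = {"http": "https", "telnet": "ssh"}

# Constructed sample, shaped like `show system interface` output on FortiOS 5.2.
SAMPLE_CONFIG = """\
config system interface
    edit "port3"
        set vdom "root"
        set ip 10.0.1.254 255.255.255.0
        set allowaccess http
        set type physical
    next
    edit "port4"
        set vdom "root"
        set ip 10.200.3.1 255.255.255.0
        set allowaccess http ping
        set type physical
    next
    edit "port6"
        set vdom "root"
        set ip 10.0.2.254 255.255.255.0
        set allowaccess https ssh ping
        set type physical
    next
end
"""


def parse_interfaces(config_text):
    """Return {name: {"ip", "netmask", "allowaccess": [...]}} from the
    `config system interface` table; nested sub-tables are skipped."""
    interfaces = {}
    in_table = False
    depth = 0          # nesting inside a sub-table such as `config ipv6`
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line == "config system interface"
            continue
        tokens = shlex.split(line)      # shlex strips the quotes around "port3"
        if not tokens:
            continue
        if tokens[0] == "config":       # entering a nested sub-table
            depth += 1
            continue
        if tokens[0] == "end":
            if depth == 0:
                break                   # end of the interface table
            depth -= 1
            continue
        if depth:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            interfaces[current] = {"ip": None, "netmask": None, "allowaccess": []}
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            if tokens[1] == "ip":
                interfaces[current]["ip"] = tokens[2]
                interfaces[current]["netmask"] = tokens[3] if len(tokens) > 3 else None
            elif tokens[1] == "allowaccess":
                interfaces[current]["allowaccess"] = tokens[2:]
    return interfaces


def audit_cleartext_access(config_text):
    """Return {interface: [offending protocols]} for interfaces that accept
    management connections over http or telnet."""
    findings = {}
    for name, props in parse_interfaces(config_text).items():
        bad = [p for p in props["allowaccess"] if p in CLEARTEXT]
        if bad:
            findings[name] = bad
    return findings


def hardened_allowaccess(protocols):
    """Map an allowaccess list to its encrypted-only equivalent, keeping order
    and dropping duplicates (http -> https, telnet -> ssh, others unchanged)."""
    out = []
    for proto in protocols:
        replacement = CLEARTEXT.get(proto, proto)
        if replacement not in out:
            out.append(replacement)
    return out


def remediation_cli(config_text):
    """Build the FortiOS CLI that replaces clear-text access on each flagged
    interface; ping/snmp and already-encrypted protocols are preserved."""
    interfaces = parse_interfaces(config_text)
    lines = ["config system interface"]
    for name in audit_cleartext_access(config_text):
        lines.append(f'    edit "{name}"')
        lines.append("        set allowaccess "
                     + " ".join(hardened_allowaccess(interfaces[name]["allowaccess"])))
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, bad in audit_cleartext_access(SAMPLE_CONFIG).items():
        print(f"{name}: clear-text management via {', '.join(bad)}")
    print(remediation_cli(SAMPLE_CONFIG))
```

Paste the output of show system interface into SAMPLE_CONFIG (or read it from a saved backup file) to audit a real device; the generated CLI keeps ping and any already-encrypted protocol, so applying it only removes the clear-text ones.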


Exercise 2 Exploring the Command Line Interface

1. Open the console of the FortiGate that is named Student.

2. At the login prompt, enter the username admin (all lower case). Leave the password blank.

3. Enter the command to display basic status information about that FortiGate:

       get system status

   Output shows the FortiGate's serial number, firmware version, operation mode, and other information.

4. Verify that the firmware version is the correct one for this class.

5. Enter the following, then press the Return key:

       get ?

   Note: The ? character is not displayed on the screen.

   This shows all words that the CLI will accept next after the get command. When the --More-- prompt appears in the CLI, either press the spacebar key to continue scrolling, press the Enter key to scroll one line at a time, or press the Q key to exit. Depending on the command, you may need to enter additional words to completely specify a configuration object.

6. Press the up arrow key. This displays the previous get system status command. Try some of the other control key sequences that are summarized below.

       Previous command            up arrow, or CTRL+P
       Next command                down arrow, or CTRL+N
       Beginning of line           CTRL+A
       End of line                 CTRL+E
       Back one word               CTRL+B
       Forward one word            CTRL+F
       Delete current character    CTRL+D
       Clear screen                CTRL+L
       Abort command and exit      CTRL+C

   CTRL+C is context sensitive, but usually it aborts the current command. If you were in a subcommand, it returns you to the parent command. Otherwise, it will terminate your current administrative session. To continue, you must log in again.

7. Enter the command:

       execute ?

   This lists all words that the CLI will accept next after the execute command.

8. Type execute, then press the Tab key 3 times. The first time you press the Tab key, notice that the CLI adds the next word in the command. It is the first word in the list from the previous step. Each time that you press the Tab key after that, notice that the CLI replaces that word with the next possible word in the list, in alphabetical order, until you press the spacebar key. This indicates that you have selected that word, and are ready to enter the next word (if any).

9. Enter the following CLI commands:

       config ?
       show ?

   Compare the list of valid next words for each one. Notice that there are some differences in the CLI structure for each command, including show full-configuration. config enters settings. show displays only the configuration that differs from the firmware's default settings, unless you enter show full-configuration.

10. Enter the CLI commands to display the FortiGate's port3 interface configuration, and compare the output for each:

        show system interface port3
        show full-configuration system interface port3

    Each word needs only as many leading characters as make it unambiguous (for example, sh sys int port3 for the first command). If you want to auto-complete each word (in order to verify that it is unambiguous, for example), press the Tab key after those characters.

    Note: Almost all commands can be abbreviated. In presentations and labs, many of the commands that you see will be in abbreviated form. Use this technique to reduce the number of keystrokes that are required to enter a command. In this way, experts can often configure a FortiGate faster via CLI than GUI. If there are other commands that start with the same characters, your abbreviation must be long enough to be specific, so that FortiGate can distinguish them. Otherwise, the CLI will display an error message about ambiguous commands.


Exercise 3 Restoring a Configuration from Backup

1. On the Win-Student server, open Firefox. Connect to the Student FortiGate's GUI, and log in as admin:

       http://10.0.1.254/

   Note: All the lab exercises were fully tested running Mozilla Firefox on the Win-Student and Win-Remote servers. For this reason, and to get consistent results, we recommend it as the browser to access the Internet and the FortiGate GUIs from this virtual environment.

2. Go to System > Dashboard > Status. In the System Information row, click the Restore link. A dialog should appear where you can select which configuration backup file to restore. (If your lab started with blank FortiGate images whose IP address you needed to configure in Exercise 1, then this FortiGate is not yet configured with the host name STUDENT. This should appear after you upload a configuration in the next step.)

3. Click the button that enables you to select which backup file to restore. (The name of this button varies by browser.) Select the file named Resources\Introduction\student-initial.conf, then click Restore. This file is the prerequisite configuration for the next lab. After your browser uploads the configuration, the FortiGate will automatically reboot. The length of the restoration process varies by how complex the configuration is. More complex configurations take more time to parse and validate. Most configurations take FortiGate less than 1 minute to validate and then reboot.

4. Refresh the web page and log in again to the GUI on the Student FortiGate. Go to System > Network > Interface and then Router > Static > Static Route. Verify that the network interface settings and default route were restored.

5. Go to System > Network > DNS Server. Review the student and remote DNS zones.
   - In the Student DNS zone, verify the IPv4 Address (A) records for the Student FortiGate device (10.0.1.254) and the Windows server (10.0.1.10).
   - In the Remote DNS zone, check the IPv4 Address (A) records for the Remote FortiGate device (10.200.3.1) and the Windows host (10.0.2.10).

   By providing a DNS server to your management network, FortiGate enables you to access these devices in your lab by using a domain name instead of their IP address. To do this, the Windows server should be configured to use the Student FortiGate's port3 IP address as its DNS server.

6. On the Windows server, open a command prompt. Use the following commands to verify the DNS lookup results:

       nslookup server.student.lab 10.0.1.254
       nslookup fgt.student.lab 10.0.1.254
       nslookup pc.remote.lab 10.0.1.254
       nslookup fgt.remote.lab 10.0.1.254

   Note: The syntax of the nslookup command is: nslookup [-option] [hostname] [server]

7. Open a web browser. Go to these URLs to verify that you can use domain names to reach the GUI of both the Student and Remote FortiGate:
   - http://fgt.student.lab
   - http://fgt.remote.lab


Exercise 4 Making Configuration Backups

1. On the Win-Student server, open a browser and log in to the Student FortiGate's GUI:

    https://fgt.student.lab

2. Go to System > Dashboard > Status. In the System Information widget, click the Back up link.

3. Select Encrypt configuration file, enter the password fortinet, then click the Back up button to save the encrypted configuration file to the desktop with the filename student-initial-enc.conf. (You may need to modify the web browser's settings to prompt you for the location to save files. For Firefox, go to Tools > Options > General, then select Always ask me where to save files.)

Caution: Always back up the configuration file before changing your device (even if the change seems minor or unimportant). There is no "undo". Restoring a backup allows you to quickly revert changes if you discover problems. To distinguish between files from multiple FortiGates, use a naming convention such as their host names. Treat the backup itself as sensitive: even an unencrypted backup contains the device's configured secrets (in ENC-encoded form), and an encrypted backup cannot be restored without its password, so store both the file and the password securely.

4. In the System Information widget, click Restore. Select the file that you downloaded in the previous step (student-initial-enc.conf), then click the Restore button. Notice that this time, you must enter the password fortinet because this file is password-encrypted.

5. Using Notepad or Notepad++, open the file student-initial.conf. In another instance of Notepad, open the file student-initial-enc.conf and compare the two.

Note: In both the normal and the encrypted configuration, the top of the file acts as a header describing the firmware and model that this configuration belongs to. Only that header is readable in the encrypted file; the configuration body is ciphertext, so an encrypted backup cannot be reviewed or edited offline.


Lab 2: Administrative Access

In this lab, you will create and modify administrative access permissions.

Objectives

• Create a new administrative user
• Restrict administrative access

Time to Complete
Estimated: 10 minutes


Exercise 1 Administrators, Passwords, and Permissions

1. On the Win-Student server, open a browser and log in to the Student FortiGate's GUI:

    https://fgt.student.lab

2. Go to System > Admin > Settings and select Enable Password Policy. Configure these settings:

    Minimum Length:              8
    Must Contain:                Enable; 1 Upper Case Letter, 1 Numerical Digit
    Enable Password Expiration:  Enable; 90 days

Click Apply to save the changes.

3. Log out of the GUI.

4. Log in again. Because of the password policy that you just configured, FortiGate should prompt you to enter a new administrator password. Enter a new password that meets the requirements.

5. Go to System > Admin > Admin Profile. Create a new profile called Security_Admin_Profile. Set Security Profile Configuration to Read-Write, but set all other permissions to Read Only. Click OK to save the changes. (Read Only still lets this administrator view the entire configuration; in production, set the permissions a role does not need to None.)

6. Go to System > Admin > Administrators. Click Create New to add a new administrator account named Security_Admin. In Admin Profile, select the profile created in the previous step. This limits that administrator's access: they will only be able to modify and create security profiles.

Note: Administrator names and passwords are case-sensitive. You cannot include characters such as < > ( ) # " in an administrator account name or password. Spaces are allowed, but not as the first or last character. To enter spaces in a name or password via the CLI, you must enclose the name or password in straight quotes ( ' ).

Caution: For convenience in the lab, you will not set the password of the account named admin. However, in real networks, you should always set administrator passwords, make them strong, and change them often.

Click OK to save the changes.

7. Go to System > Dashboard > Status. In the CLI Console widget, enter the following to view the configuration for administrator accounts and profiles:

    show system admin
    show system accprofile

8. Log out of the admin account's GUI session.

9. Log in as Security_Admin with its password.

10. Test this administrator's access: try to create or modify settings on the Student FortiGate that are not allowed by that account's profile. You should see that this account can only configure security profiles.


Exercise 2 Restricting Administrator Access

1. On the Win-Student server, open a browser and go to the Remote FortiGate's GUI:

    http://fgt.remote.lab

Log in as the admin account (all lower case) with no password.

2. Go to System > Admin > Administrators. Edit the admin account and enable the setting Restrict this Admin Login from Trusted Hosts Only. Set Trusted Host #1 to the address 10.0.2.0/24. Click OK to save the changes.

3. Try connecting to the GUI of the Remote FortiGate again. What is the result this time? Because your connection arrives from 10.200.1.1 (the result of NAT on the Student FortiGate), you should notice that you can no longer connect: you restricted logins to the source IP addresses listed in Trusted Hosts.

4. Attempt to ping 10.200.3.1. You should notice that the FortiGate no longer responds to ping either. This is also blocked by the restriction on source IP.

5. Open the console of the Remote FortiGate device. (Trusted hosts restrict only network logins, so the console remains available for recovering from a lockout like this one.) Enter the following CLI commands to add 10.200.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin account:

    conf sys admin
    edit admin
    set trusthost2 10.200.0.0/16
    end

6. Try to ping the Remote FortiGate and access its GUI again. Access should be restored. A /16 is far wider than this lab needs; outside the lab, list only the specific management hosts or subnets that require access.

7. Go to System > Dashboard > Status. In the System Information widget, in the Current Administrator row, click the Details link. The GUI displays a list of administrators currently logged in to the FortiGate.

8. By default, each source IP address can attempt to log in up to 3 times. After 3 failures, it is locked out for 60 seconds. To improve overall password security, use the CLI to decrease the maximum number of attempts and increase the lockout timer:

    config system global
    set admin-lockout-threshold 2
    set admin-lockout-duration 100
    end
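The two controls in this exercise, trusted hosts and the admin lockout, modelled in Python as an added example. This is not FortiOS code and not part of the guide: the function names, the LockoutTracker class, and the assumption that the trusted-host filter runs before the password check (the lab shows HTTPS and ping both silently dropped, not rejected with a login error) are the editor's.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example: models the admin trusted-host check and the
# admin-lockout-threshold / admin-lockout-duration behaviour from this
# exercise. All names here are assumptions; this is not FortiOS code.


def is_trusted(src_ip, trusthosts):
    """True if src_ip lies inside any trusthost prefix (e.g. "10.0.2.0/24").

    An admin with trusted hosts accepts logins, and even ICMP echo to the
    device, only from these prefixes; 0.0.0.0/0 means no restriction.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in trusthosts)


@dataclass
class LockoutTracker:
    """Per-source-IP failed-login counter with a timed lockout."""
    threshold: int = 3                 # FortiOS default admin-lockout-threshold
    duration: int = 60                 # FortiOS default admin-lockout-duration (s)
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def attempt(self, src_ip, password_ok, now):
        """Return "locked", "failed" or "ok" for a login attempt at time `now`."""
        until = self.locked_until.get(src_ip)
        if until is not None:
            if now < until:
                return "locked"            # still inside the lockout window
            del self.locked_until[src_ip]  # window expired: start counting afresh
            self.failures[src_ip] = 0
        if password_ok:
            self.failures[src_ip] = 0
            return "ok"
        self.failures[src_ip] = self.failures.get(src_ip, 0) + 1
        if self.failures[src_ip] >= self.threshold:
            self.locked_until[src_ip] = now + self.duration
            return "locked"
        return "failed"


def admin_login(src_ip, trusthosts, tracker, password_ok, now):
    """Apply both controls. Assumption: the trusted-host filter runs first, so a
    source outside it never reaches the password check and is not counted
    against the lockout either."""
    if trusthosts and not is_trusted(src_ip, trusthosts):
        return "untrusted"
    return tracker.attempt(src_ip, password_ok, now)


if __name__ == "__main__":
    # Steps 2-6: 10.200.1.1 (the Student FortiGate's NAT address) is outside
    # 10.0.2.0/24 until trusthost2 10.200.0.0/16 is added.
    print(is_trusted("10.200.1.1", ["10.0.2.0/24"]))                   # False
    print(is_trusted("10.200.1.1", ["10.0.2.0/24", "10.200.0.0/16"]))  # True
    t = LockoutTracker(threshold=2, duration=100)                       # step 8 values
    print([t.attempt("10.0.2.10", False, s) for s in (0, 1, 50)])      # ['failed', 'locked', 'locked']
    print(t.attempt("10.0.2.10", True, 101))                            # ok
```

The lockout is keyed by source address, which is exactly why NAT matters here: every administrator behind the Student FortiGate shares 10.200.1.1, so one person's typos can lock out everyone behind that address.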


Logging & Monitoring

Lab 1: Status Monitor and Event Log

In this lab, you will work with FortiGate's event log and monitoring.

Objectives

• Enable logging of system events
• Locate event logs for specific information

Time to Complete
Estimated: 10 minutes


Exercise 1 Using the GUI's Status Monitor

1. On the Windows server, open a web browser. Go to the URL that is port3's IP address on the FortiGate named Student, and log in as admin.

    http://10.0.1.254/

2. Go to System > Dashboard > Status and locate the System Resources widget. This widget provides a snapshot overview of the overall resource utilization on the FortiGate.

3. Some widgets are not displayed on the dashboard by default. Click Widget to display the list of widgets available to add to the dashboard. If it is not already added, click the Interface History widget in the pop-up window to add it to the dashboard. (Depending on the screen resolution, the default Status dashboard uses a two-column layout. In this case, the All Sessions widget cannot be added because it requires a one-column layout.) Close the widget list window. Widgets can be removed from the page by clicking the X in the upper left corner of each one.

4. Hover the mouse over the title bar of the System Resources widget and click Edit to create a custom widget. Configure these settings:

    Custom Widget Name:  System Resource History
    View Type:           Historical
    Time Period:         Last 60 minutes

A line chart appears in a new custom System Resource History widget, showing a trace of CPU, memory and sessions over the past hour. The refresh rate of this widget is automatically set to 1/20 of the configured time period.

5. The Alert Message Console widget displays recent system events, such as system restart and firmware upgrade. Hover the mouse over the title bar of the Alert Message Console widget and click History to view the entire message list.

Note: If there are no alerts, you can reboot the FortiGate in order to see one. To do this, connect to the CLI and use the command exec reboot.

6. At the top of the dashboard, click Dashboard and select Add Dashboard. Enter any name of your choice for the new dashboard and select the single column display. The new dashboard shows up as a selectable menu option on the right hand side.

7. Next, add the All Sessions widget to your new dashboard. Click the edit icon in the title bar of the All Sessions widget and observe the different ways in which sessions can be reported, for example by top Destination Address or top Applications. You can also select to display the top sessions by Source and Destination interfaces. Create your own customized Top Sessions widget and examine the sessions that are listed. Some widgets are only allowed to appear on one dashboard at a time. For example, System Information cannot be added to this new dashboard until the widget is removed from the Status dashboard.

8. Test the functionality of the refresh, page forward, and page back icons in this window. You may need to generate some additional traffic in order to properly test these functions.

9. Click Dashboard and select Reset Dashboards to reset all the dashboards to the default.


Exercise 2 Event Log & Logging Options

1. From the Student FortiGate CLI, check the overall status of the FortiGate:

    get system status

2. Verify the Log hard disk status. If it is set to Available, proceed to Step 3. If the status appears as Need Format, enter the following command to format the drive:

    execute formatlogdisk

When prompted to continue, type y and wait for the system to reboot. (Formatting erases any logs already on the disk.) Once the system has restarted, check the log disk settings with the following commands:

    config log disk setting
    get

You should observe that the status is enabled.

3. Repeat the previous steps on the Remote FortiGate device.

4. Return to the Student FortiGate device and log out of the GUI. When logging back in, use an incorrect password once and then use the correct password to log back in again. Go to Log & Report > Event Log > System and examine the log to find the invalid password event.

5. Go to Policy & Objects > Objects > Address, and create a new firewall address using the following settings:

    Name:   fortinet
    Type:   FQDN
    FQDN:   www.fortinet.com

Leave the remaining settings at their defaults and click OK to save the changes.

6. Next, go to Log & Report > Event Log > System and review the log entries.

7. Go to Log & Report > Log Config > Log Setting and clear the option System activity event. Click Apply to save the changes. Different types of log entries fall into different categories. Only enable logging for the activities that you need to monitor. This avoids filling the logs with information you do not need and consuming unnecessary system resources.

8. Go to Policy & Objects > Objects > Address and create another firewall address entry. Go to Log & Report > Event Log > System and review the log entries again. Note that the entries are no longer visible for this activity. With this option deselected in the Event Logging settings, you no longer see entries in the log for administrators logging on or off, or making changes to the unit's configuration. Other types of log entries still appear.

9. Go to Log & Report > Log Config > Log Settings and re-enable System activity event. When changes are made to your firewall, it is best to have a log event for them, in case you need to find out when something was changed, and by whom. Administrator logins and configuration changes are also the audit trail you will want during an incident, so leave this category enabled in production.


Lab 2: Remote Monitoring

The aim of this lab is to set up logging to a remote device and monitoring of the FortiGate unit's behavior. It can be advantageous to use remote monitoring instead of local monitoring in order to reduce resource usage. For example, while the GUI widgets provide useful displays of your system information, they also carry a significant resource cost and should be used sparingly.

Objectives

• Enable monitoring by syslog and SNMP servers

Time to Complete
Estimated: 10 minutes


Exercise 1 Remote Logging & SNMP Monitoring

The Linux server in your lab environment has been pre-configured to accept syslog messages.

1. From the CLI on the Student FortiGate, enter the following commands to set up logging to the syslog server:

    conf log syslogd setting
    set status enable
    set facility local6
    set server 10.200.1.254
    end

By default, FortiGate sends syslog as cleartext UDP on port 514, with no authentication of either end, so keep the collector on a network that untrusted hosts cannot reach or inject messages into.

2. Repeat the above step from the CLI on the Remote FortiGate device.

3. On the Win-Student server, open the putty.exe application. Open an SSH session to the Linux server (10.200.1.254). Log in as root with the password password.

4. Run the following command to monitor the FortiGate syslog messages, which the local6 facility maps to their own file:

    tail -f /var/log/fortinet

5. Leave the SSH window open, return to the Student FortiGate device and generate some log entries:

    • Attempt to log in with invalid credentials
    • Make a minor configuration change

6. From the GUI on the Student FortiGate, go to System > Config > SNMP to enable SNMP monitoring. Select Enable for the SNMP Agent at the top, then click Apply.

7. Create a new SNMP v3 user using the settings displayed below (security name training with SHA authentication; these must match the snmpwalk command in step 9). Set the Auth password to fortinet. Set the Notification host to 10.200.1.254. Click OK.

8. Go to System > Network > Interfaces and edit port1. Confirm that SNMP is enabled under the Administrative Access settings. If it is not enabled, enable it, then click OK to save the changes.

9. Leave open the SSH window that is currently running the tail command, and run putty again to open a new SSH connection to the Linux host (10.200.1.254). Next, execute the following snmpwalk command to find and display all of the monitoring options that the device presents through SNMP:

    snmpwalk -v 3 -a sha -A fortinet -u training -l authNoPriv 10.200.1.1

A tree listing of all the options available to monitor this FortiGate VM device is displayed. To make the information easier to review, you can append > snmp.test to the command above; this saves the output to a file named snmp.test. Enter view snmp.test to view the output file. The security level authNoPriv authenticates the requests but carries the responses in cleartext; in production, configure a privacy password as well and use authPriv.
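What the tail -f window in step 4 shows is a stream of FortiOS key=value log lines. The parser below, added here as an example and not taken from the guide or from Fortinet, pulls out the two events step 5 generates (failed administrator logins and configuration changes) so they can be counted per source address. The sample lines are constructed to resemble FortiOS event-log output; the device IDs, log IDs and timestamps in them are illustrative, not captured from a real unit.

```python
import re
from collections import Counter

# Added example, not part of the FortiGate guide. FortiOS syslog lines are
# space-separated key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line as a dict."""
    line = re.sub(r'^<\d+>', '', line.strip())   # drop the syslog PRI (<facility*8+severity>)
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def failed_admin_logins(lines):
    """Count failed administrator logins per (source IP, user)."""
    counts = Counter()
    for line in lines:
        f = parse_fortios_log(line)
        if f.get("type") == "event" and f.get("action") == "login" and f.get("status") == "failed":
            counts[(f.get("srcip"), f.get("user"))] += 1
    return counts


def config_changes(lines):
    """Return (user, ui, cfgpath, cfgobj) for each configuration-change event."""
    changes = []
    for line in lines:
        f = parse_fortios_log(line)
        if f.get("type") == "event" and "cfgpath" in f:
            changes.append((f.get("user"), f.get("ui"), f.get("cfgpath"), f.get("cfgobj")))
    return changes


# Constructed sample, modelled on FortiOS event-log fields. devid/logid values
# are placeholders. Facility local6 (22): PRI 177 = alert, 182 = informational.
SAMPLE = [
    '<177>date=2016-05-26 time=10:15:02 devname=STUDENT devid=FGVM000000000000 logid=0100032002 '
    'type=event subtype=system level=alert vd="root" logdesc="Admin login failed" user="admin" '
    'ui=https(10.0.1.10) method=https srcip=10.0.1.10 dstip=10.0.1.254 action=login status=failed '
    'reason="passwd_invalid" msg="Administrator admin login failed from https(10.0.1.10) because of invalid password"',
    '<182>date=2016-05-26 time=10:15:09 devname=STUDENT devid=FGVM000000000000 logid=0100032001 '
    'type=event subtype=system level=information vd="root" logdesc="Admin login successful" user="admin" '
    'ui=https(10.0.1.10) method=https srcip=10.0.1.10 dstip=10.0.1.254 action=login status=success '
    'msg="Administrator admin logged in successfully from https(10.0.1.10)"',
    '<182>date=2016-05-26 time=10:16:30 devname=STUDENT devid=FGVM000000000000 logid=0100044547 '
    'type=event subtype=system level=information vd="root" logdesc="Object attribute configured" user="admin" '
    'ui=GUI(10.0.1.10) action=Edit cfgtid=12345 cfgpath="firewall.address" cfgobj="fortinet" '
    'cfgattr="comment[->lab]" msg="Edit firewall.address fortinet"',
    '<177>date=2016-05-26 time=10:20:41 devname=REMOTE devid=FGVM000000000001 logid=0100032002 '
    'type=event subtype=system level=alert vd="root" logdesc="Admin login failed" user="admin" '
    'ui=https(10.200.1.1) method=https srcip=10.200.1.1 dstip=10.200.3.1 action=login status=failed '
    'reason="passwd_invalid" msg="Administrator admin login failed from https(10.200.1.1) because of invalid password"',
]

if __name__ == "__main__":
    for (src, user), n in failed_admin_logins(SAMPLE).items():
        print(f"{n} failed login(s) for {user} from {src}")
    for user, ui, path, obj in config_changes(SAMPLE):
        print(f"{user} via {ui} edited {path} {obj}")
```

Because the lab sends both FortiGates' logs to the same collector, filter on devname as well when you alert: the fourth sample line is the Remote FortiGate seeing the Student FortiGate's NAT address (10.200.1.1), the same address whose lockout you tightened in the previous lab.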


Firewall Policies

Lab 1: Firewall Policy

Objectives

• Configure firewall policies in FortiOS
• Configure the source match options available in FortiOS firewall policies
• Apply the firewall object types Address, Service and Schedule
• Configure firewall policy logging options
• Configure NAT
• Configure source NAT settings using overload IP pools
• Configure destination NAT settings using virtual IPs
• Configure firewall policies based on device types
• Reorder firewall policies
• Use CLI commands to review your configuration and perform status checks

Time to Complete
Estimated: 40 minutes


Exercise 1 Creating Firewall Objects & Rules

1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin.

    http://10.0.1.254/

2. Restore the configuration file that is required by this lab:

    Resources\Firewall-Policies\Student\student-policy.conf

FortiGate will reboot.

3. From the GUI on the Student FortiGate device, go to Policy & Objects > Objects > Addresses and create the following address object:

    Name:             STUDENT_INTERNAL
    Type:             Subnet
    Subnet/IP Range:  10.0.1.0/24
    Interface:        Any

Once the settings have been entered, click OK to save the changes.

4. Temporarily disable the unrestricted port3→port1 policy. To do this, go to Policy & Objects > Policy > IPv4, right-click the unrestricted port3→port1 policy in its Status column, then mark the Disable check box.

5. Click Create New to add a new firewall policy that provides general Internet access from the internal network. Configure these settings:

    Incoming Interface:              port3
    Source Address:                  STUDENT_INTERNAL
    Outgoing Interface:              port1
    Destination Address:             all
    Schedule:                        always
    Service:                         HTTP, HTTPS, DNS, ALL_ICMP, SSH (hold down the CTRL key to select multiple services)
    Action:                          ACCEPT
    NAT:                             On
    Use Outgoing Interface Address:  Enabled
    Log Options:                     Enable Log all Sessions and select Generate Logs when Session Starts
    Comments:                        General Internet access

When creating firewall policies, remember that FortiGate is a stateful firewall. As a result, you only need to create one firewall policy that matches the direction of the traffic that initiates the session; reply packets are matched to the existing session entry rather than evaluated against the policy list. Once the policy settings have been entered, click OK to save the changes.

6. On the Windows server, open a web browser and connect to various external web sites.

7. On the Student FortiGate's GUI, go to Log & Report > Traffic Log > Forward Traffic and identify the log entries for your Internet browsing traffic. With the current settings you should have many 0 byte log messages with action start. These are the session start logs. When a session closes, you get a separate log entry with the amount of data sent and received. Logging session starts generates twice the number of log messages; use this option only when this level of detail is absolutely necessary.

8. From the CLI, enter the following command to see the source NAT action:

    get system session list

Sample output:

    STUDENT # get sys session list
    PROTO EXPIRE SOURCE          SOURCE-NAT        DESTINATION        DESTINATION-NAT
    tcp   3600   10.0.1.10:3677  -                 10.0.1.254:22      -
    tcp   3587   10.0.1.10:3717  10.200.1.1:64133  72.30.38.140:80    -
    tcp   3570   10.0.1.10:3681  10.200.1.1:64097  69.171.228.70:80   -
    tcp   3577   10.0.1.10:3710  10.200.1.1:64126  74.125.228.92:80   -
    tcp   3587   10.0.1.10:3708  10.200.1.1:64124  74.125.228.92:80   -
    tcp   3587   10.0.1.10:3706  10.200.1.1:64122  66.94.245.1:80     -
    tcp   2274   10.0.1.10:3608  10.200.1.1:64024  10.200.1.254:22    -
    tcp   3587   10.0.1.10:3712  10.200.1.1:64128  80.239.217.66:80   -
    tcp   3566   10.0.1.10:3679  10.200.1.1:64095  74.125.227.24:80   -

Note that FortiGate is applying a new source address: that of the destination interface, port1 (10.200.1.1), and a new source port. The first session, to 10.0.1.254:22, is not translated because it terminates on the FortiGate's own port3 address rather than passing through the port3→port1 policy. The DESTINATION-NAT column is empty ("-") for all of these sessions; it comes into play with virtual IPs in Exercise 3.


Exercise 2 Policy Actions

1. Use the same steps you performed earlier to create a second firewall policy. Use Create New and leave the policy in its default position. Configure these settings:

    Incoming Interface:     port3
    Source Address:         STUDENT_INTERNAL
    Outgoing Interface:     port1
    Destination Address:    Click Create and configure the following, then click OK:
                                Name:               LINUX_ETH1
                                Type:               Subnet
                                Subnet / IP Range:  10.200.1.254/32
    Schedule:               always
    Service:                PING (Tip: type the name in the search box.)
    Action:                 DENY
    Log Violation Traffic:  Enabled

Click OK to save the changes.

2. From the Windows server, open a command prompt. Ping the port1 gateway:

    ping -t 10.200.1.254

If you have not changed the rule ordering, the ping should still work because it matches the ACCEPT policy and not the DENY policy that you just created. This demonstrates the behavior of policy ordering: the second policy was never checked because the traffic matched the first policy. Leave this window open and perform the next step.

3. Click the Seq.# of the DENY policy created previously and drag it up to position it before the General Internet Access policy.

4. Return to the Windows server and examine the command prompt window still running the continuous ping. You should observe that this traffic is now blocked and the replies appear as "Request timed out". Enter CTRL-C to end the ping command.

5. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and identify the log entries for your ping traffic. With the current settings you should have one entry for the ping traffic that was allowed, followed by many 0 byte log messages for the violation traffic.

6. To stop your logs from filling up with 0 byte log messages, you can enable the following setting from the CLI. It creates a session table entry for denied traffic, so that subsequent packets belonging to that session are dropped against the session instead of being evaluated and logged one by one:

    config system settings
    set ses-denied-traffic enable
    end

This setting reduces the number of log entries caused by the violation traffic. Notice how the time between log entries increases.
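The ordering effect in steps 2 to 4 is easy to reason about offline with a small model of first-match evaluation. The Python below is an added example, not from the guide and not how FortiOS is implemented: the Policy class, the SERVICES table and the function names are the editor's assumptions, and the model evaluates only the packet that initiates a session, since replies ride the existing session entry and never consult the policy list.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the FortiGate guide: a minimal first-match model of
# the port3 -> port1 policy list built in this lab. Names are assumptions.

SERVICES = {   # service name -> set of (protocol, destination port); ICMP has no port
    "HTTP": {("tcp", 80)}, "HTTPS": {("tcp", 443)},
    "DNS": {("udp", 53), ("tcp", 53)}, "SSH": {("tcp", 22)},
    "PING": {("icmp", None)}, "ALL_ICMP": {("icmp", None)},
}


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: list      # CIDR strings, or ["all"]
    dstaddr: list
    services: list     # names from SERVICES, or ["ALL"]
    action: str        # "accept" or "deny"
    log: bool = False


def _addr_match(ip, addrs):
    if "all" in addrs:
        return True
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(n, strict=False) for n in addrs)


def _service_match(proto, dport, services):
    if "ALL" in services:
        return True
    return any(sproto == proto and (sport is None or sport == dport)
               for name in services for sproto, sport in SERVICES[name])


def evaluate(policies, srcintf, dstintf, src, dst, proto, dport=None):
    """Walk the list top-down for a session-initiating packet and return
    (policy name, action). The first match wins; nothing matching falls to
    the implicit deny, which is not logged unless you enable that explicitly."""
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and _addr_match(src, p.srcaddr) and _addr_match(dst, p.dstaddr)
                and _service_match(proto, dport, p.services)):
            return p.name, p.action
    return "Implicit", "deny"


def lab_policies(deny_first=False):
    """The two policies from Exercises 1 and 2, before or after step 3's reorder."""
    internet = Policy("General Internet access", "port3", "port1", ["10.0.1.0/24"], ["all"],
                      ["HTTP", "HTTPS", "DNS", "ALL_ICMP", "SSH"], "accept", log=True)
    block_ping = Policy("Block ping to LINUX_ETH1", "port3", "port1", ["10.0.1.0/24"],
                        ["10.200.1.254/32"], ["PING"], "deny", log=True)
    return [block_ping, internet] if deny_first else [internet, block_ping]


if __name__ == "__main__":
    ping = ("port3", "port1", "10.0.1.10", "10.200.1.254", "icmp")
    print(evaluate(lab_policies(), *ping))                 # ('General Internet access', 'accept')
    print(evaluate(lab_policies(deny_first=True), *ping))  # ('Block ping to LINUX_ETH1', 'deny')
```

Run it against any proposed reorder before dragging policies on a production unit: a deny that is meant to carve an exception out of a broad accept only works when it sits above that accept, which is what step 3 fixes.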


Exercise 3 Access through Virtual IPs

In this exercise, you will configure a virtual IP address to allow Internet connections to the Windows server located at 10.0.1.10.

1. On the Student FortiGate's GUI, go to Policy & Objects > Objects > Virtual IPs. Click Create New to add a new virtual IP mapping:

    Name:                        VIP_INTERNAL_HOST
    External Interface:          port1
    Type:                        Static NAT
    External IP Address/Range:   10.200.1.200 - 10.200.1.200
    Mapped IP Address/Range:     10.0.1.10

Click OK to save the changes.

2. Create a new firewall policy to provide access to the web server. Configure these settings:

    Incoming Interface:    port1
    Source Address:        all
    Outgoing Interface:    port3
    Destination Address:   VIP_INTERNAL_HOST
    Schedule:              always
    Service:               HTTP, HTTPS
    Action:                ACCEPT
    Log Options:           Enable Log all Sessions and select Generate Logs when Session Starts
    Enable NAT:            Disabled (default)
    Comments:              Public access to web server

Click OK to save the changes. Because the destination is a VIP object, the policy matches on the external address 10.200.1.200 and FortiGate rewrites the destination to 10.0.1.10; the policy's NAT option controls only source NAT and is not needed for the VIP to work.

3. The firewall is stateful, so any existing sessions will not use this new firewall policy until they time out or are cleared. The sessions can be cleared individually from the session widget on the Status page, or all at once from the CLI by executing the following:

    diag sys session clear

Caution: Without a filter, this command clears every session on the FortiGate and interrupts all traffic through it. On a production device, set a diag sys session filter first so that only the sessions you intend are cleared.

4. Connect to the console of the remote host, open a web browser and access the following URL:

    http://10.200.1.200

If the virtual IP operation is successful, a simple web page appears.


5. From the CLI on the Student FortiGate, check the destination NAT entries in the session table:

    get system session list

Sample output:

    STUDENT # get sys session list
    PROTO EXPIRE SOURCE            SOURCE-NAT  DESTINATION       DESTINATION-NAT
    tcp   3537   10.200.3.1:62426  -           10.200.1.200:80   10.0.1.10:80

6. On the Windows server, open a web browser and connect to a few external web sites. Now return to the CLI on the FortiGate named Student, and examine the session information again:

    get system session list

Sample output:

    STUDENT # get sys session list
    PROTO EXPIRE SOURCE          SOURCE-NAT          DESTINATION           DESTINATION-NAT
    tcp   3591   10.0.1.10:3995  10.200.1.200:3995   66.94.241.1:80        -
    tcp   3590   10.0.1.10:3977  10.200.1.200:3977   72.30.38.140:80       -
    tcp   3553   10.0.1.10:3965  10.200.1.200:3965   184.150.187.83:80     -
    tcp   3592   10.0.1.10:3998  10.200.1.200:3998   74.125.228.92:80      -
    tcp   3584   10.0.1.10:3969  10.200.1.200:3969   69.171.237.16:80      -
    tcp   3596   10.0.1.10:4001  10.200.1.200:4001   208.91.113.80:80      -
    tcp   3590   10.0.1.10:3983  10.200.1.200:3983   216.115.100.102:80    -
    tcp   3590   10.0.1.10:3979  10.200.1.200:3979   216.115.100.103:80    -
    tcp   3590   10.0.1.10:3987  10.200.1.200:3987   216.115.100.102:80    -
    tcp   3590   10.0.1.10:3981  10.200.1.200:3981   216.115.100.103:80    -
    tcp   3590   10.0.1.10:3985  10.200.1.200:3985   216.115.100.102:80    -
    tcp   1013   10.0.1.10:3608  10.200.1.1:64024    10.200.1.254:22       -
    tcp   3589   10.0.1.10:3976  10.200.1.200:3976   72.30.38.140:80       -
    tcp   3591   10.0.1.10:3996  10.200.1.200:3996   184.150.187.99:80     -
    tcp   3554   10.0.1.10:3967  10.200.1.200:3967   74.125.228.65:80      -
    tcp   3590   10.0.1.10:3990  10.200.1.200:3990   216.115.100.103:80    -
    tcp   3591   10.0.1.10:3978  10.200.1.200:3978   216.115.100.103:80    -
    tcp   3590   10.0.1.10:3980  10.200.1.200:3980   216.115.100.103:80    -

Note that the outgoing connections from the Windows server are now being NATed with the VIP address rather than the firewall's interface address. This is the behavior of a static NAT VIP: when you enable NAT on a policy, a static NAT VIP whose mapped address matches the source takes priority over the destination interface IP address. Two details in the output confirm what happened. The VIP preserves the source port (10.0.1.10:3995 becomes 10.200.1.200:3995), whereas the interface-address translation in Exercise 1 assigned new ports. And the SSH session from 10.0.1.10:3608 is still translated to 10.200.1.1:64024: it was established before the VIP existed and keeps its original translation until it ends, which is why step 3 had you clear the session table.


Exercise 4 Dynamic NAT with IP Pools

Currently, the Student FortiGate translates the source IP address of all traffic generated by the Windows server to 10.200.1.200 because of the source NAT translation in the VIP. Now you will apply an IP address pool to change the behavior from static NAT to dynamic NAT.

1. On the Student FortiGate's GUI, go to Policy & Objects > Objects > IP Pools. Create a new IP pool:

    Name:                       INTERNAL_HOST_EXT_IP
    Type:                       Overload
    External IP Range/Subnet:   10.200.1.100-10.200.1.100

Once the settings have been entered, click OK to save the changes.

2. Go to Policy & Objects > Policy > IPv4, and right-click the port3→port1 policy. Select Copy Policy, then right-click the same policy again and select Paste Before.

3. Select the new copy of the General Internet Access policy and configure these settings:

    Incoming Interface:     port3
    Source Address:         STUDENT_INTERNAL
    Outgoing Interface:     port1
    Destination Address:    all
    Schedule:               always
    Service:                ALL
    Action:                 ACCEPT
    Log Options:            Enable Log all Sessions and select Generate Logs when Session Starts
    Enable NAT:             Enabled
    Use Dynamic IP Pool:    INTERNAL_HOST_EXT_IP
    Comments:               Windows Server source NAT override

Click OK to save the changes. Verify that the policy is enabled. (Because this copy uses Service ALL and sits above the original policy, it now carries all of the internal network's outbound traffic; in production, scope a NAT override like this to the specific source host that needs it.)

4. FortiGate does stateful inspection, so any existing sessions will not use this new firewall policy until they time out or you manually clear them. You can do this either individually from the session widget on the dashboard, or from the CLI; the filter below limits the clear to the Windows server's sessions:

    diag sys session filter src 10.0.1.10
    diag sys session clear

5. Connect to a few web sites such as http://yahoo.com/. From the CLI on the Student FortiGate, verify the source NAT IP address that those sessions are using:

    get system session list

Sample output:

    STUDENT # get system session list
    PROTO EXPIRE SOURCE          SOURCE-NAT           DESTINATION           DESTINATION-NAT
    tcp   3599   10.0.1.10:3963  10.200.1.100:64379   74.125.225.126:443    -
    tcp   3599   10.0.1.10:3961  10.200.1.100:64377   74.125.225.111:443    -
    tcp   3552   10.0.1.10:3953  10.200.1.100:64369   76.74.133.167:80      -
    tcp   3597   10.0.1.10:3956  10.200.1.100:64372   74.125.225.118:80     -
    tcp   3597   10.0.1.10:3954  10.200.1.100:64370   74.125.225.117:80     -
    tcp   3598   10.0.1.10:3959  10.200.1.100:64375   199.7.57.72:80        -
    tcp   16     10.0.1.10:3948  10.200.1.100:64364   66.36.238.121:22      -
    tcp   3598   10.0.1.10:3958  10.200.1.100:64374   209.85.225.84:443     -
    tcp   3599   10.0.1.10:3962  10.200.1.100:64378   74.125.225.99:443     -
    tcp   0      10.0.1.10:3960  10.200.1.100:64376   98.139.200.238:80     -
    tcp   3597   10.0.1.10:3955  10.200.1.100:64371   74.125.225.118:80     -

Notice that the source NAT address is now 10.200.1.100, as configured in the IP pool, and that the IP pool has overridden the static NAT VIP. The source ports are rewritten again (for example, 3963 becomes 64379), as expected for an overload pool, which shares one external address among many sessions by port. The precedence you have now seen is: IP pool on the policy, then a matching static NAT VIP, then the outgoing interface address.
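The session listings in Exercises 1, 3 and 4 differ only in which address appears in the SOURCE-NAT column. The parser below, added here as an example and not part of the guide, reads the output of get system session list and classifies each session's translation as interface address, static NAT VIP, IP pool, or none, and records whether the source port survived. The lab addresses are the ones used in these exercises; the sample output is constructed from rows shown above, and the function names are assumptions.

```python
# Added example (not from the FortiGate guide): parse `get system session list`
# output and report where each session's source address came from.

PROTOS = ("tcp", "udp", "icmp")


def parse_session_list(text):
    """Return one dict per session row. A '-' in a NAT column means untranslated."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the prompt, the header and blank lines: data rows have six columns
        # and start with a protocol name followed by the numeric expiry.
        if len(parts) != 6 or parts[0] not in PROTOS or not parts[1].isdigit():
            continue
        proto, expire, src, snat, dst, dnat = parts
        sessions.append({
            "proto": proto, "expire": int(expire), "source": src,
            "source_nat": None if snat == "-" else snat,
            "destination": dst,
            "destination_nat": None if dnat == "-" else dnat,
        })
    return sessions


def _split(addr_port):
    ip, _, port = addr_port.rpartition(":")
    return ip, int(port)


def classify_snat(session, iface_ip, vip_ips=(), pool_ips=()):
    """Name the source of the translated address and whether the source port
    survived: a static NAT VIP keeps the original port, an overload pool and
    the interface address do not."""
    if session["source_nat"] is None:
        return {"snat": "none", "port_preserved": None}
    nat_ip, nat_port = _split(session["source_nat"])
    _, src_port = _split(session["source"])
    if nat_ip == iface_ip:
        kind = "interface"
    elif nat_ip in vip_ips:
        kind = "vip"
    elif nat_ip in pool_ips:
        kind = "ippool"
    else:
        kind = "other"
    return {"snat": kind, "port_preserved": nat_port == src_port}


def summarize(text, iface_ip, vip_ips=(), pool_ips=()):
    """Count sessions per translation source; compare before and after a change."""
    counts = {}
    for s in parse_session_list(text):
        kind = classify_snat(s, iface_ip, vip_ips, pool_ips)["snat"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample assembled from rows shown in Exercises 1, 3 and 4.
SAMPLE = """STUDENT # get sys session list
PROTO EXPIRE SOURCE            SOURCE-NAT          DESTINATION          DESTINATION-NAT
tcp   3600   10.0.1.10:3677    -                   10.0.1.254:22        -
tcp   3587   10.0.1.10:3717    10.200.1.1:64133    72.30.38.140:80      -
tcp   3537   10.200.3.1:62426  -                   10.200.1.200:80      10.0.1.10:80
tcp   3591   10.0.1.10:3995    10.200.1.200:3995   66.94.241.1:80       -
tcp   3599   10.0.1.10:3963    10.200.1.100:64379  74.125.225.126:443   -
"""

if __name__ == "__main__":
    for s in parse_session_list(SAMPLE):
        c = classify_snat(s, "10.200.1.1", vip_ips=("10.200.1.200",), pool_ips=("10.200.1.100",))
        print(f'{s["source"]:18} -> {s["destination"]:20} snat={c["snat"]:9} port_preserved={c["port_preserved"]}')
    print(summarize(SAMPLE, "10.200.1.1", ("10.200.1.200",), ("10.200.1.100",)))
    # {'none': 2, 'interface': 1, 'vip': 1, 'ippool': 1}
```

Feed it the real output captured from the console after each exercise: an unexpected "interface" entry after Exercise 3 is a session that predates the VIP, and an "other" entry means a translation you did not configure.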


Exercise 5 Device Identification

1. Disable all outgoing policies except for the General Internet Access policy.

2. From the Windows server, run a continuous ping to 10.200.1.254.

3. Edit the outgoing General Internet Access policy. Select Source Device Type and choose a type that will not match your Windows server, such as Linux PC. Click OK. FortiGate will notify you that this action enables device identification on the source interface. Click OK to accept this change. Return to the continuous ping. You should observe that this traffic is blocked. Try browsing the Internet and confirm that the firewall blocks this traffic.

4. Go to your Forward Traffic log. You should observe that there are no logging entries. This is because the traffic matches the implicit deny policy, and logging is not enabled on it by default. Edit the implicit deny policy and enable Log Violation Traffic. Return to the Forward Traffic log and confirm that there are logging entries for the denied traffic.

5. Edit the outgoing General Internet Access policy and change the Source Device Type to Windows PC to match your Windows server. Return to the continuous ping started earlier. You should observe that this traffic is allowed. Try browsing the Internet and confirm that the firewall allows this traffic.

6. Go to User & Device > Device > Device Definition and review the details of your detected host device. This is a dynamic device list. FortiGate may update its list of devices and cache them to the flash disk to speed up detection. You can view the same list from the CLI:

    diag user device list

7. Clear the device from the CLI and then verify that it has been removed:

    diag user device clear
    diag user device list

8. From the Windows server, visit a few web sites. This generates traffic so that device identification can detect the host. Usually, it uses the HTTP User-Agent: header. Because that header is set by the client, a host can present whatever value it likes; treat device-type matching as a convenience for policy selection, not as authentication of the host.

9. Display the device list again, and look for the internal host:

    diag user device list

10. Perform a show from the CLI to confirm that there are no devices in the configuration file:

    show user device

11. From the GUI, go to User & Device > Device > Device Definition. Edit your device from the device list. Add an alias called myDevice. This creates a static device in the configuration file. Click OK to save the change. Run the following show command to confirm that the device now appears in the configuration file as a permanent device:

    show user device

12. Go to User & Device > Device > Device Group. Note that your device is already a member of several predefined device groups. Click Create New and add a new device group called myDevGroup. Add myDevice to the Members list and click OK. Note that your device is still a member of the predefined groups and is now also a member of the custom group myDevGroup.

13. Return to the outgoing General Internet Access policy and configure it to use your permanent device or static device group. Check that your traffic is unaffected by this change.


Firewall Authentication
Lab 1: User Authentication

In this lab, you will learn how to authenticate users with FortiGate.

Objectives
- Create an authentication policy
- Manage user authentication
- Track user login events
- Monitor active users
- Enable the captive portal
- Exempt some users from the captive portal

Time to Complete
Estimated: 20 minutes


Exercise 1 Authentication via a Firewall Policy

1. On the Win-Student computer, open the Windows CLI and type the following command:
   Use_External_DNS
   Check the output of the command.

2. Open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin.
   http://10.0.1.254/

3. Restore the configuration file that is required by this lab:
   Resources\Firewall-Authentication\Student\student-auth.conf
   FortiGate will reboot.

4. Log in again. Review the user configuration for this lab. Go to User & Device > User > User Definition to review the local user settings. Go to User & Device > User Group > User Groups to review the user group configuration. You should see that there are 2 users (Student and Guest), 3 groups (Guest-group, SSO_Guest_Users, and training) and 2 firewall policies for port3 → port1.

5. Go to System > Network > DNS Server and delete the entry for port3.

6. Confirm that the user is properly configured by using the CLI command:
   diag test auth local training Student F0rtinet
   The command should return a successful result if the proper configuration has been loaded.
   Note: The second character in F0rtinet (the password) is the number zero, not the letter O. Both the user name and password are case-sensitive.

7. On the Win-Student server, open a web browser and connect to a new web site. You should observe that the web site does not display and the request times out.

8. Open a command prompt and try to ping a web site by its host name, for example:
   ping www.hotmail.com
   You should find that the computer is unable to resolve the host name to an IP address.

9. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4. Review the outgoing port3 → port1 firewall policy with authentication configured as Source User(s): training. Add DNS as an allowed service and apply the change to that policy.


   Return to the Windows command prompt and attempt to ping by name again. Now the host name should resolve via DNS, but the ping still times out because the policy does not allow ICMP.
   Note: FortiGate allows DNS to pass through the policy even though authentication has not succeeded yet.

10. On the Win-Student server, open a web browser. Connect to a new web site. At the login prompt, enter the following credentials:
   Username: Student
   Password: F0rtinet
   You should observe that after successful authentication, FortiGate redirects your browser to the web site that you requested.

11. On the Student FortiGate, go to User & Device > Monitor > Firewall to view the details of the authenticated user, including their IP address, how much traffic they have sent, which authentication method was used, and so on. If you right-click the column headers, you can add more columns to the display.

12. Go to System > Network > DNS Server. Add a new DNS service entry for port3 that is set to Forward to System DNS.

13. On the Win-Student computer, open the Windows CLI and type the following command:
   Use_Internal_DNS
   Check the output of the command.

14. From the CLI, view the IP addresses and users that have successfully authenticated to the FortiGate unit with the following command:
   diag firewall auth list
   Clear all authenticated sessions with the following command:
   diag firewall auth clear
   Caution: Be careful when using this command on a FortiGate in a real network. It clears all authenticated users.


Exercise 2 Captive Portals

Note: Verify that you are not authenticated through the FortiGate before you begin. Use either the User Monitor in the GUI or the CLI command from the previous exercise to de-authenticate.

1. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4. Edit the second policy (which does not have authentication enabled and is currently greyed out) and enable it. You can open the policy, select Enable this policy at the bottom and apply the change, or right-click the Seq # and select Enable.

2. On the Windows desktop, open a web browser and connect to a new web site. You should observe that, unlike before, FortiGate does not ask you to authenticate, yet you can still access the web site even though the first policy has authentication enabled. This illustrates how authentication interacts with firewall policies. The source of the first policy is your IP AND all users in the training group. You have not authenticated yet, so your traffic does not match the source of that policy. The second policy matches all IPs and has no authentication options enabled, so it matches your traffic and allows the connection through. Since FortiGate found a policy match on the source IP alone, it does not force a login.
   Note: This is also why a permissive catch-all policy placed below an authentication policy silently defeats the authentication requirement.

3. On the Student FortiGate's GUI, go to System > Network > Interfaces and edit the port3 interface. Set the Security Mode to Captive Portal and click OK to save the change.

4. Open a web browser and connect to a new web site. FortiGate should prompt you to log in. Use the same credentials as in the previous exercise.
   Note: If you are not prompted to log in, refer to step 1.

5. On the Student FortiGate's GUI, go to Policy & Objects > Policy > IPv4. Edit the first firewall policy. Change the source to STUDENT_FALSE and the group to training.
   Note: STUDENT_FALSE has the IP 10.0.1.100, so it does not match the IP of the Win-Student computer.

6. On the Student FortiGate's GUI, go to User & Device > Monitor > Firewall. De-authenticate your user session.

7. Open a web browser and connect to a new web site. FortiGate should not prompt you to log in, but show a disclaimer instead. Look at the firewall policies in the CLI:
   config firewall policy
   show
   end
   You should find that the second policy is exempt from the captive portal (captive-portal-exempt is enabled on it). This means that even though port3 has the captive portal enabled for all traffic behind it, any traffic that matches the second firewall policy will not be sent to the captive portal to authenticate.


SSL VPN
Lab 1: SSL VPN

In this lab, you will manage user groups and portals for the SSL VPN.

Objectives
- Configure and connect to an SSL VPN
- Enable authentication security
- Configure firewall policies for access to private network resources

Time to Complete
Estimated: 30 minutes


Exercise 1 SSL VPN for Web Access

1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin.
   http://10.0.1.254/

2. Restore the configuration file that is required by this lab:
   Resources\SSL-VPN\Student\student-ssl.conf
   FortiGate will reboot.

3. When the device has rebooted, review the SSL VPN access configuration for this lab. Go to Policy & Objects > Policy > IPv4 and examine the ssl.root → port1 firewall policy.

4. Edit this policy to view its components. Configure these settings:
   Incoming Interface:  ssl.root
   Source Address:      all
   Source User(s):      Training_One
   Outgoing Interface:  port1

5. Under VPN > SSL > Settings, review the authentication rules at the bottom. They give all users who are authorized to log in access to the web-access portal.

6. To observe the effect of this policy you will now access the SSL VPN. On the Win-Remote computer, open a web browser and access the SSL VPN by browsing to:
   https://10.200.1.1/
   Accept the security warnings for the self-signed certificate and log in using the following credentials:
   Username: Student
   Password: F0rtinet
   Note: Accepting the warning is acceptable only in this lab. In production, the SSL VPN gateway should present a certificate the clients already trust; users trained to click through certificate warnings cannot tell a real gateway from an impostor.
   You should notice that you are able to log in, but the web portal still has its default settings. You will now configure the web-access portal, which is the portal selected in the SSL VPN policy.

7. Log out and return to the Win-Student computer.

8. In the GUI of the Student FortiGate, go to VPN > SSL > Portals, select web-access and click Edit to modify the settings for this portal. Create the following bookmarks for the internal server.
   First Bookmark:


   Category:  Test
   Name:      Linux Website
   Type:      HTTP/HTTPS
   URL:       10.200.1.254
   Click OK.

   Second Bookmark:
   Category:  Test
   Name:      Student Computer Website
   Type:      RDP
   Host:      10.0.1.10
   Click OK. Click OK at the bottom of the page to save the bookmarks on this portal.

9. Test the SSL VPN access again from the Win-Remote computer by browsing to:
   https://10.200.1.1
   You should now observe that you have two bookmarks listed.

10. Select the "Linux Website" bookmark and examine the items listed below to understand how web access works.
   Note: Do not use the Student Computer Website bookmark yet. It will be tested in the next exercise.
   Note the URL of the web site in the browser address bar:
   https://10.200.1.1/proxy/http/10.200.1.254/
   The first part of the address is the encrypted link to the FortiGate SSL VPN gateway: https://10.200.1.1/
   The second part of the address is the instruction to use the SSL VPN HTTP proxy: .../proxy/http...
   The final part of the address is the destination of the connection from the HTTP proxy: .../10.200.1.254/
   In this example, the connection is encrypted only up to the SSL VPN gateway. The connection from the HTTP proxy to the final destination is in clear text, so the internal segment between the FortiGate and the server must be trusted, or the bookmark should point at an HTTPS URL.

11. Return to the Win-Student computer and, from the GUI on the Student FortiGate, go to VPN > Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN connection. Note the User, Source IP and Begin Time. Log the user out by selecting their name and clicking Delete.
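The web-mode URL structure described in step 10 can be taken apart mechanically. The following is an added example, not code from the student guide or from Fortinet: it parses a URL of the form https://gateway/proxy/scheme/destination/path into its three parts and reports whether the second leg (proxy to server) is encrypted. The page only shows the http variant; treating "https" in the same position as an HTTPS bookmark is an assumption of this example.

```javascript
// Added example (not from the FortiGate student guide): split an SSL VPN
// web-mode bookmark URL into gateway, inner scheme and destination.
//   https://<gateway>/proxy/<scheme>/<destination-host>/<path>
// Assumption: "https" in the <scheme> position denotes an HTTPS bookmark.

function parseWebModeUrl(urlString) {
  const u = new URL(urlString);
  // Everything up to and including the host is the TLS session to the gateway.
  const gateway = `${u.protocol}//${u.host}/`;
  // Expect "/proxy/<scheme>/<dest>/..."; anything else is not a web-mode proxy URL.
  const m = u.pathname.match(/^\/proxy\/(https?)\/([^/]+)(\/.*)?$/);
  if (!m) return null;
  const [, innerScheme, destination, rest] = m;
  return {
    gateway,
    innerScheme,
    destination,
    destinationPath: rest || "/",
    // Browser <-> gateway is always TLS; gateway <-> server is protected
    // only when the bookmark itself is HTTPS.
    serverLegEncrypted: innerScheme === "https",
  };
}

// Human-readable summary of where the clear-text segment, if any, begins.
function describeWebModeUrl(urlString) {
  const p = parseWebModeUrl(urlString);
  if (!p) return "not an SSL VPN web-mode proxy URL";
  const leg = p.serverLegEncrypted ? "encrypted end to end" : "clear text after the gateway";
  return `${p.gateway} -> ${p.innerScheme}://${p.destination}${p.destinationPath} (${leg})`;
}

// Constructed sample: the URL from the lab plus two variants (not captured traffic).
for (const s of [
  "https://10.200.1.1/proxy/http/10.200.1.254/",
  "https://10.200.1.1/proxy/https/intranet.example/login",
  "https://10.200.1.1/remote/login",
]) {
  console.log(describeWebModeUrl(s));
}
```

For the bookmark in the lab, the function reports the server leg as clear text, which is exactly the property step 10 asks you to notice before exposing an internal server this way.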


Exercise 2 Testing Authentication

1. On the Win-Remote computer, open a web browser. Start the SSL VPN by going to:
   https://10.200.1.1
   When prompted, log in to the SSL VPN using the following credentials:
   Username: Student2
   Password: F0rtinet
   You should receive a permission denied failure message.

2. Go to the CLI of the Student FortiGate. Test user authentication locally:
   diag test auth local Training_Two Student2 F0rtinet
   This user should authenticate successfully. Together with the behavior you observed in the previous step, this means that while FortiGate can confirm the user and group information, that user is not authorized to log in to the SSL VPN portal.

3. To allow those users to log in, go to the firewall policies. Edit the ssl.root → port1 policy by adding Training_Two as an additional source user group.

4. To observe the effect of these changes, access the SSL VPN again. Log in with both the Student and Student2 users. What do you see when you log in? You should see the same portal as in the previous exercise. Why? The portal mapping rules send all users to the web-access portal.

5. Under VPN > SSL > Settings create a new mapping for a user group and portal:
   Users/Group:  Training_Two
   Portal:       full-access
   After adding the mapping rule, click OK to go back to the settings page, then click APPLY to save the changes.


   Note: If you click OK but do not click APPLY, FortiGate will not save the changes you made to the portal mapping rules.

6. Log out of the SSL VPN portal (if you haven't already) and log in again. Be sure to use the Student2 credentials from step 1. You should now observe that the portal established is the full-access portal, which has different widgets and options enabled than the web-access portal.


Exercise 3 Accessing Resources Beyond Different Interfaces

1. Log out of the SSL VPN portal (if you haven't already) and log in again as Student.

2. Now click the "Student Computer Website" bookmark created in Exercise 1. FortiGate should display an access error. Why? All traffic generated by users of the SSL VPN on this FortiGate originates from the ssl.root interface. This includes both web-mode and tunnel-mode traffic. The host IP, 10.0.1.10, is behind port3 and there is no firewall policy that allows traffic ssl.root → port3.

3.

4. Go to Policy & Objects > Policy > IPv4 and create a firewall policy with the following settings:
   Incoming Interface:   ssl.root
   Source Address:       all
   Source User(s):       Training_One, Training_Two
   Outgoing Interface:   port3
   Destination Address:  STUDENT_INTERNAL
   Schedule:             always
   Service:              ALL
   Action:               ACCEPT
   Note: Service ALL keeps the lab simple. In production, restrict policies from ssl.root to the services the bookmarks and tunnel users actually need.
   Go back to the SSL VPN portal and select the "Student Computer Website" bookmark again. FortiGate should now display the web site because traffic is allowed to pass from ssl.root to port3.

5. Log out of the SSL VPN portal.

6. In your browser, go to:
   http://10.0.1.10/
   The connection should time out because there is no access from the Win-Remote computer to the Win-Student computer.

7. Log in to the SSL VPN portal again, this time as Student2. Scroll down to the SSL VPN tunnel area. If you have not yet installed the SSL VPN adapter, a message will appear. Click the link to download and install the adapter, then log in again. Three buttons should now appear instead of the error message: Connect, Disconnect, and Refresh. Click Connect.

8. In your browser, go again to:
   http://10.0.1.10/
   Now the connection should succeed and the web page should display, because the Win-Remote computer now sends this traffic through the SSL VPN tunnel rather than to its default gateway.


Basic IPsec VPN
Lab 1: IPsec VPN

In this lab, you will configure an IPsec VPN on the FortiGate using both interface-based and policy-based modes.

Objectives
- Demonstrate the differences between interface-based and policy-based VPNs
- Explain IPsec VPN configuration options

Time to Complete
Estimated: 30 minutes


Exercise 1 Site-to-Site IPsec VPN

1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin.
   http://10.0.1.254/

2. Restore the configuration file that is required by this lab:
   Resources\Basic-IPsec-VPN\Student\student-ipsec.conf
   The Student FortiGate will reboot.

3. Go to the GUI for the FortiGate named Remote, and log in as admin.
   http://10.200.3.1/

4. Restore the configuration file that is required by this lab:
   Resources\Basic-IPsec-VPN\Remote\remote-ipsec.conf
   The Remote FortiGate will reboot.

5. When the Student FortiGate has rebooted, open a command prompt on the Windows server. Run a continuous ping to the Win-Remote computer:
   ping -t 10.0.2.10

6. From the GUI on the Student FortiGate, go to VPN > Monitor > IPsec Monitor and examine the tunnel status. You should observe a tunnel named remote with the destination 10.200.3.1, and its status should be up. This is the tunnel that the Student FortiGate established with the Remote FortiGate.

7. Review the firewall policy port3 → remote. Display the Count column so that you can see the packets and bytes per policy. Observe that the counter is incrementing for the port3 → remote policy. What is the interface remote? Go to System > Network > Interfaces and note the plus (+) associated with port1. If you expand it, you will see the remote interface; its type is Tunnel Interface.

8. Go to VPN > IPsec > Tunnels. Select the remote tunnel, then click Edit to review the IPsec configuration. You can click Edit next to each section to review the details and make configuration changes. Click the check mark to save your changes or the X to discard them.

9. Go to Router > Monitor > Routing Monitor and view the current routing table. You will observe a static route to the destination 10.0.2.0/24 pointing to the remote interface. This is an example of a route-based (interface-based) VPN configuration. The alternative is the policy-based VPN, which we will review next. Usually, route-based VPNs are preferred, but there are a few exceptions where you would need to use a policy-based VPN. These will be discussed later.

10. Open a web browser on the Windows server. Connect to the GUI on the Remote FortiGate device.

11. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote FortiGate device. You should observe a tunnel named student with the destination 10.200.1.1, and its status should be up. This is the tunnel that this FortiGate established with the Student FortiGate.

12. Go to System > Network > Interfaces. Notice that there is no tunnel sub-interface under port4.

13. Go to Router > Monitor > Routing Monitor and view the current routing table. Notice that there is no specific route for 10.0.1.0/24; there is only a default route. How is the traffic entering the tunnel, then?

14. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a policy from port6 to port4 for address 10.0.2.0/24 (REMOTE_INTERNAL) to address 10.0.1.0/24 (STUDENT_INTERNAL) with action IPsec. Edit this policy to view its settings. The policy subtype is IPsec, and it uses the VPN tunnel called student. It also has permissions to allow traffic inbound as well as outbound. We will look at these settings later. How is the traffic matching this policy? On the Student FortiGate, a static route sends traffic to the IPsec virtual interface. Here there is no such static route. Instead, the policy itself sends traffic into the VPN: the IPsec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it into the tunnel named student.

15. On the Remote FortiGate's GUI, go to VPN > IPsec > Tunnels. Select the student tunnel, then click Edit to review the IPsec configuration. You can click Edit next to each section to review the details and make configuration changes. Click the check mark to save your changes or the X to discard them.

16. Edit the Phase 1 IKE object and select Advanced to view all the settings. Note that IPsec Interface Mode is not selected. The Phase 1 IKE object is the IPsec tunnel referenced in the IPsec firewall policy. Here we are using a policy-based VPN on the Remote FortiGate device and an interface-based VPN on the Student FortiGate device. The mode is of local significance only, so the two can be mixed, as in this example.

17. From the Win-Remote desktop, attempt to run a continuous ping to 10.0.1.10. You should observe that this ping fails. Can you identify why? With a policy-based VPN, a single IPsec firewall policy allows both inbound and outbound traffic (the policy carries separate inbound and outbound permissions). With an interface-based VPN, you need two separate firewall policies: one for outbound traffic to the tunnel interface and one for inbound traffic from it. On the Student FortiGate, the VPN is interface-based and only the outgoing policy (port3 → remote) has been configured, so FortiGate drops the new incoming connection: there is no firewall policy to allow it.

18. Return to the Student FortiGate. Add the missing firewall policy (remote → port3) that allows traffic to travel in the opposite direction. You should observe that the ping now succeeds.


Explicit Web Proxy
Lab 1: Explicit Web Proxy

In this lab, you will learn how to configure FortiGate as an explicit web proxy.

Objectives
- Configure a FortiGate as an explicit web proxy
- Use a PAC file to configure the Internet browser to use the web proxy
- Exempt some servers from the proxy
- Display the list of current web proxy users

Time to Complete
Estimated: 30 minutes


Exercise 1 Configuring the Explicit Web Proxy

1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin.
   http://10.0.1.254/

2. Restore the configuration file that is required by this lab:
   Resources\Explicit-Web-Proxy\Student\student-wp.conf

3. Go to System > Dashboard > Status. In the Features widget, enable Explicit Proxy. Click Apply.

4. Go to System > Network > Explicit Proxy and enable HTTP / HTTPS web proxy.

5. Go to System > Network > Interfaces and edit port3. Enable the option Enable Explicit Web Proxy. Click OK.

6. Go to Policy & Objects > Policy > Explicit Proxy. Click Create New. Add this explicit proxy policy:
   Explicit Proxy Type:  Web
   Source Address:       STUDENT_INTERNAL
   Outgoing Interface:   port1
   Destination Address:  all
   Action:               AUTHENTICATE
   Add this authentication rule:
   Source User(s):  Student
   Schedule:        always
   Click OK to save it.

7. Open Mozilla Firefox. Click the Open menu icon in the top right corner. Select Options.

8. Go to the Advanced > Network tab and click Settings.


9. Select Manual proxy configuration and enter:
   HTTP Proxy:  10.0.1.254
   Port:        8080
   Enable the option Use this proxy server for all protocols. Additionally, add the subnet 10.0.1.0/24 to the No Proxy for list. This list contains the names, IP addresses and subnets of web sites that are exempted from using the proxy.
   Click OK.


10. Try to browse any web site. FortiGate will ask you for authentication. Use these credentials:
   User Name:  Student
   Password:   F0rtinet
   After that, you should have Internet access through the explicit web proxy.
   Note: The second character in F0rtinet (the password) is a zero (0), not the letter O. Both the username and password are case-sensitive.

11. While browsing different web sites, type the following CLI command to check the list of active web proxy users:
   diagnose wad user list
   You can also check this list from the GUI, by going to User & Device > Monitor > Firewall.

12. Type these CLI commands to list some web proxy sessions:
   diagnose sys session filter clear
   diagnose sys session filter dport 8080
   diagnose sys session list
   You can also use grep to display only the source and destination IP addresses and ports of each session:
   diagnose sys session list | grep hook=pre
   Why is the source IP address of all those sessions 10.0.1.10? Why is the destination IP address of all those sessions 10.0.1.254? Why don't we see any public IP address listed in those sessions?

13. While browsing an HTTP site, type these commands to list another set of proxy sessions:
   diagnose sys session filter clear
   diagnose sys session filter dport 80
   diagnose sys session list | grep hook=out
   Why is the source IP address of all these sessions 10.200.1.1? Why don't we see the IP address of the Windows server (10.0.1.10)?
   With the explicit web proxy, each connection to a web site creates two sessions on the FortiGate: one from the client to the proxy (10.0.1.10 → 10.0.1.254:8080), and another from the proxy to the server, sourced from the FortiGate's own port1 address (10.200.1.1). Because the proxy terminates the client connection, the web server only ever sees the FortiGate's address, never the client's.


Exercise 2 Using a PAC File

1. Log in to the Student FortiGate's GUI.

2. Go to System > Network > Explicit Proxy. Enable the option PAC, then click the pencil icon to edit the PAC file. Select the file proxy.pac in the folder Resources\Explicit-Web-Proxy. Click Import, then Apply.

3. Click the pencil icon again to look at the imported PAC file. Click Apply to save all the changes in the explicit proxy configuration.
   Note: The second line in the PAC file specifies that the browser will not use a proxy to reach servers in the subnet 10.0.0.0/8. The next line configures the browser to use the FortiGate proxy for any other subnet or URL.
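The lab's proxy.pac is not reproduced on the page, so the following is an added example, not the lab file and not Fortinet code: a PAC script implementing the behaviour the note describes (10.0.0.0/8 direct, everything else through the FortiGate explicit proxy on 10.0.1.254:8080), plus the 10.0.1.0/24 exemption typed into Firefox by hand in Exercise 1. Browsers give PAC scripts helpers such as isInNet() and dnsResolve(); this example carries its own CIDR check so it also runs under Node, and it matches literal IPv4 hosts only.

```javascript
// Added example (not the lab's proxy.pac): a PAC file that bypasses the
// FortiGate explicit proxy for 10.0.0.0/8 and 10.0.1.0/24 and sends all
// other requests to 10.0.1.254:8080. Hosts given as names (not IPv4
// literals) are proxied; a browser-side version would resolve them first.

const FORTIGATE_PROXY = "PROXY 10.0.1.254:8080";

// Subnets reached directly: the /8 exempted by the lab's PAC file and the
// /24 added under "No Proxy for" in the manual Firefox configuration.
const NO_PROXY = ["10.0.0.0/8", "10.0.1.0/24"];

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer, or null
// if the string is not a well-formed IPv4 address (for example a host name).
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True if ip falls inside the CIDR block; false for names or bad input.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const netInt = ipv4ToInt(net);
  if (ipInt === null || netInt === null) return false;
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

// Entry point every PAC file must define; the browser calls it per request.
function FindProxyForURL(url, host) {
  for (const cidr of NO_PROXY) {
    if (inCidr(host, cidr)) return "DIRECT";
  }
  // Everything else goes through the FortiGate. Deliberately no "; DIRECT"
  // fallback: if the proxy is down, browsing fails rather than bypassing
  // the proxy policy and its authentication.
  return FORTIGATE_PROXY;
}

// Constructed sample requests mirroring the lab (not captured browser traffic).
const SAMPLES = [
  ["http://10.200.1.254/", "10.200.1.254"],       // lab web server: direct
  ["http://10.0.1.10/", "10.0.1.10"],             // the student host: direct
  ["http://www.example.com/", "www.example.com"], // public site: proxied
];
for (const [url, host] of SAMPLES) {
  console.log(url, "->", FindProxyForURL(url, host));
}
```

Two practical consequences follow from this file. A request the browser sends DIRECT never touches the explicit proxy policy, so it must match an ordinary IPv4 firewall policy (with NAT) to leave port3; that is the gap step 6 below asks you to find. And the choice between returning "PROXY ...; DIRECT" and "PROXY ..." alone decides whether a proxy outage fails open or fails closed; the block above fails closed.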


4. Open the Mozilla Firefox options again. Select the Advanced > Network tab and click Settings. Select the option Automatic proxy configuration URL, then type:
   http://10.0.1.254:8080/proxy.pac
   Click OK.

5. Close Firefox and open it again. Try to browse any web site on the Internet. The traffic will go through the FortiGate proxy. If FortiGate asks you to authenticate, use the same Student account.

6. Now connect to a web site in the network 10.0.0.0/8. The browser will not use the proxy and will send the HTTP request directly to the server. Try this server:
   http://10.200.1.254
   It does not work. Something is missing in the FortiGate configuration. Do you know what it is?

7. Go to Policy & Objects > Policy > IPv4 and add the following firewall policy:
   Incoming Interface:   port3
   Source Address:       STUDENT_INTERNAL
   Outgoing Interface:   port1
   Destination Address:  all
   Schedule:             always
   Service:              ALL
   Action:               ACCEPT
   NAT:                  Enabled


8. Try to access http://10.200.1.254 one more time. It should work now.

9. To finish the lab exercise, disable the proxy in Firefox. Go to Options one more time, select Advanced > Network, click Settings, and select No proxy. Click OK to save the change.


Antivirus
Lab 1: Antivirus Scanning

In this lab, you will work with both flow-based and proxy-based antivirus scanning.

Objectives
- Configure flow-based and proxy-based antivirus scanning
- Understand FortiGate antivirus scanning behavior
- Scan multiple protocols
- Insert replacement messages in multiple protocols

Time to Complete
Estimated: 30 minutes


Exercise 1 Antivirus & Block Pages

1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin.
   http://10.0.1.254/

2. Restore the configuration file that is required by this lab:
   Resources\Antivirus\Student\student-av.conf
   FortiGate will reboot.

3. When the FortiGate has rebooted, go to Policy & Objects > Policy > IPv4 and edit the port3 → port1 policy. Notice that an antivirus profile, Protocol Options and SSL/SSH Inspection are selected. While a security profile is enabled you cannot disable those last two profiles, only change them.

4. Go to Security Profiles > AntiVirus. Examine the antivirus profile that is referenced by the firewall policy (default). This profile defines the virus scanning behavior for the traffic that matches policies using it. Verify that the inspection mode is Proxy, that detected viruses are blocked, and that HTTP scanning is enabled.

5. Verify the proxy options. This profile determines on which ports FortiGate's proxies pick up each protocol. Go to Policy & Objects > Policy > Proxy Options. The HTTP listening port should be set to 80.

6. Review the SSL/SSH profile referenced by the firewall policy. This profile determines how encrypted traffic, such as HTTPS, is handled. Go to Policy & Objects > Policy > SSL/SSH Inspection and edit the profile named default. For now the profile should only inspect certificate details (SSL Certificate Inspection); full SSL inspection is enabled later in this exercise, so that you can first see what certificate inspection alone misses.

7. Go to System > Config > Replacement Message. In the top right-hand corner select Extended View and, under Security, modify the Virus Block Page. The HTML editor that is displayed lets you see the changes as you make them. If you do not want to use the standard block pages, you can modify them. Click Save above the editor window to apply any changes.

8. From the virtual Win-Student host, launch a web browser and access the following web site:
   http://eicar.org

9. On the EICAR web page, click Download ANTI MALWARE TESTFILE (located in the top right-hand corner of the page) and then click the Download link that appears on the left. Download any of the EICAR sample files from the "Download area using the standard protocol HTTP" section. FortiGate should block the download attempt and instead insert a replacement message similar to the following (it should also include any customization you made earlier):


The EICAR file is an industry standard used to test antivirus detection with a harmless test file. The file contains the following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

10. FortiGate shows the HTTP virus message when it blocks or quarantines infected files. In the message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information about the detected virus.

11. From the GUI on the Student FortiGate, go to Log & Report > Traffic Log > Forward Traffic and locate the antivirus event messages. To view summary information about antivirus activity, add the Advanced Threat Protection Statistics widget to the dashboard.

12. On the EICAR web page, click Download ANTI MALWARE TESTFILE and then click the Download link that appears on the left. This time, select the eicar.com file from the "Download area using the secure, SSL enabled protocol HTTPS" section. Your download should succeed. FortiGate does not block the file, because full SSL inspection has not been enabled: with certificate inspection only, FortiGate cannot see the payload of the HTTPS session.

13. To enable inspection of SSL-encrypted traffic on the Student FortiGate, go to Policy & Objects > Policy > SSL/SSH Inspection, edit the default profile, set the Inspection Mode to Full SSL Inspection and make sure that HTTPS is enabled and set to port 443. Click Apply.

14. To ensure that there are no existing sessions before deep scanning begins, connect to the CLI of the Student FortiGate and enter the following commands:
   diag sys session filter dport 443
   diag sys session clear
   This clears all HTTPS (port 443) sessions on the firewall, in case the web server did not properly close its connections.

15. Return to the EICAR web page and attempt to download the eicar.com file from the HTTPS section again. This time, FortiGate should block the download and replace it with a message. If it does not, you may need to clear your browser cache. In Firefox, select History > Clear Recent History > Everything.

16. In order to see the block page you will need to accept the certificate warning. With full SSL inspection, FortiGate terminates the TLS session and re-signs the server's certificate with its own CA, and the browser warns because it does not trust that CA. Encrypted protocols are designed to prevent exactly this kind of interception, so in a production deployment the FortiGate CA certificate must be distributed to the clients' trust stores rather than having users click through warnings.


Exercise 2 Flow vs Proxy Scanning

1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin.
   http://10.0.1.254/

2. Edit the default AntiVirus profile and set the inspection mode to Flow.

3. On the Win-Student computer, open the FileZilla FTP client.

4. Connect to 10.200.1.254. Leave the username and password blank to use anonymous FTP.

5. On the remote (server) side, open the pub folder and download the file named eicar.com. The client should display an error message stating that the server aborted the connection.

6. On the GUI of the Student FortiGate, locate the logs for the detection of this file. With flow-based virus scanning, part of the file has already been forwarded to the client by the time the verdict is reached, so no immediate block message or page may be possible, depending on the protocol being scanned.


Web Filtering
Lab 1: Web Filtering

In this lab, you will configure web filtering to block specific categories of content. The interaction of local categories and overrides will also be demonstrated.

Lab Objectives
• Enable and use web filtering on a FortiGate device
• Troubleshoot and configure FortiGuard Category filtering
• Read and interpret web filter log entries
• Work with proxy and flow-based web filtering
• Monitor blocked categories
• Work with and configure Web Rating Overrides
• Configure Web Profile Overrides

Time to Complete: Estimated 30 minutes


Exercise 1 FortiGuard Web Filtering

1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin: http://10.0.1.254/
2. Restore the configuration file that is required by this lab: Resources\Web-Filtering\Student\student-wf.conf. FortiGate will reboot.
2. When the FortiGate device has rebooted, go to System > Status and, under License Information, check the FortiGuard Services Web Filtering status to ensure that the license has been validated. A green check mark should be displayed.
3. In the GUI on the Student FortiGate device, go to Security Profiles > Web Filter and review the settings of the default web filter profile. Verify that the Inspection Mode is set to Proxy. Under FortiGuard Categories, right-click and expand the web category Potentially Liable. The category and all the sub-categories inside should have the action set to Authenticate. Expand Adult/Mature Content. You should find that Other Adult Material and Pornography are blocked while all other sub-categories are set to Monitor. Expand Bandwidth Consuming. The category and all sub-categories inside should have the action set to Warning. Expand Security Risk. The category and all sub-categories inside should have the action set to Block. All of the General Interest categories and sub-categories should be set to Monitor.
4. Go to Policy & Objects > Policy > IPv4 and edit the outgoing port3→port1 policy. In addition to a web filter profile, Proxy Options and SSL/SSH Inspection profiles have also been enabled. Review the settings in the assigned Proxy Options and SSL/SSH Inspection profiles.
5. From the CLI on the Student FortiGate device, check the low-level status information of the web filtering service by entering the following command:
diag debug rating
The command diag debug rating shows the list of FDS servers for web filtering that the FortiGate is using to send requests. FortiGate normally sends rating requests to the server at the top of the list. Each server is probed for RTT every 2 minutes.
Note: Your lab environment uses a FortiManager as a local FDS server. It contains a local copy of the FDS web rating database. The FortiGate devices have been configured to send the rating requests to the FortiManager instead of the public FDS servers. For this reason, the output of the above command lists only the FortiManager IP address.
6. On the Win-Student computer, open a web browser, and go to: http://www.bing.com


You should receive a block page.

7. Verify that the rating of the website www.bing.com is NOT Pornography by checking it at http://www.fortiguard.com/static/webfiltering.html. You will find that Bing is not rated as Pornography and that the category it belongs to has a Monitor action rather than Block.
8. From the CLI on the Student FortiGate, examine the FortiGate's behavior:
diag debug application url 255
diag debug enable
Access the website www.bing.com again. The diagnostic output will indicate that the URL matches a local rating.
9. In the GUI on the Student FortiGate device, go to Security Profiles > Advanced > Web Rating Overrides. You will find an entry for www.bing.com which assigns it the category Pornography.
10. Go to Security Profiles > Advanced > Web Rating Overrides. Edit the rating override for www.bing.com and set the category to Potentially Liable and the sub-category to Proxy Avoidance.
11. Access the website http://www.bing.com again. This time, the block page will give you the option to Proceed. Click Proceed and enter the following user credentials:
User: Student
Password: F0rtinet
Note: If you receive a certificate warning, be sure to allow it.


12. In the GUI on the Student FortiGate device, go to Log & Report > Security Log > Web Filter. If you do not see the Security Log menu, log out and then log in again to start a new GUI session. If you examine the actions taken in the logs, you will find that initially a Block action shows up. However, more recent logs show a different action.
13. Go to Security Profiles > Web Filter. Edit the web filter profile and select Flow-based. A notification is displayed. Click OK on this pop-up and then click Apply at the bottom of the profile.
14. Test the behavior of the flow-based inspection by connecting to www.bing.com again.
15. Go to Security Profiles > Advanced > Web Rating Overrides and delete the entry for http://www.bing.com. Access www.bing.com again.
16. In the GUI on the Student FortiGate device, go to Security Profiles > Monitor > Web Monitor. Review the output. You can click on the charts to get additional information about what is being displayed.


Note: If you do not see the Monitor menu, then it is hidden. You can enable it via the CLI:
config system global
    set gui-utm-monitors enable
end
Log out, then log in again for the Monitor menu to appear. It will not appear for existing GUI sessions.


Exercise 2 Web Profile Overrides

1. On the Win-Student computer, open a new browser window and visit: www.youtube.com. FortiGate should block this.
2. In the GUI on the Student FortiGate, go to Security Profiles > Web Filter. Set the inspection mode to Proxy.
3. Enable Allow Blocked Override and configure the following options:
• Apply to Group(s): Override_Permissions
• Assign to Profile: monitor_all
• Scope: IP
• Duration Mode: Constant
• Duration: 0 days, 0 hours, 15 minutes
Click Apply to save the changes.
4. Visit the website www.youtube.com again. You will find that at the bottom of the page there is an override link.
5. Click Override and enter the following user credentials:
User: Student2
Password: F0rtinet
FortiGate should now allow you to access the web site.
6. In the GUI on the Student FortiGate device, go to Log & Report > Security Log > Web Filter. Compare the current pass-through entries for YouTube with the older block entries. Notice that the web profile that is reported as being used is different.
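A small parser for the key=value log records this lab has you read, as an added Python example that is not part of the student guide or of FortiOS: the sample lines are constructed (field names follow the FortiOS key=value convention; addresses, times and values are invented), and the functions group each site's web filter verdicts so that the change of action seen in Exercise 1 step 12 and the change of reporting profile seen in step 6 here can be read off programmatically.

```python
"""Parse FortiOS key=value log records and track web filter verdicts.

Added example, not part of the student guide or FortiOS. FortiGate writes
each log record as one line of key=value pairs, quoting values that
contain spaces. The records in SAMPLE_LOGS are constructed for this
example: field names follow the FortiOS convention, but every address
(192.0.2.0/24 is a documentation range), timestamp and value is invented.
"""
import re
from collections import defaultdict

# key=value, where value is either "quoted text" or a run of non-spaces.
_PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

SAMPLE_LOGS = """\
date=2016-05-26 time=10:01:02 type="utm" subtype="webfilter" level="warning" vd="root" policyid=1 srcip=10.0.1.10 dstip=192.0.2.10 service="HTTP" hostname="www.bing.com" profile="default" action="blocked" catdesc="Pornography" url="/"
date=2016-05-26 time=10:03:40 type="utm" subtype="webfilter" level="warning" vd="root" policyid=1 srcip=10.0.1.10 dstip=192.0.2.10 service="HTTP" hostname="www.bing.com" profile="default" action="blocked" catdesc="Proxy Avoidance" url="/"
date=2016-05-26 time=10:04:15 type="utm" subtype="webfilter" level="notice" vd="root" policyid=1 srcip=10.0.1.10 dstip=192.0.2.10 service="HTTP" hostname="www.bing.com" profile="default" action="passthrough" catdesc="Proxy Avoidance" user="Student" url="/"
date=2016-05-26 time=10:20:05 type="utm" subtype="webfilter" level="warning" vd="root" policyid=1 srcip=10.0.1.10 dstip=192.0.2.20 service="HTTP" hostname="www.youtube.com" profile="default" action="blocked" catdesc="Streaming Media and Download" url="/"
date=2016-05-26 time=10:22:31 type="utm" subtype="webfilter" level="notice" vd="root" policyid=1 srcip=10.0.1.10 dstip=192.0.2.20 service="HTTP" hostname="www.youtube.com" profile="monitor_all" action="passthrough" catdesc="Streaming Media and Download" user="Student2" url="/"
date=2016-05-26 time=10:22:35 type="traffic" subtype="forward" level="notice" vd="root" policyid=1 srcip=10.0.1.10 dstip=192.0.2.20 service="HTTP" action="accept"
"""


def parse_record(line: str) -> dict[str, str]:
    """Split one FortiOS log line into a dict, stripping quotes from values."""
    record = {}
    for key, raw, quoted in _PAIR.findall(line):
        record[key] = quoted if raw.startswith('"') else raw
    return record


def parse_logs(text: str) -> list[dict[str, str]]:
    """Parse every non-empty line of a log export, preserving log order."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def webfilter_history(records):
    """Group web filter verdicts by hostname, in the order they were logged.

    Each entry keeps the fields the lab asks you to compare: the action,
    the category description, the web filter profile that produced the
    verdict, and the user (present only after an authenticated override).
    """
    history = defaultdict(list)
    for rec in records:
        if rec.get("type") != "utm" or rec.get("subtype") != "webfilter":
            continue  # traffic and event logs carry no web filter verdict
        history[rec["hostname"]].append({
            "time": rec["time"],
            "action": rec["action"],
            "catdesc": rec.get("catdesc", ""),
            "profile": rec.get("profile", ""),
            "user": rec.get("user", ""),
        })
    return dict(history)


def profile_changes(records):
    """Hosts whose latest verdict came from a different profile than the first.

    A switch from the policy's profile to another one ("default" to
    "monitor_all" in the sample) is the trace a web profile override
    leaves in the logs; a rating override alone does not change the profile.
    """
    changes = {}
    for host, events in webfilter_history(records).items():
        first, last = events[0]["profile"], events[-1]["profile"]
        if first != last:
            changes[host] = (first, last)
    return changes


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for host, events in webfilter_history(recs).items():
        print(host)
        for e in events:
            print(f"  {e['time']} {e['action']:12} {e['profile']:12} {e['catdesc']}")
    print("profile changed:", profile_changes(recs))
```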


 Application Control

Lab 1: Application Identification

In this lab, you will use the application control feature to properly identify an application.

Objectives
• Configure Application Control in the student lab environment
• Read and understand application control logs
• Enable and monitor traffic shaping through Application Control
• Use Application Control to fine-tune Internet access

Time to Complete: Estimated 30 minutes


Exercise 1 Creating an Application Control List

1. On the Win-Student server, open a web browser. Go to the GUI for the FortiGate named Student, and log in as admin: http://10.0.1.254/
2. Restore the configuration file that is required by this lab: Resources\Application-Control\Student\student-app.conf. FortiGate will reboot.
3. Log in again. Go to Security Profiles > Application Control. Review the default application control sensor. (Verify that you are selecting the sensor named default.) On the Edit Application Sensor page, check the settings for the following rule:
Application Signature: MySpace
Category: Social.Media
The action for this should show as Block.
4. Go to Policy & Objects > Policy > IPv4 and edit the port3→port1 policy. Verify that Application Control is turned on and that the default application control sensor is selected.
5. Enable the Security Profiles monitors:
config system global
    set gui-utm-monitors enable
end
Go to http://www.dailymotion.com and play a video. While the video is playing, go to the GUI of the FortiGate and check the application monitor in Security Profiles > Monitor > Application Monitor. If your browser does not show the application monitor, you may need to refresh the page or log in to the FortiGate again.
6. On the Win-Student computer, open a new web browser window. Go to http://www.myspace.com/. You should observe that you cannot connect to this site. It times out.
7. Go to Security Profiles > Application Control. Edit the default sensor again. At the bottom of the profile, enable Replacement Messages for HTTP-based Applications.
8. Go to the MySpace web site again. Now FortiGate should display a block message.
9. Go to Log & Report > Traffic Log > Forward Traffic and view the log information to confirm that this action was correctly logged.


Exercise 2 Limiting DailyMotion Traffic

1. On the Student FortiGate's GUI, go to Policy & Objects > Objects > Traffic Shapers and click Create New to create a new shaper. Configure the following settings:
Type: Shared
Name: DailyMotion_Shaper
Apply shaper: All policies using this shaper
Traffic Priority: Low
Max Bandwidth: 10
Click OK.
2. Go to Security Profiles > Application Control. Edit the default profile. Add an Application Override for DailyMotion, set the action to Traffic Shaping, and have it use DailyMotion_Shaper. Click Apply.
3. Clear the web browser cache and re-open the browser. Connect to the DailyMotion web site again and stream a video. This will probably result in a very different experience.
Note: If your classroom is using a virtual lab, the underlying hardware is shared, so the amount of bandwidth available for Internet access varies with other simultaneous use. The traffic shaper is set to a very low value to make sure that the difference in behavior is easily noticeable. In real networks, this setting would be greater.
4. Check the traffic shaper monitor in Policy & Objects > Monitor > Traffic Shaper Monitor. In the upper right corner, change Report by to Current Bandwidth.


Exercise 3 Fine Tuning Web Site Access

1. Go to Security Profiles > Application Control. Edit the default profile.
2. Change the action for DailyMotion to Reset.
3. Clear the browser cache and access DailyMotion one more time. FortiGate should insert a replacement message from application control about the application being blocked.
4. Go to Security Profiles > Application Control. Edit the default profile. Disable Replacement Messages for HTTP-based Applications, then click Apply.
5. Refresh the DailyMotion page. The browser should display an error message telling you that the connection was reset.
Note: Depending on which browser you use for the test, the wording and nature of the error will vary. If you do not receive a connection reset message, clear the browser's cache and, on FortiGate, use the CLI command:
diagnose sys session clear
6. Open a browser window. Go to: http://www.myspace.com. Since there is no longer an HTTP-based block message enabled, the two signatures will behave differently based on their configured actions.


Appendix A: Additional Resources

Training Services

http://training.fortinet.com

Technical Documentation

http://help.fortinet.com

Knowledge Base

http://kb.fortinet.com

Forums

https://support.fortinet.com/forum

Customer Service & Support

https://support.fortinet.com

FortiGuard Threat Research & Response

http://www.fortiguard.com



Appendix B: Presentation Slides


 Introduction to Fortinet UTM

In this lesson, we will show FortiGate administration basics. This includes how – and where – FortiGate fits into your existing network architecture.


After completing this lesson, you should have practical skills in FortiGate administration fundamentals, such as how to log in, create administrator accounts, configure basic network settings, and use your FortiGate’s GUI or CLI. You’ll also be able to set up FortiGate to act as your local network’s DNS or DHCP server. Lab exercises can help you to test and reinforce your skills.


A FortiGate is a “Unified Threat Management” device, but what exactly does this mean? Well, if we look at a typical network security solution, multiple single-purpose devices are used. Each performs a specific task. There is:
• One device acting as the firewall
• Another device that scans for viruses
• Another device filtering email
• One device to optimize WAN usage
• Another device to filter web sites
• One device for application control
• One device for intrusion prevention
• Another device to provide VPN access
That is a lot of different devices. Most likely, they all have different vendors. All of this can introduce unwanted complexity, and many potential points of failure.


So how is FortiGate different? FortiGate provides a comprehensive approach to security. It even includes some basic accessory network services such as authentication and DHCP. All this and more is combined into a single device. That way, you can reconfigure your network and security deployment by simply accessing one device. Cabling and interfaces between 10 devices? Gone. And it’s all from a single vendor. Per-module licensing? Gone. If you’re familiar with Cisco ASA, you may even expect multiple management interfaces. This, too, is simpler on FortiGate. Regardless of whether you are building a VPN or applying antivirus, you can configure it all from one unified GUI or CLI. How can FortiGate do so many things? Shouldn’t separate functions be divided among different devices for performance reasons? In some cases, yes. A heavy load from one specific workload may justify a dedicated device. And Fortinet offers several. But now you have the choice – you can specialize if your network requires it.


In this architecture diagram, you can see how FortiGate UTM platforms add strength without compromising on flexibility – they are still internally modular. Plus:
• Devices add duplication. Sometimes, dedication doesn’t mean efficiency. If it’s overloaded, can 1 device borrow free RAM on 9 others? Do you want to configure policies, logging, and routing on 10 separate devices? Does 10 times the duplication bring you 10 times the benefit? Or is it a hassle?
• FortiGate hardware isn’t just off-the-shelf. It’s carrier-grade. Underneath, most FortiGate models have 1 or more specialized circuits called ASICs that are engineered by Fortinet. For example, a CP or NP chip handles cryptography and packet forwarding more efficiently. Compared to a single-purpose device with only a CPU, FortiGate can have dramatically better performance. (The exception? Virtualization platforms – VMware, Citrix Xen, Microsoft, or Oracle Virtual Box – have general-purpose vCPUs. But virtualization might be worthwhile due to other benefits, such as distributed computing and cloud-based security.)
• FortiGate is flexible. If all you need is firewalling and antivirus, FortiGate won’t require you to waste CPU, RAM, and electricity on others. In each firewall policy, UTM modules can be enabled or disabled. You won’t pay more to add VPN seat licenses later, either. What requires a subscription? Only FortiGuard subscription services.


FortiGuard subscription services give your FortiGate access to 24x7 security updates powered by Fortinet’s researchers. Your FortiGate uses FortiGuard in 2 ways:
• By periodically requesting packages that contain a new engine and many signatures, or
• By querying the FDN on an individual URL or host name
Queries are real-time – that is, FortiGate asks the FDN every time it scans for spam or filtered web sites. Also, queries use UDP for transport – they are connectionless, and the protocol is designed for speed, not fault tolerance. So they require that your FortiGate have a reliable Internet connection. Downloaded packages like antivirus and IPS, however, aren’t that frequent. They use TCP for reliable transport. And their associated FortiGate features continue to function even if FortiGate does not have reliable Internet connectivity. Keep in mind, though, that you should still avoid interruptions. If your FortiGate must try repeatedly to download updates, it can’t detect new threats during that time.


So now we’ve seen a simplified overview of the software architecture. What about the network architecture? Where does FortiGate fit in? When you deploy a FortiGate, you can choose on the dashboard between two modes: NAT or transparent.
• In NAT mode, FortiGate forwards packets based on Layer 3, like a router. Each of its logical network interfaces has an IP address.
• In transparent mode, FortiGate forwards packets at Layer 2, like a switch. So except for the management interface, its interfaces have no IP address.
Interfaces can be exceptions to the router vs. switch operation mode on an individual basis, however. We’ll show these later.


What does that mean for your traffic, in terms of the 7-layer OSI model? Which operation mode should you choose? NAT mode is the most common choice. In NAT mode, the destination address is the FortiGate’s address. Typically FortiGate will rewrite the destination address, and/or port number and source address in the IP network layer, into the server’s private network address before forwarding the packet – in other words, it will apply NAT and port forwarding. Depending on your presentation and application layer protocols, it might also:
• Terminate SSL or TLS sessions so back-end servers don’t need to decrypt
• Modify the addresses in the application layer headers, such as the “Host:” and “X-Forwarded-For:” in the HTTP header
So NAT mode works well for edge or gateway security, where you divide your private IPv4 network from an external network such as guest Wi-Fi or the Internet.
In transparent mode, the destination address is the server’s address – not a FortiGate’s interface. As a result, it usually doesn’t need to rewrite encapsulated layers – with the exception of TCP SYN-related analysis. Only the MAC address in the frame is rewritten. So in complex IP environments such as MSSP or mobile phone carriers, this simplifies deployment. Only the management interface needs an IP address. But because network-facing interfaces don’t have an IP address, you must verify that your topology doesn’t have any loops at Layer 2 – Ethernet.


NAT mode is the default operation mode. What are the other default settings? Once you’ve removed your FortiGate from its box, what do you do next? Let’s see how to set up a FortiGate. Attach your computer’s network cable to port1 or the internal switch ports (depending on your model) to begin setup. There is a DHCP server on that interface, so if your computer’s network settings have DHCP enabled, your computer should automatically get an IP, and you can begin setup quickly. Every FortiGate or FortiWifi device has these same default settings. (Note that FortiAP is not the same. It’s covered in a separate lesson.) To access the GUI on FortiGate or FortiWifi, open a web browser and go to http://192.168.1.99. Remember: The default login is publicly available knowledge. Never leave its default password blank! Your network is only as secure as your FortiGate’s “admin” account. Before you connect your FortiGate to your overall network, you should set a complex password. You should also restrict it so that FortiGate allows administrative connections only from your local console or management subnet.


What happens if you forget the password for your “admin” account, or a hostile employee changes it? This recovery method is on all FortiGate devices, and even some non-FortiGate devices like FortiMail. It’s a temporary account, only available through the local console port, and only after a hard reboot – disrupting power by unplugging or switching off the power, then restoring it. FortiGate must be physically shut off, then turned back on – not simply rebooted through the CLI. That’s the difference between a hard boot and a soft boot. Even then, the “maintainer” login is only available for about 30 seconds after boot completes. If you can’t ensure physical security, or have compliance requirements, you can disable the “maintainer” account. Use caution: if you disable “maintainer” and then lose your “admin” password, you cannot recover access to your FortiGate.


All FortiGate models have a console port. This provides CLI access without a network.
• On older models, it’s a serial port. A standard null modem cable can be used to connect the serial port to your computer’s serial port.
• On newer models, it’s an RJ-45 port. Access it by connecting an RJ-45-to-serial cable from your computer’s serial port to the RJ-45 port on the FortiGate.
• In some newer models, the console port is a USB2 port. In that case, you’ll plug in the USB cable, then open FortiExplorer.
Each device ships with its appropriate cable. Serial ports on computers are becoming less common. If your computer doesn’t have one, you can purchase a USB-to-serial adapter.


Most features are available in both the GUI and CLI. There are a few exceptions. Reports can’t be viewed in the CLI, for example, and diagnostic commands for power users are usually not in the GUI. What if you don’t want to use the GUI? There is also a CLI. As you become more familiar with FortiGate, and especially if you want to script its configuration, you may want to use it in addition. You can access the CLI via either the JavaScript widget in the GUI named “CLI Console,” or via a terminal emulator such as Tera Term (http://ttssh2.sourceforge.jp/index.html.en) or PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). Your terminal emulator can connect via the network – SSH or telnet – or the local console port. SNMP and some other administrative protocols are also supported, but they are not used for basic setup. Let’s focus on setup now.


As an alternative GUI during setup, you can plug in your smart phone, and use FortiExplorer. FortiExplorer isn’t a complete configuration tool for all devices. Its focus is deployment – configuring network addresses and routing. After that, your FortiGate can be integrated into the network, and you can continue by configuring firewall policies, security profiles and other features.


There are a few supported platforms for the FortiExplorer software. This is what FortiExplorer looks like when you are running it on a Windows laptop. On the left side, you can see that FortiExplorer can fully update device firmware and configure its network settings so that FortiGate is prepared for you to plug it into your network.


Whichever method you use, start by logging in as “admin”. Begin by creating accounts for other administrators. It’s not shown here, but alternatively, instead of creating accounts on FortiGate itself, you could configure FortiGate to query a remote authentication server. You could also require personal certificates, authenticated via your PKI certificate authority, instead of passwords. Choose strong, complex passwords. For example, you could use multiple interleaved words with varying capitalization, and randomly insert numbers and punctuation. Do not use short passwords, nor passwords that contain names, dates, or words that exist in any dictionary. These will be very weak against brute force attacks. To audit the strength of your passwords, use tools such as l0phtcrack (http://www.l0phtcrack.com/) or John the Ripper (http://www.openwall.com/john/). Risk of attackers brute forcing your firewall is especially high if you connect the management port to the Internet. In order to restrict access to specific features, you can assign permissions.


When assigning permissions in an access profile, you can specify read-and-write, read-only, or no access to each area. By default, there is a special profile named “super_admin”, which is used by the account named “admin”. It cannot be changed. It provides full access to everything, making the “admin” account similar to a root superuser account. “prof_admin” is another default profile. It also provides full access, but unlike “super_admin”, it only applies to its virtual domain – not the global settings of the FortiGate. Also, its permissions can be changed. You aren’t required to use a default profile. You could, for example, create a profile named “auditor_access” with read-only permissions. Restricting a person’s permissions to those necessary for his or her job is a best practice, because even if that account is compromised, the compromise is not complete. To do this, create administrative access profiles, then select the appropriate profile when configuring an account.


What are the effects of access profiles? It’s actually more than just read or write access. Depending on the type of access profile that you assign, each administrator may not be able to access the entire FortiGate. For example, you could configure an account that can only view log messages. Administrators may not be able to access global settings outside their assigned virtual domain, either. (Virtual domains, by the way, are a way of subdividing the resources and configurations on a single FortiGate. VDOMs are shown in another lesson.) Administrators with a smaller scope of permissions cannot create, or even view, accounts with more permissions. So, for example, an administrator using the “prof_admin” or a custom profile cannot see – nor reset the password of – accounts that use the “super_admin” profile.


To further secure access to your network security, use two-factor authentication. Two-factor authentication just means that instead of only using one way to verify your identity – typically a password or personal certificate – you verify identity in two ways. In the example shown here, “two-factor” would mean a password plus an RSA randomly generated number from a FortiToken that is synchronized with FortiGate.


FortiToken is not the only option if you want to use two-factor authentication. Remember, “two-factor authentication” literally only means that you use two methods to verify the person’s identity. Alternatively, FortiGate can send an email to the administrator’s address, or send a text message. To be able to do this, you must first configure FortiGate with the settings of a mail server that it can use to send email, or an SMS server. The mail server can be configured under “System > Config > Messaging Servers” in the GUI, or the CLI. SMS settings however are CLI-only.


Another way to secure your FortiGate is to define which hosts or subnets are trusted sources of login attempts. Define all three, for all accounts. (If you leave any IPv4 address as 0.0.0.0/0, this means to allow connections from any source IP – obviously not what you want.) Notice that each account can define its management host or subnet differently. This is especially useful if you will be setting up virtual domains on your FortiGate, where the VDOM’s administrators may not even belong to the same organization. Now try to access FortiGate’s GUI or CLI from an external IP. Does it work? No. Your web browser or terminal emulator won’t receive a response. Not even to a ping. Unless you connect from the network administrators’ subnet, FortiGate won’t allow you to even try to log in. So external brute force is impossible. So is discovery by ICMP.


You may also want to customize the administrative protocols’ port numbers. You can also choose whether to allow concurrent sessions. This can be used to prevent accidentally overwriting settings if you usually keep multiple browser tabs open, or accidentally leave a CLI session open without saving the settings, then begin a GUI session and accidentally edit the same settings, for example.


We’ve defined the management subnet – that is, the trusted hosts – for each administrator account. How do you enable or disable management protocols? This is specific to each interface. For example, if your administrators connect to FortiGate only from port1, you should disable all administrative access on all other ports. This prevents brute force attempts, and also insecure access. For better security, it is always best to only use secure, encrypted methods of access. Some protocols – such as telnet, ICMP, HTTP, and SNMP version 1 – don’t have encryption or even authentication. So they should never be enabled on public, untrusted networks. IPv4 and IPv6 protocols are separate. It’s possible, for example, to have both IPv4 and IPv6 addresses on an interface, but only respond to pings on IPv6. However, IPv6 is hidden in the GUI by default. How do you show IPv6 settings?


FortiGate has hundreds of features. If you don’t use all of them, hiding the features that you don’t use makes it easier to focus on your work. Hiding a feature in the GUI does not disable it. It is still functional, and can still be configured via the CLI. (In fact, many diagnostic features are only available in the CLI.) Some advanced or less commonly used features, such as IPv6, are hidden by default. There are 2 ways to show hidden features:
• Use the “Features” widget on the dashboard, or
• Go to “System > Config > Features”


The “Features” widget shows and hides features by bulk presets.
• NGFW shows features for line-speed inspection, with no added latency. This hides all UTM options that can potentially slow down traffic.
• ATP shows features for advanced threat protection that focus on protecting endpoint computers.
• WF shows features for web filtering.
• Full UTM is a preset that shows almost all UTM features. Load balancing and a few others aren’t enabled here, though.
So if the “Features” widget does not show the feature you’re looking for, go to “System > Config > Features” instead.


Once you have administrator accounts, they can configure the network interfaces. Remember: When the FortiGate device is in NAT/route mode, every interface that handles traffic usually must have an IP address. This is so that packets handled by this interface have a source and destination at the IP layer. There are 3 ways to do this:
• assign a static IP, or
• automatically retrieve one, via either DHCP or PPPoE
As we mentioned earlier, there are 2 exceptions. Other, less commonly used modes are “One-Arm Sniffer” and “Dedicate to FortiAP”. Unlike interfaces in NAT mode, these aren’t assigned an address.
• “One-Arm Sniffer” is an interface in promiscuous mode. As a result, regardless of each packet’s destination address, FortiGate can inspect all traffic that arrives. So although the overall FortiGate is in NAT mode, acting as a router, this specific interface does not. It receives traffic, but cannot send. There are more considerations, which are in the IPS lesson.
• “Dedicate to FortiAP” creates both an access point controller and a DHCP server. Clients connecting to SSIDs managed through this interface receive an IP address from the pool on this interface.


Wireless clients aren’t the only ones that can use FortiGate as their DHCP server. Select the “Manual” option, enter a static IP, then enable the DHCP server option. Options for the built-in DHCP server will appear.


For the built-in DHCP server, you can reserve specific IP addresses for devices with specific MAC addresses. Those devices will always receive the same lease, unless the number of devices exceeds the size of the IP pool.
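The CLI equivalent of the two steps above (a static interface address with the built-in DHCP server enabled, plus a MAC-based reservation) is shown here as an added example; it is not taken from the guide. The interface name, addresses and MAC address are constructed, and lines beginning with # are comments for the reader, not CLI commands.

```fortios
# Give the LAN interface a static address (constructed: port2, 10.0.1.0/24).
config system interface
    edit "port2"
        set mode static
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# Built-in DHCP server bound to that interface. Clients are told to use the
# FortiGate itself as gateway and DNS server ("dns-service default").
config system dhcp server
    edit 1
        set interface "port2"
        set default-gateway 10.0.1.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.0.1.100
                set end-ip 10.0.1.199
            next
        end
        # Reservation: this MAC always receives 10.0.1.50 (constructed values).
        config reserved-address
            edit 1
                set ip 10.0.1.50
                set mac 00:11:22:33:44:55
            next
        end
    next
end
```

The reserved address is outside the dynamic range on purpose: a reservation inside the pool works, but keeping reservations and the dynamic range separate makes it obvious from the configuration alone which addresses can ever be handed out dynamically.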


For detailed information about the MAC addresses and the corresponding IPs, you can look in the router subsection of the event log, or in the DHCP Monitor, which you can find in the System menu.


Like with DHCP, you can also configure FortiGate to act as your local DNS server. A local DNS server can improve performance for your FortiMail or other devices that use DNS queries frequently. If your FortiGate offers DHCP to your local network, DHCP can be used to configure those hosts to use FortiGate itself as both the gateway and DNS server. FortiGate can answer DNS queries in one of 3 ways:
• by relaying all queries – that is, acting as a DNS relay instead of a DNS server
• by relaying only the queries it can’t resolve to your ISP’s DNS server, or
• by returning a null response if it can’t resolve queries itself.
You can enable and configure DNS separately on each interface.


If you choose the DNS forwarding option, you can control DNS queries within your own network without having to set up a separate DNS server.


If you choose to have your DNS server resolve queries, or you choose a split DNS, you must set up a DNS database on your FortiGate. This defines the host names that FortiGate will resolve queries for. Use zone file syntax outlined by RFCs 1034 and 1035.
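As an added example (not from the guide), this is the CLI form of a split DNS setup on one interface together with the DNS database it needs. The interface name, zone name and addresses are constructed; the mode names recursive, non-recursive and forward-only correspond to the three answering behaviours listed earlier.

```fortios
# Enable the DNS server on the LAN interface (constructed: port2).
#   recursive     = answer from the local database, relay anything else upstream
#   non-recursive = answer from the local database only, otherwise a null reply
#   forward-only  = relay everything (DNS relay, no local database used)
config system dns-server
    edit "port2"
        set mode recursive
    next
end

# Local zone (constructed: corp.example). "shadow" view restricts the zone to
# queries received on interfaces running the DNS server above.
config system dns-database
    edit "corp-lan"
        set domain "corp.example"
        set type master
        set view shadow
        set authoritative enable
        set ttl 86400
        set primary-name "ns1"
        set contact "hostmaster"
        config dns-entry
            edit 1
                set type A
                set hostname "ns1"
                set ip 10.0.1.1
            next
            edit 2
                set type A
                set hostname "mail"
                set ip 10.0.1.25
            next
            edit 3
                set type MX
                set hostname "corp.example"
                set canonical-name "mail.corp.example"
                set preference 10
            next
        end
    next
end
```

With recursive mode, a host that receives the FortiGate as its DNS server via DHCP resolves internal names locally and still reaches the Internet, while internal names are never leaked to the upstream resolver.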


Lastly, before you can integrate FortiGate in your network, FortiGate must have a default gateway. If FortiGate gets its IP address through a dynamic method such as DHCP or PPPoE, then it will also retrieve the default gateway. Otherwise you must configure a static route. Without this, the FortiGate will not be able to respond to packets outside the subnets directly attached to its own interfaces. It probably also won’t be able to connect to FortiGuard for updates, and may not properly route traffic. Routing details are covered in another lesson. For now, you should usually make sure that FortiGate has a route that matches all packets (destination is 0.0.0.0/0), and forwards them through the network interface that is connected to the Internet, to the IP address of the next router. Routing completes the basic network settings that are required before you can configure firewall policies.
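The default route described above, written out as an added CLI example (not the guide's own text). The WAN interface name and the next-hop address are constructed; the second command is how you confirm that the route is actually installed.

```fortios
# Static default route: match every destination (0.0.0.0/0) and send it to the
# next router on the Internet-facing interface (constructed: port1, 203.0.113.1).
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port1"
    next
end

# Verify: the routing table should now contain a "S*" entry for 0.0.0.0/0.
get router info routing-table all
```

If the WAN interface instead obtains its address by DHCP or PPPoE, leave this static route out: the interface's own "retrieve default gateway" setting supplies it, and a second, conflicting static route only makes later routing problems harder to diagnose.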


Now that FortiGate has basic network settings and administrative accounts, let’s show how to back up the configuration. You can encrypt configuration files with a password, if necessary. Besides securing the privacy of your configuration, it also has some effects you may not expect. Once encrypted, the configuration file cannot be decrypted without the password and a FortiGate of the same model and firmware. This means that if you send an encrypted configuration file to Fortinet Technical Support, even if you give them the password, they still cannot load your configuration until they get access to the same model of FortiGate. This can cause unnecessary delays when resolving your ticket. Even if the configuration is not encrypted as a whole, each password is encrypted individually. So in many cases, encrypting the entire configuration file may not be necessary.


If you open the configuration file in a text editor, you’ll see that both encrypted and unencrypted configuration files contain a clear text header that contains some basic information about the device. The diagram here shows what information it includes. To restore an encrypted configuration, you must upload it to the same model of FortiGate, with the same firmware version, then provide the password. To restore an unencrypted configuration file, you are only required to match the model. If the firmware is different, FortiGate will attempt to upgrade the configuration, similar to how it uses upgrade scripts on the existing configuration when upgrading firmware. Usually, the configuration file only contains non-default settings, plus a few default yet crucial settings. This minimizes the size of the backup, which could otherwise be several MB in size.
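An added example of backing up and restoring from the CLI, to make the encrypted/unencrypted distinction above concrete. It is not from the guide; the TFTP server address, file names and password are constructed, and the sample header line is an illustration of the clear-text header's general layout (model, firmware version and build, operation mode, VDOM status, administrator), not a real file.

```fortios
# Unencrypted backup: can be restored on any FortiGate of the same model,
# even on a different firmware version (the configuration is upgraded on load).
execute backup config tftp fgt-branch.conf 10.0.1.10

# Encrypted backup: restoring needs the password AND the same model AND the
# same firmware version, so Support cannot load it without matching hardware.
execute backup config tftp fgt-branch-enc.conf 10.0.1.10 REPLACE_WITH_PASSWORD

# Restore; omit the trailing password for an unencrypted file.
execute restore config tftp fgt-branch-enc.conf 10.0.1.10 REPLACE_WITH_PASSWORD

# Either file starts with a clear-text header of this shape (constructed sample):
# #config-version=FGT60D-5.2.1-FW-buildNNN-YYMMDD:opmode=0:vdom=0:user=admin
```

Because the header is always readable, you can check model and firmware of a backup before attempting a restore, and you can see which administrator account produced it.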


If you enable virtual domains, subdividing the resources and configuration of your FortiGate, each VDOM administrator can back up and restore their own configurations. You don’t have to back up the entire FortiGate configuration. VDOM details are discussed in a separate lesson.


Upgrading the firmware on a FortiGate is simple. The easiest method is to click the “Update” link on the “System Information” widget on the dashboard, then choose a firmware file that you have downloaded from support.fortinet.com. If you want to make a “clean install” by overwriting both the existing firmware and its current configuration, you can do this via the local console CLI, within the boot loader menu, while FortiGate is rebooting. However, this is not the usual method.


You can also downgrade firmware. Since settings change in each firmware version, you should have a configuration file in the syntax that is compatible with the firmware. Remember to read the release notes. Sometimes a downgrade between firmware versions that preserves the configuration is not possible, such as when the OS changed from 32-bit to 64-bit. In that situation, the only way to downgrade is to format the disk, then reinstall. Once you’ve determined the downgrade is possible, verify everything again, then start the downgrade. After it completes, restore a configuration backup that is compatible with that version. Why should you keep emergency firmware and physical access? Old firmware versions don’t know how to convert future configurations. Also, when upgrading via a path that is not supported by the configuration translation scripts, you might lose all settings except basic access settings such as administrator accounts and network interface IP addresses. Another rare but possible scenario is that the firmware could be corrupted when you are uploading it. For all of those reasons, you should always have local console access during an upgrade, in case of emergency. However, in practice, if you read the Release Notes and have a reliable connection to the GUI or CLI, it should not usually be necessary.


Remember your initial setup via FortiExplorer? You can also use it to download firmware, then install it on your FortiGate.


To review, these are the topics that we just talked about. We showed how FortiGate can replace multiple single-purpose devices yet increase power efficiency and throughput. We explained the differences between FortiGuard services, and how those are part of the UTM architecture. We showed how to configure administrator accounts, permissions, and how to harden administrative access. We also explained how to choose the operation mode based upon the behavior you need for each network interface, how to configure the network settings, and finally how to back up the configuration and install firmware.


Logging & Monitoring

In this lesson, we will look at how to monitor your FortiGate, and how to log its system events and network traffic. Since you are implementing a security solution, it is important to know how to appropriately monitor the device’s operation. It is vital to have logging and monitoring configured properly and to know how to read the output. Otherwise, if you encounter issues, you won’t have any messages from FortiGate to help you find out what is happening in your network.


By the end of this lesson, you’ll be able to:
• Describe log severity levels
• Identify where logs are stored
• Describe the different types of logs
• Understand log structure and behavior
• Configure log settings
• Understand the impact of logs on resources
• Describe how to view log messages, and finally
• Describe how to search and interpret log messages


The basic purpose of logs is to help you monitor your network traffic levels, track down problems, establish baselines and a lot more. Think of your own internal organization, where it is highly probable that more than one administrator has access to your FortiGate device. Since it is not practical to block other administrators from making changes to your FortiGate configuration, you can simply view the log files to find out what is happening on the device—including any changes that were made. Logs help provide you with the big picture so you can make adjustments to your network security, if necessary. Keep in mind that some organizations have legal requirements when it comes to logging, so it is important to be aware of your organization’s policies during configuration.


Each log entry includes a log level that ranges in order of importance from Debug to Emergency. In total there are eight levels. Debug, the lowest level, puts additional information into the event log and is worthless unless you are actively investigating something. Debug is only needed to log diagnostic data, puts more strain on the CPU resources, and requires additional resources to create. Generally the lowest level you want to use is Information. You and your organization’s policies dictate what needs to be logged.


You can choose to store logs in a variety of places both on and off the device. Locally, the FortiGate device has memory and many devices have a built-in hard drive. Externally, you can store logs on Syslog servers, FortiCloud, SNMP, or a FortiAnalyzer device.


As an external logging device for FortiGate, a FortiAnalyzer or FortiManager is simply viewed as an IP with which the FortiGate can communicate. As a result, you can place a FortiAnalyzer or FortiManager within the same network as a FortiGate, or outside of it. However, a FortiGate can communicate with a FortiAnalyzer or FortiManager only if it is a registered device. So long as the FortiGate is properly registered with the FortiAnalyzer or FortiManager, it accepts incoming logs. Communication between the FortiGate and FortiAnalyzer or FortiManager is done via SSL encrypted OFTP traffic, so when a log message is generated, it can be safely transmitted across an unsecure network.


So far, we’ve discussed FortiAnalyzer and FortiManager as interchangeable external logging devices for the FortiGate. While configuring the FortiGate to send logs to a FortiAnalyzer or FortiManager is identical—they share a common hardware and software platform—the FortiAnalyzer and FortiManager actually have different capabilities that are worth noting. Both take log entries, but a FortiManager’s primary purpose is to centrally manage multiple FortiGate devices. As such, it has a flat limit imposed on the amount of logs it can receive in a day, regardless of the model. On the other hand, the FortiAnalyzer’s primary purpose is to store and analyze logs, so the log limit is much higher (though the limit is model-dependent). Even the smallest FortiAnalyzer can handle more logs per day than any FortiManager. But at the most basic level, what you can do with the logs received on a FortiManager is no different than what you can do with logs received on a FortiAnalyzer. The FortiGate has 2 methods for transmitting the log events: the store-and-upload option, and real time.


You can configure logging to either a FortiAnalyzer or FortiManager through the GUI or CLI. In the GUI, it is done under Log & Report > Log Config > Log Settings. Here, each device must be set up separately, one at a time. In the CLI, you can configure up to three separate FortiAnalyzer or FortiManager devices at the same time. The options in the GUI only relate to the ‘config log fortianalyzer setting’, not fortianalyzer2 or fortianalyzer3. You may need a setup like this for redundancy or for some other requirement. Keep in mind that generating logs requires resources, so the impact of sending logs to multiple locations ultimately depends on how many logs you are creating.


Another external logging option you can use is FortiCloud. FortiCloud is a subscription-based service, offered by Fortinet, that provides long-term log storage and reporting. It’s a similar idea to FortiAnalyzer, but more advantageous for smaller setups, where purchasing a dedicated logging appliance isn’t feasible. Every FortiGate comes with a free one month trial. You can activate your free trial from the GUI, link it to your FortiCare user, and start sending logs. Be sure to read any documentation on the website if you are considering the subscription-based option.


On the FortiGate, all logs are split up into three different log types. These are traffic logs, event logs, and security logs. Each log type is further split up into sub-types. Traffic logs contain Forward, Local, Invalid and Multicast. The Forward log contains information about traffic either accepted or rejected by a firewall policy. Local traffic is traffic directly to/from the FortiGate, and includes logging into the GUI, as well as FortiGuard queries. Invalid contains packets that were thrown away before they even reached a firewall policy. Event logs contain System, User, and Router/VPN/WanOpt & Cache/Wifi sub-types. System events are related to system operations, such as automatic updates of the AV/IPS definitions and people logging into the GUI. User contains logon/logoff events for users hitting firewall policies. Router/VPN/WanOpt & Cache/Wifi contain log entries related to the specific feature. For example, Router contains BGP or RIP log entries and VPN contains IPsec and SSL VPN log entries. Finally, Security logs contain log entries based on the security profile type. For example, Antivirus, Web Filter, and Intrusion Protection to name a few. Security logs only show a specific sub-type if logs have been created within it.


The Log & Report section of the FortiGate GUI includes the three log types: Traffic, Event, and (if configured) Security. The Traffic Log contains events about packets. The Event Log contains admin or system activity events. The Security Log contains messages related to security profiles activated on firewall policies. By default, most of the events related to security appear in the Forward Traffic log—a sub-type of the Traffic Log. This is for performance: writing fewer log files is less CPU intensive. The exception to this is DLP and Intrusion Scanning. Events such as these always appear in the Security Log section.


To inspect your logs through the GUI, go to the Log & Report section and select the log type to view. In the upper right corner of the window, you can switch between viewing the logs from different locations if the FortiGate is set up to log to multiple locations. It is not recommended to configure your firewall to actively inspect traffic without creating a log entry about it.


This chart illustrates the expected behavior when you enable different logging options. The first column, Policy Log Setting, shows the log setting on the Firewall policy: No Log, Log Security Events, or Log all Sessions. The second column shows whether an Antivirus, Web Filter, or Email security profile is enabled or disabled. Remember, DLP and IPS profiles always generate logs in the Security Log section. The last column shows the behavior. If you enable any profiles on your policy and logging is not enabled, you will not get logs of any kind—even if the profile is configured to block the traffic. So if you apply a security profile, it’s important to remember to consider the logging setting.


When viewing the logs, you might encounter a high volume of log messages, depending on your configuration. This makes it difficult to locate a specific log or log type, especially during an investigation. In order to navigate the logs more efficiently, you can set up various filters. The more information you specify in the filter, the easier it is to find the precise log entry. Filters are configured for each column of data you choose to display. By default only a subset of the information appears in the log table. Make sure to configure the table columns for your own requirements.


Every log message you view has a standard layout comprised of two sections: a header and a body. The header contains the same information regardless of the log. The body, however, changes from one type of log message to another. This is because there is some data common to all logs, like a date and time, while other data is event dependent.


Let’s take a closer look at the header in this example of a raw log entry. While the output is not as structured as it appears in the GUI, the information contained in a raw log file is the same. As you can see in the header, aside from the date, time, and log ID attributes, you can see that the log type is UTM, the sub-type is DLP, and the severity level is Warning. The attributes in the header (such as log type and sub-type) are common to every log, but the data assigned to them can be different. For example, the header can contain a log type of Event and sub-type of System instead of what you see in the example above. Accordingly, the information in the header of the log directly affects the data contained in the associated body of the log. Note that if you log to a 3rd party device, such as a Syslog server, you need to know how to set up your filters in order to find what you need in your log messages. You can find a document that contains all the logs and their layouts on the Fortinet docs web site at http://docs.fortinet.com .


Now let’s take a closer look at the body of a log. The body provides the specifics of the log message and helps you understand what actually happened. In the above log, we can see the action taken by the FortiGate device when it encountered the traffic through the status attribute. Here, the status is Deny, which means the FortiGate prevented this particular piece of traffic from passing. The value of the policyid field tells you which policy this traffic passed through (which firewall rule was used).


Rather than look at raw logs or logs through the GUI, you can also display log messages from the CLI. This allows you to set up a number of filters on the logs that display and capture the output to a file and send it via the options you specify, such as FTP.
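An added example of the CLI log viewing described here, using the header and body fields discussed in the preceding slides (log category, then a body field such as the action) to narrow the output. It is not from the guide. The category numbers and the "field" sub-command are given from memory of the 5.x CLI and should be confirmed with "execute log filter ?" on your unit; the FTP server address is constructed.

```fortios
# Start from a clean filter so earlier settings do not hide entries.
execute log filter reset

# Category selects the log type from the header (0 = traffic; "?" lists the rest).
execute log filter category 0

# Body field filter: only sessions the firewall denied.
execute log filter field action deny

# Page through 20 entries at a time and confirm the filter before displaying.
execute log filter view-lines 20
execute log filter dump
execute log display

# To keep the evidence, copy the stored logs off the box (constructed FTP server).
execute backup disk alllogs ftp 10.0.1.10 backupuser REPLACE_WITH_PASSWORD
```

Filtering on "action deny" in the traffic log is the quickest way to answer "what did the firewall block in the last hour" without the GUI; switch the category to the UTM/security log and filter on the status field when the question is about a security profile verdict instead.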


Monitoring your logs is critical, as it allows you to review the progress of an attack, whether afterwards or while in progress, and address the issue quickly. How the attack unfolds may reveal weaknesses in your preparations. There are three ways you can monitor logs: Alert Emails, Alert Message Console, and SNMP.


Since you can’t always be physically at the device, you can monitor logs by setting up alert emails. Alert emails are set up similarly to any log device. First you decide “what” is going into them (a filter) and then “where” it is going.


In order to set up an alert email, the first thing you need to do is configure an SMTP server to allow for communication between the server and the FortiGate device. This can only be done in the CLI. This allows you to configure your alert email settings in the GUI through the Log & Report > Log Config > Alert E-mail menu. Without configuring an SMTP server that will receive the email, the alert email option does not appear in the GUI.
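The CLI-only SMTP server step, followed by the alert selection that the GUI then exposes, as an added example that is not from the guide. Host names, addresses and credentials are constructed; the alertemail option names are given from memory of the 5.x CLI and should be checked with "?" in the respective config node.

```fortios
# 1. SMTP relay the FortiGate will send through (CLI only in this release).
#    Authenticated submission over STARTTLS keeps credentials and alert
#    contents off the wire in clear text.
config system email-server
    set server "smtp.corp.example"
    set port 587
    set authenticate enable
    set username "fortigate-alerts"
    set password "REPLACE_WITH_PASSWORD"
    set security starttls
end

# 2. What to alert on ("what") and whom to notify ("where").
config alertemail setting
    set username "fortigate@corp.example"
    set mailto1 "secops@corp.example"
    set mailto2 "netops@corp.example"
    set filter-mode category
    set admin-login-logs enable
    set configuration-changes-logs enable
    set IPS-logs enable
    set antivirus-logs enable
    set violation-traffic-logs enable
    set firewall-authentication-failure-logs enable
    set log-disk-usage-warning enable
end
```

Administrator logins and configuration changes are the two categories worth enabling on every unit: together they give the change-tracking the earlier slide described, delivered to a mailbox that another administrator cannot quietly edit on the device.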


Another log monitoring option is the alert message console. The Alert Message Console is a GUI widget that you can enable on the System dashboard. Here, instead of the alerts being emailed to administrators like in Alert emails, they appear directly in the widget on the System page when you log in to the FortiGate. You can configure the widget to set up the events you want to appear as alerts, the number of alerts, and even the name of the widget itself. For example, you can have multiple alert widgets on the dashboard with different names all displaying different types of alerts. Once an alert appears in the Alert Message Console it remains until acknowledged. Once you confirm the event did not impact anything, you acknowledge it, and it is removed from your list — it no longer appears as something that requires further attention.


Another method of monitoring logs is through an SNMP manager. In order to use this method, you require the Management Information Base (MIB) file. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiGate device SNMP agent. They can be loaded into any SNMP software so that you can set up automatic queries to the device in order to discover operational status. You can obtain CPU, memory levels, the cause for the last spam detection, and more. A FortiGate device can support SNMP v1, v2 and v3. You can obtain the MIB files either on the Support website or directly from the FortiGate GUI through the System > Config > SNMP menu.


Setting up the necessary SNMP options is fairly straightforward from the GUI. Simply enable and define the service as you would any other SNMP monitored device and then enable your protocol options and methods of monitoring. What can be monitored with the different options is exactly the same. SNMP v3 offers some additional security over the previous two versions of the protocol, like traffic encryption and authentication.


In the GUI, under Log & Report > Log Config > Log Settings, you can enable different locations for log storage. You can also configure the different kinds of traffic you want to appear in the Local traffic log. Finally, you can configure the GUI preferences. Resolving IPs to host names requires the FortiGate to perform DNS lookups for all the IPs. If your DNS is not working or running slowly, this can impact your ability to look through the logs as the requests will time out.


Using the CLI to configure log settings provides you with more flexibility and options than the GUI. From the CLI, you can configure up to three separate FortiAnalyzers and Syslog servers, options not available in the GUI. There is also the ability to set up logging to Webtrends, a 3rd party service. The information you require for configuring the log settings is dependent on the logging option you configure: disk, FortiAnalyzer, FortiGuard, memory, Syslog, or Webtrends.
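The CLI-only log destinations mentioned here and on the earlier FortiAnalyzer slide (a second FortiAnalyzer plus a Syslog server), together with a severity floor that keeps Debug out of the remote stores as the severity slide recommends, as an added example that is not from the guide. All server addresses are constructed.

```fortios
# Primary FortiAnalyzer: real-time, reliable (acknowledged) and encrypted upload.
config log fortianalyzer setting
    set status enable
    set server 10.0.1.20
    set upload-option realtime
    set reliable enable
    set enc-algorithm high
end

# Severity floor for that destination: Information and above, never Debug.
config log fortianalyzer filter
    set severity information
end

# Second FortiAnalyzer for redundancy (CLI only; the GUI edits only "fortianalyzer").
# Store-and-upload batches the logs instead of streaming them one by one.
config log fortianalyzer2 setting
    set status enable
    set server 10.0.2.20
    set upload-option store-and-upload
    set upload-interval daily
end

# Third-party Syslog server (constructed address), Warning and above only.
config log syslogd setting
    set status enable
    set server 10.0.1.30
    set port 514
    set facility local7
end
config log syslogd filter
    set severity warning
end
```

Each destination has its own filter node, so the FortiAnalyzer can receive everything you may later need for an investigation while the Syslog feed carries only what a SIEM should alert on; that split is what keeps the "impact of sending logs to multiple locations" manageable.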


Firewall policies also have logging options you can configure. The policy setting determines if and when a log message is generated for traffic passing through a particular firewall policy. The settings under Log Settings in the GUI and the ‘config log’ command in the CLI determine where the FortiGate stores the log messages it creates.


It’s important to remember that creating logs is not “free”—it does weigh on your system. The more logs that get generated, the heavier the toll on your CPU and memory resources. Storing logs for a period of time also requires disk space, as does accessing them. So before configuring logging, make sure it’s worth the extra resources and that your system can handle the influx. Also important to note is logging behavior with UTM profiles. UTM profiles create log events when traffic is detected. Depending on the amount of traffic you have and the logging settings that are enabled, your traffic logs can easily become a problem that will ultimately impact the performance of your firewall. There is an option in the CLI, under ‘config log setting’, that removes some of the information stored in the traffic log: set brief-traffic-format enable. By executing this command, you can free up resources on the firewall.


In configuring the Event log settings, remember that Event logs are not caused by traffic passing through firewall policies. For example, VPNs going up and down or routing protocol activity are not caused by traffic passing through a firewall policy. One exception might be the user log. This does not record information about traffic through firewall policies directly, but it does record user logon/logoff events on traffic that passes through policies. Event logs provide all of the system information generated by the FortiGate device, such as administrator logins, configuration changes made by administrators, user activity, and daily operations of the device. So what you enable depends on what features you are implementing and what information you need to get out of the logs. You can enable what events you want to log through the Log & Report > Log Config > Log Settings menu.
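An added CLI example (not from the guide) that ties together the resource-saving options from the previous slides and the Event log selection described here: the brief traffic format, the Local traffic log and host-name resolution settings from the Log Settings page, and the per-sub-type Event log switches. The option names under ‘config log setting’ and ‘config log eventfilter’ are given from memory of the 5.x CLI; confirm them with "?" on your unit.

```fortios
config log setting
    # Smaller traffic log records: fewer fields per message, less CPU and disk.
    set brief-traffic-format enable
    # Do not resolve IPs to host names when showing logs; avoids the DNS timeouts
    # that stall the log viewer when the resolver is slow or down.
    set resolve-ip disable
    # Local traffic log: keep denied unicast to the FortiGate itself (probes of
    # the management plane are worth seeing) but drop allowed local traffic.
    set local-in-allow disable
    set local-in-deny-unicast enable
    set local-in-deny-broadcast disable
    set local-out disable
end

# Event log sub-types: enable only what matches the features you actually run.
config log eventfilter
    set event enable
    set system enable
    set user enable
    set vpn enable
    set router disable
    set wireless disable
    set wan-opt disable
end
```

System and User stay on in every deployment because they carry the administrator logins, configuration changes and user logon/logoff events; the Router, Wireless and WAN optimization sub-types are only worth their cost on units that use those features.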


There is also a daily log monitor section. This displays the number of logs generated over time as well as the log type. This allows you to see where your FortiGate device is using most of its resources and if any trends are occurring. You can drill down through these logs and obtain further information by clicking any of the days.


Each function of the FortiGate device has an equivalent “Monitor” menu item in the GUI. This allows you to view, at any given moment, how the feature is performing. The Security functions have a monitor option like the rest, but you need to enable it from the CLI before it appears. With a lot of security activity this could impact your CPU, so it’s disabled by default.


One example of a GUI monitor is the Security Profiles monitor, found in the GUI under Security Profiles > Monitor. It has sub-sections for each security feature to highlight recent activity, such as AV Monitor, Web Monitor, and Application Monitor to name a few. This gives you a snapshot of what is happening with that particular option. Almost every menu has this option.


Another means of monitoring is through the widgets on the status page. Many can be customized to show the same type of information in multiple ways. If you click the pencil icon in the upper right corner of the widget, you can configure any of the available settings for that widget. You can add some widgets to the same dashboard multiple times, with each instance displaying different information.


By default, there are a number of different dashboards available. Each one has a different name with a different collection of widgets to provide different types of information. Each user has their own dashboard setup and layout, so if one user deletes a dashboard and rearranges the widgets on the Status page, it will not impact any of the other users. You can alter a user’s permissions to not allow them to make changes to their dashboard and use this to restrict their access.


One other area you may want to monitor, purely for diagnostics, is the crash logs, available through the CLI. The FortiGate is like a computer, with different processes that handle different things, like DHCP or web filtering for example. Any time a process is closed for any reason, the crash log records this as a crash. If there is an abnormal termination of a process, you can look at the crash logs and find out the conditions that caused it. A normal and fairly common thing to see in the crash log are entries for Scanunitd, which is the process responsible for virus scanning. Any time the definitions package is updated, that process needs to close down in order to apply the new package. This is a normal shutdown and appears with a status of zero, which indicates a normal shut down with no abnormalities.


In this lesson, we covered log severity levels; storage locations; log types and subtypes; log structure and behavior; log settings; viewing log messages; and monitoring, reading, and interpreting log messages.


Firewall Policies

In this lesson, we will show you how to pass traffic through FortiGate, and explain how that works. At its core, FortiGate is a firewall, so almost everything that it does to your traffic is linked into your firewall rules.


After this lesson, you should be able to properly identify the different components used in a firewall policy. You’ll be able to configure firewall policies and arrange them to correctly match traffic.


You’ll also be able to apply UTM and other features through the firewall policy, test your policies, and monitor traffic passing through them.


To begin, let’s talk about what firewall policies are. Firewall policies define which traffic matches, and what FortiGate will do if it does. Should the traffic be allowed? This is decided first based on simple criteria such as the source. Then, if the policy itself does not block the traffic, FortiGate begins more computationally expensive UTM inspection, such as application control and web-filtering, if you’ve chosen it in the policy. Those scans could block the traffic if, for example, it contains a virus. Otherwise, the traffic is allowed. Will NAT be applied? Authentication required? Firewall policies also determine that. Once processing is finished, FortiGate forwards the packet towards its destination.


When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which you can define using objects:
• Ingress and egress interfaces
• Source and destination, by IP address, device ID, or user
• Network service(s) (that is, IP protocol and port number)
• Schedule
Once FortiGate finds a matching policy, it applies its settings for packet processing. Is antivirus scanning applied? Will source NAT be applied? For example, if you want to block incoming FTP to all but a few FTP servers, you would define the addresses of your FTP servers, select those as the destination, and select FTP as the service. You probably wouldn’t specify a source (often any location on the Internet is allowed) nor a schedule (usually FTP servers are always available, day or night). Finally, you would set the Action setting to Accept. This might be enough, but often, you’ll want more thorough security. Here, the policy also authenticates the user, scans for viruses, limits the bandwidth consumption, and logs blocked connection attempts.


Firewall policies appear in an organized list, in either section view or global view. Usually, it appears in section view, where each section contains the policies for one ingress-egress interface pair. Alternatively, you can view your policies as a single comprehensive list by selecting Global View at the top of the page. Policy sequence numbers define the order in which rules are processed; policy IDs are identifiers. By default, sequence numbers are displayed on the GUI. CLI commands, however, use the policy ID: edit . This may confuse the administrator into modifying the wrong policy. To avoid such errors, add the policy ID to the GUI using the column settings.


In some cases, though, you won’t have a choice of view. If you use multiple source/destination interfaces or the ‘any’ interface, policies cannot be separated into sections by interface pairs – some would be triplets or more. So instead, policies are always displayed in a single list, ordered primarily by policy sequence number. To help you remember the use of each interface, you can give interfaces aliases. For example, you could call port1 “WAN.” This can make your list of policies easier to comprehend.


Remember that we mentioned that only the “first” matching policy applies? Moving your policies into the correct position is important. It affects which traffic is blocked or allowed. In the applicable interface pair’s section, FortiGate will look for a matching policy, beginning at the top. So usually, you should put more specific policies at the top. Otherwise, more general policies will match the traffic first, and your more granular policies will never be applied. Here, we’re moving a policy that only matches Windows SMB traffic above the more general “accept everything from everywhere” policy. Otherwise, FortiGate would always apply the first matching policy – the “accept everything” policy – and never reach the “block SMB” policy. How does FortiGate determine if a packet matches a policy? Let’s look at that next.


Each policy matches traffic and applies security by referring to objects such as addresses and profiles that you’ve defined. What about other firewall policy types? Do IPv6 policies exist? Yes. And they use slightly different objects that are relevant to their type. In this lesson, we’re discussing IPv4 firewall policies and SSL/SSH inspection. They are the most common use case.


To begin describing how FortiGate finds a policy for each packet, let’s start with the interface pairs. We showed them in section view. Packets arrive on an ingress interface; routing determines the egress. Both interfaces must match the policy’s interface criteria in order for it to be a successful match. In each policy, you must select both a source and destination interface, even if it is ‘any’. So if a packet arrives on port4, but you only have policies between port1 WAN ingress and port2 DMZ, for example, the packet would not match your policies and would therefore be dropped by the implicit deny policy at the end of the list, even if the packet did match an egress interface of ‘any’. Interfaces may be grouped into logical zones. For example, you could group port7 to port10 as a LAN zone. This generally simplifies policy configuration, except that an interface in a zone cannot be referenced individually. So if you must subdivide a zone, don’t. Instead, select multiple source and destination interfaces in the firewall policy.


The next match criterion that FortiGate considers is the packet’s source. In each firewall policy, you therefore must select a source address object. Optionally, you can refine your definition of the source by also selecting a user, group and/or a specific device. If your organization allows BYOD (that is, Bring Your Own Device), then a combination of all three provides a much more granular match. In earlier releases of FortiOS 5, sub-policies were used for authentication (also called identity) and device identification. Also, it was either-or: you could not use both types in the same rule. In 5.2, you can now use both user and device definitions together, in the same firewall policy.


Using Source Device Type causes the FortiGate to enable device identification on the source interface(s) of that policy.


There are two device identification techniques: agentless and agent-based.
• Agentless uses traffic from the device: the MAC address OUI, TCP fingerprint, and HTTP “User-Agent:” header. Devices are indexed by their MAC address.
• Agent-based uses FortiClient. FortiClient sends information to FortiGate, and the device is tracked by its FortiClient UID.


Device Definitions shows the list of detected devices. You can also define static entries. Detected devices are saved to the FortiGate’s flash. Therefore, on restart, the FortiGate knows the devices already identified and does not have to re-categorize each device. The user displayed in the device information is just a tag; it cannot be used as a means of identity for an authentication policy.


The CLI command ‘diag user device list’ shows a more detailed listing than User & Devices > Device > Device Definitions, including the detection method.


FortiClient devices have a unique id which can be used as an index for the device. This is instead of the MAC address, which may be problematic when a device has multiple MAC addresses (such as servers or virtual machines), or where there is no Layer 2 visibility of that device.


FortiGate can control FortiClient settings via the profile and registration.


License Information on the FortiGate GUI dashboard shows the registered devices. Windows and Mac FortiClient installers are also available from this dashboard widget.


Once a FortiClient registers itself with a FortiGate, you’ll be able to see its UID on the endpoint control device list.


You may configure the default FortiClient profile or add additional profiles. New profiles applied to devices or users override the default.


Once you’ve configured the settings, FortiGate will send them back to FortiClient.


FortiClient is the agent-based approach for source device type.


To reduce the total number of firewall policies in RAM, and simplify administration, you can group service and address objects, then reference that group in the firewall policy, instead of selecting multiple objects each time or making multiple policies. You can also group virtual IPs.


Here, all three source selectors identify the user group, device type, and specific subnet. This would not have been possible in previous firmware versions. Remember, user and device are optional objects. They are used here so that the policy is more specific. If you wanted the policy to match more traffic, you could leave them undefined.


In earlier releases of FortiOS 5, if traffic matched an identity sub-policy, by default, FortiGate simply blocked traffic that failed authentication. It would not ‘fall through’ to try the next authentication rule unless you had explicitly enabled the option “fall-through-unauthenticated”. But in this release, FortiGate uses the fall-through behavior by default.


Like the packet’s source, FortiGate also checks the destination address for a match. Address objects may be a host name, IP subnet or range. If you enter an FQDN as the address object, make sure that you’ve configured your FortiGate with DNS settings. FortiGate uses DNS to resolve those host names to IP addresses, which are what actually appear in the IP header. Geographic addresses, which are groups or ranges of addresses allocated to a country, may be selected instead. These objects are updated via FortiGuard.


Schedules add a time element to the policy. For example, a policy allowing backup software may activate at night, or a remote address may be allowed for testing purposes and a schedule provides a test window.


Another criterion that FortiGate uses to match policies is the packet’s service. At the IP layer, protocol numbers (for TCP, UDP, SCTP, etc.) and source and destination ports together define each network service. Generally, only a destination port (that is, the server’s “listening port”) is defined. Some legacy applications may use a specific source port, but in most modern applications, the source port is randomly determined at transmission time, and therefore is not a reliable way to define the service. For example, the predefined service object named HTTP is TCP destination port 80; HTTPS is TCP destination port 443. However, the source ports are ephemeral, and therefore not defined.
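The matching walk described on the preceding slides (interface pair, source, destination, service, schedule, first match from the top of the list, implicit deny at the end, and sequence number versus policy ID) as an added Python model. This is illustration code written for this guide, not FortiOS code; the policy set, the addresses and the hypothetical move_above helper are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Service:
    proto: str      # "tcp" or "udp"
    dport: int      # destination (listening) port only; source ports are ephemeral

@dataclass
class Policy:
    policy_id: int                     # what the CLI's "edit <id>" refers to; never changes
    srcintf: frozenset                 # {"any"} matches every ingress interface
    dstintf: frozenset
    srcaddr: tuple                     # ip_network objects
    dstaddr: tuple
    services: tuple                    # Service objects, or ("ALL",)
    action: str                        # "accept" or "deny"
    schedule: Optional[tuple] = None   # (start_hour, end_hour); None means "always"

@dataclass(frozen=True)
class Packet:
    ingress: str
    egress: str     # decided by the routing lookup, before the policy match
    src: str
    dst: str
    proto: str
    dport: int

def _intf_ok(wanted, intf):
    return "any" in wanted or intf in wanted

def _addr_ok(nets, addr):
    ip = ip_address(addr)
    return any(ip in net for net in nets)

def _svc_ok(services, pkt):
    return "ALL" in services or any(
        s.proto == pkt.proto and s.dport == pkt.dport for s in services)

def _sched_ok(schedule, hour):
    if schedule is None:
        return True
    start, end = schedule
    if start <= end:                            # same-day window, e.g. (8, 18)
        return start <= hour < end
    return hour >= start or hour < end          # overnight window, e.g. (22, 6)

def lookup(policies, pkt, hour=None):
    """First-match lookup, top of the list first. Returns
    (sequence_number, policy_id, action); (None, 0, "deny") is the implicit deny."""
    hour = datetime.now().hour if hour is None else hour
    for seq, p in enumerate(policies, start=1):
        if (_intf_ok(p.srcintf, pkt.ingress) and _intf_ok(p.dstintf, pkt.egress)
                and _addr_ok(p.srcaddr, pkt.src) and _addr_ok(p.dstaddr, pkt.dst)
                and _svc_ok(p.services, pkt) and _sched_ok(p.schedule, hour)):
            return seq, p.policy_id, p.action
    return None, 0, "deny"

def move_above(policies, policy_id, target_id):
    """Hypothetical helper: new list with policy_id placed directly above target_id.
    Sequence numbers change; policy IDs do not."""
    moving = next(p for p in policies if p.policy_id == policy_id)
    rest = [p for p in policies if p.policy_id != policy_id]
    idx = next(i for i, p in enumerate(rest) if p.policy_id == target_id)
    return rest[:idx] + [moving] + rest[idx:]

# Constructed policy set for the guide's port3 (LAN) to port1 (WAN) example
LAN = (ip_network("10.0.1.0/24"),)
ALL = (ip_network("0.0.0.0/0"),)
P3, P1 = frozenset({"port3"}), frozenset({"port1"})
ACCEPT_ALL = Policy(1, P3, P1, LAN, ALL, ("ALL",), "accept")
BLOCK_SMB = Policy(2, P3, P1, LAN, ALL, (Service("tcp", 445),), "deny")
BACKUP_AT_NIGHT = Policy(3, P3, P1, LAN, (ip_network("10.200.1.254/32"),),
                         (Service("tcp", 873),), "accept", schedule=(22, 6))

SMB = Packet("port3", "port1", "10.0.1.10", "10.200.1.254", "tcp", 445)
HTTP = Packet("port3", "port1", "10.0.1.10", "10.200.1.254", "tcp", 80)
RSYNC = Packet("port3", "port1", "10.0.1.10", "10.200.1.254", "tcp", 873)
FROM_PORT4 = Packet("port4", "port1", "10.0.1.10", "10.200.1.254", "tcp", 80)

if __name__ == "__main__":
    wrong = [ACCEPT_ALL, BLOCK_SMB]          # general rule first: SMB is never blocked
    print(lookup(wrong, SMB))                # (1, 1, 'accept')
    fixed = move_above(wrong, 2, 1)          # block-SMB now has sequence 1, still ID 2
    print(lookup(fixed, SMB))                # (1, 2, 'deny')
    print(lookup(fixed, FROM_PORT4))         # (None, 0, 'deny'): no policy for port4
```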


We’ve just shown several component objects that can be re-used as you make policies. What if you want to delete an object? If it’s being used, you can’t. First, you must reconfigure the objects that are currently using it. The GUI provides a simple way to find out where in the FortiGate’s configuration an object is being referenced. See the numbers in the Ref. column? They are the number of places where that object is being used. The number is actually a link, so if you click it, you can see which objects use it.


We’ve just shown how policies are matched. Let’s look a little beyond that now, to slightly before policies, and to the scans they can use, as well as packet egress. What happens when a packet first arrives on a FortiGate network interface? Step 1 is packet ingress.
• If a Denial of Service sensor is selected in the policy, it takes effect. Because it’s applied so early, DoS packets don’t receive other scans, and therefore don’t consume unnecessary CPU or RAM.
• At the IP layer, the packet’s CRC is checked for a match with the CRC in the header to make sure that the packet wasn’t corrupted in transmission.
• IPSec session-related packets are sent to either the kernel or hardware for payload decryption.
• Destination NAT is applied before routing.
• If this is a new session, or routing information has changed, FortiGate will make a routing lookup.


Step 2 is stateful inspection.
• Is this traffic destined for the FortiGate itself, such as the administrative GUI, SSL VPN, authentication, DNS queries, or FortiGuard?
• Is this traffic that should be forwarded by a policy’s established session, or that should be checked for a policy match?
• Does the traffic require a session helper to open dynamic ports, rewrite addresses in application layer headers, etc.?


Step 3 is content inspection. FortiGate applies the security profiles that you selected in the policy here. There are two main types of content inspection:
• Flow-based
• Proxy-based
The order of inspection is important. The next step applies only if traffic is not blocked by the previous step.


Step 4 is packet egress.
• Should FortiGate route the packet to an IPsec VPN virtual interface, before it is rerouted to a physical interface?
• Should FortiGate apply source NAT?
• Which interface should the packet depart from?


If you enable session starts, FortiGate will create a traffic log when the session begins. But remember that increasing logging decreases performance, so use it only where necessary. Once a firewall policy closes an IP session, if you have enabled logging in the policy, FortiGate will generate traffic logs. During the session, if a security profile detects a violation, FortiGate will record the attack log immediately. To reduce the number of log messages generated and improve performance, you can enable session table entries for dropped traffic. This option is in the CLI, and is called ‘ses-denied-traffic’. If the GUI option session starts is not displayed, your FortiGate device does not have internal storage. This option is in the CLI, regardless of internal storage, and is called ‘set logtraffic-start enable’.


Once the first packet – assuming it is not dropped – establishes an IP session, FortiGate enters it in its session table. If subsequent packets are received before the session times out, a hashing function looks up the applicable policy for the scans or NAT that should be applied to incoming packets. You can use the monitor section to determine how much traffic is matching each firewall policy.


The session table can also be viewed from the CLI. Firewall performance of connections per session and maximum number of connections are indicated by the session table. But keep in mind that if your FortiGate contains FortiASIC NP chips designed to accelerate processing, without loading the CPU, this may not be completely accurate. The session table reflects what is known to and processed by the CPU.


Since the session table has a finite amount of RAM that it can use on your FortiGate, adjusting the session time to live (TTL) can improve performance. There are global default timers, session state timers, and timers configurable in firewall objects.


In this example, you can see the session TTL, which reflects how long FortiGate can receive no packets until it will remove the session from its table. Proto_state for TCP is taken from its state machine, which we’ll talk about next. Traffic shaping manages your bandwidth. Traffic counters are the overall counters for the session, and determine how much data was sent and received. NAT actions are also tracked.


In the previous slide, remember that the session table contained a number that indicated the connection’s current TCP state. These are the states of the TCP state machine. They are single-digit values, but proto_state is always shown as two digits. This is because when proxy-based inspection is used, which is discussed later, two connections are established with the proxy: one to the client, and one to the server. If there are too many connections in the SYN state for long periods of time, this indicates a SYN flood, which you can mitigate with DoS policies. UDP is a stateless protocol, so it doesn’t technically have states like TCP. However, the session table does use the state column to track unidirectional UDP as state 0, and bidirectional UDP as state 1.


Before looking at the session table, first build a filter. To look at our test connection you can filter on ‘dst’ 10.200.1.254 and ‘dport’ 80.


Here is the corresponding session table entry, showing the routing and NAT actions that apply to the traffic.


In addition to security scans, firewall policies also determine what network address translation (NAT) or port address translation (PAT) to apply to each packet. NAT and PAT, together also known as NAPT, translate internal, typically private, IP addresses to external, typically public or Internet, IP addresses. In FortiOS, NAT and traffic forwarding are configured in the same firewall policy. However, diagnostics clearly show NAT and forwarding as separate actions. The NAT option in a firewall policy, and IP Pools, are source NAT settings and objects. Virtual IPs are destination NAT objects.


The default source NAT option uses the egress interface address. This is a many-to-one NAT. In other words, port address translation is used, and connections are tracked using the original source address and source port combination together with the allocated source port. This is the same behavior as the overload IP Pool type, discussed later. Optionally, you may select fixed port, in which case source port translation is disabled. With fixed port, if two or more connections require the same source port for a single IP address, only one connection can establish.


If you use an IP pool, the source address is translated to an address from that pool rather than the egress interface address. The larger the number of addresses in the pool, the greater the number of connections that can be supported. The default IP pool type is overload; here there is a many-to-one/few relationship, and port translation is used.


One-to-one differs in the sense that there is a single mapping of an internal address to an external address. Port address translation is not required in this case. See the circled example showing the same source ports on ingress and egress? Mappings are not fixed. They are allocated on a first-come, first-served basis. If there are no more addresses available, a connection will be refused, as shown in the debug flow.


This example uses a fixed port range IP pool. The internal address range 10.0.1.10-10.0.1.11 maps to the external address range 10.200.1.7-10.200.1.8. This configuration provides an explicit relationship between internal and external ranges, and disables port address translation.


These two CLI outputs illustrate the behavior difference between the port block allocation type, and the default overload type. Using hping, a rogue client generates many SYN packets per second. In the first example, the port block allocation type limits the client to 64 connections for that IP pool. Other users will not be impacted by the rogue client. In the second example, the overload type imposes no limits, and the rogue client uses many more connections in the session table. Other users will now be impacted.
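The source NAT behaviours described on these slides (egress-interface overload with PAT, fixed port, one-to-one pool, and port block allocation) as an added Python model that lets you compare how a client opening many connections is treated by each type. This is illustration code written for this guide, not FortiOS code; the SourceNat class, the pool addresses and the port ranges are constructed, and the 64-port block size is the one quoted in the text.

```python
from collections import defaultdict

class NatExhausted(Exception):
    """Raised where the guide says a connection is refused."""

class SourceNat:
    EPHEMERAL = range(1024, 65536)           # translated ports for overload/PAT

    def __init__(self, mode, pool, block_size=64):
        assert mode in ("overload", "fixedport", "one-to-one", "pba")
        self.mode = mode
        self.pool = list(pool)               # external address(es): egress interface or IP pool
        self.block_size = block_size         # 64 ports per client, as in the guide's example
        self.used = defaultdict(set)         # external ip -> translated ports in use
        self.one_to_one = {}                 # internal ip -> external ip (first come, first served)
        self.blocks = {}                     # internal ip -> (external ip, first port of block)
        self.next_block = 0                  # next unallocated block in the pool
        self.sessions = {}                   # (src, sport, dst, dport) -> (external ip, port)

    def _free_port(self, ext, candidates):
        return next((p for p in candidates if p not in self.used[ext]), None)

    def _pba_block(self, src):
        """Hand out the next block of ports; each client gets exactly one."""
        if src not in self.blocks:
            per_addr = len(self.EPHEMERAL) // self.block_size
            if self.next_block >= per_addr * len(self.pool):
                raise NatExhausted("no port block left in the pool")
            ext = self.pool[self.next_block // per_addr]
            start = self.EPHEMERAL.start + (self.next_block % per_addr) * self.block_size
            self.blocks[src] = (ext, start)
            self.next_block += 1
        return self.blocks[src]

    def translate(self, src, sport, dst, dport):
        """Return (external ip, external port) for a new or existing session."""
        key = (src, sport, dst, dport)
        if key in self.sessions:             # packets of an existing session reuse the mapping
            return self.sessions[key]
        if self.mode == "one-to-one":        # no PAT: the source port is kept as-is
            ext = self.one_to_one.get(src)
            if ext is None:
                taken = set(self.one_to_one.values())
                ext = next((a for a in self.pool if a not in taken), None)
                if ext is None:
                    raise NatExhausted(f"no pool address left for {src}")
                self.one_to_one[src] = ext
            self.sessions[key] = (ext, sport)
            return ext, sport
        if self.mode == "overload":          # many-to-one: any free ephemeral port
            ext = self.pool[0]
            port = self._free_port(ext, self.EPHEMERAL)
        elif self.mode == "fixedport":       # keep the source port; collisions are refused
            ext = self.pool[0]
            port = sport if sport not in self.used[ext] else None
        else:                                # pba: only ports inside the client's own block
            ext, start = self._pba_block(src)
            port = self._free_port(ext, range(start, start + self.block_size))
        if port is None:
            raise NatExhausted(f"no translated port for {src}:{sport} on {ext}")
        self.used[ext].add(port)
        self.sessions[key] = (ext, port)
        return ext, port

def refused(nat, *flow):
    """True if the NAT refuses this new connection."""
    try:
        nat.translate(*flow)
        return False
    except NatExhausted:
        return True

def rogue_client(nat, src, dst="10.200.1.254", dport=80, attempts=100):
    """One client opening many connections (the hping scenario); count those accepted."""
    return sum(not refused(nat, src, 40000 + i, dst, dport) for i in range(attempts))

if __name__ == "__main__":
    pba = SourceNat("pba", ["10.200.1.7"])
    print(rogue_client(pba, "10.0.1.10"))                          # 64: capped by its block
    print(refused(pba, "10.0.1.11", 40000, "10.200.1.254", 80))    # False: others unaffected
    overload = SourceNat("overload", ["10.200.1.1"])
    print(rogue_client(overload, "10.0.1.10"))                     # 100: no per-client limit
```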


Virtual IPs (VIPs) are destination NAT objects. For sessions matching a VIP, the destination address is translated: usually a public Internet address is translated to a server’s private network address. Select VIPs in the firewall policy’s destination address field. The default VIP type is static NAT. This is a one-to-one mapping which applies for incoming and outgoing connections. That is, an outgoing policy with NAT enabled would use the VIP address instead of the egress interface address. This behavior, however, can be overridden by use of an IP pool. The static NAT VIP can be restricted to forward only certain ports. For example, connections to the external IP on port 8080 map to the internal IP on port 80. From the CLI, you can select the NAT type load-balance or server-load-balance. Plain load balancing distributes connections from an external IP address to multiple internal addresses. The latter builds on that mechanism, using a virtual server and real servers, and provides session persistence and server availability check mechanisms. VIPs should be routable to the external-facing (ingress) interface. FortiOS responds to ARP requests for VIP and IP Pool objects. ARP responses are configurable.


In this example, connections to the VIP 200.200.200.222 are NATed to the internal host 10.10.10.10. Because this is static NAT, all NATed outgoing connections from 10.10.10.10 will use the VIP address in the packet’s destination field, not the egress interface’s address.


For feature completeness, you can use a central NAT table. This is disabled by default. To enable it from the GUI, go to System > Config > Features. In the CLI, use:
conf sys global
set gui-central-nat-table enable
end
In this case, the source NAT action is defined in a central table. If no central NAT rule exists, then the default action of destination interface address is used. Central NAT rules also allow control over source port usage.


Some application layer protocols are not fully independent of the lower layers, such as the network or transport layer. If the session helper detects such a pattern, it may make changes to the application headers or create expected secondary connections. A good example is where an application has both a control and a data/media channel, such as with FTP. Firewalls will typically allow the control channel and rely on the session helpers to handle the dynamic data/media transmission connections. When more advanced application tracking and control is required, an Application Layer Gateway (ALG) can be used. The VoIP profile is an example of an ALG.


In this example, the media recipient address in the SIP SDP payload is modified to reflect the NATed IP address.


Traffic shaping (also called quality of service (QoS)) can be applied in firewall policy and used to manage the bandwidth used by each service or application. FortiGate can count the packet rates of ingress and egress to police traffic. Note that these apply equally to TCP and UDP, and UDP protocols may not recover as gracefully from packet loss. ToS/DSCP flags, if used, can map packets to a specific transmission queue. For additional information, see the Traffic Shaping FortiOS Handbook.


Two types of traffic shapers can be configured: Shared and Per-IP. A shared shaper applies a total bandwidth to all traffic using that shaper; the scope can be per-policy or for all policies referencing that shaper.


FortiGates equipped with Network Processors (NP) offload packet handling from the CPU. For each new IP session, the first packet always goes to the CPU. If the session can be offloaded to an available NP, the kernel sends session information to the NP. All subsequent packets in that session are forwarded by the NP and not the CPU, so their transmission is accelerated. When the last packet is sent or received, such as a TCP FIN or TCP RST signal, the NP returns this session to the CPU, which handles tear down. Non-eligible sessions remain on the CPU. Typically, this includes policies that have a security profile enabled. IP fragments are also non-eligible. “diagnose” CLI commands, such as “diag packet sniff” and “diag debug flow”, run on the CPU. They will not show packets handled by an NP. To ensure accurate output for these commands, you can temporarily disable NPU offload in each firewall policy so that the packets are handled by the CPU and therefore received by the troubleshooting command.


As a UTM, one of the most important features that a firewall policy can apply is security profiles such as IPS and antivirus. These profiles inspect each packet in traffic flows where the session has already been conditionally accepted by the firewall policy. When inspecting traffic, FortiGate can use one of two methods: flow- or proxy-based. Different security features are supported by each type.


By proxy-based scans, we typically mean a transparent proxy. It’s called “transparent” because at the IP layer, FortiGate is not the destination address, yet FortiGate intercepts the traffic anyway. In TCP connections, FortiGate’s proxy generates the SYN ACK to the client and completes the three-way handshake with the client before creating a second, new connection to the server. If the payload is less than the oversize limit, the proxy buffers transmitted files/email for inspection before continuing transmission. The proxy analyzes and may change headers such as HTTP “Host:” and URI for web filtering. If a security profile decides to block the connection, the proxy can send a replacement message to the client. This adds latency to the overall transmission.


Proxy options affect the content inspection proxy. Settings include port numbers, oversize file action and threshold, and client comforting (where the proxy transmits packets slowly while it continues to buffer and scan).


How are flow-based scans different? There is no proxy. If you are familiar with the TCP flow analysis of Wireshark, then that is essentially what the flow engine sees. Packets are buffered, analyzed, and forwarded as they are received. The same signatures used for proxy-based techniques apply to flow-based, therefore the detection rate is potentially the same. Original traffic is unaltered; consequently, advanced features which modify content, such as safe search enforcement, are not supported.


An SSL/SSH inspection profile contains settings for decrypting these protocols, which is required in order to scan their content. Otherwise, viruses could be transmitted via HTTPS or SMTPS, for example, without detection. For SSH, inspection allows the FortiGate to intercept connections and control protocol commands. For example, using an SSH tunnel, a client could port forward any other protocol across an SSH connection. Using an SSH profile, FortiGate can block the “Port-Forward” command.


When troubleshooting firewall policies, you need to understand how the traffic should flow. Typically there are many firewall policies. What is the ingress/egress interface? What is actually happening to the traffic/application? Is it slow? Is it failing to connect? These can help to define which troubleshooting steps you need to take.


One of the most fundamental network debugging tools is packet capture, or “sniffing.” The syntax of the CLI command is ‘diag sniff packet interface filter level’. The interface is the name of the physical or logical interface; if your account has the access profile super_admin, you can specify the ‘any’ interface. The filters are similar to ‘tcpdump’ on Linux. For level, you can choose from 1 to 6 depending on your requirements. The only output options are the payloads in ASCII and Hexadecimal format. To completely decode the packet and view its content, save the output to a plain text file, convert it to .pcap format, then open it with Wireshark.
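Turning saved sniffer output into a file Wireshark can open, as an added Python example written for this guide (it is not Fortinet’s own conversion script). It parses the hex dump printed at verbosity level 3 or 6, writes a classic .pcap file, and does a minimal Ethernet/IPv4/TCP decode so you can check the result; the capture text in SAMPLE is constructed to mimic the output format, not real device output.

```python
import re
import struct

# A sniffer header line: relative timestamp, optional "intf in|out" (level 6), then the summary
HEADER = re.compile(r"^(\d+\.\d+)\s+(?:(\S+)\s+(in|out)\s+)?(.*)$")
# A hex-dump line: offset, hex words and, after a tab, the ASCII column
HEXLINE = re.compile(r"^0x[0-9a-fA-F]+\s+(.*)$")
HEXWORD = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")

def parse_sniffer(text):
    """Return [(timestamp, frame_bytes, summary), ...] from saved sniffer output."""
    packets, current = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = [float(h.group(1)), bytearray(), h.group(4).strip()]
            packets.append(current)
            continue
        m = HEXLINE.match(line)
        if m and current is not None:
            for word in m.group(1).split("\t")[0].split():
                if not HEXWORD.fullmatch(word):
                    break                        # ASCII column without a tab separator
                current[1] += bytes.fromhex(word)
    return [(ts, bytes(frame), summary) for ts, frame, summary in packets if frame]

def to_pcap(packets, linktype=1):
    """Serialise parsed frames as a classic pcap file (LINKTYPE_ETHERNET = 1)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for ts, frame, _ in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

def decode_ipv4_tcp(frame):
    """Minimal decode of an Ethernet/IPv4/TCP frame: (src, dst, sport, dport, flags)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    names = [n for bit, n in ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"))
             if flags & bit]
    return src, dst, sport, dport, "/".join(names)

# Constructed sample in the level-3 format: the SYN and SYN/ACK of the guide's test connection
SAMPLE = """\
interfaces=[port1]
filters=[host 10.0.1.10]
2.146235 10.0.1.10.39738 -> 10.200.1.254.80: syn 1
0x0000\t 0009 0f09 0002 0009 0f09 0001 0800 4500\t..............E.
0x0010\t 0028 1234 4000 4006 0000 0a00 010a 0ac8\t.(.4@.@.........
0x0020\t 01fe 9b3a 0050 0000 0001 0000 0000 5002\t...:.P......P.
0x0030\t faf0 0000 0000\t......
2.146401 10.200.1.254.80 -> 10.0.1.10.39738: syn 0 ack 2
0x0000\t 0009 0f09 0001 0009 0f09 0002 0800 4500\t..............E.
0x0010\t 0028 5678 4000 4006 0000 0ac8 01fe 0a00\t.(Vx@.@.........
0x0020\t 010a 0050 9b3a 0000 0000 0000 0002 5012\t...P.:......P.
0x0030\t faf0 0000 0000\t......
"""

if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE)
    for ts, frame, summary in pkts:
        print(f"{ts:.6f} {summary} -> {decode_ipv4_tcp(frame)}")
    with open("sniffer.pcap", "wb") as f:       # open this file in Wireshark
        f.write(to_pcap(pkts))
```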


Here are some general examples. Much more can be learnt by reading the man page for tcpdump.


If your model of FortiGate has internal storage, you can capture packets from the GUI. Looking at the content of the packets can help you to see what is abnormal. The options in the GUI are the same as those from the CLI. To run a trace, specify a source interface and a filter. What is the main advantage over the CLI? You can download the output in a file format which can be read by Wireshark, without having to use a conversion script. Any packet capture filter should be very specific in order to avoid writing large amounts of data to disk which will affect performance.


Before, we mentioned that a packet capture does not show why FortiGate may have dropped a packet. This is the purpose of the packet flow. This is an example of ‘diag debug flow’. The first lines enable it, and enable it to print to the console. Next, the filters define which IP address and port numbers to trace the flow for; ‘addr’ implies both source and destination, and ‘port 80’ typically captures HTTP.


Here is output for the previous example, for the three-way handshake.
• Virtual domain ‘root’ receives a packet: the protocol is TCP; destination port 80; source IP 10.0.1.10; destination IP 10.200.1.1. The packet is received on interface ‘port3’.
• FortiOS identifies this as a new session because it does not match any entries in its current session table.
• FortiOS performs a routing lookup, as this is the first packet of the connection; gateway 10.200.1.254 (in this case the destination) is found on interface ‘port1’.
• For the firewall policy match, the interfaces are ‘port3’ to ‘port1’. The hashing function is used for the policy lookup.
• The connection matches policy ID 1 with source NAT enabled. The source address and port for all packets in this connection will NAT to 10.200.1.1:39738.
• The packet is sent to the IPS module. In this case, the IPS security profile is enabled on the firewall policy.
• Next, the reply (SYN/ACK) is received. This is identified as reply traffic for an existing connection. For the first reply packet, a routing lookup occurs.
• Next, the client sends the ACK. This is identified as belonging to an existing connection.


The retransmission of SYN packets is a good indicator of the firewall blocking a connection. However, we don’t know for sure. We could look at the traffic logs, if logging was enabled for the deny policy. What else could we use, though? The packet flow.


Combining debug flow and packet sniffer, we now see which firewall action is blocking this traffic.


To review, here’s all the topics we covered in this lesson.


 Firewall Authentication

In this lesson, we will show you how to use authentication on the firewall policies of a FortiGate. Normal firewall policies involve separating devices based on the IP address or subnet involved. Adding authentication to firewall policies, however, provides a mechanism to make decisions on not just where the device is, but who is using the device.

After completing this lesson, you should have a solid understanding of the mechanics of authentication on a FortiGate as well as some practical skills configuring firewall authentication.

Traditional firewalling grants network access by authenticating the source IP address only. This is inadequate, as the firewall cannot determine who is using the device to which it is granting access. This can pose a security risk. Authentication allows action based on the user, not just the IP address. In this way, inspection rules follow individuals across multiple devices.

Not all available methods of authentication can be used for firewall authentication (for example, certificate-based authentication cannot be used). You can, however, use local password authentication, remote password authentication, and two-factor authentication. Two-factor authentication is slightly different from the others, as it is enabled on top of an existing method—it cannot be enabled without first configuring one of the other methods. In this lesson, we will discuss all three available methods.

The first and simplest method of authentication is Local Password Authentication. User account information (user name and password) is stored locally on the FortiGate device, so there is no lookup to an external server for user validation. Local Password Authentication is the simplest method of authentication to configure, since you only need access to the FortiGate. Other methods of authentication are more complex, as they involve configuring the exchange of information between the FortiGate and a remote server as well as configuring the various users and user groups on the server itself. Troubleshooting in those situations becomes more complicated, as you need to examine both the FortiGate and external server. With Local Password Authentication, you need only examine the FortiGate.

The second method of authentication is remote server authentication (or server-based password authentication). This includes any form of authentication where the final decision on user credentials is made by an external server—not the FortiGate. This method is desirable when multiple FortiGate devices need to authenticate the same users or user groups. With remote server authentication, user information is sent from the FortiGate to a remote server. The remote server then evaluates the information it receives and sends a response. FortiGate examines the server response and consults its own configuration to decide how to handle the traffic. However, it is the server — not the FortiGate — that has final authority over evaluating the user credentials. With Remote Server Authentication, the FortiGate does not store all (or, in the case of some configurations, any) of the user information locally.

Multiple protocols are supported for remote user authentication, including POP3, RADIUS (which includes server authentication and the single sign on method, RSSO), LDAP, and TACACS+. Single sign on (SSO) methods, such as FSSO, NTLM, and RSSO, are also supported for remote user authentication.

With a FortiGate, you can implement Single Sign On (SSO) using FSSO and RSSO. SSO allows a single login event to be used for all authentication and access situations. Without SSO, if a user logs in to a Wi-Fi network, they will need to log in through a firewall policy separately when they try to pass traffic. SSO links multiple authentication events to a single event.

One remote server authentication protocol worth mentioning is POP3, as the login credentials the remote server accepts are different from most other authentication protocols. Most other authentication protocols use the user name. POP3 servers, however, authenticate users based on email address. Some POP3 servers require the full email with domain ([email protected]), others require the suffix only, while still others accept both formats. This is determined by the configuration of the server itself and is not a setting on the FortiGate. You can only configure POP3 authentication through the CLI. You can also use LDAP to validate with email, rather than the user name.

The third, and final, method of authentication for firewalls — which is really just an extension of an existing authentication method — is two-factor authentication. Traditional user authentication requires your user name plus something you know, such as a password. The weakness with this traditional method of authentication is that if someone obtains your user name, they only need your password to compromise your account. Furthermore, since people tend to use the same password across multiple accounts (some sites with more security vulnerabilities than others), accounts are vulnerable to attack, regardless of password strength. Two-factor authentication, on the other hand, requires something you know, such as a password, and something you have, such as a token. This increases the complexity for an attacker to compromise an account, as it puts less importance on often-vulnerable passwords. With this authentication method, security is split between two different options: both a password and a key of some kind.

One-time passwords are one such method you can use with Two-Factor Authentication as “something you have”. FortiToken and FortiToken Mobile (hardware and software respectively) both generate one-time passwords. The passwords for both FortiToken and FortiToken Mobile generate every 60 seconds. You can deliver OTP through alternative methods, other than providing the end user with a token or mobile app. For example, you can send an OTP through email or through an SMS phone message. It is very important that FortiTokens are synchronized with the FortiGate. Otherwise FortiGate cannot predict the correct string to use.

Tokens use a specific algorithm to generate a one-time password. The algorithm has two inputs: a seed, which is a randomly-generated number that does not change over time, and the time, which is obtained from an internal, accurate clock. Both seed and time go through an algorithm that generates a one-time password on the token. The OTP has a short life span, usually measured in seconds (60 seconds for a FortiToken, possibly more/less for other RSA key generators). Once the life span ends, for example after 60 seconds, a new one generates. With two-factor authentication using a token, the user must first log in with a static password followed by the OTP (or code) generated by the token. A validation server (a FortiGate) receives the user’s credentials and validates the static password first. The validation server then proceeds to validate the OTP. It does so by re-generating the same OTP using the seed and system time (which is synchronized with the one on the token) and comparing it with the one received from the user. If the static password is valid, and the one-time password matches, the user is successfully authenticated. Again, both the token and the validation server must use the same seed and have synchronized system clocks. As such, it is crucial that you configure your FortiGate’s date/time properly or link it to an NTP server.
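
As an added example (not code from this guide or from Fortinet), the following Python models the token and the validation server described above: a fixed seed plus the current time produce a 60-second OTP, and the server checks the static password first, then regenerates the OTP from the shared seed and its own clock. It assumes the RFC 6238 TOTP construction (HMAC-SHA1 over a time counter) and a constructed user table; the guide does not describe FortiToken’s internal algorithm, so this is a stand-in with the same inputs.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60  # the guide states FortiToken OTPs rotate every 60 seconds


def generate_otp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Token side: derive a one-time password from the fixed seed and the time.

    Assumption: the RFC 6238 TOTP construction (HMAC-SHA1 over the number of
    60-second steps since the epoch). The guide does not specify FortiToken's
    algorithm; this stand-in only shares its two inputs, seed and time.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the validation server never stores the static password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, seed: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "seed": seed}


def validate_login(users: dict, username: str, static_password: str,
                   otp: str, server_time: int, skew_steps: int = 1) -> bool:
    """Validation-server side, in the order the guide describes: the static
    password is checked first, then the OTP is regenerated from the shared seed
    and the server's own clock and compared with the code the user supplied.

    skew_steps tolerates a small clock difference between token and server; a
    token whose clock has drifted further than that fails, which is why the
    guide insists on an accurate, NTP-synchronised FortiGate clock.
    """
    record = users.get(username)
    if record is None:
        return False
    if not hmac.compare_digest(hash_password(static_password, record["salt"]),
                               record["pw_hash"]):
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = generate_otp(record["seed"], server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, otp):
            return True
    return False


# Constructed sample data: this seed is not a real FortiToken seed.
SEED = b"constructed-example-seed-0123456789"
USERS = {"student": make_user("Sample-Pass-1", SEED)}

if __name__ == "__main__":
    token_time = 1_700_000_000            # the token's clock at login
    code = generate_otp(SEED, token_time)
    print("token shows", code)
    # server clock 20 s behind the token: same 60-second step, still accepted
    print("in sync:", validate_login(USERS, "student", "Sample-Pass-1", code, token_time - 20))
    # server clock one hour off: the regenerated OTP no longer matches
    print("drifted:", validate_login(USERS, "student", "Sample-Pass-1", code, token_time + 3600))
```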

To use a FortiToken, you must first register it on a FortiGate device. Whether it’s a hardware or software token, a serial number is used to provide the FortiGate with details on the initial seed value. If you are using FortiToken Mobile, each FortiGate (and FortiGate VM) allows for two free activations. More than this requires the purchase of activation codes for additional mobile tokens from Fortinet. You cannot register FortiTokens on more than one FortiGate. A deployment like that requires the use of a central FortiAuthenticator. In that case, the FortiTokens are registered on the FortiAuthenticator and not the FortiGate. FortiGate uses FortiAuthenticator as its validation server, which allows the same FortiToken to be used for access on multiple FortiGate devices.

Not all types of authentication involve prompting the user to enter their login credentials. While active authentication (used with LDAP, RADIUS, Local Password Authentication, and TACACS+) prompts the user to manually enter credentials, passive authentication (used with FSSO, RSSO, and NTLM) determines user information without ever asking the user to log in. Passive authentication, therefore, occurs transparently for the user.

Active authentication prompts the user based on two things: the protocol of the traffic they use to try to pass through a firewall, and the firewall policy itself. The policy must specify the authentication protocols allowed, such as HTTP/S, FTP, and Telnet. If the policy that has authentication enabled does not allow at least one of the supported protocols for obtaining user credentials, the user will not be able to authenticate. Passive authentication determines the user identity behind the scenes and does not require any specific services to be allowed within the policy.

You can enable both active and passive authentication. If both active and passive authentication are enabled and a user’s credentials can be determined through passive means, then the user will never receive a login prompt, regardless of the order of any firewall policies. This is because there is no need to prompt the user for active authentication credentials when passive authentication can determine who they are. When active and passive authentication methods are combined, active authentication is intended to be used as a backup only for when passive authentication fails. No one method of authentication is considered more important than another. The first method that can determine a user name for any traffic is the deciding factor. Ultimately that determines how the traffic is handled.

A firewall policy defines and matches traffic going from the source to the destination. An IP address is required as part of the policy configuration for the source and destination. User, user group, and device information can be enabled as well. If enabled, they become part of the source definition for that policy. Accordingly, a source is comprised of source address(es)+source user(s)/group(s)+source device(s).

No service (with the exception of DNS) is allowed through the firewall policy prior to successful user authentication. DNS is allowed because it is a base protocol and will most likely be required to initially see proper authentication protocol traffic. Hostname resolution is almost always a requirement for any protocol. However, the DNS service must still be defined as allowed within the policy in order for it to pass. In the following example, Policy #1 allows users to use external DNS servers on the other side of port2 in order to resolve host names, prior to successful authentication. Therefore, the DNS traffic is allowed through even before authentication happens. It is also allowed if authentication is unsuccessful, as users need to be able to try to authenticate again. Any service that includes DNS would function the same way, like the default ‘ALL’ service. Policy #2, on the other hand, never allows DNS traffic, even after successful authentication. The HTTP service is TCP port 80 and does not include DNS (UDP port 53).

In this example, assuming active authentication is used, any initial traffic from the 10.10.1.0/24 subnet will not match policy #1. Policy 1 looks at the IP as well as the user information, and since the user has not authenticated there is no match. Next, a check is made against policy #2. There is a match and traffic is allowed with no need to authenticate. When only active authentication is used, if all possible policies that could match the source IP have authentication enabled, then the user will receive a login prompt (assuming they use an acceptable login protocol). In other words, if policy #2 also had authentication enabled, the users would receive login prompts. If passive authentication is used and it can successfully obtain user details, then traffic from 10.10.1.0/24 with users that belong to the guest-group will apply to policy #1 even though policy #2 does not have authentication enabled.
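
To make the matching rules on these two slides concrete, here is an added Python model of the lookup (not FortiOS code): a policy’s source is address plus group, a host whose identity is still unknown cannot match an identity-based policy, DNS is the one service that passes before authentication, and a login prompt appears only when every candidate policy needs authentication and the traffic uses a protocol that can carry credentials. The policy table, verdict names, and protocol list are constructed from the example above.

```python
import ipaddress
from dataclasses import dataclass

# Protocols the guide lists as able to carry an active-authentication prompt.
LOGIN_PROTOCOLS = {"HTTP", "HTTPS", "FTP", "TELNET"}


@dataclass(frozen=True)
class Policy:
    pid: int
    src_net: str
    services: frozenset               # service names; "ALL" matches every service
    groups: frozenset = frozenset()   # empty = no authentication on this policy

    def matches_addr_and_service(self, ip, service):
        return (ip in ipaddress.ip_network(self.src_net)
                and ("ALL" in self.services or service in self.services))


def lookup(policies, src_ip, service, known_groups=None):
    """Top-down first-match lookup over the policy table.

    known_groups is the set of groups the firewall has already learned for this
    host (via passive FSSO/RSSO or a completed active login); None means the user
    is still unidentified. Returns (policy id or None, verdict).
    """
    ip = ipaddress.ip_address(src_ip)
    needs_auth = []
    for p in policies:
        if not p.matches_addr_and_service(ip, service):
            continue
        if not p.groups:
            return p.pid, "accept"            # address-only policy: full match
        if known_groups and p.groups & known_groups:
            return p.pid, "accept"            # identity known and in the group
        needs_auth.append(p)                  # identity unknown: not a match yet
    if not needs_auth:
        return None, "implicit-deny"
    first = needs_auth[0]
    if service == "DNS":
        return first.pid, "accept-before-auth"  # DNS passes so a login can proceed
    if service in LOGIN_PROTOCOLS:
        return first.pid, "login-prompt"        # only now does the user see a prompt
    return first.pid, "drop-until-authenticated"


# Constructed policy table mirroring the slide: #1 is identity-based, #2 is not.
POLICIES = [
    Policy(1, "10.10.1.0/24", frozenset({"ALL"}), frozenset({"guest-group"})),
    Policy(2, "10.10.1.0/24", frozenset({"HTTP"})),
]

if __name__ == "__main__":
    print("unidentified HTTP :", lookup(POLICIES, "10.10.1.5", "HTTP"))
    print("passive guest HTTP:", lookup(POLICIES, "10.10.1.5", "HTTP", {"guest-group"}))
    print("unidentified DNS  :", lookup(POLICIES, "10.10.1.5", "DNS"))
```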

If you want all users connecting to the network to authenticate through active authentication, you can enable the captive portal. With captive portal, network interfaces perform authentication at the interface level—regardless of the firewall policy that allows it or the port that it ultimately leaves by (authentication being enabled or disabled on the policy is not a factor). Essentially, a captive portal is a convenient way to authenticate web users on wired or Wi-Fi networks through an HTML form that requests the user’s name and password. You can host a captive portal on a FortiGate device or an external authentication server. The captive portal setting must be enabled on the ingress interface of the traffic. Captive portals are not compatible with interfaces in DHCP mode.

Using the previous example, with captive portal enabled on port 1 all traffic from behind port 1 would receive a login prompt, not just the users in the 10.10.1.0/24 subnet or traffic that may be going somewhere other than port 2. Passive authentication never requires a captive portal, since it obtains user details differently. Only active authentication methods can use the captive portal feature (depending on the configuration).

A firewall policy can have the captive portal suppressed. When suppressed, traffic that matches the source and destination are not presented with the captive portal page. The captive-portal-exempt setting must be enabled in the CLI for each firewall policy and only applies to traffic that matches that policy. The security-exempt-list CLI setting, however, applies those sources at all times, regardless of the firewall policy settings. Depending on the configuration, one option or the other usually results in simplifying your configuration more. Use the option that best fits the requirements of the situation and results in less confusion or ongoing maintenance. You can create and configure security exempt lists only from the CLI. However, you can enable them through the GUI settings.

You can enable disclaimers to be used in conjunction with captive portal, if desired. Disclaimers are not considered authentication or a captive portal, but the two tend to go hand-in-hand. With the authentication and disclaimer setting, the disclaimer appears before the user authenticates and acts as a reminder of the rules for the network. Under this setting, users must accept the terms in the disclaimer in order to proceed with the authentication process. Neither a security exemption list nor a captive portal exemption on a firewall can bypass a disclaimer.

Any time FortiGate is required to jump into the traffic stream (with authentication pages or disclaimers, for example), you can modify the particulars of the block page through the GUI. Editing HTML-related block messages requires knowledge of HTML, to ensure proper positioning and look of the page. The default layout is the Simple View, which hides most of the replacement messages. Use Extended View to show all editable replacement messages.

An authentication timeout ensures users do not authenticate and then stay in memory indefinitely. If users stayed in memory forever, it would eventually lead to memory exhaustion. There are three options for timeout behavior:
• IDLE – Looks at the packets from the host’s IP. If there are no packets generated by the host device in the configured timeframe, then the user is logged out.
• HARD – Time is an absolute value. Regardless of the user’s behavior, the timer starts as soon as the user authenticates and expires after the configured value.
• NEW SESSION – Even if traffic is being generated on existing communications channels, the authentication expires if no new sessions are created through the firewall from the host device within the configured timeout.
Choose the type of timeout that best suits the needs of authentication in your environment.

We’ve mentioned users and user groups several times in this lesson. Now, we’ll take a closer look at how both users and user groups are used by FortiGate for firewall authentication. Before that, however, we’ll give a short refresher on how you create users and groups on an external server, which is useful if Remote Password Authentication is used as a method of authentication.

LDAP is a standard remote authentication protocol currently supported by the FortiGate device. The behavior of LDAP is defined through multiple RFCs. LDAP is an application protocol for distributed directory information services. It can also be viewed as a database that contains user accounts, among other things. The structure of this database is similar to a tree that contains entries (or objects) in each branch. Each of these objects has a unique identifier, which is called the distinguished name (or DN). The objects also have attributes, and each attribute has a name and one or more values. This structure is defined in what is called a “directory schema”.

The hierarchy of an LDAP schema is not required to hold any resemblance to the organization. However, generally the name conventions used and the group structure match with the name of the company and corporate hierarchy very closely.

On the top, we have the root or DC. This is where an LDAP tree always starts, with any schema. After that the groups are defined using C, OU, and/or O. The exact behavior and options used depend on the schema and what exactly is being defined. At the end of the tree is the UID, which contains specific details about a particular user. The full path to find a user contains all of the information necessary in order to locate a user within the tree structure. This means you will need the DN (somewhere to start), the group information (C, OU, O), and the UID.

What you enter for the LDAP configuration depends heavily on the server’s schema and security settings. Windows Active Directory is very common. “Common Name Identifier” is the attribute name to look up in order to find the user name. Some schemas will call this UID; Active Directory calls it ‘sAMAccountName’ or sometimes ‘cn’. “Distinguished Name” identifies the top of the tree to look in. Generally this will be a DC value. The “Bind Type” setting will vary, depending on the security settings of the LDAP server. Normally, this will need to be ‘Regular’, with the credentials being those of a user that is authorized to perform LDAP queries.

To see if a user’s credentials can successfully authenticate or not, you must use the CLI or enable authentication on a firewall policy. The GUI will only test whether the initial LDAP connection to the server is successful or not. Because the GUI only tests success/failure, either look at the server logs or run a packet sniff to see both sides of the LDAP communications so you can find out exactly what is happening. Exact output will vary depending on the hierarchy of the LDAP server that was queried. “diagnose test authserver” can be used to test most (not all) methods of authentication.

RADIUS doesn’t have the same kind of behavior as LDAP, as there is no tree structure to consider. Normal authentication queries with the RADIUS protocol begin with an Access-Request being sent from the FortiGate to the RADIUS server. Valid responses to this are “Access-Accept” and “Access-Reject” (yes and no, effectively). If Two-Factor Authentication is enabled on the server, it will come back with an “Access-Challenge” message, where it is essentially looking for more information. Any other response from the server is not considered to be a valid response.

RADIUS configuration on a FortiGate is straightforward. The server’s location needs to be defined along with the secret that was set up in order for the server to allow remote queries. Backup servers (with separate secrets) can be defined in case the primary server fails.

Testing RADIUS is much the same as LDAP. The GUI can test the connection to the server, but not a user login. Make sure that authentication is operational prior to implementing it on any of your firewall policies. Like LDAP, it reports success, failure, and group membership details depending on the server’s response. Deeper troubleshooting requires server access.

Now that we’ve examined how to create users on the LDAP or RADIUS server, let’s look at how to create the firewall users and groups on the FortiGate. This is the first step to authentication: creating firewall users and groups. You can create firewall authentication users through the Users & Devices > User > User Definition page of the FortiGate GUI. A wizard walks you through the creation process. You are required to define the type of user (Local or Remote) and the user credentials. For remote authentication, you must select the server to authenticate against as well. There are other optional settings available, such as adding contact information, enabling Two-Factor Authentication, or adding the user to a User Group.

Once you’ve made user accounts, you can assign firewall policies to them. But rather than assign firewall policies to act on individual users, you can put users into groups with policies making decisions based on the group itself. These groups are known as user groups. By assigning individual users to the appropriate user groups, you can control access to network resources. You can define both local and remote user groups on a FortiGate device. There are four user group types:
• Firewall
• Fortinet Single Sign On (FSSO)
• Guest, and
• RADIUS Single Sign On (RSSO)

The firewall user groups do not need to match any sort of group that may already exist on a server. The firewall user groups exist solely to make configuration of firewall policies easier. Note that most authentication types have the option to make decisions based on the individual user, rather than just user groups.

As mentioned, one of the four user group types is Guest. Guest groups are user groups that exclusively contain temporary user accounts (the whole account, not just the password), and are most commonly used in wireless networks. Guest accounts expire after a predetermined amount of time. You can automatically create guest users on the fly, or manually create them through an admin user. You can create special admin users that only have access to create and manage guest user accounts.

You can configure user groups through the FortiGate GUI under User & Device > User > User Group. You must specify the user group type, the local users that belong to the group, and the remote authentication server(s) that contain the users that belong to the user group. User groups simplify your configuration if you want to treat specific users in the same way, for example, if you want to provide all Accountants with access to the same network resources. If you want to treat all users differently, you would need to add all users to firewall policies separately.

Once you’ve created firewall users and groups, you can move on to configuring the policies. IP information is part of the source definition for a policy in combination with any configured user and groups specified. Just because a user is in a group does not mean they can only be referenced by using the group.

After creating firewall policies, you can monitor access of your firewall users. To keep track of who is authenticated through the firewall policies there is a User Monitor section in the GUI located under User & Device > Monitor > Firewall. The User Monitor screen displays who has authenticated through the firewall policies of your FortiGate device at any given moment. It does not include administrators, because they are not authenticating through firewall policies that allow traffic — they are logging directly into the FortiGate. This feature also allows you to de-authenticate a user or multiple users simultaneously.

There are no events logged for successful or failed login attempts through a firewall policy. Users that log in successfully show up in the monitor. Those that do not are prevented from passing through the firewall. Once a user is successfully logged in, all further logs generated from the host automatically begin to contain their user information. Default reports and charts are set up so that the source adjusts to be the user or the IP if there is no authentication. You can find the list of possible log events that can show up in the Log & Report > Event Log > User section in the Log Message Reference Guide on the doc.fortinet.com website.

In this lesson, we discussed:
• Authentication, what it is and how it works
• Three methods of authentication, specifically Local Password Authentication, Remote Password Authentication, and Two-Factor Authentication
• The different authentication protocols
• One-time passwords and tokens
• Authentication types (active and passive)
• Authentication policies
• Captive Portal and disclaimers
• Authentication timeout
• Users/user groups, both in regards to an external LDAP or RADIUS server and through the FortiGate, and
• How to monitor firewall users

 SSL VPN

In this lesson, we will show you how to use and configure SSL VPN. SSL VPNs are an easy way of providing access to your private network for remote users.

After completing this lesson, you should have these practical skills that you can use to configure an SSL VPN for your organization.

A virtual private network enables users to remotely and securely access private resources as if they were locally connected. It is generally used to transmit private information safely between LANs separated by an untrusted public network such as the Internet, so it is not only implemented for providing access to mobile users, but also for interconnecting geographically dispersed networks across the Internet. The user data travelling inside a VPN tunnel is encrypted, so it cannot be intercepted by unauthorized users. VPNs also use security methods to ensure that only authorized users can establish the VPN and access the private network’s resources.

The most common types of VPN are SSL VPN and IPsec VPN. SSL VPNs are commonly used to secure web transactions. Clients connect to a web portal and log in. It is essentially meant to connect a PC to a private network. This approach is simple in that users only need a regular web browser to connect and are not usually required to install any kind of special software or go through a complex setup. They simply need to access an HTTPS web site and log in. This makes SSL VPN an ideal solution for users who are either not technically skilled, or who need to connect from public computers. IPsec is also used to connect a PC to a private network. However, there are some important differences. Firstly, SSL VPN access is through a web portal, whereas IPsec access is not. Secondly, IPsec is a standard protocol supported by most vendors, so a VPN session can be established not only between two FortiGate devices, but also between different vendors’ devices. By comparison, SSL VPN can only be established between a client PC and an end device. In this lesson, we are going to focus on SSL VPN.

Web-only mode is used to connect using HTTPS to the FortiGate device from any browser. Once connected, users need credentials in order to pass an authentication check. Once authenticated, users are presented with a portal that contains possible resources for them to access. Different users can have different portals with different resources and access permissions. One of the widgets contains links to all or some of the resources available for the user to access. Another widget allows users to type the URL or IP address of the server they want to reach. A Web-only SSL VPN user makes use of these two widgets to access the internal network. The main advantage of Web-only mode is that it is clientless. This means the user is not required to install any client VPN software to obtain access. However, Web-only mode has two main disadvantages: First, all interaction with the internal network must be done from the browser exclusively (through the web portal). External network applications running on the user’s PC cannot send data across the VPN. Second, only a limited number of protocols are supported, such as HTTP/HTTPS, FTP, RDP, SMB/CIFS, SSH, Telnet, VNC, and Ping.

Tunnel mode access begins in much the same way as Web-only mode. Users must connect to the FortiGate through HTTPS and successfully authenticate. They are then presented with a web page that has various options, including a widget to activate tunnel mode. By clicking “Connect”, a tunnel is established between the PC and the FortiGate device. Inside the tunnel, IP traffic is encapsulated over HTTPS and sent to the other side. The FortiGate device receives the traffic and de-encapsulates the IP packets, forwarding them to the private network as if they originated from the inside. The main advantage of Tunnel mode over Web-only mode is that, once the VPN is established, any IP network application running on the client can send traffic across the tunnel. The main disadvantage is that this requires the installation of a VPN software client, which requires administrative privileges. If the VPN client is not installed when the user accesses the SSL VPN web portal, the “Tunnel Mode” widget offers the option to download and install it.

Tunnel mode can operate in two ways: with or without Split Tunneling. When Split Tunneling is disabled, all IP traffic generated by the client PC (including Internet traffic) is routed across the SSL tunnel to the FortiGate, which becomes the host's default gateway. Use this method when you want to apply UTM features to the SSL VPN clients' traffic, or to monitor or restrict their Internet access. The cost is more latency and more bandwidth consumed on the FortiGate's WAN link. When Split Tunneling is enabled, only traffic destined for the private network(s) behind the FortiGate is routed across the tunnel; everything else leaves the client directly. The client is then attached to both the Internet and the private network at once, and its Internet traffic is not inspected by the FortiGate, so the choice is a security trade-off, not only a performance one.


There are two ways to bring up an SSL VPN tunnel. The first is through a browser. The limitation is that the browser window or tab with the SSL VPN portal must remain open to keep the tunnel up. The second is through the standalone SSL VPN client. With the standalone client the browser is not needed to maintain the tunnel, but the client has to be installed. When the SSL VPN client is installed, a virtual network adapter called fortissl is added to the user's PC. This virtual adapter dynamically receives an IP address from the FortiGate each time a new VPN is established, and all packets the client sends through the tunnel use this virtual IP address as their source.


Because tunnel mode requires installing a virtual network adapter, which needs administrator-level access, it is not always feasible. For situations where tunnel mode isn't practical and web-only mode isn't flexible enough, there is a web-only extension called port forward mode. Rather than using a virtual adapter to create a tunnel with an IP address separate from the local one, port forward mode uses a Java applet to set up a local proxy on the user's PC. The application is pointed at a port on the loopback address (127.0.0.1), and the applet relays that traffic through the SSL VPN to the configured internal host and port. This requires a browser that is able to run Java applets.


Of Web-only and tunnel mode, tunnel mode is the most versatile, as it supports any IP application. However, it requires admin/root privileges to install a VPN client. You can establish the tunnel either through a browser or by using the standalone VPN client. Web-only, on the other hand, is clientless but does not support all IP applications the way tunnel mode does; you can connect only through a browser, and only through one connected to the SSL VPN portal. Port Forward (an extension of Web-only) supports some additional IP applications, but it requires users to reconfigure each application to send its traffic to the Java applet acting as a local proxy. The final decision about which mode to use depends on many factors, such as the technical knowledge of the users, the type of network applications, and whether admin access to the users' PCs is possible.


When users log in to their individual portal, there is an option that allows them to create their own bookmarks (known as frequently used connections). An administrator must enable the user bookmark option; once it is enabled, users can create and modify their own bookmarks from the portal. Administrators can view and delete bookmarks a remote user has added, in the GUI under VPN > SSL > Personal Bookmarks. This lets administrators monitor and remove unwanted bookmarks that do not meet corporate policy. From the CLI of the FortiGate, administrators can create bookmarks for individual users. These bookmarks appear even if the user bookmark option is disabled in the portal, as that option only affects the users' ability to create and modify their own bookmarks.


Depending on the type of bookmark an administrator wants to create, additional information may be needed during configuration, such as the URL for a website or the folder for an FTP or SMB share. Only three bookmark types can be used with the Port Forwarding method (the extension of web-only mode): citrix, portforward, and rdpnative. Citrix and RDP native are specific to that kind of traffic. Portforward is a generic type of bookmark that you can customize to suit the traffic: you specify the internal host and port, and the local port on which the Java applet listens.


Instead of adding bookmarks only on a per-user basis, administrators can also add bookmarks per portal, so they appear for all users who log in to that portal. These bookmarks use exactly the same configuration options as personal bookmarks, but can be configured from the GUI rather than the CLI. Users cannot modify administrator-added bookmarks, whether they were created per user or per portal.
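The following CLI fragment is an added example, not configuration from the original guide. It shows the bookmark types just discussed as they are written from the CLI: portal-level bookmarks in the portal's bookmark group (web, SMB and a generic portforward entry), and one personal bookmark created by the administrator for a single user. The portal name, host addresses, ports and user name are assumptions, and the "<portal>#<user>" naming of the personal bookmark object is what FortiOS 5.2 uses to tie a bookmark to a user; verify it against the CLI reference for your build.

```fortios
# Added example, not part of the original guide. Names, addresses and ports are
# assumptions; check syntax against the FortiOS 5.2 CLI reference for your build.

# Portal-wide bookmarks: shown to every user who lands in this portal.
config vpn ssl web portal
    edit "student-portal"
        set web-mode enable
        # user-bookmark only controls whether users may add their own entries;
        # administrator-created bookmarks appear regardless of this setting.
        set user-bookmark disable
        # Restrict which application types this portal may reach at all.
        set allow-user-access web ftp smb rdp ssh portforward
        config bookmark-group
            edit "gui-bookmarks"
                config bookmarks
                    # Web-only mode: reverse-proxied through the portal.
                    edit "Intranet"
                        set apptype web
                        set url "https://intranet.corp.example/"
                    next
                    edit "Share"
                        set apptype smb
                        set host "10.0.1.20"
                        set folder "public"
                    next
                    # Port forward: the Java applet listens on 127.0.0.1:2222 and
                    # relays to 10.0.1.30:22; the user points an SSH client at
                    # localhost:2222.
                    edit "SSH-jump"
                        set apptype portforward
                        set host "10.0.1.30"
                        set listening-port 2222
                        set remote-port 22
                    next
                end
            next
        end
    next
end

# Personal bookmark created by the administrator for user "student1".
# Object name format "<portal>#<user>" (assumption; verify for your build).
config vpn ssl web user-bookmark
    edit "student-portal#student1"
        config bookmarks
            edit "Lab-RDP"
                set apptype rdp
                set host "10.0.1.40"
                set port 3389
            next
        end
    next
end
```

The allow-user-access list is the control worth noticing: a bookmark of a type the portal does not allow is useless to the user, so the list, not the bookmarks, is what bounds what web-only users can reach.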


To add flexibility to your SSL VPN deployment, consider configuring Realms. Realms are custom login pages, usually for user groups such as your Accounting team and your Sales team, but they can also be for individual users. With realms, users and user groups reach different portals based on the URL they enter, unlike a default deployment, where SSL VPN login is handled by going directly to the FortiGate's IP address. With different realms you can customize each login page separately and limit concurrent user logins separately. Example of realms on a FortiGate (the realm name is the URL path):

https://192.168.1.1
https://192.168.1.1/Accounting
https://192.168.1.1/TechnicalSupport
https://192.168.1.1/Sales


Because SSL VPN lets people outside your network reach resources inside it, you must take appropriate measures to ensure the safety and security of the information in your network. There are multiple options and settings available to help secure SSL VPN access. In this lesson, we cover client integrity checking and restricting host connection addresses.


When a user connects to your network through SSL VPN, a session is established between your network and the user's PC. The VPN session is secured natively in two ways: the connection is encrypted, and the user must log in with credentials such as a user name and password. You can configure additional checks to increase the security of the connection. One method is client integrity checking. Client integrity ensures, to some extent, that the connecting computer is secure by checking whether specific security software, such as antivirus or firewall software, is installed and running. This feature supports only Microsoft Windows clients, because it queries the Windows Security Center to perform its checks. You can also customize the feature to check the status of other applications by their Globally Unique Identifier (GUID), the unique ID under which Windows registers each application in the Registry. Client Integrity can also check the software and signature versions of the antivirus and firewall applications. Note that this is a posture check reported by the client, not a cryptographic attestation of the endpoint's state.


The Client Integrity check is performed while the VPN is still being established, just after user authentication has finished. If the required software is not running on the client PC, the VPN connection attempt is rejected even with valid user credentials. Client Integrity is enabled per web portal, and only through the CLI. The list of recognized software, along with the associated registry key values, is available through the CLI. Software is split into three categories: AntiVirus (av), Firewall (fw), and Custom. Custom is used for customized or proprietary software that an organization may require. The disadvantage of enabling Client Integrity checking is the administrative overhead it can create. First, all users must have their security software up to date in order to connect. Second, software updates can change the registry key values, which can also prevent a user from connecting. Administrators therefore need in-depth knowledge of the Windows operating system and its registry behavior to make extended use of this feature and to maintain it.


The second method you can use to secure SSL VPN access is restricting host connection addresses. Not every IP address needs, or should be allowed, to reach the login page. This method lets you define rules that restrict access from specific source IP addresses. One simple rule is to allow or deny connections based on the geographic location of the source address, using a geography address object. The default allows all IPs to connect. From the CLI, you configure the restriction in the VPN SSL settings, either as a list of allowed sources or, with the negate option, as a list of denied sources.
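The CLI fragment below is an added example, not from the original guide, and ties together the two hardening measures of this lesson: a client integrity requirement on one portal, and a source-address restriction on the SSL VPN listener. The object names, the GUID value and the country code are assumptions.

```fortios
# Added example, not part of the original guide. Object names, the GUID and the
# country code are assumptions; verify syntax against the CLI reference for your build.

# 1. Register the product that must be running on the Windows client. The GUID is
#    the product's identifier as reported by the Windows Security Center; the value
#    below is a placeholder and must be read from a real, healthy workstation.
config vpn ssl web host-check-software
    edit "Corp-Endpoint-AV"
        set type av
        set guid "{00000000-0000-0000-0000-000000000000}"
        set version "12.0"
    next
end

# 2. Require it per portal. "av-fw" accepts any Security Center registered antivirus
#    plus firewall; "custom" requires exactly the products named in host-check-policy.
config vpn ssl web portal
    edit "student-portal"
        set host-check custom
        set host-check-policy "Corp-Endpoint-AV"
    next
end

# 3. Limit who can reach the login page at all. A geography address matches the
#    source IP's country. Here only one country is allowed (an allow-list); set
#    source-address-negate to enable to turn the same list into a block-list.
config firewall address
    edit "geo-CA"
        set type geography
        set country "CA"
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set source-address "geo-CA"
    set source-address-negate disable
end
```

An allow-list is the safer of the two shapes: a block-list protects only against the countries you thought of, while an allow-list fails closed when a new source appears. Remember that the host check is enforced by the client software and can be defeated by a determined user with control of the endpoint; treat it as hygiene, not as proof.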


To monitor remote user connections, view the SSL VPN Monitor table in the GUI under VPN > Monitor > SSL VPN Monitor. This table shows all the SSL VPN users currently connected to the FortiGate, with their user names, IP addresses, and connection times. A subsession row below a user means the user has brought up an SSL VPN tunnel; no subsession row means the user is connected only to the web portal page. Whether the tunnel was activated with the Web Portal widget or the standalone client, it appears the same way in the SSL VPN Monitor table.


When an SSL VPN is disconnected, either by the user or by the SSL VPN idle timeout, all associated entries in the FortiGate session table are deleted. This prevents reuse of an authenticated SSL VPN session that has not yet expired after the initial user terminates the tunnel. The SSL VPN idle setting is not the same as the firewall authentication timeout setting; it is a separate idle option specifically for SSL VPN users. A remote user is considered idle when the FortiGate does not see any packets or activity from the user within the configured timeout period.


There are four mandatory steps to configure SSL VPN. A fifth step is optional and is needed only to allow access to internal resources. The steps do not need to be done strictly in this order; however, there are several places where, if certain objects have not been created first, you are prevented from completing the configuration.


The first step is to create the accounts and user groups for the SSL VPN clients. User and group creation was covered in the Firewall Authentication module. All the FortiGate authentication methods except FSSO can be used for SSL VPN authentication: Local Password Authentication and Remote Password Authentication (using LDAP, RADIUS, TACACS+, or POP3). Two-Factor Authentication, with or without FortiToken, is also supported.


The second step is to configure the portal. A portal is simply a web page that contains the tools and resource links for users to access. Options on the portal, such as tunnel mode, the link to download FortiClient, and predefined bookmarks, can be enabled or disabled to allow or deny access. You can configure each portal individually and link it to a specific user group and/or user so that users only have access to the resources they need. Several theme options provide different color schemes for the portals as well.


This is a sample SSL VPN portal page after the user logs in. It contains various widgets, depending on the portal's configuration. The "Bookmarks" and "Connection Tool" widgets are for web-only mode. The "Tunnel Mode" widget activates tunnel mode through the browser. The standalone client can connect to the tunnel directly, though the user must have access to a portal that offers the client for download.


The third step in configuring SSL VPN is the general settings. First the connection settings, then the tunnel mode client settings, and finally the authentication portal mapping. As with any other HTTPS web site, the SSL VPN portal presents a digital certificate when users connect. By default, the presented certificate is self-signed, which makes the browser show a certificate warning. To avoid the warning, use a certificate signed by a Certificate Authority (CA) that the browser already trusts. Alternatively, you can import the FortiGate's certificate (or your private CA) into the browser's trust store. Certificates are covered in more detail in the 'Certificate Operations' lesson. Do not train users to click through the warning: a user who habitually accepts an untrusted certificate cannot tell the real portal from an attacker's copy. By default, an inactive SSL VPN is disconnected after 300 seconds (5 minutes). You can change this timeout through the Idle Logout settings in the GUI; it is separate from the authentication idle timeout discussed in the firewall authentication lesson. Also by default, the SSL VPN portal listens on port 443, so users connect with HTTPS to the FortiGate's IP address on port 443, which is also the standard port for HTTPS administration.


In a default configuration, the SSL VPN login portal and the HTTPS administrator login both use port 443. This is convenient because users do not need to specify the port in the browser: https://www.example.com/ uses port 443 in any browser. It is considered a valid setup on the FortiGate because you generally do not enable the SSL VPN login on every interface, and likewise you generally do not enable administrative access on every interface. So even though the ports overlap, the interfaces each service listens on may not. If SSL VPN and HTTPS admin access use the same port and are both enabled on the same interface, only the SSL VPN login portal appears. To reach both on the same interface, change the port number of one of the services; the change applies to that service on all interfaces. (The SSL VPN port is set in the VPN SSL settings; the administrative HTTPS port is the global admin-sport setting.)


Once the connection settings are in place, define the Tunnel Mode settings. When users connect, the tunnel is assigned an IP address from the configured pool. You can use the default range or create your own. The size of the range determines how many users can connect concurrently in tunnel mode. The DNS servers you specify are only effective if DNS traffic is sent over the tunnel, which is generally the case only when split tunneling is disabled and all traffic from the client PC crosses the tunnel.


The last part of step three is to set up the authentication rules that map users to the appropriate portal and realm. These rules allow different groups of users to reach different portals and/or realms. The default rule applies to the root realm and must be present; otherwise an error message appears and no setting changes can be saved. In the example on the slide, accountants and teachers only have access to their own realms. If they also need access to the root realm to see the student portal, you must add another authentication rule.


The fourth, and last, mandatory step is creating the firewall policies for login. SSL VPN traffic on the FortiGate uses a virtual interface called ssl.<vdom_name>. Each VDOM has its own virtual interface named after it; if VDOMs are not enabled, the device operates with a single VDOM called root, so the interface is ssl.root. VDOMs are covered in more detail in the FCNSP module on Virtual Networking. To activate the portal and allow users to log in, there must be a firewall policy from the SSL VPN interface to the interface that is listening for SSL VPN logins, with all the users/groups that may log in as the source. If multiple interfaces listen for logins, all of them must be covered, either in separate policies or in the same policy. Without such a policy, no login portal is presented to users.


In this example, there are three user groups that log in remotely: Teachers, Accountants, and Students. To enable authentication, create a firewall policy with ssl.root as the source interface and those three groups as the source. That policy enables the login portal and allows those groups to authenticate. It also allows them to reach resources and bookmarks beyond the wan1 interface. Without a firewall policy from ssl.root to the interface the user connects to, no login portal is presented. If tunnel mode users need resources behind other interfaces, create additional policies that allow traffic from ssl.root to exit those interfaces. If internal resources are allowed to initiate traffic to hosts on the other side of the SSL tunnel, policies in the reverse direction must also be in place.


As an optional step, you can create firewall policies for traffic to the internal network. All traffic generated by SSL VPN users exits from the ssl.<vdom_name> interface, not only tunnel mode traffic but also traffic generated by the widgets on the web portal page. The policy discussed in step four allows login and access to external resources; separate policies must be created to allow users to reach resources inside the network.
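The complete configuration for the five steps, written out as CLI, is an added example and not part of the original guide. It builds one "Students" group, a portal with tunnel mode and split tunneling, the realm, the settings with the SSL VPN moved to port 10443, the authentication rule, the login policy and the optional internal-access policy. Interface names (wan1, internal), addresses and object names are assumptions; SSLVPN_TUNNEL_ADDR1 is a FortiOS default address object.

```fortios
# Added example, not part of the original guide. Interface names, addresses and
# object names are assumptions; verify syntax against the CLI reference for your build.

# Step 1: accounts and groups (local password here; LDAP/RADIUS groups work the same).
config user local
    edit "student1"
        set type password
        set passwd "use-a-long-random-passphrase"
    next
end
config user group
    edit "Students"
        set member "student1"
    next
end

# Step 2: the portal. Web mode plus tunnel mode with split tunneling, so only
# 10.0.1.0/24 is routed into the tunnel. Disable split-tunneling to force all
# client traffic, Internet included, through the FortiGate for inspection.
config firewall address
    edit "internal-lan"
        set subnet 10.0.1.0 255.255.255.0
    next
end
config vpn ssl web portal
    edit "student-portal"
        set web-mode enable
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "internal-lan"
        set dns-server1 10.0.1.10
        set theme blue
    next
end

# Step 3: realm and settings. Port 10443 leaves 443 to HTTPS administration on the
# same interface (the admin port itself is "config system global / set admin-sport").
# The realm name is the URL path: students log in at https://<wan1-ip>:10443/Students
# Replace Fortinet_Factory with a CA-signed certificate to avoid browser warnings.
config vpn ssl web realm
    edit "Students"
        set max-concurrent-user 50
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 10443
    set idle-timeout 300
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "Students"
            set portal "student-portal"
            set realm "Students"
        next
    end
end

# Step 4: the login policy, ssl.root to the listening interface. Without it no
# portal is shown. It also lets tunnel users reach the Internet through wan1.
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Students"
        set nat enable
    next
# Step 5 (optional): tunnel-mode and web-portal traffic into the internal LAN.
    edit 0
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "internal-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "Students"
    next
end

# Verify with "get vpn ssl monitor": logged-in users are listed, and tunnel users
# show a sub-session carrying their pool address.
```

Two things to check after pasting: the authentication rule must list the same group that the policies list, or users authenticate but never match a policy; and the step 4 policy's destination is wan1, so an Internet-bound tunnel user is NATed out the WAN link, which is exactly the path you must inspect with UTM profiles when split tunneling is disabled.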


In this lesson, we discussed:
• What SSL VPN is and how it operates
• Differences between SSL VPN and IPsec VPN
• Web-only mode, tunnel mode (including split tunneling), and port forwarding
• Methods of connecting to SSL VPN tunnels
• Portals, bookmarks, and realms
• Securing SSL VPN access through client integrity checking and restricting host connection addresses
• Monitoring SSL VPN users
• Configuring SSL VPN


 Basic IPsec VPN

In this lesson, we will show you how to set up a site-to-site IPsec VPN. VPNs are heavily used in today's IT infrastructure to join private corporate networks across the Internet. IPsec is an IETF standard, so whether you have only FortiGate devices or mix in another vendor's devices, the principles are essentially the same.


After completing this lesson, you should have the practical skills to set up a simple IPsec tunnel for a site-to-site VPN. Along the way, we explain how to choose between a policy-based and a route-based VPN. You will also learn how to verify the status of each tunnel.


A Virtual Private Network (VPN) allows people in remote places, separated by the Internet, to securely access resources on your local network. For example, if workers are traveling or working from home, you can use a VPN to give them LAN access. You can also use a VPN to interconnect multiple campuses. There are multiple types of VPN: PPTP, L2TP, SSL VPN, and IPsec are popular choices.
• PPTP is fast, but its security is weak and easily defeated.
• IPsec requires a gateway or the installation of client software, so it is more complicated to set up for mobile users than SSL VPN, where they can simply use their web browser.
• SSL VPN is designed for tunnels between a single client and a LAN, not between entire offices.
Because of this, many networks now use a combination of SSL VPN for mobile user access and IPsec or L2TP for tunnels between offices. Often, "tunnel" is used as a synonym for "VPN," although not all VPNs are technically tunnels, as we will see in a minute.


When should you use IPsec? What is it? It is a vendor-neutral set of protocols used to join two physically distinct LANs as if they were a single logical LAN, despite being separated by the Internet. In theory, the RFCs (RFC 4305, for example, which lists NULL encryption among the required algorithms) do support null encryption, that is, VPNs that do not encrypt traffic; they also allow null data integrity. Does that offer any advantage over plain traffic? No. Nobody can trust traffic into which an attacker may have injected data, and nobody wants private data such as credit card transactions and medical records exposed. So in reality, regardless of vendor, IPsec VPNs almost always provide three benefits:
• Authentication, to verify the identity of at least the initiator (and usually also the responder);
• Data integrity, through an HMAC, to prove that encapsulated data has not been tampered with as it traverses a potentially hostile network;
• Confidentiality, through encryption, to ensure that only the intended recipient can read the message.
And, of course, VPNs have virtual routing and network settings to use when joined to the remote LAN.


When we say "the IPsec protocol," what layers and protocols are we talking about? IPsec inserts itself above the third layer, IP. What gets encapsulated depends on the mode. IPsec can operate in two modes: transport mode or tunnel mode.
• Transport mode directly encapsulates what would usually be the fourth layer (TCP, for example) and above. Once the IPsec encapsulation is removed, there is no additional IP layer left to route, which is why it is also called "direct peer-to-peer" or "client-to-client." So this mode is not technically a "tunnel," even though many people use "VPN" and "tunnel" interchangeably. ("Tunneling" technically means encapsulating an IP packet inside another IP packet.) Transport mode does not traverse NAT well, especially carrier-grade symmetric NAT, and depending on the case may require NAT Traversal, an ALG or hole punching, or may not work at all, because the port numbers are inside the encrypted ESP payload.
• Tunnel mode is a true tunnel. Encapsulation first adds a second IP header, then the original transport layer (TCP, UDP, etc.). The inner IP header carries private addresses that are routable on the remote network. Once the IPsec packet reaches the remote LAN and is "unwrapped," the inner packet continues on its journey.
To fit an IPsec packet into the frame, when FortiGate applies ESP, one payload may be split into two packets. So you do not need to adjust the frame MTU, but you may need more bandwidth for VPN traffic.


Let's look at the two methods of encapsulation. Which should you choose? Why might some extra bandwidth be needed? Why is NAT traversal necessary? The blue underlined parts of each packet on the slide are the additional bytes required by ESP; they differ between transport and tunnel mode. Relative to a non-IPsec packet, notice that the green Layer 4 transport area of the frame is now shorter. Remember, the 1500-byte default frame MTU has not changed. Payload length is variable and filled with padding, so this does not always matter. But if the additional ESP bytes make the packet payload no longer fit, FortiGate must split the payload across multiple frames. IKE travels in separate packets, too, and also requires additional bytes to be transmitted. You are trading some bandwidth for:
• Security, and
• Routability (in the case of tunnel mode).
Notice that after you remove the VPN-related headers, a transport mode packet cannot be transmitted any further: it has no second IP header inside, so it is not routable. That is fine if the packet is decrypted at an endpoint such as the FortiGate itself (think of encrypted Syslog tunnels, and special cases such as multicast, GRE over IPsec, and L2TP over IPsec for Windows/Android clients), but not usually if there are more router hops before the packet reaches its destination. For those purposes, you need tunnel mode instead. Notice, too, that the TCP or UDP port numbers are inside the ESP payload and are encrypted, so NAT cannot rewrite them for port forwarding or port overloading.


Because encapsulation styles and other settings vary, and any mismatch causes the VPN to fail, FortiOS 5.2 introduced VPN templates. You can use these to simplify VPN setup, reducing the guesswork about which settings are compatible between devices. But sometimes you may need to create a tunnel manually, or pass it through a NAT device. So let's show you how.


If you are passing your VPN through NAT devices such as firewalls, it helps to know which protocols to allow. Really, "IPsec" means three separate protocols:
• IKE, which authenticates peers, exchanges keys, and negotiates the encryption and integrity algorithms that will be used; essentially the "control channel." It runs over UDP port 500 (and UDP port 4500 when NAT traversal is in use).
• AH, the Authentication Header (IP protocol 51): the integrity checksums that verify the data has not been altered.
• ESP, the Encapsulating Security Payload (IP protocol 50): the encrypted payload, essentially the "data channel."
So if you need to pass IPsec traffic through another firewall, remember that allowing just one protocol or port number is not enough. Note that although the IPsec RFCs define AH, it does not offer encryption, an important benefit, so FortiGate does not use it. As a result, you do not need to allow IP protocol 51. To make a VPN, configure matching settings on both ends, whether the VPN is between two FortiGates, between a FortiGate and FortiClient, or between a third-party device and a FortiGate. If the settings do not match, tunnel setup fails.


Let’s talk about how FortiGate starts an IPsec tunnel. If you’re creating a custom VPN tunnel, it will help you to understand which settings to use, and how tunnels work.


On FortiGate, there are two ways a packet can initiate an IPsec VPN: by matching a route, or by matching a policy. (In older documentation, route-based used to be called "interface-based," and policy-based used to be called "tunnel-based.") How do you know when to use policy-based or route-based? Generally, try to use route-based. It offers more flexibility and control: you can implement complex routing scenarios, such as policy-based routing of tunneled traffic, dynamic routing protocols over the tunnel, or GRE over IPsec. In comparison, policy-based VPNs must be used when the FortiGate is in transparent mode, or if the other peer requires L2TP over IPsec.


In addition to different limitations, the configuration is different.
• In a route-based VPN, FortiGate automatically adds a virtual interface named after the Phase 1. Two firewall policies with the action ACCEPT are usually required: one for sessions originating on the local network, and another for sessions from the remote network. You also need to route the VPN traffic to the virtual interface, usually with a static route.
• In a policy-based VPN, only one firewall policy with the action IPSEC is required. The policy is bidirectional. By default, the GUI hides policy-based VPNs; to show policy-based VPN settings, use the CLI setting "set gui-policy-based-ipsec enable" under "config system settings".
Both sides of the VPN do not need to use the same mode. You can configure one peer as route-based and the other as policy-based. But the Phase 1 and Phase 2 settings must match.


If you have a simple case, like the site-to-site scenario in this lesson, use the VPN wizard. If you need to tailor your VPN settings, you can still create a custom VPN. When making a route-based VPN manually, one additional step is usually required: you must also create a route that directs VPN traffic to the new IPsec virtual interface. (The wizard does this automatically.)


When the VPN wizard is completed, FortiGate automatically creates many of the required objects:
• Addresses and address groups
• Static routes
• Policies
• Phase 1 and Phase 2 settings
To immediately check the status of your tunnel, click "Show Tunnel List." This can be your first test of whether your VPN is working.
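The objects the wizard creates for a route-based site-to-site tunnel, written out as explicit CLI, are shown below as an added example that is not part of the original guide. The local LAN 10.0.1.0/24 sits behind "internal", the remote LAN is 10.0.2.0/24, and the peer is 203.0.113.2 reached through "wan1"; all names and addresses are assumptions, and the blackhole route is an addition beyond what the wizard creates. The remote FortiGate mirrors this with the subnets and remote-gw swapped.

```fortios
# Added example, not part of the original guide. Names and addresses are assumptions;
# verify syntax against the CLI reference for your build.

# Phase 1 (IKE SA). The Phase 1 name becomes the virtual interface name.
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 1
        set mode main
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 86400
        set remote-gw 203.0.113.2
        set psksecret "replace-with-a-long-random-psk"
    next
end

# Phase 2 (IPsec SA). The selectors must mirror the peer's.
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
end

# Route the remote LAN into the tunnel interface. The second, blackhole route with
# a worse distance is not created by the wizard: it keeps traffic for 10.0.2.0/24
# from leaking out the default route in clear text while the tunnel is down.
config router static
    edit 0
        set dst 10.0.2.0 255.255.255.0
        set device "to-branch"
    next
    edit 0
        set dst 10.0.2.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Two ACCEPT policies, one per direction. (A policy-based VPN would instead use a
# single "set action ipsec" policy, visible in the GUI only after
# "config system settings / set gui-policy-based-ipsec enable".)
config firewall address
    edit "local-lan"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "branch-lan"
        set subnet 10.0.2.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "local-lan"
        set dstaddr "branch-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "to-branch"
        set dstintf "internal"
        set srcaddr "branch-lan"
        set dstaddr "local-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# First checks, the CLI equivalent of "Show Tunnel List":
#   get vpn ipsec tunnel summary
#   diagnose vpn ike gateway list
#   diagnose vpn tunnel list
```

If the tunnel stays down, compare the Phase 1 and Phase 2 proposal, DH group and selectors line by line with the peer before anything else; a mismatch in any one of them is the usual cause, and "diagnose debug application ike -1" followed by "diagnose debug enable" shows which one the peer rejected.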


How does FortiGate bring up a VPN? Let's begin with Internet Key Exchange, also called IKE, Phase 1. This is when each endpoint of the tunnel, the initiator and the responder, connects and begins to set up the VPN. When they first connect, the channel is not yet secure: an attacker in the path could read anything sent in the clear, and neither end has a strong guarantee of the other's identity. So how can they exchange sensitive keys? They can't directly. First, both ends create a temporary secure channel, which they use to protect strong authentication and to negotiate the "real" keys for the "real" tunnel later. Let's show how this works.


This is Phase 1, where the peers say hello and create an IKE SA that defines a temporary secure channel. What is an SA? A security association is simply the set of algorithms and parameters used to encrypt and authenticate data between two points. The settings must agree; otherwise Phase 1 fails, because each side would be unable to decrypt or authenticate traffic from the other. Phase 1 can run in aggressive mode, where the initiator sends its proposal, key exchange material, and identity in the first message, which leaves no room to negotiate the Diffie-Hellman group and exposes peer identities before encryption starts, or in main mode, which uses more messages but negotiates the proposal and protects the identities. Details are in the advanced IPsec lesson. In Phase 1, the FortiGate IKE SA is a secure channel used for:
• the Diffie-Hellman exchange and key material that Phase 2 builds on, and
• negotiating the final ESP tunnels.


During Phase 1, FortiGate uses the Diffie-Hellman method. Each peer generates a secret private value and derives from it a public value within the agreed Diffie-Hellman group; the peers exchange the public values, along with nonces (random numbers that ensure fresh keys every time). Each side then combines the peer's public value with its own private value, and both arrive at the same shared secret. This is crucial: even an attacker who captures the messages containing the public values cannot compute the shared secret. That is why the key exchange can take place before identities have been verified, for example before a user name, password, or FortiToken code has been exchanged. Note that Diffie-Hellman by itself does not authenticate anyone; an attacker able to sit in the path could run a separate exchange with each side. It is the subsequent authentication with the pre-shared key or certificate, inside the protected channel, that rules out that attack. The shared secret is then used to derive additional keys for symmetric encryption and integrity.


If your VPN must pass through a NAT device, as mentioned, ESP encryption prevents the NAT device from reading and remapping the port numbers inside. To solve this, Phase 1 was extended with NAT traversal, also called "NAT-T." When NAT-T is enabled on both ends, the peers can detect a NAT device along the path. If NAT is found, then:
• both the remaining Phase 1 packets and the Phase 2 packets move from UDP port 500 to UDP port 4500, and
• FortiGate and the client encapsulate ESP within UDP port 4500.
So if you have two FortiGates behind, for example, ISP modems that perform NAT, you will probably need to enable this setting.
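The fragment below is an added example, not from the original guide, and covers both the firewall pass-through question raised earlier and NAT-T: the Phase 1 settings on the VPN peers, the policy an intermediate FortiGate needs so IKE and ESP can pass, and the diagnostics that show whether NAT was detected. Interface names, the address object "vpn-gateway" and the tunnel name are assumptions; "IKE" and "ESP" are predefined FortiOS services.

```fortios
# Added example, not part of the original guide. Names are assumptions; verify
# syntax against the CLI reference for your build.

# On both VPN peers: enable NAT-T and send a NAT keepalive every 10 seconds so
# the NAT device's UDP 4500 mapping does not expire while the tunnel is idle.
config vpn ipsec phase1-interface
    edit "to-branch"
        set nattraversal enable
        set keepalive 10
    next
end

# On a FortiGate in the path: the predefined "IKE" service is UDP 500 and 4500,
# "ESP" is IP protocol 50. AH (protocol 51) is not needed for FortiGate tunnels.
config firewall policy
    edit 0
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "vpn-gateway"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
        set nat enable
    next
end

# Confirm what is actually on the wire. With NAT detected, IKE floats from UDP 500
# to UDP 4500 and ESP travels inside UDP 4500 rather than as protocol 50.
#   diagnose vpn ike gateway list
#       (the "nat:" line shows which side was detected behind NAT)
#   diagnose sniffer packet wan1 'udp port 500 or udp port 4500 or esp' 4
```

A useful symptom to remember: if the sniffer shows IKE completing on UDP 500 and then ESP (protocol 50) leaving but nothing returning, the device in the path is dropping protocol 50 and NAT-T is the fix, not the pre-shared key.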


Once details such as dead peer detection, NAT, and symmetric keys have been determined, your FortiGate is ready to establish the “real” SA: the IPsec SA, which defines the ESP channel that will be used to encapsulate and transmit data through the VPN. It does this via IKE Phase 2. There can be one tunnel for Phase 1, but two or more tunnels for Phase 2. Let’s see how.

Once Phase 1 has established a somewhat secure channel and private keys, Phase 2 begins. Phase 2 negotiates the security parameters for the IPsec SA, not to be confused with the IKE SA. It is this IPsec SA, not IKE, that ESP will use to transmit data between the LANs. IKE Phase 2 does not end once ESP begins: Phase 2 periodically renegotiates the cryptography, which maintains security. Also, if you enable Perfect Forward Secrecy, each time the Phase 2 session key expires, FortiGate uses Diffie-Hellman to recalculate a new common secret key. So even if the same encryption algorithms are selected each time, the ESP tunnel keeps changing to a different private key, making it much harder for an attacker to crack the tunnel. Each Phase 1 can have multiple Phase 2 entries. When would this happen? For example, you may want to use different encryption keys for each subnet whose traffic is crossing the tunnel. How does FortiGate select which Phase 2 to use? With the quick mode selectors. Additionally, most traffic is two-way, which means that there are usually two tunnels and two ESP SAs: one for each direction.

During Phase 2, we must configure a pair of settings called quick mode selectors. They identify traffic and direct it to the appropriate Phase 2 if there are multiple; in other words, they allow granular SAs. Selectors behave similarly to a firewall policy: VPN traffic must match the selectors in one of the Phase 2 SAs, and if it does not, the traffic is dropped. When configuring selectors, specify the source and destination IP subnets that will match each Phase 2. You can also specify the protocol number and the source and destination ports of the allowed traffic. In point-to-point VPNs, such as when connecting a branch office FortiGate to the headquarters FortiGate, both sides’ configurations must mirror each other. Quick mode selectors for dial-up VPNs are different, and the details are in the advanced IPsec lesson.
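
To make the selector behavior concrete, here is an added Python model (not FortiOS code, and not from this guide) of how quick mode selectors pick a Phase 2 entry: the first Phase 2 whose source subnet, destination subnet, protocol and ports all cover the packet wins, and a packet that matches none is dropped. The subnets, the two Phase 2 entries and the convention that 0 means “any” are assumptions for the example; `mirror()` shows what the peer’s matching configuration must look like.

```python
import ipaddress
from dataclasses import dataclass

ANY = 0  # assumption for this model: 0 in a selector field means "any" protocol or port


@dataclass(frozen=True)
class Phase2:
    name: str
    src_subnet: str
    dst_subnet: str
    protocol: int = ANY
    src_port: int = ANY
    dst_port: int = ANY


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0


def matches(sel: Phase2, pkt: Packet) -> bool:
    """Every selector field must cover the packet; ANY covers everything."""
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(sel.src_subnet):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(sel.dst_subnet):
        return False
    if sel.protocol != ANY and sel.protocol != pkt.protocol:
        return False
    if sel.src_port != ANY and sel.src_port != pkt.src_port:
        return False
    if sel.dst_port != ANY and sel.dst_port != pkt.dst_port:
        return False
    return True


def select_phase2(pkt: Packet, phase2s):
    """Return the name of the first Phase 2 whose selectors cover the packet, or
    None when nothing matches, in which case the IPsec engine drops the packet."""
    for sel in phase2s:
        if matches(sel, pkt):
            return sel.name
    return None


def mirror(sel: Phase2) -> Phase2:
    """The peer's Phase 2 must be the mirror image: source and destination swap."""
    return Phase2(sel.name, sel.dst_subnet, sel.src_subnet,
                  sel.protocol, sel.dst_port, sel.src_port)


# Constructed HQ-side entries: a dedicated SA for HTTPS (TCP/443) to the branch,
# then a general SA for everything else between the two LANs. Order matters:
# put the more specific selectors first, just as you would with firewall policies.
HQ_PHASE2 = [
    Phase2("Finance", "10.0.1.0/24", "10.0.2.0/24", protocol=6, dst_port=443),
    Phase2("General", "10.0.1.0/24", "10.0.2.0/24"),
]
# Leaving filtering to firewall policies instead: selectors of 0.0.0.0/0.
CATCH_ALL = [Phase2("All", "0.0.0.0/0", "0.0.0.0/0")]
# What the branch FortiGate must configure so that the two sides mirror each other.
BRANCH_PHASE2 = [mirror(sel) for sel in HQ_PHASE2]

if __name__ == "__main__":
    pkt = Packet("10.0.1.5", "10.0.2.8", 6, 51000, 443)
    print("HQ selects:", select_phase2(pkt, HQ_PHASE2))
    print("stray packet:", select_phase2(Packet("10.0.1.5", "10.0.3.8", 6), HQ_PHASE2))
```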

Once all settings are configured, each time that a host on your local LAN sends a packet where the destination is on the remote LAN, FortiGate should automatically bring up the VPN tunnel. It should remain available for some time, as long as the tunnel is being used.

If you need detailed control of your VPN, such as for IKE version 2, you can still configure it manually.

If you are configuring a custom VPN, you can still start from the wizard: click Custom VPN Tunnel (No Template). Configure the remote FortiGate’s WAN IP address, and indicate which network interface on this local FortiGate is the gateway that leads to it; FortiGate will use this interface to connect to the other end. If your peers use pre-shared keys for the initial (IKE) authentication, both peers must be configured with the same pre-shared key. For Phase 1, choose which encryption and authentication algorithms to propose, and so on. These should match, too. If the peers can’t agree on IKE security, even Phase 1 won’t be established. So if in doubt, make sure that the Phase 1 and Phase 2 settings on both FortiGates match.

You already identified the other FortiGate’s WAN IP (the “Remote Gateway”), so now also indicate your local FortiGate’s WAN IP. Remember: during IKE, each side must have some way to identify its peer so that it can label the IKE SA. Once Phase 1 completes, Phase 2 begins. This sets up the ESP tunnels that will be used for the actual data transfer. For each subnet on each end of the VPN, you can specify a different level of ESP security. For example, connections to the Finance LAN might need larger key sizes and stronger authentication. To do this, configure multiple Phase 2 entries. For simplicity, here we show only one Phase 2: the “Local Address” is our LAN, and the “Remote Address” is the remote LAN. Remember that if traffic doesn’t match an IPsec SA, the IPsec engine will drop the packet. Usually, it’s more intuitive to filter traffic with firewall policies, so if you don’t want to use SA filtering, you can simply set the quick mode selectors to 0.0.0.0/0.

If you used the wizard for everything, it created routes and policies suitable for a route-based VPN. But what if you, for example, have a FortiGate in transparent mode? First, remember that you must enable the GUI to show policy-based IPsec options. Configure your phases as before, then create a policy. When policy-based VPN settings are visible, an additional “Action” setting is available when you configure a policy: choose “IPsec,” then choose the policy-mode tunnel settings. If you enable “Allow traffic to be initiated from the remote site,” you only need to make one policy; it will govern both directions.

With a route-based VPN, the firewall policies are different:
• There are usually two policies, not one.
• The interface doesn’t match wan1; it matches the virtual interface, which in this example is named “HQ-to-Branch.”
The VPN wizard is the easiest way to make these. If you used it, you can skip this step. But if you want to set up a VPN manually, use these as examples.

In a route-based VPN, you need to route VPN traffic destined for the remote LAN to the IPsec interface. If you used the wizard, this route was created for you automatically. (In a policy-based VPN, traffic is routed to wan1 or another external interface instead. Since there is usually a default route, which routes all non-local packets towards the Internet, policy-based VPNs can usually skip this step.) To do this, you’ll usually add a static route.

In the GUI, there is a tool to monitor the status of your IPsec VPNs. Through this tool, you can see how much traffic has passed through each tunnel. You can also start and stop individual tunnels, and get additional details. If the tunnel is up, a green arrow appears next to its name. If it is down or not in use, a red arrow is displayed. For example, here, simply by looking at the “Remote Gateway” column, you can find a misconfiguration: the IP should be an interface on the remote FortiGate, not a subnet IP. So this tunnel is impossible to bring up.

This example shows 3 different VPN tunnels: Client_VPN, Home_VPN, and Office_VPN. The Phase 1 Office_VPN appears twice because it has two separate Phase 2 entries associated with the same Phase 1. The other VPNs have one Phase 2 per Phase 1. For each Phase 2, we can see the Phase 1 name, the remaining key lifetime, the status, and the quick mode selectors.

If your tunnel is not starting, it helps to know the expected behavior. This varies by type, and this slide outlines the steps. Depending on whether you are creating a route-based (interface-based) or a policy-based VPN, FortiGate uses a different mechanism. One common mistake is to configure a policy-based VPN but set the action to “ACCEPT”; this causes FortiGate to egress clear text packets, not encrypted ones. Another common mistake is to route egressing packets to the wrong port. Remember, route-based VPNs must egress through the virtual interface, not the WAN.
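
The two mistakes just described, together with the route and policy steps of the preceding slides, can be illustrated with a small model of FortiGate’s forwarding order: routing lookup first, then policy lookup. This is an added Python example, not FortiOS code and not from this guide; the interface names, subnets, routes and policies are constructed. In the route-based case, forgetting the static route lets the default route send LAN traffic out wan1, where the ordinary Internet policy accepts it in clear text; in the policy-based case, a policy whose action is ACCEPT rather than IPsec has the same effect.

```python
import ipaddress

IPSEC_INTERFACES = {"HQ-to-Branch"}   # virtual interfaces created by Phase 1

# Constructed HQ FortiGate: port2 = HQ LAN 10.0.1.0/24, wan1 = Internet uplink,
# HQ-to-Branch = IPsec virtual interface leading to the branch LAN 10.0.2.0/24.
ROUTES_OK = [
    ("10.0.1.0/24", "port2"),          # connected route
    ("0.0.0.0/0", "wan1"),             # default route to the Internet
    ("10.0.2.0/24", "HQ-to-Branch"),   # static route for the remote LAN
]
ROUTES_MISSING = ROUTES_OK[:2]         # the static route to the tunnel was forgotten

ROUTE_BASED_POLICIES = [
    {"srcintf": "port2", "dstintf": "HQ-to-Branch", "src": "10.0.1.0/24", "dst": "10.0.2.0/24", "action": "accept"},
    {"srcintf": "HQ-to-Branch", "dstintf": "port2", "src": "10.0.2.0/24", "dst": "10.0.1.0/24", "action": "accept"},
    {"srcintf": "port2", "dstintf": "wan1", "src": "10.0.1.0/24", "dst": "0.0.0.0/0", "action": "accept"},
]
# Policy-based variant: the VPN policy points at wan1 and its action selects the tunnel.
POLICY_BASED_OK = [
    {"srcintf": "port2", "dstintf": "wan1", "src": "10.0.1.0/24", "dst": "10.0.2.0/24", "action": "ipsec"},
    ROUTE_BASED_POLICIES[2],
]
POLICY_BASED_WRONG = [dict(POLICY_BASED_OK[0], action="accept"), ROUTE_BASED_POLICIES[2]]


def lookup_route(dst_ip, routes):
    """Longest-prefix match: the most specific route decides the egress interface."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def lookup_policy(srcintf, dstintf, src_ip, dst_ip, policies):
    """First matching policy wins; no match is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pol in policies:
        if (pol["srcintf"] == srcintf and pol["dstintf"] == dstintf
                and src in ipaddress.ip_network(pol["src"])
                and dst in ipaddress.ip_network(pol["dst"])):
            return pol
    return None


def forward(srcintf, src_ip, dst_ip, routes, policies):
    """Return (egress interface, treatment) for a packet arriving on srcintf."""
    egress = lookup_route(dst_ip, routes)
    if egress is None:
        return None, "dropped: no route"
    policy = lookup_policy(srcintf, egress, src_ip, dst_ip, policies)
    if policy is None:
        return egress, "dropped: implicit deny"
    if egress in IPSEC_INTERFACES or policy["action"] == "ipsec":
        return egress, "encrypted into the tunnel"
    return egress, "forwarded in clear text"


if __name__ == "__main__":
    for label, routes, policies in (("route-based, correct", ROUTES_OK, ROUTE_BASED_POLICIES),
                                    ("route-based, missing route", ROUTES_MISSING, ROUTE_BASED_POLICIES),
                                    ("policy-based, action ACCEPT", ROUTES_MISSING, POLICY_BASED_WRONG)):
        print(label, "->", forward("port2", "10.0.1.10", "10.0.2.20", routes, policies))
```

The clear-text case is the one worth checking for in practice: nothing is denied, the tunnel simply never sees the traffic, so the symptom is a “working” connection to the Internet uplink rather than an error.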

As with any feature, IPsec uses some system resources. Requirements vary with the number of VPNs. Strong cryptography involving large key sizes can increase resource usage noticeably. Many FortiGate models have specialized FortiASIC chips to increase IPsec cryptographic performance, so especially if you have many simultaneous tunnels, check that your configuration offloads cryptography to these chips where possible. In some cases, you may be able to offload incoming traffic to one ASIC and outgoing traffic to another. Details are in the hardware acceleration lesson.

To review, these are the topics we’ve talked about. We presented an overview of the IPsec technology, which includes Internet Key Exchange, phase 1, phase 2, Diffie-Hellman and Quick Mode Selectors. We also showed the difference between policy-based and route-based VPNs, and how to use the VPN monitor.

 Antivirus & Conserve Mode

In this lesson, we will show you how to use antivirus scanning on a FortiGate. Since antivirus scanning is one of the features that, depending on your configuration and chosen signature database, can use significant RAM, we will also show you how to resolve “conserve mode.”

After completing this lesson, you should have these practical skills. Not only will you be able to configure antivirus, but you should have a better understanding of how virus scanning works, along with knowledge of some tools to help you optimize memory usage on your FortiGate.

How old are viruses? In 1949, John von Neumann gave lectures at the University of Illinois about what he called “self-replicating automata.” On ARPANET, the precursor to the Internet, the first virus, named Creeper, was detected in 1971. Since then, malicious software has evolved into many types. Technically, although we often refer to all malware as viruses, not every piece of unwanted software behaves like a virus: malware is not always self-replicating, and sometimes users willingly install it. To include viruses, worms, Trojans, spyware and all others, we now use the term “malware.” Malware can be divided into 2 major types:
• viruses, which infect the computer and spread on their own (generally via an exploit), such as Flash ad banners whose binaries contain buffer overflow code, and
• grayware, which requires some kind of user interaction but convinces the user that the benefit outweighs the cost, such as browser toolbars that also track the user’s activity and insert their own ads into web pages.

Within the category of viruses, there are 2 important subtypes:
• Trojans, such as Zeus, which, like the literary Trojan horse, trick users into letting down their defenses and installing them, and then often use the network to spread via email or instant message.
• Worms, such as Conficker and Code Red, which spread by connecting to open ports on the network and exploiting misconfigurations or other vulnerabilities in those daemons.
A Trojan can infect the same host multiple times, but that happens when another copy arrives from an external source; the local copy of the software does not try to re-infect the computer. Are all viruses malicious? By definition, yes. But some white hat hackers and academics have written beneficial worm-like software: it spreads via the same exploits, but then cleans infections and/or patches the host. For example, Creeper was followed by Reaper, which removed Creeper from infected systems.

Regardless of how a virus spreads, once installed, a virus is in some way malicious. What makes it malicious? Its behavior. (This is one of the reasons, by the way, that security analysts use sandboxing such as FortiSandbox to discover new viruses. Looking at which C functions a virus contains, for example, cannot find all viruses; a forensics lab must see which functions actually execute, and what the effects are.) Most people are familiar with spyware, adware, and rootkits. Malware could also be:
• Ransomware, such as the CryptoLocker worm, which is fairly new. The software holds the computer hostage, often encrypting critical user data with a password or secret key, until the victim pays the extortionist.
• Key loggers, which record keystrokes and return them to a remote location, including administrator logins and the personal email addresses of executives.
• Mass mailers, which transform computers into open relay mail servers for the botnet, often managed via remote command and control, sending spam for hire. These are often operated by organized crime syndicates.

Just as viruses have evolved many vectors for spreading, they have also evolved many techniques for evading antivirus engines and manual analysis. Viruses can encrypt their payloads, or change the exact code. As a result, when comparing a signature to the binary sample, the two aren’t an exact, bit-by-bit match. So in order to detect the virus, the engine must be able to either match flexibly, or ignore the changeable parts of the code and match only on the polymorphic or metamorphic engine.

Now that you know some different ways that viruses spread and evade detection, what are some methods that FortiGate uses to find and block them?

At the host level, host-based antivirus software such as FortiClient helps. But host-based antivirus can’t be installed on routers. Guest Wi-Fi networks and ISP customers also might not have antivirus software installed. So how can you protect them? And how can you protect your own network from these botnets? The solution is to implement antivirus in your network security, on your FortiGate. Just as viruses have many ways of avoiding detection, FortiGate has many techniques that it can use to detect them. Let’s explain each method.

The first, fastest, simplest way to detect malware is if it exactly matches a signature. Grayware is not technically a virus; remember, it is often bundled with innocuous software, but it does have unwanted side effects, so it is categorized as malware. Often, grayware can be detected this way, with a simple FortiGuard Antivirus signature. But for the reasons we just described, viruses usually cannot be detected this way.

What is another way that FortiGate can use to detect viruses? It can look for attributes that viruses usually have; in other words, it can apply heuristics. Heuristics are based on probability, so they increase the possibility of false positives, but they can also detect zero-day viruses, that is, viruses that are new and unknown, for which no signature exists yet. That is the tradeoff. If your network is a frequent target for virus writers, enabling heuristics may be worth the performance cost, because it can help you to detect a virus before the outbreak begins. By default, when the antivirus scan’s heuristic engine detects a virus-like characteristic, it logs the file as “Suspicious” but does not block it. Suspicious files can be treated differently from a positive match with a virus or grayware signature: you can choose whether to block or allow suspicious files. When should you disable heuristic blocking vs. configure the antivirus scan to only log detections? Windows operating system updates often modify the registry. However, viruses often do this, too. So, for example, you might apply heuristic scans to Windows updates but only log the results, and block suspicious behavior in all other connections.

Remember, if the antivirus scan’s heuristic engine finds a suspicious file, it may not always be a virus. So you might want to configure a separate action for it, or a separate policy where heuristics is disabled for connections that you know will trigger false positives. To configure the action that FortiGate will take if the scan finds a suspicious file, use these CLI commands.

What if heuristics is too uncertain? What if you need a more sophisticated, more certain way to detect malware, and to find zero-day viruses? You can integrate your antivirus scans with FortiSandbox. For environments that require more iron-clad certainty, FortiSandbox executes the file within a protected environment, then examines the effects of the software to see if it is dangerous. For example, let’s say you have 2 files. Both alter the system registry, and are therefore suspicious. One is a driver installation – its behavior is normal – but the second file installs a virus that connects to a botnet command and control server. Sandboxing would reveal the difference. Then, you can submit a sample of the new virus to FortiGuard security researchers, and quickly receive and deploy a FortiGuard Antivirus or IPS update to defend your network against this new threat.

In order for FortiGate to sandbox files, it must be able to send them to either a FortiSandbox device or a FortiCloud sandboxing account. What is the primary difference between the two? FortiCloud has limits imposed on the amount of data that can be transmitted. Each account has a quota. FortiSandbox limitations vary by the model’s capabilities. On FortiSandbox, you also must configure it to accept input from your FortiGate or FortiMail.

Whether you use FortiSandbox to discover new viruses, or one is discovered by your own security team, the next step is to develop a signature to detect it so that your FortiGates can begin to block it. New viruses can be submitted to FortiGuard’s security research team manually or automatically, via FortiSandbox or FortiCloud Sandbox. If you want to submit a new virus manually, go to the FortiGuard web site. Upload the file for scanning. If the virus does not currently exist in any of the FortiGuard Antivirus databases, the web site will report it as being “clean”. You will then have the option to submit the sample to FortiGuard analysts. They will develop a signature for it, as well as engine modifications (if necessary), and this will be in the next update that your FortiGate and FortiMail devices download from FortiGuard. In addition to protecting your own network, this obviously also helps to ensure that others’ networks won’t be infected either. By being part of a united security community, you can help to stop botnets from growing into large threats. This has benefits for you, and not just your neighbors. If your neighbors aren’t infected, your network won’t need to spend as much CPU, RAM, and bandwidth on fighting spam, worms, DDoS attacks, and other threats.

Now that we’ve discussed the types of scans, let’s talk about the engines that use them. They don’t behave the same way. FortiGate has traditional proxies, which break each session into discrete protocol states that they analyze, but it can also analyze traffic as a more continuous packet flow. Let’s discuss how to choose between those two types of engine.

One of the factors when choosing an antivirus engine is speed. Software that is installed on endpoints, such as FortiClient, can usually schedule scans for later, pause the current scan, or scan only with spare CPU cycles when the computer is idle. In other words, time is not a factor. But on a network device, this is not possible: FortiGate must scan quickly to avoid a session or connection timeout. FortiGate allows up to 30 seconds for a scan to complete. If it takes longer than that, a process called a “watchdog” terminates the scan and allows the traffic to pass. FortiGate also creates an event log saying that scanunit “crashed” with a Signal 14. It’s not a real crash, and not exactly abnormal behavior, but the scan was terminated before completing; from the software’s perspective that is technically a crash, so the event log records it as one. As you can see, speed is an important factor in network antivirus scans. With that in mind, let’s consider the two engines.

Depending on the protocol, FortiGate may be able to use either:
• an implicit proxy, or
• an explicit proxy, that is, a proxy that clients must indicate they want to use.
Usually, you’ll use an implicit proxy. Clients connect through the proxy, not to it. As long as traffic is routed through FortiGate, the proxy transparently intercepts that traffic, without any client configuration. Each proxy parses that protocol’s commands. Traffic usually must arrive on the expected port, and conform to the specification. (A proxy cannot scan a protocol that it does not listen for, or does not understand.) For example, in an SMTP session, an SMTP proxy knows each valid stage: the client uses the MAIL FROM: command to specify the sender, RCPT TO: for the recipient, DATA for the message, etc. When scanning for viruses, the SMTP proxy recognizes the DATA command, which is the part that may contain a virus payload, before it passes that data to a scanunitd child process. Especially for larger files, this can add noticeable latency: FortiGate must buffer the entire file (or wait until the oversize limit is reached) before scanning. So if your file limit is large, consider the Comfort Clients setting. While buffering the file, the proxy slowly retransmits some data until it can complete the buffer and finish the scan. This prevents a connection or session timeout. What’s the disadvantage? Very small viruses in the first bytes could infect the client before the scan result is available. Disable client comforting if very high security is required.

What is another way to reduce latency? Use the flow-based engine instead. It doesn’t analyze sessions in discrete protocol stages. The flow-based engine scans the packets as a continuous stream, looking for viral payloads regardless of surrounding protocol details. Depending on your model, some flow-based operations may be performed by a specialized FortiASIC chip, further improving performance. But flow-based scans can’t support all features that proxy-based scans can. The flow-based engine doesn’t operate according to the rules of the protocol. This means that even if the scan later detects a virus, the flow-based engine may have already forwarded packets where it should have inserted a block message. So the client may think it is a network error, and try again. Also, much like a proxy with client comforting enabled, the flow-based engine forwards packets at the same time as scanning the payload. The result? The client may already have received most of a virus by the time that the scan drops the connection. Like with client comforting, if your environment requires very high security, you may want to avoid this option. Regardless of which engine you use, the scan techniques will give similar detection rates. How can you choose between the scan engines? If performance is your top priority, then flow-based is more appropriate. If security is your priority, proxy-based – with client comforting disabled – is more appropriate.

Both engines buffer up to your specified file size limit. The default is 10 MB. It’s large enough for most files except movies. If your FortiGate model has more RAM, though, you may be able to increase this threshold. Without a limit, very large files could exhaust scan memory. So this threshold balances risk vs. performance. Is this tradeoff unique to FortiGate, or to a specific model? No. Regardless of vendor or model, you must make a choice. This is due to the difference between scans in theory, that have no limits, and scans on real-world devices that have finite RAM. In order to detect 100% of malware regardless of file size, a firewall would need infinitely large RAM – something that no device has in the real world. Most viruses are very small. So percentage-wise – unless many viruses are Trojans appended to the very end of a large file – changing this value doesn’t impact security very much. This table shows a typical tradeoff. You can see that even with a 5 MB threshold, only 0.14% of spyware passes through. But after billions of packets, several hosts may require disinfection.

So what is the recommended buffer limit? It varies by model and configuration. Adjust “oversize” for your unique network for optimal performance. A smaller buffer minimizes proxy latency and (for both engines) RAM usage, but it may allow viruses to pass through undetected. With a buffer that’s too large, clients may notice transmission timeouts. Balance the two. If you aren’t sure how large a buffer you need, temporarily enable “oversize-log” to see whether oversized files are frequent, and whether the large files are important to allow. Files that are too large for the maximum buffer size cannot be completely scanned, and the default is to allow them to pass. This is because large files are often harmless, and many networks have antivirus software installed on endpoints, so this minimizes unnecessary help desk calls. But if you require a very secure environment, or if your endpoints have no antivirus software, you can change this setting, on a per-protocol basis, so that FortiGate blocks oversized files. If oversized files are blocked, then your endpoints are safe, and you won’t need the logs about oversized files for forensics. So you may be able to improve performance slightly by disabling “oversize-log.”

Relatedly, large files are often compressed. From the scan’s perspective, this is light encryption. It won’t match signatures. So FortiGate must decompress the file in order to scan it. When decompressing, FortiGate must first identify the compression algorithm. Some archive types can be correctly identified using only the header. Also, FortiGate must check whether the file is password-protected. If the archive is protected with a password, FortiGate can’t decompress it, and therefore can’t scan it. FortiGate then decompresses files into RAM. Just like other large files, this buffer has a maximum size: “uncompress-oversize-limit”. Increasing this limit may decrease performance, but allows you to scan larger compressed files. If an archive is nested – for example, if an attacker is trying to circumvent your scans by putting a ZIP file inside the ZIP file – FortiGate will try to undo all layers of compression. By default, FortiGate will attempt to uncompress and scan up to 12 layers deep, but you can configure it to scan up to 100 layers deep. Often, you shouldn’t increase this setting, though. It increases RAM usage, and if a file is repeatedly compressed more than 12 times, it is almost always a virus anyway.

Let’s review briefly. If the buffer is full, the antivirus scan has a simple behavior. FortiGate will, depending on your setting, either block or pass the file. Since FortiGate doesn’t have the entire file, it would be impossible to determine whether or not the file contains a virus.

If the file has been completely transmitted – that is, FortiGate reaches the byte that marks the end of the file (EoF) – then FortiGate decompresses the file (if applicable) and uses these scans, in this order. The virus scan is first, because the results have high certainty and the computations are fast. Heuristics, which are less certain, are applied last.

If you consider all of the settings together, this is the complete decision tree that FortiGate uses for antivirus scans.
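
The decision tree summarized on this slide, together with the buffer limit, password-protected and nested archives, scan order and heuristic action described in the preceding slides, can be modelled as one short Python function. This is an added example rather than the FortiGate scan engine, and not from this guide: the signature, the heuristic marker, the default values and the `ScanPolicy` field names are assumptions, and `mark_encrypted()` fakes a password-protected ZIP because Python’s zipfile module cannot write one. Archives are opened with the standard zipfile module down to the configured nesting depth.

```python
import io
import zipfile
from dataclasses import dataclass

# Constructed signature and heuristic marker; real FortiGuard signatures are
# opaque and far more sophisticated than a substring match.
SIGNATURES = {b"CONSTRUCTED-VIRUS-SIGNATURE-001": "W32/Constructed.A"}
HEURISTIC_MARKERS = [b"CONSTRUCTED-SUSPICIOUS-MARKER"]


@dataclass
class ScanPolicy:
    oversize_limit: int = 10 * 1024 * 1024      # scan buffer limit (10 MB default in the text)
    uncompressed_oversize_limit: int = 10 * 1024 * 1024
    nest_limit: int = 12                        # archive layers to unpack (12 default in the text)
    block_oversize: bool = False                # default: pass files the buffer cannot hold
    block_encrypted_archive: bool = False       # default: pass archives that cannot be opened
    block_nest_overflow: bool = False           # default: pass archives nested too deeply
    heuristic_mode: str = "pass"                # "pass" (log only), "block", or "disable"


def scan(data: bytes, policy: ScanPolicy, depth: int = 0):
    """Return (action, reason) in the order the text describes: buffer limit first,
    then decompression limits, then the signature scan, then heuristics last."""
    if len(data) > policy.oversize_limit:
        return ("block" if policy.block_oversize else "pass", "oversize")
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= policy.nest_limit:
            return ("block" if policy.block_nest_overflow else "pass", "nest-limit")
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.flag_bits & 0x1:      # general-purpose bit 0: entry is encrypted
                    return ("block" if policy.block_encrypted_archive else "pass", "encrypted-archive")
                if member.file_size > policy.uncompressed_oversize_limit:
                    return ("block" if policy.block_oversize else "pass", "uncompressed-oversize")
                action, reason = scan(archive.read(member), policy, depth + 1)
                if reason != "clean":
                    return action, reason
        return ("pass", "clean")
    for signature, name in SIGNATURES.items():   # exact match: fast and certain
        if signature in data:
            return ("block", "virus:" + name)
    if policy.heuristic_mode != "disable" and any(m in data for m in HEURISTIC_MARKERS):
        return ("block" if policy.heuristic_mode == "block" else "pass", "suspicious")
    return ("pass", "clean")


def make_zip(name: str, content: bytes) -> bytes:
    """Build a one-member DEFLATE archive in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(name, content)
    return buf.getvalue()


def nest(content: bytes, layers: int) -> bytes:
    """Wrap content in `layers` archives: a ZIP inside a ZIP inside a ZIP ..."""
    for i in range(layers):
        content = make_zip("payload.bin" if i == 0 else f"layer{i}.zip", content)
    return content


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed fixture: set the 'encrypted' flag bit in the local file header
    (offset 6) and the central directory header (offset 8) of a one-member archive."""
    buf = bytearray(zip_bytes)
    buf[buf.find(b"PK\x03\x04") + 6] |= 0x01
    buf[buf.rfind(b"PK\x01\x02") + 8] |= 0x01
    return bytes(buf)


if __name__ == "__main__":
    sample = b"header CONSTRUCTED-VIRUS-SIGNATURE-001 trailer"
    for label, blob in (("plain", sample), ("12 layers", nest(sample, 12)),
                        ("13 layers", nest(sample, 13)),
                        ("password-protected", mark_encrypted(make_zip("doc.txt", sample)))):
        print(f"{label:20s}", scan(blob, ScanPolicy()))
```

Running it shows the point of the slide: the same infected payload is caught at 12 layers of compression but passes untouched at 13, and a password-protected archive passes unscanned, unless the corresponding block options are turned on.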

When an attacker releases a new virus into the wild, like with all antivirus software, your FortiGate must be updated with a matching signature so that it can detect it. Most organizations don’t have the personnel to dedicate to writing antivirus signatures, 24 hours a day, 7 days a week. Even if you do, it is usually beneficial to share security knowledge and workload. A FortiGuard Antivirus service contract provides your FortiGate with access to the latest signatures and detection engines from Fortinet’s security research team.

You can update your FortiGate’s antivirus signatures and engines via either push, pull, or both methods. (If temporary packet loss, for example, interferes with the push method, also enabling pull as a backup method helps to ensure that your FortiGate will not miss any updates.) Regardless of which method you select, virus scanning must be enabled in at least one firewall policy. Otherwise, FortiGate will not download any updates. Alternatively, you can download packages from the Fortinet Technical Support web site, and then manually upload them to your FortiGate.

“diagnose autoupdate status” shows your automatic update options, just like System > Config > FortiGuard does on the GUI.

It’s worth noting that there is an additional feature to the FortiGuard Antivirus service: when FortiGate detects connections of infected computers to a botnet’s command and control servers – sometimes this is an IRC channel, or sometimes this is a darknet web server – FortiGate can block those connections. The setting is in the antivirus profile. The FortiGuard security research team compiles and maintains a list of known botnet command and control server IP addresses. FortiGate downloads this via FortiGuard Antivirus and IPS updates.

Multiple FortiGuard Antivirus databases exist. Support varies by FortiGate model. All FortiGate devices have the “regular” database, which only contains signatures for viruses that are “in the wild,” that is, viruses detected in recent months or submitted by Fortinet users and partners. It is the smallest database, and therefore results in the fastest scans, but it does not detect all known viruses. Some models support the “extended” database, which also detects viruses that have not been detected for some time; vulnerable platforms are still common, and these viruses could become an issue later due to portable hard disks, periodic connectivity, and other reasons. The most powerful models and FortiClient support the “extreme” database. It is intended for high security environments, and detects all known viruses, including those for legacy operating systems such as DOS, Windows 3.x, Windows 95, Windows 98, and so on.

Via the CLI, you can choose which database your FortiGate will use.

Once you have chosen an antivirus database, in order to use antivirus scans, you’ll also need to configure an antivirus profile. These profiles contain settings for the inspection mode (that is, the proxy or flow-based engines), and define what FortiGate should do if it detects an infected file. Proxy options also specify the proxies’ listening port numbers for various unencrypted protocols. You can scan HTTP, for example, even if the connection doesn’t occur on the IANA standard TCP port 80. But what about encrypted protocols? Encryption is a popular method for attackers to circumvent security. So as you would expect, FortiGate can scan encrypted protocols. But that isn’t configured here.

For secure protocols (HTTPS, FTPS, etc.), the proxies are configured in a different profile type: the so-called SSL inspection profiles. Encrypted protocols can be inspected to a greater or lesser extent, depending on what you select. ‘SSL Certificate inspection’ only validates certificate information, such as the issuing CA. This type cannot inspect the contents of the traffic, which are inside the encrypted payload. ‘Full SSL Inspection’ validates the certificate, but also decrypts the payloads for antivirus scanning. Because this method uses an authorized man-in-the-middle (MITM) attack, clients will detect the inspection. Users may need to either override the SSL validation failure, or install your CA certificate. Certificate-based inspection is described in detail in another lesson.

Virus scanning statistics can be found on the FortiGate dashboard, in the “Advanced Threat Protection Statistics” widget. If your FortiGate is submitting files for sandboxing, then it keeps statistics about the number of files submitted, and the results of those scans. These statistics are separate from those for files that are scanned locally on the FortiGate.

When the antivirus scan detects a virus, by default, it creates a log about what virus was detected, and by which method. It also provides a link to more information on the FortiGuard web site.

If the antivirus logs are empty, this doesn’t mean your network has no outbreak. Earlier, we showed how to pass a file if it is too large for the scan buffers, is password-encrypted, or has too many layers of nested compression. Logging can be disabled for those. We also explained the flow-based engine, and client comforting by the proxy-based engine. Even if FortiGate detected a virus and reset the connection, some or all of the virus could have been transmitted before then. And when choosing an antivirus database, we said that if you trade some security for better performance, some viruses may pass through. We also explained zero-day exploits. If any of that happens, how can you submit a sample of a suspected virus, or get information on how to disinfect those hosts? Visit the FortiGuard web site, http://www.fortiguard.com. In the example here, this antivirus signature is only in the “extended” database for FortiClient. What does this mean? Unless you have a FortiGate model that can use the “extreme” database, and you have enabled it, your firewall would not have been able to detect that specific virus. If you have vulnerable Android hosts, and FortiClient was installed, they would have been safe. But if they were not protected, you would need to apply the recommended action to disinfect them.

If your antivirus scans are not functioning as you expect, where should you begin troubleshooting? Verify that FortiGuard updates are enabled, and that you have selected antivirus profiles in your firewall policies. Updates won’t occur if there is no firewall policy that uses them, and antivirus scans won’t occur unless a firewall policy applies them. If automatic updates are enabled, the next thing to examine is whether those scheduled update requests are succeeding. For that, use the command “diagnose autoupdate version”. It shows details about the antivirus engine and databases, IPS engine and definitions, geography-to-IP mappings database, and other features. It also shows your FortiGuard contract status – FortiGate won’t be able to download updates if it’s not authorized – and when the last update was attempted, and succeeded.

Both manual and automatic updates to FortiGuard packages trigger FortiGate to check if the version is newer. If the version available is equal to or less than the version installed, then to prevent accidental downgrades, it will not apply the update. To turn off the version check, you can use this command with the “enable” flag. If a specific signature is causing false positives, you can use this command to temporarily disable the version check, and revert the database. After you have resolved the issue with Fortinet Technical Support, make sure to run this command again but with the “disable” flag instead.

If your FortiGate’s RAM usage is high, the next thing to examine is the event log. Look for messages about “conserve mode.” Conserve mode occurs when FortiGate does not have enough RAM available to properly handle traffic. UTM such as antivirus does not need to be enabled for conserve mode to occur, but UTM inspection does increase memory usage beyond that of simple firewall policies. In other words, conserve mode is more likely when antivirus or IPS is enabled. You can determine whether antivirus is using much of the memory by running the command “diagnose sys top”. There are a few categories of RAM conservation. Let’s show the difference.

Kernel conservation mode is when FortiOS specifically does not have enough memory available. There’s no single cause, but it could be processes simultaneously opening too many files, too much information on the stack, etc. System conservation mode indicates a lack of RAM for processes and daemons such as miglogd. The threshold is whenever the overall memory usage reaches about 80%. Once triggered, FortiGate will not exit this mode until memory has dropped by 10% to approximately 70%. Proxy conservation mode is when the transparent UTM proxy runs out of available sockets. The maximum number of proxied connections varies by model. In kernel conservation, the behavior is not configurable. It is a critical lack of RAM. But behavior for system and proxy RAM conservation is configurable. Let’s see the settings that you can use.

‘av-failopen’ is the CLI setting that controls FortiGate’s behavior while it is in system conserve mode. Depending on your configuration and traffic types, each option may be more or less effective at freeing RAM.

If ‘av-failopen-session’ is enabled, then FortiGate will act according to the ‘av-failopen’ setting. Otherwise, by default, it will block new sessions until RAM becomes available.

During kernel conservation mode, FortiGate attempts to reclaim memory that is not in use. In an operating system, when a process releases memory, it is not immediately reclaimed. There is a “garbage collector” memory daemon that periodically finds unused pointers. As part of this process, FortiGate drops any sessions that the proxy considers idle. While FortiGate is in this type of conserve mode, all new sessions will pass through the FortiGate without any UTM inspection, because the operating system does not have enough memory to do so.

Because logging itself requires some RAM, log messages may not always appear immediately, depending on the type of conserve mode. Kernel conserve mode in particular may not appear in the logs. Creating a log entry takes up memory. While in conserve mode, your FortiGate’s operating system is doing everything possible to prevent RAM usage from increasing. Trying to create a log entry while conserve mode is active would be counterproductive. If your FortiGate is in one of the three conserve modes, how can you correct it?

This shows the shared memory diagnostic. It indicates what type of conserve mode (if any) your FortiGate is in. It also provides a quick summary of how much shared memory is being used on your FortiGate. The antivirus database is one of the things on your FortiGate that uses shared memory, so if this is very high, you can try to solve the problem by switching from the “extended” signature database to the “regular” database, for example. Notice that this command doesn’t show kernel conserve mode, however. How can you determine how much kernel memory is used?

‘diagnose firewall iprope state’ has a section right at the beginning with an entry for ‘av_break’. Normally, the ‘av_break’ option will be ‘pass/off’. But if FortiGate is currently in kernel conserve mode, this command will show ‘av_break=pass/pass’. If this is very common, and you’ve checked your configuration, you may need to examine the traffic levels and protocol types. Your network may have grown or changed in important ways, and need a more powerful model capable of supporting the added or changed traffic. Much of the other output of this command is dictated by the settings for ‘av-failopen’ and ‘av-failopen-session’ and will change based on the configured options.

To review what we discussed, here is a list. We showed:
• Some different malware terminology and what it means
• The different types of scanning that can be enabled on a FortiGate
• Sandboxing and how it can be used
• Blocking botnet connections
• The difference between proxy-based and flow-based virus scanning
• The different antivirus databases
• The behavior with oversized files
• The order of operations within the virus scanning engine
• How to handle an undetected piece of malware
• Some details about virus scanning of encrypted traffic
• How to read virus detection logs
• What conserve mode is
• Some of the memory diagnostics that are available on a FortiGate

Explicit Proxy

In this lesson, we will show you how your web browsers can use FortiGate as an explicit proxy.

After completing this lesson, you should have these practical skills. You will learn how to configure both FortiGate and the web browsers that will use it as an explicit proxy. Since you can alternatively use an implicit proxy, we will also explain why in some cases you might want an explicit proxy instead.

A proxy receives or intercepts requests from a client to a server. If allowed, and if no cache is available, it forwards the request to the server on behalf of the client. Two sessions are created: one from the client to the proxy, and another one from the proxy to the server. How is this different from an implicit proxy, sometimes called a transparent proxy?

An implicit proxy server does not require any configuration change on the clients. Clients continue to use the web just like they would without a proxy. Clients send requests to the web server’s IP address and port number. The proxy intercepts the client’s requests transparently – that is, at the IP layer, the destination address doesn’t change. Does this mean that implicit proxies don’t require any configuration changes, anywhere? Not necessarily. Usually, both incoming and outgoing traffic is routed through FortiGate. As a result, web browsing is already being routed through FortiGate, where it can be intercepted by the transparent proxy. But if clients’ traffic isn’t currently routed through FortiGate, then you must reconfigure routing so that the packets will be routed through FortiGate, where the implicit proxy can intercept.

How is an explicit proxy different? With explicit proxy servers, you must configure clients to send their requests to the proxy’s IP address, not to the web site’s servers. But because clients are specifically sending web traffic to your FortiGate, you shouldn’t need to reconfigure any routers. Configuration methods vary by web browser or other HTTP client.

How do you configure users’ web browsers to use an explicit web proxy? In large networks, you won’t configure the browser settings individually, on each computer; instead, for example, you may use an Active Directory login script or roaming profile. Alternatively, you can configure browsers to use an explicit proxy by installing a PAC file, or by using the Web Proxy Auto-Discovery protocol (WPAD). Let’s look at each.

With manual configuration, you must provide one proxy’s FQDN or IP address. It is limited to only one proxy. If you want to exempt specific IP addresses, subnets and FQDNs from using the proxy, you can add them to a list. For those destinations, the browser will send requests directly to the web servers.

The second possible method is a standard explicit auto-configuration file, called a PAC file. A PAC file contains instructions that tell the browser when to use a proxy, and which proxy to use, depending on the destination. This method supports use of multiple proxy servers. To deploy the PAC file, first you must install it on an HTTP server that the clients can reach. (Your FortiGate can act as the HTTP server for the PAC file.) Then you must configure all browsers with the PAC file’s URL. Again, in larger networks, you usually won’t do this individually; instead, you will use your domain to define the PAC file’s URL.

What does a PAC file contain? A PAC file is a small JavaScript program. When the browser runs it, the script determines whether the request will be proxied, and what the addresses should be in the packets, including in the URL and the “Host:” header at Layer 7 (HTTP). In this example:
• The PAC file allows any connection to example.com to bypass the proxy.
• Connections to servers in the 10.0.0.0/24 subnet use the proxy named fastproxy.example.com, whose FQDN is resolved to an IP address by a DNS query at the time of the request, so it could be different for clients on the private vs. public network.
• All other requests are made through proxy.example.com.
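
The policy described in those three bullets, written out as a PAC file. This is an added example, not a file from the Fortinet guide. The shims for dnsResolve, dnsDomainIs and isInNet, the name-to-address table, the proxyFor() wrapper and the proxy port 8080 are assumptions constructed so the file can be tested offline; in deployment the browser supplies the real built-ins.

```javascript
// Added example (not from the Fortinet guide): the PAC logic described above,
// plus offline shims for the helper functions a browser normally provides,
// so the policy can be unit-tested without a browser. The proxy port (8080)
// and the name-to-address table below are constructed assumptions.

// --- Shims standing in for the browser's PAC built-ins ---
// Constructed name-to-address table used instead of a real DNS lookup.
const FAKE_DNS = {
  "www.example.com": "203.0.113.10",    // documentation range, constructed
  "files.corp.internal": "10.0.0.40",   // private server, constructed
  "www.example.org": "198.51.100.7",    // documentation range, constructed
};

function dnsResolve(host) {
  // A dotted-quad literal resolves to itself.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;
  return FAKE_DNS[host] || null;
}

function dnsDomainIs(host, domain) {
  // True when host ends with domain (PAC convention: domain starts with '.').
  return host.length >= domain.length && host.endsWith(domain);
}

function ipToInt(ip) {
  // Multiply rather than shift so the result stays a positive number.
  return ip.split(".").reduce((acc, octet) => acc * 256 + (parseInt(octet, 10) & 255), 0);
}

function isInNet(host, pattern, mask) {
  // In a real browser this triggers a DNS lookup for every request that
  // reaches it, which is one reason the cheap bypass rule is checked first.
  const ip = dnsResolve(host);
  if (ip === null) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

// --- The PAC file body (this is what you would host for browsers to fetch) ---
function FindProxyForURL(url, host) {
  // 1. Any connection to example.com or one of its subdomains bypasses the proxy.
  if (host === "example.com" || dnsDomainIs(host, ".example.com")) {
    return "DIRECT";
  }
  // 2. Servers in 10.0.0.0/24 use fastproxy.example.com. The browser resolves
  //    that name at request time, so clients on the private and public
  //    networks may end up at different proxy addresses.
  if (isInNet(host, "10.0.0.0", "255.255.255.0")) {
    return "PROXY fastproxy.example.com:8080";
  }
  // 3. Everything else goes through proxy.example.com.
  return "PROXY proxy.example.com:8080";
}

// Convenience wrapper (assumption, not part of the PAC format): extract the
// host from a URL the way a browser does before calling FindProxyForURL.
function proxyFor(urlString) {
  const host = new URL(urlString).hostname;
  return FindProxyForURL(urlString, host);
}
```

Checking a PAC file this way before publishing it matters because a logic error silently sends traffic DIRECT or to the wrong proxy, with no warning to the user.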

Browsers can automatically discover the URL where the PAC file is located via the Web Proxy Auto-Discovery (WPAD) protocol. There are two methods you can use to do this. One is to use a DNS server; the other is to use a DHCP server. Most browsers try the DHCP method first. If it fails, they try the DNS method.

With the DHCP method, the browser sends a DHCPINFORM request to the DHCP server. The DHCP server replies with the PAC file’s URL. The browser then downloads the PAC file.

The DNS method is very similar; the differences are in the required PAC URL. First, the browser queries the DNS server to resolve the FQDN wpad.. The DNS server replies with the IP address of the web server (in this case, a FortiGate) where the browser can download the PAC file. This method always uses TCP port 80 and the PAC file name wpad.dat. The browser downloads the PAC file, then accesses the web through the proxies indicated in the PAC file.

Usually, you will enable the proxy to cache responses from web servers. A web cache stores responses from web servers so that the next time a client requests the same thing, FortiGate can quickly send the cached content, instead of forwarding the request and waiting for the response. This reduces WAN bandwidth usage, server load, and delay. We will review how web caching works in the next slides.

If you’ve enabled caching, when the client makes a request, the proxy first checks whether the URL that the client requested is already in memory. If it is not, the proxy forwards the request to the server. When the server responds, FortiGate stores the response in memory, that is, it adds the content to its cache. The proxy also forwards a copy of the content to the client.

If any client using FortiGate’s proxy requests the exact same URL, FortiGate recognizes it and immediately forwards a copy of that content from the cache to the client. Unless the content on the server has changed, the proxy does not need to request the content from the server again, so from the client’s perspective, each response after the initial request is faster. Notice that because dynamic URLs are not exactly the same, and their content may be personalized for each client, dynamic URLs are usually not cached.

Given that the cache consumes system resources, do you want all users to be able to use it? You can configure FortiGate’s HTTP proxy to allow access only to authenticated users that belong to specific user groups. Authentication can be based on either the source IP address or HTTP session cookies. How should you decide which to use? IP-based authentication requires less RAM to remember the authenticated sessions. However, it should only be used when each user has a different IP address from the perspective of the source address in the IP header. If your users are behind source NAT, such as with a remote office that uses Internet sharing, use HTTP session-based authentication instead. In this mode, each browser inserts an HTTP cookie in its requests. The cookie identifies the user’s sessions. This method requires slightly more RAM because FortiGate must remember all session cookies. However, it can even differentiate the same person using multiple accounts in multiple tabs or multiple browsers.

What does the traffic flow look like when a user authenticates with the explicit proxy, using HTTP session-based authentication? If a user connects and the request doesn’t have any associated authentication session, first FortiGate replies to the browser, requesting login credentials. The browser prompts the user to authenticate, and remembers the authenticated state by storing a cookie. If the same user makes more requests later, the browser automatically sends the same cookie again. FortiGate identifies the user via a lookup in its table of current session cookies, so the user does not need to authenticate for every request – only the first time.

These are the steps for configuring a FortiGate as an explicit web proxy. We will show the details of each step next.

By default, the explicit web proxy settings are hidden in the GUI. To show them, in the dashboard’s Features widget, enable explicit proxy.

Once explicit proxy settings are visible in the GUI, you can enable and configure them. You can configure the TCP port where the proxy is listening, edit and upload the PAC file, and choose the default action that FortiGate will take if there is any traffic that doesn’t match a proxy policy. We will talk about the proxy policies later.

After enabling the explicit web proxy globally, you must specify on which interfaces the proxy will listen for connections.

The next step is to create explicit proxy policies to specify which traffic and users are allowed to use the proxy. Starting from FortiOS 5.2, policies for the explicit proxy are configured in a different configuration section than the regular firewall policies. Proxy traffic can be inspected: antivirus, web filtering, application control and IPS inspection can all be applied. Additionally, the use of web caching can be enabled or disabled per policy. When proxy traffic matches a proxy policy, FortiGate takes one of three possible actions: accept the traffic, deny it, or request authentication before accepting it.

If you select authentication as the action, you will be presented with the option to add authentication rules. These rules specify which users and user groups are allowed, and what kind of inspection is applied to each of them.

Authentication for the explicit proxy behaves differently than it usually does for firewall policies. With the explicit proxy, FortiGate will not “fall through” to try the next authentication rule. FortiGate always applies the first policy that matches all criteria: the source IP address, the destination IP address, and the outgoing interface. It doesn’t evaluate any policy after the first match, even if the user failed to authenticate with the first rule. Let’s look at an example next.

In this example, the first proxy policy matches traffic from 10.0.1.0/24. It only allows the user named Student. The second policy allows traffic – without authentication – only if the source address matches 10.0.0.0/8. With this configuration, if traffic arrives from the 10.0.1.0/24 subnet, and that user has not authenticated yet, then FortiGate prompts the user to authenticate. Traffic from that source IP address always matches the first policy, and FortiGate does not continue to evaluate other policies in the list after it finds a match. So FortiGate never applies the second policy for that subnet – only for the rest of 10.0.0.0/8.

In the CLI, if you disable the setting “strict-guest”, then all users that do not belong to any user group in the proxy policy will be treated as if they belong to a group named “SSO_guest_user”. In this way, you can control their access even if the users cannot authenticate.

As with firewall policies, when creating proxy policies, you use firewall address objects to specify the source and destination. With HTTP, the destination may appear in both the IP header’s destination field and the HTTP “Host:” header. They aren’t always the same. Usually, the “Host:” header is an FQDN, possibly indicating an Apache virtual host; it is not usually an IP address. But at the IP layer, the destination field always contains an IP address. So if you are matching by using the “IP Range” object, keep in mind which layer you are matching, and the effects of NAT at both layers. Are IP addresses and domain names the only ways to match traffic with a proxy rule? No. One type of firewall address object can only be used in proxy policies: the URL pattern object type. The proxy can match policies based on the requested URL (not only the destination IP address). URL address objects are used for that purpose.

In this example of the use of a URL address object, the first proxy policy allows unrestricted access to the URL update.microsoft.com. No authentication is required. All other traffic matches the second policy, which enforces authentication when accessing any other URL.

If you are using the WPAD DNS method to configure the browser, you may need to edit the PAC file to indicate the file name and listening port number. As we explained before, the DNS method always assumes that the PAC file is located at: http://:80/wpad.dat So if your clients use the DNS method, you must configure FortiGate to offer the PAC file named wpad.dat, and to listen for requests for it on port 80.

Also, you must check that the Local Domain Name setting is properly configured. This indicates which requests FortiGate will reply to: FortiGate only replies if the HTTP “Host:” header in the clients’ requests for the WPAD file matches FortiGate’s own.

Once the web proxy is working, you can monitor which users are connected to it, that is, the proxy’s session table. You can do this from the GUI, or from the CLI by using the command:
diagnose wad user list
You can also remove all entries from the list of users that are currently authenticated with the proxy.

Here is a review of what we discussed. We reviewed some explicit web proxy concepts. We also showed how to configure and monitor a FortiGate that is acting as an explicit web proxy, and how to configure web browsers to use the proxy. Depending on your situation, we explained that some configuration choices require more RAM, and require specific FortiGate port numbers. Finally, we showed how to see which users are currently authenticated with the explicit proxy.

Web Filtering

In this lesson, we will show you how to filter users’ access to web sites, which is one of the most commonly used features employed by network administrators.

After completing this lesson, you should have these practical skills. This will give you an understanding of the various options that are available to manage and track web content. Familiarity with website design and behavior, as well as with the HTTP protocol, is useful for understanding this module.

Web filtering is simply a means of controlling, or tracking, the websites people visit. There are many reasons why a network administrator would want to do this: preserve employee productivity; prevent network congestion where valuable bandwidth is used for non-business purposes; prevent loss or exposure of confidential information; decrease exposure to web-based threats; limit legal liability when employees access or download inappropriate or offensive material; prevent copyright infringement caused by employees downloading or distributing copyrighted materials; prevent children from viewing inappropriate material.

Proxy-based web filtering is achieved using a transparent proxy that intercepts traffic between the client and server, setting up a man-in-the-middle. Proxy-based inspection provides the most flexibility and configuration options for inspecting web traffic because it intercepts at Layer 7; as such, some features are only available when using proxy-based inspection. Greater control comes at a cost: it is also the most resource intensive in terms of memory and CPU usage, resulting in the slowest throughput. That said, it is widely used and is a very strong solution on appropriately scaled systems.

Flow-based web filtering is achieved by caching the traffic intercepted between the client and server and analyzing the TCP flow, hence flow-based. It provides less flexibility and fewer configuration options for inspecting web traffic, compared to proxy-based, because it intercepts at Layer 3 and works with the Layer 4 data. It does not reassemble actual files, as the proxy does, so content cannot be sent to scanunit.

Rather than looking at the HTTP protocol, another option is to filter the DNS requests that occur prior to an HTTP GET request. This has the advantage of being very lightweight, but at a cost: it lacks the precision of HTTP filtering. Every protocol generates DNS requests in order to resolve a hostname, so this kind of filtering affects all of the higher level protocols that depend on DNS, not just web traffic. For example, it could apply FortiGuard categories to DNS requests for FTP servers. Very few web filtering features are possible beyond hostname filtering, due to the limited amount of data available at the point of inspection.

Inspection mode is set in the web filter profile. When changing mode, the options displayed will change because they are dependent on the inspection mode. When a web filter profile using proxy inspection mode is selected in your firewall policy, a proxy options profile must also be defined. The proxy options profile defines proxy behaviors as well as the ports to be inspected for web or DNS traffic. HTTPS inspection port numbers, and other settings related to the handling of SSL, are defined separately in the SSL/SSH inspection profile.

Let’s summarize the different modes. Proxy-based caches traffic, so it can cause a noticeable delay depending on the file size, oversize limit and connection speed. It does, however, support a greater number of web filtering features. Flow-based has a much higher throughput rate, compared to proxy-based, because it does not cache data, so there is no transmission delay. DNS-based is very lightweight because it handles only the nameserver lookup, but suffers from accuracy issues because it does not see the full URL.

DNS web filtering looks at the nameserver response, which typically occurs when you connect to a website. Proxy-based and flow-based web filtering both look for the HTTP 200 response returned when you successfully access the website. Handling the response, as opposed to the DNS request or HTTP GET, confirms the site is present.

Static URL filtering is enabled in the web filter profile. Entries in the URL filter list are checked against the website that is visited. If a match is found, then the configured action is taken. If there is no match, then the FortiGate moves on to the next enabled check. Patterns set to the type “Simple” are exact text matches. Patterns set to the type “Wildcard” allow for some flexibility in the text pattern by allowing wildcard characters and partial matching. Patterns set to the type “Reg. Expression” allow the use of PCRE regular expressions.

When a user visits a website, the FortiGate looks at the URL list for a matching entry. In this example, the website matches the 3rd entry (using same list as the previous slide). This entry is a simple type, so the match must be an exact one. There is no option for a partial match with a simple pattern. In this case the action is to block the website so the user is presented with a block page, rather than the website they were expecting to see.
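
A simplified model of the static URL filter evaluation described in the last two paragraphs, covering all three pattern types and first-match semantics. This is an added example, not FortiOS code; the list entries, the normalization rule (scheme stripped before simple and wildcard comparison) and the expected results are constructed assumptions, and real FortiOS matching details are not reproduced.

```javascript
// Added example (not Fortinet's code): a simplified model of how a static
// URL filter list is evaluated, using the three pattern types described in
// the guide. The list entries and normalization rule below are constructed
// assumptions, not FortiOS's actual implementation.

// Constructed filter list, evaluated top to bottom; the first match wins.
// The third entry is deliberately a "simple" (exact) pattern, mirroring the
// walkthrough above.
const URL_FILTER_LIST = [
  { pattern: "*.update.example.net*", type: "wildcard", action: "allow" },
  { pattern: "^https?://.*\\.example\\.org/(games|casino)/", type: "regex", action: "block" },
  { pattern: "www.bad-example.test", type: "simple", action: "block" },
  { pattern: "*.bad-example.test*", type: "wildcard", action: "monitor" },
];

// Convert a wildcard pattern to a regular expression: '*' matches any run of
// characters, every other character is matched literally.
function wildcardToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// Strip the scheme and a trailing slash so "www.bad-example.test" compares
// against host+path, which is how the simple/wildcard entries above are
// written (assumption for this model).
function normalize(url) {
  return url.replace(/^[a-z]+:\/\//i, "").replace(/\/$/, "");
}

function entryMatches(entry, url) {
  const target = normalize(url);
  switch (entry.type) {
    case "simple":
      // Exact text match only; a path appended to the host is not a match.
      return target.toLowerCase() === entry.pattern.toLowerCase();
    case "wildcard":
      return wildcardToRegExp(entry.pattern).test(target);
    case "regex":
      // Regex entries are tested against the full URL, scheme included.
      return new RegExp(entry.pattern, "i").test(url);
    default:
      throw new Error("unknown pattern type: " + entry.type);
  }
}

// Return the first matching entry (1-based index, action, pattern), or null
// when nothing matches, meaning the next enabled web filter check would run.
function evaluateUrlFilter(list, url) {
  for (let i = 0; i < list.length; i++) {
    if (entryMatches(list[i], url)) {
      return { index: i + 1, action: list[i].action, pattern: list[i].pattern };
    }
  }
  return null;
}
```

Note how the exact entry blocks only the bare host, while a request with a path falls through to the broader wildcard entry with a different action; ordering and pattern type together decide the outcome.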

Rather than block or allow websites individually like Static URL filtering, FortiGuard Category filtering looks at the category that a website has been rated with. Action is taken based on that category, not the URL itself. FortiGuard Category filtering is a live service that requires a connection to the FortiGuard network and active contract in order to operate. If the contract expires, there is a 7 day grace period to renew the contract before services will be cut off. Rather than communicating to the FortiGuard network to receive a website’s category, larger FortiManager models can be used instead. FortiGuard Category filtering and Static URL filtering have different lists of possible actions that can be configured. The impact of selecting different actions will be covered later on.

When a user visits a web site, you can use the FortiGuard live service to find out the category for the URL and allow or block access by category. This is a great way to perform bulk URL filtering without having to individually define each web site. After the 7 day grace period the FortiGate will not be able to rate websites and every visit will be treated as a rating error. In the event of a rating error for a website there are only 2 options, block or allow.

FortiGuard category filtering is enabled in the GUI, through the Web Filter profile. Categories and subcategories are listed and can have the action to take defined individually. Actions are assigned through right clicking the mouse and selecting from a menu. If the feature is enabled and the unit does not have a valid contract then a warning will be displayed in the GUI.

The FortiGate can maintain a list of recent web site rating responses in memory, so if the URL is one that the device already knows about, it will not have to send a rating request. Two ports are available for the unit to query FortiGuard with, port 53 and port 8888. Port 53 is the default since this is also the port number used for DNS, which is almost guaranteed to be open. However, any kind of inspection will reveal that this traffic is not DNS and prevent the service from working. In this case, you can switch to the alternate port 8888, but this port is not guaranteed to be open in all networks, so you will need to check this before setting it up. Port 80 is an option for FortiGuard communications, but only if you are using a FortiManager rather than the FortiGuard network.

Caching responses reduces the amount of time it takes to establish a rating for a website. A network round trip takes milliseconds at best, and seconds are not unusual. A memory lookup is orders of magnitude faster (nanoseconds). This timeout defaults to 15 seconds but can be adjusted as high as 30 seconds if necessary.

Web site categories are determined by both automatic and human methods. The FortiGuard team has automatic web crawlers that look at various aspects of the website in order to come up with a rating. There are also people who examine websites and look into rating requests in order to determine categories.

There is always the possibility for errors in rating, or a scenario where you simply do not agree with the rating a site has been given. In this case, you can use the web portal to contact the FortiGuard filtering team to submit a web site for a new rating, or to get it rated if it is not already in the database.

The ‘Warning’ action is only an option when using FortiGuard Category filtering and only with proxy-mode inspection. It is not available with Static URL filtering. When someone visits a website that is in a category with an action of warning, they are presented with a page that warns them they may not wish to visit this website. They are given a choice to go to the website anyway, or go back to the previous website.

The ‘Authenticate’ action is only an option when using FortiGuard Category filtering and only with proxy-mode inspection. It is not available with Static URL filtering. The authentication action blocks all websites that are in that category unless the correct passcode is entered. This is not user authentication, and entering proper credentials will not result in any kind of login. The username/password pair is used in the same way a key is used to open a locked door. Once this has been done successfully, access is allowed to that category for the amount of time that has been configured. This will allow the user to visit any other websites that are in the same category for however long has been configured. They will not be prompted again when visiting a second (or third) website in the same category, so long as the timer has not expired.

The ‘Exempt’ action is only an option when using Static URL filtering. It is not available with FortiGuard category filtering. The exempt action is used in order to bypass issues that may be caused by other checks. Sometimes FortiGuard category filtering is not granular enough, sometimes a file you need is being caught by virus scanning. Exempt gives the ability to bypass one or more checks or all further checks.

These actions are possible with FortiGuard Category filtering and Static URL filtering. Regardless of which feature they are used with, the resulting action will be the same.
• Allow – Effectively defines the website as being trusted. Access to the site is permitted and no log message is generated to record this.
• Monitor – Access to the website is permitted and a log message is generated to record the event.
• Block – Prevents access to the website and displays a block page to the user instead. Log message generation is subject to firewall policy, specifically the “Logging Option” setting.

When using FortiGuard category filtering, one option to allow or block access to a website is to make a web rating override and define the website to be in a category other than the one FortiGuard puts it in. Web rating overrides are only for hostnames; no URLs or wildcard characters are allowed. Category filtering is not granular like static URL filtering. If you have a category that is blocked (or allowed) and you need to make an exception for a particular website, this is one option that is available to you. If the contract expires and the 7 day grace period passes, web rating overrides will not be effective. All website categories will still be considered rating errors.

Since FortiGuard category filtering is not granular and performs actions based on the category the websites are in, there may be times when an exception needs to be made for a single website. Rather than unblock a potentially unwanted category, access can be provided on a site-by-site basis. The reverse can also be true, with the majority of websites in a category being fine but a single one needing to be blocked. Changing the category does not automatically result in a different action for the website. This will depend on the settings within the Web Filter profile at the time the user is accessing that web site.

Custom categories can be created and used in conjunction with web rating overrides. If the predefined categories within FortiGuard are not suitable for the situation, additional customized categories can be added. These custom categories can be added and deleted as needed, so long as they are not in use. A category is considered to be in use if there are any web rating overrides that have been configured to use it. It will also be considered in use if there is an action associated with that category other than ‘Allow’ in any web filter profile.

FortiGuard quota can be used to limit the time users spend on web sites, based on the categorization. Quota cannot redirect you once the web site is loaded in the browser. For example, if you had 45 seconds left on your quota and you visited a web site, it would likely finish loading before 45 seconds was done. You could then spend 20 minutes browsing the information you received. You could not get blocked or notified until the next attempt to access another one of these web sites. The reason for this is that the connection to the web site is not generally a live stream. Once you receive the information, the connection is closed.

Quotas are configured just below where you configure the Category actions in the Web filter profile. There can be multiple quotas (timers) configured within this section. Each one can either be linked to a single category, or multiple. If the quota applies to multiple categories then it is not that amount for each individual category, the timer applies to all of the categories that are specified.

Some features on the FortiGate can’t provide direct user feedback. FortiGuard quota won’t provide any feedback to the user until they exceed the quota they have been given, unless the Fortinet Bar is enabled. The Fortinet Bar injects a Java applet which uses a communications port to talk to the FortiGate and get additional information from features that would otherwise provide no direct user feedback. FortiGuard quota provides a countdown. Other features that can’t do block pages (e.g. application control) will show block events in the top bar. HTTPS pages are a lot more sensitive to injected data, so it’s not possible to reliably insert data; the Fortinet Bar is therefore only available for HTTP websites.

Enforcing safe search can be done for Google, Bing and Yahoo. Safe search is an option that some search engines offer in order to apply their filters to the search results that are displayed. This way, even if Safe Search is disabled in the browser, the FortiGate will make sure the query is subject to whatever settings the service decides. All the FortiGate can do is ensure that it is enabled. It cannot dictate the behavior of the filter, as that is up to the search engine providers. It works by looking for the Safe Search string when you submit a search. If it is not there, the FortiGate unit will modify the request to include it. This way, even if it is not enabled locally in the browser, it gets applied to the request as it passes through the FortiGate. YouTube EDU filtering is also available. This is a service offered by YouTube to educational institutions. When you create an account with them, they provide you with an identifier. Unlike normal Safe Search, this does not append to the URL, but adds an HTTP header into the packets. This identifies your school to YouTube when people visit. Within your YouTube EDU account, you can configure the filters and settings in order to limit video access.
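
The rewrite described above, as an added Python example that is not part of the student guide or of FortiOS. The guide only says the unit looks for "the Safe Search string"; the query parameter names used here (`safe=active`, `adlt=strict`, `vm=r`) are the engines' own documented parameters, the YouTube EDU header name is the one YouTube published for that programme, and the EDU identifier is a placeholder. One assumption goes beyond the guide's wording: a parameter already present with a non-strict value is overwritten rather than left alone.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed mapping of search-engine host to the query parameter that enforces
# safe search. Parameter names come from the engines' documentation, not from
# the guide; the set of hosts is deliberately small.
SAFE_SEARCH_PARAMS = {
    "www.google.com": ("safe", "active"),
    "www.bing.com": ("adlt", "strict"),
    "search.yahoo.com": ("vm", "r"),
}


def enforce_safe_search(url: str) -> tuple:
    """Return (url, changed). If the host is a supported engine and the safe
    search parameter is missing (or set to anything else), insert it."""
    parts = urlsplit(url)
    rule = SAFE_SEARCH_PARAMS.get((parts.hostname or "").lower())
    if rule is None:
        return url, False                 # not a search engine we enforce for
    key, value = rule
    present = False
    rewritten = []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k == key:
            present = True
            rewritten.append((k, value))  # assumption: force the strict value
        else:
            rewritten.append((k, v))
    if not present:
        rewritten.append((key, value))    # the guide's case: string absent, add it
    new_url = urlunsplit((parts.scheme, parts.netloc, parts.path,
                          urlencode(rewritten), parts.fragment))
    return new_url, new_url != url


def add_youtube_edu_header(headers: dict, edu_id: str) -> dict:
    """YouTube EDU is signalled with an HTTP request header, not a URL change.
    The header name is YouTube's documented one (assumed here); edu_id is the
    identifier the institution receives, a placeholder in this example."""
    out = dict(headers)
    out["X-YouTube-Edu-Filter"] = edu_id
    return out


if __name__ == "__main__":
    print(enforce_safe_search("https://www.google.com/search?q=cats"))
    print(add_youtube_edu_header({"Host": "www.youtube.com"}, "EDU-ID-PLACEHOLDER"))
```

This only works when the FortiGate can see and modify the request, which for HTTPS search pages means full SSL inspection must be in place; with certificate inspection alone the query string is never visible.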

There are several different components to web filtering, and when they are enabled, the inspection order follows these steps. The local static URL filter occurs first. Second, FortiGuard category filtering determines a rating. Finally, advanced filters are applied, like Safe Search or removing ActiveX components. After all the checks are done, the information is handed off internally for virus scanning.
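
The order of checks, the rating cache, web rating overrides, the rating-error fallback and the Exempt bypass can all be seen together in one small simulation. This is an added Python example, not code from the student guide or from FortiOS; the static entries, overrides, category actions, the stand-in rating database and the cache lifetime are constructed, and the static URL filter here uses exact hostname entries only.

```python
import time

# --- Constructed profile settings ------------------------------------------
STATIC_URL_FILTER = {                       # exact hostname entries -> action
    "intranet.example.com": "exempt",
    "www.example.net": "block",
    "news.example.org": "monitor",
}
RATING_OVERRIDES = {"www.example.org": "Business"}   # hostname -> category
CATEGORY_ACTIONS = {                        # FortiGuard category -> action
    "Malicious": "block",
    "Games": "warning",
    "Business": "allow",
    "News": "monitor",
}
RATING_ERROR_ACTION = "block"               # only allow or block are possible
CACHE_TTL = 60                              # seconds; an assumed cache lifetime

# Stand-in for the live FortiGuard rating service (constructed data).
_FORTIGUARD_DB = {
    "www.example.org": "Games",
    "www.example.com": "News",
    "evil.test": "Malicious",
}


class Rater:
    """FortiGuard category lookup with an in-memory response cache."""

    def __init__(self, contract_valid=True, clock=time.monotonic):
        self.contract_valid = contract_valid
        self.clock = clock
        self.cache = {}          # hostname -> (category, expiry)
        self.queries = 0         # how many times we had to ask FortiGuard

    def rate(self, host):
        if not self.contract_valid:
            return None          # every lookup is a rating error; overrides do not help
        if host in RATING_OVERRIDES:
            return RATING_OVERRIDES[host]
        now = self.clock()
        hit = self.cache.get(host)
        if hit and hit[1] > now:
            return hit[0]        # recent response, no request needed
        self.queries += 1        # cache miss: query the live service
        category = _FORTIGUARD_DB.get(host)
        if category is not None:
            self.cache[host] = (category, now + CACHE_TTL)
        return category


def hostname_of(url):
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def inspect(url, rater):
    """Run the checks in the guide's order and return (verdict, trace)."""
    host = hostname_of(url)
    trace = []

    # 1. Local static URL filter
    action = STATIC_URL_FILTER.get(host)
    if action is not None:
        trace.append(("static_url", action))
        if action == "exempt":
            trace.append(("skipped", "category, advanced filters, antivirus"))
            return "allow", trace
        if action == "block":
            return "block", trace
        # allow / monitor: continue with the next check

    # 2. FortiGuard category rating
    category = rater.rate(host)
    if category is None:
        trace.append(("rating_error", RATING_ERROR_ACTION))
        if RATING_ERROR_ACTION == "block":
            return "block", trace
    else:
        cat_action = CATEGORY_ACTIONS.get(category, "allow")
        trace.append(("category", category, cat_action))
        if cat_action == "block":
            return "block", trace
        if cat_action in ("warning", "authenticate"):
            return cat_action, trace   # user is shown a page and decides

    # 3. Advanced filters, then hand the content to antivirus scanning
    trace.append(("advanced_filters", "safe search, ActiveX removal"))
    trace.append(("antivirus", "handed off"))
    return "allow", trace


if __name__ == "__main__":
    r = Rater()
    for u in ("https://intranet.example.com/x", "http://www.example.org/",
              "http://evil.test/a", "http://www.example.com/"):
        print(u, inspect(u, r))
    print("expired contract:", inspect("http://www.example.org/", Rater(contract_valid=False)))
```

Two points worth checking in the trace: an Exempt hit skips everything after it, including antivirus, and an expired contract turns even an overridden hostname into a rating error, so the rating-error setting becomes the only thing deciding those sites.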

Here’s a look at the web filter profile. Up at the top you can enable FortiGuard and assign the actions to the various web site categories. If you scroll down towards the bottom you will find the more advanced options that can be enabled, like Safe Search and Static URL filtering. Once you have enabled and saved the settings you require, you will need to apply the profile to your firewall policy to activate the options.

Web profile overrides change the rules that will be used to inspect traffic. Enabling them allows authorized users to enter a passcode that will change the Web filter profile that inspects their traffic to another profile. Proper configuration would mean this new profile has elevated access permissions and allows additional websites. The new profile will be used to inspect ALL of their web traffic from that point on, until the timer expires. Authentication must be enabled in order to use this. Once web profile overrides are enabled, the FortiGuard block page will show an override link that users can select in order to activate this override.
• Apply to Groups – Select the user credentials that allow overrides.
• Assign to Profile – Which Web profile will be used after a successful override.
• Scope – Who will be affected by the override.
• Duration – How long the override will last.

How the FortiGate handles HTTPS traffic is decided based on the settings of the SSL Inspection profile that is applied to the Firewall Policy. SSL Certificate Inspection reads only unencrypted data from the hello message, whereas Full SSL Inspection will proxy SSL, allowing for full content inspection. SSL and Certificates are covered in more detail in the Certificate Operations module.

This is an example of the log message generated as a result of applying a web filter profile on a firewall policy. Access details include information about the FortiGuard quota and category (if those are enabled), which web filter profile was used to inspect the traffic, the URL and more details about the event.

You can also view the raw log data by selecting the “Download Raw Log” button at the top right of the GUI. When the downloaded file is opened, it will be a plain text file in a syslog format.

The list of IPs to use for FortiGuard comes back from the update server (FortiGuard Distribution Network or FortiManager).
• Weight – Based on the difference in timezone between the FortiGate and this server (modified by traffic)
• RTT – Round Trip Time
• Flags – D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
• TZ – Server timezone
• Curr Lost – current number of consecutive lost packets (resets to 0 when 1 packet succeeds)
• Total Lost – total number of lost packets
The list is of variable length, depending on the FortiGuard Distribution Network, but approximately 10 IPs in total is the average.

Logs can be used to determine the decision made by the FortiGate, but this depends on the configured settings. The firewall policy may not be set to log, or the action could be set to accept. In both of those cases no log event will be generated to record the decision. This diagnostic shows the full URL in the output. In order to have it fit, some of the output was chopped off from this page. The source of the request, the hostname, the URL, the user (if authentication is enabled) and the profile used to examine the URL can all be determined by reading the output.

Here is a review of what we discussed. We showed:
• An overview of web filtering functionality
• Explained the different types and modes for web filtering
• How static URL filtering works
• How FortiGuard category filtering works
• How to submit a website for rating
• Different actions that can be associated with accessing a website
• How to do a rating override and create a custom category
• Applying a quota to a category
• Introduced the Fortinet Bar
• Showed how it’s possible to force safe search with some common websites
• Explained the order of the checks involved with inspecting websites
• Explained how to configure a web profile override
• Finally we covered the basics of inspecting HTTPS traffic

 Application Control

In this lesson, you will learn how to control network applications – beyond simply blocking or allowing a port number.

After completing this lesson, you should have these practical skills to apply application control, keep it up-to-date, and monitor what applications are being used on your network. Lab exercises can help you to reinforce what you’ve learned.

Application control detects applications – often, ones that waste bandwidth – and allows you to monitor and/or block the traffic. Like other UTM inspection, to use application control, you must first set it up. Unlike other forms of UTM, such as web filtering or antivirus, application control isn’t applied by a proxy. It uses IPSEngine. So it doesn’t operate by built-in protocol states. It matches patterns in the entire byte stream of the packet. By comparison, when applying web filtering and antivirus via HTTP proxy, the proxy first parses HTTP and removes the protocol, and then scans only the payload inside. Why does FortiGate use a flow-based scan for application control?

Because proxies can’t easily detect peer-to-peer applications. When HTTP and other protocols were designed, they were designed to be easy to trace. In that way, administrators could easily give access to single servers behind NAT devices such as routers and, later, firewalls. But when peer-to-peer applications were designed, they had to be able to work without assistance – or cooperation – from the network administrators. In order to achieve this, the designers made them skilled at bypassing firewalls, and incredibly hard to detect. Port randomization, pinholes, and changing encryption patterns are some of the techniques that P2P protocols use. These techniques make them difficult to block via firewall policy, and also make them difficult to proxy.

Let’s show how this works. Here is a traditional, client-server architecture. There may be many clients of popular sites, but often, such as with an office file server, it’s just between one client and one server. Traditional downloads use a defined protocol over a standard port number. Whether it’s from a web or FTP site, the download is from a single IP address, to a single IP address. So blocking this kind of traffic is easy: you only need one firewall policy. But it’s more difficult for peer-to-peer downloads. Why?

Peer-to-peer downloads divide each file among multiple (theoretically unlimited) peers. Each peer delivers part of the file. Interestingly, where having many clients is a disadvantage for client-server architectures, it is an advantage for peer-to-peer: as the number of peers increases to n, the file is delivered n times faster. Because popularity increases the speed of delivery – unlike traditional client-server architecture, where popularity could effectively cause a denial of service attack on the server – some software, such as BitTorrent distributions of Linux, and games distributing new patches, leverage this advantage. Even if each client has little bandwidth, together they can offer more bandwidth for the download than many powerful servers. Conversely, in order to download the file, this also means that the requesting peer can consume much more bandwidth per second than it could from only a single server. Even if there is only one peer on your network, it can consume unusually large amounts. And because the protocols are usually evasive, and there will be many sessions to many peers, they are difficult to completely block. In a DHCP LAN or guest Wi-Fi, where the inside peer doesn’t have a static IP address or even a predictable physical location, it can be extremely difficult to find and stop.

So how does application control block these applications, and more? It scans packets passing through the FortiGate, and looks for patterns. A particular application, such as Google Talk, is identified by matching known patterns to its transmission patterns. So obviously it can only be accurately identified if this stream is unique somehow. Not every application behaves in a unique way. Many reuse pre-existing, standard protocols and communications methods. For example, many video games such as World of Warcraft now use the BitTorrent protocol to distribute game patches. Application control only scans the network traffic. Application control doesn’t scan software installed on the client; this would require software to be installed on the endpoint, such as a FortiScan agent. So it won’t detect software until it starts and connects to the network. Application control does not use FortiGate’s proxies. So unlike some other UTM profiles, you can’t switch between proxy- and flow-based inspection.

Before you try to control applications, it’s important to understand how that works. How does application control detect the newest applications, and changes to those application protocols? To do this, you can configure your FortiGate to automatically update its application control signature database, in the same way that it polls FortiGuard for new IPS signatures. The extended IPS signature package includes more application control signatures. So if you don’t find the ones you need initially, you can enable that option to download more.

To view the signatures that your FortiGate has downloaded, click the ‘View Application Signatures’ link in the application control profile. Remember, if you did not enable download of the extended IPS database, FortiGuard may have more signatures available that you do not see in the GUI. To see those, visit the FortiGuard web site.

On the FortiGuard web site, you can read details about each signature’s related application. Let’s look at an example. This is the article for Google Talk. It is an instant messenger, so Fortinet has put it in the “Collaboration” category. The article mentions that Google Talk, like many instant messengers now, uses the Jabber protocol. So if you block the application, the logs may show the Jabber protocol, even though the application that the user has installed is named Google Talk. If there are any special requirements in order to scan or block the application, the article provides some advice. But it’s always wise to search the Internet for more information, and to make test policies and observe the behavior. At the top of the page, you’ll also notice a risk rating…

When building an application control signature, FortiGuard’s security research team evaluates the application and assigns a risk level. It is based on the types of security risk. The rating is Fortinet-specific, and not related to CVSS or other external systems. If you aren’t aware of specific software, this information can help you to decide if it would be wise to block the software or not.

If there are new applications that you need to control, and the latest update doesn’t have any definitions for them, you can ask FortiGuard to add them. Remember, though, that not all applications can be uniquely defined. That is to say, there must be something about the traffic that can be used to differentiate it from other similar traffic: traffic that occurs on the same port, or via the same protocol.

Once you have a signature, the next step is to define your settings to control it. Do this in an application sensor. Then, to apply your application control settings, select the profile in the firewall policy. Like any other security profile, these settings are not global. FortiGate will only apply them to traffic governed by the firewall policy where you’ve selected an application control profile. This allows granular control.

Did you see these two at the end of the list of categories? They are catch-all categories:
• ‘All Other Known Applications’
• ‘All Other Unknown Applications’
‘All Other Known Applications’ matches traffic that can be identified, but that you did not explicitly enable in the profile. This is because some categories are only directly configurable through the CLI: the ones that are in the extended IPS database. ‘All Other Unknown Applications’ matches traffic that could not be identified. Application control will create a log entry that says the traffic is an ‘Unknown Application’. Depending on:
• how many rare applications your users have
• which IPS database you are using (remember, the default IPS database can identify fewer rare applications than the extended one)
this might cause many log entries. Frequent log entries decrease performance.

Once you’ve applied application control, FortiGate will start to scan packets for matches. It will do this in a specific order. There are two major sections to the application control profile:
• ‘Categories’ is at the top
• ‘Application Overrides’ below ‘Categories’
First, IPSEngine examines the traffic stream for a signature match. If you’ve configured any overrides, application control considers those first. It looks for a matching override starting at the top of the list, like firewall policies. If no matching override exists, then application control applies the action that you’ve configured for applications in your selected categories. Multiple overrides for the same signature cannot be created.

Both categories’ and overrides’ actions are configurable.
• Allow – Simply passes the traffic
• Monitor – Passes the traffic, but also records a log message
• Block – Drops the detected traffic without notifying the client, and records a log message
• Reset – Resets the TCP connection, and records a log message
• Traffic Shaping – Rate limits the application so that it doesn’t deprive more important traffic of bandwidth, and also records a log message

Which is the correct action to select? It depends on the application. If an application requires feedback to prevent instability or other unwanted behavior, then you might use ‘Reset’ instead of ‘Block’. If you need to allow the application but prevent it from starving other applications of bandwidth, then traffic shaping might be a good choice. Otherwise, the most efficient use of FortiGate resources is to simply block.
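
The override-then-category evaluation order, the two catch-all categories, the no-duplicate rule for overrides and the set of actions that produce a log message, modelled as an added Python example (not code from the student guide or from FortiOS). The sensor contents, signature names and categories below are constructed; the action names are the ones listed above.

```python
from dataclasses import dataclass, field

# Actions that write a log message, per the action list in the guide.
LOGGED_ACTIONS = {"monitor", "block", "reset", "traffic_shaping"}


@dataclass
class Override:
    signature: str      # application signature name, e.g. "YouTube"
    action: str


@dataclass
class ApplicationSensor:
    category_actions: dict                              # category -> action
    overrides: list = field(default_factory=list)       # ordered, top entry first
    other_known: str = "monitor"     # 'All Other Known Applications'
    other_unknown: str = "monitor"   # 'All Other Unknown Applications'

    def add_override(self, signature, action):
        """Append an override; a second one for the same signature is refused."""
        if any(o.signature == signature for o in self.overrides):
            raise ValueError(f"an override for {signature!r} already exists")
        self.overrides.append(Override(signature, action))

    def decide(self, signature, category):
        """Return (action, reason) for one identified flow.
        signature is None when IPSEngine could not identify the traffic."""
        if signature is None:
            return self.other_unknown, "all_other_unknown"
        for o in self.overrides:                  # overrides first, top to bottom
            if o.signature == signature:
                return o.action, "override"
        if category in self.category_actions:     # then the category's action
            return self.category_actions[category], "category"
        return self.other_known, "all_other_known"


def is_logged(action):
    """Whether the chosen action leaves a record in the application control log."""
    return action in LOGGED_ACTIONS


def duplicate_rejected(sensor, signature, action):
    """True if the sensor refused a second override for the same signature."""
    try:
        sensor.add_override(signature, action)
    except ValueError:
        return True
    return False


def build_demo_sensor():
    """Constructed sensor: block two categories, but shape two named apps."""
    sensor = ApplicationSensor(category_actions={"Social.Media": "block",
                                                 "Video/Audio": "block",
                                                 "Collaboration": "monitor"})
    sensor.add_override("Facebook", "traffic_shaping")
    sensor.add_override("YouTube", "traffic_shaping")
    return sensor


if __name__ == "__main__":
    s = build_demo_sensor()
    for sig, cat in (("YouTube", "Video/Audio"), ("Vimeo", "Video/Audio"),
                     ("Google.Talk", "Collaboration"), (None, None)):
        action, reason = s.decide(sig, cat)
        print(sig, cat, "->", action, f"({reason}, logged={is_logged(action)})")
```

Because the override list is consulted before the category action, a shaped application in a blocked category stays reachable; the category block applies to every other signature in that category, and anything the engine cannot name falls through to the ‘All Other Unknown Applications’ setting.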

Order of scans is introduced in the firewall policies lesson. But here is a review of the third phase: where application control occurs. Application control is later than many of FortiGate’s other scans and actions, such as for VPN ingress and DoS. But within UTM, it is one of the first scans. So if traffic is blocked by application control, FortiGate never does later scans like web filtering or antivirus, even if those profiles use flow-based inspection from IPSEngine, just like application control. But if you have configured application control to allow the traffic – not block it or reset the TCP connection – then FortiGate will proceed to the next scans: email filtering, web filtering, and antivirus. Because each scan can have exemptions, this has some interesting effects.

Here is an example of how several UTM features could work together, overlap, or as substitutes, on the same traffic. In this profile, application control (in general) blocks the categories Social.Media and Video/Audio. For those applications, FortiGate responds with application control’s HTTP block message. (It’s slightly different than web filtering’s HTTP block message.) But at the bottom of this profile, there are some exceptions. Instead of blocking, application control applies traffic shaping to Facebook and YouTube. After the application control scan is done, FortiGate begins other scans, such as web filtering. This, too, could block Facebook and YouTube, but it would use its own message. Also, web filtering doesn’t check the list of application control overrides. So even if an application control override allows and rate limits an app, web filtering could still block it. Similarly, static URL filtering has its own ‘Exempt’ action, which bypasses all subsequent security checks. However, application control occurs before web filtering, so that web filtering exemption can’t bypass application control.

For HTTP-based applications, application control can provide some feedback to the user about why their application was blocked. This is called a “block page”, and it’s similar to the one you can configure for URLs that you block via FortiGuard Web Filtering. The block page says:
• which signature detected the application (in this case, HTTP.Browser_Firefox)
• the signature’s category (Web.Others)
• the URL that was specifically blocked (in this case, the index page of msn.com), since a web page can be assembled from multiple URLs
• the client’s source IP (10.0.1.10)
• the server’s destination IP (23.101.196.141)
• user name (if authentication is enabled)
• the UUID of the policy governing the traffic
• and the FortiGate’s host name
The last two pieces of information can help you to find which FortiGate blocked the page, even if you have a large network with many FortiGates securing different segments.

If an application is necessary, but you do need to prevent it from impacting bandwidth for more sensitive streaming applications such as video conferencing, then – instead of blocking it entirely – you can rate limit the application. Shaping traffic via application control is very useful when you are trying to limit traffic that uses the same TCP or UDP port numbers as a mission-critical application. Some high-traffic web sites such as YouTube can be throttled in this way.

Let’s say that you have enabled application control because users have been complaining that the network is slow. During peak times, you notice that there is no bandwidth remaining. Application control – with the ‘Monitor’ action selected – showed that many users were using YouTube, and it correlated to periods of bandwidth saturation. How could you solve this? With web filtering, you can see that www.youtube.com is often accessed, but it doesn’t analyze the function of each URL. And it can’t apply traffic shaping. Alternatively, since YouTube generates large volumes of traffic, you could use application control signatures with a traffic shaping action. Let’s examine the details of how that could work.

Not all URL requests to www.youtube.com are for video. Your browser makes several HTTP requests for:
• the web page itself
• images
• scripts and style sheets
• video
and all of them have separate URLs. If you analyze a site like YouTube, the web pages themselves don’t use much bandwidth. Mostly, the culprit is the video. But since it is all transported via the same protocol (HTTPS), and the URLs contain dynamically generated alphanumeric strings:
• traditional firewall policies can’t block or throttle it by port number/protocol, which are all the same
• web filtering cannot apply traffic shaping
With application control, you can rate limit only the videos. This prevents users from saturating your network bandwidth while still allowing them to access the other content on the site, such as for comments or sharing links.

At the bottom of the application sensor, there are more options that affect how application control functions. ‘Deep Inspection of Cloud Applications’ does not enable SSL Inspection. Many applications are switching to HTTPS-only, so remember that for those, you will also need an SSL/SSH inspection profile. This includes many popular ones, such as Twitter. If the application is encrypted, and you haven’t enabled SSL/SSH inspection, then application control won’t be able to recognize the application. If you choose to enable ‘Allow and Log DNS Traffic’, be aware that you should only do it for short periods, such as during an investigation. Leaving this option enabled for long periods can impact performance and cause premature disk failure. One log is created per packet. So depending on the application, and how often it queries DNS servers, this can use significant system resources. ‘Replacement Messages for HTTP-based Applications’ allows you to replace blocked content with an explanation for the user’s benefit. Application control can also link into the Fortinet Bar, if that has been enabled. With non-HTTP applications, however, you can only drop the packets or reset the TCP connection.


If you have logging enabled, you can use it to discover which applications are being used on your network, and details about them. Look in Log & Report > Security Log > Application Control. In this example, application control detected a client attempting to access Facebook. The configured action was to monitor the traffic. We know this because the ‘Action’ indicates ‘pass,’ so we know FortiGate didn’t block the traffic. But the action wasn’t to simply allow the traffic without logging, either, which we know because the log message exists. To view details about the log message, click its entry. The application name is a link to the FortiGuard encyclopedia web site. If you were unaware of the application, and don’t know what type of risks it presents, you could click the link to read more.


If you look in the forward traffic log, where firewall policies record activity, you’ll also find a summary of traffic where FortiGate applied application control. Again, this is because application control is applied by a firewall policy. To find which policy applied application control, you can use either the ‘Policy ID’ or the ‘Policy UUID’ fields of this log message.
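The two log views described above (the application control security log, and the forward traffic log that records which firewall policy applied the sensor) can be reviewed outside the GUI as well. The following is an added example, not code from the student guide or from Fortinet: it parses the key=value line format FortiGate uses for its logs, summarizes which applications were detected and which action the sensor applied, and joins application control records to forward traffic records through the Policy UUID. The sample log lines are constructed for this example; the field names (app, appcat, action, policyid, poluuid, subtype) follow FortiGate's log field naming, but the exact set of action values handled by interpret_action is an assumption.

```python
"""Summarize FortiGate application-control logs (added example, not Fortinet code)."""
import re
from collections import defaultdict

# Matches key=value pairs where the value is either "quoted" or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records, not captured from a real device.
# The first three are application control records (subtype="app-ctrl");
# the last is the matching forward traffic record written by the firewall policy.
SAMPLE_LOGS = [
    'date=2016-05-26 time=10:01:02 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="information" srcip=10.0.1.10 dstip=203.0.113.5 service="HTTPS" policyid=1 '
    'poluuid="00000000-0000-0000-0000-00000000aaaa" app="Facebook" appcat="Social.Media" '
    'action="pass"',
    'date=2016-05-26 time=10:02:15 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="warning" srcip=10.0.1.11 dstip=198.51.100.7 service="tcp/6881" policyid=2 '
    'poluuid="00000000-0000-0000-0000-00000000bbbb" app="BitTorrent" appcat="P2P" '
    'action="block"',
    'date=2016-05-26 time=10:03:40 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="information" srcip=10.0.1.12 dstip=203.0.113.5 service="HTTPS" policyid=1 '
    'poluuid="00000000-0000-0000-0000-00000000aaaa" app="Facebook" appcat="Social.Media" '
    'action="pass"',
    'date=2016-05-26 time=10:01:02 type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.1.10 dstip=203.0.113.5 policyid=1 '
    'poluuid="00000000-0000-0000-0000-00000000aaaa" action="accept" app="Facebook" '
    'appcat="Social.Media"',
]


def parse_log_line(line):
    """Split one key=value log line into a dict, dropping the quotes around values."""
    return {key: value.strip('"') for key, value in _KV_RE.findall(line)}


def interpret_action(record):
    """Translate the raw 'action' field of an app-ctrl record into what the sensor did.

    A logged 'pass' means the sensor action was Monitor: the traffic went through,
    but the existence of the record shows it was not simply allowed without logging.
    The action values recognized here are an assumption for this example.
    """
    action = record.get("action", "")
    if action == "pass":
        return "monitor"
    if action in ("block", "reset"):
        return "block"
    return "other:" + action


def summarize_app_control(lines):
    """Return {app: {"hits": n, "actions": set, "policies": set}} from app-ctrl records.

    'policies' holds (policyid, poluuid) tuples, so each detected application can be
    traced back to the firewall policy whose sensor produced the record.
    """
    summary = defaultdict(lambda: {"hits": 0, "actions": set(), "policies": set()})
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("subtype") != "app-ctrl":
            continue  # skip traffic, event and other UTM records
        entry = summary[rec.get("app", "unknown")]
        entry["hits"] += 1
        entry["actions"].add(interpret_action(rec))
        entry["policies"].add((rec.get("policyid"), rec.get("poluuid")))
    return dict(summary)


def forward_records_for_policy(lines, poluuid):
    """Return the forward traffic records written by the policy with this UUID."""
    matches = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") == "traffic" and rec.get("poluuid") == poluuid:
            matches.append(rec)
    return matches


if __name__ == "__main__":
    for app, info in summarize_app_control(SAMPLE_LOGS).items():
        print(f"{app}: {info['hits']} hit(s), action(s) {sorted(info['actions'])}")
        for policy_id, uuid in info["policies"]:
            related = forward_records_for_policy(SAMPLE_LOGS, uuid)
            print(f"  policy {policy_id} ({uuid}): {len(related)} forward traffic record(s)")
```

Running the block on the constructed lines reports Facebook as monitored twice by policy 1 (with one matching forward traffic record) and BitTorrent as blocked once by policy 2. Pointing it at an exported log file instead of SAMPLE_LOGS is a matter of reading the file's lines into the same functions.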


To review, here is what we discussed:
• How application control identifies traffic
• Why some traffic, especially peer-to-peer, is hard to block without application control
• FortiGuard’s 5-point rating system for application control signatures
• How to submit requests for additional applications
• How to configure an application control sensor
• When to shape traffic
• Order of operations for the application control and IPS Engine processes
• How to read logs to discover which applications have been detected, and which action FortiGate applied

