Fortigate


Features
FortiGate as a DHCP server

Default Route
PORT 6 - WAN
Firewall Policy
Internet Services

Policy Table
Create Policy
Using Firewall authentication

Without firewall authentication, the only information that Fortigate knows about the user that is
originating the traffic is their source IP address, which Fortigate cannot use to determine the user
identity.

To configure firewall authentication, you add a source user or user group to the firewall policy.
This requires that users enter credentials at the beginning of the session. Fortigate then uses the
identity of the user, along with the other rules in the firewall policy, to determine if the traffic
should be allowed or denied.

Authentication methods

You can configure two types of firewall authentication on Fortigate:

Local password authentication

Remote password authentication

The difference between the two methods is whether the user credentials are stored on
Fortigate or on a remote authentication server.

Local password authentication

The simplest method of authentication is local password authentication. User information is
stored locally on the Fortigate device. This method works well for a single Fortigate installation.

When you use firewall authentication, you need to create individual accounts for every user who
requires access to the network. A local user account contains both the username and a password.

You can also create local user groups to group together users who require the same level of
access. You might want to group employees by business area, such as finance or HR, or by
employee type, such as contractors or guests. In most cases, it is the best practice to use a group
in a firewall policy rather than individual user accounts.

Guest accounts

You can also use authentication for guest groups, which contain temporary user accounts that
expire. Administrators can manually create guest accounts or create many guest accounts at once
using randomly generated user IDs and passwords.

Remote authentication

Fortigate sends the user’s entered credentials to an authentication server, such as
FortiAuthenticator. If the server successfully authenticates the user, Fortigate then applies the
matching firewall policy to the traffic.

This method is desirable when multiple Fortigate devices need to authenticate the same users or
user groups, or when adding Fortigate to a network that already contains an authentication server.

Adding authentication to firewall policies

To use firewall authentication, you need to include a user account or user group in the source
definition for a firewall policy, along with the internal subnet.

Configure Local Authentication

Task 1: Create a user account.
Task 2: Create a user group, based on the user’s role or type.
Task 3: Add the user group as the source for a firewall policy.
Task 4: Verify the configuration and monitor users.
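The four local-authentication tasks above expressed in FortiOS CLI, as an added example that is not part of the original notes. The user jsmith, the group Finance, the interfaces port3 (LAN) and port1 (WAN) and the address object LAN_subnet are assumed placeholders, and the `#` lines are annotations to strip before pasting into the CLI.

```text
# Task 1: local user account; the password is stored on the FortiGate itself
config user local
    edit "jsmith"
        set type password
        set passwd "REPLACE_WITH_STRONG_PASSWORD"
    next
end

# Task 2: group users by role; policies should reference the group, not the user
config user group
    edit "Finance"
        set member "jsmith"
    next
end

# Task 3: the group joins the internal subnet in the policy's source definition,
# so a session is matched on the authenticated identity as well as on source IP
config firewall policy
    edit 10
        set name "Finance-to-Internet"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set groups "Finance"
        set nat enable
        set logtraffic all
    next
end

# Task 4: list the users currently authenticated through the firewall
diagnose firewall auth list
```

With logtraffic enabled, each traffic log entry matched by policy 10 carries the user and group fields, which is what the monitoring step checks.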
Configure Remote Authentication

Task 1: Connect Fortigate to the remote server.
Task 2: Create a user group.
Task 3: Add the user group as the source for a firewall policy.
Task 4: Verify the configuration and monitor users.

Lab simulation

Configure remote authentication
Create a user group
Add authentication to the firewall policy
Verify and monitor firewall authentication

Using SSL Inspection

HTTPS offers protection by applying encryption to web traffic; however, it also introduces a
potential security risk because attackers may attempt to use encrypted traffic to get around your
network’s normal defenses.

Types of SSL Inspection

There are two types of FortiGate SSL inspection:

Certificate inspection

Deep inspection

Certificate Inspection

When you use SSL certificate inspection, Fortigate inspects the SSL/TLS handshake when a session
begins. By doing this, Fortigate verifies the identity of the web server and makes sure that the
HTTPS protocol is not used as a workaround to access sites you have blocked using web filtering.

Deep inspection

Also known as full inspection, deep inspection has Fortigate impersonate the recipient of the
originating SSL session, then decrypt and inspect the content to find and block threats. If the
content is safe, Fortigate re-encrypts the content and sends it to the real recipient.

LAB SIMULATION

LAB SIMULATION 2

Avoid certificate warnings

Risk of malware

FortiGuard Labs

FortiGate Antivirus Scanning

Antivirus scanning detects known malware and is the first, fastest, and simplest way to detect
it. FortiGate detects viruses that are an exact match for a signature in the FortiGuard
antivirus database.

FortiGate Antivirus Profile

You can configure antivirus settings as part of an antivirus profile. In the antivirus profile, you can
define what FortiGate should do if it detects an infected file. After you configure an antivirus
profile, you must apply it in the firewall policy.

Configure Antivirus Protection

Task 1: Create an antivirus profile, or configure the default antivirus profile.

Task 2: Add the antivirus profile to a firewall policy: enable antivirus scanning on the policy and
select the correct profile.

Task 3: Verify the configuration.

Task 4: Monitor antivirus protection.

LAB SIMULATION

Task 1: Create an antivirus profile

Task 2: Apply antivirus to a firewall policy

Task 3: Verify antivirus


Knowledge check
Control web access using web filtering

Learning objectives

Preserve employee productivity

Prevent network congestion

Decrease exposure to web-based-threats

Limit legal liability

Prevent viewing inappropriate material

FortiGuard Category Filters

For web filtering, FortiGate can use FortiGuard category filters to control web access.

Each category contains websites or web pages that have been assigned based on their dominant
web content.

List of categories/subcategories (www.fortiguard.com/webfilter)

FortiGate works with FortiGuard categories to determine how websites are filtered.

Rather than blocking or allowing websites individually, FortiGuard category filtering looks at the
category with which a website has been rated.

Configure a web filter to use a FortiGuard Category

Task 1: Validate the FortiGuard security subscription license.

Task 2: Identify how FortiGuard categorizes the website.

Task 3: Configure a web filtering security profile

Task 4: Apply the web filter security profile to a firewall policy to start inspecting web traffic. Also,
enable logs.

Task 5: Test the web filter security profile.

Lab simulation

Authenticate action
Configuring the FortiGate Intrusion Prevention System (IPS)

To identify malicious traffic, FortiGate uses its top-of-the-line IPS engine and IPS sensors.

An IPS sensor is a collection of IPS signatures and filters that define the scope of what the IPS
engine scans when the IPS sensor is applied to a firewall policy.

How does an IPS work?

Protocol Decoders

Signatures
Configuring the FortiGate IPS

Step 1: Select the required IPS sensor or create a new custom one.

Step 2: Select the required signatures and filters for the sensor and decide whether you want the
sensor to block malicious URLs and botnet command-and-control (C&C) traffic.

Step 3: Apply the IPS sensor to a firewall policy.

What actions can an IPS take?

Monitoring the IPS


Best practices

Demonstration

Apply the IPS sensor to a firewall policy

LAB SIMULATION

TASK 1: Create a custom IPS sensor

What is an IPS signature?
Controlling Application Access

What is application control?

Application control can identify network traffic that is generated from specific applications and
take the appropriate actions, such as monitor and block traffic or apply traffic shaping for all or
specific users of a firewall policy.

How does FortiGate application control work to limit access?

Peer-to-peer protocols use evasive techniques to bypass traditional firewall policies. Therefore,
FortiGate application control matches known patterns against the transmission patterns of the
application. The application control signature database is provided by FortiGuard Labs. The
traffic analysis is performed by the IPS engine, which uses flow-based inspection.

How does FortiGate application control configuration work?

Configuring application control

Task 1: Create an application control profile, or modify a preconfigured one.

Task 2: Modify the action in the application categories or configure an application override.

Task 3: Add the application control profile to a firewall policy.

Task 4: Verify the configuration.

Task 5: Monitor the logs regarding application access.

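An added FortiOS CLI example (not from the original notes) that ties together the SSL inspection, antivirus, web filter, IPS and application control sections: a deep-inspection SSL profile and a blocking antivirus profile are created, then applied on one policy together with the built-in default web filter profile, IPS sensor and application control list. It assumes FortiOS 7.x syntax, the placeholder interfaces port3/port1 and address object LAN_subnet; `#` lines are annotations, not CLI.

```text
# SSL deep inspection: FortiGate re-signs server certificates with its own CA,
# so that CA (Fortinet_CA_SSL) must be installed on clients to avoid warnings
config firewall ssl-ssh-profile
    edit "deep-inspect-users"
        config https
            set ports 443
            set status deep-inspection
        end
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
    next
end

# Antivirus profile: block, rather than only monitor, files matching a signature
config antivirus profile
    edit "av-block"
        config http
            set av-scan block
        end
        config smtp
            set av-scan block
        end
    next
end

# Profiles only act once a policy references them with utm-status enabled;
# the built-in "default" profiles stand in for the notes' preconfigured ones
config firewall policy
    edit 20
        set name "LAN-to-Internet-inspected"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspect-users"
        set av-profile "av-block"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
```

Without the deep-inspection profile, the antivirus, web filter, IPS and application control profiles on this policy can only act on what is visible in the TLS handshake, which is the limitation the certificate-inspection section describes.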

LAB SIMULATION

TASK 1: Configure application control


Task 2: Monitor application control

Creating IPsec Virtual Private Networks

IPsec VPNs

IPsec is a suite of industry standard protocols that is used to create secure connections between
devices located on different, and often geographically distant, networks.

Types of VPNs

Remote access VPN

Site-to-site VPNs
Internet Key Exchange (IKE) Protocol

IKEv1 Protocol

For a successful Phase 1, the following parameters must match in at least one of the proposals on
each peer device:

Phase 2:

Both peer devices determine which traffic must be sent over the VPN, and how it will be
authenticated and encrypted. The following parameters must match in at least one of the
proposals on each peer device:

IKEv2 Protocol

Benefits of using IKEv2 over IKEv1

Encapsulating Security Payload (ESP)


VPN Configuration Best Practices
Demonstration
Local FortiGate
LAB SIMULATION

TASK 1: Configure FortiGate for a remote access IPsec VPN


Configuring FortiGate SSL VPN

Secure sockets layer virtual private network (SSL VPN) is a type of VPN that uses SSL encryption to
create a secure and encrypted connection between a client device and a device acting as a VPN
server.

Why use SSL VPN?

Benefits
How does SSL VPN work?

Web mode

Tunnel mode

Web mode

Tunnel Mode

How to configure SSL VPN?

Step 1: Create the users and groups that will be authorized to connect.

Step 2: Review, edit or create SSL VPN portals.

Step 3: Configure the SSL VPN settings.

Step 4: Create a firewall policy to allow VPN traffic.

SSL VPN Best Practices

Demonstration
Fortigate System Maintenance and Monitoring

The most common firewall maintenance tasks include:

Backing up FortiGate configurations

Following the recommended upgrade path

Monitoring system performance

Examining FortiGate licenses

LAB SIMULATION

Task 1: Backing up the configuration and performing a firmware upgrade

Upgrade firmware

Task 2: Examining traffic logs

Configuring the Fortinet Security Fabric

The Fortinet Security Fabric is an enterprise architecture that helps manage this complexity by
providing a single-pane-of-glass view of the organization’s security posture.

Benefits

What devices comprise the Fortinet security fabric?


Configure the Fortinet Security Fabric

Step 1: Configure one of the centralized logging platforms. Configure FortiAnalyzer, or one of the
supported cloud logging platforms, to accept logs from devices in the fabric.

Step 2: Configure the FortiGate that will act as the root.

Step 3: Join downstream devices to the Security Fabric.

Step 4: On the root FortiGate, authorize downstream devices.

Demonstration

Configure to send logs

LAB SIMULATION

Task 1: Examine current security fabric rating
