FortiGate Multi-Threat Security Systems I Administration, Content Inspection and SSL VPN Course 201
www.fortinet.com
FortiGate Multi-Threat Security Systems I Administration, Content Inspection and SSL VPN Student Guide v4.1 for FortiOS 4.0 MR2 Course 201 01-4200-0201-20100430
© Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams, or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Contents Introduction........ Introduction..................... ............................ ............................. ............................ ........................... ............... .. 1 Course Overview ........................ .................................... ........................ ......................... ......................... ........................ .................. ...... 3 Course Objectives ........................ .................................... ........................ ........................ ........................ ....................... ........... 3 Prerequisites ........................ .................................... ........................ ........................ ......................... ......................... .................. ...... 3 Who Should Attend ....................... ................................... ........................ ......................... ......................... ..................... ......... 3 Certification ........................ .................................... ......................... ......................... ........................ ........................ .................... ........ 4 Self-Paced Training Course ........................ .................................... ......................... ......................... ................... ....... 4 Course Evaluation (for Self-Paced Training Students) ........................ ........................... ... 4
Lesson 1 - Overview and System Setup ................................ ................................ 7 Unified Threat Management .......................... ...................................... ........................ ........................ ....................... ............. 7 The Fortinet Solution ......................... ..................................... ......................... ......................... ........................ ....................... ........... 8 FortiGate Appliance ....................... ................................... ......................... ........................ ....................... ..................... ......... 8 FortiGuard ....................... ................................... ........................ ........................ ........................ ........................ ...................... .......... 10 FortiManager................................ FortiManager................... ......................... ......................... ......................... ........................ .................... ........ 10 FortiAnalyzer ........................ .................................... ........................ ........................ ........................ ......................... ................. .... 11 FortiMail ........................ .................................... ........................ ........................ ....................... ....................... ......................... ............. 11 FortiClient................................. FortiClient..................... ........................ ......................... ........................ ....................... ......................... ............. 11 FortiWeb........................ FortiWeb..................................... ........................ ....................... ......................... ........................ ....................... ............ 12 FortiDB ....................... 
.................................. ....................... ......................... ........................ ....................... ........................ ................ .... 12 FortiScan................................. FortiScan..................... ....................... ....................... ........................ ........................ ........................ ............... ... 12 FortiSwitch ........................ ................................... ....................... ......................... ......................... ....................... .................... ......... 12 FortiCarrier ........................ ................................... ....................... ......................... ......................... ........................ .................... ........ 12 Firewall Basics................................ Basics............................................ ......................... ......................... ........................ ........................ ............ 13 Types of Firewalls ....................... ................................... ......................... ........................ ....................... ...................... .......... 15 Network Address Translation ....................... ................................... ......................... ......................... ................ .... 17 FortiGate Capabilities ........................ .................................... ......................... ........................ ........................ ...................... ......... 18 Firewall............ Firewall ........................ ........................ ....................... ....................... ......................... ........................ ....................... ............... ... Unified Threat Management.................. Management.............................. ....................... ....................... ........................ .............. 
WAN Optimization........... Optimization ....................... ......................... ......................... ........................ ........................ ..................... ......... Endpoint Control ........................ ................................... ........................ ......................... ....................... ....................... ............ Virtual Domains ........................ ..................................... ......................... ....................... ........................ ......................... ............ Traffic Shaping ......................... ..................................... ......................... ........................ ....................... ......................... ............. Secure VPN ....................... ................................... ........................ ......................... ........................ ........................ ................... ...... High Availability ....................... .................................... ........................ ........................ ......................... ........................ .............. Logging ....................... ................................... ........................ ........................ ........................ ....................... ....................... ............... ... User Authentication............ Authentication ........................ ....................... ....................... ........................ ....................... .................... .........
Course 201-v4.1 Administration, Content Inspection and SSL VPN 01-4200-0201-20100604
18 18 19 19 19 19 20 20 20 20
i
Contents
FortiGate Unit Components................. Components............................. ......................... ......................... ........................ .................... ........ 21 CPU ........................ .................................... ........................ ........................ ....................... ....................... ......................... .................... ....... 21 FortiASIC Content Processor.......................... Processor...................................... ........................ ........................ ............... ... 21 DRAM ......................... .................................... ....................... ........................ ........................ ........................ ........................ ................ .... 21 Flash Memory ....................... .................................... .......................... ......................... ......................... ......................... .............. .. 21 Hard Drive............ Drive ........................ ........................ ........................ ......................... ........................ ....................... ...................... .......... 21 Network Interface Ports ......................... ..................................... ......................... ......................... ....................... ........... 21 Serial Console Port ....................... ................................... ......................... ......................... ......................... .................... ....... 21 USB Port ........................ ................................... ........................ ......................... ........................ ........................ ........................ ............ 21 Wireless ....................... ................................... ........................ ........................ ........................ ........................ ....................... 
.............. ... 21 Module Slot Bays ....................... ................................... ........................ ........................ ......................... ........................ ........... 22 PC Card Slot ......................... ..................................... ........................ ........................ ......................... ......................... ................ .... 22 FortiGate Unit Front View ........................ .................................... ........................ ........................ ...................... .......... 23 FortiGate Unit Back View ......................... ...................................... ........................ ........................ ...................... ......... 24 FortiGate Operating Modes ....................... ................................... ........................ ......................... ........................ .............. ... 25 NAT/Route Mode ........................ ................................... ........................ ......................... ......................... ....................... .......... 25 Transparent Mode............................ Mode........................................ ........................ ......................... ........................ ................. ...... 26 Device Administration................. Administration............................ ........................ ......................... ......................... ........................ ................. ...... 27 Web Config ........................ ..................................... ......................... ......................... ........................ ........................ ................... ...... 27 Command Line Interface....................... Interface................................... ......................... ........................ ........................ ............. 37 Administrators ........................ 
.................................... ......................... ......................... ......................... ........................ .............. ... 48 DHCP ....................... .................................... ......................... ....................... ....................... ........................ ........................ .................. ...... 54 Interface Addressing ........................ .................................... ........................ ........................ ........................ .................. ...... 57 DNS ........................ .................................... ........................ ........................ ....................... ....................... ......................... .................... ....... 61 Configuration Backup and Restore R estore .......................... ...................................... ........................ .................. ...... 62 Firmware Upgrades ....................... .................................... ........................ ....................... ......................... .................... ....... 64 Disk Usage............................. Usage.......................................... ......................... ........................ ......................... ........................ .............. ... 65 Lab 1 - Initial Setup ........................ .................................... ........................ ........................ ........................ ......................... ...............66 ..66
Lesson 2 - Logging and Alerts Alerts .......................... ........................................ ................... ..... 81 Logging Levels ......................... ..................................... ......................... .......................... ........................ ........................ ................... ...... 81 Emergency............. Emergency ......................... ........................ ........................ ........................ ........................ ......................... .................... ....... 81 Alert............................ Alert........................................ ........................ ........................ ......................... ........................ ........................ ................ ... 81 Critical ......................... .................................... ....................... ........................ ......................... ........................ ....................... ................ .... 81 Error ........................ ................................... ....................... ......................... ........................ ....................... ........................ .................... ........ 81 Warning........................... Warning........................................ ......................... ........................ ........................ ........................ ...................... .......... 82 Notification ......................... ...................................... ......................... ........................ ........................ ......................... ................... ...... 82 Information ......................... ..................................... ........................ ........................ ........................ ......................... .................... ....... 82 Debug ....................... .................................... ......................... ........................ 
......................... ........................ ....................... ................ .... 82 Log Storage ....................... .................................... ........................ ........................ ......................... ......................... ......................... .............. 83 Local Logging............................ Logging........................................ ......................... ......................... ........................ ........................ ............ 83 Remote Logging............................ Logging........................................ ........................ ......................... ......................... .................... ........ 85 FortiGuard Analysis Service ........................ .................................... ....................... ........................ ................... ...... 86 FortiAnalyzer.................................. FortiAnalyzer...................... ......................... ......................... ........................ ........................ ................... ....... 87
ii
Course 201-v4.1 Administration, Content Inspection and SSL VPN 01-4200-0201-20100604
Contents
Log Types............ Types ......................... ........................ ....................... ......................... ........................ ........................ ......................... ............... ... 88 Event Log ....................... .................................... ......................... ....................... ....................... ........................ ....................... ........... Traffic Log ....................... ................................... ........................ ........................ ........................ ........................ ...................... .......... Attack Log ......................... .................................... ....................... ........................ ........................ ........................ ..................... ......... AntiVirus Log............ Log ........................ ......................... ........................ ....................... ......................... ......................... ................ .... Web Filter Log............. Log ......................... ....................... ....................... ......................... ........................ ....................... ............... ... Email Filter Log ........................ ..................................... ......................... ....................... ........................ ......................... ............ DLP Log ........................ .................................... ........................ ........................ ........................ ........................ ........................ ............ Application Control Log ........................ ..................................... ......................... ........................ ........................ ............ Network Scan Log........... Log ........................ ......................... ......................... ......................... ......................... 
.................... .......
88 88 88 88 88 88 89 89 89
Generating Logs ......................... .................................... ........................ ......................... ........................ ......................... ................. .... 90 Viewing Log Files......................... Files...................................... ......................... ......................... ........................ ........................ ............... .. 93 Log Display Formats ........................ .................................... ......................... ......................... ........................ ................ .... 94 Logging to a FortiAnalyzer Device..................... Devi ce................................. ......................... ......................... ................. ..... 97 FortiAnalyzer Device List ........................ ..................................... ........................ ....................... ...................... .......... 98 Viewing FortiAnalyzer Logs............................. Logs.......................................... ......................... ....................... ........... 100 Browsing Log Files............ Files ........................ ........................ .......................... ......................... ........................ ................. .... 103 Searching the Logs ........................ ..................................... ......................... ........................ ........................ ................ .... 104 Logging to Multiple FortiAnalyzer Units or Syslog Servers........................ Servers........................ 106 Content Archiving ....................... .................................. ........................ ......................... ........................ ......................... ............... .. 107 Viewing Content Archives ........................ .................................... ........................ ........................ ................... ....... 
109 Alert Email ........................ ..................................... ........................ ........................ ......................... ....................... ........................ ............. 110 SNMP ....................... .................................... ......................... ........................ ........................ ........................ ........................ .................... ........ 111 Configuring an Interface for SNMP Access.................................. Access......................................... ....... 114 Reporting ........................ .................................... ....................... ........................ ......................... ........................ ....................... ............... .... 115 Report Layout........................... Layout........................................ ......................... ........................ ........................ ...................... .......... 115 Lab 2 - Logging and Monitoring ........................ .................................... ......................... ......................... ................ .... 117
Lesson 3 - Firewall Policies ....................................... ................................................ ......... 125 Policy Matching...................... Matching................................... ......................... ......................... .......................... ......................... ................. ..... 126 Firewall Policy List............................. List.......................................... ......................... ........................ ......................... ............. 127
Course 201-v4.1 Administration, Content Inspection and SSL VPN 01-4200-0201-20100604
iii
Contents
Firewall Policy Elements........................ Elements.................................... ......................... ......................... ........................ ................ .... 131 Firewall Addresses.......................... Addresses....................................... .......................... ......................... ......................... ............... .. 133 Firewall Schedules............ Schedules ......................... ......................... ........................ ......................... ......................... ................. ..... 138 Firewall Services............ Services ........................ ........................ ......................... ......................... ......................... ..................... ........ 145 Firewall Actions............ Actions ........................ ........................ ......................... ........................ ........................ ........................ ........... 151 Logging Traffic ......................... .................................... ........................ ......................... ......................... ........................ ........... 155 Network Address Translation............ Translation ......................... ........................ ........................ ......................... .............. .. 156 Identity-Based Policies................................. Policies.............................................. ......................... ....................... ............... .... 164 Threat Management................ Management.............................. .......................... ....................... ....................... ........................ ............ 166 Traffic Shaping............. Shaping ......................... ........................ ......................... ........................ ....................... ........................ ............ 187 Virtual IPs............................. 
IPs........................................ ........................ ......................... ....................... ........................ ................. .... 197 Load Balancing ......................... ..................................... ......................... .......................... ......................... ..................... ......... 203 DoS Policy List............ List ....................... ........................ ......................... ........................ ........................ ........................ .............. 213 Sniffer Policy List ........................ ................................... ........................ ......................... ......................... ..................... ........ 214 Firewall Suggested Practices ........................ .................................... ........................ ........................ ..................... ......... 215 General ........................ .................................... ....................... ....................... ........................ ......................... ........................ ............. 215 Policies.............................. Policies........................................... ........................ ....................... ........................ ........................ ................... ....... 215 NAT ....................... ................................... ........................ ........................ ........................ ....................... ....................... .................... ........ 215 Lab 3 - Firewall Policies ........................ .................................... ......................... ......................... ........................ .................217 .....217
Lesson 4 - Authentica Authentication tion ........................... ......................................... ....................... ......... 233 Authentication Methods ........................ ..................................... ........................ ....................... ......................... .................. ..... 234 Local Users ........................ ..................................... ......................... ........................ ........................ ........................ ................. ..... 234 Remote Users ....................... .................................... ......................... ........................ ........................ ......................... ............... 234 Authenticated Operations ........................ ..................................... ........................ ........................ ......................... .............. .. 236 Firewall Authentication...................... Authentication.................................. ........................ ......................... ......................... .............. .. 236 SSL VPN Authentication ....................... .................................... ......................... ....................... ...................... ........... 239 IPSec Authentication............. Authentication.......................... .......................... ......................... ....................... ....................... .............. .. 240 Administrator Authentication ........................ ..................................... ......................... ....................... ............... .... 242 Users ....................... .................................. ....................... ......................... ......................... ....................... ....................... ........................ ............ 243 User Groups ......................... .................................... ....................... 
......................... ......................... ........................ ...................... .......... 245 Firewall User Group ........................ ..................................... .......................... ......................... ......................... ............... .. 246 Directory Service User Group ......................... ..................................... ......................... ........................ ............. 248 Identity-Based Policies ......................... ...................................... ........................ ....................... ......................... .................. ..... 250 Authentication Rules ....................... .................................... ......................... ........................ ........................ ................ .... 251 Monitoring Firewall Authentication............. Authentication.......................... ......................... ........................ ....................... ............. 253 Lab 4 - Authentication ........................ .................................... ......................... ........................ ........................ .....................254 ........254
iv
Course 201-v4.1 Administration, Content Inspection and SSL VPN 01-4200-0201-20100604
Contents
Lesson 5 - SSL VPN 261
  FortiGate VPN 261
  SSL VPN 261
  IPsec VPN 262
  SSL VPN 263
  Operating Modes 263
  Web-Only Mode 263
  Tunnel Mode 264
  User Groups 265
  Portals 267
  Web-Access Portal 267
  Tunnel-Access Portal 269
  Full-Access Portal 270
  Enabling SSL VPN 271
  SSL VPN Firewall Policies 273
  Web-Only Mode Firewall Policies 273
  Tunnel Mode Firewall Policies 276
  Connecting to the SSL VPN 278
  Web Portal Page 278
  Lab 5 - SSL VPN 279
Lesson 6 - FortiGuard Subscription Services 287
  FortiGuard Distribution Network 287
  Connecting to the FortiGuard Servers 289
  FortiGuard Antivirus Service 290
  FortiGuard Intrusion Prevention System Service 291
  FortiGuard Web Filtering Service 292
  FortiGuard Antispam Service 293
  FortiGuard Vulnerability Management Service 294
  FortiGuard Subscription Services Licensing 295
  Updating Antivirus and IPS Services 296
  Scheduled Updates 297
  Override Server 297
  Push Updates 297
  Manual Updates 299
  Web Filtering and Antispam Options 301
  Port Selection 301
  Caching 301
  Configuring FortiGuard Subscription Services Using the CLI 303
  FortiGuard Center 304
  Lab 6 - Fortinet Subscription Services 305
Lesson 7 - Threat Management 311
  Content Scanning Techniques 311
  Flow-Based Scanning 311
  File-Based Scanning 312
  Threat Management Architectural Components 313
  Proxies 313
  IPS Engine 314
  Scanunit Daemon 314
  URLFilter Daemon 315
  Update Daemon 315
Lesson 8 - Antivirus 319
  Virus Types 319
  Virus 319
  Trojan 319
  Worm 319
  Antivirus Elements 320
  File Size 320
  File Pattern 320
  Virus Scan 320
  File Type 320
  Grayware 321
  Heuristics 321
  File Filters 322
  File Filter Actions 322
  Defining File Filters 323
  Virus Databases 329
  Regular Virus Database 329
  Extended Virus Database 329
  Flow-Based Virus Scanning 330
  Updating the Antivirus Definitions 331
  Grayware 332
  Grayware Categories 332
  Heuristics 336
  Quarantine 337
  Quarantine Options 337
  Quarantined Files List 339
  Quarantine Virus Senders 340
  Antivirus Profiles 342
  Enabling Antivirus Profiles in Firewall Policies 344
  Antivirus Suggested Practices 345
  Lab 7 - Antivirus Scanning 346
Lesson 9 - Email Filtering 351
  Email Filtering Actions 352
  Tag 352
  Discard 352
  Email Filtering Methods 353
  IP Address Check 353
  URL Check 353
  Email Checksum Check 353
  Black/White List 353
  HELO DNS Lookup 353
  Return E-mail DNS Check 353
  Banned Word 354
  Multipurpose Internet Mail Extensions (MIME) Headers Check 354
  FortiGuard Email Filters 356
  Global Filters 356
  Customized Filters 357
  Banned Word 358
  Defining Banned Word Lists 358
  IP Address Filtering 365
  Defining IP Address Lists 365
  Email Address Filtering 369
  Defining Email Address Filters 369
  Multipurpose Internet Mail Extensions (MIME) Headers Check 373
  DNS Blackhole List and Open Relay Database List 374
  Email Filter Profiles 375
  Enabling Email Filter Profiles in Firewall Policies 379
  FortiMail Email Filtering 380
Lesson 10 - Web Filtering 383
  Web Filtering Elements 383
  URL Filter 384
  Defining URL Filter Lists 384
  FortiGuard Web Filter 388
  FortiGuard Web Filtering Categories 389
  FortiGuard Web Filtering Classes 391
  FortiGuard Web Filtering Overrides 392
  Web Filtering Overrides 394
  Administrative Overrides 394
  Override Rules 395
  Web Filtering Override Page 399
  Web Filtering Authentication Page 399
  User Overrides 400
  Local Ratings 401
  Local Categories 403
  Web Content Filter 405
  Defining Web Content Filters Lists 405
  Web Filter Profiles 408
  Advanced Filtering Settings 411
  Enabling Web Filter Profiles in Firewall Policies 413
  Lab 8 - Web Filtering 414
Lesson 11 - Data Leak Prevention 423
  Monitored Data Types 423
  Data Leak Prevention Rules 424
  Regular Rules 424
  Compound Rules 431
  Rule Processing 433
  Rule Priority 433
  Data Leak Prevention Sensors 434
  Data Leak Prevention Sensor Actions 437
  Enabling Data Leak Prevention in Firewall Policies 439
  Data Leak Prevention Logging 440
  Data Leak Prevention Suggested Practices 441
  Lab 9 - Data Leak Prevention 442
Lesson 12 - Application Control 449
  Application Types 450
  Application Control Lists 452
  Defining Application Control Lists 452
  Enabling Application Control in a Firewall Policy 455
  Application Control Logging 456
  Lab 10 - Application Control 457
Lesson 13 - Endpoint Control 461
  Endpoint Network Access Control 461
  Application Sensors 461
  Endpoint NAC Profiles 466
  Enabling Endpoint NAC in Firewall Policies 468
  Vulnerability Scanning 469
  Assets 469
  Monitoring Endpoints 473
Introduction
Course Overview
This course provides an introduction to the configuration and administration of FortiGate Unified Threat Management (UTM) appliances. Through a variety of hands-on labs, students will learn about the most common features of the FortiGate unit. Students will gain a solid understanding of how to integrate the FortiGate unit into an existing environment and the operational maintenance involved to ensure optimal performance and full protection of corporate assets.
Course Objectives
Upon completion of this course, students will be able to:
• Use Web Config and the CLI to complete the following administration and maintenance tasks for FortiGate devices:
  • Configure system and network settings.
  • Create administrative accounts.
  • Perform system backups.
  • Monitor system alerts.
  • Verify device performance and operational status.
  • Update FortiGuard Subscription Services.
  • Manage firmware to ensure availability and reliability.
• Implement logging and monitoring features of the FortiGate device using a FortiAnalyzer appliance for content archiving.
• Construct firewall policies with schedules, source and service type restrictions, and unauthorized traffic logging.
• Apply firewall policy options for authentication, virtual IP address, IP pool, and traffic shaping.
• Enable FortiGate threat management features in policies including antivirus, email filtering, web filtering, data leak prevention and application control.
• Understand the differences between operating a FortiGate unit in NAT/Route and Transparent modes.
Prerequisites
The following is required to attend this course:
• Introductory-level network security experience
• Basic understanding of core network security and firewall concepts
Who Should Attend
This introductory-level course is intended for anyone who is responsible for the day-to-day administration and management of a FortiGate unit.
Certification
This course helps to prepare students for the following certification exams:
• Fortinet Certified Network Security Associate (FCNSA)
• Fortinet Certified Network Security Professional (FCNSP)
Self-Paced Training Course
Course 201 - Administration, Content Inspection and SSL VPN is available as a 2-day instructor-led course (public class or private on-site session) or as a self-paced training course.
If this training is being taken as self-paced, the following are required to perform the hands-on exercises included in this Student Guide:
• A PC or laptop running Microsoft Windows 2000/XP/2003/Vista/7
  The PC or laptop used for the exercises in the Student Guide requires a serial port to connect the FortiGate unit to the computer. If the computer does not include a serial port, a USB to Serial adaptor can be purchased from a local computer supply store.
• A FortiGate unit
  This course is designed to be used with a Small Office/Home Office (SOHO) level FortiGate model (FortiGate 80 Series or lower). The FortiGate must be running FortiOS version 4.0 MR2 of the firmware.
• Internet connection
  An Internet connection is required.
• A FortiGuard Subscription Services license
  Each new FortiGate unit comes with a free 30-day license to access FortiGuard Subscription Services updates. Beyond the initial 30-day trial time limit, a license to access FortiGuard Subscription Services is required to complete some of the exercises in the course.
• Remote access to the FortiAnalyzer unit at the following address: http://209.87.230.134
Course Evaluation (for Self-Paced Training Students)
Once this training has been concluded, please complete the course survey. The comments provided will help to guide development of future versions of this course. To access the survey, type the following URL in a web browser: http://campus.training.fortinet.com
Click Student Survey in the Quick Links pane on the left hand side of the web page.
Lesson 1 - Overview and System Setup
Maintaining a secure network environment using existing network security technologies is a significant challenge for a number of reasons:
• Increasingly sophisticated and rapidly evolving cyber threats evade one or more standalone security technologies.
• The costs and complexities associated with managing an increasingly distributed network with no clear perimeter add strain to already taxed resources.
• The performance and processing power required to provide complete content level protection is difficult to achieve without purpose-built hardware.
Most standalone network security offerings generally consist of single-purpose security software deployed onto PC-based hardware platforms, and provide basic network security functions like firewall and VPN services. These standalone network security products, however, fail to provide the comprehensive security, network deployment flexibility and the performance necessary to combat complex network-level and content-level security threats.
Unified Threat Management
In order to solve the security problems for businesses and service providers, the Unified Threat Management (UTM) market has emerged. UTM devices incorporate firewall, intrusion prevention, antivirus and more in a single device. Many vendors have attempted to provide UTM capabilities by cobbling together existing firewall and VPN offerings with antivirus and intrusion detection and/or prevention technologies from other vendors. Others have simply relabeled their existing network security products, which offer limited threat management capabilities across different technology areas. In order to address the challenges faced by the modern organization, an effective UTM solution must deliver a network security platform comprised of robust and fully integrated security and networking functions. Protection must be provided against the next generation of threats and offer centralized management from a single console, all without impairing the performance of the network.
The Fortinet Solution
Fortinet is a leading worldwide provider of Unified Threat Management network security solutions. Fortinet supplies a comprehensive UTM solution comprised of the FortiGate network security platform, the FortiGuard security subscription services and an integrated suite of management, reporting and analysis products. Fortinet UTM solutions enable customers to cost-effectively defend against current and next generation network and application layer threats without slowing down their networks. Fortinet UTM solutions are built from the ground up offering truly integrated hardware, software and services for the best security and performance possible.
FortiGate Appliance
The FortiGate unit is a dedicated, easily managed security device that delivers a full suite of capabilities including:
• Application-level services such as virus protection, email filtering, web content filtering, data leak prevention, application control, as well as IM, P2P, and VoIP filtering
• Network-level services such as firewall, intrusion detection, IPSec and SSL VPN, and traffic shaping
• Management services such as user authentication, logging, reporting, administration profiles, secure administrative access, and SNMP
The FortiGate relies on the dedicated Fortinet Global Threat Research Team that researches and develops protection against known and unknown security threats. This dynamic protection forms the basis of the FortiGuard Subscription Services, which results in continuous updates for antivirus, intrusion prevention, web filtering and antispam services.
FortiGate Network Security Product Portfolio
From the FortiGate 30 series for small businesses and branch offices to the FortiGate 5000 series for large enterprises and service providers, all FortiGate appliances include a proprietary technology platform, which includes the proprietary FortiASIC processor specifically designed for accelerating certain security functions. Also part of the FortiGate technology platform is FortiOS, a proprietary operating system that provides the foundation for all security functions. FortiGate platforms incorporate sophisticated networking features, such as high availability for maximum network uptime and virtual domain capabilities to separate various networks requiring different security policies.
FortiGate Solutions for the Small Office/Home Office (SOHO) and Branch Office
The FortiGate 30B series, 50B series, 51B, 60B series and 80C series, along with the 100C and 111C devices, are all-in-one, network-based security solutions designed to protect smaller deployments from network level and content level threats.
FortiGate Solutions for Medium-Sized Enterprises
The FortiGate enterprise series, which includes the FortiGate 200A to the FortiGate 800 models, meets enterprise-class requirements for network level and content level threat protection, performance, availability and reliability. These models include all of the key security services provided by other FortiGate models, with integrated enterprise firewall, VPN, intrusion prevention, antivirus / antispyware, spam filtering, web filtering and traffic-shaping services. Units in the FortiGate enterprise series meet the requirements for mission critical enterprise applications.
FortiGate Solutions for Large-Sized Enterprises and Service Providers
The Fortinet network security solution for large enterprises and service providers includes the FortiGate 1000 series of devices to the FortiGate 5000 series. These high performance units are designed to meet the most stringent requirements for performance and reliability, including redundant, hot-swappable power supplies and fans to minimize single-point failures, and also support active/active redundant fail-over for uninterrupted service. The high capacity, reliability and easy management of FortiGate units make them natural choices as the cornerstone of a service provider's managed service offerings.
FortiGuard
FortiGuard Subscription Services extend the value of the initial investment in Fortinet by providing customers with dynamic updates to antivirus, intrusion prevention, web filtering and email filtering functionality. FortiGuard Subscription Services are continuously updated by the 24x7x365 Global Threat Research Team possessing in-depth expertise in content and network level attacks. The FortiGuard network has data centers around the world located in secure, high-availability locations that automatically deliver updates to the Fortinet security platforms. With the FortiGuard Subscription Services enabled, customers can rest assured that their Fortinet security platforms are performing optimally and protecting their corporate assets with the latest security technology.
FortiManager
To complement the FortiGate product line, Fortinet also offers FortiManager appliances which enable customers to manage all Fortinet products from a centralized console. FortiManager minimizes the administrative effort required to deploy, configure, and maintain the full range of network protection services provided by Fortinet products.
FortiAnalyzer
For centralized analysis and reporting, Fortinet offers FortiAnalyzer appliances for forensics, archiving and graphical reporting functions. The FortiAnalyzer unit is a dedicated hardware solution that securely aggregates and analyzes log data from FortiGate security appliances. It provides network administrators with a comprehensive view of network usage and security information, supporting the needs of enterprises and service providers responsible for discovering and addressing vulnerabilities across dispersed FortiGate systems. FortiAnalyzer appliances minimize the effort required to monitor and maintain acceptable use policies, to identify attack patterns and prosecute attackers, and to comply with governmental regulations regarding privacy and disclosure of security breaches. They accept and process a full range of log records provided by FortiGate systems, including traffic, event, virus, attack, content filtering, and email filtering data. FortiAnalyzer devices also provide advanced security management functions such as quarantine archiving, event correlation, vulnerability assessments, traffic analysis, and content archiving.
FortiMail
With the worldwide volume of spam now increasing significantly every day, corporate email servers and users alike are becoming increasingly overwhelmed. Spam email results in wasted corporate resources and decreased employee productivity. In addition, increasingly sophisticated content level threats now commonly use email applications as a mode of attack. This can be illustrated by the dramatic rise in phishing attacks, signaling a change in strategy for spammers looking to profit from unsuspecting users. Fortinet FortiMail is a family of high-performance, multi-layered email security platforms that remove unwanted spam, provide maximum protection for blended email-related threats and facilitate regulatory compliance. For complete email security that includes content archiving and the highest levels of antispam and antivirus capabilities, Fortinet offers FortiMail specialized email security appliances. The FortiMail device can provide full messaging server functionality when configured in Server Mode.
FortiClient
For endpoint security, Fortinet provides FortiClient software, a product that provides unified endpoint security for desktops, laptops and mobile devices. PC desktop and laptop devices have allowed users to access enterprise applications and mission critical data both in the office and on the road. Unfortunately, these devices are exposed to blended threats such as viruses, spam, spyware and worms. As well, users accessing inappropriate and dangerous web content jeopardize device integrity, negatively impact productivity and violate corporate content access guidelines. While security technologies, such as antivirus agents, are available to protect devices from certain threats, such methods fall short of comprehensively protecting against blended threats and do not enforce content access guidelines. FortiClient provides unified security agent features for personal computers including personal firewall, IPSec VPN, antivirus, antispam and web content filtering. FortiClient's protection agent is powered by FortiGuard Subscription Services to ensure devices are comprehensively protected against today's blended threats.
FortiWeb
FortiWeb devices protect, balance, and accelerate Web applications, databases, and the information exchanged between them. FortiWeb devices protect web-based applications, improve the security of confidential information and aid in legislative and PCI compliance. FortiWeb goes beyond traditional web application firewalls to provide XML security enforcement, application acceleration, and server load balancing.
FortiDB
FortiDB devices provide a comprehensive solution to secure databases and applications such as ERP, CRM, SCM and custom applications, addressing vulnerability management, Database Activity Monitoring (DAM), data loss prevention, auditing and compliance as well as change control.
FortiScan
FortiScan devices integrate endpoint vulnerability management, industry and federal compliance, patch management, remediation, auditing and reporting into a single, unified appliance. A FortiScan device can be used to identify security vulnerabilities and find compliance exposures on hosts, servers and throughout the network.
FortiSwitch
FortiSwitch devices meet the growing needs of high-speed interconnected applications driven by server virtualization, data center consolidation, and parallel and cloud computing applications. With FortiSwitch hardware at the core, network operators can build wire speed, resilient, scalable, ultra-low latency fabrics with the simplicity and robustness of standard Ethernet. Multi-path traffic switching and Dynamic Congestion Avoidance features on the device switch data flows to the lowest latency path, avoiding congestion while maintaining full Ethernet compliance.
FortiCarrier
FortiCarrier devices extend the integrated security concept to protect critical applications across a service provider's IP network. Features such as a GTP firewall, secure MMS with scanning of all interfaces, and a SIP/IMS signaling firewall assure service providers of the security, privacy, and quality of service that are critical to their businesses.
Firewall Basics
A firewall is a hardware-based network device or software running on a computer that actively inspects and controls the flow of traffic between computer networks of different trust levels. Examples include the Internet, which is an untrusted zone, and an internal network, which is a zone with a higher level of trust.
[Figure: a firewall positioned between the Internet (untrusted network) and the trusted corporate network]
The area situated between the Internet and a trusted internal network is often referred to as a demilitarized zone (DMZ) or perimeter network. Normally, this is where firewalls are positioned, but some larger organizations may also place firewalls between different parts of their own network that require different levels of security. Firewalls control the flow of traffic between two or more networks, allowing good information through but blocking intrusions, unauthorized users, or malicious traffic from accessing a network. As network traffic passes through the firewall, the firewall either allows or denies passage based on a set of rules configured on the device. The rules may be defined by the firewall administrator or the default rules may apply. For example, a firewall might permit all traffic of a specified type (such as HTTP) and deny all other services or requests. Or, it might be configured to deny all traffic types except incoming (also referred to as ingress) traffic from a specified network address or address range. Firewalls can enforce an organization’s security policies by filtering outgoing (also referred to as egress) traffic to ensure that it complies with usage policies. Incoming traffic is similarly inspected and matched against the firewall’s policies to allow or deny access, to apply advanced filtering options and other security settings configured in the policy. In basic terms, a firewall’s main function is to keep information from leaking out (for example, confidential business information) and leaking in (for example, viruses, spyware, or spam). Depending on the sophistication of the firewall, it can provide rudimentary or advanced protection.
Entry-level software firewalls for personal computers are widely available or even built into the operating system to protect an individual computer when it accesses an external network. Firewalls designed for businesses can be more extensively customized in various ways. They can perform more involved operations, such as filtering spam and spyware, preventing intrusions into the network and allowing administrators to monitor traffic. High-end enterprise products can also create virtual private networks, allow management for multiple firewalls, support sophisticated authentication or access management systems, and allow for load balancing and failover. Some common firewall features include:
• Blocking unwanted incoming traffic based on source or destination IP addresses
• Blocking outgoing network traffic based on source or destination IP addresses. This can be an advantage for organizations who, for example, may want to prevent employees from accessing inappropriate web sites from workplace computers.
• Blocking network traffic based on content. For example, the firewall can screen network traffic for unacceptable content such as files that contain viruses or unacceptable spam email.
• Allowing connections to an internal network. For example, telecommuters and traveling salespeople can use a VPN to connect to the corporate network.
• Reporting on network traffic and firewall activities. Administrators might use this reporting information to know what the firewall is doing, who tried to break into the network, who tried to access inappropriate material on the Internet and so forth.
• Performing authentication to verify the identity of the users or processes. By authenticating users, the firewall has additional information it can work with to filter packets. Identifying the user can permit the firewall to allow the user to access some services but not others.
Types of Firewalls
Firewalls fall into different categories including:
• Packet filter firewall
• Stateful firewall
• Application layer (or proxy-based) firewall
Packet Filter Firewall
Data that is transmitted across a TCP/IP network is broken down into small chunks called packets. Packet filter firewalls act by inspecting incoming and outgoing packets. If a packet matches the packet filter’s set of rules, the desired action is taken. For example, the packet filter may allow the packet, drop (silently discard) the packet or reject it (with an error response). The packets are filtered based only on information contained in the packet headers, for example, the source and destination IP address, port number and protocol. No connection state information is maintained with this type of packet filtering.
Stateful Firewall
A stateful firewall is a form of packet filtering that does more than just examine the headers of a packet to determine source and destination information. It also looks at the contents of the packet to determine the state of each connection that is created and holds attributes of each connection in a state table in memory, from the start to the end of the connection. These attributes may include details such as the IP addresses and ports involved in the connection and the sequence numbers of the packets passing through the connection. When a packet is received by the firewall, it will compare the information reported in the packet header with the state of its associated session stored in memory in the state table. If the information matches what is in memory, the packet is allowed to pass the firewall. If the two do not match, the packet is dropped. When stateful filtering is used, packets are only forwarded if they belong to a connection that has already been established and tracked in a state table. Since more intensive checking is performed at the time of setup of the connection, all packets for that session that are delivered after the initial setup are processed quickly since they belong to an existing pre-screened session. Once the session has ended, its entry in the state table is discarded and the ports closed off until a connection to the specific port is requested. This allows an added layer of protection from the threat of port scanning. Stateful firewalls provide added efficiency in terms of packet inspection since they only need to check the state table, instead of checking the packet against the firewall's established rule set each time a packet is received.
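The packet filter and stateful inspection behaviour described in the two sections above, as an added Python example that is not part of the course material: the rule set is consulted only when a connection is set up, a state table passes later packets of a screened session, and a packet matching no rule and no session is dropped. The addresses, ports and rules are constructed for illustration.

```python
"""Toy stateful packet filter (added example; constructed, not FortiGate code).

A new connection is screened against the rule set once. A packet that belongs
to a tracked session is passed on a state-table lookup alone, and a packet that
matches neither a session nor an allow rule is dropped, which is what keeps
ports closed to probes once a session has ended.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                      # "tcp" or "udp"
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"ACK"}, {"FIN"}


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow", "drop" (silent) or "reject" (error back)
    src_prefix: str                 # constructed prefix match; "*" means any source
    dst_port: Optional[int]         # None matches any destination port
    proto: Optional[str]            # None matches any protocol


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header-only match: a packet filter never looks past the headers."""
    if rule.src_prefix != "*" and not pkt.src_ip.startswith(rule.src_prefix):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return True


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)   # first match wins; implicit drop at the end
        self.state = {}            # initiator's 5-tuple -> "established"

    @staticmethod
    def _key(pkt: Packet):
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    @staticmethod
    def _reply_key(pkt: Packet):
        # a reply carries the initiator's tuple with both ends swapped
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)

    def filter_packet(self, pkt: Packet) -> str:
        """Return "allow", "drop" or "reject" for one packet."""
        for key in (self._key(pkt), self._reply_key(pkt)):
            if key in self.state:
                # fast path: pre-screened session, no rule evaluation needed
                if pkt.flags & {"FIN", "RST"}:
                    del self.state[key]   # session over: entry discarded
                return "allow"
        # slow path: only a connection opener may create a state entry
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "drop"   # stray ACK/FIN with no session behind it
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "allow":
                    self.state[self._key(pkt)] = "established"
                return rule.action
        return "drop"     # nothing matched: default deny


def demo() -> list:
    """Walk one HTTP session plus two refused packets; returns the decisions."""
    fw = StatefulFirewall([
        Rule("allow", "10.0.0.", 80, "tcp"),   # internal hosts may browse
        Rule("reject", "*", 23, "tcp"),        # telnet attempts get an error back
    ])
    client, server = ("10.0.0.5", 40001), ("203.0.113.10", 80)
    syn = Packet(*client, *server, "tcp", frozenset({"SYN"}))
    syn_ack = Packet(*server, *client, "tcp", frozenset({"SYN", "ACK"}))
    data = Packet(*client, *server, "tcp", frozenset({"ACK"}))
    fin = Packet(*client, *server, "tcp", frozenset({"FIN", "ACK"}))
    late = Packet(*server, *client, "tcp", frozenset({"ACK"}))     # after FIN
    probe = Packet("198.51.100.7", 5555, "10.0.0.5", 445, "tcp", frozenset({"ACK"}))
    telnet = Packet("10.0.0.5", 40002, "203.0.113.10", 23, "tcp", frozenset({"SYN"}))
    return [fw.filter_packet(p) for p in (syn, syn_ack, data, probe, telnet, fin, late)]
```

The returned list shows the session's own packets passing on the state table, the unsolicited ACK to port 445 being dropped without any rule lookup, and the server's late ACK being dropped once the FIN has removed the entry.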
Application Layer (or Proxy-Based) Firewall
Some firewalls can serve proxy server functions, modifying traffic as it passes through the gateway. A proxy stands between the protected and unprotected network; all external connections leading into the proxy terminate at the proxy. This effectively eliminates IP routing between the networks. The proxy repackages the messages into new packets that are allowed into the internal network. The proxy also terminates internal traffic that is headed out to the Internet and repackages it in a new packet with the source IP address of the proxy, not the internal host. In the case of a proxy firewall, traffic never flows directly between the networks. Instead, the proxy repackages requests and responses. No internal host is directly accessible from the external network and no external host is directly accessible by an internal host. With a proxy firewall, the firewall is the endpoint of the incoming and outgoing connection. Proxy-based firewalls work at the application layer of the TCP/IP protocol stack, inspecting the contents of the traffic and blocking inappropriate content, such as certain web sites, viruses, attempts to exploit client software vulnerabilities, and so forth, as dictated by its rule set.
Network Address Translation
Network Address Translation (NAT) is a method of mapping one or more private, reserved IP addresses to one or more public IP addresses. Typically, the NAT device has a public IP address that can be seen by external hosts. Computers on the local network use a completely different set of IP addresses. When traffic goes out, the internal IP address is removed and replaced with the public IP address of the NAT device. When replies come back to the NAT device, it determines which internal computer the response belongs to and routes it to its proper destination.
Using NAT allows a network to maintain public IP addresses separately from private IP addresses and allows a single device to act as an agent between a public network and a private network. Using NAT conserves IP addresses since a single unique IP address can be used to represent an entire group of computers, using a specific block of IP addresses that are never recognized or routed on the Internet. As a result, organizations can use their own internal IP addressing schemes, with a single IP address provided by their Service Provider. NAT provides additional security on the network by effectively hiding the entire internal network from the outside world by using only one address for the entire network.
Dynamic NAT
Dynamic NAT is one form of NAT in which a private IP address is mapped to a public IP address drawn from a pool of registered public IP addresses. Typically, the NAT device will maintain a table of registered IP addresses. When a private IP address requests access to the Internet, the device will choose an IP address from the table that is not being used at the time by another private IP address. Dynamic NAT helps to secure a network as it masks the internal configuration of a private network and makes it difficult for someone outside the network to monitor individual usage patterns. Another advantage of dynamic NAT is that it allows a private network to use private IP addresses that are invalid on the Internet but useful as internal addresses. This method of mapping an unregistered IP address to a registered IP address on a one-to-one basis is particularly useful when a device needs to be accessible from outside the network.
Static NAT
Static NAT is a type of NAT in which a private IP address is mapped to a public, static IP address, where the public address is always the same IP address. This allows an internal host, such as a web server, to have an unregistered (private) IP address and still be reachable over the Internet.
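The dynamic and static NAT behaviour described above, as an added Python example that is not part of the course material: a NAT device that hands outbound hosts a free address from a registered pool, keeps a permanent one-to-one entry for an internal server, routes replies back by the public address, and drops inbound packets for which no mapping exists. All addresses are constructed (private space inside, documentation ranges outside).

```python
"""Toy NAT device (added example; constructed, not FortiGate code).

Static NAT is a permanent one-to-one mapping, so an internal server stays
reachable at a single public address. Dynamic NAT hands an outbound host a free
address from a pool of registered public addresses, records the mapping so that
replies can be routed back, and returns the address to the pool when the
session ends. Inbound packets to an unmapped public address are dropped, which
is how the internal addressing scheme stays hidden.
"""
from typing import Dict, List, Optional


class NatDevice:
    def __init__(self, public_pool: List[str], static_map: Dict[str, str]):
        self.free = list(public_pool)        # registered addresses not in use
        self.static = dict(static_map)       # private -> public, permanent
        self.dynamic: Dict[str, str] = {}    # private -> public, live sessions
        # public -> private, used to route replies; static entries preinstalled
        self.reverse: Dict[str, str] = {pub: priv for priv, pub in self.static.items()}

    def translate_outbound(self, src_private: str) -> Optional[str]:
        """Rewrite the source of an outgoing packet.

        Returns the public address the outside world will see, or None when
        the dynamic pool is exhausted (one-to-one dynamic NAT has no spare).
        """
        if src_private in self.static:
            return self.static[src_private]
        if src_private in self.dynamic:
            return self.dynamic[src_private]
        if not self.free:
            return None
        pub = self.free.pop(0)
        self.dynamic[src_private] = pub
        self.reverse[pub] = src_private
        return pub

    def translate_inbound(self, dst_public: str) -> Optional[str]:
        """Route a packet arriving on the public side to its internal host.

        Returns the private address, or None when nothing maps to dst_public,
        in which case the packet is dropped rather than forwarded.
        """
        return self.reverse.get(dst_public)

    def end_session(self, src_private: str) -> bool:
        """Release a dynamic binding; static bindings are never released."""
        pub = self.dynamic.pop(src_private, None)
        if pub is None:
            return False
        del self.reverse[pub]
        self.free.append(pub)
        return True


def demo() -> dict:
    """Two-address dynamic pool plus one static entry for a web server."""
    nat = NatDevice(
        public_pool=["203.0.113.10", "203.0.113.11"],
        static_map={"192.168.1.80": "203.0.113.80"},    # internal web server
    )
    out = {}
    out["pc1"] = nat.translate_outbound("192.168.1.3")          # first pool address
    out["pc2"] = nat.translate_outbound("192.168.1.4")          # second pool address
    out["pc3"] = nat.translate_outbound("192.168.1.5")          # pool exhausted
    out["reply_pc1"] = nat.translate_inbound("203.0.113.10")    # back to pc1
    out["web"] = nat.translate_inbound("203.0.113.80")          # static: always the server
    out["unsolicited"] = nat.translate_inbound("203.0.113.12")  # no mapping: dropped
    nat.end_session("192.168.1.3")                              # pc1 finishes
    out["pc3_retry"] = nat.translate_outbound("192.168.1.5")    # reuses freed address
    out["reused"] = nat.translate_inbound("203.0.113.10")       # now routes to pc3
    return out
```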
FortiGate Capabilities
FortiGate devices include a comprehensive array of security and networking capabilities.
Firewall
A FortiGate unit uses firewall policies to dictate whether traffic will be allowed or denied access to the network. Traffic will not be able to pass through the FortiGate unit unless it matches the policy rules exactly. The FortiGate unit uses UTM profiles to dictate which type of content inspection will be performed on traffic passing through the firewall.
Unified Threat Management
Antivirus
The FortiGate unit uses a combination of techniques to provide real-time protection against virus attacks, worms and spyware. These techniques include signature blocking, file recognition, heuristics, IP address checks, URL checks, and more.
Email Filtering
The FortiGate unit delivers reliable and high performance features to detect, tag, quarantine, and block spam messages and their malicious attachments, including IP address checks, checksum checks, banned word check, black/white list, DNSBL, ORDBL, and more.
Web Filtering
The FortiGate unit, in conjunction with the FortiGuard Web Filtering Service, offers a solution to control access to inappropriate web sites that may expose businesses to potentially liable material, jeopardize network security and consume valuable bandwidth. The FortiGuard Web Filtering database is a URL database with over 60 million rated web sites and 76 web content categories.
Intrusion Prevention
The FortiGate unit can record suspicious traffic in logs, can send alert email to system administrators, and can log, pass, drop, reset, or clear suspicious packets or sessions. An organization can create custom signatures to customize the Intrusion Prevention System on the FortiGate unit for diverse network environments. The FortiGate Intrusion Prevention System matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect the network from known attacks. The FortiGuard infrastructure ensures the rapid identification of new threats and the development of new attack signatures.
Application Control
Application Control detects network traffic based on the applications generating the traffic, for instance, Instant Messaging (IM), Peer-to-Peer (P2P), and VoIP. Based on FortiGate Intrusion Prevention protocol decoders, application control is a more user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit.
Data Leak Prevention
Data Leak Prevention (DLP) protects sensitive information from being transmitted over web, email, or file transfer protocols. Rules and compound rules are defined to detect possible data leaks and specify the action to take in response. Rules and compound rules are combined into DLP Sensors which can be enabled in firewall protection profiles. Actions in response to detected data leakage include:
• Log leakage
• Block sending of the data
• Content archiving
• Ban user from using this protocol
• Add user to the banned user list
WAN Optimization
The FortiGate WAN optimization can be used to improve performance and security across a WAN by applying a number of related techniques, including protocol and application-based data compression and optimization, data deduplication (a technique that reduces how often the same data is transmitted across the WAN), web caching, secure tunneling, and SSL acceleration.
Endpoint Control
Endpoint control can be used to block or monitor applications on the client computer, including enforcement of the use of FortiClient End Point Security software. Clients can be monitored to ensure they have both the most recent version of the FortiClient software and the most up-to-date antivirus signatures. A database of endpoint applications to allow, block or monitor is available on the FortiGate device. Endpoint client computers can also be scanned to help determine if the computers are vulnerable to attacks.
Virtual Domains
Virtual Domains (VDOMs) enable a FortiGate unit to function as multiple independent units. A single FortiGate unit can then be flexible enough to serve multiple departments of an organization, separate organizations or be the basis for a service provider’s managed security service. VDOMs provide separate security domains that allow separate zones, user authentication, firewall policies, routing, and VPN configurations. Using VDOMs can also simplify administration of complex configurations because administrators do not have to manage as many routes or firewall policies at one time.
Traffic Shaping
Traffic shaping controls the bandwidth available and the priority of traffic processed by a firewall policy. Traffic shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for an employee's computer.
Secure VPN
The built-in SSL and IPSec VPN capabilities of the FortiGate unit can ensure the confidentiality and integrity of data transmitted over the Internet. The FortiGate unit provides enhanced authentication in addition to encrypting and securing information sent from a web browser to a web server. Customized SSL VPN web portal configurations can be created which have a different look and feel, as well as different types of web portal functionality.
High Availability
FortiGate High Availability (HA) provides a solution for two key requirements of critical enterprise networking components: enhanced reliability and increased performance. FortiGate HA is implemented by configuring two or more FortiGate units to operate as an HA cluster. To the network, the HA cluster appears to function as a single FortiGate unit, processing network traffic and providing normal security services such as firewall, VPN, IPS, virus scanning, web filtering, and spam filtering services.
Logging
A FortiGate unit provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.
User Authentication
A FortiGate unit can control access to network resources by defining lists of authorized users. User authentication can be performed locally on the FortiGate unit, or through the use of external authentication servers and digital certificates. Supported external server types for authentication include: RADIUS, LDAP, Directory Services, and TACACS+.
FortiGate Unit Components
A FortiGate unit, depending on the model, may include some of the following components:
CPU
Depending on the model of FortiGate device, a 300 MHz to 1.8 GHz Intel processor is included. Some higher-end models may include dual processors.
FortiASIC Content Processor
This custom-designed processor augments the capabilities of the unit by offloading some of the intensive processing activities, such as antivirus scanning, from the CPU. The FortiASIC processor includes an engine for antivirus signature scanning, accelerating cryptographic operations, processing firewall policies and accelerating packet traffic for applications such as VoIP and HTTPS.
DRAM
The FortiGate unit can include from 64MB to 1GB of DRAM.
Flash Memory
The FortiGate unit can include from 32MB to 64MB of flash memory to store firmware images on the device.
Hard Drive
Some FortiGate devices include a hard drive that can be used for storing logs, archiving content and quarantines as well as enabling the WAN optimization mechanisms on certain FortiGate models.
Network Interface Ports
The FortiGate unit includes a collection of interface connections to connect the device to various networks, such as an internal network, a DMZ network or a WAN network. Some high-end enterprise models may include Small Form-factor Pluggable (SFP) and XFP (a 10Gbps version of SFP) network interfaces.
Serial Console Port
The FortiGate unit includes a serial console port to allow access from a management computer.
USB Port
A USB port is included on the FortiGate device for use with any FAT16 formatted USB drive or an external modem.
Wireless
Some FortiGate devices, such as the FortiWifi 30, 50, 60 and 80C, are WiFi-enabled and will enable wireless connections between host computers and the FortiGate unit.
Module Slot Bays
Some high-end models of FortiGate device include slot bays for Advanced Mezzanine Cards (AMC), where the FortiGate is a blade card that is installed within a chassis.
PC Card Slot
Some models of FortiGate devices integrate a PC card slot (also called PCMCIA) for additional expansion using a Type II PC card.
FortiGate Unit Front View
Each model of FortiGate unit may look different. The example device illustrated below is the FortiGate 51B, which is commonly used in classroom configurations. Similar indicators will be available on most FortiGate units.
[Figure: FortiGate 51B front panel indicators]
Power LED: This indicator will display green when the FortiGate unit is powered on.
Status LED: This indicator will flash green when the FortiGate unit is starting up and will be off when the FortiGate unit is running normally, or when the device is shut off. The indicator will be red when the modem is in use and connected.
Alarm: The Alarm indicator will display red when a major error has occurred and will display amber when a minor error has occurred.
WAN1 and WAN2 interface LEDs: There are indicators for each of the wan interfaces on the FortiGate unit. The indicator will display green when the correct cable is in use, and the connected equipment has power. This indicator will flash green when there is network activity on the interface and will be off when there is no link established on the interface.
Internal interface LEDs: There are indicators for each internal interface on the FortiGate unit. The indicator will display green when the correct cable is in use, and the connected equipment has power. This indicator will flash green when there is network activity on the interface and will be off when there is no link established on the interface.
FortiGate Unit Back View
Each model of FortiGate unit may look different. The example device illustrated below is the FortiGate 51B, which is commonly used in classroom configurations. Similar interface connections will be available on most FortiGate units.
[Figure: FortiGate 51B rear panel connections]
Power: Plug the power adaptor connection here.
Console: This RJ-45 interface connects the FortiGate unit to the management computer using the supplied DB-9 serial cable.
USB: These optional USB connections can be used for a serial modem (serial to USB adapter required), or for USB drives.
Internal: Ethernet cables connect the FortiGate unit to computers on an internal network. Internal interfaces are MDI/MDIX auto-sensing, therefore both straight-through and cross-over cables will work.
WAN1 and WAN2: A straight-through Ethernet cable connects the wan1 interface to the Internet (public switch, router or modem). The wan2 connection offers an optional redundant connection to the Internet.
FortiGate Operating Modes
A FortiGate unit can operate in two different modes depending on the configuration of the network and the needs of the organization.
NAT/Route Mode
NAT/Route Mode is the default configuration on the FortiGate unit. In NAT/Route Mode, each FortiGate unit is visible to the network that it is connected to. All of its interfaces are on different subnets. Each interface that is connected to a network must be configured with a private IP address that is valid for that network.
[Diagram: NAT/Route Mode example. Labels shown: Internal 192.168.1.99; 192.168.1.3; WAN1 204.23.1.5; Router; Internet; DMZ 10.10.10.1 and 10.10.10.2. Routing policies control traffic between internal networks. NAT mode policies control traffic between internal and external networks.]
An organization would typically use NAT/Route Mode when the FortiGate unit is deployed as a gateway between private and public networks. In its default NAT/Route Mode configuration, the unit functions as a firewall. Firewall policies control communications through the FortiGate unit. No traffic can pass through the FortiGate unit until firewall policies are put in place to allow network traffic to pass. In NAT/Route Mode, firewall policies can operate in NAT Mode or in Route Mode. In NAT Mode, the FortiGate unit performs network address translation before IP packets are sent to the destination network. In Route Mode, no translation takes place.
Transparent Mode
In Transparent Mode, the FortiGate unit is invisible to the network. All of its interfaces are on the same subnet. Configure a management IP address so that configuration changes can be made. This type of configuration is used when an organization wishes to make use of the features of the FortiGate without altering the IP infrastructure of the network.
[Diagram: Transparent Mode example. Labels shown: Gateway to public network; WAN1 to Internet; 204.23.1.5; Router; 10.10.10.2; Internal; hub or switch; 10.10.10.3.]
Transparent Mode on the FortiGate unit would typically be used on a private network behind an existing firewall or behind a router. In its default Transparent Mode configuration, the unit functions as a firewall. No traffic can pass through the FortiGate unit until firewall policies are added. Connect network segments to the FortiGate unit to allow the device to control traffic between these network segments.
Device Administration
Administration tasks on the FortiGate unit can be performed from either a graphical user interface (Web Config) or a command line interface (CLI).
Web Config
Web Config can be used to configure most FortiGate settings and to monitor the status of the FortiGate unit using HTTP or a secure HTTPS connection from any computer running a web browser. Web Config consists of a menu and web pages. When a menu item is selected, such as System, it expands to reveal a submenu. When one of the submenu items is selected, the associated page is displayed.
Configuration changes made using Web Config are effective immediately without resetting the firewall or interrupting service. Once satisfied with a configuration, it can be backed up. The saved configuration can be restored at any time. To connect to the Web Config interface, the following are required:
• A computer with an Ethernet connection
• A display monitor with a resolution of at least 1280x1024
• A supported web browser such as Microsoft Internet Explorer (version 8 or higher) or Firefox (version 3.5 or higher)
• Ethernet cables (since internal interfaces are MDI/MDIX auto-sensing, straight-through or crossover cables will work)
System Dashboard
The system dashboard, displayed under System > Dashboard > Status, uses widgets to display important information about the FortiGate device. A default dashboard displays core widgets. Elements can be moved around on the Status page; click Widget to remove, replace or add items to the dashboard.
Web Config Menu
The left-hand navigation menu displayed in Web Config provides access to configuration options for all major features of the FortiGate unit.
System
Configure system facilities, such as network interfaces, virtual domains, DHCP services, High Availability (HA), system time and set system options.
Router
Configure FortiGate static and dynamic routing.
Firewall
Configure firewall policies and protection profiles that apply network protection features. Also configure virtual IP addresses and IP pools.
UTM
Configure antivirus, IPS, web filtering, email filtering, data leak prevention and application control.
VPN
Configure IPSec, SSL, and PPTP virtual private networking.
User
Configure user accounts for use with firewall poli cies that require user authentication. Also configure external authentication servers such as RADIUS, LDAP, and Windows AD.
WAN Opt. & Cache
Configure WAN Optimization rules and caching. This menu item is only available on devices containing an internal hard drive that supports WAN Optimization.
Endpoint
Monitor list of known endpoints. Configure FortiClient settings for endpoints. Configure software application detection on endpoints.
Log&Report
Configure logging and alert email. View log messages and reports.
Default System Dashboard Widgets
System Information
The System Information widget on the Status tab displays information regarding the FortiGate unit, including firmware versions and operating mode.
License Information
The License Information widget displays the current status of service contracts, versions of antivirus and IPS definitions, available services and more.
CLI Console
The Status tab displays a CLI Console where commands can be entered without leaving Web Config.
System Resources
The System Resource widget displays the current CPU and memory usage.
Unit Operation
The Unit Operation widget displays which interfaces are currently in use, along with links to reboot, restart, and reset the FortiGate device.
Alert Message Console
The Alert Message Console displays important system warnings.
Log and Archive Statistics
The Log and Archive Statistics widget displays summary logging and archive information.
Top Sessions
Top Sessions displays the IP addresses that have the most sessions open on the FortiGate unit.
Add Widgets
Click Widget to display the additional dashboard elements.
Add Dashboards
Click Dashboard to add additional dashboard pages or to rename, delete or reset existing dashboard pages. Once a new dashboard page has been added, widgets can be added to the web page.
Online Help
Online help can be accessed from anywhere in Web Config by clicking the Online Help icon.
The Help window that is displayed is context sensitive.
Searching Help
It is also possible to search the Help index by clicking Show Navigation in the Help window and clicking the Contents , Index or Search tabs.
Command Line Interface
The FortiGate Command Line Interface (CLI) can be accessed by connecting a management computer serial port to the FortiGate serial console connector. Telnet or secure SSH can also be used to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet. The CLI supports the same configuration and monitoring functionality as Web Config. In addition, the CLI can be used for advanced configuration options that are not available from Web Config. The following is required to use the CLI:
• A computer with an available COM port
• A null modem cable, such as the RJ-45 to DB9 serial cable provided with the FortiGate unit, to connect the FortiGate console port to a communications port on the computer
• Terminal emulation software such as HyperTerminal for Windows or PuTTY
A CLI administrative session can also be accessed remotely using SSH or Telnet. The CLI Console widget on the dashboard can be used to access the command line interface directly in Web Config.
Logging in to the CLI
The following settings must be configured in the terminal emulation software to connect to the CLI:
Bits per second    9600
Data bits          8
Parity             None
Stop bits          1
Flow control       None
The administrator wishing to make changes to the FortiGate device through the CLI must enter appropriate login credentials, including a user name and password. The default login name on the FortiGate unit is admin with a blank password.
The command line prompt changes to the # character once the administrator has completed a successful login.
CLI Command Structure
The structure of the CLI commands allows an administrator to modify any of the settings within the FortiGate unit from the command line. The command structure includes the following components:
• Commands
• Objects
• Tables
• Sub-commands
• Fields and values
Commands
Commands are at the top level of the CLI command structure and indicate an action that the FortiGate unit should perform on a part of the configuration or host on the network. Once logged in as an administrator, type ? at the # prompt to view the available commands. Note: The ? character that is typed is not displayed in the command line.
The FortiGate CLI uses the following commands:
config
Configures CLI objects, such as the firewall, the router, and antivirus protection. For example: config system admin
get
Displays system status information. get can also be used within a config command to display the settings for that command, or use get with a full path to display the settings for a particular object. For example: get hardware status
show
Displays the FortiGate unit configuration. By default, only changes to the default configuration are displayed. Use show full-configuration to display the complete configuration. Use show within a config command to display the configuration of that command. For example: show branch
execute
Runs static commands to reset the FortiGate unit to factory defaults or to back up or restore a FortiGate configuration file. The execute commands are available only from the root level. For example: execute factoryreset
diagnose
Commands in the diagnose branch are used to debug the operation of the FortiGate unit and to set parameters for displaying different levels of diagnostic information. For example: diagnose branch
exit
Exits the CLI.
Objects
The next level of the FortiGate CLI command structure is based on configurable objects. For each of the commands at the top level, there are objects that can be associated with it. Objects contain tables and/or fields. To view the objects associated with a command, type the command followed by the ? character. In this example, all objects related to the config command are displayed.
The objects vary depending on the command that is entered and include the following:
application
Configures application control.
antivirus
Scans services for viruses and grayware, optionally providing quarantine of infected files
dlp
Configures Data Leak Prevention (DLP).
endpoint control
Configures parts of the Endpoint NAC feature.
firewall
Controls connections between interfaces according to policies based on IP addresses and type of service, applies protection profiles
gui
Controls preferences for the web-based manager, CLI console, and topology viewer
imp2p
Controls user access to Internet Messaging and Peer-to-Peer applications
ips
Configures the Intrusion Prevention System
log
Configures logging
netscan
Configures the Endpoint network vulnerability scanner.
report
Configures SQL reports.
router
Moves packets from one network segment to another towards a network destination, based on packet headers
spamfilter
Filters email based on MIME headers, a banned word list, email and IP addresses
system
Configures options related to the overall operation of the FortiGate unit, such as interfaces, virtual domains, and administrators
user
Authenticates users to use firewall policies or VPNs
voip
Configures VoIP profiles for firewall policies.
vpn
Provides Virtual Private Network access through the FortiGate unit
wanopt
Configures FortiGate WAN optimization
web-proxy
Configures the FortiGate web proxy.
webfilter
Blocks or passes web traffic based on a banned word list, filter URLs, and FortiGuard-Web category filtering
Objects are containers for more specific lower level items that are each in the form of a table. For example, the firewall object contains tables of addresses, address groups, policies and protection profiles. Entries in the table can be added, deleted or edited. Table entries consist of keywords that can be set to particular values (or parameters). Note: There may be other CLI objects that are model-specific and, therefore, only available on certain FortiGate models.
Tables
The next level of the command structure is the table. The table allows the modification of an object's fields and values. The available tables will be different depending on the object being modified. When entering a table, the command prompt changes to identify the table. To exit a table, enter the end command. In this example, the administrator is editing the FortiGate unit interface table.
Sub-commands
Sub-commands are commands that are available only when nested within the scope of another command and affect fields and their values. In this example, the edit sub-command is entered to modify the port field.
Fields and Values
The final components of the CLI command structure are the fields and values. The parameters are the actual items that are being edited through the CLI. Each table could have a collection of fields, any of which can be modified through the CLI. The fields and values available for modification will be different depending on the table that is being edited. In this example, the vdom called root is being assigned the value of 172.20.110.251 255.255.255.0 in the port1 table.
Once the desired parameters are set, type end to go back to the table level. Alternately, to configure other parameters, type next to display the next parameter. By default, when end or next is entered, the parameters are written to the configuration file. These changes are not lost should a system reboot occur. Modifying the cfg-save parameter can change the behavior so that changes are not automatically saved. If this option is used, all changes must be saved manually before exiting the CLI by entering exe cfg save at the root level.
CLI Basics
There are shortcuts and options available to simplify using CLI commands.
Command Help
• Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
• Type a command followed by a space and press the question mark (?) key to display a list of the objects available for that command and a description of each.
• Type a command followed by an object and press the question mark (?) key to display a list of branches available for that command/object combination, along with a description of each option.
Command Completion
• Use the tab key or the question mark (?) key to complete commands.
• Press the tab key at any prompt to scroll through the options available for that prompt.
• Type the first characters of any command and press the tab key or the question mark (?) key to complete the command or to scroll through the options that are available at the current cursor position.
• After completing the first word of a command, press the space bar and then the tab key to scroll through the objects available at the current cursor position.
Recalling Commands
Recall previously entered commands by using the Up and Down arrow keys to scroll through the commands previously entered.
Editing Commands
Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. Use the Backspace and Delete keys and the control keys listed below to edit the command.
Function                               Key combination
Beginning of line                      CTRL+A
End of line                            CTRL+E
Back one character                     CTRL+B
Forward one character                  CTRL+F
Delete current character               CTRL+D
Previous command                       CTRL+P
Next command                           CTRL+N
Abort the command                      CTRL+C
Exit the CLI if used at the root prompt   CTRL+C
Line Continuation
To break a long command over multiple lines, use a \ character at the end of each line.
Command Abbreviation
Abbreviate commands, objects, and branches to the smallest number of non-ambiguous characters. For example, the command get system status can be abbreviated to g sy st.
IP Address Formats
Enter an IP address and subnet using either dotted decimal or slash-bit format. For example, type either: set ip 192.168.1.1 255.255.255.0
or set ip 192.168.1.1/24
The IP address is displayed in the configuration file in dotted decimal format. See the FortiGate CLI Reference Guide for more details on using the CLI.
Administrators
Administrators are responsible for the firewall's configuration and operation. The system's factory default configuration has one administrative account called admin. The admin account has full read/write control of the FortiGate unit's configuration. After connecting to Web Config or the CLI, additional administrators can be configured. Once they are added, administrators are given various levels of access to different parts of the FortiGate unit configuration using an admin profile.
Admin Profiles
Admin profiles define the permissions assigned to administrators. Multiple admin profiles can be created and assigned to administrators to restrict them to specific tasks. To view the list of available admin profiles on the FortiGate unit, go to System > Admin > Admin Profile.
The factory default system administrator account called admin uses an admin profile called super_admin. This is a special profile which cannot be viewed or changed. It can, however, be assigned to additional administrative users. Any administrator assigned to the super_admin profile has full access to the FortiGate unit configuration in all VDOMs, and in addition, they can:
• Enable VDOM configuration
• Create VDOMs
• Configure VDOMs
• Assign regular administrators to VDOMs
• Configure global options
Users assigned to the super_admin profile:
• Can delete other users assigned the super_admin profile and/or change the configured authentication method, password, or admin profile, only if the other users are not logged in.
• Can delete the default admin account only if another user with the super_admin profile is logged in and the default admin user is not.
The default super_admin_read_only profile can be assigned to any administrator and allows them to view all the configuration settings on the FortiGate unit but not make any modifications. The default prof_admin profile can also be assigned to any administrator and allows the same access as the super_admin profile, but is tied to a specific VDOM. This profile can be edited to remove any permissions that should not be available to the administrator. To view or modify any other admin profile in the list (other than super_admin), select the profile and click Edit or double-click the entry.
New admin profiles can be defined by clicking Create New on the Admin Profile List page. Complete the parameters of the admin profile as needed.
Profile Name
The name assigned to the profile will be used to identify the profile on the New Administrator page.
Access Control
Select None, Read Only or Read-Write for each of the configuration settings listed.
Administrative Users
An identity must be created for each administrative user assigned to the FortiGate unit. The administrator will log into the FortiGate unit with the credentials defined. To view the list of available administrators on the FortiGate unit, go to System > Admin > Administrators.
The default admin user will be displayed in the list. To view or modify any administrator in the list (other than admin), select them and click Edit or double-click the entry. To modify the password for any administrator in the list, select them and click Change Password. The default admin user cannot be renamed; however, the password can and should be modified for the account immediately after initial login to Web Config or the CLI. By default, admin has no password. The maximum password length is 32 characters.
New administrators can be defined by clicking Create New on the Administrators List page. Complete the parameters of the administrator as needed.
Administrator
The name assigned to the administrator that will be used to log into the FortiGate unit.
Type
Select the authentication type used by the administrator. Select Regular to authenticate with the Password entered, Remote to authenticate using an entry in an LDAP, RADIUS or TACACS+ server, or PKI to authenticate using a digital certificate.
Password
Enter the password used by the administrator to log in using Regular authentication. The password entered must conform to the rules identified in Admin Settings .
Trusted Hosts
Administrators will only be able to log into FortiGate devices from the hosts identified. Click + to add more Trusted Hosts fields.
Admin Profile
Select the Admin Profile from the list to define the permissions (or rights) assigned to the administrator.
Admin Settings
Settings related to administrator access are defined in System > Admin > Settings.
Web Administration Ports
Define the ports used for administrative access to Web Config.
Password Policy
Define the policy settings to be enforced when administrator passwords are created.
Timeout Settings
Administrators will be forced to reauthenticate after a certain period of inactivity as defined by this value.
Display Settings
Define the language for the interface and the number of entries displayed for administrators. Enable IPv6 Support on GUI to display the fields required when using IPv6.
DHCP
The FortiGate unit can operate as a Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses to PCs on the network. A range of IP addresses is defined on the FortiGate unit, and addresses from that range are leased to PCs as needed. The PC must be set to Obtain an IP address automatically to receive the IP address from the FortiGate device. A DHCP server called internal is available by default on the FortiGate unit. Multiple DHCP servers can be created on the FortiGate unit. To view the list of available DHCP servers on a FortiGate unit, go to System > DHCP Server > Service.
To view the parameters of the internal DHCP server, select the server and click Edit or double-click the entry.
The parameters of the internal DHCP server are displayed.
Address Leases
Administrators can view the list of addresses that have been leased to PCs on the network. Go to System > DHCP Server > Address Leases.
Interface Addressing
One of the first tasks in setting up a FortiGate device to operate in the network is to configure the network interfaces. The number of physical interfaces on a FortiGate unit varies per model. On the FortiGate 51B, for example, there are five interfaces. The interfaces are named wan1, wan2, internal1, internal2 and internal3. The interfaces on a FortiGate unit can support multiple IP addresses, each with independent administrative access settings, for example, HTTPS, ping, and SSH. A FortiGate interface can be configured with a static IP address or acquire its IP address from a DHCP or PPPoE server. The FortiGate interfaces can be configured using either Web Config or the CLI command config system interface. Administrative access is configured per interface and can include the following protocols:
• HTTPS
• PING
• HTTP
• SSH
• SNMP
• Telnet
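The nesting described under CLI Command Structure (config opens a table, edit opens an entry, set assigns a field, next and end step back out) is simple enough to parse, and once parsed, the per-interface administrative access list above and the Trusted Hosts setting from the Administrative Users section can be audited from a saved configuration. The following Python is an added example written for this section, not FortiGate code. The configuration text it reads is constructed in the style of show full-configuration output; the interface names, addresses, account names and trusted hosts in it are made up. It assumes the field names allowaccess, accprofile and trusthostN, and treats an administrator with no trusted host, or a trusted host of 0.0.0.0 0.0.0.0, as reachable from any address.

```python
"""Parse FortiOS-style CLI configuration text and audit admin access.

Added example for this course section; it is not FortiGate code.
"""
import re
from typing import Dict, List

# Constructed sample in the style of `show full-configuration` output.
# Interface names, addresses, accounts and trusted hosts are made up.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 172.20.110.251 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "wan1"
        set vdom "root"
        set ip 204.23.1.5 255.255.255.0
        set allowaccess ping https http telnet
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')


def _words(line: str) -> List[str]:
    """Split a CLI line into words, dropping the quotes around quoted names."""
    return [t.strip('"') for t in _TOKEN.findall(line)]


def parse_fortios_config(text: str) -> Dict[str, dict]:
    """Build nested dicts: {"system interface": {"port1": {"ip": [...]}}}.

    config <object> <table> opens a table, edit <name> opens an entry,
    set <field> <values> stores a field, next/end close the current level.
    """
    root: Dict[str, dict] = {}
    stack: List[dict] = [root]           # stack[-1] is the open container
    for raw in text.splitlines():
        words = _words(raw.strip())
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb in ("config", "edit"):   # open a table or an entry
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "set":              # field followed by its value(s)
            stack[-1][args[0]] = args[1:]
        elif verb in ("next", "end"):    # close the entry or the table
            stack.pop()
    return root


# Management protocols that carry the administrator's credentials in clear.
CLEARTEXT = {"http", "telnet"}


def audit_interfaces(cfg: dict, external=("wan1", "wan2")) -> List[str]:
    """Report cleartext administrative access on Internet-facing interfaces
    (assumed here to be the ones named wan1 and wan2)."""
    findings = []
    for name, fields in cfg.get("system interface", {}).items():
        bad = sorted(set(fields.get("allowaccess", [])) & CLEARTEXT)
        if name in external and bad:
            findings.append(
                f"{name}: cleartext admin access enabled ({', '.join(bad)})")
    return findings


def audit_admins(cfg: dict) -> List[str]:
    """Report administrators without a Trusted Hosts restriction.
    Assumption: no trusthostN field, or 0.0.0.0 0.0.0.0, means any address."""
    findings = []
    for name, fields in cfg.get("system admin", {}).items():
        hosts = [v for k, v in fields.items() if k.startswith("trusthost")]
        if not hosts or any(h[:2] == ["0.0.0.0", "0.0.0.0"] for h in hosts):
            profile = fields.get("accprofile", ["?"])[0]
            findings.append(
                f"{name}: no trusted-host restriction (profile {profile})")
    return findings


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    for finding in audit_interfaces(parsed) + audit_admins(parsed):
        print(finding)
```

Run directly, the script prints one line per finding; the audit functions return lists so the same checks can be asserted from a script. The parser handles a config block nested inside an edit entry, which the real format uses, but not values that span several lines.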
Manual
In Web Config, configure a manual (or static) IP address on the Interface tab in System > Network. Select Manual as the Addressing mode. The IP address and subnet information are entered in the IP/Netmask field. Note that an IP address can only be assigned on the same subnet as the network to which the interface connects. The same is true for any assigned secondary IP addresses.
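The two address formats accepted after set ip (dotted decimal and slash-bit, from the IP Address Formats section) and the note above that an interface address must lie on the same subnet as the network it connects to, as an added Python example that is not FortiGate code. It uses only the standard library; the address and router values are constructed, and treating the router address as "the network the interface connects to" is the example's own assumption.

```python
"""Normalize the two `set ip` address formats and check subnet placement.

Added example for this section; not FortiGate code.
"""
import ipaddress
from typing import List


def parse_set_ip(args: str) -> ipaddress.IPv4Interface:
    """Accept "192.168.1.1 255.255.255.0" (dotted decimal) or
    "192.168.1.1/24" (slash-bit), the two forms the CLI takes after set ip."""
    parts = args.split()
    if len(parts) == 2:                         # address and dotted mask
        return ipaddress.IPv4Interface(f"{parts[0]}/{parts[1]}")
    if len(parts) == 1 and "/" in parts[0]:     # address/prefix-length
        return ipaddress.IPv4Interface(parts[0])
    raise ValueError(f"unrecognised address/netmask: {args!r}")


def as_config_file(iface: ipaddress.IPv4Interface) -> str:
    """Render the way the configuration file stores it: dotted decimal."""
    return f"{iface.ip} {iface.network.netmask}"


def is_usable_host(iface: ipaddress.IPv4Interface) -> bool:
    """Reject the network and broadcast addresses of the subnet
    (/31 and /32 subnets have no such reserved addresses)."""
    net = iface.network
    if net.prefixlen >= 31:
        return True
    return iface.ip not in (net.network_address, net.broadcast_address)


def on_same_subnet(iface: ipaddress.IPv4Interface, neighbour: str) -> bool:
    """True when `neighbour` (assumed to be the router or hosts the interface
    connects to) falls inside the interface's own subnet."""
    return ipaddress.IPv4Address(neighbour) in iface.network


def check_assignment(args: str, neighbour: str) -> List[str]:
    """Collect the problems with a proposed `set ip` value, if any."""
    iface = parse_set_ip(args)
    problems = []
    if not is_usable_host(iface):
        problems.append(f"{iface.ip} is the network or broadcast address")
    if not on_same_subnet(iface, neighbour):
        problems.append(f"{neighbour} is not in {iface.network}")
    return problems


if __name__ == "__main__":
    # Constructed values: the port1 address from the CLI example above and
    # a made-up router address 172.20.110.1 on the same segment.
    for candidate in ("172.20.110.251 255.255.255.0", "172.20.110.251/24",
                      "172.20.110.0/24", "172.20.111.5/24"):
        print(as_config_file(parse_set_ip(candidate)),
              check_assignment(candidate, "172.20.110.1") or "ok")
```

Both input forms parse to the same IPv4Interface, so a configuration review can compare what was typed with what the configuration file shows without caring which format the administrator used.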