
FortiGate Multi-Threat Security Systems I

Administration, Content Inspection and SSL VPN

RealTime OnLine Lab Guide


Course 201

www.fortinet.com

FortiGate Multi-Threat Security Systems I
Administration, Content Inspection and SSL VPN
Lab Guide for RealTime OnLine training using FortiOS 4.0 MR3 Patch 1
Course 201
01-4310-0201-RTOL-20110729

Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams, or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks: Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Virtual Lab Environment Basics


This document provides details of the virtual lab environment that will be used for the hands-on labs in this course. Steps are included for connecting to the virtual environment along with troubleshooting tips to help students easily navigate the lab configuration.

Topology for Labs


The network diagram below shows the configuration of the virtual environment that students will use in the course.
[Network diagram. The figure is not reproduced; the labels that survive from it are listed below.]
Subnets: LAN0, LAN1 10.200.1.0/24, LAN2 10.200.2.0/24, LAN3 10.0.1.0/24, LAN4 10.200.3.0/24, LAN5 10.200.4.0/24, LAN6 10.0.2.0/24, LAN7
FortiGate interfaces: Port1 10.200.1.1, Port2 10.200.2.1, Port3 10.0.1.254 (LAN3), Port4 10.200.3.1, Port5 10.200.4.1, Port6 10.0.2.254 (LAN6)
Hosts: Linux host at .254 on the 10.200.x.0/24 networks (the lab default gateway), STUDENT Windows 2003 Server on LAN3, REMOTE Windows XP on LAN7 (eth0)
Default routes (0.0.0.0) are shown from LAN3 and LAN7.
Course 201 Administration, Content Inspection and SSL VPN 01-4310-0201-RTOL-20110729

Logging in to the Virtual Lab Environment


1 Run the TrueLab System Checker to verify the compatibility of your computer with the virtual lab environment. Use the URL that is specific to your location.
Americas: http://virtual.mclabs.com/syscheck
EMEA: http://truelab.hatsize.com/syscheck/index_frk.html
Click Run if a security warning window appears. The TrueLab System Checker will determine whether a connection can be established from the PC to the TrueLab environment. It can also help troubleshoot connectivity problems related to the Java Virtual Machine, company firewall, or proxy server. If the PC is successfully able to connect to the TrueLab virtual lab environment a Success message will be displayed.


If a status of Failed is displayed, verify the on-screen messages to identify potential problem areas or click the Troubleshooter link to help diagnose any problems that were encountered. For assistance with troubleshooting speak to your instructor.
2 If a status of SUCCESS is displayed, log in to the virtual lab portal by browsing to the following URL:

https://virtual.mclabs.com

Enter the username and password provided by the instructor and click LOGIN.
3 Select the time zone for your location from the drop-down menu and click UPDATE. By selecting the proper time zone you ensure that the class schedule is accurate.
4 The virtual lab Java applet is launched. Select a resolution for the applet and click Open to access the Windows 2003 Server device in the virtual lab environment. This will serve as the primary student machine for the classroom exercises.
Note: If for any reason the connection to the virtual Windows 2003 Server is lost, regain access by selecting Operations > Disconnect and then Operations > Connect to Primary from the menu.


5 To connect to other virtual machines in this environment go to Operations > Connect to Secondary and select one of the available machines in the list.

The instructor will provide a description of each of the virtual systems available to you in the virtual lab environment.

Troubleshooting Tips
It is not recommended to connect to the virtual lab environment using a wireless (WiFi) connection or a VPN tunnel. For optimal performance connect to the lab environment through a dedicated LAN connection. Ensure that the company network or firewall policies are not blocking Java applets.
Students should ensure that the following settings are configured on their computer:
- Screen savers should be disabled on the computer.
- The Power Scheme used on the computer should be set to Always on.
- In the Java Control Panel (located in the Windows Control Panel) ensure that Java console is set to Show console. It is recommended that the Java console be left open as it often provides useful logs for troubleshooting.
If you get disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal) please reattempt a connection. If unable to reconnect after multiple attempts, please notify the instructor.

Lab 1 - Initial Setup


Objectives
This first lab will provide an initial orientation to the CLI and Web Config and will guide the student through the basic setup of the FortiGate unit.

Tasks
In this lab, the following tasks will be completed:
Exercise 1 Exploring the Command Line Interface
Exercise 2 Accessing Web Config
Exercise 3 Configuring Network Interfaces
Exercise 4 Configuring the FortiGate DNS Server
Exercise 5 Enabling DNS Recursive
Exercise 6 Configuring Global System Settings
Exercise 7 Configuring Administrative Users

Timing
Estimated time to complete this lab: 55 minutes

Exercise 1 Exploring the Command Line Interface


Prior to beginning this exercise ensure that you have completed all steps in the Virtual Lab Environment Basics document. In this exercise, students will be introduced to the FortiGate command line interface (CLI).
1 In the virtual lab applet, go to Operations > Connect to Secondary > Student to connect to the console of the Student FortiGate device.
2 Click in the window and press <enter>. At the FortiGate-VM login prompt, log in with the username admin (all lowercase) and no password.
Note: To display the console on the Student FortiGate device in a separate window click Window > Student > Separate Window in the virtual lab applet.

3 Type the following command to display status information about the FortiGate unit:
get system status
The output displays the FortiGate unit serial number, firmware build, operational mode, and additional settings. Confirm that the firmware build on the FortiGate unit is 4.00 (MR3 Patch 1), which is the required version for this course.
4 Type the following command to see a full list of accepted objects for the get command:
get ?
Note: The ? character is not displayed on the screen.
At the --More-- prompt in the CLI, press the spacebar to continue scrolling or <enter> to scroll one line at a time. Press <q> to exit. Depending on the objects and branches used with this command, there may be other sub-keywords and additional parameters to enter.


5 Press the up-arrow key to display the previous get system status command and try some of the control key sequences that are summarized below.
Previous command: up arrow or CTRL+P
Next command: down arrow or CTRL+N
Beginning of line: CTRL+A
End of line: CTRL+E
Back one word: CTRL+B
Forward one word: CTRL+F
Delete current character: CTRL+D
Abort command and exit branch: CTRL+C
Clear screen: CTRL+L
CTRL+C is context sensitive and in general aborts the current command and moves up to the previous command branch level. If already at the root branch level, CTRL+C will force a logout of the current session and another login will be required.
6 Type the following command and press the <tab> key 2 or 3 times:
execute <tab>
The command displays the list of available system utility commands one at a time each time the <tab> key is pressed.
7 Type the following command to see the entire list of execute commands:
execute ?
8 Enter the following CLI commands and compare the available keywords for each one:
config ?
show ?
These two commands are closely related.

config enters configuration mode while show displays the configuration, so the two command trees share the same object keywords. The one keyword show adds is full-configuration: by default the show command displays only the differences from the factory-default configuration, whereas show full-configuration displays every setting, including those still at their default values.
9 Enter the following CLI commands to display the FortiGate unit's internal interface configuration settings and compare the output for each of them:
show system interface port3
show full-configuration system interface port3
CLI commands can be entered in an abbreviated form as long as enough characters are entered to ensure the uniqueness of the command keyword; the abbreviation can optionally be followed by <tab> to complete the keyword. Use this technique to reduce the number of keystrokes needed to enter information (for example, sh sys int port3 expands to show system interface port3).

Exercise 2 Accessing Web Config


To access Web Config using a standard web browser, cookies and JavaScript must be enabled for proper rendering and display of the graphical user interface.
1 In the virtual lab applet, go to Window > Win2K3 to access the Primary Windows 2003 Server device.
2 From the virtual Windows 2003 Server desktop, open a web browser and enter the following URL to access the FortiGate Web Config interface for the Student device:
https://10.0.1.254
Accept the self-signed certificate or security exemption if a security alert appears. HTTPS is the recommended protocol for administrative access to the FortiGate unit. Other available protocols include SSH, ping, SNMP, HTTP, and Telnet. HTTP and Telnet carry the administrator credentials in cleartext and should be left disabled on any interface that untrusted hosts can reach.
3 At the login screen, enter the username admin and leave the password blank. Click Login.
4 The default window displayed in Web Config after a successful login is the Dashboard. Before continuing with the rest of the initial configuration, explore the Dashboard page and find the following information: Firmware Version, System Time, Serial Number, Operation Mode. The Dashboard includes a collection of widgets which display system details including the device uptime, CPU and memory usage, number of active sessions, alert messages, number of administrative users, FortiGuard Services status and more.
5 To avoid administrator timeouts in Web Config during the lab exercises, go to System > Admin > Settings and increase Idle Timeout to 60 minutes. (A long idle timeout is a lab convenience; on a production unit keep it short so an unattended session cannot be reused.)
6 It is also useful to increase the number of CLI output lines displayed per page in Web Config. Still in System > Admin > Settings, increase the Lines per Page value under View Settings from 50 to 500. Leave all other settings unchanged. Click Apply to save the changes.

Exercise 3 Configuring Network Interfaces


The interface settings on the FortiGate unit can be configured using one of the following addressing modes: DHCP, Manual (Static IP), or PPPoE. In this exercise, the port1 interface on the FortiGate unit will be configured to use a static IP address.
1 In Web Config, go to System > Network > Interface. Select the port1 interface and click Edit. On the Edit Interface page, verify that the following settings are configured:
Alias: external1
Addressing mode: Manual
IP/Netmask: 10.200.1.1/24
Administrative Access: HTTPS, PING
Click OK.
2 Select the port3 interface and click Edit. Enter an Alias name of internal and click OK.
3 Go to Router > Static > Static Route and view the default route entry. The settings are configured as follows:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: port1
Gateway: 10.200.1.254
The default static route entry has been configured beforehand as part of the virtual lab setup.
4 A default policy has been created on the Student device before the start of the course. Go to Policy > Policy > Policy and confirm that this port3 to port1 policy using NAT is displayed.
5 From the CLI on the Student FortiGate unit, enter the following commands to view the interface settings for port1:
config system interface
edit port1
get
end
Note: Depending on how long it has been since the last command has been entered in the CLI, another login may be required.

6 Execute the following command to display the name and details of the interface matching the IP address of 10.0.1.254 using grep: get system interface | grep 10.0.1.254


Note: The grep command line search utility, native to many UNIX platforms, is supported in the FortiOS CLI (v4.2 and higher). The grep utility can be used in conjunction with the get, show and diag commands to display only the output lines that match a given regular expression.


7 To view the configuration of the FortiGate interfaces through the CLI, type the following command:
show system interface
8 To see verbose settings, type the following command:
show full-configuration
9 To view additional parameters for all interfaces, type the following command:
get system interface
Compare the get command output with the output from the show command. The information from each is similar: get displays all settings and values, while show gives the syntax for the configuration.
10 The FortiGate CLI is hierarchical, which means that some commands are only applicable at a certain level or context. To demonstrate the hierarchy, modify the port1 interface to add additional administrative access to assist with troubleshooting during initial deployment. To add SSH access on the port1 interface, type the following CLI commands:
config system interface
edit port1
set allowaccess https ping ssh
next
end
Note: The set command is not additive. The existing parameters must be re-entered along with the new parameter being added.

11 Verify the changes by typing the following command: show system interface port1

Exercise 4 Configuring the FortiGate DNS Server


In this exercise, two DNS zones will be configured on the FortiGate DNS server to reach lab hosts using DNS hostnames (FQDNs).
Student DNS Zone
To create a DNS zone for the Student network, perform the following steps:
1 In Web Config, go to System > Admin > Settings and under Display Options on GUI select DNS Database. Click Apply.
2 Go to System > Network > DNS Server and create a new DNS database with the following details:
Type: Master
View: Shadow
DNS Zone: student
Domain Name: student.lab
Leave all other parameters at their default settings and click OK. The Student DNS zone is now created. (A Shadow view zone is answered only to recursive queries arriving on interfaces where the DNS server is enabled; a Public view zone is answered to any host that can reach the interface.)
Student DNS Records
To populate the newly created student DNS zone with DNS A and PTR records for the Student FortiGate device and virtual Windows 2003 Server, perform the following steps:
3 In the DNS Entries section of the Edit DNS Zone window, create a new DNS entry to configure the DNS A record for the Student FortiGate device with the following details:
Type: Address (A)
Hostname: fgt
IP Address: 10.0.1.254
TTL (seconds): 0 (default)
Click OK.
4 Create another new DNS entry to configure the DNS PTR record for the Student FortiGate device with the following details:
Type: IPv4 Pointer (PTR)
Hostname: fgt
IP Address: 10.0.1.254
TTL (seconds): 0 (default)
Click OK.
5 Create another new DNS entry and configure the details of the DNS A record for the virtual Windows 2003 Server with the following details:
Type: Address (A)
Hostname: server
IP Address: 10.0.1.10
TTL (seconds): 0 (default)
Click OK.
6 Create another new DNS entry and configure the details of the DNS PTR record for the virtual Windows 2003 Server with the following details:
Type: IPv4 Pointer (PTR)
Hostname: server
IP Address: 10.0.1.10
TTL (seconds): 0 (default)
Click OK. Click OK on the Edit DNS Zone page to save changes to the student DNS zone.
Remote DNS Zone
To create a second DNS zone for the Remote network, perform the following steps:
7 Still in System > Network > DNS Server, create a new DNS database and configure it with the following details:
Type: Master
View: Shadow
DNS Zone: remote
Domain Name: remote.lab
Leave all other parameters at their default settings and click OK. The remote DNS zone is now created.
Remote DNS Records
To populate the newly created remote DNS zone with DNS A and PTR records for the Remote FortiGate device, perform the following steps:
8 In the DNS Entries section of the Edit DNS Zone window, create a new DNS entry and configure the DNS A record for the Remote FortiGate device with the following details:
Type: Address (A)
Hostname: fgt
IP Address: 10.200.3.1
TTL (seconds): 0 (default)
Click OK.
9 Create another new DNS entry and configure the DNS PTR record for the Remote FortiGate device with the following details:
Type: IPv4 Pointer (PTR)
Hostname: fgt
IP Address: 10.200.3.1
TTL (seconds): 0 (default)
Click OK.
10 Create another new DNS entry and configure the DNS A record for the virtual Windows XP installation using the following details:
Type: Address (A)
Hostname: pc
IP Address: 10.0.2.10
TTL (seconds): 0 (default)
Click OK.
11 Create a final new DNS entry and configure the DNS PTR record for the virtual Windows XP installation with the following details:
Type: IPv4 Pointer (PTR)
Hostname: pc
IP Address: 10.0.2.10
TTL (seconds): 0 (default)
Click OK. Click OK on the Edit DNS Zone page to save changes to the remote DNS zone.

Exercise 5 Enabling DNS Recursive


Now that the DNS database is configured, DNS recursive mode must be enabled on the port3 interface of the FortiGate device. In recursive mode the FortiGate answers queries for its own zones and forwards every other query to its configured system DNS servers, so enable it only on an internal interface such as port3: a recursive listener on an Internet-facing interface is an open resolver that anyone can use.
1 In the CLI on the Student FortiGate device, enter the following commands:
config system dns-server
edit port3
set mode recursive
end
2 Use the following commands in a DOS Command Prompt on the virtual Windows 2003 Server to verify the DNS lookup functionality:
nslookup server.student.lab 10.0.1.254
nslookup fgt.student.lab 10.0.1.254
nslookup pc.remote.lab 10.0.1.254
nslookup fgt.remote.lab 10.0.1.254
Note: The parameters of the nslookup command are: nslookup [-option] [hostname] [server]

3 In a web browser on the virtual Windows 2003 Server, access the following web pages to verify that Web Config can be accessed on the Student and Remote FortiGate devices using DNS hostnames:
http://fgt.student.lab
http://fgt.remote.lab
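The A and PTR pairs entered in Exercise 4 only work as intended if each forward record is confirmed by its reverse record and vice versa, which is easy to break when one side is retyped. The script below is an added example, not Fortinet code or part of the lab: it holds the lab's two zones as data, performs that forward-confirmed reverse DNS (FCrDNS) consistency check, and renders the zones as the equivalent FortiOS CLI. The CLI layout is assumed from the FortiOS 4.0 MR3 config system dns-database tree and should be compared with show system dns-database on the unit before being pasted in.

```python
"""Model the two lab zones as data, check forward/reverse consistency
(every A record has a PTR naming it back and vice versa) and render the
equivalent FortiOS CLI. Added example, not Fortinet code. The CLI layout is
assumed from the 'config system dns-database' tree in FortiOS 4.0 MR3;
compare it with 'show system dns-database' on the unit."""
import ipaddress

# Constructed from the lab steps: zone name -> (domain, [(type, hostname, ip), ...])
LAB_ZONES = {
    "student": ("student.lab", [
        ("A", "fgt", "10.0.1.254"), ("PTR", "fgt", "10.0.1.254"),
        ("A", "server", "10.0.1.10"), ("PTR", "server", "10.0.1.10"),
    ]),
    "remote": ("remote.lab", [
        ("A", "fgt", "10.200.3.1"), ("PTR", "fgt", "10.200.3.1"),
        ("A", "pc", "10.0.2.10"), ("PTR", "pc", "10.0.2.10"),
    ]),
}


def reverse_name(ip):
    """Owner name the PTR record answers for: 10.0.1.254 -> 254.1.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_fcrdns(zones):
    """Return findings where the A and PTR data disagree; [] means consistent."""
    forward, reverse = {}, {}   # fqdn -> ip, ip -> fqdn
    for zone, (domain, entries) in zones.items():
        for rtype, host, ip in entries:
            fqdn = f"{host}.{domain}."
            if rtype == "A":
                forward[fqdn] = ip
            elif rtype == "PTR":
                reverse[ip] = fqdn
    findings = []
    for fqdn, ip in forward.items():
        if reverse.get(ip) != fqdn:
            findings.append(f"A {fqdn} -> {ip} has no PTR {reverse_name(ip)} naming it back")
    for ip, fqdn in reverse.items():
        if forward.get(fqdn) != ip:
            findings.append(f"PTR {reverse_name(ip)} -> {fqdn} is not confirmed by an A record")
    return findings


def render_cli(zones):
    """Render the zones as a FortiOS 'config system dns-database' block (assumed syntax)."""
    lines = ["config system dns-database"]
    for zone, (domain, entries) in zones.items():
        lines += [f'    edit "{zone}"', f'        set domain "{domain}"',
                  "        set type master", "        set view shadow",
                  "        config dns-entry"]
        for idx, (rtype, host, ip) in enumerate(entries, 1):
            lines += [f"            edit {idx}", f"                set type {rtype}",
                      f'                set hostname "{host}"', f"                set ip {ip}",
                      "            next"]
        lines += ["        end", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_cli(LAB_ZONES))
    print("lab zones:", check_fcrdns(LAB_ZONES) or "consistent")
    # Constructed mistake: the server A record was retyped, the PTR was not.
    typo = {"student": ("student.lab", [("A", "server", "10.0.1.11"),
                                        ("PTR", "server", "10.0.1.10")])}
    for finding in check_fcrdns(typo):
        print("finding:", finding)
```

Running the script prints the CLI for both zones, reports the lab data as consistent, and then shows the two findings produced by the deliberately mistyped copy: the new A record has no PTR, and the old PTR is no longer confirmed by an A record. The nslookup checks in step 2 exercise only the forward names; a reverse lookup (nslookup 10.0.1.10 10.0.1.254) is what would reveal the second kind of error on the live unit.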

Exercise 6 Configuring Global System Settings


1 For logging purposes, as well as to optimize FortiGuard updates, the FortiGate unit should be set to the correct time zone and NTP server synchronization should be enabled. In Web Config on the Student FortiGate device, go to System > Dashboard > Status. In the System Information widget, click the [Change] link for System Time. Select the appropriate Time Zone. Enable Automatically adjust clock for daylight savings changes if required in the local area. Enable Synchronize with NTP Server. By default, ntp1.fortinet.net will be used, or a local NTP server can be used if available. Click OK.
2 Display the current system time from the CLI by typing the following command:
execute time


Type the following command to view the syntax used to set the system time manually:

exec time ?
Note: Once NTP server synchronization is enabled, it may take up to one hour for the time to be synchronized.

3 Verify that the date setting is correct by typing the following CLI command:
exec date
4 Back in Web Config in the System Information widget, click the [Change] link for Host Name and change the hostname of the FortiGate unit to your first name and the initial of your last name (for example, AliceB). Click OK. The new hostname will appear in the browser title bar at the next login or when the page is refreshed.
5 View the CLI equivalent commands for all the system settings configured in the above steps by typing the following command:
show system global
Enforcing Password Policies for the Admin User
The FortiGate unit includes the ability to enforce a password policy for administrator login. With the policy in place, regular changes and specific criteria are enforced for the admin password, including:
- minimum length (between 8 and 32 characters)
- must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters
- must contain numbers (1, 2, 3)
- must contain non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, ))
- whether the password policy applies to admin or IPsec (or both)
- duration of the password before a new one must be specified
6 In Web Config, go to System > Admin > Settings and enable Enable Password Policy. Configure the password policy with the following details:
Minimum length: 8
Must Contain: Enable; 1 Upper Case Letter; 1 Numerical Digit
Enable Password Expiration: Enable; 90 days

Leave all other parameters at their default settings and click Apply.

Exercise 7 Configuring Administrative Users


1 Go to System > Admin > Administrators to view the list of current administrators. Click to select the default admin administrator and click Edit, or double-click the entry in the list. To limit this administrator to specific trusted host computers, enable Restrict this Admin Login from Trusted Hosts Only and enter the IP addresses of the host computers. The factory default Trusted Host setting of 0.0.0.0/0 allows connections from any host address. Click Cancel to close the Edit Administrator page.
2 Click to select the default admin administrator and click Change Password. The factory default password for the admin account is empty; set the password to F0rtinet (using the number zero). Click OK.
3 Log out of Web Config. Log back in using the new admin password of F0rtinet.
4 To enhance administrative security, create a new administrator account that will be used for day-to-day administration of the FortiGate device and restrict the source IP connection with Trusted Hosts. Go to System > Admin > Administrators and create a new administrator using the following details:
Administrator: admin1
Type: Regular
Password: F0rtinet1
Admin Profile: super_admin
Scope: Global
Restrict this Admin Login from Trusted Hosts Only: Enabled, 10.0.1.0/24

Click OK to save the changes.


Note: Ping requests to this device are also restricted by the trusted host setting of the administrator account.


5 Go to System > Admin > Admin Profile and create a new admin profile called content-control with the following details (the access settings appear only in the original figure):
Click OK. Limiting access only to the areas affecting content inspection helps to eliminate accidental errors that could adversely affect connectivity.
6 Go to System > Admin > Administrators and create a new administrative account that uses the new content-control admin profile with the following details:
Administrator: cadmin
Type: Regular
Password: F0rtinetC
Admin Profile: content-control
Virtual Domain: root
Restrict this Admin Login from Trusted Hosts Only: Enabled, 10.0.1.0/24
Click OK.
7 To view the configuration for administrative users and profiles, type the following CLI commands:
show system admin
show system accprofile
8 Test the new administrative access login by logging out of the current Web Config session and logging in again as the new cadmin user. Try to access areas set to read only; for example, go to System > Network > Interface and attempt to edit an interface. Notice that the data can be viewed but not edited. Click Return. The Trusted Host setting configured for admin1 and cadmin will only allow access from PCs connected to the 10.0.1.0/24 subnet, even if the correct password is entered.

9 In the web browser, open a second connection to Web Config, only this time log in as admin with the password of F0rtinet.
10 Go to System > Dashboard > Status and under System Information, click Details for Current Administrator. The administrators currently logged in to the FortiGate unit are displayed.
11 By default an administrator has a maximum of three attempts to log into their account before they are locked out for 60 seconds. The source IP address is taken into account for the attempt counter. The number of login attempts and the lockout period can be configured through the CLI. To help improve the overall password security, the maximum number of attempts can be decreased and the lockout timer increased using the following CLI commands:
config system global
set admin-lockout-threshold 2
set admin-lockout-duration 100
end
12 Log out of all the Web Config windows.

Lab 2 - Logging and Monitoring


Objectives
In this exercise, some of the logging and monitoring mechanisms on the FortiGate unit will be explored.

Tasks
In this lab, you will complete the following tasks:
Exercise 1 Exploring Web Config Monitoring
Exercise 2 Customizing the System Dashboard
Exercise 3 Configuring Email Alerts
Exercise 4 Enabling Logging to a FortiAnalyzer device

Timing
Estimated time to complete this lab: 35 minutes

Exercise 1 Exploring Web Config Monitoring


1 Log in to Web Config on the Student FortiGate unit in the virtual lab environment and go to System > Dashboard > Status. In the System Information pane, click the Backup link for System Configuration. Select Local PC to create a backup of the device configuration to a location on the virtual Windows 2003 Server. Modify the name of the configuration file to identify it as being created before Lab 2. The backup contains the administrator password hashes and any configured shared secrets, so treat the file as sensitive.
2 Go to System > Dashboard > Status and locate the System Resources widget. Note the CPU Usage and Memory Usage dial gauges.
Note: When viewing CPU and memory usage in Web Config, only the information for core processes is displayed.


3 Some widgets are not displayed on the dashboard by default. Click Widget to display the list of widgets available to add to the dashboard. Click the Log and Archive Statistics widget in the pop-up window to add it to the dashboard. Close the widget list window.
4 Hover the mouse over the title bar of the System Resources widget. Click Edit to create a custom widget. Configure a custom widget with the following details:
Custom Widget Name: System Resource History
View Type: Historical
Time Period: Last 60 minutes
A line chart appears in a new custom System Resource History widget showing a trace of past CPU and memory usage. The refresh rate of this window is automatically set to 1/20 of the time period (interval) configured.


5 The Alert Message Console widget displays recent system events, such as system restart and firmware upgrade. Hover over the title bar of the Alert Message Console widget and click History to view the entire message list. Scroll to the bottom of the window and click Close.
6 Locate the Top Sessions widget on the dashboard. Click the graphical bars representing sessions per IP address to display more information about the sessions. Identify Web Admin sessions in the session table display by locating the TCP sessions from the IP address of the virtual Windows 2003 Server (10.0.1.10) to the IP address of the internal interface (port3) of the Student FortiGate unit (10.0.1.254). Hover over the title bar of the Top Sessions widget and click Detach. Test the functionality of the refresh, page forward, page back, and clear session icons in this window. Click Attach to replace the widget on the dashboard. Click Return to re-display the graphical view of the Top Sessions widget.

Exercise 2 Customizing the System Dashboard


In this exercise, additional widgets will be added to the dashboard to display specific traffic information, protocol usage, and statistical log and archive information. These widgets will provide quick access to system details and statistics that will be required in later exercises. 1 To create a widget to monitor network traffic on the FortiGate unit in real time, access Web Config on the Student FortiGate unit and go to System > Dashboard > Status. Click to add a widget and select the Traffic History widget from the list.

2 Once the widget is added to the dashboard, edit the settings for the widget and select the port1 interface to monitor.


3 To monitor real time bandwidth usage per protocol, add the Network Protocol Usage widget to the dashboard. This data can be useful to administrators when creating traffic shaping rules.

4 In the Log and Archive Statistics widget, click a Details link to view the associated log entries for the log selected.

Exercise 3 Configuring Email Alerts


In this exercise, the FortiGate unit will be configured to send alert email messages to a mail account.This exercise can only be completed if the student has an online email account to forward the alert messages to. 1 In Web Config on the Student FortiGate unit, go to Log&Report > Log Config > Alert E-mail and configure email alerts with the following details: SMTP server: Email from: Email to: Authentication: Type the name or IP address of an online email account server. Type the senders email address. Type the destination email address. Enable if the email server requires authentication and enter the senders email address and account password.

2 Alert emails can be sent based on selected event categories or simply on a log message severity level. Only one of these options can be enabled at a time. Still in the Alert E-mail window, enable Send alert email for the following and configure the settings below:
Interval Time: 1 minute
Send alert email for the following: Select Intrusion Detected and Virus Detected.

Click Apply to save the settings.

3 Click Test Connectivity. Test messages will be sent to the email account.

4 Open the email client application and confirm that the test messages have been received. If a severity level is used, the CLI contains additional interval hold-off timers for log levels above the selected severity level.

5 To view the Alert E-mail settings that were just configured, enter the following commands in the CLI on the Student FortiGate unit:
show system alertemail
show alertemail setting
Note: If the FortiGate unit collects more than one log message before an interval is reached, it combines the messages and sends out one alert email.


Exercise 4 Enabling Logging to a FortiAnalyzer device


FortiAnalyzer devices have been installed in two locations on the Internet for use by students in the virtual classroom. In this exercise, logging to the external FortiAnalyzer device will be configured.

1 In Web Config on the Student FortiGate unit, go to Log&Report > Log Config > Log Setting and confirm that the default logging location is set to the local hard disk. Enable Upload logs remotely and select the FortiAnalyzer device. Enter the IP address of the device closer to your training location:
Americas: 209.87.230.134
EMEA: 83.145.92.163
Click Apply.

2 In the CLI for the Student FortiGate device, enter the following CLI commands to configure the connection to the FortiAnalyzer device:
config log fortianalyzer setting
    set status enable
    set enc-algorithm disable
    set upload-option realtime
end
Note: By default, the FortiGate unit will store the log information locally and will upload to the FortiAnalyzer device on a predefined schedule. Setting the upload-option value to realtime will send the logs to the FortiAnalyzer device as they are generated on the FortiGate unit.

3 Return to Web Config for the Student FortiGate device and to Log&Report > Log Config > Log Setting. Click Test Connectivity to verify the connection status to the FortiAnalyzer device on the Internet. A green checkmark should be displayed for the connection.

4 In the web browser on the Student FortiGate device, access a few random web sites to generate traffic.


5 Access the FortiAnalyzer device at the IP address entered for your location (as in Step 1 of this exercise). Log in with the username of student and password of fortinet.

6 In FortiAnalyzer Web Config, go to Log & Archive > Log Access > Traffic and locate log entries for your FortiGate device based on the device name assigned. Use the Show list to select the name of your FortiGate device.


Lab 3 Firewall Policies


Objectives
In this lab, firewall policy objects and firewall policies will be created and tested.

Tasks
In this lab, you will complete the following tasks:
Exercise 1 Creating Firewall Policy Objects
Exercise 2 Creating Firewall Policies
Exercise 3 Verifying the Firewall Policies
Exercise 4 Configuring Virtual IP Access
Exercise 5 Configuring IP Pools
Exercise 6 Configuring Traffic Shaping
Exercise 7 Testing Traffic Shaping

Timing
Estimated time to complete this lab: 45 minutes

Exercise 1 Creating Firewall Policy Objects


1 Log in to Web Config on the Student FortiGate device and go to System > Dashboard > Status. In the System Information pane create a backup of the device configuration to a location on the virtual Windows 2003 Server. Modify the name of the configuration file to identify it as being created before Lab 3.

2 In Web Config, go to Firewall Objects > Address > Address and create a new address object with the following details:
Address Name: all-dept
Type: Subnet/IP Range
Subnet/IP Range: 10.0.1.0/24
Interface: port3(internal)


3 Create a second address object with the following details:
Address Name: web-server
Type: Subnet/IP Range
Subnet/IP Range: 10.0.1.10
Interface: port3(internal)

4 Go to Firewall Objects > Service > Group and create a new service group with the following details:
Group Name: web
Members: DNS, HTTP, HTTPS, PING

To select the services for the web group, click the arrow buttons to move them between the Available Services and Members lists.

Exercise 2 Creating Firewall Policies


When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall; therefore, a firewall policy only needs to be created for the direction of the originating traffic.

1 Prior to beginning this exercise, the unrestricted port3 → port1 firewall policy will need to be temporarily disabled in the policy list. In Web Config on the Student FortiGate device, go to Policy > Policy > Policy and disable the port3 (internal) → port1 (external1) policy by unchecking it in the Status column.

2 Still in Policy > Policy > Policy, create a new firewall policy to provide general Internet access from the 10.0.1.X/24 network with the following details:
Source Interface/Zone: port3 (internal)
Source Address: all-dept
Destination Interface/Zone: port1 (external1)
Destination Address: all
Schedule: always
Service: web
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Use Destination Interface Address: Enabled
Comments: General Internet access


Exercise 3 Verifying the Firewall Policies


1 From the virtual Windows 2003 Server, open a web browser and connect to the Remote FortiGate device at the following address:
http://fgt.remote.lab
Log in with the default username of admin with no password. Keep this web browser window open.

2 Open a second instance of the web browser and connect to the Student FortiGate device at the following address:
http://fgt.student.lab
Log in with the default username of admin with the password of F0rtinet.

3 In Web Config on the Student FortiGate device go to System > Dashboard > Status and edit the Top Sessions widget.


4 Create a new customized Top Sessions Display widget with the following details:
Custom Widget Name: Customized Destination
Report By: Destination Address
Resolve Host Name: Enabled

5 In the Customized Destination widget, click the blue bar for the 10.200.3.1 address (fgt.remote.lab) to display all the sessions matching that address. The widget can be detached to make the list easier to view.


In the session list, pay close attention to the Policy ID field. This contains the firewall policy ID that allows the traffic from the virtual Windows 2003 Server to the Remote FortiGate device. Verify that this ID corresponds to the firewall policy created earlier in Exercise 2.

Click Attach to replace the widget on the dashboard if necessary.

6 Close the web browser currently connected to the Remote FortiGate device.

7 On the Student FortiGate device create another new policy, this one more specific, to match all traffic generated from the virtual Windows 2003 Server with the following details:
Source Interface / Zone: port3 (internal)
Source Address: web-server
Destination Interface / Zone: port1 (external1)
Destination Address: all
Schedule: always
Service: web
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Use Destination Interface Address: Enabled
Comments: Windows 2003 Internet access

8 Because this new policy is more specific than the General Internet policy created in Exercise 2, the order of the policies must be changed for it to take effect. Select the policy created above and click Move To. In the Move Policy window, click Before and type the policy ID of the General Internet policy. The re-ordered policy list will be displayed.


9 Open a new browser instance and access Web Config on the Remote FortiGate device at the following address:
http://fgt.remote.lab

10 In Web Config on the Student FortiGate device, return to the Customized Destination widget and check the Policy ID value reported in the session list. The sessions established to the Remote FortiGate device should contain the Policy ID generated for the Windows 2003 Internet access policy created in step 7.
Note: Remember that the FortiGate device is a stateful firewall. Therefore, any session already established using an existing firewall policy will be reused until the timeout value expires.

If traffic generated from the virtual Windows 2003 Server does not match the policy ID for the firewall created in step 7, delete any legacy entries created in the session table by clicking the Recycle Bin icon for the entry. This will force a new firewall policy lookup.

11 In the CLI on the Student FortiGate device, view the configuration for the firewall policies created above using the following command:
show firewall policy

12 View the configuration for a single firewall policy using the following command:
show firewall policy <ID>
(Obtain the ID number of the policy from the show firewall policy output used above.)

13 Close the web browser connected to the Remote FortiGate device.


Important Points For Firewall Policy Configuration


Policies are organized according to the direction of traffic from the originator of a request to the receiver of the request. Return traffic is automatically allowed back through due to the stateful nature of the FortiGate device.
Policies are matched to traffic in the order they appear in the policy list rather than by ID number. Policies should be listed from most specific to most general so that the proper policies are matched.
Matching is based on Source, Destination, Schedule, and Service settings.
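The ordering and matching rules above, as an added example that is not part of the Fortinet lab guide: a Python model of first-match policy lookup using the address objects, the web service group and the two policies from Exercises 2 and 3. The policy IDs, the bare interface names and the single "always" schedule are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address objects and service group, mirroring Exercise 1 of this lab.
ADDRESSES = {
    "all-dept": ipaddress.ip_network("10.0.1.0/24"),
    "web-server": ipaddress.ip_network("10.0.1.10/32"),
    "all": ipaddress.ip_network("0.0.0.0/0"),
}
# (protocol, port); port 0 is used for ICMP, and "any" matches every flow.
SERVICES = {
    "DNS": ("udp", 53), "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443),
    "PING": ("icmp", 0), "FTP": ("tcp", 21), "ANY": ("any", 0),
}
SERVICE_GROUPS = {"web": ["DNS", "HTTP", "HTTPS", "PING"]}


@dataclass(frozen=True)
class Policy:
    policy_id: int      # constructed IDs; the lab reads the real ones from the policy list
    srcintf: str
    srcaddr: str
    dstintf: str
    dstaddr: str
    schedule: str
    service: str
    comment: str


def service_matches(service_name, proto, port):
    """True if the flow matches the named service or any member of the named group."""
    for member in SERVICE_GROUPS.get(service_name, [service_name]):
        sproto, sport = SERVICES[member]
        if sproto == "any" or (sproto == proto and sport == port):
            return True
    return False


def lookup(policies, srcintf, src_ip, dstintf, dst_ip, proto, port):
    """First-match lookup in list order (not by ID); None stands for the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.srcintf != srcintf or p.dstintf != dstintf:
            continue
        if src not in ADDRESSES[p.srcaddr] or dst not in ADDRESSES[p.dstaddr]:
            continue
        if p.schedule != "always":      # only the lab's "always" schedule is modelled
            continue
        if not service_matches(p.service, proto, port):
            continue
        return p
    return None


# The two policies from Exercises 2 and 3, with constructed IDs 1 and 2.
GENERAL = Policy(1, "port3", "all-dept", "port1", "all", "always", "web",
                 "General Internet access")
SPECIFIC = Policy(2, "port3", "web-server", "port1", "all", "always", "web",
                  "Windows 2003 Internet access")


def policy_order_demo():
    """IDs matched for HTTP from the web server before and after the Exercise 3 reorder."""
    flow = ("port3", "10.0.1.10", "port1", "10.200.3.1", "tcp", 80)
    before = lookup([GENERAL, SPECIFIC], *flow)   # general policy listed first
    after = lookup([SPECIFIC, GENERAL], *flow)    # specific policy moved before it
    return before.policy_id, after.policy_id


if __name__ == "__main__":
    print("matched policy ID before/after reorder:", policy_order_demo())
```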

Exercise 4 Configuring Virtual IP Access


In this exercise, a virtual IP address will be configured to allow remote Internet connections to the Fortinet Training web server located at 10.0.1.10.

1 Go to Firewall Objects > Virtual IP > Virtual IP and create a new virtual IP mapping with the following details:
Name: vip_to_webserver
External Interface: port1(external1)
Type: Static NAT
External IP Address: 10.200.1.200
Mapped IP Address: 10.0.1.10
Port Forwarding: Disabled (default)

2 To view the VIP settings, enter the following command in the CLI on the Student FortiGate unit:
show firewall vip

3 In Web Config on the Student FortiGate device create a new firewall policy to provide a guest PC access to the web server with the following details:
Source Interface / Zone: port1(external1)
Source Address Name: all
Destination Interface / Zone: port3(internal)
Destination Address Name: vip_to_webserver
Schedule: always
Service: HTTP
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Disabled (default)
Comment: Guest PC access to web server

4 From the virtual lab applet, go to Operations > Connect to Secondary > WinXP.


5 Open a web browser window on the virtual Windows XP desktop and access the following URL:
http://10.200.1.200
If the virtual IP operation is successful, the Fortinet Training Server web page is displayed.

6 To view the source and destination NAT mappings, enter the following CLI command on the Student FortiGate device:
get system session list | grep 10.200.1.200
Sample Output:
PROTO  EXPIRE  SOURCE             SOURCE-NAT           DESTINATION         DESTINATION-NAT
tcp    119     10.200.3.1:44422   -                    10.200.1.200:80     10.0.1.10:80
tcp    119     10.200.3.1:59264   -                    10.200.1.200:80     10.0.1.10:80
tcp    64      10.0.1.10:2903     10.200.1.200:2903    204.2.171.74:80     -
tcp    119     10.200.3.1:42369   -                    10.200.1.200:80     10.0.1.10:80
tcp    64      10.200.3.1:59271   -                    10.200.1.200:80     10.0.1.10:80
tcp    3487    10.0.1.10:2904     10.200.1.200:2904    204.2.171.104:80    -

7 Disconnect from the Windows XP device.


Exercise 5 Configuring IP Pools


Currently, all traffic generated from the virtual Windows 2003 Server through the Student FortiGate device has a translated source IP address of 10.200.1.200. The network address translation occurs because of the vip_to_webserver virtual IP address that was created in Exercise 4. In this exercise, an IP address pool will be created so that outgoing traffic generated from the virtual Windows 2003 server will have source NAT applied using the IP address specified in the pool.

1 In Web Config on the Student FortiGate device, go to Firewall Objects > Virtual IP > IP Pool and create a new IP pool with the following details:
Name: External_IP
IP Range/subnet: 10.200.1.100

2 Go to Policy > Policy > Policy and edit the port3 (internal) → port1 (external1) policy using the source address of web-server. Set the service to ANY. Ensure that Enable NAT is enabled along with Use Dynamic IP Pool. Select the External_IP pool from the list.

3 From the virtual Windows 2003 Server, open a DOS Command Prompt and ping the Remote FortiGate device at fgt.remote.lab. This will generate a new session.

4 In the CLI on the Student FortiGate device, enter the following command to verify the source NAT IP address:
get system session list | grep 10.200.1.100
Output Sample:
icmp 44 10.0.1.10:768 10.200.1.100:29316 10.200.3.1:8 -

As indicated in the session list, a new entry for ICMP traffic is generated and the source NAT IP address is 10.200.1.100.


Exercise 6 Configuring Traffic Shaping


In this exercise, rate limiting will be used for FTP downloads initiated from the internal network while all other traffic will be processed normally.

1 In Web Config on the Student FortiGate device go to Firewall Objects > Traffic Shaper > Shared and create a new traffic shaper with the following details:
Name: 1Mb_Low
Apply Shaper: For All Policies Using This Shaper
Traffic Priority: Low
Maximum Bandwidth: Enabled, 1024 kbit/s

2 To activate the traffic shaper, go to Policy > Policy > Policy and create a new firewall policy with the following details:
Source Interface / Zone: port3(internal)
Source Address: all-dept
Destination Interface / Zone: port1(external1)
Destination Address: all
Schedule: always
Service: FTP
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Use Destination Interface Address: Enabled
Traffic Shaping: Enabled
Shared Traffic Shaper: Enabled; select 1MB_Low from the list of shapers
Comments: FTP Shaper

3 Move this new policy to the top of the port3 (internal) → port1 (external1) list.


Exercise 7 Testing Traffic Shaping


1 From the virtual Windows 2003 Server, open a DOS Command Prompt and use the following command to connect to an FTP server:
ftp 10.200.1.254
Log in with the username of anonymous with no password.

2 Change directories and download a sample file with the following commands:
cd pub
get test.text

3 In the CLI on the Student FortiGate device, enter the following command to filter the session table based on the FTP server IP address:
diag sys session filter dst 10.200.1.254

4 Enter the following command to list the sessions established to the FTP server in order to verify that the traffic is correctly rate limited:
diag sys session list
Sample output:
session info: proto=6 proto_state=01 duration=304 expire=3450 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=1MB_Low prio=4 guarantee 0/sec max 131072/sec traffic 904/sec
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=776
policy_dir=0 tunnel=/
state=log may_dirty os rs rem
statistic(bytes/packets/allow_err): org=1579/32/1 reply=1968/28/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=4->2/2->4 gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:1491>10.200.1.254:21(10.200.1.200:1491)
hook=pre dir=reply act=dnat 10.200.1.254:21>10.200.1.200:1491(10.0.1.10:1491)
pos/(before,after) 4107425644/(15,18), 0/(0,0)
misc=0 policy_id=5 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00000b9c tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=10.0.1.10, bps=15435
total session 1

The output indicates which shaper policy the session is matching. In this scenario, the prio=4 entry indicates a priority of Low.
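The session entry above, as an added example that is not part of the lab guide: a Python parser for diag sys session list output that pulls out the shaper, policy ID and NAT tuples, and checks that a 1024 kbit/s shaper is reported as max 131072 bytes/sec. The same NAT tuples are what Exercises 4 and 5 inspect, so the block serves those checks too. The sample text is a constructed copy of the lab's output, and the expected prio value of 4 for Low is taken from the lab's own observation.

```python
import re

# Constructed copy of the session entry printed in Exercise 7 (values as in the lab output).
SAMPLE_OUTPUT = """session info: proto=6 proto_state=01 duration=304 expire=3450 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=1MB_Low prio=4 guarantee 0/sec max 131072/sec traffic 904/sec
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=776
policy_dir=0 tunnel=/
state=log may_dirty os rs rem
statistic(bytes/packets/allow_err): org=1579/32/1 reply=1968/28/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=4->2/2->4 gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:1491>10.200.1.254:21(10.200.1.200:1491)
hook=pre dir=reply act=dnat 10.200.1.254:21>10.200.1.200:1491(10.0.1.10:1491)
pos/(before,after) 4107425644/(15,18), 0/(0,0)
misc=0 policy_id=5 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00000b9c tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=10.0.1.10, bps=15435
total session 1
"""

SHAPER_RE = re.compile(
    r"origin-shaper=(?P<name>\S*) prio=(?P<prio>\d+) guarantee (?P<guarantee>\d+)/sec "
    r"max (?P<max>\d+)/sec traffic (?P<traffic>\d+)/sec")
NAT_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+:\d+)>(?P<dst>[\d.]+:\d+)\((?P<xlate>[\d.]+:\d+)\)")
# \b keeps this from matching the "policy_id=0" inside "id_policy_id=0".
POLICY_RE = re.compile(r"\bpolicy_id=(?P<id>\d+)")
PROTO_RE = re.compile(r"session info: proto=(?P<proto>\d+)")


def kbit_to_bytes_per_sec(kbit):
    """The shaper maximum is shown in bytes/sec: 1024 kbit/s -> 131072 bytes/sec."""
    return kbit * 1024 // 8


def parse_sessions(text):
    """Split 'diag sys session list' output into one dict per session entry."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        chunk = "session info:" + chunk
        entry = {"proto": int(PROTO_RE.search(chunk).group("proto")),
                 "policy_id": None, "shaper": None, "nat": []}
        m = POLICY_RE.search(chunk)
        if m:
            entry["policy_id"] = int(m.group("id"))
        m = SHAPER_RE.search(chunk)
        if m and m.group("name"):          # an empty name means no shaper applied
            entry["shaper"] = m.group("name")
            entry["prio"] = int(m.group("prio"))
            entry["max_bps"] = int(m.group("max"))
            entry["traffic_bps"] = int(m.group("traffic"))
        for m in NAT_RE.finditer(chunk):   # (direction, action, src, dst, translated)
            entry["nat"].append((m.group("dir"), m.group("act"), m.group("src"),
                                 m.group("dst"), m.group("xlate")))
        sessions.append(entry)
    return sessions


def check_shaper(session, expected_name, expected_kbit):
    """Return a list of problems; an empty list means the session is shaped as expected."""
    problems = []
    if session.get("shaper") != expected_name:
        problems.append(f"shaper is {session.get('shaper')!r}, expected {expected_name!r}")
        return problems
    expected_max = kbit_to_bytes_per_sec(expected_kbit)
    if session["max_bps"] != expected_max:
        problems.append(f"max {session['max_bps']} bytes/sec, expected {expected_max}")
    if session["traffic_bps"] > session["max_bps"]:
        problems.append(f"traffic {session['traffic_bps']} exceeds max {session['max_bps']}")
    if session.get("prio") != 4:           # the lab observes prio=4 for a Low priority shaper
        problems.append(f"prio={session.get('prio')}, expected 4 (Low)")
    return problems


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print("policy", s["policy_id"], "shaper", s["shaper"],
              "problems:", check_shaper(s, "1MB_Low", 1024) or "none")
        for tup in s["nat"]:
            print("  nat", tup)
```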


5 Download the file through FTP multiple times. After each download run the following command in the CLI:
diag sys session list
Note that the traffic value never increases above the maximum of 131072.

6 To check the status of the traffic shapers, enter the following CLI command:
diagnose firewall shaper traffic-shaper

7 Disable all the firewall policies created in this lab and re-enable the unrestricted port3 (internal) → port1 (external1) policy.


Lab 4 Local User Authentication


Objectives
In this lab, an authentication rule will be added to an identity-based policy to force a local user to authenticate before accessing a web page. Session-based authentication using an explicit proxy will also be configured.

Tasks
In this lab, the following tasks will be completed:
Exercise 1 Creating an Identity-Based Firewall Policy
Exercise 2 Testing the Firewall Policy For Web Traffic
Exercise 3 Session-Based Authentication

Timing
Estimated time to complete this lab: 30 minutes

Exercise 1 Creating an Identity-Based Firewall Policy


1 Log in to Web Config on the Student FortiGate unit in the virtual lab environment and go to System > Dashboard > Status. In the System Information pane create a backup of the device configuration to a location on the virtual Windows 2003 Server. Modify the name of the configuration file to identify it as being created before Lab 4.

2 Go to User > User > User and create a new user called Auth_Sample with a password of auth_pw.

3 Go to User > User Group > User Group and create a new group that includes the new sample user with the following details:
Name: Auth_Users
Type: Firewall
Members: Select the Auth_Sample user from the Available Users Group list and use the right arrow to move it to the Members list.


4 Go to Policy > Policy > Policy and edit the unrestricted port3(internal) → port1(external1) policy with the following details:
Enable Identity Based Policy: Enabled
Click Add to create an Authentication Rule. Move the Auth_Users group to the Selected User Groups list. Move ANY to the Selected Services list.
Note: Depending on the resolution of your display, you may need to use the down arrow key to scroll within the Edit Authentication Rule window.

Save the changes to the policy.

5 Connect to the CLI of the Student FortiGate device and enable Authentication Keep-alive for the web traffic firewall policies by entering the following commands:
config system global
    set auth-keepalive enable
end
Note: Authentication keep-alive is used to keep the authentication session active to avoid an idle timeout.


Exercise 2 Testing the Firewall Policy For Web Traffic


1 On the virtual Windows 2003 Server, launch a web browser and access a new web site. At the login prompt, enter the username of Auth_Sample and password of auth_pw.

2 In the Authentication Keepalive window, click the Logout link and attempt to browse to another web site.


3 When prompted to authenticate, enter an incorrect username or password.

4 In the Web Config on the Student FortiGate device, go to Log&Report > Log & Archive Access > Event Log. Locate the log messages for the firewall policy authentication events. The details for the entry are displayed in the lower pane of the Event Log window. Note the log message level used for this type of event.

5 Return to the CLI and clear all authenticated sessions with the following command:
diagnose firewall iprope resetauth
Note: Use this command with caution on a live system.

6 Re-connect to the web site, this time entering the correct authentication credentials. Click the new window link in the Firewall Authentication Keepalive window to view the web page.

7 From the CLI, view the IP addresses and users which have successfully authenticated to the FortiGate unit with the following command:
diagnose firewall iprope authuser

8 In the Web Config on the Student FortiGate device, go to User > Monitor > Firewall to view the details of the authenticated user along with the policy used to authenticate this user.

9 Edit the port3(internal) port1(external1) policy and disable the identity-based policy setting.


Exercise 3 Session-Based Authentication


The FortiGate device can also authenticate users based on HTTP sessions. This is particularly useful in environments such as Citrix or Windows Terminal Server where multiple users share the same IP address. In this exercise, session-based authentication will be configured using an explicit proxy.

1 In Web Config on the Student FortiGate unit, go to User > User > User. Create two new users with the following details:
Username: explicit1
Password: fortinet1
Username: explicit2
Password: fortinet2

2 Go to User > User Group > User Group and create a new group called Explicit_Group. Add the explicit1 and explicit2 users to the Members list.

3 Go to System > Network > Interface and edit the port3(internal) interface to select Enable Explicit Web Proxy.

4 Go to System > Network > Explicit Proxy and select Enable Explicit Web Proxy for HTTP/HTTPS.

5 Go to Policy > Policy > Policy and create a new firewall policy with the following details:
Source Interface/Zone: web-proxy
Source Address: all
Destination Interface/Zone: port1(external1)
Destination Address: all
Action: ACCEPT
Enable Identity Based Policy: Enabled

Click Add and create an authentication rule with the following details:
Selected User Group: Explicit_Group
Services: webproxy
Schedule: always
Log Allowed Traffic: Enabled

Note: Depending on the resolution of your display, you may need to use the down arrow key to scroll within the Edit Authentication Rule window.


6 In the classroom environment, Internet Explorer will be used to test the proxy configuration. Since the configuration of Internet Explorer will be modified to use the proxy settings, Mozilla Firefox should be used to administer the Student FortiGate device through Web Config. In Mozilla Firefox on the virtual Windows 2003 Server, go to Tools > Options > Advanced and click the Network tab. In the Connection pane, click Settings and ensure that No Proxy is enabled.

7 In Internet Explorer on the virtual Windows 2003 Server, go to Tools > Internet Options and click the Connections tab. Click LAN settings and enable Use a proxy server for your LAN. Enter the details of the proxy server as follows:
Address: 10.0.1.254
Port: 8080

8 To reproduce a shared environment where several users connect to the same host, launch a Microsoft Terminal Services client session. On the virtual Windows 2003 Server, click Start > Run and enter the name of the Terminal Services application (mstsc.exe). When prompted for the computer name, enter the following IP address:
10.0.1.10
Log in with the username of Administrator and password of password.

9 In the Terminal Services window, launch the Internet Explorer browser and access any external web site. When prompted, log in with the username of explicit1 and password of fortinet1. At this point, one of the explicit users is now logged in. Minimize the Terminal Services window to return to the virtual Windows 2003 Server desktop.

10 Launch a second instance of Terminal Services and connect to the following IP address:
10.0.1.10
Log into this instance with the username of Administrator and the password of password.

11 In the new instance of Terminal Services, launch the Internet Explorer browser and access a different external web site. When prompted, this time log in with the username of explicit2 and password of fortinet2.

12 Upon successful login, minimize the Terminal Services window to return to the virtual Windows 2003 Server.

13 Connect to the CLI of the Student FortiGate device and enter the following command to display which users are currently connected to the FortiGate device:
diag wad user list
Sample output:
explicit1 10.0.1.10 id:1 VD: root, duration: 273
explicit2 10.0.1.10 id:2 VD: root, duration: 93

14 Shut down both instances of Terminal Services.

15 In Internet Explorer on the virtual Windows 2003 Server, disable Use a proxy server for your LAN.

16 In Web Config on the Student FortiGate unit, disable the web-proxy → port1(external1) firewall policy.


Lab 5 SSL VPN


Objectives
In this lab, an SSL VPN connection will be configured to allow web-only mode access to public web sites. Additionally, an RDP connection will be performed over the SSL VPN to connect a remote Windows XP device to the virtual Windows 2003 Server.

Tasks
In this lab, the following tasks will be completed:
Exercise 1 Configuring SSL VPN for Web Access
Exercise 2 Using the SSL VPN for RDP Access
Exercise 3 Configuring SSL VPN Tunnel Mode with Split Tunneling

Timing
Estimated time to complete this lab: 25 minutes

Exercise 1 Configuring SSL VPN for Web Access


1 Log in to Web Config on the Student FortiGate unit in the virtual lab environment and go to System > Dashboard > Status. In the System Information pane create a backup of the device configuration to a location on the virtual Windows 2003 Server. Modify the name of the configuration file to identify it as being created before Lab 5.

2 In Web Config, go to VPN > SSL > Portal and edit the web-access portal definition to add the Connection Tool widget from the Add Widget drop-down list. Click OK in the upper left-hand corner of the window to save the change to the portal definition.

3 Authentication must be configured for an internal user to access the SSL VPN gateway. Go to User > User > User and create a new user with the following details:
User Name: SSL_User
Password: ssl_pw


4 Go to User > User Group > User Group and create a new user group with the following details:
Name: SSLVPN
Type: Firewall
Allow SSL-VPN Access: Enable and select the web-access portal from the Allow SSL-VPN Access list.
Available Users/Groups: Move the SSL_User user from the Available Users/Groups list to the Members list.

5 A firewall policy is needed to allow access to the SSL VPN and authenticate the user. Go to Policy > Policy > Policy and create a new policy with the following details:
Source Interface: port1(external1)
Source Address: all
Destination Interface: port3(internal)
Destination Address: web-server
Action: SSL-VPN
SSL Client Certificate Restrictive: Disabled

Click Add to configure a new authentication rule with the following settings:
Available User Groups: Move SSLVPN from the Available User Groups list to the Selected User Groups list.
Service: Move ANY from the Available Services list to the Selected Services list.
Schedule: always
Log Allowed Traffic: Enabled

Note: Depending on the resolution of your display, you may need to use the down arrow key to scroll within the Edit Authentication Rule window.

6 From the virtual lab applet menu, go to Operations > Connect to Secondary > WinXP.

7 On the virtual Windows XP desktop, open a web browser and type the following address to connect to the SSL VPN portal:
https://10.200.1.1:10443/
Confirm any security exemptions or alerts that may be displayed.
Note: By default, the SSL VPN gateway listens to port 10443. In an actual deployment, port 443 is recommended as this port is typically open on firewalls to allow easy remote access using SSL. The port can be changed by going to System > Admin > Settings and editing the Web Admin HTTPS service from port 443 to a different port number (for example, 8443). Afterwards, edit the SSL VPN login port from 10443 to 443.


8 When prompted, log in as SSL_User with the password of ssl_pw. The SSL VPN portal page will be displayed.

If the connection fails, verify the following:
SSL_User is a member of the SSLVPN user group.
The SSLVPN user group is associated with the port1(external1) → port3 (internal) SSL VPN policy.
The SSL VPN policy is at the top of the policy list for port1(external1) → port3 (internal).
Re-enter a new password for SSL_User in Web Config.

9 In the Bookmarks widget on the SSL VPN Portal page, add a new bookmark with the following details:
Name: Fortinet Training Server
Type: HTTP/HTTPS
Location: 10.0.1.10
Description: Optional
SSO: Disabled


10 Click the newly created bookmark link. A new browser window displays the web site. Note the URL of the web site in the browser address bar:
https://10.200.1.1:10443/proxy/http/10.0.1.10/
The first part of the address is the encrypted link to the FortiGate SSL VPN gateway: https://10.200.1.1:10443...
The second part of the address is the instruction to use the SSL VPN HTTP proxy: .../proxy/http...
The final part of the address is the destination of the connection from the HTTP proxy: .../10.0.1.10/
In this example, the connection is encrypted up to the SSL VPN gateway. The connection to the final destination from the HTTP proxy is unencrypted.

11 Return to the virtual Windows 2003 Server device.

12 In Web Config, go to VPN > Monitor > SSL-VPN Monitor and locate the details of the SSL VPN connection.

13 Return to the virtual Windows XP device and click the logout link to log out of the SSL VPN connection.
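The three-part bookmark URL described in step 10, as an added example that is not the lab guide's own code: a Python function that decomposes an SSL VPN web-mode proxy link into the gateway, the proxy scheme and the destination, and reports whether the final hop from the proxy is encrypted. The function name is an assumption.

```python
from urllib.parse import urlsplit


def decompose_sslvpn_proxy_url(url):
    """Split an SSL VPN web-mode link of the form
    https://<gateway>:<port>/proxy/<http|https>/<destination>/<path>
    into its parts. Only the leg up to the gateway is protected by the SSL VPN;
    the leg from the gateway's proxy to the destination is encrypted only when
    the proxy scheme is https.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("SSL VPN portal links are served over https: " + url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 3 or segments[0] != "proxy":
        raise ValueError("not an SSL VPN web-mode proxy link: " + url)
    proxy_scheme = segments[1]
    if proxy_scheme not in ("http", "https"):
        raise ValueError("unsupported proxy scheme: " + proxy_scheme)
    return {
        "gateway": f"{parts.scheme}://{parts.netloc}",   # encrypted leg to the FortiGate
        "proxy_scheme": proxy_scheme,                     # how the proxy reaches the target
        "destination": segments[2],                       # host the proxy connects to
        "path": "/" + "/".join(segments[3:]),             # path requested on the destination
        "last_hop_encrypted": proxy_scheme == "https",
    }


if __name__ == "__main__":
    # The URL from step 10 of this exercise.
    info = decompose_sslvpn_proxy_url("https://10.200.1.1:10443/proxy/http/10.0.1.10/")
    print(info)
```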

Exercise 2 Using the SSL VPN for RDP Access


1 Return to the virtual Windows XP device and connect to the SSL VPN portal at the following address:
https://10.200.1.1:10443/
When prompted, log in as SSL_User with the password of ssl_pw.
2 In the Connection Tool widget on the portal web page, select RDP from the Type drop-down list. Configure the RDP connection with the following details:
Host: 10.0.1.10
Screen Width: 1024 (default)
Screen Height: 768 (default)
Logon User: administrator
Logon Password: password
Keyboard Layout: English, US (default)

3 Click Go to launch the connection between the virtual Windows XP and Windows 2003 devices. When prompted, run the Java applet.
4 In Web Config on the virtual Windows 2003 Server, go to VPN > Monitor > SSL-VPN Monitor and locate the details for this connection.


5 In the virtual lab applet, disconnect from the virtual Windows XP device.

Exercise 3 Configuring SSL VPN Tunnel Mode with Split Tunneling


In this exercise, an SSL VPN Tunnel Mode connection with split tunneling will be configured on the FortiGate device. With split tunneling enabled, only traffic for networks behind the FortiGate unit is passed through the VPN; all other traffic follows its normal route.
1 In Web Config on the virtual Windows 2003 device, go to VPN > SSL > Portal and edit the tunnel-access portal.
2 Edit the Tunnel Mode widget (click the edit icon in the title bar of the widget) and enable Split Tunneling.

Leave all the other parameters at their default values. Click OK in the upper left hand corner of the Tunnel Mode widget to save changes to the widget then click OK at the top of the portal page to save the changes to the tunnel-mode portal.
Note: In the Tunnel Mode widget, note that the default IP range of SSLVPN_TUNNEL_ADDR1 has been used. A custom IP address pool can be created if required by clicking Edit.

3 Go to User > User Group > User Group and edit the SSLVPN user group. Change the portal type in the Allow SSL-VPN Access drop-down list to tunnel-access.


4 Go to Policy > Policy > Policy and create a new policy with the following details:
Source Interface: sslvpn tunnel interface
Source Address: all
Destination Interface: port3(internal)
Destination Address: web-server
Schedule: always
Service: ANY
Action: ACCEPT
Log Allowed Traffic: Enabled

5 To accept traffic from the SSL VPN tunnel IP range, a static route must be created on the Student FortiGate device that points to the sslvpn interface. Without this static route in place, the RPF (reverse path forwarding) check will drop the packets. In Web Config, go to Router > Static > Static Route and create a new route entry with the following details:
Destination IP/mask: 10.212.134.192/255.255.255.224
Device: ssl.root
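Why the static route matters can be shown with a small model of the strict RPF check: the route back to a packet's source address must leave through the interface the packet arrived on. The Python below is an added example for this guide, not FortiOS code; the routing table it uses is constructed from the lab topology (port1 and port3 subnets, a default route via port1) and the interface names are only labels for the model.

```python
import ipaddress

# Constructed routing table for the Student FortiGate, modelled on the lab
# topology. The ssl.root entry is the static route that step 5 adds for the
# SSL VPN tunnel address pool (255.255.255.224 is a /27).
ROUTES_WITHOUT_SSL_ROUTE = [
    ("0.0.0.0/0", "port1"),
    ("10.0.1.0/24", "port3"),
    ("10.200.1.0/24", "port1"),
]
ROUTES_WITH_SSL_ROUTE = ROUTES_WITHOUT_SSL_ROUTE + [
    ("10.212.134.192/27", "ssl.root"),
]


def lookup(routes, addr):
    """Longest-prefix match: return the egress device for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, device in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, device)
    return best[1] if best else None


def rpf_check(routes, src, ingress):
    """Strict reverse-path forwarding: accept the packet only if the route back
    to its source address leaves through the interface it came in on."""
    return lookup(routes, src) == ingress


def pool_inside_route(pool_first, pool_last, prefix):
    """Sanity check that the whole client address pool is covered by the
    static route, otherwise some clients will still fail RPF."""
    net = ipaddress.ip_network(prefix)
    return (ipaddress.ip_address(pool_first) in net
            and ipaddress.ip_address(pool_last) in net)


if __name__ == "__main__":
    client = "10.212.134.200"   # an address from the SSLVPN_TUNNEL_ADDR1 pool
    print("without route:", lookup(ROUTES_WITHOUT_SSL_ROUTE, client),
          rpf_check(ROUTES_WITHOUT_SSL_ROUTE, client, "ssl.root"))
    print("with route:   ", lookup(ROUTES_WITH_SSL_ROUTE, client),
          rpf_check(ROUTES_WITH_SSL_ROUTE, client, "ssl.root"))
```

Without the ssl.root route the client's source address matches only the default route via port1, so a packet arriving on ssl.root fails the check and is dropped; with the route in place the check passes. The pool check confirms that the 10.212.134.200 to .210 addresses mentioned later in this exercise fall inside the /27.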


6 To view the routing table on the device before Tunnel Mode is initiated, enter the following command in the DOS Command Prompt on the virtual Windows XP device:
route print
Sample output is:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.2.254       10.0.2.10      10
         10.0.2.0    255.255.255.0        10.0.2.10       10.0.2.10      10
        10.0.2.10  255.255.255.255        127.0.0.1       127.0.0.1      10
   10.255.255.255  255.255.255.255        10.0.2.10       10.0.2.10      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3      10
      192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1      10
    192.168.1.255  255.255.255.255      192.168.1.3     192.168.1.3      10
        224.0.0.0        240.0.0.0        10.0.2.10       10.0.2.10      10
        224.0.0.0        240.0.0.0      192.168.1.3     192.168.1.3      10
  255.255.255.255  255.255.255.255        10.0.2.10       10.0.2.10       1
  255.255.255.255  255.255.255.255      192.168.1.3     192.168.1.3       1
  255.255.255.255  255.255.255.255      192.168.1.3           10005       1
Default Gateway:        10.0.2.254

7 In the web browser on the virtual Windows XP device, connect to the portal at the following address:
https://10.200.1.1:10443/
When prompted, log in as SSL_User with the password of ssl_pw.
8 The first time Tunnel Mode is used on the device, a plug-in will need to be installed. Click the link presented in the message to download and install the plug-in.

When the plug-in is correctly installed, restart the web browser.
9 In the web browser on the virtual Windows XP device, connect to the portal once again at the following address:
https://10.200.1.1:10443/
Log in as SSL_User with the password of ssl_pw.


10 From the Tunnel Mode widget, click Connect to initiate the tunnel mode connection. The fortissl virtual interface will receive an IP address from the Student FortiGate device. The assigned IP address should be in the 10.212.134.[200-210] range.
Note: The IP addresses to be allocated to client PCs can be defined in the SSL VPN Portal definition.

11 To view the routing table after Tunnel Mode has been initiated, enter the following command in a DOS Command Prompt on the virtual Windows XP device:
route print
Sample output:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.2.254       10.0.2.10      10
        10.0.1.10  255.255.255.255   10.212.134.200  10.212.134.200       1
         10.0.2.0    255.255.255.0        10.0.2.10       10.0.2.10      10
        10.0.2.10  255.255.255.255        127.0.0.1       127.0.0.1      10
       10.200.1.1  255.255.255.255       10.0.2.254       10.0.2.10       1
   10.212.134.200  255.255.255.255        127.0.0.1       127.0.0.1      50
   10.255.255.255  255.255.255.255        10.0.2.10       10.0.2.10      10
   10.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200      50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.12    192.168.0.12      10
     192.168.0.12  255.255.255.255        127.0.0.1       127.0.0.1      10
    192.168.0.255  255.255.255.255     192.168.0.12    192.168.0.12      10
        224.0.0.0        240.0.0.0        10.0.2.10       10.0.2.10      10
        224.0.0.0        240.0.0.0   10.212.134.200  10.212.134.200      50
        224.0.0.0        240.0.0.0     192.168.0.12    192.168.0.12      10
  255.255.255.255  255.255.255.255        10.0.2.10       10.0.2.10       1
  255.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200       1
  255.255.255.255  255.255.255.255   10.212.134.200               2       1
  255.255.255.255  255.255.255.255     192.168.0.12    192.168.0.12       1
Default Gateway:        10.0.2.254

Note the differences now that SSL VPN tunnel mode is fully established between the Windows XP device and the FortiGate unit. A new entry for the host at the IP address 10.0.1.10 has been added to the routing table with a metric of 1, pointing to the fortissl IP address of 10.212.134.200. This indicates that only traffic to the 10.0.1.10 address is being sent over the SSL VPN.
12 In the web browser on the virtual Windows XP device, connect to the Training portal web site once again to test the connection:
https://10.0.1.10
13 Disconnect from the virtual Windows XP device.
14 Disable the firewall policies created in this lab.
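The before/after comparison in steps 6 and 11 can be automated so that a client's split-tunnel state is verified rather than eyeballed. The Python below is an added example for this guide, not part of the lab or of FortiOS; the two route listings are constructed excerpts of the sample output shown in this exercise, and the broadcast/multicast filtering heuristic is the author's own.

```python
import ipaddress

# Constructed excerpts of the two 'route print' listings in this exercise
# (before and after the tunnel is connected); only rows needed for the
# comparison are reproduced.
ROUTES_BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.2.254       10.0.2.10      10
         10.0.2.0    255.255.255.0        10.0.2.10       10.0.2.10      10
   10.255.255.255  255.255.255.255        10.0.2.10       10.0.2.10      10
        224.0.0.0        240.0.0.0        10.0.2.10       10.0.2.10      10
  255.255.255.255  255.255.255.255        10.0.2.10       10.0.2.10       1
Default Gateway:        10.0.2.254
"""

ROUTES_AFTER = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.2.254       10.0.2.10      10
        10.0.1.10  255.255.255.255   10.212.134.200  10.212.134.200       1
         10.0.2.0    255.255.255.0        10.0.2.10       10.0.2.10      10
       10.200.1.1  255.255.255.255       10.0.2.254       10.0.2.10       1
   10.255.255.255  255.255.255.255        10.0.2.10       10.0.2.10      10
   10.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200      50
        224.0.0.0        240.0.0.0   10.212.134.200  10.212.134.200      50
  255.255.255.255  255.255.255.255   10.212.134.200  10.212.134.200       1
  255.255.255.255  255.255.255.255   10.212.134.200               2       1
Default Gateway:        10.0.2.254
"""


def parse_route_print(text):
    """Return route rows as (network, gateway, interface, metric) tuples.
    Header, 'Default Gateway' and other non-route lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            metric = int(parts[4])
        except ValueError:
            continue
        rows.append((net, parts[2], parts[3], metric))
    return rows


def is_unicast_prefix(net):
    """Drop the multicast and broadcast rows Windows lists for every interface."""
    if net.is_multicast or net.network_address == ipaddress.ip_address("255.255.255.255"):
        return False
    # /32 rows whose last octet is 255 are directed-broadcast entries (10.255.255.255)
    return not (net.prefixlen == 32 and int(net.network_address) & 0xFF == 0xFF)


def tunnel_mode(rows, tunnel_ip):
    """'full' if the default route leaves via the tunnel, 'split' if only
    specific prefixes do, 'none' if the tunnel carries nothing."""
    via = [r for r in rows if r[2] == tunnel_ip]
    if not via:
        return "none"
    return "full" if any(r[0].prefixlen == 0 for r in via) else "split"


def tunnelled_destinations(rows, tunnel_ip):
    """Unicast prefixes the client sends into the tunnel, as strings."""
    return sorted(str(r[0]) for r in rows if r[2] == tunnel_ip and is_unicast_prefix(r[0]))


def host_route_to_gateway_ok(rows, gateway_ip, tunnel_ip):
    """The SSL VPN gateway itself must not be routed into the tunnel, or the
    tunnel would try to carry its own outer packets."""
    for net, _gw, iface, _metric in rows:
        if net.prefixlen == 32 and str(net.network_address) == gateway_ip:
            return iface != tunnel_ip
    return False


if __name__ == "__main__":
    after = parse_route_print(ROUTES_AFTER)
    print(tunnel_mode(after, "10.212.134.200"), tunnelled_destinations(after, "10.212.134.200"))
```

With the lab listing the result is "split" with exactly 10.0.1.10/32 tunnelled, and the /32 for the gateway 10.200.1.1 stays on the physical interface; a full-tunnel portal would instead show a 0.0.0.0/0 row on the fortissl interface.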


Lab 6 Antivirus
Objectives
In this exercise, global antivirus settings will be explored, including:
- Accessing the FortiGuard Distribution Network
- Ensuring that antivirus definitions are updated through the FortiGuard Subscription Services
- Enabling grayware scanning
- Setting up file quarantine
- Enabling antivirus scanning for the web proxy server
- Customizing antivirus replacement messages

Tasks
In this lab, the following tasks will be completed:
Exercise 1 Enabling FortiGuard Subscription Services and Updates
Exercise 2 Configuring Global Antivirus Settings
Exercise 3 Testing Virus Scanning for HTTP
Exercise 4 Inspecting HTTPS Traffic

Timing
Estimated time to complete this lab: 30 minutes
Note: These exercises can only be completed if the FortiGate unit has already been registered with Fortinet Support (https://support.fortinet.com). The virtual devices used in the classroom have already been registered.

Exercise 1 Enabling FortiGuard Subscription Services and Updates


1 Log in to Web Config on the Student FortiGate unit in the virtual lab environment and go to System > Dashboard > Status. In the System Information pane, create a backup of the device configuration to a location on the virtual Windows 2003 Server. Modify the name of the configuration file to identify it as being created before Lab 6.
2 In Web Config, go to System > Config > FortiGuard to verify the details of the FortiGuard Subscription Services licensing for the Student FortiGate unit. What is the antivirus definition version, expiry, and last update attempt for the FortiGate unit? If only the version field is showing, the FortiGate unit firmware was upgraded recently and there have been no further update attempts.


3 Go to UTM Profiles > AntiVirus > Virus Database and confirm that the FortiGate unit is using the Extended Virus Database.
4 Back in System > Config > FortiGuard, expand AntiVirus and IPS Options and enable a scheduled update for every four hours.
5 Still in the AntiVirus and IPS Options window, click Update Now to force the FortiGate unit to obtain the latest antivirus and IPS definitions. If properly entitled, and depending on Internet congestion, the FortiGate unit will receive and install the updated definitions after 3 to 5 minutes.
6 After a few minutes, return to System > Config > FortiGuard and check for the new updates. Today's date should appear next to the version number for both AV and IPS Definitions. The AV and IPS signature databases can also be updated either individually or together through the CLI using the following commands:
exec update-av     Update AV engine/definitions
exec update-ips    Update IPS engine/definitions
exec update-now    Update now

Note: Antivirus and IPS updates can also be set to be pushed automatically to the FortiGate unit. To allow push updates, expand AntiVirus and IPS Options and enable Allow Push Update and set the update schedule required, for example, every 4 hours. In the classroom environment, the FortiGate unit is behind a NAT device. Port forwarding must be configured on the NAT device, otherwise push updates will not work.

Note: The update-now command will update antivirus and IPS definitions only. It will not upgrade the system firmware.

7 To view the update settings, enter the following CLI command on the Student FortiGate unit:
get system autoupdate schedule
The FortiGuard autoupdate interval was set to 4 hours through Web Config, but the CLI shows 4:60. This means that the additional minutes will be picked randomly from 0 to 59 to spread out the request load on the FortiGuard servers. An exact hour and minute interval can be set through the CLI using the following commands:
config system autoupdate schedule
    set time 4:0
end
Verify the change with the following CLI command:
show system autoupdate schedule


8 In the FortiGuard Subscription Services window, expand Web Filtering and Email Filtering Options. Configure the settings with the following details:
Enable Web filter cache: Enabled, TTL: 1800 seconds (30 minutes)
Enable antispam cache: Enabled, TTL: 900 seconds (15 minutes)
Port Selection: Use Alternate Port (8888)

By default, FortiGuard uses UDP/53 since this port is often left open for DNS traffic. If there is another IPS device on the network that is decoding DNS data on port 53, the FortiGuard request/response may trigger an alert as the data is encrypted. In this scenario, change to the alternate port of 8888 and ensure that any upstream devices will permit this traffic to pass.
Note: The status of FortiGuard Web Filtering may show as unreachable until a web filter profile is applied to a firewall policy.


Exercise 2 Configuring Global Antivirus Settings


1 In Web Config, go to UTM Profiles > AntiVirus > Virus Database and enable Grayware Detection to scan for malicious grayware-type installers.
2 Display the default quarantine settings for the FortiGate device by entering the following command in the CLI on the Student FortiGate device:
get antivirus quarantine
File quarantine is available if the FortiGate unit model has an internal hard disk or if a FortiAnalyzer device is available. The default destination for the quarantine is Disk.
Note: If using a FortiGate device without a hard disk, enable quarantine to the online FortiAnalyzer device. For example:
config antivirus quarantine
    set destination FortiAnalyzer
end

3 In Web Config, go to UTM Profiles > AntiVirus > Profile and create a new profile called Standard with the following details (click Create New in the upper right-hand corner of the Edit AntiVirus Profile window):
Virus Scan and Removal: enable all protocols
Quarantine: enable all protocols

4 Go to Policy > Policy > Policy and edit the port3(internal) port1(external1) policy to enable UTM using the Standard antivirus profile.


5 Replacement messages are substituted for the infected file when the FortiGate antivirus engine detects a virus. Go to System > Config > Replacement Message. Expand HTTP and edit the text of the default Virus message. The same Replacement Messages can be displayed using the following commands in the CLI: show system replacemsg http http-virus
Note: Some replacement messages are stored in raw HTML code. Make sure that the correct syntax is used and preserve the existing HTML tags. An external HTML editor can be used to create the replacement message and then copy and paste the resulting HTML code into the FortiGate replacement message text window.

Exercise 3 Testing Virus Scanning for HTTP


1 On the virtual Windows 2003 Server, launch a web browser and access the following web site:
http://eicar.org
2 On the Eicar web page, click Download Anti Malware Test File and download the eicar.com file from the Download area using the standard protocol http section. The download attempt will be blocked by the FortiGate unit and the following replacement message will be displayed:

The Eicar file is an industry-standard file used to test antivirus detection. The file contains the following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The HTTP virus message is shown when infected files are blocked or have been quarantined. In the message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information about the detected virus.


3 In Web Config, go to Log&Report > Log & Archive Access > UTM Log and locate the antivirus event messages.

Alternately, go to UTM Profiles > Monitor > AV Monitor to view details of the log event.
Note: There may be policies in place from previous exercises that could allow the files to be downloaded. If the above steps do not work, go to the firewall policies and ensure that all policies other than the default are disabled.
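The EICAR string is useful for testing precisely because its matching rule is published and simple: a scanner should flag a file that starts with the 68-byte string, is followed by nothing but whitespace, and is at most 128 bytes long. The Python below is an added example for this guide, not FortiGate's antivirus engine; it applies that rule to the body of a constructed HTTP response so that the verdict depends on content and never on the advertised file name.

```python
# The 68-byte EICAR test string, published by EICAR for antivirus testing.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def is_eicar(data: bytes) -> bool:
    """EICAR matching rule: the string must be the very first 68 bytes of the
    file, only whitespace may follow it, and the file may not exceed 128 bytes."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n") == b""


def http_download(filename: str, body: bytes) -> bytes:
    """Constructed sample HTTP response resembling the eicar.org download."""
    headers = (b"HTTP/1.1 200 OK\r\n"
               + b"Content-Type: application/octet-stream\r\n"
               + b'Content-Disposition: attachment; filename="' + filename.encode() + b'"\r\n'
               + b"Content-Length: " + str(len(body)).encode() + b"\r\n")
    return headers + b"\r\n" + body


def scan_http_response(raw: bytes) -> dict:
    """Split a response into header block and body, scan the body, and report
    the advertised file name alongside the verdict."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    filename = None
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-disposition:") and b"filename=" in line:
            filename = line.split(b"filename=", 1)[1].strip(b'" ').decode()
    return {"filename": filename, "blocked": is_eicar(body)}


if __name__ == "__main__":
    for name, body in (("eicar.com", EICAR), ("eicar.txt", EICAR + b"\n"),
                       ("notes.txt", b"nothing to see here")):
        print(scan_http_response(http_download(name, body)))
```

Renaming eicar.com to eicar.txt changes nothing, while prefixing the string with other bytes or appending non-whitespace text makes it a non-match, which is why a real scanner must inspect the transfer itself rather than trust the extension.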

Exercise 4 Inspecting HTTPS Traffic


In the previous exercise, the Eicar test file was downloaded using HTTP and blocked. In this exercise, the Eicar test file will be downloaded again, this time using HTTPS.
1 On the virtual Windows 2003 Server, launch a web browser and access the following web site once again:
http://eicar.org
2 On the Eicar web page, click Download Anti Malware Test File and download the eicar.com file from the Download area using the secure SSL enabled protocol https section. The download should be successful.
3 In order to inspect HTTP over SSL, go to Policy > Policy > Protocol Options, expand HTTPS and enable Deep Scanning. This will enable inspection of SSL encrypted traffic on the Student FortiGate unit.
4 To ensure that there are no existing sessions prior to deep scanning the communication exchange, connect to the CLI of the Student FortiGate unit and enter the command:
diag sys session clear


5 Return to the Eicar web page and attempt to download the eicar.com file from the Download area using the secure SSL enabled protocol https section.
Note: You may be prompted to accept a security warning to accept the digital certificate from the Eicar web site.

This time, the download will be blocked by the FortiGate unit and the replacement message will be displayed.
6 In Web Config on the Student FortiGate device, edit the port3(internal) -> port1(external1) policy to disable UTM.


Lab 7 Web Filtering


Objectives
In this lab, web filtering will be configured to block specific categories of web content. The interaction of local categories and overrides will also be demonstrated.

Tasks
In this lab, the following tasks will be completed:
Exercise 1 Testing Web Category Filtering
Exercise 2 Configuring Web Filtering Authentication
Exercise 3 Configuring Web Filtering Quotas

Timing
Estimated time to complete this lab: 40 minutes

Exercise 1 Testing Web Category Filtering


1 Log in to Web Config on the Student FortiGate unit in the virtual lab environment and go to System > Dashboard > Status. In the System Information pane, create a backup of the device configuration to a location on the virtual Windows 2003 Server. Modify the name of the configuration file to identify it as being created before Lab 7.
2 In Web Config, go to UTM Profiles > Web Filter > Profile and create a new web filter profile called Category_Test (click Create New in the upper right-hand corner of the Edit Web Filter Profile window).
3 In the Edit Web Filter Profile window, set the Inspection Mode to Proxy and enable the following web categories with an action of Block:
- Potentially Liable
- Controversial
- Bandwidth Consuming
- Security Risk
- General Interest - Personal
- General Interest - Business
- Unrated
4 Go to Policy > Policy > Policy and edit the port3(internal) -> port1(external1) policy to enable UTM. Enable web filtering using the Category_Test profile.


5 In a web browser on the virtual Windows 2003 Server, connect to a web site. A Web Page Blocked window should be displayed.

6 In Web Config, go to System > Config > Replacement Message. Expand FortiGuard Web Filtering and edit the URL block message to customize the text of the message. 7 Revisit the web site and ensure that the customized Web Page Blocked message is displayed.


Exercise 2 Configuring Web Filtering Authentication


Web filtering can be configured to prompt the user for authentication before accessing a web resource. A warning page is displayed where the user must enter their credentials before proceeding to the web page.
1 In Web Config, go to User > User > User. Create a new user called Override_User with a password of override_pw.
2 Go to User > User Group > User Group and create a new user group with the following details:
Name: web-override
Type: Firewall
Members: Select Override_User created in step 1 and move it from the Available Users Group list to the Members list.

3 Go to UTM Profiles > Web Filter > Profile and edit the Category_Test profile. Select all the categories and use the Change Action for Selected Categories setting to set the action to Authenticate. Select the web-override user group from Available User Groups and move it to Selected User Groups.

4 In the web browser, attempt to connect to a blocked category web site. A Web Page Blocked message is displayed again, this time with a Proceed button.


5 Click Proceed to view the Web Filter Block Override page.

Enter the user name of Override_User and the password of override_pw and click Continue. 6 The blocked web page should be displayed.
Note: The Web Filter Block Override web page may not function properly when flow-based web filtering is used instead of proxy-based filtering.

7 In Web Config, go to Log&Report > Log & Archive Access > UTM Log and locate the log messages related to the web filtering activity.


Exercise 3 Configuring Web Filtering Quotas


In addition to using category and classification blocks and overrides, an access quota can be assigned by category, category group, or classification. Quotas allow access to web resources for a specified length of time. The quotas are calculated separately for each user, based on the authentication credentials provided, and are reset every day at midnight.
1 In Web Config on the Student FortiGate device, go to UTM Profiles > Web Filter > Profile. Edit the Category_Test profile. Expand Quota on Categories and click Create New to create new quotas. Select the categories to be assigned quotas and set the quota time value to 5 minutes.

2 In the web browser, attempt to visit a blocked category web site again. Click the Proceed link on the Web Page Blocked page. Authenticate on the Web Filter Block Override page using the Override_User credentials.
Note: The Web Category Override web page may not function properly when flow-based web filtering is used.

3 Once authenticated properly, the quota timer is initiated. Go to UTM Profiles> Monitor > FortiGuard Quota to display the current quota timer value.

When the daily quota value is reached, the FortiGuard replacement message will be displayed again.
4 In Web Config, go to Log&Report > Log & Archive Access > UTM Log and locate the log messages related to the web filtering activity.
5 Edit the Category_Test profile, expand Quota on Categories and delete the quotas on the selected categories.
6 Edit the port3(internal) -> port1(external1) policy to disable UTM.


Lab 8 Data Leak Prevention


Objectives
In this lab, the transmission of sensitive data outside the network will be blocked using the data leak prevention features of the FortiGate unit.

Tasks
In this lab, the following tasks will be completed:
Exercise 1 Blocking Encrypted Files
Exercise 2 Blocking Leakage of Credit Card Information
Exercise 3 Blocking Oversize Files by Type
Exercise 4 DLP Banning and Quarantining
Exercise 5 DLP Fingerprinting

Timing
Estimated time to complete this lab: 40 minutes

Exercise 1 Blocking Encrypted Files


1 Log in to Web Config on the Student FortiGate unit in the virtual lab environment and go to System > Dashboard > Status. In the System Information pane, create a backup of the device configuration to a location on the virtual Windows 2003 Server. Modify the name of the configuration file to identify it as being created before Lab 8.
2 DLP rules define the data to be protected. Enter the following commands in the CLI on the Student FortiGate unit to create a new DLP rule called Block_Encrypted:
config dlp rule
    edit Block_Encrypted
        set protocol http
        set sub-protocol http-post
        set field encrypted
    next
end
This rule will look for encrypted files that are posted using HTTP.


3 This new DLP rule must be added to a sensor. In Web Config on the Student FortiGate device, go to UTM Profiles > Data Leak Prevention > Sensor. Create a new proxy-based detection sensor called No_Encrypted_Files (Click Create New ( ) in the upper right-hand corner of the Edit DLP Sensor window).

4 In the Edit DLP Sensor window, create a new DLP sensor filter with the following details:
Filter Name: No_Encrypted_Files_Filter
Filter By: Advanced Rule
Advanced Rule: Block_Encrypted
Action: Block
Archive: Disable

5 Go to Policy > Policy > Policy and edit the port3(internal) -> port1(external1) firewall policy to enable UTM. Enable the DLP sensor called No_Encrypted_Files.
6 To test the DLP sensor, an encrypted file will be sent to an email recipient. A web-based file transfer tool will be used to send the file. In a web browser on the virtual Windows 2003 Server, connect to the following URL:
http://www.sendspace.com
7 On the Sendspace web page, click Browse and locate the encrypted test file called dlp-test-encrypt.zip on the desktop of the virtual Windows 2003 Server. Enter the email address of a recipient along with your own email address in the appropriate fields and click Upload. The DLP warning message will be displayed.


8 In Web Config on the Student FortiGate device, go to Log&Report > Log & Archive Access > UTM Log and locate the entry for the data leak action.

9 Change the extension of the encrypted file on the virtual Windows 2003 Server desktop to *.txt.
10 Return to the sendspace.com web site and attempt to transfer the file again. The file should still be blocked.
11 Go to Log&Report > Log & Archive Access > UTM Log and locate the log events generated by the sensor for this blocked transfer.
12 By default, the No_Encrypted_Files sensor is proxy based. The sensor can be modified to use flow-based detection. Flow-based detection provides high concurrent sessions, high session rates and low-latency DLP filtering. In Web Config on the Student FortiGate device, go to UTM Profiles > Data Leak Prevention > Sensor and edit the No_Encrypted_Files sensor to change the Inspection Method to Flow-based Detection. Apply the change to the sensor.


13 Return to the sendspace.com web site once again and attempt to transfer the encrypted test file. The file upload should still be blocked but no replacement message will be displayed since the FortiGate unit resets the connection by sending a TCP RST and ACK message. Depending on the web browser being used, a connection reset message may be displayed.

14 Go to Policy > Policy > Policy and edit the port3(internal) -> port1(external1) firewall policy to disable UTM.
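Steps 9 and 10 show that the Block_Encrypted rule keys on content rather than on the file extension. One way such a content check works for ZIP archives is to read the general-purpose flag in each local file header, where bit 0 marks an encrypted entry. The Python below is an added example for this guide and is not FortiOS's detector: it builds a constructed one-entry archive with the standard library, sets the encryption flag bit by hand for the "encrypted" case (the data itself is not enciphered, which is enough for a header-based check), and then classifies uploads by their bytes.

```python
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"   # local file header signature
ENCRYPTED_FLAG = 0x0001         # general-purpose flag bit 0


def make_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed sample archive. For encrypted=True only the flag bit in the
    local file header is set; real archivers also encrypt the entry data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        flags = struct.unpack_from("<H", data, 6)[0] | ENCRYPTED_FLAG
        struct.pack_into("<H", data, 6, flags)   # flags live at offset 6
    return bytes(data)


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the local file headers and report whether any entry is flagged
    as encrypted. Header layout after the 4-byte signature: version(2),
    flags(2), method(2), time(2), date(2), crc(4), compressed size(4),
    uncompressed size(4), name length(2), extra length(2)."""
    pos = 0
    while True:
        pos = data.find(ZIP_LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            return False
        flags, _method, _t, _d, _crc, comp, _uncomp, nlen, elen = struct.unpack_from(
            "<HHHHIIIHH", data, pos + 6)
        if flags & ENCRYPTED_FLAG:
            return True
        pos += 30 + nlen + elen + comp   # skip name, extra field and entry data


def dlp_block_encrypted(filename: str, data: bytes) -> bool:
    """Decision for a Block_Encrypted-style rule: the filename is accepted for
    logging only; renaming .zip to .txt does not change the verdict."""
    return data.startswith(ZIP_LOCAL_SIG) and zip_has_encrypted_entry(data)


if __name__ == "__main__":
    enc = make_zip("secret.txt", b"constructed sample content", encrypted=True)
    for name, blob in (("dlp-test-encrypt.zip", enc), ("dlp-test-encrypt.txt", enc),
                       ("plain.zip", make_zip("a.txt", b"x", False)), ("notes.txt", b"text")):
        print(name, "blocked" if dlp_block_encrypted(name, blob) else "allowed")
```

A flow-based sensor would apply the same header test to the first packets of the upload, which is why, in step 13, the connection is simply reset once the flag is seen instead of a replacement page being served.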


Exercise 2 Blocking Leakage of Credit Card Information


Some default rules are provided on the FortiGate unit to simplify implementation of the DLP feature. The HTTP-Visa-Mastercard rule is designed to block any HTTP transfer that contains a Visa or Mastercard number in the message body.
1 Enter the following commands in the CLI on the Student FortiGate device to view the built-in HTTP-Visa-Mastercard rule:
config dlp rule
    edit HTTP-Visa-Mastercard
        get
Note the regular expression used to identify the credit card number.
2 Enable HTTP GET and set the option to scan archive content for this default DLP rule using the following CLI commands (these commands are entered in the CLI right after the commands entered in step 1):
        set sub-protocol http-post http-get
        set file-scan archive-content
    end
3 In Web Config on the Student FortiGate device, go to UTM Profiles > Data Leak Prevention > Sensor and create a new DLP sensor using proxy-based detection called Sensitive_Data.
4 In the Edit DLP Sensor window, create a new DLP filter with the following details:
Filter Name: No_Credit_Cards
Filter By: Advanced Rule
Advanced Rule: HTTP-Visa-Mastercard
Action: Block
Archive: Full

5 Go to Policy > Policy > Policy and edit the port3(internal) -> port1(external1) firewall policy to enable UTM. Enable DLP filtering using the Sensitive_Data sensor.


6 A file called creditcards.xls containing credit card numbers is posted on the Fortinet Online Campus. In a web browser on the virtual Windows 2003 Server, attempt to download the file from the following location: http://campus.training.fortinet.com Click Class Descriptions, and the 201 - FortiGate I tab and locate the file in the Student Resource Files section at the bottom of the web page. Click the link to attempt to access the file. The DLP block message will be presented when the file download is attempted.

7 In Web Config on the Student FortiGate device, go to Log&Report > Log & Archive Access > UTM Log and locate the log entry for the DLP block action.
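Step 1 asks you to note the regular expression behind the HTTP-Visa-Mastercard rule. The Python below is an added example for this guide that shows how such a rule is typically built and why a regular expression alone is not enough: the pattern here is the author's own (it is not the expression shipped in FortiOS), and it is paired with a Luhn checksum so that 16-digit strings that merely look like card numbers do not trigger the block. The sample POST body and card numbers are constructed test values.

```python
import re

# Illustrative pattern (NOT the FortiGate rule's expression): 16 digits,
# optionally grouped by spaces or hyphens, starting with 4 (Visa) or
# 51-55 (Mastercard), and not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:4\d{3}|5[1-5]\d{2})(?:[ -]?\d{4}){3}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(body: str):
    """Candidates that match the pattern AND pass the checksum."""
    hits = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def dlp_decision(method: str, body: str, sub_protocols=("http-post", "http-get")) -> str:
    """Mimic the sensor filter: block when the request's sub-protocol is one the
    rule covers (after step 2: http-post and http-get) and the body carries at
    least one valid-looking card number."""
    if f"http-{method.lower()}" not in sub_protocols:
        return "pass"
    return "block" if find_card_numbers(body) else "pass"


# Constructed sample form post: two valid test numbers and one that fails Luhn.
SAMPLE_BODY = ("name=alice&card=4111 1111 1111 1111&alt=5555555555554444"
               "&typo=4111-1111-1111-1112&ticket=4000123456789012345")


if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))
    print(dlp_decision("POST", SAMPLE_BODY), dlp_decision("PUT", SAMPLE_BODY))
```

The 19-digit ticket value starting with 4 is ignored by the look-around guards, and the number with a transposed last digit matches the pattern but fails the checksum, so only the two genuine test numbers are reported.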

Exercise 3 Blocking Oversize Files by Type


Another use of the data leak prevention functionality is to control bandwidth usage by limiting the download of files of a specific type or beyond a specified size. In this exercise, a compound rule will be created to block a file based on both its type and its size.
1 Use the following CLI commands on the Student FortiGate device to edit the built-in DLP rule called Large-HTTP-Post to set the file transfer size to 1000KB for the HTTP-GET and HTTP-POST operations:
config dlp rule
    edit "Large-HTTP-Post"
        set sub-protocol http-get http-post
        set value 1000
    next
end
2 In Web Config on the Student FortiGate device, go to UTM Profiles > Data Leak Prevention > File Filter and create a new file filter list called No_MP3. In the file filter list window, create and enable a new file name pattern to block files with a pattern of *.mp3.


3 Enter the following CLI commands on the Student FortiGate device to clone the built-in Large-HTTP-Post DLP rule to create a second DLP rule called MP3:
config dlp rule
    clone Large-HTTP-Post to MP3
4 Edit the new MP3 rule with the following CLI commands to apply the rule to the HTTP-GET and HTTP-POST operations:
    edit "MP3"
        set sub-protocol http-get http-post
        set field file-type
        set file-type 3
        set file-type-negated disable
    next
end
Note: file-type identifies the integer value of the file pattern table. To find out the correct value to use for a DLP rule (in this case, MP3), enter a question mark after the command. For example:
set file-type ?
Sample output:
Please enter the integer value of the filepattern table
1 builtin-patterns
2 all_executabled
3 No_MP3

5 Still in the CLI, use the following commands to create a compound rule called MP3_Compound:
config dlp compound
    edit "MP3_Compound"
        set protocol http
        set sub-protocol http-get http-post
        set member "Large-HTTP-Post" "MP3"
    next
end
6 In Web Config on the Student FortiGate device, go to UTM Profiles > Data Leak Prevention > Sensor and edit the Sensitive_Data sensor. Create a new filter to include the new MP3_Compound rule:


7 A file called big.mp3 is posted on the Fortinet Online Campus. In a web browser on the virtual Windows 2003 Server device, attempt to download the file from the following location: http://campus.training.fortinet.com Click Class Descriptions, then the 201 - FortiGate I tab, and locate the file in the Student Resource Files section at the bottom of the web page. Click the link to attempt to access the file. The DLP block replacement message should be presented when the file download is attempted.

8 Go to Log&Report > Log & Archive Access > UTM Log and locate the log entry for the DLP block action.

Exercise 4 DLP Banning and Quarantining


1 In Web Config on the Student FortiGate device, go to UTM Profiles > Data Leak Prevention > Sensor and edit the Sensitive_Data sensor to change the action for the No_Credit_Cards rule to Quarantine User.

2 On the Fortinet Online Campus, attempt to download the creditcard.xlsx file once again. The file download should be blocked.

3 In Web Config on the Student FortiGate device, go to User > Monitor > Banned User and locate the banned entry in the list.

4 Select and delete the banned entry.

5 Edit the Sensitive_Data sensor once again to change the action for the No_Credit_Cards rule to Quarantine IP address.

6 Attempt to download the creditcard.xlsx file once again. The IP address should be quarantined.

7 Check the banned user list once again and locate the entry. Note that the Application Protocol column is empty, indicating that the IP address is quarantined.

8 In Web Config, go to Policy > Policy > Policy and edit the port3(internal) -> port1(external1) firewall policy to disable UTM and the Sensitive_Data sensor.


Exercise 5 DLP Fingerprinting


1 In Web Config on the Student FortiGate device, go to UTM Profiles > Data Leak Prevention > Document Fingerprinting. In the Manual Document Fingerprints section, upload a new document to fingerprint. Click Create New and locate the file in the following location on the virtual Windows 2003 Server: C:\Inetpub\wwwroot\addfiles\HA_Chapter.pdf Set the Sensitivity Level to Critical.

2 Go to UTM Profiles > Data Leak Prevention > Sensor and create a new proxy-based detection sensor called Fingerprint_Test.

3 On the Edit DLP Sensor page, create a new DLP sensor filter with the following details:

    Filter Name: Fingerprint_Document
    Filter By:   Finger Print
    Sensitivity: Critical
    Action:      Block
    Archive:     Full

Click OK to save the change to the filter and click Apply to save the change to the sensor.

4 Go to Policy > Policy > Policy and enable the port1(external1) -> port3(internal) policy for vip_to_webserver. Enable UTM and enable the Fingerprint_Test sensor.

5 In the remote lab applet, go to Operations > Connect To Secondary > WinXP to connect to the virtual Windows XP device.

6 Launch a web browser on the virtual Windows XP desktop and attempt to access the Fortinet Training web server located at the following location: http://10.200.1.200

7 From the Additional Files tab, click Additional Files and attempt to download the file called HA_Chapter.pdf. The DLP block replacement message should be presented when the file download is attempted.

8 In Web Config on the Student FortiGate device, go to Log&Report > Log & Archive Access > UTM Log and locate the log entry for the DLP block action.

9 In Web Config, go to Firewall > Policy > Policy and edit the port1(external1) -> port3(internal) policy for vip_to_webserver to disable UTM and the Fingerprint_Test sensor.


Lab 9 - Application Control

Objectives
In this lab, access to specific applications will be blocked using the application control feature on the FortiGate unit.

Tasks
In this lab, the following tasks will be completed:
    Exercise 1 Creating an Application Control List
    Exercise 2 Testing Application Control

Timing
Estimated time to complete this lab: 15 minutes

Exercise 1 Creating an Application Control List


1 Log in to Web Config on the Student FortiGate unit in the virtual lab environment and go to System > Dashboard > Status. In the System Information pane create a backup of the device configuration to a location on the virtual Windows 2003 Server. Modify the name of the configuration file to identify it as being created before Lab 9.

2 In Web Config, go to UTM Profiles > Application Control > Application Sensor and create a new application control sensor called App_Control_Lab. (Click Create New in the upper right-hand corner of Web Config.)

3 On the Edit Application Sensor page, create a new application filter with the following details:

    Type:        Application
    Category:    media
    Application: YouTube.Download
    Action:      Monitor


4 Create a second filter in the App_Control_Lab sensor with the following details:

    Type:        Application
    Application: Myspace
    Action:      Block

The App_Control_Lab sensor will contain the following entries:

5 Go to Policy > Policy > Policy and edit the port3(internal) -> port1(external1) firewall policy to enable UTM. Enable application control using the App_Control_Lab sensor.

Exercise 2 Testing Application Control


1 On the virtual Windows 2003 Server, launch a web browser and access the following web site: http://www.youtube.com On the YouTube web site, attempt to play a random video.

2 In Web Config on the Student FortiGate device, go to Log&Report > Log & Archive Access > UTM Log and locate the log entry for the application control action.

3 In the web browser, access the following web site: http://www.myspace.com

4 Locate the log entry for this action in the UTM Log. Double-click the entry to view the details.

5 In Web Config, go to UTM Profiles > Application Control > Application Sensor and edit the App_Control_Lab sensor. Set the action for the YouTube application filter to Block.

6 In the web browser, access the following web site and attempt to play a video once again: http://www.youtube.com

7 View the details of the log entry for this action in the UTM Log.


Exercise 3 Creating an Application Control Filter


1 In Web Config on the Student FortiGate device, go to UTM Profiles > Application Control > Application Sensor and create a new Application Control Sensor called App_Control_Lab2. (Click Create New in the upper right-hand corner of Web Config.)

2 Click the icon next to Create New and create a new filter in the application control sensor with the following details:

    Type:        Application
    Application: Facebook
    Action:      Block


3 Create a second filter in the App_Control_Lab2 sensor with the following details:

    Type:     Filter
    Category: proxy
    Action:   Block

4 Go to Policy > Policy > Policy and edit the port3(internal) -> port1(external1) firewall policy to use the App_Control_Lab2 sensor.

5 On the virtual Windows 2003 Server, launch a web browser and access the following web site: http://www.facebook.com

6 In Web Config, go to Log&Report > Log & Archive Access > UTM Log and locate the log entries for the blocked access to Facebook.

7 Return to the web browser and attempt to access the following web site: http://proxite.us On the proxy web site, enter the URL of a site to visit and click Go.

8 In the UTM Log, locate the log entries for the blocked proxy actions.

9 Go to Policy > Policy > Policy and edit the port3(internal) -> port1(external1) firewall policy to disable UTM.
