Beruflich Dokumente
Kultur Dokumente
This document is intended to provide the SE with a tool to show to the Customers
and Partners the main functionalities of the Fortinet devices with virtual machine.
It has several step by step exercises to configure and setup all the devices and
how to show it to the customer.
Prerequisites
Edit VM network and create a NAT vmnet (or edit the existing one if you already
have it created):
Check the IP your ESXi server received from DHCP. This IP will be referred as
ESX-IP in this document:
Start the SET-Linux server, then connect to it with user fortinet and password
fortinet.
Open the Linux Terminal and execute the following commands there:
sudo su
cd /root/scripts
./Deploy.sh ESX-IP fad.conf
Example:
root@SET-Linux:# sudo su
root@SET-Linux:# [sudo] password for fortinet: fortinet
root@SET-Linux:# cd /root/scripts/
root@SET-Linux:# ./Deploy.sh 192.168.10.128 fad.conf
root@SET-Linux:#
If this is the first installation, just select y for all options and wait for the
deployment of all VMs, which can take some minutes.
If, for some reason, you want to just reinstall one VM, delete that then run the same
script again, but this time choosing n except for the VM you want to reinstall.
1 Connectivity Diagram
The FortiGate acts as an ISP and allows traffic from all VMs to Internet.
FG-IP:1080 to 10.0.0.11:80
FG-IP:1081 to 10.0.0.12:80
2 Initial Setup
Go to the WS1 VM console, open a Terminal and type the following commands:
Then, go to the WS2 VM console, open a Terminal and yype the following
commands:
The Deploy script should have already configured everything in SET-Linux, so you
just need to check that.
Open a terminal and check that the IP address from the ens192 interface is
10.0.0.100/24:
Execute the command show system interface to see all FortiGate interfaces were
correctly configured by the Deploy script. Otherwise please re-run the script, put
n for all steps except for the one that configures the FortiGate. If you still have
problems, please ask for instructors help.
Take note of the IP address from port1, youll use it for this lab anywhere the [FG-
IP] tag is indicated.
Configure the IP for port1, that will be used for management only:
From the SET-Linux VM, connect to FortiADC1 GUI through http://10.0.0.11 with
admin and no password.
Go to Networking > Interface and configure port2, port3 and port4 as indicated:
Go to Networking > Routing > Static and configure 2 static routes as indicated.
Notice that wan1 will be used since it has lower distance:
From FortiADC console, try to ping external websites to check that name resolution
and routing are working properly.
There are already some health checks created. Go to Shared Resources > Health
Check and see how they are configured. See the LB_HLTHCK_HTTP details:
Go to Server Load Balance > Real Server Pool > Real Server and create both
webservers:
Then go to Server Load Balance > Virtual Server, and create one in Advanced
Mode:
From SET Linux VM try accessing this Virtual Server through the CLI:
# curl http://10.0.21.100 -v
Go to Log & Report > Log Browsing > Traffic Log and see the generated logs,
including the details:
Run the command to connect to server several times to see the behavior:
Check again persistence table, traffic logs and Session table. Is traffic being sent
to both webservers or always to the same?
Go to Shared Resources > Health Check and create a new one as indicated:
Edit the Real Server Pool to use the newly created health check:
Exercise 2: Testing
From SET Linux VM, test accessing the virtual server using Firefox. Then, try also
through command line:
# curl http://10.0.21.100 -v
Check the Traffic Logs for SLB HTTP. Verify the details, and compare with the log
generated when using curl:
From the ESX console, connect to WS1 VM. Open a terminal and stop the Apache
WebServer service with the following commands:
Wait a few seconds and verify that WS1 is considered online again. Check logs to
see health check monitoring:
Go to Link Load Balance > Link Group and add both gateways:
Create a Link Policy to set all traffic from port2 to use the created link-group:
Exercise 2: Testing
Or
From the ESX GUI, open the WS1 VM console. Using curl, try accessing a few
different https websites or ping them:
Dont worry about the certificates errors, the idea is to generate traffic only. Check
that traffic is sent through wan1 and wan2:
Now suppose the datacenter wants to provide access to webservers through both
wan links. The first step is to create this second virtual server using wan2 (we
already have on in wan1 from previous labs).
Go to Server Load Balance > Virtual Server and create a second one with same
characteristics of VS-Webservers-Wan1, but now using wan2:
Go to Global Load Balance > Global Object > Data Center and create an object to
reference where this FortiADC is (we will name it datacenter1)
Leave the TTL for the members as -1 to use the zone level TTL:
Change Zone settings to have a TTL = 1. With that, DNS clients will not cache
records and will query for www.fortilab.com name resolution always:
From the SET Linux VM, verify how FortiADC answers DNS queries to
www.fortilab.com. You can use nslookup for that and point to both FortiADC IPs:
Test DNS resolution using FortiADC wan1 IP to see it does not return the Virtual
Server IP associated with wan2:
Go to Log & Report > Log Browsing and verify GLB generated logs:
Go to the WS3 VM console, open a Terminal and type the following commands:
Then, go to the WS4 VM console, open a Terminal and type the following
commands:
From SET-Linux VM, login to http://10.0.0.12. Go to System > Settings > Basic
and set hostname to FortiADC2.
Go to Link Load Balance > Link Group and create both gateways. Remember to
enable ICMP health check for them:
Server Load Balance > Real Server Pool and create both Real Servers:
Go to Global Load Balance > Global Object and create datacenter2 and
datacenter1 objects:
Create the local servers (remember you can use the Discover button):
Go to FQDN Settings and edit the existing Virtual Server Pool to include all
members from datacenter2:
Exercise 5: Testing
From SET Linux VM, test name resolution for all FortiADC wan interfaces. Notice
that all virtual servers are presented, since they are all available:
Go to ESX console and suspend WS4 VM. Does it change anything? Why?
Check Dashboard>Server Load Balance and Blobal Load balance on FADC2 and
FADC1
Before you start, verify that all FortiGate wan interfaces are up and enabled, and
that all webservers are running.
Connect to FortiADC1 and enable ping in all interfaces. This will be necessary later
when they test each other with the icmp health check:
Go to Link Load Balance > Virtual Tunnel and create a new tunnel named vt1. Add
2 members, one connecting wan1-wan1 and other using wan2-wan2:
Go to Link Policy, delete the existing policy (the one created during LLB lab), and
set the Default Link Group as link-group-1:
Go back to Virtual Tunnel vt1 and verify it is shown as available now. What was
the difference with the older LLB policy? Discuss with instructor.
Go to Shared Resources and add address objects for both datacenter networks:
Go to Link Load Balance > Virtual Tunnel and create a new tunnel named vt1. Add
2 members, one connecting wan1-wan1 and other using wan2-wan2:
Go to Shared Resources and add address objects for both datacenter networks:
Finally, go to Link Load Balance > Link Policy and create a policy to route traffic
from datacenter1 network to datacenter2 through the tunnel:
Connect to WS3 console and leave a ping to both WS1 and WS2 running:
In the FortiADC1 GUI, go to Server Load Balance > Virtual Server and create a
new Content Rewriting rule:
Then edit the Virtual Server VS-WebServers-Wan1 and enable this content
rewriting:
Now try to access http://10.0.22.100/index2.html. You will receive a not found alert,
since theres no rewriting rule, and this page does not really exist in the servers.
Exercise 2: Content Routing
In FortiADC1, go to Server Load Balance > Real Server Pool and create two new
Real Servers as indicated:
Create a new content routing rule as indicated. Notice that not defining a match
condition means a match anything.
Note: you can suspend WS3, WS4 and FortiADC2 VMs now to save resources in
your computer.
10 Scripting
From SET Linux VM, try accessing http://10.0.22.100 using Firefox. You should
see the page correctly.
Now change the Redirect-curl script and set firefox instead of curl:
Try from Firefox and using curl to see the differences now.
This lab intention is to briefly explain how to start working with scripts. Check the
existing scripts to understand better how they are and have some ideas on what
is possible to do.
11 ADC Security
Exercise 1: Authentication
Edit the VS-WebServers-Wan1 virtual server and set the authentication policy:
From SET Linux VM, open a terminal and using curl try to access
http://10.0.21.100/index.html:
From SET Linux VM, run the following to simulate a SQL Injection attack:
wget http://89.93.236.107/index.html?x=1--
Also, to facilitate our packet captures, we need to change SLB health check for
ICMP instead of HTTP. To do so, go to Server Load Balance > Real Server Pool
and edit RS-Pool-Webservers:
To change that, go to Server Load Balance > Application Resources and create a
new HTTP profile with the Source Address option enabled and HTTP mode as
Server Close (we will need that later):
Run the same capture again and verify the source IP used:
From the SET Linux CLI, run the following to see the included header with the
original source IP:
Notice that for each SYN packet received in port3 (wan) theres also a SYN packet
in port2 (lan) to the server.
Still from CLI, set this connection pool in the VS-WebServer-Wan1 virtual server:
Notice that only the first SYN is sent in port2. Why is that? Discuss with
instructor.
Exercise 3: Caching
Go to Server Load Balance > Application Optimization and create a new Caching
object:
Notice that theres only one access to the real server (in port2), while subsequent
traffic is delivered by the FortiADC directly.