
Westcon Group Inc.

FortiGate WorkShop 101/102 – Introduction to FortiGate

Lab #1 – Introduction to FortiGate (part 1)


Configure the FortiGate interface using the CLI (VM console) and connect using the default credentials:

• User: admin
• Password:
Enter these commands on the FortiGate:
config system interface
edit port3
set ip 10.0.0.1/24
set allowaccess ping http https ssh telnet
end

Backup Configuration
Connect using your web browser http://10.0.0.1
Go to the Dashboard and, in the System Information widget:
1. Click Backup
• Select Encryption
• Set a Password.
• Click OK.
Explore the GUI
1. Take your time to view the GUI information.
2. In the Dashboard set the System Time to your current Time Zone.
Go to Dashboard > CLI Console
1. Execute the command: execute formatlogdisk (this command formats the FortiGate hard drive).

Lab #2 – Introduction to FortiGate (part 2)


Configure Support Account (read only access)
Go to System > Admin Profiles:
1. Create New

FortiGate 5.4 (WorkShop 101-102)


Presented by: Julio Ureña.

2. Name: soporte_RO
3. Click Read Only for all options.
4. OK.
Go to System > Administrators:
1. Create New.
2. Name: soporte
3. Password: soporte
4. Administrator Profile: soporte_RO
5. Ok.
Click admin and Logout. Log in with the user soporte and confirm whether or not you can make changes to
the configuration. Once done, log in again with the admin user to continue with the exercises.

Lab #3 – Setup DHCP Server for the LAN interface


Go to Network > Interfaces:
1. Edit “port3”.
2. Assign:
a. Alias: LAN.
b. Role: LAN
c. Enable DHCP Server
i. Starting IP: 10.0.0.50 – End IP: 10.0.0.200
ii. Netmask: 255.255.255.0
iii. Gateway: 10.0.0.1
iv. DNS Server: Same as Interface IP
d. Leave everything default.
e. Ok.
Set your Host-Only network to use the DHCP Server.
Important: Back up your FortiGate configuration at this point (we will use it later) and name it
Restored_Point.


Lab #4 – Internet Access Configuration


Connect to the FortiGate web GUI, go to Network > Interfaces and do the following:
1. Edit "port1".
2. Assign:
a. Alias: Internet 1.
b. Role: WAN
c. Estimated Bandwidth: 10000 kbps / 10000 kbps
d. Configure the IP 10.200.1.1/24 and leave everything default.
e. Ok.
3. Test the connection to the gateway from Dashboard > CLI Console:
a. Type the following command: execute ping 10.200.1.254

Lab #5 - Static Route Configuration for Internet Access


Go to Network > Static Routes:
1. Create New
2. Device: port1
3. Gateway: 10.200.1.254
4. Leave everything default.
5. Ok.

Test the Internet connection through the gateway from Dashboard > CLI Console:
a. Type the following command: execute ping 8.8.8.8


Lab #6 - Configure FortiGate as DNS Server


Some FortiGate functions are hidden by default; to use them you must enable them in the Feature Select
settings. Go to System > Feature Select and do the following:
1. Under Additional Features, enable DNS Database.
2. Click Apply.

Go to Network > DNS Servers and do the following:


1. In DNS Service on Interface, click Create New.
2. Select the interface that will receive DNS requests (port3).
3. Mode: Forward to System DNS.
4. Ok.

Note: With this configuration, DNS requests that clients send to the FortiGate are forwarded to the
FortiGate's system DNS servers (the Fortinet DNS servers by default).

In the Dashboard, go to the CLI Console and test your DNS resolution with a ping
to www.google.com using the command: execute ping www.google.com
Note: The FortiGate's own DNS resolution uses the servers configured under
Network > DNS (Primary and Secondary DNS Server).
To view the system DNS servers, go to Network > DNS.


Lab #7 - License Activation


To check your licenses, go to the Fortinet support website: https://support.fortinet.com/
Load the license file (FXXXXXXXXXX.lic):
Go to Dashboard | click Update License Information (upload the file). The FortiGate needs to be
restarted.

Once rebooted, if the license status does not change to VALID, shut down the FortiGate and then power it
on again. Wait a few minutes until the license is validated by FortiGuard Labs.
Lab #8 - Security policies and Firewall Objects
Create Firewall objects
Go to Policy & Objects > Addresses and perform the following:
Object #1
1. Create New > Address
2. Name: LAN
3. Type: IP/Netmask
4. Subnet / IP Range: 10.0.0.0/24
5. Leave everything default.
6. Ok.
Object #2 (this object will later be used to separate types of access).
1. Create New > Address
2. Name: MyComputer
3. Type: IP/Netmask
4. Subnet / IP Range: 10.0.0.20
5. Leave everything default.
6. Ok.


Lab #9 - Creating an Internet policy for the network 10.0.0.0/24


Go to Policy & Objects > IPv4 Policy
1. Create New
2. Name: Internet.
3. Incoming Interface: port3
4. Outgoing Interface: port1
5. Source: LAN
6. Destination: all
7. Schedule: always
8. Service: HTTP, HTTPS, FTP, PING
9. Action: ACCEPT
10. NAT: Enabled
11. Leave everything default.
12. Ok.

Your Internet policy should look like this:

Test the Internet connection: open your browser and go to www.google.com.


Lab #10 – Web Filtering Profile Configuration.


A Web Filtering profile allows you to control which sites your users are allowed to access.
Go to Security Profiles > Web Filter:
1. To create a new web filtering profile, click the "+" icon on the right side.

2. Name: Internet_Restricted
3. FortiGuard Category Based Filter: Enabled.
4. To assign an action to the categories, select them by clicking, then right-click and choose the
desired option:
5. Block:
a. Potentially Liable
b. Adult/Mature Content
c. Bandwidth Consuming
6. Warning:
a. General Interest - Personal > Social Networks
b. General Interest - Personal > Games
7. Leave the other categories with their default values.
8. Under Search Engines, enable Enforce 'Safe Search' on Google, Yahoo!, Bing, Yandex.
9. Click "OK".


Assign Security Profile to a policy:


Go to Policy & Objects > IPv4 Policy
1. Edit Internet Policy.
2. On the part of Security Profiles:
a. Enable Web Filter
b. Select Internet_Restricted.
3. OK.

Try to navigate to an HTTP website such as http://www.msn.com, and then try to navigate to
https://www.youtube.com. The HTTPS website is allowed even though we blocked the Bandwidth
Consuming category on the FortiGate; this is because SSL/SSH Inspection must be enabled for the
FortiGate to be able to inspect HTTPS traffic.
Lab #11 – Enable SSL/SSH Inspection
To inspect HTTPS traffic, you will need to enable the SSL/SSH Inspection security profile.
Go to Security Profiles > SSL/SSH Inspection and select deep-inspection.

Make sure all settings match the image and click Download Certificate.


Install the certificate in your browser. The following example applies to Internet Explorer:
Double click the Certificate File “Fortinet_CA_SSL”

Click Install Certificate, then Next, and:


1. Select “Place all certificates in the following store”
2. Click Browse
3. Select “Trusted Root Certification Authorities”

4. Next, Finish and Accept the Certificate.


Apply the SSL/SSH Security Profile to the Policy:


Go to Policy & Objects > IPv4 Policy
1. Edit Internet Policy.
2. On the part of Security Profiles:
a. Enable SSL/SSH Inspection
b. Select deep-inspection.
3. OK.

Now if you try to access https://www.youtube.com the site will be blocked.


Lab #12 – Antivirus Security Profile
Go to Security Profiles > Antivirus:
1. We will use the "default" profile: set the option Detect Viruses to Block and click Apply.
2. Assign this Security Profile to the Internet policy (same as Web Filtering)
Try Fortinet antivirus engine:
1. Go to the website: http://www.eicar.org/85-0-Download.html
2. Download the EICAR test virus file over standard HTTP: in the download box, click eicar.com.txt.
3. You should receive a block notice:


Lab #13 – Application Control Security Profile


Go to Security Profiles > Application Control:
1. Create a new profile by clicking the + icon at the top right.

2. Name: AppControl_Restricted
3. In Categories set to Block the following Categories:
a. P2P
b. Social.Media
4. In Application Overrides:
a. Add Signature
b. Add Filter > Name > Instagram
c. Select Instagram and click Use Selected Signatures
d. Right-click the application and set the Action to Allow.

5. OK
6. Assign the Application Control profile to the Internet policy.
Lab #14 – Traffic Shaping Configuration
Traffic shaping configuration for Instagram
In this part we will allow the Instagram app to use only 1 Mbps / 1 Mbps of Internet bandwidth for all users
of the network.
Go to Policy & Objects > Traffic Shapers:
1. Create New
2. Type: Shared
3. Name: Instagram_BW
4. Traffic Priority: Low


5. Max Bandwidth: 1000


6. OK.

Go to Policy & Objects > Traffic Shaping Policy:


1. Create New
2. Source: LAN
3. Destination: all
4. Service: ALL
5. Application: Instagram
6. Outgoing Interface: port1
7. Shared Shaper: Instagram_BW
8. Reverse Shaper: Instagram_BW
9. Enable this Policy: Enabled.
10. Ok.
Note: this exercise is only a sample of how to configure traffic shaping for applications. With the
next policy we will be able to verify how traffic shaping reduces the available bandwidth by
using speedtest.
Lab #15 - Traffic Shaping settings for a user
Create a second Traffic Shaping Policy for all traffic. First use the page www.speedtest.net to check
your Internet speed; we will make a general configuration to change our upload and download
speed. If necessary, change the number of Mb to fit your bandwidth (make sure that
the amount is less than your bandwidth, so that you can validate that the policy works):
1. Create New
2. Source: all
3. Destination: all
4. Service: ALL
5. Outgoing Interface: port1
6. Shared Shaper: 2mb (create this shaper by clicking on the +)
7. Reverse Shaper: 1 mb (create this shaper by clicking on the +)
8. Enable this Policy: Enabled.
9. OK.

Now validate the speed test using the page www.speedtest.net


Lab #16 – Enabling WAN Link Load Balancing


Back up your FortiGate configuration and name it Internet_Policies, then restore the backup
named Restored_Point that you created in Lab #3.
You will enable WAN Link Load Balancing to balance the Internet traffic between port1 and
port2.
1. Open the FortiGate GUI: http://10.0.0.1
2. Go to Network > WAN LLB and enable Interface State.
3. Under WAN LLB, click Create New.
4. Add port1 with the Gateway 10.200.1.254
5. Click Create New one more time.
6. Add port2 with the Gateway 10.200.2.254
7. Select Source-Destination IP as the Load Balancing Algorithm.
8. Click Apply.
a. Your configuration should look like this:

Test your connection to the gateways by pinging 10.200.1.254 and 10.200.2.254 from the
FortiGate CLI console.
16.2 - Creating a Static Route for WAN Link Load Balancing
WAN link load balancing requires at least one static route to the virtual interface wan-load-balance.
To create a static route for WAN Link Load Balancing:
1. Go to Network > Static Routes.
2. Click Create New
3. Add this default route:


a. Destination: Subnet 0.0.0.0/0.0.0.0


b. Device: wan-load-balance
c. Administrative Distance: 10
4. Ok
16.3 - Creating a Firewall Policy for WAN Link Load Balancing
You will create the firewall policy to allow the internet traffic from port3 to the WAN Link load
balancing interface.
1. Go to Policy & Objects > IPv4 Policy.
2. Click Create New.
3. Configure the following Settings:
a. Name: Internet
b. Incoming Interface: port3
c. Outgoing Interface: wan-load-balance
d. Source: LAN
e. Destination Address: all
f. Schedule: always
g. Services: ALL
4. Under Firewall / Network Options, enable NAT
5. Click Ok.
16.4 - Testing the WAN Link Load Balancing Configuration
Sniff the HTTP traffic while generating some traffic. You should see that the FortiGate is balancing
the Internet traffic between port1 and port2.
To test the WAN Link Load Balancing configuration:
1. Connect to the FortiGate via SSH or console.
2. Log in as admin and enable the sniffer for SYN packets to port 80 using the following
command:
diagnose sniffer packet any 'tcp[13]&2==2 and port 80' 4
3. Generate some HTTP traffic from your computer by opening a few tabs in your browser
and connecting to some HTTP websites, such as:
a. http://pearsonvue.com/fortinet/
b. https://google.com
c. http://eicar.org
d. http://cve.mitre.org
4. Press Ctrl-C to stop the sniffer and check its output
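As an added example (not part of the workshop material), the following Python script tallies the outbound SYNs per WAN member in output of the form the sniffer command above prints at verbose level 4, so you can confirm that both links carried new sessions rather than eyeballing the capture. The sniffer lines embedded in it are constructed for the example, not captured from the lab.

```python
import re
from collections import Counter

# Constructed sample of what `diagnose sniffer packet any 'tcp[13]&2==2 and port 80' 4`
# prints: verbose level 4 adds the interface name and direction to each header line.
# These lines are made up for this example; they are not captured output from the lab.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[tcp[13]&2==2 and port 80]
1.101200 port3 in 10.0.0.20.50001 -> 93.184.216.34.80: syn 1000000001
1.101250 port1 out 10.200.1.1.50001 -> 93.184.216.34.80: syn 1000000001
1.402100 port3 in 10.0.0.20.50002 -> 104.16.0.10.80: syn 1000000002
1.402150 port2 out 10.200.2.1.50002 -> 104.16.0.10.80: syn 1000000002
1.703300 port3 in 10.0.0.20.50003 -> 192.0.2.80.80: syn 1000000003
1.703350 port1 out 10.200.1.1.50003 -> 192.0.2.80.80: syn 1000000003
2.004400 port3 in 10.0.0.20.50004 -> 198.51.100.7.80: syn 1000000004
2.004450 port2 out 10.200.2.1.50004 -> 198.51.100.7.80: syn 1000000004
"""

# One header line: "<time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags> ..."
HEADER_RE = re.compile(
    r"^\s*\d+\.\d+\s+(?P<ifname>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)

def count_egress_syns(output, wan_interfaces=("port1", "port2")):
    """Count outbound SYNs per WAN member. Only 'out' lines on the listed WAN
    interfaces count, so the LAN-side copy of each SYN on port3 and the
    server's inbound SYN-ACKs (also matched by tcp[13]&2==2) are ignored."""
    counts = Counter({ifname: 0 for ifname in wan_interfaces})
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # banner lines such as interfaces=[any] and filters=[...]
        if m["dir"] == "out" and m["ifname"] in wan_interfaces and "syn" in m["flags"]:
            counts[m["ifname"]] += 1
    return dict(counts)

def is_balanced(counts):
    """True when every WAN member carried at least one new session. With the
    Source-Destination IP algorithm from Lab 16, one source/destination pair
    always uses the same link, so several different destinations are needed."""
    return all(n > 0 for n in counts.values())

if __name__ == "__main__":
    per_wan = count_egress_syns(SAMPLE_SNIFFER_OUTPUT)
    print(per_wan)                          # {'port1': 2, 'port2': 2}
    print("balanced:", is_balanced(per_wan))
```

Paste the real sniffer output into SAMPLE_SNIFFER_OUTPUT (or read it from a file) after step 4; a member that stays at zero means that link never received new sessions.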


Lab #17 – Configure IP Address to FortiAnalyzer


Configure the FortiAnalyzer interface using the CLI (VM console) and connect using the default
credentials:

• User: admin
• Password:
Enter these commands on the FortiAnalyzer:
config system interface
edit port1
set ip 10.0.0.100/24
set allowaccess ping http https ssh
end
execute format disk
Test your connection to the FortiAnalyzer from your computer or from the FortiGate CLI Console.

Lab #18 - Configure Log Settings


Restore the backup Internet_Policies that you created in Lab #16. Once restored, go to Policy &
Objects > IPv4 Policy, edit the Internet policy and set Log Allowed Traffic to All Sessions.

Configuration of log shipping for the FortiAnalyzer


In the FortiGate go to Log & Report > Log Settings:
1. Go to Remote Logging and Archiving
2. Enable Send Logs to FortiAnalyzer/FortiManager
3. IP Address: 10.0.0.100
4. Test Connectivity

You will receive an error “Unable to retrieve FortiAnalyzer/Fortimanager status”.


Click Ok and Apply the changes.

Go to the FortiAnalyzer GUI interface http://10.0.0.100 and log in with user admin without
password.

Go to System Settings > Network and set the Default Gateway to 10.0.0.1

Go to System Settings and within System Information set the System Time to your Time Zone

Go to Device Manager and click Device Unregistered

You will see the FortiGate that tried to connect; right-click it and choose Add.

Assign a name and click OK.

Go to your computer and open a cmd window in the folder where you have the wget.exe and
blacklist-urls.txt files. Type the following command:

wget -i blacklist-urls.txt -t 1 -T 1 -w 1 --spider

Wait some time and then open FortiAnalyzer > FortiView to check the log information and
graphs.

Take your time to view the options and check the FortiAnalyzer Interface.


Lab #19 – Generate a Report

Go to Reports > All Reports and edit "Web Usage Report" (right-click to view the options).

Click Settings

Time Period: Today

Filters and set:


1. Log Field: Source IP (srcip)
2. Match Criteria: Equal To
3. Value: 10.0.0.24


Apply the changes and click View Report. Click Run Report.

The report is empty. Why? Because we specified a Source IP address. Go to your Windows box,
change the IP of your machine to 10.0.0.24 and run the script to generate traffic:

wget -i blacklist-urls.txt -t 1 -T 1 -w 1 --spider

Go to FortiAnalyzer > Log View

Click the tool icon and select Real-Time Log (make sure the script is still running).

Now observe the logs in real time.

Go back to the Report Menu and Run the Report Again:

Reports > All Reports: select Web Usage Report and click Run Report.

Now go to Reports > Generated Reports, select the last one and view it in HTML.
