• User: admin
• Password:
Enter these commands in the FortiGate:
config system interface
edit port3
set ip 10.0.0.1/24
set allowaccess ping http https ssh telnet
end
Backup Configuration
Connect with your web browser to http://10.0.0.1
Go to the Dashboard and, in the System Information widget:
1. Click Backup
• Select Encryption
• Set a Password.
• Click OK.
Explore the GUI
1. Take your time to view the GUI information.
2. In the Dashboard set the System Time to your current Time Zone.
Go to Dashboard > CLI Console
1. Execute the command: execute formatlogdisk (this command allows the FortiGate hard
drive to be formatted).
2. Name: soporte_RO
3. Click Read Only for all options.
4. OK.
Go to System > Administrators:
1. Create New.
2. Name: soporte
3. Password: soporte
4. Administrator Profile: soporte_RO
5. Ok.
Click admin and Logout. Log in with the support user and confirm whether or not you can make
changes to the configuration. Once completed, log in with the admin user to continue with the exercises.
Note: This configuration allows DNS resolution requests sent by clients to the FortiGate to be
forwarded to the Fortinet System DNS Servers.
In the Dashboard go to the CLI Console and test your DNS Resolution with a ping
to www.google.com using the command: execute ping www.google.com
Note: The DNS resolution settings for the FortiGate are based on the configuration in
Network > DNS: Primary and Secondary DNS Server.
To view the System DNS Servers, go to Network > DNS
Once rebooted, if the license doesn’t change to VALID, shut down the FortiGate and then turn it
on again. Wait a few minutes until the license is validated by FortiGuard Labs.
Lab #8 - Security policies and Firewall Objects
Create Firewall objects
Go to Policy & Objects > Addresses and perform the following:
Object #1
1. Create New > Address
2. Name: LAN
3. Type: IP/Netmask
4. Subnet / IP Range: 10.0.0.0/24
5. Leave everything default.
6. Ok.
Object #2 - this object will be used later to separate types of access.
1. Create New > Address
2. Name: MyComputer
3. Type: IP/Netmask
4. Subnet / IP Range: 10.0.0.20
5. Leave everything default.
6. Ok.
2. Name: Internet_Restricted
3. FortiGuard Category Based Filter: Enabled.
4. To assign a value to the categories, select by clicking, then right click and choose the
desired option:
5. Block:
a. Potentially Liable
b. Adult/Mature Content
c. Bandwidth Consuming
6. Warning:
a. General Interest - Personal > social networks.
b. General Interest - Personal > Games
7. Other categories leave them with their values by default.
8. Under Search Engines enable Enforce ‘Safe Search’ on Google, Yahoo!, Bing, Yandex.
9. Click "OK".
Try to navigate to an HTTP website like http://www.msn.com and then try to navigate to
https://www.youtube.com. The HTTPS website is allowed even though we block the Bandwidth
Consuming category in the FortiGate; this is because we need to enable SSL/SSH Inspection in
order to allow the FortiGate to verify HTTPS traffic.
Lab #11 – Enable SSL/SSH Inspection
To verify HTTPS traffic, you will need to enable the SSL/SSH Inspection Security Profile.
Go to Security Profiles > SSL/SSH Inspection and select deep-inspection.
Make sure all settings match the image and click Download Certificate.
Install the Certificate in your browser. The following example applies to Internet Explorer:
Double click the Certificate File “Fortinet_CA_SSL”
2. Name: AppControl_Restricted
3. In Categories set to Block the following Categories:
a. P2P
b. Social.Media
4. In Application Overrides
a. Add Signature
b. Add Filter > Name > Instagram
c. Select: Instagram and click Use Selected Signatures
d. Right Click the Application and set the Action to Allow.
6. OK
7. Assign the Application Control Profile to the Internet Policy
Lab #14 – Traffic Shaping Configuration
Traffic Shaping configuration for Instagram
In this part we will allow the Instagram app to use only 1mb / 1mb of Internet for all users of the
network.
Go to Policy & Objects > Traffic Shapers:
1. Create New
2. Type: Shared
3. Name: Instagram_BW
4. Traffic Priority: Low
Test your connection to the gateways using ping to 10.200.1.254 and 10.200.2.254 in the
FortiGate CLI console.
16.2 - Creating a Static Route for WAN Link Load Balancing
WAN link load balancing requires at least one static route to the virtual interface
wan-load-balance. To create a static route for WAN Link Load Balancing:
1. Go to Network > Static Routes.
2. Click Create New
3. Add this default route:
• User: admin
• Password:
Enter these commands in the FortiAnalyzer:
config system interface
edit port1
set ip 10.0.0.100/24
set allowaccess ping http https ssh
end
execute format disk
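Both interface snippets in this guide, port3 on the FortiGate and port1 on the FortiAnalyzer, enable unencrypted management protocols in "set allowaccess". The following Python script is an added example, not part of the original lab guide: it audits interface configuration text for those protocols and proposes the same line without them. The function names and the choice of http and telnet as the flagged set are assumptions of this example.

```python
CLEARTEXT = {"http", "telnet"}  # management protocols that send logins unencrypted

# Constructed samples: the interface snippets from the lab, as typed on each device.
FORTIGATE = """config system interface
edit port3
set ip 10.0.0.1/24
set allowaccess ping http https ssh telnet
end
"""
FORTIANALYZER = """config system interface
edit port1
set ip 10.0.0.100/24
set allowaccess ping http https ssh
end
"""

def parse_allowaccess(config_text):
    """Return {interface: [protocols]} from 'config system interface' blocks."""
    stack, iface, found = [], None, {}
    for tokens in (l.split() for l in config_text.splitlines() if l.strip()):
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))   # track nesting, e.g. 'config ipv6'
        elif tokens[0] == "end":
            del stack[-1:]                       # leave the innermost section, if any
            if not stack:
                iface = None                     # typed CLI: 'end' also closes 'edit'
        elif stack == ["system interface"]:
            if tokens[0] == "edit" and len(tokens) > 1:
                iface = tokens[1].strip('"')     # backup files quote the name
            elif tokens[0] == "next":
                iface = None
            elif tokens[:2] == ["set", "allowaccess"] and iface:
                found[iface] = tokens[2:]
    return found

def audit(config_text):
    """Return {interface: (cleartext protocols found, suggested replacement line)}."""
    report = {}
    for iface, protos in parse_allowaccess(config_text).items():
        weak = [p for p in protos if p in CLEARTEXT]
        if weak:
            kept = [p for p in protos if p not in CLEARTEXT]
            report[iface] = (weak, "set allowaccess " + " ".join(kept))
    return report

if __name__ == "__main__":
    for name, text in (("FortiGate", FORTIGATE), ("FortiAnalyzer", FORTIANALYZER)):
        for iface, (weak, fix) in audit(text).items():
            print(f"{name} {iface}: cleartext {weak} -> {fix}")
```

The same functions accept a full configuration backup pasted as text, because nested sections inside an interface entry are tracked and skipped.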
Test your connection to the FortiAnalyzer from your computer or the FortiGate CLI Console.
Go to the FortiAnalyzer GUI interface http://10.0.0.100 and log in with user admin without
a password.
Go to System Settings > Network and set the Default Gateway to 10.0.0.1
Go to System Settings and within System Information set the System Time to your Time Zone
You will see the FortiGate you tried to connect; now right-click it and select Add.
Go to your computer and open a cmd window in the folder where you have the wget.exe and
black_list.txt files. Type the following command
Wait some time and then open FortiAnalyzer > FortiView to check the logs information and
graphics.
Take your time to view the options and check the FortiAnalyzer Interface.
Go to Reports > All Reports and edit “Web Usage Report”; right-click to view the options.
Click Settings
Apply the changes and click View Report. Click Run Report.
The report is empty. Why? Because we specified a Source IP address. Go to your Windows box and
change the IP of your machine to 10.0.0.24 and execute the script to generate traffic:
Click the tool icon and select Real-Time Log (make sure the script is still running).
Report > All Reports select Web Usage Report and click Run Report
Now go to Reports > Generated Reports, select the last one and view it in HTML.