FortiGate Multi-Threat Security Systems
Administration, Content Inspection and Basic VPN Access
Course 201-v4.0
fortinet.com

Contents

Course Overview
  Course Objectives
  Prerequisites
  Who Should Attend
  Certification
  Self-Paced Training Course
  Course Evaluation (for Self-Paced Training Students)

Lesson 1 - Overview and System Setup
  Unified Threat Management
  The Fortinet Solution
    FortiGate
    FortiGuard
    FortiManager
    FortiAnalyzer
    FortiMail
    FortiClient
  Firewall Basics
    Types of Firewalls
    Network Address Translation
  FortiGate
    FortiGate Capabilities
    FortiGate Unit Description
    FortiGate Front View
    FortiGate Back View
    Operating Modes
  Device Administration
    Web Config
    Command Line Interface (CLI)
    Administrative Users
    Interface Addressing
    DNS
    Configuration Backup and Restore
    Firmware Upgrades
  Lab 1 - Initial Setup

Lesson 2 - FortiGuard Subscription Service
  FortiGuard Distribution Network
  Connecting to the FortiGuard Servers
  FortiGuard Antivirus Service
  FortiGuard Intrusion Protection System Service
  FortiGuard Web Filtering Service
    FortiGuard Rating Server
    FortiGuard Web Filtering Service
  FortiGuard Antispam Service
    Antispam Filters
    Spam Filtering Techniques
  Enabling FortiGuard Subscription Services
    Licensing
    Scheduled Updates
    Push Updates
    Manual Updates
    Caching
    FortiGuard Web Filtering Categories
    Antispam Control
  Configuring FortiGuard Subscription Services Using the CLI
  FortiGuard Center
  Lab 2 - Fortinet Subscription Services

Lesson 3 - Logging and Alerts
  Log Storage Locations
    Local Hard Disk
    FortiAnalyzer
    System Memory
    Syslog
    FortiGuard Analysis Service
    Logging to Multiple FortiAnalyzer Units or Syslog Servers
  Logging Levels
    Emergency
    Alert
    Critical
    Error
    Warning
    Notification
    Information
    Debug
  Log Types
    Event Log
    Traffic Log
    Attack Log
    Antivirus Log
    Web Filter Log
    Antispam Log
    DLP Log
    Application Control Log
  Configuring Logging
    Selecting Location and Level
    Enabling Log Generation
    Viewing Log Files
  Log Display Format
  Content Archiving
    Enabling Content Archiving
    Viewing Content Archives
  Alert Email
    Configuring Alert Email
  SNMP
    Configuring SNMP
    Configuring an Interface for SNMP Access
  Lab 3 - Logging and Monitoring

Lesson 4 - Firewall Policies
  Overview
  Policy Matching
  Firewall Policy List
  User Authentication to Firewall Policies
    Authentication Protocols
  Creating or Editing Policies
    Firewall Addresses
    Firewall Schedules
    Firewall Services
    NAT
    Virtual IPs
    Protection Profiles
    Traffic Shaping
    Disclaimers
  Lab 4 - Firewall Policies

Lesson 5 - Basic VPN
  FortiGate VPN
    SSL VPN
    PPTP VPN
    IPsec VPN
  SSL VPN
    Operating Modes
    User Accounts
    Configuration Overview
    Enabling SSL VPN and Configuring SSL VPN Settings
    Firewall Policies
    SSL VPN Bookmarks
    Connecting to the VPN
  PPTP VPN
    Infrastructure Requirements
    FortiGate PPTP Topologies
    PPTP Server Configuration
    PPTP Pass-Through Configuration
  IPsec VPN
    IPsec Protocols
    Modes of Operation
    Security Association (SA)
    Internet Key Exchange (IKE)
    Network Topologies
    Gateway-to-Gateway Configuration
    Defining Phase 1 Parameters
    Firewall Policies
  Lab 5 - SSL and IPsec VPN

Lesson 6 - Authentication
  Overview
  Authentication Methods
    Local
    Remote
  Users and User Groups
    Users
    User Groups
    Authentication Settings
  PKI Authentication
    X.509 Certificates
  RADIUS Authentication
    Configuring a RADIUS Server
  LDAP Authentication
    Configuring an LDAP Server
  TACACS+
    Configuring a TACACS+ Server
  Microsoft Active Directory Authentication
    Fortinet Server Authentication Extensions (FSAE)
    FSAE Configuration on the Microsoft Active Directory Server
    FSAE Configuration on the FortiGate Unit
  Lab 6 - Authentication

Lesson 7 - Antivirus
  Antivirus Elements
    File Filter
    Virus Scan
    Grayware
    Heuristics
  File Filter
    File Pattern
    File Type
    Actions
    Enabling File Filtering
    File Filter List Catalog
    New File Filter List
    File Filter Pattern List
  Updating the Antivirus Definitions
  Grayware
    Grayware Categories
  Quarantine
    Quarantine Files List
    Configuring Quarantine Options
  Splicing
  Client Comforting
  Scanning Options
    Extended AV Database
    Signatures
    Replacement Messages
    Scanning Non-Standard Ports
    Uncompressed Size Limit
  Lab 7 - Antivirus Scanning

Lesson 8 - Spam Filtering
  Spam Filtering Methods
    URL Check
    Email Checksum Check
    Spam Submission
    Blacklist
    HELO DNS Lookup
    Return Email DNS Check
    Banned Word
    MIME Headers Check
    DNSBL and ORDBL
    FortiGuard Antispam
    Customized Filter
  Enabling Antispam
  Spam Actions
  Banned Word
    Banned Word List Catalog
    New Banned Word List
    Configuring Banned Words
    Banned Word List
  Black/White List
    IP Address Filtering
    Email Address List Filtering
  Multipurpose Internet Mail Extensions (MIME) Headers Check
  DNS Blackhole List and Open Relay Database List
  FortiGuard Antispam

Lesson 9 - Web Filtering
  Order of Filtering
  Web Content Block
    Web Content Block List Catalog
    New Web Content Block List
    New Banned Pattern List
    Web Content Block List
  Web Content Exempt
    Web Content Exempt List Catalog
    New Web Content Exempt List
    New Web Content Exempt Pattern
    Web Content Exempt List
  Enabling Web Filtering
  URL Filter
    URL Filter List Catalog
    New URL Filter List
    New URL Filter List Entry
    URL Filter List
  FortiGuard Web Filtering
    Web Filtering Categories
    Web Filtering Classes
    Enabling FortiGuard Web Filtering
    Web Filtering Override
  Lab 9 - Web Filtering

Appendix 1 - Fortinet Certification
  Fortinet Certified Network Security Administrator (FCNSA)
  Fortinet Certified Network Security Professional (FCNSP)
  Fortinet Certified Trainer (FCT)
  Fortinet Certified Network Security Administrator
    Suggested Reading
    Highly Recommended
    Mandatory
  Fortinet Certified Network Security Professional
    Suggested Reading
    Highly Recommended
    Mandatory
  Certification Exams

Course Overview

This course provides an introduction to the configuration and administration of FortiGate Unified Threat Management appliances. Through a variety of hands-on labs, you will learn about the most common features of the FortiGate unit. You will gain a solid understanding of how to integrate the FortiGate unit into your existing environment and the maintenance involved to ensure optimal performance and full protection of your corporate assets.

Course Objectives

Upon completion of this course, students will be able to:
+ Use Web Config and the CLI to complete the following administration and maintenance tasks for FortiGate devices:
  - system settings and network configuration
  - creating administrative accounts
  - performing system backups
  - monitoring system alerts
  - device performance and operational status
  - FortiGuard Distribution Network services and updates
  - managing firmware to ensure availability and reliability
+ Implement logging and monitoring features of the FortiGate device using a FortiAnalyzer appliance for content archiving
+ Construct firewall policies with content inspection and schedules, and control unauthorized access
+ Apply firewall policy options for authentication, virtual IP addresses, IP pools and traffic shaping
+ Create firewall protection profiles
+ Implement FortiGate antivirus features such as file pattern blocking, grayware scanning, file quarantine, and antivirus scanning
+ Configure antispam filtering using the subscription-based FortiGuard Antispam Service and banned word methods
+ Use FortiGate Web Filtering features including URL filtering, content blocking, and the FortiGuard Web Filtering Service
+ Understand the differences between NAT/Route and Transparent operational modes

Prerequisites

The following is required to attend this course:
+ Introductory-level network security experience
+ Basic understanding of core network security and firewall concepts

Who Should Attend

This introductory-level course is intended for anyone who is responsible for the
... and as increasingly sophisticated content-level threats now commonly use email applications as a medium of attack. This can be illustrated by the dramatic rise in phishing attacks, signalling a change in strategy for spammers looking to profit from unsuspecting users. Fortinet FortiMail is a family of high-performance, multi-layered email security platforms that remove unwanted spam, provide maximum protection for blended email-based threats and facilitate regulatory compliance. For complete email security that includes content archiving and the highest levels of antispam and antivirus capability, FortiMail provides specialized email security appliances.

For endpoint security, Fortinet provides FortiClient software, a product that provides unified endpoint security for desktops, laptops and mobile devices. PC desktop and laptop devices now allow users to access enterprise applications and mission-critical data both in the office and on the road. Unfortunately, these devices are exposed to blended threats such as viruses, spam, spyware and worms, as well as users accessing inappropriate and

... requests access to the Internet, the device will choose an IP address from the table that is not being used at the time by another private IP address. Dynamic NAT helps to secure a network as it masks the internal configuration of a private network and makes it difficult for someone outside the network to monitor individual usage patterns. Another advantage of dynamic NAT is that it allows a private network to use private IP addresses that are invalid on the Internet but useful as internal addresses.

Static NAT

Static NAT is a type of NAT in which a private IP address is mapped to a public IP address, where the public address is always the same IP address. This method of mapping an unregistered IP address to a registered IP address on a one-to-one basis is particularly useful when a device needs to be accessible from outside the network. This allows an internal host, such as a Web server, to have an unregistered (private) IP address and still be reachable over the Internet.

FortiGate

FortiGate Capabilities

FortiGate devices include a comprehensive array of security and networking capabilities.

UTM Features

+ Antivirus: The FortiGate unit uses a combination of techniques to provide real-time protection against virus attacks, worms and spyware. These techniques include signature blocking, file recognition, heuristics, IP address checks, and URL checks.
+ Antispam: The FortiGate unit delivers reliable and high-performance features to detect, tag, quarantine, and block spam messages and their malicious attachments, including IP address check, checksum check, banned word check, blacklist, DNSBL, ORDBL, and more.
+ Web Filtering: The FortiGate unit, in conjunction with the FortiGuard Web Filtering Service, offers protection to control access to inappropriate web sites that may expose businesses to potential liability, jeopardize network security and consume valuable bandwidth. The FortiGuard Web Filtering database is a URL database with over 60 million rated web sites organized into categories.
+ Intrusion Protection: The FortiGate unit can record suspicious traffic in logs, send alert emails to system administrators, and can log, pass, drop, reset or clear suspicious packets or sessions. An organization can create custom signatures to customize the FortiGate unit's Intrusion Protection System for diverse network environments. The FortiGate Intrusion Protection System matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect the network from known attacks. Fortinet's FortiGuard infrastructure ensures the rapid identification of new threats and the development of new attack signatures.
+ Application Control: The Application Control feature lets you detect and take action on network traffic based on the application generating the traffic, for instance, Instant Messaging (IM), Peer-to-Peer (P2P), and VoIP. Based on the FortiGate Intrusion Protection protocol decoders, application control is a more user-friendly and powerful way to use Intrusion Protection features to log and manage the behaviour of application traffic passing through the FortiGate unit.
+ Data Leak Prevention: Data Leak Prevention (DLP) protects sensitive information from being transmitted over web, email and file transfer protocols. You define rules and compound rules to detect possible data leaks and specify the action to take in response. Rules and compound rules are combined into DLP sensors, which you can enable in firewall protection profiles. Actions in response to potential data leakage include:
  - Log leakage
  - Block sending of the data
  - Content archiving
  - Ban the user from using this protocol. The user is added to the Banned User List.
+ Firewall: A FortiGate unit uses firewall policies to dictate whether traffic will be allowed or denied access to the network. Traffic will not be able to pass through the FortiGate unit unless it matches the policy rules exactly. The FortiGate unit uses protection profiles to dictate which type of content inspection will be performed on traffic passing through the firewall.
+ WAN Optimization: FortiGate WAN optimization can be used to improve performance and security across a WAN using a number of related techniques, including protocol and application-based data compression and optimization, data deduplication (a technique that reduces how often the same data is transmitted across the WAN), web caching, secure tunneling, and SSL acceleration.
+ Endpoint Compliance: Endpoint compliance (also called endpoint control) lets you enforce the use of FortiClient Endpoint Security in your network and ensure that clients have both the most recent version of the FortiClient software and the most up-to-date antivirus signatures. The FortiGate unit retrieves FortiClient software and antivirus updates from FortiGuard. If the FortiGate unit contains a hard disk drive, these files are cached to serve downloads to multiple endpoints more efficiently. The endpoint compliance feature also provides monitoring.
  The FortiGate unit gathers information from client computers when they use a firewall policy with the Enable Endpoint Compliance Check option enabled.
+ Virtual Domains: Virtual domains (VDOMs) enable a FortiGate unit to function as multiple independent units. A single FortiGate unit can then be flexible enough to serve multiple departments of an organization, separate organizations, or be the basis for a service provider's managed security service. VDOMs provide separate security domains that allow separate zones, user authentication, firewall policies, routing, and VPN configurations. Using VDOMs can also simplify administration of complex configurations because administrators do not have to manage as many routes or firewall policies at one time.
+ Traffic Shaping: Traffic shaping controls the bandwidth available to, and the priority of, traffic processed by firewall policies. Traffic shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for an employee's computer.
+ Secure VPN: The built-in SSL VPN capabilities of the FortiGate unit can ensure the confidentiality and integrity of data transmitted over the Internet. The FortiGate unit provides enhanced authentication as well as encrypting and securing information sent from a web browser to a web server. You can also create
+ High Availability (HA): FortiGate high availability (HA) provides critical enterprise networking components: enhanced reliability and increased performance. FortiGate HA is implemented by configuring two or more FortiGate units to operate as an HA cluster. To the network, the HA cluster appears to function as a single FortiGate unit, processing network traffic and providing normal security services such as firewall, VPN, IPS, virus scanning, web filtering, and spam filtering services.
+ Logging: A FortiGate unit provides extensive logging capabilities for traffic, system and network protection functions. Detailed log information and reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse.
+ Authentication: A FortiGate unit can control access to network resources by defining lists of authorized users. User authentication can be performed locally on the FortiGate unit or through the use of external authentication servers. Supported external server types for authentication include RADIUS, LDAP, Active Directory, TACACS+ and digital certificates using a Public Key Infrastructure (PKI).

FortiGate Unit Description

A FortiGate unit, depending on the model, may include some of the following components.

CPU
Depending on the model of FortiGate, a 300 MHz to 1.8 GHz Intel processor is included in the FortiGate. Some high-end models may include dual processors.

FortiASIC Content Processor
This custom-designed processor augments the capabilities of the unit by offloading some of the content processing activities, such as antivirus scanning, from the CPU. The FortiASIC processing includes an engine for antivirus scanning, accelerating cryptographic operations, processing firewall policies and accelerating packet processing for applications such as VPN and IPS.

Flash Memory
The FortiGate can include from 32MB to 64MB of flash memory to store firmware images on the device.

Hard Drive
Some higher-end FortiGate devices will include a hard drive that can be used for local storage of log files and other data.

Network Interface Ports
The FortiGate includes a collection of interface connections to connect the device to various networks, such as an internal network, a DMZ network or a WAN network. Some high-end enterprise models may include Small Form-factor Pluggable (SFP) and XFP (a 10 Gbps version of SFP) network interfaces.

Serial Console Port
The FortiGate includes a serial console port to allow access from the management computer.
USB Port
A USB port is included on the FortiGate for use with any FAT16-formatted USB drive or an external modem.

Some FortiGate devices, such as the FortiWiFi 60, are WiFi enabled and will enable wireless connections between host computers and the FortiGate unit.

Modem
Some FortiGate models, such as the 60AM, include a built-in modem.

Module Slot Bays
Some high-end models of FortiGate include slot bays for Advanced Mezzanine Cards (AMC), where the FortiGate uses cards that are installed within a chassis.

PC Card Slot
Some models of FortiGate integrate a PC (also called PCMCIA) card slot for additional expansion using PC cards.

FortiGate Front View

Each model of FortiGate may look different. The example device illustrated below is the model commonly used in classroom configurations. Similar interfaces will be available on most FortiGate units.

[Figure: FortiGate front view, with callouts for the Power LED (lit green when the unit is powered on) and the Status LED (lit when a cable is connected; flashes to indicate link activity)]

FortiGate Back View

Each model of FortiGate may look different. The example device illustrated below is the model commonly used in classroom configurations. Similar interface connections will be available on most FortiGate units.

[Figure: FortiGate back view, with callouts for the power connection, USB connections, the serial console port, the internal ports, the DMZ port and the WAN1/WAN2 ports]
Operating Modes

A FortiGate unit can operate in two different modes depending on the configuration of the network and the needs of the organization.

NAT/Route Mode
NAT/Route mode is the default configuration on the FortiGate unit. In NAT/Route mode, each FortiGate unit is visible to the network that it is connected to. All of its interfaces are on different subnets. Each interface that connects to a network must be configured with an IP address that is valid for that network. An organization would typically use NAT/Route mode when the FortiGate unit is deployed as a gateway between private and public networks.

In its default NAT/Route mode configuration, the unit functions as a firewall. Firewall policies control communications through the FortiGate unit. No traffic can pass through the FortiGate unit until firewall policies are put in place to allow network traffic to pass. In NAT/Route mode, firewall policies can operate in NAT mode or in Route mode. In NAT mode, the FortiGate unit performs network address translation before IP packets are sent to the destination network. In Route mode, no translation takes place.

Transparent Mode
In Transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are on the same subnet. Configure a management IP address so that configuration changes can be made. This type of configuration is used when an organization wishes to make use of the features of the FortiGate without altering the infrastructure of the network.

Transparent mode on the FortiGate unit would typically be used on a private network behind an existing firewall or directly behind a router. In its default Transparent mode configuration, the unit functions as a firewall. No traffic can pass through the FortiGate unit until firewall policies are in place. Connect up to four network segments to the FortiGate unit to allow the device to control traffic between those network segments.

Device Administration

Administration tasks on the FortiGate unit can be performed from either a graphical user interface (Web Config) or a command line interface (CLI).
Web Config

Web Config can be used to configure most FortiGate settings and to monitor the status of the FortiGate unit using HTTP or a secure HTTPS connection from any computer running a web browser.

Configuration changes made using Web Config are effective immediately without resetting the firewall or interrupting services. Once satisfied with a configuration, it can be backed up. The saved configuration can be restored at any time.

To connect to the Web Config interface, the following are required:
+ A computer with an Ethernet connection
+ A supported web browser, such as Microsoft Internet Explorer version 8.0 or higher or Firefox 1.0 or higher
+ Ethernet cables (since internal interfaces are MDI/MDIX auto-sensing, straight-through or crossover cables will work)

Web Config consists of a menu and pages, many of which have multiple tabs. When a menu item is selected, such as System, it expands to reveal a submenu. When one of the submenu items is selected, the associated page opens at its first tab. To view a different page, click the tabs along the top of the page.

System Dashboard
The system dashboard, displayed under System > Status, displays important information about the FortiGate device. A default dashboard displays core items, but you can move elements around on the Status page and click the Add Content link to remove or replace items.

Web Config Menu
The left-hand navigation menu displayed in Web Config provides access to configuration options for all major features of the FortiGate unit.

[Figure: Web Config navigation menu and a table describing each top-level entry, including System, Router, Firewall, UTM, VPN (IPsec, SSL and PPTP), User (authentication servers such as RADIUS, LDAP and Windows AD), Endpoint Control, and Log & Report (logging and alert email configuration)]

Status Tab

System Information
The System Information pane on the Status tab displays information regarding the FortiGate unit, including firmware version and operating mode. The License Information pane displays the current status of service contracts, versions of antivirus and IPS definitions, and available services.

CLI Console
The Status tab displays a CLI Console where you can enter commands through the command line without leaving Web Config.

System Resources

Unit Operation
The Unit Operation pane displays which interfaces are currently in use, along with links to reboot, restart, and reset the FortiGate device.

Alert Message Console
The Alert Message Console displays important system warnings.

Click Add Content to display the following additional dashboard elements:

Top Sessions
Displays the IP addresses that have the most sessions open on the FortiGate unit.

Top Attacks
Displays the most numerous attacks detected by the FortiGate unit.

Traffic History
Displays the traffic on a selected interface over the last hour, day and month.

Statistics
The Statistics pane displays statistics about traffic passing through the FortiGate unit, such as caught viruses and detected attacks.

[Figure: Statistics pane listing sessions, content archive, attacks detected, spam detected, URLs blocked, and data leaks detected]
Online Help

Online help can be accessed from anywhere in Web Config by clicking the Online Help button. The Help window that is displayed is context sensitive.

[Figure: Online Help window]

Searching Help
It is also possible to search the Help index by clicking the Show Navigation button in the Help window and selecting Search.

[Figure: Help window with the Search tab selected]

Topology Viewer
The Topology Viewer creates a diagram detailing the connections to the FortiGate unit. The viewer is only available on FortiGate models 100A and above. Topology diagrams use the FortiGate unit as the center point. All configured address objects can be used as connected networks in the diagram. This viewer is a good way to see, at a glance, how the FortiGate is connected.

Command Line Interface (CLI)

The FortiGate command line interface (CLI) can be accessed by connecting a management computer serial port to the FortiGate serial console connector. Telnet or a secure SSH connection can also be used to connect to the CLI from any network that is connected to the FortiGate unit, including the Internet.

The CLI supports the same configuration and monitoring functionality as the Web Config interface. In addition, the CLI can be used for advanced configuration options that are not available from Web Config.

The following is required to use the CLI:
+ A computer with an available COM port
+ A null-modem cable, such as the RJ-45 to DB-9 serial cable provided with the FortiGate unit, to connect the FortiGate console port to a communication port on the computer
+ Terminal emulation software such as HyperTerminal for Windows

Logging into the CLI
The following settings must be configured in the terminal emulation software to connect to the CLI:
  Bits per second: 9600
  Data bits: 8
  Parity: None
  Stop bits: 1

The administrator wishing to make changes to the FortiGate device through the CLI must enter appropriate login credentials, including a username and password. The default login name on the FortiGate is admin with a blank password. The command line prompt changes to the # character once the administrator has completed a successful login.

CLI Command Structure
The structure of the CLI commands allows an administrator to modify any of the settings within the FortiGate from the command line. The command structure includes the following components:
+ Commands
+ Objects
+ Branches
+ Tables
+ Parameters

Commands
Commands are at the top level of the CLI command structure. Once logged in as administrator, type ? at the # prompt to view the available commands. Note: the ? character is not displayed in the CLI session.

  config      Configure object.
  get         Get dynamic and system information.
  show        Show configuration.
  diagnose    Diagnose facility.
  execute     Execute static commands.
  exit        Exit the CLI session.

The FortiGate CLI uses the following commands:
  config    Configure objects. Use config to change firewall, system, user and other settings.
  get       Display dynamic and system information.
  show      Display the FortiGate unit configuration. Only settings that differ from their defaults are displayed, in the same format as the CLI commands used to set them.
  execute   Execute static commands, such as resetting the unit to its factory configuration. For example: execute factoryreset
  diagnose  Commands in the diagnose branch are used for debugging and for displaying diagnostic information.

Objects
The next level of the FortiGate CLI command structure is based on configurable objects.
For each of the commands at the top level, there are objects that can be associated with it. To view the objects associated with a command, type the command followed by the ? character. In this example, all objects related to the config command are displayed.

  antivirus
  application
  endpoint-control
  firewall
  ...

The objects vary depending on the command that is entered.

[Table: descriptions of the configurable objects, including antivirus (scan content for viruses and grayware), application, endpoint-control, firewall (firewall addresses, policies and protection profiles), system (settings for the web-based manager, CLI and interfaces), intrusion protection, and routing of IP packets from one network to another]

Objects are containers for more specific lower-level items that are in the form of a table. For example, the firewall object contains tables of addresses, address groups, policies and protection profiles. Entries in the table can be added, deleted or edited. Table entries consist of keywords that can be set to particular values (or parameters).

Branches
The next level of the command structure is the branch. A branch lets you modify an object's characteristics. The available branches will be different depending on the object you are modifying.

When entering a branch of an object, the command prompt changes to identify the branch. To exit a branch, enter the end command. In this example, the administrator is editing FortiGate unit interface characteristics.

  FGT6083907515488 # config system interface
  FGT6083907515488 (interface) #

Tables
A table is a collection of configurable items available within a branch. An administrator can modify the values within the tables to affect a FortiGate device.

In this example, the port1 table is being edited. When modifying a table, the command prompt changes to identify the table. To exit a table, enter the next command. If there are multiple tables available in a branch, use the next command to move to the next table.

  FGT6083907515488 # config system interface
  FGT6083907515488 (interface) # edit port1
  new entry 'port1' added
  FGT6083907515488 (port1) #

Parameters
The final components of the CLI command structure are the parameters. The parameters are the actual values that are being edited through the CLI. Each table could have a collection of parameters, any of which can be modified through the CLI. The parameters available for modification will be different depending on the table that is being edited.

In this example, the parameters for the name of the vdom (using set vdom "root") and the IP address (using set ip 172.20.110.251 255.255.255.0) are being modified in the port1 table.

If configuration changes are not saved automatically (this option is in use), all changes must be saved manually before exiting the CLI by entering execute cfg save at the root prompt.

CLI Basics
There are shortcuts and options available to simplify using CLI commands.

Command Help
+ Press the question mark (?) key at the command prompt to display a list of the commands available and a description of each command.
+ Type a command followed by a space and press the question mark (?) key to display a list of the objects available for that command and a description of each.
+ Type a command followed by an object and press the question mark (?) key to display a list of branches available for that command/object combination, along with a description of each option.

Command Completion
+ Use the tab key or the question mark (?) key to complete commands.
+ Press the ? key at any prompt to scroll through the options available for that prompt.
+ Type the first characters of any command and press the tab key or the question mark (?) key to complete the command or to scroll through the options that are available at the current cursor position.
+ After completing the first word of a command, press the space bar and then the tab key to scroll through the objects available at the current cursor position.
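The command/object/branch/table/parameter hierarchy above is exactly the structure of the text that show prints and that a configuration backup contains, so it can be parsed mechanically. The following is an added example (not code from the course or from Fortinet): a small parser that turns config/edit/set/next/end text into nested dictionaries, normalises a set ip value given in slash format to the dotted-decimal form the configuration file uses, and then reports interfaces whose administrative access (allowaccess) includes a cleartext protocol. The port1 address and vdom are the ones the course shows; port2, the system global entry and the allowaccess values are constructed for the demonstration, and the treatment of http and telnet as cleartext administrative protocols is an assumption of this example.

```python
"""Parse FortiOS-style CLI configuration text into nested dictionaries.

Added example, not from the course or from Fortinet. It models the
command structure described in the course: config <object> <branch>,
edit <table>, set <parameter> <values>, next, end.
"""
import ipaddress
import shlex

# Constructed sample in the form the CLI displays after editing tables.
# port1 values are the ones the course shows; the rest are constructed.
SAMPLE_CONFIG = """\
config system interface
    edit port1
        set vdom "root"
        set ip 172.20.110.251 255.255.255.0
        set allowaccess ping https ssh
    next
    edit port2
        set vdom "root"
        set ip 10.0.0.1/24
        set allowaccess ping https telnet http
    next
end
config system global
    set admin-sport 443
end
"""


def normalize_ip(values):
    """Return [address, netmask] in dotted decimal for either input format."""
    if len(values) == 1 and "/" in values[0]:
        iface = ipaddress.IPv4Interface(values[0])
        return [str(iface.ip), str(iface.network.netmask)]
    if len(values) == 2:
        # Validate both halves; ipaddress raises ValueError on malformed input
        ipaddress.IPv4Address(values[0])
        ipaddress.IPv4Address(values[1])
        return list(values)
    raise ValueError(f"unrecognised ip setting: {values!r}")


def parse_config(text):
    """Parse CLI text into {branch path: {table: {parameter: [values]}}}.

    A 'set' directly under a branch (no 'edit') is stored on the branch,
    which matches branches such as 'config system global' that have no
    tables. Nested 'config' blocks inside a table are supported as well.
    """
    result = {}
    stack = []  # open containers: branch dicts and table dicts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles quoted values such as "root"
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            parent = stack[-1] if stack else result
            stack.append(parent.setdefault(" ".join(args), {}))
        elif keyword == "edit":
            if not stack:
                raise ValueError("edit outside of a config branch")
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            if not stack:
                raise ValueError("set outside of a config branch")
            name, values = args[0], args[1:]
            if name == "ip":
                values = normalize_ip(values)
            stack[-1][name] = values
        elif keyword in ("next", "end"):
            if not stack:
                raise ValueError(f"{keyword} with no open block")
            stack.pop()  # next closes a table, end closes a branch
        else:
            raise ValueError(f"unknown CLI keyword: {keyword}")
    if stack:
        raise ValueError("unterminated config/edit block")
    return result


# Assumed for this example: these allowaccess protocols carry
# administrative credentials without encryption.
CLEARTEXT_ADMIN = {"http", "telnet"}


def cleartext_admin_interfaces(config):
    """Return interface names whose allowaccess includes a cleartext protocol."""
    interfaces = config.get("system interface", {})
    return sorted(
        name for name, params in interfaces.items()
        if isinstance(params, dict)
        and CLEARTEXT_ADMIN & set(params.get("allowaccess", []))
    )


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for branch, entries in parsed.items():
        print(branch, entries)
    print("cleartext admin access on:", cleartext_admin_interfaces(parsed))
```

The same stack-based approach works on a full configuration backup, because every block, whether branch or table, closes with exactly one next or end; a missing closer is reported as an error rather than silently merging two tables.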
Recalling Commands
Recall previously entered commands by using the Up and Down arrow keys to scroll through the commands you previously entered.

Editing Commands
Use the Left and Right arrow keys to move the cursor back and forth in a recalled command. Use the Backspace and Delete keys and the control keys listed below to edit the command.

[Table: editing functions and their key combinations, including beginning of line, previous command, and CTRL+C (abort the current command; at the root prompt, exit the CLI)]

Line Continuation
To break a long command over multiple lines, use a \ character at the end of each line.

Command Abbreviation
Abbreviate commands, objects, and branches to the smallest number of non-ambiguous characters. For example, the command get system status can be abbreviated.

IP Address Formats
Enter an IP address and subnet using either dotted decimal or slash format. For example, type either set ip <address> <netmask> or set ip <address>/<prefix-length>. The IP address is displayed in the configuration file in dotted decimal format.

See the FortiGate CLI Reference Guide for more details on using the CLI.

Administrative Users

Administrative users are responsible for the firewall's configuration and operation. The system's factory default configuration has one administrative account called admin. The admin account has full read/write control of the FortiGate configuration. After connecting to Web Config or the CLI, additional administrators can be configured. Once they are added, give administrative users various levels of access to different parts of the FortiGate unit configuration using an access profile.

There are two types of administrative accounts that can be created on a FortiGate device:
+ System administrator: This account includes the factory default system administrator admin, and any other administrators assigned to the super_admin profile.
+ Regular administrator: This is an administrator with any access profile other than super_admin. A regular administrator account has access to configuration options as determined by its access profile.
If virtual domains are enabled, the regular administrator is assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM.

The default admin user cannot be renamed; however, the password can and should be modified for the account immediately after initial login to Web Config or the CLI. By default, admin has no password. The maximum password length is 32 characters.

Super_admin Access Profile

The factory default system administrator account admin uses the access profile called super_admin. This is a special profile which cannot be viewed or changed. It can, however, be assigned to additional administrative users.

Any administrator assigned to the super_admin access profile has full access to the FortiGate unit configuration. In addition, they can:
• Enable VDOM configuration
• Create VDOMs
• Configure VDOMs
• Assign regular administrators to VDOMs
• Configure global options

Users assigned to the super_admin profile:
• Can delete other users assigned to the super_admin profile and/or change their configured authentication method, password, or access profile, but only if those users are not logged in.
• Can delete the default admin account only if another user with the super_admin profile is logged in and the default admin user is not.

Interface Addressing

One of the first tasks in setting up a FortiGate device to operate on the network is to configure the network interfaces.

The number of physical interfaces on a FortiGate unit varies per model. On the FortiGate-60B, for example, there are four interfaces. The interfaces are named internal, dmz, wan1, and wan2. The internal interface is actually a multi-port integrated switch, but these ports are not individually addressable.

The interfaces on a FortiGate unit can support multiple IP addresses, each with independent administrative access settings, for example, HTTPS, ping, and SSH.

A FortiGate interface can be configured with a static address or acquire its IP address from a DHCP or PPPoE server.

The FortiGate interfaces can be configured using either Web Config or the CLI.
DHCP

No configuration information is required for interfaces that are configured to use DHCP. When DHCP is selected, the FortiGate unit automatically broadcasts a DHCP request. The interface is configured with the IP address and, optionally, the DNS server addresses and default gateway address that the DHCP server provides.

If Retrieve default gateway from server is selected, the gateway (next hop) retrieved by the interface will be set as the default gateway for the FortiGate device. This will override any other configured default routes.

If Override internal DNS is selected, the DNS servers retrieved by the interface will become the FortiGate device's preferred DNS servers. This will override any DNS configuration configured in the system.

PPPoE

If PPPoE is configured for the interface, the FortiGate unit broadcasts a PPPoE request.

Unnumbered IP: If the ISP has assigned a block of IP addresses, enter one of them; otherwise, this IP address can be the same as the IP address of another interface.

DNS

Several FortiGate functions use DNS, including alert email and URL blocking. You must specify the IP addresses of the DNS servers to which the FortiGate unit connects. DNS server IP addresses are usually supplied by an ISP.
Some FortiGate models (100 and lower) can be configured to obtain DNS server addresses automatically. To obtain these addresses automatically, at least one FortiGate unit interface must use the DHCP or PPPoE addressing mode.

FortiGate models 100 and lower can provide DNS forwarding on their interfaces. Hosts on the attached network use the interface IP address as their DNS server. DNS requests sent to the interface are forwarded to the configured DNS server addresses or to the ones that the FortiGate unit obtained automatically.

Configuration Backup and Restore

An administrator can back up the system configuration, including web content lists and spam filtering lists, as well as restore the system configuration from a previously downloaded backup file.

The configuration of the FortiGate unit can be backed up to the following locations:
• The local PC used to manage the FortiGate unit
• A management station such as a FortiManager unit or the FortiGuard Management Service
• A USB disk, if the FortiGate has a USB port and a USB disk is connected to it

The backup can be encrypted. To encrypt the backup file, select the encrypt option and enter a password. You will need this password to restore the file. To back up VPN certificates, encryption must be enabled on the backup file. This option
is not available for backups created using the FortiManager backup option.

Firmware Upgrades

Lab 1 Initial Setup Tasks

In this lab, you will complete the following tasks:

Exercise 1 Connecting to the Command Line Interface (CLI)
Exercise 2 Connecting to the FortiGate Web Config
Exercise 3 Configuring Network Connectivity
Exercise 4 Exploring the CLI
Exercise 5 Configuring Global System Settings
Exercise 6 Configuring Administrative Users

Exercise 1 Connecting to the Command Line Interface (CLI)

This exercise details the initial orientation of the CLI. When setting up a new FortiGate unit, establishing the connection to the CLI is generally the first step, even if most of the configuration changes are performed in Web Config. With the CLI, verify current administrator access, confirm the current FortiOS firmware version, and set some basic parameters to permit access to Web Config for the rest of the system configuration.

Access the console command line interface (CLI) using the RS-232 serial port on the FortiGate unit. Some models use a DB-9 and others use an RJ-45 style connector. A serial cable is used to connect the PC to the FortiGate console port. A CLI administrative session can also be accessed remotely using SSH, Telnet, or through a Java console applet during a Web Config administrative session.

Check Device Connections

1. Plug the Internet connection into the wan1 port on the FortiGate unit. Verify that the wan1 LED indicator on the front of the device is green.

2. Connect the PC's network cable into one of the internal interface ports of the FortiGate unit and make sure the corresponding internal LED indicator is green.

The FortiGate unit's built-in DHCP server will assign addresses to the devices connected to these ports as required. The factory default subnet
assignment of 192.168.1.0/24 will be used.

Log into the CLI

3. Use a serial cable to connect the PC serial port to the FortiGate console port that is located on the back of the device. If the PC is not equipped with a serial port, use a USB serial adaptor to connect the PC to the FortiGate.

4. Start a terminal emulation program on the PC, such as Windows HyperTerminal or TeraTerm. The serial connection settings required are:
• 9600 bps
• 8 data bits
• no parity
• 1 stop bit
• no flow control

5. At the FortiGate CLI login prompt, log in with username admin (all lowercase) and an empty password.

6. Reset the FortiGate device to factory defaults by typing the following command. When asked to continue, press Enter, and wait for the reset to complete.

7. Log in to the CLI once again and type the following command to display status information about the FortiGate unit:

    get system status

The output displays the FortiGate unit serial number, firmware build, operational mode, and additional settings.

8. Type the following command to see the full list of accepted keywords:

Depending on the keyword used with this command, there may be other sub-keywords and additional parameters to enter.

9. Press the Up arrow key to redisplay the previous get system status command and try some of the control key sequences that are summarized below:

    Previous command          Up arrow / CTRL+P
    Next command              Down arrow / CTRL+N
    Beginning of line         CTRL+A
    End of line               CTRL+E
    Back one word             CTRL+B
    Forward one word          CTRL+F
    Abort command and exit    CTRL+C

CTRL+C is context sensitive and in general aborts the current command and moves up to the previous command branch level. If you are already at the root branch level, CTRL+C will force a logout of the current session and another login will be required.

10. Type the following command and press the tab key two or three times:

The command displays the list of available system utility commands one at a time, each time the tab key is pressed.

11. Type the following command to see the entire list of execute commands:

Similar to the get command, keywords may have sub-keywords or require that additional parameters be entered.
The FortiGate CLI is hierarchical, and all execute commands can only be invoked when at the top level.

12. Enter the following CLI commands and compare the available keywords for each:

These two commands are closely related: config begins the configuration mode while show displays the configuration. The only difference is the new full-configuration option. The default behavior of the show command is to only display the differences from the factory default configuration.

13. Enter the following CLI commands to display the FortiGate unit's internal interface configuration settings and compare the output for each:

Only the characters shown in bold typeface need to be typed, optionally followed by <Tab>, to complete the command keyword. Use this technique when you use the CLI to reduce the number of keystrokes to a minimum. CLI commands can be entered in an abbreviated form as long as enough characters are entered to ensure the uniqueness of the command keyword. Parameters, however, must be fully typed out. For example, when specifying the interface name internal, it cannot be abbreviated to int or inter.

14. Enter the CLI command below to display the factory set IP address of the FortiGate's internal interface, later used for HTTP administrative access to the FortiGate device:

Exercise 2 Connecting to the FortiGate Web Config

This exercise introduces the FortiGate Web Config. To access Web Config using a standard web browser, such as Firefox (1.0 or later) or Microsoft Internet Explorer (6.0 or later), enable Cookies and JavaScript for proper rendering and display of the graphical user interface.

Note: If you are using your own laptop or PC in this exercise, make sure to record your original PC network settings before proceeding.

1. Set the PC IP settings to DHCP. The FortiGate device will assign the PC an address in the range of 192.168.1.110 to 192.168.1.210.

2. Verify the PC settings using the ipconfig command from the Windows command prompt.
The default gateway corresponds to the internal interface IP address of the FortiGate unit (192.168.1.99).

3. Open a web browser and type the following address to access the FortiGate Web Config interface:

    https://192.168.1.99

Accept the self-signed certificate when the security alert appears. HTTPS is the recommended protocol for administrative access to the FortiGate UTM device. Other available protocols include SSH, ping, SNMP, HTTP, and Telnet.

4. At the login screen, enter the username admin (all lowercase), leave the password blank and click Login.

5. The first window displayed after a successful login is the System Dashboard. Before continuing with the rest of the configuration, explore the System Dashboard page and find the following information:

    Current Firmware Version 4.0.3

Other system details found on the System Dashboard include the current CPU and memory usage, number of active sessions, recent content inspection statistics, administrative users, and FortiGuard Service status.

6. Before proceeding to the next exercise, ensure that the FortiGate unit is running the correct version of FortiOS firmware required for this class (FortiOS 4.0).

Exercise 3 Configuring Network Connectivity

In this exercise, the FortiGate unit wan1 interface settings are configured using one of the following addressing modes: DHCP, Manual (Static) or PPPoE. Complete the steps for the configuration that applies to your network setup.
• If your network setup supports DHCP, complete the section Configuring the wan1 Interface Using DHCP.
• If you are using static IP addresses, complete the section Configuring the wan1 Interface Using Static Assignments.
• If your setup supports PPPoE, complete the section Configuring the wan1 Interface Using PPPoE.

Configuring the wan1 Interface Using DHCP

If your Internet setup (ISP or intranet) supports DHCP, perform the steps below to configure the wan1 interface.

1. In Web Config, go to System > Network. From the Interface tab, click Edit for the wan1 interface.
On the Edit Interface page, configure the following settings:

    Addressing mode                         DHCP
    Retrieve default gateway from server    Enable
    Administrative access                   HTTPS, Ping

Click Apply.

2. Wait a few seconds for the wan1 interface to acquire an address from the ISP's DHCP server before continuing.

Note: Configuration changes are saved to internal flash memory only when clicking the Apply or OK button. This behavior can be changed.

3. After a few seconds, click the Status link to refresh and view the acquired DHCP address assignment details.

Configuring the wan1 Interface Using Static Assignments

1. In Web Config, go to System > Network. From the Interface tab, click Edit for the wan1 interface. On the Edit Interface page, set the addressing mode to Manual and enter the IP address and netmask given by a network administrator.

2. Click the Options tab to open Networking Options. In the Primary DNS Server field, enter the address of the DNS server given by a network administrator. If a second DNS server is available, enter its IP address in the Secondary DNS Server field. Click Apply.

3. Go to Router > Static > Static Route to configure a static route entry for the default gateway. Click Create New. The New Static Route window opens. For the wan1 device, set Gateway to the IP address of the default gateway given by a network administrator. Leave the Destination IP/Mask settings at the default setting. Click OK.

Configuring the wan1 Interface Using PPPoE

If your Internet setup supports PPPoE, perform the steps below to configure your wan1 interface.

1. In Web Config, go to System > Network. From the Interface tab, click Edit for the wan1 interface. On the Edit Interface page, configure the following settings:

    Addressing mode                         PPPoE
    Username                                your username (given to you by your ISP)
    Password                                your password (given to you by your ISP)
    Retrieve default gateway from server    Enable (if your ISP supports this option)
    Override internal DNS                   Enable (if your ISP supports this option)
    Administrative access                   HTTPS, Ping

Click Apply.

2. Click the Options tab to open Networking Options.
In the Primary DNS Server field, enter the IP address of the DNS server given by a network administrator. If a second DNS server is available, enter its IP address in the Secondary DNS Server field. Click Apply.

3. Go to Router > Static > Static Route to configure a static route entry for the default gateway. Click Create New. The New Static Route window opens. For the wan1 device, set Gateway to the IP address of the default gateway given by a network administrator. Click OK.

All users, irrespective of the type of addressing used (DHCP, Static or PPPoE), should continue with the following steps.

Viewing System Settings for wan1

1. From the CLI, type the following commands to view the network settings for wan1:

Note: Depending on how long it has been since the last command was entered, another login may be required.

In the displayed output, note the same DHCP parameters that were viewed for the wan1 interface in the previous step.

2. Type the nslookup command to verify the Fortinet web site address so it can be successfully pinged. For example:

Configuring the wan2 Interface

To secure the wan2 interface from accidental usage, remove the IP address and administratively disable this port. The IP address can only be unset from the CLI.

3. In the CLI console, enter the commands below to disable and clear the address of the wan2 interface:

4. In Web Config, go to System > Network. From the Interface tab, note that the interface list will now display wan2 with an IP address of 0.0.0.0/0.0.0.0 and a disabled status (a red down-arrow). A page refresh may be needed to see the new status information.

Viewing the Configuration of the Built-in DHCP Server

The FortiGate unit has a DHCP server configured for the internal interface.

5. Go to System > DHCP. From the Service tab, expand internal.
Then expand Servers. Click the Edit icon and view the settings for internal_dhcp_server (pre-defined).

Note: The DHCP leases are retained even when the FortiGate unit is restarted.

Click Cancel to exit.

Viewing DHCP Address Leases

6. Click the Address Leases tab and locate the entry for the PC in the displayed list. As new PCs are connected to the FortiGate internal subnet, additional DHCP leases are displayed.

Exercise 4 Exploring the CLI

In this exercise, you will view the network configuration from the CLI and be introduced to some additional commands.

1. To view the equivalent CLI configuration of the FortiGate interfaces, type the following command:

2. To see verbose settings, type the command:

3. To view additional parameters for all interfaces, type the command:

Compare the get command output with the output from the show command. The information from each is similar: get displays all settings and values, while show gives the syntax for the configuration.

The FortiGate CLI is hierarchical, which means that some commands are only applicable at a certain level or context. The next step demonstrates this by modifying the wan1 interface to add additional administrative access to assist with troubleshooting during initial deployment. Once the system is operational, ping access may be removed to avoid replying to ICMP probes.

4. To add SSH access on the wan1 interface, enter the following CLI commands:

5. Verify the changes by typing the following command:

6. Display the configuration of the DHCP server that provides IP addresses to the PCs connected to the internal interface with the following commands:

7. To inspect the DHCP leases in the CLI for the addresses distributed by the internal interface DHCP server, type:

Other available DHCP CLI commands are listed below.
Please do not run them now.
• To clear all DHCP leases:
• To refresh a DHCP lease:

Exercise 5 Configuring Global System Settings

In this exercise, you will set up the DNS server IP, system time and a hostname. You will also modify the global settings for administrative time-outs and Web Config port access.

Configuring DNS Settings

SOHO models, such as the FortiGate-100A and lower, can be configured to automatically use the acquired DNS server addresses, as well as perform local DNS forwarding.

1. In Web Config, go to System > Network. On the Options tab, make the DNS settings:

    Use the following DNS server addresses
    Primary DNS Server                        4.2.2.1
    Enable DNS forwarding from                internal (Internal)

Note: On FortiGate-200 models and above, the Primary DNS and Secondary DNS servers cannot be configured automatically.

Click Apply.

2. Compare the output of the DNS CLI commands:

The output should correspond to the changes made in Step 1.

Configuring Time Settings

For logging purposes, as well as to optimize FortiGuard updates, the FortiGate clock is set to the correct timezone and NTP server synchronization will be enabled. Use a local NTP server or the default NTP server (pool.ntp.org).

3. Go to System > Status. On the Status tab, click the Change link for System Time in the System Information pane. In the Time Settings window, set the time zone and enable NTP server synchronization. By default, pool.ntp.org will be used. (The NTP server IP address or FQDN can be used.) Enable Automatically adjust clock for daylight saving changes if it applies to your region. Click OK.

4. Display the current system time in the CLI by typing the following command:

Question: How can you set the system time manually?
Answer: Type exec time ? to view the syntax.

5. Verify that the date setting is correct by typing the following CLI command:

Configuring the Hostname

Perform the following steps to configure the hostname for the FortiGate unit.

6. Go to System > Status.
In the System Information pane, click the Change link for Host Name and change the FortiGate Hostname to a name of your choice. At the next login, the new hostname will appear in the browser title bar.

7. View the CLI equivalent commands for the hostname settings configured in the above steps by typing the following command:

Configuring Idle Timeout for Web Config

For the purpose of avoiding Web Config timeouts during the lab exercises, increase the idle timeout to the maximum value.

8. Go to System > Admin and select the Settings tab. Increase the Idle Timeout parameter located under Timeout Settings to 480. Leave all other settings unchanged. Click Apply to save the changes.

Exercise 6 Configuring Administrative Users

In this exercise you will configure administrative users with a new administration profile and login.

1. Go to System > Admin. View the current administrator users on the Administrators tab. The factory default Trusted Hosts setting of 0.0.0.0/0, 0.0.0.0/0, 0.0.0.0/0 allows connections from any host address.

2. The factory default password for the admin account is empty. Click Change Password for the admin user to access the Edit Password window and set the new password to fortinet. To save the changes, click OK.

3. Log out of Web Config by clicking the Logout icon or closing the web browser.

4. Log back into Web Config using the new admin password you just created.

5. To enhance administrative security, create a new administrator account that will be used for day-to-day administration of the FortiGate device and will restrict the source connection with Trusted Hosts. Go to System > Admin. From the Administrator tab, click Create New. Create a new administrator with the following settings:

    Administrator      admin1
    Type               Regular
    Trusted Host #1    192.168.1.0/24
    Admin Profile      super_admin

Click OK to save the changes.

6. Go to System > Admin. On the Admin Profile tab, click Create New to create a new access profile with only read-only access to the content inspection configuration in the New Admin Profile window.
Limiting access only to the areas affecting content inspection helps to eliminate careless errors that could adversely affect connectivity. Configure the new access profile using the following settings. You will have to expand the sections to access all of the settings. Click OK.

7. Go to System > Admin. On the Administrators tab, click Create New to create a new administrative account that uses the new content-only access profile. Configure the new admin account with Type set to Regular and the new profile selected. Click OK.

8. To view the CLI configuration for Administrative Users and profiles, type the following commands:

9. Test the new administrative access login. Log out of the current Web Config session and log in again with the new account and password. Try to access areas which you have set to Read Only. For example, go to System > Network > Interface. You will only be able to view data and not edit it.

The Trusted Hosts setting configured for admin1 and the new account will only allow access from PCs connected to the internal 192.168.1.0/24 subnet, even if the correct password is entered.

LESSON 2 FortiGuard Subscription Services

FortiGuard Subscription Services provide continuously updated security solutions to users of Fortinet security devices, including antivirus, intrusion prevention, web filtering, and antispam. Subscription services are delivered through the FortiGuard Distribution Network. With the FortiGuard Subscription Services enabled, administrators can ensure that the FortiGate, FortiClient and FortiMail installations are performing optimally and are protecting the corporate assets with the latest security technology.
FortiGuard Distribution Network

The FortiGuard Distribution Network delivers updates to FortiGate, FortiClient, and FortiMail products from secure, high availability data centers in locations worldwide. Delivery methods include push, pull, or a customized delivery frequency that can be configured based on the requirements of the organization. Set up once and updates arrive automatically. This structure ensures that devices are kept up to date to provide high levels of protection from both known and unknown threats. FortiGuard Subscription Services are continuously updated to provide up-to-date protection from new and emerging threats before they can harm corporate resources or impact end-user computing services.

Worldwide coverage of FortiGuard services is provided by FortiGuard Service Points. When a FortiGate unit connects to the FortiGuard Distribution Network, it is connecting to the closest FortiGuard Service Point. Fortinet adds new Service Points as required. If the Service Point becomes unreachable for any reason, the FortiGate unit contacts another Service Point and information is available within seconds. By default, the FortiGate unit communicates with the Service Point using UDP on port 53.

Alternatively, the UDP port used for Service Point communication can be switched to port 8888 through Web Config. If you must change the default FortiGuard Service Point hostname, use the system fortiguard hostname CLI command. You cannot change the FortiGuard Service Point hostname in Web Config.

If the FortiGate unit is unable to connect to the FortiGuard Distribution Network, check the configuration. For example, routes may need to be added to the FortiGate routing table or to the network to allow the FortiGate unit to use HTTPS on port 443 to connect to the Internet.

Connecting to the FortiGuard Servers

The following steps illustrate the process used by the FortiGate unit to locate and connect to the FortiGuard servers for a subscribed service.

The FortiGate unit issues a DNS A record lookup for service.fortiguard.net. The DNS server returns the address for service.fortiguard.net.
The FortiGate unit then connects to the FortiGuard server at that address and sends an INIT message, which checks the server status. The FortiGuard server returns a response to the query containing the list of available FortiGuard servers. The server list is initially ordered by weight; the weight is derived from the time zone.

Lab 2 FortiGuard Subscription Services

1. Go to System > Maintenance. On the FortiGuard tab, check the details about the FortiGuard licensing entitlement for the FortiGate unit.

Question: What is the antivirus definition version, expiry, and last update time for your FortiGate unit?

If only the version field is showing, the FortiGate unit firmware was upgraded recently and there have been no further update attempts.

Note: In the classroom environment the FortiGate unit is behind a NAT device. Port forwarding must be configured on the NAT device for Push Update to work.

2. On the FortiGuard tab, expand Web Filtering and Antispam Options and set the following FortiGuard connection settings:

    Enable Web Filter    Enable
    Cache TTL            1800 seconds (30 minutes)
    Enable Antispam      Enable
    Cache TTL            900 seconds (15 minutes)
    Port Selection       53 (default)

Click Test Availability to establish the connection between the FortiGate unit and the FDN server. The display will update to show the FortiGuard Web Filtering and AntiSpam subscription information. Ensure that the FortiGate unit has a valid subscription before proceeding.

Note: By default, FortiGuard uses UDP port 53, because this port is most likely open for DNS traffic. If there is another IPS device on the network that is decoding DNS data on port 53, the FortiGuard request/response may trigger false positives. In that case, change to UDP port 8888 for FortiGuard communication.

3. Expand Antivirus and IPS Options and click Update Now to allow the FortiGate unit to obtain the latest AV and IPS definitions. This action sends a request to an FDN server.
After 3 to 5 minutes, depending on the number of engines and on Internet congestion, the FortiGate unit will receive and install updated definitions. Wait a few minutes, then click the FortiGuard menu tab again and check for the new updates. Today's date should appear next to the Update link for both AV and IPS Definitions.

The AV and IPS signature databases can also be updated either individually or together through the CLI using the following commands:

    exec update-av     Update AV engine/definitions
    exec update-ips    Update IPS engine/definitions
    exec update-now    Update now

4. In the Antivirus and IPS Options section, enable Scheduled Update with an hourly schedule and enable Allow Push Update.

5. View the CLI settings by entering the following command:

    show system autoupdate schedule

Compare the output with get system autoupdate schedule.

Note: The scheduled FortiGuard update time was set to hourly through Web Config but the CLI (show system autoupdate schedule) shows 480. This means the minute within the hour is picked at random (01 to 59) to spread the requests to the FortiGuard servers. The minute can be set explicitly through the CLI as shown below:

    # config system autoupdate schedule
    (schedule) # set time ?
    (schedule) # set time 0
    (schedule) # end
    # show system autoupdate schedule

6. Before proceeding to the next lab, perform a backup of the FortiGate configuration. Go to System > Maintenance. On the Backup & Restore tab, click Backup. Save the backup to your PC.

LESSON 3 Logging and Alerts

Logging is a key element of maintaining a FortiGate unit in a network. Logging allows an administrator to track down and pinpoint problems efficiently by monitoring the many facets of network activity. In addition to being able to find problems, logging lets an administrator monitor abnormal events, as well as establish network behavior baselines, such as allowed traffic, typical and irregular protocols that pass through the network, and traffic volume.
This type of network information can tell an administrator at a glance whether or not the FortiGate device is functioning correctly and can help identify any configuration changes that are necessary for optimal operation.

Log Storage Locations

FortiGate logs can be stored in various locations depending on the type and frequency of the logs to save. For example, if logging traffic and content, configure the FortiGate device to send logs to a FortiAnalyzer unit. FortiGate logs can be stored in the following locations:
• Local hard disk
• FortiAnalyzer
• System memory
• Syslog
• FortiGuard Analysis Service

Local Hard Disk

If the FortiGate unit has a hard disk, enable logging to the hard disk from the CLI. All log types are supported when logging to hard disk except for Content logs. Logs stored on the hard disk can also be uploaded to a FortiAnalyzer unit.

FortiAnalyzer

A FortiGate device can be configured to send log messages to a FortiAnalyzer unit. FortiAnalyzer units are network appliances that provide integrated log collection, analysis tools, and data storage. Logging to FortiAnalyzer units is enabled in the FortiGate device by either specifying the FortiAnalyzer device's IP address or enabling Automatic Discovery. With automatic discovery enabled, the FortiGate unit uses HELLO packets to locate units that are available on the network within the same subnet. Once located, the FortiGate unit can automatically register with the FortiAnalyzer unit and begin sending log data.

UDP port 514 is used by default by the FortiGate unit to transport log messages to the FortiAnalyzer unit. TCP port 514 (OFTP) is used to transfer the content archive and to remotely view the log files and reports. If logging data traverses a public network, an IPSec tunnel can be used to secure the communication between the FortiGate and the FortiAnalyzer devices.

The FortiGate unit can send all log message types, as well as quarantined files, to a FortiAnalyzer unit for storage. Log files stored on a FortiAnalyzer unit can also be uploaded to an FTP server for archival purposes.
System Memory

When logging to memory is enabled, recent log entries are stored for most log types except for Traffic and Content, mainly due to their frequency and large file size. When the system has reached its capacity for log messages, the FortiGate unit overwrites the oldest messages. If the FortiGate unit has a hard disk, the CLI can be used to enable logging to the FortiGate hard disk. Logs stored on the hard disk can also be uploaded to a FortiAnalyzer unit or to an FTP server.

Memory logs can be viewed from Log & Report > Log Access or read from the CLI using the command execute display log once a log filter has been defined. Memory is volatile; that is, if the FortiGate unit is reset or loses power, log entries stored in memory will be lost.

Syslog

A syslog server is a remote computer running software used to collect log messages in an IP network. Administrators commonly use syslog servers as logging devices because any computer can run syslog software, including Linux, Unix, and Windows systems. Syslog captures Traffic, Event, Web Filter, Antispam, Antivirus, and Attack logs but does not support Content Archive logs. The content archive is stored locally by the proxy and then copied across to a FortiAnalyzer device. The content archive uses the OFTP protocol.

By default, communication with the syslog server takes place on port 514 but any port number can be used.

When logging to a syslog server, there are two different log file formats available: Comma Separated Values (CSV) or normal. The CSV format contains commas, whereas the normal format contains spaces.

FortiGuard Analysis Service

FortiGuard Analysis Service is a subscription-based service that provides a web-based logging and reporting solution.

Logging to Multiple FortiAnalyzer Units or Syslog Servers

FortiGate devices can support up to three FortiAnalyzer and/or syslog servers for logging. This allows for load balancing of log writes in busy network environments.
For example, send all Event logs to FortiAnalyzer device 1, all Web Filter logs to FortiAnalyzer device 2, and Traffic logs to FortiAnalyzer device 3. Logging to multiple destinations is configured using the CLI. For more information, see the FortiGate CLI Reference Guide.

Logging Levels

All log messages have a severity (priority) level. You define at what severity level the FortiGate unit records logs when you configure the logging location. All messages at and above the minimum log level selected will be logged. For example, if you select the Error level, the unit logs all Error, Critical, Alert, and Emergency level messages.

Emergency
Event logs, specifically administrative events, can generate an emergency severity level. This level indicates the system has become unusable.

Alert
Attack logs are the only logs that generate an alert severity level. This level indicates that immediate action is needed.

Critical
This level is generated by event, antivirus, and spam filter logs and indicates that functionality is affected.

Error
This level is generated by event and spam filter logs and indicates that an error condition exists and functionality could be affected.

Warning
This level is generated by event and antivirus logs and indicates that functionality could be affected.

Notification
This level is generated by traffic and web filter logs and indicates information about normal events.

Information
This level is generated by content archive, event, and spam filter logs and indicates general information about system operations.

Debug
This level is primarily used as a support function on an as-needed basis only.

Sample log message
In the following sample log message, the priority level is notification. This indicates the occurrence of a normal event, which in this example indicates that the admin user has created a new firewall policy.

    2007-01-11 24:23:37 log_id=0104032126 type=event ... (192.168.96.1) ... user admin added new firewall policy ...
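The severity ordering, the "at and above the minimum level" rule, and the normal versus CSV syslog formats described above, as an added example (not Fortinet's code). The key=value field names, the `level` field and the sample lines are constructed for illustration; only the first log_id is the one quoted in the lesson.

```python
"""Severity-level filtering and key=value parsing for FortiGate-style log
lines. Added example; not Fortinet's code. Field names (level, type, msg)
and the sample lines are constructed for illustration."""
import csv
import io
import re

# Severity levels from most to least severe, in the order the lesson lists them.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# key=value tokens; a value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Split '<date> <time> key=value key="quoted value" ...' into a dict."""
    parts = line.strip().split(None, 2)
    if len(parts) < 3:
        raise ValueError("expected '<date> <time> key=value ...': %r" % line)
    rec = {"date": parts[0], "time": parts[1]}
    for key, value in _KV.findall(parts[2]):
        rec[key] = value[1:-1] if value.startswith('"') else value
    if rec.get("level") not in RANK:
        raise ValueError("unknown or missing level in: %r" % line)
    return rec


def should_log(level, minimum):
    """True when a message at `level` is at or above the configured minimum,
    so a minimum of 'error' keeps error, critical, alert and emergency."""
    return RANK[level] <= RANK[minimum]


def filter_by_level(lines, minimum):
    """Keep only the records a destination configured with `minimum` would store."""
    return [rec for rec in map(parse_log_line, lines)
            if should_log(rec["level"], minimum)]


def format_normal(rec):
    """'Normal' syslog format: space-separated key=value fields."""
    return " ".join('%s="%s"' % (k, v) if " " in v else "%s=%s" % (k, v)
                    for k, v in rec.items())


def format_csv(rec):
    """'CSV' syslog format: the same fields separated by commas."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(
        "%s=%s" % (k, v) for k, v in rec.items())
    return buf.getvalue().rstrip("\n")


# Constructed sample lines (the first log_id is the one quoted in the lesson).
SAMPLE_LINES = [
    '2007-01-11 14:23:37 log_id=0104032126 type=event subtype=admin '
    'level=notification user=admin msg="added new firewall policy"',
    '2007-01-11 14:24:02 log_id=0000000001 type=attack level=alert '
    'src=10.0.0.5 msg="constructed sample signature"',
    '2007-01-11 14:24:15 log_id=0000000002 type=event level=debug msg="trace"',
]

if __name__ == "__main__":
    # With minimum 'error' only the alert-level attack record survives.
    for rec in filter_by_level(SAMPLE_LINES, "error"):
        print(format_normal(rec))
        print(format_csv(rec))
```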
Log Types

A FortiGate system can log a wide range of system activity including events, network traffic, attack indicators, and general system events.

Event Log
The event log records management and activity events including configuration changes, admin logins, high availability (HA) and VPN events. Updates to the engines and signatures are also logged here.

Traffic Log
The traffic log records any traffic between a source and a destination interface. These interfaces must be correctly classified in the FortiGate device so that it can identify whether the session is incoming or outgoing, internal or external. Traffic logs are only generated when the session table entry expires. This is because a log message also includes the amount of data sent and received. This is not the case for denied traffic: no session entry is created and a log message is generated immediately indicating that 0 bytes were transmitted and received.

Note: Denied traffic on a FortiGate device is logged only if a deny policy with logging enabled has been created for it.

Attack Log
The attack log records attacks that are detected and prevented by the FortiGate unit. The FortiGate unit will log attack signatures and attack anomalies. Packet logging can also be enabled through the IPS settings (CLI or Web Config). This feature provides administrators with the ability to analyze packets for forensics and false positive detection.

AntiVirus Log
The antivirus log records virus incidents within the proxies, for example, when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file.

Web Filter Log
The web filter log records HTTP FortiGuard rating errors, including web content blocking actions that the FortiGate unit performs. The logs contain the URLs and, optionally, the user name of the user who requested the resource if user authentication is enabled.

AntiSpam Log
The spam filter log records detected spam and blocked email address patterns and content in SMTP, IMAP, and POP3 traffic.
Application Control Log
The application control log records application activity such as ... attempted, VoIP SIP/SIMPLE block messages, the type of IM application used, and the content of the transmission.

VoIP
The VoIP (Voice over Internet Protocol) log records VoIP Skinny Client Control Protocol (SCCP) events, including ... VoIP Session Initiation Protocol (SIP) transactions.

Content
The content log (FortiAnalyzer logging only) logs metadata from the proxies, such as email, web pages, and downloaded files. Additionally, most log messages are logged, as well as the following VoIP log messages:
• SIP start and end call
• SCCP phone registration
• SCCP call (end of call)
• SIMPLE log message

Configuring Logging

The steps to configure logging on the FortiGate device are as follows:
• Selecting the log storage location and minimum log severity level
• Enabling log generation

Selecting Location and Level
In Web Config, the log storage location and minimum log level are configured in the Log Setting tab from Log & Report > Log Config. Enable the storage location to be used, then set a log severity level from the Minimum log level drop-down list. Depending on the log location selected, you must configure various other parameters. You will explore these parameters in the lab exercises.

Enabling Log Generation
Depending on the log type, log generation can be enabled in various locations in Web Config.

Protection Profile
Content inspection logging is enabled within a protection profile, including Anti-Virus, Web Filtering, FortiGuard Web Filter, Spam Filtering, IPS, IM/P2P, and VoIP.

Event Log
System activity and VPN event logging are enabled on the Event Log tab by selecting the various Event Log options. If you use the CLI to disable certain event logs for a destination, the corresponding Event Log options appear as check boxes that are greyed out.
Firewall Policy or Network Interface
Traffic logging can be enabled per firewall policy or per interface. Logging traffic per firewall policy is more granular and better suited for troubleshooting. When traffic logging is enabled on a majority of firewall policies, consideration must be given to the CPU and network utilization of the logging operation. Local hard disk traffic logging on heavily used systems can be CPU intensive and should be avoided whenever possible. Remote devices such as FortiAnalyzer units or Syslog servers should be used instead. Traffic logging can also be enabled per interface.

Viewing Log Files

The Log Access menu provides individual tabs for viewing log files stored on a FortiAnalyzer unit, the FortiGuard Analysis Server, memory, and hard disk, if available. Each tab provides options for viewing log messages, such as search and filter options, including selecting the log type to view. The columns that appear in the Log Access menu reflect the content found in the log file.

The top portion of the Log Access page includes navigational features to help move through the log messages and locate specific information, for example, going to the next page, previous page, last, or first page. A number can also be entered to jump ahead to a particular page of log messages; for example, entering the number 5 displays the fifth page. If the FortiGate unit has a local hard disk that is enabled for logging, another tab for Local Disk is displayed.

Log Display Formats
Log messages can be viewed in Formatted view or Raw view.

Formatted View
The formatted view displays log messages in organized columns. In this view, you can customize the column display and filter log messages. You can add or remove the log information columns you wish to display, for example, Date, Time, and Source, using Column Settings. Filters show only the log messages that fit specified criteria.
For example, to view all log messages for a specific date range, use the Date filter.

Raw View
When messages display in raw view, the log message displays as it would in a regular log file.

Content Archiving

The content archive feature lets you store session transaction data on an online storage device for the following types of network traffic:
• HTTP
• FTP
• NNTP
• IM (AIM, ICQ, MSN, Yahoo!)
• Email (POP3, IMAP, SMTP)

Content archiving is only available when the FortiGate unit is configured to log to a FortiAnalyzer unit. If logging to the FortiGuard Analysis Server, only content summaries of logs are stored.

Enabling Content Archiving
Content archiving is enabled through DLP rules. A DLP sensor is created using the rules, then applied within a protection profile. Choose to display the content meta-information of the HTTP, HTTPS, FTP, IMAP, POP3, SMTP, and IM traffic on the system dashboard, or archive the full content to a FortiAnalyzer device. Enable at least one of the content protection functions, such as antivirus scanning, web filtering, or spam filtering, for the relevant protocol to use the content archiving feature for that protocol. To be able to access all content archiving options, you must configure a FortiAnalyzer unit and enable logging.

Viewing Content Archives
All archived logs stored on a FortiAnalyzer unit or the FortiGuard Analysis Server can be viewed from Log & Report > Content Archive in Web Config. The FortiGuard Analysis server only stores the content summary of logs.
To view logs in Raw format, click the Raw link next to the Column Settings link.

Alert Email

The Alert Email feature enables the FortiGate unit to send email notifications to a user's email address upon detection of a message meeting a defined event type or severity level. For example, an alert email can be configured to send notification of critical events such as an HA member leaving the HA cluster.

Configuring Alert Email
The FortiGate unit uses the SMTP server name to connect to the mail server. When configuring alert email, configure at least one DNS server. Up to three recipients can be specified per mail server, and the email body is base64 encoded.

SNMP

Simple Network Management Protocol (SNMP) enables administrators to manage hardware on a network including servers, workstations, routers, switches and other network devices. An SNMP managed network is made up of three main components: managed devices, agents, and SNMP managers. Configure the hardware or FortiGate SNMP agent to report system information and to send traps (alarms or event messages) to SNMP managers. An SNMP manager is a computer running an application that can read the incoming traps from the agent and track the information. Using an SNMP manager, access SNMP traps and data from any FortiGate interface configured for SNMP management access.

The FortiGate SNMP implementation is read-only. SNMP v1 and v2c compliant SNMP managers have read-only access to FortiGate system information and can receive FortiGate traps. To monitor FortiGate system information and receive FortiGate traps, compile the Fortinet proprietary Management Information Bases (MIBs), as well as the Fortinet-supported standard MIBs (available from the Fortinet Support site), into an SNMP manager.

Configuring SNMP
SNMP is configured through System > Config in Web Config. On the SNMP v1/v2c tab, enable the SNMP agent option and enter information for the following parameters: Description, Location, and Contact.
SNMP Communities
You can add SNMP communities so that SNMP managers can connect to the FortiGate unit to view system information and receive SNMP traps. SNMP communities can be configured to have different SNMP queries and traps, and they can be configured to monitor the FortiGate unit for different sets of SNMP events. You can add up to eight SNMP managers per community.

Configuring an Interface for SNMP Access
You must configure one or more interfaces on the FortiGate unit to accept SNMP connections before a remote SNMP manager will be able to connect to the unit. This is done by modifying the administrative access of an interface through Web Config.

Traps Available
The FortiGate agent can send traps to SNMP managers added to SNMP communities. To receive traps, load and compile the Fortinet 3.0 MIB into the SNMP manager. All traps include the trap message, as well as the FortiGate unit serial number and hostname. The following is a list of available traps:
• CPU Overusage
• Memory Low
• Log disk space low
• HA cluster status changes
• Interface IP changed
• IPS Signature
• IPS Anomaly
• VPN tunnel up
• VPN tunnel down

Lab 3 - Logging and Monitoring

Tasks
In this lab, you will complete the following tasks:
• Exercise 1 Exploring Web Config Monitoring
• Exercise 2 Configuring System Event Logging
• Exercise 3 Exploring the FortiAnalyzer Interface
• Exercise 4 Configuring Email Alerts
• Exercise 5 SNMP Set-up (Optional)

Exercise 1 Exploring Web Config Monitoring
You have already examined the System Information and License Information sections of the System Dashboard. This exercise gives you a brief tour of the status information presented in other areas of the Dashboard.
1 Log in to Web Config as admin. Go to System > Status to view the System Dashboard. There are several areas that provide summary information and clickable icons or links that provide additional information through a pop-up window or a new information view.
2 Locate the System Resources pane on the System Dashboard. Check the CPU Usage and Memory Usage status dials.
3 Hover the mouse pointer over the System Resources title bar and click History.
A pop-up window appears showing a trace of past CPU Usage, Memory Usage, Sessions, Network Utilization, Virus, and Intrusion History. In the System Resource History graph window, the time interval represented by each graph square can be selected from the pull-down menu to the right of Time Interval. The refresh rate of this window is automatically set to 1/20th of the time interval. Click Close to return to the System > Status tab.
4 The Alert Message Console pane displays the five most recent critical system events, such as system restart and firmware upgrade. Hover over the Alert Message Console title bar and click the History icon to view a pop-up window that displays the entire message list.
5 Session and content inspection statistics are shown in the Statistics pane. Since there will have been little or no traffic through the FortiGate unit and no content inspection configured, the Content Archive and Attack Log statistics will be uninteresting as yet. The Reset link at the top of the Statistics box will clear the current statistics counts (URLs visited, emails received, files uploaded, files transferred, viruses caught, attacks detected, spams detected).
6 There will already be a number of sessions recorded by the FortiGate unit. The Top Sessions pane is not displayed by default. Add it by clicking Add Content > Top Sessions. Click the Details link to display more information about the sessions. Note the function of the various icons in this screen, including screen refresh, page forward and back, and search.
Question: Can you identify the Web Admin sessions in the Session table display? (Hint: Look for the TCP sessions from the PC address to the IP address of the Internal interface of the FortiGate unit.)
Question: For what are the majority of port … sessions? (Hint: Remember that FortiGuard Services are enabled.)

Exercise 2 Configuring System Event Logging
In this exercise, you will configure system event logging as well as the destination store to which the FortiGate unit will send log messages.
You will enable logging to memory and to the FortiAnalyzer device, which will archive the log messages and later generate reports. If the FortiGate unit has a hard disk, local log message archiving is also available.
1 Go to Log & Report > Log Config. From the Log Setting tab, expand Remote FortiAnalyzer logging, enable it and apply the following settings:
Minimum log level: Information
For initial testing purposes, the log level is set to the lowest and most verbose level, Information. In real deployments the level would more likely be set to a less verbose level.
Automatic discovery of a FortiAnalyzer unit with Fortinet Discovery Protocol (FDP) is only applicable when the FortiGate unit and the FortiAnalyzer unit are on the same broadcast domain (subnet). This would be a rare situation in a typical network but appropriate for a FortiGate chassis where a FortiAnalyzer blade is used.
2 While on the Log Settings tab, enable and expand the Memory option and verify that the minimum log level is set to Information. Click Apply.
3 In the Remote Logging section, click Test Connectivity to register with the FortiAnalyzer device. A pop-up window displays to indicate a successful connection and registration process.
The FortiAnalyzer unit being used is configured to automatically accept and register new FortiGate device connections. Alternate settings are Registered only (and ignore logging messages) or Ignore (manual registration). In an actual scenario, there would be additional configuration required at the FortiAnalyzer end to permit the necessary connection for manual device registration. Click Close to exit from the FortiAnalyzer Connection Summary window.
4 On the Event Log tab, click Enable and select all events. Click Apply to save the changes.
You can display the CLI settings for the logging destinations with the following command:
    show log <destination> setting
Substitute fortianalyzer or memory for the destination above.
5 Test the logging setup with some sample log messages sent to the logging destinations. Go to Log & Report > Log Access. On the Memory tab, select the Log Type pull-down menu to view the different log message types. Select each log type in turn and check the Memory tab for the test messages.
Exercise 3 Exploring the FortiAnalyzer Interface
1 Connect to the FortiAnalyzer device Web Config by typing the following address in a web browser: … Accept any certificate messages when they are displayed. Log in with the username student and the password fortinet. After a successful login, the FortiAnalyzer Dashboard displays.
2 From the FortiAnalyzer Web Config go to Log > Browse. On the Log Browser tab, expand the device group and the FortiGate device entry to verify that log messages are being received by the FortiAnalyzer unit from the FortiGate unit.
3 Expand a device entry and the name of the log now displays. Click Display to display the log file. The log message view presents the log fields in columns.
4 Filters on the log message display fields are set in the Log Browser. To show the original log message as it was sent by the FortiGate unit, click Raw in the Log Browser window. To change the view type, click the Change link at the top of the log view window.
5 Go to Log > Log Viewer. Click the Historical tab. Select the device name from the Device drop-down menu. Select the log type. Click OK. From this window you can specify the number of entries to display per page, manage column settings and display the information in the log in unformatted form.
6 Log out of the FortiAnalyzer device.

Exercise 4 Configuring Email Alerts
In this exercise, you will configure the FortiGate unit to send alert email to a test email account. This exercise can only be completed if you have an online email account with which you can test.
1 In Web Config on the FortiGate unit, go to Log & Report > Log Config. Select the Alert Email tab and use the following settings to complete the Alert Email configuration:
Email from: your email address
Email to: your email address
Authentication: enable; enter your email account user name
Password: your email account password
Send alert email for the following: Intrusion and Virus detected
Click Apply to save the settings.
2 Click Test Connectivity. A test message will be sent to the email account.
3 Open an email client application and confirm that the test messages have arrived.
Alert emails can be sent based on selected event categories or simply on a log message threshold level. If a threshold level is used, the CLI controls additional email hold timers for the levels above the selected threshold level; when a hold timer is reached, the queued messages are combined and sent in one email. Check the CLI commands for the Alert Email configuration.

Exercise 5 SNMP Set-up (Optional)
You enable SNMPv1 and SNMPv2c on the FortiGate unit to permit monitoring and statistics gathering by a remote SNMP server. This is not used in the lab scenario, but this exercise provides the basic configuration steps for SNMP set-up on the FortiGate device.
1 Go to System > Config. On the SNMP v1/v2c tab, enable SNMP Agent. Enter a description and location. For contact, use your online email address. Click Apply to save the changes.
2 Click Create New to add a new community called 201 training. Accept the default settings and click OK.
SNMP connections can be restricted to certain IP addresses with the Host settings.
• Either SNMP v1 or v2c queries and traps can be enabled separately with default or customized ports.
• SNMP trap selection can be selected.
3 Enable SNMP access on the interface facing the network management station by typing the following commands in the CLI: …
4 View the CLI configuration for the SNMP settings:
    show (full-configuration) system snmp sysinfo
Note that the CPU, memory, and hard-disk trap thresholds can be set in the CLI.
5 Locate the FortiGate MIB and Trap file and open the MIB with a simple text editor to view the contents.
Note: The FortiGate MIB files are available from the Fortinet Technical Support web site; a registered login is required.
Use of SNMP MIB viewer applications is beyond the scope of this course. If one is available and configured, try to access the FortiGate unit with SNMP and view some MIB objects.
You must enable SNMP administrative access on the FortiGate interface.
The following applications can be downloaded for testing purposes:
• Getif (http://www.wtcs.org/snmp4tpc/getif.htm)
• AdRem SNMP Manager (http://www.adremsoft.com/snmpman)

Lesson 4 - Firewall Policies

Overview

Firewall policies control all traffic passing through the FortiGate unit. ACCEPT policies accept communication sessions. An accept policy can apply FortiGate features such as virus scanning and authentication to the communication session accepted by the policy. DENY policies deny communication sessions. Firewall policies can also be used to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.

For a packet to be connected through the FortiGate unit, the source address, destination address, and service of the packet must match a firewall policy. The policy directs the firewall action on the packet. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN or SSL VPN packet.

Each policy can be configured to route connections or apply Network Address Translation (NAT) to translate source and destination IP addresses and ports. IP pools can be used in conjunction with dynamic NAT when the firewall translates source addresses. Policies can also be used to configure Port Address Translation (PAT) through the FortiGate unit. Protection profiles are used with firewall policies to apply different protection settings for the traffic that is controlled by firewall policies. Traffic logging can be enabled for a firewall policy so the FortiGate unit logs all connections that use the policy.

Policy Matching

When the FortiGate unit receives a connection attempt on an interface, it selects a policy list to search through for a policy that matches the connection attempt. The FortiGate unit chooses the policy list based on the source and destination interfaces of the connection attempt.
The FortiGate unit starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt's source and destination addresses, service port, and the time and date at which the connection attempt was received. The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped. Arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. Exceptions to that policy are added to the policy list above the default policy. No policy below the default policy will ever be matched.

General policies are policies that can accept connections from multiple source and destination addresses or from address ranges. General policies can also accept connections from multiple service ports or have schedules that mean the policy can be matched over a wide range of times and dates. Policies that are exceptions to general policies should be added to the policy list above the general policies. For example, a general policy may allow all users on the internal network to access all services on the Internet. To block access to specific services, such as FTP servers on the Internet, add a policy that denies FTP connections above the general policy. The deny policy blocks FTP connections. Connection attempts for all other kinds of services do not match the FTP policy but do match the general policy. Therefore the firewall still accepts all connections from the internal network other than FTP connections.

If virtual domains are enabled on the FortiGate unit, firewall policies are configured separately for each virtual domain.

Firewall Policy List

The policy list displays details of the policies in place on the FortiGate device. You can add, delete, edit, and reorder policies from the list.

Column Settings
Some columns of information may not be displayed by default. You can use the Column Settings options to add or remove table columns from the displayed list. Select items to display from the Available fields list and click > to move them to the Show these fields in this order list. Reorder the Show these fields in this order list by selecting an item and clicking Move Up or Move Down. For example, if the Count field is added to the column settings, the number of packets and bytes that match a firewall policy can be displayed.

Filtering columns
Click the Filter icon to set the column filters, which allow the policy list to be filtered according to the criteria specified. Filters are useful for reducing the number of entries that are displayed in the list. Filters can be added for one column or multiple columns. Filter configuration is maintained after leaving Web Config, after logging out of Web Config, or after restarting the FortiGate unit. Different filter types are available depending on the type of information displayed in individual columns. In all cases, filters are configured by specifying what to filter on and whether to display information that matches the filter or to select NOT to display information that does not match the filter.

Moving policies
A policy can be moved within the list to influence the order in which policies are evaluated. When more than one policy has been defined for the same interface pair, the policy that is first in the list is evaluated first. The ordering of firewall policies is important to ensure that they take effect as expected; firewall encryption policies must be defined before regular firewall policies. Moving a policy in the list does not change its policy ID number. The policy ordering can also be changed using the CLI move command for the firewall policy table.

User Authentication to Firewall Policies

User authentication can be enabled on a firewall policy so that end users using the firewall policy will be challenged to identify themselves before they can use the policy. Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first. Authentication is available when the action is set to Accept or SSL VPN. Add users and a firewall protection profile to a user group before enabling authentication for the policy. In the case of user and password authentication, the end users are prompted to input a user name and password.
For certificate authentication, you install customized certificates on the FortiGate unit, and end users can also have customized certificates installed on their browsers. Otherwise, the end users will see a warning message and have to accept the default FortiGate certificate, which the end users' web browsers may deem invalid. Firewall authentication also includes LDAP, RADIUS, Active Directory and TACACS+ authentication. To allow the FortiGate unit to authenticate with an Active Directory server using single sign-on, the Fortinet Server Authentication Extension (FSAE) must be installed on the Active Directory Domain Controller. Once the user authenticates to Windows, they will not have to perform a second authentication for the firewall policy.

Authentication Protocols
You can specify the protocol to be used to issue the authentication challenge. The firewall policy must also include the authentication protocol for the end users to be able to get authenticated. For example, if you are creating a POP3 policy and using the HTTP protocol for authentication, the firewall policy services must include at least HTTP and POP3. User authentication supports the following protocols:
• …
• Telnet
Lesson 6 of this course will discuss authentication in more detail.

Creating or Editing Policies

Click Create New on the Policy tab or Insert Policy before in the policy list to create a new firewall policy. Click Edit for an existing firewall policy in the policy list to edit the policy. The Source and Destination Interface/Zone matches the source and destination interfaces of a communication session. The Source and Destination Address matches the source and destination addresses of the communication session. The Schedule specifies when the firewall policy is enabled. The Service matches the port number used by the communication session. The Action determines how the FortiGate unit processes traffic: specify an action to accept or deny traffic, or configure a firewall encryption policy. Enable the remaining firewall policy options to set optional features. They appear in both the New Policy and New Authentication Rule windows.
Configuring Addresses

Addresses can be created or edited from the New Address or Edit Address dialog box (Firewall > Address) or during firewall policy configuration from the Address pull-down list in the firewall policy window (Create New). The FortiGate unit comes configured with the default address all, which represents any address on the network and stands for all addresses on the Internet.

Address Name
A firewall address can be configured with a name, an IP address, and a netmask, or with a name and an address range. A single IP address can be used with no mask or with a /32 mask (255.255.255.255). The firewall address can also be a fully qualified domain name. The name assigned to the address will be used in the policy dialog box. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.

Type
Addresses can be identified by a Subnet/IP Range or an FQDN.

Subnet/IP Range
Enter the firewall IP address and subnet mask, or enter an IP address range separated by a hyphen.
The firewall IP address can be:
• The IP address of a single computer (for example, 192.45.48.48)
• The IP address of a subnetwork (for example, 192.168.1.0 for a class C subnet)
An IP Range address represents a range of IP addresses in a subnet, for example, 192.168.20.1 to 192.168.20.10.
Enter an IP address and netmask using the following formats:
    x.x.x.x/x.x.x.x, for example, 192.168.1.0/255.255.255.0
    x.x.x.x/x, for example, 192.168.2.0/24
Enter an IP address range using the following formats:
    x.x.x.x-x.x.x.x, for example, 192.168.110.100-192.168.110.120
    x.x.x.[x-x], for example, 192.168.120.[100-120]
    x.x.x.*, for example, 192.168.120.* to represent all addresses on the subnet
Enter an FQDN using the following format:
    <domain name>, for example, fortinet.com

Interface
Select the interface or zone with which the IP address will be associated. Alternatively, Any can be selected to associate the IP address with the interface/zone when the policy is created.

Address Groups
Organize related addresses into address groups to simplify policy creation and management. For example, after adding three addresses and configuring them in an address group, configure a single policy using all the addresses. If an address group is included in a policy, it cannot be deleted unless it is first removed from the policy.

Schedules
Schedules control when a policy is active. One-time schedules are effective only once, for the period specified in the schedule, while recurring schedules repeat weekly for an indefinite period of time. Recurring schedules are effective only at specified times of the day or on specified days of the week.

One-Time Schedule
One-time schedules can be used to activate or deactivate a policy for a specified period of time. For example, a firewall might be configured with a default policy that allows access to all services on the Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period.

Firewall Services
You can use services to determine the types of communication accepted or denied by the firewall. Services control the opening and closing of ports. You can add any of the predefined services to a policy.

NAT
Network Address Translation (NAT) of the source address and port of packets accepted by the policy can be enabled or disabled as part of a firewall policy.
When NAT is enabled, Dynamic IP Pool and Fixed Port can also be configured.

Dynamic IP Pool
When NAT is enabled in the firewall policy, the option to enable Dynamic IP Pool becomes available. Enable it and select an IP pool to translate the source address to an IP address randomly selected from the addresses in the IP Pool. IP pools cannot be used when using zones. An IP pool can only be associated with
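The top-down first-match evaluation from the Policy Matching section, together with the Subnet/IP Range address formats from Configuring Addresses, as an added example (not Fortinet's code). The Policy class, the packet dictionary and the sample policy list are constructed for illustration; FQDN addresses and schedules are left out, and the assumed "all" address stands for 0.0.0.0/0.

```python
"""First-match firewall policy evaluation using the lesson's address formats.
Added example; not Fortinet's code. Policy fields, the packet layout and the
sample policy list are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# a.b.c.[x-y] form: last octet range inside square brackets
_BRACKET = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")


def address_members(spec):
    """Expand one address spec into a list of ipaddress networks.

    Accepts 'all' (assumed to mean 0.0.0.0/0), 'a.b.c.d' (implicit /32),
    'a.b.c.d/m.m.m.m', 'a.b.c.d/n', 'a.b.c.d-e.f.g.h', 'a.b.c.[x-y]'
    and 'a.b.c.*' (the whole class C subnet)."""
    if spec == "all":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec.endswith(".*"):
        return [ipaddress.ip_network(spec[:-2] + ".0/24")]
    m = _BRACKET.match(spec)
    if m:
        base, lo, hi = m.groups()
        spec = "%s.%s-%s.%s" % (base, lo, base, hi)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError("reversed range: " + spec)
        return list(ipaddress.summarize_address_range(lo, hi))
    # single host, dotted-mask or prefix-length form
    return [ipaddress.ip_network(spec, strict=False)]


def contains(spec, ip):
    """True if the IP falls inside the address spec."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in address_members(spec))


@dataclass
class Policy:
    id: int
    src_if: str
    dst_if: str
    src: str          # address spec, see address_members()
    dst: str
    service: str      # 'ANY' or '<proto>/<port>', e.g. 'tcp/21' for FTP
    action: str       # 'accept' or 'deny'
    log: bool = False

    def matches(self, pkt):
        return (self.src_if == pkt["src_if"] and self.dst_if == pkt["dst_if"]
                and contains(self.src, pkt["src"])
                and contains(self.dst, pkt["dst"])
                and self.service in ("ANY", "%s/%d" % (pkt["proto"], pkt["dport"])))


def evaluate(policies, pkt):
    """Walk the list top-down; the first match wins, no match means drop."""
    for p in policies:
        if p.matches(pkt):
            return p.action, p.id
    return "drop", None


# Constructed sample list in the order the lesson recommends: the specific
# FTP deny sits above the general "all services" accept policy.
SAMPLE_POLICIES = [
    Policy(2, "internal", "wan1", "192.168.1.0/24", "all", "tcp/21", "deny", log=True),
    Policy(1, "internal", "wan1", "192.168.1.0/24", "all", "ANY", "accept"),
]

# Constructed connection attempts from the internal network to the Internet.
FTP_ATTEMPT = {"src_if": "internal", "dst_if": "wan1", "src": "192.168.1.10",
               "dst": "203.0.113.7", "proto": "tcp", "dport": 21}
HTTP_ATTEMPT = dict(FTP_ATTEMPT, dport=80)

if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES, FTP_ATTEMPT))   # deny by policy 2
    print(evaluate(SAMPLE_POLICIES, HTTP_ATTEMPT))  # accept by policy 1
    # Reversed order: the general policy shadows the FTP deny entirely.
    print(evaluate(list(reversed(SAMPLE_POLICIES)), FTP_ATTEMPT))
```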
