www.fortinet.com
FortiGate Multi-Threat Security Systems I
Administration, Content Inspection and SSL VPN
Lab Guide for RealTime OnLine training using FortiOS 4.0 MR3 Patch 1
Course 201
01-4310-0201-RTOL-20110729
Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams, or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuardAntivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Lab network topology (diagram; only its labels survive): Port1 10.200.1.1; Port2 10.200.2.1 (LAN2: 10.200.2.0/24); Port4 10.200.3.1; Port5 10.200.4.1 (LAN5: 10.200.4.0/24); Port6 10.0.2.254 (LAN6: 10.0.2.0/24); Linux host; REMOTE Windows XP; LAN0; LAN7 (0.0.0.0); gateway addresses .254 on the LAN segments.
If a status of Failed is displayed, verify the on-screen messages to identify potential problem areas or click the Troubleshooter link to help diagnose any problems that were encountered. For assistance with troubleshooting speak to your instructor.
2 If a status of SUCCESS is displayed, log in to the virtual lab portal by browsing to the following URL:
https://virtual.mclabs.com
Enter the username and password provided by the instructor and click LOGIN.
3 Select the time zone for your location from the drop-down menu and click UPDATE. By selecting the proper time zone you ensure that the class schedule is accurate.
4 The virtual lab Java applet is launched. Select a resolution for the applet and click Open to access the Windows 2003 Server device in the virtual lab environment. This will serve as the primary student machine for the classroom exercises.
Note: If for any reason the connection to the virtual Windows 2003 Server is lost, regain access by selecting Operations > Disconnect and then Operations > Connect to Primary from the menu.
5 To connect to other virtual machines in this environment go to Operations > Connect to Secondary and select one of the available machines in the list.
The instructor will provide a description of each of the virtual systems available to you in the virtual lab environment.
Troubleshooting Tips
It is not recommended to connect to the virtual lab environment using a wireless (WiFi) connection or a VPN tunnel. For optimal performance connect to the lab environment through a dedicated LAN connection. Ensure that the company network or firewall policies are not blocking Java applets. Students should ensure that the following settings are configured on their computer:
Screen savers should be disabled on the computer
The Power Scheme used on the computer should be set to Always on
In the Java Control Panel (located in the Windows Control Panel) ensure that Java console is set to Show console. It is recommended that the Java console be left open as it often provides useful logs for troubleshooting. If you get disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal) please reattempt a connection. If unable to reconnect repeatedly after multiple attempts, please notify the instructor.
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Exploring the Command Line Interface
Exercise 2 Accessing Web Config
Exercise 3 Configuring Network Interfaces
Exercise 4 Configuring the FortiGate DNS Server
Exercise 5 Enabling DNS Recursive
Exercise 6 Configuring Global System Settings
Exercise 7 Configuring Administrative Users
Timing
Estimated time to complete this lab: 55 minutes
3 Type the following command to display status information about the FortiGate unit:
get system status
The output displays the FortiGate unit serial number, firmware build, operational mode, and additional settings. Confirm that the firmware build on the FortiGate unit is 4.00 (MR3 Patch1), which is the required version for this course.
4 Type the following command to see a full list of accepted objects for the get command:
get ?
At the --More-- prompt in the CLI, press the spacebar to continue scrolling or <enter> to scroll one line at a time. Press <q> to exit. Depending on the objects and branches used with this command, there may be other sub-keywords and additional parameters to enter.
5 Press the up arrow key to display the previous get system status command and try some of the control key sequences summarized below.
Previous command: up arrow or CTRL+P
Next command: down arrow or CTRL+N
Beginning of line: CTRL+A
End of line: CTRL+E
Back one word: CTRL+B
Forward one word: CTRL+F
Delete current character: CTRL+D
Abort command and exit branch: CTRL+C
Clear screen: CTRL+L
CTRL+C is context sensitive and in general aborts the current command and moves up to the previous command branch level. If already at the root branch level, CTRL+C will force a logout of the current session and another login will be required.
6 Type the following command and press the <tab> key 2 or 3 times.
execute <tab>
The command displays the list of available system utility commands one at a time each time the <tab> key is pressed.
7 Type the following command to see the entire list of execute commands:
execute ?
8 Enter the following CLI commands and compare the available keywords for each one:
config ?
show ?
These two commands are closely related: config enters the configuration mode for a branch, while show displays the configuration of that branch, so the keyword lists match except for show full-configuration, which exists only under show. By default, show displays only the settings that differ from the factory-default configuration; show full-configuration displays every setting.
9 Enter the following CLI commands to display the FortiGate unit's internal interface configuration settings and compare the output for each of them:
show system interface port3
show full-configuration system interface port3
Only the characters shown in bold type face need to be typed, optionally followed by <tab>, to complete the command keyword. Use this technique to reduce the number of keystrokes needed to enter information. CLI commands can be entered in an abbreviated form as long as enough characters are entered to ensure the uniqueness of the command keyword.
2 Select the port3 interface and click Edit ( ), then click OK. The settings are configured as follows:
Destination IP/Mask:
Device:
Gateway:
3 Go to Router > Static > Static Route and view the default route entry.
The default static route entry has been configured beforehand as part of the virtual lab setup.
4 A default policy has been created on the Student device before the start of the course. Go to Policy > Policy > Policy and confirm that this port3 -> port1 policy using NAT is displayed.
5 From the CLI on the Student FortiGate unit, enter the following commands to view the interface settings for port1:
config system interface
edit port1
get
end
Note: Depending on how long it has been since the last command has been entered in the CLI, another login may be required.
6 Execute the following command to display the name and details of the interface matching the IP address of 10.0.1.254 using grep: get system interface | grep 10.0.1.254
Note: The grep command line search utility, native to many UNIX platforms, is supported in the FortiOS CLI (v.4.2 and higher). The grep utility can be used in conjunction with the get, show and diag commands to display only the output that matches a given regular expression.
7 To view the configuration of the FortiGate interfaces through the CLI, type the following command:
show system interface
8 To see verbose settings, type the following command:
show full-configuration
9 To view additional parameters for all interfaces, type the following command:
get system interface
Compare the get command output with the output from the show command. The information from each is similar: get displays all settings and values, while show gives the syntax for the configuration.
10 The FortiGate CLI is hierarchical, which means that some commands are only applicable at a certain level or context. To demonstrate the hierarchy, modify the port1 interface to add additional administrative access to assist with troubleshooting during initial deployment. To add SSH access on the port1 interface, type the following CLI commands:
config system interface
edit port1
set allowaccess https ping ssh
next
end
Note: The set command is not additive. The existing parameters must be re-entered along with the new parameter being added.
11 Verify the changes by typing the following command:
show system interface port1
Leave all other parameters at their default settings and click OK. The Student DNS zone is now created.
Student DNS Records
To populate the newly created student DNS zone with DNS A and PTR records for the Student FortiGate device and virtual Windows 2003 Server, perform the following steps:
3 In the DNS Entries section of the Edit DNS Zone window, create a new DNS entry to configure the DNS A record for the Student FortiGate device with the following details:
Type: Address (A)
Hostname: fgt
IP Address: 10.0.1.254
TTL (seconds): 0 (default)
Click OK.
4 Create another new DNS entry to configure the DNS PTR record for the Student FortiGate device with the following details:
Type: IPv4 Pointer (PTR)
Hostname: fgt
IP Address: 10.0.1.254
TTL (seconds): 0 (default)
Click OK.
5 Create another new DNS entry and configure the details of the DNS A record for the virtual Windows 2003 Server with the following details:
Type: Address (A)
Hostname: server
IP Address: 10.0.1.10
TTL (seconds): 0 (default)
Click OK.
6 Create another new DNS entry and configure the details of the DNS PTR record for the virtual Windows 2003 Server with the following details:
Type: IPv4 Pointer (PTR)
Hostname: server
IP Address: 10.0.1.10
TTL (seconds): 0 (default)
Click OK.
Click OK on the Edit DNS Zone page to save changes to the student DNS zone.
Remote DNS Zone
To create a second DNS zone for the Remote network, perform the following steps:
7 Still in System > Network > DNS Server, create a new DNS database and configure with the following details:
Type: Master
View: Shadow
DNS Zone: remote
Domain Name: remote.lab
Leave all other parameters at their default settings and click OK. The remote DNS zone is now created.
Remote DNS Records
To populate the newly created remote DNS zone with DNS A and PTR records for the Remote FortiGate device, perform the following steps:
8 In the DNS Entries section of the New DNS Zone window, create a new DNS entry and configure the DNS A record for the Remote FortiGate device with the following details:
Type: Address (A)
Hostname: fgt
IP Address: 10.200.3.1
TTL (seconds): 0 (default)
Click OK.
9 Create another new DNS entry and configure the DNS PTR record for the Remote FortiGate device with the following details:
Type: IPv4 Pointer (PTR)
Hostname: fgt
IP Address: 10.200.3.1
TTL (seconds): 0 (default)
Click OK.
10 Create another new DNS entry and configure the DNS A record for the virtual Windows XP installation using the following details:
Type: Address (A)
Hostname: pc
IP Address: 10.0.2.10
TTL (seconds): 0 (default)
Click OK.
11 Create a final new DNS entry and configure the DNS PTR record for the virtual Windows XP installation with the following details:
Type: IPv4 Pointer (PTR)
Hostname: pc
IP Address: 10.0.2.10
TTL (seconds): 0 (default)
Click OK.
Click OK on the Edit DNS Zone page to save changes to the remote DNS zone.
Exercise 5
3 In a web browser on the virtual Windows 2003 Server, access the following web pages to verify that Web Config can be accessed on the Student and Remote FortiGate devices using DNS hostnames:
http://fgt.student.lab
http://fgt.remote.lab
Type the following command to view the syntax used to set the system time manually:
exec time ?
Note: Once NTP server synchronization is enabled, it may take up to one hour for the time to be synchronized.
3 Verify that the date setting is correct by typing the following CLI command:
exec date
4 Back in Web Config in the System Information widget, click the [Change] link for Host Name and change the hostname of the FortiGate unit to your first name and the initial of your last name (for example, AliceB). Click OK. The new hostname will appear in the browser title bar at the next login or when the page is refreshed.
5 View the CLI equivalent commands for all the system settings configured in the above steps by typing the following command:
show system global
Enforcing Password Policies for the Admin User
The FortiGate unit includes the ability to enforce a password policy for administrator login. With the policy in place, regular changes and specific criteria are enforced for the admin password, including:
minimum length (between 8 and 32 characters)
must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters
must contain numbers (1, 2, 3)
must contain non-alphanumeric characters (!, @, #, $, %, ^, &, *, ()
whether the password applies to admin or IPsec (or both)
duration of the password before a new one must be specified
6 In Web Config, go to System > Admin > Settings and enable Enable Password Policy. Configure the password policy with the following details:
Minimum length: 8
Must Contain: Enable; 1 Upper Case Letter; 1 Numerical Digit
Enable Password Expiration: Enable, 90 days
Leave all other parameters at their default settings and click Apply.
admin1 account settings (table values): Password: F0rtinet1; Admin Profile: super_admin; Virtual Domain: Global; Restrict this Admin Login from Trusted Hosts Only: Enabled, 10.0.1.0/24
5 Go to System > Admin > Admin Profile and create a new admin profile called content-control with the following details:
Click OK. Limiting access only to the areas affecting content inspection helps to eliminate accidental errors that could adversely affect connectivity.
6 Go to System > Admin > Administrators and create a new administrative account that uses the new content-control admin profile with the following details:
Administrator: cadmin
Type: Regular
Password: F0rtinetC
Admin Profile: content-control
Virtual Domain: root
Restrict this Admin Login from Trusted Hosts Only: enabled, 10.0.1.0/24
Click OK.
7 To view the configuration for administrative users and profiles, type the following CLI commands:
show system admin
show system accprofile
8 Test the new administrative access login by logging out of the current Web Config session and logging in again as the new cadmin user. Try to access areas set to read only, for example, go to System > Network > Interface and attempt to edit an interface. Notice that the data can be viewed but not edited. Click Return. The Trusted Host setting configured for admin1 and cadmin will only allow access from PCs connected to the 10.0.1.0/24 subnet, even if the correct password is entered.
Course 201 Administration, Content Inspection and SSL VPN 01-4310-0201-RTOL-20110729
9 In the web browser, open a second connection to Web Config; this time, log in as admin with the password of F0rtinet.
10 Go to System > Dashboard > Status and under System Information, click Details for Current Administrator.
11 By default an administrator has a maximum of three attempts to log into their account before they are locked out for 60 seconds. The source IP address is taken into account for the attempt counter. The number of login attempts and the lockout period can be configured through the CLI. To help improve the overall password security, the maximum number of attempts can be decreased and the lockout timer increased using the following CLI commands:
config system global
set admin-lockout-threshold 2
set admin-lockout-duration 100
end
12 Log out of all the Web Config windows.
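To make the lockout semantics of step 11 concrete, here is an added Python model (written for this guide, not Fortinet code) that counts failed logins per source IP and locks a source out for the configured duration, replaying a constructed login trace under the default values (3 attempts, 60 seconds) and under the values set above (2 attempts, 100 seconds). It assumes that an expired lockout also clears the failure counter, which the lab text does not state.

```python
from collections import defaultdict
from typing import Dict, List, Tuple


class AdminLockout:
    """Model of the admin lockout behaviour described in the lab:
    failed logins are counted per source IP; when the count reaches the
    threshold, that source is refused (even with the right password) for
    `duration` seconds."""

    def __init__(self, threshold: int = 3, duration: int = 60):
        self.threshold = threshold
        self.duration = duration
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, src_ip: str, now: float) -> bool:
        until = self.locked_until.get(src_ip)
        if until is None:
            return False
        if now >= until:
            # Assumption: once the lockout expires the counter starts fresh.
            del self.locked_until[src_ip]
            self.failures[src_ip] = 0
            return False
        return True

    def attempt(self, src_ip: str, password_ok: bool, now: float) -> str:
        """Return 'success', 'failed' or 'locked' for one login attempt."""
        if self.is_locked(src_ip, now):
            return "locked"
        if password_ok:
            self.failures[src_ip] = 0
            return "success"
        self.failures[src_ip] += 1
        if self.failures[src_ip] >= self.threshold:
            self.locked_until[src_ip] = now + self.duration
            return "locked"
        return "failed"


Event = Tuple[float, str, bool]   # (time in seconds, source IP, password correct?)


def replay(events: List[Event], threshold: int = 3, duration: int = 60) -> List[str]:
    """Run a login trace through the model and return the outcome of each attempt."""
    model = AdminLockout(threshold, duration)
    return [model.attempt(ip, ok, t) for t, ip, ok in events]


# Constructed trace: three bad guesses from the student PC, then the correct
# password from the same host while locked, from a second host, and again
# from the first host after the default 60 s lockout has passed.
TRACE: List[Event] = [
    (0, "10.0.1.10", False),
    (1, "10.0.1.10", False),
    (2, "10.0.1.10", False),
    (3, "10.0.1.10", True),    # right password, still inside the lockout
    (4, "10.0.1.20", True),    # a different source IP has its own counter
    (70, "10.0.1.10", True),   # default 60 s lockout has expired by now
]

if __name__ == "__main__":
    print("defaults (3/60):", replay(TRACE))
    print("hardened (2/100):", replay(TRACE, threshold=2, duration=100))
```

With the hardened values the final attempt at t=70 is still refused, because the lockout set at t=1 lasts until t=101.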
Tasks
In this lab, you will complete the following tasks:
Exercise 1 Exploring Web Config Monitoring
Exercise 2 Customizing the System Dashboard
Exercise 3 Configuring Email Alerts
Exercise 4 Enabling Logging to a FortiAnalyzer device
Timing
Estimated time to complete this lab: 35 minutes
3 Some widgets are not displayed on the dashboard by default. Click Widget ( ) to display the list of widgets available to add to the dashboard. Click the Log and Archive Statistics widget from the pop-up window to add it to the dashboard. Click to close the widget list window.
4 Hover the mouse over the title bar of the System Resources widget. Click Edit ( ) to create a custom widget.
Configure a custom widget with the following details:
Custom Widget Name: System Resource History
View Type: Historical
Time Period: Last 60 minutes
A line chart appears in a new custom System Resource History widget showing a trace of past CPU and Memory usage. The refresh rate of this window is automatically set to 1/20 of the time period (interval) configured.
5 The Alert Message Console widget displays recent system events, such as system restart and firmware upgrade. Hover over the title bar of the Alert Message Console widget and click History ( ) to view the entire message list.
Scroll to the bottom of the window and click Close.
6 Locate the Top Sessions widget on the dashboard. Click the graphical bars representing sessions per IP address to display more information about the sessions. Identify Web Admin sessions in the session table display by locating the TCP sessions from the IP address of the virtual Windows 2003 Server (10.0.1.10) to the IP address of the internal interface of the FortiGate unit (10.0.2.254). Hover over the title bar of the Top Sessions widget and click Detach. Test the functionality of the refresh, page forward, page back, and clear session icons in this window. Click Attach to replace the widget on the dashboard. Click Return ( ) to re-display the graphical view of the Top Sessions widget.
2 Once the widget is added to the dashboard, edit the settings for the widget and select the port1 interface to monitor.
3 To monitor real time bandwidth usage per protocol, add the Network Protocol Usage widget to the dashboard. This data can be useful to administrators when creating traffic shaping rules.
4 In the Log and Archive Statistics widget, click a Details link to view the associated log entries for the log selected.
2 Alert emails can be sent based on selected event categories or simply on a log message severity level. Only one of these options can be enabled at a time. Still in the Alert E-mail window, enable Send alert email for the following and configure the settings below:
Interval Time: 1 minute
Send alert email for the following: Select Intrusion Detected and Virus Detected.
Click Apply to save the settings.
3 Click Test Connectivity. Test messages will be sent to the email account.
4 Open the email client application and confirm that the test messages have been received. If a severity level is used, the CLI contains additional interval hold-off timers for log levels above the selected severity level.
5 To view the Alert E-mail settings that were just configured, enter the following commands in the CLI on the Student FortiGate unit:
show system alertemail
show alertemail setting
Note: If the FortiGate unit collects more than one log message before an interval is reached, it combines the messages and sends out one alert email.
3 Return to Web Config for the Student FortiGate device and to Log&Report > Log Config > Log Setting. Click Test Connectivity to verify the connection status to the FortiAnalyzer device on the Internet. A green checkmark should be displayed for the connection.
4 In the web browser on the Student FortiGate device, access a few random web sites to generate traffic.
5 Access the FortiAnalyzer device at the IP address entered for your location (as in Step 1 of this exercise). Log in with the username of student and password of fortinet. 6 In FortiAnalyzer Web Config, go to Log & Archive > Log Access > Traffic and locate log entries for your FortiGate device based on the device name assigned. Use the Show list to select the name of your FortiGate device.
Tasks
In this lab, you will complete the following tasks:
Exercise 1 Creating Firewall Policy Objects
Exercise 2 Creating Firewall Policies
Exercise 3 Verifying the Firewall Policies
Exercise 4 Configuring Virtual IP Access
Exercise 5 Configuring IP Pools
Exercise 6 Configuring Traffic Shaping
Exercise 7 Testing Traffic Shaping
Timing
Estimated time to complete this lab: 45 minutes
3 Create a second address object with the following details:
Address Name: web-server
Type: Subnet/IP Range
Subnet/IP Range: 10.0.1.10
Interface: port3(internal)
4 Go to Firewall Objects > Service > Group and create a new service group with the following details:
Group Name: web
Members: DNS, HTTP, HTTPS, PING
To select the services for the web group, click the arrow buttons to move them between the Available Services and Members lists:
http://fgt.remote.lab
Log in with the default username of admin with no password. Keep this web browser window open. 2 Open a second instance of the web browser and connect to the Student FortiGate device at the following address:
http://fgt.student.lab
Log in with the default username of admin with the password of F0rtinet. 3 In Web Config on the Student FortiGate device go to System > Dashboard > Status and edit the Top Sessions widget.
4 Create a new customized Top Sessions Display widget with the following details:
Custom Widget Name: Customized Destination
Report By: Destination Address
Resolve Host Name: Enabled
5 In the Customized Destination widget, click the blue bar for the 10.200.3.1 address (fgt.remote.lab) to display all the sessions matching that address. The widget can be detached to make the list easier to view.
In the session list, pay close attention to the Policy ID field. This contains the firewall policy ID that allows the traffic from the virtual Windows 2003 Server to the Remote FortiGate device. Verify that this ID corresponds to the firewall policy created earlier in Exercise 2.
Click Attach to replace the widget on the dashboard if necessary.
6 Close the web browser currently connected to the Remote FortiGate device.
7 On the Student FortiGate device create another new policy, this one more specific, to match all traffic generated from the virtual Windows 2003 Server with the following details:
Source Interface / Zone: port3 (internal)
Source Address: web-server
Destination Interface / Zone: port1 (external1)
Destination Address: all
Schedule: always
Service: web
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Enabled
Comments: Windows 2003 Internet access
8 Because this new policy is more specific than the General Internet policy created in Exercise 2, the order of the policies must be changed for it to take effect. Select the policy created above and click Move To ( ). In the Move Policy window, click Before and type the policy ID of the General Internet policy. The re-ordered policy list will be displayed.
9 Open a new browser instance and access Web Config on the Remote FortiGate device at the following address:
http://fgt.remote.lab
10 In Web Config on the Student FortiGate device, return to the Customized Destination widget and check the Policy ID value reported in the session list. The sessions established to the Remote FortiGate device should contain the Policy ID generated for the Windows 2003 Internet access policy created in step 7.
Note: Remember that the FortiGate device is a stateful firewall. Therefore, any session already established using an existing firewall policy will be reused until the timeout value expires.
If traffic generated from the virtual Windows 2003 Server does not match the policy ID for the firewall created in step 7, delete any legacy entries created in the session table by clicking the Recycle Bin icon for the entry. This will force a new firewall policy lookup.
11 In the CLI on the Student FortiGate device, view the configuration for the firewall policies created above using the following command:
show firewall policy
12 View the configuration for a single firewall policy using the following command:
show firewall policy <ID>
(Obtain the ID number of the policy from the show firewall policy output used above.)
13 Close the web browser connected to the Remote FortiGate device.
2 To view the VIP settings, enter the following command in the CLI on the Student FortiGate unit:
show firewall vip
3 In Web Config on the Student FortiGate device create a new firewall policy to provide a guest PC access to the web server with the following details:
Source Interface / Zone: port1(external1)
Source Address Name: all
Destination Interface / Zone: port3(internal)
Destination Address Name: vip_to_webserver
Schedule: always
Service: HTTP
Action: ACCEPT
Log Allowed Traffic: Enabled
Enable NAT: Disabled (default)
Comment: Guest PC access to web server
4 From the virtual lab applet, go to Operations > Connect to Secondary > WinXP.
5 Open a web browser window on the virtual Windows XP desktop and access the following URL:
http://10.200.1.200
If the virtual IP operation is successful, the Fortinet Training Server web page is displayed.
6 To view the source and destination NAT mappings, enter the following CLI command on the Student FortiGate device:
get system session list | grep 10.200.1.200
Sample Output (columns: PROTO, EXPIRE, SOURCE, SOURCE-NAT, DESTINATION, DESTINATION-NAT):
tcp 119 10.200.3.1:44422 - 10.200.1.200:80 10.0.1.10:80
tcp 119 10.200.3.1:59264 - 10.200.1.200:80 10.0.1.10:80
tcp 64 10.0.1.10:2903 10.200.1.200:2903 204.2.171.74:80 -
tcp 119 10.200.3.1:42369 - 10.200.1.200:80 10.0.1.10:80
tcp 64 10.200.3.1:59271 - 10.200.1.200:80 10.0.1.10:80
tcp 3487 10.0.1.10:2904 10.200.1.200:2904 204.2.171.104:80 -
Configuring IP Pools
2 Go to Policy > Policy > Policy and edit the port3 (internal) -> port1 (external1) policy using the source address of web-server. Set the service to ANY. Ensure that Enable NAT is enabled along with Use Dynamic IP Pool. Select the External_IP pool from the list.
3 From the virtual Windows 2003 Server, open a DOS Command Prompt and ping the Remote FortiGate device at fgt.remote.lab. This will generate a new session.
4 From the CLI on the Student FortiGate device, enter the following command to verify the source NAT IP address:
get system session list | grep 10.200.1.100
Sample Output:
icmp 44 10.0.1.10:768 10.200.1.100:29316 10.200.3.1:8 -
As indicated in the session list, a new entry for ICMP traffic is generated and the source NAT IP address is 10.200.1.100.
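The two session-list outputs above (the VIP exercise and the IP pool exercise) are easier to audit with a small parser. The following Python is an added example, not part of the lab guide or FortiOS: it parses the rows shown above, classifies each session as destination NAT (the VIP), source NAT (IP pool or interface address) or untranslated, and flags sessions from the web server whose source NAT address is not the expected pool address. The column header line is the one `get system session list` prints; the sample rows are the ones in the guide, embedded here as constructed input.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the session rows shown in the VIP and IP pool steps,
# preceded by the header line that `get system session list` prints.
SAMPLE_OUTPUT = """\
PROTO   EXPIRE SOURCE            SOURCE-NAT          DESTINATION        DESTINATION-NAT
tcp     119    10.200.3.1:44422  -                   10.200.1.200:80    10.0.1.10:80
tcp     119    10.200.3.1:59264  -                   10.200.1.200:80    10.0.1.10:80
tcp     64     10.0.1.10:2903    10.200.1.200:2903   204.2.171.74:80    -
tcp     119    10.200.3.1:42369  -                   10.200.1.200:80    10.0.1.10:80
tcp     64     10.200.3.1:59271  -                   10.200.1.200:80    10.0.1.10:80
tcp     3487   10.0.1.10:2904    10.200.1.200:2904   204.2.171.104:80   -
icmp    44     10.0.1.10:768     10.200.1.100:29316  10.200.3.1:8       -
"""

Endpoint = Tuple[str, int]   # (IP address, port or ICMP id)


@dataclass
class Session:
    proto: str
    expire: int
    src: Endpoint
    src_nat: Optional[Endpoint]   # None when the column shows "-"
    dst: Endpoint
    dst_nat: Optional[Endpoint]   # None when the column shows "-"

    def nat_kind(self) -> str:
        """'dnat' for a VIP hit, 'snat' for outbound NAT / IP pool, 'both' or 'none'."""
        if self.src_nat is not None and self.dst_nat is not None:
            return "both"
        if self.dst_nat is not None:
            return "dnat"
        if self.src_nat is not None:
            return "snat"
        return "none"


def _endpoint(field: str) -> Optional[Endpoint]:
    """Turn 'ip:port' into a tuple; '-' means no translation in that column."""
    if field == "-":
        return None
    host, port = field.rsplit(":", 1)
    return host, int(port)


def parse_session_list(text: str) -> List[Session]:
    """Parse the six-column session table, skipping the header and any other lines."""
    sessions: List[Session] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 6 or cols[0] == "PROTO":
            continue
        proto, expire, src, snat, dst, dnat = cols
        sessions.append(Session(proto, int(expire), _endpoint(src), _endpoint(snat),
                                _endpoint(dst), _endpoint(dnat)))
    return sessions


def summarize(sessions: List[Session]) -> Dict[str, int]:
    """Count sessions by the kind of translation applied."""
    counts: Dict[str, int] = {}
    for s in sessions:
        counts[s.nat_kind()] = counts.get(s.nat_kind(), 0) + 1
    return counts


def vip_hits(sessions: List[Session], vip_ip: str, real_ip: str) -> List[Session]:
    """Sessions that arrived at the VIP address and were mapped to the real server."""
    return [s for s in sessions
            if s.dst[0] == vip_ip and s.dst_nat is not None and s.dst_nat[0] == real_ip]


def unexpected_snat(sessions: List[Session], src_ip: str, pool_ip: str) -> List[Session]:
    """Sessions from src_ip whose source was translated to something other than the pool."""
    return [s for s in sessions
            if s.src[0] == src_ip and s.src_nat is not None and s.src_nat[0] != pool_ip]


if __name__ == "__main__":
    sessions = parse_session_list(SAMPLE_OUTPUT)
    print(summarize(sessions))
    print("VIP hits:", len(vip_hits(sessions, "10.200.1.200", "10.0.1.10")))
    for s in unexpected_snat(sessions, "10.0.1.10", "10.200.1.100"):
        print("not using pool:", s.proto, s.src, "->", s.src_nat)
```

Run against the guide's rows, the two TCP sessions from 10.0.1.10 show up as not using the External_IP pool (they were translated to 10.200.1.200), while the ICMP session created after step 2 uses 10.200.1.100 as intended.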
total session 1
The output indicates which shaper policy the session is matching. In this scenario, the prio=4 entry indicates a priority of Low.
5 Download the file through FTP multiple times. After each download run the following command in the CLI:
diag sys session list
Note that the traffic value never increases above the maximum of 131072.
6 To check the status of the traffic shapers, enter the following CLI command:
diagnose firewall shaper traffic-shaper
7 Disable all the firewall policies created in this lab and re-enable the unrestricted port3 (internal) -> port1 (external1) policy.
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Creating an Identity-Based Firewall Policy
Exercise 2 Testing the Firewall Policy For Web Traffic
Exercise 3 Session-Based Authentication
Timing
Estimated time to complete this lab: 30 minutes
4 Go to Policy > Policy > Policy and edit the unrestricted port3(internal) -> port1(external1) policy with the following details:
Enable Identity Based Policy: Enabled
Click Add to create an Authentication Rule. Move the Auth_Users group to the Selected User Groups list. Move ANY to the Selected Services list.
Note: Depending on the resolution of your display, you may need use the down arrow key to scroll within the Edit Authentication Rule window.
Save the changes to the policy.
5 Connect to the CLI of the Student FortiGate device and enable Authentication Keep-alive for the web traffic firewall policies by entering the following commands:
config system global
set auth-keepalive enable
end
Note: Authentication keep-alive is used to keep the authentication session active to avoid an idle timeout.
2 In the Authentication Keepalive window, click the Logout link and attempt to browse to another web site.
4 In Web Config on the Student FortiGate device, go to Log&Report > Log & Archive Access > Event Log. Locate the log messages for the firewall policy authentication events. The details for the entry are displayed in the lower pane of the Event Log window. Note the log message level used for this type of event.
5 Return to the CLI and clear all authenticated sessions with the following command:
diagnose firewall iprope resetauth
Note: Use this command with caution on a live system.
6 Re-connect to the web site, this time entering the correct authentication credentials. Click the new window link in the Firewall Authentication Keepalive window to view the web page.
7 From the CLI, view the IP addresses and users which have successfully authenticated to the FortiGate unit with the following command:
diagnose firewall iprope authuser
8 In Web Config on the Student FortiGate device, go to User > Monitor > Firewall to view the details of the authenticated user along with the policy used to authenticate this user.
9 Edit the port3(internal) -> port1(external1) policy and disable the identity-based policy setting.
Session-Based Authentication
2 Go to User > User Group > User Group and create a new group called Explicit_Group. Add the explicit1 and explicit2 users to the Members list.
3 Go to System > Network > Interface and edit the port3(internal) interface to enable Enable Explicit Web Proxy.
4 Go to System > Network > Explicit Proxy. Enable Enable Explicit Web Proxy for HTTP/HTTPS.
5 Go to Policy > Policy > Policy and create a new firewall policy with the following details:
Source Interface/Zone: web-proxy
Source Address: all
Destination Interface/Zone: port1(external1)
Destination Address: all
Action: ACCEPT
Enable Identity Based Policy: Enabled
Click Add and create an authentication rule with the following details:
Selected User Group: Explicit_Group
Services: webproxy
Schedule: always
Log Allowed Traffic: Enabled
Note: Depending on the resolution of your display, you may need use the down arrow key to scroll within the Edit Authentication Rule window.
6 In the classroom environment, Internet Explorer will be used to test the proxy configuration. Since the configuration of Internet Explorer will be modified to use the proxy settings, Mozilla Firefox should be used to administer the Student FortiGate device through Web Config. In Mozilla Firefox on the virtual Windows 2003 Server, go to Tools > Options > Advanced and click the Network tab. In the Connection pane, click Settings and ensure that No Proxy is enabled.
7 In Internet Explorer on the virtual Windows 2003 Server, go to Tools > Internet Options and click the Connections tab. Click LAN settings and enable Use a proxy server for your LAN. Enter the details of the proxy server as follows:
Address: 10.0.1.254
Port: 8080
8 To reproduce a shared environment where several users connect to the same host, launch a Microsoft Terminal Services client session. On the virtual Windows 2003 Server, click Start > Run and enter the name of the Terminal Services application (mstsc.exe). When prompted for the computer name, enter the following IP address:
10.0.1.10
Log in with the username of Administrator and password of password.
9 In the Terminal Services window, launch the Internet Explorer browser and access any external web site. When prompted, log in with the username of explicit1 and password of fortinet1. At this point, one of the explicit users is now logged in. Minimize the Terminal Services window to return to the virtual Windows 2003 Server desktop.
10 Launch a second instance of Terminal Services and connect to the following IP address:
10.0.1.10
Log into this instance with the username of Administrator and the password of password.
11 In the new instance of Terminal Services, launch the Internet Explorer browser and access a different external web site. When prompted, this time log in with the username of explicit2 and password of fortinet2.
12 Upon successful login, minimize the Terminal Services window to return to the virtual Windows 2003 Server.
13 Connect to the CLI of the Student FortiGate device and enter the following command to display which users are currently connected to the FortiGate device:
diag wad user list
Sample output:
explicit1 10.0.1.10 id:1 VD: root, duration: 273
explicit2 10.0.1.10 id:2 VD: root, duration: 93
Session-Based Authentication
14 Shut down both instances of Terminal Services.
15 In Internet Explorer on the virtual Windows 2003 Server, disable Use a proxy server for your LAN.
16 In Web Config on the Student FortiGate unit, disable the webproxy → port1(external1) firewall policy.
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Configuring SSL VPN for Web Access
Exercise 2 Using the SSL VPN for RDP Access
Exercise 3 Configuring SSL VPN Tunnel Mode with Split Tunneling
Timing
Estimated time to complete this lab: 25 minutes
4 Go to User > User Group > User Group and create a new user group with the following details:
Name: SSLVPN
Type: Firewall
Allow SSL-VPN Access: Enable and select the web-access portal from the Allow SSL-VPN Access list.
Available Users/Groups: Move the SSL_User user from the Available Users/Groups list to the Members list.
5 A firewall policy is needed to allow access to the SSL VPN and authenticate the user. Go to Policy > Policy > Policy and create a new policy with the following details:
Source Interface: port1(external1)
Source Address: all
Destination Interface: port3(internal)
Destination Address: web-server
Action: SSL-VPN
SSL Client Certificate Restrictive: Disabled
Click Add to configure a new authentication rule with the following settings:
Available User Groups: Move SSLVPN from the Available User Groups list to the Selected User Groups list.
Service: Move ANY from the Available Services list to the Selected Services list.
Schedule: always, and leave the rule Enabled.
Note: Depending on the resolution of your display, you may need to use the down arrow key to scroll within the Edit Authentication Rule window.
6 From the virtual lab applet menu, go to Operations > Connect to Secondary > WinXP.
7 On the virtual Windows XP desktop, open a web browser and type the following address to connect to the SSL VPN portal: https://10.200.1.1:10443/
Confirm any security exemptions or alerts that may be displayed.
Note: By default, the SSL VPN gateway listens on port 10443. In an actual deployment, port 443 is recommended as this port is typically open on firewalls to allow easy remote access using SSL. The port can be changed by going to System > Admin > Settings and editing the Web Admin HTTPS service from port 443 to a different port number (for example, 8443). Afterwards, edit the SSL VPN login port from 10443 to 443.
8 When prompted, log in as SSL_User with the password of ssl_pw. The SSL VPN portal page will be displayed.
If the connection fails, verify the following:
SSL_User is a member of the SSLVPN user group.
The SSLVPN user group is associated with the port1(external1) → port3(internal) SSL VPN policy.
The SSL VPN policy is at the top of the policy list for port1(external1) → port3(internal).
Re-enter a new password for SSL_User in Web Config.
9 In the Bookmarks widget on the SSL VPN Portal page, add a new bookmark with the following details:
Name: Fortinet Training Server
Type: HTTP/HTTPS
Location: 10.0.1.10
Description: Optional
SSO: Disabled
10 Click the newly created bookmark link. A new browser window displays the web site. Note the URL of the web site in the browser address bar: https://10.200.1.1:10443/proxy/http/10.0.1.10/
The first part of the address is the encrypted link to the FortiGate SSL VPN gateway: https://10.200.1.1:10443...
The second part of the address is the instruction to use the SSL VPN HTTP proxy: .../proxy/http...
The final part of the address is the destination of the connection from the HTTP proxy: .../10.0.1.10/
In this example, the connection is encrypted up to the SSL VPN gateway. The connection from the HTTP proxy to the final destination is unencrypted.
11 Return to the virtual Windows 2003 Server device.
12 In Web Config, go to VPN > Monitor > SSL-VPN Monitor and locate the details of the SSL VPN connection.
13 Return to the virtual Windows XP device and click the logout icon to log out of the SSL VPN connection.
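The three-part address described in step 10 can be checked mechanically, which is useful when reviewing where encryption actually stops in web mode. The function below is an added example, not part of this lab guide or of FortiOS: it splits a web-mode bookmark URL into the gateway, the proxy protocol and the destination, and reports whether the second leg (proxy to destination) is encrypted. The sample URL is the one from step 10; the variant using /proxy/https/ is a constructed input.

```python
from urllib.parse import urlsplit


def parse_sslvpn_proxy_url(url):
    """Split an SSL VPN web-mode URL such as
    https://10.200.1.1:10443/proxy/http/10.0.1.10/ into its three legs.

    gateway      : the HTTPS link from the browser to the SSL VPN gateway
    proxy_scheme : protocol the gateway's proxy speaks to the destination
    destination  : the internal host the proxy connects to
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("the browser-to-gateway leg must be HTTPS")
    segments = parts.path.strip("/").split("/")
    if len(segments) < 3 or segments[0] != "proxy":
        raise ValueError("not an SSL VPN web-mode proxy URL")
    proxy_scheme, destination = segments[1], segments[2]
    if proxy_scheme not in ("http", "https"):
        raise ValueError(f"unexpected proxy scheme {proxy_scheme!r}")
    return {
        "gateway": parts.netloc,
        "proxy_scheme": proxy_scheme,
        "destination": destination,
        "path": "/" + "/".join(segments[3:]),
        # Only the first leg is protected by the SSL VPN itself; the second
        # leg is encrypted only when the proxy speaks HTTPS to the destination.
        "encrypted_to_destination": proxy_scheme == "https",
    }


def is_sslvpn_proxy_url(url):
    """True when url has the gateway/proxy/destination shape described above."""
    try:
        parse_sslvpn_proxy_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Sample URL from step 10 of this exercise.
    info = parse_sslvpn_proxy_url("https://10.200.1.1:10443/proxy/http/10.0.1.10/")
    for key, value in info.items():
        print(f"{key:25} {value}")
```

A bookmark of type HTTP/HTTPS whose location is given as an https:// address produces a /proxy/https/ URL instead, and the function then reports the second leg as encrypted as well.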
3 Click Go to launch the connection between the virtual Windows XP and Windows 2003 devices. When prompted, run the Java applet.
4 In Web Config on the virtual Windows 2003 Server, go to VPN > Monitor > SSL-VPN Monitor and locate the details for this connection.
5 In the virtual lab applet, disconnect from the virtual Windows XP device.
Leave all the other parameters at their default values. Click OK in the upper left hand corner of the Tunnel Mode widget to save changes to the widget then click OK at the top of the portal page to save the changes to the tunnel-mode portal.
Note: In the Tunnel Mode widget, note that the default IP range of SSLVPN_TUNNEL_ADDR1 has been used. A custom IP address pool can be created if required by clicking Edit.
3 Go to User > User Group > User Group and edit the SSLVPN user group. Change the portal type in the Allow SSL-VPN Access drop-down list to tunnelaccess.
4 Go to Policy > Policy > Policy and create a new policy with the following details:
Source Interface: sslvpn tunnel interface
Source Address: all
Destination Interface: port3(internal)
Destination Address: web-server
Schedule: always
Service: ANY
Action: ACCEPT
Log Allowed Traffic: Enabled
5 To accept traffic from the SSL VPN tunnel IP range, a static route on the Student FortiGate device must be created that points to the sslvpn interface. Without a static route in place, the RPF (reverse path forwarding) check mechanism will drop the packet. In Web Config, go to Router > Static > Static Route and create a new route entry with the following details:
Destination IP/mask: 10.212.134.192/255.255.255.224
Device: ssl.root
6 To view the routing table of the device before Tunnel Mode is initiated, enter the following command in the DOS Command Prompt on the virtual Windows XP device:
route print
Sample output is:
Active Routes:
Network Destination        Netmask          Gateway       Interface     Metric
0.0.0.0                    0.0.0.0          10.0.2.254    10.0.2.10     10
10.0.2.0                   255.255.255.0    10.0.2.10     10.0.2.10     10
10.0.2.10                  255.255.255.255  127.0.0.1     127.0.0.1     10
10.255.255.255             255.255.255.255  10.0.2.10     10.0.2.10     10
127.0.0.0                  255.0.0.0        127.0.0.1     127.0.0.1     1
192.168.1.0                255.255.255.0    192.168.1.3   192.168.1.3   10
192.168.1.3                255.255.255.255  127.0.0.1     127.0.0.1     10
192.168.1.255              255.255.255.255  192.168.1.3   192.168.1.3   10
224.0.0.0                  240.0.0.0        10.0.2.10     10.0.2.10     10
224.0.0.0                  240.0.0.0        192.168.1.3   192.168.1.3   10
255.255.255.255            255.255.255.255  10.0.2.10     10.0.2.10     1
255.255.255.255            255.255.255.255  192.168.1.3   192.168.1.3   1
255.255.255.255            255.255.255.255  192.168.1.3   10005         1
Default Gateway:           10.0.2.254
7 In the web browser on the virtual Windows XP device, connect to the portal at the following address: https://10.200.1.1:10443/
When prompted, log in as SSL_User with the password of ssl_pw.
8 The first time Tunnel Mode is used on the device, a plug-in will need to be installed. Click the link presented in the message to download and install the plug-in.
When the plug-in is correctly installed, restart the web browser.
9 In the web browser on the virtual Windows XP device, connect to the portal once again at the following address: https://10.200.1.1:10443/
Log in as SSL_User with the password of ssl_pw.
10 From the Tunnel Mode widget, click Connect to initiate the tunnel mode connection. The fortissl virtual interface will receive an IP address from the Student FortiGate device. The assigned IP should be in the 10.212.134.[200-210] range.
Note: The IP addresses to be allocated to client PCs can be defined in the SSL VPN Portal definition.
11 To view the routing table after Tunnel Mode has been initiated, enter the following command in a DOS Command Prompt on the virtual Windows XP device:
route print
Sample output:
Active Routes:
Network Destination        Netmask          Gateway          Interface        Metric
0.0.0.0                    0.0.0.0          10.0.2.254       10.0.2.10        10
10.0.1.10                  255.255.255.255  10.212.134.200   10.212.134.200   1
10.0.2.0                   255.255.255.0    10.0.2.10        10.0.2.10        10
10.0.2.10                  255.255.255.255  127.0.0.1        127.0.0.1        10
10.200.1.1                 255.255.255.255  10.0.2.254       10.0.2.10        1
10.212.134.200             255.255.255.255  127.0.0.1        127.0.0.1        50
10.255.255.255             255.255.255.255  10.0.2.10        10.0.2.10        10
10.255.255.255             255.255.255.255  10.212.134.200   10.212.134.200   50
127.0.0.0                  255.0.0.0        127.0.0.1        127.0.0.1        1
192.168.0.0                255.255.255.0    192.168.0.12     192.168.0.12     10
192.168.0.12               255.255.255.255  127.0.0.1        127.0.0.1        10
192.168.0.255              255.255.255.255  192.168.0.12     192.168.0.12     10
224.0.0.0                  240.0.0.0        10.0.2.10        10.0.2.10        10
224.0.0.0                  240.0.0.0        10.212.134.200   10.212.134.200   50
224.0.0.0                  240.0.0.0        192.168.0.12     192.168.0.12     10
255.255.255.255            255.255.255.255  10.0.2.10        10.0.2.10        1
255.255.255.255            255.255.255.255  10.212.134.200   10.212.134.200   1
255.255.255.255            255.255.255.255  10.212.134.200   2                1
255.255.255.255            255.255.255.255  192.168.0.12     192.168.0.12     1
Default Gateway:           10.0.2.254
Note the differences now that the SSL tunnel mode is fully established between the Windows XP device and the FortiGate unit. A new entry for the host at the IP address of 10.0.1.10 has been added to the routing table with a metric of 1 pointing to the fortissl IP address of 10.212.134.200. This indicates that only traffic to the 10.0.1.10 address is being sent over the SSL VPN; all other traffic still follows the default gateway.
12 In the web browser on the virtual Windows XP device, connect to the Training portal web site once again to test the connection: https://10.0.1.10
13 Disconnect from the virtual Windows XP device.
14 Disable the firewall policies created in this lab.
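To make the split-tunneling behaviour above concrete, here is an added Python example, not part of the lab guide, that performs the longest-prefix lookup Windows does over a few rows transcribed from the two route print outputs, and applies the FortiGate-side reverse path check from step 5 to addresses in the tunnel pool. The route rows are constructed from the sample output and abbreviated to the ones that matter; the pool range 10.212.134.200-210 and the static route 10.212.134.192/255.255.255.224 via ssl.root are the values given in this exercise.

```python
"""Longest-prefix route lookup over the Windows XP tables from steps 6
and 11, plus the FortiGate reverse path check from step 5. Added example,
not part of the lab guide; the route rows are transcribed from the lab's
sample output and abbreviated to the ones that matter (constructed input)."""
from ipaddress import ip_address, ip_network

# (network destination, netmask, gateway, interface, metric) as route print shows them.
BEFORE_TUNNEL = [
    ("0.0.0.0",   "0.0.0.0",       "10.0.2.254", "10.0.2.10", 10),
    ("10.0.2.0",  "255.255.255.0", "10.0.2.10",  "10.0.2.10", 10),
    ("127.0.0.0", "255.0.0.0",     "127.0.0.1",  "127.0.0.1", 1),
]

# Rows that appear once Tunnel Mode is up: a host route to the training
# server via the fortissl address, a host route to the SSL VPN gateway
# itself via the LAN (so the tunnel's own packets never loop into it),
# and the fortissl address on loopback.
AFTER_TUNNEL = BEFORE_TUNNEL + [
    ("10.0.1.10",      "255.255.255.255", "10.212.134.200", "10.212.134.200", 1),
    ("10.200.1.1",     "255.255.255.255", "10.0.2.254",     "10.0.2.10",      1),
    ("10.212.134.200", "255.255.255.255", "127.0.0.1",      "127.0.0.1",      50),
]

FORTISSL_IP = "10.212.134.200"


def lookup(table, dest):
    """(gateway, interface) Windows selects for dest: the most specific
    matching route wins, and the lowest metric breaks ties."""
    addr = ip_address(dest)
    best = None
    for network, mask, gateway, interface, metric in table:
        net = ip_network(f"{network}/{mask}", strict=False)
        if addr in net:
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, gateway, interface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1], best[2]


def via_tunnel(table, dest):
    """True when traffic for dest would leave through the fortissl interface."""
    return lookup(table, dest)[1] == FORTISSL_IP


# FortiGate side: the static route created in step 5, as (prefix, device).
FORTIGATE_STATIC_ROUTES = [("10.212.134.192/255.255.255.224", "ssl.root")]


def rpf_ok(src_ip, ingress_device, routes=FORTIGATE_STATIC_ROUTES):
    """Reverse path forwarding check: a packet is accepted only when the best
    route back to its source address points at the interface it arrived on.
    Without the step 5 route, no entry matches and the packet is dropped."""
    addr = ip_address(src_ip)
    best = None
    for prefix, device in routes:
        net = ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, device)
    return best is not None and best[1] == ingress_device


if __name__ == "__main__":
    for dest in ("10.0.1.10", "10.200.1.1", "10.0.2.50"):
        print(f"{dest:12} before: {lookup(BEFORE_TUNNEL, dest)}  after: {lookup(AFTER_TUNNEL, dest)}")
    for client in ("10.212.134.200", "10.212.134.210", "10.212.134.230"):
        print(f"{client} accepted on ssl.root: {rpf_ok(client, 'ssl.root')}")
```

Two things the lookup makes visible: only 10.0.1.10 moves onto the tunnel after connection, everything else keeps its pre-tunnel next hop; and the /32 to 10.200.1.1 via the LAN gateway is what keeps the encrypted SSL packets themselves from being routed back into the tunnel. On the FortiGate side, an address outside the /27 (such as 10.212.134.230) fails the reverse path check even though it arrives on ssl.root, which is the drop the exercise warns about when the static route is missing.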
Lesson 6 - Antivirus
Lab 6 Antivirus
Objectives
In this exercise, global antivirus settings will be explored, including:
Accessing the FortiGuard Distribution Network
Ensuring that antivirus definitions are updated through the FortiGuard Subscription Services
Enabling grayware scanning
Setting up file quarantine
Enabling antivirus scanning for the web proxy server
Customizing antivirus replacement messages
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Enabling FortiGuard Subscription Services and Updates
Exercise 2 Configuring Global Antivirus Settings
Exercise 3 Testing Virus Scanning for HTTP
Exercise 4 Inspecting HTTPS Traffic
Timing
Estimated time to complete this lab: 30 minutes
Note: These exercises can only be completed if the FortiGate unit has already been registered with Fortinet Support (https://support.fortinet.com). The virtual devices used in the classroom have already been registered.
3 Go to UTM Profiles > AntiVirus > Virus Database and confirm that the FortiGate unit is using the Extended Virus Database.
4 Back in System > Config > FortiGuard, expand AntiVirus and IPS Options and enable a scheduled update for every four hours.
5 Still in the AntiVirus and IPS Options window, click Update Now to force the FortiGate unit to obtain the latest antivirus and IPS definitions. If properly entitled, and depending on Internet congestion, the FortiGate unit will receive and install the updated definitions after 3 to 5 minutes.
6 After a few minutes, return to System > Config > FortiGuard and check for the new updates. Today's date should appear next to the version number for both AV and IPS Definitions. The AV and IPS signature databases can also be updated either individually or together through the CLI using the following commands:
exec update-av     Update AV engine/definitions
exec update-ips    Update IPS engine/definitions
exec update-now    Update now
Note: Antivirus and IPS updates can also be set to be pushed automatically to the FortiGate unit. To allow push updates, expand AntiVirus and IPS Options and enable Allow Push Update and set the update schedule required, for example, every 4 hours. In the classroom environment, the FortiGate unit is behind a NAT device. Port forwarding must be configured on the NAT device, otherwise push updates will not work.
Note: The update-now command will update antivirus and IPS definitions only. It will not upgrade the system firmware.
7 To view the update settings, enter the following CLI command on the Student FortiGate unit:
get system autoupdate schedule
The FortiGuard autoupdate interval was set to 4 hours through Web Config, but the CLI shows 4:60. This means that the additional minutes interval will be randomly picked from 0 to 59 minutes to spread out the request load on the FortiGuard server. An exact hour and minute interval can be set through the CLI using the following commands:
config system autoupdate schedule
set time 4:0
end
Verify the change with the following CLI command:
show system autoupdate schedule
8 In the FortiGuard Subscription Services window, expand Web Filtering and Email Filtering Options. Configure the settings with the following details:
Enable Web filter cache: Enabled, TTL: 1800 seconds (30 minutes)
Enable antispam cache: Enabled, TTL: 900 seconds (15 minutes)
Port Selection: Use Alternate Port (8888)
By default, FortiGuard uses UDP/53 since this port is often left open for DNS traffic. If there is another IPS device on the network that is decoding DNS data on port 53, the FortiGuard request/response may trigger an alert as the data is encrypted. In this scenario, change to the alternate port of 8888 and ensure that any upstream devices will permit this traffic to pass.
Note: The status of FortiGuard Web Filtering may show as unreachable until a web filter profile is applied to a firewall policy.
3 In Web Config, go to UTM Profiles > AntiVirus > Profile and create a new profile called Standard with the following details (click Create New in the upper right-hand corner of the Edit AntiVirus Profile window):
Virus Scan and Removal: enable all protocols
Quarantine: enable all protocols
4 Go to Policy > Policy > Policy and edit the port3(internal) port1(external1) policy to enable UTM using the Standard antivirus profile.
5 Replacement messages are substituted for the infected file when the FortiGate antivirus engine detects a virus. Go to System > Config > Replacement Message. Expand HTTP and edit the text of the default Virus message. The same replacement message can be displayed using the following command in the CLI:
show system replacemsg http http-virus
Note: Some replacement messages are stored in raw HTML code. Make sure that the correct syntax is used and preserve the existing HTML tags. An external HTML editor can be used to create the replacement message and then copy and paste the resulting HTML code into the FortiGate replacement message text window.
The Eicar file is an industry-standard file used to test antivirus detection. The file contains the following characters: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The HTTP virus message is shown when infected files are blocked or have been quarantined. In the message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information about the detected virus.
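When building a local copy of the test file for an exercise like this one, it is worth checking that the file is actually a well-formed EICAR sample, because a scanner is only obliged to detect the exact form EICAR specifies. The script below is an added example, not from the lab guide or from Fortinet: it carries the 68-character string shown above, validates a byte string against EICAR's published rules (the string first, optionally followed by whitespace, 128 bytes at most), and offers a plain signature match as the simplest illustration of what an antivirus engine does on the HTTP body before it blocks the download and shows the replacement message. The write_eicar helper and the file name eicar.com are assumptions for the example.

```python
"""EICAR test file helpers. Added example, not from the lab guide. The
68-character string is the public EICAR standard test string; the validity
rules implemented below (optional trailing whitespace, at most 128 bytes
in total) follow EICAR's published specification."""

EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_BYTES = EICAR.encode("ascii")
# Whitespace EICAR permits after the string: space, tab, LF, CR, CTRL-Z.
ALLOWED_TAIL = b" \t\n\r\x1a"
MAX_LEN = 128


def is_valid_eicar(data: bytes) -> bool:
    """True when data is a well-formed EICAR test file, i.e. something an
    antivirus engine is obliged to detect. A file that merely contains the
    string somewhere inside other content is not guaranteed to be flagged."""
    if len(data) > MAX_LEN or not data.startswith(EICAR_BYTES):
        return False
    return all(b in ALLOWED_TAIL for b in data[len(EICAR_BYTES):])


def contains_eicar(data: bytes) -> bool:
    """Plain signature match: the simplest form of the check an antivirus
    engine runs over an HTTP body before deciding to block it."""
    return EICAR_BYTES in data


def write_eicar(path: str, tail: bytes = b"\r\n") -> int:
    """Write a test file to path and return the number of bytes written;
    the tail must keep the file valid under the rules above (assumed helper)."""
    data = EICAR_BYTES + tail
    if not is_valid_eicar(data):
        raise ValueError("tail would make the file an invalid EICAR sample")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    import os
    import tempfile
    target = os.path.join(tempfile.gettempdir(), "eicar.com")  # assumed name
    print(f"wrote {write_eicar(target)} bytes to {target}")
```

The distinction between is_valid_eicar and contains_eicar is the practical point: a download that embeds the string in the middle of a larger file may or may not be caught depending on the engine, so a test that fails to trigger the replacement message should first be checked for being a valid sample before the FortiGate configuration is suspected.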
3 In Web Config, go to Log&Report > Log & Archive Access > UTM Log and locate the antivirus event messages.
Alternately, go to UTM Profiles > Monitor > AV Monitor to view details of the log event.
Note: There may be policies in place from previous exercises that could allow the files to be downloaded. If the above steps do not work, go to the firewall policies and ensure that all other policies other than the default are disabled.
5 Return to the Eicar web page and attempt to download the eicar.com file from the Download area, this time using the secure SSL-enabled (https) section.
Note: You may be prompted to accept a security warning to accept the digital certificate from the Eicar web site.
This time, the download will be blocked by the FortiGate unit and the replacement message will be displayed.
6 In Web Config on the Student FortiGate device, edit the port3(internal) → port1(external1) policy to disable UTM.
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Testing Web Category Filtering
Exercise 2 Configuring Web Filtering Authentication
Exercise 3 Configuring Web Filtering Quotas
Timing
Estimated time to complete this lab: 40 minutes
5 In a web browser on the virtual Windows 2003 Server, connect to a web site. A Web Page Blocked window should be displayed.
6 In Web Config, go to System > Config > Replacement Message. Expand FortiGuard Web Filtering and edit the URL block message to customize the text of the message.
7 Revisit the web site and ensure that the customized Web Page Blocked message is displayed.
3 Go to UTM Profiles > Web Filter > Profile and edit the Category_Test profile. Select all the categories and, using the Change Action for Selected Categories to setting, set the action to Authenticate. Select the web-override user group from Available User Groups and move it to Selected User Groups.
4 In the web browser, attempt to connect to a blocked category web site. A Web Page Blocked message is displayed again, this time with a Proceed button.
Enter the user name of Override_User and the password of override_pw and click Continue.
6 The blocked web page should be displayed.
Note: The Web Filter Block Override web page may not function properly when flow-based web filtering is used instead of proxy-based filtering.
7 In Web Config, go to Log&Report > Log & Archive Access > UTM Log and locate the log messages related to the web filtering activity.
2 In the web browser, attempt to visit a blocked category web site again. Click the Proceed link on the Web Page Blocked page. Authenticate on the Web Filter Block Override page using the Override_User credentials.
Note: The Web Category Override web page may not function properly when flow-based web proxies are used.
3 Once authenticated properly, the quota timer is initiated. Go to UTM Profiles > Monitor > FortiGuard Quota to display the current quota timer value.
When the daily quota value is reached, the FortiGuard replacement message will be displayed again.
4 In Web Config, go to Log&Report > Log & Archive Access > UTM Log and locate the log messages related to the web filtering activity.
5 Edit the Category_Test profile, expand Quotas on Categories and delete the quotas on the selected categories.
6 Edit the port3(internal) → port1(external1) policy to disable UTM.
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Blocking Encrypted Files
Exercise 2 Blocking Leakage of Credit Card Information
Exercise 3 Blocking Oversize Files by Type
Exercise 4 DLP Banning and Quarantining
Exercise 5 DLP Fingerprinting
Timing
Estimated time to complete this lab: 40 minutes
3 This new DLP rule must be added to a sensor. In Web Config on the Student FortiGate device, go to UTM Profiles > Data Leak Prevention > Sensor. Create a new proxy-based detection sensor called No_Encrypted_Files (click Create New in the upper right-hand corner of the Edit DLP Sensor window).
4 In the Edit DLP Sensor window, create a new DLP sensor filter with the following details:
Filter Name: No_Encrypted_Files_Filter
Filter By: Advanced Rule
Advanced Rule: Block_Encrypted
Action: Block
Archive: Disable
5 Go to Policy > Policy > Policy and edit the port3(internal) → port1(external1) firewall policy to enable UTM. Enable the DLP sensor called No_Encrypted_Files.
6 To test the DLP sensor, an encrypted file will be sent to an email recipient. A web-based file transfer tool will be used to send the file. In a web browser on the virtual Windows 2003 Server, connect to the following URL: http://www.sendspace.com
7 On the Sendspace web page, click Browse and locate the encrypted test file called dlp-test-encrypt.zip on the desktop of the virtual Windows 2003 Server. Enter the email address of a recipient along with your own email address in the appropriate fields and click Upload. The DLP warning message will be displayed.
8 In Web Config on the Student FortiGate device, go to Log&Report > Log & Archive Access > UTM Log and locate the entry for the data leak action.
9 Change the extension of the encrypted file on the virtual Windows 2003 Server desktop to *.txt.
10 Return to the sendspace.com web site and attempt to transfer the file again. The file should still be blocked.
11 Go to Log&Report > Log & Archive Access > UTM Log and locate the log events generated by the sensor for this blocked transfer.
12 By default, the No_Encrypted_Files sensor is proxy-based. The sensor can be modified to use flow-based detection. Flow-based detection provides high concurrent sessions, high session rates and low-latency DLP filtering. In Web Config on the Student FortiGate device, go to UTM Profiles > Data Leak Prevention > Sensor and edit the No_Encrypted_Files sensor to change the Inspection Method to Flow-based Detection. Apply the change to the sensor.
13 Return to the sendspace.com web site once again and attempt to transfer the encrypted test file. The file upload should still be blocked but no replacement message will be displayed since the FortiGate unit resets the connection by sending a TCP RST and ACK message. Depending on the web browser being used, a connection reset message may be displayed.
14 Go to Policy > Policy > Policy and edit the port3(internal) port1(external1) firewall policy to disable UTM.
5 Go to Policy > Policy > Policy and edit the port3(internal) port1(external1) firewall policy to enable UTM. Enable DLP filtering using the Sensitive_Data sensor.
6 A file called creditcards.xls containing credit card numbers is posted on the Fortinet Online Campus. In a web browser on the virtual Windows 2003 Server, attempt to download the file from the following location: http://campus.training.fortinet.com Click Class Descriptions, and the 201 - FortiGate I tab and locate the file in the Student Resource Files section at the bottom of the web page. Click the link to attempt to access the file. The DLP block message will be presented when the file download is attempted.
7 In Web Config on the Student FortiGate device, go to Log&Report > Log & Archive Access > UTM Log and locate the log entry for the DLP block action.
3 Enter the following CLI commands on the Student FortiGate device to clone the built-in Large-HTTP-Post DLP rule to create a second DLP rule called MP3:
config dlp rule
clone Large-HTTP-Post to MP3
4 Edit the new MP3 rule with the following CLI commands to apply the rule to the HTTP-GET and HTTP-POST operations:
edit "MP3"
set sub-protocol http-get http-post
set field file-type
set file-type 3
set file-type-negated disable
next
end
Note: file-type identifies the integer value of the file pattern table. To find out the correct value to use for a DLP rule (in this case, MP3), enter a question mark after the command. For example:
set file-type ?
Sample output:
Please enter the integer value of the filepattern table
1 builtin-patterns
2 all_executabled
3 No_MP3
5 Still in the CLI, use the following commands to create a compound rule called MP3_Compound:
config dlp compound
edit "MP3_Compound"
set protocol http
set sub-protocol http-get http-post
set member "Large-HTTP-Post" "MP3"
next
end
6 In Web Config on the Student FortiGate device, go to UTM Profiles > Data Leak Prevention > Sensor and edit the Sensitive_Data sensor. Create a new filter to include the new MP3_Compound rule:
7 A file called big.mp3 is posted on the Fortinet Online Campus. In a web browser on the virtual Windows 2003 Server device, attempt to download the file from the following location: http://campus.training.fortinet.com Click Class Descriptions, and the 201 - FortiGate I tab and locate the file in the Student Resource Files section at the bottom of the web page. Click the link to attempt to access the file. The DLP block replacement message should be presented when the file download is attempted.
8 Go to Log&Report > Log & Archive Access > UTM Log and locate the log entry for the DLP block action.
DLP Fingerprinting
Click OK to save the change to the filter and click Apply to save the change to the sensor.
4 Go to Policy > Policy > Policy and enable the port1(external1) → port3(internal) policy for vip_to_webserver. Enable UTM and enable the Fingerprint_Test sensor.
5 In the remote lab applet, go to Operations > Connect To Secondary > WinXP to connect to the virtual Windows XP device.
6 Launch a web browser on the virtual Windows XP desktop and attempt to access the Fortinet Training web server located at the following location: http://10.200.1.200
7 From the Additional Files tab, click Additional Files and attempt to download the file called HA_Chapter.pdf. The DLP block replacement message should be presented when the file download is attempted.
8 In Web Config on the Student FortiGate device, go to Log&Report > Log & Archive Access > UTM Log and locate the log entry for the DLP block action.
9 In Web Config, go to Firewall > Policy > Policy and edit the port1(external1) → port3(internal) policy for vip_to_webserver to disable UTM and the Fingerprint_Test sensor.
Lab 9 Application Control
Objectives
In this lab, access to specific applications will be blocked using the application control on the FortiGate unit.
Tasks
In this lab, the following tasks will be completed:
Exercise 1 Creating an Application Control List
Exercise 2 Testing Application Control
Timing
Estimated time to complete this lab: 15 minutes
4 Create a second filter in the App_Control_Lab sensor with the following details:
Type: Application
Application: Myspace
Action: Block
5 Go to Policy > Policy > Policy and edit the port3(internal) → port1(external1) firewall policy to enable UTM. Enable application control using the App_Control_Lab sensor.
3 Create a second filter in the App_Control_Lab2 sensor with the following details:
Type: Filter
Category: proxy
Action: Block
4 Go to Policy > Policy > Policy and edit the port3(internal) → port1(external1) firewall policy to use the App_Control_Lab2 sensor.
5 On the virtual Windows 2003 Server, launch a web browser and access the following web site: http://www.facebook.com
6 In Web Config, go to Log&Report > Log & Archive Access > UTM Log and locate the log entries for the blocked access to Facebook.
7 Return to the web browser and attempt to access the following web site: http://proxite.us
On the proxy web site, enter the URL of a site to visit and click Go.
8 In the UTM Log, locate the log entries for the blocked proxy actions.
9 Go to Policy > Policy > Policy and edit the port3(internal) → port1(external1) firewall policy to disable UTM.