Nse4 Manual Fortinet

Virtual Lab Setup Guide
for FortiGate, FortiAnalyzer, and FortiManager 5.4

FORTINETTRAININGSERVICES
http://www.fortinet.com/training
FORTINET DOCUMENTLIBRARY
http://docs.fortinet.com
FORTINETKNOWLEDGE BASE
http://kb.fortinet.com
FORTINETFORUMS
https://forum.fortinet.com
CUSTOMERSERVICE&SUPPORT
https://support.fortinet.com
FORTIGUARDCENTER
http://www.fortiguard.com
NETWORK SECURITY EXPERT PROGRAM (NSE)

https://www.fortinet.com/support-and-training/training/network-security-expert-program.html
FEEDBACK
Email: courseware@fortinet.com
6/13/2017
TABLEOFCONTENTS
Change Log 4
Disclaimer 6
Introduction 7
Materials 8
Additional files required for the labs 9
System Requirements 10
Network Topology 10
Loading the VMs in VMware Workstation 11
Loading the Windows VMs on VMware Workstation 12 11
Loading the Fortinet VMs on VMware Workstation 12 11
Loading the Prebuilt Linux Image 12
Loading the FIT VM 12
Configuring VMware Virtual Networking 13
Configuring the VMs 16
Linux 17
Local-FortiGate 24
Local-Windows 25
FortiManager 35
FortiAnalyzer 38
Restoring the Local-FortiGate Initial Configuration and License 39
Remote-FortiGate 40
Remote-Windows 41
Testing 43
Creating Snapshots 45
Change Log
The FortiGate 5.4 Lab Setup Guide has been updated to include the latest training releases of FortiAnalyzer
5.4.2 and FortiManager 5.4.2.
If you already built your virtual lab environment based on the FortiGate 5.4 Lab Setup Guide, and will be teaching
FortiAnalyzer and FortiManager 5.4.2, you need to make modifications to your lab environment as outlined
below.
If you have not already built the FortiGate 5.4 lab environment as per the FortiGate
5.4 Lab Setup Guide, you can ignore this Change Log and complete the lab setup in
its entirety.
Modifications needed Instructions
Obtain VM firmware image You can download the files from Fortinet Support (www.support.fortinet.com)
files for: by logging in with supplied credentials.
l FortiAnalyzer 5.4.2 Perform a firmware update on your existing FortiAnalyzer and FortiManager
l FortiManager 5.4.2 VMs through the System Resources widget on the Dashboard of each VM.
This replaces the FortiAnalyzer The IP address for both VMs will remain the same.
and FortiManager 5.4.0 VMs.
Replace the Resources folder The Resources folder is provided in the Virtual-Lab-Setup-Files-
on your Local-Windows Desktop FGT-FAZ-FMG-5.4.zip.
Upload the new 5.4.2 initial l FortiManager: Log into the FortiManager GUI at 10.0.1.241 (admin / blank
configuration files for both password) and restore the initial configuration from:
FortiAnalyzer and FortiManager
Resources/FortiManager/initial-config/FMG-5.4.2-
VMs
initial.dat
l FortiAnalyzer: Log into the FortiAnalyzer GUI at 10.0.1.210 (admin / blank

password) and restore the initial configuration from:
Resources/FortiAnalyzer/initial-config/FAZ-5.4.2-
initial.dat
*Obtain 1 IOC license for After purchase, you can download the files from Fortinet Support
FortiAnalyzer (www.support.fortinet.com) by logging in with supplied credentials.
*Load the FIT VM for The image is provided in the Virtual-Lab-Setup-Files-FGT-FAZ-

FortiAnalyzer labs FMG-5.4.zip. See Loading the FIT VM for instructions.
*Configure virtual networking See Configuring VM Virtual Networking for instructions.

for the FIT VM
4 Virtual Lab Setup Guide for FortiGate, FortiAnalyzer, and FortiManager 5.4
Fortinet Technologies Inc.
Change Log
Modifications needed Instructions
Open FortiManager See To configure FortiManager as an FDN server for instructions.

communication with FortiGuard
and re-download the most
recent service packages and
updates
*Upload the IOC license to See To upload the entitlement files for instructions.
FortiManager
Install Nikto v2.1.5 on the Linux If you are using the pre-built Linux VM, the VM is included in the Virtual-
VM* Lab-Setup-Files-FGT-FAZ-FMG-5.4.zip. This Linux VM already
includes Nikto, so you only need to replace your existing Linux VM with this
new one.
If you built your Linux from scratch, you will need to complete the Nikto
installation on your Linux VM. See Installing Nikto for instructions.
*Add a PuTTY bookmark for FIT See To create bookmarks in PuTTY for instructions.
in Local-Windows
*Create the FAZadmin user in See To create the Training OU and additional users for instructions.
the Training OU in Active
Directory (Local-Windows)
Testing network connectivity See Testing for instructions.
Create new snapshots of all See Creating Snapshots for instructions.

modified VMs
* This is only required for the FortiAnalyzer 5.4.2 training. It is not necessary for the FortiGate or FortiManager
training.
Virtual Lab Setup Guide for FortiGate, FortiAnalyzer, and FortiManager 5.4 5
Disclaimer
Fortinet only supports lab environments that are built to the specifications outlined in this guide. Any
modifications to, or deviations from, the environment described in this guide can impact the outcome of the
student lab exercises. Lab exercises are used as a way to reenforce learning, and knowledge obtained from
successfully performing these labs is essential for NSE certification preparation.
Introduction
This guide explains how to configure the lab for the following Fortinet training courses:
l FortiGate I 5.4.1 (NSE4 preparation)

l FortiGate II 5.4.1 (NSE4 preparation)
l FortiAnalyzer 5.4.2 (NSE5 preparation)
l FortiManager 5.4.2 (NSE5 preparation)
In this environment, the FortiManager is acting as a local FortiGuard server. It validates the FortiGate licenses
and replies to FortiGuard Web Filtering rating requests from FortiGate VMs. The FortiManager is configured in
closed network mode, providing FortiGuard services to local FortiGate VMs, without requiring Internet access.
To administer this lab as designed, you will:
1. Load, configure, and test the VM images required for this lab.
2. Save a VMware snapshot of the VM images.
3. Deploy a copy of all VMs for each student every time there is a class.
Materials
To build the virtual lab required for this class, you must purchase or download:
Resource Information
1 VMware Workstation
installation per For hardware system requirements, see System Requirements
student
2 FortiGate VM
For Local-FortiGate and Remote-FortiGate
licenses
1 FortiAnalyzer VM
Must be registered with the IPaddress 10.0.1.210
license
1 FortiManager VM
Must be registered with the IPaddress 10.0.1.241
license
4 FortiCare contracts One for Local-FortiGate, Remote-FortiGate, FortiAnalyzer, and FortiManager
1 FortiGuard Web
Filtering and IPS For Local-FortiGate only
contract
For FortiAnalyzer (only required if teaching the FortiAnalyzer 5.4.2 course). Provides the
1 IOC license
Indicators-of-Compromise feature.
2 Windows Server
For Local-Windows and Remote-Windows
2012 VMs
Prebuild image is provided by Fortinet Training. The image is provided in the Virtual-
1 Linux VM image
Lab-Setup-Files-FGT-FAZ-FMG-5.4.zip.
Prebuild image is provided by Fortinet Training (only required if teaching FortiAnalyzer 5.4.2).
1 FIT VM image
The image is provided in the Virtual-Lab-Setup-Files-FGT-FAZ-FMG-5.4.zip.
VM firmware image
files for:
l FortiGate 5.4.1 After purchase, you can download the files from Fortinet Support (www.support.fortinet.com)
l FortiAnalyzer 5.4.2 by logging in with supplied credentials.
l FortiManager 5.4.2
Materials Additional files required for the labs
Resource Information
1 Resources folder
that includes:
l Initial configuration Prebuild files are provided by Fortinet Training. The files are provided in the Virtual-Lab-
for each lab Setup-Files-FGT-FAZ-FMG-5.4.zip.
l Solution
configuration files for
each lab
Additional files required for the labs
The following software is also required on the Windows VM.
Some of these files are provided in the Virtual Lab Setup Guide ZIP package.
Software Resource
Mozilla Firefox
https://www.mozilla.org/en-US/firefox/new/
46.0.1
Mozilla Thunderbird
https://www.mozilla.org/en-US/thunderbird/
45.1.0
PuTTY 0.67 http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
ActivePerl
http://www.activestate.com/activeperl/downloads
5.22.1.2201
Perl script for

converting
FortiGate sniffer File name: fgt2eth.pl
output to Wireshark http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=11186
PCAP (packet
capture) format
Windows Server
2012 patch Installation file provided in the Virtual-Lab-Setup-Files-FGT-FAZ-FMG-5.4.zip.
KB9089134
Wireshark 2.0.3 https://www.wireshark.org/download.html
Nikto 2.1.5 http://www.cirt.net/nikto2
System Requirements Materials
Software Resource
Notepad++ 6.9.1 https://notepad-plus-plus.org/download/v6.9.html
FileZilla Client
https://filezilla-project.org/download.php
3.17.0.1
Adobe Reader https://get.adobe.com/reader/
Adobe Flash Player

http://get.adobe.com/flashplayer/
17.0.0
FortiClient 5.4.0
https://support.fortinet.com
build 0780
Java 8 Update 91
GNU Wget 1.11.4 http://gnuwin32.sourceforge.net/packages/wget.htm
System Requirements
Each workstation running VMware Workstation requires:
l 1 Ethernet interface
l 8 GB RAM
l 300 GB storage (hard disk, SAN, etc.)
Network Topology
Loading the VMs in VMware Workstation
This section outlines how to load the VMs in VMware Workstation, including the Windows VMs, Fortinet VMs
(FortiGate, FortiManager, and FortiAnalyzer), and the Linux VM.
The Virtual-Lab-Setup-Files-FGT-FAZ-FMG-5.4.zip package provides a

prebuilt image of the Linux VM, which does not require additional configuration; you
only need to load it and deploy it. However, should you wish to build your own Linux
VM, this guide provides the steps for building the Linux image from scratch. See Linux
for more information.
Loading the Windows VMs on VMware Workstation 12
The following procedure outlines how to create Windows VMs on VMware Workstation 12.
To create a Windows VMs on VMware Workstation 12

1. Go to File > New Virtual Machine.
2. Click Custom, then click Next
3. Select Workstation 12 hardware compatibility.
4. Click Next, then select Installer disk image file (ISO).
5. Click Next, then specify the VM name according to the network topology diagram (i.e. Local-Windows and
Remote-Windows)
6. Accept all other default settings.
7. Click Finish to build the VM.
Loading the Fortinet VMs on VMware Workstation 12
The following procedure outlines how to create the FortiGate, FortiManager, and FortiAnalyzer VMs on VMware
Workstation 12.
To create FortiGate, FortiManager, and FortiAnalyzer VMs on VMware Workstation 12:

1. Go to File > Open.
2. Select the Open Virtualization Format file format.
3. Select the file name FortiGate-VM.ovf.
4. Name the VM Local-FortiGate.
5. Repeat for each VM, naming the VMs according to the diagram
l Remote-FortiGate
l FortiManager
Loading the Prebuilt Linux Image Loading the VMs in VMware Workstation
l FortiAnalyzer
Loading the Prebuilt Linux Image
The following procedure outlines how to load the prebuilt Linux image on VMware Workstation 12.
To load the prebuild Linux image

3. Select prebuild image: Linux.ovf.
4. Name the VM Linux.
Loading the FIT VM
The FIT (Firewall Inspection Tester) VM includes a traffic generation tool used for the FortiAnalyzer labs. The VM
generates web browsing traffic, application control, botnet IP hits, malware URLs, and malware downloads.
This is only required if teaching the FortiAnalyzer 5.4.2 course.
The following procedure outlines how to load the FITVMimage on VMware Workstation 12.
To load the FIT VM image

3. Select prebuild image: FIT.ovf.
4. Name the VM FIT.
Configuring VMware Virtual Networking
Once you've loaded the VMs, you must configure their virtual network adapters to make the lab's required virtual
network topology.
Inside each students virtual lab, there are eight VMs:
l Local-Windows
l Remote-Windows
l Local-FortiGate
l Remote-FortiGate
l Linux
l FortiAnalyzer
l FortiManager
l FIT VM (traffic generator used for the FortiAnalyzer course)
The topology supports both HA and non-HA topology, which the students will switch between during the labs by
reconfiguring their VMs; no VMware reconfiguration is required.
The key to this flexible networking is the six LAN segments used in the current setup, plus the predefined
interfaces: vmnet0 and vmnet1.
l vmnet0 bridges the physical NIC which provides the default route to the Internet.
l vmnet1 is a host-only private network shared between the host and the guest systems.
By mapping the guest VMs virtual NICs to virtual LAN segments, you create the topology.
To configure VMWare virtual networking

1. Create one additional virtual NIC on each of your Windows VMs:
l Local-Windows: Add 1 more NIC (2 NICs total).
l Remote-Windows: Add 1 more NIC (2 NICs total).
2. Ensure that the prebuilt Linux VM has five NICs. If not, add the as many as needed to have five.
3. Create the LAN segments:
a. Right-click the Local-Windows VM and select Settings.
b. Select any of the two Network Adapters.
c. Click LAN Segments.
d. Click Add as many times as needed to create the six LAN segments:
e. Click OK twice to close the windows.

4. Map the LAN segments to each vNIC:
l For the Local-Windows VM, map these network adapters:
Network Adapter LAN Segment
1 (first) LAN3
2 Custom: VMnet1 (Host-only)
l For the Remote-Windows VM, map these network adapters:
1 LAN6
2 Custom: VMnet1 (Host-only)
l For both FortiGate VMs (Local-FortiGate and Remote-FortiGate), map the first seven network adapters:
1 LAN1
2 LAN2
3 LAN3
4 LAN4
5 LAN5
6 LAN6
7 LAN3
l For the FortiManager VM, map these network adapters:
1 LAN3
2 LAN1
l For the FortiAnalyzer VM, map these network adapters:
2 LAN3
4 LAN1
This actually maps FortiAnalyzer port1 to LAN3, as VMWare port2 corresponds to FortiAnalyzer port1. It
also maps port3 to LAN1, as VMWare port4 corresponds to FortiAnalyzer port3.
l For the Linux VM, map these network adapters:
1 VMnet0
2 LAN1
3 LAN2
4 LAN4
5 LAN5
l For the FIT VM, map these network adapters:
1 LAN3
Configuring the VMs
Before you deploy the VMs, you must first install the required software and files on your Windows VM. You must
also configure some initial settings on your Fortinet VMs so that they have network connectivity, and load their
VM license.
The prebuilt Linux VM provided with the Virtual Lab Setup resources is already
configured. The root password for the prebuilt VM is: password.
The prebuild FIT VM provided with the Virtual Lab Setup resources is already
configured.
Linux
If you choose not to use the prebuilt Linux VM provided with the Virtual Lab Setup resources, you can use the
instructions provided in this section to build your own, or use them to understand the configuration of the prebuilt
VM.
The root password for the prebuilt Linux VM is: password.
To configure networking
1. From the network configuration tools, configure the interface IP addressing.
eth0 = LAN0 = Management network
eth1 = LAN1 = 10.200.1.254/24
eth2 = LAN2 = 10.200.2.254/24
eth3 = LAN4 = 10.200.3.254/24
eth4 = LAN5 = 10.200.4.254/24
2. Activate the network adaptors.
3. Enable routing and add iptables NAT policy:
vi /etc/sysctl.conf and set net.ipv4.ip_forward = 1
4. Enter the following command to reload the sysctl configuration:
sysctl -p /etc/sysctl.conf
5. Clear the existing iptables rules:
iptables F
iptables t nat F
6. Add a single NAT rule to NAT all outing packets with the address obtained by DHCP on eth0:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
7. Check that the NAT rule is there:
iptables t nat L
service iptables save
(or # /sbin/service iptables save.)
8. In order to be able to clone the image, edit the following files:
/etc/sysconfig/network-scripts/ifcfg-eth0
Linux
In each of these files, find a line that says HWADDR=mac-address-here and delete the whole HWADDR
line.
To install HTTP and FTP services

1. Enter the following commands:
yum install httpd
chkconfig --levels 345 httpd on
yum install vsftpd

chkconfig --levels 345 vsftpd on
touch /var/ftp/pub/test.text
To configure FTP service

1. Disable security-enhanced Linux (SELinux):
setenforce 0
2. Edit the file:
/etc/selinux/config
and change the SELINUX setting to disabled:

SELINUX=disabled
3. Create two VSFTPd configuration files based on the default one:
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd-222.conf
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd-21.conf
4. Delete the default configuration file:
rm /etc/vsftpd/vsftpd.conf
5. Edit the configuration file vsftpd-222.conf and add the following lines at the end of the file:
port_enable=YES
port_promiscuous=YES
pasv_enable=NO
listen_port=222
listen_address=10.200.3.254
6. Edit the configuration file vsftpd-21.conf and add the following line at the end of the file:
listen_address=10.200.1.254
7. Restart the FTP server:
Linux
/sbin/service vsftpd restart
To configure Syslog
1. The syslog package should already be installed. Enable remote logging on the service:
vi /etc/sysconfig/syslog and add -r to the SYSLOG OPTIONS
2. Add the following line to the syslog.conf:
local6.* /var/log/fortinet
3. Restart syslog:
/sbin/service syslog restart
4. Check the service is listening:
netstat anp | grep 514
5. Configure SNMP-Utils:
yum install net-snmp-utils
To configure email
1. Enter the following commands:
yum install dovecot postfix

yum remove sendmail
2. Edit /etc/dovecot.conf to have the line:
protocols = imap imaps pop3 pop3s
3. Make that change operational for the current session by running the command:
/sbin/service dovecot restart
4. Make that change operational after the next reboot by running the command:
chkconfig dovecot on
5. Edit the /etc/postfix/main.cf file using vi.

l Uncomment :
mydomain = domain.tld
and replace domain.tld with the domain training.lab:

mydomain = training.lab
l Uncomment:
Linux
myorigin = $mydomain
l Uncomment:
myhostname = host.domain.tld
replace host.domain.tld with the hostname linux.training.lab:

myhostname = linux.training.lab
l Uncomment :
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
l Comment (add a # at the beginning):

# mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
l Uncomment:
mynetworks = 168.100.189.0/28
replace 168.100.189.0/28 with 10.0.0.0/8, 127.0.0.0/8

mynetworks = 10.0.0.0/8, 127.0.0.0/8
l Uncomment:
inet_interfaces = all
l Comment:
inet_interfaces = localhost line.
6. Restart the postfix service:
/sbin/service postfix restart
To configure OpenSSL
1. From the /root directory:
mkdir ssl
cd ssl
mkdir certs
mkdir newcerts
mkdir requests
mkdir keys
touch index.txt
touch serial
echo 01 > serial
cp /etc/pki/tls/openssl.cnf
2. Edit file /root/ssl/openssl.cnf and set:

dir = /root/ssl,
search for the [v3_ca ] section and uncomment:

keyUsage = cRLSign, keyCertSign
Linux
To configure accounts
1. Open a terminal and type:
system-config-users
2. In the User Manager dialog box, click Add User and add the following accounts:
User Password
admin fortinet1
student fortinet1
FortiGate fortinet1
To download the EICAR file

1. From the Linux GUI open Mozilla Firefox browser.
2. Navigate to http://eicar.org.
3. Download the eicar.com antivirus test file.
4. Store the file in /var/ftp/pub.
To configure a webpage to upload files

1. Go to /var/www/html.
2. Right click and click Create Document > Empty File.
3. Name it result.html.
4. Right-click and select Open with "Text Editor".
5. Copy and paste the html syntax as below:
<html>
<head>
<title> Result from upload </title>
</head>
<body>
File Upload Processed!
</body>
</html>
6. Click Save.
7. Click Close.
8. Still in /var/www/html, right-click and selec Create Document > Empty File.
9. Name it fileupload.html.
10. Right click and click Open with "Text Editor".
11. Copy and paste the html syntax as below:
<html>
<head>
<title> Test for file upload DLP Lab </title>
</head>
Linux
<body>
<font face='Comic Sans MS'>
<h1> DLP Upload Test Page</h1>
<h2>In order to test the DLP Sensor either upload a file or type in the text to be
blocked into the text area and press submit, if the post would have been successful
you will see a upload processed page</h2><br>
<h4>File Upload</h4>
<form action='result.html' method='post' enctype='multipart/form-data'>
<input type='file' name='TestFile'/><br>
<input type='submit' value='Submit the file'><br>
</form>
<h4>Text Input</h4>
<form action='result.html' method='post' enctype='multipart/form-data'>
<input type='textarea' name='TestArea'/><br>
<input type='submit' value='Submit the TextArea'><br>
</form>
</font>
</body>
</html>
12. Click Save.

13. Click Close.
Installing Nikto
For the FortiAnalyzer 5.4.2 training, Nikto is installed on the Linux VM and the FortiAnalyzer labs run this Nikto
instance. For the FortiGate 5.4.1 training, Nikto is installed on Local-Windows and the FortiGate labs run this
Nikto instance. Nikto runs much faster on Linux and this is required for the FortiAnalyzer training.
Accordingly, if you are teaching the FortiAnalyzer course, install Nikto on the Linux VM. If you are not teaching
FortiAnalyzer, then you only need to install Nikto on Local-Windows.
To install Nikto on the Linux VM for the FortiAnalyzer training

1. Download and install Nikto version 2.1.5 from the official website: http://www.cirt.net/nikto2.
Download the package in the gz format.
For example:
# wget https://cirt.net/nikto/nikto-2.1.5.tar.gz
2. Extract the package using the following command:
tar -zxvf nikto-2.1.5.tar.gz
3. Move the extracted Nikto package to /usr/local/bin:
cd ~
sudo cp -apvf nikto-2.1.5/* /usr/local/bin/
Linux
ls -l /usr/local/bin/
sudo vim /usr/local/bin/nikto-2.1.5/nikto.conf
4. Create a symlink for the conf file to /etc and then make the Nikto script executable using chmod:
sudo ln -s /usr/local/bin/nikto.conf /etc/nikto.conf

ls -l /etc/nikto.conf
sudo chmod 755 /usr/local/bin/nikto.pl
ls -l /usr/local/bin/nikto.pl
5. Update the Nikto database packages:
/usr/local/bin/nikto.pl -update
Local-FortiGate
The following procedure outlines how to configure the network interfaces on Local-FortiGate.
To configure network interfaces on Local-FortiGate

1. Start the Local-FortiGate VM and open the VM console.
2. Enter:
exec formatlogdisk
This formats the virtual disk, which is required to store data such as local reports or logs. The device will
reboot after the format is complete.
3. Enter this configuration to configure the network interfaces:
config system interface

edit port1
set ip 10.200.1.1 255.255.255.0
set allowaccess http
next
edit port3
set ip 10.0.1.254 255.255.255.0
set allowaccess http
next
end
config router static
edit 1
set gateway 10.200.1.254
set device port1
next
end
config firewall policy
edit 1
set srcintf port3
set dstintf port1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
set nat enable
next
end
Local-Windows
The Local-Windows VM is used as the student's network management computer in the lab. Students will
initiate most client network connections from it, and administer Fortinet VMs.
To perform initial setup

1. On this VM, verify that the correct local time and time zone is set, and that the screen has a resolution of at least
1280x1024. (This ensures proper display of the FortiOS GUI.)
2. Change the administrator account password to password. (Disable password complexity check if required.)
3. Configure the IPv4 network settings for LAN3:
l IP address: 10.0.1.10
l Netmask: 255.255.255.0
l Default gateway: 10.0.1.254
l DNS: 10.0.1.254
4. Configure the IPv6 network settings for LAN3:
l Obtain an IPv6 address automatically
l Obtain DNS server address automatically
5. Install the following software:
l Firefox
l PuTTY
l ActivePerl
l Nikto
l Thunderbird
l FileZilla
l Wireshark
l Adobe Reader
l Adobe Flash
l Notepad++
l Java
6. VMnet1 is your guest access network. When editing this network adapter, choose a unique address. Do not
configure a gateway.
7. Open Windows Firewall and disable Windows Firewall in all the network types.
To install AD, Web, and DNS Services

1. Open Server Manager and select Add roles and features.
2. Click Next.
3. Select Role-based or feature-based installation.
4. Click Next.
5. Select the server with the IP address 10.0.1.10.
Local-Windows
6. Click Next.
7. On the Server Roles screen, select Active Directory Domain Services, DNS Server, and Web Server
(ISS). Add all the features for those three roles.
8. Click Next.
9. Click Next until you get the Confirmation screen.
10. Click Install. Wait until the installation finishes.
11. From the Server Manager, click the flag icon with the exclamation point and select Promote this server to a
domain controller:
12. Select Add a new forest.

13. Type trainingAD.training.lab as the domain name.
14. Click Next.
15. Type any DSRM password and click Next.
16. Omit the DNS warning and click Next.
17. Accept all the remaining default values and click Next until you get the Prerequisites Check screen.
18. Click Install. Wait until the installation finishes.
Creating users in Active Directory

The following procedure outlines how to create two active directory users in the Users container: Student and
ADadmin.
To create the Student user

1. Open Active Directory Users and Computer.
2. Expand the trainingAD.training.lab tree.
3. Right click the Users container. Select to New > User.
4. Create the user student for the class, with password password. Disable User must change password at
next logon and enable Password never expires.
To create the ADadmin user

2. Expand the trainingAD.training.lab tree.
3. Right click the Users container. Select to New > User.
Local-Windows
4. Create user ADadmin for the class, with password Training!. Disable User must change password at next
logon and enable Password never expires.
To create the Training Organizational Unit and additional users

2. Right-click trainingAD.training.lab from the tree.
3. Select New > Organizational Unit.
4. Name the organizational unit Training.
5. Right-click Training from the tree and select New > User.
6. Create the following user:
7. Type Training! as the password. Disable User must change password at next logon and enable
Password never expires.
8. Repeat the process to create another two users in the Training organizational unit (same settings and password):
l aduser2
l FAZadmin
To create an Active Directory group

2. Expand the trainingAD.training.lab tree and right click the Training container.
3. Select New > Group.
4. Create a new security group called AD-users.
5. Click OK.
Local-Windows
6. Double-click the AD-user group from the right pane.

7. Select the Members tab and add aduser1 and aduser2.
8. Click OK.
To install Remote Desktop Services

1. Open the Server Manager.
2. Select Add roles and features.
3. Select Role-based or feature-based installation.
4. Select the server 10.0.1.10.
5. Select Remote Desktop Services.
6. Click Next three times.
7. For the Role Service, select Remote Desktop Session Host.
Local-Windows
8. Click Next.
9. Confirm the installation and reboot the VM after the installation finishes.
To enable Remote Desktop access to the Student user

2. Go to Active Directory Users and Computers > trainingAD.training.lab > Users.
3. Right-click the user student and select Add to a group.
4. Add the student user to the Remote Desktop Users group.
5. Go to the Start menu and right-click This PC. Select Properties.
6. Click Remote Settings.
7. Select Allow remote connections to this computer.
8. Clear the Allow connections only from computers running checkbox.
9. Click Apply.
To configure Thunderbird
1. Open Mozilla Thunderbird and click the three bars icon in the upper right of the application.
2. Select Options > Account Settings.
3. Select Outgoing Server (SMTP) and click Add. Configure the following settings:
Setting Value
Server Name 10.200.1.254
Port 25
Connection security None
Local-Windows
Setting Value
Authentication Method Password, transmitted insecurely
Username student
4. Click OK.
5. From the bottom of the left menu of the Account Settings dialog, click Account Actions > Add Mail
Account.
6. Add the following account:
Your name admin
Email address admin@training.lab
Password fortinet1
7. Click Continue.
8. Add the following incoming and outgoing server settings:
9. Click Done. Accept the certificate exception.

10. Select Account Actions > Add Mail Account again to create a second user.
11. Add the second account:
Your name student
Email address student@training.lab
Password fortinet1
12. Click Continue.

13. Add the following incoming and outgoing server settings:
14. Click Done.
To configure FileZilla
1. Open FileZilla.
2. Click on the upper left icon to open the site manager.
3. Add this site and name it FTPsite:
Local-Windows
l Host: 10.200.3.254
l Port: 222
l Protocol: FTP
l Encryption: Use plain FTP
l Logon type: Anonymous
Before saving the site, click on the Transfer Settings tab and select Active as the transfer mode.
4. Add this second site and name it Linux:

l Host: 10.200.1.254
l Port: Leave it empty
l Protocol: FTP
l Encryption: Use plain FTP
l Logon type: Anonymous
Before saving the site, click on the Transfer Settings tab and select Default as the transfer mode.
Configuring SMB file share

The Local-Window machine requires adding SMB file share.
To create share folder

1. Open File Explorer.
2. Go to C drive.
3. Create new folder with name of DLPshare.
To add the file share

1. Go to Server Manager > File and Storage Services.
2. Click Shares.
3. From the TASKS dropdown menu, New Share.
A wizard opens.
4. Select SMB Share-Quick.

5. Click Next.
6. Select Type a custom path.
7. Click Browse and select dlpshare folder.
8. Click Select Folder.
9. Click Next until you get to Permissions screen. On the Permissions screen, make sure
BUILTIN\Administrators have full access.
Local-Windows
10. Click Next.

11. Click Create.
12. Click Close on View Result screen.
To disable HSTS in Firefox

1. Open Firefox.
2. Open the about:config page.
3. Right click New > Integer, add an item named test.currentTimeOffsetSeconds and value 11491200, confirm.
4. Clear the cache.
To disable certificate pinning

1. Open Firefox.
2. Open the about:config page.
3. Search security.cert_pinning.enforcement_level.
4. Edit and change value to 0.
5. Clear the cache.
To create bookmarks in PuTTY

1. Open PuTTY.
2. Complete the following:
Host Name (or IP address field) 10.0.1.254.
Saved Sessions LOCAL-FORTIGATE
3. Click Save.
4. Repeat steps 2 and 3 for the following VMs:
Host Name (or IP address field) 10.200.3.1
Saved Sessions REMOTE-FORTIGATE
Local-Windows
Saved Sessions FORTIANALYZER
Saved Sessions FORTIMANAGER
Saved Sessions LINUX
Saved Sessions FIT
To install the CA certificates in Firefox

1. From Local-Windows, open Firefox and connect HTTP to Local-FortiGate.
2. Go to System > Certificates.
3. Select the certificate Fortinet_CA_SSL and click Download.
4. Click Open menu in Firefox and select Options.
Local-Windows
5. Go to Advanced > Certificates and click View Certificates.

6. Select the Authorities tab
7. Click Import and select the Fortinet_CA_SSL certificate.
8. Enable the three options:
l Trust this CA to identify websites.
l Trust this CA to identify email users.
l Trust this CA to identify software developers.
4. Click OK.
To install additional files

1. After that, copy the Resources folder that comes with the Lab Setup ZIP file to the desktop.
2. Copy the Perl script to convert FortiGate sniffer capture to PCAP to the Active Perl bin folder:
c:\Perl64\bin
3. Add shortcuts to the Windows task bar and desktop for the following applications: File Explorer, Firefox, PuTTY,
command prompt, Notepad++, Windows Remote Desktop Connection, and FileZilla.
4. Add the following paths to the Path System variable:
C:\Users\Administrator\Desktop\Resources\FortiGate-II\IPS\nikto-2.1.5
C:\Program Files (x86)\GnuWin32\bin
C:\Users\Administrator\Desktop\Resources\FortiGate-I\Logging
C:\Users\Administrator\Desktop\Resources\FortiGate-II\IPv6
5. Open Mozilla and add the following four bookmarks to the bookmarks toolbar:
l Local-FortiGate: http://10.0.1.254
l Remote-FortiGate: http://10.200.3.1
l FortiManager: https://10.0.1.241
l FortiAnalyzer: https://10.0.1.210
FortiManager
Even though FortiManager is not the focus of FortiAnalyzer and FortiGate courses, it is required for the lab setup
due to the use of closed network mode. More information about the FortiManager closed network mode can be
found in this document:
http://docs.fortinet.com/uploaded/files/2153/LicensingIsolatedFortiGates.pdf
Requesting closed network entitlement files

After you have purchased VM licenses and registered them on https://support.fortinet.com, you must request
closed network entitlement files. These files are required for manually uploading FortiGate license validation
information to FortiManager in close network mode.
To request closed network entitlement files

1. On the Fortinet Technical Support web site (https://support.fortinet.com/) create a ticket with Fortinet Technical
Support by going to Assistance > Create Ticket > Customer Service > Submit Ticket.
2. Enter the Serial Number. Under Category, select CS Contact/License.
3. In the Comment field, ask for an entitlement file for your FortiGate VMs. Provide the serial number and license
number. If you don't remember them, you can find them in Asset > Manage View Products > <Select
product>.
Example:
Serial Number: FGVM010000024628
License Number: FGVM0035444
Alternatively, as with registration, you can attach a spreadsheet that contains serial
and license numbers if you want to ask for entitlement files for two or more FortiGate
VMs at the same time. Fortinet Technical Support will provide one entitlement file that
contains validation information for all of your FortiGate VMs. All FortiGate VMs must
be registered with the same account;devices registered under different accounts
cannot be combined into the same entitlement file.
Within a day or two, you should receive an entitlement file from customer service.
To configure the FortiManager initial settings

1. Start the FortiManager and open the VM console. From the console make the following changes:

edit port1
set ip 10.0.1.241 255.255.255.0
set allowaccess http https ssh ping telnet
next
end
2. Connect to the GUI from the Local-Windows VM and restore the FMG-5.4.2-initial.dat file from the folder
Resources/FortiManager/initial-config.
FortiManager
3. Upload a valid FortiManager VM license.
To configure FortiManager as a local FDN server

1. Log into the FortiManager GUI and click FortiGuard.
2. From the left menu, click Advanced Settings.
3. Turn on Enable Communication with FortiGuard Server and click Apply.
4. Turn on Enable AntiVirus and IPS Service and enable FortiGate 5.4 and FortiAnalyzer 5.4.
5. Turn on the following services:

l Enable Web Filter Service
l Enable Email Filter Service
7. Click Apply.
8. Wait until FortiManager has downloaded and synchronized all the service packages and updates. This could take
several hours.
If you previously built your environment for the FortiGate 5.4.1 course and are now
updating your environment for the FortiAnalyzer and FortiManager 5.4.2 courses, you
must re-download all the service packages and updates again.
9. Check the status of the updates through the following CLI commands:
# diagnose fmupdate update-status fds

# diagnose fmupdate update-status fgd
FortiManager
Once complete, the upullStat should say Synced. Note that it will sync after every package
FortiManager downloads, so you can run these commands multiple times to verify the status. It should take
several hours to complete.
If you do not see any progress in the downloads, for example, the UpullStat
remains in the Connected state, you can manually trigger the update through the
following commands:
# diagnose fmupdate updatenow fds
# diagnose fmupdate updatenow fdg
10. Once complete, the file size for web filtering (FURL) and email filter (SPAM00x) under Query Server
Management > Receive Status should be approximately as they appear in this screenshot:
12. After the FortiGuard packages and updates are synchronized, click Advanced Settings and turn off Enable
Communication with FortiGuard Server.
13. Click Apply.
To upload the entitlement files to FortiManager

1. Log into the FortiManager GUI and click FortiGuard.
2. From the left menu, click Advanced Settings.
3. From the Upload Options for FortiGate/FortiMail section, click Upload for Service License.
4. Upload the following, one at a time:
Click Apply after each file upload.
l Both FortiGate entitlement files

l The FortiAnalyzer IOC license file (only if you are teaching the FortiAnalyzer 5.4.2 training)
FortiAnalyzer
The following procedure outlines how to configure the FortiAnalyzer system settings.
To configure the FortiAnalyzer initial settings

1. Start FortiAnalyzer and open the VM console.
2. From the console make the following changes:

edit port1
set ip 10.0.1.210 255.255.255.0
set allowaccess http https ssh ping telnet
next
end
3. Connect to the GUI from the Local-Windows VM and restore the file from the folder
Resources/FortiAnalyzer/initial-config/FAZ-5.4.2-initial.dat
4. Upload the FortiAnalyzer VM license.
If you are teaching the FortiAnalyzer 5.4.2 course, you can confirm whether the IOC
license you uploaded to FortiManager is successfully being managed by
FortiManager by running the following command on FortiManager:
# diag fmupdate dbcontract
Under the FortiAnalyzer serial number, you should see a contract that starts with
PBDS. This is the IOC license.
Restoring the Local-FortiGate Initial Configuration and License
At this stage, you are ready to restore the Local-FortiGate initial configuration and license.
To restore the Local-FortiGate initial configuration and license

1. On the Local-Windows VM, open a web browser and connect to the FortiGate VM's GUI.
2. Upload the initial configuration file that's located in Resources/FortiGate-I/Introduction/local-
initial.conf.
3. After that, upload the VM license.
FortiGate should query FortiManager to validate its VM license and FortiGuard service contracts.
If the license status does not appear as Valid, run the following command:
# execute update-now
Remote-FortiGate
The following procedure outlines how to configure the network interfaces on Remotel-FortiGate.
To configure network interfaces on Remote-FortiGate

1. Start the Remote-Windows FortiGate VM and open the VM console.
2. Enter exec formatlogdisk to format the virtual disk, which is required to store data such as local reports or
logs. The device will reboot after the format is complete.
3. From the console, enter these commands:

edit port4
set ip 10.200.3.1 255.255.255.0
set allowaccess ping https ssh http fgfm
next
end
config router static
edit 1
set device port4
set gateway 10.200.3.254
next
end
4. Connect to the GUI from the Local-Windows VM and upload the remote-initial.conf file from the folder
Resources/FortiGate-I/Introduction.
5. Upload the VM license for this device.
FortiGate should validate the license against FortiManager. None of the FortiGuard services are required in
this FortiGate.
If the license status does not appear as Valid, run the following command:
# execute update-now
Remote-Windows
To configure initial settings

1. On this VM, verify that the correct local time and time zone is set, and that the screen has a resolution of at least
1280x1024 (this ensures proper display of the FortiOS GUI).
2. Configure the network settings for LAN6:
l IP address: 10.0.2.10
l Netmask: 255.255.255.0
l Default gateway: 10.0.2.254
l DNS: 10.0.2.254
3. VMnet1 is your guest access network. When editing this network adapter, chose a unique address and do not
configure a gateway on this adapter.
4. Open Windows Firewall and disable Windows Firewall in all the network types.
Installing the Microsoft patch for SSL VPN

For SSL VPN tunnel mode to work properly, it is required the installation of a Microsoft hotfix that solves a
Microsoft problem with the FortiSSL adapter.
To install the Microsoft patch for SSL VPN

1. Execute this command from the Remote-Windows command prompt:
bcdedit -set testsigning on
2. After that, install the hotfix file named:
Windows8.1-KB9089134-x64.exe
This file can be found compressed in the Lab Setup ZIP file.
If you get an error indicating that the hotfix has expired, change the Local-Windows system date to April 1,
2015 and try the installation again. After the installation, you can change it back to the right date.
Installing additional software

You must install the following software:
l Firefox
l PuTTY
l Wireshark
l Java
l Adobe Flash
l Notepad++
l FortiClient (install only the VPN module)
Remote-Windows
Once installed, add shortcuts to the Windows task bar and desktop for the following applications:
l File Explorer
l Firefox, PuTTY
l command prompt
l FortiClien.
Testing
Once you have all VMs installed, and have configured all LAN segments, host IP settings and virtual network
connections, test connectivity.
From Local-Windows server, test connectivity to:
10.0.1.254 LAN3 Local-FortiGate_port3
10.0.1.241 FortiManager
10.0.1.210 FortiAnalyzer
10.0.1.20 FIT (only if you are teaching the FortiAnalyzer 5.4.2 course)
From Local-FortiGate, test connectivity to:
10.0.1.10 LAN3 Local-Windows
10.200.1.254 LAN1 LINUX_eth1
10.200.2.254 LAN2 LINUX_eth2
4.2.2.2 To test IPforwarding and NAT on your Linux VM
From the Linux host, test connectivity to:
10.200.3.1 LAN4 Remote-FortiGate_port4
4.2.2.2 LAN0
From Remote-FortiGate, test connectivity to:
10.0.2.10 LAN6 Remote-Windows server
10.200.3.254 LAN4 LINUX_eth1
10.200.4.254 LAN5 LINUX_eth2
Testing
From Remote-Windows, test connectivity to:
From FortiAnalyzer, test connectivity to:
Creating Snapshots
Once you have completed and tested your configuration, save a snapshot of each VM. These snapshots are what
you will deploy for each student in the class.
You can also re-deploy these snapshots to revert a student's VM if their configuration is not working and they
need to quickly restore it to a functional state.
No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright 2017 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinets General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinets internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Nse4 Manual Fortinet

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Nse4 Manual Fortinet

Încărcat de

Drepturi de autor:

Formate disponibile

Virtual Lab Setup Guide

for FortiGate, FortiAnalyzer, and FortiManager 5.4

NETWORK SECURITY EXPERT PROGRAM (NSE)

Modifications needed Instructions

l FortiAnalyzer: Log into the FortiAnalyzer GUI at 10.0.1.210 (admin / blank

*Load the FIT VM for The image is provided in the Virtual-Lab-Setup-Files-FGT-FAZ-

*Configure virtual networking See Configuring VM Virtual Networking for instructions.

Modifications needed Instructions

Open FortiManager See To configure FortiManager as an FDN server for instructions.

Testing network connectivity See Testing for instructions.

Create new snapshots of all See Creating Snapshots for instructions.

l FortiGate I 5.4.1 (NSE4 preparation)

4 FortiCare contracts One for Local-FortiGate, Remote-FortiGate, FortiAnalyzer, and FortiManager

Additional files required for the labs

The following software is also required on the Windows VM.

PuTTY 0.67 http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Perl script for

Wireshark 2.0.3 https://www.wireshark.org/download.html

Nikto 2.1.5 http://www.cirt.net/nikto2

Notepad++ 6.9.1 https://notepad-plus-plus.org/download/v6.9.html

Adobe Reader https://get.adobe.com/reader/

Adobe Flash Player

GNU Wget 1.11.4 http://gnuwin32.sourceforge.net/packages/wget.htm

Each workstation running VMware Workstation requires:

The Virtual-Lab-Setup-Files-FGT-FAZ-FMG-5.4.zip package provides a

Loading the Windows VMs on VMware Workstation 12

To create a Windows VMs on VMware Workstation 12

Loading the Fortinet VMs on VMware Workstation 12

To create FortiGate, FortiManager, and FortiAnalyzer VMs on VMware Workstation 12:

Loading the Prebuilt Linux Image

To load the prebuild Linux image

Loading the FIT VM

This is only required if teaching the FortiAnalyzer 5.4.2 course.

To load the FIT VM image

Inside each students virtual lab, there are eight VMs:

To configure VMWare virtual networking

e. Click OK twice to close the windows.

Network Adapter LAN Segment

2 Custom: VMnet1 (Host-only)

l For the Remote-Windows VM, map these network adapters:

Network Adapter LAN Segment

2 Custom: VMnet1 (Host-only)

Network Adapter LAN Segment

Network Adapter LAN Segment

l For the FortiManager VM, map these network adapters:

Network Adapter LAN Segment

l For the FortiAnalyzer VM, map these network adapters:

Network Adapter LAN Segment

l For the Linux VM, map these network adapters:

Network Adapter LAN Segment

l For the FIT VM, map these network adapters:

Network Adapter LAN Segment

The root password for the prebuilt Linux VM is: password.

vi /etc/sysctl.conf and set net.ipv4.ip_forward = 1

4. Enter the following command to reload the sysctl configuration:

5. Clear the existing iptables rules:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

7. Check that the NAT rule is there:

(or # /sbin/service iptables save.)

8. In order to be able to clone the image, edit the following files:

To install HTTP and FTP services

yum install vsftpd

To configure FTP service