FortiGate Multi-Threat Security and Systems I Administration, Content Inspection and VPNs Student Guide
FortiGate Multi-Threat Security and Systems I Student Guide 1 June 2014 FGT1-500005-E-20140417
Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names may be trademarks of their respective owners. Copyright © 2002 - 2014 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents

VIRTUAL LAB BASICS  7
  Logging into the Virtual Lab  7
    Transferring files to the VM  12
    Using HTML instead of Java  12
    International keyboards  13
  Topology  14
  Troubleshooting Tips  14

MODULE 1  16
  Lab 1: Initial Setup and Configuration  16
    Objectives  16
    Time to Complete  16
    Exercise 1 (Optional) Configuring Network Interfaces on Student and Remote FortiGate Devices  17
    Exercise 2 Exploring the Command Line Interface  19
    Exercise 3 Restoring Configuration Devices  21
    Exercise 4 Performing Configuration Backups  23
  Lab 2: Administrative Access  24
    Objectives  24
    Time to Complete  24
    Exercise 1 Profiles and Administrators  25
    Exercise 2 Restricting Administrator Access  27

MODULE 2  28
  Lab 1: Status Monitor and Event Log  28
    Objectives  28
    Time to Complete  28
    Exercise 1 Exploring the GUI Status Monitor  29
    Exercise 2 Event Log and Logging Options  31
  Lab 2: Remote Monitoring  33
    Objectives  33
    Time to Complete  33
    Exercise 1 Remote Syslog Logging and SNMP Monitoring  34

MODULE 3  36
  Lab 1: Firewall Policy  36
    Objectives  36
    Time to Complete  36
    Exercise 1 Creating Firewall Objects and Rules  37
    Exercise 2 Policy Action  39
    Exercise 3 Configuring Virtual IP Access  40
    Exercise 4 Configuring IP Pools  43
  Lab 2: Traffic Log  45
    Objectives  45
    Time to Complete  45
    Exercise 1 Enabling Traffic Logging  46
  Lab 3: Device Policies  47
    Objectives  47
    Time to Complete  47
    Exercise 1 Enabling Device Identification  48

MODULE 4  52
  Lab 1: User Authentication  52
    Objectives  52
    Time to Complete  52
    Exercise 1 Identity-based Firewall Policy  53

MODULE 5  55
  Lab 1: SSL VPN  55
    Objectives  55
    Time to Complete  55
    Exercise 1 Configuring SSL VPN for Web Access  56
    Exercise 2 Configuring SSL VPN for Tunnel Mode  59

MODULE 6  62
  Lab 1: IPSec VPN  62
    Objectives  62
    Time to Complete  62
    Exercise 1 Site to Site IPsec VPN  63

MODULE 7  66
  Lab 1: Antivirus Scanning  66
    Objectives  66
    Time to Complete  66
    Exercise 1 Antivirus Testing  67

MODULE 8  70
  Lab 1: Email Filtering  70
    Objectives  70
    Time to Complete  70
    Exercise 1 Configuring FortiGuard AntiSpam  71

MODULE 9  73
  Lab 1: Web Filtering  73
    Lab Objectives  73
    Time to Complete  73
    Exercise 1 FortiGuard Web Filtering  74

MODULE 10  78
  Lab 1: Application Identification  78
    Objectives  78
    Time to Complete  78
    Exercise 1 Creating an Application Control List  79
  Lab 2: Traffic Shaping  81
    Objectives  81
    Time to Complete  81
    Exercise 1 Limiting YouTube Traffic  82
  Lab 3: Selective Application Control  83
    Objectives  83
    Time to Complete  83
    Exercise 1 Block Wikipedia Editing  84

APPENDIX A: ADDITIONAL RESOURCES  85
APPENDIX B: PRESENTATION SLIDES  86
  Module 1: Introduction to Fortinet Unified Threat Management  87
  Module 2: Logging and Monitoring  108
  Module 3: Firewall Policies  127
  Module 4: Firewall Authentication  158
  Module 5: SSL VPN  174
  Module 6: IPSec VPN  188
  Module 7: Antivirus  200
  Module 8: Email Filtering  222
  Module 9: Web Filtering  241
  Module 10: Application Control  258
Virtual Lab Basics Logging into the Virtual Lab
Virtual Lab Basics

In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

Note: If your trainer asks you to use a different laboratory, such as devices physically located in your classroom, please ignore this section. This is applicable only to the virtual lab accessed through the Internet. If you do not know which lab to use, please ask your trainer.

Logging into the Virtual Lab

1. Run the TrueLab System Checker. This will fully verify both:
   o compatibility of your computer with the virtual lab environment's software, and
   o that your computer can connect.
   It can also diagnose problems with the Java Virtual Machine, company firewall, or proxy server. Use the URL for your location:
   North America/South America: http://truelab.hatsize.com/syscheck
   Europe/Middle East/Africa: http://truelab.hatsize.com/syscheck/frankfurt/
   Asia/Pacific: http://truelab.hatsize.com/syscheck/singapore/
   If a security confirmation dialog appears, click Run. If your computer successfully connects to the virtual lab, the "Status" field will display "SUCCESS". Continue to the next step.
FortiGate Multi-Threat Security and Systems I
7
   If "FAILED" appears, read the messages to identify the problem. For help fixing problems, either click the link for the troubleshooter or ask your trainer.
2. With the user name and password that your trainer provides, log into the URL for the virtual lab. Either:
   https://remotelabs.training.fortinet.com/
   https://virtual.mclabs.com/
3. Select the time zone for your location, then click Update. This ensures that your class schedule is accurate.
4. Select a screen resolution for the virtual lab's Java applet, then click Open.
A list of virtual machines that exist in the virtual lab will appear. Your trainer can describe each of the virtual machines in the lab.
From this page, you can access the console of any of your virtual devices by either clicking on the device’s square, or selecting System > Open. 5. Click K1-Windows to open a connection to that server.
A new Java applet window should open within a few seconds. (By default, the web page uses Java to connect to each VM's console. If this fails, you may need to change your browser settings to allow Java to run on this web site.) Depending on the virtual machine, the applet provides access to either the GUI or a text-based CLI. Connections to Windows machines use a Remote Desktop-like GUI. The applet should automatically log in, then display the Windows desktop. For most lab exercises, you will connect to this VM.
Note: If your computer’s connection with the virtual Windows server times out or if you are accidentally disconnected, you can regain access by returning to your browser and opening the Java applet again.
Transferring files to the VM When using the Java applet to connect to a VM, you can drag-and-drop files from your computer to the VM. For example, if you have a FortiGate configuration file that you want to upload to your lab VM, you could create it on your computer, then drag it into the Java application window that is connected to the Windows VM. Typically the destination folder is C:\Uploads.
Using HTML instead of Java
By default, when you choose to open a VM, your browser will download and use a Java application to connect to the virtual lab's VM. This means that Java must be installed, updated, and enabled in your browser. Alternatively, you can use HTML5 instead. Click the Settings button, then disable Use Java. When connecting to a VM, your browser will then open a display in a new window or tab.
International keyboards If special characters in your preferred language don’t display correctly, keyboard mappings may not be correct. To solve this, you can copy and paste between your computer and the Java applet. Alternatively, you can use an on-screen keyboard. To do this, click the keyboard icon at the top of the applet window.
Topology
The network diagram below shows the configuration of your virtual environment. Each student's lab contains:
o Windows 2003 Server
o 2 FortiGate devices
o Windows XP
o Linux Server
Troubleshooting Tips

o Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection, including VPN tunnels or wireless such as 3G or WiFi. For best performance, use a stable broadband connection such as a LAN.
o Do not disable or block Java applets. On Mac OS X, since early 2014, to improve security, Java has been disabled by default. In your browser, you must allow Java for this web site. On Windows, if the Java applet is allowed and successfully downloads, but does not appear to launch, you can open the Java console while troubleshooting. To do this, open the Control Panel, click Java, and change the Java console setting to Show console. Network firewalls can also block Java executables. Note: JavaScript is not the same as Java.
o Prepare your computer's settings:
  o Disable screen savers
  o Change the power saving scheme so that your computer is always on, and does not go to sleep or hibernate
o If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal), please attempt to reconnect. If unable to reconnect, please notify the instructor.
o If during the labs, particularly when reloading configuration files, you see a message similar to the one shown below, the VM is waiting for a response from the authentication server.
To retry immediately, go to the console and enter the CLI command: exec update-now
Module 1 Lab 1: Initial Setup and Configuration
Lab 1: Initial Setup and Configuration
This first lab provides an initial orientation to the CLI and administrative GUI and guides the student through the basic setup of a FortiGate. It demonstrates how to properly back up and restore a configuration file, as well as how to manage administrative access to a FortiGate unit.

If during the labs, particularly when reloading configuration files, you see a message similar to the one shown below, go to the console and enter the CLI command execute update-now.

This message indicates that the FortiGate VM is waiting for a response from the authentication server. The execute update-now command resends the request immediately instead of waiting for the next scheduled retry.
Objectives
o Distinguish between an encrypted and non-encrypted configuration file
o Describe how to back up and restore configuration files
o Recognize model and build information inside a configuration file
Time to Complete Estimated: 15 minutes
Exercise 1 (Optional) Configuring Network Interfaces on Student and Remote FortiGate Devices

The steps below only need to be performed if your virtual lab set-up has been started from a blank FortiGate image. Before proceeding, please check with your Instructor to confirm whether these steps are required for your particular classroom lab configuration.

1. Connect to the console of the Student FortiGate device and at the login screen, enter the default username of admin (all lowercase) and leave the password blank. To access the Student FortiGate device using the GUI, you must first modify the port3 interface settings by executing the following CLI commands:
   config system interface
       edit port3
           set ip 10.0.1.254/24
           set allowaccess http
       end
   You have now configured the port3 interface with an IP address and device access settings. Note that set allowaccess replaces the interface's whole access list rather than adding to it, and that http enables unencrypted HTTP management; it is enabled here only because the lab GUI is reached over plain HTTP. On a production unit, allow https (and ssh) instead and leave http and telnet disabled.
2. Enter the following command to check your configuration:
   show system interface
3. Open a web browser and enter the following URL to access the GUI for the Student FortiGate:
   http://10.0.1.254
4. If a security warning appears, accept the FortiGate unit's self-signed certificate or add a security exemption. HTTPS is the recommended protocol for administrative access to the FortiGate unit. Other available protocols include SSH, PING, SNMP, HTTP and Telnet.
   Note: To access the FortiGate GUI using a standard web browser, cookies and JavaScript must be enabled for proper rendering and display of the graphical user interface.
   The login page of the Student FortiGate device should now be displayed. Please do not log in at this point. You will have the opportunity to explore the FortiGate unit's GUI in a later exercise. If you are not presented with a login page, check with your Instructor before proceeding.
5. Connect to the console of the Remote FortiGate device and at the login screen, enter the default username of admin (all lowercase) and leave the password blank.
6. Enter the following CLI commands to set the port4 IP address and access control settings for your device:
   config system interface
       edit port4
           set ip 10.200.3.1/24
           set allowaccess http ping
       end
7. Next, check the route configuration by executing the following command:
   show router static
   If there is no static route configured on port4, execute the commands shown below to set this static route. (Routing will be explained in more detail in a later section.) edit 0 creates a new route entry with the next free ID.
   config router static
       edit 0
           set device port4
           set gateway 10.200.3.254
       end
8. You can enter the following commands to check your configuration:
   show system interface
   show router static
   At this stage, you will not be able to connect to the remote FortiGate device until you have configured your student FortiGate device with routing information and a firewall policy to allow that management traffic. This configuration will be added later.
Exercise 2 Exploring the Command Line Interface

In this exercise, students will be introduced to the FortiGate command line interface (CLI).

1. Connect to the console of the Student FortiGate device and at the login screen enter the default username of admin (all lowercase) and no password.
2. Type the following command to display status information about the FortiGate unit:
   get system status
   The output displays the FortiGate unit serial number, firmware build, operational mode, and additional settings.
3. Confirm that the firmware build is the correct version for this class.
4. Type the following command to see a full list of accepted objects for the get command:
   get ?
   Note: The ? character is not displayed on the screen. At the --More-- prompt in the CLI, press the spacebar to continue scrolling a page at a time, or Enter to scroll one line at a time. Press Q to exit. Depending on the objects and branches used with this command, there may be other sub-keywords and additional parameters to enter.
5. Press the up arrow key to display the previous get system status command and try some of the control key sequences summarized below.
   up arrow, or CTRL+P    Previous command
   down arrow, or CTRL+N  Next command
   CTRL+A                 Beginning of line
   CTRL+E                 End of line
   CTRL+B                 Back one word
   CTRL+F                 Forward one word
   CTRL+D                 Delete current character
   CTRL+L                 Clear screen
   CTRL+C                 Abort command and exit branch
   CTRL+C is context sensitive and in general aborts the current command and moves up to the previous command branch level. If already at the root branch level, CTRL+C will force a logout of the current session and another login will be required.
6. Type the following command and press the Tab key 2 or 3 times:
   execute
   Each press of the Tab key displays the next available system utility command.
7. Type the following command to see the entire list of execute commands:
   execute ?
8. Enter the following CLI commands and compare the available keywords for each one:
   config ?
   show ?
   config enters configuration mode, while show displays the configuration. The keyword lists are identical except that show also offers full-configuration: by default, show displays only the settings that differ from the factory-default configuration, whereas show full-configuration displays every setting, defaults included.
9. Enter the CLI commands shown below to display the configuration settings of the FortiGate unit's port3 (internal) interface and compare the output of each. CLI commands can be entered in abbreviated form as long as enough characters are entered to ensure the uniqueness of each keyword, optionally followed by the Tab key to complete it; for example, show system interface port3 can be typed as sh sys int port3. Use this technique to reduce the number of keystrokes needed.
   show system interface port3
   show full-configuration system interface port3
Exercise 3 Restoring Configuration Devices

From the Windows Server, you first need to connect to the student FortiGate device and restore the configuration file needed to complete the upcoming exercises.

1. Open a web browser and connect to the following URL to access the GUI on the student FortiGate device:
   http://fgt.student.lab
2. Go to System > Dashboard > Status. Under System Information, click Restore.
3. Browse the Desktop and navigate to the Resources > Module1 > Student folder. Select the file student-initial.conf and click Restore. Restoring replaces the running configuration in full, including administrator accounts and passwords, so make sure the file is the intended one. After restoring the configuration, the FortiGate will automatically reboot. The length of the boot process depends on how complex the configuration is: the more complicated the configuration, the longer it takes to parse it and complete the boot. Most configurations take less than 1 minute to complete the reboot.
4. Reconnect to the GUI on the student FortiGate device and verify the restored configuration. Go to System > Network > Interface and check your network interfaces. Go to Router > Static > Static Route and check your default route.
5. Next, perform the following steps on the student FortiGate to verify the DNS configuration settings for the student and remote FortiGate devices. These DNS settings have been added to simplify access to the lab devices. Go to System > Network > DNS Server and review the student and remote DNS zones. In the student DNS zone, verify the IPv4 Address (A) records and Pointer (PTR) records for the student FortiGate device (10.0.1.254) and the Windows Server (10.0.1.10). In the remote DNS zone, check the A and PTR records for the Remote FortiGate device (10.200.3.1) and the Windows host (10.0.2.10).
6. From a command prompt on the virtual Windows Server, execute the following commands to verify the DNS lookup functionality. DNS requests are sent to port3, and recursive DNS requests are allowed on this interface. (Allowing recursion makes the FortiGate a resolver for every host that can reach that interface; here that is confined to the lab's port3 network.)
   nslookup server.student.lab 10.0.1.254
   nslookup fgt.student.lab 10.0.1.254
   nslookup pc.remote.lab 10.0.1.254
   nslookup fgt.remote.lab 10.0.1.254
   Note: The syntax of the nslookup command is: nslookup [-option] [hostname] [server]
7. In a web browser on the virtual Windows Server, connect to the following web pages to verify that the GUI of the student and remote FortiGate devices can be accessed using their DNS hostnames:
   http://fgt.student.lab
   http://fgt.remote.lab
Exercise 4 Performing Configuration Backups

1. Connect to the GUI on the student FortiGate device by accessing the URL:
   https://fgt.student.lab
2. Go to System > Dashboard > Status and under System Information, click Backup.
3. Select Encrypt configuration file and enter the password: fortinet. Click Backup and save the encrypted configuration file to the Desktop with the filename student-initial-enc.conf. (You may need to modify the web browser's settings to prompt for the location to save files. For Firefox, go to Tools > Options > General and select Always ask me where to save files.)
   Caution: When backing up the FortiGate unit's configuration, use a naming convention that you understand and that identifies both the date and the device. Every time that you log in and make changes to your device (even if the change seems minor or insignificant), you should ALWAYS make a backup of the configuration file. This is the best protection against problems. Treat backups as sensitive: an unencrypted configuration file contains administrator password hashes and other credentials, and an encrypted one can only be restored with the password chosen here, so store that password where it will not be lost.
4. Next, try restoring the encrypted configuration file. Browse the Desktop, navigate to the file student-initial-enc.conf and click Restore. This time you will need to enter the password fortinet, as this file is encrypted.
5. Using WordPad or Notepad++, open the file student-initial.conf. In another instance of WordPad, open the file student-initial-enc.conf and compare the two.
   Note: In both the normal and the encrypted configuration file, the top of the file acts as a header describing the firmware and model that the configuration belongs to; only the body of the encrypted file is unreadable.
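Exercise 1 (interface access settings and static routes) and the backup headers compared in this exercise can both be checked offline from a saved configuration file. The following Python script is an added example written for this guide, not Fortinet code: it reads a backup, reports the model and firmware build from the header, tells an encrypted backup from a plaintext one, and, for a plaintext file, lists interfaces whose allowaccess includes an unencrypted management protocol (http or telnet) and verifies that each static route's gateway lies on the subnet of its egress interface. The two sample backups embedded in it are constructed for the example, and the exact #config-version header syntax it parses is an assumption; check it against a real backup from your own unit before relying on the header fields.

```python
import ipaddress
import re
import shlex

# Assumed header syntax; the header stays readable in both plain and encrypted backups.
HEADER_RE = re.compile(r"#config-version=(?P<model>[A-Z0-9]+)-(?P<version>[\d.]+)"
                       r"-FW-build(?P<build>\d+)-\d+:.*:user=(?P<user>\S+)")
PLAINTEXT_PROTOCOLS = {"http", "telnet"}  # management protocols that carry no encryption

# Constructed plaintext backup shaped like the lab's student FortiGate. Route 2 is a
# deliberate misconfiguration: its gateway is not on port3's subnet.
PLAIN_CONFIG = """\
#config-version=FGVM64-5.2.0-FW-build589-140613:opmode=0:vdom=0:user=admin
config system interface
    edit "port3"
        set ip 10.0.1.254 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "port4"
        set ip 10.200.3.1 255.255.255.0
        set allowaccess ping http
    next
end
config router static
    edit 1
        set gateway 10.200.3.254
        set device "port4"
    next
    edit 2
        set gateway 10.200.3.254
        set device "port3"
    next
end
""".encode()
# Constructed encrypted backup: the same header line followed by non-text bytes.
ENCRYPTED_CONFIG = (PLAIN_CONFIG.split(b"\n", 1)[0] + b"\n"
                    + bytes([0x00, 0xFF, 0xFE, 0x8B, 0x12, 0xC3, 0x28, 0x77]))


def parse_header(data):
    """Model/version/build/user from the leading '#' lines, plus an 'encrypted' flag."""
    lines = data.split(b"\n")
    n = next((i for i, line in enumerate(lines) if not line.startswith(b"#")), len(lines))
    matches = (HEADER_RE.match(line.decode("ascii", "replace")) for line in lines[:n])
    match = next(filter(None, matches), None)
    if match is None:
        raise ValueError("no #config-version header: not a FortiGate backup")
    info = match.groupdict()
    try:
        body = b"\n".join(lines[n:]).decode("utf-8")
    except UnicodeDecodeError:  # an encrypted payload is not valid text
        body = ""
    info["encrypted"] = not body.lstrip().startswith("config ")
    info["body"] = None if info["encrypted"] else body
    return info


def parse_blocks(text):
    """Parse config/edit/set/next/end lines into {section: {entry: {key: [values]}}}.
    Blocks nested inside an entry are skipped; the checks below do not need them."""
    sections, stack, section, entry = {}, [], None, ""
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
            if len(stack) == 1:
                section, entry = stack[0], ""
                sections.setdefault(section, {})
        elif tokens[0] == "end":
            stack.pop()
        elif len(stack) != 1:
            continue  # inside a nested sub-block
        elif tokens[0] == "edit":
            entry = tokens[1]
        elif tokens[0] == "next":
            entry = ""
        elif tokens[0] == "set":
            sections[section].setdefault(entry, {})[tokens[1]] = tokens[2:]
    return sections


def interface_network(attrs):
    """Subnet from 'set ip A MASK' (backup-file form) or 'set ip A/NN' (CLI form)."""
    ip = attrs.get("ip")
    return ipaddress.ip_interface("/".join(ip)).network if ip else None


def plaintext_admin_access(cfg):
    """Interfaces whose allowaccess list includes an unencrypted management protocol."""
    findings = {}
    for name, attrs in cfg.get("system interface", {}).items():
        exposed = sorted(PLAINTEXT_PROTOCOLS & set(attrs.get("allowaccess", [])))
        if exposed:
            findings[name] = exposed
    return findings


def check_static_routes(cfg):
    """Map each static route id to (device, gateway, gateway lies on the device's subnet)."""
    interfaces, results = cfg.get("system interface", {}), {}
    for route_id, attrs in cfg.get("router static", {}).items():
        device, gateway = attrs.get("device", [None])[0], attrs.get("gateway", [None])[0]
        network = interface_network(interfaces.get(device, {}))
        on_link = bool(network and gateway and ipaddress.ip_address(gateway) in network)
        results[route_id] = (device, gateway, on_link)
    return results


def audit_backup(data):
    """Header facts for any backup, plus the two Lab 1 checks when it is plaintext."""
    report = parse_header(data)
    body = report.pop("body")
    if not report["encrypted"]:
        cfg = parse_blocks(body)
        report["plaintext_admin"] = plaintext_admin_access(cfg)
        report["routes"] = check_static_routes(cfg)
    return report
```

To run it against a real file, call audit_backup(open(path, "rb").read()). An encrypted file yields only the header fields, which is exactly why the header has to stay readable: it lets the unit, and you, confirm model and build before a restore. The route check catches the classic mistake of pointing a static route at a gateway the egress interface cannot reach directly.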
Lab 2: Administrative Access The aim of this lab will be to demonstrate how to create and modify administrative access permissions.
Objectives
Identify the steps to create a new administrative user
Recognize the options to restrict administrative access
Time to Complete Estimated: 10 minutes
Exercise 1 Profiles and Administrators

1. From the GUI on the student FortiGate device, go to System > Admin > Settings and select Enable Password Policy. Configure the password policy using the following settings:
Minimum Length: 8
Must Contain:
  1 Upper Case Letter: Enable
  1 Numerical Digit: Enable
Enable Password Expiration: 90 days
Once the settings have been modified, click Apply to save the changes.

2. Log out of the GUI, then log in again. You will be prompted to enter a new administrator password. Enter a new password that meets the requirements configured above.

3. Next, go to System > Admin > Admin Profile and create a new admin profile called Security_Admin_Profile. Set Security Profile Configuration to Read-Write and set all other permissions to Read Only. Once the profile settings have been modified, click OK to save the changes.

4. Go to System > Admin > Administrators and click Create New to add a new admin user called Security_Admin. Set Admin Profile to the new profile you created in the previous step. By doing this, you are limiting this administrator's access so that they will only be able to modify and create security profiles.
Note: Administrator names and passwords are case-sensitive. You cannot include the < > ( ) # " characters in an administrator name or password. Spaces are allowed, but not as the first or last character. Spaces in a name or password can be confusing and require the use of quotes to enter the name in the CLI.
Once the administrative user settings have been entered, click OK to save the changes.

5. To view the configuration for administrative users and profiles, type the following CLI commands:
show system admin
show system accprofile

6. Log out of the GUI on the student FortiGate device. Log in again as the Security_Admin user created earlier.

7. Test this administrator's access by attempting to create or modify various settings on the Student FortiGate device. You should observe that this admin user is only able to configure settings under Security Profiles.
For convenience in the labs, the admin password will not be set in the configuration files used in the subsequent modules.
Exercise 2 Restricting Administrator Access

1. Connect to the GUI on the remote FortiGate device by accessing the following URL: http://fgt.remote.lab
Log in with the default username of admin (all lowercase) and no password.

2. Edit the admin account and enable the setting Restrict this Admin Login from Trusted Hosts Only. Set Trusted Host #1 to the address 10.0.2.0/24. Click OK to save the changes.
Now, try connecting to the GUI of the Remote FortiGate device again. What is the result this time?
Because you are connecting from the 10.200.1.1 address (the result of NAT on the Student FortiGate device), you should notice that you are no longer able to connect to the device, since Trusted Hosts restricts the source IP addresses that may connect.

3. Attempt to ping the IP address 10.200.3.1. You should note that the ping no longer responds. This type of access is also affected by the source IP restriction configured above.

4. Go to the console of the Remote FortiGate device and enter the following CLI commands to add 10.200.0.0/16 as the second trusted IP address (Trusted Host #2) of the admin account:
conf sys admin
edit admin
set trusthost2 10.200.0.0/16
end

5. Test the GUI and ping access again to the IP address 10.200.3.1. You should now be able to connect to the GUI of the Remote device and ping it as well.

6. Go to System > Dashboard > Status and under System Information, click Details for Current Administrator. The administrators currently logged in to the FortiGate unit are displayed.

7. By default, an administrator has a maximum of three attempts to log in to their account before they are locked out for 60 seconds. The attempt counter takes the source IP address into account. The number of login attempts and the lockout period can be configured through the CLI.
To help improve the overall password security, the maximum number of attempts can be decreased and the lockout timer can be increased using the following CLI commands:
config system global
set admin-lockout-threshold 2
set admin-lockout-duration 100
end
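The two controls exercised above, trusted hosts and the login lockout counter, are easy to reason about with a small model. The following Python is an added example written for this guide; it is not FortiOS code and not part of the Fortinet lab. The defaults (3 attempts, 60 seconds) and the hardened values (2 attempts, 100 seconds) come from step 7; keeping the failure counter per source IP address is an assumption drawn from the statement that the counter takes the source IP into account.

```python
"""Model of FortiGate trusted hosts and admin login lockout (added example,
not FortiOS code). Per-source-IP bookkeeping is an assumption."""
import ipaddress


class AdminAccess:
    def __init__(self, trusted_hosts=(), lockout_threshold=3, lockout_duration=60):
        self.trusted_hosts = [ipaddress.ip_network(h, strict=False) for h in trusted_hosts]
        self.lockout_threshold = lockout_threshold
        self.lockout_duration = lockout_duration      # seconds
        self._failures = {}       # source IP -> consecutive failed attempts
        self._locked_until = {}   # source IP -> time at which the lockout expires

    def add_trusted_host(self, cidr):
        """Equivalent of 'set trusthostN <network>' on the admin account."""
        self.trusted_hosts.append(ipaddress.ip_network(cidr, strict=False))

    def source_allowed(self, src_ip):
        """Trusted-hosts check. With no entries configured, any source may connect.
        The lab shows this applies to GUI access and to ping towards the unit."""
        if not self.trusted_hosts:
            return True
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.trusted_hosts)

    def login(self, src_ip, password_ok, now):
        """One login attempt at time 'now' (seconds). Returns a short verdict."""
        if not self.source_allowed(src_ip):
            return "rejected: source not in trusted hosts"
        if now < self._locked_until.get(src_ip, 0):
            return "rejected: locked out"
        if password_ok:
            self._failures.pop(src_ip, None)
            return "accepted"
        failures = self._failures.get(src_ip, 0) + 1
        if failures >= self.lockout_threshold:
            self._failures.pop(src_ip, None)
            self._locked_until[src_ip] = now + self.lockout_duration
            return "rejected: bad password, lockout started"
        self._failures[src_ip] = failures
        return "rejected: bad password"


def trusted_host_walkthrough():
    """Steps 2 to 5: the student admin reaches the remote FortiGate from
    10.200.1.1 (after NAT); trusted host #1 is 10.0.2.0/24, then trusthost2
    10.200.0.0/16 is added. Returns (allowed before, allowed after)."""
    remote_admin = AdminAccess(trusted_hosts=["10.0.2.0/24"])
    before = remote_admin.source_allowed("10.200.1.1")
    remote_admin.add_trusted_host("10.200.0.0/16")
    after = remote_admin.source_allowed("10.200.1.1")
    return before, after


def lockout_walkthrough():
    """Step 7 with the hardened values: threshold 2, duration 100 seconds."""
    acc = AdminAccess(lockout_threshold=2, lockout_duration=100)
    return [
        acc.login("10.0.1.10", False, now=0),    # first failure
        acc.login("10.0.1.10", False, now=1),    # second failure: lockout starts
        acc.login("10.0.1.10", True, now=50),    # correct password, still locked
        acc.login("10.0.2.10", True, now=50),    # another source is unaffected
        acc.login("10.0.1.10", True, now=101),   # lockout expired
    ]


if __name__ == "__main__":
    print(trusted_host_walkthrough())
    for verdict in lockout_walkthrough():
        print(verdict)
```

Note that a correct password presented during the lockout window is still rejected; the window has to expire first, which is why a longer admin-lockout-duration slows an online guessing attempt without touching the password itself.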
Module 2 Lab 1: Status Monitor and Event Log The aim of this lab is for students to work with the event log and monitoring on a FortiGate unit.
Objectives
Identify and properly enable logging of system events
Locate event logs for specific information
Time to Complete Estimated: 10 minutes
Exercise 1 Exploring the GUI Status Monitor

1. From the GUI of the Student FortiGate device, go to System > Dashboard > Status and locate the System Resources widget.

2. Some widgets are not displayed on the dashboard by default. Click Widget to display the list of widgets available to add to the dashboard.
If not already added, click the Sessions History widget from the pop-up window to add it to the dashboard. Close the widget list window.

3. Hover the mouse over the title bar of the System Resources widget and click Edit to create a custom widget.
Configure a custom widget with the following details:
Custom Widget Name: System Resource History
View Type: Historical
Time Period: Last 60 minutes
A line chart appears in a new custom System Resource History widget showing a trace of past CPU and memory usage. The refresh rate of this window is automatically set to 1/20 of the time period (interval) configured.

4. The Alert Message Console widget displays recent system events, such as system restart and firmware upgrade. Hover the mouse over the title bar of the Alert Message Console widget and click History to view the entire message list.
Scroll to the bottom of the window and click Close.

5. Go to System > Dashboard and select Add Dashboard. Enter any name of your choice for the new dashboard and select the single column display.

6. Next, add the Top Sessions widget on your new dashboard. Click the edit icon in the title bar of the Top Sessions widget and observe the different ways in which top sessions can be reported, for example by top Destination Address, top Applications, etc. You can also select to display the top sessions by Source and Destination interfaces. Create your own customized Top Sessions widget and examine the sessions that are listed.

7. Test the functionality of the refresh, page forward, and page back icons in this window. You may need to generate some additional traffic in order to properly test these functions.

8. Click Dashboard and select Reset Dashboards to re-display the default dashboard.
Exercise 2 Event Log and Logging Options

1. From the Student FortiGate CLI, execute the following command to check the system status:
get system status

2. Verify the Log hard disk status. If it is set to Available, proceed to Step 3. If the status appears as Need Format, enter the following command to format the drive:
execute formatlogdisk
When prompted to continue, type "y" and wait for the system to reboot. Once the system has restarted, check the log disk settings by executing the following commands:
config log disk setting
get
You should observe that the status is enabled.

3. Repeat the previous steps on the Remote FortiGate device.

4. Return to the Student FortiGate device and log out of the GUI. When logging back in, use an incorrect password once and then use the correct password to log back in again. Go to Log & Report > Event Log > System and examine the log to find the invalid password event.

5. Go to Firewall Objects > Address > Address, and create a new firewall address using the following settings:
Name: fortinet
Type: FQDN
FQDN: www.fortinet.com
Leave the remaining settings at their defaults and click OK to save the changes.

6. Next, go to Log & Report > Event Log > System and review the log entries.

7. Go to Log & Report > Log Config > Log Setting and uncheck the option System activity event. Click Apply to save the changes.
Different types of log entries fall into different categories. Only enable logging for the activities that you need to monitor. This avoids filling the logs with information you do not need and consuming unnecessary system resources.

8. Go to Firewall Objects > Address > Address and create another firewall address entry. Go to Log & Report > Event Log > System and review the log entries again. Note that the entries are no longer visible for this activity. With this option deselected in the Event Logging settings, you will no longer see entries in the log for admin users logging on/off or making changes to the unit's configuration. Other types of log entries will still appear.

9. Go to Log & Report > Log Config > Log Settings and re-enable System activity event.
Lab 2: Remote Monitoring The aim of this lab is for students to set up logging to a remote device and monitoring of the FortiGate unit’s behavior. It can be advantageous to use remote monitoring instead of local monitoring in order to reduce resource usage. For example, while the GUI widgets provide useful displays of your system information, they also carry a significant resource cost and should be used sparingly.
Objectives
Enabling monitoring from a syslog and SNMP device
Time to Complete Estimated: 10 minutes
Exercise 1 Remote Syslog Logging and SNMP Monitoring

The Linux host in your student lab environment has been pre-configured for you to allow remote syslog.

1. From the CLI on the student FortiGate device, enter the following commands to set up logging to the syslog server:
conf log syslogd setting
set status enable
set facility local6
set server 10.200.1.254
end

2. Repeat the above step from the CLI on the remote FortiGate device.

3. From the virtual Windows Server desktop, launch the putty.exe application and open an SSH session to the Linux host (10.200.1.254).
Log in as root with the password: password.

4. Run the following command to monitor the FortiGate syslog messages, which are mapped to their own file by the local6 facility:
tail -f /var/log/fortinet

5. Leave the SSH window open, return to the student FortiGate device and generate some log entries by doing the following:
Attempt to log in with invalid credentials
Make a minor configuration change

6. From the GUI on the Student FortiGate device, go to System > Config > SNMP to enable SNMP monitoring. Select Enable for the SNMP Agent, then click Apply.

7. Create a new SNMP v3 security name using the settings displayed below. Set the Auth password to fortinet.
Click OK.

8. Go to System > Network > Interface and edit port1. Confirm that SNMP is enabled under the Administrative Access settings. If it is not enabled, you will need to enable it first, then click OK to save the changes.

9. Leave the SSH window that is currently running the tail command open and run putty again to open a new SSH connection to the Linux host (10.200.1.254). Next, execute the following snmpwalk command to find and display all of the monitoring options that a device presents through SNMP:
snmpwalk -v 3 -a sha -A fortinet -u training -l authNoPriv 10.200.1.1
A tree listing of all the options available to monitor this FortiGate VM device will be displayed. To make it easier to view the information available, you may also append > snmp.test to the command entered above. This will save the output to a file named 'snmp.test'. Enter the command view snmp.test to view the output file.
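Step 4 relies on the syslog facility to separate FortiGate messages from the host's own: the FortiGate sends with facility local6, and the receiving syslog daemon files those messages separately. The Python below is an added example, not part of this guide and not the lab host's configuration. It decodes the PRI field that carries facility and severity (PRI = facility * 8 + severity) and routes messages by facility the way a selector such as local6.* /var/log/fortinet would (standard syslog.conf syntax; that the lab host uses exactly this rule is an assumption). The sample messages are constructed for the example, not captured output.

```python
"""Decode syslog PRI and route messages by facility (added example; the
sample lines are constructed, not real FortiGate or sshd output)."""
import re

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(message):
    """Return (facility, severity, body) for one raw syslog message.
    PRI = facility * 8 + severity, so divmod(PRI, 8) recovers both."""
    m = PRI_RE.match(message)
    if m is None or int(m.group(1)) > 191:          # 191 = local7.debug, the maximum
        raise ValueError("invalid or missing syslog PRI: %r" % message[:20])
    facility_code, severity_code = divmod(int(m.group(1)), 8)
    return (FACILITIES.get(facility_code, "facility%d" % facility_code),
            SEVERITIES[severity_code],
            m.group(2))


def route_by_facility(messages, rules, default="/var/log/messages"):
    """Assign each message to a file using {facility: file} rules, as a
    syslog.conf selector like 'local6.*  /var/log/fortinet' does.
    Returns {file: [(severity, body), ...]}."""
    routed = {}
    for msg in messages:
        facility, severity, body = decode_pri(msg)
        target = rules.get(facility, default)
        routed.setdefault(target, []).append((severity, body))
    return routed


# Constructed sample traffic: the FortiGate sends with facility local6 (22),
# so PRI <181> is local6.notice; the host's sshd logs as auth.info, PRI <38>.
SAMPLE_MESSAGES = [
    '<181>date=2014-06-01 time=10:15:02 devname=STUDENT type=event subtype=system '
    'level=notice user="admin" action="login" status="failed" srcip=10.0.1.10',
    '<181>date=2014-06-01 time=10:15:40 devname=STUDENT type=event subtype=system '
    'level=notice user="admin" action="Edit" cfgpath="firewall.address" msg="Edit fortinet"',
    '<38>Jun  1 10:16:01 linux sshd[2211]: Accepted password for root from 10.0.1.10 port 4455 ssh2',
]

LAB_RULES = {"local6": "/var/log/fortinet"}   # assumed to match the lab host's rule


def fortigate_messages():
    """The entries 'tail -f /var/log/fortinet' would show for SAMPLE_MESSAGES."""
    return route_by_facility(SAMPLE_MESSAGES, LAB_RULES).get("/var/log/fortinet", [])


if __name__ == "__main__":
    for severity, body in fortigate_messages():
        print(severity, body)
```

Because the facility is chosen by the sender, a dedicated facility is only a filing convention, not an authentication of origin; the server-side filter on source address (and, where supported, TLS transport) is what keeps other hosts from writing into the FortiGate log file.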
Module 3 Lab 1: Firewall Policy The aim of this lab is for students to work with firewall policies and examine the FortiGate unit behavior when policies are re-ordered.
Objectives
Describe the various actions that can be set in a firewall policy
Demonstrate policy order
Time to Complete Estimated: 20 minutes
Exercise 1 Creating Firewall Objects and Rules

1. From the Windows Server, you first will need to connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file that is needed for this lab: Resources\Module3\Student\student-policy.conf. The Student FortiGate device will reboot.

2. From the GUI on the Student FortiGate device, go to Firewall Objects > Address > Address and create the following address object:
Name: STUDENT_INTERNAL
Type: Subnet
Subnet/IP Range: 10.0.1.0/255.255.255.0
Interface: Any
Once the settings have been entered, click OK to save the changes.

3. The unrestricted port3 -> port1 policy will need to be temporarily disabled in the policy list. To do this, go to Policy > Policy > Policy, right-click the unrestricted port3 -> port1 policy and select Status > Disable.

4. Next, click Create New to add a new firewall policy to provide general Internet access from the internal network. Configure the following settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: HTTP, HTTPS, DNS, ALL_ICMP, SSH (Hold down the CTRL key to select multiple services.)
Action: ACCEPT
Enable NAT: Enabled
Use Destination Interface Address: Enabled
Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
Comments: General Internet access
When creating firewall policies, keep in mind that the FortiGate device is a stateful firewall; therefore, a firewall policy only needs to be created for the direction of the originating traffic.
Once the policy settings have been entered, click OK to save the changes.

5. From the virtual Windows Server desktop, open a web browser and connect to various external web servers.

6. From the CLI, enter the following command to see the source NAT action:
# get system session list
Sample Output:
STUDENT # get sys session list
PROTO  EXPIRE  SOURCE           SOURCE-NAT         DESTINATION         DESTINATION-NAT
tcp    3600    10.0.1.10:3677   -                  10.0.1.254:22       -
tcp    3587    10.0.1.10:3717   10.200.1.1:64133   72.30.38.140:80     -
tcp    3570    10.0.1.10:3681   10.200.1.1:64097   69.171.228.70:80    -
tcp    3577    10.0.1.10:3710   10.200.1.1:64126   74.125.228.92:80    -
tcp    3587    10.0.1.10:3708   10.200.1.1:64124   74.125.228.92:80    -
tcp    3587    10.0.1.10:3706   10.200.1.1:64122   66.94.245.1:80      -
tcp    2274    10.0.1.10:3608   10.200.1.1:64024   10.200.1.254:22     -
tcp    3587    10.0.1.10:3712   10.200.1.1:64128   80.239.217.66:80    -
tcp    3566    10.0.1.10:3679   10.200.1.1:64095   74.125.227.24:80    -
Note that the new source address being applied is that of the destination interface port1 (10.200.1.1).
Exercise 2 Policy Action

1. Use the same steps you performed earlier to create a second firewall policy. Configure the following settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port1
Destination Address: Click Create and configure the following:
  Name: LINUX_ETH1
  Type: Subnet
  Subnet / IP Range: 10.200.1.254/255.255.255.255
  Click OK.
Schedule: always
Service: PING
Action: DENY
Log Violation Traffic: Enabled
Once the policy settings have been entered, click OK to save the changes.

2. From the Windows Server, open a DOS command prompt and ping the port1 gateway as follows:
ping -t 10.200.1.254
Provided you have not changed the rule ordering, the ping should still work, as it matches the ACCEPT policy and not the DENY policy just created. This demonstrates the behavior of policy ordering: the second policy was never checked because the traffic matched the first policy. Leave this window open and perform the next step.

3. From the GUI on the Student FortiGate device, go to Policy > Policy > Policy and right-click any of the column headings. Select Column Settings > ID. Move this column accordingly for easier viewing. By default, only the sequence number of the firewall policy is displayed in the GUI.

4. Next, click the Seq.# for the DENY policy created previously and drag this policy upwards to position it before the General Internet access policy.

5. Return to the Windows Server and examine the DOS command prompt window still running the continuous ping. You should observe that this traffic is now blocked and the replies appear as "Request timed out". Enter CTRL-C to end the ping command.
Exercise 3 Configuring Virtual IP Access

In this exercise, a virtual IP address will be configured to allow remote Internet connections to the Windows Server located at 10.0.1.10.

1. Go to Firewall Objects > Virtual IP > Virtual IP and click Create New to add a new virtual IP mapping with the following details:
Name: VIP_WIN2K3
External Interface: port1
Type: Static NAT
External IP Address/Range: 10.200.1.200
Mapped IP Address/Range: 10.0.1.10
Once the virtual IP settings have been entered, click OK to save the changes.

2. Next, create a new firewall policy to provide access to the web server. Configure the following settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port1
Source Address: all
Outgoing Interface: port3
Destination Address: VIP_WIN2K3
Schedule: always
Service: HTTP
Action: ACCEPT
Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
Enable NAT: Disabled (default)
Comments: Public access to web server
Once the policy settings have been entered, click OK to save the changes.

3. The firewall is stateful, so any existing sessions will not use this new firewall policy until they time out or are cleared. The sessions can be cleared individually from the session widget on the Status page, or from the CLI by executing the following:
diag sys session clear

4. Connect to the console of the remote Windows host. (From the virtual lab applet, go to Operations > Connect to Secondary > WinXP to connect to the console of your WinXP host.) On the WinXP desktop, open a web browser and access the following URL: http://10.200.1.200
If the virtual IP operation is successful, a simple web page appears displaying the message "It works!".

5. From the CLI on the Student FortiGate device, check the destination NAT entries in the session table by using the following command:
# get system session list
Sample Output:
STUDENT # get sys session list
PROTO  EXPIRE  SOURCE             SOURCE-NAT   DESTINATION        DESTINATION-NAT
tcp    3537    10.200.3.1:62426   -            10.200.1.200:80    10.0.1.10:80
6. On the virtual Windows Server desktop, open a web browser and connect to a few external web sites. Now examine the session information again as follows:
# get system session list
Sample Output:
STUDENT # get sys session list
PROTO  EXPIRE  SOURCE           SOURCE-NAT          DESTINATION           DESTINATION-NAT
tcp    3591    10.0.1.10:3995   10.200.1.200:3995   66.94.241.1:80        -
tcp    3590    10.0.1.10:3977   10.200.1.200:3977   72.30.38.140:80       -
tcp    3553    10.0.1.10:3965   10.200.1.200:3965   184.150.187.83:80     -
tcp    3592    10.0.1.10:3998   10.200.1.200:3998   74.125.228.92:80      -
tcp    3584    10.0.1.10:3969   10.200.1.200:3969   69.171.237.16:80      -
tcp    3596    10.0.1.10:4001   10.200.1.200:4001   208.91.113.80:80      -
tcp    3590    10.0.1.10:3983   10.200.1.200:3983   216.115.100.102:80    -
tcp    3590    10.0.1.10:3979   10.200.1.200:3979   216.115.100.103:80    -
tcp    3590    10.0.1.10:3987   10.200.1.200:3987   216.115.100.102:80    -
tcp    3590    10.0.1.10:3981   10.200.1.200:3981   216.115.100.103:80    -
tcp    3590    10.0.1.10:3985   10.200.1.200:3985   216.115.100.102:80    -
tcp    1013    10.0.1.10:3608   10.200.1.1:64024    10.200.1.254:22       -
tcp    3589    10.0.1.10:3976   10.200.1.200:3976   72.30.38.140:80       -
tcp    3591    10.0.1.10:3996   10.200.1.200:3996   184.150.187.99:80     -
tcp    3554    10.0.1.10:3967   10.200.1.200:3967   74.125.228.65:80      -
tcp    3590    10.0.1.10:3990   10.200.1.200:3990   216.115.100.103:80    -
tcp    3591    10.0.1.10:3978   10.200.1.200:3978   216.115.100.103:80    -
tcp    3590    10.0.1.10:3980   10.200.1.200:3980   216.115.100.103:80    -
Note that the outgoing connections from the Windows Server are now being NATed with the VIP address as opposed to the firewall interface address. This is a behavior of the static NAT VIP: when source NAT is enabled on a policy, a static NAT VIP takes priority over the destination interface IP address as the translated source.
Exercise 4 Configuring IP Pools

Currently, all traffic generated from the Windows Server through the Student FortiGate device has a translated source IP address of 10.200.1.200 because of the static NAT translation in the VIP. In this exercise, an IP address pool will be applied to a new rule which will override this behavior.

1. From the GUI on the Student FortiGate device, go to Firewall Objects > Virtual IP > IP Pool and create a new IP pool using the following settings:
Name: WIN2K3_EXT_IP
External IP Range/Subnet: 10.200.1.100
Once the settings have been entered, click OK to save the changes.

2. Go to Policy > Policy > Policy, and right-click the outgoing General Internet access policy. Select Copy Policy, then right-click the same policy again and select Paste > Above.

3. Select the new copy of the General Internet access policy and configure the following settings:
Policy Type: Firewall
Policy Subtype: Address
Incoming Interface: port3
Source Address: WIN2K3
Outgoing Interface: port1
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT
Log Options: Enable Log all Sessions and select Generate Logs when Session Starts
Enable NAT: Enabled
Use Dynamic IP Pool: WIN2K3_EXT_IP
Comments: Windows Server source NAT override
Once the policy settings have been entered, click OK to save the changes and verify that you have enabled it.

4. The firewall does stateful inspection, so any existing sessions will not use this new firewall policy until they time out or are cleared. The sessions can be cleared individually from the session widget on the Status page, or from the CLI by executing the following:
diag sys session clear

5. Connect to a few external web sites and then examine the session table to check the source NAT used. From the CLI on the Student FortiGate device, enter the following command to verify the source NAT IP address:
# get system session list
Sample Output:
STUDENT # get system session list
PROTO  EXPIRE  SOURCE           SOURCE-NAT           DESTINATION            DESTINATION-NAT
tcp    3599    10.0.1.10:3963   10.200.1.100:64379   74.125.225.126:443     -
tcp    3599    10.0.1.10:3961   10.200.1.100:64377   74.125.225.111:443     -
tcp    3552    10.0.1.10:3953   10.200.1.100:64369   76.74.133.167:80       -
tcp    3597    10.0.1.10:3956   10.200.1.100:64372   74.125.225.118:80      -
tcp    3597    10.0.1.10:3954   10.200.1.100:64370   74.125.225.117:80      -
tcp    3598    10.0.1.10:3959   10.200.1.100:64375   199.7.57.72:80         -
tcp    16      10.0.1.10:3948   10.200.1.100:64364   66.36.238.121:22       -
tcp    3598    10.0.1.10:3958   10.200.1.100:64374   209.85.225.84:443      -
tcp    3599    10.0.1.10:3962   10.200.1.100:64378   74.125.225.99:443      -
tcp    0       10.0.1.10:3960   10.200.1.100:64376   98.139.200.238:80      -
tcp    3597    10.0.1.10:3955   10.200.1.100:64371   74.125.225.118:80      -
Observe that the source NAT address is now 10.200.1.100, as configured in the IP pool. The order of precedence is therefore IP Pool > Static-NAT VIP > Destination Interface.
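The three sample outputs in this lab (Exercises 1, 3 and 4) differ only in the SOURCE-NAT column, and that column is what proves the precedence rule. The following Python is an added example for this guide, not FortiOS code: it parses session list output of the form shown above, reports which source NAT addresses the Windows Server's sessions carried, and encodes the observed precedence (IP Pool > Static-NAT VIP > Destination Interface) as a function. The embedded rows are copied from this lab's own sample outputs; the function and parameter names are the example's own.

```python
"""Parse 'get system session list' rows and check the source NAT address
(added example, not FortiOS code). Rows below are copied from this lab."""

COLUMNS = ("proto", "expire", "source", "source_nat", "destination", "destination_nat")


def parse_session_list(output):
    """One dict per session row; prompt and header lines are skipped.
    A '-' in a NAT column means no translation in that direction."""
    sessions = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or fields[0] not in ("tcp", "udp", "icmp"):
            continue
        row = dict(zip(COLUMNS, fields))
        row["expire"] = int(row["expire"])
        sessions.append(row)
    return sessions


def split_endpoint(endpoint):
    """'10.0.1.10:3717' -> ('10.0.1.10', 3717); '-' -> (None, None)."""
    if endpoint == "-":
        return None, None
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def snat_addresses(sessions, source_host):
    """Set of translated source addresses used by sessions from source_host."""
    result = set()
    for s in sessions:
        if split_endpoint(s["source"])[0] == source_host:
            addr, _ = split_endpoint(s["source_nat"])
            if addr:
                result.add(addr)
    return result


def source_port_preserved(session):
    """True when the translated source keeps the original source port, as the
    static NAT VIP rows in Exercise 3 do (3995 -> 3995) and the interface and
    IP pool rows do not (3717 -> 64133)."""
    _, original = split_endpoint(session["source"])
    _, translated = split_endpoint(session["source_nat"])
    return translated is not None and translated == original


def choose_snat(nat_enabled, ip_pool=None, static_vip=None, egress_ip=None):
    """Translated source a policy yields, per the precedence this lab observes:
    IP pool, then static NAT VIP, then the outgoing interface address.
    Returns None when the policy does not NAT at all."""
    if not nat_enabled:
        return None
    if ip_pool:
        return ip_pool
    if static_vip:
        return static_vip
    return egress_ip


# Rows copied from the lab's sample outputs (a subset of each).
EX1_OUTPUT = """STUDENT # get sys session list
PROTO EXPIRE SOURCE SOURCE-NAT DESTINATION DESTINATION-NAT
tcp 3600 10.0.1.10:3677 - 10.0.1.254:22 -
tcp 3587 10.0.1.10:3717 10.200.1.1:64133 72.30.38.140:80 -
tcp 2274 10.0.1.10:3608 10.200.1.1:64024 10.200.1.254:22 -
"""
EX3_OUTPUT = """tcp 3591 10.0.1.10:3995 10.200.1.200:3995 66.94.241.1:80 -
tcp 1013 10.0.1.10:3608 10.200.1.1:64024 10.200.1.254:22 -
tcp 3537 10.200.3.1:62426 - 10.200.1.200:80 10.0.1.10:80
"""
EX4_OUTPUT = """tcp 3599 10.0.1.10:3963 10.200.1.100:64379 74.125.225.126:443 -
tcp 3552 10.0.1.10:3953 10.200.1.100:64369 76.74.133.167:80 -
"""


def lab_snat_summary():
    """Which SNAT addresses the Windows Server's sessions carried per exercise."""
    return {name: snat_addresses(parse_session_list(out), "10.0.1.10")
            for name, out in (("ex1", EX1_OUTPUT), ("ex3", EX3_OUTPUT), ("ex4", EX4_OUTPUT))}


if __name__ == "__main__":
    for name, addrs in lab_snat_summary().items():
        print(name, sorted(addrs))
```

The Exercise 3 summary contains two addresses because the pre-existing SSH session (10.0.1.10:3608) keeps its port1 translation until it times out or is cleared, which is exactly why the lab has you run diag sys session clear before re-testing.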
Lab 2: Traffic Log The aim of this lab is to read traffic logs and become familiar with their contents.
Objectives
Demonstrate how to enable traffic logging
Read and understand traffic log entries
Time to Complete Estimated: 5 minutes
Exercise 1 Enabling Traffic Logging

1. Go to Policy > Policy > Policy and click the Seq.# of the DENY policy that you created previously. Drag this policy to position it BEFORE the Windows Server source NAT override policy.

2. Edit the DENY policy and verify that Log Violation Traffic is enabled.

3. From the Windows Server, open a DOS command prompt and ping the port1 gateway as follows:
ping -t 10.200.1.254
Provided you have positioned the rule correctly, this traffic should be blocked and time out.

4. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic to examine the log entries. You should observe violation traffic entries. These entries appear with red X symbols under the column Security Action.

5. Edit the DENY policy. Change the Action setting to ACCEPT, and enable NAT by selecting the Enable NAT checkbox. Once these policy settings have been entered, click OK to save the changes. From the Windows Server, you should observe that the ping now succeeds.

6. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic. The log entries will no longer show violation traffic, but summaries of the ping traffic that passed.
Lab 3: Device Policies In this lab you will create a firewall policy that uses the email captive portal. Once the device has been learned, you will grant that device access to a test web server.
Objectives
Demonstrate how to enable Device Identification
Configure Device Identification policies
Time to Complete Estimated: 10 minutes
Exercise 1 Enabling Device Identification

1. From the virtual Windows Server host, you first will need to connect to the Student FortiGate device and restore the configuration file needed for this exercise. Restore the following configuration file: Resources\Delta\delta-student-initial.conf.

2. Edit the outgoing port3 to port2 firewall policy using the following settings:
Policy Type: Firewall
Policy Subtype: Device Identity
Incoming Interface: port3
Source Address: STUDENT_INTERNAL
Outgoing Interface: port2
Enable NAT: Enabled. Select Use Destination Interface Address

3. Next, click Create New under Configure Authentication Rules and create the following sub-policies:
Sub-policy 1:
Destination Address: all
Device: Windows PC
Schedule: always
Service: HTTP
Action: Accept
Click OK.
Sub-policy 2:
Destination Address: all
Device: Collected Emails
Schedule: always
Service: HTTP, HTTPS, ALL_ICMP, SSH, SMTP, POP3, FTP (Hold down the CTRL key to select multiple services.)
Action: ACCEPT
Click OK.

4. Under Device Policy Options, enable Prompt E-mail Collection Portal for all devices as follows:
Once you have configured all the above policy settings, click OK to save the changes.
5. Use drag-and-drop to reorder the sub-policies. The captive portal policy should be last in the sub-policy list because this rule should only be matched if the device has not already been identified. In this example, the first web traffic from the client matches the email captive portal rule. The subsequent traffic matches the collected email device object as we now have this information. 6. Check the device policy and sub-policies.
Click OK.

7. Test the device policy on the Student FortiGate device. First, execute the following CLI commands to disable the email DNS check for the captive portal. (This step is required for the purposes of this lab.)
config system settings
set email-portal-check-dns disable
end

8. From your web browser, connect to: http://10.200.1.254
The portal should appear. Accept the conditions and enter your email address when prompted. FortiGate should now redirect you to the web site.

9. From the CLI, use debug flow to examine the traffic:
diag debug flow filter addr 10.200.1.254
diag debug flow show func en
diag debug flow show cons en
diag debug enable
diag debug flow trace start 20

10. Go to User & Device > Device > Device Definition and check the new device. This is a dynamic device. FortiGate may update and store its list of devices to flash to speed up detection. List the detected devices from the CLI:
diag user device list

11. Clear the device from the CLI:
diag user device clear

12. Reload the web page. You should observe that you are redirected to the email portal again. Accept the conditions and enter your email address.

13. Perform a show from the CLI to confirm there are no devices in the configuration file:
show user device

14. From the GUI, go to User & Device > Device > Device Definition and edit your device from the device list. Add an alias called myDevice. This creates a static device in the configuration file. Once you have entered the alias, click OK to save the change. Perform the following show command to confirm that the device now appears in the configuration file:
show user device

15. Go to User & Device > Device > Device Group. Note that your device is already a member of several predefined device groups. Click Create New and add a new device group called myDevGroup. Next, add myDevice to the Members list and click OK. Note that your device is still a member of the predefined groups and is now also a member of the custom group myDevGroup.

16. From a command prompt on the virtual Windows host, open an FTP connection to: 10.200.1.254
Once you have connected, close the FTP connection.

17. Now add a sub-policy to your firewall device policy blocking FTP. Edit the device policy and create the following sub-policy:
Sub-policy 3:
Destination: LINUX_ETH1
Device: myDevGroup
Schedule: always
Service: FTP
Action: Deny
Log Violation Traffic: Enable
Click OK.

18. Use drag-and-drop to reorder the sub-policies so that this policy is first in the list.

19. From your PC, test whether you can open an FTP connection to ftp://10.200.1.254
You should observe that the connection now fails to establish. View the traffic logs and find the deny entry.
Module 4 Lab 1: User Authentication The aim of this lab is to introduce students to user authentication management on the FortiGate unit.
Objectives
Create an identity-based policy
Manage user authentication
Time to Complete Estimated: 20 minutes
Exercise 1 Identity-based Firewall Policy
1. From the Windows Server, you first will need to connect to the student FortiGate device and restore the configuration file that is needed for this lab.
2. Connect to the GUI on the student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module4\Student\student-auth.conf. The Student FortiGate device will reboot.
3. When the device has rebooted, review the user configuration for this lab. Go to User & Device > User > User Definition to review the local user settings. Go to User & Device > User Group > User to review the user group configuration.
4. On the virtual Windows Server desktop, open a web browser and connect to a new web site. At the login prompt, enter the following credentials:
Username: student
Password: F0rtinet
You should observe that after successful authentication, you are redirected to your destination web site.
5. From the GUI on the student FortiGate, go to Policy > Policy > Policy and review the outgoing port3→port1 firewall policy with authentication configured.
6. Next, open a putty.exe session and try to ping or connect via SSH to 10.200.1.254. You should observe that both of these tests fail. Even though there is an accept rule for this traffic, it is not being allowed. This highlights an important behavior of identity policies: the service becomes a permission and not a selector. In our example the identity policy matches all outgoing traffic regardless of service, and the service is then allowed only if it is permitted for the user. Since the authentication policy matches the source IP and SSH is not an allowed service, the FortiGate will not look for another matching firewall policy: a policy has already been found, and the traffic is not allowed through it. There are two ways to correct this. You can either add ALL_ICMP and SSH to the identity policy rule for the training user group, or move the regular policy before the identity policy. Using either one of these options, make your configuration change and retest using ping or by connecting through SSH. If using SSH, log in as root with the password: password.
7. Go to User & Device > Monitor > Firewall to view the details of the authenticated user along with the policy used to authenticate this user.
8. Next, go to Log & Report > Event Log > User and locate the log messages for the firewall policy authentication events. The details for the entry are displayed in the lower pane of the Event Log window. Notice that the user’s name “student” is now included in the log messages.
9. From the CLI, view the IP addresses and users which have successfully authenticated to the FortiGate unit with the following command:
diag firewall auth list
Clear all authenticated sessions with the following command:
diag firewall auth clear
Caution: Be careful using this command on a live FortiGate as it will clear ALL authenticated users.
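The identity-policy behaviour explained in step 6, as an added example (not Fortinet's code): a Python model of first-match policy lookup in which an identity policy selects on interfaces and addresses only and treats the service as a permission checked afterwards. The interface names, user group, LAN subnet and 10.200.1.254 follow the lab; the policy names, the 203.0.113.10 web destination and the exact fields of the two policies are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str         # CIDR
    dstaddr: str         # CIDR
    services: frozenset  # permitted services, or {"ALL"}
    groups: frozenset = frozenset()   # non-empty makes this an identity policy

    def selects(self, pkt):
        """Selector fields decide whether this is *the* policy for the packet.
        For an identity policy the service is deliberately not a selector."""
        if (pkt["srcintf"], pkt["dstintf"]) != (self.srcintf, self.dstintf):
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.srcaddr):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dstaddr):
            return False
        if self.groups:
            return True
        return "ALL" in self.services or pkt["service"] in self.services


def lookup(policies, pkt, user_groups):
    """First policy whose selector fields match wins. Once a policy is found no
    further policy is consulted, even if that policy then denies the service."""
    for pol in policies:
        if not pol.selects(pkt):
            continue
        if pol.groups:   # identity policy: service is a permission, checked after selection
            permitted = bool(pol.groups & user_groups) and (
                "ALL" in pol.services or pkt["service"] in pol.services)
            return pol.name, "accept" if permitted else "deny"
        return pol.name, "accept"
    return None, "deny"   # implicit deny


# Lab topology: LAN hosts on port3 leave through port1 (constructed policy contents).
IDENTITY = Policy("auth-out", "port3", "port1", "10.0.1.0/24", "0.0.0.0/0",
                  frozenset({"HTTP", "HTTPS"}), groups=frozenset({"training"}))
REGULAR = Policy("mgmt-out", "port3", "port1", "10.0.1.0/24", "10.200.1.254/32",
                 frozenset({"SSH", "ALL_ICMP"}))
STUDENT_GROUPS = frozenset({"training"})   # user "student" after authentication


def packet(service, dst):
    return {"srcintf": "port3", "dstintf": "port1", "src": "10.0.1.10",
            "dst": dst, "service": service}


def lab_verdicts():
    """Reproduce the lab: web works, SSH/ping to 10.200.1.254 is denied although a
    later accept rule exists, and either fix from step 6 makes it work."""
    before = [IDENTITY, REGULAR]
    fix_add_services = [replace(IDENTITY, services=IDENTITY.services | {"SSH", "ALL_ICMP"}),
                        REGULAR]
    fix_reorder = [REGULAR, IDENTITY]
    mgmt = "10.200.1.254"
    return {
        "http_before": lookup(before, packet("HTTP", "203.0.113.10"), STUDENT_GROUPS),
        "ssh_before": lookup(before, packet("SSH", mgmt), STUDENT_GROUPS),
        "ping_before": lookup(before, packet("ALL_ICMP", mgmt), STUDENT_GROUPS),
        "ssh_add_services": lookup(fix_add_services, packet("SSH", mgmt), STUDENT_GROUPS),
        "ssh_reorder": lookup(fix_reorder, packet("SSH", mgmt), STUDENT_GROUPS),
        # A user outside the training group still hits the identity policy and is denied.
        "ssh_other_group": lookup(fix_add_services, packet("SSH", mgmt), frozenset({"guests"})),
    }


if __name__ == "__main__":
    for case, (policy, verdict) in lab_verdicts().items():
        print(f"{case:18} -> {policy}: {verdict}")
```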
Module 5 Lab 1: SSL VPN
The aim of this lab is for students to work with and manage user groups and portals for the SSL VPN.
Objectives
Configure and connect to an SSL VPN
Enable various authentication security options
Time to Complete Estimated: 30 minutes
Exercise 1 Configuring SSL VPN for Web Access
1. From the Windows Server, connect to the GUI on the student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module5\Student\student-ssl.conf. The FortiGate will reboot.
2. When the device has rebooted, review the SSL VPN access configuration for this lab. Go to Policy > Policy > Policy and examine the port1→port3 policy for SSL VPN. Note from the policy list that this policy has a sub-policy. Edit this policy to view its components. The settings are configured as follows:
Policy Type: VPN
Policy Subtype: SSL-VPN
Incoming Interface: port1
Remote Address: all
Local Interface: port3
Local Protected Subnet: WIN2K3
SSL Client Certificate Restrictive: Disabled
The policy is incoming, that is, from the external network to the internal network. The policy subtype is SSL VPN, which indicates further processing besides only accepting the traffic. Under Configure SSL-VPN Authentication Rules, edit the first rule to view its contents. Notice that this allows users in the training group to access the web-access SSL-VPN portal.
You will notice that this rule contains many settings including Group(s), User(s), Schedule, Service and SSL-VPN Portal. Select Cancel to close the edit window for this sub-policy. In an upcoming exercise, we will be adding on to this policy to allow tunnel access.
3. To observe the effect of this policy you will now access the SSL VPN. On the virtual external Windows XP host desktop, open a web browser and access the SSL VPN by browsing to the following URL: https://10.200.1.1. Accept the security warnings for the self-signed certificate and log in using the following credentials:
Username: student
Password: F0rtinet
You should notice that you are able to log in successfully; however, the web portal is currently in its default settings. We will now configure the web-access portal which is selected in the SSL VPN policy. Log out and return to the virtual Windows Server host.
4. Go to VPN > SSL > Portal and from the drop-down list displayed in the top right-hand corner, select web-access to edit this portal. Verify that Include Bookmarks is selected and then, in the table shown, create the following bookmarks for the internal server.
Bookmark for HTTP:
Category: Test
Name: HTTP/HTTPS
Type: HTTP/HTTPS
Location: 10.0.1.10
Click OK.
Bookmark for RDP:
Category: Test
Name: RDP
Type: RDP
Location: 10.0.1.10
Click OK.
Modify the Portal Message with a message of your choice, then click Apply to save all the changes. Select View Portal to review your changes.
5. Test the SSL VPN access again from the external Windows host (WINXP) by browsing to: https://10.200.1.1. You should now observe that you have two bookmarks listed.
6. Select the HTTP/HTTPS bookmark and examine the items listed below to understand how the web access functions. Note the URL of the web site in the browser address bar: https://10.200.1.1/proxy/http/10.0.1.10/
The first part of the address is the encrypted link to the FortiGate SSL VPN gateway: https://10.200.1.1/
The second part of the address is the instruction to use the SSL VPN HTTP proxy: .../proxy/http...
The final part of the address is the destination of the connection from the HTTP proxy: .../10.0.1.10/
In this example, the connection is encrypted up to the SSL VPN gateway. The connection from the HTTP proxy to the final destination is in clear text.
7. Return to the virtual Windows Server device and, from the GUI on the Student FortiGate device, go to VPN > Monitor > SSL-VPN Monitor. Locate the details of the SSL VPN connection. Note the User, Source IP and Begin Time.
8. Go to Log & Report > Event Log > VPN and view the corresponding log entry. Look for the “SSL tunnel established” message.
9. From the external Windows XP host, log out of the SSL VPN connection. Return to the log and look for the “SSL tunnel shutdown” message.
Exercise 2 Configuring SSL VPN for Tunnel Mode
In this exercise you will edit the current SSL policy, adding a new sub-rule for a second user configured for tunnel mode.
1. Edit the SSL VPN policy and under Configure SSL-VPN Authentication Rules, create a new sub-policy for a full-access portal using the following settings:
Group(s): training
Schedule: always
SSL-VPN Portal: full-access
After adding the sub-policy, click OK to save the changes.
2. To observe the effect of this sub-policy you will now access the SSL VPN again. From the virtual external Windows XP host desktop, open a web browser and access the SSL VPN by browsing to the following URL: https://10.200.1.1. When prompted, log in to the SSL VPN using the following credentials:
Username: student
Password: F0rtinet
3. What do you see when you log in? You should see the same portal as in the previous exercise. Why? The training user group is associated with both sub-policies; therefore the first one matching, the web-access portal, is applied. You could move the rule so that the rule for the full-access portal is first in the list; however, this would affect all users in that group. Instead, edit the sub-rule created in step 1 above and set the user group to training2. Click OK to save the rule settings, then click OK again to save the policy changes.
4. In the web browser on the virtual remote Windows XP host, connect to the SSL VPN portal once again using the URL: https://10.200.1.1. Note that you may need to clear the web browser’s cache if the login window is not displayed. This time, log in to the SSL VPN using the following credentials:
Username: student2
Password: F0rtinet2
You should now observe that the portal established is the full-access portal.
Note: If using the SSL VPN client available with FortiClient, you do not need to log in via the portal.
5. In the Tunnel Mode panel, click Connect. You should see a link status of UP and the bytes sent and received incrementing.
6. On the virtual remote Windows host, open a DOS command prompt and perform the following:
ipconfig
Note down your assigned IP address for reference. Note that the ‘fortissl’ adapter has an IP address. Where does this IP address come from? Display the routing information by entering the following command:
route print
Note the low-metric routes and observe that there is a route to 10.0.1.10. Where did this come from? Run a continuous ping to 10.0.1.10 as follows:
ping -t 10.0.1.10
7. From the GUI on the Student FortiGate device, go to VPN > Monitor > SSL-VPN Monitor. The SSL-VPN Monitor displays the client connections and the IP allocated to the tunnel connection.
8. In the firewall policy list, examine the Count field to see the packets and bytes per policy. You may need to reposition this column for easier viewing. Notice that there is traffic associated with the incoming rule from the ssl. interface. This rule is created automatically. This traffic is the incoming traffic from your SSL VPN client. Where does your assigned address come from?
9. Go to VPN > SSL > Portal to access the SSL VPN portal configuration. Edit the full-access portal. Within the Enable Tunnel Mode options, note the IP Pool used, which refers to a firewall address object.
10. Go to Firewall Objects to look up that firewall address object. What are the values of that object? The object defines an address range that matches your assigned address, so this is how IP addresses are configured and assigned to SSL VPN clients. Where does the route to 10.0.1.10 come from? HINT: In the policy list, look at the Destination address of the SSL VPN policy. You will observe that the address object values for WIN2K3 are 10.0.1.10/32, so this is where the SSL VPN client route came from. With this present configuration, the SSL VPN client is split tunneling. This means that only traffic to the specific destination behind the firewall is tunneled, and all other traffic goes to the default gateway. What configuration change would you need to make to give the client a default route into the tunnel? Disable split tunneling in the full-access portal, which means a default route is pushed to the client, forcing all traffic into the tunnel.
Module 6 Lab 1: IPSec VPN
The aim of this lab is for students to configure an IPSec VPN on the FortiGate device using both interface-based and policy-based modes.
Objectives
Configure and implement interface and policy-based IPSec VPNs
Demonstrate the differences between interface and policy-based VPNs
Explain IPSec VPN configuration options
Time to Complete Estimated: 30 minutes
Exercise 1 Site to Site IPsec VPN
1. From the Windows Server, you first will need to connect to the Student and Remote FortiGate devices and restore the configuration files that are needed for this lab. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module6\Student\student-ipsec.conf. The Student FortiGate device will reboot.
2. Connect to the GUI on the Remote FortiGate device (10.200.3.1) and restore the following configuration file: Resources\Module6\Remote\remote-ipsec.conf. The Remote FortiGate device will reboot.
3. When the Student FortiGate device has rebooted, open a DOS command prompt from the virtual Windows Server and run a continuous ping to the remote Windows XP host as follows:
ping -t 10.0.2.10
4. From the GUI on the Student FortiGate device, go to VPN > Monitor > IPsec Monitor and examine the tunnel status. You should observe a tunnel named remote with the destination 10.200.3.1 and a status of up. This is the tunnel that is established to the Remote FortiGate device.
5. From the Student FortiGate device, review the firewall policy port3→remote. View the Count column so that you can see the packets and bytes per policy. Observe that the counter is incrementing for the port3→remote policy. What is the interface remote? Go to System > Network > Interface and note the blue arrowhead associated with port1. If you expand this you will be able to see the remote interface and the type for this interface, which is set to Tunnel Interface.
6. Go to VPN > IPsec > Auto Key (IKE) and review the IPsec configuration. Note the Phase 1 and Phase 2 IKE objects. Edit the Phase1 IKE object remote. Select Advanced to view all the settings. Note that IPsec Interface Mode is selected. These settings can also be viewed through the CLI as follows:
conf vpn ipsec phase1-interface
show
The Phase1 IKE object is the IPsec interface referenced in the interface list and firewall policy. How is the traffic getting to this policy?
Traffic arrives at the FortiGate unit on the ingress interface. For new connections, a routing lookup is performed to select the egress interface and gateway, and then there is a lookup in the firewall policy to find a matching rule. It is the routing lookup that selects the egress, and therefore the remote interface is selected in this case. So a route is driving the traffic to the IPsec interface.
7. Go to Router > Monitor and view the current routing table. You will observe a static route to the destination 10.0.2.0/24 pointing to the remote interface. This is an example of the route-based VPN configuration. The alternative is the policy-based VPN, which we will review next. Generally, the route-based VPN is the preferred approach; however, there are a few exceptions where you would need to use the policy-based VPN. These will be discussed later.
8. Open a web browser on the Windows Server and connect to the GUI on the Remote FortiGate device.
9. Go to VPN > Monitor > IPsec Monitor and examine the tunnel status from the Remote FortiGate device. You should observe a tunnel named student with the destination 10.200.1.1 and the Status is up. This is the tunnel that is established to the Student FortiGate device.
10. Still on the Remote FortiGate device, go to System > Network > Interface and note there is no tunnel sub-interface for port4.
11. Go to Router > Monitor and view the current routing table. You will observe that there is no route to the 10.0.2.0/24 destination; there is only a default route. How is the traffic entering the tunnel then?
12. Review the firewall policy that exists on the Remote FortiGate device. Note that there is a policy from port6 to port4 for address 10.0.2.0/24 (REMOTE_INTERNAL) to address 10.0.1.0/24 (STUDENT INTERNAL) with action IPsec. Edit this policy to view its settings. The policy subtype is IPsec, and it uses the VPN Tunnel called student. It also has permissions to allow traffic inbound as well as outbound. We will look at these settings later. How is the traffic matching this policy? On the Student FortiGate device, a static route was sending traffic to the IPSec interface. Here there is no static route, and the traffic is being sent to the tunnel using the policy subtype setting, hence policy-based. The IPSec policy matches traffic from 10.0.2.0/24 to 10.0.1.0/24 and forwards it to the tunnel student.
13. From the Remote FortiGate device, go to VPN > IPsec > Auto Key (IKE) and review the IPSec configuration. Note the Phase 1 and Phase 2 IKE objects. These settings can also be viewed through the CLI:
conf vpn ipsec phase1-interface
conf vpn ipsec phase2-interface
14. Edit the Phase1 IKE object remote and select Advanced to view all the settings. Note that IPSec Interface Mode is not selected. The Phase1 IKE object is the IPSec tunnel referenced in the IPSec firewall policy. Here we are using policy-based on the Remote FortiGate device and interface-based on the Student FortiGate device. The type we use is of local significance; therefore we can mix them, as is the case in this example.
15. From the remote Windows XP host, attempt to run a continuous ping to 10.0.1.10. You should observe that this ping fails. Can you identify why? If the VPN is in Tunnel mode, then only a single firewall policy is used in order to allow and regulate incoming and outgoing traffic. However, if the policy is in Interface mode, then a separate VPN firewall policy is needed to allow inbound and outbound communication. On the Student FortiGate device we have only configured the outgoing policy and the VPN is in Interface mode. This is why the new incoming connection is dropped: there is no firewall policy to allow it.
16. Return to the Student FortiGate device and add the missing firewall policy. You should observe that the ping now succeeds.
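The two forwarding paths compared in steps 6 through 15, as an added example (not FortiOS code): a Python model in which each FortiGate does a route lookup to pick the egress and then a first-match policy lookup. On the Student side the route to 10.0.2.0/24 points at the tunnel interface remote (route-based), on the Remote side a default route plus an IPsec-action policy with inbound permission sends traffic into tunnel student (policy-based), and the missing inbound policy of step 15 is added last. Interface and tunnel names and subnets follow the lab; the decision rules and the connected routes are constructed simplifications.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _in(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


@dataclass
class Route:
    prefix: str
    egress: str


@dataclass
class Policy:
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    action: str = "accept"        # "accept" or "ipsec"
    tunnel: Optional[str] = None  # tunnel name when action is "ipsec"
    inbound: bool = False         # policy-based: also admit decrypted traffic from the tunnel


@dataclass
class FortiGate:
    name: str
    routes: list
    policies: list
    tunnel_interfaces: frozenset = frozenset()   # interface-mode (route-based) tunnels

    def route(self, dst: str) -> Optional[str]:
        """Longest-prefix match; returns the egress interface, or None."""
        addr, best = ipaddress.ip_address(dst), None
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, r.egress)
        return best[1] if best else None

    def forward(self, ingress: str, src: str, dst: str,
                from_tunnel: Optional[str] = None) -> str:
        """Route lookup first, then first-match policy lookup, as step 6 describes.
        from_tunnel names the policy-based tunnel the packet was decrypted from;
        for an interface-mode tunnel the ingress interface already identifies it."""
        egress = self.route(dst)
        if egress is None:
            return "drop: no route"
        for p in self.policies:
            # Policy-based VPN: the same policy admits the reverse direction when inbound is set.
            if (from_tunnel and p.action == "ipsec" and p.tunnel == from_tunnel and p.inbound
                    and ingress == p.dstintf and _in(src, p.dstaddr) and _in(dst, p.srcaddr)):
                return f"accept via {egress} (inbound through IPsec policy {p.tunnel})"
            if (ingress == p.srcintf and egress == p.dstintf
                    and _in(src, p.srcaddr) and _in(dst, p.dstaddr)):
                if p.action == "ipsec":
                    return f"encrypt into tunnel {p.tunnel} (policy-based)"
                if egress in self.tunnel_interfaces:
                    return f"encrypt into tunnel {egress} (route-based)"
                return f"accept via {egress}"
        return "drop: no matching policy"


def student(with_inbound_policy: bool = False) -> FortiGate:
    """Student FortiGate: interface mode, static route 10.0.2.0/24 -> remote."""
    pols = [Policy("port3", "remote", "10.0.1.0/24", "10.0.2.0/24")]
    if with_inbound_policy:   # the policy added in step 16
        pols.append(Policy("remote", "port3", "10.0.2.0/24", "10.0.1.0/24"))
    return FortiGate("student",
                     [Route("10.0.1.0/24", "port3"), Route("10.0.2.0/24", "remote"),
                      Route("0.0.0.0/0", "port1")],
                     pols, frozenset({"remote"}))


# Remote FortiGate: policy-based, only a default route, IPsec-action policy port6 -> port4.
REMOTE = FortiGate("remote",
                   [Route("10.0.2.0/24", "port6"), Route("0.0.0.0/0", "port4")],
                   [Policy("port6", "port4", "10.0.2.0/24", "10.0.1.0/24",
                           action="ipsec", tunnel="student", inbound=True)])


def lab_results() -> dict:
    s_before, s_after = student(), student(with_inbound_policy=True)
    return {
        "student_out": s_before.forward("port3", "10.0.1.10", "10.0.2.10"),
        "remote_in": REMOTE.forward("port4", "10.0.1.10", "10.0.2.10", from_tunnel="student"),
        "remote_out": REMOTE.forward("port6", "10.0.2.10", "10.0.1.10"),
        "student_in_before": s_before.forward("remote", "10.0.2.10", "10.0.1.10"),
        "student_in_after": s_after.forward("remote", "10.0.2.10", "10.0.1.10"),
    }


if __name__ == "__main__":
    for case, verdict in lab_results().items():
        print(f"{case:18} -> {verdict}")
```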
Module 7 Lab 1: Antivirus Scanning
The aim of this lab is to work with both flow-based and proxy-based Antivirus scanning.
Objectives
Configure flow-based and proxy-based antivirus scanning
Test FortiGate antivirus scanning behavior
Time to Complete Estimated: 30 minutes
Exercise 1 Antivirus Testing
1. From the Windows Server, you first will need to connect to the Student FortiGate device and restore the configuration file that is needed for this lab. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module7\Student\student-utm.conf. The Student FortiGate device will reboot.
2. When the FortiGate device has rebooted, go to Security Profiles > AntiVirus > Profile and configure the default profile as follows to enable AV scanning on HTTP:
Inspection Mode: Proxy
Virus Scan and Removal: Select HTTP and deselect all other settings
Once the inspection settings have been entered, click Apply to save the changes.
3. Go to Policy > Policy > Policy and edit the port3→port1 policy. Turn ON AntiVirus and ensure that the default antivirus profile is selected. Once the profile is enabled on the policy, click OK to apply the changes.
4. Next, go to Policy > Policy > Proxy Options and examine the default proxy options that are shown. These settings determine how FortiOS handles each protocol: for example, which port numbers to use, whether to use client comforting, whether to block oversized emails, and so on.
5. Go to System > Config > Replacement Message. From the top right-hand corner select Extended View and under Security modify the Virus Block Page. The HTML editor that is displayed allows you to see the changes as you are making them. If you do not wish to use the standard block pages, they can be edited and modified as the situation requires. Click Save, shown above the editor window, to apply any changes.
6. From the virtual Windows Server host, launch a web browser and access the following web site: http://eicar.org
7. On the Eicar web page, click Download ANTI MALWARE TESTFILE (located in the top right-hand corner of the page) and then click the Download link that appears on the left. Download any of the eicar sample files from the Download area using the standard HTTP protocol. The download attempt will be blocked by the FortiGate unit and a replacement message will be displayed similar to the following (it should also include any customization you made earlier):
The EICAR file is an industry standard used to test antivirus detection. The file contains the following characters:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
8. The HTTP virus message is shown when infected files are blocked or have been quarantined. In the message that is displayed, click the link to the Fortinet Virus Encyclopedia to view information about the detected virus.
9. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and locate the antivirus event messages. In order to view summary information of the AV activity, add the Advanced Threat Protection Statistics widget to the Dashboard.
10. On the Eicar web page, click Download ANTI MALWARE TESTFILE and then click the Download link that appears on the left. This time, select the eicar.com file from the Download area using the secure SSL enabled protocol HTTPS section. The download should be successful because we have not enabled SSL inspection.
11. To enable inspection of SSL encrypted traffic on the Student FortiGate unit, go to Policy > Policy > SSL/SSH Inspection and under SSL Inspection Options, ensure the protocol HTTPS on port 443 is enabled. Click Apply.
12. Next, go to Policy > Policy > Policy and edit the policy port3→port1. Under Security Profiles enable SSL/SSH Inspection by setting this to ON. Click OK.
13. To ensure that there are no existing sessions prior to deep scanning the communication exchange, connect to the CLI of the Student FortiGate unit and enter the following commands:
diag sys session filter dport 443
diag sys session clear
14. Return to the Eicar web page and attempt to download the eicar.com file from the Download area using the secure SSL enabled protocol HTTPS section. This time, the download will be blocked by the FortiGate unit and the replacement message will be displayed. If this is not the case, you may need to clear your recent browsing history as the object may be cached. In Firefox select History > Clear Recent History > Everything.
15. Go to Security Profiles > Antivirus > Profile and change the Inspection Mode for the default Antivirus Profile to Flow-based. Click Apply. Try downloading the eicar.com file again. What happens now when the virus is detected?
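Proxy-based versus flow-based detection of the EICAR string, as an added illustration (a constructed model, not FortiOS's engine): the proxy path holds the whole object before giving any verdict, while a streaming scanner sees one chunk at a time, has already passed earlier chunks on, and must carry the tail of the previous chunk or it misses a signature that straddles a chunk boundary. The response body, the chunk size and the split signature literal are constructed.

```python
# The 68-byte EICAR test string, written as two halves joined at run time so that
# this source file itself does not contain the contiguous test-file string.
SIG = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def proxy_scan(body: bytes):
    """Proxy mode: buffer the complete object, scan it once, then decide.
    Returns (detected, bytes_forwarded_before_verdict); nothing has been
    forwarded to the client when the verdict is reached."""
    return SIG in body, 0


def naive_flow_scan(chunks):
    """Stateless per-chunk scan: misses a signature split across two chunks."""
    return any(SIG in c for c in chunks)


class FlowScanner:
    """Flow mode: scan each chunk as it streams through, keeping the last
    len(SIG)-1 bytes of what has been seen so a straddling match is found."""

    def __init__(self, signature: bytes = SIG):
        self.sig = signature
        self.carry = b""        # tail of the stream not yet known to be clean
        self.forwarded = 0      # bytes already passed on before any verdict
        self.detected_at = None  # stream offset of the signature, if found

    def feed(self, chunk: bytes) -> bool:
        """Return True the moment the signature completes in this chunk."""
        if self.detected_at is not None:
            return False
        window = self.carry + chunk
        idx = window.find(self.sig)
        if idx != -1:
            # window starts at stream offset (forwarded - len(carry))
            self.detected_at = self.forwarded - len(self.carry) + idx
            return True
        self.forwarded += len(chunk)
        self.carry = window[-(len(self.sig) - 1):]
        return False


def chunked(data: bytes, size: int):
    return [data[i:i + size] for i in range(0, len(data), size)]


def compare(body: bytes, chunk_size: int) -> dict:
    """Run the three scanners over one body delivered in chunk_size pieces."""
    chunks = chunked(body, chunk_size)
    flow = FlowScanner()
    flow_hit = any(flow.feed(c) for c in chunks)
    return {
        "proxy": proxy_scan(body),
        "naive_flow": naive_flow_scan(chunks),
        "flow": (flow_hit, flow.forwarded, flow.detected_at),
    }


# Constructed HTTP body: a 22-byte preamble followed by the test string (90 bytes),
# so that 64-byte chunks cut the signature in two.
SAMPLE = b"constructed preamble: " + SIG

if __name__ == "__main__":
    for size in (64, 1024):
        print(f"chunk size {size}: {compare(SAMPLE, size)}")
```

With 64-byte chunks the first 64 bytes have already been forwarded when the flow scanner detects the signature at offset 22, whereas the proxy verdict is reached with nothing forwarded.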
Module 8 Lab 1: Email Filtering
The aim of this lab is for students to work with email filtering.
Objectives
Enable and use email filtering on a FortiGate unit
Modify inspection rules to black or white list emails (using banned word, IP, email etc.)
Read and interpret email log entries
Time to Complete Estimated: 30 minutes
Exercise 1 Configuring FortiGuard AntiSpam
1. From the Windows Server, connect to the GUI on the student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module7\Student\student-utm.conf. The FortiGate will reboot.
2. Once the FortiGate has rebooted, go to System > Config > Features. Under Security Features turn ON Email Filtering. This step is required to enable the Email filtering feature on the FortiGate device. By default, this is a hidden security feature. Click Apply to save the changes.
3. Next, go to Security Profiles > Email Filter > Profile and edit the default email filtering profile. Select Enable Spam Detection and Filtering to enable it, then click Apply. Configure the following settings:
SMTP Spam Action: Tagged
FortiGuard Spam Filtering: Enable IP Address Check, Enable URL Check
Once the changes to the email profile have been entered, click Apply to save the changes.
4. By default, FortiGuard services are enabled. Go to System > Config > FortiGuard and check the status of the service. (If you are using the hosted virtual lab environment you will need to change the service port to UDP 8888.)
5. Go to Policy > Policy > Policy and edit the port3→port1 outgoing policy. Under Security Profiles, turn ON Email Filter and ensure that the default email filter profile is selected. In the steps that follow, you will generate and send test spam emails to your Microsoft Outlook [email protected] inbox. In the classroom lab environment, you will initiate the spam generation using a script called smtpmboxgen.pl which is provided in the Resources\Module8 folder. Details for using this script will be provided in the steps that follow.
6. From the Windows server, open a command prompt and change directory to the C:\Documents and Settings\Administrator\Desktop\Resources\Module8 folder as follows:
CD C:\Documents and Settings\Administrator\Desktop\Resources\Module8
Next, run the spam script by entering the following:
smtpmboxgen.pl
7. From your Microsoft Outlook mail client, check the email inbox to review the tagged spam. To view the corresponding logging events, go to Log & Report > Traffic Log > Forward Log.
8. From the CLI on the Student FortiGate device, execute the following commands to enable Banned Word Check in the default email filter profile:
config spamfilter profile
edit "default"
set spam-filtering enable
set options bannedword spamfsip spamfsurl
set spam-bword-table 1
end
9. Next, run the commands below to review the banned words that have already been configured for you in the configuration file being used for this lab:
config spam bword
show
Notice the use of both regular expressions and wildcards in that list.
10. Go to Security Profiles > Email Filter > Profile again and this time modify the default email filtering profile to set the SMTP Spam Action to Discard.
11. From your Microsoft Outlook mail client, generate a message to [email protected] that will be caught by the banned words that have been configured. For example, add the word “training” to the subject or message body of your test email and attempt to send the message. When you send the email, the following message displays, indicating the message was blocked:
Remember that some banned words apply only to the subject line, others apply only to the body and others apply to both. A banned word is only scored once: for example, if a banned word has a score of 10 and the word occurs four times in the message body, it will still only be assigned a score of 10.
12. Go to Log & Report > Security Log > Email Filter and check the email filtering log entries for this event as well. To make it easier to view all email activity, add the column Dst Port and filter on port 25.
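Banned-word scoring as described in steps 9 and 11, as an added example (not FortiOS code): each entry has a pattern (wildcard or regexp), a scope (subject, body or both) and a score; an entry scores once however often it matches, the total is compared with a threshold, and the profile's SMTP Spam Action decides between tagging and discarding. The entry list, the threshold of 10, the tag text and the case-insensitive substring semantics for wildcards are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BannedWord:
    pattern: str
    pattern_type: str   # "wildcard" or "regexp"
    where: str          # "subject", "body" or "all"
    score: int

    def regex(self):
        if self.pattern_type == "regexp":
            return re.compile(self.pattern, re.IGNORECASE)
        # Wildcard: '*' matches any run of characters, '?' any single character,
        # everything else literally (constructed semantics).
        parts = [".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in self.pattern]
        return re.compile("".join(parts), re.IGNORECASE)


def score_message(subject: str, body: str, banned, threshold: int):
    """Return (total, matched_patterns, is_spam). Each entry contributes its score
    at most once, however many times it occurs in the fields it applies to."""
    total, hits = 0, []
    for bw in banned:
        fields = []
        if bw.where in ("subject", "all"):
            fields.append(subject)
        if bw.where in ("body", "all"):
            fields.append(body)
        if any(bw.regex().search(f) for f in fields):
            total += bw.score
            hits.append(bw.pattern)
    return total, hits, total >= threshold


def smtp_action(is_spam: bool, subject: str, action: str, tag: str = "[SPAM]"):
    """Apply the profile's SMTP Spam Action: 'tagged' rewrites the subject,
    'discard' drops the message (subject becomes None)."""
    if not is_spam:
        return "deliver", subject
    if action == "tagged":
        return "tagged", f"{tag} {subject}"
    if action == "discard":
        return "discard", None
    raise ValueError(f"unknown SMTP spam action {action!r}")


# Constructed banned-word table mixing wildcard and regexp entries.
BANNED = (
    BannedWord("training", "wildcard", "all", 10),
    BannedWord("free*money", "wildcard", "subject", 20),
    BannedWord(r"\bvi[a@]gra\b", "regexp", "body", 30),
)
THRESHOLD = 10   # assumed banned-word threshold for the profile


def lab_cases() -> dict:
    """Step 11's test mail (the word 'training' repeated) and a few variations."""
    repeated = score_message("training", "training training training training",
                             BANNED, THRESHOLD)
    # Subject-only entry, so a match in the body does not count.
    scope = score_message("hello", "free money inside", BANNED, THRESHOLD)
    subject_wildcard = score_message("FREE prize money", "hi", BANNED, THRESHOLD)
    clean = score_message("lunch?", "see you at noon", BANNED, THRESHOLD)
    return {
        "repeated": repeated,
        "scope": scope,
        "subject_wildcard": subject_wildcard,
        "clean": clean,
        "tagged": smtp_action(repeated[2], "training", "tagged"),
        "discarded": smtp_action(repeated[2], "training", "discard"),
        "delivered": smtp_action(clean[2], "lunch?", "discard"),
    }


if __name__ == "__main__":
    for case, result in lab_cases().items():
        print(f"{case:16} -> {result}")
```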
Module 9 Lab 1: Web Filtering
The aim of this lab is for students to configure web filtering to block specific categories of web content. The interaction of local categories and overrides will also be demonstrated.
Lab Objectives
Enable and use web filtering on a FortiGate device
Select the most effective method for blocking or allowing a web site
Read and interpret web filter log entries
Time to Complete Estimated: 30 minutes
Exercise 1 FortiGuard Web Filtering
1. From the Windows Server, you will first need to connect to the Student FortiGate device and restore the configuration file that is needed for this lab. This module uses the same config as in Module 7. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module7\Student\student-utm.conf. The Student FortiGate device will reboot.
2. When the FortiGate device has rebooted, go to System > Status and under License Information check the FortiGuard Services Web Filtering status to ensure that the license has been validated. A green check mark should be displayed.
3. In the GUI on the Student FortiGate device, go to Security Profiles > Web Filter > Profile and review the settings of the default web filter profile.
4. Verify that the Inspection Mode is set to Proxy and enable FortiGuard Categories. Under FortiGuard Categories right-click the web category Potentially Liable and select the action Authenticate. Next, set Selected User Groups to the training user group and accept the default Warning Interval value of 5 minutes. Click OK to save the settings.
5. Repeat the above step for the following web categories:
Adult/Mature Content
Security Risk
Click OK to save the settings.
6. Next, right-click the web category Bandwidth Consuming and select Warning. Accept the default Warning Interval value of 5 minutes, then click OK to save the settings.
7. Repeat the above step for the web category Unrated. Right-click the web category General Interest - Business and select Block. Click Apply to save your changes.
8. Go to Policy > Policy > Policy and edit the outgoing port3→port1 policy. Under Security Profiles, turn ON Web Filter and ensure that the default profile is selected. Next, turn ON SSL/SSH Inspection under Proxy Options and ensure the default profile is selected. Click OK to save the policy changes.
9. From the CLI on the Student FortiGate device, check the low-level status information of the web filtering service by entering the following command:
diag debug rating
The command diag debug rating shows the list of FDS servers for web filtering that the FortiGate unit is using to send requests. Rating requests are only sent to the server at the top of the list in normal operation. Each server is probed for RTT every 2 minutes. The diag debug rating flags indicate the server status as explained below:
D indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with 'D' and will be used first for INIT requests before falling back to the other servers.
I indicates the server to which the last INIT request was sent.
F signifies the server has not responded to requests and is considered to have failed.
T signifies the server is currently being timed.
10. From a web browser on the virtual Windows Server, connect to a web site that is usually blocked by the training policy and verify that the blocked message is displayed. A FortiGuard replacement message should be displayed.
11. Go to System > Config > Replacement Message and under Security select FortiGuard Block Page and change the text of the block message to customize it. Click Save, located in the upper right-hand corner of the edit pane, to apply your changes.
12. Revisit the same web site and ensure that the customized FortiGuard Block Page message is displayed. You may need to clear your browser’s cache or refresh the block page, as the browser might take the information from its local cache.
13. Next, in the web browser, attempt to connect to a web site in a category with an Authenticate action. For example:
A Web Page Blocked message is displayed again, this time with a Proceed button.
14. Click Proceed to view the Web Filter Block Override page. Enter the username student and the password F0rtinet and click Continue. The web page should now be displayed.
15. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and locate the log messages related to the web filtering activity.
In the following steps, you will configure an access quota for a couple of categories. Quotas allow access to web resources for a specified length of time.
16. Go to Security Profiles > Web Filter > Profile and edit the default web filter profile.
17. Expand Quota on Categories with Monitor, Warning and Authenticate Actions and click Create New to create new quotas. Select the categories (the same as in Step 4) to be assigned quotas and set the quota time value to 5 minutes. Once you have altered the web filter profile, click OK, then click Apply to save the profile settings.
18. From a web browser on the Windows Server, attempt to visit a blocked-category web site again.
19. Click Proceed on the Web Page Blocked page. Authenticate on the Web Filter Block Override page using the username student and the password F0rtinet and click Continue. Once you are authenticated, the quota timer starts.
20. To view the quota timer value, enable the Security Profiles monitors through the CLI as follows:
    config sys global
        set gui-utm-monitor enable
    end
Then go to Security Profiles > Monitor > FortiGuard Quota. If the FortiGuard Monitor is not displayed, you may need to clear the web browser's cache or refresh the page. When the daily quota value is reached, the FortiGuard replacement message is displayed again.
21. From the GUI on the Student FortiGate device, go to Log & Report > Traffic Log > Forward Traffic and locate the log messages related to the web filtering activity.
22. Edit the default web filter profile, expand Quota on Categories with Monitor, Warning and Authenticate Actions and delete the quotas on the selected categories. Click OK, then click Apply to save the profile settings.
23. Still in the web filter profile, select flow-based. A notification is displayed as follows:
FortiGate Multi-Threat Security and Systems I
76
Click OK and then click Apply.
24. Test the behavior of flow-based inspection by connecting to a web site that is usually blocked. Check the log entry for this blocked request.
Module 10 Lab 1: Application Identification
The aim of this lab is for students to use the application control feature to properly identify a given application.
Objectives
Configure application control in the student lab environment
Read and understand application control logs
Time to Complete Estimated: 30 minutes
Exercise 1 Creating an Application Control List
1. From the Windows Server, you first need to connect to the Student FortiGate device and restore the configuration file that is needed for this lab. This module uses the same config as in Module 7. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module10\Student\student-app.conf. The Student FortiGate device will reboot.
2. From the GUI on the Student FortiGate device, go to Security Profiles > Application Control > Application Sensor and review the default application control sensor. (Ensure you are selecting the sensor named default.)
3. On the Edit Application Sensor page, check the settings for the following rules:
    Youtube Application:
    Myspace Application:
Check the Action setting for each filter. What are the expected actions of these sensors? Traffic shaping is enabled for Youtube, and these applications use a shared traffic shaper that is capped at 1 Mbps. Connections to Myspace are blocked. Before proceeding, ensure both of these signatures are located at the top of the list. Click Apply to save changes to the profile.
4. Go to Policy > Policy > Policy and edit the port3port1 policy. Ensure that Application Control is turned ON and that the default Application Control sensor is selected. Click OK.
You will now test the application control configuration. From the virtual Windows Server, open a web browser and connect to YouTube.com.
5. On the YouTube web site, attempt to play a few videos. Check the traffic shaper monitor in Firewall Objects > Monitor > Traffic Shaper Monitor.
6. Next, enable the Security Profiles monitors through the CLI as follows:
    config sys global
        set gui-utm-monitor enable
    end
Then check the Application monitor in Security Profiles > Monitor > Application Monitor. If the Application Monitor is not displayed, you may need to clear the web browser's cache or refresh the page.
7. From the virtual Windows Server host, open a web browser and connect to Myspace.com. You should observe that you cannot connect to this site.
8. Go to Security Profiles > Application Control > Application Sensor and edit the default sensor again. Click Create New to add a new application filter and select Specify Applications.
9. In the search field shown above the Application Name column, enter Facebook. From the results that display, select Facebook from the Application Name column. A window displays with a description of the application, including popularity, and a reference link that you can click to obtain more rating information from the FortiGuard Center. Set Action to block and ensure that this new signature is placed at the top of the list. Once you have added the filter to the profile, click Apply to save the changes. Test that this site is now blocked. Go to Log & Report > Traffic Log > Forward Traffic and view the log information to confirm that this action was correctly logged. The status of the connection should be displayed as deny.
10. From the web browser, attempt to access the following web site: http://proxite.us On the proxy web page, scroll down to the bottom and enter the URL of MySpace.com. Click Go. You should observe that this does allow some connectivity to the site. What action can be taken to stop this? You can create a new rule in the sensor to block the Proxy category.
Lab 2: Traffic Shaping
The aim of this lab is for students to work with the traffic shaping function of application control to limit a specific application.
Objectives Students will complete the following tasks:
Restrict YouTube video bandwidth
Time to Complete Estimated: 10 minutes
Exercise 1 Limiting YouTube Traffic
1. From the Windows Server, you first need to connect to the Student FortiGate device and restore the configuration file that is needed for this lab. Connect to the GUI on the Student FortiGate device (10.0.1.254) and restore the following configuration file: Resources\Module10\Student\Student-app.conf. The Student FortiGate device will reboot.
2. Go to Policy > Policy > Policy and edit the outbound port3 > port1 firewall policy. Set Application Control to ON and from the drop-down list select the monitor-p2p-and-media profile. Click OK to save the policy settings.
3. From a web browser on the virtual Windows Server host, connect to a YouTube web site and stream a random video. Go to Log & Report > Traffic Log > Forward Traffic and view the application control log entries that are generated.
4. From the GUI on the Student FortiGate device, go to Firewall Objects > Traffic Shaper > Shared and create a new traffic shaper with the following details:
    Name: YouTube
    Maximum Bandwidth: 100
Note: The units are kilobits per second. Take this into consideration when setting values, as bandwidth is typically measured in kilobytes, or even larger units.
5. Go to Security Profiles > Application Control > Application Sensor and select the monitor-p2p-and-media application control profile from the drop-down list shown in the upper right-hand corner of the window.
6. Next, edit the sensor: ID2 (Video/Audio). If the ID column is not visible, modify the column settings to add it. Scroll to the bottom of the window and set Action to Traffic Shaping. Enable both Forward and Reverse Direction Traffic Shaping and, from the drop-down list, select the YouTube traffic shaper you created in the previous step. Once you have applied the YouTube shaper to both the forward and reverse direction for this signature, click OK, then click Apply.
7. Clear the web browser cache and re-open it. Connect to the YouTube web site again and stream the same video. If you set the shaper levels low enough, the experience of playing the video will be very different.
Note: Only shared shapers are allowed, so the maximum value here applies to everyone inside the network that is using the application (YouTube videos in this case). Keep this in mind when using this option.
Lab 3: Selective Application Control
The aim of this lab is to demonstrate how application control can be used to selectively block only specific features inside some network applications.
Objectives Students will complete the following tasks:
Block user attempts to edit any Wikipedia article, while allowing read-only access to that website.
Time to Complete Estimated: 10 minutes
Exercise 1 Block Wikipedia Editing
1. From the Windows Server, open a browser window and access: http://www.wikipedia.org Open any Wikipedia article.
2. Click the Edit tab at the top of the page. This should open the Wikipedia editor feature that allows any user to modify articles.
3. From the GUI on the Student FortiGate device, go to Security Profiles > Application Control > Application Sensor and select the monitor-p2p-and-media application control profile from the drop-down list shown in the upper right-hand corner of the window.
4. Click Create New to add a new application filter and select Specify Applications.
5. In the search field shown above the Application Name column, enter Wikipedia. From the results displayed, select Wikipedia_Edit from the Application Name column. Set Action to block and ensure that this new signature is placed at the top of the list. Once you have added the filter to the profile, click Apply to save the changes.
6. Clear the web browser's cache and access a different Wikipedia article. You should still have access to the Wikipedia document. Try to edit any article again. You should notice that this time you are not able to edit the article.
Appendix A: Additional Resources
Fortinet Documentation: http://docs.fortinet.com Manuals, references, cookbooks, and technical notes for Fortinet products.
Fortinet Knowledge Base: http://kb.fortinet.com This site is useful for finding working examples and tips for Fortinet products.
Fortinet Web Site: http://www.fortinet.com Data sheets.
FortiGuard Web Site: http://www.fortiguard.com Information about the FortiGuard Subscription Services.
FortiCare Web Site: https://support.fortinet.com Portal for Fortinet Customer and Technical Support, including opening tickets, registering devices you have purchased, and downloading firmware updates.
Fortinet User Forums: http://support.fortinet.com/forum/ Forums where customers discuss how to use Fortinet devices.
Appendix B: Presentation Slides
Introduction to Fortinet Unified Threat Management
© 2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT1-01-50005-E-20131120
Module Overview
• Other products available from Fortinet
• A FortiGate's features
• Administrative Access, Users and Profiles
• FortiGuard
• Operating Modes
• Default Settings
• Configuration Backup and Restoration
• Proper upgrade and downgrade procedures
• Console port
… and other topics
Module Objectives
• By the end of this module, participants will be able to:
» Identify the major features of the FortiGate Unified Threat Management appliance
» Modify administrative access restrictions
» Create and manage administrative users
» Create and manage administrator access profiles
» Back up and restore configuration files
» Create a DHCP server on a FortiGate unit's interface
» Upgrade or downgrade a FortiGate unit's firmware
Traditional Network Security Solutions
[Diagram: separate single-purpose boxes for VPN, Intrusion Prevention, Application Control, Web Filtering, WAN Optimization, Antispam, Antivirus and Firewall]
• Many single purpose systems needed to cope with a variety of threats
FortiGate Integrated Network Security Platform
[Diagram: one FortiGate appliance providing VPN, Intrusion Prevention, Application Control, Web Filtering, WAN Optimization, Antispam, Antivirus, Firewall and more]
• One device provides a comprehensive security and networking solution
Unit Design
[Diagram: FortiGuard Subscription Services (Firewall, AV, Web Filter, IPS, …) layered on FortiOS and the FortiGate hardware]
• Security services: automated and network-level update service
• FortiOS: specialized operating system
• Hardware: purpose-driven hardware
FortiGate Unit Capabilities
• Application control
• WAN optimization
• Intrusion prevention
• Data leak prevention
• Antivirus
• Secure VPN
• Email filtering
• High availability
• Firewall
• Endpoint compliance
• Dynamic routing
• Wireless
• Logging and reporting
• Authentication
• Traffic shaping
• Virtual domains
• Web filtering
Fortinet Products
• Network Security
» FortiGate appliances: high-end, mid-range and desktop models
• Network Access
» Wireless: FortiWiFi, FortiAP
» Switching: FortiSwitch
» End-point and mobility: FortiClient
» User identity: FortiAuthenticator, FortiToken
• Infrastructure Security
» Application and content delivery: FortiADC
» DDoS mitigation: FortiDDoS
» Advanced Threat Protection
» Voice and video: FortiVoice, FortiCamera, FortiRecorder
• Application Security
» FortiMail, FortiWeb, FortiDB
» FortiCache
• Management
» FortiManager, FortiAnalyzer, FortiCloud
FortiGuard Subscription Services
• Global Update service for AV/IPS (update.fortiguard.com)
» Uses SSL on port 443
• Global Live service for FortiGuard WF/AS (service.fortiguard.net)
» Uses a proprietary protocol on port 53 or 8888
» Live service (connection & contract required)
» Short grace period after contract expiry (about 7 days)
• Handled through the FortiGuard Distribution Network (FDN)
» Calculates server "distance" based on time zones
• Major server centers in North America as well as Asia and Europe
• Nearest servers are preferred but will adjust based on server load
» Can be sent to a FortiManager instead
Modes of Operation
NAT
• Device operates on Layer 3 of the OSI Model
• Interfaces have IP addresses
» Packets are routed via IP
• Device is a presence in the routing of the network
Transparent
• Device operates on Layer 2 of the OSI Model
• Device interfaces do not have IPs
• Routing decisions are not possible
• Device is not a presence in network routing
OSI Model
Device Factory Defaults
• 'port1' or 'internal' interface will have an IP of 192.168.1.99/24
• PING, HTTP, HTTPS protocols are enabled for Management Access
• 'port1' or 'internal' interface will have a DHCP server set up and enabled (on devices that support DHCP servers)
• Default login will always be: user: admin, password: (blank)
• Usernames and passwords are BOTH case sensitive
• Default admin user information should be modified!
Device Administration
• Web GUI: HTTP, HTTPS
• CLI: Console, SSH, Telnet, GUI Widget
Administrator Profiles
Administrator Profiles: Permissions
[Diagram: an Admin Profile assigns one of None, Read or Read-Write to each area: System Configuration, Network Configuration, Firewall Configuration, VPN Configuration, WiFi Configuration, etc.]
Administrative Users
• Full access: super_admin profile
• Custom access: custom profile
• Full access within a single virtual domain: prof_admin profile
Administrative Users: Trusted Hosts
• If logging in from the source IP is not permitted, the FortiGate will not respond to management traffic sent to its interfaces
Two Factor Authentication
Username and Password (one factor) + FortiToken (two factor)
Administrative Users: Two Factor Authentication
Configuration Files
• Device configuration settings can be saved to an external file
» Optional encryption
• The file can be restored to roll back the device to a previous configuration
» Restoring a configuration always reboots the device
• Configuration files can be backed up automatically
» Not available on all models; happens when admin users log out
Configuration Files: Format
Plain text (the header includes the build number):
#config-version=FWF60D-5.00-FW-build252131031:opmode=0:vdom=0:user=admin#conf_file_ver=10488925954160275734#buildno=0252#global_vdom=1
Encrypted (the header includes the model and the firmware major version):
#FGBK|3|FWF60D|5|00|252|
• Header contains some details on the device
• After the header, an encrypted file is not readable
• Restoring an encrypted configuration requires the same device model running the same build as the config file (and the encryption password)
• Restoring a text-based config file only requires the same model
» Configuration files from a different build can be used (with the same limits as an upgrade)
• Config file only contains non-default and important settings (keeps the size down)
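The two header formats above are enough to pre-check a backup before restoring it. The following Python is an added example written for this guide, not Fortinet code: it parses both header shapes and applies the restore rules from the slide (same model for a plain-text backup; same model and same build for an encrypted one). The sample headers are constructed in the shape shown above. The slide labels only the model and firmware major version in the encrypted header; treating the other positions as format number, minor version and build is an assumption made here, and the encryption password check is left to the device.

```python
from typing import Dict, Tuple

# Constructed sample headers in the shape shown on the slide (model FWF60D,
# FortiOS 5.00, build 252). They are not copied from a real backup.
PLAIN_HEADER = (
    "#config-version=FWF60D-5.00-FW-build252131031:opmode=0:vdom=0:user=admin"
    "#conf_file_ver=10488925954160275734#buildno=0252#global_vdom=1"
)
ENCRYPTED_HEADER = "#FGBK|3|FWF60D|5|00|252|"


def parse_config_header(first_line: str) -> Dict[str, object]:
    """Return model, firmware version and build from the first line of a backup.

    Assumption: in the encrypted header the fields after '#FGBK' are
    <format>|<model>|<major>|<minor>|<build>; the slide labels only the model
    and the firmware major version, the rest is interpreted here.
    """
    line = first_line.strip()
    if line.startswith("#FGBK|"):
        parts = line.split("|")
        return {
            "encrypted": True,
            "model": parts[2],
            "version": f"{parts[3]}.{parts[4]}",
            "build": int(parts[5]),
        }
    if line.startswith("#config-version="):
        fields: Dict[str, str] = {}
        for chunk in line.lstrip("#").split("#"):
            key, _, value = chunk.partition("=")
            fields[key] = value
        # 'FWF60D-5.00-FW-build252131031:opmode=0:vdom=0:user=admin'
        ident, *extras = fields["config-version"].split(":")
        model, version = ident.split("-")[:2]
        info: Dict[str, object] = {
            "encrypted": False,
            "model": model,
            "version": version,
            "build": int(fields["buildno"]),
        }
        for extra in extras:  # opmode, vdom, user
            key, _, value = extra.partition("=")
            info[key] = value
        return info
    raise ValueError("not a FortiGate configuration header")


def restore_compatible(first_line: str, device_model: str, device_build: int) -> Tuple[bool, str]:
    """Pre-check a backup against the target device using the rules on the slide.

    Plain text: same model is enough (a different build is allowed with the same
    limits as an upgrade). Encrypted: same model AND same build. The encryption
    password is verified by the device, not here.
    """
    info = parse_config_header(first_line)
    if info["model"] != device_model:
        return False, f"model mismatch: backup is for {info['model']}, device is {device_model}"
    if info["encrypted"] and info["build"] != device_build:
        return False, f"encrypted backup is build {info['build']}, device runs build {device_build}"
    if not info["encrypted"] and info["build"] != device_build:
        return True, f"build differs ({info['build']} vs {device_build}); upgrade limits apply"
    return True, "ok"


if __name__ == "__main__":
    for header in (PLAIN_HEADER, ENCRYPTED_HEADER):
        print(parse_config_header(header))
        print(restore_compatible(header, "FWF60D", 300))
```

Run the file directly to see both headers parsed and checked against a hypothetical device on build 300: the plain-text backup passes with a warning, the encrypted one is refused.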
Per Virtual Domain Configuration Files
• Configurations are backed up as a whole
• If Virtual Domains (VDOMs) are enabled, backups of individual VDOMs are possible
Interface IPs
• Every used interface on the unit must have an IP assigned (in NAT mode) using one of three methods:
» Manual IP, DHCP assigned, PPPoE (CLI)
Administrative Access: Methods
• Each interface has separate options for enabling Management access
» Separate settings for IPv4 and IPv6
» IPv6 options only show up if the feature is enabled in the GUI
Hiding Features from the GUI
• Not all features are visible in the GUI by default
» Some features are ONLY configurable from the CLI
» Features not shown in the GUI are NOT disabled
• Primary features can be hidden/unhidden from the Dashboard widget
» Full list of options found in the 'Features' submenu
Hiding Features from the GUI: Security Features
• NGFW
» Next Generation Firewall
» Line speed inspection
• ATP
» Advanced Threat Protection
» Focuses on protecting PCs
• WF
» Web Filtering
• Full UTM
» All inspection profile options are available in the GUI
Administrative Access: Ports
• Service ports for administrative access can be customized
» Using only secure access methods is recommended
Static Gateway
• There must be at least one default gateway
• If an interface is DHCP or PPPoE, then a gateway can be added to the routing table dynamically
DHCP Server: Setup
• Enabled and configured separately for each interface
DHCP Server: IP Reservation
• IP address reserved and always assigned to the same DHCP host
» Select an IP address or choose an existing DHCP lease to add to the reserved list
» Identify the IP address reservation as either DHCP over Ethernet or DHCP over IPsec
• MAC address of the DHCP host is used to look up the IP address in the IP reservation table
• Found in the "Advanced" settings of the DHCP server, on the interface
DHCP Logs
FortiGate as a DNS Server
• Resolve DNS lookups from an internal network
• Methods to set up DNS for each interface:
» Forward to System DNS: DNS requests relayed to the DNS servers configured for the FortiGate unit
» Non-recursive: DNS requests resolved using a FortiGate DNS database; unresolved DNS requests are dropped
» Recursive: DNS requests resolved using a FortiGate DNS database; any unresolved DNS requests are relayed to the DNS servers configured for the unit
• One DNS database can be shared by all the FortiGate interfaces
» If VDOMs are enabled, a DNS database can be created in each VDOM
DNS Forwarding
• FortiGate units can forward (or not) DNS requests sent to their interfaces
» Behavior on each interface is configured separately
• Allows direct control of DNS
» GUI allows setting Forward only
» CLI allows Forward, Recursive and Non-recursive behavior
DNS Database: Configuration
• DNS zones need to be added when configuring the DNS database
» Each zone has its own domain name
» Zone format defined by RFC 1034 and RFC 1035
• DNS entries are added to each zone
» An entry includes a hostname and the IP address it resolves to
» Each entry also specifies the type of DNS entry:
• IPv4 address (A) or IPv6 address (AAAA)
• name server (NS)
• canonical name (CNAME)
• mail exchange (MX)
• name IPv4 (PTR) or IPv6 (PTR)
Firmware Upgrade Steps
• Step 1: Back up and store the old configuration (full config backup from the CLI)
• Step 2: Have a copy of the old firmware available
• Step 3: Have a disaster recovery option on standby (especially if remote)
• Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
• Step 5: Double check everything
• Step 6: Upgrade
Firmware Downgrade Steps
• Step 1: Locate the pre-upgrade configuration file
• Step 2: Have a copy of the old firmware available
• Step 3: Have a disaster recovery option on standby (especially if remote)
• Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
• Step 5: Double check everything
• Step 6: Downgrade (all settings except those needed for access are lost)
• Step 7: Restore the pre-upgrade configuration
Maintainer Access
• Available on all FortiGate devices and some non-FortiGate devices
• Only available through the hardware console port
» Highly secure (requires physical access)
• Only open after a HARD boot
» About 30 seconds (varies by model, by approximately 1 minute)
» Highly secure (a soft boot does not activate the user)
User: maintainer
Password: bcpb
All letters in the serial number MUST BE uppercase
• Can be disabled in the CLI if physical security is a risk or for compliance reasons
    config sys global
        set admin-maintainer disable
    end
Console Port
• Depending on the FortiGate model, console port access is provided in one of the following ways:
» Serial port (older models): a standard null modem cable will work for console port access
» RJ-45 port: an RJ-45-to-serial cable is required for access
» USB 2 port: requires FortiExplorer to connect
• Each device ships with the proper console cables
FortiExplorer
• Software used to manage devices via USB 2
» Some models of FortiGate/FortiWiFi, FortiSwitch, FortiAP
• Available for Windows PC, Mac OS X 10
» Release notes contain detailed information on supported OS versions
» Connect using a USB cable
» Allows full GUI/CLI access, complete configuration options
» If the device has a USB 2 port, FortiExplorer is the only way to access the console port
• Available on the Apple Store for iPod/iPad/iPhone
» Connect using a standard 30-pin-to-USB cable
» Limited configuration options, limited model options
Labs
• Lab 1: Initial Setup and Configuration
» Ex 1: Configuring Network Interfaces (OPTIONAL)
» Ex 2: Exploring the Command Line Interface
» Ex 3: Restoring Configuration Files
» Ex 4: Performing Configuration Backups
• Lab 2: Administrative Access
» Ex 1: Profiles and Administrators
» Ex 2: Restricting Administrator Access
Classroom Lab Topology
Logging and Monitoring
© 2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT01-02-50005-E-20131120
Module Overview
• Log Severity Levels
• Storage Locations
• Log types and subtypes
• Log Structure and Behavior
• Traffic Log
• Viewing Log Messages
• Reading and interpreting log messages
• Alert Email
… and other topics
Module Objectives
• By the end of this module participants will be able to:
» State the purpose of different log types on a FortiGate
» Identify the storage location of log information
» Navigate the relevant screens for logging and monitoring of a FortiGate
» Read and interpret log messages
» View and search log messages
Logging and Monitoring
• Logging and monitoring are key elements in maintaining devices on the network
» Monitor network and Internet traffic
» Track down and pinpoint problems
» Establish baselines
Log Severity Levels
• Administrators define what type of logs are recorded
• All log messages have a severity level to help indicate how important the event is
» Emergency = System unstable
» Alert = Immediate action required
» Critical = Functionality affected
» Error = Error exists that can affect functionality
» Warning = Functionality could be affected
» Notification = Information about normal events
» Information = General system information
» Debug = Debug log messages
Log Storage Locations
• Local logging: Memory, Hard drive
• Remote logging: Syslog, FortiCloud, SNMP, FortiAnalyzer, FortiManager
Log Storage Locations: FortiAnalyzer/FortiManager
[Diagram: the FortiGate registers with the FortiAnalyzer/FortiManager before sending logs]
• FAZ/FMG has a list of registered (allowed) devices
• SSL-secured OFTP is used to encrypt communications
FortiAnalyzer/FortiManager: Comparison
• FortiManager is a dedicated device designed to centrally manage multiple FortiGate devices
• FortiAnalyzer is a dedicated device designed for long-term storage of log data
» FMG has identical logging and reporting functionality to FAZ, except for a 2 Gig daily limit on logs received
FortiAnalyzer/FortiManager: Configuration
• Up to 3 separate FAZ/FMG devices can be configured (CLI)
» May be needed for redundancy
» Generating & sending logs requires resources
    config log [fortianalyzer|fortianalyzer2|fortianalyzer3] setting
        set status enable
        set server x.x.x.x
    end
Log Storage Locations: FortiCloud
• Subscription service
» Long-term log storage & reporting
» FortiGates include a 1 month free trial
» Links to FortiCare user
» Read any documentation on the Website!!
Log Types and Subtypes
• Traffic Log
» Forward (traffic passed/blocked by firewall policies)
» Local (traffic aimed directly at, or created by, the FortiGate device)
» Invalid (log messages about packets considered invalid/malformed and dropped)
» Multicast (log messages about multicast traffic)
• Event Log
» System (system-related events)
» User (firewall authentication events)
» Router, VPN, WanOpt & Cache, WiFi
• Security Log
» By security profile type (Antivirus, Web Filter, Intrusion Protection, etc.)
» Section is not created by default
Log Structure and Behavior
• Logging is divided into 3 sections: Traffic Log, Event Log, Security Log
» Traffic logs relate to packets to and through the device
» Event logs relate to any admin and system activity events on the device
» Security logs contain log messages related to profiles acting on traffic passing through the device
• Most security events are consolidated into the Forward Traffic log
» Less CPU intensive this way
» Exceptions: DLP, Intrusion Scanning (Security Log only)
• Additional log information can be obtained in some security profiles via the CLI (Antivirus, Web Filter, Email)
» extended-utm-log [disable (default) | enable]
• New log options show up (CLI only, varies depending on profile type)
• Security event logs show up in the Security Logs with more details
Log Generation
FW Policy Log Setting | AV, Web Filter, Email | extended-utm-log | Behavior
--- | --- | --- | ---
No Log | Disabled | N/A | No Forward Traffic or Security Logs
No Log | Enabled | Disabled | No Forward Traffic or Security Logs
No Log | Enabled | Enabled | No Forward Traffic or Security Logs
Log Security Events | Disabled | N/A | No Forward Traffic or Security Logs
Log Security Events | Enabled | Disabled | Security log events appear in Forward Traffic Log. Forward Traffic Log generated for packets causing a security event.
Log Security Events | Enabled | Enabled | Security log events appear in Security Log. Forward Traffic Log generated for packets causing a security event.
Log all Sessions | Disabled | N/A | Forward Traffic Log generated for every single packet.
Log all Sessions | Enabled | Disabled | Security log events appear in Forward Traffic Log. Forward Traffic Log generated for every single packet.
Log all Sessions | Enabled | Enabled | Security log events appear in Security Logs. Forward Traffic Log generated for every single packet.
Viewing Log Messages (GUI)
Viewing Log Messages (GUI): Adding Filters
• Use Filter Settings to customize the display of log messages to show specific information
» Reduce the number of log entries that are displayed
» Filters are per column; more can be added
Viewing Log Messages (Raw)
• Fields in each log message are arranged into two groups:
» Log header (common to all log messages)
date=2013-09-10 time=11:17:56 logid=0000000009 type=traffic subtype=forward level=notice vd=root
» Log body (varies between each kind of log)
srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
Viewing Log Messages (Raw): Severity Level
• Log severity level is indicated in the level field of the log message
date=2013-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=http(10.0.1.10) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from http(10.0.1.10)"
information = normal event
Viewing Log Messages (Raw): Type and Subtype
» Log header
date=2013-09-10 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp level=warning vd="root" filteridx=0
» Log body
policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" group="group" srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1 …
type and subtype fields = log file that the message is recorded in
Viewing Log Messages (Raw): Policy ID
» Log body
srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100 hostname="host" url="www.abcd.com" msg="Data Leak Prevention Testing Message" action=block severity=0 infection="carrier end point filter"
policyid = id number of the firewall policy matching the session
Viewing Log Messages (Raw): Status
» Log body: srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0 dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0 status=deny user="test user" group="test group" policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0 service=other proto=0 appid=1 app="AIM" appcat="IM" applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name" shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name" shaperdroprcvdbyte=16843009 shaperperipname="perip name" shaperperipdropbyte=16843009 devtype="iPad" osname="linux" osversion="ver" unauthuser="user" unauthusersource="none" collectedemail="mail" mastersrcmac=02:02:02:02:02:02 srcmac=01:01:01:01:01:01
status = action taken by the FortiGate unit
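As an added example (not part of the course material), the following Python parses the raw key=value log format shown on the last four slides, separates the header fields (date, time, logid, type, subtype, level, vd) from the body, and filters on level, type/subtype, policyid and status. The sample messages are constructed from the slide examples; the traffic message is shortened and given a constructed header so that it can be filtered by type.

```python
import re
from typing import Dict, List, Tuple

# One key=value pair. The value is either a double-quoted string (which may
# contain spaces, '=' and parentheses) or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields FortiOS places at the front of every message, i.e. the log header.
HEADER_FIELDS = ("date", "time", "logid", "log_id", "type", "subtype", "level", "vd")

# Constructed sample messages based on the slide examples (the traffic message
# is shortened and carries a constructed type/subtype header).
SAMPLE_LOGS = [
    'date=2013-09-10 time=13:00:30 logid=0100032001 type=event subtype=system '
    'level=information vd="root" user="admin" ui=http(10.0.1.10) action=login '
    'status=success reason=none profile="super_admin" '
    'msg="Administrator admin logged in successfully from http(10.0.1.10)"',
    'date=2013-09-10 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp '
    'level=warning vd="root" filteridx=0 policyid=12345 identidx=67890 sessionid=312 '
    'user="user" group="group" srcip=1.1.1.1 srcport=2560 srcintf="lo" '
    'dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1',
    'date=2013-09-10 time=12:58:01 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd="root" srcip=172.16.78.88 srcport=0 srcintf=unknown-0 '
    'dstip=229.118.95.200 dstport=0 dstintf=unknown-0 status=deny user="test user" '
    'group="test group" policyid=0 trandisp=snat+dnat service=other proto=0 '
    'app="AIM" appcat="IM" srcmac=01:01:01:01:01:01',
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one raw FortiGate log line into a field -> value mapping, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def split_header_body(fields: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Separate the header (date/time/logid/type/subtype/level/vd) from the body."""
    header = {k: v for k, v in fields.items() if k in HEADER_FIELDS}
    body = {k: v for k, v in fields.items() if k not in HEADER_FIELDS}
    return header, body


def select(lines: List[str], **criteria: str) -> List[Dict[str, str]]:
    """Return the parsed messages whose fields equal every criterion,
    e.g. select(lines, type="utm", level="warning")."""
    matches = []
    for line in lines:
        fields = parse_log_line(line)
        if all(fields.get(k) == v for k, v in criteria.items()):
            matches.append(fields)
    return matches


def denied_by_policy(lines: List[str]) -> List[Tuple[str, str, str]]:
    """For traffic messages with status=deny, report (policyid, srcip, dstip).
    policyid=0 means no configured policy matched and the implicit deny applied."""
    return [(f["policyid"], f["srcip"], f["dstip"])
            for f in select(lines, type="traffic", status="deny")]
```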
Viewing Log Messages (CLI)
exe log display
• Best to set up filters on log entries first
exe log filter
Alert Email
• Send notification to an email address upon detection of a defined event
• Identify SMTP server name
• Configure at least one DNS server
• Up to three recipients per mail server
Alert Email: Configure
• Configuring Alert email is not possible until an SMTP server has been set up
• Can be sent to up to 3 email addresses
Alert Message Console
• Alert messages can be displayed on the GUI
» Individual alerts can be acknowledged and removed from the list
» Customizable alert options
SNMP Monitoring
(Diagram: SNMP agent on the managed FortiGate device, Fortinet MIB, SNMP manager)
• Traps received by the agent are sent to the SNMP manager
• Configure FortiGate unit interface for SNMP access
• Compile and load Fortinet-supplied MIBs into the SNMP manager
• Create SNMP communities to allow connection from the FortiGate unit to the SNMP manager
• SNMP v1/v2 − Plain Text
• SNMP v3 − Encrypted
SNMP Monitoring: Configuring
• v3 offers additional security over v1/v2
Configuring Log settings: GUI

Configuring Log settings: CLI
• Different log locations have different options that need to be configured (server location, user details, etc.)
» disk – Hard drive (built-in non-volatile flash on some models)
» fortianalyzer|fortianalyzer2|fortianalyzer3 – separate FortiAnalyzers
» fortiguard – FortiCloud
» memory – system memory (volatile)
» syslogd|syslogd2|syslogd3 – separate Syslog servers
» webtrends – WebTrends service
Configuring Log settings: Firewall Policy
• The Firewall Policy setting decides if a log message is generated or not
• The 'Log Settings' options decide if/where any log messages get stored

Event Logging: Settings
• Event logs are not directly caused by traffic passing through any firewall policies (except 'User')
Logging Monitor
• Overall view of the number/type of logs generated
• Drilldown allows for more detailed information

Monitor
• Monitor sub-menus found in CLI for all main function menus
• User-friendly display of monitored information
• View activity of a specific feature being monitored
• Various settings are found under "config system global":
gui-antivirus, gui-ap-profile, gui-application-control, gui-central-nat-table, gui-certificates, gui-client-reputation, gui-dynamic-profile-display, gui-dlp, gui-dns-database, gui-dynamic-routing, gui-endpoint-control, gui-explicit-proxy, gui-ipsec-manual-key, gui-implicit-policy, gui-ips, gui-icap, gui-ipv6, gui-lines-per-page, gui-load-balance, gui-local-in-policy, gui-multicast-policy, gui-multiple-utm-profiles, gui-object-tags, gui-policy-interface-pairs-view, gui-replacement-message-groups, gui-spamfilter, gui-sslvpn-personal-bookmarks, gui-sslvpn-realms, gui-utm-monitors, gui-voip-profile, gui-vpn, gui-vulnerability-scan, gui-wanopt-cache, gui-webfilter, gui-wireless-controller, gui-wireless-opensecurity
GUI Monitors
• Example: Security Profiles Monitor
» Includes all security features
• AV Monitor
» Recent and top virus activity
• Web Monitor
» Top blocked FortiGuard categories
• Application Monitor
» Most used applications
• Intrusion Monitor
» Recent attacks
• FortiGuard Quota
» Per-user list of quota usage

Status Page: Custom Widgets
• Many widgets can have their settings altered to display different information
» The same widget can be added multiple times to the same dashboard showing different information
Status Page: Custom Dashboards
• Multiple dashboards included by default
» Included widgets are set up to provide different kinds of information
» Can be changed/deleted/added
» Per-user settings (dashboard and widget layout is not shared between users)

The Crash log
• Inspection of how traffic is handled by processes
• Any time a process closes, it is a "crash"
» Some crashes are normal (closing scanunit to do a definition update)
diag deb crashlog read
• Does not contain any log message data
Labs
• Lab 1: Status Monitor and Event Log
» Ex 1: Exploring the GUI Status Monitor
» Ex 2: Event Log and Logging Options
(OPTIONAL)
• Lab 2: Remote Monitoring
» Ex 1: Remote Syslog and SNMP Monitoring

Classroom Lab Topology
Firewall Policies
© 2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT1-03-50005-E-20131120
Module Overview
• How Packets are Handled
• Policy Types and Subtypes
• Network Address and Port Translation
• Session Helpers
• Proxy vs Flow based inspection
• Firewall object usage
• Monitoring Firewall policies
• Debugging Firewall policies
… and other topics
Module Objectives
• By the end of this module participants will be able to:
» Identify the components used in a firewall policy
» Create firewall policy objects
» Create Address type firewall policies
» Manage policy order
» Test firewall policies
» Monitor network traffic through firewall policies
Definition and Overview of Firewall Policies
• Policies are a list of rules that define:
a) under what conditions traffic is considered a match
b) how to handle that traffic
• Processed top down, only the first match applies
• Implicit deny: no rule to allow the traffic means it gets dropped
» Not visible in GUI, by default
How Packets are Handled: Steps 1 to 4
Step #1 - Ingress
1. Denial of Service Sensor
2. IP integrity header checking
3. IPSec connection check
4. Destination NAT
5. Routing

Step #2 - Stateful Inspection Engine
1. Session Helpers
2. Management Traffic
3. SSL VPN
4. User Authentication
5. Traffic Shaping
6. Session Tracking
7. Policy lookup

Step #3 - UTM scanning process
i) Flow-based Inspection
1. IPS
2. Application Control
3. Email Filter
4. Web Filter
5. Anti-virus
ii) Proxy-based Inspection
6. VoIP Inspection
7. Data Leak Prevention
8. Email Filter
9. Web Filter
10. Anti-virus
11. ICAP

Step #4 - Egress
1. IPSec
2. Source NAT
3. Routing
Firewall Policies
(Diagram: matching criteria are incoming and outgoing interfaces, source and destination IP addresses, services and schedules; with Action = ACCEPT the policy then applies Authentication, Threat Management, Traffic Shaping and Logging)
• Firewall policies include the instructions used by the FortiGate device to determine what to do with a connection request
• Packet analyzed, content compared to policy, action performed
Policy Types and Subtypes
• Address
» Policy match based on IPs
• User Identity
» Policy match based on authentication information (user)
• Device Identity
» Policy match based on OS/Type
Policy Types and Subtypes: Address subtype
• Match is based on IP and port information in the packets

Policy Types and Subtypes: User Identity subtype
Policy Types and Subtypes: Device Identity subtype
• OS/device identity is based on packet behavior and details
» MAC address (Forti-Device only), DHCP VCI, TCP SYN Fingerprint, HTTP User-Agent
» Identification rules updated with FortiGuard definitions

Firewall Policy Elements: Interfaces and Zones
(Diagram: Incoming Interface, Outgoing Interface)
• ZONE: A logical group of interfaces
• Select Incoming Interface to identify the interface or zone on which packets are received
» Select one (or more) interfaces or ANY to match all interfaces as the source
• Select Outgoing Interface to identify the interface or zone to which packets are forwarded
» Select one (or more) interfaces or ANY to match all interfaces as the destination
Firewall Policy Elements: Address objects
• The FortiGate device compares the source and destination address in the packet to the policies on the device
» Default of ALL addresses available, applies to all IPs
• Addresses in policies are configured with:
» Name for display in policy list
» IP address and mask
» FQDN if desired (DNS used to resolve)
• Use Country to create addresses based on geographical location
» Geographic database updated periodically with FortiGuard
• Create address groups to simplify administration
Firewall Policy Elements: Service objects
(Diagram: the packet's protocol and port are compared with the firewall policy's protocol and port)
• FortiGate uses Services to determine the port number of accepted or denied traffic
• Default of ALL services available, applies to all ports and protocols
• Select a Service from the predefined list on the FortiGate unit or create a custom service
• Web Proxy Service also available if Incoming Interface is set to web-proxy
• Group Services and Web Proxy Service Groups to simplify administration
Firewall Policy Elements: Schedules
• Used to make firewall policies that only apply at particular times or days
» Example: Having a normal policy and a less restrictive 'Lunch time' policy
» Default schedule is 24/7, applies all the time
• Recurring
» Configured with a time that happens during a day(s) of the week
• One-time
» Happens only once

Groups
• Groups are logical collections of objects for ease of configuration
» If there will be multiple firewall policies using the same services, addresses or schedules, creating a group can facilitate configuration
• Example: Making a Service Group for World of Warcraft
» TCP port 3724 (for Game Play)
» TCP port 6112, 6881-6999 (for Updates)
» UDP port 3724 (in game Voice chat)
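An added worked example (not Fortinet code) that ties the policy overview (top-down, first match, implicit deny) to the policy elements from the last slides: interfaces and zones, address objects and groups, service objects and groups (including the World of Warcraft group above) and recurring schedules. All objects, policies and the "inside" zone are constructed for the illustration; FortiOS policy lookup has more inputs than this model.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Firewall objects, constructed for this example (not the course lab topology).
ADDRESSES = {
    "all": ["0.0.0.0/0"],
    "LAN_net": ["10.10.10.0/24"],
    "Web_server": ["10.10.10.10/32"],
}
ADDRESS_GROUPS = {"Internal": ["LAN_net", "Web_server"]}

# A service is a list of (protocol, first port, last port); port 0 = any port.
SERVICES = {
    "ALL": [("any", 0, 0)],
    "HTTP": [("tcp", 80, 80)],
    "HTTPS": [("tcp", 443, 443)],
    "DNS": [("udp", 53, 53), ("tcp", 53, 53)],
    "WoW_game": [("tcp", 3724, 3724), ("udp", 3724, 3724)],
    "WoW_updates": [("tcp", 6112, 6112), ("tcp", 6881, 6999)],
}
SERVICE_GROUPS = {"World_of_Warcraft": ["WoW_game", "WoW_updates"]}

# Recurring schedules: (weekday numbers with Monday=0, start "HH:MM", end "HH:MM").
SCHEDULES = {
    "always": (set(range(7)), "00:00", "24:00"),
    "lunch": ({0, 1, 2, 3, 4}, "12:00", "13:00"),
}

# A zone is a logical group of interfaces; a policy may name a zone or an interface.
ZONES = {"inside": ["internal", "port2"]}


@dataclass
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: List[str]
    dstaddr: List[str]
    service: List[str]
    schedule: str
    action: str          # "accept" or "deny"


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int
    when: datetime


def expand_addresses(names: List[str]):
    """Resolve address names and address groups to ip_network objects."""
    nets = []
    for name in names:
        for member in ADDRESS_GROUPS.get(name, [name]):
            nets += [ipaddress.ip_network(cidr) for cidr in ADDRESSES[member]]
    return nets


def expand_services(names: List[str]):
    """Resolve service names and service groups to (proto, lo, hi) entries."""
    entries = []
    for name in names:
        for member in SERVICE_GROUPS.get(name, [name]):
            entries += SERVICES[member]
    return entries


def intf_matches(selector: str, intf: str) -> bool:
    return selector == "any" or intf == selector or intf in ZONES.get(selector, [])


def service_matches(entries, proto: str, dport: int) -> bool:
    return any(p in ("any", proto) and (lo == 0 or lo <= dport <= hi)
               for p, lo, hi in entries)


def schedule_active(name: str, when: datetime) -> bool:
    days, start, end = SCHEDULES[name]
    return when.weekday() in days and start <= when.strftime("%H:%M") < end


def ts(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' so callers need not import datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def lookup(policies: List[Policy], pkt: Packet) -> Tuple[int, str]:
    """Top-down lookup: the first policy whose interfaces, addresses, service and
    schedule all match decides; no match at all is the implicit deny (policy id 0)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for pol in policies:
        if not (intf_matches(pol.srcintf, pkt.srcintf) and intf_matches(pol.dstintf, pkt.dstintf)):
            continue
        if not any(src in n for n in expand_addresses(pol.srcaddr)):
            continue
        if not any(dst in n for n in expand_addresses(pol.dstaddr)):
            continue
        if not service_matches(expand_services(pol.service), pkt.proto, pkt.dport):
            continue
        if not schedule_active(pol.schedule, pkt.when):
            continue
        return pol.policyid, pol.action
    return 0, "deny"


# Constructed policy table, ordered as it would appear top to bottom in the GUI.
POLICIES = [
    Policy(1, "inside", "wan1", ["Internal"], ["all"], ["HTTP", "HTTPS", "DNS"], "always", "accept"),
    Policy(2, "inside", "wan1", ["LAN_net"], ["all"], ["World_of_Warcraft"], "lunch", "accept"),
    Policy(3, "wan1", "inside", ["all"], ["Web_server"], ["HTTP"], "always", "accept"),
]
```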
Policy Logging Options
(Screenshot: logging options for Accept and Deny policies)

Network Address and Port Translation
• Network Address Translation – NAT
» Altering an IP address of a packet
» Source Network Address Translation – SNAT
• Altering the Source IP address of a packet
» Destination Network Address Translation – DNAT
• Altering the Destination IP address of a packet
• Port Address Translation – PAT
» Altering the source Port of a packet
(Diagram: packet header fields: Source IP address, Source port, Destination IP address, Destination port)
Network Address and Port Translation: NAT
Firewall policy with NAT enabled; wan1 IP address: 200.200.200.200
(Diagram: internal network 10.10.10.10, FortiGate with interfaces internal and wan1 200.200.200.200, server 11.12.13.14)
Inbound on internal: Source IP address: 10.10.10.1, Source port: 1025, Destination IP address: 11.12.13.14, Destination Port: 80
Outbound on wan1: Source IP address: 200.200.200.200, Source port: 30912, Destination IP address: 11.12.13.14, Destination Port: 80

Network Address and Port Translation: IP Pool
Firewall policy with NAT + IP pool enabled; wan1 IP pool: 200.200.200.2-200.200.200.10
(Diagram: same topology)
Inbound on internal: Source IP address: 10.10.10.1, Source port: 1025, Destination IP address: 11.12.13.14, Destination Port: 80
Outbound on wan1: Source IP address: 200.200.200.? (an address from the pool), Source port: 30957, Destination IP address: 11.12.13.14, Destination Port: 80
Network Address and Port Translation: Fixed Port
Firewall policy with NAT + IP pool enabled + fixed port; wan1 IP pool: 200.200.200.201
(Diagram: same topology)
Inbound on internal: Source IP address: 10.10.10.1, Source port: 1025, Destination IP address: 11.12.13.14, Destination Port: 80
Outbound on wan1: Source IP address: 200.200.200.201, Source port: 1025, Destination IP address: 11.12.13.14, Destination Port: 80

Network Address and Port Translation: Virtual IP
Firewall policy with destination address virtual IP + Static NAT; wan1 IP address: 200.200.200.200
(Diagram: same topology, traffic initiated from 11.12.13.14)
Inbound on wan1: Source IP address: 11.12.13.14, Destination IP address: 200.200.200.222, Destination Port: 80
VIP translates destination 200.200.200.222 -> 10.10.10.10
Network Address and Port Translation: Virtual IP (continued)
(Diagram: same topology; inbound on wan1 from 11.12.13.14 with Destination IP address: 200.200.200.200, Destination Port: 80; VIP translates destination 200.200.200.200 -> 10.10.10.10)
• Used to allow connections through a FortiGate using NAT firewall policies
» FortiGate unit can respond to ARP requests on a network for a server that is installed on another network
» Used for (1) Server Redundancy and Load Balancing; (2) IPSec VPN site-to-site with identical subnets at both sites; etc.
» VIP Group: A group of Virtual IPs for ease-of-use
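The four translation scenarios on the preceding slides (NAT to the interface address, IP pool, IP pool with fixed port, static NAT VIP) as an added simplified model written for this guide, not FortiOS code. It assumes a translated (IP, port, protocol) may be handed out only once, and shows why fixed port needs more than one pool address once two internal hosts use the same source port; the ephemeral port range and the pool addresses are constructed, and FortiOS chooses ports differently.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """5-tuple of a session as seen on ingress (before translation)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class SourceNat:
    """Simplified SNAT/PAT table for one outbound policy with NAT enabled.

    pool: addresses usable as translated source (the egress interface address
          when no IP pool is configured, the IP pool range otherwise).
    fixed_port: keep the original source port instead of choosing a new one.
    """

    def __init__(self, pool: List[str], fixed_port: bool = False,
                 ephemeral: range = range(30000, 65536)):
        self.pool = pool
        self.fixed_port = fixed_port
        self.ephemeral = ephemeral            # constructed range, not FortiOS's allocator
        self.in_use: Set[Tuple[str, int, str]] = set()   # (ip, port, proto) handed out
        self.sessions: Dict[Flow, Tuple[str, int]] = {}  # flow -> translated (ip, port)

    def translate(self, flow: Flow) -> Optional[Tuple[str, int]]:
        """Return the translated (source ip, source port), or None if nothing is free."""
        if flow in self.sessions:                    # existing session keeps its mapping
            return self.sessions[flow]
        for ip in self.pool:
            candidates = [flow.sport] if self.fixed_port else self.ephemeral
            for port in candidates:
                key = (ip, port, flow.proto)
                if key not in self.in_use:
                    self.in_use.add(key)
                    self.sessions[flow] = (ip, port)
                    return ip, port
        # With fixed port, a second host using the same source port needs a
        # second pool address; with none left, the session cannot be translated.
        return None

    def reverse(self, ip: str, port: int, proto: str) -> Optional[Flow]:
        """Map a reply's destination (ip, port) back to the original flow."""
        for flow, mapped in self.sessions.items():
            if mapped == (ip, port) and flow.proto == proto:
                return flow
        return None


# Static NAT VIP from the slide: external address -> internal server.
VIPS = {"200.200.200.222": "10.10.10.10"}


def apply_vip(dst: str) -> str:
    """Destination NAT step of ingress processing: a VIP is replaced by the mapped host."""
    return VIPS.get(dst, dst)
```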
Network Address and Port Translation: Central NAT
• Disabled in the GUI (default)
config system global
set gui-central-nat-table enable
end
• Centrally configurable NAT rules
Session Helpers
• What does a Session helper do?
• When specific types of traffic pass through the FortiGate, additional actions may need to happen
• Additional information may be needed from the packets in order for traffic to flow properly
Session Helpers: SIP Example
• Example of the SIP protocol with a Stateful Firewall doing NAT of 172.16.1.2 to 201.11.1.3:
Internal host 172.16.1.2 -> FortiGate (172.16.1.1): "Send the media traffic to IP address 172.16.1.2, UDP port 12546"
The IP address inside the IP payload is NATed; the firewall opens a "Pinhole" to allow the traffic that will come to port 12546
FortiGate (201.11.1.3) -> remote peer: "Send the media traffic to IP address 201.11.1.3, UDP port 12546"
Remote peer -> FortiGate: Media traffic to 201.11.1.3, port 12546
FortiGate -> internal host: Media traffic to 172.16.1.2, port 12546
• Incoming media traffic is allowed even when no firewall policy has been explicitly configured
Traffic Shaping
• Traffic shaping controls which policies have higher priority when large amounts of data are passing through the FortiGate unit
• Normalize traffic bursts by prioritizing certain flows over others
(Diagram: HTTP, FTP and IM flows competing for bandwidth)
Traffic Shapers
(Diagram: Shared Traffic Shaper and Per-IP Traffic Shaper, each with Guaranteed Bandwidth and Maximum Bandwidth)
• Traffic shapers apply Guaranteed Bandwidth and Maximum Bandwidth values to addresses affected by the policy
» Shared Traffic Shaper: values are shared between all IP addresses affected by the policy
» Per-IP Traffic Shaper: values are applied to each IP address affected by the policy
Threat Management
• Security profiles are enabled within each Firewall policy
Threat Management: Client Reputation
• Disabled in the GUI (default)
config sys global
set gui-client-reputation enable
end
• Tracks the "Score" for all devices within that VDOM by assigning a value to various UTM events
• Hard drive required to monitor "Score" (FortiAnalyzer, FortiManager or FortiCloud)
Threat Management: Client Reputation considerations
• 7-day history window shown (default)
• Score calculated periodically
» Not real time (too much I/O required)
• Max ~5000 tracked hosts (depends on db size & number of logs)
» When max hosts reached, least active 10% of records get deleted
• Change history window and DB size in CLI
config client-reputation profile
set max-rep-db-size {MB, default 100}
set window-size 7 {days, default 7}
end
• The effect of altering window-size
» Larger: Results in more data to process, increases CPU and memory required, score may be more 'accurate' (depending on log creation rate), limited by database size
» Smaller: Less data to process, fewer resources, less 'accurate'
• The effect of altering max-rep-db-size
» Larger: More storage space required, can increase maximum possible tracked hosts, can result in more data to process (if the database fills before the window-size is reached)
» Smaller: Less storage space required, can decrease maximum possible tracked hosts
Threat Management: Monitoring Client Reputation
• Done via the 'Threat History' widget (or FortiAnalyzer, FortiCloud, Reports)
» Requires SSD on a non-SOHO model (SOHO = 2 digit model number, Med = 3, Ent = 4) or VM
» Widget monitors Top N hosts (configurable in options, max 100)
» 3 configurable time periods, separate refresh options
» Drill down
Threat Management: Client Reputation CLI commands
• Only on devices with the 'Threat History' widget
exe client-reputation erase – Wipe out all data in the client reputation database
exe client-reputation host-count [0 for all] – List all (or some) of the tracked hosts
exe client-reputation host-detail – Obtain detailed information about a particular host
exe client-reputation host-summary – Obtain summary information about a particular host
exe client-reputation purge – Database cleanup; purge old data from the client reputation database
exe client-reputation topN ['all' for all tracked hosts] – Display N hosts with the highest (worst) client reputation score
Proxy vs Flow: Proxy Based Scanning
• Transparent proxy buffers the file as it arrives
• Once transmission is complete, FortiGate examines the file
» No action until buffer is full or file is finished
• Communication is broken on layer 3 (proxy handles communication)

Proxy vs Flow: Flow Based Scanning
• File is scanned on a packet-by-packet basis as it passes through the FortiGate unit
• Faster scanning, but lower accuracy rate
» Stateless, file chunks are not compared/related to prior chunks of the same file
• Seamless layer 3
Proxy vs Flow: Proxies and File size
• File size is checked against preset thresholds (configured in the CLI: config firewall profile-protocol-options)
(Diagram: Firewall Policy -> Enable Security Profile -> UTM Proxy Options -> Oversize File/Email: Pass or Block + Threshold)
• If larger than threshold (default 10 MB) and action set to block, then the file is rejected
• If larger than threshold and action set to allow, the uncompressed file must fit within the memory buffer
» If not, by default no further scanning operations are performed
Proxy vs Flow: Comparison
Proxy based Inspection
• Slower (than flow based)
• More Secure
• Layer 3 communication interrupted
• Large Files/Slow connections can cause delays
Flow based Inspection
• Faster (than proxy based)
• Less Secure
» Less Accurate
• Layer 3 unaffected
• Not all Security Profiles can operate in either mode
» App Control & IPS are only flow based
» VoIP is only proxy based
Endpoint Control
(Diagram: endpoint checks: Up to date? Disallowed software installed?)

Device Identification (Bring your own Device)
• Device detection is dependent on being enabled on the interface
» In the GUI, you will be prompted when you create a device identification policy
» Enable directly through the CLI
config system interface
edit "port1"
set device-identification (enable|disable*)
set device-user-identification (enable*|disable)
end
• Per-VDOM settings on what to detect
config system network-visibility
• Global setting of the device types FortiOS detects is hardcoded
Device Identification: Agent based vs Agentless
(Diagram: hosts with FortiClient (FC) and agentless hosts behind the FortiGate, with DMZ and INTERNET)
Identification Techniques
• Agentless
» TCP Fingerprinting
» MAC address vendor codes
» HTTP user agent
» Requires "direct" connectivity to FortiGate
• Agent Based
» Uses FortiClient
» Location & Infrastructure Independent
Device Identification: Manual Device entry
• Devices can be manually identified in the config
config user device
edit "me"
set mac-address <MAC address>
set type "type name"
set user "user name"
end
• Once the device is created it can be added to a device group
config user device-group
Device Identification: Device list
• User & Devices > Device > Device Definitions
diag user device list

Device Identification: Policy options
• Attempt to detect all Unknown devices
» Any device the FortiGate cannot identify will be denied
» FortiGate will reattempt identification before denying
• Redirect FortiClient compatible devices
» Force users with compatible OSs to install FortiClient
• Email collection Portal (attach an email to the device)
» Webpage to manually enter an email address
• Currently, Authentication and Device identification are not compatible
Device Identification: Email collection
• Email Collection
» Used in conjunction with the device type Collected Emails
» Collects an email to be associated with the device
» Emails are not verified; the domain is checked for DNS resolution

Device Identification: Email collection portal
config sys setting
set email-portal-check-dns [enable|disable]
Object Usage
• Allows for faster changes to settings
• The Reference column allows administrators to determine where the object is being used
» Navigate directly to the appropriate edit page

Adjusting Policy Order
• Drag and drop policy order from GUI (must click on Seq. #)
• CLI works with the policy ID number, not the sequence number
config firewall policy
move <policy ID> {before|after} <policy ID>
end
Monitor
• View policy usage by active sessions, bytes or packets
• Policy > Monitor > Policy Monitor

Debugging Firewall Policies: Understanding the traffic
Understand if/how the packets will be manipulated:
• Which interface is supposed to be the ingress?
• Which interface is supposed to be the egress?
• Is there SNAT that will/should happen?
• Is there DNAT that will/should happen?
What, exactly, is the behavior?
• Is there slowness/delay?
• Is there a timeout?
• Is there an error? If so, what is it?
Debugging Firewall Policies: The packet sniff (CLI)
• A packet sniff can be used to find out where a packet comes in and if/where a packet goes out, but not why
• To view in Wireshark the output must be converted
» Output needs to be saved to file
» Perl script on KB (article ID: 11186)
diag sniff packet <interface> '<filter>' <level>
Interface
• Use the logical name
» port1, lan, wan1
» 'any' can be specified by super_admin users only
Level (1-6)
1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets with interface name

Debugging Firewall Policies: The packet sniff (GUI)
• Available on devices with internal storage (HD or SMC card)
• Downloaded packet sniffs are automatically converted into Wireshark format
Debugging Firewall Policies: Filters for sniffs
• Filters are a de-facto standard in order to restrict the packet sniff
» Sniffing for all packets will likely result in too much output
» Search the internet for 'tcpdump' for documentation
Some possible filter options:
host – IP address (applies to source and destination); dst host – destination address; src host – source address
net – Network, IP range (applies to source and destination); dst net, src net
port – traffic port (applies to source and destination); src port, dst port
Protocol can be specified: tcp, udp, arp, icmp, etc.
Primitives can be used to combine filter options: and, or, not

Debugging Firewall Policies: Example sniffs
• Packet sniff of a ping
» Specify a host that will not change on ingress or egress
diag sniff packet any 'host x.x.x.x and icmp' (level)
• Packet sniff of FTP traffic
» Specify a host that will not change on ingress or egress
» Specify FTP ports (connection and data)
diag sniff packet any 'host x.x.x.x and (port 21 or port ??)' (level)
• Packet sniff of traffic from a host connected to FortiGate
» Specify a host that will not change on ingress or egress
» Make sure to exempt the port being used to connect to the FortiGate
diag sniff packet any 'host x.x.x.x and not port ??' (level)
What level to use (from CLI)?
4 – most human readable
3, 6 – must use if converting to Wireshark
Debugging Firewall Policies: "diag debug flow"
• "diag debug flow" is used to look at all the decisions the firewall is making
» Advanced, multi-step process to set up the command
diag deb flow show function enable
• Optional, increases diagnostic output detail
diag deb flow filter ?
• Set up a filter on the traffic
• Each new filter requires a separate command (addr, port, etc.)
diag deb flow trace start x
• How many packets to continue the diagnostic for
diag deb enable
• Diagnostic mode must be enabled before any output can be seen

Debugging Firewall Policies: 'diag debug flow' example
• "diag debug flow" is used to look at all the decisions the firewall is making
diag deb flow show function enable
diag deb flow filter addr 4.2.2.2
diag deb flow filter proto 1
diag deb flow trace start 10
diag deb enable
• After debugging is over
diag deb reset
» Shuts off all diagnostics running in the 'diag deb' command tree
diag deb disable
» Disables debug output
Debugging Firewall Policies: Sniff output
Level 4
# diag sniff packet any 'host 4.2.2.2' 4
interfaces=[any] filters=[host 4.2.2.2]
8.013631 lan in 192.168.100.110 -> 4.2.2.2: icmp: echo request
8.014093 dmz out 192.168.3.99 -> 4.2.2.2: icmp: echo request
8.036665 dmz in 4.2.2.2 -> 192.168.3.99: icmp: echo reply
8.036790 lan out 4.2.2.2 -> 192.168.100.110: icmp: echo reply
Level 6
# diag sniff packet lan 'host 4.2.2.2' 6
interfaces=[lan] filters=[host 4.2.2.2]
3.258531 lan -- 192.168.100.110 -> 4.2.2.2: icmp: echo request
0x0000   0009 0f4d ebdb 1803 737b cc34 0800 4500   ...M....s{.4..E.
0x0010   003c 4711 0000 8001 c895 c0a8 646e 0402   .
0x0020   0202 0800 4cef 0001 006c 6162 6364 6566   ....L....labcdef
0x0030   6768 696a 6b6c 6d6e 6f70 7172 7374 7576   ghijklmnopqrstuv
0x0040   7761 6263 6465 6667 6869                  wabcdefghi
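The slides say level 3 or 6 output must be saved to a file and converted (via the KB Perl script) before Wireshark can read it. As an added example written for this guide, not Fortinet's script, the Python below does that conversion for the level-6 output above: it parses the summary and hex-dump lines into frames, checks each frame's IP total length against the bytes captured, and writes a libpcap file with the Ethernet link type. It assumes output saved from the terminal with space-separated hex words and the ASCII gutter after a tab; the sample text is constructed from the slide.

```python
import re
import struct
from dataclasses import dataclass
from typing import List

# Constructed sample: the level-6 output from the slide as saved from a terminal
# (hex words separated by spaces, ASCII gutter after a tab).
SAMPLE_SNIFF = """\
# diag sniff packet lan 'host 4.2.2.2' 6
interfaces=[lan] filters=[host 4.2.2.2]
3.258531 lan -- 192.168.100.110 -> 4.2.2.2: icmp: echo request
0x0000\t 0009 0f4d ebdb 1803 737b cc34 0800 4500\t...M....s{.4..E.
0x0010\t 003c 4711 0000 8001 c895 c0a8 646e 0402\t.<G.........dn..
0x0020\t 0202 0800 4cef 0001 006c 6162 6364 6566\t....L....labcdef
0x0030\t 6768 696a 6b6c 6d6e 6f70 7172 7374 7576\tghijklmnopqrstuv
0x0040\t 7761 6263 6465 6667 6869\twabcdefghi
"""

# Packet summary line: relative timestamp, optional "<intf> in|out|--" (levels 4-6), text.
HDR_RE = re.compile(r"^(\d+\.\d+)\s+(?:(\S+)\s+(in|out|--)\s+)?(.*)$")
# Hex dump line: "0x0010<whitespace>hex words<tab>ascii gutter".
HEX_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+(.*)$")

# libpcap global header: magic, version 2.4, thiszone 0, sigfigs 0, snaplen, linktype 1 (Ethernet).
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


@dataclass
class Frame:
    ts: float
    intf: str
    direction: str
    summary: str
    data: bytes = b""


def parse_sniff(text: str) -> List[Frame]:
    """Turn saved 'diag sniff packet' output (level 3 or 6) into frames with raw bytes."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            frames.append(Frame(float(m.group(1)), m.group(2) or "", m.group(3) or "", m.group(4)))
            continue
        m = HEX_RE.match(line)
        if m and frames:
            hex_words = m.group(2).split("\t")[0]          # drop the ASCII gutter
            frames[-1].data += bytes.fromhex(hex_words.replace(" ", ""))
    return frames


def frame_is_consistent(frame: Frame) -> bool:
    """Check that an IPv4-over-Ethernet frame was copied completely: the IP total
    length field must equal the captured bytes after the 14-byte Ethernet header."""
    d = frame.data
    if len(d) < 34 or d[12:14] != b"\x08\x00":
        return False
    return len(d) - 14 == struct.unpack("!H", d[16:18])[0]


def to_pcap(frames: List[Frame]) -> bytes:
    """Serialize frames as a libpcap file Wireshark can open (sniff timestamps are relative)."""
    out = bytearray(PCAP_GLOBAL)
    for f in frames:
        sec = int(f.ts)
        usec = int(round((f.ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(f.data), len(f.data))
        out += f.data
    return bytes(out)


if __name__ == "__main__":
    parsed = parse_sniff(SAMPLE_SNIFF)
    with open("sniff.pcap", "wb") as fh:
        fh.write(to_pcap(parsed))
    for fr in parsed:
        print(fr.ts, fr.intf, fr.direction, fr.summary, len(fr.data), "bytes", frame_is_consistent(fr))
```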
Debugging Firewall Policies: 'diag debug flow' output
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=1, 192.168.100.110:1->4.2.2.2:8) from lan."
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107 func=init_ip_session_common line=4430 msg="allocate a new session-0000573e"
(Callout: Single decision - 2 steps)
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107 func=vf_ip4_route_input line=1603 msg="find a route: gw-192.168.3.1 via dmz"
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107 func=__iprope_tree_check line=534 msg="use addr/intf hash, len=3"
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107 func=get_new_addr line=2401 msg="find SNAT: IP-192.168.3.99, port-62464"
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107 func=fw_forward_handler line=663 msg="Allowed by Policy-1: SNAT"
LOG: logid=0100020085 type=event subtype=system level=debug vd="root" trace_id=107 func=ids_receive line=237 msg="send to ips"
Labs
• Lab 1: Firewall Policy
» Ex 1: Creating Firewall Objects and Rules
» Ex 2: Policy Action
» Ex 3: Configuring Virtual IP Access
» Ex 4: Configuring IP Pools
(OPTIONAL)
• Lab 2: Traffic Log
» Ex 1: Enabling Traffic Logging
• Lab 3: Device Policies
» Ex 1: Enabling Device Identification

Classroom Lab Topology
Firewall Authentication
© 2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT1-04-50005-E-20140120
Module Overview
• Local User Authentication
• Remote Server Authentication
• User Groups
• Authentication Rules
• Disclaimer Page
• Authentication Timeout
• Two-Factor Authentication
• LDAP Configuration and Testing
• Radius Configuration and Testing
• Monitoring Authenticated Users
Module Objectives
• By the end of this module participants will be able to:
» Describe the authentication mechanisms available in FortiGate devices
» Create local users and user groups
» Describe and configure two-factor authentication
» Configure and test Radius authentication
» Configure and test LDAP authentication
» Create authentication rules
» Configure user disclaimers
» Monitor active users

Authentication
• It is the act of confirming the identity of a person or other entity
• Once the person or entity has been identified, the network device applies the right firewall policies and profiles to allow or deny access to each network resource
Local User Authentication
• Local user authentication is based on user accounts stored locally on the FortiGate unit
» For each account, a user name and password is stored
(Diagram: two-step exchange, the user sends username and password to the FortiGate, which checks them locally)

Remote Server Authentication
• Accounts are stored in an external authentication server:
• Administrators can create an account for the user locally and specify the server to verify the password, or
• Administrators can add the authentication server to a user group
• All users in that server become members of the group
(Diagram: four-step exchange, username and password sent to the FortiGate and forwarded to the Remote Server, which replies OK)
Single Sign On (SSO)
• It refers to how users who have authenticated to a domain can leverage an existing authentication event for firewall authentication
• It allows users to enter their credentials only once and get access to the network resources without being prompted to log in again
• With a FortiGate device, SSO can be implemented using one of the following two methods:
  » FSSO: a Fortinet proprietary communication framework for collecting and forwarding user login events to FortiGate devices
  » RSSO: Radius Accounting packets containing login and logoff events are sent to the FortiGate device
(Diagram) User Authentication via Remote Server: RADIUS, LDAP, TACACS+. Single Sign On: Directory Services, RADIUS
User Group Types
(Diagram: example groups and their types: Paris → Firewall User; Visitors → Guest User; Active Directory → FSSO; Radius Server → RSSO)
• User groups are assigned one of four group types: Firewall, Fortinet Single Sign On (FSSO), Guest and Radius Single Sign On (RSSO)
• Firewall user groups provide access to firewall policies that require authentication
• FSSO and RSSO are used for Single Sign On authentication
Authentication Rules
• Authentication Rules are enabled to require firewall authentication
• They identify the users and user groups that will be forced to authenticate
  » They also define other aspects of authentication, including services, schedules, destination address, profiles, logging and traffic shaping
(Diagram: an Authentication Rule ties together Destination Address, Users/Groups, Services, Schedules, Logging, Security Profiles and Traffic Shaping)
User Authentication Triggers
• User authentication is triggered through any of the following supported protocols:
  » HTTP
  » HTTPS
  » FTP
  » Telnet
• All other services are not allowed until the user has first authenticated successfully through one of the protocols above
Disclaimers
• Displays the Terms and Disclaimer Agreement page before the user authenticates
  » The user must accept the disclaimer to proceed with the authentication process
  » Once authenticated, the user is directed to the original destination
(Screenshot: Policy Disclaimer)
Authentication Timeout
• Timeout values specify how long an authenticated connection can be idle before the user must authenticate again
  » User Authentication Timeout controls the firewall authentication timer
    • Default value is 5 minutes
  » SSL VPN Idle Timeout controls the SSL VPN user authentication timer
    • Default value is also 5 minutes
Two-Factor Authentication (2FA)
• 2FA is strong authentication which improves security by preventing attacks associated with the use of static passwords alone
• 2FA requires two independent ways of identifying a user:
  » Something you know, such as a password or PIN
  » Something you have, such as a token or a PKI certificate
• Token-based codes are good for one-time use only, so even if a code is intercepted it is already useless
• One-Time Password (OTP) algorithms can be either time based or event based:
  » Fortinet uses time, so it is important for the FortiGate's system clock to be accurate
One-Time Password Delivery Methods
• FortiToken: every 60 seconds, the token generates a 6-digit code based on a unique seed and GMT time:
  » Hardware FortiToken
  » FortiToken Mobile: available for iOS and Android
• Email: the one-time password is sent to the user's configured email address
• SMS phone message: the one-time password is sent through email to the user's SMS provider. The email address pattern varies by provider
How Token-Based Authentication Works
(Diagram: 1. the OTP Generator combines its Seed and the current Time in the Algorithm to produce the OTP; 2. the user sends Static Password + OTP to the Validation Server; 3. the Validation Server validates the static password; 4. the Validation Server, time-synced with an accurate NTP source, runs the same Algorithm with the same Seed and the same Time and so obtains the same OTP value)
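The diagram above rests on three facts stated on these slides: the code changes every 60 seconds, it has 6 digits, and the validation server only agrees with the token when both have the same seed and the same time. The example below is added here and is not Fortinet's code; FortiToken's exact algorithm is not given on the slides, so the standard RFC 4226/6238 construction (HMAC-SHA1 over the time step, dynamic truncation) stands in for it, with the 60-second step and 6 digits from the text. The seed, the timestamp and the skew values are constructed. It shows two defender-side points the slides make: a small clock error is absorbed by a one-step window while a large one is rejected (hence the NTP requirement), and an intercepted code is refused on replay within its own step.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the slides state a new code every 60 seconds
DIGITS = 6          # the slides state a 6-digit code

# Constructed demonstration seed; a real token seed is provisioned per device and never shared.
DEMO_SEED = b"constructed-demo-seed-not-a-real-fortitoken"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Token side: the counter is the current time step, so 'same seed + same time' gives the same code."""
    return hotp(seed, unix_time // step)


class OtpValidator:
    """Validation-server side. Accepts the code for the current step and +/- `window` steps
    to absorb small clock drift, and refuses any step at or below the last one consumed,
    so an intercepted code cannot be replayed within its own 60-second step."""

    def __init__(self, seed: bytes, window: int = 1):
        self.seed = seed
        self.window = window
        self.last_counter = -1

    def check(self, submitted: str, server_time: int) -> bool:
        current = server_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_counter:
                continue  # already consumed: one-time use only
            if hmac.compare_digest(hotp(self.seed, candidate), submitted):
                self.last_counter = candidate
                return True
        return False


def clock_skew_demo(seed: bytes, server_time: int, token_skew_seconds: int) -> bool:
    """Does a token whose clock is off by `token_skew_seconds` still authenticate against a fresh validator?"""
    code_from_token = totp(seed, server_time + token_skew_seconds)
    return OtpValidator(seed).check(code_from_token, server_time)


if __name__ == "__main__":
    now = 1_400_000_000  # fixed constructed timestamp (2014, GMT) so the demo is repeatable
    print("code now:", totp(DEMO_SEED, now))
    for skew in (0, 30, 60, 300):
        verdict = "accepted" if clock_skew_demo(DEMO_SEED, now, skew) else "rejected"
        print(f"token clock off by {skew:3d}s -> {verdict}")
```

The window of one step either side is a design choice: wider windows tolerate worse clocks but give a captured code a longer useful life, which is why the slides insist on an accurate system clock rather than a forgiving server.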
Adding a FortiToken (screenshot)
LDAP Review
• The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services
• The LDAP structure is similar to a tree that contains entries (objects) in each branch:
  » Each entry has a unique ID, the Distinguished Name (DN)
  » Each entry also has attributes
  » Each attribute has a name and one or more values
  » The attributes are defined in a directory schema
LDAP Levels of Hierarchy
• The LDAP tree usually tends to match the hierarchy of the customer's organization
• The root represents the organization itself, and is defined as Domain Components (dc), such as:
  » dc=example, dc=com
• Additional levels can include:
  » c (country)
  » ou (organizational unit)
  » o (organization)
• User accounts or groups usually have element names such as 'uid' (user ID) or 'cn' (common name)
LDAP Directory Tree Example
(Diagram) Root: dc=example,dc=com. Country branches: c=usa, c=france, c=canada. Organizational units shown: ou=it, ou=hr. User entries shown: uid=jsmith, uid=apiquet, uid=abush.
  Example entry: uid: jsmith, email: [email protected], objectClass: inetOrgPerson
  Its DN: uid=jsmith, ou=it, c=france, dc=example, dc=com
LDAP Configuration (screenshot callouts)
• Name of the attribute that identifies each user
• Parent branch where all users are located
• Credentials for an LDAP administrator
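The two LDAP settings called out above (the attribute that identifies each user, and the parent branch all users sit under) are both read straight off a user's DN from the tree example. The example below is added here and is not Fortinet's code: it parses an RFC 4514 DN into its RDNs, derives those two settings from one user DN, and checks whether an entry actually lies under the configured branch, which is the check to run when an authentication test like the one later in this module fails with a valid password. The jsmith DN is the one on the slide; the abush DN and the escaped "Smith, John" value are constructed.

```python
_ESCAPE_IN_VALUE = ',+"\\<>;'


def parse_dn(dn: str) -> list:
    """Split an RFC 4514 DN string into [(attribute_type, value), ...], leaf first,
    honouring backslash escapes so a value such as 'Smith\\, John' stays one value."""
    rdns, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current += dn[i + 1]      # escaped character is literal
            i += 2
            continue
        if ch == ",":
            rdns.append(current)
            current = ""
        else:
            current += ch
        i += 1
    rdns.append(current)
    parsed = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # attribute types are case-insensitive (uid == UID, dc == DC)
        parsed.append((attr_type.strip().lower(), value.strip()))
    return parsed


def format_dn(rdns) -> str:
    """Inverse of parse_dn, re-escaping the characters that are special inside a value."""
    parts = []
    for attr_type, value in rdns:
        escaped = "".join("\\" + c if c in _ESCAPE_IN_VALUE else c for c in value)
        parts.append(f"{attr_type}={escaped}")
    return ",".join(parts)


def fortigate_ldap_fields(user_dn: str):
    """From one user's DN derive the two settings the slide describes:
    the attribute that identifies each user (type of the leaf RDN) and
    the parent branch all users are located in (everything above the leaf)."""
    rdns = parse_dn(user_dn)
    if len(rdns) < 2:
        raise ValueError("a user DN needs a parent branch")
    return rdns[0][0], format_dn(rdns[1:])


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn lies strictly beneath base_dn; values compared case-insensitively,
    which matches the usual matching rule for dc/ou/cn but not for every attribute."""
    entry = [(t, v.casefold()) for t, v in parse_dn(entry_dn)]
    base = [(t, v.casefold()) for t, v in parse_dn(base_dn)]
    return len(entry) > len(base) and entry[-len(base):] == base


if __name__ == "__main__":
    jsmith = "uid=jsmith,ou=it,c=france,dc=example,dc=com"   # DN from the slide
    ident_attr, branch = fortigate_ldap_fields(jsmith)
    print("identifying attribute:", ident_attr)
    print("parent branch        :", branch)
    # constructed: a user in a different OU would not be found under the IT branch
    print("abush under IT branch:", is_under("uid=abush,ou=hr,c=france,dc=example,dc=com", branch))
```

A branch configured too deep (ou=it) silently excludes users in sibling units such as ou=hr; a branch configured at the root (dc=example,dc=com) finds everyone but makes each bind search the whole tree.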
Radius Overview
• It is a standard protocol that provides Authentication, Authorization and Accounting (AAA) services
(Diagram: the user authenticates to the FortiGate unit; the FortiGate unit sends an Access-Request to the Radius server, which replies with Access-Accept, Access-Reject or Access-Challenge)
Radius Configuration
• A Fortinet Vendor-Specific Attributes (VSA) dictionary is provided to identify the Fortinet-proprietary RADIUS attributes
(Screenshot callouts: IP address or FQDN of the Radius server; the "Secret" must match the Radius server's secret key)
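The callout says the "Secret" must match the Radius server's secret key; the example below, added here and not Fortinet's code, shows why by building the Access-Request / Access-Accept exchange from the overview slide in pure Python. The shared secret does two jobs in RFC 2865: it hides the User-Password attribute (MD5 chained with the Request Authenticator, then XOR) and it authenticates the server's reply through the Response Authenticator. With matching secrets the server recovers the password and the FortiGate can verify the reply; with a mismatch the server sees garbage and the reply fails verification on the NAS side. The secret and user database are constructed; "jsmith"/"fortinet" are reused from the LDAP test sample later in this module. PAP hiding is shown because it is the scheme whose construction is fully specified by the RFC; the other schemes listed under the RADIUS test command differ.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret || previous block);
    the 'previous block' for the first block is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse; only yields the real password when the secret matches the NAS's."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        clear += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")  # removes the padding (a real password must not end in NUL)


def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes) -> bytes:
    """What the FortiGate (the NAS) sends: Code=1, Identifier, Length, Request Authenticator, attributes."""
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def _parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def _build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here."""
    header = struct.pack(">BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def server_handle(request: bytes, server_secret: bytes, user_db: dict) -> bytes:
    """Radius server: reveal the password with its own copy of the secret, then Accept or Reject."""
    code, _ident, length = struct.unpack(">BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return _build_response(ACCESS_REJECT, request, server_secret)
    authenticator = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, authenticator)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    return _build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, server_secret)


def client_verify_response(response: bytes, request: bytes, client_secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator; a reply built with a different secret fails."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + client_secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def run_exchange(client_secret: bytes, server_secret: bytes, username: bytes, password: bytes,
                 user_db: dict):
    """Full round trip; returns (response code, whether the NAS could verify the reply)."""
    request = build_access_request(7, username, password, client_secret, os.urandom(16))
    response = server_handle(request, server_secret, user_db)
    return response[0], client_verify_response(response, request, client_secret)


if __name__ == "__main__":
    users = {b"jsmith": b"fortinet"}            # constructed server-side user database
    print("matching secrets :", run_exchange(b"s3cret", b"s3cret", b"jsmith", b"fortinet", users))
    print("mismatched secret:", run_exchange(b"s3cret", b"other", b"jsmith", b"fortinet", users))
```

A mismatched secret therefore surfaces as a rejection for a correct password, and on the FortiGate side as a reply it cannot authenticate; checking the secret is the first step when the RADIUS test command fails for a known-good account. The MD5-based hiding also shows why the shared secret, not the transport, is the only thing protecting PAP passwords between the FortiGate and the server.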
Users (screenshot callouts)
• Select an external authentication server if the password is not stored locally
• Enable two-factor authentication
User Groups (screenshot callouts)
• Select the local users that belong to the group
• Select the remote authentication servers that contain users that belong to the group
Policy Configuration (screenshot)
User Monitor
• Displays logged in users, groups, policy ID being used, time left before inactivity timeout, source IP address, amount of traffic sent and the authentication method
  » Also used to terminate authentication sessions
LDAP Test Command
• From the FortiGate CLI: diagnose test authserver ldap
• Output sample:
    Fortigate# diagnose test authserver ldap Lab jsmith fortinet
    authenticate 'jsmith' against 'Lab' succeeded!
    Group membership(s) CN=SSLVPN,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com
                        CN=TAC,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com
RADIUS Test Command
• From the FortiGate CLI: diagnose test authserver radius
• The supported schemes are:
  » chap
  » pap
  » mschap
  » mschap2
Labs
• Lab 1: User Authentication
  » Ex 1: Identity-based Firewall Policy
Classroom Lab Topology (diagram)
SSL VPN
FGT1-05-50005-E-20140120
Module Overview
• VPN definition
• SSL VPN vs. IPSec VPN
• Web-only mode
• Tunnel mode
• Port Forward mode
• Split-Tunneling
• Client Integrity Checking
• SSL VPN portal
• SSL VPN configuration
• Access modes comparison
• SSL VPN monitor
Module Objectives
• By the end of this module participants will be able to:
  » Configure the different SSL VPN operating modes
  » Set up SSL VPN portals
  » Configure firewall policies and authentication rules for SSL VPN
  » Monitor SSL VPN connections
Virtual Private Networks (VPN)
• A virtual private network (VPN) allows users to remotely access network resources as if they were physically connected to the local network
• Used when there is a need to transmit private data across a public network
• Is an encrypted point-to-point connection, so it cannot be intercepted by unauthorized users
• Uses different security methods to ensure that only authorized users can access the private network
FortiGate VPN
• SSL VPN
  » Typically used to secure web transactions
  » HTTPS link created to securely transmit application data
  » Client signs on through a secure web page (SSL VPN portal) on the FortiGate device
• IPSec VPN
  » Well suited for network-based legacy applications
  » Secure tunnel created between two host devices
  » IPSec VPN can be configured between a FortiGate unit and most third-party IPSec VPN devices or clients
SSL VPN Web-only Mode
1. Connection of a remote user to the SSL VPN portal (HTTPS web site)
2. User authentication
3. SSL VPN portal presented
4. Access to resources through the SSL VPN portal via bookmarks or the connection tool widgets
• User traffic has the internal interface IP address as source
SSL VPN Tunnel Mode
1. Connection of a remote user to the SSL VPN portal (HTTPS web site)
2. User authentication
3. SSL VPN portal presented
4. Tunnel created
5. Access to resources (IP traffic encapsulated over HTTPS)
• User traffic source IP address is assigned by the FortiGate unit
Tunnel Mode Split Tunneling
• Split Tunneling disabled:
  » All IP traffic will be routed over the SSL VPN tunnel (including Internet traffic)
• Split Tunneling enabled:
  » Only traffic destined to the private network will be routed over the SSL VPN tunnel
(Diagram: a Tunnel mode client reaching the Internet and the internal network, with Split Tunneling enabled versus disabled)
Ways of Connecting SSL VPN Tunnel Mode
• Using a browser:
  » The SSL VPN web portal will display the status of the SSL VPN ActiveX control
  » The SSL VPN portal must remain open for the tunnel to function
• Using the standalone FortiClient SSL VPN client:
  » The client must remain running for the tunnel to function
• Either way, a new virtual network adapter called fortissl is created on the client PC:
  » The FortiGate assigns the adapter a virtual IP address from a pool of reserved addresses
SSL VPN Client Port Forward Mode
• Port Forward uses a Java applet to extend the number of applications supported by the Web-only mode
• The applet listens on local ports on the user's computer. It encrypts all the traffic received and forwards it to the FortiGate unit
• The user must configure the applications on the PC to point to the local proxy instead of the application server
• Application types:
  » PortForward: for generic port forward applications
  » Citrix: for Citrix server web interface access
  » RDPNative: for Microsoft Windows native RDP client over port forward
Client Integrity Checking
• The SSL VPN gateway checks the client system
• Only possible with clients running Microsoft Windows
• Detects client security applications recognized by the Windows Security Center (antivirus and firewall)
• Alternatively, Custom Host Checks can be created using application Globally Unique IDentifiers (GUID)
• Determines the state of the applications (active/inactive, current version number and signature updates)
Client Integrity Checking Configuration
• Relies on external vendors to ensure client integrity
• Checks if the required software is installed on the connecting PC; otherwise the SSL VPN connection attempt is rejected
• CLI-only configuration:
    config vpn ssl web portal
      edit <portal-name>
        set host-check {av|av-fw|custom|fw}
        set host-check-interval <seconds>
      next
    end
Configuration Steps
1. Configure the SSL VPN general settings
2. Set up user accounts and groups for the SSL VPN clients
3. Configure the web portals to define user access
4. Create the firewall policy with the authentication rules
5. Create firewall policies from/to the SSL VPN interface (only for Tunnel mode)
6. Add routing to ensure that traffic to the users can reach the SSL VPN interface (only for Tunnel mode)
Step 1: SSL VPN General Settings (screenshot callouts)
• Certificate presented to clients. Use a certificate issued by a Certificate Authority (CA) to avoid web browser warnings
• If set to High, connections with clients that cannot meet this standard will fail
• Tunnel session timeout
• Web portal port number
SSL VPN Policy De-Authentication
• The firewall policy authentication session is associated with the SSL VPN tunnel session
• Forces expiration of the firewall policy authentication session when the associated SSL VPN tunnel session has ended
  » Prevents reuse of authenticated SSL VPN firewall policies (not yet expired) by a different user after the initial user terminates the SSL VPN tunnel session
Step 2: User Accounts and Groups
• SSL VPN supports the following authentication methods:
  » Local
  » LDAP
  » Radius
  » TACACS+
• Additionally, two-factor authentication is also supported
(Diagram: Username and Password (one factor) + Token Code (two factor))
Step 3: SSL VPN Portal
• Web page displayed after the client has logged into the SSL VPN
• Includes widgets to access different SSL VPN functionalities (such as bookmarks and connection tools)
• Software download option for Tunnel mode
SSL VPN Portal Configuration (screenshot callouts)
• Enable Tunnel mode
• Enable Split Tunneling
• Virtual IP addresses to be assigned to Tunnel mode users
• Enable Port Forward mode
• Control the number of concurrent sessions per user
SSL VPN Portal Example (screenshot)
Step 4: Firewall Policy for SSL VPN Authentication
• All three SSL VPN modes require a firewall policy for authentication
  » Tunnel mode requires additional policies to allow traffic to/from the SSL VPN interface
Firewall Policy for SSL VPN Authentication (screenshot)
Step 5: Firewall Policies for Tunnel Mode (screenshot)
Step 6: Routing for Tunnel Mode (screenshot callout: the subnet that contains the SSL VPN IP addresses for Tunnel mode)
SSL VPN Monitor (screenshot callouts)
• A 'Subsession' row below a user means that the user is in Tunnel mode
• SSL VPN IP address for the user 'fortinet'
• Web-only user
SSL VPN Access Modes
• Web-only
  » No client software required (web browser only)
  » Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
• Tunnel
  » Uses FortiGate-specific client downloaded to PC (ActiveX or Java applet)
  » Requires admin/root privilege to install network tunnel adaptor
• Port Forward
  » Java applet works as a local proxy to intercept specific TCP port traffic and encrypt it using SSL
  » Java applets for RDP, VNC, TELNET, SSH
  » Applet is installed without admin/root privileges
  » Client applications must point to the Java applet
Labs
• Lab 1: SSL VPN
  » Ex 1: Configuring SSL VPN for Web-only access
  » Ex 2: Configuring SSL VPN for Tunnel mode
Classroom Lab Topology (diagram)
IPSec VPN
FGT1-06-50005-E-20140120
Module Overview
• IPSec VPN Overview and Terminology
• Internet Key Exchange
• IKE Phase 1
• IKE Phase 2
• Diffie-Hellman
• Quick Mode Selectors
• Policy-based VPN
• Route-based VPN
• Configuring Point-to-point VPNs
• VPN Monitor
Module Objectives
• By the end of this module participants will be able to:
  » Define the architectural components of IPSec VPN
  » Identify the phases of Internet Key Exchange (IKE)
  » Identify and compare route-based and policy-based VPNs
  » Deploy a site-to-site VPN between two FortiGate devices
  » Monitor VPN connections
Virtual Private Networks (VPN)
• A virtual private network (VPN) allows users to remotely access network resources as if they were physically connected to the local network
• Used when there is a need to transmit private data across a public network
• Is an encrypted point-to-point connection, so it cannot be intercepted by unauthorized users
• Uses different security methods to ensure that only authorized users can access the private network
IPSec VPN
• Suite of protocols for securing IP communications by authenticating and/or encrypting packets
• Solves requirements for:
  » Authentication
  » Data Integrity
  » Data Confidentiality
(Diagram: traffic crossing the private network is confidential, has integrity, and its sender is authenticated)
IPSec VPN Overview
• IPSec VPN operates at the network layer (layer 3)
  » Encryption occurs transparently to the upper layers
  » IP packets are encapsulated within IPSec packets
  » Applications do not need to be designed to use IPSec
• IPSec VPN can protect upper layer protocols (such as TCP), but the complexity, overhead and bandwidth required for the exchange are increased
Diffie-Hellman
• Diffie-Hellman is a 'key-agreement' protocol that allows a pair of peers to communicate over an insecure channel and independently calculate a shared secret key using only public keys
• The shared secret key is then used to calculate keys for symmetric encryption algorithms (such as 3DES, AES) and symmetric authentication (HMACs)
• With Perfect Forward Secrecy (PFS) a new common secret key is recalculated each time the phase 2 session key expires
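The three bullets above describe, in order, the agreement itself, the derivation of symmetric keys from the agreed secret, and PFS. The example below is added here and is not Fortinet's code. It runs the agreement over the 1024-bit MODP group from RFC 2409 (IKE group 2; the slide does not name a group, so this is an assumption, and a real phase 1 uses whichever group is configured), derives an encryption key and an HMAC key from the secret with an illustrative HMAC-SHA256 step keyed by both peers' nonces (IKE's own PRF chain differs in detail), and shows the PFS property: two consecutive negotiations with everything else equal produce unrelated key sets, so one compromised phase 2 key tells an attacker nothing about the next. The nonces and labels are constructed.

```python
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2 "Second Oakley Group" (1024-bit MODP, IKE DH group 2), generator 2.
# Transcribed here for the demonstration; on a FortiGate the phase 1 configuration selects the group.
P = int((
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 "
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 "
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED "
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF"
).replace(" ", ""), 16)
G = 2


class DhPeer:
    """One IKE peer's half of the exchange: a fresh private exponent and the public value g^x mod p."""

    def __init__(self):
        self.private = secrets.randbelow(P - 2) + 1      # x in [1, p-2], never reused
        self.public = pow(G, self.private, P)

    def shared_secret(self, peer_public: int) -> int:
        # Reject degenerate public values (0, 1, p-1) that would force a predictable secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("peer public value out of range")
        return pow(peer_public, self.private, P)


def derive_keys(shared_secret: int, nonce_i: bytes, nonce_r: bytes, label: bytes):
    """Turn the agreed secret into an encryption key and an HMAC key.
    Illustrative HMAC-SHA256 derivation keyed by both nonces; IKE's PRF chain differs in detail."""
    secret_bytes = shared_secret.to_bytes((P.bit_length() + 7) // 8, "big")
    skeyid = hmac.new(nonce_i + nonce_r, secret_bytes, hashlib.sha256).digest()
    enc_key = hmac.new(skeyid, label + b"|enc", hashlib.sha256).digest()    # e.g. for AES
    auth_key = hmac.new(skeyid, label + b"|auth", hashlib.sha256).digest()  # e.g. for HMAC integrity
    return enc_key, auth_key


def negotiate(nonce_i: bytes, nonce_r: bytes, label: bytes = b"phase2"):
    """One complete agreement: each side computes the secret from the other's public value alone."""
    initiator, responder = DhPeer(), DhPeer()
    secret_i = initiator.shared_secret(responder.public)
    secret_r = responder.shared_secret(initiator.public)
    if secret_i != secret_r:
        raise RuntimeError("peers disagree")   # cannot happen with correct arithmetic
    return derive_keys(secret_i, nonce_i, nonce_r, label)


def pfs_rekey_demo(nonce_i: bytes, nonce_r: bytes) -> bool:
    """With PFS every phase 2 rekey runs a fresh exchange, so two consecutive key sets differ
    even though the nonces (and the phase 1 protecting them) are identical."""
    first, second = negotiate(nonce_i, nonce_r), negotiate(nonce_i, nonce_r)
    return first != second


if __name__ == "__main__":
    enc, auth = negotiate(b"constructed-nonce-i", b"constructed-nonce-r")
    print("encryption key:", enc.hex()[:32], "...")
    print("integrity key :", auth.hex()[:32], "...")
    print("rekey gives fresh keys (PFS):", pfs_rekey_demo(b"constructed-nonce-i", b"constructed-nonce-r"))
```

Without PFS the phase 2 keys would instead be derived again from the phase 1 secret, so a single recovered phase 1 secret would unlock every subsequent phase 2; the extra exponentiation per rekey is the price of breaking that link.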
Internet Key Exchange
• Internet Key Exchange (IKE) allows the parties involved in a transaction to set up their Security Associations (SAs)
  » SAs are the basis for building security functions into IPSec
  » In normal two-way traffic the exchange is secured by a pair of SAs
  » IPSec administrators decide the encryption and authentication algorithms that can be used in the exchange
• IKE uses two distinct phases:
  » Phase 1
  » Phase 2
Phase 1
• IKE phase 1 performs the following:
  » Authenticates and protects the parties involved in the IPSec transaction
    • Can use pre-shared keys or digital certificates (RSA signature)
  » Negotiates a matching IKE SA policy between the peers to protect the exchange
  » Performs a Diffie-Hellman exchange
    • The keys derived from this exchange are used in phase 2
  » Sets up a secure channel to negotiate phase 2 parameters
• Two possible modes:
  » Main mode: 6 packets are exchanged
  » Aggressive mode: 3 packets are exchanged
Phase 2
• IKE phase 2 performs the following:
  » Negotiates IPSec SA parameters
    • Protected by the existing IKE SA
  » Renegotiates IPSec SAs regularly to ensure security
  » Optionally, an additional Diffie-Hellman exchange may be performed
• There can be more than one phase 2 per phase 1
• One mode:
  » Quick mode
Quick Mode Selectors
• Are used to identify and direct traffic to the appropriate phase 2 in cases where multiple phase 2s exist
• Allow SAs with different granularities
• Similar to firewall policies:
  » VPN traffic that does not match the selectors is dropped
• Selectors support:
  » Destination and source IP addresses
  » Protocol number, and source and destination ports
• In point-to-point VPNs, the selector configuration at both ends must mirror each other:
  » The source at one end must be the destination at the other end
Types of FortiGate VPN Configurations
• Route-based (also known as interface-based):
  » Creates a virtual IPSec network interface:
    • Traffic crossing the tunnel must be routed to the virtual IPSec interface
  » One firewall policy (with the action ACCEPT) is usually required per direction
• Policy-based (also known as tunnel-based):
  » One firewall policy (with the action IPSEC) is required to allow connections bidirectionally
  » Hidden in the GUI by default. It can be enabled with the command:
      config system global
        set gui-policy-based-ipsec enable
      end
Policy-based Versus Route-based

Feature                              Policy-based                       Route-based
FortiGate operation modes supported  NAT and transparent modes          Only NAT mode
L2TP-over-IPSec                      Yes                                No
GRE-over-IPSec                       No                                 Yes
Routing Protocols                    No                                 Yes
Number of policies per VPN           One policy controls connections    A separate policy is required for
                                     in both directions                 connections in each direction

• Generally speaking, route-based VPNs offer more control and flexibility
Configuration
• Step 1: Configure the phase 1
• Step 2: Configure one or more phase 2s
• Step 3: Create the firewall policies
• Step 4: Route the traffic to the IPSec interface (only for route-based VPNs)
Step 1: Defining Phase 1 Parameters (screenshot callout: enable it to select route-based VPN; disable it to select policy-based VPN)
Step 2: Defining Phase 2 Parameters (screenshot)
Step 3: Firewall Policy for Policy-based VPN (screenshot)
Step 3: Firewall Policy for Route-based VPN (screenshot callout: the name of the IPSec interface matches the name of the phase 1)
Step 4: Routing the Traffic (only for Route-based VPN) (screenshot callouts: IP address at the remote site; IPSec interface)
IPSec VPN Monitor
• Monitor activity on IPSec VPN tunnels
  » Stop and start tunnels
  » Display address, proxy IDs, timeout information
• A green arrow indicates that the negotiations were successful and the tunnel is UP
• A red arrow means the tunnel is DOWN or not in use
IPSec VPN Monitor Example (screenshot callouts: Phase 1 name; Key life remaining time; Local Quick Mode Selector; Remote Quick Mode Selector; Status)
Labs
• Lab 1: IPSec VPN
  » Ex 1: Site to Site IPSec VPN
Classroom Lab Topology (diagram)
Antivirus
FGT1-07-50005-E-20131015
Module Overview
• Terminology
• Heuristic Scanning
• Sandboxing
• Botnet Connections
• Proxy-Based scanning
• Flow-Based scanning
• Conserve mode
• Memory Diagnostics
• and more…
Module Objectives
• By the end of this module participants will be able to:
  » Identify conserve mode conditions and AV system behavior
  » Define the virus scanning techniques used on the FortiGate unit
  » Differentiate between proxy-based and flow-based virus scanning
  » Configure virus scanning
  » Update antivirus signature databases through FortiGuard services
  » Set up Grayware and Heuristic scanning
  » Submit unknown virus samples to Fortinet
  » Describe the virus scanning order of operations
Terminology: Malware Classifications
• Malware
  » Umbrella term for software that makes unauthorized changes to a computer
• Virus
  » Infects the computer and spreads on its own
  » User interaction is not required
    o Behavior is modeled after a biological virus
    o Size: very small
• Grayware
  » User interaction is required for installation
  » Often comes bundled with the installation of free software
    o Size: highly variable (usually small)
Types of Malware: Virus Types
• Trojan
  » Spreads to other hosts
  » Does not replicate on the same host (multiple infections still possible)
• Worm
  » Spreads to other hosts
  » Replicates on the same host, repeatedly
Types of Malware: Evasion Techniques
• Encrypted
  » Payload is encrypted
• Polymorphic
  » Payload uses changing encryption with each infection
  » Requires a polymorphic engine as part of the payload
• Metamorphic
  » Rewrites the payload with each infection
  » Requires a metamorphic engine as part of the payload
Types of Malware: Behavior
• Spyware
  » Tracks user website behavior
• Adware
  » Automatically injects advertisements in order to generate revenue
• Ransomware
  » Restricts user access and demands payment to remove the restriction
• Rootkit
  » Obtains root (admin) access
• Keylogger
  » Captures keystrokes
• Mass Mailer
  » Sends out large volumes of emails
Antivirus
• Detects and eliminates viruses, worms, Trojans and spyware in real time
  » Stops threats before they enter the network
• Scans HTTP and FTP traffic as well as SMTP, POP3, IMAP and other protocols
• Internet Content Adaptation Protocol (ICAP) support
  » The FortiGate unit acts as an ICAP client to communicate with ICAP servers that the FortiGate unit can utilize for offloading AV scanning services
  » First enable it in the CLI:
      conf sys global
        set gui-icap enable
      end
    then configure under Security Profiles > ICAP
Heuristics Scanning
• Heuristic scanning tests for "virus-like" or "dangerous" behavior
• Virus-like attributes are totaled. If the total is greater than a threshold, the file is marked as suspicious
  » Virus-like attribute + Virus-like attribute + Virus-like attribute > Heuristic threshold → Suspicious
• Possibility of false positives
Heuristics Scanning: Configuration
    config antivirus heuristic
      set mode [pass|block|disable]
    end
• Pass
  » Enable Heuristic scanning and pass detected files
• Block
  » Enable Heuristic scanning and block detected files
• Disable
  » Turn off Heuristic scanning
Grayware Scanning
    config antivirus setting
      set grayware [enable|disable]
    end
• Enable or Disable only
• Acts as part of the normal virus scan
  » Takes action as if the file were infected with a virus
Sandboxing
• Files detected by Heuristics as suspicious can be submitted for Sandboxing
  » FortiGuard or FortiSandbox
• Sandboxing a file means executing and monitoring it within a protected environment to determine whether it is a new kind of virus or just a software install
  » For example, a driver install modifies the registry and/or the system files
• Helps detect zero-day vulnerabilities and provides data for the FortiGuard AV analysts
Botnet Connections
• FortiGuard maintains a list of known Botnet IP addresses
• Connections to known Botnet server IPs will be dropped
• The Botnet list is periodically updated with FortiGuard updates
  » Requires a valid contract
  » The database version can be viewed in the CLI:
      diag autoupdate version
Proxy-Based Scanning
• The antivirus proxy buffers the file as it arrives
• Once transmission is complete, the virus scanner examines the file
• Higher detection and accuracy rate
• Comfort Clients can be used to avoid timeouts
• Multiple database options
Proxy-Based Scanning: File Size vs Detection Rate
• Most malware is small
  » Altering the file size limit does not greatly impact security
  » Altering the file size limit can greatly impact memory levels
  » The 10mb default size is to achieve certification

Detection rate by buffer size limit (∞ = no limit):

Type         1mb     2mb     3mb     4mb     5mb     6mb     7mb     8mb     9mb     10mb    ∞
exploit      99.83%  99.95%  99.97%  99.97%  99.98%  99.98%  99.99%  100%    100%    100%    100%
mass-mailer  99.62%  99.87%  100%    100%    100%    100%    100%    100%    100%    100%    100%
phish        100%    100%    100%    100%    100%    100%    100%    100%    100%    100%    100%
spyware      95.08%  97.97%  98.88%  99.47%  99.76%  99.83%  99.89%  99.91%  99.94%  99.95%  100%
trojan       97.52%  99.24%  99.62%  99.80%  99.88%  99.93%  99.95%  99.97%  99.98%  99.98%  100%
virus        98.27%  99.37%  99.63%  99.80%  99.88%  99.93%  99.95%  99.97%  99.98%  99.99%  100%
worm         99.02%  99.65%  99.74%  99.86%  99.89%  99.92%  99.94%  99.94%  99.95%  99.96%  100%
Proxy-Based Scanning: Scan Order (Not Oversized)
(Flowchart) START → buffer the file until EOF or the oversize limit → Larger than oversize? No → Is an archive? If yes, check the uncompressed size limit: exceeded → block the file/email; otherwise → Virus scan → Infected → block the file/email; Clean → Grayware enabled? Yes → Grayware scan → Infected → block; Clean (or grayware not enabled) → Heuristic enabled? Yes → Heuristic scan → Infected → Action? Pass → pass the file/email, Block → block the file/email; Clean (or heuristic not enabled) → pass the file/email
Proxy-Based Scanning: Scan Order (Oversized)
(Flowchart) START → buffer the file until EOF or the oversize limit → Larger than oversize? Yes → Oversize action? Pass → pass the file/email; Block → block the file/email
Proxy-Based Scanning: Full Decision Tree
(Flowchart) START → buffer the file until EOF or the oversize limit → Larger than oversize?
  » Yes → Oversize action? Pass → pass the file/email; Block → block the file/email
  » No → Is an archive? Yes and over the uncompressed size limit → block the file/email; otherwise → Virus scan
    • Infected → block the file/email
    • Clean → Grayware enabled? Yes → Grayware scan (Infected → block the file/email; Clean → continue); No → continue
    • Heuristic enabled? Yes → Heuristic scan (Infected → Action? Pass → pass the file/email, Block → block the file/email; Clean → pass the file/email); No → pass the file/email
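The decision tree above, together with the heuristic-threshold rule and the grayware and heuristic CLI settings from earlier slides, can be written as one function; the example below does that and is added here, not Fortinet's code or engine. The signature and heuristic engines are stand-ins (substring matches on constructed markers), the file-size limits use the 10 MB default quoted on the file-size slide, and the reading that an archive over the uncompressed size limit is blocked follows the flowchart's "Block" branch at that node. The value of the exercise is seeing which settings decide a file's fate at which stage: an oversized file never reaches the signature scanner at all, grayware only matters when enabled, and a heuristic hit is governed by the configured mode rather than blocked outright.

```python
from dataclasses import dataclass


@dataclass
class AvConfig:
    """Settings named on the slides; values are constructed defaults for the demo."""
    oversize_limit: int = 10 * 1024 * 1024        # 10 MB default quoted on the file-size slide
    oversize_action: str = "pass"                 # for files larger than the buffer: pass | block
    uncompressed_limit: int = 10 * 1024 * 1024    # cap on an archive's decompressed size (assumed default)
    grayware: bool = False                        # config antivirus setting / set grayware
    heuristic_mode: str = "disable"               # config antivirus heuristic / set mode pass|block|disable
    heuristic_threshold: int = 3                  # virus-like attributes must total MORE than this


@dataclass
class BufferedFile:
    """What the proxy holds once the transfer is complete (or the buffer limit is hit)."""
    data: bytes
    is_archive: bool = False
    uncompressed_size: int = 0


# Constructed stand-ins for signature and heuristic engines. A real scanner matches a signature
# database; a substring match on labelled markers is enough to drive the decision tree here.
VIRUS_SIGNATURES = (b"DEMO-VIRUS-SIG",)
GRAYWARE_SIGNATURES = (b"DEMO-GRAYWARE-SIG",)
HEURISTIC_MARKERS = (b"HEUR:self-modify", b"HEUR:packed", b"HEUR:hooks-api", b"HEUR:autorun")


def signature_hit(data: bytes, signatures) -> bool:
    return any(sig in data for sig in signatures)


def heuristic_score(data: bytes) -> int:
    """'Virus-like attribute + virus-like attribute + ...': one point per marker present."""
    return sum(1 for marker in HEURISTIC_MARKERS if marker in data)


def proxy_scan(f: BufferedFile, cfg: AvConfig):
    """Walk the slides' decision tree top to bottom.
    Returns (verdict, stage): verdict is 'pass' or 'block', stage names the branch that decided."""
    # 1. Oversized: the file never reaches the scanner; the oversize action alone decides.
    if len(f.data) > cfg.oversize_limit:
        return cfg.oversize_action, "oversize"
    # 2. An archive whose decompressed size exceeds the limit cannot be fully inspected: blocked.
    if f.is_archive and f.uncompressed_size > cfg.uncompressed_limit:
        return "block", "uncompressed-size-limit"
    # 3. Signature scan.
    if signature_hit(f.data, VIRUS_SIGNATURES):
        return "block", "virus"
    # 4. Grayware scan, only if enabled; a hit is treated like a virus.
    if cfg.grayware and signature_hit(f.data, GRAYWARE_SIGNATURES):
        return "block", "grayware"
    # 5. Heuristic scan, only if enabled; the configured mode decides what happens to a suspicious file.
    if cfg.heuristic_mode != "disable" and heuristic_score(f.data) > cfg.heuristic_threshold:
        return cfg.heuristic_mode, "heuristic"
    return "pass", "clean"


if __name__ == "__main__":
    strict = AvConfig(oversize_action="block", grayware=True, heuristic_mode="block")
    samples = {
        "oversized download": BufferedFile(b"x" * (strict.oversize_limit + 1)),
        "clean document": BufferedFile(b"quarterly report"),
        "bundled toolbar": BufferedFile(b"installer DEMO-GRAYWARE-SIG"),
        "suspicious binary": BufferedFile(b"|".join(HEURISTIC_MARKERS)),
    }
    for name, sample in samples.items():
        print(f"{name:18s} default: {proxy_scan(sample, AvConfig())}   strict: {proxy_scan(sample, strict)}")
```

Comparing the default and strict configurations for the same files is the quickest way to see the trade-off the slides describe: blocking oversized files and enabling heuristics raise the detection rate but also raise memory use and the chance of a false positive.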
Flow-Based Scanning
• The file is scanned on a packet-by-packet basis as it passes through the FortiGate unit
• Faster scanning, but lower accuracy rate
  » Difficulty in catching virus variants
• Only available on certain models
• Non-proxy scanning
Flow-Based Scanning: Scan Order
(Flowchart) START → Normalize packet → Virus scan → Clean → pass the file/email; Infected → block the file/email
• Normalization is required to get at the real packet contents
  » Headers removed (tunneling, GRE, etc.)
  » Reassembled (if fragmented)
• Virus scanning within an archive is not possible
  » Requires the entire file to decompress (proxy-based only)
• Grayware: some signatures are included in the Flow database
• Heuristic (proxy-based only)
Compressed File Scanning
• Identification of archive types can usually be done with just the file header information
• Proper decompression takes the entire file
• Password protected archives cannot be decompressed
• The archive is unpacked and the contents are scanned
• Scanning inside nested archives is supported (default 12 layers):
    config antivirus service
      set uncompnestlimit <2-100>
    end
Proxy Scanning Time Limit
• AV scanning on the local PC is not limited by time
  » The user can wait until the scan is finished
• The proxy delays traffic
  » 30 seconds are allowed for AV scanning to complete
  » The watchdog will interrupt the scan process and the traffic will pass (a timeout may already have occurred)
  » An entry goes into the crashlog: Scanunit crashed Signal 14
Virus Definition Databases
• Regular
• Extended
• Extreme
• Flow-Based
• Smart Update technology
  » Only databases that are enabled for use on a firewall policy will update
Virus Definition Databases: Updating
• Manually: download definitions from the Support site and upload them
• Automatically
Virus Definition Databases: Proxy Database selection
• Default is to scan using regular “in the wild” database
» set proxy database in CLI
# config antivirus setting
# set default-db [normal|extended|extreme]
# end
• Regular database available on all models
• Extended database available on most models
• Extreme database only available on a select few models
Submitting Unknown Viruses
• Sometimes a virus may go undetected because it is not in the signature database
» To submit a virus go to: http://www.fortiguard.com/antivirus/virus_scanner.html
Investigating Virus Infections
• Sometimes viruses will get through because the proper antivirus scan options are not enabled
» FortiGuard Subscription Service contains information on which database a virus is in
Antivirus Profiles
SSL Inspection Options
Logging and Monitoring
Conserve mode: What is it?
• What is ‘Conserve mode’?
• System self protection measure when facing local resource exhaustion
» When entering conserve mode the FortiGate unit activates protection measures in order to recover exhausted resources
» Once enough resources are recovered, the system leaves the conserve mode state and releases the protection measures
• Search “conserve mode” at: http://kb.fortinet.com
» KB Article IDs: FD33103, 11076, 10209
Conserve mode: Different Types
• 3 kinds of Conserve mode
• Kernel
» Not enough memory available for the operating system (kernel) to do its job
» No set memory level
• System
» Overall high memory situation
» Occurs when system memory hits around 80% (exits at 70%)
• Proxy
» Occurs when proxy runs out of available connections
» Max proxy connections varies by device model
• Impact (configurable for System & Proxy)
» Only New sessions are subject to conserve mode rules
» Fail Open or Closed
Conserve mode: av-failopen
• av-failopen is a CLI setting that governs FortiGate behavior for UTM inspected traffic when the device enters System Conserve mode (~80% Memory)
config system global
set av-failopen {idledrop | off | one-shot | pass}
end
• idledrop – Drops all idle connections on the proxy
• off – All new sessions with UTM scanning enabled are not passed
• one-shot – attempt UTM scanning on all new sessions
• pass (default) – All new sessions with UTM scanning enabled pass without inspection
Conserve mode: av-failopen-session
• av-failopen-session is a CLI setting that governs FortiGate behavior for UTM inspected traffic when the device enters Proxy Conserve mode (0 available connections on the proxy)
config system global
set av-failopen-session {enable | disable}
end
• enable – Use behavior from av-failopen setting
• disable (default) – block all further sessions, until connections become available on the proxy
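To make the enter/exit hysteresis of System conserve mode and the effect of av-failopen and av-failopen-session on new sessions concrete, here is an added simulation (example code, not FortiOS logic); the 80%/70% thresholds and the option behaviours are taken from the slides, while the sampling loop, the state names and the exact proxy-mode precedence are assumptions of the example.

```python
from dataclasses import dataclass

# Thresholds from the slides: System conserve mode is entered at ~80% memory
# and left again at 70%. The gap (hysteresis) stops the unit from flapping.
ENTER_PCT = 80
EXIT_PCT = 70


@dataclass
class ConserveState:
    system: bool = False   # System conserve mode (overall memory)
    proxy: bool = False    # Proxy conserve mode (no free proxy connections)


def step(state, mem_pct, free_proxy_conns):
    """Advance the state for one sample of memory use and free proxy connections."""
    if not state.system and mem_pct >= ENTER_PCT:
        state.system = True
    elif state.system and mem_pct <= EXIT_PCT:
        state.system = False          # only leaves once usage has fallen to 70%
    state.proxy = free_proxy_conns <= 0
    return state


def simulate(samples):
    """Return the System conserve flag after each (mem_pct, free_conns) sample."""
    state = ConserveState()
    return [step(state, mem, conns).system for mem, conns in samples]


# What a NEW session gets under each av-failopen value (existing sessions are untouched).
AV_FAILOPEN_EFFECT = {
    "pass": "pass-uninspected",       # default
    "off": "block",
    "one-shot": "inspect-once",
    "idledrop": "drop-idle-proxy-conns",
}


def new_session(state, utm_inspected, av_failopen="pass", av_failopen_session="disable"):
    """Decide what happens to a new session given the conserve state and settings."""
    if not (state.system or state.proxy):
        return "inspect"
    if not utm_inspected:
        return "pass"                 # conserve rules only apply to UTM-inspected traffic
    if state.proxy and av_failopen_session == "disable":
        return "block"                # default: hold new sessions until proxy connections free up
    return AV_FAILOPEN_EFFECT[av_failopen]   # System mode, or Proxy mode with the session setting enabled
```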
Conserve mode: Kernel Conserve mode
• Kernel Conserve mode behavior is not configurable.
» FortiGate attempts to clear up memory by letting go of memory that is not in use, but has not been released yet
» All idle connections on proxies are dropped
» New connections pass without inspection (not configurable)
Conserve mode: Log Behavior
• Kernel and System conserve mode occur due to lack of overall memory resources.
» Event recorded in memory
» Log cannot be created until the device leaves conserve mode
• Proxy conserve mode is a depletion of available connections, but not memory
» Log created immediately
• Proper monitoring of vital infrastructure components is essential
» SNMP, etc
Memory Diagnostics: get sys perf stat
# get sys perf stats
CPU states: 0% user 0% system 0% nice 100% idle
CPU0 states: 0% user 0% system 0% nice 100% idle
CPU1 states: 0% user 0% system 0% nice 100% idle
CPU2 states: 0% user 0% system 0% nice 100% idle
CPU3 states: 0% user 0% system 0% nice 100% idle
Memory states: 57% used
Average network usage: 21 kbps in 1 minute, 17 kbps in 10 minutes, 92 kbps in 30 minutes
Average sessions: 114 sessions in 1 minute, 130 sessions in 10 minutes, 176 sessions in 30 minutes
Average session setup rate: 0 sessions per second in last 1 minute, 0 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 10 days, 0 hours, 17 minutes
Memory Diagnostics: diag hard sys shm
# diag hard sys shm
SHM counter: 25769
SHM allocated: 32575488
SHM total: 1629380608
conservemode: 0
shm last entered: n/a
system last entered: n/a
SHM FS total: 1665851392
SHM FS free: 1631911936
SHM FS avail: 1631911936
SHM FS alloc: 33939456
conservemode values: 1 – Proxy, 2 – System, 3 – Both
Memory Diagnostics: diag fire iprope state
# diag fire iprope state
av_break=pass/off av_conserve=off
Alloc: iprope=167 shaper=5 user=0 nodes=4 pol=10 app_src=0 auth_logon=0 auth_info=0
av_service=http fail open act=off
av_service=imap fail open act=off
av_service=pop3 fail open act=off
av_service=smtp fail open act=off
av_service=ftp fail open act=off
av_service=im fail open act=off
av_service=p2p fail open act=off
av_service=nntp fail open act=off
av_service=https fail open act=off
av_service=imaps fail open act=off
av_service=pop3s fail open act=off
av_service=smtps fail open act=off
av_service=ftps fail open act=off
av_service=cifs fail open act=off
total group number = 12 act=2
00100012 00100003 00000003 00000004 00100004 00000005 00000006 00000007 0010000a 0010000c 0010000e 0010000f
av_break values: off – not in Kernel Conserve mode, pass – Kernel Conserve mode
Memory Diagnostics: diag hard sys slab
# diag hard sys slab
slabinfo - version: 1.1 (SMP)
(columns as printed: name, active objs, total objs, object size, active slabs, total slabs, pages per slab, extra counter : limit, batchcount)
kmem_cache        108  108  216    6    6  1   0 : 252 126
tcp6_session        0    0  928    0    0  1   0 : 124  62
ip6_session         0    0  864    0    0  2   0 : 124  62
sctp_session        0    0  992    0    0  1   0 : 124  62
tcp_session       380  628  960  122  157  1  35 : 124  62
ip_session        414  600  928  130  150  1  20 : 124  62
ip6_mrt_cache       0    0  384    0    0  1   0 : 124  62
fib6_nodes        118  118   64    2    2  1   0 : 252 126
ip6_dst_cache      60   60  320    5    5  1   0 : 124  62
ndisc_cache        34   34  224    2    2  1   0 : 252 126
ip_mrt_cache        0    0  352    0    0  1   0 : 124  62
tcp_tw_bucket     384  510  224   30   30  1   0 : 252 126
tcp_bind_bucket   672  672   32    6    6  1   0 : 252 126
tcp_open_request  624  624  160   26   26  1   0 : 252 126
…
Google ‘unix slab’ for more information
Memory Diagnostics: diag sys top-summary
# diag sys top-summary
CPU [||||||||||                              ]  25.0%
Mem [||||||||||||||||||||||                  ]  55.0%   1101M/1975M
Processes: 20 (running=1 sleeping=100)
 PID     RSS  ^CPU%  MEM%   FDS     TIME+  NAME
*594     16M    0.0   0.8    28  00:02.30  scanunitd [x4]
  44     22M    0.0   1.1    11  00:23.44  cmdbsvr
  50     12M    0.0   0.6    89  00:00.64  zebos_launcher [x12]
  51     11M    0.0   0.6     9  00:00.10  uploadd
  52     15M    0.0   0.8    54  21:23.55  miglogd [x2]
  53     11M    0.0   0.6     5  00:00.20  kmiglogd
  54     51M    0.0   2.6    19  02:09.40  httpsd [x7]
  60     47M    0.0   2.4  1465  01:44.27  proxyd [x7]
  61      4M    0.0   0.2    43  00:00.70  imd
  64     12M    0.0   0.6     7  00:00.00  wad_diskd
 614    343M    0.0  17.4    71  00:24.66  ipsmonitor [x7]
  68     11M    0.0   0.6     5  00:00.00  getty
  74     11M    0.0   0.6     7  00:00.20  merged_daemons
  75     11M    0.0   0.6     7  00:00.00  fnbamd
  80     11M    0.0   0.6     8  00:00.00  fclicense
• RSS – Real Set Size
» Memory usage
• FDS – File Descriptors
» # open files
» # Times the process has forked
Labs
• Lab 1: Antivirus Scanning
» Ex 1: Antivirus Testing
Classroom Lab Topology
Email Filtering
© 2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT1-08-50005-E-20131015
Module Overview
• The Building blocks of Email
• Email Filtering Methods
• Email Filtering Actions
• Email Filtering Order of Operations
• Email Filtering and Virus Scanning
• Submitting False-Positives through FortiGuard
• Creating an Email Filter Profile
• Viewing Email Filtering Log Messages
• Deployment strategies
Module Objectives
• By the end of this module participants will be able to:
» Identify the email filtering methods used on a FortiGate device
» Create Firewall policies for Spam detection and email scanning using Email Filter profiles
» Modify inspection rules in order to black or white list emails
» State available inspection options for various transmission protocols
» Describe the flow of email through various transmission protocols
» Use logs to view and monitor email filtering activity and events
Email Basics Overview: Abbreviations & Terminology
SMTP – Simple Mail Transfer Protocol (RFC 821)
ESMTP – Extended Simple Mail Transfer Protocol (RFC 5321)
POP – Post Office Protocol (RFC 1939 – POP3)
IMAP – Internet Message Access Protocol (RFC 2060 – IMAP4rev1)
MTA – Mail Transfer Agent (Email Server)
MAA – Mail Access Agent (User Authentication & Mail Retrieval)
MUA – Mail User Agent (Software like Thunderbird)
MX Record – Mail Exchange Record (DNS lookup)
Mail Relay – Intermediate Mail server
Open Relay – Mail server with no restrictions on destination emails
The building blocks of Email: SMTP
• Designed to get a message from point A to point B, without knowing anything about point B
» Port 25
• Clear text protocol
• Best effort protocol (very little is “required”)
» Only a destination
• 3 Digit response codes to command requests
» 2xx indicates the command was successful
» 3xx command incomplete (authentication is multiple steps)
» 4xx temporary failure of some kind (situation may fix itself, try again later)
» 5xx permanent failure (Human intervention is required to change this)
• SMTPS is SMTP encapsulated in SSL encryption on port 465
The building blocks of Email: MX Records
• Used to resolve Mail domains
» Can contain hostnames or IPs
» Each entry contains a preference/priority (lowest first)
> nslookup
> server 4.2.2.3
Default Server: [4.2.2.3]
Address: 4.2.2.3
> set q=mx
> google.com
Server: [4.2.2.3]
Address: 4.2.2.3
Non-authoritative answer:
google.com MX preference = 50, mail exchanger = alt4.aspmx.l.google.com
google.com MX preference = 10, mail exchanger = aspmx.l.google.com
google.com MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
google.com MX preference = 40, mail exchanger = alt3.aspmx.l.google.com
google.com MX preference = 30, mail exchanger = alt2.aspmx.l.google.com

> nslookup
> server 4.2.2.3
Default Server: [4.2.2.3]
Address: 4.2.2.3
> Set q=a+aaaaa
> google.com
Server: [4.2.2.3]
Address: 4.2.2.3
Non-authoritative answer:
Name: google.com
Addresses: 2001:4860:4007:800::1005 74.125.224.164 74.125.224.169 74.125.224.168 74.125.224.165 74.125.224.161 74.125.224.163 74.125.224.167 74.125.224.162
The building blocks of Email: POP & IMAP
• Protocols are used to receive/check email
» Cannot be used to send email
• POP is a very basic protocol
» Download & delete
» Data stored on client (server only has Inbox)
• IMAP is more robust
» Create & delete mailboxes (server side folders)
» Synchronize folders (inbox, sent items, etc)
» Designed for accessing the same email from multiple locations
• Secure versions are encapsulated in SSL and run on different ports
» POP3S (995), IMAPS (993)
Email Basics: Overview of Message Flow
(diagram: numbered message flow steps 1 to 6; the two DNS MX answers used in the diagram follow)
;; ANSWER SECTION:
example3.com 3600 IN MX 50 relay.example2.net
example3.com 3600 IN MX 100 mail.example3.com

;; ANSWER SECTION:
example3.com 3600 IN MX 50 mail.example3.com
example3.com 3600 IN MX 100 relay.example2.net
Spam Actions
• Tag to add a custom phrase/word to subject line or a MIME header and value to body of an email message for use in back end or client filtering
» Example: Subject: Free Stuff becomes Subject: [SPAM] Free Stuff
• Discard to immediately drop the SMTP connection if spam is detected, sending a 5xx response
Email Filtering
• FortiGate unit can detect and manage spam email
(diagram: incoming email passes through the FortiGate email filter, which decides SPAM?)
Email Filtering Methods
• The FortiGate unit uses a number of techniques to help detect spam
» Some use the FortiGuard Antispam service (requires a subscription)
• IP, Email, URL, Checksum
» Others use DNS servers or filters created on the device
• HELO DNS
• Return Email
» Manually configured options
• Black/White listed IPs
• Black/White listed Emails (by IP, by name: domain or email)
• MIME Headers
• Banned word
Email Filtering Methods: FortiGuard IP
• Connecting IP address is checked
• FortiGuard is a reputation database
» IP behavior is tracked by volume (historically)
» More queries about an IP’s activity to the FortiGuard network makes the reputation worse
» IPs have a reputation score, the higher the better
• 1 is permanently black listed (score will not change, without FortiGuard interaction)
• 3 or less is considered spam
Email Filtering Methods: FortiGuard URL and Email Address
Example message body: “Visit our web site at www.acme.com to learn more about this great offer or send an email to [email protected].”
• What language or character set is the email in?
» KB Article ID: FD32502
Email Filtering Methods: FortiGuard Email Checksum
• The FortiGate unit sends a hash of the email message to the FortiGuard Antispam Service
• FortiGuard Antispam Service compares the hash received to hashes of known spam messages
Example: “Our online pharmacy offers great prices on all your prescription medications.” → hash
Email Filtering Methods: Black/White List (IP)
• The FortiGate unit compares the IP address of the sender of an email message to the IP addresses specified in the email filter profile
» An administrator can add to or edit the IP addresses and configure the action to take
• Possible actions on a match
» Spam (use configured spam action)
» Clear (consider as not Spam)
» Reject (SMTP Only, force 5xx response regardless of spam action)
Email Filtering Methods: Black/White List (email)
• The FortiGate unit compares the email address of the sender of an email message to the email addresses specified in the email filter profile
» An administrator can add to or edit the email addresses and configure the action to take
» Wild card and regular expressions can be used to define the email address
Example: From: [email protected] → Mark as Spam / Mark as Clear
Email Filtering Methods: HELO DNS
• Confirms that client EHLO response resolves to an IP address
220 mail.server.com ESMTP service ready
EHLO server.example.com          ← DNS resolves ?
250- mail.server.com says hello
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250-8BITMIME
250-SIZE 54525952
Email Filtering Methods: Return Email DNS
• Confirms that sending email domain from the reply-to field resolves to an IP Address
» Domain the email gets sent to, should resolve to an IP
• Does NOT perform any kind of comparison to sender’s IP
Email Filtering Methods: Banned Word
• FortiGate unit blocks email based on words or patterns in the message
• A weight is assigned to any banned words in the message
• If threshold is exceeded, the message is marked as spam
• Define using Wildcards and regular expressions
• Patterns only count towards total score once
Example message: “Let us fill all your prescription drugs. Visit our online pharmacy for great prices on prescription medications. We offer the widest selection of popular drugs.”
Drugs Score=10, Pharmacy Score=5, Prescription Score=5; Threshold=18; 10 + 5 + 5 = 20
Email Filtering Methods: MIME Headers
• The FortiGate unit can check the MIME header information of incoming email messages
» If a match is found in the header list configured on the device, the corresponding action is taken
• Configured through CLI only
# config spamfilter mheader
# edit (id)
# config entries
# edit (entry_id)
# set action [spam|clear]
# set fieldbody (pattern)
# set fieldname (pattern)
# next
# end
# next
# end
Email Filtering Methods: DNSBL and ORDBL
• The FortiGate unit can compare the IP address or domain name of an incoming email message against third-party DNSBL and ORDBL lists
» Match IP addresses or domain names of known spammers
• Configured through CLI only
# config spamfilter dnsbl
# edit [id]
# config entries
# edit [entry_id]
# set action [spam|reject]
# set server [destination]
# set status [enable|disable]
# next
# end
# next
# end
Checking all MTAs an email passed through
• IP based checks only look at the connecting IP of the session to determine if email is blacklisted (default)
• Every time an email passes through a mail server an entry should be added to the “Received” MIME header (depends on mailserver)
» New Servers should be added to the beginning of the list
• FortiGate can walk through the Received header and check all IPs
» Can cause issues if DNS is slow (emails can pass through multiple servers)
# config spamfilter profile
# edit
# config [pop|imap|smtp]
# set hdrip [enable|disable(default)]
# end
# next
# end
The ‘Received’ MIME Header
Normal contents can include:
• Date/time, ID, Transmitting Mail info (EHLO & IP), Receiving Mail info (Name and IP), TLS information, Protocol
• Exact format varies based on server software and configuration
Received: from mail.fortinet.com (192.168.221.64) by FGT-EXCH-CAS212.fortinet-us.com (192.168.221.212) with Microsoft SMTP Server id 14.1.438.0; Thu, 20 Feb 2014 19:58:32 -0800
Received: from mailrelay.fortinet.com (mailrelay.fortinet.com [192.168.221.66]) by mail.fortinet.com (8.14.4/8.14.4) with ESMTP id s1L3wWr7030157 for ; Thu, 20 Feb 2014 19:58:32 -0800
Received: from smtp.fortinet.com (smtp.fortinet.com [192.168.221.75]) by mailrelay.fortinet.com (8.13.8/8.13.8) with ESMTP id s1L3wWep008129 for < [email protected] >; Thu, 20 Feb 2014 19:58:32 -0800
Received: from mail-qg0-f47.google.com (mail-qg0-f47.google.com [209.85.192.47]) by smtp.fortinet.com with ESMTP id s1L3wUb7004281-s1L3wUb9004281 (version=TLSv1.0 cipher=RC4-SHA bits=128 verify=CAFAIL) for < [email protected] >; Thu, 20 Feb 2014 19:58:31 -0800
Received: by mail-qg0-f47.google.com with SMTP id 63so6254138qgz.6 for < [email protected] >; Thu, 20 Feb 2014 19:58:30 -0800 (PST)
Email Filtering Order: SMTP
(checks as laid out on the slide)
• IP BWL Check
• DNSBL & ORDBL, FortiGuard IP, HELO DNS
• MIME Header, Email BWL
• Banned word (on Body)
• IP BWL Check (Receive Header)
• Banned word (on Subject)
• Return Email DNS, FortiGuard URL, FortiGuard Checksum, DNSBL & ORDBL (Receive Header)
• Email filter checks continue until EITHER
» A check comes back with an action
» All checks are passed
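The added example below (not course or Fortinet code) models three of the SMTP checks above as an ordered chain that stops at the first check returning an action: the IP black/white list on the connecting IP, the email black/white list with wildcard or regexp patterns, and the Received-header walk that hdrip enables. The sample message, the check ordering used, the profile structure and the 554 response text are constructed for the example.

```python
import ipaddress
import re
from fnmatch import fnmatch

# Constructed sample message (not from the original page). Each MTA prepends its
# own Received header, so index 0 is the most recent hop (the connecting server).
SAMPLE_MESSAGE = {
    "from": "promo@example.org",
    "received": [
        "from relay.example.net (relay.example.net [192.0.2.10]) by mx.example.com "
        "with ESMTP id abc123; Thu, 20 Feb 2014 19:58:32 -0800",
        "from mail.example.org (mail.example.org [198.51.100.7]) by relay.example.net "
        "with ESMTP id def456; Thu, 20 Feb 2014 19:58:31 -0800",
        "from [203.0.113.45] by mail.example.org with SMTP id ghi789; "
        "Thu, 20 Feb 2014 19:58:30 -0800",
    ],
}

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(message):
    """Every source IP found in the Received headers, newest hop first."""
    ips = []
    for line in message.get("received", []):
        ips.extend(BRACKETED_IP.findall(line))
    return ips


def ip_bwl(ip, entries):
    """entries: (network, action) with action spam/clear/reject; first match wins."""
    addr = ipaddress.ip_address(ip)
    for network, action in entries:
        if addr in ipaddress.ip_network(network):
            return action
    return None


def email_bwl(sender, entries):
    """entries: (pattern, type, action); type is wildcard or regexp."""
    for pattern, kind, action in entries:
        if kind == "wildcard" and fnmatch(sender.lower(), pattern.lower()):
            return action
        if kind == "regexp" and re.search(pattern, sender, re.IGNORECASE):
            return action
    return None


def received_ip_bwl(message, entries):
    """The hdrip check: walk all Received-header IPs against the same IP list."""
    for ip in received_ips(message):
        action = ip_bwl(ip, entries)
        if action:
            return action
    return None


def smtp_filter(connecting_ip, message, profile):
    """Run the profile's checks in order until one returns an action."""
    checks = [("ip-bwl", lambda: ip_bwl(connecting_ip, profile["ip_bwl"])),
              ("email-bwl", lambda: email_bwl(message["from"], profile["email_bwl"]))]
    if profile.get("hdrip"):
        checks.append(("ip-bwl-received",
                       lambda: received_ip_bwl(message, profile["ip_bwl"])))
    for name, check in checks:
        action = check()
        if action is not None:
            return name, action
    return None, "clear"                 # every check passed


def smtp_response(action, spam_action="tag"):
    """What the sending MTA sees: reject and discard force a 5xx, tag still accepts."""
    if action == "reject" or (action == "spam" and spam_action == "discard"):
        return "554 5.7.1 rejected"      # constructed 5xx text
    if action == "spam":
        return "250 OK (subject tagged [SPAM])"
    return "250 OK"
```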
Email Filtering Order: POP3 & IMAP
(checks as laid out on the slide)
• MIME Header, Email BWL
• Banned Word (on Subject)
• Return Email DNS, FortiGuard IP, FortiGuard URL, FortiGuard Checksum, DNSBL & ORDBL
• IP BWL Check
• Banned word (on Body)
Not all SMTP based spam checks are available!!
• POP3/IMAP used between Mail server and client checking email
• SMTP used for delivering email
FortiGuard: Query cache
• Caching reduces FortiGuard requests; can improve performance
• Small % of system memory dedicated to cache
• Query results cached until TTL setting is reached
• Alternate port 8888 for access to FortiGuard servers
Cached items (example): IP address: 10.10.10.1, URL: www.acme.com, Message checksum: x65Fsd34c
# config system fortiguard
# set antispam-cache [enable|disable]
# set antispam-cache-ttl (300 - 86400)
# set antispam-cache-mpercent (1-15%)
# end
FortiGuard: Connectivity
# diagnose spamfilter fortishield servers
Locale     : english
License    : Contract
Expiration : Mon Apr 28 16:00:00 2014
-=- Server List (Thu Feb 20 14:09:04 2014) -=-
IP              Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
208.91.112.196       0    1  DI     -8        5          0           0
208.91.112.198       0    1  D      -8        2          0           0
96.45.33.65          0   25         -8        1          0           0
66.117.56.37        30   72         -5        1          0           0
209.222.147.43      30   68         -5        1          0           0
66.117.56.42        30   73         -5        1          0           0
80.85.69.37         80  147          0        1          0           0
80.85.69.40         80  147          0        1          0           0
62.209.40.74        90  207          1        1          0           0
Request Removal From FortiGuard
• Spam filtering is best effort, so there can be false positives that occur periodically
» FortiGuard Antispam Portal: www.fortiguard.com/antispam/antispam.html
Email Filter Profile
• Email Filter security feature disabled by default
» To configure profile, first go to System > Status and set Email Filter to ON
SSL Options
• SMTPS is SSL encapsulated SMTP
» Decoding requires SSL/SSH Inspection profile
• ESMTP contains StartTLS command (if supported by server)
» Encrypts communication from that point
» No SSL/SSH Inspection profile means no inspection or email log.
Combining AV & Email Filtering
• If virus scan is enabled the scan happens as the last email filter check
» Clear actions associated with the email DO NOT BYPASS the virus scan
• White listed senders can still get infected with a virus
» Spam actions associated with the email DO NOT BYPASS the virus scan
• Unless the action is DISCARD
• Spam email passing through could also have a virus
• If a virus is found, the email is considered spam (even with a clear action)
» Spam Action – Tag: Infection is removed and replaced with TXT file containing the AV block message
» Spam Action – Discard: SMTP connection is blocked with 5xx response
Reading Log entries: Forward Traffic log
• Email Filter log entries appear in Traffic Log > Forward Traffic log by default
» Intended to be brief/summary only
Reading Log entries: Email Filter log
# set extended-utm-log enable
» Logs show under Security Log > Email Filter as well
» More detailed
» Additional info means additional resources to create/store log
Deployment Strategies: Multiple Spamfiltering devices
• Multiple Spam filtering devices/software
» Enable checks that are not available on other devices
» Only the Last device should be able to affect mail flow (discard/quarant ine emails)
Deployment Strategies: Geographic Considerations
• Geographic IP address object can block source IPs
» Not all mail servers are located within their countries
• Mail BWL can block based on domain suffix (http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains)
» Not all mail domains have suffix for their country of origin
• Business considerations need to be remembered
# set pattern ".*\\.(ru|bz)$"
# set pattern-type regexp
# set score 1000
# set language western
Labs
• Lab 1: Email Filtering
» Ex 1: Configuring FortiGuard AntiSpam
Classroom Lab Topology
Web Filtering
© 2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT1-09-50005-E-20140326
Module Overview
• Web Filtering Functionality Overview
• Web Filtering Communications
• HTTP Inspection Order
• Types of Web Filtering
• Proxy-Based Web Filtering
• Flow-Based Web Filtering
• DNS-Based Web Filtering
• Web Content Filtering
• Web URL Filtering
• Forcing SafeSearch
• FortiGuard Category Filter
• FortiGuard Caching
• FortiGuard Usage Quotas
• Web Site Rating Submissions
• Web Site Rating Overrides
• Local Categories
• Web Filter Profiles
• Web Filter Profiles Actions
Module Objectives
• By the end of this module participants will be able to:
» Identify the web filtering mechanisms used on the FortiGate device
» State available web filtering modes and their functionality differences
» Select the most effective technique for blocking or allowing a web site
» Create web content and URL filters
» Configure FortiGuard Web Filtering exemptions and rating overrides
» Create firewall policies for web filtering using web filter profiles
» View and monitor logs for web filtering activity and events
Web Filtering
• Means of controlling the web content that a user is able to view
» Preserve employee productivity
» Prevent network congestion where valuable bandwidth is used for non-business purposes
» Prevent loss or exposure of confidential information
» Decrease exposure to web-based threats
» Limit legal liability when employees access or download inappropriate or offensive material
» Prevent copyright infringement caused by employees downloading or distributing copyrighted materials
» Prevent children from viewing inappropriate material
Proxy-Based Web Filtering (1 of 2)
• Proxy based solution that communicates between client and server
• Inspects full URL
• Allows for customizable block pages to display when sites are prevented
• Most resource intensive option
• Lowest throughput
• Has the Most options available in Advanced section
Proxy-Based Web Filtering (2 of 2)
• Select inspection mode in web filter profile
Flow-Based Web Filtering (1 of 2)
• Non-proxy solution that uses IPS engine to perform inspection
• High throughput
• Inspects full URL
• FortiGuard Web Filtering override will not apply when flow-based inspection is enabled
• Only a few Advanced options available
• Not as flexible as proxy-based
» Allow, Monitor, Block ONLY
» Warn and Authenticate not possible
» Overrides not possible
Flow-Based Web Filtering (2 of 2)
• Select inspection mode in web filter profile
DNS-Based Web Filtering (1 of 2)
• DNS-proxy solution that uses DNS queries to decide access
• DNS queries redirected to FortiGuard SDNS server
• Very lightweight
• SSL inspection never required
• Cannot inspect URL, only hostname (DNS)
• Supports URL Filtering and FortiGuard Category only
• No individual block pages, can redirect to a portal
• Web site access by IP address is resolved and filtered, as well.
DNS-Based Web Filtering (2 of 2)
• Select inspection mode in web filter profile
When Does Filtering Activate? (client requesting www.acme.com)
• DNS Request (!)
• DNS Response
• TCP 3-Way Handshake
• HTTP GET (!)
• HTTP 200
The (!) marks the two points in the exchange at which web filtering can act: the DNS request (DNS-based filtering) and the HTTP GET (proxy- and flow-based filtering).
Comparing the Types of Web Filtering
• Proxy-Based
» Highly secure
» Traffic is cached
• Flow-Based
» High throughput
» No caching
» Not as secure
• DNS-Based
» Very lightweight
» Hostname and IP address filtering
» No advanced options, URL, and FortiGuard only
Web Content Filtering
• Allow or block web pages containing specific words or patterns
» Wildcards or regular expressions used to define patterns
» Create Pattern list in the CLI
• Scores for matched patterns are added
» If greater than threshold, FortiGate unit performs configured action
» If pattern appears multiple times on web page, score is only counted once
Example (page on www.acme.com): Drugs Score=10, Pharmacy Score=5, Prescription Score=5; Threshold=18; 10 + 5 + 5 = 20 → configured action (Block or Exempt)
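The email Banned Word check and the Web Content Filter above use the same scoring scheme, so one added example (not course or Fortinet code) serves both: every configured pattern that matches the text adds its score once, however often it occurs, and the action fires only when the total exceeds the threshold. The sample text and scores are the slide's; the wildcard syntax (* and ?) and case-insensitive matching are assumptions of the example.

```python
import re

# Sample text and the three scored patterns are as shown on the slides;
# the matching logic is an added example, not FortiGate's implementation.
SAMPLE_TEXT = ("Let us fill all your prescription drugs. Visit our online pharmacy for great "
               "prices on prescription medications. We offer the widest selection of popular drugs.")

PATTERNS = [  # (pattern, pattern type, score)
    ("drugs", "wildcard", 10),
    ("pharmacy", "wildcard", 5),
    ("prescription", "wildcard", 5),
]


def to_regex(pattern, kind):
    """Wildcard patterns use * and ? (assumed semantics); regexp patterns are used as-is."""
    if kind == "regexp":
        return re.compile(pattern, re.IGNORECASE)
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE)


def score_text(text, patterns):
    """Sum the score of every pattern that occurs at least once (counted once each).

    Returns (total, hits) where hits maps each matched pattern to its occurrence
    count, so the 'counted once' rule can be seen against the raw count.
    """
    total, hits = 0, {}
    for pattern, kind, score in patterns:
        occurrences = len(to_regex(pattern, kind).findall(text))
        if occurrences:
            hits[pattern] = occurrences
            total += score          # added once even when the pattern repeats
    return total, hits


def decide(text, patterns, threshold):
    """Verdict dict: the message is spam / the page is blocked once score > threshold."""
    total, hits = score_text(text, patterns)
    return {"score": total, "hits": hits, "exceeded": total > threshold}
```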
Web URL Filtering (1 of 2)
• Control web access by allowing or blocking URLs
» Text, wildcards or regular expressions can be used to define the URL patterns
» If no URL match on list, go on to next enabled check
• Possible web URL filter actions are:
» Allow
» Block
» Monitor
» Exempt
Web URL Filtering (2 of 2)
(diagram) URL: www.mypage.com/index.html is checked against the URL Filter list:
» www.example.com
» www.abc.com
» www.mypage.com/index.html
Each list entry carries one action (Block, Allow, Monitor or Exempt), and the matching entry decides the result for www.mypage.com
Forcing Safe Search
• Safe Search is used by search sites to prevent inappropriate web sites and images from appearing in search results
• FortiGate unit rewrites the search URL to include the required codes to enable Safe Search
» Supported for Google, Bing, Yahoo! and Yandex
» Does NOT force strict safe search
• Youtube EDU available
» Instructions for Youtube will include value to enter on FortiGate unit
FortiGuard Category Filter (1 of 3)
(diagram) URL: www.mypage.com is rated into one of the FortiGuard Categories; the action configured for that category is one of Allow, Block, Monitor, Warning or Authenticate
FortiGuard Category Filter (2 of 3)
• The FortiGate unit accesses the FortiGuard Distribution Server to determine the category of a requested page
» Action is taken based on selection in web filtering profile
• Web filter rating determined by:
» Human rater
» Text analysis
» Exploitation of web structure
• Description of Categories can be found on FortiGuard website http://www.fortiguard.com/static/webfiltering.html
FortiGuard Category Filter (3 of 3)
• Split into multiple categories and sub-categories
• Layout will switch periodically as the Internet changes
• New categories and sub-categories are released and compatible with updated firmware
» Older firmware has new values mapped to existing categories
FortiGuard Response Caching
• Most web sites are visited over and over again
» FortiGate unit can remember what the response was
• Caching improves performance by reducing FortiGate unit requests to FortiGuard servers
» Cache checked before sending request to FortiGuard server
» TTL setting controls the number of seconds query results are cached
• Small amount of FortiGate unit system memory dedicated to the cache
» Default is 2% used for cache, can be increased to 15% from CLI
• Port 53 used for FortiGuard communications
» Alternate port number of 8888 can be used
FortiGuard Usage Quotas
(diagram: Category: Games, with a separate “Games” Quota shown for each of three clients)
• Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured)
• If authentication is enabled, quota is automatically based on the user, otherwise IP is used
• Can only apply to categories with actions: Monitor, Warn or Authenticate
Rating Submissions
• Requests for rating of a web site, or to have a web site’s rating re-evaluated, can be submitted by accessing:
» http://www.fortiguard.com/ip_rep.php
Rating Override (1 of 2)
(diagram) www.acme.com is rated Category: General Organizations; a Rating override reassigns it to Sub-Category: Information and Computer Security
Rating Override (2 of 2)
• Can override the rating applied to a hostname by FortiGuard Subscription Services
» Hostname reassigned to a completely different category and uses that action
• Override applies to FortiGate unit only
» Changes not submitted to FortiGuard Subscription Services
• Hostnames only
» google.com
» www.google.com
» www.google.com/index.html (a URL with a path is not a valid override entry)
24
Local Categories
• Rename and deletion of sub-categories only in CLI:
config webfilter ftgd-local-cat
    delete “”
    rename “” to “”
end
FortiGuard Category Actions: Warning
• Action = Warning (right click in the GUI)
[Figure: Web Filtering Warning Page]
Authenticate Action
[Figure: Authenticate action example for www.hackthissite.org, Marketing]
Web Filter Profiles
• Web filtering, FortiGuard web filtering and Advanced Filter options enabled through web filtering profiles
• Profile in turn applied to firewall policy
» Any traffic being examined by the policy will have the web filtering operations applied to it
HTTP Inspection Order
[Figure: flowchart of the HTTP inspection order]
• URL » Web URL Filter
» Exempt (from ALL further inspection) » Display Page
» Block » Block Page
» Allow » FortiGuard Filter
• FortiGuard Filter
» Block » Block Page
» Allow » Advanced Filter / Content Filter
• Advanced Filter / Content Filter
» Block » Block Page
» Allow » Virus Scan
• Virus Scan
» Block » Block Page
» Allow » Display Page
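The inspection order on this slide, as an added Python model (not FortiOS code and not from this guide): a request walks the stages in the order shown, an Exempt match in the Web URL Filter short-circuits everything after it, including the virus scan, and any Block ends in the block page. The stage function names, the WebFilterProfile fields and every sample URL, category, banned word and "virus" pattern are constructed assumptions for the example.

```python
"""Added model of the HTTP inspection order; names and sample data are constructed."""
import fnmatch
from dataclasses import dataclass, field

EXEMPT, BLOCK, ALLOW = "exempt", "block", "allow"


@dataclass
class Request:
    url: str
    category: str          # FortiGuard category the URL would be rated as
    body: bytes = b""      # response body seen by the content filter and AV


@dataclass
class WebFilterProfile:
    url_filter: list = field(default_factory=list)   # ordered (pattern, action), first match wins
    blocked_categories: set = field(default_factory=set)
    banned_words: set = field(default_factory=set)
    virus_patterns: set = field(default_factory=set)  # constructed stand-ins for AV signatures


def web_url_filter(req, profile):
    """Stage 1: URL entries evaluated top down; no match means Allow."""
    for pattern, action in profile.url_filter:
        if fnmatch.fnmatchcase(req.url, pattern):
            return action
    return ALLOW


def fortiguard_filter(req, profile):
    """Stage 2: category rating (here simply a field on the request)."""
    return BLOCK if req.category in profile.blocked_categories else ALLOW


def content_filter(req, profile):
    """Stage 3: advanced filter / banned-word content filter."""
    body = req.body.lower()
    return BLOCK if any(w.lower().encode() in body for w in profile.banned_words) else ALLOW


def virus_scan(req, profile):
    """Stage 4: antivirus scan of the body."""
    return BLOCK if any(p in req.body for p in profile.virus_patterns) else ALLOW


STAGES = (("fortiguard-filter", fortiguard_filter),
          ("content-filter", content_filter),
          ("virus-scan", virus_scan))


def inspect(req, profile):
    """Return (page shown to the user, stage that made the decision)."""
    first = web_url_filter(req, profile)
    if first == EXEMPT:
        # Exempt skips ALL further inspection: the body is never virus scanned
        return "display", "web-url-filter-exempt"
    if first == BLOCK:
        return "block-page", "web-url-filter"
    for name, stage in STAGES:
        if stage(req, profile) == BLOCK:
            return "block-page", name
    return "display", "virus-scan"


# Constructed profile: not real ratings, words or signatures
PROFILE = WebFilterProfile(
    url_filter=[("*.intranet.example/*", EXEMPT), ("*casino*", BLOCK)],
    blocked_categories={"Games"},
    banned_words={"forbiddenword"},
    virus_patterns={b"X-CONSTRUCTED-MALWARE-PATTERN"},
)

if __name__ == "__main__":
    sample = b"...X-CONSTRUCTED-MALWARE-PATTERN..."
    for req in (Request("http://games.example/play", "Games"),
                Request("http://files.intranet.example/tool.exe", "IT", sample),
                Request("http://dl.example/tool.exe", "IT", sample)):
        print(req.url, "->", inspect(req, PROFILE))
```

The second and third sample requests carry the same body; only the URL differs. The intranet one is displayed because the Exempt entry ends inspection before the virus scan runs, which is the reason Exempt entries deserve a tight pattern and periodic review.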
Viewing Web Filter Logs (1 of 2)
Viewing Web Filter Logs (2 of 2)
Labs
• Lab 1: Web Filtering
» Ex 1: FortiGuard Web Filtering
Classroom Lab Topology
Application Control
© 2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT1-10-50005-E-20140326
Module Objectives
• By the end of this module participants will be able to:
» State how a signature trigger is accomplished
» Create application control lists
» Define application control rules by category
» Set up application control through firewall policies by using application control lists
» FortiGuard Application Control Database
» Add/revise software through FortiGuard
» Use application control to perform traffic shaping
» View and search logs for application control activity and events
Application Control
• Application control is used to detect and take actions on network traffic based on the application generating the traffic
» Facebook, Skype, Gmail, etc.
• Can detect application traffic even if contained within other protocols
• Supports a large number of applications and categories
• DiffServ per application filter
• Supports shared and per-IP traffic shaping for application control
Application Control List
• An application control list defines the applications that will be subject to inspection
• For each application, the administrator can specify whether to pass or block the application traffic, in addition to other settings
• Default rule set is very restrictive; must perform an AV/IPS update in order to obtain new rules
Adding Signatures Through FortiGuard
• Requests for additional or revised application control coverage can be submitted using FortiClient or by accessing:
» http://www.fortiguard.com/applicationcontrol/appform.html
Application Control Profile
[Figure: application control profile]
• Application control options are enabled through application control sensors
• Sensor in turn is applied to firewall policy
» Any traffic being examined by the policy will have the application control operations applied to it
Example: Facebook Application Control
Order of Operations
• Processed from the top down
• First match action is applied
• Can be single application or picked from a set of options to apply to multiple applications
Implicit Rules
• Implicit 1
» Matches traffic against every possible application control signature
• Implicit 2
» Matches traffic that does not conform to any application control signature
Disabling Logging for Implicit Rules
• Logging for the implicit rules can be disabled from the CLI:
config application list
    edit
        unset other-application-action
end
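Top-down, first-match evaluation with the two implicit rules behind it, as an added Python model; it is not FortiOS code and not from this guide. The signature byte patterns, the application and category names, the shaper name and the `Rule`/`Verdict` fields are constructed for the example; `other_application_action` mirrors the CLI keyword on the previous slide, while `unknown_application_action` and `log_implicit` are assumed names for the implicit-2 action and the implicit-rule logging switch, not real CLI attributes.

```python
"""Added model of application control list evaluation; all data is constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Signature:
    application: str
    category: str
    pattern: bytes          # constructed stand-in for a real signature


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    applications: frozenset = frozenset()         # single applications ...
    categories: frozenset = frozenset()           # ... or whole categories
    log: bool = True
    shaper: Optional[str] = None                  # applied only to traffic this rule matches


@dataclass
class Verdict:
    application: str
    action: str
    logged: bool
    matched_by: str                               # "rule-N", "implicit-1" or "implicit-2"
    shaper: Optional[str] = None


@dataclass
class AppControlList:
    rules: list = field(default_factory=list)
    other_application_action: str = "pass"    # implicit 1: any other known application
    unknown_application_action: str = "pass"  # implicit 2: traffic matching no signature
    log_implicit: bool = True                 # what the slide's 'unset other-application-action' turns off


# Constructed signature database (patterns are not real signatures)
SIGNATURES = (
    Signature("Facebook", "Social.Media", b"Host: www.facebook.com"),
    Signature("Twitter", "Social.Media", b"Host: twitter.com"),
    Signature("YouTube", "Video/Audio", b"Host: www.youtube.com"),
)


def identify(payload, signatures=SIGNATURES):
    """Pattern match only: report which enabled pattern the packets match,
    without examining either endpoint system."""
    for sig in signatures:
        if sig.pattern in payload:
            return sig
    return None


def evaluate(payload, acl, signatures=SIGNATURES):
    """Walk the list top down and return the first matching rule's verdict."""
    sig = identify(payload, signatures)
    if sig is None:
        return Verdict("unknown", acl.unknown_application_action, acl.log_implicit, "implicit-2")
    for index, rule in enumerate(acl.rules, start=1):
        if sig.application in rule.applications or sig.category in rule.categories:
            return Verdict(sig.application, rule.action, rule.log, f"rule-{index}", rule.shaper)
    return Verdict(sig.application, acl.other_application_action, acl.log_implicit, "implicit-1")


# Constructed list: block Facebook explicitly, shape the rest of the category
ACL = AppControlList(rules=[
    Rule("block", applications=frozenset({"Facebook"})),
    Rule("pass", categories=frozenset({"Social.Media"}), shaper="social-2mbps"),
])

if __name__ == "__main__":
    for payload in (b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n",
                    b"GET / HTTP/1.1\r\nHost: twitter.com\r\n",
                    b"\x00\x01random"):
        print(evaluate(payload, ACL))
```

Swapping the two rules would let the category rule pass Facebook traffic first and the block would never fire, which is the practical meaning of "first match action is applied"; the YouTube and unknown payloads show traffic that reaches the implicit rules and inherits their logging setting.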
Creating a Filter Rule
Searching Signatures on FortiGuard
• Searchable list of signatures, with descriptions
» http://www.fortiguard.com/encyclopedia/applications/
» Signatures change and update
Behavior Identification
Instant Messenger (1 of 3)
• Support for MSN (defunct), Yahoo, ICQ and AIM
» Software passes traffic through a single IM proxy
• Communications protocols have never been released or had an RFC published
» Proxy designed through reverse engineering
• Must be explicitly selected from the application control list
» IM proxy (not enabled if IM selected)
» Let’s look closer
Instant Messenger (2 of 3)
• FortiGate makes use of a man-in-the-middle proxy
Instant Messenger (3 of 3)
Fine Tuning Instant Messenger
• Instant Messenger policy configurable from the CLI; default is to allow all users:
config imp2p policy
    set [aim/icq/msn/yahoo] [allow/deny]
end
• Users can only be restricted if policy is set to deny
» Cannot block by user if policy set to allow
» Maximum 1000 IM users
Instant Messenger Users
• First user must be created in CLI:
config imp2p (protocol)-user
    edit (username)
end
Monitor
Traffic Shaping
• Allows for traffic shaping to apply to only SOME of the traffic passing through a profile/policy
• Only traffic matching an application control signature is shaped
• Can track application bandwidth usage and use traffic shaping to control heavy traffic applications
• Can use all normal traffic shaping options: Shared, Per-IP, Reverse
Traffic Shaping: Working Example
How Does My Software Actually Work?
How it Works
• Application control looks at packets and performs a pattern match comparison to determine traffic
• Does not perform any kind of scanning of either system
» Only reports that packets match an enabled pattern
Peer-to-Peer Detection (1 of 3)
• Traditional file transfer
» 1 Client
» 1 Server
Peer-to-Peer Detection (2 of 3)
• Peer-to-peer transfer
» 1 Client
» N Servers
Peer-to-Peer Detection (3 of 3)
Why is P2P traffic so difficult to detect?
• Traditional protocols (HTTP, FTP…) were designed to be distinct and separate from other protocols
• P2P communication protocols were designed to be difficult to distinguish from other protocols
Labs
• Lab 1: Application Identification
» Ex 1: Creating an Application Control list
• Lab 2: Traffic Shaping
» Ex 1: Limiting YouTube Traffic
• Lab 3: Selective Application Control
» Ex 1: Block Wikipedia Editing
Classroom Lab Topology