The FortiGate Cookbook

15 May 2013

Essential Recipes for Success with your FortiGate

Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

Contents

Introduction

Installing and Setup
    Setting up a limited access administrator account
    Setting up and troubleshooting FortiGuard services
    Logging FortiGate system events to gather network traffic information
    Using SNMP to monitor the FortiGate unit
    Using FortiCloud to view log data and reports
    Using two ISPs for redundant Internet connections with distributed sessions
    Protect a web server on the DMZ network
    Adding a second FortiGate unit to improve reliability
    Setting up an explicit proxy for users on a private network
    Using port pairing to simplify transparent mode
    Adding packet capture to help troubleshooting

Wireless Networking
    Providing remote users access to the internet and corporate network using FortiAP
    Setting up a FortiGate and FortiAP to provide wired and wireless Internet access
    Setting up guest wifi users with a captive portal

Security Policies and Firewall Objects
    Controlling when BYOD users can access the Internet
    Using AirPrint with iOS and OS X and a FortiGate unit
    Using AirPlay with iOS, AppleTV, FortiAP and a FortiGate unit
    Using port forwarding on a FortiGate unit

UTM Profiles
    Visualizing and controlling the applications on your network using application control
    Configuring web filter overrides and local ratings
    Protecting a web server from vulnerabilities and DoS attacks using IPS
    Blocking email/web traffic or files containing sensitive information
    Monitoring your network for undesirable behavior using client reputation
    Inspecting content on the network using flow-based UTM instead of proxy-based UTM
    Blocking large files from entering the network
    Blocking access to specific web sites
    Blocking HTTPS traffic with web filtering

SSL and IPsec VPN
    Protecting traffic between company headquarters and branch offices using IPsec VPN
    Providing remote users with access to a corporate network and Internet using SSL VPN
    Securing remote access to the office network using FortiClient IPsec VPN
    Securing remote access to the office network for an iOS device over IPsec VPN
    Redundant OSPF routing between two remote networks over IPsec VPN

Authentication
    Providing single sign-on on a Windows AD network by adding a FortiGate

Introduction
This FortiGate Cookbook provides administrators who are new to FortiGate appliances with examples of how to implement many basic and advanced FortiGate configurations. FortiGate products offer administrators a wealth of features and functions for securing their networks, but covering the entire scope of configuration possibilities would go well beyond this book. Fortunately, much more information can be found in the FortiOS Handbook. The latest version is available from the Fortinet Technical Documentation website at http://docs.fortinet.com. This cookbook contains a series of recipes that describe how to solve a problem. Each recipe begins with a description of the configuration requirements, followed by a step-by-step solution, and concludes with results that show what should occur to verify that the steps were completed successfully. This FortiGate Cookbook was written for FortiOS 5.0 patch 2 (FortiOS 5.0.2). A PDF copy of this document is available from the FortiGate Technical Documentation website at http://docs.fortinet.com/cookbook.html. You can also find earlier editions of the FortiGate Cookbook there, which contain additional recipes and troubleshooting tips, as well as videos of some of the content in this book. You can send comments about this document and ideas for new recipes to techdoc@fortinet.com. New recipes may be published on the FortiGate Cookbook website and added to future versions.

Web-based Manager
Also called the Web Interface or Web UI, the FortiGate web-based manager is an advanced point-and-click, drag-and-drop interface that provides quick access to most FortiGate configuration settings and includes visual monitoring and management tools. Using the web-based manager you can add a security policy to monitor application activity on a network, view the results of this application monitoring policy, and then create additional policies or change the existing policy to block or limit the traffic produced by some applications. The web-based manager also provides a wide range of monitoring and reporting tools that give detailed information about traffic and events occurring on the FortiGate unit. You access the web-based manager using HTTP or a secure HTTPS connection from any web browser. By default you can access the web-based manager by connecting to the FortiGate interface that is usually attached to a protected network. Configuration changes made from the web-based manager take effect immediately, without resetting the unit or interrupting service.

FortiExplorer
FortiExplorer is a user-friendly and accessible tool that you can use to configure a FortiGate unit over a standard USB connection. You can install the FortiExplorer software on a PC running Windows or Mac OS X and use a USB connection between the PC and your FortiGate unit. Use FortiExplorer to register your FortiGate unit, check for and perform FortiOS firmware updates, run the FortiExplorer configuration wizard to quickly set up the FortiGate unit, and connect to the web-based manager or CLI.

Registering your Fortinet product


Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.

For more information


Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications.

Fortinet Knowledge Base


The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Training
Fortinet Training Services provides a variety of training programs worldwide that orient you to your new equipment, and offers certifications to verify your knowledge level. For more on training services, visit the Fortinet Training Services web site at http://campus.training.fortinet.com.

Installing and Setup


Most people purchase a FortiGate unit with the intention of creating a secure connection between a protected private network and the Internet. In most cases they also want the FortiGate unit to hide the IP addresses of the private network from the Internet. This chapter describes how to set up a number of common configurations with the FortiGate unit. In addition, this chapter describes a common transparent mode FortiGate installation in which a FortiGate unit provides security services to a network without requiring any changes to the network.

Setting up a limited access administrator account


This example adds a new FortiGate administrator login that uses an administrator profile that has limited access only to firewall features, and read-only access to administrator information. It also shows how to identify the administrators using the admin administrator account.

1. Create a new administrative profile
2. Add a new administrator and assign the profile
3. Results

Network diagram: Internet - WAN 1 (172.20.120.22) - FortiGate - LAN (192.168.1.99/24) - Internal Network

Step One: Create a new administrative profile


Go to System > Admin > Admin Profile. Create a new administrator profile that allows an administrator with this profile to view and edit firewall objects and security policies, and only view administrator information.

Step Two: Add a new administrator and assign a profile


Go to System > Admin > Administrators. Create a new administrator with the Firewall_Admin_Access profile, to enable full access to all FortiOS features.

The admin profile controls which features of the FortiGate configuration the administrator can see and configure from the web-based manager and the CLI. You can add multiple profiles and assign users and administrators different profiles, depending on what they are tasked to do with the FortiGate unit.

Results
Log in to the FortiGate unit using the user name Terry_White. As this administrator, you can view and edit any element of the FortiGate configuration pertaining to firewall objects and security policies. You can also view the other administrator information. Menu items for other features do not appear.

Go to Log & Report > Event Log > System. Verify that the login activity occurred.

Select the entry for more information on the administrator log in.

Go to System > Dashboard > Status, and view the System Information widget. The Current Administrator row indicates the current administrators and the number of administrators logged in.

Select Details for the Current Administrator to view all administrators logged in.

Setting up and troubleshooting FortiGuard services


If you have purchased FortiGuard services and registered your FortiGate unit, it should automatically connect to the FortiGuard Distribution Network (FDN) and display license information about your FortiGuard services. In this example, you verify whether the FortiGate unit is communicating with the FDN by checking the License Information dashboard widget. The FortiGate unit automatically connects with the FortiGuard network to verify the FortiGuard Services status for the FortiGate unit.

Network diagram: Internet (FortiGuard) - WAN 1 - FortiGate - port 1 - Internal Network

Verifying the connection


Any subscribed services should have a green check mark, indicating that connections are successful. A grey X indicates that the FortiGate unit cannot connect to the FortiGuard network, or that the FortiGate unit is not registered. A red X indicates that the FortiGate unit was able to connect but that a subscription has expired, or has not been activated.

You can also view the FortiGuard connection status by going to System > Config > FortiGuard.

Troubleshooting connection issues


Use these steps to troubleshoot FortiGuard services should connection issues arise.

Verify that you have registered your FortiGate unit, purchased FortiGuard services, and that the services have not expired. You can verify the support status for your FortiGate unit at the Fortinet Support website (https://support.fortinet.com/).

Verify that the FortiGate unit can communicate with the Internet. The FortiGate unit should be able to communicate with the FortiGuard network if it can communicate with the Internet. Go to Router > Monitor > Routing Monitor and verify that a default route is available and configured correctly.

Go to System > Network > DNS and make sure the primary and secondary DNS servers are correct. The FortiGate unit connects to the FortiGuard network using a domain name, not a numerical IP address. If the FortiGate interface connected to the Internet gets its IP address using DHCP, make sure Override internal DNS is selected so that the FortiGate unit gets its DNS server IP addresses from the ISP using DHCP. Verify that the FortiGate unit can connect to the DNS servers using the execute ping command to ping them. You can also attempt a traceroute from the FortiGate CLI to an external network using a domain name for the destination, for example, enter the command:
execute traceroute www.fortiguard.com

If the command cannot find the numeric IP address of www.fortiguard.com, then the FortiGate unit cannot connect to the configured DNS servers.

Make sure that at least one security policy includes antivirus. If no security policies include antivirus, the antivirus database may not be updated.

Verify that the FortiGate unit can communicate with the FortiGuard network. Go to System > Config > FortiGuard > Antivirus and IPS Options and select Update now to force an immediate update of the antivirus and IPS databases. After a few minutes, you can verify whether the updates were successful. Test the availability of web filtering and email filtering lookups from System > Config > FortiGuard > Web Filtering and Email Filtering options by selecting Test Availability. If the test is not successful, try changing the port that is used for web filtering and email filtering lookups. The FortiGate unit uses port 53 or 8888 to communicate with the FortiGuard network, and some ISPs may block one of these ports.

Determine if there is anything upstream that might be blocking FortiGuard traffic, either on your network or on the ISP's network. Many firewalls block all ports by default, and ISPs often block low-numbered ports (such as 53). FortiGuard uses port 53 by default, so if it is being blocked, you need to either open the port or change the port used by the FortiGate unit.

Change the FortiGuard source port. It is possible that the ports used to contact the FortiGuard network are being changed before reaching FortiGuard, or on the return trip before reaching your FortiGate unit. A possible solution is to use a fixed port at the NAT firewall to ensure the port number remains the same. FortiGate units contact the FortiGuard network by sending UDP packets with typical source ports of 1027 or 1031 and destination ports of 53 or 8888. The FDN reply packets then have a destination port of 1027 or 1031. If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets. You can select a different source port range for the FortiGate unit to use.

If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use higher-numbered ports such as 2048-20000, using the following CLI commands:
config system global
    set ip-src-port-range 2048-20000
end

Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use. Display the FortiGuard server list. The diagnose debug rating CLI command shows the list of FortiGuard servers that the FortiGate unit can connect to. The command should show more than one server.

Logging FortiGate system events to gather network traffic information


This example shows how to enable logging to capture the details of network traffic processed by the FortiGate unit.

1. Configure logging and event logging
2. Enable logging in the security policy
3. Results

Network diagram: Internet - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network

Step One: Configure logging and event logging


Go to Log & Report > Log Config > Log Setting. Enable and configure logging. Note that logging to disk is only available on FortiGate units with a hard disk or flash drive. Logging to disk is enabled in the CLI using the config log disk setting commands.

Step Two: Enable logging in the security policy


Go to Policy > Policy > Policy. For any security policy, in the Logging Options section, select Log all Sessions.

Results
To see information about network traffic processed by the FortiGate unit, go to Log & Report > Traffic Log > Forward Traffic.

Select an entry for more information.

Using SNMP to monitor the FortiGate unit


Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that reads the traps from the agent and sends SNMP queries to the SNMP agents. In this example, you configure the SNMP agent and a FortiGate interface to send SNMP traps to the SNMP server for review.

1. Configure the SNMP agent and community
2. Enable SNMP on a FortiGate interface
3. Download the MIB files and configure the SNMP manager
4. Results

Network diagram: Internet - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network, with the SNMP Manager at 192.168.1.114

Step One: Configure the SNMP agent and community


Go to System > Config > SNMP. Configure the agent.

Under the SNMP version, create a new community. Add the IP address of the host where the SNMP manager is installed, 192.168.1.114/32, and select the port used to receive SNMP requests and send SNMP traps. You can also set the IP address/Netmask to 0.0.0.0/0.0.0.0 and the Interface to ANY so that an SNMP manager on any network connected to the FortiGate unit can use this SNMP community and receive traps from the FortiGate unit.

Step Two: Enable SNMP on a FortiGate interface


Go to System > Network > Interface. Enable SNMP on port 1.

Step Three: Download the MIB files and configure the SNMP manager
Go to System > Config > SNMP to download FortiGate SNMP MIB. There are two MIB files for FortiGate units: the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units. Configure the SNMP manager at 192.168.1.114 to receive traps from the FortiGate unit.

Results
This example uses SolarWinds SNMP trap viewer. In SolarWinds Toolset Launch Pad, go to SNMP > MIB Viewer and select Launch.

Click Select Device and enter the IP address of the FortiGate unit and the community string.

Open the SNMP Trap Receiver and select Launch.

Perform an action to trigger a trap, for example, change the IP address of the DMZ interface in the FortiGate. Verify that the SNMP manager receives the trap.

View the UTM log by going to Log & Report > Event Log > System.

Using FortiCloud to view log data and reports


FortiCloud is an online hosted security management and log retention service. It provides a centralized reporting, traffic analysis, configuration and log retention tool without the need for additional hardware and software. This example describes setting up and accessing logs and reports in FortiCloud.

1. Activate FortiCloud
2. Configure logging and event logging
3. Enable logging in the security policy
4. Results

Network diagram: FortiCloud / Internet - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network

Step One: Activate FortiCloud


Go to System > Dashboard > Status. On the License Information widget, in the FortiCloud section, select Activate.

Once the account is created, you can launch the FortiCloud portal from the License Information widget.

Step Two: Configure logging


Go to Log & Report > Log Config > Log Setting. Enable and configure logging to FortiCloud.

Step Three: Enable logging in the security policy


Go to Policy > Policy > Policy. For any security policy, in the Logging Options section, select Log all Sessions.

Results
Go to System > Dashboard > Status. On the License Information widget, in the FortiCloud section, select Launch Portal. From the portal, you can see the log data and reports.

Using two ISPs for redundant Internet connections with distributed sessions
This example describes how to improve the reliability of a network's connection to the Internet by using two Internet connections. It also includes configuration of equal cost multi-path load balancing to make efficient use of these two Internet connections by distributing sessions across both, without allowing either one to become overloaded.

1. Configure connections to the two ISPs
2. Add security policies
3. Configure failover detection and spillover load balancing
4. Results

Network diagram: Internet - ISP 1 - WAN1 and ISP 2 - WAN 2 - FortiGate - LAN - Internal Network

Step One: Configure connections to the two ISPs


Go to System > Network > Interface.

Step Two: Add security policies


Go to Policy > Policy > Policy. Create a security policy between the internal network and the interface connecting to the primary ISP.

Create a security policy between the internal network and each interface connecting to an ISP.

Step Three: Configure failover detection and spillover load balancing
Go to Router > Static > Settings. Create two new Dead Gateway Detection entries.

Set the Ping Interval and Failover Threshold to a smaller value for a more immediate reaction to a connection going down.

Go to Router > Static > Settings and set the ECMP Load Balancing Method to Spillover. The Spillover Threshold is entered in kbps (kilobits per second), whereas the bandwidth shown for interfaces is in kBps (kilobytes per second). For the wan1 interface:
Spillover Threshold = 100 kbps = 100000 bps (102400 bps when 1 kb = 1024 bits)
102400 bps / 8 = 12800 Bps

Results
Go to Log & Report > Traffic Log > Forward Traffic to see network traffic from different source IP addresses flowing through both wan1 and wan2.

Disconnect the wan1 port on the FortiGate unit to see that all traffic automatically flows through the wan2 port until wan1 is available again.

Protect a web server on the DMZ network


In this example, a web server is located on the DMZ network. An internal to DMZ security policy allows internal users to access the web server using its internal IP address (10.10.10.22). A WAN to DMZ security policy hides the internal address, allowing external users to access the web server with a public IP address (172.20.120.22).

1. Configure the FortiGate unit DMZ interface
2. Add virtual IPs
3. Create security policies
4. Results

Network diagram: Internet - WAN 1 (172.20.120.22) - FortiGate - DMZ - DMZ Network with Web Server 10.10.10.22; FortiGate LAN - Internal Network

Step One: Configure the FortiGate unit DMZ interface


Go to System > Network > Interface. Edit the DMZ interface settings.

Your FortiGate unit may have an interface named DMZ. Using the DMZ interface is recommended but not required.

Step Two: Add virtual IPs


Go to Firewall Objects > Virtual IP > Virtual IP. Create two virtual IPs; one for HTTP access and one for HTTPS access.

Each virtual IP has the same address mapping from the public-facing interface to the DMZ interface. The difference is the port for each traffic type (port 80 for HTTP and port 443 for HTTPS).

Step Three: Create security policies


Go to Policy > Policy > Policy. Create a security policy to allow HTTP and HTTPS traffic from the Internet to the DMZ interface and web server.

Create a security policy to allow HTTP and HTTPS traffic from the internal network to the DMZ interface and web server. Adding this policy reduces traffic on the wan1 interface by allowing traffic to pass directly from the Internal interface to the DMZ interface, rather than from the Internal interface, to the wan1 interface, then back in through the wan1 interface to the DMZ interface.

Results
External users can access the web server on the DMZ network from the internet using http://172.20.120.22 and https://172.20.120.22. Internal users can access the web server using http://10.10.10.22 and https://10.10.10.22.

Go to Policy > Monitor > Policy Monitor. Use the policy monitor to verify that traffic from the Internet and from the internal network is allowed to access the web server. This verifies that the policies are configured correctly.

Go to Log & Report > Traffic Log > Forward Traffic.

The traffic log should show sessions from the internal network and from the Internet accessing the web server on the DMZ network.

Adding a second FortiGate unit to improve reliability


This example adds a second FortiGate unit to a currently installed FortiGate unit to provide redundancy in the event one FortiGate unit fails. This example also steps through upgrading the HA cluster to a new firmware version.

1. Add and connect the second FortiGate and configure HA
2. Test the failover functionality
3. Upgrade the firmware for the HA cluster

Network diagram: Internet - Switch - WAN 1 of each of two FortiGate units connected by dual HA links; Internal interface of each unit - Switch - Internal Network

Step One: Add and connect the second FortiGate and configure HA

Go to System > Dashboard > Status. Change the host name of the primary FortiGate unit.

Go to System > Config > HA. Configure the HA settings for the primary FortiGate unit.

Go to System > Dashboard > Status. Change the host name of the backup FortiGate unit.

Go to System > Config > HA. Configure the HA settings for the backup FortiGate unit. Ensure that the Group Name and Password are the same as on the primary FortiGate unit.

Go to System > Config > HA to view the cluster information.

Select View HA Statistics for more information on the cluster.

Go to System > Dashboard > Status to see the cluster information.

Step Two: Test the failover functionality


Unplug the ethernet cable from the wan 1 interface of the primary FortiGate unit. Traffic will divert to the backup FortiGate unit. Use the ping command to view the results.

Shut down the primary FortiGate unit, and see that traffic fails over to the backup FortiGate unit using a ping command.

Step Three: Upgrading the firmware for the HA cluster


When a new version of the FortiOS firmware becomes available, upgrade the firmware on the primary FortiGate unit; the backup FortiGate unit will upgrade automatically. Go to System > Dashboard > Status to upgrade the firmware.

The firmware will load on the primary FortiGate unit, and then on the backup unit. Go to Log & Report > Event Log > System.

Go to System > Dashboard > Status. Both FortiGate units have the new firmware installed.

Setting up an explicit proxy for users on a private network


This example sets up the explicit web proxy to accommodate faster web browsing. Internal users will connect to an explicit web proxy using port 8080 rather than surfing the Internet directly using port 80.

1. Enable explicit web proxy on the internal interface
2. Configure the explicit web proxy for HTTP/HTTPS traffic
3. Add a security policy for proxy traffic
4. Results

Network diagram: Internet - port 3 - FortiGate (explicit web proxy) - port 4 - Internal Network

Step One: Enable explicit web proxy on the internal interface


Go to System > Network > Interface and enable web proxy on port 4.

You may need to enable Explicit Proxy and WAN Opt. & Cache on the System Information widget before you proceed. Go to System > Dashboard > Status and select Enable for these options.

Step Two: Configure the explicit web proxy for HTTP/HTTPS traffic
Go to System > Network > Explicit Proxy and enable the http/https explicit web proxy.

Make sure to set the Default Firewall Policy Action to Deny. Later you will create a security policy for web proxy traffic with web cache enabled.

Step Three: Add a security policy for proxy traffic


Go to Policy > Policy > Policy. Create a security policy for web proxy traffic, and enable web cache.

Results
Configure web browsers on the private network to connect using a proxy server. The IP address of the HTTP proxy server is 10.10.1.99 (the IP address of the FortiGate internal interface) and the port is 8080 (the default explicit web proxy port). Web browsers configured to use the proxy server are able to connect to the Internet. Go to Policy > Policy > Policy to see the ID of the policy (3) allowing web proxy traffic. Web proxy traffic is not counted by the firewall policy.

Using port pairing to simplify transparent mode


This example simplifies configuring a FortiGate unit operating in transparent mode by using port pairing. When you create a port pair, all traffic accepted by one of the ports of the pair can only exit out the other port. You add security policies to control the traffic that can pass between these two ports and to apply UTM protection to the traffic.

1. Switch the FortiGate unit to transparent mode and add a static route
2. Create an internal and wan 1 port pair
3. Create firewall addresses
4. Create a security policy
5. Results

Network diagram: Internet - Router - wan 1 - FortiGate in transparent mode (192.168.1.99/24, Management IP 192.168.1.100) - Internal - Internal Network 192.168.1.[110-150] and protected web server 192.168.1.200

Step One: Switch the FortiGate unit to transparent mode and add a static route
Go to System > Dashboard > Status. In the System Information widget, select Change beside the Operation mode.

Log into the FortiGate unit using the management IP 192.168.1.100. Go to System > Network > Routing Table and set a static route.

Step Two: Create an internal and wan 1 port pair

Go to System > Network > Interface. Create an internal/wan 1 pair.

Step Three: Create firewall addresses


Go to Firewall Objects > Address > Address. Create addresses for the web server and address range for internal users.

Step Four: Create security policies

Go to Policy > Policy > Policy. Create a security policy that allows internal users to access the web server using HTTP and HTTPS.

Go to Policy > Policy > Policy. Create a security policy that allows connections from the web server to the internal users network and to the internet using any service.

Results
Connect to the web server from the internal network and surf the Internet from the server itself. Go to Log & Report > Traffic Log > Forward Traffic to verify that there is traffic from the internal to wan 1 interface.

Select an entry for details.

Go to Policy > Monitor > Policy Monitor to see the active sessions.

Adding packet capture to help troubleshooting


Packet capture is a means of logging traffic and its details to troubleshoot any issues you may have with traffic flow or connectivity. This example shows the basics of setting up packet capture on the FortiGate unit and analyzing the results.

1. Create a packet capture filter
2. Start the packet capture
3. Stop the packet capture
4. Results

Network diagram: Internet - WAN 1 (172.20.120.23) - FortiGate - Internal (192.168.1.99/24) - Internal network

Step One: Create a packet capture filter


Go to System > Network > Packet Capture and create a new filter.

For this example, the FortiGate unit will capture 100 HTTP packets on the internal interface from/to host 192.168.1.200. Host(s) can be a single IP address, multiple addresses separated by commas, an IP range, or a subnet. Port(s) can be a single port, multiple ports separated by commas, or a range. Protocol can be a single protocol number, multiple numbers separated by commas, or a range. Use 6 for TCP, 17 for UDP, and 1 for ICMP.

Step Two: Start the packet capture


Select Start to begin the packet capture, and from an internal computer or device set to IP address 192.168.1.200, surf the Internet to generate traffic.


Step Three: Stop the packet capture


Once the maximum number of packets to save is reached (in this example 100), capturing stops and you can download the saved pcap file. You can also stop the capture at any time before the maximum is reached.

Results
Open the pcap file with a pcap viewer such as tcpdump or Wireshark. Depending on the kind of traffic you need to capture, adjust the filter settings to meet your needs.

Go to Log & Report > Event Log > System to verify that the packet capture file was successfully downloaded.
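The same capture can be run from the FortiGate CLI with the built-in sniffer, which takes a tcpdump-style filter expression. This is an added example and not part of the cookbook; the interface name internal, host 192.168.1.200 and port 80 are the values of this recipe, and 192.168.1.201 in the second command is an assumed extra host.

```fortios
# Added example, not part of the cookbook. The GUI filter of Step One
# (100 HTTP packets to or from host 192.168.1.200 on the internal
# interface) expressed with the CLI sniffer. Syntax:
#   diagnose sniffer packet <interface> '<filter>' <verbosity> <count>
# Verbosity 4 prints packet headers with the interface name; the count of
# 100 makes the sniffer stop by itself, like the GUI "maximum packets".
diagnose sniffer packet internal 'host 192.168.1.200 and tcp port 80' 4 100

# The same filter forms the GUI offers: several hosts, a UDP port, ICMP.
# 192.168.1.201 is an assumed second host, not from the recipe.
diagnose sniffer packet internal '(host 192.168.1.200 or host 192.168.1.201) and udp port 53' 4 100
diagnose sniffer packet any 'icmp and host 192.168.1.200' 4 20

# Verbosity 6 prints whole Ethernet frames in hex; saved from the terminal,
# that output can be converted to pcap for Wireshark. Ctrl-C stops early.
diagnose sniffer packet internal 'host 192.168.1.200 and tcp port 80' 6 100
```

Unlike the GUI capture, the CLI sniffer writes only to the terminal session, so keep the count bounded on a busy interface.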


Wireless Networking
FortiOS WiFi networking provides a wide range of capabilities for integrating wireless networks into your organization's network architecture. Each WiFi network, or SSID, is represented by a virtual network interface to which you apply security policies, UTM features, traffic shaping, and so on, in the same way as for physical wired networks. You can create multiple WiFi networks to serve different groups of users. For example, you might have one network for your employees and another for guests or customers. Also, with the increasing use of Bring Your Own Device (BYOD) smartphones, tablets and other mobile devices that use WiFi technology, wireless networks are becoming busier than ever and have to be monitored and accommodated accordingly.

A network that requires only one WiFi access point is easily created with a FortiWiFi unit operating as a single thick Access Point (AP). A thick AP such as a FortiWiFi unit contains the WiFi radio as well as access control and authentication functionality. A thin AP, such as a FortiAP unit, contains only the radio and a microcontroller that receives commands from and exchanges data with a WiFi controller. If you already have a FortiGate unit, adding a FortiAP unit as a thin AP managed by the FortiGate unit operating as a WiFi controller is a cost-effective way to add WiFi to your network.

The FortiOS WiFi controller feature is available on both FortiGate and FortiWiFi units. A FortiWiFi unit's WiFi controller also controls the unit's internal (Local WiFi) radio, treating it much like a built-in thin AP. Whenever multiple APs are required, a single FortiGate or FortiWiFi unit controlling multiple FortiAP units is best. A network of multiple thick APs would be more expensive and more complex to manage.


Providing remote users access to the internet and corporate network using FortiAP
In this example, users in a remote location such as a hotel use a FortiAP to securely connect to a corporate network and browse the Internet from behind the corporate firewall.

1. Configure the corporate SSID and security policies
2. Configure the FortiGate unit to connect and configure FortiAP
3. Authorize the remote FortiAP connection
4. Results

[Network diagram: FortiAP (WLAN_1 wireless network) - Internet - FortiGate (WLAN 1, Internal) - Internal network]

Step One: Configure the FortiGate for remote user connections


Go to WiFi Controller > WiFi Network > SSID and create a new SSID for the FortiAP. Configure the WiFi Settings, and DHCP Server so wireless users can connect directly to the FortiAP.

Go to Firewall Objects > Address > Address. Create addresses for the remote users and the corporate network.


Go to Policy > Policy > Policy and create two security policies. First, create a policy for remote wireless users to access the Internet.

Create a policy for remote wireless users to access the corporate network.

Step Two: Configure FortiAP to connect to the corporate FortiGate unit


In the FortiAP's System Information tab, enter the AC IP Address of the public-facing interface of the FortiGate unit. The remote user will plug an Ethernet cable into the FortiAP and into the network connection to the Internet at the hotel. The FortiAP searches for the FortiGate interface you configure here.


Step Three: Configure the FortiGate unit to connect, and configure FortiAP
Go to WiFi Controller > Managed Devices > Managed FortiAP. Right-click the FortiAP in the list and select Authorize.

With the FortiAP authorized with the FortiGate unit, you can use the FortiGate to configure the wireless settings for the FortiAP remotely.

Results
The remote user connects the FortiAP to the network connection at the hotel. They then connect to the RemoteWiFi wireless network. They will be able to access the corporate network and surf the Internet securely.

Go to WiFi Controller > Monitor > Client Monitor to see remote wireless users connected to the FortiAP unit.

When the remote wireless user connects to the corporate network, traffic appears in the log messages. Go to Log & Report > Traffic Log > Forward Traffic.


Selecting an entry for the WLAN_1 interface and internal destination interface shows traffic using RDP to connect to the corporate network.

Selecting an entry for the WLAN_1 interface and wan1 destination interface shows internet traffic.


Setting up a FortiGate and FortiAP to provide wired and wireless Internet access
This example sets up FortiAP to connect to the Internet using the FortiGate unit. Wireless and wired users will be on the same subnet and thus can share network resources.

1. Configure the FortiGate WAN 1 and LAN ports
2. Create an internal address range and security policy
3. Set up a wireless network with the FortiAP
4. Results

[Network diagram: Internet - WAN 1 (172.20.120.226) - FortiGate - LAN (192.168.1.99/24) - Internal network and FortiAP wireless network]

Step One: Configure the FortiGate WAN 1 and LAN ports


Go to System > Network > Interface. Configure the WAN 1 interface to use DHCP.

Configure the LAN interface to use a static IP with a DHCP server enabled.


Step Two: Create an internal address range and security policy


Go to Firewall Objects > Address > Address. Create a new address range for the internal network users.

Go to Policy > Policy > Policy. Create a security policy allowing users on the wired network to access the Internet.

Step Three: Set up a wireless network with the FortiAP


Connect the FortiAP to the LAN interface. Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.


Go to WiFi Controller > WiFi Network > SSID and create a new SSID. Ensure the Traffic Mode is set to Local bridge with FortiAP's Interface.

Go to WiFi Controller > WiFi Network > Custom AP Profile. Select Create New and select My_SSID for Radio 1 and Radio 2.


Go to WiFi Controller > Managed Access Points > Managed FortiAP. Edit the FortiAP and, in the Wireless Settings, select MyProfile for the AP Profile.

Results
Have the wifi users connect to My_SSID; they should be able to surf the Internet. The wireless devices will be in the same subnet as the internal wired network. Go to WiFi Controller > Monitor > Client Monitor to see wifi users and their IP addresses. Go to Log & Report > Traffic Log > Forward Traffic and verify that wifi users access the Internet with the same security policy as the wired network users.


Setting up guest wifi users with a captive portal


In this example, a FortiGate unit provides your office with wired networking, but guest users use laptops and mobile devices. These devices need secure WiFi access to both the office network and the Internet. Guest users use web applications and authenticate through a portal using a web browser. The company receptionist is given a limited access admin account to distribute temporary passwords for the wireless network.

1. Authorize the FortiAP over the DMZ interface
2. Add wifi guest users
3. Create an SSID using a captive portal
4. Add firewall addresses
5. Add security policies
6. Add a limited administrative role for the receptionist
7. Results

[Network diagram: Internet - WAN 1 (172.20.120.23) - FortiGate - Internal (192.168.1.99/24) - Internal network; FortiGate DMZ (10.10.80.99/24) - FortiAP - Wireless network (10.10.10.1/24)]

Step One: Authorize the FortiAP over the DMZ interface


Go to System > Network > Interface. Set the DMZ interface to be dedicated to FortiAP connections.

Connect the FortiAP to the DMZ interface and go to WiFi Controller > Managed Access Points > Managed FortiAP to authorize the FortiAP.

Step Two: Add wifi guest users


Go to User & Device > User > User Group. Create a guest wifi users group.


Step Three: Create an SSID using a captive portal


Go to WiFi Controller > WiFi Network > SSID. Create a new SSID that uses a captive portal.

Step Four: Add firewall addresses

Go to Firewall Objects > Address > Address. Create addresses for the internal wired network and the guest wifi users.


Step Five: Add security policies

Go to Policy > Policy > Policy. Create a security policy allowing wifi guest users to access the internal network.

Create a security policy allowing wifi guest users to access the Internet.


Step Six: Add a limited administrative role for the receptionist


Go to System > Admin > Admin Profile. Create a limited admin profile allowing the receptionist to create new guest users.

Go to System > Admin > Administrators. Create a new admin account for the receptionist using the new limited profile.


Results
When a guest requires access to the wireless network, the company receptionist logs into the FortiGate unit with their account and creates guest user names. Once logged in, they go to User & Device > User > Guest Management and create a new user ID.

The FortiGate unit generates a password for the user. This password is only valid for four hours.

Once this information is provided to the guest user, they can log in through the captive portal on the authentication page.


To verify that the guest user logged in successfully, go to WiFi Controller > Monitor > Client Monitor.

Once authenticated, guest users can surf on the internet and can also access resources in the internal wired network. Go to Policy > Monitor > Policy Monitor and verify the active sessions.

Select one of the bars for more information.


Security Policies and Firewall Objects


FortiGate units are used to control access between the Internet and a network, typically allowing users on the network to connect to the Internet while protecting the network from unwanted access from the Internet. The FortiGate unit has to know what access should be allowed and what should be blocked. This is what security policies are for: controlling all network traffic attempting to pass through a FortiGate unit. No traffic can pass through a FortiGate unit unless a security policy specifically allows it. With a security policy, you can control address translation, control the addresses and services used by the traffic, and apply features such as UTM, authentication, and VPNs. Most of the examples in this cookbook at some point involve creating security policies to allow traffic and then applying a feature to it. This chapter focuses more on firewall features and how to configure policies to apply them.

It is simple to set up a FortiGate unit to allow users on a network to access the Internet while blocking traffic from the Internet from reaching the protected network. All that is required is a single security policy that allows traffic from the internal network to connect to the Internet. As long as you do not add a security policy to allow traffic from the Internet onto your internal network, your network is protected. The same security policy that allows you to connect to the Internet also allows the servers you contact to respond to you. In effect, a single policy allows two-way traffic, but the incoming traffic is only allowed in response to requests sent by you.

Firewall objects are the elements within a security policy that further dictate how and when network traffic is routed and controlled. They include the addresses, services, and schedules used in security policies to control the traffic a policy accepts or blocks. Addresses are matched against the source and destination addresses of packets received by the FortiGate unit.

The examples in this chapter use a number of these elements and policies to build a secure network.


Controlling when BYOD users can access the Internet


This example uses FortiOS device identity and security policy scheduling to limit Internet use by Bring Your Own Device (BYOD) users during company time.

1. Add BYODs to the FortiGate unit
2. Add schedules for the time allowed for use of a BYOD
3. Add a device identity security policy
4. Results

[Network diagram: Internet - wan 1 - FortiWiFi - wifi (wireless mobile devices) and Internal (internal network)]

Step One: Add BYODs to the FortiGate unit


Go to User & Device > Device > Device Definition.

Alternatively, go to System > Network > Interface and, for the wireless interface, select Detect and Identify Devices. Devices not yet added may appear in the list. Double-click an entry and enter an Alias to add it.

The BYOD information may not initially appear in the table until the user connects with their device. Select Refresh if needed.

Step Two: Add schedules for time allowed for use of a BYOD
Go to Firewall Objects > Schedule > Recurring.

The schedule, when included in a security policy, will allow users to access the Internet with their personal wireless devices during lunch hours. This schedule can also be used in other security policies.


Step Three: Add a device identity security policy


Go to Policy > Policy > Policy and create a Device Identity policy.

Create a new authentication rule that includes the wireless devices and the new schedule.

Results
Go to Log & Report > Traffic Log > Forward Traffic. When a mobile user connects during the lunch break, they can surf the Internet, as shown in the logs.

When the schedule's time window ends, further surfing is blocked. This does not appear in the logs, as only allowed traffic is logged. Evidence that the schedule and policy are working appears when you attempt to connect to a web site, and possibly in a few questions from the BYOD users.


Using AirPrint with iOS and OS X and a FortiGate unit


This example sets up AirPrint services for use with an iOS device and OS X computers using Bonjour and multicast security policies.

1. Configure the FortiAP and SSIDs
2. Add addresses for the wireless networks and printer
3. Add service objects for printing
4. Add multicast security policies
5. Add inter-subnet security policies
6. Results

[Network diagram: FortiGate with LAN (192.168.1.99/24, internal network with OS X computers) and DMZ (10.10.100.1/24) to FortiAP; SSID 1 (WLAN 1, 10.10.10.1/24) with iPad 10.10.10.3 connected to SSID 1; SSID 2 (WLAN 2, 20.20.20.1/24) with AirPrint printer 20.20.20.2 connected to SSID 2]

Step One: Configure the FortiAP and SSIDs


Go to System > Network > Interface. Set the DMZ interface as dedicated for the FortiAP unit.

Connect FortiAP to the DMZ interface. Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.

Once authorized, it will appear in the authorized list.


Go to WiFi Controller > WiFi Network > SSID. Create an SSID for the network for wireless users.

Create an SSID for the network for the AirPrint printer.


Step Two: Add addresses for the wireless networks and printer

Go to Firewall Objects > Address > Address. Create addresses for SSID 1, SSID 2 and the AirPrint printer.


Create an address for the internal network with the OS X computers.

Step Three: Add service objects for printing


Go to Firewall Objects > Service > Service. Create a new service for Internet Printing Protocol (IPP) for iOS devices.

Create a new service for PDL Data Stream for OS X computers.


Step Four: Add multicast security policies


Go to Policy > Policy > Multicast Policy. Create two policies to allow multicast traffic from WLAN 1 and WLAN 2 for iOS devices.

Create two policies to allow multicast traffic from the LAN and WLAN 2 for OS X computers.


Step Five: Add inter-subnet security policies


Go to Policy > Policy > Policy. Create a policy allowing the IPP service from WLAN 1 to WLAN 2.

Create a policy allowing printing from an OS X computer to the AirPrint printer.


Results
Print a document from an iOS device. Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit.

Select an entry to see more information.

Go to Log & Report > Traffic Log > Forward Traffic and verify the entry with the IPP service.


Print a document from an OS X computer. Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit.

Select an entry to see more information.

Go to Log & Report > Traffic Log > Forward Traffic and filter the destination interface for WLAN 2 traffic.

Select an entry to see more information.


Using AirPlay with iOS, Apple TV, FortiAP and a FortiGate unit


This example sets up AirPlay services for use with an iOS device using Bonjour and multicast security policies. Apple TV can also be connected to the Internet wirelessly; AirPlay then works from any iOS device connected to the same SSID as the Apple TV, and no configuration is required on the FortiGate unit.

1. Configure the FortiAP and SSIDs
2. Add addresses for the wireless network
3. Add service objects for multicasting
4. Add multicast security policies
5. Add inter-subnet security policies
6. Results

[Network diagram: FortiGate with LAN (192.168.1.99/24, internal network with OS X computers and Apple TV) and DMZ (10.10.100.1/24) to FortiAP; SSID1 (WLAN 1, 10.10.10.1/24) with iPad 10.10.10.3 connected to SSID 1]

Step One: Configure the FortiAP and SSIDs


Go to System > Network > Interface. Set the DMZ interface as dedicated for the FortiAP unit.

Connect FortiAP to the DMZ interface. Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.

Once authorized, it will appear in the authorized list.


Go to WiFi Controller > WiFi Network > SSID. Create an SSID for the network for wireless users.

Step Two: Add addresses for the wireless network

Go to Firewall Objects > Address > Address. Create addresses for SSID 1.


Step Three: Add two service objects for AirPlay


Go to Firewall Objects > Service > Service.

Step Four: Add multicast security policies


Go to Policy > Policy > Multicast Policy. Create a policy to allow multicast traffic from the LAN and WLAN 1 for AppleTV to iOS devices.


Go to Policy > Policy > Multicast Policy. Create a policy to allow multicast traffic from the WLAN 1 and LAN for iOS devices to AppleTV.

Step Five: Add inter-subnet security policies


Go to Policy > Policy > Policy. Create a policy allowing traffic from the Apple TV to the iOS device.

Create a policy allowing traffic from the iOS device to the Apple TV.


Results
Use AirPlay from the iPad to stream video to the Apple TV. Go to Log & Report > Traffic Log > Multicast Traffic to see the multicast traffic between the WLAN 1 and LAN interfaces. Select an entry for more information.


Go to Log & Report > Traffic Log > Forward Traffic and filter on policy IDs 6 and 7, which allow the AirPlay traffic.

Select an entry for more information.


Using port forwarding on a FortiGate unit


This example illustrates how to allow incoming connections from the Internet to a server on the internal network so that the server can access a service that requires open ports. The service requires opening TCP ports in the range 7882 to 7999, as well as opening UDP ports 2119 and 2995. This involves creating multiple VIPs that map sessions from the wan 1 IP address to the server IP address.

1. Create three virtual IPs
2. Add the virtual IPs to a group
3. Create a security policy to allow inbound traffic to the server
4. Results

[Network diagram: Internet - WAN 1 (172.20.120.226) - FortiGate - LAN (192.168.1.99/24) - Server 192.168.1.200; open TCP ports 7882-7999 and UDP ports 2119 and 2995 for traffic from the Internet to the server]

Step One: Create three virtual IPs


Go to Firewall Objects > Virtual IP > Virtual IP.

Add a virtual IP for the TCP port range 7882 to 7999.

Add a virtual IP for the UDP port 2119.

Add a virtual IP for the UDP port 2995.


Step Two: Add virtual IPs to a group


Go to Firewall Objects > Virtual IP > VIP Group. Create a VIP group that includes all three virtual IPs.

Step Three: Create a security policy to allow inbound traffic to the server
Go to Policy > Policy > Policy. Create a security policy allowing inbound connections to the server from the Internet.


Results

Go to Policy > Monitor > Policy Monitor to see the active sessions.

Select the blue bar for more information.


Go to Log & Report > Traffic Log > Forward Traffic to see the logged activity.

Select an entry for more information.


UTM Profiles
UTM profiles, including antivirus, web filtering, application control, intrusion protection (IPS), email filtering, and data leak prevention (DLP), apply core UTM security functions to traffic accepted by security policies. The FortiGate unit includes default UTM profiles for all of these security features. You can apply UTM features to traffic accepted by a security policy by selecting the default profiles for the UTM features that you want to apply. The default profiles are designed to provide basic protection. You can modify the default profiles, and group them, for your needs or create new ones. Creating multiple profiles means you can apply different levels of protection to different traffic types according to the security policies that accept the traffic.

Endpoint control profiles are created to ensure that workstation computers, also known as endpoints, on your network meet the network's security requirements; otherwise, they are not permitted access. Enhanced by Fortinet's FortiClient Endpoint Security software, FortiGate endpoint control can block or control access through the FortiGate unit for workstation computers depending on the security functions enabled on the computers and the applications running on them. After creating endpoint control profiles, you can add endpoint security profiles to security policies.

The final UTM profile feature, vulnerability scanning, is independent of security policies. By using vulnerability scanning, you can scan computers on your network for multiple vulnerabilities and take action to remove those vulnerabilities.


Visualizing and controlling the applications on your network using application control
This example sets up application monitoring in security policies to determine which applications contribute to high bandwidth usage on the network or distract employees, and then blocks those applications.

1. Add an application control sensor
2. Add a security policy to use the application control sensor
3. Review the data from the application control monitor
4. Block high-bandwidth applications
5. Add a security policy to use the blocking application control sensor
6. Results

[Network diagram: Internet - WAN 1 - FortiGate - Internal - Internal network]

Step One: Add an application control sensor


Go to UTM Security Profiles > Application Control > Application Sensor. Select the plus icon in the upper right corner of the window to create a new sensor list for monitoring application traffic.

Select Create New to add a new application filter. Ensure you set the Action to Monitor. At this stage in the process, you want to watch the application traffic to determine where problems, if any, are occurring.


Step Two: Add a security policy to use the application control sensor
Go to Policy > Policy > Policy. Edit the security policy allowing internal users to access the Internet and apply the application control sensor in the UTM Security Profiles section.

Step Three: Review the data from the application control monitor
Go to UTM > Monitor > Application Monitor.


Select each blue bar to see further details on the usage statistics.

Go to Log & Report > Traffic Log > Forward Traffic. You can see the sensor is working and picking up on various application traffic.

Step Four: Block high-bandwidth applications


Go to UTM Security Profiles > Application Control > Application Sensor. Select the plus icon in the upper right corner of the window to create a new sensor list for blocking application traffic.


Select Create New to add a new application filter. Select the options for streaming media, instant messaging clients, social media and peer-to-peer file sharing. Ensure you set the Action to Block.

Step Five: Add a security policy to use the block application control sensor
Go to Policy > Policy > Policy. Edit the security policy allowing internal users to access the Internet and apply the block application control sensor in the UTM Security Profiles section.


Results
Go to Log & Report > Traffic Log > Forward Traffic. You can see the sensor is working and blocking the selected application traffic.

Select an entry to see more details.


Configuring web filter overrides and local ratings


This example sets up web site overrides for blocked sites. It will add web profiles that prohibit viewing a web site until the user authenticates an override. Once authenticated, they will still only have a limited amount of time to visit the site.

1. Configure users and user groups
2. Configure rating overrides and web filter profiles
3. Edit the security policy to include the web filter UTM profile
4. Results

[Network diagram: Internet (FortiGuard) - WAN 1 - FortiGate - LAN - Internal network]

Step One: Configure users and user groups


Go to User & Device > User > User Definition. Add users. These users will be allowed to override the web filter blocking.

Go to User & Device > User > User Group and add users to a group.

Step Two: Configure rating overrides and web filter profiles


Go to UTM Security Profiles > Web Filter > Rating Overrides. Select Lookup Rating to see the FortiGuard rating for a URL. Select Custom Categories and Create New and add the new category name for the URL.


Go to UTM Security Profiles > Web Filter > Profile. Create a web filter profile that allows the Web News category and the Streaming Media and Download category.

Create a new profile that blocks the new Web News category as well as the Streaming Media and Download category. Select the blue arrow to expand the Advanced Filter section. Enable Allow Blocked Override and assign the Overrided_URLs profile.


Step Three: Edit the security policy to include the web filter UTM profile
Go to Policy > Policy > Policy. Edit the policy allowing outbound traffic from the internal network and add the web filter profile.

Results
In a web browser, go to cnn.com. The FortiGate unit blocks the web site with an override option.


Select Override. You are prompted to authenticate to view the page.

Once successfully authenticated, you are granted access for 15 minutes from your IP address only. This access applies to all categories allowed by the Overrided_URLs web filter profile. Go to Log & Report > Traffic Log > Forward Traffic and filter the destination to the IP address of cnn.com (157.166.255.19).

Select an entry for more information.


Protecting a web server from vulnerabilities and DoS attacks using IPS
This example uses IPS to protect a web server by placing the web server on the internal network with a virtual IP, and creating a security policy that allows web access from the Internet to the server. IPS is added to the policy to protect the server from attacks.

1. Configure IPS to detect and protect against common attacks
2. Add a security profile that includes the IPS UTM profile
3. Add a DoS security policy using IPS
4. Results

[Network diagram: Attacks from the Internet - WAN 1 (172.20.120.24) - FortiGate - LAN (192.168.1.99/24) - Internal network with web server; VIP 172.20.120.24 --> 192.168.1.200]

Step One: Configure IPS to detect and protect against common attacks

Go to UTM Security Profiles > Intrusion Protection > IPS Sensor. Create a new sensor.

Select Create New and add a new IPS filter.


Step Two: Add a security profile that includes the IPS UTM profile
Go to Policy > Policy > Policy. Edit the security policy allowing traffic to the web server from the Internet and add the new IPS sensor.


Step Three: Add a DoS security policy using IPS


Go to Policy > Policy > DoS Policy. Create a new policy. The Incoming Interface is the one connected to the Internet.
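The DoS policy of this step, entered from the CLI and scoped to the web server's public address rather than to all destinations, as an added example that is not configuration from the cookbook. The address object name is an assumption; 172.20.120.24, wan1 and the SYN flood threshold of 20 come from this recipe.

```fortios
# Added example, not from the cookbook. "Web_Server_Public" is an assumed
# name; the address, interface and threshold are those of the recipe.
config firewall address
    edit "Web_Server_Public"
        set subnet 172.20.120.24 255.255.255.255
    next
end

# The threshold of 20 SYN packets per second is the recipe's test value and
# is deliberately low so the Results step can trigger it. Before using a DoS
# policy in production, measure the server's normal peak SYN rate and set
# the threshold above it so legitimate bursts are not dropped.
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "Web_Server_Public"
        set service "HTTP" "HTTPS"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 20
            next
        end
    next
end
```

Restricting dstaddr and service keeps the anomaly counters tied to the web server, so a flood against another host behind the same WAN interface does not share the same threshold.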


Results
Perform a DoS tcp_syn_flood test against the web server IP address. New TCP SYN sessions should be blocked once the threshold of 20 is reached. Note: Ensure you have the correct IP address of your web server; otherwise you may unwittingly cause a DoS attack on another server!

Go to Log & Report > UTM Security Log > Intrusion Protection.

Select an entry for more information.


Blocking email/web traffic or files containing sensitive information


This example sets up data leak prevention (DLP) for the network by analyzing data using sensors for credit card numbers, watermarked files and file pattern matching. With these filters, the FortiGate unit will scan outgoing data for potential sensitive data breaches.

1. Create a DLP file matching pattern filter
2. Set up a DLP sensor with sensor criteria
3. Create an address range for the internal network
4. Add a security profile that includes the DLP sensor
5. Results

[Network diagram: Internet - WAN 1 - FortiGate - LAN - Internal network (source of the data leak)]

Step One: Create a DLP file matching pattern filter


To create a file matching pattern, you need to create a DLP file filter. Go to UTM Security Profiles > Data Leak Prevention > File Filter. Create a new file filter table and add the file filter.

Step Two: Set up a DLP sensor with sensor criteria


Go to UTM Security Profiles > Data Leak Prevention > Sensor. Create a new sensor. To this sensor you will add the filters the FortiGate unit uses to scan outgoing data.

Select Create New to add a filter to look for the file patterns.


Select Create New to add a filter to look for credit card number patterns.

Select Create New to add a filter to look for a corporate identifier, or watermark, in outgoing files.

Step Three: Create an address range for the internal network


Go to Firewall Objects > Address > Address. Create an address range for the internal network. The FortiGate unit will scan any traffic for data loss from this range.


Step Four: Add a security profile that includes the DLP sensor
Go to Policy > Policy > Policy. Create a security policy and enable the DLP sensor using the filters created.

Results
Upload a file containing a credit card number to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network. Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.


Upload a watermarked file to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network. Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.

Upload an .exe file to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network. Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.


Monitoring your network for undesirable behavior using client reputation


Client reputation enables you to monitor traffic from internal sources based on UTM profiles and risk ratings. Client reputation tracks client behavior and reports on the activities you determine are risky or otherwise noteworthy. This example enables client reputation on web filtering to monitor traffic from various sources to web sites.

1. Add client reputation to the network
2. Create a security policy
3. Results

[Network diagram: Internet - WAN 1 - FortiGate - Internal - Internal network]

Step One: Add client reputation on the network


Go to User & Device > Client Reputation > Reputation Definition. Enable Client Reputation Tracking by selecting the Off button to turn the feature on. To configure the profile, decide how risky or dangerous each type of behavior is to your network and rate it accordingly. The higher you rate a type of behavior, the more visible clients engaging in it become in the client reputation monitor and the more easily you can detect it.

Step Two: Create a security policy

Go to Policy > Policy > Policy. In the UTM Security Profiles section, enable the web filter profile. You can use the default profiles for data gathering purposes.


Results
Allow traffic to pass through the FortiGate unit for a day. Then go to User & Device > Client Reputation > Reputation Score to view the results. Each user by device that met the threshold set appears in the chart. With this information, you can see where potential problems may occur or potential security breaches are imminent.

Select the blue bar for a device to see more information.

Client reputation only highlights risky activity. It does not include tools to stop the behavior. Rather, client reputation is a tool that exposes risky behavior. When you uncover risky behavior that you are concerned about, you can take additional action to stop it. That action could include adding more restrictive security policies to block the activity or increasing UTM protection. You can also take other measures outside your FortiGate unit to stop the activity.
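The rating-to-visibility mechanism described above, as an added example that is not part of the Cookbook or of FortiOS: each behavior category carries an administrator-chosen rating, every event for a client adds that rating to its score, and clients above a threshold are listed highest first. The log line format, category names and ratings are constructed for illustration.

```python
"""Added example (not from the FortiGate Cookbook): a model of client reputation
scoring. Behaviour categories get administrator-chosen ratings; each client's
score is the sum of the ratings of its logged events; clients above a threshold
are ranked highest first. Log format, categories and ratings are constructed."""
from __future__ import annotations

from collections import defaultdict

# Ratings per behaviour, as an administrator might set them in the Reputation
# Definition: the higher the rating, the more visible the client becomes.
RATINGS = {
    "malware-site": 10,      # web filter blocked a known malicious site
    "proxy-avoidance": 7,    # attempts to bypass the filter
    "adult-content": 5,
    "social-networking": 1,  # noted, but low risk
}

# Constructed, simplified key=value lines in the style of forward traffic log
# entries produced by web filtering (not real FortiGate output).
SAMPLE_LOG = """\
date=2013-05-15 srcip=192.168.1.20 action=blocked catdesc=malware-site
date=2013-05-15 srcip=192.168.1.20 action=passthrough catdesc=social-networking
date=2013-05-15 srcip=192.168.1.35 action=blocked catdesc=proxy-avoidance
date=2013-05-15 srcip=192.168.1.35 action=blocked catdesc=proxy-avoidance
date=2013-05-15 srcip=192.168.1.35 action=passthrough catdesc=adult-content
date=2013-05-15 srcip=192.168.1.50 action=passthrough catdesc=social-networking
date=2013-05-15 srcip=192.168.1.50 action=passthrough catdesc=news
"""


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict (values contain no spaces here)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def score_clients(log_text: str, ratings: dict) -> dict:
    """Sum the rating of every event per source IP; unrated categories add 0."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        totals[rec["srcip"]] += ratings.get(rec.get("catdesc", ""), 0)
    return dict(totals)


def rank_clients(log_text: str, ratings: dict, threshold: int = 0) -> list:
    """Return (srcip, score) pairs above the threshold, highest score first."""
    scored = score_clients(log_text, ratings)
    ranked = [(ip, s) for ip, s in scored.items() if s > threshold]
    return sorted(ranked, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # The client with two proxy-avoidance events outranks the one malware hit,
    # purely because of how the ratings above were chosen.
    for ip, score in rank_clients(SAMPLE_LOG, RATINGS, threshold=3):
        print(f"{ip:15} {score}")
```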


Inspecting content on the network using flow-based UTM instead of proxy-based UTM


Flow-based scans examine files as they pass through while proxy-based scans require that files are cached as they come in and examined once completely cached. Caching files takes more memory and system resources. UTM features using flow-based scans will continue to protect network traffic without interruption. Flow-based scanning is an ideal solution to ease the memory requirements of some UTM scans.

1. Enable flow-based antivirus
2. Enable flow-based web filtering
3. Add a firewall policy to include the new UTM security profiles
4. Results

[Network diagram: Internal Network, Internal, FortiGate (Web Filter, Viruses), WAN 1, Internet (Viruses)]

Step One: Enable flow-based antivirus


Go to UTM Security Profiles > Antivirus > Profile. Select the plus icon in the upper right corner and add a new AV profile.

Step Two: Enable flow-based web filtering


Go to UTM Security Profiles > Web Filter > Profile. Select the plus icon in the upper right corner and add a new profile to block search engines and portals.


Step Three: Add a firewall policy to include the new UTM security profiles
Go to Policy > Policy > Policy. Edit the policy allowing users to access the Internet and apply the flow-based profiles.

Results
To test the AV scanning, from a PC in the internal network, go to http://www.eicar.org and try to download a test file. The browser will time out and display a message similar to what is shown here from Google Chrome.


Go to Log & Report > Traffic Log > Forward Traffic to see that the UTM profile was activated when the file download was attempted.

To test the web filtering, from a PC in the internal network, go to google.com. The FortiGate unit displays a block message.

Go to UTM Security Profiles > Monitor > Web Monitor.


Select the blue bar in the chart to see further details by user.


Blocking large files from entering the network


If a file is too large to be properly scanned by the FortiGate unit, you need to make sure it still does not enter the network. This example configures data leak prevention (DLP) options to block large files from entering the network.

1. Set up a DLP sensor with a file matching pattern filter
2. Add a security profile that includes the DLP sensor
3. Results

[Network diagram: Internal network, LAN, FortiGate, WAN 1, Internet (Viruses/Spyware)]

Step One: Set up a DLP sensor with a file matching pattern filter

Go to UTM Security Profiles > Data Leak Prevention > Sensor. Create a new sensor. To this sensor you will add the filters the FortiGate unit uses to check incoming files.

Select Create New to add a filter to look for a file size threshold.


Step Two: Add a security profile that includes the DLP sensor
Go to Policy > Policy > Policy. Create a security policy and enable the DLP sensor using the filters created.


Results
Any attempt to download a file larger than 10 MB is blocked. The FortiGate unit displays a replacement message explaining why the attempt failed.

Go to Log & Report > Traffic Log > Forward Traffic. Select an entry to see information on the blocked file.


Blocking access to specific web sites


This example sets up the FortiGate unit to block users from viewing specific web sites using web filtering.

1. Create a new web filter block list
2. Add the block list to a web filter profile
3. Add a security profile that includes the web filter UTM profile
4. Results

[Network diagram: Internet (Block Site), WAN 1, FortiGate, LAN, Internal network]

Step One: Create a new web filter block list


Go to UTM Security Profiles > Web Filter > URL Filter. Create a new filter list for blocked URLs.

Select Create New to enter a list of URLs you want to prevent users from accessing. Using the asterisk (*) as a wildcard in the URL ensures that any sub-domain of the site is also blocked.

Step Two: Add the block list to a web filter profile


Go to UTM Security Profiles > Web Filter > Profile. Create a new profile and expand the Advanced Filter. Select the new block list in the Web URL Filter.


Step Three: Add a security profile that includes the web filter UTM profile
Go to Policy > Policy > Policy. Edit the policy allowing outbound traffic from the internal network to include UTM security profiles and select the new profile.

Results
In a web browser, attempt to visit fortinet.com and docs.fortinet.com. In both cases, the FortiGate unit displays a message.


Go to Log & Report > Traffic Log > Forward Traffic.

Select an entry for more information.
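Why the wildcard entry blocks both fortinet.com and docs.fortinet.com, shown with a small URL filter list evaluator added here as an example; it is not code from the Cookbook or from FortiOS, and its matching rules, entry types and actions are assumptions for illustration.

```python
"""Added example (not from the FortiGate Cookbook): a small model of how a web
filter URL list with Simple and Wildcard entries decides whether a requested
URL is blocked. Matching rules, entry types and actions are assumptions for
illustration, not Fortinet's implementation."""
from __future__ import annotations

import re
from urllib.parse import urlsplit


class UrlFilterEntry:
    """One row of the URL filter list: a pattern, its type and an action."""

    def __init__(self, pattern: str, kind: str, action: str) -> None:
        if kind not in ("simple", "wildcard", "regex"):
            raise ValueError(f"unknown entry type: {kind}")
        self.pattern = pattern
        self.kind = kind
        self.action = action
        self._regex = self._compile()

    def _compile(self) -> re.Pattern:
        if self.kind == "simple":
            # Exact host match; any path on the request is ignored.
            return re.compile(re.escape(self.pattern.lower()) + r"(?:/.*)?")
        if self.kind == "wildcard":
            # Each '*' stands for any run of characters, dots included, so
            # "*fortinet.com" covers the bare domain and every sub-domain.
            parts = [re.escape(p) for p in self.pattern.lower().split("*")]
            return re.compile(".*".join(parts) + r"(?:/.*)?")
        return re.compile(self.pattern, re.IGNORECASE)

    def matches(self, url: str) -> bool:
        """Match against host plus path; a scheme is added if missing."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        target = (parts.hostname or "") + parts.path
        if self.kind == "regex":
            return self._regex.search(target) is not None
        return self._regex.fullmatch(target) is not None


def evaluate(url: str, entries: list) -> str:
    """First matching entry in list order wins; no match means allow."""
    for entry in entries:
        if entry.matches(url):
            return entry.action
    return "allow"


# Constructed lists: the simple entry blocks only the exact host, while the
# wildcard entry also blocks every sub-domain such as docs.fortinet.com.
SIMPLE_LIST = [UrlFilterEntry("fortinet.com", "simple", "block")]
WILDCARD_LIST = [UrlFilterEntry("*fortinet.com", "wildcard", "block")]

if __name__ == "__main__":
    for url in ("http://fortinet.com", "https://docs.fortinet.com/doc",
                "http://www.example.com"):
        print(url, "simple:", evaluate(url, SIMPLE_LIST),
              "wildcard:", evaluate(url, WILDCARD_LIST))
```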


Blocking HTTPS traffic with web filtering


Some websites are accessible using both the http and https protocols, such as YouTube and Facebook. This example steps through how to block https access to these websites using either proxy-based or flow-based web filtering profiles. You will need to have your FortiGate licensed for FortiGuard services.

1. Verify FortiGuard services are enabled
2. Create a web filter profile
3. Create an SSL inspection profile
4. Create a security profile with the web filter and SSL profiles
5. Results

[Network diagram: YouTube, Facebook, HTTPS, FortiGuard, Internet, WAN 1, FortiGate, Internal, Internal Network]

Step One: Verify FortiGuard services are enabled


Go to System > Dashboard > Status.

In the License Information widget, verify that the FortiGate unit is connected to the FortiGuard servers. A green check mark should appear next to the services you are subscribed to.

Step Two: Create a web filter profile


Go to UTM Security Profiles > Web Filter > Profile. Select the plus icon in the upper-right corner to create a new profile. Ensure the inspection mode is set to Proxy. You can also set the Inspection Mode to Flow-based or DNS.


Step Three: Create an SSL Inspection profile


Go to Policy > Policy > SSL/SSH Inspection. Select the plus icon in the upper-right corner to create a new profile and enable only the HTTPS option.

Step Four: Create a security profile


Go to Policy > Policy > Policy. Create a new security policy that uses the new SSL/SSH inspection profile and the HTTPS web filter profile.


Results
In a web browser, go to https://youtube.com. The web page is blocked and a FortiGate replacement message is put up in its place.

Go to System > Admin > Settings. Enable UTM Monitoring in the Display Options on GUI area.

Go to UTM Security Profiles > Monitor > Web Monitor.

If you chose DNS block or redirect, when you visit https://youtube.com, the browser will time out. FortiGuard will not display a message.


SSL and IPsec VPN


SSL is an easy-to-use, application-level, network-independent method of ensuring private communication over the Internet. Commonly used to protect the privacy of online shopping payments, customers' web browsers can almost transparently switch to using SSL for secure communication without customers being required to do any SSL-related configuration or have any extra SSL-related software.

The FortiGate SSL VPN configuration requires an SSL VPN web portal for users to log into, a user authentication configuration to allow SSL VPN users to log in, and the creation of SSL VPN security policies that control the source and destination access of SSL VPN users. SSL VPN security policies can also apply UTM and other security features to all SSL VPN traffic.

IPsec VPN is a common method for enabling private, secure communication over the Internet. IPsec supports a similar client-server architecture to SSL VPN. However, to support a client-server architecture, IPsec clients must install and configure an IPsec VPN client (such as Fortinet's FortiClient Endpoint Security) on their PCs or mobile devices. IPsec VPN supports more configuration options than SSL VPN.

A common application of IPsec VPN is a gateway-to-gateway configuration that allows users to transparently communicate between remote networks over the Internet. When a user on one network starts a communication session with a server on the other network, a security policy configured for IPsec VPN intercepts the communication session and uses an associated IPsec configuration to both encrypt the session for privacy and transparently route the session over the Internet to the remote network. At the remote network the encrypted communication session is intercepted and decrypted by the IPsec gateway and the unencrypted traffic is forwarded to the server. Many variations of the gateway-to-gateway configuration are available depending on the requirements.

All communication over IPsec VPNs is controlled by security policies. Security policies allow for full access control and can be used to apply UTM and other features to IPsec VPN traffic. Fortinet IPsec VPNs employ industry-standard features to ensure the best security and interoperability with industry-standard VPN solutions provided by other vendors.


Protecting traffic between company headquarters and branch offices using IPsec VPN
This example uses a gateway-to-gateway IPsec VPN, and assumes that both offices have connections to the Internet with static IP addresses. This configuration uses a policy-based IPsec VPN.

1. Configure the HQ IPsec VPN Phase 1 and Phase 2 settings
2. Add HQ addresses for the local and remote LAN on the HQ FortiGate unit
3. Create an HQ IPsec security policy
4. Configure the Branch IPsec VPN Phase 1 and Phase 2 settings
5. Add Branch addresses for the local and remote LAN on the HQ FortiGate unit
6. Create a Branch IPsec security policy
7. Results

[Network diagram: FortiGate (wan1 172.20.120.123, port1 192.168.1.99/24, Internal Network (HQ)), IPsec over the Internet, FortiGate (port3 172.20.120.141, port4 10.10.1.99/24, Internal Network (Branch))]

Step One: Configure the HQ IPsec VPN Phase 1 and Phase 2 settings
Go to VPN > IPsec > Auto Key (IKE). Select Create New Phase 1.

Go to VPN > IPsec > Auto Key (IKE). Select Create New Phase 2.


Step Two: Add HQ addresses for the local and remote LAN on the HQ FortiGate unit
Go to Firewall Objects > Address > Address. Create a local address and a remote LAN address.

Step Three: Create an HQ IPsec security policy


Go to Policy > Policy > Policy. When complete, make sure it is at the top of the policy list by clicking on the policy sequence number and dragging the row to the top of the policy table.


Step Four: Configure the Branch IPsec VPN Phase 1 and Phase 2 settings
Go to VPN > IPsec > Auto Key (IKE). Select Create New Phase 1.

Go to VPN > IPsec > Auto Key (IKE). Select Create New Phase 2.


Step Five: Add Branch addresses for the local and remote LAN on the HQ FortiGate unit
Go to Firewall Objects > Address > Address. Create a local address and a remote LAN address.

Step Six: Create a Branch IPsec security policy


Go to Policy > Policy > Policy. When complete, make sure it is at the top of the policy list by clicking on the policy sequence number and dragging the row to the top of the policy table.


Results
Go to VPN > Monitor > IPSec Monitor to verify the status of the VPN tunnel. It should be up.

A user on either of the office networks should be able to connect to any address on the other office network transparently. For example, from a PC on the Branch office with IP address 10.10.1.100 you should be able to ping a device on the Headquarters network with the IP address 192.168.1.114 and vice versa.

From the Headquarters FortiGate unit go to Log & Report > Traffic Log > Forward Traffic.

From the Branch FortiGate unit go to Log & Report > Traffic Log > Forward Traffic.


Providing remote users with access to a corporate network and Internet using SSL VPN
This example sets up remote users to connect to the corporate network using SSL VPN, and to use the FortiGate UTM for surfing the Internet. During the connecting phase, the FortiGate unit will also verify that the remote users' antivirus software is installed and current.

1. Create an SSL VPN tunnel for remote users
2. Create user definitions and add them to a group
3. Add an address for the local network
4. Add security profiles for access to the Internet and internal network
5. Set the FortiGate unit to verify users have current antivirus software
6. Results

[Network diagram: Internet, WAN 1 172.20.120.123, Remote sslvpn user, sslroot browsing, FortiGate, Port 1 192.168.1.99/24, Internal Network, Windows Server 192.168.1.114]

Step One: Create an SSL VPN tunnel for remote users


Go to VPN > SSL > Portal. Edit the full-access portal.

The full-access portal allows the use of tunnel mode and/or web mode. In this scenario we are using both modes.

Enable Split Tunneling is left disabled so that all Internet traffic goes through the FortiGate unit and is subject to the corporate UTM profiles.

Select Create New in the Include Bookmarks area to add a bookmark for a remote desktop link/connection.


Step Two: Create user definitions and add them to a group


Go to User & Device > User > User Definition. Add a remote user.

Go to User & Device > User > User Group. Add the user to a user group for SSL VPN connections.

Step Three: Add an address for the local network


Go to Firewall Objects > Address > Address. Add the address for the local network.


Step Four: Add security profiles for access to the Internet and internal network
Go to Policy > Policy > Policy. Add a security policy allowing access to the internal network.

Add a security policy allowing access to the Internet. For this policy, the Incoming Interface is the sslvpn tunnel interface and the Outgoing Interface is wan1. This way, remote SSL VPN users access the Internet through the FortiGate unit.


Step Five: Set the FortiGate unit to verify users have current antivirus software
Go to System > Status > Dashboard. In the CLI Console widget, enter the commands on the right to enable the host check for compliant antivirus software on the remote user's computer.

Results

Log into the portal as twhite.

The FortiGate unit performs the host check.


After the check is complete, the portal appears.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Web Application description indicates that the user is using web mode.


Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

In the Tunnel Mode widget, select Connect to enable the tunnel.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Tunnel description indicates that the user is using tunnel mode.


Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

Go to Log & Report > Traffic Log > Forward Traffic. Internet access occurs simultaneously through the FortiGate unit.

Select an entry to see more information.


Securing remote access to the office network using FortiClient IPsec VPN
This example sets up a remote user and user group to provide protected access to the corporate network. The remote users use the FortiClient Endpoint Protection software to connect to the VPN tunnel. This example sets up the user to access the internal network as well as access the Internet through the FortiGate unit, to provide a secure surfing experience using the FortiGate UTM features.

1. Create a new FortiClient user and add to a user group
2. Create an IPsec FortiClient VPN tunnel
3. Add addresses for the local LAN and remote FortiClient users
4. Create security policies for access to the internal network and Internet
5. Results

[Network diagram: FortiGate (wan 1 172.20.120.123, port 1 192.168.1.99/24), Internet, IPsec, Remote user (FortiClient), Internal Network]

Step One: Create a new FortiClient user and add to a user group
Go to User & Device > User > User Definition. Create a new user.

Go to User & Device > User > User Group. Create a user group for FortiClient users and add user twhite.

Step Two: Create an IPsec FortiClient VPN tunnel


Go to VPN > IPsec > Auto Key (IKE). Select Create FortiClient VPN.


Step Three: Add addresses for the local LAN and remote FortiClient users
Go to Firewall Objects > Address > Address.

Step Four: Create security policies for access to the internal network and Internet
Go to Policy > Policy > Policy. Create a security policy allowing remote FortiClient users to access the internal network.


Go to Policy > Policy > Policy. Create a security policy allowing remote FortiClient users to access the Internet securely through the FortiGate unit.

Results
Launch FortiClient and go to Remote Access and add new connection.


Connect using the user name twhite.

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor to see the status of the tunnel.

Verify the IP address assigned to the remote user by the FortiGate unit, which is 10.10.1.100. All hosts in the internal network should be accessible using the FortiClient VPN. To test this, ping an internal server set to IP 192.168.1.114 and log on to it using RDP.

Go to Log & Report > Traffic Log > Forward Traffic and filter by the policy ID controlling the FortiClient VPN traffic.


Securing remote access to the office network for an iOS device over IPsec VPN
This example sets up a remote user and user group to provide protected access to the corporate network. The remote users use their iPad to connect to the VPN tunnel. This example sets up the user to access the internal network as well as access the Internet through the FortiGate unit, to provide a secure surfing experience using the FortiGate UTM features. This example uses an iPad 2 running iOS 6.1.2. Menu options may vary for different iOS versions and devices.

1. Create a new user and add to a user group
2. Add addresses for the local LAN and remote users
3. Configure the IPsec VPN Phase 1 and Phase 2 settings
4. Create security policies for access to the internal network and Internet
5. Results

[Network diagram: FortiGate (wan 1 172.20.120.123, Port 1 192.168.1.99/24), Internet, IPsec, Remote user (iPad), Internal Network]

Step One: Create a new user and add to a user group


Go to User & Device > User > User Definition. Create a new user.

Go to User & Device > User > User Group. Create a user group for iOS users and add user twhite.

Step Two: Add addresses for the local LAN and remote users
Go to Firewall Objects > Address > Address.


Go to Firewall Objects > Address > Address.

Step Three: Configure the IPsec VPN Phase 1 and Phase 2 settings
Go to VPN > IPSec > Auto Key (IKE). Select Create Phase 1.

For the Mode, select Main. In the Advanced section select Enable IPsec Interface Mode and select 2 for the DH Group. Enable XAUTH and select the user group ios_group.


Go to VPN > IPSec > Auto Key (IKE). Select Create Phase 2.

In the Advanced section select 2 for the DH Group.

Once you complete the tunnel configuration, go to System > Dashboard > Status and enter the commands here in the CLI widget.


Step Four: Create security policies for access to the internal network and Internet
Go to Policy > Policy > Policy. Create a security policy allowing remote iOS users to access the internal network.

Go to Policy > Policy > Policy. Create a security policy allowing remote iOS users to access the Internet securely through the FortiGate unit.


Results
On the iPad, go to Settings > General > VPN and select Add VPN Configuration.

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and see the status of the tunnel.

Devices on the internal network will be accessible from the iPad. Go to Log & Report > Traffic Log > Forward Traffic to see the traffic.


Select an entry to view more information.

Remote iOS users can also access the Internet securely via the FortiGate unit. Go to Log & Report > Traffic Log > Forward Traffic to see the traffic.

Select an entry to view more information.


Redundant OSPF routing between two remote networks over IPsec VPN
This example sets up secure communication between two remote networks using redundant OSPF routes.

1. Create redundant IPsec tunnels on FortiGate 1
2. Create IP addresses for the IPsec interfaces on FortiGate 1
3. Configure OSPF on FortiGate 1
4. Configure firewall addresses on FortiGate 1
5. Configure security policies on FortiGate 1
6. Create redundant IPsec tunnels on FortiGate 2
7. Create IP addresses for the IPsec interfaces on FortiGate 2
8. Configure OSPF on FortiGate 2
9. Configure firewall addresses on FortiGate 2
10. Configure security policies on FortiGate 2
11. Results

[Network diagram: FortiGate 1 (WAN 1 172.20.120.24, WAN 2 172.20.120.23, Internal 10.20.1.1/24, Internal Network (HQ)) and FortiGate 2 (WAN 1 172.20.120.123, WAN 2 172.20.120.127, Internal 10.21.1.1/24, Internal Network (Branch)) joined by two IPsec tunnels over the Internet, with OSPF running over both]

Step One: Create redundant IPSec tunnels on FortiGate 1


Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1 and create the primary tunnel. Select Advanced and select Enable IPSec Interface Mode.

Select Create Phase 2.


Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1 and create the secondary tunnel. Select Advanced and select Enable IPSec Interface Mode.

Select Create Phase 2.


Step Two: Create IP addresses for the IPsec interfaces on FortiGate 1


Go to System > Network > Interface. Select the arrow for wan1 to expand the list. Edit the primary tunnel interface.

Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface.

Step Three: Configure OSPF on FortiGate 1


Go to Router > Dynamic > OSPF. Enter the Router ID for FortiGate 1.

Select Create New in the Area section. Add the backbone area of 0.0.0.0.


Select Create New in the Networks section. Create the networks and select Area 0.0.0.0 for each one.

Select Create New in the Interfaces section. Create the primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Step Four: Configure firewall addresses on FortiGate 1


Go to Firewall Objects > Address > Address. Edit the subnets behind FortiGate 1 and FortiGate 2.


Edit the primary and secondary interfaces of FortiGate 2.

Step Five: Configure security policies on FortiGate 1


Go to Policy > Policy > Policy. Create security policies for each primary and secondary interface to the FortiGate 2 primary and secondary interfaces.


Step Six: Create redundant IPSec tunnels on FortiGate 2


Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1 and create the primary tunnel. Select Advanced and select Enable IPSec Interface Mode.

Select Create Phase 2.


Go to VPN > IPsec > Auto Key (IKE). Select Create Phase 1 and create the secondary tunnel. Select Advanced and select Enable IPSec Interface Mode.

Select Create Phase 2.


Step Seven: Create IP addresses for the IPsec interfaces on FortiGate 2


Go to System > Network > Interface. Select the arrow for wan1 to expand the list. Edit the primary tunnel interface.

Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface.

Step Eight: Configure OSPF on FortiGate 2


Go to Router > Dynamic > OSPF. Enter the Router ID for FortiGate 2.

Select Create New in the Area section. Add the backbone area of 0.0.0.0.


Select Create New in the Networks section. Create the networks and select Area 0.0.0.0 for each one.

Select Create New in the Interfaces section. Create the primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Step Nine: Configure firewall addresses on FortiGate 2


Go to Firewall Objects > Address > Address. Edit the subnets behind FortiGate 1 and FortiGate 2.


Edit the primary and secondary interfaces of FortiGate 1.

Step Ten: Configure security policies on FortiGate 2


Go to Policy > Policy > Policy. Create security policies for each primary and secondary interface to the FortiGate 1 primary and secondary interfaces.


Results
Verify the primary and secondary IPsec VPN tunnel status on FortiGate 1 and FortiGate 2. Tunnels on both FortiGates should be UP. Go to VPN > Monitor > IPsec Monitor to verify the status.

Verify the routing table on FortiGate 1 and FortiGate 2. The primary OSPF route (the one with cost = 10) appears on both FortiGates. Go to Router > Monitor > Routing Monitor. Type OSPF for the Type and select Apply Filter to verify the OSPF route.

Verify that traffic flows via the primary tunnel. From PC1 (IP 10.20.1.100) behind FortiGate 1, run a tracert to PC2 (IP 10.21.1.100) behind FortiGate 2, and vice versa. From PC1, you should see the traffic go through 10.1.1.2, which is the primary tunnel interface IP set on FortiGate 2. From PC2, you should see the traffic go through 10.1.1.1, which is the primary tunnel interface IP set on FortiGate 1.


The VPN network between the two OSPF networks uses the primary VPN connection. Disconnect the wan1 interface and confirm that the secondary tunnel is used automatically to maintain a secure connection. Verify the IPsec VPN tunnel status on FortiGate 1 and FortiGate 2. Both FortiGates should show that the primary tunnel is DOWN and the secondary tunnel is UP. Go to VPN > Monitor > IPsec Monitor to verify the status.

Verify the routing table on FortiGate 1 and FortiGate 2. The secondary OSPF route (the one with cost = 100) appears on both FortiGate units. Go to Router > Monitor > Routing Monitor. Type OSPF for the Type and select Apply Filter to verify the OSPF route.

Verify that traffic flows via the secondary tunnel. From PC1 (IP 10.20.1.100) behind FortiGate 1, run a tracert to PC2 (IP 10.21.1.100) behind FortiGate 2, and vice versa. From PC1, you should see the traffic go through 10.2.1.2, which is the secondary tunnel interface IP set on FortiGate 2. From PC2, you should see the traffic go through 10.2.1.1, which is the secondary tunnel interface IP set on FortiGate 1.


Authentication
Authentication is the act of confirming the identity of a person or other entity. In the context of a private computer network, the identities of users or host computers must be established to ensure that only authorized parties can access the network. The FortiGate unit enables controlled network access and applies authentication to users of security policies and VPN clients. Identifying users and other computers (authentication) is a key part of network security. This chapter describes some basic configurations.


Providing single sign-on on a Windows AD network by adding a FortiGate


This example uses the Fortinet Single Sign-On (FSSO) Collector Agent to integrate a FortiGate unit into the Windows AD domain.

1. Install the FSSO Collector Agent
2. Configure the Single Sign-on Agent
3. Configure the FortiGate unit to connect to the FSSO agent
4. Add an FSSO user group
5. Add an address for the internal network
6. Add a security profile that includes an authentication rule
7. Results

[Network diagram: Internet, WAN 1 172.20.120.123, FortiGate, Port 1 192.168.1.99/24, Windows AD 192.168.1.114, Internal Network]

Step One: Install the FSSO Collector Agent


Run the setup for the Fortinet SSO Collector Agent. After logging in, configure the agent settings.

Add the Collector Agent address information.


Select the domains to monitor, and any users whose activity you do not wish to monitor.

Set the working mode and complete the installation.


Step Two: Configure the Single Sign-on Agent


If required, select Require authenticated connection from FortiGate, and add a password. You will also enter this password when configuring FSSO on the FortiGate unit.

Step Three: Configure the FortiGate unit to connect to the FSSO agent
On the FortiGate unit, go to User & Device > Authentication > Single Sign-On. Enter the password that was set on the Collector Agent in the previous step.

Step Four: Add an FSSO user group


On the FortiGate unit, go to User & Device > User > User Group.


Step Five: Add an address for the internal network


Go to Firewall Objects > Address > Address.

Step Six: Add a security profile that includes an authentication rule


Go to Policy > Policy > Policy. Add an accept user identity security policy and add the new FSSO group.


Results
Go to Log & Report > Traffic Log > Forward Traffic. As users log into the Windows AD system, the FortiGate collects their connection information.

Select an entry for more information.
