Study guide for certification
FortiGate Multi-Threat Security Systems I Administration, Content Inspection and VPNs
Student Training Guide, Course 201
www.fortinet.com
FortiGate Multi-Threat Security Systems I: Administration, Content Inspection and VPNs
Student Guide for FortiOS 5.0 (Revision C)
Course 201
01-50000-0201-20130215-C
Copyright 2013 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams, or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Course 201 Administration, Content Inspection and VPNs
01-50000-0201-20130215-C i
Module 1: Introduction to Fortinet Unified Threat Management
Module 2: Logging and Monitoring
Module 3: Firewall Policies
Module 4: Local User Authentication
Module 5: SSL VPN
Module 6: IPSec VPN
Module 7: Antivirus
Module 8: Email Filtering
Module 9: Web Filtering
Module 10: Application Control
© 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C

Module 1: Introduction to Fortinet Unified Threat Management
Module Objectives
By the end of this module, participants will be able to:
- Identify the major features of the FortiGate Unified Threat Management appliance
- Access and use the FortiGate unit's administration interfaces
- Create administrators
- Work with configuration files
Traditional Network Security Solutions
Many single-purpose systems are needed to cope with a variety of threats: firewall, antivirus, antispam, WAN optimization, web filtering, application control, intrusion prevention, VPN.

Fortinet Solution
One device provides a comprehensive security and networking solution: firewall, antivirus, antispam, WAN optimization, web filtering, application control, intrusion prevention, VPN, and more.
Fortinet Solution
- Hardware: purpose-driven hardware
- FortiOS: specialized operating system
- Firewall, AV, Web Filter, IPS: security and network-level services
- FortiGuard Subscription Services: automated update service

FortiGate Unit Capabilities
Firewall, antivirus, email filtering, web filtering, intrusion prevention, application control, data leak prevention, WAN optimization, secure VPN, wireless, dynamic routing, endpoint compliance, virtual domains, traffic shaping, high availability, logging and reporting, authentication.
Fortinet Appliances
FortiAnalyzer, FortiMail, FortiManager, FortiScan, FortiBridge, FortiCarrier, FortiDB, FortiWiFi, FortiWeb, FortiSwitch, FortiVoice, FortiAP, FortiGate-ONE, FortiClient

FortiGuard Subscription Services
- Global Update service for AV/IPS (update.fortiguard.com)
- Global Live service for FortiGuard Web Filtering/Antispam (service.fortiguard.net)
- The FortiGate unit prefers nearby servers; server distance is estimated from time zones
- Major server centers are in North America as well as Asia and Europe
- The nearest servers are preferred, but the choice adjusts based on server load
Device Factory Defaults
- Port1 or the Internal interface has the IP address 192.168.1.99
- Port1 or the Internal interface has a DHCP server set up and enabled (on devices that support DHCP servers)
- The default login is always user admin with a blank password
- Usernames and passwords are both case sensitive
Set a password for admin and restrict administrative access (admin profiles, trusted hosts) before the unit is connected to a production network.

Device Administration
- Web GUI
- CLI
Admin Profiles
An admin profile grants Read or Read-Write access, per configuration area, to the administrators that use it: system configuration, network configuration, firewall configuration, UTM configuration, VPN configuration, etc.
Administrators
- super_admin profile: full access
- prof_admin profile: full access within a single virtual domain
- Custom profile: custom access

Administrator Trusted Hosts
Trusted hosts restrict the source addresses from which an administrator account may log in; a login attempt from any other address is refused even when the password is correct.
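The trusted-host, admin-profile and case-sensitive login checks on these slides, as an added example that is not Fortinet code: a Python model of administrator accounts. The profile names and access areas follow the slides; the account names, passwords and networks are constructed, and the clear-text password comparison stands in for the unit's credential store.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not Fortinet code: a model of the admin-profile, trusted-host
# and case-sensitive login checks described on the slides. Account names,
# passwords and networks below are constructed for the demonstration.

NONE, READ, READ_WRITE = "none", "read", "read-write"


@dataclass
class AdminProfile:
    name: str
    # configuration area -> access level; an area that is not listed gets no access
    access: Dict[str, str] = field(default_factory=dict)
    # None = every virtual domain (super_admin); a VDOM name = prof_admin-style scope
    vdom: Optional[str] = None

    def permits(self, area: str, write: bool, vdom: str = "root") -> bool:
        if self.vdom is not None and self.vdom != vdom:
            return False
        level = self.access.get(area, NONE)
        return level == READ_WRITE if write else level in (READ, READ_WRITE)


@dataclass
class Administrator:
    name: str
    password: str                      # clear text only for this model
    profile: AdminProfile
    trusted_hosts: List[str] = field(default_factory=list)   # CIDRs; empty = any host

    def host_trusted(self, source_ip: str) -> bool:
        if not self.trusted_hosts:
            return True
        ip = ipaddress.ip_address(source_ip)
        return any(ip in ipaddress.ip_network(n, strict=False) for n in self.trusted_hosts)


def login(admins: Dict[str, Administrator], username: str, password: str,
          source_ip: str) -> Optional[Administrator]:
    """Return the administrator on success, None on any failure.

    The username lookup is exact (case sensitive) and the password check is a
    constant-time comparison, so a near-miss leaks nothing about which part failed."""
    admin = admins.get(username)
    if admin is None or not admin.host_trusted(source_ip):
        return None
    if not hmac.compare_digest(admin.password.encode(), password.encode()):
        return None
    return admin


def factory_default_accounts(admins: Dict[str, Administrator]) -> List[str]:
    """Audit check: accounts that still have the blank factory password."""
    return sorted(name for name, a in admins.items() if a.password == "")


SUPER_ADMIN = AdminProfile("super_admin", {area: READ_WRITE for area in
                           ("system", "network", "firewall", "utm", "vpn")})
PROF_ADMIN = AdminProfile("prof_admin", dict(SUPER_ADMIN.access), vdom="root")
AUDITOR = AdminProfile("auditor", {"system": READ, "firewall": READ})   # custom profile

ADMINS = {
    "admin": Administrator("admin", "", SUPER_ADMIN),                        # factory default
    "netops": Administrator("netops", "Str0ng-pass", PROF_ADMIN, ["10.0.1.0/24"]),
    "audit": Administrator("audit", "R3ad-only", AUDITOR, ["10.0.1.10/32"]),
}
```

The trusted-host test runs before the password is even compared, which is the property the lab on restricting administrator access relies on; factory_default_accounts() is the kind of check to run against a configuration backup before a unit goes live.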
Administrator Authentication
- Username and password (one factor)
- Username and password + FortiToken (two factor)
Device Configuration
- Device configuration settings can be saved to an external file, with optional encryption
- The file can be restored to roll the device back to a previous configuration
- A configuration file can also be saved per VDOM
Interface IPs
Every used interface on the unit must have an IP address assigned (in NAT mode) using one of three methods: manual IP, DHCP-assigned, or PPPoE (CLI only).

Static Gateway
- There must be at least one default gateway
- If an interface uses DHCP or PPPoE, a gateway can be added to the routing table dynamically
DHCP Server - Setup
1. Interface and mode selection
2. IP and DNS configuration
3. Advanced DHCP configuration (reserved IPs, WINS, etc.)

DHCP Server IP Reservation
- A reserved IP address is always assigned to the same DHCP host
- Select an IP address, or choose an existing DHCP lease, to add to the reserved list
- Identify the IP address reservation as either DHCP over Ethernet or DHCP over IPSec
- The MAC address of the DHCP host is used to look up the IP address in the IP reservation table
DHCP Activity
FortiGate DNS Server
The FortiGate unit can resolve DNS lookups from an internal network. The DNS service is set up per interface with one of three methods:
- Forward-only: DNS requests are sent to the DNS servers configured for the unit
- Non-recursive: DNS requests are resolved using the FortiGate DNS database; unresolved requests are dropped
- Recursive: DNS requests are resolved using the FortiGate DNS database; any unresolved requests are relayed to the DNS servers configured for the unit
One DNS database can be shared by all the FortiGate interfaces. If VDOMs are enabled, a DNS database needs to be created in each VDOM.
DNS Server Configuration
- DNS zones need to be added when configuring the DNS database; each zone has its own domain name, in the zone format defined by RFC 1034 and RFC 1035
- DNS entries are added to each zone; an entry includes a hostname and the IP address it resolves to
- Each entry also specifies the record type: IPv4 address (A), IPv6 address (AAAA), name server (NS), canonical name (CNAME), mail exchange (MX), or reverse-lookup pointer for an IPv4 or IPv6 address (PTR)
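The three DNS modes and the zone database from the two slides above, as an added example that is not Fortinet code: a Python model in which the zone records and the upstream answers are constructed, and the longest-suffix zone match used to pick a zone is this model's own choice.

```python
from typing import Dict, Optional, Tuple

# Added example, not Fortinet code: a model of the three per-interface DNS modes.
# The zone records and the upstream answers are constructed for the demonstration;
# picking the zone by longest matching suffix is this model's own choice.

# Zone database: zone name -> {(hostname, record type): value}; "@" is the zone apex.
ZONES: Dict[str, Dict[Tuple[str, str], str]] = {
    "example.com": {
        ("www", "A"): "10.10.10.10",
        ("www", "AAAA"): "2001:db8::10",
        ("intranet", "CNAME"): "www.example.com",
        ("@", "MX"): "mail.example.com",
    },
}

# Stand-in for the DNS servers configured for the unit (constructed answers).
UPSTREAM: Dict[Tuple[str, str], str] = {
    ("www.fortinet.com", "A"): "203.0.113.20",
}


def lookup_db(qname: str, qtype: str) -> Optional[str]:
    """Resolve from the FortiGate DNS database: longest zone suffix, then the host."""
    qname = qname.rstrip(".").lower()
    for zone in sorted(ZONES, key=len, reverse=True):
        if qname == zone:
            host = "@"
        elif qname.endswith("." + zone):
            host = qname[: -len(zone) - 1]
        else:
            continue
        return ZONES[zone].get((host, qtype))   # None if the zone has no such record
    return None


def forward_upstream(qname: str, qtype: str) -> Optional[str]:
    """Relay the query to the DNS servers configured for the unit."""
    return UPSTREAM.get((qname.rstrip(".").lower(), qtype))


def resolve(qname: str, qtype: str, mode: str) -> Optional[str]:
    """Answer a query as an interface in the given mode would; None = no answer."""
    if mode == "forward-only":                    # database never consulted
        return forward_upstream(qname, qtype)
    if mode == "non-recursive":                   # unresolved queries are dropped
        return lookup_db(qname, qtype)
    if mode == "recursive":                       # database first, then relay
        answer = lookup_db(qname, qtype)
        return answer if answer is not None else forward_upstream(qname, qtype)
    raise ValueError(f"unknown DNS mode: {mode}")
```

The forward-only case is the one to watch on an internal interface: queries for internal names are never answered from the database and are sent to the upstream servers instead, so internal hostnames leave the network.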
Firmware Upgrade Steps
1. Back up and store the old configuration (full configuration backup from the CLI)
2. Have a copy of the old firmware available
3. Have a disaster recovery option on standby (especially if remote)
4. READ THE RELEASE NOTES (upgrade path, bug information)
5. Double-check everything
6. Upgrade
Firmware Downgrade Steps
1. Locate the pre-upgrade configuration file
2. Have a copy of the old firmware available
3. Have a disaster recovery option on standby (especially if remote)
4. READ THE RELEASE NOTES (is a downgrade possible?)
5. Double-check everything
6. Downgrade (all settings except those needed for access are lost)
7. Restore the pre-upgrade configuration

Labs
Lab 1: Initial Setup and Configuration
- Ex 1: Configuring Network Interfaces
- Ex 2: Exploring the Command Line Interface
- Ex 3: Restoring Configuration Files
- Ex 4: Performing Configuration Backups
(OPTIONAL) Lab 2: Administrative Access
- Ex 1: Profiles and Administrators
- Ex 2: Restricting Administrator Access
Classroom Lab Topology
Module 2: Logging and Monitoring
Module Objectives
By the end of this module, participants will be able to:
- Define the storage location for log information
- Enable logging for different FortiGate unit events
- View and search logs
- Monitor log activity
- Understand raw log output
- Customize widgets on the dashboard
Logging and Monitoring
Logging and monitoring are key elements in maintaining devices on the network:
- Monitor network and Internet traffic
- Track down and pinpoint problems
- Establish baselines

Logging Severity Levels
Administrators define the severity level at which the FortiGate unit records log information. All messages at, or above, the minimum severity level will be logged:
- Emergency: system unstable
- Alert: immediate action required
- Critical: functionality affected
- Error: an error exists that can affect functionality
- Warning: functionality could be affected
- Notification: information about normal events
- Information: general system information (default)
- Debug: debug log messages
Log Storage Locations
- Local logging: memory and hard drive
- Remote logging: syslog, SNMP

Log Types and Subtypes
- Traffic Log: Forward (traffic passed/blocked by firewall policies), Local (traffic aimed directly at, or created by, the FortiGate device), Invalid (packets considered invalid/malformed and dropped)
- Event Log: System (system-related events), Router, VPN, User, WanOpt & Cache, WiFi
- UTM Security Log: Antivirus, Web Filter, Intrusion Protection, etc.
Log Structure and Behavior
Options for log behavior:
- UTM events consolidated into the Forward Traffic log
- UTM events separated into individual logs

    config system global
        set utm-incident-traffic-log [enable|disable]
    end

Pre-5.0 behavior: if Log Allowed Traffic was disabled on the policy, a UTM event still enabled traffic logging for that session; this behavior was always on and not configurable.
Consolidating UTM logs into the Traffic Log is recommended for performance: multiple individual log files are harder on the CPU than one.

Traffic Log Generation

Log Traffic | UTM Function                          | Extended-utm | utm-incident-traffic-log | Behavior
Enabled     | Disabled (traffic does not go to UTM) | N/A          | N/A                      | Traffic log generated by the kernel (as before); all new UTM fields empty
Enabled     | Enabled (traffic goes to UTM)         | Disabled     | Either                   | UTM events generate logs in the traffic log; all traffic through the policy generates a traffic log
Disabled    | Enabled (traffic goes to UTM)         | Disabled     | Enabled                  | UTM events generate logs in the traffic log; only traffic that has a UTM event generates traffic logs
Disabled    | Enabled (traffic goes to UTM)         | Disabled     | Disabled                 | Only UTM events generate logs in the traffic log (no other traffic logs)
Disabled    | Enabled (traffic goes to UTM)         | Enabled      | Enabled                  | UTM events generate logs in the UTM log; only traffic that has a UTM event generates traffic logs
Viewing Log Messages

Log Viewer Filtering
Use Filter Settings to customize the display of log messages:
- Show specific information in log messages
- Reduce the number of log entries that are displayed
- Easily locate specific information
Log Severity Level
The log severity level is indicated in the level field of the log message (information = normal event). Example event log message:

    date=2012-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=http(10.0.1.10) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from http(10.0.1.10)"

Viewing Log Messages (Raw)
Fields in each log message are arranged into two groups.
Log header (common to all log messages):

    date=2012-11-13 time=11:17:56 logid=0000000009 type=traffic subtype=forward level=notice vd=root

Log body (varies per log entry type):

    srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100
Viewing Log Messages (Raw)
The type and subtype fields identify the log file in which the message is recorded (for example, UTM > Data Leak Prevention or Traffic > Forward Traffic). Example DLP log header and body:

    date=2012-08-30 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp level=warning vd=root filteridx=0
    policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" group="group" srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1 ...

policyid = ID number of the firewall policy matching the session. A fuller DLP log body:

    srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100 hostname="host" url="www.abcd.com" msg="Data Leak Prevention Testing Message" action=block severity=0 infection="carrier end point filter"
Viewing Log Messages (Raw)
status = action taken by the FortiGate unit. Example forward traffic log body for a denied session:

    srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0 dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0 status=deny user="test user" group="test group" policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0 service=other proto=0 appid=1 app="AIM" appcat="IM" applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name" shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name" shaperdroprcvdbyte=16843009 shaperperipname="perip name" shaperperipdropbyte=16843009 devtype="iPad" osname="linux" osversion="ver" unauthuser="user" unauthusersource="none" collectedemail="mail" mastersrcmac=02:02:02:02:02:02 srcmac=01:01:01:01:01:01
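The raw key=value log format on the slides above and the severity threshold from the Logging Severity Levels slide, as an added example that is not Fortinet code: a Python parser that handles quoted values containing spaces, a severity filter, and two checks a SOC analyst would run over the messages. Three of the four sample lines are the slide samples above (the DLP header and body fragments joined into one line); the fourth is constructed to show an administrator login from an address outside the trusted network. The trusted network and the alias table are this example's assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Added example, not Fortinet code: a parser for the key=value raw log format
# shown on the preceding slides, the severity threshold from the "Logging
# Severity Levels" slide, and two checks run over sample messages.

# Severity order as listed on the slide; FortiOS writes the Notification
# level as "notice" in the level= field, so that spelling is mapped too.
LEVELS = ["emergency", "alert", "critical", "error", "warning",
          "notification", "information", "debug"]
ALIASES = {"notice": "notification", "info": "information"}

# key=value pairs: the value is either "quoted, may contain spaces" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# ui=http(10.0.1.10) -> protocol and source address of an admin session
UI_RE = re.compile(r"^(\w+)\((\d{1,3}(?:\.\d{1,3}){3})\)$")


def parse_log(line: str) -> Dict[str, str]:
    """Split one raw log message into a field dict; quoted values are unquoted."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def severity_rank(level: str) -> int:
    return LEVELS.index(ALIASES.get(level, level))


def at_or_above(logs: List[Dict[str, str]], minimum: str) -> List[Dict[str, str]]:
    """Keep messages at or above the minimum severity, as the unit's threshold does."""
    limit = severity_rank(minimum)
    return [l for l in logs if severity_rank(l.get("level", "debug")) <= limit]


def admin_logins_from_untrusted(logs: List[Dict[str, str]],
                                trusted: List[str]) -> List[Tuple[str, str, str]]:
    """(user, protocol, source ip) for successful admin logins outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = []
    for l in logs:
        if (l.get("type"), l.get("action"), l.get("status")) != ("event", "login", "success"):
            continue
        m = UI_RE.match(l.get("ui", ""))
        if m and not any(ipaddress.ip_address(m.group(2)) in n for n in nets):
            hits.append((l.get("user", ""), m.group(1), m.group(2)))
    return hits


def utm_blocks(logs: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(subtype, source ip, msg) for UTM messages where the unit blocked something."""
    return [(l["subtype"], l.get("srcip", ""), l.get("msg", ""))
            for l in logs if l.get("type") == "utm" and l.get("action") == "block"]


# Sample messages: the first, third and fourth are the slide samples (the DLP
# header and body fragments joined into one line); the second is constructed
# to show a login from a non-trusted address.
SAMPLE = [
    'date=2012-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=http(10.0.1.10) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from http(10.0.1.10)"',
    'date=2012-09-10 time=13:05:12 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=https(203.0.113.5) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from https(203.0.113.5)"',
    'date=2012-11-13 time=11:17:56 logid=0000000009 type=traffic subtype=forward level=notice vd=root srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100',
    'date=2012-08-30 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp level=warning vd=root filteridx=0 srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 policyid=100 user="test user" group="test group" hostname="host" url="www.abcd.com" msg="Data Leak Prevention Testing Message" action=block severity=0 infection="carrier end point filter"',
]
```

The same parser works on lines received over syslog, which is where the remote monitoring lab sends them; note that a naive split on spaces would break the user="test user" and msg="..." fields, which is why the regex consumes quoted values whole.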
Alert Email
- Send a notification to an email address upon detection of a defined event
- Identify the SMTP server name
- Configure at least one DNS server
- Up to three recipients per mail server
SNMP
The FortiGate unit is the managed device; its SNMP agent, described by the Fortinet MIB, sends traps to the SNMP manager. To set up SNMP monitoring:
- Configure the FortiGate unit interface for SNMP access
- Compile and load the Fortinet-supplied MIBs into the SNMP manager
- Create SNMP communities to allow the connection from the FortiGate unit to the SNMP manager

Event Logging
Event Log

Monitor
- Monitor sub-menus are found in the GUI for all main function menus
- User-friendly display of monitored information
- View the activity of a specific feature being monitored, such as Firewall, VPN, Router, Wi-Fi, etc.
- UTM monitoring can be enabled via System > Admin > Settings
Monitor
Example: the UTM Security Profiles Monitor includes all UTM features
- AV Monitor: recent and top virus activity
- Web Monitor: top blocked FortiGuard categories
- Application Monitor: most used applications
Status Page Custom Widgets
- Many widgets can have their settings altered to display different information
- The same widget can be added multiple times to the same dashboard, showing different information

Labs
Lab 1: Status Monitor and Event Log
- Ex 1: Exploring the GUI Status Monitor
- Ex 2: Event Log and Logging Options
(OPTIONAL) Lab 2: Remote Monitoring
- Ex 1: Remote Syslog and SNMP Monitoring
Classroom Lab Topology
Module 3: Firewall Policies
Module Objectives
By the end of this module, participants will be able to:
- Identify the components used in a firewall policy
- Create firewall objects
- Create Address and Device Identity policies and manage the order of their processing
- Monitor traffic through policies
Firewall Policies
Firewall policies contain the instructions the FortiGate device uses to determine what to do with a connection request: the packet is analyzed, its content is compared to the policy, and the action is performed. A policy matches on:
- Incoming and outgoing interfaces
- Source and destination IP addresses
- Services
- Schedules
and applies an action (ACCEPT or DENY). With Action = ACCEPT the policy can additionally apply authentication, threat management, traffic shaping and logging.

Types of Policies
- Address: policy match based on IP addresses
- User Identity: policy match based on authentication information (user)
- Device Identity: policy match based on the device's OS
Firewall Actions
- Traffic matches a policy: the policy action (Accept or Deny) is applied
- Traffic does not match any policy: Deny

Firewall Policy Elements - Address Subtype
Firewall Policy Elements - User Identity Subtype

Firewall Policy Elements - Device Identity Subtype
- The OS/device identity is determined from packet behavior and details: MAC address (Forti-Device only), DHCP VCI, TCP SYN fingerprint, HTTP User-Agent
- Identification rules are updated with FortiGuard definitions
Device Identification (BYOD)
Device detection depends on it being enabled on the interface via the device-identification command (* marks the default):

    config system interface
        edit "port1"
            set device-identification {enable | disable*}
            set device-user-identification {enable* | disable}
        next
    end

Per-VDOM settings on what to detect: config system network-visibility. The global set of device types FortiOS detects is hardcoded.

Device Identification (BYOD)
Devices can be manually identified in the config:

    config user device
        edit <device name>
            set mac-address <mac address>
            set type <type name>
            set user <user name>
        next
    end

Once the device is created it can be added to a device group: config user device-group
Device Identification (BYOD)
Captive portal options:
- Device identification (default)
- Email collection (attach an email address to the device)
- FortiClient download (force FortiClient install)

Device Identification (BYOD)
Device-identify: identifies the device through the HTTP User-Agent
Device Identification (BYOD)
Email-collection: used in conjunction with the device type; the Collected Emails list associates a collected email address with the device.

    config system setting
        set email-portal-check-dns [enable|disable]
    end
Device Identification (BYOD)
Detected devices are listed under User & Devices > Device > Device in the GUI, or from the CLI:

    diag user device list

Device Identification (BYOD)
- Each device-identity policy entry may have one or more devices, device groups or device categories specified
- Three possible actions: Accept (the default), Deny, Captive portal
- UTM options are only available when the action is Accept
Firewall Address Objects
The FortiGate device compares the source and destination address in the packet to the policies on the device. The default ALL address is always available. Addresses in policies are configured with:
- A name for display in the policy list
- An IP address and mask, or an FQDN if desired (DNS is used to resolve it)
- Use Country to create addresses based on geographical location
- Create address groups to simplify administration

Firewall Interfaces
- Select the Incoming Interface to identify the interface or zone on which packets are received: an individual interface, or ANY to match all interfaces as the source
- Select the Outgoing Interface to identify the interface or zone to which packets are forwarded: an individual interface, or ANY to match all interfaces as the destination
Firewall Service Objects
The FortiGate unit compares the protocol and port in the packet to the Services in the firewall policy to determine the types of communication accepted or denied:
- The default ALL service is always available
- Select a Service from the predefined list on the FortiGate unit, or create a custom service
- A Web Proxy Service is also available if the Incoming Interface is set to web-proxy
- Group Services (and Web Proxy Service Groups) to simplify administration

Traffic Logging
- Accept: Log Allowed Traffic
- Deny: Log Violation Traffic
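The policy components, the first-match and implicit-deny behaviour, and the two logging options from the slides above, as an added example that is not Fortinet code: a Python matcher over an ordered policy table, plus a shadowing check that finds policies an earlier, broader policy makes unreachable (the "manage the order of their processing" objective). The policies and packets are constructed; using ID 0 for the implicit deny is this model's convention.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not Fortinet code: an ordered policy matcher that follows the
# rules on the preceding slides (interfaces, addresses, services, schedule,
# first match wins, implicit deny) plus a shadowing check for policy order.
# The policies and packets below are constructed; ID 0 for the implicit deny
# is this model's convention.

ANY = "any"     # interface wildcard
ALL = "all"     # address / service wildcard


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    srcip: str
    dstip: str
    proto: str
    dport: int


@dataclass
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: List[str]                # CIDR strings, or [ALL]
    dstaddr: List[str]
    service: List[Tuple[str, int]]    # (proto, port) pairs, or [(ALL, 0)]
    action: str                       # "accept" or "deny"
    schedule_active: bool = True      # result of evaluating the policy schedule
    log_allowed: bool = False         # Log Allowed Traffic
    log_violation: bool = False       # Log Violation Traffic


IMPLICIT_DENY = Policy(0, ANY, ANY, [ALL], [ALL], [(ALL, 0)], "deny", log_violation=True)


def _addr_match(addrs: List[str], ip: str) -> bool:
    if ALL in addrs:
        return True
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(n, strict=False) for n in addrs)


def _svc_match(services: List[Tuple[str, int]], proto: str, port: int) -> bool:
    return any(p == ALL or (p == proto and q == port) for p, q in services)


def matches(p: Policy, pkt: Packet) -> bool:
    return (p.schedule_active
            and p.srcintf in (ANY, pkt.srcintf) and p.dstintf in (ANY, pkt.dstintf)
            and _addr_match(p.srcaddr, pkt.srcip) and _addr_match(p.dstaddr, pkt.dstip)
            and _svc_match(p.service, pkt.proto, pkt.dport))


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[int, str, bool]:
    """(policyid, action, logged) for the first matching policy, else the implicit deny."""
    for p in policies + [IMPLICIT_DENY]:
        if matches(p, pkt):
            logged = p.log_allowed if p.action == "accept" else p.log_violation
            return p.policyid, p.action, logged
    raise AssertionError("the implicit deny matches everything")


def _covers_addrs(outer: List[str], inner: List[str]) -> bool:
    if ALL in outer:
        return True
    if ALL in inner:
        return False
    return all(any(ipaddress.ip_network(i, strict=False).subnet_of(ipaddress.ip_network(o, strict=False))
                   for o in outer) for i in inner)


def _covers_svcs(outer: List[Tuple[str, int]], inner: List[Tuple[str, int]]) -> bool:
    return any(p == ALL for p, _ in outer) or all(s in outer for s in inner)


def shadowed(policies: List[Policy]) -> List[int]:
    """IDs of policies that can never match because an earlier policy matches a superset."""
    result = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.schedule_active
                    and earlier.srcintf in (ANY, later.srcintf)
                    and earlier.dstintf in (ANY, later.dstintf)
                    and _covers_addrs(earlier.srcaddr, later.srcaddr)
                    and _covers_addrs(earlier.dstaddr, later.dstaddr)
                    and _covers_svcs(earlier.service, later.service)):
                result.append(later.policyid)
                break
    return result


# Constructed policy table, in processing order: policy 3 sits below a deny-all
# for the same interfaces and addresses, so it is never reached.
POLICIES = [
    Policy(1, "internal", "wan1", ["10.10.10.0/24"], [ALL], [("tcp", 80), ("tcp", 443)],
           "accept", log_allowed=True),
    Policy(2, "internal", "wan1", ["10.10.10.0/24"], [ALL], [(ALL, 0)], "deny", log_violation=True),
    Policy(3, "internal", "wan1", ["10.10.10.0/24"], [ALL], [("udp", 53)], "accept"),
]
```

shadowed() only reports a policy whose every match field is covered by one earlier policy; a policy hidden by the union of several earlier policies is not detected, which is the usual limit of this kind of check.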
Network Address Translation (Source NAT)
Firewall policy with NAT enabled; wan1 IP address: 200.200.200.200
Original packet (from internal): source 10.10.10.1:1025, destination 11.12.13.14:80
Translated packet (out wan1): source 200.200.200.200:30912, destination 11.12.13.14:80

NAT Dynamic IP Pool (Source NAT)
Firewall policy with NAT + IP pool enabled; wan1 IP address: 200.200.200.200; wan1 IP pool: 200.200.200.2-200.200.200.10
Original packet (from internal): source 10.10.10.1:1025, destination 11.12.13.14:80
Translated packet (out wan1): source 200.200.200.?:30957 (an address from the pool), destination 11.12.13.14:80
Central NAT Table
- Allows the creation of NAT rules and NAT mappings set up by the global firewall table
- Controls port translation instead of letting the system assign ports randomly
Traffic Shaping
Traffic shaping controls which policies have higher priority when large amounts of data are passing through the FortiGate unit (for example HTTP, FTP and IM flows competing for bandwidth): traffic bursts are normalized by prioritizing certain flows over others.

Source NAT IP Address and Port
The session table identifies the IP address and port with NAT applied.
Fixed Port (Source NAT)
Firewall policy with NAT + IP pool enabled + fixed port (CLI only); wan1 IP address: 200.200.200.200; wan1 IP pool: 200.200.200.201
Original packet (from internal): source 10.10.10.1:1025, destination 11.12.13.14:80
Translated packet (out wan1): source 200.200.200.201:1025, destination 11.12.13.14:80 (the source port is preserved)

Virtual IPs (Destination NAT)
Firewall policy with destination address = virtual IP + static NAT; wan1 IP address: 200.200.200.200
Inbound packet (from 11.12.13.14 on wan1): destination 200.200.200.222:80
The VIP translates the destination 200.200.200.222 -> 10.10.10.10 (server on the internal network)
Virtual IPs (Destination NAT)
Firewall policy with destination address = virtual IP + static NAT; wan1 IP address: 200.200.200.200
Inbound packet (from 11.12.13.14 on wan1): destination 200.200.200.200:80
The VIP translates the destination 200.200.200.200 -> 10.10.10.10; here the VIP uses the wan1 interface's own address as its external IP.
- Used to allow connections through a FortiGate using NAT firewall policies
- The FortiGate unit can respond to ARP requests on a network for a server that is installed on another network
- Used for (1) server redundancy and load balancing; (2) IPSec VPN site-to-site with identical subnets at both sites; etc.
- VIP Group: a group of Virtual IPs for ease of use
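The source NAT cases (interface IP, IP pool, fixed port) and the virtual IP case drawn on the slides above, as an added example that is not Fortinet code: a Python session-table model using the addresses from the diagrams. The port-allocation details (sequential ephemeral ports starting at the diagram's 30912, choosing a pool address by hashing the client address, and walking the pool when a fixed port collides) are this model's assumptions, not FortiOS internals.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not Fortinet code: a session-table model of the source NAT
# and virtual IP (destination NAT) cases drawn on the preceding slides. The
# port-allocation details (sequential ephemeral ports, choosing a pool address
# by hashing the client address, and walking the pool when a fixed port
# collides) are this model's assumptions, not FortiOS internals.

Endpoint = Tuple[str, int]          # (ip address, port)


def expand_pool(start: str, end: str) -> List[str]:
    """'200.200.200.2' .. '200.200.200.10' -> list of addresses (an IP pool)."""
    first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]


@dataclass
class SnatConfig:
    egress_ip: str                       # wan1 interface address
    pool: Optional[List[str]] = None     # IP pool; None = translate to the interface IP
    fixedport: bool = False              # keep the client's source port


class SessionTable:
    def __init__(self, first_port: int = 30912):
        self._next_port = first_port
        self.snat: Dict[Endpoint, Endpoint] = {}   # translated (ip, port) -> client (ip, port)
        self.vips: Dict[Endpoint, Endpoint] = {}   # (external ip, port) -> (mapped ip, port)

    def add_vip(self, extip: str, mappedip: str, port: int) -> None:
        self.vips[(extip, port)] = (mappedip, port)

    def source_nat(self, client: Endpoint, cfg: SnatConfig) -> Optional[Endpoint]:
        """Translate an outbound client (ip, port); None when no translation is free."""
        if cfg.pool is None:
            candidates = [cfg.egress_ip]
        elif cfg.fixedport:
            candidates = list(cfg.pool)          # try each pool address in turn
        else:
            candidates = [cfg.pool[int(ipaddress.ip_address(client[0])) % len(cfg.pool)]]
        for nat_ip in candidates:
            if cfg.fixedport:
                key = (nat_ip, client[1])        # source port preserved
            else:
                key = (nat_ip, self._next_port)
                self._next_port += 1
            if key in self.snat:
                continue                         # fixed-port collision: next address
            self.snat[key] = client
            return key
        return None

    def reverse(self, translated: Endpoint) -> Optional[Endpoint]:
        """Map a reply's destination (our translated address) back to the client."""
        return self.snat.get(translated)

    def dest_nat(self, dst: Endpoint) -> Endpoint:
        """Apply a VIP to inbound traffic; unchanged when no VIP matches."""
        return self.vips.get(dst, dst)
```

With fixed port and a one-address pool, two clients that choose the same source port cannot both be translated, which is why fixed port is normally paired with a pool large enough for the expected concurrency.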
Local-In Firewall Policies
- Policies designed for traffic that is addressed to the FortiGate unit itself: central management, update announcements, NetBIOS forward
- The destination address of firewall policies for local-in traffic is limited to the FortiGate interface IP and secondary IP addresses
- Local-in firewall policies can be created for IPv4 and IPv6 (CLI only)
Threat Management

Threat Management: Client Reputation
UTM Proxy Options - File Size
In a firewall policy with UTM enabled, the UTM proxy options set a threshold for oversized files and emails and an action (pass or block):
- The file size is checked against the preset thresholds
- If the file is larger than the threshold (Policy > UTM Proxy Options > Common Options > Block Oversized File/Email > Threshold) and the action is set to block, the file is rejected
- If the file is larger than the threshold and the action is set to allow, the uncompressed file must fit within the memory buffer; if it does not, by default no further scanning operations are performed
An oversized file that is passed may therefore reach the client unscanned; the pass/block choice should be made deliberately rather than left at the default.
Traffic Shapers
Traffic shapers apply Guaranteed Bandwidth and Maximum Bandwidth values to the addresses affected by a policy:
- Shared Traffic Shaper: the values are shared between all IP addresses affected by the policy
- Per-IP Traffic Shaper: the values are applied to each IP address affected by the policy

DoS Policies
- DoS policies identify network traffic that does not fit known or common patterns of behavior
- If the traffic is determined to be an attack, the action in the DoS sensor is taken
- DoS policies are applied before firewall policies; if traffic passes the DoS sensor, it continues to the firewall policies
Endpoint Control
Endpoint compliance checks, for example: is the endpoint up to date? Is disallowed software installed?

Firewall Object Usage
- Allows faster changes to settings
- The Reference column lets administrators determine where an object is being used and navigate directly to the appropriate edit page
Object Tagging
- Simplifies firewall policy object management; useful for administering multiple VDOMs
- Easier to find and access specific firewall policies within specific VDOMs
- Available for firewall policies, address objects, IPS predefined signatures and application entries/filters
- Objects can carry useful organizational information

Monitor
View policy usage by active sessions, bytes or packets: Policy > Monitor > Policy Monitor
Labs

- Lab 1: Firewall Policy
  - Ex 1: Creating Firewall Objects and Rules
  - Ex 2: Policy Action
  - Ex 3: Configuring Virtual IP Access
  - Ex 4: Configuring IP Pools
- (OPTIONAL) Lab 2: Traffic Log
  - Ex 1: Enabling Traffic Logging
  - Ex 2: Device Policies

Classroom Lab Topology

[Figure: classroom lab topology diagram]
1 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C
Module 4: Local User Authentication

Module Objectives

By the end of this module participants will be able to:
- Describe the authentication mechanisms available through the FortiGate device
- Create local users and user groups
- Create identity-based policies to enable local user authentication
- Monitor active users
- Check authentication log entries
Authentication

[Figure: user and host identity checked at the FortiGate unit]

- The identity of users and host computers must be established to ensure that only authorized parties can access the network
- The FortiGate unit provides network access control and applies authentication to users of firewall policies and VPN clients
Local User Authentication

- Local user authentication is based on usernames and passwords stored locally on the FortiGate unit
- An administrator creates local user accounts on the FortiGate device; for each account, a user name and password is stored
- Two-factor authentication can be enabled on a per-user basis
User Authentication via Remote Server

- The FortiGate unit must be configured to access the external servers used to authenticate the users
- Administrators can create an account for the user locally and specify the server that verifies the password, or
- Administrators can add the authentication server to a user group; all users on that server become members of the group
User Authentication via Remote Server

[Figure: remote users authenticated against LDAP directory services, RADIUS, TACACS+ or digital certificates]
User Groups

[Figure: Firewall user group, Directory Service user group and Guest user group, with example members "Paris Visitors" and "Active Directory"]

- User groups are assigned one of four group types: Firewall, Fortinet Single Sign-On (FSSO), Guest and RADIUS Single Sign-On (RSSO)
- Firewall user groups provide access to firewall policies that require authentication
- Directory Service (FSSO) user groups are used to allow single sign-on for Active Directory or Novell eDirectory users
Identity-Based Policies

[Figure: policy with Enable Identity Based Policy set; each authentication rule specifies User/Group, Services, Schedules, Logging, Threat management and Traffic Shaping]

- Identity-based policies are enabled to require firewall authentication
- Authentication rules identify the users and user groups that will be forced to authenticate
- A rule also defines other aspects of the authenticated session, including services, schedules, UTM, logging and traffic shaping
Disclaimers

[Figure: policy with Enable Disclaimer set]

- Displays the Disclaimer Agreement page before the user authenticates
- The user must accept the disclaimer to proceed with the authentication process
- Once authenticated, the user is redirected to the original destination
Authentication Timeout

- Timeout values specify how long an authenticated connection can be idle before the user must authenticate again
- User Authentication Timeout controls the firewall authentication timer; the default value is 5 minutes
- SSL VPN Idle Timeout controls the SSL VPN user authentication timer; the default value is 300 seconds (5 minutes)
Password Policy

- Minimum Length: 8 to 64 characters
- Must Contain: uppercase letters, lowercase letters, numerical digits, non-alphanumeric characters
- Password Expiration: X days
- Apply to: Administrators, IPSec Preshared Key

Set a password policy to enforce higher standards for both the length and complexity of passwords. The policy can be applied to administrator passwords and to IPSec VPN preshared keys.
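The rules above are simple to state but easy to get subtly wrong (for example, treating only punctuation as "non-alphanumeric"). The following is an added example, not FortiOS code: a checker that applies the same four rule types, with a minimum length bounded to 8..64 and an expiration in days. The class and rule names are this example's own, and the sample passwords and dates are constructed.

```python
"""Added example (not FortiOS code): a checker that applies the rules a
FortiGate password policy can enforce: minimum length of 8 to 64
characters, required character classes, and expiration after a number of
days. The class and rule names are this example's own; the sample
passwords and dates are constructed."""
from datetime import date, timedelta


class PasswordPolicy:
    def __init__(self, min_length=8, upper=True, lower=True, digit=True,
                 non_alnum=True, expire_days=90):
        if not 8 <= min_length <= 64:
            raise ValueError("minimum length must be between 8 and 64")
        self.min_length = min_length
        # rule name -> predicate on a single character (False disables the rule)
        self.required = {
            "uppercase letter": upper and str.isupper,
            "lowercase letter": lower and str.islower,
            "numerical digit": digit and str.isdigit,
            "non-alphanumeric character": non_alnum and (lambda c: not c.isalnum()),
        }
        self.expire_days = expire_days

    def violations(self, password):
        """Return the list of rules the password breaks; an empty list means compliant."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        for name, test in self.required.items():
            if test and not any(test(c) for c in password):
                problems.append(f"no {name}")
        return problems

    def is_expired(self, set_on, today):
        """Expiration after expire_days (0 means never); dates as ISO strings or date objects."""
        set_on, today = (date.fromisoformat(d) if isinstance(d, str) else d
                         for d in (set_on, today))
        return self.expire_days > 0 and today - set_on > timedelta(days=self.expire_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for pw in ("password", "Tr0ub4dor&3", "Ab1!"):
        print(repr(pw), policy.violations(pw) or "ok")
    print(policy.is_expired("2013-01-01", "2013-06-01"))
```

Returning every violated rule rather than the first one lets the administrator page show the user everything that must change at once; the non-alphanumeric test uses `not c.isalnum()` so that spaces and symbols outside ASCII punctuation also count.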
Two-Factor Authentication

A one-time password can be delivered to the user through various methods:
- FortiToken: every 60 seconds the token generates a 6-digit code based on its unique serial number, seed and GMT time
- Email: the one-time password is sent to the user's configured email address after successful password authentication
- SMS phone message: the one-time password is sent through email to the user's SMS provider; the email address pattern varies by provider
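A time-based token of the kind described for FortiToken (a 6-digit code that changes every 60 seconds from a secret seed and the current time) is what RFC 6238 TOTP specifies. The following is an added example, not FortiToken firmware, of that construction with a 60-second step; whether a FortiToken's own seed handling matches it exactly is not stated on the page, and the seed used here is the RFC 6238 test seed so the output can be checked.

```python
"""Added example (not FortiToken firmware): a one-time code generated the
way RFC 6238 TOTP does it, with the 60-second time step and 6-digit output
the slide describes for FortiToken. Whether a FortiToken's own seed
derivation matches this exactly is not stated on the page; the seed used
here is the RFC 6238 test seed, chosen so the output can be checked."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60
DIGITS = 6
# Constructed: the RFC 6238 reference seed (ASCII "12345678901234567890"), not a real token seed.
SEED = b"12345678901234567890"


def totp(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """HOTP over the time counter floor(unix_time / step), per RFC 4226 / RFC 6238."""
    counter = int(unix_time) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify(seed, candidate, unix_time, drift_steps=1):
    """Accept the current step plus/minus drift_steps to tolerate clock skew.
    compare_digest keeps the comparison constant-time."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + k * STEP_SECONDS), candidate)
        for k in range(-drift_steps, drift_steps + 1)
    )


if __name__ == "__main__":
    now = time.time()
    code = totp(SEED, now)
    print("code:", code, "verifies:", verify(SEED, code, now))
```

Two practical consequences follow from the construction: the verifier needs an accurate clock (the slide's "GMT time"), and because the seed alone reproduces every code, the seed must be stored and transported with the same care as a password database.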
Two-Factor Authentication

[Screenshot: two-factor authentication settings on a local user]

Policy Configuration

[Screenshot: identity-based policy configuration]
User Monitor

- Displays logged-in users, their groups, the policy ID in use, time left before the inactivity timeout, IP address, the amount of traffic sent by the user, and the authentication method
- Also used to terminate authentication sessions
Labs

- Lab 1: User Authentication
  - Ex 1: Identity-based Firewall Policy
Classroom Lab Topology

[Figure: classroom lab topology diagram]
Module 5: SSL VPN
Module Objectives

By the end of this module participants will be able to:
- Identify the VPN technologies available on the FortiGate device
- Configure the SSL VPN operating modes
- Define user restrictions
- Set up SSL VPN portals
- Configure firewall policies and authentication rules for SSL VPNs
Virtual Private Networks (VPN)

- A secure tunnel over an insecure network
- Used when there is a need to transmit private data over a public network
- PC-based client VPNs are suitable for use when traveling
FortiGate VPN

SSL VPN
- Typically used to secure web transactions
- An HTTPS link is created to securely transmit application data between client and server
- The client signs on through a secure web page (the SSL VPN portal) on the FortiGate device

IPSec VPN
- Well suited for network-based legacy applications
- A secure tunnel is created between two host devices
- IPSec VPN can be configured between a FortiGate unit and most third-party IPSec VPN devices or clients
SSL VPN Web-Only Mode

1. Remote user connects to the SSL VPN portal (HTTPS web site)
2. Tunnel created
3. User authentication
4. Portal web page presented
5. User clicks a bookmark to access a resource
SSL VPN Tunnel Mode

1. Remote user connects to the SSL VPN portal (HTTPS web site)
2. Tunnel created
3. Authenticate
4. Portal web page presented
5. Access resources
User Groups

- Web mode and tunnel mode both require a firewall policy for authentication
- Tunnel mode requires additional policies to allow internal network access
- The mode(s) a user has access to is determined by the authentication policy, which also determines the portal page users are presented with
Authentication

- Username and password (one factor)
- Username and password + FortiToken (two factor)
SSL VPN Server Certificate

- The certificate is presented to the client initiating the SSL VPN session
- The FortiGate device uses a self-signed certificate by default
- Use a server certificate issued by a trusted Certificate Authority to avoid web browser security warnings; leaving the self-signed certificate in place also teaches users to click through warnings, which is what an attacker impersonating the portal relies on
Encryption Key Algorithm

- Level of encryption used for SSL VPN connections: High, Default, Low
- The default setting accepts RC4 (128 bits) and stronger ciphers
- If set to High, SSL VPN connections from clients that cannot meet this standard will fail
- Caveat: RC4 has since been prohibited for TLS (RFC 7465); on current deployments use the High setting and verify which ciphers the client population supports before enforcing it
Web Portal Interface

- Web page displayed when the client logs into the SSL VPN
- Includes widgets to access functionality on the portal (such as bookmarks and connection tools)
- Software download option for tunnel mode
- The default SSL VPN web portal page is accessible at: https://
Full-Access Web Portal Interface

[Screenshot: full-access web portal]
Tunnel Mode Split-Tunneling

- Only traffic destined for the tunnel IP range network is routed over the SSL VPN; everything else leaves the client directly
- If access to another inside network is desired, the client needs a static route for that network pointing at its own SSL VPN interface
- The associated firewall policies must also exist
Client Integrity Checking

- The SSL VPN gateway checks the client system
- Detects client protection applications (for example, antivirus and personal firewall)
- Determines the state of those applications (active/inactive, current version number and signature updates)
- Comparable frameworks include Cisco Network Admission Control (NAC), Microsoft Network Access Protection (NAP) and the Trusted Computing Group's (TCG) Trusted Network Connect
Client Host Checking

- Relies on external vendors to ensure client integrity (not implemented by all SSL VPN vendors)
- Requires administrators to determine the appropriate version/signature versions and policy
- Easily outdated, which limits the protection provided
- Checks whether the required software is installed on the connecting PC; otherwise the connection is refused
- CLI only:

    config vpn ssl web portal
        edit <portal name>
            set host-check [av|av-fw|custom|fw]
            set host-check-interval <seconds>
        next
    end
SSL VPN Tunnel Mode Connection

- A new network connection called fortissl is created on the client, and it obtains a virtual IP address
- This virtual adapter becomes the preferred default route if split tunneling is disabled
- The web portal page displays the status of the SSL VPN client ActiveX control
- The portal web page must remain open for the tunnel to function
SSL VPN Client Port Forward

- Port Forward mode extends the applications supported by Web Application mode
- Application types (some examples):
  - PortForward: generic port-forward application
  - Citrix: Citrix server web interface access
  - RDPNative: Microsoft Windows native RDP client over port forward
  - etc.
SSL-VPN Policy De-Authentication

- The firewall policy authentication session is associated with the SSL VPN tunnel session
- Forces expiration of the firewall policy authentication session when the associated SSL VPN tunnel session is ended by the user
- Prevents reuse of authenticated (not yet expired) SSL VPN firewall policies by a different user after the initial user terminates their SSL VPN tunnel session
SSL VPN Access Modes

Web Mode
- No client software required (web browser only)
- Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
- Java applets for RDP, VNC, TELNET, SSH

Tunnel Mode
- Uses a FortiGate-specific client downloaded to the PC (ActiveX or Java applet)
- Requires admin/root privilege to install the layer-3 tunnel adaptor

Port Forward Mode
- A Java applet works as a local proxy to intercept specific TCP port traffic and encrypt it in SSL
- Downloaded to the client PC and installed without admin/root privileges
- The client application must point to the Java applet
Configuration

- Step 1: Configure the settings (IP pool, certificate, port): VPN > SSL > Config
- Step 2: Configure your portals for user access (web or tunnel mode access, bookmarks): VPN > SSL > Portal
- Step 3: Decide whether to use split tunneling (in the portal configuration)
- Step 4: Set up the firewall VPN policy for access
Configuration

[Screenshot: SSL VPN configuration pages]

Labs

- Lab 1: SSL VPN
  - Ex 1: Configuring SSL VPN for Web Access
  - Ex 2: Configuring SSL VPN for Tunnel Mode
Classroom Lab Topology

[Figure: classroom lab topology diagram]

Module 6: IPSec VPN
Module Objectives

By the end of this module participants will be able to:
- Define the architectural components of IPSec VPN
- Define the protocols used as part of an IPSec VPN
- Identify the phases of Internet Key Exchange (IKE)
- Identify the FortiGate unit IPSec VPN modes
- Configure IPSec VPN on the FortiGate unit
IPSec VPN

[Figure: private network over IPSec - sender authenticated, data confidential, data has integrity]
IPSec VPN

- IPSec is a set of standard protocols and services used to encrypt data so that it cannot be read or tampered with as it travels across a network
- Provides: authentication of the sender, confidentiality of data, and proof that data has not been tampered with
IPSec VPN

- IPSec VPN operates at the network layer (layer 3); encryption occurs transparently to the upper layers, so applications do not need to be designed to use IPSec
- IPSec can protect upper-layer protocols (such as TCP), but the complexity and overhead of the exchange is increased; for example, IPSec cannot depend on TCP to manage reliability and fragmentation
Internet Key Exchange

- Internet Key Exchange (IKE) allows the parties involved in a transaction to set up their Security Associations
- Phase 1 authenticates the parties involved and sets up a secure channel to enable the key exchange
- Phase 2 negotiates the IPSec parameters that define an IPSec tunnel
Phase 1

IKE Phase 1 performs the following:
- Authenticates and protects the parties involved in the IPSec transaction; can use pre-shared keys or digital certificates
- Negotiates a matching SA policy between the peers to protect the exchange
- Performs a Diffie-Hellman exchange; the keys derived from this exchange are used in Phase 2
- Sets up a secure channel to negotiate the Phase 2 parameters
Defining Phase 1 Parameters

[Screenshot: Phase 1 settings]

KB IDs: 11657, 13574
Phase 2

IKE Phase 2 performs the following:
- Negotiates the IPSec SA parameters, protected by the existing IKE SA
- Renegotiates IPSec SAs regularly to ensure security
- Optionally, an additional Diffie-Hellman exchange may be performed (Perfect Forward Secrecy)
Defining Phase 2 Parameters

[Screenshot: Phase 2 settings]
Interface Mode

- Creates a virtual IPSec network interface that applies encryption or decryption as needed to any traffic it carries; also known as route-based
- Create two firewall policies between the virtual IPSec interface and the interface that connects to the private network; the firewall policy action is ACCEPT
- Needs static routes over the VPN tunnels
- Required if dynamic routing, GRE over IPSec or altering of the incoming subnet is needed
Tunnel Mode

- Easy to configure: a single internal-to-external firewall policy supports bi-directional traffic
- Policy action is IPSec, with the Phase 1 tunnel selected
- IPSec policies should be located first in your policy list: tunnel mode is vulnerable to errors in quick mode (Phase 2) selectors or in policies, and the order of policies is very important
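Why the order matters is worth seeing explicitly: a first-match policy table with a broad NAT ACCEPT policy above the IPSec policy sends the branch traffic out in the clear, while a route-based (interface mode) policy is selected by the routing table and is not exposed to that mistake. The following is an added example, not FortiOS code; the policies, routes and addresses are constructed for it.

```python
"""Added example (not FortiOS code): a first-match policy table that shows
why a policy-based (tunnel mode) IPSec policy must sit above a broader
ACCEPT policy on the same interface pair, and why an interface mode
(route-based) policy does not depend on that order: its traffic is
selected by the routing table, not by the policy list. Policies, routes
and addresses below are constructed for the example."""
import ipaddress


def _contains(addr, ip):
    return addr == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(addr)


def route(routes, dst_ip):
    """Longest-prefix match over {prefix: egress interface}."""
    ip = ipaddress.ip_address(dst_ip)
    best = max((ipaddress.ip_network(p) for p in routes if ip in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return routes[str(best)]


def first_match(policies, src_if, dst_if, src_ip, dst_ip):
    """Top-down: the first policy whose interfaces and addresses match wins."""
    for p in policies:
        if (p["srcintf"], p["dstintf"]) == (src_if, dst_if) \
                and _contains(p["srcaddr"], src_ip) and _contains(p["dstaddr"], dst_ip):
            return p
    return None


def policy_for(policies, routes, src_ip, dst_ip, src_if="internal"):
    """Route lookup picks the egress interface, then the policy list is searched."""
    return first_match(policies, src_if, route(routes, dst_ip), src_ip, dst_ip)


# Tunnel (policy-based) mode: the VPN policy is action ipsec on internal -> wan1.
NAT_POLICY = {"id": 1, "srcintf": "internal", "dstintf": "wan1",
              "srcaddr": "all", "dstaddr": "all", "action": "accept", "nat": True}
VPN_POLICY = {"id": 2, "srcintf": "internal", "dstintf": "wan1",
              "srcaddr": "10.1.0.0/24", "dstaddr": "10.2.0.0/24",
              "action": "ipsec", "vpntunnel": "to-branch"}
TUNNEL_MODE_ROUTES = {"0.0.0.0/0": "wan1"}

# Interface (route-based) mode: the tunnel is an interface with its own static route.
IF_POLICY = {"id": 3, "srcintf": "internal", "dstintf": "to-branch",
             "srcaddr": "10.1.0.0/24", "dstaddr": "10.2.0.0/24", "action": "accept"}
INTERFACE_MODE_ROUTES = {"10.2.0.0/24": "to-branch", "0.0.0.0/0": "wan1"}

if __name__ == "__main__":
    src, dst = "10.1.0.5", "10.2.0.9"
    for label, policies, routes in (
        ("tunnel mode, VPN policy first", [VPN_POLICY, NAT_POLICY], TUNNEL_MODE_ROUTES),
        ("tunnel mode, NAT policy first", [NAT_POLICY, VPN_POLICY], TUNNEL_MODE_ROUTES),
        ("interface mode, NAT policy first", [NAT_POLICY, IF_POLICY], INTERFACE_MODE_ROUTES),
    ):
        print(f"{label}: policy id {policy_for(policies, routes, src, dst)['id']}")
```

In the second case the branch traffic matches policy 1 and is NATed onto the Internet unencrypted, and nothing in the configuration reports an error; that silent failure is the reason the slide puts IPSec policies first.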
Tunnel Versus Interface Mode

Tunnel Mode
- Less configuration involved
- Dependent on policy order for proper operation
- Less granular

Interface Mode
- Required for GRE over IPSec
- Required if manipulation of packet source IPs is necessary
- Required to have the FortiGate unit participate in dynamic routing communication over the IPSec connection
- More control
Overlapping Subnets

- Site-to-site route-based VPN configurations sometimes experience a problem where the private subnet addresses at each end of the connection are the same
- Use NAT with an IP pool: after the tunnel is established, hosts on each side communicate with hosts on the other side using the mapped IP addresses
- Interface mode can NAT both the incoming and outgoing traffic; tunnel mode can only NAT outgoing traffic
IPSec Topologies (Site-to-Site)

[Figure: site-to-site tunnel between Headquarters and Branch office]
IPSec VPN Monitor

- Monitor activity on IPSec VPN tunnels
- Stop and start tunnels
- Display address, proxy IDs and timeout information
- A green arrow indicates that the negotiations were successful and the tunnel is UP
- A red arrow means the tunnel is DOWN or not in use
IPSec VPN Monitor

[Screenshot: IPSec monitor page]

Configuration

- Step 1: Configure Phase 1: choose the interface to listen for connections, the remote location and the advanced options (DH group, XAUTH, ...)
- Step 2: Configure Phase 2: multiple Phase 2s are possible on a single Phase 1 tunnel
- Step 3: Create the firewall VPN policy(s): more than one policy may be needed to allow all the access required
Configuration

[Screenshot: IPSec VPN configuration pages]

Labs

- Lab 1: IPSec VPN
  - Ex 1: Site to Site IPSec VPN
Classroom Lab Topology

[Figure: classroom lab topology diagram]

Module 7: Antivirus
Module Objectives

By the end of this module participants will be able to:
- Describe conserve mode conditions and AV system behavior
- Define the virus scanning techniques used on the FortiGate unit
- Identify the differences between file-based and flow-based virus scanning
- Configure quarantine options
- Define firewall policies using antivirus profiles
- Update FortiGuard Services
Conserve Mode

- What is conserve mode? A system self-protection measure when facing local resource exhaustion
- When entering conserve mode the FortiGate unit activates protection measures in order to recover memory space
- Once enough memory is recovered, the system leaves the conserve mode state and releases the protection measures
- Two types: regular and kernel
- Search "conserve mode" at http://kb.fortinet.com; KB Article IDs: FD33103, 11076, 10209
Conserve Mode

- Regular conserve mode is the depletion of shared memory, which is used mainly by proxies (to store buffered data) but also by buffers (logging, quarantining)
- Impact (configurable): established sessions remain unchanged; new sessions are not inspected
- The fail-open action applies to both stream-based and proxy-based inspection
AV Fail-Open

- There are currently two conditions that can cause the FortiGate unit to operate in AV fail-open mode: the system is low on memory and has entered conserve mode, or the individual proxy pool is full (no free connections are available)
- With the first condition, low memory, the av-failopen setting is applied; the default for this setting is pass, meaning new sessions are passed without inspection
AV Fail-Open

- The system enters conserve mode when the amount of free shared memory is less than approximately 20%
- It goes back to non-conserve mode when this value increases to approximately 30%
- The log entry details the actual amount of memory

    config system global
        set av-failopen {idledrop | off | one-shot | pass}
    end

- idledrop: drop idle connections
- off: fail-open disabled
- one-shot: one-shot fail-open
- pass: pass traffic uninspected
AV Fail-Open

- The second condition occurs when an individual proxy pool is full; its handling depends on the av-failopen-session setting (default: disable)
- If av-failopen-session is enabled and the number of free connections in the proxy connection pool reaches zero, the protocol reverts to the av-failopen setting
- If av-failopen-session is disabled and the limit is reached, all new sessions for that proxy are blocked
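The three fail-open slides describe a small decision table with a hysteresis on memory. The following is an added example, not FortiOS code, that models it: the approximate 20%/30% thresholds and the av-failopen and av-failopen-session settings come from the slides, the per-session decisions are this example's reading of them, and only the pass and off meanings are modelled (one-shot and idledrop are returned as labels).

```python
"""Added example (not FortiOS code): a model of the two AV fail-open
triggers on these slides. The thresholds (enter conserve mode below about
20% free shared memory, leave above about 30%) and the av-failopen and
av-failopen-session settings come from the slides; the per-session
decision table is this example's reading of them, and the pass/off
meanings are the ones the slides give. one-shot and idledrop are returned
as labels only."""


class AvProxy:
    def __init__(self, av_failopen="pass", av_failopen_session=False,
                 pool_size=4, enter_pct=20, leave_pct=30):
        if av_failopen not in ("pass", "off", "one-shot", "idledrop"):
            raise ValueError(av_failopen)
        self.av_failopen = av_failopen
        self.av_failopen_session = av_failopen_session
        self.pool_size = pool_size
        self.enter_pct, self.leave_pct = enter_pct, leave_pct
        self.conserve = False
        self.active = 0

    def update_memory(self, free_pct):
        """Hysteresis: enter conserve mode below enter_pct, leave it only above leave_pct."""
        if not self.conserve and free_pct < self.enter_pct:
            self.conserve = True
        elif self.conserve and free_pct > self.leave_pct:
            self.conserve = False
        return self.conserve

    def _failopen_action(self):
        # pass: the new session is forwarded uninspected; off: the new session is blocked.
        return {"pass": "pass-uninspected", "off": "block",
                "one-shot": "one-shot", "idledrop": "idledrop"}[self.av_failopen]

    def new_session(self):
        """Decide what happens to a new proxied session; 'scan' means normal inspection."""
        if self.conserve:                           # condition 1: low memory
            return self._failopen_action()
        if self.active >= self.pool_size:           # condition 2: proxy pool full
            return self._failopen_action() if self.av_failopen_session else "block"
        self.active += 1
        return "scan"

    def end_session(self):
        self.active = max(0, self.active - 1)


def run_sessions(av_failopen, av_failopen_session, pool_size, free_pct, n):
    """Build a proxy, feed it one memory reading, open n sessions, return the decisions."""
    proxy = AvProxy(av_failopen, av_failopen_session, pool_size)
    proxy.update_memory(free_pct)
    return [proxy.new_session() for _ in range(n)]


def memory_trace(readings, **kw):
    """Conserve-mode state after each successive free-memory percentage."""
    proxy = AvProxy(**kw)
    return [proxy.update_memory(pct) for pct in readings]


if __name__ == "__main__":
    print(run_sessions("pass", False, 2, 50, 3))    # pool of 2: scan, scan, block
    print(run_sessions("pass", False, 4, 15, 1))    # low memory, default pass
    print(memory_trace([25, 15, 25, 35, 19]))       # hysteresis between 20% and 30%
```

The default of pass is a fail-open: under memory pressure new sessions are forwarded without scanning, so a conserve-mode log entry should be treated as a detection gap, not only as a capacity alarm; set av-failopen to off where blocking is preferable to uninspected traffic.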
Antivirus

- Detect and eliminate viruses, worms, Trojans and spyware in real time
- Stop threats before they enter the network
- Scans HTTP and FTP traffic as well as incoming and outgoing SMTP, POP3 and IMAP email
- Internet Content Adaptation Protocol (ICAP) support: the FortiGate unit acts as an ICAP client to communicate with ICAP servers, which the FortiGate unit can use to offload AV scanning
- First enable ICAP in Admin Settings, then configure it under UTM Security Profiles > ICAP
Antivirus Scanning Order

[Figure: scanning order]
1. File size
2. File name pattern (for example .jpg)
3. File type
4. Virus scan
5. Grayware
6. Heuristics
Proxy-Based Scanning

- The antivirus proxy buffers the file as it arrives
- Once transmission is complete, the virus scanner examines the whole file
- Higher detection and accuracy rate
- Client comforting can be used to avoid client timeouts while the file is buffered
Flow-Based Scanning

- The file is scanned on a packet-by-packet basis as it passes through the FortiGate unit (non-proxy scanning)
- Faster scanning, but a lower accuracy rate: difficulty in catching virus variants
- Only available on certain models
Virus Scanning

[Figure: selectable virus databases - Regular, Extended, Extreme, Flow-based]
Unknown Viruses

- Sometimes a virus may go undetected because it is not in the signature database
- To submit a virus go to: http://www.fortiguard.com/antivirus/virus_scanner.html
Known Virus

- Sometimes viruses get through because the proper antivirus scan options are not enabled
- The FortiGuard Subscription Service contains information on which database a virus is in
Heuristics Scanning

[Figure: virus-like attribute + virus-like attribute + virus-like attribute > heuristic threshold = suspicious]

- The FortiGate unit tests for virus-like behavior
- Virus-like attributes are totaled and, if the total is greater than a threshold, the file is marked as suspicious
- Use a CLI command to block suspicious files
- Possibility of false positives
Antivirus Profiles

[Screenshot: antivirus profile]

UTM Proxy Options

[Screenshot: proxy options]

Quarantine

[Figure: quarantine to the local hard drive or to a FortiAnalyzer unit]

- Infected, blocked or suspicious files can be quarantined to the hard drive on the FortiGate unit or to a FortiAnalyzer device
- Files are quarantined based on their protocol
- Information regarding quarantined files is displayed in the logs
Logs

[Screenshot: antivirus log entries]

Labs

- Lab 1: Antivirus Scanning
  - Ex 1: Antivirus Testing

Classroom Lab Topology

[Figure: classroom lab topology diagram]
Module 8: Email Filtering

Module Objectives

By the end of this module participants will be able to:
- Identify the email filtering methods used on the FortiGate device
- Configure banned word, IP address and email address filters
- Define firewall policies using email filter profiles
- Identify the differences between the email filtering capabilities of the FortiGate and FortiMail units
Email Filtering

[Figure: email filtering - is this message SPAM?]

- The FortiGate unit can detect and manage spam email
Spam Actions

[Figure: Tag changes "Subject: Free Stuff" to "Subject: [SPAM] Free Stuff"; Discard drops the message]

- Tag: add a custom phrase/word to the subject line, or a MIME header and value to the message, for use in back-end or client filtering
- Discard: immediately drop the SMTP connection if spam is detected
Email Filtering Methods

- The FortiGate unit uses a number of techniques to help detect spam
- Some use the FortiGuard Antispam service and require a subscription
- Others use DNS servers or filters created on the device: heuristic checks and manually configured options

Email Filtering Order (SMTP)

1. IP BWL check
2. DNSBL & ORDBL check
3. FortiGuard IP check
4. HELO DNS lookup
5. MIME header check
6. Email BWL check
7. IP BWL check (Received header)
8. Banned word check (on subject)
9. Return email DNS check
10. FortiGuard URL check
11. FortiGuard checksum check
12. DNSBL & ORDBL check (Received header)
13. Banned word check (on body)
Email Filtering Order (POP3 and IMAP)

1. MIME header check
2. Email BWL check
3. Banned word check (on subject)
4. IP BWL check
5. Banned word check (on body)
6. Return email DNS check
7. FortiGuard IP check
8. FortiGuard URL check
9. FortiGuard checksum check
10. DNSBL & ORDBL check
FortiGuard IP Address Check

- The connecting IP address is checked against FortiGuard, a reputation database
- IP behavior is tracked: the more queries the FortiGuard network receives about an IP's activity, the worse its reputation
- IPs have a score from 1 to 9: 1 is permanently black listed, 9 is permanently white listed (Fortinet server IPs only), and a score of less than 3 is considered spam
FortiGuard URL and Email Address Check

- URLs and email addresses found in the message body are checked against FortiGuard; sample text: "Visit our web site at www.acme.com to learn more about this great offer or send an email to [email protected]."
- What language or character set is the email in? See KB Article ID: FD32502
FortiGuard Email Checksum Check

[Figure: a message such as "Our online pharmacy offers great prices on all your prescription medications." is hashed]

- The FortiGate unit sends a hash of the email message to the FortiGuard Antispam Service
- The FortiGuard Antispam Service compares the hash received to hashes of known spam messages
IP Address Black/White List (BWL)

- The FortiGate unit compares the IP address of the sender of an email message to the IP addresses specified in the email filter profile
- An administrator can add to or edit the IP addresses and configure the action to take
- Possible actions on a match: Spam (use the spam action), Clear (consider not spam), Reject (SMTP only)
Email Address Black/White List (BWL)

[Figure: "From: [email protected]" matched against the list and marked as Clear or as Spam]

- The FortiGate unit compares the email address of the sender of an email message to the email addresses specified in the email filter profile
- An administrator can add to or edit the email addresses and configure the action to take
- Wildcards and regular expressions can be used to define the email address
HELO DNS Lookup

[Figure: DNS lookup of the HELO name taken from a header such as]
Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2012 02:27:02 -0000
HELO DNS Lookup

- Performs an A record lookup of the SMTP HELO name to confirm it resolves to an IP address; the domain given in the HELO should resolve to an IP
- Does NOT perform any kind of comparison to the sender's IP, so a sender who presents any resolvable name passes this check
Return Email DNS Check

- Confirms that the sending email domain from the reply-to field resolves to an IP address; the domain that replies would be sent to should resolve to an IP
- Does NOT perform any kind of comparison to the sender's IP
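The IP BWL, HELO DNS, email BWL and return email DNS checks above are applied in the SMTP order given earlier, and the first check that reaches a verdict ends the evaluation. The following is an added example, not FortiOS code, of that part of the pipeline; the lists, DNS zone data and messages are constructed so it runs offline, and the two DNS checks deliberately never compare the resolved address with the connecting client's IP, which is the limitation the slides call out.

```python
"""Added example (not FortiOS code): the sender-side part of the SMTP
filter order from the earlier slides, run as a first-decisive-result
pipeline: IP black/white list, HELO DNS lookup, email address black/white
list (wildcards and regular expressions), then the return email DNS
check. Verdicts are spam, clear and reject, as on the IP BWL slide. DNS
answers come from a constructed table so the example runs offline.
Lists, zone data and messages are all constructed for the example."""
import fnmatch
import ipaddress
import re

# Constructed zone data: names that "resolve" to an A record.
DNS_A = {"mail.acme.com": "10.10.10.1", "acme.com": "10.10.10.2", "spam.example": "203.0.113.50"}

# (network, action) and (pattern, action); the 're:' prefix marks a regular expression.
IP_BWL = [("192.0.2.0/24", "reject"), ("10.10.10.0/24", "clear")]
EMAIL_BWL = [("*@spam.example", "spam"), ("re:-noreply@", "spam"), ("alice@acme.com", "clear")]


def resolves(name):
    return name.lower().rstrip(".") in DNS_A


def ip_bwl(msg):
    ip = ipaddress.ip_address(msg["client_ip"])
    for net, action in IP_BWL:
        if ip in ipaddress.ip_network(net):
            return action
    return None


def helo_dns(msg):
    # Only checks that the HELO name resolves; the answer is never compared with client_ip.
    return None if resolves(msg["helo"]) else "spam"


def email_bwl(msg):
    sender = msg["from"].lower()
    for pattern, action in EMAIL_BWL:
        if pattern.startswith("re:"):
            if re.search(pattern[3:], sender):
                return action
        elif fnmatch.fnmatchcase(sender, pattern.lower()):
            return action
    return None


def return_email_dns(msg):
    # The return address domain must resolve; again no comparison with client_ip.
    return None if resolves(msg["from"].rsplit("@", 1)[-1]) else "spam"


SMTP_CHECKS = [ip_bwl, helo_dns, email_bwl, return_email_dns]


def classify(msg, checks=SMTP_CHECKS):
    """Run the checks in slide order; the first verdict ends the evaluation.
    Returns (verdict, name of the deciding check)."""
    for check in checks:
        verdict = check(msg)
        if verdict:
            return verdict, check.__name__
    return "clear", "no-match"


if __name__ == "__main__":
    samples = [  # constructed messages
        {"client_ip": "10.10.10.1", "helo": "mail.acme.com", "from": "bob@acme.com"},
        {"client_ip": "192.0.2.5", "helo": "mail.acme.com", "from": "bob@acme.com"},
        {"client_ip": "203.0.113.9", "helo": "mail.acme.com", "from": "promo@spam.example"},
        {"client_ip": "203.0.113.9", "helo": "bogus.invalid", "from": "bob@acme.com"},
        {"client_ip": "203.0.113.9", "helo": "mail.acme.com", "from": "bob@nowhere.invalid"},
    ]
    for m in samples:
        print(m["client_ip"], m["from"], "->", classify(m))
```

Note the two consequences of first-verdict semantics: a whitelisted connecting IP short-circuits every later check, so IP whitelist entries should be narrow, and a sender whose HELO is any resolvable name (even the victim's own domain) passes the HELO check unchallenged.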
Banned Word Check

[Figure: sample message "Let us fill all your prescription drugs. Visit our online pharmacy for great prices on prescription medications. We offer the widest selection of popular drugs." scored against banned words Drugs (score 10), Pharmacy (score 5) and Prescription (score 5) with threshold 18: 10 + 5 + 5 = 20]

- The FortiGate unit blocks email based on words or patterns in the message
- A weight is assigned to each banned word found in the message
- If the threshold is exceeded, the message is marked as spam
- Banned words can be defined using wildcards and regular expressions
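The slide's arithmetic (10 + 5 + 5 = 20, although "drugs" and "prescription" each appear twice) shows that every banned pattern counts once per message. The following is an added example, not FortiOS code, that reproduces that scoring with wildcard and regular-expression patterns; the words, weights and threshold are the slide's, the message text and the regex entry are constructed.

```python
"""Added example (not FortiOS code): the weighted banned-word check as the
slide illustrates it. Each banned pattern carries a score; a pattern that
appears anywhere in the text adds its score once, the scores are summed,
and the message is marked as spam when the total exceeds the threshold.
Patterns may be wildcards or regular expressions. The words, weights and
threshold are the slide's; the message text and the regex entry are
constructed for the example."""
import fnmatch
import re

# (pattern, kind, score): the slide's words and weights; 'pharmac*' also covers 'pharmacy'.
BANNED = [("drugs", "wildcard", 10), ("pharmac*", "wildcard", 5), ("prescription", "wildcard", 5)]
THRESHOLD = 18

SLIDE_TEXT = ("Let us fill all your prescription drugs. Visit our online pharmacy "
              "for great prices on prescription medications. We offer the widest "
              "selection of popular drugs.")


def _words(text):
    return re.findall(r"[a-z0-9']+", text.lower())


def matches(pattern, kind, text):
    if kind == "wildcard":
        return any(fnmatch.fnmatchcase(w, pattern.lower()) for w in _words(text))
    if kind == "regex":
        return re.search(pattern, text, re.IGNORECASE) is not None
    raise ValueError(f"unknown pattern kind {kind!r}")


def score(text, banned=BANNED):
    """Sum of the scores of the banned patterns found; each pattern counts once per message,
    which is why the slide's text scores 10 + 5 + 5 although 'drugs' appears twice."""
    return sum(s for pattern, kind, s in banned if matches(pattern, kind, text))


def is_spam(text, threshold=THRESHOLD, banned=BANNED):
    return score(text, banned) > threshold


if __name__ == "__main__":
    print(score(SLIDE_TEXT), is_spam(SLIDE_TEXT))
    leet = [("ph[a4]rm[a4]c[yi]", "regex", 5)]   # constructed regex for obfuscated spelling
    print(score("Cheap ph4rm4cy deals", banned=leet))
```

Wildcards are matched against whole words, so "drug" would not hit "drugs" without a trailing `*`; the regular-expression form is the one to reach for when spammers obfuscate spelling, at the cost of more false positives.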
MIME Headers Check

- The FortiGate unit can check the MIME header information of incoming email messages
- If a match is found in the header list configured on the device, the corresponding action is taken
- Configured through the CLI only:

    config spamfilter mheader
DNSBL and ORDBL Check

- The FortiGate unit can compare the IP address or domain name of an incoming email message against third-party DNSBL and ORDBL lists
- Matches IP addresses or domain names of known spammers
- Configured through the CLI only:

    config spamfilter dnsbl
    config spamfilter ordbl
Request Removal From FortiGuard

- Spam filtering is best effort, so false positives can occur periodically
- Submit details to the Spam department at: www.fortiguard.com/antispam/antispam.html
FortiGuard Email Filtering Options

[Figure: cache entries - IP address 10.10.10.1, URL www.acme.com, message checksum x65Fsd34c]

- Caching reduces FortiGuard requests and can improve performance
- A small percentage of system memory is dedicated to the cache
- Query results are cached until the TTL setting is reached
- Alternate port 8888 is available for access to the FortiGuard servers
Email Filter Profile

[Screenshot: email filter profile]

Labs

- Lab 1: Email Filtering
  - Ex 1: Configuring FortiGuard AntiSpam
Classroom Lab Topology
Course 201 - Administration, Content Inspection and VPNs Web Filtering
01-50000-0201-20130215-C
© 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C
Module 9: Web Filtering
Module Objectives
By the end of this module participants will be able to:
Identify the web filtering mechanisms used on the FortiGate device
Create web content and URL filters
Configure FortiGuard Web Filtering
Configure FortiGuard Web Filtering exemptions and rating overrides
Define firewall policies using web filter profiles
Web Filtering
A means of controlling the web content that a user is able to view:
Preserve employee productivity
Prevent network congestion where valuable bandwidth is used for non-business purposes
Prevent loss or exposure of confidential information
Decrease exposure to web-based threats
Limit legal liability when employees access or download inappropriate or offensive material
Prevent copyright infringement caused by employees downloading or distributing copyrighted materials
Prevent children from viewing inappropriate material
Proxy-Based Web Filtering
Proxy-based solution that communicates between client and server
Inspects the full URL
Allows customizable block pages to be displayed when sites are prevented
Most resource-intensive option; lowest throughput
Most options available in the Advanced section
Proxy-Based Web Filtering
Select inspection mode in web filter profile
Flow-Based Web Filtering
Non-proxy solution that uses the IPS engine to perform inspection
High throughput
Inspects the full URL
FortiGuard Web Filtering override will not apply when flow-based inspection is enabled
Few Advanced options available
Flow-Based Web Filtering
Select inspection mode in web filter profile
DNS-Based Web Filtering
DNS-proxy solution that uses DNS queries to decide access
DNS queries are redirected to the FortiGuard SDNS server
Very lightweight; SSL inspection is never required
Cannot inspect the URL, only the hostname (DNS)
Supports URL Filtering and FortiGuard Category only
No individual block pages; can redirect to a portal
Web site access by IP address means no DNS lookup takes place, so the filter is not consulted
DNS-Based Web Filtering
Select inspection mode in web filter profile
When Does Filtering Activate?
Figure: request sequence for www.acme.com: DNS Request, DNS Response (!), TCP 3-Way Handshake, HTTP GET, HTTP 200 (!). The (!) markers show the points in the exchange at which filtering acts.
HTTP Inspection Order
Figure: the checks are applied in sequence; each check either blocks the request (a Block Page is shown) or allows it on to the next check:
Web URL Filter: Block -> Block Page; Exempt -> EXEMPT (from ALL further inspection); Allow -> next check
FortiGuard Filter: Block -> Block Page; Allow -> next check
Content Filter: Block -> Block Page; Allow -> next check
Advanced Filter: Block -> Block Page; Allow -> next check
Virus Scan: Block -> Block Page; Allow -> Display Page
Types of Web Filtering
Proxy-Based: highly secure; traffic is cached
Flow-Based: high throughput; no caching; not as secure
DNS-Based: very lightweight; hostname filtering only; no advanced options, URL and FortiGuard only
Web Content Filtering
Create the pattern list in the CLI.
Figure: pattern list applied to www.acme.com, with the action Block or Exempt:
Drugs, Score=10
Pharmacy, Score=5
Prescription, Score=5
Threshold=18
10 + 5 + 5 = 20
Allow or block web pages containing specific words or patterns. Wildcards or regular expressions are used to define the patterns.
Scores for matched patterns are added. If the total is greater than the threshold, the FortiGate unit performs the configured action.
If a pattern appears multiple times on a web page, its score is only counted once.
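The scoring rule shared by the banned-word check in the Email Filtering module and the web content filter above, implemented as an added example (not FortiOS code). It runs the slide's three patterns over the slide's spam sample and reproduces its 10 + 5 + 5 = 20 total against a threshold of 18. The pattern list is constructed; it generalizes the slide slightly by showing both a wildcard entry ("pharmac*") and a regular-expression entry, and each pattern adds its score at most once no matter how often it occurs, which is the rule the slide states.

```python
import re

# Constructed pattern list in the spirit of the slide: (pattern, type, score).
# Type "wildcard" treats * as any run of characters and ? as any single character;
# type "regexp" is used as a regular expression exactly as written.
PATTERN_LIST = [
    ("drugs", "wildcard", 10),
    ("pharmac*", "wildcard", 5),      # generalizes "Pharmacy" to pharmacy, pharmacies, ...
    (r"prescription", "regexp", 5),
]
THRESHOLD = 18

# Spam sample from the slide (contains "prescription" and "drugs" twice each).
SAMPLE_TEXT = (
    "Let us fill all your prescription drugs. Visit our online pharmacy for great "
    "prices on prescription medications. We offer the widest selection of popular drugs."
)


def compile_pattern(pattern, kind):
    """Turn a wildcard or regexp entry into a case-insensitive compiled regex."""
    if kind == "wildcard":
        # Escape everything, then turn the wildcard metacharacters back into regex.
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    elif kind == "regexp":
        regex = pattern
    else:
        raise ValueError(f"unknown pattern type: {kind}")
    return re.compile(regex, re.IGNORECASE)


def score_content(text, pattern_list=PATTERN_LIST, threshold=THRESHOLD):
    """Add the score of every pattern present in the text, each counted at most once."""
    total = 0
    matched = []
    for pattern, kind, score in pattern_list:
        # search() reports presence only, so repeats of a pattern do not add up.
        if compile_pattern(pattern, kind).search(text):
            total += score
            matched.append(pattern)
    return {"score": total, "matched": matched, "exceeds_threshold": total > threshold}


if __name__ == "__main__":
    print(score_content(SAMPLE_TEXT))
```

Whether the result means "mark as spam" (email filter) or "block / exempt" (web content filter) depends on where the list is attached; the arithmetic is the same in both places.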
Web URL Filtering
Control web access by allowing or blocking URLs. Text, wildcards or regular expressions can be used to define the URL patterns. If there is no URL match on the list, processing goes on to the next enabled check.
Possible web URL filter actions are: Allow, Block, Monitor, Exempt
Web URL Filtering
Figure: the requested URL www.mypage.com/index.html is checked against a URL filter list containing www.example.com, www.abc.com, www.mypage.com/index.html and www.mypage.com, each entry with one of the actions Block, Allow, Monitor or Exempt.
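The URL filter evaluation described above, followed by the next check in the inspection order, as an added example (illustrative code, not FortiOS code). The ordered filter list, the category table standing in for a FortiGuard lookup and the per-category actions are all constructed; the matching rules for the three entry types (simple text, wildcard, regular expression) are this example's own definitions. It shows the three outcomes the text describes: a Block entry stops the request, Exempt skips every further check, and Allow, Monitor or no match at all hands the request to the next enabled check.

```python
import re
from urllib.parse import urlsplit

# Constructed URL filter list (ordered; first match wins): (type, entry, action).
URL_FILTER = [
    ("simple",   "www.example.com",           "block"),
    ("simple",   "www.abc.com",               "allow"),
    ("simple",   "www.mypage.com/index.html", "exempt"),
    ("wildcard", "*.mypage.com/private/*",    "block"),
    ("regexp",   r"^(www\.)?acme\.com/reports/.*\.xlsx$", "monitor"),
]

# Constructed stand-in for the FortiGuard category lookup (hostname -> category)
# and for the profile's per-category actions: this is the "next enabled check".
CATEGORIES = {"www.mypage.com": "Games", "www.acme.com": "Business"}
CATEGORY_ACTIONS = {"Games": "block", "Business": "allow"}


def normalize(url):
    """Return host + path (+ query), lower-cased host, the form the entries are written in."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not parts.hostname:
        raise ValueError(f"no hostname in {url!r}")
    target = parts.hostname.lower() + (parts.path or "/")
    return target + ("?" + parts.query if parts.query else "")


def simple_match(entry, target):
    """Text entry: matches the host (or host/path prefix) on a path-segment boundary."""
    if not target.startswith(entry):
        return False
    rest = target[len(entry):]
    return rest == "" or rest[0] in "/?"


def wildcard_regex(entry):
    return re.compile(re.escape(entry).replace(r"\*", ".*").replace(r"\?", "."), re.IGNORECASE)


def url_filter_action(url, url_filter=URL_FILTER):
    """Walk the list top-down and return (action, entry) of the first match, or (None, None)."""
    target = normalize(url)
    for kind, entry, action in url_filter:
        if kind == "simple" and simple_match(entry.lower(), target):
            return action, entry
        if kind == "wildcard" and wildcard_regex(entry).fullmatch(target):
            return action, entry
        if kind == "regexp" and re.search(entry, target, re.IGNORECASE):
            return action, entry
    return None, None


def inspect(url, url_filter=URL_FILTER):
    """URL filter first, then the category check, in the order the inspection chain uses."""
    action, entry = url_filter_action(url, url_filter)
    if action == "block":
        return {"decision": "block", "stage": "url-filter", "entry": entry}
    if action == "exempt":
        # Exempt: FortiGuard, content filter, advanced filter and AV are all skipped.
        return {"decision": "allow", "stage": "url-filter", "entry": entry,
                "further_inspection": False}
    # "allow", "monitor" (allow and log) or no match: go on to the next enabled check.
    host = normalize(url).split("/", 1)[0]
    category = CATEGORIES.get(host, "Unrated")
    decision = CATEGORY_ACTIONS.get(category, "allow")
    return {"decision": decision, "stage": "fortiguard-category", "category": category,
            "monitored": action == "monitor", "further_inspection": decision == "allow"}


if __name__ == "__main__":
    for u in ("http://www.example.com/", "www.mypage.com/index.html", "http://www.mypage.com/"):
        print(u, inspect(u))
```

Note the difference between www.mypage.com/index.html (Exempt entry, so the Games category is never consulted) and www.mypage.com/ (no URL entry, so the category lookup blocks it): an Exempt entry written too broadly silently removes the later checks for everything it covers.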
Forcing Safe Search
Safe Search is used by search sites to prevent explicit web sites and images from appearing in search results.
The FortiGate unit rewrites the search URL to include the codes required to enable Safe Search. Supported for Google, Bing and Yahoo!. Does not force strict safe search.
YouTube EDU is available; the instructions for YouTube will include the value to enter on the FortiGate unit.
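The URL rewrite the slide describes, as an added example (not FortiOS code; the exact codes the FortiGate unit inserts are not given on the page). The hostname-to-parameter table is an assumption: it uses the Safe Search query parameters the three engines publicly document (Google safe=active, Bing adlt=strict, Yahoo vm=r). The rewrite keeps every other query parameter, only touches search paths, and overwrites a client-supplied value such as safe=off instead of appending a second copy, which is the detail that makes the rewrite effective.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed engines and the query parameter each uses to turn Safe Search on:
# hostname suffix -> (parameter, value). Not taken from the page.
SAFE_SEARCH = {
    "google.com": ("safe", "active"),
    "bing.com": ("adlt", "strict"),
    "yahoo.com": ("vm", "r"),
}


def engine_for(hostname):
    """Return the (parameter, value) pair for a known search host, else None."""
    host = hostname.lower()
    for suffix, setting in SAFE_SEARCH.items():
        if host == suffix or host.endswith("." + suffix):
            return setting
    return None


def force_safe_search(url):
    """Rewrite a search URL so it carries the engine's Safe Search parameter.

    Unknown hosts and non-search paths are returned unchanged. An existing copy of
    the parameter (e.g. safe=off) is overwritten in place; duplicates are dropped.
    """
    parts = urlsplit(url)
    setting = engine_for(parts.hostname or "")
    if setting is None or not parts.path.startswith("/search"):
        return url
    param, value = setting
    rewritten = []
    replaced = False
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if key == param:
            if not replaced:
                rewritten.append((key, value))
                replaced = True
        else:
            rewritten.append((key, val))
    if not replaced:
        rewritten.append((param, value))
    return urlunsplit(parts._replace(query=urlencode(rewritten)))


if __name__ == "__main__":
    print(force_safe_search("https://www.google.com/search?q=cats&safe=off"))
```

Because the rewrite happens on the request URL, it only works where the FortiGate unit can see the URL: proxy-based or flow-based inspection of the (decrypted) HTTP request, not DNS-based filtering.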
FortiGuard Category Filter
Figure: the URL www.mypage.com is looked up against the FortiGuard categories; the profile action for the category is one of Allow, Block, Monitor, Warning or Authenticate.
FortiGuard Category Filter
The FortiGate unit accesses the FortiGuard Distribution Server to determine the category of a requested page. Action is taken based on the selection in the web filtering profile.
The web filter rating is determined by: human raters, text analysis, and exploitation of web structure.
FortiGuard Category Filter
Split into multiple categories and sub-categories. The layout switches periodically as the Internet changes. New categories and sub-categories are released and are compatible with updated firmware; older firmware has the new values mapped to existing categories.
FortiGuard Caching
Most web sites are visited over and over again; the FortiGate unit can remember what the response was.
Caching improves performance by reducing FortiGate unit requests to the FortiGuard servers. The cache is checked before a request is sent to the FortiGuard server. The TTL setting controls the number of seconds query results are cached.
A small amount of FortiGate unit system memory is dedicated to the cache. The default is 2% used for the cache; it can be increased to 15% from the CLI.
Port 53 is used for FortiGuard communications. The alternate port number 8888 can be used.
KB Article IDs: 11779, FD32121, FD30088
FortiGuard Usage Quotas
Figure: a Games Quota applied to the Games category.
Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured). If authentication is enabled, the quota is automatically based on the user; otherwise the IP address is used. Quotas can only apply to categories with the actions Monitor, Warn or Authenticate.
Rating Submissions
Requests to rate a web site, or to have a web site's rating re-evaluated, can be submitted by accessing: http://www.fortiguard.com/ip_rep.php
Rating Override
Figure: rating override for www.acme.com (Category: General Organizations, Sub-Category: Information and Computer Security).
Rating Override
Can override the rating applied to a hostname by FortiGuard Subscription Services. The hostname is reassigned to a completely different category and uses that category's action.
The override applies to the FortiGate unit only; changes are not submitted to FortiGuard Subscription Services.
Hostnames only, e.g. google.com or www.google.com; a URL with a path such as www.google.com/index.html is not a hostname.
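The lookup path that the FortiGuard Caching and Rating Override slides describe, written out as an added example (this is illustrative code, not FortiOS code): a local override table is consulted first, then a TTL cache, and only then the upstream rating query. The upstream callable, the category table it answers from, the TTL values and the injectable clock are all constructed so expiry can be exercised offline; treating an override as an exact hostname match is this example's assumption. The override check enforces the "hostnames only" rule by rejecting anything containing a path.

```python
import time
from urllib.parse import urlsplit


class RatingService:
    """Category lookups: local override -> TTL cache -> upstream query.

    `upstream` is a callable hostname -> category standing in for the FortiGuard
    request; `clock` returns seconds and is injectable so TTL expiry can be tested.
    """

    def __init__(self, upstream, ttl_seconds, clock=time.monotonic):
        self.upstream = upstream
        self.ttl = ttl_seconds
        self.clock = clock
        self.cache = {}         # hostname -> (category, expiry time)
        self.overrides = {}     # hostname -> category; local to this unit only
        self.upstream_queries = 0

    @staticmethod
    def hostname_of(url):
        parts = urlsplit(url if "://" in url else "http://" + url)
        if not parts.hostname:
            raise ValueError(f"no hostname in {url!r}")
        return parts.hostname.lower()

    @staticmethod
    def is_hostname(value):
        """Overrides take a bare hostname: no scheme, path, port or query."""
        return bool(value) and not any(ch in value for ch in "/:?#")

    def add_override(self, hostname, category):
        if not self.is_hostname(hostname):
            raise ValueError(f"rating override takes a hostname, not a URL: {hostname!r}")
        self.overrides[hostname.lower()] = category

    def rate(self, url):
        """Return (category, source) with source one of override, cache, fortiguard."""
        host = self.hostname_of(url)
        if host in self.overrides:          # exact hostname match (assumption)
            return self.overrides[host], "override"
        now = self.clock()
        cached = self.cache.get(host)
        if cached and cached[1] > now:      # still within TTL
            return cached[0], "cache"
        category = self.upstream(host)      # cache miss or expired: ask upstream
        self.upstream_queries += 1
        self.cache[host] = (category, now + self.ttl)
        return category, "fortiguard"


# Constructed stand-in for FortiGuard answers.
FORTIGUARD_TABLE = {"www.acme.com": "Business", "www.google.com": "Search Engines"}


def fake_fortiguard(hostname):
    return FORTIGUARD_TABLE.get(hostname, "Unrated")


class FakeClock:
    """Manual clock so the example can move past the TTL without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    svc = RatingService(fake_fortiguard, ttl_seconds=3600, clock=clock)
    print(svc.rate("http://www.acme.com/index.html"))   # fortiguard
    print(svc.rate("www.acme.com"))                      # cache
    clock.advance(3601)
    print(svc.rate("www.acme.com"))                      # fortiguard again
```

Because the override is keyed on the hostname, it applies to every path under that host, including www.google.com/index.html, which is exactly why a path cannot be used as an override key.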
Local Categories
Renaming and deletion of sub-categories is possible only in the CLI:
config webfilter ftgd-local-cat
delete
rename to
Warning Action
Action = Warning (right click in the GUI)
Web Filtering Warning Page
Authenticate Action
Figure: Authenticate action example (www.hackthissite.org, Marketing).
Web Filter Profiles
Web filtering, FortiGuard web filtering and the advanced filtering options are enabled through web filter profiles.
The profile is in turn applied to a firewall policy. Any traffic being examined by the policy will have the web filtering operations applied to it.
Labs
Lab 1: Web Filtering, Exercise 1: FortiGuard Web Filtering
Classroom Lab Topology
Course 201 - Administration, Content Inspection and VPNs Application Control
01-50000-0201-20130215-C
© 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C
Module 10: Application Control
Module Objectives
By the end of this module participants will be able to:
Define application control lists
Define firewall policies using application control lists
Application Control
Application control is used to detect and take action on network traffic based on the application generating the traffic (Facebook, Skype, Gmail, etc.).
Can detect application traffic even if it is contained within other protocols
Supports a large number of applications and categories
DiffServ per application filter
Supports shared and per-IP traffic shaping for application control
Application Control List
An application control list defines the applications that will be subject to inspection. For each application, the administrator can specify whether to pass or block the application traffic, in addition to other settings.
The default rule set is very restrictive; an AV/IPS update must be performed in order to obtain new rules.
Adding to the List
Requests for additional or revised application control coverage can be submitted using FortiClient or by accessing: http://www.fortiguard.com/applicationcontrol/appform.html
Application Control Profile
Application control options are enabled through application control sensors. The sensor is in turn applied to a firewall policy.
Any traffic being examined by the policy will have the application control operations applied to it.
Example: Facebook Application Control
Example: Facebook Application Control
The application Facebook.app_ID allows a rule for a specific Facebook app. Each Facebook app is assigned a unique name and ID:
http://apps.facebook.com/app name/
For new Facebook apps not yet in the application list, a custom signature can be written:
F-SBID( --name "Facebook.App.XXX"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_GET; --pattern " /app_name/"; --no_case; --context uri; --within xx,context; --pattern "apps.facebook.com"; --no_case; --context host; )
Order of Operations
Rules are processed from the top down, and the first matching action is applied. A rule can name a single application or be picked from a set of options that apply to multiple applications.
Implicit Rules
The implicit rule for known applications matches traffic against every application control signature.
The implicit rule for unknown applications matches traffic that does not conform to any application control signature.
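The sensor evaluation described in the Order of Operations and Implicit Rules slides, together with the Facebook app signature from the example slide, as an added example (illustrative code, not the FortiOS IPS engine or its signature format). The signature table is constructed: identification is reduced to a case-insensitive HTTP host and URI match, which is the part of the slide's F-SBID signature that --context host and --context uri with --no_case express; the sensor's rules and its two implicit actions are likewise constructed. It shows first-match-wins ordering, an app-specific rule taking precedence over a category rule, and the two implicit rules catching known applications with no explicit rule and traffic matching no signature at all.

```python
# Constructed signature table standing in for the application control signature
# database: (application name, category, host, URI substring or None).
# Most specific first, so the app-specific signature wins over the generic Facebook one.
SIGNATURES = [
    ("Facebook.App.Example", "Social.Media", "apps.facebook.com", "/app_name/"),  # modelled on the slide's custom signature
    ("Facebook", "Social.Media", "facebook.com", None),
    ("Gmail", "Email", "mail.google.com", None),
    ("Skype", "VoIP", "skype.com", None),
]

# Constructed sensor: ordered rules (first match wins) plus the two implicit actions.
SENSOR = {
    "rules": [
        {"application": "Facebook.App.Example", "action": "pass"},
        {"category": "Social.Media", "action": "block"},
        {"application": "Gmail", "action": "pass"},
    ],
    "known_action": "block",    # implicit rule: all other known applications
    "unknown_action": "pass",   # implicit rule: traffic matching no signature
}


def identify(request):
    """Return (application, category) for an HTTP request, or None if no signature matches."""
    host = request["host"].lower()
    uri = request["uri"].lower()
    for name, category, sig_host, sig_uri in SIGNATURES:
        host_ok = host == sig_host or host.endswith("." + sig_host)   # --context host
        uri_ok = sig_uri is None or sig_uri in uri                     # --context uri, --no_case
        if host_ok and uri_ok:
            return name, category
    return None


def rule_matches(rule, app_name, category):
    if "application" in rule:
        return rule["application"] == app_name
    if "category" in rule:
        return rule["category"] == category
    return False


def evaluate(request, sensor=SENSOR):
    """Top-down evaluation: explicit rules first, then the implicit rule that applies."""
    ident = identify(request)
    if ident is None:
        return {"action": sensor["unknown_action"], "application": None,
                "rule": "implicit: unknown applications"}
    app_name, category = ident
    for idx, rule in enumerate(sensor["rules"], start=1):
        if rule_matches(rule, app_name, category):
            return {"action": rule["action"], "application": app_name, "rule": f"rule {idx}"}
    return {"action": sensor["known_action"], "application": app_name,
            "rule": "implicit: all other known applications"}


if __name__ == "__main__":
    for req in ({"host": "apps.facebook.com", "uri": "/app_name/play"},
                {"host": "www.facebook.com", "uri": "/"},
                {"host": "www.skype.com", "uri": "/"},
                {"host": "intranet.acme.example", "uri": "/"}):
        print(req["host"], evaluate(req))
```

Swapping the first two rules would block the Facebook app as well, since the category rule would then be the first match; the position of a rule in the list, not its specificity, decides.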
Creating a Filter Rule