FortiGate Multi-Threat Security Systems I Administration, Content Inspection and VPNs Student Training Guide Course 201 www.fortinet.com For Review Only


Study guide for certification



  • FortiGate Multi-Threat Security Systems I Administration, Content Inspection and VPNs
    Student Guide for FortiOS 5.0 (Revision C)
    Course 201

    01-50000-0201-20130215-C

    Copyright 2013 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams, or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical, or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

    Trademarks: Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

  • Course 201 Administration, Content Inspection and VPNs

    01-50000-0201-20130215-C

    MODULE 1: Introduction to Fortinet Unified Threat Management, page 1
    MODULE 2: Logging and Monitoring, page 16
    MODULE 3: Firewall Policies, page 29
    MODULE 4: Local User Authentication, page 50
    MODULE 5: SSL VPN, page 59
    MODULE 6: IPSec VPN, page 71
    MODULE 7: Antivirus, page 82
    MODULE 8: Email Filtering, page 93
    MODULE 9: Web Filtering, page 105
    MODULE 10: Application Control, page 120

  • Course 201 - Administration, Content Inspection and VPNs: Introduction

    01-50000-0201-20130215-C

    Copyright 2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C

    Module 1: Introduction to Fortinet Unified Threat Management

    Module Objectives

    By the end of this module, participants will be able to:
    • Identify the major features of the FortiGate Unified Threat Management appliance
    • Access and use the FortiGate unit's administration interfaces
    • Create administrators
    • Work with configuration files

  • Traditional Network Security Solutions

    Firewall, Antivirus, Antispam, WAN Optimization, Web Filtering, Application Control, Intrusion Prevention, VPN

    Many single-purpose systems are needed to cope with a variety of threats.

    Fortinet Solution

    Firewall, Antivirus, Antispam, WAN Optimization, Web Filtering, Application Control, Intrusion Prevention, VPN, and more

    One device provides a comprehensive security and networking solution.

  • Fortinet Solution

    • Hardware: purpose-driven hardware
    • FortiOS: specialized operating system
    • Firewall, AV, Web Filter, IPS: security and network-level services
    • FortiGuard Subscription Services: automated update service

    FortiGate Unit Capabilities

    Firewall, Antivirus, Email filtering, Web filtering, Intrusion prevention, Application control, Data leak prevention, WAN optimization, Secure VPN, Wireless, Dynamic routing, Endpoint compliance, Virtual domains, Traffic shaping, High availability, Logging and reporting, Authentication

  • Fortinet Appliances

    FortiAnalyzer, FortiMail, FortiManager, FortiScan, FortiBridge, FortiCarrier, FortiDB, FortiWifi, FortiWeb, FortiSwitch, FortiVoice, FortiAP, FortiGate-ONE, FortiClient

    FortiGuard Subscription Services

    • Global Update service for AV/IPS (update.fortiguard.com)
    • Global Live service for FortiGuard WF/AS (service.fortiguard.net)
    • The FortiGate unit will prefer servers nearby; server distance is calculated based on time zones
    • Major server centers in North America as well as Asia and Europe
    • Nearest servers are preferred, but the unit will adjust based on server load

  • Device Factory Defaults

    • Port1 or the Internal interface will have an IP of 192.168.1.99
    • Port1 or the Internal interface will have a DHCP server set up and enabled (on devices that support DHCP servers)
    • Default login will always be: user: admin, password: (blank)
    • Usernames and passwords are BOTH case sensitive

    Device Administration

    Web GUI, CLI

  • Admin Profiles

    Admin Profile: Read or Read-Write access, set per configuration area: System Configuration, Network Configuration, Firewall Configuration, UTM Configuration, VPN Configuration, etc.

  • Administrators

    • super_admin profile: full access
    • prof_admin profile: full access within a single virtual domain
    • custom profile: custom access

    Administrator Trusted Hosts

  • Administrator Authentication

    • Username and Password (one factor)
    • Username and Password + FortiToken (two factor)

  • Device Configuration

    • Device configuration settings can be saved to an external file (optional encryption)
    • The file can be restored to roll back the device to a previous configuration

    Per-VDOM Configuration File

  • Interface IPs

    Every used interface on the unit must have an IP assigned (in NAT mode) using one of three methods: Manual IP, DHCP assigned, PPPoE (CLI only)

    Static Gateway

    • There must be at least one default gateway
    • If an interface is DHCP or PPPoE, then a gateway can be added to the routing table dynamically

  • DHCP Server - Setup

    • Interface and Mode Selection
    • IP and DNS Configuration
    • Advanced DHCP Configuration: Reserved IPs, WINS, etc.

    DHCP Server IP Reservation

    • An IP address is reserved and always assigned to the same DHCP host
    • Select an IP address or choose an existing DHCP lease to add to the reserved list
    • Identify the IP address reservation as either DHCP over Ethernet or DHCP over IPSec
    • The MAC address of the DHCP host is used to look up the IP address in the IP reservation table

  • DHCP Activity

    FortiGate DNS Server

    Resolve DNS lookups from an internal network. Methods to set up DNS for each interface:
    • Forward-only: DNS requests are sent to the DNS servers configured for the unit
    • Non-recursive: DNS requests are resolved using a FortiGate DNS database, and unresolved DNS requests are dropped
    • Recursive: DNS requests are resolved using a FortiGate DNS database, and any unresolved DNS requests are relayed to the DNS servers configured for the unit

    One DNS database can be shared by all the FortiGate interfaces. If VDOMs are enabled, a DNS database needs to be created in each VDOM.

  • DNS Server Configuration

    • DNS zones need to be added when configuring the DNS database; each zone has its own domain name; the zone format is defined by RFC 1034 and RFC 1035
    • DNS entries are added to each zone; an entry includes a hostname and the IP address it resolves to
    • Each entry also specifies the type of DNS entry: IPv4 address (A), IPv6 address (AAAA), name server (NS), canonical name (CNAME), mail exchange (MX), IPv4 pointer (PTR) or IPv6 pointer (PTR)

    Firmware Upgrade Steps

    • Step 1: Back up and store the old configuration (full config backup from CLI)
    • Step 2: Have a copy of the old firmware available
    • Step 3: Have a disaster recovery option on standby (especially if remote)
    • Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
    • Step 5: Double check everything
    • Step 6: Upgrade

  • Firmware Downgrade Steps

    • Step 1: Locate the pre-upgrade configuration file
    • Step 2: Have a copy of the old firmware available
    • Step 3: Have a disaster recovery option on standby (especially if remote)
    • Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
    • Step 5: Double check everything
    • Step 6: Downgrade (all settings except those needed for access are lost)
    • Step 7: Restore the pre-upgrade configuration

    Labs

    Lab 1: Initial Setup and Configuration
    • Ex 1: Configuring Network Interfaces
    • Ex 2: Exploring the Command Line Interface
    • Ex 3: Restoring Configuration Files
    • Ex 4: Performing Configuration Backups

    (OPTIONAL) Lab 2: Administrative Access
    • Ex 1: Profiles and Administrators
    • Ex 2: Restricting Administrator Access

  • Classroom Lab Topology

  • Course 201 - Administration, Content Inspection and VPNs: Logging and Monitoring

    Module 2: Logging and Monitoring

    Module Objectives

    By the end of this module, participants will be able to:
    • Define the storage location for log information
    • Enable logging for different FortiGate unit events
    • View and search logs
    • Monitor log activity
    • Understand RAW log output
    • Customize widgets on the dashboard

  • Logging and Monitoring

    Logging and monitoring are key elements in maintaining devices on the network:
    • Monitor network and Internet traffic
    • Track down and pinpoint problems
    • Establish baselines

    Logging Severity Levels

    Administrators define the severity level at which the FortiGate unit records log information. All messages at, or above, the minimum severity level will be logged.
    • Emergency = System unstable
    • Alert = Immediate action required
    • Critical = Functionality affected
    • Error = Error exists that can affect functionality
    • Warning = Functionality could be affected
    • Notification = Info about normal events
    • Information = General system information (default)
    • Debug = Debug log messages

  • Log Storage Locations

    • Local logging: memory and hard drive
    • Remote logging: Syslog, SNMP

    Log Types and Subtypes

    • Traffic Log: Forward (traffic passed/blocked by firewall policies), Local (traffic aimed directly at, or created by, the FortiGate device), Invalid (packets considered invalid/malformed and dropped)
    • Event Log: System (system-related events), Router, VPN, User, WanOpt & Cache, Wifi
    • UTM Security Log: Antivirus, Web Filter, Intrusion Protection, etc.

  • Log Structure and Behavior

    Options for log behavior:
    • UTM consolidated into the Forward Traffic log
    • UTM separated into individual logs

    utm-incident-traffic-log:

        config sys global
            set utm-incident-traffic-log [enable|disable]
        end

    • If "log allowed traffic" is disabled on the policy, then a UTM event enables traffic logging for that session. Pre-5.0, this behavior was always on and not configurable.
    • Consolidating logs into the Traffic Log is recommended for performance: multiple individual log files are harder on the CPU than one.

    Traffic Log Generation

    Columns: Log Traffic | UTM Function | Extended-utm | utm-incident-traffic-log | Behavior
    • Enabled | Disabled (traffic does not go to UTM) | N/A | N/A | Traffic log generated by kernel (like today); all new UTM fields empty
    • Enabled | Enabled (traffic goes to UTM) | Disabled | Either | UTM events generate logs in the traffic log; all traffic through the policy generates a traffic log
    • Disabled | Enabled (traffic goes to UTM) | Disabled | Enabled | UTM events generate logs in the traffic log; only traffic that has a UTM event occur generates traffic logs
    • Disabled | Enabled (traffic goes to UTM) | Disabled | Disabled | Only UTM events generate logs in the traffic log (no other traffic logs)
    • Disabled | Enabled (traffic goes to UTM) | Enabled | Enabled | UTM events generate logs in the UTM log; only traffic that has a UTM event occur generates traffic logs

  • Viewing Log Messages

    Log Viewer Filtering

    • Use Filter Settings to customize the display of log messages to show specific information in log messages
    • Reduce the number of log entries that are displayed
    • Easily locate specific information

  • Log Severity Level

    date=2012-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=http(10.0.1.10) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from http(10.0.1.10)"

    The log severity level is indicated in the level field of the log message; information = normal event.

    Viewing Log Messages (Raw)

    Fields in each log message are arranged into two groups:
    • Log header (common to all log messages): date=2012-11-13 time=11:17:56 logid=0000000009 type=traffic subtype=forward level=notice vd=root
    • Log body (varies per log entry type): srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100

  • Viewing Log Messages (Raw)

    Log header: date=2012-08-30 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp level=warning vd=root filteridx=0

    Log body: policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" group="group" srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1 ...

    The type and subtype fields identify the log file that the message is recorded in (for example, UTM > Data Leak Prevention or Traffic > Forward Traffic).

    Viewing Log Messages (Raw)

    Log body: srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100 hostname="host" url="www.abcd.com" msg="Data Leak Prevention Testing Message" action=block severity=0 infection="carrier end point filter"

    policyid = id number of the firewall policy matching the session

  • Viewing Log Messages (Raw)

    Log body: srcip=172.16.78.88 srcname=host srcport=0 srcintf=unknown-0 dstip=229.118.95.200 dstport=0 dstintf=unknown-0 sessionid=0 status=deny user="test user" group="test group" policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat tranip=0.0.0.0 tranport=0 transip=0.0.0.0 transport=0 service=other proto=0 appid=1 app="AIM" appcat="IM" applist=unknown-1 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 vpn="vpn0" shapersentname="shaper sent name" shaperdropsentbyte=16843009 shaperrcvdname="shaper rcvd name" shaperdroprcvdbyte=16843009 shaperperipname="perip name" shaperperipdropbyte=16843009 devtype="iPad" osname="linux" osversion="ver" unauthuser="user" unauthusersource="none" collectedemail="mail" mastersrcmac=02:02:02:02:02:02 srcmac=01:01:01:01:01:01

    status = action taken by the FortiGate unit
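The raw-log slides above describe the header/body split, the level field and the type/subtype to log-file mapping in words. As an added example (not part of the course material and not FortiOS code), the Python below parses the key=value format, splits a line into header and body using the header field names the slides show, applies the "at or above the minimum severity" rule from the Logging Severity Levels slide, names the log file a message lands in, and pulls administrator login events out of a batch of lines, which is what a defender reviewing the event log is usually looking for. The sample lines are the ones printed on the slides; the alias table that maps level=notice onto the slide's Notification level and the "Event > System" entry in the log-file lookup are assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Severity levels from the "Logging Severity Levels" slide, most severe first.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notification", "information", "debug"]

# Raw logs abbreviate some level names (the traffic sample carries
# level=notice); mapping those spellings onto the slide's names is an assumption.
LEVEL_ALIASES = {"notice": "notification", "info": "information",
                 "warn": "warning", "err": "error", "crit": "critical",
                 "emerg": "emergency"}

# Header fields common to every message (log_id is the spelling in the DLP sample).
HEADER_KEYS = frozenset(["date", "time", "logid", "log_id", "type", "subtype",
                         "eventtype", "level", "vd"])

# type/subtype -> log file; the first two pairs are on the slides, the third is
# inferred from the "Log Types and Subtypes" slide (assumption).
LOG_FILES = {
    ("utm", "dlp"): "UTM > Data Leak Prevention",
    ("traffic", "forward"): "Traffic > Forward Traffic",
    ("event", "system"): "Event > System",
}

# key=value pairs: a value is either a double-quoted string (may contain spaces)
# or a run of non-blank characters such as http(10.0.1.10) or 800/tcp.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Turn one raw FortiOS log line into a dict of field -> value (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def split_header_body(fields: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Separate the common log header from the type-specific log body."""
    header = {k: v for k, v in fields.items() if k in HEADER_KEYS}
    body = {k: v for k, v in fields.items() if k not in HEADER_KEYS}
    return header, body


def normalize_level(level: str) -> str:
    level = level.lower()
    return LEVEL_ALIASES.get(level, level)


def at_or_above(level: str, minimum: str) -> bool:
    """The slide's rule: all messages at, or above, the minimum severity are logged."""
    return SEVERITY_ORDER.index(normalize_level(level)) <= SEVERITY_ORDER.index(normalize_level(minimum))


def filter_by_severity(lines: Iterable[str], minimum: str) -> List[str]:
    """Keep only the lines a unit configured with `minimum` would record."""
    return [ln for ln in lines
            if at_or_above(parse_fortios_log(ln).get("level", "debug"), minimum)]


def log_file_for(fields: Dict[str, str]) -> str:
    """Name the log file (viewer menu) this message is recorded in."""
    return LOG_FILES.get((fields.get("type", ""), fields.get("subtype", "")), "unknown")


def admin_logins(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (user, source UI, status) for administrator login events."""
    out = []
    for ln in lines:
        f = parse_fortios_log(ln)
        if f.get("type") == "event" and f.get("subtype") == "system" and f.get("action") == "login":
            out.append((f.get("user", ""), f.get("ui", ""), f.get("status", "")))
    return out


# Sample lines copied from the slides (the header and body of the traffic and
# DLP samples are joined into single lines here).
SAMPLE_LOGS = [
    'date=2012-09-10 time=13:00:30 logid=0100032001 type=event subtype=system level=information vd="root" user="admin" ui=http(10.0.1.10) action=login status=success reason=none profile="super_admin" msg="Administrator admin logged in successfully from http(10.0.1.10)"',
    'date=2012-11-13 time=11:17:56 logid=0000000009 type=traffic subtype=forward level=notice vd=root srcip=172.16.78.32 srcport=900 srcintf=unknown-0 dstip=1.1.1.32 dstport=800 dstintf=unknown-0 dstcountry="Australia" srccountry="Reserved" service=800/tcp wanoptapptype=cifs duration=20 policyid=100 user="test user" group="test group" identidx=200 wanin=400 wanout=300 lanin=200 lanout=100',
    'date=2012-08-30 time=12:55:06 log_id=32001 type=utm subtype=dlp eventtype=dlp level=warning vd=root filteridx=0 policyid=12345 identidx=67890 sessionid=312 epoch=0 eventid=0 user="user" group="group" srcip=1.1.1.1 srcport=2560 srcintf="lo" dstip=2.2.2.2 dstport=5120 dstintf="port1" service=mm1',
]

if __name__ == "__main__":
    for ln in SAMPLE_LOGS:
        hdr, body = split_header_body(parse_fortios_log(ln))
        print(log_file_for(hdr), "|", hdr["level"], "|", sorted(body)[:5])
    print("kept at warning or above:", len(filter_by_severity(SAMPLE_LOGS, "warning")))
    print("admin logins:", admin_logins(SAMPLE_LOGS))
```

Run stand-alone it prints the log file, level and first body fields of each sample, then shows that with a minimum severity of Warning only the DLP message survives, while the traffic message (level=notice) and the admin login (level=information) would not be recorded.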

    Alert Email

    • Send a notification to an email address upon detection of a defined event
    • Identify the SMTP server name
    • Configure at least one DNS server
    • Up to three recipients per mail server

  • SNMP

    Managed device: SNMP agent with the Fortinet MIB; SNMP manager: receives traps
    • Traps received by the agent are sent to the SNMP manager
    • Configure the FortiGate unit interface for SNMP access
    • Compile and load the Fortinet-supplied MIBs into the SNMP manager
    • Create SNMP communities to allow connection from the FortiGate unit to the SNMP manager

    Event Logging

  • Event Log

    Monitor

  • Monitor

    • Monitor sub-menus are found in the GUI for all main function menus
    • User-friendly display of monitored information
    • View activity of a specific feature being monitored, such as Firewall, VPN, Router, Wi-Fi, etc.
    • UTM monitoring can be enabled via System > Admin > Settings

    Monitor

    Example: UTM Security Profiles Monitor (includes all UTM features)
    • AV Monitor: recent and top virus activity
    • Web Monitor: top blocked FortiGuard categories
    • Application Monitor: most used applications

  • Status Page Custom Widgets

    • Many widgets can have their settings altered to display different information
    • The same widget can be added multiple times to the same dashboard, showing different information

    Labs

    Lab 1: Status Monitor and Event Log
    • Ex 1: Exploring the GUI Status Monitor
    • Ex 2: Event Log and Logging Options

    (OPTIONAL) Lab 2: Remote Monitoring
    • Ex 1: Remote Syslog and SNMP Monitoring

  • Classroom Lab Topology

  • Course 201 - Administration, Content Inspection and VPNs: Firewall Policies

    Module 3: Firewall Policies

    Module Objectives

    By the end of this module, participants will be able to:
    • Identify the components used in a firewall policy
    • Create firewall objects
    • Create Address and Device Identity policies and manage the order of their processing
    • Monitor traffic through policies

  • Firewall Policies

    Policy components: incoming and outgoing interfaces, source and destination IP addresses, services, schedules, action (ACCEPT), authentication, threat management, traffic shaping, logging

    Firewall policies include the instructions used by the FortiGate device to determine what to do with a connection request: the packet is analyzed, its content is compared to the policy, and the action is performed.

    Types of Policies

    • Address: policy match based on IPs
    • User Identity: policy match based on authentication information (user)
    • Device Identity: policy match based on OS

  • Firewall Actions

    • Traffic matches a policy: the policy action (Accept or Deny) is applied
    • Traffic does not match any policy: Deny

    Firewall Policy Elements - Address Subtype

  • Firewall Policy Elements - User Identity Subtype

    Firewall Policy Elements - Device Identity Subtype

    • The OS identity of a device is based on packet behavior and details: MAC address (Forti-Device only), DHCP VCI, TCP SYN fingerprint, HTTP User-Agent
    • Identification rules are updated with FortiGuard definitions

  • Device Identification (BYOD)

    Device detection is dependent on it being enabled on the interface via the device-identification command (* marks the default):

        config system interface
            edit "port1"
                set device-identification (enable|disable*)
                set device-user-identification (enable*|disable)
            end
        end

    Per-VDOM settings on what to detect:

        config system network-visibility

    The global set of device types FortiOS detects is hardcoded.

    Device Identification (BYOD)

    Devices can be manually identified in the config:

        config user device
            edit me
                set mac-address <mac address>
                set type <type name>
                set user <user name>
            end
        end

    Once the device is created it can be added to a device group:

        config user device-group

  • Device Identification (BYOD)

    Captive Portal options:
    • Device identification (default)
    • Email collection (attach an email to the device)
    • FortiClient download (force FortiClient install)

    Device-identify: identifies the device through the HTTP user-agent

  • Device Identification (BYOD)

    Email-collection: used in conjunction with the device type Collected Emails; collects an email to be associated with the device

        config sys setting
            set email-portal-check-dns [enable|disable]
        end

  • Device Identification (BYOD)

    Identified devices are listed under User & Devices > Device > Device, or from the CLI:

        diag user device list

    • Each device-identity policy entry may have one or more devices, device groups or device categories specified
    • 3 possible actions: Accept (the default), Deny, Captive portal
    • UTM options are only available when the action is Accept

  • Firewall Address Objects

    • The FortiGate device compares the source and destination address in the packet to the policies on the device; a default of ALL addresses is available
    • Addresses in policies are configured with: a name for display in the policy list, an IP address and mask, or an FQDN if desired (DNS is used to resolve it)
    • Use Country to create addresses based on geographical location
    • Create address groups to simplify administration

    Firewall Interfaces

    • Select Incoming Interface to identify the interface or zone on which packets are received; select an individual interface or ANY to match all interfaces as the source
    • Select Outgoing Interface to identify the interface or zone to which packets are forwarded; select an individual interface or ANY to match all interfaces

  • Firewall Service Objects

    A service is a protocol and port; the packet's protocol and port are matched against the service in the firewall policy.
    • The FortiGate unit uses Services to determine the types of communication accepted or denied; a default of ALL services is available
    • Select a Service from the predefined list on the FortiGate unit or create a custom service
    • A Web Proxy Service is also available if the Incoming Interface is set to web-proxy
    • Group Services and Web Proxy Services into service groups to simplify administration

    Traffic Logging

    • Accept: Log Allowed Traffic
    • Deny: Log Violation Traffic

  • Network Address Translation (Source NAT)

    Firewall policy with NAT enabled; wan1 IP address: 200.200.200.200
    • Before NAT (internal): source IP address 10.10.10.1, source port 1025, destination IP address 11.12.13.14, destination port 80
    • After NAT (wan1): source IP address 200.200.200.200, source port 30912, destination IP address 11.12.13.14, destination port 80

    NAT Dynamic IP Pool (Source NAT)

    Firewall policy with NAT + IP pool enabled; wan1 IP pool: 200.200.200.2-200.200.200.10
    • Before NAT (internal): source IP address 10.10.10.1, source port 1025, destination IP address 11.12.13.14, destination port 80
    • After NAT (wan1): source IP address 200.200.200.? (an address from the pool), source port 30957, destination IP address 11.12.13.14, destination port 80

  • Central NAT Table

    • Allows creation of NAT rules and NAT mappings set up by the global firewall table
    • Control port translation instead of allowing the system to assign ports randomly

  • Traffic Shaping

    HTTP, FTP, IM
    • Traffic shaping controls which policies have higher priority when large amounts of data are passing through the FortiGate unit
    • Normalize traffic bursts by prioritizing certain flows over others

    Source NAT IP Address and Port

    The session table identifies the IP and port with NAT applied.

  • Fixed Port (Source NAT)

    Firewall policy with NAT + IP pool enabled + fixed port (CLI only); wan1 IP pool: 200.200.200.201
    • Before NAT (internal): source IP address 10.10.10.1, source port 1025, destination IP address 11.12.13.14, destination port 80
    • After NAT (wan1): source IP address 200.200.200.201, source port 1025 (unchanged), destination IP address 11.12.13.14, destination port 80
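To make the source-NAT variants on these slides concrete, the following Python model (added here as an illustration; it is not FortiOS code) keeps the session table the "Source NAT IP Address and Port" slide refers to, mapping each original (source IP, source port, destination IP, destination port) tuple to its translated form, and implements the three cases shown: plain NAT behind the wan1 address, an IP pool, and fixed port. It also applies the static virtual-IP destination translation from the following slide. The allocation order (lowest free port first, starting from the 30912 shown on the first NAT slide; lowest free pool address first), the two-address pool used for the fixed-port case and the extra clients 10.10.10.2 and 10.10.10.3 are constructed assumptions; a real unit's allocation differs.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# (src_ip, src_port, dst_ip, dst_port), both for the original and the translated session
Tuple4 = Tuple[str, int, str, int]


@dataclass
class Policy:
    """The NAT-related settings of a firewall policy as shown on the slides."""
    nat: bool = True
    ippool: Optional[Tuple[str, str]] = None  # inclusive address range, or None = use wan1 IP
    fixedport: bool = False                   # keep the original source port (CLI-only option)


@dataclass
class NatTable:
    wan_ip: str                                          # outgoing interface address
    vips: Dict[str, str] = field(default_factory=dict)   # static VIP: external IP -> internal IP
    sessions: Dict[Tuple4, Tuple4] = field(default_factory=dict)  # original -> translated
    first_port: int = 30912  # first translated port, taken from the slide (allocation order is an assumption)

    def _nat_addresses(self, policy: Policy) -> List[str]:
        """Addresses source NAT may use: the pool if configured, otherwise the wan1 IP."""
        if policy.ippool is None:
            return [self.wan_ip]
        lo, hi = (int(IPv4Address(a)) for a in policy.ippool)
        return [str(IPv4Address(n)) for n in range(lo, hi + 1)]

    def _taken(self, nat_ip: str, nat_port: int, dst_ip: str, dst_port: int) -> bool:
        return (nat_ip, nat_port, dst_ip, dst_port) in self.sessions.values()

    def source_nat(self, policy: Policy, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int) -> Tuple4:
        """Translate the source of a new session and record it in the session table."""
        original = (src_ip, src_port, dst_ip, dst_port)
        if not policy.nat:
            return original
        for nat_ip in self._nat_addresses(policy):
            # Fixed port: only the original port is acceptable on each pool address.
            ports = [src_port] if policy.fixedport else range(self.first_port, 65536)
            for nat_port in ports:
                if not self._taken(nat_ip, nat_port, dst_ip, dst_port):
                    translated = (nat_ip, nat_port, dst_ip, dst_port)
                    self.sessions[original] = translated
                    return translated
        raise RuntimeError("no free NAT address/port: with fixed port each pool "
                           "address serves one session per source port")

    def destination_nat(self, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Static VIP: rewrite the destination if a VIP exists for it, else leave it."""
        return (self.vips.get(dst_ip, dst_ip), dst_port)


def demo() -> Dict[str, object]:
    """Replay the slide scenarios and return the translations for inspection."""
    # Slide 21: plain NAT behind wan1 200.200.200.200, plus the VIP from slide 28.
    plain = NatTable("200.200.200.200", vips={"200.200.200.222": "10.10.10.10"})
    t1 = plain.source_nat(Policy(), "10.10.10.1", 1025, "11.12.13.14", 80)
    t2 = plain.source_nat(Policy(), "10.10.10.2", 1025, "11.12.13.14", 80)  # constructed second client
    # Slide 22: IP pool 200.200.200.2-200.200.200.10 (model picks the lowest free address).
    pooled = NatTable("200.200.200.200")
    t3 = pooled.source_nat(Policy(ippool=("200.200.200.2", "200.200.200.10")),
                           "10.10.10.1", 1025, "11.12.13.14", 80)
    # Slide 27: fixed port; constructed two-address pool so a second client that also
    # uses source port 1025 can still be translated, and a third cannot.
    fixed = NatTable("200.200.200.200")
    fp = Policy(ippool=("200.200.200.201", "200.200.200.202"), fixedport=True)
    t4 = fixed.source_nat(fp, "10.10.10.1", 1025, "11.12.13.14", 80)
    t5 = fixed.source_nat(fp, "10.10.10.2", 1025, "11.12.13.14", 80)
    try:
        fixed.source_nat(fp, "10.10.10.3", 1025, "11.12.13.14", 80)
        exhausted = False
    except RuntimeError:
        exhausted = True
    d1 = plain.destination_nat("200.200.200.222", 80)
    return {"plain": (t1, t2), "pool": t3, "fixed": (t4, t5),
            "exhausted": exhausted, "vip": d1}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The fixed-port case is the point of the model: because the source port is preserved, two internal hosts using the same source port to the same destination can only be distinguished by giving each a different pool address, which is why the slide pairs fixed port with an IP pool and why the pool size bounds the number of such concurrent sessions.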

    Virtual IPs (Destination NAT)

    Firewall policy with destination address virtual IP + static NAT; wan1 IP address: 200.200.200.200
    • Source IP address 11.12.13.14 connects to destination IP address 200.200.200.222, destination port 80
    • The VIP translates the destination 200.200.200.222 -> 10.10.10.10 on the internal interface

  • Course 201 - Administration, Content Inspection and VPNs Firewall Policies

    01-50000-0201-20130215-C

    29

    Virtual IPs (Destination NAT)

    Firewall policy with destination address virtual IP + Static NAT, where the VIP external address is the wan1 interface IP itself

    wan1 IP address: 200.200.200.200

    Incoming packet from 11.12.13.14 on wan1: destination 200.200.200.200:80

    VIP translates destination 200.200.200.200 -> 10.10.10.10 (server on internal)

    Used to allow connections through a FortiGate unit using NAT firewall policies. The FortiGate unit can respond to ARP requests on a network for a server that is installed on another network

    Used for (1) server redundancy and load balancing; (2) IPSec VPN site-to-site with identical subnets at both sites; etc.

    VIP Group: a group of Virtual IPs, for ease of use
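The two translations in the diagrams above (source NAT with an IP pool and fixed port, and a static-NAT VIP), worked through as an added Python example; this is not FortiOS code and not part of the original guide. The Policy, VirtualIP and Flow classes, the internal interface address 10.10.10.254, the inbound source port 40000 and the ephemeral port range starting at 30000 are assumptions made for the illustration; the other addresses and ports come from the diagrams.

```python
from dataclasses import dataclass
from itertools import count
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class VirtualIP:
    extip: str      # address advertised on the outside network (the FortiGate answers ARP for it)
    mappedip: str   # real server address on the other network


@dataclass
class Policy:
    srcintf: str
    dstintf: str
    nat: bool = False                # enable source NAT
    ippool: Optional[str] = None     # IP pool address used instead of the egress interface IP
    fixedport: bool = False          # keep the original source port (CLI-only setting)
    vip: Optional[VirtualIP] = None  # destination must match this VIP; static DNAT is applied


class Firewall:
    """Minimal model: match a policy, apply DNAT (VIP) then SNAT, record the session."""

    def __init__(self, interfaces: dict, policies: List[Policy]):
        self.interfaces = interfaces          # interface name -> interface IP
        self.policies = policies
        self.sessions: List[Tuple[Flow, Flow]] = []   # (original flow, translated flow)
        self._ephemeral = count(30000)        # assumed ephemeral port allocator when fixedport is off

    def forward(self, flow: Flow, srcintf: str, dstintf: str) -> Optional[Flow]:
        for pol in self.policies:
            if (pol.srcintf, pol.dstintf) != (srcintf, dstintf):
                continue
            if pol.vip is not None and flow.dst_ip != pol.vip.extip:
                continue
            out = flow
            if pol.vip is not None:          # static NAT VIP: rewrite destination, keep the port
                out = Flow(out.src_ip, out.src_port, pol.vip.mappedip, out.dst_port)
            if pol.nat:                      # source NAT: pool address (or egress IP) and port
                new_ip = pol.ippool or self.interfaces[dstintf]
                new_port = out.src_port if pol.fixedport else next(self._ephemeral)
                out = Flow(new_ip, new_port, out.dst_ip, out.dst_port)
            self.sessions.append((flow, out))   # what the session table would show
            return out
        return None                          # no matching policy: implicit deny


def build_firewall(fixedport: bool = True) -> Firewall:
    """Wires up the two policies from the diagrams."""
    return Firewall(
        {"wan1": "200.200.200.200", "internal": "10.10.10.254"},   # internal IP is constructed
        [
            Policy("internal", "wan1", nat=True, ippool="200.200.200.201", fixedport=fixedport),
            Policy("wan1", "internal", vip=VirtualIP("200.200.200.222", "10.10.10.10")),
        ],
    )


def run_diagrams() -> Tuple[Optional[Flow], Optional[Flow]]:
    """Outbound flow from the fixed-port diagram, inbound flow from the VIP diagram."""
    fw = build_firewall()
    outbound = fw.forward(Flow("10.10.10.1", 1025, "11.12.13.14", 80), "internal", "wan1")
    inbound = fw.forward(Flow("11.12.13.14", 40000, "200.200.200.222", 80), "wan1", "internal")
    return outbound, inbound
```

Calling `build_firewall(fixedport=False)` shows the difference the CLI setting makes: the same outbound flow leaves with a port taken from the ephemeral range instead of the original 1025, which matters for protocols whose peers expect a specific source port.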


    Local-In Firewall Policies

    Policies designed for traffic that terminates on the FortiGate unit itself, for example central management, update announcements and NetBIOS forwarding

    The destination address of a local-in firewall policy is limited to the FortiGate interface IP and secondary IP addresses

    Local-in firewall policies can be created for IPv4 and IPv6 (CLI only)


    Threat Management

    Threat Management: Client Reputation


    UTM Proxy Options - File Size

    (Figure: Firewall Policy > Enable UTM > UTM Proxy Options > Oversize File/Email: Pass or Block, with a size Threshold)

    File size is checked against preset thresholds

    If the file is larger than the threshold (Policy > UTM Proxy Options > Common Options > Block Oversized File/Email > Threshold) and the action is set to block, the file is rejected

    If the file is larger than the threshold and the action is set to allow, the uncompressed file must fit within the memory buffer; if it does not, by default no further scanning operations are performed


    Traffic Shapers

    (Figure: Shared Traffic Shaper and Per-IP Traffic Shaper, each with Guaranteed Bandwidth and Maximum Bandwidth values)

    Traffic shapers apply Guaranteed Bandwidth and Maximum Bandwidth values to the addresses affected by a policy

    Shared Traffic Shaper: the values are shared between all IP addresses affected by the policy

    Per-IP Traffic Shaper: the values are applied to each IP address affected by the policy


    DoS Policies

    (Figure: DoS Policy evaluated before Firewall Policy)

    DoS policies identify network traffic that does not fit known or common patterns of behavior; if the traffic is determined to be an attack, the action configured in the DoS sensor is taken

    DoS policies are applied before firewall policies; if traffic passes the DoS sensor, it continues to the firewall policies
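The ordering described above, DoS sensor first and firewall policies only for what the sensor lets through, as an added Python illustration (not FortiOS code and not from the original guide). The sensor with its two anomalies, the per-second thresholds, the two firewall policies and the packet records are all constructed for the example; the anomaly names only follow the FortiOS naming pattern.

```python
from collections import Counter, defaultdict

# Constructed DoS sensor: anomaly -> per-source packets-per-second threshold and action.
DOS_SENSOR = {
    "tcp_syn_flood": {"threshold": 5, "action": "block"},
    "udp_flood": {"threshold": 10, "action": "pass"},   # pass = log only, traffic continues
}

# Constructed firewall policies, consulted only for traffic the DoS sensor lets through.
FIREWALL_POLICIES = [
    {"id": 1, "dport": 80, "action": "accept"},
    {"id": 2, "dport": 53, "action": "accept"},
]


def classify(pkt):
    """Map a packet to the anomaly counter it contributes to (None if not rate-limited)."""
    if pkt["proto"] == "tcp" and pkt["flags"] == "S":
        return "tcp_syn_flood"
    if pkt["proto"] == "udp":
        return "udp_flood"
    return None


def evaluate(packets):
    """Run each packet through the DoS sensor first, then the firewall policy list."""
    counters = defaultdict(int)    # (anomaly, source, one-second bucket) -> packets seen
    results = []
    for pkt in packets:
        anomaly = classify(pkt)
        if anomaly:
            key = (anomaly, pkt["src"], int(pkt["ts"]))
            counters[key] += 1
            over = counters[key] > DOS_SENSOR[anomaly]["threshold"]
            if over and DOS_SENSOR[anomaly]["action"] == "block":
                results.append({"stage": "dos", "verdict": "dos_drop",
                                "anomaly": anomaly, "src": pkt["src"]})
                continue   # dropped by the sensor: never reaches the firewall policies
        policy = next((p for p in FIREWALL_POLICIES if p["dport"] == pkt["dport"]), None)
        if policy is None:
            results.append({"stage": "policy", "verdict": "policy_deny", "src": pkt["src"]})
        else:
            results.append({"stage": "policy", "verdict": policy["action"],
                            "policy_id": policy["id"], "src": pkt["src"]})
    return results


def summarize(results):
    """Count verdicts, which is what a DoS log or policy monitor would show."""
    return dict(Counter(r["verdict"] for r in results))


def sample_packets():
    """Constructed traffic: a 7-packet SYN burst from one host plus two ordinary packets."""
    pkts = [{"ts": 1.0 + i / 10, "src": "10.0.0.5", "proto": "tcp", "flags": "S", "dport": 80}
            for i in range(7)]
    pkts.append({"ts": 1.5, "src": "10.0.0.6", "proto": "tcp", "flags": "S", "dport": 80})
    pkts.append({"ts": 1.6, "src": "10.0.0.6", "proto": "tcp", "flags": "A", "dport": 22})
    return pkts
```

With the sample traffic the first five SYNs from 10.0.0.5 pass the sensor and are accepted by policy 1, the sixth and seventh exceed the threshold and are dropped before any policy lookup, and the packet to port 22 reaches the policy list and is denied there because no policy matches.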


    Endpoint Control

    (Figure: endpoint checks: is the client up to date? Is disallowed software installed?)


    Firewall Object Usage

    Allows for faster changes to settings. The Reference column allows administrators to determine where an object is being used and to navigate directly to the appropriate edit page


    Object Tagging

    Simplifies firewall policy object management; useful for administering multiple VDOMs because it is easier to find and access specific firewall policies within specific VDOMs

    Available for firewall policies, address objects, IPS predefined signatures and application entries/filters

    Tagged objects can carry useful organizational information


    Monitor

    View policy usage by active sessions, bytes or packets (Policy > Monitor > Policy Monitor)


    Labs

    Lab 1: Firewall Policy
        Ex 1: Creating Firewall Objects and Rules
        Ex 2: Policy Action
        Ex 3: Configuring Virtual IP Access
        Ex 4: Configuring IP Pools

    (OPTIONAL) Lab 2: Traffic Log
        Ex 1: Enabling Traffic Logging
        Ex 2: Device Policies


    Classroom Lab Topology


    Module 4: Local User Authentication


    Module Objectives

    By the end of this module participants will be able to:
        Describe the authentication mechanisms available through the FortiGate device
        Create local users and user groups
        Create identity-based policies to enable local user authentication
        Monitor active users
        Check authentication log entries


    Authentication


    The identity of users and host computers must be established to ensure that only authorized parties can access the network. The FortiGate unit provides network access control and applies authentication to users of firewall policies and to VPN clients


    Local User Authentication

    Local user authentication is based on usernames and passwords stored locally on the FortiGate unit

    An administrator creates local user accounts on the FortiGate device; for each account, a user name and password are stored. Two-factor authentication can be enabled on a per-user basis


    User Authentication via Remote Server

    The FortiGate unit must be configured to access the external servers used to authenticate the users. Administrators can either create an account for the user locally and specify the server that verifies the password, or add the authentication server to a user group, in which case all users on that server become members of the group

    (Figure: remote users authenticated against LDAP, Directory Services, TACACS+ or RADIUS servers, or by digital certificates)


    User Groups

    (Figure: Firewall User Group; Directory Service User Group backed by Active Directory; Guest User Group, for example Paris Visitors)

    User groups are assigned one of four group types: Firewall, Fortinet Single Sign On (FSSO), Guest and RADIUS Single Sign On (RSSO). Firewall user groups provide access to firewall policies that require authentication. Directory Service user groups are used to allow single sign on for Active Directory or Novell eDirectory users


    Identity-Based Policies

    (Figure: Policy > Enable Identity Based Policy; each Authentication Rule specifies User/Group, Services, Schedules, Logging, Threat management and Traffic Shaping)

    Identity-based policies are enabled to require firewall authentication. Authentication rules identify the users and user groups that will be forced to authenticate, and also define other aspects of authentication, including services, schedules, UTM, logging and traffic shaping


    Disclaimers

    (Figure: Policy > Enable Disclaimer)

    Displays the Disclaimer Agreement page before the user authenticates. The user must accept the disclaimer to proceed with the authentication process; once authenticated, the user is directed to the original destination


    Authentication Timeout

    Timeout values specify how long an authenticated connection can be idle before the user must authenticate again

    User Authentication Timeout controls the firewall authentication timer; the default value is 5 minutes

    SSL VPN Idle Timeout controls the SSL VPN user authentication timer; the default value is 300 seconds (5 minutes)


    Password Policy

    Minimum Length: 8 to 64 characters
    Must Contain: uppercase letters, lowercase letters, numerical digits, non-alphanumeric characters
    Password Expiration: X days
    Apply to: Administrators, IPSec Preshared Key

    Set a password policy to enforce higher standards for both the length and complexity of passwords. Policies can be applied to administrator passwords and IPSec VPN preshared keys
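The policy options listed above, expressed as an added Python checker so the rules can be tried against candidate passwords and preshared keys; this is not FortiOS code and not part of the original guide. The class name, the 90-day default standing in for the slide's "X days", and the rule wording are assumptions; the 8 to 64 character range and the four character classes come from the slide.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """Password policy with the options shown on the slide (added example, not FortiOS code)."""
    min_length: int = 8               # the slide allows a minimum of 8 to 64 characters
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True        # non-alphanumeric character
    expire_days: Optional[int] = 90    # assumption standing in for "X days"; None disables expiry

    def __post_init__(self):
        if not 8 <= self.min_length <= 64:
            raise ValueError("min_length must be between 8 and 64")

    def violations(self, secret: str) -> List[str]:
        """Rules the secret breaks; an empty list means it is accepted.

        The same check applies to an administrator password and to an IPSec preshared key.
        """
        checks = [
            (len(secret) < self.min_length, f"shorter than {self.min_length} characters"),
            (self.require_upper and not re.search(r"[A-Z]", secret), "no uppercase letter"),
            (self.require_lower and not re.search(r"[a-z]", secret), "no lowercase letter"),
            (self.require_digit and not re.search(r"[0-9]", secret), "no numerical digit"),
            (self.require_symbol and not re.search(r"[^A-Za-z0-9]", secret),
             "no non-alphanumeric character"),
        ]
        return [message for failed, message in checks if failed]

    def is_expired(self, last_changed: date, today: date) -> bool:
        """True once the configured number of days has elapsed since the last change."""
        if self.expire_days is None:
            return False
        return today - last_changed >= timedelta(days=self.expire_days)
```

Returning the full list of violations rather than a single boolean is what an administrator wants from such a check: the message tells the user which requirement to fix instead of forcing guesswork.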


    Two-Factor Authentication

    A one-time password can be delivered to the user through various methods:
        FortiToken: every 60 seconds the token generates a 6-digit code based on a unique serial number, a seed and GMT time
        Email: the one-time password is sent to the user's configured email address after successful password authentication
        SMS phone message: the one-time password is sent through email to the user's SMS provider; the email address pattern varies by provider
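The time-based code generation described for FortiToken (a 6-digit code every 60 seconds from a seed and GMT time), shown as an added Python example of the standard HOTP/TOTP construction (RFC 4226 and RFC 6238) with a 60-second period. This is an illustration of the technique, not Fortinet's token implementation or any code from the guide; that FortiToken uses exactly this algorithm is not stated on the page and is an assumption. The function names and the drift window are the example's own.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, period: int = 60, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of whole periods since the epoch (GMT)."""
    return hotp(seed, unix_time // period, digits)


def verify(seed: bytes, code: str, unix_time: int, period: int = 60, drift: int = 1) -> bool:
    """Server-side check that tolerates +/- drift periods of clock skew.

    Each candidate is compared in constant time; the window is the usual
    compromise between clock drift on the token and replay exposure.
    """
    counter = unix_time // period
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-drift, drift + 1))
```

The test uses the published RFC test seed so the values can be cross-checked against the RFC tables; in practice the seed is a per-token secret that only the token and the authenticator hold, and `verify` should additionally refuse a code that has already been accepted within its window.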


    Policy Configuration


    User Monitor

    Displays logged-in users, groups, the policy ID being used, time left before the inactivity timeout, IP address, the amount of traffic sent by the user, and the authentication method. Also used to terminate authentication sessions


    Labs

    Lab 1: User Authentication
        Ex 1: Identity-based Firewall Policy


    Classroom Lab Topology


    Module 5: SSL VPN


    Module Objectives

    By the end of this module participants will be able to:
        Identify the VPN technologies available on the FortiGate device
        Configure the SSL VPN operating modes
        Define user restrictions
        Set up SSL VPN portals
        Configure firewall policies and authentication rules for SSL VPNs


    Virtual Private Networks (VPN)

    A secure tunnel over an insecure network, used when there is a need to transmit private data over a public network. PC-based, suitable for use when traveling


    FortiGate VPN

    SSL VPN: typically used to secure web transactions. An HTTPS link is created to securely transmit application data between client and server. The client signs on through a secure web page (the SSL VPN portal) on the FortiGate device

    IPSec VPN: well suited for network-based legacy applications. A secure tunnel is created between two host devices. IPSec VPN can be configured between a FortiGate unit and most third-party IPSec VPN devices or clients


    SSL VPN Web-Only Mode

    1. Connection of remote user to SSL VPN portal (HTTPS web site)
    2. Tunnel created
    3. User authentication
    4. Portal web page presented
    5. Click bookmark to access resource

    SSL VPN Tunnel Mode

    1. Connection of remote user to SSL VPN portal (HTTPS web site)
    2. Tunnel created
    3. Authenticate
    4. Portal web page presented
    5. Access resources


    User Groups

    Web mode and tunnel mode both require a firewall policy for authentication; tunnel mode requires additional policies to allow internal network access. The mode(s) a user has access to is determined by the authentication policy, which also determines the portal page users are presented

    Authentication

    Username and password (one factor)
    Username and password + FortiToken (two factor)


    SSL VPN Server Certificate

    A certificate is presented to the client initiating the SSL VPN session; the FortiGate device uses a self-signed certificate by default

    Use certificates issued by a trusted Certificate Authority to avoid web browser security warnings


    Encryption Key Algorithm

    Level of encryption used for SSL VPN connections: High, Default or Low

    The default setting is RC4 (128 bits) and higher. If set to High, SSL VPN connections with clients that cannot meet this standard will fail


    Web Portal Interface

    Web page displayed when a client logs into the SSL VPN. Includes widgets to access functionality on the portal (such as bookmarks and connection tools) and a software download option for tunnel mode. The default SSL VPN web portal page is accessible at: https://


    Full-Access Web Portal Interface


    Tunnel Mode Split-Tunneling

    Only traffic destined for the tunnel IP range network will be routed over the SSL VPN

    If access to another inside network is desired, the client will need to create a static route pointing to its own SSL VPN interface, and the associated firewall policies must exist


    Client Integrity Checking

    The SSL VPN gateway checks the client system: it detects client protection applications (for example, antivirus and personal firewall) and determines the state of those applications (active/inactive, current version number and signature updates)

    Examples include: Cisco Network Admission Control (NAC), MS Network Access Protection (NAP), Trusted Computing Group's (TCG) Trusted Network Connect


    Client Host Checking

    Relies on external vendors to ensure client integrity (not implemented by all SSL VPN vendors). Requires administrators to determine the appropriate version/signature versions and policy; easily outdated, limiting the protection provided

    Checks whether the required software is installed on the connecting PC; otherwise the connection is refused (CLI only):

        config vpn ssl web portal
            edit (portal name)
                set host-check [av|av-fw|custom|fw]
                set host-check-interval [# seconds]
        end


    SSL VPN Tunnel Mode Connection

    A new network connection called fortissl is created; the connection obtains a virtual IP address

    This virtual adapter becomes the preferred default route if split tunneling is disabled

    The web portal page displays the status of the SSL VPN client ActiveX control

    The portal web page must remain open for the tunnel to function


    SSL VPN Client Port Forward

    Port Forward mode extends the applications supported by Web Application Mode

    Application types (some examples):
        PortForward: for generic port forward applications
        Citrix: for Citrix server web interface access
        RDPNative: for the Microsoft Windows native RDP client over port forward
        etc.


    SSL-VPN Policy De-Authentication

    The firewall policy authentication session is associated with the SSL VPN tunnel session

    Forces expiration of the firewall policy authentication session when the associated SSL VPN tunnel session is ended by the user. This prevents reuse of authenticated (not yet expired) SSL VPN firewall policies by a different user after the initial user terminates their SSL VPN tunnel session
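The reuse problem this feature closes, and the binding that closes it, modelled as an added Python example (not FortiOS code and not from the guide). The authentication table is keyed by client IP, as the slides' policy-by-IP behaviour implies; the 300-second timeout matches the SSL VPN idle timeout quoted earlier, while the table class, the tunnel identifier and the tunnel address 10.212.134.200 are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuthSession:
    user: str
    policy_id: int
    expires_at: int
    tunnel_id: Optional[str]    # SSL VPN tunnel this authentication is bound to, if any


class FirewallAuthTable:
    """Firewall authentication sessions keyed by client IP (the tunnel IP for SSL VPN users)."""

    def __init__(self, timeout: int = 300):      # 300 s: the default timeout quoted earlier
        self.timeout = timeout
        self.sessions: Dict[str, AuthSession] = {}

    def authenticate(self, user: str, ip: str, policy_id: int, now: int,
                     tunnel_id: Optional[str] = None) -> None:
        self.sessions[ip] = AuthSession(user, policy_id, now + self.timeout, tunnel_id)

    def user_for(self, ip: str, now: int) -> Optional[str]:
        """Which user the policy treats traffic from this IP as; None if no live session."""
        session = self.sessions.get(ip)
        if session is None:
            return None
        if now >= session.expires_at:            # idle timeout reached
            del self.sessions[ip]
            return None
        return session.user

    def tunnel_ended(self, tunnel_id: str) -> int:
        """Policy de-authentication: expire every session bound to the tunnel the user closed."""
        stale = [ip for ip, s in self.sessions.items() if s.tunnel_id == tunnel_id]
        for ip in stale:
            del self.sessions[ip]
        return len(stale)


def reuse_scenario(bind_to_tunnel: bool) -> Optional[str]:
    """Who the policy sees after the tunnel IP is handed to the next client."""
    table = FirewallAuthTable(timeout=300)
    tunnel_ip = "10.212.134.200"                 # constructed tunnel-pool address
    table.authenticate("alice", tunnel_ip, policy_id=7, now=0,
                       tunnel_id="tunnel-1" if bind_to_tunnel else None)
    table.tunnel_ended("tunnel-1")               # alice disconnects at t=10
    # at t=20, well before the 300 s timeout, the same tunnel IP goes to the next client
    return table.user_for(tunnel_ip, now=20)
```

Without the binding the next client inheriting the tunnel address is still treated as alice for the rest of the idle timeout; with it, the authentication entry disappears the moment her tunnel ends and the new client has to authenticate in its own right.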


    SSL VPN Access Modes

    Web Mode
        No client software required (web browser only)
        Reverse proxy rewriting of HTTP, HTTPS, FTP, SAMBA (CIFS)
        Java applets for RDP, VNC, TELNET, SSH

    Tunnel Mode
        Uses FortiGate-specific client downloaded to PC (ActiveX or Java applet)
        Requires admin/root privilege to install layer-3 tunnel adaptor

    Port Forward Mode
        Java applet works as a local proxy to intercept specific TCP port traffic, then encrypts it in SSL
        Downloaded to client PC and installed without admin/root privileges
        Client application must point to the Java applet


    Configuration

    Step 1: Configure the settings (IP pool, certificate, port) under VPN > SSL > Config
    Step 2: Configure your portals for user access (web or tunnel mode access, bookmarks) under VPN > SSL > Portal
    Step 3: Decide whether or not to use split tunneling (in the portal configuration)
    Step 4: Set up the firewall VPN policy for access


    Labs

    Lab 1: SSL VPN
        Ex 1: Configuring SSL VPN for Web Access
        Ex 2: Configuring SSL VPN for Tunnel Mode


    Classroom Lab Topology


    Module 6: IPSec VPN


    Module Objectives

    By the end of this module participants will be able to:
        Define the architectural components of IPSec VPN
        Define the protocols used as part of an IPSec VPN
        Identify the phases of Internet Key Exchange (IKE)
        Identify the FortiGate unit IPSec VPN modes
        Configure IPSec VPN on the FortiGate unit


    IPSec VPN

    (Figure: private network carried over IPSec: sender authenticated, data confidential, data has integrity)

    IPSec is a set of standard protocols and services used to encrypt data so that it cannot be read or tampered with as it travels across a network

    Provides: authentication of the sender; confidentiality of data; proof that data has not been tampered with


    IPSec VPN

    IPSec VPN operates at the network layer (layer 3): encryption occurs transparently to the upper layers, so applications do not need to be designed to use IPSec

    IPSec VPN can protect upper layer protocols (such as TCP), but the complexity and overhead of the exchange is increased; for example, IPSec cannot depend on TCP to manage reliability and fragmentation


    Internet Key Exchange

    Internet Key Exchange (IKE) allows the parties involved in a transaction to set up their Security Associations. Phase 1 authenticates the parties involved and sets up a secure channel to enable the key exchange; Phase 2 negotiates the IPSec parameters that define an IPSec tunnel


    Phase 1

    IKE Phase 1 performs the following:
        Authenticates and protects the parties involved in the IPSec transaction (can use pre-shared keys or digital certificates)
        Negotiates a matching SA policy between the peers to protect the exchange
        Performs a Diffie-Hellman exchange; the keys derived from this exchange are used in Phase 2
        Sets up a secure channel to negotiate Phase 2 parameters


    Defining Phase 1 Parameters

    KB IDs: 1165713574


    Phase 2

    IKE Phase 2 performs the following:
        Negotiates IPSec SA parameters, protected by the existing IKE SA
        Renegotiates IPSec SAs regularly to ensure security
        Optionally, an additional Diffie-Hellman exchange may be performed


    Defining Phase 2 Parameters


    Interface Mode

    Creates a virtual IPSec network interface that applies encryption or decryption as needed to any traffic that it carries; also known as route-based

    Create two firewall policies between the virtual IPSec interface and the interface that connects to the private network; the firewall policy action is ACCEPT

    Needs static routes over the VPN tunnels

    Required if dynamic routing, GRE over IPSec or altering of the incoming subnet is needed


    Tunnel Mode

    Easy to configure: a single internal-to-external firewall policy supports bi-directional traffic

    The policy action is IPSec with the Phase 1 tunnel selected. IPSec policies should be located first in your policy list; this mode is vulnerable to errors in quick modes or policies, so the order of policies is very important


    Tunnel Versus Interface Mode

    Tunnel Mode
        Less configuration involved
        Dependent on policy order for proper operation
        Less granular

    Interface Mode
        Required for GRE over IPSec
        Required if manipulation of packet source IPs is necessary
        Required to have the FortiGate unit participate in dynamic routing communication over the IPSec connection
        More control


    Overlapping Subnets

    Site-to-site route-based VPN configurations sometimes experience a problem where the private subnet addresses at each end of the connection are the same

    Use NAT with an IP pool: after a tunnel is established, hosts on each side can communicate with hosts on the other side using the mapped IP addresses

    Interface mode can NAT both the incoming and outgoing traffic; tunnel mode can only NAT outgoing traffic


    IPSec Topologies (Site-to-Site)

    (Figure: site-to-site tunnel between Headquarters and Branch office)


    IPSec VPN Monitor

    Monitor activity on IPSec VPN tunnels: stop and start tunnels; display address, proxy IDs and timeout information

    A green arrow indicates that the negotiations were successful and the tunnel is UP; a red arrow means the tunnel is DOWN or not in use


    Configuration

    Step 1: Configure Phase 1: choose the interface to listen on for connections, the remote location and the advanced options (DH Group, XAUTH, ..)
    Step 2: Configure Phase 2: multiple Phase 2s are possible on a single Phase 1 tunnel
    Step 3: Create the firewall VPN policy(s): more than one policy may be needed to allow all the access required


    Labs

    Lab 1: IPSec VPN
        Ex 1: Site to Site IPSec VPN


    Classroom Lab Topology


    Module 7: Antivirus


    Module Objectives

    By the end of this module participants will be able to:
        Describe conserve mode conditions and AV system behavior
        Define the virus scanning techniques used on the FortiGate unit
        Identify the differences between file-based and flow-based virus scanning
        Configure quarantine options
        Define firewall policies using antivirus profiles
        Update FortiGuard Services


    Conserve Mode

    What is conserve mode? A system self-protection measure when facing local resource exhaustion

    When entering conserve mode the FortiGate unit activates protection measures in order to recover memory space

    Once enough memory is recovered, the system leaves the conserve mode state and releases the protection measures

    Two types: regular and kernel. Search for conserve mode at: http://kb.fortinet.com (KB Article IDs: FD33103, 11076, 10209)


    Regular conserve mode is depletion of shared memory, which is used mainly by proxies (to store the buffered data) but also by buffers (logging, quarantining)

    Impact (configurable): established sessions remain unchanged; new sessions are not inspected

    The fail-open action applies to stream-based and proxy-based inspection


    AV Fail-Open

    There are currently two conditions that can cause the FortiGate unit to operate in AV fail-open mode: the system is low on memory and has entered conserve mode, or the individual proxy pool is full (no free connections are available)

    With the first condition, low memory, the av-failopen setting is applied; the default for this setting is Pass


    The system enters conserve mode when the amount of free shared memory is less than approximately 20%, and goes back to non-conserve mode when this value increases to approximately 30%; the log entry details the actual amount of memory

        config system global
            set av-failopen {idledrop | off | one-shot | pass}
        end

    idledrop: drop idle connections
    off: off
    one-shot: one-shot
    pass: pass


    The second condition occurs when the individual proxy pool is full; the action depends on the av-failopen-session setting (default: disable)

    If av-failopen-session is enabled and the number of free connections in the proxy connection pool reaches zero, the protocol reverts to the av-failopen setting

    If av-failopen-session is disabled and the limit is reached, all sessions for that proxy are blocked
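The two fail-open conditions from the three AV Fail-Open slides above, including the 20%/30% hysteresis for entering and leaving conserve mode, as an added Python model; this is not FortiOS code and not part of the guide. The class, the pool size and the session outcomes are constructed for the illustration. Only the `off` and `pass` values of av-failopen are modelled faithfully: `one-shot` and `idledrop` are treated like `pass` here, which is a simplifying assumption.

```python
class ProxyInspection:
    """Models when a new session is inspected, passed unscanned, or blocked.

    Thresholds are the approximate values quoted on the slides; the hysteresis
    gap is what keeps the unit from flapping in and out of conserve mode.
    """

    ENTER_CONSERVE_PCT = 20   # enter conserve mode below this much free shared memory
    LEAVE_CONSERVE_PCT = 30   # leave it only once free memory climbs above this

    def __init__(self, av_failopen: str = "pass", av_failopen_session: bool = False,
                 pool_size: int = 2):
        self.av_failopen = av_failopen                  # default on the slides: pass
        self.av_failopen_session = av_failopen_session  # default on the slides: disable
        self.pool_size = pool_size       # size of this proxy's connection pool (constructed)
        self.active = 0                  # connections currently held by the proxy
        self.conserve = False

    def update_memory(self, free_shared_pct: float) -> bool:
        """Apply the conserve-mode hysteresis and return the resulting state."""
        if not self.conserve and free_shared_pct < self.ENTER_CONSERVE_PCT:
            self.conserve = True
        elif self.conserve and free_shared_pct > self.LEAVE_CONSERVE_PCT:
            self.conserve = False
        return self.conserve

    def _failopen_action(self) -> str:
        # 'off' blocks the session; the other values let it through without scanning
        return "blocked" if self.av_failopen == "off" else "pass-uninspected"

    def new_session(self) -> str:
        """Outcome for a new session that needs proxy inspection."""
        if self.conserve:                        # condition 1: low memory
            return self._failopen_action()
        if self.active >= self.pool_size:        # condition 2: proxy pool full
            if self.av_failopen_session:
                return self._failopen_action()   # falls back to the av-failopen setting
            return "blocked"
        self.active += 1
        return "inspected"

    def session_closed(self) -> None:
        self.active = max(0, self.active - 1)
```

The practical point the model makes visible is that `av-failopen off` trades availability for safety (new sessions are refused while memory is short), while the default `pass` trades the other way; whichever is chosen, the log entry written on entering conserve mode is the signal to watch for.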

    Antivirus

    Detect and eliminate viruses, worms, Trojans and spyware in real time; stop threats before they enter the network

    Scans HTTP and FTP traffic as well as incoming and outgoing SMTP, POP3 and IMAP email

    Internet Content Adaptation Protocol (ICAP) support: the FortiGate unit acts as an ICAP client to communicate with ICAP servers, which the FortiGate unit can use to offload AV scanning services. First enable ICAP in Admin Settings, then configure it under UTM Security Profiles > ICAP


    Antivirus Scanning Order

    (Figure: antivirus scanning order: file size, file name pattern (for example .jpg), file type, virus scan, grayware, heuristics)


    Proxy-Based Scanning

    The antivirus proxy buffers the file as it arrives; once the transmission is complete, the virus scanner examines the file

    Higher detection and accuracy rate

    Comfort Clients (client comforting) can be used to avoid timeouts


    Flow-Based Scanning

    The file is scanned on a packet-by-packet basis as it passes through the FortiGate unit

    Faster scanning, but a lower accuracy rate; difficulty in catching virus variants

    Only available on certain models; non-proxy scanning


    Virus Scanning

    (Figure: virus database options: Regular, Extended, Extreme, Flow-based)


    Unknown Viruses

    Sometimes a virus may go undetected because it is not in the signature database. To submit a virus go to: http://www.fortiguard.com/antivirus/virus_scanner.html


    Known Virus

    Sometimes viruses will get through because the proper antivirus scan options are not enabled; the FortiGuard Subscription Service contains information on which database a virus is in


    Heuristics Scanning

    (Figure: virus-like attribute + virus-like attribute + virus-like attribute > heuristic threshold = suspicious)

    The FortiGate unit tests for virus-like behavior: virus-like attributes are totaled and, if the total is greater than a threshold, the file is marked as suspicious. Use the CLI command to block suspicious files

    Possibility of false positives


    Antivirus Profiles


    UTM Proxy Options


    Quarantine

    (Figure: quarantine destinations: FortiAnalyzer or local hard drive)

    Infected, blocked or suspicious files can be quarantined to the hard drive on the FortiGate unit or to the FortiAnalyzer device. Files are quarantined based on their protocol, and information regarding quarantined files is displayed in the logs

    90

    For R

    eview

    Only

  • Course 201 - Administration, Content Inspection and VPNs Antivirus

    01-50000-0201-20130215-C

    19

    Logs

    20

    Labs

    Lab 1: Antivirus Scanning Ex 1: Antivirus Testing

    91

    For R

    eview

    Only

  • Course 201 - Administration, Content Inspection and VPNs Antivirus

    01-50000-0201-20130215-C

    21

    Classroom Lab Topology

    92

MODULE 8: Email Filtering

2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C

Module Objectives

By the end of this module participants will be able to:
• Identify the email filtering methods used on the FortiGate device
• Configure banned word, IP address and email address filters
• Define firewall policies using email filter profiles
• Identify the differences between the email filtering capabilities of the FortiGate and FortiMail units

Email Filtering

• FortiGate unit can detect and manage spam email (is it SPAM?)

Spam Actions

Tag: "Subject: Free Stuff" becomes "Subject: [SPAM] Free Stuff"
Discard

• Tag to add a custom phrase/word to the subject line, or a MIME header and value to the body of an email message, for use in back end or client filtering
• Discard to immediately drop the SMTP connection if spam is detected

Email Filtering Methods

• The FortiGate unit uses a number of techniques to help detect spam
• Some use the FortiGuard Antispam service and require a subscription
• Others use DNS servers or filters created on the device
• Heuristic check
• Manually configured options

Email Filtering Order (SMTP)

Checks, as laid out on the slide's flow chart:
• IP BWL Check
• DNSBL & ORDBL
• FortiGuard IP
• HELO DNS
• MIME Header
• Email BWL
• IP BWL Check (Receive Header)
• Banned word (on Subject)
• Return Email DNS
• FortiGuard URL
• FortiGuard Checksum
• DNSBL & ORDBL (Receive Header)
• Banned word (on Body)
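The filtering order and the two spam actions, as an added example that is not code from the guide or from Fortinet: a small Python model that runs three of the checks listed above in the slide's order (IP BWL, then MIME header, then email BWL) on a constructed message, lets the first matching entry decide, and then applies either the Tag action (prefix the Subject and add a MIME header for downstream filtering) or the Discard action. The profile entries, the sample messages, the `X-Spam-Flag` header name and the `[SPAM]` tag text are all assumptions made for the example.

```python
import fnmatch
import ipaddress
import re
from email import message_from_string

# Constructed sample messages (not from the guide); addresses use reserved
# example domains and the RFC 5737 documentation IP ranges.
BULK_MSG = """From: promo@spammer.example
To: student@classroom.example
Subject: Free Stuff
X-Mailer: BulkBlaster 2.0

Visit our site for great prices.
"""

PLAIN_MSG = """From: newsletter@spammer.example
To: student@classroom.example
Subject: Free Stuff

Visit our site for great prices.
"""

# Constructed filter profile. The lists are consulted in the order the slide
# gives for SMTP (IP BWL, MIME header, email BWL); the first entry that
# matches decides: "spam" applies the spam action, "clear" means not spam
# and no later check is consulted.
IP_BWL = [("203.0.113.0/24", "spam"), ("198.51.100.10", "clear")]
MIME_HEADERS = [("X-Mailer", r"^BulkBlaster", "spam")]
EMAIL_BWL = [("*@trusted.example", "clear"), ("*@spammer.example", "spam")]


def check_ip_bwl(sender_ip, msg):
    """IP BWL: match the connecting IP against address/network entries."""
    ip = ipaddress.ip_address(sender_ip)
    for entry, action in IP_BWL:
        if ip in ipaddress.ip_network(entry, strict=False):
            return action
    return None


def check_mime_headers(sender_ip, msg):
    """MIME header check: regular expression on a named header's value."""
    for header, pattern, action in MIME_HEADERS:
        value = msg.get(header)
        if value is not None and re.search(pattern, value):
            return action
    return None


def check_email_bwl(sender_ip, msg):
    """Email BWL: wildcard match on the sender address."""
    sender = msg.get("From", "").strip().lower()
    for pattern, action in EMAIL_BWL:
        if fnmatch.fnmatch(sender, pattern.lower()):
            return action
    return None


CHECKS = [check_ip_bwl, check_mime_headers, check_email_bwl]


def classify(sender_ip, raw):
    """Run the checks in order; the first definite verdict wins."""
    msg = message_from_string(raw)
    for check in CHECKS:
        verdict = check(sender_ip, msg)
        if verdict is not None:
            return verdict, msg
    return "clear", msg


def apply_spam_action(sender_ip, raw, action="tag", tag="[SPAM]"):
    """Return (disposition, message). Tag rewrites the Subject and adds a MIME
    header for back-end or client filtering; Discard drops the message (the
    unit would drop the SMTP connection) and returns no message."""
    verdict, msg = classify(sender_ip, raw)
    if verdict != "spam":
        return "deliver", msg
    if action == "discard":
        return "discard", None
    msg.replace_header("Subject", f"{tag} {msg['Subject']}")
    msg["X-Spam-Flag"] = "YES"
    return "deliver", msg
```

The second call in the test below shows why order matters: a "clear" entry in the IP BWL stops evaluation, so the suspicious `X-Mailer` header is never examined for that sender.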

Email Filtering Order (POP3 and IMAP)

Checks, as laid out on the slide's flow chart:
• MIME Header
• Email BWL
• Banned Word (on Subject)
• IP BWL Check
• Banned word (on Body)
• Return Email DNS
• FortiGuard IP
• FortiGuard URL
• FortiGuard Checksum
• DNSBL & ORDBL

FortiGuard IP Address Check

• Connecting IP address is checked
• FortiGuard is a reputation database
• IP behavior is tracked
• More queries about an IP's activity to the FortiGuard network makes the reputation worse
• IPs have a score 1-9
• 1 is permanently black listed
• 9 is permanently white listed (Fortinet Server IPs only)
• Less than 3 is considered spam

FortiGuard URL and Email Address Check

• What language or character set is the email in? KB Article ID: FD32502

Example message: "Visit our web site at www.acme.com to learn more about this great offer or send an email to [email protected]."

FortiGuard Email Checksum Check

Example message: "Our online pharmacy offers great prices on all your prescription medications." -> hash

• The FortiGate unit sends a hash of the email message to the FortiGuard Antispam Service
• FortiGuard Antispam Service compares the hash received to hashes of known spam messages

IP Address Black/White List (BWL)

• The FortiGate unit compares the IP address of the sender of an email message to the IP addresses specified in the email filter profile
• An administrator can add to or edit the IP addresses and configure the action to take
• Possible actions on a match: Spam (use spam action), Clear (consider Not Spam), Reject (SMTP Only)

Email Address Black/White List (BWL)

From: [email protected] -> Mark as Clear / Mark as Spam

• The FortiGate unit compares the email address of the sender of an email message to the email addresses specified in the email filter profile
• An administrator can add to or edit the email addresses and configure the action to take
• Wild card and regular expressions can be used to define the email address

HELO DNS Lookup

Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2012 02:27:02 -0000

• Performs an A record lookup of SMTP HELO details to confirm it resolves to an IP address
• Domain specified in the email should resolve to an IP
• Does NOT perform any kind of comparison to the sender's IP

Return Email DNS Check

• Confirms that the sending email domain from the reply-to field resolves to an IP address
• Domain the email gets sent to should resolve to an IP
• Does NOT perform any kind of comparison to the sender's IP
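How the HELO DNS lookup and the Return Email DNS check decide, as an added example that is not code from the guide or from FortiOS, with the DNS lookup replaced by a constructed in-memory A-record table so the block runs offline. The sample Received, From and Reply-To headers are constructed. The third message illustrates the caveat both slides make: a HELO name that resolves passes the check even though the connecting IP is not the address it resolves to, because no comparison with the sender's IP is performed.

```python
import re
from email import message_from_string

# Constructed A-record table standing in for real DNS. Names absent from the
# table behave like NXDOMAIN.
FAKE_A_RECORDS = {
    "mail.acme.example": "10.10.10.1",
    "acme.example": "192.0.2.10",
}

# Received header in the layout shown on the slide:
#   Received: from <HELO name> (<connecting IP>) by <our host> with SMTP; <date>
RECEIVED_RE = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?P<ip>[^)]+)\)", re.IGNORECASE)

# Constructed sample messages (not from the guide).
RESOLVING_MSG = """Received: from mail.acme.example (10.10.10.1) by classroom.example with SMTP; 30 Sep 2012 02:27:02 -0000
From: offers@acme.example
Reply-To: sales@acme.example
Subject: Great offer

Body
"""

UNRESOLVABLE_MSG = """Received: from bogus-host.invalid (203.0.113.9) by classroom.example with SMTP; 30 Sep 2012 02:27:02 -0000
From: offers@nonexistent.invalid
Subject: Great offer

Body
"""

# HELO name resolves, but the connecting IP is not the address it resolves to.
MISMATCH_MSG = """Received: from mail.acme.example (203.0.113.9) by classroom.example with SMTP; 30 Sep 2012 02:27:02 -0000
From: offers@acme.example
Subject: Great offer

Body
"""


def resolve_a(name):
    """Stand-in for an A record query: the address, or None if it does not resolve."""
    return FAKE_A_RECORDS.get(name.lower().rstrip("."))


def parse_received(raw):
    """Extract (HELO name, connecting IP) from the first Received header."""
    msg = message_from_string(raw)
    m = RECEIVED_RE.match(msg.get("Received", "").strip())
    if not m:
        return None, None
    return m.group("helo"), m.group("ip")


def helo_dns_check(raw, resolve=resolve_a):
    """Pass if the HELO name has an A record. The connecting IP is parsed but,
    exactly as the slide states, never compared with the resolved address."""
    helo, _connecting_ip = parse_received(raw)
    return helo is not None and resolve(helo) is not None


def return_email_dns_check(raw, resolve=resolve_a):
    """Pass if the domain of the Reply-To address (From when there is no
    Reply-To) resolves to an address."""
    msg = message_from_string(raw)
    addr = msg.get("Reply-To") or msg.get("From", "")
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m is not None and resolve(m.group(1)) is not None
```

Because neither check ties the name to the connecting address, they only catch senders whose HELO or reply domain does not exist at all; they are a sanity check, not sender authentication.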

Banned Word Check

Example message: "Let us fill all your prescription drugs. Visit our online pharmacy for great prices on prescription medications. We offer the widest selection of popular drugs."

Banned words:
• Drugs: Score = 10
• Pharmacy: Score = 5
• Prescription: Score = 5
Threshold = 18
10 + 5 + 5 = 20

• FortiGate unit blocks email based on words or patterns in the message
• A weight is assigned to any banned words in the message
• If threshold is exceeded, the message is marked as spam
• Can define Banned words using Wildcards and regular expressions

MIME Headers Check

• The FortiGate unit can check the MIME header information of incoming email messages
• If a match is found in the header list configured on the device, the corresponding action is taken
• Configured through CLI only: config spamfilter mheader

DNSBL and ORDBL Check

• The FortiGate unit can compare the IP address or domain name of incoming email messages against third-party DNSBL and ORDBL lists
• Match IP addresses or domain names of known spammers
• Configured through CLI only: config spamfilter dnsbl, config spamfilter ordbl

Request Removal From FortiGuard

• Spam filtering is best effort so there can be false positives that occur periodically
• Submit details to the Spam department at: www.fortiguard.com/antispam/antispam.html

FortiGuard Email Filtering Options

Cache contents (example): IP address: 10.10.10.1; URL: www.acme.com; Message checksum: x65Fsd34c

• Caching reduces FortiGuard requests; can improve performance
• Small % of system memory dedicated to cache
• Query results cached until TTL setting is reached
• Alternate port 8888 for access to FortiGuard servers

Email Filter Profile

Labs

Lab 1: Email Filtering
Ex 1: Configuring FortiGuard AntiSpam

Classroom Lab Topology

MODULE 9: Web Filtering

Module Objectives

By the end of this module participants will be able to:
• Identify the web filtering mechanisms used on the FortiGate device
• Create web content and URL filters
• Configure FortiGuard Web Filtering
• Configure FortiGuard Web Filtering exemptions and rating overrides
• Define firewall policies using web filter profiles

Web Filtering

• Means of controlling the web content that a user is able to view
• Preserve employee productivity
• Prevent network congestion where valuable bandwidth is used for non-business purposes
• Prevent loss or exposure of confidential information
• Decrease exposure to web-based threats
• Limit legal liability when employees access or download inappropriate or offensive material
• Prevent copyright infringement caused by employees downloading or distributing copyrighted materials
• Prevent children from viewing inappropriate material

Proxy-Based Web Filtering

• Proxy based solution that communicates between client and server
• Inspects full URL
• Allows for customizable block pages to display when sites are prevented
• Most resource intensive option
• Lowest throughput
• Most options available in Advanced section

Proxy-Based Web Filtering

• Select inspection mode in web filter profile

Flow-Based Web Filtering

• Non-proxy solution that uses IPS engine to perform inspection
• High throughput
• Inspects full URL
• FortiGuard Web Filtering override will not apply when flow-based inspection is enabled
• Few Advanced options available

Flow-Based Web Filtering

• Select inspection mode in web filter profile

DNS-Based Web Filtering

• DNS-proxy solution that uses DNS queries to decide access
• DNS queries redirected to FortiGuard SDNS server
• Very lightweight
• SSL inspection never required
• Cannot inspect URL, only hostname (DNS)
• Supports URL Filtering and FortiGuard Category only
• No individual block pages, can redirect to a portal
• Web site access by IP means no DNS lookup

DNS-Based Web Filtering

• Select inspection mode in web filter profile

When Does Filtering Activate?

Sequence for a request to www.acme.com, with "!" marking where filtering can act:
• DNS Request / DNS Response (!)
• TCP 3-Way Handshake
• HTTP GET / HTTP 200 (!)

HTTP Inspection Order

Checks are applied in this order; each can block the request (block page) or allow it on to the next check:
• Web URL Filter: Exempt (from ALL further inspection) displays the page; Block shows a block page; Allow continues
• FortiGuard Filter: Block (block page) / Allow
• Content Filter: Block (block page) / Allow
• Advanced Filter: Block (block page) / Allow
• Virus Scan: Block (block page) / Allow, then Display Page

Types of Web Filtering

• Proxy-Based: Highly secure; Traffic is cached
• Flow-Based: High throughput; No caching; Not as secure
• DNS-Based: Very lightweight; Hostname filtering only; No advanced options, URL and FortiGuard only

Web Content Filtering

Create Pattern list in the CLI

Example for page www.acme.com:
• Drugs: Score = 10
• Pharmacy: Score = 5
• Prescription: Score = 5
Threshold = 18
10 + 5 + 5 = 20 -> Block or Exempt

• Allow or block web pages containing specific words or patterns
• Wildcards or regular expressions used to define patterns
• Scores for matched patterns are added
• If greater than threshold, FortiGate unit performs configured action
• If pattern appears multiple times on web page, score is only counted once
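Weighted pattern scoring as used by the Banned Word Check (email filtering) and the Web Content Filter above, as an added example that is not code from the guide: the slides' three patterns and weights, the threshold of 18, and the slides' sample text give 10 + 5 + 5 = 20. The count-once rule (a pattern that occurs several times scores once) and the wildcard/regex pattern types follow the slides; the `pharmac*` wildcard form, the word tokenising rule and the sample texts are assumptions made for the example.

```python
import fnmatch
import re

# Constructed pattern list using the weights from the slide. Pattern type is
# "wildcard" (shell style, matched against whole words) or "regex" (searched
# over the whole text).
BANNED_PATTERNS = [
    ("drugs", "wildcard", 10),
    ("pharmac*", "wildcard", 5),      # pharmacy, pharmacies, pharmaceutical ...
    ("prescription", "wildcard", 5),
]
THRESHOLD = 18

# The slide's sample text, as one string.
SAMPLE_TEXT = ("Let us fill all your prescription drugs. Visit our online pharmacy "
               "for great prices on prescription medications. We offer the widest "
               "selection of popular drugs.")

WORD_RE = re.compile(r"[A-Za-z0-9']+")


def pattern_hits(text, pattern, ptype):
    """True if the pattern occurs at least once in text."""
    if ptype == "regex":
        return re.search(pattern, text, re.IGNORECASE) is not None
    # fnmatch.translate turns the wildcard into an anchored regex, so it is
    # tested word by word rather than against the whole text.
    rx = re.compile(fnmatch.translate(pattern), re.IGNORECASE)
    return any(rx.match(word) for word in WORD_RE.findall(text))


def content_score(text, patterns=BANNED_PATTERNS):
    """Add the weight of every pattern found. A pattern that appears several
    times is counted once, so "prescription" twice still scores 5."""
    total, hits = 0, []
    for pattern, ptype, weight in patterns:
        if pattern_hits(text, pattern, ptype):
            total += weight
            hits.append(pattern)
    return total, hits


def exceeds_threshold(text, threshold=THRESHOLD, patterns=BANNED_PATTERNS):
    """The configured action (block the page / mark the mail as spam) fires
    only when the summed score is greater than the threshold."""
    score, _ = content_score(text, patterns)
    return score > threshold
```

Counting once per pattern keeps a single repeated word from pushing a page over the threshold; with per-occurrence counting the sample text would score 35 instead of 20.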

Web URL Filtering

• Control web access by allowing or blocking URLs
• Text, wildcards or regular expressions can be used to define the URL patterns
• If no URL match on list, go on to next enabled check
• Possible web URL filter actions are: Allow, Block, Monitor, Exempt

Web URL Filtering

Example: URL www.mypage.com/index.html is checked against the URL Filter list:
• www.example.com
• www.abc.com
• www.mypage.com/index.html
• www.mypage.com
Possible actions on a match: Block, Allow, Monitor, Exempt
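The URL filter lookup with its four actions, as an added example that is not code from the guide or from FortiOS. The list is walked top-down and the first match decides: Exempt skips all further inspection, Block stops the request, Monitor and Allow hand the request on to the next enabled check (Monitor also logs), and no match at all also goes on to the next check, as the slides state. The filter entries and URLs are constructed; placing `www.mypage.com/index.html` above `www.mypage.com` shows why entry order matters when plain-text entries are prefix matches.

```python
import fnmatch
import re

# Constructed URL filter list, consulted top-down; the first matching entry
# decides. Entry types follow the slide: plain text (prefix match on the URL
# without its scheme), wildcard, or regular expression.
URL_FILTER = [
    ("www.mypage.com/index.html", "simple", "exempt"),
    ("www.mypage.com", "simple", "block"),
    ("*.example.com/downloads/*", "wildcard", "monitor"),
    (r"^www\.abc\.com(/|$)", "regex", "allow"),
]


def normalize(url):
    """Drop the scheme and lower-case, so 'HTTP://WWW.MYPAGE.COM/' compares equal."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.IGNORECASE).lower()


def url_filter_lookup(url, entries=URL_FILTER):
    """Return (action, pattern) of the first matching entry, or (None, None)."""
    u = normalize(url)
    for pattern, ptype, action in entries:
        if ptype == "simple" and u.startswith(pattern.lower()):
            return action, pattern
        if ptype == "wildcard" and fnmatch.fnmatchcase(u, pattern.lower()):
            return action, pattern
        if ptype == "regex" and re.search(pattern, u, re.IGNORECASE):
            return action, pattern
    return None, None


def web_url_filter_decision(url, entries=URL_FILTER):
    """Map the matched action onto what happens next in the HTTP inspection order:
    whether the request passes, whether later checks still run, and whether a log
    entry is written."""
    action, pattern = url_filter_lookup(url, entries)
    if action == "block":
        return {"pass": False, "next_check": False, "log": True, "matched": pattern}
    if action == "exempt":
        # Exempt skips ALL further inspection, the virus scan included.
        return {"pass": True, "next_check": False, "log": False, "matched": pattern}
    if action == "monitor":
        return {"pass": True, "next_check": True, "log": True, "matched": pattern}
    if action == "allow":
        return {"pass": True, "next_check": True, "log": False, "matched": pattern}
    # No entry matched: go on to the next enabled check
    # (FortiGuard category filter, content filter, ...).
    return {"pass": True, "next_check": True, "log": False, "matched": None}
```

Exempt is the action to use sparingly: it removes the matched URL from every later check, so a broad exempt entry is a blind spot for the virus scan as well as for the category and content filters.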

Forcing Safe Search

• Safe Search is used by search sites to prevent explicit web sites and images from appearing in search results
• FortiGate unit rewrites the search URL to include the required codes to enable Safe Search
• Supported for Google, Bing and Yahoo!
• Does not force strict safe search
• YouTube EDU available
• Instructions for YouTube will include the value to enter on the FortiGate unit

FortiGuard Category Filter

URL www.mypage.com -> Categories -> action: Block, Allow, Monitor, Warning or Authenticate

FortiGuard Category Filter

• The FortiGate unit accesses the FortiGuard Distribution Server to determine the category of a requested page
• Action is taken based on selection in web filtering profile
• Web filter rating determined by: Human rater; Text analysis; Exploitation of web structure

FortiGuard Category Filter

• Split into multiple categories and sub-categories
• Layout will switch periodically as the Internet changes
• New categories and sub-categories are released and compatible with updated firmware
• Older firmware has new values mapped to existing categories

FortiGuard Caching

• Most web sites are visited over and over again
• FortiGate unit can remember what the response was
• Caching improves performance by reducing FortiGate unit requests to FortiGuard servers
• Cache checked before sending request to FortiGuard server
• TTL setting controls the number of seconds query results are cached
• Small amount of FortiGate unit system memory dedicated to the cache
• Default is 2% used for cache, can be increased to 15% from CLI
• Port 53 used for FortiGuard communications
• Alternate port number of 8888 can be used
• KB Article IDs: 11779, FD32121, FD30088
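The query cache described for both email filtering and web filtering above, as an added example that is not code from the guide or from FortiOS: a bounded cache consulted before any rating query is sent, with each result kept until the TTL is reached. The entry limit stands in for the percentage-of-memory setting, the clock is injectable so TTL expiry can be replayed deterministically, and the hostnames and categories in `simulate()` are constructed.

```python
import time


class RatingCache:
    """Constructed model (not FortiOS code) of the FortiGuard query cache:
    a bounded table consulted before any request goes to the rating server,
    each result kept for ttl_seconds."""

    def __init__(self, ttl_seconds, max_entries, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.max_entries = max_entries      # stands in for the memory percentage limit
        self.clock = clock                  # injectable for deterministic replay
        self._entries = {}                  # key -> (result, expires_at)
        self.hits = 0
        self.remote_queries = 0

    def lookup(self, key, query_server):
        """Return the cached result if it is still within its TTL; otherwise
        ask the server, store the answer with a fresh expiry and return it."""
        now = self.clock()
        entry = self._entries.get(key)
        if entry is not None and entry[1] > now:
            self.hits += 1
            return entry[0]
        self.remote_queries += 1
        result = query_server(key)
        if key not in self._entries and len(self._entries) >= self.max_entries:
            self._make_room(now)
        self._entries[key] = (result, now + self.ttl)
        return result

    def _make_room(self, now):
        """Purge expired entries; if still full, drop the entry closest to expiry."""
        for k in [k for k, (_, exp) in self._entries.items() if exp <= now]:
            del self._entries[k]
        if len(self._entries) >= self.max_entries:
            del self._entries[min(self._entries, key=lambda k: self._entries[k][1])]


def simulate(ttl_seconds=60, max_entries=2):
    """Replay a constructed sequence of lookups against a fake clock and return
    (remote_queries, hits) so the effect of the TTL can be checked."""
    clock = [0.0]
    categories = {"www.acme.example": "General Organizations",
                  "games.example": "Games", "news.example": "News"}
    cache = RatingCache(ttl_seconds, max_entries, clock=lambda: clock[0])
    server = lambda host: categories[host]
    cache.lookup("www.acme.example", server)   # miss: first visit
    cache.lookup("www.acme.example", server)   # hit: within TTL
    clock[0] = ttl_seconds + 1
    cache.lookup("www.acme.example", server)   # miss: TTL reached, queried again
    cache.lookup("games.example", server)      # miss
    cache.lookup("news.example", server)       # miss: table full, one entry evicted
    return cache.remote_queries, cache.hits
```

A longer TTL means fewer queries to FortiGuard but also a longer wait before a re-rated site (for example one that was just moved to a malicious category) is seen differently by the unit; the TTL is the trade-off between those two.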

FortiGuard Usage Quotas

Figure: each request in Category: Games consumes the Games Quota

• Quotas allow access to specific categories for a specific length of time (calculated separately for each quota configured)
• If authentication is enabled, quota is automatically based on the user, otherwise IP is used
• Can only apply to categories with actions: Monitor, Warn or Authenticate

Rating Submissions

• Requests for rating of a web site, or to have a web site's rating re-evaluated, can be submitted by accessing: http://www.fortiguard.com/ip_rep.php

Rating Override

Example: www.acme.com, Category: General Organizations, Sub-Category: Information and Computer Security -> Rating override

Rating Override

• Can override the rating applied to a hostname by FortiGuard Subscription Services
• Hostname reassigned to a completely different category and uses that action
• Override applies to FortiGate unit only
• Changes not submitted to FortiGuard Subscription Services
• Hostnames only (google.com, www.google.com); a URL with a path such as www.google.com/index.html is not a hostname

Local Categories

• Rename and deletion of sub-categories only in CLI: config webfilter ftgd-local-cat, then delete or rename ... to ...

Warning Action

• Action = Warning (right click in the GUI)
• Web Filtering Warning Page

Authenticate Action

Example: www.hackthissite.org, Marketing

Web Filter Profiles

• Web filtering, FortiGuard web filtering and advanced filtering options enabled through web filtering profiles
• Profile in turn applied to firewall policy
• Any traffic being examined by the policy will have the web filtering operations applied to it

Labs

Lab 1: Web Filtering
Ex 1: FortiGuard Web Filtering

Classroom Lab Topology

MODULE 10: Application Control

Module Objectives

By the end of this module participants will be able to:
• Define application control lists
• Define firewall policies using application control lists

Application Control

• Application control is used to detect and take actions on network traffic based on the application generating the traffic (Facebook, Skype, Gmail etc.)
• Can detect application traffic even if contained within other protocols
• Supports a large number of applications and categories
• DiffServ per application filter
• Supports shared and per-IP traffic shaping for application control

Application Control List

• An application control list defines the applications that will be subject to inspection
• For each application, the administrator can specify whether to pass or block the application traffic in addition to other settings
• Default rule set is very restrictive, must perform an AV/IPS update in order to obtain new rules

Adding to the List

• Requests for additional or revised application control coverage can be submitted using FortiClient or by accessing: http://www.fortiguard.com/applicationcontrol/appform.html

Application Control Profile

• Application control options are enabled through application control sensors
• Sensor in turn is applied to firewall policy
• Any traffic being examined by the policy will have the application control operations applied to it

Example: Facebook Application Control

• Application Facebook.app_ID allows a specific Facebook app rule
• Each Facebook app is assigned a unique name and ID: http://apps.facebook.com/app name/
• For new Facebook apps not yet in the application list, a custom signature of this form can be used:

F-SBID( --name "Facebook.App.XXX"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_GET; --pattern " /app_name/"; --no_case; --context uri; --within xx,context; --pattern "apps.facebook.com"; --no_case; --context host; )

Order of Operations

• Processed from the top down
• First match action is applied
• Can be single application or picked from a set of options to apply to multiple applications

Implicit Rules

• Matches traffic against every application control signature
• Matches traffic that does not conform to any application control signature

Creating a Filter Rule