fgt 01 introduction

Upload: max-olguin-mella

Post on 12-Oct-2015


Introduction to FortiGate Unified Threat Management, 7 April 2014

Slide 1: Introduction to Fortinet Unified Threat Management

2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT1-01-50005-E-20131120

Slide 2: Module Overview

- Other products available from Fortinet
- A FortiGate's features
- Administrative Access, Users and Profiles
- FortiGuard
- Operating Modes
- Default Settings
- Configuration Backup and Restoration
- Proper upgrade and downgrade procedures
- Console port
- and other topics

Slide 3: Module Objectives

By the end of this module, participants will be able to:
- Identify the major features of the FortiGate Unified Threat Management appliance
- Modify administrative access restrictions
- Create and manage administrative users
- Create and manage administrator access profiles
- Back up and restore configuration files
- Create a DHCP server on a FortiGate unit's interface
- Upgrade or downgrade a FortiGate unit's firmware

Slide 4: Traditional Network Security Solutions

Firewall, Antivirus, Antispam, WAN Optimization, Web Filtering, Application Control, Intrusion Prevention, VPN

Many single-purpose systems are needed to cope with a variety of threats.

Slide 5: FortiGate Integrated Network Security Platform

Firewall, Antivirus, Antispam, WAN Optimization, Web Filtering, Application Control, Intrusion Prevention, VPN, and more

One device, the FortiGate appliance, provides a comprehensive security and networking solution.

Slide 6: Unit Design

- Hardware: purpose-driven hardware
- FortiOS: specialized operating system
- Firewall, AV, Web Filter, IPS: security and network-level services
- FortiGuard Subscription Services: automated update service

Slide 7: FortiGate Unit Capabilities

Firewall, Antivirus, Email filtering, Web filtering, Intrusion prevention, Application control, Data leak prevention, WAN optimization, Secure VPN, Wireless, Dynamic routing, Endpoint compliance, Virtual domains, Traffic shaping, High availability, Logging and reporting, Authentication

Slide 8: Fortinet Products

- Network Security: FortiGate appliances (high-end, mid-range and desktop models)
- Network Access: Wireless: FortiWiFi, FortiAP; Switching: FortiSwitch; End-point and mobility: FortiClient; User Identity: FortiAuthenticator, FortiToken
- Infrastructure Security: Application and Content Delivery: FortiADC; DDoS Mitigation: FortiDDoS; Advanced Threat Protection; Voice and Video: FortiVoice, FortiCamera, FortiRecorder
- Application Security: FortiMail, FortiWeb, FortiDB, FortiCache
- Management: FortiManager, FortiAnalyzer, FortiCloud

Slide 9: FortiGuard Subscription Services

- Global Update service for AV/IPS (update.fortiguard.com): uses SSL on port 443
- Global Live service for FortiGuard WF/AS (service.fortiguard.net): uses a proprietary protocol on port 53 or 8888; live service (connection and contract required); short grace period after contract expiry (about 7 days)
- Handled through the FortiGuard Distribution Network (FDN): calculates server distance based on time zones; major server centers in North America as well as Asia and Europe; the nearest servers are preferred but selection will adjust based on server load
- Updates and queries can be sent to a FortiManager instead

Slide 10: Modes of Operation

NAT mode
- Device operates at Layer 3 of the OSI model
- Interfaces have IP addresses
- Packets are routed via IP
- Device is a presence in the routing of the network

Transparent mode
- Device operates at Layer 2 of the OSI model
- Device interfaces do not have IPs
- Routing decisions are not possible
- Device is not a presence in network routing

Slide 11: OSI Model

Slide 12: Device Factory Defaults

- port1 or the internal interface will have an IP of 192.168.1.99/24
- PING, HTTP and HTTPS protocols are enabled for management access
- port1 or the internal interface will have a DHCP server set up and enabled (on devices that support DHCP servers)
- Default login will always be: user: admin, password: (blank)
- Usernames and passwords are BOTH case sensitive
- Default admin user information should be modified!

Slide 13: Device Administration

- Web GUI: HTTP, HTTPS
- CLI: Console, SSH, Telnet, GUI widget

Slide 14: Administrator Profiles

Slide 15: Administrator Profiles: Permissions

An admin profile assigns one of three access levels (None, Read, Read-Write) to each configuration area: System Configuration, Network Configuration, Firewall Configuration, VPN Configuration, WiFi Configuration, etc.

Slide 16: Administrative Users

- super_admin profile: full access
- prof_admin profile: full access within a single virtual domain
- custom profile: custom access

Slide 17: Administrative Users: Trusted Hosts

If the source IP of a login attempt is not a trusted host, the FortiGate will not respond to management traffic sent to its interfaces.
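The following is an added example, not code from the slides or from FortiOS, modelling how the two controls on slides 15 to 17 combine: a request from an address outside the administrator's trusted hosts gets no response at all, and only a trusted source proceeds to the per-area None/Read/Read-Write check of the admin profile. The profile name, areas, subnet and user are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The three access levels from the Administrator Profiles slide.
NONE, READ, READ_WRITE = "none", "read", "read-write"


@dataclass
class AdminProfile:
    name: str
    # Access level per configuration area (system, network, firewall, vpn, ...).
    # Areas missing from the map are treated as "none".
    permissions: Dict[str, str] = field(default_factory=dict)

    def allows(self, area: str, write: bool) -> bool:
        level = self.permissions.get(area, NONE)
        if level == NONE:
            return False
        return level == READ_WRITE or not write


@dataclass
class AdminUser:
    name: str
    profile: AdminProfile
    # Trusted hosts as IPv4/IPv6 CIDR strings. An empty list is the
    # permissive default: management traffic is answered from any source.
    trusted_hosts: List[str] = field(default_factory=list)

    def source_trusted(self, src_ip: str) -> bool:
        if not self.trusted_hosts:
            return True
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(net, strict=False)
                   for net in self.trusted_hosts)


def authorize(user: AdminUser, src_ip: str, area: str, write: bool) -> Tuple[bool, str]:
    """Decide whether a management request is honoured.

    Trusted hosts are checked first: a request from an address outside the
    list gets no response, so the profile is never consulted. Only a trusted
    source proceeds to the per-area None/Read/Read-Write check.
    """
    if not user.source_trusted(src_ip):
        return False, "source %s is not a trusted host" % src_ip
    if not user.profile.allows(area, write):
        action = "write" if write else "read"
        return False, "profile %s denies %s on %s" % (user.profile.name, action, area)
    return True, "ok"


# Constructed sample data (hypothetical values, not from the deck): a custom
# profile and an administrator limited to the management subnet 10.0.0.0/24.
DEMO_PROFILE = AdminProfile("fw_operator", {
    "firewall": READ_WRITE,
    "system": READ,
    # "vpn" deliberately absent -> none
})
DEMO_USER = AdminUser("fwadmin", DEMO_PROFILE, trusted_hosts=["10.0.0.0/24"])

if __name__ == "__main__":
    for src, area, write in [("10.0.0.5", "firewall", True),
                             ("10.0.0.5", "system", True),
                             ("10.0.0.5", "vpn", False),
                             ("192.168.1.50", "firewall", False)]:
        print(src, area, "write" if write else "read", authorize(DEMO_USER, src, area, write))
```

Leaving `trusted_hosts` empty is exactly the default the slide wants changed: with no list, the check passes for every source and only the password stands between an attacker on the internal network and the profile's permissions.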

Slide 18: Two Factor Authentication

Username and Password (one factor) + FortiToken (two factor)

Slide 19: Administrative Users: Two Factor Authentication

    Configuration Files

    Device configuration settings can be saved to an external fileOptional encryption

    The file can be restored to rollback device to a previous configuration restoring a configuration always reboots the device

    Configuration files can be backed up automatically Not available on all models, happens when admin users log out

Slide 21: Configuration Files: Format

- The header contains some details on the device; after the header, an encrypted file is not readable
- Restoring an encrypted configuration requires the same device model running the same build as the config file (and the encryption password)
- Restoring a text-based config file only requires the same model; configuration files from a different build can be used (with the same limits as an upgrade)
- The config file only contains non-default and important settings (which keeps its size down)

Plain text header:

    #config-version=FWF60D-5.00-FW-build252-131031:opmode=0:vdom=0:user=admin#conf_file_ver=10488925954160275734#buildno=0252#global_vdom=1

Encrypted header:

    #FGBK|3|FWF60D|5|00|252|

Fields labelled on the slide: Model (FWF60D), Firmware Major Version (5), Build Number (252).
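As an added example (not from the slides or from Fortinet), the parser below reads the two header shapes shown above and applies the restore rules the slide states before a restore is attempted: an encrypted backup needs the same model and the same build, a plain-text backup only the same model. The two sample headers are copied from the slide; the field layout of the `#FGBK|...` line beyond the labelled model, major version and build, and the meaning of its `00` field as the minor version, are assumptions.

```python
import re
from typing import Dict, Tuple

# The two header shapes shown on the slide, copied verbatim.
PLAIN_HEADER = ("#config-version=FWF60D-5.00-FW-build252-131031:opmode=0:vdom=0:user=admin"
                "#conf_file_ver=10488925954160275734#buildno=0252#global_vdom=1")
ENCRYPTED_HEADER = "#FGBK|3|FWF60D|5|00|252|"

# model-major.minor-FW-buildNNN-YYMMDD, e.g. FWF60D-5.00-FW-build252-131031
_VERSION_RE = re.compile(
    r"^(?P<model>[A-Z0-9]+)-(?P<major>\d+)\.(?P<minor>\d+)-FW-build(?P<build>\d+)-(?P<date>\d+)$")


def parse_header(line: str) -> Dict[str, object]:
    """Return model / firmware version / build from a backup's first line.

    Only the first line is needed; for an encrypted backup nothing after it
    is readable anyway.
    """
    line = line.strip()
    if line.startswith("#FGBK|"):
        fields = line.split("|")
        # The slide labels model, firmware major version and build number.
        # Treating the "00" field as the minor version is an assumption.
        return {"encrypted": True, "model": fields[2], "major": int(fields[3]),
                "minor": int(fields[4]), "build": int(fields[5])}
    if line.startswith("#config-version="):
        # '#' separates sections; ':' separates key=value pairs within the first one.
        kv = {}
        for section in line.lstrip("#").split("#"):
            for pair in section.split(":"):
                key, _, value = pair.partition("=")
                kv[key] = value
        m = _VERSION_RE.match(kv.get("config-version", ""))
        if m is None:
            raise ValueError("unrecognised config-version value: %r" % kv.get("config-version"))
        return {"encrypted": False, "model": m["model"], "major": int(m["major"]),
                "minor": int(m["minor"]), "build": int(m["build"]),
                "build_date": m["date"],
                "extra": {k: v for k, v in kv.items() if k != "config-version"}}
    raise ValueError("not a FortiGate configuration header")


def restore_compatible(header: Dict[str, object], device_model: str,
                       device_build: int) -> Tuple[bool, str]:
    """Apply the restore rules stated on the slide before attempting a restore."""
    if header["model"] != device_model:
        return False, "model mismatch: file is for %s, device is %s" % (header["model"], device_model)
    if header["encrypted"]:
        if header["build"] != device_build:
            return False, ("encrypted backup needs the same build: file build%d, device build%d"
                           % (header["build"], device_build))
        return True, "same model and build; the encryption password is still required"
    if header["build"] != device_build:
        return True, ("plain-text backup from build%d onto build%d: the same limits as an "
                      "upgrade apply, check the release notes" % (header["build"], device_build))
    return True, "same model and build"


if __name__ == "__main__":
    for raw in (PLAIN_HEADER, ENCRYPTED_HEADER):
        hdr = parse_header(raw)
        print(hdr["model"], "%d.%02d" % (hdr["major"], hdr["minor"]), "build", hdr["build"],
              "encrypted" if hdr["encrypted"] else "plain text")
        print("  restore onto FWF60D build252:", restore_compatible(hdr, "FWF60D", 252))
        print("  restore onto FWF60D build300:", restore_compatible(hdr, "FWF60D", 300))
```

Running this over a backup archive before a downgrade (slide 36, step 7) catches the common mistake of trying to push an encrypted backup from the newer build onto the older firmware, where the restore will fail.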

Slide 22: Per Virtual Domain Configuration Files

Configurations are backed up as a whole. If Virtual Domains (VDOMs) are enabled, backups of individual VDOMs are possible.

Slide 23: Interface IPs

Every used interface on the unit must have an IP assigned (in NAT mode) using one of three methods: manual IP, DHCP-assigned, or PPPoE (CLI).

Slide 24: Administrative Access: Methods

- Each interface has separate options for enabling management access
- Separate settings for IPv4 and IPv6
- IPv6 options only show up if the feature is enabled in the GUI

Slide 25: Hiding Features from the GUI

- Not all features are visible in the GUI by default
- Some features are ONLY configurable from the CLI
- Features not shown in the GUI ARE NOT disabled
- Primary features can be hidden/unhidden from the Dashboard widget
- The full list of options is found in the Features submenu

Slide 26: Hiding Features from the GUI: Security Features

- NGFW (Next Generation Firewall): line speed inspection
- ATP (Advanced Threat Protection): focuses on protecting PCs
- WF: Web Filtering
- Full UTM: all inspection profile options are available in the GUI

Slide 27: Administrative Access: Ports

Service ports for administrative access can be customized. Using only secure access methods is recommended.

Slide 28: Static Gateway

There must be at least one default gateway. If an interface is DHCP or PPPoE, then a gateway can be added to the routing dynamically.

Slide 29: DHCP Server: Setup

Enabled and configured separately for each interface.

Slide 30: DHCP Server: IP Reservation

- An IP address is reserved and always assigned to the same DHCP host
- Select an IP address, or choose an existing DHCP lease, to add to the reserved list
- Identify the IP address reservation as either DHCP over Ethernet or DHCP over IPsec
- The MAC address of the DHCP host is used to look up the IP address in the IP reservation table
- Found in the Advanced settings of the DHCP server, on the interface

Slide 31: DHCP Logs

Slide 32: FortiGate as a DNS Server

Resolves DNS lookups from an internal network. Methods to set up DNS for each interface:
- Forward to System DNS: DNS requests are relayed to the DNS servers configured for the FortiGate unit
- Non-recursive: DNS requests are resolved using a FortiGate DNS database; unresolved DNS requests are dropped
- Recursive: DNS requests are resolved using a FortiGate DNS database; any unresolved DNS requests are relayed to the DNS servers configured for the unit

One DNS database can be shared by all the FortiGate interfaces. If VDOMs are enabled, a DNS database can be created in each VDOM.

Slide 33: DNS Forwarding

- FortiGate units can forward (or not) DNS requests sent to their interfaces; the behavior of each interface is configured separately
- Allows direct control of DNS
- The GUI allows setting Forward only; the CLI allows Forward, Recursive and Non-recursive behavior
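The three per-interface modes from slides 32 and 33, as an added example that is not code from the slides or from FortiOS: a small resolver that applies the Forward, Non-recursive and Recursive rules to a constructed local database and a constructed stand-in for the system DNS servers, with each interface configured separately. The zone names, addresses and interface assignments are sample values.

```python
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

Answer = Tuple[str, str]  # (record type, value)


class DnsMode(Enum):
    FORWARD_ONLY = "forward"         # relay every request to the system DNS servers
    NON_RECURSIVE = "non-recursive"  # answer from the local database, drop the rest
    RECURSIVE = "recursive"          # local database first, relay what it cannot answer


# Constructed stand-in for the unit's DNS database (hostname -> A record).
LOCAL_DB: Dict[str, Answer] = {
    "www.example.lan.": ("A", "10.0.0.10"),
    "mail.example.lan.": ("A", "10.0.0.25"),
}


def system_dns(name: str) -> Optional[Answer]:
    """Constructed stand-in for the DNS servers configured on the unit.
    It knows nothing about the internal zone, which is the point."""
    public = {"www.example.com.": ("A", "203.0.113.10")}
    return public.get(name)


def resolve(name: str, mode: DnsMode,
            db: Dict[str, Answer] = LOCAL_DB,
            upstream: Callable[[str], Optional[Answer]] = system_dns) -> Optional[Answer]:
    """Resolve one query the way the slide describes each mode.
    None means the request is dropped (or the forwarder had no answer)."""
    name = name.lower().rstrip(".") + "."   # normalise to a lower-case FQDN
    if mode is DnsMode.FORWARD_ONLY:
        return upstream(name)               # local database never consulted
    answer = db.get(name)
    if answer is not None or mode is DnsMode.NON_RECURSIVE:
        return answer                       # local hit, or drop when non-recursive
    return upstream(name)                   # recursive: fall through to system DNS


# Constructed per-interface behaviour (hypothetical interface names): the DNS
# service is configured separately on each interface, and an interface that is
# not listed has no DNS service at all (the WAN side should stay that way).
INTERFACE_MODE: Dict[str, DnsMode] = {
    "internal": DnsMode.RECURSIVE,      # LAN clients get internal names plus the Internet
    "dmz": DnsMode.NON_RECURSIVE,       # DMZ hosts only see the local zone
    "guest": DnsMode.FORWARD_ONLY,      # guest network sees no internal names
}


def resolve_on_interface(interface: str, name: str) -> Optional[Answer]:
    mode = INTERFACE_MODE.get(interface)
    if mode is None:
        return None  # DNS service not enabled on this interface
    return resolve(name, mode)


if __name__ == "__main__":
    for iface in ("internal", "dmz", "guest", "wan1"):
        for q in ("www.example.lan", "www.example.com"):
            print("%-8s %-16s -> %s" % (iface, q, resolve_on_interface(iface, q)))
```

Non-recursive on the DMZ interface is the conservative choice: a compromised DMZ host cannot use the FortiGate as an open resolver, and Forward only on the guest network keeps internal hostnames out of reach without losing Internet resolution.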

Slide 34: DNS Database: Configuration

- DNS zones need to be added when configuring the DNS database; each zone has its own domain name; the zone format is defined by RFC 1034 and 1035
- DNS entries are added to each zone; an entry includes a hostname and the IP address it resolves to; each entry also specifies the type of DNS entry: IPv4 address (A) or IPv6 address (AAAA), name server (NS), canonical name (CNAME), mail exchange (MX), name for IPv4 (PTR) or IPv6 (PTR)

Slide 35: Firmware Upgrade Steps

Step 1: Back up and store the old configuration (full config backup from the CLI)
Step 2: Have a copy of the old firmware available
Step 3: Have a disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
Step 5: Double check everything
Step 6: Upgrade

Slide 36: Firmware Downgrade Steps

Step 1: Locate the pre-upgrade configuration file
Step 2: Have a copy of the old firmware available
Step 3: Have a disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
Step 5: Double check everything
Step 6: Downgrade (all settings except those needed for access are lost)
Step 7: Restore the pre-upgrade configuration

Slide 37: Maintainer Access

- Available on all FortiGate devices and some non-FortiGate devices
- Only available through the hardware console port; highly secure (requires physical access)
- Only open after a HARD boot, for about 30 seconds (varies by model, by approximately 1 minute); a soft boot does not activate the user
- User: maintainer; Password: bcpb followed by the serial number (all letters in the serial number MUST BE uppercase)
- Can be disabled in the CLI if physical security is a risk or for compliance reasons:

    config sys global
        set admin-maintainer disable
    end

Slide 38: Console Port

Depending on the FortiGate model, console port access is provided in the following ways:
- Serial port (older models): a standard null modem cable will work for console port access
- RJ-45 port: an RJ-45-to-serial cable is required for access
- USB 2 port: requires FortiExplorer to connect

Each device ships with the proper console cables.

Slide 39: FortiExplorer

- Software used to manage devices via USB 2: some models of FortiGate/FortiWiFi, FortiSwitch, FortiAP
- Available for Windows PC and Mac OS X 10; the release notes contain detailed information on supported OS versions
- Connect using a USB cable; allows full GUI/CLI access and complete configuration options
- If the device has a USB 2 port, FortiExplorer is the only way to access the console port
- Also available on the Apple App Store for iPod/iPad/iPhone: connect using the standard 30-pin-to-USB cable; limited configuration options, limited model options

Slide 40: Labs

Lab 1: Initial Setup and Configuration
- Ex 1: Configuring Network Interfaces
- Ex 2: Exploring the Command Line Interface
- Ex 3: Restoring Configuration Files
- Ex 4: Performing Configuration Backups

(OPTIONAL) Lab 2: Administrative Access
- Ex 1: Profiles and Administrators
- Ex 2: Restricting Administrator Access

Slide 41: Classroom Lab Topology