Course 201 v3.0 Slides

FortiGate 200D

Agenda

FortiGate services
- Application-level services: antivirus, intrusion protection, antispam, web content filtering
- Network-level services: firewall, IPSec and SSL VPN, traffic shaping
- Management, reporting and analysis products: authentication, logging, reporting, secure administration, SNMP

Firewall
- Controls the flow of traffic between networks of different trust levels
- Lets legitimate traffic through while blocking intrusions, unauthorized users and malicious traffic
- Implemented as an ordered set of rules that allow or deny traffic

Firewall placement: between the untrusted network (Internet) and the trusted corporate network

NAT/Route mode
- The FortiGate is a layer 3 device and each interface sits on its own subnet. Example topology: Internal 192.168.1.99 with hosts such as 192.168.1.3; WAN1 204.23.1.5 toward the Internet router; DMZ 10.10.10.1 with a host at 10.10.10.2
- NAT mode policies control traffic between the internal and external networks
- Routing policies control traffic between internal networks

Transparent mode
- The FortiGate is inserted as a bridge between the router that is the gateway to the public network (204.23.1.5) and the internal hub or switch; it keeps a single management IP (10.10.10.2) on the same subnet as the internal hosts (for example 10.10.10.3), so no readdressing is needed

Web Config
- Configure and monitor the device through a web browser over HTTPS (example: https://163.17.x.x)
- Browsers listed: Firefox 37 and later, Internet Explorer 11 and later

CLI
- Command line interface, reached through the console

Lesson 4: Firewall Policies

Firewall Policies
- Control the traffic passing through the FortiGate
- Decide what to do with a connection request: the packet is analyzed, its content compared to the policy, and the result is ACCEPT or DENY
- Source, destination and service must all match for a policy to apply; the policy then directs the action
- A protection profile attached to the policy applies the protection settings to the traffic the policy accepts
- Enable logging on the policy to view the connections that used it

Policy Matching
- The policy list is searched for a matching policy based on source and destination
- The search starts at the top of the list and works down; the first match is applied and nothing below it is consulted
- Arrange policies from more specific to more general, otherwise a general policy placed higher shadows the specific ones below it
- Policies are configured separately for each virtual domain
- Move policies in the list to change the order in which they are evaluated

User Authentication to Firewall Policies
- The user is challenged to identify themselves before the policy can be used
- Authentication policies must sit above policies that do not require authentication; if a non-authenticating policy matches first, the user is never challenged
- Available for policies with action set to ACCEPT or SSL VPN
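The first-match rule and the shadowing it causes, as an added example that is not FortiGate code or part of the course material. The address and service objects, interface names and policy IDs are constructed for the illustration; the `requires_auth` flag stands in for an identity-based policy.

```python
"""First-match evaluation of a firewall policy list (added example; not FortiGate code)."""
import ipaddress
from dataclasses import dataclass

# Constructed address objects: name -> network. "all" is the predefined any-address object.
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "internal_net": ipaddress.ip_network("10.10.10.0/24"),
    "web_server": ipaddress.ip_network("192.168.1.100/32"),
}

# Constructed service objects: name -> (protocol, destination port); ANY matches everything.
SERVICES = {"ANY": None, "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53)}


@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    service: str
    action: str                  # "accept" or "deny"
    requires_auth: bool = False  # user must authenticate before this policy can be used


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int


def matches(pol: Policy, pkt: Packet) -> bool:
    """Interfaces, source address, destination address and service must all match."""
    if (pol.srcintf, pol.dstintf) != (pkt.srcintf, pkt.dstintf):
        return False
    if ipaddress.ip_address(pkt.src) not in ADDRESSES[pol.srcaddr]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ADDRESSES[pol.dstaddr]:
        return False
    svc = SERVICES[pol.service]
    return svc is None or svc == (pkt.proto, pkt.dport)


def evaluate(policies, pkt):
    """Search top to bottom; the first match decides. No match -> implicit deny (id 0)."""
    for pol in policies:
        if matches(pol, pkt):
            return pol.policy_id, pol.action, pol.requires_auth
    return 0, "deny", False


# Two policies for internal -> wan1: an authenticated HTTP policy and a general allow-all.
AUTH_HTTP = Policy(2, "internal", "wan1", "internal_net", "all", "HTTP", "accept", requires_auth=True)
ALLOW_ALL = Policy(1, "internal", "wan1", "internal_net", "all", "ANY", "accept")

# Constructed sample packets.
HTTP_OUT = Packet("internal", "wan1", "10.10.10.1", "172.16.1.1", "tcp", 80)
SSH_OUT = Packet("internal", "wan1", "10.10.10.1", "172.16.1.1", "tcp", 22)
DMZ_DNS = Packet("dmz", "wan1", "192.168.1.100", "172.16.1.1", "udp", 53)


def ordering_demo():
    """Same two policies in two orders: specific-first enforces authentication for HTTP;
    general-first shadows the authentication policy so it is never reached."""
    specific_first = evaluate([AUTH_HTTP, ALLOW_ALL], HTTP_OUT)
    general_first = evaluate([ALLOW_ALL, AUTH_HTTP], HTTP_OUT)
    return specific_first, general_first


def shadowed(policies, sample_packets):
    """Policies that no sample packet ever reaches because an earlier policy matches first."""
    reached = {evaluate(policies, pkt)[0] for pkt in sample_packets}
    return [pol.policy_id for pol in policies if pol.policy_id not in reached]
```

`shadowed()` is the check worth running on a real rule base after reordering: any policy it reports is dead with respect to the traffic you expect, which for an authentication policy means the control silently no longer applies.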

Authentication methods
- Username and password (local user database)
- Digital certificates
- LDAP, RADIUS, TACACS+
- Active Directory (requires FSAE, the Fortinet Server Authentication Extension)

Authentication Protocols
- The protocol used to issue the authentication challenge must be specified
- The firewall policy must include that protocol in its service or the user never sees the challenge: HTTP, HTTPS, Telnet, FTP

Creating Policies
- Source and destination address
- Schedule
- Service
- Action
- NAT
- Options: protection profile, logging, authentication, traffic shaping

- Disclaimers

Firewall Addresses
- Added to the policy as its source and destination addresses; matched against the source and destination IP of the packets received
- The default ALL represents any IP address on the network
- An address is configured with a unique name, an IP address and a netmask; FQDN addresses can also be used
- Address groups simplify policy creation and management

Firewall Schedules
- Control when a policy is active or inactive
- One-time schedule: activate or deactivate for a single specified period
- Recurring schedule: activate or deactivate at specified times of the day or week

Firewall Services
- Determine which types of communication (protocol and port) are accepted or denied

- Predefined services are applied to the policy; create a custom service if the protocol and port are not on the predefined list
- Service groups simplify policy creation and management

Network Address Translation (NAT)
- With NAT enabled in the policy, the source address and source port of packets accepted by the policy are translated to the address of the outgoing interface and a new port
- Example (client 10.10.10.1 on internal, server 172.16.1.1 on the Internet, wan1 IP 192.168.2.2, firewall policy with NAT enabled):
    Original:  Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
    New:       Source IP 192.168.2.2, Source Port 30912, Destination IP 172.16.1.1, Destination Port 80
  The FortiGate records the translation in its session table so that the server's reply (172.16.1.1:80 to 192.168.2.2:30912) can be mapped back to 10.10.10.1:1025

Dynamic IP Pool
- Instead of the interface address, the source address is translated to an address selected from a configured IP pool (the selection is described as random)

- Example (same client and server, firewall policy with NAT + IP pool, pool on wan1: 172.16.12.12-172.16.12.12):
    Original:  Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
    New:       Source IP 172.16.12.12, Source Port 30957, Destination IP 172.16.1.1, Destination Port 80

Fixed Port
- Prevents NAT from translating the source port; some applications do not function correctly if the source port is changed
- If no dynamic IP pool is enabled, a policy with Fixed Port can only allow one connection to a given service at a time: every client would be translated to the same interface address with its own unchanged source port, so a second client using the same source port collides with the first session
- Example (firewall policy with NAT + IP pool + Fixed Port, pool on wan1: 172.16.12.12-172.16.12.12):
    Original:  Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
    New:       Source IP 172.16.12.12, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80

Virtual IPs
- Allow connections through NAT firewall policies to a host behind the FortiGate: the addresses in the packets are remapped and the packets forwarded
- The server sees the translated addresses, not the ones the client originally sent to; on the reply, the session table determines which original address each translated address maps back to

DNAT
- With a VIP as the policy's destination address and NAT not selected in the firewall policy, the policy performs destination network address translation (DNAT) only
- A packet from the external network addressed to the VIP's external address is accepted and its destination is translated to the mapped IP on another network; the source address is left unchanged
- Example (client 10.10.10.1 on the Internet; VIP with static NAT on interface wan1, external address 172.16.1.1 mapped to 192.168.1.100 on the dmz; firewall policy wan1 to dmz with destination address = VIP):
    Original:  Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
    New:       Source IP 10.10.10.1, Source Port 1025, Destination IP 192.168.1.100, Destination Port 80
- A static NAT VIP also works in the reverse direction. When the server 192.168.1.100 on the dmz initiates a connection to 10.10.10.2 on the Internet through a dmz to wan1 policy with NAT enabled, its source address is translated to the VIP's external address rather than the wan1 interface address:
    Original:  Source IP 192.168.1.100, Source Port 1025, Destination IP 10.10.10.2, Destination Port 80
    New:       Source IP 172.16.1.1, Source Port 1025, Destination IP 10.10.10.2, Destination Port 80
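The translations described in the NAT, Dynamic IP Pool, Fixed Port and DNAT sections above, modelled with the session table that makes the return path work, as an added example that is not FortiGate code or part of the course material. Addresses and ports are the slides' values; the `NatGateway`, `NatPolicy` and `Flow` names and the sequential port allocator are constructed for this illustration.

```python
"""Source NAT, IP pools, fixed port and static-NAT VIPs with a session table (added example; not FortiGate code)."""
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatPolicy:
    nat: bool = True               # the "NAT" option in the firewall policy
    ippool: Optional[str] = None   # single-address pool, as in the slides (172.16.12.12-172.16.12.12)
    fixedport: bool = False        # keep the original source port


class NatGateway:
    def __init__(self, wan_ip, vips=None, first_port=30912):
        self.wan_ip = wan_ip
        self.vips = vips or {}                    # static NAT VIP: external address -> mapped address
        self.ports = itertools.count(first_port)  # stand-in for the kernel's NAT port allocator
        self.sessions = {}                        # (peer, peer port, our translated addr, port) -> original flow

    def _record(self, new, original):
        key = (new.dst, new.dport, new.src, new.sport)
        if key in self.sessions and self.sessions[key] != original:
            return None   # translated tuple already in use by another client: cannot accept
        self.sessions[key] = original
        return new

    def outbound(self, flow, policy):
        """internal -> wan1 through a policy with NAT (optionally IP pool and/or fixed port)."""
        if not policy.nat:
            return self._record(flow, flow)
        src = policy.ippool or self.wan_ip
        sport = flow.sport if policy.fixedport else next(self.ports)
        return self._record(Flow(src, sport, flow.dst, flow.dport), flow)

    def inbound_vip(self, flow):
        """wan1 -> dmz with the VIP as destination and NAT not selected: DNAT only, source untouched."""
        mapped = self.vips.get(flow.dst)
        if mapped is None:
            return None   # not an address we publish
        return self._record(Flow(flow.src, flow.sport, mapped, flow.dport), flow)

    def reply(self, flow):
        """Reply from the server: only the session table knows the original addresses."""
        original = self.sessions.get((flow.src, flow.sport, flow.dst, flow.dport))
        if original is None:
            return None   # no matching session: unsolicited packet, dropped
        return Flow(original.dst, original.dport, original.src, original.sport)


def snat_demo():
    client = Flow("10.10.10.1", 1025, "172.16.1.1", 80)
    other = Flow("10.10.10.5", 1025, "172.16.1.1", 80)   # second client, same source port
    plain = NatGateway("192.168.2.2")
    pool = NatGateway("192.168.2.2", first_port=30957)
    fixed = NatGateway("192.168.2.2")
    return {
        "nat": plain.outbound(client, NatPolicy()),
        "nat+pool": pool.outbound(client, NatPolicy(ippool="172.16.12.12")),
        "nat+pool+fixedport": pool.outbound(client, NatPolicy(ippool="172.16.12.12", fixedport=True)),
        "nat+fixedport": fixed.outbound(client, NatPolicy(fixedport=True)),
        "second client, fixedport, no pool": fixed.outbound(other, NatPolicy(fixedport=True)),
        "reply to client": plain.reply(Flow("172.16.1.1", 80, "192.168.2.2", 30912)),
    }


def dnat_demo():
    gw = NatGateway("172.16.1.1", vips={"172.16.1.1": "192.168.1.100"})
    return {
        "inbound": gw.inbound_vip(Flow("10.10.10.1", 1025, "172.16.1.1", 80)),
        "reply": gw.reply(Flow("192.168.1.100", 80, "10.10.10.1", 1025)),
        "unsolicited": gw.reply(Flow("192.168.1.100", 80, "10.10.10.9", 4444)),
    }
```

The `None` returned for the second fixed-port client is the "one connection to that service at a time" limit from the slides made concrete, and the `None` for the unsolicited reply is why a DNAT rule alone does not let an outside host reach the dmz server with arbitrary packets: without a session, nothing is forwarded.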

Server Load Balancing
- Dynamic one-to-many NAT mapping: one external IP address is translated to one of several mapped IP addresses
- The mapped address is determined by the load-balancing algorithm, so the external address is not always translated to the same mapped address
- Example (clients 10.10.10.1, 10.10.10.2 and 10.10.10.3 on the Internet; VIP of type ServerLB on interface wan1, external address 172.16.1.1 mapped to 192.168.1.100, 192.168.1.101 and 192.168.1.200 on the dmz; firewall policy with destination address = VIP):
    Original:  Source IP 10.10.10.3, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
    New:       Source IP 10.10.10.3, Source Port 1025, Destination IP 192.168.1.200, Destination Port 80

Protection Profiles
- Control all content filtering: a group of protection settings applied to the traffic a policy accepts
- The types and levels of protection can be customized for each policy
- Enable settings for: protocol recognition, antivirus, IPS, web filtering, spam filtering, data leak prevention sensor, application control, logging

Default Protection Profiles
- Strict: maximum protection
- Scan: virus scanning of HTTP, FTP, IMAP, POP3 and SMTP
- Web: virus scanning and web content blocking of HTTP
- Unfiltered: no scanning, blocking or IPS

Traffic Shaping
- Controls the bandwidth available to the traffic processed by a firewall policy and decides which policies have higher priority
- Improves the quality of bandwidth-intensive traffic but does NOT increase the total bandwidth available

Token Bucket Filter
- A dampening function: it delays traffic by buffering bursts rather than scheduling it
- The configured rate is never exceeded

Token Bucket Filter Mechanism
- The bucket has a specified capacity; tokens are added to it at the mean rate
- If the bucket is full, newly arriving tokens are discarded
- Each packet requests a number of tokens equal to its size; if the bucket does not hold enough, the packet is buffered until it does
- The flow can never send a burst larger than the capacity of the bucket, and its overall transmission rate cannot exceed the rate at which tokens are placed in the bucket
- Diagram: data packets from the end users enter the regulator on the FortiGate unit, are held in the buffer, and are released toward the destination network as tokens become available in the token bucket
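The mechanism above as a simulation, added here as an example that is not FortiGate code or part of the course material. It adds one thing the slides only state: a check that what was actually released never exceeds capacity + rate * T in any interval of length T, which is the precise form of "the configured rate is never exceeded". Rates, sizes and the buffer limit are constructed values.

```python
"""Token bucket traffic shaper with a finite buffer (added example; not FortiGate code)."""
from collections import deque


class TokenBucketShaper:
    def __init__(self, rate, capacity, buffer_limit):
        self.rate = rate                  # tokens (bytes) added per second: the mean rate
        self.capacity = capacity          # bucket size: the largest burst that can pass at once
        self.tokens = capacity            # bucket starts full
        self.buffer_limit = buffer_limit  # bytes the regulator can hold before dropping
        self.queue = deque()              # buffered packet sizes, FIFO
        self.queued = 0
        self.last = 0.0
        self.sent = []                    # (time, size) of every released packet
        self.dropped = 0

    def _refill(self, now):
        # Tokens arrive at the mean rate; once the bucket is full, new tokens are discarded.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def _drain(self, now):
        # Release buffered packets in order while the head of the queue can pay for itself.
        while self.queue and self.queue[0] <= self.tokens:
            size = self.queue.popleft()
            self.queued -= size
            self.tokens -= size
            self.sent.append((now, size))

    def arrive(self, now, size):
        self._refill(now)
        self._drain(now)
        if not self.queue and size <= self.tokens:
            self.tokens -= size          # enough tokens: forwarded immediately
            self.sent.append((now, size))
        elif self.queued + size <= self.buffer_limit:
            self.queue.append(size)      # not enough tokens: buffered
            self.queued += size
        else:
            self.dropped += 1            # buffer full (the physical limit): packet dropped

    def tick(self, now):
        """Time passes with no arrivals: tokens accumulate and buffered packets drain."""
        self._refill(now)
        self._drain(now)


def respects_bound(shaper):
    """Token-bucket guarantee checked on what was actually sent: in any interval of
    length T the bytes released never exceed capacity + rate * T."""
    sends = shaper.sent
    for i in range(len(sends)):
        total = 0
        for j in range(i, len(sends)):
            total += sends[j][1]
            if total > shaper.capacity + shaper.rate * (sends[j][0] - sends[i][0]) + 1e-9:
                return False
    return True


def burst_demo():
    """Six 1000-byte packets arrive at once against a 1000 B/s rate, 1500 B bucket, 3000 B buffer."""
    shaper = TokenBucketShaper(rate=1000, capacity=1500, buffer_limit=3000)
    for _ in range(6):
        shaper.arrive(0.0, 1000)
    for t in (0.5, 1.5, 2.5):
        shaper.tick(t)
    return shaper
```

In the demo one packet passes immediately on the bucket's stored tokens, three are buffered and released at 0.5 s, 1.5 s and 2.5 s, and the last two are dropped because the buffer is full: the burst is smoothed to the mean rate, and the drops are the cost the Traffic Shaping Considerations slide warns about.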

Traffic Shaping Considerations
- Shaping attempts to normalize traffic peaks and to prioritize certain flows over others
- There is a physical limit to how much data can be buffered; beyond it packets are dropped and sessions are affected
- The performance of one traffic flow may be sacrificed to guarantee the performance of another
- Not effective in high-traffic situations where the traffic exceeds the FortiGate unit's capacity: packets must actually be received to be subject to shaping
- If no shaping is applied to a policy, its traffic defaults to high priority

Disclaimers
- The user must accept the disclaimer before connecting
- Used together with authentication or a protection profile
- Can redirect to a URL after authentication

Lab
- Creating firewall policy objects
- Configuring firewall policies
- Testing firewall policies
- Configuring virtual IP access
- Debug flow

Agenda

- Introduction
- Overview and System Setup
- FortiGuard Subscription Services
- Logging and Alerts
- Firewall Policies
- Basic VPN
- Authentication
- Antivirus
- Spam Filtering
- Web Filtering

Lesson 5: Basic VPN

Virtual Private Networks (VPN)
- Use a public network to provide access to a private network
- Provide confidentiality and integrity of data through authentication, encryption and restricted access

FortiGate VPN types
- Secure Socket Layer (SSL) VPN: access through a web browser
- Point-to-Point Tunneling Protocol (PPTP): Windows standard
- Internet Protocol Security (IPSec) VPN: dedicated VPN client software required; well suited for legacy applications that are not web-based

SSL VPN Operating Modes
- Web-only mode: web browser only; a secure connection between the browser and the FortiGate unit, which acts as the gateway and authenticates the users
- Tunnel mode: VPN client software downloaded as an ActiveX control; the FortiGate unit assigns the client an IP address from a range of reserved addresses

User Accounts
- Users must have a user account assigned to an SSL VPN user group
- Users must authenticate: username and password, RADIUS, TACACS+, LDAP or digital certificates
- The user group provides access to the firewall policy
- Split tunneling available: only traffic destined for the tunnel is routed over the VPN

Web-Only Configuration
- Enable SSL VPN
- Create user accounts and assign them to a user group
- Create the firewall policy
- Set up logging (optional)

Tunnel Mode Configuration
- Enable SSL VPN
- Specify the tunnel IP range
- Create the user group
- Create the firewall policy

SSL VPN Settings
- Tunnel IP Range: the range of IP addresses reserved for SSL VPN clients
- Server Certificate and Require Client Certificate: the certificates must be installed first
- Encryption Key Algorithm
- Idle Time-out
- Client Authentication Time-Out (CLI only)
- Portal Message
- Advanced: DNS and WINS servers

Firewall Policies
- At least one SSL VPN firewall policy is required
- Specify the originating IP address and the IP address of the intended recipient or network

- Configuration steps: specify the source and destination IP addresses, the level of encryption and the authentication method, then bind the user group to the policy

Firewall Addresses
- Web-only mode: predefined source address ALL; the destination is the address the remote client needs to reach (the entire private network, a range of private IPs, or the private IP of one host)
- Tunnel mode: the source is the range of IP addresses allowed to connect to the FortiGate, which restricts who can reach it; the destination is as above

Configuring Web-Only Firewall Policies
- Specify the destination IP address: name, type (subnet or IP range), interface
- Define the policy: action SSL-VPN, add the user group

Configuring Tunnel-Mode Firewall Policies
- Specify the source IP addresses that may connect to the FortiGate
- Specify the destination IP addresses the clients need to access
- Specify the level of encryption and the authentication type
- Bind the user group to the policy (tunnel interface ssl.root)

SSL VPN Bookmarks
- Hyperlinks to frequently accessed applications in web-only mode; the FortiGate forwards the connection request to the servers
- Configured under VPN > SSL > Portal

Connecting to the SSL VPN
- Browse to https://<FortiGate address>:10443 (the port is customizable)
- The SSL-VPN web portal page is displayed with its bookmarks; what appears is pre-determined by the administrator's settings in User > User Group and VPN > SSL > Portal > Settings

PPTP VPN
- Based on the Point-to-Point Protocol (PPP): the PPP software operates on tunneled links and PPP packets are encapsulated within IP packets
- PPTP packets are not cryptographically protected: they are neither authenticated nor integrity protected
- The FortiGate unit assigns the client an IP address from a reserved range, used for the duration of the connection
- The FortiGate unit disassembles the PPTP packet and forwards it to the correct computer on the internal network

PPTP VPN deployment
- The FortiGate unit can act as the PPTP server for PPTP clients on the Internet
- Or the FortiGate unit can forward PPTP packets from the clients to a PPTP server on the internal network

PPTP Server Configuration
- Configure user authentication for the PPTP clients
- Enable PPTP on the FortiGate unit
- Configure the PPTP server
- Configure the client

PPTP Pass-Through Configuration
- Configuration required to forward PPTP packets to an internal PPTP server
- Define a virtual IP that points to the PPTP server
- Configure the firewall policy
- Configure the client

IPSec VPN
- An industry-standard set of protocols operating at layer 3, so applications do not need to be designed to use IPSec
- IP packets are encapsulated in IPSec packets; the header of the new packet refers to the end point of the tunnel
- Phase 1: establish the connection and authenticate the VPN peer
- Phase 2: establish the tunnel

IPSec Protocols
- Authentication Header (AH): authenticates the identity of the sender and the integrity of the data; the entire packet is signed, including the IP header (except its mutable fields such as TTL and checksum). AH provides no encryption
- Encapsulating Security Payload (ESP): encrypts the data and signs only the ESP header and payload; the outer IP header is not covered by the signature

Authentication Header (AH), transport mode layout:

    | Original IP Header | Authentication Header | TCP Header | Data |
    |<-------------------------- authenticated -------------------------->|

Encapsulating Security Payload (ESP), tunnel mode layout:

    | New IP Header | ESP Header | Original IP Header | TCP Header | Data | ESP Trailer | ESP Authentication Trailer |
                                 |<------------------- encrypted ------------------------>|
                    |<------------------------------ authenticated -------------------------->|

Modes of Operation
- Tunnel mode: the entire IP packet is encrypted and/or authenticated, then encapsulated in a new IP packet for routing
- Transport mode: only the data in the packet is encrypted and/or authenticated; the IP header is not modified or encrypted

Security Association (SA)
- Defines the bundle of algorithms and parameters used to encrypt and authenticate a one-directional data flow
- An agreement between two computers about what data is exchanged and how it is protected
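The AH and ESP coverage shown in the layouts above, built as bytes so the difference is observable, as an added example that is not FortiGate code or part of the course material. It uses only the Python standard library: HMAC-SHA256 truncated to 96 bits stands in for the IPsec ICV, and a SHA-256 counter keystream stands in for ESP's block cipher (real IPsec uses AES or 3DES); keys, SPIs and addresses are constructed. The consequence it demonstrates, that rewriting the outer source address invalidates AH but not ESP, follows directly from what each protocol signs.

```python
"""AH vs ESP integrity coverage in tunnel mode (added example; not FortiGate code)."""
import hashlib
import hmac
import socket
import struct

KEY_AUTH = b"constructed-integrity-key"   # stand-in for the SA's integrity key
KEY_ENC = b"constructed-encryption-key"   # stand-in for the SA's encryption key
ESP_PROTO, AH_PROTO, TCP_PROTO, IPV4_NEXT = 50, 51, 6, 4
ICV_LEN = 12                              # 96-bit truncated HMAC, as in HMAC-SHA1-96


def ip_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left 0 (it is a mutable field anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_immutable_view(hdr):
    """AH covers the IP header with the fields routers may change zeroed (TOS, flags/fragment
    offset, TTL, checksum). Source and destination addresses stay covered."""
    return hdr[0:1] + b"\x00" + hdr[2:6] + b"\x00\x00\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:20]


def icv(data):
    return hmac.new(KEY_AUTH, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_tunnel(inner, outer_src, outer_dst, spi, seq):
    ah_len = 12 + ICV_LEN
    outer = ip_header(outer_src, outer_dst, AH_PROTO, ah_len + len(inner))
    ah_fixed = struct.pack("!BBHII", IPV4_NEXT, ah_len // 4 - 2, 0, spi, seq)
    mac = icv(ah_immutable_view(outer) + ah_fixed + bytes(ICV_LEN) + inner)  # whole packet signed
    return outer + ah_fixed + mac + inner


def ah_verify(pkt):
    outer, ah_fixed, mac, inner = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(mac, icv(ah_immutable_view(outer) + ah_fixed + bytes(ICV_LEN) + inner))


def keystream(spi, seq, n):
    blocks = (hashlib.sha256(KEY_ENC + struct.pack("!IIH", spi, seq, i)).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_tunnel(inner, outer_src, outer_dst, spi, seq):
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(pad_len) + struct.pack("!BB", pad_len, IPV4_NEXT)
    body = xor(inner + trailer, keystream(spi, seq, len(inner) + len(trailer)))  # inner header + data encrypted
    esp_hdr = struct.pack("!II", spi, seq)
    mac = icv(esp_hdr + body)             # signs ESP header + ciphertext only; outer IP header not covered
    outer = ip_header(outer_src, outer_dst, ESP_PROTO, len(esp_hdr) + len(body) + ICV_LEN)
    return outer + esp_hdr + body + mac


def esp_open(pkt):
    """Verify the ICV, then decrypt; returns the inner packet or None."""
    esp_hdr, body, mac = pkt[20:28], pkt[28:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(mac, icv(esp_hdr + body)):
        return None
    spi, seq = struct.unpack("!II", esp_hdr)
    plain = xor(body, keystream(spi, seq, len(body)))
    pad_len = plain[-2]
    return plain[:len(plain) - 2 - pad_len]


def nat_demo():
    """Protect one inner packet with AH and with ESP, then pass both through a NAT router
    that rewrites the outer source address and decrements the TTL."""
    inner = ip_header("192.168.1.10", "10.0.0.5", TCP_PROTO, 8) + b"TCP+data"
    ah = ah_tunnel(inner, "203.0.113.1", "198.51.100.1", 0x100, 1)
    esp = esp_tunnel(inner, "203.0.113.1", "198.51.100.1", 0x200, 1)

    def nat(pkt):
        return ip_header("192.0.2.7", "198.51.100.1", pkt[9], len(pkt) - 20, ttl=63) + pkt[20:]

    return {
        "ah_valid": ah_verify(ah), "ah_valid_after_nat": ah_verify(nat(ah)),
        "esp_valid": esp_open(esp) == inner, "esp_valid_after_nat": esp_open(nat(esp)) == inner,
        "ah_exposes_inner": inner in ah, "esp_exposes_inner": inner in esp,
    }
```

The TTL change alone would not break AH, since TTL is zeroed before signing; the rewritten source address is what fails the check. The same run shows that AH leaves the original IP header and TCP payload readable on the wire, while ESP hides them.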

Internet Key Exchange (IKE)
- Allows two parties to set up SAs and the secret keys that protect them
- Uses the Internet Security Association and Key Management Protocol (ISAKMP) as the framework for establishing SAs
- Two distinct phases: Phase 1 and Phase 2

Phase 1
- Authenticate the computers involved in the transaction
- Negotiate the SA policy between the computers
- Perform a Diffie-Hellman key exchange
- Set up the secure channel that protects the Phase 2 negotiation
- Main mode (three exchanges, six messages): the algorithms are agreed upon, secret keys and nonces are generated, and the other side's identity is verified under the protection of the keys just derived
- Aggressive mode (one exchange, three messages): everything needed to complete the negotiation is sent at once, so the peer identities travel unprotected

Phase 2
- Negotiate the SA parameters that set up the secure tunnel
- SAs are renegotiated regularly

Gateway-to-Gateway Configuration
- A tunnel between two separate private networks
- All traffic selected by the firewall policies is encrypted
- FortiGate units at both ends must be in NAT/Route mode

- Topology: Site 1 behind FortiGate 1, Site 2 behind FortiGate 2, tunnel across the Internet

Gateway-to-Gateway Configuration
- The FortiGate receives a connection request from the remote peer and uses the IPSec Phase 1 parameters to establish a secure connection and authenticate the peer
- If the policy permits, the tunnel is established using the IPSec Phase 2 parameters and the policy is applied
- Configuration steps: define the Phase 1 parameters, define the Phase 2 parameters, create the firewall policies

Defining Phase 1 Parameters

Authenticating the FortiGate Unit
- The FortiGate authenticates itself to the remote peers with one of:
- Pre-shared key: all peers must use the same key
- Digital certificates: must be installed on the peer and on the FortiGate

Authenticating Remote Clients
- Permit access using trusted certificates (FortiGate configured for certificate authentication)
- Permit access using a peer identifier
- Permit access using a pre-shared key (each peer or client must have a user account)
- Permit access using a peer identifier and a pre-shared key (each peer or client must have a user account)

XAuth Authentication
- A separate exchange at the end of Phase 1 that adds user-level authentication for increased security
- Draws on the existing FortiGate user group definitions
- The FortiGate can be the XAuth server or the XAuth client

IKE Negotiation Parameters

Defining Phase 2 Parameters

Firewall Policies
- Policies are needed to control the services and the direction of traffic; firewall addresses are needed for each private network
- Policy-based VPN: the policy specifies the interface to the private network, the remote peer and the VPN tunnel; a single policy covers inbound, outbound or both directions
- Route-based VPN: creates a virtual IPSec interface on the interface that connects to the remote peer; requires an ACCEPT policy for each direction

Lab
- Configuring SSL VPN for full access (web portal and tunnel mode)
- Configuring a basic gateway-to-gateway VPN

Lesson 6: Authentication

Authentication
- The user or administrator is prompted to identify themselves so that only allowed individuals perform actions
- Can be configured for:
  - Any firewall policy with action ACCEPT
  - PPTP and L2TP VPNs
  - Dial-up IPSec VPNs set up as an XAuth server
  - Dial-up VPNs that accept a user group as the peer ID

Authentication Methods
- Local user: user names and passwords used to authenticate are stored on the FortiGate
- Remote: use existing systems to authenticate: RADIUS, LDAP, PKI, Windows Active Directory, TACACS+

Users and User Groups
- Authentication is based on user groups: a user is created (on the FortiGate or on an external authentication server) and then added to groups
- A user group can have users or authentication servers as members
- Specify the allowed groups for each resource that requires authentication
- A group is associated with a protection profile

User Group Types
- Firewall: access to a firewall policy that requires authentication; the FortiGate requests a user name and password (or certificate)
- Directory Service: allows access to users in directory service groups who are already authenticated (single sign-on); requires FSAE
- SSL VPN: access to a firewall policy that requires SSL VPN authentication

Authentication overrides

- A user who requires access to a blocked site can override the block for a period of time
- A link to authenticate is presented

Authentication Settings

PKI Authentication
- A valid certificate is required; SSL is used for the secure connection
- Trusted certificates are installed on both the FortiGate and the client

RADIUS Authentication
- User credentials are sent to the RADIUS server for authentication
- A shared key protects the exchange (in RADIUS only the password attribute is obfuscated with it; the other attributes travel in clear)
- Primary and secondary servers are identified on the FortiGate unit

LDAP Authentication
- User credentials are sent to the LDAP server for authentication; the LDAP server's details are identified on the FortiGate

TACACS+ Authentication
- User credentials are sent to the TACACS+ server for authentication
- Choice of authentication types: Auto, ASCII, PAP, CHAP, MSCHAP

Microsoft Active Directory Authentication
- Transparently authenticates users: the Fortinet Server Authentication Extensions (FSAE) pass the authentication information to the FortiGate
- The user signs in once to Windows and receives no authentication prompts from the FortiGate

FSAE Components
- Domain Controller Agent: installed on every domain controller; monitors user logons and sends them to the Collector Agent
- Collector Agent: installed on at least one domain controller; sends the collected information to the FortiGate

FSAE Configuration on Microsoft AD
- Configure the Microsoft AD user groups; all members of a group have the same access level
- FSAE only sends Domain Local Security Groups and Global Security Groups to the FortiGate
- Configure the Collector Agent settings: domain controllers to monitor; global ignore list (exclude system accounts); group filters (control which logon information is sent to the FortiGate)

FSAE Configuration on FortiGate
- Configure the Collector Agents: the FortiGate must reach at least one collector agent; up to five can be listed
- Configure user groups: AD groups are added to FortiGate user groups
- Configure the firewall policy: allow guests (users not listed in AD); protection profile for the FSAE firewall policy

Labs
- Firewall policy authentication
- Adding user disclaimers and redirecting URLs

Lesson 7: Antivirus

Antivirus
- Detects and eliminates viruses, worms and spyware
- Scans HTTP and FTP traffic, and SMTP, POP3 and IMAP mail

Antivirus Elements
- File filter: file pattern and file type recognition
- Virus scan: virus definitions kept up to date through FortiGuard Subscription Services
- Grayware
- Heuristics: detect virus-like behavior

File Filter
- File pattern: matches the file name, extension or a pattern; built-in patterns or custom ones
- File type: analyzes the file content to determine its type regardless of the name; the types are pre-configured
- Actions: allow, or block (a replacement message is sent to the user)
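The difference between the two file filter elements, as an added example that is not FortiGate code or part of the course material: a name-pattern rule is defeated by renaming the file, while type recognition looks at the content. The magic-byte table, the rule objects and the sample files are constructed for the illustration.

```python
"""File pattern vs file type filtering (added example; not FortiGate code)."""
import fnmatch
from dataclasses import dataclass

# Constructed magic-byte table used for file type recognition: prefix -> type name.
MAGIC = {b"MZ": "exe", b"\x7fELF": "elf", b"PK\x03\x04": "zip", b"%PDF": "pdf"}


def file_type(data):
    """Determine the type from content, not from the name."""
    for prefix, name in MAGIC.items():
        if data.startswith(prefix):
            return name
    return "unknown"


@dataclass
class FileFilterRule:
    kind: str     # "pattern": wildcard on the file name; "type": recognized content type
    value: str
    action: str   # "allow" or "block"


def apply_file_filter(rules, filename, data):
    """First matching rule decides; with no match the file is allowed and goes on to virus scanning."""
    for rule in rules:
        if rule.kind == "pattern":
            hit = fnmatch.fnmatchcase(filename.lower(), rule.value.lower())
        else:
            hit = file_type(data) == rule.value
        if hit:
            return rule.action, rule
    return "allow", None


PATTERN_ONLY = [FileFilterRule("pattern", "*.exe", "block"), FileFilterRule("pattern", "*.bat", "block")]
WITH_TYPE = PATTERN_ONLY + [FileFilterRule("type", "exe", "block")]

# Constructed samples: the first is the start of a Windows executable saved under a harmless name.
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
PLAIN_TEXT = b"quarterly report\n"


def demo():
    return {
        "setup.exe / pattern rules": apply_file_filter(PATTERN_ONLY, "setup.exe", RENAMED_EXE)[0],
        "report.txt / pattern rules": apply_file_filter(PATTERN_ONLY, "report.txt", RENAMED_EXE)[0],
        "report.txt / pattern + type": apply_file_filter(WITH_TYPE, "report.txt", RENAMED_EXE)[0],
        "notes.txt / pattern + type": apply_file_filter(WITH_TYPE, "notes.txt", PLAIN_TEXT)[0],
    }
```

The second result is the gap a pattern-only filter leaves: the renamed executable is allowed because nothing inspects its bytes. Adding the type rule closes it without touching the legitimate text file.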

Enabling File Filtering

File Name Pattern Filtering

File Type Filtering

File Pattern Filtering

Virus Scan
- Virus definitions are used to detect and eliminate threats and are updated regularly
- A FortiGuard Subscription Services license is required

Updating Antivirus Definitions

Grayware
- Unsolicited commercial software, often installed without the user's consent
- The FortiGate scans for grayware in the enabled categories; categories and content are updated regularly

Grayware Categories
- Adware: pop-up advertising content
- Browser Helper Objects: add capabilities to the browser
- Dialers: unwanted calls through a modem or Internet connection
- Downloaders: retrieve files
- Games
- Hacker Tools: subvert network and host security
- Hijackers: manipulate settings
- Jokes
- Key loggers: log input for later retrieval
- Misc: uncategorized (multiple functionalities)
- NMT (Network Management Tool): can cause network disruption
- P2P: file exchanges that may carry viruses
- Plugins: add features to an existing application
- Remote Administration Tools (RAT): remotely change or monitor a computer on the network
- Toolbars: augment the capabilities of the browser

Spyware
- A component of adware that tracks user activities online and reports them to a central server
- Used to target advertising based on online habits

Quarantine
- Quarantines blocked or infected files on a FortiGate unit with a hard drive or on a FortiAnalyzer
- Files can be uploaded to Fortinet for analysis

Proxies
- The proxy intercepts all connection requests and responses
- The response is buffered and scanned before it is flushed to the client
- Splicing (FTP uploads and the email protocols SMTP, POP3, IMAP): prevents the client from timing out; part of the data is passed on while the rest is buffered and scanned, and the final part is sent only if the content is clean
- Client comforting (HTTP and FTP downloads): prevents the client from timing out while the file is buffered and scanned by the FortiGate; can give the user a visual indication that progress is being made

Scanning Options

Lab
- Configuring global antivirus settings
- Configuring a protection profile
- Testing protection profile settings for HTTP/FTP antivirus scanning

Lesson 8: Spam Filtering

Spam Filtering
- Manages unsolicited bulk email: detects spam messages and identifies transmissions from known or suspected spam servers

Spam Filtering Methods
- IP address check: verifies the source IP address against a list of known spammers
- URL check: extracts the URLs from the message and verifies them against a list of spam sources
- Email checksum check: calculates a checksum of the message and verifies it against a list of known spam messages
- Spam submission: informs FortiGuard
- Black/white list: checks incoming IP and email addresses against a configured list
- HELO DNS lookup (SMTP only): checks the source domain name given in HELO against the IP address registered in DNS
- Return email DNS check: checks the domain of the incoming return address against its registered IP in DNS
- Banned word: checks the email against a banned word list
- MIME headers check: checks the MIME headers against a list
- DNSBL and ORDBL: checks the email against the configured DNS blacklist servers

FortiGuard Antispam Global Filters
- FortiIP: sender IP reputation database; the reputation of an IP is based on properties related to the address, such as the email volume from the sender compared with its historical pattern
- FortiSig: spam signature database
  - FortiSig1: spamvertised URLs
  - FortiSig2: spamvertised email addresses
  - FortiSig3: spam checksums
- FortiRule: heuristic rules (FortiMail only)

Customized Filters

Compliment FortiGuard Banned word lists Local black/white list Heuristic rules Bayesian FortiMail only Page: 325 Enabling Antispam Page: 326

Spam Actions Tag or discard spam email Add custom text to subject or instead MIME header and value Only discard if SMTP and virus check enabled Spam actions logged Page: 327 Banned Word Block messages containing specific words or patterns Values assigned to matches If threshold exceeded, messages marked as spam

Perl regular expressions and wildcards can be used Page: 328-334 Black/White List IP address filtering Compare IP address of sender to IP address list If match, action is taken Email address filtering Compare email address of sender to email address list If match, action is taken Page: 335

Configuring IP Address List Page: 336-338 Configuring Email Address List Page: 339-342 MIME Headers Check MIME headers added to email Describe content type and encoding Malformed headers can fool spam or virus filters Compare MIME header key-value of incoming email to list If match, action is taken
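As an added illustration (not code from the course or from FortiGate), the following Python applies several of the spam filtering methods listed above to one SMTP message: IP and email address black/white lists, the MIME headers check, the HELO DNS lookup and the return email DNS check. The lists and the stand-in DNS table are constructed, and the precedence (white list consulted first, then the other checks in order) is an assumption of this example.

```python
import email
from email import policy
from email.utils import parseaddr

# All values below are constructed for this example; none come from
# FortiGate or FortiGuard. IPs are taken from RFC 5737 documentation ranges.
IP_WHITELIST = {"198.51.100.2"}
IP_BLACKLIST = {"203.0.113.7"}
ADDR_BLACKLIST = {"deals@spam.example"}
# Header key/value pairs treated as spam markers (the "MIME headers check").
MIME_BLOCKLIST = {("X-Mailer", "BulkSender 1.0")}
# Stand-in for DNS: name -> A records. A real filter would query a resolver;
# the dict keeps the example offline.
FAKE_DNS = {
    "mx.good.example": ["198.51.100.20"],
    "good.example": ["198.51.100.10"],
}

def helo_dns_check(helo_name, source_ip, dns=FAKE_DNS):
    """HELO DNS lookup: the HELO/EHLO name must resolve to the source IP."""
    return source_ip in dns.get(helo_name.lower(), [])

def return_dns_check(return_addr, dns=FAKE_DNS):
    """Return email DNS check: the envelope sender's domain must resolve."""
    domain = return_addr.rpartition("@")[2].lower()
    return bool(dns.get(domain))

def classify(raw, source_ip, helo_name, return_addr, dns=FAKE_DNS):
    """Return (verdict, reason) for one message.
    The white list is consulted first (assumed precedence), so a listed
    source skips every other check; black-listed sources are rejected
    before the message is even parsed."""
    if source_ip in IP_WHITELIST:
        return "pass", "ip whitelist"
    if source_ip in IP_BLACKLIST:
        return "spam", "ip blacklist"
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in ADDR_BLACKLIST:
        return "spam", "email address blacklist"
    for key, value in MIME_BLOCKLIST:
        if str(msg.get(key, "")).strip() == value:
            return "spam", f"mime header {key}"
    if not helo_dns_check(helo_name, source_ip, dns):
        return "spam", "helo name does not resolve to source ip"
    if not return_dns_check(return_addr, dns):
        return "spam", "return address domain does not resolve"
    return "pass", "clean"
```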

(Page 343)

DNSBL and ORDBL (Page 344)
- Published lists of suspected spammers
- Add subscribed servers
- Define action

FortiMail Antispam (Page 345)
- Enhanced set of features for detecting and blocking spam
- Some techniques not available in FortiGate
- Stand-alone antispam system
- Can be second layer in addition to FortiGate
- Legacy virus protection
- Email quarantine

Agenda
- Introduction
- Overview and System Setup
- FortiGuard Subscription Services
- Logging and Alerts
- Firewall Policies
- Basic VPN
- Authentication
- Antivirus
- Spam Filtering
- Web Filtering

Lesson 9: Web Filtering

Web Filtering (Page 349)
- Process web content to block inappropriate or malicious content
- Categorized content: 76 categories, 40 million domains, billions of web pages
- Automated updates
- Check web addresses against list
- Customizable

Order of Filtering (Page 349)
1. URL Filtering: Exempt, Block, Allow
2. FortiGuard Web Filtering
3. Content Exempt (customizable)
4. Content Block (customizable)
5. Script Filter

Web Content Block (Page 350-353)
- Block specific words or patterns
- Score assigned to pattern
- Page blocked if score is greater than threshold
- Perl regular expressions or wildcards can be used

Web Content Block (Page 352)

Web Content Exemption (Page 354-357)
- Override web content block
- Even if banned words appear

Web Content Exemption (Page 356)

Enabling Web Filtering (Page 358)

URL Filter (Page 359-362)
- Block specific pages
- Displays replacement message
- Text, regular expressions and wildcards can be used

URL Filter (Page 361)
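The scoring described on the Banned Word slide (Lesson 8) and on the Web Content Block and Web Content Exemption slides above is the same mechanism: each matching pattern contributes its assigned value, the sum is compared with a threshold, and an exemption overrides the block even when banned words appear. The following Python is an added example, not course or FortiGate code; the patterns, scores and exemption text are constructed, and wildcard entries are translated to regular expressions the way a filename glob would be.

```python
import fnmatch
import re

# Constructed example entries; FortiGate ships none of these. Each banned
# entry is (pattern, score, kind) where kind is "regex" (Perl-style) or
# "wildcard" (* and ? as in a glob).
BANNED = [
    (r"\bfree\s+money\b", 20, "regex"),
    (r"click\s+here", 5, "regex"),
    ("*viagra*", 15, "wildcard"),
    (r"\bwinner\b", 10, "regex"),
]
# Exemption patterns override a block even when banned words also match.
EXEMPT = [(r"^\s*From the compliance team", "regex")]

def compile_pattern(pattern, kind):
    """Turn a banned/exempt entry into a compiled, case-insensitive regex."""
    if kind == "wildcard":
        pattern = fnmatch.translate(pattern)
    elif kind != "regex":
        raise ValueError(f"unknown pattern kind: {kind}")
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)

def content_score(text, banned=BANNED):
    """Sum the values of every banned pattern that matches at least once.
    Returns (total, [matched patterns]) so the decision can be logged."""
    total, hits = 0, []
    for pattern, score, kind in banned:
        if compile_pattern(pattern, kind).search(text):
            total += score
            hits.append(pattern)
    return total, hits

def decide(text, threshold, banned=BANNED, exempt=EXEMPT):
    """Return "exempt", "block" or "allow" for one message body or page.
    Exemptions are evaluated first, matching the filtering order on the
    slides (content exempt is checked before content block)."""
    for pattern, kind in exempt:
        if compile_pattern(pattern, kind).search(text):
            return "exempt"
    total, _ = content_score(text, banned)
    return "block" if total > threshold else "allow"
```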

FortiGuard Web Filter (Page 363)
- Managed web filtering solution
- Web pages rated and categorized
- Determines category of site
- Follows firewall policy: allow, block, log, or override
- Ratings based on: text analysis, exploitation of web structure, human raters

Web Filtering Categories (Page 364)
- Categories based on suitability for enterprises, schools, and home
  - Potentially liable
  - Controversial
  - Potentially non-productive
  - Potentially bandwidth consuming
  - Potential security risks
  - General interest
  - Business oriented
  - Others

Web Filtering Classes (Page 365)
- Classify web page based on media type or source
- Further refine web access
- Prevent finding material
- Classes:
  - Cached contents
  - Image search
  - Audio search
  - Video search
  - Multimedia search
  - Spam URL
  - Unclassified

Enabling FortiGuard Web Filtering (Page 366)

Enabling FortiGuard Web Filtering Options (Page 367-368)

Web Filtering Overrides (Page 369)
- Give user ability to override firewall filter block
- Administrative overrides
- User overrides
- Override permissions configured at user group level or with override rules
- User group level overrides
  - Group of users have same level of overrides
  - Assumes authentication enabled on policy
- Override rules
  - Fine granularity
  - Access domain, directory or category

Allowing Override at User Group Level (Page 370)

Configuring Override Rules (Directory or Domain) (Page 371-372)

Configuring Override Rules (Category) (Page 373)

Web Filtering Override Page (Page 375)

Web Filtering Authentication Page (Page 375)

Local Ratings (Page 376)
- Administrator controlled block of web sites
- Per protection profile basis

Local Categories (Page 377)
- Administrator controlled block on group of web sites
- Per protection profile basis

Thank you for attending.
