FortiGate Multi-Threat Security Systems I Course 201 - Administration, Content Inspection and VPNs.
Module Objectives
• By the end of this module, participants will be able to:
»Identify the major features of the FortiGate Unified Threat Management appliance
»Modify administrative access restrictions on an interface
»Create and manage administrative users
»Create and manage administrator access profiles
»Backup and restore configuration files
»Create a DHCP server on a FortiGate device interface
»Upgrade or downgrade a FortiGate unit’s firmware
The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc
2. Course 201 - Administration, Content Inspection and VPNs Introduction
01-50003-0201-20131018-D
Traditional Network Security Solutions
• Many single purpose systems needed to cope with a variety of threats:
»Firewall
»Antivirus
»Antispam
»WAN Optimization
»Web Filtering
»Application Control
»Intrusion Prevention
»VPN

FortiGate Integrated Network Security Platform
• One device (the FortiGate appliance) provides a comprehensive security and networking solution:
»Firewall
»Antivirus
»Antispam
»WAN Optimization
»Web Filtering
»Application Control
»Intrusion Prevention
»VPN
»and more…
Unit Design
• Hardware: purpose-driven hardware
• FortiOS: specialized operating system
• Firewall, AV, Web Filter, IPS, …: security and network-level services
• FortiGuard Subscription Services: automated update service

FortiGate Unit Capabilities
• Firewall
• Antivirus
• Email filtering
• Web filtering
• Intrusion prevention
• Application control
• Data leak prevention
• WAN optimization
• Secure VPN
• Wireless
• Dynamic routing
• Endpoint compliance
• Virtual domains
• Traffic shaping
• High availability
• Logging and reporting
• Authentication
Fortinet Products
• Network Security
»FortiGate appliances: high-end, mid-range and desktop models
• Network Access
»Wireless: FortiWiFi, FortiAP
»Switching: FortiSwitch
»End-point and mobility: FortiClient
»User Identity: FortiAuthenticator, FortiToken
• Infrastructure Security
»Application and Content Delivery: FortiADC
»DDoS Mitigation: FortiDDoS
»Advanced Threat Protection
»Voice and Video: FortiVoice, FortiCamera, FortiRecorder
• Application Security
»FortiMail, FortiWeb, FortiDB
»FortiCache
• Management
»FortiManager, FortiAnalyzer, FortiCloud

FortiGuard Subscription Services
• Global Update service for AV/IPS (update.fortiguard.com)
• Global Live service for FortiGuard WF/AS (service.fortiguard.net)
• FortiGate unit will prefer servers nearby
»Calculates server “distance” based on time zones
• Major server centers in North America as well as Asia and Europe
• Nearest servers are preferred but will adjust based on server load
Device Factory Defaults
• ‘port1’ or ‘internal’ interface will have an IP of 192.168.1.99
• ‘port1’ or ‘internal’ interface will have a DHCP server set up and enabled (on devices that support DHCP servers)
• Default login will always be:
»user: admin
»password: (blank)
• Usernames and passwords are BOTH case sensitive

Device Administration
• Web GUI
• CLI
Administrators
• super_admin profile: full access
• prof_admin profile: full access within a single virtual domain
• custom profile: custom access

Administrator Trusted Hosts
Two Factor Authentication
• Username and Password (one factor) + FortiToken (two factor)

Administrator Two Factor Authentication
Device Configuration
• Device configuration settings can be saved to an external file
»Optional encryption
• The file can be restored to roll back the device to a previous configuration

Per VDOM Configuration File
Interface IPs
• Every used interface on the unit must have an IP assigned (in NAT mode) using one of three methods:
»Manual IP, DHCP assigned, PPPoE

Static Gateway
• There must be at least one default gateway
• If an interface is DHCP or PPPoE, then a gateway can be added to the routing dynamically
DHCP Server Setup

DHCP Server IP Reservation
• IP address reserved and always assigned to the same DHCP host
»Select an IP address or choose an existing DHCP lease to add to the reserved list
»Identify the IP address reservation as either DHCP over Ethernet or DHCP over IPSec
• MAC address of the DHCP host is used to look up the IP address in the IP reservation table
• Found in the “Advanced” settings of the DHCP server, on the interface
DHCP - Activity

FortiGate as a DNS Server
• Resolve DNS lookups from an internal network
• Methods to set up DNS for each interface:
»Forward-only: DNS requests are sent to the DNS servers configured for the unit
»Non-recursive: DNS requests are resolved using a FortiGate DNS database and unresolved DNS requests are dropped
»Recursive: DNS requests will be resolved using a FortiGate DNS database and any unresolved DNS requests will be relayed to the DNS servers configured for the unit
• One DNS database can be shared by all the FortiGate interfaces
»If VDOMs are enabled, a DNS database needs to be created in each VDOM
DNS Forwarding
• FortiGate units can forward (or not) DNS requests sent to their interfaces
»Behavior on each interface is configured separately
• Allows direct control of the DNS
»GUI allows setting to Forward only
»CLI allows Forward, Recursive and Non-recursive behavior

DNS Database Configuration
• DNS zones need to be added when configuring the DNS database
»Each zone has its own domain name
»Zone format defined by RFC 1034 and 1035
• DNS entries are added to each zone
»An entry includes a hostname and the IP address it resolves to
»Each entry also specifies the type of DNS entry:
• IPv4 address (A) or IPv6 address (AAAA)
• name server (NS)
• canonical name (CNAME)
• mail exchange (MX) name
• reverse pointer (PTR) for an IPv4 or IPv6 address
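Added example (not part of the course material or FortiOS) modelling the three per-interface DNS behaviours from the "FortiGate as a DNS Server" and "DNS Forwarding" slides over a zone database holding the record types listed above; every zone, name, address and upstream answer is constructed.

```python
# Toy model of the three per-interface DNS behaviours on the slides (forward-only,
# non-recursive, recursive) over a local DNS database. Added illustration, not
# FortiOS code; every name and address below is constructed.
class Zone:
    def __init__(self, domain, records):
        self.domain = domain                     # zone apex, e.g. "corp.example"
        self.records = {(n.lower(), t): v for n, t, v in records}

    def lookup(self, name, rtype):
        name = name.lower()
        if name != self.domain and not name.endswith("." + self.domain):
            return None                          # name lies outside this zone
        alias = self.records.get((name, "CNAME"))
        if alias and rtype != "CNAME":           # chase a CNAME once for A/AAAA/MX
            name = alias.lower()
        return self.records.get((name, rtype))

def db_lookup(zones, name, rtype):
    """The shared FortiGate DNS database: the first zone holding the name answers."""
    for zone in zones:
        value = zone.lookup(name, rtype)
        if value is not None:
            return value
    return None

UPSTREAM = {("www.example.net", "A"): "203.0.113.10"}  # constructed upstream answers
def upstream_query(name, rtype):
    """Stand-in for the DNS servers configured for the unit."""
    return UPSTREAM.get((name.lower(), rtype))

def resolve_on_interface(mode, zones, name, rtype="A"):
    """Answer for a query arriving on an interface set to `mode`; None = dropped."""
    if mode == "forward-only":       # database ignored, everything goes upstream
        return upstream_query(name, rtype)
    answer = db_lookup(zones, name, rtype)
    if answer is not None:
        return answer
    if mode == "non-recursive":      # unresolved requests are dropped
        return None
    if mode == "recursive":          # unresolved requests are relayed upstream
        return upstream_query(name, rtype)
    raise ValueError(f"unknown DNS mode: {mode}")

# Constructed database: one forward zone plus one reverse (PTR) zone.
ZONES = [
    Zone("corp.example", [
        ("corp.example", "NS", "ns1.corp.example"),
        ("corp.example", "MX", "mail.corp.example"),
        ("mail.corp.example", "A", "10.0.0.25"),
        ("mail.corp.example", "AAAA", "2001:db8::25"),
        ("intranet.corp.example", "CNAME", "web1.corp.example"),
        ("web1.corp.example", "A", "10.0.0.80"),
    ]),
    Zone("0.0.10.in-addr.arpa", [("80.0.0.10.in-addr.arpa", "PTR", "web1.corp.example")]),
]
```

Note that a forward-only interface never consults the local database, so an internal name that only exists there goes unanswered on that interface.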
Firmware Upgrade Steps
• Step 1: Backup and store old configuration (Full config backup from CLI)
• Step 2: Have copy of old firmware available
• Step 3: Have disaster recovery option on standby (especially if remote)
• Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
• Step 5: Double check everything
• Step 6: Upgrade

Firmware Downgrade Steps
• Step 1: Locate pre-upgrade configuration file
• Step 2: Have copy of old firmware available
• Step 3: Have disaster recovery option on standby (especially if remote)
• Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
• Step 5: Double check everything
• Step 6: Downgrade (all settings except those needed for access are lost)
• Step 7: Restore pre-upgrade configuration
Maintainer Access
• Available on all FortiGate devices and some non-FortiGate devices
• Only available through the console port
»Highly secure (requires physical access)
• Only open after a HARD boot
»About 30 seconds (varies by model, by approximately 1 minute)
»Highly secure (soft boot does not activate user)
• User: maintainer
• Password: bcpb<serial number> (all letters in the serial number MUST BE uppercase)
• Can be disabled in the CLI if physical security is a risk:
» config sys global
» set admin-maintainer disable
» end
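As an added defender-side check (not Fortinet code) for the setting above: parse a plain-text FortiOS configuration backup and report whether admin-maintainer has been disabled. It assumes the backup spells the block out as `config system global` (the slide uses the `sys` abbreviation) and that an absent line means the factory default; the sample configuration text is constructed.

```python
# Added audit check, not Fortinet code: read a plain-text FortiOS configuration
# backup and report whether the maintainer account was disabled with the CLI
# from the slide. Backups spell the block out as "config system global"; the
# sample configuration text below is constructed and abbreviated.
from typing import Optional

def global_setting(config_text: str, key: str) -> Optional[str]:
    """Value of `set <key> <value>` inside the top-level `config system global` block."""
    stack = []                                   # names of the currently open config blocks
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif stack == ["system global"] and line.startswith("set "):
            parts = line.split(None, 2)          # "set", key, value
            if len(parts) == 3 and parts[1] == key:
                return parts[2].strip('"')
    return None

def maintainer_disabled(config_text: str) -> bool:
    """True only when `set admin-maintainer disable` is present.
    Assumption: an absent line means the factory default, i.e. the account is available."""
    return global_setting(config_text, "admin-maintainer") == "disable"

def audit(config_text: str) -> str:
    """One-line finding suitable for a configuration review report."""
    if maintainer_disabled(config_text):
        return "OK: maintainer account disabled (admin-maintainer disable)"
    return "FINDING: maintainer account enabled; review physical console security"

# Constructed backup excerpt before and after applying the slide's CLI commands.
CONFIG_BEFORE = """\
config system global
    set hostname "FGT-LAB"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""
CONFIG_AFTER = CONFIG_BEFORE.replace(
    'set hostname "FGT-LAB"\n',
    'set hostname "FGT-LAB"\n    set admin-maintainer disable\n',
)
```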
Console Port
• Depending on the FortiGate model, console port access is provided in the following ways:
»Serial port (older models)
• A standard null modem cable will work for console port access
»RJ-45 port
• An RJ-45-to-serial cable is required for access
»USB 2 port
• Requires FortiExplorer to connect
• Each device ships with the proper console cables