Course 201 - Administration, Content Inspection and VPNs Introduction
01-50003-0201-20131018-D
1
© 2013 Fortinet Inc. All rights reserved.
The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams
or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical
or otherwise, for any purpose, without prior written permission of Fortinet Inc. 01-50003-0201-20131018-D
FortiGate Multi-Threat Security
Systems I
Module 1: Introduction to Fortinet Unified Threat Management
2
Module Objectives
• By the end of this module, participants will be able to:
»Identify the major features of the FortiGate Unified Threat Management appliance
»Modify administrative access restrictions on an interface
»Create and manage administrative users
»Create and manage administrator access profiles
»Backup and restore configuration files
»Create a DHCP server on a FortiGate device interface
»Upgrade or downgrade a FortiGate unit’s firmware
3
Traditional Network Security Solutions
Firewall
Antivirus
Antispam
WAN Optimization
Web Filtering
Application Control
Intrusion Prevention
VPN
• Many single purpose systems needed to
cope with a variety of threats
4
FortiGate Integrated Network Security Platform
Firewall
Antivirus
Antispam
WAN Optimization
Web Filtering
Application Control
Intrusion Prevention
VPN
and more…
• One device provides a comprehensive
security and networking solution
FortiGate Appliance
5
Unit Design
Hardware
Purpose-driven hardware
FortiOS
Specialized operating system
Firewall, AV, Web Filter, IPS …
Security and network-level services
FortiGuard Subscription Services
Automated update service
6
FortiGate Unit Capabilities
Firewall
Antivirus
Email filtering
Web filtering
Intrusion prevention
Application control
Data leak prevention
WAN optimization
Secure VPN
Wireless
Dynamic routing
Endpoint compliance
Virtual domains
Traffic shaping
High availability
Logging and reporting
Authentication
7
Fortinet Products
• Network Security
»FortiGate appliances
• High-end, mid-range and
desktop models
• Network Access
»Wireless: FortiWiFi, FortiAP
»Switching: FortiSwitch
»End-point and mobility:
FortiClient
»User Identity:
FortiAuthenticator, FortiToken
• Infrastructure Security
»Application and Content Delivery:
FortiADC
»DDoS Mitigation: FortiDDoS
»Advanced Threat Protection
»Voice and Video: FortiVoice,
FortiCamera, FortiRecorder
• Application Security
»FortiMail, FortiWeb, FortiDB
»FortiCache
• Management
»FortiManager, FortiAnalyzer,
FortiCloud
8
FortiGuard Subscription Services
• Global Update service for AV/IPS (update.fortiguard.com)
• Global Live service for FortiGuard WF/AS (service.fortiguard.net)
• FortiGate unit will prefer servers nearby
»Calculates server “distance” based on time zones
• Major server centers in North America as well as Asia and Europe
• Nearest servers are preferred but will adjust based on server load
9
Device Factory Defaults
• ‘port1’ or ‘internal’ interface will have an IP of 192.168.1.99
• ‘port1’ or ‘internal’ interface will have a DHCP server set up and
enabled (on devices that support DHCP Servers)
• Default login will always be:
user: admin
password: (blank)
• Usernames and passwords are BOTH case sensitive
10
Device Administration
Web GUI CLI
11
Admin Profiles
12
Profile Permissions
Admin Profile: each configuration area is granted Read or Read-Write access
System Configuration
Network Configuration
Firewall Configuration
UTM Configuration
VPN Configuration
etc.
13
Administrators
super_admin profile: Full access
prof_admin profile: Full access within a single virtual domain
custom profile: Custom access
14
Administrator Trusted Hosts
15
Two Factor Authentication
Username and Password (one factor) + FortiToken (two factor)
16
Administrator Two Factor Authentication
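To make the admin-profile, administrator, trusted-host and two-factor slides above concrete, here is an added Python model of how one administrative request is evaluated. It is example code written for this page, not FortiOS code or Fortinet's own: the `helpdesk` custom profile, the administrator names, the source subnets and the per-area permission values are constructed for the example, and the check order (source address first, then credentials, then VDOM scope, then profile permission) is the order chosen for the model.

```python
import ipaddress
from dataclasses import dataclass

# Permission levels an admin profile grants per configuration area
# (the slides list System, Network, Firewall, UTM, VPN, ...).
NONE, READ, READ_WRITE = "none", "read", "read-write"
AREAS = ("system", "network", "firewall", "utm", "vpn")


@dataclass
class AdminProfile:
    name: str
    scope: str        # "global" = every VDOM, "vdom" = only the admin's own VDOM
    perms: dict       # area -> NONE | READ | READ_WRITE


# Profiles as the slides describe them; the per-area values are constructed
# for this example, not read from a FortiOS configuration.
SUPER_ADMIN = AdminProfile("super_admin", "global", {a: READ_WRITE for a in AREAS})
PROF_ADMIN = AdminProfile("prof_admin", "vdom", {a: READ_WRITE for a in AREAS})
# A custom profile (hypothetical): may look at part of the config, change nothing.
HELPDESK = AdminProfile("helpdesk", "vdom",
                        {"system": READ, "network": READ, "firewall": READ,
                         "utm": NONE, "vpn": NONE})


@dataclass
class Administrator:
    name: str
    profile: AdminProfile
    vdom: str                  # virtual domain the administrator belongs to
    trusted_hosts: tuple = ()  # CIDR strings; empty means any source address
    two_factor: bool = False   # FortiToken code required on top of the password


def source_trusted(admin, src_ip):
    """Trusted hosts: an empty list accepts any source; otherwise the
    source address must fall inside one of the configured subnets."""
    if not admin.trusted_hosts:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(h, strict=False)
               for h in admin.trusted_hosts)


def authorize(admin, src_ip, password_ok, token_ok, vdom, area, write):
    """Evaluate one administrative request and return (allowed, reason).
    An untrusted source is rejected before any credential is examined, so a
    correct password from the wrong subnet never gets as far as a login."""
    if not source_trusted(admin, src_ip):
        return False, "source address not in trusted hosts"
    if not password_ok or (admin.two_factor and not token_ok):
        return False, "authentication failed"
    if admin.profile.scope == "vdom" and vdom != admin.vdom:
        return False, f"{admin.profile.name} is confined to VDOM {admin.vdom}"
    level = admin.profile.perms.get(area, NONE)
    if level == NONE or (write and level != READ_WRITE):
        return False, f"profile {admin.profile.name} grants {level} on {area}"
    return True, "allowed"


if __name__ == "__main__":
    admin = Administrator("admin", SUPER_ADMIN, "root", ("10.0.0.0/24",), two_factor=True)
    print(authorize(admin, "10.0.0.5", True, True, "root", "system", True))
    print(authorize(admin, "192.168.1.10", True, True, "root", "system", True))
    hd = Administrator("helpdesk1", HELPDESK, "branch")
    print(authorize(hd, "203.0.113.7", True, False, "branch", "firewall", True))
```

The `reason` string is what an audit log line for the denied attempt should carry: the same request can fail for four different reasons, and telling a trusted-host rejection apart from a bad FortiToken code is what makes the log useful when reviewing administrative access.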
17
Device Configuration
• Device configuration settings can be saved to
an external file
»Optional encryption
• The file can be restored to rollback device to a
previous configuration
18
Per VDOM Configuration File
19
Interface IPs
• Every used interface on the
unit must have an IP
assigned (in NAT mode)
using one of three methods:
»Manual IP, DHCP assigned,
PPPoE
20
Static Gateway
• There must be at least one default gateway
• If an interface is DHCP or PPPoE, then a gateway can be added
to the routing table dynamically
21
DHCP Server Setup
22
DHCP Server IP Reservation
• IP address reserved and always assigned to the same DHCP host
»Select an IP address or choose an existing DHCP lease to add to the reserved list
»Identify the IP address reservation as either DHCP over Ethernet or DHCP over
IPSec
• MAC address of the DHCP host is used to look up the IP address in
the IP reservation table
• Found in the “Advanced” settings of the DHCP server, on the interface
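An added Python example, not part of the original slides or of FortiOS, of the reservation behaviour described above: the MAC address is the key into the reservation table, a reserved address is never handed to any other host, and an existing lease can be turned into a reservation. The pool range, the MAC addresses and the `DhcpServer` class are constructed for the example; the DHCP over IPsec variant is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field


def norm_mac(mac):
    """Normalise a MAC so 00-11-22-AA-BB-CC and 00:11:22:aa:bb:cc match."""
    return mac.replace("-", ":").lower()


@dataclass
class DhcpServer:
    pool_start: str
    pool_end: str
    reservations: dict = field(default_factory=dict)  # MAC -> reserved IP (reservation table)
    leases: dict = field(default_factory=dict)        # MAC -> IP currently leased

    def pool(self):
        first = int(ipaddress.IPv4Address(self.pool_start))
        last = int(ipaddress.IPv4Address(self.pool_end))
        return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]

    def reserve(self, mac, ip):
        """Pin ip to mac. Refuses an address already reserved for, or currently
        leased to, a different host, so two hosts can never claim the same IP."""
        mac = norm_mac(mac)
        for table in (self.reservations, self.leases):
            for other, addr in table.items():
                if addr == ip and other != mac:
                    raise ValueError(f"{ip} already belongs to {other}")
        self.reservations[mac] = ip
        return ip

    def reserve_from_lease(self, mac):
        """Turn an existing dynamic lease into a reservation (the 'choose an
        existing DHCP lease' option on the slide)."""
        mac = norm_mac(mac)
        return self.reserve(mac, self.leases[mac])

    def offer(self, mac):
        """Address offered to mac: its reservation if it has one, its current
        lease on renewal, otherwise the lowest free pool address.
        Returns None when the pool is exhausted."""
        mac = norm_mac(mac)
        if mac in self.reservations:           # reservation table lookup by MAC
            self.leases[mac] = self.reservations[mac]
            return self.leases[mac]
        if mac in self.leases:                 # renewal keeps the same address
            return self.leases[mac]
        # reserved addresses are excluded from dynamic allocation even while
        # the reserved host is offline
        taken = set(self.leases.values()) | set(self.reservations.values())
        for ip in self.pool():
            if ip not in taken:
                self.leases[mac] = ip
                return ip
        return None


if __name__ == "__main__":
    srv = DhcpServer("192.168.1.110", "192.168.1.113")   # constructed 4-address pool
    srv.reserve("00-11-22-33-44-55", "192.168.1.111")
    for mac in ("AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02", "00:11:22:33:44:55"):
        print(mac, "->", srv.offer(mac))
```

The point worth checking in any reservation implementation is the `taken` set in `offer`: if the reserved address were only protected while its host held a lease, a dynamic client could take it during a reboot of the reserved host and the reservation would silently stop working.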
23
DHCP - Activity
24
FortiGate as a DNS Server
• Resolve DNS lookups from an internal network
• Methods to set up DNS for each interface:
»Forward-only: DNS requests sent to the DNS servers configured for the unit
»Non-recursive: DNS requests resolved using a FortiGate DNS database and
unresolved DNS requests are dropped
»Recursive: DNS requests will be resolved using a FortiGate DNS database and
any unresolved DNS requests will be relayed to DNS servers configured for the
unit
• One DNS database can be shared by all the FortiGate interfaces
»If VDOMs are enabled, a DNS database needs to be created in each VDOM
25
DNS Forwarding
• FortiGate units can forward (or not) DNS requests sent to its
interfaces
»Behavior on each interface is configured separately
• Allows direct control of the DNS
»GUI allows setting to Forward only
»CLI allows Forward, Recursive and Non-recursive behavior
26
DNS Database Configuration
• DNS zones need to be added when configuring the DNS database
» Each zone has its own domain name
»Zone format defined by RFC 1034 and 1035
• DNS entries are added to each zone
»An entry includes a hostname and the IP address it resolves to
»Each entry also specifies the type of DNS entry
• IPv4 address (A) or an IPv6 address (AAAA)
• name server (NS)
• canonical name (CNAME)
• mail exchange (MX) name
• IPv4 (PTR) or IPv6 (PTR)
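The three slides above (FortiGate as a DNS Server, DNS Forwarding, DNS Database Configuration) describe one mechanism, so here is one added Python example covering all of them: a local DNS database made of zones holding A/AAAA/NS/CNAME/MX/PTR entries, and the forward-only, non-recursive and recursive per-interface behaviours run against it. This is example code written for this page, not FortiOS code; the `corp.example` zone, its records, and `fake_upstream` (a stand-in for the DNS servers configured on the unit) are constructed so that it runs offline.

```python
A, AAAA, NS, CNAME, MX, PTR = "A", "AAAA", "NS", "CNAME", "MX", "PTR"
MODES = ("forward-only", "non-recursive", "recursive")


class DnsDatabase:
    """The unit's local DNS database: zones, each holding (name, type) records."""

    def __init__(self):
        self.zones = {}  # zone name -> {(fqdn, rtype): [values]}

    def add_zone(self, zone):
        self.zones.setdefault(zone.lower().rstrip("."), {})

    def add_entry(self, zone, hostname, rtype, value):
        """Add one entry; hostname is relative to the zone ('@' = zone apex)."""
        zone = zone.lower().rstrip(".")
        fqdn = zone if hostname in ("", "@") else f"{hostname}.{zone}"
        self.zones[zone].setdefault((fqdn.lower(), rtype), []).append(value)

    def _zone_for(self, name):
        matches = [z for z in self.zones if name == z or name.endswith("." + z)]
        return max(matches, key=len) if matches else None  # most specific zone wins

    def lookup(self, name, rtype, _depth=0):
        """Answer from the local database, following CNAMEs; None = not found."""
        name = name.lower().rstrip(".")
        zone = self._zone_for(name)
        if zone is None:
            return None
        records = self.zones[zone]
        if (name, rtype) in records:
            return list(records[(name, rtype)])
        alias = records.get((name, CNAME))
        if alias and rtype != CNAME and _depth < 8:   # bounded CNAME chase
            return self.lookup(alias[0], rtype, _depth + 1)
        return None


def resolve(mode, db, upstream, name, rtype):
    """Resolve one query the way the chosen per-interface mode does.
    Returns (source, answer); source is 'local', 'upstream' or 'dropped'."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "forward-only":              # local database is never consulted
        return "upstream", upstream(name, rtype)
    answer = db.lookup(name, rtype)
    if answer is not None:
        return "local", answer
    if mode == "non-recursive":             # unresolved queries are dropped
        return "dropped", None
    return "upstream", upstream(name, rtype)  # recursive: relay the miss


# --- constructed sample data (not from any real deployment) ----------------
# Stand-in for the DNS servers configured on the unit; RFC 5737 test address.
UPSTREAM_TABLE = {("www.example.com", A): ["192.0.2.80"]}


def fake_upstream(name, rtype):
    return UPSTREAM_TABLE.get((name.lower().rstrip("."), rtype), [])


def build_sample_db():
    db = DnsDatabase()
    db.add_zone("corp.example")                   # forward zone
    db.add_entry("corp.example", "@", NS, "ns1.corp.example")
    db.add_entry("corp.example", "@", MX, "mail.corp.example")
    db.add_entry("corp.example", "ns1", A, "10.1.1.2")
    db.add_entry("corp.example", "mail", A, "10.1.1.25")
    db.add_entry("corp.example", "intranet", A, "10.1.1.10")
    db.add_entry("corp.example", "intranet", AAAA, "2001:db8::10")
    db.add_entry("corp.example", "www", CNAME, "intranet.corp.example")
    db.add_zone("1.1.10.in-addr.arpa")            # reverse (PTR) zone
    db.add_entry("1.1.10.in-addr.arpa", "10", PTR, "intranet.corp.example")
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for mode in MODES:
        for q in (("www.corp.example", A), ("www.example.com", A)):
            print(f"{mode:14} {q[0]:20} {resolve(mode, db, fake_upstream, *q)}")
```

Running the same two queries under all three modes shows the practical difference: non-recursive is the mode to put on an interface that should answer for internal names only and never leak queries outward, recursive adds a fallback to the configured servers, and forward-only makes the local database irrelevant for that interface.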
27
Firmware Upgrade Steps
• Step 1: Backup and store old configuration (Full config backup from CLI)
• Step 2: Have copy of old firmware available
• Step 3: Have disaster recovery option on standby (especially if remote)
• Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
• Step 5: Double check everything
• Step 6: Upgrade
28
Firmware Downgrade Steps
• Step 1: Locate pre-upgrade configuration file
• Step 2: Have copy of old firmware available
• Step 3: Have disaster recovery option on standby (especially if remote)
• Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
• Step 5: Double check everything
• Step 6: Downgrade (all settings except those needed for access are lost)
• Step 7: Restore pre-upgrade configuration
29
Maintainer Access
• Available on all FortiGate devices and some non-FortiGate devices
• Only available through the console port
»Highly secure (requires physical access)
• Only open after a HARD boot
»About 30 seconds (varies by model, by approximately 1 minute)
»Highly secure (soft boot does not activate user)
User: maintainer
Password: bcpb<serial number> (all letters in the serial number MUST BE uppercase)
• Can be disabled in the CLI if physical security is a risk
» config sys global
» set admin-maintainer disable
» end
30
Console Port
• Depending on the FortiGate model, console port
access is provided in the following ways:
»Serial port (older models)
• Standard null modem cable will work for console port access
»RJ-45 port
• RJ-45-serial cable is required for access
»USB 2 port
• Requires FortiExplorer to connect
• Each device ships with the proper console cables
31
Labs
• Lab 1: Initial Setup and Configuration
»Ex 1: Configuring Network Interfaces
»Ex 2: Exploring the Command Line Interface
»Ex 3: Restoring Configuration Files
»Ex 4: Performing Configuration Backups
(OPTIONAL)
• Lab 2: Administrative Access
»Ex 1: Profiles and Administrators
»Ex 2: Restricting Administrator Access
32
Classroom Lab Topology

001 introduction Fortigate Administration Introduction

  • 1. Course 201 - Administration, Content Inspection and VPNs Introduction 01-50003-0201-20131018-D 1 © 2013 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. 01-50003-0201-20131018-D FortiGate Multi-Threat Security Systems I Module 1: Introduction to Fortinet Unified Threat Management 2 Module Objectives • By the end of this module, participants will be able to: »Identify the major features of the FortiGate Unified Threat Management appliance »Modify administrative access restrictions on an interface »Create and manage administrative users »Create and manage administrator access profiles »Backup and restore configuration files »Create a DHCP server on a FortiGate device interface »Upgrade or downgrade a FortiGate unit’s firmware
3
Traditional Network Security Solutions
Firewall
Antivirus
Antispam
WAN Optimization
Web Filtering
Application Control
Intrusion Prevention
VPN
• Many single purpose systems needed to cope with a variety of threats
4
FortiGate Integrated Network Security Platform
Firewall
Antivirus
Antispam
WAN Optimization
Web Filtering
Application Control
Intrusion Prevention
VPN
and more…
• One device provides a comprehensive security and networking solution
FortiGate Appliance
5
Unit Design
Hardware
Purpose-driven hardware
FortiOS
Specialized operating system
Firewall, AV, Web Filter, IPS, …
Security and network-level services
FortiGuard Subscription Services
Automated update service
6
FortiGate Unit Capabilities
Firewall
Antivirus
Email filtering
Web filtering
Intrusion prevention
Application control
Data leak prevention
WAN optimization
Secure VPN
Wireless
Dynamic routing
Endpoint compliance
Virtual domains
Traffic shaping
High availability
Logging and reporting
Authentication
7
Fortinet Products
• Network Security
»FortiGate appliances
• High-end, mid-range and desktop models
• Network Access
»Wireless: FortiWiFi, FortiAP
»Switching: FortiSwitch
»End-point and mobility: FortiClient
»User Identity: FortiAuthenticator, FortiToken
• Infrastructure Security
»Application and Content Delivery: FortiADC
»DDoS Mitigation: FortiDDoS
»Advanced Threat Protection
»Voice and Video: FortiVoice, FortiCamera, FortiRecorder
• Application Security
»FortiMail, FortiWeb, FortiDB
»FortiCache
• Management
»FortiManager, FortiAnalyzer, FortiCloud
8
FortiGuard Subscription Services
• Global Update service for AV/IPS (update.fortiguard.com)
• Global Live service for FortiGuard WF/AS (service.fortiguard.net)
• FortiGate unit will prefer servers nearby
»Calculates server “distance” based on time zones
• Major server centers in North America as well as Asia and Europe
• Nearest servers are preferred but will adjust based on server load
9
Device Factory Defaults
• ‘port1’ or ‘internal’ interface will have an IP of 192.168.1.99
• ‘port1’ or ‘internal’ interface will have a DHCP server set up and enabled (on devices that support DHCP servers)
• Default login will always be: user: admin password: (blank)
• Usernames and passwords are BOTH case sensitive
10
Device Administration
Web GUI
CLI
11
Admin Profiles
12
Profile Permissions
System Configuration
Network Configuration
Firewall Configuration
UTM Configuration
VPN Configuration
etc.
Read
Read-Write
Admin Profile
13
Administrators
super_admin profile: Full access
prof_admin profile: Full access within a single virtual domain
custom profile: Custom access
14
Administrator Trusted Hosts
15
Two Factor Authentication
Username and Password (one factor) + FortiToken (two factor)
16
Administrator Two Factor Authentication
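The admin-access slides (profiles with per-area Read / Read-Write permissions, trusted hosts, and a second factor) describe three independent checks that an administrator login has to pass. The following Python model is an added example, not FortiOS code and not from the course. It assumes a small set of configuration-area names, uses an empty trusted-host list to stand for the factory default (any source address), and substitutes an RFC 6238 TOTP computation for a FortiToken code, which is an assumption about the token rather than something the slides state:

```python
"""Model of FortiGate-style administrator access checks (added example).

Three checks, in order: is the source address in the administrator's
trusted hosts, does the second factor (if configured) verify, and does the
access profile grant the requested permission on the configuration area.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NONE, READ, READ_WRITE = "none", "read", "read-write"


@dataclass
class AccessProfile:
    """Per-area permission, like the Read / Read-Write choices on the
    Profile Permissions slide. Areas missing from the dict are denied."""
    name: str
    permissions: Dict[str, str]

    def allows(self, area: str, write: bool) -> bool:
        perm = self.permissions.get(area, NONE)
        if perm == NONE:
            return False
        return perm == READ_WRITE if write else True


@dataclass
class Administrator:
    name: str
    profile: AccessProfile
    # Trusted hosts: an empty list models the factory default (any source).
    trusted_hosts: List[ipaddress.IPv4Network] = field(default_factory=list)
    # Constructed TOTP seed standing in for a FortiToken; None = one factor only.
    totp_secret: Optional[bytes] = None


def host_trusted(admin: Administrator, src_ip: str) -> bool:
    """True when no trusted hosts are set, or the source is inside one."""
    if not admin.trusted_hosts:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in admin.trusted_hosts)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password using HMAC-SHA1 (assumed stand-in
    for the code a hardware token would display)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def authorize(admin: Administrator, src_ip: str, area: str, write: bool,
              token_code: Optional[str] = None, unix_time: int = 0) -> Tuple[bool, str]:
    """Returns (allowed, reason). Trusted host is checked before the second
    factor so a login from an untrusted address never reaches the token step."""
    if not host_trusted(admin, src_ip):
        return False, "source address not in trusted hosts"
    if admin.totp_secret is not None:
        expected = totp(admin.totp_secret, unix_time)
        if token_code is None or not hmac.compare_digest(token_code, expected):
            return False, "valid token code required"
    if not admin.profile.allows(area, write):
        action = "write" if write else "read"
        return False, "profile %s denies %s on %s" % (admin.profile.name, action, area)
    return True, "ok"


# Constructed sample data (area names and the custom profile are assumptions).
AREAS = ("system", "network", "firewall", "utm", "vpn")
SUPER_ADMIN = AccessProfile("super_admin", {a: READ_WRITE for a in AREAS})
NET_READONLY = AccessProfile("net_readonly", {"system": READ, "network": READ})
SEED = b"12345678901234567890"  # RFC 6238 test-vector seed, constructed
OPS = Administrator("ops", SUPER_ADMIN, [ipaddress.ip_network("10.0.1.0/24")], SEED)
AUDITOR = Administrator("auditor", NET_READONLY)  # default trusted hosts, no token

if __name__ == "__main__":
    code = totp(SEED, 59)
    print(authorize(OPS, "10.0.1.7", "firewall", True, code, 59))
    print(authorize(OPS, "192.0.2.5", "firewall", True, code, 59))
    print(authorize(AUDITOR, "203.0.113.9", "firewall", True))
```

The ordering matters for exposure: a trusted-host mismatch is rejected before any credential is evaluated, and a read-only profile still cannot write even with a valid second factor. The `AUDITOR` entry shows why leaving trusted hosts at the default is the weaker configuration: it accepts any source address.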
17
Device Configuration
• Device configuration settings can be saved to an external file
»Optional encryption
• The file can be restored to roll back the device to a previous configuration
18
Per VDOM Configuration File
19
Interface IPs
• Every used interface on the unit must have an IP assigned (in NAT mode) using one of three methods:
»Manual IP, DHCP assigned, PPPoE
20
Static Gateway
• There must be at least one default gateway
• If an interface is DHCP or PPPoE, then a gateway can be added to the routing dynamically
21
DHCP Server Setup
22
DHCP Server IP Reservation
• IP address reserved and always assigned to the same DHCP host
»Select an IP address or choose an existing DHCP lease to add to the reserved list
»Identify the IP address reservation as either DHCP over Ethernet or DHCP over IPSec
• MAC address of the DHCP host is used to look up the IP address in the IP reservation table
• Found in the “Advanced” settings of the DHCP server, on the interface
23
DHCP - Activity
24
FortiGate as a DNS Server
• Resolve DNS lookups from an internal network
• Methods to set up DNS for each interface:
»Forward-only: DNS requests sent to the DNS servers configured for the unit
»Non-recursive: DNS requests resolved using a FortiGate DNS database and unresolved DNS requests are dropped
»Recursive: DNS requests will be resolved using a FortiGate DNS database and any unresolved DNS requests will be relayed to DNS servers configured for the unit
• One DNS database can be shared by all the FortiGate interfaces
»If VDOMs are enabled, a DNS database needs to be created in each VDOM
25
DNS Forwarding
• FortiGate units can forward (or not) DNS requests sent to its interfaces
»Behavior on each interface is configured separately
• Allows direct control of the DNS
»GUI allows setting to Forward only
»CLI allows Forward, Recursive and Non-recursive behavior
26
DNS Database Configuration
• DNS zones need to be added when configuring the DNS database
»Each zone has its own domain name
»Zone format defined by RFC 1034 and 1035
• DNS entries are added to each zone
»An entry includes a hostname and the IP address it resolves to
»Each entry also specifies the type of DNS entry
• IPv4 address (A) or an IPv6 address (AAAA)
• name server (NS)
• canonical name (CNAME)
• mail exchange (MX) name
• IPv4 (PTR) or IPv6 (PTR)
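The "FortiGate as a DNS Server" and "DNS Database Configuration" slides together define a shared zone database and three per-interface behaviours (forward-only, non-recursive, recursive) that differ only in what happens when a name is or is not in that database. The Python model below is an added example, not FortiOS code and not from the course. The zone names, records and the upstream answer table are constructed sample data; the upstream dict stands in for the DNS servers configured for the unit:

```python
"""Model of the three FortiGate per-interface DNS behaviours (added example).

forward-only   : every query goes to the unit's configured DNS servers
non-recursive  : answer from the local DNS database, otherwise drop
recursive      : answer from the local DNS database, otherwise forward
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MODES = ("forward-only", "non-recursive", "recursive")


@dataclass(frozen=True)
class Record:
    rtype: str  # A, AAAA, NS, CNAME, MX or PTR, as on the slide
    value: str


class DnsDatabase:
    """One database of zones shared by all interfaces; each zone maps a
    hostname (or "@" for the zone apex) to its records."""

    def __init__(self) -> None:
        self.zones: Dict[str, Dict[str, List[Record]]] = {}

    def add_zone(self, zone: str) -> None:
        self.zones.setdefault(zone.lower(), {})

    def add_entry(self, zone: str, hostname: str, rtype: str, value: str) -> None:
        records = self.zones[zone.lower()].setdefault(hostname.lower(), [])
        records.append(Record(rtype.upper(), value))

    def _split(self, name: str) -> Tuple[Optional[str], Optional[str]]:
        """Pick the longest zone that is a suffix of the query name."""
        name = name.lower().rstrip(".")
        for zone in sorted(self.zones, key=len, reverse=True):
            if name == zone:
                return zone, "@"
            if name.endswith("." + zone):
                return zone, name[: -len(zone) - 1]
        return None, None

    def lookup(self, name: str, rtype: str, _depth: int = 0) -> Optional[str]:
        zone, host = self._split(name)
        if zone is None:
            return None
        records = self.zones[zone].get(host, [])
        for rec in records:
            if rec.rtype == rtype:
                return rec.value
        # An address query for a CNAME is answered by following the alias once.
        if rtype in ("A", "AAAA") and _depth < 1:
            for rec in records:
                if rec.rtype == "CNAME":
                    return self.lookup(rec.value, rtype, _depth + 1)
        return None


def resolve(mode: str, db: DnsDatabase, upstream: Dict[str, str],
            name: str, rtype: str = "A") -> Tuple[Optional[str], str]:
    """Returns (answer, source); source is 'local', 'forwarded' or 'dropped'."""
    if mode not in MODES:
        raise ValueError("unknown DNS mode: %s" % mode)
    if mode == "forward-only":
        # The local database is never consulted in this mode.
        return upstream.get(name.lower()), "forwarded"
    answer = db.lookup(name, rtype)
    if answer is not None:
        return answer, "local"
    if mode == "non-recursive":
        return None, "dropped"
    return upstream.get(name.lower()), "forwarded"


# Constructed sample database: one forward zone and one reverse (PTR) zone.
DB = DnsDatabase()
DB.add_zone("example.corp")
DB.add_entry("example.corp", "www", "A", "10.0.1.5")
DB.add_entry("example.corp", "www", "AAAA", "2001:db8::5")
DB.add_entry("example.corp", "intranet", "CNAME", "www.example.corp")
DB.add_entry("example.corp", "@", "MX", "mail.example.corp")
DB.add_entry("example.corp", "@", "NS", "ns1.example.corp")
DB.add_zone("1.0.10.in-addr.arpa")
DB.add_entry("1.0.10.in-addr.arpa", "5", "PTR", "www.example.corp")
# Constructed stand-in for answers from the unit's configured DNS servers.
UPSTREAM = {"update.fortiguard.com": "198.51.100.20"}

if __name__ == "__main__":
    for mode in MODES:
        print(mode, resolve(mode, DB, UPSTREAM, "intranet.example.corp"))
        print(mode, resolve(mode, DB, UPSTREAM, "update.fortiguard.com"))
```

Running it shows the practical difference: in non-recursive mode an internal client can only resolve names the administrator has put in the database, which is the mode to pick when the interface should expose nothing but local zones; recursive mode answers those locally and relays everything else; forward-only ignores the database entirely.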
27
Firmware Upgrade Steps
• Step 1: Backup and store old configuration (Full config backup from CLI)
• Step 2: Have copy of old firmware available
• Step 3: Have disaster recovery option on standby (especially if remote)
• Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
• Step 5: Double check everything
• Step 6: Upgrade
28
Firmware Downgrade Steps
• Step 1: Locate pre-upgrade configuration file
• Step 2: Have copy of old firmware available
• Step 3: Have disaster recovery option on standby (especially if remote)
• Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
• Step 5: Double check everything
• Step 6: Downgrade (all settings except those needed for access are lost)
• Step 7: Restore pre-upgrade configuration
29
Maintainer Access
• Available on all FortiGate devices and some non-FortiGate devices
• Only available through the console port
»Highly secure (requires physical access)
• Only open after a HARD boot
»About 30 seconds (varies by model, by approximately 1 minute)
»Highly secure (soft boot does not activate user)
User: maintainer
Password: bcpb<serial number>
All letters in serial number MUST BE uppercase
• Can be disabled in the CLI if physical security is a risk
» config sys global
» set admin-maintainer disable
» end
30
Console Port
• Depending on the FortiGate model, console port access is provided in the following ways:
»Serial port (older models)
• Standard null modem cable will work for console port access
»RJ-45 port
• RJ-45-to-serial cable is required for access
»USB 2 port
• Requires FortiExplorer to connect
• Each device ships with the proper console cables
31
Labs
• Lab 1: Initial Setup and Configuration
»Ex 1: Configuring Network Interfaces
»Ex 2: Exploring the Command Line Interface
»Ex 3: Restoring Configuration Files
»Ex 4: Performing Configuration Backups (OPTIONAL)
• Lab 2: Administrative Access
»Ex 1: Profiles and Administrators
»Ex 2: Restricting Administrator Access
32
Classroom Lab Topology