This document provides an overview of FortiGate multi-threat security systems and their administration, content inspection, and basic VPN capabilities. It discusses FortiGate devices, FortiGuard subscription services, logging and alerts capabilities, firewall policies, basic VPN configurations, authentication, antivirus, spam filtering, and web filtering. The document includes descriptions of FortiGate portfolio models, FortiGuard dynamic updates, FortiManager and FortiAnalyzer management products, logging levels, and log storage locations.
001 Introduction: FortiGate Administration Introduction (Mohamed Sana)
FortiGate Multi-Threat Security Systems I Course 201 - Administration, Content Inspection and VPNs.
Module Objectives
• By the end of this module, participants will be able to:
» Identify the major features of the FortiGate Unified Threat Management appliance
» Modify administrative access restrictions on an interface
» Create and manage administrative users
» Create and manage administrator access profiles
» Backup and restore configuration files
» Create a DHCP server on a FortiGate device interface
» Upgrade or downgrade a FortiGate unit’s firmware
The information contained herein is subject to change without notice. No part of this publication, including text, examples, diagrams or illustrations, may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
10. FortiGuard
• Dynamic updates
Antivirus, intrusion protection, web filtering, antispam
• Updated 24x7x365
• Data centers around the world
Secure, high availability locations
Page: 10
11. FortiManager
• Manage all Fortinet products from a centralized console
• Minimize administration effort
Deploying, configuring and maintaining devices
Page: 10
12. FortiAnalyzer
• Centralized analysis and reporting
Aggregate and analyze log data from multiple devices
• Comprehensive view of network usage
Identify and address vulnerabilities
Monitor compliance
• Quarantine and content archiving
Page: 10
14. FortiClient
• Security for desktops, laptops, mobile devices
Personal firewall, IPSec VPN, antivirus, antispam, web content
filtering
• FortiGuard keeps FortiClient up-to-date
Page: 11
15. Firewall Basics
• Controls flow of traffic between networks of different trust level
• Allow good information through but block intrusions, unauthorized users or malicious traffic
• Rules to allow or deny traffic
Page: 12
17. Common Firewall Features
• Block unwanted incoming traffic
• Block prohibited outgoing traffic
• Block traffic based on content
• Allow connections to an internal network
• Reporting
• Authentication
Page: 13
18. Types of Firewalls
• Packet filter firewall
Inspects incoming and outgoing packets
If matches rules, perform action
• Stateful firewall
Examines headers and content of packet
Holds attributes of connection in memory
Packet forwarded if connection already established and tracked
• Improved performance
• Application layer (proxy-based) firewall
Stands between protected and unprotected network
Repackages messages into new packets allowed into network
Page: 14
19. Network Address Translation
• Map private reserved IP addresses into public IP addresses
Local network uses different set of addresses
• NAT device routes response to proper destination
• Single agent between public and private network
• Conserve IP addresses
One public address used to represent group of computers
• Organization uses own internal IP addressing schemes
Page: 16
20. Dynamic NAT
• Private IP address mapped from a pool of public IP addresses
• Masks internal network configuration
• Private network can use private IP addresses invalid on the Internet but useful internally
Page: 16
21. Static NAT
• Private IP address mapped to a public IP address
Public address always the same
• Allow internal host to have a private IP address but still be reachable over the Internet
Web server
Page: 16
22. FortiGate Capabilities
• Firewall
Policies to allow or deny traffic
• UTM Features:
Antivirus
• Multiple techniques
Antispam
• Detect, tag, block, and quarantine spam
Web Filtering
• Control access to inappropriate web content
Intrusion Protection
• Identify and record suspicious traffic
Page: 17
23. FortiGate Capabilities
• UTM Features (continued):
Application Control
• Manage bandwidth use
Data Leak Prevention
• Prevents transmission of sensitive information
Page: 17-18
24. FortiGate Capabilities
• Virtual Domains
Single FortiGate functions as multiple units
• Traffic Shaping
Control available bandwidth and priority of traffic
• Secure VPN
Ensure confidentiality and integrity of transmitted data
• WAN Optimization
Improve performance and security
• High Availability
Two or more FortiGates operate as a cluster
Page: 18-19
25. FortiGate Capabilities
• Endpoint Compliance
Use FortiClient End Point Security in network
• Logging
Historical and current analysis of network usage
• User Authentication
Control access to resources
Page: 18-19
26. FortiGate Unit Description
• CPU
Intel processor
• FortiASIC processor
Offload intensive processing
• DRAM
• Flash memory
Store firmware images
• Hard drive
Logs, quarantine, archives
• Interfaces
WAN, DMZ, Internal
Page: 20
27. FortiGate Unit Description
• Serial console port
Management access
• USB port
USB drives or modem
• Wireless
FortiWifi devices can use wireless communications
• Modem
• Module slot bays
Blade card installed in a chassis
• PC card slot
PCMCIA card slot for expansion
Page: 20-21
30. Operating Modes
• NAT/Route Mode
Default configuration
Each FortiGate unit is visible to network it is connected to
Interfaces are on different subnets
Unit functions as a firewall
Page: 24
32. Operating Modes
• Transparent Mode
FortiGate unit is invisible to the network
All interfaces are on the same subnet
Use FortiGate without altering IP infrastructure
Page: 25
51. CLI Command Structure
• Commands
config
• Objects
config system
• Branches
config system interface
• Tables
edit port1
• Parameters
set ip 172.20.110.251 255.255.255.0
Page: 38-44
52. CLI Basics
• Command help
?
config ?
config system ?
• Command completion
? or <tab>
c?
config + <space> + <tab>
• Recalling commands
or
Page: 45
53. CLI Basics
• Editing commands
<CTRL> + <key>
• Line continuation
use at end of each line
• Command abbreviation
get system status → g sy st
• IP address formats
192.168.1.1 255.255.255.0
192.168.1.1/24
Page: 46
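The command hierarchy on the previous slide (config → object → branch → table → parameter) and the two IP address formats above can be exercised with a small generator and nesting checker. This is an added example, not Fortinet's code or part of the course: it renders a `config system interface` block, converts either IP format into the `address netmask` form, and verifies that every `config` is closed by `end` and every `edit` by `next`. The `allowaccess` parameter and the interface values are assumptions for illustration.

```python
import ipaddress


def ip_with_mask(spec):
    """Accept '192.168.1.1/24' or '192.168.1.1 255.255.255.0' and return the
    'address netmask' form used by `set ip`; both parts are validated."""
    if "/" in spec:
        iface = ipaddress.ip_interface(spec)
        return f"{iface.ip} {iface.network.netmask}"
    ip, mask = spec.split()
    return f"{ipaddress.ip_address(ip)} {ipaddress.ip_address(mask)}"


def render_interface_config(interfaces):
    """Render one `config system interface` block.
    interfaces: {'port1': {'ip': '172.20.110.251/24', 'allowaccess': 'ping https ssh'}}
    (allowaccess is assumed here as an example parameter)."""
    lines = ["config system interface"]            # command + object + branch
    for name, params in interfaces.items():
        lines.append(f"    edit {name}")            # table entry
        for key, value in params.items():
            if key == "ip":
                value = ip_with_mask(value)
            lines.append(f"        set {key} {value}")   # parameter
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


def check_nesting(script):
    """True when config/end and edit/next pairs are balanced and properly nested."""
    stack = []
    for raw in script.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword in ("config", "edit"):
            stack.append(keyword)
        elif keyword == "next":
            if not stack or stack.pop() != "edit":
                return False
        elif keyword == "end":
            if not stack or stack.pop() != "config":
                return False
    return not stack


if __name__ == "__main__":
    # Constructed interface settings for the demonstration.
    script = render_interface_config(
        {"port1": {"ip": "172.20.110.251/24", "allowaccess": "ping https ssh"}}
    )
    print(script)
    print("nesting ok:", check_nesting(script))
```

The checker is the kind of sanity test worth running over a CLI script before pasting it into a unit: an unclosed `edit` leaves later `set` lines applied to the wrong table entry.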
54. Administrative Users
• Responsible for configuration and operation
• Default: admin
Full read/write control
Can not be renamed
Default password blank
• System administrator
Assigned super_admin profile
• Regular administrator
Access profile other than super_admin
Access configurable
Page: 47
55. Interface Addressing
• Number of physical interfaces varies per model
• Interface addresses configurable
Static
DHCP
PPPoE
Page: 48-51
56. DNS
• Some functions use DNS
Alert email, URL blocking, etc
• Lower end models can retrieve automatically
One interface must use DHCP
Can provide DNS forwarding
Page: 52
57. Configuration Backup and Restore
• Different locations
Local PC
FortiManager
FortiGuard Management Service
USB disk
• Can be encrypted
Required to backup VPN certificates
Page: 53
58. Firmware Upgrades
• File must be obtained from Fortinet
• Apply upgrade
Web Config
CLI
FortiGuard Management Service
Page: 54
59. Lab
• Connecting to Command Line Interface
• Connecting to Web Config
• Configuring Network Connectivity
• Exploring the CLI
• Configuring Global System Settings
• Configuring Administrative Users
Page: 55
60. Agenda
• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering
62. FortiGuard Subscription Services
• Continuously updated security
Antivirus
Intrusion Protection
Web Filtering
Antispam
• Delivered through FortiGuard Distribution Network
Page: 75
63. FortiGuard Distribution Network
• Secure, high availability data centers
• Updated methods
Manual
Push
Pull
Customized frequency
• Devices continuously updated
• Device connects to FortiGuard Service Point
Page: 75-76
64. Connecting to FortiGuard Servers
service.fortiguard.net
DNS
FortiGuard Server 1
FortiGuard Server 2
FortiGate
Page: 77
72. FortiGuard Antivirus Service
• Latest virus defenses
New and evolving viruses
Spyware
Malware
• Automated updates
Page: 78
73. FortiGuard Intrusion Protection System Service
• Latest defenses against network-level threats
• Library of signatures
• Engines
Anomaly inspection
Deep packet inspection
Full content inspection
Activity inspection
• Supports behavior-based heuristics
Page: 79
74. FortiGuard Web Filtering Service
• Hosted web URL filtering service
• FortiGuard Rating Server
Billions of web page addresses
Regulate and block harmful, inappropriate and dangerous content
• FortiGuard Web Filtering Service
Regulate web activities to meet policy and compliance
CIPA Compliance
Page: 80
75. FortiGuard Antispam Service
• Reduce spam at network perimeter
• Global filters
Sender reputation database (FortiIP)
Spam signature database (FortiSig)
Constantly updated
• Local filters
Banned words
Local white and black lists
Heuristic rules
Bayesian training (in FortiMail)
Page: 81-82
77. Scheduled Updates
• Check for updates at defined times
Once every 1 to 23 hours
Once a day
Once a week
• Must be able to connect to FortiGuard Distribution Network using HTTPS on port 443
The override server address option may be used
Page: 84
78. Push Updates
• FortiGuard Distribution Network notifies FortiGate units with push enabled
FortiGate will request update
• Use push in addition to scheduled updates
Receive updates sooner
• If configuring push through a NAT device, configure port forwarding
Page: 85-87
79. Manual Updates
• Update antivirus and IPS definitions
• Download definition file
• Copy to computer used to connect to Web Config
Page: 88
80. Caching
• Available for web filtering and antispam
• Improves performance
• Uses small % of system memory
• Least recently used IP or URL deleted when cache full
• Time to Live (TTL) controls time in cache
Page: 89
81. FortiGuard Web Filtering Categories
• Wide range of categories to filter upon
Specify action for each category
Allow, Block, Log, Allow Override
• Enabled through protection profile
Page: 90-91
82. FortiGuard Antispam Controls
• Filter email based on type
IMAP, POP3, SMTP
• Filtering options enabled through protection profile
Page: 92
83. Configuring FortiGuard Using the CLI
• CLI can be used to configure communications with FortiGuard Distribution Network
Override default connection settings
• config system fortiguard
Page: 93
84. FortiGuard Center
• Online knowledge base and resource
Spyware, virus, IPS, web filtering, antispam attack library
Vulnerabilities
Submit spam and dangerous URLs
• Timely threat and vulnerability information
Updated around the clock
Page: 94-95
88. Logging and Alerts
• Track down and pinpoint problems
• Monitor network and Internet traffic
• Monitor normal traffic
Establish baselines
Identify changes for optimal performance
Page: 101
89. Log Storage Locations
• Local hard disk
FortiGate must have hard disk
• FortiAnalyzer
Device for log collection, analysis and storage
• System Memory
Overwrites older logs when capacity reached
Logs lost when FortiGate reset or loses power
• Syslog
Forward logs to remote computer
• FortiGuard Analysis Service
Subscription-based web service
Page: 101-105
90. Logging Levels
• Emergency
System unstable
• Alert
Immediate action required
• Critical
Functionality affected
• Error
Error condition exists, functionality could be affected
• Warning
Functionality could be affected
• Notification
Normal event
• Information
General info about system operations
• Debug
Primarily used as a support function
Page: 106-107
91. Log Types
• Traffic
Traffic between source and destination interface
Only generated when session table entry expires
• Event
Management activity
• AntiVirus
Virus incidents
• Web Filter
Web content blocking actions
• Attack
Attacks detected and blocked
Page: 108
92. Log Types
• AntiSpam
Records detected spam
• Data Leak Prevention
Records data that matches pre-defined sensitive patterns
• Application Control
IM/P2P
• Records IM and P2P information
VoIP
• Logs SCCP violations
Content
• Logs metadata
Page: 108-109
93. Configuring Logging
• Select location and level
• Enable log generation
Protection profile
• Antivirus, web filtering, FortiGuard web filtering, spam filtering, IPS, IM/P2P and VoIP
Event log
• Management, system and VPN activities
Firewall policy
• Log Allowed Traffic
Page: 110-114
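The logging levels, log types and level selection described on the last few slides can be worked through on actual log records. The following is an added example, not part of the course or Fortinet's code: it parses key=value log lines into records, ranks them by the severity order given on the Logging Levels slide, and applies a configured minimum level the way the logging-level setting does (messages at that severity or more severe are kept). The log lines are constructed for the example; FortiOS spells two levels as `notice` and `info`, which the alias table maps onto the slide's names.

```python
import re

# Severity order from the Logging Levels slide, most severe first.
LEVELS = ["emergency", "alert", "critical", "error", "warning",
          "notification", "information", "debug"]
# Names as they appear in FortiOS log lines, mapped onto the slide's names.
ALIASES = {"notice": "notification", "info": "information"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Parse a key=value log line (values may be double-quoted) into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def severity_rank(level):
    """0 = emergency ... 7 = debug. Unknown names are treated as debug."""
    name = ALIASES.get(level.lower(), level.lower())
    return LEVELS.index(name) if name in LEVELS else len(LEVELS) - 1


def filter_by_level(records, minimum):
    """Keep records at `minimum` severity or more severe, as a logging-level
    setting of `minimum` would (lower rank = more severe)."""
    threshold = severity_rank(minimum)
    return [r for r in records if severity_rank(r.get("level", "debug")) <= threshold]


def count_by_type(records):
    """Tally records per log type (traffic, event, virus, attack, ...)."""
    counts = {}
    for r in records:
        log_type = r.get("type", "unknown")
        counts[log_type] = counts.get(log_type, 0) + 1
    return counts


# Constructed sample log lines in FortiGate-style key=value form.
SAMPLE_LOG = [
    'date=2024-01-08 time=10:15:02 type="event" subtype="system" level="information" '
    'user="admin" msg="Administrator admin logged in from 10.0.1.20"',
    'date=2024-01-08 time=10:16:40 type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.1.20 dstip=203.0.113.5 dstport=443 action="accept" policyid=2',
    'date=2024-01-08 time=10:17:05 type="virus" level="warning" srcip=10.0.1.31 '
    'file="invoice.exe" action="blocked"',
    'date=2024-01-08 time=10:18:19 type="attack" level="alert" srcip=198.51.100.77 '
    'dstip=10.0.1.10 attack="CONSTRUCTED.Signature.Name" action="dropped"',
    'date=2024-01-08 time=10:20:00 type="event" subtype="system" level="critical" '
    'msg="Disk usage above threshold, logging to disk stopped"',
]


if __name__ == "__main__":
    records = [parse_log_line(line) for line in SAMPLE_LOG]
    print("by type:", count_by_type(records))
    for r in filter_by_level(records, "warning"):
        print(r["time"], r["level"], r["type"], r.get("msg") or r.get("attack") or r.get("file"))
```

Setting the level to `warning` on a unit logging to memory is a common compromise: traffic records at `notice` are dropped, which keeps memory from wrapping quickly, while virus, attack and critical system events still arrive at syslog or FortiAnalyzer.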
94. Viewing Log Files
• Log&Report > Log Access
• Remote or Memory tabs
Local Disk if available
• Formatted or Raw view
• Select columns to display
• Filter messages
Page: 115-118
95. Content Archiving
• Store session transaction data
HTTP
FTP
NNTP
IM (AIM, ICQ, MSN, Yahoo!)
Email (POP3, IMAP, SMTP)
• Only available with FortiAnalyzer unit
• Summary
Archives content metadata
• Full
Copies of files or email messages
Page: 119-121
96. Alert Email
• Send notification upon detection of a defined event
• Requires one DNS server configured
• Up to 3 recipients
Page: 122
97. SNMP
• Report system information and forward to SNMP manager
• Access SNMP traps from any FortiGate configured for SNMP
• Read-only implementation
• Fortinet-proprietary MIB available
Or use Fortinet-supported standard MIB
• Add SNMP Communities
8 SNMP managers per community
Page: 123-126
98. Lab
• Exploring Web Config Monitoring
• Configuring System Event Logging
• Exploring the FortiAnalyzer Interface
• Configuring Email Alerts
• SNMP Setup (Optional)
Page: 127
99. Agenda
• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering
101. Firewall Policies
• Control traffic passing through FortiGate
What to do with connection request?
• Packet analyzed, content compared to policy
ACCEPT
DENY
• Source, destination and service must match policy
Policy directs action
• Protection profile used with policy
Apply protection settings
• Logging enabled to view connections using policy
Page: 137
102. Policy Matching
• Searches policy list for matching policy
Based on source and destination
• Starts at top of the list and searches down for match
First match is applied
Arrange policies from more specific to more general
• Policies configured separately for each virtual domain
• Move policies in list to influence order evaluated
Page: 138-141
103. User Authentication to Firewall Policies
• User challenged to identify themselves before using policy
Before matching policies not requiring authentication
• Available for policies with:
Action set to ACCEPT
SSL VPN
• Authentication methods
Username + Password
Digital certificates
LDAP
RADIUS
TACACS+
Active Directory
• FSAE required
Page: 142
104. Authentication Protocols
• Protocol used to issue authentication challenge specified
• Firewall policy must include protocol
HTTP
HTTPS
Telnet
FTP
Page: 142
106. Firewall Addresses
• Added to source and destination address
Match source and destination IP address of packets received
• Default of ALL
Represents any IP address on the network
• Address configured with name, IP address and mask
Also use FQDN
Must be unique name
• Groups can be used to simplify policy creation and management
Page: 144-148
107. Firewall Schedules
• Control when policies are active or inactive
• One-time schedule
Activate or deactivate for a specified period of time
• Recurring schedule
Activate or deactivate at specified times of the day or week
Page: 149-150
108. Firewall Services
• Determine types of communications accepted or denied
• Predefined services applied to policy
Custom service if not on predefined list
• Group services to simplify policy creation and management
Page: 151-153
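The policy-matching, address, schedule and service slides above describe one lookup: source, destination and service must all match, the schedule must be active, the list is searched top-down, and the first match wins. The following added example (not Fortinet's code or part of the course) implements that lookup over a constructed policy list and includes a check for policies that can never win, which is what happens when a general policy is placed above a more specific one. Address objects are CIDR strings, services are (protocol, port) tuples or `ALL`, and unmatched traffic falls to an implicit deny.

```python
import ipaddress
from datetime import datetime


def make_policy(name, src, dst, services, action, days=None, start="00:00", end="23:59"):
    """Build a policy. `days` is a set of weekdays (Monday=0) and start/end an
    HH:MM window (a recurring schedule); omitting them gives an always-on schedule."""
    return {
        "name": name,
        "src": [ipaddress.ip_network(n) for n in src],
        "dst": [ipaddress.ip_network(n) for n in dst],
        "services": set(services),
        "action": action,
        "days": set(days) if days is not None else set(range(7)),
        "start": start,
        "end": end,
    }


def schedule_active(policy, now):
    """Recurring schedule check: right weekday and HH:MM inside the window."""
    if now.weekday() not in policy["days"]:
        return False
    return policy["start"] <= now.strftime("%H:%M") <= policy["end"]


def policy_matches(policy, src_ip, dst_ip, service, now):
    """Source, destination and service must all match and the schedule be active."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not any(src in net for net in policy["src"]):
        return False
    if not any(dst in net for net in policy["dst"]):
        return False
    if "ALL" not in policy["services"] and service not in policy["services"]:
        return False
    return schedule_active(policy, now)


def evaluate(policies, src_ip, dst_ip, service, now):
    """Top-down, first-match lookup; anything unmatched hits the implicit deny."""
    for policy in policies:
        if policy_matches(policy, src_ip, dst_ip, service, now):
            return policy["name"], policy["action"]
    return "implicit-deny", "DENY"


def shadowed_policies(policies, probes):
    """Names of policies that never win for any probe: a sign that a more general
    policy above them matches first (the ordering mistake the 'specific before
    general' rule exists to prevent)."""
    winners = {evaluate(policies, *probe)[0] for probe in probes}
    return [p["name"] for p in policies if p["name"] not in winners]


# Constructed policy list, ordered from specific to general.
BUSINESS_HOURS = dict(days=[0, 1, 2, 3, 4], start="08:00", end="18:00")
POLICIES = [
    make_policy("deny-quarantined-host", ["10.0.1.50/32"], ["0.0.0.0/0"], ["ALL"], "DENY"),
    make_policy("lan-to-web-server", ["10.0.1.0/24"], ["192.0.2.10/32"], [("tcp", 443)], "ACCEPT"),
    make_policy("lan-to-internet", ["10.0.1.0/24"], ["0.0.0.0/0"],
                [("tcp", 80), ("tcp", 443)], "ACCEPT", **BUSINESS_HOURS),
]
# Constructed probe traffic: (src, dst, service, time); 2024-01-08 is a Monday.
PROBES = [
    ("10.0.1.50", "192.0.2.10", ("tcp", 443), datetime(2024, 1, 8, 10, 0)),
    ("10.0.1.20", "192.0.2.10", ("tcp", 443), datetime(2024, 1, 8, 10, 0)),
    ("10.0.1.20", "203.0.113.5", ("tcp", 443), datetime(2024, 1, 8, 10, 0)),
]


if __name__ == "__main__":
    for probe in PROBES:
        print(probe[:3], "->", evaluate(POLICIES, *probe))
    print("shadowed in correct order:", shadowed_policies(POLICIES, PROBES))
    print("shadowed when reversed:", shadowed_policies(list(reversed(POLICIES)), PROBES))
```

Reversing the list puts the business-hours `lan-to-internet` policy first; it then matches the quarantined host's traffic before the deny is ever consulted, which is exactly the failure the slide's "arrange from more specific to more general" advice prevents.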
109. Network Address Translation (NAT)
• Translate source address and port of packets accepted by policy
Page: 154
121. Fixed Port
• Prevent NAT from translating the source port
Some applications do not function correctly if source port translated
• If Dynamic Pool not enabled, policy with Fixed Port can only allow one connection to that service at a time
Page: 156
127. Virtual IPs
• Allow connections using NAT firewall policies
• Addresses in packets are remapped and forwarded
Client address does not appear in packet server receives
• Upon reply, session table used to determine what destination address should be mapped to
Page: 157-158
128. DNAT
• NAT not selected in firewall policy
Policy performs destination network address translation (DNAT)
• Accepts packet from external network intended for specific address, translates destination address to IP on another network
Page: 159
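The NAT, Fixed Port, Virtual IP and DNAT slides above all turn on one mechanism: a session table that records how a packet was rewritten so the reply can be mapped back. The following added example (not Fortinet's code or part of the course) models source NAT with and without Fixed Port, a dynamic pool of public addresses, and a Virtual IP doing destination NAT. It shows concretely why Fixed Port without a pool limits concurrency: once the public address, source port and destination are taken by one session, a second host using the same source port to the same service has no free public tuple to map to. All addresses are constructed documentation ranges.

```python
import itertools


class SourceNat:
    """Source NAT applied by an ACCEPT policy: the private source address is
    rewritten to a public address from the policy's pool and, unless Fixed Port
    is set, the source port is rewritten too. The session table maps each public
    tuple back to the private one so replies can be routed to the right host."""

    def __init__(self, public_ips, fixed_port=False, first_port=30000):
        self.public_ips = list(public_ips)   # one address, or a dynamic pool
        self.fixed_port = fixed_port
        self._ports = itertools.count(first_port)
        self.sessions = {}  # (pub_ip, pub_port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound packet; returns the public tuple, or None if refused."""
        for pub_ip in self.public_ips:
            pub_port = src_port if self.fixed_port else next(self._ports)
            key = (pub_ip, pub_port, dst_ip, dst_port)
            if key not in self.sessions:
                self.sessions[key] = (src_ip, src_port)
                return key
        # Fixed Port and every public address already has this exact tuple in
        # use for another host: the connection cannot be translated.
        return None

    def reply(self, pub_ip, pub_port, server_ip, server_port):
        """Map a reply back to the private host via the session table (None if unknown)."""
        return self.sessions.get((pub_ip, pub_port, server_ip, server_port))


class VirtualIp:
    """Virtual IP (DNAT): packets for the external address are forwarded to an
    internal server; the session table lets the server's replies be rewritten so
    the client only ever sees the external address."""

    def __init__(self, external_ip, mapped_ip):
        self.external_ip, self.mapped_ip = external_ip, mapped_ip
        self.sessions = {}  # (client_ip, client_port, mapped_ip, port) -> external_ip

    def inbound(self, client_ip, client_port, dst_ip, dst_port):
        """Returns the translated (internal address, port) or None if the VIP does not apply."""
        if dst_ip != self.external_ip:
            return None
        self.sessions[(client_ip, client_port, self.mapped_ip, dst_port)] = self.external_ip
        return (self.mapped_ip, dst_port)

    def reply(self, server_ip, server_port, client_ip, client_port):
        """Source address the client should see on the reply, or None if no session exists."""
        return self.sessions.get((client_ip, client_port, server_ip, server_port))


if __name__ == "__main__":
    # Constructed hosts: two LAN clients that happen to pick the same source port.
    fixed = SourceNat(["198.51.100.1"], fixed_port=True)
    print("host A:", fixed.outbound("10.0.1.10", 40000, "203.0.113.5", 443))
    print("host B:", fixed.outbound("10.0.1.11", 40000, "203.0.113.5", 443))  # None
    pooled = SourceNat(["198.51.100.1", "198.51.100.2"], fixed_port=True)
    print("host A (pool):", pooled.outbound("10.0.1.10", 40000, "203.0.113.5", 443))
    print("host B (pool):", pooled.outbound("10.0.1.11", 40000, "203.0.113.5", 443))
```

The same session table is what the firewall consults on the return path in both directions: for source NAT it recovers the private host, for a VIP it recovers the external address to put back on the server's reply.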
139. Server Load Balancing
• Dynamic one-to-many NAT mapping
• External IP address translated to a mapped IP address
Determine by load balancing algorithm
• External IP address not always translated to same mapped IP address
Page: 160
146. Protection Profiles
• Control all content filtering
• Group of protection settings applied to traffic
Types and levels of protection customized for each policy
• Enables settings for:
Protocol Recognition
Anti-Virus
IPS
Web Filtering
Spam Filtering
Data Leak Prevention Sensor
Application Control
Logging
Page: 161
147. Default Protection Profiles
• Strict
Maximum protection
• Scan
Applies virus scanning to HTTP, FTP, IMAP, POP3, SMTP
• Web
Applies virus scanning and web content blocking to HTTP
• Unfiltered
No scanning, blocking or IPS
Page: 162-172
148. Traffic Shaping
• Control bandwidth available to traffic processed by firewall policy
Which policies have higher priority?
• Improve quality of bandwidth-intensive traffic
Does NOT increase total bandwidth available
Page: 173
149. Token Bucket Filter
• Dampening function
Delays traffic by buffering bursts
Does not schedule traffic
• Configured rate is never exceeded
Page: 174
150. Token Bucket Filter Mechanism
• Bucket has specified capacity
Tokens added to bucket at mean rate
• If bucket fills, new tokens discarded
• Bucket requests number of tokens equal to packet size
• If not enough tokens in bucket, packet buffered
• Flow will never send packets more quickly than capacity of the bucket
• Overall transmission rate does not exceed rate tokens placed in bucket
Page: 175
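The token bucket mechanism on this slide is small enough to simulate exactly, which makes its two guarantees (a burst never exceeds the bucket capacity, and the sustained rate never exceeds the token rate) easy to check. The following is an added example, not Fortinet's code or part of the course; the rate, capacity and packet sizes are constructed values, and the optional packet buffer limit models the physical buffering limit noted on the Traffic Shaping Considerations slide.

```python
from collections import deque


class TokenBucket:
    """Token bucket shaper following the slide's mechanism: tokens (bytes) arrive
    at a mean rate until the bucket reaches capacity; a packet needs as many
    tokens as its size; with too few tokens it is buffered rather than dropped,
    unless the finite buffer is already full."""

    def __init__(self, rate_bytes_per_s, capacity_bytes, buffer_packets=None):
        self.rate = rate_bytes_per_s
        self.capacity = capacity_bytes
        self.tokens = capacity_bytes   # starts full: one capacity-sized burst is allowed
        self.last = 0.0
        self.queue = deque()           # buffered packet sizes, in arrival order
        self.buffer_packets = buffer_packets
        self.dropped = 0

    def _refill(self, now):
        """Add tokens for the elapsed time; excess beyond capacity is discarded."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def _drain(self):
        """Release buffered packets, in order, while the head fits in the bucket."""
        sent = 0
        while self.queue and self.queue[0] <= self.tokens:
            size = self.queue.popleft()
            self.tokens -= size
            sent += size
        return sent

    def offer(self, now, size):
        """A packet of `size` bytes arrives at time `now`; returns bytes sent right away."""
        self._refill(now)
        if self.buffer_packets is not None and len(self.queue) >= self.buffer_packets:
            self.dropped += 1          # physical buffer limit reached: tail drop
            return 0
        self.queue.append(size)
        return self._drain()

    def tick(self, now):
        """Time advances with no new packet; returns bytes released from the buffer."""
        self._refill(now)
        return self._drain()


def simulate_burst(rate, capacity, n_packets, packet_size, seconds, buffer_packets=None):
    """Offer a burst of n packets at t=0, then advance one second at a time.
    Returns (bytes sent per interval with index 0 the burst instant, packets dropped)."""
    bucket = TokenBucket(rate, capacity, buffer_packets)
    sent = [sum(bucket.offer(0.0, packet_size) for _ in range(n_packets))]
    for second in range(1, seconds + 1):
        sent.append(bucket.tick(float(second)))
    return sent, bucket.dropped


if __name__ == "__main__":
    # Constructed scenario: 1000 B/s token rate, 1500 B bucket, a 10 x 500 B burst.
    print(simulate_burst(1000, 1500, 10, 500, 4))
    print(simulate_burst(1000, 1500, 10, 500, 4, buffer_packets=2))
```

With an unlimited buffer the burst is smoothed out over five intervals and nothing is lost; with a two-packet buffer the same burst loses half its packets, which is the trade-off the slides describe between shaping and session impact.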
157. Traffic Shaping Considerations
• Attempt to normalize traffic peaks
Prioritize certain flows over others
• Physical limitation to how much data can be buffered
Packets may be dropped, sessions affected
• Performance on one traffic flow may be sacrificed to guarantee performance on another
• Not effective in high-traffic situations
Where traffic exceeds FortiGate unit’s capacity
Packets must be received by the unit before they can be subject to shaping
• If shaping not applied to policy, default is high priority
Page: 176-177
158. Disclaimers
• Accept disclaimer before connecting
• Use with authentication or protection profile
• Can redirect to a URL after authentication
Page: 178
162. Virtual Private Networks (VPN)
• Use public network to provide access to private network
• Confidentiality and integrity of data
• Authentication, encryption and restricted access
Page: 195
163. FortiGate VPN
• Secure Socket Layer (SSL) VPN
Access through web browser
• Point-to-Point Tunneling Protocol (PPTP)
Windows standard
• Internet Protocol Security (IPSec) VPN
Dedicated VPN software required
Well suited for legacy applications (not web-based)
Page: 195-196
164. SSL VPN Operating Modes
• Web-only mode
Web browser only
Secure connection between browser and FortiGate unit
FortiGate acts as gateway
• Authenticates users
• Tunnel mode
VPN software downloaded as ActiveX control
FortiGate unit assigns client IP address from range of reserved addresses
Page: 197-199
165. User Accounts
• Must have user account assigned to SSL VPN user group
• Users must authenticate
Username + Password
RADIUS
TACACS+
LDAP
Digital certificates
• User group provides access to firewall policy
• Split tunneling available
Only traffic destined for tunnel routed over VPN
Page: 200-202
166. Web-Only Configuration
• Enable SSL VPN
• Create user accounts
Assign to user group
• Create firewall policy
• Setup logging (optional)
Page: 204
167. Tunnel Mode Configuration
• Enable SSL VPN
• Specify tunnel IP range
• Create user group
• Create firewall policy
Page: 205
168. SSL VPN Settings
• Tunnel IP Range
Reserve range of IPs for SSL VPN clients
• Server Certificate, Require Client Certificate
Certificates must be installed
• Encryption Key Algorithm
• Idle Time-out
• Client Authentication Time-Out
CLI only
• Portal Message
• Advanced
DNS and WINS Servers
Page: 206-208
169. Firewall Policies
• At least one SSL VPN firewall policy required
• Specify originating IP address
• Specify IP address of intended recipient or network
• Configuration steps:
Specify source and destination IP address
Specify level of encryption
Specify authentication method
Bind user group to policy
Page: 209
170. Firewall Addresses
• Web-only mode
Predefined source address of ALL
Destination IP address where remote client needs to access
• Entire private network, range of private IPs, private IP of host
• Tunnel model
Source is the range of remote (Internet-side) IP addresses allowed to connect to the FortiGate
• Restricts who can bring up a tunnel; prefer a narrow range over ALL
Destination IP address where remote client needs to access
• Entire private network, range of private IPs, private IP of host
Page: 209
171. Configuring Web-Only Firewall Policies
• Specify destination IP address
Name
Type
Subnet/IP range
Interface
• Define policy
Action: SSL-VPN
Add user group
Page: 210-212
172. Configuring Tunnel-Mode Firewall Policies
• Specify source IP addresses
Addresses that can connect to FortiGate
• Specify destination IP address
Addresses clients need to access
• Specify level of encryption
• Specify authentication type
• Bind user group to policy
• ssl.root: virtual interface on which tunnel-mode client traffic enters; policies from ssl.root to the internal interface control what tunnel clients may reach
Page: 213-218
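The tunnel-mode pieces the last few slides describe (reserved tunnel IP range, source restriction on who may connect, split tunneling, and first-match policies bound to a user group) as one runnable model. This is an added example, not FortiGate code or configuration; the address ranges, group names and policy table are constructed assumptions.

```python
import ipaddress

# Constructed configuration (not from the page): reserved tunnel pool, who may connect,
# networks reached through the tunnel, and the policies that apply to tunnel clients.
TUNNEL_POOL = ipaddress.ip_network("10.212.134.0/24")       # "Tunnel IP Range"
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]  # source addresses allowed to connect
SPLIT_TUNNEL_NETS = [ipaddress.ip_network("192.168.10.0/24"),
                     ipaddress.ip_network("192.168.20.0/24")]

# (source, destination, user groups, action): evaluated top-down, first match wins.
POLICIES = [
    (TUNNEL_POOL, ipaddress.ip_network("192.168.10.0/24"), {"sslvpn-users", "sslvpn-admins"}, "ACCEPT"),
    (TUNNEL_POOL, ipaddress.ip_network("192.168.20.0/24"), {"sslvpn-admins"}, "ACCEPT"),
]


class TunnelPool:
    """Leases addresses from the reserved range; a user keeps one address for the
    life of the connection and it returns to the pool on disconnect."""

    def __init__(self, net):
        self._free = list(net.hosts())   # network and broadcast addresses are never handed out
        self._leases = {}

    def assign(self, user):
        if user in self._leases:
            return self._leases[user]
        if not self._free:
            raise RuntimeError("tunnel IP range exhausted")
        ip = self._free.pop(0)
        self._leases[user] = ip
        return ip

    def release(self, user):
        ip = self._leases.pop(user, None)
        if ip is not None:
            self._free.insert(0, ip)


def may_connect(client_ip):
    """Tunnel-mode source restriction: only addresses in the allowed range may start a tunnel."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ALLOWED_CLIENTS)


def route_via_tunnel(dst, split_tunneling=True):
    """Split tunneling sends only traffic for the tunnel networks through the VPN;
    with split tunneling off, every packet is forced through the FortiGate."""
    if not split_tunneling:
        return True
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in SPLIT_TUNNEL_NETS)


def policy_permits(src, dst, user_groups):
    """First-match policy lookup on the tunnel interface; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p_src, p_dst, groups, action in POLICIES:
        if s in p_src and d in p_dst and groups & set(user_groups):
            return action == "ACCEPT"
    return False


if __name__ == "__main__":
    pool = TunnelPool(TUNNEL_POOL)
    print("203.0.113.7 may connect:", may_connect("203.0.113.7"))
    alice = pool.assign("alice")
    for dst in ("192.168.10.7", "192.168.20.9", "8.8.8.8"):
        via = "tunnel" if route_via_tunnel(dst) else "local gateway"
        verdict = policy_permits(alice, dst, ["sslvpn-users"]) if via == "tunnel" else "n/a"
        print(f"{alice} -> {dst}: {via}, policy permits: {verdict}")
```

Note that a packet from a source outside the tunnel range is denied even for a valid destination and group: the source restriction in the policy is what stops an internal host from riding the SSL VPN policy.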
174. Connecting to the SSL VPN
• https://<FortiGate_IP_address>:10443
Port customizable
• SSL-VPN Web Portal page displayed
Bookmarks
• What appears is pre-determined by administrator’s settings
in User > User Group and VPN > SSL > Portal > Settings
Page: 222
177. PPTP VPN
• Tunnels Point-to-Point Protocol (PPP) frames; PPP performs authentication on the tunneled link
• Encapsulates PPP packets within IP (GRE) packets
Tunnel itself is not cryptographically protected
• PPTP packets not authenticated or integrity protected
• Relies on PPP authentication (typically MS-CHAPv2) and MPPE for confidentiality; both are cryptographically weak, so PPTP should not be used where confidentiality matters
• FortiGate unit assigns client IP address from reserved range
Assigned IP used for duration of connection
• FortiGate unit disassembles PPTP packet and forwards to
correct computer on internal network
Page: 223
178. PPTP VPN
• FortiGate unit can act as PPTP server
• FortiGate unit can forward PPTP packets to PPTP server
Page: 224
181. PPTP Server Configuration
• Configure user authentication for PPTP clients
• Enable PPTP on FortiGate unit
• Configure PPTP server
• Configure client
Page: 226
182. PPTP Pass-Through Configuration
• Configuration required to forward PPTP packets to PPTP
server
• Define virtual IP that points to PPTP server
• Configure firewall policy
• Configure client
Page: 227
183. IPSec VPN
• Industry standard set of protocols
• Layer 3
Applications do not need to be designed to use IPSec
• IP packets encapsulated with IPSec packets
Header of new packet refers to end point of tunnel
• Phase 1
Establish connection
Authenticate VPN peer
• Phase 2
Establish tunnel
Page: 228
184. IPSec Protocols
• Authentication Header (AH)
Authenticate identity of sender
Integrity of data
Integrity check covers payload and IP header (immutable fields), so AH does not survive NAT
• Encapsulating Security Payload (ESP)
Encrypts data
Optional integrity check covers ESP header, payload and trailer only, not the outer IP header (works through NAT)
Page: 229
187. Modes of Operation
• Tunnel mode
Entire IP packet encrypted and/or authenticated
Packet then encapsulated for routing
• Transport mode
Only data in packet encrypted and/or authenticated
Header not modified or encrypted
Page: 230
188. Security Association (SA)
• Defines bundle of algorithms and parameters
Encrypt and authenticate one-directional data flow
• Agreement between two computers about the data
exchanged and protected
Page: 230
189. Internet Key Exchange (IKE)
• Allows two parties to setup SAs
Secret keys
• Uses Internet Security Association Key Management
Protocol (ISAKMP)
Framework for establishing SAs
• Two distinct phases
Phase 1
Phase 2
Page: 231
190. Phase 1
• Authenticate computer involved in transaction
• Negotiate SA policy between computers
• Perform Diffie-Hellman key exchange
• Set up secure tunnel
• Main mode (three two-way exchanges, six messages)
Algorithms used agreed upon
Diffie-Hellman values and nonces exchanged, secret keys generated
Identities exchanged and verified under encryption
• Aggressive mode (three messages)
Everything needed packed into the first exchanges; identities and authentication hash sent in the clear
With a pre-shared key, a captured exchange allows an offline dictionary attack on the key
Page: 231
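Why the aggressive-mode warning matters, as an added example (not from the page or Fortinet): the IKEv1 pre-shared-key authentication hash is rebuilt from RFC 2409's formulas, the three aggressive-mode messages are simulated with constructed values, and the responder's HASH_R, which aggressive mode sends in the clear, is cracked offline from a small word list. In main mode the same hash travels encrypted under keys derived from the Diffie-Hellman exchange, so a sniffer has nothing to test candidates against. The DH values, cookies, nonces, SA body and identity below are deterministic filler, not a real capture.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash, SHA-1 here (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk: bytes, c: dict) -> bytes:
    """Responder authentication hash for pre-shared-key authentication (RFC 2409 section 5):
    SKEYID = prf(psk, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Every input except the PSK is carried in the aggressive-mode messages themselves."""
    skeyid = prf(psk, c["ni"] + c["nr"])
    return prf(skeyid, c["g_xr"] + c["g_xi"] + c["cky_r"] + c["cky_i"] + c["sai_b"] + c["idir_b"])


def _blob(label: bytes, n: int) -> bytes:
    # Deterministic filler standing in for DH public values, cookies and nonces (constructed data).
    return (hashlib.sha512(label).digest() * 2)[:n]


def simulate_aggressive_mode(psk: bytes) -> dict:
    """What a passive observer holds after the three aggressive-mode messages: every input
    to HASH_R plus HASH_R itself, all unencrypted. Values are constructed, not captured."""
    capture = {
        "g_xi": _blob(b"g^xi", 96), "g_xr": _blob(b"g^xr", 96),   # 768-bit DH group 1 sizes
        "cky_i": _blob(b"CKY-I", 8), "cky_r": _blob(b"CKY-R", 8),
        "ni": _blob(b"Ni", 20), "nr": _blob(b"Nr", 20),
        "sai_b": _blob(b"SAi_b", 40),                               # initiator's SA proposal body
        "idir_b": b"\x02\x00\x00\x00" + b"vpn.example.com",         # ID type FQDN, proto/port 0
    }
    capture["hash_r"] = hash_r(psk, capture)
    return capture


def recover_psk(capture: dict, wordlist):
    """Offline dictionary attack: recompute HASH_R for each candidate and compare.
    No further traffic to the gateway is needed, so lockouts and logs never trigger."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate.encode(), capture), capture["hash_r"]):
            return candidate
    return None


if __name__ == "__main__":
    cap = simulate_aggressive_mode(b"Summer2018!")   # constructed weak PSK
    print("recovered:", recover_psk(cap, ["password", "fortinet", "Summer2018!", "letmein"]))
```

ike-scan's psk-crack runs this attack against real captures. Aggressive mode is normally only needed for dial-up peers with dynamic addresses that must identify themselves by ID before the responder can pick a key; where it cannot be avoided, use certificates or a long random pre-shared key plus XAuth.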
191. Phase 2
• Negotiate SA parameters to set up secure tunnel
• Renegotiate SAs regularly
Page: 232
192. Gateway-to-Gateway Configuration
• Tunnel between two separate private networks
• All traffic encrypted by firewall policies
• FortiGate units at both ends must be in NAT/Route mode
Page: 234
196. Authenticating the FortiGate Unit
• Authenticate itself to remote peers
• Pre-shared key
All peers must use same key
• Digital certificates
Must be installed on peer and FortiGate
Page: 237-238
197. Authenticating Remote Clients
• Permit access using trusted certificates
FortiGate configured for certificate authentication
• Permit access using peer identifier
• Permit access using pre-shared key
Each peer or client must have user account
• Permit access using peer identifier and pre-shared key
Each peer or client must have user account
Page: 239
198. XAuth Authentication
• Extra credential exchange after phase 1 completes, before phase 2
Adds per-user authentication on top of the peer (pre-shared key or certificate) authentication
• Draws on existing FortiGate user group definitions
• FortiGate can be XAuth server or XAuth client
Page: 239
201. Firewall Policies
• Policies needed to control services and direction of traffic
• Firewall addresses needed for each private network
• Policy-Based VPN
Specify interface to private network, remote peer and VPN tunnel
Single policy for inbound, outbound or both direction
• Route-Based VPN
Requires ACCEPT policy for each direction
Creates virtual IPSec interface on the interface connecting to the remote peer
Page: 247-250
202. Lab
• Configuring SSL VPN for Full Access (Web Portal and
Tunnel Mode)
• Configuring a Basic Gateway-to-Gateway VPN
Page: 251
203. Agenda
• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering
205. Authentication
• User or administrator prompted to identify themselves
Only allowed individuals perform actions
• Can be configured for:
Any firewall policy with action of ACCEPT
PPTP and L2TP VPNs
Dial-up IPSEC VPN set up as XAuth server
Dial-up VPN accepting user group as peer ID
Page: 263
206. Authentication Methods
• Local user
User names and passwords used to authenticate stored on
FortiGate
• Remote
Use existing systems to authenticate
• RADIUS
• LDAP
• PKI
• Windows Active Directory
• TACACS+
Page: 264-265
207. Users and User Groups
• Authentication based on user groups
User created
User added to groups
• User
Account created on FortiGate or external authentication server
• User group
Users or servers as members
Specify allowed groups for each resource requiring authentication
Group associated with protection profile
Page: 266-267
208. User Group Types
• Firewall
Access to firewall policy that requires authentication
FortiGate request user name and password (or certificate)
• Directory Service
Allow access to users in DS groups already authenticated
• Single sign on
Requires FSAE
• SSL VPN
Access to firewall policy that requires SSL VPN authentication
Page: 268-270
209. Authentication overrides
• Require access to blocked site
Override block for period of time
• Link to authenticate presented
Page: 271
211. PKI Authentication
• Valid certificate required
• SSL used for secure connection
• Trusted certificates installed on FortiGate and client
Page: 273
212. RADIUS Authentication
• User credentials sent to RADIUS server for authentication
• Shared secret hides the User-Password attribute and authenticates server responses; other attributes travel in the clear
• Primary and secondary servers identified on FortiGate unit
Page: 274
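What the shared secret actually protects, as an added example not taken from the page: RFC 2865's User-Password hiding, the Access-Request built around it, and the Response Authenticator check that the FortiGate (as RADIUS client) must perform before trusting an Access-Accept. The secret, identifier and request authenticator are constructed; a real client draws a fresh random authenticator for every request.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """The reverse: anyone holding the shared secret (or a leaked copy) gets the password back."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, ident, request_auth, username, password):
    attrs = attribute(USER_NAME, username) + attribute(USER_PASSWORD, hide_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(secret, code, ident, request_auth, attrs):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(secret, ident, request_auth, attrs=b""):
    ra = response_authenticator(secret, ACCESS_ACCEPT, ident, request_auth, attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + ra + attrs


def verify_response(secret, request_auth, packet) -> bool:
    """Client-side check: a reply only counts if its authenticator matches the request
    we sent and our shared secret; otherwise a forged Access-Accept is trivial."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    expected = response_authenticator(secret, code, ident, request_auth, attrs)
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret, req_auth = b"s3cret-shared", bytes(range(16))   # constructed; randomise req_auth in practice
    req = build_access_request(secret, 7, req_auth, b"alice", b"hunter2")
    print("username visible:", b"alice" in req, "| password visible:", b"hunter2" in req)
    acc = build_access_accept(secret, 7, req_auth)
    print("genuine accept verifies:", verify_response(secret, req_auth, acc))
    print("forged accept verifies:", verify_response(secret, req_auth, acc[:4] + bytes(16) + acc[20:]))
```

The hiding is keyed MD5 XOR, not encryption in any modern sense, and the user name is plaintext: the RADIUS path between FortiGate and server still needs its own protection (a management VLAN or IPSec), and the secret should be long and random.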
213. LDAP Authentication
• User credentials sent to LDAP server for authentication
• LDAP servers details identified on FortiGate
Page: 275
214. TACACS+ Authentication
• User credentials sent to TACACS+ server for authentication
• Choice of authentication types:
Auto
ASCII
PAP
CHAP
MSCHAP
Page: 276
215. Microsoft Active Directory Authentication
• Transparently authenticate users
Fortinet Server Authentication Extensions (FSAE) passes
authentication information to FortiGate
Sign in once to Windows, no authentication prompts from FortiGate
Page: 277
216. FSAE Components
• Domain Controller Agent
Installed on every domain controller
Monitors user logons, sends to Collector Agent
• Collector Agent
Installed on at least one domain controller
Sends information collected to FortiGate
Page: 278
217. FSAE Configuration on Microsoft AD
• Configure Microsoft AD user groups
All members of a group have same access level
FSAE only sends Domain Local Security Group and Global Security Group membership to FortiGate
• Configure Collector Agent settings
Domain controllers to monitor
• Global Ignore list
Exclude system accounts
• Group filters
Control logon information sent to FortiGate
Page: 279-280
218. FSAE Configuration on FortiGate
• Configure Collector Agents
FortiGate to access at least one collector agent
Up to five can be listed
• Configure user groups
AD groups added to FortiGate user groups
• Configure firewall policy
• Allow guests
Users not listed in AD
Protection profile for FSAE firewall policy
Page: 281
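A model of the collector-agent path the slides above describe, as an added example (not FSAE code): DC-agent logon events pass through the global ignore list and group filters, only Domain Local and Global security groups are forwarded, the IP-to-user table is kept, and the FortiGate side decides a packet's fate from the logged-on user's groups, with unknown IPs treated as guests. Event shape, account names and group names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    """Constructed shape of what a DC agent reports; not the real FSAE wire format."""
    user: str
    domain: str
    ip: str
    groups: tuple   # of (group name, AD group type)


GLOBAL_IGNORE = {"SYSTEM", "ANONYMOUS LOGON", "svc-backup"}   # ignore list: system/service accounts
FORWARDED_TYPES = {"global", "domainlocal"}                   # universal groups are not sent


def ignored(user: str) -> bool:
    # machine accounts end in '$' and never represent a person at a workstation
    return user.upper() in {u.upper() for u in GLOBAL_IGNORE} or user.endswith("$")


class CollectorAgent:
    """Keeps the IP -> user/group table that a FortiGate polls. group_filter is the set of
    groups this FortiGate cares about; None forwards everything."""

    def __init__(self, group_filter=None):
        self.group_filter = group_filter
        self.table = {}

    def handle_logon(self, ev: LogonEvent):
        if ignored(ev.user):
            return None
        groups = {f"{ev.domain}\\{name}" for name, kind in ev.groups if kind in FORWARDED_TYPES}
        if self.group_filter is not None:
            groups &= self.group_filter
        if not groups:
            return None               # nothing this FortiGate could match a policy on
        entry = (f"{ev.domain}\\{ev.user}", frozenset(groups))
        self.table[ev.ip] = entry     # a newer logon from the same IP replaces the old mapping
        return entry

    def handle_logoff(self, ip: str):
        self.table.pop(ip, None)


def policy_allows(agent: CollectorAgent, ip: str, policy_groups: set, allow_guests=False) -> bool:
    """FortiGate side: a Directory Service user group is a set of AD groups; the packet's
    source IP is allowed if the logged-on user is in one of them. Unknown IPs are guests."""
    entry = agent.table.get(ip)
    if entry is None:
        return allow_guests
    _, groups = entry
    return bool(groups & policy_groups)


if __name__ == "__main__":
    agent = CollectorAgent(group_filter={"CORP\\Finance", "CORP\\Domain Users"})
    agent.handle_logon(LogonEvent("alice", "CORP", "10.1.1.5",
                                  (("Finance", "global"), ("All Staff", "universal"))))
    print(agent.table)
    print("finance policy allows 10.1.1.5:", policy_allows(agent, "10.1.1.5", {"CORP\\Finance"}))
```

The replace-on-same-IP rule is the weak spot of any logon-based mapping: a shared workstation or a NAT device in front of several users will inherit the rights of the most recent logon, which is why the guest option and the ignore list deserve care.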
219. Labs
• Firewall Policy Authentication
• Adding User Disclaimers and Redirecting URLs
Page: 282
220. Agenda
• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering
234. Grayware Categories
• Plugins
Add additional features to an existing application
• Remote Administration Tools (RAT)
Remotely change or monitor a computer on a network
• Toolbars
Augment capabilities of browser
Page: 301-303
235. Spyware
• Component of adware
Track user activities online
Report activities to central server
Target advertising based on online habits
Page: 304-305
236. Quarantine
• Quarantine blocked or infected files
FortiGate unit with hard drive
FortiAnalyzer
• Files uploaded to Fortinet for analysis
Page: 306-307
237. Proxies
• Intercepts all connection requests and responses
• Buffers and scans response before flushing to client
• Splicing
Prevent client from timing out
Server sends part of response to client while buffering
Final part sent if response is clean
FTP uploads, email protocols (SMTP, POP3, IMAP)
• Client comforting
Prevent timeout while files buffered and scanned by FortiGate
Can provide visual status to user that progress being made
HTTP and FTP downloads
Page: 308
243. Spam Filtering Methods
• IP address check
Verify source IP address against list of known spammers
• URL check
Extract URLs and verify against list of spam sources
• Email checksum check
Calculate checksum of message and verify against list of known
spam messages
• Spam submission
Inform FortiGuard
• Black/White list
Check incoming IP and email addresses against known list
SMTP only
Page: 322-323
244. Spam Filtering Methods
• HELO DNS lookup
Check source domain name against registered IP address in DNS
• Return email DNS check
Check incoming return address domain against registered IP in
DNS
• Banned word
Check email against banned word list
• MIME headers check
Check MIME headers against list
• DNSBL and ORDBL
Check email against configured servers
Page: 322-323
245. FortiGuard Antispam Global Filters
• FortiIP sender IP reputation database
Reputation of IP based on properties related to address
• Email volume from a sender
Compare sender’s recent volume with historical pattern
• FortiSig
Spam signature database
FortiSig1
• Spamvertised URLs
FortiSig2
• Spamvertised email addresses
FortiSig3
• Spam checksums
• FortiRule
Heuristic rules
FortiMail only
Page: 324-325
246. Customized Filters
• Complement FortiGuard
• Banned word lists
• Local black/white list
• Heuristic rules
• Bayesian
FortiMail only
Page: 325
248. Spam Actions
• Tag or discard spam email
Add custom text to subject or insert a MIME header and value
• Only discard if SMTP and virus check enabled
• Spam actions logged
Page: 327
249. Banned Word
• Block messages containing specific words or patterns
Values assigned to matches
If threshold exceeded, messages marked as spam
• Perl regular expressions and wildcards can be used
Page: 328-334
250. Black/White List
• IP address filtering
Compare IP address of sender to IP address list
If match, action is taken
• Email address filtering
Compare email address of sender to email address list
If match, action is taken
Page: 335
253. MIME Headers Check
• MIME headers added to email
Describe content type and encoding
• Malformed headers can fool spam or virus filters
• Compare MIME header key-value of incoming email to list
If match, action is taken
Page: 343
254. DNSBL and ORDBL
• Published lists of suspected spammers
• Add subscribed servers
Define action
Page: 344
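The methods from slides 243, 244, 250, 253 and 254 applied to one message, followed by the tag-or-discard action of slide 248, as an added example rather than FortiGate code: local IP black list, DNSBL query construction, HELO and return-path DNS checks, body checksum and MIME header rules. DNS answers, the rule set and both sample messages are constructed so the run needs no network.

```python
import hashlib
import re

# Constructed DNS data standing in for live lookups.
DNS = {
    ("A", "mail.example.com"): ["198.51.100.25"],
    ("MX", "example.com"): ["mail.example.com"],
    ("A", "5.113.0.203.dnsbl.example.test"): ["127.0.0.2"],   # 203.0.113.5 is listed in the DNSBL
}


def resolve(rtype, name):
    return DNS.get((rtype, name), [])


def dnsbl_listed(ip, zone):
    """DNSBL/ORDBL query: reverse the octets, append the zone, listed if an A record comes back."""
    name = ".".join(reversed(ip.split("."))) + "." + zone
    return bool(resolve("A", name))


def helo_ok(helo, sender_ip):
    """HELO DNS lookup: the HELO name must resolve to the connecting IP."""
    return sender_ip in resolve("A", helo)


def return_path_ok(mail_from):
    """Return email DNS check: the envelope sender's domain must have an MX or A record."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return bool(resolve("MX", domain) or resolve("A", domain))


def body_checksum(body):
    """Checksum of the whitespace-normalised, lower-cased body, compared against known spam."""
    return hashlib.md5(" ".join(body.lower().split()).encode()).hexdigest()


CFG = {   # constructed filter configuration
    "ip_blacklist": {"192.0.2.66"},
    "dnsbl_zones": ["dnsbl.example.test"],
    "spam_checksums": {body_checksum("Buy cheap pills now!!!")},
    "mime_rules": [("X-Mailer", r"mass ?mailer")],
    "action": "discard",
    "tag": "[SPAM]",
}


def evaluate(msg, cfg=CFG):
    """Run every method and return the list of checks that fired; empty means deliver."""
    hits = []
    if msg["sender_ip"] in cfg["ip_blacklist"]:
        hits.append("ip-blacklist")
    hits += [f"dnsbl:{z}" for z in cfg["dnsbl_zones"] if dnsbl_listed(msg["sender_ip"], z)]
    if not helo_ok(msg["helo"], msg["sender_ip"]):
        hits.append("helo-dns")
    if not return_path_ok(msg["mail_from"]):
        hits.append("return-path-dns")
    if body_checksum(msg["body"]) in cfg["spam_checksums"]:
        hits.append("checksum")
    for key, pattern in cfg["mime_rules"]:
        value = msg["headers"].get(key)
        if value is not None and re.search(pattern, value, re.I):
            hits.append(f"mime:{key}")
    return hits


def apply_action(msg, hits, cfg=CFG):
    """Discard is only possible while the SMTP session is still open; POP3/IMAP mail has
    already been accepted by the mail server, so it can only be tagged."""
    if not hits:
        return "deliver", msg
    if cfg["action"] == "discard" and msg["protocol"] == "SMTP":
        return "discard", None
    tagged = dict(msg, headers=dict(msg["headers"]))
    tagged["headers"]["Subject"] = (cfg["tag"] + " " + msg["headers"].get("Subject", "")).strip()
    tagged["headers"]["X-Spam-Checks"] = ",".join(hits)   # the "insert MIME header" variant
    return "tag", tagged


SPAM = {   # constructed message
    "protocol": "SMTP", "sender_ip": "203.0.113.5", "helo": "mail.example.com",
    "mail_from": "promo@no-such-domain.test",
    "headers": {"Subject": "Special offer", "X-Mailer": "MassMailer 1.0"},
    "body": "buy   CHEAP pills now!!!",
}
CLEAN = {   # constructed message
    "protocol": "POP3", "sender_ip": "198.51.100.25", "helo": "mail.example.com",
    "mail_from": "bob@example.com", "headers": {"Subject": "Lunch"}, "body": "see you at noon",
}

if __name__ == "__main__":
    for m in (SPAM, CLEAN):
        h = evaluate(m)
        print(m["mail_from"], "->", h, "->", apply_action(m, h)[0])
```

The HELO and return-path checks are the noisiest of the set (plenty of legitimate senders fail them), so treat them as scoring inputs alongside the reputation lists rather than as stand-alone discard triggers.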
255. FortiMail Antispam
• Enhanced set of features for detecting and blocking spam
Some techniques not available in FortiGate
• Stand-alone antispam system
Can be second layer in addition to FortiGate
• Legacy virus protection
• Email quarantine
Page: 345
256. Agenda
• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering
258. Web Filtering
• Process web content to block inappropriate or malicious
content
• Categorized content
76 categories
40 million domains
Billions of web pages
Automated updates
• Check web addresses against list
• Customizable
Page: 349
259. Order of Filtering
• URL Filtering
Exempt, Block, Allow
• FortiGuard Web Filtering
• Content Exempt
Customizable
• Content Block
Customizable
• Script Filter
Page: 349
260. Web Content Block
• Block specific words or patterns
Score assigned to pattern
Page blocked if greater than threshold
Perl regular expressions or wildcards can be used
Page: 350-353
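One scorer for both the banned-word list (slide 249) and web content block (slide 260), plus the filter order slide 259 lists, as an added example not from the page: wildcard and Perl-style patterns each carrying a score, a threshold, and a request pipeline in which a URL-filter exempt skips every later stage, which is the caveat to remember when adding exemptions. Profile contents and sample pages are constructed.

```python
import re


def compile_pattern(pattern, kind):
    """Wildcard patterns use * and ? and match anywhere in the text; regex patterns are
    Perl-style. Both are matched case-insensitively."""
    if kind == "wildcard":
        pattern = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(pattern, re.I)


def score_content(text, rules, threshold):
    """Banned-word / content-block scoring: each matching pattern adds its score;
    the item is blocked when the total exceeds the threshold."""
    score, matched = 0, []
    for pattern, kind, weight in rules:
        if compile_pattern(pattern, kind).search(text):
            score += weight
            matched.append(pattern)
    return score, matched, score > threshold


def strip_scripts(html):
    return re.sub(r"(?is)<script\b.*?</script>", "", html)


CFG = {   # constructed profile
    "url_filter": [("*intranet.example.com*", "wildcard", "exempt"),
                   ("*.example.net/*", "wildcard", "block"),
                   (r"^https?://news\.example\.com/", "regex", "allow")],
    "ratings": {"casino.example.org": "gambling", "news.example.com": "news"},   # stand-in for FortiGuard
    "category_actions": {"gambling": "block", "news": "allow"},
    "content_exempt": [("*security-awareness*", "wildcard")],
    "content_block": [("casino", "wildcard", 30), ("jackpot", "wildcard", 30), (r"\bfree\b", "regex", 10)],
    "threshold": 50,
    "script_filter": True,
}


def filter_request(url, page, cfg=CFG):
    """Stages in the order the slide lists: URL filter -> category rating -> content exempt
    -> content block -> script filter. Returns (verdict, reason, page delivered)."""
    host = url.split("/", 3)[2]
    for pattern, kind, action in cfg["url_filter"]:
        if compile_pattern(pattern, kind).search(url):
            if action == "exempt":
                return "allow", "url-exempt", page      # skips every later stage
            if action == "block":
                return "block", "url-block", None
            break                                       # "allow": fall through to rating
    category = cfg["ratings"].get(host, "unrated")
    if cfg["category_actions"].get(category) == "block":
        return "block", f"category:{category}", None
    if any(compile_pattern(p, k).search(page) for p, k in cfg["content_exempt"]):
        return "allow", "content-exempt", page
    score, matched, blocked = score_content(page, cfg["content_block"], cfg["threshold"])
    if blocked:
        return "block", f"content:{score}:{','.join(matched)}", None
    return "allow", "clean", strip_scripts(page) if cfg["script_filter"] else page


if __name__ == "__main__":
    for url, page in [("http://intranet.example.com/hr", "free casino jackpot"),
                      ("http://bad.example.net/x", "hi"),
                      ("http://casino.example.org/", "hi"),
                      ("http://news.example.com/a", "Free casino bonus! claim your jackpot now"),
                      ("http://news.example.com/b", "<p>hi</p><script>alert(1)</script>")]:
        print(url, "->", filter_request(url, page)[:2])
```

The first case is the one to watch: an exempt entry for a convenient host means that host's content is never scored, whatever it serves.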
267. FortiGuard Web Filter
• Managed web filtering solution
Web pages rated and categorized
• Determines category of site
Follows firewall policy
• Allow, block, log, or override
• Ratings based on:
Text analysis
Exploitation of web structure
Human raters
Page: 363
268. Web Filtering Categories
• Categories based on suitability for enterprises, schools, and
home
Potentially liable
Controversial
Potentially non-productive
Potentially bandwidth consuming
Potential security risks
General interest
Business oriented
Others
Page: 364
269. Web Filtering Classes
• Classify web page based on media type or source
Further refine web access
Prevent users reaching blocked material through cached copies or search results
• Classes
Cached contents
Image search
Audio search
Video search
Multimedia search
Spam URL
Unclassified
Page: 365
272. Web Filtering Overrides
• Give user ability to override firewall filter block
Administrative overrides
User overrides
• Override permissions configured at user group level or with
override rules
• User group level overrides
Group of users have same level of overrides
Assumes authentication enabled on policy
• Override rules
Fine granularity
Access domain, directory or category
Page: 369