15 May 2013
Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered
trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All
other product or company names may be trademarks of their respective owners. Performance metrics
contained herein were attained in internal lab tests under ideal conditions, and performance may vary.
Network variables, different network environments and other conditions may affect performance results.
Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties,
whether express or implied, except to the extent Fortinet enters a binding written contract, signed by
Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will
perform according to the performance metrics herein. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims
in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable.
Visit these links for more information and documentation for your Fortinet products:
You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.
Contents
Introduction 5
Wireless Networking 58
Providing remote users access to the internet and corporate network using FortiAP 59
Setting up a FortiGate and FortiAP to provide wired and wireless Internet access 65
Setting up guest wifi users with a captive portal 71
Visualizing and controlling the applications on your network using application control 107
Configuring web filter overrides and local ratings 113
Protecting a web server from vulnerabilities and DoS attacks using IPS 119
Blocking email/web traffic or files containing sensitive information 125
Monitoring your network for undesirable behavior using client reputation 131
Inspecting content on the network using flow-based UTM instead of proxy-based UTM 135
Blocking large files from entering the network 141
Blocking access to specific web sites 145
Blocking HTTPS traffic with web filtering 149
Protecting traffic between company headquarters and branch offices using IPsec VPN 155
Providing remote users with access to a corporate network and Internet using SSL VPN 161
Securing remote access to the office network using FortiClient IPsec VPN 169
Securing remote access to the office network for an iOS device over IPsec VPN 175
Redundant OSPF routing between two remote networks over IPsec VPN 183
Authentication 198
Introduction
This FortiGate Cookbook provides administrators who are new to FortiGate appliances with
examples of how to implement many basic and advanced FortiGate configurations. FortiGate
products offer administrators a wealth of features and functions for securing their networks, but
covering the entire scope of configuration possibilities would easily surpass this book. Fortunately,
much more information can be found in the FortiOS Handbook. The latest version is available
from the Fortinet Technical Documentation website at http://docs.fortinet.com.
This cookbook contains a series of “recipes” that describe how to solve a problem. Each recipe
begins with a description of the configuration requirements, followed by a step-by-step solution, and
concludes with results that show what should occur, so that you can verify the steps were completed
successfully.
This FortiGate Cookbook was written for FortiOS 5.0 patch 2 (FortiOS 5.0.2).
A PDF copy of this document is available from the FortiGate Technical Documentation website at
http://docs.fortinet.com/cookbook.html. You can also find earlier editions of the FortiGate
Cookbook, which contain additional recipes and troubleshooting tips, and video versions of
some of the content in this book.
You can send comments about this document and ideas for new recipes to techdoc@fortinet.com.
New recipes may be published on the FortiGate Cookbook website and added to future versions.
Web-based Manager
Also called the Web Interface or Web UI, the FortiGate web-based manager is an advanced point
and click, drag and drop interface that provides quick access to most FortiGate configuration
settings and includes visual monitoring and management tools.
Using the web-based manager you can add a security policy to monitor application activity on a
network, view the results of this application monitoring policy, and then create additional policies or
change the existing policy to block or limit the traffic produced by some applications.
The web-based manager also provides a wide range of monitoring and reporting tools that provide
detailed information about traffic and events occurring on the FortiGate unit.
You access the web-based manager using HTTP or a secure HTTPS connection from any web
browser. Use HTTPS: plain HTTP sends administrator credentials and session cookies in clear text
to anyone on the path. By default you can access the web-based manager by connecting to the
FortiGate interface that is usually attached to a protected network. Configuration changes made from
the web-based manager take effect immediately, without resetting the unit or interrupting service.
FortiExplorer
FortiExplorer provides a user-friendly and accessible tool that you can use to configure a FortiGate
unit over a standard USB connection. You can install FortiExplorer software on a PC running Windows
or Mac OS X and use a USB connection between the PC and your FortiGate unit. Use FortiExplorer
to register your FortiGate unit, check for and perform FortiOS firmware updates, use the FortiExplorer
configuration wizard to quickly set up the FortiGate unit and connect to the
web-based manager or CLI.
Training
Fortinet Training Services provides a variety of training programs world-wide that orient you to your new
equipment, and provides certifications to verify your knowledge level. For more on training services, visit
the Fortinet Training Services web site at http://campus.training.fortinet.com.
Installing and Setup
Most people purchase a FortiGate unit with the intention of creating a secure connection between a
protected private network and the Internet. In most cases they also want the FortiGate unit to hide
the IP addresses of the private network from the Internet. This chapter describes how to set up a
number of common configurations with the FortiGate unit.
In addition, this chapter describes a common transparent mode FortiGate installation in which a
FortiGate unit provides security services to a network without requiring any changes to the network.
Setting up a limited access administrator account
This example adds a new FortiGate administrator login that uses an administrator
profile with access limited to firewall features and read-only access to
administrator information. It also shows how to see which administrators are
logged in, using the admin administrator account.
[Diagram: Internet - WAN 1 (172.20.120.22) - FortiGate - LAN (192.168.1.99/24) - Internal Network]
Step One: Create a new administrative profile
Results
Go to System > Dashboard > Status, and view the System Information widget.
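The same limited-access administrator built from the CLI instead of the web-based manager. This is an added example and is not the cookbook's own configuration; the profile name fw_only, the administrator name fwadmin, the password, the trusted subnet 192.168.1.0/24 and the interface names lan and wan1 are assumptions. It also restricts which interfaces and protocols accept administrative logins, a check the recipe itself does not cover:

```fortios
# Added example (not from the cookbook). Names, password, subnet and
# interface names are assumptions.
config system accprofile
    edit "fw_only"
        set fwgrp read-write      # policies, addresses, services, schedules
        set admingrp read         # can list, but not change, administrators
        set sysgrp none           # no network, DNS, firmware or backup access
        set netgrp none
        set routegrp none
        set utmgrp none
        set vpngrp none
        set loggrp read           # reading logs is useful for a firewall admin
    next
end

config system admin
    edit "fwadmin"
        set accprofile "fw_only"
        set password "ChangeMe-before-use"     # assumption; use a long, unique value
        # Logins are only accepted from the internal management subnet. A
        # connection from any other source is refused before the password
        # is even checked, which is the most useful line in this block.
        set trusthost1 192.168.1.0 255.255.255.0
    next
end

# Administrative protocols are per interface: HTTPS and SSH on the protected
# side only, nothing but ping on the Internet-facing interface.
config system interface
    edit "lan"
        set allowaccess https ssh ping
    next
    edit "wan1"
        set allowaccess ping
    next
end
```

After logging in as fwadmin, the System > Network and System > Admin pages should be missing or read-only, and a login attempt from an address outside 192.168.1.0/24 should fail without reaching the password prompt.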
Setting up and troubleshooting FortiGuard services
If you have purchased FortiGuard services and registered your FortiGate unit,
the FortiGate unit should automatically connect to the FortiGuard Distribution
Network (FDN) and display license information about your FortiGuard services.
In this example, you will verify whether the FortiGate unit is communicating with
the FDN by checking the License Information dashboard widget. The FortiGate
unit automatically connects with the FortiGuard network to verify the FortiGuard
Services status for the FortiGate unit.
[Diagram: Internet - FortiGuard - WAN 1 - FortiGate - port 1 - Internal Network]
Verifying the connection
Troubleshooting connection issues
Use these steps to troubleshoot FortiGuard services should connection issues arise.
• Verify that you have registered your FortiGate unit, purchased FortiGuard services, and that
the services have not expired. You can verify the support status for your FortiGate unit at
the Fortinet Support website (https://support.fortinet.com/).
• Verify that the FortiGate unit can communicate with the Internet. The FortiGate unit should
be able to communicate with the FortiGuard network if it can communicate with the Internet.
• Go to Router > Monitor > Routing Monitor and verify that a default route is available and
configured correctly.
• Go to System > Network > DNS and make sure the primary and secondary DNS servers
are correct. The FortiGate unit connects to the FortiGuard network using a domain name, not a
numerical IP address. If the FortiGate interface connected to the Internet gets its IP address
using DHCP, you should make sure Override internal DNS is selected so that the FortiGate
unit gets its DNS server IP addresses from the ISP using DHCP.
• Verify that the FortiGate unit can connect to the DNS servers using the execute ping
command to ping them.
• You can also attempt a traceroute from the FortiGate CLI to an external network using a
domain name for a location, for example, enter the command:
If the command cannot find the numeric IP address of www.fortiguard.com, then the
FortiGate unit cannot connect to the configured DNS servers.
• Make sure that at least one security policy includes antivirus. If no security policies include
antivirus, the antivirus database may not be updated.
• Verify that the FortiGate unit can communicate with the FortiGuard network. Go to System
> Config > FortiGuard > Antivirus and IPS Options, where you can select Update now to force
an immediate update of the antivirus and IPS databases. After a few minutes, you can verify
whether the updates were successful.
• Test the availability of web filtering and email filtering lookups from System > Config
> FortiGuard > Web Filtering and Email Filtering options by selecting Test Availability.
If the test is not successful, try changing the port that is used for web filtering and email
filtering lookups. The FortiGate unit uses port 53 or 8888 to communicate with the FortiGuard
network and some ISPs may block one of these ports.
• Determine if there is anything upstream that might be blocking FortiGuard traffic, either on
the network or on the ISP’s network. Many firewalls block all ports by default, and often
ISPs block low-numbered ports (such as 53). FortiGuard uses port 53 by default, so if it is
being blocked, you need to either open the port or change the port used by the FortiGate unit.
• Change the FortiGuard source port. It is possible that the ports used to contact the
FortiGuard network are being changed before reaching FortiGuard, or on the return trip,
before reaching your FortiGate unit. A possible solution for this is to use a fixed port at the NAT
firewall to ensure the port number remains the same.
• FortiGate units contact the FortiGuard Network by sending UDP packets with typical source
ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets would then
have a destination port of 1027 or 1031.
• If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the
FDN reply packets. You can select a different source port range for the FortiGate unit to use.
If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate
unit to use higher-numbered ports such as 2048-20000, using the following CLI command:
    config system global
        set ip-src-port-range 2048-20000
    end
Trial and error may be required to select the best source port range. You can also contact
your ISP to determine the best range to use.
• Display the FortiGuard server list. The diagnose debug rating CLI command
shows the list of FortiGuard servers that the FortiGate unit can connect to. The command
should show more than one server.
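The checklist above, run from the FortiGate CLI in the order a practitioner would actually work through it. This is an added example and not part of the cookbook; it assumes that port 53 turns out to be filtered upstream (so the alternate port 8888 is selected) and that the ISP blocks the low UDP source port range:

```fortios
# Added example (not from the cookbook). Assumes port 53 is filtered upstream
# and the low UDP source ports are blocked by the ISP.

# 1. Is there a default route, and which interface does it use?
get router info routing-table all

# 2. Which DNS servers are configured, and does the unit resolve names at all?
get system dns
execute ping www.fortiguard.com
execute traceroute www.fortiguard.com

# 3. Does the unit know any FortiGuard servers? An empty list means the
#    initial FortiGuard handshake never completed.
diagnose debug rating

# 4. Move to the alternate destination port and a higher source port range.
config system fortiguard
    set port 8888
end
config system global
    set ip-src-port-range 2048-20000
end

# 5. Force an update and watch the update daemon while it runs, then
#    turn debugging off again (leaving it on costs CPU and fills the console).
diagnose debug application update -1
diagnose debug enable
execute update-now
diagnose debug disable
diagnose debug reset
```

If step 2 resolves the name but step 3 still shows no servers after the update, the problem is between the unit and the FDN rather than DNS, which is where the port changes in step 4 apply.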
Logging FortiGate system events to gather network traffic information
This example shows how to enable logging to capture the details of network traffic
processed by the FortiGate unit.
[Diagram: Internet - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network]
Step One: Configure logging and event logging
Results
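The logging configuration from this recipe as CLI, including the per-policy setting that actually generates traffic logs, which is easy to overlook when only the global log settings are enabled. This is an added example and not the cookbook's own configuration; the interface names internal and wan1 and the policy ID are assumptions.

```fortios
# Added example (not from the cookbook). Interface names and policy ID are
# assumptions.
config log disk setting
    set status enable
end
config log disk filter
    set severity information     # keep informational traffic logs, not only warnings
end
config log eventfilter
    set event enable
    set system enable            # admin logins, config changes, HA and firmware events
    set user enable              # authentication successes and failures
    set router enable
    set vpn enable
    set wireless enable
end

# Traffic is logged only if the policy that accepts it says so. "all" logs
# every session; "utm" logs only sessions on which a UTM profile acted.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

With logtraffic set to all, Log & Report > Traffic Log > Forward Traffic fills with one entry per session; switch to utm once the baseline is understood if disk space on a small unit becomes a concern.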
Using SNMP to monitor the FortiGate unit
In this example, you configure the SNMP agent and a FortiGate interface to send
SNMP traps to the SNMP manager for review.
[Diagram: Internet - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network - SNMP Manager (192.168.1.114)]
Step One: Configure the SNMP agent and community
Go to System > Config > SNMP.
Step Two: Enable SNMP on a FortiGate interface
Go to System > Network > Interface.
Results
This example uses the SolarWinds SNMP trap viewer.
Perform an action to trigger a trap, for example, change the IP address of the
DMZ interface on the FortiGate unit.
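The SNMP agent from this recipe as CLI. The recipe configures an SNMP v2c community; this added example (not the cookbook's own configuration) shows that community restricted to the single manager host, and next to it an SNMPv3 user with authentication and encryption, which is what to use when the manager supports it, because a v2c community string is a clear-text password. The manager address 192.168.1.114 comes from the recipe diagram; the community string, passphrases, trap events and the interface name port1 are assumptions.

```fortios
# Added example (not from the cookbook). Community string, passphrases,
# event selection and interface name are assumptions.
config system snmp sysinfo
    set status enable
    set description "FortiGate, head office"
    set contact-info "noc@example.com"
    set location "Server room"
    set trap-high-cpu-threshold 80
    set trap-low-memory-threshold 80
end

# v2c: the community string is the only credential and travels in clear
# text. Limit it to the one manager host rather than the default wildcard.
config system snmp community
    edit 1
        set name "S3cr3t-not-public"
        set query-v2c-status enable
        set trap-v2c-status enable
        set events cpu-high mem-low intf-ip ha-switch ips-signature av-virus
        config hosts
            edit 1
                set ip 192.168.1.114 255.255.255.255
            next
        end
    next
end

# v3: SHA authentication and AES privacy, queries and traps to the same manager.
config system snmp user
    edit "snmpv3-mgr"
        set security-level auth-priv
        set auth-proto sha
        set auth-pwd "AuthPassphrase-ChangeMe"
        set priv-proto aes
        set priv-pwd "PrivPassphrase-ChangeMe"
        set notify-hosts 192.168.1.114
        set events cpu-high mem-low intf-ip ha-switch
    next
end

# SNMP is answered only on interfaces that allow it: the internal interface
# here, never the Internet-facing one.
config system interface
    edit "port1"
        set allowaccess ping https ssh snmp
    next
end
```

Changing the DMZ interface address, as the recipe suggests, fires the intf-ip trap to 192.168.1.114 under both the v2c community and the v3 user; once the v3 trap arrives, the v2c community can be deleted.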
Using FortiCloud to view log data and reports
This example describes setting up and accessing logs and reports in FortiCloud.
1. Activate FortiCloud
2. Configure logging and event logging
3. Enable logging in the security policy
4. Results
[Diagram: FortiCloud - Internet - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network]
Step One: Activate FortiCloud
Go to System > Dashboard > Status.
Step Three: Enable logging in the security policy
Results
Using two ISPs for redundant Internet connections with distributed sessions
This example describes how to improve the reliability of a network’s connection
to the Internet by using two Internet connections. It also includes configuration of
equal cost multi-path (ECMP) load balancing to make efficient use of these two Internet
connections by distributing sessions across both, without allowing either one to become
overloaded.
[Diagram: Internet - FortiGate - Internal Network]
Step One: Configure connections to the two ISPs
Create a security policy for each interface connecting the internal network to its ISP.
Go to Router > Static > Settings and set the ECMP Load Balancing Method to Spillover.
Results
Go to Log & Report > Traffic Log > Forward Traffic to see network traffic
from different source IP addresses flowing through both wan1 and wan2.
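The two-ISP setup from this recipe as CLI: two default routes with equal distance and priority, the ECMP method the recipe selects, and one outbound policy per ISP interface. This is an added example and not the cookbook's own configuration; the interface names wan1 and wan2, the gateway addresses and the spillover threshold are assumptions.

```fortios
# Added example (not from the cookbook). Interface names, gateways and the
# threshold are assumptions.
config router static
    edit 1
        set device "wan1"
        set gateway 172.20.120.2
        set distance 10        # equal distance AND equal priority: both routes active
        set priority 0
    next
    edit 2
        set device "wan2"
        set gateway 10.1.1.2
        set distance 10
        set priority 0
    next
end

# usage-based is the CLI name for the "Spillover" method: new sessions use
# wan1 until its traffic passes the threshold, then overflow to wan2.
# source-ip-based (the default) distributes sessions by source address instead.
config system settings
    set v4-ecmp-mode usage-based
end
config system interface
    edit "wan1"
        set spillover-threshold 2000     # kbps, assumption
    next
end

# One outbound policy per ISP interface; the route lookup picks the egress,
# and NAT on each policy gives the session that ISP's public address.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Both routes must show up as 0.0.0.0/0 entries; if only one does, the
# distance or priority values differ.
get router info routing-table all
```

If only wan1 ever appears in the forward traffic log, the threshold is higher than the actual traffic level, which is the expected behaviour of spillover rather than a fault.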
Protect a web server on the DMZ network
In this example, a web server is located on the DMZ network. An internal to DMZ security
policy allows internal users to access the web server using its internal IP address
(10.10.10.22). A WAN to DMZ security policy hides the internal address, allowing
external users to access the web server with a public IP address (172.20.120.22).
[Diagram: Internet - WAN 1 (172.20.120.22) - FortiGate - DMZ - Web Server (10.10.10.22); FortiGate - LAN - Internal Network]
Step One: Configure the FortiGate unit DMZ interface
Go to System > Network > Interface.
Step Three: Create security policies
Results
Adding a second FortiGate unit to improve reliability
This example adds a second FortiGate unit to a currently installed FortiGate unit to
provide redundancy in the event one FortiGate unit fails. This example also steps
through upgrading the HA cluster to a new firmware version.
[Diagram: Internet - Switch - WAN 1 / WAN 1 (two FortiGate units) - Switch - Internal Network]
Step One: Add and connect the second FortiGate and configure HA
Go to System > Config > HA.
Go to System > Dashboard > Status to see the cluster information.
Step Three: Upgrading the firmware for the HA cluster
When a new version of the FortiOS firmware becomes available, upgrade the
firmware on the primary FortiGate unit, and the backup FortiGate unit will upgrade
automatically.
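The active-passive cluster from this recipe as CLI, as entered on each unit before the second one is cabled in. This is an added example and not the cookbook's own configuration; the group name, password, heartbeat interfaces port3 and port4, and the priority values are assumptions. Both units must be the same model and run the same FortiOS build before they will form a cluster.

```fortios
# Added example (not from the cookbook). Group name, password, heartbeat
# interfaces and priority are assumptions.
config system ha
    set mode a-p
    set group-name "HQ-cluster"
    set password "HA-ChangeMe"          # authenticates heartbeat packets between members
    set hbdev "port3" 50 "port4" 50     # two dedicated heartbeat links, not a shared switch
    set priority 200                    # use 100 on the second unit
    set override disable                # no failback flap when the old primary returns
    set session-pickup enable           # existing TCP sessions survive a failover
    set uninterruptible-upgrade enable  # subordinate is upgraded first, then a failover
                                        # lets the former primary upgrade
end

# After the second unit is connected: both members listed, one as master.
get system ha status
diagnose sys ha status
```

The uninterruptible-upgrade setting is what makes Step Three work as described: uploading firmware to the primary upgrades the subordinate first, fails over to it, and then upgrades the old primary, so the cluster keeps forwarding throughout.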
Setting up an explicit proxy for users on a private network
This example sets up the explicit web proxy to accommodate faster web browsing.
Internal users will connect to an explicit web proxy using port 8080 rather than
surfing the Internet directly using port 80.
[Diagram: Internet - FortiGate port 3]
Step One: Enable explicit web proxy on the internal interface
Step Three: Add a security policy for proxy traffic
Results
Using port pairing to simplify transparent mode
1. Switch the FortiGate unit to transparent mode and add a static route
2. Create an internal and wan 1 port pair
3. Create firewall addresses
4. Create a security policy
5. Results
[Diagram: Router (192.168.1.99/24) - wan 1 - FortiGate - Internal - Internal Network (192.168.1.[110-150]); Management IP 192.168.1.100]
Step One: Switch the FortiGate unit to transparent mode and add a static route
Go to System > Dashboard > Status.
Step Three: Create firewall addresses
Go to Policy > Policy > Policy.
Results
Select an entry for details.
Adding packet capture to help troubleshooting
Packet capture is a means of logging traffic and its details to troubleshoot any
issues you may have with traffic flow or connectivity. This example shows the
basics of setting up packet capture on the FortiGate unit and analyzing the results.
[Diagram: Internet - WAN 1 (172.20.120.23) - FortiGate - Internal (192.168.1.99/24) - Internal network]
Step One: Create a packet capture filter
Step Three: Stop the packet capture
Results
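The CLI equivalent of the recipe's packet capture, followed by the flow trace that tells you why a packet was dropped, which the capture alone cannot. This is an added example and not the cookbook's own configuration; the host address 192.168.1.10 and the port are assumptions.

```fortios
# Added example (not from the cookbook). Host address and port are assumptions.

# Capture 20 packets to or from one host on any interface. Verbosity 4 prints
# the interface name and IP headers; verbosity 6 adds the hex payload, which
# can be converted to a pcap file for Wireshark.
diagnose sniffer packet any 'host 192.168.1.10 and tcp port 80' 4 20

# When the capture shows packets arriving on one interface but never leaving
# on another, trace the firewall's decisions for that host: policy match,
# NAT, route lookup and the drop reason.
diagnose debug flow filter addr 192.168.1.10
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable
# ... reproduce the problem from 192.168.1.10, then stop and clean up:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

A filter is not optional on a busy unit: sniffing without one, or tracing without a filter address, floods the console and can itself cause the connectivity problem you are trying to diagnose.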
Wireless Networking
FortiOS WiFi networking provides a wide range of capabilities for integrating wireless networks into
your organization’s network architecture. Each WiFi network, or SSID, is represented by a virtual
network interface to which you apply security policies, UTM features, traffic shaping, and so on, in
the same way as for physical wired networks.
You can create multiple WiFi networks to serve different groups of users. For example, you might
have one network for your employees and another for guests or customers. Also, with the increase
in Bring Your Own Device (BYOD) use, that is, smartphones, tablets and other mobile devices that use
WiFi technology, wireless networks are becoming busier than ever and have to be monitored and
accommodated accordingly.
A network that requires only one WiFi access point is easily created with a FortiWiFi unit operating as
a single thick Access Point (AP). A thick AP such as a FortiWiFi unit contains the WiFi radio facility
as well as access control and authentication functionality.
A thin AP, such as a FortiAP unit, contains only the radio facility and a microcontroller that receives
commands and exchanges data with a WiFi controller. If you already have a FortiGate unit, adding
a FortiAP unit as a thin AP managed by the FortiGate unit operating as a WiFi controller is a cost
effective solution for adding WiFi to your network.
The FortiOS WiFi controller feature is available on both FortiGate and FortiWiFi units. A FortiWiFi
unit’s WiFi controller also controls the unit’s internal (Local WiFi) radio facility, treating it much like a
built-in thin AP. Whenever multiple APs are required, a single FortiGate or FortiWiFi unit controlling
multiple FortiAP units is best. A network of multiple thick APs would be more expensive and more
complex to manage.
Providing remote users access to the internet and corporate network using FortiAP
In this example, users in a remote location such as a hotel use a FortiAP to securely
connect to a corporate network and browse the Internet from behind the corporate
firewall.
[Diagram: Wireless Network - FortiAP (WLAN_1) - Internet - FortiGate - Internal]
Step One: Configure the FortiGate for remote user connections
Go to Policy > Policy > Policy and create two security policies.
Step Three: Configure the FortiGate unit to connect, and configure FortiAP
Results
The remote user connects the FortiAP to the network connection at the hotel. They
then connect to the RemoteWiFi wireless network. They will be able to access the
corporate network and surf the Internet securely. Because the hotel network is
untrusted, make sure the CAPWAP data channel between the FortiAP and the FortiGate
is encrypted with DTLS and not only the control channel; otherwise the wireless
users' traffic crosses the hotel network in clear text.
Selecting an entry for the WLAN_1 interface and internal destination interface
shows traffic using RDP to connect to the corporate network.
Setting up a FortiGate and FortiAP to provide wired and wireless Internet access
This example sets up a FortiAP to connect to the Internet using the FortiGate unit.
Wireless and wired users will be on the same subnet and thus can share network
resources.
[Diagram: Internet - WAN 1 (172.20.120.226) - FortiGate - LAN (192.168.1.99/24) - FortiAP wireless network - Internal network]
Step One: Configure the FortiGate WAN 1 and LAN ports
Step Two: Create an internal address range and security policy
Go to WiFi Controller > WiFi Network > SSID and create a new SSID.
Go to WiFi Controller > Managed Access Points > Managed FortiAP.
Results
Setting up guest wifi users with a captive portal
In this example, a FortiGate unit provides your office with wired networking,
but guest users use laptops and mobile devices. These devices need secure
WiFi access to both the office network and the Internet. Guest users use
web applications and authenticate through a portal using a web browser. The
receptionist for the company is provided a limited access admin account to
distribute temporary password access to the wireless network.
[Diagram: Wireless network (10.10.10.1/24) - Internet - WAN 1 (172.20.120.23) - Internal network]
Step One: Authorize the FortiAP over the DMZ interface
Step Three: Create an SSID using a captive portal
Step Five: Add security policies
Step Six: Add a limited administrative role for the receptionist
Results
To verify that the guest user logged in successfully, go to WiFi Controller >
Monitor > Client Monitor.
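The guest SSID with a captive portal from this recipe, and, as a second SSID on the same access point, the wired-and-wireless-on-one-subnet case from the previous recipe (done with local bridging). This is an added example and not the cookbook's own configuration; the FortiAP serial number, the AP profile name, the SSID names, the 10.10.10.0/24 guest subnet, the staff passphrase and the policy ID are assumptions. It goes one step beyond the recipe by limiting what guests can reach to web and DNS only.

```fortios
# Added example (not from the cookbook). Serial number, names, subnet,
# passphrase and policy ID are assumptions.

# Guest accounts the receptionist creates: random password, lifetime starts
# at creation so an unused account expires too.
config user group
    edit "guests"
        set group-type guest
        set user-id email
        set password auto-generate
        set expire-type immediately
        set expire 28800                  # seconds (8 h), assumption
    next
end

config wireless-controller vap
    edit "guest_wifi"
        set ssid "Guest"
        set security captive-portal
        set selected-usergroups "guests"
        set intra-vap-privacy enable      # guests cannot reach each other's devices
    next
    edit "staff_wifi"
        set ssid "Staff"
        set security wpa2-only-personal
        set passphrase "Staff-ChangeMe"
        set local-bridging enable         # clients land on the wired LAN subnet
    next
end

# The guest SSID is a routed subnet with the FortiGate as its gateway and
# DHCP server; the staff SSID needs no IP because it is bridged to the LAN.
config system interface
    edit "guest_wifi"
        set ip 10.10.10.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set interface "guest_wifi"
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.10.10.10
                set end-ip 10.10.10.200
            next
        end
    next
end

# Both SSIDs go on the 2.4 GHz radio through an AP profile, then the
# FortiAP is authorized by serial number.
config wireless-controller wtp-profile
    edit "office-ap"
        config radio-1
            set vaps "guest_wifi" "staff_wifi"
        end
    next
end
config wireless-controller wtp
    edit "FP221C3X13000001"               # serial number, assumption
        set admin enable
        set wtp-profile "office-ap"
    next
end

# Guests reach the Internet only, and only for web and DNS. There is
# deliberately no policy from guest_wifi to the internal interface.
config firewall policy
    edit 20
        set srcintf "guest_wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

A guest who has passed the portal should appear in WiFi Controller > Monitor > Client Monitor, and a connection attempt from 10.10.10.0/24 to the internal subnet should be dropped by the implicit deny since no policy allows it.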
Security Policies and Firewall Objects
FortiGate units are used to control access between the Internet and a network, typically allowing
users on the network to connect to the Internet while protecting the network from unwanted access
from the Internet. The FortiGate unit has to know what access should be allowed and what should
be blocked. This is what security policies are for; controlling all network traffic attempting to pass
through a FortiGate unit. No traffic can pass through a FortiGate unit unless specifically allowed to
by a security policy. With a security policy, you can control address translation, control the addresses
and services used by the traffic, and apply features such as UTM, authentication, and VPNs. Most of
the examples in this cookbook at some point involve the creation of security policies to allow traffic
and then apply a feature to it. This chapter focuses more on firewall features and how to configure
policies to apply them.
It is simple to set up a FortiGate unit to allow users on a network to access the Internet while
blocking traffic from the Internet from accessing the protected network. All that is required is a single
security policy that allows traffic from the Internal network to connect to the Internet. As long as you
do not add a security policy to allow traffic from the Internet onto your internal network, your network
is protected. The same security policy that allows you to connect to the Internet also allows servers
you contact to respond to you. In effect, a single policy allows two-way traffic, but the incoming
traffic is only allowed in response to requests sent by you.
Firewall objects are those elements within the security policy that further dictate how and when
network traffic is routed and controlled. This includes addresses, services, and schedules that are
used in security policies to control the traffic accepted or blocked by a security policy. Addresses are
matched with the source and destination address of packets received by the FortiGate unit.
The examples in this chapter use a number of these elements and policies to build a secure network.
Controlling when BYOD users can access the Internet
This example uses FortiOS device identity and security policy scheduling to limit
Internet use by Bring Your Own Device (BYOD) users during company time.
[Diagram: Internet - wan 1 - FortiWiFi - wifi - wireless mobile devices; FortiWiFi - Internal - internal network]
Step One: Add BYODs to the FortiGate unit
Step Three: Add a device identity security policy
Results
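The device identity policy from this recipe as CLI. This is an added example and not the cookbook's own configuration; the device alias, its MAC address, the user name, the schedule window, the interface names wifi and wan1 and the policy ID are assumptions. It is written against the FortiOS 5.0 per-device identity-based policy syntax.

```fortios
# Added example (not from the cookbook). Device, MAC, user, schedule,
# interface names and policy ID are assumptions.

# Register the device by MAC address so that it can be named in a policy.
# Devices the FortiGate has already seen appear under User & Device > Device
# and can be given an alias the same way.
config user device
    edit "alice-iphone"
        set mac 00:11:22:33:44:55
        set type iphone
        set user "alice"
    next
end
config firewall schedule recurring
    edit "lunch_break"
        set day monday tuesday wednesday thursday friday
        set start 12:00
        set end 13:00
    next
end

# Identity taken from the device rather than from a user login. Only the
# listed devices match the sub-policy, and the sub-policy's schedule limits
# when they may reach the Internet; outside it they fall to the implicit deny.
config firewall policy
    edit 5
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set nat enable
        set identity-based enable
        set identity-from device
        config identity-based-policy
            edit 1
                set devices "alice-iphone"
                set schedule "lunch_break"
                set service "ALL"
            next
        end
    next
end
```

MAC-based identification is a convenience control, not an authentication one: a MAC can be cloned, so this schedule keeps personal devices off the network during work hours but should not be relied on to keep a determined user out.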
Using AirPrint with iOS and OS X and a FortiGate unit
This example sets up AirPrint services for use with an iOS device and OS X
computers using Bonjour and multicast security policies.
[Diagram: SSID 1 (WLAN 1, 10.10.10.1/24): iPad 10.10.10.3 connected to SSID 1; SSID 2 (WLAN 2, 20.20.20.1/24): AirPrint printer 20.20.20.2 connected to SSID 2; FortiAP on DMZ 10.10.100.1/24; FortiGate LAN 192.168.1.99/24 - Internal network with OS X computers]
Step One: Configure the FortiAP and SSIDs
Go to WiFi Controller > WiFi Network > SSID.
Step Two: Add addresses for the wireless networks and printer
Create an address for the internal network with the OS X computers.
Step Four: Add multicast security policies
Go to Policy > Policy > Multicast Policy.
Step Five: Add inter-subnet security policies
Results
Print a document from an OS X computer.
Using AirPlay with iOS, Apple TV, FortiAP and a FortiGate unit
This example sets up AirPlay services for use with an iOS device using Bonjour and
multicast security policies.
Apple TV can also be connected to the Internet wirelessly. If an iOS device is
connected to the same SSID as the Apple TV, AirPlay works without any configuration
on the FortiGate unit.
[Diagram: SSID 1 (WLAN 1, 10.10.10.1/24): iPad 10.10.10.3 connected to SSID 1; Apple TV; FortiAP on DMZ 10.10.100.1/24; FortiGate LAN 192.168.1.99/24 - Internal network with OS X]
Step One: Configure the FortiAP and SSIDs
Go to WiFi Controller > WiFi Network > SSID.
Step Three: Add two service objects for AirPlay
Go to Policy > Policy > Multicast Policy.
Results
Go to Log & Report > Traffic Log > Forward Traffic and filter on policy IDs 6 and 7,
which allow AirPlay traffic.
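The multicast and inter-subnet policies that both the AirPrint recipe and the AirPlay recipe above depend on: Bonjour discovery is mDNS, UDP port 5353 sent to the multicast group 224.0.0.251, and it has to be allowed in both directions between the client SSID and the SSID holding the printer or Apple TV before the client can reach the device with ordinary unicast traffic. This is an added example and not the cookbook's own configuration; the interface names wlan1 and wlan2, the printer address 20.20.20.2, the object names and the policy IDs are assumptions. AirPrint itself uses IPP on TCP 631, which is the only unicast port opened here.

```fortios
# Added example (not from the cookbook). Interface names, printer address,
# object names and policy IDs are assumptions.
config system settings
    set multicast-forward enable
end
config firewall multicast-address
    edit "mDNS"
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
end
config firewall address
    edit "airprint_printer"
        set subnet 20.20.20.2 255.255.255.255
    next
end
config firewall service custom
    edit "IPP"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 631
    next
end

# Multicast policies are one-way. The iPad's Bonjour query travels
# wlan1 -> wlan2 and the printer's announcement travels wlan2 -> wlan1,
# so one policy per direction is required.
config firewall multicast-policy
    edit 1
        set srcintf "wlan1"
        set dstintf "wlan2"
        set srcaddr "all"
        set dstaddr "mDNS"
        set action accept
    next
    edit 2
        set srcintf "wlan2"
        set dstintf "wlan1"
        set srcaddr "all"
        set dstaddr "mDNS"
        set action accept
    next
end

# Unicast print traffic, narrowed to the printer host and the IPP port;
# nothing else on the printer SSID is reachable from the client SSID.
config firewall policy
    edit 6
        set srcintf "wlan1"
        set dstintf "wlan2"
        set srcaddr "all"
        set dstaddr "airprint_printer"
        set action accept
        set schedule "always"
        set service "IPP"
        set logtraffic all
    next
end
```

For the AirPlay recipe the same mDNS policies apply; replace the printer address with the Apple TV's address and the IPP service with the two AirPlay service objects the recipe creates. Keeping the unicast policy host- and port-specific matters because the alternative, opening all traffic between the SSIDs, turns a printer VLAN into a bridge into the client network.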
Using port forwarding on a FortiGate unit
This example illustrates how to allow incoming connections from the Internet to a
server on the internal network, for a service on that server that requires open
ports. The service requires opening TCP ports in the range 7882 to 7999, as
well as UDP ports 2119 and 2995. This involves creating multiple VIPs that
map sessions from the wan 1 IP address to the server IP address.
[Diagram: Internet - WAN 1 (172.20.120.226) - FortiGate - LAN (192.168.1.99/24) - Server (192.168.1.200); open TCP ports 7882-7999 and UDP ports 2119 and 2995 for traffic from the Internet to the Server]
Step One: Create three virtual IPs
Step Two: Add virtual IPs to a group
Results
Go to Log & Report > Traffic Log > Forward Traffic to see the logged activity.
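The virtual IPs for this recipe and for the earlier DMZ web server recipe, as CLI. Part one is the DMZ case (public 172.20.120.22 mapped to the web server 10.10.10.22); part two is the port forwarding case (wan1 172.20.120.226 mapped to 192.168.1.200 for TCP 7882-7999 and UDP 2119 and 2995, three VIPs in one group). This is an added example and not the cookbook's own configuration; the interface names wan1, dmz and internal, the object names and the policy IDs are assumptions.

```fortios
# Added example (not from the cookbook). Interface names, object names and
# policy IDs are assumptions.

# --- DMZ web server: static NAT VIP, HTTP only, from wan1 ---
config firewall vip
    edit "web_server_vip"
        set extintf "wan1"
        set extip 172.20.120.22
        set mappedip 10.10.10.22
    next
end
config firewall address
    edit "web_server"
        set subnet 10.10.10.22 255.255.255.255
    next
end
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web_server_vip"
        set action accept
        set schedule "always"
        set service "HTTP"            # only the service the server offers, not ALL
        set logtraffic all
    next
    edit 11                            # internal users reach the server directly
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web_server"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end

# --- Port forwarding: three VIPs limited to the required ports, grouped ---
config firewall vip
    edit "srv_tcp_7882-7999"
        set extintf "wan1"
        set extip 172.20.120.226
        set mappedip 192.168.1.200
        set portforward enable
        set protocol tcp
        set extport 7882-7999
        set mappedport 7882-7999
    next
    edit "srv_udp_2119"
        set extintf "wan1"
        set extip 172.20.120.226
        set mappedip 192.168.1.200
        set portforward enable
        set protocol udp
        set extport 2119
        set mappedport 2119
    next
    edit "srv_udp_2995"
        set extintf "wan1"
        set extip 172.20.120.226
        set mappedip 192.168.1.200
        set portforward enable
        set protocol udp
        set extport 2995
        set mappedport 2995
    next
end
config firewall vipgrp
    edit "srv_ports"
        set interface "wan1"
        set member "srv_tcp_7882-7999" "srv_udp_2119" "srv_udp_2995"
    next
end
config firewall policy
    edit 12
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srv_ports"
        set action accept
        set schedule "always"
        set service "ALL"      # safe here: a port-forward VIP only matches its own ports
        set logtraffic all     # NAT stays off, so the server logs the real client address
    next
end
```

With the port-forward VIPs, a packet to 172.20.120.226 on a port outside the three ranges never matches the VIP group and so never matches policy 12; it is dropped by the implicit deny, which is the behaviour to confirm from the outside after applying this.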
UTM Profiles
UTM profiles, including antivirus, web filtering, application control, intrusion protection (IPS), email
filtering, and data leak prevention (DLP), apply core UTM security functions to traffic accepted by
security policies. The FortiGate unit includes default UTM profiles for all of these security features.
You can apply UTM features to traffic accepted by a security policy by selecting the default profiles
for the UTM features that you want to apply.
The default profiles are designed to provide basic protection. You can modify the default profiles,
and group them, for your needs or create new ones. Creating multiple profiles means you can apply
different levels of protection to different traffic types according to the security policies that accept the
traffic.
Endpoint control profiles are created to ensure that workstation computers, also known as
endpoints, on your network meet the network’s security requirements; otherwise, they are not
permitted access. Enhanced by Fortinet’s FortiClient Endpoint Security software, FortiGate endpoint
control can block or control access through the FortiGate unit for workstation computers depending
on the security functions enabled on the computers and the applications running on them. After
creating endpoint control profiles, you can add endpoint security profiles to security policies.
The final UTM profile feature, vulnerability scanning is independent of security policies. By using
vulnerability scanning, you can scan computers on your network for multiple vulnerabilities, and take
action to remove those vulnerabilities.
Visualizing and controlling the applications on your network using application control
This example sets up application monitors in security policies to determine
which applications are contributing to high bandwidth usage on the network or
distracting employees, and then blocks access for those applications.
[Diagram: Internet - WAN 1 - FortiGate - Internal - Internal Network]
Step One: Add an application control sensor
Step Two: Add a security policy to use the application control sensor
Go to Policy > Policy > Policy.
Click each blue bar to see further details on the usage statistics.
Select Create New to add a new application filter.
Results
Configuring web filter overrides and local ratings
This example sets up web site overrides for blocked sites. It adds web filter profiles
that prohibit viewing a web site until the user authenticates for an override. Once
authenticated, they will still only have a limited amount of time to visit the site.
[Diagram: Internet - FortiGuard - WAN 1 - FortiGate - LAN - Internal Network]
Step One: Configure users and user groups
Go to UTM Security Profiles > Web Filter > Profile.
Step Three: Edit the security policy to include the web filter UTM profile
Results
Select Override. You are prompted to authenticate to view the page.
Protecting a web server from vulnerabilities and DoS attacks using IPS
This example uses IPS to protect a web server by placing the web server on the
internal network behind a virtual IP, and creating a security policy that allows web
access from the Internet to the server. IPS is added to the policy to protect the
server from attacks.
[Diagram: Attacks - Internet - WAN 1 (172.20.120.24) - FortiGate - LAN (192.168.1.99/24) - Web server; VIP: 172.20.120.24 --> 192.168.1.200]
Step One: Configure IPS to detect and protect against common attacks
Step Two: Add a security policy that includes the IPS UTM profile
Step Three: Add a DoS security policy using IPS
Results
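The IPS sensor, the policy that applies it to the VIP from the diagram (172.20.120.24 to 192.168.1.200) and the DoS policy, as CLI. This is an added example and not the cookbook's own configuration; the sensor name, the DoS thresholds, the interface names and the policy IDs are assumptions. The thresholds shown are the FortiOS defaults for those anomalies and should be compared against measured traffic before the action is set to block, or a busy but legitimate client will be cut off.

```fortios
# Added example (not from the cookbook). Names, thresholds, interface names
# and policy IDs are assumptions.

# Server-side HTTP signatures only: the sensor is narrowed to what can hit a
# web server so that client-side and unrelated-protocol signatures do not
# cost CPU or produce noise.
config ips sensor
    edit "web_server_ips"
        set comment "server-side HTTP signatures, block high and critical"
        config entries
            edit 1
                set location server
                set protocol HTTP
                set severity high critical
                set action block
                set log enable
                set status enable
            next
        end
    next
end

config firewall vip
    edit "web_vip"
        set extintf "wan1"
        set extip 172.20.120.24
        set mappedip 192.168.1.200
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end
config firewall policy
    edit 30
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web_vip"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable
        set profile-protocol-options "default"
        set ips-sensor "web_server_ips"
        set logtraffic utm
    next
end

# DoS policy: evaluated on the incoming interface before the security
# policy, so a flood is dropped before it consumes a session or IPS cycles.
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000        # SYN/s toward one destination (default)
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000        # SYN/s from one source (default)
            next
        end
    next
end
```

Start with the anomaly action set to pass and log enabled for a few days; the anomaly log then shows what the real peak rates are, and the threshold can be raised above them before switching the action to block.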
Blocking email/web traffic or files containing sensitive information
This example sets up data leak prevention (DLP) for the network by analyzing data
using sensors for credit card numbers, watermarked files and file pattern matching.
With these filters, the FortiGate unit scans outgoing data for potential sensitive
data breaches.
[Diagram: Internet - FortiGate - LAN - Internal network]
Step One: Create a DLP file matching pattern filter
Select Create New to add a filter to look for credit card number patterns.
Step Four: Add a security policy that includes the DLP sensor
Results
Upload a watermarked file to a server on the Internet such as a local FTP server or
web server. The FortiGate unit will block the file and prevent it from leaving the
internal network.
Monitoring your network for undesirable behavior using client reputation
Client reputation enables you to monitor traffic from internal sources based on UTM
profiles and risk ratings. Client reputation tracks client behavior and reports on the
activities you determine are risky or otherwise noteworthy. This example enables
client reputation on web filtering to monitor traffic from various sources to web sites.
[Diagram: Internet - WAN 1 - FortiGate - Internal - Internal Network]
Step One: Add client reputation on the network
Go to User & Device > Client Reputation > Reputation Definition.
Results
Inspecting content on the network using flow-based
UT M instead of proxy-based UT M
Flow-based scans examine files as they pass through while proxy-based scans
require that files are cached as they come in and examined once completely
cached. Caching files takes more memory and system resources. UTM features
using flow-based scans will continue to protect network traffic without interruption.
Web Filter
Internal Network
Viruses
Internal Internet
FortiGate WAN 1 Viruses
Viruses
135
Step One: Enable flow-based antivirus
136
Step Three: Add a firewall policy to
include the new UT M security profiles
Results
137
Go to Log & Report > Traffic Log >
Forward Traffic to see the UTM profile is
activated when attempting to download
the file.
138
Select the blue bar in the chart to see
further details by user.
Blocking large files from entering the network
If a file is too large to be properly scanned by the FortiGate unit, you need to
make sure it still does not enter the network. This example configures data leak
prevention (DLP) options to block large files from entering the network.
[Network diagram: Internal network - FortiGate LAN / WAN 1 - Internet (viruses/spyware inbound)]
Step One: Set up a DLP sensor with a file matching pattern filter
Step Two: Add a security profile that includes the DLP sensor
Results
Blocking access to specific web sites
This example sets up the FortiGate unit to block users from viewing specific web
sites using web filtering.
[Network diagram: Internet (blocked site) - FortiGate WAN 1 / LAN - Internal network]
Step One: Create a new web filter block list
Step Three: Add a security profile that includes the web filter UTM profile
Results
Go to Log & Report > Traffic Log >
Forward Traffic.
Blocking HTTPS traffic with web filtering
Some websites, such as YouTube and Facebook, are accessible using both the HTTP and
HTTPS protocols. This example steps through how to block HTTPS access to these websites
using either proxy-based or flow-based web filtering profiles. You will need to have
your FortiGate licensed for FortiGuard services.
[Network diagram: Internal Network - FortiGate Internal / WAN 1 - Internet (HTTPS to YouTube, Facebook; FortiGuard)]
Step One: Verify FortiGuard services are enabled
Step Three: Create an SSL Inspection profile
Go to Policy > Policy > SSL/SSH Inspection.
Results
In a web browser, go to
https://youtube.com. The web page is
blocked and a FortiGate replacement
message is put up in its place.
SSL and IPsec VPN
SSL is an easy-to-use, application-level, network-independent method of ensuring private
communication over the Internet. Commonly used to protect the privacy of online shopping
payments, customers' web browsers can switch almost transparently to using SSL for secure
communication without customers being required to do any SSL-related configuration or install
any extra SSL-related software.
The FortiGate SSL VPN configuration requires an SSL VPN web portal for users to log into, a user
authentication configuration that allows SSL VPN users to log in, and SSL VPN security
policies that control the source and destination access of SSL VPN users. SSL VPN security policies
can also apply UTM and other security features to all SSL VPN traffic.
IPsec VPN is a common method for enabling private, secure communication over the Internet.
IPsec supports a client-server architecture similar to that of SSL VPN. However, to support a
client-server architecture, IPsec clients must install and configure an IPsec VPN client (such as
Fortinet's FortiClient Endpoint Security) on their PCs or mobile devices.
IPsec VPN supports more configuration options than SSL VPN. A common application of IPsec
VPN is a gateway-to-gateway configuration that allows users to communicate transparently
between remote networks over the Internet. When a user on one network starts a communication
session with a server on the other network, a security policy configured for IPsec VPN intercepts
the session and uses an associated IPsec configuration both to encrypt the session for privacy
and to route it transparently over the Internet to the remote network. At the remote network,
the IPsec gateway intercepts and decrypts the encrypted session and forwards the unencrypted
traffic to the server.
Many variations of the gateway-to-gateway configuration are available depending on the
requirements.
All communication over IPsec VPNs is controlled by security policies. Security policies allow
full access control and can be used to apply UTM and other features to IPsec VPN traffic. Fortinet
IPsec VPNs employ industry-standard features to ensure the best security and interoperability with
industry-standard VPN solutions provided by other vendors.
Protecting traffic between company headquarters and branch offices using IPsec VPN
This example uses a gateway-to-gateway IPsec VPN, and assumes that both
offices have connections to the Internet with static IP addresses. This configuration
uses a policy-based IPsec VPN.
[Network diagram: Internal Network (HQ) - HQ FortiGate port1 192.168.1.99/24, wan1 172.20.120.123 - Internet (IPsec) - Branch FortiGate port3 172.20.120.141, port4 10.10.1.99/24 - Internal Network (Branch)]
Step One: Configure the HQ IPsec VPN Phase 1 and Phase 2 settings
Step Two: Add HQ addresses for the local and remote LAN on the HQ FortiGate unit
Step Four: Configure the Branch IPsec VPN Phase 1 and Phase 2 settings
Step Five: Add Branch addresses for the local and remote LAN on the HQ FortiGate unit
Results
Go to VPN > Monitor > IPSec Monitor
to verify the status of the VPN tunnel. It
should be up.
Providing remote users with access to a corporate network and Internet using SSL VPN
This example sets up remote users to connect to the corporate network using SSL
VPN and to use the FortiGate UTM for surfing the Internet. During the connection
phase, the FortiGate unit will also verify that the remote user's antivirus software is
installed and current.
[Network diagram: remote SSL VPN user - Internet - FortiGate WAN 1 172.20.120.123 (sslroot), Port 1 192.168.1.99/24; Internet browsing passes through the FortiGate]
Step One: Create an SSL VPN tunnel for remote users
Step Two: Create user definitions and add them to a group
Step Four: Add security profiles for access to the Internet and internal network
Step Five: Set the FortiGate unit to verify users have current antivirus software
Results
After the check is complete, the portal
appears.
Go to Log & Report > Traffic Log >
Forward Traffic and view the details for
the SSL entry.
Securing remote access to the office network using FortiClient IPsec VPN
This example sets up a remote user and user group to provide protected access to
the corporate network. The remote users use the FortiClient Endpoint Protection
software to connect to the VPN tunnel. This example sets up the user to access the
internal network as well as access the Internet through the FortiGate unit, to provide
a secure surfing experience using the FortiGate UTM features.
[Network diagram: Internal Network - FortiGate port 1 192.168.1.99/24, wan 1 172.20.120.123 - Internet (IPsec) - Remote user (FortiClient)]
Step One: Create a new FortiClient user and add to a user group
Go to User & Device > User > User Definition.
Step Three: Add addresses for the local LAN and remote FortiClient users
Go to Policy > Policy > Policy.
Results
Connect using the user name twhite.
Securing remote access to the office network for an iOS device over IPsec VPN
This example sets up a remote user and user group to provide protected access
to the corporate network. The remote users use their iPad to connect to the VPN
tunnel. This example sets up the user to access the internal network as well
as access the Internet through the FortiGate unit, to provide a secure surfing
experience using the FortiGate UTM features. This example uses an iPad 2 running
iOS 6.1.2. Menu options may vary for different iOS versions and devices.
[Network diagram: Internal Network - FortiGate Port 1 192.168.1.99/24, wan 1 172.20.120.123 - Internet (IPsec) - Remote user (iPad)]
Step One: Create a new user and add to a user group
Go to User & Device > User > User Definition.
Go to Firewall Objects > Address >
Address.
Go to VPN > IPSec > Auto Key (IKE).
Step Four: Create security policies for access to the internal network and Internet
Results
Select an entry to view more information.
Redundant OSPF routing between two remote networks over IPsec VPN
This example sets up secure communication between two remote networks using
redundant OSPF routes.
[Network diagram: Internal Network (HQ) - Internal Network (Branch)]
Step One: Create redundant IPSec tunnels on FortiGate 1
Go to VPN > IPsec > Auto Key (IKE).
Step Two: Create IP addresses for the IPsec interfaces on FortiGate 1
Select Create New in the Networks
section.
Edit the primary and secondary interfaces
of FortiGate 2.
Step Six: Create redundant IPSec tunnels on FortiGate 2
Go to VPN > IPsec > Auto Key (IKE).
Step Seven: Create IP addresses for the IPsec interfaces on FortiGate 2
Select Create New in the Networks
section.
Edit the primary and secondary interfaces
of FortiGate 1.
Results
The VPN network between the two
OSPF networks uses the primary VPN
connection. Disconnect the wan1 interface
and confirm that the secondary tunnel will
be used automatically to maintain a secure
connection.
Authentication
Authentication is the act of confirming the identity of a person or other entity. In the context of a
private computer network, the identities of users or host computers must be established to ensure
that only authorized parties can access the network. The FortiGate unit enables controlled network
access and applies authentication to users of security policies and VPN clients.
Identifying users and other computers (authentication) is a key part of network security. This chapter
describes some basic configurations.
Providing single sign-on on a Windows AD network by adding a FortiGate
This example uses the Fortinet Single Sign-On (FSSO) Collector Agent to integrate a
FortiGate unit into the Windows AD domain.
[Network diagram: Internet - FortiGate WAN 1 172.20.120.123, Port 1 192.168.1.99/24 - Internal Network with Windows AD server 192.168.1.114]
Step One: Install the FSSO Collector Agent
Select the domains to monitor, and any
users whose activity you do not wish to
monitor.
Step Two: Configure the Single Sign-on Agent
Step Five: Add an address for the internal network
Results
Go to Log & Report > Traffic Log >
Forward Traffic.