Você está na página 1de 138

FortiGate

Configuraes Bsicas
Engenharia de Redes
Laurence Stendard
1

Tpicos

Instalao
Interfaces
Rotas
Firewall
NAT
VPN IPsec - Clientto-Site
VPN SSL Clientto-Site
VPN IPsec Siteto-Site
IPS
DoS Sensor
Backup
Command Line

Instalao
Conectar notebook/workstation interface
interna.
Configurar endereo na rede
192.168.1.99/24.

Instalao (cont.)
https://192.168.1.99
name = admin password = em branco.

Instalao (cont.)

Interfaces

Interfaces (cont.)

Interfaces - VLAN

Interfaces VLAN (cont.)

Interfaces IP Secundrio

10

Interfaces IP Secundrio (cont.)

11

Interfaces Modo de Operao

No existe um opo opo para forar o modo de


operao de uma interface atravs da interface web (?!)
Isto deve ser configurado atravs da CLI:

Fortigate51B#config system interface


Fortigate51B(interface)#edit wan1
Fortigate51B(wan1)#set speed 100full
Fortigate51B(wan1)#end

12

Rotas

13

Rotas (cont.)

14

Firewall Regras - View

15

Firewall Regras Default

16

NAT de Entrada 1 /p 1
Endereo Externo: 200.202.114.251 -> Endereo
Interno: 10.123.123.10

17

NAT de Entrada 1 p/ 1 (cont.)

18

NAT de Entrada 1 p/ 1 (cont.)

19

NAT de Entrada 1 p/ 1 (cont.)

20

NAT de Sada 1 p/ 1

Endereo Externo: 10.123.123.[100-102] -> Endereo Interno:


200.202.114.[252-254]

21

NAT de Sada 1 p/ 1 (cont.)

22

NAT de Sada 1 p/ 1 (cont.)

23

NAT de Sada 1 p/ 1 (cont.)

necessrio criar uma regra de entrada mesmo que no


exista a necessidade de acessos do ambiente externo
para o interno.

24

NAT de Sada 1 p/ 1 (cont.)

25

NAT de Sada 1 p/ 1 (cont.)

26

NAT de Sada Central NAT


Table

27

NAT de Sada Central NAT Table (cont.)

28

NAT de Sada Central NAT Table (cont.)

29

NAT de Sada Central NAT Table (cont.)

30

VPN IPsec Client-to-Site Servidor TACACS+

31

VPN IPsec Client-to-Site Servidor TACACS+ (cont.)

32

VPN IPsec Client-to-Site Servidor TACACS+ (cont.)

33

VPN IPsec Client-to-Site Servidor TACACS+ (cont.)

34

VPN IPsec Client-to-Site Servidor TACACS+ (cont.)

O campo Key deve ser preenchido com o


mesmo valor usado no campo Server Key da
35
configurao do Fortigate.

VPN IPsec Client-to-Site User Group

36

VPN IPsec Client-to-Site User Group (cont.)

37

VPN IPsec Client-to-Site User Group (cont.)

38

VPN IPsec Client-to-Site Fase 1

39

VPN IPsec Client-to-Site Fase 1 (cont.)

40

VPN IPsec Client-to-Site Fase 1 (cont.)

41

VPN IPsec Client-to-Site Fase 2

42

VPN IPsec Client-to-Site Fase 2 (cont.)

43

VPN IPsec Client-to-Site Fase 2 (cont.)

44

VPN IPsec Client-to-Site Rede Interna e Range


dos Remote Clients

45

VPN IPsec Client-to-Site Rede Interna e Range dos


Remote Clients (cont.)
Range dos Remote Clients:
- NAT do endereo pblico do client para um endereo
interno (facilita roteamento).
- Aplicado interface Fase 1 da VPN (MyVPN_Fase1).

46

VPN IPsec Client-to-Site Regra de Firewall (cont.)


Regra de
Entrada

47

VPN IPsec Client-to-Site Regra de Firewall (cont.)


Regra de
Sada

48

VPN IPsec Client-to-Site Regra de Firewall (cont.)

49

VPN IPsec Client-to-Site DHCP Clients

50

VPN IPsec Client-to-Site DHCP Clients (cont.)

51

VPN IPsec Client-to-Site DHCP Clients (cont.)

52

VPN IPsec Software Client


Verso free:
www.forticlient.com

53

VPN IPsec Software Client (cont.)

54

VPN IPsec Software Client (cont.)

55

VPN IPsec Software Client (cont.)

56

VPN IPsec Software Client (cont.)

57

VPN IPsec Software Client (cont.)

58

VPN IPsec Software Client (cont.)

59

VPN IPsec Software Client (cont.)

60

VPN IPsec Software Client (cont.)

61

VPN IPsec Software Client (cont.)

62

VPN IPsec Software Client (cont.)

Caso existam mais redes a serem acessadas atravs da


VPN:

63

VPN IPsec Software Client (cont.)

64

VPN IPsec Software Client (cont.)

65

VPN IPsec Software Client (cont.)

66

VPN IPsec Software Client (cont.)

67

VPN SSL Modo Web

Editar o grupo
SSLVPN_TUNNEL_ADDR1

68

VPN SSL Modo Web (cont.)

69

VPN SSL Modo Web (cont.)

70

VPN SSL Modo Web (cont.)

71

VPN SSL Modo Web (cont.)

72

VPN SSL Modo Web Portal

73

VPN SSL Modo Web Usurios e Grupos

74

VPN SSL Modo Web Usurios e Grupos (cont.)

75

VPN SSL Modo Web Regra de


Firewall
Regra: Range SSL VPN ->
Rede Interna

76

VPN SSL Modo Web Regra de Firewall (cont.)

77

VPN SSL Modo Web Regra de Firewall (cont.)


Regra de Web
Portal

78

VPN SSL Modo Web Regra de Firewall (cont.)

79

VPN SSL Modo Web Regra de Firewall (cont.)

80

VPN SSL Modo Web Regra de


Firewall

81

VPN SSL Modo Web Acesso

82

VPN SSL Modo Web Acesso (cont.)


Instalao do Plugin

83

VPN SSL Modo Web Acesso (cont.)

84

VPN SSL Modo Web Acesso (cont.)

85

VPN SSL Modo Tunnel

Configuraes de gateway como feito para o modo


Web.
Adicionar rota para o Address Range
SSLVPN_TUNNEL_ADDR1

86

VPN SSL Modo Tunnel Instalar Client

87

VPN SSL Modo Tunnel (cont.)

88

VPN SSL Modo Tunnel (cont.)

89

VPN IPsec Site-to-Site Fase


1
- Site A: Gateway = 200.202.114.250 Rede=10.123.123.0/24
- Site B: Gateway = 200.142.90.178 Rede =
10.55.1.0/24

90

VPN IPsec Site-to-Site Fase 1 (cont.)

91

VPN IPsec Site-to-Site Fase 1 (cont.)

92

VPN IPsec Site-to-Site Fase


2

93

VPN IPsec Site-to-Site Fase 2 (cont.)

94

VPN IPsec Site-to-Site Fase 2 (cont.)


Quando existirem mais de uma rede em ambos os
lados devem ser criadas uma Fase 2 para cada par
de redes que se comunicam.

95

VPN IPsec Site-to-Site Monitorao

96

VPN IPsec Site-to-Site Monitorao (cont.)

97

VPN IPsec Site-to-Site Monitorao (cont.)

98

IPS - Sensor

99

IPS Sensor (cont.)

100

IPS Filtro
Filtros so utilizados para definir os protocolos e
aplicaes analisados.

101

IPS Filtro (cont.)

102

IPS Regra

103

IPS Logs

104

IPS Logs (cont.)

105

IPS Descrio do Ataque

106

DoS Sensor

Deteco de ataques atravs de desvios do


comportamento da rede.

107

DoS Sensor (cont.)

108

DoS Sensor (cont.)

109

DoS Sensor (cont.)

A deteco de DoS usa polticas especficas. (A


poltica de IPS definida nas regras de
firewall.)

110

DoS Sensor (cont.)

111

DoS Sensor (cont.)

112

DoS Sensor (cont.)

113

Backup e Restore

114

Backup e Restore (cont.)

115

Backup e Restore (cont.)

Fortigate51B # execute backup full-config tftp


my-config.cfg 200.202.114.251
Please wait...
Connect to tftp server 200.202.114.251 ...
Send config file to tftp server OK.

116

VDOM

Virtual Domain (VDOM) = virtualizao


do equipamento

117

VDOM
(cont.)

118

VDOM
(cont.)

119

VDOM - Criao

120

VDOM Criao (cont.)

121

VDOM Limites

122

VDOM Limites (cont.)

123

VDOM Adicionar Interfaces

124

VDOM Adicionar Interfaces (cont.)

125

VDOM Adicionar Interfaces (cont.)

126

VDOM Operao

127

CLI

Acesso atravs de SSH, Telnet, console local


(9600,8,n,1) e dashboard:

128

CLI (cont.)

Fortigate51B # show full-configuration


#config-version=FG50BH-4.00-FW-build272-100331:opmode=0:vdom=0
#conf_file_ver=14300459513520570275
#buildno=0272
#global_vdom=1
config system global
set access-banner disable
set admin-concurrent enable
set admin-https-pki-required disable
set admin-lockout-duration 60
set admin-lockout-threshold 3
set admin-maintainer enable
set admin-port 80

129

CLI (cont.)

Fortigate51B # get system performance status


CPU states: 0% user 13% system 0% nice 87% idle
Memory states: 33% used
Average network usage: 30720 kbps in 1 minute, 16453
kbps in 10 minutes, 8129 kbps in 30 minutes
Average sessions: 21 sessions in 1 minute, 19 sessions
in 10 minutes, 22 sessions in 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 0 days, 22 hours, 50 minutes

130

CLI (cont.)
Fortigate51B # get system performance top
Run Time: 16 days, 0 hours and 57 minutes
17U, 4S, 15I; 502T, 130F, 129KF
ipsengine
3049
S <
1.9
miglogd
25
S
1.9
newcli
726
R
0.9
httpsd
67
S
0.0
httpsd
63
S
0.0
cmdbsvr
15
S
0.0
httpsd
27
S
0.0
newcli
707
S
0.0
newcli
80
S
0.0
newcli
1400
S
0.0
sslvpnd
52
S
0.0
scanunitd
5867
S <
0.0
updated
54
S
0.0
merged_daemons
45
S
0.0
iked
444
S
0.0
forticron
46
S
0.0
urlfilter
48
S
0.0
fdsmgmtd
55
S
0.0
scanunitd
5845
S <
0.0

14.8
2.5
2.7
6.6
6.5
4.4
3.0
2.7
2.6
2.6
2.3
2.3
2.3
2.2
2.2
2.2
2.1
2.1
2.1

131

CLI (cont.)
Fortigate51B # get system interface physical
== [onboard]
==[internal]
mode: static
ip: 10.123.123.1 255.255.255.0
ipv6: ::/0
status: up
speed: 100Mbps (Duplex: full)
==[wan1]
mode: static
ip: 200.202.114.250 255.255.255.248
ipv6: ::/0
status: up
speed: 100Mbps (Duplex: full)
==[wan2]
mode: static
ip: 0.0.0.0 0.0.0.0
ipv6: ::/0
status: down
speed: n/a

132

CLI (cont.)
Fortigate51B # show firewall policy
config firewall policy
edit 7
set srcintf "internal"
set dstintf "wan1"
set srcaddr "ServerLab1"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
set nat enable
next
edit 3
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "UbuntuMaster_Ext_Int"
set action accept
set schedule "always"
set service "ANY"
set logtraffic enable
next

133

CLI (cont.)

Fortigate51B # get system session status


The total number of sessions for the current VDOM: 9988
Fortigate51B #
PROTO
EXPIRE
tcp
3600
tcp
3494
tcp
3505
tcp
77
tcp
107

get system session list


SOURCE
SOURCE-NAT
10.123.123.10:33297 -

DESTINATION
DESTINATION-NAT
10.123.123.1:22

10.123.123.10:49923 200.202.114.250:60299 91.189.90.40:80


10.123.123.10:49922 200.202.114.250:45962 91.189.90.40:80
10.123.123.10:49925 200.202.114.250:58253 91.189.90.40:80
10.123.123.10:49924 200.202.114.250:41868 91.189.90.40:80

134

CLI (cont.)

GREP !!!
Fortigate51B # get system performance status | grep -i idle
CPU states: 3% user 0% system 0% nice 97% idle

135

Referncias

Intranet: documento
Firewall Fortinet FortiGate.doc
Famlia FortiGate:
www.fortinet.com/products/fortigate
Sites demo:
www.fortigate.com ( user: demo password:
fortigate)
www.fortianalyzer ( user: demo password:
fortianalyzer)
www.fortimanager.com ( user: demo
password: fortimanager)
Technical Documents: docs.fortinet.com
Knowledge Center: kb.fortinet.com
136
Training Services:campus.training.fortinet.com

Perguntas
Se
Multiplicandoambososladospora

Somando

Dividindoambososladospor

Portanto:

!?!??
137

0br1g@d0 !!!

138