
Course 201 - Introduction


FortiGate Multi-Threat Security Systems
Administration and Content Inspection
•   System setup
•   Logging and Alerts
•   Firewall Policies
•   Antivirus Scanning and Content Inspection
•   Web Filtering
•   IM and P2P Filtering
•   Administration and Maintenance
•   Transparent Mode
         System Setup
         FortiGate Antivirus Firewall

Network-level Services
• Firewall
• Intrusion prevention and detection
• Traffic shaping
Application-level Services
• Firewall
• Intrusion prevention and detection
• Virus protection
• Content filtering for web connections and
              Web-based Manager

• Web browser
  – Windows
  – Mac
  – Linux
• Configure and monitor a FortiGate unit
• Configuration changes effective immediately
• Download, save, and restore configurations
              Command Line Interface

• Serial port
   – RS232
• Network
   – Telnet
   – SSH
• Same configuration capabilities as the web-based
  manager
• Advanced configuration capabilities
           Factory Default Settings

The FortiGate unit is shipped with a factory
  default configuration that allows you to
  connect to and use the FortiGate web-based
  manager to configure the unit onto the
• Internal interface
  – https , ping access is enabled
• External interface
  – ping is enabled
• Firmware upgrade using TFTP is done using
  the internal interface only (interrupt boot
              Modes of Operation

• NAT/Route Mode
  – Default “out of box” configuration
  – Each interface is on a different network
  – Allows the firewall to operate as a bastion gateway

• Transparent Mode
  – Firewall operates as a bridge
  – Administration performed via a management IP
  – Allows for most FortiGate features without altering
    IP infrastructure of network
             NAT/Route Mode

Hide your internal addressing scheme behind
  a firewall
              Transparent Mode

The firewall acts as a bridge and requires an
  IP address for management and updates
The FortiGate unit is invisible to the network
                 System Dashboard

• Shown after a successful GUI login

• Displays firewall status at a glance including:
   –   FortiGuard Subscriptions status
   –   Statistics for content archiving and IPS
   –   Current system time and uptime
   –   CPU and memory utilization
                Administrative Access

• Options for access to the firewall for purpose of
  administration and maintenance

• Enabled per interface

• Administrative access options are:
   –   HTTP (GUI)
   –   HTTPS (GUI)
   –   Telnet (CLI)
   –   SSH (CLI)
   –   SNMP
   –   PING
            Administrative Users

• Accounts responsible for firewall

• Have CLI / GUI access to the firewall

• User account can be held locally or via

• Logins and passwords are case sensitive
            Administrative Users

• Accounts can be limited by use of Access Profiles

• The default administrative account is “admin”

• The default access profile is “prof_admin”.
  This profile has all permissions
               IP Addressing

• IP addresses can be assigned in three ways:
  – Static
  – DHCP
  – PPPoE

• Dynamic DNS (DDNS) supported for major

• Administrative access is configured per interface

                    VLANs

• Highly flexible, efficient network
• Supported on models 60 and higher
• IEEE 802.1Q
• Segregate devices logically instead of
  physically by adding 802.1Q VLAN tags to
  all packets sent and received by the devices
• A single FortiGate unit can provide security
  services and control connections between
  multiple security domains
• NAT/Route and Transparent modes
               Virtual Domains

• ease of management
• lower costs – one system with multiple
• each virtual domain functions like a single
  FortiGate unit
• exclusive firewall and routing services to
  multiple networks
• traffic from each network is effectively
  separated for every other network
• packets never cross virtual domain borders
• NAT/Route and Transparent modes
               DHCP Server

• A DHCP server may be configured on any
  interface with a static IP address

• The firewall can support multiple DHCP
  servers on a single interface.
                DHCP Relay

• Allows the firewall to relay a DHCP request
  to a remote DHCP server
                   Static Routes

• Default gateway entry. Required for public network

• Routing decision is based on destination network

• The outgoing interface and metric can be specified

• Multiple routes to the same destination can exist,
  but only one is preferred
      Logging and Alerts

• Ability to log session transaction data and
  downloaded files

• Ability to log to multiple locations

• Seamless integration with FortiAnalyzer

• Alert e-mail system

• Choose the location and level:
  – FortiAnalyzer
  – SysLog
  – Memory

• Enable logging:
  – Protection Profile (Content, Content Archiving)
  – Event log
  – Firewall Policy or Interface (Traffic)

                 FortiAnalyzer

• A logging and security center point on the network

• Allows for IPSec encrypted log transfer from the
  firewall
• Full reporting functions

• Required for content and file archiving functions
              Viewing Log Files

• View logs located on the FortiAnalyzer from
  the firewall’s GUI
                Event Logging

• Responsible for:
  – Core system events
  – VPN events
  – Administration events
                   Content Archiving

• The ability to log session transaction data for:
   –   HTTP
   –   FTP
   –   NNTP
   –   IM (AIM, ICQ, MSN, Yahoo!)
   –   Mail (POP3, IMAP, SMTP)

• Ability to archive downloaded files and e-mails

• Requires a FortiAnalyzer appliance
              Log Message Priorities

• All messages have a Priority level:
  –   Emergency
  –   Alert (IPS Signature)
  –   Critical (IPS Anomaly)
  –   Error (Category rating, network address)
  –   Warning (Content filtering, system event)
  –   Notice (Configuration change)
  –   Information (traffic, authentication, content)

  2006-03-22 14:23:37 log_id=0104032126 type=event subtype=admin pri=notice vd=root user=admin ui=GUI( seq=3 msg="User admin added new firewall policy 3 from GUI("
                 Alert E-mail

• Generates an e-mail upon detection of a
  message meeting a defined severity level

• Supports multiple recipients

• Supports servers requiring SMTP
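The slides above give the priority ladder and one raw record, but not how a record is taken apart or how an alert threshold is applied to it. The following is an added example, not code from the course or from Fortinet: it parses key=value records of the layout shown above (values may be quoted and may contain spaces or parentheses, as the msg field does), ranks them by the slide's priority order, and returns the records that meet an alert e-mail severity level. The sample lines are constructed to follow that layout; their log_ids, the GUI source IP, the attack_id and the message texts are made up.

```python
"""Parse FortiGate-style key=value log records and select the ones that
reach an alert e-mail severity threshold. Added illustration, not Fortinet
code. SAMPLE_LINES are constructed: log_ids, addresses and messages are made up."""
import re
from typing import Dict, List, Tuple

# Priorities in the order the slide lists them, most severe first.
PRIORITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information"]
RANK = {name: i for i, name in enumerate(PRIORITIES)}

# key=value pairs; a value is either a double-quoted string (may contain
# spaces and parentheses) or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) ")

SAMPLE_LINES = [
    '2006-03-22 14:23:37 log_id=0104032126 type=event subtype=admin pri=notice vd=root user=admin ui=GUI(192.0.2.10) seq=3 msg="User admin added new firewall policy 3 from GUI(192.0.2.10)"',
    '2006-03-22 14:25:02 log_id=0419016384 type=ips subtype=signature pri=alert vd=root attack_id=10001 src=198.51.100.7 dst=192.168.1.100 msg="web_attack: example signature"',
    '2006-03-22 14:26:10 log_id=0211008192 type=virus subtype=infected pri=warning vd=root src=192.168.1.100 msg="File is infected."',
    '2006-03-22 14:27:45 log_id=0021000001 type=traffic subtype=allowed pri=information vd=root src=10.0.0.5 dst=203.0.113.9 dst_port=443',
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one record into a dict; the timestamp becomes date/time keys."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("record does not start with a timestamp: " + line[:40])
    rec = {"date": m.group(1), "time": m.group(2)}
    for key, value in FIELD_RE.findall(line[m.end():]):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        rec[key] = value
    if rec.get("pri") not in RANK:
        raise ValueError("unknown or missing priority: " + line[:40])
    return rec


def meets_threshold(rec: Dict[str, str], threshold: str) -> bool:
    """True when the record is at least as severe as the configured level."""
    return RANK[rec["pri"]] <= RANK[threshold]


def alert_candidates(lines: List[str], threshold: str) -> List[str]:
    """log_ids of the records that would trigger an alert e-mail at threshold."""
    return [r["log_id"] for r in map(parse_record, lines) if meets_threshold(r, threshold)]


def admin_changes(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Configuration changes: event records with subtype=admin (notice priority)."""
    return [(r["time"], r.get("user", ""), r.get("msg", ""))
            for r in map(parse_record, lines)
            if r.get("type") == "event" and r.get("subtype") == "admin"]


if __name__ == "__main__":
    print("alert at warning:", alert_candidates(SAMPLE_LINES, "warning"))
    print("admin changes:", admin_changes(SAMPLE_LINES))
```

A threshold of "warning" picks up the IPS signature (alert) and the virus record (warning) but not the configuration change (notice) or the traffic record (information); lowering the threshold to "notice" is what makes administrative changes mail out, which is usually the level a practitioner wants for change tracking.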
                  Traffic Logging

• Cannot be logged to memory

• Traffic logging is enabled within:
   – Firewall policies
   – Interfaces

• Logging traffic per firewall policy is usually
       Firewall Policies

• Allows traffic to pass through the firewall from
  one interface to another

• Traffic cannot pass through a firewall unless
  matched exactly by a firewall policy
               Firewall Policies

• Are comprised of an interface pair; source
  and destination

• In NAT/Route mode the firewall policy
  dictates whether traffic will NAT or route

• There are two primary types of firewall policies:
   – Accept
   – Deny
                 Firewall Policy Example

Interface pair

            Firewall Address Objects

• Two types of addresses:
  – IP / IP Range
  – Fully Qualified Domain Name (FQDN)

• Several ways to declare an IP / IP Range:
  –   192.168.1.[99-105]
       Firewall Address Object Groups

• Used to group multiple address objects

• Object groups are available for selection in
  firewall policies
             Firewall Service Objects

• Allows firewall policies to use specific protocol/port
  combinations

• The firewall has many predefined service objects

• Creation of custom service objects

• Can create service groups for additional flexibility
     Firewall Service Objects - Custom

• Three types of custom service objects:
  – TCP/UDP
  – ICMP
  – IP
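The Firewall Policies, Address Objects and Service Objects slides above describe matching in words: an interface pair, source and destination address objects, a service, and the rule that traffic which no policy matches exactly does not pass. The block below is an added example, not code from the course or from Fortinet, that models exactly that: it parses the bracketed range form shown on the address slide (192.168.1.[99-105]) as well as CIDR and dash ranges, evaluates policies top-down with first match winning, and returns the implicit deny (policy id 0) when nothing matches. The interface, object and policy names and the sample packets are made up for the illustration.

```python
"""Toy model of FortiGate-style policy matching: interface pair, address
objects, service objects, top-down first match, implicit deny.
Added illustration, not code from the course or from Fortinet; object,
interface and policy names below are made up."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Range form shown on the address slide: 192.168.1.[99-105]
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")


def parse_address(spec: str) -> Tuple[int, int]:
    """Inclusive (first, last) integer range covered by an address object:
    a host or CIDR, a plain range a.b.c.d-w.x.y.z, or the bracketed last-octet range."""
    m = RANGE_RE.match(spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad range: {spec}")
        first = int(ipaddress.IPv4Address(f"{prefix}.{lo}"))
        return first, first + (hi - lo)
    if "-" in spec:
        a, b = spec.split("-", 1)
        first, last = int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b))
        if last < first:
            raise ValueError(f"bad range: {spec}")
        return first, last
    net = ipaddress.IPv4Network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


@dataclass
class Service:
    protocol: str            # "tcp", "udp", "icmp" or "ip"
    ports: Tuple[int, int]   # inclusive destination port range (ignored for icmp/ip)


@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: List[str]       # address object names, or "all"
    dstaddr: List[str]
    services: List[Service]
    action: str              # "accept" or "deny"


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    protocol: str
    dport: int


def address_matches(names: List[str], objects: Dict[str, Tuple[int, int]], ip: str) -> bool:
    n = int(ipaddress.IPv4Address(ip))
    for name in names:
        if name == "all":
            return True
        first, last = objects[name]
        if first <= n <= last:
            return True
    return False


def service_matches(services: List[Service], pkt: Packet) -> bool:
    for svc in services:
        if svc.protocol != pkt.protocol:
            continue
        if svc.protocol in ("icmp", "ip") or svc.ports[0] <= pkt.dport <= svc.ports[1]:
            return True
    return False


def evaluate(policies: List[Policy], objects: Dict[str, Tuple[int, int]], pkt: Packet) -> Tuple[str, int]:
    """First policy matching every field decides; no match is the implicit deny (id 0)."""
    for pol in policies:
        if (pol.srcintf, pol.dstintf) != (pkt.srcintf, pkt.dstintf):
            continue
        if not address_matches(pol.srcaddr, objects, pkt.src):
            continue
        if not address_matches(pol.dstaddr, objects, pkt.dst):
            continue
        if not service_matches(pol.services, pkt):
            continue
        return pol.action, pol.policy_id
    return "deny", 0


# Constructed sample configuration; names and addresses are illustrative.
OBJECTS = {
    "Web_Servers": parse_address("192.168.1.[99-105]"),
    "Internal_LAN": parse_address("10.0.0.0/24"),
}
HTTP = Service("tcp", (80, 80))
HTTPS = Service("tcp", (443, 443))
POLICIES = [
    Policy(1, "internal", "wan1", ["Internal_LAN"], ["all"], [HTTP, HTTPS], "accept"),
    Policy(2, "wan1", "dmz", ["all"], ["Web_Servers"], [HTTP], "accept"),
]

if __name__ == "__main__":
    for pkt in (
        Packet("internal", "wan1", "10.0.0.50", "203.0.113.9", "tcp", 443),
        Packet("wan1", "dmz", "198.51.100.7", "192.168.1.100", "tcp", 80),
        Packet("wan1", "dmz", "198.51.100.7", "192.168.1.106", "tcp", 80),  # outside the range
        Packet("wan1", "dmz", "198.51.100.7", "192.168.1.100", "tcp", 22),  # service not in policy
    ):
        print(pkt.src, "->", pkt.dst, pkt.protocol, pkt.dport, evaluate(POLICIES, OBJECTS, pkt))
```

The two denied packets show the "matched exactly" rule: one address past the end of the bracketed range, or a port the service object does not cover, is enough to fall through to the implicit deny. Traffic between an interface pair that has no policy at all (dmz to wan1 here) is denied the same way.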

            Firewall Policy – NAT

• Default NAT behavior:
   – Source IP translated to destination interface’s IP
   – Sessions differentiated by port

• Fixed Port behavior:
   – Source IP translated to destination interface’s IP
   – Source and destination port not altered

• IP Pool behavior:
   – Source IP translated to available IP within selected IP Pool
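The three NAT behaviours listed above differ in one thing: what happens when two internal hosts open sessions from the same source port. The block below is an added example, not Fortinet code, that models that difference with a small session table. It simplifies the real device (which keys sessions on the full 5-tuple and has its own port allocation) by identifying a session by source IP and source port only, which is enough to show why the Fixed Port option can fail to build a session. The interface address, pool addresses and host addresses are made up.

```python
"""Toy model of the three source-NAT behaviours: default (port may be
rewritten), fixed port (port preserved, collisions fail) and IP pool.
Added illustration, not Fortinet code; sessions are keyed on (source IP,
source port) only, a simplification of the real 5-tuple session table."""
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]


class SourceNat:
    def __init__(self, interface_ip: str, mode: str = "default",
                 pool: Optional[List[str]] = None, first_port: int = 10000):
        if mode not in ("default", "fixed", "pool"):
            raise ValueError(mode)
        if mode == "pool" and not pool:
            raise ValueError("pool mode needs at least one address")
        self.interface_ip = interface_ip
        self.mode = mode
        self.pool = pool or []
        self.next_port = first_port
        self.in_use: Set[Endpoint] = set()            # translated (ip, port) pairs
        self.sessions: Dict[Endpoint, Endpoint] = {}  # original -> translated

    def _fresh_port(self, ip: str) -> int:
        """Lowest unused port at or above the allocation cursor for this IP."""
        while (ip, self.next_port) in self.in_use:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate(self, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Translated (ip, port) for a new or existing session, or None when
        the session cannot be built (fixed-port collision)."""
        key = (src_ip, src_port)
        if key in self.sessions:
            return self.sessions[key]
        if self.mode == "fixed":
            cand = (self.interface_ip, src_port)
            if cand in self.in_use:
                return None  # another host already owns this port on the interface
        elif self.mode == "pool":
            cand = next(((ip, src_port) for ip in self.pool
                         if (ip, src_port) not in self.in_use), None)
            if cand is None:  # every pool address has this port busy: new port
                cand = (self.pool[0], self._fresh_port(self.pool[0]))
        else:
            cand = (self.interface_ip, src_port)
            if cand in self.in_use:  # default: differentiate the session by port
                cand = (self.interface_ip, self._fresh_port(self.interface_ip))
        self.in_use.add(cand)
        self.sessions[key] = cand
        return cand


def demo() -> Dict[str, List[Optional[Endpoint]]]:
    """Three internal hosts each start a session from source port 1024."""
    hosts = [("10.0.0.5", 1024), ("10.0.0.6", 1024), ("10.0.0.7", 1024)]
    results = {}
    for mode, pool in (("default", None), ("fixed", None),
                       ("pool", ["203.0.113.10", "203.0.113.11"])):
        nat = SourceNat("203.0.113.1", mode, pool)
        results[mode] = [nat.translate(*h) for h in hosts]
    return results


if __name__ == "__main__":
    for mode, translated in demo().items():
        print(f"{mode:8s} {translated}")
```

Default NAT keeps the first host's port and rewrites the others; Fixed Port keeps every port unchanged and therefore cannot translate the second and third host at all; an IP pool spreads the same source port across pool addresses and only rewrites the port once the pool is exhausted. This is why Fixed Port is reserved for protocols that break when the source port changes.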
             Virtual IP Description

• Used to allow the public limited access to an
  internal host

• Two primary types:
   – Static NAT
   – Load Balance

• Ability to perform port forwarding
               Virtual IP – Static NAT

• Creates a bi-directional translation between an
  internal IP and an external IP

• The source IP of traffic originating from the internal
  host will be translated

• It is possible to utilize IP ranges

• Port Forwarding can be used to alter the source or
  destination ports
  Firewall Policy Authentication Description

• Enabled within a firewall accept policy

• Users must authenticate with the firewall in
  order for sessions to pass

• Authentication occurs against object(s) in a
  user group or an active directory
            Firewall Authentication

• User groups may contain:
   – Radius server
   – LDAP directory
   – Local users

• Selection of protection profile is now in the
  user group

• To authenticate against an Active Directory
  the FSAE extensions must be installed
       Firewall Authentication Protocols

• The firewall allows authentication for the following
  protocols:
   – FTP
   – Telnet

• Service groups can be used to force authentication
  of protocols not directly supported

• Default authentication timeout is 15 minutes
     Antivirus Scanning
   and Content Inspection
                 Content Inspection

• Antivirus is a component of the Content
  Inspection System

• Content inspection is comprised of many
  services including:
  –   Antivirus
  –   Spam filtering
  –   Web filtering
  –   Instant Message (IM) filtering
  –   Logging
  –   Content archiving
               Content Inspection

• Content inspection applies to the following
  –   HTTP
  –   FTP
  –   Mail (IMAP, POP3, SMTP)
  –   IM (AIM, ICQ, MSN, Yahoo!)
  –   NNTP
        Content Inspection Configuration

• For traffic to flow two parts are necessary:
   – A source-destination interface pair
   – A firewall policy permitting the traffic

• Content inspection requires an additional component:
   – Protection Profile

• The Protection Profile is applied to either:
   – Firewall policy
   – Authentication group
              Protection Profile

• Each content inspection system has its own
  configuration area

• The Protection Profile is where content
  inspection is enabled
          Protection Profiles - Defaults

• There are four preconfigured Protection Profiles:
  –   Web (HTTP AV scan, Basic WF)
  –   Scan (All AV scan)
  –   Strict (All AV, Full WF, No Oversize, IPS)
  –   Unfiltered

• A custom Protection Profile is
         Protection Profile Creation

• For firewalls up to the FortiGate 1000 a
  maximum of 32 Protection Profiles can be created

• For firewalls beyond the FortiGate 1000 a
  maximum of 200 Protection Profiles can be created

                   Antivirus

• To decrease the chance of malicious code
  execution by clients

• Accelerated by proprietary FortiASIC

• Capable of protecting:
   –   HTTP
   –   FTP
   –   Mail (IMAP, POP3, SMTP)
   –   IM (AIM, ICQ, MSN, Yahoo!)
   –   NNTP
                 Antivirus Features

• The Antivirus system has many components
  –   Real-time scanning of traffic
  –   File pattern blocking
  –   Fragmented e-mail blocking
  –   Oversized file/e-mail blocking
  –   E-mail signatures
  –   Logging
                 Antivirus Updates

• The Antivirus has two components that
  require regular update:
  – Engine
  – Signatures

• The updates can be retrieved from:
  – FortiGuard Distribution Network (FDN)
  – Packages located on the support site
        Antivirus Scanning - Archives

• Scanning of archives

• Scanning of “packers”

• Scanning of encoded files

• The uncompression size limit may need to
  be changed
               Antivirus Engine

• The Antivirus system is port based

• It is possible to add additional ports to each
  supported protocol

• Only active in a session when a file transfer
  is detected
            Grayware / Spyware

• The firewall supports scanning for grayware
  and spyware threats such as:
  – Adware
  – Browser Helper Objects (BHO)
  – Spyware

• Disabled by default

• Can be selectively enabled in the Antivirus
  configuration
             File Pattern Blocking

• Configured in the File Pattern section of the
  Antivirus configuration

• Can be enabled in Protection Profile for all
  protocols supported by Antivirus scanning

• Performed before Antivirus scanning
               Client Comforting

• Can be enabled within the Protection Profile

• Passes data to the client during scanning

• Available for:
   – HTTP
   – FTP
                  Oversized Files

• Firewalls below the enterprise class can scan files
  up to 10% of total memory size

• Files above this threshold are termed “Oversized”

• The oversized file threshold can be lowered to
  improve performance

• The firewall can be configured to pass or block
  oversized files

                   Quarantine

• Allows the firewall to quarantine files to a
  FortiAnalyzer for later retrieval or analysis

• Blocked HTTP and FTP files cannot be
           Web Filtering

• Web Filtering is a content inspection service
  that allows for control of HTTP data through a

• Blocked content is replaced with a
  customizable replacement page
              Web Filtering - Features

• The firewall’s web filter includes the following
  features:
   –   FortiGuard – Web Filter
   –   Score based content blocking
   –   URL filtering
   –   Content exempting
   –   URL exempting
   –   ActiveX, cookie, and Java applet filter
   –   Web resume download blocking
                  URL Filtering

• Allows for the filtering of a URL using:
   – Simple
   – Regular Expression (regex)

• The following actions can be taken:
   – Block
   – Allow (Allowed, and processed by AV)
   – Exempt (Allowed, and not processed by AV)

• These rules are sensitive to ordering
               Content Blocking

• Allows for blocking of web content using:
  – Wildcards
  – Regular expressions

• Ability to assign a score to individual banned words

• Choose a score threshold within the
  Protection Profile
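The URL Filtering and Content Blocking slides above state the rules (simple or regex patterns; Block, Allow and Exempt actions; order matters; banned words carry scores against a threshold set in the Protection Profile) but give no worked case. The block below is an added example, not code from the course or from Fortinet, that models both mechanisms and shows the ordering pitfall: an Exempt rule placed before a Block rule lets a matching download bypass both the block and AV scanning. The simple-pattern semantics are a simplification (case-insensitive wildcard prefix match on host/path); all rules, URLs, banned words and scores are made up.

```python
"""Model of the URL filter list (simple and regex patterns, Block / Allow /
Exempt, first match wins) and score-based banned-word content blocking.
Added illustration, not Fortinet code; pattern semantics simplified and
every rule, word and score below made up."""
import fnmatch
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str]   # (kind, pattern, action); kind is "simple" or "regex"


def _strip_scheme(url: str) -> str:
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE).lower()


def url_decision(rules: List[Rule], url: str) -> Tuple[str, bool]:
    """Return (action, av_scanned). Block: replacement page; Allow: passed and
    AV scanned; Exempt: passed with no AV scan. No matching rule: allow + scan."""
    target = _strip_scheme(url)
    for kind, pattern, action in rules:          # rules are sensitive to ordering
        if kind == "simple":
            pat = pattern.lower()
            hit = fnmatch.fnmatchcase(target, pat if pat.endswith("*") else pat + "*")
        elif kind == "regex":
            hit = re.search(pattern, target, re.IGNORECASE) is not None
        else:
            raise ValueError(kind)
        if hit:
            return action, action == "allow"
    return "allow", True


def content_score(banned: Dict[str, int], text: str) -> int:
    """Sum the score of each banned word found at least once (whole word,
    case-insensitive); each word counts once per page in this model."""
    lowered = text.lower()
    return sum(score for word, score in banned.items()
               if re.search(r"\b" + re.escape(word.lower()) + r"\b", lowered))


def content_blocked(banned: Dict[str, int], text: str, threshold: int) -> bool:
    return content_score(banned, text) >= threshold


# Constructed rule list: the download exemption sits above the .exe block.
URL_RULES = [
    ("simple", "www.example.com/downloads", "exempt"),
    ("regex",  r"^([a-z0-9-]+\.)*example\.com(/|$)", "allow"),
    ("simple", "*.badsite.test", "block"),
    ("regex",  r"\.exe$", "block"),
]
# Same rules with the executable block moved to the top.
SAFER_RULES = [URL_RULES[3]] + URL_RULES[:3]

BANNED_WORDS = {"casino": 10, "jackpot": 5, "poker": 5}   # made-up scores
SCORE_THRESHOLD = 15                                      # as set in a Protection Profile

if __name__ == "__main__":
    exe = "http://www.example.com/downloads/tool.exe"
    print("as listed :", url_decision(URL_RULES, exe))
    print("reordered :", url_decision(SAFER_RULES, exe))
    page = "Online CASINO: win the jackpot at our poker tables"
    print("score", content_score(BANNED_WORDS, page),
          "blocked" if content_blocked(BANNED_WORDS, page, SCORE_THRESHOLD) else "passed")
```

With the list as written the executable under the exempted path is passed without any AV scan; with the block rule moved above the exemption the same URL is blocked. Reviewing the order of Exempt rules against later Block rules is the check worth doing whenever a URL filter list is edited.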
             Content Exemption

• Can be used with content blocking to only
  allow selected content

• Language sensitive

• Content exempted is not processed by AV
           FortiGuard – Web Filter

• Managed web filtering
  solution with 76 categories

• Allows for selective
  override and local

• Images can be blocked
  based on URL
        FortiGuard – Web Filter - Override

• Manual override of ratings can be based upon:
   – Domain
   – Directory
   – Categories (Information Technology)

• The override can be effective for:
   –   Users
   –   User Groups
   –   IP
   –   Protection Profile
      IM and P2P Filtering
                        IM Features

• IM protocols supported:
   –   MSN Messenger
   –   ICQ
   –   AOL Instant Messenger (AIM)
   –   Yahoo! Instant Messenger (Yahoo!)

• Features:
   –   Protocol block/allow
   –   User block/allow
   –   Usage statistics
   –   File transfer and audio blocking
         IM Features - FortiAnalyzer

• IM chat summary information

• Full IM chat information

• Archiving copies of files transferred
               IM Configuration

• For all IM functions the appropriate protocols
  must be enabled in the Protection Profile
           IM/P2P Overview Screen

• Ability to view for each IM protocol
   – Amount of current users
   – Amount of chat sessions / total messages
   – Amount of file transfers / voice chats

• Ability to view for each P2P protocol:
   – Total number of bytes transferred
   – Average bandwidth utilization
                 Protocol Screen

• Allows for more detailed information for each
  IM protocol including:
  –   Amount of group chats
  –   Amount of private chats
  –   Amount of messages sent/received
  –   Amount of voice chats received/blocked
                      IM Users

• By default all IM traffic is automatically blocked

• Users that are allowed/blocked automatically are
  added to the temporary users list

• Users can then be permanently blocked/allowed on
  a per protocol basis

• Current IM users can be viewed
  Extended Options – IM Protection Profile

• Block audio/voice transfer

• Block file transfers

• Block logins (per protocol)

• Enable detection for IM traffic on non-
  standard ports
                   IM Antivirus

• Features:
  – Antivirus scanning for file transfers
  – File pattern blocking

• Must be enabled within the Anti-Virus
  section of the Protection Profile

• If a virus is detected during an IM session a
  message will appear within the window
  stating that a virus has been blocked
                     P2P Features

• Ability to pass or block traffic for:
   –   Bit Torrent
   –   eDonkey
   –   Gnutella
   –   KaZaa
   –   Skype
   –   WinNY

• Ability to limit transfer rates (KB/s) for all but
  Skype traffic
      FortiAnalyzer

• A purpose-built appliance for centralized
  logging and network security analysis

• Hardened, IPSec capable

• Certain models allow for hard
  disk redundancy using RAID

• Full suite of reports

• Enables quarantine of potentially
  malicious files

• Forensic analysis and aggregation of log data

• Network vulnerability scanning

• Ability to function as a secured NAS device

• The firewall must have the FortiAnalyzer
  selected as a logging destination

• The firewall must be registered on the FortiAnalyzer
                  Log Browser

• Ability to view specific log types for individual
  devices
                Reporting Features

• Three types of reports:
  – Scheduled
  – On demand
  – Built in summary

• Reporting in several output formats:
  –   HTML
  –   PDF
  –   MS Word
  –   Text
              Reporting Features

• Ability to use IP aliases

• Reports can have custom graphics and titles

• High degree of selection granularity

          FortiAnalyzer Quarantine

• The FortiAnalyzer allows all FortiGates to
  have a quarantine

• Automatic uploading of files can be enabled

• Automatic ticketing system

• Only one copy of a quarantined file is held
  on the FortiAnalyzer.
         FortiAnalyzer Quarantine

• FortiAnalyzer quarantine example
                Security Events

• Can view recent security events for:
  – Virus
  – Intrusion (IPS)
  – Suspicious
             Vulnerability Scan

• Can scan hosts/subnets for security vulnerabilities

• Can be scheduled or on demand
         Log Rolling and FTP archive

• Log files can be
  rolled based on:
  – File size
  – Time

• Logs can be
  uploaded to an FTP server
                   Log Viewer

• Allows for real-time viewing of log messages

• Full filtering capability
       Administration and Maintenance

• Maintenance of firewalls includes many tasks
  such as:
  –   Configuration backup
  –   IPS signature updates
  –   Antivirus signature updates
  –   FortiGuard Center
  –   Firmware upgrades
  –   FortiGuard Services registration / maintenance
            Configuration Backup

• Configuration can be backed up from:
  – GUI
  – CLI

• The backup file can be sent to:
  – FortiUSB
  – Local PC GUI (HTTP)
  – Local PC CLI (TFTP)
            Configuration Backup

• There are two types of backup:
  – Clear text (default)
  – Password protected

• Password protected backups provide:
  – Backup of IPSec certificates
  – Protection from alteration (checksum)
             Configuration Restore

• A password protected backup will be invalid if:
  – Password is forgotten
  – Backup file is altered or corrupted

          Fortinet Support Registration

• Registering your firewall provides many
  benefits including:
  –   FortiGuard Services activation and trials
  –   Service and support contracts
  –   Centralized device information
  –   Creation of support tickets
  –   Technical support forum access
  –   Access to firmware updates
                Fortinet Support Registration

Product Information

Service agreements

Active support tickets
       FortiGuard Distribution Network

• A Fortinet maintained world wide network for
  update distribution:
  – Antivirus signatures
  – IPS signatures

• There are three ways to update using FDN:
  – Scheduled
  – Push
  – Manual
              FDN Push Updates

• When Push updating is configured the FDN
  – Sends a token to your firewall when an update is
    available
  – Update occurs on 9443/UDP
  – The firewall will require a virtual IP on any NAT
    device between it and the public network
           Firmware Maintenance

• Fortinet makes firmware updates available at

• A configuration backup should be performed
  before any firmware maintenance

• Firmware files are platform specific
            Firmware Upgrades

• Firmware can be updated in three ways:
  – FortiUSB
  – GUI
  – CLI (TFTP)

• During a firmware upgrade the configuration
  will be retained
    Firmware Testing and Multiple Images

• Starting with the FortiGate 100A, firewalls
  have two partitions within NVRAM.

• This allows these models to have:
  – Two independent firmware images
  – Two independent configuration files

               FortiGuard Center

• Fortinet’s most current Malware information
  and security alerts
  –   Advisories
  –   Virus and Spyware encyclopedias
  –   Latest IPS vulnerabilities
  –   Global threat statistics
  –   FortiGuard URL lookup
  –   and more!
       Transparent Mode

• A mode that enables the firewall to behave
  like a layer 2 bridge and still retain its content
  inspection capabilities

• Reasons to use Transparent mode:
  –   Network diagnostics
  –   Not wanting to alter IP addressing scheme
  –   Wishing to “try out” the firewall
  –   A drop in solution for content inspection and
      filtering (including AV, IPS, web filter)

• Enabling transparent mode can be done in a few ways:
   – GUI
   – CLI or console
   – LCD (on supported models)

• Most configuration performed in NAT/Route mode
  will be lost

• The GUI and CLI must now be accessed using the
  management IP

• The default management IP is
  accessible via the Internal or Port 1 of the

• Administrative access is still performed on a
  per interface basis

• Firewall policies remain necessary for traffic
  to flow through the firewall
           Limits of Transparent Mode

• Transparent mode cannot:
  –   Perform NAT/Route of traffic
  –   SSL VPN
  –   DHCP server

• The firewall must have a valid default gateway

• FortiGuard Services require Internet access,
  and occur on 53/UDP by default or optionally
  on 8888/UDP

• Push updates will require a virtual IP on the
  gateway pointing to the management IP

• For a transparent mode firewall to pass
  VLAN traffic it must have:
  – VLAN interfaces with appropriate VLAN ID #
  – Firewall policy permitting the exact traffic

• VLAN interfaces must be present on any
  ports in which tagged packets will flow
            System Health Monitoring

• Firewall health
  –   CPU utilization history
  –   Memory utilization history
  –   Active session table
   –   FortiAnalyzer disk space
              Firewall Session Table

• View current sessions
  on the firewall

• Filter based on:
  –   Protocol
  –   Source IP/Port
  –   Destination IP/Port
  –   Firewall Policy ID

• Allows session removal
