Course _201 - Introduction


FortiGate Multi-Threat Security Systems
Administration and Content Inspection

Topics


•   System setup
•   Logging and Alerts
•   Firewall Policies
•   Antivirus Scanning and Content Inspection
•   Web Filtering
•   IM and P2P Filtering
•   Administration and Maintenance
•   Transparent Mode
System Setup
FortiGate Multi-Threat Security Systems - Administration and Content Inspection

FortiGate Antivirus Firewall

Network-level Services
• Firewall
• Intrusion prevention and detection
• VPN
• Traffic shaping
Application-level Services
• Firewall
• Intrusion prevention and detection
• Virus protection
• Content filtering for web connections and
  email
              Web-based Manager


• HTTP or HTTPS
• Web browser
  – Windows
  – Mac
  – Linux
• Configure and monitor a FortiGate unit
• Configuration changes effective immediately
• Download, save, and restore configurations
              Command Line Interface


• Serial port
   – RS232
• Network
   – Telnet
   – SSH
• Same configuration capabilities as the web-
  based manager
• Advanced configuration capabilities
           Factory Default Settings

The FortiGate unit is shipped with a factory
  default configuration that allows you to
  connect to and use the FortiGate web-based
  manager to configure the unit onto the
  network
• Internal interface 192.168.1.99/24
  – HTTPS and ping access are enabled
• External interface 192.168.100.99/24
  – ping is enabled
• Firmware upgrade via TFTP uses the internal
  interface only (requires interrupting the boot
  process)
              Modes of Operation


• NAT/Route Mode
  – Default “out of box” configuration
  – Each interface is on a different network
  – Allows the firewall to operate as a bastion gateway


• Transparent Mode
  – Firewall operates as a bridge
  – Administration performed via a management IP
    address
  – Allows for most FortiGate features without altering
    IP infrastructure of network
             NAT/Route Mode


Hide your internal addressing scheme behind
  a firewall
              Transparent Mode


The firewall acts as a bridge and requires an
  IP address for management and updates
The FortiGate unit is invisible to the network
                 System Dashboard


• Shown after a successful GUI login

• Displays firewall status at a glance including:
   –   FortiGuard Subscriptions status
   –   Statistics for content archiving and IPS
   –   Current system time and uptime
   –   CPU and memory utilization
System Dashboard (screenshot of the dashboard page)
                Administrative Access


• Options for access to the firewall for purpose of
  administration and maintenance

• Enabled per interface

• Administrative access options are:
   –   HTTP (GUI)
   –   HTTPS (GUI)
   –   Telnet (CLI)
   –   SSH (CLI)
   –   SNMP
   –   PING
            Administrative Users


• Accounts responsible for firewall
  administration

• Have CLI / GUI access to the firewall

• User account can be held locally or via
  RADIUS

• Logins and passwords are case sensitive
            Administrative Users


• Accounts can be limited by use of Access
  Profiles

• The default administrative account is “admin”

• The default access profile is “prof_admin”.
  This profile has all permissions
               IP Addressing


• IP addresses can be assigned in three ways:
  – Static
  – DHCP
  – PPPoE

• Dynamic DNS (DDNS) supported for major
  providers

• Administrative access is configured per
  interface
                   VLANs

• Highly flexible, efficient network
  segmentation
• Supported on models 60 and higher
• IEEE 802.1Q
• Segregate devices logically instead of
  physically by adding 802.1Q VLAN tags to
  all packets sent and received by the devices
• A single FortiGate unit can provide security
  services and control connections between
  multiple security domains
• NAT/Route and Transparent modes
               Virtual Domains

• Ease of management
• Lower costs – one system with multiple
  firewalls
• Each virtual domain functions like a single
  FortiGate unit
• Exclusive firewall and routing services to
  multiple networks
• Traffic from each network is effectively
  separated from every other network
• Packets never cross virtual domain borders
• NAT/Route and Transparent modes
               DHCP Server


• A DHCP server may be configured on any
  interface with a static IP address

• The firewall can support multiple DHCP
  servers on a single interface.
                DHCP Relay


• Allows the firewall to relay a DHCP request
  to a remote DHCP server
                   Static Routes


• Default gateway entry. Required for public network
  access

• Routing decision is based on destination network

• The outgoing interface and metric can be specified

• Multiple routes to the same destination can exist,
  but only one is preferred
      Logging and Alerts
                    Overview


• Ability to log session transaction data and
  downloaded files

• Ability to log to multiple locations
  simultaneously

• Seamless integration with FortiAnalyzer
  appliance

• Alert e-mail system
                    Configuration


• Choose the location and level:
  – FortiAnalyzer
  – SysLog
  – Memory


• Enable logging:
  – Protection Profile (Content, Content Archiving)
  – Event log
  – Firewall Policy or Interface (Traffic)
                   FortiAnalyzer


• A logging and security center point on the network

• Allows for IPSec encrypted log transfer from the
  firewall

• Full reporting functions

• Required for content and file archiving functions
              Viewing Log Files


• View logs located on the FortiAnalyzer from
  the firewall’s GUI
                Event Logging


• Responsible for:
  – Core system events
  – VPN events
  – Administration events
                   Content Archiving


• The ability to log session transaction data for:
   –   HTTP
   –   FTP
   –   NNTP
   –   IM (AIM, ICQ, MSN, Yahoo!)
   –   Mail (POP3, IMAP, SMTP)


• Ability to archive downloaded files and e-mails

• Requires a FortiAnalyzer appliance
              Log Message Priorities


• All messages have a Priority level:
  –   Emergency
  –   Alert (IPS Signature)
  –   Critical (IPS Anomaly)
  –   Error (Category rating, network address)
  –   Warning (Content filtering, system event)
  –   Notice (Configuration change)
  –   Information (traffic, authentication, content)

  2006-03-22 14:23:37 log_id=0104032126 type=event subtype=admin pri=notice vd=root user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"
                 Alert E-mail


• Generates an e-mail upon detection of a
  message meeting a defined severity level

• Supports multiple recipients

• Supports servers requiring SMTP
  authentication
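As an added illustration that is not part of the original course material, the following Python parses log lines in the key=value format shown above, ranks them by the slide's priority list, and selects the messages an alert e-mail with a given minimum severity would send. The first sample line is the slide's own; the other two are constructed, and the selection rule (a message qualifies when its pri is at least as severe as the configured level) is this example's assumption.

```python
import re
from typing import Dict, List

# Priority levels from the slide, most severe first (index 0 = Emergency).
PRIORITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information"]

# Log lines in the key=value format shown on the slide. The first line is
# the slide's own sample; the other two are constructed for this example.
SAMPLE_LOG = """\
2006-03-22 14:23:37 log_id=0104032126 type=event subtype=admin pri=notice vd=root user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"
2006-03-22 14:25:02 log_id=0000000000 type=event subtype=admin pri=warning vd=root user=admin ui=ssh(192.168.96.1) seq=4 msg="Constructed sample: login failed for admin"
2006-03-22 14:26:10 log_id=0000000000 type=ips subtype=signature pri=alert vd=root src=10.1.1.5 dst=192.168.1.99 seq=5 msg="Constructed sample: IPS signature matched"
"""

# A value is either a double-quoted string (may contain spaces) or a run of
# non-space characters such as GUI(192.168.96.1).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one log line into a dict; the leading date and time go under 'timestamp'."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 3:
        raise ValueError(f"malformed log line: {line!r}")
    fields = {"timestamp": f"{parts[0]} {parts[1]}"}
    for key, value in KV_RE.findall(parts[2]):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]          # strip the quotes around msg="..."
        fields[key] = value
    return fields


def severity_rank(pri: str) -> int:
    """0 for emergency up to 6 for information; an unknown level raises ValueError."""
    return PRIORITIES.index(pri.lower())


def at_or_above(pri: str, threshold: str) -> bool:
    """True when pri is at least as severe as threshold (lower rank = more severe)."""
    return severity_rank(pri) <= severity_rank(threshold)


def select_for_alert(log_text: str, threshold: str = "warning") -> List[Dict[str, str]]:
    """Return the parsed messages that meet the configured alert e-mail severity.

    A message with no pri field is treated as 'information', the least severe level.
    """
    selected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_log_line(line)
        if at_or_above(fields.get("pri", "information"), threshold):
            selected.append(fields)
    return selected


if __name__ == "__main__":
    for entry in select_for_alert(SAMPLE_LOG, "warning"):
        print(entry["timestamp"], entry["pri"], entry["msg"])
```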
                  Traffic Logging


• Cannot be logged to memory

• Traffic logging is enabled within:
   – Firewall policies
   – Interfaces


• Logging traffic per firewall policy is usually
  preferred
       Firewall Policies
                  Description


• Allows traffic to pass through the firewall from
  one interface to another

• Traffic cannot pass through a firewall unless
  matched exactly by a firewall policy
               Firewall Policies


• Are comprised of an interface pair; source
  and destination

• In NAT/Route mode the firewall policy
  dictates whether traffic will NAT or route

• There are two primary types of firewall
  policies:
   – Accept
   – Deny
Firewall Policy Example
(Screenshot of a firewall policy: the form shows the interface pair, schedule, service and NAT/Route settings)
            Firewall Address Objects


• Two types of addresses:
  – IP / IP Range
  – Fully Qualified Domain Name (FQDN)

• Several ways to declare an IP / IP Range:
  –   192.168.1.99
  –   192.168.1.0/255.255.255.0
  –   192.168.1.0/24
  –   192.168.1.99-192.168.1.105
  –   192.168.1.[99-105]
       Firewall Address Object Groups


• Used to group multiple address objects

• Object groups are available for selection in
  firewall policies
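The five address notations listed above, worked through in Python as an added example that is not part of the original material: parse_address turns each form into an inclusive range, and AddressBook groups objects (and groups of groups) for the membership checks a firewall policy performs. The object and group names are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

Range = Tuple[int, int]   # inclusive (first, last) IPv4 addresses as integers

# Bracketed last-octet form from the slide: 192.168.1.[99-105]
BRACKET_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text.strip()))


def parse_address(spec: str) -> Range:
    """Turn one of the slide's five notations into an inclusive integer range.

    Accepted forms: single IP, IP/dotted-mask, IP/prefix-length,
    first-last range, and a.b.c.[x-y] for a range in the last octet.
    """
    spec = spec.strip()
    m = BRACKET_RE.match(spec)
    if m:
        lo, hi = int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad last-octet range in {spec!r}")
        return _ip(f"{m.group(1)}.{lo}"), _ip(f"{m.group(1)}.{hi}")
    if "-" in spec:
        first, last = spec.split("-", 1)
        lo, hi = _ip(first), _ip(last)
        if lo > hi:
            raise ValueError(f"range start after end in {spec!r}")
        return lo, hi
    if "/" in spec:
        # IPv4Network accepts both /24 and /255.255.255.0; strict=False
        # tolerates host bits set in the address part.
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = _ip(spec)
    return addr, addr


class AddressBook:
    """Named address objects plus groups whose members are objects or other groups."""

    def __init__(self) -> None:
        self.objects: Dict[str, Range] = {}
        self.groups: Dict[str, List[str]] = {}

    def add_object(self, name: str, spec: str) -> None:
        self.objects[name] = parse_address(spec)

    def add_group(self, name: str, members: List[str]) -> None:
        for member in members:
            if member not in self.objects and member not in self.groups:
                raise KeyError(f"group {name!r} references unknown member {member!r}")
        self.groups[name] = list(members)

    def ranges(self, name: str, seen: Optional[Set[str]] = None) -> List[Range]:
        """Flatten an object or group name into the ranges it covers."""
        if name in self.objects:
            return [self.objects[name]]
        seen = set() if seen is None else seen
        if name in seen:
            raise ValueError(f"group cycle at {name!r}")
        seen.add(name)
        out: List[Range] = []
        for member in self.groups[name]:
            out.extend(self.ranges(member, seen))
        return out

    def contains(self, name: str, ip: str) -> bool:
        """Would a packet with this address match the object or group in a policy?"""
        n = _ip(ip)
        return any(lo <= n <= hi for lo, hi in self.ranges(name))


def demo_book() -> AddressBook:
    """A book built from the five notations on the slide (object names are constructed)."""
    book = AddressBook()
    book.add_object("mgmt_host", "192.168.1.99")
    book.add_object("lan_mask", "192.168.1.0/255.255.255.0")
    book.add_object("lan_cidr", "192.168.1.0/24")
    book.add_object("srv_range", "192.168.1.99-192.168.1.105")
    book.add_object("srv_bracket", "192.168.1.[99-105]")
    book.add_group("servers", ["srv_range", "srv_bracket"])
    book.add_group("lan_all", ["lan_cidr", "servers"])
    return book
```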
             Firewall Service Objects


• Allows firewall policies to use specific protocol-port
  combinations

• The firewall has many predefined service objects

• Creation of custom service objects

• Can create service groups for additional flexibility
     Firewall Service Objects - Custom


• Three types of custom service objects:
  – TCP/UDP
  – ICMP
  – IP
                            NAT


• Default NAT behavior:
   – Source IP translated to destination interface’s IP
   – Sessions differentiated by port


• Fixed Port behavior:
   – Source IP translated to destination interface’s IP
   – Source and destination port not altered


• IP Pool behavior:
   – Source IP translated to available IP within selected IP Pool
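An added example, not taken from the course, that models the three NAT behaviours above as a session table and shows the consequence the slide implies for fixed-port mode: two internal hosts using the same source port to the same destination cannot both be translated to the one interface address. WAN_IP stands in for the destination interface's IP and IP_POOL is a constructed pool; the assumption that IP-pool mode still allocates a fresh port is this example's, not the slide's.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)

# Constructed values for this example: the slide's default external interface
# address stands in for the destination interface, plus a two-address IP pool.
WAN_IP = "192.168.100.99"
IP_POOL = ["203.0.113.10", "203.0.113.11"]


@dataclass
class Session:
    orig_src: Endpoint
    nat_src: Endpoint
    dst: Endpoint


class NatTable:
    """Session table for the three source-NAT behaviours on the slide."""

    def __init__(self, mode: str, pool: Optional[List[str]] = None, first_port: int = 40000):
        if mode not in ("default", "fixed_port", "ip_pool"):
            raise ValueError(f"unknown NAT mode {mode!r}")
        if mode == "ip_pool" and not pool:
            raise ValueError("ip_pool mode needs at least one pool address")
        self.mode = mode
        self.pool = list(pool or [])
        self.sessions: Dict[Tuple[Endpoint, Endpoint], Session] = {}
        self._ports = count(first_port)   # allocator for translated source ports
        self._pool_index = count()        # round-robin over the IP pool

    def _translate(self, src: Endpoint) -> Endpoint:
        if self.mode == "fixed_port":
            return WAN_IP, src[1]                 # IP rewritten, source port kept
        if self.mode == "ip_pool":
            ip = self.pool[next(self._pool_index) % len(self.pool)]
            return ip, next(self._ports)          # assumption: pool mode also takes a fresh port
        return WAN_IP, next(self._ports)          # default: fresh port per session

    def open(self, src: Endpoint, dst: Endpoint) -> Optional[Session]:
        """Create a session, or return None if the translated tuple is already in use.

        Only fixed-port mode can collide: two internal hosts using the same
        source port to the same destination would need the same (WAN_IP, port).
        """
        nat_src = self._translate(src)
        key = (nat_src, dst)
        if key in self.sessions:
            return None
        session = Session(src, nat_src, dst)
        self.sessions[key] = session
        return session

    def lookup_reply(self, nat_src: Endpoint, dst: Endpoint) -> Optional[Session]:
        """Map a reply packet (addressed to the translated tuple) back to its session."""
        return self.sessions.get((nat_src, dst))


def fixed_port_collision() -> Tuple[bool, bool]:
    """Two hosts both using source port 1024 to the same web server (constructed)."""
    table = NatTable("fixed_port")
    first = table.open(("192.168.1.10", 1024), ("198.51.100.5", 80))
    second = table.open(("192.168.1.11", 1024), ("198.51.100.5", 80))
    return first is not None, second is not None
```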
             Virtual IP Description


• Used to allow the public limited access to an
  internal host

• Two primary types:
   – Static NAT
   – Load Balance


• Ability to perform port forwarding
               Virtual IP – Static NAT


• Creates a bi-directional translation between an
  internal IP and an external IP

• The source IP of traffic originating from the internal
  host will be translated

• It is possible to utilize IP ranges

• Port Forwarding can be used to alter the source or
  destination ports
  Firewall Policy Authentication Description


• Enabled within a firewall accept policy

• Users must authenticate with the firewall in
  order for sessions to pass

• Authentication occurs against object(s) in a
  user group or an active directory
            Firewall Authentication


• User groups may contain:
   – Radius server
   – LDAP directory
   – Local users

• Selection of protection profile is now in the
  user group

• To authenticate against an Active Directory
  the FSAE extensions must be installed
       Firewall Authentication Protocols


• The firewall allows authentication on the following
  protocols:
   – HTTP/HTTPS
   – FTP
   – Telnet


• Service groups can be used to force authentication
  of protocols not directly supported

• Default authentication timeout is 15 minutes
    Antivirus Scanning
  and Content Inspection
                 Content Inspection


• Antivirus is a component of the Content
  Inspection System

• Content inspection is comprised of many
  services including:
  –   Antivirus
  –   Spam filtering
  –   Web filtering
  –   Instant Message (IM) filtering
  –   Logging
  –   Content archiving
               Content Inspection


• Content inspection applies to the following
  protocols:
  –   HTTP
  –   FTP
  –   Mail (IMAP, POP3, SMTP)
  –   IM (AIM, ICQ, MSN, Yahoo!)
  –   NNTP
        Content Inspection Configuration


• For traffic to flow two parts are necessary:
   – A source-destination interface pair
   – A firewall policy permitting the traffic


• Content inspection requires an additional
  component:
   – Protection Profile


• The Protection Profile is applied to either:
   – Firewall policy
   – Authentication group
              Protection Profile


• Each content inspection system has its own
  configuration area

• The Protection Profile is where content
  inspection is enabled
          Protection Profiles - Defaults


• There are four preconfigured Protection
  Profiles:
  –   Web (HTTP AV scan, Basic WF)
  –   Scan (All AV scan)
  –   Strict (All AV, Full WF, No Oversize, IPS)
  –   Unfiltered


• A custom Protection Profile is
  recommended.
         Protection Profile Creation


• For firewalls up to the FortiGate 1000 a
  maximum of 32 Protection Profiles can be
  created

• For firewalls beyond the FortiGate 1000 a
  maximum of 200 Protection Profiles can be
  created
                        Antivirus


• To decrease the chance of malicious code
  execution by clients

• Accelerated by proprietary FortiASIC

• Capable of protecting:
   –   HTTP
   –   FTP
   –   Mail (IMAP, POP3, SMTP)
   –   IM (AIM, ICQ, MSN, Yahoo!)
   –   NNTP
                 Antivirus Features


• The Antivirus system has many components
  including:
  –   Real-time scanning of traffic
  –   File pattern blocking
  –   Fragmented e-mail blocking
  –   Oversized file/e-mail blocking
  –   E-mail signatures
  –   Logging
                 Antivirus Updates


• The Antivirus has two components that
  require regular update:
  – Engine
  – Signatures


• The updates can be retrieved from:
  – FortiGuard Distribution Network (FDN)
  – Packages located on the support site
        Antivirus Scanning - Archives


• Scanning of archives

• Scanning of “packers”

• Scanning of encoded files

• The uncompression size limit may need to
  be changed
               Antivirus Engine


• The Antivirus system is port based

• It is possible to add additional ports to each
  supported protocol

• Only active in a session when a file transfer
  is detected
            Grayware / Spyware


• The firewall supports scanning for grayware
  and spyware threats such as:
  – Adware
  – Browser Helper Objects (BHO)
  – Spyware


• Disabled by default

• Can be selectively enabled in the Antivirus
  config
             File Pattern Blocking


• Configured in the File Pattern section of
  Antivirus

• Can be enabled in Protection Profile for all
  protocols supported by Antivirus scanning

• Performed before Antivirus scanning
               Client Comforting


• Can be enabled within the Protection Profile

• Passes data to the client during scanning
  process

• Available for:
   – HTTP
   – FTP
                  Oversized Files


• Firewalls below the enterprise class can scan files
  up to 10% of total memory size

• Files above this threshold are termed “Oversized
  files”

• The oversized file threshold can be lowered to
  improve performance

• The firewall can be configured to pass or block
  oversized files
                  Quarantine


• Allows the firewall to quarantine files to a
  FortiAnalyzer for later retrieval or analysis

• Blocked HTTP and FTP files cannot be
  quarantined
          Web Filtering
                  Description


• Web Filtering is a content inspection service
  that allows for control of HTTP data through a
  firewall

• Blocked content is replaced with a
  customizable replacement page
              Web Filtering - Features


• The firewall’s web filter includes the
  following:
   –   FortiGuard – Web Filter
   –   Score based content blocking
   –   URL filtering
   –   Content exempting
   –   URL exempting
   –   ActiveX, cookie, and Java applet filter
   –   Web resume download blocking
                  URL Filtering


• Allows for the filtering of a URL using:
   – Simple
   – Regular Expression (regex)

• The following actions can be taken:
   – Block
   – Allow (Allowed, and processed by AV)
   – Exempt (Allowed, and not processed by AV)

• These rules are sensitive to ordering
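The ordered URL filter evaluation described above, as an added example that is not part of the original course: the first matching rule decides, so the same two rules in opposite order give opposite verdicts, and only an "allow" verdict keeps the download in the antivirus path. The simple-pattern matching semantics (host equal to or under the pattern's host, path prefix) and the rule lists are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class UrlRule:
    pattern: str
    kind: str     # "simple" or "regex"
    action: str   # "block", "allow" (AV still scans) or "exempt" (AV skipped)


@dataclass
class Verdict:
    action: str
    av_scan: bool              # does the download still go through antivirus?
    rule: Optional[UrlRule]    # the rule that decided, None for the implicit default


def rule_matches(rule: UrlRule, url: str) -> bool:
    if rule.kind == "regex":
        return re.search(rule.pattern, url, re.IGNORECASE) is not None
    if rule.kind == "simple":
        # Assumption for this example: the pattern's host must equal the URL host
        # or be a parent domain of it, and the pattern's path must prefix the URL path.
        parts = urlsplit(url if "://" in url else "http://" + url)
        host, path = (parts.hostname or "").lower(), parts.path or "/"
        pat_host, _, pat_path = rule.pattern.lower().partition("/")
        host_ok = host == pat_host or host.endswith("." + pat_host)
        return host_ok and path.startswith("/" + pat_path)
    raise ValueError(f"unknown pattern kind {rule.kind!r}")


def evaluate(rules: List[UrlRule], url: str) -> Verdict:
    """Walk the list in order; the first matching rule decides the URL.

    With no match the URL is allowed and still antivirus-scanned.
    """
    for rule in rules:
        if rule_matches(rule, url):
            return Verdict(rule.action, rule.action == "allow", rule)
    return Verdict("allow", True, None)


# Constructed rule lists. BLOCK_FIRST and ALLOW_FIRST hold the same two rules
# in opposite order to show why the slide calls the rules order-sensitive.
BLOCK_FIRST = [
    UrlRule("example.com", "simple", "block"),
    UrlRule("example.com/support", "simple", "allow"),
]
ALLOW_FIRST = list(reversed(BLOCK_FIRST))
MIXED = [
    UrlRule(r"\.exe$", "regex", "block"),                # any URL ending in .exe
    UrlRule("updates.example.com", "simple", "exempt"),  # trusted host, AV bypassed
]
```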
               Content Blocking


• Allows for blocking of web content using:
  – Wildcards
  – Regular expressions


• Ability to assign a score to individual banned
  patterns

• Choose a score threshold within the
  Protection Profile
             Content Exemption


• Can be used with content blocking to only
  allow selected content

• Language sensitive

• Content exempted is not processed by AV
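Score-based content blocking with content exemption, covering the two slides above, as an added example not taken from the course: each matching banned pattern adds its score and the page is blocked when the total reaches the Protection Profile threshold, while an exempt match short-circuits the check. The pattern lists, sample bodies, the once-per-pattern scoring and the "reaches the threshold" comparison are assumptions of this example, and language sensitivity is not modelled.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class ContentPattern:
    pattern: str
    kind: str        # "wildcard" (* and ?) or "regex"
    score: int = 0   # only banned-word patterns carry a score


@dataclass
class ContentVerdict:
    action: str          # "exempt", "block" or "allow"
    score: int
    matched: List[str] = field(default_factory=list)


def compile_pattern(p: ContentPattern):
    if p.kind == "wildcard":
        # Translate the wildcard syntax by hand so the pattern can match anywhere
        # in the body (fnmatch.translate would anchor it to the end of the text).
        body = re.escape(p.pattern).replace(r"\*", ".*").replace(r"\?", ".")
        return re.compile(body, re.IGNORECASE)
    if p.kind == "regex":
        return re.compile(p.pattern, re.IGNORECASE)
    raise ValueError(f"unknown pattern kind {p.kind!r}")


def inspect_page(body: str, banned: List[ContentPattern],
                 exempt: List[ContentPattern], threshold: int) -> ContentVerdict:
    """Score a page body against the banned-word list.

    Content exemption is checked first: an exempt match allows the page (and,
    as the slide notes, skips antivirus). Otherwise each matching banned pattern
    contributes its score once (assumption for this example) and the page is
    blocked when the total reaches the Protection Profile threshold.
    """
    for ex in exempt:
        if compile_pattern(ex).search(body):
            return ContentVerdict("exempt", 0, [ex.pattern])
    total, hits = 0, []
    for p in banned:
        if compile_pattern(p).search(body):
            total += p.score
            hits.append(p.pattern)
    return ContentVerdict("block" if total >= threshold else "allow", total, hits)


# Constructed banned and exempt lists and sample bodies for this example.
BANNED = [
    ContentPattern("*casino*", "wildcard", 30),
    ContentPattern(r"\bpoker\b", "regex", 20),
    ContentPattern("gambl?ng", "wildcard", 10),
]
EXEMPT = [ContentPattern("*responsible gambling research*", "wildcard")]
SPAM_BODY = "Win big at our online casino tonight! Free poker chips for new players."
STUDY_BODY = "This responsible gambling research paper surveys casino regulation."
```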
           FortiGuard – Web Filter


• Managed web filtering
  solution with 76
  categories

• Allows for selective
  override and local
  categorization

• Images can be blocked
  based on URL
        FortiGuard – Web Filter - Override


• Manual override of ratings can be based upon:
   – Domain (www.fortinet.com)
   – Directory (www.fortinet.com/support)
   – Categories (Information Technology)


• The override can be effective for:
   –   Users
   –   User Groups
   –   IP
   –   Protection Profile
     IM and P2P Filtering
                        IM Features


• IM protocols supported:
   –   MSN Messenger
   –   ICQ
   –   AOL Instant Messenger (AIM)
   –   Yahoo! Instant Messenger (Yahoo!)


• Features:
   –   Protocol block/allow
   –   User block/allow
   –   Usage statistics
   –   File transfer and audio blocking
         IM Features - FortiAnalyzer


• IM chat summary information

• Full IM chat information

• Archiving copies of files transferred
               IM Configuration


• For all IM functions the appropriate protocols
  must be enabled in the Protection Profile
           IM/P2P Overview Screen


• Ability to view for each IM protocol
   – Amount of current users
   – Amount of chat sessions / total messages
   – Amount of file transfers / voice chats


• Ability to view for each P2P protocol:
   – Total number of bytes transferred
   – Average bandwidth utilization
                 Protocol Screen


• Allows for more detailed information for each
  IM protocol including:
  –   Amount of group chats
  –   Amount of private chats
  –   Amount of messages sent/received
  –   Amount of voice chats received/blocked
                      IM Users


• By default all IM traffic is automatically blocked

• Users that are allowed/blocked automatically are
  added to the temporary users list

• Users can then be permanently blocked/allowed on
  a per protocol basis

• Current IM users can be viewed
  Extended Options – IM Protection Profile


• Block audio/voice transfer

• Block file transfers

• Block logins (per protocol)

• Enable detection for IM traffic on non-
  standard ports
                   IM Antivirus


• Features:
  – Antivirus scanning for file transfers
  – File pattern blocking


• Must be enabled within the Anti-Virus
  section of the Protection Profile

• If a virus is detected during an IM session a
  message will appear within the window
  stating that a virus has been blocked
                     P2P Features


• Ability to pass or block traffic for:
   –   Bit Torrent
   –   eDonkey
   –   Gnutella
   –   KaZaa
   –   Skype
   –   WinNY

• Ability to limit transfer rates (KB/s) for all but
  Skype traffic
         FortiAnalyzer
                  Description


• A purpose-built appliance for centralized
  logging and network security analysis
                          Features


• Hardened, IPSec capable
  appliance

• Certain models allow for hard
  disk redundancy using RAID

• Full suite of reports

• Enables quarantine of potentially
  malicious files
                  Features


• Forensic analysis and aggregation of log
  data

• Network vulnerability scanning

• Ability to function as a secured NAS device
                Configuration


• The firewall must have the FortiAnalyzer
  selected as a logging destination

• The firewall must be registered on the
  FortiAnalyzer
                  Log Browser


• Ability to view specific log types for individual
  devices
                Reporting Features


• Three types of reports:
  – Scheduled
  – On demand
  – Built in summary


• Reporting in several output formats:
  –   HTML
  –   PDF
  –   MS Word
  –   Text
              Reporting Features


• Ability to use IP aliases

• Reports can have custom graphics and titles

• High degree of selection granularity
                 Quarantine


• The FortiAnalyzer allows all FortiGates to
  have a quarantine

• Automatic uploading of files can be enabled

• Automatic ticketing system

• Only one copy of a quarantined file is held
  on the FortiAnalyzer.
FortiAnalyzer Quarantine


• FortiAnalyzer quarantine example (screenshot)
                Security Events


• Can view recent security events for:
  – Virus
  – Intrusion (IPS)
  – Suspicious
             Vulnerability Scan


• Can scan hosts/subnets for security
  vulnerabilities

• Can be scheduled or on demand
         Log Rolling and FTP archive


• Log files can be
  rolled based on:
  – File size
  – Time


• Logs can be
  uploaded to an FTP
  server
                   Log Viewer


• Allows for real-time viewing of log messages

• Full filtering capability
      Administration and
        Maintenance
                    Maintenance


• Maintenance of firewalls includes many tasks
  such as:
  –   Configuration backup
  –   IPS signature updates
  –   Antivirus signature updates
  –   FortiGuard Center
  –   Firmware upgrades
  –   FortiGuard Services registration / maintenance
            Configuration Backup


• Configuration can be backed up from:
  – GUI
  – CLI


• The backup file can be sent to:
  – FortiUSB
  – Local PC GUI (HTTP)
  – Local PC CLI (TFTP)
            Configuration Backup


• There are two types of backup:
  – Clear text (default)
  – Password protected


• Password protected backups provide:
  – Backup of IPSec certificates
  – Protection from alteration (checksum)
             Configuration Restore


• A password protected backup will be invalid:
  – Password is forgotten
  – Backup file is altered or corrupted
                    Registration


• Registering your firewall provides many
  benefits including:
  –   FortiGuard Services activation and trials
  –   Service and support contracts
  –   Centralized device information
  –   Creation of support tickets
  –   Technical support forum access
  –   Access to firmware updates
Fortinet Support Registration
(Screenshot of the support portal: product information, service agreements, active support tickets)
       FortiGuard Distribution Network


• A Fortinet-maintained worldwide network for
  update distribution:
  – Antivirus signatures
  – IPS signatures


• There are three ways to update using FDN:
  – Scheduled
  – Push
  – Manual
              FDN Push Updates


• When Push updating is configured the FDN
  network:
  – Sends a token to your firewall when an update is
    available
  – Update occurs on 9443/UDP
  – The firewall will require a virtual IP on any NAT
    device between it and the public network
           Firmware Maintenance


• Fortinet makes firmware updates available at
  support.fortinet.com

• A configuration backup should be performed
  before any firmware maintenance

• Firmware files are platform specific
            Firmware Upgrades


• Firmware can be updated in three ways:
  – FortiUSB
  – GUI
  – CLI (TFTP)


• During a firmware upgrade the configuration
  will be retained
    Firmware Testing and Multiple Images


• Starting with the FortiGate 100A, firewalls
  have two partitions within NVRAM.

• This allows these models to have:
  – Two independent firmware images
  – Two independent configuration files
FortiGuard Center (http://www.fortinet.com/FortiGuardCenter)


• Fortinet’s most current Malware information
  and security alerts
  –   Advisories
  –   Virus and Spyware encyclopedias
  –   Latest IPS vulnerabilities
  –   Global threat statistics
  –   FortiGuard URL lookup
  –   and more!
      Transparent Mode
                   Description


• A mode that enables the firewall to behave
  like a layer 2 bridge and still retain its content
  inspection capabilities
                     Positioning


• Reasons to use Transparent mode:
  –   Network diagnostics
  –   Not wanting to alter IP addressing scheme
  –   Wishing to “try out” the firewall
  –   A drop-in solution for content inspection and
      filtering (including AV, IPS, web filter)
                   Configuration


• Enabling transparent mode can be done in a few
  ways:
   – GUI
   – CLI or console
   – LCD (on supported models)


• Most configuration performed in NAT/Route mode
  will be lost

• The GUI and CLI must now be accessed using the
  management IP
                 Configuration


• The default management IP is 10.10.10.1,
  accessible via the Internal interface or Port 1
  of the firewall

• Administrative access is still performed on a
  per interface basis

• Firewall policies remain necessary for traffic
  to flow through the firewall
           Limits of Transparent Mode


• Transparent mode does not support:
  –   NAT/Route of traffic
  –   SSL VPN
  –   PPTP/L2TP VPN
  –   DHCP server
                  FortiGuard


• The firewall must have a valid default
  gateway

• FortiGuard Services require Internet access,
  and occur on 53/UDP by default or optionally
  on 8888/UDP

• Push updates will require a virtual IP on the
  gateway pointing to the management IP
                   Interfaces


• For a transparent mode firewall to pass
  VLAN traffic it must have:
  – VLAN interfaces with appropriate VLAN ID #
  – Firewall policy permitting the exact traffic


• VLAN interfaces must be present on any
  ports in which tagged packets will flow
            System Health Monitoring


• Firewall health
  monitoring:
  –   CPU utilization history
  –   Memory utilization history
  –   Active session table
  –   FortiAnalyzer disk space
              Firewall Session Table


• View current sessions
  on the firewall

• Filter based on:
  –   Protocol
  –   Source IP/Port
  –   Destination IP/Port
  –   Firewall Policy ID

• Allows session removal
THANK YOU

								