201 v3.0 slides to accompany student guide
Fortinet 201 Training Course
FortiGate Multi-Threat Security Systems Administration, Content Inspection and Basic VPN
Course 201 v4.0
Raúl Núñez Herrero
Fortinet Certified Instructor
Prerequisites
• Introductory-level network security experience
• Basic understanding of core network security and firewall concepts
Agenda
• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering
Lesson 1: Overview and System Setup
Unified Threat Management
• One device
  • Firewall, intrusion protection, antivirus and more
• Centralized management
Page: 7
Fortinet Solution
• FortiGate platform
• FortiGuard Subscription Services
• Management, reporting, analysis products
Page: 8
FortiGate
• Application-level services
  • Antivirus, intrusion protection, antispam, web content filtering
• Network-level services
  • Firewall, IPSec and SSL VPN, traffic shaping
• Management, reporting, analysis products
  • Authentication, logging, reporting, secure administration, SNMP
Page: 8
FortiGate Portfolio
• SOHO
  • FortiGate 30B, 50B, 51B, 60B, 100A, 110C, 111C
  • Protect smaller deployments
• Medium-Sized Enterprises
  • FortiGate 200C, 310B, 620B
  • Meet demands of mission critical enterprise applications
• Large-Sized Enterprises and Carriers
  • FortiGate 1000A, 3016B, 3600A, 3810A, 5020, 5050, 5140
  • High performance and reliability
Page: 9-10
FortiGate Portfolio
Page: 9
FortiGuard
• Dynamic updates
  • Antivirus, intrusion protection, web filtering, antispam
• Updated 24x7x365
• Data centers around the world
  • Secure, high availability locations
Page: 10
FortiManager
• Manage all Fortinet products from a centralized console
• Minimize administration effort
  • Deploying, configuring and maintaining devices
Page: 10
FortiAnalyzer
• Centralized analysis and reporting
  • Aggregate and analyze log data from multiple devices
• Comprehensive view of network usage
  • Identify and address vulnerabilities
  • Monitor compliance
• Quarantine and content archiving
Page: 10
FortiMail
• Multi-layered email security
  • Advanced spam filtering, antivirus
• Facilitate regulatory compliance
Page: 11
FortiClient
• Security for desktops, laptops, mobile devices
  • Personal firewall, IPSec VPN, antivirus, antispam, web content filtering
• FortiGuard keeps FortiClient up-to-date
Page: 11
FortiGate Capabilities
• Firewall
  • Policies to allow or deny traffic
• UTM Features:
  • Antivirus
    • Multiple techniques
  • Antispam
    • Detect, tag, block, and quarantine spam
  • Web Filtering
    • Control access to inappropriate web content
  • Intrusion Protection
    • Identify and record suspicious traffic
Page: 17
FortiGate Capabilities
• UTM Features (continued):
  • Application Control
    • Manage bandwidth use
  • Data Leak Prevention
    • Prevents transmission of sensitive information
Page: 17-18
FortiGate Capabilities
• Virtual Domains
  • Single FortiGate functions as multiple units
• Traffic Shaping
  • Control available bandwidth and priority of traffic
• Secure VPN
  • Ensure confidentiality and integrity of transmitted data
• WAN Optimization
  • Improve performance and security
• High Availability
  • Two or more FortiGates operate as a cluster
Page: 18-19
FortiGate Capabilities
• Endpoint Compliance
  • Use FortiClient End Point Security in network
• Logging
  • Historical and current analysis of network usage
• User Authentication
  • Control access to resources
Page: 18-19
Operating Modes
• NAT/Route Mode
  • Default configuration
  • Each FortiGate unit is visible to network it is connected to
  • Interfaces are on different subnets
  • Unit functions as a firewall
Page: 24
Operating Modes – NAT/Route
[Diagram: Internet, Router, FortiGate interfaces WAN1 (204.23.1.5), Internal (192.168.1.99) and DMZ (10.10.10.1); attached addresses 10.10.10.2 and 192.168.1.3]
NAT mode policies control traffic between internal and external networks.
Routing policies control traffic between internal networks.
Page: 24
Operating Modes
• Transparent Mode
  • FortiGate unit is invisible to the network
  • All interfaces are on the same subnet
  • Use FortiGate without altering IP infrastructure
Page: 25
Operating Modes – Transparent
[Diagram labels: Internet; Router; 10.10.10.2; 10.10.10.3; 204.23.1.5; Gateway to public network; WAN1; Internal; Hub or switch]
Page: 25
Device Administration
• Web Config
  • Configure and monitor device through web browser
• CLI
  • Command line interface
Page: 26
Web Config
Page: 26
Web Config Menu
Page: 28
System Information
Page: 29
License Information
Page: 29
CLI Console
Page: 29
System Resources
Page: 30
Unit Operation
Page: 30
Alert Message Console
Page: 30
Top Sessions
Page: 31
Top Viruses
Page: 31
Top Attacks
Page: 32
Traffic History
Page: 32
Statistics
Page: 33
Online Help
Page: 34-35
Topology Viewer
Page: 36
Command Line Interface (CLI)
Page: 37
CLI Command Structure
• Commands
  • config
• Objects
  • config system
• Branches
  • config system interface
• Tables
  • edit port1
• Parameters
  • set ip 172.20.110.251 255.255.255.0
Page: 38-44
CLI Basics
• Command help
  • ?
  • config ?
  • config system ?
• Command completion
  • ? or <tab>
  • c?
  • config + <space> + <tab>
• Recalling commands or
Page: 45
CLI Basics
• Editing commands
  • <CTRL> + <key>
• Line continuation
  • use \ at end of each line
• Command abbreviation
  • get system status
  • g sy st
• IP address formats
  • 192.168.1.1 255.255.255.0
  • 192.168.1.1/24
Page: 46
Administrative Users
• Responsible for configuration and operation
• Default: admin
  • Full read/write control
  • Can not be renamed
  • Default password blank
• System administrator
  • Assigned super_admin profile
• Regular administrator
  • Access profile other than super_admin
  • Access configurable
Page: 47
Interface Addressing
• Number of physical interfaces varies per model
• Interface addresses configurable
  • Static
  • DHCP
  • PPPoE
Page: 48-51
DNS
• Some functions use DNS
  • Alert email, URL blocking, etc.
• Lower end models can retrieve automatically
  • One interface must use DHCP
  • Can provide DNS forwarding
Page: 52
Configuration Backup and Restore
• Different locations
  • Local PC
  • FortiManager
  • FortiGuard Management Service
  • USB disk
• Can be encrypted
  • Required to backup VPN certificates
Page: 53
Firmware Upgrades
• File must be obtained from Fortinet
• Apply upgrade
  • Web Config
  • CLI
  • FortiGuard Management Service
Page: 54
Lab
• Connecting to Command Line Interface
• Connecting to Web Config
• Configuring Network Connectivity
• Exploring the CLI
• Configuring Global System Settings
• Configuring Administrative Users
Page: 55
Lesson 2: FortiGuard Subscription Services
FortiGuard Subscription Services
• Continuously updated security
  • Antivirus
  • Intrusion Protection
  • Web Filtering
  • Antispam
• Delivered through FortiGuard Distribution Network
Page: 75
FortiGuard Distribution Network
• Secure, high availability data centers
• Updated methods
  • Manual
  • Push
  • Pull
  • Customized frequency
• Devices continuously updated
• Device connects to FortiGuard Service Point
Page: 75-76
Connecting to FortiGuard Servers
[Diagram: FortiGate, DNS, service.fortiguard.net, FortiGuard Server 1, FortiGuard Server 2]
Page: 77
FortiGuard Antivirus Service
• Latest virus defenses
  • New and evolving viruses
  • Spyware
  • Malware
• Automated updates
Page: 78
FortiGuard Intrusion Protection System Service
• Latest defenses against network-level threats
• Library of signatures
• Engines
  • Anomaly inspection
  • Deep packet inspection
  • Full content inspection
  • Activity inspection
• Supports behavior-based heuristics
Page: 79
FortiGuard Web Filtering Service
• Hosted web URL filtering service
• FortiGuard Rating Server
  • Billions of web page addresses
  • Regulate and block harmful, inappropriate and dangerous content
• FortiGuard Web Filtering Service
  • Regulate web activities to meet policy and compliance
  • CIPA Compliance
Page: 80
FortiGuard Antispam Service
• Reduce spam at network perimeter
• Global filters
  • Sender reputation database (FortiIP)
  • Spam signature database (FortiSig)
  • Constantly updated
• Local filters
  • Banned words
  • Local white and black lists
  • Heuristic rules
  • Bayesian training (in FortiMail)
Page: 81-82
FortiGuard Subscription Service Licensing
Page: 83
Scheduled Updates
• Check for updates at defined times
  • Once every 1 to 23 hours
  • Once a day
  • Once a week
• Must be able to connect to FortiGuard Distribution Network using HTTPS on port 443
  • Override server address option may be used
Page: 84
Push Updates
• FortiGuard Distribution Network notifies FortiGate units with push enabled
  • FortiGate will request update
• Use push in addition to scheduled updates
  • Receive updates sooner
• If configuring push through a NAT device, configure port forwarding
Page: 85-87
Manual Updates
• Update antivirus and IPS definitions
• Download definition file
• Copy to computer used to connect to Web Config
Page: 88
Caching
• Available for web filtering and antispam
• Improves performance
• Uses small % of system memory
• Least recently used IP or URL deleted when cache full
• Time to Live (TTL) controls time in cache
Page: 89
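The caching behaviour on this slide, modelled as an added example (not part of the course material and not FortiOS code). The class and function names, the capacity, the TTL value and the sample ratings are all constructed for illustration; the point it shows is that a re-rated URL keeps its old verdict until its TTL runs out.

```python
from collections import OrderedDict


class RatingCache:
    """Toy model of a rating cache: LRU eviction when full, TTL per entry."""

    def __init__(self, capacity, ttl_seconds, clock):
        self.capacity = capacity
        self.ttl = ttl_seconds
        self.clock = clock                 # injected so the demo controls time
        self._entries = OrderedDict()      # key -> (rating, expires_at)

    def get(self, key):
        item = self._entries.get(key)
        if item is None:
            return None
        rating, expires_at = item
        if self.clock() >= expires_at:     # TTL controls time in cache
            del self._entries[key]
            return None
        self._entries.move_to_end(key)     # mark as most recently used
        return rating

    def put(self, key, rating):
        if key in self._entries:
            del self._entries[key]
        elif len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)   # drop least recently used
        self._entries[key] = (rating, self.clock() + self.ttl)

    def keys(self):
        return list(self._entries)


def lookup(cache, key, rating_service, stats):
    """Answer from cache when possible, otherwise ask the rating service."""
    rating = cache.get(key)
    if rating is not None:
        stats["hits"] += 1
        return rating
    stats["misses"] += 1
    rating = rating_service(key)
    cache.put(key, rating)
    return rating


def demo():
    now = [0]                                           # constructed clock
    upstream = {"a.example": "allow", "b.example": "allow",
                "c.example": "block"}                   # constructed ratings
    cache = RatingCache(capacity=2, ttl_seconds=300, clock=lambda: now[0])
    stats = {"hits": 0, "misses": 0}

    def ask(key):
        return lookup(cache, key, upstream.__getitem__, stats)

    ask("a.example")            # miss, cached
    ask("b.example")            # miss, cached
    ask("a.example")            # hit, a becomes most recently used
    ask("c.example")            # miss, cache full: b (least recent) is evicted
    after_eviction = cache.keys()

    upstream["a.example"] = "block"     # rating service re-rates the URL
    now[0] = 299
    stale = ask("a.example")            # still inside TTL: old verdict served
    now[0] = 300
    fresh = ask("a.example")            # TTL expired: new verdict fetched

    return {"after_eviction": after_eviction, "stale": stale,
            "fresh": fresh, "stats": stats}


if __name__ == "__main__":
    print(demo())
```

A shorter TTL narrows the window in which a stale "allow" is served, at the cost of more lookups against the rating service.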
FortiGuard Web Filtering Categories
• Wide range of categories to filter upon
  • Specify action for each category
  • Allow, Block, Log, Allow Override
• Enabled through protection profile
Page: 90-91
FortiGuard Antispam Controls
• Filter email based on type
  • IMAP, POP3, SMTP
• Filtering options enabled through protection profile
Page: 92
Configuring FortiGuard Using the CLI
• CLI can be used to configure communications with FortiGuard Distribution Network
  • Override default connection settings
• config system fortiguard
Page: 93
FortiGuard Center
• Online knowledge base and resource
  • Spyware, virus, IPS, web filtering, antispam attack library
  • Vulnerabilities
  • Submit spam and dangerous URLs
• Timely threat and vulnerability information
  • Updated around the clock
Page: 94-95
Lab
• Enabling FortiGuard Services and Updates
Page: 96
Lesson 3: Logging and Alerts
Logging and Alerts
• Track down and pinpoint problems
• Monitor network and Internet traffic
• Monitor normal traffic
  • Establish baselines
  • Identify changes for optimal performance
Page: 101
Log Storage Locations
• Local hard disk
  • FortiGate must have hard disk
• FortiAnalyzer
  • Device for log collection, analysis and storage
• System Memory
  • Overwrites older logs when capacity reached
  • Logs lost when FortiGate reset or loses power
• Syslog
  • Forward logs to remote computer
• FortiGuard Analysis Service
  • Subscription-based web service
Page: 101-105
Logging Levels
• Emergency
  • System unstable
• Alert
  • Immediate action required
• Critical
  • Functionality affected
• Error
  • Error condition exists, functionality could be affected
• Warning
  • Functionality could be affected
• Notification
  • Normal event
• Information
  • General info about system operations
• Debug
  • Primarily used as a support function
Page: 106-107
Log Types
• Traffic
  • Traffic between source and destination interface
  • Only generated when session table entry expires
• Event
  • Management activity
• AntiVirus
  • Virus incidents
• Web Filter
  • Web content blocking actions
• Attack
  • Attacks detected and blocked
Page: 108
Log Types
• AntiSpam
  • Records detected spam
• Data Leak Prevention
  • Records data that matches pre-defined sensitive patterns
• Application Control
  • IM/P2P
    • Records IM and P2P information
  • VoIP
    • Logs SCCP violations
  • Content
    • Logs metadata
Page: 108-109
Configuring Logging
• Select location and level
• Enable log generation
  • Protection profile
    • Antivirus, web filtering, FortiGuard web filtering, spam filtering, IPS, IM/P2P and VoIP
  • Event log
    • Management, system and VPN activities
  • Firewall policy
    • Log Allowed Traffic
Page: 110-114
Viewing Log Files
• Log&Report > Log Access
• Remote or Memory tabs
  • Local Disk if available
• Formatted or Raw view
• Select columns to display
• Filter messages
Page: 115-118
Content Archiving
• Store session transaction data
  • HTTP
  • FTP
  • NNTP
  • IM (AIM, ICQ, MSN, Yahoo!)
  • Email (POP3, IMAP, SMTP)
• Only available with FortiAnalyzer unit
• Summary
  • Archives content metadata
• Full
  • Copies of files or email messages
Page: 119-121
Alert Email
• Send notification upon detection of a defined event
• Requires one DNS server configured
• Up to 3 recipients
Page: 122
SNMP
• Report system information and forward to SNMP manager
• Access SNMP traps from any FortiGate configured for SNMP
• Read-only implementation
• Fortinet-proprietary MIB available
  • Or use Fortinet-supported standard MIB
• Add SNMP Communities
  • 8 SNMP managers per community
Page: 123-126
Lab
• Exploring Web Config Monitoring
• Configuring System Event Logging
• Exploring the FortiAnalyzer Interface
• Configuring Email Alerts
• SNMP Setup (Optional)
Page: 127
Lesson 4: Firewall Policies
Firewall Policies
• Control traffic passing through FortiGate
  • What to do with connection request?
• Packet analyzed, content compared to policy
  • ACCEPT
  • DENY
• Source, destination and service must match policy
  • Policy directs action
• Protection profile used with policy
  • Apply protection settings
• Logging enabled to view connections using policy
Page: 137
Policy Matching
• Searches policy list for matching policy
  • Based on source and destination
• Starts at top of the list and searches down for match
  • First match is applied
  • Arrange policies from more specific to more general
• Policies configured separately for each virtual domain
• Move policies in list to influence order evaluated
Page: 138-141
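First-match evaluation and the reason for ordering policies from specific to general, as an added example (not part of the course material and not FortiOS code). The `Policy` fields, the policy names and the sample addresses are constructed for illustration; `find_shadowed` only reports a policy that a single earlier policy covers completely.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    src: str       # source network in CIDR form, 0.0.0.0/0 stands for ALL
    dst: str       # destination network in CIDR form
    service: str   # "ANY" or a single destination port as text, e.g. "80"
    action: str    # "ACCEPT" or "DENY"


def _net(cidr):
    return ipaddress.ip_network(cidr)


def matches(policy, src_ip, dst_ip, port):
    """Source, destination and service must all match the policy."""
    return (ipaddress.ip_address(src_ip) in _net(policy.src)
            and ipaddress.ip_address(dst_ip) in _net(policy.dst)
            and policy.service in ("ANY", str(port)))


def first_match(policies, src_ip, dst_ip, port):
    """Search from the top of the list; the first matching policy is applied."""
    for policy in policies:
        if matches(policy, src_ip, dst_ip, port):
            return policy
    return None    # nothing in the list matched


def covers(earlier, later):
    """True when every packet 'later' could match is already matched by 'earlier'."""
    return (_net(later.src).subnet_of(_net(earlier.src))
            and _net(later.dst).subnet_of(_net(earlier.dst))
            and earlier.service in ("ANY", later.service))


def find_shadowed(policies):
    """Return (shadowed policy, policy that hides it) pairs for review."""
    findings = []
    for index, later in enumerate(policies):
        for earlier in policies[:index]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed rule sets: the same two policies in both orders.
ALLOW_OUT = Policy("allow-internal-out", "192.168.1.0/24", "0.0.0.0/0",
                   "ANY", "ACCEPT")
BLOCK_WEB = Policy("block-host-web", "192.168.1.3/32", "0.0.0.0/0",
                   "80", "DENY")
GENERAL_FIRST = [ALLOW_OUT, BLOCK_WEB]     # the DENY can never be reached
SPECIFIC_FIRST = [BLOCK_WEB, ALLOW_OUT]    # specific before general

if __name__ == "__main__":
    for label, rules in (("general first", GENERAL_FIRST),
                         ("specific first", SPECIFIC_FIRST)):
        hit = first_match(rules, "192.168.1.3", "172.16.1.1", 80)
        print(label, "->", hit.name, hit.action, find_shadowed(rules))
```

Running a shadow check like this over an exported policy list is a quick way to find rules that were added for a reason but never take effect.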
User Authentication to Firewall Policies
• User challenged to identify themselves before using policy
  • Before matching policies not requiring authentication
• Available for policies with:
  • Action set to ACCEPT
  • SSL VPN
• Authentication methods
  • Username + Password
  • Digital certificates
  • LDAP
  • RADIUS
  • TACACS+
  • Active Directory
    • FSAE required
Page: 142
Authentication Protocols
• Protocol used to issue authentication challenge specified
• Firewall policy must include protocol
  • HTTP
  • HTTPS
  • Telnet
  • FTP
Page: 142
Creating Policies
• Source and destination address
• Schedule
• Service
• Action
• NAT
• Options
  • Protection profile
  • Logging
  • Authentication
  • Traffic shaping
  • Disclaimers
Page: 143
Firewall Addresses
• Added to source and destination address
  • Match source and destination IP address of packets received
• Default of ALL
  • Represents any IP address on the network
• Address configured with name, IP address and mask
  • Also use FQDN
  • Must be unique name
• Groups can be used to simplify policy creation and management
Page: 144-148
Firewall Schedules
• Control when policies are active or inactive
• One-time schedule
  • Activate or deactivate for a specified period of time
• Recurring schedule
  • Activate or deactivate at specified times of the day or week
Page: 149-150
Firewall Services
• Determine types of communications accepted or denied
• Predefined services applied to policy
  • Custom service if not on predefined list
• Group services to simplify policy creation and management
Page: 151-153
Network Address Translation (NAT)
• Translate source address and port of packets accepted by policy
Page: 154
![Page 103: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/103.jpg)
Network Address Translation (NAT)
Page: 154
Diagram: Client (10.10.10.1) on internal, FortiGate, wan1 to Internet, Server (172.16.1.1)
Firewall Policy with NAT enabled
wan1 IP: 192.168.2.2
Original: Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
New: Source IP 192.168.2.2, Source Port 30912, Destination IP 172.16.1.1, Destination Port 80
![Page 104: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/104.jpg)
Dynamic IP Pool
• Translate source address to an IP address randomly selected from addresses in IP pool
Page: 155
![Page 109: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/109.jpg)
Dynamic IP Pool
Page: 155
Diagram: Client (10.10.10.1) on internal, FortiGate, wan1 to Internet, Server (172.16.1.1)
Firewall Policy with NAT + IP Pool
IP Pool wan1: 172.16.12.12-172.16.12.12
Original: Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
New: Source IP 172.16.12.12, Source Port 30957, Destination IP 172.16.1.1, Destination Port 80
![Page 110: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/110.jpg)
Fixed Port
• Prevent NAT from translating the source port
    • Some applications do not function correctly if source port translated
• If Dynamic Pool not enabled, policy with Fixed Port can only allow one connection to that service at a time
Page: 156
![Page 115: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/115.jpg)
Fixed Port
Page: 156
Diagram: Client (10.10.10.1) on internal, FortiGate, wan1 to Internet, Server (172.16.1.1)
Firewall Policy with NAT + IP Pool + Fixed Port
IP Pool wan1: 172.16.12.12-172.16.12.12
Original: Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
New: Source IP 172.16.12.12, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
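The three source-translation cases on the NAT, Dynamic IP Pool and Fixed Port slides can be reproduced with a small model. This is an added example, not Fortinet code: the `SourceNat` class, the translated-port range, the random port choice and the rule that a session is identified by its translated source IP, source port, destination IP and destination port are assumptions made for illustration, and 10.10.10.2 is a constructed second client.

```python
import random
from dataclasses import dataclass, field

PORT_LO, PORT_HI = 1024, 65535   # assumed range for translated source ports


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NoFreeTranslation(Exception):
    """Every candidate translated source (IP, port) is already in use."""


@dataclass
class SourceNat:
    """Toy model of a NAT-enabled firewall policy (illustration only)."""
    wan_ip: str                                     # address of the egress interface
    ip_pool: list = field(default_factory=list)     # empty list means no IP pool
    fixed_port: bool = False
    seed: int = 0                                   # fixed seed keeps runs repeatable
    sessions: dict = field(default_factory=dict)    # translated flow -> original flow
    by_original: dict = field(default_factory=dict) # original flow -> translated flow

    def __post_init__(self):
        self.rng = random.Random(self.seed)

    def translate(self, pkt: Flow) -> Flow:
        """Rewrite the source of an outbound packet and record the session."""
        if pkt in self.by_original:                 # later packet of a known session
            return self.by_original[pkt]
        ips = list(self.ip_pool) or [self.wan_ip]
        self.rng.shuffle(ips)                       # pool address is picked at random
        for ip in ips:
            for port in self._ports(pkt.src_port):
                new = Flow(ip, port, pkt.dst_ip, pkt.dst_port)
                if new not in self.sessions:        # translated tuple must be unique
                    self.sessions[new] = pkt
                    self.by_original[pkt] = new
                    return new
        raise NoFreeTranslation(f"no free source IP/port for {pkt}")

    def _ports(self, original_port):
        if self.fixed_port:
            return [original_port]                  # Fixed Port: keep the client's port
        return self.rng.sample(range(PORT_LO, PORT_HI + 1), 64)  # 64 random candidates

    def reverse(self, reply: Flow):
        """Map a reply back to the client, or return None if no session matches."""
        key = Flow(reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port)
        original = self.sessions.get(key)
        if original is None:
            return None                             # unsolicited packet: no session entry
        return Flow(reply.src_ip, reply.src_port, original.src_ip, original.src_port)


def demo():
    a = Flow("10.10.10.1", 1025, "172.16.1.1", 80)  # packet shown on the slides
    b = Flow("10.10.10.2", 1025, "172.16.1.1", 80)  # constructed second client

    # NAT on the interface address: source IP and source port both change.
    plain = SourceNat(wan_ip="192.168.2.2")
    out = plain.translate(a)
    back = plain.reverse(Flow("172.16.1.1", 80, out.src_ip, out.src_port))

    # One-address pool plus Fixed Port: the second client cannot get a unique tuple.
    fixed = SourceNat(wan_ip="192.168.2.2", ip_pool=["172.16.12.12"], fixed_port=True)
    first = fixed.translate(a)
    try:
        fixed.translate(b)
        second_ok = True
    except NoFreeTranslation:
        second_ok = False
    return out, back, first, second_ok


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With a two-address pool the same two clients both get through, because the second one can take the other pool address while keeping port 1025.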
![Page 116: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/116.jpg)
Virtual IPs
• Allow connections using NAT firewall policies
• Addresses in packets are remapped and forwarded
    • Client address does not appear in packet server receives
• Upon reply, session table used to determine what destination address should be mapped to
Page: 157-158
![Page 117: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/117.jpg)
DNAT
• NAT not selected in firewall policy
    • Policy performs destination network address translation (DNAT)
• Accepts packet from external network intended for specific address, translates destination address to IP on another network
Page: 159
![Page 122: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/122.jpg)
DNAT
Page: 159
Diagram: Client (10.10.10.1) and Server (10.10.10.2) on the Internet side of wan1, Server (192.168.1.100) on dmz
Firewall Policy with Destination Address VIP
VIP, Static NAT: Interface Wan1, Address 172.16.1.1 to 192.168.1.100
Original: Source IP 10.10.10.1, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
New: Source IP 172.16.12.12, Source Port 1025, Destination IP 192.168.1.100, Destination Port 80
![Page 127: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/127.jpg)
DNAT
Page: 159
Diagram: Client (10.10.10.1) and Server (10.10.10.2) on the Internet side of wan1, Server (192.168.1.100) on dmz
Firewall Policy with NAT
Original: Source IP 192.168.1.100, Source Port 1025, Destination IP 10.10.10.2, Destination Port 80
New: Source IP 172.16.1.1, Source Port 1025, Destination IP 10.10.10.2, Destination Port 80
![Page 128: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/128.jpg)
Server Load Balancing
• Dynamic one-to-many NAT mapping
• External IP address translated to a mapped IP address
    • Determined by load balancing algorithm
• External IP address not always translated to same mapped IP address
Page: 160
![Page 134: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/134.jpg)
Server Load Balancing
Page: 160
Diagram: three Clients (10.10.10.1, 10.10.10.2, 10.10.10.3) reach the FortiGate on wan1 through the Internet; three Servers on dmz
Firewall Policy with Destination Address VIP
VIP, ServerLB: Interface Wan1, Address 172.16.1.1 to 192.168.1.100, 192.168.1.101, 192.168.1.200
Original: Source IP 10.10.10.3, Source Port 1025, Destination IP 172.16.1.1, Destination Port 80
New: Source IP 10.10.10.3, Source Port 1025, Destination IP 192.168.1.200, Destination Port 80
![Page 135: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/135.jpg)
Protection Profiles
• Control all content filtering
• Group of protection settings applied to traffic
    • Types and levels of protection customized for each policy
• Enables settings for:
    • Protocol Recognition
    • Anti-Virus
    • IPS
    • Web Filtering
    • Spam Filtering
    • Data Leak Prevention Sensor
    • Application Control
    • Logging
Page: 161
![Page 136: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/136.jpg)
Default Protection Profiles
• Strict
    • Maximum protection
• Scan
    • Applies virus scanning to HTTP, FTP, IMAP, POP3, SMTP
• Web
    • Applies virus scanning and web content blocking to HTTP
• Unfiltered
    • No scanning, blocking or IPS
Page: 162-172
![Page 137: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/137.jpg)
Traffic Shaping
• Control bandwidth available to traffic processed by firewall policy
    • Which policies have higher priority?
• Improve quality of bandwidth-intensive traffic
    • Does NOT increase total bandwidth available
Page: 173
![Page 138: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/138.jpg)
Token Bucket Filter
• Dampening function
    • Delays traffic by buffering bursts
    • Does not schedule traffic
• Configured rate is never exceeded
Page: 174
![Page 139: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/139.jpg)
Token Bucket Filter Mechanism
• Bucket has specified capacity
    • Tokens added to bucket at mean rate
• If bucket fills, new tokens discarded
• Bucket requests number of tokens equal to packet size
• If not enough tokens in bucket, packet buffered
• Flow will never send packets more quickly than capacity of the bucket
• Overall transmission rate does not exceed the rate at which tokens are placed in the bucket
Page: 175
![Page 145: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/145.jpg)
Token Bucket Filter Mechanism
Page: 175
Diagram labels: End users, Data packets, FortiGate unit (Buffer, Regulator, Token bucket, Tokens), Destination Network
![Page 146: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/146.jpg)
Traffic Shaping Considerations
• Attempt to normalize traffic peaks
    • Prioritize certain flows over others
• Physical limitation to how much data can be buffered
    • Packets may be dropped, sessions affected
• Performance on one traffic flow may be sacrificed to guarantee performance on another
• Not effective in high-traffic situations
    • Where traffic exceeds FortiGate unit’s capacity
    • Packets must be received before they can be subject to shaping
• If shaping not applied to policy, default is high priority
Page: 176-177
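The token bucket mechanism and the buffering limit noted under Traffic Shaping Considerations, as an added Python simulation (not FortiGate code). Assumptions: time advances in discrete ticks, one token pays for one byte, the bucket starts full, and a packet that does not fit in the buffer is dropped; the traffic is constructed.

```python
from collections import deque


def shape(arrivals, rate, capacity, buffer_bytes):
    """Token bucket shaper over discrete ticks.

    arrivals:     list of (tick, size_bytes)
    rate:         tokens (bytes) added to the bucket per tick
    capacity:     maximum number of tokens the bucket can hold
    buffer_bytes: how many bytes may wait in the buffer
    Returns (sent, dropped), each a list of (tick, size_bytes).
    """
    if rate <= 0 or capacity <= 0:
        raise ValueError("rate and capacity must be positive")
    by_tick = {}
    for tick, size in arrivals:
        by_tick.setdefault(tick, []).append(size)
    last_arrival = max(by_tick, default=-1)

    tokens = capacity                 # assumption: the bucket starts full
    queue, queued = deque(), 0
    sent, dropped = [], []
    tick = 0
    while tick <= last_arrival or queue:
        if tick > 0:
            tokens = min(capacity, tokens + rate)   # tokens beyond capacity are discarded
        # Regulator: release buffered packets in arrival order while tokens allow.
        while queue and queue[0] <= tokens:
            size = queue.popleft()
            queued -= size
            tokens -= size
            sent.append((tick, size))
        for size in by_tick.get(tick, []):
            if not queue and size <= tokens:
                tokens -= size                      # enough tokens: forward at once
                sent.append((tick, size))
            elif size <= capacity and queued + size <= buffer_bytes:
                queue.append(size)                  # not enough tokens: buffer it
                queued += size
            else:
                dropped.append((tick, size))        # buffer full, or packet can never fit
        tick += 1
    return sent, dropped


def conforms(sent, rate, capacity):
    """True if no window [i, j] carries more than capacity + rate * (j - i) bytes."""
    ticks = sorted({t for t, _ in sent})
    for i in ticks:
        for j in ticks:
            if j >= i:
                total = sum(size for t, size in sent if i <= t <= j)
                if total > capacity + rate * (j - i):
                    return False
    return True


# Constructed traffic: a burst of five 200-byte packets at tick 0, one more at tick 1.
BURST = [(0, 200)] * 5 + [(1, 200)]

if __name__ == "__main__":
    sent, dropped = shape(BURST, rate=100, capacity=300, buffer_bytes=500)
    print("sent:   ", sent)
    print("dropped:", dropped)
    print("within configured rate:", conforms(sent, 100, 300))
```

The burst is spread out to the token rate, and the two packets that arrive after the 500-byte buffer is full are lost, which is the "packets may be dropped, sessions affected" case from the considerations slide.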
![Page 147: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/147.jpg)
Disclaimers
• Accept disclaimer before connecting
• Use with authentication or protection profile
• Can redirect to a URL after authentication
Page: 178
![Page 148: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/148.jpg)
Lab
• Creating Firewall Policy Objects
• Configuring Firewall Policies
• Testing Firewall Policies
• Configuring Virtual IP Access
• Debug Flow
Page: 179
![Page 149: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/149.jpg)
Agenda
• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering
![Page 150: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/150.jpg)
Lesson 5: Basic VPN
![Page 151: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/151.jpg)
Virtual Private Networks (VPN)
• Use public network to provide access to private network
• Confidentiality and integrity of data
• Authentication, encryption and restricted access
Page: 195
![Page 152: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/152.jpg)
FortiGate VPN
• Secure Socket Layer (SSL) VPN
    • Access through web browser
• Point-to-Point Tunneling Protocol (PPTP)
    • Windows standard
• Internet Protocol Security (IPSec) VPN
    • Dedicated VPN software required
    • Well suited for legacy applications (not web-based)
Page: 195-196
![Page 153: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/153.jpg)
SSL VPN Operating Modes
• Web-only mode
    • Web browser only
    • Secure connection between browser and FortiGate unit
    • FortiGate acts as gateway
        • Authenticates users
• Tunnel mode
    • VPN software downloaded as ActiveX control
    • FortiGate unit assigns client IP address from range of reserved addresses
Page: 197-199
![Page 154: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/154.jpg)
User Accounts
• Must have user account assigned to SSL VPN user group
• Users must authenticate
    • Username + Password
    • RADIUS
    • TACACS+
    • LDAP
    • Digital certificates
• User group provides access to firewall policy
• Split tunneling available
    • Only traffic destined for tunnel routed over VPN
Page: 200-202
![Page 155: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/155.jpg)
Web-Only Configuration
• Enable SSL VPN
• Create user accounts
    • Assign to user group
• Create firewall policy
• Set up logging (optional)
Page: 204
![Page 156: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/156.jpg)
Tunnel Mode Configuration
• Enable SSL VPN
• Specify tunnel IP range
• Create user group
• Create firewall policy
Page: 205
![Page 157: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/157.jpg)
SSL VPN Settings
• Tunnel IP Range
    • Reserve range of IPs for SSL VPN clients
• Server Certificate, Require Client Certificate
    • Certificates must be installed
• Encryption Key Algorithm
• Idle Time-out
• Client Authentication Time-Out
    • CLI only
• Portal Message
• Advanced
    • DNS and WINS Servers
Page: 206-208
![Page 158: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/158.jpg)
Firewall Policies
• At least one SSL VPN firewall policy required
• Specify originating IP address
• Specify IP address of intended recipient or network
• Configuration steps:
    • Specify source and destination IP address
    • Specify level of encryption
    • Specify authentication method
    • Bind user group to policy
Page: 209
![Page 159: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/159.jpg)
Firewall Addresses
• Web-only mode
    • Predefined source address of ALL
    • Destination IP address where remote client needs to access
        • Entire private network, range of private IPs, private IP of host
• Tunnel mode
    • Source is range of IP addresses that can be connected to FortiGate
        • Restrict who can access FortiGate
    • Destination IP address where remote client needs to access
        • Entire private network, range of private IPs, private IP of host
Page: 209
![Page 160: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/160.jpg)
Configuring Web-Only Firewall Policies
• Specify destination IP address
    • Name
    • Type
    • Subnet/IP range
    • Interface
• Define policy
    • Action: SSL-VPN
    • Add user group
Page: 210-212
![Page 161: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/161.jpg)
Configuring Tunnel-Mode Firewall Policies
• Specify source IP addresses
    • Addresses that can connect to FortiGate
• Specify destination IP address
    • Addresses clients need to access
• Specify level of encryption
• Specify authentication type
• Bind user group to policy
• ssl.root
Page: 213-218
![Page 162: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/162.jpg)
SSL VPN Bookmarks
• Hyperlinks to frequently accessed applications
    • Web-only mode
• FortiGate forwards connection request to servers
• VPN > SSL > Portal
Page: 219-221
![Page 163: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/163.jpg)
Connecting to the SSL VPN
• https://<FortiGate_IP_address>:10443
    • Port customizable
• SSL-VPN Web Portal page displayed
    • Bookmarks
• What appears is pre-determined by administrator’s settings in User > User Group and VPN > SSL > Portal > Settings
Page: 222
![Page 164: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/164.jpg)
Connecting to the SSL VPN
Page: 222
![Page 165: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/165.jpg)
Connecting to the SSL VPN
![Page 166: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/166.jpg)
PPTP VPN
• Point-to-Point (PPP) authentication protocol
    • PPP software operates on tunneled links
• Encapsulates PPP packets within IP packets
    • Not cryptographically protected
• PPTP packets not authenticated or integrity protected
• FortiGate unit assigns client IP address from reserved range
    • Assigned IP used for duration of connection
• FortiGate unit disassembles PPTP packet and forwards to correct computer on internal network
Page: 223
![Page 167: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/167.jpg)
PPTP VPN
• FortiGate unit can act as PPTP server
• FortiGate unit can forward PPTP packets to PPTP server
Page: 224
![Page 168: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/168.jpg)
FortiGate Unit as PPTP Server
Page: 224
Diagram labels: PPTP Clients, Internet, FortiGate, Internal Network
![Page 169: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/169.jpg)
FortiGate Unit Forwards Traffic to PPTP Server
Page: 225
Diagram labels: PPTP Clients, Internet, FortiGate, PPTP Server, Internal Network
![Page 170: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/170.jpg)
PPTP Server Configuration
• Configure user authentication for PPTP clients
• Enable PPTP on FortiGate unit
• Configure PPTP server
• Configure client
Page: 226
![Page 171: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/171.jpg)
PPTP Pass-Through Configuration
• Configuration required to forward PPTP packets to PPTP server
• Define virtual IP that points to PPTP server
• Configure firewall policy
• Configure client
Page: 227
![Page 172: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/172.jpg)
IPSec VPN
• Industry standard set of protocols
• Layer 3
    • Applications do not need to be designed to use IPSec
• IP packets encapsulated with IPSec packets
    • Header of new packet refers to end point of tunnel
• Phase 1
    • Establish connection
    • Authenticate VPN peer
• Phase 2
    • Establish tunnel
Page: 228
![Page 173: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/173.jpg)
IPSec Protocols
• Authentication Header (AH)
    • Authenticate identity of sender
    • Integrity of data
    • Entire packet signed
• Encapsulating Security Payload (ESP)
    • Encrypts data
    • Signs data only
Page: 229
![Page 174: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/174.jpg)
Authentication Header (AH)
Page: 229
Packet layout: Original IP Header, Authentication Header, TCP Header, Data
Bracket label: Authenticated
![Page 175: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/175.jpg)
Encapsulating Security Payload (ESP)
Page: 229
Packet layout: New IP Header, ESP Header, Original IP Header, TCP Header, Data, ESP Trailer, ESP Authentication Trailer
Bracket labels: Encrypted, Authenticated
![Page 176: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/176.jpg)
Modes of Operation
• Tunnel mode
    • Entire IP packet encrypted and/or authenticated
    • Packet then encapsulated for routing
• Transport mode
    • Only data in packet encrypted and/or authenticated
    • Header not modified or encrypted
Page: 230
![Page 177: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/177.jpg)
Security Association (SA)
• Defines bundle of algorithms and parameters
    • Encrypt and authenticate one-directional data flow
• Agreement between two computers about the data exchanged and protected
Page: 230
![Page 178: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/178.jpg)
Internet Key Exchange (IKE)
• Allows two parties to set up SAs
    • Secret keys
• Uses Internet Security Association and Key Management Protocol (ISAKMP)
    • Framework for establishing SAs
• Two distinct phases
    • Phase 1
    • Phase 2
Page: 231
![Page 179: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/179.jpg)
Phase 1
• Authenticate computer involved in transaction
• Negotiate SA policy between computers
• Perform Diffie-Hellman key exchange
• Set up secure tunnel
• Main mode (three exchanges)
    • Algorithms used agreed upon
    • Generate secret keys and nonces
    • Other side’s identity verified
• Aggressive mode (one exchange)
    • Everything needed to complete exchange
Page: 231
![Page 180: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/180.jpg)
Phase 2
• Negotiate SA parameters to set up secure tunnel
• Renegotiate SAs regularly
Page: 232
![Page 181: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/181.jpg)
Gateway-to-Gateway Configuration
• Tunnel between two separate private networks
• All traffic encrypted by firewall policies
• FortiGate units at both ends must be in NAT/Route mode
Page: 234
![Page 182: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/182.jpg)
Gateway-to-Gateway Configuration
Page: 234
[Diagram: Site 1 (FortiGate 1) connected through the Internet to Site 2 (FortiGate 2)]
![Page 183: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/183.jpg)
Gateway-to-Gateway Configuration
• FortiGate receives connection request from remote peer
  - Uses IPSec phase 1 parameters
    - Establish secure connection
    - Authenticate peer
• If policy permits, tunnel established
  - Uses IPSec phase 2 parameters
  - Applies policy
• Configuration steps
  - Define phase 1 parameters
  - Define phase 2 parameters
  - Create firewall policies
Page: 234
![Page 184: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/184.jpg)
Defining Phase 1 Parameters
Page: 235-236
![Page 185: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/185.jpg)
Authenticating the FortiGate Unit
• Authenticate itself to remote peers
• Pre-shared key
  - All peers must use same key
• Digital certificates
  - Must be installed on peer and FortiGate
Page: 237-238
![Page 186: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/186.jpg)
Authenticating Remote Clients
• Permit access using trusted certificates
  - FortiGate configured for certificate authentication
• Permit access using peer identifier
• Permit access using pre-shared key
  - Each peer or client must have user account
• Permit access using peer identifier and pre-shared key
  - Each peer or client must have user account
Page: 239
![Page 187: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/187.jpg)
XAuth Authentication
• Separate exchange at end of phase 1
  - Increased security
• Draws on existing FortiGate user group definitions
• FortiGate can be XAuth server or XAuth client
Page: 239
![Page 188: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/188.jpg)
IKE Negotiation Parameters
Page: 240-242
![Page 189: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/189.jpg)
Defining Phase 2 Parameters
Page: 243-246
![Page 190: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/190.jpg)
Firewall Policies
• Policies needed to control services and direction of traffic
• Firewall addresses needed for each private network
• Policy-Based VPN
  - Specify interface to private network, remote peer and VPN tunnel
  - Single policy for inbound, outbound or both directions
• Route-Based VPN
  - Requires ACCEPT policy for each direction
  - Creates Virtual IPSec interface on interface connecting to remote peer
Page: 247-250
![Page 191: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/191.jpg)
Lab
• Configuring SSL VPN for Full Access (Web Portal and Tunnel Mode)
• Configuring a Basic Gateway-to-Gateway VPN
Page: 251
![Page 192: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/192.jpg)
![Page 193: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/193.jpg)
Lesson 6: Authentication
![Page 194: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/194.jpg)
Authentication
• User or administrator prompted to identify themselves
  - Only allowed individuals perform actions
• Can be configured for:
  - Any firewall policy with action of ACCEPT
  - PPTP and L2TP VPNs
  - Dial-up IPSEC VPN set up as XAuth server
  - Dial-up VPN accepting user group as peer ID
Page: 263
![Page 195: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/195.jpg)
Authentication Methods
• Local user
  - User names and passwords used to authenticate stored on FortiGate
• Remote
  - Use existing systems to authenticate
    - RADIUS
    - LDAP
    - PKI
    - Windows Active Directory
    - TACACS+
Page: 264-265
![Page 196: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/196.jpg)
Users and User Groups
• Authentication based on user groups
  - User created
  - User added to groups
• User Account created on FortiGate or external authentication server
• User group
  - Users or servers as members
  - Specify allowed groups for each resource requiring authentication
  - Group associated with protection profile
Page: 266-267
![Page 197: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/197.jpg)
User Group Types
• Firewall
  - Access to firewall policy that requires authentication
  - FortiGate requests user name and password (or certificate)
• Directory Service
  - Allow access to users in DS groups already authenticated
    - Single sign on
  - Requires FSAE
• SSL VPN
  - Access to firewall policy that requires SSL VPN authentication
Page: 268-270
![Page 198: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/198.jpg)
Authentication overrides
• Require access to blocked site
  - Override block for period of time
• Link to authenticate presented
Page: 271
![Page 199: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/199.jpg)
Authentication Settings
Page: 272
![Page 200: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/200.jpg)
PKI Authentication
• Valid certificate required
• SSL used for secure connection
• Trusted certificates installed on FortiGate and client
Page: 273
![Page 201: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/201.jpg)
RADIUS Authentication
• User credentials sent to RADIUS server for authentication
• Shared key used to encrypt data exchanged
• Primary and secondary servers identified on FortiGate unit
Page: 274
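What the RADIUS shared key protects in an Access-Request, as an added example that is not part of the course material: it implements the User-Password hiding defined in RFC 2865 section 5.2 and parses the resulting packet. The user name, password, shared secret and request authenticator are constructed sample values (a real authenticator is random).

```python
import hashlib
import struct

ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
CODE_ACCESS_REQUEST = 1


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA), c(i) = p(i) XOR MD5(S + c(i-1))."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, previous = b"", authenticator
    for i in range(0, len(padded), 16):
        block = xor_bytes(padded[i:i + 16], hashlib.md5(secret + previous).digest())
        hidden += block
        previous = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side: the same chain, keyed with the server's copy of the secret."""
    clear, previous = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += xor_bytes(block, hashlib.md5(secret + previous).digest())
        previous = block
    return clear.rstrip(b"\x00")


def access_request(identifier, authenticator, user, password, secret):
    """Code, identifier, length, 16-byte authenticator, then type-length-value attributes."""
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, user),
                             (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {attribute type: raw value}; reject lengths that overrun the packet."""
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


# Constructed sample values.
SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_PASSWORD = b"correct horse battery"

if __name__ == "__main__":
    pkt = access_request(7, SAMPLE_AUTHENTICATOR, b"alice", SAMPLE_PASSWORD, SECRET)
    attrs = parse_attributes(pkt)
    print("User-Name on the wire    :", attrs[ATTR_USER_NAME])
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())
    print("Recovered by the server  :",
          reveal_password(attrs[ATTR_USER_PASSWORD], SECRET, SAMPLE_AUTHENTICATOR))
```

Only the password attribute is hidden; the user name and the rest of the request travel in clear, so the strength of the shared key and the network path between FortiGate and the RADIUS server both matter.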
![Page 202: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/202.jpg)
LDAP Authentication
• User credentials sent to LDAP server for authentication
• LDAP server details identified on FortiGate
Page: 275
![Page 203: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/203.jpg)
TACACS+ Authentication
• User credentials sent to TACACS+ server for authentication
• Choice of authentication types:
  - Auto
  - ASCII
  - PAP
  - CHAP
  - MSCHAP
Page: 276
![Page 204: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/204.jpg)
Microsoft Active Directory Authentication
• Transparently authenticate users
  - Fortinet Server Authentication Extensions (FSAE) passes authentication information to FortiGate
  - Sign in once to Windows, no authentication prompts from FortiGate
Page: 277
![Page 205: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/205.jpg)
FSAE Components
• Domain Controller Agent
  - Installed on every domain controller
  - Monitors user logons, sends to Collector Agent
• Collector Agent
  - Installed on at least one domain controller
  - Sends information collected to FortiGate
Page: 278
![Page 206: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/206.jpg)
FSAE Configuration on Microsoft AD
• Configure Microsoft AD user groups
  - All members of a group have same access level
  - FSAE only sends Domain Local Security Group and Global Security Group to FortiGate
• Configure Collector Agent settings
  - Domain controllers to monitor
• Global Ignore list
  - Exclude system accounts
• Group filters
  - Control logon information sent to FortiGate
Page: 279-280
![Page 207: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/207.jpg)
FSAE Configuration on FortiGate
• Configure Collector Agents
  - FortiGate to access at least one collector agent
  - Up to five can be listed
• Configure user groups
  - AD groups added to FortiGate user groups
• Configure firewall policy
• Allow guests
  - Users not listed in AD
  - Protection profile for FSAE firewall policies
Page: 281
![Page 208: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/208.jpg)
Labs
• Firewall Policy Authentication
• Adding User Disclaimers and Redirecting URLs
Page: 282
![Page 209: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/209.jpg)
![Page 210: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/210.jpg)
Lesson 7: Antivirus
![Page 211: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/211.jpg)
Antivirus
• Detect and eliminate viruses, worms and spyware
• Scan HTTP and FTP traffic
• Scan SMTP, POP3, IMAP
Page: 289
![Page 212: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/212.jpg)
Antivirus Elements
• File filter
  - File pattern and file type recognition
• Virus scan
  - Virus definitions kept up-to-date through FortiGuard Subscription Services
• Grayware
• Heuristics
  - Detect virus-like behavior
Page: 289-290
![Page 213: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/213.jpg)
File Filter
• File pattern
  - Name, extension or pattern
  - Built-in patterns or custom
• File type
  - Analyze file to determine type
  - Types pre-configured
• Actions
  - Allow
  - Block
• Replacement message sent
Page: 291
![Page 214: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/214.jpg)
Enabling File Filtering
Page: 292
![Page 215: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/215.jpg)
File Name Pattern Filtering
Page: 295
![Page 216: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/216.jpg)
File Type Filtering
Page: 296
![Page 217: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/217.jpg)
File Pattern Filtering
Page: 297
![Page 218: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/218.jpg)
Virus Scan
• Virus definitions used to detect and eliminate threats
  - Updated regularly
  - FortiGuard Subscription Services license required
Page: 298
![Page 219: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/219.jpg)
Updating Antivirus Definitions
Page: 299
![Page 220: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/220.jpg)
Grayware
• Unsolicited commercial software
  - Often installed without consent
• Scans for grayware in enabled categories
  - Categories and content updated regularly
Page: 300
![Page 221: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/221.jpg)
Grayware Categories
• Adware
  - Pop-up advertising content
• Browser Helper Objects
  - Add capabilities to browser
• Dialers
  - Unwanted calls through modem or Internet connection
• Downloaders
  - Retrieve files
• Games
• Hacker Tools
  - Subvert network and host security
Page: 301-303
![Page 222: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/222.jpg)
Grayware Categories
• Hijackers
  - Manipulate settings
• Jokes
• Key loggers
  - Log input for later retrieval
• Misc
  - Uncategorized (multiple functionalities)
• NMT (Network Management Tool)
  - Cause network disruption
• P2P
  - File exchanges containing viruses
Page: 301-303
![Page 223: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/223.jpg)
Grayware Categories
• Plugins
  - Add additional features to an existing application
• Remote Administration Tools (RAT)
  - Remotely change or monitor a computer on a network
• Toolbars
  - Augment capabilities of browser
Page: 301-303
![Page 224: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/224.jpg)
Spyware
• Component of adware
  - Track user activities online
  - Report activities to central server
  - Target advertising based on online habits
Page: 304-305
![Page 225: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/225.jpg)
Quarantine
• Quarantine blocked or infected files
  - FortiGate unit with hard drive
  - FortiAnalyzer
• Files uploaded to Fortinet for analysis
Page: 306-307
![Page 226: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/226.jpg)
Proxies
• Intercepts all connection requests and responses
• Buffers and scans response before flushing to client
• Splicing
  - Prevent client from timing out
  - Server sends part of response to client while buffering
  - Final part sent if response is clean
  - FTP uploads, email protocols (SMTP, POP3, IMAP)
• Client comforting
  - Prevent timeout while files buffered and scanned by FortiGate
  - Can provide visual status to user that progress being made
  - HTTP and FTP downloads
Page: 308
![Page 227: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/227.jpg)
Scanning Options
Page: 309-310
![Page 228: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/228.jpg)
Lab
• Configuring Global Antivirus Settings
• Configuring a Protection Profile
• Testing Protection Profile Settings for HTTP/FTP Antivirus Scanning
Page: 311
![Page 229: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/229.jpg)
![Page 230: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/230.jpg)
Lesson 8: Spam Filtering
![Page 231: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/231.jpg)
Spam Filtering
• Manage unsolicited bulk email
  - Detect spam messages
  - Identify transmissions from known/suspected spam servers
Page: 321
![Page 232: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/232.jpg)
Spam Filtering Methods
• IP address check
  - Verify source IP address against list of known spammers
• URL check
  - Extract URLs and verify against list of spam sources
• Email checksum check
  - Calculate checksum of message and verify against list of known spam messages
• Spam submission
  - Inform FortiGuard
• Black/White list
  - Check incoming IP and email addresses against known list
  - SMTP only
Page: 322-323
![Page 233: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/233.jpg)
Spam Filtering Methods
• HELO DNS lookup
  - Check source domain name against registered IP address in DNS
• Return email DNS check
  - Check incoming return address domain against registered IP in DNS
• Banned word
  - Check email against banned word list
• MIME headers check
  - Check MIME headers against list
• DNSBL and ORDBL
  - Check email against configured servers
Page: 322-323
![Page 234: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/234.jpg)
FortiGuard Antispam Global Filters
• FortiIP sender IP reputation database
  - Reputation of IP based on properties related to address
  - Email volume from a sender
  - Compare sender’s recent volume with historical pattern
• FortiSig
  - Spam signature database
  - FortiSig1: Spamvertised URLs
  - FortiSig2: Spamvertised email addresses
  - FortiSig3: Spam checksums
• FortiRule
  - Heuristic rules
  - FortiMail only
Page: 324-325
![Page 235: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/235.jpg)
Customized Filters
• Complement FortiGuard
• Banned word lists
• Local black/white list
• Heuristic rules
• Bayesian
  - FortiMail only
Page: 325
![Page 236: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/236.jpg)
Enabling Antispam
Page: 326
![Page 237: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/237.jpg)
Spam Actions
• Tag or discard spam email
  - Add custom text to subject or instead MIME header and value
• Only discard if SMTP and virus check enabled
• Spam actions logged
Page: 327
![Page 238: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/238.jpg)
Banned Word
• Block messages containing specific words or patterns
  - Values assigned to matches
  - If threshold exceeded, messages marked as spam
• Perl regular expressions and wildcards can be used
Page: 328-334
![Page 239: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/239.jpg)
Black/White List
• IP address filtering
  - Compare IP address of sender to IP address list
  - If match, action is taken
• Email address filtering
  - Compare email address of sender to email address list
  - If match, action is taken
Page: 335
![Page 240: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/240.jpg)
Configuring IP Address List
Page: 336-338
![Page 241: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/241.jpg)
Configuring Email Address List
Page: 339-342
![Page 242: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/242.jpg)
MIME Headers Check
• MIME headers added to email
  - Describe content type and encoding
• Malformed headers can fool spam or virus filters
• Compare MIME header key-value of incoming email to list
  - If match, action is taken
Page: 343
![Page 243: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/243.jpg)
DNSBL and ORDBL
• Published lists of suspected spammers
• Add subscribed servers
  - Define action
Page: 344
![Page 244: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/244.jpg)
FortiMail Antispam
• Enhanced set of features for detecting and blocking spam
  - Some techniques not available in FortiGate
• Stand-alone antispam system
  - Can be second layer in addition to FortiGate
• Legacy virus protection
• Email quarantine
Page: 345
![Page 245: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/245.jpg)
![Page 246: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/246.jpg)
Lesson 9: Web Filtering
![Page 247: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/247.jpg)
Web Filtering
• Process web content to block inappropriate or malicious content
• Categorized content
  - 76 categories
  - 40 million domains
  - Billions of web pages
  - Automated updates
• Check web addresses against list
• Customizable
Page: 349
![Page 248: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/248.jpg)
Order of Filtering
• URL Filtering
  - Exempt, Block, Allow
• FortiGuard Web Filtering
• Content Exempt
  - Customizable
• Content Block
  - Customizable
• Script Filter
Page: 349
![Page 249: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/249.jpg)
Web Content Block
• Block specific words or patterns
  - Score assigned to pattern
  - Page blocked if greater than threshold
  - Perl regular expressions or wildcards can be used
Page: 350-353
![Page 250: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/250.jpg)
Web Content Block
Page: 352
![Page 251: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/251.jpg)
Web Content Exemption
• Override web content block
  - Even if banned words appear
Page: 354-357
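The score-and-threshold logic described for Banned Word (spam filtering) and for Web Content Block, together with Web Content Exemption, as an added example that is not FortiGate code. Assumptions: each pattern's score is counted once per message or page, matching is case-insensitive, wildcards match within a single word, and Python's `re` module stands in for Perl regular expressions; the pattern list, scores and threshold are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    pattern: str
    kind: str   # "wildcard" or "regexp"
    score: int


def compile_entry(entry):
    """Turn a list entry into a compiled, case-insensitive regular expression."""
    if entry.kind == "regexp":
        return re.compile(entry.pattern, re.IGNORECASE)
    if entry.kind == "wildcard":
        # '*' = any run of non-space characters, '?' = one non-space character
        body = "".join(r"\S*" if c == "*" else r"\S" if c == "?" else re.escape(c)
                       for c in entry.pattern)
        return re.compile(body, re.IGNORECASE)
    raise ValueError(f"unknown pattern type: {entry.kind}")


def evaluate(text, entries, threshold, exempt=()):
    """Return the action taken plus the score and the patterns that matched."""
    # Exemption is checked first: it overrides the block even if banned words appear.
    for entry in exempt:
        if compile_entry(entry).search(text):
            return {"action": "exempt", "score": 0, "matched": [entry.pattern]}
    matched = [e for e in entries if compile_entry(e).search(text)]
    score = sum(e.score for e in matched)   # one contribution per pattern
    action = "block" if score > threshold else "pass"   # strictly greater than
    return {"action": action, "score": score, "matched": [e.pattern for e in matched]}


# Constructed sample list.
BANNED = (
    Entry("free*", "wildcard", 5),
    Entry(r"\bche+ap\s+me?ds\b", "regexp", 10),
    Entry("lottery", "wildcard", 10),
)
EXEMPT = (Entry("pharmacy newsletter", "wildcard", 0),)
THRESHOLD = 10

if __name__ == "__main__":
    samples = (
        "Free shipping on your order",
        "FREE offer: cheeap meds, free delivery",
        "You won the lottery",
        "Pharmacy newsletter: free cheeap meds lottery",
    )
    for sample in samples:
        print(sample, "->", evaluate(sample, BANNED, THRESHOLD, EXEMPT))
```

The third sample scores exactly the threshold and passes, which is the boundary case to check when tuning scores: a single high-value pattern must exceed the threshold on its own if it is meant to block by itself.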
![Page 252: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/252.jpg)
Web Content Exemption
Page: 356
![Page 253: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/253.jpg)
Enabling Web Filtering
Page: 358
![Page 254: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/254.jpg)
URL Filter
• Block specific pages
  - Displays replacement message
• Text, regular expressions and wildcards can be used
Page: 359-362
![Page 255: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/255.jpg)
URL Filter
Page: 361
![Page 256: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/256.jpg)
FortiGuard Web Filter
• Managed web filtering solution
  - Web pages rated and categorized
• Determines category of site
  - Follows firewall policy
• Allow, block, log, or override
• Ratings based on:
  - Text analysis
  - Exploitation of web structure
  - Human raters
Page: 363
![Page 257: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/257.jpg)
Web Filtering Categories
• Categories based on suitability for enterprises, schools, and home
  - Potentially liable
  - Controversial
  - Potentially non-productive
  - Potentially bandwidth consuming
  - Potential security risks
  - General interest
  - Business oriented
  - Others
Page: 364
![Page 258: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/258.jpg)
Web Filtering Classes
• Classify web page based on media type or source
  - Further refine web access
  - Prevent finding material
• Classes
  - Cached contents
  - Image search
  - Audio search
  - Video search
  - Multimedia search
  - Spam URL
  - Unclassified
Page: 365
![Page 259: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/259.jpg)
Enabling FortiGuard Web Filtering
Page: 366
![Page 260: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/260.jpg)
Enabling FortiGuard Web Filtering Options
Page: 367-368
![Page 261: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/261.jpg)
Web Filtering Overrides
• Give user ability to override firewall filter block
  - Administrative overrides
  - User overrides
• Override permissions configured at user group level or with override rules
• User group level overrides
  - Group of users have same level of overrides
  - Assumes authentication enabled on policy
• Override rules
  - Fine granularity
  - Access domain, directory or category
Page: 369
![Page 262: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/262.jpg)
Allowing Override at User Group Level
Page: 370
![Page 263: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/263.jpg)
Configuring Override Rules (Directory or Domain)
Page: 371-372
![Page 264: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/264.jpg)
Configuring Override Rules (Category)
Page: 373
![Page 265: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/265.jpg)
Web Filtering Override Page
Page: 375
![Page 266: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/266.jpg)
Web Filtering Authentication Page
Page: 375
![Page 267: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/267.jpg)
Local Ratings
• Administrator controlled block of web sites
• Per protection profile basis
Page: 376
![Page 268: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/268.jpg)
Local Categories
• Administrator controlled block on group of web sites
• Per protection profile basis
Page: 377
![Page 269: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/269.jpg)
Lab
• Configuring Local Web URL and Content Filtering
• Testing Web Category Filtering
Page: 378
![Page 270: 201 v3.0 Slides to Accompany Student Guide](https://reader038.vdocuments.us/reader038/viewer/2022103007/563dbb94550346aa9aae64d6/html5/thumbnails/270.jpg)
Thank you for attending
Please complete the online evaluation form at: http://campus.training.fortinet.com
Click Student Survey.