FGT 01 Introduction
Transcript of FGT 01 Introduction
Introduction to FortiGate Unified Threat Management 7 April 2014
2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT1-01-50005-E-20131120
Introduction to Fortinet Unified Threat Management
Module Overview
- Other products available from Fortinet
- A FortiGate's features
- Administrative Access, Users and Profiles
- FortiGuard
- Operating Modes
- Default Settings
- Configuration Backup and Restoration
- Proper upgrade and downgrade procedures
- Console port
- and other topics
Module Objectives
By the end of this module, participants will be able to:
- Identify the major features of the FortiGate Unified Threat Management appliance
- Modify administrative access restrictions
- Create and manage administrative users
- Create and manage administrator access profiles
- Back up and restore configuration files
- Create a DHCP server on a FortiGate unit's interface
- Upgrade or downgrade a FortiGate unit's firmware
Traditional Network Security Solutions
- Firewall
- Antivirus
- Antispam
- WAN Optimization
- Web Filtering
- Application Control
- Intrusion Prevention
- VPN
Many single purpose systems needed to cope with a variety of threats
FortiGate Integrated Network Security Platform
- Firewall
- Antivirus
- Antispam
- WAN Optimization
- Web Filtering
- Application Control
- Intrusion Prevention
- VPN
- and more
One device provides a comprehensive security and networking solution
FortiGate Appliance
Unit Design
- Hardware: purpose-driven hardware
- FortiOS: specialized operating system
- Firewall, AV, Web Filter, IPS: security and network-level services
- FortiGuard Subscription Services: automated update service
FortiGate Unit Capabilities
- Firewall
- Antivirus
- Email filtering
- Web filtering
- Intrusion prevention
- Application control
- Data leak prevention
- WAN optimization
- Secure VPN
- Wireless
- Dynamic routing
- Endpoint compliance
- Virtual domains
- Traffic shaping
- High availability
- Logging and reporting
- Authentication
Fortinet Products
- Network Security: FortiGate appliances (high-end, mid-range and desktop models)
- Network Access:
  - Wireless: FortiWiFi, FortiAP
  - Switching: FortiSwitch
  - End-point and mobility: FortiClient
  - User Identity: FortiAuthenticator, FortiToken
- Infrastructure Security:
  - Application and Content Delivery: FortiADC
  - DDoS Mitigation: FortiDDoS
  - Advanced Threat Protection
  - Voice and Video: FortiVoice, FortiCamera, FortiRecorder
- Application Security: FortiMail, FortiWeb, FortiDB, FortiCache
- Management: FortiManager, FortiAnalyzer, FortiCloud
FortiGuard Subscription Services
- Global Update service for AV/IPS (update.fortiguard.com): uses SSL on port 443
- Global Live service for FortiGuard WF/AS (service.fortiguard.net): uses a proprietary protocol on port 53 or 8888
  - Live service (connection and contract required)
  - Short grace period after contract expiry (about 7 days)
- Handled through the FortiGuard Distribution Network (FDN)
  - Calculates server distance based on time zones
  - Major server centers in North America as well as Asia and Europe
  - Nearest servers are preferred, but selection will adjust based on server load
- FortiGuard requests can be sent to a FortiManager instead
Modes of Operation
NAT mode
- Device operates on Layer 3 of the OSI model
- Interfaces have IP addresses
- Packets are routed via IP
- Device is a presence in the routing of the network

Transparent mode
- Device operates on Layer 2 of the OSI model
- Device interfaces do not have IPs
- Routing decisions are not possible
- Device is not a presence in network routing
OSI Model
Device Factory Defaults
- port1 or the internal interface will have an IP of 192.168.1.99/24
- PING, HTTP and HTTPS protocols are enabled for management access
- port1 or the internal interface will have a DHCP server set up and enabled (on devices that support DHCP servers)
- Default login will always be: user: admin, password: (blank)
- Usernames and passwords are BOTH case sensitive
- Default admin user information should be modified!
Device Administration
- Web GUI: HTTP, HTTPS
- CLI: Console, SSH, Telnet, GUI widget
Administrator Profiles
Administrator Profiles: Permissions
An admin profile sets one of three permission levels (None, Read, Read-Write) for each configuration area:
- System Configuration
- Network Configuration
- Firewall Configuration
- VPN Configuration
- WiFi Configuration
- etc.
Administrative Users
- super_admin profile: full access
- prof_admin profile: full access within a single virtual domain
- custom profile: custom access
Administrative Users: Trusted Hosts
If a login from the source IP is not permitted (the IP is not one of the administrator's trusted hosts), the FortiGate will not respond to management traffic sent to its interfaces
Two Factor Authentication
- Username and password (one factor)
- + FortiToken (two factor)
Administrative Users: Two Factor Authentication
Configuration Files
- Device configuration settings can be saved to an external file (optional encryption)
- The file can be restored to roll the device back to a previous configuration; restoring a configuration always reboots the device
- Configuration files can be backed up automatically (not available on all models; happens when admin users log out)
Configuration Files: Format
- The header contains some details on the device; after the header, an encrypted file is not readable
- Restoring an encrypted configuration requires the same device model running the same build as the config file (and the encryption password)
- Restoring a text-based config file only requires the same model; configuration files from a different build can be used (with the same limits as an upgrade)
- The config file only contains non-default and important settings (to keep the size down)

Plain-text header example:
#config-version=FWF60D-5.00-FW-build252-131031:opmode=0:vdom=0:user=admin
#conf_file_ver=10488925954160275734
#buildno=0252
#global_vdom=1

Encrypted header example:
#FGBK|3|FWF60D|5|00|252|

In both headers the fields identify the model (FWF60D), the firmware major version (5.00) and the build number (252).
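As an added worked example (not code from the training material or from Fortinet), the parser below reads the two header formats shown above and applies this slide's restore rules: an encrypted file must match both model and build, while a plain-text file only needs the model to match. The sample headers are constructed from the values on the slide, and the regular expressions assume only the field order visible there.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed samples modelled on the two headers shown on the slide.
PLAINTEXT_CONFIG = (
    "#config-version=FWF60D-5.00-FW-build252-131031:opmode=0:vdom=0:user=admin\n"
    "#conf_file_ver=10488925954160275734\n"
    "#buildno=0252\n"
    "#global_vdom=1\n"
    "config system global\n"
    '    set hostname "lab-fgt"\n'
    "end\n"
)
ENCRYPTED_CONFIG = "#FGBK|3|FWF60D|5|00|252|\n<opaque encrypted body, not readable>"

# Plain-text field layout as on the slide: model-version-FW-buildNNN-date:opmode:vdom:user
PLAIN_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<major>[\d.]+)-FW-build(?P<build>\d+)-\d+"
    r":opmode=(?P<opmode>\d+):vdom=(?P<vdom>\d+):user=(?P<user>\S+)$"
)
# Encrypted header layout as on the slide: #FGBK|format|model|major|minor|build|
ENC_RE = re.compile(
    r"^#FGBK\|(?P<fmt>\d+)\|(?P<model>[A-Z0-9]+)\|(?P<major>\d+)\|(?P<minor>\d+)\|(?P<build>\d+)\|"
)


@dataclass(frozen=True)
class ConfigHeader:
    encrypted: bool
    model: str
    major_version: str            # e.g. "5.00"
    build: int
    opmode: Optional[int] = None  # plain-text header only, kept exactly as written
    user: Optional[str] = None    # admin who took the backup (plain-text header only)


def parse_config_header(text: str) -> ConfigHeader:
    """Read only the first line: after it an encrypted file is opaque anyway."""
    first = text.split("\n", 1)[0].rstrip("\r")
    m = PLAIN_RE.match(first)
    if m:
        return ConfigHeader(False, m["model"], m["major"], int(m["build"]),
                            int(m["opmode"]), m["user"])
    m = ENC_RE.match(first)
    if m:
        return ConfigHeader(True, m["model"], f"{m['major']}.{m['minor']}", int(m["build"]))
    raise ValueError(f"not a FortiGate configuration header: {first[:40]!r}")


def restore_check(header: ConfigHeader, device_model: str,
                  device_major: str, device_build: int) -> Tuple[bool, str]:
    """Apply the slide's compatibility rules before a restore is attempted."""
    if header.model != device_model:
        return False, f"model mismatch: file is for {header.model}, device is {device_model}"
    same_build = header.major_version == device_major and header.build == device_build
    if header.encrypted:
        if not same_build:
            return False, (f"encrypted file needs the same build: file is {header.major_version} "
                           f"build {header.build}, device is {device_major} build {device_build}")
        return True, "encrypted file matches model and build (encryption password still required)"
    if not same_build:
        return True, ("plain-text file from a different build; the restore is subject to the "
                      "same limits as an upgrade, so read the release notes first")
    return True, "plain-text file matches model and build"


if __name__ == "__main__":
    for sample in (PLAINTEXT_CONFIG, ENCRYPTED_CONFIG):
        hdr = parse_config_header(sample)
        print(hdr, restore_check(hdr, "FWF60D", "5.00", 291))
```

The check deliberately reads nothing past the first line, so it behaves the same on an encrypted file whose body is unreadable and on a plain-text file whose body is large.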
Per Virtual Domain Configuration Files
Configurations are backed up as a whole. If Virtual Domains (VDOMs) are enabled, backups of individual VDOMs are possible.
Interface IPs
Every used interface on the unit must have an IP assigned (in NAT mode) using one of three methods: manual IP, DHCP assigned, or PPPoE (CLI).
Administrative Access: Methods
- Each interface has separate options for enabling management access
- Separate settings for IPv4 and IPv6
- IPv6 options only show up if the feature is enabled in the GUI
Hiding features from the GUI
- Not all features are visible in the GUI by default
- Some features are ONLY configurable from the CLI
- Features not shown in the GUI ARE NOT disabled
- Primary features can be hidden/unhidden from the Dashboard widget
- The full list of options is found in the Features submenu
Hiding features from the GUI: Security Features
- NGFW (Next Generation Firewall): line-speed inspection
- ATP (Advanced Threat Protection): focuses on protecting PCs
- WF (Web Filtering)
- Full UTM: all inspection profile options are available in the GUI
Administrative Access: Ports
Service ports for administrative access can be customized. Using only secure access methods is recommended.
Static Gateway
- There must be at least one default gateway
- If an interface is DHCP or PPPoE, then a gateway can be added to the routing dynamically
DHCP Server: Setup
Enabled and configured separately for each interface
DHCP Server: IP Reservation
- An IP address is reserved and always assigned to the same DHCP host
- Select an IP address or choose an existing DHCP lease to add to the reserved list
- Identify the IP address reservation as either DHCP over Ethernet or DHCP over IPSec
- The MAC address of the DHCP host is used to look up the IP address in the IP reservation table
- Found in the Advanced settings of the DHCP server, on the interface
DHCP Logs
FortiGate as a DNS Server
Resolve DNS lookups from an internal network. Methods to set up DNS for each interface:
- Forward to System DNS: DNS requests are relayed to the DNS servers configured for the FortiGate unit
- Non-recursive: DNS requests are resolved using a FortiGate DNS database; unresolved DNS requests are dropped
- Recursive: DNS requests are resolved using a FortiGate DNS database; any unresolved DNS requests are relayed to the DNS servers configured for the unit
One DNS database can be shared by all the FortiGate interfaces. If VDOMs are enabled, a DNS database can be created in each VDOM.
DNS Forwarding
- FortiGate units can forward (or not) DNS requests sent to their interfaces
- Behavior on each interface is configured separately, which allows direct control of DNS
- The GUI only allows the Forward setting; the CLI allows Forward, Recursive and Non-recursive behavior
DNS Database: Configuration
- DNS zones need to be added when configuring the DNS database; each zone has its own domain name; the zone format is defined by RFC 1034 and 1035
- DNS entries are added to each zone; an entry includes a hostname and the IP address it resolves to
- Each entry also specifies the type of DNS entry: IPv4 address (A) or IPv6 address (AAAA), name server (NS), canonical name (CNAME), mail exchange (MX), or reverse name lookup for IPv4 (PTR) or IPv6 (PTR)
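Added example, not part of the training material and not FortiOS code: a small model of a FortiGate DNS database with zones holding the record types listed above, plus the three per-interface behaviors from the "FortiGate as a DNS Server" and "DNS Forwarding" slides (forward, non-recursive, recursive). The zone data and the stand-in system DNS resolver are constructed; the point is to see where each query is answered and which queries the non-recursive mode silently drops.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

RECORD_TYPES = {"A", "AAAA", "NS", "CNAME", "MX", "PTR"}  # types listed on the slide
Answer = Tuple[str, Optional[List[str]]]                   # (where answered, records or None)


@dataclass
class Zone:
    domain: str                                  # zone apex, written with a trailing dot
    records: Dict[Tuple[str, str], List[str]] = field(default_factory=dict)

    def add(self, name: str, rtype: str, value: str) -> None:
        if rtype not in RECORD_TYPES:
            raise ValueError(f"unsupported record type {rtype!r}")
        # "@" is the zone apex; relative names get the zone domain appended.
        if name == "@":
            fqdn = self.domain
        else:
            fqdn = name if name.endswith(".") else f"{name}.{self.domain}"
        self.records.setdefault((fqdn.lower(), rtype), []).append(value)


class DnsDatabase:
    """One database shared by all interfaces (or one per VDOM), as the slide describes."""

    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}

    def add_zone(self, zone: Zone) -> None:
        self.zones[zone.domain.lower()] = zone

    def lookup(self, qname: str, qtype: str, _depth: int = 0) -> Optional[List[str]]:
        qname = qname.lower().rstrip(".") + "."
        for domain, zone in self.zones.items():
            if qname != domain and not qname.endswith("." + domain):
                continue                                   # not one of our zones
            answers = zone.records.get((qname, qtype))
            if answers:
                return answers
            cname = zone.records.get((qname, "CNAME"))     # follow a CNAME chain, bounded
            if cname and qtype != "CNAME" and _depth < 8:
                return self.lookup(cname[0], qtype, _depth + 1)
            return None                                    # in our zone, but no such record
        return None                                        # outside every local zone


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 or IPv6 address, e.g. 99.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def resolve_on_interface(mode: str, db: DnsDatabase,
                         system_dns: Callable[[str, str], Optional[List[str]]],
                         qname: str, qtype: str) -> Answer:
    """Apply the per-interface behaviour: forward, non-recursive or recursive."""
    if mode == "forward":                      # everything relayed to the system DNS servers
        return ("system-dns", system_dns(qname, qtype))
    if mode not in ("non-recursive", "recursive"):
        raise ValueError(f"unknown interface DNS mode {mode!r}")
    local = db.lookup(qname, qtype)
    if local is not None:
        return ("local-db", local)
    if mode == "non-recursive":                # unresolved queries are dropped
        return ("dropped", None)
    return ("system-dns", system_dns(qname, qtype))  # recursive: relay what the DB lacks


# ---- constructed sample data (not from the training material) ----
corp = Zone("corp.example.")
corp.add("@", "NS", "fgt.corp.example.")
corp.add("@", "MX", "10 mail.corp.example.")
corp.add("fgt", "A", "192.168.1.99")
corp.add("www", "A", "10.0.0.10")
corp.add("www", "AAAA", "2001:db8::10")
corp.add("mail", "A", "10.0.0.25")
corp.add("intranet", "CNAME", "www.corp.example.")
rev = Zone("1.168.192.in-addr.arpa.")
rev.add("99", "PTR", "fgt.corp.example.")

DB = DnsDatabase()
DB.add_zone(corp)
DB.add_zone(rev)

# Stand-in for the DNS servers configured on the unit (constructed answers).
UPSTREAM = {("www.example.net.", "A"): ["203.0.113.7"]}


def system_dns(qname: str, qtype: str) -> Optional[List[str]]:
    return UPSTREAM.get((qname.lower().rstrip(".") + ".", qtype))


if __name__ == "__main__":
    for mode in ("forward", "non-recursive", "recursive"):
        for q, t in (("intranet.corp.example", "A"), ("www.example.net", "A"),
                     (reverse_name("192.168.1.99"), "PTR")):
            print(f"{mode:14} {q:32} {resolve_on_interface(mode, DB, system_dns, q, t)}")
```

Running it shows the practical difference between the modes: in non-recursive mode an internal host that is not in the database gets no answer at all, so a partially populated database can look like a DNS outage; in recursive mode the same query leaks to the upstream servers.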
Firmware Upgrade Steps
Step 1: Back up and store the old configuration (full config backup from the CLI)
Step 2: Have a copy of the old firmware available
Step 3: Have a disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (upgrade path, bug information)
Step 5: Double check everything
Step 6: Upgrade
Firmware Downgrade Steps
Step 1: Locate the pre-upgrade configuration file
Step 2: Have a copy of the old firmware available
Step 3: Have a disaster recovery option on standby (especially if remote)
Step 4: READ THE RELEASE NOTES (is a downgrade possible?)
Step 5: Double check everything
Step 6: Downgrade (all settings except those needed for access are lost)
Step 7: Restore the pre-upgrade configuration
Maintainer Access
- Available on all FortiGate devices and some non-FortiGate devices
- Only available through the hardware console port
- Highly secure (requires physical access)
- Only open after a HARD boot, for about 30 seconds (varies by model, by approximately 1 minute)
- Highly secure (a soft boot does not activate the user)
- User: maintainer; Password: bcpb (all letters in the serial number MUST BE uppercase)
- Can be disabled in the CLI if physical security is a risk or for compliance reasons:
  config sys global
      set admin-maintainer disable
  end
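Added example, not Fortinet code: a small audit of a FortiOS-style text configuration that checks the points raised on the "Device Factory Defaults", "Administrative Users: Trusted Hosts", "Administrative Access: Ports" and "Maintainer Access" slides: cleartext management protocols enabled on an interface, administrators with no trusted hosts or no password, and whether the maintainer account has been disabled. The sample configuration is constructed; apart from admin-maintainer, which appears on the slide, the keywords used (allowaccess, trusthost1, accprofile, password ENC) are assumed FortiOS syntax. Because a config file holds only non-default settings, a missing admin-maintainer line is treated as the default (enabled).

```python
import shlex
from typing import Dict, List

Settings = Dict[str, List[str]]
Config = Dict[str, Dict[str, Settings]]   # section -> entry name ("" for non-table) -> settings

# Constructed sample. Keywords other than admin-maintainer are assumed FortiOS syntax.
SAMPLE_CONFIG = """\
#config-version=FWF60D-5.00-FW-build252-131031:opmode=0:vdom=0:user=admin
config system global
    set hostname "lab-fgt"
    set admin-sport 443
    set admin-port 80
    set admin-maintainer disable
end
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https telnet
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 192.168.1.0 255.255.255.0
        set password ENC <redacted>
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

INSECURE_ACCESS = {"http", "telnet"}   # cleartext management protocols from the slides


def parse_fortios_config(text: str) -> Config:
    """Flat parser for config / edit / set / next / end blocks.
    Sub-tables nested inside an edit block are not handled (none in the sample)."""
    config: Config = {}
    section = ""
    entry = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        cmd, args = words[0], words[1:]
        if cmd == "config":
            section = " ".join(args)
            config.setdefault(section, {})
            entry = ""
        elif cmd == "edit":
            entry = args[0]
            config[section].setdefault(entry, {})
        elif cmd == "set":
            config[section].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = ""
        elif cmd == "end":
            section, entry = "", ""
    return config


def audit(config: Config) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for name, iface in config.get("system interface", {}).items():
        bad = sorted(INSECURE_ACCESS & set(iface.get("allowaccess", [])))
        if name and bad:
            findings.append(f"interface {name}: cleartext management access enabled ({', '.join(bad)})")
    for name, admin in config.get("system admin", {}).items():
        if not name:
            continue
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(f"admin {name}: no trusted hosts, logins accepted from any source IP")
        if "password" not in admin:          # assumption: blank password leaves no 'set password' line
            findings.append(f"admin {name}: no password set")
    glob = config.get("system global", {}).get("", {})
    if glob.get("admin-maintainer", ["enable"]) == ["enable"]:   # absent line = factory default
        findings.append("maintainer account enabled (the default); disable it if console "
                        "access cannot be physically controlled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios_config(SAMPLE_CONFIG)):
        print("-", finding)
```

The sample deliberately leaves the factory default IP on port1 untouched: that is not a finding by itself, whereas the blank password on the second administrator and the telnet/http access on the interfaces are exactly what the "Default admin user information should be modified!" and "only secure access methods" slides warn about.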
Console Port
Depending on the FortiGate model, console port access is provided in one of the following ways:
- Serial port (older models): a standard null modem cable will work for console port access
- RJ-45 port: an RJ-45-to-serial cable is required for access
- USB 2 port: requires FortiExplorer to connect
Each device ships with the proper console cables.
FortiExplorer
- Software used to manage devices via USB 2: some models of FortiGate/FortiWiFi, FortiSwitch, FortiAP
- Available for Windows PC and Mac OS X 10; release notes contain detailed information on supported OS versions
- Connect using a USB cable; allows full GUI/CLI access with complete configuration options
- If the device has a USB 2 port, FortiExplorer is the only way to access the console port
- Also available on the Apple Store for iPod/iPad/iPhone; connect using a standard 30-pin-to-USB cable; limited configuration options and limited model options
Labs
Lab 1: Initial Setup and Configuration
- Ex 1: Configuring Network Interfaces
- Ex 2: Exploring the Command Line Interface
- Ex 3: Restoring Configuration Files
- Ex 4: Performing Configuration Backups
(OPTIONAL) Lab 2: Administrative Access
- Ex 1: Profiles and Administrators
- Ex 2: Restricting Administrator Access
Classroom Lab Topology