FortiGate III Student Guide-Online


  • 7/26/2019 FortiGate III Student Guide-Online

    1/520

    FortiGate III

    Student Guide

    for FortiGate 5.2.1

    DO NOT REPRINT

    FORTINET


    FortiGate III Student Guide

    for FortiGate 5.2.1

    Last Updated: 20 July 2015

    We would like to acknowledge the following major contributors: Francois Ropert, David Chan, Adrian Buckley, Ondrej Holecek, Stephane Hamelin, and Mike Lobban

    Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names may be trademarks of their respective owners. Copyright 2002 - 2015 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.


    Table of Contents

    VIRTUAL LAB BASICS ...................................................................................7

    Topology..................................................................................................................................8

    Logging In ...............................................................................................................................8

    Disconnections/Timeouts .............................................................................................................................13

    Transferring Files to the VM....................................................................................................13

    Using HTML5 Instead of Java ................................................................................................13

    Screen Resolution ...................................................................................................................14

    International Keyboards ..........................................................................................................14

    Troubleshooting Tips ..............................................................................................................15

    SYSTEM RESOURCES ...................................................................................17

    Objectives ...............................................................................................................................17

    Time to Complete ....................................................................................................................17

    System, Processes and Crashlog ...........................................................................................18

    NETWORK ....................................................................................................21

    Objectives ...............................................................................................................................21

    Time to Complete ....................................................................................................................21

    Exploring the Session Table ...................................................................................................22

    Traffic sniffer ...........................................................................................................................25

    Break and Fix: Connectivity Issues .........................................................................................28

    Tips for Troubleshooting ...............................................................................................................................28


    FIREWALL POLICIES .....................................................................................30

    Objectives ...............................................................................................................................30

    Time to Complete ....................................................................................................................30

    Traffic Shaping ........................................................................................................................31

    Break and Fix: FTP Traffic ......................................................................................................32

    Tips for Troubleshooting ...............................................................................................................................33

    FIREWALL AUTHENTICATION .........................................................................34

    Objectives ...............................................................................................................................34

    Time to Complete ....................................................................................................................34

    Break and Fix: LDAP Authentication ......................................................................................35

    Tips for Troubleshooting ...............................................................................................................................35

    FSSO ..........................................................................................................37

    Objectives ...............................................................................................................................37

    Time to Complete ....................................................................................................................37

    Installing FSSO .......................................................................................................................38

    Break and Fix: FSSO ..............................................................................................................42

    Tips for Troubleshooting ...............................................................................................................................42

    IPSEC ..........................................................................................................44

    Objectives ...............................................................................................................................44

    Time to Complete ....................................................................................................................44

    Break and Fix: IPsec VPN ......................................................................................................45

    Tips for Troubleshooting ...............................................................................................................................45

    SECURITY PROFILES ....................................................................................47

    Objectives ...............................................................................................................................47

    Time to Complete ....................................................................................................................47


    Break and Fix: Protection Profiles Part 1 ................................................................................48

    Tips for Troubleshooting ...............................................................................................................................48

    Break and Fix: Protection Profiles Part 2 ................................................................................49

    Tips for Troubleshooting ...............................................................................................................................50

    EXPLICIT WEB PROXY ..................................................................................51

    Objectives ...............................................................................................................................51

    Time to Complete ....................................................................................................................51

    Break and Fix: Web Proxy ......................................................................................................52

    Tips for Troubleshooting ...............................................................................................................................53

    OPERATION MODES ......................................................................................55

    Objectives ...............................................................................................................................55

    Time to Complete ....................................................................................................................55

    Transparent Mode ...................................................................................................................56

    NAT/Route Mode ....................................................................................................................60

    Break and Fix: NAT/Route Mode ............................................................................................62

    Tips for Troubleshooting ...............................................................................................................................62

    EXTERNAL BGP ...........................................................................................63

    Objectives ...............................................................................................................................63

    Time to Complete ....................................................................................................................63

    Break and Fix: BGP ................................................................................................................64

    Tips for Troubleshooting ...............................................................................................................................64

    OSPF ..........................................................................................................66

    Objectives ...............................................................................................................................66

    Time to Complete ....................................................................................................................66

    Break and Fix: OSPF ..............................................................................................................67

    Tips for Troubleshooting ...............................................................................................................................67


    HIGH AVAILABILITY ......................................................................................69

    Objectives ............................................................................................................................ 69

    Time to Complete ................................................................................................................. 69

    Break and Fix: High Availability ............................................................................................ 70

    Tips for Troubleshooting ...............................................................................................................................71

    APPENDIX A: ADDITIONAL RESOURCES ........................................................72

    APPENDIX B: PRESENTATION SLIDES ...........................................................73

    Module 1: Troubleshooting Concepts...................................................................................74

    Module 2: System Resources...............................................................................................97

    Module 3: Network..............................................................................................................147

    Module 4: Firewall Policies.................................................................................................174

    Module 5: Firewall Authentication.......................................................................................211

    Module 6: FSSO.................................................................................................................241

    Module 7: IPsec..................................................................................................................275

    Module 8: Security Profiles.................................................................................................312

    Module 9: Explicit Web Proxy.............................................................................................368

    Module 10: Operation Modes.............................................................................................390

    Module 11: External BGP...................................................................................................424

    Module 12: OSPF...............................................................................................................456

    Module 13: High Availability...............................................................................................496


    Virtual Lab Basics

    FortiGate III Student Guide 7

    Virtual Lab Basics

    In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

    Note: If your trainer asks you to use a different lab, such as devices physically located in your classroom, please ignore this section. This applies only to the virtual lab accessed through the Internet. If you do not know which lab to use, please ask your trainer.


    Topology

    Logging In

    1. Run the System Checker. This will fully verify both:

    o compatibility with the virtual lab environment's software, and

    o that your computer can connect

    It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy.

    Use the URL for your location.

    North America/South America:

    https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West

    Europe/Middle East/Africa:

    https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe

    Asia/Pacific:

    https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC

    If a security confirmation dialog appears, click Run.

    Topology diagram (labels recovered from the figure; the drawing itself is not reproduced):

    Internet
    IN-STUDENT 10.0.1.10
    STUDENT FortiGate: port1 10.200.1.1/24, port2 10.200.2.1/24, port3 10.0.1.254/24
    REMOTE FortiGate: port4 10.200.3.1/24, port5 10.200.4.1/24, port6 10.0.2.254/24
    WIN-REMOTE 10.0.2.10
    LINUX: eth1 10.200.1.254, eth2 10.200.2.254, eth3 10.200.3.254, eth4 10.200.4.254
    FORTIMANAGER: port1 10.0.1.241, port2 10.200.1.241


    If your computer successfully connects to the virtual lab, the result messages for the browser and network checks will each display a check mark icon. Continue to the next step.

    If a browser test fails, this will affect your ability to access the virtual lab environment. If a network test fails, this will affect the usability of the virtual lab environment. For solutions, either click the Support Knowledge Base link or ask your trainer.

    2. With the user name and password from your trainer, log into the URL for the virtual lab. Either:

    https://remotelabs.training.fortinet.com/


    https://virtual.mclabs.com/

    3. If prompted, select the time zone for your location, and then click Update.

    This ensures that your class schedule is accurate.

    4. Click Enter Lab.

    A list of virtual machines that exist in your virtual lab should appear.

    From this page, you can access the console of any of your virtual devices by either:

    o clicking on the device's square, or

    o selecting System > Open.


    5. Click Win-Student to open a connection to that server.

    A new window should open within a few seconds. (Depending on your account's preferences, the window may be a Java applet. If this fails, you may need to change browser settings to allow Java to run on this web site. You also may need to review and accept an SSL certificate.)

    Depending on the virtual machine, the applet provides access to either the GUI or a text-based CLI. Connections to Windows machines will use a Remote Desktop-like GUI. The applet should automatically log in, then display the Windows desktop. For most lab exercises, you will connect to this VM.


    Disconnections/Timeouts

    If your computer's connection with the virtual machine times out or if you are accidentally disconnected, to regain access, return to the initial window/tab that contains your session's list of VMs and open the VM again.

    If your session frequently times out or does not connect, ask your instructor.

    Transferring Files to the VM

    When using the Java applet to connect to a VM, you can drag-and-drop files from your computer to the VM. For example, if you have a FortiGate configuration file that you want to upload to your lab VM, you could create it on your computer, and then drag it into the Java application window that is connected to the Windows VM. Usually the destination folder is C:\Uploads.

    Alternatively, if you store files in a cloud service such as Dropbox or SugarSync, you can use the web browser to download them to your VM instead.

    Using HTML5 Instead of Java

    When you open a VM, your browser may download and use a Java application to connect to the virtual lab's VM. This means that Java must be installed, updated, and enabled in your browser.

    Alternatively, you can use HTML5 instead. Click the Settings button, and then select Use Java Client. Click Save & Disconnect, then log in again. (To use this preference, your browser must allow cookies.)


    When connecting to a VM, your browser should then open a display in a new window or tab.

    Screen Resolution

    Some Fortinet devices' user interfaces require a minimum screen size.

    In the Java client, to configure the screen resolution, click the arrow at the top of the window.

    In the HTML 5 client, to configure screen resolution, open the System menu.

    International Keyboards

    If characters in your language don't display correctly, keyboard mappings may not be correct.


    To solve this in the HTML 5 client, open the Keyboard menu at the top of the window. Choose to either display an on-screen keyboard, or send text from your computer to the VM's clipboard.

    To solve this in the Java client, copy and paste between your computer and the Java applet. This sends special characters or combinations using the keyboard icon at the top of the applet window.

    Troubleshooting Tips

    If the HTML 5 client does not work, try the Java client instead. Remembering this preference requires that your browser allow cookies.

    Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection, including VPN tunnels or wireless such as 3G or Wi-Fi. For best performance, use a stable broadband connection such as a LAN.

    Do not disable or block Java applets. On Mac OS X since early 2014, to improve security, Java has been disabled by default. In your browser, you must allow Java for this web site. On Windows, if the Java applet is allowed and successfully downloads, but does not appear to launch, you can open the Java console while troubleshooting. To do this, open the Control Panel, click Java, and change the Java console setting to Show console. Network firewalls can also block Java executables. Note: JavaScript is not the same as Java.


    Prepare your computer's settings:

    o Disable screen savers

    o Change the power saving scheme so that your computer is always on, and does not go tosleep or hibernate

    If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal), please attempt to reconnect. If unable to reconnect, please notify the instructor.

    If during the labs, particularly when reloading configuration files, you see a message similar to the one shown below, the VM is waiting for a response from the authentication server.

    To retry immediately, go to the console and enter the CLI command:

    exec update-now


    System Resources

    During this lab, you will learn to use some system and memory debug commands to describe the status of the unit. Additionally, you will generate and analyze a crashlog entry after intentionally killing one of the FortiGate processes.

    Objectives

    Use debug commands to diagnose system problems

    Use the crashlog for diagnostics

    Time to Complete

    Estimated: 15 minutes


    System, Processes and Crashlog

    1. From the Win-Student server, log on to the StudentFortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    2. From System -> Dashboard -> Status, click the Restore link inside the System Information widget:

    3. Click Browse and select the configuration file for this lab:

    Resources\FortiGate III\System\Student\student-system.conf

    Click Restore. The StudentFortiGate will reboot. Wait a few minutes until it is back up.

    4. Using PuTTY, connect SSH to the StudentFortiGate CLI (use the account admin with no password) and execute these commands to check the memory usage:

    # get system status

    # get system performance status

    # diagnose hardware sysinfo memory

    # diagnose hardware sysinfo shm

    Analyze the outputs from the above commands and answer these questions:

    Is this unit running a 32-bit or 64-bit FortiOS?

    Does it have a hard disk for logging?

    How much memory is available?

    Is the unit in conserve mode?

    Why are the total high memory (HighTotal) and available high memory (HighFree) 0MB?


    5. Now execute the following command to display the top 50 processes:

    # diagnose sys top

    6. Try to find one of these three processes: reportd, miglogd, or ipshelper. Write down its process ID (the first number from left to right):

    7. Use the following command to "kill" the chosen process, replacing <process ID> with the number you wrote down:

    # diagnose sys kill 11 <process ID>

    11 is the kill signal. In this case the FortiGate kills the process by sending a segmentation fault (number 11) signal.

    Caution: We use the kill command in this exercise to reproduce a process failure. Be careful, though, when doing it on a FortiGate that is in production. Improperly killing a process might make a FortiGate system unstable.

    8. Execute the following command one more time:

    # diagnose sys top

    Observe that the killed process is running again, but this time it is using a higher ID number. Each time a process starts, it uses the next available process ID number.

    9. Now, check the crashlog:

    # diagnose debug crashlog read

    The output should contain some entries similar to these ones:

    93: 2015-03-04 07:47:34 Signal was sent to process by user
    94: 2015-03-04 07:47:34 firmware FortiGate-VM64 v5.2.1,build0618b618,140915 (GA) (Release)
    95: 2015-03-04 07:47:34 application reportd


    96: 2015-03-04 07:47:34 *** signal 11 (Segmentation fault) received ***
    97: 2015-03-04 07:47:34 Register dump:
    98: 2015-03-04 07:47:34 RAX: fffffffffffffffc RBX: 0000000000000000
    99: 2015-03-04 07:47:34 RCX: ffffffffffffffff RDX: 0000000000000400
    100: 2015-03-04 07:47:34 R8: 0000000000000000 R9: 0000002a95d49de0
    ...
    120: 2015-03-04 07:47:35 [0x0043d14f] => /bin/reportd
    121: 2015-03-04 07:47:35 [0x0043abfa] => /bin/reportd
    122: 2015-03-04 07:47:35 [0x2a95c40475] => ../lib/libc.so.6(__libc_start_main+0x000000f5)
    123: 2015-03-04 07:47:35 liboffset 00021475
    124: 2015-03-04 07:47:35 [0x0043aca1] => /bin/reportd
    125: 2015-03-04 07:47:35 reportd received a signal - 11
    126: 2015-03-04 07:47:36 the killed daemon is /bin/reportd:status=0x0

    Check the first three lines. They contain the FortiOS build number, the name of the process that failed (or was killed) and the kill signal number.
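As an added example (not part of the Fortinet guide), the following Python parses crashlog output in the format shown above, pulling out the build number, the application and the signal from each entry and separating entries that were operator-initiated (preceded by "Signal was sent to process by user") from crashes that need investigation. The sample text is constructed from the lines above; the second entry, a miglogd crash without the "by user" line, is invented for comparison.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the 'diagnose debug crashlog read' output above.
# Entry 1 is the reportd process killed in this exercise (note the "by user" line);
# entry 2 is a constructed genuine crash of miglogd, added for comparison.
SAMPLE_CRASHLOG = """\
93: 2015-03-04 07:47:34 Signal was sent to process by user
94: 2015-03-04 07:47:34 firmware FortiGate-VM64 v5.2.1,build0618b618,140915 (GA) (Release)
95: 2015-03-04 07:47:34 application reportd
96: 2015-03-04 07:47:34 *** signal 11 (Segmentation fault) received ***
97: 2015-03-04 07:47:34 Register dump:
98: 2015-03-04 07:47:34 RAX: fffffffffffffffc RBX: 0000000000000000
120: 2015-03-04 07:47:35 [0x0043d14f] => /bin/reportd
121: 2015-03-04 07:47:35 [0x0043abfa] => /bin/reportd
122: 2015-03-04 07:47:35 [0x2a95c40475] => ../lib/libc.so.6(__libc_start_main+0x000000f5)
125: 2015-03-04 07:47:35 reportd received a signal - 11
126: 2015-03-04 07:47:36 the killed daemon is /bin/reportd:status=0x0
127: 2015-03-05 02:10:01 firmware FortiGate-VM64 v5.2.1,build0618b618,140915 (GA) (Release)
128: 2015-03-05 02:10:01 application miglogd
129: 2015-03-05 02:10:01 *** signal 11 (Segmentation fault) received ***
130: 2015-03-05 02:10:01 [0x0041c2e0] => /bin/miglogd
131: 2015-03-05 02:10:02 the killed daemon is /bin/miglogd:status=0x0
"""

LINE_RE = re.compile(r"^(\d+):\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
SIGNAL_RE = re.compile(r"\*\*\* signal (\d+) \((.+?)\) received \*\*\*")
FRAME_RE = re.compile(r"^\[0x[0-9a-fA-F]+\] => (.+)$")
BUILD_RE = re.compile(r"build(\d+)")
STATUS_RE = re.compile(r"the killed daemon is (\S+?):status=(0x[0-9a-fA-F]+)")


@dataclass
class CrashEntry:
    first_line: int                    # crashlog line number of the 'firmware' line
    timestamp: str
    firmware: str
    build: Optional[str] = None
    application: Optional[str] = None
    signal: Optional[int] = None
    signal_name: Optional[str] = None
    user_initiated: bool = False       # preceded by "Signal was sent to process by user"
    backtrace: List[str] = field(default_factory=list)
    exit_status: Optional[str] = None


def parse_crashlog(text: str) -> List[CrashEntry]:
    """Split crashlog output into entries; each entry starts at its 'firmware' line."""
    entries: List[CrashEntry] = []
    pending_user_signal = False   # the "by user" line precedes the firmware line
    current: Optional[CrashEntry] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        lineno, ts, body = int(m.group(1)), m.group(2), m.group(3).strip()
        if body == "Signal was sent to process by user":
            pending_user_signal = True
        elif body.startswith("firmware "):
            fw = body[len("firmware "):]
            bm = BUILD_RE.search(fw)
            current = CrashEntry(lineno, ts, fw, bm.group(1) if bm else None,
                                 user_initiated=pending_user_signal)
            pending_user_signal = False
            entries.append(current)
        elif current is None:
            continue   # tail of an entry whose start has rotated out of the log
        elif body.startswith("application "):
            current.application = body.split(None, 1)[1]
        elif (sm := SIGNAL_RE.search(body)):
            current.signal, current.signal_name = int(sm.group(1)), sm.group(2)
        elif (fm := FRAME_RE.match(body)):
            current.backtrace.append(fm.group(1))
        elif (stm := STATUS_RE.search(body)):
            current.exit_status = stm.group(2)
    return entries


def unexplained_crashes(entries: List[CrashEntry]) -> List[CrashEntry]:
    """Entries not explained by an operator's 'diagnose sys kill'; these deserve a closer look."""
    return [e for e in entries if not e.user_initiated]


if __name__ == "__main__":
    for e in parse_crashlog(SAMPLE_CRASHLOG):
        kind = "killed by user" if e.user_initiated else "CRASH"
        print(f"{e.timestamp} {e.application:<8} build {e.build} "
              f"signal {e.signal} ({e.signal_name}) {kind}")
```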


    Network

    The following lab exercises show how to use some debug commands to troubleshoot connectivity problems. You will analyze the information in the FortiGate session table, run the built-in sniffer and use the debug flow to understand how the FortiGate is processing each IP packet.

    Objectives

    Analyze the information in the session table

    Capture traffic using the built-in sniffer tool

    Use some CLI troubleshooting utilities and tools

    Time to Complete

    Estimated: 50 minutes


    Exploring the Session Table

    During this exercise you will analyze the information displayed in the FortiGate session table.

    1. From the Win-Student server, first log on to the RemoteFortiGate's GUI using the account admin with no password:

    http://10.200.3.1

    2. Find the Resources folder on the desktop and upload the Remote configuration file for this lab:

    Resources\FortiGate III\General\Remote\remote-general.conf

    The RemoteFortiGate will reboot. Wait a few minutes until it is back up.

    3. Log on to the StudentFortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    4. Upload the Student configuration file for this lab:

    Resources\FortiGate III\General\Student\student-general.conf

    The StudentFortiGate will reboot. Wait a few minutes until it is back up.

    5. Open a command prompt window in the Win-Student server and execute a ping to the StudentFortiGate's default gateway:

    > ping 10.200.1.254

    6. Using PuTTY, connect SSH to the StudentFortiGate CLI and execute these commands:

    # diagnose sys session filter clear

    # diagnose sys session filter proto 1

    # diagnose sys session filter dst 10.200.1.254

    # diagnose sys session list

    Analyze the information related to the ICMP session created for the test traffic:

    session info: proto=1 proto_state=00 duration=726 expire=63276 timeout=64000 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    ha_id=0 policy_dir=0 tunnel=/
    state= may_dirty none app_ntf

    statistic(bytes/packets/allow_err): org=240/4/1 reply=240/4/1 tuples=2
    orgin->sink: org pre->post, reply pre->post dev=4->2/2->4 gwy=10.200.1.254/10.0.1.10
    hook=post dir=org act=snat 10.0.1.10:1->10.200.1.254:8(10.200.1.1:62464)
    hook=pre dir=reply act=dnat 10.200.1.254:62464->10.200.1.1:0(10.0.1.10:1)
    misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
    serial=00000243 tos=ff/ff ips_view=0 app_list=0 app=0
    dd_type=0 dd_mode=0

    Observe the following from the session:

    o The may_dirty flag

    o The line containing statistics, which should correctly display the number of ICMP packets sent and received

    o The source NAT information

    o The ID of the policy matching the traffic

    o The protocol state, whose value is always 00 for the case of ICMP traffic

    You will also notice that the expiration timer (expire) and timeout are unusually high. The default timeout for ICMP sessions is 60 seconds. For the purpose of giving more time to analyze the session information, the ICMP session timeout was increased to 64,000 seconds. You can see this configuration by typing the CLI command:

    # show system session-ttl

    7. Stop the ping (if it is still running) and access the StudentFortiGate GUI. Go to Policy & Objects > Policy > IPv4 and edit the firewall policy with the sequence number 1 (the first one from top to bottom). Click Enable this policy and then OK.

    After a firewall policy configuration change, the FortiGate adds the dirty flag to all the sessions with the may_dirty flag. Next time there is traffic matching any of those sessions, the FortiGate will re-evaluate the action to take.

    8. Execute this command in the StudentFortiGate CLI and observe that the session has the dirty flag now:

    # diagnose sys session list

    9. Run the ping one more time from the Win-Student server to 10.200.1.254:

    > ping 10.200.1.254

    It should fail, as the firewall policy enabled earlier is blocking ICMP traffic.

    Quickly check the session information one more time:

    # diagnose sys session list

    If you do it fast enough, you will notice that the session is still there but the block flag was added. All traffic matching a session with that flag is denied. Also, the session expiration time is much smaller now. The session will remain in the FortiGate memory until this timer expires (30 seconds).

    10. Before proceeding to the next lab exercise, go to Policy & Objects > Policy > IPv4 and disable the firewall policy with the sequence number 1 (the one blocking the ICMP traffic).
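The following Python script is an added example, not part of the Fortinet lab material: it parses a diagnose sys session list record (the "session info:" and "total session" lines in the sample are constructed; the other lines are the record shown above) and reports the flag, NAT and timeout observations this exercise asks you to check.

```python
import re

# Constructed sample: one ICMP session as printed by "diagnose sys session list".
# The "session info:" and "total session" lines are constructed; the other lines
# reproduce the record discussed in this lab (ping 10.0.1.10 -> 10.200.1.254).
SAMPLE = """\
session info: proto=1 proto_state=00 duration=12 expire=63988 timeout=64000 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state= may_dirty none app_ntf
statistic(bytes/packets/allow_err): org=240/4/1 reply=240/4/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=4->2/2->4 gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:1->10.200.1.254:8(10.200.1.1:62464)
hook=pre dir=reply act=dnat 10.200.1.254:62464->10.200.1.1:0(10.0.1.10:1)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00000243 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
total session 1
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
STAT_RE = re.compile(r"org=(\d+)/(\d+)/(\d+) reply=(\d+)/(\d+)/(\d+)")
HOOK_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) "
                     r"(\S+?):(\d+)->(\S+?):(\d+)\((\S+?):(\d+)\)")
ICMP_DEFAULT_TTL = 60  # default ICMP session timeout stated in the lab


def parse_sessions(text):
    """Split session-list output into records; each record becomes a dict of fields."""
    records = []
    for chunk in text.split("session info:")[1:]:
        rec = {"state": [], "hooks": [], "stats": None}
        for line in chunk.splitlines():
            line = line.strip()
            if line.startswith("state="):
                # state tokens are space-separated flags, e.g. may_dirty dirty block
                rec["state"] = line[len("state="):].split()
            elif line.startswith("statistic"):
                m = STAT_RE.search(line)
                if m:
                    v = list(map(int, m.groups()))
                    rec["stats"] = {"org": tuple(v[:3]), "reply": tuple(v[3:])}
            elif line.startswith("hook="):
                m = HOOK_RE.match(line)
                if m:
                    rec["hooks"].append({
                        "hook": m.group(1), "dir": m.group(2), "act": m.group(3),
                        "src": (m.group(4), int(m.group(5))),
                        "dst": (m.group(6), int(m.group(7))),
                        "nat": (m.group(8), int(m.group(9)))})
            elif not line.startswith("total session"):
                rec.update(KV_RE.findall(line))  # generic key=value fields
        records.append(rec)
    return records


def audit_session(rec):
    """Findings a troubleshooter looks for, mirroring the checks in this lab."""
    findings = []
    state = rec["state"]
    if "block" in state:
        findings.append("block: every packet matching this session is denied")
    elif "dirty" in state:
        findings.append("dirty: policy changed, action is re-evaluated on the next packet")
    elif "may_dirty" in state:
        findings.append("may_dirty: session will be marked dirty after a policy change")
    if rec.get("proto") == "1" and rec.get("proto_state") != "00":
        findings.append("ICMP proto_state is %s, expected 00" % rec.get("proto_state"))
    stats = rec["stats"]
    if stats and stats["org"][1] and not stats["reply"][1]:
        findings.append("no reply packets seen: traffic is one-way")
    for h in rec["hooks"]:
        if h["act"] == "snat":
            findings.append("SNAT %s -> %s (policy_id=%s)"
                            % (h["src"][0], h["nat"][0], rec.get("policy_id")))
    if rec.get("proto") == "1" and int(rec.get("timeout", 0)) > ICMP_DEFAULT_TTL:
        findings.append("ICMP timeout %ss exceeds the %ss default (see 'show system session-ttl')"
                        % (rec["timeout"], ICMP_DEFAULT_TTL))
    return findings


if __name__ == "__main__":
    for rec in parse_sessions(SAMPLE):
        print("session serial=%s policy_id=%s state=%s"
              % (rec.get("serial"), rec.get("policy_id"), " ".join(rec["state"])))
        for finding in audit_session(rec):
            print("  -", finding)
```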

    Traffic sniffer

    During this exercise, you will use the FortiGate built-in sniffer to capture traffic. After that, you will use a Perl script to convert the capture to a PCAP file that can be analyzed by a packet analyzer, such as Wireshark.

    1. Open an SSH connection to the StudentFortiGate using PuTTY.

    2. Click on the upper left icon and select Change Settings:

    Go to Session -> Logging and select All session output. Then click Browse and select the folder c:\Perl64\bin. Click Save, and then Apply. With this change, PuTTY will save all the sniffer output into a text file named putty.log:

    3. Type the following command in the StudentFortiGate CLI to start the sniffer:

    # diagnose sniffer packet port1 "host 10.200.1.254 and port 80" 3

    4. Open a browser and access this URL:

    http://10.200.1.254

    You should observe the packets captured in the PuTTY window.

    5. Close PuTTY and open a command prompt window. Execute these commands:

    > cd \Perl64\bin

    > perl fgt2eth.pl in putty.log

    The Perl script fgt2eth.pl converts the captured output to a PCAP file with the name putty.log.pcap.

    6. Use Windows File Explorer and double click the created file:

    c:\Perl64\bin\putty.log.pcap

    This starts Wireshark and opens the file for analysis.

    7. Observe the information in the packets captured. Right click any packet and select Follow TCP Stream:

    Observe the new window that pops up. It shows the application-layer data between the client and the server for that specific TCP session:

    Note: Follow TCP Stream is a useful tool to troubleshoot problems at the application layer.
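As an added example (not the lab's fgt2eth.pl), the following Python script performs the same conversion: it parses verbosity-3 or -6 sniffer output as saved by PuTTY and writes a classic PCAP file that Wireshark opens. The sample capture, the tab-separated dump layout and the hand-built frames with zero checksums are constructed assumptions.

```python
import re
import struct

# Constructed sample of "diagnose sniffer packet port1 '...' 3" output as PuTTY
# would log it: a TCP SYN from Win-Student and the SYN/ACK reply. The frames are
# hand-built Ethernet/IPv4/TCP headers with zero checksums, not real captures.
SAMPLE = (
    "interfaces=[port1]\n"
    "filters=[host 10.200.1.254 and port 80]\n"
    "2.532621 10.0.1.10.54321 -> 10.200.1.254.80: syn 1\n"
    "0x0000\t 0009 0f09 0002 0009 0f09 0001 0800 4500\t................\n"
    "0x0010\t 0028 0001 4000 4006 0000 0a00 010a 0ac8\t................\n"
    "0x0020\t 01fe d431 0050 0000 0001 0000 0000 5002\t................\n"
    "0x0030\t ffff 0000 0000\t......\n"
    "\n"
    "2.533104 10.200.1.254.80 -> 10.0.1.10.54321: syn 2 ack 2\n"
    "0x0000\t 0009 0f09 0001 0009 0f09 0002 0800 4500\t................\n"
    "0x0010\t 0028 0002 4000 4006 0000 0ac8 01fe 0a00\t................\n"
    "0x0020\t 010a 0050 d431 0000 0100 0000 0002 5012\t................\n"
    "0x0030\t ffff 0000 0000\t......\n"
    "2 packets received by filter\n"
)

# A packet header line starts with the timestamp; verbosity 6 adds "<iface> in|out"
# before the addresses, which the optional group skips.
HDR_RE = re.compile(r"^(\d+)\.(\d+)\s+(?:\S+\s+(?:in|out)\s+)?\S+\s+->\s+\S+:")
HEX_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+(.*)$")
PCAP_MAGIC, LINKTYPE_ETHERNET, LINKTYPE_RAW_IP = 0xA1B2C3D4, 1, 101


def _hex_column(rest):
    """Bytes from the hex column of a dump line; the ASCII column follows a tab."""
    hex_col = rest.split("\t")[0] if "\t" in rest else rest
    out = bytearray()
    for tok in hex_col.split():
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,2}", tok):
            break  # ASCII column of a dump whose tabs were turned into spaces
        out += bytes.fromhex(tok)
    return bytes(out)


def parse_sniffer(text):
    """Return [((sec, usec), frame_bytes), ...] from FortiGate sniffer output."""
    packets, ts, frame = [], None, bytearray()
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            if ts is not None:
                packets.append((ts, bytes(frame)))
            # keep the timestamp exact: integer seconds plus microseconds
            ts = (int(m.group(1)), int(m.group(2).ljust(6, "0")[:6]))
            frame = bytearray()
            continue
        m = HEX_RE.match(line)
        if m and ts is not None:
            # the offset column must follow on from the bytes already collected,
            # otherwise the log lost a line and the frame would be corrupt
            if int(m.group(1), 16) != len(frame):
                raise ValueError("dump line out of sequence: %r" % line)
            frame += _hex_column(m.group(2))
    if ts is not None:
        packets.append((ts, bytes(frame)))
    return packets


def to_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialise packets into a classic pcap file (LINKTYPE_RAW_IP for level 2/5 dumps)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for (sec, usec), frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def convert_file(src, dst):
    """putty.log -> putty.log.pcap, the step fgt2eth.pl performs in the lab."""
    with open(src, encoding="utf-8", errors="replace") as f:
        pcap = to_pcap(parse_sniffer(f.read()))
    with open(dst, "wb") as f:
        f.write(pcap)
    return len(pcap)


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE)
    print("%d packets, %d pcap bytes" % (len(pkts), len(to_pcap(pkts))))
```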

    Break and Fix: Connectivity Issues

    In this exercise, your environment is simulating the following customer network:

    There are however four problems:

    1. Although the Telnet protocol is enabled for administrative access on the StudentFortiGate's port3 (10.0.1.254), you cannot access the unit's CLI using telnet.

    2. You cannot access the web server (http://10.200.3.254) from Win-Student.

    3. You cannot ping the remote host (10.200.4.1) from Win-Student.

    4. You cannot access the GUI of the router 10.200.1.254 from Win-Student. The router GUI must be accessible by using the URL: http://10.200.1.254:88

    Find the causes of these problems by using debug commands first, before looking for configuration mistakes.

    In which of the four problems is the FortiGate doing something wrong, and in which ones is it not?

    Tips for Troubleshooting

    Can you ping the destination IP address from the Win-Student server?

    Use the sniffer tool to verify that the traffic is actually arriving at the FortiGate's port3. Use verbosity 4 or 6 and a filter that can capture the traffic both ways.

    If the traffic is not intended to terminate in the FortiGate, use the sniffer to check that it is actually being forwarded to the next hop IP address (use the network diagram provided). Again, use a filter in the sniffer that can capture the traffic both ways.

    [Network diagram: WIN-STUDENT 10.0.1.10 -- port3 10.0.1.254/24 | STUDENT FortiGate | port1 10.200.1.1/24 -- 10.200.1.254/24; port2 10.200.2.1/24 -- 10.200.2.10/24; Web server 10.200.3.254; REMOTE HOST 10.200.4.1/24]

    Check the session table. Is the FortiGate creating the session? Check the session protocol state. Do you see anything wrong there?

    Clear the related session (if any) from the session table, enable the debug flow and generate more test traffic. Do you see any debug flow error?

    Try to ping the next hop IP address from the StudentFortiGate. Sniff the traffic to the next hop IP address while doing it. You can have two simultaneous SSH connections, one running the sniffer and another one running the ping.

    Firewall Policies

    During these lab exercises you will configure and monitor traffic shaping. Additionally, you will troubleshoot and fix a connection problem to an FTP server.

    Objectives

    Monitor statistics related to traffic shaping

    Troubleshoot an FTP connection issue

    Time to Complete

    Estimated: 40 minutes

    Traffic Shaping

    1. Log on to the StudentFortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    2. Upload the Student configuration file for this lab:

    Resources\FortiGate III\Firewall-Policies\Student\student-policy.conf

    The StudentFortiGate will reboot. Wait a few minutes until it is back up.

    3. Go to Policy & Objects > Objects > Traffic Shapers and click Create New. Configure the following settings:

    Type Shared

    Name SharedPolicy

    Apply shaper All policies using this shaper

    Traffic Priority High

    Max Bandwidth 10 Kb/s

    Click OK.

    4. Go to Policy & Objects > Policy > IPv4 and edit the first policy on the top. Enable Shared Shaper and select SharedPolicy. Click OK.

    5. From a browser in Win-Student go to http://www.youtube.com and play some videos.

    6. While playing the videos, execute these CLI commands:

    # diagnose firewall shaper traffic-shaper stats

    # diagnose firewall shaper traffic-shaper list

    Locate the counters for packet drops. Execute the above commands a few more times and notice how those counters increase with the traffic.

    7. Before proceeding to the next lab exercise, go to Policy & Objects > Policy > IPv4 and edit the first policy on the top one more time. Disable Shared Shaper and click OK.

    Break and Fix: FTP Traffic

    An FTP server is running on the Linux server 10.200.3.254:222.

    The network administrator has installed FileZilla on all the workstations. The administrator has also added a pre-configured Site profile to FileZilla called FTPsite.

    To connect to the server from any workstation, users open FileZilla, click Site Manager, select the site FTPsite and click Connect:

    However, you cannot connect to the FTP server from Win-Student. FileZilla shows this error after each connection attempt:

    The problem only happens with the workstations connected behind the StudentFortiGate. Workstations in other subnets can connect successfully.

    Can you find out what the FortiGate is doing wrong?

    What has to be done to fix the problem?

    Tips for Troubleshooting

    Understand first which TCP ports are used for this connection. The control channel is using port TCP 222. The data channel is using the standard port TCP 20.

    Understand also how the traffic flows. Is this an FTP server working in active or passive mode? In active mode the data channel is initiated by the server. In passive mode the data channel is initiated by the client. Sniff the traffic in the FortiGate and Linux server to determine who is initiating the data channel. To run the sniffer in the Linux server follow these steps:

    1. Connect via SSH to the Linux server (10.200.1.254). Use the username root with the password password

    2. Execute the following command to sniff the data channel:

    # tcpdump -v -i any -nn port 20

    You can also sniff the control channel traffic with this other command:

    # tcpdump -v -i any -nn port 222

    Use the FortiGate's built-in sniffer to capture the control channel traffic (port 222) before and after the FortiGate. Use a verbosity level of either 3 or 6 and save the output to a file. After that, use the Perl script to convert it to Wireshark format (as explained in an earlier lab exercise) and analyze it.

    Run the debug flow over the FTP control channel and analyze the output. Is there anything missing there?
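Added example, not from the lab material: the Python script below reads an FTP control-channel transcript like the one Follow TCP Stream shows (the transcript, the C:/S: prefixes and the addresses are constructed) and lists each data channel announced by PORT or by 227/229 replies, who opens it, and whether the address inside the command differs from the address the peer actually sees, which is the rewrite and pinhole an FTP session helper on the FortiGate must perform when the client is NATed.

```python
import re

# Constructed FTP control-channel transcript (what "Follow TCP Stream" on port 222
# would show): the client first uses active mode (PORT), then passive mode (PASV).
# C: = client (Win-Student), S: = server (10.200.3.254:222).
SAMPLE = """\
S: 220 FTP server ready.
C: USER student
S: 331 Please specify the password.
C: PASS ********
S: 230 Login successful.
C: PORT 10,0,1,10,195,80
S: 200 PORT command successful.
C: LIST
S: 150 Here comes the directory listing.
S: 226 Directory send OK.
C: PASV
S: 227 Entering Passive Mode (10,200,3,254,19,136).
C: RETR eicar.com
S: 150 Opening BINARY mode data connection for eicar.com.
S: 226 Transfer complete.
"""

HP_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")
FTP_DATA_PORT = 20  # the lab states the data channel uses the standard TCP port 20


def _host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by 227 replies."""
    m = HP_RE.search(text)
    if not m:
        return None
    v = list(map(int, m.groups()))
    return ".".join(map(str, v[:4])), v[4] * 256 + v[5]


def data_channels(transcript, client_ip, server_ip):
    """List every data connection the control channel announces, and who opens it.

    client_ip/server_ip are the addresses each peer sees on the control channel,
    so a mismatch with the address carried inside PORT/227 means a NAT sits in
    between and the firewall's FTP helper has to rewrite it and open the pinhole.
    """
    channels = []
    for line in transcript.splitlines():
        who, _, msg = line.partition(": ")
        if who == "C" and msg.upper().startswith("PORT "):
            hp = _host_port(msg)
            if hp:  # active mode: the server connects back to the client
                channels.append({"mode": "active", "initiator": "server",
                                 "src": (server_ip, FTP_DATA_PORT), "dst": hp,
                                 "nat_mismatch": hp[0] != client_ip})
        elif who == "S" and msg.startswith("227 "):
            hp = _host_port(msg)
            if hp:  # passive mode: the client connects to the advertised port
                channels.append({"mode": "passive", "initiator": "client",
                                 "src": (client_ip, None), "dst": hp,
                                 "nat_mismatch": hp[0] != server_ip})
        elif who == "S" and msg.startswith("229 "):
            m = EPSV_RE.search(msg)
            if m:  # extended passive: only a port is advertised, same host as control
                channels.append({"mode": "passive", "initiator": "client",
                                 "src": (client_ip, None),
                                 "dst": (server_ip, int(m.group(1))),
                                 "nat_mismatch": False})
    return channels


def firewall_expectations(channels):
    """What a firewall in the path must allow for each announced data channel."""
    notes = []
    for ch in channels:
        src = "%s:%s" % (ch["src"][0], ch["src"][1] or "ephemeral")
        dst = "%s:%s" % ch["dst"]
        note = "%s mode: %s opens %s -> %s" % (ch["mode"], ch["initiator"], src, dst)
        if ch["nat_mismatch"]:
            note += " (address inside the command is NATed: helper must rewrite it)"
        notes.append(note)
    return notes


if __name__ == "__main__":
    for note in firewall_expectations(data_channels(SAMPLE, "10.0.1.10", "10.200.3.254")):
        print(note)
```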

    Firewall Authentication

    During this lab you will learn to use the authentication and LDAP debug commands to troubleshoot an authentication issue.

    Objectives

    Monitor the status of authenticated users

    Troubleshoot problems related to LDAP authentication

    Time to Complete

    Estimated: 40 minutes

    Break and Fix: LDAP Authentication

    1. Log on to the StudentFortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    2. Upload the Student configuration file for this lab:

    Resources\FortiGate III\Firewall-Authentication\Student\student-authentication.conf

    The StudentFortiGate will reboot. Wait a few minutes until it is back up.

    An administrator has configured the StudentFortiGate to do LDAP authentication against the Windows AD server located at 10.0.1.10 (Win-Student). However, authentication is failing.

    Two LDAP users have been created in the Windows AD Server:

    Username: student, password: Fort1net

    Must not have access to information technology sites, such as www.fortinet.com

    Belongs to the Windows AD group:

    CN=Domain Users,CN=Users,DC=trainingAD,DC=training,DC=lab

    Traffic from this user must match the firewall policy created for the user group LDAPUsers, which contains the web filter profile NoITSites. Do not change this web filtering configuration.

    Username: administrator, password: password

    Must have unrestricted access to the Internet

    Belongs to the Windows AD group:

    CN=Enterprise Admins,CN=Users,DC=trainingAD,DC=training,DC=lab

    Traffic from this user must match the firewall policy created for the user group EnterpriseAdmins, which does not have any web filter profile. Do not create any web filter profile for this policy. Leave it without any.

    Use the authentication and LDAP debug commands learned to isolate and fix the problem.

    Can you explain why the FortiGate is not challenging users to authenticate?

    Can you change the FortiGate configuration to fix the problem?

    Can you change the FortiGate configuration to properly restrict the Internet access of the user student, while leaving unrestricted access to the user administrator?

    Tips for Troubleshooting

    First, test the LDAP authentication from the CLI after enabling the real time debug command:

    diagnose debug application fnbamd -1

    diagnose debug enable

    diagnose test authserver ldap WindowsLDAP administrator password

    diagnose test authserver ldap WindowsLDAP student Fort1net

    Check the Distinguished Name (DN) for student and administrator by running these commands in Win-Student:

    dsquery user -name student

    dsquery user -name administrator

    Once the LDAP CLI test works, check the firewall authentication by browsing the Internet from Win-Student. Look at the session table or run the debug flow to know which firewall policy is matching the traffic.

    The output of the LDAP test command shows the user groups for each user. Compare them with the groups configured in each firewall policy.

    After any configuration change, de-authenticate the users from the FortiGate and clear the browser cache (or refresh the page with the F5 key). It is also recommended to clear the related entries in the session table:

    # diagnose sys session filter dport 80

    # diagnose sys session clear

    To de-authenticate a user, go to User & Device -> Monitor -> Firewall, select the user and click on De-authenticate.

    FSSO

    During this lab you will install the FSSO collector agent and troubleshoot an FSSO problem.

    Objectives

    Check the connectivity between the FortiGate and the CA

    Track user logon events in the DC, CA and FortiGate

    List the active FSSO users

    Troubleshoot an FSSO problem

    Time to Complete

    Estimated: 40 minutes

    Installing FSSO

    1. Log on to the StudentFortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    2. Upload the Student configuration file for this lab:

    Resources\FortiGate III\FSSO\Student\student-FSSO.conf

    The StudentFortiGate will reboot. Wait a few minutes until it is back up.

    3. On Win-Student, right-click the Fortinet Single Sign On (FSSO) installation file located in Resources\FSSO, then select Run as administrator.

    This should launch the Fortinet Single Sign On Agent Installation Wizard. Follow the wizard to install the agent on Win-Student.

    4. When prompted for the Windows server administrator password, enter "password":

    Click Next.

    5. In the Install Options window, accept the default settings:

    Click Next.

    6. Click Install to complete the installation.

    7. At the end of the Single Sign On Agent installation, the Launch DC Agent Install Wizard option will be selected.

    Click Finish to complete the collector agent installation. This launches the Domain Controller Agent Installation Wizard.

    8. In the Install DC Agent Wizard, accept the Collector Agent IP Address of 10.0.1.10 and the Collector Agent Listening Port of 8002.

    Click Next.

    9. Select the TRAININGAD:trainingAD.training.lab domain to monitor.

    Click Next.

    10. Only the student account needs to be monitored in this exercise. Expand the TRAININGAD domain and disable all the users in the TRAININGAD domain EXCEPT for student:

    Click Next.

    11. Set the Working Mode to Polling Mode and select Check Windows Security Event Logs.

    Click Next.

    12. After the installation, open the Windows start screen and run the application Configure Fortinet Single Sign-on.

    Perform the following tasks in the Fortinet single sign-on agent configuration window:

    Change the Password to Fortinet.

    Change the Workstation verify interval to 0

    Change the Log level to Information

    Enable Log logon events in separate logs

    Click Apply.

    13. Click Show Monitored DCs to verify the communication between the collector agent and the domain controller agent. The IP address of 10.0.1.10 should show as being logged in. Click Close.

    14. Click Select Domains to Monitor and verify that the TRAININGAD:trainingAD.training.lab domain is selected. Click OK.

    15. Click Set Group Filters. Click Add and enable the Default filter. Click Advanced and expand the domain name of TRAININGAD. From the expanded list select Users and Domain Admins. Click Add, then OK.

    Click OK.

    Click Save & Close to close the Fortinet single sign-on agent configuration window.

    Break and Fix: FSSO

    In this network the collector agent has been installed in Win-Student. An administrator has configured the StudentFortiGate to allow Internet access only to active FSSO users. However, it is not working as desired. Active FSSO users do not have Internet access.

    Use the authentication and FSSO debug commands learned to isolate and fix the problem.

    To test the FSSO authentication, first generate a login event following these steps:

    1. On Win-Student, run the Windows Remote Desktop Connection application.

    2. Enter the computer IP address 10.0.1.10:

    Log in with these credentials:

    Username: Student

    Password: Fort1net

    Ignore the error message indicating that the user is not authorized for remote login. The objective of these steps is just to generate a logon event without rebooting the server.

    3. After that, test the Internet access from a browser.

    Can you explain why the FortiGate is blocking the traffic?

    Can you change the FortiGate and/or collector agent configurations to fix the problem?

    Tips for Troubleshooting

    Check the active FSSO users in the collector agent by clicking Show logon users

    Use the following command to check the active FSSO users in the FortiGate:

    # diagnose debug authd fsso list

    Use the FortiGate real time debug command for FSSO:

    # diagnose debug application authd 8256

    # diagnose debug enable

    Check the collector agent logs

    Use the Windows Remote Desktop Connection application after each configuration change to generate new login events.

    IPsec

    During this lab you will troubleshoot an IPsec VPN problem.

    Objectives

    Use the IKE real time debug to isolate problems during the phase 1 and phase 2 negotiations

    Use the debug flow tool to isolate IPsec traffic flow issues

    Monitor the status of an IPsec VPN

    Time to Complete

    Estimated: 90 minutes

    Break and Fix: IPsec VPN

    1. From the Win-Student server, log on to the StudentFortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    2. Upload the Student configuration file for this lab:

    Resources\FortiGate III\VPN\Student\student-vpn.conf

    The StudentFortiGate will reboot. Wait a few minutes until it is back up.

    3. Log on to the RemoteFortiGate's GUI first using the account admin with no password:

    http://10.200.3.1

    Upload the Remote configuration file for this lab:

    Resources\FortiGate III\VPN\Remote\remote-vpn.conf

    The RemoteFortiGate will reboot and load the new configuration.

    An administrator has created an IPsec VPN between the StudentFortiGate and the RemoteFortiGate. The objective is to encrypt the traffic both ways between the subnets 10.0.1.0/24 and 10.0.2.0/24.

    For the purpose of this lab, assume that the IP address of the RemoteFortiGate will be changing frequently, so the administrator has configured the VPN on the StudentFortiGate side as Dialup User.

    The name of the VPN on the Student side is RemoteSite. The name of the VPN on the Remote side is ToHub. There is another VPN created (for a different purpose) in the StudentFortiGate with the name DialUpUsers.

    The IPsec VPN between Student and Remote is down. Your objective is to fix the problem, so that the tunnel comes up and you can ping from Win-Student to Win-Remote.

    Use the IPsec debug commands learned in this lesson to isolate and fix the problem. The solution requires:

    Keeping the Remote Gateway type in the VPN RemoteSite as Dialup User (for the reason explained before)

    No configuration changes in the DialUpUsers VPN in the StudentFortiGate, as this VPN is already operative and working as expected (you do not need to test this VPN, assume that it is working)

    Tips for Troubleshooting

    First check why the tunnel is not coming up; use the IKE real time debug on both sides to troubleshoot the problem:

    # diagnose debug application ike -1

    # diagnose debug enable

    After the tunnel is established, check that you can ping from Win-Student to Win-Remote. If there is a problem, sniff the traffic and use the debug flow.

    Security Profiles

    During the following exercises you will use debug commands to fix FortiGuard and web filtering issues.

    Objectives

    Troubleshoot FortiGuard problems

    Troubleshoot web filtering problems

    Fix certificate warnings during full SSL inspection

    Investigate virus infections

    Time to Complete

    Estimated: 45 minutes

    Break and Fix: Protection Profiles Part 1

    1. Log on to the StudentFortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    2. Upload the Student configuration file for this lab:

    Resources\FortiGate III\UTM\Student\student-UTM-1.conf

    The StudentFortiGate will reboot. Wait a few minutes until it is back up.

    3. The configuration contains two VDOMs. Go to Virtual Domains -> root -> Policy & Objects -> Policy -> IPv4.

    Check the firewall policy from port3 to port1. It has antivirus and web filtering enabled.

    4. Then go to Virtual Domains -> root -> Policy & Objects -> Security Profiles -> Web Filter and review the profile WebFilterUsers. Some categories, such as malicious websites, streaming media, hacking and proxy avoidance, are being blocked.

    Open a browser in Win-Student and go to these restricted web sites:

    http://www.youtube.com

    http://www.proxyavoidance.com

    The FortiGate is not blocking the access to those sites. Indeed, web filtering does not seem to be working at all.

    Why isn't the FortiGate blocking the access to any restricted web site?

    Can you change the FortiGate configuration to fix the problem?

    Note: Your lab environment uses a FortiManager as a local FDS server. It contains a local copy of the FDS web rating database. The FortiGate devices validate their VM licenses against the FortiManager. They also send the rating requests to the FortiManager IP address (10.0.1.241) instead of the public FDS servers. Do not change this configuration, as it will affect the FortiGate license status.

    Tips for Troubleshooting

    Use the web filtering real time debug:

    # diagnose debug application urlfilter -1

    # diagnose debug enable

    Use the FortiGuard real time debug:

    # diagnose debug application update -1

    # diagnose debug enable

    Break and Fix: Protection Profiles Part 2

    1. Log on to the StudentFortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    2. Upload the Student configuration file for this lab:

    Resources\FortiGate III\UTM\Student\student-UTM-2.conf

    The StudentFortiGate will reboot. Wait a few minutes until it is back up.

    This configuration is similar to the previous one, but it contains the fix for the problem that was troubleshot during the first exercise of this lab.

    The configuration also includes a web filter profile to block, among others, the following FortiGuard categories:

    Proxy Avoidance

    Streaming Media and Download

    Hacking

    All the restricted sites seem to be properly blocked now, such as:

    http://www.youtube.com (Streaming Media and Download)

    http://www.elite-hackers.com (Hacking)

    http://www.proxyavoidance.net (Proxy Avoidance)

    However, the administrator complains that the following two sites should be blocked, and they are not.

    According to him, they belong to blocked categories:

    http://www.metacafe.com

    http://www.eicar.org

    Additionally, customers are reporting two more problems:

    They receive certificate warnings each time they connect to an HTTPS site

    Even though antivirus is enabled, they can still download the virus sample eicar.com located at the FTP server 10.200.3.254:222. To test it, open FileZilla and connect to the preconfigured site FTPSite. Select the Desktop as the local site folder and pub as the remote site folder. Right click the eicar.com file and select Download:

    Why are those two sites reported by the administrator not being blocked? How can you change the FortiGate configuration to fix it?

    Why are users getting SSL certificate warnings? How can you resolve it?

    Why isn't FortiGate detecting the EICAR virus?

    Tips for Troubleshooting

    For the web filtering problem: Enable the following real time debug and attempt to browse the two web sites not being blocked:

    # diagnose debug application urlfilter -1

    # diagnose debug enable

    The output can be verbose, so save it from PuTTY to a local file.

    Remember to clear the browser cache and FortiGate session after doing any configuration change.

    For the antivirus problem:

    Sniff the FTP traffic and analyze the output of the debug flow

    Check the entry in the FortiGate session table for the FTP session

    Explicit Web Proxy

    During this lab you will troubleshoot some explicit web proxy problems.

    Objectives

    Monitor web proxy traffic and sessions

    Monitor web proxy DNS traffic

    Use the web proxy real time debug

    Time to Complete

    Estimated: 40 minutes

    Break and Fix: Web Proxy

    1. Log on to the StudentFortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    2. Upload the Student configuration file for this lab:

    Resources\FortiGate III\Web-Proxy\Student\student-web-proxy.conf

    The StudentFortiGate will reboot. Wait a few minutes until it is back up.

    3. Open Firefox and click Open menu. Then click Options:

    4. Go to Advanced -> Network and click Settings:

    5. Select Automatic proxy configuration URL and type the following URL:

    http://10.0.1.254:8080/proxy.pac

    6. Restart the browser.

    Test the proxy by accessing any web site. Additionally, access to the Fortinet web site is essential for users. So, test it using the following URL:

    http://www.fortinet.com

    Why isn't the web proxy working at all?

    Can you change the FortiGate configuration to fix the problem?

    After fixing the web proxy, test the access to the Fortinet web site. Why isn't it working yet? Can you also fix it?

    Tips for Troubleshooting

    Sniff the traffic on port 8080 (web proxy traffic)

    Sniff the traffic coming from the browser:

    # diagnose sniffer packet any 'host 10.0.1.254 and not port 22 and not port 443' 4

    Sniff the traffic going to the web proxy IP address:

    # diagnose sniffer packet any 'host 10.0.1.10 and not port 22 and not port 443' 4

    Use the following debug commands to check the status of the web proxy connections:

    # diagnose wad session list

    # diagnose test application wad 2200

    # diagnose test application wad 110

    # diagnose test application wad 104

    Run the web proxy real time debug using the filter below:

    # config web-proxy debug-url

    edit fortinet

    set url-pattern www.fortinet.com

    set status enable

    set exact enable

    next

    edit fortiguard

    set url-pattern www.fortiguard.com

    set status enable

    set exact enable

    next

    end

    # diagnose wad debug-url enable

    # diagnose wad console-log enable

    # diagnose debug enable

    After that, try to browse these two web sites and compare the results:

    http://www.fortinet.com

    http://www.fortiguard.com

    Remember to restart the browser after any change to the PAC file


    Operation Modes

    This lab has 3 exercises. The first exercise includes a FortiGate in transparent mode. During exercises 2 and 3 you will troubleshoot routing problems with two FortiGate devices in NAT/route mode.

    Objectives

    Describe how FortiGate routes traffic

    Diagnose routing problems due to reverse path forwarding check

    Identify the existing sessions that will be routed through a different path after a change in the routing table

    Use debug commands to troubleshoot routing problems

    Segment a layer-2 network into different broadcast domains using a FortiGate in transparent mode

    Time to Complete

    Estimated: 45 minutes


    Transparent Mode

    Port1 and port3 of a FortiGate in transparent mode are connected to a network. An administrator wants to create 4 broadcast domains. For that purpose, the administrator segmented the network into 4 VLANs:

    VLAN Name     VLAN tag   FortiGate interfaces
    Native VLAN   No tag     port1, port3
    VLAN 20       20         port1-VLAN20, port3-VLAN20
    VLAN 30       30         port1-VLAN30, port3-VLAN30
    VLAN 40       40         port1-VLAN40, port3-VLAN40

    The Win-Student server is connected to the native VLAN in port 3.

    The following diagram summarizes this network topology:

    1. First, check that Firefox is not configured to use an explicit web proxy.

    2. Click Open menu. Then click Options:


    Go to Advanced -> Network and click Settings:

    Check that No proxy is selected and click OK.

    3. Log on to the Student FortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    4. Upload the Student configuration file for this lab:

    Resources\FortiGate III\Operation-Modes\Student\student-operation-modes-transparent.conf

    The Student FortiGate will reboot. Wait a few minutes until it is back up.

    This changes the FortiGate to transparent mode and adds all the VLAN sub-interfaces.

    5. Connect to the Student FortiGate using SSH and start this sniffer:

    diagnose sniffer packet any "arp and host 10.0.1.15" 4


    6. From the Win-Student command prompt, ping 10.0.1.15:

    > ping 10.0.1.15

    This IP address is not active, so you will not receive any echo reply. However, the ping triggers ARP traffic that can be captured by the previous sniffer.

    7. The output of the sniffer will be similar to this:

    So, broadcast traffic is being forwarded to all the VLAN sub-interfaces. Each VLAN is not a different broadcast domain, as the administrator wants.

    Why is this happening?

    What configuration change must be done in the FortiGate to actually make each VLAN a different broadcast domain?

    8. From the FortiGate CLI, execute these configuration changes:

    # config system interface

    edit port1-VLAN20

    set forward-domain 20

    next

    edit port1-VLAN30

    set forward-domain 30

    next

    edit port1-VLAN40


    set forward-domain 40

    next

    edit port3-VLAN20

    set forward-domain 20

    next

    edit port3-VLAN30

    set forward-domain 30

    next

    edit port3-VLAN40

    set forward-domain 40

    next

    end

    9. Execute the sniffer and ping one more time. Now you will see that the ARP packets are confined only to the native VLAN.
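    The behaviour observed in steps 7 and 9, as an added example that is not part of the Fortinet guide: a small model of how a transparent-mode FortiGate floods a broadcast frame with and without forward-domain, plus a parser for sniffer output in the verbosity-4 shape used above. The capture lines are constructed for the lab's interfaces; the `flood_egress`, `parse_arp_capture` and `domain_leaks` names are the example's own.

```python
# Added example (not from the Fortinet guide): a model of how a FortiGate in
# transparent mode floods a broadcast frame, with and without forward-domain,
# plus a parser for constructed sniffer output in the lab's verbosity-4 format.
import re

# Interfaces from the lab table: native VLAN on port1/port3, tagged
# sub-interfaces for VLANs 20, 30 and 40.
LAB_INTERFACES = [
    "port1", "port3",
    "port1-VLAN20", "port3-VLAN20",
    "port1-VLAN30", "port3-VLAN30",
    "port1-VLAN40", "port3-VLAN40",
]

def vlan_of(iface):
    """VLAN tag encoded in the sub-interface name; 0 for the native VLAN."""
    m = re.search(r"VLAN(\d+)$", iface)
    return int(m.group(1)) if m else 0

def default_domains():
    """Before step 8: every interface keeps forward-domain 0 (one L2 domain)."""
    return {i: 0 for i in LAB_INTERFACES}

def segmented_domains():
    """After step 8: forward-domain N on each VLAN N sub-interface."""
    return {i: vlan_of(i) for i in LAB_INTERFACES}

def flood_egress(ingress, domains):
    """Interfaces a broadcast received on `ingress` is flooded to: every other
    interface that shares the ingress interface's forward-domain."""
    dom = domains[ingress]
    return sorted(i for i, d in domains.items() if d == dom and i != ingress)

# Constructed captures (timestamp, interface, direction, decoded frame), shaped
# like 'diagnose sniffer packet any "arp and host 10.0.1.15" 4' output.
CAPTURE_BEFORE = """\
2.617863 port3 in arp who-has 10.0.1.15 tell 10.0.1.10
2.617881 port1 out arp who-has 10.0.1.15 tell 10.0.1.10
2.617885 port1-VLAN20 out arp who-has 10.0.1.15 tell 10.0.1.10
2.617888 port1-VLAN30 out arp who-has 10.0.1.15 tell 10.0.1.10
2.617891 port1-VLAN40 out arp who-has 10.0.1.15 tell 10.0.1.10
2.617894 port3-VLAN20 out arp who-has 10.0.1.15 tell 10.0.1.10
2.617897 port3-VLAN30 out arp who-has 10.0.1.15 tell 10.0.1.10
2.617900 port3-VLAN40 out arp who-has 10.0.1.15 tell 10.0.1.10
"""
CAPTURE_AFTER = """\
5.102311 port3 in arp who-has 10.0.1.15 tell 10.0.1.10
5.102329 port1 out arp who-has 10.0.1.15 tell 10.0.1.10
"""

LINE_RE = re.compile(r"^\s*[\d.]+\s+(\S+)\s+(in|out)\s+arp\b")

def parse_arp_capture(text):
    """Return (ingress interface, sorted egress interfaces) for one ARP request."""
    ingress, egress = None, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        iface, direction = m.groups()
        if direction == "in":
            ingress = iface
        else:
            egress.append(iface)
    return ingress, sorted(egress)

def domain_leaks(capture, domains):
    """Egress interfaces in the capture that lie outside the ingress
    interface's forward-domain, i.e. broadcast leaking between VLANs."""
    ingress, egress = parse_arp_capture(capture)
    return sorted(set(egress) - set(flood_egress(ingress, domains)))
```

    Running `domain_leaks(CAPTURE_BEFORE, segmented_domains())` lists the six VLAN sub-interfaces that should not have seen the ARP request, which is the check to apply to a real capture after step 8.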


    NAT/Route Mode

    1. Log on to the Student FortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    2. Upload the Student configuration file for this lab:

    Resources\FortiGate III\Operation-Modes\Student\student-operation-modes-NAT.conf

    The Student FortiGate will reboot. Wait a few minutes until it is back up.

    3. Log on to the Remote FortiGate's GUI using the account admin with no password:

    http://10.200.3.1

    4. Upload the Remote configuration file for this lab:

    Resources\FortiGate III\Operation-Modes\Remote\remote-operation-modes-NAT.conf

    The Remote FortiGate will reboot. Wait a few minutes until it is back up.

    5. Check the IPsec VPN configuration in both FortiGate units. Go to VPN -> IPsec -> Tunnels. Check also the firewall policy and the routing table in both devices. Go to Policy & Objects -> Policy -> IPv4, then check Router -> Monitor -> Routing Monitor.

    You will notice that there is an IPsec VPN created between both units to encrypt the traffic between the subnets 10.0.1.0/24 and 10.0.2.0/24. You will also see a route in the Student FortiGate to the subnet 10.0.2.0/24 using the IPsec tunnel.

    6. Execute a continuous ping from the Win-Student command prompt to Win-Remote:

    > ping -t 10.0.2.10

    You will receive the echo reply from Win-Remote as an indication that the tunnel is operating normally.

    7. Without stopping the ping, access the Remote FortiGate and go to System -> Network -> Interfaces. Click the plus icon beside port4 to expand it, and edit the interface ToStudent:


    Change the Administrative Status of this interface to Down. Click OK.

    8. Wait a few seconds and then check the status of the VPN in the Student FortiGate. Go to VPN -> Monitor -> IPsec Monitor. As the remote virtual IPsec interface is administratively down, the VPN is down.

    Check now the routing table. As the VPN is down, the route to 10.0.2.0/24 was removed.

    Check also the ping running in Win-Student. It is failing.

    9. Proceed to bring the remote IPsec interface back up. Access the Remote FortiGate, go to System -> Network -> Interface and edit the ToStudent interface. Change the Administrative Status to Up and click OK.

    10. Go back to the Student FortiGate and check the status of the VPN. Go to VPN -> Monitor -> IPsec Monitor. If the VPN is still down, right-click it and select Bring Up. The tunnel will come up.

    11. Check the routing table. Go to Router -> Monitor -> Routing Monitor. You will notice that the route to the subnet 10.0.2.0/24 is back in the routing table.

    12. Check the ping running in Win-Student one more time. It is not working yet.

    13. Sniff this traffic. Connect to the Student FortiGate's CLI and execute this command:

    # diagnose sniffer packet any "icmp and host 10.0.2.10" 4

    Why is the ping not working if the VPN is up and the route is back?

    Why is the FortiGate still routing the ping traffic out port1 (and not through ToRemote)?

    What can be done to prevent this problem?
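    The routing-table change in steps 8 to 13, as an added example that is not from the Fortinet guide: a model in which a session caches the egress interface chosen when it was created and only changes path once it is re-evaluated, so the sessions that still use the old path after a route change can be listed. The route entries and addresses are constructed from the lab topology; `lookup`, `new_session`, `stale_sessions` and `lab_walkthrough` are the example's own names, and the assumption that the ping session was bound to port1 while the tunnel was down is the model's, not a statement from the guide.

```python
# Added example (not from the Fortinet guide): a model of why an existing session
# can keep using the old path after the routing table changes. It assumes the
# FortiGate caches the egress interface chosen when the session was created and
# only re-routes the session when it is re-evaluated.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    distance: int = 10

@dataclass
class Session:
    src: str
    dst: str
    proto: str
    egress: str  # interface cached at session creation

def lookup(routes, dst):
    """Longest-prefix match over the active routes; ties go to the lowest
    administrative distance. Returns the egress interface or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if ip in net:
            key = (net.prefixlen, -r.distance)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1].interface if best else None

def new_session(routes, src, dst, proto):
    """Create a session and cache the route decision made at that moment."""
    return Session(src, dst, proto, lookup(routes, dst))

def stale_sessions(sessions, routes):
    """Sessions whose cached egress differs from what the current routing
    table would choose: the ones that need re-evaluation after a route change."""
    return [s for s in sessions if lookup(routes, s.dst) != s.egress]

# Constructed from the lab: a default route through port1, and a route to the
# remote subnet 10.0.2.0/24 through the IPsec interface ToRemote while the
# tunnel is up.
TUNNEL_DOWN = [Route("0.0.0.0/0", "port1")]
TUNNEL_UP = TUNNEL_DOWN + [Route("10.0.2.0/24", "ToRemote")]

def lab_walkthrough():
    """Model of steps 8-13: while the tunnel is down the only match for
    10.0.2.10 is the default route, so the ping session is bound to port1
    (model assumption). When the tunnel route returns, that session is stale
    and ICMP keeps leaving through port1, as the sniffer in step 13 shows."""
    ping = new_session(TUNNEL_DOWN, "10.0.1.10", "10.0.2.10", "icmp")
    web = new_session(TUNNEL_DOWN, "10.0.1.10", "10.200.4.1", "tcp")
    stale = stale_sessions([ping, web], TUNNEL_UP)
    return ping.egress, [s.dst for s in stale]
```

    Only the session to 10.0.2.10 is reported as stale; the one to 10.200.4.1 still matches the default route and is unaffected by the tunnel coming back.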


    Break and Fix: NAT/Route Mode

    1. Log on to the Remote FortiGate's GUI using the account admin with no password:

    http://10.200.3.1

    2. Upload the Remote configuration file for this lab:

    Resources\FortiGate III\Operation-Modes\Remote\remote-operation-modes-NAT.conf

    The Remote FortiGate will reboot. Wait a few minutes until it is back up.

    3. Log on to the Student FortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    4. Upload the Student configuration file for this lab:

    Resources\FortiGate III\Operation-Modes\Student\student-operation-modes-NAT.conf

    The Student FortiGate will reboot. Wait a few minutes until it is back up.


    The administrator is reporting two problems:

    1. You cannot ping 10.200.4.1 from Win-Student

    2. The Student FortiGate configuration includes two default routes, one using port1, and the other one using port2. However, only one of them is active in the routing table

    Can you fix these two problems?

    Tips for Troubleshooting

    Sniff the ping to 10.200.4.1

    Use the debug flow while running the ping to 10.200.4.1

    Use these commands to check the routing table:

    # get router info routing-table database

    # get router info routing-table all

    Check the status of the link health monitors (if any) under System -> Monitor -> Link Monitor


    External BGP

    During this lab you will troubleshoot some BGP issues between two FortiGate devices.

    Objectives

    Monitor and check the status of a BGP communication

    Troubleshoot some common external BGP issues

    Time to Complete

    Estimated: 30 minutes


    Break and Fix: BGP

    1. Log on to the Remote FortiGate's GUI using the account admin with no password:

    http://10.200.3.1

    2. Upload the Remote configuration file for this lab:

    Resources\FortiGate III\BGP\Remote\remote-BGP.conf

    The Remote FortiGate will reboot. Wait a few minutes until it is back up.

    3. Log on to the Student FortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    4. Upload the Student configuration file for this lab:

    Resources\FortiGate III\BGP\Student\student-BGP.conf

    The Student FortiGate will reboot. Wait a few minutes until it is back up.

    An administrator has configured BGP between Student and Remote. The Student FortiGate belongs to the autonomous system 65500 and the Remote FortiGate belongs to the autonomous system 65001. However, the BGP peering is currently down. The objective is to bring up the BGP connection between both units. Also, each FortiGate must advertise all its locally connected subnets.

    Try not to compare both BGP configurations to find mismatches. You should troubleshoot the problem using the BGP debug commands learned during this lesson.

    Explain each problem, supporting your arguments with the output of sniffers and BGP debug commands.

    Tips for Troubleshooting

    Use these BGP debug commands and sniffer:

    # get router info routing-table all

    # get router info bgp summary

    # get router info bgp network

    # get router info bgp neighbors

    # get router info bgp neighbors advertise

    # diagnose sniffer packet any port 179 4

    Use the BGP real time debug:

    # diagnose debug enable


    # diagnose ip router bgp all enable

    # diagnose ip router bgp level info

    Use this command to restart the BGP connection any time:

    # execute router clear bgp all

    Stop and Think

    After fixing the BGP connectivity, you might notice that you cannot reach Win-Remote from Win-Student yet, even when both FortiGate routing tables are OK. You do not need to fix this problem during this lab, but can you find out what is causing this issue?


    OSPF

    During this lab you will troubleshoot some OSPF over IPsec issues between two FortiGate devices.

    Objectives

    Establish OSPF adjacency between FortiGate devices

    Use debug commands to troubleshoot some OSPF problems

    Monitor the status of an OSPF network

    Time to Complete

    Estimated: 40 minutes


    Break and Fix: OSPF

    1. Log on to the Remote FortiGate's GUI using the account admin with no password:

    http://10.200.3.1

    2. Upload the Remote configuration file for this lab:

    Resources\FortiGate III\OSPF\Remote\remote-OSPF.conf

    The Remote FortiGate will reboot. Wait a few minutes until it is back up.

    3. Log on to the Student FortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    4. Upload the Student configuration file for this lab:

    Resources\FortiGate III\OSPF\Student\student-OSPF.conf

    The Student FortiGate will reboot. Wait a few minutes until it is back up.

    An administrator has configured an IPsec tunnel between the Student FortiGate and the Remote FortiGate. OSPF has been configured to run over the tunnel, so that each FortiGate can advertise its networks to its remote peer. The tunnel is currently up; however, the OSPF adjacency is down.

    The objective is to have the OSPF routes correctly learned by both FortiGate units. Also, the IPsec VPN must remain stable.

    Try not to compare both OSPF configurations to find mismatches. You should troubleshoot the problem using the OSPF debug commands learned in this lesson. Explain each problem, supporting your arguments with the output of the debug commands.

    Tips for Troubleshooting

    Check the routing table and OSPF neighbor status:

    # get router info routing-table all

    # get router info ospf status

    # get router info ospf neighbor

    Is the neighbor adjacency established?

    Are OSPF routes present?

    Run the real time debug:

    # diagnose ip router ospf all enable

    # diagnose ip router ospf level info

    # diagnose debug enable


    Once the OSPF issues are resolved, go to the VPN event logs. Is the IPsec VPN stable? Watch the log messages for a few minutes.

    Compare the Student routing table when the tunnel is down with the table when it is up.

    What is causing the tunnel to bounce?


    High Availability

    During this lab you will troubleshoot some high availability problems between two FortiGate devices.

    Objectives

    Monitor an HA cluster

    Check the status of the HA configuration and session synchronization

    Troubleshoot some common HA problems

    Time to Complete

    Estimated: 30 minutes


    Break and Fix: High Availability

    1. Log on to the Remote FortiGate's GUI using the account admin with no password:

    http://10.200.3.1

    2. Upload the Remote configuration file for this lab:

    Resources\FortiGate III\High-Availability\Remote\remote-ha.conf

    The Remote FortiGate will reboot. Wait a few minutes until it is back up.

    3. Log on to the Student FortiGate's GUI using the account admin with no password:

    http://10.0.1.254

    4. Upload the Student configuration file for this lab:

    Resources\FortiGate III\High-Availability\Student\student-ha.conf

    The Student FortiGate will reboot. Wait a few minutes until it is back up.

    After loading both configurations, the cluster is not forming. The Remote unit cannot join the HA cluster.

    Use the debug commands learned in this lesson to troubleshoot the problem.

    [Topology diagram: WIN-STUDENT 10.0.1.10 on port3 (10.0.1.254/24) of the STUDENT FortiGate; STUDENT port1 10.200.1.1/24 toward LINUX 10.200.1.254 (eth1); LAN 0.0.0.0 on eth0; REMOTE FortiGate with port1, port2 and port3; port2 of each unit is also shown]


    Tips for Troubleshooting

    Run the HA real time debug in the CLI of both units:

    # diagnose debug application hatalk 255

    # diagnose debug application hasync 255

    # diagnose debug enable

    Use these additional HA debug commands:

    # diagnose sys ha status

    # diagnose sys ha showcsum

    For easy access to each unit while the cluster is down, each FortiGate starts with a different IP address on its port3:

    Student: 10.0.1.254

    Remote: 10.0.1.253

    So, while Remote cannot join the cluster, you can connect to its port3 IP address via SSH and run the debug commands.

    Stop and Think

    After the Remote FortiGate joins the cluster, you will notice that you cannot access the Remote FortiGate using the IP address 10.0.1.253 anymore. Can you explain why?


    Appendix A: Additional Resources

    Training Services http://training.fortinet.com

    Technical Documentation http://help.fortinet.com

    Knowledge Base http://kb.fortinet.com

    Forums https://forum.fortinet.com/

    Customer Service & Support https://support.fortinet.com

    FortiGuard Threat Research & Response http://www.fortiguard.com


    Appendix B: Presentation Slides


    This lesson is about troubleshooting concepts.

    Troubleshooting Concepts


    In this lesson, we will review troubleshooting strategies. We will also introduce some of the troubleshooting tools available in the FortiGate GUI and CLI.


    Let's begin by reviewing some troubleshooting concepts and strategies.


    Good administrators know their network well before any problem happens. That includes an understanding of the normal behavior related to traffic volume, network applications, traffic flows, and the devices' CPU and memory utilization. So, when a problem happens, good administrators quickly identify what is behaving abnormally. This information speeds up the troubleshooting process and helps to isolate the cause of the problem.

    Many tools can be used to gather statistics and information while the network is operating normally: SNMP, logging, sFlow, and the monitors located in the FortiGate GUI.


    It is also important to keep the network documentation up-to-date. Network diagrams should include physical connections, interface names and subnets. Good network documentation also includes change control records to track any change in the network: Who made the change? When was it done? What was changed?


    If a problem happens, the first step is to define it well. For example, if the problem definition is "web filtering is not working", the scope of the problem is too imprecise. Too many things could cause this, which makes troubleshooting slow. So, we must ask questions to understand the details: Is the problem happening with one web site? Is it happening with all users? Is it happening randomly? How can you reproduce the problem?

    After answering the right questions, we can define the problem in detail. For example: "the web filtering is not blocking the web site X for the user Y". This provides a better place to start the troubleshooting.


    A general approach for troubleshooting network issues is to follow the TCP/IP model and work the problem either from the highest layer to the bottom or from the lowest layer to the top.

    In the bottom-up method you check the physical layer first. If a layer is operating correctly, you move to the layer above it, until you find the layer where the problem is happening.

    In the top-down method you check the application layer first. If a layer is not working properly, you move to the layer below to rule out issues in the lower layers.


    During the second part of this lesson, we will review some of the troubleshooting tools available in the FortiGate GUI.


    The dashboard is the FortiGate GUI welcome screen. Some of its widgets contain information useful for troubleshooting, such as the system resources and the alert message console widgets.


    Remember that the dashboard is customizable. Widgets can be added, removed and customiz