TSOP14-001 - Fortigate Setup


  • Technical Standard Operating Procedure

    TSOP13-010 Internal Use Only Controlled Document v1.0

    TSOP13-010: Fortigate Setup

    Revision Date: April 20, 2014

    Purpose

    This document will outline a procedure to complete a Next Digital standard basic Fortigate configuration.

    Requirements

    An approved Fortigate or Fortiwifi device is required to complete the setup. A network cable, a web browser and Internet access are required for device configuration and updates.

    Procedure

    Initial Setup

    1. Update Firmware

    2. Set Hostname and Time Zone

    3. Set switch/interface

    4. Configure LAN Switch Interface

    5. Configure WAN Switch Interface

    FortiGuard Configuration

    Set admin listening port to 9443

    Create Firewall Objects

    1. Create Next Digital Address and Group

    2. Create RDP Management VIP

    3. Create VIPs for Exchange (http, https, smtp)

    Setup Security Profiles

    1. Setup antivirus profile

    2. Setup webfilter

    3. Setup application control

    4. Setup intrusion protection

    5. Setup email filter

    Setup Firewall Policies

    1. Configure Internal to WAN Policies

    2. Configure WAN to Internal Policies

    Finalize Fortigate Configuration

    1. Change admin accounts and passwords

    2. Backup the configuration

    Responsibilities

    All technicians are responsible for ensuring that admin access and a proper backup of the device are completed. All steps in the current procedure must be followed unless specified otherwise by a Technical Account Manager.


    Appendix

    Initial Setup

    1. Download the latest versions of FortiExplorer, and the Firmware version (Current Supported version is 5.0.5) for the appropriate FortiGate/FortiWifi device from support.fortinet.com

    2. Install FortiExplorer

    3. Launch FortiExplorer

    4. Connect your computer to the FortiGate/FortiWifi using the supplied USB cable

    5. Power on FortiGate/FortiWifi. You should see the device in the FortiExplorer Window

    6. Click on the Upload button beside Uploaded Firmware

    7. Choose the Firmware you downloaded and select open.


    8. Select Install, and confirm the upgrade by clicking Yes on the Update Firmware pop-up window.

    FortiExplorer will display the progress; watch for errors. The FortiGate/FortiWifi will reboot once the upload has completed.

    After the update completes, review the Current Firmware Version.


    9. Next we are going to do a factory reset to clean up the existing configuration (Fortinet Best Practice, ONLY ON NEW CONFIG).

    Navigate to the CLI in FortiExplorer. Log in as admin and type execute factoryreset. It will ask whether you want to continue; select y. The system will reboot.

    Dashboard

    1. Log into the Web-Based Manager in FortiExplorer (CLI options will be added underneath the GUI for those who prefer it.)

    Username: admin

    Password: (no password)

    2. After you log in, click Change beside the host name to change the name to something more descriptive.


    Next, click Change under the system time to update the System time details (Time zone, NTP, etc.).

    3. Change the Time Zone to the correct location, and set to Synchronize with NTP server. You can choose to use the FortiGuard Servers, or choose your own (e.g. ca.pool.ntp.org, pool.ntp.org, etc.). FortiGuard Servers are recommended.

    Network

    The next steps will involve changing the interface mode from Switch to Interface, and creating a software Switch. This configuration will allow greater scalability in the future if required.


    1. Navigate to Policy > Policy, click on the internal wan1 policy and select Delete.

    This policy needs to be removed in order to change the interface mode.

    2. Navigate to System > Network > Interfaces. Right click on Internal and select Change Mode.

    3. You will be prompted with the following window. Choose Interface Mode and select OK. The FortiGate/FortiWifi unit will restart.

    After the system restarts, log back in via the Web-Based Manager in FortiExplorer. Navigate to Network > Interfaces. You will notice that every port on the FortiGate/FortiWifi is now displayed. We will now create a software Switch called Switch.


    4. Setup an internal LAN switch interface.

    In Network > Interfaces select Create New and you will be redirected to a new window with the following options. Once configured select OK.

    Name: Interface name (e.g. Switch, Internal Switch, etc. Make sure it makes sense.)

    Type: Software Switch (Other options are VLAN, Loopback Interface, and Wi-Fi SSID. These options will not be explored in this document.)

    Physical Interface Members: Physical interface you want as part of the switch. Always choose Internal1, or port1 depending on the model of FortiGate/FortiWifi you are working on.

    Addressing mode: Always set to a manual IP. Set the IP address of the internal network. (e.g. 192.168.1.1/24, or 192.168.1.1/255.255.255.0)

    Administrative Access: Set internal administrative access to HTTP, PING, HTTPS, CAPWAP, and SSH. If the client will be using a FortiManager you can select FMG-Access as well.

    DHCP Server: If the FortiGate will be serving as your DHCP server you will need to enable DHCP. DHCP will be covered in a later section.

    5. Next you will need to configure your WAN settings. Click on the Wan1 interface in Network > Interfaces and select Edit.

    6. If your ISP utilizes DHCP, configure the following.

    Alias: Name to describe the interface. This is not required, but recommended. Standard is to use the ISP name. (e.g. Telus, Shaw, Wi-Band, etc.)

    Addressing mode: DHCP

    Administrative Access: Set external administrative access to HTTPS, and PING

    Distance: Leave default of 5

    Retrieve default gateway from server: Make sure this is checked

    Override internal DNS: Check this box as well.

    7. If your ISP utilizes Static IP addressing, configure your WAN with the following settings.

    Alias: Name to describe the interface. This is not required, but recommended. Standard is to use the ISP name. (e.g. Telus, Shaw, Wi-Band, etc.)

    Addressing mode: Manual

    IP/Network Mask: Set the IP address provided by the ISP (e.g. 75.156.148.223/22, or 75.156.148.223/255.255.252.0)

    Administrative Access: Set external administrative access to HTTPS, and PING


    8. If you are using a static address from your ISP you will need to configure a static route. The static route described here is the Default Gateway for the ISP. To set this, navigate to Network > Routing and select Create New.

    9. On the New Static Route window, enter the following details and select OK.

    Destination IP/Mask: Leave this as 0.0.0.0/0.0.0.0

    Device: Choose your WAN interface

    Gateway: Enter the Gateway IP provided by your ISP


    10. Next you will need to enter your System DNS information. Navigate to Network > DNS. If the organization has a domain and DNS server(s), set these settings to their DNS servers and domain name. If they do not have a domain, you can have it use the FortiGuard servers, or you can specify the ISP's DNS, leaving the Local Domain Name unset.

    Primary DNS: IP of the Primary DNS server (Normally the Primary Domain Controller)

    Secondary DNS: IP of the Secondary DNS server (If there is not a second DNS server onsite, leave this field blank)

    Local Domain Name: FQDN of the internal domain (e.g. abcd.internal)

    Config

    The first item to configure in the Config section is the FortiGuard service. The FortiGuard service provides AV, IPS, Web, and Email filtering; without this service, or if the service expires, all filtering will be disabled. We will also enable some additional features in the GUI.

    1. Navigate to Config > FortiGuard. Expand AV & IPS Download Options, and Web Filtering and Email Filtering Options. Choose the following options.

    Allow Push Update

    Schedule Update: Daily 1 hour

    Submit attack characteristics


    Enable webfilter cache; change TTL to 500

    Enable antispam cache; change TTL to 500

    2. Navigate to Config > Features. Scroll to the bottom and select Show More. The list will expand. Scroll down until you see Multiple Security Profiles and click the Off button to turn it on (sounds weird, doesn't it, but you will see in the following images). Then click Apply.

    Admin

    This is the shortest section. Here we will be changing the listening port for HTTPS.

    1. Navigate to Admin > Settings and change the HTTPS port to 9443 (ND Standard). You can also change the Idle Timeout, but remember that 480 minutes can have security implications (although I change it to 480). Then click Apply.


    Firewall Objects

    Address

    As you can see we have skipped over the Policy tab. This is intentional, as we will need to utilize settings from Firewall Objects and Security Profiles in our Policies. The first step is going to be creating addresses for the Next Digital network. We need to specify these addresses to use for restricting access to specific internal resources (e.g. Management servers, or VMWare hosts via the VIC) to just Next Digital.

    1. Navigate to Address > Addresses and select Create New. This will open a New Address page. We will need to enter 3 different addresses for ND. After each entry make sure to click OK.

    ND_Edmonton: IP Range 96.53.105.50-96.53.105.51

    ND_Calgary

    ND_Datacenter: IP 209.90.171.71


    2. Next we will want to create a Group for the ND addresses. Navigate to Address > Group and select Create New. Specify a new group name (e.g. ND_Address_Group, or Next_Digital, etc.), and add the addresses to the group as shown in the image below. Select OK to close.

    VIPs

    The next option in Firewall Objects is the VIPs, or Virtual IPs. VIPs are used for creating static NAT, and static NAT with port forwarding. The following configuration will only demonstrate static NAT with port forwarding. The only time you would configure a static NAT without port forwarding would be if you had multiple servers and multiple IPs. The number of VIPs required will also change based on the servers/services running at a particular client. In this configuration we assume we will only require a VIP to connect to a management server (via RDP) and an Exchange server for mail (SMTP only).

    3. Navigate to Virtual IPs > Virtual IPs and select Create New. Once the Add New Virtual IP Mapping window opens we will create the RDP VIP first, followed by the 3 VIPs required for Exchange.

    RDP to the Management server

    Name the VIP (e.g. Management_RDP)


    External Interface: the incoming interface (e.g. Wan1, DMZ, etc.)

    External IP Address/Range: 75.156.148.223 - 75.156.148.223

    Internal IP Address/Range: 192.168.1.9 - 192.168.1.9

    Select the Port Forwarding check box

    Protocol: TCP

    External Service Port: 3399 - 3399 (external ports may vary)

    Map to Port: 3389 - 3389

    SMTP, HTTP, and HTTPS to Exchange

    Name the VIP (e.g. Exchange_SMTP)

    External Interface: the incoming interface (e.g. Wan1, DMZ, etc.)

    External IP Address/Range: 75.156.148.223 - 75.156.148.223

    Internal IP Address/Range: 192.168.1.12 - 192.168.1.12

    Select the Port Forwarding check box

    Protocol: TCP

    External Service Port: 25 - 25

    Map to Port: 25 - 25

    Name the VIP (e.g. Exchange_HTTP)

    External Interface: the incoming interface (e.g. Wan1, DMZ, etc.)


    External IP Address/Range: 75.156.148.223 - 75.156.148.223

    Internal IP Address/Range: 192.168.1.12 - 192.168.1.12

    Select the Port Forwarding check box

    Protocol: TCP

    External Service Port: 80 - 80

    Map to Port: 80 - 80

    Name the VIP (e.g. Exchange_HTTPS)

    External Interface: the incoming interface (e.g. Wan1, DMZ, etc.)

    External IP Address/Range: 75.156.148.223 - 75.156.148.223

    Internal IP Address/Range: 192.168.1.12 - 192.168.1.12

    Select the Port Forwarding check box

    Protocol: TCP

    External Service Port: 443 - 443

    Map to Port: 443 - 443

    4. After you have created the VIPs we will create a new VIP group for Exchange. Navigate to Virtual IPs > VIP Groups and select Create New. When the New VIP Group window opens, pick a name for the group (e.g. Exchange_VIP_Group) and select the 3 Exchange VIPs created earlier to be members of this group. Select OK when complete.
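    Before the WAN to Internal policies are built on top of these VIPs, it is worth confirming that the VIP set is self-consistent. The Python below is an added example (not Next Digital's or Fortinet's code) that models the VIPs above with the same fields the Add New Virtual IP Mapping window asks for and checks them for two mistakes the GUI accepts silently: two VIPs claiming the same external interface, IP, protocol and port, and external or mapped addresses that fall outside the wan1 network (75.156.148.223/22) or the internal network (192.168.1.0/24) used in this document. The Exchange_IMAPS entry is a constructed duplicate included only to show the collision report.

```python
"""Sanity checks for the port-forwarding VIPs created in this procedure.

Added example, not Next Digital's or Fortinet's code. Each VIP is modelled with
the fields of the SOP's "Add New Virtual IP Mapping" window. The checks catch
two mistakes the GUI accepts silently: two VIPs claiming the same external
interface/IP/protocol/port, and external or mapped IPs outside the networks
the WAN and LAN interfaces were configured with.
"""
import ipaddress
from collections import namedtuple

Vip = namedtuple("Vip", "name extintf extip protocol extport mappedip mappedport")

# Values from the SOP's static-IP example. The last entry, Exchange_IMAPS, is a
# constructed extra VIP added here only to trigger the collision check: it
# reuses external port 443, which Exchange_HTTPS already owns.
VIPS = [
    Vip("Management_RDP", "wan1", "75.156.148.223", "tcp", 3399, "192.168.1.9", 3389),
    Vip("Exchange_SMTP", "wan1", "75.156.148.223", "tcp", 25, "192.168.1.12", 25),
    Vip("Exchange_HTTP", "wan1", "75.156.148.223", "tcp", 80, "192.168.1.12", 80),
    Vip("Exchange_HTTPS", "wan1", "75.156.148.223", "tcp", 443, "192.168.1.12", 443),
    Vip("Exchange_IMAPS", "wan1", "75.156.148.223", "tcp", 443, "192.168.1.12", 993),
]
# Interface networks from steps 4 and 7 (wan1 is 75.156.148.223/22 in the SOP).
WAN_NETWORKS = {"wan1": ipaddress.ip_network("75.156.148.223/22", strict=False)}
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")


def check_vips(vips, wan_networks=WAN_NETWORKS, lan_network=LAN_NETWORK):
    """Return a list of problems; an empty list means the VIP set is consistent."""
    problems = []
    owner = {}  # (extintf, extip, protocol, extport) -> name of the VIP that claimed it
    for v in vips:
        key = (v.extintf, v.extip, v.protocol, v.extport)
        if key in owner:
            problems.append(
                f"{v.name}: {v.extintf} {v.extip} {v.protocol}/{v.extport} "
                f"is already forwarded by {owner[key]}")
        else:
            owner[key] = v.name
        # The external address must sit on the interface that receives it.
        wan = wan_networks.get(v.extintf)
        if wan is None or ipaddress.ip_address(v.extip) not in wan:
            problems.append(f"{v.name}: external IP {v.extip} is not on {v.extintf}")
        # The mapped address must be a host on the internal switch network.
        if ipaddress.ip_address(v.mappedip) not in lan_network:
            problems.append(f"{v.name}: mapped IP {v.mappedip} is not on the internal network")
    return problems


if __name__ == "__main__":
    for p in check_vips(VIPS):
        print("PROBLEM:", p)
```

    Run with the four VIPs from this section and the check returns nothing; with the constructed fifth entry it reports that Exchange_IMAPS re-uses wan1 75.156.148.223 tcp/443, which Exchange_HTTPS already forwards.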


    Security Profiles

    AntiVirus

    Now that we have setup all that networking mumbo jumbo, let's get into the good stuff. The first setting displayed in the GUI is the Anti-Virus profile. When we apply this profile to a policy it will scan websites (HTTP only), email, files via FTP, and IM. In addition, it will block connections to KNOWN botnet servers, and there is a sandbox option, but we will not get into that in this document. Here we go.

    1. The first step here is to create a new profile. Please leave the default policies as is. Navigate to AntiVirus > Profiles and select the + symbol in the top right corner. It will launch a New AntiVirus Profile page.

    AntiVirus Profile

    Assign a name for the profile. The most common name would be the name of the company and the UTM function. (e.g. NDEDM_AV_Profile)

    Inspection Mode is Proxy

    Select Block Connections to Botnet Servers

    Select all of the Virus Scan and Removal checkboxes (The client may not have POP3, IMAP, etc., but we still want to scan the inbound GMAIL, Telus Webmail, etc.)


    Web Filter

    The Web Filter is the service that allows, blocks, and monitors websites. One item that needs to be understood is that there is no local categories DB, although you can create your own local filter. We will do a generic exception as an example.

    1. Navigate to Web Filter > Profiles and select the + symbol in the top right corner. It will launch a New Web Filter Profile page.

    Web Filter Profile

    Assign a name for the new Web Filter Profile following the same format as the AV profile. (e.g. NDEDM_WEB_Profile)

    Inspection Mode is Proxy

    Select FortiGuard Categories (If you do not have a valid Service Agreement leave this unchecked). There are multiple categories that we will need to select. We will select the most common selections. Expand the appropriate category and select the following (use the Ctrl key for multiple selections).

    o Expand Potentially Liable and select: Hacking; Illegal or Unethical; Proxy Avoidance

    o Expand Adult/Mature Content and select: Nudity and Risque; Pornography

    o Expand Bandwidth Consuming and select: Peer-to-peer File Sharing

    o Expand Security Risk and select: Malicious Websites; Phishing; Spam URLs

    o Now that you have made your selections, right click on one of your selections and select Block.


    Select Enable Safe Search

    o Select Search Engine Safe Search: Google, Yahoo!, Bing, Yandex

    Select Scan Encrypted Connections; leave Exempted Categories checked

    Select HTTP POST action; set to Comfort

    Then select Apply.

    To create a local exception, block, monitor, etc. you can select Enable Web Site Filter on the current Web Filter Profile. It will provide an option to create a new filter. Click on Create New. If we had set streaming audio/video to be blocked, but wanted to allow YouTube, then this is how we do that.

    o In the URL field type youtube.com

    o Type is Simple (You can use expressions and wildcards as well, but it is not required for this example)

    o Action is Exempt (You can block, allow, and monitor here as well. Using Allow does not unblock the site; it is related to overrides. We will not be getting into overrides in this document)

    o Status is Enable (This just enables or disables the current URL you are entering.)

    o Select Apply.


    Application Control

    Application Control allows us to Monitor, Block, Reset, and Traffic Shape specific applications. In this document we will only be setting up monitoring to assist us with troubleshooting performance issues. DO NOT CONFIGURE BLOCKING, RESET, or TRAFFIC SHAPING WITHOUT APPROVAL FROM the TAM, DIRECTOR, or PARTNERS.

    1. Navigate to Application Control > Application Sensors and select the + symbol in the top right corner. It will launch a New Application Sensor page.

    Application Control Sensor

    Assign a name for the new Application Control Sensor following the same format as the AV profile. (e.g. NDEDM_APP_Sensor)

    o Select Allow and Log DNS Traffic

    Select OK

    You will now be able to edit the sensor. Let's add a monitor to the sensor.

    Select Create New; this will launch a new Application Filter.

    This list can be daunting, but for the purpose of this document it will be easy.

    Leave all the defaults and click OK at the bottom of the page.


    Then select Apply. You have now created a basic Application Sensor to monitor application traffic.

    Intrusion Protection

    Intrusion Protection (IPS) is used to prevent critical attacks on your network. The default settings for IPS still allow some critical vulnerabilities to get through. We are going to set up a sensor that blocks all critical and high severity signatures, and uses the signature defaults for all medium, low, and informational vulnerabilities.

    1. Navigate to Intrusion Protection > IPS Sensors and select the + symbol in the top right corner. It will launch a New IPS Sensor page.

    IPS Sensor

    Assign a name for the new IPS Sensor following the same format as the AV profile. (e.g. NDEDM_IPS_Sensor)

    Select OK

    You will now be able to edit the sensor. Let's add the Critical and High blocks to the sensor.

    Select Create New; this will launch a new IPS Filter.

    Under the Severity window, uncheck the Medium, Low, and Info check boxes.

    Scroll to the bottom of the page and select Block All.

    Then click OK.


    We can now set the signature defaults for the medium, low, and info to the sensor.

    Select Create new, this will launch a new IPS Filter

    Under the Severity window - We are going to uncheck the critical, and high check boxes

    Scroll to the bottom of the page and select Signature defaults

    Then click OK

    Your new sensor should look like the next image. If it does click Apply.


    Email Filter

    The Email Filter allows us to check inbound email for known SPAM, MALWARE, and PHISHING URLs sent to email servers. In our configuration we are using an Exchange server and this is going to require us to configure the profile for SMTP (Some Exchange servers are set to use POP3, but the most common protocol used is SMTP). If you have any mail server onsite other than Exchange you can also set up IMAP and POP3. However, this does not apply to this document.

    Email Lists

    1. Navigate to Email Filter > Email Lists and select Create New in the left corner. It will launch a New List page. We are going to create an empty BWL list that is required under the profile.

    Assign a name for the new list following the same format as the AV profile. (e.g. NDEDM_BWL_list)

    Select OK

    Select OK again

    Email Profiles

    2. Navigate to Email Filter > Profiles and select the + symbol in the top right corner. It will launch a New Email Filter Profile page (If you experience any inbound mail delivery issues, please discuss with a TAM before changing any of these settings).

    Assign a name for the new profile following the same format as the AV profile. (e.g. NDEDM_MAIL_Profile)

    Select Enable Spam Detection and Filtering

    UNCHECK IMAP, and POP3

    SMTP settings are as follows

    o Spam Action: Discard

    FortiGuard Spam Filtering

    o E-mail Checksum

    o URL Check

    o Spam Submission


    o Detect Phishing URLs in Email

    Local Spam Filtering

    o Return E-mail DNS Check

    o BWL Check

    Select previously created Email List

    Select OK

    Policy

    Policies

    So now that all the hard work is done, we need to put everything we just did to use. Policies are what we use to allow traffic between networks, and to define what services (FTP, SMTP, HTTP, VPN, etc.) are allowed to go between them. This paragraph could go on forever, but I think you get the idea, and hopefully after creating a few of them it will make more sense.

    Internal to WAN

    1. The first policy we are going to create is the easiest one. Its primary function is to give access from the internal network to the Internet. You will see other policies that use User Identity; these are set on a client by client basis. Do not set up a User Identity policy without talking to a TAM. Navigate to Policy > Policy and select Create New.

    Policy Type: Firewall

    Policy Subtype: Address

    Incoming Interface: Switch (or whatever you had named the soft switch) DO NOT EVER SELECT ALL for INCOMING INTERFACE

    Source Address: All

    Outgoing Interface: wan1 (whichever interface you have your Internet on) DO NOT EVER SELECT ALL for OUTGOING INTERFACE

    Destination Address: All

    Schedule: Always

    Service: ALL


    Action: Accept

    Select Enable NAT (If you do not know what NAT is look it up)

    Logging Options: Log Security Events

    Security Profiles (This is where all your hard work comes in)

    o Turn on the Following (Remember this is traffic going from Internal to External)

    Web Filter: Choose your Web Filter (NDEDM_WEB_Profile)

    Application Control: Choose your Application Control (NDEDM_APP_Sensor)

    Proxy Options: Leave as default

    Select OK

    WAN to Internal

    2. As previously mentioned in the VIPs section, we will be configuring this FortiGate assuming we have an Exchange server and a Management server. To allow email to reach the Exchange server we have to allow SMTP traffic from the WAN to the internal network. We also need to allow HTTPS and HTTP for Webmail, and RDP for access to the Management server. We are going to accomplish this by creating two policies. We will do the Exchange access first, followed by the management server. You should already be in the Policy section. Go ahead and click Create New.

    Policy Type: Firewall

    Policy Subtype: Address

    Incoming Interface: wan1 (Rule still applies: no ALL)

    Source Address: All

    Outgoing Interface: Switch (Rule still applies: no ALL)

    Destination Address: Exchange_VIP_Group (Whatever you called your VIP group, or you can add each of the Exchange VIPs)

    Schedule: Always

    Service: SMTP, HTTP, and HTTPS

    Action: Accept


    DO NOT ENABLE NAT

    Logging Options: Log Security Events

    Security Profiles

    o Turn on the following

    AntiVirus: Choose your AntiVirus Profile (NDEDM_AV_Profile)

    Application Control: Choose your Application Control Sensor (NDEDM_APP_Sensor)

    IPS: Choose your IPS Sensor (NDEDM_IPS_Sensor)

    Email Filter: Choose your Email Filter (NDEDM_EMAIL_Profile)

    Proxy Options: Leave as Default

    Select OK

    3. Now we will create the policy to allow Next Digital to connect to the Management server. This policy should be locked down to only allow access from Next Digital locations.

    Policy Type: Firewall

    Policy Subtype: Address

    Incoming Interface: wan1 (Rule still applies: no ALL)

    Source Address: ND_Address_Group (Whatever you called your ND address group, or you can add each of the ND addresses)

    Outgoing Interface: Switch (Rule still applies: no ALL)

    Destination Address: Management_RDP

    Schedule: Always

    Service: RDP

    Action: Accept

    DO NOT ENABLE NAT

    Logging Options: Log Security Events

    Security Profiles

    o Turn on the following

    AntiVirus: Choose your AntiVirus Profile (NDEDM_AV_Profile)


    Application Control: Choose your Application Control Sensor (NDEDM_APP_Sensor)

    IPS: Choose your IPS Sensor (NDEDM_IPS_Sensor)

    Proxy Options: Leave as Default

    Select OK
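    The settings in this procedure that are easiest to get wrong without anything visibly breaking are the external administrative access on wan1 (steps 6 and 7), the HTTPS admin port (Admin section), and the policy rules above: never ALL as an interface, no NAT on the WAN to Internal policies, management RDP accepted only from the ND address group, and logging left on. The Python below is an added example (not Next Digital's or Fortinet's code) of a small linter that reads a FortiOS configuration backup, the file the Backup Config step at the end of this procedure produces, and reports deviations from those rules. The embedded sample configuration is constructed for illustration, with deliberate deviations so the report is not empty; the interface names wan1 and Switch and the group name ND_Address_Group are the ones used in this document, and the parser covers only the flat config/edit/set/next/end blocks shown, not nested config blocks.

```python
"""Lint a FortiOS configuration backup against the rules in this procedure.

Added example, not Next Digital's or Fortinet's code. SAMPLE_CONFIG is a
hand-constructed FortiOS fragment with planted deviations: wan1 also allows
SSH, and policy 3 (management RDP) uses 'any' as incoming interface, enables
NAT, accepts RDP from every source rather than the ND address group, and
disables logging. The parser handles only flat config/edit/set/next/end blocks.
"""
import shlex
from collections import defaultdict

WAN_ACCESS = {"https", "ping"}  # steps 6/7: external administrative access

SAMPLE_CONFIG = """
config system global
    set admin-sport 9443
end
config system interface
    edit "Switch"
        set allowaccess ping https ssh http capwap
    next
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config firewall policy
    edit 1
        set srcintf "Switch"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set nat enable
        set logtraffic utm
    next
    edit 2
        set srcintf "wan1"
        set dstintf "Switch"
        set srcaddr "all"
        set dstaddr "Exchange_VIP_Group"
        set service "SMTP" "HTTP" "HTTPS"
        set logtraffic utm
    next
    edit 3
        set srcintf "any"
        set dstintf "Switch"
        set srcaddr "all"
        set dstaddr "Management_RDP"
        set service "RDP"
        set nat enable
        set logtraffic disable
    next
end
"""

def parse_fortios(text):
    """Return {section: {entry: {key: [values]}}}. Settings placed directly
    under `config` (e.g. system global) are stored under the entry name ''."""
    cfg = defaultdict(dict)
    section, entry = None, ""
    for line in text.splitlines():
        words = shlex.split(line)  # honours the quoting FortiOS uses for names
        if not words:
            continue
        if words[0] == "config":
            section, entry = " ".join(words[1:]), ""
            cfg[section].setdefault("", {})
        elif words[0] == "edit":
            entry = words[1]
            cfg[section][entry] = {}
        elif words[0] == "set":
            cfg[section][entry][words[1]] = words[2:]
        elif words[0] == "next":
            entry = ""
    return cfg

def lint(cfg, wan_if="wan1", lan_if="Switch", mgmt_group="ND_Address_Group"):
    """Return human-readable findings; an empty list means the config follows the SOP."""
    findings = []
    if cfg.get("system global", {}).get("", {}).get("admin-sport") != ["9443"]:
        findings.append("system global: admin-sport is not 9443 (ND standard)")
    extra = set(cfg.get("system interface", {}).get(wan_if, {}).get("allowaccess", [])) - WAN_ACCESS
    if extra:
        findings.append(f"{wan_if}: admin access beyond HTTPS/PING: {sorted(extra)}")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pid == "":
            continue  # pseudo-entry for settings outside any edit block
        if "any" in pol.get("srcintf", []) + pol.get("dstintf", []):
            findings.append(f"policy {pid}: 'any' used as an interface (SOP: never select ALL)")
        inbound = lan_if in pol.get("dstintf", [])  # WAN-to-internal (VIP) policy
        if inbound and pol.get("nat") == ["enable"]:
            findings.append(f"policy {pid}: NAT enabled on a WAN-to-internal policy")
        if inbound and "RDP" in pol.get("service", []) and pol.get("srcaddr") != [mgmt_group]:
            findings.append(f"policy {pid}: RDP from WAN not restricted to {mgmt_group}")
        if pol.get("logtraffic") == ["disable"]:
            findings.append(f"policy {pid}: logging disabled (SOP: Log Security Events)")
    return findings

if __name__ == "__main__":
    for f in lint(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", f)
```

    Against the sample it reports five findings, one for SSH on wan1 and four for policy 3. To run it against a real backup, read the file into a string and pass it to parse_fortios; a backup that matches this procedure returns an empty list.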

    System

    Finalize Config

    The next couple of steps are some of the most important, and often overlooked. We need to change the password for the admin account, create an ND_Admin account, and save the config.

    Admin Accounts

    1. Navigate to System > Administrators

    Highlight the admin entry and select Edit

    Select Change Password

    o Enter the Old password

    o New Password

    o Confirm New Password

    Select OK

    Select OK again

    2. The Fortigate will log you out. Log back in and navigate to System > Administrators

    Select Create New

    o Administrator: ND_Admin (Case Sensitive)

    o Type: Regular

    o Password: ND default password

    o Confirm Password: Self Explanatory


    o Admin Profile: super_admin

    Click OK

    Backup Config

    1. Navigate to System > Status

    Select Backup in the System Information Window

    Select Backup in the pop up window

    Congratulations!!! You have just completed a basic FortiGate config.