10. FortiGuard
• Dynamic updates
Antivirus, intrusion protection, web filtering, antispam
• Updated 24x7x365
• Data centers around the world
Secure, high availability locations
Page: 10
11. FortiManager
• Manage all Fortinet products from a centralized console
• Minimize administration effort
Deploying, configuring and maintaining devices
Page: 10
12. FortiAnalyzer
• Centralized analysis and reporting
Aggregate and analyze log data from multiple devices
• Comprehensive view of network usage
Identify and address vulnerabilities
Monitor compliance
• Quarantine and content archiving
Page: 10
14. FortiClient
• Security for desktops, laptops, mobile devices
Personal firewall, IPSec VPN, antivirus, antispam, web content
filtering
• FortiGuard keeps FortiClient up-to-date
Page: 11
15. Firewall Basics
• Controls flow of traffic between networks of different trust
level
• Allow good information through but block intrusions,
unauthorized users or malicious traffic
• Rules to allow or deny traffic
Page: 12
17. Common Firewall Features
• Block unwanted incoming traffic
• Block prohibited outgoing traffic
• Block traffic based on content
• Allow connections to an internal network
• Reporting
• Authentication
Page: 13
18. Types of Firewalls
• Packet filter firewall
Inspects incoming and outgoing packets
If matches rules, perform action
• Stateful firewall
Examines headers and content of packet
Holds attributes of connection in memory
Packet forwarded if connection already established and tracked
• Improved performance
• Application layer (proxy-based) firewall
Stands between protected and unprotected network
Repackages messages into new packets allowed into network
Page: 14
19. Network Address Translation
• Map private reserved IP addresses into public IP addresses
Local network uses different set of addresses
• NAT device routes response to proper destination
• Single agent between public and private network
• Conserve IP addresses
One public address used to represent group of computers
• Organization uses own internal IP addressing schemes
Page: 16
20. Dynamic NAT
• Private IP address mapped from a pool of public IP
addresses
• Masks internal network configuration
• Private network can use private IP addresses invalid on
Internet but useful internally
Page: 16
21. Static NAT
• Private IP address mapped to a public IP addresses
Public address always the same
• Allow internal host to have a private IP address but still be
reachable over the Internet
Web server
Page: 16
22. FortiGate Capabilities
• Firewall
Policies to allow or deny traffic
• UTM Features:
Antivirus
• Multiple techniques
Antispam
• Detect, tag, block, and quarantine spam
Web Filtering
• Control access to inappropriate web content
Intrusion Protection
• Identify and record suspicious traffic
Page: 17
23. FortiGate Capabilities
• UTM Features (continued):
Application Control
• Manage bandwidth use
Data Leak Prevention
• Prevents transmission of sensitive information
Page: 17-18
24. FortiGate Capabilities
• Virtual Domains
Single FortiGate functions as multiple units
• Traffic Shaping
Control available bandwidth and priority of traffic
• Secure VPN
Ensure confidentiality and integrity of transmitted data
• WAN Optimization
Improve performance and security
• High Availability
Two or more FortiGates operate as a cluster
Page: 18-19
25. FortiGate Capabilities
• Endpoint Compliance
Use FortiClient End Point Security in network
• Logging
Historical and current analysis of network usage
• User Authentication
Control access to resources
Page: 18-19
26. FortiGate Unit Description
• CPU
Intel processor
• FortiASIC processor
Offload intensive processing
• DRAM
• Flash memory
Store firmware images
• Hard drive
Logs, quarantine, archives
• Interfaces
WAN, DMZ, Internal
Page: 20
27. FortiGate Unit Description
• Serial console port
Management access
• USB port
USB drives or modem
• Wireless
FortiWifi devices can use wireless communications
• Modem
• Module slot bays
Blade card installed in a chassis
• PC card slot
PCMCIA card slot for expansion
Page: 20-21
30. Operating Modes
• NAT/Route Mode
Default configuration
Each FortiGate unit is visible to network it is connected to
Interfaces are on different subnets
Unit functions as a firewall
Page: 24
32. Operating Modes
• Transparent Mode
FortiGate unit is invisible to the network
All interfaces are on the same subnet
Use FortiGate without altering IP infrastructure
Page: 25
51. CLI Command Structure
• Commands
config
• Objects
config system
• Branches
config system interface
• Tables
edit port1
• Parameters
set ip 172.20.110.251 255.255.255.0
Page: 38-44
52. CLI Basics
• Command help
?
config ?
config system ?
• Command completion
? or <tab>
c?
config + <space> + <tab>
• Recalling commands
or
Page: 45
53. CLI Basics
• Editing commands
<CTRL> + <key>
• Line continuation
use at end of each line
• Command abbreviation
get system status can be shortened to g sy st
• IP address formats
192.168.1.1 255.255.255.0
192.168.1.1/24
Page: 46
54. Administrative Users
• Responsible for configuration and operation
• Default: admin
Full read/write control
Can not be renamed
Default password blank
• System administrator
Assigned super_admin profile
• Regular administrator
Access profile other than super_admin
Access configurable
Page: 47
55. Interface Addressing
• Number of physical interfaces varies per model
• Interface addresses configurable
Static
DHCP
PPPoE
Page: 48-51
56. DNS
• Some functions use DNS
Alert email, URL blocking, etc
• Lower end models can retrieve automatically
One interface must use DHCP
Can provide DNS forwarding
Page: 52
57. Configuration Backup and Restore
• Different locations
Local PC
FortiManager
FortiGuard Management Service
USB disk
• Can be encrypted
Required to back up VPN certificates
Page: 53
58. Firmware Upgrades
• File must be obtained from Fortinet
• Apply upgrade
Web Config
CLI
FortiGuard Management Service
Page: 54
59. Lab
• Connecting to Command Line Interface
• Connecting to Web Config
• Configuring Network Connectivity
• Exploring the CLI
• Configuring Global System Settings
• Configuring Administrative Users
Page: 55
60. Agenda
• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering
62. FortiGuard Subscription Services
• Continuously updated security
Antivirus
Intrusion Protection
Web Filtering
Antispam
• Delivered through FortiGuard Distribution Network
Page: 75
63. FortiGuard Distribution Network
• Secure, high availability data centers
• Updated methods
Manual
Push
Pull
Customized frequency
• Devices continuously updated
• Device connects to FortiGuard Service Point
Page: 75-76
64. Connecting to FortiGuard Servers
(Diagram: FortiGate, DNS, service.fortiguard.net, FortiGuard Server 1, FortiGuard Server 2)
Page: 77
72. FortiGuard Antivirus Service
• Latest virus defenses
New and evolving viruses
Spyware
Malware
• Automated updates
Page: 78
73. FortiGuard Intrusion Protection System Service
• Latest defenses against network-level threats
• Library of signatures
• Engines
Anomaly inspection
Deep packet inspection
Full content inspection
Activity inspection
• Supports behavior-based heuristics
Page: 79
74. FortiGuard Web Filtering Service
• Hosted web URL filtering service
• FortiGuard Rating Server
Billions of web page addresses
Regulate and block harmful, inappropriate and dangerous content
• FortiGuard Web Filtering Service
Regulate web activities to meet policy and compliance
CIPA Compliance
Page: 80
75. FortiGuard Antispam Service
• Reduce spam at network perimeter
• Global filters
Sender reputation database (FortiIP)
Spam signature database (FortiSig)
Constantly updated
• Local filters
Banned words
Local white and black lists
Heuristic rules
Bayesian training (in FortiMail)
Page: 81-82
77. Scheduled Updates
• Check for updates at defined times
Once every 1 to 23 hours
Once a day
Once a week
• Must be able to connect to FortiGuard Distribution Network
using HTTPS on port 443
Override server address option may be used
Page: 84
78. Push Updates
• FortiGuard Distribution Network notifies FortiGate units with
push enabled
FortiGate will request update
• Use push in addition to scheduled updates
Receive updates sooner
• If configuring push through a NAT device, configure port
forwarding
Page: 85-87
79. Manual Updates
• Update antivirus and IPS definitions
• Download definition file
• Copy to computer used to connect to Web Config
Page: 88
80. Caching
• Available for web filtering and antispam
• Improves performance
• Uses small % of system memory
• Least recently used IP or URL deleted when cache full
• Time to Live (TTL) controls time in cache
Page: 89
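The cache behaviour on this slide (bounded size, least recently used entry dropped when full, TTL after which an entry no longer counts) as an added Python illustration. This is not FortiOS code and the class names, the fake clock and the sample ratings are my own constructions; the upstream dictionary stands in for rating-server answers.

```python
import time
from collections import OrderedDict


class RatingCache:
    """Toy cache for web-filter ratings / antispam verdicts: bounded size with
    least-recently-used eviction, plus a TTL after which an entry is treated as
    missing. Illustration only, not FortiOS code."""

    def __init__(self, capacity, ttl_seconds, clock=time.monotonic):
        self.capacity = capacity
        self.ttl = ttl_seconds
        self.clock = clock                 # injectable so the demo is deterministic
        self._entries = OrderedDict()      # key -> (value, inserted_at); front = least recently used
        self.hits = 0
        self.misses = 0

    def get(self, key):
        entry = self._entries.get(key)
        if entry is not None:
            value, inserted_at = entry
            if self.clock() - inserted_at <= self.ttl:
                self._entries.move_to_end(key)     # touched: now most recently used
                self.hits += 1
                return value
            del self._entries[key]                 # past TTL: expire, force a fresh lookup
        self.misses += 1
        return None

    def put(self, key, value):
        if key in self._entries:
            self._entries.move_to_end(key)
        elif len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)      # full: drop the least recently used entry
        self._entries[key] = (value, self.clock())

    def keys(self):
        return list(self._entries)

    def __len__(self):
        return len(self._entries)


class FakeClock:
    """Manually advanced clock so the expiry behaviour can be shown offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    cache = RatingCache(capacity=3, ttl_seconds=300, clock=clock)
    # constructed stand-in for the rating server's answers (not real FortiGuard data)
    upstream = {"example.com": "business", "example.net": "news",
                "example.org": "education", "example.edu": "education"}
    remote_lookups = []

    def rate(url):
        verdict = cache.get(url)
        if verdict is None:
            remote_lookups.append(url)     # cache miss: ask the rating server
            verdict = upstream[url]
            cache.put(url, verdict)
        return verdict

    for url in ("example.com", "example.net", "example.org"):
        rate(url)                          # three misses fill the cache
    rate("example.com")                    # hit: example.com becomes most recently used
    rate("example.edu")                    # miss on a full cache: evicts example.net (the LRU entry)
    evicted = "example.net" not in cache.keys()
    clock.advance(301)                     # every entry is now older than the TTL
    rate("example.com")                    # expired: counted as a miss and looked up again
    return {"remote_lookups": remote_lookups, "evicted_net": evicted,
            "hits": cache.hits, "misses": cache.misses, "size": len(cache)}
```

Running `demo()` shows that of six rating requests only one is served from cache: three cold misses, one hit, one miss that evicts the least recently used domain, and one miss caused by TTL expiry rather than by capacity.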
81. FortiGuard Web Filtering Categories
• Wide range of categories to filter upon
Specify action for each category
Allow, Block, Log, Allow Override
• Enabled through protection profile
Page: 90-91
82. FortiGuard Antispam Controls
• Filter email based on type
IMAP, POP3, SMTP
• Filtering options enabled through protection profile
Page: 92
83. Configuring FortiGuard Using the CLI
• CLI can be used to configure communications with
FortiGuard Distribution Network
Override default connection settings
• config system fortiguard
Page: 93
84. FortiGuard Center
• Online knowledge base and resource
Spyware, virus, IPS, web filtering, antispam attack library
Vulnerabilities
Submit spam and dangerous URLs
• Timely threat and vulnerability information
Updated around the clock
Page: 94-95
88. Logging and Alerts
• Track down and pinpoint problems
• Monitor network and Internet traffic
• Monitor normal traffic
Establish baselines
Identify changes for optimal performance
Page: 101
89. Log Storage Locations
• Local hard disk
FortiGate must have hard disk
• FortiAnalyzer
Device for log collection, analysis and storage
• System Memory
Overwrites older logs when capacity reached
Logs lost when FortiGate reset or loses power
• Syslog
Forward logs to remote computer
• FortiGuard Analysis Service
Subscription-based web service
Page: 101-105
90. Logging Levels
• Emergency
System unstable
• Alert
Immediate action required
• Critical
Functionality affected
• Error
Error condition exists, functionality could be affected
• Warning
Functionality could be affected
• Notification
Normal event
• Information
General info about system operations
• Debug
Primarily used as a support function
Page: 106-107
91. Log Types
• Traffic
Traffic between source and destination interface
Only generated when session table entry expires
• Event
Management activity
• AntiVirus
Virus incidents
• Web Filter
Web content blocking actions
• Attack
Attacks detected and blocked
Page: 108
92. Log Types
• AntiSpam
Records detected spam
• Data Leak Prevention
Records data that matches pre-defined sensitive patterns
• Application Control
IM/P2P
• Records IM and P2P information
VoIP
• Logs SCCP violations
Content
• Logs metadata
Page: 108-109
93. Configuring Logging
• Select location and level
• Enable log generation
Protection profile
• Antivirus, web filtering, FortiGuard web filtering, spam filtering, IPS,
IM/P2P and VoIP
Event log
• Management, system and VPN activities
Firewall policy
• Log Allowed Traffic
Page: 110-114
94. Viewing Log Files
• Log&Report > Log Access
• Remote or Memory tabs
Local Disk if available
• Formatted or Raw view
• Select columns to display
• Filter messages
Page: 115-118
95. Content Archiving
• Store session transaction data
HTTP
FTP
NNTP
IM (AIM, ICQ, MSN, Yahoo!)
Email (POP3, IMAP, SMTP)
• Only available with FortiAnalyzer unit
• Summary
Archives content metadata
• Full
Copies of files or email messages
Page: 119-121
96. Alert Email
• Send notification upon detection of a defined event
• Requires one DNS server configured
• Up to 3 recipients
Page: 122
97. SNMP
• Report system information and forward to SNMP manager
• Access SNMP traps from any FortiGate configured for SNMP
• Read-only implementation
• Fortinet-proprietary MIB available
Or use Fortinet-supported standard MIB
• Add SNMP Communities
8 SNMP managers per community
Page: 123-126
98. Lab
• Exploring Web Config Monitoring
• Configuring System Event Logging
• Exploring the FortiAnalyzer Interface
• Configuring Email Alerts
• SNMP Setup (Optional)
Page: 127
101. Firewall Policies
• Control traffic passing through FortiGate
What to do with connection request?
• Packet analyzed, content compared to policy
ACCEPT
DENY
• Source, destination and service must match policy
Policy directs action
• Protection profile used with policy
Apply protection settings
• Logging enabled to view connections using policy
Page: 137
102. Policy Matching
• Searches policy list for matching policy
Based on source and destination
• Starts at top of the list and searches down for match
First match is applied
Arrange policies from more specific to more general
• Policies configured separately for each virtual domain
• Move policies in list to influence order evaluated
Page: 138-141
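The top-down, first-match evaluation described on this slide, together with the two address notations from the CLI Basics slide (`192.168.1.1 255.255.255.0` and `192.168.1.1/24`), as an added Python illustration. It is not FortiOS code: `Policy`, `first_match`, `shadowed_policies` and the sample policy lists are my own constructions. `shadowed_policies` is an added audit that flags a specific policy sitting below a broader one that already covers everything it could match, which is exactly the misordering the "specific to general" rule guards against.

```python
import ipaddress
from dataclasses import dataclass


def parse_network(text):
    """Accept 'a.b.c.d mask', 'a.b.c.d/prefix' or 'all' (any address)."""
    text = text.strip()
    if text.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    parts = text.split()
    if len(parts) == 2:                      # 'address netmask' form from the CLI
        text = "/".join(parts)
    return ipaddress.ip_network(text, strict=False)


@dataclass
class Policy:
    id: int
    src: str
    dst: str
    service: str        # "tcp/80", "udp/53" or "ANY"
    action: str         # "ACCEPT" or "DENY"

    def matches(self, src_ip, dst_ip, proto, port):
        if ipaddress.ip_address(src_ip) not in parse_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in parse_network(self.dst):
            return False
        return self._service_covers(proto, port)

    def _service_covers(self, proto, port):
        if self.service.upper() == "ANY":
            return True
        svc_proto, svc_port = self.service.split("/")
        return svc_proto.lower() == proto.lower() and int(svc_port) == port


def first_match(policies, src_ip, dst_ip, proto, port):
    """Walk the list from the top; the first policy whose source, destination
    and service all match decides the action. No match means implicit deny."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, proto, port):
            return policy
    return None


def shadowed_policies(policies):
    """Ids of policies that can never be reached because an earlier policy is
    at least as broad in source, destination and service."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            broader_src = parse_network(later.src).subnet_of(parse_network(earlier.src))
            broader_dst = parse_network(later.dst).subnet_of(parse_network(earlier.dst))
            broader_svc = (earlier.service.upper() == "ANY"
                           or earlier.service.lower() == later.service.lower())
            if broader_src and broader_dst and broader_svc:
                shadowed.append(later.id)
                break
    return shadowed


# constructed sample policy lists (addresses are documentation/private ranges)
MISORDERED = [
    Policy(1, "all", "all", "ANY", "ACCEPT"),                                  # general first: wrong
    Policy(2, "10.0.1.0 255.255.255.0", "192.168.50.10/32", "tcp/23", "DENY"),  # never reached
]
CORRECT = [MISORDERED[1], MISORDERED[0]]                                        # specific first
```

With `MISORDERED`, a Telnet connection from 10.0.1.25 to 192.168.50.10 is accepted by policy 1 before the deny is ever consulted; with `CORRECT` the same packet hits policy 2 and is denied, while other traffic still falls through to policy 1. `shadowed_policies(MISORDERED)` reports policy 2 as unreachable, which is the check to run whenever policies are moved in the list.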
103. User Authentication to Firewall Policies
• User challenged to identify themselves before using policy
Before matching policies not requiring authentication
• Available for policies with:
Action set to ACCEPT
SSL VPN
• Authentication methods
Username + Password
Digital certificates
LDAP
RADIUS
TACACS+
Active Directory
• FSAE required
Page: 142
104. Authentication Protocols
• Protocol used to issue authentication challenge specified
• Firewall policy must include protocol
HTTP
HTTPS
Telnet
FTP
Page: 142
106. Firewall Addresses
• Added to source and destination address
Match source and destination IP address of packets received
• Default of ALL
Represents any IP address on the network
• Address configured with name, IP address and mask
Also use FQDN
Must be unique name
• Groups can be used to simplify policy creation and
management
Page: 144-148
107. Firewall Schedules
• Control when policies are active or inactive
• One-time schedule
Activate or deactivate for a specified period of time
• Recurring schedule
Activate or deactivate at specified times of the day or week
Page: 149-150
108. Firewall Services
• Determine types of communications accepted or denied
• Predefined services applied to policy
Custom service if not on predefined list
• Group services to simplify policy creation and management
Page: 151-153
109. Network Address Translation (NAT)
• Translate source address and port of packets accepted by
policy
Page: 154
121. Fixed Port
• Prevent NAT from translating the source port
Some applications do not function correctly if source port translated
• If Dynamic Pool not enabled, policy with Fixed Port can only
allow one connection to that service at a time
Page: 156
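The source address and port translation from the NAT slide, and the Fixed Port limitation from this one, as an added Python model. It is not FortiOS code: the `Packet` and `SourceNat` names, the port numbering and the sample addresses are constructed. The model keeps a session table so that replies from the server can be mapped back to the inside host, and with `fixed_port=True` it refuses a second inside host that reuses a source port already in use toward the same service, since without port translation the two replies would be indistinguishable.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class SourceNat:
    """Toy source NAT behind one public address (the slide's 'one public address
    used to represent a group of computers'). Illustration only, not FortiOS code."""

    def __init__(self, public_ip, fixed_port=False, first_ephemeral=40000):
        self.public_ip = public_ip
        self.fixed_port = fixed_port
        self._ports = itertools.count(first_ephemeral)   # translated source ports
        # session table, outside view -> inside origin
        self.sessions = {}   # (public_port, dst_ip, dst_port, proto) -> (inside_ip, inside_port)
        self._inside = {}    # (inside_ip, inside_port, dst_ip, dst_port, proto) -> public_port

    def outbound(self, pkt):
        """Translate a packet leaving the private network; None means it cannot be sent."""
        inside_key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        public_port = self._inside.get(inside_key)
        if public_port is None:                      # new session
            public_port = pkt.src_port if self.fixed_port else next(self._ports)
            outside_key = (public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
            if outside_key in self.sessions:
                # Fixed Port: another inside host already owns this tuple toward the
                # server, so a second connection to that service cannot be translated
                return None
            self.sessions[outside_key] = (pkt.src_ip, pkt.src_port)
            self._inside[inside_key] = public_port
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Map a reply back to the inside host via the session table; drop if unknown."""
        if pkt.dst_ip != self.public_ip:
            return None
        origin = self.sessions.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if origin is None:
            return None                              # no session: unsolicited inbound traffic
        return Packet(pkt.src_ip, pkt.src_port, origin[0], origin[1], pkt.proto)


def demo(fixed_port):
    """Two inside hosts using the same source port to one web server."""
    nat = SourceNat("198.51.100.1", fixed_port=fixed_port)
    server = ("203.0.113.7", 80)
    first = nat.outbound(Packet("192.168.1.10", 5000, *server))
    second = nat.outbound(Packet("192.168.1.11", 5000, *server))
    reply = nat.inbound(Packet(server[0], server[1], "198.51.100.1", first.src_port))
    stray = nat.inbound(Packet(server[0], server[1], "198.51.100.1", 6000))   # no session
    return first, second, reply, stray
```

`demo(False)` gives the two hosts distinct public ports 40000 and 40001 and routes the reply on port 40000 back to 192.168.1.10:5000; `demo(True)` keeps port 5000 for the first host and returns `None` for the second, the collision the Fixed Port slide warns about. In both cases a reply for which no session exists is dropped.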
127. Virtual IPs
• Allow connections using NAT firewall policies
• Addresses in packets are remapped and forwarded
Client address does not appear in packet server receives
• Upon reply, session table used to determine what destination
address should be mapped to
Page: 157-158
128. DNAT
• NAT not selected in firewall policy
Policy performs destination network address translation (DNAT)
• Accepts packet from external network intended for specific
address, translates destination address to IP on another
network
Page: 159
139. Server Load Balancing
• Dynamic one-to-many NAT mapping
• External IP address translated to a mapped IP address
Determined by load balancing algorithm
• External IP address not always translated to same mapped
IP address
Page: 160
146. Protection Profiles
• Control all content filtering
• Group of protection settings applied to traffic
Types and levels of protection customized for each policy
• Enables settings for:
Protocol Recognition
Anti-Virus
IPS
Web Filtering
Spam Filtering
Data Leak Prevention Sensor
Application Control
Logging
Page: 161
147. Default Protection Profiles
• Strict
Maximum protection
• Scan
Applies virus scanning to HTTP, FTP, IMAP, POP3, SMTP
• Web
Applies virus scanning and web content blocking to HTTP
• Unfiltered
No scanning, blocking or IPS
Page: 162-172
148. Traffic Shaping
• Control bandwidth available to traffic processed by firewall
policy
Which policies have higher priority?
• Improve quality of bandwidth-intensive traffic
Does NOT increase total bandwidth available
Page: 173
149. Token Bucket Filter
• Dampening function
Delays traffic by buffering bursts
Does not schedule traffic
• Configured rate is never exceeded
Page: 174
150. Token Bucket Filter Mechanism
• Bucket has specified capacity
Tokens added to bucket at mean rate
• If bucket fills, new tokens discarded
• Bucket requests number of tokens equal to packet size
• If not enough tokens in bucket, packet buffered
• Flow will never send packets more quickly than capacity of
the bucket
• Overall transmission rate does not exceed rate tokens placed
in bucket
Page: 175
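The mechanism on this slide carried through as an added Python simulation (not FortiOS code; the function names and the arrival pattern are my own). Tokens accrue at the configured rate but never beyond the bucket capacity, a packet is sent only when the bucket holds tokens equal to its size, otherwise it is buffered in arrival order until enough have accumulated, and a packet larger than the bucket can never be sent.

```python
def shape(capacity, rate, arrivals):
    """Simulate a token bucket shaper.

    capacity: bucket size in bytes (largest possible burst)
    rate:     tokens (bytes) added to the bucket per second
    arrivals: list of (arrival_time_seconds, packet_size_bytes) in arrival order (FIFO)
    Returns a list of (send_time, size) in the same order.
    """
    tokens = float(capacity)          # bucket starts full
    last_refill = 0.0
    prev_send = 0.0
    sent = []
    for arrival, size in arrivals:
        if size > capacity:
            # the bucket can never hold enough tokens for this packet
            raise ValueError(f"packet of {size} bytes exceeds bucket capacity {capacity}")
        now = float(max(arrival, prev_send))     # FIFO: cannot overtake an earlier buffered packet
        tokens = min(float(capacity), tokens + (now - last_refill) * rate)  # refill; surplus discarded
        if tokens < size:
            now += (size - tokens) / rate         # buffer until enough tokens have accumulated
            tokens = float(size)
        tokens -= size                            # the packet takes tokens equal to its size
        last_refill = prev_send = now
        sent.append((round(now, 6), size))
    return sent


def bytes_sent_in_window(sent, start, length):
    """Bytes transmitted with start <= send_time <= start + length."""
    return sum(size for t, size in sent if start <= t <= start + length)


def demo():
    # constructed arrivals: a 3-packet burst at t=0, then 2 packets after a 10 s idle gap
    arrivals = [(0, 1000), (0, 1000), (0, 1000), (10, 1000), (10, 1000)]
    return shape(capacity=1500, rate=1000, arrivals=arrivals)
```

With a 1500-byte bucket and 1000 bytes/s, the first 1000-byte packet leaves immediately from the full bucket, the second waits 0.5 s and the third a further second; the 10 s idle gap refills the bucket only to its 1500-byte capacity, so the next burst again gets one packet out immediately and one delayed. Over the initial 1.5 s window exactly 3000 bytes go out, which is the bound `capacity + rate * window`.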
157. Traffic Shaping Considerations
• Attempt to normalize traffic peaks
Prioritize certain flows over others
• Physical limitation to how much data can be buffered
Packets may be dropped, sessions affected
• Performance on one traffic flow may be sacrificed to
guarantee performance on another
• Not effective in high-traffic situations
Where traffic exceeds FortiGate unit’s capacity
Packets must be received before they can be subject to shaping
• If shaping not applied to policy, default is high priority
Page: 176-177
158. Disclaimers
• Accept disclaimer before connecting
• Use with authentication or protection profile
• Can redirect to a URL after authentication
Page: 178
162. Virtual Private Networks (VPN)
• Use public network to provide access to private network
• Confidentiality and integrity of data
• Authentication, encryption and restricted access
Page: 195
163. FortiGate VPN
• Secure Socket Layer (SSL) VPN
Access through web browser
• Point-to-Point Tunneling Protocol (PPTP)
Windows standard
• Internet Protocol Security (IPSec) VPN
Dedicated VPN software required
Well suited for legacy applications (not web-based)
Page: 195-196
164. SSL VPN Operating Modes
• Web-only mode
Web browser only
Secure connection between browser and FortiGate unit
FortiGate acts as gateway
• Authenticates users
• Tunnel mode
VPN software downloaded as ActiveX control
FortiGate unit assigns client IP address from range of reserved
addresses
Page: 197-199
165. User Accounts
• Must have user account assigned to SSL VPN user group
• Users must authenticate
Username + Password
RADIUS
TACACS+
LDAP
Digital certificates
• User group provides access to firewall policy
• Split tunneling available
Only traffic destined for tunnel routed over VPN
Page: 200-202
166. Web-Only Configuration
• Enable SSL VPN
• Create user accounts
Assign to user group
• Create firewall policy
• Setup logging (optional)
Page: 204
167. Tunnel Mode Configuration
• Enable SSL VPN
• Specify tunnel IP range
• Create user group
• Create firewall policy
Page: 205
168. SSL VPN Settings
• Tunnel IP Range
Reserve range of IPs for SSL VPN clients
• Server Certificate, Require Client Certificate
Certificates must be installed
• Encryption Key Algorithm
• Idle Time-out
• Client Authentication Time-Out
CLI only
• Portal Message
• Advanced
DNS and WINS Servers
Page: 206-208
169. Firewall Policies
• At least one SSL VPN firewall policy required
• Specify originating IP address
• Specify IP address of intended recipient or network
• Configuration steps:
Specify source and destination IP address
Specify level of encryption
Specify authentication method
Bind user group to policy
Page: 209
170. Firewall Addresses
• Web-only mode
Predefined source address of ALL
Destination IP address where remote client needs to access
• Entire private network, range of private IPs, private IP of host
• Tunnel mode
Source is range of IP addresses that can be connected to FortiGate
• Restrict who can access FortiGate
Destination IP address where remote client needs to access
• Entire private network, range of private IPs, private IP of host
Page: 209
171. Configuring Web-Only Firewall Policies
• Specify destination IP address
Name
Type
Subnet/IP range
Interface
• Define policy
Action: SSL-VPN
Add user group
Page: 210-212
172. Configuring Tunnel-Mode Firewall Policies
• Specify source IP addresses
Addresses that can connect to FortiGate
• Specify destination IP address
Addresses clients need to access
• Specify level of encryption
• Specify authentication type
• Bind user group to policy
• ssl.root
Page: 213-218
174. Connecting to the SSL VPN
• https://<FortiGate_IP_address>:10443
Port customizable
• SSL-VPN Web Portal page displayed
Bookmarks
• What appears is pre-determined by administrator’s settings
in User > User Group and VPN > SSL > Portal > Settings
Page: 222
177. PPTP VPN
• Uses Point-to-Point Protocol (PPP) authentication
PPP software operates on tunneled links
• Encapsulates PPP packets within IP packets
Not cryptographically protected
• PPTP packets not authenticated or integrity protected
• FortiGate unit assigns client IP address from reserved range
Assigned IP used for duration of connection
• FortiGate unit disassembles PPTP packet and forwards to
correct computer on internal network
Page: 223
178. PPTP VPN
• FortiGate unit can act as PPTP server
• FortiGate unit can forward PPTP packets to PPTP server
Page: 224
181. PPTP Server Configuration
• Configure user authentication for PPTP clients
• Enable PPTP on FortiGate unit
• Configure PPTP server
• Configure client
Page: 226
182. PPTP Pass-Through Configuration
• Configuration required to forward PPTP packets to PPTP
server
• Define virtual IP that points to PPTP server
• Configure firewall policy
• Configure client
Page: 227
183. IPSec VPN
• Industry standard set of protocols
• Layer 3
Applications do not need to be designed to use IPSec
• IP packets encapsulated with IPSec packets
Header of new packet refers to end point of tunnel
• Phase 1
Establish connection
Authenticate VPN peer
• Phase 2
Establish tunnel
Page: 228
184. IPSec Protocols
• Authentication Header (AH)
Authenticate identity of sender
Integrity of data
Entire packet signed
• Encapsulating Security Payload (ESP)
Encrypts data
Signs data only
Page: 229
187. Modes of Operation
• Tunnel mode
Entire IP packet encrypted and/or authenticated
Packet then encapsulated for routing
• Transport mode
Only data in packet encrypted and/or authenticated
Header not modified or encrypted
Page: 230
188. Security Association (SA)
• Defines bundle of algorithms and parameters
Encrypt and authenticate one-directional data flow
• Agreement between two computers about the data
exchanged and protected
Page: 230
189. Internet Key Exchange (IKE)
• Allows two parties to setup SAs
Secret keys
• Uses Internet Security Association Key Management
Protocol (ISAKMP)
Framework for establishing SAs
• Two distinct phases
Phase 1
Phase 2
Page: 231
190. Phase 1
• Authenticate computer involved in transaction
• Negotiate SA policy between computers
• Perform Diffie-Hellman key exchange
• Set up secure tunnel
• Main mode (three exchanges)
Algorithms used agreed upon
Generate secret keys and nonces
Other side’s identity verified
• Aggressive mode (one exchange)
Everything needed to complete exchange
Page: 231
191. Phase 2
• Negotiate SA parameters to set up secure tunnel
• Renegotiate SAs regularly
Page: 232
192. Gateway-to-Gateway Configuration
• Tunnel between two separate private networks
• All traffic encrypted by firewall policies
• FortiGate units at both ends must be in NAT/Route mode
Page: 234
196. Authenticating the FortiGate Unit
• Authenticate itself to remote peers
• Pre-shared key
All peers must use same key
• Digital certificates
Must be installed on peer and FortiGate
Page: 237-238
197. Authenticating Remote Clients
• Permit access using trusted certificates
FortiGate configured for certificate authentication
• Permit access using peer identifier
• Permit access using pre-shared key
Each peer or client must have user account
• Permit access using peer identifier and pre-shared key
Each peer or client must have user account
Page: 239
198. XAuth Authentication
• Separate exchange at end of phase 1
Increased security
• Draws on existing FortiGate user group definitions
• FortiGate can be XAuth server or XAuth client
Page: 239
201. Firewall Policies
• Policies needed to control services and direction of traffic
• Firewall addresses needed for each private network
• Policy-Based VPN
Specify interface to private network, remote peer and VPN tunnel
Single policy for inbound, outbound or both directions
• Route-Based VPN
Requires ACCEPT policy for each direction
Creates Virtual IPSec interface on interface connecting to remote
peer
Page: 247-250
202. Lab
• Configuring SSL VPN for Full Access (Web Portal and
Tunnel Mode)
• Configuring a Basic Gateway-to-Gateway VPN
Page: 251
205. Authentication
• User or administrator prompted to identify themselves
Only allowed individuals perform actions
• Can be configured for:
Any firewall policy with action of ACCEPT
PPTP and L2TP VPNs
Dial-up IPSEC VPN set up as XAuth server
Dial-up VPN accepting user group as peer ID
Page: 263
206. Authentication Methods
• Local user
User names and passwords used to authenticate stored on
FortiGate
• Remote
Use existing systems to authenticate
• RADIUS
• LDAP
• PKI
• Windows Active Directory
• TACACS+
Page: 264-265
207. Users and User Groups
• Authentication based on user groups
User created
User added to groups
• User
Account created on FortiGate or external authentication server
• User group
Users or servers as members
Specify allowed groups for each resource requiring authentication
Group associated with protection profile
Page: 266-267
208. User Group Types
• Firewall
Access to firewall policy that requires authentication
FortiGate requests user name and password (or certificate)
• Directory Service
Allow access to users in DS groups already authenticated
• Single sign on
Requires FSAE
• SSL VPN
Access to firewall policy that requires SSL VPN authentication
Page: 268-270
209. Authentication overrides
• Require access to blocked site
Override block for period of time
• Link to authenticate presented
Page: 271
211. PKI Authentication
• Valid certificate required
• SSL used for secure connection
• Trusted certificates installed on FortiGate and client
Page: 273
212. RADIUS Authentication
• User credentials sent to RADIUS server for authentication
• Shared key used to encrypt data exchanged
• Primary and secondary servers identified on FortiGate unit
Page: 274
213. LDAP Authentication
• User credentials sent to LDAP server for authentication
• LDAP server details identified on FortiGate
Page: 275
214. TACACS+ Authentication
• User credentials sent to TACACS+ server for authentication
• Choice of authentication types:
Auto
ASCII
PAP
CHAP
MSCHAP
Page: 276
215. Microsoft Active Directory Authentication
• Transparently authenticate users
Fortinet Server Authentication Extensions (FSAE) passes
authentication information to FortiGate
Sign in once to Windows, no authentication prompts from FortiGate
Page: 277
216. FSAE Components
• Domain Controller Agent
Installed on every domain controller
Monitors user logons, sends to Collector Agent
• Collector Agent
Installed on at least one domain controller
Sends information collected to FortiGate
Page: 278
217. FSAE Configuration on Microsoft AD
• Configure Microsoft AD user groups
All members of a group have same access level
FSAE only sends Domain Local Security Group and Global Security
Group to FortiGate
• Configure Collector Agent settings
Domain controllers to monitor
• Global Ignore list
Exclude system accounts
• Group filters
Control logon information sent to FortiGate
Page: 279-280
218. FSAE Configuration on FortiGate
• Configure Collector Agents
FortiGate to access at least one collector agent
Up to five can be listed
• Configure user groups
AD groups added to FortiGate user groups
• Configure firewall policy
• Allow guests
Users not listed in AD
Protection profile for FSAE firewall policy
Page: 281
219. Labs
• Firewall Policy Authentication
• Adding User Disclaimers and Redirecting URLs
Page: 282
234. Grayware Categories
• Plugins
Add additional features to an existing application
• Remote Administration Tools (RAT)
Remotely change or monitor a computer on a network
• Toolbars
Augment capabilities of browser
Page: 301-303
235. Spyware
• Component of adware
Track user activities online
Report activities to central server
Target advertising based on online habits
Page: 304-305
236. Quarantine
• Quarantine blocked or infected files
FortiGate unit with hard drive
FortiAnalyzer
• Files uploaded to Fortinet for analysis
Page: 306-307
237. Proxies
• Intercepts all connection requests and responses
• Buffers and scans response before flushing to client
• Splicing
Prevent client from timing out
Server sends part of response to client while buffering
Final part sent if response is clean
FTP uploads, email protocols (SMTP, POP3, IMAP)
• Client comforting
Prevent timeout while files buffered and scanned by FortiGate
Can provide visual status to user that progress being made
HTTP and FTP downloads
Page: 308
243. Spam Filtering Methods
• IP address check
Verify source IP address against list of known spammers
• URL check
Extract URLs and verify against list of spam sources
• Email checksum check
Calculate checksum of message and verify against list of known
spam messages
• Spam submission
Inform FortiGuard
• Black/White list
Check incoming IP and email addresses against known list
SMTP only
Page: 322-323
244. Spam Filtering Methods
• HELO DNS lookup
Check source domain name against registered IP address in DNS
• Return email DNS check
Check incoming return address domain against registered IP in
DNS
• Banned word
Check email against banned word list
• MIME headers check
Check MIME headers against list
• DNSBL and ORDBL
Check email against configured servers
Page: 322-323
245. FortiGuard Antispam Global Filters
• FortiIP sender IP reputation database
Reputation of IP based on properties related to address
• Email volume from a sender
Compare sender’s recent volume with historical pattern
• FortiSig
Spam signature database
FortiSig1
• Spamvertised URLs
FortiSig2
• Spamvertised email addresses
FortiSig3
• Spam checksums
• FortiRule
Heuristic rules
FortiMail only
Page: 324-325
246. Customized Filters
• Complement FortiGuard
• Banned word lists
• Local black/white list
• Heuristic rules
• Bayesian
FortiMail only
Page: 325
248. Spam Actions
• Tag or discard spam email
Add custom text to subject or insert MIME header and value
• Only discard if SMTP and virus check enabled
• Spam actions logged
Page: 327
249. Banned Word
• Block messages containing specific words or patterns
Values assigned to matches
If threshold exceeded, messages marked as spam
• Perl regular expressions and wildcards can be used
Page: 328-334
250. Black/White List
• IP address filtering
Compare IP address of sender to IP address list
If match, action is taken
• Email address filtering
Compare email address of sender to email address list
If match, action is taken
Page: 335
253. MIME Headers Check
• MIME headers added to email
Describe content type and encoding
• Malformed headers can fool spam or virus filters
• Compare MIME header key-value of incoming email to list
If match, action is taken
Page: 343
254. DNSBL and ORDBL
• Published lists of suspected spammers
• Add subscribed servers
Define action
Page: 344
255. FortiMail Antispam
• Enhanced set of features for detecting and blocking spam
Some techniques not available in FortiGate
• Stand-alone antispam system
Can be second layer in addition to FortiGate
• Legacy virus protection
• Email quarantine
Page: 345
258. Web Filtering
• Process web content to block inappropriate or malicious
content
• Categorized content
76 categories
40 million domains
Billions of web pages
Automated updates
• Check web addresses against list
• Customizable
Page: 349
259. Order of Filtering
• URL Filtering
Exempt, Block, Allow
• FortiGuard Web Filtering
• Content Exempt
Customizable
• Content Block
Customizable
• Script Filter
Page: 349
260. Web Content Block
• Block specific words or patterns
Score assigned to pattern
Page blocked if greater than threshold
Perl regular expressions or wildcards can be used
Page: 350-353
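The score-and-threshold mechanism shared by the Banned Word slide (antispam) and this Web Content Block slide, as an added Python illustration. It is not FortiOS code: the class, the wildcard-to-regex translation, the scores and the sample messages are constructed, and "exceeds the threshold" is taken literally as strictly greater than. The rule set is something an administrator configures, so the filter also caps how much text it scans per message, an added safeguard and not a behaviour the slides describe.

```python
import re


def wildcard_to_regex(pattern):
    """Translate the wildcard form: '*' matches any run of characters, '?' exactly one."""
    return re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")


class BannedWordFilter:
    """Each matching pattern adds its score; the message or page is blocked when
    the total exceeds the threshold. Illustration only, not FortiOS code."""

    def __init__(self, threshold, max_scan_chars=65536):
        self.threshold = threshold
        self.max_scan_chars = max_scan_chars   # bound the work an oversized body can cause
        self.rules = []                        # (pattern_text, compiled_regex, score)

    def add(self, pattern, score, kind="wildcard"):
        if kind == "regex":
            compiled = re.compile(pattern, re.IGNORECASE)        # Perl-style regular expression
        elif kind == "wildcard":
            compiled = re.compile(wildcard_to_regex(pattern), re.IGNORECASE)
        else:
            raise ValueError(f"unknown pattern kind: {kind}")
        self.rules.append((pattern, compiled, score))

    def score(self, text):
        """Return (total_score, [patterns that matched]); each rule counts at most once."""
        text = text[: self.max_scan_chars]
        total, matched = 0, []
        for pattern, compiled, score in self.rules:
            if compiled.search(text):
                total += score
                matched.append(pattern)
        return total, matched

    def is_blocked(self, text):
        total, _ = self.score(text)
        return total > self.threshold          # blocked only when the threshold is exceeded


def build_demo_filter():
    """Constructed rule set with made-up scores, not a Fortinet-supplied list."""
    f = BannedWordFilter(threshold=10)
    f.add("free money", 8)                                 # plain wildcard pattern, no wildcards
    f.add("click here*", 4)                                # trailing '*': 'click here', 'click here now', ...
    f.add(r"\b(lottery|jackpot)\b", 10, kind="regex")      # regex, whole words only
    f.add("unsubscribe", 1)
    return f
```

Two rules scoring 8 and 4 together exceed the threshold of 10 and block the message, while a single rule scoring exactly 10 does not, because the score must be greater than the threshold, not equal to it. Patterns are matched case-insensitively and each rule contributes once no matter how often it occurs.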
267. FortiGuard Web Filter
• Managed web filtering solution
Web pages rated and categorized
• Determines category of site
Follows firewall policy
• Allow, block, log, or override
• Ratings based on:
Text analysis
Exploitation of web structure
Human raters
Page: 363
268. Web Filtering Categories
• Categories based on suitability for enterprises, schools, and
home
Potentially liable
Controversial
Potentially non-productive
Potentially bandwidth consuming
Potential security risks
General interest
Business oriented
Others
Page: 364
269. Web Filtering Classes
• Classify web page based on media type or source
Further refine web access
Prevent users from finding blocked material
• Classes
Cached contents
Image search
Audio search
Video search
Multimedia search
Spam URL
Unclassified
Page: 365
272. Web Filtering Overrides
• Give user ability to override firewall filter block
Administrative overrides
User overrides
• Override permissions configured at user group level or with
override rules
• User group level overrides
Group of users have same level of overrides
Assumes authentication enabled on policy
• Override rules
Fine granularity
Access domain, directory or category
Page: 369