Fortigate-Firewall-Complete-Guide





SUPPORT ME – 🚩💲🙏

“Welcome to the FortiGate Firewall Complete Guide! This comprehensive GitHub repository offers detailed lab guides and invaluable information for mastering FortiGate firewalls. Created with countless days and nights of dedication, this guide is entirely free for your benefit. If you find it helpful, please consider showing your support with a coffee ☕️ or your best wishes. Your encouragement fuels the continuation of this resource. Thank you for being part of this journey! 🚀🔥 #FortiGate #Firewall #Networking”




Lab Resources:

How can I do the lab?

Website Version of Full Guide


Topics to be covered:

| No | Name |
| --- | --- |
| Module 1 | Introduction to Fortigate Firewall |
| Module 2 | Interface Configurations and Firewall Policies |
| Module 3 | High availability |
| Module 4 | Firewall Authentication |
| Module 5 | Security Profiles |
| Module 6 | Logging and Monitoring |
| Module 7 | Basic IPSEC VPN |
| Module 8 | SSL VPN (Upcoming..) |
| Module 9 | ** (Upcoming..) |

MODULE 1

Introduction to Fortigate Firewall



I. Understanding the Features of FortiGate:

FortiGate is a family of network security appliances developed by Fortinet, designed to provide a wide range of security features to protect networks from various threats. Understanding the features of FortiGate involves grasping its capabilities in different areas of network security. Here’s a detailed breakdown:

  1. Firewall: FortiGate operates as a firewall, providing traditional packet filtering capabilities to monitor and control the traffic passing through the network based on predefined rules. It can inspect packets at the application layer for more granular control.
  2. Intrusion Prevention System (IPS): FortiGate includes an IPS module that identifies and blocks malicious activities within the network. It analyzes traffic patterns and signatures to detect and prevent known attacks, such as SQL injection, buffer overflow, and denial-of-service (DoS) attacks.
  3. Virtual Private Network (VPN): FortiGate supports VPN technologies, allowing secure communication between remote sites or individual users and the corporate network over untrusted networks like the Internet. It offers various VPN types such as SSL VPN, IPsec VPN, and L2TP.
  4. Antivirus and Antimalware: FortiGate includes antivirus and antimalware functionalities to detect and block malicious software, including viruses, worms, Trojans, and spyware. It can inspect files and URLs in real time to prevent the spread of malware within the network.
  5. Web Filtering: FortiGate can enforce web filtering policies to control access to websites based on categories, URLs, or specific keywords. It helps organizations enforce acceptable use policies, improve productivity, and mitigate security risks associated with malicious or inappropriate web content.
  6. Application Control: FortiGate offers application control features to identify and control the usage of various applications within the network. It can classify applications based on their behavior and characteristics, allowing administrators to define policies to permit, deny, or limit access to specific applications.
  7. Data Loss Prevention (DLP): FortiGate includes DLP capabilities to prevent the unauthorized transmission of sensitive data outside the network. It can inspect outgoing traffic for predefined data patterns such as credit card numbers, social security numbers, or intellectual property, and enforce policies to prevent data leakage.
  8. Advanced Threat Protection (ATP): FortiGate integrates advanced threat protection mechanisms such as sandboxing and behavior-based analysis to detect and block sophisticated threats like zero-day exploits and targeted attacks. It isolates suspicious files in a sandbox environment to observe their behavior before allowing them into the network.
  9. Traffic Shaping and Quality of Service (QoS): FortiGate allows administrators to prioritize and control network traffic based on predefined policies. It can allocate bandwidth, enforce traffic shaping rules, and ensure quality of service for critical applications to optimize network performance and user experience.
  10. Logging and Reporting: FortiGate provides extensive logging and reporting capabilities to track network activity, security events, and policy violations. It generates detailed reports and alerts for administrators to analyze security incidents, troubleshoot issues, and maintain compliance with regulatory requirements.

II. FortiGuard Queries & Packages

FortiGuard is a comprehensive security intelligence service provided by Fortinet that offers real-time updates and protection against emerging threats for Fortinet products, including FortiGate. FortiGuard queries and packages play a crucial role in keeping security solutions up-to-date and effective. Here’s a detailed explanation:

FortiGuard Queries

FortiGuard queries are requests made by Fortinet security products, such as FortiGate firewalls, to the FortiGuard service infrastructure. These queries are initiated to retrieve the latest threat intelligence, security updates, and other relevant information needed to enhance the security posture of the network. Key aspects of FortiGuard queries include:

FortiGuard Packages

FortiGuard packages are bundles of security updates, intelligence feeds, and definitions provided by Fortinet as part of the FortiGuard subscription service. These packages contain the latest threat intelligence and updates necessary to keep Fortinet security solutions, including FortiGate firewalls, up to date and protected against evolving threats. Key aspects of FortiGuard packages include:

III. Understanding UTM (Unified Threat Management) Firewalls and FortiGate

UTM (Unified Threat Management) Firewalls, like FortiGate, are known for their comprehensive approach to network security. Here’s a detailed explanation of why FortiGate is considered a UTM firewall and an overview of UTM firewall features:

Why is FortiGate a UTM Firewall?

FortiGate is commonly referred to as a UTM firewall due to its integration of multiple security features into a single platform. Instead of relying on separate devices for various security functions, FortiGate consolidates these functionalities into a unified solution. This integration offers several advantages:

UTM Firewall Features

UTM firewalls like FortiGate typically offer a wide range of security features to protect networks from various threats. Here’s an overview of key UTM firewall features:

  1. Firewall: UTM firewalls include traditional packet filtering capabilities to monitor and control network traffic based on predefined rules. They can inspect packets at the application layer for granular control.
  2. Intrusion Prevention System (IPS): UTM firewalls incorporate an IPS module to detect and block known and unknown network attacks, including exploits, vulnerabilities, and protocol anomalies.
  3. Virtual Private Network (VPN): UTM firewalls support VPN technologies for secure communication between remote sites or individual users and the corporate network over untrusted networks like the internet.
  4. Antivirus and Antimalware: UTM firewalls provide antivirus and antimalware functionalities to detect and block malicious software, including viruses, worms, Trojans, and spyware.
  5. Web Filtering: UTM firewalls enforce web filtering policies to control access to websites based on categories, URLs, or specific keywords, helping organizations enforce acceptable use policies and mitigate security risks.
  6. Application Control: UTM firewalls offer application control features to identify and control the usage of various applications within the network, allowing administrators to define policies to permit, deny, or limit access to specific applications.
  7. Data Loss Prevention (DLP): UTM firewalls include DLP capabilities to prevent the unauthorized transmission of sensitive data outside the network by inspecting outgoing traffic for predefined data patterns.
  8. Advanced Threat Protection (ATP): UTM firewalls integrate advanced threat protection mechanisms such as sandboxing and behavior-based analysis to detect and block sophisticated threats like zero-day exploits and targeted attacks.
  9. Traffic Shaping and Quality of Service (QoS): UTM firewalls allow administrators to prioritize and control network traffic based on predefined policies, optimizing network performance and user experience.
  10. Logging and Reporting: UTM firewalls provide extensive logging and reporting capabilities to track network activity, security events, and policy violations, enabling administrators to analyze security incidents and maintain compliance.

IV. FortiGate Firewall Platform Design and Architecture

FortiGate is a next-generation firewall platform designed to deliver comprehensive network security and performance. Its architecture consists of various components working together to provide advanced threat protection, network segmentation, and secure connectivity. Let’s explore each component in detail:


1. Processing Units

a. CPU (Central Processing Unit)

The CPU is the core processing unit responsible for executing firewall operations, packet processing, and running various security services. FortiGate utilizes multi-core CPUs to handle high-throughput traffic and complex security functions efficiently.

b. NP (Network Processor)

FortiGate includes specialized network processors, such as FortiASIC NP6 and NP7, dedicated to offloading and accelerating specific tasks like packet forwarding, encryption/decryption, and content processing. These NP chips enhance firewall performance and scalability.

2. Security Services

a. Firewall

The firewall component enforces security policies by inspecting and filtering network traffic based on predefined rules, ensuring only authorized traffic flows through the network.

b. IPS (Intrusion Prevention System)

The IPS module detects and prevents known and unknown network attacks by analyzing traffic patterns, signatures, and behavior anomalies, protecting against exploits, malware, and vulnerabilities.

c. VPN (Virtual Private Network)

FortiGate supports various VPN technologies, including IPsec, SSL, and L2TP, to establish secure communication channels between remote sites, users, and partners over untrusted networks like the internet.

d. Antivirus and Antimalware

FortiGate includes antivirus and antimalware services to detect and block malicious software, such as viruses, worms, Trojans, and spyware, preventing them from infecting the network.

e. Web Filtering

The web filtering feature controls access to websites based on categories, URLs, or keywords, allowing organizations to enforce acceptable use policies, block malicious sites, and improve productivity.

f. Application Control

FortiGate offers application control capabilities to identify and control the usage of various applications within the network, allowing administrators to define policies to permit, deny, or limit access to specific applications.

g. DLP (Data Loss Prevention)

DLP functionality prevents the unauthorized transmission of sensitive data outside the network by inspecting outgoing traffic for predefined data patterns such as credit card numbers, social security numbers, or intellectual property.

h. ATP (Advanced Threat Protection)

FortiGate integrates advanced threat protection mechanisms, including sandboxing and behavior-based analysis, to detect and block sophisticated threats like zero-day exploits and targeted attacks.

3. Networking Components

a. Interfaces

FortiGate includes physical and virtual network interfaces to connect to various network segments, enabling traffic ingress/egress and network segmentation for security and performance optimization.

b. Routing

FortiGate supports dynamic and static routing protocols to route traffic between different network segments efficiently and securely, ensuring optimal network performance and connectivity.

c. VLANs (Virtual Local Area Networks)

VLANs allow FortiGate to segment the network into multiple virtual LANs, isolating traffic and improving security, scalability, and performance across large and complex networks.

4. Management and Reporting

a. Management Interface

FortiGate provides a web-based management interface, command-line interface (CLI), and centralized management platforms (FortiManager) for configuring, monitoring, and managing firewall policies, security services, and network settings.

b. Logging and Reporting

FortiGate logs network activity, security events, and policy violations, generating detailed reports and alerts for administrators to analyze security incidents, troubleshoot issues, and maintain compliance with regulatory requirements.

FortiGate’s platform design and architecture leverage these components to deliver robust network security, performance, and scalability for modern enterprise environments.

Three Families of Fortinet SPUs (Security Processing Units):

  1. NETWORK PROCESSOR 7 (NP7)
  2. CONTENT PROCESSOR 9 (CP9)
  3. SECURITY PROCESSING UNIT (SP5)


Link: https://www.fortinet.com/products/fortigate/fortiasic

V. FortiGate Firewall CLI

The FortiGate firewall Command Line Interface (CLI) provides administrators with a powerful and flexible tool for configuring, monitoring, and troubleshooting the firewall. Here’s an explanation of the FortiGate firewall CLI:

Overview of FortiGate CLI

The CLI is accessed using SSH or through the console port directly connected to the firewall device. It provides a text-based interface where administrators can execute commands to perform various tasks related to firewall configuration and management.

Key Features and Functions

1. Configuration Management

2. Monitoring and Troubleshooting

3. Security Policy Management

4. VPN Configuration

5. System Administration

Advantages of FortiGate CLI

VI. Getting Management GUI Access of FortiGate Firewall

Accessing the management GUI (Graphical User Interface) of a FortiGate firewall allows administrators to configure and manage the firewall using a web-based interface. Here’s how to obtain management GUI access:

  1. Connect to the FortiGate Firewall

First, establish a connection to the FortiGate firewall. This can be done through the console port directly connected to the firewall device or via SSH (Secure Shell) if remote access is enabled.


```
# Example SSH command to connect to the FortiGate firewall
ssh admin@<firewall_ip_address>
```

2. Enable Management Access

Ensure that management access is enabled on the FortiGate firewall. By default, HTTPS (HTTP over SSL) access is enabled on port 443 for management GUI access.

```
# Example: set the HTTPS administrative port (global setting) and allow
# HTTPS (plus SSH and ping) on the interface used for management
config system global
    set admin-sport 443
end

config system interface
    edit <mgmt_interface_name>
        set allowaccess https ssh ping
    next
end
```

3. Configure Administrative Access

Configure administrative access credentials to log in to the management GUI. Ensure that the admin user has the necessary privileges to access and manage the firewall.

```
# Example command to configure administrative access
config system admin
    edit admin
        set password <admin_password>
    next
end
```

4. Access the Management GUI

Once management access is enabled and administrative credentials are configured, access the management GUI using a web browser. Enter the IP address of the FortiGate firewall in the browser’s address bar and log in with the administrative credentials.

https://<firewall_ip_address>

Additional Considerations

Demo:


Default Username: admin

Password:

Configure a new strong password.

Sample Topology:


Initial CLI configuration for GUI access:


Taking GUI Admin Access: http://105.0.0.254


Changing Firewall Hostname: FGT


Welcome to Fortigate Firewall Dashboard


VII. Administration Profiles in FortiGate Firewall

Administration profiles in FortiGate firewall provide a flexible way to manage administrative access and privileges within the firewall. They allow administrators to define specific permissions and restrictions for different users or groups, ensuring secure and efficient management of the firewall. Here’s an in-depth look at administration profiles:

Overview

Administration profiles serve as templates that define the access rights and capabilities of administrators or administrative groups. Each profile specifies the level of access to various firewall functionalities, including configuration, monitoring, and management tasks.

Key Components

1. Access Controls

2. User Authentication

3. Administrative Privileges

4. Session Management

Configuration and Management

1. Profile Creation

2. Profile Assignment

Demo:

Click on Administrator: System —> Administrator


By default the profile is super_admin:


Set the username and password, and select Local User as the type:


Create the new Administrator Profile for the new user


Select the permissions you want to grant and click OK.

Note:

The idle timeout period is the amount of time that an administrator will stay logged in to the GUI without any activity. This is to prevent someone from accessing the FortiGate if the management PC is left unattended. By default, it is set to five minutes.


Select newly created Profile and Click OK.


Newly created admin:


Administrator profile hierarchy:


Summary:

The module provided a basic introduction to FortiGate firewall, covering various aspects of the product:

  1. Understanding Features of FortiGate: Explains the features and capabilities of FortiGate firewall, highlighting its advanced threat protection, network segmentation, and secure connectivity.
  2. FortiGuard Queries & Packages: Discusses FortiGuard services, including threat intelligence and security updates provided by Fortinet, enhancing the effectiveness of the firewall in detecting and preventing threats.
  3. UTM Firewalls Features: Describes UTM (Unified Threat Management) features of FortiGate, which include firewall, intrusion prevention, antivirus, web filtering, and application control, offering comprehensive protection against various cyber threats.
  4. Platform Design and Architecture: Explores the design and architecture of FortiGate firewall, including its processing units, security services, networking components, and management features.
  5. About CLI: Provides an overview of the FortiGate Command Line Interface (CLI), which allows administrators to configure, monitor, and troubleshoot the firewall using text-based commands.
  6. Getting Mgmt GUI Access: Details the steps to access the management GUI (Graphical User Interface) of FortiGate firewall, allowing administrators to configure and manage the firewall through a web-based interface.
  7. About Administration Profiles: Discusses administration profiles in FortiGate, which define access rights and privileges for administrators or administrative groups, ensuring secure and efficient management of the firewall.



MODULE 2

Interface Configurations and Firewall Policies



I. Basic Interface Configuration

Configuring interfaces on a FortiGate firewall is essential for establishing network connectivity and defining traffic flow. Here’s a detailed guide on how to perform basic interface configuration using commands:

1. Connect to the FortiGate Firewall

Before configuring interfaces, establish a connection to the FortiGate firewall using SSH or through the console port directly connected to the firewall device.


```
# Example SSH command to connect to the FortiGate firewall
ssh admin@<firewall_ip_address>
```

2. Enter Configuration Mode

The FortiOS CLI has no separate global configuration mode: each group of settings is a table that you enter with its own `config` command and leave with `end`, which also commits the change. Interface settings live in the `config system interface` table.

```
# Enter the interface configuration table
config system interface
```

3. Configure Physical Interfaces

FortiGate firewalls have physical interfaces (e.g., Ethernet ports) that connect to the network. Configure the desired physical interfaces with appropriate IP addresses and other settings.

```
# Example command to configure a physical interface
config system interface
    edit <interface_name>
        set mode static
        set ip <ip_address> <subnet_mask>
    next
end
```

4. Configure VLAN Interfaces (Optional)

If VLANs (Virtual Local Area Networks) are used to segment the network, configure VLAN interfaces and assign them to the desired physical interfaces.

```
# Example command to configure a VLAN interface on top of a physical port
config system interface
    edit <vlan_interface_name>
        set interface <physical_interface_name>
        set vlanid <vlan_id>
        set ip <ip_address> <subnet_mask>
    next
end
```

5. Configure Virtual Interfaces (Optional)

Virtual interfaces such as loopback interfaces can be configured for various purposes, such as management or routing.

```
# Example command to configure a loopback interface
config system interface
    edit <loopback_interface_name>
        set type loopback
        set ip <ip_address> <subnet_mask>
    next
end
```

6. Configure Default Gateway

Specify the default gateway for the firewall to enable outbound traffic routing to external networks.

```
# Example command to configure the default gateway (a static route to 0.0.0.0/0)
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway <gateway_ip_address>
        set device <wan_interface_name>
    next
end
```

7. Save Configuration Changes

Save the configuration changes to persist them across reboots.

```
# Save configuration (leaving a table with end commits the change)
end
```

8. Considerations

Demo:

Sample Lab topology:


The Management Interface Configurations we have done through CLI:


Configure the interfaces as per the image below:

Steps:


NOTE: The interfaces can also be configured via the CLI:

```
# LAN port2 interface
config system interface
    edit port2
        set mode static
        set ip 10.1.1.100/24
        set allowaccess ping
        set alias "LAN"
        set role lan
    next
end

# WAN port3 interface
config system interface
    edit port3
        set mode static
        set ip 192.168.1.100/24
        set allowaccess ping
        set alias "WAN"
        set role wan
    next
end

# DMZ port4 interface
config system interface
    edit port4
        set mode static
        set ip 172.16.1.100/24
        set allowaccess ping
        set alias "DMZ"
        set role dmz
    next
end

# To see the configuration on the CLI
show system interface
```

Configure the remaining WAN and DMZ interfaces in the same way as the previous one.
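As an added example (not part of this guide or of FortiOS itself), the following Python script parses `config system interface` blocks of the shape shown above and flags any WAN-role interface whose `allowaccess` list exposes a management service. The sample configuration is constructed for this example: it repeats the LAN and WAN blocks from the demo and adds a hypothetical `port5` that wrongly allows HTTPS, SSH and HTTP on a WAN interface. Everything else (the service list, the function names) is an assumption of the example, not a FortiOS API.

```python
import re
from typing import Dict, List

# Constructed sample: the LAN/WAN blocks from the demo above, plus a
# hypothetical port5 whose allowaccess exposes management on a WAN interface.
SAMPLE_CONFIG = """
config system interface
edit port2
set mode static
set ip 10.1.1.100/24
set allowaccess ping https ssh
set alias "LAN"
set role lan
end

config system interface
edit port3
set mode static
set ip 192.168.1.100/24
set allowaccess ping
set alias "WAN"
set role wan
end

config system interface
edit port5
set mode static
set ip 203.0.113.10/24
set allowaccess ping https ssh http
set alias "WAN2"
set role wan
end
"""

# allowaccess values that grant administrative access to the FortiGate itself
# (assumed list for this example; extend it to match your own policy).
MGMT_SERVICES = {"https", "http", "ssh", "telnet", "snmp", "fgfm"}


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Parse flat 'edit <name> / set <key> <value> / next|end' blocks into
    {interface: {setting: value}}. Nested sub-tables are not handled; the
    interface blocks on this page do not use any."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"\s]+)"?$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        if line in ("next", "end"):
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            interfaces[current][m.group(1)] = m.group(2).strip().strip('"')
    return interfaces


def exposed_management(interfaces: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {interface: [services]} for every WAN-role interface whose
    allowaccess includes a management service; empty dict means none."""
    findings: Dict[str, List[str]] = {}
    for name, cfg in interfaces.items():
        if cfg.get("role") != "wan":
            continue
        allowed = set(cfg.get("allowaccess", "").split())
        exposed = sorted(allowed & MGMT_SERVICES)
        if exposed:
            findings[name] = exposed
    return findings


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for iface, services in exposed_management(parsed).items():
        alias = parsed[iface].get("alias", "")
        print(f"{iface} ({alias}): management exposed via {', '.join(services)}")
```

The check is deliberately keyed on the `role` setting rather than on the interface name, so it still works when a WAN-facing port is not called `wan1`; on a real unit the input would be the output of `show system interface` captured to a file.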


II. Configuring Static and Dynamic Routing on FortiGate Firewall

Routing is a critical function in network devices like FortiGate firewalls, enabling the forwarding of traffic between different networks. Here’s a detailed guide on how to configure static and dynamic routing using commands:

1. Connect to the FortiGate Firewall

Before configuring routing, establish a connection to the FortiGate firewall using SSH or through the console port directly connected to the firewall device.

```
# Example SSH command to connect to the FortiGate firewall
ssh admin@<firewall_ip_address>
```

2. Enter Configuration Mode

The FortiOS CLI has no separate global configuration mode; each routing feature has its own table. Static routes are configured under `config router static`, and the dynamic protocols under `config router ospf` and `config router bgp`.

```
# Enter the static route table
config router static
```

3. Configure Static Routes

Static routes are manually configured routes that define the next-hop IP address for destinations not directly connected to the firewall.

```
# Example command to configure a static route
config router static
    edit 1
        set dst <destination_network> <subnet_mask>
        set gateway <next_hop_ip_address>
        set device <outgoing_interface_name>
    next
end
```
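Which static route a packet actually takes is decided by longest-prefix match, with administrative distance as the tie-breaker between routes to the same prefix. The following Python function, added here as an illustration and not part of this guide or of FortiOS, performs that selection over a constructed routing table that follows the lab addressing above (port2 = LAN, port3 = WAN, port4 = DMZ); the addresses and distances are assumptions of the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Route entry: (destination prefix, gateway, outgoing interface, administrative distance)
Route = Tuple[str, str, str, int]

# Constructed routing table for this example. The last two entries share a
# prefix; the one with the lower distance is active, the other is a backup.
ROUTES: List[Route] = [
    ("0.0.0.0/0",     "192.168.1.1", "port3", 10),   # default route to the WAN gateway
    ("172.16.0.0/16", "172.16.1.1",  "port4", 10),
    ("172.16.5.0/24", "172.16.1.2",  "port4", 10),   # more specific than the /16 above
    ("10.2.0.0/16",   "10.1.1.2",    "port2", 10),
    ("10.2.0.0/16",   "10.1.1.3",    "port2", 20),   # backup: higher administrative distance
]


def lookup(routes: List[Route], dst: str) -> Optional[Tuple[str, str, str]]:
    """Return (matched prefix, gateway, interface) for dst, or None if unroutable.

    Selection mirrors a router's forwarding decision: the longest matching
    prefix wins; among routes to the same prefix the lowest distance wins.
    """
    addr = ipaddress.ip_address(dst)
    best_key = None
    best = None
    for prefix, gateway, iface, distance in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -distance)   # longer prefix first, then lower distance
        if best_key is None or key > best_key:
            best_key, best = key, (prefix, gateway, iface)
    return best


if __name__ == "__main__":
    for dst in ("172.16.5.7", "172.16.9.1", "10.2.3.4", "8.8.8.8"):
        print(dst, "->", lookup(ROUTES, dst))
    # Without the default route, Internet destinations have no match at all.
    print("8.8.8.8 without default route ->", lookup(ROUTES[1:], "8.8.8.8"))
```

The same rule is why a default route (`0.0.0.0/0`) never shadows a more specific static route: with prefix length 0 it only wins when nothing else matches.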

4. Configure Dynamic Routing Protocols

FortiGate firewalls support dynamic routing protocols such as OSPF (Open Shortest Path First) and BGP (Border Gateway Protocol) for dynamic route exchange and network convergence.

4.1. OSPF Configuration

```
# Example command to configure OSPF
config router ospf
    set router-id <router_id>
    config area
        edit <area_id>
        next
    end
    config network
        edit 1
            set prefix <network_address> <subnet_mask>
            set area <area_id>
        next
    end
    config redistribute "connected"
        set status enable
    end
end
```

4.2. BGP Configuration

```
# Example command to configure BGP
config router bgp
    set as <autonomous_system_number>
    set router-id <router_id>
    config neighbor
        edit <neighbor_ip_address>
            set remote-as <neighbor_as_number>
            set capability-default-originate enable
        next
    end
end
```

5. Verify Routing Configuration

After configuring static and dynamic routing, verify the routing table and routing protocol status to ensure correct configuration.

```
# Example command to view the routing table
get router info routing-table all

# Example command to view OSPF neighbor status
get router info ospf neighbor

# Example command to view BGP neighbor status
get router info bgp neighbors
```

6. Save Configuration Changes

Save the configuration changes to persist them across reboots.

```
# Save configuration (leaving a table with end commits the change)
end
```

7. Considerations

Demo:

All routing settings are available under the Network tab:


We can configure a static route towards our Wi-Fi router/gateway to get internet access.

Steps:


Assign the Wi-Fi router's IP address as the gateway and set the destination to 0.0.0.0/0.0.0.0 (any/any).


To configure dynamic routing protocols such as RIPv2, OSPF or BGP:

Steps to configure RIPv2:


Follow the image, adapting the values to your real network and conditions.


III. Configuring DHCP Server Pool for LAN Interface on FortiGate Firewall

Configuring a DHCP server pool on the LAN interface of a FortiGate firewall allows local users to obtain IP addresses automatically, simplifying network management. Here’s a detailed guide on how to configure the DHCP server pool for local users:

1. Connect to the FortiGate Firewall

Before configuring DHCP, establish a connection to the FortiGate firewall using SSH or through the console port directly connected to the firewall device.

```
# Example SSH command to connect to the FortiGate firewall
ssh admin@<firewall_ip_address>
```

2. Enter Configuration Mode

Enter configuration mode to make changes to the firewall’s configuration. You will need to enter the system interface context to configure the LAN interface.

```
# Enter the system interface configuration table
config system interface
```

3. Configure LAN Interface

If not already configured, set the LAN interface's IP address, subnet mask and management access. The DHCP server itself is defined in its own table, `config system dhcp server`, and is bound to the LAN interface by name.

```
# Example command to configure the LAN interface
config system interface
    edit <lan_interface_name>
        set mode static
        set ip <ip_address> <subnet_mask>
        set allowaccess ping https ssh
    next
end

# Example command to configure the DHCP server pool on that interface
config system dhcp server
    edit 1
        set interface <lan_interface_name>
        set lease-time <lease_time_in_seconds>
        set default-gateway <gateway_ip_address>
        set netmask <subnet_mask>
        config ip-range
            edit 1
                set start-ip <start_ip_address>
                set end-ip <end_ip_address>
            next
        end
    next
end
```

4. Configure DNS Server (Optional)

Optionally, configure DNS server settings for DHCP clients.

```
# Example command to hand out a specific DNS server to DHCP clients
config system dhcp server
    edit 1
        set dns-service specify
        set dns-server1 <dns_server_ip_address>
    next
end
```

5. Save Configuration Changes

Save the configuration changes to persist them across reboots.

```
# Save configuration (leaving a table with end commits the change)
end
```

6. Considerations

Demo:

To configure the DHCP server go to Network —> Interface —> port2(LAN)


IV. FortiGate Firewall: Basic Firewall Policies Configuration and Theory

Firewall policies on the FortiGate firewall define how traffic is allowed or denied between different network segments. Understanding basic firewall policy configuration and the theory behind the rule-by-default behavior is essential for effective network security. Here’s a detailed explanation:

1. Firewall Policies Overview

Firewall policies are rules that dictate the flow of traffic through the firewall. Each policy consists of conditions, actions, and security profiles. Policies are evaluated in sequence, and the first matching policy is applied to the traffic.

2. Basic Firewall Policy Configuration

2.1. Policy Conditions

2.2. Policy Actions

2.3. Security Profiles

3. Theory: Rule by Default Behavior

FortiGate firewall follows the rule by default behavior, where traffic that does not match any firewall policy is implicitly denied by default. This behavior ensures that only explicitly permitted traffic is allowed to traverse the firewall, enhancing network security.

4. Implicit Deny All Policy

By default, FortiGate firewall includes an implicit “Deny All” policy at the end of the policy list. This policy denies all traffic that does not match any preceding policy. Administrators can modify this behavior by adding specific allow policies above the “Deny All” policy.

5. Best Practices

6. Example Configuration

```
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```
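To make the first-match and implicit-deny behaviour from sections 1, 3 and 4 concrete, here is a small Python policy evaluator added for this guide (it is not FortiOS code and mirrors only the matching fields used on this page: interfaces, addresses, service and action). The policy list is constructed: a narrow deny for telnet placed above the broad internal-to-external accept from the example configuration, so that the effect of ordering can be tested.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: str    # "all" or a CIDR prefix
    dstaddr: str    # "all" or a CIDR prefix
    service: str    # "ALL" or "<proto>/<port>", e.g. "tcp/23"
    action: str     # "accept" or "deny"


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _service_match(spec: str, proto: str, dport: int) -> bool:
    if spec == "ALL":
        return True
    spec_proto, spec_port = spec.split("/")
    return spec_proto == proto and int(spec_port) == dport


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[int, str]:
    """Walk the policy list top-down and return (policyid, action) of the first match.

    A packet that matches nothing falls through to the implicit deny, which
    FortiOS shows as policy ID 0 at the bottom of the policy list.
    """
    for pol in policies:
        if (pol.srcintf == pkt.srcintf and pol.dstintf == pkt.dstintf
                and _addr_match(pol.srcaddr, pkt.src)
                and _addr_match(pol.dstaddr, pkt.dst)
                and _service_match(pol.service, pkt.proto, pkt.dport)):
            return pol.policyid, pol.action
    return 0, "deny"


# Constructed policy list: narrow deny first, broad accept second.
POLICIES: List[Policy] = [
    Policy(2, "internal", "external", "10.1.1.0/24", "all", "tcp/23", "deny"),
    Policy(1, "internal", "external", "all", "all", "ALL", "accept"),
]

# Constructed test packets (203.0.113.0/24 is a documentation range).
TELNET = Packet("internal", "external", "10.1.1.5", "203.0.113.9", "tcp", 23)
HTTPS = Packet("internal", "external", "10.1.1.5", "203.0.113.9", "tcp", 443)
INBOUND = Packet("external", "internal", "203.0.113.9", "10.1.1.5", "tcp", 22)

if __name__ == "__main__":
    print(evaluate(POLICIES, TELNET))         # (2, 'deny')
    print(evaluate(POLICIES, HTTPS))          # (1, 'accept')
    print(evaluate(POLICIES, INBOUND))        # (0, 'deny'), the implicit deny
    print(evaluate(POLICIES[::-1], TELNET))   # (1, 'accept'): reversed order lets telnet through
```

The last call is the point of the exercise: with the broad accept moved above the narrow deny, the deny is never reached, which is why specific policies belong at the top of the list and "Deny All" stays at the bottom.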

Demo:

To configure policy go to Policy & Objects —> Firewall Policy


To enable the traffic for LAN —> WAN


V. Network Address Translation - Fortigate

1. Theory of NAT (Network Address Translation)

NAT is a technique used to modify network address information in packet headers while in transit through a router or firewall. It serves several purposes, including conserving IP addresses, enabling connectivity between different network types, and enhancing network security by hiding internal IP addresses.

2. Configuration of NAT on FortiGate Firewall

2.1. Static NAT Configuration (1-to-1 NAT)

Static NAT maps a public IP address to a private IP address on a one-to-one basis, allowing external hosts to initiate connections to internal hosts.

```
# IP pool used for outbound one-to-one source NAT
config firewall ippool
    edit "public_pool"
        set type one-to-one
        set startip <public_ip_range_start>
        set endip <public_ip_range_end>
    next
end

# Virtual IP for inbound one-to-one destination NAT
config firewall vip
    edit "static_nat"
        set extintf "wan1"
        set extip <public_ip>
        set mappedip <private_ip>
    next
end
```

2.2. Port Forwarding Configuration

Port forwarding redirects traffic from a specific port on the firewall’s public IP address to an internal IP address and port.

```
config firewall vip
    edit "port_forwarding"
        set extintf "wan1"
        set extip <public_ip>
        set mappedip <private_ip>
        set portforward enable
        set protocol <protocol>
        set extport <public_port>
        set mappedport <private_port>
    next
end
```
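The practical difference between the two VIP types above is how much of the internal host they expose: a 1-to-1 static NAT translates every port on the public address, while port forwarding translates only the configured protocol and port. The following Python model, added here as an illustration (it is not FortiOS code; the dataclass fields and the sample addresses from documentation ranges are assumptions of the example), applies both kinds of VIP to inbound flows and the source NAT of section 1 to an outbound flow.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class VIP:
    """Subset of a firewall VIP: extport/mappedport None means 1-to-1 static NAT."""
    extip: str
    mappedip: str
    proto: str = "tcp"
    extport: Optional[int] = None
    mappedport: Optional[int] = None


def apply_vip(vip: VIP, flow: Flow) -> Optional[Flow]:
    """Destination-translate an inbound flow, or return None if the VIP does not match."""
    if flow.dst != vip.extip:
        return None
    if vip.extport is None:
        # Static 1-to-1 NAT: every port on extip reaches mappedip.
        return replace(flow, dst=vip.mappedip)
    # Port forwarding: only the configured protocol/port is translated.
    if flow.proto != vip.proto or flow.dport != vip.extport:
        return None
    return replace(flow, dst=vip.mappedip, dport=vip.mappedport)


def apply_snat(flow: Flow, public_ip: str) -> Flow:
    """Source-translate an outbound flow to the firewall's public IP (NAT on the LAN->WAN policy)."""
    return replace(flow, src=public_ip)


# Constructed VIPs mirroring the two configurations above.
STATIC_NAT = VIP(extip="203.0.113.10", mappedip="10.1.1.10")
PORT_FORWARD = VIP(extip="203.0.113.11", mappedip="10.1.1.20",
                   proto="tcp", extport=8443, mappedport=443)

if __name__ == "__main__":
    inbound_ssh = Flow("198.51.100.7", 50000, "203.0.113.10", 22, "tcp")
    print(apply_vip(STATIC_NAT, inbound_ssh))     # translated: 1-to-1 exposes port 22 too
    inbound_web = Flow("198.51.100.7", 50001, "203.0.113.11", 8443, "tcp")
    print(apply_vip(PORT_FORWARD, inbound_web))   # translated to 10.1.1.20:443
    print(apply_vip(PORT_FORWARD, replace(inbound_web, dport=22)))  # None: not forwarded
    print(apply_snat(Flow("10.1.1.5", 40000, "8.8.8.8", 53, "udp"), "203.0.113.10"))
```

Whether the translated flow is then allowed is still a firewall policy decision; the VIP only rewrites the destination, so a port-forward VIP is normally paired with a policy that permits exactly that service.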

3. Static IP Assignment

Assigning a static IP address to a device ensures consistency and predictability in network configurations, particularly for devices requiring consistent access or services.

```
config system interface
    edit <interface_name>
        set ip <ip_address> <subnet_mask>
        set allowaccess <access_options>
    next
end
```

4. Interface IP Configuration

Configuring IP addresses on interfaces enables communication between different network segments and defines the gateway for traffic leaving the subnet.

```
config system interface
    edit <interface_name>
        set ip <ip_address> <subnet_mask>
        set allowaccess <access_options>
    next
end
```

Demo:

By visiting Policy & Objects —> LAN-WAN policy


Enter the IP address you want to NAT.


If you want to map the original port number to a custom one, configure it through the Protocol option (port mapping).



VI. Virtual Wire configuration

FortiGate Virtual Wire (VW) is a feature that allows you to transparently insert security services, such as firewall policies and intrusion prevention systems (IPS), into the network without changing the IP addressing or topology. It operates at Layer 2 of the OSI model, meaning it doesn’t require IP addresses to be changed, making it ideal for scenarios where IP addressing cannot be modified easily.

Advantages of Virtual Wire Feature:

Here’s a breakdown of the key theoretical aspects of FortiGate Virtual Wire:

1. Layer 2 Operation:

2. Transparent Traffic Inspection:

3. In-line Deployment:

4. Traffic Forwarding and Filtering:

5. VLAN Support:

6. Simplified Deployment and Management:

Here’s a detailed explanation of the concept along with configuration steps:

1. Security Policy Configuration:

Create security policies to define how traffic is handled by the Virtual Wire pair. This includes specifying the source and destination zones, as well as the security profiles to be applied (e.g., IPS, antivirus).

config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        ...
    next
end

2. Monitoring and Logging:

Configure logging and monitoring to track traffic passing through the Virtual Wire for security analysis and troubleshooting purposes.

config log
    set status enable
    ...
end

3. Testing and Verification:

Test the Virtual Wire configuration to ensure that traffic is being inspected and forwarded correctly without any disruptions to network connectivity.

This configuration enables the FortiGate unit to operate in Virtual Wire mode, transparently inspecting and filtering traffic between two network segments without requiring any changes to IP addressing or network topology.
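The virtual wire pair and both policies written out in full, as an added example rather than the guide's own configuration. Assumed: port2 faces the LAN switch, port3 faces the upstream router, and neither port is referenced by any other policy, zone or address object.

```fortios
# Added example (not the guide's own config). Transparent in-line
# inspection between port2 and port3 without re-addressing either side.
# Assumed: port2 = LAN side, port3 = upstream side; both ports must be
# free of any other policy, zone or address reference before pairing.
config system virtual-wire-pair
    edit "vwp-lan-edge"
        set member "port2" "port3"
        set wildcard-vlan enable
    next
end

# Virtual wire policies are unidirectional: one is needed per direction.
# Both carry IPS and logging; tighten "service" on the upstream->LAN policy
# to the services actually published once they are known.
config firewall policy
    edit 1
        set name "vwp-lan-to-edge"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
    edit 2
        set name "vwp-edge-to-lan"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
    next
end

# Log the implicit deny too; otherwise frames dropped because no pair
# policy matched never show up under Forwarded Traffic.
config log setting
    set fwpolicy-implicit-log enable
end

# Verify the pair exists and that hosts still reach each other at L2:
# show system virtual-wire-pair
# diagnose sniffer packet port2 'arp' 4 5
```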


Demo:

Sample Topology:

To configure Virtual Wire, go to Interface –> Create New.

The new virtual wire pair interface is now configured.

FortiGate requires a Firewall Virtual Wire Pair Policy: go to Policy & Objects –> Firewall Virtual Wire Pair Policy –> create a bidirectional policy.

Now initiate traffic towards the internet; all of it will be visible in the firewall under Logs –> Forwarded Traffic.

Check the logs to verify the source and destination information for traffic from the PC to the internet.


Summary:

In Module 2, we covered essential topics related to configuring interfaces and firewall policies on FortiGate firewall. Here’s a summary of the topics covered:

  1. Basic Interface Configuration: Explained how to configure interfaces on FortiGate firewall, including setting IP addresses, subnet masks, and access permissions.
  2. Configure Static and Dynamic Routing: Detailed the configuration of static and dynamic routing protocols such as OSPF and BGP on FortiGate firewall to enable efficient traffic forwarding.
  3. Configuring DHCP: Provided guidance on configuring DHCP server pools on the LAN interface of FortiGate firewall to automate IP address assignment for local users.
  4. Basic Firewall Policies: Covered the configuration of firewall policies on FortiGate firewall, including setting conditions, actions, and security profiles to control traffic flow between different network segments.
  5. Network Address Translation (NAT): Explained the theory and configuration of NAT on FortiGate firewall, including static NAT (1-to-1 NAT) and port forwarding to facilitate communication between internal and external networks.

By understanding and implementing the concepts covered in Module 2, administrators can effectively configure interfaces, routing, DHCP, firewall policies, and NAT on FortiGate firewall to ensure efficient network connectivity and robust security measures.




MODULE 3

High availability


I. Active-Standby(Theory)

Hardware Requirements:

  1. Identical FortiGate Models: Both FortiGate units in the HA cluster must be identical models to ensure compatibility and proper synchronization.
  2. Sufficient Resources: Ensure that both FortiGate units have adequate CPU, memory, and storage resources to handle the expected network traffic and configurations.
  3. Network Interfaces: Each FortiGate unit should have the same number and type of network interfaces (e.g., Ethernet, fiber) configured identically.
  4. HA Ports: Both FortiGate units must have dedicated HA ports available for HA heartbeat communication and synchronization. These ports should be connected via a dedicated HA link cable or network segment.
  5. Power and Cooling: Ensure that the power supply and cooling systems are sufficient to support both FortiGate units and maintain optimal operating conditions.

Software Requirements:

  1. Compatible Firmware Versions: Both FortiGate units must run the same firmware version to ensure compatibility and proper functionality.
  2. HA Licensing: Ensure that both FortiGate units are licensed for HA features and functionalities. Some HA features may require specific licensing.
  3. Configuration Synchronization: Configure both FortiGate units with identical network configurations, security policies, routing settings, and HA settings.
  4. Virtual Domains (VDOMs): If using VDOMs, ensure that VDOM settings are synchronized between both units and that VDOM HA settings are properly configured.
  5. Monitoring and Management: Set up monitoring and management tools to monitor the health and status of the HA cluster, including CPU usage, memory utilization, and interface status.

Network Requirements:

  1. Dedicated HA Link: Establish a dedicated network link (HA link) between the HA ports of both FortiGate units for heartbeat communication and synchronization.
  2. Redundant Network Connectivity: Ensure redundant network connectivity for both FortiGate units to prevent single points of failure and ensure continuous operation.
  3. Network Topology: Configure network routing and VLAN settings to accommodate HA failover events and ensure seamless traffic redirection in case of unit failure.

By meeting these hardware, software, and network requirements, administrators can set up a robust high availability (HA) configuration in the FortiGate firewall to ensure continuous network operation and minimize downtime.

Active-Standby Theory of FortiGate Firewall with FGCP

Active-standby mode in the FortiGate firewall, facilitated by FGCP (FortiGate Cluster Protocol), is a high availability (HA) configuration where two firewall units operate in tandem. One unit serves as the primary (active) unit, actively processing traffic, while the other unit acts as the secondary (standby) unit, ready to take over in case of failure.

1. FGCP (FortiGate Cluster Protocol)

3. Firewall State

4. Gratuitous ARP (GARP), MAC and IP Swap, Priority

These concepts remain unchanged in the context of FGCP. Gratuitous ARP messages, MAC and IP swap, and priority configurations play crucial roles in ensuring smooth failover and uninterrupted network connectivity during active-standby mode operation with FGCP.

II. Active-Standby(Lab)

Sample Topology:

FGT-1 Dashboard:

On the FGT-1 dashboard the HA status is "Standalone".

FGT-2 Dashboard:

The device with the higher priority becomes the Active/Primary unit, in this case FGT-1.

As per our requirement, FGT-1 will be Active and FGT-2 will be Passive.

FGT-1 dashboard showing both firewalls synchronized.

FGT-2 lost-connection screen.

FGT-1 dashboard widget.

After FGT-1 fails, FGT-2 takes over the Primary role.

III. Active-Active Failover in FortiGate Firewall

Active-active failover in FortiGate firewall is a high availability (HA) configuration where both firewall units actively process network traffic simultaneously, distributing the load across the cluster. This configuration enhances performance and ensures redundancy by allowing seamless failover between units in case of hardware or software failures.

HA and load balancing

FGCP active-active HA uses a technique similar to unicast load balancing where the primary unit is associated with the cluster HA virtual MAC addresses and cluster IP addresses. The primary unit is the only cluster unit that receives packets sent to the cluster. The primary unit uses a load-balancing schedule to distribute sessions to all cluster units (including the primary unit). Subordinate unit interfaces retain their actual MAC addresses, and the primary unit communicates with the subordinate units using these MAC addresses. Packets exiting the subordinate units proceed directly to their destination and do not pass through the primary unit.

By default, active-active HA load balancing distributes proxy-based security profile processing to all cluster units. Proxy-based security profile processing is CPU and memory-intensive, so FGCP load balancing may result in higher throughput because resource-intensive processing is distributed among all cluster units.

The following proxy-based security profile processing is load-balanced:

Other features enabled in firewall policies such as endpoint security, traffic shaping, and authentication have no effect on active-active load balancing.

During active-active HA load balancing, the primary unit uses the configured load balancing schedule to determine which cluster unit will process a session. The primary unit stores the load-balancing information for each load-balanced session in the cluster load-balancing session table. Using the information in this table, the primary unit can then forward all of the remaining packets in each session to the appropriate cluster unit. The load balancing session table is synchronized among all cluster units.

ICMP, multicast, and broadcast sessions are never load-balanced and are always processed by the primary unit. The following sessions are only processed by the primary unit:

In addition to load balancing, active-active HA provides the same session, device, and link failover protection as active-passive HA. If the primary unit fails, a subordinate unit becomes the primary unit and resumes operating the cluster. Active-active HA maintains as many load balanced sessions as possible after a failover by continuing to process the load balanced sessions that were being processed by the cluster units that are still operating.

Active-active failover

If a subordinate unit fails, the primary unit redistributes the sessions that the subordinate was processing among the remaining active cluster members. If the primary unit fails, the subordinate units negotiate to select a new primary unit. The new primary unit continues to distribute packets among the remaining active cluster units.

Failover works similarly if the cluster consists of only two units. If the primary unit fails, the subordinate unit negotiates and becomes the new primary unit. If the subordinate unit fails, the primary unit processes all traffic. In both cases, the single remaining unit continues to function as a primary unit, maintaining the HA virtual MAC address for all of its interfaces.
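The FGCP cluster from the active-standby theory above and the active-active variant of section III, as one added CLI example (not the guide's own configuration). Assumed: port3 and port4 are the dedicated heartbeat links, port1 (WAN) and port2 (LAN) carry traffic, and the "mgmt" port is reserved so each unit keeps its own address.

```fortios
# Added example (not the guide's own config). FGCP active-passive cluster:
# FGT-1 is elected primary (priority 128), FGT-2 stays standby (100).
# Assumed: port3/port4 = heartbeat, port1 = WAN, port2 = LAN, "mgmt"
# reserved per unit so FGT-2 stays reachable after it joins the cluster.
#
# --- FGT-1 ---
config system global
    set hostname "FGT-1"
end
config system interface
    edit "mgmt"
        set ip 192.168.99.11 255.255.255.0
        set allowaccess ping https ssh
    next
end
config system ha
    set group-name "lab-cluster"
    set mode a-p
    set password <same-strong-secret-on-both-units>
    set hbdev "port3" 50 "port4" 50
    set priority 128
    set override disable
    set monitor "port1" "port2"
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.99.1
        next
    end
end

# --- FGT-2 --- identical apart from hostname, mgmt IP and priority.
# group-name and password must match exactly or the units never cluster.
config system global
    set hostname "FGT-2"
end
config system interface
    edit "mgmt"
        set ip 192.168.99.12 255.255.255.0
        set allowaccess ping https ssh
    next
end
config system ha
    set group-name "lab-cluster"
    set mode a-p
    set password <same-strong-secret-on-both-units>
    set hbdev "port3" 50 "port4" 50
    set priority 100
    set override disable
    set monitor "port1" "port2"
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.168.99.1
        next
    end
end

# Notes:
# - override disable: a recovered FGT-1 does not pre-empt and trigger a
#   second failover; enable override on FGT-1 only if it must reclaim.
# - monitor: losing link on a monitored port fails over, not only a dead
#   unit; session-pickup carries established TCP sessions across.
# Active-active instead (section III): same config on both units with
#     set mode a-a
#     set schedule round-robin
# so the primary distributes sessions to subordinates; ICMP, multicast
# and broadcast stay on the primary regardless of schedule.
# Verify: get system ha status ; diagnose sys ha checksum cluster
```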

2. Configuration

2.1. HA Configuration

2.2. Firewall Policies

2.3. Monitoring and Alerting

IV. Active - Active(Lab)

Sample Topology:

FGT-1 device Active-Active HA configuration; follow the steps shown.

FGT-2 device HA configuration: make sure both units use the same group name and password in order to synchronize. FGT-2 GUI access will not be available.

Both FGT-1 and FGT-2 are synchronized; FGT-1 will be master/primary and FGT-2 will be secondary.

As per the priority, FGT-1 (priority 128) is elected Primary and FGT-2 (priority 100) Secondary.

When FGT-1 fails, FGT-2 takes the role of Primary.

Summary:

Module 3 of the FortiGate firewall course covers high availability (HA) configurations, including both active-standby and active-active setups. Here’s a brief summary of the topics covered:

  1. Active-Standby (Theory): Explains the theory behind active-standby HA configurations, where one firewall unit serves as the primary (active) unit while the other acts as the secondary (standby) unit. In case of failure, the standby unit takes over seamlessly to ensure continuous operation.
  2. Active-Standby (Lab): Provides hands-on lab exercises for configuring active-standby HA on FortiGate firewall units. Students learn how to set up HA links, synchronize configurations, and test failover scenarios.
  3. Active-Active (Theory): Discusses the theory behind active-active HA configurations, where both firewall units actively process network traffic simultaneously. Load balancing, firewall state synchronization, and session pickup are explained in detail.
  4. Active-Active (Lab): Offers practical lab exercises for configuring active-active HA on FortiGate firewall units. Students learn how to configure load balancing algorithms, ensure firewall state synchronization, and test failover scenarios in an active-active setup.



MODULE 4

Firewall Authentication


I. Creating Users and Policies

Creating users and policies on the FortiGate firewall allows administrators to control access to network resources and define security rules for traffic flow. Here’s a detailed guide on how to create users and policies:

1. Creating Users

1.1. Local Users

1.2. External Authentication

2. Creating Policies

2.1. Firewall Policies

2.2. VPN Policies

Demo:

Sample Topology:

Now we are configuring Captive Portal (user authentication).

Steps:

Select User Type —> Local User.

Create the login credentials and disable two-factor authentication for now.

Enable the user account status and assign a default group, or create a new one.

Our new user has been created and assigned to the default group.

II. Create Authentication Policies[Captive Portal]

Demo:

Here we are authenticating LAN users before they can access the DMZ web server. The first screenshot shows access without a Captive Portal or firewall authentication.

Assign the created policy to the LAN interface.

Steps:

We access the DMZ web server again, but this time we do not get the DMZ login page directly; before accessing it we have to be authenticated by the firewall.

I have entered valid credentials, so I am able to access the DMZ server.

We get the DMZ home page after successful authentication.

To check user activity on the firewall, go to Monitor → Firewall User Monitor.
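The same lab in CLI form, added here as an example that is not the guide's own configuration: a local user, a group, the captive portal on the LAN interface, and the policy that lets authenticated LAN users reach the DMZ web server. Assumed: LAN is port2 (192.168.10.0/24), the DMZ web server is 10.10.20.5 behind interface "dmz", and the user is "alice".

```fortios
# Added example (not the guide's own config): local user, group, captive
# portal on the LAN interface, and the LAN -> DMZ web server policy.
# Assumed: LAN port2 192.168.10.0/24, DMZ server 10.10.20.5 on "dmz".
config user local
    edit "alice"
        set type password
        set passwd <strong-password>
        set status enable
    next
end
config user group
    edit "LAN-Users"
        set member "alice"
    next
end

# Interface-mode captive portal: anything entering port2 must authenticate
# as a member of LAN-Users before any firewall policy is evaluated.
config system interface
    edit "port2"
        set security-mode captive-portal
        set security-groups "LAN-Users"
    next
end

# Serve the portal over HTTPS, otherwise credentials cross the LAN in the
# clear. auth-timeout is in minutes.
config user setting
    set auth-secure-http enable
    set auth-timeout 30
end

config firewall address
    edit "LAN-net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "DMZ-web"
        set subnet 10.10.20.5 255.255.255.255
    next
end
# The policy still has to allow the traffic. Policy-based authentication is
# the alternative: drop the interface security-mode above and add
# "set groups "LAN-Users"" here so only this policy prompts.
config firewall policy
    edit 20
        set name "LAN-to-DMZ-web"
        set srcintf "port2"
        set dstintf "dmz"
        set srcaddr "LAN-net"
        set dstaddr "DMZ-web"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
    next
end

# CLI view of Monitor > Firewall User Monitor, and how to log a user out:
# diagnose firewall auth list
# diagnose firewall auth clear
```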

Summary:

Module 4 of the FortiGate firewall course focuses on firewall authentication. Here’s a summary of the topics covered:

  1. Creating User and Policies: This topic covers the process of creating users and policies on the FortiGate firewall. It includes creating local users with authentication privileges and configuring firewall policies to control traffic flow based on defined criteria.
  2. Create Authentication Policies (Captive Portal): Captive Portal authentication allows administrators to authenticate users before granting access to network resources. This topic explains how to configure authentication policies using Captive Portal to enforce user authentication requirements.
  3. Monitor Firewall Users: Monitoring firewall users is crucial for maintaining network security and performance. This topic covers how to monitor and track user activities on the FortiGate firewall, including viewing logged-in users, session details, and authentication logs.

By covering these topics, Module 4 provides administrators with the knowledge and skills to effectively manage firewall authentication, create user and policy configurations, and monitor user activities to ensure network security and compliance.




MODULE 5

Security Profiles


Security Profiles on FortiGate Firewall

Security profiles on FortiGate firewall provide advanced threat protection and content filtering capabilities to safeguard networks from various cyber threats. Here’s a detailed overview of each security profile:

1. Application Control

Demo:

To configure Application Control, go to Security Profiles —> Application Control.

Select the application you want to block and set the action to Block.

Apply the profile to the required policy under Policy & Objects.

2. Web Filtering

Demo:


3. File Filter

Demo:


4. DNS Filter

Demo:


5. Antivirus

Antivirus filtering requires a valid license.

6. Intrusion Prevention

Demo:

Apply the sensor, as before, to the required policy or zone.

7. Video Filter

Demo:

8. SSL/SSH Inspection Profile

Demo:

The profile is applied to the policy for LAN_WAN traffic.
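How the profiles from this module attach to the LAN_WAN policy, as an added CLI example that is not the guide's own configuration. Assumed: policy id 1 is LAN_WAN, the built-in "default" IPS sensor and application list are used, and the block-list domain is a placeholder.

```fortios
# Added example (not the guide's own config): a URL block list inside a
# web filter profile, attached together with IPS and application control
# to the LAN_WAN policy. Assumed: policy 1 is LAN_WAN; the domain is a
# constructed placeholder.
config webfilter urlfilter
    edit 1
        set name "lan-block-list"
        config entries
            edit 1
                set url "*.example.com"
                set type wildcard
                set action block
                set status enable
            next
        end
    next
end

config webfilter profile
    edit "lan-web"
        config web
            set urlfilter-table 1
        end
    next
end

# utm-status must be on or the profiles are ignored. With
# certificate-inspection, HTTPS is matched on the server name (SNI /
# certificate) only; URL paths, file filter and antivirus on HTTPS need
# deep-inspection, which in turn needs the FortiGate CA on the clients.
config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "lan-web"
        set application-list "default"
        set ips-sensor "default"
        set logtraffic all
    next
end

# Confirm the profile is attached and watch for the block events:
# show firewall policy 1
# execute log filter category 3
# execute log display
```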

Summary:

Module 5 of the FortiGate firewall course focuses on security profiles, which are essential components for safeguarding networks against various cyber threats and enforcing security policies. Here’s a summary of the security profiles covered:

  1. Application Control: Allows administrators to monitor and control the usage of applications within the network, helping to identify and block unauthorized or risky applications.
  2. Web Filtering: Enables administrators to control access to websites based on categories, URLs, or specific content types, providing protection against malicious or inappropriate web content.
  3. File Filter: Scans file transfers for malware, malicious content, and unauthorized file types, helping to prevent the spread of malware and enforce data loss prevention policies.
  4. DNS Filter: Blocks access to malicious or inappropriate domains by filtering DNS requests, providing an additional layer of security against phishing attacks, malware distribution, and access to undesirable content.
  5. Antivirus: Scans network traffic for known malware, viruses, and other malicious content, protecting endpoints and networks from infection.
  6. Intrusion Prevention: Identifies and blocks network-based attacks, including exploits, vulnerabilities, and malicious traffic patterns, to prevent unauthorized access and data breaches.
  7. Video Filter: Controls access to streaming video content based on categories, URLs, or specific content types, helping to optimize bandwidth usage and enforce acceptable use policies.
  8. SSL/SSH Inspection Profile: Decrypts and inspects encrypted SSL/TLS or SSH traffic to detect and prevent threats hidden within encrypted communications, providing visibility into encrypted traffic and enforcing security policies.

By understanding and configuring these security profiles, administrators can implement comprehensive threat protection measures and enforce security policies to safeguard their networks effectively against cyber threats.




MODULE 6

Logging and Monitoring


FortiGate Firewall Logging and Monitoring

Logging and monitoring are essential components of network security, providing visibility into network activity, detecting threats, and troubleshooting issues. FortiGate firewall offers comprehensive logging and monitoring capabilities to help administrators effectively manage their network environments.

1. Understanding Log Severity Levels

Log severity levels indicate the importance or severity of logged events. FortiGate firewall categorizes logs into different severity levels, including:

2. Understanding Logs & Sublog Types

FortiGate firewall generates various types of logs to capture different aspects of network activity and security events. Common log types include:

3. Understanding Log Structures

Logs generated by the FortiGate firewall follow a structured format, typically including the following information:

4. Configuring Log Settings

Administrators can configure log settings on the FortiGate firewall to customize logging behavior and control which events are logged. Key configuration options include:

5. Redirect Logs to Syslog & SNMP

FortiGate firewall supports sending logs to external logging and monitoring systems via Syslog and SNMP protocols. This allows administrators to centralize log management and integrate firewall logs with existing monitoring platforms. Key steps include:
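The syslog forwarding described above in CLI form, added as an example that is not the guide's own configuration. Assumed collector: 192.0.2.10 on UDP 514.

```fortios
# Added example (not the guide's own config): ship logs to an external
# syslog collector and make sure the events a SOC needs are actually sent.
# Assumed collector 192.0.2.10, UDP 514. Prefer "set mode reliable" (TCP)
# where the collector supports it, so bursts are not silently dropped.
config log syslogd setting
    set status enable
    set server "192.0.2.10"
    set mode udp
    set port 514
    set facility local7
    set format default
end

# The filter decides which categories leave the box; severity is the
# floor, so "information" also includes notice, warning, error, ...
config log syslogd filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set anomaly enable
end

# Without these, sessions dropped by the implicit deny policy and unicast
# traffic denied to the firewall itself are not logged at all, which hides
# scans and policy mistakes from the collector.
config log setting
    set fwpolicy-implicit-log enable
    set local-in-deny-unicast enable
end

# Quick check: generate test events and confirm the collector sees them.
# diagnose log test
```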

Demo:

Sample Log data:

memory-traffic-forward-2024-04-22_0036.log

LAN_WAN Forwarded Traffic Logs:

Web Filter Applied Policy Triggered Logs:

Sending Logs to External Syslog Server:

6. FortiGate Firewall One-Arm Sniffer Configuration:

1. Enable Sniffer:

2. Configure One-Arm Sniffer Interface:

3. Set Sniffer Filters (Optional):

4. Start Sniffer:

5. View Sniffer Output:

7. Cisco Switch SPAN Monitor Source and Destination Configuration:

1. Define SPAN Session:

2. Configure SPAN Type (Optional):

3. Verify SPAN Configuration:

4. Start Monitoring:

5. Analyze Monitored Traffic:

These configurations should help you set up One-Arm Sniffer on FortiGate firewall and SPAN monitoring on a Cisco switch effectively. Remember to adjust the settings according to your specific network requirements and security policies.
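The FortiGate side of the one-arm sniffer setup (steps 1 to 5 above) in CLI form, added as an example that is not the guide's own configuration; the switch-side SPAN session is configured separately on the Cisco switch. Assumed: port2 is unused, the SPAN destination port is cabled to it, and the monitored LAN is 192.168.10.0/24.

```fortios
# Added example (not the guide's own config). Turn port2 into a one-arm
# sniffer fed by the switch SPAN port and inspect the copy with IPS.
# Assumed: port2 has no address and no policies, the SPAN destination is
# cabled to it, monitored LAN = 192.168.10.0/24.
config system interface
    edit "port2"
        set ips-sniffer-mode enable
    next
end

# A sniffer policy is required; without one nothing is inspected or
# logged. host/port/protocol filters narrow what is recorded.
config firewall sniffer
    edit 1
        set status enable
        set interface "port2"
        set logtraffic all
        set host "192.168.10.0/24"
        set ips-sensor-status enable
        set ips-sensor "default"
        set application-list-status enable
        set application-list "default"
    next
end

# The sniffer only sees a copy of the traffic: it detects and logs, it
# cannot block. Confirm frames are actually arriving from the SPAN port
# before trusting the Sniffer Traffic log view:
# diagnose sniffer packet port2 'net 192.168.10.0/24' 4 10
```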

Demo:

Sample Topology:

Configure SPAN (Switched Port Analyzer) on the Cisco switch ports connected to the PC and the firewall.

Change the FortiGate port2 interface type to One-Arm Sniffer, following the image instructions.

Generate traffic from the PC towards the internet; all packets are sent to the firewall as well.

To check the packets sniffed from the PC, go to "Logs & Report" –> "Sniffer Traffic".

Sample Log data:

memory-traffic-sniffer-2024-04-22_2048.log


Summary:

This module equips administrators with the knowledge to efficiently monitor network activity, detect security incidents, and ensure the reliability of their network infrastructure.




MODULE 7

Basic IPSEC VPN


I. Understanding the Architecture of IPsec

IPsec (Internet Protocol Security) is a suite of protocols used to secure Internet protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. The architecture of IPsec involves several components and protocols working together to establish secure communication channels. Here’s a detailed overview of the IPsec architecture:

1. Security Associations (SA)

2. Security Associations Database (SAD)

3. Key Management Protocol

4. Encapsulating Security Payload (ESP)

5. Authentication Header (AH)

II. Understanding IKE Phase 1 & 2

IKE (Internet Key Exchange) is a key management protocol used in IPsec VPNs to establish and manage secure communication channels between peers. IKE operates in two phases, known as Phase 1 and Phase 2, each serving distinct purposes in the VPN establishment process. Let’s delve into the details of each phase:

1. IKE Phase 1


2. IKE Phase 2


III. Configuring IPsec between FortiGate to FortiGate

IPsec VPNs provide secure communication between networks or devices over the internet by encrypting and authenticating data traffic. Configuring IPsec between FortiGate firewalls involves several steps to establish a secure VPN tunnel. Here’s a detailed guide:

1. Pre-requisites

2. Configure Phase 1 (IKE)

On FortiGate A:

On FortiGate B:

3. Configure Phase 2

On FortiGate A:

On FortiGate B:

4. Verify and Monitor

Demo:

Sample Topology:

Site-A to Site-B [Site-to-Site] VPN. Go to VPN —> IPsec Wizard.

Enter the remote site public IP along with the PSK (pre-shared key).

Now add the interesting traffic (the private subnet on each side).

Configure the tunnel on both sides. Once both sides are configured and both phase negotiations complete, the tunnel comes up (or you can bring it up manually).

Once you pass traffic between the two peers, the tunnel comes up.

Policies are added automatically to allow traffic between the two sites.

Static routes between the two tunnel endpoints.

To monitor the VPN tunnel traffic and user actions, use the tunnel monitor shown in the screenshot.

Summary:

This module equips administrators with essential knowledge and practical skills for setting up IPsec VPNs using FortiGate firewalls, enhancing network security, and enabling secure communication over the internet.




Congratulations 🎁🎁✨ Now You Guys Have the Knowledge of:

By completing these modules, you’ve gained a comprehensive understanding of FortiGate firewall functionalities, security features, high availability configurations, authentication mechanisms, logging and monitoring practices, and VPN setups. You’re now well-equipped to manage and secure network environments effectively using FortiGate firewall solutions. Great job!


Creator 🔝

Created by: @hegdepavankumar (https://github.com/hegdepavankumar)


Show some  ❤️  by starring some of the repositories!



If you like what I do, maybe consider buying me a coffee 🥺👉👈

Buy Me A Coffee