Basic Setup of FortiGate Firewall - Dr. Hidaia Mahmood Alassoulii - E-Book

Basic Setup of FortiGate Firewall

By

Dr. Hidaia Mahmood Alassouli

[email protected]

1) Introduction:

Fortinet offers the most comprehensive solutions to help industries accelerate security, maximize productivity, preserve user experience, and lower total cost of ownership.

A FortiGate firewall is a comprehensive network security solution that provides firewall protection, intrusion prevention, antivirus and antimalware scanning, VPN connectivity, and other security features. FortiGate firewall is also a router. It offers real-time threat intelligence to help you stay one step ahead of cyber attackers.

When a firewall executes packet filtering, it examines the packets of data, comparing it against filters, which consist of information used to identify malicious data. If a data packet meets the parameters of a threat as defined by a filter, then it is discarded and your network is protected.

This book consists of the following parts:

1. Firewall Evaluation
2. Firewall Sizing
3. FortiGate Series
4. FortiGate Access
5. FortiGate GUI Overview
6. FortiGate Administrator
7. FortiGate Password Policy
8. FortiGate Global Settings
9. FortiGate Modes
10. FortiGate Feature Visibility
11. FortiGuard
12. Interfaces
13. FortiGate Policy
14. FortiGate Firewall NAT
15. FortiGate Authentication
16. FortiGate Firewall Digital Certificates
17. FortiGate Firewall Security Profiles Inspection Mode
18. FortiGate Intrusion Prevention System (IPS)
19. FortiGate Web Filtering
20. FortiGate Firewall File Filtering
21. FortiGate Firewall Application Control
22. FortiGate Firewall Antivirus Security Profile
23. FortiGate High Availability
24. Other Details about FortiGate High Availability
25. FortiGate Firewall VPN
26. FortiGate Firewall IPsec
27. FortiGate Firewall SSL-VPN
28. FortiGate Firewall SD-WAN
29. Labs and Tutorials

2) Firewall Evaluation:

1. Transparent Firewall

- These firewalls do not have an IP address
- Work as a layer 2 switch
- No NAT
- No routing
- Traffic inspection up to layer 2

2. First & Second Generation (Traditional Firewall)

- Work at OSI layers 3 & 4
- NAT
- Routing
- Traffic inspection
- VPN
- No IPS
- No application awareness

3. UTM (Unified Threat Management)

Benefits:

- Work at OSI layer 7
- All-in-one network security platforms
- Firewall, VPN
- IPS, IDS
- Antivirus, antispyware
- Web filtering, mail filtering
- Load balancer

4. UTM (Unified Threat Management)

Drawbacks:

- SPOF (single point of failure)
- Resource consuming
- Bottleneck issues
- SMB

5. NGFW (Next Generation Firewall)

It is very similar to UTM, but with a more limited feature set. NGFWs may include IPS, antivirus and malware prevention, application control, deep packet inspection and stateful firewalling, encryption, compression, QoS and other capabilities.

6. FortiGate Next Generation Firewalls:

3) Firewall Sizing:

1. How to choose your Firewall

Placement of the firewall: edge, or internal (routing between VLANs)

Number of users

What types of ports, and how many of each, are needed

Number of servers in the environment; count each server as 10 additional users

Network growth: size for tomorrow, not for today

Which services are going to be used: antivirus, IPS, application control

Is storage for logs needed?

2. Firewall Sizing

3. FortiGate Sizing Guide:

4) FortiGate Series:

1. FortiGate Series :

2. Chassis:

3. Ultra High-end

4. High-end

5. Mid-Range:

6. Entry-Level:

7. Virtual Machines:

8. Data Center:

5) FortiGate Access:

1. There are two ways to access FortiGate:

2. GUI Access - Web Browser

In order to connect to the GUI using a web browser, an interface must be configured to allow administrative access over HTTPS, or over both HTTPS and HTTP.

3. FortiExplorer

FortiExplorer for iOS is a user-friendly application that helps you to rapidly provision, deploy, and monitor Security Fabric components from your iOS device.

Using USB MGT port

WiFi

FortiCloud

4. To connect and configure a FortiGate with FortiExplorer using a USB connection:

Connect your iOS device to your FortiGate USB A port.

Open FortiExplorer and select your FortiGate from the FortiGate Devices list.

On the Login screen, select USB.

Enter the default Username (admin) and leave the Password field blank.

5. To connect and configure a FortiGate with FortiExplorer wirelessly:

Open the FortiExplorer app and tap Add on the Devices page.

On the Add Device By page, tap HTTPS.

Enter the Host information, Username, and Password.

6. CLI Access-Console connection:

Using the console cable, connect the FortiGate unit’s console port to the serial communications (COM) port on your management computer.

Start a terminal emulation program on the management computer, select the COM port, and use the following settings:

7. CLI Access - SSH/Telnet:

Connect your computer through any network interface attached to one of the network ports on your FortiGate.

6) FortiGate GUI Overview:

1. The GUI contains the following main menus, which provide access to configuration options for most FortiOS features:

Dashboard

Network

Policy & Objects

Security Profiles

VPN

User & Authentication

System

Security Fabric

Log & Report

7) FortiGate Administrator:

By default, FortiGate has an administrator account with the username admin and no password. To prevent unauthorized access to the FortiGate, this account must be protected with a password. Additional administrators can be added for various functions, each with a unique username, password, and set of access privileges.

The following topics provide information about administrators:

Administrators

Admin Profiles

8) FortiGate Password Policy:

1. FortiGate allows you to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password policy, including:

The minimum length, between 8 and 64 characters.

If the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.

If the password must contain numbers (1, 2, 3).

If the password must contain special or non-alphanumeric characters: !, @, #, $, %, ^, &, *, (, and )

Where the password applies (admin or IPsec or both).

The duration of the password before a new one must be specified.

The minimum number of unique characters that a new password must include.

2. If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, the administrator is prompted to update the password to meet the new requirements before proceeding to log in.

3. To create a system password policy in the GUI:

Go to System > Settings.

In the Password Policy section, change the Password scope to Admin, IPsec, or Both.

Configure the password policy options.
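To make the policy options above concrete, here is an added Python example (not code from the book or from FortiOS) that checks a candidate password against such a policy and lists every unmet requirement. The option names are this example's own, and the "minimum number of unique characters" rule is modelled as characters that do not occur in the previous password.

```python
"""Check candidate passwords against a FortiGate-style password policy.

Added example (not from the book or from FortiOS): it models the options
listed in the text and reports every unmet requirement, so an operator can
see why a password would be rejected at the next login.
"""
from dataclasses import dataclass
from typing import List

# Special characters the policy can require, exactly as listed in the text.
SPECIAL_CHARS = set("!@#$%^&*()")


@dataclass
class PasswordPolicy:
    min_length: int = 8          # FortiGate accepts 8..64
    require_upper: bool = True
    require_lower: bool = True
    require_number: bool = True
    require_special: bool = True
    min_unique_chars: int = 0    # characters that must not appear in the old password
    expire_days: int = 0         # 0 = passwords never expire
    scope: str = "both"          # "admin", "ipsec" or "both"

    def __post_init__(self) -> None:
        if not 8 <= self.min_length <= 64:
            raise ValueError("min_length must be between 8 and 64")
        if self.scope not in ("admin", "ipsec", "both"):
            raise ValueError("scope must be admin, ipsec or both")


def applies_to(policy: PasswordPolicy, kind: str) -> bool:
    """kind is 'admin' or 'ipsec'; the policy applies when its scope covers it."""
    return policy.scope in ("both", kind)


def check_password(policy: PasswordPolicy, password: str, previous: str = "") -> List[str]:
    """Return the violated requirements (an empty list means the password is acceptable).

    `previous` is the password being replaced; the min_unique_chars rule counts
    how many characters of the new password do not occur in it (this is how the
    "minimum number of unique characters" option is modelled here).
    """
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if len(password) > 64:
        failures.append("longer than 64 characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if policy.require_number and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.require_special and not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character from " + "".join(sorted(SPECIAL_CHARS)))
    if len(set(password) - set(previous)) < policy.min_unique_chars:
        failures.append(f"fewer than {policy.min_unique_chars} characters not in the previous password")
    return failures


def must_change(policy: PasswordPolicy, age_days: int) -> bool:
    """True when the password has reached the policy's expiry period."""
    return policy.expire_days > 0 and age_days >= policy.expire_days


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=12, min_unique_chars=4, expire_days=90)
    for candidate in ("Fortinet#2024", "fortinet2024", "Fg#1"):
        print(candidate, check_password(policy, candidate) or "ok")
```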

4. FortiGate Reset Password

Step 1: Connect the computer to the firewall via the Console port on the back of the unit.

Step 2: Power off the FortiGate device.

Step 3: Start the terminal software.

Step 4: Type in the username: maintainer

Step 5: The password is bcpb + the serial number of the firewall. Example: bcpbFGT60C3G10xxxxxx

Step 6: Set a new password for the admin account:

# config system admin

# edit admin

# set password <new password>

# end

5. How to disable Maintainer

# config system global

# set admin-maintainer {enable | disable}

# end

6. Maintainer User

The maintainer login is only accepted within a 60-second countdown window that starts when the device powers up.

Using the maintainer account and resetting a password causes a log entry to be created, making these actions traceable for security purposes.

The only thing the maintainer account has permission to do is reset the passwords of super-admin profile accounts.

The account is able to reset the password of any super-admin profile user, not only the default admin user.

This takes into account the possibility that the default account has been renamed.

7. Setting the administrator password retries and lockout time

By default, the number of password retry attempts is set to three.

By default, the lockout time is 60 seconds.

A maximum of ten retry attempts can be configured, and the lockout period can be 1 to 2147483647 seconds (over 68 years).

8. To configure the lockout options:

# config system global

# set admin-lockout-threshold <failed attempts>

# set admin-lockout-duration <seconds>

# end
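As an added illustration (not code from the book or from FortiOS), the following Python model reproduces the threshold-and-duration behaviour just described against a constructed sequence of login attempts. It tracks consecutive failures per administrator account, which is an assumption of the model, and uses the limits stated in the text.

```python
"""Model FortiGate-style administrator lockout (admin-lockout-threshold / duration).

Added example, not code from the book or from FortiOS: after `threshold`
consecutive failures an account is refused for `duration` seconds, even when
the correct password is offered. Failures are counted per account (an
assumption of this model); the limits are the ones given in the text.
"""
from typing import Dict, List, Tuple

MAX_THRESHOLD = 10           # at most ten retry attempts can be configured
MAX_DURATION = 2147483647    # upper bound of the lockout period in seconds


class AdminLockout:
    def __init__(self, threshold: int = 3, duration: int = 60):
        if not 1 <= threshold <= MAX_THRESHOLD:
            raise ValueError("threshold must be 1..10")
        if not 1 <= duration <= MAX_DURATION:
            raise ValueError("duration must be 1..2147483647 seconds")
        self.threshold = threshold
        self.duration = duration
        self._failures: Dict[str, int] = {}       # consecutive failures per account
        self._locked_until: Dict[str, float] = {} # unlock time per account

    def is_locked(self, user: str, now: float) -> bool:
        """True while the account's lockout has not yet expired at time `now`."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock expired: clear it and start counting failures again.
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Process one login attempt; returns 'locked', 'ok' or 'fail'."""
        if self.is_locked(user, now):
            return "locked"      # rejected even if the password is right
        if password_ok:
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.threshold:
            self._locked_until[user] = now + self.duration
        return "fail"


def replay(lockout: AdminLockout, attempts: List[Tuple[float, str, bool]]) -> List[str]:
    """Run a sequence of (time, user, password_ok) attempts and return the outcomes."""
    return [lockout.attempt(user, ok, t) for t, user, ok in attempts]


# Constructed attempt log: three wrong guesses for "admin", the correct password
# while still locked, then the correct password after the 60-second lock expires.
SAMPLE_ATTEMPTS = [
    (0.0, "admin", False),
    (1.0, "admin", False),
    (2.0, "admin", False),
    (3.0, "admin", True),
    (70.0, "admin", True),
]

if __name__ == "__main__":
    print(replay(AdminLockout(), SAMPLE_ATTEMPTS))
```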

9) FortiGate Global Settings:

1. FortiGate Global Settings

System Settings

System Time

Administration Settings

Workflow Management

View Settings

Start Up Settings

Email Service

Disk Settings

2. System Settings: Changing the host name

The FortiGate host name is shown in the Hostname field in the System Information widget on a dashboard. If the FortiGate is in an HA cluster, use a unique host name to distinguish it from the other devices in the cluster.

The legal characters are numbers (0-9), letters (A-Z, a-z) and the special characters - and _.

Maximum length 35 characters, minimum 1.

3. To change the host name in the CLI:

# config system global

# set hostname <hostname>

# end

4. System Time

5. Administration Settings

6. Workflow Management

Administrators can use configuration save, or workspace, mode to implement strict change control by requiring changes to be manually committed to flash.

When Configuration save mode is set to Automatic (default), configuration changes are automatically saved to both memory and flash.

When Configuration save mode is set to Workspace, configuration changes are saved to memory but not flash. The changes take effect immediately, but must be manually saved to flash. Unsaved changes are reverted when the device is rebooted.

7. View Settings

8. Start Up Settings

a) Running a file system check automatically

There is an option in FortiOS to enable automatic file system checks if the FortiGate shuts down ungracefully.

By default, the automatic file system check is disabled. When an administrator logs in after an ungraceful shutdown, a warning message appears advising them to manually run a file system check. A warning also appears in the CLI:

b) Restoring from a USB drive

The FortiGate firmware can be manually restored from a USB drive, or installed automatically from a USB drive after a reboot.

9. To restore the firmware from a USB drive:

Copy the firmware file to the root directory on the USB drive.

Connect the USB drive to the USB port of the FortiGate device.

Connect to the FortiGate CLI using the RJ-45 to USB (or DB-9) or null modem cable.

Enter the following command:

execute restore image usb <filename>

The FortiGate unit responds with the following message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

Type y. The FortiGate unit restores the firmware and restarts. This process takes a few minutes.

Update the antivirus and attack definitions:

execute update-now

10. To install firmware automatically from a USB drive:

Go to System > Settings.

In the Start Up Settings section, enable Detect firmware and enter the name of the firmware file.

Copy the firmware file to the root directory on the USB drive.

Connect the USB drive to the USB port of the FortiGate device.

Reboot the FortiGate device.

11. Email Service

Alert emails are used to notify administrators about events on the FortiGate device, allowing a quick response to any issues.

There are two methods that can be used to configure email alerts:

Automation stitches

Alert emails

The FortiGate has a default SMTP server, notification.fortinet.net, that provides secure mail service with SMTPS. It is used for all emails that are sent by the FortiGate, including alert emails, automation stitch emails, and FortiToken Mobile activations. You can also configure a custom email service.

12. Configure a custom email service in the GUI:

13. Automation stitches

Automation stitches can be configured to send emails based on a variety of triggers, giving you control over the events that cause an alert, and who gets alerted.

14. Alert emails

When configuring an alert email, you can define the threshold at which an issue becomes critical and requires attention. When the threshold is reached, an email is sent to up to three recipients on the configured schedule to notify them of the issue. Alert email messages can be configured in the CLI.

15. Alert emails

In this example, the FortiGate is configured to send email messages to two addresses, [email protected] and [email protected], every two minutes when multiple intrusions, administrator log in or out events, or configuration changes occur. To configure an alert email:

# config alertemail setting

# set username [email protected]

# set mailto1 [email protected]

# set mailto2 [email protected]

# set filter-mode category

# set email-interval 2

# set IPS-logs enable

# set configuration-changes-logs enable

# set admin-login-logs enable

# end

16. Disk Settings

Both logging and WAN Optimization use hard disk space to save data. In FortiOS, you cannot use the same hard disk for WAN Optimization and logging.

If the FortiGate has one hard disk, then it can be used for either disk logging or WAN optimization, but not both. By default, the hard disk is used for disk logging.

If the FortiGate has two hard disks, then one disk is always used for disk logging and the other disk is always used for WAN optimization.

10) FortiGate Modes:

1. The FortiGate unit has a choice of modes that it can be used in, either NAT mode or transparent mode. The FortiGate unit is able to operate as a firewall in both modes, but some of its features are limited in transparent mode. It is always best to choose which mode you are going to be using at the beginning of the set up. Once you start configuring the device, if you want to change the mode you are going to lose all configuration settings in the change process.

2. NAT mode

NAT mode is the most commonly used mode by a significant margin and is thus the default setting on the device. As the name implies, NAT is commonly used in this mode and is easily configured, but there is no requirement to use it. The FortiGate unit performs network address translation before IP packets are sent to the destination network.

3. NAT mode

# config system settings

# set opmode nat

# set ip <ip> <netmask>

# set gateway <gateway ip>

# set device lan

# end

4. These are some of the characteristics of NAT mode:

• Typically used when the FortiGate unit is a gateway between private and public networks.
• Each interface needs to be assigned a valid IP address for the subnet that it is connected to.
• When used, the FortiGate unit is visible to the networks it is connected to.
• Can act as a router between multiple networks within a network infrastructure.
• Each logical interface is on a distinct subnet.

5. Transparent mode

Transparent mode is so named because the device is effectively transparent in that it does not appear on the network in the way that other network devices show as a node in the path of network traffic. Transparent mode is typically used to apply the FortiOS features such as Security Profiles etc. on a private network where the FortiGate unit will be behind an existing firewall or router.

6. Transparent mode

These are some of the characteristics of transparent mode:

The FortiGate unit is invisible to the network.

All of its interfaces are on the same subnet and share the same IP address.

The FortiGate unit uses a Management IP address for the purposes of Administration.

It is still able to use NAT to a degree, but the configuration is less straightforward.

In transparent mode, you can also perform NAT by creating a security policy or policies that translates the source addresses of packets passing through the FortiGate unit as well as virtual IP addresses and/or IP pools.

7. Transparent mode

# config system settings

# set opmode transparent

# set manageip <management ip> <netmask>

# set gateway <gateway ip>

# end

11) FortiGate Feature Visibility:

1. Feature visibility is used to control which features are visible in the GUI. This allows features that are not in use to be hidden. Some features are also invisible by default and must be made visible before they can be configured in the GUI.

The visibility of a feature does not affect its functionality or configuration. Invisible features can still be configured using the CLI.

12) FortiGuard:

1. FortiGuard services can be purchased and registered to your FortiGate unit. The FortiGate must be connected to the Internet in order to automatically connect to the FortiGuard Distribution Network (FDN) to validate the license and download FDN updates.

2. The FortiGuard subscription update services include:

Antivirus (AV)

Intrusion Protection Service (IPS)

Application Control

Antispam

Web Filtering

Web Application Firewall (WAF)

3. License Information

4. Configuring FortiGuard updates

5. FortiGuard filter

The FortiGuard filter enhances the web filter features by sorting billions of web pages into a wide range of categories that users can allow or block.

The FortiGuard Web Filtering service includes over 45 million individual website ratings that apply to more than two billion pages. When the FortiGuard filter is enabled in a web filter profile and applied to firewall policies, if a request for a web page appears in traffic controlled by one of the firewall policies, the URL is sent to the nearest FortiGuard server. The URL category or rating is returned. If the category is blocked, the FortiGate shows a replacement message in place of the requested page. If the category is not blocked, the page request is sent to the requested URL as normal. To use this service, you must have a valid FortiGuard license.

6. Using FortiManager as a local FortiGuard server

FortiManager can provide a local FortiGuard server with port 443 access.

13) Interfaces:

a) Interfaces:

1. Administrators can configure both physical and virtual FortiGate interfaces in Network > Interfaces. There are different options for configuring interfaces when FortiGate is in NAT mode or transparent mode.

b) DHCP:

1. A DHCP server leases IP addresses from a defined address range to clients on the network that request dynamically assigned addresses.

2. A DHCP server can be:-

In server mode, you can define one or more address ranges from which it assigns addresses, and options such as the default gateway, DNS server, lease time, and other advanced options.

In relay mode, the interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the unit.

c) Virtual Local Area Networks (VLANs):

1. Virtual Local Area Networks (VLANs) multiply the capabilities of your FortiGate unit and can also provide added network security. VLANs use ID tags to logically separate devices on a network into smaller broadcast domains. These smaller domains forward packets only to devices that are part of that VLAN domain. This reduces traffic and increases network security.

2. In NAT mode, the FortiGate unit functions as a layer-3 device. In this mode, the FortiGate unit controls the flow of packets between VLANs and can also remove VLAN tags from incoming VLAN packets. The FortiGate unit can also forward untagged packets to other networks such as the Internet.

3. In NAT mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant switches or routers. The trunk link transports VLAN-tagged packets between physical subnets or networks. When you add VLAN sub interfaces to the FortiGate's physical interfaces, the VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate unit directs packets with VLAN IDs to sub interfaces with matching IDs.

4. You can define VLAN sub interfaces on all FortiGate physical interfaces. However, if multiple virtual domains are configured on the FortiGate unit, you only have access to the physical interfaces on your virtual domain. The FortiGate unit can tag packets leaving on a VLAN sub interface. It can also remove VLAN tags from incoming packets and add a different VLAN tag to outgoing packets.

5. Normally in VLAN configurations, the FortiGate unit's internal interface is connected to a VLAN trunk, and the external interface connects to an Internet router that is not configured for VLANs. In this configuration, the FortiGate unit can apply different policies for traffic on each VLAN interface connected to the internal interface, which results in less network traffic and better security.
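As an added example (not code from the book or from FortiOS), the following Python performs the tag operations described above on constructed Ethernet frames: parse the IEEE 802.1Q tag, deliver a frame to the VLAN sub-interface whose ID matches, strip the tag before forwarding to an untagged network, and apply a different tag on the way out. The interface names and MAC addresses are made up.

```python
"""Parse, strip and re-add IEEE 802.1Q VLAN tags on Ethernet frames.

Added example, not from the book or from FortiOS: it shows the tag handling the
text attributes to a FortiGate in NAT mode (deliver a tagged frame to the VLAN
sub-interface whose ID matches, remove the tag, add a different tag on egress)
on constructed frame bytes. Interface names and MAC addresses are made up.
"""
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_HDR = 14          # dst MAC (6) + src MAC (6) + EtherType (2)


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN ID (None if untagged), priority, EtherType and payload."""
    if len(frame) < ETH_HDR:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR])
    vid = pcp = None
    offset = ETH_HDR
    if ethertype == TPID_8021Q:
        if len(frame) < ETH_HDR + 4:
            raise ValueError("truncated 802.1Q tag")
        # Tag Control Information: 3-bit priority, 1-bit DEI, 12-bit VLAN ID,
        # followed by the real EtherType of the encapsulated payload.
        tci, ethertype = struct.unpack("!HH", frame[ETH_HDR:ETH_HDR + 4])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = ETH_HDR + 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, e.g. before forwarding to an untagged network."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]   # drop the 4 tag bytes that follow the MACs


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag with the given VLAN ID; an existing tag is replaced."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7:
        raise ValueError("priority must be 0..7")
    untagged = strip_tag(frame)
    tci = (pcp << 13) | vid
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def select_subinterface(frame: bytes, physical: str,
                        vlan_subifs: Dict[int, str]) -> Optional[str]:
    """Pick the interface a frame arriving on `physical` belongs to.

    Tagged frames go to the sub-interface with the matching VLAN ID, untagged
    frames to the physical interface itself; a VLAN ID with no configured
    sub-interface yields None (no interface, so no policy can match it).
    """
    vid = parse_frame(frame)["vid"]
    return physical if vid is None else vlan_subifs.get(vid)


# Constructed sample frame: made-up MACs, IPv4 EtherType and a stub payload.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
UNTAGGED = struct.pack("!6s6sH", DST_MAC, SRC_MAC, 0x0800) + b"\x45" + b"\x00" * 19
TAGGED_10 = add_tag(UNTAGGED, 10, pcp=3)               # as it would arrive on a trunk
SUBIFS = {10: "internal.10", 20: "internal.20"}        # VLAN sub-interfaces of "internal"

if __name__ == "__main__":
    print(parse_frame(TAGGED_10))
    print(select_subinterface(TAGGED_10, "internal", SUBIFS))
    print(parse_frame(add_tag(TAGGED_10, 20))["vid"])    # re-tagged on the way out
```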

d) Interface (WAN) 


14) FortiGate Policy: 

a) FortiGate Policy

1. A firewall policy is a set of rules that controls inbound and outbound traffic, either allowing or blocking it.

2. The two basic actions at the initial connection are either Accept or Deny:

If the action is Accept, the policy permits communication sessions.

If the action is Deny, the policy blocks communication sessions, and you can optionally log the denied traffic. If no security policy matches the traffic, the packets are dropped. A Deny security policy is needed when it is required to log the denied traffic, also called violation traffic.

All firewalls have an implicit default policy of deny any any.

3. For traffic to flow through the FortiGate firewall, there must be a policy that matches its parameters:

4. How are the Policy matches determined ?

b) FortiGate Policy Objects: Interfaces

1. Incoming interface and Outgoing Interface can be interfaces or zones

Zone :

Logical Group of Interfaces

To match policies with traffic, select one or more interfaces or any interface

2. Zone

To simplify policy configuration, you can group interfaces into logical zones. For example, you could group port4 to port7 as a DMZ zone. You can create zones on the Interfaces page. However, you should note that you cannot reference an interface in a zone individually, and, if you need to add the interface to the zone, you must remove all references to that interface (for example, firewall policies, firewall addresses, and so on). If you think you might need to reference interfaces individually, you should set multiple source and destination interfaces in the firewall policy, instead of using zones.

3. Multiple Interface Policies

By default, you can select only a single interface as the incoming interface and a single interface as the outgoing interface. This is because the option to select multiple interfaces, or any interface in a firewall policy, is disabled on the GUI. However, you can enable the Multiple Interface Policies option on the Feature Visibility page to disable the single interface restriction.

4. Multiple Interface Policies using any

You can also specify multiple interfaces, or use the any option, if you configure a firewall policy on the CLI, regardless of the default GUI setting.

It is also worth mentioning that when you choose the any interface option, you cannot select multiple interfaces for that interface. In the example shown on this slide, because any is selected as the outgoing interface, you cannot add any additional interfaces, because any interface implies that all interfaces have already been selected.

c) FortiGate Policy Objects: Addresses

1. Matching by Source: you must specify at least one source (an address object or an internet service database object)

Address object:

Subnet

Range

FQDN

MAC

Geography: a country defines addresses by the ISP's geographical location; the database is updated through FortiGuard

Internet service database (ISDB) object

2. Matching by Source: May specify user

This may refer to

Local firewall accounts

Accounts on Remote server (AD,RADIUS)

FSSO

Personal Certificate users

In the example shown, the source selectors identify a specific subnet and user group. Remember, user is an optional object, used here to make the policy more specific; if you wanted the policy to match more traffic, you would leave the user object undefined. You can also use ISDB as a source in the firewall policy, but you can select either a source address or an internet service, not both.

3. Matching by Destination: Destination criteria can use :

a) Address Object

Subnet

Range

FQDN

MAC

Geography: a country defines addresses by the ISP's geographical location; the database is updated through FortiGuard

b) Internet service database (ISDB) object

Like the packet’s source, FortiGate also checks the destination address for a match.

You can use address objects or ISDB objects as destinations in the firewall policy. The address object may be a host name, IP subnet, or range. If you enter an FQDN as the address object, make sure that you’ve configured your FortiGate device with DNS servers. FortiGate uses DNS to resolve those FQDN host names to IP addresses, which are what actually appear in the IP header. 

Why is there no option to select a user? User identification is determined at the ingress interface, and packets are forwarded to the egress interface only after user authentication is successful.

4. Internet service database (ISDB) object

a) Internet Service is a database that contains a list of IP addresses, IP protocols, and port numbers used by the most common internet services. FortiGate periodically downloads the newest version of this database from FortiGuard. You can select these as Source or Destination in the firewall policy.

What happens if you need to allow traffic to only a few well-known public internet destinations, such as Dropbox or Facebook? When configuring your firewall policy, you can use an Internet Service as the destination, which contains all the IP addresses, ports, and protocols used by that service.

b) For the same reason, you cannot mix regular address objects with ISDB objects, and you cannot select services on a firewall policy. The ISDB objects already have services information, which is hardcoded.

If ISDB selected as Source: You cannot use Address in the Source

If ISDB selected as Destination: You cannot use Address in the Destination. You cannot select service in the firewall policy

c) Geographic-based ISDB objects

Allow users to define a country, region, and city. These objects can be used in firewall policies for more granular control over the location of the parent ISDB object.

ISDB objects are referenced in policies by name, instead of by ID.

d) Internet service database Update

You can disable ISDB updates so they occur only during a change control window.

Once ISDB updates are disabled, other scheduled FortiGuard updates for IPS, AV, and so on, do not update ISDB.

By default, ISDB updates are enabled.

e) Example of ISDB Addresses:

d) FortiGate Policy Objects: Services

1. Another criterion that FortiGate uses to match policies is the packet’s service.

2. Services are defined by a communication protocol and by a port number (e.g. the HTTP service uses the TCP protocol with port number 80).

Ports: 1 to 65,535

Standard ports 1 to 1024 are normally used for listening for incoming communication

Protocols: TCP, UDP

3. FortiGate uses services to determine the port number of accepted or denied traffic.

4. By default, services are grouped together to simplify administration by categories. If the predefined services don’t meet your organizational needs, you can create one or more new services, service groups, and categories.
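The matching rules described throughout this section, as an added Python example (not code from the book or from FortiOS): top-down first match, zones and the any interface, address and ISDB objects with the mixing restrictions stated above, protocol/port services, and explicit versus implicit deny with logging. All policies, interface names, addresses and ISDB entries are constructed for the example.

```python
"""Top-down firewall policy matching in the style of the FortiGate policy model above.

Added example, not code from the book or from FortiOS: policies are tried in order, the
first match decides, and traffic matching none hits the implicit deny. Zones, the "any"
interface, subnet/range address objects, services and a constructed ISDB table are
modelled; validate_policy() enforces the object-mixing rules from the text.
"""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = "any"
# Constructed ISDB: name -> [(subnet, protocol, port)]. Real entries come from FortiGuard.
ISDB: Dict[str, List[Tuple[str, str, int]]] = {
    "Example-Web": [("203.0.113.0/24", "tcp", 443), ("203.0.113.0/24", "tcp", 80)]}
# Zones expand to their member interfaces (the text's port4..port7 DMZ example).
ZONES: Dict[str, List[str]] = {"DMZ": ["port4", "port5", "port6", "port7"]}
Packet = namedtuple("Packet", "ingress egress src dst proto dport")

@dataclass
class Policy:
    name: str
    srcintf: List[str]                   # interface or zone names, or ["any"]
    dstintf: List[str]
    action: str                          # "accept" or "deny"
    srcaddr: List[str] = field(default_factory=list)  # "10.0.1.0/24" or "a.b.c.d-e.f.g.h"
    dstaddr: List[str] = field(default_factory=list)
    service: List[Tuple[str, int]] = field(default_factory=list)  # (proto, port); 0 = any port
    src_isdb: Optional[str] = None       # ISDB object used instead of srcaddr
    dst_isdb: Optional[str] = None       # ISDB object used instead of dstaddr + service
    log: bool = False                    # log the sessions this policy decides on

def validate_policy(p: Policy) -> None:
    """Reject the object combinations the text says cannot be configured."""
    for side in (p.srcintf, p.dstintf):
        if ANY in side and len(side) > 1:
            raise ValueError(f"{p.name}: 'any' already covers all interfaces")
    if p.src_isdb and p.srcaddr:
        raise ValueError(f"{p.name}: source cannot mix address objects and ISDB")
    if p.dst_isdb and (p.dstaddr or p.service):
        raise ValueError(f"{p.name}: an ISDB destination carries its own services")
    if not (p.src_isdb or p.srcaddr) or not (p.dst_isdb or p.dstaddr):
        raise ValueError(f"{p.name}: at least one source and one destination are required")

def _intf_match(selector: List[str], intf: str) -> bool:
    members = set()
    for name in selector:
        members.update(ZONES.get(name, [name]))   # a zone name expands to its members
    return ANY in selector or intf in members

def _addr_match(objs: List[str], ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    for obj in objs:
        if "-" in obj:                                        # range object
            lo, hi = (ipaddress.ip_address(x) for x in obj.split("-"))
            if lo <= a <= hi:
                return True
        elif a in ipaddress.ip_network(obj, strict=False):    # subnet object
            return True
    return False

def _isdb_match(name: str, ip: str, proto: Optional[str] = None, port: int = 0) -> bool:
    a = ipaddress.ip_address(ip)   # source ISDB checks the address only; destination also proto/port
    return any(a in ipaddress.ip_network(net) and (proto is None or (pr, pt) == (proto, port))
               for net, pr, pt in ISDB[name])

def match(policies: List[Policy], pkt: Packet) -> Tuple[Optional[str], str, bool]:
    """Return (policy name, action, logged); (None, 'deny', False) is the implicit deny."""
    for p in policies:
        if not (_intf_match(p.srcintf, pkt.ingress) and _intf_match(p.dstintf, pkt.egress)):
            continue
        if not (_isdb_match(p.src_isdb, pkt.src) if p.src_isdb else _addr_match(p.srcaddr, pkt.src)):
            continue
        if p.dst_isdb:
            if not _isdb_match(p.dst_isdb, pkt.dst, pkt.proto, pkt.dport):
                continue
        elif not (_addr_match(p.dstaddr, pkt.dst) and
                  any(pr == pkt.proto and pt in (0, pkt.dport) for pr, pt in p.service)):
            continue
        return p.name, p.action, p.log
    return None, "deny", False   # implicit deny: not logged unless an explicit deny policy logs it

POLICIES = [   # constructed policy table, evaluated top-down
    Policy("LAN-to-DMZ-web", ["internal"], ["DMZ"], "accept", srcaddr=["10.0.1.0/24"],
           dstaddr=["192.168.50.10-192.168.50.20"], service=[("tcp", 443)]),
    Policy("LAN-to-Example-Web", ["internal"], ["wan1"], "accept",
           srcaddr=["10.0.1.0/24"], dst_isdb="Example-Web"),
    Policy("Log-other-LAN-egress", ["internal"], [ANY], "deny", log=True,
           srcaddr=["10.0.1.0/24"], dstaddr=["0.0.0.0/0"], service=[("tcp", 0), ("udp", 0)])]
```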