Network Security Management
© Copyright Fortinet Inc. All rights reserved.
Introduction to FortiGate
FortiGuard Subscription Services
• Internet connection and contract required
• Provided by the FortiGuard Distribution Network
  o Major data centers in North America, Asia, and Europe
  o FortiGate prefers the data center in the nearest time zone, but will adjust by server load
• Package updates: FortiGuard Antivirus and IPS
  o Update.fortiguard.net
  o TCP port 443 (SSL)
• Live queries: FortiGuard Web Filtering and Antispam
  o Service.fortiguard.net
  o Proprietary protocol on UDP port 53 or 8888
Modes of Operation
NAT
• FortiGate is an OSI Layer 3 router
• Interfaces have IP addresses
• Packets are routed by IP
Transparent
• FortiGate is an OSI Layer 2 switch or bridge
• Interfaces do not have IPs
• Cannot route packets, only forward or not
Operation Modes & the OSI Model
Factory Default Settings
• Port 1 / internal interface IP: 192.168.1.99/24
• PING, HTTP, HTTPS, and SSH protocol management enabled
• Built-in DHCP server is enabled on port 1 / internal interface
• Default login:
  o User: admin
  o Password: (blank)
  o Both are case sensitive
  o Modify the default (blank) root password!
Resetting a Lost admin Password
• User: maintainer
• Password: bcpb
  o All letters must be upper case (“FGT60..”, etc.)
• All FortiGate models and some other Fortinet device types
• Only after a hard power cycle
• Only during the first 30 seconds after boot
• Only through the hardware console port
  o Requires physical access for security reasons
  o If compliance or the risk of physical access requires it, the maintainer account can be disabled:
      config sys global
          set admin-maintainer disable
      end
Administrator Profiles
System > Administrator
Administrator Profiles: Permissions
Example profile; for each configuration area exactly one access level is selected (√):

                            None    Read    Read-Write
  System Configuration       ×       ×         √
  Network Configuration      ×       ×         √
  Firewall Configuration     ×       √         ×
  VPN Configuration          √       ×         ×
  WiFi Controller            √       ×         ×
  Log & Report               ×       √         ×
Administrator Profiles : Hierarchy
Administrative Access: Trusted Sources
• Administrative access is denied for connections coming from IP addresses that are not in any of the trusted host subnets
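The following FortiOS CLI fragment is an added illustration, not part of the course material: it builds the administrator profile shown in the permissions table above, binds an administrator account to it, limits that account to trusted hosts, and narrows the management protocols on port1 from the factory default. The profile name, account name and subnets are assumed values, lines starting with # are annotations only, and option names can differ between FortiOS releases, so confirm them with ? on the target device.

```text
# Added example (not from the course): profile from the permissions table,
# an admin bound to it, trusted hosts, and restricted management access.
# Profile name, admin name and addresses are assumed values.
config system accprofile
    edit "netops"
        # System Configuration: Read-Write
        set sysgrp read-write
        # Network Configuration: Read-Write
        set netgrp read-write
        # Firewall Configuration: Read
        set fwgrp read
        # VPN Configuration: None
        set vpngrp none
        # WiFi Controller: None
        set wifi none
        # Log & Report: Read
        set loggrp read
    next
end
config system admin
    edit "netops-admin"
        set accprofile "netops"
        # assumed management subnet and one jump host; any other source is denied
        set trusthost1 10.10.0.0 255.255.255.0
        set trusthost2 192.168.1.10 255.255.255.255
        # set the account password interactively; never leave it blank
    next
end
# Factory default also allows PING and HTTP on port1; keep only encrypted management
config system interface
    edit "port1"
        set allowaccess https ssh
    next
end
```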
Features Hidden by Default
• By default, some features like IPv6 are hidden in the GUI
• Hide/show via System > Feature Visibility
Link Aggregation
• Bundles several physical ports to form a single point-to-point logical channel with greater bandwidth
  o Increases redundancy for higher availability
Interface IPs
• In NAT mode, interfaces can’t be used until they have an IP address
  o Manually assigned
  o Automatic
    • DHCP
    • PPPoE
• Exceptions: One-Arm Sniffer or FortiSwitch
Interface Role Compared to Alias
• Role defines groups of interface settings that are typically used together
  o Avoids accidental misconfiguration
  o Four types:
    • WAN
    • LAN
    • DMZ
    • Undefined (show all settings)
  o Not shown in the list of policies
• Alias is a nickname for an interface
  o Used in the policy list to label interfaces by purpose