FortiGate Training Syllabus (PDF)


Network Security Management



© Copyright Fortinet Inc. All rights reserved.



Introduction to Fortigate



FortiGuard Subscription Services
• Internet connection and contract required
• Provided by the FortiGuard Distribution Network
  o Major data centers in North America, Asia, and Europe
  o FortiGate prefers the data center in the nearest time zone, but will adjust by server load



• Package updates: FortiGuard Antivirus and IPS
  o update.fortiguard.net
  o TCP port 443 (SSL)



• Live queries: FortiGuard Web Filtering and Antispam
  o service.fortiguard.net
  o Proprietary protocol on UDP port 53 or 8888



Modes of Operation

NAT
• FortiGate is an OSI Layer 3 router
• Interfaces have IP addresses
• Packets are routed by IP

Transparent
• FortiGate is an OSI Layer 2 switch or bridge
• Interfaces do not have IPs
• Cannot route packets, only forward or not






Operation Modes & the OSI Model






Factory Default Settings
• Port 1 / internal interface IP: 192.168.1.99/24
• PING, HTTP, HTTPS, and SSH protocol management enabled
• Built-in DHCP server is enabled on port 1 / internal interface
• Default login:
  User: admin
  Password: (blank)
  o Both are case sensitive
  o Modify the default (blank) root password!



Resetting a Lost admin Password
• User: maintainer
• Password: bcpb followed by the unit's serial number, all letters upper case (e.g. "FGT60...")
• All FortiGate models and some other Fortinet device types
• Only after a hard power cycle
• Only during the first 30 seconds after boot
• Only through the hardware console port
  o Requires physical access for security reasons
  o If compliance or the risk of physical access requires it, the maintainer account can be disabled:
    config sys global
        set admin-maintainer disable
    end



Administrator Profiles
• System > Administrator






Administrator Profiles: Permissions

[Permissions matrix: levels None / Read / Read-Write for System Configuration, Network Configuration, Firewall Configuration, VPN Configuration, WiFi Controller, Log & Report]



Administrator Profiles : Hierarchy






Administrative Access: Trusted Sources
• Administrative access is denied for connections coming from IP addresses that are not in any of the trusted host subnets
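As an added example (not part of the Fortinet course material), a small Python audit that parses a constructed FortiOS-style CLI snippet, applies the trusted-hosts rule described above, and flags the two things this slide and the maintainer-account slide warn about: administrators with no trusted hosts and admin-maintainer left enabled. The key names (trusthostN, admin-maintainer) follow the FortiOS CLI; the sample configuration and the address values in it are constructed.

```python
import ipaddress

# Constructed sample in FortiOS CLI style; not captured from a real device.
SAMPLE_CONFIG = """\
config system global
    set admin-maintainer enable
end
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set trusthost2 10.10.0.0 255.255.0.0
    next
    edit "helpdesk"
    next
end
"""

def parse_cli(text):
    """config/edit/set/next/end -> {section: {entry: {key: value}}}; settings outside 'edit' go under None."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[7:], None
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            sections.setdefault(section, {}).setdefault(entry, {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            sections.setdefault(section, {}).setdefault(entry, {})[key] = value
        elif line in ("next", "end"):
            entry, section = None, (section if line == "next" else None)
    return sections

def source_allowed(admin, src_ip):
    """Trusted-hosts rule: accept a login source only if it lies inside one of the admin's trusthostN subnets; with none configured there is no restriction."""
    nets = [ipaddress.IPv4Network(v.replace(" ", "/"), strict=False)
            for k, v in admin.items() if k.startswith("trusthost")]
    return not nets or any(ipaddress.IPv4Address(src_ip) in n for n in nets)

def audit(text):
    """Findings a reviewer would raise: maintainer account still enabled, admins with no trusted hosts."""
    cfg = parse_cli(text)
    findings = []
    if cfg.get("system global", {}).get(None, {}).get("admin-maintainer") != "disable":
        findings.append("admin-maintainer not disabled")
    for name, admin in cfg.get("system admin", {}).items():
        if name is not None and not any(k.startswith("trusthost") for k in admin):
            findings.append(f"admin '{name}' has no trusted hosts")
    return findings
```

A missing admin-maintainer line is treated as enabled, since the FortiOS default is enable and `show` output omits default values.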






Features Hidden by Default
• By default, some features like IPv6 are hidden in the GUI
• Hide/show via System > Feature Visibility






Link Aggregation
• Bundles several physical ports to form a single point-to-point logical channel with greater bandwidth
  o Increases redundancy for higher availability






Interface IPs
• In NAT mode, interfaces can't be used until they have an IP address
  o Manually assigned
  o Automatic
    • DHCP
    • PPPoE
• Exceptions: One-Arm Sniffer or FortiSwitch






Interface Role Compared to Alias
• Role defines groups of interface settings typically used together
  o Avoids accidental misconfiguration
  o Four types:
    • WAN
    • LAN
    • DMZ
    • Undefined (shows all settings)
  o Not shown in the list of policies
• Alias is a nickname for an interface
  o Used in the policy list to label interfaces by purpose