FortiGate 7.4 Administrator Study Guide PDF

Summary

This document is a study guide for FortiGate 7.4 administrators. It covers various topics such as system and network settings, firewall policies, routing, and troubleshooting. The guide aims to provide detailed explanations and configuration steps for FortiGate devices.

Full Transcript


DO NOT REPRINT © FORTINET

FortiGate Administrator Study Guide, FortiOS 7.4

Fortinet Training Institute - Library: https://training.fortinet.com
Fortinet Product Documentation: https://docs.fortinet.com
Fortinet Knowledge Base: https://kb.fortinet.com
Fortinet Fuse User Community: https://fusecommunity.fortinet.com/home
Fortinet Forums: https://forum.fortinet.com
Fortinet Product Support: https://support.fortinet.com
FortiGuard Labs: https://www.fortiguard.com
Fortinet Training Program Information: https://www.fortinet.com/nse-training
Fortinet | Pearson VUE: https://home.pearsonvue.com/fortinet
Fortinet Training Institute Helpdesk (training questions, comments, feedback): https://helpdesk.training.fortinet.com/support/home

11/15/2023

TABLE OF CONTENTS

01 System and Network Settings 4
02 Firewall Policies and NAT 31
03 Routing 69
04 Firewall Authentication 95
05 Fortinet Single Sign-On (FSSO) 123
06 Certificate Operations 158
07 Antivirus 192
08 Web Filtering 213
09 Intrusion Prevention and Application Control 237
10 SSL VPN 266
11 IPsec VPN 293
12 SD-WAN Configuration and Monitoring 342
13 Security Fabric 381
14 High Availability 408
15 Diagnostics and Troubleshooting 442

System and Network Settings

In this lesson, you will learn about system and network settings on FortiGate.

FortiGate 7.4 Administrator Study Guide 4

After completing this lesson, you should be able to achieve the objectives shown on this slide. By demonstrating competence in basic system and network administration, you will be able to install FortiGate into your network and configure basic networking settings. You will also be able to better manage administrative users to implement stronger security practices around administrative access.
Network address translation (NAT) mode is the default operation mode. What are the other factory default settings? After you have removed FortiGate from its box, what do you do next? Now, you will take a look at how you set up FortiGate.

Attach your computer's network cable to port1 or the internal switch ports (on entry-level models). For high-end and mid-range models, connect to the management interface. In most entry-level models, there is a DHCP server on that interface, so if your computer's network settings have DHCP enabled, your computer should automatically get an IP address and you can begin setup.

To access the GUI on FortiGate or FortiWiFi, open a web browser and visit https://192.168.1.99. The default login information is public knowledge. Never leave the default password blank: your network is only as secure as your FortiGate admin account. Once you have logged in with the default login details, you will see a message prompting you to change the blank default password for the admin user. Before you connect FortiGate to your network, you should set a complex password. You will also be asked to apply additional configuration, such as the hostname, dashboard setup, registration with FortiCare, and so on.

All FortiGate models have a console port and/or a USB management port. The port provides CLI access without a network. You can access the CLI using the CLI Console widget on the GUI, or from a terminal emulator such as PuTTY or Tera Term.

When FortiGate is operating in network address translation (NAT) mode, every interface that handles traffic must have an IP address. In NAT mode, FortiGate can use the IP address to source traffic, if it needs to start or reply to a session, and as a destination address for devices trying to contact FortiGate or route traffic through it.
There are multiple ways to get an IP address:
- Manually
- Automatically, using either DHCP or Point-to-Point Protocol over Ethernet (PPPoE) (available on the CLI)

How many times have you seen network issues caused by a DHCP server, not client, enabled on the WAN interface? You can configure the interface role. The roles shown on the GUI are the usual interface settings for that part of a topology. Settings that do not apply to the current role are hidden on the GUI. (All settings are always available on the CLI, regardless of the role.) This prevents accidental misconfiguration. For example, when the role is configured as WAN, there is no DHCP server or device detection configuration available. Device detection is usually used to detect devices internally on your LAN. If there is an unusual case and you need to use an option that is hidden by the current role, you can always switch the role to Undefined, which displays all options.

To help you remember the use of each interface, you can give them aliases. For example, you could call port3 internal_network. This can make your list of policies easier to comprehend.

Wireless clients are not the only ones that can use FortiGate as their DHCP server. For an interface (such as port3), select the Manual option, enter a static IP, and then enable the DHCP Server option. Options for the built-in DHCP server appear, including provisioning features such as DHCP options and IP address assignment rules.

VLANs split your physical LAN into multiple logical LANs. In NAT operation mode, each VLAN forms a separate broadcast domain. Multiple VLANs can coexist on the same physical interface, provided they have different VLAN IDs.
In this way, a physical interface is split into two or more logical interfaces. A tag is added to each Ethernet frame to identify the VLAN to which it belongs.

To create a VLAN using the GUI, click Create New, select Interface, and then, in the Type field, select VLAN. You must specify the VLAN ID and the physical interface to which the VLAN will be bound. Frames that belong to interfaces of that type are always tagged. On the other hand, frames sent or received by the physical interface segment are never tagged; they belong to what is called the native VLAN (VLAN ID 0). Note that in a multi-VDOM environment, the physical interface and its VLAN subinterface can be in separate VDOMs.

Before you integrate FortiGate into your network, you should configure a default gateway. If FortiGate gets its IP address through a dynamic method, such as DHCP or PPPoE, then it should also retrieve the default gateway. Otherwise, you must configure a static route. Without this, FortiGate will not be able to respond to packets outside the subnets directly attached to its own interfaces. It will probably also be unable to connect to FortiGuard for updates, which FortiGate needs to access, and may not route traffic correctly. You should make sure that FortiGate has a route that matches all packets (destination 0.0.0.0/0), known as a default route, and forwards them through the network interface that is connected to the internet, to the IP address of the next router. Routing completes the basic network settings that are required before you can configure firewall policies. You can expand Advanced Options and enter a priority value. When two routes have an equal distance, the route with the lower priority value takes precedence.
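The basic network setup described in the preceding slides (static interface address with a role and alias, the built-in DHCP server, a tagged VLAN subinterface, and the default route with a priority) can also be done on the CLI. The following is an added example written for this page, not configuration taken from the study guide. Every interface name, VLAN ID and address is constructed: port3 is assumed to be the LAN interface on 10.0.1.0/24, port1 the internet-facing interface, and 203.0.113.1 (a documentation address) stands in for the ISP router.

```text
# Added example (not from the study guide). All addresses, names and IDs are
# constructed: port3 is the LAN interface, port1 faces the internet, and
# 203.0.113.1 (documentation range) stands in for the ISP router.

# 1. Static IP, role and alias on the LAN interface. allowaccess lists the
#    management protocols this interface answers to; keep the list minimal.
config system interface
    edit "port3"
        set mode static
        set ip 10.0.1.254 255.255.255.0
        set role lan
        set alias "internal_network"
        set allowaccess ping https ssh
    next
end

# 2. Built-in DHCP server on port3 (a static IP is the prerequisite). Hand out
#    FortiGate's own interface address as the gateway; "default" reuses the
#    system DNS settings.
config system dhcp server
    edit 1
        set interface "port3"
        set default-gateway 10.0.1.254
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.0.1.100
                set end-ip 10.0.1.200
            next
        end
    next
end

# 3. A tagged VLAN subinterface bound to port3. Frames on "vlan10" carry
#    802.1Q tag 10; untagged frames still belong to port3 (the native VLAN).
config system interface
    edit "vlan10"
        set vdom "root"
        set type vlan
        set interface "port3"
        set vlanid 10
        set ip 10.0.10.254 255.255.255.0
        set allowaccess ping
    next
end

# 4. Default route (matches 0.0.0.0/0) out of the WAN interface. Between two
#    routes of equal distance, the one with the lower priority value wins.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port1"
        set distance 10
        set priority 5
    next
end

# Verify: the routing table should list the default route as active.
get router info routing-table all
```

Note that the VLAN subinterface gets its own allowaccess list; nothing inherited from port3 applies to it, which is why the management protocols are restated there.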
What if, more than segmenting your network, you want to subdivide policies and administrators into multiple security domains? In that case, you can enable FortiGate VDOMs, which split your FortiGate into multiple logical devices. Each VDOM has independent security policies and routing tables. Also, by default, traffic from one VDOM cannot go to a different VDOM. This means that two interfaces in different VDOMs can share the same IP address, without any overlapping subnet problems. When you use VDOMs, a single FortiGate device becomes a virtual data center of network security, unified threat management (UTM) inspection, and secure communication devices.

Most features are available on both the GUI and CLI, but there are a few exceptions. You can't view reports on the CLI. Also, advanced settings and diagnostic commands for super users are usually not available on the GUI. As you become more familiar with FortiGate, and especially if you want to script its configuration, you might want to use the CLI in addition to the GUI. You can access the CLI through either the JavaScript widget on the GUI named CLI Console, or through a terminal emulator such as Tera Term or PuTTY. Your terminal emulator can connect through the network (SSH or Telnet) or the local console port. SNMP and some other administrative protocols are also supported, but they are read-only. You can't use them for basic setup.

Whichever method you use, start by logging in as admin. Begin by creating separate accounts for other administrators. For security and tracking purposes, it is a best practice for each administrator to have their own account.
In the Create New field, you can select either Administrator or REST API Admin. Typically, you will select Administrator and then assign an Administrator Profile, which specifies that user's administrative permissions. You could select REST API Admin to add an administrative user who would use a custom application to access FortiGate with a REST API. The application would allow you to log in to FortiGate and perform any task that your assigned Administrator Profile permits.

Other options, not shown here, include:
- Instead of creating accounts on FortiGate, you could configure FortiGate to query a remote authentication server.
- In place of passwords, your administrators could authenticate using digital certificates that are issued by your internal certification authority server.

If you do use passwords, ensure that they are strong and complex. For example, you could use multiple interleaved words with varying capitalization, and randomly insert numbers and punctuation. Do not use short passwords, or passwords that contain names, dates, or words that exist in any dictionary. These are susceptible to brute force attack. To audit the strength of your passwords, use tools such as L0phtcrack (http://www.l0phtcrack.com/) or John the Ripper (http://www.openwall.com/john/). The risk of a brute force attack is increased if you connect the management port to the internet.

In order to restrict access to specific features, you can assign permissions.

When assigning permissions to an administrator profile, you can specify read-and-write, read-only, or none for each area. By default, there is a special profile named super_admin, which is used by the account named admin. You can't change it. It provides full access to everything, making the admin account similar to a root superuser account. The prof_admin profile is another default profile.
It also provides full access, but unlike super_admin, it applies only to its virtual domain, not the global settings of FortiGate, and you can change its permissions. You aren't required to use a default profile. You could create a profile named auditor_access with read-only permissions. Restricting a person's permissions to those necessary for their job is a best practice, because even if that account is compromised, the compromise of your FortiGate device (or network) is not total. To do this, create administrator profiles, then select the appropriate profile when configuring an account.

The Override Idle Timeout option allows the admintimeout value, under config system accprofile, to be overridden per access profile. You can configure administrator profiles to increase the inactivity timeout and facilitate use of the GUI for central monitoring. Note that you can do this on a per-profile basis, to prevent the option from being unintentionally set globally.

So, what are the effects of administrator profiles? It's actually more than just read or write access. Depending on the type of administrator profile that you assign, an administrator may not be able to access the entire FortiGate device. For example, you could configure an account that can view only log messages. Administrators may not be able to access global settings outside their assigned virtual domain either. Virtual domains (VDOMs) are a way of subdividing the resources and configurations on a single FortiGate. Administrators with a smaller scope of permissions cannot create, or even view, accounts with more permissions.

Another way to secure FortiGate is to define the hosts or subnets that are trusted sources from which to log in. In this example, 10.0.1.10 is configured as the only trusted IP from which admin can log in.
If admin attempts to log in from a machine with any other IP, they will receive an authentication failure message. Note that if trusted hosts are configured on all administrators and an administrator tries to log in from an IP address that is not set as a trusted host for any administrator, then the administrator will not get the login page. Instead, the administrator will receive this message: “Unable to contact server”.

If you leave any IPv4 address as 0.0.0.0/0, it means that connections from any source IP will be allowed. By default, 0.0.0.0/0 is the configuration for the administrator, although you may want to change this. Notice that each account can define its management host or subnet differently. Be aware of any NAT that occurs between the desired device and FortiGate. You can easily prevent an administrator from logging in from the desired IP address if it is later NATed to another address before reaching FortiGate, thus defeating the purpose of the trusted hosts.

Another option is to configure an administrator account that is restricted to provisioning guest user accounts. With this option enabled, the administrator account can provision guest user accounts, provided that a guest user group is available to provision them into.

You may also want to customize the administrative protocol port numbers. You can choose whether to allow concurrent sessions. Disallowing concurrent sessions helps avoid accidentally overwriting settings, for example if you usually keep multiple browser tabs open, or if you accidentally leave a CLI session open without saving the settings, then begin a GUI session and accidentally edit the same settings differently. For better security, use only secure protocols, and enforce password complexity and changes.
The Idle timeout setting specifies the number of minutes before an inactive administrator session times out (the default is five minutes). A shorter idle timeout is more secure, but increasing the timer can help reduce the chance of administrators being logged out while testing changes. You can override the idle timeout setting per administrator profile using the Override Idle Timeout setting. You can configure an administrator profile to increase the inactivity timeout and facilitate use of the GUI for central monitoring. The Override Idle Timeout setting allows the admintimeout value, under config system accprofile, to be overridden per access profile. Note that you can do this on a per-profile basis, to prevent the option from being unintentionally set globally.

You've defined the management subnet, that is, the trusted hosts, for each administrator account. How do you enable or disable management protocols? This is specific to each interface. For example, if your administrators connect to FortiGate only from port3, then you should disable administrative access on all other ports. This prevents brute force attempts and insecure access. Your management protocols are HTTPS, HTTP, PING, and SSH. By default, the HTTP and TELNET options are not visible on the GUI. Consider the location of the interface on your network. Enabling PING on an internal interface is useful for troubleshooting. However, if it's an external interface (in other words, exposed to the internet), then the PING protocol could expose FortiGate to a DoS attack. You should disable protocols that do not encrypt data flow, such as HTTP and TELNET. IPv4 and IPv6 protocols are separate. It's possible to have both IPv4 and IPv6 addresses on an interface, but only respond to pings on IPv6. Security Fabric connection includes CAPWAP and FortiTelemetry.
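The administrative hardening discussed across the preceding slides (a least-privilege profile with its own idle timeout, a dedicated account limited to a trusted host, non-default ports, no concurrent sessions, a password policy, and per-interface management protocols) fits in one CLI sequence. This is an added example written for this page, not configuration from the study guide. The profile and account names, the trusted host 10.0.1.10, the ports and the choice of port3 as the only management interface are all constructed assumptions; the password is a placeholder to be replaced.

```text
# Added example (not from the study guide). Names, ports and addresses are
# constructed: 10.0.1.10 is the only management host, port3 the management
# interface, port1 the internet-facing interface.

# 1. A read-only profile (the auditor_access idea from the text). Each area
#    gets none / read / read-write. The profile also overrides the global
#    idle timeout so a monitoring screen is not logged out every 5 minutes.
config system accprofile
    edit "auditor_access"
        set scope vdom
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
        set admintimeout-override enable
        set admintimeout 30
    next
end

# 2. A dedicated account bound to that profile and to one trusted host.
#    trusthost is checked before the login page is served; an address that
#    is NATed on the way in will not match (see the caveat in the text).
config system admin
    edit "auditor"
        set accprofile "auditor_access"
        set vdom "root"
        set trusthost1 10.0.1.10 255.255.255.255
        set password <strong-unique-password>
    next
end

# 3. Global administrative settings: non-default HTTPS/SSH ports, a short
#    global idle timeout (minutes), and no concurrent admin sessions so two
#    open sessions cannot silently overwrite each other's changes.
config system global
    set admin-sport 8443
    set admin-ssh-port 2222
    set admintimeout 5
    set admin-concurrent disable
end

# 4. Enforce complexity and rotation for administrator passwords.
config system password-policy
    set status enable
    set apply-to admin-password
    set minimum-length 12
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set expire-status enable
    set expire-day 90
    set reuse-password disable
end

# 5. Management protocols are per interface: encrypted protocols (plus ping
#    for troubleshooting) only on the management interface, nothing at all
#    on the internet-facing interface.
config system interface
    edit "port3"
        set allowaccess https ssh ping
    next
    edit "port1"
        unset allowaccess
    next
end
```

After applying this, a login attempt for "auditor" from any source other than 10.0.1.10 fails, and HTTPS/SSH to port1 are refused at the interface before any credential is evaluated.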
Protocols like FortiTelemetry are not for administrative access, but, like GUI and CLI access, they are protocols where the packets have FortiGate as the destination IP. Use the FortiTelemetry protocol specifically for managing FortiClient and the Security Fabric. Use the CAPWAP protocol for FortiAP, FortiSwitch, and FortiExtender when they are managed by FortiGate. Use the FMG-Access protocol specifically for communicating with FortiManager when that server is managing multiple FortiGate devices. Use the RADIUS accounting protocol when FortiGate needs to listen for and process RADIUS accounting packets for single sign-on authentication. FTM, or FortiToken Mobile push, supports second-factor authentication requests from a FortiToken mobile app.

When you assign the interface roles LAN or WAN to the appropriate interfaces, your FortiGate uses the Link Layer Discovery Protocol (LLDP) to detect if there's an upstream FortiGate in your network. If FortiGate discovers an upstream FortiGate, you're prompted to configure the upstream FortiGate device to join the Security Fabric.

Now that FortiGate has basic network settings and administrative accounts, you will learn how to back up the configuration. In addition to selecting the destination of the backup file, you can choose whether or not to encrypt the backup file. Even if you choose not to encrypt the file, which is the default, the passwords stored in the file are hashed and, therefore, obfuscated. The passwords stored in the configuration file include passwords for the administrative users and local users, and preshared keys for your IPsec VPNs. It may also include passwords for the FSSO and LDAP servers. The other option is to encrypt the configuration file with a password. Besides securing the privacy of your configuration, it also has some effects you may not expect.
After encryption, the configuration file cannot be decrypted without the password and a FortiGate of the same model and firmware. This means that if you send an encrypted configuration file to Fortinet technical support, even if you give them the password, they cannot load your configuration until they get access to the same model of FortiGate. This can cause unnecessary delays when resolving your ticket. Instead, you can enable the password masking option when creating a new backup file, which replaces all passwords and secrets in the configuration file and prevents unintentional data leaks when you share the backup file with a third party.

If you enable virtual domains (VDOMs), subdividing the resources and configuration of your FortiGate device, each VDOM administrator can back up and restore their own configuration. You don't have to back up the entire FortiGate configuration; however, it is still recommended. Backups are needed to help speed up the return to production in the event of an unforeseen disaster that damages FortiGate. Having to recreate hundreds of policies and objects from scratch takes a significant amount of time, while loading a configuration file on a new device takes much less. Restoring a configuration file is very similar to backing one up, and it restarts FortiGate.

If you open the configuration file in a text editor, you'll see that both encrypted and unencrypted configuration files contain a cleartext header with some basic information about the device. The example on this slide shows what information is included. To restore an encrypted configuration, you must upload it to a FortiGate device of the same model and firmware, then provide the password. To restore an unencrypted configuration file, you are required to match only the FortiGate model. If the firmware is different, FortiGate will attempt to upgrade the configuration.
This is similar to how it uses upgrade scripts on the existing configuration when upgrading firmware. However, it is still recommended to match the firmware on FortiGate to the firmware listed in the configuration file. Usually, the configuration file contains only non-default settings, plus a few default but crucial settings. This minimizes the size of the backup, which could otherwise be several megabytes.

The YAML format is increasingly popular for configuration files. FortiOS now supports the YAML format: you can take a backup and restore a YAML configuration file using the GUI. This slide shows a sample configuration to illustrate the difference between the default file format and the YAML format.

You can view the current firmware version in multiple places on the FortiGate GUI. When you first log in to FortiGate, the landing page is the dashboard. You can see the firmware version in the System widget. This information is also found at System > Firmware & Registration. And, of course, you can retrieve the information on the CLI using the command get system status. If a new version of the firmware is available, you are notified on the dashboard and on the Firmware & Registration page. The Firmware & Registration page allows administrators to manage the firmware running on each FortiGate, FortiAP, and FortiSwitch in the Security Fabric, and to authorize and register these Fabric devices. You can use the Upgrade option to upgrade the firmware of the selected device. The Fabric Upgrade option upgrades firmware for the root FortiGate as well as Fabric devices. You can also use this option to upgrade firmware for a non-Security Fabric FortiGate with managed FortiSwitch and FortiAP devices. The Fabric Upgrade option uses released firmware images from FortiGuard.
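The backup and restore behaviour described in the preceding slides (unencrypted versus encrypted files, the model/firmware match required for each, and the cleartext header) is easiest to see from the CLI. This is an added example written for this page, not commands or output from the study guide. The TFTP server address 10.0.1.10 and the file names are constructed, and the header line is a constructed illustration of the header's shape with placeholders in angle brackets rather than a real device's values.

```text
# Added example (not from the study guide). 10.0.1.10 is a constructed TFTP
# server on the management subnet; file names are constructed too.

# Unencrypted backup (the default). Passwords and preshared keys remain in the
# file, hashed/obfuscated but present. Restoring later needs only the same
# model; a different firmware version is upgraded on the fly (not ideal).
execute backup config tftp fgt-backup.conf 10.0.1.10

# Encrypted backup: the trailing argument is the encryption password. A
# restore then needs the same model AND the same firmware, plus the password.
# Remember the support caveat from the text before sending such a file out.
execute backup config tftp fgt-backup-enc.conf 10.0.1.10 <backup-password>

# Restore an encrypted backup (FortiGate reboots when the restore completes).
execute restore config tftp fgt-backup-enc.conf 10.0.1.10 <backup-password>

# Before restoring, compare the running firmware with the file's cleartext
# header. Constructed illustration of the header's first line, with the
# device-specific fields replaced by placeholders:
#
#   #config-version=<MODEL>-<VERSION>-FW-build<BUILD>-<DATE>:opmode=0:vdom=0:user=admin
#
# and the running version on the device:
get system status
```

The same header is present in an encrypted file, so model and firmware can be checked before the password is ever typed; only the body after the header is encrypted.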
You can also use the Register option to register a selected device to FortiCare and the Authorize option to authorize a selected device for use in the Security Fabric. Remember to read the Release Notes to make sure that you understand the supported upgrade path. The Release Notes also provide pertinent information that may affect the upgrade.

Some FortiGate services connect to other servers, such as FortiGuard, in order to work. FortiGuard Subscription Services provide FortiGate with up-to-date threat intelligence. FortiGate uses FortiGuard by:
- Periodically requesting packages that contain a new engine and signatures
- Querying the FDN on an individual URL or host name

By default, the FortiGuard server location is set to anywhere, and FortiGate selects a server from any part of the world based on server load. However, you have the option to change the FortiGuard server location to USA. In this case, FortiGate selects a USA-based FortiGuard server. Queries are real-time; that is, FortiGate asks the FDN every time it scans for spam or filtered websites. FortiGate queries, instead of downloading the database, because of the size and frequency of changes that occur to the database. Also, you can select queries to use UDP or HTTPS for transport; the protocols are not designed for fault tolerance, but for speed. So, queries require that your FortiGate device has a reliable internet connection. Packages, like antivirus and IPS, are smaller and don't change as frequently, so they are downloaded (in many cases) only once a day. They are downloaded using TCP for reliable transport. After the database is downloaded, the associated FortiGate features continue to function, even if FortiGate does not have reliable internet connectivity.
However, you should still try to avoid interruptions during downloads: if your FortiGate device must try repeatedly to download updates, it can't detect new threats during that time. When using FortiGuard servers for DNS, FortiOS uses DNS over TLS (DoT) by default to secure the DNS traffic. New FortiGuard DNS servers have been added as primary and secondary servers.

Third-party SSL certificate verification and OCSP stapling checks have now been implemented for all FortiGuard servers. By default, the FortiGuard access mode is anycast on FortiGate, to optimize routing performance to the FortiGuard servers. The FortiGuard server has one IP address to match its domain name. FortiGate connects with a single server address, regardless of where the FortiGate device is located. The domain name of each FortiGuard service is the common name in the certificate of that service. The certificate is signed by a third-party intermediate CA. The FortiGuard server uses the Online Certificate Status Protocol (OCSP) stapling technique, so that FortiGate can always validate the FortiGuard server certificate efficiently. FortiGate will complete the TLS handshake only with a FortiGuard server that provides a good OCSP status for its certificate. Any other status results in a failed SSL connection. The FortiGuard servers query the OCSP responder of the CA every four hours and update their OCSP status. If FortiGuard is unable to reach the OCSP responder, it keeps the last known OCSP status for seven days.

FortiGate aborts the connection to the FortiGuard server if:
- The CN in the server certificate does not match the domain name resolved from DNS.
- The OCSP status is not good.
- The issuer CA is revoked by the root CA.

The FortiGuard access mode anycast setting forces the rating process to use the HTTPS protocol and port 443.
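The FortiGuard settings discussed above (anycast access mode, server location, DNS over TLS) and the checks an administrator runs to confirm that packages and rating queries are actually working can be expressed on the CLI as follows. This is an added example written for this page, not configuration from the study guide; the values shown are the ones the text discusses, and nothing in it is specific to a particular site.

```text
# Added example (not from the study guide). Values follow the settings
# discussed in the text; nothing here is site-specific.

# Anycast access mode is the default. With it enabled, FortiGate uses a single
# server address per service, forces rating queries to HTTPS on port 443, and
# validates the server certificate (CN match plus stapled OCSP status good).
# update-server-location usa pins package downloads to USA-based servers
# instead of the load-based worldwide selection.
config system fortiguard
    set fortiguard-anycast enable
    set update-server-location usa
end

# DNS over TLS for the FortiGuard DNS servers (FortiOS 7.4 enables this by
# default when FortiGuard DNS is used; shown here so the setting is explicit).
config system dns
    set dns-over-tls enable
end

# Checks.
# Rating queries are real time, so a broken path shows up here immediately:
# server list, weights and per-server error counters.
diagnose debug rating

# Version, contract expiry, last update time and last update result for every
# package and engine (antivirus, IPS, application control, ...).
diagnose autoupdate versions

# Trigger a package download now instead of waiting for the daily schedule,
# for example after restoring connectivity following repeated failed attempts.
execute update-now
```

If diagnose debug rating shows every server with growing error counters while packages still update, the usual cause is that UDP/HTTPS query traffic is filtered upstream while TCP downloads are not; the two paths fail independently, as the text notes.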
The table on this slide shows a list of some of the FortiGuard servers and their domain names and IP addresses.

You can check the status of FortiGuard licenses and the communication to FortiGuard on the FortiGate GUI. You can also check the versions of the locally installed databases for each of the FortiGuard services.

The command shown on this slide lists all the FortiGuard databases and engines installed. The information includes the version, contract expiration date, the time it was updated, and what happened during the last update. The list includes, but is not limited to, antivirus, IPS, application, and mobile malware definitions, and other security services for which FortiGate is licensed and updated using FortiGuard services.

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how and where FortiGate fits into your network and how to perform basic FortiGate administration.

Firewall Policies and NAT

In this lesson, you will learn about firewall policies and how to apply them to allow and deny traffic passing through FortiGate. At its core, FortiGate is a firewall, so almost everything that it does to your traffic is linked to your firewall policies. In this lesson, you will also learn how to configure network address translation (NAT) and use it to implement source NAT (SNAT) and destination NAT (DNAT) for the traffic passing through FortiGate.
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in identifying the different components of firewall policies, and recognizing how FortiGate matches traffic with firewall policies and takes appropriate action, you will have a better understanding of how firewall policies interact with network traffic.

To begin, you will learn what firewall policies are. Any traffic passing through a FortiGate must be associated with a firewall policy. A policy is a set of instructions that controls traffic flow through the FortiGate. These instructions determine where the traffic goes, how it's handled, and whether it's allowed to pass through the FortiGate. In summary, firewall policies are sets of rules that specify which traffic is allowed through the FortiGate and what FortiGate should do when traffic matches a policy.

Should the traffic be allowed? FortiGate bases this decision on simple criteria. FortiGate analyzes the source of the traffic, the destination IP address, and the service. If the policy does not block the traffic, FortiGate begins a more computationally expensive security profile inspection, often known as Unified Threat Management (UTM), such as antivirus, application control, and web filtering, if you've chosen it in the policy. These inspections block the traffic if there is a security risk, for example, if the traffic contains a virus. Otherwise, the traffic is allowed. Will network address translation (NAT) be applied? Is authentication required? Firewall policies also determine the answers to these questions. After processing is finished, FortiGate forwards the packet toward its destination.
FortiGate looks for a matching firewall policy from top to bottom and, if a match is found, the traffic is processed based on that firewall policy. If no match is found, the traffic is dropped by the default Implicit Deny firewall policy.

Each policy matches traffic and applies security by referring to the objects that you've defined, such as addresses and profiles. Common policy types are:
- Firewall Policy: A firewall policy consists of a set of rules that control traffic flow through FortiGate.
- Firewall Virtual Wire Pair Policy: A virtual wire pair policy is used to control the traffic between the interfaces in a virtual wire pair.
- Multicast Policy: A multicast policy allows multicast packets to pass from one interface to another.
- Local-In Policy: A local-in policy controls the traffic to a FortiGate interface and can be used to restrict administrative access.
- DoS Policy: A denial-of-service (DoS) policy checks for anomalous patterns in the network traffic that arrives at a FortiGate interface.

By default, only Firewall Policy is visible under Policy and Object. Other policies are available based on the interface configurations and advanced features enabled through Feature Visibility. In this lesson, you will learn about IPv4 firewall policies, because they are the most commonly used policies.

When you configure a new firewall policy on the GUI, you must specify a unique name for the firewall policy, because this requirement is enabled by default, whereas a name is optional on the CLI. This helps the administrator quickly identify the policy that they are looking for. However, you can make the name optional on the GUI as well, on the Feature Visibility page, by enabling Allow Unnamed Policies.
Note that if a policy is configured without a policy name on the CLI, and you modify that existing policy on the GUI, you must specify a unique name.

The FortiGate flat GUI view allows you to select interfaces and other objects by clicking or dragging and dropping from the list populated on the right side. You can select Internet Service as the source. Internet Service is a combination of one or more addresses and one or more services associated with a service found on the internet, such as an update service for software.

You can configure many other options in the firewall policy, such as firewall and network options, security profiles, logging options, and enabling or disabling a policy. When creating firewall objects or policies, a universally unique identifier (UUID) attribute is added so that logs can record these UUIDs and improve functionality when integrating with FortiManager or FortiAnalyzer.

When creating firewall policies, remember that FortiGate is a stateful firewall. As a result, you need to create only one firewall policy that matches the direction of the traffic that initiates the session. FortiGate will automatically remember the source-destination pair and allow replies.

When a packet arrives, how does FortiGate find a matching policy? Each policy has match criteria, which you can define using the following objects:

Incoming Interface
Outgoing Interface
Source: IP address, user, internet services
Destination: IP address or internet services
Schedule: Specific times to apply policy
Service: IP protocol and port number

If the traffic matches a firewall policy, FortiGate applies the action configured in the firewall policy:

If the Action is set to DENY, FortiGate drops the session.
If the Action is set to ACCEPT, FortiGate allows the session and applies other configured settings for packet processing, such as user authentication, source NAT, antivirus scanning, web filtering, and so on.

When FortiGate receives traffic, it evaluates the packet’s source IP address, destination IP address, and the requested service (protocol and port number). It also checks the incoming interface and the outgoing interface it needs to use. Based on this information, FortiGate identifies the firewall policy and evaluates the traffic. If the traffic matches the policy, then FortiGate applies the action (Accept/Deny) defined in the policy.

For example, to block incoming FTP traffic to all but a few FTP servers, define the addresses of the FTP servers as the destination, and select FTP as the service. You probably wouldn’t specify a source (often any location on the internet is allowed) or schedule (FTP servers are usually always available, day or night). Finally, set the Action setting to ACCEPT.

By default, you can select only a single interface as the incoming interface and a single interface as the outgoing interface. This is because the option to select multiple interfaces, or any interface in a firewall policy, is disabled on the GUI. However, you can enable the Multiple Interface Policies option on the Feature Visibility page to disable the single interface restriction. You can also specify multiple interfaces, or use the any option, if you configure a firewall policy on the CLI, regardless of the default GUI setting.

It is also worth mentioning that when you choose the any interface option, you cannot select multiple interfaces for that interface. In the example shown on this slide, because any is selected as the outgoing interface, you cannot add any additional interfaces, because any interface implies that all interfaces have already been selected.
The next match criteria that FortiGate considers is the packet’s source. In each firewall policy, you must select a source address object. Optionally, you can refine your definition of the source address by also selecting a user, or a user group, which provides a much more granular match, for increased security. You can also select ISDB objects as the source in the firewall policy, which you will learn about later in this lesson.

When selecting a fully qualified domain name (FQDN) as the source address, it must be resolved by DNS and cached in FortiGate. Make sure FortiGate is configured properly for DNS settings. If FortiGate is not able to resolve an FQDN address, it will present a warning message, and a firewall policy configured with that FQDN may not function properly.

FortiGate devices with a valid FortiCare support contract receive up-to-date information to use the ISDB and geography database and use them as firewall objects.

In the example shown on this slide, source selectors identify the specific subnet and user group. Remember, user is an optional object. The user object is used here to make the policy more specific. If you wanted the policy to match more traffic, you would leave the user object undefined.

You can also use ISDB objects as a source in the firewall policy. There is an either/or relationship between ISDB objects and source address objects in firewall policies. This means that you can select either a source address or an internet service, but not both.

Like the packet’s source, FortiGate also checks the destination address for a match. You can use address objects or ISDB objects as destinations in the firewall policy.
The address object may be a host name, IP subnet, or range. If you enter an FQDN as the address object, make sure that you’ve configured your FortiGate device with DNS servers. FortiGate uses DNS to resolve those FQDN host names to the IP addresses that appear in the IP header. You can also choose geographic addresses, which are groups or ranges of addresses that are assigned to a country. FortiGuard is used to update these objects.

Why is there no option to select a user? The user identification is determined at the ingress interface, and packets are forwarded only to the egress interface after the user is successfully authenticated.

One of the most important features that a firewall policy can apply is security profiles, such as IPS and antivirus. A security profile inspects each packet in the traffic flow, where the session has already been conditionally accepted by the firewall policy. When inspecting traffic, FortiGate can use one of two methods: flow-based inspection or proxy-based inspection. Different security features are supported by each inspection type.

Note that by default, the Video Filter, VoIP, and Web Application Firewall security profile options are not visible on the policy page on the GUI. You need to enable them on the Feature Visibility page.

An important concept to understand about how firewall policies work is the precedence of order, or, if you prefer a more recognizable term, first come, first served. Policy IDs are identifiers. You can add or remove the policy ID column using the Configure Table settings icon. FortiGate automatically assigns a policy ID when you create a new firewall policy on the GUI. The policy ID never changes, even if you move the rule higher or lower in the sequence.
If you enable Policy Advanced Options, then you can manually assign a policy ID while creating a new policy. If a duplicate entry is found, the system produces an error, so you can assign a different available policy ID number. Policy Advanced Options is not available on the GUI by default; you must enable it on the Feature Visibility page.

Firewall policies appear in an organized list. The list is organized as one of Interface Pair View, Sequence Grouping View, or By Sequence. By default, the policy list appears in Interface Pair View. Each section contains policies in the order that they are evaluated for matching traffic, and the sections are arranged by ingress-egress interface pair. Alternatively, you can view your policies as a single, comprehensive list by selecting Sequence Grouping View or By Sequence at the top of the page. In these two views, the policies are also listed in the order in which they are evaluated for traffic matching—they are grouped as uncategorized in the Sequence Grouping View layout. You can create new labels to group firewall policies as necessary to organize the firewall policies with the sequence order in mind.

To help you remember the use of each interface, you can add aliases by editing the interface on the Network page. For example, you could call port1 ISP1. This can help to make your list of policies easier to understand.

Remember you learned that only the first matching policy applies? Arranging your policies in the correct position is important. It affects which traffic is blocked or allowed. In the section of the applicable interface pair, FortiGate looks for a matching policy, beginning at the top.
So, you should put more specific policies at the top; otherwise, more general policies will match the traffic first, and more granular policies will never be applied. In the example shown on this slide, you’re moving the Block_FTP policy (ID 2), which matches only FTP traffic, to a position above a more general Full_Access (accept everything from everywhere) policy. Otherwise, FortiGate would always apply the first matching policy in the applicable interface pair—Full_Access—and never reach the Block_FTP policy.

When moving the policies across the policy list, policy IDs remain unchanged. Note that FortiGate assigns the next highest available ID number as policies are created.

In order to optimize and consolidate firewall policies, always check all configured settings. In the example shown on this slide, the two firewall policies have differences in terms of services, security profiles, and logging settings. You can consolidate these two firewall policies by combining services and choosing appropriate logging settings. If you select Security Events (UTM) for the logging settings, traffic logs will not be generated for ALL_ICMP traffic. Note that the ALL_ICMP service is not subject to web filter and antivirus scans, which means that applying these security profiles to the ICMP traffic will result in the traffic passing through without being inspected.

Always plan a maintenance window and create a test case for a few IP addresses and users before implementing configuration changes in the production network. Any configuration changes made using the GUI or CLI take effect immediately, and can interrupt service.

As a best practice, try to configure firewall policies as specifically as possible. This helps to restrict access to only the resources that are needed.
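The top-to-bottom, first-match evaluation described above, together with the stateful session table and the implicit deny, is easy to get wrong when policies are reordered. The following is an added example written for this guide, not FortiOS code or a Fortinet tool: a small Python model of the policy walk. The policy names Full_Access and Block_FTP and their IDs are taken from the slide; the interface names, addresses and the `ses_denied_traffic` flag (which mimics the CLI setting discussed later in this lesson) are constructed for the example.

```python
"""Top-to-bottom firewall policy matching, an implicit deny, and a stateful
session table. Added example with constructed policies and packets; it is a
model of the behaviour the guide describes, not FortiOS code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    policy_id: int
    name: str
    srcintf: str        # "any" matches every incoming interface
    dstintf: str        # "any" matches every outgoing interface
    src: str            # CIDR or "all"
    dst: str            # CIDR or "all"
    service: tuple      # (protocol, destination port) or ("any", 0)
    action: str         # "accept" or "deny"


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_key(self):
        # the 5-tuple of the session this packet would be a reply to
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def _addr_match(obj, ip):
    return obj == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(obj)


class Firewall:
    def __init__(self, policies, ses_denied_traffic=False):
        self.policies = list(policies)
        self.ses_denied_traffic = ses_denied_traffic  # cache denied sessions too
        self.sessions = {}    # 5-tuple -> (policy_id, action)
        self.lookups = 0      # number of policy-table walks performed

    def lookup(self, pkt):
        """Walk the list top to bottom; the first match wins, else implicit deny (ID 0)."""
        self.lookups += 1
        for p in self.policies:
            if (p.srcintf in ("any", pkt.srcintf)
                    and p.dstintf in ("any", pkt.dstintf)
                    and _addr_match(p.src, pkt.src)
                    and _addr_match(p.dst, pkt.dst)
                    and p.service in (("any", 0), (pkt.proto, pkt.dport))):
                return p.policy_id, p.action
        return 0, "deny"

    def process(self, pkt):
        """Stateful handling: known sessions and their replies skip the policy walk."""
        if pkt.key() in self.sessions:
            return self.sessions[pkt.key()]
        reply_of = self.sessions.get(pkt.reply_key())
        if reply_of is not None and reply_of[1] == "accept":
            return reply_of
        result = self.lookup(pkt)
        if result[1] == "accept" or self.ses_denied_traffic:
            self.sessions[pkt.key()] = result
        return result

    def move_before(self, policy_id, before_id):
        """Reorder the list; IDs stay the same, as when dragging in the GUI."""
        moving = next(p for p in self.policies if p.policy_id == policy_id)
        self.policies.remove(moving)
        idx = next(i for i, p in enumerate(self.policies) if p.policy_id == before_id)
        self.policies.insert(idx, moving)


def shadowing_demo():
    """Block_FTP (ID 2) below Full_Access (ID 1) never matches; moving it up fixes that."""
    full_access = Policy(1, "Full_Access", "port3", "port1", "all", "all", ("any", 0), "accept")
    block_ftp = Policy(2, "Block_FTP", "port3", "port1", "all", "all", ("tcp", 21), "deny")
    fw = Firewall([full_access, block_ftp])
    ftp = Packet("port3", "port1", "10.0.1.10", "203.0.113.5", "tcp", 40000, 21)
    before = fw.lookup(ftp)
    fw.move_before(2, 1)
    after = fw.lookup(ftp)
    return before, after   # ((1, "accept"), (2, "deny"))


if __name__ == "__main__":
    print(shadowing_demo())
```

Running `shadowing_demo()` shows the shadowing problem directly: with Full_Access first, the FTP packet is accepted by policy 1 and Block_FTP is never consulted; after `move_before(2, 1)` the same packet hits policy 2 and is denied, while both IDs are unchanged. `process()` also shows why a single policy suffices for a stateful firewall: the reply packet of an accepted session is allowed from the session table without a second policy walk.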
For example, use correct subnets when configuring address objects. Another setting worth mentioning is security profiles. Security profiles help to provide appropriate security for your network. Proper logging configuration can also help you to analyze, diagnose, and resolve common network issues.

Enabling security profiles on FortiGate affects firewall resources and throughput. Packets are sent to the kernel or main CPU to enforce filtering. FortiOS supports flow-based and proxy-based inspection in firewall policies and security profiles. Depending on your requirements, you can select the inspection mode, but it is useful to know some differences and how each mode can impact firewall performance.

Flow-based inspection identifies and blocks threats in real time as FortiOS identifies them, and typically requires lower processing resources than proxy-based inspection. It is recommended to apply flow-based inspection to policies that prioritize traffic throughput.

Proxy-based inspection involves buffering traffic and examining it as a whole before determining an action. Having all the data to analyze allows for the examination of more data points than flow-based inspection. Some advanced features like usage quota, safe search, and web-profile override are also supported only in proxy-based inspection.

By default, low-end FortiGate platforms with RAM of 2 GB or less do not show proxy-based settings on the GUI for firewall policies and security profiles. This is to reduce memory usage on these platforms, as the RAM is designed to serve the purpose of the low-end FortiGate, and also to maximize security using flow-based security inspection across FortiGate.
The option to configure proxy-based inspection mode on firewall policies and security profiles is available using the CLI command config system settings.

If you have enabled logging in the policy, FortiGate generates traffic logs after a firewall policy closes an IP session. By default, Log Allowed Traffic is enabled and set to Security Events and generates logs only for the applied security profiles in the firewall policy. However, you can change the setting to All Sessions, which generates logs for all sessions.

If you enable Generate Logs when Session Starts, FortiGate creates a traffic log when the session begins. FortiGate also generates a second log for the same session when it is closed. But remember that increasing logging decreases performance, so use it only when necessary. During the session, if a security profile detects a violation, FortiGate records the attack log immediately.

To reduce the number of log messages generated and improve performance, you can enable a session table entry for dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets of that session are also denied. This ensures that FortiGate does not have to perform a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation. The CLI command is ses-denied-traffic. You can also set the duration for blocked sessions. This determines how long a session will be kept in the session table, by setting block-session-timer in the CLI. By default, it is set to 30 seconds.

If the GUI option Generate Logs when Session Starts is not displayed, this means that your FortiGate device does not have internal storage. Regardless of internal storage, the CLI command is set logtraffic-start enable.
Logging on FortiGate records the traffic that passes through, starts from, or ends on FortiGate. It records the actions during the traffic scanning process. FortiGate supports sending all log types to several log devices, including its local storage, which is subject to the disk available on different FortiGate models.

You can view traffic logs in Log & Report > Forward Traffic. Apply the filter needed to display the logs and then enter the policy UUID in the filter field to display records that match the firewall policy. Select the source of the logs and specify the historical time frame to reduce irrelevant log entries. You can also view the logs by right-clicking the firewall policy, and then clicking Show matching logs.

Geographic-based ISDB objects allow users to define a country, region, and city. These objects can be used in firewall policies for more granular control over the location of the parent ISDB object. ISDB objects are referenced in policies by name, instead of by ID.

Now, you’ll learn about NAT with firewall policies.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in these areas, you will be able to configure firewall policies and apply appropriate SNAT and DNAT, and understand how it is applied to the traffic traversing FortiGate.
NAT is a method that enables a NAT device, such as a firewall or router, to translate (or map) the IP address in a packet to another IP address, usually for connectivity purposes. If the port information in the packet is also translated, then the translation method is called PAT.

NAT provides the following benefits:

Security: The real address of a device is hidden from external networks.
Public address depletion prevention: Hundreds of computers can share the same public IPv4 address.
Private address flexibility: The addresses can stay the same, even if ISPs change. You can reuse private addresses in multiple networks.

There are two types of NAT: SNAT and DNAT. In SNAT, a NAT device translates the source IP address and source port in a packet. In DNAT, a NAT device translates the destination IP address and destination port.

You can configure FortiGate to perform SNAT and DNAT as follows:

For SNAT, you enable NAT on the matching firewall policy.
For DNAT, you configure virtual IPs (VIPs) and then reference them on the matching firewall policy.

The example on this slide shows the most common use case for NAT: SNAT. FortiGate, acting as a NAT device, translates the private IP address assigned to the PC to the public address assigned by your ISP. The private-to-public source address translation is needed for the PC to access the internet web server.

To configure a firewall policy, you can enable SNAT in the firewall and network options section. There are two options to select and choose how SNAT should work:

1. To use the outgoing interface IP address: Packets matching the firewall policy translate the IP address in a packet to another IP address, usually for connectivity purposes.
2.
To use the dynamic IP pool: This is dynamic SNAT, which allows FortiGate to map private IP addresses to the first available public address from a pool of addresses.

When you select Use Outgoing Interface Address on the matching firewall policy, FortiGate uses the egress interface address as the NAT IP for performing SNAT. If there are multiple devices behind FortiGate, FortiGate performs many-to-one NAT. This is also known as PAT. FortiGate assigns to each connection sharing the egress interface address a port number from a pool of available ports. The assignment of a port enables FortiGate to identify packets associated with the connection and then perform the corresponding translation. This is the same behavior as the overload IP pool type, which you will also learn about.

Optionally, you may select a fixed port, in which case the source port translation is disabled. With a fixed port, if two or more connections require the same source port for a single IP address, only one connection is established.

The example on this slide shows two PCs behind FortiGate that share the same public IP address (70.70.70.70) to access the internet web server 80.80.80.80. Because Use Outgoing Interface Address is enabled on the firewall policy—set nat enable on the CLI—the source IP address of the PCs is translated to the egress interface address. The source port, however, is not always translated. It depends on the available ports and the connection 5-tuple. In the example shown on this slide, FortiGate translates the source port of the connection from PC2 only. Otherwise, the two connections would have the same information on the session table for the reply traffic, which would result in a session clash.

IP pools allow sessions leaving the FortiGate firewall to use NAT.
An IP pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session. These assigned addresses are used instead of the IP address assigned to that FortiGate interface. IP pools are usually configured in the same range as the interface IP address.

When you configure the IP pools that will be used for NAT, there is a limitation that you must take into account. If the IP addresses in the IP pool are different from the IP addresses that are assigned to the interfaces, communications based on those IP addresses may fail if the routing is not properly configured. For example, if the IP address assigned to an interface is 172.16.100.1/24, you cannot choose 10.10.10.1 to 10.10.10.50 for the IP pool unless you configure appropriate routing.

There are four types of IP pools that you can configure on the FortiGate firewall:

Overload
One-to-one
Fixed port range
Port block allocation

The fixed port range and port block allocation types are more common in carrier-grade NAT (CGN) deployments.

In the one-to-one pool type, FortiGate assigns an IP pool address to an internal host on a first-come, first-served basis. There is a single mapping of an internal address to an external address. That is, an IP pool address is not shared with any other internal host, thus the name one-to-one. If there are no more addresses available in the IP pool, FortiGate drops packets from unserved hosts.

The example on this slide shows three internal hosts accessing the internet. PC1 and PC2 packets are received first by FortiGate and, therefore, served with addresses 70.70.70.71 and 70.70.70.72, respectively. However, FortiGate drops packets sourced from PC3 because they arrived last, which is when there are no more available addresses in the IP pool to choose from.
If you use an IP pool, the source address is translated to an address from that pool, rather than the egress interface address. The larger the number of addresses in the pool, the greater the number of connections that the pool can support. The default IP pool type is overload. In the overload IP pool type, a many-to-one or many-to-few relationship and port translation is used. In the example shown on this slide, source IP 10.0.1.10 is translated to the address 70.70.70.71, which is one of the addresses defined in the IP pool (70.70.70.71 – 70.70.70.75).

VIPs are DNAT objects. For sessions matching a VIP, the destination address is translated; usually a public internet address is translated to the private network address of a server. VIPs are selected in the firewall policy Destination field. The default VIP type is Static NAT. This is a one-to-one mapping. This means that:

1. FortiGate performs DNAT on ingress traffic destined to the external IP address defined in the VIP, regardless of the protocol and port of the connection, provided the matching firewall policy references the VIP as Destination.
2. FortiGate uses as NAT IP the external IP address defined in the VIP when performing SNAT on all egress traffic sourced from the mapped address in the VIP, provided the matching firewall policy has NAT enabled. That is, FortiGate doesn’t use the egress interface address as NAT IP.

Note that you can override the behavior described in step 2 by using an IP pool.

You can also select FQDN as Type. When you select FQDN, you can configure FQDN address objects as external and internal IP addresses. This enables FortiGate to automatically update the external and internal IP addresses used by the VIP in case the FQDN resolved address changes.
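The three SNAT behaviours covered above (outgoing interface address with PAT, the overload pool, and the one-to-one pool with its drop-on-exhaustion rule) differ mainly in how the NAT address is chosen and whether the source port may change. The following Python model is an added example for this guide, not FortiOS code: it reuses the addresses from the slides (70.70.70.70 as the egress address, the 70.70.70.71–70.70.70.75 pool, the 80.80.80.80 web server) with constructed internal hosts and source ports. The arrival-order spreading of hosts over an overload pool and the port numbers handed out on a clash are simplifications of the example's own choosing, not a description of the FortiOS allocator.

```python
"""Source NAT on egress: outgoing-interface address with PAT, overload IP pool,
and one-to-one IP pool. Added example with constructed hosts and addresses
taken from the guide's diagrams; it models the behaviour described, not FortiOS."""
import itertools
from dataclasses import dataclass


@dataclass
class Snat:
    mode: str                  # "interface", "overload" or "one-to-one"
    interface_ip: str
    pool: tuple = ()           # external addresses for the pool modes
    fixed_port: bool = False   # keep the source port; on a clash the flow is dropped

    def __post_init__(self):
        self.sessions = {}     # original 5-tuple -> (nat_ip, nat_port)
        self.in_use = set()    # (nat_ip, nat_port, dst, dport, proto) reserved
        self.host_map = {}     # internal ip -> pool address (pool modes only)
        self.next_port = itertools.count(1024)   # constructed PAT port allocator

    def _nat_ip(self, src):
        if self.mode == "interface":
            return self.interface_ip
        if src in self.host_map:
            return self.host_map[src]
        if self.mode == "overload":
            # simplification: hosts are spread over the pool in arrival order,
            # so a few pool addresses are shared by many hosts (many-to-few)
            ip = self.pool[len(self.host_map) % len(self.pool)]
        else:  # one-to-one: a pool address belongs to exactly one host
            free = [ip for ip in self.pool if ip not in self.host_map.values()]
            if not free:
                return None    # pool exhausted: the packet is dropped
            ip = free[0]
        self.host_map[src] = ip
        return ip

    def translate(self, src, sport, dst, dport, proto="tcp"):
        """Return (nat_ip, nat_port) for the flow, or None if it is dropped."""
        key = (proto, src, sport, dst, dport)
        if key in self.sessions:
            return self.sessions[key]
        nat_ip = self._nat_ip(src)
        if nat_ip is None:
            return None
        nat_port = sport
        # one-to-one is a pure address mapping; the other modes apply PAT only
        # when keeping the source port would clash with an existing session
        if self.mode != "one-to-one" and (nat_ip, nat_port, dst, dport, proto) in self.in_use:
            if self.fixed_port:
                return None    # only one of the clashing connections is established
            nat_port = next(self.next_port)
            while (nat_ip, nat_port, dst, dport, proto) in self.in_use:
                nat_port = next(self.next_port)
        self.in_use.add((nat_ip, nat_port, dst, dport, proto))
        self.sessions[key] = (nat_ip, nat_port)
        return self.sessions[key]


def interface_demo():
    """Two PCs behind 70.70.70.70 reach 80.80.80.80:80 from the same source port."""
    nat = Snat("interface", "70.70.70.70")
    pc1 = nat.translate("10.0.1.10", 5000, "80.80.80.80", 80)
    pc2 = nat.translate("10.0.1.11", 5000, "80.80.80.80", 80)
    return pc1, pc2   # only PC2's source port is rewritten


def one_to_one_demo():
    """A two-address pool serves PC1 and PC2; PC3 arrives last and is dropped."""
    nat = Snat("one-to-one", "70.70.70.70", pool=("70.70.70.71", "70.70.70.72"))
    return [nat.translate(f"10.0.1.{h}", 5000, "80.80.80.80", 80) for h in (10, 11, 12)]


if __name__ == "__main__":
    print(interface_demo())
    print(one_to_one_demo())
```

`interface_demo()` reproduces the session-clash case from the slide: PC1 keeps source port 5000, and PC2, whose translated 5-tuple would otherwise be identical for the reply traffic, gets a new port. With `fixed_port=True` the second connection is refused instead. `one_to_one_demo()` returns `None` for the third host, which is the dropped-packet outcome the one-to-one slide describes.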
Optionally, you can enable Port Forwarding on the VIP to instruct FortiGate to redirect the traffic matching the external address and port in the VIP to the mapped internal address and port. When you enable port forwarding, FortiGate no longer performs one-to-one mapping. This means that you can reuse the same external address and map it to different internal addresses and ports, provided the external port is unique. For example, you can configure a VIP so connections to the external IP 70.70.70.70 on port 8080 map to the internal IP 192.168.0.70 on port 80. You can then configure another VIP so connections to the external IP 70.70.70.70 on port 8081 map to the internal IP 192.168.0.71 on port 80.

In the example shown on this slide, the internet host initiates a connection to 70.70.70.71 on TCP port 443. On FortiGate, the traffic matches the firewall policy ID 1, which references the WebServer-Ext VIP as destination. Because the VIP is configured as static NAT and has port forwarding disabled, FortiGate translates the destination address of the packet to 172.16.1.10 from 70.70.70.71. Note that the destination port doesn’t change because port forwarding is disabled.

Also note that the external interface address is different from the external address configured in the VIP. This is not a problem as long as the upstream network has its routing properly set. You can also enable ARP reply on the VIP (enabled by default) to facilitate routing on the upstream network. You will learn more about ARP reply in this lesson.

Now, suppose that the internal web server (172.16.1.10) initiates a DNS connection to the internet DNS server (4.2.2.2). On FortiGate, the traffic matches the firewall policy ID 2, which has nat enabled.
Because the source address matches the internal address of the VIP, and because the VIP is configured as static NAT with port forwarding disabled, FortiGate translates the source address of the packet to 70.70.70.71 from 172.16.1.10. Note that FortiGate doesn’t have to perform PAT because the static NAT VIP equals one-to-one mapping. That is, the external IP is used by the web server only for SNAT.

Also note that FortiGate uses the VIP external address for SNAT only if the VIP is referenced in an incoming firewall policy. That is, if you don’t configure firewall policy ID 1, which is shown on the previous slide, or if you disable the firewall policy, then FortiGate doesn’t automatically use the external IP for translating the source address of the web server. Instead, FortiGate uses the egress interface address (70.70.70.70).

The example on this slide shows how FortiGate handles two incoming connections to the same external address, but on different ports. FortiGate forwards each connection to a different internal host based on the VIP mapping settings. This is possible because port forwarding is enabled on the VIPs, which enables FortiGate to redirect the external traffic to the corresponding internal address and port, while using the same external address.

Both connections match the firewall policy ID, which references two VIPs as destination. The HTTPS connection matches the WebServer-Ext VIP, and the SSH connection matches the SSHServer-Ext VIP. Note that for the SSH connection, FortiGate also translates the destination port to 22 from 222. Although not shown on this slide, outgoing connections sourced from the web and SSH server would result in FortiGate using as NAT IP the egress interface address for SNAT, provided there is a matching firewall policy with nat enabled.
In FortiOS, VIPs and firewall address objects are completely different. They are stored separately with no overlap. This means that, by default, firewall address objects do not match VIPs. In the example shown on this slide, the destination of the first firewall policy is set to all. Even though this means all destination addresses (0.0.0.0/0), by default, this doesn’t include the external addresses defined on the VIPs. The result is that traffic destined to the external address defined on the Web_Server VIP skips the first policy and matches the second policy instead.

But what if you want the first policy to block all incoming traffic to all destinations, including the traffic destined to any VIPs? This is useful if your network is under attack, and you want to temporarily block all incoming external traffic. You can do this by enabling match-vip on the first firewall policy. Enabling match-vip instructs FortiGate to also check for VIPs during policy evaluation. Note that the match-vip setting is available only when the firewall policy action is set to DENY. In case you want to block only traffic destined to one or more VIPs, you can reference the VIPs as the destination address on the deny firewall policy.

When you configure a VIP or an IP pool, ARP reply is enabled by default. When ARP reply is enabled, FortiGate replies to incoming ARP requests for the external address configured in the VIP and IP pools. Enabling ARP reply is usually not required in most networks because the routing tables on the adjacent devices contain the correct next-hop information, so the networks are reachable. However, sometimes the routing configuration is not fully correct, and having ARP reply enabled can solve the issue for you. For this reason, it’s a best practice to keep ARP reply enabled.
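The VIP behaviours from the preceding slides (static NAT translating any port, port forwarding multiplexing one external address, the external address being reused for SNAT only while an enabled policy references the VIP, and a destination of all not matching VIPs unless match-vip is set on a deny policy) are summarised in the following Python model. It is an added example written for this guide, not FortiOS code. The VIP names WebServer-Ext and SSHServer-Ext and the 70.70.70.x, 192.168.0.x and 172.16.1.10 addresses come from the slides; AppServer-Ext and DBServer-Ext and the policy layout are constructed for the example.

```python
"""Destination NAT with VIPs, port forwarding, and the match-vip option on a
deny policy. Added example with constructed VIPs and policies; it models the
guide's description and is not FortiOS code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vip:
    name: str
    extip: str
    mappedip: str
    extport: Optional[int] = None       # set -> port forwarding enabled
    mappedport: Optional[int] = None
    protocol: str = "tcp"


def dnat(vips, dst, dport, proto="tcp"):
    """Return (mapped_ip, mapped_port, vip) or None when no VIP matches."""
    for v in vips:
        if v.extip != dst:
            continue
        if v.extport is None:               # static NAT: any port, port unchanged
            return v.mappedip, dport, v
        if v.protocol == proto and v.extport == dport:
            return v.mappedip, v.mappedport, v
    return None


@dataclass
class Policy:
    policy_id: int
    dst: object                 # "all" or a tuple of VIP names
    action: str                 # "accept" or "deny"
    match_vip: bool = False     # meaningful only on a deny policy
    enabled: bool = True


def lookup(policies, vips, dst, dport, proto="tcp"):
    """First matching policy wins; returns (policy_id, action, dnat_result)."""
    hit = dnat(vips, dst, dport, proto)
    for p in policies:
        if not p.enabled:
            continue
        if p.dst == "all":
            # 'all' covers address objects only: a VIP external address is
            # matched here only by a deny policy with match-vip enabled
            if hit is None or (p.action == "deny" and p.match_vip):
                return p.policy_id, p.action, hit
        elif hit is not None and hit[2].name in p.dst:
            return p.policy_id, p.action, hit
    return 0, "deny", hit       # implicit deny


def snat_ip(src, vips, policies, egress_ip):
    """NAT IP for outbound traffic from a mapped host: the static-NAT VIP's
    external address while an enabled policy references that VIP, otherwise
    the egress interface address."""
    for v in vips:
        if v.mappedip == src and v.extport is None:
            if any(p.enabled and p.dst != "all" and v.name in p.dst for p in policies):
                return v.extip
    return egress_ip


# constructed VIP table; names and addresses as on the slides where they exist
VIPS = (
    Vip("WebServer-Ext", "70.70.70.70", "192.168.0.70", 8080, 80),
    Vip("AppServer-Ext", "70.70.70.70", "192.168.0.71", 8081, 80),
    Vip("SSHServer-Ext", "70.70.70.70", "192.168.0.72", 222, 22),
    Vip("DBServer-Ext", "70.70.70.71", "172.16.1.10"),          # static NAT
)


def match_vip_demo():
    """Deny-all above the VIP policy: VIP traffic still passes until match-vip is set."""
    deny_all = Policy(1, "all", "deny")
    allow_web = Policy(2, ("WebServer-Ext", "SSHServer-Ext"), "accept")
    before = lookup([deny_all, allow_web], VIPS, "70.70.70.70", 8080)
    deny_all.match_vip = True
    after = lookup([deny_all, allow_web], VIPS, "70.70.70.70", 8080)
    return before[:2], after[:2]   # ((2, "accept"), (1, "deny"))


if __name__ == "__main__":
    print(dnat(VIPS, "70.70.70.70", 222))
    print(match_vip_demo())
```

`match_vip_demo()` is the "block everything during an attack" case: a deny policy with destination all placed first does not stop traffic to the WebServer-Ext external address until `match_vip` is enabled on it. `snat_ip()` captures the easily missed dependency from the static-NAT slides: the web server is translated to the VIP external address only while some enabled policy references the VIP; disable that policy and SNAT silently falls back to the egress interface address.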
Consider the example shown on this slide, which shows an internet connection between FortiGate and an ISP router. The example also shows a simplified version of the ISP router routing table and ARP table. The ISP assigns the FortiGate administrator the public subnet 80.80.80.0/24 to deploy internet-facing services. The administrator configured the VIP shown on this slide to provide internet users with access to the company web server.

While testing, the administrator confirms that internet users can reach the web server at 80.80.80.1. However, the administrator is likely unaware that having ARP reply enabled was key to successful connectivity. The reason is that the ISP router doesn’t have a route in its routing table to access the 80.80.80.0/24 subnet through the 70.70.70.2 gateway. Instead, the routing table contains a connected route for the subnet through port1. The result is that the ISP router generates ARP requests out of port1 to resolve the MAC address of any of the addresses in the 80.80.80.0/24 subnet. Nonetheless, because FortiGate responds to ARP requests for the external address in the VIP, the ISP router is able to resolve the MAC address successfully.

Use the following best practices when implementing NAT:

Avoid misconfiguring an IP pool range: Double-check the start and end IP addresses of each IP pool. Ensure that the IP pool address range does not overlap with addresses assigned to FortiGate interfaces or to any hosts on directly connected networks.
If you have internal and external users accessing the same servers, configure your DNS services so internal users resolve the destination's internal address instead of its external address defined in the VIP.
Don’t configure a NAT rule for inbound traffic unless it is required by an application.
For example, if there is a matching NAT rule for inbound SMTP traffic, the SMTP server might act as an open relay.
- Schedule a maintenance window when making changes to the NAT mode configuration, since such changes can create a network outage.

This slide shows the objectives that you covered in this lesson. By mastering them, you learned how to configure, use, and manage firewall policies and NAT on FortiGate.

Routing

In this lesson, you will learn about the routing capabilities and features available on FortiGate.

After completing this lesson, you should be able to achieve the objectives shown on this slide. By demonstrating competence in routing on FortiGate, you should be able to implement static routing, understand the routing table, and implement routing load balancing.

When FortiGate operates in NAT mode—the default operation mode—FortiGate behaves as an IP router. An IP router is a device that forwards packets between IP networks. To do so, it performs IP routing: the process of determining the next hop to forward a packet to, based on the packet's destination IP address. FortiGate supports both IPv4 and IPv6 routing.

FortiGate performs routing for both firewall traffic (also known as user traffic) and local-out traffic. Firewall traffic is traffic that travels through FortiGate. Local-out traffic is traffic generated by FortiGate itself, usually for management purposes. For example, when you ping a device from FortiGate, that's local-out traffic.
When FortiGate connects to FortiGuard to download the latest definitions, that's also local-out traffic.

Routers maintain a routing table. A routing table contains a series of entries, also known as routes. Each route in the routing table indicates the next hop for a particular destination. The next hop refers to the outgoing interface and gateway to use for forwarding the packet. The next hop can be the destination of the packet or another router along the path to the destination. If the next hop isn't the destination, the next router in the path routes the packet to its own next hop. The routing process is repeated on each router along the path until the packet reaches its destination.

To route packets, FortiGate performs a route lookup to identify the best route to the destination. The best route is the most specific route to the destination. If FortiGate finds duplicate routes—multiple routes to the same destination—it uses various route attributes as tiebreakers to determine the best route.

Routing takes place before most security features. For example, routing precedes firewall policy evaluation, content inspection, traffic shaping, and source NAT (SNAT). This means that the security actions that FortiGate performs depend on the outgoing interface determined by the routing process. It also means that your security policy configuration must follow your routing configuration, and not the opposite.

For each session, FortiGate performs two route lookups:
- For the first packet sent by the originator
- For the first reply packet coming from the responder

After completing these two lookups, FortiGate writes the routing information to its session table. Subsequent packets are routed according to the session table, not the routing table, so all packets that belong to the same session follow the same path.
However, there is an exception to this rule: if there is a change in the routing table that affects the session, FortiGate removes the route information from the session table and performs additional route lookups to rebuild it.

FortiGate maintains its routing information in two tables: the RIB and the FIB. The routing table, also known as the routing information base (RIB), is a standard routing table containing the active (or best) connected, static, and dynamic routes. The forwarding information base (FIB) can be described as the routing table from the kernel's point of view; it is built mostly out of RIB entries plus some system-specific entries required by FortiOS.

When FortiGate performs a route lookup, it checks the FIB, not the RIB. However, because the FIB is composed mostly of RIB entries, the route lookup mainly involves checking routes from the RIB. For this reason, the route lookup is often referred to as the routing table lookup process, although a more accurate name is the FIB lookup process.

You can display the RIB entries on the FortiGate GUI and CLI. The FIB entries can be displayed on the FortiGate CLI only. The output on this slide shows the CLI command that displays the FIB (get router info kernel); note that the output has been cut to fit the slide. This lesson focuses on the RIB (or routing table), and you will learn more about it, including how to display and monitor its entries, later in this lesson.

One type of manually configured route is called a static route.
When you configure a static route, you are telling FortiGate, "When you see a packet whose destination is within a specific range, send it through a specific network interface, towards a specific router." You can also configure the distance and priority so that FortiGate can identify the best route to any destination that matches multiple routes. You will learn about distance and priority in this lesson.

For example, in simple home networks, DHCP automatically retrieves and configures a route. Your modem then sends all outgoing traffic through your ISP's internet router, which can relay packets to their destination. This is typically referred to as a default route, because all traffic not matching any other route will, by default, be routed using this route.

The example shown on this slide is a default route. The destination subnet value of 0.0.0.0/0.0.0.0 matches all addresses within any subnet. Most FortiGate devices deployed at the edge of the network have at least one of these default routes to ensure that internet traffic is forwarded to the ISP network. Static routes are not needed for subnets to which FortiGate has direct Layer 2 connectivity.

If you create a firewall address object with the type Subnet or FQDN, you can use that firewall address as the destination of one or more static routes. First, enable Static route configuration in the firewall address configuration. After you enable it, the firewall address object becomes available in the Destination drop-down list for static routes with named addresses.

What happens if you need to route traffic to a public internet service (such as Amazon-AWS or Apple Store) through a specific WAN link? Say you have two ISPs and you want to route Netflix traffic through one ISP and all your other internet traffic through the other ISP.
To achieve this goal, you would need to know the Netflix IP addresses and configure static routes for them. After that, you would have to check frequently that none of the IP addresses have changed. The internet service database (ISDB) makes this type of routing easier and simpler. ISDB entries are applied to static routes to selectively route traffic through specific WAN interfaces. Even though they are configured as static routes, ISDB routes are actually policy routes and take precedence over any other routes in the routing table. As such, ISDB routes are added to the policy routing table.

The routing monitor widget on the dashboard page enables you to view the routing table and policy route table entries. The routing table contains the best routes (or active routes) of the following types:
- Static: manual routes that are configured by the administrator.
- Connected: automatic routes added by FortiOS after an interface is assigned an IP address. A connected route references the subnet of the interface IP address.
- Dynamic: routes learned using a dynamic routing protocol such as BGP or OSPF. FortiGate installs these routes automatically in the routing table and indicates the dynamic routing protocol used.

To view the routing table entries, select Static & Dynamic, as shown on this slide. However, keep in mind that the routing table doesn't contain the following routes:
- Inactive routes: static and connected routes whose interfaces are administratively down or whose links are down. Static routes are also marked inactive when their gateway is detected as dead by the link health monitor.
- Standby routes: valid routes that are kept out of the routing table because they duplicate another route and have a higher distance. For instance: a second static default route with a higher distance than another static default route; or a dynamic route, such as a BGP or OSPF route, to the same destination as a static route.
However, the dynamic route is not displayed in the routing table because the static route has a lower distance.
- Policy routes: these include regular policy routes, ISDB routes, and SD-WAN rules. Policy routes are viewed in a separate table, the policy route table. To view the policy route table entries, select Policy.

Distance, or administrative distance, is the first tiebreaker that routers use to determine the best route for a particular destination. If there are two or more routes to the same destination (duplicate routes), the lowest-distance route is considered the best route and, as a result, is installed in the routing table. The other, higher-distance routes to the same destination are standby routes and, as a result, are not installed in the routing table. Instead, they are installed in the routing table database.

You can set the distance for all route types except connected and IS-IS routes; both are hardcoded and their distance value cannot be changed. This slide shows the default values per type of route. If FortiGate learns two equal-distance routes to the same destination that are sourced from different protocols, FortiGate installs in the routing table the route that was learned last. For example, if you set the distance of BGP routes to 110, and there is an OSPF route to the same destination using the default administrative distance (110), then FortiGate keeps whichever route was learned last in the routing table. Because this behavior can lead to different results depending on the timing of events, it's not recommended to configure different-protocol routes with the same distance.
When a dynamic routing protocol learns two or more routes to the same destination, it uses the metric as a tiebreaker to identify the best route. The lower the metric, the higher the preference. The dynamic routing protocol then installs the best route in the routing table and the higher-metric routes in the routing table database. Note that the metric is used as a tiebreaker for same-protocol dynamic routes, not between dynamic routes of different protocols. The metric calculation differs among routing protocols, and the details are not covered in this course. For example, RIP uses the hop count, which is the number of routers the packet must pass through to reach the destination. OSPF uses cost, which is determined by the link bandwidth.

When there are two or more duplicate static routes that have the same distance, FortiGate installs all of them in the routing table. If they also have the same priority, the routes are known as ECMP static routes, and you will learn more about them in this lesson. The priority setting enables administrators to break the tie among equal-distance static routes: during the route lookup process, FortiGate selects as the best route the static route with the lowest priority value among all the equal-distance duplicate static routes. The lower the priority value, the higher the preference.

The priority attribute applies to all routes except connected routes and is set to 1 by default. For dynamic routes, you can change the priority of BGP routes only; the priority of other dynamic routes is hardcoded to 1. The priority value of dynamic routes is useful for advanced routing deployments involving SD-WAN and multiple virtual routing and forwarding (VRF) IDs. The details of how the priority attribute helps in such cases are outside the scope of this course.
For static routes, you can configure the priority setting under Advanced Options on the FortiGate GUI, as shown on this slide. To view the priority in the routing monitor widget, you must enable the Priority column (disabled by default). You can also view the priority in the routing table on the FortiGate CLI, which you will learn about later in this lesson.

The CLI command shown on this slide displays all entries in the routing table, that is, the best active routes to each destination. The left-most column indicates the route source. Route attributes are shown inside square brackets. The first number in the first pair of attributes is the distance, which applies to both dynamic and static routes. The second number is the metric, which applies to dynamic routes only. Static routes and dynamic routes also have priority and weight attributes, which are shown as the last pair of attributes for the respective route. In the case of dynamic routes, the weight is always zero.

This command doesn't show standby or inactive routes, which are present in the routing table database only (displayed with get router info routing-table database). For example, when two static routes to the same destination subnet have different distances, the one with the lower distance is installed in the routing table, and the one with the higher distance in the routing table database.

Each of the routes listed in the routing table includes several attributes with associated values. The Network column lists the destination IP address and subnet mask to match. The Interfaces column lists the interface to use to deliver the packet. The Distance, Metric, and Priority attributes are used by FortiGate to make various route selection decisions. You will learn about each of these in this lesson.
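As an added example (not FortiOS code and not from the study guide), the Python model below carries the selection rules from the last few slides through a constructed routing table: for each destination prefix, same-protocol routes are first reduced by metric, then only the lowest-distance routes are installed as active and the rest stay in the routing table database as standby; at lookup time the longest prefix wins, then the lowest priority value, and equal-priority static routes form an ECMP set. The DEFAULT_DISTANCE values are FortiOS defaults supplied here because the slide that lists them is not reproduced in the transcript; the interface names, gateways, and prefixes are constructed.

```python
"""Model of FortiOS best-route selection: distance decides what is installed
in the routing table (RIB), longest prefix and then priority decide what is
used at lookup time. Added example; it is not FortiOS code."""
import ipaddress
from dataclasses import dataclass

# FortiOS default administrative distances (supplied by this example; the
# slide listing them is not reproduced in the transcript).
DEFAULT_DISTANCE = {"connected": 0, "static": 10, "bgp": 20, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    dst: str           # destination prefix, e.g. "0.0.0.0/0"
    device: str        # outgoing interface
    gateway: str       # next-hop gateway ("" for connected routes)
    source: str        # "connected", "static", "ospf", "bgp", "rip"
    distance: int
    metric: int = 0    # meaningful for dynamic routes only
    priority: int = 1  # FortiOS default priority

    @property
    def network(self):
        return ipaddress.ip_network(self.dst)


def build_rib(candidates):
    """Return (active, standby). Per prefix, same-protocol routes are first
    reduced by metric; then only the lowest-distance survivors are installed.
    Everything else stays in the routing table database as standby."""
    by_prefix = {}
    for r in candidates:
        by_prefix.setdefault(r.network, []).append(r)
    active, standby = [], []
    for routes in by_prefix.values():
        best_metric = {}
        for r in routes:
            best_metric[r.source] = min(best_metric.get(r.source, r.metric), r.metric)
        survivors = [r for r in routes if r.metric == best_metric[r.source]]
        lowest = min(r.distance for r in survivors)
        for r in routes:
            if r in survivors and r.distance == lowest:
                active.append(r)
            else:
                standby.append(r)
    return active, standby


def lookup(rib, ip):
    """Longest-prefix match over installed routes, then the lowest priority
    value wins; several routes with equal priority form an ECMP set."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in rib if addr in r.network]
    if not matches:
        return []
    longest = max(r.network.prefixlen for r in matches)
    specific = [r for r in matches if r.network.prefixlen == longest]
    best_priority = min(r.priority for r in specific)
    return [r for r in specific if r.priority == best_priority]


# Constructed candidate routes (assumptions for this example).
CANDIDATES = [
    Route("10.0.1.0/24", "port2", "", "connected", DEFAULT_DISTANCE["connected"]),
    Route("0.0.0.0/0", "port1", "100.64.1.1", "static", 10, priority=1),
    Route("0.0.0.0/0", "port3", "100.64.2.1", "static", 10, priority=1),  # ECMP with port1
    Route("0.0.0.0/0", "port4", "100.64.3.1", "static", 10, priority=5),  # installed, loses on priority
    Route("0.0.0.0/0", "port5", "100.64.4.1", "static", 20),              # standby: higher distance
    Route("172.16.0.0/16", "port1", "100.64.1.1", "bgp", DEFAULT_DISTANCE["bgp"]),
    Route("172.16.10.0/24", "port2", "10.0.1.254", "static", 10),         # more specific than BGP /16
    Route("192.168.50.0/24", "port2", "10.0.1.254", "ospf", 110, metric=20),  # loses on metric
    Route("192.168.50.0/24", "port3", "100.64.2.1", "ospf", 110, metric=10),  # loses on distance
    Route("192.168.50.0/24", "port3", "100.64.2.1", "static", 10),
]

ACTIVE, STANDBY = build_rib(CANDIDATES)


def next_hops(ip):
    """Outgoing interface(s) of the best route(s) for ip in the table above."""
    return [r.device for r in lookup(ACTIVE, ip)]


if __name__ == "__main__":
    for ip in ("10.0.1.5", "8.8.8.8", "172.16.10.5", "172.16.20.5", "192.168.50.7"):
        print(f"{ip:15} -> {next_hops(ip)}")
    print("standby:", [(r.dst, r.source, r.device) for r in STANDBY])
```

Running the block shows 8.8.8.8 resolving to the two equal-priority default routes (an ECMP set), 172.16.10.5 taking the /24 static route over the BGP /16 regardless of distance, and the two OSPF routes for 192.168.50.0/24 sitting in the standby list beside the distance-20 default, which is what get router info routing-table database would show but get router info routing-table all would not.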
This slide also shows the command you can run to display the routing table on the FortiGate CLI. The get router info routing-table all command displays the same route entries as the routing monitor widget on the FortiGate GUI.

You can perform a route lookup in the routing monitor widget by clicking Route Lookup. Then, you must indicate at least the destination address to look up and, optionally, the destination port, source address, source port, protocol, and source interface. The route lookup works as follows: If you don't provide all lookup criteria, FortiGate consi
