Fortinet: FortiGate Comprehensive Getting Started Guide

Captions
All right, let's jump right into a FortiGate basic configuration. First we'll have a topology of what we're going to be configuring, then we'll go over how we get access to the FortiGate, then we'll cover a bit of network configuration, what firewall registration is and how to do it, as well as some basic security configurations, logging and alerts, and then we'll cover a little bit of troubleshooting and monitoring. If you are brand new to the FortiGate firewall, or even firewalls in general, I'd really recommend viewing the whole video; I think in the long term this is going to save you a lot of time. But if you are familiar and you're looking for a specific section or a specific topic, just check through the chapters on the bottom here and find the chapter that's suited for exactly what you're looking for.

So in this environment we're going to have a Windows machine that we're going to be connecting up to our FortiGate. The FortiGate will by default own the IP address 192.168.1.99, which we'll have access to, and then also by default its WAN port, which could be named something different based on the model that you have, but in my case it will be wan1, and this port will be configured to receive a DHCP address. In this case the DHCP address that the FortiGate will be receiving from the ISP modem will be 166.166.1.2.

After we power the FortiGate on, what we're going to be focusing on when we are on site looking at the unit is the status LED. We want the status LED to go from an off state to a blinking state to a solid state; once it's a fully solid state the unit has fully booted and now we can access it. If we have a FortiGate model that looks similar to what we're seeing in front of us here, then we would be connecting to any of the ports between 1 and 8, but we might also have a FortiGate which possibly has a management port, MGMT. If that's the case then plug into the management port instead of any of the other interfaces. Once you're connected to one of these interfaces you should receive an IP address within the range of 192.168.1.0.

Okay, so let's access the FortiGate now: 192.168.1.99. The default username is going to be admin with no password, so let's just add a new password here. Okay, now we have access to the unit.

All right, so we can start by accessing some of our system settings. We can change our hostname here; we can also change our idle timeout so that we don't get automatically logged out after, say, five minutes when we're using the firewall, and then we can also maybe change the theme here too. We can change our colors; especially if we have multiple FortiGates this comes in handy.

All right, let's take a look at our network configuration. We can see under Network > Interfaces that we have a device connected to port number 1 on the firewall, which is our Windows machine, and then another device connected to wan1. If we look at the wan1 IP address we have the IP of 166.166.1.2, and then we can also see the internal configuration: this is a hardware switch which encompasses seven ports, internal1 to internal7, on the firewall here. Let's take a look now at our routing table. If we go to Dashboard > Network and then Routing we can see here that we have a default route via 166.166.1.1, which is our ISP. So let's take a quick test here and just make sure that we can actually access the internet. Perfect. And then maybe make sure that our DNS is okay. All right, so that means the firewall itself can access the internet and there are no DNS issues. If we do need to actually see the DNS configuration of the firewall itself we can go to Network > DNS.

Let's quickly go over another use case. Let's say that instead of receiving an IP address via DHCP we have a static IP address; we'll just use the same IP in this case. We save that, we hit OK, and what we'll notice here is that now we're not going to be able to access the internet anymore, right? Let's look at the routing table here. As we can see, I think this might be just a little stale from that previous record... nope, my mistake. What you can see is that we don't have 0.0.0.0; we no longer have that default route anymore, and that's because we're not receiving an IP address by DHCP, which would prompt the FortiGate to automatically inject a default route by default. So really in this case all we have to do is find what our next hop is going to be, which is 166.166.1.1, and now that we have that default route I think that our internet will be restored again. Perfect.

Okay, and back to the Interfaces tab. As we can see here, the internal interface does encompass these seven different FortiGate ports. Let's say we had a case where maybe we wanted to connect a switch to port 2. Well, what we could do in that case is create a new interface that would be considered a VLAN interface, and that would be residing under the internal interface. Let's say the VLAN ID is 100, right, and then we create the network; this would be the FortiGate's IP here, and then we just configure the access that we would want to allow to that particular VLAN interface, and then we can configure a DHCP server for devices that are connected to the access ports of the switch, and then we hit OK. This would be the idea of what we would see here: now we can see that there is a VLAN, essentially a sub-interface under this internal logical interface which encompasses all these ports. So now if you were to connect a switch up to, say, internal2, any tagged traffic that is arriving on the FortiGate tagged for VLAN 100 will actually be seen by the FortiGate on this particular interface, VLAN 100, and no longer on the internal native VLAN interface.

Okay, now the next step will be to make sure that we can allow traffic through the firewall. Under Policy & Objects > Firewall Policy is where we are able to configure a policy that's going to essentially allow... in our use case it's going to allow that Windows machine which we're on right now to access the internet. When we double-click this policy we are required to add a name for it, so let's just call this "internet all" for now. There are not really many restrictions on this policy: any traffic coming into the internal interface, which in this case is the Windows machine, going out the WAN interface based on the routing table lookup, matching a source and destination of all, with a schedule and service of always and all, and we are going to apply this NAT rule. Using the outgoing interface, the FortiGate is going to do a source NAT based on the wan1 IP address, which is 166.166.1.2. That's exactly what we want if we are sending traffic over the public internet, because if we do not have NAT enabled then our ISP is going to see the traffic coming from a private IP address and it's going to drop the traffic.

Okay, so now that we have the firewall policy configured, let's see if this policy actually works. Let's keep note of the byte counter that we see here, which is 233 kilobytes. Let's access Google... let's do a quick speed test. Okay, now the speed test is complete; now let's just refresh that firewall policy page, and there we go, immediately we can see that the byte counter has increased. Not so important right now in this particular case, but once we have lots of different firewall policies this can be very useful for us to be able to identify which policy we might be matching, and there are other ways too, which we'll go into shortly.

Okay, so let's access System > FortiGuard and quickly go over registration. Registration is the process, at least for the FortiGate in this example, where you can associate your FortiGate serial number with you as an organization. Why this is important is so that, let's say for example you call into Fortinet support, the TAC team, right, you can call into TAC and then provide your serial number, or be able to create a ticket on your own before calling into Fortinet support, and then they will just check your serial number, make sure that there is valid support for the product, and then they'll be able to assist. Another reason is that you want your product to be registered so that if you have any contracts, for example if I purchased DB here, which isn't currently licensed on my FortiGate, if I were to purchase this service then I can apply this contract to this particular FortiGate by being able to register that contract again with the firewall.

So there are two ways that you can register your FortiGate. One would be to register by your FortiGate, as long as obviously that FortiGate has an internet connection, because it is going to be reaching out to FortiGuard. You can do that by creating... in my case I am already registered on this FortiGate, but you could create your account and register your FortiGate just via this System > FortiGuard section. Alternatively, and my more preferred method, would be to access support.fortinet.com. Start by registering if you haven't already, and then when you're ready log in with your newly created credentials. Then on the main page you can click Register Now, and then you can enter your product serial number, service contract registration code or license certificate to start the registration process. So in here you'd start just by putting in your FortiGate serial number and then following the prompt. Once we're successfully registered then we can actually take a look at the status of that registration; for example, I believe this is the firewall that we're currently using, and we can get a list of all of our service contracts and our existing support types, when they're activated and when the expiration dates are.

Okay, so back to the FortiGate. Now we can confirm that the firewall is registered: we have firmware and general updates, application control signatures, our antivirus, our web filters all up to date. So now let's actually go and configure that on our policy. As you can see I've already checked all these boxes; yours probably won't be checked until you enable these, but notice that IPS, or intrusion prevention, is not enabled here. Let's quickly go and enable that by going to System > Feature Visibility and enabling Intrusion Prevention. What the Feature Visibility section is there for is really just enabling a feature to be visible in the GUI; it's not actually disabling the feature entirely or enabling the feature entirely, it's just whether it can be seen in the GUI or not. So for example if we look at the Network section here we can see that there are no dynamic routing protocols that are visible to us; well, once we enable Advanced Routing, there we go, now we can see RIP, OSPF, BGP, and the same applies for Intrusion Prevention. So now let's go back to our policy and enable IPS.

Okay, and as for configuration, let's go over those quickly here too. Let's start with antivirus. The default action for antivirus is going to be block if a known signature is found. Okay, and for web filter the FortiGate is going to be looking at the HTTP and HTTPS traffic that's flowing through it, and it's going to be trying to, not exactly, but essentially it's going to be trying to check the URL of the traffic, and based on that URL it's going to be able to categorize that particular website that you're accessing under one of any of these different categories here. So let's take a second and go over one example here. If we open a web browser and go to fortiguard.com and then do a web filter lookup, let's look at, for example, fortinet.com. fortinet.com is categorized as Information Technology, so based on what we have configured for Information Technology, let's take a look here: based on what we have for Information Technology, that traffic will be allowed. But then we could for example change it to monitor, so that we allow the traffic and we also are going to be saving a log record of that traffic; we could change it to block; we could change it to warning, so that users would be prompted and they would have to bypass a warning signal before accessing the website; or we could require authentication. If we required authentication maybe we would want a specific LDAP group, for example a user must authenticate within a certain LDAP group while they're accessing the URL, and once they do that then they would actually get access to a website within this particular category of Information Technology.

So for testing purposes let's just try that, let's configure that. Now our default web filter has Information Technology configured as blocked. Let's save our firewall policy and then let's go to fortinet.com. There we go, and as we can see that website was blocked because the category of Information Technology is blocked. Then we can go and look in our Log & Report here for Web Filter, and we can see that fortinet.com was blocked, and if we click into the specifics of it we can see a lot more detail, such as the timestamp, the source interface, destination interface, destination IP, the specific URL and the policy ID that we've hit, which down the road will be very important, especially, like I was saying before, if we have many, many policies. Now we can actually take that policy ID, and various other bits of information such as the profile name, category, but coming back to that policy ID, now we can look at our firewall policy here. It's not enabled there by default, so I'll right-click the header here and add ID, and there we go, we can see on the far right there that the policy ID is number 1, so we've identified the policy where the traffic was blocked.

Okay, so in the background I've gone and re-allowed the Information Technology category, so we're no longer going to be blocked when we access fortinet.com. So now let's take a look at the DNS filter. The DNS filter at first appears to have a very similar function, which is that we're looking at category-based filters and we're seeing pretty much the exact same categories here, but the underlying logic which the FortiGate is using to actually take action based off of the DNS filter versus the web filter is different. For DNS filter the FortiGate is going to be looking at the DNS response when a DNS query goes out. So let's try a similar test as before: we're going to block, or in this case we are actually redirecting the DNS response to a particular web page versus blocking, and that web page in this case is a Fortinet IP here. So for example if we took this IP and just pasted it in without doing anything, this is the website that we're going to be seeing, right, the block web page, because again we're doing a DNS redirect versus actually proxying the HTTP or HTTPS traffic. Okay, so now let's test out a new configuration change here. It looks like we still got through, so it's probably the web browser caching things... there we go, now we're seeing that successful DNS redirect here.

Okay, now let's take a look at application control. With application control there are various applications that are categorized under the following categories that we have here, and we can take action based off of a whole category, which encompasses many different applications, or we can override and say, okay, I want to have a specific action for a specific application. So for example let's look at BitTorrent. If I were to add this application here... right now, if we look at the description here, BitTorrent is a peer-to-peer technology and it's under the category of P2P, which we do see, where is it, right here on the far right we see P2P. So in this particular case when a user is using BitTorrent, when the FortiGate is identifying this traffic, first the FortiGate is going to be looking at this section, which is application and filter overrides. So in this particular case if I were to click OK we are going to see that BitTorrent would be blocked, even though the category is indicating that P2P is configured for monitor.

Okay, so let's test here with TorGuard then. We'll create a new signature, or reference a signature. Okay, and just a brief update about what TorGuard is: it's a VPN application that can be used to pretty much change your public IP by using VPN as the technology, or it can be used to not have visibility from something like a firewall; in this case the FortiGate will fortunately be able to have visibility to this application. Okay, so now let's try to use TorGuard. Let's just use a fake account, testing123@testing.com. Yeah, so we can see here that we can't even log in. Usually I'd expect a little more from the application, but it kind of makes sense in this case: the application's obviously expecting that there's nothing in the way here, so it seems like if the application cannot reach out to the internet, or reach out to whatever resource it needs to reach out to, it's just going to get stuck there, right? So we don't have control over the specific application, but we do have control over what the application can communicate to, and in this case it seems like the FortiGate effectively is blocking access to TorGuard servers. Let's take a look there. Okay, it seemed like the application did proceed and almost seemed to look like it was working, but it still is not working, right, because these are fake credentials anyway. So let's take a look at our application control section under the Log & Report area here, and yeah, we can see that when there are reach-outs to TorGuard they're all being blocked.

Okay, another item that we have here is IPS as well. By default, obviously, there are thousands and thousands of IPS signatures that the FortiGate is going to be able to block, but by default how it works is that there's a medium, high and critical filter section. So we have our medium, high, critical, and based on any of these three severities the FortiGate is going to take the default action based off of thousands of different signatures to protect the network. You can modify these as you choose, maybe change the filter options, which are very broad, or you could actually configure specific signatures if you choose to as well, but the default would be medium, high and critical, and the default action will be taken there. One thing that is kind of cool too is that you can also enable packet logging. If you enable packet logging here, then if an IPS signature is tripped and the FortiGate sees that, it will also save a copy of the packet capture, so that, for example if you are seeing a false positive or if you're even seeing a legitimate attack, you can verify that with the actual packet capture contents.

A few other security profiles, or security configurations, that are very worth mentioning but maybe a little bit outside of this basic configuration video would be, for example, file filter; SSL inspection here, this being a very, very good topic if we're talking about having more visibility into our encrypted communication, the default is certificate inspection but we can open up a lot of doors into visibility with deep inspection, now there are caveats with deep inspection that should be considered too; and additionally there's DLP, or data loss prevention. And let's look at a few others that would be under our System > Feature Visibility section. Email filter: there are some basic anti-spam detection abilities on the FortiGate. Video filter as well, so that for example if you want to have YouTube videos categorized and action taken based off of the category of the video, that can be done; just to note, that requires deep inspection, which involves that SSL inspection category that we were looking at a moment ago. There's also some basic web application firewall functionality; Fortinet's product FortiWeb has a web application firewall integrated and a lot more functionality with regards to protecting web servers, but there is that basic functionality on the FortiGate as well. Let's see if there's anything else here. There's also the DoS policy; if you enable the DoS policy it won't be under the Firewall Policy section but it would be under Policy & Objects. I'll enable it in a second here and be able to show you as well. There's VoIP, so for ALG SIP manipulation VoIP is also another profile that can be enabled. So let's just apply a few of these just to give you kind of an idea as to where you would go to configure them.

Okay, so after enabling that, let's look, for example, at our IPv4 DoS policy here. We can create specific DoS policies, specific thresholds, whether we're blocking or monitoring, so I'll let you take a look at that if that's something you're interested in. Then going back to our Firewall Policy section we'll see that we've added a couple more items below here: file filter was already there, but email filter and VoIP have been added. We can also change the global inspection mode from flow to proxy-based, and you'll notice that another security profile will be added, which is web application firewall. So the inspection mode must be proxy for web application firewall to be a feature that's enabled. Again, some of this stuff is a little bit outside of the scope of what we're doing right now, but it's something to consider that you need proxy-based inspection to be enabled for the web application firewall security profile to show up.

Yeah, so let's dive into logging and alerts now. Okay, so if we go to Log & Report and Log Settings we can see that there are various different destinations that the FortiGate can log traffic logs and security logs to. One could be the disk, and not every single FortiGate is going to have a disk, but that is an option. There's also memory, so logging to RAM; in that case it is volatile, so if you reboot the unit all logs will be lost, so it might be just for specific troubleshooting use cases. Then there's also sending logs to a FortiAnalyzer, another Fortinet product; it's really good for aggregating reports, for being able to identify logs from multiple different firewalls. There's also just sending logs to a regular syslog server, and another option too is using FortiGate Cloud. If we enable this cloud logging setting we can also connect up to FortiGate Cloud, for which there is a paid-for version and a free version. In this case let's just start by activating our account; we use the same credentials that we would use when we access support.fortinet.com. So let's activate that account and then see when it's connected. Okay, and once we've activated FortiCloud we can go back to the Dashboard > Status section and we should see that this FortiGate Cloud widget shows as activated. At this point we can take a look at, say, our forward traffic logs. If we look in the top right corner here we can see the log destination: all these logs that we're seeing here are stored on the physical disk that's installed in this FortiGate, but we can also see another log location, and now we can see that there are pretty much almost the exact same logs here that we're seeing when we're flipping between these two pages; we can see the logs from the destination as the FortiGate Cloud, and now all of our logs will be starting to populate under these other sections.

So now let's go over how we actually get these logs in this view that we're seeing here; how do we configure the firewall policy to log all this information, right? Well, it's all controlled based on our firewall policy. Based on what we're seeing here, we have a couple of logging options to determine what shows up under that Log & Report page. If we just have Security Events enabled, then only security events that are defined by these security profiles are going to show up in the forward traffic logs and various other logs. But let's say, for example, we're just logging allowed traffic as security events; if we go on our device and we maybe do a ping, for example, that traffic is not going to show up because it hasn't been triggered by any of these security profiles. Now let's just quickly test this by changing it to All Sessions and we'll save the policy, and now every single session that gets established with the FortiGate on this firewall policy, that traffic is going to be visible to the FortiGate and it's going to be logged. So let's just do a quick ping test here, and now let's take a look and see if that log was created. Okay, so I just waited for a couple of minutes here, and then we can actually see that ping showing up, right, and the reason why we might have to wait a minute or two is because, like I was mentioning before, the log is being aggregated by the FortiGate and then it gets sent off to FortiCloud and then needs to be read back to the FortiGate itself. But the idea is that we do have that visibility, and that's due to us making that configuration change on the firewall policy to enable logging all sessions.

All right, so now let's quickly go over how we could create an email alert. If we go to Security Fabric > Automation and we create a new automation stitch, what we can do here is take a trigger, so this is pretty much going to be our triggering event. Maybe we'll just make it simple and go over an event log entry; let's say login, okay, let's say we have an administrator login to the FortiGate itself that's failed. So we can take that and apply that as a trigger, and then we can add an action to say, okay, from the FortiGate let's send out an email. The email could be really whatever we type in here, something along those lines, but that's the idea of how we can be alerted when something's happening based off of any type of custom trigger that we create here.

Okay, so let's go over monitoring quickly and a little bit of troubleshooting. Starting with monitoring: all of our monitoring dashboards are going to be available in the Dashboard section. If we start with the Status section here we can see that we have a bit of information about our CPU, about our sessions open on the firewall. We can also add some information about, maybe we want to see some of the memory usage on the firewall, maybe we also want to see some detail about the bandwidth utilization on certain interfaces. So let's look at our WAN link. Let's see if there's anything else that maybe we'd want to see as well: yeah, some detail about our DHCP clients that the FortiGate would be leasing out, maybe some information about DNS as well. But you get the idea: there are a lot of different widget options that we have here to gain that monitoring visibility, and fairly quickly. So here's an idea of how quickly the FortiGate is able to reach the DNS servers, some information about the DHCP clients connected to the FortiGate, and we have bandwidth statistics just in case there are bandwidth spikes or users are noticing any type of latency or performance issues. Another thing we can do too is take a look at other dashboard options, which is Network here. As we can see, oh yeah, it's using that DHCP widget that we added to the Status dashboard there, but then we also have our routes, which we covered before too, to get a quick view of the routing table without having to go into the CLI. As well, if we had IPsec or SSL VPN tunnels that are connecting or terminating to this firewall, we have that visibility here as well.

Some of the things that we can also use for troubleshooting purposes would be to check our forward traffic log. I know we've been here a couple of times already, but maybe based off of a timestamp from a particular user, if they told you, okay, I was having an issue at this time, well, we can look back in time and try and find out how the firewall was handling those sessions, maybe if it intentionally was blocking it, or even just what policy that traffic would have been hitting. We can also see our antivirus, web filter, application control, IPS logs here; we can also see event logs, so we have system event logs, maybe HA events if we have a high availability configuration here, some router events, VPN events. So, a lot of resources under the Log & Report section.

And then maybe we also want to do a couple of basic packet sniffer diagnostics, whether it be in the GUI or on the command line. If anybody is familiar with Linux and maybe tcpdump then this comes very easy, where really what we're doing is we're using diagnose, or diag sniffer packet, and then in this "any" section here, this is pretty much saying I just want to sniff for packets regardless of which interface they arrive at and which interface packets are sent out on. Alternatively, if you just want to focus on a specific interface you could pick, for example, wan1, and we would only be seeing packets that are specific to this interface, but in this case just for example let's just use any, and then we'll look for any traffic that's going to this host, which is 4.2.2.2. So let's just run a quick ping here, and then we'll just run one. There we go. Okay, so what's great here is we immediately had some really good visibility as to the traffic flow here. We can see that the echo request came into the firewall, the firewall successfully forwarded the packet to the WAN, or to the ISP, and then we see that our destination 4.2.2.2 responded back and our wan1 interface received that traffic, and then here's the egress packet coming back, the echo reply going back to the client that actually initiated the ping. So it's a really good start-to-finish view of the firewall's receiving, I guess ingress and egress, on the packet capture there. And really all you have to do, once you get comfortable with just these, is the diag sniffer packet any, and then this is a 4 0 and then l as in Lima; we won't get into the specifics of what those mean, but we can in another video. What's important is what we have in the brackets here, which is our filter, so you can change that to be a host or port or port range, but this is just a quick basic test here.

Alternatively, another option if the CLI is not what we're looking for, or maybe we also want to have a little bit more of a Wireshark view of that packet instead, then we can go to the Network > Packet Capture section. We do have to identify an interface here, and then using that same example, let's look for traffic going to the same IP. Okay, so we've just created that packet capture and we start it, so now the firewall is listening for any traffic that would be going to that IP, 4.2.2.2. So let's just do the exact same thing again. Okay, there we go, we immediately see that the sniffer picked up on that traffic, and now let's download that output, and just like that we can see the traffic in Wireshark. This might be really useful in a case where maybe we need to confirm to the ISP that yes, the firewall is receiving traffic, or yes, ultimately it's receiving traffic and it's egressing that traffic over to the ISP, and we can actually confirm the destination MAC address, which would typically be the ISP's MAC.

Okay, so hopefully this was a valuable use of your time. I know this video was a little bit longer than maybe the average video out there, but the idea here is that I was hoping to make sure that we can save as much time for you in the long run. So with that, I'll see you in the next video. Thanks.
Info
Channel: ToThePoint Fortinet
Views: 13,140
Keywords: FortiFirewall, Firewall, fortinet, fortigate, fortinet how to, fortigate how to, firewall how to, firewalls, fortinet tutorial, fortigate tutorial, firewall tutorial, network engineer, itsec, cybersecurity, cyber security, firewall configuration, fortinet setup, fortigate setup, firewall setup
Id: T00SGsiqaxA
Length: 39min 15sec (2355 seconds)
Published: Thu Jan 27 2022