Forti Lecture

Enterprise Firewall 7.0 Study Guide (NSE Training Institute)

Enterprise Firewall Solution Overview

In this section, you will learn about the Fortinet Enterprise Firewall solution at a high level.

Evolution of the Enterprise Network

+ Networks are no longer flat and one-dimensional
+ Protecting only the perimeter is not enough
+ Enterprises must protect against a range of constantly evolving threats
  + Zero-day attacks, advanced persistent threats (APT), polymorphic malware, insider threats, and much more
+ The enterprise perimeter has been stretched so far that it's no longer recognizable:
  + Mobile workforce
  + Partners accessing your network services
  + Public and private clouds
  + Internet of Things (IoT)
  + Bring your own device (BYOD)
+ You must apply the zero-trust model:
  + The attack can come from anywhere, using any method, and affect anything

The traditional way of protecting a network by securing the perimeter has become a thing of the past. Network and security administrators today must protect against a wide range of threats such as zero-day attacks, APTs, polymorphic malware, and many more. They must also protect the network from any potential insider threats. BYOD, mobile users, a remote workforce, and evolving cloud technologies are creating borderless networks, which further compounds the challenge of securing such complex networks.

Malware can easily bypass any entry-point firewall and get inside the network. This could happen through an infected USB stick, or through an employee's compromised personal device being connected to the corporate network. Additionally, network administrators can no longer take for granted that everything and everyone inside the network can be trusted. Attacks can now come from inside the network. To secure such a vast network, you must apply the zero-trust model: the attack can come from anywhere, using any method, and affect anything.
Fortinet Enterprise Firewall Solution Overview

+ Consolidated network operating system
+ High-speed security processing
+ Industry-leading security effectiveness
+ Security Fabric
+ Multiple form factors

The Fortinet Enterprise Firewall solution answers those challenges. It offers effective and fast end-to-end security with a consolidated operating system: FortiOS. The core of the solution is the Security Fabric, which enables the communication of all the security devices in an enterprise network. The Fortinet Enterprise Firewall solution offers guidelines about where to install your network security devices and what roles they'll have in each part of the enterprise network. You can deliver single-pane-of-glass management and reporting for all of the deployments across the enterprise using a FortiManager and a FortiAnalyzer, respectively.

Firewall Roles in the Enterprise Firewall Solution

[Slide diagram: the four firewall roles, each with its throughput range (up to 1 Gbps, 1-40 Gbps), its purpose (separating networks, inbound protection from internal and external threats, breach containment per segment), and the features it enables (firewall, application control, IPS, web filter, antivirus, VPN).]

In the Enterprise Firewall solution, each FortiGate device has a specific role, depending on where it is installed and what assets it is protecting. In this lesson you will learn about the Distributed Enterprise Firewall (DEFW), Next Generation Firewall (NGFW), Data Center Firewall (DCFW), and Internal Segmentation Firewall (ISFW).

+ DEFWs are usually smaller devices installed in branch offices and remote sites. Distributed enterprises usually don't follow a standardized enterprise network design, and therefore multiple layers are collapsed into one or two layers. They are connected to the corporate headquarters using a VPN.
  DEFWs are all-in-one security devices, doing firewall, application control, IPS, web filtering, and antivirus inspection.
+ NGFWs are usually deployed for firewall, application visibility, intrusion prevention, malware detection, and VPNs. NGFWs can play the traditional role of the entry-point firewall or, depending on the network infrastructure, can be deployed in the core.
+ DCFWs protect corporate services. They focus on inspecting incoming traffic and are usually installed at the distribution layer. Because of the high performance requirements, in most cases the security functions are kept to a minimum: firewall, application control, and IPS.
+ ISFWs split your network into multiple security segments. They serve as breach containers for attacks that come from inside. Firewall, application control, web filtering, and IPS are the features that are commonly enabled in these firewalls.

Security Fabric

In this section, you will learn about the Fortinet Security Fabric.

Devices That Comprise the Security Fabric

+ Core:
  + Two or more FortiGate devices
  + FortiAnalyzer
+ Recommended — adds significant visibility or control:
  + FortiManager, FortiAP, FortiSwitch, FortiClient, FortiSandbox, FortiMail
+ Extended — integrates with the fabric, but may not apply to everyone:
  + Other Fortinet products and third-party products using the API

Two or more FortiGate devices and FortiAnalyzer are the mandatory products at the core of the solution. To add more visibility and control, Fortinet recommends adding FortiManager, FortiAP, FortiClient, FortiSandbox, FortiMail, and FortiSwitch.
You can extend the solution by adding other network security devices.

Extending the Fabric—Other Products

[Slide diagram: Security Fabric pillars. Broad: visibility of the entire digital attack surface. Integrated: AI-driven breach prevention across devices, networks, and applications. Automated: operations and orchestration.]

Fortinet recommends using FortiManager for centralized management of all FortiGate devices and access devices in the Security Fabric. You can integrate FortiSwitch devices and FortiAP devices to extend the Security Fabric down to the access layer. You can also extend the Security Fabric by integrating FortiMail, FortiWeb, FortiSandbox, and FortiClient EMS. The Security Fabric is open. The API and protocol itself are available for other vendors to join and for partner integration. This allows for communication between Fortinet and third-party devices.

Extending the Fabric—Fabric Connectors

+ Security Fabric multi-cloud support adds Security Fabric connectors to the Security Fabric configuration
+ Allows you to integrate:
  + Amazon Web Services (AWS)
  + Microsoft Azure
  + Oracle Cloud Infrastructure (OCI)
  + Google Cloud Platform (GCP)
  + AliCloud
  + IBM Cloud

Fabric connectors allow you to integrate multi-cloud support, such as ACI and AWS, to name a few. In an application-centric infrastructure (ACI), the SDN connector serves as a gateway bridging SDN controllers and FortiGate devices. The SDN connector registers itself to APIC in the Cisco ACI fabric, polls interested objects, and translates them into address objects. The translated address objects and associated endpoints populate on FortiGate. FortiGate VM supports cloud-init and bootstrapping in various cloud providers, such as Microsoft Azure and Google Cloud Platform (GCP).
Security Fabric Topology

+ You must configure the root FortiGate first
  + FortiAnalyzer registration
  + FortiManager registration
+ Tree structure

[Slide diagram: Root FortiGate, FortiAnalyzer, FortiView, Network.]

on FortiManager. FortiManager supports requests from registered (managed) devices and unregistered (unmanaged) devices. After you enable the FortiManager built-in FDS, you can configure FortiGate devices to use FortiManager FortiGuard services.

High Availability

HA Operations

In this section, you will review HA operations.

Virtual MAC Addresses and Failover

+ On the primary device, each interface—except HA heartbeat interfaces and reserved management interfaces—is given a virtual MAC address
+ Upon failover, the newly elected primary adopts the same virtual MAC addresses as the former primary

To forward traffic correctly, a FortiGate HA solution uses virtual MAC addresses. When a primary joins an HA cluster, FortiGate gives each interface a virtual MAC address. The primary informs all secondary devices about the assigned virtual MAC addresses. Upon failover, a secondary adopts the same virtual MAC addresses for equivalent interfaces.

How the Virtual MAC Addresses Are Assigned

+ FortiGate determines the virtual MAC address using the following formula:
  00:09:0f:09:<group_id>:(<vcluster_id> + <interface_id>)
+ group_id is the HA group ID converted to hexadecimal
+ vcluster_id is 0x00 for virtual cluster 1 and 0x80 for virtual cluster 2
+ interface_id is the interface index
+ Therefore, two or more HA clusters in the same LAN segment should use different HA group IDs, to prevent virtual MAC address conflicts
FortiGate determines the HA virtual MAC addresses assigned to each interface by the HA group ID, the virtual cluster ID, and the interface index. So, if you have two or more HA clusters in the same broadcast domain using the same HA group ID, you might get MAC address conflicts. For those cases, it is strongly recommended that you assign different HA group IDs to each cluster.

Verifying the HA Virtual MAC Address

[Slide: CLI output showing the virtual MAC address assigned to an interface.]

You can use the command shown on this slide to display the HA virtual MAC address assigned to an interface.

Virtual MAC Addresses and Failover

+ After a failover, gratuitous ARP informs the network that the virtual MAC addresses are now reachable through a different device
+ Some switches might not clear their MAC tables fast enough, so they would keep sending packets to the former primary device
+ To shut down the interfaces of the former primary FortiGate (except the heartbeats and reserved management) for one second during failover, use the following commands:

config system ha
    set link-failed-signal enable
end

+ Because of the link outage, all switches detect the failure and clear their MAC tables

After a failover, the new primary broadcasts gratuitous ARP packets, notifying the network that each virtual MAC address is now reachable through a different switch port. In most networks, that's enough for the switches to update their MAC forwarding tables with the new information. However, some high-end switches might not clear their MAC tables correctly after a failover. So, they keep sending packets to the former primary even after receiving the gratuitous ARPs.
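To show how the virtual MAC formula above plays out, here is an added Python example (not code from the study guide or from FortiOS) that derives the virtual MAC of every interface in a cluster and flags the collisions you get when two clusters on the same LAN segment keep the same HA group ID. The cluster names and interface indexes are constructed values.

```python
"""HA virtual MAC derivation: 00:09:0f:09:<group_id>:(<vcluster_id> + <interface_id>)."""

# vcluster_id per the study guide: 0x00 for virtual cluster 1, 0x80 for virtual cluster 2.
VCLUSTER_OFFSET = {1: 0x00, 2: 0x80}


def ha_virtual_mac(group_id: int, vcluster: int, interface_id: int) -> str:
    """Return the virtual MAC for one interface.

    group_id is the HA group ID (rendered as one hex byte), vcluster is 1 or 2,
    and interface_id is the interface index. The last byte is the sum of the
    vcluster offset and the interface index, so that sum must fit in one byte.
    """
    if not 0 <= group_id <= 0xFF:
        raise ValueError("HA group ID must fit in one byte")
    if vcluster not in VCLUSTER_OFFSET:
        raise ValueError("virtual cluster must be 1 or 2")
    last_byte = VCLUSTER_OFFSET[vcluster] + interface_id
    if not 0 <= last_byte <= 0xFF:
        raise ValueError("vcluster offset + interface index exceeds one byte")
    return f"00:09:0f:09:{group_id:02x}:{last_byte:02x}"


def cluster_macs(group_id: int, interface_ids, vcluster: int = 1) -> dict:
    """Map each interface index of one cluster to its virtual MAC."""
    return {idx: ha_virtual_mac(group_id, vcluster, idx) for idx in interface_ids}


def find_mac_conflicts(clusters: dict) -> dict:
    """Find virtual MACs that two or more clusters in one broadcast domain would share.

    clusters maps a cluster name to (group_id, interface_ids, vcluster).
    Returns {virtual_mac: [cluster names]} for every colliding address.
    """
    owners: dict = {}
    for name, (group_id, interface_ids, vcluster) in clusters.items():
        for mac in cluster_macs(group_id, interface_ids, vcluster).values():
            owners.setdefault(mac, []).append(name)
    return {mac: names for mac, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed scenario: two clusters on the same LAN, both left at HA group ID 0.
    same_group = {
        "cluster-A": (0, [1, 2, 3], 1),
        "cluster-B": (0, [1, 2], 1),
    }
    print("conflicts with the same group ID:", find_mac_conflicts(same_group))
    # The fix the guide recommends: give each cluster its own HA group ID.
    distinct = {
        "cluster-A": (0, [1, 2, 3], 1),
        "cluster-B": (10, [1, 2], 1),
    }
    print("conflicts after moving cluster-B to group ID 10:", find_mac_conflicts(distinct))
```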
In these cases, you should use the command shown on this slide to force the former primary to shut down all its interfaces for one second when the failover happens, excluding heartbeat and reserved management interfaces. This simulates a link failure that clears the related entries from the MAC table of the switches.

Active-Active Load Balancing

[Slide diagram: client, primary, secondary, and server. The client's SYN goes to the primary (destination: internal interface virtual MAC); the primary forwards the SYN to the secondary (destination: secondary physical MAC); the secondary sends a SYN/ACK to the client and a SYN to the server.]

Take a look at how an HA cluster in active-active mode handles traffic. First, the client sends a SYN packet, which is always forwarded to the primary FortiGate using the internal interface virtual MAC address as the destination. If the primary decides that the session is going to be inspected by a secondary, the primary forwards the SYN packet to the respective secondary. In the example shown on this slide, the destination MAC address is the physical MAC address of the secondary FortiGate. The secondary responds with a SYN/ACK to the client and starts the connection with the server by directly sending a SYN packet.

Active-Active Load Balancing (Cont'd)

[Slide diagram: the client's ACK goes to the primary (destination: virtual MAC) and is forwarded to the secondary (destination: secondary physical MAC).]

Next, the client acknowledges the SYN/ACK. The client forwards the ACK to the primary using the virtual MAC address as the destination. The primary device forwards the packet to the secondary inspecting that session, using the secondary physical MAC address.
Active-Active Load Balancing (Cont'd)

[Slide diagram: the server's SYN/ACK goes to the primary (destination: external interface virtual MAC) and is forwarded to the secondary (destination: secondary physical MAC).]

When the server responds to the TCP SYN, the packet is sent to the primary using the external interface virtual MAC. The primary signals the secondary, and it is the secondary that replies to the server. As you can see, the objective of active-active mode is not to load balance bandwidth. The traffic is always sent to the primary first. The main objective is to share CPU and memory among multiple FortiGate devices for traffic inspection.

What Is Virtual Clustering?

+ Extension of FGCP for a cluster of two FortiGate devices with multiple VDOMs enabled
+ Virtual clustering operates in active-passive as well as active-active mode
+ FortiGate virtual clustering is limited to a cluster of two FortiGate devices with multiple VDOMs enabled

[Slide diagram: Virtual Cluster.]

Virtual clustering is essentially a cluster of two FortiGate devices operating with multiple VDOMs enabled. You can configure a virtual cluster in active-passive mode to provide standard failover protection between two instances of a VDOM operating on two different devices. You can also configure a virtual cluster in active-active mode to load balance sessions between two cluster devices. There is another way you can load balance sessions in a virtual cluster, which is VDOM partitioning. Virtual clustering operates on a cluster of only two FortiGate devices. If you want to create a cluster of more than two FortiGate devices operating with multiple VDOMs, you could consider other solutions that either do not include multiple VDOMs in one cluster, or employ a feature such as standalone session synchronization with FGSP.
Other requirements to configure virtual clustering are the same as in a standard HA configuration.

Active-Active Virtual Clustering

+ You can set up a virtual cluster in active-active mode to load balance sessions between cluster devices
+ For virtual clustering, setting the HA mode to active-active is similar to an active-active HA cluster without virtual domains
+ The primary device receives all sessions and load balances them among the other cluster devices
+ All devices in a cluster process traffic for all virtual domains

There are two ways to configure load balancing for virtual clustering. The first method is to set the HA mode to active-active, and the second method is to configure VDOM partitioning. For virtual clustering with the HA mode set to active-active, the primary device receives all sessions and load balances them among the cluster devices according to the load balancing schedule. All cluster devices process traffic for all VDOMs.

VDOM Partitioning

+ You must set the HA mode to active-passive
+ Uses VDOM partitioning to distribute traffic between both cluster devices
+ Control the distribution of traffic between the devices in the cluster by adjusting which cluster device is the primary device for each VDOM

In VDOM partitioning, the HA mode is set to active-passive. To configure VDOM partitioning, you configure one cluster device as the primary for some VDOMs and you set the other cluster device as the primary for the other VDOMs. All traffic for a VDOM is processed by the primary device for that VDOM. You can control the distribution of traffic between cluster devices by adjusting which cluster device is the primary device for each VDOM.
VDOM Partitioning (Cont'd)

+ If you have two VDOMs with high traffic volume, then you can configure each cluster device to be the primary device for one of the VDOMs
  + VDOM A and VDOM B with high traffic volume
  + Two FortiGate devices in a cluster, FortiGate1 and FortiGate2
  + For VDOM A, FortiGate1 is the primary device
  + For VDOM B, FortiGate2 is the primary device

[Slide diagram: Active-Passive HA, with FortiGate1 primary for VDOM A and FortiGate2 primary for VDOM B.]

In the example shown on this slide, HA is configured in active-passive mode. FortiGate1 processes all traffic for VDOM A, and FortiGate2 processes all traffic for VDOM B. In case of a failover, one device in the cluster processes all traffic for all VDOMs.

HA Troubleshooting

In this section, you will learn about some HA troubleshooting commands.

Checking the Status of the HA Through the GUI

[Screenshot: HA status page listing the cluster members.]

If the HA cluster forms successfully, the GUI displays all the FortiGate members with their hostnames, serial numbers, role, uptime, and synchronization status.

Checking the Synchronization Status on the GUI

[Screenshot: cluster members NGFW1 (Primary) and NGFW2 (Secondary) with the synchronization tooltip.]

If the HA cluster forms but the configurations are not synchronized, the GUI tooltip for the cluster members displays the portions of their configuration that are out of sync.

Connecting to the CLI on a Secondary Device

+ Using the primary CLI, you can connect to any secondary CLI:
  # execute ha manage <index> <admin_username>
+ To list the index numbers for each device, use a question mark:
  # execute ha manage ?
  please input peer box index.
  <1> subsidiary unit FGVM01000001xxxx

When troubleshooting a problem in an HA cluster, it is useful to know that you can connect to the CLI of any secondary device from the CLI of the primary device. Using the command shown on this slide with the HA index of the secondary device, you can connect to the CLI of the secondary device. To get the list of secondary FortiGate devices and their HA indexes, use the question mark at the end of that same command.

HA Status

# diagnose sys ha status
[Slide: output of diagnose sys ha status.]

Using the CLI, you can get more information about the status of the HA. For example, the command shown on this slide displays heartbeat traffic statistics, as well as the serial number and HA priority of each FortiGate. This command also shows the heartbeat interface IP address automatically assigned to the primary FortiGate.

HA Status (Cont'd)

# get sys ha status
[Slide: output of get sys ha status.]

You can use the command shown on this slide to display the following information:
+ HA health status
+ Cluster uptime
+ Criteria used to select the primary device
+ Override status
+ Status of the monitored interfaces
+ Status of the HA ping servers

Checking the HA Time Difference

# diagnose sys ha dump-by vcluster
[Slide: output of diagnose sys ha dump-by vcluster, showing the cluster start_time, the state change time, the monitored interfaces (mondev), and for each member its ha_prio, link failures, pingsvr_failure, flag, uptime, and reset_cnt.]

The HA uptime is one of the variables used to elect the primary device. Depending on other variables and configurations, the devices might compare their system uptimes to elect the primary. If that happens, and if there is one member whose system uptime is five minutes more than the system uptimes of all the other devices, that member is elected as the primary. You can use this command to compare the system uptimes of all the devices in a cluster.
The reset_cnt value shows you how many times the HA uptime has been reset with the diagnose sys ha reset-uptime command.

Types of Failover

+ Loss of keepalive packets
  + Primary fails to reply
+ A monitored interface becomes disconnected
  + The new primary is the device with the fewest failed monitored interfaces
  + Port monitoring takes precedence over device priority
+ Remote link failover
  + Uses detect (ping) servers to test IP connectivity
  + Pings originate only from the primary
  + If it does not get a reply, the cluster renegotiates the primary
+ Solid state disk (SSD) failover
  + An SSD fails
  + Only for devices with SSDs
+ Memory utilization threshold
  + Configurable memory utilization threshold, sample rate, and monitor period
  + Memory utilization is checked at the configured sample rate and, if it stays above the threshold for the configured monitor period, a failover is triggered

There are four occurrences that can trigger a failover:
+ When the primary stops replying to heartbeats
+ When the link status of a monitored interface goes down. You can configure an HA cluster to monitor the link status of one or more interfaces.
+ When a server (IP address) stops replying to the ping sent by the primary. You can configure an HA cluster to periodically send a ping to one or more servers to test the connectivity between the primary device and the network services.
+ When FortiOS detects a failure in an SSD. Only available for devices with SSDs.
+ When memory-based failover is enabled and the configured conditions for utilization exceed the threshold during each sample over the monitor period

Central Management

FortiManager Overview

In this section, you will review the key features of FortiManager.

What Is FortiManager?
+ Single-pane-of-glass management
+ Minimizes both initial costs and ongoing operating expenses for large deployments
+ Helps maintain regulatory compliance
+ Reduces WAN usage with a local FortiGuard cache server
+ Provides centralized device management for many Fortinet devices
+ Automates mass device provisioning and maintains policies
+ Local distribution and control point for firmware and policy updates
+ Complex mesh and star IPsec VPN
+ Provides logging and reporting

When should you use FortiManager in your network? In large enterprises and managed security service providers (MSSPs), the size of the network introduces challenges that smaller networks don't have: mass provisioning; scheduling rollout of configuration changes; and maintaining, tracking, and auditing many changes. Centralized management through FortiManager can help you to more easily manage many deployment types with many devices, and to reduce the cost of operation.

What can FortiManager do?
+ Provision firewall policies across your network
+ Act as a central repository for configuration revision control and security audits
+ Deploy and manage complex mesh and star IPsec VPNs
+ Act as a private FortiGuard distribution server (FDS) for your managed devices
+ Script and automate device provisioning, policy changes, and more, with JSON APIs

Key Features

+ Centralized management
+ Administrative domains (ADOMs)
+ Configuration revision control and tracking
+ Local FortiGuard service
+ Scripting
+ Managers: VPN, FortiAP, FortiSwitch, and Fabric View
+ Logging and reporting (not available in HA mode)
+ FortiMeter: pay-as-you-go licensing through Fortinet

FortiManager can help you to better organize and manage your network.
Key features of FortiManager include:
+ Centralized management: Instead of logging in to hundreds of FortiGate devices individually, you can use FortiManager to manage them all from a single console.
+ Administrative domains (ADOMs): FortiManager can group devices into geographic or functional ADOMs, which is ideal if you have a large team of network security administrators.
+ Configuration revision control: Your FortiManager keeps a history of all configuration changes. You can schedule FortiManager to deploy a new configuration or revert managed devices to a previous configuration.
+ Local FortiGuard service provisioning: To reduce network delays and minimize internet bandwidth usage, your managed devices can use FortiManager as a private FDN server.
+ Firmware management: FortiManager can schedule firmware upgrades for managed devices.
+ Scripting: FortiManager supports CLI-based and TCL-based scripts for configuration deployments.
+ Pane managers (VPN, FortiAP, FortiSwitch, and Fabric View): FortiManager management panes simplify the deployment and administration of VPN, FortiAP, FortiSwitch, and Fabric View (Security Fabric).
+ Logging and reporting: Managed devices can store logs on FortiManager. From that log data, you can generate SQL-based reports, because FortiManager has many of the same logging and reporting features as FortiAnalyzer.
+ FortiMeter: Allows you to turn FortiOS-VMs and FortiWebOS-VMs on and off as needed, paying only for the volume and consumption of traffic that you use. These VMs are also sometimes called pay-as-you-go VMs. You must have a FortiMeter license, and the FortiMeter license must be linked with FortiManager by using FortiCare.
Wizards

+ Assist with various tasks
+ Main wizards:
  + Add Device
  + Install Wizard
  + Import Policy
  + Re-install Policy

[Screenshot: Device Manager pane showing the Add Device, Install Wizard, and related menu entries.]

The Device Manager pane provides device and installation wizards to aid you in various administrative and maintenance tasks. Using these wizards can decrease the amount of time it takes to do many common tasks. There are four main wizards in the Device Manager pane:
+ Add Device is used to add devices to central management and import their configurations.
+ Install Wizard is used to install configuration changes from the Device Manager pane or Policies & Objects pane to the managed devices. It allows you to preview the changes and, if the administrator doesn't agree with the changes, cancel and modify them.
+ Import Policy is used to import interface mappings, policy databases, and objects associated with the managed devices into a policy package under the Policy & Objects pane. It runs with the Add Device wizard by default, and may be run at any time from the managed device list.
+ Re-install Policy is used to perform a quick install of the policy package. It provides the ability to preview the changes that will be installed on the managed device.
You can open the Import Policy and Re-install Policy wizards by right-clicking your managed device in the Device Manager.

Central VPN Management

In this section, you will learn how to configure IPsec VPNs using the FortiManager VPN manager.
FortiManager VPN Manager

+ VPN manager simplifies the administration of multiple VPNs
+ You can install common IPsec VPN settings on multiple FortiGate devices at the same time
+ Settings are stored as objects and pushed to the devices as part of the policy packages
+ VPN manager is enabled for each ADOM
+ Steps:
  1. Create a VPN community
  2. Add gateways (members) to the community
  3. Install the VPN community and gateways configuration
  4. Add the firewall policies
  5. Install the firewall policies

On the VPN manager screen, you can configure IPsec VPN settings that you can install on multiple devices. The settings are stored as objects in the objects database. You push the IPsec VPN settings to one or more devices by installing a policy package. Follow these steps to configure VPNs with the VPN manager:
1. Create a VPN community.
2. Add gateways (members) to the community.
3. Install the VPN community and gateways configuration.
4. Add the firewall policies.
5. Install the firewall policies.

VPN Communities

+ Contain the common IPsec settings that are shared by all the IPsec gateway members of the community
+ Three types of communities:
  + Full meshed
  + Star
  + Dial-up

Depending on the VPN topology you are installing, there are three types of communities: full meshed, star, and dial-up.

VPN Communities Configuration

+ Enter the common phase 1 and phase 2 settings:
  + These settings are applied to all the members in the community

The VPN community contains the IPsec phase 1 and phase 2 settings that are common to all the gateways.
VPN Gateways

+ After the community is created, it is time to add the VPN gateways
+ Two types of gateways:
  + Managed gateways are FortiGate devices managed by FortiManager in the current ADOM
  + External gateways are devices not managed by FortiManager, or devices in a different ADOM
    + VPN configuration must be handled manually by the administrator in that ADOM

The next step is to add gateways to the community. There are two types of gateways:
+ Managed gateways
+ External gateways
Managed gateways are managed by FortiManager in the current ADOM. You can treat devices in a different ADOM, or other vendor devices, as external gateways. The administrator must handle VPN configuration manually in that ADOM.

VPN Gateway Configuration

+ For each managed gateway, you configure:
  + Protected subnets
  + Gateway role (hub, spoke, and so on)
  + Interface where the tunnel terminates
  + Advanced settings: peer ID, IKE mode configuration

In VPN gateways, you configure the node type (hub, spoke, and so on), depending on the VPN topology you select. For example, hub and spoke options are available only in star and dial-up topologies. For each gateway, you can also configure the protected subnet, interfaces, and some advanced settings.

Web Filtering

Enterprise Firewall Web Filtering (FortiOS 7.0)

In this lesson, you will learn about web filtering.
Objectives

+ Test a web filter configuration
+ Inspect HTTPS traffic using SSL inspection methods
+ Check web filtering statistics
+ Troubleshoot common web filtering issues

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in web filtering, you will be able to implement, maintain, and troubleshoot web filtering on FortiGate.

Web Filtering Review

+ FortiGate queries FortiGuard to get the URL category
+ Caches the FortiGuard answer
+ Cache TTL value is configurable:

    config system fortiguard
        set webfilter-cache enable
        set webfilter-cache-ttl 3600
    end

+ Supports proxy and flow inspection modes

Web filtering in FortiOS operates in one of two inspection modes: proxy and flow. By default, FortiGate caches the rating results it receives from FortiGuard. So, before it sends a rating request to FortiGuard, FortiGate checks whether the website category is already in the local cache. You can configure the time-to-live (TTL), in seconds, of the entries in the web filtering cache; the example above sets it to one hour. A longer TTL reduces the number of rating requests, but a URL that FortiGuard reclassifies keeps its old category on the FortiGate until the cached entry expires.

Order of Inspection

+ Web filtering inspection is performed in the following order:
  1. Static URL filter
  2. FortiGuard category filter
  3. Web content filter
  4. Advanced options

During web filtering inspection, FortiGate first checks the static URL filter list, then the FortiGuard categories, and then the content filtering list. Finally, FortiGate can execute some advanced options, such as manipulation of HTTP headers. Because the static URL filter is evaluated first, a static entry takes precedence over the FortiGuard rating of the same site. Keep this order in mind when troubleshooting: a site that is unexpectedly blocked or allowed may be matching a static entry before its category is ever considered.
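The inspection order and the rating cache described above, modelled in Python as an added example. This is not FortiOS code: the FortiGuard service, every hostname, the banned words and every category number except 11 (Gambling, from the study guide) are constructed for the example. Static URL filter entries with the Block or Exempt action are decided first, without asking FortiGuard; category lookups go through a cache with a TTL, so a host is rated once per TTL; the content filter then sums the scores of banned words found in the page against a threshold.

```python
"""Added example (not FortiOS code): the web filter decision order
static URL filter -> FortiGuard category -> web content filter, with a
TTL cache in front of the FortiGuard rating lookup."""
from fnmatch import fnmatchcase
from urllib.parse import urlparse

GAMBLING = 11   # category number from the study guide
UNRATED = -1    # placeholder for hosts the fake service has no rating for (not a FortiGuard number)


class RatingCache:
    """Host -> category cache whose entries expire after `ttl` seconds (webfilter-cache-ttl)."""

    def __init__(self, ttl=3600):
        self.ttl = ttl
        self._entries = {}

    def get(self, host, now):
        hit = self._entries.get(host)
        if hit is None:
            return None
        category, expires = hit
        if now >= expires:          # expired entry: drop it and force a fresh rating
            del self._entries[host]
            return None
        return category

    def put(self, host, category, now):
        self._entries[host] = (category, now + self.ttl)


class FakeFortiGuard:
    """Constructed stand-in for the FortiGuard rating service; counts how often it is asked."""

    def __init__(self, ratings):
        self.ratings = ratings
        self.queries = 0

    def rate(self, host):
        self.queries += 1
        return self.ratings.get(host, UNRATED)


class WebFilter:
    def __init__(self, fortiguard, static_urls, category_actions, banned_words,
                 content_threshold=10, cache_ttl=3600):
        self.fortiguard = fortiguard
        self.static_urls = static_urls            # [(host pattern, "block" | "exempt")]
        self.category_actions = category_actions  # {category number: "block" | "allow"}
        self.banned_words = banned_words          # [(word, score)]
        self.content_threshold = content_threshold
        self.cache = RatingCache(cache_ttl)

    def inspect(self, url, body="", now=0.0):
        """Return (verdict, reason) for a request, following the inspection order."""
        host = (urlparse(url).hostname or "").lower()

        # 1. Static URL filter: a matching entry decides before any rating is requested.
        #    Only Block and Exempt are modelled; Exempt skips the remaining web filters.
        for pattern, action in self.static_urls:
            if fnmatchcase(host, pattern):
                if action == "block":
                    return "block", "static-url-filter"
                if action == "exempt":
                    return "allow", "static-url-filter-exempt"

        # 2. FortiGuard category: consult the cache first, query only on a miss or expiry.
        category = self.cache.get(host, now)
        if category is None:
            category = self.fortiguard.rate(host)
            self.cache.put(host, category, now)
        if self.category_actions.get(category, "allow") == "block":
            return "block", f"fortiguard-category-{category}"

        # 3. Web content filter: sum the scores of banned words present in the page.
        text = body.lower()
        score = sum(points for word, points in self.banned_words if word in text)
        if score >= self.content_threshold:
            return "block", "web-content-filter"

        return "allow", "no-match"


def demo_filter():
    """Build a filter over constructed hosts, ratings and banned words (example data only)."""
    fortiguard = FakeFortiGuard({"bets.example": GAMBLING, "news.example": 20})  # 20 is made up
    return WebFilter(
        fortiguard,
        static_urls=[("intranet.example", "exempt"), ("*.bad.example", "block")],
        category_actions={GAMBLING: "block"},
        banned_words=[("casino", 10), ("wager", 5)],
    )
```

Calling `demo_filter().inspect(url, body, now)` with a clock value shows the behaviour the slides describe: a host matching `*.bad.example` is blocked with no FortiGuard query at all, `bets.example` is rated once and then served from the cache until `now` reaches the TTL, and an allowed-category page is still blocked when its banned-word score reaches the threshold.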
SSL Inspection

+ Two methods of inspecting outbound encrypted sessions:
  + SSL certificate inspection
  + Full SSL inspection

With encrypted traffic making up between 60% and 80% of most organizations' traffic, it has become critical to inspect encrypted traffic in order to maintain a secure network. In the context of web filtering, FortiGate has two methods of inspecting outbound encrypted sessions: SSL certificate inspection and full SSL inspection. You configure an SSL/SSH inspection profile to use either method, and apply that profile in the firewall policy together with the web filter profile.

SSL Certificate Inspection

+ Uses the server name indication (SNI) extension from the Client Hello of the SSL handshake to obtain the FQDN
+ If SNI is not present, FortiGate uses the CN field in the server's certificate to obtain the FQDN

When using SSL certificate inspection, FortiGate doesn't decrypt or inspect any encrypted traffic. Using this method, FortiGate inspects only the initial unencrypted SSL handshake. If the SNI field exists, FortiGate uses it to obtain the FQDN to rate the site. If the SNI isn't present, FortiGate retrieves the FQDN from the CN field of the server's certificate.

In some cases, the CN server name might not match the requested FQDN. For example, the value of the CN field in the digital certificate of youtube.com is google.com. So, if you connect to youtube.com from a browser that doesn't support SNI, and FortiGate uses the SSL certificate inspection method, FortiGate assumes, incorrectly, that you are connecting to google.com, and uses the google.com category instead of the category for youtube.com.

Note that SSL certificate inspection works only with web filtering, and with some application signature detection when doing application control.
SSL certificate inspection does not work with antivirus, IPS, or DLP scanning, where the full payload needs to be inspected.

SSL Certificate Inspection and SNI Check

    config firewall ssl-ssh-profile
        edit <profile_name>
            config https
                set sni-server-cert-check {enable | strict | disable}
            end
        next
    end

+ enable: if the SNI does not match the CN or SAN fields in the returned server's certificate, FortiGate uses the CN field instead of the SNI to obtain the FQDN
+ strict: if the SNI does not match the CN or SAN fields in the returned server's certificate, FortiGate closes the connection
+ disable: FortiGate does not check the SNI against the certificate

When doing certificate-based inspection, by default, FortiGate validates the information in the SNI field of the client's request against the information in the CN and SAN fields of the server's certificate. If the domain in the SNI field does not match any of the domains listed in the CN and SAN fields, FortiGate uses the domain in the CN field instead of the domain in the SNI field. The check matters because the SNI is supplied by the client: without it, a client could send an innocuous SNI to obtain a permissive rating while connecting to a server whose certificate names a different site.

You can configure FortiGate to be more strict, so that it closes the client connection if the domain in the SNI field does not match any of the domains listed in the CN and SAN fields.

You can also disable SNI checking altogether, so that FortiGate always rates URLs based on the FQDN in the SNI, without comparing it to the server's certificate.

Full SSL Inspection

+ FortiGate acts as a man-in-the-middle proxy
+ Maintains two separate SSL sessions: client-to-FortiGate and FortiGate-to-server
+ FortiGate encrypts and decrypts packets using its own keys

You can configure full SSL inspection to inspect all of the packet contents, including the payload. FortiGate performs this inspection by proxying the SSL connection. Two SSL sessions are established: client-to-FortiGate and FortiGate-to-server.
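The SNI handling described under SSL Certificate Inspection and the three sni-server-cert-check modes, as an added Python example that is not FortiOS code. It constructs a minimal TLS ClientHello (test input, not captured traffic), extracts the host_name from the server_name extension, and then picks the FQDN that certificate inspection would rate for a given certificate CN and SAN list under each mode. The certificate fields (CN google.com with a wildcard SAN) are constructed to reproduce the youtube.com example from the text; only the names, not a real certificate, are used.

```python
"""Added example (not FortiOS code): SNI extraction from a ClientHello and the
FQDN chosen for rating under each sni-server-cert-check mode."""
import struct


def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (test input, not captured traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type 0 = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list  # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # client_version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                            # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the server_name extension, or None if absent/malformed."""
    try:
        if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                   # skip headers, version, random
        pos += 1 + record[pos]                             # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                             # compression_methods
        if pos + 2 > len(record):
            return None                                    # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == 0 and elen >= 5:
                # server_name list: list length (2), name_type (1), name length (2), name
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def name_matches(cert_name, host):
    """Match a CN/SAN entry against a hostname; a wildcard covers one leftmost label only."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == cert_name[2:]
    return cert_name == host


def fqdn_for_rating(client_hello, cert_cn, cert_sans, mode="enable"):
    """Return (fqdn, action): the name to rate and "rate", or (None, "close") under strict mode."""
    sni = extract_sni(client_hello)
    if sni is None:
        return cert_cn, "rate"                    # no SNI: fall back to the certificate CN
    if mode == "disable":
        return sni, "rate"                        # SNI used as-is, never compared to the cert
    if any(name_matches(n, sni) for n in [cert_cn, *cert_sans]):
        return sni, "rate"                        # SNI agrees with the certificate
    if mode == "strict":
        return None, "close"                      # mismatch: connection is closed
    return cert_cn, "rate"                        # enable (default): mismatch falls back to CN
```

With a certificate whose CN is google.com, a ClientHello for youtube.com is rated as google.com in the default mode, closed in strict mode, and rated as youtube.com with the check disabled; a ClientHello without SNI is rated by the CN in every mode.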
The two sessions allow FortiGate to encrypt and decrypt packets using its own keys, which allows FortiGate to fully inspect all data inside the encrypted packets. Because the client receives a certificate issued by FortiGate rather than the real server certificate, clients must trust the FortiGate CA certificate, otherwise browsers display certificate warnings.

Category Lookup

+ To verify which category a specific website belongs to, use the web filter lookup on the FortiGuard portal
+ You can submit a request for URL reclassification

You can access the FortiGuard portal to check which category a URL belongs to. In the portal, you can also request that a URL be reclassified. You can also view the FortiGuard web filter categories.

Web Filtering Categories

+ To check the list of web filtering categories and their corresponding numerical values:

    get webfilter categories
    g01 Potentially Liable:

+ You can also use category numbers to test whether a specific category or subcategory is allowed or blocked

You can use the FortiOS CLI to display the list of FortiGuard categories and their numerical values; the output is grouped, starting with the Potentially Liable group, and lists each category with its number. You can use FortiGuard category numbers when you create web filter profiles using the FortiOS CLI, or using scripts on FortiManager. In addition to using the GUI, you can configure different actions for each category using the CLI.

Category Access Test

+ You can test whether a specific category or subcategory is allowed or blocked

You can use category numbers to test whether a specific category or subcategory is allowed or blocked. Use the FortiGuard test URL format shown on the slide for that purpose. In the example shown on the slide, the category is 11, which is Gambling, in the Adult/Mature Content group. The test confirms that all sites listed in this category will be blocked. The replacement message page displays the category that is blocked, with other information, such as the client IP, server IP, and user information.