Category: Fortinet

FCA – FortiGate 7.4 Operator Self-Paced: Notes

Reading Time: 6 minutes

I didn’t take the greatest of notes for this free self-paced course (FCA – FortiGate 7.4 Operator Self-Paced) and free exam, but I’ll share the shorthand notes that I did take down below:

  • Overview
    • NGFW
  • Antivirus
  • Web Filter
  • IPS
  • FortiOS
  • Security Processing Units (SPUs)
  • Models:
  • Fortigate VM
    • Entry Level – FG-80F, FWF-80F
    • Mid-range – FG-100F, FG-1000F, FG-4200F
    • High-end – FG-4800F, FG-7081F, FG-7121F, FG-5114C
  • Features:
    • Firewall Auth, local and remote
    • VPN
    • Security Scanning: antivirus, web filtering, app control
    • Monitoring and logging
    • Fortinet Security Fabric
    • FortiGuard Labs – threat intelligence and security research
    • Trusted machine learning and AI
    • Real-time threat intelligence
    • Threat hunting and outbreak alerts
  • Configuring Interfaces and Routing
    • Alias – name for ref
    • IP Address
    • Administrative Access (HTTPS, PING, SSH, ETC)
    • DHCP Servers
  • DHCP Server
    • Address Range
    • Mask
    • Default Gateway
    • DNS Server (by default the same as used by the FortiGate)
  • Static Routing:
    • Default route to gateway for internet
    • Destination – Used to match incoming traffic to the correct route
    • Gateway – IP address Fortigate forwards traffic to
    • Interfaces – Interface FortiGate uses to forward traffic towards destination
    • Distance, Priority
    • Default Route – when no exact destination
  • Monitoring Static Routes:
    • Network > Static Route
  • Reasons a route may not be added to the routing table:
  • Misconfigured route
  • Port associated with route is down or disabled
  • Better route to use for destination
  • To check the routing table:
    • Dashboard > Network > Static and dynamic routing
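The route-selection rules in the notes (most specific destination first, then distance, then priority, default route only as a fallback, and routes on down interfaces never installed) worked through as an added Python simulation. This is example code written for these notes, not from the Fortinet course or FortiOS itself; every route, gateway and interface name in it is constructed.

```python
"""How a FortiGate-style routing table selects a route.

Added example, not from the course or the blog post. It encodes the
selection order the notes describe: the most specific destination
(longest prefix) wins; among routes to the same destination, only the
lowest administrative distance is installed; equal-distance routes are
tie-broken on priority; the default route 0.0.0.0/0 is used only when
nothing more specific matches. A route whose interface is down is
never installed. Every route and address below is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    destination: IPv4Network   # prefix matched against the packet's destination
    gateway: IPv4Address       # next hop the FortiGate forwards to
    interface: str             # egress interface
    distance: int = 10         # administrative distance, lower is preferred
    priority: int = 0          # tie-breaker among equal distance, lower preferred
    up: bool = True            # False models a down or disabled interface


def route(dst: str, gw: str, intf: str, **kw) -> StaticRoute:
    """Small constructor so the sample table reads like the GUI fields."""
    return StaticRoute(IPv4Network(dst), IPv4Address(gw), intf, **kw)


def candidate_routes() -> List[StaticRoute]:
    """Constructed static route configuration (what an admin typed in)."""
    return [
        route("0.0.0.0/0", "203.0.113.1", "wan1", distance=10),    # primary default
        route("0.0.0.0/0", "198.51.100.1", "wan2", distance=20),   # backup default, stays inactive
        route("10.10.0.0/16", "10.0.0.2", "port2"),                # whole remote site
        route("10.10.20.0/24", "10.0.0.3", "port3"),               # more specific subnet
        route("172.16.0.0/12", "10.0.0.9", "port4", up=False),     # interface down: not installed
    ]


def routing_table(candidates: List[StaticRoute]) -> List[StaticRoute]:
    """Routes that are actually installed in the routing table.

    Down interfaces are excluded; for each destination only the routes
    with the lowest distance survive (the "better route" case in the
    notes). Equal-distance routes to the same destination all stay.
    """
    best: Dict[IPv4Network, int] = {}
    for r in candidates:
        if r.up and (r.destination not in best or r.distance < best[r.destination]):
            best[r.destination] = r.distance
    return [r for r in candidates if r.up and r.distance == best[r.destination]]


def lookup(table: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Longest-prefix match, then lowest priority; None if nothing matches."""
    ip = IPv4Address(dst)
    matches = [r for r in table if ip in r.destination]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.destination.prefixlen, r.priority))


if __name__ == "__main__":
    table = routing_table(candidate_routes())
    for dst in ("10.10.20.5", "10.10.30.5", "172.16.1.1", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst:>12} -> {r.interface} via {r.gateway} ({r.destination})")
```

Running it shows 10.10.20.5 leaving via port3 (the /24 beats the /16), 10.10.30.5 via port2, and 172.16.1.1 falling back to the default route because the /12 route's interface is down. Changing `distance=20` on the wan2 route to 10 would install both defaults, at which point `priority` decides between them.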
  • Firewall Policies
    • Sets of rules to control whether traffic is accepted by FortiGate and how it processes it
  • Match based on:
    • Incoming and outgoing interfaces
    • Source: IP or User
    • Destination: IP or Internet Service
    • Service: Destination port
    • Schedule
  • Action:
    • Accept
    • Deny
  • IP Subnet:
    • Create a firewall address that corresponds to the IP subnet address
    • Can also create firewall address for a specific device
  • Source/Destination:
    • Default “ALL” option available for both source/dest to match all possible IP addresses
  • Internet Service:
    • Select from ISDB (Internet service database)
  • Policy Table:
    • Contains all rules; evaluated top down
    • If no match, default deny
    • Place the most specific policy rules at the top, since it is first match
  • Accepted Traffic:
    • Next is other features such as antivirus, web filtering
    • Applies NAT and logs based on policy settings
  • Inspection modes:
    • Flow based – examines the file as it passes through, without buffering
    • Proxy based – buffers and examines the file as a whole – more thorough but slower due to buffering
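The policy-table behaviour described above (match on interfaces, source, destination, service and schedule; first match wins; implicit deny when nothing matches; most specific rules at the top) as an added Python simulation. This is example code written for these notes, not FortiOS code or anything from the course; the policy names, interface names, subnets and the `Packet`/`Policy` classes are constructed for illustration.

```python
"""First-match evaluation of a FortiGate-style firewall policy table.

Added example, not taken from the course or the blog post. It models
the matching criteria in the notes (incoming/outgoing interface,
source, destination, service, schedule), walks the table top-down,
stops at the first match, and falls back to the implicit deny when
nothing matches. Policy names, addresses and ports are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int = 0              # destination port (0 for icmp)
    when: datetime = field(default_factory=datetime.now)


@dataclass
class Policy:
    policy_id: int
    name: str
    srcintf: List[str]          # "any" matches every interface
    dstintf: List[str]
    srcaddr: List[str]          # CIDRs, or "all"
    dstaddr: List[str]
    service: List[str]          # "tcp/443", "udp/53", "icmp" or "ALL"
    action: str = "accept"      # "accept" or "deny"
    schedule: Optional[Tuple[time, time]] = None  # None means "always"
    nat: bool = False           # applied only after an accept
    log: bool = True


# The hidden last row of every FortiGate policy table.
IMPLICIT_DENY = Policy(0, "Implicit Deny", ["any"], ["any"], ["all"], ["all"], ["ALL"], action="deny")


def at(hour: int) -> datetime:
    """Constructed timestamp on a weekday, used for schedule checks."""
    return datetime(2025, 1, 15, hour, 0)


def _intf_match(spec: List[str], intf: str) -> bool:
    return "any" in spec or intf in spec


def _addr_match(spec: List[str], addr: str) -> bool:
    ip = ip_address(addr)
    return any(s == "all" or ip in ip_network(s, strict=False) for s in spec)


def _service_match(spec: List[str], proto: str, dport: int) -> bool:
    for s in spec:
        if s == "ALL":
            return True
        proto_part, _, port_part = s.partition("/")
        if proto_part == proto and (not port_part or int(port_part) == dport):
            return True
    return False


def _schedule_match(schedule: Optional[Tuple[time, time]], when: datetime) -> bool:
    if schedule is None:
        return True
    start, end = schedule
    return start <= when.time() < end


def match_policy(policies: List[Policy], pkt: Packet) -> Policy:
    """Walk the table top-down; the first policy matching every criterion wins."""
    for p in policies:
        if (_intf_match(p.srcintf, pkt.srcintf) and _intf_match(p.dstintf, pkt.dstintf)
                and _addr_match(p.srcaddr, pkt.src) and _addr_match(p.dstaddr, pkt.dst)
                and _service_match(p.service, pkt.proto, pkt.dport)
                and _schedule_match(p.schedule, pkt.when)):
            return p
    return IMPLICIT_DENY


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, int]:
    """Return (action, policy id); id 0 is the implicit deny."""
    p = match_policy(policies, pkt)
    return p.action, p.policy_id


def sample_policies() -> List[Policy]:
    """Constructed table, most specific rule first."""
    return [
        Policy(1, "guest-block-admin", ["lan"], ["wan1"], ["192.168.50.0/24"], ["all"],
               ["tcp/22", "tcp/3389"], action="deny"),
        Policy(2, "lan-internet-out", ["lan"], ["wan1"], ["192.168.0.0/16"], ["all"],
               ["ALL"], nat=True),
        Policy(3, "contractor-rdp", ["lan"], ["dmz"], ["192.168.70.0/24"], ["10.1.1.0/24"],
               ["tcp/3389"], schedule=(time(8, 0), time(18, 0))),
    ]


if __name__ == "__main__":
    table = sample_policies()
    guest_ssh = Packet("lan", "wan1", "192.168.50.10", "203.0.113.8", "tcp", 22, at(10))
    print("ordered table :", evaluate(table, guest_ssh))              # deny by policy 1
    shadowed = [table[1], table[0], table[2]]                          # broad accept moved above the deny
    print("reordered     :", evaluate(shadowed, guest_ssh))           # accepted: policy 1 is shadowed
```

The reordered table at the end is the point of the "most specific at the top" note: once the broad `lan-internet-out` accept sits above the guest deny, the deny never matches anything, and the guest SSH session is accepted and NATed.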
  • Authenticating Network Users
    • Require users to authenticate to access network resources
  • Add source user or user group to policy
  • Methods:
    • Local password (individuals and groups)
      • Guest groups expire after time including auto generated accounts
    • Remote password authentication
    • Local Authentication Steps:
      • Create user account
      • Create user group
      • Add user group as source to policy
      • Verify and monitor
  • Remote Authentication Steps:
    • Connect FortiGate to remote server
    • Create user group and map remote auth users to group
    • Add group as source to policy
    • Verify and monitor
  • Inspect SSL Traffic
    • Certification Inspection:
      • Inspects the SSL/TLS Handshake
      • Verifies identity of web server
      • Used only with web filtering
      • Only used security feature is web filtering
      • Causes a certificate warning only when the FortiGate displays an encrypted replacement message
  • Deep Inspection:
    • Like a man-in-the-middle; also causes certificate errors in the browser
      • Decrypts incoming traffic to inspect
      • Re-encrypts to send if safe
      • Used with all types of security scanning
      • Can be used with things such as SMTPS, POP3s, IMAPS, FTPS
  • Preloaded SSL Inspection Profiles:
    • Certificate-inspection – read only profile
    • Deep-inspection – read only profile
    • No-inspection – read only profile
    • Deep-inspection
  • Edit custom-deep-inspection or Clone or Create your own profile
  • Certificate Warnings
    • Certificate warnings occur when the FortiGate re-encrypts traffic using a self-signed certificate
  • FortiGate uses its own CA certificate to re-encrypt
  • To avoid
    • Download fortinet CA certificate and install into clients
    • Use CA certificate and install into browsers
  • Blocking Malware
    • FortiGuard Labs provides database of signatures
      • Schedules for updates
    • Antivirus Scan
      • Detects known malware – first, fastest and simplest – exact match in database
    • Grayware Scan
      • Detects unsolicited programs installed without the user’s knowledge or consent – uses FortiGuard grayware signatures
    • Machine Learning/AI Scan
      • Used to detect zero day attacks for new/unknown signatures
      • Logs by default but doesn’t block by default
  • Configure as part of Antivirus Profile
    • Block or monitor
    • Flow or proxy based
    • Configure in firewall policy after creating
  • Antivirus profile:
    • How windows exe are handled
    • Destination: fortisandbox, file quarantine, discard
    • Use FortiGuard Outbreak Prevention Database
    • Use External Malware Block List
  • Configure Antivirus Protection
    • Create Antivirus Profile (or use default)
    • Enable Antivirus profile on FW policy
    • Verify configuration
    • Monitor via logs
  • Web Filtering
    • Limit access
    • Prevent Network Congestion
    • Limit exposure to harmful website
    • Limit liability
    • No inappropriate material
    • Fortiguard Categories
      • URL Categories Database
        • Enterprises
        • Schools
        • Personal
        • General Interest Personal Category
        • Bandwidth Consuming Category
  • Can be further divided
    • i.e. General Interest Personal can be broken down into
      • Social Networking
      • News
  • Allow
  • Block
  • Monitor
    • Allows but logs data (URL,DST,IP)
  • Warning
    • Informs users it’s blocked but gives the option to continue or go back. Interval between warnings
  • Authenticate
    • Permits access if can authenticate
    • Customize interval of time to allow access (once authenticated covers entire category)
  • Configure:
    • Ensure valid FortiGuard subscription license
    • Identify how FortiGuard categorizes website
    • Configure web filter security profile
    • Apply web filter profile to security profile
    • Test
  • IPS
    • Detect and block malicious activity by analyzing and blocking potential threats
  • IPS Engine and Sensor
    • Sensor
      • Signature and Filters
      • Block malicious URLS
  • Engine
    • Protocol Decoders
      • Identify traffic that does not conform to protocol standards
    • Signatures
      • Entries in database that contains info about known threats
  • Daily updates
  • (Signatures) log or block
  • Configuring:
    • Select IPS Sensor
    • Review or Edit filters for the sensor
    • Apply Sensor to FW Policy
  • Actions:
    • Default – use as received from FortiGuard updates
    • Allow
    • Monitor – allow but log
    • Block
    • Reset – reset session when signature triggered
    • Quarantine – Block, enable logging, quarantine attacker
  • Monitoring
    • Logs and Reports > Security Events > Intrusion Prevention
  • Logs tab has full details
  • Best Practices
    • Verify IPS DB up to date
    • Consider using the provided sensors as templates for custom ones
    • Consider using IPS inbound and outbound
    • Ensure SSL inspection is in place to check all traffic
    • Evaluate whether to tune IPS sensors
  • Protocol Decoders
    • Detect malformed packets
  • Controlling Application Access
    • Improve security and meet compliance standards in traffic flow of applications
  • Identify network traffic generated by specific applications
    • Monitor
    • Block
    • Traffic Shape
  • Fortiguard labs provides database
  • IPS engine used for flow-based inspection
  • Signatures
    • Monitor
    • Allow
    • Block
    • Quarantine
  • Application and Filter Overrides
    • Override allows a child signature to override its parent setting
      • E.g. Facebook = block, facebook chat = allow
  • Configuring:
    • Create Application Control Profile
    • Modify Action or configure app override
    • Add app control profile to FW policy
    • Verify
    • Monitor via logs
  • IPSEC VPN
    • Remote offices and Mobile workers
  • Features:
    • Data Authentication
    • Data Integrity
    • Data Confidentiality
    • Anti-Replay Protection
  • Remote Access VPN:
    • Client device to remote network – teleworkers
    • Client always initiates
    • Passwords and MFA (FortiClient and other vendors)
  • Site-to-Site VPN:
    • Branch to HQ
    • Branch to Branch
    • Either site can establish
    • Hub and spoke
    • Partial mesh
    • Full mesh
    • (Azure, AWS, etc)
  • IKE Protocol
    • Used to create dynamically
    • V1 and v2
    • V1:
      • Phase 1 and Phase 2 (still widely used)
        • Phase 1:
          • IKE Mode (main or aggressive)
          • Auth
          • Encryption Alg
          • Hash Alg
          • Diffie-Hellman Group
        • Phase 2:
          • Encryption Alg
          • Hash Alg
          • Diffie-Hellman Group (use PFS)
        • Configuring Phase 2:
          • Remote access – both subnets configured on server side
          • Site-to-site subnets on each peer must mirror
    • V2 includes improvements (Table is screenshot from Fortinet Course)
      • Recommended
      • Does not include 2 phases
      • Not compatible with v1
      • Reduced Latency
      • Better Reliability
      • Support of EAP
      • Support of PPPK
      • Support of asymmetric auth
      • Support of strong security alg
      • Better resilience against DoS
  • Best Practices:
    • Ensure up to date firewalls
    • Use encryption levels that meet reqs
    • Verify both peers support same features
    • Ensure needed ports are open
    • Select proper mode when using IKEv1
  • IKE uses UDP 500 and UDP 4500 when behind NAT
  • Main mode is default for site-to-site
  • Aggressive mode is default for remote access
  • Configuring – has wizard with templates
  • Monitoring
  • SSL VPN
    • Use of common protocol HTTP/HTTPS
    • Flexibility for client access
    • Granular access to resources
    • Integrity checks for Windows Clients
    • Cost Effective
  • Web Mode:
    • Web based access via portal
    • Reverse proxy
  • Tunnel Mode:
    • Full access
    • Requires FortiClient
  • Configuration:
    • Create Users and Groups or Remote Auth servers
    • Review Edit Create SSL VPN Portals
      • Full-access
      • Tunnel-access
      • Web-access
      • Custom
    • Configure SSL VPN Settings
    • Create FW Policy to allow VPN traffic
  • Best Practices
    • Select appropriate SSL VPN mode
    • Reduce admin effort using remote auth servers
    • Use valid SSL cert
    • Use principle of least priv
    • Use client integrity check
    • If possible, do not allow connections from all locations
  • System Maintenance and Monitoring
    • Prevent security breaches
    • Optimize performance
    • Meet compliance
    • Ensure business continuity
  • Back up
  • Firmware upgrades
  • Monitor system performance
  • Examine licenses
  • Monitor event logs
  • System > FortiGuard
  • Licenses widget
  • Configuring Security Fabric
    • Integrated
    • Automated
    • Coordinated
      • Benefits:
        • Unified view of network
        • Object sync across devices
        • Security rating
        • Integration
        • Automatic detection of end devices
        • Centralized management
        • Automation
  • Implement
    • Requires 2 FortiGate min in NAT mode
    • One FortiAnalyzer or a cloud logging solution
  • Configuring:
    • Configure FortiAnalyzer or supported cloud logging
    • Configure FortiGate device acting as root
    • Configure downstream devices
    • Authorize downstream devices

Permanent link to this article: https://www.packetpilot.com/fca-fortigate-7-4-operator-self-paced-notes/

Fortinet Certified Associate in Cybersecurity Review

Reading Time: 2 minutes

Well, at the end of 2024 I was on a contract job that didn’t get renewed in 2025, so since the New Year rolled over I’ve had time on my hands during the day. I figured I should do something productive. Aside from the staples of cleaning up around the house, I thought I’d start heading down paths to help my career. So I did a little digging and came across this certification.

While looking into it I found out it was a free self-paced training course with a free exam. Considering I have no income at the moment and need to keep my savings for key things like mortgage, bills, loan payments, groceries, etc., this was a great find.

To add to the benefits of this, I’m admittedly not a firewall guy. When I was working at the healthcare system we had our “Network Engineer 1-3” team, and then we had a “Security team”. The security team handled all the web filtering and most of the firewall maintenance, with us Network Engineers doing minimal configuration changes as needed.

When working at the various VARs (Value Added Resellers) I’ve worked with, it was a similar situation. We had our network infrastructure engineers that handled the route/switch and data center networking projects and consulting. Then we had the security engineers that handled all the various firewall vendor consulting, and dedicated wireless engineers.

The Fortinet Certified Associate in Cybersecurity certification runs off of a self-paced course, as I mentioned above. This course was perfect for me. It focuses on basic configurations and information around the FortiGate firewall. It was a great intro to understanding the fundamentals of the FortiGate firewall, to better understand at a high level what others are talking about. The course is: FCA – FortiGate 7.4 Operator Self-Paced

As quoted from Fortinet themselves the description of the course is:
“In this course, you will learn how to harden the security of your network by using the most common FortiGate features. Through demos and interactive simulations, you will learn how to perform basic operation tasks on FortiGate. You can then build on this knowledge by exploring more advanced topics related to these features.”

It goes over topics at a high level such as Interfaces and Routing, Firewall Policies, Authentication, SSL Inspection, Web Filtering, and more. It takes about a day to get through all the videos and take the exam.

I found it a good starting point for someone that hasn’t really had much experience with firewalls, and a great way to start 2025 off with a pick-me-up motivator. It’s kicked me in the pants to start looking back at everything else I started in the last half of 2024 to get going again. I highly recommend it for anyone wanting to get their hands wet with Fortinet/FortiGate and have an achievable win to start out 2025 on a positive note. Here is to the new year, and let’s all make it a good one!


Permanent link to this article: https://www.packetpilot.com/fortinet-certified-associate-in-cybersecurity-review/