FCA – FortiGate 7.4 Operator Self-Paced: Notes

I didn’t take the greatest of notes for this free self-paced course (FCA – FortiGate 7.4 Operator Self-Paced) and free exam but I’ll share the shorthand notes that I did take down below:

  • Overview
    • NGFW
  • Antivirus
  • Web Filter
  • IPS
  • FortiOS
  • Security Processing Units (SPUs)
  • Models:
    • FortiGate VM
    • Entry Level – FG-80F, FWF-80F
    • Mid-range – FG-100F, FG-1000F, FG-4200F
    • High-end – FG-4800F, FG-7081F, FG-7121F, FG-5114C
  • Features:
    • Firewall Auth, local and remote
    • VPN
    • Security Scanning: antivirus, web filtering, app control
    • Monitoring and logging
    • Fortinet Security Fabric
    • FortiGuard Labs – threat intelligence and security research
    • Trusted machine learning and AI
    • Real-time threat intelligence
    • Threat hunting and outbreak alerts
  • Configuring Interfaces and Routing
    • Alias – name for ref
    • IP Address
    • Administrative Access (HTTPS, PING, SSH, ETC)
    • DHCP Servers
  • DHCP Server
    • Address Range
    • Mask
    • Default Gateway
    • DNS Server (by default the same as used by the FortiGate)
  • Static Routing:
    • Default route to gateway for internet
    • Destination – Used to match incoming traffic to the correct route
    • Gateway – IP address Fortigate forwards traffic to
    • Interfaces – Interface FortiGate uses to forward traffic towards destination
    • Distance, Priority
    • Default Route – when no exact destination
  • Monitoring Static Routes:
    • Network > Static Route
  • Reasons a route may not be added to the routing table:
    • Misconfigured route
    • Port associated with the route is down or disabled
    • A better route exists for the destination
  • To check the routing table:
    • Dashboard > Network > Static and dynamic routing
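The static-route settings listed above (destination, gateway, interface, distance, priority) in CLI form, as an added example that is not from the course; interface names, subnets and gateway addresses are assumed lab values:

```fortios
# Default route: matches any destination when nothing more specific does.
# Lower administrative distance wins between route sources; priority breaks
# ties among equal-distance routes (lower wins).
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port1"
        set distance 10
        set priority 0
        set comment "Default route to ISP"
    next
end

# More specific route: a branch network reachable through an internal router.
# Longest prefix match means this wins over the default route for 10.20.0.0/16.
config router static
    edit 2
        set dst 10.20.0.0 255.255.0.0
        set gateway 10.10.0.254
        set device "port2"
        set distance 10
        set comment "Branch network via internal router"
    next
end

# Verify. Only routes that made it into the table are listed; a missing route
# usually means the interface is down, the gateway is not on that interface's
# subnet, or a better (lower distance) route to the same destination won.
get router info routing-table all
get router info routing-table static
diagnose ip route list
```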
  • Firewall Policies
    • Sets of rules to control whether traffic is accepted by FortiGate and how it processes it
  • Match based on:
    • Incoming and outgoing interfaces
    • Source: IP or User
    • Destination: IP or Internet Service
    • Service: Destination port
    • Schedule
  • Action:
    • Accept
    • Deny
  • IP Subnet:
    • Create a firewall address that corresponds to the IP subnet address
    • Can also create firewall address for a specific device
  • Source/Destination:
    • Default “ALL” option available for both source/dest to match all possible IP addresses
  • Internet Service:
    • Select from ISDB (Internet service database)
  • Policy Table:
    • Contains all rules. Top down
    • If no match default deny
    • Place most specific policy rules at top as it’s first match
  • Accepted Traffic:
    • Next is other features such as antivirus, web filtering
    • Applies NAT and logs based on policy settings
  • Inspection modes:
    • Flow based – examines the file as it passes through, without buffering
    • Proxy based – buffers and examines as a whole – more thorough but slower due to buffering
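The address objects and top-down policy matching described above as an added CLI example (not from the course): a specific deny sits above a general accept because the first matching policy wins and unmatched traffic hits the implicit deny at the bottom. Interface names and addresses are assumed lab values.

```fortios
# Address objects: one for the LAN subnet, one for a specific device (/32).
config firewall address
    edit "LAN-subnet"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "Host-Printer"
        set subnet 10.10.0.50 255.255.255.255
    next
end

# Most specific rule first: the printer must never reach the Internet.
config firewall policy
    edit 1
        set name "Deny-Printer-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "Host-Printer"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# General rule below it: the rest of the LAN may browse, with NAT and flow inspection.
config firewall policy
    edit 2
        set name "LAN-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN-subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set inspection-mode flow
        set nat enable
        set logtraffic all
    next
end

# If the deny policy was created after the accept policy, move it above it;
# position in the table, not the policy ID, decides the match order.
config firewall policy
    move 1 before 2
end
```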
  • Authenticating Network Users
    • Require users to authenticate to access network resources
  • Add source user or user group to policy
  • Methods:
    • Local password (individuals and groups)
      • Guest group accounts expire after a set time, including auto-generated accounts
    • Remote password authentication
  • Local Authentication Steps:
      • Create user account
      • Create user group
      • Add user group as source to policy
      • Verify and monitor
  • Remote Authentication Steps:
    • Connect FortiGate to remote server
    • Create user group and map remote auth users to group
    • Add group as source to policy
    • Verify and monitor
  • Inspect SSL Traffic
    • Certificate Inspection:
      • Inspects the SSL/TLS handshake
      • Verifies the identity of the web server
      • Web filtering is the only security feature it can be used with
      • Causes a certificate warning only when the FortiGate displays an encrypted replacement message
  • Deep Inspection:
    • Acts like a man-in-the-middle, so it also causes certificate errors in the browser
    • Decrypts incoming traffic to inspect it
    • Re-encrypts and forwards it if safe
    • Used with all types of security scanning
    • Can be used with protocols such as SMTPS, POP3S, IMAPS, FTPS
  • Preloaded SSL Inspection Profiles:
    • Certificate-inspection – read only profile
    • Deep-inspection – read only profile
    • No-inspection – read only profile
    • Custom-deep-inspection – editable profile
  • Edit custom-deep-inspection or Clone or Create your own profile
  • Certificate Warnings
    • Certificate warnings occur because the FortiGate re-encrypts traffic using a self-signed certificate
  • FortiGate uses its own CA certificate to re-encrypt
  • To avoid warnings:
    • Download the Fortinet CA certificate and install it on clients
    • Install the CA certificate into browsers
  • Blocking Malware
    • FortiGuard Labs provides database of signatures
      • Schedules for updates
    • Antivirus Scan
      • Detects known malware – first, fastest and simplest check – exact match in the database
    • Grayware Scan
      • Detects unsolicited programs installed without the user's knowledge or consent – uses the FortiGuard grayware signatures
    • Machine Learning/AI Scan
      • Used to detect zero day attacks for new/unknown signatures
      • Logs by default but doesn’t block by default
  • Configure as part of Antivirus Profile
    • Block or monitor
    • Flow or proxy based
    • Configure in firewall policy after creating
  • Antivirus profile:
    • How Windows executables are handled
    • Destination: FortiSandbox, file quarantine, discard
    • Use FortiGuard Outbreak Prevention Database
    • Use External Malware Block List
  • Configure Antivirus Protection
    • Create Antivirus Profile (or use default)
    • Enable Antivirus profile on FW policy
    • Verify configuration
    • Monitor via logs
  • Web Filtering
    • Limit access
    • Prevent Network Congestion
    • Limit exposure to harmful websites
    • Limit liability
    • No inappropriate material
    • Fortiguard Categories
      • URL Categories Database
        • Enterprises
        • Schools
        • Personal
        • General Interest Personal Category
        • Bandwidth Consuming Category
  • Can be further divided
    • e.g. General Interest Personal can be broken down into
      • Social Networking
      • News
  • Actions per category:
    • Allow
    • Block
    • Monitor
      • Allows but logs data (URL, destination, IP)
    • Warning
      • Informs users the site is blocked but gives the option to continue or go back; interval between warnings
    • Authenticate
      • Permits access if the user can authenticate
      • Customize the interval of time to allow access (once authenticated, covers the entire category)
  • Configure:
    • Ensure a valid FortiGuard subscription license
    • Identify how FortiGuard categorizes the website
    • Configure the web filter security profile
    • Apply the web filter profile to the firewall policy
    • Test
  • IPS
    • Detects malicious activity by analyzing traffic and blocking potential threats
  • IPS Engine and Sensor
    • Sensor
      • Signature and Filters
      • Block malicious URLS
  • Engine
    • Protocol Decoders
      • Identify traffic that does not conform to protocol standards
    • Signatures
      • Entries in database that contains info about known threats
  • Daily updates
  • Signatures can log or block
  • Configuring:
    • Select IPS Sensor
    • Review or Edit filters for the sensor
    • Apply Sensor to FW Policy
  • Actions:
    • Default – use as received from FortiGuard updates
    • Allow
    • Monitor – allow but log
    • Block
    • Reset – reset session when signature triggered
    • Quarantine – Block, enable logging, quarantine attacker
  • Monitoring
    • Logs and Reports > Security Events > Intrusion Prevention
  • Logs tab has full details
  • Best Practices
    • Verify IPS DB up to date
    • Consider using the provided sensors as templates for custom ones
    • Consider using IPS inbound and outbound
    • Ensure SSL inspection is in place to check all traffic
    • Evaluate whether to tune IPS sensors
  • Protocol Decoders
    • Detect malformed packets
  • Controlling Application Access
    • Improve security and meet compliance standards by controlling application traffic flows
  • Identify network traffic generated by specific applications
    • Monitor
    • Block
    • Traffic Shape
  • Fortiguard labs provides database
  • IPS engine used for flow-based inspection
  • Signatures
    • Monitor
    • Allow
    • Block
    • Quarantine
  • Application and Filter Overrides
    • An override allows a child signature to override its parent's setting
      • E.g. Facebook = block, Facebook Chat = allow
  • Configuring:
    • Create Application Control Profile
    • Modify Action or configure app override
    • Add app control profile to FW policy
    • Verify
    • Monitor via logs
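The shared final step of the antivirus, web filter, IPS and application control procedures above (attach the profile to a firewall policy) as one added CLI example, not from the course. It assumes the LAN-to-Internet policy is ID 2 on interfaces port2/port1, uses the preloaded `default` profiles and the editable `custom-deep-inspection` SSL profile, and the antivirus profile keys shown are as I understand the 7.x CLI.

```fortios
# Antivirus profile set to block (rather than monitor) on HTTP, using the
# FortiGuard outbreak prevention database and an external malware block list.
config antivirus profile
    edit "av-block"
        set comment "Block known malware on web traffic"
        set feature-set flow
        config http
            set av-scan block
            set outbreak-prevention block
            set external-blocklist block
        end
    next
end

# Enable security profiles on the existing accept policy. Deep inspection is
# required for antivirus/IPS/app control to see inside TLS; certificate-inspection
# alone would only serve web filtering.
config firewall policy
    edit 2
        set utm-status enable
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "av-block"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
    next
end

# Verify what is attached, then watch the security event logs for hits.
show firewall policy 2
```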
  • IPSEC VPN
    • Remote offices and Mobile workers
  • Features:
    • Data Authentication
    • Data Integrity
    • Data Confidentiality
    • Anti-Replay Protection
  • Remote Access VPN:
    • Client device to remote network – teleworkers
    • Client always initiates
    • Passwords and MFA (FortiClient and other vendors)
  • Site-to-Site VPN:
    • Branch to HQ
    • Branch to Branch
    • Either site can establish
    • Hub and spoke
    • Partial mesh
    • Full mesh
    • (Azure, AWS, etc)
  • IKE Protocol
    • Used to create VPN tunnels dynamically
    • V1 and v2
    • V1:
      • Phase 1 and Phase 2 (still widely used)
        • Phase 1:
          • IKE Mode (main or aggressive)
          • Auth
          • Encryption Alg
          • Hash Alg
          • Diffie-Hellman Group
        • Phase 2:
          • Encryption Alg
          • Hash Alg
          • Diffie-Hellman Group (use PFS)
        • Configuring Phase 2:
          • Remote access – both subnets configured on server side
          • Site-to-site subnets on each peer must mirror
    • V2 includes improvements (the table in the Fortinet course is a screenshot; summarized below)
      • Recommended
      • Does not include 2 phases
      • Not compatible with v1
      • Reduced Latency
      • Better Reliability
      • Support of EAP
      • Support of PPK
      • Support of asymmetric auth
      • Support of strong security alg
      • Better resilience against DoS
  • Best Practices:
    • Ensure firewalls are up to date
    • Use encryption levels that meet reqs
    • Verify both peers support same features
    • Ensure needed ports are open
    • Select proper mode when using IKEv1
  • IKE uses UDP 500 and UDP 4500 when behind NAT
  • Main mode is default for site-to-site
  • Aggressive mode is default for remote access
  • Configuring – has wizard with templates
  • Monitoring
  • SSL VPN
    • Use of common protocol HTTP/HTTPS
    • Flexibility for client access
    • Granular access to resources
    • Integrity checks for Windows Clients
    • Cost Effective
  • Web Mode:
    • Web based access via portal
    • Reverse proxy
  • Tunnel Mode:
    • Full access
    • Requires FortiClient
  • Configuration:
    • Create users and groups or remote auth servers
    • Review, edit or create SSL VPN portals
      • Full-access
      • Tunnel-access
      • Web-access
      • Custom
    • Configure SSL VPN Settings
    • Create FW Policy to allow VPN traffic
  • Best Practices
    • Select appropriate SSL VPN mode
    • Reduce admin effort using remote auth servers
    • Use valid SSL cert
    • Use principle of least priv
    • Use client integrity check
    • If possible, do not allow connections from all locations
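The SSL VPN configuration steps, with the best practices above applied (restricted source locations, client integrity check, least-privilege policy), as an added CLI example not from the course. It assumes a local group `sslvpn-users`, a LAN address object `LAN-subnet`, a certificate placeholder, and the built-in `ssl.root` interface and `SSLVPN_TUNNEL_ADDR1` pool.

```fortios
# Geography address used to limit where connections may come from
# (instead of allowing "all" locations).
config firewall address
    edit "Allowed-Countries"
        set type geography
        set country "US"
    next
end

# Tunnel-mode portal with Windows client integrity check (AV and firewall).
config vpn ssl web portal
    edit "tunnel-only"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set host-check av-fw
    next
end

# SSL VPN settings: valid certificate, listening interface, restricted sources,
# and a rule mapping the user group to the portal.
config vpn ssl settings
    set servercert "REPLACE-WITH-VALID-CERT-NAME"
    set source-interface "port1"
    set source-address "Allowed-Countries"
    set port 10443
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set default-portal "tunnel-only"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "tunnel-only"
        next
    end
end

# Least privilege: VPN users reach only the LAN subnet, and only the needed services.
config firewall policy
    edit 10
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN-subnet"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "HTTPS" "RDP"
        set logtraffic all
    next
end
```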
  • System Maintenance and Monitoring
    • Prevent security breaches
    • Optimize performance
    • Meet compliance
    • Ensure business continuity
  • Back up
  • Firmware upgrades
  • Monitor system performance
  • Examine licenses
  • Monitor event logs
  • System > FortiGuard
  • Licenses widget
  • Configuring Security Fabric
    • Integrated
    • Automated
    • Coordinated
      • Benefits:
        • Unified view of network
        • Object sync across devices
        • Security rating
        • Integration
        • Automatic detection of end devices
        • Centralized management
        • Automation
  • Implementation requirements
    • Requires a minimum of 2 FortiGates in NAT mode
    • One FortiAnalyzer or a cloud logging solution
  • Configuring:
    • Configure FortiAnalyzer or supported cloud logging
    • Configure FortiGate device acting as root
    • Configure downstream devices
    • Authorize downstream devices
Permanent link to this article: https://www.packetpilot.com/fca-fortigate-7-4-operator-self-paced-notes/
