I didn’t take the greatest of notes for this free self-paced course (FCA – FortiGate 7.4 Operator Self-Paced) and free exam, but I’ll share the shorthand notes that I did take down below:
- Overview
- NGFW
- Antivirus
- Web Filter
- IPS
- FortiOS
- Security Processing Units (SPUs)
- Models:
- FortiGate VM
- Entry level – FG-80F, FWF-80F
- Mid-range – FG-100F, FG-1000F, FG-4200F
- High-end – FG-4800F, FG-7081F, FG-7121F, FG-5114C
- Features:
- Firewall authentication, local and remote
- VPN
- Security scanning: antivirus, web filtering, application control
- Monitoring and logging
- Fortinet Security Fabric
- FortiGuard Labs – threat intelligence and security research
- Trusted machine learning and AI
- Real-time threat intelligence
- Threat hunting and outbreak alerts
- Configuring Interfaces and Routing
- Alias – friendly name used to refer to the interface
- IP Address
- Administrative Access (HTTPS, PING, SSH, ETC)
- DHCP Servers
- DHCP server (enabled per interface)
- Address range
- Netmask
- Default gateway
- DNS server (by default the same DNS servers the FortiGate itself uses)
- Static Routing:
- Default route to gateway for internet
- Destination – used to match traffic to the correct route
- Gateway – next-hop IP address FortiGate forwards the traffic to
- Interface – interface FortiGate uses to forward traffic towards the destination
- Distance and priority – used to choose between routes to the same destination (lower distance wins; priority breaks ties between routes with equal distance, lower value preferred)
- Default route (0.0.0.0/0) – used when no more specific route matches the destination
- Monitoring Static Routes:
- Network > Static Route
- Reasons a static route may not be added to the routing table:
- Misconfigured route
- Port associated with the route is down or disabled
- A better route (lower distance or more specific) exists for the destination
- To check the routing table:
- Dashboard > Network > Static & Dynamic Routing
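As an added worked example (this is not part of the course notes), here is the FortiOS CLI equivalent of the interface, DHCP server and default-route settings above, followed by the commands used to check the result. The interface layout (port1 = WAN, port2 = LAN), the addresses and the ISP gateway 203.0.113.1 are assumptions for illustration; lines beginning with `#` are annotations, not CLI.

```fortios
# Added example, not from the course. Assumed layout: port1 = WAN, port2 = LAN.

# LAN interface: alias, IP address, administrative access limited to what admins need
config system interface
    edit "port2"
        set vdom "root"
        set alias "LAN"
        set ip 10.0.1.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end

# DHCP server on the LAN interface. "dns-service default" hands out the same
# DNS servers the FortiGate itself uses (the default behaviour described above).
config system dhcp server
    edit 1
        set interface "port2"
        set default-gateway 10.0.1.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.0.1.100
                set end-ip 10.0.1.199
            next
        end
    next
end

# Default route (0.0.0.0/0): destination, gateway, outgoing interface, distance, priority
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port1"
        set distance 10
        set priority 0
        set comment "default route to ISP (assumed gateway address)"
    next
end
```

To verify from the CLI, `get router info routing-table all` lists only the active routes, while `get router info routing-table database` lists every candidate route, including those not installed because the interface is down or a better route exists, which is where the failure reasons listed above show up.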
- Firewall Policies
- Sets of rules to control whether traffic is accepted by FortiGate and how it processes it
- Match based on:
- Incoming and outgoing interfaces
- Source: IP or User
- Destination: IP or Internet Service
- Service: Destination port
- Schedule
- Action:
- Accept
- Deny
- IP Subnet:
- Create a firewall address that corresponds to the IP subnet address
- Can also create firewall address for a specific device
- Source/Destination:
- Default “ALL” option available for both source/dest to match all possible IP addresses
- Internet Service:
- Select from ISDB (Internet service database)
- Policy Table:
- Contains all rules, evaluated top down
- If nothing matches, the implicit deny policy at the bottom drops the traffic
- Place the most specific policies at the top, since the first match wins
- Accepted Traffic:
- Next, security features such as antivirus and web filtering are applied
- NAT and logging are applied according to the policy settings
- Inspection modes:
- Flow based – examines the file as it passes through, without buffering
- Proxy based – buffers the whole file and examines it as a whole; more thorough but slower because of the buffering
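As an added example (not from the course), the following CLI builds the pieces described above: two firewall addresses (a subnet and a single device), a policy table ordered most-specific-first, the inspection mode chosen per policy, and an explicit logged deny ahead of the implicit deny. Interface names and the 10.0.1.0/24 subnet are assumptions.

```fortios
# Added example, not from the course. Assumed: port1 = WAN, port2 = LAN, 10.0.1.0/24 LAN.

# Firewall addresses: one for the LAN subnet, one for a single host
config firewall address
    edit "LAN_SUBNET"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "FILESERVER"
        set subnet 10.0.1.50 255.255.255.255
    next
end

config firewall policy
    # Most specific first: the file server only gets DNS/NTP out, proxy-based inspection
    edit 1
        set name "FILESERVER-to-WAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "FILESERVER"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "NTP"
        set inspection-mode proxy
        set nat enable
        set logtraffic all
    next
    # General LAN egress: web and DNS only, flow-based inspection, source NAT
    edit 2
        set name "LAN-to-WAN-web"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set inspection-mode flow
        set nat enable
        set logtraffic all
    next
    # Explicit, logged deny for anything else from the LAN. The implicit deny at
    # the bottom of the table would also drop it, but it does not log by default.
    edit 3
        set name "LAN-deny-rest"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Policies are matched in table order, not by ID; if the file-server policy had been created after the general one, `move 1 before 2` inside `config firewall policy` fixes the order. For an Internet Service (ISDB) destination, replace `set dstaddr` and `set service` with `set internet-service enable` and `set internet-service-name` followed by the ISDB entry name.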
- Authenticating Network Users
- Require users to authenticate to access network resources
- Add source user or user group to policy
- Methods:
- Local password (individuals and groups)
- Guest user groups: accounts expire after a set time and can be auto-generated
- Remote password authentication (LDAP, RADIUS, TACACS+)
- Local Authentication Steps:
- Create user account
- Create user group
- Add user group as source to policy
- Verify and monitor
- Remote Authentication Steps:
- Connect FortiGate to remote server
- Create user group and map remote auth users to group
- Add group as source to policy
- Verify and monitor
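As an added example (not from the course), the CLI below walks through both procedures: a local user and group, an LDAPS server with a user group mapped to one directory group, and a policy that uses those groups as its source so only authenticated members match. The directory address, bind account, group DN, user and interface names are assumptions for illustration.

```fortios
# Added example, not from the course. Server address, bind DN, group DN and
# user details are assumptions for illustration.

# Local user (with e-mail based two-factor) and a local group
config user local
    edit "alice"
        set type password
        set passwd "ExampleOnly-ChangeMe"
        set two-factor email
        set email-to "alice@corp.example.com"
    next
end
config user group
    edit "Local-Staff"
        set member "alice"
    next
end

# Remote authentication: LDAPS to the directory, bound with a low-privilege
# service account; the FortiGate group maps to one directory group only
config user ldap
    edit "corp-ldap"
        set server "10.0.0.10"
        set secure ldaps
        set port 636
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example,dc=com"
        set type regular
        set username "cn=fortigate-bind,ou=service,dc=corp,dc=example,dc=com"
        set password "ExampleOnly-BindSecret"
    next
end
config user group
    edit "LDAP-Staff"
        set member "corp-ldap"
        config match
            edit 1
                set server-name "corp-ldap"
                set group-name "CN=Internet-Users,OU=Groups,DC=corp,DC=example,DC=com"
            next
        end
    next
end

# Policy requiring authentication: adding groups as a source means only users
# who have authenticated and belong to one of the groups match this policy
config firewall address
    edit "LAN_SUBNET"
        set subnet 10.0.1.0 255.255.255.0
    next
end
config firewall policy
    edit 5
        set name "LAN-to-WAN-authenticated"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set groups "Local-Staff" "LDAP-Staff"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

To verify the remote server binding and a user's credentials, run `diagnose test authserver ldap corp-ldap <user> <password>`; currently authenticated firewall users are listed with `diagnose firewall auth list` (the GUI equivalent is the Firewall Users monitor).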
- Inspect SSL Traffic
- Certificate Inspection:
- Inspects only the SSL/TLS handshake (server name and certificate); does not decrypt
- Verifies the identity of the web server
- Web filtering is the only security feature it supports
- Causes a certificate warning only when FortiGate has to display a replacement (block) message inside the encrypted session
- Deep Inspection:
- Works like a man-in-the-middle, so it also causes certificate errors in the browser unless the FortiGate CA is trusted
- Decrypts the traffic to inspect it
- Re-encrypts and forwards it if it is clean
- Used with all types of security scanning
- Can be applied to other TLS-wrapped protocols such as SMTPS, POP3S, IMAPS and FTPS
- Preloaded SSL inspection profiles (all read-only):
- certificate-inspection
- deep-inspection
- no-inspection
- To customise deep inspection, edit custom-deep-inspection, or clone a profile or create your own
- Certificate Warnings
- Certificate warnings occur because FortiGate re-signs the server certificate with its own CA certificate (self-signed by default), which clients do not trust
- FortiGate uses that CA certificate (Fortinet_CA_SSL by default) to re-encrypt the traffic
- To avoid the warnings:
- Download the Fortinet CA certificate and install it into the clients' trust stores
- Also install it into browsers that keep their own certificate store (or use a CA certificate the clients already trust)
- Blocking Malware
- FortiGuard Labs provides the signature database
- Updates run on a schedule
- Antivirus Scan
- Detects known malware – the first, fastest and simplest check – an exact signature match in the database
- Grayware Scan
- Detects unsolicited programs installed without the user's knowledge or consent – uses the FortiGuard grayware signatures
- Machine Learning/AI Scan
- Used to detect zero-day attacks: new or unknown malware for which no signature exists yet
- Logs detections by default but does not block by default
- Antivirus scan configuration
- Configured as part of an antivirus profile
- Action per protocol: block or monitor
- Feature set: flow-based or proxy-based
- After creating the profile, apply it in a firewall policy
- Antivirus profile options:
- How Windows executables in e-mail attachments are handled (treat as viruses)
- Where detected files go: FortiSandbox, file quarantine, or discard
- Use the FortiGuard Outbreak Prevention database
- Use an external malware block list
- Configure Antivirus Protection
- Create Antivirus Profile (or use default)
- Enable Antivirus profile on FW policy
- Verify configuration
- Monitor via logs
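As an added example (not from the course), the CLI below covers the whole antivirus procedure: global settings for grayware and machine-learning detection (left in monitor mode, the log-only default), an external malware block list, an antivirus profile with block actions and outbreak prevention per protocol, and the policy that applies it. The syntax follows FortiOS 7.x; the feed URL, profile name and interface names are assumptions, and option names should be confirmed with `?` on the unit.

```fortios
# Added example, not from the course. FortiOS 7.x syntax; the blocklist URL,
# profile name and interfaces are assumptions. Confirm option names with "?".

# Global antivirus settings: grayware scanning on, ML/AI detection in monitor
# mode (log only, the default); change to "enable" to block ML detections
config antivirus settings
    set grayware enable
    set machine-learning-detection monitor
end

# External malware block list: a hash list fetched from an internal feed
config system external-resource
    edit "malware-hashes"
        set type malware
        set resource "https://intel.example.com/malware-hashes.txt"
        set refresh-rate 60
    next
end

config antivirus profile
    edit "corp-av"
        set comment "block known malware, outbreak-prevention and blocklist hits"
        set feature-set flow
        set external-blocklist "malware-hashes"
        config http
            set av-scan block
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
        end
        config smtp
            set av-scan block
            set outbreak-prevention block
            set external-blocklist block
            # Windows executables in mail attachments are treated as viruses
            set executables virus
            set quarantine enable
        end
        config ftp
            set av-scan block
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
        end
    next
end

# Apply the profile on a policy; deep inspection is needed so that HTTPS and
# SMTPS payloads can actually be scanned
config firewall address
    edit "LAN_SUBNET"
        set subnet 10.0.1.0 255.255.255.0
    next
end
config firewall policy
    edit 7
        set name "LAN-to-WAN-av"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "SMTP" "SMTPS" "FTP"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "corp-av"
        set nat enable
        set logtraffic all
    next
end
```

File quarantine needs somewhere to store the files (a local disk or a FortiAnalyzer); on a model without a disk, leave `quarantine` disabled. Detections appear under Log & Report > Security Events > AntiVirus.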
- Web Filtering
- Limit access
- Prevent network congestion
- Limit exposure to harmful websites
- Limit liability
- Block inappropriate material
- FortiGuard categories
- URL categories database
- Enterprises
- Schools
- Personal
- General Interest – Personal category
- Bandwidth Consuming category
- Categories can be further subdivided
- e.g. General Interest – Personal breaks down into
- Social Networking
- News
- Allow
- Block
- Monitor
- Allows the request but logs it (URL, destination IP, etc.)
- Warning
- Informs the user that the site is blocked but gives the option to continue or go back; the interval between repeated warnings is configurable
- Authenticate
- Permits access if the user can authenticate
- The time the access stays valid is customisable (once authenticated, it covers the entire category)
- Configure:
- Ensure a valid FortiGuard subscription license
- Identify how FortiGuard categorizes the website
- Configure a web filter security profile
- Apply the web filter profile to a firewall policy
- Test
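As an added example (not from the course), this web filter profile uses the block, warning and monitor actions from the list above on four FortiGuard categories and is then applied to a policy with certificate inspection, which is all category filtering needs. The category IDs used here (26 Malicious Websites, 61 Phishing, 37 Social Networking, 31 Finance and Banking) are the commonly documented ones but are assumptions to confirm on your unit with `set category ?` inside a filter entry; a site's category can be looked up at https://www.fortiguard.com/webfilter. Interface names are assumptions.

```fortios
# Added example, not from the course. Category IDs are assumptions: confirm them
# with "set category ?" inside a filter entry before relying on them.
config webfilter profile
    edit "corp-webfilter"
        set comment "FortiGuard category filtering"
        set log-all-url enable
        config ftgd-wf
            config filters
                # Malicious Websites: block
                edit 1
                    set category 26
                    set action block
                next
                # Phishing: block
                edit 2
                    set category 61
                    set action block
                next
                # Social Networking: warn, user may continue; warning repeats every 5 minutes
                edit 3
                    set category 37
                    set action warning
                    set warn-duration 5m
                next
                # Finance and Banking: allowed but logged
                edit 4
                    set category 31
                    set action monitor
                next
            end
        end
    next
end

# Apply on a policy. Certificate inspection is enough here: the category is
# decided from the server name/certificate without decrypting the session.
config firewall address
    edit "LAN_SUBNET"
        set subnet 10.0.1.0 255.255.255.0
    next
end
config firewall policy
    edit 8
        set name "LAN-to-WAN-webfilter"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "corp-webfilter"
        set nat enable
        set logtraffic all
    next
end
```

Categories with no filter entry are allowed. To test, browse to a site in a blocked category from the LAN and check Log & Report > Security Events > Web Filter for the block entry.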
- IPS
- Detects and blocks malicious activity by analysing traffic and stopping potential threats
- IPS engine and sensor
- Sensor
- A set of signatures and filters applied to a policy
- Can also block malicious URLs
- Engine
- Protocol decoders – identify traffic that does not conform to protocol standards (malformed packets)
- Signatures – entries in a database that describe known threats
- Signature database updated daily by FortiGuard
- Each signature either logs or blocks
- Configuring:
- Select IPS Sensor
- Review or Edit filters for the sensor
- Apply Sensor to FW Policy
- Actions:
- Default – use the action as received from FortiGuard updates
- Allow
- Monitor – allow but log
- Block
- Reset – reset session when signature triggered
- Quarantine – Block, enable logging, quarantine attacker
- Monitoring
- Log & Report > Security Events > Intrusion Prevention
- Logs tab has full details
- Best Practices
- Verify the IPS database is up to date
- Consider using the provided sensors as templates for custom ones
- Consider applying IPS to both inbound and outbound policies
- Ensure SSL inspection is in place so IPS can see encrypted traffic
- Evaluate whether to tune the IPS sensors (e.g. to the operating systems and applications actually present)
- Controlling Application Access
- Improve security and meet compliance requirements by controlling application traffic
- Identifies network traffic generated by specific applications
- Monitor
- Block
- Traffic shape
- FortiGuard Labs provides the application signature database
- Uses the IPS engine (flow-based inspection)
- Signatures
- Monitor
- Allow
- Block
- Quarantine
- Application and Filter Overrides
- An override lets a child signature's action differ from its parent (category) setting
- E.g. Facebook = block, Facebook Chat = allow
- Configuring:
- Create Application Control Profile
- Modify Action or configure app override
- Add app control profile to FW policy
- Verify
- Monitor via logs
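As an added example (not from the course) serving both the IPS and the application control sections, the CLI below builds a sensor whose filters use the actions listed above (block, monitor, quarantine), an application control list that blocks two categories and logs everything else, and the policy applying both behind deep inspection. Sensor and list names, interface names and the application category IDs (6 = Proxy, 2 = P2P) are assumptions; confirm the IDs with `set category ?` inside an entry.

```fortios
# Added example, not from the course. Names and the application category IDs
# (6 = Proxy, 2 = P2P) are assumptions; confirm IDs with "set category ?".

# IPS sensor: each filter selects signatures by attribute and carries an action
config ips sensor
    edit "corp-ips"
        set comment "block high/critical, monitor medium, quarantine attackers"
        set block-malicious-url enable
        config entries
            # Server-side high/critical signatures: block, log with packet capture,
            # and quarantine the attacking source address for 30 minutes
            edit 1
                set location server
                set severity high critical
                set status enable
                set action block
                set log enable
                set log-packet enable
                set quarantine attacker
                set quarantine-expiry 30m
                set quarantine-log enable
            next
            # Client-side high/critical (protects browsers and clients): block
            edit 2
                set location client
                set severity high critical
                set status enable
                set action block
                set log enable
            next
            # Medium severity: monitor (pass + log) while the sensor is being tuned
            edit 3
                set severity medium
                set status enable
                set action pass
                set log enable
            next
        end
    next
end

# Application control list. Entries are evaluated top-down, so an entry for a
# single application placed above its category entry overrides the category
# action (the child-overrides-parent case, e.g. allow one chat app in a blocked
# category); application IDs are listed with "set application ?".
config application list
    edit "corp-appctrl"
        set comment "block proxy avoidance and P2P, log the rest"
        set other-application-action pass
        set other-application-log enable
        set unknown-application-log enable
        config entries
            edit 1
                set category 6
                set action block
                set log enable
            next
            edit 2
                set category 2
                set action block
                set log enable
            next
        end
    next
end

config firewall address
    edit "LAN_SUBNET"
        set subnet 10.0.1.0 255.255.255.0
    next
end
config firewall policy
    edit 9
        set name "LAN-to-WAN-ips-appctrl"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_SUBNET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "corp-ips"
        set application-list "corp-appctrl"
        set nat enable
        set logtraffic all
    next
end
```

Hits show under Log & Report > Security Events > Intrusion Prevention and > Application Control; quarantined sources are listed in the Quarantine monitor, which is where a false positive that locked out a legitimate host gets released.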
- IPSEC VPN
- Remote offices and Mobile workers
- Features:
- Data Authentication
- Data Integrity
- Data Confidentiality
- Anti-Replay Protection
- Remote Access VPN:
- Client device to a remote network – teleworkers
- The client always initiates
- Passwords and MFA (FortiClient and other vendors' clients)
- Site-to-Site VPN:
- Branch to HQ
- Branch to Branch
- Either site can establish
- Hub and spoke
- Partial mesh
- Full mesh
- Also to cloud providers (Azure, AWS, etc.)
- IKE Protocol
- Used to negotiate the tunnel (security associations and keys) dynamically
- V1 and v2
- V1:
- Phase 1 and Phase 2 (still widely used)
- Phase 1:
- IKE mode (main or aggressive)
- Auth
- Encryption Alg
- Hash Alg
- Diffie-Hellman group
- Phase 2:
- Encryption Alg
- Hash Alg
- Diffie-Hellman group (use PFS)
- Configuring Phase 2:
- Remote access – both the local and remote subnets are configured on the server side
- Site-to-site – the phase 2 subnets (selectors) on each peer must mirror each other
- V2 includes improvements (the course shows a comparison table):
- Recommended
- Does not have two phases in the IKEv1 sense
- Not compatible with v1
- Reduced latency
- Better reliability
- Support for EAP
- Support for PPK
- Support for asymmetric authentication
- Support for stronger security algorithms
- Better resilience against DoS
- Best Practices:
- Ensure firewalls are up to date
- Use encryption levels that meet requirements
- Verify both peers support the same features
- Ensure the needed ports are open
- Select the proper mode when using IKEv1
- IKE uses UDP 500, and UDP 4500 (NAT traversal) when a NAT device sits between the peers
- Main mode is the default for site-to-site
- Aggressive mode is the default for remote access
- Configuring – the GUI has a wizard with templates
- Monitoring
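As an added example (not from the course), here is the HQ side of an IKEv2 site-to-site tunnel configured by hand rather than through the wizard: phase 1 with the peer, proposals and DH groups, phase 2 with mirrored selectors and PFS, a route into the tunnel plus a blackhole route, and policies in both directions. Addresses, interface names and the pre-shared key are assumptions for illustration.

```fortios
# Added example, not from the course: HQ side of an IKEv2 site-to-site tunnel.
# Assumed: port1 = WAN 203.0.113.10, HQ LAN 10.0.1.0/24 on port2,
# branch WAN 198.51.100.2, branch LAN 10.0.2.0/24. Use a random PSK in practice.

# Phase 1 (IKE SA): peer, IKE version, PSK authentication, proposals, DH groups
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "port1"
        set ike-version 2
        set local-gw 203.0.113.10
        set remote-gw 198.51.100.2
        set peertype any
        set net-device disable
        set proposal aes256-sha256 aes256gcm-prfsha384
        set dhgrp 14 19
        set nattraversal enable
        set dpd on-idle
        set psksecret "ExampleOnly-ReplaceWithRandomSecret"
    next
end

# Phase 2 (IPsec SA): selectors must mirror the branch side (branch has
# src 10.0.2.0/24, dst 10.0.1.0/24); PFS enabled with its own DH groups
config vpn ipsec phase2-interface
    edit "to-branch"
        set phase1name "to-branch"
        set proposal aes256-sha256 aes256gcm
        set pfs enable
        set dhgrp 14 19
        set auto-negotiate enable
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
end

# Routing: branch traffic goes into the tunnel interface. The blackhole route
# with a higher distance stops that traffic leaking out of the default route
# in the clear while the tunnel is down.
config router static
    edit 10
        set dst 10.0.2.0 255.255.255.0
        set device "to-branch"
        set comment "branch LAN via IPsec"
    next
    edit 11
        set dst 10.0.2.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Firewall policies in both directions (no NAT inside the tunnel)
config firewall address
    edit "HQ_LAN"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "BRANCH_LAN"
        set subnet 10.0.2.0 255.255.255.0
    next
end
config firewall policy
    edit 20
        set name "HQ-to-branch"
        set srcintf "port2"
        set dstintf "to-branch"
        set srcaddr "HQ_LAN"
        set dstaddr "BRANCH_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 21
        set name "branch-to-HQ"
        set srcintf "to-branch"
        set dstintf "port2"
        set srcaddr "BRANCH_LAN"
        set dstaddr "HQ_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The branch gets the same configuration with the gateways and selectors swapped. To monitor, `get vpn ipsec tunnel summary` gives the status of each tunnel, `diagnose vpn ike gateway list` shows the IKE SAs and `diagnose vpn tunnel list` the IPsec SAs with their selectors and counters; a tunnel that never comes up is usually UDP 500/4500 filtered upstream or selectors that do not mirror.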
- SSL VPN
- Runs over the common HTTPS protocol, so it passes through almost any network
- Flexibility in how clients connect
- Granular access to resources
- Client integrity (host) checks for Windows clients
- Cost effective
- Web Mode:
- Web-based access through a portal page; no client software needed
- FortiGate acts as a reverse proxy to the internal resources
- Tunnel Mode:
- Full network access
- Requires FortiClient
- Configuration:
- Create users and groups, or connect remote authentication servers
- Review, edit or create SSL VPN portals
- Full-access
- Tunnel-access
- Web-access
- Custom
- Configure SSL VPN Settings
- Create FW Policy to allow VPN traffic
- Best Practices
- Select appropriate SSL VPN mode
- Reduce admin effort using remote auth servers
- Use valid SSL cert
- Use principle of least priv
- Use client integrity check
- If possible, restrict which source addresses or locations may connect rather than allowing connections from everywhere
- System Maintenance and Monitoring
- Prevent security breaches
- Optimize performance
- Meet compliance
- Ensure business continuity
- Back up
- Firmware upgrades
- Monitor system performance
- Examine licenses
- Monitor event logs
- License status: System > FortiGuard
- Licenses widget on the dashboard
- Configuring Security Fabric
- Integrated
- Automated
- Coordinated
- Benefits:
- Unified view of network
- Object sync across devices
- Security rating
- Integration
- Automatic detection of end devices
- Centralized management
- Automation
- Implement
- Requires a minimum of two FortiGates (one root, at least one downstream) in NAT mode
- Plus one FortiAnalyzer or a supported cloud logging solution
- Configuring:
- Configure FortiAnalyzer or supported cloud logging
- Configure FortiGate device acting as root
- Configure downstream devices
- Authorize downstream devices