FortiGate Basics


FortiGate Basics:

Introduction:

FortiGate NGFWs enable security-driven networking and consolidate industry-leading security
capabilities such as intrusion prevention system (IPS), web filtering, secure sockets layer (SSL)
inspection, and automated threat protection.

Fortinet NGFWs meet the performance needs of highly scalable, hybrid IT architectures, enabling
organizations to reduce complexity and manage security risks.

Some Fortinet UTM features:

- Security Profiles
- Traffic inspection
- IPS & IDS
- VPN
- Suspicious traffic attributes
- Application control
- AntiVirus
- FortiGuard Web Filtering
- Email filter
- Advanced Threat Protection
- Web filtering
- Email filtering
- SD-WAN
- Vulnerability Assessment
- Switch & WiFi Controller

1. Default Username and Password

• Default username: admin
• Default password: BLANK, meaning no password is set on a new FortiGate firewall.

2. Default Subnet and Management IP

• Default subnet: 192.168.1.0/24
• Default management IP: 192.168.1.99

3. Options available to access FortiGate

• GUI (HTTP and HTTPS)
• Telnet
• SSH

4. You can access the CLI in three ways:

• Console Connection
• SSH Access
• FortiExplorer

5. FortiGate Modes

• NAT/Route Mode
• Transparent Mode

NAT mode: the FortiGate acts as a Layer 3 router or gateway for separate VLANs.

Transparent mode: the FortiGate acts as a bridge between two networks and can provide security
features by inspecting the traffic passing through it.

6. Two main types of NAT:

• Source NAT (SNAT)
• Destination NAT (DNAT)
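The two NAT types above, as an added configuration example that is not part of the original notes. It assumes a FortiGate in NAT/Route mode with wan1 as the internet-facing interface and port2 as the LAN, and uses constructed documentation addresses (203.0.113.10 as the public address, 192.168.10.20 as an internal web server); the object names and policy numbers are assumptions as well.

```fortios
# Added example (not from the original notes). Assumed interfaces: wan1 (public), port2 (LAN).
# Constructed addresses: 203.0.113.10 public, 192.168.10.20 internal web server.

# DNAT: a virtual IP maps 203.0.113.10:443 arriving on wan1 to 192.168.10.20:443
config firewall vip
    edit "web-dnat"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.10.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# Policy 20: inbound, destination is the VIP object, so the FortiGate performs DNAT.
# Policy 21: outbound, "set nat enable" performs SNAT to the wan1 interface address.
config firewall policy
    edit 20
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "web-dnat"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 21
        set name "lan-to-internet"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

The inbound policy only exposes the single port mapped by the VIP, and both policies log traffic so that translated sessions can be reviewed later with the session table commands in item 27 (diagnose sys session list shows the original and translated address pairs).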

7. VDOMs:

VDOMs are virtual firewalls on a single hardware unit. Two VDOMs can work as independent
firewalls with separate VPN, security, NAT and routing policies.

Benefits of Virtual Domains:

1- Improving transparent mode configuration
2- Easier administration
3- Continued security
4- Savings in physical space and power
5- More flexible MSSP configurations

8. HA Requirements:

• Same Firmware
• Same Model
• Same Hardware Specs

9. Heartbeat:

Heartbeat connections are back-to-back links between the cluster members, used for synchronization
and for monitoring the status of the HA pair.

10. HA cluster setup modes

• Active-Active
• Active-Passive
• Virtual
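Items 8 to 10 together describe what an FGCP cluster needs; the following is an added configuration example, not part of the original notes. Interface names (port3 and port4 as back-to-back heartbeat links, port1 and port2 as monitored ports), the group name and the priority values are assumptions, and the password is a placeholder.

```fortios
# Added example (not from the original notes): active-passive cluster.
# Enter on BOTH units, which must share firmware, model and hardware (item 8).
# Assumed interfaces: port3/port4 heartbeat, port1/port2 monitored. Password is a placeholder.
config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password "<cluster-password>"
    set hbdev "port3" 50 "port4" 100
    set monitor "port1" "port2"
    set priority 200
    set override disable
end

# Verification (commands from item 27; the checksum command is an assumption, not from the notes)
get system ha status
diagnose sys ha checksum cluster
```

Use mode a-a for Active-Active (item 10). The two numbers after each heartbeat interface are heartbeat priorities, so port3 is preferred and port4 is the backup heartbeat link (item 9). On the secondary unit, set a lower priority such as 100; with override disabled the cluster does not fail back automatically when the original primary recovers, which avoids a second interruption. A failure on any monitored port triggers failover.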
• Virtual

11. FortiGuard

Its features:

• Antivirus
• IPS
• Application Control
• Antispam
• Web Filtering
• WAF

12. QoS Techniques

Main QoS techniques:

• Traffic Policing
• Traffic Shaping
• Queueing

Traffic policing: rate-limits the traffic and drops any traffic that exceeds the configured limit.

Traffic shaping: rate-limits the traffic and buffers the extra traffic exceeding the limit.

13. Power off the FortiGate

The FortiGate can be powered off in two ways:

• Using the GUI: go to Dashboard and, in the System Resources widget, select Shutdown.
• Using the CLI:

execute shutdown

14. Transparent Proxy:

With a transparent proxy, browsers are not aware of any proxy server, and the usual internet content
remains accessible.

15. Zones:

Zones group multiple interfaces into one virtual zone so that a common security policy can be
applied to the zone, covering all of the underlying interfaces.

16. Command to block communication within a zone

To stop different interfaces in the same zone from communicating with each other, use:

• set intrazone deny
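Items 15 and 16 combined, as an added configuration example that is not part of the original notes. It assumes port3 and port4 are two LAN interfaces to be grouped, wan1 is the internet-facing interface, and the zone name and policy number are chosen for illustration.

```fortios
# Added example (not from the original notes). Assumed interfaces: port3, port4 (LAN), wan1.
# The zone groups the two interfaces; intrazone deny blocks port3 <-> port4 traffic by default.
config system zone
    edit "LAN-ZONE"
        set intrazone deny
        set interface "port3" "port4"
    next
end

# Policies reference the zone instead of each member interface (item 15).
config firewall policy
    edit 30
        set name "lan-zone-to-wan"
        set srcintf "LAN-ZONE"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

With intrazone deny, traffic between port3 and port4 is only allowed by an explicit policy whose srcintf and dstintf are both LAN-ZONE, so inter-interface flows become visible and controllable like any other policy; set intrazone allow permits them implicitly without a policy. Interfaces that are zone members cannot be referenced individually in policies.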

17. Virtual Wire Pair:

A means of connecting two interfaces so that they forward traffic to each other. It consists of two
interfaces that have no IP address and are treated as if in transparent mode.

18. FortiGate Data Leak Prevention (DLP) Overview:

The FortiGate data leak prevention (DLP) system allows you to prevent sensitive data from leaving
your network. When you define sensitive data patterns, data matching these patterns will be
blocked, or logged and allowed, when passing through the FortiGate unit. You configure the DLP
system by creating individual filters based on file type, file size, a regular expression, an advanced
rule, or a compound rule, in a DLP sensor and assign the sensor to a security policy.

The filters in a DLP sensor can examine traffic for the following:
- Known files using DLP fingerprinting
- Known files using DLP watermarking
- Particular file types
- Particular file names
- Files larger than a specified size
- Data matching a specified regular expression
- Credit card and social security numbers
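A DLP sensor with a regular-expression filter and a file-size filter, assigned to a security policy as the overview describes, as an added example that is not part of the original notes. It assumes the FortiOS 6.x "config dlp sensor" syntax (7.x replaced it with DLP profiles and dictionaries), interfaces port2 (LAN) and wan1, and a constructed pattern for internal project codes; the sensor name, thresholds and policy number are assumptions.

```fortios
# Added example (not from the original notes). Assumed FortiOS 6.x "dlp sensor" syntax.
# Filter 1 blocks messages carrying a constructed project-code pattern over mail and web uploads.
# Filter 2 logs (but allows) file uploads larger than 10240 kB.
config dlp sensor
    edit "outbound-dlp"
        set comment "block internal project codes, log large uploads"
        config filter
            edit 1
                set name "project-code"
                set severity high
                set type message
                set proto smtp http-post
                set filter-by regexp
                set regexp "PROJ-[0-9]{4}-[A-Z]{3}"
                set action block
            next
            edit 2
                set name "large-upload"
                set severity medium
                set type file
                set proto smtp http-post ftp
                set filter-by file-size
                set file-size 10240
                set action log-only
            next
        end
    next
end

# Assign the sensor to the outbound policy; DLP needs proxy inspection (item 19). Assumed names.
config firewall policy
    edit 40
        set name "lan-to-internet-dlp"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "SMTP" "FTP"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dlp-sensor "outbound-dlp"
        set nat enable
        set logtraffic all
    next
end
```

Blocked matches produce a replacement message to the client and a DLP log entry, while log-only matches are allowed and logged, which is the "blocked, or logged and allowed" behaviour the overview describes. With certificate-inspection only, the body of HTTPS uploads is not visible to the sensor; a deep-inspection SSL profile is required for the regex filter to see that content.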

19. FortiGate Proxy Mode Overview:

Proxy-based inspection reconstructs content that passes through the FortiGate and inspects the
content for security threats.

When a firewall policy’s inspection mode is set to proxy, traffic flowing through the policy will be
buffered by the FortiGate for inspection. This means that the packets for a file, email message, or
web page will be held by the FortiGate until the entire payload is inspected for violations (virus,
spam, or malicious web links). After FortiOS has finished the inspection, the payload is either
released to the destination (if traffic is clean) or dropped and replaced with a replacement message
(if traffic contains violations).

20. Transparent Mode Overview:

In transparent mode, a VDOM becomes a layer-2 IP forwarding bridge. This means that Ethernet frames
are forwarded based on destination MAC address, and no other routing is performed. All incoming traffic
that is accepted by the firewall is broadcast out on all interfaces.

In transparent mode the VDOM is a forwarding bridge, not a switch. A switch can build a port table
of associated MAC addresses, so that it can bridge two ports to deliver the traffic instead of
broadcasting to all ports.

In transparent mode, the VDOM does not follow this switch behaviour; instead it is a forwarding
bridge that broadcasts all packets out over all interfaces, subject to security policies.

21. NAT/Route Mode Overview:

A FortiGate can operate in one of two modes: NAT/Route or Transparent.

NAT/Route mode is by a significant margin the most commonly used mode and is thus the default
setting on the device. As the name implies, NAT is commonly used in this mode and is easily
configured, but there is no requirement to use NAT. The FortiGate unit performs network address
translation before IP packets are sent to the destination network.

These are some of the characteristics of NAT/Route mode:

1- Typically used when the FortiGate unit is a gateway between private and public networks.
2- Can act as a router between multiple networks within a network infrastructure.
3- When used, the FortiGate unit is visible to the networks that it is connected to.
4- Each logical interface is on a distinct subnet.
5- Each interface needs to be assigned a valid IP address for the subnet it is connected to.

22. FortiGate Secure SD-WAN Overview:

As the use of business-critical, cloud-based applications and tools continues to increase,
distributed organizations with multiple remote offices are switching from performance-inhibited
wide-area networks (WANs) to software-defined WAN (SD-WAN) architectures. SD-WAN offers
business application steering, cost savings, and performance for Software-as-a-Service (SaaS)
applications, as well as unified communication services. However, SD-WAN has its own
shortcomings, especially when it comes to security with direct internet access.

23. Fortinet Security Fabric Overview:

Security Fabric provides a visionary approach to security that allows your organization to deliver
intelligent, powerful, and seamless security. Fortinet offers security solutions for endpoints, access
points, network elements, the data center, applications, cloud, and data, designed to work together
as an integrated Security Fabric that can be integrated, analyzed, and managed to provide end-to-
end protection for your network. Your organization can also add third-party products that are
members of the Fabric-Ready Partner Program to the Security Fabric.

Security Fabric Benefits:

1- Broad visibility of the entire digital attack surface
2- Integrated security architecture
3- Automated operations, orchestration, and response

Security Fabric Solutions:

1- Zero-trust network access
2- Security-driven networking
3- Dynamic cloud security
4- Artificial intelligence (AI)-driven security operations
5- Fabric management center

24. Different encryption mechanisms available in FortiGate Firewall

FortiGate uses AES and DES symmetric-key algorithms for encrypting and decrypting data. Each
proposal below pairs an encryption algorithm with an integrity hash. Some of the combinations
supported by FortiGate are:

1. des-md5
2. des-sha1
3. des-sha256
4. des-sha384
5. des-sha512
6. aes128-md5
7. aes128-sha1

26. FGCP cluster

FGCP stands for FortiGate Clustering Protocol. It is Fortinet's proprietary and widely used
high availability solution. A FortiGate High Availability cluster mainly consists of two firewalls,
which are configured together for high availability operation.

27. FortiGate Troubleshooting Commands:

Check configuration:

# show
# show | grep xxxx
# show full-configuration
# show full-configuration | grep XXXX
# show full-configuration | grep -f XXXX <----- display with tree view

Network:

Check firewall policy:

# show firewall policy
# show firewall policy XXXX
# config firewall policy
(policy) # show

Hardware:

Check hardware information: # get hardware status
Check version, BIOS, firmware, etc.: # get system status
Display CPU / memory / line usage: # get system performance status
Display NTP server: # get system ntp
Display the current time and the time of synchronization with the NTP server: # execute time
Check interface status (up or down): # get system interface physical

Check interfaces:
# config system interface
(interface) # show
(interface) # end

Display ARP table: # get system arp

NTP:

Check NTP:
# execute time
# get system ntp
# diagnose sys ntp status

To view the configuration of any port (e.g. port3):

show system interface port3
show full-configuration system interface port3

ARP Table
• get system arp
• get system arp-table: static arp
Session Table
• diagnose sys session list
• diagnose sys session filter [$option]
• diagnose sys session clear: clear all session if no filter set
Routing

Show commands
• get router info routing-table <ospf|bgp|rip|connected|static|all>: view
routing table
• get router info routing-table details 192.168.1.0
BGP
• get router info bgp network 192.168.1.0
• get router info bgp summary: show ip bgp summary
• get router info bgp neighbors [<neighbor ip>]: show ip bgp neighbor <ip>
• exec router clear bgp ip <neighbor ip>: Reset BGP peering
• exec router clear bgp ip <neighbor ip> soft [in | out]: Route Refresh
OSPF
• get router info ospf neighbor [neighbor ip]: show ip ospf neighbor
• get router info ospf database brief: show ip ospf database
• get router info ospf interface <name>: show ip ospf interface
• get router info ospf status: show ip ospf status
• get router info ospf route: route advertised and received via OSPF
• exec router clear ospf process: clear ip ospf process

High Memory Usage

• diagnose hardware sysinfo memory
• diagnose sys top [seconds] [number of processes]
  - q or Ctrl-C to quit
  - c to sort by CPU, m to sort by memory
• get system performance top [seconds] [number of processes]
  - q or Ctrl-C to quit
  - p to sort by CPU, m to sort by memory
• diagnose sys top-mem
• diagnose sys kill <signal-id> <process id>
  - signal id: 9 is enough, but 11 is preferred as the output is sent to the crashlog for
    troubleshooting purposes
  - the process id is the 2nd column in the diagnose sys top output

High Availability (HA):

Check HA status: # get system ha status
Check HA configuration:
# get system ha
# show system ha

28. FortiGate Policy Routing, Identity-Based Route:

How Policy Routing works

• When a packet arrives, the FortiGate starts at the top of the policy route list and
attempts to match the packet with a policy. For a match to be found, the policy must
contain enough information to route the packet.
• At a minimum, this requires the outgoing interface to forward the traffic, and
the gateway to route the traffic to.
• If one or both of these are not specified in the policy route, then the
FortiGate searches the routing table to find the best active route that corresponds
to the policy route.
• If no routes are found in the routing table, then the policy route does not match the
packet. The FortiGate continues down the policy route list until it reaches the end. If
no matches are found, then the FortiGate does a route lookup using the routing
table.
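A policy route that carries both pieces of information the lookup needs (outgoing interface and gateway), as an added example that is not part of the original notes. It assumes port2 is the LAN interface, wan2 the secondary internet link with 198.51.100.1 as its next hop (a constructed documentation address), and 192.168.10.0/24 as the LAN subnet; the policy number is also an assumption.

```fortios
# Added example (not from the original notes). Assumed interfaces port2 (LAN) and wan2,
# constructed gateway 198.51.100.1 and LAN subnet 192.168.10.0/24.
# Steers HTTPS (protocol 6 = TCP, port 443) from the LAN out of wan2 instead of the routing table.
config router policy
    edit 1
        set input-device "port2"
        set src "192.168.10.0/255.255.255.0"
        set protocol 6
        set start-port 443
        set end-port 443
        set gateway 198.51.100.1
        set output-device "wan2"
        set action permit
    next
end

# List policy routes in evaluation order (top to bottom) and the hit counters
diagnose firewall proute list
```

Because both gateway and output-device are set, the entry matches on its own. If the gateway line is removed, the FortiGate falls back to the routing table to find an active route through wan2, exactly as the bullets above describe, and if none exists the entry is skipped and evaluation continues down the list. Only traffic that is also accepted by a firewall policy for port2 to wan2 is actually forwarded.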
Identity-based Route
• Route traffic based on identity
• Configuration:
  - Configure the identity-based route
  - Configure a firewall policy to use the identity-based route

29. iPerf Bandwidth Test on FortiGate

Commands:

diag traffictest server-intf port2 <----- Define server port.

diag traffictest client-intf port1 <----- Define client port.

diag traffictest run

Test bandwidth to server: client mode

# diag traffictest client-intf port1 <----- Define FortiGate port.

# diag traffictest server-intf port1 <----- Define FortiGate port.

# diag traffictest port 5209 <----- Define iPerf3 port running on the iPerf3 server.

# diag traffictest run -c 45.154.168.155 <----- Run iPerf3 against the public 45.154.168.155 iPerf3
server.

Test the reverse direction from the client, since server mode is not fully supported:

diagnose traffictest run -R -c 45.154.168.155 -p 5209

Test UDP traffic (TCP is the default):

diagnose traffictest run -c 45.154.168.155 -u

Happy Learning…

Follow for more updates: https://www.linkedin.com/in/rakesh-sa-b2b664167

Thanks

Rakesh
