100% found this document useful (1 vote)

1K views

Fortinet Fortigate Infrastructure Lab Guide For Fortios 72

This document provides a lab guide for configuring FortiGate devices using FortiOS 7.2. It includes exercises for routing, VDOM configuration, Fortinet Single Sign-On, SSL VPN, IPsec VPN, high availability, and diagnostics. The exercises guide users through configuring features such as route failover, ECMP, policy routing, inter-VDOM links, FSSO authentication, SSL VPN web and tunnel modes, IPsec dial-up and static VPNs, redundant VPN tunnels, HA settings, and diagnostic commands.

Uploaded by

Hein Min Zaw

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (1 vote)

1K views

Fortinet Fortigate Infrastructure Lab Guide For Fortios 72

Uploaded by

Hein Min Zaw

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 126

DO NOT REPRINT

FortiGate Infrastructure
Lab Guide
for FortiOS 7.2
DO NOT REPRINT
© FORTINET
Fortinet Training Institute - Library

https://training.fortinet.com

Fortinet Product Documentation

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Product Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Training Program Information

https://www.fortinet.com/nse-training

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

https://helpdesk.training.fortinet.com/support/home

8/30/2022
DO NOT REPRINT
© FORTINET

TABLE OF CONTENTS

Change Log 6
Network Topology 7
Lab 1: Routing 8
VM Usernames and Passwords 10
Exercise 1: Configuring Route Failover 11
Verify the Routing Configuration 11
Configure a Second Default Route 12
Configure the Firewall Policies 13
View the Routing Table 15
Configure Link Health Monitors 16
Test the Route Failover 17
Restore the Routing Table 19
Exercise 2: Configuring Equal Cost Multipath and Policy Routing 21
Configure Administrative Distance 21
Change the ECMP Load Balancing Algorithm 22
Verify Traffic Routing 22
Configure Priority 24
Verify ECMP 24
Configure a Policy Route for HTTPS Traffic 26
Verify the Policy Route 27
Lab 2: VDOM Configuration 30
Exercise 1: Creating VDOMs and VDOM Objects 32
Create a VDOM 32
Create a Per-VDOM Administrator 33
Move an Interface to a Different VDOM 34
Add the DNS Service to an Interface 35
Test the Per-VDOM Administrator Account 36
Execute Per-VDOM CLI Commands 36
Exercise 2: Configuring an Inter-VDOM Link 38
Create an Inter-VDOM Link 38
Configure Routing Between VDOMs 39
Configure Firewall Policies for Inter-VDOM Traffic 41
Test the Inter-VDOM Link 42
DO NOT REPRINT
© FORTINET
Lab 3: Fortinet Single Sign-On Configuration 44
Exercise 1: Configuring FortiGate for FSSO Authentication 46
Review the FSSO Configuration on FortiGate 46
Assign FSSO Users to a Firewall Policy 48
Test FSSO 49
Lab 4: ZTNA 52
Lab 5: SSL VPN 53
Exercise 1: Configuring Web Mode SSL VPN 55
Configure the SSL VPN Settings 55
Create a Firewall Policy for SSL VPN 56
Test the SSL VPN Access 58
Add an Administrator-Based Bookmark to the SSL VPN Portal 60
Test SSL VPN Access Using the Predefined Bookmark 61
Examine the Web Mode Mechanism (Reverse HTTP Proxy) 62
Monitor an SSL VPN User 62
Exercise 2: Configuring SSL VPN Tunnel Mode 64
Add Tunnel Mode 64
Configure the Routing for Tunnel Mode 65
Configure FortiClient for SSL VPN Connections 65
Test SSL VPN in Tunnel Mode 66
Review VPN Events 67
Lab 6: IPsec VPN Configuration 69
Exercise 1: Configuring a Dial-Up IPsec VPN Between Two FortiGate Devices 72
Create Phase 1 and Phase 2 on Local-FortiGate (Dial-Up Server) 72
Create Firewall Policies for VPN Traffic on Local-FortiGate (Dial-Up Server) 74
Create Phase 1 and Phase 2 on Remote-FortiGate (Dial-Up Client) 75
Create a Static Route for VPN Traffic on Remote-FortiGate (Dial-Up Client) 77
Create the Firewall Policies for VPN Traffic on Remote-FortiGate (Dial-Up Client) 78
Test and Monitor the VPN 79
Exercise 2: Configuring a Static IPsec VPN Between Two FortiGate Devices 82
Create Phase 1 and Phase 2 on Local-FortiGate 83
Create a Static Route for VPN Traffic on Local-FortiGate 85
Create Firewall Policies for VPN Traffic on Local-FortiGate 85
Test and Monitor the VPN 87
Exercise 3: Configuring Redundant Static IPsec VPN Tunnels Between Two
FortiGate Devices 88
Prerequisites 88
Check the IPsec VPN Tunnel on Local-FortiGate 89
Review the VPN Configuration on Both FortiGate Devices 90
Test and Monitor the VPN 90
Create a Backup VPN Tunnel Using the IPsec Wizard 91
DO NOT REPRINT
© FORTINET
Review the Objects the IPsec Wizard Created 93
Adjust Routing for the Backup VPN Tunnel on Local-FortiGate 95
Review the Backup VPN Configuration on Remote-FortiGate 96
Test VPN Redundancy 96
Lab 7: High Availability 99
Lab HA Topology 99
Exercise 1: Configuring HA 103
Configure HA Settings on Local-FortiGate 103
Configure HA Settings on Remote-FortiGate 104
Observe and Verify the HA Synchronization Status 104
Verify FortiGate Roles in an HA Cluster 105
Verify Firewall Policy Configuration 106
View Session Statistics 107
Exercise 2: Triggering an HA Failover 108
Trigger a Failover by Rebooting the Primary FortiGate 108
Verify the HA Failover and FortiGate Roles 108
Trigger an HA Failover by Resetting the HA Uptime 109
Observe HA Leave and Join Messages Using Diagnostic Commands 110
Exercise 3: Configuring the HA Management Interface 112
Access the Secondary FortiGate CLI Through the Primary FortiGate CLI 112
Set Up a Reserved HA Management Interface 113
Configure and Access the Primary FortiGate Using the Reserved HA Management
Interface 114
Configure and Access the Secondary FortiGate Using the Reserved HA Management
Interface 114
Disconnect Remote-FortiGate From the Cluster 115
Restore the Remote-FortiGate Configuration 116
Lab 8: Diagnostics Performance 118
Exercise 1: Determining What Is Happening Now 120
Run Diagnostic Commands 120
Exercise 2: Troubleshooting a Connectivity Problem 122
Identify the Problem 122
Use the Sniffer 122
Use the Debug Flow Tool 123
Fix the Problem 123
Test the Fix 124
DO Change
NOTLogREPRINT
© FORTINET
Change Log

This table includes updates to the FortiGate Infrastructure 7.2 Lab Guide dated 6/13/2022 to the updated
document version dated 8/30/2022.

Change Location

Various formatting fixes Entire guide

Updated URLs to test http Lab 1, Exercise 1 and 2

FortiGate Infrastructure 7.2 Lab Guide 6

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Network Topology

7 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 1: Routing

In this lab, you will configure the router settings and test scenarios to learn how FortiGate makes routing
decisions.

Objectives
l Route traffic based on the destination IP address, as well as other criteria
l Balance traffic among multiple paths
l Implement route failover
l Implement policy routing
l Diagnose a routing problem

Time to Complete
Estimated: 50 minutes

FortiGate Infrastructure 7.2 Lab Guide 8

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Revisions.

3. Click the + sign to expand the list.

4. Select the configuration with the comment initial, and then click Revert.

5. Click OK to reboot.

9 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT VM Usernames and Passwords

VM Username Password

Local-Client Administrator password

Remote-Client Administrator password

Local-FortiGate admin password

Remote-FortiGate admin password

ISFW admin password

FortiAnalyzer admin password

FortiGate Infrastructure 7.2 Lab Guide 10

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Configuring Route Failover

In the lab network, Local-FortiGate has two interfaces connected to the internet: port1 and port2. In this exercise,
you will configure the port1 connection as the primary internet link and the port2 connection as the backup internet
link. Local-FortiGate should use the port2 connection only if the port1 connection is down. To achieve this
objective, you will configure two default routes with different administrative distances, as well as two link health
monitors.

Verify the Routing Configuration

You will verify the existing routing configuration on Local-FortiGate.

Take the Expert Challenge!

On the Local-FortiGate GUI (admin/password), complete the following:
l View the existing static route configuration on Local-FortiGate.
l Enable the Distance and Priority columns on the static route configuration page.
l Make a note of the Distance and Priority values of the existing default route.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Configure a Second Default Route on page 12.

To verify the routing configuration

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Network > Static Routes.
3. Verify the existing default route for port1.

4. Right-click any of the columns to open the context-sensitive menu.

5. In the Select Columns section, select Distance and Priority, and then click Apply.

11 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT Route Failover Configure a Second Default Route

The Distance and Priority columns appear in the GUI.

Note that, by default, static routes have a Distance value of 10 and a Priority value of 1.

Configure a Second Default Route

You will create a second default route using the port2 interface. To make sure this second default route remains
the standby route, you will assign it a higher distance.

Take the Expert Challenge!

l On the Local-FortiGate GUI, configure a second default route using port2.

l Assign it a Distance of 20 and a Priority of 5.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Configure the Firewall Policies on page 13.

FortiGate Infrastructure 7.2 Lab Guide 12

Fortinet Technologies Inc.
DO Configure
NOTtheREPRINT
Firewall Policies Exercise 1: Configuring Route Failover

© FORTINET
To configure a second default route
1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.
2. Click Create New.
3. Configure the following settings:

Field Value

Gateway Address 10.200.2.254

Interface port2

Administrative Distance 20

4. Click the + sign to expand the Advanced Options section.

5. In the Priority field, type 5.

6. Click OK.
A second default route is added.

Configure the Firewall Policies

You will modify the existing Full_Access firewall policy to log all sessions. You will also create a second firewall
policy to allow traffic through the secondary interface.

13 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT Route Failover Configure the Firewall Policies

l Continuing on the Local-FortiGate GUI, enable logging for all sessions in the existing Full_Access
firewall policy.
l Create a second firewall policy named Backup_Access.
l Configure the Backup_Access policy to allow traffic from port3 to port2 with NAT enabled.
l Enable logging on the Backup_Access policy for all sessions.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see View the Routing Table on page 15

To configure the firewall policies

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. Double-click the existing Full_Access policy to edit it.
3. Enable logging for All Sessions.

All Sessions logging ensures that all traffic is logged and not only sessions inspected
by security profiles. This will assist you in verifying traffic routing using the Forward
Traffic logs.

4. Click OK.
5. Click Create New.
6. Configure a second firewall policy with the following settings:

Field Value

Name Backup_Access

FortiGate Infrastructure 7.2 Lab Guide 14

Fortinet Technologies Inc.
DO View
NOT REPRINT
the Routing Table Exercise 1: Configuring Route Failover

Incoming Interface port3

Outgoing Interface port2

Source LOCAL_SUBNET

Destination all

Schedule always

Service ALL

Action Accept

NAT Enabled

Log Allowed Traffic All Sessions

7. Click OK.

View the Routing Table

The Local-FortiGate configuration now has two default routes with different distances. You will view the routing
table to see which route was installed in the routing table and which route was installed in the routing table
database.

To view the routing table

1. On the Local-FortiGate CLI, log in with the username admin and password password.
2. Enter the following command to list the routing table entries:
get router info routing-table all

Note that the second default route is not listed.

3. Enter the following command to list the routing table database entries:
get router info routing-table database

4. Confirm that the second default route is listed as inactive.

15 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT Route Failover Configure Link Health Monitors

Stop and think!

Why is the port2 default route the standby route?

The port2 default route has a higher administrative distance than the port1 default route. When two or more
routes to the same destination have different distances, the higher distance route is not installed in the
routing table, but you can still see it in the routing table database.

5. Leave the Local-FortiGate CLI session open.

Configure Link Health Monitors

You will configure two link health monitors to monitor the status of both the port1 and port2 routes.

2. Enter the following commands to configure another link health monitor for port2:
config system link-monitor
edit port2-monitor
set srcintf port2
set server 4.2.2.2
set gateway-ip 10.200.2.254
set protocol ping
set update-static-route enable

FortiGate Infrastructure 7.2 Lab Guide 16

Fortinet Technologies Inc.
DO Test
NOT REPRINT
the Route Failover Exercise 1: Configuring Route Failover

3. Leave your Local-FortiGate CLI session open.

Test the Route Failover

First, you will access various websites and use the Forward Traffic logs to verify that the port1 route is being
used. Next, you will force a failover by reconfiguring the port1 link health monitor to ping an invalid IP address. You
will then generate some more traffic, and use the Forward Traffic logs to verify that the port2 route is being used.

To confirm the port1 route is the primary route

1. Continuing on the Local-FortiGate GUI, click Log & Report > Forward Traffic.
2. Right-click any of the columns to open the context-sensitive menu.
3. In the Select Columns section, select Destination Interface.

4. Scroll down in the context-sensitive menu, and then click Apply.

The Destination Interface column is displayed.

5. On the Local-Client VM, open a few new tabs in the browser, and visit a few websites, such as:

17 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT Route Failover Test the Route Failover

© FORTINET
l http://neverssl.com
l http://www.testingmcafeesites.com
l http://eu.httpbin.org
6. On the Local-FortiGate GUI, click Log & Report > Forward Traffic.
7. Click the refresh icon.

8. Locate the relevant log entries for the three websites you accessed, and verify that their Destination Interface
indicates port1.

This verifies that the port1 route is currently the route in use.

To force the failover

1. Return to the Local-FortiGate CLI session, and then enter the following commands to modify the port1 link monitor:
config system link-monitor
edit port1-monitor
set server 10.200.1.13
next
end

2. Wait a few seconds.

Because 10.200.1.13 is a non-existent host in the lab network, the link health monitor does not receive any
replies. Because of this, the link health monitor assumes that the port1 internet connection is down, and
removes the corresponding route from the routing table.

3. Leave your Local-FortiGate CLI session open.

To verify the route change

1. Continuing on the Local-FortiGate GUI, click Log & Report > System Events > General System Events.
Verify that the Local-FortiGate detected the link failure and removed the corresponding port1 route.

FortiGate Infrastructure 7.2 Lab Guide 18

Fortinet Technologies Inc.
DO Restore
NOTtheREPRINT
Routing Table Exercise 1: Configuring Route Failover

2. Click Dashboard > Network, and then click Routing to expand it to full screen.
3. Verify that the port2 route replaced the port1 route in the routing table.

To verify traffic logs

1. On the Local-Client VM, open a few new tabs in the browser, and visit a few websites, such as:
l http://neverssl.com
l http://www.testingmcafeesites.com
l http://eu.httpbin.org
2. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and then click Log & Report >
Forward Traffic.
3. Locate the relevant log entries for the three websites you accessed, and verify that their Destination Interface
indicates port2.

This verifies that the Local-FortiGate is using the port2 default route.

Restore the Routing Table

Before starting the next exercise, you will restore the port1 link health monitor server configuration with a valid
host address, which will restore the port1 default route as the best route in the routing table.

19 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT Route Failover Restore the Routing Table

© FORTINET
To restore the port1 health monitor configuration
1. Return to the Local-FortiGate CLI session, and then enter the following commands:
config system link-monitor
edit port1-monitor
set server 4.2.2.1
next
end

2. Close the Local-FortiGate CLI session.

To verify the routing table

1. Continuing on the Local-FortiGate GUI, click Dashboard > Network, and then click Routing to expand it to full
screen.
2. Verify that the port1 route replaced the port2 route in the routing table.

3. Close the browser.

FortiGate Infrastructure 7.2 Lab Guide 20

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Configuring Equal Cost Multipath and Policy
Routing

In this exercise, you will configure equal cost multi-path (ECMP) routing on Local-FortiGate to load balance the
internet traffic between port1 and port2. After that, you will configure a policy route to route HTTPS traffic through
port1 only.

Configure Administrative Distance

To establish ECMP, first you will configure multiple static routes with the same administrative distance.

Take the Expert Challenge!

On the Local-FortiGate GUI (admin/password), complete the following:
l Change the port2 static route Administrative Distance to 10.
l Verify that both port1 and port2 default routes are present in the routing table.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Change the ECMP Load Balancing Algorithm on page 22.

To configure administrative distance

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Network > Static Routes.
3. Double-click the port2 static route to edit it.
4. Change the Administrative Distance to 10.

5. Click OK.

21 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT Equal Cost Multipath and Policy Routing Change the ECMP Load Balancing Algorithm

© FORTINET
To verify the routing table
1. Continuing on the Local-FortiGate GUI, click Dashboard > Network, and then click Routing to expand it to full
screen.
2. Verify that both default routes are installed in the routing table.

Change the ECMP Load Balancing Algorithm

By default, the ECMP load balancing algorithm is based on source IP address. This works well when there are
multiple clients generating traffic. In the lab network, because you have only one client (Local-Client), the source
IP address method will not balance any traffic to the second route. Only one route will always be used. For this
reason, you will change the load balancing method to use both source and destination IP addresses. Using this
method, as long as the traffic goes to multiple destination IP addresses, FortiGate load balances the traffic across
both routes.

To modify the ECMP load balancing method

1. On the Local-FortiGate CLI, log in with the username admin and password password.
2. Enter the following commands to change the ECMP load-balancing method:
config system settings
set v4-ecmp-mode source-dest-ip-based
end

3. Leave the Local-FortiGate CLI session open.

Verify Traffic Routing

You will generate some HTTP traffic and verify traffic routing using the Forward Traffic logs.

FortiGate Infrastructure 7.2 Lab Guide 22

Fortinet Technologies Inc.
DO Verify
NOT TrafficREPRINT
Routing Exercise 2: Configuring Equal Cost Multipath and Policy Routing

l On the Local-Client VM, open a few new browser tabs, and then generate some HTTP traffic.
l Verify the traffic routing on Local-FortiGate, using the Forward Traffic logs.
l Identify why all the outgoing packets are still being routed through port1.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Configure Priority on page 24.

To verify traffic routing

1. On the Local-Client VM, open new tabs in the browser, and visit a few websites, such as:
l http://neverssl.com
l http://www.testingmcafeesites.com
l http://eu.httpbin.org
2. On the Local-FortiGate GUI, click Log & Report > Forward Traffic.
3. Identify the Destination Interface in the relevant log entries for the websites you accessed.

Why are all the outgoing packets still being routed through port1?

Stop and think!

The port2 route is not being used to route internet traffic. Why?

At the beginning of this exercise, you set a distance of 10 on the port2 route but you didn't change its priority.
The port2 route priority is still 5 and you configured it in the previous exercise (see Configure a Second
Default Route on page 12). In addition, the port1 route has distance and priority values of 10 and 1,
respectively.

When two routes to the same destination have the same distance, both remain in the routing table.
However, if the priorities are different, the route with the lowest priority value—port1 in this case—is used.
To achieve ECMP with static routes, the distance and priority values must be the same for all routes.

23 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT Equal Cost Multipath and Policy Routing Configure Priority

You will change the priority value for the port2 route to match the port1 route.

Take the Expert Challenge!

On the Local-FortiGate GUI, modify the static routing configuration so both default routes are eligible for
ECMP.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Verify ECMP on page 24

To configure priority
1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.
2. Double-click the port2 default route to edit it.
3. Click the + sign to expand the Advanced Options section.
4. Change the Priority value to 1.
5. Click OK.

Verify ECMP

Now that both port1 and port2 routes share the same distance and priority values, they are eligible for ECMP.
First, you will verify the routing table, and then you will verify traffic routing using the Forward Traffic logs.

To verify the routing table

1. Return to the Local-FortiGate CLI session, and then enter the following command on Local-FortiGate:
get router info routing-table database

2. Verify that both default routes are currently active.

FortiGate Infrastructure 7.2 Lab Guide 24

Fortinet Technologies Inc.
DO Verify
NOT REPRINT
ECMP Exercise 2: Configuring Equal Cost Multipath and Policy Routing

To configure the CLI sniffer

1. Continuing on the Local-FortiGate CLI session, enter the following command:
diagnose sniffer packet any 'not host 172.16.100.1 and not host 172.16.100.3 and tcp
[13]&2==2 and port 80' 4

The filter 'tcp[13]&2==2' matches packets with the SYN flag on, so the output will
show all SYN packets for port 80 (HTTP).

2. Leave the Local-FortiGate CLI window open in the background.

To verify ECMP routing

1. On the Local-Client VM, open new tabs in the browser, and visit a few websites, such as:
l http://neverssl.com
l http://www.testingmcafeesites.com
l http://eu.httpbin.org
2. Return to the Local-FortiGate CLI session, and then press Ctrl+C to stop the sniffer.
3. Analyze the sniffer output.

25 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT Equal Cost Multipath and Policy Routing Configure a Policy Route for HTTPS Traffic

© FORTINET
The SYN packets are egressing both port1 and port2. This verifies that Local-FortiGate is now load
balancing all internet traffic across both routes.

4. Leave the Local-FortiGate CLI session open.

Configure a Policy Route for HTTPS Traffic

You will force all HTTPS traffic to egress through port1 using a policy route. All other traffic should remain
unaffected and balanced between port1 and port2. To implement this, you will configure a policy route.

To configure a policy route for HTTPS traffic

1. Continuing on the Local-FortiGate GUI, click Network > Policy Routes.
2. Click Create New.
3. Configure the following settings:

Field Value

Incoming interface port3

Source Address > IP/Netmask 10.0.1.0/24

Destination Address > IP/Netmask 0.0.0.0/0

Protocol TCP

Source ports From 1 to 65535

Destination ports From 443 to 443

Action Forward Traffic

Outgoing interface Enabled and port1

Gateway address 10.200.1.254

The policy route should look like the following example:

FortiGate Infrastructure 7.2 Lab Guide 26

Fortinet Technologies Inc.
DO Verify
NOT REPRINT
the Policy Route Exercise 2: Configuring Equal Cost Multipath and Policy Routing

4. Click OK.

Verify the Policy Route

First, you will verify the routing table, and then you will verify policy routing by generating HTTPS traffic and
viewing the CLI sniffer output.

To verify the policy route table

1. Continuing on the Local-FortiGate GUI, click Dashboard > Network, and then click Routing to expand it to
fullscreen.
2. In the upper-right corner, click Static & Dynamic, and then select Policy in the drop-down list.

To verify policy routing for HTTPS traffic

1. Continuing on the Local-FortiGate CLI session, enter the following command on Local-FortiGate:

27 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT Equal Cost Multipath and Policy Routing Verify the Policy Route

© FORTINET
diagnose sniffer packet any 'not host 172.16.100.1 and not host 172.16.100.3 and tcp
[13]&2==2 and port 443' 4

As before, this sniffer filter matches packets with the SYN flag on, but this time for port
443 (HTTPS).

Leave the Local-FortiGate CLI window open in the background.

2. On the Local-Client VM, open new tabs in the browser, and then visit a few HTTPS websites, such as:
l https://www.fortiguard.com
l https://support.fortinet.com
3. On the Local-FortiGate CLI session, and then press Ctrl+C to stop the sniffer.
4. Analyze the sniffer output.

The SYN packets are egressing port1 only. This verifies that Local-FortiGate is applying the policy route for
HTTPS traffic.

To verify non-HTTPS traffic routing

1. Continuing on your Local-FortiGate CLI session, enter the following command:
diagnose sniffer packet any 'not host 172.16.100.1 and not host 172.16.100.3 and tcp
[13]&2==2 and port 80' 4

2. On the Local-Client VM, open new tabs in the browser, and then visit a few HTTP websites, such as:
l http://neverssl.com
l http://www.testingmcafeesites.com
l http://eu.httpbin.org
3. On the Local-FortiGate CLI session, press Ctrl+C to stop the sniffer.
4. Analyze the sniffer output.

FortiGate Infrastructure 7.2 Lab Guide 28

Fortinet Technologies Inc.
DO Verify
NOT REPRINT
the Policy Route Exercise 2: Configuring Equal Cost Multipath and Policy Routing

HTTP (port 80) traffic remains unaffected by the policy route, and is still load balanced across both port1 and
port2 routes.

Stop and think!

The Local-FortiGate configuration still has the two link health monitors for port1 and port2. Do they also
enable routing failover for ECMP scenarios?

Yes. If Local-FortiGate detects a problem in any of the routes, the link monitor removes the corresponding
route, and all internet traffic is routed through the remaining route.

5. Close the Local-FortiGate CLI session and browser.

29 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 2: VDOM Configuration

In this lab, you will examine how to create a virtual domain (VDOM) and configure an inter-VDOM link.

Objectives
l Use VDOMs to split a FortiGate into multiple virtual devices
l Create an administrative account and limit access to one VDOM
l Use inter-VDOM links to route traffic between VDOMs

Time to Complete
Estimated: 40 minutes

Topology
The goal of this lab is to create the following topology. You will use VDOMs to logically split Local-FortiGate into
two virtual firewalls: the root VDOM and the customer VDOM. Both VDOMs are running in NAT mode, so all
internet traffic coming from Local-Client must first pass through the customer VDOM, and then through the root
VDOM.

FortiGate Infrastructure 7.2 Lab Guide 30

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file

3. Click + to expand the list.

4. Select the configuration with the comment local-vdom, and then click Revert.

5. Click OK to reboot.

31 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Creating VDOMs and VDOM Objects

In this exercise, you will examine how to add a new VDOM. Then, you will create an inter-VDOM link between the
VDOM you added and the root VDOM. You will also create an administrator account that has access to only one
VDOM.

The configuration file for this exercise already has VDOMs enabled. You will use only
multi-vdom mode in this exercise.

Create a VDOM

A FortiGate with VDOMs enabled includes a root VDOM. You can create additional VDOMs to split the physical
FortiGate into multiple virtual firewalls. In the next steps, you will add a second VDOM.

To create a VDOM
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
You will notice that the FortiGate menu has changed. This is because VDOMs are enabled. There is now a
drop-down list at the top of the menu, and a VDOM drop-down list on the title bar. In the VDOM drop-down list,
you can select global settings or VDOM-specific settings for the root VDOM. The default setting is Global.

2. In the VDOM drop-down list, select Global.

3. Click System > VDOM.
4. Click Create New.
5. Configure the following VDOM settings:

Field Value

Virtual Domain customer

Type Traffic

NGFW Mode Profile-based

WiFi country/region Canada

6. Click OK.

FortiGate Infrastructure 7.2 Lab Guide 32

Fortinet Technologies Inc.
DO Create
NOT REPRINT
a Per-VDOM Administrator Exercise 1: Creating VDOMs and VDOM Objects

© FORTINET
Notice that the drop-down list at the top of the menu and the VDOM drop-down list show a third option—the
VDOM-specific settings for customer.

Create a Per-VDOM Administrator

You will create an administrator account that has access to the customer VDOM only.

To create a per-VDOM administrator

1. On the Local-FortiGate GUI, click Global > System > Administrators.
2. Click Create New > Administrator.
3. Configure the following settings:

Field Value

User Name customer-admin

Type Local User

Password fortinet

Confirm Password fortinet

Administrator Profile prof_admin

Virtual Domains customer

4. In the Virtual Domains list, remove root to restrict the new administrator's access to customer.

33 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Creating
REPRINT
VDOMs and VDOM Objects Move an Interface to a Different VDOM

5. Click OK.

Move an Interface to a Different VDOM

The customer-admin account can log in only through an interface in the customer VDOM. Therefore, move the
port3 interface, which connects to the internal network, to the customer VDOM.

To move an interface to a different VDOM

1. Continuing on the Local-FortiGate GUI, click Global > Network > Interfaces.
2. Edit port3.
3. In the Virtual Domain drop-down list, select customer.

4. Click OK.
5. Click OK to confirm the configuration.

FortiGate Infrastructure 7.2 Lab Guide 34

Fortinet Technologies Inc.
DO Add
NOT REPRINT
the DNS Service to an Interface Exercise 1: Creating VDOMs and VDOM Objects

For Local-Client, the DNS server is port3. First, you will enable the DNS database in the Feature Visibility
section. Then, you will add DNS service to port3.

To enable the DNS database

1. Continuing on the Local-FortiGate GUI, in the VDOM drop-down list, select the customer VDOM.

2. Click System > Feature Visibility.

3. In the Additional Features section, enable DNS Database.

4. Click Apply.

To add DNS service to an interface

1. Continuing on the Local-FortiGate GUI, in the customer VDOM, click Network > DNS Servers.
2. Under DNS Service on Interface, click Create New, and then configure the following settings:

Field Value

Interface port3

Mode Forward to System DNS

35 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Creating
REPRINT
VDOMs and VDOM Objects Test the Per-VDOM Administrator Account

Test the Per-VDOM Administrator Account

To see what access is available to the customer-admin account, try logging in to the FortiGate-Local GUI as
customer-admin.

To test the per-VDOM administrator account

1. On the Local-Client VM, open a browser, and then connect to the Local-FortiGate GUI.
2. Log in, but this time, use the administrator name customer-admin and password fortinet.
3. View the GUI and examine what the VDOM administrator is allowed to control.
Because the customer-admin administrator can access the customer VDOM only, the GUI does not display
the Global configuration settings or the VDOM-specific settings for the root VDOM.

4. Log out of the Local-FortiGate GUI, and then log in again with the username admin and password password.
This account has access to the global settings and all VDOMs.

Stop and think!

Why is the dashboard different between the two login sessions?

Logging in with the admin account gives you full access to the root VDOM, as well as the
FortiGate system resources. Logging in with the customer-admin account gives you access to
the customer VDOM only, and does not give you access to the system resource details.

Execute Per-VDOM CLI Commands

After you enable VDOMs, the GUI menu structure and CLI tree structure change. You will examine the differences
on the CLI for VDOMs.

FortiGate Infrastructure 7.2 Lab Guide 36

Fortinet Technologies Inc.
DO Execute
NOTPer-VDOM
REPRINT
CLI Commands Exercise 1: Creating VDOMs and VDOM Objects

© FORTINET
To execute per-VDOM CLI commands
1. On the Local-FortiGate CLI, log in with the username admin and password password.
2. Try to run the following command to list the routing table:
get router info routing-table all

Did the CLI reject this command? To run this command when VDOMs are enabled,
you must specify the VDOM first, in order for FortiGate to know which VDOM routing
table to display.

3. To enter the customer VDOM context, enter the following commands:

config vdom
edit customer

Be careful when you type VDOM names with the edit command.

VDOM names are case-sensitive, and the edit command can both modify and
create a VDOM. For example, if you enter edit Root, you will not enter the pre-
existing root VDOM. Instead, you will create and enter a new VDOM named Root.

4. Now that you have specified the VDOM, try looking at the routing table again, using the following command:
get router info routing-table all
The command works now. The information displayed in the routing table is specific to the customer VDOM.
Remember that each VDOM has its own routing table.

5. Go to the root VDOM context, using the following commands:

next
edit root
6. Enter the following command to list the routing table:
get router info routing-table all
This time, the information displayed in the routing table belongs to the root VDOM. You will see that this table
is different from the one for the customer VDOM.

7. Close the Local-FortiGate CLI session.

37 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Configuring an Inter-VDOM Link

In this exercise, you will examine how to route traffic between two VDOMs using an inter-VDOM link.

Create an Inter-VDOM Link

You will create an inter-VDOM link to route traffic between two VDOMs.

To create an inter-VDOM link

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. In the Global VDOM settings, click Network > Interfaces.
3. Click Create New, and then select VDOM Link.
4. In the Name field, type vlink.
5. In the Interface 0 (vlink0) section, configure the following settings:

Field Value

Virtual Domain root

IP/Network Mask 10.10.100.1/30

Administrative Access HTTPS, PING, SSH

6. In the Interface 1 (vlink1) section, configure the following settings:

Field Value

Virtual Domain customer

IP/Network Mask 10.10.100.2/30

Administrative Access HTTPS, PING, SSH

FortiGate Infrastructure 7.2 Lab Guide 38

Fortinet Technologies Inc.
DO Configure
NOTRoutingREPRINT
Between VDOMs Exercise 2: Configuring an Inter-VDOM Link

7. Click OK.
After you create the inter-VDOM link, notice the two inter-VDOM subinterfaces that were added in the root
and customer VDOMs (expand vlink). These interfaces are named vlink0 and vlink1. You can use them to
route traffic between two VDOMs.

Configure Routing Between VDOMs

You will add the static routes to both VDOMs to route traffic between them. The objective is to have internet traffic
from Local-Client cross the customer VDOM first, and then cross the root VDOM, before the traffic goes to the
Linux server and the internet.

39 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT an Inter-VDOM Link Configure Routing Between VDOMs

© FORTINET
To configure routing between VDOMs
1. Continuing on the Local-FortiGate GUI, in the VDOM drop-down list, select the customer VDOM.

2. Click Network > Static Routes.

3. Click Create New to specify a default route for the customer VDOM.
4. Add the following route:

Field Value

Destination Subnet

0.0.0.0/0.0.0.0

Gateway Address 10.10.100.1

Interface vlink1

5. Click OK.
Now, you will specify a route for the root VDOM to the internal network.

6. In the VDOM drop-down list, select root.

7. Click Network > Static Routes.

8. Click Create New.
9. Configure the following route:

Field Value

Destination Subnet

10.0.1.0/24

Gateway Address 10.10.100.2

Interface vlink0

FortiGate Infrastructure 7.2 Lab Guide 40

Fortinet Technologies Inc.
DO Configure
NOTFirewall
REPRINT
Policies for Inter-VDOM Traffic Exercise 2: Configuring an Inter-VDOM Link

Configure Firewall Policies for Inter-VDOM Traffic

You will create firewall policies to allow internet traffic to pass through the customer and root VDOMs.

Take the Expert Challenge!

On the Local-FortiGate GUI (10.0.1.254 | admin/password), configure the appropriate firewall policies
to allow traffic to flow freely across the inter-VDOM link. This requires two firewall policies, one from port3 to
vlink1, and one from vlink0 to port1.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Test the Inter-VDOM Link on page 42.

To configure firewall policies for inter-VDOM traffic for port3 to vlink1

1. Continuing on the Local-FortiGate GUI, in the VDOM drop-down list, select customer.

2. Click Policy & Objects > Firewall Policy.

3. Click Create New.
4. Configure the following firewall policy to allow traffic to pass from port3 to vlink1:

Field Value

Name Internet

Incoming Interface port3

Outgoing Interface vlink1

Source all

Destination all

Schedule always

Service ALL

Action ACCEPT

41 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT an Inter-VDOM Link Test the Inter-VDOM Link

NAT <disable>

5. Click OK.

To configure firewall policies for inter-VDOM traffic for vlink0 to port1

1. Continuing on the Local-FortiGate GUI, in the VDOM drop-down list, select root.
2. Click Policy & Objects > Firewall Policy.
3. Click Create New.
4. Configure the following policy:

Field Value

Name Internet

Incoming Interface vlink0

Outgoing Interface port1

Source all

Destination all

Schedule always

Service ALL

Action ACCEPT

NAT <enable>

5. Click OK.

Test the Inter-VDOM Link

You will test your configuration to confirm that internet traffic is being routed through the two VDOMs and the inter-
VDOM link.

To test the inter-VDOM link

1. Continuing on the Local-Client VM, open a few browser tabs, and visit a few external HTTP websites, such as:
l http://www.pearsonvue.com/fortinet/
l http://cve.mitre.org
l http://www.eicar.org
Traffic should be flowing through both VDOMs now.

2. Open a terminal window, and then run a traceroute command to an internet public IP address.
traceroute 4.2.2.2

FortiGate Infrastructure 7.2 Lab Guide 42

Fortinet Technologies Inc.
DO Test
NOT REPRINT
the Inter-VDOM Link Exercise 2: Configuring an Inter-VDOM Link

© FORTINET
3. Check the output.
The first hop IP address is 10.0.1.254, which is port3 in the customer VDOM. The second hop IP address
is 10.10.100.1, which is the inter-VDOM link in the root VDOM. The third hop IP address is
10.200.1.254, which is the Linux server.

4. Close the terminal and your browser.

43 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 3: Fortinet Single Sign-On Configuration

In this lab, you will test user authentication using FSSO. The lab uses a demo environment to emulate the
behavior of an active FSSO DC agent from the Local-Client VM using a Python script. Therefore, you will not
configure a DC agent to send logon events from the Local-Client VM.

Objectives
l Review the SSO configuration on FortiGate
l Test the transparent or automatic user identification by generating user logon events
l Monitor the SSO status and operation

Time to Complete
Estimated: 35 minutes

FortiGate Infrastructure 7.2 Lab Guide 44

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file

3. Click the + sign to expand the list.

4. Select the configuration with the comment local-FSSO, and then click Revert.

5. Click OK to reboot.

45 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Configuring FortiGate for FSSO Authentication

In this exercise, you will configure FortiGate for FSSO and test user authentication. The lab uses a demo
environment to emulate the behavior of an active FSSO DC agent from the Local-Client VM using a Python script.
Therefore, you will not configure a DC agent to send logon events from the Local-Client VM.

In the real world, you must configure FortiGate to identify users by polling their logon
events using an FSSO agent, and you must install and configure a collector agent.
FSSO agents are available on the Fortinet Support website
(http://support.fortinet.com).

For FortiGate to communicate and poll information from the FSSO collector agent,
you must assign the polled user to a firewall user group, and then add the user group
as a source on a firewall policy.

Finally, you can verify the user logon event that FortiGate collects. This event is
generated after a user logs in to the Windows Active Directory domain. Therefore, no
firewall authentication is required.

Review the FSSO Configuration on FortiGate

You will review the FSSO configuration and FSSO user groups on FortiGate. FSSO allows FortiGate to
automatically identify the users who connect using SSO. Then, you will add FSSO user groups to the firewall
policies.

To review the FSSO server and FSSO user group configuration on FortiGate
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Security Fabric > External Connectors.
3. Select TrainingDomain, and then click Edit.

4. Review the Endpoint/Identity status in the upper-right corner of the screen, and see that the status is
Disconnected.
Leave the window open.

FortiGate Infrastructure 7.2 Lab Guide 46

Fortinet Technologies Inc.
DO Review
NOTthe FSSO
REPRINT
Configuration on FortiGate Exercise 1: Configuring FortiGate for FSSO Authentication

© FORTINET
To run a script to simulate a user logon event
1. On the Local-Client VM, open a terminal window, and then enter the following commands to simulate a user logon
event:
cd Desktop/FSSO/
python2 fssoreplay.py -l 8000 -f sample.log
2. Keep the terminal window open.
The script continues to run in the background.

To review the FSSO connection and FSSO user groups

1. Continuing on the TrainingDomain window, click Apply & Refresh.
2. Select TrainingDomain, and then click Edit.
3. In the Users/Groups field, click View.

The TRAININGAD/AD-USERS monitored group is displayed.

4. Click X to close the Collector Agent Group Filters window.

5. Click OK.
A green up arrow confirms the communication with the FSSO collector agent is up.

47 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT FortiGate for FSSO Authentication Assign FSSO Users to a Firewall Policy

To assign the FSSO user to an FSSO user group

1. Continuing on the Local-FortiGate GUI, click User & Authentication > User Groups.
2. Click Create New, and then configure the following settings:

Field Value

Name Training

Type Fortinet Single Sign-On (FSSO)

Members TRAININGAD/AD-USERS

The FSSO user is automatically listed because of the selected group type—FSSO.

3. Click OK.

Assign FSSO Users to a Firewall Policy

You will assign your FSSO user group as a source on a firewall policy. This allows you to control access to
network resources based on user identity.

To test the connection without assigning the FSSO user group to a firewall policy
1. On the Local-Client VM, open a new browser, and then go to https://www.fortinet.com.
You can see that all users can access the Fortinet website.

To add the FSSO user group to your firewall policy

1. Return to the browser where you are logged in to the Local-FortiGate GUI, and then click Policy & Objects >
Firewall Policy.
2. Edit the Full_Access firewall policy.
3. In the Source drop-down list, click LOCAL_SUBNET.
4. In the Select Entries section, select User, and then add the Training group.

FortiGate Infrastructure 7.2 Lab Guide 48

Fortinet Technologies Inc.
DO Test
NOT FSSO REPRINT Exercise 1: Configuring FortiGate for FSSO Authentication

5. Click Close, and then click OK.

Test FSSO

After a user logs in, they are automatically identified based on their IP address. As a result, FortiGate allows the
user to access network resources as policy decisions are made.

To test the connection after assigning the FSSO user to the firewall policy
1. On the Local-Client VM, open a new browser tab, and then go to http://support.fortinet.com.

The Python script that is running on Local-Client is already sending user logon events
with the following information:
l user: aduser1
l IP: 10.0.1.10
In this case, the website loads successfully because aduser1 belongs to the
configured user group on a firewall policy.

To review the connection status between the FSSO collector agent and FortiGate
1. On the Local-FortiGate CLI, log in with the username admin and password password.
2. Enter the following commands to show the connection status between FortiGate and each collector agent:
diagnose debug enable
diagnose debug authd fsso server-status
3. Observe the CLI output.
Your FortiGate is connected to the FSSO collector agent.

49 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT FortiGate for FSSO Authentication Test FSSO

© FORTINET
Server Name Connection Status Version Address
----------- ----------------- ------- -------
TrainingDomain connected FSAE server 1.1 10.0.1.10

To monitor communication between the FSSO collector agent and FortiGate

1. Continuing on the Local-FortiGate CLI, log in with the username admin and password password.
2. Enter the following commands:
diagnose debug enable
diagnose debug application authd 8256
3. On the Local-Client VM, on a terminal window, press Ctrl+C to stop the script, and then run the following
command again to simulate a user logon event:
python2 fssoreplay.py -l 8000 -f sample.log
4. View the output of the diagnose command.
[_process_logon: 871]: ADUSER1(10.0.1.10, 0) logged on from TrainingDomain.
[_process_logon:1103]: ADUSER1 (10.0.1.10, 0) from TrainingDomain exists
fsae_io_ctx_process_msg[TrainingDomain]: received heartbeat 100004
fsae_io_ctx_process_msg[TrainingDomain]: received heartbeat 100005

You generated a logon event in the Local-Client VM using the script, and it was
forwarded to FortiGate.

5. Enter the following command to stop the debug process:

diagnose debug reset

To display the FSSO logons

1. Continuing on the Local-FortiGate VM, enter the following command:
diagnose debug authd fsso list
2. Review the output, which shows the FSSO logons.
----FSSO logons----
IP:10.0.1.10 User: ADUSER1 Groups: TRAINING/AD-USERS Workstation
C7280677811.TRAININGAD.TRAINING.LAB MemberOf: Training TRAININGAD/AD-USE Stale
Total number of logons listed: 1, filtered: 0
----end of FSSO logons----

To review the user event logs

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Log & Report > System Events, and then click the View Logs arrow in the User Events widget.

3. Select a log, and then click Details to view more information about it.

FortiGate Infrastructure 7.2 Lab Guide 50

Fortinet Technologies Inc.
DO Test
NOT FSSO REPRINT Exercise 1: Configuring FortiGate for FSSO Authentication

To monitor FSSO logons

1. Continuing on the Local-FortiGate GUI, click Dashboard > Users & Devices, and then double-click Firewall
Users to expand it to full screen.
2. Click Show all FSSO Logons, and then click Refresh if the user's details don't appear.

51 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 4: ZTNA

There is no lab associated with this lesson.

FortiGate Infrastructure 7.2 Lab Guide 52

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 5: SSL VPN

In this lab, you will examine how to configure an SSL VPN connection in tunnel and web modes. You will also
manage user groups and portals for an SSL VPN.

Objectives
l Configure and connect to an SSL VPN
l Enable authentication security
l Configure a firewall policy for SSL VPN users to access private network resources
l Customize the SSL VPN portal for web mode
l Configure FortiClient for the SSL VPN connection in tunnel mode

Time to Complete
Estimated: 40 minutes

53 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file

4. Select the configuration with the comment local-SSL-VPN.conf, and then click Revert.

5. Click OK to reboot.

FortiGate Infrastructure 7.2 Lab Guide 54

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Configuring Web Mode SSL VPN

On FortiGate, there are two modes you can configure to allow remote access through SSL VPN: web mode and
tunnel mode.

In this exercise, you will examine how to test web mode, which allows SSL VPN users to connect from the
Remote-Client VM to resources located in the local subnet (10.0.1.0/24).

Configure the SSL VPN Settings

You will configure the SSL VPN settings to allow the remote connection shown in the following image:

To create a user for SSL VPN connections

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click User & Authentication > User Definition.
3. Click Create New.
4. Click Local User, and then click Next.
5. Type the following credentials for the remote user, and then click Next:

Username student

Password fortinet

6. Leave the contact information empty, and click Next.

7. For User Account Status, verify that Enabled is selected.
8. Enable User Group, click the + that appears, and then in the right pane, select SSL_VPN_USERS.
9. Click Submit.

The SSL_VPN_USERS group was preconfigured for the purpose of this lab.

To review the settings of this group, click User & Authentication > User Groups.

55 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT Web Mode SSL VPN Create a Firewall Policy for SSL VPN

© FORTINET
To configure the SSL VPN settings for web access
1. Continuing on the Local-FortiGate GUI, click VPN > SSL-VPN Settings.
2. In the Connection Settings section, configure the following settings:

Field Value

Listen on Interface(s) port1

Listen on Port 10443

Restrict Access Allow access from any host

Server Certificate Fortinet_Factory

Inactive For 3000 seconds

3. In the Tunnel Mode Client Settings section, verify the following setting:

Field Value

Address Range Automatically assign addresses

4. In the Authentication/Portal Mapping section, select All Other Users/Groups, and then click Edit.

5. In the Portal drop-down list, select web-access, and then click OK.
6. Click Apply to save the changes.
Notice the warning message displayed at the top of this page. It indicates that you must create a firewall policy
for SSL VPN connections.

Create a Firewall Policy for SSL VPN

You will create a firewall policy that allows traffic to the local subnet (10.0.1.0/24) from remote users connected
to the SSL VPN portal.

FortiGate Infrastructure 7.2 Lab Guide 56

Fortinet Technologies Inc.
DO Create
NOT REPRINT
a Firewall Policy for SSL VPN Exercise 1: Configuring Web Mode SSL VPN

To create a firewall policy for SSL VPN

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. Click Create New, and then configure the following firewall policy settings:

Field Value

Name SSL-VPN-Access

Incoming Interface SSL-VPN tunnel interface (ssl.root)

Outgoing Interface port3

Source Address > SSLVPN_TUNNEL_ADDR1

User > SSL_VPN_USERS

Destination LOCAL_SUBNET

Schedule always

Service ALL

Action ACCEPT

Inspection mode Flow-based

NAT Disabled

3. Click OK to save the configuration.

The SSL VPN firewall policy allows traffic only from users in the SSL_VPN_Users
group.

4. Log out of the Local-Client VM.

57 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT Web Mode SSL VPN Test the SSL VPN Access

You must log out of the Local-Client VM before proceeding to the next step of the lab.

Test the SSL VPN Access

You will test the SSL VPN by accessing resources remotely in the local subnet (10.0.1.0/24).

For this, you will connect to the SSL VPN portal using the Remote-Client VM, and then you will create an RDP
connection to the Local-Client VM.

To access the SSL VPN portal

1. In your lab environment, connect to the Remote-Client VM.
2. Open Firefox, and then connect to:
https://10.200.1.1:10443/
A security warning appears.

FortiGate Infrastructure 7.2 Lab Guide 58

Fortinet Technologies Inc.
DO Test
NOT REPRINT
the SSL VPN Access Exercise 1: Configuring Web Mode SSL VPN

Why do you receive a security warning?

For SSL connections, FortiGate is using a built-in certificate, which is signed by a certificate authority that
the browser does not trust.

3. Click Advanced, and then click Accept the Risk and Continue.
The remote login page opens.

4. Log in with the username student and password fortinet.

The SSL VPN web portal opens. The portal is using default settings.

To test the SSL VPN portal

1. Continuing on the SSL VPN portal where you are logged in as student, click Quick Connection.
Notice all the available options the SSL VPN portal allows for connections.

2. Click RDP, and then configure the following setting:

Field Value

Host 10.0.1.10

3. Keep the default values for the remaining settings, and then click Launch.
4. Log in with the username Administrator and password password.
5. Click OK.
You are now remotely connected to the Local-Client VM.

6. Log out of the Local-Client RDP session.

59 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT Web Mode SSL VPN Add an Administrator-Based Bookmark to the SSL VPN Portal

You must log out of the Local-Client VM before proceeding to the next step of the lab.

7. Close the web browser that is running the RDP session.

8. In the upper-right corner, click student > Logout to log out of the SSL VPN portal.

Add an Administrator-Based Bookmark to the SSL VPN Portal

You will customize the SSL VPN portal with a new color and a predefined bookmark.

To customize the SSL VPN portal

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click VPN > SSL-VPN Portals.
3. Select web-access, and then click Edit.
4. Configure the following settings:

Field Value

Portal Message My Portal

Theme Neutrino

Show Connection Launcher <disable>

User Bookmarks <disable>

5. In the Predefined Bookmarks section, click Create New, and then configure the following settings:

Field Value

Name Local-Client VM

Type HTTP/HTTPS

URL http://10.0.1.10

Single Sign-On Disable

6. Click OK.
7. Click OK again to save the portal settings.

FortiGate Infrastructure 7.2 Lab Guide 60

Fortinet Technologies Inc.
DO Test
NOT REPRINT
SSL VPN Access Using the Predefined Bookmark Exercise 1: Configuring Web Mode SSL VPN

You will connect to the SSL VPN portal on the Remote-Client VM again to access the resources in the local subnet
(10.0.1.0/24).

For this, you will access the Local-Client VM using the predefined bookmark on the SSL VPN portal.

Notice that the SSL VPN portal looks different and provides fewer settings.

To test the bookmark

1. Return to the Remote-Client VM.
2. Open Firefox, and then reconnect to the SSL VPN portal at:
https://10.200.1.1:10443/
3. Log in with the username student and password fortinet.
Notice that the SSL VPN portal no longer allows quick connections or allows you to add bookmarks.

4. Click the Local-Client VM bookmark.

You will connect to the web server running on the Local-Client VM at 10.0.1.10.

61 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT Web Mode SSL VPN Examine the Web Mode Mechanism (Reverse HTTP Proxy)

You will examine the reverse HTTP proxy mechanism to learn how SSL VPN connections in web mode work.

To examine the reverse HTTP proxy mechanism

1. Continuing on the Remote-Client VM where you are connected to the web server running on the Local-Client VM
at 10.0.1.10, examine the URL in the address bar.

If you were on the local network while accessing the website, the address would be http://10.0.1.10.
But, because you are accessing the website remotely through the FortiGate HTTP proxy, the URL is different.

Notice the URL structure in the browser address bar:

https://10.200.1.1:10443/proxy/..../http/10.0.1.10/
What does it mean?

Part of the URL Description

https://10.200.1.1:10443 Indicates that the connection is SSL/TLS-encrypted, and that the portal is
on the FortiGate port1 SSL VPN gateway

/proxy/..../http/ Indicates that the connection is being handled by the FortiGate HTTP
reverse proxy

10.0.1.10/ Indicates the destination IP address of the website inside your private
network, which you are accessing through the VPN

FortiGate encrypts the connection to the browser, but the destination server IP address
in the URL is displayed in cleartext, not hidden from users. The secondary connection,
from the FortiGate HTTP proxy to the bookmarked website, is not encrypted.

Monitor an SSL VPN User

You will monitor and disconnect an SSL VPN user from the FortiGate GUI.

To monitor and disconnect an SSL VPN user

1. Return to the Local-FortiGate GUI.
2. Click Dashboard > Network, and then view the SSL-VPN widget.
You can see that the student user is connecting from the remote host 10.200.3.1.

FortiGate Infrastructure 7.2 Lab Guide 62

Fortinet Technologies Inc.
DO Monitor
NOTan SSL
REPRINT
VPN User Exercise 1: Configuring Web Mode SSL VPN

© FORTINET
3. Right-click student, and then select End Session.
4. Click OK.
The student user no longer appears in the SSL VPN monitor.

63 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Configuring SSL VPN Tunnel Mode

In this exercise, you will examine how to change the SSL VPN settings to allow remote access to the resources in
the local subnet (10.0.1.0/24), but perform a connection in tunnel mode from the Remote-Client VM.

You will use the remote access module of FortiClient, which supports the Fortinet SSL VPN client.

FortiClient is already installed on the Remote-Client VM.

Add Tunnel Mode

You will change the SSL VPN portal mapping settings to use tunnel-access, to allow connections in tunnel mode
only.

The full-access setting available on FortiGate supports both web and tunnel modes.

To add tunnel mode

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click VPN > SSL-VPN Settings.
3. In the Authentication/Portal Mapping section, select All Other Users/Groups, and then click Edit.

4. In the Portal drop-down list, select tunnel-access, and then click OK.
5. Click Apply.

FortiGate Infrastructure 7.2 Lab Guide 64

Fortinet Technologies Inc.
DO Configure
NOTtheREPRINT
Routing for Tunnel Mode Exercise 2: Configuring SSL VPN Tunnel Mode

You will establish the routing address to use in tunnel mode.

Notice that in tunnel mode, FortiClient establishes one or more routes in the SSL VPN user's host after the tunnel
is connected. Traffic destined to the internal subnets is correctly routed through the tunnel.

To configure the routing for tunnel mode

1. Continuing on the Local-FortiGate GUI, click VPN > SSL-VPN Portals.
2. Select the tunnel-access portal, and then click Edit.
3. In the Tunnel Mode section, set the Routing Address Override to LOCAL_SUBNET.

4. Click OK.

Configure FortiClient for SSL VPN Connections

SSL VPN connections in tunnel mode require FortiClient. You will use FortiClient, which is installed on the
Remote-Client VM, to test your configuration.

To configure FortiClient for SSL VPN

1. Connect to the Remote-Client VM.
2. Click Desktop > forticlientsslvpn > 64bit, and then double-click forticlientsslvpn to configure SSL VPN client
settings.
3. Configure the following settings for the FortiClient SSLVPN application:

Field Value

Server 10.200.1.1

Customize port 10443

65 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT SSL VPN Tunnel Mode Test SSL VPN in Tunnel Mode

You will connect using the student account to test tunnel mode.

To connect in tunnel mode

1. Continuing on the FortiClient SSLVPN application, in the User field, type student, and in the Password field,
type fortinet.

2. Click Connect.
3. Click Continue to accept the certificate.
The tunnel is connected.

To test the tunnel

1. Continuing on the Remote-Client VM, open Firefox, and then access the following URL:
http://10.0.1.10
2. Look at the URL.
You are connected to the web server URL as if you were based in the local subnet (10.0.1.0/24).

FortiGate Infrastructure 7.2 Lab Guide 66

Fortinet Technologies Inc.
DO Review
NOTVPNREPRINT
Events Exercise 2: Configuring SSL VPN Tunnel Mode

© FORTINET
This time, you are not using the reverse HTTP proxy as in the case of web-access mode. The IP traffic is
directly encapsulated over HTTPS and sent through the tunnel.

3. Return to FortiClient, and then click Stop.

To attempt SSL VPN access by web mode

1. Continuing on the Remote-Client VM, open a web browser, and then log in to the SSL VPN portal at
https://10.200.1.1:10443/ with the username student and password fortinet.
2. After you log in to the SSL VPN connection, FortiGate displays the following warning message:

3. Click student > Logout to log out of the SSL VPN portal.

Review VPN Events

You will review the VPN events for both of the SSL VPN connections you performed in this lab (web and tunnel
modes).

To review VPN events for SSL VPN connections

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Log & Report > System Events, and then click View Logs arrow button on the VPN Eventswidget.

3. Compare the log details of the tunnel-up logs you see.

Hint: Use your log filters to filter on Action = tunnel-up.

The most recent tunnel-up log shows one IP address under Remote IP. This log shows the recent
connection to the SSL VPN portal. Even though the SSL VPN portal presented a warning message and did
not allow remote access to the local resources, FortiGate shows that an SSL VPN connection was
established and the tunnel was up.

67 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
REPRINT SSL VPN Tunnel Mode Review VPN Events

The second most recent tunnel-up log in the VPN event list shows the SSL VPN connection in tunnel mode
through FortiClient. Notice this log presents two IP addresses:
l Remote IP: IP address of the remote user's gateway (egress interface)
l Tunnel IP: IP address FortiGate assigns to the virtual network adapter fortissl

Stop and think!

Aside from SSL VPN connections in web mode showing one IP address and in tunnel mode showing two IP
addresses, which other indicator shows how SSL VPN users are connected?

Notice the following Tunnel Type indicators in the log details shown in the previous step:
l ssl-web is for web mode
l ssl-tunnel is for tunnel mode

FortiGate Infrastructure 7.2 Lab Guide 68

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Lab 6: IPsec VPN Configuration

In this lab, you will configure site-to-site IPsec VPN tunnels between two FortiGate devices. First, you will
configure a dial-up tunnel, and then a static tunnel. Then, you will add a second VPN tunnel that will act as a
backup tunnel between the FortiGate devices.

Objectives
l Deploy a site-to-site VPN between two FortiGate devices
l Set up dial-up and static remote gateways
l Configure redundant VPNs between two FortiGate devices

Time to Complete
Estimated: 50 minutes

69 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Prerequisites
Before beginning this lab, you must restore a configuration file to Remote-FortiGate and Local-FortiGate.

Make sure that you restore the correct configuration on each FortiGate, using the
following steps. Failure to restore the correct configuration on each FortiGate will
prevent you from doing the lab exercises.

To restore the Remote-FortiGate configuration file

1. Connect to the Remote-FortiGate GUI, and then log in with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Revisions.

3. Click the + sign to expand the list.

4. Select the configuration with the comment initial, and then click Revert.

5. Click OK to reboot.

To restore the Local-FortiGate configuration file

FortiGate Infrastructure 7.2 Lab Guide 70

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET

3. Click the + sign to expand the list.

4. Select the configuration with the comment initial, and then click Revert.

5. Click OK to reboot.

71 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 1: Configuring a Dial-Up IPsec VPN Between
Two FortiGate Devices

In this exercise, you will configure a dial-up VPN between Local-FortiGate and Remote-FortiGate. Local-FortiGate
will act as the dial-up server and Remote-FortiGate will act as the dial-up client.

Create Phase 1 and Phase 2 on Local-FortiGate (Dial-Up Server)

You will configure the IPsec VPN by creating phase 1 and phase 2.

To create phase 1 and phase 2

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click VPN > IPsec Tunnels, and then click Create New > IPsec Tunnel.
3. Configure the following settings:

Field Value

Name ToRemote

Template type Custom

4. Click Next.
5. In the Network section, configure the following settings:

Field Value

Remote Gateway Dialup User

Interface port1

Dead Peer Detection On Idle

6. In the Authentication section, configure the following settings:

Field Value

Method Pre-shared Key

Pre-shared Key fortinet

Mode Aggressive

Accept Types Specific peer ID

Peer ID Remote-FortiGate

FortiGate Infrastructure 7.2 Lab Guide 72

Fortinet Technologies Inc.
DO Create
NOT Phase 1 and Phase 2 on Local-FortiGate
(Dial-Up REPRINT
Server)
Exercise 1: Configuring a Dial-Up IPsec VPN Between Two
FortiGate Devices

© FORTINET
Setting a peer ID is useful when there are multiple dial-up tunnels on the FortiGate
acting as the dial-up server, and you want dial-up clients to connect to a specific tunnel.

7. In the Phase 2 Selectors section, configure the following setting:

Field Value

Local Address 10.0.1.0/24

8. Keep the default values for the remaining settings.

9. Click OK.

l You do not need to add a static route because it is a dial-up VPN. FortiGate
dynamically adds or removes appropriate routes to each dial-up peer, each time
the peer VPN is trying to connect.
l Even though you could have configured 10.0.2.0/24 as the Remote Address
instead of 0.0.0.0/0, it is more convenient to use the latter for scalability
purposes. That is, when you have multiple remote peers, each with different remote
subnets, using 0.0.0.0/0 as the remote subnet results in the dial-up server
accepting any subnet during the tunnel negotiation. This allows multiple remote
peers to use the same phase 2 selector configuration. For this exercise, there is
only one remote peer (Remote-FortiGate). Local-FortiGate then learns about the
remote subnet 10.0.2.0/24 when Remote-FortiGate connects to the tunnel.
However, if there are more remote peers with different remote subnets, you do not
need to change the existing dial-up server configuration for the additional remote
peers to be able to connect.

73 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1:Devices
FortiGate
Configuring a Dial-Up IPsec VPN Between Two
REPRINT Create Firewall Policies for VPN Traffic on Local-
FortiGate (Dial-Up Server)

You will create two firewall policies between port3 and To Remote—one for each traffic direction.

To create firewall policies for VPN traffic

1. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. Click Create New.
3. Configure the following settings:

Field Value

Name Remote_out

Incoming Interface port3

Outgoing Interface ToRemote

Source LOCAL_SUBNET

Destination REMOTE_SUBNET

Schedule always

Service ALL

Action ACCEPT

4. In the Firewall/Network Options section, disable NAT.

5. Click OK.
6. Click Create New again.
7. Configure the following settings:

Field Value

Name Remote_in

Incoming Interface ToRemote

Outgoing Interface port3

Source REMOTE_SUBNET

Destination LOCAL_SUBNET

Schedule always

Service ALL

Action ACCEPT

FortiGate Infrastructure 7.2 Lab Guide 74

Fortinet Technologies Inc.
DO Create
NOT Phase 1 and Phase 2 on Remote-FortiGate
(Dial-Up REPRINT
Client)
Exercise 1: Configuring a Dial-Up IPsec VPN Between Two
FortiGate Devices

Create Phase 1 and Phase 2 on Remote-FortiGate (Dial-Up Client)

You will create phase 1 and phase 2 on Remote-FortiGate.

To create phase 1 and phase 2

1. Connect to the Remote-FortiGate GUI, and then log in with the username admin and password password.
2. Click VPN > IPsec Tunnels, and then click Create New > IPsec Tunnel.
3. Configure the following settings:

Field Value

Name ToLocal

Template type Custom

4. Click Next.
5. In the Network section, configure the following settings:

Field Value

Remote Gateway Static IP Address

IP Address 10.200.1.1

Interface port4

Dead Peer Detection On Idle

6. In the Authentication section, configure the following settings:

Field Value

Method Pre-shared Key

Pre-shared Key fortinet

75 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1:Devices
FortiGate
Configuring a Dial-Up IPsec VPN Between Two
REPRINT Create Phase 1 and Phase 2 on Remote-FortiGate
(Dial-Up Client)

Mode Aggressive

Accept Types Any peer ID

7. In the Phase 1 Proposal section, configure the following settings:

Field Value

Local ID Remote-FortiGate

The local ID should be the same as the peer ID that you configured on Local-FortiGate,
which is acting as the dial-up server.

8. In the Phase 2 Selectors section, configure the following settings:

Field Value

Local Address 10.0.2.0/24

Remote Address 10.0.1.0/24

FortiGate Infrastructure 7.2 Lab Guide 76

Fortinet Technologies Inc.
DO Create
NOT a Static Route for VPN Traffic on Remote-
FortiGate REPRINT
(Dial-Up Client)
Exercise 1: Configuring a Dial-Up IPsec VPN Between Two
FortiGate Devices

9. Keep the default values for the remaining settings.

10. Click OK.

Except for Local Address and Remote Address, all phase 1 and phase 2 settings
on both VPN peers mirror each other. For dial-up IPsec VPN, the local and remote
addresses do not have to mirror for the tunnel to come up.

Create a Static Route for VPN Traffic on Remote-FortiGate (Dial-Up Client)

You will create one static route on Remote-FortiGate. This step was not necessary on Local-FortiGate because,
as the dial-up server, it automatically adds the route for the remote network after the tunnel comes up.

To create a static route for VPN traffic on Remote-FortiGate

1. On the Remote-FortiGate GUI, click Network > Static Routes.
2. Click Create New.
3. Configure the following settings:

Field Value

Destination Subnet

10.0.1.0/24

Interface ToLocal

77 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT
Two
1: Configuring a Dial-Up IPsec VPN Between
REPRINT
FortiGate Devices
Create the Firewall Policies for VPN Traffic on Remote-
FortiGate (Dial-Up Client)

4. Click OK.

Create the Firewall Policies for VPN Traffic on Remote-FortiGate (Dial-Up

Client)

You will create two firewall policies between port6 and To Local—one for each traffic direction.

To create firewall policies for VPN traffic

1. On the Remote-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. Click Create New.
3. Configure the following settings:

Field Value

Name Local_out

Incoming Interface port6

Outgoing Interface ToLocal

Source REMOTE_SUBNET

Destination LOCAL_SUBNET

Schedule always

Service ALL

Action ACCEPT

4. In the Firewall/Network Options section, disable NAT.

5. Click OK.

FortiGate Infrastructure 7.2 Lab Guide 78

Fortinet Technologies Inc.
DO Test
NOT REPRINT
and Monitor the VPN Exercise 1: Configuring a Dial-Up IPsec VPN Between Two FortiGate Devices

Field Value

Name Local_in

Incoming Interface ToLocal

Outgoing Interface port6

Source LOCAL_SUBNET

Destination REMOTE_SUBNET

Schedule always

Service ALL

Action ACCEPT

8. In the Firewall/Network Options section, disable NAT.

9. Click OK.

Test and Monitor the VPN

Now that you configured the VPN on both FortiGate devices, you will test the VPN.

To test the VPN

1. On the Remote-FortiGate GUI, click Dashboard > Network > IPsec.
2. Click the + sign beside Custom to expand the custom VPN tunnel section.
Notice that the ToLocal VPN is currently down.

3. Right-click the VPN, and then click Bring Up > All Phase 2 Selectors to bring up the tunnel.

79 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT a Dial-Up IPsec VPN Between Two FortiGate Devices Test and Monitor the VPN

The Name column of the VPN now contains a green up arrow, which indicates that the tunnel is up. If
required, click the refresh button in the upper-right corner to refresh the widget information.

Stop and think!

Do you always have to manually bring up the tunnel after you create it?

No. With the current configuration, the tunnel will stay down until you manually bring it up, or there is traffic
that should be routed through the tunnel. Because you are not generating traffic between the 10.0.2.0/24
and 10.0.1.0/24 subnets yet, the tunnel is still down. If you had generated the required traffic while the
tunnel was down, it would have come up automatically.

You can initiate a tunnel only from Remote-FortiGate because it is the dial-up client.

4. On the Remote-Client VM, open a terminal window, and then enter the following command to ping the Local-Client
VM:
ping 10.0.1.10
The ping should work.

5. On the Remote-FortiGate GUI, click Dashboard > Network > IPsec.

6. Click the refresh button in the upper-right corner multiple times to refresh the widget information.
You will notice that the counters for Incoming Data and Outgoing Data increase over time. This indicates
that the traffic between 10.0.1.10 and 10.0.2.10 is being encrypted successfully and routed through the
tunnel.

7. On the Local-FortiGate GUI, click Dashboard > Network > Routing.

Find the static route that was dynamically added to the FortiGate device.

8. View the route details.

FortiGate Infrastructure 7.2 Lab Guide 80

Fortinet Technologies Inc.
DO Test
NOT REPRINT
and Monitor the VPN Exercise 1: Configuring a Dial-Up IPsec VPN Between Two FortiGate Devices

9. On the Remote-Client VM, press Ctrl+C to stop the ping.

81 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 2: Configuring a Static IPsec VPN Between Two
FortiGate Devices

In this exercise, you will configure a static VPN between Local-FortiGate and Remote-FortiGate. You will also
configure a static route on Local-FortiGate for VPN traffic.

Before beginning this lab, you must restore a configuration file to Local-FortiGate.

Make sure that you restore the correct configuration on Local-FortiGate, using the
following steps. Failure to restore the correct configuration on Local-FortiGate will
prevent you from doing the lab exercise.

To restore the Local-FortiGate configuration file

3. Click the + sign to expand the list.

4. Select the configuration with the comment local-ipsec-vpn, and then click Revert.

FortiGate Infrastructure 7.2 Lab Guide 82

Fortinet Technologies Inc.
DO Create
NOT Phase 1 and Phase 2 on Local-
FortiGate REPRINT Exercise 2: Configuring a Static IPsec VPN Between Two FortiGate
Devices

5. Click OK to reboot.

Create Phase 1 and Phase 2 on Local-FortiGate

You will configure the IPsec VPN by creating phase 1 and phase 2.

To create phase 1 and phase 2

Field Value

Name ToRemote

Template type Custom

4. Click Next.
5. In the Network section, configure the following settings:

83 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Configuring
Devices REPRINT a Static IPsec VPN Between Two FortiGate Create Phase 1 and Phase 2 on Local-
FortiGate

Remote Gateway Static IP Address

IP Address 10.200.3.1

Interface port1

Dead Peer Detection On Idle

6. In the Authentication section, configure the following settings:

Field Value

Method Pre-shared Key

Pre-shared Key fortinet

Mode Aggressive

Accept Types Any peer ID

7. In the Phase 2 Selectors section, configure the following settings:

Field Value

Local Address 10.0.1.0/24

Remote Address 10.0.2.0/24

8. Keep the default values for the remaining settings.

9. Click OK.

FortiGate Infrastructure 7.2 Lab Guide 84

Fortinet Technologies Inc.
DO Create
NOT a Static Route for VPN Traffic on Local-
FortiGate REPRINT Exercise 2: Configuring a Static IPsec VPN Between Two FortiGate
Devices

You will create one static route on Local-FortiGate.

To create a static route for VPN traffic on Local-FortiGate

1. On the Local-FortiGate GUI, click Network > Static Routes.
2. Click Create New.
3. Configure the following settings:

Field Value

Destination Subnet

10.0.2.0/24

Interface ToRemote

4. Click OK.

Create Firewall Policies for VPN Traffic on Local-FortiGate

You will create two firewall policies between port3 and ToRemote—one for each traffic direction.

To create firewall policies for VPN traffic

1. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. Click Create New.
3. Configure the following settings:

85 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2:Devices
FortiGate
Configuring a Static IPsec VPN Between Two
REPRINT Create Firewall Policies for VPN Traffic on Local-
FortiGate

Name Remote_out

Incoming Interface port3

Outgoing Interface ToRemote

Source LOCAL_SUBNET

Destination REMOTE_SUBNET

Schedule always

Service ALL

Action ACCEPT

4. In the Firewall/Network Options section, disable NAT.

5. Click OK.
6. Click Create New again.
7. Configure the following settings:

Field Value

Name Remote_in

Incoming Interface ToRemote

Outgoing Interface port3

Source REMOTE_SUBNET

Destination LOCAL_SUBNET

Schedule always

Service ALL

Action ACCEPT

8. In the Firewall/Network Options section, disable NAT.

9. Click OK.

FortiGate Infrastructure 7.2 Lab Guide 86

Fortinet Technologies Inc.
DO Test
NOT REPRINT
and Monitor the VPN Exercise 2: Configuring a Static IPsec VPN Between Two FortiGate Devices

You will test the VPN and monitor its status.

To test the VPN

1. On the Local-FortiGate GUI, click Dashboard > Network > IPsec.
2. Click the + sign beside Custom to expand the custom VPN tunnel section.
Notice that the ToRemote VPN is currently down.

3. Right-click the VPN, and then click Bring Up > All Phase 2 Selectors.

4. In the top-right corner, click the refresh button to refresh the widget information.
The Name column of the VPN now contains a green up arrow, which indicates that the tunnel is up.

5. On the Remote-Client VM, open a terminal window, and then enter the following command to ping the Local-Client
VM:
ping 10.0.1.10
The ping should work.

6. On the Local-FortiGate GUI, click Dashboard > Network > IPsec.

7. In the upper-right corner, click the refresh button multiple times to refresh the widget information.
You will notice that the counters for Incoming Data and Outgoing Data increase over time. This indicates
that the traffic between 10.0.1.10 and 10.0.2.10 is being encrypted successfully and routed through the
tunnel.

8. On the Remote-Client VM, press Ctrl+C to stop the ping.

87 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Exercise 3: Configuring Redundant Static IPsec VPN
Tunnels Between Two FortiGate Devices

In this exercise, you will configure one more VPN tunnel between Local-FortiGate and Remote-FortiGate for
redundancy purposes. You must first restore a configuration file on Remote-FortiGate.

Prerequisites

Before beginning this exercise, you must restore a configuration file on Remote-FortiGate.

Make sure that you restore the correct configuration on Remote-FortiGate, using the
following steps. Failure to restore the correct configuration on Remote-FortiGate will
prevent you from doing the lab exercise.

After you load the configurations, Remote-FortiGate will be preconfigured for VPN
redundancy. This exercise provides instructions to review the configuration for
Remote-FortiGate.

To restore the Remote-FortiGate configuration file

3. Click the + sign to expand the list.

4. Select the configuration with the comment remote-redundant-ipsec-vpn, and then click Revert.

5. Click OK to reboot.

FortiGate Infrastructure 7.2 Lab Guide 88

Fortinet Technologies Inc.
DO Check
NOT the IPsec VPN Tunnel on Local-
FortiGate REPRINT Exercise 3: Configuring Redundant Static IPsec VPN Tunnels Between Two
FortiGate Devices

You just restored a configuration file to Remote-FortiGate. You will now check the status of the ToRemote VPN
on Local-FortiGate.

To check the VPN on Local-FortiGate

1. On the Local-FortiGate GUI, click Dashboard > Network > IPsec.
2. Click the + sign beside Custom to expand the custom VPN tunnel section.
Notice that the ToRemote VPN is currently down.

If the ToRemote VPN still appears up, wait a few more seconds, and then press
Ctrl+R to refresh the page. The tunnel will be brought down automatically by dead
peer detection (DPD) approximately 60 seconds after the configuration is restored on
Remote-FortiGate.

3. Right-click the VPN, and then click Bring Up > All Phase 2 Selectors.

4. In the upper-right corner, click the refresh button to refresh the widget information.
The Name column of the VPN shows a red down arrow, indicating that the tunnel is still down.

After you restore the configuration on Remote-FortiGate, the configuration for the
tunnel on Remote-FortiGate no longer mirrors the configuration on Local-FortiGate,
which is why the tunnel does not come up this time. You will fix this in the next
procedure.

89 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT
Two
3: Configuring Redundant Static IPsec VPN Tunnels Between
REPRINT
FortiGate Devices
Review the VPN Configuration on Both
FortiGate Devices

Phase 1 and phase 2 settings on both peers are no longer a mirror of each other. You will review the VPN
configuration on each FortiGate and identify the differences. After that, you will apply the changes to the Local-
FortiGate configuration so it mirrors the configuration on Remote-FortiGate.

To review the VPN configuration on both FortiGate devices

1. On the Local-FortiGate GUI, click VPN > IPsec Tunnels, and then double-click ToRemote to review the tunnel
settings.
2. On the Remote-FortiGate GUI, click VPN > IPsec Tunnels, and then double-click ToLocal to review the tunnel
settings.
3. Compare the settings in the Authentication section on each FortiGate.

Stop and think!

What are the differences in the VPN configuration between the two FortiGate devices?

Authentication
l Local-FortiGate uses aggressive mode for IKE, while Remote-FortiGate uses main mode.

To change the VPN configuration on Local-FortiGate

1. On the Local-FortiGate GUI, click VPN > IPsec Tunnels, and then double-click ToRemote to edit the tunnel
settings.
2. Click the Authentication section, and then configure the following setting:

Field Value

Mode Main (ID protection)

3. Click OK.

Test and Monitor the VPN

Now that you fixed the VPN configuration on Local-FortiGate, you will test the VPN. Instead of bringing up the
tunnel manually, you will generate traffic to bring the tunnel up.

FortiGate Infrastructure 7.2 Lab Guide 90

Fortinet Technologies Inc.
DO Create
NOT
IPsec
a Backup VPN Tunnel Using the
REPRINT
Wizard
Exercise 3: Configuring Redundant Static IPsec VPN Tunnels Between
Two FortiGate Devices

© FORTINET
To test the VPN
1. On the Remote-Client VM, open a terminal window, and then enter the following command to ping the Local-Client
VM:
ping 10.0.1.10
The ping should work.

The first few pings will fail while FortiGate negotiates and establishes the VPN.

2. On the Local-FortiGate GUI, click Dashboard > Network > IPsec.

3. Click the + sign beside Custom to expand the custom VPN tunnel section.
Notice that the ToRemote VPN is currently up.

4. On the Remote-Client VM, press Ctrl+C to stop the ping.

Create a Backup VPN Tunnel Using the IPsec Wizard

You will configure a backup VPN tunnel on Local-FortiGate, named ToRemoteBackup, for redundancy
purposes. To configure the new tunnel, you will use the IPsec wizard. On the Remote-FortiGate, the backup VPN
tunnel was preconfigured and named ToLocalBackup.

To create a VPN using the IPsec wizard

1. On the Local-FortiGate GUI, click VPN > IPsec Tunnels, and then click Create New > IPsec Tunnel.
2. Configure the following settings:

Field Value

Name ToRemoteBackup

Template type Site to Site

NAT configuration No NAT between sites

Remote device type FortiGate

3. Click Next.
4. Configure the following settings:

91 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT
Two
3: Configuring Redundant Static IPsec VPN Tunnels Between
REPRINT
FortiGate Devices
Create a Backup VPN Tunnel Using the
IPsec Wizard

Remote device IP Address

Remote IP address 10.200.4.1

Outgoing Interface port2

Authentication method Pre-shared Key

Pre-shared key fortinet

5. Click Next.
6. Configure the following settings:

Field Value

Local interface port3

Local subnets 10.0.1.0/24

Remote Subnets 10.0.2.0/24

Internet Access None

7. Click Next.
8. Click Create.
You should see the following screen:

9. Click Create to create the new VPN tunnel.

10. Click Show Tunnel List, and then click the + sign beside Site to Site - FortiGate to expand the VPN tunnel
section.
You will see the VPN you just created.

FortiGate Infrastructure 7.2 Lab Guide 92

Fortinet Technologies Inc.
DO Review
NOTthe Objects
Created REPRINTthe IPsec Wizard Exercise 3: Configuring Redundant Static IPsec VPN Tunnels Between Two
FortiGate Devices

Review the Objects the IPsec Wizard Created

You will review the objects that the IPsec wizard created.

To review the objects the IPsec wizard created

1. On the Local-FortiGate GUI, click VPN > IPsec Tunnels, and then double-click ToRemoteBackup to review the
tunnel settings.
Notice the quick mode selectors that the wizard configured for you.

2. Click Cancel.
3. Click Policy & Objects > Addresses, and then click the + icon to expand Address Group.
Observe the following new firewall address objects:
l ToRemoteBackup_local_subnet_1, a member of the ToRemoteBackup_local address group
l ToRemoteBackup_remote_subnet_1, a member of the ToRemoteBackup_remote address group

93 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT3:Devices
FortiGate
Configuring Redundant Static IPsec VPN Tunnels Between Two
REPRINT Review the Objects the IPsec Wizard
Created

4. Click Policy & Objects > Firewall Policy.

Observe the two new firewall policies: one from port3 to ToRemoteBackup and another from
ToRemoteBackup to port3. You will see that the Action in both cases is ACCEPT.

5. Click Network > Static Routes, and then view the static route the wizard added.

FortiGate Infrastructure 7.2 Lab Guide 94

Fortinet Technologies Inc.
DO Adjust
NOT Routing for the Backup VPN Tunnel on
REPRINT
Local-FortiGate
Exercise 3: Configuring Redundant Static IPsec VPN Tunnels Between
Two FortiGate Devices

Why did the IPsec wizard add a second route using the blackhole interface?

FortiGate drops all packets routed to the blackhole interface. The IPsec wizard added two static routes: one
to the IPsec virtual interface, with a distance of 10, and one to the blackhole interface, with a distance of 254.
The route with the lowest distance, the one to the IPsec virtual interface, takes precedence. However, if the
VPN is down, the route to the blackhole interface becomes active, even though it was originally the route
with the higher distance. So, traffic destined to the VPN is now routed to the blackhole interface and
dropped. The route to the blackhole interface prevents FortiGate from sending VPN traffic to the default
route while the VPN is down. The route to the blackhole interface also prevents FortiGate from creating
unnecessary sessions in the session table.

Adjust Routing for the Backup VPN Tunnel on Local-FortiGate

You will increase the administrative distance of the static route the IPsec wizard created for the
ToRemoteBackup VPN, so the tunnel is only used when the ToRemote VPN is down.

To configure a backup VPN on Local-FortiGate

1. On the Local-FortiGate GUI, click Network > Static Routes.
2. Double-click the static route created for ToRemoteBackup to edit the settings.

3. Configure the following setting:

Field Value

Administrative Distance 20

95 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT
Two
3: Configuring Redundant Static IPsec VPN Tunnels Between
REPRINT
FortiGate Devices
Review the Backup VPN Configuration on
Remote-FortiGate

4. Click OK.

Review the Backup VPN Configuration on Remote-FortiGate

For the purpose of this lab, the backup VPN configuration on Remote-FortiGate was preconfigured for you. The
configuration also includes a zone to reduce the number of firewall policies needed for the redundant VPNs. You
will review this configuration.

To review the Remote-FortiGate configuration

1. On the Remote-FortiGate GUI, click VPN > IPsec Tunnels, and then double-click ToLocalBackup to review the
tunnel settings.
2. Click Network > Static Routes, and then view ToLocalBackup to review the static route for the backup VPN.
3. Click Network > Interfaces, and then expand the Zone section to view the VPN zone details to review the
interface zone.
4. Click Policy & Objects > Firewall Policy, and then view the Local_out and Local_in policies to review the
firewall policies for VPN traffic on Remote-FortiGate.

Test VPN Redundancy

You will test the VPN failover. You will use the sniffer tool to monitor which VPN tunnel the traffic is using.

To test VPN redundancy

1. On the Local-FortiGate CLI, log in with the username admin and password password.
2. Enter the following command to sniff all ICMP traffic to 10.0.2.10 with verbosity 4:
diagnose sniffer packet any 'icmp and host 10.0.2.10' 4
3. On the Local-Client VM, open a terminal window, and then run a continuous ping to Remote-Client, using the
following command:
ping 10.0.2.10
4. Return to the Local-FortiGate CLI session, and then view the sniffer output.
It shows that Local-FortiGate is routing the packets through the ToRemote VPN.

FortiGate Infrastructure 7.2 Lab Guide 96

Fortinet Technologies Inc.
DO Test
NOT REPRINT
VPN Redundancy Exercise 3: Configuring Redundant Static IPsec VPN Tunnels Between Two FortiGate Devices

© FORTINET
28.040086 port3 in 10.0.1.10 -> 10.0.2.10: icmp: echo request
28.040107 ToRemote out 10.0.1.10 -> 10.0.2.10: icmp: echo request
28.041188 ToRemote in 10.0.2.10 -> 10.0.1.10: icmp: echo reply
28.041196 port3 out 10.0.2.10 -> 10.0.1.10: icmp: echo reply
Now, you will simulate a failure in the ToRemote VPN, and observe how FortiGate starts using the secondary
ToRemoteBackup VPN.

5. On the Local-FortiGate GUI, click Network > Interfaces.

6. Click the + sign beside port1 to view the subinterfaces using port1.
7. Right-click ToRemote, and then click Set Status > Disable to disable the VPN interface.

ToRemote is now grayed out.

8. Wait about a minute for DPD to detect the failure in ToRemote, and as a result, for FortiGate to reroute the traffic
through ToRemoteBackup.
9. Return to the Local-FortiGate CLI session, and then view the sniffer output again.
Notice that the ToRemoteBackup VPN is being used now.
546.352063 port3 in 10.0.1.10 -> 10.0.2.10: icmp: echo request
546.352090 ToRemoteBackup out 10.0.1.10 -> 10.0.2.10: icmp: echo request
546.353546 ToRemoteBackup in 10.0.2.10 -> 10.0.1.10: icmp: echo reply
546.353560 port3 out 10.0.2.10 -> 10.0.1.10: icmp: echo reply
10. On the Local-FortiGate GUI, click Network > Interfaces.
11. Click the + sign beside port1 to view the subinterfaces using port1.
12. Right-click ToRemote, and then click Set Status > Enable to re-enable the VPN interface.

ToRemote is no longer grayed out.

97 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT3: Configuring
REPRINT Redundant Static IPsec VPN Tunnels Between Two FortiGate Devices Test VPN Redundancy

© FORTINET
13. Return to the Local-FortiGate CLI session, and then view the sniffer output again.
Notice that the ToRemote VPN is being used again.
589.622935 port3 in 10.0.1.10 -> 10.0.2.10: icmp: echo request
589.622948 ToRemote out 10.0.1.10 -> 10.0.2.10: icmp: echo request
589.624057 ToRemote in 10.0.2.10 -> 10.0.1.10: icmp: echo reply
589.624072 port3 out 10.0.2.10 -> 10.0.1.10: icmp: echo reply
14. Press Ctrl+C to stop the ping.
15. Close the Local-FortiGate CLI window.

FortiGate Infrastructure 7.2 Lab Guide 98

In this lab, you will examine how to set up a FortiGate Clustering Protocol (FGCP) high availability (HA) cluster of
FortiGate devices. You will explore active-active HA mode and observe FortiGate HA behavior. You will also
perform an HA failover and use diagnostic commands to observe the election of a new primary device in the
cluster. Finally, you will configure management ports on FortiGate devices to reach each FortiGate individually for
management purposes.

Objectives
l Set up an HA cluster using FortiGate devices
l Observe HA synchronization and interpret diagnostic output
l Perform an HA failover
l Manage individual cluster members by configuring a reserved management interface

Time to Complete
Estimated: 40 minutes

Lab HA Topology

After you upload the required configurations to each FortiGate, the logical topology will change to the following:

99 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate and Remote-FortiGate.

You must restore the configuration to Local-FortiGate first, and then to Remote-
FortiGate.

If you restore the configuration to Remote-FortiGate first, it will produce unintended

results and may prevent you from doing the lab exercises.

To restore the Local-FortiGate configuration file

3. Click + to expand the list.

4. Select the configuration with the comment local-ha, and then click Revert.

FortiGate Infrastructure 7.2 Lab Guide 100

5. Click OK to reboot.

To restore the Remote-FortiGate configuration file

3. Click + to expand the list.

4. Select the configuration with the comment initial, and then click Revert.

101 FortiGate Infrastructure 7.2 Lab Guide

5. Click OK to reboot.

FortiGate Infrastructure 7.2 Lab Guide 102

FortiGate HA uses FGCP, which uses a heartbeat link for HA-related communications to discover other FortiGate
devices in the same HA group, elect a primary device, synchronize configuration, and detect failed devices in an
HA cluster.

In this exercise, you will examine how to configure HA settings on both FortiGate devices. You will observe the HA
synchronization status, and use diagnose commands to verify that the configuration is in sync on both FortiGate
devices.

Unless instructed otherwise, always use the console connection of Local-FortiGate

and Remote-FortiGate to access the CLI. This ensures that you can access the CLI of
the device regardless of the HA role.

Configure HA Settings on Local-FortiGate

You will configure HA-related settings using the Local-FortiGate GUI.

To configure HA settings on Local-FortiGate

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click System > HA, and then configure the following HA settings:

Field Value

Mode Active-Active

Device priority 200

Group name Training

Password Fortinet

Tip: Click Change, and then type the password.

Session pickup <enable>

Monitor interfaces Click X to remove any ports that are selected.

Heartbeat interfaces Click X to remove port4, and then select port2.

The configuration should look like the following example:

103 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT HA Configure HA Settings on Remote-FortiGate

3. Click OK.

Configure HA Settings on Remote-FortiGate

You will configure HA-related settings on Remote-FortiGate, using the console.

To configure HA settings on Remote-FortiGate

1. Connect to the Remote-FortiGate CLI, and then log in with the username admin and password password.
2. Enter the following commands:
config system ha
set group-name Training
set mode a-a
set password Fortinet
set hbdev port2 0
set session-pickup enable
set override disable
set priority 100
end

Observe and Verify the HA Synchronization Status

Now that you have configured HA on both FortiGate devices, you will verify that HA is established and that the
configurations are fully synchronized.

The checksums for all cluster members must match for the FortiGate devices to be synchronized.

To observe and verify the HA synchronization status

1. On the Remote-FortiGate CLI, you should see the debug messages about the HA synchronization process.
These messages sometimes display useful status change information.

2. Wait 4–5 minutes for the FortiGate devices to synchronize.

After the FortiGate devices are synchronized, the Remote-FortiGate device logs out all admin users.

FortiGate Infrastructure 7.2 Lab Guide 104

Fortinet Technologies Inc.
DO Verify
NOT REPRINT
FortiGate Roles in an HA Cluster Exercise 1: Configuring HA

© FORTINET
secondary succeeded to sync external files with primary
secondary starts to sync with primary
logout all admin users

3. When prompted, log back in to the Remote-FortiGate CLI with the username admin and password password.
4. To check the HA synchronization status, enter the following command:
diagnose sys ha checksum show

5. On the Local-FortiGate CLI, enter the following command to check the HA synchronization status:
diagnose sys ha checksum show

6. Compare the output from both FortiGate devices.

If both FortiGate devices are synchronized, the checksums match.

7. Alternatively, you can run the following CLI command on any member to view the checksums of all members:
diagnose sys ha checksum cluster

Verify FortiGate Roles in an HA Cluster

After the checksums of both FortiGate devices match, you will verify the cluster member roles to confirm the
primary and secondary devices.

To verify FortiGate roles in an HA cluster

1. On both the Local-FortiGate CLI and Remote-FortiGate CLI, enter the following command to verify that the HA
cluster is established:
get system status

2. On both FortiGate devices, view the Current HA mode line, and then write down the device serial number
(Serial-Number).
Notice that Local-FortiGate is a-a primary and Remote-FortiGate is a-a secondary.

Stop and think!

Why was Local-FortiGate elected as the primary?

In the primary election process, the first criterion checked is the number of connected monitored ports.
Because you didn't configure monitored ports, then the next criterion is checked.

Because you disabled the override setting, then the next criterion checked is HA uptime. Because you
enabled HA on both devices about the same time, then the HA uptime difference is less than five minutes,
and therefore, the next criterion, priority, is checked.

Local-FortiGate has a priority of 200, which is greater than Remote-FortiGate, which has a priority of 100.
The result is that Local-FortiGate is elected primary.

3. On the Local-FortiGate CLI , enter the following command to confirm the reason for the primary election:
get system ha status

4. In the output, look for the Primary selected using section to identify the reason for the latest primary election
event.

105 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT1: Configuring
REPRINT HA Verify Firewall Policy Configuration

The output confirms that Local-FortiGate was elected primary because of its higher
priority.

If you see that the election reason is a higher uptime, then that is probably because
you rebooted one of the members, and as a result, the HA uptime of that device was
reset. The reboot then caused the HA uptime difference to be more than five minutes.

Verify Firewall Policy Configuration

By default, a FortiGate HA active-active cluster load balances only sessions that are subject to proxy inspection.
For this reason, you will verify that the matching firewall policy is configured to perform proxy inspection.

To verify firewall policy configuration

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.
2. Double-click the firewall policy named P3_to_P1 to view its settings.
Your page should look similar to the following example:

FortiGate Infrastructure 7.2 Lab Guide 106

Fortinet Technologies Inc.
DO View
NOT REPRINT
Session Statistics Exercise 1: Configuring HA

© FORTINET
The firewall policy P3_to_P1 has been preconfigured for you. The firewall policy
matches the internet traffic that you will generate in the next task, and is configured to
perform antivirus and web filtering proxy-based inspection on the matching traffic. This
way, the primary FortiGate will distribute some of the matching sessions to the
secondary FortiGate.

3. Click Cancel.

View Session Statistics

You will view session statistics.

To view session statistics

1. On the Local-Client VM, open a few browser tabs, and connect to a few websites, such as:
l https://docs.fortinet.com
l www.yahoo.com
l www.bbc.com
2. On both the Local-FortiGate CLI and Remote-FortiGate CLI, enter the following command:
get system session status

The primary FortiGate handles more sessions than the secondary FortiGate. This is
because the primary handles:
l Cluster management traffic (local-in and local-out connections)
l Non-TCP firewall traffic
l TCP firewall traffic that is not subject to proxy-based inspection or any inspection
l TCP firewall traffic that is subject to proxy-based inspection and that isn't distributed
to the secondary

107 FortiGate Infrastructure 7.2 Lab Guide

You set up an HA cluster. In this exercise, you will examine how to trigger an HA failover, and observe the
renegotiation among devices to elect a new primary device and redistribute the sessions.

Unless instructed otherwise, always use the console connection of Local-FortiGate

and Remote-FortiGate to access the CLI. This ensures that you can access the device
CLI regardless of the HA role.

Trigger a Failover by Rebooting the Primary FortiGate

You will reboot the primary FortiGate in the cluster to trigger a failover.

Take the Expert Challenge!

1. On the Local-Client VM, complete the following:

l Play a long video (more than 5 minutes long) on https://www.youtube.com.
l Run a continuous ping to IP address 4.2.2.2.
2. On the Local-FortiGate CLI, reboot Local-FortiGate.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you have performed these steps, see Triggering an HA Failover on page 108.

To trigger a failover by rebooting the primary FortiGate

1. On the Local-Client VM, open a browser, and then visit the following URL:
https://www.youtube.com

2. Play a long video (more than 5 minutes long).

3. While the video is playing, open a terminal, and then run a continuous ping to a public IP address:
ping 4.2.2.2

4. To trigger a failover, on the Local-FortiGate CLI, enter the following command to reboot Local-FortiGate:
execute reboot

5. Press Y to confirm that you want to reboot Local-FortiGate.

Verify the HA Failover and FortiGate Roles

You will verify the HA failover, and check the roles of FortiGate in an HA cluster.

FortiGate Infrastructure 7.2 Lab Guide 108

Fortinet Technologies Inc.
DO Trigger
NOT REPRINT
an HA Failover by Resetting the HA Uptime Exercise 2: Triggering an HA Failover

© FORTINET
To verify the HA failover and FortiGate roles
1. On the Local-Client VM, check the terminal and video that you started earlier.
Because of the failover, Remote-FortiGate is now the primary processor of traffic. Your ping and video should
still be running.

2. Press Ctrl+C to stop the ping.

3. To verify that Remote-FortiGate is acting as the primary device in the HA cluster, on the Remote-FortiGate CLI,
enter the following command:
get system status

Stop and think!

When Local-FortiGate finishes rebooting and rejoins the cluster, does it rejoin as the secondary device, or
resume its initial role of primary device?

4. To see the status of all cluster members, enter the following command on any FortiGate in the cluster:
get system ha status

You should see that Local-FortiGate rejoins the cluster as a secondary device. It lost its role as the primary
device.

The output of get system ha status has been cut to fit this page.

Local-FortiGate becomes the secondary device in the cluster because it has a lower
HA uptime than Local-Remote. In addition, the HA uptime difference between the
members is more than 5 minutes.

Trigger an HA Failover by Resetting the HA Uptime

You will trigger a failover by resetting the HA uptime on the current primary FortiGate—which should be Remote-
FortiGate—and then you will verify the role of Remote-FortiGate in the HA cluster.

To trigger an HA failover by resetting the HA uptime on FortiGate

1. On the Remote-FortiGate CLI console, enter the following command:
diagnose sys ha reset-uptime

109 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Triggering
REPRINT an HA Failover Observe HA Leave and Join Messages Using Diagnostic Commands

© FORTINET
After you reset the HA uptime on Remote-FortiGate, Local-FortiGate becomes the
member with the highest HA uptime. Because the HA uptime difference between the
members is more than five minutes, then Local-FortiGate is elected as the new
primary.

Remote-FortiGate now has the secondary role in the cluster.

2. On the Remote-FortiGate CLI, enter the following command to verify this:

get system status

Observe HA Leave and Join Messages Using Diagnostic Commands

The HA synchronization process is responsible for FGCP packets that communicate cluster status and build the
cluster. You will use real-time diagnostic commands to observe this process.

To observe HA failover using diagnostic commands

1. On the Local-FortiGate CLI, enter the following commands:
diagnose debug enable
diagnose debug application hatalk 0
diagnose debug application hatalk 255

The diagnose debug application hatalk 0 command stops the debug. You
will use this command later.

2. On the Remote-FortiGate CLI, enter the following command to reboot Remote-FortiGate:

execute reboot

3. Press Y to confirm that you want to reboot Remote-FortiGate.

4. On the Local-FortiGate CLI, view the output while the secondary device reboots and starts communicating with the
cluster.

FortiGate Infrastructure 7.2 Lab Guide 110

Fortinet Technologies Inc.
DO Observe
NOTHAREPRINT
Leave and Join Messages Using Diagnostic Commands Exercise 2: Triggering an HA Failover

The output shows that the current primary FortiGate is sending heartbeat packets and trying to synchronize
its configuration with the configuration of the secondary FortiGate.

5. To stop the debug output on Local-FortiGate, press the up arrow key twice, select the second-last command (in
this case, diagnose debug application hatalk 0), and then press Enter.

111 FortiGate Infrastructure 7.2 Lab Guide

In this exercise, you will examine how to configure a spare interface in the cluster as a reserved HA management
interface. This allows both FortiGate devices to be reachable for management purposes regardless of the
member role.

If a reserved HA management interface is not configured, your cluster management connections are handled by
the primary FortiGate. However, you can access the CLI of the secondary FortiGate from the primary FortiGate
CLI, or by using the secondary console connection.

You can also configure an in-band HA management interface, which is an alternative to the reserved HA
management interface, and does not require reserving an interface that is only for management access.

Unless instructed otherwise, always use the console connection of Local-FortiGate

and Remote-FortiGate to access the CLI. This ensures that you can access the device
CLI regardless of the HA role.

Access the Secondary FortiGate CLI Through the Primary FortiGate CLI

You will connect to the secondary FortiGate CLI through the primary FortiGate CLI.

To access the secondary FortiGate CLI through the primary FortiGate CLI
1. On the Local-FortiGate CLI, log in with the username admin and password password.
2. Enter the following command to access the secondary FortiGate CLI through the primary FortiGate heartbeat
interface:
execute ha manage <id> admin

Use ? to list the values for <id>.

3. When prompted, enter the password password to log in to Remote-FortiGate.

FortiGate Infrastructure 7.2 Lab Guide 112

Fortinet Technologies Inc.
DO Set
NOT REPRINT
Up a Reserved HA Management Interface Exercise 3: Configuring the HA Management Interface

4. Enter the following command to get the status of the secondary FortiGate:
get system status

5. View the Current HA mode line.

You will notice that Remote-FortiGate is a-a secondary.

6. Enter the following command to return to the Local-FortiGate CLI:

exit

Set Up a Reserved HA Management Interface

You will use an unused interface on the FortiGate devices in an HA cluster to configure a reserved HA
management interface and a unique IP address on each member. This way, you can access each member
directly regardless of its role.

To set up a reserved HA management interface

1. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI at 10.0.1.254 with the
username admin and password password.
2. Click System > HA.
3. Right-click Local-FortiGate, and then click Edit.

4. Enable Management Interface Reservation, and then in the Interface field, select port7.
5. Click OK.

113 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT3: Configuring
REPRINT
Management Interface
the HA Configure and Access the Primary FortiGate Using the Reserved HA
Management Interface

port7 connects to the same LAN segment as port3.

Configure and Access the Primary FortiGate Using the Reserved HA

Management Interface

You will configure and verify access to the primary FortiGate using the reserved HA management interface.

To configure and verify access to the primary FortiGate using the reserved HA management
interface
1. On the Local-FortiGate CLI, log in with the username admin and password password.
2. Enter the following commands to configure port7:
config system interface
edit port7
set ip 10.0.1.253/24
set allowaccess ping ssh snmp http
end

Even though this address overlaps with port3, which is not allowed by default
(FortiGate does not allow overlapped subnets by default), it is allowed here because
the routing entries for the reserved HA management interface are excluded from the
routing table.

3. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI at 10.0.1.253 (note the IP
address) with the username admin and password password.
This verifies connectivity to port7.

Configure and Access the Secondary FortiGate Using the Reserved HA

Management Interface

You will configure and verify access to the secondary FortiGate using the reserved HA management interface.

FortiGate Infrastructure 7.2 Lab Guide 114

Fortinet Technologies Inc.
DO Disconnect
NOT REPRINTRemote-FortiGate From the Cluster Exercise 3: Configuring the HA Management Interface

1. On the Remote-FortiGate CLI, complete the following:

l Verify that the reserved HA management interface was synchronized with the secondary device.
show system ha
l Verify that port7 has no configuration, and then configure port7 IP/Netmask as 10.0.1.252/24
with the same allowaccess configured for Local-FortiGate port7.
2. On the Local-Client VM, log in to the Remote-FortiGate GUI (admin/password) using the port7 IP
address to verify connectivity.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After the configuration is ready, see Configuring the HA Management Interface on page 112.

To configure and verify access to the secondary FortiGate using the management interface
1. On the Remote-FortiGate CLI, enter the following command to verify that the reserved HA management interface
was synchronized with the secondary device:
show system ha

Look for ha-mgmt-status and config ha-mgmt-interfaces. These should already be set.

2. Enter the following command to verify that port7 has no configuration:

show system interface port7

3. Configure port7, using the following commands:

config system interface
edit port7
set ip 10.0.1.252/24
set allowaccess ping ssh snmp http
next
end

4. On the Local-Client VM, open a browser, and then log in to the Remote-FortiGate GUI at 10.0.1.252 (note the IP
address) with the username admin and password password.
This will verify connectivity to port7.

Each device in the cluster now has its own management IP address for monitoring purposes.

Disconnect Remote-FortiGate From the Cluster

You will disconnect Remote-FortiGate from the cluster. Remote-FortiGate will prompt you to configure an IP
address on any port on Remote-FortiGate so that you can access it after the disconnection.

To disconnect Remote-FortiGate from the cluster

1. On the Local-Client VM, open a browser, and then log in to the Local-FortiGate GUI at 10.0.1.254 with the
username admin and password password.

115 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT3: Configuring
REPRINT the HA Management Interface Restore the Remote-FortiGate Configuration

4. When prompted, configure the following settings:

Field Value

Interface port3

IP/Netmask 10.0.1.251/24

5. Click OK.
This removes the FortiGate from the HA cluster.

Restore the Remote-FortiGate Configuration

You will restore the Remote-FortiGate configuration, so that you can use Remote-FortiGate in the next labs.

Failure to perform these steps will prevent you from doing the next exercises.

To restore the Remote-FortiGate configuration file

1. On the Local-Client VM, open a browser, and then log in to the Remote-FortiGate GUI at 10.0.1.251 with the
username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Revisions.

FortiGate Infrastructure 7.2 Lab Guide 116

Fortinet Technologies Inc.
DO Restore
NOTtheREPRINT
Remote-FortiGate Configuration Exercise 3: Configuring the HA Management Interface

3. Click + to expand the list.

4. Select the configuration with the comment initial, and then click Revert.

5. Click OK to reboot.

Failure to perform these steps will prevent you from doing the next exercises.

117 FortiGate Infrastructure 7.2 Lab Guide

In this lab, you will run diagnostic commands to learn about the current status of FortiGate. You will also use the
sniffer and debug flow tools to troubleshoot and fix a connectivity problem.

Objectives
l Identify normal behavior for your network
l Monitor for abnormal behavior, such as traffic spikes
l Diagnose problems at the physical and network layers
l Diagnose connectivity problems using the debug flow
l Diagnose resource problems, such as high CPU or memory usage

Time to Complete
Estimated: 30 minutes

FortiGate Infrastructure 7.2 Lab Guide 118

Fortinet Technologies Inc.
DO NOT REPRINT
© FORTINET
Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

To restore the Local-FortiGate configuration file

1. On the Local-FortiGate GUI, log in with the username admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Revisions.

3. Click the + sign to expand the list.

4. Select the configuration with the comment local-diagnostics, and then click Revert.

5. Click OK to reboot.

119 FortiGate Infrastructure 7.2 Lab Guide

In this exercise, you will use CLI commands to get information about FortiGate, such as traffic volume, CPU
usage, memory usage, and the ARP table.

Run Diagnostic Commands

You will run some diagnostic commands and take note of some of the information displayed.

To run diagnostic commands

1. On the Local-FortiGate CLI, log in with the username admin and password password.
2. Find the following information and write down your answers in the space provided—refer to the list of commands
that follows to get the answers:

Field Value

Firmware branch point

Current HA mode

Hostname

CPU utilization

Memory utilization

Average network usage

Average session setup rate

Negotiated speed and duplex mode for interface

port1

MTU for port1

MAC address for the IP address 10.200.1.254

Name of the process consuming the most CPU (if

any)

Name of the process consuming the most memory

FortiGate Infrastructure 7.2 Lab Guide 120

Fortinet Technologies Inc.
DO Run
NOT REPRINT
Diagnostic Commands Exercise 1: Determining What Is Happening Now

© FORTINET
Enter the following CLI commands to find the information requested above:
get system status
get system performance status
get hardware nic port1
get system arp
diagnose sys top 1

(Press Shift+P to order the processes by CPU usage, Shift+M to order them by
memory usage, or Q to stop.)

3. Close the Local-FortiGate CLI session.

121 FortiGate Infrastructure 7.2 Lab Guide

In this exercise, you will use the sniffer and debug flow to troubleshoot a network connectivity problem.

Identify the Problem

As you will see in this procedure, there is a network connectivity problem between the Local-Client VM and the
Linux server.

To identify the problem

1. On the Local-Client VM, open a terminal window.
2. Start a continuous ping to the Linux server (IP address 10.200.1.254):
ping 10.200.1.254

The ping is failing. You will use the sniffer and debug flow tools on Local-FortiGate to find out why.

3. Do not close the terminal window—keep the ping running.

Use the Sniffer

Take the Expert Challenge!

Now that you understand what the problem is, try to fix it without looking at the FortiGate configuration. Use
the built-in sniffer and debug flow tools to troubleshoot the problem.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Troubleshooting a Connectivity Problem on page 122.

You will start troubleshooting by sniffing the ICMP traffic going to the Linux server.

To use the sniffer

1. On the Local-FortiGate CLI, log in with the username admin and password password.
2. Enter the following command to sniff the ICMP traffic to 10.200.1.254:
diagnose sniffer packet any "icmp and host 10.200.1.254" 4

3. Observe the output.

interfaces=[any]
filters=[icmp and host 10.200.1.254]
5.439019 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
10.442347 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request

FortiGate Infrastructure 7.2 Lab Guide 122

Fortinet Technologies Inc.
DO Use
NOT REPRINT
the Debug Flow Tool Exercise 2: Troubleshooting a Connectivity Problem

© FORTINET
15.444343 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request
20.545397 port3 in 10.0.1.10 -> 10.200.1.254: icmp: echo request

The packets are arriving on FortiGate, but FortiGate is not routing them.

4. Press Ctrl+C to stop the sniffer.

Use the Debug Flow Tool

You will run the debug flow tool to get information about why the packets are being dropped.

To use the debug flow tool

1. On the Local-FortiGate CLI session, enter the following commands. You will configure the debug flow filter to
capture all ICMP traffic to and from the 10.200.1.254 IP address.
diagnose debug flow filter clear
diagnose debug flow filter proto 1
diagnose debug flow filter addr 10.200.1.254
diagnose debug enable
diagnose debug flow trace start 3

The output should be similar to the following example. FortiGate receives the ICMP packet from 10.0.1.10
to 10.200.1.254 from port3.
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet
(proto=1, 10.0.1.10:1->10.200.1.254:2048) from port3. type=8, code=0, id=1,
seq=33."

It creates a new session.

id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new
session-00000340"

It finds a route for the destination 10.200.1.254 through port1.

id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route:
flag=04000000 gw-10.200.1.254 via port1"

It drops the packet. The debug flow shows the error message.
id=20085 trace_id=1 func=fw_forward_handler line=586 msg="Denied by forward policy
check (policy 0)"

The Denied by forward policy check message indicates that the traffic is denied by a firewall policy.
It could be either a denied policy explicitly configured by the administrator, or the implicit denied policy for
traffic that does not match a configured policy.

The policy 0 indicates that the traffic was denied by the default implicit policy. If the traffic was blocked by
an explicitly configured policy, its policy ID number would be indicated in this output, instead of 0.

Fix the Problem

Now that you found the cause of the problem, you will fix the problem.

123 FortiGate Infrastructure 7.2 Lab Guide

Fortinet Technologies Inc.
DO Exercise
NOT2: Troubleshooting
REPRINT a Connectivity Problem Test the Fix

© FORTINET
To fix the problem
1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.
2. Click Policy & Objects > Firewall Policy.
3. Look at the firewall policies.
The Full_Access firewall policy does not allow ICMP traffic (only HTTP)—this is why FortiGate is dropping
the ping packets.

4. Edit the Full_Access firewall policy.

5. Change the service from HTTP to ALL.
6. Click OK.

Test the Fix

You will test to confirm that the configuration change fixed the problem.

To test the fix

1. On the Local-Client VM, check the terminal window to see if the continuous ping is working now.
2. Press Ctrl+C to stop the ping, but leave the terminal open.
3. On the Local-FortiGate CLI session where you are running debug commands, clear all the ICMP sessions from the
session table, using the following commands:
diagnose sys session filter clear
diagnose sys session filter proto 1
diagnose sys session clear

4. Start the debug flow again, using the following commands:

diagnose debug flow filter clear
diagnose debug flow filter proto 1
diagnose debug flow filter addr 10.200.1.254
diagnose debug enable
diagnose debug flow trace start 3

There should not be any output yet, because the ping is not running.

5. Return to the terminal window, and then start the ping again.
ping 10.200.1.254

6. Check the debug flow output.

It is a bit different now. The error message is not displayed and you can see a few new logs.

Traffic is allowed by the firewall policy with the ID 1.

id=20085 trace_id=4 func=fw_forward_handler line=737 msg="Allowed by Policy-1: SNAT"

FortiGate applies source NAT (SNAT).

id=20085 trace_id=4 func=__ip_session_run_tuple line=3164 msg="SNAT 10.0.1.10-
>10.200.1.1:62464"

Additionally, you can see the debug flow logs from the return (ping reply) packets.

FortiGate Infrastructure 7.2 Lab Guide 124

Fortinet Technologies Inc.
DO Test
NOT the FixREPRINT Exercise 2: Troubleshooting a Connectivity Problem

© FORTINET
id=20085 trace_id=5 func=print_pkt_detail line=5363 msg="vd-root received a packet
(proto=1, 10.200.1.254:62464->10.200.1.1:0) from port1. type=0, code=0, id=62464,
seq=83."
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5438 msg="Find an existing
session, id-000003f2, reply direction"
id=20085 trace_id=5 func=__ip_session_run_tuple line=3178 msg="DNAT 10.200.1.1:0-
>10.0.1.10:1"
id=20085 trace_id=5 func=vf_ip_route_input_common line=2583 msg="find a route:
flag=04000000 gw-10.0.1.10 via port3"

The procedure in this exercise describes what you should usually do when
troubleshooting connectivity problems on FortiGate. Sniff the traffic first to check that
the packets are arriving on FortiGate and that FortiGate is routing them correctly. If the
sniffer shows that the traffic is being dropped by FortiGate, use the debug flow tool to
find out why.

125 FortiGate Infrastructure 7.2 Lab Guide

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Fortigate Administratior 7.4 Lab Guide
0% (1)
Fortigate Administratior 7.4 Lab Guide
250 pages
NSE7 - OT Security FortiOS 7.2 - Study Guide
No ratings yet
NSE7 - OT Security FortiOS 7.2 - Study Guide
317 pages
Ebin - Pub Fortinet Enterprise Firewall Study Guide For Fortios 72
No ratings yet
Ebin - Pub Fortinet Enterprise Firewall Study Guide For Fortios 72
390 pages
F5 - Configuring BIG-IP LTM v11 - Instructor
100% (1)
F5 - Configuring BIG-IP LTM v11 - Instructor
493 pages
Fortinet Zero Trust Access Lab Guide For FortiOS 7.2 (Fortinet Training Institute)
100% (1)
Fortinet Zero Trust Access Lab Guide For FortiOS 7.2 (Fortinet Training Institute)
247 pages
FortiGate Infrastructure 7.2 Lab Guide-Online
No ratings yet
FortiGate Infrastructure 7.2 Lab Guide-Online
123 pages
FortiGate Infrastructure 7.2 Study Guide-Online
No ratings yet
FortiGate Infrastructure 7.2 Study Guide-Online
388 pages
FCP Sec Ops - FortiAnalyzer Analyst 7.4 - Study Guide
100% (3)
FCP Sec Ops - FortiAnalyzer Analyst 7.4 - Study Guide
216 pages
(Fcss NW) - Sd-Wan Fortios 7.2 - Study Guide
No ratings yet
(Fcss NW) - Sd-Wan Fortios 7.2 - Study Guide
381 pages
(FCSS NW) - Enterprise Firewall Administrator FortiOS 7.4 - Study Guide
No ratings yet
(FCSS NW) - Enterprise Firewall Administrator FortiOS 7.4 - Study Guide
384 pages
NSE7 - Enterprise Firewall FortiOS 7.0 - Study Guide
100% (1)
NSE7 - Enterprise Firewall FortiOS 7.0 - Study Guide
528 pages
Fortigate Infrastructure Lab Guide: Do Not Reprint © Fortinet
91% (11)
Fortigate Infrastructure Lab Guide: Do Not Reprint © Fortinet
143 pages
FortiGate Security 6.2 Lab Guide-Online
100% (3)
FortiGate Security 6.2 Lab Guide-Online
232 pages
SD-WAN 6.2 Lab Guide-Online PDF
100% (3)
SD-WAN 6.2 Lab Guide-Online PDF
85 pages
MySQL Exercises & Solutions
80% (10)
MySQL Exercises & Solutions
61 pages
OSP Training For Local Designer of PLDT
75% (4)
OSP Training For Local Designer of PLDT
57 pages
Fortinet Fortimanager Study Guide For Fortimanager 72
100% (1)
Fortinet Fortimanager Study Guide For Fortimanager 72
372 pages
Network Access Control Reference Architecture: Rick Leclerc Solutions Architect January 29, 2020
No ratings yet
Network Access Control Reference Architecture: Rick Leclerc Solutions Architect January 29, 2020
15 pages
Do Not Reprint © Fortinet: Fortimanager Lab Guide
No ratings yet
Do Not Reprint © Fortinet: Fortimanager Lab Guide
182 pages
Fortinet Fortiweb Lab Guide For Fortiweb 64
No ratings yet
Fortinet Fortiweb Lab Guide For Fortiweb 64
103 pages
FortiOS 7.4.3 Administration Guide
No ratings yet
FortiOS 7.4.3 Administration Guide
3,620 pages
Fortinet Fortigate Security Lab Guide For Fortios 72
No ratings yet
Fortinet Fortigate Security Lab Guide For Fortios 72
204 pages
FortiManager-7 4 0-Administration - Guide
No ratings yet
FortiManager-7 4 0-Administration - Guide
937 pages
FortiAuthenticator Student Guide-Online
67% (3)
FortiAuthenticator Student Guide-Online
455 pages
VDOM Configuration
No ratings yet
VDOM Configuration
7 pages
FortiNAC Deployment Prerequisite Task List
100% (1)
FortiNAC Deployment Prerequisite Task List
26 pages
How To Setup FortiGate Firewall To Access The Internet
No ratings yet
How To Setup FortiGate Firewall To Access The Internet
7 pages
Getting Started with FortiGate
From Everand
Getting Started with FortiGate
Fabrizio Volpe
No ratings yet
C-Plath 4000 Autopilot Operation
No ratings yet
C-Plath 4000 Autopilot Operation
142 pages
Web Application Development 1 ALL
No ratings yet
Web Application Development 1 ALL
8 pages
Enterprise Firewall 7.2 Lab Guide-Online U
No ratings yet
Enterprise Firewall 7.2 Lab Guide-Online U
158 pages
FortiGate Infrastructure 6.0 Lab Guide-Online
No ratings yet
FortiGate Infrastructure 6.0 Lab Guide-Online
148 pages
FortiGate Infrastructure 6.0 Lab Guide V2-Online-Unlocked
100% (1)
FortiGate Infrastructure 6.0 Lab Guide V2-Online-Unlocked
147 pages
FortiGate Security 7.2 Lab Guide-Online
No ratings yet
FortiGate Security 7.2 Lab Guide-Online
203 pages
NSE7 - Enterprise Firewall FortiOS 6.4 - Study Guide
No ratings yet
NSE7 - Enterprise Firewall FortiOS 6.4 - Study Guide
533 pages
(FCSS ZT - NSE7) - Zero Trust Access FortiOS 7.2 - Study Guide
100% (1)
(FCSS ZT - NSE7) - Zero Trust Access FortiOS 7.2 - Study Guide
192 pages
FortiGate Authentication
No ratings yet
FortiGate Authentication
77 pages
LAB 7 - High Availability (HA)
100% (1)
LAB 7 - High Availability (HA)
17 pages
Fortigate Security Study Guide: Do Not Reprint © Fortinet
No ratings yet
Fortigate Security Study Guide: Do Not Reprint © Fortinet
459 pages
FortiNAC Demo Walkthrough
No ratings yet
FortiNAC Demo Walkthrough
13 pages
NSE7 - SD-WAN FortiOS 6.4.5 - Study Guide
No ratings yet
NSE7 - SD-WAN FortiOS 6.4.5 - Study Guide
229 pages
Introduction To FortiGate Part-1
100% (3)
Introduction To FortiGate Part-1
330 pages
(FCSS SASE) - FortiSASE Administrator FortiSASE 24 - Study Guide
100% (1)
(FCSS SASE) - FortiSASE Administrator FortiSASE 24 - Study Guide
171 pages
FortiGate 7.4 Operator Lesson Scripts
100% (1)
FortiGate 7.4 Operator Lesson Scripts
33 pages
FortiGate Security 7.2 Study Guide-Online-10
No ratings yet
FortiGate Security 7.2 Study Guide-Online-10
40 pages
Fortigate Fortiwifi and Fortiap Configuration Guide 56
No ratings yet
Fortigate Fortiwifi and Fortiap Configuration Guide 56
205 pages
FortiGate 7.4 Administrator Study Guide-Online v2 Español
No ratings yet
FortiGate 7.4 Administrator Study Guide-Online v2 Español
818 pages
Lab 3 - Nat PDF
100% (2)
Lab 3 - Nat PDF
24 pages
Fortigate VM
No ratings yet
Fortigate VM
22 pages
(FCSS SASE) - FortiSASE Administrator FortiSASE 23 - Study Guide
No ratings yet
(FCSS SASE) - FortiSASE Administrator FortiSASE 23 - Study Guide
149 pages
Fortinac Control Manager 83
No ratings yet
Fortinac Control Manager 83
755 pages
Install and Configure FortiGate Default Certificate
100% (1)
Install and Configure FortiGate Default Certificate
3 pages
NSE7 - LAN Edge FortiGate 7.0 - Study Guide
No ratings yet
NSE7 - LAN Edge FortiGate 7.0 - Study Guide
478 pages
FortiOS 7.4 Best Practices
No ratings yet
FortiOS 7.4 Best Practices
47 pages
FortiGate Security 7.0 Study Guide - FortiGate - Security - 7.0 - Study - Guide-Online
No ratings yet
FortiGate Security 7.0 Study Guide - FortiGate - Security - 7.0 - Study - Guide-Online
42 pages
FortiSandbox-4 4 1-Administration - Guide
No ratings yet
FortiSandbox-4 4 1-Administration - Guide
256 pages
IPSEC Config - Fortigate
No ratings yet
IPSEC Config - Fortigate
220 pages
FCP - FortiManager Administrator 7.4 - Study Guide
100% (1)
FCP - FortiManager Administrator 7.4 - Study Guide
327 pages
FortiNAC FortiGate VPN Integration
No ratings yet
FortiNAC FortiGate VPN Integration
58 pages
Fortigate Infrastructure Lab Guide: Do Not Reprint © Fortinet
No ratings yet
Fortigate Infrastructure Lab Guide: Do Not Reprint © Fortinet
143 pages
Do Not Reprint © Fortinet: Fortigate Infrastructure Lab Guide
No ratings yet
Do Not Reprint © Fortinet: Fortigate Infrastructure Lab Guide
140 pages
Do Not Reprint © Fortinet: Fortigate Infrastructure Lab Guide
100% (1)
Do Not Reprint © Fortinet: Fortigate Infrastructure Lab Guide
147 pages
FortiGate Infrastructure 6.0 Lab Guide V2-Online-Unlocked
100% (2)
FortiGate Infrastructure 6.0 Lab Guide V2-Online-Unlocked
53 pages
MS 700T00A ENU TrainerHandbook
100% (1)
MS 700T00A ENU TrainerHandbook
371 pages
Juniper Networks Technical Documentation
No ratings yet
Juniper Networks Technical Documentation
3 pages
Juniper Networks Technical Documentation
No ratings yet
Juniper Networks Technical Documentation
11 pages
Juniper Networks Technical Documentation
No ratings yet
Juniper Networks Technical Documentation
9 pages
MOdule 4 - Measures of Position
No ratings yet
MOdule 4 - Measures of Position
13 pages
4.1 Prototype Thinking BPA
No ratings yet
4.1 Prototype Thinking BPA
21 pages
Wild
No ratings yet
Wild
6 pages
Gold 4g Speaker Manual Multi Language Rev4
No ratings yet
Gold 4g Speaker Manual Multi Language Rev4
130 pages
Chapter 4 - Database
No ratings yet
Chapter 4 - Database
22 pages
SDN Lab 2
No ratings yet
SDN Lab 2
17 pages
DBMS Module - 2
No ratings yet
DBMS Module - 2
155 pages
w03 - WS - SolidWorks - Assemblies V01
No ratings yet
w03 - WS - SolidWorks - Assemblies V01
5 pages
cysa+ study notes
No ratings yet
cysa+ study notes
53 pages
3D Cell Design Capability Stack Template 2402 Workflow
No ratings yet
3D Cell Design Capability Stack Template 2402 Workflow
53 pages
(FREE PDF Sample) Computers in The Medical Office Ninth Edition. Edition Susan M. Sanderson Ebooks
100% (2)
(FREE PDF Sample) Computers in The Medical Office Ninth Edition. Edition Susan M. Sanderson Ebooks
53 pages
Mini Project Banking Managment System
No ratings yet
Mini Project Banking Managment System
11 pages
Altair Activate
No ratings yet
Altair Activate
2 pages
100K MailAccess HQ Database
No ratings yet
100K MailAccess HQ Database
1,742 pages
Sudoku - 20230314 (Easy, Moderate, Hard)
No ratings yet
Sudoku - 20230314 (Easy, Moderate, Hard)
20 pages
Chapter 12 Accessible
No ratings yet
Chapter 12 Accessible
24 pages
Department of Electrical & Computer Engineering: North South University Lab Report
No ratings yet
Department of Electrical & Computer Engineering: North South University Lab Report
8 pages
Pseudocode Writing (Paper 2)
No ratings yet
Pseudocode Writing (Paper 2)
2 pages
Trimble MX2: Mobile Mapping System
No ratings yet
Trimble MX2: Mobile Mapping System
2 pages
Server-Specific Requirements For Exchange Server 2003
No ratings yet
Server-Specific Requirements For Exchange Server 2003
7 pages
UNIT -5
No ratings yet
UNIT -5
32 pages
Verbal and Non Verbl Super Intelligence Book
No ratings yet
Verbal and Non Verbl Super Intelligence Book
53 pages
Introduction1989 Reprint
No ratings yet
Introduction1989 Reprint
15 pages
Process Process Creation / Termination
No ratings yet
Process Process Creation / Termination
3 pages
Pertemuan 11 PHP MVC 1
100% (1)
Pertemuan 11 PHP MVC 1
14 pages
Zenbusiness Terms of Service
No ratings yet
Zenbusiness Terms of Service
30 pages

Fortinet Fortigate Infrastructure Lab Guide For Fortios 72

Uploaded by

Fortinet Fortigate Infrastructure Lab Guide For Fortios 72

Uploaded by

DO NOT REPRINT

Fortinet Product Documentation

Fortinet Knowledge Base

Fortinet Fuse User Community

Fortinet Product Support

Fortinet Training Program Information

Fortinet | Pearson VUE

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

Various formatting fixes Entire guide

Updated URLs to test http Lab 1, Exercise 1 and 2

FortiGate Infrastructure 7.2 Lab Guide 6

7 FortiGate Infrastructure 7.2 Lab Guide

FortiGate Infrastructure 7.2 Lab Guide 8

To restore the Local-FortiGate configuration file

3. Click the + sign to expand the list.

9 FortiGate Infrastructure 7.2 Lab Guide

Local-Client Administrator password

Remote-Client Administrator password

Local-FortiGate admin password

Remote-FortiGate admin password

ISFW admin password

FortiAnalyzer admin password

FortiGate Infrastructure 7.2 Lab Guide 10

Verify the Routing Configuration

You will verify the existing routing configuration on Local-FortiGate.

Take the Expert Challenge!

To verify the routing configuration

4. Right-click any of the columns to open the context-sensitive menu.

11 FortiGate Infrastructure 7.2 Lab Guide

The Distance and Priority columns appear in the GUI.

Configure a Second Default Route

Take the Expert Challenge!

l On the Local-FortiGate GUI, configure a second default route using port2.

FortiGate Infrastructure 7.2 Lab Guide 12

Gateway Address 10.200.2.254

4. Click the + sign to expand the Advanced Options section.

Configure the Firewall Policies

13 FortiGate Infrastructure 7.2 Lab Guide

To configure the firewall policies

FortiGate Infrastructure 7.2 Lab Guide 14

Incoming Interface port3

Outgoing Interface port2

Log Allowed Traffic All Sessions

View the Routing Table

To view the routing table

Note that the second default route is not listed.

4. Confirm that the second default route is listed as inactive.

15 FortiGate Infrastructure 7.2 Lab Guide

Stop and think!

Why is the port2 default route the standby route?

5. Leave the Local-FortiGate CLI session open.

Configure Link Health Monitors

To configure link health monitoring

FortiGate Infrastructure 7.2 Lab Guide 16

3. Leave your Local-FortiGate CLI session open.

Test the Route Failover

To confirm the port1 route is the primary route

4. Scroll down in the context-sensitive menu, and then click Apply.

17 FortiGate Infrastructure 7.2 Lab Guide

To force the failover

2. Wait a few seconds.

3. Leave your Local-FortiGate CLI session open.

To verify the route change

FortiGate Infrastructure 7.2 Lab Guide 18

To verify traffic logs

Restore the Routing Table

19 FortiGate Infrastructure 7.2 Lab Guide

2. Close the Local-FortiGate CLI session.

To verify the routing table

3. Close the browser.

FortiGate Infrastructure 7.2 Lab Guide 20

Configure Administrative Distance

Take the Expert Challenge!

To configure administrative distance

21 FortiGate Infrastructure 7.2 Lab Guide

Change the ECMP Load Balancing Algorithm