
DO NOT REPRINT © FORTINET
FortiGate Study Guide
Security for FortiOS 7.0

Fortinet Training

https://training.fortinet.com

Fortinet Document Library

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)

https://training.fortinet.com/local/staticpage/view.php?page=certifications

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Feedback

Email: [email protected]

6/7/2021

TABLE OF CONTENTS

01 Introduction and Initial Configuration (page 4)
02 Security Fabric (page 57)
03 Firewall Policies (page 101)
04 Network Address Translation (NAT) (page 148)
05 Firewall Authentication (page 201)
06 Logging and Monitoring (page 259)
07 Certificate Operations (page 304)
08 Web Filtering (page 356)
09 Application Control (page 422)
10 Antivirus (page 467)
11 Intrusion Prevention and Denial of Service (page 515)
12 SSL VPN (page 568)
Introduction and Initial Configuration


In this lesson, you will learn about FortiGate administration basics and the components within
FortiGate that you can enable to extend functionality. This lesson also includes details about how
and where FortiGate fits into your existing network architecture.
FortiGate Security 7.0 Study Guide 4

In this lesson, you will explore the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in identifying the platform design features of FortiGate, FortiGate
features in virtualized networks and the cloud, as well as the FortiGate security processing units,
you will be able to describe the fundamental components of FortiGate and explain the types of tasks
that FortiGate can perform.

In the past, the common way of protecting a network was securing the perimeter and installing a
firewall at the entry point. Network administrators used to trust everything and everyone inside the
perimeter.

Now, malware can easily bypass any entry-point firewall and get inside the network. This could
happen through an infected USB stick, or an employee’s compromised personal device being
connected to the corporate network. Additionally, because attacks can come from inside the
network, network administrators can no longer inherently trust internal users and devices.

What’s more, today’s networks are highly complex environments whose borders are constantly
changing. Networks run vertically from the LAN to the internet, and horizontally from the physical
network to a private virtual network and to the cloud. A mobile and diverse workforce (employees,
partners, and customers) accessing network resources, public and private clouds, the IoT, and
BYOD programs all conspire to increase the number of attack vectors against your network.

In response to this highly complex environment, firewalls have become robust multifunctional
devices that counter an array of threats to your network. Thus, FortiGate can act in different modes
or roles to address different requirements. For example, FortiGate can be deployed as a data center
firewall whose function is to monitor inbound requests to servers and to protect them without
increasing latency for the requester. Or, FortiGate can be deployed as an internal segmentation
firewall as a means to contain a network breach.

FortiGate can also function as DNS and DHCP servers, and be configured to provide web filter,
antivirus, and IPS services.

In the architecture diagram shown on this slide, you can see how FortiGate platforms add strength,
without compromising flexibility. Like separate, dedicated security devices, FortiGate is still
internally modular. Plus:

• Devices add duplication. Sometimes, dedication doesn’t mean efficiency. If it’s overloaded, can
one device borrow free RAM from nine others? Do you want to configure policies, logging, and
routing on 10 separate devices? Does 10 times the duplication bring you 10 times the benefit,
or is it a hassle? For smaller to midsize businesses or enterprise branch offices, unified threat
management (UTM) is often a superior solution, compared to separate dedicated appliances.
• FortiGate hardware isn’t just off-the-shelf. It’s carrier-grade. Most FortiGate models have one or
more specialized circuits, called ASICs, that are engineered by Fortinet. For example, a CP or
NP chip handles cryptography and packet forwarding more efficiently. Compared to a single-
purpose device with only a CPU, FortiGate can have dramatically better performance. This is
especially critical for data centers and carriers where throughput is business critical.
(The exception? Virtualization platforms—VMware, Citrix Xen, Microsoft, or Oracle Virtual
Box—have general-purpose vCPUs. But, virtualization might be worthwhile because of other
benefits, such as distributed computing and cloud-based security.)
• FortiGate is flexible. If all you need is fast firewalling and antivirus, FortiGate won’t require you to
waste CPU, RAM, and electricity on other features. In each firewall policy, you can enable or
disable UTM and next-generation firewall modules. Also, you won’t pay more to add VPN seat
licenses later.
• FortiGate cooperates. A preference for open standards instead of proprietary protocols means
less vendor lock-in and more choice for system integrators. And, as your network grows,
FortiGate can leverage other Fortinet products, such as FortiSandbox and FortiWeb, to
distribute processing for deeper security and optimal performance—a total Security Fabric
approach.

FortiGate virtual machines (VMs) have the same features as physical FortiGate devices, except for
hardware acceleration. Why? First, the hardware abstraction layer software for hypervisors is made
by VMware, Xen, and other hypervisor manufacturers, not by Fortinet. Those other manufacturers
don’t make Fortinet’s proprietary SPU chips. But there is another reason, too. The purpose of generic
virtual CPUs and other virtual chips for hypervisors is to abstract the hardware details. That way, all
VM guest OSs can run on a common platform, no matter the different hardware on which the
hypervisors are installed. Unlike vCPUs or vGPUs that use generic, non-optimal RAM and vCPUs for
abstraction, SPU chips are specialized optimized circuits. Therefore, a virtualized ASIC chip would
not have the same performance benefits as a physical SPU chip.

If performance on equivalent hardware is less, you may wonder, why would anyone use a
FortiGate VM? In large-scale networks that change rapidly and may have many tenants,
equivalent processing power and distribution may be achievable using larger amounts of cheaper,
general purpose hardware. Also, trading some performance for other benefits may be worth it.
You can benefit from faster network and appliance deployment and teardown.

FortiGate VMX and the FortiGate Connector for Cisco ACI are specialized versions of FortiOS and an
API that allow you to orchestrate rapid network changes through standards, such as OpenStack for
software-defined networking (SDN).
• FortiGate VM is deployed as a guest VM on the hypervisor.
• FortiGate VMX is deployed inside the virtual networks of a hypervisor, between guest VMs.
• FortiGate Connector for Cisco ACI allows ACI to deploy physical or virtual FortiGate VMs for
north-south traffic.

All Fortinet hardware acceleration components, including the NPx and CPx processors, are now
called security processing units (SPUs).

Most FortiGate models have specialized acceleration hardware, called SPUs, that can offload
resource-intensive processing from the main processing (CPU) resources. Most FortiGate devices
include specialized content processors (CPs) that accelerate a wide range of important security
processes, such as virus scanning, attack detection, encryption, and decryption. (Only selected
entry-level FortiGate models do not include a CP processor.)

SPU and nTurbo data is now visible in a number of places on the GUI. For example, the Active
Sessions column pop-up in the firewall policy list and the Sessions dashboard widget. Per-session
accounting is a logging feature that allows FortiGate to report the correct bytes per packet numbers
per session for sessions offloaded to an NP7, NP6 or NP6lite processor.

The following example shows the Sessions dashboard widget tracking SPU and nTurbo sessions.
Current sessions shows the total number of sessions, SPU shows the percentage of these
sessions that are SPU sessions, and Nturbo shows the percentage that are nTurbo sessions.

NTurbo offloads firewall sessions that include flow-based security profiles to NP6 or NP7 network
processors. Without NTurbo, or with NTurbo disabled, all firewall sessions that include flow-based
security profiles are processed by the FortiGate CPU.

The Fortinet content processor (CP9) works outside of the direct flow of traffic, providing high-speed
cryptography and content inspection services. This frees businesses to deploy advanced security
whenever it is needed without impacting network functionality. CP8 and CP9 provide a fast path for
traffic inspected by IPS, including sessions with flow-based inspection.

CP processors also accelerate intensive proxy-based tasks:

• Encryption and decryption (SSL)
• Antivirus

FortiSPU network processors work at the interface level to accelerate traffic by offloading traffic from
the main CPU. Models that support FortiOS 6.4 or later contain NP6, NP6lite, and NP7 network
processors.

Fortinet integrates content and network processors along with a RISC-based CPU into a single
processor known as SoC4 for entry-level FortiGate security devices used for distributed
enterprises. This simplifies device design and enables breakthrough performance without
compromising on security.

Good job! You now understand some of the high-level features of FortiGate.

Now, you will learn how to perform the initial setup of FortiGate and learn about why you might
decide to use one configuration over another.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in setting up FortiGate, you will be able to use the device
effectively in your own network.

What about the network architecture? Where does FortiGate fit in?

When you deploy FortiGate, you can choose between two operating modes: NAT mode or transparent mode.

• In NAT mode, FortiGate routes packets based on Layer 3, like a router. Each of its logical
network interfaces has an IP address and FortiGate determines the outgoing or egress
interface based on the destination IP address and entries in its routing tables.
• In transparent mode, FortiGate forwards packets at Layer 2, like a switch. Its interfaces have no IP
addresses and FortiGate identifies the outgoing or egress interface based on the destination MAC
address. The device in transparent mode has an IP address used for management traffic.

Interfaces can be exceptions to the router versus switch operation mode, on an individual basis.

When you enable virtual domains (VDOMs) on FortiGate, you can configure each VDOM for NAT
mode or transparent mode, regardless of the operation mode of other VDOMs on FortiGate. By
default, VDOMs are disabled on the FortiGate device, but there is still one VDOM active: the root
VDOM. It is always there in the background. When VDOMs are disabled, the NAT mode or
transparent mode relates to the root VDOM.

VDOMs are a method of dividing a FortiGate device into two or more virtual devices that function as
multiple independent devices. VDOMs can provide separate firewall policies and, in NAT mode,
completely separate configurations for routing and VPN services for each connected network or
organization. In transparent mode, VDOM applies security scanning to traffic and is installed between
the internal network and the external network.

By default, a VDOM is in NAT mode when it is created. You can switch it to transparent mode, if
required.
Network address translation (NAT) mode is the default operation mode. What are the other
factory default settings? After you’ve removed FortiGate from its box, what do you do next?

Now you’ll take a look at how you set up FortiGate.

Attach your computer network cable to port1 or the internal switch ports (on the entry-level model).
For high end and mid-range models, connect to the MGMT interface. In most entry-level models,
there is a DHCP server on that interface, so, if your computer’s network settings have DHCP
enabled, your computer should automatically get an IP, and you can begin setup.

To access the GUI on FortiGate or FortiWifi, open a web browser and visit https://192.168.1.99.

The default login information is public knowledge. Never leave the default password blank. Your
network is only as secure as your FortiGate admin account. Once you have logged in with the default
login details, you'll see a message prompting you to change the blank default password for the admin
user. Before you connect FortiGate to your network, you should set a complex password. You'll also be
asked to apply additional configuration, such as the hostname, dashboard setup, registration with
FortiCare, and so on.

All FortiGate models have a console port and/or USB management port. The port provides CLI access
without a network. You can access the CLI using the CLI console widget on the GUI, or from a
terminal emulator, such as PuTTY or Tera Term.

Some FortiGate services connect to other servers, such as FortiGuard, in order to work.
FortiGuard Subscription Services provide FortiGate with up-to-date threat intelligence.
FortiGate uses FortiGuard by:

• Periodically requesting packages that contain a new engine and signatures
• Querying the FDN on an individual URL or host name

By default, the FortiGuard server location is set to anywhere, so FortiGate selects a server based on
server load, from any part of the world. However, you have the option to change the FortiGuard
server location to USA. In this case, FortiGate selects a USA-based FortiGuard server.

Queries are real-time; that is, FortiGate asks the FDN every time it scans for spam or filtered
websites. FortiGate queries, instead of downloading the database, because of the size and
frequency of changes that occur to the database. Also, you can select queries to use UDP or
HTTPS for transport; the protocols are not designed for fault tolerance, but for speed. So, queries
require that your FortiGate device has a reliable internet connection.

Packages, like antivirus and IPS, are smaller and don't change as frequently, so they are
downloaded (in many cases) only once a day. They are downloaded using TCP for reliable
transport. After the database is downloaded, their associated FortiGate features continue to function,
even if FortiGate does not have reliable internet connectivity. However, you should still try to avoid
interruptions during downloads—if your FortiGate device must try repeatedly to download updates, it
can’t detect new threats during that time.


In FortiOS 6.4 or later, third-party SSL certificate verification and OCSP stapling check has been
implemented for all FortiGuard servers. By default, the FortiGuard access mode is anycast on
FortiGate, to optimize the routing performance to the FortiGuard servers. The FortiGuard server has
one IP address to match its domain name. FortiGate connects with a single server address,
regardless of where the FortiGate device is located.

The domain name of each FortiGuard service is the common name in the certificate of that service.
The certificate is signed by a third-party intermediate CA. The FortiGuard server uses the Online
Certificate Status Protocol (OCSP) stapling technique, so that FortiGate can always validate the
FortiGuard server certificate efficiently. FortiGate will complete the TLS handshake only with a
FortiGuard server that provides a good OCSP status for its certificate. Any other status results in a
failed SSL connection.

The FortiGuard servers query the OCSP responder of the CA every four hours and update its OCSP
status. If FortiGuard is unable to reach the OCSP responder, it keeps the last known OCSP status
for seven days.

FortiGate aborts the connection to the FortiGuard server if:

• The CN in the server certificate does not match the domain name resolved from the DNS.
• The OCSP status is not good.
• The issuer-CA is revoked by the root-CA.

The FortiGuard access mode anycast setting forces the rating process to use protocol HTTPS, and
port 443. The table on this slide shows a list of some of the FortiGuard servers and their domain
names and IP addresses.


Good job! You now understand how to perform the initial setup of FortiGate and why you might
decide to use one configuration over another. Now, you will learn about basic administration.

After completing this lesson, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in basic administration, you will be able to better manage
administrative users and implement stronger security practices around administrative access.

Most features are available on both the GUI and CLI, but there are a few exceptions. You can't view
reports on the CLI. Also, advanced settings and diagnostic commands for super users are usually not
available on the GUI.

As you become more familiar with FortiGate, and especially if you want to script its configuration, you
might want to use the CLI in addition to the GUI. You can access the CLI through either the
JavaScript widget on the GUI named CLI Console, or through a terminal emulator such as Tera Term
(http://ttssh2.sourceforge.jp/index.html.en) or PuTTY
(http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). Your terminal emulator can
connect through the network—SSH or telnet—or the local console port.

SNMP and some other administrative protocols are also supported, but they are read-only. You
can't use them for basic setup.

This slide shows some basic CLI commands that you can use to list commands under a command
set, check the system status, and list attributes and their values for an interface.

Whichever method you use, start by logging in as admin. Begin by creating separate accounts for
other administrators. For security and tracking purposes, it is a best practice for each
administrator to have their own account.

In the Create New drop-down list, you can select either Administrator or REST API Admin.
Typically, you will select Administrator and then assign an Administrator Profile, which specifies
that user’s administrative permissions. You could select REST API Admin to add an administrative
user who would use a custom application to access FortiGate with a REST API. The application
would allow you to log in to FortiGate and perform any task that your assigned Administrator
Profile permits.

Other options, not shown here, include:

• Instead of creating accounts on FortiGate itself, you could configure FortiGate to query a
remote authentication server.
• In place of passwords, your administrators could authenticate using digital certificates that are
issued by your internal certification authority server.

If you do use passwords, ensure that they are strong and complex. For example, you could use
multiple interleaved words with varying capitalization, and randomly insert numbers and punctuation.
Do not use short passwords, or passwords that contain names, dates, or words that exist in any
dictionary. These are susceptible to brute force attack. To audit the strength of your passwords, use
tools such as L0phtcrack (http://www.l0phtcrack.com/) or John the Ripper
(http://www.openwall.com/john/). Risk of a brute force attack is increased if you connect the
management port to the internet.
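The password guidance above can be turned into a quick policy check that runs before a new administrator password is accepted. The following Python script is an added example, not code from the guide or from Fortinet: the wordlist, the name list, the 12-character minimum and the leet-speak mapping are constructed assumptions, and the script complements rather than replaces the cracking tools named above, which test a password hash against far larger dictionaries.

```python
import re
import string

# Constructed stand-ins for a real dictionary and a list of names (assumption):
# a production check would load a full wordlist and your own user directory.
DICTIONARY = {"password", "fortinet", "welcome", "summer", "secret", "letmein", "admin"}
NAMES = {"alice", "carol", "david"}
MIN_LENGTH = 12  # assumed policy minimum

# Common "leet" substitutions, so that P@ssw0rd still matches "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

# Years and day/month/year style dates, which the guide says to avoid.
DATE_PATTERNS = (
    re.compile(r"(?:19|20)\d{2}"),
    re.compile(r"\b\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}\b"),
)


def normalize(password):
    """Lowercase and undo leet substitutions before dictionary matching."""
    return password.lower().translate(LEET)


def audit_password(password):
    """Return a list of policy findings; an empty list means the password
    passes every check implemented here."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    for word in sorted(DICTIONARY | NAMES):
        if len(word) >= 4 and word in norm:
            findings.append(f"contains dictionary word or name '{word}'")
    if any(p.search(password) for p in DATE_PATTERNS):
        findings.append("contains a year or date")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if sum(classes) < 3:
        findings.append("uses fewer than three character classes")
    return findings


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Fortinet2021!", "Ridge7copper+KETTLE+nine"):
        print(candidate, "->", audit_password(candidate) or "OK")
```

The third candidate passes because it interleaves unrelated words with mixed capitalization and inserted characters, which is exactly the construction the guide recommends; the first two fail even though they contain digits and punctuation, because the substitutions are undone before the dictionary match.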

In order to restrict access to specific features, you can assign permissions.

When assigning permissions to an administrator profile, you can specify read-and-write, read-only, or none to each area.

By default, there is a special profile named super_admin, which is used by the account named admin. You can't change it.
It provides full access to everything, making the admin account similar to a root superuser account.

The prof_admin is another default profile. It also provides full access, but unlike super_admin, it applies only to its virtual
domain—not the global settings of FortiGate. Also, you can change its permissions.

You aren’t required to use a default profile. You could, for example, create a profile named auditor_access with read-only
permissions. Restricting a person’s permissions to those necessary for his or her job is a best practice, because even if that
account is compromised, the compromise to your FortiGate device (or network) is not total. To do this, create administrator
profiles, then select the appropriate profile when configuring an account.

The Override Idle Timeout feature allows the admintimeout value, under config system accprofile, to be overridden
per access profile. You can configure administrator profiles to increase inactivity timeout and facilitate use of the GUI for
central monitoring.

Note that you can do this on a per-profile basis, to prevent the option from being unintentionally set globally.
What are the effects of administrator profiles?

It’s actually more than just read or write access.

Depending on the type of administrator profile that you assign, an administrator may not be able to
access the entire FortiGate device. For example, you could configure an account that can view only
log messages. Administrators may not be able to access global settings outside their assigned virtual
domain either. Virtual domains (VDOMs) are a way of subdividing the resources and configurations
on a single FortiGate.

Administrators with a smaller scope of permissions cannot create, or even view, accounts with more
permissions. So, for example, an administrator using the prof_admin or a custom profile cannot see,
or reset the password of accounts that use the super_admin profile.
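The two rules above, that a profile's permissions and scope bound what its holder can touch, and that an administrator can never see an account more privileged than their own, can be modelled in a few lines. The following Python is an added example, not FortiOS code: the permission areas and the log_viewer profile are constructed, while super_admin, prof_admin and auditor_access follow the descriptions in the guide.

```python
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    READ = 1
    READWRITE = 2


# Constructed permission areas (assumption); FortiOS has its own finer-grained set.
AREAS = ("system", "network", "firewall", "log", "vpn", "security_profiles")


def profile(scope, default, **overrides):
    """Build a profile: every area gets `default`, then named areas are overridden."""
    perms = {area: default for area in AREAS}
    perms.update(overrides)
    return {"scope": scope, "perms": perms}


# super_admin is global with full access; prof_admin has full access but only
# within its VDOM; auditor_access is read-only; log_viewer (constructed) can
# only read log messages.
PROFILES = {
    "super_admin":    profile("global", Access.READWRITE),
    "prof_admin":     profile("vdom",   Access.READWRITE),
    "auditor_access": profile("vdom",   Access.READ),
    "log_viewer":     profile("vdom",   Access.NONE, log=Access.READ),
}


def allowed(profile_name, area, action, setting_scope="vdom"):
    """Can an administrator with this profile read or write the given area?
    Global settings are reachable only from a global-scope profile."""
    p = PROFILES[profile_name]
    if setting_scope == "global" and p["scope"] != "global":
        return False
    needed = Access.READWRITE if action == "write" else Access.READ
    return p["perms"][area] >= needed


def can_view_account(actor_profile, target_profile):
    """An administrator may see or manage an account only if that account
    holds no permission or scope the administrator lacks."""
    actor, target = PROFILES[actor_profile], PROFILES[target_profile]
    if target["scope"] == "global" and actor["scope"] != "global":
        return False
    return all(actor["perms"][a] >= target["perms"][a] for a in AREAS)


if __name__ == "__main__":
    print(allowed("prof_admin", "firewall", "write"))          # True
    print(allowed("prof_admin", "system", "read", "global"))   # False
    print(can_view_account("prof_admin", "super_admin"))       # False
```

The comparison in can_view_account is deliberately per area rather than a simple rank: a read-only auditor can see the log-only account because every one of its permissions is covered, but the log-only account cannot see the auditor, so a compromised low-privilege account learns nothing about who holds more access.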

To further secure access to your network security, use two-factor authentication.

Two-factor authentication means that instead of using one method to verify your identity—typically a
password or digital certificate—your identity is verified by two methods. In the example shown on this
slide, two-factor authentication includes a password plus an RSA randomly generated number from a
FortiToken that is synchronized with FortiGate.


What happens if you forget the password for your admin account, or a malicious employee changes it?

This recovery method, the maintainer account, is available on all FortiGate devices and even some
non-FortiGate devices, like FortiMail. There is no maintainer procedure on the VM: the administrator
must revert to a snapshot, or reprovision the VM and restore the configuration. It’s a temporary
account, only available through the local console port, and only after a hard reboot—disrupting
power by unplugging or turning off the power, then restoring it. You must physically shut off
FortiGate, then turn it back on, not reboot it through the CLI.

The maintainer login is available for login only for about 60 seconds after the restart
completes (or less time on older models).

If you cannot ensure physical security, or have compliance requirements, you can disable the
maintainer account. Use caution if you disable maintainer and then lose your admin
password, because you cannot recover access to your FortiGate device. In order to regain access in
this scenario, you will need to reload the device. This resets the device to its factory default
settings.


Another way to secure FortiGate is to define the hosts or subnets that are trusted sources from
which to log in.

In this example, we have configured 10.0.1.10 as the only trusted IP for admin, the address from which
admin logs in. If admin attempts to log in from a machine with any other IP, they will receive an
authentication failure message.

Note that if trusted hosts are configured on all administrators and an administrator tries to log in
from an IP address that is not in the trusted hosts of any administrator, then the
administrator will not get the login page, but will instead receive the message: “Unable to contact
server”.

If you leave any IPv4 address as 0.0.0.0/0, it means that connections from any source IP will be
allowed. By default, 0.0.0.0/0 is the configuration for the administrator, although you may want
to change this.

Notice that each account can define its management host or subnet differently. This is especially
useful if you are setting up VDOMs on FortiGate, where the VDOM administrators may not even
belong to the same organization. Be aware of any NAT that occurs between the desired device and
FortiGate. You can easily prevent an administrator from logging in from the desired IP address if it
is later NATed to another address before reaching FortiGate, thus defeating the purpose of the
trusted hosts.
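The behaviour described above, including the difference between an authentication failure and the “Unable to contact server” page, as an added example in Python (not FortiOS code). The two administrator tables are constructed: 10.0.1.10 is the trusted address from the slide's example and 0.0.0.0/0 is the default the guide describes; the auditor account and its subnet are assumptions.

```python
import ipaddress

# Constructed administrator tables (assumptions). Each trusted host is written
# the way FortiOS stores it, "address netmask". 0.0.0.0 0.0.0.0 is the default
# and means any source IP is accepted.
ADMINS_LOCKED = {
    "admin":   ["10.0.1.10 255.255.255.255"],
    "auditor": ["10.0.2.0 255.255.255.0"],
}
ADMINS_DEFAULT = {
    "admin":   ["0.0.0.0 0.0.0.0"],
    "auditor": ["10.0.2.0 255.255.255.0"],
}


def parse_trusthost(entry):
    """Turn 'address netmask' into an ip_network object."""
    address, netmask = entry.split()
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def is_trusted(admin_name, source_ip, admins):
    """True if source_ip falls inside any trusted host of this account.
    source_ip must be the address FortiGate actually sees, that is, after any
    NAT between the administrator's workstation and FortiGate."""
    source = ipaddress.ip_address(source_ip)
    return any(source in parse_trusthost(e) for e in admins[admin_name])


def login_outcome(admin_name, source_ip, admins):
    """What an administrator connecting from source_ip sees:
    - 'login page': this account trusts the source, so credentials are
      evaluated normally;
    - 'authentication failure': the page is served because some other
      account trusts the source, but this account rejects it;
    - 'unable to contact server': no account at all trusts the source,
      so FortiGate does not serve the login page."""
    if not any(is_trusted(name, source_ip, admins) for name in admins):
        return "unable to contact server"
    if not is_trusted(admin_name, source_ip, admins):
        return "authentication failure"
    return "login page"


def wide_open_accounts(admins):
    """Accounts still on the 0.0.0.0/0 default, which an audit should flag."""
    return sorted(name for name, hosts in admins.items()
                  if any(parse_trusthost(e).prefixlen == 0 for e in hosts))


if __name__ == "__main__":
    for source in ("10.0.1.10", "10.0.2.5", "192.0.2.7"):
        print(source, "->", login_outcome("admin", source, ADMINS_LOCKED))
    print("accounts on the default trusted host:", wide_open_accounts(ADMINS_DEFAULT))
```

Note that a single account left on 0.0.0.0/0 is enough to make the login page reachable from everywhere, which is why wide_open_accounts checks every administrator and not only the one being reviewed.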


You may also want to customize the administrative protocols port numbers.

You can choose whether to allow concurrent sessions. You can use concurrent sessions to avoid
accidentally overwriting settings, if you usually keep multiple browser tabs open, or accidentally
leave a CLI session open without saving the settings, then begin a GUI session and accidentally edit
the same settings differently.

For better security, use only secure protocols, and enforce password complexity and changes.

The Idle timeout setting specifies the number of minutes before an inactive administrator session
times out (the default is five minutes). A shorter idle timeout is more secure, but increasing the timer
can help reduce the chance of administrators being logged out while testing changes.

You can override the idle timeout setting per administrator profile using the Override Idle Timeout setting.

You can configure an administrator profile to increase inactivity timeout and facilitate use of the GUI
for central monitoring. The Override Idle Timeout setting allows the admintimeout value, under
config system accprofile, to be overridden per access profile.

Note that you can do this on a per-profile basis, to prevent the option from being unintentionally set globally.


You’ve defined the management subnet—that is, the trusted hosts—for each administrator account.
How do you enable or disable management protocols?
This is specific to each interface. For example, if your administrators connect to FortiGate only from
port3, then you should disable administrative access on all other ports. This prevents brute force
attempts and also insecure access. Your management protocols are HTTPS, HTTP, PING, and
SSH. By default, the HTTP and TELNET option is not visible on the GUI.

Consider the location of the interface on your network. Enabling PING on an internal interface is
useful for troubleshooting. However, if it’s an external interface (in other words, exposed to the
internet), then the PING protocol could expose FortiGate to a DoS attack. You should disable
protocols that do not encrypt data flow, such as HTTP and TELNET. IPv4 and IPv6 protocols are
separate. It’s possible to have both IPv4 and IPv6 addresses on an interface, but only respond to
pings on IPv6.

Security Fabric connection includes CAPWAP and FortiTelemetry. Protocols like FortiTelemetry are
not for administrative access, but, like GUI and CLI access, they are protocols where the packets
have FortiGate as a destination IP. Use the FortiTelemetry protocol specifically for managing
FortiClient and the Security Fabric. Use the CAPWAP protocol for FortiAP, FortiSwitch, and
FortiExtender when they are managed by FortiGate. Use the FMG-Access protocol specifically for
communicating with FortiManager when that server is managing multiple FortiGate devices. Use the
RADIUS accounting protocol when FortiGate needs to listen for and process RADIUS accounting
packets for single sign-on authentication. FTM, or FortiToken Mobile push, supports second-factor
authentication requests from a FortiToken mobile app.

When you assign the interface roles LAN or WAN to the appropriate interfaces, your FortiGate uses
the Link Layer Discovery Protocol (LLDP) to detect if there’s an upstream FortiGate in your
network. If FortiGate discovers an upstream FortiGate, you're prompted to configure the upstream
FortiGate device to join the Security Fabric.
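The per-interface rules above (administrative access only on the interface administrators actually use, no cleartext HTTP or TELNET, no PING on internet-facing interfaces) can be checked mechanically against a configuration backup. The following Python script is an added example and is not code from the study guide or from Fortinet. The `config system interface` block it parses is constructed for illustration; the `set allowaccess` and `set role` keys follow FortiOS CLI syntax, but the interface names and addresses are invented.

```python
"""Audit per-interface administrative access in a FortiOS-style
'config system interface' block.

Added example, not from the study guide. The sample configuration below is
constructed for illustration; the 'allowaccess' and 'role' keys follow the
FortiOS CLI syntax, but the interface names and addresses are invented.
"""
import re

# Constructed sample: port3 is the only interface administrators use.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set role wan
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "port2"
        set role lan
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh telnet
    next
    edit "port3"
        set role lan
        set ip 198.51.100.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port4"
        set role dmz
        set ip 192.0.2.129 255.255.255.128
        set allowaccess ping
    next
end
"""

# Protocols that do not encrypt the management session.
CLEARTEXT_PROTOCOLS = {"http", "telnet"}
# Protocols that grant GUI or CLI administrative access.
ADMIN_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_interfaces(config_text):
    """Return {name: {"role": str, "allowaccess": set}} from the config block."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            interfaces[current] = {"role": "undefined", "allowaccess": set()}
            continue
        if current is None:
            continue
        if line.startswith("set role "):
            interfaces[current]["role"] = line.split()[2]
        elif line.startswith("set allowaccess "):
            interfaces[current]["allowaccess"] = set(line.split()[2:])
        elif line == "next":
            current = None
    return interfaces


def audit(config_text, management_interfaces):
    """Return a sorted list of (interface, finding) tuples.

    management_interfaces: the set of interfaces administrators connect
    from; every other interface should carry no administrative protocol.
    """
    findings = []
    for name, iface in parse_interfaces(config_text).items():
        access = iface["allowaccess"]
        for proto in sorted(access & CLEARTEXT_PROTOCOLS):
            findings.append((name, f"cleartext management protocol {proto} enabled"))
        if name not in management_interfaces and access & ADMIN_PROTOCOLS:
            findings.append((name, "administrative access enabled on a non-management interface"))
        if iface["role"] == "wan" and "ping" in access:
            findings.append((name, "ping enabled on an internet-facing interface"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG, {"port3"}):
        print(f"{iface}: {finding}")
```

Run against the sample, the audit reports port1 (HTTP, PING on a WAN interface, and admin access on a non-management interface) and port2 (TELNET and admin access), and nothing for port3 or for port4, which allows PING only on an internal DMZ interface.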


FortiGate has hundreds of features. If you don’t use all of them, hiding features that you don’t use
makes it easier to focus on your work.

Hiding a feature on the GUI does not disable it. It is still functional, and still can be configured using
the CLI. Some advanced or less commonly used features, such as IPv6, are hidden by default.

To show hidden features, click System > Feature Visibility.



When FortiGate is operating in NAT mode, every interface that handles traffic must have an IP
address. When in NAT mode, FortiGate can use the IP address to source the traffic, if it needs to
start or reply to a session, and as a destination address for devices trying to contact FortiGate or
route traffic through it. There are multiple ways to get an IP address:

• Manually
• Automatically, using either DHCP or PPPoE (available on the CLI)

FortiGate can use FortiIPAM to automatically assign IP addresses based on the configured network
size for the FortiGate interface. FortiIPAM provides an on-premises IP address management solution
when integrating network resources with FortiGate, and automatically assigns subnets to FortiGate to
prevent duplicate IP addresses from overlapping within the same Security Fabric. Note that FortiIPAM
is a paid service.

There is an exception to the IP address requirement: the One-Arm Sniffer interface type. This
interface type is not assigned an address.

When you select One-Arm Sniffer by enabling a sniffer on the CLI, the interface is not inline with the
traffic flow. Rather, it is receiving a copy of the traffic from a mirrored port on a switch. The interface
operates in promiscuous mode, scanning traffic that it sees, but is unable to make changes because
the original packet has already been processed by the switch. As a result, one-arm sniffer mode is
mostly used in proof of concept (POC), or in environments where corporate requirements state that
traffic must not be changed, only logged. Once it is enabled, a One-Arm Sniffer option appears in
the Addressing mode setting of an interface.

How many times have you seen network issues caused by a DHCP server—not client—enabled on
the WAN interface?

You can configure the interface role. The roles shown on the GUI are the usual interface settings for
that part of a topology. Settings that do not apply to the current role are hidden on the GUI. (All
settings are always available on the CLI regardless of the role.) This prevents accidental
misconfiguration.

For example, when the role is configured as WAN, there is no DHCP server and device
detection configuration available. Device detection is usually used to detect devices
internally on your LAN.

If there is an unusual case, and you need to use an option that’s hidden by the current role, you
can always switch the role to Undefined. This displays all options.

To help you remember the use of each interface, you can give them aliases. For example, you could
call port3 internal_network. This can help to make your list of policies easier to comprehend.

Before you integrate FortiGate into your network, you should configure a default gateway.

If FortiGate gets its IP address through a dynamic method such as DHCP or PPPoE, then it
should also retrieve the default gateway.

Otherwise, you must configure a static route. Without this, FortiGate will not be able to respond to
packets outside the subnets directly attached to its own interfaces. It probably also will not be
able to connect to FortiGuard for updates, and may not correctly route traffic.

You should make sure that FortiGate has a route that matches all packets (destination is
0.0.0.0/0), known as a default route, and forwards them through the network interface that is
connected to the internet, to the IP address of the next router.

Routing completes the basic network settings that are required before you can configure firewall policies.

Link aggregation logically binds multiple physical interfaces into a single channel. Link aggregation
increases bandwidth and provides redundancy between two network devices.

Good job! You now have the knowledge needed to carry out some basic administrative tasks.
Now, you’ll learn about built-in servers.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in implementing the DHCP and DNS built-in servers, you will
know how to provide these services through FortiGate.

Wireless clients are not the only ones that can use FortiGate as their DHCP server.

For an interface (such as port3), select the Manual option, enter a static IP, and then enable the
DHCP Server option. Options for the built-in DHCP server appear, including provisioning features,
such as DHCP options and IP address assignment rules. You can also block specific MAC
addresses from receiving an IP address.

Note that the screenshot in the middle of the slide shows that you can create IP address
assignment rules in the IP Address Assignment Rule section.

For the built-in DHCP server, you can reserve specific IP addresses for devices with specific MAC addresses.

The action selected for Unknown MAC Addresses defines what the FortiGate DHCP server does
when it gets a request from a MAC address that is not explicitly listed. The default action is Assign
IP; however, you can change the default action type to Assign IP or Block.

• Assign IP: permits the DHCP server to assign from its pool of addresses to the identified MAC
address. A device receiving an IP address will always receive the same address provided that its
lease has not expired.
• Block: the computer with the identified MAC address will not receive an IP address.
• Reserve IP: allows you to bind a specific IP to a MAC address.
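To make the interplay of these three actions and the Unknown MAC Addresses default concrete, here is a small simulation of the assignment logic. It is an added example, not FortiOS code and not from the study guide; the address pool, the MAC addresses and the lease time are constructed, and the model keeps only the rule evaluation (reservation, block, unknown-MAC default, and the "same address while the lease has not expired" behaviour), not the DHCP protocol exchange itself.

```python
"""Simulation of the FortiGate built-in DHCP server's MAC-based rules:
Assign IP, Block, Reserve IP, and the Unknown MAC Addresses action.

Added example, not FortiOS code. The address pool, MAC addresses and lease
time below are constructed for illustration.
"""
import ipaddress

ASSIGN, BLOCK, RESERVE = "assign", "block", "reserve"


class DhcpServer:
    """Minimal model of IP assignment rules keyed by client MAC address."""

    def __init__(self, pool_start, pool_end, unknown_mac_action=ASSIGN, lease_seconds=3600):
        start = int(ipaddress.IPv4Address(pool_start))
        end = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.unknown_mac_action = unknown_mac_action
        self.lease_seconds = lease_seconds
        self.rules = {}   # mac -> (action, reserved_ip or None)
        self.leases = {}  # mac -> (ip, expiry timestamp)

    def add_rule(self, mac, action, ip=None):
        """Add an explicit rule for a MAC; Reserve IP requires an address."""
        if action == RESERVE and ip is None:
            raise ValueError("Reserve IP needs an IP address")
        self.rules[mac.lower()] = (action, ip)

    def request(self, mac, now):
        """Handle a request from `mac` at time `now` (seconds).

        Returns the offered IP, or None when the MAC is blocked or the pool
        is exhausted. A MAC without an explicit rule gets the Unknown MAC
        Addresses action.
        """
        mac = mac.lower()
        action, reserved_ip = self.rules.get(mac, (self.unknown_mac_action, None))
        if action == BLOCK:
            return None
        if action == RESERVE:
            self.leases[mac] = (reserved_ip, now + self.lease_seconds)
            return reserved_ip
        # Assign IP: a client with an unexpired lease keeps the same address.
        lease = self.leases.get(mac)
        if lease is not None and lease[1] > now:
            self.leases[mac] = (lease[0], now + self.lease_seconds)
            return lease[0]
        in_use = {ip for m, (ip, expiry) in self.leases.items() if expiry > now and m != mac}
        reserved = {ip for rule_action, ip in self.rules.values() if rule_action == RESERVE}
        for candidate in self.pool:
            if candidate not in in_use and candidate not in reserved:
                self.leases[mac] = (candidate, now + self.lease_seconds)
                return candidate
        return None


if __name__ == "__main__":
    server = DhcpServer("10.0.3.10", "10.0.3.12")
    server.add_rule("aa:aa:aa:00:00:01", RESERVE, "10.0.3.50")
    server.add_rule("aa:aa:aa:00:00:02", BLOCK)
    for client in ("aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"):
        print(client, "->", server.request(client, now=0))
```

Setting `unknown_mac_action=BLOCK` turns the server into an allow-list: only MACs with an explicit Assign IP or Reserve IP rule ever receive an address, which is the restrictive configuration the Block default gives you on the GUI.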

You can configure FortiGate to act as your local DNS server. You can enable and configure DNS
separately on each interface.

A local DNS server can improve performance for your FortiMail device or other devices that use DNS
queries frequently. If your FortiGate device offers DHCP to your local network, you can use DHCP to
configure those hosts to use FortiGate as both the gateway and DNS server.

FortiGate can answer DNS queries in one of three ways:

• Forward: relays all queries to a separate DNS server (that you have configured in Network > DNS);
that is, it acts as a DNS relay instead of a DNS server.
• Non-Recursive: replies to queries for items in the FortiGate DNS databases and does not
forward unresolvable queries.
• Recursive: replies to queries for items in the FortiGate DNS databases and forwards all other
queries to a separate DNS server for resolution.

You can configure all modes on the GUI or CLI.

If you select Recursive, FortiGate queries its own database before forwarding unresolved
requests to the external DNS servers.

If you select Forward to System DNS, you can control DNS queries within your own network,
without having to enter any DNS names in the FortiGate DNS server.

If you choose to have your DNS server resolve queries, or you choose a split DNS, you must set
up a DNS database on your FortiGate device.

This defines the host names that FortiGate resolves queries for. Note that FortiGate currently
supports only the DNS record types listed on this slide.
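The difference between the three modes (Forward, Non-Recursive, Recursive) comes down to whether the local DNS database is consulted and whether misses are relayed to the system DNS servers. The following Python model of one interface's DNS service is an added example, not FortiOS code and not from the study guide; the local zone records and the dictionary standing in for the servers configured under Network > DNS are constructed.

```python
"""Simulation of the three FortiGate DNS service modes: Forward,
Non-Recursive and Recursive, answering queries against a local DNS database.

Added example, not FortiOS code. The local zone records and the stand-in
for the system DNS servers (Network > DNS) are constructed.
"""
FORWARD, NON_RECURSIVE, RECURSIVE = "forward", "non-recursive", "recursive"

# Constructed local DNS database, keyed by (name, record type).
LOCAL_DB = {
    ("intranet.example.com", "A"): ["192.0.2.10"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("example.com", "MX"): ["mail.example.com"],
}

# Constructed stand-in for the external servers configured under Network > DNS.
SYSTEM_DNS = {
    ("www.example.org", "A"): ["198.51.100.80"],
}


class DnsService:
    """DNS service bound to one interface, running in one of the three modes."""

    def __init__(self, mode, local_db=LOCAL_DB, system_dns=SYSTEM_DNS):
        if mode not in (FORWARD, NON_RECURSIVE, RECURSIVE):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.local_db = local_db
        self.system_dns = system_dns
        self.forwarded = []  # queries relayed upstream, kept for inspection

    def resolve(self, name, rtype="A"):
        """Return the answer list for the query, or None when unresolvable."""
        key = (name.lower().rstrip("."), rtype.upper())
        if self.mode != FORWARD:
            # Non-Recursive and Recursive consult the local database first.
            answer = self.local_db.get(key)
            if answer is not None:
                return answer
            if self.mode == NON_RECURSIVE:
                return None  # unresolvable queries are not forwarded in this mode
        # Forward mode relays every query; Recursive forwards only local misses.
        self.forwarded.append(key)
        return self.system_dns.get(key)


if __name__ == "__main__":
    for mode in (FORWARD, NON_RECURSIVE, RECURSIVE):
        svc = DnsService(mode)
        print(mode, svc.resolve("intranet.example.com"), svc.resolve("www.example.org"))
```

Note what Forward mode does with an internal name: because it never looks at the local database, `intranet.example.com` is relayed to the system DNS servers and, if they do not know it, the query fails; that is the "relay, not server" behaviour the text describes, and the reason a split DNS needs Recursive or Non-Recursive mode with a populated database.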


Good job! You now know how to enable DHCP and DNS services on FortiGate, and
have some understanding of configuration possibilities. Now, you will learn about
fundamental maintenance.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in the basic maintenance of FortiGate, you will be able to perform the
vital activities of backing up and restoring configurations, upgrading and downgrading firmware, and
ensuring that FortiGate remains reliably in service throughout its lifecycle.

Now that FortiGate has basic network settings and administrative accounts, you will learn how to back
up the configuration. In addition to selecting the destination of the backup file, you can choose to
encrypt or not to encrypt the backup file. Even if you choose not to encrypt the file, which is the
default, the passwords stored in the file are hashed, and, therefore, obfuscated. The passwords that
are stored in the configuration file would include passwords for the administrative users and local
users, and preshared keys for your IPSec VPNs. It may also include passwords for the FSSO and
LDAP servers.

The other option is to encrypt the configuration file with a password. Besides securing the privacy of
your configuration, it also has some effects you may not expect. After encryption, the configuration
file cannot be decrypted without the password and a FortiGate of the same model and firmware. This
means that if you send an encrypted configuration file to Fortinet technical support, even if you give
them the password, they cannot load your configuration until they get access to the same model of
FortiGate. This can cause unnecessary delays when resolving your ticket.

If you enable virtual domains (VDOMs), subdividing the resources and configuration of your
FortiGate device, each VDOM administrator can back up and restore their own configurations. You
don’t have to back up the entire FortiGate configuration; however, it is still recommended.

Backups are needed to help speed up the return to production in the event of an unforeseen
disaster that damages FortiGate. Having to recreate hundreds of policies and objects from
scratch takes a significant amount of time, while loading a configuration file on a new device
takes much less.

Restoring a configuration file is very similar to backing one up and restarts FortiGate.


If you open the configuration file in a text editor, you’ll see that both encrypted and unencrypted
configuration files contain a cleartext header that contains some basic information about the device.
The example on this slide shows what information is included. To restore an encrypted
configuration, you must upload it to a FortiGate device of the same model and firmware, then
provide the password.

To restore an unencrypted configuration file, you are required to match only the FortiGate model. If
the firmware is different, FortiGate will attempt to upgrade the configuration. This is similar to how it
uses upgrade scripts on the existing configuration when upgrading firmware. However, it is still
recommended to match the firmware on FortiGate to the firmware listed in the configuration file.

Usually, the configuration file contains only non-default settings, plus a few default, yet crucial,
settings. This minimizes the size of the backup, which could otherwise be several megabytes in
size.
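Because both encrypted and unencrypted backups start with a cleartext header naming the model and firmware, the restore rules above (encrypted: same model and firmware; unencrypted: same model, firmware mismatch tolerated with an upgrade attempt) can be checked before uploading anything. The script below is an added example, not FortiOS code and not from the study guide. Its header layout is modelled on the `#config-version=` line FortiOS writes at the top of a backup; the build number, date and the sample header itself are constructed, and it takes whether the file is encrypted as an input rather than detecting it.

```python
"""Pre-restore check for a FortiGate configuration backup, using the
cleartext header that both encrypted and unencrypted backups carry.

Added example, not FortiOS code. The header layout is modelled on the
'#config-version=' line FortiOS writes at the top of a backup; the build
number, date and the sample header below are constructed.
"""
import re

HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<firmware>\d+\.\d+\.\d+)"
    r"-FW-build(?P<build>\d+)-(?P<date>\d+)"
    r":opmode=(?P<opmode>\d):vdom=(?P<vdom>\d):user=(?P<user>\S+)$"
)

# Constructed sample header (model and version strings in FortiOS style).
SAMPLE_HEADER = "#config-version=FGVM64-7.0.1-FW-build0157-210714:opmode=0:vdom=0:user=admin"


def parse_header(first_line):
    """Return the header fields as a dict, or raise ValueError if the line is not a backup header."""
    m = HEADER_RE.match(first_line.strip())
    if m is None:
        raise ValueError("not a FortiGate configuration header")
    return m.groupdict()


def restore_check(header_line, device_model, device_firmware, encrypted):
    """Decide whether the backup can be loaded on the target device.

    Returns (ok, messages). An encrypted backup needs the same model and
    firmware; an unencrypted one needs only the model, with a warning when
    the firmware differs because FortiGate will then try to upgrade the
    configuration on restore.
    """
    info = parse_header(header_line)
    if info["model"] != device_model:
        return False, [f"model mismatch: backup is for {info['model']}, device is {device_model}"]
    if info["firmware"] != device_firmware:
        note = f"firmware mismatch: backup is {info['firmware']}, device runs {device_firmware}"
        if encrypted:
            return False, [note + "; an encrypted backup needs matching firmware"]
        return True, [note + "; FortiGate will attempt to upgrade the configuration, "
                             "matching the firmware first is recommended"]
    return True, []


if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER))
    print(restore_check(SAMPLE_HEADER, "FGVM64", "7.0.5", encrypted=False))
```

The same header is what support would read first when you send them a file, which is why the text recommends sending an unencrypted backup: the model still has to match, but the firmware constraint disappears.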

You can view the current firmware version in multiple places on the FortiGate GUI. When you first
log in to FortiGate, the landing page is the dashboard. You can see the firmware version in the
System widget. This information is also found at System > Firmware. And, of course, you can
retrieve the information on the CLI using the command get system status.

If a new version of the firmware is available, you are notified on the dashboard and on the Firmware page.

Remember to read the Release Notes to make sure that you understand the supported upgrade
path. The Release Notes also provide pertinent information that may affect the upgrade.

Upgrading the firmware on FortiGate is simple. Click System > Firmware, and then browse to the
firmware file that you have downloaded from support.fortinet.com or choose to upgrade
online.

If you want to do a clean installation by overwriting both the existing firmware and its current
configuration, you can do this using the local console CLI, within the boot loader menu, while
FortiGate is rebooting. However, this is not the usual method.

You can also downgrade the firmware. Because settings change in each firmware version, you
should have a configuration file in the syntax that is compatible with the firmware.

Remember to read the Release Notes. Sometimes a downgrade between firmware versions that
preserves the configuration is not possible. In that situation, the only way to downgrade is to
format the disk, then reinstall.

After you’ve confirmed that the downgrade is possible, verify everything again, then start the
downgrade. After the downgrade completes, restore a configuration backup that is compatible with
that version.

Why should you keep emergency firmware and physical access?

Earlier firmware versions do not know how to convert later configurations. Also, when upgrading
through a path that is not supported by the configuration translation scripts, you might lose all
settings except basic access settings, such as administrator accounts and network interface IP
addresses. Another rare, but possible, scenario is that the firmware could be corrupted when you are
uploading it. For all of those reasons, you should always have local console access during an
upgrade. However, in practice, if you read the Release Notes and have a reliable connection to the
GUI or CLI, it should not be necessary.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in the lesson.

This slide shows the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how and where FortiGate fits
into your network and how to perform basic FortiGate administration.

Security Fabric

In this lesson, you will learn about the Fortinet Security Fabric.

In this lesson, you will learn about the topics shown on this slide.

By demonstrating competence in deploying the Fortinet Security Fabric, using and extending the
Security Fabric features, and understanding its topology, you will be able to use the Fortinet Security
Fabric effectively in your network.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding key concepts of the Fortinet Security Fabric, you
will better understand the value of the Security Fabric, the servers that comprise it, and how to
deploy it.

What is the Fortinet Security Fabric?

It is a Fortinet enterprise solution that enables a holistic approach to network security, whereby the
network landscape is visible through a single console and all network devices are integrated into a
centrally managed and automated defence.

The network devices include all components, from physical endpoints to virtual devices in the cloud.
Because devices are centrally managed and are sharing threat intelligence with one another in real
time, and are receiving updates from Fortinet at the macro level, your network can quickly identify,
isolate, and neutralize threats as they appear.

The Security Fabric has the following attributes:


• Broad: It provides visibility of the entire digital attack surface to better manage risk
• Integrated: It provides a solution that reduces the complexity of supporting multiple point products
• Automated: Threat intelligence is exchanged between network components in real time, allowing for automated response to threats

A fourth attribute could be added to this description of the Security Fabric: open. The API and
protocol are available for other vendors to join and for partner integration. This allows for
communication between Fortinet and third-party devices.

Why has Fortinet deemed the Security Fabric an essential solution for a robust network defence?

As networks evolved and various new types of threats surfaced, point security products were
deployed to address these emerging threats. Often, these piecemeal solutions were effective,
but deploying products using different standards and protocols meant that defence assets could
not be effectively coordinated.

The illustration on the right side of the slide tells a story of a network that has deployed security
solutions from four different vendors. The administrator at the center, working from the security
console, has visibility into only some of the security solutions. This lack of visibility of the entire
network defence is a serious flaw, and could allow a foreign infiltrator to breach network defences
undetected.

The sheer complexity of today’s networks compounds this problem. In addition, increasingly
sophisticated malware has an expanding attack surface on which to exploit, because networks have
broken out of the confines of a traditional network perimeter and have expanded to virtualized
networks and public clouds. Add to this mix, the ever growing numbers of unmanaged devices, as a
result of BYOD programs, and you have the perfect security storm.

The most feasible solution is to build a centrally managed, holistic approach to security, whereby
you have a clear line of sight to all potential infiltration points and can coordinate defences to
contain and neutralize network breaches.

As shown on this slide, the Fortinet Security Fabric offers eight solutions: network access, security
WLAN/LAN, public and private cloud infrastructure, applications, endpoint, security operations,
open fabric ecosystem, and fabric management center. Each of these solutions is based on
specific use cases and involve the integration of specific Fortinet products.

The Fortinet Security Fabric offers network security with FortiGate, IPS, VPN, SD-WAN. It also
offers multi cloud strategy across public clouds, private clouds, hybrid clouds, and software as a
service (SaaS). It also offers quite a sophisticated endpoint offering ranging from the Fabric Agent
all the way up to full endpoint protection, email security, web application security, secure access
across distributed enterprises and SD WAN environments, advanced threat protection,
management and analytics, and security information and event management (SIEM).

All of these are underscored and supported by FortiGuard Services, which deliver AI-powered
intelligence and protection across the Security Fabric.

FortiGate and FortiAnalyzer create the core of the Security Fabric. To add more visibility and control,
Fortinet recommends adding FortiManager, FortiAP, FortiClient, FortiSandbox, FortiMail, FortiWeb,
FortiAI, and FortiSwitch. The solution can be extended by adding other network security devices.


Good job! You now understand the basics of the Fortinet Security Fabric.

Next, you’ll learn how to deploy the Security Fabric in your network environment.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in the deployment of the Fortinet Security Fabric, you will better
understand the value of the Security Fabric and how it helps to manage all your network devices
more efficiently.

In this simple network that comprises only the core devices of a Security Fabric, there is one
FortiAnalyzer and one next-generation firewall (NGFW) FortiGate. This implementation example is
intended to be a high level view only. For more detail, see docs.fortinet.com. The FortiGate
device named External is acting as the edge firewall and will also be configured as the root firewall
within the Security Fabric. Downstream from the root firewall there are three internal segmentation
firewalls that compartmentalize the WAN in order to contain a breach and control access to various
LANs. In this example, there are Accounting, Marketing, and Sales LANs.

First, on the root FortiGate, you must enable Security Fabric Connection in the interfaces facing
any downstream FortiGate. If you select Serve as Fabric Root, you also need to configure the
FortiAnalyzer IP address. Then, you need to configure a fabric name for the Security Fabric. This
FortiAnalyzer configuration will be pushed to all the downstream FortiGate devices. All downstream
FortiGate devices send logs directly to FortiAnalyzer.

You can also preauthorize your downstream devices by adding the serial number of the device.
When you add the serial number of a Fortinet device to the trusted list on the root FortiGate, the
device can join the Security Fabric as soon as it connects. After you authorize the new FortiGate,
additional connected FortiAP and FortiSwitch devices automatically appear in the topology tree. On
the topology tree, it's easier for you to authorize them with one click.

The second step in implementing the Security Fabric is configuring the downstream Fortinet devices.
On the downstream FortiGate devices, you must enable Security Fabric Connection and Device
Detection on the interfaces facing the downstream FortiGate devices. On the Fabric Connectors
page, select Join Existing Fabric and add the root (upstream) FortiGate IP address. The root
FortiGate pushes its FortiAnalyzer configuration to all downstream FortiGate devices.

The third step in implementing the Security Fabric is to authorize the downstream FortiGate
device on both the root FortiGate and the FortiAnalyzer. Click the serial number of the highlighted
downstream FortiGate device and select Authorize. After a few seconds, the downstream
FortiGate will join the Security Fabric. In order to complete the full Security Fabric process, you will
need to authorize all your devices on the FortiAnalyzer. From the FortiAnalyzer Device Manager
section, select all your devices in the Security Fabric and click Authorize. After a few seconds, you
will notice all your authorized devices join the Security Fabric.

When the Security Fabric is enabled, the settings that sync various objects, such as addresses,
services, and schedules, from the upstream FortiGate to all downstream FortiGate devices are
enabled by default. Synchronization always happens from the root FortiGate to downstream
FortiGate devices. Any object that can be synced will be available on downstream FortiGate
devices after synchronization.

The CLI command set fabric-object-unification is only available on the root FortiGate.
When set to local, global objects will not be synchronized to downstream devices in the Security
Fabric. The default value is default.

The CLI command set configuration-sync local is used when a downstream FortiGate
doesn’t need to participate in object synchronization. When set to local on a downstream FortiGate,
the device does not synchronize objects from the root, but will still participate in sending the
synchronized objects downstream.

You can also enable or disable per-object synchronization in the Security Fabric. This option is not
available for objects you create on a downstream FortiGate. Fabric synchronization is disabled by
default for supported fabric objects, and these fabric objects are kept as locally created objects on all
the FortiGate devices in the Security Fabric. If object synchronization is disabled on the root
FortiGate, using the command set fabric-object disable, firewall addresses and address
groups will not be synchronized to downstream FortiGate devices.


If there is an object conflict during synchronization, you’ll get a notification to resolve the
conflict. In the topology tree, Remote-FortiGate is highlighted in amber because there is a
conflict.
In the example shown on this slide, you will examine how to resolve a syncing conflict.
1. The notification icon displays this message: Firewall objects are in conflict with other
FortiGates in the fabric. Click Review firewall object conflicts.
2. On the Firewall Object Synchronization page, you can see that both the root FortiGate and
downstream FortiGate devices contain the synn_add_1 object (with a different IP address/subnet
schema on each device), causing a status of Content mismatch. In the Strategy field, there are
two options to resolve the conflict: Automatic and Manual. If you select Automatic, as shown in
this example, you can then click Rename All Objects.


3. Remote-FortiGate is appended to the name of the downstream FortiGate device sync_Add_1
address object and the status has changed to Resolved.
4. In the topology tree, none of the FortiGate devices are highlighted.
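The object synchronization rules described earlier (root pushes only objects with fabric synchronization enabled, downstream devices keep their local objects) and the conflict handling walked through in this example can be modelled together. The following Python is an added example, not FortiOS code and not from the study guide: the device name, object names and subnets are constructed, and the renamed-object format `<name>_<device>` is an assumption about how the appended device name is formatted.

```python
"""Simulation of Security Fabric firewall-object synchronization, including
the 'Content mismatch' conflict and the Automatic strategy (Rename All Objects).

Added example, not FortiOS code. Device names, object names and subnets are
constructed, and the renamed-object format '<name>_<device>' is an assumption
about how the device name is appended.
"""
from copy import deepcopy

# Constructed address objects: name -> {"subnet": ..., "fabric_object": bool}.
# fabric_object models per-object synchronization being enabled on the root.
ROOT_OBJECTS = {
    "sync_add_1": {"subnet": "10.1.0.0/24", "fabric_object": True},
    "sync_add_2": {"subnet": "10.2.0.0/24", "fabric_object": True},
    "root_only": {"subnet": "10.9.0.0/24", "fabric_object": False},
}
DOWNSTREAM_OBJECTS = {
    # Same name as on the root but different content: the conflict case.
    "sync_add_1": {"subnet": "172.16.1.0/24", "fabric_object": False},
    "local_srv": {"subnet": "172.16.5.0/24", "fabric_object": False},
}


def object_statuses(root, downstream):
    """Return {name: status} for each object on the downstream device."""
    statuses = {}
    for name, obj in downstream.items():
        if name not in root:
            statuses[name] = "Local only"
        elif root[name]["subnet"] == obj["subnet"]:
            statuses[name] = "In sync"
        else:
            statuses[name] = "Content mismatch"
    return statuses


def rename_all_objects(device_name, root, downstream):
    """Automatic strategy: rename each mismatched downstream object by appending the device name."""
    renamed = {}
    for name, obj in downstream.items():
        if object_statuses(root, {name: obj})[name] == "Content mismatch":
            renamed[f"{name}_{device_name}"] = obj
        else:
            renamed[name] = obj
    return renamed


def push_fabric_objects(root, downstream):
    """Root-to-downstream sync: only objects with synchronization enabled are copied."""
    result = deepcopy(downstream)
    for name, obj in root.items():
        if obj["fabric_object"]:
            result[name] = deepcopy(obj)
    return result


def resolve_and_sync(device_name, root, downstream):
    """Resolve conflicts first, then synchronize; return the downstream object table."""
    resolved = rename_all_objects(device_name, root, downstream)
    return push_fabric_objects(root, resolved)


if __name__ == "__main__":
    print("before:", object_statuses(ROOT_OBJECTS, DOWNSTREAM_OBJECTS))
    after = resolve_and_sync("Remote-FortiGate", ROOT_OBJECTS, DOWNSTREAM_OBJECTS)
    print("after:", object_statuses(ROOT_OBJECTS, after))
```

The order matters: renaming before pushing is what preserves the downstream device's own `sync_add_1` definition (now `sync_add_1_Remote-FortiGate`) instead of silently overwriting it with the root's copy, and any policy on the downstream device that referenced the old object should be reviewed to confirm it now points at the intended one.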

There are two VDOM modes: split-vdom and multi-vdom. In split-vdom mode, FortiGate has two
VDOMs in total, including root and FG-traffic vdoms. You cannot add VDOMs in split-vdom
mode.

1. split-vdom mode:

a) The root VDOM in split-vdom mode is the management VDOM and does only management
work. The following navigation bar entries and pages are hidden in the root vdom:

• All Policy & Object entries
• User & Device, Security Profiles
• Traffic-related FortiView entries
• VPN entries
• System > Fabric Connectors, Reputation, Feature Visibility, Object Tags entries
• Wan-Opt entries
• Most route entries
• Most log event entries
• Monitor entries

b) The FG-traffic VDOM can provide separate security policies and allow traffic through FortiGate.

2. In multi-vdom mode, you can create multiple VDOMs that function as multiple independent
units. By default, the root is the management VDOM and can be used to do both management
tasks and allow other traffic. You can select any VDOM to act as the management VDOM.

You can enable FortiGate Security Fabric in split-task VDOM mode. If you enable split-task VDOM
mode on the upstream FortiGate device, it can allow downstream FortiGate devices to join the
Security Fabric in the root and FG-traffic VDOMs. If split-task VDOM mode is enabled on the
downstream FortiGate, it can connect to the upstream FortiGate only through the downstream
FortiGate interface on the root VDOM.

Telemetry settings are shown in both global and VDOM contexts, but in the VDOM
context, only the topology and FortiTelemetry-enabled interface fields are shown.

You can click Global > Physical Topology to see the root FortiGate and all downstream FortiGate
devices that are in the same Security Fabric as the root FortiGate. You can click root > Physical
Topology or FG Traffic > Physical Topology to see the root FortiGate and only the downstream
FortiGate devices that are connected to the current selected VDOM on the root FortiGate.

When you configure FortiGate devices in multi-vdom mode and add them to the Security Fabric,
each VDOM with its assigned ports is displayed when one or more devices are detected. Only the
ports with discovered and connected devices appear in the Security Fabric view and, because of
this, you must enable Device Detection on ports you want to have displayed in the Security
Fabric. VDOMs without ports with connected devices are not displayed. All VDOMs configured must
be part of a single Security Fabric. In the example shown on this slide, the Local-FortiGate is
configured in multi-VDOM mode, and has three VDOMs (root, VDOM1, and VDOM2), each with
ports that have connected devices.

Device identification is an important component in the Security Fabric. FortiGate detects most of
the third-party devices in your network and adds them to the topology view in the Security Fabric.
There are two device identification techniques: with an agent and without an agent (agentless).

Agentless identification uses traffic from the device. Devices are indexed by their MAC address and
there are various ways to identify devices, such as the HTTP User-Agent header, TCP fingerprint, MAC
address OUI, and FortiOS-VM detection methods, to name a few. Agentless device identification is
only effective if FortiGate and the workstations are on directly connected network segments, where
traffic is sent directly to FortiGate, and there is no intermediate router or Layer 3 device between
FortiGate and the workstations.

Note that FortiGate uses a first come, first served approach to determine the device identity. For
example, if a device is detected by the HTTP user agent, FortiGate updates its device table with the
detected MAC address and scanning stops as soon as the type has been determined for that MAC
address.

Agent-based device identification uses FortiClient. FortiClient sends information to FortiGate, and
the device is tracked by its unique FortiClient user ID (UID).

By default, FortiGate uses device detection (passive scanning), which runs scans based on the
arrival of traffic.
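Two consequences of agentless identification are easy to miss: the first method that succeeds fixes a MAC's type for good, and anything behind a router arrives with the router's MAC and so collapses into a single entry. The following Python model of a passively scanned device table is an added example, not FortiOS code and not from the study guide; the User-Agent hints, the OUI vendor table and the traffic observations are constructed, and only two of the detection methods named above are modelled.

```python
"""Simulation of agentless device identification in the Security Fabric:
the device table is keyed by MAC address and, following FortiGate's
first-come, first-served rule, scanning stops once a type has been found.

Added example, not FortiOS code. The User-Agent hints, OUI vendor table and
traffic observations are constructed.
"""
# Constructed lookup tables for two agentless methods.
USER_AGENT_HINTS = {"windows nt": "Windows PC", "iphone": "iPhone", "android": "Android"}
OUI_VENDORS = {"aa:bb:cc": "Acme printer", "dd:ee:ff": "Example phone"}


def identify_by_user_agent(observation):
    """HTTP User-Agent method: match a known substring of the header."""
    ua = (observation.get("user_agent") or "").lower()
    for hint, device_type in USER_AGENT_HINTS.items():
        if hint in ua:
            return device_type
    return None


def identify_by_oui(observation):
    """MAC OUI method: the first three octets identify the vendor."""
    return OUI_VENDORS.get(observation["mac"][:8])


# Methods are tried in this order; the first hit decides the device type.
METHODS = [("http-user-agent", identify_by_user_agent), ("mac-oui", identify_by_oui)]


class DeviceTable:
    """Device table filled by passive scanning of arriving traffic."""

    def __init__(self):
        self.devices = {}  # mac -> (device_type, method that identified it)

    def observe(self, mac, user_agent=None):
        """Passive scan triggered by a packet from `mac`; returns the table entry or None."""
        mac = mac.lower()
        if mac in self.devices:
            return self.devices[mac]  # already identified: scanning stopped for this MAC
        observation = {"mac": mac, "user_agent": user_agent}
        for method_name, method in METHODS:
            device_type = method(observation)
            if device_type is not None:
                self.devices[mac] = (device_type, method_name)
                return self.devices[mac]
        return None


if __name__ == "__main__":
    table = DeviceTable()
    print(table.observe("aa:bb:cc:00:00:01", "Mozilla/5.0 (Windows NT 10.0)"))
    print(table.observe("aa:bb:cc:00:00:01", "Mozilla/5.0 (iPhone)"))  # unchanged
    print(table.observe("dd:ee:ff:00:00:02"))
```

For detection engineering this has a practical side: a device that first shows up with a misleading User-Agent keeps that identity until the entry ages out, so device type from agentless identification should be treated as a hint, and FortiClient's per-user UID (the agent-based method) as the authoritative source where it is available.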
