
Fortinet NSE4 Notes

Source:
I. Security
II. Infrastructure

1. Introduction & Initial Configuration


a. What are the key features, services and built-in servers of FortiGate?
FortiGate is a firewall. A firewall is a multifunctional device that inspects network traffic.
It uses policies to enforce traffic rules: where traffic goes, how it is handled, whether it is
allowed to pass, and so on.
FortiGate can also act as a DNS server or a DHCP server. These services are enabled per interface
under Network > Interfaces.
Platform design features of FortiGate: security profiles provide web filtering, application
control, IPS (intrusion prevention system), antivirus and VPN services.
FortiGate SPUs (security processing units) are specialized, optimized circuits referred to as
"acceleration hardware". They offload work from the main CPU, accelerating packet forwarding,
IPsec encryption and the pattern matching used by IPS and antivirus, so the CPU is left for tasks
that cannot be offloaded. FortiGate-VM, used in virtualized networks and the cloud, has no SPUs
and runs everything on the vCPUs allocated to the virtual machine.
b. What is the relationship between FortiGate and FortiGuard?
FortiGuard is Fortinet's subscription service.
FortiGate uses it in two ways: it downloads packages containing new signatures (antivirus,
application control and IPS definitions), and it performs live queries to rate web content, check
for spam or malicious websites, and classify DNS requests. Package downloads are pulled over TCP
(HTTPS on port 443 by default). FortiGuard servers present SSL certificates signed by a trusted
certificate authority, which FortiGate verifies before accepting any package. FortiGate picks a
FortiGuard data center from a server list ordered by proximity to its configured time zone.
c. What are the factory defaults? What about basic network settings and console
ports?
NAT mode is the default operation mode: FortiGate routes at Layer 3, so every interface that
carries traffic needs an IP address.

S&T România
Hardware is configured out of the box by connecting to the MGMT interface or port1. All FortiGate
models have a console port and a USB management port. Management access must never be exposed to
the Internet.
The default management IP address is 192.168.1.99 with netmask 255.255.255.0. The default
credentials are the user "admin" with a blank password; current firmware prompts for a new
password at the first login.
A default route (0.0.0.0/0 via the upstream gateway) and/or static routes have to be configured
for FortiGate to function properly. Without a default route the device can only reach hosts on
the subnets directly attached to its own interfaces.
Transparent operation mode, by contrast, forwards traffic at Layer 2 based on MAC addresses, so
the data interfaces carry no IP addresses and the device is invisible to the routed topology.

d. How are administrative user accounts created? How are their permissions granted?
What is their configuration method?
The command line interface (CLI) and the graphical user interface (GUI) are the two
administration methods available on FortiGate; everything the GUI does is also available from
the CLI, and some settings exist only there.
Administrator accounts are created under System > Administrators > Create New. An admin profile
is assigned to each account. Permissions (read-write, read-only or none) restrict access to
specific features and are defined per profile in the System > Admin Profiles window. The built-in
profile "super_admin" provides full global access, while "prof_admin" gives full access inside a
VDOM. Each profile also has an override idle timeout option that replaces the global admin timeout
for accounts using that profile. Give each administrator the least profile that covers the job
and keep super_admin accounts to a minimum.

e. What are VDOMs?
Virtual domains are a way of subdividing the resources of a single device. They split the
FortiGate into multiple virtual devices, each with its own interfaces, routing table and security
policies. By default, two virtual domains cannot communicate with each other. Because each VDOM
has its own routing table, two VDOMs can use the same IP subnets without overlap problems.
Most FortiGate models support up to 10 VDOMs by default; larger models can license more.
f. How are backup and restore tasks performed? How would an encrypted configuration
file be restored?
Use the admin menu (top right) > Configuration > Backup and Restore to access these settings.
A backup can be saved as plain text or encrypted with a password; the plain-text file still
contains sensitive settings (pre-shared keys, credentials), so protect it as carefully as the
device itself. To restore an encrypted configuration, the same password is required, and the
file must be uploaded to a FortiGate of the same model running the same firmware version and
build; otherwise compatibility issues may arise.
g. How is the firmware upgraded?
The running firmware version can be identified with the CLI command "get system status" or on
the System > Firmware & Registration page (System > Fabric Management on older releases). It
can be upgraded from the same page in the GUI. Before upgrading, back up the configuration,
read the release notes and follow Fortinet's recommended upgrade path, because skipping versions
can leave the configuration incorrectly converted.
h. Extra coverage
Administrative access can be restricted by configuring trusted hosts (the subnets an
administrator may connect from), by enabling only secure access protocols (HTTPS and SSH, not
HTTP or Telnet) on the interfaces, and by changing the default HTTPS and SSH ports.
A virtual local area network (VLAN) splits the physical LAN into multiple logical LANs, each
identified by a tag. Multiple VLANs can coexist on the same physical interface, each as a VLAN
sub-interface with its own IP address. They are created through the Network > Interfaces
window.
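The initial configuration described in this section, written out as an added example (this is not
configuration from the original notes). Interface names, addresses, the VLAN ID and the password
are assumptions; the DNS servers are the FortiGuard defaults.

```fortios
# Added example, not from the original notes. Interfaces, subnets, VLAN ID and
# the placeholder password are assumptions for illustration.
config system interface
    edit "port1"
        set alias "WAN"
        set mode static
        set ip 203.0.113.2 255.255.255.248
        # No HTTPS/SSH on the Internet-facing interface: management stays internal
        set allowaccess ping
    next
    edit "port2"
        set alias "LAN"
        set mode static
        set ip 192.168.10.1 255.255.255.0
        # Secure protocols only: no http, no telnet
        set allowaccess ping https ssh
    next
    # VLAN sub-interface: tag 20 carried on the port2 trunk
    edit "vlan20"
        set vdom "root"
        set interface "port2"
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
    next
end

# Default route so the unit can reach hosts beyond its directly attached subnets
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "port1"
    next
end

config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
end

# Replace the blank factory password and restrict where admins may log in from
config system admin
    edit "admin"
        set password "Ch4ngeMe-Now!"
        set trusthost1 192.168.10.0 255.255.255.0
        set trusthost2 192.168.20.10 255.255.255.255
    next
end

# Idle admin sessions expire after 10 minutes; lock an account after 3 failed logins
config system global
    set admintimeout 10
    set admin-lockout-threshold 3
    set admin-lockout-duration 60
end
```

Apply the trusted-host lines before removing HTTPS from any interface you are connected through:
a trusted-host mismatch locks that administrator out immediately, and the console port is then the
only way back in.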

2. Firewall Policies
a. Explain firewall policy components
A policy is a set of instructions that controls how traffic flows through the FortiGate. Every
session that passes through the firewall is matched against one policy. A policy is composed of a
type, incoming and outgoing interfaces, source and destination (IP addresses, users or groups),
service definitions, a schedule, NAT settings, an action and the security profiles applied to the
traffic it accepts. By default, the GUI requires a policy name; this can be turned off on the
System > Feature Visibility page. When policies are created from the CLI, names are optional.
Beware of the naming restrictions (names must be unique).
The source field of a policy may contain either address objects or an Internet Service Database
(ISDB) object, but not both.
Multiple interfaces per policy, or the "any" interface, can be enabled from the System > Feature
Visibility window. Note that this disables the Interface Pair view.
A zone is a logical group of interfaces; policies are then written between zones instead of
between individual ports.
Security profiles do not decide whether traffic is allowed; the policy action does. Profiles
inspect the content of the traffic a policy accepts (antivirus, web filter, IPS, application
control) and can block or log based on what they find.
b. Understand how traffic is matched to policies
FortiGate matches a new session against policies using the incoming and outgoing interfaces,
source and destination addresses (and user or device, if configured), the service (protocol and
port number) and the schedule. Policies are evaluated from top to bottom in the listed order, and
the first policy whose criteria all match is applied (accept or deny); nothing below it is
considered. If no policy matches, the implicit deny policy (ID 0) at the bottom of the list drops
the packet. Because of this, specific policies must sit above general ones: an overly broad policy
placed high in the list shadows every policy beneath it.
c. Use the policy list views
Firewall policies appear in an organized list. The two available views are Interface Pair view
(policies grouped by source and destination interface pair) and By Sequence view (one flat list).
In both views the policies are listed in the order they are evaluated for traffic matching.
d. Where is an object referenced?
The number in the Ref column of an object list shows how many times that object is used (in
policies, groups, routes and so on). Clicking the number opens the list of places where the object
is referenced. An object with a non-zero reference count cannot be deleted until those references
are removed.
e. Demonstrate how to find matching policies for traffic type
The Policy Lookup tool on the firewall policy page takes a source interface, protocol, source and
destination address and port as input and highlights the policy that such a session would match,
without any actual traffic having to pass through. It is the quickest way to find out which policy
is shadowing another.
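The policy components and the top-down, first-match evaluation from this section, as an added
example that is not configuration from the original notes. The interface names, the subnet, the
profile names and the policy IDs are assumptions.

```fortios
# Added example, not from the original notes. Interfaces, subnet and profile names
# are assumptions.
config firewall address
    edit "LAN_subnet"
        set subnet 192.168.10.0 255.255.255.0
    next
end

config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        # Security profiles inspect the content of the traffic this policy accepts;
        # they do not decide whether it is accepted
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set logtraffic all
    next
    edit 2
        set name "Block-SMTP-from-LAN"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SMTP"
        # log denied sessions so the block is visible in the forward traffic log
        set logtraffic all
    next
    # Policies are evaluated top-down by sequence, not by ID: created second, the
    # deny would never be reached if SMTP were in policy 1's service list, so keep
    # the specific deny above the broad accept.
    move 2 before 1
end
```

Anything that matches neither policy (for example an outbound SSH session) hits the implicit deny
policy (ID 0) and is dropped; enable "Log violation traffic" on the implicit deny when you need to
see those drops.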

3. Monitoring and Logging
a. Understand log basics
The logging workflow: traffic that a policy (or a security profile) decides to log is recorded as
a log message, and log messages are stored in log files. A log message consists of a header
(fields common to all logs: date, time, log ID, type, subtype, severity level) and a body (fields
specific to that log type, such as source and destination, policy ID, action and user).
Log severity levels run from 0 (Emergency) to 6 (Information); level 7 (Debug) also exists but is
only used when troubleshooting.
The purpose of logging traffic information is to allow monitoring of the network perimeter and
Internet traffic volume, to diagnose problems, and to establish the normal baseline against which
anomalies and trends are recognized. Service use is tracked and the load on network devices can be
determined. Logging supports incident response and forensic analysis, making it possible to
reconstruct the chain of activities that led to an alleged breach.
Log types are: Traffic [Forward (sessions passing through the FortiGate, accepted or denied by
policy), Local (traffic to or from the FortiGate itself, for example administrative access),
Sniffer (one-arm sniffer interfaces)], Security [Antivirus, Application Control, IPS, Web Filter,
DNS Filter and the other security profiles] and Event [HA, VPN, SD-WAN, Wi-Fi, Endpoint, User,
System and other system events].
b. Describe the effect of logging on performance
The more logs are produced, the more resources are used: the cost falls on CPU, RAM and disk
space, and on the network link to the log server. Log every security event, but think before
logging all allowed traffic on busy policies. Logs stored on the local disk are kept for 7 days by
default. The retention is configurable from the GUI or from the CLI:
config log disk setting
    set status enable
    set maximum-log-age <days>
end
c. Identify log storage options
Logs can be stored locally on the FortiGate disk (or in memory on models without a disk) or sent
to a remote device such as FortiAnalyzer. When the FortiAnalyzer disk quota is full, the oldest
logs are overwritten.
d. Understand disk allocation and reserved space (manage disk quota)
A default percentage of the local disk is allocated for storing logs; the remainder is reserved
for the system. Logs can also be stored on remote devices, which is the recommended option for
anything beyond short-term troubleshooting.
e. Identify external log storage options and configure remote logging
Remote logging has to be enabled first, and the server IP address set to the appliance that
receives the logs. Logs can be stored on the FortiGate disk, sent to a FortiAnalyzer or a
FortiManager (which can receive logs as well), or transferred to a syslog server.
f. Understand log transmission and how to enable reliable logging
By default, FortiGate sends logs to FortiAnalyzer over port 514/UDP. Enabling reliable logging
changes the transport to TCP, so lost segments are retransmitted instead of silently dropped, and
the session can then be encrypted with OFTPS (OFTP over SSL/TLS). For syslog, the default is also
514/UDP and reliable mode switches to TCP (RFC 6587). Use reliable, encrypted logging for anything
that may later be needed as evidence: an attacker who can drop or read UDP log traffic can erase
or tamper with the audit trail.

g. Understand miglogd
miglogd is the log daemon. It writes local logs and forwards logs to remote servers; when
FortiAnalyzer is unreachable it caches the logs on the local disk and transmits them once the
connection is restored, so no logs are lost during the outage as long as the cache does not fill.
h. View and search for log messages on the GUI, LogView and CLI
Traffic logs can be viewed under Log & Report > Forward Traffic (and Local Traffic, Sniffer
Traffic). Log summary data can be viewed in FortiView.
*User-specific fields in logs can be anonymized with the CLI command
config log setting
    set user-anonymize enable
end
i. Configure alert e-mail and threat weight (see the administration guide)
j. Configure log backups, rolling, downloading and uploading
Logs are uploaded to FortiAnalyzer either in real time (the default) or at an interval, such as
every 5 minutes. The store-and-upload option, which batches logs on disk before sending them, is
only available on FortiGate models with an internal hard drive.
k. Best practices
The logs shown on FortiAnalyzer are only as complete as the devices that generate them: enable
logging on every policy that matters and log to a central location in a consistent format.
Synchronize time on all devices (NTP); otherwise logs from different devices cannot be correlated.
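The remote logging, reliable transport, upload and anonymization settings discussed under e, f, h
and j of this section, as one added example (not configuration from the original notes). The
server addresses are assumptions.

```fortios
# Added example, not from the original notes. Server addresses are assumptions.
config log disk setting
    set status enable
    # Delete local logs older than 7 days (the default); raise only if the disk allows
    set maximum-log-age 7
end

config log fortianalyzer setting
    set status enable
    set server "10.0.0.20"
    # TCP instead of UDP: a lost segment is retransmitted rather than silently dropped
    set reliable enable
    # OFTPS: require strong ciphers on the FortiGate-to-FortiAnalyzer session
    set enc-algorithm high
    # Send each log as it is generated; store-and-upload batches on the local disk instead
    set upload-option realtime
end

config log fortianalyzer filter
    # Everything from information upwards, including accepted forward traffic
    set severity information
    set forward-traffic enable
    set local-traffic enable
end

config log syslogd setting
    set status enable
    set server "10.0.0.21"
    set port 514
    # reliable = syslog over TCP (RFC 6587); udp (the default) gives no delivery guarantee
    set mode reliable
    set facility local7
    set format default
end

config log setting
    # Replace user names with anonymized values in stored and forwarded logs
    set user-anonymize enable
end

# Comparable timestamps on FortiGate, FortiAnalyzer and the syslog server
config system ntp
    set ntpsync enable
    set type fortiguard
end
```

After enabling reliable logging, confirm that the FortiAnalyzer connection is actually up (the
FortiAnalyzer settings page shows the status, and the FortiAnalyzer must have the device
authorized); with TCP, an unauthorized device simply queues logs locally.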

4. AV Antivirus Engine
a. Review antivirus scanning techniques
The signature (antivirus) scan is the first, fastest and simplest way to detect malware. It
compares the file against the exact signatures in the FortiGuard antivirus database on the device,
so it stops known threats before they spread.
"Grayware" is unsolicited software such as adware, spyware and toolbars, rather than outright
malware. Grayware scanning is a separate scan type on FortiGate, enabled in the antivirus
settings.
Machine-learning (AI) scanning uses probability models rather than exact signatures, so it can
catch previously unseen samples (0-day attacks). It is enabled by default and reports its
detections under a generic signature name (W32/AI.Pallas.Suspicious).
The scans are performed in the order presented above: signature, then grayware, then machine
learning.
b. Compare all available scanning modes
Stream-based scanning (also called the default scan mode):
is performed with no oversize limit, on a best-effort basis
can inspect the contents of large archive files without buffering the entire file
decompresses and scans the entire archive, up to 12 nested levels; by default FortiGate tries to
undo every layer of compression
Legacy scan mode:
is used to disable stream-based scanning for troubleshooting purposes
is limited by the oversize and uncompressed-oversize limits of the protocol options
Antivirus scanning must be enabled in at least one policy for FortiGate to download antivirus
signature updates. An external (dynamic) malware block list, served from a web server and defined
as a Security Fabric connector, adds MD5, SHA1 and SHA256 hashes of known-bad files to what the
scan matches. A plain hash list is defeated by any change to the file, so it complements
signatures rather than replacing them.
Oversized files, which are not fully scanned, can be sent to a FortiSandbox if one is integrated
in the Security Fabric.
c. Enable FortiSandbox with AV
A sandbox runs the file in an instrumented environment and observes its behavior, so it can
classify samples that have no signature yet. The options are the cloud-based sandbox or the
FortiSandbox appliance. These are subscription-based services and several purchase options exist.
Administrators must configure the antivirus profile to send suspicious files to the sandbox, and
the connector under Security Fabric > Fabric Connectors must be enabled for the sandbox to work.
The sandbox verdict database supplements the FortiGate signature database: files found malicious
by the sandbox are blocked on subsequent sightings.
Inline scanning is supported in proxy-based inspection mode, but only with the FortiSandbox
appliance. The client's file is held until the sandbox returns a verdict, and the configured
action is then applied. Holding files adds latency, so apply it to a narrow set of protocols and
file types.

d. Differentiate between available FortiGuard signature databases
There are multiple signature databases. The database versions can be viewed on the System >
FortiGuard page. The Extended database is available on all models and covers malware seen in the
wild in recent months together with older signatures that are still active. The Extreme database
adds everything else: dormant malware and viruses targeting legacy systems. It is supported on
most models (it needs more memory) and is activated from the CLI with
config antivirus settings
    set use-extreme-db enable
end
Cloud-based lookups (FortiGuard outbreak prevention) exist as well.
e. Configure antivirus profiles and protocol options
Configuring AV profiles is straightforward. A profile is created on the Security Profiles >
Antivirus page and selects, per protocol, what is scanned and what is done with a detection.
Windows executables inside e-mail can be treated as viruses. Outbreak prevention (a FortiGuard
hash lookup) may block malware for which no local signature exists yet.
Protocol options define port mappings for each inspected protocol plus e-mail, web and other
options. They are accessible from the Policy & Objects > Protocol Options page. Oversize limits
can be modified on a per-protocol basis; files that exceed the limit are passed without scanning
unless the oversize action is set to block, so lower the limit only if you also block oversized
files.
f. Apply an antivirus profile in flow-based inspection mode
Flow-based inspection mode performs better. It offers the default (stream-based) and legacy
scanning modes and uses the Extended database by default. It is applied by creating a flow-mode
antivirus profile under Security Profiles > Antivirus and selecting it in a flow-mode policy.
Because flow mode scans packets as they pass and only the last packet of an infected file is
dropped, the client receives a truncated file on the first attempt; the block replacement message
is displayed on the client's second connection attempt.

g. Apply the antivirus profile in proxy-based inspection mode
Proxy-based inspection mode buffers the entire file before scanning. It is resource-heavy, but
more thorough. Files larger than the buffer size are allowed by default, though not scanned.
Sandboxing can be configured. Block messages are displayed immediately to end users, because the
file is never delivered.
The antivirus block page contains the file name, virus name, website host and URL, user name and
group, and a link to the FortiGuard encyclopedia entry for the virus.
It is applied by a proxy-mode antivirus profile (Security Profiles > Antivirus) selected in a
firewall policy whose inspection mode is set to proxy.
h. Use acceleration hardware with antivirus scans
Only flow-based antivirus scanning is accelerated. Hardware acceleration (NTurbo) is supported by
models with NP6, NP7 or SoC4 chips: traffic is redirected through the IPS engine, which runs the
flow scan. FortiGate devices with CP8 or CP9 content processors can additionally offload signature
(pattern) matching to improve performance and reduce CPU utilization.
i. Log and monitor antivirus events and FortiSandbox events
Threat activity is summarized on the Dashboard > FortiView Threats page of the device, and the
Security Fabric topology views show on which network segment it was seen.
The Log & Report > Security Events page contains the individual logged detections. Oversized
files that were skipped should also be logged, so the gap in coverage is visible.
j. Recognize recommended antivirus configuration practices
Antivirus scanning should be applied to every policy that carries Internet traffic. The default
scan size limits should be kept, because scanning larger files implies more memory and resource
utilization.
Firewall policies with antivirus applied should have security event logging enabled.
Deep inspection (full SSL/TLS decryption) is preferred over certificate inspection, because the
antivirus engine cannot see the contents of an encrypted stream; with certificate inspection only
the server certificate is examined and malware inside HTTPS passes unscanned.

Troubleshooting commands:
#execute update-av                        (force a FortiGuard antivirus signature update)
#get system performance status            (CPU, memory and session load)
#diagnose antivirus database-info         (database versions currently in use)
#diagnose antivirus test "get scantime"   (scan-time statistics)
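The antivirus settings, profiles and protocol options covered in d, e, f and g above, as an added
example (not configuration from the original notes). The profile names, the oversize limit and the
choice of protocols are assumptions; quarantine requires a model with a local disk.

```fortios
# Added example, not from the original notes. Profile names and limits are assumptions.
config antivirus settings
    # Extreme DB adds dormant and legacy-platform signatures; it costs memory, so not on small models
    set use-extreme-db enable
    set grayware enable
end

config antivirus profile
    edit "av-flow"
        set comment "Flow-based: scanned by the IPS engine, NTurbo-accelerated"
        set feature-set flow
        config http
            set av-scan block
            # FortiGuard hash lookup catches outbreaks that have no local signature yet
            set outbreak-prevention block
            set external-blocklist block
        end
        config smtp
            set av-scan block
            set outbreak-prevention block
        end
    next
    edit "av-proxy"
        set comment "Proxy-based: whole file buffered, block page shown immediately"
        set feature-set proxy
        config http
            set av-scan block
            set outbreak-prevention block
            set external-blocklist block
            # keep a copy of blocked files for analysis (needs a local disk)
            set quarantine enable
        end
        config ftp
            set av-scan block
        end
    next
end

config firewall profile-protocol-options
    edit "po-av"
        config http
            set ports 80
            # Files above 10 MB are not buffered. The default oversize action is pass:
            # "options oversize" turns it into block, so nothing unscanned slips through.
            set oversize-limit 10
            set options oversize
            set uncompressed-oversize-limit 10
            # undo at most 12 layers of nested archives (the stream-scan limit)
            set uncompressed-nest-limit 12
        end
    next
end
```

Select "av-proxy" together with "po-av" in a policy whose inspection mode is proxy, and
"av-flow" in a flow-mode policy; the oversize action only matters in proxy mode, where the
file is actually buffered.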

5. Virtual Domains (VDOMs)
a. Define and describe virtual domains
A virtual domain splits one FortiGate into multiple logical devices. Most models support up to
10 VDOMs by default; larger models can license more. Each VDOM has its own interfaces, routing
table and security policies. By default, traffic from one virtual domain cannot reach another.
Unless inter-VDOM links are used, each VDOM needs its own physical interface to the Internet.
Multi-VDOM mode enables the creation of multiple virtual domains that function as independent
units. Two VDOM types exist: admin VDOMs and traffic VDOMs. Typical use cases are a management
VDOM plus per-tenant or per-department VDOMs, or a meshed layout of VDOMs joined by inter-VDOM
links.
An admin VDOM does not pass any user data and is used for management purposes only. The
management VDOM is root by default. All system traffic that FortiGate generates itself originates
from the management VDOM: FortiGuard queries and updates, NTP, SNMP, DNS lookups and log
transmission, so it must have a route to those services.
In a meshed layout, inter-VDOM links allow communication between virtual domains without an
Internet-facing interface in each of them. When creating an inter-VDOM link, at least one of the
two VDOMs must be operating in NAT mode; a link between two transparent-mode VDOMs would create a
Layer 2 loop.
b. Create administrative accounts with access limited to one or more VDOMs
Each virtual domain can have its own administrators. In contrast to accounts with the super_admin
profile, which see everything, these accounts are restricted to the VDOMs assigned to them; one
administrator can be responsible for several virtual domains. Accounts are created from the
Global > System > Administrators window and are given both a list of VDOMs and an admin profile
(for example prof_admin for full rights inside those VDOMs).
c. Configure VDOMs to split FortiGate into multiple virtual firewalls
Multi-VDOM mode is enabled from the CLI (some high-end models also expose it in the GUI):
config system global
    set vdom-mode multi-vdom
end
Enabling it terminates the current administrative sessions. FortiGate allows only one admin
VDOM. Administrators can log in via SSH or HTTPS. The type of a virtual domain is changed from the
CLI:
config vdom
    edit <name>
        config system settings
            set vdom-type {traffic | admin}
        end
    next
end
Interfaces are assigned to VDOMs in the Global > Network > Interfaces window. Virtual domain
names are case sensitive.

d. Route traffic between VDOMs (inter-VDOM links)
Inter-VDOM link support depends on the operation modes of the two VDOMs:
NAT-to-NAT: supported
NAT-to-transparent and transparent-to-NAT: supported
Transparent-to-transparent: not supported, because there is no Layer 3 hop and a Layer 2 loop
could form
Routes are required in each VDOM for traffic to be forwarded across the link, exactly as with a
physical cable between two firewalls, and the administrator must put the right firewall policies
in place on both sides, with the link interface as source or destination interface. Links are
created from the Global > Network > Interfaces view (Create New > VDOM Link).
In the NAT-to-NAT case, the two link interfaces need IP addresses in the same subnet.
e. Limit the resources allocated globally and per VDOM
This is done from the Global > System > Global Resources window and per VDOM under Global >
System > VDOM. A single VDOM should not be able to consume the resources of the other virtual
domains, so set per-VDOM maximums for sessions, policies, users and so on.
Global and per-VDOM resource usage against those limits can be monitored from the Global >
System > VDOM window, which also displays memory and CPU utilization per VDOM.
By default, no limits are configured.
Besides ping and traceroute, the packet flow debug (diagnose debug flow) and the built-in packet
sniffer (diagnose sniffer packet) are the adequate tools for troubleshooting virtual domains;
both are run from within the VDOM context.
*npu0_vlink0/npu0_vlink1 and npu1_vlink0/npu1_vlink1 are hardware-accelerated inter-VDOM link
interfaces present on models with NP4 or NP6 chips.
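The procedure in b, c and d above carried through as one added example (not configuration from
the original notes): enable multi-VDOM mode, create a traffic VDOM, hand it a physical port, join
it to root with a NAT-to-NAT inter-VDOM link, route across the link and scope an administrator to
it. VDOM names, interfaces, subnets and the password are assumptions.

```fortios
# Added example, not from the original notes. Names, interfaces, subnets and the
# placeholder password are assumptions.
config system global
    # Enabling multi-VDOM logs out every admin session; reconnect afterwards
    set vdom-mode multi-vdom
end

config vdom
    edit "customerA"
    next
end

config global
    # A VDOM link creates two virtual interfaces, <name>0 and <name>1, one per VDOM.
    # root stays the management VDOM (default); FortiGuard, NTP and log traffic leave from there.
    config system vdom-link
        edit "vlA"
        next
    end
    config system interface
        edit "vlA0"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "vlA1"
            set vdom "customerA"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
        edit "port3"
            # physical LAN port handed over to the customer VDOM
            set vdom "customerA"
            set ip 192.168.30.1 255.255.255.0
            set allowaccess ping
        next
    end
    # Admin restricted to one VDOM: prof_admin gives full rights only inside customerA
    config system admin
        edit "custA-admin"
            set accprofile "prof_admin"
            set vdom "customerA"
            set trusthost1 192.168.30.0 255.255.255.0
            set password "Ch4ngeMe-Now!"
        next
    end
end

config vdom
    edit "customerA"
        # Customer side of the link: default route and policy towards root.
        # root needs the mirror image: a route to 192.168.30.0/24 via vlA0 and a policy vlA0 -> port1.
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.255.0.1
                set device "vlA1"
            next
        end
        config firewall policy
            edit 1
                set name "custA-to-root"
                set srcintf "port3"
                set dstintf "vlA1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
    next
end
```

Because the link is NAT-to-NAT, both ends carry an address from the same /30. If one of the
VDOMs were in transparent mode, only the NAT-mode end would carry an IP address, and a
transparent-to-transparent link would be refused.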

6. Web Filtering
a. Describe FortiOS inspection modes
FortiOS can inspect traffic in two modes: flow-based and proxy-based. The mode is a per-policy
setting.
Flow-based inspection is the default. It scans content packet by packet as the packets pass
through the FortiGate, without buffering, matching threats with a direct filter approach (the IPS
engine). It is faster and lighter, but features that need the whole object are unavailable.
Proxy-based inspection is more thorough, although slower and more resource-intensive. Because it
buffers and scans the content completely, it adds latency. In this mode there are two TCP
connections, the FortiGate acting as a transparent proxy between the client and the server.
Web filtering acts on HTTP requests (for example GET and PUT). With HTTPS, the full URL is only
visible to the filter when deep inspection is applied; with certificate inspection only the host
name from the SNI or certificate can be rated.
b. Review and implement NGFW operation modes
Next Generation Firewall mode offers two operation modes: profile-based (the default, where web
filter and application control profiles are attached to a policy) and policy-based (where URL
categories and applications are matched directly in the policy, which requires central NAT). The
choice is made per VDOM and mirrors the two ways application control can be applied.
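A flow-mode and a proxy-mode web filter profile, and a policy that selects the proxy inspection
mode, as an added example (not configuration from the original notes). Profile names, interfaces
and the policy ID are assumptions; the category numbers are FortiGuard's own IDs for Malicious
Websites (26) and Phishing (61).

```fortios
# Added example, not from the original notes. Profile names, interfaces and the policy ID
# are assumptions; 26 and 61 are the FortiGuard IDs for Malicious Websites and Phishing.
config webfilter profile
    edit "wf-flow"
        # Flow mode: rating decisions are made on the request as it streams through
        set feature-set flow
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 61
                    set action block
                next
            end
        end
    next
    edit "wf-proxy"
        # Proxy mode: needed for features that rewrite or fully read the exchange, e.g. safe search
        set feature-set proxy
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 61
                    set action block
                next
            end
        end
        config web
            set safe-search url
        end
    next
end

config firewall policy
    edit 30
        set name "LAN-web-proxy"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        # per-policy: proxy inspection terminates both the client and the server side
        set inspection-mode proxy
        set utm-status enable
        # certificate inspection: HTTPS is rated by host name only; deep inspection would rate the full URL
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-proxy"
        set nat enable
        set logtraffic all
    next
end
```

A flow-mode profile can only be selected in a flow-mode policy and vice versa, so the feature-set
of the profile and the inspection-mode of the policy have to agree. Switching a VDOM to NGFW
policy-based mode (config system settings, set ngfw-mode policy-based) requires central NAT and
replaces the profile selection above with URL categories matched in the policy itself.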

7. Authentication
a. Describe firewall authentication
Authentication with credentials is more reliable than trusting the source IP address and device
type alone, which an attacker on the same network can spoof. After successful credential
verification, FortiGate applies the policies that reference that user or group to allow or deny
access to each network resource. In most deployments access is controlled through user groups
rather than individual users.
b. Identify methods of firewall authentication available on FortiGate
FortiGate supports local password authentication, storing the credentials in its own
configuration. This works well for a single installation with a handful of users. Additional user
information can be stored alongside the user name and password.
Remote authentication can be configured against several server technologies; the accounts are
stored on the remote server. FortiGate forwards the credentials entered on the login page to the
server, which evaluates them and returns the result. A remote server can be added as a member of
a user group.
Two-factor authentication is enabled on top of an existing authentication method. It requires a
token (FortiToken, or a code sent by SMS or e-mail) or a certificate in addition to the password.
Time-based tokens need accurate clocks, so an NTP server is recommended.
c. Identify supported remote authentication servers and configure a remote
authentication server
Remote authentication is a form of server-based password authentication. FortiGate supports
RADIUS and LDAP servers; TACACS+ and POP3 (available from the CLI only) can also be configured.
Lightweight Directory Access Protocol is an application protocol for accessing and maintaining
distributed directory information services; the directory holds the authentication data. LDAP
uses port 389/TCP by default (636/TCP for LDAPS); FortiGate binds to the directory and then
searches for the user. On the User & Authentication > LDAP Servers page, the Distinguished Name
is the top of the subtree where the users are located (for example dc=example,dc=com), and the
Common Name Identifier is the attribute matched against the typed user name (cn by default,
sAMAccountName for Active Directory). The bind type (anonymous, simple or regular) depends on how
the LDAP server is secured; a regular bind with a dedicated read-only account is the usual choice.
Enable LDAPS or STARTTLS with a CA certificate, because plain LDAP sends the bind password in
clear text.
RADIUS does not use a directory tree. It provides AAA services (authentication, authorization and
accounting). FortiGate points at a RADIUS server by IP address and shares a secret with it; the
server must be configured to accept requests from the FortiGate as a RADIUS client, or it will
not reply. RADIUS group membership is conveyed by the vendor-specific attribute (VSA)
Fortinet-Group-Name configured on the server.
User accounts, or the remote servers that hold them, are then referenced on the User &
Authentication > User Definition page. Servers and users should be placed in groups, so that
policies refer to the group and access is managed in one place.

d. Describe active authentication and passive authentication. Describe the order of
operations
Active authentication means users are prompted to enter their credentials before being granted
access. For the prompt to appear, the policy must allow HTTP, HTTPS, FTP and/or Telnet, since the
login prompt is delivered in-band through one of these protocols. Any other service is not
allowed until the user has authenticated through one of them; prefer HTTPS, because the other
three carry the password in clear text.
Passive authentication is transparent to the user and relies on server-based identification.
Credentials are determined automatically and the method varies with the authentication type
(FSSO, RSSO, NTLM or other). A remote directory server may be queried for user information and
group membership.
Order of operations: FortiGate first tries to identify the user passively (FSSO or RSSO); only if
no passive identity exists for the source IP address, and the policy contains a group that allows
active authentication, is the user prompted.
e. Configure user groups in firewall policies
The group types available on FortiGate are Firewall, Guest, FSSO and RSSO. User groups exist to
make the configuration of firewall policies manageable (think 2,000 to 4,000 users): every member
of a group is treated the same when requesting network resources. User groups are defined on the
User & Authentication > User Groups page. Preconfigured remote servers can be added as group
members.
Guest user groups contain temporary guest accounts. They are most commonly used to provide guest
access to wireless networks. The account expiry setting determines how long an account remains
valid. Accounts are added to the guest user group, which is then referenced by firewall policies.
Some firewall policies require authentication. Firewall policies can also be configured to
authenticate certificate users. The source of a firewall policy must always include a source
address; it can additionally include a user group, in which case only traffic from an
authenticated member of that group matches. Anyone who belongs to the group and provides correct
credentials is authenticated successfully. DNS is the only traffic allowed before credentials are
provided, and only if it is explicitly listed as a service in the policy; host name resolution is
a requirement for most application-layer services, so leaving it out breaks the login page too.
Authentication on demand (prompt for credentials as soon as a policy with a group matches, even if
a later policy without a group could match the traffic) can be enabled from the CLI (config user
setting, set auth-on-demand always).
f. Monitor firewall users
Time-out behavior is defined from the CLI:
config user setting
    set auth-timeout-type {idle-timeout | hard-timeout | new-session}
    set auth-timeout <minutes>
end
idle-timeout deauthenticates users after a period without generating packets; hard-timeout does
so after the period regardless of activity; new-session only refreshes the timer when a new
session starts. The default is an idle timeout of five minutes. If users remained authenticated
indefinitely, system memory would eventually be exhausted, and a stale entry would let whoever
next uses that IP address inherit the session.
The Dashboard > Users & Devices > Firewall Users page lists authenticated users and allows you to
deauthenticate them. Administrators are not included because they do not log in through policies
that require authentication.
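The remote servers, group mapping, timeout and authenticating policy from c, e and f of this
section, as one added example (not configuration from the original notes). Server addresses, the
DNs, the bind account, secrets and the policy ID are assumptions.

```fortios
# Added example, not from the original notes. Addresses, DNs, secrets and IDs are assumptions.
config user ldap
    edit "corp-ldap"
        set server "10.0.0.10"
        # Distinguished Name: the base of the subtree where users are searched
        set dn "dc=example,dc=com"
        # Common Name Identifier: the attribute the typed user name is matched against
        set cnid "sAMAccountName"
        # regular bind: a dedicated low-privilege service account performs the lookup
        set type regular
        set username "cn=fgt-bind,ou=service,dc=example,dc=com"
        set password "Bind-Pw-Replace-Me"
        # LDAPS on 636 with a CA certificate: the server is verified, not just encrypted
        set secure ldaps
        set port 636
        set ca-cert "CorpRootCA"
    next
end

config user radius
    edit "corp-radius"
        set server "10.0.0.11"
        set secret "Radius-Shared-Secret-Replace-Me"
    next
end

config user group
    edit "Internet-Users"
        set member "corp-ldap"
        # Only members of this AD group qualify; without a match entry any LDAP user would
        config match
            edit 1
                set server-name "corp-ldap"
                set group-name "CN=Internet-Users,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

config user setting
    # Idle users are deauthenticated after 30 minutes; hard-timeout would cut them off regardless
    set auth-timeout-type idle-timeout
    set auth-timeout 30
    # Redirect the HTTP login prompt to HTTPS so the password is not sent in clear text
    set auth-secure-http enable
end

config firewall policy
    edit 60
        set name "Authenticated-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        # group in the source: only an authenticated member of Internet-Users matches
        set groups "Internet-Users"
        set action accept
        set schedule "always"
        # DNS must be listed: it is the only service passed before the user authenticates
        set service "DNS" "HTTP" "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

Test the server binding before relying on the policy: the "Test connectivity" and "Test user
credentials" buttons on the LDAP server page report bind failures and group lookup results, and
"diagnose firewall auth list" shows who is currently authenticated and against which group.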

8. FSSO Fortinet Single Sign-On
a. Define SSO and FSSO
Single sign-on (SSO) means a user authenticates once and is then logged in automatically to every
application in scope, regardless of platform and domain, without re-entering credentials for each
network resource. The initial authentication can still be strong (for example a password plus a
one-time password); SSO only removes the repeated prompts afterwards.
With FSSO, FortiGate grants network access based on passive identification of the user by user
ID, IP address and group membership. FSSO is typically used with directory services: a software
agent (or FortiGate itself) learns the login events, so that FortiGate can identify users for VPN
access or firewall policies. Users who are already identified can access resources without being
prompted for credentials. The domain controller verifies the credentials when the user logs on to
the domain, and FortiGate then applies the policy defined for that user's traffic.
b. Understand FSSO deployment (DC Agent mode) and configuration
Fortinet Single Sign-On can be deployed in agentless or agent-based modes, depending on the
directory server. Windows Active Directory (AD) deployments normally use a collector agent.
c. Identify FSSO modes for Windows AD
There are two agent-based working modes that monitor sign-on activity in Windows, DC Agent mode
and Polling mode. FortiGate also provides an agentless working mode, intended for small networks
with a limited number of users.
DC Agent mode is the recommended working mode, as it is the most scalable. It requires one DC
agent installed on each domain controller. These agents (dcagent.dll) monitor user login events
and forward them to the collector agent, another FSSO component.
The collector agent is responsible for group verification, workstation checks (to detect when a
user has logged off) and sending domain local and global security group information to FortiGate.
It receives the login events captured by the DC agents and forwards them to the FortiGate, which
updates its login records.
Polling mode can be agent-based or agentless.
Agent-based polling requires only a collector agent on a Windows server, so the installation is
less intrusive (nothing is installed on the domain controllers). Every few seconds, the collector
agent polls each domain controller for user login events. By default it reads the security event
log over SMB (port 445/TCP); audit logging of logon events must be enabled on the domain
controllers.
Agentless polling mode deploys FSSO without installing anything in the domain: FortiGate itself
polls the domain controllers for login events. It is resource-heavy on the FortiGate and does not
scale as easily; it does not poll workstations and has fewer features. When a user authenticates
with the DC, FortiGate sees the login event in the next poll, learns which IP address belongs to
which user, and does not prompt the user to re-authenticate.

d. Detect user login events in Windows Active Directory using FSSO
e. Install FSSO agents
The DNS server must be able to resolve all workstation names, because IP addresses are not
included in Microsoft login event logs; the agent resolves the workstation name from the event to
obtain the IP address that FortiGate needs. The agent installers can be downloaded from
support.fortinet.com. The collector agent version must match the DC agent version.
The installation must be run as administrator. During installation, the collector agent is
configured to monitor logins, NTLM authentication and directory access, and the DC agent
installer is launched next.

f. Configure one Fortinet Collector Agent
The collector agent listens on port 8002/UDP for the DC agents and on port 8000/TCP for
FortiGate. Authentication between FortiGate and the collector agent (a shared password) must be
enabled; otherwise any host that can reach port 8000 could read the user-to-IP mapping or inject
fake logins. Timers (workstation verify interval, dead entry timeout, IP address change verify
interval) can be tuned.
A group filter can be configured as well. Most single sign-on deployments need group
segmentation, as different security policies are assigned to each group. The filter controls
which groups (and therefore which login events) are sent to which FortiGate; up to 256 Windows AD
groups are supported per filter. The default filter applies to all FortiGates without a filter of
their own.
The AD access mode (Set Directory Access Information) tells the collector agent how to access and
collect user group information. Standard mode uses the Windows convention Domain\Group, while
Advanced mode uses the LDAP convention (CN=...,OU=...,DC=...) and supports nested groups.
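The FortiGate side of the collector-agent deployment described in c and f above, as an added
example (not configuration from the original notes): the collector agent definition with
authentication, an FSSO group that maps an AD group, and a policy that uses it. The collector
address, the shared password, the AD group DN and the policy ID are assumptions.

```fortios
# Added example, not from the original notes. Address, password, group DN and IDs are assumptions.
config user fsso
    edit "corp-collector"
        # Collector agent listens on 8000/TCP for FortiGate; the password must be the one
        # set under "Require authenticated connection from FortiGate" on the collector
        set server "10.0.0.12"
        set port 8000
        set password "Sh4red-Collector-Pw"
    next
end

config user group
    edit "FSSO-Sales"
        set group-type fsso-service
        # The DN must already have been learned from the collector (visible under
        # config user adgrp); FortiOS rejects a member the collector has not sent
        set member "CN=Sales,OU=Groups,DC=example,DC=com"
    next
end

config firewall policy
    edit 40
        set name "Sales-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        # Passive identification: no login prompt; traffic from an IP with no FSSO
        # entry simply does not match and falls through to the policies below
        set groups "FSSO-Sales"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        set logtraffic all
    next
end
```

Restrict which groups the collector sends (the group filter) so that FortiGate does not receive
and store membership for the whole forest, and keep the collector's 8000/TCP reachable only from
the FortiGate management addresses.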

g. Recognize and monitor Fortinet Single Sign-On related messages
Fortinet Single Sign-On log messages are generated by login events. They can be viewed in the
Log & Report > System Events > User Events window. To log all events, the minimum log level
should be set to Notification or Information.
h. Perform troubleshooting
#diagnose debug authd fsso list              (FSSO users currently logged on, with IP address and groups)
#diagnose debug authd fsso server-status     (connection status from FortiGate to each collector agent)
#execute fsso refresh                        (re-read group membership and the user list from the collector)
#diagnose debug enable                       (enable debug output)
#diagnose debug fsso-polling detail          (status of agentless polls to each DC)
#diagnose debug fsso-polling refresh-user    (flush the active FSSO users learned by polling)

9. IPsec VPN
a. Describe the benefits of IPsec VPN
IPsec is a vendor-neutral suite of protocols used to join two physically distinct LANs across an
untrusted network, so that they behave as a single logical network. IPsec provides its services
at the IP (network) layer. The main protocol used to carry data is ESP, Encapsulating Security
Payload, which provides confidentiality, integrity and origin authentication for each packet.
IPsec includes the Internet Key Exchange (IKE) protocol, used to authenticate the peers, exchange
keys and negotiate the algorithms. This is the control channel. It uses port 500/UDP, and
4500/UDP when NAT traversal is in use. IKE establishes the IPsec VPN tunnel: FortiGate negotiates
with the peer and determines the security associations (SAs), which define the authentication,
keys and settings used for encryption and decryption. Both devices must establish their SAs and
secret keys, since the IPsec architecture is built on security associations. An SA is the bundle
of algorithms and parameters used to authenticate and encrypt data travelling through the tunnel.
Security associations expire and are renegotiated before their lifetime ends.
FortiGate IPsec VPNs support two modes:
Tunnel mode, the default mode selected when a VPN is first configured, which encrypts the whole
original IP packet (header included) and adds a new outer IP header
Transport mode, which encrypts only the payload and keeps the original IP header
Transport mode is used when:
no tunneling is needed, because the peers are the actual sender and recipient of the plaintext
and protected data (example: an IPsec connection between FortiGate and FortiAnalyzer could run in
transport mode)
tunneling is already done by another protocol (examples: GRE over IPsec, L2TP over IPsec,
IP-in-IP over IPsec)

After the VPN is established, data is wrapped in ESP packets. For NAT traversal, ESP is
UDP encapsulated. Both protocols must be enabled in a firewall policy.
AH means authentication header, though this protocol is not supported by FortiGate, nor
does it encrypt any traffic.
Settings must match on both ends for the VPN tunnel to come up. During tunnel
establishments, they negociate encryption and authentication algorithms to use.
b. Understand how IPsec works and learn about the IPsec wizard
IPsec should be deployed in route-based mode. Benefits include simpler operation and
configuration, redundancy, and support for dynamic routing protocols. A virtual interface is
created for each VPN; multiple connections to the same interface are allowed. Traffic over the
tunnel is then routed and filtered in the same way as non-IPsec traffic.
The IPsec wizard is available at VPN > IPsec Wizard on the GUI. IPsec tunnel templates are
available as well.
Backwards compatibility issues may dictate the use of the legacy policy-based VPN
configuration, which is no longer supported.
c. Identify and understand the phases of IKEv1
IKE negotiates the keys and the algorithms that IPsec uses to create a VPN tunnel. Security
associations (SAs) provide the basis for building security functions into IPsec. In normal two-way
traffic, the data exchange is secured by a pair of IPsec security associations, one per direction.
IKE uses two distinct phases:
Phase 1: main or aggressive mode; outcome: the IKE SA
Phase 2: quick mode; outcome: the IPsec SAs

[Diagram of the Phase 1 exchange not reproduced.]
Main mode uses six packets and exchanges the peer identities only inside the already encrypted
part of the exchange. Aggressive mode is faster, completing in three packets, but the first packet
already carries the peer ID in clear.

d. Understand phase1 and phase2 settings


Phase 1 uses a single bidirectional SA, while phase 2 uses two SAs, one for each traffic
direction. There must be at least one firewall policy which allows traffic on the IPsec tunnel
(recommended: one incoming and one outgoing).
The IKE Mode Config setting automatically pushes virtual network settings (IP address, DNS
servers and so on) to VPN clients, similarly to DHCP. By default, FortiClient VPNs use it to
retrieve settings from FortiGate. It must be enabled on both peers and is only available when the
remote gateway is set to Dialup User.
If the remote gateway is set to Dialup User, routes appear in the Dashboard > Network >
Routing window: a static route is added to the routing table after phase 2 comes up. The Add
Route option must be enabled so that FortiGate automatically adds a static route for the local
network presented by the remote peer during phase 2 negotiation. If phase 2 goes down, the route
is removed from the routing table. In this case, the tunnel is initiated by the remote users.
IPsec supports extended authentication, XAuth (sometimes referred to as phase 1.5), which
adds user credentials on top of the phase 1 peer authentication.
Dynamic routing protocols can be run over the tunnel for best-path selection and scalability.
If the remote gateway is set to Static IP Address or Dynamic DNS, the routes can be
monitored from the Dashboard > Network > Static & Dynamic Routing window after phase 1
comes up. The virtual interface of the IPsec tunnel is the outgoing interface. Either peer can
initiate the tunnel, as both addresses are known.
e. Understand redundant VPN configuration between two FortiGate devices
The full-mesh VPN topology is the most fault tolerant, but it does not scale as quickly or
easily. Dead peer detection (DPD) should be enabled in a redundant IPsec VPN deployment so
that a failed peer is detected and traffic fails over to the backup tunnel. FortiGate offers several
DPD modes (on-demand and on-idle), plus the option to disable it.
f. Monitor IPsec VPN and review logs

Logs can be viewed in the logging window under the VPN Events tab.
The monitor widget allows an administrator to bring down an entire IPsec VPN tunnel.
Useful CLI commands:
#get vpn ipsec tunnel details
#get vpn ipsec stats tunnel (all VPNs currently active)
#get vpn ipsec tunnel summary
#get ipsec tunnel list
#diagnose vpn ike gateway list name <name>

10. SSL VPN
a. Describe the SSL VPN modes
Two modes are available:
Web mode
Tunnel mode

Web mode provides an HTTPS gateway: users log in through a web portal, so only a web
browser is required. Users access internal network resources through bookmarks. It supports a
limited number of protocols. The VPN only stays up while the portal page is open and is available
through browser interaction only; other applications on the client cannot send data across the
VPN.
Tunnel mode requires the installation of a virtual adapter called fortissl and is accessed
through FortiClient. The tunnel stays up while the VPN client is connected. FortiGate establishes
the tunnel and assigns a virtual IP to the client from a pool of IP addresses. It supports split
tunneling, so only traffic for the configured destinations is sent through the VPN.

Set-up steps: configure portals, settings, interfaces, policies

b. Configure timers
SSL VPN timers control when a session is considered abandoned: the login timeout limits how
long the authentication step may take (raise it for users on high-latency links, so they are not
logged out before authentication completes), and the idle timeout logs out users who have sent
no traffic for the configured period.
The timers can be configured from VPN > SSL VPN Settings > Idle Logout or on the CLI:
#config vpn ssl settings
set login-timeout <seconds>
set idle-timeout <seconds> (default 300)
end
c. Monitor connected users
Connected users can be viewed in the Dashboard > Network > SSL VPN page. The End
Session button forces the disconnection of the selected user.
d. Review SSL VPN logs
SSL VPN Logs can be viewed in the Log & Report > System Events > VPN Events
widget. They show if the SSL VPN tunnel is established or closed, client connections and
authentication actions.

11. Certificate Operations
a. Describe how FortiGate uses certificates to authenticate users and devices
A certificate is a digital identity document produced and signed by a CA. It identifies an end
entity and binds its public key to the name in the Subject field (a distinguished name). FortiGate
uses the X.509v3 standard; certificates may be stored in different file formats. For SSL
inspection, FortiGate acts as a trusted man-in-the-middle: it generates certificates on demand so
that it can inspect encrypted data transmitted between devices before allowing the connection.
Administrators can also use certificates as a second factor when logging in to FortiGate.
b. Describe how FortiGate uses digital certificates to ensure privacy
Firewalls use digital certificates to enforce privacy. Certificates and their associated private
keys allow FortiGate to connect securely using SSL/TLS to another service. Users who present
certificates issued by a trusted certification authority (CA), identified by the Issuer field, are
allowed to connect in order to access the network or establish a VPN connection.
When validating a certificate, FortiGate checks the local CRL (certificate revocation list), in
which revoked certificates are identified by serial number; the validity dates must be current; and
the digital signature on the certificate must verify against the issuing CA's key.
By default, FortiGate presents a self-signed server certificate. It is recommended to obtain a
certificate for the domain from a trusted CA and upload it for use, so that users do not receive
browser warnings.
FortiGate uses the SSL/TLS protocol for privacy. It employs both symmetric and asymmetric
cryptography.
Symmetric cryptography uses the same key to encrypt and decrypt data. When FortiGate
establishes a session with another device, the key (or the value used to derive the key) must be
shared so that data can be encrypted by one side, sent over the network and decrypted by the
peer.
Asymmetric cryptography uses a pair of keys: one key performs the encryption function and
the other performs the reverse operation. If FortiGate connects to a web server to initiate an SSL
session, it can use the web server's public key to encrypt a secret, which only the server's private
key can decrypt.
c. Describe certificate inspection
FortiGate uses the SNI (Server Name Indication, a TLS extension) carried in the Client Hello to
identify the hostname of the server; the SNI is validated against DNS beforehand. If there is no
SNI, it falls back to the Subject or Subject Alternative Name fields of the server certificate.
Certificate inspection does not decrypt the traffic, so only the features that work on the
unencrypted parts of the handshake (web filtering by hostname and application control) are
available; it verifies the identity of the web server. To configure this feature, apply an SSL/SSH
inspection profile of the Multiple Clients Connecting to Multiple Servers type (Security Profiles >
SSL/SSH Inspection) to a firewall policy.
The behaviour for invalid SSL certificates can be configured in the Security Profiles > SSL/SSH
Inspection > Common Options window. Such certificates produce security warnings because of
problems with the certificate details (for example expired validity, untrusted issuer or a name
mismatch).
d. Identify what is required to implement full SSL inspection
The only way for FortiGate to inspect encrypted traffic is to intercept the certificate coming
from the server and proxy the SSL session: FortiGate terminates the client's TLS session and
opens its own to the server. An inspection profile must be applied to a firewall policy so that
FortiGate inspects the traffic matching that policy.
For full SSL inspection, the CA certificate used by FortiGate must comply with IETF RFC 5280,
section 4.2.1.9 (Basic Constraints), which together with the Key Usage extension requires two
settings on the CA certificate: "keyUsage=keyCertSign", stating that the corresponding private key
is permitted to sign certificates, and "cA=TRUE".
In this inspection mode, FortiGate dynamically generates temporary certificates to perform full
SSL inspection. These can be signed by FortiGate's own self-signed CA or by a CA certificate
issued by an internal CA, with FortiGate acting as a subordinate CA. The root certificate must be
imported into the client machines' trust stores, otherwise users receive certificate warnings.
Some sites may need exemption from SSL inspection (banking, finance, law enforcement and
similar sites), because of privacy requirements or because they use certificate pinning.

12. The Security Fabric
a. Define the Fortinet Security Fabric and identify why is it required
The Security Fabric is Fortinet's enterprise solution focused on network security. The fabric
enables communication and visibility among the devices on the network. The devices are
centrally managed through a console, share threat intelligence with one another in real time and
receive updates at the macro level. The fabric includes physical components as well as virtual
devices in the cloud.
The fabric is based on a tree model. The root FortiGate must be configured first, and
FortiAnalyzer and FortiManager must be registered. Branch FortiGates connect to upstream
FortiGate devices. Information about the network topology is transmitted using the FortiTelemetry
protocol. The root device forwards this information to FortiAnalyzer, which generates views and
IOC reports and sends them back to the root FortiGate.
Features:
Provides visibility of the entire digital attack surface for risk management
Reduces the complexity of integrating multi-point devices
Automates the response to threats
Allows vendor-neutral and partner integration
Networks are susceptible to undetected infiltration because many administrators lack
visibility of their defences, mainly because integrating devices from multiple vendors is difficult.
The fabric offers a centrally managed approach to monitoring network defence:
All members send logs to a single FortiAnalyzer.
All members are managed by the same FortiManager.
All members use the same FortiSandbox for file inspection where antivirus is applied.
b. Identify the essential devices that participate in the fabric
The essential devices that participate in the fabric core are the FortiAnalyzer and at least
two FortiGate devices running in NAT mode. Instead of FortiAnalyzer, a cloud-based solution
could be used. The fabric should be extended to other devices to provide a single pane of glass for
management and reporting purposes.

c. Understand the implementation of the Security Fabric

Interconnected devices can be viewed from the CLI:
#diagnose sys csf upstream
#diagnose sys csf downstream
d. Configure the solution on the root and downstream firewall
FortiAnalyzer can be configured in advance. On the root FortiGate, the Security Fabric
Connection setting must be enabled on the interfaces that face any downstream FortiGate devices,
and the fabric connector must be set to Serve as Fabric Root. Downstream devices must be added
to the authorized device list.
The downstream FortiGate devices must have the Security Fabric Connection setting enabled
as well. In the Security Fabric Connection > Join Existing Fabric page, the IP address of the
upstream FortiGate must be specified.
Synchronization happens from the root to the downstream devices and is enabled by default.
Conflicts may be resolved in the Security Fabric > Fabric Connectors page. Each FortiGate that
participates in the fabric stores and maintains its own fabric map, which can be consulted using
the #diagnose sys csf neighbor list CLI command. This map contains the MAC and IP addresses
of all connected devices and their interfaces.
The Global > Security Fabric > Logical Topology window shows FortiGate devices in
multi-VDOM mode, each with the ports that have connected devices.

e. Understand device detection
FortiGate detects most third-party devices on the network based on their traffic through the
FortiGate and shows them in the topology view. Device identification techniques include
agent-based (FortiClient) and agentless methods (for example DHCP requests, LLDP and HTTP
user-agent strings). Devices are keyed by their MAC address. Device detection is enabled per
interface in the Network > Interfaces window.
f. Understand automation stitches and threat responses
A stitch is an administrator-defined automated workflow. It causes FortiGate to act in a
predefined way based on if-then logic: it consists of a trigger and one or more configurable
actions. Stitches can be set up for any device in the fabric. FortiOS ships with several predefined
stitches, and some actions include an interval setting so that a job does not run more often than
needed and notifications are not sent more than once for the same event. A custom automation
stitch can be created in the Security Fabric > Automation page.
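To make the trigger/action model and the interval setting concrete, here is an added example (not code from the notes or from FortiOS) of a small stitch engine in Python. The events, the "quarantine" and "email" actions and the 60-second interval are all constructed for the example; the interval is applied per source host, which is the assumption used here for "the same event".

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Action:
    """The 'then' part of a stitch. min_interval throttles repeats per event key."""
    name: str
    run: Callable[[dict], None]
    min_interval: int = 0                          # seconds; 0 = run on every trigger
    last_run: Dict[str, float] = field(default_factory=dict)


@dataclass
class Stitch:
    """The 'if' part (trigger) plus its ordered actions."""
    name: str
    trigger: Callable[[dict], bool]
    actions: List[Action]


class StitchEngine:
    """Evaluates every stitch against each incoming log event."""

    def __init__(self) -> None:
        self.stitches: List[Stitch] = []
        self.log: List[Tuple[str, str, str, str]] = []   # (stitch, action, key, outcome)

    def add(self, stitch: Stitch) -> None:
        self.stitches.append(stitch)

    def handle(self, event: dict) -> None:
        key = event["srcip"]          # assumption: "same event" means same source host
        now = event["t"]              # event timestamp drives the interval check
        for stitch in self.stitches:
            if not stitch.trigger(event):
                continue
            for action in stitch.actions:
                last = action.last_run.get(key)
                if action.min_interval and last is not None and now - last < action.min_interval:
                    self.log.append((stitch.name, action.name, key, "suppressed"))
                    continue
                action.run(event)
                action.last_run[key] = now
                self.log.append((stitch.name, action.name, key, "ran"))


def run_demo() -> dict:
    quarantined: set = set()
    emails: List[str] = []

    def quarantine(ev: dict) -> None:   # stand-in for a quarantine action; idempotent
        quarantined.add(ev["srcip"])

    def email(ev: dict) -> None:        # stand-in for an email notification action
        emails.append(f"IOC on {ev['srcip']} ({ev['threat']})")

    engine = StitchEngine()
    engine.add(Stitch(
        name="Compromised Host Quarantine",
        trigger=lambda ev: ev["type"] == "ioc" and ev["severity"] == "high",
        actions=[Action("quarantine", quarantine),
                 Action("email", email, min_interval=60)],
    ))

    # constructed sample IOC events (not real FortiAnalyzer output)
    events = [
        {"t": 0,   "type": "ioc", "severity": "high", "srcip": "10.1.1.23", "threat": "Botnet.C2"},
        {"t": 10,  "type": "ioc", "severity": "high", "srcip": "10.1.1.23", "threat": "Botnet.C2"},
        {"t": 10,  "type": "ioc", "severity": "high", "srcip": "10.1.1.77", "threat": "Malware.Download"},
        {"t": 120, "type": "ioc", "severity": "high", "srcip": "10.1.1.23", "threat": "Botnet.C2"},
        {"t": 130, "type": "ioc", "severity": "low",  "srcip": "10.1.1.5",  "threat": "Adware"},
    ]
    for ev in events:
        engine.handle(ev)

    return {
        "quarantined": quarantined,
        "emails_sent": len(emails),
        "suppressed": sum(1 for _, _, _, outcome in engine.log if outcome == "suppressed"),
        "log": engine.log,
    }


if __name__ == "__main__":
    for entry in run_demo()["log"]:
        print(entry)
```

The second event for 10.1.1.23 arrives 10 seconds after the first, so the quarantine action runs again (harmlessly) but the email is suppressed; the event at t=120 is outside the interval and is notified again. The low-severity event never matches the trigger.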
g. Configure fabric connectors and external connectors
External connectors allow integration with third-party and multi-cloud platforms.
h. Understand the status widgets
The status widget shows a visual summary, including the names of the devices in the
Security Fabric. Icons indicate the other objects participating in the fabric.
i. View and run the Rating Service (subscription-based)
This view contains three scorecards: Security Posture, Fabric Coverage and Optimization. A
scorecard lists all passed and failed checks in its area. In multi-VDOM mode, security rating
reports can be generated only from the root VDOM. The rating check schedule can be
reconfigured as well. The service also checks best practices, such as the password policy.
j. Understand the differences between the physical and logical topology views
The physical topology view shows the access-layer devices that compose the Security Fabric.
It is used to authorize or deauthorize devices, such as FortiSwitches or FortiAPs, and to
quarantine compromised clients. Devices are grouped by the upstream device they are connected
to. Management tasks (upgrades and connections to a device's CLI) can be performed from this
view. The bubble chart is sized by traffic volume.
The logical topology view shows the interfaces each device uses to connect.
Both views are available in the GUI. The complete network view is accessible from the root
FortiGate.

13. High Availability HA Clusters
a. Identify the different operation modes for high availability
FortiGate HA provides a solution for enhanced performance and increased reliability.
High Availability links and synchronizes two to four FortiGates to form a cluster for
redundancy. A cluster includes one device which acts as the primary FortiGate, also called the
active FortiGate. It synchronizes its configuration and several runtime tables to the secondary
(stand-by) devices.
The cluster shares one or more heartbeat interfaces among all members.
High Availability requires that all members have the same firmware version, model, licensing,
hard drive configuration and operating mode. They must have the same HA group ID, password
and heartbeat interface settings, and their heartbeat interfaces must be able to reach each other.
There are two operation modes available, namely active-active and active-passive.
In active-active mode, all cluster members can process traffic, based on traffic type and
settings. The primary device distributes traffic among the rest of the cluster members.
In active-passive mode, the primary firewall is the only FortiGate that processes traffic.
Secondary devices monitor the status of the primary while remaining passive. If a problem is
detected, one of the stand-by devices takes over the primary role. This event is called a failover.
A failover can be forced from the CLI:
#diagnose sys ha reset-uptime (resets the HA uptime of the member it is run on, so that
another member wins the next election)
#execute ha failover set / unset (forces a failover by putting the current primary into a
permanent secondary role until unset)
#execute ha failover status

[Diagram of a typical cluster configuration not reproduced.]

b. Understand the primary FortiGate election in a HA cluster
The election depends on the HA override setting and stops at the first criterion that
differentiates the members. With override disabled (the default), the order is: number of
connected monitored ports > HA uptime > priority > serial number. With override enabled,
priority is evaluated before uptime: connected monitored ports > priority > HA uptime > serial
number. More connected monitored ports, longer uptime and a higher priority value win; when
everything else is equal, the highest serial number wins.
Manual failovers are usually triggered by changing the member priority (immediately effective
only with override enabled) or by resetting the HA uptime of the current primary.
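The election order above is easy to get wrong in practice, so here is an added example (not code from the notes or from FortiOS) that models it in Python. The cluster members and their values are constructed; the 300-second uptime margin, below which uptime differences are ignored, is an assumption modelled on the FortiOS ha-uptime-diff-margin default, and the reset_uptime helper stands in for running diagnose sys ha reset-uptime on one member.

```python
from dataclasses import dataclass, replace
from typing import List

UPTIME_MARGIN = 300  # seconds; uptime differences below this are ignored (assumed default)


@dataclass(frozen=True)
class Member:
    serial: str
    monitored_ports_up: int   # monitored interfaces whose link is up
    uptime: int               # HA uptime in seconds
    priority: int = 128       # configured HA priority (FortiOS default 128)


def beats(a: Member, b: Member, override: bool) -> Member:
    """Head-to-head comparison; returns the winner.

    Criteria are tried in order and the first one that differs decides.
    Override disabled: monitored ports > uptime > priority > serial number.
    Override enabled:  monitored ports > priority > uptime > serial number.
    """
    order = ("ports", "priority", "uptime") if override else ("ports", "uptime", "priority")
    for criterion in order:
        if criterion == "ports" and a.monitored_ports_up != b.monitored_ports_up:
            return a if a.monitored_ports_up > b.monitored_ports_up else b
        if criterion == "uptime" and abs(a.uptime - b.uptime) >= UPTIME_MARGIN:
            return a if a.uptime > b.uptime else b
        if criterion == "priority" and a.priority != b.priority:
            return a if a.priority > b.priority else b
    # everything equal (or within the margin): the highest serial number wins
    return a if a.serial > b.serial else b


def elect_primary(members: List[Member], override: bool = False) -> Member:
    winner = members[0]
    for m in members[1:]:
        winner = beats(winner, m, override)
    return winner


def reset_uptime(members: List[Member], serial: str) -> List[Member]:
    """Model of 'diagnose sys ha reset-uptime' run on the member with this serial."""
    return [replace(m, uptime=0) if m.serial == serial else m for m in members]


# constructed sample cluster: FGT-A has been up longer, FGT-B has the higher priority
CLUSTER = [
    Member("FGT60F0000000001", monitored_ports_up=2, uptime=90_000, priority=128),  # FGT-A
    Member("FGT60F0000000002", monitored_ports_up=2, uptime=3_600, priority=200),   # FGT-B
]


def demo() -> dict:
    return {
        # override disabled: uptime decides, FGT-A stays primary despite the lower priority
        "default": elect_primary(CLUSTER).serial,
        # override enabled: priority decides, FGT-B becomes primary
        "override": elect_primary(CLUSTER, override=True).serial,
        # reset-uptime on FGT-A with override disabled: FGT-B now has the longer uptime
        "after_reset": elect_primary(reset_uptime(CLUSTER, "FGT60F0000000001")).serial,
        # a monitored link goes down on FGT-A: ports are checked first, FGT-B wins
        "link_down": elect_primary([replace(CLUSTER[0], monitored_ports_up=1), CLUSTER[1]]).serial,
    }


if __name__ == "__main__":
    for case, serial in demo().items():
        print(f"{case:12s} -> primary {serial}")
```

The "default" and "override" cases show why raising a member's priority does not cause a failover unless override is enabled; the "after_reset" case shows the reset-uptime trick used instead.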
c. Identify the primary and secondary device tasks
The primary FortiGate broadcasts hello packets in order to monitor the cluster and discover
new members.
It synchronizes operation-related data such as the configuration (verified through a checksum)
and subsequent changes, FIB entries, DHCP leases, the ARP table, IPsec SAs, FortiGuard
definitions and, if session pickup is enabled, the session table.
The secondary devices synchronize data from the primary and monitor its health. They also
listen for and broadcast hello packets. In active-active mode, they process the traffic distributed
to them by the primary firewall.
d. Interpret how an HA cluster in active-active mode distributes traffic
The primary receives all traffic and redirects some proxy-based sessions to the secondary
FortiGates.
[Diagram of the active-active load-balancing process not reproduced.]

e. Identify high availability failover types
A failover means the secondary FortiGates elect a new primary, which resumes traffic for the
affected sessions. Failover types:
Device failover occurs when members stop receiving hello packets from the primary.
Link failover occurs when the link status of one or more monitored interfaces on the primary
goes down.
Remote link failover happens when the accumulated penalty of all failed paths monitored
using the link health monitor reaches the preconfigured threshold on the primary.
Memory-based failover happens when memory utilization on the primary exceeds the
configured threshold for the configured monitoring period.
SSD failover occurs upon detection of errors in the extended filesystem (Ext-fs) of a drive.
Event logs and alert email records contain the failover events.
f. Implement virtual clustering per VDOM in a HA cluster
Virtual clusters allow a device to act as a primary for one VDOM and as a secondary for
another. This feature is available in multi-VDOM mode. Only two FortiGates can be included in
such a cluster, and they must run in active-passive mode.
g. Verify the normal operation of a HA cluster
#get sys ha status
Dashboard > HA (GUI)
#diagnose sys ha checksum show
#diagnose sys ha checksum cluster
#diagnose sys ha checksum recalculate

h. Configure a HA management interface to connect to any member directly


The ha-mgmt-status setting must be enabled under config system ha (#set ha-mgmt-status
enable), a reserved interface listed under ha-mgmt-interfaces, and an IP address assigned to that
interface on each member. The reserved management interface has its own routing table and is
not synchronized between members, so each unit can be reached directly.

14. Zero Trust Network Access (Z.T.N.A.)
a. Understand the benefits and fundamentals of zero-trust
This is a form of role-based application access control and authorization. The zero-trust
model applies to the evolving network landscape, where an attack might come from anywhere,
use any method and affect anything, so no user or device is trusted by default.
Zero Trust Network Access has two modes:
Access proxy, which authenticates users and devices over TLS (client certificate plus user
authentication) and eliminates the need for a VPN to reach applications
IP/MAC-based access control for endpoints on the network premises
FortiClient EMS issues and signs the client certificate, synchronizes it to FortiGate and uses
tagging rules to tag endpoints. Tags are used for posture checks and to enforce access control
rules. The rules are sent to each endpoint, and endpoints are then grouped using the tag
configured for each rule. FortiGate maintains a continuous connection to EMS to synchronize
endpoint information; when device information changes, EMS updates the information stored on
the firewall. The WAD (proxy) daemon uses this information when processing ZTNA traffic.

Dynamic endpoint groups are displayed in the Zero Trust Tags > Zero Trust Tag Monitor
page.
b. Understand how to establish device identity and trust
Zero-trust network access relies on client device identification. Device identity is established
through client certificates. Client certificates can be revoked from the System Settings > EMS
Settings window. The endpoint records synchronized from EMS can be listed with:
#diagnose endpoint record list <optional IP>

c. Understand SSL certificate-based authentication
An endpoint obtains a client certificate when it registers to FortiClient EMS. The certificate is
stored in the operating system certificate store for subsequent connections.
Some options are available only on the CLI. The default settings are:
#config firewall access-proxy
edit <name>
set client-cert enable
set empty-cert-action block
next
end
With client-cert enabled, FortiGate requests a client certificate during the TLS handshake;
empty-cert-action block rejects connections that present none.
ZTNA supports the Chrome and Microsoft Edge web browsers.
d. Configure ZTNA access on FortiOS
Use the Policy & Objects > ZTNA > ZTNA Servers and ZTNA Rules windows.

Types of configurations:
HTTP proxy (with or without basic-auth servers)
TCP forwarding over HTTPS
SSH access proxy
IP/MAC-based access control (tags)

15. Intrusion Prevention Systems and Distributed Denial of Service
a. Configure an IPS sensor and apply IPS to network traffic
The purpose of the IPS feature is to protect the inside of the network from outside threats.
Botnet connection scanning is available on each sensor. Sensors are assigned to firewall policies.
The Security Profiles > Intrusion Prevention window contains the settings for configuring a
sensor. The action for a matching signature defaults to the signature's own default action (block
for the signatures the notes are concerned with) and can be overridden per entry.
Signatures may be added individually or in groups, using filters. Entries are evaluated top to
bottom and the first match wins, so the filters most likely to match should be placed at the top of
the list. Each signature may have multiple exemptions (source or destination IP addresses to which
it is not applied).
b. Manage FortiGuard IPS updates
Go to System > FortiGuard and schedule updates as required. Regular updates are required
for the intrusion prevention system to remain effective. Two signature databases are available:
regular (enabled by default) and extended. The #execute update-now command initiates an
immediate update from update.fortiguard.net on port 443/TCP.
c. Identify a denial of service attack
The goal of a DoS attack is to consume the target's resources (port numbers, sockets, RAM and
CPU) so that legitimate requests cannot be served. A denial-of-service policy is configured in
Policy & Objects > IPv4 DoS Policy; it applies the configured action (block or monitor) when the
configured rate threshold for an anomaly is exceeded. Each anomaly is counted per second, per
source or per destination depending on its type.
Fortinet identifies three families of denial-of-service anomalies:
TCP SYN flood
ICMP sweep
Port scan
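As an added example (not code from the notes or from FortiOS), the following Python script runs the three anomaly checks over a constructed packet capture: a SYN flood is counted per destination, an ICMP sweep per source (distinct hosts pinged) and a port scan per source (distinct destination ports), each in one-second windows. The threshold values are assumptions for the sample and are not taken from the notes.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    t: float            # timestamp in seconds
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    dport: int = 0
    syn: bool = False   # TCP SYN without ACK, i.e. a connection attempt


# packets-per-second thresholds (assumed values for this example)
THRESHOLDS = {"tcp_syn_flood": 2000, "icmp_sweep": 100, "tcp_port_scan": 1000}


def detect(packets: List[Packet], thresholds: Dict[str, int] = THRESHOLDS) -> List[Tuple[str, str, int]]:
    """Return (anomaly, offending key, observed rate) for each 1-second window over a threshold."""
    syn_per_dst: Dict[Tuple[int, str], int] = defaultdict(int)
    icmp_hosts_per_src: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    ports_per_src: Dict[Tuple[int, str], Set[Tuple[str, int]]] = defaultdict(set)

    for p in packets:
        window = int(p.t)
        if p.proto == "tcp" and p.syn:
            syn_per_dst[(window, p.dst)] += 1                     # flood: per destination
            ports_per_src[(window, p.src)].add((p.dst, p.dport))  # scan: per source
        elif p.proto == "icmp":
            icmp_hosts_per_src[(window, p.src)].add(p.dst)        # sweep: per source

    hits: List[Tuple[str, str, int]] = []
    for (_, dst), n in syn_per_dst.items():
        if n > thresholds["tcp_syn_flood"]:
            hits.append(("tcp_syn_flood", dst, n))
    for (_, src), hosts in icmp_hosts_per_src.items():
        if len(hosts) > thresholds["icmp_sweep"]:
            hits.append(("icmp_sweep", src, len(hosts)))
    for (_, src), ports in ports_per_src.items():
        if len(ports) > thresholds["tcp_port_scan"]:
            hits.append(("tcp_port_scan", src, len(ports)))
    return sorted(hits)


def sample_traffic() -> List[Packet]:
    """Constructed capture: a SYN flood, an ICMP sweep, a port scan and some normal traffic."""
    pkts: List[Packet] = []
    # SYN flood: 2500 SYNs in one second against 192.0.2.10:443 from rotating spoofed sources
    for i in range(2500):
        pkts.append(Packet(i / 2500, f"198.51.100.{i % 250 + 1}", "192.0.2.10", "tcp", 443, syn=True))
    # ICMP sweep: one source pings 150 hosts of 10.0.0.0/24 within a second
    for i in range(150):
        pkts.append(Packet(2 + i / 150, "203.0.113.9", f"10.0.0.{i + 1}", "icmp"))
    # port scan: one source probes 1200 ports on 192.0.2.10 within a second (below the flood rate)
    for i in range(1200):
        pkts.append(Packet(5 + i / 1200, "203.0.113.20", "192.0.2.10", "tcp", i + 1, syn=True))
    # normal traffic: a client opening 50 connections and pinging three hosts
    for i in range(50):
        pkts.append(Packet(7 + i / 50, "10.1.1.5", "192.0.2.10", "tcp", 443, syn=True))
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        pkts.append(Packet(8.1, "10.1.1.5", host, "icmp"))
    return pkts


if __name__ == "__main__":
    for anomaly, key, rate in detect(sample_traffic()):
        print(f"{anomaly:14s} {key:15s} rate={rate}")
```

Note that the port scan also produces 1200 SYNs toward 192.0.2.10 in its window, which stays below the SYN flood threshold; the two anomalies are independent counters, which is why a DoS policy configures a threshold per anomaly.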

d. Troubleshoot common intrusion prevention system issues


#diagnose test application ipsmonitor <integer> (1-99; see the administration guide for the
full list; for example 1 = display IPS engine information, 2 = toggle IPS engine enable/disable
status, 5 = toggle bypass status, 99 = restart all IPS engines and monitor)

16. Application Control
a. Use application control to detect types of application traffic
Application control uses flow-based scanning regardless of the inspection mode selected. It
compares traffic to known application patterns and allows monitoring, blocking and traffic shaping
of known application traffic. Because many applications reuse the same protocols and ports (for
instance HTTP and HTTPS), they must be identified individually by their patterns rather than by
port. Classic client-server protocols were designed to be easy to trace.
The feature also supports inspection of peer-to-peer (P2P) applications. These have a
distributed architecture: each peer is a server with a small amount of bandwidth to share, delivering
part of a file. Because of the many sessions to many peers, and because they do not depend on
port forwarding or fixed ports, P2P traffic is difficult to block with port-based rules.
b. Apply application control profiles
Profiles are created in the Security Profiles > Application Control page. After the IPS engine
identifies the application, the scanning order begins with the application and filter overrides and
continues with the selected categories. Profiles must then be applied to firewall policies together
with an SSL/SSH inspection profile.
The Allow and Log DNS Traffic option is enabled per profile.
Replacement (block) pages that explain the action to users can be configured for web traffic;
for HTTPS they require full SSL inspection, since the page has to be injected into the decrypted
session.

c. Explain the relationship between application control and FortiGuard
The application control signature database is separate from the intrusion prevention system
database, even though the IPS engine handles both features. Updates come as part of the standard
FortiCare subscription. FortiGate can be scheduled to update the database automatically in the
System > FortiGuard page.
d. Configure application control in profile mode and NGFW policy mode
There are two operation modes for application control on FortiGate: profile mode and
next-generation firewall (NGFW) policy mode. Flow-based scanning is used in both.
In profile mode, an application control profile is created and attached to a firewall policy.
Profiles can act on application categories, on specific signatures with preconfigured behaviours,
and on other filters such as popularity, risk and protocol.
NGFW policy mode requires central NAT (central SNAT) and a valid SSL inspection profile,
which is configured in the Policy & Objects > SSL Inspection & Authentication page; application
control profiles are no longer required. Applications and categories are referenced directly in the
security policy, with ACCEPT or DENY actions, in the Policy & Objects > Security Policy window.
Because the application is unknown when the first packet arrives, FortiOS initially allows the
traffic while forwarding it to the IPS engine, and creates a session-table entry with the may_dirty
flag. After the application is identified, the entry is updated with the application ID and either the
app_valid flag (the current policy match is confirmed) or the dirty flag, which forces the kernel to
re-evaluate the session; this time the kernel matches the traffic to a policy using both Layer 4 and
Layer 7 information.
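The two-step matching described above (Layer 4 first with may_dirty, then Layer 4 plus Layer 7 once the application is known) is modelled in the added Python example below; it is not FortiOS code and is only a simplified model. The policies, the session and the SNI-to-application table that stands in for the IPS engine's signatures are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    src_net: str            # Layer 3/4 criteria
    dport: Optional[int]    # None = any port
    app: Optional[str]      # Layer 7 criterion; None = any application
    action: str             # "accept" or "deny"


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    policy: Optional[SecurityPolicy] = None
    app: Optional[str] = None
    flags: Set[str] = field(default_factory=set)
    history: List[str] = field(default_factory=list)


# constructed TLS SNI -> application table, standing in for the IPS engine's app signatures
APP_SIGNATURES = {"www.youtube.com": "YouTube", "outlook.office.com": "Microsoft.Office.365"}


def l4_match(p: SecurityPolicy, s: Session) -> bool:
    in_net = ipaddress.ip_address(s.src) in ipaddress.ip_network(p.src_net)
    return in_net and (p.dport is None or p.dport == s.dport)


def full_match(p: SecurityPolicy, s: Session) -> bool:
    return l4_match(p, s) and (p.app is None or p.app == s.app)


def first_packet(policies: List[SecurityPolicy], s: Session) -> str:
    """Initial lookup on Layer 4 only: the application is still unknown, so the session
    is provisionally allowed and flagged may_dirty while the IPS engine inspects it."""
    for p in policies:
        if l4_match(p, s):
            s.policy = p
            s.flags = {"may_dirty"}
            s.history.append(f"L4 match {p.name}, may_dirty")
            return "accept"   # provisional: let the IPS engine see more packets
    s.history.append("no L4 match")
    return "deny"


def app_identified(policies: List[SecurityPolicy], s: Session, sni: str) -> str:
    """Called once the IPS engine identifies the application (here from the SNI)."""
    s.app = APP_SIGNATURES.get(sni, "Unknown")
    if s.policy is not None and full_match(s.policy, s):
        s.flags = {"app_valid"}   # the initial policy still matches with L7 information
        s.history.append(f"app {s.app}: {s.policy.name} confirmed, app_valid")
    else:
        s.flags = {"dirty"}       # kernel must re-evaluate with L4 + L7
        s.history.append(f"app {s.app}: dirty, re-evaluating")
        s.policy = next((p for p in policies if full_match(p, s)), None)
        s.flags = {"app_valid"} if s.policy else set()
        s.history.append(f"re-match {s.policy.name if s.policy else 'none'}")
    return s.policy.action if s.policy else "deny"


# constructed security policies, evaluated top to bottom
POLICIES = [
    SecurityPolicy("Block-YouTube", "10.1.1.0/24", 443, "YouTube", "deny"),
    SecurityPolicy("Allow-Web", "10.1.1.0/24", 443, None, "accept"),
    SecurityPolicy("Deny-All", "0.0.0.0/0", None, None, "deny"),
]


def demo(sni: str) -> Session:
    s = Session("10.1.1.25", "203.0.113.80", 443)
    first_packet(POLICIES, s)
    s.history.append("verdict " + app_identified(POLICIES, s, sni))
    return s


if __name__ == "__main__":
    for name in ("www.youtube.com", "outlook.office.com"):
        print(name, "->", " | ".join(demo(name).history))
```

Both sessions first land on Block-YouTube, because on Layer 4 alone it is the first matching policy; only after the SNI is seen does the Office 365 session turn dirty and re-match to Allow-Web. This is also why the first packets of a session in NGFW policy mode are let through before a deny can take effect.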
e. Use the application control traffic shaping policy
Instead of blocking an application completely, a traffic shaping policy can apply a rate limit to
it. This keeps bandwidth-hungry but permitted applications from crowding out mission-critical
ones.

17. Routing
a. Configure static routing
In NAT mode (the default), FortiGate acts as an IP router: it forwards packets between
Layer 3 networks.
IP routing is the process of determining the next hop to which a packet is forwarded, based on
the packet's destination IP address. The process is repeated on each router along the path until
the packet reaches its destination.
Routers maintain a routing table containing a series of entries, known as routes. Each route
indicates the next hop (the outgoing interface and the gateway to use) for a particular
destination.
Static routes are manually configured: packets whose destination falls in a specific range must
leave through a specific interface toward a specific gateway. Static routes can also carry distance
and priority attributes.
Firewall policies must be consistent with the routing configuration, since a policy matches on
the incoming and outgoing interfaces that routing selects.
b. Interpret the routing table on FortiGate
Route lookups are performed in IP routing. For each session, FortiGate performs two lookups:
one for the first packet sent by the originator and one for the first reply packet. The result is
written to the session table, and all further packets of that session use the same path. The best
route is the most specific one (longest prefix) for the destination. Routing information is held in
two tables:
RIB (routing information base)
o Connected, static and dynamic routes
FIB (forwarding information base)
o Kernel perspective
o Used in lookups
o Contains mostly RIB entries, plus specific entries required by FortiOS
o #get router info kernel

The routing table entries can be viewed using the #get router info routing-table all command.
Distance: of two routes to the same destination, the one with the lowest distance is installed as
the better one.
Multiple equal-distance duplicate routes learned from different protocols should be avoided.
Priority: applies to all routes and acts as the tie-breaker between routes with the same prefix
and distance; the lowest priority value is preferred.
Inactive routes can be viewed with the #get router info routing-table database CLI command.
c. Implement policy routes
Policy routes take precedence over routing table entries and are kept in a separate table.
When a packet matches a policy route, FortiGate takes one of two actions:
Stop Policy Routing: skips the remaining policy routes and uses the FIB (regular routing).
Forward Traffic: sends the packet out the configured outgoing interface and gateway. There
must be an active route to that gateway in the routing table, otherwise the policy route is
considered invalid and skipped.
#diagnose firewall proute list

d. Route traffic for well-known internet services using ISDB routes
ISDB routes are policy routes and take precedence over the routing table. Internet Service
Database objects can be used as the destination of static routes, so that traffic to well-known
internet services leaves through a chosen interface.
e. Implement ECMP routing
ECMP routes are duplicate routes to the same destination that have the same distance and
priority. All ECMP routes are installed in the routing table and traffic is load-balanced between
them. A lower priority value means a higher preference, so routes with different priorities are not
ECMP.
FortiGate supports four load-balancing algorithms for ECMP routes: source IP based (the
default), source-destination IP based, weight based and spillover (threshold based).
f. Block traffic from spoofed IP addresses using RPF
How does FortiGate detect IP spoofing? It checks the routing table for a return path to the
source: a route covering the source IP address must exist, and its outgoing interface must be the
interface on which the packet arrived.
RPF (reverse path forwarding) is only performed on the first packet of a session. The check can
be strict or loose (also known as feasible path).
Loose mode accepts the packet if any active route to the source leaves through the incoming
interface; strict mode additionally requires that route to be the best route to the source.
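The route selection rules (longest prefix, then distance, then priority, with ECMP when several routes remain) and the difference between strict and loose RPF are combined in the added Python example below; it is not FortiOS code but a model of the lookup described in this section. The RIB is constructed, the default priority of 1 is an assumption, and the ECMP hash in pick_ecmp is illustrative only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Route:
    prefix: str          # destination in CIDR notation
    interface: str       # outgoing interface
    gateway: str = ""    # next hop; empty for connected routes
    distance: int = 10   # FortiOS default for static routes
    priority: int = 1    # lower value preferred among same-distance routes (assumed default)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def lookup(rib: List[Route], dst: str) -> List[Route]:
    """Best route(s) for dst: longest prefix, then lowest distance, then lowest priority.
    More than one result means ECMP."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in rib if addr in r.network]
    if not cands:
        return []
    best_len = max(r.network.prefixlen for r in cands)
    cands = [r for r in cands if r.network.prefixlen == best_len]
    best_dist = min(r.distance for r in cands)
    cands = [r for r in cands if r.distance == best_dist]
    best_prio = min(r.priority for r in cands)
    return [r for r in cands if r.priority == best_prio]


def pick_ecmp(routes: List[Route], src: str, dst: str, method: str = "source") -> Route:
    """Deterministic choice among ECMP routes; the hash is illustrative, not FortiOS's."""
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    h = s if method == "source" else s ^ d   # "source" or "source-destination"
    return routes[h % len(routes)]


def rpf_check(rib: List[Route], src: str, in_iface: str, strict: bool = True) -> bool:
    """Reverse path forwarding check on the first packet of a session.
    strict: the best route back to src must leave through in_iface.
    loose (feasible path): any route covering src that leaves through in_iface is enough."""
    if strict:
        return any(r.interface == in_iface for r in lookup(rib, src))
    addr = ipaddress.ip_address(src)
    return any(addr in r.network and r.interface == in_iface for r in rib)


# constructed sample RIB
RIB = [
    Route("0.0.0.0/0", "port1", "203.0.113.1"),               # ISP1 default route
    Route("0.0.0.0/0", "port2", "198.51.100.1"),              # ISP2 default route (ECMP with ISP1)
    Route("10.1.1.0/24", "port3", distance=0),                # connected LAN
    Route("10.0.0.0/8", "port3", "10.1.1.254"),               # rest of the corporate network
    Route("10.0.0.0/8", "port4", "172.16.0.1", distance=20),  # backup path, not the best route
    Route("172.16.0.0/24", "port4", distance=0),              # connected DMZ
]


def demo() -> dict:
    return {
        "lan_host": [r.interface for r in lookup(RIB, "10.1.1.50")],     # /24 beats /8 and /0
        "corp_host": [r.interface for r in lookup(RIB, "10.2.3.4")],     # distance 10 beats 20
        "internet": [r.interface for r in lookup(RIB, "8.8.8.8")],       # two ECMP defaults
        # a packet claiming a LAN source address but arriving on the ISP1 interface
        "spoof_strict": rpf_check(RIB, "10.1.1.50", "port1", strict=True),
        "spoof_loose": rpf_check(RIB, "10.1.1.50", "port1", strict=False),
        # a packet from the corporate network arriving over the backup path
        "backup_strict": rpf_check(RIB, "10.2.3.4", "port4", strict=True),
        "backup_loose": rpf_check(RIB, "10.2.3.4", "port4", strict=False),
    }


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:14s} {value}")
```

The two RPF cases show the trade-off: loose mode accepts asymmetric return traffic over the backup path, but it also accepts the spoofed LAN address from the WAN, because the default route on port1 covers every source; strict mode rejects both.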

g. Understand Route Failover


The link health monitor verifies the status of a path by probing a remote server through an
interface. If the monitor marks the interface as dead, its routes are withdrawn and traffic is sent
through a valid alternate route. By default five consecutive failed probes are needed before the
link is declared dead. Ping, TCP echo, UDP echo, HTTP and TWAMP probes are supported; TWAMP,
on port 862 (TCP control, UDP test), is the most accurate.

[*]Acronyms and abbreviations:
FDN – FortiGuard Distribution Network
WAF – Web Application Firewall
PPPoE – Point-to-Point Protocol over Ethernet
OCSP – Online Certificate Status Protocol
CN – Common Name
FGCP – FortiGate Clustering Protocol
CDR – Content Disarm and Reconstruction
IOC – Indicator of Compromise
IPS – Intrusion Prevention System
ISDB – Internet Service Database
DHCP – Dynamic Host Configuration Protocol
DoT – DNS over TLS
DNS – Domain Name System
