Firewall Policies


Taichung City Primary and Secondary Schools Firewall Basic Training
FortiGate 200D Operating Environment and Installation Setup
Device Architecture, Firewall Policies and Troubleshooting
Agenda
• Device overview and functions
• Basic settings
• Firewall policy definition
• Security feature configuration
• SSL VPN configuration
• Troubleshooting
Device Overview and Functions
Front panel interfaces and LEDs, system login, feature overview
Front Panel Interfaces and LED Description
Front Panel Interface Connections
FortiGate Feature Areas
• Application-level services
 Antivirus, intrusion protection, antispam, web content filtering
• Network-level services
 Firewall, IPSec and SSL VPN, traffic shaping
• Management, reporting, analysis products
 Authentication, logging, reporting, secure administration, SNMP
Basic Firewall Functions
• Controls the flow of traffic between networks of different trust
level
• Allows good information through but blocks intrusions,
unauthorized users or malicious traffic
• Rules to allow or deny traffic
[Diagram: Internet (untrusted network) – Firewall – trusted corporate network]
Operating Mode – NAT/Route
[Diagram: internal network (192.168.1.99, 192.168.1.3) and DMZ (10.10.10.1, 10.10.10.2) behind the FortiGate; WAN1 204.23.1.5 connects through a router to the Internet]
• NAT mode policies control traffic between internal and external networks.
• Routing policies control traffic between internal networks.
Operating Mode – Transparent
[Diagram: Internet – router (gateway to public network, 204.23.1.5) – WAN1 – FortiGate – internal hub or switch – hosts 10.10.10.2 and 10.10.10.3; the FortiGate bridges the internal segment to the gateway without routing between subnets]
Page: 25
Network Architecture Description
Device Management Methods
• Web Config (web-based GUI)
 Configure and monitor the device through a web browser
• CLI (command line interface)
 Command line interface
Page: 26
System Login
https://163.17.x.x
Account
Password
Recommended browsers: Firefox 37 or later, IE 11 or later
Web Config (web-based GUI)
CLI Console (command line console)
Device information
System resources
Adding a dashboard widget
Interface traffic information & device operating status
Basic Settings
Interfaces & static routes (IPv4/IPv6), GUI language, administrator accounts, feature visibility
Firewall Policy Definition
Policy items, addresses & services, policy adjustment
Security Feature Configuration
Antivirus, application control, web filtering
SSL VPN Configuration
Login accounts, web portal, settings, policy adjustment
Troubleshooting
FortiView, network problems, restricting problem IPs
Lesson 4
Firewall Policies
Firewall Policies
• Control traffic passing through FortiGate
 What to do with connection request?
• Packet analyzed, content compared to policy
 ACCEPT
 DENY
• Source, destination and service must match policy
 Policy directs action
• Protection profile used with policy
 Apply protection settings
• Logging enabled to view connections using policy
Page: 137
Policy Matching
• Searches the policy list for a matching policy
 Based on source, destination and service
• Starts at the top of the list and searches down for a match
 The first match is applied
 Arrange policies from more specific to more general
• Policies are configured separately for each virtual domain
• Move policies in the list to influence the order in which they are evaluated
Page: 138-141
User Authentication to Firewall Policies
• The user is challenged to identify themselves before using the policy
 Place the authenticating policy before any matching policy that does not require authentication, or the latter matches first
• Available for policies with:
 Action set to ACCEPT
 SSL VPN
• Authentication methods
 Username + password
 Digital certificates
 LDAP
 RADIUS
 TACACS+
 Active Directory (FSAE required)
Page: 142
Authentication Protocols
• The protocol used to issue the authentication challenge is specified
• The firewall policy must include that protocol
 HTTP
 HTTPS
 Telnet
 FTP
Page: 142
Creating Policies
• Source and destination address
• Schedule
• Service
• Action
• NAT
• Options
 Protection profile
 Logging
 Authentication
 Traffic shaping
 Disclaimers
Page: 143
Firewall Addresses
• Added as the source and destination address of a policy
 Matched against the source and destination IP address of packets received
• Default of ALL
 Represents any IP address on the network
• An address is configured with a name, IP address and mask
 An FQDN can be used instead of an IP address
 The name must be unique
• Groups can be used to simplify policy creation and
management
Page: 144-148
Firewall Schedules
• Control when policies are active or inactive
• One-time schedule
 Activate or deactivate for a specified period of time
• Recurring schedule
 Activate or deactivate at specified times of the day or week
Page: 149-150
Firewall Services
• Determine types of communications accepted or denied
• Predefined services applied to policy
 Custom service if not on predefined list
• Group services to simplify policy creation and management
Page: 151-153
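The matching rules from the Policy Matching slide, carried out over address, service and schedule objects like the ones above, as an added example (not FortiGate code; the networks, object names and policy names are constructed). It shows why order matters: the same three policies with the general ACCEPT moved to the top let SSH into the DMZ that the specific DENY was meant to stop.

```python
"""Added example, not FortiGate code: first-match evaluation of a policy
list built from address, service and schedule objects. The networks,
object names and policy names are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Address:
    name: str
    network: ipaddress.IPv4Network


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                       # "tcp", "udp" or "any"
    ports: frozenset = frozenset()   # empty set = any destination port

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("any", proto) and (not self.ports or dport in self.ports)


@dataclass(frozen=True)
class Schedule:
    name: str
    days: frozenset   # weekday numbers, Monday = 0; empty = every day
    start: int        # minutes after midnight, inclusive
    stop: int         # minutes after midnight, exclusive

    def active(self, when: datetime) -> bool:
        minute = when.hour * 60 + when.minute
        return (not self.days or when.weekday() in self.days) and self.start <= minute < self.stop


@dataclass(frozen=True)
class Policy:
    name: str
    src: tuple        # Address objects
    dst: tuple        # Address objects
    services: tuple   # Service objects
    action: str       # "ACCEPT" or "DENY"
    schedule: Optional[Schedule] = None   # None = always


def decide(policies, src_ip, dst_ip, proto, dport, when):
    """Walk the list top-down and return (policy name, action) for the first
    policy whose source, destination, service and schedule all match.
    Falling off the end is the implicit deny at the bottom of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.schedule is not None and not p.schedule.active(when):
            continue
        if not any(s in a.network for a in p.src):
            continue
        if not any(d in a.network for a in p.dst):
            continue
        if not any(sv.matches(proto, dport) for sv in p.services):
            continue
        return p.name, p.action
    return "implicit", "DENY"


# Constructed objects
ALL = Address("all", ipaddress.ip_network("0.0.0.0/0"))
LAN = Address("lan", ipaddress.ip_network("192.168.1.0/24"))
DMZ = Address("dmz", ipaddress.ip_network("10.10.10.0/24"))
WEB = Service("HTTP+HTTPS", "tcp", frozenset({80, 443}))
ANY = Service("ALL", "any")
BUSINESS_HOURS = Schedule("business-hours", frozenset(range(5)), 8 * 60, 18 * 60)

# Specific policies first, the general one last (the order the slide recommends)
ORDERED = (
    Policy("lan-to-dmz-web", (LAN,), (DMZ,), (WEB,), "ACCEPT"),
    Policy("lan-to-dmz-deny", (LAN,), (DMZ,), (ANY,), "DENY"),
    Policy("lan-to-internet", (LAN,), (ALL,), (ANY,), "ACCEPT", BUSINESS_HOURS),
)
# The same three policies with the general one moved to the top
MISORDERED = (ORDERED[2], ORDERED[0], ORDERED[1])

TUE_10 = datetime(2024, 6, 4, 10, 0)   # Tuesday, inside business hours
TUE_22 = datetime(2024, 6, 4, 22, 0)   # Tuesday, after hours
SUN_10 = datetime(2024, 6, 2, 10, 0)   # Sunday

if __name__ == "__main__":
    print(decide(ORDERED, "192.168.1.10", "10.10.10.5", "tcp", 22, TUE_10))     # lan-to-dmz-deny
    print(decide(MISORDERED, "192.168.1.10", "10.10.10.5", "tcp", 22, TUE_10))  # lan-to-internet ACCEPT
```

The schedule check is applied before the address and service checks only for speed; a policy outside its schedule behaves as if it were not in the list, so traffic falls through to the next policy or to the implicit deny.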
Network Address Translation (NAT)
• Translate the source address and port of packets accepted by the policy
[Diagram: client 10.10.10.1 on the internal interface, FortiGate with wan1 IP 192.168.2.2, server 172.16.1.1 across the Internet; firewall policy with NAT enabled]
• Original packet (client → FortiGate)
 Source IP: 10.10.10.1, source port: 1025
 Destination IP: 172.16.1.1, destination port: 80
• New packet (FortiGate → server)
 Source IP: 192.168.2.2, source port: 30912
 Destination IP: 172.16.1.1, destination port: 80
Page: 154
Dynamic IP Pool
• Translate the source address to an IP address randomly
selected from the addresses in the IP pool
[Diagram: client 10.10.10.1 on the internal interface, FortiGate wan1, server 172.16.1.1 across the Internet; firewall policy with NAT + IP pool, IP pool on wan1: 172.16.12.12-172.16.12.12]
• Original packet (client → FortiGate)
 Source IP: 10.10.10.1, source port: 1025
 Destination IP: 172.16.1.1, destination port: 80
• New packet (FortiGate → server)
 Source IP: 172.16.12.12, source port: 30957
 Destination IP: 172.16.1.1, destination port: 80
Page: 155
Fixed Port
• Prevents NAT from translating the source port
 Some applications do not function correctly if the source port is translated
• If Dynamic IP Pool is not enabled, a policy with Fixed Port can only
allow one connection to that service at a time
[Diagram: client 10.10.10.1 on the internal interface, FortiGate wan1, server 172.16.1.1 across the Internet; firewall policy with NAT + IP pool + fixed port, IP pool on wan1: 172.16.12.12-172.16.12.12]
• Original packet (client → FortiGate)
 Source IP: 10.10.10.1, source port: 1025
 Destination IP: 172.16.1.1, destination port: 80
• New packet (FortiGate → server)
 Source IP: 172.16.12.12, source port: 1025
 Destination IP: 172.16.1.1, destination port: 80
Page: 156
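The three source NAT behaviours above (interface address with port translation, dynamic IP pool, fixed port), as an added example that is not FortiGate code: a session table that allocates translated tuples and maps replies back. Addresses follow the diagrams; the translated port range, the random choice and the collision handling are assumptions of this model. The fixed-port case makes the one-connection limit concrete: what must be unique is the translated (IP, port, destination) tuple, so a second client using the same source port to the same server collides unless the pool offers another address.

```python
"""Added example, not FortiGate code: a source NAT session table covering
the three cases in the slides (interface address, dynamic IP pool, fixed
port). Addresses follow the diagrams; the translated port range, the
random choice and the collision handling are assumptions of this model."""
import random


class SourceNat:
    def __init__(self, wan_ip, ip_pool=(), fixed_port=False, seed=0):
        self.wan_ip = wan_ip
        self.ip_pool = list(ip_pool)
        self.fixed_port = fixed_port
        self.rng = random.Random(seed)
        self.sessions = {}   # original (sip, sport, dip, dport) -> translated tuple
        self.reverse = {}    # translated (tip, tport, dip, dport) -> original tuple

    def _candidate_ips(self):
        # Dynamic IP pool: addresses chosen from the pool; otherwise the
        # outgoing interface address (wan1) is the only choice.
        ips = list(self.ip_pool) or [self.wan_ip]
        self.rng.shuffle(ips)
        return ips

    def outbound(self, sip, sport, dip, dport):
        """Translate a client packet. Returns the new (sip, sport, dip, dport),
        or None when no unique translated tuple can be allocated."""
        key = (sip, sport, dip, dport)
        if key in self.sessions:                 # existing session: same mapping
            return self.sessions[key]
        for tip in self._candidate_ips():
            if self.fixed_port:
                tport = sport                    # source port must not change
                if (tip, tport, dip, dport) in self.reverse:
                    continue                     # already in use: try another pool IP
            else:
                used = {p for (ip, p, d, dp) in self.reverse if (ip, d, dp) == (tip, dip, dport)}
                free = [p for p in range(1024, 65536) if p not in used]
                tport = self.rng.choice(free)
            new = (tip, tport, dip, dport)
            self.sessions[key] = new
            self.reverse[new] = key
            return new
        return None   # fixed port, and every candidate IP already has this tuple in use

    def reply(self, sip, sport, dip, dport):
        """A reply from the server: the session table maps the translated
        address back to the client. Unknown tuples are dropped (None)."""
        orig = self.reverse.get((dip, dport, sip, sport))
        if orig is None:
            return None
        cip, cport, srv_ip, srv_port = orig
        return (srv_ip, srv_port, cip, cport)


def demo():
    """The three slide scenarios, plus a second client on the fixed-port policy."""
    results = {}
    plain = SourceNat("192.168.2.2")
    results["interface_nat"] = plain.outbound("10.10.10.1", 1025, "172.16.1.1", 80)
    results["interface_nat_reply"] = plain.reply("172.16.1.1", 80, *results["interface_nat"][:2])

    pool = SourceNat("192.168.2.2", ip_pool=["172.16.12.12"])
    results["ip_pool"] = pool.outbound("10.10.10.1", 1025, "172.16.1.1", 80)

    fixed = SourceNat("192.168.2.2", ip_pool=["172.16.12.12"], fixed_port=True)
    results["fixed_port"] = fixed.outbound("10.10.10.1", 1025, "172.16.1.1", 80)
    # second client, same source port, same service: the translated tuple collides
    results["fixed_port_collision"] = fixed.outbound("10.10.10.9", 1025, "172.16.1.1", 80)
    # a different source port does not collide
    results["fixed_port_other_port"] = fixed.outbound("10.10.10.9", 2000, "172.16.1.1", 80)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```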
Virtual IPs
• Allow inbound connections through the FortiGate unit using NAT firewall policies
• Addresses in the packets are remapped and forwarded
 With NAT also enabled on the policy, the client address does not appear in the packet the server receives; with NAT off, only the destination is rewritten (see DNAT below)
• On the reply, the session table is used to determine what the destination
address should be mapped back to
Page: 157-158
DNAT
• NAT not selected in the firewall policy
 The policy performs destination network address translation (DNAT) only
• Accepts a packet from the external network intended for a specific
address and translates the destination address to an IP on another
network
Page: 159
[Diagram: clients 10.10.10.1 and 10.10.10.2 on the Internet side of wan1; server 192.168.1.100 on the dmz interface]
• Firewall policy with destination address VIP
 VIP: static NAT, interface wan1, external address 172.16.1.1 → mapped address 192.168.1.100
• Original packet (client → wan1)
 Source IP: 10.10.10.1, source port: 1025
 Destination IP: 172.16.1.1, destination port: 80
• New packet (dmz → server)
 Source IP: 10.10.10.1, source port: 1025
 Destination IP: 192.168.1.100, destination port: 80
 The source address is unchanged because NAT is not selected on the policy
Page: 159
• The same static NAT VIP applies in reverse to traffic the server initiates through a firewall policy with NAT enabled
• Original packet (server → dmz)
 Source IP: 192.168.1.100, source port: 1025
 Destination IP: 10.10.10.2, destination port: 80
• New packet (wan1 → client)
 Source IP: 172.16.1.1, source port: 1025
 Destination IP: 10.10.10.2, destination port: 80
Page: 159
Server Load Balancing
• Dynamic one-to-many NAT mapping
• The external IP address is translated to one of the mapped IP addresses
 Determined by the load balancing algorithm
• The external IP address is not always translated to the same mapped
IP address
[Diagram: clients 10.10.10.1, 10.10.10.2 and 10.10.10.3 on the Internet side of wan1; three servers on the dmz interface]
• Firewall policy with destination address VIP
 VIP: server load balance, interface wan1, external address 172.16.1.1 → mapped addresses 192.168.1.100, 192.168.1.101, 192.168.1.200
• Original packet (client → wan1)
 Source IP: 10.10.10.3, source port: 1025
 Destination IP: 172.16.1.1, destination port: 80
• New packet (dmz → the server selected by the algorithm)
 Source IP: 10.10.10.3, source port: 1025
 Destination IP: 192.168.1.200, destination port: 80
Page: 160
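The two VIP types above (static NAT for the DNAT slide, server load balance for this one) together with the session-table reply mapping from the Virtual IPs slide, as an added example that is not FortiGate code. Addresses follow the slides; round-robin selection, keeping the client's source address (policy NAT off) and keeping the source port on server-initiated traffic are assumptions of this model.

```python
"""Added example, not FortiGate code: a static NAT VIP and a server load
balance VIP on wan1, with a session table mapping replies back to the
external address. Addresses follow the slides; round-robin selection,
keeping the client source address (policy NAT off) and keeping the source
port on server-initiated traffic are assumptions of this model."""
import itertools


class VirtualIP:
    def __init__(self, ext_ip, mapped_ips, ext_port=None, mapped_port=None):
        self.ext_ip = ext_ip
        self.mapped = list(mapped_ips)   # one address = static NAT, several = server LB
        self.ext_port = ext_port         # None = all ports (no port forwarding)
        self.mapped_port = mapped_port
        self._rr = itertools.cycle(self.mapped)

    def pick_server(self):
        # Server LB: the external address is not always mapped to the same server
        return next(self._rr)


class Dnat:
    def __init__(self, vips):
        self.by_ext = {v.ext_ip: v for v in vips}
        self.sessions = {}   # (client ip, client port, server ip, server port) -> (ext ip, ext port)

    def inbound(self, sip, sport, dip, dport):
        """Packet arriving on wan1 for a VIP: rewrite the destination only."""
        vip = self.by_ext.get(dip)
        if vip is None or (vip.ext_port is not None and dport != vip.ext_port):
            return None                              # no VIP matches this destination
        server = vip.pick_server()
        server_port = dport if vip.mapped_port is None else vip.mapped_port
        self.sessions[(sip, sport, server, server_port)] = (dip, dport)
        return (sip, sport, server, server_port)

    def reply(self, sip, sport, dip, dport):
        """Reply from the internal server: restore the external address the
        client originally talked to. Unknown sessions are dropped (None)."""
        ext = self.sessions.get((dip, dport, sip, sport))
        if ext is None:
            return None
        return (ext[0], ext[1], dip, dport)

    def outbound(self, sip, sport, dip, dport):
        """Server-initiated traffic through a NAT-enabled policy: a static NAT
        VIP translates the source to its external address."""
        for vip in self.by_ext.values():
            if len(vip.mapped) == 1 and vip.mapped[0] == sip:
                return (vip.ext_ip, sport, dip, dport)
        return None


def demo_static():
    fw = Dnat([VirtualIP("172.16.1.1", ["192.168.1.100"])])
    return {
        "in": fw.inbound("10.10.10.1", 1025, "172.16.1.1", 80),
        "reply": fw.reply("192.168.1.100", 80, "10.10.10.1", 1025),
        "unknown_reply": fw.reply("192.168.1.100", 80, "10.10.10.1", 4444),
        "out": fw.outbound("192.168.1.100", 1025, "10.10.10.2", 80),
        "not_a_vip": fw.inbound("10.10.10.1", 1025, "172.16.1.9", 80),
    }


def demo_lb():
    fw = Dnat([VirtualIP("172.16.1.1", ["192.168.1.100", "192.168.1.101", "192.168.1.200"])])
    conns = [fw.inbound("10.10.10.3", port, "172.16.1.1", 80) for port in (1025, 1026, 1027)]
    return {
        "servers": [c[2] for c in conns],
        "reply_from_third": fw.reply("192.168.1.200", 80, "10.10.10.3", 1027),
    }


if __name__ == "__main__":
    print(demo_static())
    print(demo_lb())
```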
Protection Profiles
• Control all content filtering
• Group of protection settings applied to traffic
 Types and levels of protection customized for each policy
• Enables settings for:
 Protocol recognition
 Anti-virus
 IPS
 Web filtering
 Spam filtering
 Data leak prevention sensor
 Application control
 Logging
Page: 161
Default Protection Profiles
• Strict
 Maximum protection
• Scan
 Applies virus scanning to HTTP, FTP, IMAP, POP3, SMTP
• Web
 Applies virus scanning and web content blocking to HTTP
• Unfiltered
 No scanning, blocking or IPS
Page: 162-172
Traffic Shaping
• Control bandwidth available to traffic processed by firewall
policy
 Which policies have higher priority?
• Improve quality of bandwidth-intensive traffic
 Does NOT increase total bandwidth available
Page: 173
Token Bucket Filter
• Dampening function
 Delays traffic by buffering bursts
 Does not schedule traffic
• Configured rate is never exceeded
Page: 174
Token Bucket Filter Mechanism
• The bucket has a specified capacity
 Tokens are added to the bucket at the mean rate
• If the bucket fills, new tokens are discarded
• Each packet requests a number of tokens equal to its size
• If there are not enough tokens in the bucket, the packet is buffered
• The flow will never send a burst larger than the capacity of
the bucket
• The overall transmission rate does not exceed the rate at which tokens are placed
in the bucket
Page: 175
Token Bucket Filter Mechanism
[Diagram: data packets from end users enter a buffer in the FortiGate unit; tokens drip into the token bucket; the regulator releases a packet to the destination network only when the bucket holds enough tokens for it]
Page: 175
Traffic Shaping Considerations
• Attempts to normalize traffic peaks
 Prioritizes certain flows over others
• There is a physical limit to how much data can be buffered
 Packets may be dropped and sessions affected
• Performance of one traffic flow may be sacrificed to
guarantee performance of another
• Not effective in high-traffic situations
 Where traffic exceeds the FortiGate unit's capacity
 Packets must be received before they can be shaped; shaping cannot control what arrives on the inbound link
• If shaping is not applied to a policy, the default is high priority
Page: 176-177
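The token bucket mechanism and the buffering limit from the two slides above, as an added example that is not FortiGate code. A constructed burst of seven packets shows the three behaviours: a burst up to the bucket capacity passes at once, later packets wait for tokens, and packets beyond the buffer size are dropped. The rate, bucket size, buffer size and packet sizes are illustrative values; `rate_respected` checks the "configured rate is never exceeded" property over every interval.

```python
"""Added example, not FortiGate code: a token bucket regulator with a
finite packet buffer, driven by a constructed burst. The rate, bucket size,
buffer size and packet sizes are illustrative values."""
from collections import deque


class TokenBucketShaper:
    def __init__(self, rate_bps, bucket_bytes, buffer_packets):
        self.rate = rate_bps              # tokens (bytes) added per second: the mean rate
        self.capacity = bucket_bytes      # bucket size: the largest burst that passes at once
        self.tokens = bucket_bytes        # the bucket starts full
        self.buffer = deque()             # packets waiting for tokens
        self.buffer_limit = buffer_packets
        self.clock = 0.0
        self.sent = []                    # (time, size) released to the destination network
        self.dropped = []                 # (time, size) lost because the buffer was full

    def _refill(self, now):
        # Tokens arrive at the mean rate; when the bucket is full they are discarded.
        self.tokens = min(self.capacity, self.tokens + (now - self.clock) * self.rate)
        self.clock = now

    def _drain(self, now):
        # The regulator releases the head packet only when the bucket holds
        # at least as many tokens as the packet has bytes.
        while self.buffer and self.buffer[0] <= self.tokens:
            size = self.buffer.popleft()
            self.tokens -= size
            self.sent.append((now, size))

    def arrive(self, now, size):
        """A packet from the end users enters the buffer (or is dropped)."""
        self._refill(now)
        if size > self.capacity or len(self.buffer) >= self.buffer_limit:
            self.dropped.append((now, size))   # physical limit on buffering
            return
        self.buffer.append(size)
        self._drain(now)

    def tick(self, now):
        """Advance the clock with no arrivals: refill and release what fits."""
        self._refill(now)
        self._drain(now)


def rate_respected(sent, rate, capacity):
    """Over every interval [t_i, t_j], the bytes released never exceed
    capacity + rate * (t_j - t_i): the configured rate is never exceeded."""
    for i, (ti, _) in enumerate(sent):
        total = 0
        for tj, size in sent[i:]:
            total += size
            if total > capacity + rate * (tj - ti) + 1e-9:
                return False
    return True


def simulate_burst():
    """Seven 500-byte packets arrive at once on a 1000 B/s shaper with a
    1500-byte bucket and room for three buffered packets."""
    shaper = TokenBucketShaper(rate_bps=1000, bucket_bytes=1500, buffer_packets=3)
    for _ in range(7):
        shaper.arrive(0.0, 500)
    for t in (0.5, 1.0, 1.5, 2.0):
        shaper.tick(t)
    return shaper.sent, shaper.dropped


if __name__ == "__main__":
    sent, dropped = simulate_burst()
    print("sent:", sent)        # three at t=0, then one every 0.5 s
    print("dropped:", dropped)  # the seventh packet: buffer full
    print("rate respected:", rate_respected(sent, 1000, 1500))
```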
Disclaimers
• Accept disclaimer before connecting
• Use with authentication or protection profile
• Can redirect to a URL after authentication
Page: 178
Lab
• Creating firewall policy objects
• Configuring firewall policies
• Testing firewall policies
• Configuring virtual IP access
• Debug flow
Page: 179
Agenda
• Introduction
• Overview and System Setup
• FortiGuard Subscription Services
• Logging and Alerts
• Firewall Policies
• Basic VPN
• Authentication
• Antivirus
• Spam Filtering
• Web Filtering
Lesson 5
Basic VPN
Virtual Private Networks (VPN)
• Use public network to provide access to private network
• Confidentiality and integrity of data
• Authentication, encryption and restricted access
Page: 195
FortiGate VPN
• Secure Sockets Layer (SSL) VPN
 Access through a web browser
• Point-to-Point Tunneling Protocol (PPTP)
 Windows standard
• Internet Protocol Security (IPSec) VPN
 Dedicated VPN software required
 Well suited for legacy applications (not web-based)
Page: 195-196
SSL VPN Operating Modes
• Web-only mode
 Web browser only
 Secure connection between browser and FortiGate unit
 FortiGate acts as gateway
• Authenticates users
• Tunnel mode
 VPN software downloaded as ActiveX control
 FortiGate unit assigns client IP address from range of reserved
addresses
Page: 197-199
User Accounts
• Must have a user account assigned to an SSL VPN user group
• Users must authenticate
 Username + password
 RADIUS
 TACACS+
 LDAP
 Digital certificates
• The user group provides access to the firewall policy
• Split tunneling available
 Only traffic destined for the tunnel is routed over the VPN
Page: 200-202
Web-Only Configuration
• Enable SSL VPN
• Create user accounts
 Assign to user group
• Create firewall policy
• Setup logging (optional)
Page: 204
Tunnel Mode Configuration
• Enable SSL VPN
• Specify tunnel IP range
• Create user group
• Create firewall policy
Page: 205
SSL VPN Settings
• Tunnel IP Range
 Reserve range of IPs for SSL VPN clients
• Server Certificate, Require Client Certificate
 Certificates must be installed
• Encryption Key Algorithm
• Idle Time-out
• Client Authentication Time-Out
 CLI only
• Portal Message
• Advanced
 DNS and WINS Servers
Page: 206-208
Firewall Policies
• At least one SSL VPN firewall policy is required
• Specify the originating IP address
• Specify the IP address of the intended recipient or network
• Configuration steps:
 Specify source and destination IP address
 Specify level of encryption
 Specify authentication method
 Bind user group to policy
Page: 209
Firewall Addresses
• Web-only mode
 Predefined source address of ALL
 Destination: the IP address the remote client needs to access
• Entire private network, range of private IPs, or private IP of a host
• Tunnel mode
 Source is the range of IP addresses allowed to connect to the FortiGate
• Restricts who can access the FortiGate
 Destination: the IP address the remote client needs to access
• Entire private network, range of private IPs, or private IP of a host
Page: 209
Configuring Web-Only Firewall Policies
• Specify destination IP address
 Name
 Type
 Subnet/IP range
 Interface
• Define policy
 Action: SSL-VPN
 Add user group
Page: 210-212
Configuring Tunnel-Mode Firewall Policies
• Specify source IP addresses
 Addresses that can connect to the FortiGate
• Specify destination IP address
 Addresses clients need to access
• Specify level of encryption
• Specify authentication type
• Bind user group to policy
• Source interface: ssl.root (the SSL VPN tunnel interface)
Page: 213-218
SSL VPN Bookmarks
• Hyperlinks to frequently accessed applications
 Web-only mode
• FortiGate forwards connection request to servers
• VPN > SSL > Portal
Page: 219-221
Connecting to the SSL VPN
• https://<FortiGate_IP_address>:10443
 Port customizable
• SSL-VPN Web Portal page displayed
 Bookmarks
• What appears is pre-determined by administrator’s settings
in User > User Group and VPN > SSL > Portal > Settings
Page: 222
PPTP VPN
• Point-to-Point Protocol (PPP) based tunneling protocol
 PPP software operates over the tunneled link
• Encapsulates PPP packets within IP (GRE) packets
 Not cryptographically protected by PPTP itself
• PPTP packets are not authenticated or integrity protected
 Its usual authentication, MS-CHAPv2, is cryptographically broken; treat PPTP as a legacy option and prefer SSL VPN or IPSec
• The FortiGate unit assigns the client an IP address from the reserved range
 The assigned IP is used for the duration of the connection
• The FortiGate unit disassembles the PPTP packet and forwards it to the
correct computer on the internal network
Page: 223
PPTP VPN
• FortiGate unit can act as PPTP server
• FortiGate unit can forward PPTP packets to PPTP server
Page: 224
FortiGate Unit as PPTP Server
[Diagram: PPTP clients – Internet – FortiGate (PPTP server) – internal network]
Page: 224
FortiGate Unit Forwards Traffic to PPTP Server
[Diagram: PPTP clients – Internet – FortiGate – PPTP server on the internal network]
Page: 225
PPTP Server Configuration
• Configure user authentication for PPTP clients
• Enable PPTP on the FortiGate unit
• Configure the PPTP server
• Configure the client
Page: 226
PPTP Pass-Through Configuration
• Configuration required to forward PPTP packets to PPTP
server
• Define virtual IP that points to PPTP server
• Configure firewall policy
• Configure client
Page: 227
IPSec VPN
• Industry standard set of protocols
• Layer 3
 Applications do not need to be designed to use IPSec
• IP packets encapsulated with IPSec packets
 Header of new packet refers to end point of tunnel
• Phase 1
 Establish connection
 Authenticate VPN peer
• Phase 2
 Establish tunnel
Page: 228
IPSec Protocols
• Authentication Header (AH)
 Authenticates the identity of the sender
 Integrity of the data
 The entire packet, including the IP header, is signed; nothing is encrypted
• Encapsulating Security Payload (ESP)
 Encrypts the data
 Signs the ESP header and payload only; the outer IP header is not integrity protected
Page: 229
Authentication Header (AH)
[Packet layout: Original IP header | Authentication Header | TCP header | Data]
 Authenticated: the whole packet
Page: 229
Encapsulating Security Payload (ESP)
[Packet layout: New IP header | ESP header | Original IP header | TCP header | Data | ESP trailer | ESP authentication trailer]
 Encrypted: original IP header through ESP trailer
 Authenticated: ESP header through ESP trailer
Page: 229
Modes of Operation
• Tunnel mode
 Entire IP packet encrypted and/or authenticated
 Packet then encapsulated for routing
• Transport mode
 Only data in packet encrypted and/or authenticated
 Header not modified or encrypted
Page: 230
Security Association (SA)
• Defines bundle of algorithms and parameters
 Encrypt and authenticate one-directional data flow
• Agreement between two computers about the data
exchanged and protected
Page: 230
Internet Key Exchange (IKE)
• Allows two parties to set up SAs
 Including the secret keys that protect them
• Uses Internet Security Association and Key Management
Protocol (ISAKMP)
 Framework for establishing SAs
• Two distinct phases
 Phase 1
 Phase 2
Page: 231
Phase 1
• Authenticate the computers involved in the transaction
• Negotiate the SA policy between the computers
• Perform a Diffie-Hellman key exchange
• Set up a secure tunnel
• Main mode (three exchanges)
 The algorithms to be used are agreed upon
 Secret keys and nonces are generated
 The other side's identity is verified
• Aggressive mode (one exchange)
 Everything needed to complete the exchange is sent at once
 Identities and the authentication hash travel before encryption is available, so aggressive mode with a pre-shared key exposes the hash to offline dictionary attack; prefer main mode
Page: 231
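The key derivation and authentication steps of a phase 1 main-mode exchange with a pre-shared key, as an added example that is not FortiGate or IKE library code: two in-process peers perform the Diffie-Hellman exchange, derive SKEYID and the SKEYID_d/a/e keys, and verify each other's HASH_I and HASH_R. The group is the 1024-bit MODP group (RFC 2409 group 2) and the constructions follow RFC 2409 section 5 with HMAC-SHA256 as the prf; the SA payload, identities and cookies are constructed stand-ins. The second run shows the failure mode: with mismatched pre-shared keys the DH secret still agrees, but SKEYID differs, so both hashes fail and no tunnel is established.

```python
"""Added example, not FortiGate or IKE library code: the key derivation
and authentication hashes of an IKE phase 1 main-mode exchange with a
pre-shared key, run between two in-process peers. The group is the
1024-bit MODP group (RFC 2409 group 2); SKEYID, SKEYID_{d,a,e}, HASH_I and
HASH_R follow RFC 2409 section 5 with HMAC-SHA256 as the prf. The SA
payload, identities and cookies are constructed stand-ins."""
import hashlib
import hmac
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
SA_PROPOSAL = b"aes256-sha256-modp1024-psk"   # stand-in for the SA payload body


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(128, "big")   # group values are 1024 bits wide


class Peer:
    def __init__(self, identity: bytes, psk: bytes):
        self.id, self.psk = identity, psk
        self.cookie = secrets.token_bytes(8)        # ISAKMP cookie
        self.nonce = secrets.token_bytes(16)
        self.x = secrets.randbelow(P - 2) + 1       # private DH exponent
        self.pub = pow(G, self.x, P)                # g^x mod p, sent in the second exchange


def derive_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """Pre-shared key authentication: SKEYID = prf(psk, Ni | Nr); the
    derived keys mix in the DH secret so they are fresh per exchange."""
    skeyid = prf(psk, ni + nr)
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")       # SKEYID_d: phase 2 key material
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")   # SKEYID_a: authenticates ISAKMP messages
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")   # SKEYID_e: encrypts ISAKMP messages
    return {"skeyid": skeyid, "d": d, "a": a, "e": e}


def auth_hash(skeyid, own_pub, peer_pub, own_cky, peer_cky, identity):
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b); HASH_R mirrors it
    return prf(skeyid, to_bytes(own_pub) + to_bytes(peer_pub) + own_cky + peer_cky + SA_PROPOSAL + identity)


def main_mode(i: Peer, r: Peer):
    """Exchange 1 (SA proposal) is fixed here; exchange 2 carries g^x and
    nonces in the clear; exchange 3 carries identities and hashes (encrypted
    with SKEYID_e in real IKE). Each side verifies the other's hash with its
    own SKEYID, so mismatched pre-shared keys fail on both sides."""
    gxy_i = to_bytes(pow(r.pub, i.x, P))
    gxy_r = to_bytes(pow(i.pub, r.x, P))
    k_i = derive_keys(i.psk, i.nonce, r.nonce, gxy_i, i.cookie, r.cookie)
    k_r = derive_keys(r.psk, i.nonce, r.nonce, gxy_r, i.cookie, r.cookie)
    hash_i = auth_hash(k_i["skeyid"], i.pub, r.pub, i.cookie, r.cookie, i.id)
    hash_r = auth_hash(k_r["skeyid"], r.pub, i.pub, r.cookie, i.cookie, r.id)
    r_accepts = hmac.compare_digest(hash_i, auth_hash(k_r["skeyid"], i.pub, r.pub, i.cookie, r.cookie, i.id))
    i_accepts = hmac.compare_digest(hash_r, auth_hash(k_i["skeyid"], r.pub, i.pub, r.cookie, i.cookie, r.id))
    return {
        "same_dh_secret": gxy_i == gxy_r,
        "same_skeyid_e": hmac.compare_digest(k_i["e"], k_r["e"]),
        "responder_accepts_initiator": r_accepts,
        "initiator_accepts_responder": i_accepts,
    }


if __name__ == "__main__":
    psk = b"correct horse battery staple"
    print(main_mode(Peer(b"fgt-site1", psk), Peer(b"fgt-site2", psk)))          # all True
    print(main_mode(Peer(b"fgt-site1", psk), Peer(b"fgt-site2", b"wrong key")))  # DH agrees, auth fails
```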
Phase 2
• Negotiate SA parameters to set up secure tunnel
• Renegotiate SAs regularly
Page: 232
Gateway-to-Gateway Configuration
• Tunnel between two separate private networks
• Traffic selected by the firewall policies is encrypted
• FortiG units at both ends must be in NAT/Route mode
Page: 234
Gateway-to-Gateway Configuration
[Diagram: Site 1 – FortiGate 1 – Internet – FortiGate 2 – Site 2]
Page: 234
Gateway-to-Gateway Configuration
• FortiGate receives connection request from remote peer
 Uses IPSec phase 1 parameters
• Establish secure connection
• Authenticate peer
• If policy permits, tunnel established
 Uses IPSec phase 2 parameters
 Applies policy
• Configuration steps
 Define phase 1 parameters
 Define phase 2 parameters
 Create firewall policies
Page: 234
Defining Phase 1 Parameters
Page: 235-236
Authenticating the FortiGate Unit
• Authenticate itself to remote peers
• Pre-shared key
 All peers must use same key
• Digital certificates
 Must be installed on peer and FortiGate
Page: 237-238
Authenticating Remote Clients
• Permit access using trusted certificates
 FortiGate configured for certificate authentication
• Permit access using peer identifier
• Permit access using pre-shared key
 Each peer or client must have user account
• Permit access using peer identifier and pre-shared key
 Each peer or client must have user account
Page: 239
XAuth Authentication
• Separate exchange at end of phase 1
 Increased security
• Draws on existing FortiGate user group definitions
• FortiGate can be XAuth server or XAuth client
Page: 239
IKE Negotiation Parameters
Page: 240-242
Defining Phase 2 Parameters
Page: 243-246
Firewall Policies
• Policies are needed to control the services and direction of traffic
• Firewall addresses are needed for each private network
• Policy-based VPN
 Specify the interface to the private network, the remote peer and the VPN tunnel
 A single policy covers the inbound, outbound or both directions
• Route-based VPN
 Requires an ACCEPT policy for each direction
 Creates a virtual IPSec interface on the interface connecting to the remote
peer
Page: 247-250
Lab
• Configuring SSL VPN for Full Access (Web Portal and
Tunnel Mode)
• Configuring a Basic Gateway-to-Gateway VPN
Page: 251
Lesson 6
Authentication
Authentication
• User or administrator is prompted to identify themselves
 Only allowed individuals perform actions
• Can be configured for:
 Any firewall policy with action of ACCEPT
 PPTP and L2TP VPNs
 Dial-up IPSEC VPN set up as XAuth server
 Dial-up VPN accepting user group as peer ID
Page: 263
Authentication Methods
• Local user
 User names and passwords used to authenticate are stored on the
FortiGate
• Remote
 Use existing systems to authenticate
 RADIUS
 LDAP
 PKI
 Windows Active Directory
 TACACS+
Page: 264-265
Users and User Groups
• Authentication based on user groups
 User created
 User added to groups
• User
 Account created on FortiGate or external authentication server
• User group
 Users or servers as members
 Specify allowed groups for each resource requiring authentication
 Group associated with protection profile
Page: 266-267
User Group Types
• Firewall
 Access to a firewall policy that requires authentication
 The FortiGate requests a user name and password (or certificate)
• Directory Service
 Allows access to users in DS groups who are already authenticated
• Single sign-on
 Requires FSAE
• SSL VPN
 Access to a firewall policy that requires SSL VPN authentication
Page: 268-270
Authentication overrides
• Require access to blocked site
 Override block for period of time
• Link to authenticate presented
Page: 271
Authentication Settings
Page: 272
PKI Authentication
• Valid certificate required
• SSL used for secure connection
• Trusted certificates installed on FortiGate and client
Page: 273
RADIUS Authentication
• User credentials are sent to the RADIUS server for authentication
• A shared secret authenticates the messages and obfuscates the User-Password attribute; the rest of the exchange is not encrypted, so keep RADIUS traffic on a protected management segment
• Primary and secondary servers are identified on the FortiGate unit
Page: 274
LDAP Authentication
• User credentials sent to LDAP server for authentication
• LDAP servers details identified on FortiGate
Page: 275
TACACS+ Authentication
• User credentials are sent to the TACACS+ server for authentication
• Choice of authentication types:
 Auto
 ASCII
 PAP
 CHAP
 MSCHAP
Page: 276
Microsoft Active Directory Authentication
• Transparently authenticate users
 Fortinet Server Authentication Extensions (FSAE) passes
authentication information to FortiGate
 Sign in once to Windows, no authentication prompts from FortiGate
Page: 277
FSAE Components
• Domain Controller Agent
 Installed on every domain controller
 Monitors user logons, sends to Collector Agent
• Collector Agent
 Installed on at least one domain controller
 Sends information collected to FortiGate
Page: 278
FSAE Configuration on Microsoft AD
• Configure Microsoft AD user groups
 All members of a group have the same access level
 FSAE only sends Domain Local Security Groups and Global Security
Groups to the FortiGate
• Configure Collector Agent settings
 Domain controllers to monitor
• Global ignore list
 Exclude system accounts
• Group filters
 Control which logon information is sent to the FortiGate
Page: 279-280
FSAE Configuration on FortiGate
• Configure Collector Agents
 The FortiGate must reach at least one collector agent
 Up to five can be listed
• Configure user groups
 AD groups are added to FortiGate user groups
• Configure firewall policy
• Allow guests
 Users not listed in AD
 Protection profile for the FSAE firewall policy
Page: 281
Labs
• Firewall Policy Authentication
• Adding User Disclaimers and Redirecting URLs
Page: 282
Lesson 7
Antivirus
Antivirus
• Detect and eliminate viruses, worms and spyware
• Scan HTTP and FTP traffic
• Scan SMTP, POP3, IMAP
Page: 289
Antivirus Elements
• File filter
 File pattern and file type recognition
• Virus scan
 Virus definitions kept up-to-date through FortiGuard Subscription
Services
• Grayware
• Heuristics
 Detect virus-like behavior
Page: 289-290
File Filter
• File pattern
 Name, extension or pattern
 Built-in patterns or custom
• File type
 Analyze file to determine type
 Types pre-configured
• Actions
 Allow
 Block
• Replacement message sent
Page: 291
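The two file-filter checks above, file name pattern and file type, applied to constructed sample files as an added example (not FortiGate code). The pattern list, the magic-number table and the samples are constructed; the type signatures are the standard leading bytes of each format. The point is the renamed executable: `invoice.jpg` passes the name-pattern filter and is caught only because the type filter looks at the content.

```python
"""Added example, not FortiGate code: the file pattern and file type
checks from the slide applied to constructed sample files. Pattern list,
type signatures (standard magic numbers) and samples are constructed."""
import fnmatch

MAGIC = {            # leading bytes that identify a file regardless of its name
    b"MZ": "exe",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}

BLOCK_PATTERNS = ["*.exe", "*.bat", "*.scr", "*.vbs"]   # file name pattern filter
BLOCK_TYPES = {"exe", "zip"}                            # file type filter


def detect_type(data: bytes) -> str:
    """Analyze the content, not the name, to determine the type."""
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return "unknown"


def filter_file(name: str, data: bytes):
    """Decide (action, reason) the way the proxy would before forwarding the file."""
    if any(fnmatch.fnmatch(name.lower(), p) for p in BLOCK_PATTERNS):
        return "block", "pattern:" + name
    ftype = detect_type(data)
    if ftype in BLOCK_TYPES:
        return "block", "type:" + ftype
    return "allow", ftype


SAMPLES = {   # constructed file contents (only the leading bytes matter here)
    "report.pdf": b"%PDF-1.7\n...",
    "setup.exe": b"MZ\x90\x00...",
    "invoice.jpg": b"MZ\x90\x00...",      # executable renamed to look like an image
    "photo.jpg": b"\xff\xd8\xff\xe0...",
    "archive.zip": b"PK\x03\x04...",
}


def run_samples():
    return {name: filter_file(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12} {verdict}")
```

A magic-number check is the minimum form of type analysis; a real engine also has to look inside archives and at polyglot files, which is why the slides pair file filtering with the virus scan rather than relying on either alone.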
Enabling File Filtering
Page: 292
File Name Pattern Filtering
Page: 295
File Type Filtering
Page: 296
File Pattern Filtering
Page: 297
Virus Scan
• Virus definitions used to detect and eliminate threats
 Updated regularly
 FortiGuard Subscription Services license required
Page: 298
Updating Antivirus Definitions
Page: 299
Grayware
• Unsolicited commercial software
 Often installed without consent
• Scans for grayware in enabled categories
 Categories and content updated regularly
Page: 300
Grayware Categories
• Adware
 Pop-up advertising content
• Browser Helper Objects
 Add capabilities to browser
• Dialers
 Unwanted calls through modem or Internet connection
• Downloaders
 Retrieve files
• Games
• Hacker Tools
 Subvert network and host security
Page: 301-303
Grayware Categories
• Hijackers
 Manipulate settings
• Jokes
• Key loggers
 Log input for later retrieval
• Misc
 Uncategorized (multiple functionalities)
• NMT (Network Management Tool)
 Cause network disruption
• P2P
 File exchanges containing viruses
Page: 301-303
Grayware Categories
• Plugins
 Add additional features to an existing application
• Remote Administration Tools (RAT)
 Remotely change or monitor a computer on a network
• Toolbars
 Augment capabilities of browser
Page: 301-303
Spyware
• Component of adware
 Track user activities online
 Report activities to central server
 Target advertising based on online habits
Page: 304-305
Quarantine
• Quarantine blocked or infected files
 FortiGate unit with hard drive
 FortiAnalyzer
• Files uploaded to Fortinet for analysis
Page: 306-307
Proxies
• Intercept all connection requests and responses
• Buffer and scan the response before flushing it to the client
• Splicing
 Prevents the client from timing out
 The server sends part of the response to the client while buffering
 The final part is sent if the response is clean
 FTP uploads, email protocols (SMTP, POP3, IMAP)
• Client comforting
 Prevents timeout while files are buffered and scanned by the FortiGate
 Can provide a visual status to the user that progress is being made
 HTTP and FTP downloads
Page: 308
Scanning Options
Page: 309-310
Lab
• Configuring Global Antivirus Settings
• Configuring a Protection Profile
• Testing Protection Profile Settings for HTTP/FTP Antivirus
Scanning
Page: 311
Lesson 8
Spam Filtering
Spam Filtering
• Manage unsolicited bulk email
 Detect spam messages
 Identify transmissions from known/suspected spam servers
Page: 321
Spam Filtering Methods
• IP address check
 Verify the source IP address against a list of known spammers
• URL check
 Extract URLs and verify against list of spam sources
• Email checksum check
 Calculate a checksum of the message and verify it against a list of known spam messages
• Spam submission
 Inform FortiGuard
• Black/White list
 Check incoming IP and email addresses against known list
 SMTP only
Page: 322-323
Spam Filtering Methods
• HELO DNS lookup
 Check source domain name against registered IP address in DNS
• Return email DNS check
 Check the domain of the incoming return address against the registered IP in DNS
• Banned word
 Check email against banned word list
• MIME headers check
 Check MIME headers against list
• DNSBL and ORDBL
 Check email against configured servers
Page: 322-323
FortiGuard Antispam Global Filters
• FortiIP sender IP reputation database
 Reputation of an IP based on properties related to the address
 Email volume from a sender: compare the sender's recent volume with its historical pattern
• FortiSig spam signature database
 FortiSig1: spamvertised URLs
 FortiSig2: spamvertised email addresses
 FortiSig3: spam checksums
• FortiRule
 Heuristic rules
 FortiMail only
Page: 324-325
Customized Filters
• Complement FortiGuard
• Banned word lists
• Local black/white list
• Heuristic rules
• Bayesian
 FortiMail only
Page: 325
Enabling Antispam
Page: 326
Spam Actions
• Tag or discard spam email
 Tagging adds custom text to the subject, or inserts a MIME header with a chosen value
• Discard is only available for SMTP, and only when virus checking is enabled
• Spam actions are logged
Page: 327
Banned Word
• Block messages containing specific words or patterns
 Values assigned to matches
 If threshold exceeded, messages marked as spam
• Perl regular expressions and wildcards can be used
Page: 328-334
Black/White List
• IP address filtering
 Compare IP address of sender to IP address list
 If match, action is taken
• Email address filtering
 Compare email address of sender to email address list
 If match, action is taken
Page: 335
Configuring IP Address List
Page: 336-338
Configuring Email Address List
Page: 339-342
MIME Headers Check
• MIME headers added to email
 Describe content type and encoding
• Malformed headers can fool spam or virus filters
• Compare MIME header key-value of incoming email to list
 If match, action is taken
Page: 343
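The black/white list, MIME header check and tag/discard actions above can be prototyped in a few dozen lines. The following is an added example written for this page, not FortiGate or Fortinet code: the list entries, header names, the `X-Spam-Flag` header, the `sample()` message builder and the addresses are all constructed for the illustration. It also models the slide's constraint that discard is honoured only for SMTP with virus checking enabled, falling back to tagging otherwise.

```python
"""Black/white-list, MIME-header check and tag/discard handling for an
incoming message, written to illustrate the slides' logic. Not FortiGate
code: list entries, header names and sample messages are constructed."""
import email
import email.utils
import fnmatch
import ipaddress
from email import policy

# Constructed lists. Each list is ordered; the first matching entry wins.
IP_LIST = [
    ("192.0.2.0/24", "reject"),          # hypothetical known spam network
    ("198.51.100.7", "mark_as_clear"),   # hypothetical trusted relay
]
EMAIL_LIST = [
    ("*@example.com", "mark_as_clear"),
    ("promo*@*.example.net", "mark_as_spam"),
]
# (header name, value wildcard, action): tell-tale or malformed MIME headers
MIME_HEADER_LIST = [
    ("X-Mailer", "BulkBlast*", "mark_as_spam"),
    ("Content-Type", "*name=*.exe*", "mark_as_spam"),
]
SPAM_TAG = "[SPAM]"


def check_ip(sender_ip, ip_list=IP_LIST):
    """Compare the connecting IP against the IP address list."""
    addr = ipaddress.ip_address(sender_ip)
    for entry, action in ip_list:
        if addr in ipaddress.ip_network(entry, strict=False):
            return action
    return None


def check_email(sender, email_list=EMAIL_LIST):
    """Compare the From address against the email address list (wildcards)."""
    for pattern, action in email_list:
        if fnmatch.fnmatchcase(sender.lower(), pattern.lower()):
            return action
    return None


def check_mime_headers(msg, header_list=MIME_HEADER_LIST):
    """Compare each listed header's value(s) against its wildcard pattern."""
    for name, pattern, action in header_list:
        for value in msg.get_all(name, []):
            if fnmatch.fnmatchcase(str(value), pattern):
                return action
    return None


def classify(raw, sender_ip, protocol="smtp", spam_action="tag", antivirus_enabled=False):
    """Return (verdict, message); verdict is clear, rejected, tagged or discarded."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    checks = (check_ip(sender_ip), check_email(sender), check_mime_headers(msg))
    for action in checks:
        if action == "mark_as_clear":
            return "clear", msg          # white-listed: remaining checks are skipped
        if action == "reject":
            return "rejected", msg
        if action == "mark_as_spam":
            break
    else:
        return "clear", msg
    # Slide constraint: discard only for SMTP with virus checking enabled;
    # for POP3/IMAP (or with AV off) the message is tagged instead.
    if spam_action == "discard" and protocol == "smtp" and antivirus_enabled:
        return "discarded", None
    subject = str(msg.get("Subject", ""))
    del msg["Subject"]
    msg["Subject"] = f"{SPAM_TAG} {subject}".strip()   # tag in the subject
    msg["X-Spam-Flag"] = "YES"                         # tag as a MIME header/value
    return "tagged", msg


def sample(from_addr, extra_header=""):
    """Build a constructed test message (not a real capture)."""
    return (f"From: {from_addr}\r\nTo: user@example.org\r\nSubject: Big savings\r\n"
            f"{extra_header}Content-Type: text/plain\r\n\r\nBuy now\r\n").encode()


if __name__ == "__main__":
    verdict, out = classify(sample("promo1@mail.example.net"), "203.0.113.5")
    print(verdict, out["Subject"], out["X-Spam-Flag"])
```

Note the ordering: the white-list entry for `*@example.com` is consulted before the MIME header check, so a listed sender is never tagged even when its mailer header matches; that is the reason the slides treat the black/white list as the first thing to maintain locally.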
DNSBL and ORDBL
• Published lists of suspected spammers
• Add subscribed servers
 Define action
Page: 344
FortiMail Antispam
• Enhanced set of features for detecting and blocking spam
 Some techniques not available in FortiGate
• Stand-alone antispam system
 Can be second layer in addition to FortiGate
• Legacy virus protection
• Email quarantine
Page: 345
Lesson 9
Web Filtering
Web Filtering
• Process web content to block inappropriate or malicious content
• Categorized content
 76 categories
 40 million domains
 Billions of web pages
 Automated updates
• Check web addresses against list
• Customizable
Page: 349
Order of Filtering
• URL Filtering
 Exempt, Block, Allow
• FortiGuard Web Filtering
• Content Exempt
 Customizable
• Content Block
 Customizable
• Script Filter
Page: 349
Web Content Block
• Block specific words or patterns
 Score assigned to pattern
 Page blocked if greater than threshold
 Perl regular expressions or wildcards can be used
Page: 350-353
Web Content Block
Page: 352
Web Content Exemption
• Override web content block
 Even if banned words appear
Page: 354-357
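The scored pattern matching described for the spam Banned Word list (Page: 328-334) and for Web Content Block and Web Content Exemption is the same mechanism, so one added example covers both, and applies it in the Order of Filtering listed above. This is illustration code written for this page, not FortiGate code: the patterns, scores, thresholds, URL filter entries, the `LOCAL_RATINGS` dictionary standing in for FortiGuard ratings, and the sample URLs and page bodies are constructed. Two further assumptions are labelled in the code: a wildcard pattern is matched as a whole word, and each pattern adds its score once however often it appears.

```python
"""Scored pattern matching with wildcard or Perl-style regular expressions,
shared by the spam banned-word list and the web content block, plus the
slides' order of filtering for a web request. Illustration only, not
FortiGate code; every list, score, threshold, URL and body is constructed."""
import fnmatch
import re
from urllib.parse import urlsplit


def compile_pattern(pattern, kind):
    """kind is 'regexp' (handed to re, which covers the Perl syntax used here)
    or 'wildcard' (* = any run of non-space characters, ? = one character).
    Matching a wildcard as a whole word is an assumption of this example."""
    if kind == "regexp":
        return re.compile(pattern, re.IGNORECASE)
    parts = [{"*": r"\S*", "?": r"\S"}.get(ch, re.escape(ch)) for ch in pattern]
    return re.compile(r"(?<!\w)" + "".join(parts) + r"(?!\w)", re.IGNORECASE)


def score_content(text, patterns):
    """Add each matching pattern's score once (assumption); return (total, hits)."""
    total, hits = 0, []
    for pattern, kind, score in patterns:
        if compile_pattern(pattern, kind).search(text):
            total += score
            hits.append(pattern)
    return total, hits


# --- Spam banned-word list (constructed) ---
SPAM_BANNED_WORDS = [
    ("lottery", "wildcard", 6),
    ("winner*", "wildcard", 4),
    (r"\$\d[\d,.]*\s*(million|billion)", "regexp", 8),
    ("unsubscribe*", "wildcard", 2),
]
SPAM_THRESHOLD = 10


def is_spam(body, patterns=SPAM_BANNED_WORDS, threshold=SPAM_THRESHOLD):
    """Message is marked as spam when the summed score exceeds the threshold."""
    return score_content(body, patterns)[0] > threshold


# --- Web filter lists (constructed) ---
URL_FILTER = [                       # evaluated top to bottom, first match wins
    ("*.example.edu/*", "exempt"),   # exempt: skip every later check
    ("*/casino/*", "block"),
    ("www.example.org/*", "allow"),  # allow: stop URL filtering, continue with the rest
]
LOCAL_RATINGS = {"games.example.net": "Games"}   # stand-in for FortiGuard ratings
BLOCKED_CATEGORIES = {"Games"}
CONTENT_EXEMPT = [("gambling-addiction", "wildcard", 1), (r"responsible\s+gaming", "regexp", 1)]
CONTENT_BLOCK = [("casino", "wildcard", 6), ("jackpot*", "wildcard", 5), (r"free\s+spins?", "regexp", 8)]
CONTENT_THRESHOLD = 10


def match_url(url, pattern):
    """Wildcard-match host plus path, the way a URL filter entry is written."""
    parts = urlsplit(url)
    return fnmatch.fnmatchcase((parts.netloc + (parts.path or "/")).lower(), pattern.lower())


def filter_request(url, body):
    """Apply the slide's order: URL filter, category, content exempt, content block.
    Returns (action, reason). Script filtering is omitted: it strips scripts
    from an allowed page rather than deciding allow or block."""
    for pattern, action in URL_FILTER:
        if match_url(url, pattern):
            if action == "exempt":
                return "allow", "url-exempt"
            if action == "block":
                return "block", "url-block"
            break
    category = LOCAL_RATINGS.get(urlsplit(url).hostname or "", "Unrated")
    if category in BLOCKED_CATEGORIES:
        return "block", "category:" + category
    if score_content(body, CONTENT_EXEMPT)[1]:
        return "allow", "content-exempt"     # exemption overrides the block list
    score, hits = score_content(body, CONTENT_BLOCK)
    if score > CONTENT_THRESHOLD:
        return "block", "content-block:%d (%s)" % (score, ", ".join(hits))
    return "allow", "clean"


if __name__ == "__main__":
    print(is_spam("Congratulations WINNER! You have won $10 million in the lottery"))
    print(filter_request("http://news.example.com/promo", "Win a jackpot with free spins at our casino"))
```

The order matters in two places a practitioner should check when a page is unexpectedly allowed or blocked: a URL filter entry is applied before any category or content check, so an `exempt` entry bypasses the content block entirely, and a content exemption word lets a page through even when its blocked-word score is far above the threshold.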
Web Content Exemption
Page: 356
Enabling Web Filtering
Page: 358
URL Filter
• Block specific pages
 Displays replacement message
• Text, regular expressions and wildcards can be used
Page: 359-362
URL Filter
Page: 361
FortiGuard Web Filter
• Managed web filtering solution
 Web pages rated and categorized
• Determines category of site
 Follows firewall policy
• Allow, block, log, or override
• Ratings based on:
 Text analysis
 Analysis of web link structure
 Human raters
Page: 363
Web Filtering Categories
• Categories based on suitability for enterprises, schools, and home
 Potentially liable
 Controversial
 Potentially non-productive
 Potentially bandwidth consuming
 Potential security risks
 General interest
 Business oriented
 Others
Page: 364
Web Filtering Classes
• Classify a web page based on media type or source
 Further refine web access
 Prevent users from reaching material through search results or cached copies
• Classes
 Cached contents
 Image search
 Audio search
 Video search
 Multimedia search
 Spam URL
 Unclassified
Page: 365
Enabling FortiGuard Web Filtering
Page: 366
Enabling FortiGuard Web Filtering Options
Page: 367-368
Web Filtering Overrides
• Give users the ability to override a web filter block
 Administrative overrides
 User overrides
• Override permissions are configured at the user group level or with override rules
• User group level overrides
 All users in the group get the same level of override
 Assumes authentication is enabled on the policy
• Override rules
 Fine granularity
 Access a domain, directory or category
Page: 369
Allowing Override at User Group Level
Page: 370
Configuring Override Rules (Directory or Domain)
Page: 371-372
Configuring Override Rules (Category)
Page: 373
Web Filtering Override Page
Page: 375
Web Filtering Authentication Page
Page: 375
Local Ratings
• Administrator controlled block of web sites
• Per protection profile basis
Page: 376
Local Categories
• Administrator controlled block on group of web sites
• Per protection profile basis
Page: 377
Thank you for attending.