FortiGate Sec 01 Introduction

Uploaded by

ravi pithawala

FortiGate Security

Introduction to FortiGate

FortiOS 6.0.0

© Copyright Fortinet Inc. All rights reserved. Last Modified: Saturday, May 15, 2021
The Modern Context of Network Security
• Firewalls are more than gatekeepers on the network perimeter.
• Today’s firewalls are designed in response to multi-faceted and multi-device
environments with no identifiable perimeter:
o Mobile workforce
o Partners accessing your network services
o Public and private clouds
o Internet of things (IoT)
o Bring your own device (BYOD)
• Firewalls are expected to perform different functions within a network.
o Different deployment modes:
• Distributed enterprise firewall
• Next-generation firewall
• Internal segmentation firewall
• Data center firewall
o DNS, DHCP, web filter, intrusion prevention system (IPS), and so on

2
Platform Design
• FortiGuard Subscription Services: threat intelligence, centralized management
• FortiOS feature set: next-generation firewall, antivirus, web filter, IPS, and so on
• Runs on FortiASIC optimized hardware or a hypervisor
• Integration with other Fortinet products: FortiClient, FortiWeb, FortiSandbox, FortiMail

3
Modes of Operation
NAT mode:
• FortiGate is an OSI Layer 3 router
• Interfaces have IP addresses
• Packets are routed by IP

Transparent mode:
• FortiGate is an OSI Layer 2 switch or bridge
• Interfaces do not have IPs
• Cannot route packets, only forward or block

4
Factory Default Settings
• Port1 or internal interface IP: 192.168.1.99/24
• PING, HTTP, HTTPS, and SSH protocol management enabled
• Built-in DHCP server is enabled on port1 or internal interface
o Only on entry-level models that support DHCP server
• Default login:
o User: admin
o Password: (blank)
o Both are case sensitive
o Modify the default (blank) root password
• Can access FortiGate on the CLI
o Console: without network
o CLI Console widget and terminal emulator, such as PuTTY or Tera Term

5
FortiGuard Subscription Services
• Internet connection and contract required
• Provided by FortiGuard Distribution Network (FDN)
o Major data centers in North America, Asia, and Europe
o FortiGate prefers the data center in the nearest time zone, but will adjust by server load
• Or, from FDN through your FortiManager
• Package updates: FortiGuard Antivirus and IPS
o update.fortiguard.net
o TCP port 443 (SSL)
• Live queries: FortiGuard Web Filtering, DNS Filtering, and Antispam
o service.fortiguard.net
o Proprietary protocol on UDP port 53 or 8888

6
Administration Methods
• CLI: Console, SSH, Telnet, GUI Widget
• GUI: FortiExplorer, Web Browser (HTTP, HTTPS)

7
Basic CLI Commands
• Use the following commands to check the system status and to list all, or only the non-default, attribute values for an interface.
• Use <command set> ? to list the commands that you can use with that command set (for example, get ?), and <command set> <command> ? to list the sub-commands under a command (for example, execute backup ?).

What to investigate…                                                  CLI command to use…
--------------------------------------------------------------------  ------------------------------------------------
What is the current status of FortiGate?                              get system status
What are all the attribute values for the system interface?           show full-configuration system interface <port>
What are the non-default attribute values for the system interface?   show system interface <port>

8
Administrator Profiles: Permissions
System > Admin Profiles

9
Administrator Profiles: Hierarchy
• super_admin: full global access
• custom_profile1: partial global access
• prof_admin: full access in a virtual domain (VDOM)
• custom_profile2: partial access in a VDOM

10
Two-Factor Authentication
• Password (one factor) + FortiToken (two factor)

11
Resetting a Lost Admin Password
User: maintainer
Password: bcpb<serial-number>
All letters in <serial-number> must be upper case, for example, FGT60.

• All FortiGate models and some other Fortinet device types


• Only after hard power cycle
o Soft cycle (reboot) does not work for security reasons.
• Only during first 60 seconds after boot (varies by model)
o Tip: Copy serial number into the terminal buffer, then paste.
• Only through hardware console port
o Requires physical access for security reasons.
o If compliance/risk of physical access requires, maintainer can be disabled.
config sys global
set admin-maintainer disable
end

12
Administrative Access: Protocols
Network > Interfaces
• Enable acceptable management
protocols on each interface
independently:
o Separate IPv4 and IPv6
o IPv6 options hidden by default
• Also protocols where FortiGate is the
destination IP:
o FortiTelemetry
o CAPWAP
o FMG-Access
o FTM
o RADIUS Accounting

13
Features Hidden by Default
System > Feature Visibility
• By default, some features, like IPv6, are hidden on the GUI.
o Hidden features are not disabled.
• In Feature Visibility, select to hide/show groups of features commonly used together.

14
Interface IPs
Network > Interfaces
• In NAT mode, interfaces cannot be used until they have an IP address:
o Manually assigned
o Automatic
• DHCP
• PPPoE
• Exceptions: Dedicated to FortiSwitch and the One-Arm Sniffer
o Note that the One-Arm Sniffer is available only when editing an unreferenced interface.

15
Interface Role Compared to Alias
Network > Interfaces
• Role defines interface settings typically grouped together.
o Avoids accidental misconfiguration
o Four types:
• WAN
• LAN
• DMZ
• Undefined (show all settings)
o Not in list of policies
• Alias is a friendly descriptor for the interface.
o Used in the list of policies (Policy & Objects > IPv4 Policy) to label interfaces by purpose

16
Static Gateway
Network > Static Routes
• Must be at least one default gateway
• If the interface is DHCP or PPPoE, the gateway can be added dynamically.

17
Link Aggregation
Network > Interfaces
• Bundles several physical ports to form a single point-to-point logical channel with greater bandwidth.
o Increases redundancy for higher availability

18
FortiGate as a DHCP Server
Network > Interfaces

19
FortiGate as a DNS Server
• Resolves DNS lookups from the internal network
o Enabled per interface
o Not appropriate for Internet service because of load, and therefore should not be public facing.
• One DNS database can be shared by all FortiGate interfaces.
o Can be separate per VDOM
• Resolution methods:
o Forward: relay requests to the next server (in DNS settings).
o Non-recursive: use FortiGate DNS database only to try to resolve queries.
o Recursive: use FortiGate DNS database first; relay unresolvable queries to next server (in DNS settings).

20
Configuration File: Backup and Restore
• Configuration can be saved to an external device
o Optional encryption
o Can back up automatically
• Upon logout
• Not available on all models
• To restore a previous configuration, upload the file.
o Reboots FortiGate

21
Configuration File Format
• Only non-default and important settings are stored (smaller file size)
• Header shows device model, firmware major version, and build number
o Plain-text file: readable configuration follows the header
o Encrypted file: after the header, the file is not readable.
• Restoring configuration
o Encrypted? Same device/model + build + password required.
o Unencrypted? Same model required.
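As an added example (not part of the original slides or of FortiOS), the following Python reads the header of a backup file and applies the restore rules above before an upload is attempted. It assumes the header line has the form #config-version=<MODEL>-<VERSION>-FW-build<NNNN>-<DATE>:...; the sample backup is constructed, and the password check is left to the device.

```python
import re
from dataclasses import dataclass

# Assumed first-line layout of a FortiGate backup (constructed for this
# example; confirm it against a backup taken from your own unit):
#   #config-version=<MODEL>-<MAJOR>.<MINOR>.<PATCH>-FW-build<NNNN>-<YYMMDD>:opmode=0:vdom=0:user=admin
HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-"
    r"(?P<version>(?P<major>\d+)\.\d+\.\d+)-FW-build(?P<build>\d+)-\d+"
)

# Constructed sample backup (values are made up, not from a real device).
SAMPLE_BACKUP = (
    "#config-version=FGT60E-6.0.5-FW-build0268-190507:opmode=0:vdom=0:user=admin\n"
    "config system global\n"
    "    set admin-maintainer disable\n"
    "end\n"
)


@dataclass(frozen=True)
class BackupHeader:
    model: str      # device model, e.g. FGT60E
    version: str    # full firmware version, e.g. 6.0.5
    major: int      # firmware major version
    build: int      # firmware build number


def parse_header(backup_text: str) -> BackupHeader:
    """Parse model, firmware version and build number out of the first line."""
    first_line = backup_text.splitlines()[0] if backup_text else ""
    m = HEADER_RE.match(first_line.strip())
    if not m:
        raise ValueError("not a FortiGate configuration header: %r" % first_line)
    return BackupHeader(m["model"], m["version"], int(m["major"]), int(m["build"]))


def restore_problems(hdr: BackupHeader, device_model: str,
                     device_build: int, encrypted: bool) -> list:
    """Apply the slide's restore rules: an unencrypted backup needs the same
    model; an encrypted one needs the same model and build (the password is
    verified by the device, not here). Returns the blocking mismatches."""
    problems = []
    if hdr.model != device_model:
        problems.append(f"model mismatch: backup {hdr.model}, device {device_model}")
    if encrypted and hdr.build != device_build:
        problems.append(f"build mismatch: backup {hdr.build}, device {device_build}")
    return problems


if __name__ == "__main__":
    h = parse_header(SAMPLE_BACKUP)
    print(h, restore_problems(h, "FGT60E", 300, encrypted=True))
```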

22
Upgrade Firmware
• The current firmware version can be viewed on the Dashboard or in System > Firmware (or on the CLI: get system status).
• If there is an updated firmware version, you will be notified.
• Firmware can be updated by clicking Upload Firmware or selecting the upgrade option in the notification icon drop-down list.
• Make sure you read the Release Notes to verify the upgrade path and other details.

23
Upgrade Firmware Process
1. Back up the configuration (full config backup on GUI or CLI).
2. Download a copy of the current firmware, in case reversion is needed.
3. Have physical access, or a terminal server connected to local console, in case
reversion is needed.
4. Read the Release Notes; they include the upgrade path and other useful
information.
5. Perform the upgrade.

24
Downgrade Firmware Process
1. Get the pre-upgrade configuration file.
2. Download a copy of the current firmware, in case reversion is needed.
3. Have physical access, or a terminal server connected to the local console, in
case reversion is needed.
4. Read the Release Notes. (Does downgrade preserve configuration?)
5. Downgrade the firmware.
6. If required, upload the configuration that matches the firmware version.

25
