TTT-Delta Between 6.4 and 7.0

Uploaded by gestradag-1

NSE4 - FortiGate Security and Infrastructure

Delta between 6.4 and 7.0

FortiOS 7.0
© Copyright Fortinet Inc. All rights reserved. Last Modified: Saturday, August 19, 2023
FortiGate Security – 3 Days (3 Days, 12 Lessons)
1. Introduction and Initial Configuration
2. Security Fabric
3. Firewall Policies
4. Network Address Translation (NAT)
5. Firewall Authentication
6. Logging and Monitoring
7. Certificate Operations
8. Web Filtering
9. Application Control
10. Antivirus
11. Intrusion Prevention and Denial of Service
12. SSL VPN

© Fortinet Inc. All Rights Reserved. 2


FortiGate Infrastructure – 2 Days (2 Days, 8 Lessons)
1. Routing
2. SDWAN_Local_Breakout (lesson renamed)
3. Virtual Domains
4. Layer 2 Switching
5. Site-to-Site IPsec VPN
6. Fortinet Single Sign-On (FSSO)
7. High Availability
8. Diagnostics

Lesson Removed: FortiGate_Inf_08_Web_Proxy



Power Point
• Template updated



FortiGate Security

Introduction and Initial Configuration

No significant changes

FortiGate Security

Security Fabric

Synchronizing Objects Across Security Fabric
New slide
• By default, object synchronization is enabled in fabric settings
  config system csf
    set status enable
    set configuration-sync default
    set fabric-object-unification default
  end
• If set fabric-object-unification is set to local on the root FortiGate device, global fabric objects are not synchronized to downstream FortiGate devices
  config system csf
    set status enable
    set group-name "fortinet"
    set fabric-object-unification local
  end
• If set configuration-sync is set to local, the downstream device does not participate in synchronization
  config system csf
    set status enable
    set configuration-sync local
  end
• Select the per-object option on the root FortiGate to choose whether or not an object is synchronized
• By default, this option is disabled, and fabric objects are kept as locally created objects on the FortiGate
• If disabled on the root FortiGate, objects will not be synchronized to downstream FortiGate devices



Synchronizing Objects Across Security Fabric (Contd)
Root FortiGate
Security Fabric > Fabric Connectors
Objects can be synchronized in Automatic or Manual mode
One downstream FortiGate device is not in sync with the fabric



Synchronizing Objects Across Security Fabric (Contd)
Root FortiGate
Security Fabric > Fabric Connectors



VDOM Mode
• There are two VDOM modes: split-vdom and multi-vdom
• split-vdom: FortiGate has two VDOMs in total, root and FG-traffic
  • Root: management work only and hidden entries
  • FG-traffic: can provide separate security policies and allow traffic through FortiGate
  • Cannot create new VDOMs
New
• multi-vdom: can create multiple VDOMs that function as multiple independent units

Screenshots: Global > System > VDOM in split-vdom mode (root and FG-traffic); Global > System > VDOM in multi-vdom mode



Multi-VDOM in the Security Fabric
New
Global > Security Fabric > Logical Topology
root and VDOM1 VDOMs in multi-VDOM mode



FortiGate Security

Firewall Policies

Internet Service Database (ISDB)—Updates
New
• You can disable ISDB updates so they only occur during a change control window
• Control ISDB updates by using the CLI command:
  # config system fortiguard
    set update-uwdb {enable | disable}   (allowlist update)
  next
  end
• Once ISDB updates are disabled, other scheduled FortiGuard updates do not update the ISDB
• By default, ISDB updates are enabled



FortiGate Security

Network Address Translation (NAT)

Matching Policies—VIP
• Default behavior: firewall address objects do not match VIPs
• Doesn't block an egress-to-ingress connection, even when the deny policy is at the top of the list
  • VIP policy (WAN to LAN) with Action = Deny: the VIP can still be accessed from the policy below, even though the deny policy is at the top of the list
NEW
• Two ways to resolve it by modifying the deny policy:
  • Enable match-vip in the deny policy (behavior change; only available for a firewall policy when the action of the policy is set to deny)
    config firewall policy
      edit <policy ID for deny>
        set match-vip enable
    end
  • Set the destination address as the VIP object
    config firewall policy
      edit <policy ID for deny>
        set dstaddr "VIP object"
    end



Central DNAT and VIPs
• Enabling central NAT changes the DNAT configuration

Central NAT Enabled      Steps to Configure
Destination NAT (VIP)    Define DNAT & Virtual IPs (no additional configuration required)

• As soon as a VIP is created, a rule is created in the kernel to allow DNAT to occur
• Firewall policy destination address—all or mapped IP of VIP
• VIP cannot be selected in the firewall policy as the destination address
• You can exclude a VIP by changing the status of the VIP to disable from the CLI, to easily manage VIPs when central NAT is enabled (NEW option):
  # config firewall vip
    edit "name_of_the_VIP"
      set status disable
    next
  end
Carrier-grade NAT
NEW feature/slide
• You can control concurrent TCP and UDP connections through a connection quota in the per-IP shaper (Policy & Objects > Traffic Shaping)
• You can control the port quota in the fixed port range IP pool (Policy & Objects > IP Pools)
• Use the configured IP pool in the firewall policy

You can use carrier-grade NAT options to overcome NAT port exhaustion



FortiGate Security

Firewall Authentication

No significant changes

FortiGate Security

Logging and Monitoring

FortiAnalyzer and FortiManager Log Storage
Log & Report > Log Settings
• FortiGate can send logs to both FortiAnalyzer and FortiManager (FortiGate must be a registered device)
• Can configure up to three separate FortiAnalyzer and FortiManager devices or one cloud FortiAnalyzer instance using the CLI
• Multiple devices may be needed for redundancy
• Generating and sending logs requires resources—be aware!

Diagram: FortiGate registers with FortiAnalyzer/FortiManager

New
  # config log [fortianalyzer | fortianalyzer-cloud | fortianalyzer2 | fortianalyzer3] setting
    set status enable
    set server <server_IP>
  end
Commands not cumulative



Log Filtering
• Configure log filter settings to determine which logs are recorded
• Configure up to four remote syslog or FortiSIEM logging servers:
  # config log [syslogd | syslogd2 | syslogd3 | syslogd4] filter
• Configure up to three FortiAnalyzer or FortiManager devices or one cloud FortiAnalyzer instance (New):
  # config log [fortianalyzer | fortianalyzer-cloud | fortianalyzer2 | fortianalyzer3] filter
• Filters include:
  • Severity <level>
  • Forward traffic [enable/disable]
  • Local traffic [enable/disable]
  • Multicast traffic [enable/disable]
  • Sniffer traffic [enable/disable]
  • Anomaly [enable/disable]
  • VOIP [enable/disable]
  • DLP archive [enable/disable]
  • GTP [enable/disable]
  • Filter [string]
  • Filter type [include | exclude]



FortiGate Security

Certificate Operations

Full SSL Inspection on Inbound Traffic—Part 2
New—multiple certificates in one profile
• The inspection profile allows multiple certificates to be defined in one profile for multiple servers
• FortiGate acts similar to the way it would if the connection targeted one server; however, the connection hits a shared external IP address
• Certificate selection for a particular server is based on the SNI in each request, compared against the CN on the certificate
• If there is no matching SNI, FortiGate selects the first certificate on the list

Diagram: clients request https://www.aaa.com (SNI: www.aaa.com), https://www.bbb.com (SNI: www.bbb.com) and https://www.ccc.com (SNI: www.ccc.com), all at the shared IP 172.16.1.1; FortiGate selects the CA-signed certificate for Server 1, Server 2 or Server 3 accordingly

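The SNI-to-CN selection described on this slide, as an added example that is not FortiGate code: it builds a minimal TLS ClientHello (constructed test input), extracts the server_name extension, and picks the certificate whose CN matches, falling back to the first certificate in the profile when there is no SNI or no match. The ServerCert record, the PROFILE list and all function names are assumptions made for this demo.

```python
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServerCert:
    cn: str      # subject Common Name, the field the slide compares against SNI
    label: str   # which origin server it belongs to (constructed label)


# Constructed inspection profile: three certificates behind the shared IP 172.16.1.1
PROFILE = [
    ServerCert("www.aaa.com", "Server 1"),
    ServerCert("www.bbb.com", "Server 2"),
    ServerCert("www.ccc.com", "Server 3"),
]


def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input).
    Only the fields the parser below walks are populated."""
    body = b"\x03\x03" + bytes(32)                 # client_version + random
    body += b"\x00"                                 # empty session id
    body += struct.pack(">H", 2) + b"\x13\x01"      # one cipher suite
    body += b"\x01\x00"                             # compression: null only
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(host)) + host        # name_type 0 = host_name
        name_list = struct.pack(">H", len(entry)) + entry
        extensions += struct.pack(">HH", 0x0000, len(name_list)) + name_list  # server_name ext
    body += struct.pack(">H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk the ClientHello and return the host_name from the server_name
    extension, or None when the record has no SNI or is malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                   # record hdr + hs hdr + version + random
        pos += 1 + record[pos]                             # session id
        pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]   # cipher suites
        pos += 1 + record[pos]                             # compression methods
        if pos >= len(record):
            return None                                    # no extensions block at all
        ext_end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:
                list_len = struct.unpack(">H", record[pos:pos + 2])[0]
                q = pos + 2
                while q + 3 <= pos + 2 + list_len:
                    name_type = record[q]
                    name_len = struct.unpack(">H", record[q + 1:q + 3])[0]
                    if name_type == 0:
                        return record[q + 3:q + 3 + name_len].decode("ascii")
                    q += 3 + name_len
                return None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def select_certificate(record: bytes, profile: list) -> tuple:
    """Pick the certificate whose CN equals the SNI (DNS names are case-insensitive);
    with no SNI or no match, fall back to the first certificate, as the slide states."""
    sni = extract_sni(record)
    if sni is not None:
        for cert in profile:
            if cert.cn.lower() == sni.lower():
                return cert, "sni-match"
    return profile[0], "fallback-first"
```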


FortiGate Security

Web Filtering

Video Filter Profile
New security filter—video filter
• Control YouTube content access:
  • To allow, monitor, or block based on category
  • To allow, monitor, or block access to channels
  • To set restriction levels
• Separate FortiGuard license for video filtering
• Supported only on proxy-based firewall policy
• Requires full SSL inspection
• Requires a YouTube API key
• Filter videos in two methods:
  • FortiGuard categories
  • Channel ID



YouTube API Key
• Access the Google developer console (YouTube needs an active project created on a Google developer account)
• Obtain a YouTube API key:
  • Create a new project
  • Enable YouTube Data API v3 (YouTube Data API v3 is accessible through the APIs and services library)
  • Create a credential
  • Copy the API key
• Enable the YouTube key on the CLI
• You can add multiple YouTube API keys

New CLI configuration to use the YouTube video filter:
  config videofilter youtube-key
    edit 1
      set key "youtube_api_key"
    next
  end



Video Filter Profile—FortiGuard Categories
Security Profiles > Video Filter
New security profiles on the GUI to configure video filter categories
• FortiGuard categories for video filtering are based on universal classification:
  • Combine popular online video provider categories
• FortiGuard video categories:
  • Applicable to videos from YouTube, Vimeo, Dailymotion
  • Require the API to determine the category and match it on the video filter
• Security action determines the flow of security checks:
  • If set to allow, the rest of the video filter profile takes effect
  • If set to monitor or block, the remaining instructions are bypassed
Set the action to allow, monitor, or block videos based on FortiGuard category
11 local universal categories are available to match with the API-determined value when accessing the content



Video Filter Profile—YouTube
Security Profiles > Video Filter
Set Moderate or Strict access to YouTube
New channel override list: you can Allow, Monitor, or Block access to specific YouTube channel IDs with specific security actions
Accessing the channel while on YouTube is blocked as configured in the video filter profile
You will see a replacement message if you access a blocked channel directly using the URL



DNS-Based Web Filtering
• Uses FortiGuard SDNS ratings of DNS queries to decide access
• FortiGate must use the FortiGuard SDNS service for DNS lookups
• DNS queries are redirected to the FortiGuard SDNS server
• Lightweight
• Lacks the precision of HTTP filtering
• SSL inspection available (the DNS filter now inspects encrypted DNS queries):
  • DNS over TLS (DoT)
  • DNS over HTTPS (DoH)
• Cannot inspect a URL, only a host name
  • DNS resolves the host name
  • Supports URL filtering and FortiGuard category only



File Filter
Security Profiles > File Filter
New security filter—file filter is now a separate profile
New—more protocols to inspect as part of the file filter
• File filter profile to inspect files over HTTP and other protocols:
  • Supports most of the protocols in flow-based profiles
  • Proxy-based additionally covers MAPI and SSH
• Create rules to block or monitor files based on file type
• Choose which direction of traffic:
  • Incoming
  • Outgoing
  • Both
• Specify file types in one rule or more—depends on the traffic direction and security action needed
You can create one rule or more to control the file filter based on protocols, traffic direction, and file types
Each rule has an action of Monitor or Block



FortiGuard Connection
• FortiGuard category filtering requires a live connection
• Weight calculation: default = (difference in time zone) x 10
  • Goes down over time (never below default)
  • Goes up if FortiGuard requests are lost

FortiGate-VM64 # diagnose debug rating
Locale : english
Service : Web-filter
Status : Enable
License : Contract
Num. of servers : 1
Protocol : https
Port : 443
Anycast : Enable
Default servers : Included

-=- Server List (Wed Apr 21 13:59:43 2021) -=-

IP              Weight  RTT  Flags  TZ  FortiGuard-requests  Curr Lost  Total Lost  Updated Time
173.243.140.16  -72     101  DI     0   36                   0          0           Wed Apr 21 13:58:13 2021

New—previously this column was referred to as number of packets. It is now referred to as number of requests.



FortiGate Security

Application Control

No significant changes

FortiGate Security

Antivirus

Antivirus Scanning Techniques
• Antivirus scan:
  • Detects and eliminates malware in real time
  • Stops threats from spreading
  • Preserves the client reputation of your public IP
• Grayware scan:
  • Uses grayware signatures
  • Detects and blocks unsolicited programs
  • Antivirus actions apply
• Machine learning (AI) scan:
  • Machine learning training model
  • Trained by FortiGuard Labs
  • Malware detection model
  • To detect Windows Portable Executables (PEs)
  • Mitigation process for zero-day attacks
  • CLI command to enable:
    config antivirus settings
      set machine-learning-detection {enable | monitor | disable}
    end
  • Set status to enable, monitor, or disable

Order of scan:
1 Antivirus Scan
2 Grayware Scan
3 AI Scan (optional; must be enabled in the CLI)

New—renamed heuristics scan to AI scanning, with only one CLI command to enable or to monitor



Sandboxing
Security Fabric > Fabric Connectors
• FortiSandbox detects zero-day attacks with high certainty:
  • FortiGate uploads files to FortiSandbox Cloud or a FortiSandbox appliance
  • Two types of cloud sandboxing:
    • FortiGate Cloud: You must activate a FortiCloud account
    • FortiSandbox Cloud: You will require an entitlement license embedded in FortiGate
  • Uploaded files are executed in an isolated environment (VMs)
  • FortiSandbox examines the effects of the software to detect new malware
• You can configure FortiGate to receive a signature database from FortiSandbox Cloud or a FortiSandbox appliance to supplement the FortiGuard database

New—FortiSandbox appliance and FortiGate Cloud are now configured separately.
You need to enable the FortiSandbox cloud option on the CLI under system global with the command set gui-fortigate-cloud-sandbox enable



Proxy Inspection Mode
• Uses extended or extreme antivirus database
• Buffers the whole file
• Antivirus engine starts scanning after the end of the file is detected
• Files bigger than buffer size are not scanned—can configure to pass or block
• Packets sent to the client after scan finishes—client must wait
• Highest perceived latency
• Provides granularity over performance
• Weighted towards being more thorough and easily configurable
• Displays a block message immediately if a virus is detected
• Stream-based scanning supports FTP, SFTP, and SCP
• Optimizes memory utilization for large archive files by decompressing and scanning them on the fly
• Viruses are detected even if they are in the middle or end of the large files

New—stream-based inspection for large archive files, to inspect while uncompressing at the same time



FortiGate Security

Intrusion Prevention and Denial of Service

FortiGuard IPS Updates
System > FortiGuard
• IPS packages are updated by FortiGuard:
  • IPS signature databases
  • Protocol decoders
  • IPS engine
• Regular updates are required to ensure IPS remains effective
• The default update setting is automatic, and the update interval is calculated based on the model and percentage of valid subscriptions
• The Botnet IPs and Botnet Domains subscription is part of a FortiGuard IPS license
NEW
Behavior change



IPS Signature Filter Options—Hold Time
NEW option
• IPS signature filter options include hold time
• Allows you to set the amount of time that signatures are held after a FortiGuard IPS signature update, per VDOM
• The signature mode is monitor
• New signatures are enabled after the hold time, to avoid false positives
• The hold time can be from 0 days and 0 hours (default) up to 7 days
• To configure the amount of time to hold and monitor IPS signatures:
  # config system ips
    set signature-hold-time 3d12h
    set override-signature-hold-by-id enable
  end
• When a signature that is on hold is matched, the log includes the message "signature is on hold":
date=2021-04-06 time=00:00:57 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" eventtime=1278399657778481842 tz="-0700" severity="info" srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 srcintf="port13" srcintfrole="undefined" dstintf="port14" dstintfrole="undefined" sessionid=3620 action="detected" proto=6 service="HTTP" policyid=1 attack="Eicar.Virus.Test.File" srcport=52170 dstport=80 hostname="172.16.200.55" url="/virus/eicar" direction="incoming" attackid=29844 profile="test" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=25165825 msg="file_transfer: Eicar.Virus.Test.File, (signature is on hold)"



IPS Signature Filter Options—CVE Pattern
NEW option
• IPS signature filter options include CVE pattern
• Allows you to filter IPS signatures based on CVE IDs or with a CVE wildcard
• For example, to configure CVE patterns for CVE-2010-0177:
  # config ips sensor
    edit "cve"
      set comment "cve"
      config entries
        edit 1
          set cve "cve-2010-0177"
          set status enable
          set log-packet enable
          set action block
        next
      end
    next
  end
• For example, the CVE of the IPS signature Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution is CVE-2010-0177
• This matches the CVE filter in the IPS sensor, so traffic is blocked and logged:
date=2021-04-13 time=15:44:56 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" eventtime=1594593896666145871 tz="-0700" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=1638 action="dropped" proto=6 service="HTTPS" policyid=1 attack="Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution" srcport=58298 dstport=443 hostname="172.16.200.55" url="/Mozilla" direction="incoming" attackid=20853 profile="sensor-1" ref="http://www.fortinet.com/ids/VID20853" incidentserialno=124780667 msg="web_client: Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution," crscore=50 craction=4096 crlevel="critical"

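An added example (not Fortinet code) that covers both the hold-time slide and this CVE-pattern slide: it parses FortiOS key=value IPS log lines into fields, flags events whose msg carries "(signature is on hold)" (these are logged but not enforced, so they are worth reviewing before the hold expires), and checks a signature's CVE against a CVE filter pattern in the way the sensor entry above does. The sample log lines are reconstructed and trimmed from the two slides; the SIGNATURE_CVES mapping and the glob-style wildcard semantics are assumptions for this demo.

```python
import re
from fnmatch import fnmatchcase

# Reconstructed from the two slides, trimmed to the fields this logic uses.
SAMPLE_LOGS = [
    'date=2021-04-06 time=00:00:57 logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" vd="vd1" severity="info" srcip=10.1.100.22 '
    'dstip=172.16.200.55 action="detected" proto=6 service="HTTP" policyid=1 '
    'attack="Eicar.Virus.Test.File" attackid=29844 profile="test" '
    'msg="file_transfer: Eicar.Virus.Test.File, (signature is on hold)"',
    'date=2021-04-13 time=15:44:56 logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" vd="vd1" severity="critical" srcip=10.1.100.22 '
    'dstip=172.16.200.55 action="dropped" proto=6 service="HTTPS" policyid=1 '
    'attack="Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution" attackid=20853 '
    'profile="sensor-1" msg="web_client: Mozilla.Firefox.PluginArray.NsMimeType.Code.Execution," '
    'crscore=50 craction=4096 crlevel="critical"',
]

# key=value or key="quoted value"; quoted values may contain spaces and commas
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_log(line: str) -> dict:
    """Turn a FortiOS key=value log line into a dict, with quotes stripped."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def cve_pattern_matches(pattern: str, cve_id: str) -> bool:
    """Case-insensitive match of a CVE filter pattern against one CVE ID.
    A '*' wildcard is assumed to behave like shell globbing, e.g. cve-2010-*."""
    return fnmatchcase(cve_id.lower(), pattern.lower())


# Assumed lookup: the slide states only that signature 20853 is CVE-2010-0177.
SIGNATURE_CVES = {"20853": ["CVE-2010-0177"]}


def classify_ips_event(line: str, cve_filter: str = "cve-2010-0177") -> dict:
    """Classify one IPS signature event: was the signature on hold (monitor only),
    and does its CVE hit the sensor's CVE filter pattern?"""
    ev = parse_fortios_log(line)
    if ev.get("subtype") != "ips" or ev.get("eventtype") != "signature":
        return {"relevant": False}
    on_hold = "(signature is on hold)" in ev.get("msg", "")
    cves = SIGNATURE_CVES.get(ev.get("attackid", ""), [])
    return {
        "relevant": True,
        "attack": ev.get("attack"),
        "action": ev.get("action"),
        "on_hold": on_hold,
        "cve_filter_hit": any(cve_pattern_matches(cve_filter, c) for c in cves),
        # a held signature only reports; flag it so the hold can be reviewed before it expires
        "needs_review": on_hold and ev.get("action") == "detected",
    }


def summarize(lines) -> dict:
    """Count held-but-detected and dropped IPS events across a batch of log lines."""
    held = dropped = 0
    for line in lines:
        result = classify_ips_event(line)
        if not result["relevant"]:
            continue
        held += result["needs_review"]
        dropped += result["action"] == "dropped"
    return {"held_detections": held, "dropped": dropped}
```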


FortiGate Security

SSL VPN

Comparing SSL VPN and IPsec VPN

                  SSL VPN                                      IPsec VPN
Tunnel type:      • HTTPS tunnel                               • IPsec tunnel
                    o SSL/TLS layer                              o ESP layer
Can be between:   • Browser and FortiGate                      • FortiClient and FortiGate
                  • FortiClient and FortiGate                  • FortiGate and FortiGate
                  • FortiGate (SSL Client) and FortiGate       • FortiGate and compatible third-party IPsec VPN gateway
                    (SSL Server) (New feature)                 • FortiGate and compatible third-party IPsec VPN clients
Log in through:   • HTTPS web page on FortiGate                • IPsec client
                  • FortiClient                                  o Site-to-site doesn't require IPsec client
                    o fortissl virtual adapter
                  • FortiGate (SSL Client)



Tunnel Mode—FortiGate as Client
New feature
• Connect to the server FortiGate device as an SSL VPN client
• Uses the SSL VPN Tunnel interface type
• Devices connected to the client FortiGate device can access the resources behind the server FortiGate
• The tunnel is established between two FortiGate devices
• Hub-and-spoke topology
• The client FortiGate dynamically adds routes to the remote subnets
• Assigns a virtual IP address to the client FortiGate device from a pool of reserved addresses
• Advantage:
  • Any IP network application on user machines connected to the client FortiGate device can send traffic through the tunnel
  • Useful to avoid issues caused by intermediate devices, such as:
    • ESP packets being blocked.
    • UDP ports 500 or 4500 being blocked.
    • Fragments being dropped, causing IKE negotiation that uses large certificates to fail if the peer does not support IKE fragmentation.
• Disadvantage:
  • Requires a proper CA certificate on the SSL VPN server FortiGate
  • The SSL VPN client FortiGate user uses a PSK and a PKI client certificate to authenticate



Tunnel Mode—FortiGate as Client
New feature
1. SSL VPN client FortiGate initiates the connection to the SSL VPN server FortiGate
2. SSL VPN client FortiGate uses a PSK (local user account) and PKI client certificate to authenticate
3. The virtual SSL VPN tunnel interface creates the tunnel
  • IP address assigned from the SSL VPN server FortiGate
  • Route is added to the client to access subnets on the remote FortiGate
4. User's devices access resources through an encrypted tunnel (SSL/TLS)

Diagram: the Branch Office/Home FortiGate (SSL-VPN Client) connects over the SSL VPN Tunnel to the HQ/Company FortiGate (SSL-VPN Server); the user's devices sit behind the client and the remote resources behind the server
Tunnel Mode—Split Tunneling
• Disabled:
  • All traffic routes through an SSL VPN tunnel to the remote FortiGate, then to the destination. This includes internet traffic
  • An egress firewall policy is required
  • Traffic inspection and security features can be applied
• Enabled:
  • Only traffic destined for the private network is routed through the remote FortiGate
  • Internet traffic uses the local gateway; unencrypted route
  • Conserves bandwidth and alleviates bottlenecks

Added new notes to explain split tunnel behaviour in FortiGate client mode

Diagram: SSL VPN Tunnel with split tunneling enabled versus split tunneling disabled


Configuring SSL VPN—FortiGate as Client
New feature
• SSL VPN Server FortiGate
  1. Set up user accounts and groups for remote SSL VPN users
    • Create two accounts: local/remote and PKI
    • Require clients to authenticate using their certificates as well as username and password
  2. Configure SSL VPN portals
  3. Configure SSL VPN settings
    • Authentication rules include both accounts (configured using the CLI)
  4. Create a firewall policy to and from the SSL VPN interface
  5. Create a firewall policy to allow SSL VPN traffic to the internet (optional)

User & Authentication > User Definition
User & Authentication > PKI
Use the CLI to create the first PKI user to get the PKI menu on the GUI:
  config user peer
    edit pki
      set ca "CA_Cert_1"
      set cn "FGVM01TM905"
  end



Configuring SSL VPN—FortiGate as Client
New feature
• SSL VPN Client FortiGate
  1. Create a PKI user
    • Select the CA certificate that allows the FortiGate to complete the certificate chain and verify the server's certificate
  2. Create the SSL VPN tunnel interface using the ssl.<vdom> interface
  3. Create and configure the SSL VPN client settings on VPN > SSL-VPN Clients
  4. Create a firewall policy from the internal interface to the SSL VPN interface

Network > Interface > Create New: Interface Name; Type: ssl.<vdom_name> (virtual SSL interface)
VPN > SSL-VPN Clients > Create New: Client Name; Interface; server FortiGate IP address and name; SSL port (select the port to reach the server FortiGate); local and PKI user details, including the local certificate to identify this client; dynamic route priority and distance settings



FortiGate Infrastructure

Routing

No significant changes

FortiGate Infrastructure

SD-WAN Local Breakout

Lesson name change

SD-WAN Configuration
• Specify at least two member interfaces and their associated gateways
• Interfaces should not be referenced by any other configuration element (for example, routes or policies)
• Supports aggregate, VLAN, and IPsec interfaces
• An implicit rule is automatically generated for balancing the traffic

Network > SD-WAN > SD-WAN Zones: SD-WAN zone and its member interfaces
Network > SD-WAN > SD-WAN Rules



SD-WAN Zones
• You can divide SD-WAN members in zones
• You can create multiple zones
• SD-WAN zones can be used in firewall policies as source or destination interface
• SD-WAN individual members cannot be used in policy
• SD-WAN zones are included in the Security Fabric topology view

Default Zone



Configuring SD-WAN Zones and SD-WAN Members
Network > SD-WAN > SD-WAN Zones
Must configure an interface, a zone, and a gateway
The SD-WAN member field is optional; you can add SD-WAN members later as well



Creating Routes and Firewall Policy
Network > Interfaces: the SD-WAN virtual interface is automatically created
Network > Static Routes: must configure static routes using this virtual interface
Policy & Objects > Firewall Policy: use SD-WAN zones



Performance SLA—Link Health Monitor
Network > SD-WAN > Performance SLA
• You can use up to two servers to test the quality of a link
• You can specify which SD-WAN member(s) this performance SLA applies to
• You can select a detection mode for measuring link quality based on active, passive, and prefer passive methods
• Use an IP address or FQDN of a server located beyond the ISP gateway
• When disabled, FortiGate will stop sending out probe packets
• These protocols are available through the CLI:
  ping         PING link monitor
  http         HTTP-GET link monitor
  tcp-echo     TCP echo link monitor
  udp-echo     UDP echo link monitor
  TWAMP        Two-Way Active Measurement Protocol
  DNS          DNS link monitor
  tcp-connect  Full TCP connection link monitor
  ftp          FTP link monitor



FortiGate Infrastructure

Virtual Domains (VDOMs)

Split-Task VDOM
Global > Physical Topology: click Global > Physical Topology to see the root FortiGate and all downstream FortiGate devices in the same Security Fabric
root > Physical Topology: click root > Physical Topology to see the root FortiGate and the downstream FortiGate devices connected to the root VDOM
FG-traffic > Physical Topology: click FG-traffic > Physical Topology to see the root FortiGate and all downstream FortiGate devices connected to the current VDOM



Multi-VDOM in the Security Fabric
Global > Security Fabric > Logical Topology
root and VDOM1 VDOMs in multi-VDOM mode



Security Ratings in Multi-VDOM Mode
Global > Security Fabric > Security Rating
Security rating details for each VDOM in multi-VDOM mode



FortiGate Infrastructure

Layer 2 Switching

Virtual Wire Pair Policies
New
Policy & Objects > Firewall Virtual Wire Pair Policy
Select the VWPs to include in the policy
Select the traffic direction for the policy



FortiGate Infrastructure

IPsec VPN

What Is the IPsec Protocol?
• Multiple protocols that work together
• Authentication Header (AH) provides integrity but not encryption
  • AH is defined in the RFC, but it is not used by FortiGate
• Port numbers and encapsulation vary by network address translation (NAT)

Protocol            NAT                                  No NAT
IKE                 IP protocol 17: UDP port 500         IP protocol 17: UDP port 500
RFC 2409 (IKEv1)    (UDP 4500 for rekey, quick mode,
RFC 4306 (IKEv2)    mode-cfg)
ESP                 IP protocol 17: UDP port 4500        IP protocol 50
RFC 4303

• Some ISPs block UDP port 500, preventing an IPsec VPN from being established
• IKE and IKE NAT-T ports can be changed using the CLI command (New: use the CLI command to configure custom ports for IKE and IKE NAT-T):
  config system settings
    set ike-port <integer>
    set ike-natt-port <integer>
  end



IPsec Lab—Exercise 2
• Students need to restore the local FortiGate configs after exercise 1 (Dialup)
• This is due to a static routing issue when changing from Dialup (exercise 1) to Static IP Address (exercise 2) in the Remote Gateway field in phase 1
• The workaround is to reboot, but students will restore the config in order to fulfill the reboot requirement
• All the steps for the config restore have been added at the beginning of exercise 2 in the lab guide



FortiGate Infrastructure

Fortinet Single Sign-On (FSSO)


No significant changes

FortiGate Infrastructure

High Availability (HA)

Failover Protection Types
• Device failover
  • If the primary stops sending heartbeat packets, another FortiGate automatically takes its place
• Link failover
  • The cluster can monitor some interfaces to determine if they are operating and connected
  • If a monitored interface on the primary fails, the cluster elects a new primary
• Session failover
  • When session pickup is enabled, the newly elected primary resumes active sessions, avoiding the need to restart active sessions
• Memory utilization failover (New)
  • When configured, an HA failover can be triggered when memory utilization exceeds the threshold for a specific amount of time
• Event logs, SNMP traps, and alert email record failover events



HA Lab—Console output message
• The following console output can be observed after forming HA between the primary and the secondary
• Workaround = Ctrl + C
• Mantis 0704861
• Cosmetic issue: no impact to any exercises



FortiGate Infrastructure

Diagnostics

What Happens During Conserve Mode?
• System configuration cannot be changed
• FortiGate skips quarantine actions (including FortiSandbox analysis)
• For packets that require any inspection by the IPS engine:
  config ips global
    set fail-open [enable|disable]
  end
  • enable: Packets can still be transmitted without IPS scanning while in conserve mode
  • disable: Packets are dropped for new incoming sessions, but FortiGate tries to make the existing sessions work the same as in non-conserve mode

New and updated—fail-open settings are not only for conserve mode but also for high CPU issues.
When enabled, there is no IPS scanning; when disabled, existing sessions work the same as in non-conserve mode
