Fortigate – Network Interview (https://networkinterview.com)

NGFWs: Juniper SRX Firewall vs Fortinet Firewall
https://networkinterview.com/juniper-srx-firewall-vs-fortinet-firewall/
Mon, 16 Jun 2025 11:18:19 +0000

Firewalls are the backbone of every network, and they have come a long way from traditional packet-filtering firewalls to next-generation firewalls (NGFWs), which combine conventional firewalling with deep packet inspection, intrusion prevention (IPS), TLS-based encryption, website filtering, QoS/bandwidth management, malware inspection and more.

Today we look in more detail at next-generation firewalls from Juniper (SRX) and Fortinet, their features, and how they differ from each other.

Juniper SRX Firewall

Juniper SRX is a single appliance that combines NGFW functionality, unified threat management (UTM), and secure switching and routing. SRX firewalls provide network-wide threat visibility.

Introduction to Juniper SRX Firewall

  • It provides NGFW capabilities such as full packet inspection, application awareness, and UTM.
  • It has built-in intrusion prevention that understands application behaviour and weaknesses.
  • It defends the network from viruses, phishing attacks, malware, and intrusions.
  • Adaptive threat intelligence uses Spotlight Secure to consolidate threat feeds from various sources and deliver actionable intelligence to the SRX gateway.
  • It combines the roles of router and firewall in one appliance, with switching capabilities.
  • Juniper uses the Junos Services Redundancy Protocol (JSRP) to pair two SRX gateways for high availability.

Fortinet Firewall

Fortinet NGFWs operate at high speed and inspect encrypted traffic, identifying, isolating, and defusing live threats. Fortinet also provides web filtering, sandboxing, anti-virus, and intrusion prevention system (IPS) capabilities, and performs high-speed secure sockets layer (SSL) / transport layer security (TLS) inspection. Policies are enforced consistently through central policy and device management, with zero-touch deployment.

What is common between Juniper SRX firewall and Fortinet Firewall?

  • Secure routing: traffic is inspected to determine whether it is legitimate before being forwarded across the network.

Comparison: Juniper SRX firewall vs Fortinet Firewall

Architecture
  • Juniper SRX Firewall: Modular architecture built on the Junos operating system, which is used across Juniper devices for a consistent and scalable platform.
  • Fortinet Firewall: Proprietary operating system, FortiOS, which integrates a range of security features into a single platform.

Security Features
  • Juniper SRX Firewall: Advanced threat protection (ATP), intrusion prevention system (IPS), VPN, and unified threat management (UTM) capabilities.
  • Fortinet Firewall: Consolidation of multiple security capabilities into a single device, primarily unified threat management (UTM), plus antivirus, antispam, web filtering and application control. Proactive security measures such as threat intelligence and analytics.

Performance
  • Juniper SRX Firewall: High-performance hardware meant for demanding enterprise environments; scales to handle network traffic load and security demands.
  • Fortinet Firewall: High-performance firewalls in terms of throughput and latency; focus on consolidating security functions to optimize performance and ease of management.

User Interface
  • Juniper SRX Firewall: Managed through the Junos Space platform, valued for its simplicity and ease of use; intuitive interface for administrators.
  • Fortinet Firewall: User-friendly interface plus the FortiManager central management system for centralized control of devices; visualizations and dashboards for network monitoring and security events.

Scalability
  • Juniper SRX Firewall: Emphasis on scalability; suited to both small and large enterprises. Modular architecture allows functionality to be added as the network grows.
  • Fortinet Firewall: Designed with scalability in mind, with appliances for all network sizes; consolidating multiple security functions into a single device also aids scaling.

Configuration Mode
  • Juniper SRX Firewall: Uses a configuration commit model: changes can be staged and committed later as desired.
  • Fortinet Firewall: Uses a configuration tree; changes are committed when you exit the branch of the tree being configured.

Commit Rollback Feature
  • Juniper SRX Firewall: Supports rollback of a commit to a pre-existing state.
  • Fortinet Firewall: Does not support commit rollback.

IPv6 Support
  • Juniper SRX Firewall: Better support for IPv6 and the routing-based feature DVMRP.
  • Fortinet Firewall: IPv6 is supported along with related features such as DHCPv6.

SSL VPN Support
  • Juniper SRX Firewall: Requires purchasing a separate appliance for SSL VPN termination.
  • Fortinet Firewall: Supports SSL VPN on the appliance itself.

Integral Wireless Controller
  • Juniper SRX Firewall: Supports wireless LAN control on large branch models or bigger appliances, with a limited AP count.
  • Fortinet Firewall: All FortiGate (FGT) models include some form of integral WLC, with limited AP support and wireless tunnelling.

Shell Access
  • Juniper SRX Firewall: Supports a Unix shell.
  • Fortinet Firewall: Does not support a Unix shell.

Security Policies
  • Juniper SRX Firewall: Uses the concept of zones; policies are built from one zone to another.
  • Fortinet Firewall: Uses port-based policies, built from one port (interface) to another.

FortiAnalyzer vs Panorama: Detailed Comparison
https://networkinterview.com/fortianalyzer-vs-panorama/
Mon, 16 Jun 2025 07:04:35 +0000

Centralized management and analysis of network devices is one of the vital requirements of enterprise networks. Monitoring each network component individually in a large network brings a lot of overhead in terms of skills, resources and expertise, and is not viable once devices number in the hundreds or thousands. Centralized management reduces complexity by simplifying the configuration, deployment, and management of network security products.

Today we compare FortiAnalyzer and Panorama in more detail: their purpose, capabilities, and key differences.

What is FortiAnalyzer?

FortiAnalyzer is a centralized network security management solution with logging and reporting capabilities for Fortinet devices in the Security Fabric. It performs functions such as viewing and filtering individual event logs, generating security reports, managing event logs, alerting on suspicious behaviour, and investigating activity via its drill-down feature.


FortiAnalyzer can orchestrate security tools, people, and processes for streamlined execution, incident analysis and response. It can automate workflows and trigger actions with playbooks, connectors, and event handlers, responding in real time to network security attacks, vulnerabilities, and warnings of suspected compromise.

What is Panorama?

Palo Alto Panorama is a centralized management platform that provides insight into network-wide traffic logs and threats. It reduces complexity by simplifying the configuration, management, and deployment of Palo Alto Networks security devices. Panorama provides a graphical summary of the applications on the network, their users, and the potential security impact.


You can deploy enterprise-wide policies alongside local policies for flexibility. Appropriate levels of administrative control can be delegated at the device level, and role-based access management is available, as are central log analysis, investigation, and reporting on network traffic, security incidents and notifications.

Comparison: FortiAnalyzer vs Panorama

Deployment
  • FortiAnalyzer: Deployed as a hardware appliance or a physical device in on-premises environments.
  • Panorama: Deployed as a virtual appliance on premises or as a cloud-based solution.

Compatibility
  • FortiAnalyzer: Provides multi-vendor support with broader compatibility for devices from different vendors. It can collect and analyze logs from network devices such as firewalls, routers and switches from diverse manufacturers.
  • Panorama: Focused mainly on Palo Alto Networks devices, for which it offers more extensive features and integrations; however, it does offer multi-vendor support.

Reporting and Analytics
  • FortiAnalyzer: Robust reporting and analytical capabilities including real-time monitoring dashboards, log searching, and historical reports, with built-in threat intelligence and event correlation.
  • Panorama: Advanced analytics, reporting, and troubleshooting functionality with custom reporting templates and visualization of network traffic, including detailed user and application analysis.

Management and Scalability
  • FortiAnalyzer: Ideal for small and medium-sized networks.
  • Panorama: Ideal for large, distributed, complex networks, with centralized management of multiple firewalls and network devices.

Security Ecosystem Integration
  • FortiAnalyzer: Integrates with the Fortinet security ecosystem, with seamless sharing of threat intelligence and security policies across Fortinet devices.
  • Panorama: Integrates with the Palo Alto Networks security ecosystem to provide enhanced visibility and control over Palo Alto Networks security products.

Functionality
  • FortiAnalyzer: A central logging device for Fortinet devices. It stores all traffic the network devices are configured to send, up to the maximum disk space on the unit.
  • Panorama: Effectively FortiManager and FortiAnalyzer combined. It can be dedicated to logging (as a Log Collector), but in a simple setup it fills both roles.

How to configure IPS on FortiGate firewall
https://networkinterview.com/how-to-configure-ips-on-fortigate-firewall/
Thu, 29 May 2025 13:17:17 +0000

To configure IPS on a FortiGate firewall, enable an IPS sensor in the relevant security policy. Then, apply or customize the sensor under Security Profiles > Intrusion Prevention.

Intrusion prevention systems (IPS) protect networks and the hosts within them by detecting and blocking network-based attacks. IPS sensors can be built from IPS signatures, IPS patterns and IPS filters. Many vendors sell IPS as separate hardware or software; however, some high-end firewall vendors bundle IPS capability into the firewall itself, making it a complete threat management solution.

In today's topic we will learn how to configure intrusion prevention (IPS) on a FortiGate firewall.

What is FortiGate Firewall IPS

FortiGate intrusion prevention is designed to provide real-time threat protection for networks. It uses signature-based and anomaly-based detection techniques to detect and prevent security threats. FortiGate applies intrusion prevention in one of three operational modes. Each mode has its own benefits and limitations, and the choice depends on where the FortiGate is placed.

  • L3 (NAT/route mode): In this mode the FortiGate sits in an L3 network where traffic is routed. IP addresses are configured statically or dynamically on each interface. MAC-based policies can be used as the IPS policy source address in NAT/route mode.
  • Virtual wire mode: In this mode the FortiGate is deployed between two network segments. It operates like a virtual wire and does not perform routing or NAT.
  • Transparent mode: In this mode the FortiGate acts like a bridge. All interfaces in the same VDOM are in the same L2 forwarding domain.

Configuring IPS on FortiGate Firewall

To configure IPS on a FortiGate firewall, follow the steps below.

Step 1

Choose Endpoint Policy > Infranet Enforcer.

Step 2

Click New Infranet Enforcer and select FortiGate Firewall as the platform from the drop-down, then:

  • Provide the name of the Infranet Enforcer, e.g. 'FortiGate 12D'
  • Enter the FortiGate firewall IP address
  • Enter the shared secret
  • Enter the port number

Step 3

Click Save Changes, then create policies on the FortiGate firewall to enforce the traffic.

A FortiGate IPS sensor is a collection of IPS signatures and filters that defines what the IPS engine scans for when the sensor is applied. An IPS sensor can contain multiple signatures or filters, and custom IPS signatures can also be created and added to a sensor.

Step 4

From the Security Profiles > Intrusion Prevention pane, create a new sensor or view the list of predefined sensors. FortiOS ships with a predefined set of sensors, each with associated signatures:

  • all_default: Filters all predefined signatures and sets the action to each signature's default action.
  • all_default_pass: Filters all predefined signatures and sets the action to monitor/pass.
  • default: Filters all predefined signatures with Critical/High/Medium severity and sets the action to the signature's default action.
  • high_security: Filters all predefined signatures with Critical/High/Medium severity and sets the action to block. Low-severity signatures keep their default action.
  • protect_client: Filters on Target=Client for protection from client-side vulnerabilities, setting the action to the signature's default action.
  • protect_email_server: Filters on Target=Server and Protocol=IMAP, POP3 or SMTP for protection from email server-side vulnerabilities. Sets the action to the signature's default action.
  • protect_http_server: Filters on Target=Server and Protocol=HTTP for protection from HTTP server-side vulnerabilities. Sets the action to the signature's default action.
  • wifi-default: Filters all predefined signatures with Critical/High/Medium severity and sets the action to the signature's default action. Meant for offloading Wi-Fi traffic.

The IPS engine does not examine traffic for every signature by default; it examines traffic only for the signatures referenced in the applied IPS sensors. You therefore need to create an IPS sensor and specify which IPS signatures it will use.

Step 5

To view IPS sensors go to Security Profiles > Intrusion Prevention; to create a new sensor click 'New'.

Step 6

Under IPS Signatures and Filters, click Create New to add a set of IPS signatures or a set of IPS filters.

IPS sensors can be created for specific types of traffic. FortiGuard periodically adds predefined signatures to counter new threats; these are included automatically in any IPS sensor configured with filters, whenever the new signatures match the filter's criteria.

How to Configure Route Leaking Between VRFs FortiGate CLI?
https://networkinterview.com/configure-route-leaking-vrfs-fortigate/
Mon, 21 Oct 2024 14:25:09 +0000

Cloud-hosted workloads require customer traffic to be isolated and routed separately at the logical level while sharing common hardware. Using the virtual routing and forwarding (VRF) technique, multiple routing tables can be created within the same router. VRF divides layer 3 routing functionality, including routes, forwarding tables and interfaces, into separate units. Packet forwarding happens only between interfaces within the same VRF.

In today's topic we will learn how to configure route leaking between VRFs on a FortiGate using the command line interface (CLI).

What is VRF on FortiGate?

Virtual routing and forwarding (VRF) provides virtual router functionality on a physical router. Each VRF operates in isolation and maintains its own routing table, configuration and interfaces; each is a realm of its own, unaware of the others. The FortiGate acts as the guardian that facilitates communication among these isolated VRFs, managing and protecting the pathway between them.

Configuring Route Leaking between VRFs FortiGate CLI   

Routes from a VRF table can be leaked into the global routing table to make communication possible. This scenario requires enabling and configuring a BGP neighbour.

1. Configure VDOM Mode

Step 1:

Set the FortiGate to multi-VDOM mode so that two inter-VDOM links can be created and assigned to separate VRFs. Multi-VDOM mode creates an additional virtual firewall on a single physical box. The inter-VDOM links created here remain in the root VDOM.

config system global
    set vdom-mode multi-vdom
end

2. Subnet Overlapping

Step 2:

By default, FortiGate does not permit duplicate or overlapping networks within the same VDOM, but the two inter-VDOM links need to be on the same subnet, so overlap must be allowed.

config vdom
    edit root
        config system settings
            set allow-subnet-overlap enable
        end
    next
end

3. Configuring Inter-VDOM links

Step 3:

Configure two inter-VDOM links on the same subnet. The links are placed in their respective VRFs using set vrf <0-31>. The link subnet 10.30.0.0/24 used below is an example value.

config vdom
    edit root
        config system interface
            edit "npu1_vlink0"
                set vdom "root"
                set vrf 2
                set ip 10.30.0.1 255.255.255.0
                set allowaccess ping ssh snmp http https
                set type physical
                set snmp-index 11
            next
            edit "npu1_vlink1"
                set vdom "root"
                set vrf 3
                set ip 10.30.0.2 255.255.255.0
                set allowaccess ping ssh snmp telnet http https
                set type physical
                set snmp-index 15
            next
        end
    next
end

Put physical or virtual interfaces into their respective VRFs with the commands below.

config system interface
    edit "wan12"
        set vdom "root"
        set vrf 2
        set ip x.x.x.x 255.255.255.252
    next
    edit "vlan200"
        set vdom "root"
        set vrf 3
        set ip 10.200.0.254 255.255.255.0
    next
end

wan12 is placed in VRF 2 so that the default route can be leaked from VRF 2 into VRF 3, giving vlan200 Internet access.

4. Configuration of Prefix-list

Configure a prefix-list for the routes you intend to leak. Here we leak the source subnet 10.200.0.0/24 from VRF 3 and the default route from VRF 2.

config router prefix-list
    edit "1"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                unset ge
                unset le
            next
        end
    next
    edit "2"
        config rule
            edit 1
                set prefix 10.200.0.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

5. Configuring Route-Map

A route-map identifies the subnets used in VRF leaking by matching them against the prefix-list.

config router route-map
    edit "VRF2Routes"
        config rule
            edit 1
                set match-ip-address "1"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
    edit "VRF3Routes"
        config rule
            edit 1
                set match-ip-address "2"
                unset set-ip-nexthop
                unset set-ip6-nexthop
                unset set-ip6-nexthop-local
                unset set-originator-id
            next
        end
    next
end

6. Configuring Route Leaking

The BGP neighbour is reached through the dmz interface, which is specified with the set update-source command on the neighbour. For VRF leaking to work, any established (up) BGP neighbour is needed.

config router bgp
    set as 65533
    set router-id 2.2.2.2
    config neighbor
        edit "198.168.2.254"
            set remote-as 65534
            set update-source "dmz"
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
    config vrf-leak
        edit "2"
            config target
                edit "1"
                    set route-map "VRF3Routes"
                    set interface "npu1_vlink1"
                next
            end
        next
        edit "1"
            config target
                edit "2"
                    set route-map "VRF2Routes"
                    set interface "npu1_vlink0"
                next
            end
        next
    end
end

7. Configure Firewall Policies

Configure a policy from the physical or VLAN interface to the VDOM link in VRF 3, and then a policy from the VDOM link to the WAN interface in VRF 2.
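As an added example (not part of the original post or of FortiOS), the Python script below parses a constructed config snippet written in the same config/edit/set/next/end syntax as the steps above and audits its vrf-leak block: it verifies that each leak target's route-map and interface exist, reports which VRF the interface belongs to, and lists the exact prefixes the route-map admits, flagging a route-map rule with no match clause as leaking everything. The snippet's objects mirror those above; the single leak direction (VRF 2 to VRF 3 via VRF2Routes) and the absence of IP addresses on the links are simplifications I assumed.

```python
import ipaddress
import shlex

# Constructed FortiOS snippet mirroring the article's objects; not a device export.
# It leaks VRF 2's default route into VRF 3 via npu1_vlink1 (assumed direction).
CONFIG = """
config system interface
    edit "npu1_vlink0"
        set vrf 2
    next
    edit "npu1_vlink1"
        set vrf 3
    next
end
config router prefix-list
    edit "1"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
            next
        end
    next
end
config router route-map
    edit "VRF2Routes"
        config rule
            edit 1
                set match-ip-address "1"
            next
        end
    next
end
config router bgp
    config vrf-leak
        edit "2"
            config target
                edit "3"
                    set route-map "VRF2Routes"
                    set interface "npu1_vlink1"
                next
            end
        next
    end
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI (config/edit/set/unset/next/end) into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = shlex.split(line)
        if keyword in ("config", "edit"):
            # Both open a nested scope keyed by the table or entry name
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "set":
            # One value is stored as a string, several (e.g. "ip addr mask") as a list
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
        # 'unset' restores a default and carries no value, so it is skipped
    return root


def leaked_prefixes(cfg, route_map_name):
    """CIDR prefixes a route-map admits; a rule with no match clause admits 'any'."""
    prefixes = []
    for rule in cfg["router route-map"][route_map_name].get("rule", {}).values():
        pl_name = rule.get("match-ip-address")
        if pl_name is None:
            prefixes.append("any")  # unscoped rule: every route would leak
            continue
        if pl_name not in cfg.get("router prefix-list", {}):
            raise ValueError(f"route-map {route_map_name}: prefix-list {pl_name!r} not defined")
        for pl_rule in cfg["router prefix-list"][pl_name].get("rule", {}).values():
            addr, mask = pl_rule["prefix"]  # FortiOS writes "prefix <addr> <mask>"
            prefixes.append(str(ipaddress.ip_network(f"{addr}/{mask}")))
    return prefixes


def audit_vrf_leaks(text):
    """Map (origin_vrf, target_vrf) to interface, interface VRF and leaked prefixes."""
    cfg = parse_fortios(text)
    interfaces = cfg.get("system interface", {})
    report = {}
    for origin, entry in cfg.get("router bgp", {}).get("vrf-leak", {}).items():
        for target, spec in entry.get("target", {}).items():
            rm_name, ifname = spec.get("route-map"), spec.get("interface")
            if rm_name not in cfg.get("router route-map", {}):
                raise ValueError(f"vrf-leak {origin}->{target}: route-map {rm_name!r} not defined")
            if ifname not in interfaces:
                raise ValueError(f"vrf-leak {origin}->{target}: interface {ifname!r} not defined")
            report[(origin, target)] = {"interface": ifname, "interface_vrf": interfaces[ifname].get("vrf"),
                                        "prefixes": leaked_prefixes(cfg, rm_name)}
    return report
```

Running audit_vrf_leaks on a real `show router bgp` / `show router route-map` / `show router prefix-list` export lets you confirm that only the intended prefixes cross the VRF boundary before the policies in step 7 open the path.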

Fortigate Packet Flow Troubleshooting: Common Issues
https://networkinterview.com/fortigate-packet-flow-troubleshooting/
Fri, 06 Sep 2024 15:26:59 +0000

Troubleshooting FortiGate packet flow issues can be complex. Here is an overview of common FortiGate packet flow problems and the steps to resolve them.

Fortigate Packet Flow Troubleshooting Issues

1. Incorrect Firewall Policies

  • Issue: Traffic is dropped due to misconfigured firewall policies.
  • Troubleshooting:
    • Verify that policies are correctly configured for source, destination, and services.
    • Check policy order and make sure no unintended policy is overriding the expected rule.
    • Use the command diagnose firewall proute list to check the policy routes that may be steering the traffic.

2. NAT Misconfigurations

  • Issue: Traffic fails due to incorrect or missing NAT configurations.
  • Troubleshooting:
    • Check NAT rules with diagnose firewall iprope lookup.
    • Confirm source and destination NAT configurations.
    • Use packet capture (diagnose sniffer packet any) to confirm whether traffic is being translated correctly.

3. Routing Issues

  • Issue: Traffic doesn’t reach the destination due to routing misconfigurations.
  • Troubleshooting:
    • Verify the routing table with get router info routing-table all.
    • Use traceroute or ping to confirm reachability to the destination.
    • Check static and dynamic routing configurations (OSPF, BGP).

4. Session Handling

  • Issue: Sessions may fail due to timeouts or not being properly cleared.
  • Troubleshooting:
    • List sessions using diagnose sys session list.
    • Clear specific sessions using diagnose sys session clear.
    • Ensure session TTL (time-to-live) values are correctly set and not too aggressive.

5. Zone and Interface Mismatch

  • Issue: Traffic dropped due to incorrect interface or zone configurations.
  • Troubleshooting:
    • Verify interface assignments and zone configuration.
    • Use the command diagnose netlink brctl name list to check zone interface mappings.

6. SSL/TLS Decryption Issues

  • Issue: Misconfigured SSL/TLS decryption profiles leading to traffic drop.
  • Troubleshooting:
    • Check SSL/SSH inspection profile and confirm if traffic is being inspected as expected.
    • Analyze logs and packet captures to verify if decrypted traffic is handled correctly.
    • Review the certificate configuration for any mismatches or invalid certificates.

7. DNS Misconfigurations

  • Issue: Incorrect DNS settings can prevent the firewall from resolving domain names.
  • Troubleshooting:
    • Verify DNS server settings using get system dns.
    • Ensure that DNS servers are reachable and properly configured.
    • Check logs for DNS query failures.

8. High Availability (HA) Failover Issues

  • Issue: Traffic disruption during HA failover or improper HA synchronization.
  • Troubleshooting:
    • Verify HA status using get system ha status.
    • Check HA synchronization logs and event history for any failover issues.
    • Monitor traffic during failover events with packet captures.

9. IPS Blocking Legitimate Traffic

  • Issue: False positives in IPS (Intrusion Prevention System) may block legitimate traffic.
  • Troubleshooting:
    • Review IPS logs for blocked traffic patterns.
    • Create exceptions for legitimate traffic in the IPS profile.
    • Tune IPS signatures to reduce false positives.

10. Session Helpers (VoIP, FTP, etc.)

  • Issue: Incorrect session helper configuration can cause issues with specific protocols (e.g., VoIP, FTP).
  • Troubleshooting:
    • Check session helper configuration with show system session-helper.
    • Disable session helpers if causing issues and configure specific policies instead.
    • Review logs for protocol-specific traffic drops.

11. VLAN Misconfigurations

  • Issue: Traffic dropped due to incorrect VLAN tagging or trunk configuration.
  • Troubleshooting:
    • Verify VLAN settings with diagnose netlink vlan.
    • Ensure proper tagging on both FortiGate and connected switches.
    • Use packet captures to see if traffic is being tagged or dropped.

12. Licensing and Feature Restrictions

  • Issue: Traffic blocked due to expired licenses or disabled features (e.g., antivirus, web filtering).
  • Troubleshooting:
    • Verify license status using get system status.
    • Ensure all necessary features (web filtering, antivirus, etc.) are licensed and active.
    • Review logs for license-related blocking events.

13. IPSec VPN Issues

  • Issue: IPSec tunnels may not establish or drop traffic due to misconfigurations.
  • Troubleshooting:
    • Verify VPN settings and phase 1/phase 2 configuration.
    • Use diagnose vpn tunnel list to check the status of VPN tunnels.
    • Check logs for any negotiation or key exchange failures.

14. Traffic Shaping or Bandwidth Management Issues

  • Issue: Traffic might be limited or dropped due to traffic shaping rules.
  • Troubleshooting:
    • Verify traffic shaping policies with diagnose firewall shaper traffic-log.
    • Adjust bandwidth limits or create new shaping policies for critical traffic.

15. Multicast/Unicast Forwarding Issues

  • Issue: FortiGate might drop multicast or broadcast traffic if not configured correctly.
  • Troubleshooting:
    • Verify multicast routing configuration using get router info multicast.
    • Ensure proper multicast forwarding or IGMP settings.
    • Use packet captures to analyze multicast traffic flow.

Each of these issues can be diagnosed using FortiGate’s packet capture tools, session monitoring, and log analysis. Knowing where to look in the FortiGate system is key to efficiently troubleshooting packet flow problems.

IPSec VPN Configuration: Fortigate Firewall
https://networkinterview.com/ipsec-vpn-configuration-fortigate-firewall/
Tue, 03 Sep 2024 12:55:28 +0000

Objectives
  • IPSec
  • IKE
  • Site to Site VPN between two FortiGate Sites
  • Phase I and Phase II Parameters
  • Tunnel Configuration
  • Troubleshooting Commands

 

IPSec VPN Configuration: Fortigate Firewall

IPsec: A vendor-neutral security protocol used to link two different networks over a secure tunnel. IPsec provides encryption, data integrity and confidentiality.

IPsec is a suite of protocols which includes IKE.

IKE is used to authenticate both remote parties, exchange keys, and negotiate the encryption and integrity checksum used in the VPN tunnel. IKE uses UDP port 500, and UDP 4500 when crossing a NAT device.

IKE allows the two remote parties involved in a transaction to set up a security association.

Security associations are the basis for building the security functions of IPsec. IPsec parameters such as the encryption algorithm, authentication method, hash, and pre-shared key must be identical on both sides to build a security association between the two remote parties.

 

Site To Site VPN Between FortiGate FWs

Phase I and Phase II Parameters are:

 

Firewall -1, check internal interface IP addresses and External IP addresses

IPSec VPN Configuration Site-I

Follow below steps to Create VPN Tunnel -> SITE-I

1. Go to VPN > IPsec Wizard

2. Select VPN Setup and set the template type to Site to Site

3. Name: specify the VPN tunnel name (Firewall-1)

4. Set the address of the remote gateway's public interface (10.30.1.20)

5. Egress interface (Port 5)

6. Enter the pre-shared key. The pre-shared key is used to authenticate both parties and must be the same on both sides.

7. Select the IKE version used to negotiate Phase I and Phase II

8. Mode of VPN: Main mode/Aggressive mode. Main mode is the recommended key-exchange method because it hides the identities of the peer sites during the key exchange.

9. Encryption method: must be identical on both peers. The encryption method provides end-to-end confidentiality for the VPN traffic.

10. Authentication method: must be identical with the remote site. The authentication method verifies the identity of the peer, which means traffic is coming from the correct peer and there is no man-in-the-middle attack.

11. DH Group: must be identical with the remote peer (DH-5). Diffie-Hellman is a key exchange protocol that establishes a secure channel by exchanging public keys to derive the master key.

12. Key Lifetime: defines when the tunnel must be re-negotiated. Key lifetimes should be identical; a mismatched key lifetime may lead to tunnel fluctuations.

VPN Phase-II

13. Add Phase II proposals

14. Select encryption method AES256

15. Select authentication method SHA1

16. Enable Anti-Replay Detection: anti-replay is an IPsec security mechanism at the packet level which helps prevent an intruder from capturing and modifying an ESP packet.

17. PFS (Perfect Forward Secrecy): must be enabled at both peers

18. DH Group: select 5

19. Key lifetime for Phase II

Phase II Selector

20. Share Local LAN subnet which will communicate once VPN is established

21. Share remote end LAN subnet

Create Static Route towards VPN Tunnel Interface

22. Static Route

23. Local LAN subnet going via Tunnel Interface To-FG-2

24. Allocate Tunnel Interface

25. Assign Administrative distance 10 (static Routes)

Create a VPN policy for the interesting traffic and allow ports according to requirements

26. Assign name to the policy in IPV4 Policy Tab

27. Traffic incoming from Inside Zone/Interface and Outgoing Interface will be Tunnel Interface

28. Source address which will be 80.25.0/24

29. Destination address will be remote site Local LAN subnet 10.100.25.0/24

30. Services/protocol: select ALL, or specific services such as FTP/HTTP/HTTPS

31. Accept the action.

32. NAT is OFF and Protocol Options are Default

33. Basic Anti-Virus has been enabled and Basic Application Control is enabled

34. SSL certificate is enabled to authenticate over SSL inspection (optional)

35. Enable ALL session logs

36. Add Policy Comment and Enable the Policy

37. Select OK

 

**If required, create a reverse (cloned) policy for the connection to allow traffic in both directions.

From Step 1 to Step 37, VPN configuration has been completed for Firewall -1/Site-1.
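The Phase I and Phase II parameters above all carry the same rule: they must match the remote peer. The following Python model, added here as an example and not FortiGate code, negotiates a tunnel between two sites the way a responder does (first common proposal, first common DH group, mirrored selectors) and reports which mismatch would stop the tunnel or, for key lifetime, only make it flap. The Site 1 LAN, lifetimes and the `build_site` helper are constructed assumptions; AES256/SHA-1, DH group 5, PFS and the 10.100.25.0/24 remote LAN come from the steps above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str      # e.g. "aes256"
    authentication: str  # e.g. "sha1"


@dataclass
class Phase1:
    proposals: tuple   # Proposals offered, in preference order
    dh_groups: tuple   # DH groups offered, in preference order
    auth_method: str   # "psk" or "signature"; must be identical on both peers
    lifetime: int      # seconds before the IKE SA is re-keyed


@dataclass
class Phase2:
    proposals: tuple
    pfs: bool          # Perfect Forward Secrecy must be enabled on both peers (or on neither)
    dh_groups: tuple   # only used when pfs is True
    lifetime: int
    local_subnet: str  # Phase II selector: this site's LAN
    remote_subnet: str # Phase II selector: the other site's LAN


class NegotiationError(Exception):
    """Raised when the two peers cannot agree and the tunnel would never come up."""


def _first_common(offered, accepted):
    for item in offered:
        if item in accepted:
            return item
    return None


def negotiate_phase1(initiator: Phase1, responder: Phase1) -> dict:
    """Pick the IKE SA parameters both peers agree on, as the responder would."""
    if initiator.auth_method != responder.auth_method:
        raise NegotiationError("authentication method mismatch")
    proposal = _first_common(initiator.proposals, responder.proposals)
    if proposal is None:
        raise NegotiationError("no common Phase 1 encryption/authentication proposal")
    group = _first_common(initiator.dh_groups, responder.dh_groups)
    if group is None:
        raise NegotiationError("DH group mismatch")
    warnings = []
    if initiator.lifetime != responder.lifetime:
        # The SA still comes up, but the peer with the shorter lifetime re-keys first;
        # the article calls this tunnel fluctuation.
        warnings.append("key lifetime mismatch: expect periodic re-keys / tunnel flaps")
    return {"proposal": proposal, "dh_group": group, "warnings": warnings}


def negotiate_phase2(initiator: Phase2, responder: Phase2) -> dict:
    """Agree on the IPsec SA: proposal, PFS group and mirrored traffic selectors."""
    if initiator.pfs != responder.pfs:
        raise NegotiationError("PFS must be enabled on both peers or on neither")
    proposal = _first_common(initiator.proposals, responder.proposals)
    if proposal is None:
        raise NegotiationError("no common Phase 2 proposal")
    group = None
    if initiator.pfs:
        group = _first_common(initiator.dh_groups, responder.dh_groups)
        if group is None:
            raise NegotiationError("PFS DH group mismatch")
    # Selectors must mirror each other: my local LAN is the peer's remote LAN.
    mine = (initiator.local_subnet, initiator.remote_subnet)
    theirs = (responder.remote_subnet, responder.local_subnet)
    if mine != theirs:
        raise NegotiationError(f"Phase 2 selectors do not mirror: {mine} vs {theirs}")
    warnings = []
    if initiator.lifetime != responder.lifetime:
        warnings.append("Phase 2 key lifetime mismatch: expect periodic re-keys")
    return {"proposal": proposal, "pfs_group": group, "warnings": warnings}


SITE1_LAN = "10.10.10.0/24"   # constructed placeholder; the article's own local subnet is truncated
SITE2_LAN = "10.100.25.0/24"  # remote site LAN from the article


def build_site(local, remote, lifetime_p1=86400, lifetime_p2=43200, dh=(5,)):
    """Constructed helper: one site's settings following the article's Phase I/II values."""
    p1 = Phase1(proposals=(Proposal("aes256", "sha1"),), dh_groups=dh,
                auth_method="psk", lifetime=lifetime_p1)
    p2 = Phase2(proposals=(Proposal("aes256", "sha1"),), pfs=True, dh_groups=dh,
                lifetime=lifetime_p2, local_subnet=local, remote_subnet=remote)
    return p1, p2


def check_tunnel(site1, site2) -> dict:
    """Negotiate both phases between two (Phase1, Phase2) tuples."""
    return {"phase1": negotiate_phase1(site1[0], site2[0]),
            "phase2": negotiate_phase2(site1[1], site2[1])}


if __name__ == "__main__":
    print(check_tunnel(build_site(SITE1_LAN, SITE2_LAN), build_site(SITE2_LAN, SITE1_LAN)))
```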

 

Let’s move to Firewall -2/Site II

  • Check Internal and External Interface IP address and Ports

IPSec VPN Configuration Site-II

Start following step-1 to step-22 to complete the VPN configuration in Firewall-2.

  • Monitor VPN traffic status in IPSec Monitor TAB for further Troubleshooting.

Troubleshooting Commands

Run the debug and basic troubleshooting commands below if the tunnel status is not shown in the IPSec Monitor tab:

Debug commands:

# diag vpn tunnel list
# diag vpn ike filter clear
# diag vpn ike log-filter dst-addr4  x.x.x.x    <—– remote peer Public IP

# diag debug application ike -1
# diag debug console timestamp enable
# diag debug enable

 

Initiate the connection and try to bring up the tunnel from GUI

(VPN -> IPsec Monitor -> Bring UP ):
# diagnose vpn tunnel up “vpn_tunnel_name”         <—– Check packets of Phase I


Disable the Debug to stop packets

# diag debug disable
# diag debug reset

 

Continue Reading:

Routing Configuration in FortiGate Firewall: Static, Dynamic & Policy Based

Types of Firewall: Network Security

FortiGate NAT Policy: Types & Configuration (https://networkinterview.com/fortigate-nat-policy-types-configuration/, Tue, 03 Sep 2024 09:50:32 +0000)

NAT-Network Address Translation

NAT is a process that enables a single device such as a firewall or router to act as an agent between the internet or public network to LAN or private segment. 

NAT is usually used for the reasons below:

  • It improves security: addresses behind the NAT device are hidden from the outside
  • It provides a public IP address for private IP addresses to make traffic routable

**In the FortiGate firewall we can apply NAT directly to the policy without creating a separate NAT policy. 

FortiGate NAT

FortiGate provides below NAT features in the Firewall:

  1. SNAT
  2. DNAT
  3. PAT

FortiGate NAT Modes  

Firewall Policy NAT SNAT and DNAT must be configured for Firewall policies. SNAT takes the outgoing interface IP address of the firewall as a source address. DNAT uses configured VIP.

Central NAT – SNAT and DNAT are configured as per the VDOM (virtual Domain)

  • SNAT rule is implemented from central SNAT Policy
  • DNAT is configured from DNAT and VIPs

Firewall Policy NAT

We can configure Firewall policy NAT by applying two different ways

  1. Use outgoing interface as a NAT IP address
  2. Use predefined pool (dynamic pool)

Firewall policies can be configured by using below types of NAT

  1. Static SNAT
  2. Dynamic SNAT

Static SNAT

In Static SNAT all internal IP addresses will be translated to a single Public IP address by using multiple source ports.

E.g.

10.10.10.1-> source port 1110-> NAT IP address 172.16.100.1:5001

10.10.10.2-> source port 1111-> NAT IP address 172.16.100.1:5002

10.10.10.3->source port 1112->NAT IP address 172.16.100.1:5003

How to configure Static SNAT

1. Create Security Policy -> IPV4 Policy

2. Give the details in the policy TAB, add source address/subnet

3. Add Destination address/subnet

4. Add Service/port

5. Accept the policy

6. Select NAT-ON, Select Outgoing Interface Address

Dynamic SNAT

Dynamic SNAT maps private IP addresses with the IP pool of Public IP.

4-types of IP Pool are available in FortiGate Firewall

Overload

It contains more than one public IP address. Internal IP addresses can use any available address from the public pool to exit the firewall. Source and destination ports are mapped from 1024 to 65533.

Configure Overload Dynamic SNAT

1. Create IP Pool for Public IP address>> Go to Policy & Objects

2. Name the pool and select type>> Overload

3. Select Pool Subnet IP or range

4. Apply the pool in the security policy

5. Select NAT-ON>> IP Pool Configuration Use Dynamic IP Pool

6. Choose Overload Pool>> NAT_POOL

One-to-One Dynamic SNAT

It means there is a one-to-one match of each internal IP address with an external IP address, for example:

10.10.1.1>>>172.168.1.1

10.10.1.2>>>172.168.1.2

10.10.1.3>>>172.168.1.3

If there are 100 users in a LAN for which one-to-one SNAT is used, then we would require a range of 100 public IPs.

Fixed Port Range

In Fixed Port Range we need to specify the internal/LAN IP address range; here we can define both the internal and the external public IP ranges.

FortiGate can then calculate a port range for each combination of source IP address range and translated IP address range.

  1. Create NAT_POOL for Fixed Port Range
  2. Select type Fixed Port Range
  3. Add External IP Range
  4. Add Internal IP range detail

Apply the Pool in Security policy
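The three pool behaviours above (static SNAT / overload sharing one public IP by source port, one-to-one requiring as many public IPs as hosts, and fixed port range carving a fixed port block per host) are modelled below in Python. This is an added example, not FortiGate code: the 1024-65533 port range is the one the article gives for overload pools, the round-robin choice of pool address and the even split of that range into per-host blocks are constructed simplifications of how FortiGate computes its mappings, and 172.16.100.2 and the 10.10.1.x hosts are constructed sample values.

```python
import ipaddress
import math

PORT_LOW, PORT_HIGH = 1024, 65533  # translated source-port range the article gives for overload pools


def ip_range(first, last):
    """Expand an inclusive IPv4 range (the pool's start/end fields) into a list of addresses."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


class SharedIpTranslator:
    """Static SNAT (outgoing interface IP) and Overload pools: many internal hosts share
    one or more public IPs and sessions are told apart by the translated source port."""

    def __init__(self, public_ips, first_port=PORT_LOW):
        self.public_ips = list(public_ips)
        self._next_port = {ip: first_port for ip in self.public_ips}
        self._sessions = {}  # (src_ip, src_port) -> (nat_ip, nat_port)
        self._rr = 0         # round-robin pointer over the pool (constructed simplification)

    def translate(self, src_ip, src_port):
        """Return the (public IP, port) a session is seen as; the same session always maps the same."""
        key = (src_ip, src_port)
        if key not in self._sessions:
            nat_ip = self.public_ips[self._rr % len(self.public_ips)]
            self._rr += 1
            port = self._next_port[nat_ip]
            if port > PORT_HIGH:
                raise RuntimeError(f"source ports exhausted on {nat_ip}")
            self._next_port[nat_ip] = port + 1
            self._sessions[key] = (nat_ip, port)
        return self._sessions[key]


def one_to_one(internal_ips, external_ips):
    """One-to-One pool: each internal host needs its own public IP, ports are untouched."""
    if len(external_ips) < len(internal_ips):
        raise ValueError(f"one-to-one needs {len(internal_ips)} public IPs, "
                         f"pool only has {len(external_ips)}")
    return dict(zip(internal_ips, external_ips))


def fixed_port_range(internal_ips, external_ips):
    """Fixed Port Range pool: internal hosts are split evenly across the external IPs and
    each host gets a fixed, non-overlapping block of ports on its external IP.
    Returns {internal_ip: (external_ip, first_port, last_port)}."""
    hosts_per_ext = math.ceil(len(internal_ips) / len(external_ips))
    block = (PORT_HIGH - PORT_LOW + 1) // hosts_per_ext
    mapping = {}
    for i, ip in enumerate(internal_ips):
        ext = external_ips[i // hosts_per_ext]
        slot = i % hosts_per_ext
        lo = PORT_LOW + slot * block
        mapping[ip] = (ext, lo, lo + block - 1)
    return mapping


def fixed_port_translate(mapping, src_ip, src_port):
    """Deterministic translation inside the host's block, so no state table is needed."""
    ext, lo, hi = mapping[src_ip]
    return ext, lo + src_port % (hi - lo + 1)


def blocks_disjoint(mapping):
    """Check that no two hosts sharing an external IP overlap in ports (a property worth asserting)."""
    seen = []
    for ext, lo, hi in mapping.values():
        for ext2, lo2, hi2 in seen:
            if ext == ext2 and lo <= hi2 and lo2 <= hi:
                return False
        seen.append((ext, lo, hi))
    return True


if __name__ == "__main__":
    t = SharedIpTranslator(["172.16.100.1"], first_port=5001)
    for host, port in (("10.10.10.1", 1110), ("10.10.10.2", 1111), ("10.10.10.3", 1112)):
        print(host, port, "->", t.translate(host, port))
    print(one_to_one(ip_range("10.10.1.1", "10.10.1.3"), ip_range("172.168.1.1", "172.168.1.3")))
    print(fixed_port_range(ip_range("10.10.1.1", "10.10.1.4"), ["172.16.100.1", "172.16.100.2"]))
```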

Central NAT

Before discussing Central NAT, we should know about VIP objects.

A VIP is a DNAT object used for session mapping. VIP means the destination address is translated, i.e. the public IP address is translated to the local server IP address.

Default VIP type is static NAT. Static NAT is one-to-one mapping which applies to incoming and outgoing connections(bi-directional). 

** VIP address must be routable towards external facing traffic for return connection/traffic.

By default, Central NAT is disabled in the firewall. Two options are provided when using Central NAT:

  1. Central SNAT
  2. DNAT and Virtual IP

 

Central NAT can only be configured in policy-based Firewall mode.

Central SNAT

Central SNAT gives us more granular control over the policy: we can select the exit interface and ingress IP, or specify the source port or destination port as required. Once a policy matches, the source address / destination address is translated according to the NAT criteria configured in the Central SNAT policy.

Prerequisites to define Central SNAT policy

  • Configure IP Pool/interface IP address (outgoing IP)
  • Configure NAT policy

First, enable central NAT in Firewall from cli

Policy will be matched by using below criteria

  • Source Interface -> Inside
  • Destination outgoing Interface-> Outside
  • Source address-> 192.168.2.0/24
  • Destination address-> wildcarddropbox.com
  • Protocol/application port-> any
  • Source port-> any
  • Outgoing IP address/translated IP address -> 172.16.100.100/32

Central DNAT & VIP

Additionally, in the firewall VIPs are used as the destination address in a security policy. On FortiGate you configure DNAT and VIPs for destination NAT. As soon as you configure a VIP, it automatically creates a rule in the kernel to allow DNAT.

As we all know destination NAT means traffic comes from the outside world to access internal servers or services by using Public IP address of the server.

Prerequisites to configure DNAT with VIP

  • External IP address (external user)-> 1.2.3.1
  • Internal Local server IP which is mapped to external IP -> 192.168.1.50
  • Forwarding port-> 25 (source side)
  • Translated port-> 25

After creating DNAT and Virtual IP you only need to create a policy as per your requirement.

That’s it.

Continue Reading:

FortiGate Firewall Policy: Rules, Types & Configuration

FortiGate VDOM Configuration: Complete Guide

FortiGate UTM (Unified Threat Management) (https://networkinterview.com/fortigate-utm-unified-threat-management/, Sat, 10 Aug 2024 15:00:46 +0000)

UTM-Unified Threat Management

UTM (Unified Threat Management) is a feature of a firewall in which multiple security profiles combine and provide protection from threats and attacks. These features are antivirus, web filtering, IPS, anti-spam etc.

UTM is the consolidated solution for an organisation against attacks and malicious traffic. In other words, UTM is a capsule of multiple security features.

FortiGate UTM Profiles

Let’s discuss FortiGate UTM profiles one by one.

Anti-Virus Profile

Antivirus Scanning Modes

FortiGate Antivirus is used to detect viruses in the traffic or files. FortiGate uses many techniques to detect viruses. This detection technique includes:

  1. Anti-Virus Scan: This is the simplest and fastest way to detect malware. It detects viruses that are an exact match for a signature in the anti-virus database.
  2. Grayware Scan: This scan detects unsolicited programs, known as grayware, that have been installed without the user's knowledge or consent. Grayware is not technically a virus; it is bundled software that produces unwanted side effects in the network or system.
  3. Machine Learning AI Scan: It tests for the possibility of attacks like zero-day attacks. Zero-day attacks use malware that is new and unknown, and hence has no existing associated signatures. If your network is a frequent target, enabling the AI scan may be worth its performance cost, because it helps you detect new attacks in the network.

Anti-virus can operate by using flow-based or Proxy-based inspection mode. Both inspection modes use a full AV database.

Flow-based Scanning Mode

In this mode the anti-virus engine reads the payload of each packet, caches a copy of the real packet and then forwards the packet to the receiver. It consumes more CPU than other modes.

If a virus is detected in a TCP session after some packets have already been forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. The receiver has received most of the file, but the file is truncated and cannot be opened.

If an attacker tries to re-send the file to user, FortiGate firewall blocks the connection.

Proxy-based Inspection Mode

In this mode each protocol proxy picks up a connection and buffers the entire file first. Clients must wait for the scanning to be finished.

If a virus is detected, a block replacement page is displayed. Because FortiGate must buffer the whole file, scanning takes longer. Proxy-based scanning also allows stream-based scanning, which is enabled by default. Stream-based scanning handles large archive files by decompressing, extracting and scanning them at the same time, which optimises memory use. A virus can be detected in the middle of the scan or at the end of the scan.

Configuring Anti-Virus Profile and Policy

  • Create Anti-virus Profile
    1. Go to the Security Profile tab
    2. Select Antivirus Profile
    3. Create a new profile, named ANTIVIRUS
    4. Select Scan Mode (proxy/Full or flow/Quick)
    5. Select the action if a virus is detected: Block blocks the file, Monitor generates an alert for the virus file.
    6. Select OK

 

  • Apply Anti-Virus Profile to Security Policy

    1. Create Internet Policy, Go to IPV4 Policy TAB
    2. Add Policy NAME- Antivirus Policy
    3. Go to the Security Profile section in Internet Policy and add ANTIVIRUS profile which is created above.
    4. Select OK.

 

Now every file in traffic going to the internet will be passed through the anti-virus engine, which takes the necessary action accordingly.

Web-Filter Profile

Web-filtering is the feature in FortiGate to control web traffic of firewalls by using block or allow action.

It uses two types of inspection mode for URL traffic

  1. Flow Based: Default inspection mode and faster than other modes. 
  2. Proxy Based: FortiGate buffers the traffic and examines it as a whole. It acts as a mediator between client and web server.

Further NGFW modes are also used in Web-filtering configuration. These modes are:

Profile-based Mode: 

It requires application control and web-filter profiles and applies them to firewall policy. It uses flow-based OR proxy-based inspection. 

Policy-based Mode: 

Application control and web filtering are applied directly in the firewall policy. It does not require separate Application Control or Web Filtering profiles.

Web filtering controls and manages the sites that users visit. This includes preserving employee productivity, preventing network congestion by blocking malicious and unauthorised URLs, and preventing exposure of confidential data by scanning web URLs.

Configure Web-Filtering Profile 

  1. Go to Security Profile
  2. Select Web Filter
  3. Create new Web Filter with name Web-Filter-Profile-1
  4. Create a FortiGuard category-based filter and select custom categories.
  5. Select any category which you wish to block/allow/monitor. Here the Potentially Liable category is blocked manually.
  6. Select ok

Apply Web-Filter Profile in Security Policy

  1. Create Security policy to apply web-filtering. Go to IPV4 Policy.
  2. Create New policy name Internet-Policy-With-Webfilter
  3. Assign incoming and outgoing interfaces.
  4. Add source address
  5. Add destination address
  6. Add services
  7. Select action as Accept
  8. Go to Security Profiles and select Web Filter TAB. Select the web filtering profile which we have created above. And select OK. That’s it

IPS – Intrusion Prevention System Profile

We should implement IPS in our network to protect it from intrusion. IPS in FortiGate uses signature databases to detect anomalies and attacks. The purpose of the IPS filter is to protect the inside network from outside threats. Protocol decoders can also detect network errors and protocol anomalies. IPS engine can cover 

  • Antivirus 
  • Web Filter
  • Email Filter
  • Application Control

IPS Signature Updates

FortiGuard updates the IPS signatures and decoders with new signatures. That way IPS engines become effective against the new exploits. Regular updates or customised updates are configured in the FortiGate to fetch IPS signatures periodically. 

The default setting of updates is Automatic. Please refer to the image below to check the settings of IPS updates in FortiGate firewall.

After FortiGate downloads the FortiGuard package, new signatures will appear in the signature list. When configuring FortiGate you can change the action setting for each signature. However, the default action setting is usually correct except in a few cases. We can create custom signatures with the help of the FortiGate DevOps team to parse custom applications. Sometimes a false positive alert triggers in the FortiGate IPS; you can enable/disable the signature as required. Moreover, the Fortinet Support team can modify a false positive signature once you report the error on the support portal.

IPS Sensors

IPS sensors contain a list of signatures in a profile which is later called in a security policy. There are two ways to configure IPS sensors:

  1. Select the signatures individually; each signature you select from the list is added to the sensor.
  2. Add signatures to the IPS profile by applying a filter; FortiGate adds all the signatures matching the filter to the profile.

Configure IPS Profile in FortiGate Firewall

  1. Go to Security Profiles
  2. Select Intrusion Prevention
  3. Create a new profile. Here we have created IPS Profile-1
  4. Add Signature based IPS profile. Signature base means we can select signature from database of FortiGate IPS and add it into a single profile
  5. Add filters in the profile and select a list of signatures from database.
  6. Add signatures in the profile and apply it to the newly created Profile.

Apply IPS-Profile in Firewall Policy

      7. Now it's time to apply the IPS profile in the firewall policy. Go to the IPV4 Firewall policy tab. Add the policy parameters to which the IPS profile applies, like source IP address, destination IP address and services or port.

      8. Go to Security Profiles section in Firewall policy and add IPS Profile-1

      9. Select OK to apply the parameters in policy.

DOS Policy Configuration in FortiGate

DOS- Denial of Service is a packet-based attack which consumes resources of infrastructure and makes it unavailable to legitimate traffic/users.

To block DoS attacks we can apply a DoS policy on the FortiGate that sits between the attacker and all the resources you want to protect. DoS filtering is done early in the packet handling process and is handled by the kernel.

Let’s discuss type of DOS attack before implementing DOS policy in FortiGate firewall:

  1. TCP SYN Flood: Incomplete TCP/IP connections are flooded to the victim, which fill the connection table of the device and make it unavailable for legitimate users.
  2. ICMP Sweep: An ICMP traffic flood is sent to the target device. All the victim's resources become busy responding to ICMP traffic, which makes it unavailable for genuine users.
  3. TCP Port Scan: The attacker sends TCP/IP connection attempts to identify open ports in the network. Further, the attacker exploits those ports and hampers network services.

Apply DOS Policy in FortiGate

  1. Go to IPV4 DoS Policy
  2. Create new policy, here we have named it DOS-Protection-1
  3. Specify source and destination address and incoming interface
  4. Specify service or port
  5. Block/disable L3 anomalies
  6. Select the source/destination session
  7. Enable or disable DoS sessions and apply it to the incoming interface.
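The three anomalies listed above (tcp_syn_flood, icmp_sweep and tcp_port_scan are the names FortiGate uses in its DoS policy) can be illustrated with detection logic run over a constructed packet sample. This Python example is added here and is not FortiGate's engine: the thresholds, the per-window counting and the sample traffic are constructed assumptions, chosen only so a half-open SYN count, a one-source ICMP sweep and a one-source port probe each cross a threshold while a normal completed handshake does not.

```python
from collections import defaultdict

# Constructed thresholds; in FortiGate each anomaly's threshold is set in the DoS policy itself.
SYN_FLOOD_THRESHOLD = 5   # half-open connections to one destination
ICMP_SWEEP_THRESHOLD = 4  # distinct destinations pinged by one source
PORT_SCAN_THRESHOLD = 4   # distinct TCP ports on one destination probed by one source


def detect_anomalies(packets):
    """Count the sample window and return findings as {"anomaly": name, "key": who/what}.
    Each packet is a dict with proto, src, dst and, for TCP, dport and flags ("S" or "A")."""
    half_open = set()                 # (src, dst, dport) SYN seen, no ACK yet
    icmp_targets = defaultdict(set)   # src -> destinations pinged
    ports_probed = defaultdict(set)   # (src, dst) -> TCP ports tried
    for p in packets:
        if p["proto"] == "tcp":
            flow = (p["src"], p["dst"], p["dport"])
            if p["flags"] == "S":
                half_open.add(flow)
                ports_probed[(p["src"], p["dst"])].add(p["dport"])
            elif p["flags"] == "A":
                half_open.discard(flow)  # handshake completed, no longer half-open
        elif p["proto"] == "icmp":
            icmp_targets[p["src"]].add(p["dst"])

    findings = []
    syn_per_dst = defaultdict(int)
    for _, dst, _ in half_open:
        syn_per_dst[dst] += 1
    for dst, n in sorted(syn_per_dst.items()):
        if n > SYN_FLOOD_THRESHOLD:
            findings.append({"anomaly": "tcp_syn_flood", "key": dst, "count": n})
    for src, targets in sorted(icmp_targets.items()):
        if len(targets) > ICMP_SWEEP_THRESHOLD:
            findings.append({"anomaly": "icmp_sweep", "key": src, "count": len(targets)})
    for (src, dst), ports in sorted(ports_probed.items()):
        if len(ports) > PORT_SCAN_THRESHOLD:
            findings.append({"anomaly": "tcp_port_scan", "key": f"{src}->{dst}", "count": len(ports)})
    return findings


# Constructed sample window (documentation/test addresses, not real hosts).
SAMPLE_PACKETS = (
    # six spoofed sources each leave one half-open connection on 10.0.0.5:443
    [{"proto": "tcp", "src": f"203.0.113.{i}", "dst": "10.0.0.5", "dport": 443, "flags": "S"}
     for i in range(1, 7)]
    # one source probes five TCP ports on 10.0.0.8 (five half-open, under the flood threshold)
    + [{"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.8", "dport": p, "flags": "S"}
       for p in (21, 22, 23, 25, 80)]
    # one source pings five different internal hosts
    + [{"proto": "icmp", "src": "203.0.113.9", "dst": f"10.0.0.{i}"} for i in range(1, 6)]
    # a legitimate client completing its handshake to 10.0.0.5
    + [{"proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.5", "dport": 443, "flags": "S"},
       {"proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.5", "dport": 443, "flags": "A"}]
)


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_PACKETS):
        print(f)
```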

Application Control in FortiGate

  • Application control detects applications that transfer over the network by using any port. Application control takes appropriate action on the application traffic to stop any malicious attack.
  • Application controls detect application traffic like google talk, Facebook chat, Gmail hangout etc.
  • These applications work on port 443 or the web-browsing port, so a firewall acting as an L4 device is not able to check whether the traffic is legitimate or carries malicious content.
  • As we all know that port 443 carries normal browsing traffic and it also transfers application traffic like BitTorrent etc. Application control can differentiate the traffic based on the application used by it and block the site as per the policy configured in the firewall.
  • Application control can be configured flow-based or Policy-based in the firewall. It performs a traffic scan which compares traffic to the known application patterns.
  • It detects Peer-to-Peer applications. P2P traffic uses distributed architecture to forward traffic in the network.
  • Traditional Client to Server Architecture uses client to server communication by using a simple port number which can easily be blocked by firewall policy.
  • Peer to Peer download divides each file among the multiple peers and uses dynamic ports to transfer the data. Hence it is very difficult to identify the traffic and block it from firewall level based on port only. 

Application Control Signatures

FortiGuard subscription is required to download and enable application control signatures in the firewall. These signatures parse the traffic and scan dynamic application ports in the content.

Configure Application Control Policy

  1. Go to Application Control
  2. Create new Application control profile
  3. Select category or application which you want to block, for example Proxy and P2P application is blocked in below image.
  4. Select ok

You can add application signature by selecting Add Signatures Tab in Application Overrides

Apply Application Control Profile in the Policy

  1. Go to IPV4 Policy
  2. Enable Application Control and select the above created profile.

Continue Reading:

Fundamentals of FortiGate Firewall: Essential Guide

NGFW vs UTM

Fundamentals of FortiGate Firewall: Essential Guide (https://networkinterview.com/fundamentals-of-fortigate-firewall/, Sat, 10 Aug 2024 14:59:52 +0000)

FortiGate fundamentals and principles cover a high-security infrastructure and how it provides a secure setup to the client. FortiGate Firewall is one of the most respected and widely used security products on the market. It uses artificial intelligence and machine learning to meet the latest security targets.

Fortinet covers many technologies within a single umbrella such as VPN, UTM, Security Profiles, FortiManager, FortiAnalyzer and many more.

Here, we will discuss all important features and technologies covered by Fortinet. Let’s start then…

Fundamentals of FortiGate Firewall

Below is the list of components supported by FortiGate. However, we have covered important components in this document.

FortiGate Firewall Dashboard

FortiOS Dashboard consists of graphical view and stats of alerts. Widgets are static views of the FortiGate properties. It consists of:

  • System Information contains hostname, IP address, Serial Number Firmware
  • Licenses shows list of licences installed on the system and respective expiry date
  • FortiCloud represents statistics of FortiCloud data
  • Security Fabric shows a summary of devices that are using the Security Fabric feature
  • Administrator shows all connected admins with their login time and IP address
  • CPU utilisation of device 
  • Memory, live utilisation of device 
  • Sessions shows number of sessions firewall is processing per second or minute

Other Widgets present in Dashboard

  • HA status 
  • Log rate
  • Interface Bandwidth
  • Botnet Activity
  • Advanced threat Protection 

FortiGate Security Fabric

Fortinet Security Fabric involves different components that work together to secure the network.

Combination of below devices are required to create Security Fabric.

FortiGate Firewall

Firewall acts as a security component between ISP and downstream LAN devices. It secures networks from outside unknown attackers.

FortiAnalyzer

As its name defines, FortiAnalyzer can scan, monitor, collect logs of live traffic and create reports accordingly. It shows historical logs and events of any network which parse through the firewall.

FortiAnalyzer has below tabs available in the device to check logs:

  • FortiView
  • Threats
  • Traffic
  • Applications and Websites
  • VPN
  • System
  • Security, Application Control, Web Filter, DNS
  • Custom View
  • Log Browse
  • Log Group

LogView from FortiAnalyzer device:

FortiManager

FortiManager provides remote management to FortiGate Firewall. It uses port TCP 541 to communicate with the firewall.

FortiManager pushes anti-virus, IPS and the latest UTM updates to all connected devices.

FortiManager contains below tabs:

  • Add Device
  • Device Group
  • Firmware
  • License

FortiSandbox

It is a cloud-based technology which generates the latest signatures based on malicious attacks.  A FortiSandbox is a device that runs a sample in an isolated VM or cloud environment. 

Copy of threat logs forward to FortiSandbox where it can check if the traffic has malicious content in it. 

FortiSandbox performs 3 types of scanning when it receives a file from FortiGate:

  • Pre-Scan Group – this is where the initial scan is performed by FortiSandbox. Several filters are applied to the new file, like pattern matching, checksum code sequence and TCP/IP attributes, along with behavioural analysis of the file/traffic pattern.
  • Static Scan – mainly deals with anti-virus and static AI scan. Antivirus is a traditional pattern-matching feature, whereas the static AI scan uses machine learning to detect malware based on malware attributes collected from millions of samples.
  • Dynamic Scan – it uses a VM scan where the submitted file is processed in an isolated environment. Dynamic Scan also uses PEXBOX (code emulator), in which Windows files are parsed.

FortiSandbox Dashboard

FortiADC

An Application Delivery Controller is used to improve the scalability of applications behind the firewall. It uses an advanced server load balancer which routes traffic to an available destination server based on backend server availability.

It helps to keep applications reliable, responsive and easy to manage.

FortiADC performs the tasks below:

  • Security
  • Server Load Balancing 
  • Link Load Balancing 
  • Global Load Balancing 

FortiADC benefits:

  • Scale application with server load balancing feature
  • Apply persistence with servers to maintain connection
  • Reduce bandwidth needs and improve user QoE 
  • Provide redundancy and WAN optimization for applications
  • We can apply traffic prioritization by applying QoS (Quality of Services)
  • Improves SSL offloading in the firewall for fast processing

Dashboard of FortiADC

FortiAP

FortiAP units are thin wireless access points supporting the latest Wi-Fi technologies and easy deployment. For larger deployment FortiAP controllers can carry a dedicated wireless network and FortiAP models support a dedicated monitor to check radio signals.

FortiAP, FortiAP-C, FortiAP-S, FortiAP-W2, and FortiAP-U units are offered in a diversity of models to address particular use cases and management modes.

Wireless access points can be added in any network to provide wireless connection to users. 

FortiClient 

FortiClient is a VPN (IPSec and SSL) client just like Cisco AnyConnect. It can also be used as an anti-virus client and a host vulnerability scanner. Moreover, it supports web filtering as well. In FortiGate you get at least 10 free licenses if you want to use those clients.

FortiClients helps to protect all the endpoints of your network including laptops, desktops and other devices.

These devices are either directly connected to your FortiGate devices or remotely connected through VPN.

  • After the admin sets up endpoint security on FortiGate, a first-time user with an unregistered endpoint attempts to access the internet
  • A captive portal is displayed to download and install FortiClient on the system.
  • Once installed, FortiClient registers the system to FortiGate
  • Endpoint security profiles are applied through FortiClient to the local user system
  • After successful registration the Windows PC becomes a compliant endpoint.

FortiMail

FortiMail is a secure email solution which provides protection against inbound attacks, outbound attacks and data loss in the network. It captures email-related threats like phishing, spam, malware and zero-day attacks.

It protects emails from: 

  • Known and unknown threats
  • Whaling Attack
  • Spams
  • Malicious link in email

4 types of modes used in FortiMail to protect emails from attack.

  1. Gateway Mode – FortiMail acts as an email gateway or a device which is used for Mail Transfer Agent. It fetches emails, scans the content and transfers it to the email server. Change in network topology will be required to implement FortiMail in the existing network.
  2. Transparent Mode – As the name specifies, FortiMail acts as a transparent proxy/device. It fetches the email, scans it and directly transfers it to the email server. No topology changes are required.
  3. Server Mode—It acts as a Local email server to the emails. It receives emails, scans it, and directly forwards them to users. Yes, topology change is required in the implementation of this mode.

FortiGate VPN

FortiGate supports IPSec VPN and SSL VPN.

  • SSL VPN – It is used for remote users to access applications from remote sites.
    1. Tunnel Mode – FortiClient VPN must be installed on the user's system.
    2. Web Mode- Services are accessible via web-browser. But some applications and services are not supported.
  • IPSec VPN – Site to Site tunnel needs to be created in the network  to transfer data in an encrypted format.
    1. Site-to-site VPN is initiated between two end points or physical devices
    2. IPSec Remote VPN is also used in organizations to provide remote access to the network.

Security Profiles

Profiles which contain security features are known as Fortinet Security Profiles.

It includes below information about configuration.

  • Anti-Virus: It identifies and blocks viruses after scanning network traffic. FortiGate offers two types of anti-virus scanning:
  1. Proxy-based: useful to mitigate suspicious malicious code.
  2. Flow-based: high performance based
  • Web Filter: This feature takes action on internet URLs based on allow/block category in firewall. You can customize the URL Category in the firewall as well.
  • Intrusion Prevention: It detects threats in the network and mitigates malicious traffic by applying signatures. We can create custom signatures as well.

Log and Report

Logging and reporting are useful to check and understand any network logs. It covers event logs, system logs, VPN logs, threat logs, UTM logs and customized reports. 

FortiGate supports several other log  devices like FortiAnalyzer , Cloud, and syslog server.

Moreover, the log severity level is defined in every traffic log.

We can filter logs by using below options:

Conclusion

Fortinet brings high-performance network infrastructure security that ensures protection of any network, associated users, and components of traffic. FortiGate provides top rated solutions and centralized management systems to handle end to end security of an organisation.

Continue Reading:

FortiGate Firewall Policy: Rules, Types & Configuration

Palo Alto vs Fortinet Firewall: Detailed Comparison

NAT Reflection: FortiGate Firewall (https://networkinterview.com/nat-reflection-fortigate-firewall/, Thu, 08 Aug 2024 16:32:45 +0000)

What is NAT Reflection?

We use Hairpin NAT, or NAT reflection, when our aim is to let an internal workstation access an internal server through the public IP that is bound to an external interface of the firewall.

NAT reflection separates external and internal access in such a way that external users are redirected to the public IP address of the server, while internal users reach the server directly via its internal IP address. In other words, when a client on the internal network uses the server's external/public IP address to access the application, NAT reflection rewrites the traffic so that it reaches the internal server over the internal route instead of going out through the external interface. This improves access speed and decreases the load on the firewall.

Let’s discuss above image to understand NAT reflection.

  • User is trying to access server 192.100.1.10 from inside network
  • 192.100.1.10 is the public IP address of server 100.0.0.10, which resides in the same network as the user's PC
  • User traffic for 192.100.1.10 reaches the firewall
  • The firewall checks that the server's public IP address is bound to the internal IP address 100.0.0.10
  • So, instead of sending traffic via external route firewall redirect traffic to internal route 
  • And traffic takes a U-turn to reach private IP address of server
  • That’s why it is called Hairpin or Loopback NAT 

In short, source address and destination address will be changed/modified by Firewall NAT feature so that devices can accept traffic to and from the correct locations.

Return traffic must reach the correct private IP address through the Firewall interface. And security policy must be placed for the correct source and destination to allow intra-zone communication between client and server.
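The address rewriting just described, and why the return path matters, can be traced with a small Python simulation. This is an added example, not FortiGate code: the VIP 192.100.1.10 and server 100.0.0.10 are the article's values, while the 100.0.0.0/24 segment, the firewall inside address 100.0.0.1, the client addresses and the port counter are constructed assumptions. It models the DNAT performed by the VIP and, for a client on the server's own segment, the extra source NAT that forces the server's reply back through the firewall; without it the server answers the client directly from its private address and the client discards the reply.

```python
from dataclasses import dataclass, replace
import ipaddress

# Values from the article: the server's public (VIP) address and its private address.
VIP_EXTERNAL = "192.100.1.10"
VIP_MAPPED = "100.0.0.10"
# Constructed assumptions: the server's LAN, the firewall's inside address and two clients.
INSIDE_NET = ipaddress.ip_network("100.0.0.0/24")
FW_INSIDE_IP = "100.0.0.1"
SAME_SEGMENT_CLIENT = "100.0.0.50"   # Case 2: client on the same interface as the server
OTHER_SEGMENT_CLIENT = "10.0.0.50"   # Case 1: client behind a different firewall interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def reply_to(pkt: Packet) -> Packet:
    """What any host does: answer to the address and port the packet came from."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


class HairpinFirewall:
    """Holds the VIP (DNAT). With snat=True it also rewrites the source of hairpinned
    sessions to its own inside address so that the server's replies come back through it."""

    def __init__(self, snat: bool):
        self.snat = snat
        self._next_port = 1024
        self._sessions = {}  # (fw_ip, fw_port) -> (client_ip, client_port)

    def inbound(self, pkt: Packet) -> Packet:
        """Client -> server direction."""
        if pkt.dst != VIP_EXTERNAL:
            return pkt
        out = replace(pkt, dst=VIP_MAPPED)  # DNAT: public IP -> private server IP
        same_segment = ipaddress.ip_address(pkt.src) in INSIDE_NET
        if self.snat and same_segment:
            port = self._next_port
            self._next_port += 1
            self._sessions[(FW_INSIDE_IP, port)] = (pkt.src, pkt.sport)
            out = replace(out, src=FW_INSIDE_IP, sport=port)  # hairpin SNAT
        return out

    def outbound(self, pkt: Packet) -> Packet:
        """Server -> client direction, for replies that actually reach the firewall."""
        key = (pkt.dst, pkt.dport)
        if key in self._sessions:
            client_ip, client_port = self._sessions.pop(key)
            pkt = replace(pkt, dst=client_ip, dport=client_port)  # undo hairpin SNAT
        if pkt.src == VIP_MAPPED:
            pkt = replace(pkt, src=VIP_EXTERNAL)  # undo DNAT so the client sees the VIP
        return pkt


def hairpin_session(client_ip: str, snat: bool) -> dict:
    """Send one request from client_ip to the VIP and report whether the reply is usable."""
    fw = HairpinFirewall(snat)
    request = Packet(client_ip, 40000, VIP_EXTERNAL, 22)
    to_server = fw.inbound(request)
    reply = reply_to(to_server)
    # Server routing: a destination on its own LAN is delivered directly, bypassing the
    # firewall; anything else goes to the firewall, its default gateway.
    direct = ipaddress.ip_address(reply.dst) in INSIDE_NET and reply.dst != FW_INSIDE_IP
    via_firewall = not direct
    if via_firewall:
        reply = fw.outbound(reply)
    # The client only accepts a reply that mirrors the request it sent.
    accepted = reply_to(reply) == request
    return {"to_server": to_server, "reply": reply,
            "via_firewall": via_firewall, "accepted": accepted}


if __name__ == "__main__":
    print("case 1, no SNAT:", hairpin_session(OTHER_SEGMENT_CLIENT, snat=False))
    print("case 2, no SNAT:", hairpin_session(SAME_SEGMENT_CLIENT, snat=False))
    print("case 2, SNAT:   ", hairpin_session(SAME_SEGMENT_CLIENT, snat=True))
```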

Let’s take different scenarios where we can implement NAT Reflection in Firewall. (FortiGate Firewall)

CASE STUDY 1: When user and web server are behind DIFFERENT firewall interfaces

As in the diagram, we have 3 ports configured in the FortiGate firewall:

  • Port 1: Internal
  • Port 2: External
  • Port 3: Server Segment

Configure Virtual IPs for Hairpin network 

  1. Go to Virtual IPs option
  2. Name Virtual IP
  3. Give External Public NAT IP address
  4. Map to Server Private IP address
  5. Enable Port forwarding 
  6. Select Protocol TCP
  7. External Port any random port range and Map to IPV4 Port 22. Click OK

Now first create external access of server to Public IP address

  1. Go to firewall Policy 
  2. Name firewall policy 
  3. Select inside and outside port for connection
  4. Select Source Any/All and destination VIPs which we have created above
  5. Select services which you want to allow
  6. Use outgoing interface and Click OK

Now our aim to move traffic of internal user from Port 1 -> Port 2 and then further Port 2 -> Port 3

First create Policy to enable access from Port 1 to Port 2 from internal Client 

  1. Create Firewall policy
  2. Allow access from port 1 to port 2
  3. Select source Any and destination any
  4. Service SSH
  5. Action Accept 
  6. Select OK

Now we have policy from Port1-> Port 2 and Port 2 -> Port 3

When user trying to access the server by using its public IP address from Internal segment then below output will receive in Firewall logs.

CASE STUDY 2: User and web server behind the SAME firewall interface

Here the web server IP address is 192.168.0.100 and the client subnet range is 192.168.0.0/24.

The client initiates the connection on Port 1, the traffic is redirected to Port 2, and from there it is forwarded to the web server, again on Port 1:

Internal Port 1 connected to LAN -> Port 2

External Port 2 connected to Internet -> Port 1

Let's configure Hairpin NAT for this case.

  1. Create a VIP on the FortiGate firewall
  2. Assign a name to the VIP
  3. Select the interface
  4. Add the external IP (public IP) and the mapped IP address in the tab
  5. Enable port forwarding if your network requires it, and click OK

Then create a firewall policy and add the parameters below to enable access.

Enable NAT so that external users can also access the internal web server.

Now we will create another firewall policy, which allows traffic from the internal network to Port 2 and from external Port 2 to the internal NAT server IP.

Here we disable NAT in the policy, as communication from the internal client to the internal web server does not require translation.

Click OK.

The external NAT and Hairpin NAT policies will look as shown below.

NAT reflection is now available in many other firewalls as well, including the Juniper SRX series, Cisco ASA and Check Point firewalls. It is the simplest way for an internal client to access an internal server via its public IP address.
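The CLI equivalent of Case Study 1, added here as an example (it is not configuration from the original article): one VIP plus the external-access and hairpin policies. It assumes the article's addresses and port roles, a 1:1 mapping on port 22 instead of a random external port, and the object and policy names shown.

```fortios
# Added example: hairpin NAT on FortiGate in CLI form (Case Study 1 layout).
# Assumes: port1 = internal clients, port2 = external (public 192.100.1.10),
# port3 = server segment (server 100.0.0.10). Object names are assumptions.

# 1. VIP binding the public address to the server. extintf "any" lets the
#    same VIP be matched in a policy whose source is port1 (hairpin) as well
#    as one whose source is port2 (Internet). No port forwarding here, so the
#    policy service is what limits access to SSH.
config firewall vip
    edit "vip-ssh-server"
        set extip 192.100.1.10
        set extintf "any"
        set mappedip "100.0.0.10"
    next
end

config firewall policy
    # 2. Internet users: port2 -> port3, destination is the VIP (pre-NAT address).
    edit 0
        set name "wan-to-server-ssh"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "vip-ssh-server"
        set action accept
        set schedule "always"
        set service "SSH"
        set nat disable
        set logtraffic all
    next
    # 3. Hairpin: internal clients on port1 that use 192.100.1.10 are sent
    #    straight to port3. The destination is rewritten to 100.0.0.10; the
    #    server replies to the client's real address through the FortiGate,
    #    which reverses the translation, so no source NAT is needed here.
    edit 0
        set name "lan-to-server-via-public-ip"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "vip-ssh-server"
        set action accept
        set schedule "always"
        set service "SSH"
        set nat disable
        set logtraffic all
    next
end
```

When client and server share one interface (the Case Study 2 layout), the hairpin policy has the same port as source and destination interface and needs nat enabled: otherwise the server answers the client directly from its private address and the client, expecting a reply from 192.100.1.10, resets the connection.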

FortiGate VDOM Configuration: Complete Guide https://networkinterview.com/fortigate-vdom-configuration/ Thu, 08 Aug 2024 16:30:59 +0000

Understanding FortiGate VDOM

A FortiGate VDOM (Virtual Domain) splits a FortiGate device into multiple virtual devices. Each VDOM has independent security policies and its own routing table, and by default traffic from one VDOM cannot move to a different VDOM, which means two interfaces in different VDOMs can share the same IP address without any overlapping IP/subnet problem.

When VDOMs are used on a firewall, a single FortiGate device becomes a virtual data centre of network security, UTM and secure network communication devices. By default a FortiGate firewall can support up to 10 VDOMs. However, a FortiGate high-end firewall can be customised to add a further 10 VDOMs.

  • Independent VDOMs: Some VDOMs are completely separated, with no communication between them. Each VDOM has its own physical interface link to the Internet. This kind of setup is used where multiple ISPs have been deployed in the network topology.
  • Routing through a VDOM: Traffic destined for the Internet is always routed through the designated/assigned VDOM; a single routing VDOM is used to route traffic towards the Internet. For example, if there are three VDOMs in the firewall, they all use the same routing VDOM to forward traffic towards the outside world.
  • Meshed VDOMs: VDOMs connect to other VDOMs through inter-VDOM links. We can specify which kind of traffic goes to which VDOM.
  • Management VDOM: It is used to forward system/FortiGate-generated traffic such as system daemons and NTP traffic. It is the VDOM from which all management traffic of the FortiGate firewall originates. The management VDOM must have access to all the global services, such as
    • NTP
    • FortiGuard update queries
    • SNMP
    • DNS filtering
    • Logs – Syslog and FortiAnalyzer
    • Management-related services

FortiGate VDOM Administrators

An account with the super_admin access profile (such as the built-in admin account) can configure and back up every VDOM. Select the super_admin access profile when configuring such an admin account; like the built-in admin account, it can then configure all VDOMs.

  • Per-VDOM Administrator: In most cases an admin account per VDOM is created. A per-VDOM admin is solely responsible for its own domain, including the configuration backup of that VDOM. In larger organisations you may need to create multiple VDOM administrators, and you can assign multiple administrators to each VDOM.

*A per-VDOM admin cannot access the global settings of the FortiGate firewall*

  • Create VDOM Administrator Account: Follow steps 1 to 5 to create a VDOM admin account in the FortiGate firewall

FortiGate VDOM Modes

There are two VDOM modes in FortiGate: Split VDOM and Multi-VDOM.

  • Split VDOM: In Split VDOM mode the FortiGate has two VDOMs in total, root and FG-Traffic. You cannot add VDOMs in Split VDOM mode. It keeps management and network traffic separate.
    1. Root: only management is allowed here, and it has its own separate entries
    2. FG-Traffic: provides separate security policies and allows traffic through the FortiGate. It is only for network traffic.

  • Multi-VDOM: You can create multiple VDOMs that function as multiple independent units. We use Multi-VDOM when we want to create multiple logical firewalls on a single hardware device; each VDOM acts as an independent FortiGate firewall. This kind of configuration suits a managed service provider leveraging a multi-tenant configuration, or a large enterprise that wants departmental segmentation. You can give each individual tenant or department visibility and management control independently.

Configure & Enable VDOM in FortiGate Firewall

Log in to the command line to enable the VDOM property in the FortiGate firewall.

1. Type the command # config system global -> to enter the global mode of the firewall

2. Select the VDOM mode with # set vdom-mode split-vdom OR # set vdom-mode multi-vdom

3. Here we have selected multi-vdom mode

3.1 Let's end the session

4. It will NOT reboot the device to enable VDOM mode; it just logs you out

5. Select Global VDOM from the FortiGate web GUI

6. Go to System

7. Select VDOM. By default the root VDOM is available in the config

8. Let's create a new VDOM

9. Name the new VDOM – marketing

10. NGFW Firewall mode -> Profile based

11. WiFi Country -> select as per the data available in your FortiGate firewall

12. Select OK

The next step is to add interfaces to the new VDOM -> marketing

13. Go to Global VDOM -> select Network -> move to Interfaces

14. Select the physical/logical interface which you want to add to VDOM-marketing

15. Choose Edit

16. Select marketing in the Virtual Domain field of interface LAN (port2)

17. Let's allocate another interface, port 3, to VDOM-marketing

18. Go to the Edit button

19. Select the marketing Virtual Domain in the port 3 interface

20. Select the marketing VDOM from the FortiGate firewall

21. Move to the Interfaces button and check that all the interfaces which are allocated to the marketing domain are present in the Interfaces tab

22. Both port 2 and port 3 interfaces are now available to the marketing VDOM

This is how interfaces are associated with virtual domains in a FortiGate firewall. The admin can configure each setting differently per VDOM. Examples are:

  • Firewall policies
  • Firewall objects
  • Security profiles, routes, network interfaces
  • Operating mode: NAT/route

Inter-VDOM Links

Inter-VDOM links route traffic between VDOMs.

Each VDOM behaves like a separate FortiGate firewall; with separate FortiGate devices we would normally connect cables and configure routing and policies between them. But VDOMs are on the same device, so how should the admin route traffic between them?

The solution to this requirement is the inter-VDOM link. An inter-VDOM link is a type of virtual interface that routes traffic between VDOMs. It removes the need for a physical cable loop.

Limitation -> Layer 3 interfaces are required; the admin cannot interlink Layer 2 or transparent-mode interfaces in FortiGate.

Prerequisites to configure inter-VDOM links:

  • Routes are required to forward the traffic from one VDOM to another
  • Firewall policies are also required to allow traffic from other VDOMs, the same as for traffic coming from a physical interface
  • When creating an inter-VDOM link the admin must create virtual interfaces

Steps to Create Inter-VDOM-Link

1. Go to Global > Network > Interfaces

2. Select Create New > VDOM Link

3. Provide a name for the link

4. Select the first FortiGate VDOM through which the other VDOM link will be connected. Here the first VDOM link is root and the second VDOM link is marketing

5. We are creating a point-to-point link, hence we give two IP addresses in IP/Netmask: 10.10.100.1/30 in NAT mode

6. Select the other V-link, which is marketing

7. Provide the IP address 10.10.100.2/30

8. Select OK to make the configuration changes

Now add static routing in the marketing VDOM to provide communication between the root VDOM and the marketing VDOM.

9. Go to Static Routes

10. Add a static route for the marketing VDOM along with the gateway address and the vlink interface

Enable static routing in the root VDOM as well

11. Assign the marketing physical interface IP address as the destination. Here, we have taken port 2, whose IP address is 10.0.5.1/24

12. After logging in to the root VDOM, go to Static Routes

13. Enter the destination IP address, which is the port 2 interface IP address of the marketing VDOM

14. Gateway address

15. Interface of the marketing vlink

Enable Firewall Policy between FortiGate VDOMs

Now create a firewall policy to allow traffic between the two FortiGate VDOMs

1. Log in to the marketing VDOM

2. Go to Security Policy and create a policy between the root and marketing VDOMs

3. Source interface LAN Port 2

4. Destination interface interlink 1

5. Disable NAT >> NAT is not required between these VDOMs

Create the same policy in the root VDOM

1. Log in to the root VDOM

2. Go to Security Policy and create a policy between the root and marketing VDOMs

3. Source interface inter_link0 (root interlink)

4. Destination interface port1 > WAN interface to the Internet

5. Enable NAT >> NAT is required to reach the Internet from the FortiGate firewall

After configuring the firewall policies, log in to the marketing VDOM and try to ping google.com. The policies are working fine if you get a ping response from google.com.
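The whole procedure above, from enabling multi-VDOM mode through the inter-VDOM link, routes and policies, in CLI form. This is an added example, not the article's own configuration; it uses the article's VDOM name, ports and addresses, and assumes the link name "vlink", port1 as the WAN interface in root, and a return route for the whole 10.0.5.0/24 subnet rather than the single port 2 address.

```fortios
# Added example (not the article's configuration): CLI form of the VDOM,
# interface, inter-VDOM link, route and policy steps above. Assumed names:
# VDOM "marketing" holding port2 (10.0.5.1/24) and port3; link "vlink" with
# 10.10.100.1/30 (root end) and 10.10.100.2/30 (marketing end); port1 = WAN.

# 1. Multi-VDOM mode: the session is logged out, the device is not rebooted.
config system global
    set vdom-mode multi-vdom
end

# 2. Create the VDOM.
config vdom
    edit marketing
    next
end

# 3. Assign interfaces and create the link. "vlink" yields two virtual
#    interfaces, vlink0 and vlink1, one placed in each VDOM. An interface
#    can only change VDOM while nothing in its current VDOM references it.
config global
    config system vdom-link
        edit vlink
        next
    end
    config system interface
        edit port2
            set vdom marketing
            set ip 10.0.5.1 255.255.255.0
        next
        edit port3
            set vdom marketing
        next
        edit vlink0
            set vdom root
            set ip 10.10.100.1 255.255.255.252
        next
        edit vlink1
            set vdom marketing
            set ip 10.10.100.2 255.255.255.252
        next
    end
end

# 4. Per-VDOM routing and policy. marketing defaults to root over the link
#    with no NAT; root routes 10.0.5.0/24 back and NATs on the way to port1.
config vdom
    edit marketing
        config router static
            edit 0
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.10.100.1
                set device vlink1
            next
        end
        config firewall policy
            edit 0
                set name "lan-to-root"
                set srcintf port2
                set dstintf vlink1
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat disable
            next
        end
    next
    edit root
        config router static
            edit 0
                set dst 10.0.5.0 255.255.255.0
                set gateway 10.10.100.2
                set device vlink0
            next
        end
        config firewall policy
            edit 0
                set name "marketing-to-wan"
                set srcintf vlink0
                set dstintf port1
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end
```

Tighten srcaddr/dstaddr to the marketing subnet and the allowed services before production use; "all"/ALL only mirrors the article's walkthrough.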

Related FAQs

Q.1 How many VDOMs can I create on my FortiGate?

The number of VDOMs you can create depends on the FortiGate model and the license purchased. Some models come with a base number of VDOMs, while others allow you to add more through licensing.

Q.2 What are the different VDOM modes in FortiGate?

  • Each VDOM operates in one of two modes:
    NAT/Route mode: the VDOM operates in routing mode, performing NAT and routing traffic between interfaces.
    Transparent mode: the VDOM acts as a Layer 2 bridge, forwarding traffic between interfaces without changing IP addresses.

Q.3 Can I manage VDOMs separately?

Yes, each VDOM can be managed independently, including separate administrators, policies, routing, and configurations. You can assign specific administrators to specific VDOMs with different access levels.

Q.4 How do I enable VDOMs on a FortiGate device?

To enable VDOMs:
Log in to the CLI.
Use the command –

config system global
set vdom-admin enable
end

Reboot the device if necessary

Q.5 How do I assign an interface to a specific VDOM?

To assign an interface to a VDOM:
Access the CLI.
Use the command

config global
config system interface
edit <interface_name>
set vdom <vdom_name>
next
end
end

This will move the interface to the specified VDOM.

Q.6 Can I configure different security profiles for each VDOM?

Yes, each VDOM can have its own set of security profiles, including antivirus, web filtering, IPS, and more. These profiles are managed independently within each VDOM.

Q.7 Can I disable VDOM mode after enabling it?

Yes, you can disable VDOM mode by:
1. Accessing the CLI.
2. Using the command:

config system global
set vdom-admin disable
end

3. This will remove all VDOM configurations and reset the device to a single administrative domain. Ensure you back up your configurations before disabling VDOM mode.

Q.8  What is an inter-VDOM link?

An inter-VDOM link is a virtual interface that connects two VDOMs, allowing traffic to pass between them. This is useful for scenarios where different VDOMs need to communicate with each other while maintaining their own routing and firewall policies.

Web Filtering Configuration in FortiGate https://networkinterview.com/web-filtering-configuration-in-fortigate/ Wed, 07 Aug 2024 10:04:13 +0000

FortiGate firewalls are the primary line of defence against security threats coming from the open Internet. The increasing sophistication of cyberattacks makes it difficult to rely solely on firewalls for network protection. An NGFW like FortiGate provides unified threat management and hybrid mesh firewall capabilities that go beyond traditional packet filtering, with add-on features like application awareness and control, integrated intrusion prevention, cloud-delivered threat intelligence etc.

In today’s topic we will learn about web filtering configuration in FortiGate firewall. 

What is Web Filtering? 

In order to regulate web usage and ensure a productive online environment, organizations rely on web filtering technology. It allows an organization to define and enforce Internet access policies for its employees. Organizations want to limit the content their employees see or access online. The web filtering feature blocks inappropriate content in the workplace, protects the organization's bandwidth and provides protection against malicious content.

How to Configure Web Filtering in FortiGate

With FortiGate web content filtering, we can control access to web content by blocking web pages that contain specific keywords and patterns. This helps prevent access to pages with inappropriate material.

Step 1:

Go to Security Profiles 🡪 Web Filter, go to the Static URL Filter section and enable 'Content filter'. This will display its options.

Step 2:

Choose 'Create New' to display the filter options. For Pattern Type choose 'Regular Expression' and enter the desired keyword in the Pattern field (example: Marketing), as depicted in the figure below.

Leave Language as 'Western'

Action – 'Block'

Status – 'Enable'

Select OK and check the Static URL Filter section for the update.

Now you can validate the configuration by visiting a website containing the word you defined in the pattern filter.

Flow-based Web Filtering

We can also do flow-based web filtering in FortiGate, which comes with the following options:

Authenticate – For specific website categories, authentication is required

Warn – Allows the user to continue browsing the website, but with a warning

Override – Allows users having valid credentials to override the <web filter profile>

Enable the authenticate and warning filter

Step 1: Go to Security Profiles 🡪 Web Filter in the FortiGate GUI

Step 2: Right-click the selected category to view the context menu

Step 3: Choose 'Authenticate' or 'Warning'

Step 4: Select Apply

To allow users to override blocked categories

Step 1: Choose 'Allow users to override blocked categories'

Provide the information below:

  • Groups that can override
  • Profile can switch to
  • Switch applies to
  • Switch duration

Step 2: Choose Apply
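As an added example (not the article's configuration), the CLI form of the three things the GUI steps above set: the 'Marketing' content filter, one category set to warning, and the override settings. The table and profile names, the user group, the threshold and duration values and the category-ID placeholder are assumptions; the override keywords are given from the FortiOS CLI as I know it and should be checked against your release.

```fortios
# Added example, not the article's own configuration. Names, group,
# durations and the category placeholder are assumptions.

# Keyword content filter: one regexp entry scoring 10; a page reaching the
# profile's bword-threshold (10 below) is blocked, so one match is enough.
config webfilter content
    edit 1
        set name "keyword-block"
        config entries
            edit "Marketing"
                set pattern-type regexp
                set lang western
                set score 10
                set action block
                set status enable
            next
        end
    next
end

# Web filter profile using the table, with one FortiGuard category set to
# warn and an override that lets members of a group switch profiles.
config webfilter profile
    edit "corp-web"
        config web
            set bword-table 1
            set bword-threshold 10
        end
        config ftgd-wf
            config filters
                # <category-id> is the FortiGuard category number to warn on.
                edit 1
                    set category <category-id>
                    set action warning
                    set warn-duration 5m
                next
            end
        end
        config override
            set ovrd-user-group "web-override-users"
            set profile-type list
            set profile "corp-web-relaxed"
            set ovrd-scope user
            set ovrd-dur 1h
        end
    next
end
```

Attach the profile to a firewall policy (utm-status enable, webfilter-profile "corp-web") together with an SSL/SSH inspection profile suited to your environment; keyword matching only works on content the FortiGate can actually read, so HTTPS pages need deep inspection.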

Troubleshooting FortiGate VPN Tunnel IKE Failures https://networkinterview.com/fortigate-vpn-tunnel-ike-failures/ Sat, 01 Jun 2024 16:35:44 +0000

In our previous post we discussed the IPsec VPN configuration on a FortiGate firewall. In this post we will understand how to troubleshoot FortiGate VPN tunnel IKE failures.

We are using the topology below to troubleshoot the FortiGate VPN IPsec tunnel issues:

  • Peer A -> 27.67.38
  • Peer B -> 83.200.6
  • LAN A -> 10.10.150.1/24
  • LAN B -> 68.0.1/24
  • User A -> 10.150.75/24
  • User B -> 168.0.33/24

You can see in the image above that the setup is very simple. Two firewalls are connected over an IPsec VPN, which means PC A can communicate with PC B.

Both peers, Peer A and Peer B, are FortiGate firewalls. The following commands are used on them to check the tunnel state and capture IKE debug output:

# get vpn ipsec tunnel summary

# diagnose vpn ike gateway list name <tunnel-name>

# diagnose vpn ike log-filter dst-addr4 <ip-address>
# diagnose debug application ike -1
# diagnose debug enable

Currently the FortiGate VPN tunnels of both Site A and Site B are down; when we send traffic over the VPN tunnel, this should bring the tunnel up.

>ping 192.168.0.33 -t

You need to ping from one side of the VPN to the other, which initiates traffic from one VPN peer to the other and brings the VPN up.

Troubleshooting FortiGate VPN CASE 1: Issue with Pre-shared Key

Now we have changed some configuration settings in the firewall which manually bring down the VPN IPsec tunnel, and we will troubleshoot the issue to identify the root cause.

We will perform the debug through the CLI to check the issue and run the IKE debug to capture the packets:

  • diagnose vpn ike log-filter dst-addr4 <peer gateway IP>
  • diagnose debug application ike -1

Now capture the logs from the CLI and run the command below to stop the packet capture:

  • diagnose debug reset

In the logs we can see that the pre-shared key is mismatched.

Troubleshooting FortiGate VPN CASE 2: Issue with Negotiation Algorithms

Now take another scenario. Again we have changed the configuration, and we take the debug again to see the root cause of the issue.

The error we get is a negotiation mismatch error; next we need to determine why we are getting the negotiation error here:

  • diagnose vpn ike log-filter dst-addr4 <peer gateway IP>
  • diagnose debug application ike -1

Now capture the logs from the CLI and run the command below to stop the packet capture:

  • diagnose debug reset

If we search through the debug logs we can see the proposal from Firewall B with its settings.

The crypto hash value is sha-256.

Here our work is to compare the configuration with Firewall B, i.e. the encryption (DES) and authentication (SHA) methods. When we checked the proposals we found that the authentication method in use is sha-256, so the firewall has to match the same proposal settings on the peer firewall side.

We have made the changes in Firewall A, and after that the VPN comes up.

Troubleshooting FortiGate VPN CASE 3: Issue with Phase 2 Negotiation Algorithms

In Case 3 we have again made another change in the IPsec VPN configuration of the firewall. Now apply the debug on the firewall. It looks very similar to the Case 2 VPN issue, however we need to note 2 important differences here:

  1. An IPsec SA error, which indicates an error in VPN IPsec phase 2
  2. Mismatch error logs in the phase 2 proposals

Here we are getting ISAKMP errors.

Similarly, check the logs in Firewall A, where we find that Firewall A is sending the negotiation to Firewall B.

Proposals that are not listed here do not appear because the firewall is not trying to match them with the remote peer. Furthermore, we can see the error statement in the debug logs:

  • IPSEC SA error (which means an issue with phase 2)

When we scroll the debug logs a little up in the CLI we can find that the log stream is indicating phase 2 by issuing the statement "matched phase2".

Then we get a message in which the firewall notifies that no proposal was chosen, which means Firewall B is not able to find a match for the proposal in the phase 2 negotiation. All the analysis points to this as the problem of the VPN.

To fix the issue we need to match the configuration of the IPsec phase 2 proposal on Firewall B.

After applying the configuration the issue is fixed, and phase 2 of the VPN tunnel comes up.
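The three cases above each point at specific FortiGate settings that must agree on both peers. The block below is an added example, not the article's configuration: it shows the capture sequence and the phase 1/phase 2 parameters each case involves. The tunnel name, proposal values, the LAN B placeholder and the secret placeholder are assumptions.

```fortios
# Added example: debug capture plus the settings behind each failure case.
# Tunnel name "siteB", proposal choices and placeholders are assumptions.

# 1. Capture IKE negotiation with peer B only, then trigger traffic
#    (e.g. ping 192.168.0.33 from LAN A) before stopping the capture.
#    Later FortiOS releases replace "log-filter dst-addr4" with
#    "diagnose vpn ike log filter rem-addr4"; check your release.
diagnose vpn ike log-filter dst-addr4 <peer-B-public-IP>
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
diagnose debug reset

# 2. Phase 1: Case 1 (pre-shared key mismatch) is fixed by setting the same
#    psksecret on both peers; Case 2 (phase 1 proposal mismatch) by making
#    proposal and dhgrp identical on both sides.
config vpn ipsec phase1-interface
    edit "siteB"
        set interface "wan1"
        set ike-version 1
        set remote-gw <peer-B-public-IP>
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <same-secret-as-peer-B>
    next
end

# 3. Phase 2: Case 3 ("matched phase2" followed by no proposal chosen) is
#    fixed here: proposal, PFS group and selectors must match peer B.
config vpn ipsec phase2-interface
    edit "siteB-p2"
        set phase1name "siteB"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 10.10.150.0 255.255.255.0
        set dst-subnet <LAN-B-network> <LAN-B-mask>
    next
end

# 4. Verify: the IKE SA should show as established and the tunnel as up.
diagnose vpn ike gateway list name siteB
get vpn ipsec tunnel summary
```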

Site-to-Site VPN Between FortiGate and SonicWall using DDNS https://networkinterview.com/site-to-site-vpn-fortigate-and-sonicwall-ddns/ Tue, 14 May 2024 18:21:47 +0000

A site-to-site VPN is a connection between two or more networks, widely used by enterprises to carry private traffic over an Internet connection instead of private MPLS circuits. Site-to-site VPNs are used by enterprise offices dispersed across geographic locations that need to access and use the corporate network.

In today's topic we will learn about configuring a site-to-site VPN between FortiGate and SonicWall using dynamic DNS as the peer address. Site-to-site VPNs are used to provide uninterrupted and secure communication.

Establish: Site-to-site VPN between FortiGate and SonicWall with Dynamic DNS

Let's look at the prerequisites before we start the configuration steps.

  • Admin access to both the FortiGate and SonicWall firewall interfaces
  • FortiGate version 6.x or later
  • SonicWall version 6.x or later
  • Basic networking and firewall configuration
  • Active dynamic DNS account for both devices

Step 1: Configure DDNS and the VPN tunnel on FortiGate

  1. Go to Network 🡪 DNS
  2. Enable FortiGuard DDNS
  3. Choose the interface having the dynamic connection
  4. Choose the server where you have an account
  5. Enter a unique location
  6. Click Apply

To configure DDNS using the CLI:

config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "branch.float-zone.com"
        set monitor-interface "wan1"
    next
end

Go to VPN 🡪 IPsec Tunnels. Create a new tunnel; for the remote gateway select 'Dynamic DNS', provide the SonicWall's remote DDNS name and choose the external interface (WAN) that is used to communicate with the SonicWall.

Select 'Aggressive Mode' and, under 'Peer options' 🡪 Accept types, select 'Specific peer ID'; in the 'Peer ID' field provide the SonicWall's remote DDNS name.

In the 'Phase 1 (P1) proposal' section, ensure all proposal selections correspond to the proposals on the SonicWall. The Local ID field carries the FortiGate's dynamic DNS name.

Configure 'Local address' and 'Remote address' to define the traffic of interest between the local and remote sites; the selected networks must match those defined on the SonicWall side.

In 'Phase 2 (P2) proposal', the selections must correspond to the proposals on the SonicWall. Enable Auto-negotiate to ensure proper functioning.
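The FortiGate side of Step 1 in CLI form, added here as an example and not taken from the article. The SonicWall DDNS name, tunnel name, proposals, LAN subnets, object names and the secret placeholder are assumptions; branch.float-zone.com is the FortiGate DDNS name from the article's DDNS block.

```fortios
# Added example: CLI equivalent of the FortiGate side described above.
# The SonicWall DDNS name, tunnel name, proposals, subnets and the secret
# placeholder are assumptions; branch.float-zone.com is the article's
# FortiGate DDNS name. Every value here must match the SonicWall exactly.

# Phase 1: peer addressed by DDNS name, aggressive mode, FQDN IDs both ways.
config vpn ipsec phase1-interface
    edit "to-sonicwall"
        set type ddns
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set remotegw-ddns "sonicwall.example-ddns.net"
        set peertype one
        set peerid "sonicwall.example-ddns.net"
        set localid "branch.float-zone.com"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <pre-shared-key>
    next
end

# Phase 2: selectors are the traffic of interest; auto-negotiate brings the
# tunnel up without waiting for traffic.
config vpn ipsec phase2-interface
    edit "to-sonicwall-p2"
        set phase1name "to-sonicwall"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

# Route the remote LAN into the tunnel interface.
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "to-sonicwall"
    next
end

# Address objects so the policies admit only the two LANs, and policies in
# both directions without NAT (private addressing is kept across the VPN).
config firewall address
    edit "lan-local"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "lan-sonicwall"
        set subnet 192.168.20.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "lan-to-sonicwall"
        set srcintf "internal"
        set dstintf "to-sonicwall"
        set srcaddr "lan-local"
        set dstaddr "lan-sonicwall"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "sonicwall-to-lan"
        set srcintf "to-sonicwall"
        set dstintf "internal"
        set srcaddr "lan-sonicwall"
        set dstaddr "lan-local"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```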

Step 2: Configure DDNS and the VPN tunnel on SonicWall

  1. Log in to the SonicWall management interface
  2. Choose Network in the navigation menu
  3. Choose DNS 🡪 Dynamic DNS
  4. Click on 'Add'
  5. 'Add DNS profile' is displayed
  6. Click OK
  7. Check that the profile is 'Enabled', the status is shown as On-line and the correct IP is reflected

Once DNS is working fine, set up the DDNS to allocate a domain name to the SonicWall external interface (WAN), which will act as the peer for the FortiGate device.

  1. To set up the VPN go to the Wizard section and choose 'VPN Guide'
  2. Select the site-to-site VPN option
  3. Fill in the form by choosing a name for 'Policy name'. Activate the 'I know my remote peer address or FQDN' option and provide the FortiGate dynamic DNS name in 'Remote Peer IP address or FQDN'. Choose 'Next'.
  4. In the 'Network selection' tab choose the 'local' and 'destination' network
  5. If the 'destination' network is not set up yet, create it by selecting the 'create new address object' option from the drop-down menu.
  6. Provide 'Name', select the appropriate zone assignment and 'type', provide the destination network and mask, and save.
  7. After selecting the desired local and destination networks click Next
  8. Select the appropriate proposals and ensure they match the FortiGate configuration
  9. Click Apply
  10. Under the VPN section choose 'Rules and settings' and edit the tunnel
  11. Modify both the local and peer IKE IDs from IPv4 address to domain name
  12. Enter the SonicWall dynamic DNS name for 'Local IKE ID' and the FortiGate dynamic DNS name for 'Peer IKE ID'.
  13. Review all configurations
  14. Select the appropriate 'Local network' and 'destination network' to define the traffic of interest between the local and remote sites
  15. The selected networks need to match those defined on the FortiGate

To verify and test, go to the FortiGate:

Monitor 🡪 IPsec Monitor

The VPN should appear as active.

SD-WAN Zones: FortiGate https://networkinterview.com/sd-wan-zones-fortigate/ Tue, 30 Apr 2024 15:16:18 +0000

SD-WAN is a software-defined networking approach in which the hardware is separated from the control plane. SD-WAN is an ideal technology for cloud and on-prem deployments. It consolidates transport connections (underlays) and monitors and load-balances traffic across WAN links. To control traffic across different sites, VPN overlay networks are built upon the underlays.

SD-WAN zones allow grouping of underlay and overlay interfaces and are used in policy management.

In today's topic we will learn about SD-WAN zones, their features, how to create SD-WAN zones, how to assign SD-WAN members to zones, and how to configure policies for SD-WAN zones.

About SD-WAN Zones

SD-WAN zones are logical groupings of SD-WAN members used to assign policies, static routes and SD-WAN rules. SD-WAN interfaces can be grouped using multiple zones. SD-WAN zones are used in firewall policies as source and destination interfaces and provide more granular control of networks. SD-WAN members cannot be assigned to policies directly, and an SD-WAN member cannot be shared between multiple SD-WAN zones.

Creation of SD-WAN zone (CLI) 

Enable SD-WAN and create zone 

config system sdwan
    set status enable
    config zone
        edit "vpn-zone"
        next
    end
end

Creation of SD-WAN zone (GUI)

Step 1: Navigate to Network 🡪 SD-WAN zones

Step 2: click on Create 🡪 SD-WAN zone 

Step 3: Provide name for new zone

Step 4: Add SD-WAN members into the SD-WAN (already created ones)

Creation of SD-WAN interface member (CLI)

config system sdwan
    config members
        edit 1
            set interface "To_FG_A_root"
            set zone "vpn-zone"
        next
        edit 2
            set interface "GRE_A"
            set zone "vpn-zone"
        next
    end
end

Creation of SD-WAN interface member (GUI)

Step 1: Navigate to Network 🡪 SD-WAN zones

Step 2: Click on Create New 🡪 SD-WAN member

Step 3: Choose an interface

The interface can be set to none and provided later, or click on +VPN to create an IPsec VPN (for the SD-WAN member)

Step 4: Choose the SD-WAN zone which the SD-WAN member will join

Step 5: Set up gateway, cost and status as needed

Step 6: Click on OK

Network 🡪 Interfaces shows the SD-WAN zones and their SD-WAN members

Policy creation using SD-WAN zone (CLI)

config firewall policy
    edit <policy_id>
        set name <policy_name>
        set srcintf internal
        set dstintf vpn-zone
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set utm-status enable
        set ssl-ssh-profile <profile_name>
        set av-profile <profile_name>
        set webfilter-profile <profile_name>
        set dnsfilter-profile <profile_name>
        set emailfilter-profile <profile_name>
        set ips-sensor <sensor_name>
        set application-list <app_list>
        set voip-profile <profile_name>
        set logtraffic all
        set nat enable
        set status enable
    next
end

Policy creation using SD-WAN zone (GUI)

Step 1: Navigate to Policy & Objects 🡪 Firewall policy | Policy & Objects 🡪 Proxy policy | Policy & Objects 🡪 Security policy

Step 2: Click on Create new 

Step 3: Choose SD-WAN zone for incoming and outgoing interface and configure policy settings as required

Step 4: Click on OK

You can view SD-WAN zone topology from Security Fabric 🡪 Physical topology or Security Fabric 🡪 logical topology

Palo Alto vs Fortinet Firewall: Detailed Comparison https://networkinterview.com/palo-alto-vs-fortinet-firewall/ Tue, 09 Apr 2024 11:20:36 +0000

(Diagram depicting Palo Alto vs Fortinet Firewall)

Organizations need to keep pace with a rapid increase in technology demands such as remote working, anywhere connectivity, lower latency and increased availability, along with protection of the infrastructure from a never-ending list of threats and vulnerabilities. Firewalls are a crucial security product that provides the capabilities to protect your networks and the data residing within them. Moving from stateful network firewalls to next-generation firewalls is a game changer.

The traditional firewall approach of filtering incoming and outgoing traffic based on Internet Protocol (IP) addresses and ports is replaced by next-generation firewalls, which provide add-on features like application control, intrusion prevention (IPS), URL filtering and advanced threat protection capabilities like sandboxing.

Today we look in more detail at the firewalls of two of the most popular companies, Palo Alto vs Fortinet: key differences, features etc.

About Palo Alto Firewall

Palo Alto Networks is a global cybersecurity company based in Santa Clara. Its firewall is one of its core security products, alongside its cloud-based security offering, and Palo Alto is used by 85000 customers across 150+ countries. It has both physical and VM-series firewalls: the PA-220, PA-800, PA-3200 series and PA-5200 series are next-generation hardware appliances, while the PA-7050 and PA-7080 use a chassis-based architecture.

With the release of PAN-OS 9.0, the new K2-series firewalls were introduced, a 5G-ready firewall designed for service provider mobile network deployments with 5G and IoT security needs. The VM-series firewalls can be deployed on premises or in cloud environments. They use a unified licensing system which is platform agnostic.

Features of Palo Alto Firewall

  • The license bundles antivirus, antispyware and vulnerability protection. Threat Prevention allows obtaining content updates for malware protection
  • Able to create a copy of decrypted traffic from the firewall and send it to a traffic collection tool for archiving and analysis
  • Ability to control access to websites based on the category of URLs
  • Receives antivirus signature updates, which include signatures discovered by WildFire
  • Special license for extended VPN remote access connectivity with multiple gateway usage, mobile apps, mobile security management, host information checks or an internal gateway

About Fortinet Firewall

Fortinet was founded in 2000 by brothers Ken Xie and Michael Xie as a cybersecurity company; the name is derived from the phrase 'Fortified Networks'. FortiOS is the operating system that runs on FortiGate hardware and virtual appliances and is the foundation of the Fortinet Security Fabric.

The majority of FortiGate models use specialised acceleration hardware known as security processing units (SPUs), which offload resource-intensive processing from the main CPU. Content processors (CPs) within the SPU family accelerate a wide range of essential security functions such as virus scanning, attack detection, encryption and decryption.

Features of Fortinet Firewall

  • Application control: understands application-layer protocols and identifies applications
  • Web filtering: blocks access to malicious, compromised or inappropriate websites
  • Antivirus: protects against viruses, spyware and content-level threats
  • Sandboxing: performs dynamic analysis in the cloud to identify unknown malware, with automatic detection and response
  • Mobile security: uses detection engines to stop new and evolving threats on mobile devices from gaining access to the network and to personal information
  • IP reputation: aggregates lists of malicious source IP addresses
  • Industrial security: controls access to risky industrial (OT) protocols
  • Antispam: protects against spam at the network perimeter and controls email-borne attacks and infections

 

Comparison Table: Palo Alto vs Fortinet firewall

(The original page summarises the key differences between the two firewalls in a table provided as an image and a download; its rows are not reproduced here.)

FortiAnalyzer: The Complete Guide
https://networkinterview.com/fortianalyzer/
Tue, 12 Mar 2024

FortiAnalyzer: Security Management Platform

FortiAnalyzer aggregates log data from one or more Fortinet devices and provides a single platform for viewing reports and events. Once devices are registered with FortiAnalyzer it receives their logs, buffers, reorganises and stores them, and generates reports according to the configured settings.

Administrators can view and search logs and configure reports in the FortiAnalyzer portal.

Key Features of FortiAnalyzer 

  • Reports: reports on the events and activities that occur on registered devices. Collected logs are archived and filtered, then used for compliance checks or historical analysis.
  • Alerts: FortiAnalyzer identifies security threats in the logged traffic and generates notifications. Alerts can be viewed in the Event Monitor or delivered by email, SNMP trap or syslog.
  • Content archiving: archives the content of sessions (DLP archiving) so that you can verify whether sensitive information has left the network.

FortiAnalyzer Operating Modes

FortiAnalyzer has two operating modes for log collection.

  1. Analyzer: the default mode. The device receives logs directly from registered devices and can also act as the central aggregator for one or more Collectors; the full set of analysis, event-management and reporting features is available.
  2. Collector: the device only receives and stores logs from registered devices and forwards them to a FortiAnalyzer running in Analyzer mode. Analysis and reporting are not available in this mode. (Forwarding logs to an external syslog server is a separate log-forwarding feature available in either mode.)

SQL is the database language FortiAnalyzer uses for logging and reporting; advanced reporting (custom datasets) requires some knowledge of SQL and databases.

FortiAnalyzer Administration & Management

You can create multiple administrator accounts in FortiAnalyzer and divide administrative tasks among them, for example creating log reports, checking event logs or monitoring dashboards.

To protect the system, you can control or restrict administrative access using the following methods:

  • Administrator profiles: determine the level of access and the privileges granted.
  • Trusted hosts: determine from where an administrator may connect, by allowing logins only from specific IP addresses or subnets.
  • ADOMs: determine which devices' logs an administrator can view and manage.

 

Different types of Administrative Profiles 

  1. Super_User: all system and device privileges are enabled; this profile has full rights over device and system settings.
  2. Standard_User: read-write access to device settings but no system privileges.
  3. Restricted_User: read-only access to device settings and no access to system settings.

 

Two Factor Authentication in FortiAnalyzer

It combines something you have (a token) with something you know (the account password).

To configure two-factor authentication you need:

  • FortiAuthenticator: on the FortiAnalyzer side, create a RADIUS server object that points to FortiAuthenticator, then create an administrator account that authenticates against that RADIUS server.
  • FortiToken: a hardware or mobile one-time-password token assigned to the user on FortiAuthenticator; FortiAuthenticator validates the password and the one-time code when the RADIUS request arrives.
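As an added example (not from the original article), here is how the access controls described above combine on the FortiAnalyzer CLI: a RADIUS server object pointing at a FortiAuthenticator, a Restricted_User administrator that authenticates through it (so the FortiToken one-time code is checked by FortiAuthenticator, not by FortiAnalyzer), and trusted-host and ADOM restrictions on that account. The IP addresses, names, ADOM and shared secret are assumptions; keyword names follow the FortiAnalyzer 7.x CLI and may differ slightly in other releases (check with ? at the prompt).

```fortios
# Added example: FortiAnalyzer CLI (assumed 7.x syntax).
# 1. RADIUS server object pointing at FortiAuthenticator.
#    Server address and secret are assumptions.
config system admin radius
    edit "FAC-RADIUS"
        set server 10.10.1.20
        set secret <strong-shared-secret>
        set auth-type any
        set port 1812
    next
end

# 2. Administrator that authenticates via that RADIUS server.
#    FortiAuthenticator checks password + FortiToken OTP before
#    it returns Access-Accept, so FortiAnalyzer never sees the OTP.
config system admin user
    edit "soc-analyst"
        set user_type radius
        set radius_server "FAC-RADIUS"
        # Restricted_User: read-only on devices, no system settings
        set profileid "Restricted_User"
        # Only this ADOM's logs are visible (ADOM assumed to exist)
        set adom "Tenant-A"
        # Logins accepted from the SOC subnet only; the default
        # trusthost of 0.0.0.0/0 would allow any source
        set trusthost1 10.10.1.0 255.255.255.0
    next
end
```

Once the account exists, log in from a host outside 10.10.1.0/24 to confirm the trusted-host check rejects it, then review the attempt under System Settings > Event Log with the User filter set to soc-analyst.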

 

You can monitor administrator activity in the FortiAnalyzer event logs and narrow them down with filters:

  • Go to System Settings
  • Select Event Log
  • Apply the User filter to list the actions of a particular administrator

How to Register Devices on FortiAnalyzer for Log Collection

FortiAnalyzer can collect logs from multiple devices, but each device must first be registered with it.

There are three ways to register a device with FortiAnalyzer:

  1. Registration request: a supported device configured to log to FortiAnalyzer sends a registration request, which appears as an unregistered device that the administrator can accept (authorise).
  2. Add Device wizard: the administrator adds the device by its serial number; if the details are correct, the device is automatically detected and added.
  3. Add Device wizard with a pre-shared key: once the same pre-shared key is configured on the device and matches, the device is added and registered automatically.

 

Add FortiAnalyzer in FortiGate Firewall

  1. Make sure the FortiAnalyzer and the FortiGate can reach each other over the network, then on the FortiGate go to Security Fabric
  2. Select Fabric Connectors
  3. Select the FortiAnalyzer Logging connector
  4. Edit the settings
  5. When the FortiAnalyzer section opens, fill in the remaining values
  6. Enable the FortiAnalyzer logging status
  7. Add the IP address of the FortiAnalyzer
  8. Select the log upload option (real time, every minute, every 5 minutes, or store-and-upload)
  9. Verify the FortiAnalyzer certificate against its serial number
  10. Select OK
  11. Accept the serial-number certificate verification prompt
  12. The FortiAnalyzer is now configured on the FortiGate
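The CLI equivalent of the GUI steps above, as an added example that is not part of the original article. It pins the FortiAnalyzer's serial number and enables certificate verification, so the FortiGate will not hand its logs to a host that merely answers on the right IP; the FortiAnalyzer address and serial number are assumptions and the syntax is FortiOS 7.x.

```fortios
# Added example: FortiGate CLI (FortiOS 7.x). IP and serial are assumptions.
config log fortianalyzer setting
    set status enable
    set server "10.10.1.10"
    # real-time upload, TCP-based reliable delivery (OFTP)
    set upload-option realtime
    set reliable enable
    # refuse to log to a collector whose certificate/serial does not match
    set certificate-verification enable
    set serial "FAZ-VMTM00000001"
end

# Which log categories are sent; UTM/traffic logging is also
# enabled per firewall policy (set logtraffic all)
config log fortianalyzer filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
end

# Check the registration handshake and log connectivity
execute log fortianalyzer test-connectivity
```

The test-connectivity output reports the registration state; until the device is authorised on the FortiAnalyzer side (next section) it shows as unregistered and logs are queued rather than accepted.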

Now, Register FortiGate Firewall in FortiAnalyzer

  1. Log in to FortiAnalyzer and select the root ADOM
  2. A notification for an unregistered device appears (because the FortiGate and FortiAnalyzer can reach each other, FortiAnalyzer detects the unregistered device automatically). Select Device Manager
  3. In Device Manager the FortiGate is listed but shows as Unregistered. Select the unregistered device and edit its settings
  4. Choose the ADOM in which the device is to be registered
  5. Verify the device name, host name and serial number, then authorise the device
  6. Select OK
  7. Once the device is registered in FortiAnalyzer, verify the device name
  8. Verify the FortiGate firewall IP address

Logging

Log messages help you picture what is happening on your network devices; they record service use and help identify security breaches in the network.

Log types supported by Fortinet devices

Logs are viewed in the Log View tab, where the view can be restricted to one or more log groups.

The following log categories are available in the Log View dashboard:

  • Threats: all logs that carry threat alerts. Covers Top Threats, Threat Map, Compromised Hosts and FortiSandbox Detection.
  • Traffic: normal traffic logs of registered devices. Covers top sources and destinations, top countries/regions, policy hit counts and DNS logs.
  • Applications & Websites: cloud application traffic, website domains and categories, and browsing users.
  • VPN: VPN traffic of the devices, such as SSL VPN or IPsec VPN sessions.

Incidents and Events

FortiSOC has three dashboards that provide a general overview and statistics of events. These dashboards help the SOC team monitor traffic and identify gaps in the network.

The Event dashboard shows total generated events, mitigated events and top events by handler, so the SOC team can quickly identify which types of event need to be checked and mitigated first, based on severity or priority.

The Incident dashboard shows total incidents, unresolved incidents and incident types, and gives a clear picture of the number of incidents per device.

Incidents & Events also has an Event Monitor tab covering all events from all devices:

  • All Events: every event generated for a device, together with the threat it relates to. Event handlers decide whether a set of logs should generate an event.
  • Predefined event handlers are provided and can be cloned or customised.
  • Events raised by the Event Monitor are viewed under All Events.

An incident can be created when an event is reported and requires deeper analysis; incidents can be created manually or automatically.

To view the details of an incident, go to Incidents, right-click the incident and select Analysis. The Analysis page provides all the information relevant to the incident.

Reports

A report summarises large amounts of data: based on the chosen parameters FortiAnalyzer extracts data and presents it graphically, which makes it quicker and easier to read.

Logs are stored in a SQL database. A report runs SQL queries (datasets) against that database to pull the specific information required, and the results populate the charts and graphical views.

Before you create or generate a report, consider a few factors that make it as effective as possible:

  • Audience: who is going to read the report.
  • Purpose: why this piece of information is required.
  • Level of detail: best practice is to keep the report short and concise.
  • Format: choose the best way to present the information.

Let’s generate a report

  1. Go to Reports and select All Reports
  2. Create New Report
  3. Give the report a name and apply a filter on source or traffic type
  4. Run Report to generate the PDF file
  5. Download the report once it appears on the screen
  6. Check the PDF, identify the host details and forward it to the requester, or keep it for records

Conclusion

FortiAnalyzer is an important appliance (hardware or virtual) for monitoring. It detects threats and malicious activity in the network and notifies SOC administrators, provides graphical reports and a range of monitoring tools, and is designed for both large-scale deployments and small offices. It is a core tool for SOC teams because it improves visibility, and it is recommended for any team that monitors firewalls or other devices.

FortiAnalyzer vs FortiManager: What is the Difference?
https://networkinterview.com/fortianalyzer-vs-fortimanager/
Mon, 11 Mar 2024

Managing the cyber-threat landscape is a major concern for enterprises. As more organisations adopt cloud ecosystems, their reliance on third-party SaaS providers for the security of their data and information is at an all-time high.

Because physical boundaries have all but disappeared in cloud networks, organisations need complete visibility into every network segment, device and appliance (physical or virtual, in the cloud or on premises), along with centralised security log management and reporting, and alerting based on behaviour, event logs and so on.

Today we compare two Fortinet products, FortiAnalyzer vs FortiManager, to understand their purpose, capabilities and key differences.

What is FortiAnalyzer? 

FortiAnalyzer collects logs from several Fortinet devices and provides a centralised view of the security events happening in the network. FortiGate devices send their logs to FortiAnalyzer, which generates alerts when configured conditions match the logs and uses SQL for logging and reporting. The device can operate in two modes: Analyzer and Collector. Analyzer is the default mode, in which it collects and analyses logs and can also forward them to syslog servers.

In the Collector role it only collects logs from devices and forwards them to a FortiAnalyzer running in Analyzer mode; no event-management capabilities are available in this mode. FortiAnalyzer also records administrator activities such as configuration changes and logins.


What is FortiManager?

FortiManager manages several Fortinet devices centrally: instead of logging in to each device individually, all devices are managed from a single console. FortiManager keeps a history of configuration changes, allows new changes to be scheduled or previous configurations to be rolled back, and lets you quickly create and modify policies and objects through its GUI.

It can act as a local FortiGuard distribution server, providing FortiGuard and firmware updates to all managed devices. FortiManager can also take on the FortiAnalyzer role and store logs from managed devices, which is adequate for low log volumes.


Comparison: FortiAnalyzer vs FortiManager

FortiAnalyzer and FortiManager are both products offered by Fortinet, a leading cybersecurity company, but they serve different purposes within the Fortinet ecosystem.

Data analytics & reporting

  • FortiAnalyzer – Primary focus is data analysis and reporting: in-depth insight into network traffic, threat intelligence and user behaviour; monitoring of network activity, identification of vulnerabilities and report generation for compliance.
  • FortiManager – Integrated platform for centralised management of Fortinet products: policy-based provisioning, configuration and update management for FortiGate, FortiWiFi and other devices.

Scalability & integration

  • FortiAnalyzer – Integrates seamlessly with other Fortinet products to leverage the existing security infrastructure; centralised collection and analysis for Fortinet devices.
  • FortiManager – Scales to manage up to 5,000 devices and virtual domains (VDOMs) from a single FortiManager interface, depending on the model.

Threat intelligence

  • FortiAnalyzer – Advanced threat-intelligence capabilities: detection and mitigation of emerging threats and analysis of malware behaviour.
  • FortiManager – Faster deployment of the Fortinet security architecture through rapid device provisioning, detailed revision tracking and auditing.

Log collection & retention

  • FortiAnalyzer – Log collection and retention is the key capability: a centralised repository of logs from multiple devices, with traceability of network events.
  • FortiManager – Can also act as a FortiAnalyzer to collect and store logs, but not at high scale.

Use cases

  • FortiAnalyzer – Compliance; security incident investigation; network performance monitoring.
  • FortiManager – Complex network infrastructures; consistent security policies; device provisioning.

Virtual Domain (VDOM) and Administrative Domain (ADOM) in Fortinet
https://networkinterview.com/virtual-domain-and-administrative-domain/
Thu, 15 Feb 2024

Most organisations are moving to cloud-based infrastructure to run their IT operations, and cloud service providers must offer multi-tenant services built on products that support multi-tenant scenarios. Networking is a crucial part of that ecosystem, and tenant separation has to extend to the network and security layer: one administrator must not be able to see or change another tenant's configuration. Fortinet addresses this with virtual domains (VDOMs) on FortiGate, which split one firewall into independent virtual firewalls, and administrative domains (ADOMs) on its management and other platforms, which constrain an administrator's privileges to a subset of devices, policies or servers.

Today we look in more detail at Fortinet administrative domains (ADOMs) and virtual domains (VDOMs), how they work, how they differ, and how to configure them.

What is VDOM or Virtual Domain in Fortinet?

Virtual domains (VDOMs) divide a single physical FortiGate unit into multiple virtual devices, each functioning as an independent firewall with its own interfaces, configuration and policies. This is useful in multi-tenant environments where logical segregation of the network infrastructure is required.

Each VDOM operates as a separate firewall, so network administrators can define separate security policies and configurations for different network segments while the physical resources are shared. Segmenting the network this way improves security, and VDOMs can also be used purely for traffic segmentation. Out of the box a FortiGate has a single VDOM named root; when multiple VDOMs are enabled, device-wide settings are configured in the global context and root remains the management VDOM by default.


Configuring VDOM

To enable VDOM

Go to System > Settings and, under System Operation Settings, enable Virtual Domains (multi VDOM mode)

Or from the CLI:

config system global

set vdom-mode multi-vdom

end

To create VDOMs

Log in again with the admin account (enabling VDOM mode logs you out).

Go to Global > System > VDOM and create two VDOMs, VDOM-1 and VDOM-2.
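The same procedure on the CLI, as an added example that is not part of the original article. Beyond creating the two VDOMs it shows the two steps that make the separation real in practice: placing interfaces into each VDOM, and creating a tenant administrator whose account is scoped to one VDOM with a non-super profile and a trusted host. Interface names, addresses and the inter-VDOM link are assumptions; syntax is FortiOS 7.x.

```fortios
# Added example (not from the article): FortiOS 7.x CLI.
# Interface names and addresses are assumptions.

# Enable multi-VDOM mode (you are logged out and must log back in)
config system global
    set vdom-mode multi-vdom
end

# Create the two VDOMs
config vdom
    edit "VDOM-1"
    next
    edit "VDOM-2"
    next
end

# Interface assignment is done in the global context.
# An interface belongs to exactly one VDOM.
config global
    config system interface
        edit "port3"
            set vdom "VDOM-1"
            set ip 10.1.0.1 255.255.255.0
            set allowaccess ping
        next
        edit "port4"
            set vdom "VDOM-2"
            set ip 10.2.0.1 255.255.255.0
            set allowaccess ping
        next
    end

    # Optional inter-VDOM link. Creating "v1v2" produces interfaces
    # v1v20 and v1v21; traffic between the VDOMs still has to match a
    # firewall policy in each VDOM, so the tenants stay policy-separated.
    config system vdom-link
        edit "v1v2"
        next
    end
    config system interface
        edit "v1v20"
            set vdom "VDOM-1"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "v1v21"
            set vdom "VDOM-2"
            set ip 10.255.0.2 255.255.255.252
        next
    end

    # Tenant administrator: confined to VDOM-1, built-in prof_admin
    # profile (no global settings), logins only from the tenant subnet
    config system admin
        edit "tenant1-admin"
            set vdom "VDOM-1"
            set accprofile "prof_admin"
            set trusthost1 10.1.0.0 255.255.255.0
            set password <strong-password>
        next
    end
end
```

Log in as tenant1-admin afterwards: the GUI opens directly in VDOM-1, port4 and VDOM-2 are not visible, and the Global menu is absent, which is the behaviour to confirm before handing the account to a tenant.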

What is ADOM or Administrative Domain in Fortinet?

Administrative domains (ADOMs) let the top-level administrator constrain other administrators' privileges to a subset of the managed resources. On FortiManager and FortiAnalyzer an ADOM groups managed devices and VDOMs (and, on FortiManager, their policy packages and objects); on FortiWeb an ADOM groups a subset of policies and protected host names. Either way it is useful for large enterprises and multi-tenant deployments such as web hosting companies. ADOMs are not enabled by default; enabling and configuring them is done by the administrator.

When ADOMs are enabled, the functions available in the GUI and CLI change. The admin account gains the global context (config global in the CLI), where device-wide settings live, and can create administrator accounts and create and enter any ADOM. An administrator assigned to an ADOM sees only the logs, reports, policies, servers and LDAP queries that belong to that ADOM.

By default, every administrator account other than 'admin' is assigned to the root ADOM, which contains all policies and servers. By creating ADOMs that hold only a subset of policies and servers and assigning administrator accounts to them, you restrict those accounts to that subset of the overall protected servers (FortiWeb) or of the managed devices (FortiManager and FortiAnalyzer).


Configuring ADOM

To enable ADOMs (the GUI path below is the FortiWeb one; on FortiManager and FortiAnalyzer the equivalent is the Administrative Domain toggle in the System Information widget under System Settings > Dashboard)

Go to System > Status > Status and, in the System Information widget, click Enable in the Administrative Domains row.

Or from the CLI:

config system global

set adom-status {enable | disable}

end

To create ADOM

Login to admin account 

Go to Global > System > Administrative Domain > Administrative Domain.

Click Create New, enter the Name, then click OK.

You can then do one of the following:

  • Assign another administrator account to configure the ADOM
  • Configure the ADOM yourself

VDOM vs ADOM: Difference

Definition

  • VDOM – Logical segmentation of a physical FortiGate device into multiple independent firewalls, each with its own configuration and policies.
  • ADOM – Logical grouping of multiple FortiGate devices or VDOMs managed by a single FortiManager or FortiAnalyzer instance, each group with its own policies, objects and administrators.

Scope

  • VDOM – Implemented within a single FortiGate device.
  • ADOM – Implemented on a FortiManager or FortiAnalyzer that manages multiple FortiGate devices.

Purpose

  • VDOM – Divides a FortiGate into two or more virtual units that function independently, each with its own security policies and, in NAT mode, its own routing and VPN configuration for the networks connected to it.
  • ADOM – Constrains an administrator's access privileges to a subset of managed devices, VDOMs and policy packages (FortiManager) or of policies and protected servers (FortiWeb).

Isolation

  • VDOM – Provides isolation between different virtual firewalls on the same physical device.
  • ADOM – Provides isolation between the groups of FortiGate devices managed within the same FortiManager instance.

Functioning

  • VDOM – A FortiGate's VDOMs are added to FortiManager individually, so each VDOM can be placed in an ADOM.
  • ADOM – One ADOM can hold multiple VDOMs, and the VDOMs of a single FortiGate can be spread across different ADOMs.

Management

  • VDOM – Managed locally on the FortiGate device through its GUI, CLI, or API.
  • ADOM – Managed centrally through FortiManager, offering a single interface for managing multiple FortiGate devices.

Support

  • VDOM – A FortiGate supports 10 VDOMs by default; on some models a license key can be purchased to increase the maximum.
  • ADOM – The maximum number of ADOMs depends on the FortiManager or FortiAnalyzer model.

Use Cases

  • VDOM – Suitable for organizations needing to segregate network traffic within a single FortiGate device, such as service providers or large enterprises with multiple departments.
  • ADOM – Suitable for Managed Service Providers (MSPs) or enterprises managing multiple FortiGate devices across distributed locations, allowing centralized management and control.

Scalability

  • VDOM – Limited to the capacity and resources of the physical FortiGate device.
  • ADOM – Scales with the capacity and resources of the FortiManager system, allowing management of a larger number of FortiGate devices.

Resource Usage

  • VDOM – Each VDOM consumes CPU and memory on the physical device, so adding VDOMs can affect the performance of the others.
  • ADOM – ADOMs consume resources on the FortiManager, but the FortiGate devices grouped in them keep their own resources, so grouping does not affect the performance of the devices themselves.

Deployment Flexibility

  • VDOM – Can be deployed standalone without requiring a FortiManager instance.
  • ADOM – Requires FortiManager for centralized management, making it more suitable for distributed deployments or managed service environments.

VDOM vs ADOM: Comparison Table

(The original page also provides the differences above as a summary table, available there as an image and a download.)

FortiGate SD-WAN Fundamentals
https://networkinterview.com/fortigate-sd-wan-fundamentals/
Sat, 16 Sep 2023

SD-WAN Local Breakout

SD-WAN is a virtual interface that groups different link types as member interfaces. It simplifies configuration: administrators configure a single set of routes and firewall policies that apply to all members. There is one SD-WAN interface per VDOM.

SD-WAN is used where multiple WAN links are available: effective WAN usage is achieved with load-balancing methods based on bandwidth usage, sessions, or application-aware routing. Another important feature is link quality measurement: using probes such as ping or HTTP, the FortiGate measures latency, jitter and packet-loss percentage on each link and selects links dynamically from these measurements, which keeps business-critical applications available when a link degrades.

SD-WAN Load Balancing Methods

SD-WAN load balancing distributes traffic much like ECMP, but adds one more method, measured volume. By default the load-balancing mode is source-IP based; it can be changed to any of the following:

  1. Source IP: all traffic from a given source IP is sent over the same member.
  2. Weight: sessions are distributed in proportion to the configured weights; members with a higher weight receive more sessions.
  3. Usage (spillover): all traffic is sent to the first member in the list until its bandwidth exceeds the spillover limit, after which new sessions are sent to the next member.
  4. Source-Destination IP: all traffic from a given source IP to a given destination IP is sent over the same member.
  5. Measured Volume: traffic is distributed according to the configured volume ratios, so a member with a higher ratio carries a larger share of the bytes.

FortiGate SD-WAN Zones

The SD-WAN interface can be divided into groups of members called SD-WAN zones. Zones are what you reference in firewall policies, which gives more granular control over the traffic being inspected and allowed.

Multiple SD-WAN zones can be created; by default the FortiGate creates one zone named virtual-wan-link.

An SD-WAN member cannot belong to more than one zone.

Creating Routes and Firewall Policies

After you enable SD-WAN and configure the member interfaces and load-balancing method, the SD-WAN zones appear in the interface list when you create a static route. Routes through SD-WAN must reference the SD-WAN zone (the SD-WAN virtual interface in older FortiOS releases), and firewall policies must use SD-WAN zones, not individual members, as source or destination interface.

You must configure a default route when implementing SD-WAN. A default route over the SD-WAN zone needs no gateway address, because the FortiGate forwards packets to the appropriate next hop using the gateway configured on each member interface.

Performance SLA

Three parts make up the Performance SLA configuration: the link health monitor, the SLA targets and the link status settings.

1. Link Health Monitor:

The link health monitor detects whether a path has failed or degraded. The FortiGate checks the health and status of each SD-WAN member that participates in a performance SLA, using the selected detection mode:

  • Active: link health is measured by sending probe packets to the configured server.
  • Passive: link health is measured from the session information of traffic matching firewall policies that have passive WAN health measurement enabled.
  • Prefer Passive: passive measurement is used while traffic is passing through the SD-WAN members, and active probes are sent only when there is none.

The GUI offers three probe protocols for the status check, Ping, HTTP and DNS; the CLI offers six: ping, http, dns, tcp-echo, udp-echo and twamp (Two-Way Active Measurement Protocol).

2. SLA Targets:

The SLA target defines the quality of service required for the traffic associated with this performance SLA. An SD-WAN member assigned to the performance SLA must meet the SLA target to be selected over the other participating links. You can set latency, jitter and packet-loss thresholds to suit your needs and create granular SLA targets to tune SD-WAN for specific applications.

3. Link Status:

The link status settings specify how often the system checks the link status to decide whether traffic needs to move to another link. The 'failures before inactive' and 'restore link after' settings prevent the system from continuously moving traffic back and forth between links, a condition known as flapping.

 

Link Quality Measurement

The performance SLA health checks measure the quality of the links connected to the member interfaces participating in the SLA against three criteria: latency, jitter and packet-loss percentage.

 

SD-WAN Rules Internet Services and Applications

SD-WAN can use the Internet Service Database (ISDB) and the application control database to steer applications over a specific link. FortiGuard maintains both databases and the FortiGate periodically downloads updated copies. For applications to be identified accurately, SSL inspection should be enabled.

 

FortiGate SD-WAN Rules

FortiGate SD-WAN rules offer four strategies for selecting the outgoing interface: Manual, Best Quality, Lowest Cost (SLA) and Maximize Bandwidth (SLA).

  • Manual: you specify the order of preference of the member interfaces; traffic matching the rule leaves through the first available interface in that order.

  • Best Quality: selection is based on measured network performance. By default a member must be better than the current one by more than 10 percent (the link cost threshold) to be preferred; this value can be changed. Best Quality uses only the health-check measurements against the selected quality criterion, not the SLA targets. The criterion can be latency, jitter or packet-loss percentage, or one of the bandwidth options (downstream, upstream or bidirectional bandwidth) so that the FortiGate picks the link with the most available bandwidth in that direction. The last option, custom profile, weights several criteria together: the larger a criterion's weight, the more it influences the selection, and a weight of zero excludes that criterion.

  • Lowest Cost (SLA): you select one SLA target from a performance SLA to measure the traffic against; even if the performance SLA has several SLA targets, a rule can reference only one of them. Among the members that meet the target, the one with the lowest configured cost is used.

 

  • Maximize Bandwidth (SLA): a load-balancing mode for SD-WAN rules. Traffic matching the rule is load balanced among the selected members that satisfy the SLA target; cost and priority are not taken into account.

 

FortiGate SD-WAN Diagnostics

FortiGate SD-WAN diagnostics cover three areas: SD-WAN link usage, SD-WAN link quality status and SD-WAN traffic routing.

1. SD-WAN Link Usage: view the traffic distribution between the member interfaces by bandwidth, volume and sessions.

2. SD-WAN Link Quality Status: monitor the link quality of the SD-WAN members so that prolonged packet loss or latency can be investigated before users experience outages or degraded performance.

3. SD-WAN Traffic Routing: You can use the destination interface column in the forward traffic logs to verify traffic is egressing the SD-WAN member interfaces.

Partial Redundant Route Based VPN FortiGate
https://networkinterview.com/partial-redundant-route-based-vpn-fortigate/ (Tue, 12 Sep 2023)

Objectives

  • FortiGate1 has two WAN links and FortiGate2 has single WAN link
  • Create site-to-site route based VPN with Redundant Connection
  • Configure Dead-Peer-Detection failover
  • Configure Link-Health

Partial redundancy describes a setup in which only one side has two WAN connections: typically the headquarters has multiple links, while the remote office has a single WAN link. To keep the site-to-site connection available when one HQ link fails, we build a redundant VPN. Redundant and partially redundant VPNs use route-based VPN, because each tunnel is then an interface and the routing table decides which tunnel carries the traffic.

Create site-to-site route based VPN with Redundant Connection

In this example FortiGate1 has two WAN links and FortiGate2 has a single WAN link. Redundancy is therefore established on the FortiGate1 side, which has two different WAN links, with one tunnel per link terminating on the same remote peer.

>>Configure Site-to-Site VPN in FortiGate1 (HQ) for WAN1 and WAN2-Route Based

Check WAN 1 and WAN2 interfaces and its IP addresses 

WAN 1 -> 10.200.3.1/24

WAN 2 -> 10.200.4.1/24

Check LAN IP address -> 10.10.1.0/24

Configure Phase-1 for WAN 1

  1. Go to the IPsec Wizard and select VPN Setup
  2. Name the VPN ToRemote1
  3. Template Type: Site to Site
  4. NAT Configuration: No NAT between sites
  5. Move to the Authentication tab
  6. Remote Device: IP Address
  7. Enter the remote peer's WAN IP address (the single WAN address of FortiGate2)
  8. Outgoing Interface: WAN1
  9. Enter the pre-shared key, which must be identical to the one configured on the peer
  10. Move to the Policy & Routing tab and select the LAN interface as the local interface
  11. Local Subnets: 10.10.1.0/24
  12. Remote Subnets: 10.20.1.0/24
  13. Create the tunnel. ToRemote1 now exists on WAN1; the wizard also creates the address objects, the firewall policies in both directions, a static route to 10.20.1.0/24 via the tunnel interface and a blackhole route for the same subnet.

Configure Tunnel for WAN 2

The second tunnel is created as a Custom tunnel with the same phase 1 and phase 2 parameters as ToRemote1, bound to WAN2.

  1. Create a new tunnel with the Custom template and name it ToRemote2
  2. Remote Gateway: Static IP Address; IP Address: the same FortiGate2 WAN address used for ToRemote1
  3. Interface: WAN2
  4. Enable Dead Peer Detection (On Idle or On Demand), so that a tunnel whose peer stops answering is torn down and its route withdrawn
  5. Authentication: Pre-shared Key, identical to the peer's; set Peer ID and Local ID only if the peer is configured to require them
  6. Mode: Main (IKEv1); IKEv2 is preferable where both sides support it
  7. Phase 1 encryption and authentication proposals
  8. Diffie-Hellman groups
  9. Key lifetime
  10. Phase 2 selectors: Local Address 10.10.1.0/24, Remote Address 10.20.1.0/24

Both tunnels WAN1 and WAN2 have been created.

Configure Routes for WAN 1 and WAN 2 Tunnels

Two sets of routes are needed: default routes toward the ISPs, which carry the IKE and ESP packets to the peer's public address, and routes to the remote LAN 10.20.1.0/24 via the tunnel interfaces, which decide which tunnel the site-to-site traffic uses.

Go to Network > Static Routes.

1. Choose Create New, enter the entries below and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         WAN1

Gateway                                     the ISP next hop on the 10.200.3.0/24 segment (10.200.3.1 is WAN1's own address and cannot be its gateway)

Distance (Advanced)             10  -> lower value, preferred route

2. Choose Create New again for WAN2, enter the entries below and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         WAN2

Gateway                                     the ISP next hop on the 10.200.4.0/24 segment (not 10.200.4.1, which is WAN2's own address)

Distance (Advanced)              15 -> higher value, secondary route

If the ToRemote2 tunnel does not establish while WAN1 is up, the reason is usually that the WAN2 default route is inactive because of its higher distance; in that case give both default routes the same distance and prefer WAN1 with a lower Priority value instead, so that both ISP routes stay active in the routing table.

3. Add the routes to the remote LAN: 10.20.1.0/24 via device ToRemote1 with distance 10 (the wizard created this one) and 10.20.1.0/24 via device ToRemote2 with distance 15. Keep the blackhole route for 10.20.1.0/24 at distance 254, so that the remote subnet is never sent out of a WAN link in clear text if both tunnels are down.

Create Security Policy for WAN 1 and WAN 2

>Create security policies so the HQ LAN can communicate with the remote site over either tunnel

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the policy parameters below (one policy can list both tunnel interfaces; alternatively create one policy per tunnel):

Incoming Interface                   LAN

Outgoing Interface                   ToRemote1, ToRemote2

Source Address                        LAN subnets (the specific subnets you want to allow, here 10.10.1.0/24)

Destination Address                 Remote subnets (10.20.1.0/24)

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

Create Security Policy from the remote site to the FortiGate-HQ site

3. Enter the following information, and select OK:

Incoming Interface                   ToRemote1, ToRemote2

Outgoing Interface                   LAN

Source Address                        Remote subnets (10.20.1.0/24)

Destination Address                 Local subnets (10.10.1.0/24)

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

Leave NAT disabled on both policies; the tunnels carry the private addresses end to end.

Configure Tunnels on the Remote Peer FortiGate

Configure the remote FortiGate in the same way as FortiGate1-HQ. Two tunnels are created on the Remote-FortiGate: the first terminates on HQ's WAN1 address and the second on HQ's WAN2 address. Both leave through the remote site's single WAN interface, because that is the only link it has.

  1. Select the IPsec Wizard and go to VPN Setup
  2. Name the tunnel TOHQ1, template Site to Site, no NAT
  3. Move to the Authentication tab
  4. Remote Device: IP Address
  5. IP Address: HQ's WAN1 address, 10.200.3.1
  6. Outgoing Interface: the remote site's WAN interface; enter the pre-shared key, which must be identical to FortiGate1-HQ's
  7. Move to the Policy & Routing tab and select the remote LAN interface
  8. Local Subnets: 10.20.1.0/24
  9. Remote Subnets: 10.10.1.0/24, then create the tunnel; the wizard adds the policies and the static route to 10.10.1.0/24 via TOHQ1

Tunnel TOHQ1 is ready on the Remote-FortiGate for HQ's WAN1 link.

Create Tunnel from Remote FortiGate to HQ WAN 2

Repeat the same steps for a second tunnel, TOHQ2, with Remote IP Address 10.200.4.1 (HQ's WAN2) and the same outgoing interface and pre-shared key. The static route to 10.10.1.0/24 via TOHQ2 must have a higher administrative distance than the route via TOHQ1, so that TOHQ1 stays the preferred path: with TOHQ1's route at distance 10, set TOHQ2's route to 15, mirroring the HQ side.

 

Configure Link-Health Monitor

>>Configure Link-Monitor on FortiGate-HQ

Link monitor is configured through the CLI only (config system link-monitor). Here the probe is sent out of the ToRemote1 tunnel interface to a host on the remote LAN. When the probe fails for the configured number of attempts, the static route that uses ToRemote1 is withdrawn (update-static-route) and the route via ToRemote2 becomes active; when the probe recovers, the primary route is reinstalled.

Check the state of the probe and its target with:

diagnose sys link-monitor status

>>Link-health monitor on Remote-FortiGate Firewall

On the remote FortiGate a matching link monitor probes the HQ LAN through TOHQ1, so that its routing fails over to TOHQ2 when the path through HQ's WAN1 is dead. Dead Peer Detection on each phase 1 complements this: it tears down a tunnel whose peer no longer answers, which also takes the tunnel interface, and the routes using it, out of service.
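The HQ side of the partial redundant design above in the FortiOS CLI, as an added example rather than the page's own configuration. It assumes FortiOS 7.0 syntax, an HQ LAN interface named lan, and a reachable host 10.20.1.1 on the remote LAN for the probe; BRANCH_WAN_IP stands for the remote office's single WAN address, which the page does not give, and <psk> for the pre-shared key. IKEv2 is used here instead of IKEv1 main mode. The branch side mirrors this with one WAN interface and two tunnels whose remote gateways are 10.200.3.1 and 10.200.4.1. Lines starting with # are comments.

```fortios
config firewall address
    edit "HQ_LAN"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "BRANCH_LAN"
        set subnet 10.20.1.0 255.255.255.0
    next
end
# One phase 1 per WAN link, both pointing at the branch's single WAN address.
# DPD on-idle with three retries detects a dead peer and brings the tunnel down.
config vpn ipsec phase1-interface
    edit "ToRemote1"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retrycount 3
        set remote-gw BRANCH_WAN_IP
        set psksecret <psk>
    next
    edit "ToRemote2"
        set interface "wan2"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retrycount 3
        set remote-gw BRANCH_WAN_IP
        set psksecret <psk>
    next
end
config vpn ipsec phase2-interface
    edit "ToRemote1"
        set phase1name "ToRemote1"
        set proposal aes256-sha256
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 10.20.1.0 255.255.255.0
    next
    edit "ToRemote2"
        set phase1name "ToRemote2"
        set proposal aes256-sha256
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 10.20.1.0 255.255.255.0
    next
end
# Branch LAN via both tunnels: distance 10 keeps ToRemote1 preferred; the
# blackhole stops the subnet leaking out a WAN link in clear if both drop.
config router static
    edit 11
        set dst 10.20.1.0 255.255.255.0
        set device "ToRemote1"
        set distance 10
    next
    edit 12
        set dst 10.20.1.0 255.255.255.0
        set device "ToRemote2"
        set distance 15
    next
    edit 13
        set dst 10.20.1.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
config firewall policy
    edit 20
        set name "HQ-LAN-to-Branch"
        set srcintf "lan"
        set dstintf "ToRemote1" "ToRemote2"
        set srcaddr "HQ_LAN"
        set dstaddr "BRANCH_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 21
        set name "Branch-to-HQ-LAN"
        set srcintf "ToRemote1" "ToRemote2"
        set dstintf "lan"
        set srcaddr "BRANCH_LAN"
        set dstaddr "HQ_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Probe the branch through the primary tunnel every second; five misses
# withdraw route 11 so route 12 takes over, five successes bring it back.
config system link-monitor
    edit "Probe-ToRemote1"
        set srcintf "ToRemote1"
        set server "10.20.1.1"
        set protocol ping
        set interval 1
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```

After applying, diagnose sys link-monitor status should show the probe alive on ToRemote1 and get router info routing-table all should list 10.20.1.0/24 via ToRemote1 only; pulling WAN1 should move that entry to ToRemote2 within failtime seconds.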

Fortigate: Configuring SD WAN Load balancing for Multiple WAN Links (Step-by-Step Guide)
https://networkinterview.com/configuring-sd-wan-load-balancing/ (Mon, 28 Aug 2023)

Configuring SD WAN Load balancing

Below is the network setup on which we will configure FortiGate SD-WAN with load balancing for two different ISPs.

Parameters which we have taken are

  1. LAN Port & Segment -> LAN Port 3 & 10.10.10.108
  2. WAN Port -> WAN1 -> ISP1
  3. WAN Port 2-> ISP 2
  4. WAN Port 1 Segment -> 192.168.0.108
  5. WAN Port 2 Segment -> 14.140.40.108

1. Enable SD-WAN feature in FortiGate

Go to Feature Visibility option and select SD-WAN Interface. You must enable this feature to configure SD-WAN interfaces in the firewall.

  • System ->Feature Visibility
  • Select -> SD-WAN Interface
  • Configure Interfaces as per above network diagram.
  • Here, we have configured ISP1 (Port1)-> 192.168.0.108/24
  • ISP2 (Port2) ->14.140.40.108/24
  • Configure LAN port on port 3 (for downstream Switch)

2. Create SD-WAN Zone

  • Create SD-WAN Zone
  • Named as SD-WAN-Zone 
  • Put WAN1 (ISP-1) and WAN2 (ISP-2) interfaces in it
  • SD-WAN->Select SD-WAN-ZONE
  • Create New ->SD-WAN-Member
  • Add ISP-1 Values
  • Interface-> ISP1 (port1)
  • SD-WAN-Zone-> SD-WAN-ZONE
  • Gateway-> 192.168.0.1
  • Status-> Enable
  • OK

In a similar way add ISP2 in SD-WAN-Zone member

  • Interface->ISP2(port2)
  • SD-WAN-ZONE (Zone must be same in both member 1 and member 2)
  • Gateway-> 14.140.40.109
  • Cost-> 1
  • Status -> Enable
  • OK

3. Configure Performance SLA

Next move to configure Performance SLAs Policy.

  • Select -> SD-WAN
  • Go to -> Performance SLAs

  • Select-> Create New and add values in the tab
  • Name-> SDWAN_SLA
  • Detection Mode-> ACTIVE
  • Protocol -> PING
  • Server -> DNS Server/ Global DNS IP -> 8.8.8.8
  • Enable SLA Target and put values in it
  • Add values to Link Status
  • Click OK

SLA Targets 

  • Latency Threshold: the maximum latency (ms) a link may show and still meet the SLA
  • Jitter Threshold: the maximum jitter (ms) allowed for the SLA
  • Packet Loss Threshold: the maximum packet loss (%) allowed before the link is considered out of SLA

Performance SLA shown in below diagram which contains values of both ISP1 and ISP2

  1. Packet loss percentage of ISP1 and ISP2
  2. Latency data of ISP1 and ISP2
  3. Jitter values of ISP1 and ISP2

4. Configure SD-WAN Rules

  • Go to SD-WAN ->SD-WAN Rules

  • Source-Address -> LAN IP Gateway
  • Destination -> Allow for ALL
  • Protocol -> TCP/UDP or ANY
  • Select strategy for how outgoing interfaces will be chosen

Manual: you order the interface preference yourself. Traffic goes to the first listed member that is up, and the next listed member (for example WAN2) takes over only when the first fails its health check or loses link; SLA targets and cost play no part in the choice, so WAN2 acts purely as a backup link.

Best Quality: decision based on measured link quality, not on cost. SD-WAN chooses the best link for the application traffic according to the selected criterion (latency by default, or jitter, packet loss or available bandwidth). For example, management traffic is critical, so it belongs under Best Quality and is forwarded over the ISP link with the lowest latency and jitter at that moment.

Lowest Cost (SLA): among the members that meet the selected SLA target, SD-WAN chooses the one with the lowest configured cost; a member that fails the target is used only when no in-SLA member is left.

Maximise Bandwidth (SLA): traffic is distributed among all members that meet the SLA target (latency, jitter and packet loss thresholds). Sessions are spread across those members, so both ISPs carry traffic while they stay within SLA.

  • We have selected Maximum Bandwidth
  • Interface Preferences -> Select Both port of ISP1 and ISP2
  • Status -> Enable
  • OK

5. Configure Static Routes

Now configure the default route for Internet-bound traffic through the SD-WAN interface (zone); the FortiGate derives the per-member routes from it using each member's gateway.

  • Create New Static Route Rule
  • Destination ->0.0.0.0/0 or All
  • Interface -> SD-WAN
  • Status -> Enable

6. Firewall Policy

  • Create Firewall policy to the Internet to allow LAN-to-WAN traffic.
  • Name-> Add Policy Name
  • Incoming Interface -> LAN (Port-3)
  • Outgoing Interface -> SD-WAN
  • Source IP Address -> LAN Subnet
  • Destination -> ALL
  • Service-> ALL
  • Action-> Accept
  • IP Pool Configuration -> Use Outgoing Interface Address
  • OK

  • Check Traffic stream from Firewall CLI.
  • As per below logs traffic is going via ISP-1

Troubleshoot ISP1 and ISP2 Failover

With traffic flowing through ISP1, bring ISP1 down (unplug it or administratively disable port1) to check that traffic switches over to ISP2.

  • With the SD-WAN diagnostics enabled in the FortiGate CLI, new sessions move to ISP-2 as soon as the health check on port1 fails.
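CLI checks for the three SD-WAN diagnostics described in the FortiGate SD-WAN Fundamentals section earlier on this page (link usage, link quality status, traffic routing) and for the ISP1/ISP2 failover test here. This is an added example, not output or commands from the page. It assumes FortiOS 7.0 command names, members port1 (ISP1) and port2 (ISP2), the health check SDWAN_SLA and a LAN client 10.10.10.50 chosen for illustration; check each diagnose command with ? on your firmware, as names moved between releases.

```fortios
# Link quality status: per-member packet loss, latency, jitter, SLA pass/fail
diagnose sys sdwan health-check
# Member state and the gateway each member uses
diagnose sys sdwan member
# Traffic routing: the member order each rule currently resolves to
diagnose sys sdwan service
# Link usage: which member a client's existing sessions are pinned to
diagnose sys session filter clear
diagnose sys session filter src 10.10.10.50
diagnose sys session list
diagnose sys session filter clear

# Failover test without touching cables: take ISP1 down administratively,
# re-run the checks and confirm new sessions egress port2
config system interface
    edit "port1"
        set status down
    next
end
diagnose sys sdwan health-check
diagnose sys sdwan service

# Restore the member and confirm it returns after recoverytime has elapsed
config system interface
    edit "port1"
        set status up
    next
end
diagnose sys sdwan health-check
```

Run the administrative shutdown in a maintenance window: it also drops any other traffic using port1, not only the SD-WAN sessions under test.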

Load Balancing Algorithms

By default the implicit SD-WAN rule balances sessions with the source-IP-based method. You can change how traffic is distributed by selecting a different load-balancing algorithm.

Two points to consider before selecting a load-balancing algorithm:

  • Load-balancing algorithms cannot be applied to a user-defined SD-WAN rule; a rule's own strategy decides its member selection
  • Load-balancing algorithms apply only to the implicit SD-WAN rule, i.e. to traffic that matches no user-defined rule

Let's discuss the algorithms available in the FortiGate firewall (version 7.0.0).

Load-Balancing modes and their definition:

  • Source-IP-based: new sessions are spread across the members, but all sessions from a given source IP address stick to the same member until they end, so a client is not flipped between ISPs mid-conversation.
  • Weight-based: each member is assigned a weight, and the share of new sessions each member receives is proportional to its weight.
  • Usage-based: also called spillover. A bandwidth threshold is set on each member for egress and ingress; all sessions use the first member until its usage crosses the threshold, then new sessions spill over to the next member.
  • Source-destination-IP-based: sessions between the same source and destination IP pair always use the same member.
  • Measured-volume-based: each member is assigned a volume ratio, and the FortiGate steers new sessions so that the measured traffic volume (bytes, not session count) matches the configured ratio.

First, disable the user-defined rule in SD-WAN Rules, since load balancing is only applied to the implicit rule. The CLI equivalent, entered under config system sdwan:

set load-balance-mode source-ip-based

Other methods are explained in Web-UI Format

Load Balancing Algorithm- Weight Based

  • Select SD-WAN
  • Select Implicit policy
  • Edit Implicit Policy
  • Select Sessions tab to enable weight-based Algorithm for load-balancing 
  • Weight is divided here 98:2

Load Balancing Algorithm- Usage Based

  • Select SD-WAN
  • Select Implicit policy
  • Edit Implicit Policy
  • Select the Sessions tab and enable the usage-based algorithm. This is also known as the spillover method
  • Set the egress and ingress spillover thresholds per member; traffic stays on the first member until those are reached, then new sessions spill over to the next member

Load Balancing Algorithm- Volume Based

In our network we will use VOLUME based selection of traffic.

  • Select SD-WAN
  • Select Implicit policy
  • Edit Implicit Policy
  • Select Volume tab to enable Volume-based Algorithm for load-balancing 
  • Weight is divided here 90:10

Checking the sessions in the CLI, about 90% of the traffic volume leaves via ISP1 and 10% via ISP2, so most sessions show the ISP1 interface and its address as their egress side.
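The implicit-rule load-balancing modes from this section in the FortiOS 7.0 CLI, as an added example rather than the page's own configuration. Each stanza is a complete alternative for config system sdwan with members 1 (ISP1) and 2 (ISP2); apply only one of them. The weights and ratios are the ones used above, the spillover thresholds are illustrative values in kbit/s, and lines beginning with # are comments.

```fortios
# Default: source-ip-based. Sessions from the same source IP stay on one member.
config system sdwan
    set load-balance-mode source-ip-based
end

# Weight-based, 98:2 as above. The share of new sessions each member gets
# follows its weight.
config system sdwan
    set load-balance-mode weight-based
    config members
        edit 1
            set weight 98
        next
        edit 2
            set weight 2
        next
    end
end

# Usage-based (spillover). Member 1 carries everything until its egress or
# ingress rate crosses the threshold; new sessions then spill to member 2.
config system sdwan
    set load-balance-mode usage-based
    config members
        edit 1
            set spillover-threshold 8000
            set ingress-spillover-threshold 8000
        next
    end
end

# Measured-volume-based, 90:10 as above. Bytes, not sessions, are balanced,
# so a few large transfers can pull the observed ratio around.
config system sdwan
    set load-balance-mode measured-volume-based
    config members
        edit 1
            set volume-ratio 90
        next
        edit 2
            set volume-ratio 10
        next
    end
end

# Source-destination-ip-based: a given source/destination pair stays on one member.
config system sdwan
    set load-balance-mode source-dest-ip-based
end
```

Whatever mode is chosen, it only affects sessions that fall through to the implicit rule; confirm with diagnose sys sdwan service that the user-defined rules above it are disabled or do not match the traffic you are testing.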

FortiGate Packet Flow: Ingress And Egress
https://networkinterview.com/fortigate-packet-flow-ingress-and-egress/ (Fri, 25 Aug 2023)

FortiGate packet flow is also known as the Life of a Packet: the processing a packet goes through from the moment it enters the ingress interface until it leaves the egress interface.

Stages of FortiGate Packet Flow

FortiGate packet flow consist of 4 stages which includes

  • Ingress Check 
  • Stateful Inspection 
  • UTM
  • Egress Check

Ingress Process: when a packet arrives on any firewall interface, the FortiGate extracts its layer 2 and layer 3 information and records the interface on which it was received.

DoS Policy: if a DoS policy is configured on that interface, it is checked here, before any session is created, so that flood and scan traffic is dropped at the lowest possible cost.

IP Integrity: the packet is checked for a valid, well-formed IP header. A malformed packet that fails the integrity check is discarded by the firewall.

IPsec VPN Decryption: if the packet belongs to an IPsec tunnel, it is decrypted here, and the inner packet with its original source and destination addresses goes through the remaining checks.

The example used in the rest of this article: traffic enters on VLAN 2 with protocol 6 (TCP), source IP address 10.1.1.1, destination IP address 2.2.2.2, destination port 443 and TCP sequence number 22334455.

After the above checks the packet reaches the session table (stage 2) and the firewall checks whether it belongs to an existing session or starts a new one.

Processing is divided into two paths:

  • Slow Path: for the first packet of a new session
  • Fast Path: for every later packet of an existing session, i.e. once the session has been created by the slow path

Slow Path

The firewall allocates a new session with a new session ID for the first packet.

  • DNAT: the firewall checks whether the destination IP address matches a virtual IP (destination NAT); if so the destination is rewritten before routing.
  • Routing: find the route for the (translated) destination address; this yields the egress interface and the next hop.

Why is routing before policy lookup?

Because a firewall policy is matched on the incoming and the outgoing interface, the FortiGate must know the egress interface, which only the routing lookup can provide, before it can evaluate the policies. The routing lookup in turn uses the post-DNAT destination, which is why DNAT comes first.

  • Policy Lookup: find the first policy matching the source and destination interfaces, addresses, service and schedule; if that policy denies the traffic, or no policy matches, the packet is dropped.
  • SNAT: if the matching policy has NAT enabled, the source address is translated to the egress interface address or to an address from the configured IP pool.

The session is then installed in the session table, together with the routing and NAT decisions just made.

Before the session moves to the next stage, SSL/SSH inspection is applied (if the policy calls for it) so that encrypted content can be examined by the UTM features.

Now that the session is installed in the session table, subsequent packets take the fast path of the packet flow.

Fast Path

  • IPS: the IPS engine checks the packet against the IPS signatures. It is flow-based and inspects the session from its very first packet, so it is the only UTM feature that can act on the SYN; the other UTM features need the three-way handshake to complete and application data to arrive. The IPS engine then hands the traffic to application control.
  • Application Control: identifies the application (for example Yahoo, Google or YouTube). The packet then moves to web filtering.
  • Web Filtering: checks the URL, category and domain name. Static (manually configured) URL filters are evaluated first, then the FortiGuard category.
  • The packet is then processed by DLP and antivirus.

Why does antivirus come after web filtering?

Because a user first browses to a website and then downloads something from it. Web filtering decides whether the site may be visited at all; if it may, the content that is downloaded is inspected by antivirus.

Note: by default a file larger than the oversize limit (10 MB) is not scanned by antivirus and is passed through. Both the limit and the action for oversized files (pass or block) are set in the protocol options profile, so raise the limit or block oversized files where unscanned downloads are not acceptable.
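The oversize limit from the note above, as an added configuration example (not from the page). The first stanza shows the default behaviour, in which HTTP files over 10 MB bypass antivirus and are passed; the second raises the limit and blocks whatever still exceeds it. It assumes FortiOS 7.0 option names and a protocol options profile named default; confirm the available flags with set options ? on your firmware, and apply the same change to the ftp, smtp, pop3 and imap sections if those protocols are inspected.

```fortios
# Weak (default): anything over oversize-limit (MB) is passed unscanned
config firewall profile-protocol-options
    edit "default"
        config http
            set oversize-limit 10
            unset options
        end
    next
end

# Hardened: scan up to 50 MB and block files that still exceed the limit
config firewall profile-protocol-options
    edit "default"
        config http
            set oversize-limit 50
            set options oversize
        end
    next
end
```

Raising the limit costs memory per concurrent download on the FortiGate, so the right value depends on the platform; blocking is the safer default where large unscanned files are unacceptable.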

Once all above UTM features parsed by Firewall packet moves to Egress/exit interface.

This is the simplest form of FortiGate Packet flow.
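The slow-path stages above traced live with the debug flow tool, as an added example rather than output from the page. The commands are FortiOS 7.0; the addresses are those of the page's example (10.1.1.1 to 2.2.2.2:443), the trace lines shown in comments are the general form of FortiGate debug-flow messages with the interface, gateway and NAT address replaced by placeholders, and their exact wording varies between releases.

```fortios
# Filter the trace to the example flow and show which function emits each line
diagnose debug flow filter clear
diagnose debug flow filter proto 6
diagnose debug flow filter saddr 10.1.1.1
diagnose debug flow filter daddr 2.2.2.2
diagnose debug flow filter dport 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

# Expected lines for the first (SYN) packet, in slow-path order:
#   received a packet(proto=6, 10.1.1.1:<sport>->2.2.2.2:443) from <intf>. flag [S], seq 22334455
#   allocate a new session-<id>                        (new session: slow path)
#   find a route: flag=... gw-<gw> via <egress-intf>   (routing before policy)
#   Allowed by Policy-<id>: SNAT                       (policy lookup, NAT enabled)
#   SNAT 10.1.1.1-><wan-ip>:<sport>
# Later packets of the same session report "Find an existing session" and
# take the fast path.

# Stop tracing and clear the filter so the next debug session starts clean
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# Confirm the installed session: state, NAT and ingress/egress interfaces
diagnose sys session filter clear
diagnose sys session filter src 10.1.1.1
diagnose sys session filter dst 2.2.2.2
diagnose sys session filter dport 443
diagnose sys session list
diagnose sys session filter clear
```

Always set a filter before starting the trace: on a busy firewall an unfiltered debug flow floods the console and costs CPU, and the trace count (20 here) caps how many packets are reported before tracing stops on its own.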

Deep-dive: Packet Flow in FortiGate

You can read the article below for a better understanding of FortiGate packet Flow.

Ingress Process & Network Interface: when a packet arrives on any firewall interface, the FortiGate extracts its layer 2 and layer 3 information and records the interface on which it was received.

DoS Policy: if a DoS policy is configured it is checked here; it stops DoS attacks before a session is created.

IP Integrity: checks that the packet header is correct and valid. A malformed packet that fails the integrity check is discarded by the firewall.

IPsec VPN Decryption: if the packet belongs to an IPsec tunnel it is decrypted here, and the inner packet with its original addresses continues through the flow.

Admission Control: verifies that the source is allowed to use the firewall at all:

  • Quarantine: sources whose IP or MAC address has been placed in the quarantine list (for example by an IPS, DLP or Security Fabric action) are dropped here, so they never reach the policy stage.
  • FortiHeartbeat (FortiClient telemetry): if the policy requires compliant endpoints, the FortiGate checks that the source is a registered FortiClient host that meets the compliance rules.
  • User Authentication: if the policy requires authentication, the user is authenticated, for example through the captive portal.

After admission control the packet moves to the kernel-level processing:

  • Destination NAT: if a virtual IP applies to the packet's destination address, the NAT table is consulted and the destination is rewritten to the mapped address.
  • Routing: the routing table is checked for the (translated) destination, which yields the egress interface and next hop; policy routes, if configured, are evaluated first and can override the normal route.
  • Policy Lookup: the firewall policies are evaluated with the stateful inspection engine, using the ingress and egress interfaces, addresses, service and schedule.
  • Session Helpers: these handle protocols that negotiate dynamic ports or secondary connections, such as VoIP. The FortiGate extracts information from the control channel to open the data channels that the protocol needs. Session helpers exist for
    1. PPTP
    2. H.323
    3. FTP
    4. TFTP
    5. SIP, among others.
  • User Authentication: if the matched policy requires a user or group, authentication is checked again against that policy.
  • SSL VPN: if the packet is destined for the SSL VPN portal it is handed to the SSL VPN process.
  • Local Management Traffic: traffic addressed to the FortiGate itself (GUI, SSH, SNMP and the like) is checked against the interface's administrative access settings and the local-in policies.

Now the traffic moves to the UTM/NGFW stage

  • FortiGate supports flow-based or proxy-based inspection, selected per policy
  • Flow-based inspection is single-pass: packets are examined as they stream through the IPS engine
  • Proxy-based inspection terminates the connection on the FortiGate, either as a transparent proxy or as an explicit proxy
  • Botnet checks are applied to the traffic using the UTM features of the firewall
  • IPS, application control, web filtering, antivirus, DLP and the other security profiles are applied in the UTM/NGFW stage

Now the traffic moves to another kernel stage

  • Source NAT: source NAT is applied here, and the routing table is used to verify the correct exit interface of the firewall.
  • IPsec Encryption: if the packet belongs to an IPsec tunnel, the firewall encrypts it here.
  • Traffic Shaping: QoS/CoS (Quality of Service and Class of Service) shaping is applied to the packet.
  • WAN Optimization: applied if WAN optimization is configured for the traffic.
  • TCP/IP Stack: final re-verification of the packet, including its checksums.
  • Network Interface: the packet leaves through the egress interface.

Routing Configuration in FortiGate Firewall: Static, Dynamic & Policy Based
https://networkinterview.com/routing-configuration-in-fortigate-firewall/ (Thu, 10 Aug 2023)

Objectives
  • Routing in Fortinet FortiGate
  • Configuration Steps of Static Routing
  • Configuration Steps of Dynamic Routing (BGP)
  • Policy Base Routing
  • Routing Monitor GUI
  • Troubleshooting Commands for Routing in FortiGate

 

Routing in Fortinet FortiGate Firewall

Routing is how a packet is sent from a source to a destination across a network.

To perform routing every firewall has a routing table: a list of destination prefixes with, for each, the next hop and the egress interface. Each hop along the path performs its own routing table lookup to pass the packet on until it reaches the destination.

The firewall looks for the routing table entry that matches the destination address of the packet. When several entries match, the FortiGate selects the most specific one (the longest prefix); among routes with the same prefix, the lowest administrative distance wins, and among routes with the same distance, the lowest priority value. Only then is the packet forwarded to the next hop.

 

What is route lookup?

When a packet arrives on a firewall interface, the firewall inspects the IPv4 header, reads the destination IPv4 address, and goes through the route lookup process.

For each session the FortiGate performs a route lookup twice.

The first lookup is for the first packet sent by the initiator, the second for the first reply packet coming from the responder. After these two lookups the firewall stores the routing information in the session table.

Subsequent packets are forwarded according to the session table. After a routing table change, the route information is flushed from the sessions and must be re-learned by a new lookup.

 

Static Route

Static Route: a manually configured route, with which you tell the firewall to send packets for a specific destination range out of a specific interface to a specific gateway. The example here is a default static route, which means that traffic to any destination (0.0.0.0/0) goes via port1 using gateway 10.0.3.1 if no more specific match is found in the routing table.

Static Route Configuration in FortiGate:

  • GUI: Network > Static Routes
  • Create New
  • Destination: 0.0.0.0/0
  • Gateway Address: the next-hop router (10.0.3.1)
  • Interface: port1
  • Administrative Distance: 10 (the default value for static routes)

Dynamic Route

For a large network, manually configuring routes is not practical. Dynamic routing therefore lets the firewall learn routes automatically.

Dynamic routing protocols supported by the FortiGate firewall:

  • RIP
  • OSPF
  • BGP
  • IS-IS

In dynamic routing the FortiGate exchanges routing information with neighbouring routers: it learns their paths and advertises its own directly connected subnets and other routes. Discovered paths are added to the routing table automatically, so make sure that neighbouring routers are trusted, and enable neighbour authentication (for example the BGP TCP MD5 password or OSPF MD5 authentication) so that a rogue device on the segment cannot inject routes and redirect traffic.

BGP is configured in the GUI under Network > BGP: set the local AS number and router ID, add the neighbours with their remote AS, and list the networks to advertise.

You can verify the learned routes in the Routing Monitor.

Policy Based Routing

Policy-based routes can match on more than the destination IP address: source address, incoming interface, protocol, ports and type of service. For example, if you have two ISP links, 10 Gbps and 5 Gbps, you can send the management subnet over the fast link and the ordinary user subnets over the other, something a destination-only routing table cannot express.

Policy-based routing forwards traffic on the basis of the criteria defined in the policy route. Policy routes are kept in their own list, separate from the normal routing table, and are evaluated in order before the routing table; the first matching policy route decides what happens to the packet.

A matching policy route performs one of two actions:

  • Forward traffic: the packet is sent out of the specified egress interface to the specified gateway, bypassing the routing table
  • Stop policy routing: policy routing is skipped for this traffic and the routing table is used instead
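Static, BGP and policy-based routing from this article in the FortiOS CLI, as an added example and not the page's own configuration. It uses the page's default route (port1, gateway 10.0.3.1, distance 10); the AS numbers, router ID, neighbour address, advertised prefix, the interface named lan and the two subnets in the policy routes are placeholders chosen for illustration, since the page does not give them. The neighbour password enables TCP MD5 authentication of the BGP session, and lines starting with # are comments.

```fortios
# 1. Default static route (Network > Static Routes in the GUI)
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.0.3.1
        set device "port1"
        set distance 10
    next
end

# 2. eBGP to the ISP router, authenticated with TCP MD5 so a rogue host on
#    the segment cannot peer with the firewall and inject routes
config router bgp
    set as 65001
    set router-id 10.0.3.2
    config neighbor
        edit "10.0.3.1"
            set remote-as 65002
            set password "<strong-shared-key>"
        next
    end
    config network
        edit 1
            set prefix 10.10.1.0 255.255.255.0
        next
    end
end

# 3. Policy routes, checked in order before the routing table: the management
#    subnet is forced out port1 toward the 10 Gbps ISP; the user subnet hits a
#    "stop policy routing" entry (action deny) and follows the routing table
config router policy
    edit 1
        set input-device "lan"
        set src "10.10.1.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 10.0.3.1
        set output-device "port1"
        set action permit
    next
    edit 2
        set input-device "lan"
        set src "10.10.2.0/255.255.255.0"
        set action deny
    next
end

# Verification
get router info bgp summary
get router info routing-table bgp
get router info routing-table details 8.8.8.8
diagnose firewall proute list
```

The details lookup answers "which route would this destination take" without generating traffic, and diagnose firewall proute list shows the policy routes in the order the FortiGate evaluates them, so a policy route that never matches is usually spotted there.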

Routing Table Monitor

Routing Table Monitor: in the FortiGate GUI it shows the active routes: static routes, the routes to the directly connected subnets assigned to FortiGate interfaces, and dynamically learned routes.

If an interface is down, its routes are not installed and do not appear in the monitor.

Steps to check Route Lookup in Routing Monitor

Select Route Lookup-> Add search Criteria -> Check Logs

Each of the route listed in routing table includes several attributes with associated values

Network Column: list the destination IP address and subnet mask which matched the routing table.

Interface Column: list the interface that will be used to deliver the packet

Distance Column: the administrative distance ranks routes from most preferred to least preferred. If there are multiple routes to the same destination with the same prefix length, the one with the smaller distance is installed and used for forwarding.

Distance value 0: directly connected

Distance value 5: DHCP gateway

Distance value 10: static routes

Distance value 20: external BGP

Distance value 110: OSPF routes

Distance value 120: RIP routes

Distance value 200: internal BGP

Routing Troubleshoot

The routing table holds only the active routes. A route that loses to a competing route on administrative distance is a standby route: it is kept in the routing database and becomes active when the preferred route disappears. Routes with equal distance but different priority values are all active; the one with the lowest priority value is used and the others serve as backup. A route whose interface is down or whose gateway is unreachable is inactive and appears in the routing database only.

Common Troubleshooting Commands for FortiGate Routing

Some of the commonly used FortiGate CLI commands are:

get router info routing-table all               # IPv4 routing table: active routes only
get router info6 routing-table                  # IPv6 routing table: active routes only

get router info routing-table database          # IPv4 routing database: active and standby/inactive routes
get router info6 routing-table database         # the same for IPv6

get router info routing-table details <ip>      # which route a given destination address would use

get router info kernel                          # IPv4 forwarding information from the kernel
get router info6 kernel                         # IPv6 forwarding information from the kernel

diagnose firewall proute list                   # IPv4 policy routes, including SD-WAN rules (load balancing)
diagnose firewall proute6 list                  # IPv6 policy routes

get router info <routing-protocol>              # state of an enabled routing protocol, e.g. get router info bgp summary

diagnose ip rtcache list                        # route cache: current sessions with their routing information

FortiGate Single Sign On: FSSO
https://networkinterview.com/fortigate-single-sign-on-fsso/ (Fri, 04 Aug 2023)

Single Sign On & FortiGate Single Sign On

Single Sign-On (SSO) is a process that lets users log in once and then be recognised by every application, regardless of platform, technology and domain.

FortiGate Single Sign-On (FSSO) is a set of software agents that let the FortiGate identify network users transparently, so that firewall policies and VPN access can be granted per user and group without the user authenticating again at the firewall.

Users who are already authenticated to the network (for example to the Windows domain) can pass through identity-based policies without providing their credentials a second time.

  • FSSO learns the user name, the IP address of the workstation and the user's group membership
  • The FortiGate allows access based on membership in the FSSO groups configured in its policies
  • Each FSSO method gathers login events differently
  • FSSO relies on a directory service, such as Windows Active Directory or Novell eDirectory

The FSSO deployment depends on the directory server in use.
Microsoft Active Directory (AD): uses a collector agent for FSSO, together with DC agents on, or polling of, the domain controllers.

Working Modes

Two working modes for user sign-on activities on windows

  • DC Agent Mode
  • Polling Mode

FSSO DC Agent Mode-

This is the recommended mode. A DC agent installed on each domain controller monitors user login events and forwards them to the collector agent, another FSSO component, which is generally installed on a Windows server that is a member of the domain you are monitoring.

The collector agent consolidates the events received from the DC agents and forwards them to the FortiGate. Collector agents are also responsible for group verification, workstation checks (verifying that the user is still logged on) and updating the FortiGate's login records.

The FSSO collector agent can send domain security groups, organisational units and global security group information to the FortiGate firewalls, and group filters let you restrict which of these are sent to each FortiGate.

 

Ways to Configure FortiGate Single Sign On in the Network

DC Agent mode is the recommended FSSO mode. One DC agent is installed on each Windows domain controller, so an organisation with multiple DCs needs multiple DC agents.

  • User authentication done by Windows DC
  • DC agents check the login event and forward the same to collector agent
  • In a similar way collector agent forward the event log to FortiGate
  • FortiGate knows the user based on IP address, so user doesn’t need authentication

 

Polling Mode can be collector-agent based or agentless.

First, the features of collector-agent based polling mode. Like DC Agent Mode, it requires a collector agent installed on a Windows server, but no DC agent on the domain controllers.

  • No FSSO DC agent is required
  • The collector agent polls each DC for user login events every few seconds. It uses SMB (TCP 445) to request the event logs, with TCP 135, TCP 139 and UDP 137 as fallbacks
  • Installation is less complex than DC Agent Mode, which reduces maintenance
  • The polling methods commonly used are
  • NetAPI
  • WinSecLog
  • WMI

Collector Agent-Based Polling Mode Process

  • User authenticates with DC
  • Collector Agents polls DC to get the login events data
  • Collector Agent forwards login data to FortiGate Firewall
  • User doesn’t require to authenticate

Agentless Polling Mode Process

Another Method for polling is Agentless and is called as Agentless Polling Mode Process

  • FortiGate frequently polls Domain Controller to get user event logs
  • User authenticates with the Domain Controller
  • FortiGate discovers polling login event in next poll
  • User doesn’t need to authenticate as FotiGate already aware whose traffic it is receiving

FSSO Configuration and Installation

Step -1 FSSO Agent Installation

Download FSSO Agent on Window AD Server 

1. Visit FortiGate support website https://support.fortinet.com

2. Download > Firmware Images

3. Select FortiGate and then click Download

4. Click v7.00 > 7.0 > 7.0.0 > FSSO

Install the Collector Agent on the server as Administrator

1. Set the user name of the account the FSSO service will run as (the installer requires an account with domain administrator privileges, which it needs in order to push DC agents onto the domain controllers)

2. Set its password

3. Enable Monitor user login events

4. Keep the standard features

Use a dedicated service account for this rather than a personal administrator account, and restrict who can log on to the collector server: the agent stores these credentials, and the server holds every user's logon-to-IP mapping.

Step- 2 After installing FSSO Agent , move ahead for DC Agent Installation Process

Please follow step 1 to step 5

1. Set Collector Agent IP address  and Set Installation listening  port

2. Select domain which will be monitored 

3. Exempt any user which you don’t want to monitor or comes under exceptional list

4. Select domain controllers

5. Set working mode as DC Agent Mode

FSSO Collector Agent Configuration

1. Enable Monitor user login events

2. Enable or disable NTLM authentication

3. Listening port for FortiGate: 8000

4. Listening port for DC Agents: 8002

5. Enable authentication between FortiGate and the Collector Agent and set the shared password; leaving this off lets any host that can reach TCP 8000 connect as if it were a FortiGate

6. Set the polling timer

Group Filter

The Collector Agent manages the group filters for each FortiGate. A group filter decides which user and group information is sent to a given FortiGate, and each filter is bound to that FortiGate's serial number. A FortiGate can hold at most 256 Windows AD user groups, so the filter is also how you stay below that limit and avoid sending group membership the firewall does not need.

1. Select Set Group Filters

2. The FortiGate Filter List tab opens

3. Select Add

4. Create the new group filter and bind the serial number of the FortiGate device to it
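The DC Agent and polling processes above all end in the same place: a table of source IP to user (and groups) that the FortiGate consults instead of authenticating the user, trimmed by the group filter bound to each FortiGate serial number. The following Python model, added here as an example and not Fortinet's code, replays constructed logon and logoff events through that logic so the two practical consequences are visible: a later logon from the same IP silently replaces the earlier user, and a group filter both limits what each FortiGate learns and drops users outside the permitted groups. The event format, user and group names, the ignore list and the FortiGate serial numbers are all assumptions.

```python
"""Model of how an FSSO Collector Agent turns domain-controller logon events
into the IP-to-user table a FortiGate consumes, including the per-FortiGate
group filter.

Added example for this article; it is not Fortinet code and does not speak
the real Collector Agent protocol. The event records, user names, group
names and FortiGate serial numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample of what a DC Agent or polling Collector Agent would pull
# from the Security event log, in arrival order. Fields are
# timestamp|event id|DOMAIN\user|source IP|groups (4624 = logon, 4634 = logoff).
SAMPLE_EVENTS = [
    "2024-05-01T08:00:01|4624|CORP\\alice|10.1.1.10|Domain Users;Finance",
    "2024-05-01T08:00:05|4624|CORP\\bob|10.1.1.11|Domain Users",
    "2024-05-01T08:00:09|4624|CORP\\dave|10.1.1.12|Domain Users",
    "2024-05-01T08:01:00|4624|CORP\\svc-backup|10.1.1.50|Domain Users;Service Accounts",
    # second logon from the IP bob is using: shared host or NAT
    "2024-05-01T08:05:00|4624|CORP\\carol|10.1.1.11|Domain Users;Finance",
    "2024-05-01T09:00:00|4634|CORP\\alice|10.1.1.10|",
]


@dataclass
class Session:
    user: str
    groups: Set[str]


@dataclass
class Event:
    event_id: int
    user: str
    ip: str
    groups: Set[str] = field(default_factory=set)


def parse_event(line: str) -> Event:
    """Parse one constructed log line (the agent's view of the event)."""
    _ts, eid, user, ip, groups = line.split("|")
    return Event(int(eid), user, ip, set(g for g in groups.split(";") if g))


class CollectorAgent:
    """Holds one entry per source IP: FSSO identifies traffic by IP, so a
    later logon from the same address replaces the earlier user."""

    def __init__(self, ignore_users: Set[str] = frozenset()):
        self.sessions: Dict[str, Session] = {}
        self.ignore_users = set(ignore_users)   # the installer's ignore list

    def ingest(self, ev: Event) -> None:
        if ev.user in self.ignore_users:
            return
        if ev.event_id == 4624:                 # logon: bind the IP to this user
            self.sessions[ev.ip] = Session(ev.user, ev.groups)
        elif ev.event_id == 4634:               # logoff: drop only if still this user
            cur = self.sessions.get(ev.ip)
            if cur is not None and cur.user == ev.user:
                del self.sessions[ev.ip]

    def export_for(self, serial: str, filters: Dict[str, Set[str]]) -> Dict[str, Session]:
        """Apply the group filter bound to this FortiGate's serial number.
        Modelled behaviour: only users in at least one permitted group are
        sent, and only their permitted groups are included."""
        allowed = filters.get(serial)
        if allowed is None:                     # no filter: send everything
            return dict(self.sessions)
        if len(allowed) > 256:                  # limit stated in the article
            raise ValueError("a FortiGate accepts at most 256 AD groups")
        exported: Dict[str, Session] = {}
        for ip, s in self.sessions.items():
            kept = s.groups & allowed
            if kept:
                exported[ip] = Session(s.user, kept)
        return exported


def identify(table: Dict[str, Session], src_ip: str) -> Optional[Session]:
    """The FortiGate side: per-packet identity is a pure lookup by source IP."""
    return table.get(src_ip)


def run_demo(serial: str) -> Dict[str, Session]:
    """Replay the constructed events and export the table for one FortiGate."""
    agent = CollectorAgent(ignore_users={"CORP\\svc-backup"})
    for line in SAMPLE_EVENTS:
        agent.ingest(parse_event(line))
    filters = {                                 # assumed serial numbers
        "FGT60F0000000001": {"Domain Users", "Finance"},
        "FGT60F0000000002": {"Finance"},
    }
    return agent.export_for(serial, filters)


if __name__ == "__main__":
    for ip, s in sorted(run_demo("FGT60F0000000001").items()):
        print(ip, s.user, sorted(s.groups))
```

Run it and note that 10.1.1.11 now belongs to carol although bob never logged off, which is exactly the situation the TS Agent exists for, and that the second FortiGate (filter Finance only) never hears about dave at all.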

 

Configure FSSO in FortiGate Firewall

1. Configure the LDAP server first.

2. Go to User & Device > LDAP Servers and select Create New.

3. Set the AD server name and IP address.

4. Set the Common Name Identifier (for example cn) and the Distinguished Name of the search base.

5. Set the bind username and password, enable Secure Connection (LDAPS) so the bind credentials are not sent in clear text, and use Test Connectivity to confirm the connection is successful.

6. Go to Security Fabric.

7. Select Fabric Connectors.

8. Under SSO/Identity, select Fortinet Single Sign-On Agent.

9. Name the connector.

10. Add the Primary FSSO Agent IP address and the password configured on the Collector Agent.

11. Apply and refresh the configuration.

12. Select View to see the groups reported by the Collector Agent's group filter.

13. Add the required groups to the FSSO connector and click OK.

14. Go back to User & Device > User Groups.

15. Add a new user group, name it and set the Type to Fortinet Single Sign-On (FSSO).

16. Add the FSSO groups as members.

17. Create the policy for the user group: go to Policy & Objects and select IPv4 Policy.

18. Name the security policy.

19. Set the source interface and, as source, the address objects together with the FSSO user group.

20. Set the destination and the service (for example web browsing) and fill in the other details.

21. Select OK.

Monitor Connectivity and Login Details of Users

On the FortiGate CLI, diagnose debug authd fsso server-status shows whether the Collector Agent is connected, and diagnose debug authd fsso list shows the user-to-IP mappings the firewall currently holds; check both before concluding that an identity-based policy is at fault.

Continue Reading:

Fortinet FortiGate HA (High Availability)

IPSec VPN Configuration: Fortigate Firewall

How to Reset FortiGate Firewall with the Factory Default Setting? (https://networkinterview.com/how-to-reset-fortigate-firewall/, Mon, 31 Jul 2023)

A factory default reset returns the device to its original default configuration and deletes every customized setting from the firewall.

Why do we need to reset the firewall to factory default?

  • The device has crashed and must be removed from the network
  • All configuration has to be wiped so the device can be reconfigured from scratch

Note: Do not run a factory reset on a device in production. It erases the whole firewall configuration, after which the firewall no longer passes traffic.

Pre-requisites to reset FortiGate Firewall

  1. Console access: you must be able to reach the device over the console port
  2. Admin rights
  3. A local site engineer with physical access to the device, to remove it from the network and provide console access if the device cannot boot on its own

3 Ways to factory reset FortiGate Firewall

There are three methods for performing a factory reset on a FortiGate device:

  1. From the device hardware (hard reset)
  2. From console access (CLI)
  3. From the web GUI

How to Reset FortiGate Firewall from Hardware Box?

Device Models Covered

  • FortiGate 60E/61E-POE
  • FortiGate/FortiWiFi 60F/61F
  • FG/FWF 40F, FortiGate-80F
  • FortiGate/FortiWiFi 60C
  • Other small-range FortiGate firewalls

Step 1

  • A local site contact must be available to perform the factory reset
  • Go to the back of the device where the console and USB ports are located

Step 2

  • A small recessed RESET button is located there
  • Press and hold the RESET button for 15-20 seconds

Step 3

  • The device reboots and comes up with factory default settings
  • The factory reset is complete

Because this method needs no credentials at all, anyone with physical access to the unit can wipe it and log in with the default admin account, so keep the appliance in a locked rack or cabinet.

How to Reset FortiGate Firewall from Console/CLI?

Device Scope

  • This method is available on all FortiGate firewalls.

Step 1

  • Get access to the firewall console
  • If you do not know the admin password, reset it from the console before resetting the firewall; that procedure is not covered here

Step 2

  • Run the following command on the CLI:

# execute factoryreset 

  • The firewall asks you to confirm the reset:
  • Do you want to continue? (y/n)
  • Press y to continue

Step 3

The firewall reboots with the factory default configuration and is reachable on the default management address https://192.168.1.99. The admin account also comes back with its factory credentials, so set a new password and restrict management access before reconnecting the device to the network.

How to Reset FortiGate Firewall from Web GUI?

  1. Log in to the device and select the main tab
  2. Click the CLI Console icon (top right corner)
  3. Open the CLI Console
  4. Run the factory reset command

# execute factoryreset

The firewall reboots with factory default settings.

Continue Reading:

How to Reset Palo Alto Firewall to Factory Default Settings

Routing Configuration in FortiGate Firewall: Static, Dynamic & Policy Based

FortiGate Firewall Policy: Rules, Types & Configuration (https://networkinterview.com/fortigate-firewall-policy/, Sat, 29 Jul 2023)

What Are Firewall Policies?

Firewall policies define which traffic matches them and what FortiGate does with traffic that matches: should it be allowed? FortiGate first bases this decision on simple criteria, such as the source of the traffic. If the policy does not block the traffic, FortiGate then starts the more computationally expensive security profile inspection, often called Unified Threat Management (UTM): Antivirus, Application Control, Web Filtering and so on, if you selected them in the policy.

Those scans can still block the traffic, for example if it contains a virus; otherwise the traffic is allowed. Firewall policies also answer other questions: will Network Address Translation (NAT) be applied, and is authentication required?

Once processing is finished, FortiGate forwards the packet towards its destination. FortiGate looks for a matching firewall policy from top to bottom; if a match is found the traffic is processed according to that policy, and if no policy matches the traffic is dropped by the default implicit deny policy at the end of the list.

FortiGate Firewall Policy Types & Components 

Each FortiGate firewall policy matches traffic and applies security by referring to objects such as addresses and profiles. 

1. Objects used by the policies

  • Interfaces and zones
  • Addresses, users and Internet service objects
  • Service definitions
  • Schedules 
  • NAT rules 
  • Security profiles

2. Policy Types:

  • Firewall policy (IPv4, IPv6)
  • Firewall virtual wire pair (IPv4, IPv6)
  • Proxy
  • Multicast
  • Local-in policy (origin or destination is the FortiGate itself)
  • DoS
  • Traffic shaping

How are Policy Matches Determined?

When a packet arrives, each policy is checked against matching criteria that you define with the following objects:

  • Incoming interface and outgoing interface
  • Source IP address, user or Internet service
  • Destination IP address or Internet service
  • Service (IP protocol and port number)
  • Schedule (the policy applies only during the configured times)

When the traffic matches the firewall policy, FortiGate applies the action configured in it. If the action is deny, FortiGate drops the session; if the action is accept, FortiGate applies the other settings configured in the policy for packet processing, such as Antivirus scanning, Web Filtering or source NAT.

Interfaces and Zones

Packets arrive on the incoming (ingress) interface; routing determines the outgoing (egress) interface. In each policy you must set a source and a destination interface, even if one or both are set to any, and both must match for the policy to match. You can group interfaces into logical zones and use the zone in the policy instead of the individual interfaces. 

By default you can select a single incoming interface and a single outgoing interface, but you can enable multiple interface selection in the firewall GUI. When you choose the any option for an interface, you cannot select additional interfaces for it.

Policy Matching Criteria

Matching By Source:

In each firewall policy you must select a source address object. You can refine the source definition by also selecting a user or user group. An FQDN (Fully Qualified Domain Name) can also be used as a source address, but it must be resolvable by DNS and cached on the FortiGate. 

If a user is added as a source, FortiGate must verify the user before allowing or denying access based on the firewall policy. There are different ways a user can authenticate. For local users, the username and password are configured on the FortiGate itself.

For remote users (LDAP or RADIUS), FortiGate receives the username and password from the user and passes them to the authentication server; the server verifies the credentials and tells FortiGate the result, and FortiGate then grants network access according to the firewall policy. For FortiGate Single Sign-On (FSSO) users, the identity is retrieved from the domain controller and access is granted based on the group information learned by FortiGate.

Matching By Destination:

FortiGate checks the destination address for a match; you can use address objects or Internet Service Database (ISDB) objects in a policy. An address object may be a hostname (FQDN), IP subnet or IP range. If you use an FQDN address object, make sure the FortiGate has DNS servers configured: FortiGate uses DNS to resolve FQDN objects to the IP addresses that actually appear in the IP headers. You can also use geographic addresses, the IP ranges allocated to a country, which are updated through FortiGuard.

Why is there no option to select a user on the destination side? User identification is determined at the ingress interface, and packets are forwarded to the egress interface only after the user has been authenticated.

Internet Service Objects

The Internet Service Database is a list of the IP addresses, IP protocols and port numbers used by the most common Internet services. FortiGate periodically downloads the newest version of this database from FortiGuard, and you can select its entries as source or destination in firewall policies.

What if you want to allow traffic only to a few well-known Internet service destinations such as Facebook or Dropbox? 

When configuring the firewall policy you can use the Internet service as the destination; it already contains all the IP addresses, ports and protocols used by that service. You cannot mix regular address objects with ISDB objects in the same field, and you cannot select a service on such a policy, because the service information is part of the ISDB object. Compare this with address objects, which you would have to review frequently to make sure none of the IP addresses have changed and the right ports are allowed: Internet service objects make this kind of deployment easier and simpler.

Policy Scheduling

A schedule adds a time element to a policy. You might use it to allow backup software to run at night, or to create a test window for remote addresses that is allowed only for testing purposes. Schedules use a 24-hour clock, and a few settings are worth mentioning:

  • Recurring: if you enable All Day, traffic is allowed for the whole 24 hours on the selected days. If you configure a stop time earlier than the start time, the stop time falls on the next day.
  • One Time: the start date and time must be earlier than the stop date and time. You can also enable a pre-expiration event log, which generates an event log a configured number of days before the schedule expires.

Configuring FortiGate Firewall Policy

When you configure a new firewall policy in the GUI you must give it a unique name, because the policy-name requirement is enabled by default. This helps administrators quickly identify the policy they are looking for. You can make names optional on the Feature Visibility page by enabling Allow Unnamed Policies.

There are many options you can configure on a firewall policy: firewall and network options, security profiles, logging options, and enabling or disabling the policy. When you create firewall objects or policies, a UUID (Universally Unique Identifier) attribute is added so that logs can record the UUID, which makes the logs easier to interpret in FortiAnalyzer.

Remember that FortiGate is a stateful firewall: you only need one firewall policy that matches the direction of the traffic that initiates the session. FortiGate records the source and destination and allows the replies automatically.

Please refer to step 1 to step 14 to configure a security policy on the FortiGate firewall:

  1. Go to Firewall Policy
  2. Select Create New in the top left corner
  3. Fill in the options on the screen and name the policy
  4. Select the incoming interface of the traffic
  5. Select the outgoing interface of the connection
  6. Select the source IP addresses/subnets
  7. Pick them from the address objects list
  8. Select the destination address
  9. Set the action to accept or deny as required
  10. Select the port/service 
  11. Pick the services from the service object list (right-hand side)
  12. Enable logging for the sessions 
  13. Select OK
  14. The finished policy then appears in the policy table
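To make the matching rules of this article concrete (top-to-bottom first match, the implicit deny, interface and zone matching, schedules that wrap past midnight, user-group requirements from FSSO, and the stateful handling of replies described just above), here is a small Python model of the evaluation, added as an example and not FortiOS code. The zone and interface names, addresses, policy names and packets are constructed for illustration; it goes slightly beyond the numbered steps by including an identity requirement and a night-time schedule so those two cases can be exercised as well.

```python
"""Model of how a FortiGate evaluates firewall policies: top-to-bottom first
match, the implicit deny at the end of the list, schedules, user-group
(FSSO) requirements and stateful handling of reply traffic.

Added example for this article, not FortiOS code. The zone and interface
names, addresses, policy names and packets are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

ANY = "any"
# Assumed zones: a zone name in a policy matches any of its member interfaces.
ZONES = {"LAN": {"port2", "port3"}, "WAN": {"port1"}}


@dataclass(frozen=True)
class Schedule:
    """Recurring schedule. A stop time earlier than the start time means the
    window runs past midnight into the next day."""
    start: time
    stop: time

    def active(self, at: datetime) -> bool:
        t = at.time()
        if self.start <= self.stop:
            return self.start <= t <= self.stop
        return t >= self.start or t <= self.stop


ALWAYS = Schedule(time(0, 0), time(23, 59, 59))


@dataclass
class Policy:
    name: str
    srcintf: str                      # interface, zone, or "any"
    dstintf: str
    srcaddr: List[str]                # CIDR strings or "all"
    dstaddr: List[str]
    services: List[Tuple[str, int]]   # (protocol, port); ("any", 0) = ALL
    action: str                       # "accept" or "deny"
    schedule: Schedule = ALWAYS
    groups: Set[str] = field(default_factory=set)  # empty = no identity required


@dataclass
class Packet:
    ingress: str
    egress: str          # chosen by routing before the policy lookup
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    user_groups: Set[str] = field(default_factory=set)  # from the FSSO table
    at: datetime = datetime(2024, 5, 1, 10, 0)


def intf_match(want: str, have: str) -> bool:
    return want == ANY or want == have or have in ZONES.get(want, ())


def addr_match(want: List[str], ip: str) -> bool:
    return any(w == "all" or ip_address(ip) in ip_network(w) for w in want)


def svc_match(want: List[Tuple[str, int]], proto: str, port: int) -> bool:
    return any(p == ANY or (p == proto and q in (0, port)) for p, q in want)


def matches(p: Policy, pkt: Packet) -> bool:
    """Every criterion of the policy must match the packet."""
    return bool(
        intf_match(p.srcintf, pkt.ingress) and intf_match(p.dstintf, pkt.egress)
        and addr_match(p.srcaddr, pkt.src) and addr_match(p.dstaddr, pkt.dst)
        and svc_match(p.services, pkt.proto, pkt.dport)
        and p.schedule.active(pkt.at)
        and (not p.groups or p.groups & pkt.user_groups)
    )


class Firewall:
    def __init__(self, policies: List[Policy]):
        self.policies = policies
        self.sessions: Set[tuple] = set()   # accepted 5-tuples

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful: a reply to an accepted session needs no reverse policy.
        if fwd in self.sessions or rev in self.sessions:
            return "accept (existing session)"
        for p in self.policies:              # first match wins, top to bottom
            if matches(p, pkt):
                if p.action == "accept":
                    self.sessions.add(fwd)
                return f"{p.action} ({p.name})"
        return "deny (implicit)"              # nothing matched


def run_demo() -> List[str]:
    """Constructed policy table and packets; returns one verdict per packet."""
    fw = Firewall([
        Policy("Block-Guest-SSH", "LAN", "WAN", ["10.1.2.0/24"], ["all"], [("tcp", 22)], "deny"),
        Policy("Finance-Web", "LAN", "WAN", ["10.1.0.0/16"], ["all"],
               [("tcp", 80), ("tcp", 443)], "accept", groups={"Finance"}),
        Policy("Backup-Night", "port3", "WAN", ["10.1.3.0/24"], ["all"], [("tcp", 873)],
               "accept", schedule=Schedule(time(22, 0), time(6, 0))),
    ])
    night, noon = datetime(2024, 5, 1, 23, 30), datetime(2024, 5, 1, 12, 0)
    packets = [
        Packet("port2", "port1", "10.1.2.5", "203.0.113.9", "tcp", 50000, 22),
        Packet("port2", "port1", "10.1.1.12", "203.0.113.9", "tcp", 50001, 443),            # no FSSO identity
        Packet("port2", "port1", "10.1.1.11", "203.0.113.9", "tcp", 50002, 443, {"Finance"}),
        Packet("port1", "port2", "203.0.113.9", "10.1.1.11", "tcp", 443, 50002),             # reply
        Packet("port3", "port1", "10.1.3.7", "203.0.113.20", "tcp", 40000, 873, at=night),
        Packet("port3", "port1", "10.1.3.7", "203.0.113.20", "tcp", 40001, 873, at=noon),
        Packet("port1", "port2", "198.51.100.7", "10.1.1.11", "tcp", 40002, 445),            # unsolicited inbound
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The ordering matters in the same way it does on the firewall: swapping the first two policies would let guest SSH through, because Finance-Web (with its broad source) would match first for any Finance user. The reply packet is accepted without a WAN-to-LAN policy only because the session table already holds the forward tuple, while the unsolicited inbound packet with no session falls through to the implicit deny.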

Security Profiles

One of the important features a firewall policy can apply is a security profile, such as IPS or Antivirus. A security profile inspects each packet in the traffic flow once the session has been conditionally accepted by the firewall policy.
When inspecting traffic FortiGate can use one of two methods: flow-based inspection or proxy-based inspection. Each inspection mode supports a different set of security features.
Security profiles configured in firewall policies protect the network by blocking threats, controlling access to specific applications and URLs, and preventing specific data from leaving your network.

Continue Reading:

FortiGate VDOM Configuration: Complete Guide

Routing Configuration in FortiGate Firewall: Static, Dynamic & Policy Based
