FortiGate III Student Guide-Online
Academic year: 2021

DO NOT REPRINT © FORTINET
FortiGate III Student Guide for FortiGate 5.2.1

Last Updated: 20 July 2015

We would like to acknowledge the following major contributors: Francois Ropert, David Chan, Adrian Buckley, Ondrej Holecek, Stephane Hamelin, and Mike Lobban.

Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names may be trademarks of their respective owners. Copyright © 2002 - 2015 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.

Table of Contents

Virtual Lab Basics  7
  Topology  8
  Logging In  8
  Disconnections/Timeouts  13
  Transferring Files to the VM  13
  Using HTML5 Instead of Java  13
  Screen Resolution  14
  International Keyboards  14
  Troubleshooting Tips  15
System Resources  17
  Objectives  17
  Time to Complete  17
  System, Processes and Crashlog  18
Network  21
  Objectives  21
  Time to Complete  21
  Exploring the Session Table  22
  Traffic sniffer  25
  Break and Fix: Connectivity Issues  28
  Tips for Troubleshooting  28
Firewall Policies  30
  Objectives  30
  Time to Complete  30
  Traffic Shaping  31
  Break and Fix: FTP Traffic  32
  Tips for Troubleshooting  33
Firewall Authentication  34
  Objectives  34
  Time to Complete  34
  Break and Fix: LDAP Authentication  35
  Tips for Troubleshooting  35
FSSO  37
  Objectives  37
  Time to Complete  37
  Installing FSSO  38
  Break and Fix: FSSO  42
  Tips for Troubleshooting  42
IPsec  44
  Objectives  44
  Time to Complete  44
  Break and Fix: IPsec VPN  45
  Tips for Troubleshooting  45
Security Profiles  47
  Objectives  47
  Time to Complete  47
  Break and Fix: Protection Profiles Part 1  48
  Tips for Troubleshooting  48
  Break and Fix: Protection Profiles Part 2  49
  Tips for Troubleshooting  50
Explicit Web Proxy  51
  Objectives  51
  Time to Complete  51
  Break and Fix: Web Proxy  52
  Tips for Troubleshooting  53
Operation Modes  55
  Objectives  55
  Time to Complete  55
  Transparent Mode  56
  NAT/Route Mode  60
  Break and Fix: NAT/Route Mode  62
  Tips for Troubleshooting  62
External BGP  63
  Objectives  63
  Time to Complete  63
  Break and Fix: BGP  64
  Tips for Troubleshooting  64
OSPF  66
  Objectives  66
  Time to Complete  66
  Break and Fix: OSPF  67
  Tips for Troubleshooting  67
High Availability  69
  Objectives  69
  Time to Complete  69
  Break and Fix: High Availability  70
  Tips for Troubleshooting  71
Appendix A: Additional Resources  72
Appendix B: Presentation Slides  73
  Module 1: Troubleshooting Concepts  74
  Module 2: System Resources  97
  Module 3: Network  147
  Module 4: Firewall Policies  174
  Module 5: Firewall Authentication  211
  Module 6: FSSO  241
  Module 7: IPsec  275
  Module 8: Security Profiles  312
  Module 9: Explicit Web Proxy  368
  Module 10: Operation Modes  390
  Module 11: External BGP  424
  Module 12: OSPF  456
  Module 13: High Availability  496

Virtual Lab Basics

In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.

Note: If your trainer asks you to use a different lab, such as devices physically located in your classroom, please ignore this section. It applies only to the virtual lab accessed through the Internet. If you do not know which lab to use, please ask your trainer.

Topology

[Lab topology diagram. Addresses recovered from the figure:]
- Student FortiGate: port1 10.200.1.1/24, port2 10.200.2.1/24, port3 10.0.1.254/24
- Remote FortiGate: port4 10.200.3.1/24, port5 10.200.4.1/24, port6 10.0.2.254/24
- Linux host (router): eth1 10.200.1.254, eth2 10.200.2.254, eth3 10.200.3.254, eth4 10.200.4.254, with the connection to the Internet
- FortiManager: port1 10.0.1.241, port2 10.200.1.241
- Win-Student: 10.0.1.10 (on the port3 segment of the Student FortiGate)
- Win-Remote: 10.0.2.10 (on the port6 segment of the Remote FortiGate)

Logging In

1. Run the System Checker. This fully verifies both compatibility with the virtual lab environment's software and that your computer can connect. It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy. Use the URL for your location:
North America/South America: https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West
Europe/Middle East/Africa: https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
Asia/Pacific: https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC
If a security confirmation dialog appears, click Run.

If your computer successfully connects to the virtual lab, the result messages for the browser and network checks will each display a check mark icon. Continue to the next step.

If a browser test fails, this will affect your ability to access the virtual lab environment. If a network test fails, this will affect the usability of the virtual lab environment. For solutions, either click the Support Knowledge Base link or ask your trainer.

2. With the user name and password from your trainer, log into the URL for the virtual lab. Either:
https://remotelabs.training.fortinet.com/

https://virtual.mclabs.com/

3. If prompted, select the time zone for your location, and then click Update. This ensures that your class schedule is accurate.

4. Click Enter Lab. A list of the virtual machines in your virtual lab should appear. From this page, you can access the console of any of your virtual devices by either clicking on the device's square or selecting System > Open.


5. Click Win-Student to open a connection to that server. A new window should open within a few seconds. (Depending on your account's preferences, the window may be a Java applet. If this fails, you may need to change browser settings to allow Java to run on this web site. You also may need to review and accept an SSL certificate.)

Depending on the virtual machine, the applet provides access to either the GUI or a text-based CLI. Connections to Windows machines use a Remote Desktop-like GUI. The applet should automatically log in, then display the Windows desktop. For most lab exercises, you will connect to this VM.

Disconnections/Timeouts

If your computer's connection with the virtual machine times out, or if you are accidentally disconnected, return to the initial window/tab that contains your session's list of VMs and open the VM again to regain access. If your session frequently times out or does not connect, ask your instructor.

Transferring Files to the VM

When using the Java applet to connect to a VM, you can drag and drop files from your computer to the VM. For example, if you have a FortiGate configuration file that you want to upload to your lab VM, you could create it on your computer and then drag it into the Java application window that is connected to the Windows VM. Usually the destination folder is C:\Uploads. Alternatively, if you store files in a cloud service such as Dropbox or SugarSync, you can use the web browser to download them to your VM instead.

Using HTML5 Instead of Java

When you open a VM, your browser may download and use a Java application to connect to the virtual lab's VM. This means that Java must be installed, updated, and enabled in your browser. Alternatively, you can use the HTML5 client instead. Click the Settings button and turn off the Use Java Client option. Click Save & Disconnect, then log in again. (To store this preference, your browser must allow cookies.)

When connecting to a VM, your browser should then open a display in a new window or tab.

Screen Resolution

Some Fortinet devices' user interfaces require a minimum screen size. In the Java client, to configure the screen resolution, click the arrow at the top of the window. In the HTML5 client, to configure the screen resolution, open the System menu.

International Keyboards

If characters in your language don't display correctly, the keyboard mappings may not be correct.

To solve this in the HTML5 client, open the Keyboard menu at the top of the window. Choose either to display an on-screen keyboard or to send text from your computer to the VM's clipboard. To solve this in the Java client, copy and paste between your computer and the Java applet, or send special characters or key combinations using the keyboard icon at the top of the applet window.

Troubleshooting Tips
- If the HTML5 client does not work, try the Java client instead. Remembering this preference requires that your browser allow cookies.
- Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection, including VPN tunnels or wireless such as 3G or Wi-Fi. For best performance, use a stable broadband connection such as a LAN.
- Do not disable or block Java applets. On Mac OS X since early 2014, to improve security, Java has been disabled by default; in your browser, you must allow Java for this web site. On Windows, if the Java applet is allowed and successfully downloads but does not appear to launch, you can open the Java console while troubleshooting: open the Control Panel, click Java, and change the Java console setting to Show console. Network firewalls can also block Java executables. Note: JavaScript is not the same as Java.

- Prepare your computer's settings:
  o Disable screen savers.
  o Change the power saving scheme so that your computer is always on and does not go to sleep or hibernate.
- If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal), attempt to reconnect. If unable to reconnect, notify the instructor.
- If during the labs, particularly when reloading configuration files, you see a message indicating that the VM is waiting for a response from the authentication server, you can retry immediately by going to the console and entering the CLI command:
exec update-now

System Resources

During this lab, you will learn to use some system and memory debug commands to describe the status of the unit. Additionally, you will generate and analyze a crashlog entry after intentionally killing one of the FortiGate processes.

Objectives
- Use debug commands to diagnose system problems.
- Use the crashlog for diagnostics.

Time to Complete
Estimated: 15 minutes

System, Processes and Crashlog

1. From the Win-Student server, log on to the Student FortiGate's GUI using the account admin with no password: http://10.0.1.254

2. From System -> Dashboard -> Status, click the Restore link inside the System Information widget.

3. Click Browse and select the configuration file for this lab: Resources\FortiGate III\System\Student\student-system.conf
Click Restore. The Student FortiGate will reboot. Wait a few minutes until it is back up.

4. Using PuTTY, connect over SSH to the Student FortiGate CLI (use the account admin with no password) and execute these commands to check the memory usage:
# get system status
# get system performance status
# diagnose hardware sysinfo memory
# diagnose hardware sysinfo shm
Analyze the outputs from the above commands and answer these questions:
- Is this unit running a 32-bit or 64-bit FortiOS?
- Does it have a hard disk for logging?
- How much memory is available?
- Is the unit in conserve mode?
- Why are the total high memory (HighTotal) and available high memory (HighFree) 0 MB?

5. Execute the following command to display the top 50 processes:
# diagnose sys top

6. Find one of these three processes: reportd, miglogd, or ipshelper. Write down its process ID (the first number from left to right).

7. Use the following command to kill the chosen process:
# diagnose sys kill 11 <process_id>
11 is the signal number: the FortiGate sends signal 11 (SIGSEGV, segmentation fault) to the process, so the daemon terminates as if it had crashed.
Caution: The kill command is used in this exercise to reproduce a process failure. Be careful, however, when using it on a FortiGate that is in production. Improperly killing a process can make a FortiGate system unstable.

8. Execute the following command one more time:
# diagnose sys top
Observe that the killed process is running again, but this time with a higher process ID. Each time a process starts, it takes the next available process ID.

9. Now check the crashlog:
# diagnose debug crashlog read
The output should contain entries similar to these:
93: 2015-03-04 07:47:34 Signal <11> was sent to process <00065> by user <admin>
94: 2015-03-04 07:47:34 <00065> firmware FortiGate-VM64 v5.2.1,build0618b618,140915 (GA) (Release)
95: 2015-03-04 07:47:34 <00065> application reportd

96: 2015-03-04 07:47:34 <00065> *** signal 11 (Segmentation fault) received ***
97: 2015-03-04 07:47:34 <00065> Register dump:
98: 2015-03-04 07:47:34 <00065> RAX: fffffffffffffffc RBX: 0000000000000000
99: 2015-03-04 07:47:34 <00065> RCX: ffffffffffffffff RDX: 0000000000000400
100: 2015-03-04 07:47:34 <00065> R8: 0000002a95d49de0 R9: 0000000000000000
...
120: 2015-03-04 07:47:35 <00065> [0x0043d14f] => /bin/reportd
121: 2015-03-04 07:47:35 <00065> [0x0043abfa] => /bin/reportd
122: 2015-03-04 07:47:35 <00065> [0x2a95c40475] => ../lib/libc.so.6 (__libc_start_main+0x000000f5)
123: 2015-03-04 07:47:35 liboffset 00021475
124: 2015-03-04 07:47:35 <00065> [0x0043aca1] => /bin/reportd
125: 2015-03-04 07:47:35 reportd received a signal - 11
126: 2015-03-04 07:47:36 the killed daemon is /bin/reportd: status=0x0
Check the first three lines. They contain the signal number and the user that sent it, the FortiOS build number, and the name of the process that failed (or was killed). The "was sent to process ... by user" line is what distinguishes an operator-initiated kill from a genuine crash: a daemon that dies on its own has no such line.
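The crashlog layout above is regular enough to parse mechanically, which is useful when a unit has many entries and you need to separate admin-initiated kills from unsolicited crashes. The following Python script is an added example and is not part of the Fortinet guide or of FortiOS. It groups crashlog lines by process ID and extracts the build, application, signal and backtrace frames. The sample input reuses the reportd entry from the lab (register lines abridged) plus a second, constructed entry for an ipshelper process that carries no "was sent by user" line.

```python
"""Parse FortiOS crashlog entries into structured records (added example)."""
import re
from typing import Dict, List

# Constructed sample: the reportd entry from the lab above (abridged), plus a
# made-up ipshelper entry (pid 00071) with no "Signal ... was sent by user"
# line, i.e. a genuine crash rather than an operator-initiated kill.
SAMPLE_CRASHLOG = """\
93: 2015-03-04 07:47:34 Signal <11> was sent to process <00065> by user <admin>
94: 2015-03-04 07:47:34 <00065> firmware FortiGate-VM64 v5.2.1,build0618b618,140915 (GA) (Release)
95: 2015-03-04 07:47:34 <00065> application reportd
96: 2015-03-04 07:47:34 <00065> *** signal 11 (Segmentation fault) received ***
97: 2015-03-04 07:47:34 <00065> Register dump:
98: 2015-03-04 07:47:34 <00065> RAX: fffffffffffffffc RBX: 0000000000000000
120: 2015-03-04 07:47:35 <00065> [0x0043d14f] => /bin/reportd
121: 2015-03-04 07:47:35 <00065> [0x0043abfa] => /bin/reportd
122: 2015-03-04 07:47:35 <00065> [0x2a95c40475] => ../lib/libc.so.6 (__libc_start_main+0x000000f5)
123: 2015-03-04 07:47:35 liboffset 00021475
124: 2015-03-04 07:47:35 <00065> [0x0043aca1] => /bin/reportd
125: 2015-03-04 07:47:35 reportd received a signal - 11
126: 2015-03-04 07:47:36 the killed daemon is /bin/reportd: status=0x0
127: 2015-03-05 09:12:01 <00071> firmware FortiGate-VM64 v5.2.1,build0618b618,140915 (GA) (Release)
128: 2015-03-05 09:12:01 <00071> application ipshelper
129: 2015-03-05 09:12:01 <00071> *** signal 11 (Segmentation fault) received ***
130: 2015-03-05 09:12:01 <00071> [0x00412ab0] => /bin/ipshelper
"""

LINE_RE = re.compile(r"^\d+:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(.*)$")
SENT_RE = re.compile(r"Signal <(\d+)> was sent to process <(\d+)> by user <(\w+)>")
FIRMWARE_RE = re.compile(r"<(\d+)> firmware (\S+) v([\d.]+),build(\d+)")
APP_RE = re.compile(r"<(\d+)> application (\S+)")
SIGNAL_RE = re.compile(r"<(\d+)> \*\*\* signal (\d+) \((.*?)\) received")
FRAME_RE = re.compile(r"<(\d+)> \[0x([0-9a-f]+)\] => (\S+)(?: \((\S+)\))?")


def parse_crashlog(text: str) -> List[Dict]:
    """Group crashlog lines by PID; one record per crashed process, in order
    of first appearance. Register-dump and liboffset lines are ignored."""
    crashes: Dict[int, Dict] = {}

    def rec(pid: str, ts: str) -> Dict:
        return crashes.setdefault(int(pid), {
            "pid": int(pid), "first_seen": ts, "sent_by": None,
            "firmware": None, "version": None, "build": None,
            "application": None, "signal": None, "signal_name": None,
            "frames": [],
        })

    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, body = m.groups()
        if (s := SENT_RE.search(body)):
            sig, pid, user = s.groups()
            r = rec(pid, ts)
            r["sent_by"], r["signal"] = user, int(sig)
        elif (f := FIRMWARE_RE.search(body)):
            pid, fw, ver, build = f.groups()
            r = rec(pid, ts)
            r["firmware"], r["version"], r["build"] = fw, ver, build
        elif (a := APP_RE.search(body)):
            rec(a.group(1), ts)["application"] = a.group(2)
        elif (g := SIGNAL_RE.search(body)):
            pid, sig, name = g.groups()
            r = rec(pid, ts)
            r["signal"], r["signal_name"] = int(sig), name
        elif (fr := FRAME_RE.search(body)):
            pid, addr, module, symbol = fr.groups()
            rec(pid, ts)["frames"].append(
                {"addr": int(addr, 16), "module": module, "symbol": symbol})
    return list(crashes.values())


def is_operator_induced(crash: Dict) -> bool:
    """True when the crashlog records that an admin user sent the signal (as
    in the lab), so the entry is not evidence of a software fault."""
    return crash["sent_by"] is not None


def summarize(crash: Dict) -> str:
    origin = f"sent by {crash['sent_by']}" if is_operator_induced(crash) else "unsolicited"
    return (f"{crash['application']} pid={crash['pid']} build={crash['build']} "
            f"signal={crash['signal']} ({crash['signal_name']}) {origin}, "
            f"{len(crash['frames'])} frames")


if __name__ == "__main__":
    for c in parse_crashlog(SAMPLE_CRASHLOG):
        print(summarize(c))
```

On a real unit, feed the script the saved output of diagnose debug crashlog read; any record where is_operator_induced() is false is a daemon that died without an admin kill and deserves a look at its build and backtrace.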

Network

The following lab exercises show how to use some debug commands to troubleshoot connectivity problems. You will analyze the information in the FortiGate session table, run the built-in sniffer, and use the debug flow to understand how the FortiGate processes each IP packet.

Objectives
- Analyze the information in the session table.
- Capture traffic using the built-in sniffer tool.
- Use CLI troubleshooting utilities and tools.

Time to Complete
Estimated: 50 minutes

Exploring the Session Table

During this exercise you will analyze the information displayed in the FortiGate session table.

1. From the Win-Student server, log on to the Remote FortiGate's GUI first, using the account admin with no password: http://10.200.3.1

2. Find the Resources folder on the desktop and upload the Remote configuration file for this lab: Resources\FortiGate III\General\Remote\remote-general.conf
The Remote FortiGate will reboot. Wait a few minutes until it is back up.

3. Log on to the Student FortiGate's GUI using the account admin with no password: http://10.0.1.254

4. Upload the Student configuration file for this lab: Resources\FortiGate III\General\Student\student-general.conf
The Student FortiGate will reboot. Wait a few minutes until it is back up.

5. Open a command prompt window in the Win-Student server and ping the Student FortiGate's default gateway:
> ping 10.200.1.254

6. Using PuTTY, connect over SSH to the Student FortiGate CLI and execute these commands:
# diagnose sys session filter clear
# diagnose sys session filter proto 1
# diagnose sys session filter dst 10.200.1.254
# diagnose sys session list
Analyze the information related to the ICMP session created for the test traffic:
session info: proto=1 proto_state=00 duration=726 expire=63276 timeout=64000 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty none app_ntf
statistic(bytes/packets/allow_err): org=240/4/1 reply=240/4/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=4->2/2->4 gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:1>10.200.1.254:8(10.200.1.1:62464)
hook=pre dir=reply act=dnat 10.200.1.254:62464>10.200.1.1:0(10.0.1.10:1)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=00000243 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
Observe the following in the session:
- The may_dirty flag.
- The statistics line, which should correctly display the number of ICMP packets sent and received.
- The source NAT information (the original source 10.0.1.10 is translated to port1's address 10.200.1.1).
- The ID of the policy matching the traffic.
- The protocol state, whose value is always 00 for ICMP traffic.
You will also notice that the expiration timer (expire) and timeout are unusually high. The default timeout for ICMP sessions is 60 seconds. To give you more time to analyze the session information, the ICMP session timeout was increased to 64,000 seconds in this lab configuration. You can see this setting with the CLI command:
# show system session-ttl

7. Stop the ping (if it is still running) and access the Student FortiGate GUI. Go to Policy & Objects > Policy > IPv4 and edit the firewall policy with the sequence number 1 (the first one from top to bottom). Click Enable this policy and then OK.
After a firewall policy configuration change, the FortiGate adds the dirty flag to all sessions that carry the may_dirty flag. The next time there is traffic matching any of those sessions, the FortiGate re-evaluates the policy lookup and the action to take instead of trusting the cached session.

8. Execute this command in the Student FortiGate CLI and observe that the session now has the dirty flag:
# diagnose sys session list

9. Run the ping one more time from the Win-Student server to 10.200.1.254:
> ping 10.200.1.254
It should fail, as the firewall policy enabled earlier blocks ICMP traffic. Quickly check the session information one more time:
# diagnose sys session list
If you do it fast enough, you will notice that the session is still there but the block flag was added. All traffic matching a session with that flag is denied. Also, the session expiration time is much smaller now. The session will remain in the FortiGate memory until this timer expires (30 seconds).

10. Before proceeding to the next lab exercise, go to Policy & Objects > Policy > IPv4 and disable the firewall policy with the sequence number 1 (the one blocking the ICMP traffic).
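When reviewing many sessions at once (for example, a session list dumped while chasing a suspicious flow), it helps to turn the text above into structured fields and let a script flag the state the exercise has you watch for by eye. The following Python script is an added example, not part of the Fortinet guide: it parses a diagnose sys session list entry into a dictionary, extracts the NAT lines, statistics and state flags, and reports whether the session is allowed, marked dirty for re-evaluation, or blocked. The first sample is the ICMP session shown in the exercise; the second, blocked variant is constructed to mimic the state after step 9 (flag names and the 30-second timer are taken from the text).

```python
"""Parse a FortiGate `diagnose sys session list` entry (added example)."""
import re
from typing import Dict

# The ICMP session from the exercise above, one field group per line.
SAMPLE_SESSION = """\
session info: proto=1 proto_state=00 duration=726 expire=63276 timeout=64000 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty none app_ntf
statistic(bytes/packets/allow_err): org=240/4/1 reply=240/4/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=4->2/2->4 gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:1>10.200.1.254:8(10.200.1.1:62464)
hook=pre dir=reply act=dnat 10.200.1.254:62464>10.200.1.1:0(10.0.1.10:1)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=00000243 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
"""

# Constructed: the same session after the blocking policy was enabled and the
# ping retried (dirty and block flags set, expire timer counting down from 30).
BLOCKED_SESSION = SAMPLE_SESSION.replace(
    "state=may_dirty none app_ntf", "state=may_dirty dirty block app_ntf"
).replace("expire=63276", "expire=27")

KV_RE = re.compile(r"([\w\-]+)=(\S*)")
NAT_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+?)>(\S+?)\((\S+?)\)")
STAT_RE = re.compile(r"(org|reply)=(\d+)/(\d+)/(\d+)")
INT_KEYS = {"proto", "duration", "expire", "timeout", "use", "policy_id", "vd", "ha_id"}
ICMP_DEFAULT_TTL = 60  # default ICMP session timeout quoted in the exercise


def parse_session(text: str) -> Dict:
    """Return a dict of session fields; 'state' is the flag list, 'nat' the
    translation entries and 'stats' the per-direction counters."""
    sess: Dict = {"state": [], "nat": [], "stats": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("state="):
            # 'none' is a placeholder printed by FortiOS, not a flag
            sess["state"] = [f for f in line[len("state="):].split() if f != "none"]
            continue
        m = NAT_RE.match(line)
        if m:
            hook, direction, act, src, dst, xlate = m.groups()
            sess["nat"].append({"hook": hook, "dir": direction, "act": act,
                                "src": src, "dst": dst, "translated": xlate})
            continue
        if line.startswith("statistic"):
            for d, b, p, e in STAT_RE.findall(line):
                sess["stats"][d] = {"bytes": int(b), "packets": int(p), "allow_err": int(e)}
            t = re.search(r"tuples=(\d+)", line)
            if t:
                sess["tuples"] = int(t.group(1))
            continue
        for k, v in KV_RE.findall(line):
            # proto_state stays a string ("00", "01", ...) since it is a code, not a count
            sess[k] = int(v) if k in INT_KEYS and v.isdigit() else v
    return sess


def session_verdict(sess: Dict) -> str:
    flags = set(sess["state"])
    if "block" in flags:
        return "blocked"    # every packet matching the session is dropped
    if "dirty" in flags:
        return "dirty"      # policy is re-evaluated on the next packet
    return "allowed"


def has_nondefault_ttl(sess: Dict, default: int = ICMP_DEFAULT_TTL) -> bool:
    """Flag a session whose configured timeout departs from the expected
    default (such as the 64,000 s lab value); check config system session-ttl."""
    return sess.get("timeout", default) != default


if __name__ == "__main__":
    for sample in (SAMPLE_SESSION, BLOCKED_SESSION):
        s = parse_session(sample)
        print(f"policy {s['policy_id']} proto {s['proto']} expire {s['expire']}s "
              f"flags={s['state']} -> {session_verdict(s)}")
```

Run against a full session list by splitting the output on "session info:" and feeding each chunk to parse_session(); a session that is "blocked" but still present is exactly what step 9 shows, a stale entry held until its (now short) timer expires.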

Traffic sniffer

During this exercise, you will use the FortiGate built-in sniffer to capture traffic. After that, you will use a Perl script to convert the capture to a PCAP file that can be analyzed by a packet analyzer such as Wireshark.

1. Open an SSH connection to the Student FortiGate using PuTTY.

2. Click on the upper left icon and select Change Settings. Go to Session -> Logging and select All session output. Then click Browse and select the folder c:\Perl64\bin. Click Save, and then Apply. With this change, PuTTY saves all the sniffer output into a text file named putty.log.

3. Type the following command in the Student FortiGate CLI to start the sniffer:
# diagnose sniffer packet port1 "host 10.200.1.254 and port 80" 3
Verbosity 3 prints the packet header and the full Ethernet frame as a hex dump, which is what the conversion script needs to rebuild each packet.

4. Open a browser and access this URL: http://10.200.1.254
You should observe the packets captured in the PuTTY window.

5. Close PuTTY and open a command prompt window. Execute these commands:
> cd \Perl64\bin
> perl fgt2eth.pl -in putty.log
The Perl script fgt2eth.pl converts the captured output to a PCAP file with the name putty.log.pcap.

6. Use Windows File Explorer and double-click the created file: c:\Perl64\bin\putty.log.pcap
This starts Wireshark and opens the file for analysis.

7. Observe the information in the captured packets. Right-click any packet and select Follow TCP Stream. Observe the new window that pops up. It shows the application-layer data between the client and the server for that specific TCP session.

Note: Follow TCP Stream is a useful tool to troubleshoot problems at the application layer.
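The conversion fgt2eth.pl performs is simple enough to reproduce, and doing so shows what the verbosity-3 output actually contains. The following Python script is an added example, not Fortinet's script and not part of the guide: it parses the sniffer's summary lines and hex-dump rows back into raw Ethernet frames, cross-checks the IPv4 addresses in the rebuilt bytes against the summary line, and writes a standard pcap (link type 1, Ethernet) that Wireshark opens directly. The sample capture is constructed (a TCP SYN and SYN/ACK between 10.200.1.1, the SNAT address seen on port1, and 10.200.1.254) with MAC addresses and checksums invented for the example.

```python
"""Convert FortiGate `diagnose sniffer packet ... 3` output to pcap (added example)."""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the verbosity-3 layout: a summary line per packet
# (relative timestamp, endpoints, TCP flags) followed by hex-dump rows of the
# whole Ethernet frame. MACs and checksums are made up for the example.
SAMPLE_SNIFFER = """\
interfaces=[port1]
filters=[host 10.200.1.254 and port 80]
2.652586 10.200.1.1.49152 -> 10.200.1.254.80: syn 1
0x0000\t000c 29aa bbcc 0009 0f09 0001 0800 4500\t..)...........E.
0x0010\t0028 0001 4000 4006 0000 0ac8 0101 0ac8\t.(..@.@.........
0x0020\t01fe c000 0050 0000 0001 0000 0000 5002\t.....P........P.
0x0030\tffff 0000 0000\t......
2.652986 10.200.1.254.80 -> 10.200.1.1.49152: syn 256 ack 2
0x0000\t0009 0f09 0001 000c 29aa bbcc 0800 4500\t........).....E.
0x0010\t0028 0000 4000 4006 0000 0ac8 01fe 0ac8\t.(..@.@.........
0x0020\t0101 0050 c000 0000 0100 0000 0002 5012\t...P..........P.
0x0030\tffff 0000 0000\t......
"""

HEADER_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+->\s+(\S+):\s*(.*)$")
HEX_RE = re.compile(r"^0x([0-9a-f]{4})\s+(.*)$")
HEXGROUP_RE = re.compile(r"^[0-9a-f]{2,4}$")
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    timestamp: float
    src: str
    dst: str
    summary: str
    data: bytes


def parse_sniffer(text: str) -> List[Packet]:
    """Rebuild frames from summary lines and their hex-dump rows."""
    packets: List[Packet] = []
    current: Optional[Packet] = None
    for raw in text.splitlines():
        h = HEADER_RE.match(raw)
        if h:
            ts, src, dst, summary = h.groups()
            current = Packet(float(ts), src, dst, summary, b"")
            packets.append(current)
            continue
        x = HEX_RE.match(raw)
        if x and current is not None:
            offset = int(x.group(1), 16)
            if offset != len(current.data):
                raise ValueError(f"hex row at {offset:#x} does not follow previous row")
            hexbytes = ""
            for tok in x.group(2).split():
                # Stop at the ASCII column; a row carries at most 16 bytes.
                # (A short final row whose ASCII text happens to look like hex
                # would be misread; fgt2eth.pl has the same limitation.)
                if not HEXGROUP_RE.match(tok) or len(hexbytes) >= 32:
                    break
                hexbytes += tok
            current.data += bytes.fromhex(hexbytes)
    return packets


def ipv4_endpoints(data: bytes) -> Optional[Tuple[str, str, int]]:
    """Decode (src, dst, protocol) from the IPv4 header behind an Ethernet
    header; lets you confirm the rebuilt bytes agree with the summary line."""
    if len(data) < 34 or data[12:14] != b"\x08\x00":
        return None
    src = ".".join(str(b) for b in data[26:30])
    dst = ".".join(str(b) for b in data[30:34])
    return src, dst, data[23]


def to_pcap(packets: List[Packet]) -> bytes:
    """Serialize to the classic little-endian pcap format."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for p in packets:
        sec = int(p.timestamp)
        usec = int(round((p.timestamp - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(p.data), len(p.data))
        out += p.data
    return bytes(out)


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE_SNIFFER)
    with open("sniffer.pcap", "wb") as fh:
        fh.write(to_pcap(pkts))
    for p in pkts:
        print(f"{p.timestamp:.6f} {p.src} -> {p.dst} {p.summary} "
              f"({len(p.data)} bytes, ip={ipv4_endpoints(p.data)})")
```

Only verbosity 3 or 6 output converts cleanly: verbosity 2 and 5 dump from the IP header onward, so a pcap written from them would need link type 101 (raw IP) instead of Ethernet.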

(28) DO NOT REPRINT © FORTINET.  Network. Break and Fix: Connectivity Issues In this exercise, your environment is simulating the following customer network:. 10.200.1.254/24 STUDENT FortiGate. 10.200.1.1/24 port1. Web server 10.200.3.254. port3 10.0.1.254/24. port2 10.200.2.1/24 10.200.2.10/24 WIN-STUDENT 10.0.1.10. REMOTE HOST 10.200.4.1/24. There are however four problems: 1. Although the Telnet protocol is enabled for administrative access in the Student FortiGate's port3 (10.0.1.254), you cannot access the unit's CLI using telnet. 2. You cannot access the web server (http://10.200.3.254) from Win-Student. 3. You cannot ping the remote host (10.200.4.1) from Win-Student. 4. You cannot access the GUI of the router 10.200.1.254 from Win-Student. The router GUI must be accessible by using the URL: http://10.200.1.254:88 Find the causes of these problems by using first debug commands, before looking for configuration mistakes. In which of the four problems the FortiGate is doing something wrong and in which ones it is not?. Tips for Troubleshooting . Can you ping the destination IP address from the Win-Student server?. . Use the sniffer tool to verify that the traffic is actually arriving to the FortiGate's port3. Use verbosity 4 or 6 and a filter that can capture the traffic both ways. . If the traffic is not intended to terminate in the FortiGate, use the sniffer to check that it is actually been forwarded to the next hop IP address (use the network diagram provided.) Again, use a filter in the sniffer that can capture the traffic both ways. FortiGate III Student Guide. 28.

- Check the session table. Is the FortiGate creating the session? Check the session protocol state. Do you see anything wrong there?
- Clear the related session (if any) from the session table, enable the debug flow and generate more test traffic. Do you see any debug flow error?
- Try to ping the next hop IP address from the Student FortiGate. Sniff the traffic to the next hop IP address while doing it. You can have two simultaneous SSH connections, one running the sniffer and the other running the ping.

Firewall Policies

During these lab exercises you will configure and monitor traffic shaping. Additionally, you will troubleshoot and fix a connection problem to an FTP server.

Objectives
- Monitor statistics related to traffic shaping.
- Troubleshoot an FTP connection issue.

Time to Complete
Estimated: 40 minutes

Traffic Shaping

1. Log on to the Student FortiGate’s GUI using the account admin with no password:
   http://10.0.1.254
2. Upload the Student configuration file for this lab:
   Resources\FortiGate III\Firewall-Policies\Student\student-policy.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.
3. Go to Policy & Objects > Objects > Traffic Shapers and click Create New. Configure the following settings:
   Type               Shared
   Name               SharedPolicy
   Apply shaper       All policies using this shaper
   Traffic Priority   High
   Max Bandwidth      10 Kb/s
   Click OK.
4. Go to Policy & Objects > Policy > IPv4 and edit the first policy at the top. Enable Shared Shaper and select SharedPolicy. Click OK.
5. From a browser in Win-Student, go to http://www.youtube.com and play some videos.
6. While playing the videos, execute these CLI commands:
   # diagnose firewall shaper traffic-shaper stats
   # diagnose firewall shaper traffic-shaper list
   Locate the counters for packet drops. Execute the above commands a few more times and notice how those counters increase with the traffic.
7. Before proceeding to the next lab exercise, go to Policy & Objects > Policy > IPv4 and edit the first policy at the top one more time. Disable Shared Shaper and click OK.

Break and Fix: FTP Traffic

An FTP server is running on the Linux server 10.200.3.254:222. The network administrator has installed FileZilla on all the workstations. The administrator has also added a pre-configured Site profile to FileZilla called FTPsite. To connect to the server from any workstation, users open FileZilla, click Site Manager, select the site FTPsite and click Connect.

However, you cannot connect to the FTP server from Win-Student. FileZilla shows an error after each connection attempt.

The problem only happens with the workstations connected behind the Student FortiGate. Workstations in other subnets can connect successfully.

Can you find out what the FortiGate is doing wrong? What has to be done to fix the problem?

Tips for Troubleshooting
- Understand first which TCP ports are used for this connection. The control channel uses port TCP 222. The data channel uses the standard port TCP 20.
- Understand also how the traffic flows. Is this FTP server working in active or passive mode? In active mode the data channel is initiated by the server. In passive mode the data channel is initiated by the client. Sniff the traffic on the FortiGate and on the Linux server to determine who is initiating the data channel. To run the sniffer on the Linux server, follow these steps:
  1. Connect via SSH to the Linux server (10.200.1.254). Use the username root with the password password.
  2. Execute the following command to sniff the data channel:
     # tcpdump -v -i any -nn port 20
     You can also sniff the control channel traffic with this other command:
     # tcpdump -v -i any -nn port 222
- Use the FortiGate's built-in sniffer to capture the control channel traffic (port 222) before and after the FortiGate. Use a verbosity level of either 3 or 6 and save the output to a file. After that, use the Perl script to convert it to Wireshark format (as explained in an earlier lab exercise) and analyze it.
- Run the debug flow over the FTP control channel and analyze the output. Is there anything missing there?
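To reason about the second tip (who opens the data channel), it helps to see exactly what the control channel announces. The following Python example is added to this guide and is not part of the lab material: it decodes the h1,h2,h3,h4,p1,p2 tuple carried by the PORT command and by the 227 reply to PASV, walks a control-channel transcript to list the data connections it announces, and derives the TCP connection a firewall in the path must allow for each of them. This is the same information an FTP session helper has to extract from the control channel in order to open the data channel (and to rewrite the announced address when NAT is in use). Both transcripts are constructed for the example; the server address 10.200.3.254 is the one from the exercise.

```python
import re
from typing import List, Optional, Tuple

HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text: str) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply to PASV.
    The port is p1 * 256 + p2."""
    match = HOST_PORT_RE.search(text)
    if match is None:
        raise ValueError(f"no host/port tuple in: {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in: {text!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


# Constructed control-channel transcripts as the FortiGate would see them on TCP 222.
# ("C", line) is client -> server, ("S", line) is server -> client. Banner text is made up.
ACTIVE_SESSION = [
    ("S", "220 FTP server ready."),
    ("C", "USER anonymous"), ("S", "331 Please specify the password."),
    ("C", "PASS guest"), ("S", "230 Login successful."),
    ("C", "PORT 10,0,1,10,195,80"), ("S", "200 PORT command successful."),
    ("C", "LIST"), ("S", "150 Here comes the directory listing."),
]
PASSIVE_SESSION = [
    ("S", "220 FTP server ready."),
    ("C", "USER anonymous"), ("S", "331 Please specify the password."),
    ("C", "PASS guest"), ("S", "230 Login successful."),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (10,200,3,254,156,64)."),
    ("C", "RETR eicar.com"), ("S", "150 Opening BINARY mode data connection."),
]


def data_channel_plan(transcript: List[Tuple[str, str]]) -> List[Tuple[str, str, int]]:
    """Return the data connections announced on the control channel:
    ("active", client_ip, client_port) after a PORT command, meaning the server will
    connect from TCP 20 to that endpoint; ("passive", server_ip, server_port) after
    a 227 reply to PASV, meaning the client will connect to that endpoint."""
    plans: List[Tuple[str, str, int]] = []
    awaiting_227 = False
    for direction, line in transcript:
        verb = line.split(" ", 1)[0].upper()
        if direction == "C" and verb == "PORT":
            ip, port = decode_host_port(line)
            plans.append(("active", ip, port))
        elif direction == "C" and verb == "PASV":
            awaiting_227 = True
        elif direction == "S" and line.startswith("227") and awaiting_227:
            ip, port = decode_host_port(line)
            plans.append(("passive", ip, port))
            awaiting_227 = False
    return plans


def expected_data_connection(plan: Tuple[str, str, int], client_ip: str,
                             server_ip: str) -> Tuple[str, Optional[int], str, int]:
    """The TCP connection a firewall between client and server must allow for this plan,
    as (src_ip, src_port, dst_ip, dst_port). None stands for an ephemeral client port.
    In active mode the announced address is the client's own address, which is why a
    NAT device has to rewrite it and open the reverse-direction connection itself."""
    mode, ip, port = plan
    if mode == "active":
        return (server_ip, 20, ip, port)
    return (client_ip, None, ip, port)


if __name__ == "__main__":
    for name, transcript in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        for plan in data_channel_plan(transcript):
            print(name, plan, "->", expected_data_connection(plan, "10.0.1.10", "10.200.3.254"))
```

Feed it the reassembled control channel from a capture (one tuple per line, direction taken from the packet's source address) and the output tells you which side must be allowed to open the data connection, and to where.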

Firewall Authentication

During this lab you will learn to use the authentication and LDAP debug commands to troubleshoot an authentication issue.

Objectives
- Monitor the status of authenticated users.
- Troubleshoot problems related to LDAP authentication.

Time to Complete
Estimated: 40 minutes

Break and Fix: LDAP Authentication

1. Log on to the Student FortiGate’s GUI using the account admin with no password:
   http://10.0.1.254
2. Upload the Student configuration file for this lab:
   Resources\FortiGate III\Firewall-Authentication\Student\studentauthentication.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.

An administrator has configured the Student FortiGate to do LDAP authentication against the Windows AD server located at 10.0.1.10 (Win-Student). However, authentication is failing. Two LDAP users have been created in the Windows AD server:
- Username: student, password: Fort1net
  Must not have access to information technology sites, such as www.fortinet.com.
  Belongs to the Windows AD group: CN=Domain Users,CN=Users,DC=trainingAD,DC=training,DC=lab
  Traffic from this user must match the firewall policy created for the user group LDAPUsers, which contains the web filter profile NoITSites. Do not change this web filtering configuration.
- Username: administrator, password: password
  Must have unrestricted access to the Internet.
  Belongs to the Windows AD group: CN=Enterprise Admins,CN=Users,DC=trainingAD,DC=training,DC=lab
  Traffic from this user must match the firewall policy created for the user group Enterprise Admins, which does not have any web filter profile. Do not create any web filter profile for this policy. Leave it without any.

Use the authentication and LDAP debug commands learned to isolate and fix the problem. Can you explain why the FortiGate is not challenging users to authenticate? Can you change the FortiGate configuration to fix the problem? Can you change the FortiGate configuration to properly restrict the Internet access of the user student, while leaving unrestricted access to the user administrator?

Tips for Troubleshooting
- First, test the LDAP authentication from the CLI after enabling the real time debug command:
  # diagnose debug application fnbamd -1
  # diagnose debug enable

  # diagnose test authserver ldap WindowsLDAP administrator password
  # diagnose test authserver ldap WindowsLDAP student Fort1net
- Check the Distinguished Name (DN) for student and administrator by running these commands in Win-Student:
  > dsquery user -name student
  > dsquery user -name administrator
- Once the LDAP CLI test works, check the firewall authentication by browsing the Internet from Win-Student. Look at the session table or run the debug flow to know which firewall policy is matching the traffic.
- The output of the LDAP test command shows the user groups for each user. Compare them with the groups configured in each firewall policy.
- After any configuration change, de-authenticate the users from the FortiGate and clear the browser cache (or refresh the page with the F5 key). It is also recommended to clear the related entries in the session table:
  # diagnose sys session filter dport 80
  # diagnose sys session clear
  To de-authenticate a user, go to User & Device -> Monitor -> Firewall, select the user and click De-authenticate.
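When comparing the groups returned by the LDAP test with those configured in the firewall policies, two details matter: DN comparison is case-insensitive and ignores spacing around the commas, and firewall policies are evaluated top-down, so a user who belongs to several groups matches the first policy in the list that contains any of them. The following Python example, added here and not part of Fortinet's material, normalizes DNs (including the quoted DNs that dsquery prints) and applies that first-match rule to an ordered policy list. The dsquery output, the group memberships and both policy lists are constructed for the example; only the two group DNs come from the exercise text.

```python
import re
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]
NormalizedDN = Tuple[RDN, ...]


def normalize_dn(dn: str) -> NormalizedDN:
    """Split a DN into (type, value) RDNs, lower-casing both and collapsing the spaces
    around commas, so that DNs that differ only in case or spacing compare equal.
    Escaped commas (\\,) inside a value are kept as part of that value."""
    parts = re.split(r"(?<!\\),", dn.strip().strip('"'))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(rdns)


def dns_from_dsquery(output: str) -> List[NormalizedDN]:
    """dsquery prints one quoted DN per line; return them normalized."""
    return [normalize_dn(line) for line in output.splitlines() if line.strip()]


# Constructed dsquery output for the user "student" (the value is made up).
DSQUERY_STUDENT = '"CN=student,CN=Users,DC=trainingAD,DC=training,DC=lab"\n'

# Constructed group memberships as the LDAP test command would report them. Note that
# an Enterprise Admin is normally also a Domain User, which matters for policy order.
USER_GROUPS: Dict[str, List[str]] = {
    "student": ["CN=Domain Users,CN=Users,DC=trainingAD,DC=training,DC=lab"],
    "administrator": [
        "CN=Enterprise Admins,CN=Users,DC=trainingAD,DC=training,DC=lab",
        "CN=Domain Users,CN=Users,DC=trainingAD,DC=training,DC=lab",
    ],
}

# Constructed ordered policy lists: (policy name, group DNs attached to it), top first.
# The first list puts the broad group on top, so it shadows the more specific policy.
POLICIES_BROAD_FIRST = [
    ("LDAPUsers", ["cn=domain users, cn=users, dc=trainingad, dc=training, dc=lab"]),
    ("Enterprise Admins", ["CN=Enterprise Admins,CN=Users,DC=trainingAD,DC=training,DC=lab"]),
]
POLICIES_SPECIFIC_FIRST = list(reversed(POLICIES_BROAD_FIRST))


def matching_policy(user: str, policies: List[Tuple[str, List[str]]]) -> Optional[str]:
    """First-match policy lookup: the first policy (top-down) whose groups contain
    any group the user belongs to. None means no policy matches the user."""
    groups = {normalize_dn(g) for g in USER_GROUPS.get(user, [])}
    for name, policy_groups in policies:
        if any(normalize_dn(g) in groups for g in policy_groups):
            return name
    return None


if __name__ == "__main__":
    print("student DN:", dns_from_dsquery(DSQUERY_STUDENT)[0])
    for user in ("student", "administrator"):
        print(user, "broad-first ->", matching_policy(user, POLICIES_BROAD_FIRST),
              "| specific-first ->", matching_policy(user, POLICIES_SPECIFIC_FIRST))
```

The two orderings give different results for the administrator account, which is the kind of discrepancy the session table or the debug flow reveals when the traffic matches a policy other than the intended one.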

FSSO

During this lab you will install the FSSO collector agent and troubleshoot an FSSO problem.

Objectives
- Check the connectivity between the FortiGate and the CA.
- Track user logon events in the DC, CA and FortiGate.
- List the active FSSO users.
- Troubleshoot an FSSO problem.

Time to Complete
Estimated: 40 minutes

Installing FSSO

1. Log on to the Student FortiGate’s GUI using the account admin with no password:
   http://10.0.1.254
2. Upload the Student configuration file for this lab:
   Resources\FortiGate III\FSSO\Student\student-FSSO.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.
3. On Win-Student, right-click the Fortinet Single Sign On (FSSO) installation file located in Resources\FSSO, then select Run as administrator. This should launch the Fortinet Single Sign On Agent Installation Wizard. Follow the wizard to install the agent on Win-Student.
4. When prompted for the Windows server administrator password, enter "password". Click Next.
5. In the Install Options window, accept the default settings. Click Next.
6. Click Install to complete the installation.

7. At the end of the Single Sign On Agent installation, the Launch DC Agent Install Wizard option will be selected. Click Finish to complete the collector agent installation. This launches the Domain Controller Agent Installation Wizard.
8. In the Install DC Agent Wizard, accept the Collector Agent IP Address of 10.0.1.10 and the Collector Agent Listening Port of 8002. Click Next.
9. Select the TRAININGAD:trainingAD.training.lab domain to monitor. Click Next.
10. Only the student account needs to be monitored in this exercise. Expand the TRAININGAD domain and disable all the users in the TRAININGAD domain EXCEPT for student. Click Next.
11. Set the Working Mode to Polling Mode and select Check Windows Security Event Logs.

    Click Next.
12. After the installation, open the Windows start screen and run the application Configure Fortinet Single Sign-on. Perform the following tasks in the Fortinet single sign-on agent configuration window:
    - Change the Password to Fortinet.
    - Change the Workstation verify interval to 0.
    - Change the Log level to Information.
    - Enable Log logon events in separate logs.
    Click Apply.
13. Click Show Monitored DCs to verify the communication between the collector agent and the domain controller agent. The IP address 10.0.1.10 should show as being logged in. Click Close.
14. Click Select Domains to Monitor and verify that the TRAININGAD:trainingAD.training.lab domain is selected. Click OK.

15. Click Set Group Filters. Click Add and enable the Default filter. Click Advanced and expand the domain name TRAININGAD. From the expanded list select Users and Domain Admins. Click Add, then OK. Click OK. Click Save & Close to close the Fortinet single sign-on agent configuration window.

Break and Fix: FSSO

In this network the collector agent has been installed on Win-Student. An administrator has configured the Student FortiGate to allow Internet access only to active FSSO users. However, it is not working as desired. Active FSSO users do not have Internet access. Use the authentication and FSSO debug commands learned to isolate and fix the problem.

To test the FSSO authentication, first generate a login event by following these steps:
1. On Win-Student, run the Windows Remote Desktop Connections application.
2. Enter the computer IP address 10.0.1.10. Log in with these credentials:
   Username: Student
   Password: Fort1net
   Ignore the error message indicating that the user is not authorized for remote login. The objective of these steps is just to generate a logon event without rebooting the server.
3. After that, test the Internet access from a browser.

Can you explain why the FortiGate is blocking the traffic? Can you change the FortiGate and/or collector agent configurations to fix the problem?

Tips for Troubleshooting
- Check the active FSSO users in the collector agent by clicking Show logon users.
- Use the following command to check the active FSSO users in the FortiGate:
  # diagnose debug authd fsso list
- Use the FortiGate real time debug command for FSSO:
  # diagnose debug application authd 8256
  # diagnose debug enable
- Check the collector agent logs.

- Use the Windows Remote Desktop Connections application after each configuration change to generate new login events.

IPsec

During this lab you will troubleshoot an IPsec VPN problem.

Objectives
- Use the IKE real time debug to isolate problems during the phase 1 and phase 2 negotiations.
- Use the debug flow tool to isolate IPsec traffic flow issues.
- Monitor the status of an IPsec VPN.

Time to Complete
Estimated: 90 minutes

Break and Fix: IPsec VPN

1. From the Win-Student server, log on to the Student FortiGate’s GUI using the account admin with no password:
   http://10.0.1.254
2. Upload the Student configuration file for this lab:
   Resources\FortiGate III\VPN\Student\student-vpn.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.
3. Log on to the Remote FortiGate’s GUI using the account admin with no password:
   http://10.200.3.1
   Upload the Remote configuration file for this lab:
   Resources\FortiGate III\VPN\Remote\remote-vpn.conf
   The Remote FortiGate will reboot and load the new configuration.

An administrator has created an IPsec VPN between the Student FortiGate and the Remote FortiGate. The objective is to encrypt the traffic in both directions between the subnets 10.0.1.0/24 and 10.0.2.0/24. For the purpose of this lab, assume that the IP address of the Remote FortiGate will be changing frequently, so the administrator has configured the VPN on the Student FortiGate side as Dialup User. The name of the VPN on the Student side is RemoteSite. The name of the VPN on the Remote side is ToHub. There is another VPN created (for a different purpose) on the Student FortiGate with the name DialUpUsers.

The IPsec VPN between Student and Remote is down. Your objective is to fix the problem, so that the tunnel comes up and you can ping from Win-Student to Win-Remote. Use the IPsec debug commands learned in this lesson to isolate and fix the problem. The solution requires:
- Keeping the Remote Gateway type in the VPN RemoteSite as Dialup User (for the reason explained before).
- No configuration changes in the DialUpUsers VPN on the Student FortiGate, as this VPN is already operative and working as expected (you do not need to test this VPN; assume that it is working).

Tips for Troubleshooting
- Check first why the tunnel is not coming up. Use the IKE real time debug on both sides to troubleshoot the problem:
  # diagnose debug application ike -1
  # diagnose debug enable
- After the tunnel is established, check that you can ping from Win-Student to Win-Remote. If there is a problem, sniff the traffic and use the debug flow.

Security Profiles

During the following exercises you will use debug commands to fix FortiGuard and web filtering issues.

Objectives
- Troubleshoot FortiGuard problems.
- Troubleshoot web filtering problems.
- Fix certificate warnings during full SSL inspection.
- Investigate virus infections.

Time to Complete
Estimated: 45 minutes

Break and Fix: Protection Profiles Part 1

1. Log on to the Student FortiGate’s GUI using the account admin with no password:
   http://10.0.1.254
2. Upload the Student configuration file for this lab:
   Resources\FortiGate III\UTM\Student\student-UTM-1.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.
3. The configuration contains two VDOMs. Go to Virtual Domains -> root -> Policy & Objects -> Policy -> IPv4. Check the firewall policy from port3 to port1. It has antivirus and web filtering enabled.
4. Then go to Virtual Domains -> root -> Policy & Objects -> Security Profiles -> Web Filter and review the profile WebFilterUsers. Some categories, such as malicious websites, streaming media, hacking and proxy avoidance, are being blocked. Open a browser in Win-Student and go to these restricted web sites:
   http://www.youtube.com
   http://www.proxyavoidance.com
   The FortiGate is not blocking access to those sites. Indeed, web filtering does not seem to be working at all.

Why isn't the FortiGate blocking access to any restricted web site? Can you change the FortiGate configuration to fix the problem?

Note: Your lab environment uses a FortiManager as a local FDS server. It contains a local copy of the FDS web rating database. The FortiGate devices validate their VM licenses against the FortiManager. They also send the rating requests to the FortiManager IP address (10.0.1.241) instead of the public FDS servers. Do not change this configuration, as it will affect the FortiGate license status.

Tips for Troubleshooting
- Use the web filtering real time debug:
  # diagnose debug application urlfilter -1
  # diagnose debug enable
- Use the FortiGuard real time debug:
  # diagnose debug application update -1
  # diagnose debug enable

Break and Fix: Protection Profiles Part 2

1. Log on to the Student FortiGate’s GUI using the account admin with no password:
   http://10.0.1.254
2. Upload the Student configuration file for this lab:
   Resources\FortiGate III\UTM\Student\student-UTM-2.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.

This configuration is similar to the previous one, but it contains the fix to the problem that was troubleshot during the first exercise of this lab. The configuration also includes a web filter profile to block, among others, the following FortiGuard categories:
- Proxy Avoidance
- Streaming Media and Download
- Hacking

All the restricted sites seem to be properly blocked now, such as:
   http://www.youtube.com (Streaming Media and Download)
   http://www.elite-hackers.com (Hacking)
   http://www.proxyavoidance.net (Proxy Avoidance)

However, the administrator complains that the following two sites should be blocked, and they are not. According to him, they belong to blocked categories:
   http://www.metacafe.com
   http://www.eicar.org

Additionally, customers are reporting two more problems:
- They receive certificate warnings each time they connect to an HTTPS site.
- Even though antivirus is enabled, they can still download the virus sample eicar.com located on the FTP server 10.200.3.254:222. To test it, open FileZilla and connect to the preconfigured site FTPSite. Select the Desktop as the local site folder and pub as the remote site folder. Right-click the eicar.com file and select Download.

Why are those two sites reported by the administrator not being blocked? How can you change the FortiGate configuration to fix it? Why are users getting SSL certificate warnings? How can you resolve it? Why isn't the FortiGate detecting the EICAR virus?

Tips for Troubleshooting

For the web filtering problem:
- Enable the following real time debug and attempt to browse the two websites that are not being blocked:
  # diagnose debug application urlfilter -1
  # diagnose debug enable
  The output can be verbose, so save it from PuTTY to a local file.
- Remember to clear the browser cache and the FortiGate session after making any configuration change.

For the antivirus problem:
- Sniff the FTP traffic and analyze the output of the debug flow.
- Check the entry in the FortiGate session table for the FTP session.

Explicit Web Proxy

During this lab you will troubleshoot some explicit web proxy problems.

Objectives
- Monitor web proxy traffic and sessions.
- Monitor web proxy DNS traffic.
- Use the web proxy real time debug.

Time to Complete
Estimated: 40 minutes

Break and Fix: Web Proxy

1. Log on to the Student FortiGate’s GUI using the account admin with no password:
   http://10.0.1.254
2. Upload the Student configuration file for this lab:
   Resources\FortiGate III\Web-Proxy\Student\student-web-proxy.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.
3. Open Firefox and click Open menu. Then click Options.
4. Go to Advanced -> Network and click Settings.

5. Select Automatic proxy configuration URL and type the following URL:
   http://10.0.1.254:8080/proxy.pac
6. Restart the browser. Test the proxy by accessing any web site. Additionally, access to the Fortinet web site is essential for users, so test it using the following URL:
   http://www.fortinet.com

Why isn't the web proxy working at all? Can you change the FortiGate configuration to fix the problem? After fixing the web proxy, test the access to the Fortinet web site. Why isn't it working yet? Can you also fix it?

Tips for Troubleshooting
- Sniff the traffic on port 8080 (web proxy traffic).
- Sniff the traffic coming from the browser:
  # diagnose sniffer packet any 'host 10.0.1.254 and not port 22 and not port 443' 4
- Sniff the traffic going to the web proxy IP address:
  # diagnose sniffer packet any 'host 10.0.1.10 and not port 22 and not port 443' 4
- Use the following debug commands to check the status of the web proxy connections:
  # diagnose wad session list
  # diagnose test application wad 2200
  # diagnose test application wad 110
  # diagnose test application wad 104
- Run the web proxy real time debug using the filter below:
  # config web-proxy debug-url
      edit fortinet
          set url-pattern www.fortinet.com
          set status enable
          set exact enable
      next
      edit fortiguard
          set url-pattern www.fortiguard.com
          set status enable
          set exact enable
      next
  end
  # diagnose wad debug-url enable
  # diagnose wad console-log enable
  # diagnose debug enable
  After that, try to browse these two web sites and compare the results:
  http://www.fortinet.com
  http://www.fortiguard.com
- Remember to restart the browser after any change to the PAC file.

Operation Modes

This lab has 3 exercises. The first exercise includes a FortiGate in transparent mode. During exercises 2 and 3 you will troubleshoot routing problems with two FortiGate devices in NAT/route mode.

Objectives
- Describe how FortiGate routes traffic.
- Diagnose routing problems due to the reverse path forwarding check.
- Identify the existing sessions that will be routed through a different path after a change in the routing table.
- Use debug commands to troubleshoot routing problems.
- Segment a layer-2 network into different broadcast domains using a FortiGate in transparent mode.

Time to Complete
Estimated: 45 minutes

Transparent Mode

Port1 and port3 of a FortiGate in transparent mode are connected to a network. An administrator wants to create 4 broadcast domains. For that purpose, the administrator segmented the network into 4 VLANs:

   VLAN Name     VLAN tag   FortiGate interfaces
   Native VLAN   No tag     port1, port3
   VLAN 20       20         port1-VLAN20, port3-VLAN20
   VLAN 30       30         port1-VLAN30, port3-VLAN30
   VLAN 40       40         port1-VLAN40, port3-VLAN40

The Win-Student server is connected to the native VLAN on port3. The following diagram summarizes this network topology:

   [Network diagram not reproduced]

1. First, check that Firefox is not configured to use an explicit web proxy.
2. Click Open menu. Then click Options.

   Go to Advanced -> Network and click Settings. Check that No proxy is selected and click OK.
3. Log on to the Student FortiGate’s GUI using the account admin with no password:
   http://10.0.1.254
4. Upload the Student configuration file for this lab:
   Resources\FortiGate III\Operation-Modes\Student\student-operationmodes-transparent.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up. This changes the FortiGate to transparent mode and adds all the VLAN sub-interfaces.
5. Connect to the Student FortiGate using SSH and start this sniffer:
   # diagnose sniffer packet any "arp and host 10.0.1.15" 4

6. From the Win-Student command prompt, ping 10.0.1.15:
   > ping 10.0.1.15
   This IP address is not active, so you will not receive any echo reply. However, the ping triggers ARP traffic that can be captured by the previous sniffer.
7. The output of the sniffer will be similar to this:
   [Sniffer output not reproduced]
   So, broadcast traffic is being forwarded to all the VLAN sub-interfaces. Each VLAN is not a different broadcast domain, as the administrator wants. Why is this happening? What configuration change must be done in the FortiGate to actually make each VLAN a different broadcast domain?
8. From the FortiGate CLI, execute these configuration changes:
   # config system interface
       edit port1-VLAN20
           set forward-domain 20
       next
       edit port1-VLAN30
           set forward-domain 30
       next
       edit port1-VLAN40
           set forward-domain 40
       next
       edit port3-VLAN20
           set forward-domain 20
       next
       edit port3-VLAN30
           set forward-domain 30
       next
       edit port3-VLAN40
           set forward-domain 40
       next
   end
9. Execute the sniffer and ping one more time. Now you will see that the ARP packets are confined to the native VLAN only.

NAT/Route Mode

1. Log on to the Student FortiGate’s GUI using the account admin with no password:
   http://10.0.1.254
2. Upload the Student configuration file for this lab:
   Resources\FortiGate III\Operation-Modes\Student\student-operationmodes-NAT.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.
3. Log on to the Remote FortiGate’s GUI using the account admin with no password:
   http://10.200.3.1
4. Upload the Remote configuration file for this lab:
   Resources\FortiGate III\Operation-Modes\Remote\remote-operationmodes-NAT.conf
   The Remote FortiGate will reboot. Wait a few minutes until it is back up.
5. Check the IPsec VPN configuration in both FortiGate units. Go to VPN -> IPsec -> Tunnels. Check also the firewall policy and the routing table in both devices. Go to Policy & Objects -> Policy -> IPv4, then check Router -> Monitor -> Routing Monitor. You will notice that there is an IPsec VPN created between both units to encrypt the traffic between the subnets 10.0.1.0/24 and 10.0.2.0/24. You will also see a route in the Student FortiGate to the subnet 10.0.2.0/24 using the IPsec tunnel.
6. Execute a continuous ping from the Win-Student command prompt to Win-Remote:
   > ping -t 10.0.2.10
   You will receive the echo reply from Win-Remote as an indication that the tunnel is operating normally.
7. Without stopping the ping, access the Remote FortiGate and go to System -> Network -> Interfaces. Click the plus icon beside port4 to expand it, and edit the interface ToStudent.

   Change the Administrative Status of this interface to Down. Click OK.
8. Wait a few seconds and then check the status of the VPN in the Student FortiGate. Go to VPN -> Monitor -> IPsec Monitor. As the remote virtual IPsec interface is administratively down, the VPN is down. Now check the routing table. As the VPN is down, the route to 10.0.2.0/24 was removed. Check also the ping running in Win-Student. It is failing.
9. Proceed to bring the remote IPsec interface back up. Access the Remote FortiGate, go to System -> Network -> Interface and edit the ToStudent interface. Change the Administrative Status to Up and click OK.
10. Go back to the Student FortiGate and check the status of the VPN. Go to VPN -> Monitor -> IPsec Monitor. If the VPN is still down, right-click it and select Bring Up. The tunnel will come up.
11. Check the routing table. Go to Router -> Monitor -> Routing Monitor. You will notice that the route to the subnet 10.0.2.0/24 is back in the routing table.
12. Check one more time the ping running in Win-Student. It is not working yet.
13. Sniff this traffic. Connect to the Student FortiGate's CLI and execute this command:
    # diagnose sniffer packet any "icmp and host 10.0.2.10" 4
    Why is the ping not working if the VPN is up and the route is back? Why is the FortiGate still routing the ping traffic out through port1 (and not through ToRemote)? What can be done to prevent this problem?

Break and Fix: NAT/Route Mode

1. Log on to the Remote FortiGate’s GUI using the account admin with no password:
   http://10.200.3.1
2. Upload the Remote configuration file for this lab:
   Resources\FortiGate III\Operation-Modes\Remote\remote-operationmodes-NAT.conf
   The Remote FortiGate will reboot. Wait a few minutes until it is back up.
3. Log on to the Student FortiGate’s GUI using the account admin with no password:
   http://10.0.1.254
4. Upload the Student configuration file for this lab:
   Resources\FortiGate III\Operation-Modes\Student\student-operationmodes-NAT.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.

The administrator is reporting two problems:
1. You cannot ping 10.200.4.1 from Win-Student.
2. The Student FortiGate configuration includes two default routes, one using port1 and the other one using port2. However, only one of them is active in the routing table.
Can you fix these two problems?

Tips for Troubleshooting
- Sniff the ping to 10.200.4.1.
- Use the debug flow while running the ping to 10.200.4.1.
- Use these commands to check the routing table:
  # get router info routing-table database
  # get router info routing-table all
- Check the status of the link health monitors (if any) under System -> Monitor -> Link Monitor.

External BGP

During this lab you will troubleshoot some BGP issues between two FortiGate devices.

Objectives
- Monitor and check the status of a BGP communication.
- Troubleshoot some common external BGP issues.

Time to Complete
Estimated: 30 minutes

Break and Fix: BGP

1. Log on to the Remote FortiGate’s GUI using the account admin with no password:
   http://10.200.3.1
2. Upload the Remote configuration file for this lab:
   Resources\FortiGate III\BGP\Remote\remote-BGP.conf
   The Remote FortiGate will reboot. Wait a few minutes until it is back up.
3. Log on to the Student FortiGate’s GUI using the account admin with no password:
   http://10.0.1.254
4. Upload the Student configuration file for this lab:
   Resources\FortiGate III\BGP\Student\student-BGP.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.

An administrator has configured BGP between Student and Remote. The Student FortiGate belongs to the autonomous system 65500 and the Remote FortiGate belongs to the autonomous system 65001. However, the BGP peering is currently down. The objective is to bring up the BGP connection between both units. Also, each FortiGate must advertise all its locally connected subnets. Try not to compare both BGP configurations to find mismatches. You should troubleshoot the problem using the BGP debug commands learned during this lesson. Explain each problem, supporting your arguments with the output of sniffers and BGP debug commands.

Tips for Troubleshooting
- Use these BGP debug commands and sniffer:
  # get router info routing-table all
  # get router info bgp summary
  # get router info bgp network
  # get router info bgp neighbors
  # get router info bgp neighbors <peer-IP> advertise
  # diagnose sniffer packet any "port 179" 4
- Use the BGP real time debug:
  # diagnose debug enable

(65) DO NOT REPRINT © FORTINET.  External BGP. # diagnose ip router bgp all enable # diagnose ip router bgp level info . Use this command to restart the BGP connection any time: # execute router clear bgp all Stop and Think After fixing the BGP connectivity, you might notice that you cannot reach Win-Remote from Win-Student yet, even when both FortiGate routing tables are ok. You do not need to fix this problem during this lab, but can you find out what is causing this issue?. FortiGate III Student Guide. 65.
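The sniffer tip above captures port 179; reading those packets is easier with a decoder, and a peer-AS mismatch (one common reason a peering never reaches Established) then shows up plainly as an OPEN followed by a NOTIFICATION. This Python example is added here and is not part of the guide or of FortiOS: the message layout follows RFC 4271, and the sample OPEN and NOTIFICATION bytes are constructed for the lab's AS numbers (Student 65500, Remote 65001), not taken from a real capture.

```python
# Decode BGP OPEN and NOTIFICATION messages as they appear in a port-179 capture.
# Added example, not from the FortiGate guide: byte layouts follow RFC 4271 and the
# sample messages are constructed for the lab's AS numbers, not taken from a real capture.
import struct

MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
ERRORS = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
          4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}
OPEN_SUBCODES = {1: "Unsupported Version Number", 2: "Bad Peer AS", 3: "Bad BGP Identifier",
                 4: "Unsupported Optional Parameter", 6: "Unacceptable Hold Time"}
MARKER = b"\xff" * 16  # RFC 4271 header marker, always all ones

def build_open(my_as, hold_time, router_id):
    """Build a minimal OPEN (version 4, no optional parameters) for the samples."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, bytes(map(int, router_id.split("."))), 0)
    return MARKER + struct.pack("!HB", 19 + len(body), 1) + body

def build_notification(code, subcode, data=b""):
    body = struct.pack("!BB", code, subcode) + data
    return MARKER + struct.pack("!HB", 19 + len(body), 3) + body

def decode(msg):
    """Describe one BGP message as a dict; raise ValueError on a malformed header."""
    if len(msg) < 19 or msg[:16] != MARKER:
        raise ValueError("bad BGP marker or truncated header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if length != len(msg):
        raise ValueError("length field %d does not match %d bytes" % (length, len(msg)))
    body, out = msg[19:], {"type": MSG_TYPES.get(mtype, "UNKNOWN(%d)" % mtype)}
    if mtype == 1:  # OPEN: what the peer claims to be (AS, hold time, router ID)
        version, my_as, hold, rid = struct.unpack("!BHH4s", body[:9])
        out.update(version=version, my_as=my_as, hold_time=hold,
                   router_id=".".join(str(b) for b in rid))
    elif mtype == 3:  # NOTIFICATION: why the peer tore the session down
        code, sub = body[0], body[1]
        out.update(error=ERRORS.get(code, "code %d" % code),
                   subcode=OPEN_SUBCODES.get(sub, "subcode %d" % sub) if code == 2 else sub)
    return out

def check_peer_as(open_msg, expected_remote_as):
    """Compare the AS the peer announces in its OPEN with our configured remote-as."""
    info = decode(open_msg)
    if info["type"] != "OPEN":
        raise ValueError("not an OPEN message")
    return info["my_as"] == expected_remote_as, info["my_as"]

# Constructed samples: an OPEN from Remote (AS 65001) and a Bad Peer AS NOTIFICATION.
REMOTE_OPEN = build_open(65001, 180, "10.200.3.1")
BAD_AS_NOTIFY = build_notification(2, 2)
```

Feed the payload bytes of a captured TCP/179 segment to decode(); a NOTIFICATION with "OPEN Message Error / Bad Peer AS" right after the peer's OPEN points at the neighbor's remote-as, while "Hold Timer Expired" or no OPEN at all points elsewhere (filtering, routing to the peer, or a peer that is not listening).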

OSPF

During this lab you will troubleshoot some OSPF over IPsec issues between two FortiGate devices.

Objectives

- Establish OSPF adjacency between FortiGate devices.
- Use debug commands to troubleshoot some OSPF problems.
- Monitor the status of an OSPF network.

Time to Complete

Estimated: 40 minutes

Break and Fix: OSPF

1. Log on to the Remote FortiGate's GUI using the account admin with no password: http://10.200.3.1
2. Upload the Remote configuration file for this lab:
   Resources\FortiGate III\OSPF\Remote\remote-OSPF.conf
   The Remote FortiGate will reboot. Wait a few minutes until it is back up.
3. Log on to the Student FortiGate's GUI using the account admin with no password: http://10.0.1.254
4. Upload the Student configuration file for this lab:
   Resources\FortiGate III\OSPF\Student\student-OSPF.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.

An administrator has configured an IPsec tunnel between the Student FortiGate and the Remote FortiGate. OSPF has been configured to run over the tunnel, so that each FortiGate can advertise its networks to its remote peer. The tunnel is currently up; however, the OSPF adjacency is down.

The objective is to have the OSPF routes correctly learned by both FortiGate units. Also, the IPsec VPN must remain stable.

Try not to compare both OSPF configurations to find mismatches. You should troubleshoot the problem using the OSPF debug commands learned in this lesson. Explain each problem, supporting your arguments with the output of the debug commands.

Tips for Troubleshooting

- Check the routing table and OSPF neighbor status:
  # get router info routing-table all
  # get router info ospf status
  # get router info ospf neighbor
  Is the neighbor adjacency established? Are OSPF routes present?
- Run the real time debug:
  # diagnose ip router ospf all enable
  # diagnose ip router ospf level info
  # diagnose debug enable
- Once the OSPF issues are resolved, go to the VPN event logs. Is the IPsec VPN stable? Watch the log messages for a few minutes. Compare the Student routing table when the tunnel is down with the table when it is up. What is causing the tunnel to bounce?

High Availability

During this lab you will troubleshoot some high availability problems between two FortiGate devices.

Objectives

- Monitor an HA cluster.
- Check the status of the HA configuration and session synchronization.
- Troubleshoot some common HA problems.

Time to Complete

Estimated: 30 minutes

Break and Fix: High Availability

[Topology diagram: the Student FortiGate (port1 10.200.1.1/24, port3 10.0.1.254/24) and the Remote FortiGate, with port2 of each unit used for the HA link; the Linux host is at 10.200.1.254 (eth1) and Win-Student is at 10.0.1.10.]

1. Log on to the Remote FortiGate's GUI using the account admin with no password: http://10.200.3.1
2. Upload the Remote configuration file for this lab:
   Resources\FortiGate III\High-Availability\Remote\remote-ha.conf
   The Remote FortiGate will reboot. Wait a few minutes until it is back up.
3. Log on to the Student FortiGate's GUI using the account admin with no password: http://10.0.1.254
4. Upload the Student configuration file for this lab:
   Resources\FortiGate III\High-Availability\Student\student-ha.conf
   The Student FortiGate will reboot. Wait a few minutes until it is back up.

After loading both configurations, the cluster is not forming. The Remote unit cannot join the HA cluster. Use the debug commands learned in this lesson to troubleshoot the problem.

Tips for Troubleshooting

- Run the HA real time debug in the CLI of both units:
  # diagnose debug application hatalk 255
  # diagnose debug application hasync 255
  # diagnose debug enable
- Use these additional HA debug commands:
  # diagnose sys ha status
  # diagnose sys ha showcsum
- For easy access to each unit while the cluster is down, each FortiGate starts with a different IP address on its port3:
  Student: 10.0.1.254
  Remote: 10.0.1.253
  So, while Remote cannot join the cluster, you can connect to its port3 IP address via SSH and run the debug commands.

Stop and Think

After the Remote FortiGate joins the cluster, you will notice that you cannot access the Remote FortiGate using the IP address 10.0.1.253 anymore. Can you explain why?

Appendix A: Additional Resources

Training Services: http://training.fortinet.com
Technical Documentation: http://help.fortinet.com
Knowledge Base: http://kb.fortinet.com
Forums: https://forum.fortinet.com/
Customer Service & Support: https://support.fortinet.com
FortiGuard Threat Research & Response: http://www.fortiguard.com

Appendix B: Presentation Slides

Troubleshooting Concepts

This lesson is about troubleshooting concepts.

In this lesson, we will review troubleshooting strategies. We will also introduce some of the troubleshooting tools available in the FortiGate GUI and CLI.

Let's begin by reviewing some troubleshooting concepts and strategies.

Good administrators know their network well before any problem happens. That includes an understanding of the normal behavior of traffic volume, network applications, traffic flows, and the CPU and memory utilization of devices. So, when a problem happens, good administrators quickly identify what is behaving abnormally. This information speeds up the troubleshooting process and helps to isolate the cause of the problem. Many tools can be used to gather statistics and information while the network is operating normally: SNMP, logging, sFlow, and the monitors located in the FortiGate GUI.

It is also important to keep the network documentation up to date. Network diagrams should include physical connections, interface names, and subnets. Good network documentation also includes change control records to track any change in the network: Who made the change? When was it done? What was changed?

If a problem happens, the first step is to define it well. For example, if the problem definition is "web filtering is not working", the scope of the problem is too imprecise. Too many things could cause this, which makes troubleshooting slow. So, we must ask questions to understand the details: Is the problem happening with one web site? Is it happening with all users? Is it happening randomly? How can you reproduce the problem? After answering the right questions, we can define the problem in detail. For example: "web filtering is not blocking web site X for user Y". This provides a better starting point for troubleshooting.
