I took the Fortinet NSE 1 and NSE 2 training, which are free online courses in the Fortinet NSE Training Institute portal. These courses provide an introduction to Cybersecurity and Fortinet security products to mitigate Cyber threats.
The NSE 3 training is reserved for Fortinet employees and partners so I took the NSE 4 training instead. The NSE 4 is also an online free course and it's divided into two sections: Security and Infrastructure. You'll receive an electronic certificate of completion (PDF) after finishing the two courses. Your NSE certs (PDF) are found in the NSE Training Institute portal under the Dashboard (Completed tab) or Profile page.
To be a certified Fortinet NSE 4 Network Security Professional (exam code: NSE4_FGT-6.4), you'll need to book and pass the online exam via Pearson VUE. The exam cost is $400 USD as of this writing. The exam has 60 questions and the passing rate is 60%. Once passed, the cert is valid for two years. Refer to the NSE 4 description and NSE Training Institute portal FAQ.
Below is the FortiGate virtual lab I used to study for NSE 4.
To open the FortiGate VM in VMware Workstation, go to File > Open.
Browse/select the OVF file: FortiGate-VM64 > click Open.
Rename the VM: FortiGate-1 > click Import.
Click Accept to accept the End User License Agreement (EULA).
Click Edit virtual machine settings.
My VMnet0 is configured as VMnet0 which is bridged to the Internet and other virtual machines (Windows 10 host, Kali Linux, etc.). The VMnet1 is a LAN for the Windows 7 VM. Select VMnet2 for Network Adapter 3 (Host-only, for the HA link).
Click Power on this virtual machine.
Notice the license error 'INVALID'. Just perform a factory reset on the VM to resolve the error.
Log in using the default username admin and just leave the password blank. You're forced to change and input a new password upon initial login.
Issue an execute factoryreset command to resolve the invalid license error. Type y to continue and reboot the VM.
After the factory reset and reboot, the invalid license error was gone. Re-type the new password.
Issue a show system interface command to view the available network interfaces.
Configure port1 (WAN) IP address. Note port1 already allows ping, HTTPS and SSH.
I was able to ping the FortiGate VM WAN IP address (192.168.1.160/24) from my Windows 10 machine (192.168.1.100/24).
C:\Users\User>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::c961:e77e:a95c:fcfb%21
IPv4 Address. . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\User>ping 192.168.1.160
Pinging 192.168.1.160 with 32 bytes of data:
Reply from 192.168.1.160: bytes=32 time<1ms TTL=255
Reply from 192.168.1.160: bytes=32 time<1ms TTL=255
Reply from 192.168.1.160: bytes=32 time<1ms TTL=255
Reply from 192.168.1.160: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.1.160:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
I was initially unable to HTTPS to FortiGate due to an SSL/TLS cipher mismatch.
I tried to change to both TLSv1.1 and TLSv1.2 but I was still unable to HTTPS to port1 (192.168.1.160).
Per the Fortinet KB, the FortiGate VM only uses low encryption (no HTTPS administrative access).
All Security Profiles (UTM features) are enabled (Antivirus, Web Filter, Application Control, etc.) EXCEPT FortiGuard updates. The Evaluation license is valid for only 15 days.
I just allowed ping, HTTP and SSH on port1 for this lab.
I was able to HTTP to port1 (192.168.1.160) afterwards.
Click Later to skip the initial FortiGate Setup.
Toggle Don't show again (turn to green) and click OK to skip introduction video.
This is the landing page upon login, which is the System Information Dashboard.
Issue a get system status command to view the FortiGate version, license status, system uptime, etc.
FortiGate-VM64 # get system status
Version: FortiGate-VM64 v6.4.4,build1803,201209 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGVMEVLBM63ZQG09
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
License Status: Valid
Evaluation License Expires: Tue May 4 02:20:49 2021
VM Resources: 1 CPU/1 allowed, 2010 MB RAM/2048 MB allowed
Log hard disk: Available
Hostname: FortiGate-VM64
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1803
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Apr 19 02:51:54 2021
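Added example (not part of the original post): a small Python check that reads get system status output and reports the license state and how stale the signature databases are, which matters here because FortiGuard updates are not available on the evaluation license. The 30-day age threshold and the function names are assumptions; the sample is constructed from a subset of the lines above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the `get system status` lines shown above.
SAMPLE_STATUS = """\
Virus-DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
License Status: Valid
Evaluation License Expires: Tue May 4 02:20:49 2021
System time: Mon Apr 19 02:51:54 2021
"""

# "<name>: <version>(<YYYY-MM-DD HH:MM>)" is how signature databases are listed.
DB_LINE = re.compile(r"^([\w -]+):\s*[\d.]+\((\d{4}-\d{2}-\d{2} \d{2}:\d{2})\)$")
CLI_TIME = "%a %b %d %H:%M:%S %Y"  # e.g. "Mon Apr 19 02:51:54 2021"

def parse_status(text):
    """Split the output into plain fields and signature-database build dates."""
    fields, db_dates = {}, {}
    for line in text.splitlines():
        line = line.strip()
        match = DB_LINE.match(line)
        if match:
            db_dates[match.group(1)] = datetime.strptime(match.group(2), "%Y-%m-%d %H:%M")
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields, db_dates

def review_status(text, max_db_age_days=30):
    """Return findings, using the device's own 'System time' as the reference."""
    fields, db_dates = parse_status(text)
    now = datetime.strptime(fields["System time"], CLI_TIME)
    findings = []
    if fields.get("License Status") != "Valid":
        findings.append("license status: " + fields.get("License Status", "unknown"))
    expires = fields.get("Evaluation License Expires")
    if expires:
        left = datetime.strptime(expires, CLI_TIME) - now
        findings.append("evaluation license expired" if left.total_seconds() <= 0
                        else f"evaluation license: {left.days} day(s) left")
    for name, built in db_dates.items():
        age = (now - built).days
        if age > max_db_age_days:  # assumed threshold, adjust to your policy
            findings.append(f"{name}: signatures {age} days old")
    return findings

if __name__ == "__main__":
    print("\n".join(review_status(SAMPLE_STATUS)))
```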
Create a static default route, go to Network > Static Routes > Create New.
Select default Destination: Subnet and 0.0.0.0/0.0.0.0 (quad zero route) > type Gateway Address: 192.168.1.1 (Cisco ASA Firewall) > select Interface: port1 (WAN: 192.168.1.160/24) > leave the Administrative Distance: 10 > leave the default Status: Enabled > click OK.
I configured FortiGate port2 (LAN) interface and allowed ping, SSH and HTTP.
FortiGate-VM64 # config system interface
FortiGate-VM64 (interface) # edit port2
FortiGate-VM64 (port2) # set mode static
FortiGate-VM64 (port2) # set ip 172.16.1.1 255.255.255.0
FortiGate-VM64 (port2) # set allowaccess ping ssh http
FortiGate-VM64 (port2) # end
I was able to ping and SSH using the FortiGate port2 172.16.1.1 IP address.
I was unable to reach the Internet (Google DNS 8.8.8.8) since there's no NAT policy configured yet.
The 15-day FortiGate VM Evaluation license is not long enough and it has already expired in my virtual lab.
I suspend the FortiGate VM when not in use to delay the Eval license expiration but I noticed its system time was automatically updated by NTP (FortiGuard). So I disabled NTP after performing a factory reset.
FG-1 # get system status
Version: FortiGate-VM64 v6.4.4,build1803,201209 (GA)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
Serial-Number: FGVMEVLBM63ZQG09
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
License Status: Expired
Evaluation License Expires: Tue May 4 02:20:49 2021
VM Resources: 1 CPU/1 allowed, 2010 MB RAM/2048 MB allowed
Log hard disk: Available
Hostname: FG-1
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 1
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1803
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed May 5 22:26:44 2021
FG-1 # get system ntp
ntpsync : enable
type : fortiguard
syncinterval : 60
source-ip : 0.0.0.0
source-ip6 : ::
server-mode : enable
authentication : disable
interface : "fortilink"
FG-1 # diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp1.fortiguard.com) 208.91.112.61 -- reachable(0xff) S:1 T:629 selected
server-version=4, stratum=2
reference time is e43df7ec.6aae6822 -- UTC Thu May 6 05:06:52 2021
clock offset is 6.108305 sec, root delay is 0.001358 sec
root dispersion is 0.044479 sec, peer dispersion is 199951 msec
ipv4 server(ntp2.fortiguard.com) 208.91.112.62 -- reachable(0xff) S:1 T:629
server-version=4, stratum=2
reference time is e43df906.3b732f6 -- UTC Thu May 6 05:11:34 2021
clock offset is 12.211762 sec, root delay is 0.001221 sec
root dispersion is 0.040100 sec, peer dispersion is 217109 msec
ipv4 server(ntp2.fortiguard.com) 208.91.112.60 -- reachable(0xff) S:1 T:629
server-version=4, stratum=2
reference time is e43df4b7.e3f49e10 -- UTC Thu May 6 04:53:11 2021
clock offset is 8.142703 sec, root delay is 0.001236 sec
root dispersion is 0.057037 sec, peer dispersion is 133425 msec
ipv4 server(ntp1.fortiguard.com) 208.91.112.63 -- reachable(0xfd) S:1 T:637
server-version=4, stratum=2
reference time is e43df906.3b732f6 -- UTC Thu May 6 05:11:34 2021
clock offset is 6.128610 sec, root delay is 0.001221 sec
root dispersion is 0.040237 sec, peer dispersion is 200269 msec
FG-1 # execute time
current time is: 22:29:55
last ntp sync:Wed May 5 22:27:16 2021
Factory reset and re-configure the FortiGate VM to renew the license again.
FG-1 # exec factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n)y
Disable NTP (FortiGuard Cloud).
FG-1 # config system ntp
FG-1 (ntp) # set ntpsync disable
FG-1 (ntp) # set type
fortiguard Use the FortiGuard NTP server.
custom Use any other available NTP server.
FG-1 (ntp) # set type custom
FG-1 (ntp) # end
FG-1 # get system ntp
ntpsync : disable
type : custom
syncinterval : 60
ntpserver:
source-ip : 0.0.0.0
source-ip6 : ::
server-mode : enable
authentication : disable
interface : "fortilink"
FG-1 # execute time
current time is: 22:57:05
Once you have initial FortiGate GUI access, perform a configuration backup. Go to admin (upper right corner) > Configuration > Backup.
Select Backup to: Local PC > click OK.
A .conf file will appear > Save File > click OK.
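Added example (not part of the original post): a Python audit of the backed-up .conf file that lists interfaces whose allowaccess includes a plaintext management protocol, such as the HTTP access enabled on port1 and port2 in this lab because the evaluation VM has no HTTPS administrative access. The sample config is constructed in FortiOS backup syntax (the port3 entry is illustrative) and the function names are assumptions.

```python
# Constructed sample in FortiOS backup (.conf) syntax, using this lab's addresses.
SAMPLE_CONF = """\
config system interface
    edit "port1"
        set ip 192.168.1.160 255.255.255.0
        set allowaccess ping http ssh
    next
    edit "port2"
        set allowaccess ping ssh http
    next
    edit "port3"
        set allowaccess ping https ssh
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
"""

PLAINTEXT = {"http", "telnet"}  # admin protocols that carry credentials unencrypted

def interface_access(conf_text):
    """Return {interface: [allowaccess values]} from 'config system interface'."""
    access, in_section, depth, current = {}, False, 0, None
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config":
            if in_section:
                depth += 1  # nested block such as 'config ipv6'
            elif words[1:] == ["system", "interface"]:
                in_section, depth = True, 0
        elif in_section and words[0] == "end":
            in_section, depth = depth > 0, max(depth - 1, 0)
        elif in_section and depth == 0 and words[0] == "edit":
            current = words[1].strip('"')
            access[current] = []
        elif in_section and depth == 0 and words[:2] == ["set", "allowaccess"]:
            access[current] = words[2:]
    return access

def plaintext_admin(conf_text):
    """Interfaces whose allowaccess includes a plaintext management protocol."""
    return {name: sorted(PLAINTEXT & set(protos))
            for name, protos in interface_access(conf_text).items()
            if PLAINTEXT & set(protos)}

if __name__ == "__main__":
    print(plaintext_admin(SAMPLE_CONF))
```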