Friday, October 1, 2021

Introduction to FortiGate Next-Generation Firewall (NGFW)

The FortiGate Next-Generation Firewall (NGFW) are network firewalls powered by purpose-built security processing units (SPUs) including the latest NP7 (Network Processor 7). They enable security-driven networking, and are ideal network firewalls for hybrid and hyperscale data centers.

Fortinet NGFWs reduce cost and complexity by eliminating points products and consolidating industry-leading security capabilities such as secure sockets layer (SSL) inspection including the latest TLS1.3, web filtering, intrusion prevention system (IPS) to provide fully visibility and protect any edge. Fortinet NGFWs uniquely meet the performance needs of hyperscale and hybrid IT architectures, enabling organizations to deliver optimal user experience, and manage security risks for better business continuity.

Below are some of the basic CLI commands and initial configuration tasks in a FortiGate NGFW. Type the get system status to view the Fortigate serial number, operation mode, License status, System uptime, etc.

 

FortiGate-VM64 # get system status

Version: FortiGate-VM64 v6.4.4,build1803,201209 (GA)

Virus-DB: 1.00000(2018-04-09 18:07)

Extended DB: 1.00000(2018-04-09 18:07)

Extreme DB: 1.00000(2018-04-09 18:07)

IPS-DB: 6.00741(2015-12-01 02:30)

IPS-ETDB: 6.00741(2015-12-01 02:30)

APP-DB: 6.00741(2015-12-01 02:30)

INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)

Serial-Number: FGVMEVLBM63ZQG09

IPS Malicious URL Database: 1.00001(2015-01-01 01:01)

License Status: Valid

Evaluation License Expires: Tue May  4 02:20:49 2021

VM Resources: 1 CPU/1 allowed, 2010 MB RAM/2048 MB allowed

Log hard disk: Available

Hostname: FortiGate-VM64

Operation Mode: NAT

Current virtual domain: root

Max number of virtual domains: 1

Virtual domains status: 1 in NAT mode, 0 in TP mode

Virtual domain configuration: disable

FIPS-CC mode: disable

Current HA mode: standalone

Branch point: 1803

Release Version Information: GA

FortiOS x86-64: Yes

System time: Sat Apr 24 17:21:22 2021

 

 

Type ? to list all CLI options.

 

FortiGate-VM64 # show system ?

accprofile                        Configure access profiles for system administrators.

admin                             Configure admin users.

affinity-interrupt                Configure interrupt affinity.

affinity-packet-redistribution    Configure packet redistribution.

alias                             Configure alias command.

api-user                          Configure API users.

arp-table                         Configure ARP table.

auto-install                      Configure USB auto installation.

auto-script                       Configure auto script.

automation-action                 Action for automation stitches.

automation-destination            Automation destinations.

automation-stitch                 Automation stitches.

automation-trigger                Trigger for automation stitches.

autoupdate                        Configure automatic updates.

central-management                Configure central management.

cluster-sync                      Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

console                           Configure console.

csf                               Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

custom-language                   Configure custom languages.

ddns                              Configure DDNS.

dhcp                              Configure DHCP.

dhcp6                             Configure DHCPv6.

dns                               Configure DNS.

dns-database                      Configure DNS databases.

dns-server                        Configure DNS servers.

dscp-based-priority               Configure DSCP based priority table.

email-server                      Configure the email server used by the FortiGate various things. For example, for sending email messages to users to support user authentication features.

external-resource                 Configure external resource.

fips-cc                           Configure FIPS-CC mode.

fortiguard                        Configure FortiGuard services.

fortisandbox                      Configure FortiSandbox.

fsso-polling                      Configure Fortinet Single Sign On (FSSO) server.

ftm-push                          Configure FortiToken Mobile push services.

geneve                            Configure GENEVE devices.

geoip-override                    Configure geographical location mapping for IP address(es) to override mappings from FortiGuard.

global                            Configure global attributes.

gre-tunnel                        Configure GRE tunnel.

ha                                Configure HA.

ha-monitor                        Configure HA monitor.

interface                         Configure interfaces.

ipip-tunnel                       Configure IP in IP Tunneling.

ips                               Configure IPS system settings.

ips-urlfilter-dns                 Configure IPS URL filter DNS servers.

ips-urlfilter-dns6                Configure IPS URL filter IPv6 DNS servers.

ipsec-aggregate                   Configure an aggregate of IPsec tunnels.

ipv6-neighbor-cache               Configure IPv6 neighbor cache table.

ipv6-tunnel                       Configure IPv6/IPv4 in IPv6 tunnel.

link-monitor                      Configure Link Health Monitor.

lldp                              Configure LLDP.

mobile-tunnel                     Configure Mobile tunnels, an implementation of Network Mobility (NEMO) extensions for Mobile IPv4 RFC5177.

nat64                             Configure NAT64.

nd-proxy                          Configure IPv6 neighbor discovery proxy (RFC4389).

netflow                           Configure NetFlow.

network-visibility                Configure network visibility settings.

ntp                               Configure system NTP information.

object-tagging                    Configure object tagging.

password-policy                   Configure password policy for locally defined administrator passwords and IPsec VPN pre-shared keys.

password-policy-guest-admin       Configure the password policy for guest administrators.

pppoe-interface                   Configure the PPPoE interfaces.

probe-response                    Configure system probe response.

proxy-arp                         Configure proxy-ARP.

replacemsg                        Configure replacement message.

replacemsg-group                  Configure replacement message groups.

replacemsg-image                  Configure replacement message images.

saml                              Global settings for SAML authentication.

sdn-connector                     Configure connection to SDN Connector.

sdwan                             Configure redundant Internet connections with multiple outbound links and health-check profiles.

session-helper                    Configure session helper.

session-ttl                       Configure global session TTL timers for this FortiGate.

settings                          Configure VDOM settings.

sflow                             Configure sFlow.

sit-tunnel                        Configure IPv6 tunnel over IPv4.

sms-server                        Configure SMS server for sending SMS messages to support user authentication.

snmp                              Configure SNMP.

speed-test-server                 Configure speed test server list.

sso-admin                         Configure SSO admin users.

standalone-cluster                Configure FortiGate Session Life Support Protocol (FGSP) cluster attributes.

storage                           Configure logical storage.

switch-interface                  Configure software switch interfaces by grouping physical and WiFi interfaces.

tos-based-priority                Configure Type of Service (ToS) based priority table to set network traffic priorities.

vdom-exception                    Global configuration objects that can be configured independently across different ha peers for all VDOMs or for the defined VDOM scope.

vdom-link                         Configure VDOM links.

virtual-wire-pair                 Configure virtual wire pairs.

vne-tunnel                        Configure virtual network enabler tunnel.

vxlan                             Configure VXLAN devices.

wccp                              Configure WCCP.

zone                              Configure zones to group two or more interfaces. When a zone is created you can configure policies for the zone instead of individual interfaces in the zone.

 

FortiGate-VM64 # show system interface ?

name    Name.

fortilink   static   0.0.0.0 0.0.0.0  169.254.1.1 255.255.255.0  up   disable   aggregate  enable  

port1   static   0.0.0.0 0.0.0.0  192.168.1.160 255.255.255.0  up   disable   physical  enable  

port2   static   0.0.0.0 0.0.0.0  0.0.0.0 0.0.0.0  up   disable   physical  enable  

port3   static   0.0.0.0 0.0.0.0  0.0.0.0 0.0.0.0  up   disable   physical  enable  

ssl.root   static   0.0.0.0 0.0.0.0  0.0.0.0 0.0.0.0  up   disable   tunnel  enable  

 

FortiGate-VM64 # show system interface port1

config system interface

    edit "port1"

        set vdom "root"

        set ip 192.168.1.160 255.255.255.0

        set allowaccess ping ssh http

        set type physical

        set snmp-index 1

    next

end

 

 

The show full-configuration command to all the configuration settings.

 

FortiGate-VM64 # show full-configuration system

accprofile                        Configure access profiles for system administrators.

admin                             Configure admin users.

affinity-interrupt                Configure interrupt affinity.

affinity-packet-redistribution    Configure packet redistribution.

alias                             Configure alias command.

api-user                          Configure API users.

arp-table                         Configure ARP table.

auto-install                      Configure USB auto installation.

auto-script                       Configure auto script.

automation-action                 Action for automation stitches.

automation-destination            Automation destinations.

automation-stitch                 Automation stitches.

automation-trigger                Trigger for automation stitches.

autoupdate                        Configure automatic updates.

central-management                Configure central management.

cluster-sync                      Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

console                           Configure console.

csf                               Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

custom-language                   Configure custom languages.

 

FortiGate-VM64 # show full-configuration

alertemail             Alert email configuration.

antivirus              AntiVirus configuration.

application            Application control configuration.

authentication         authentication

credential-store       credential-store

dlp                    DLP configuration.

dnsfilter              DNS filter configuration.

dpdk                   FortiOS DPDK Helper configuration.

emailfilter            AntiSpam configuration.

endpoint-control       Endpoint control configuration.

extender-controller    FortiExtender controller configuration.

file-filter            file-filter

firewall               Firewall configuration.

ftp-proxy              FTP proxy configuration.

icap                   ICAP client configuration.

ips                    IPS configuration.

log                    Log configuration.

nsxt                   NSX-T configuration.

report                 Report configuration.

router                 Router configuration.

ssh-filter             SSH filter configuration.

switch-controller      External FortiSwitch configuration.

system                 System operation configuration.

user                   Authentication configuration.

voip                   VoIP configuration.

vpn                    VPN configuration.

waf                    Web Application Firewall configuration.

wanopt                 WAN optimization configuration.

web-proxy              Web proxy configuration.

webfilter              Web filter configuration.

wireless-controller    Wireless access point configuration.

 

FortiGate-VM64 # show full-configuration system

accprofile                        Configure access profiles for system administrators.

admin                             Configure admin users.

affinity-interrupt                Configure interrupt affinity.

affinity-packet-redistribution    Configure packet redistribution.

alias                             Configure alias command.

api-user                          Configure API users.

arp-table                         Configure ARP table.

auto-install                      Configure USB auto installation.

auto-script                       Configure auto script.

automation-action                 Action for automation stitches.

automation-destination            Automation destinations.

automation-stitch                 Automation stitches.

automation-trigger                Trigger for automation stitches.

autoupdate                        Configure automatic updates.

central-management                Configure central management.

cluster-sync                      Configure FortiGate Session Life Support Protocol (FGSP) session synchronization.

console                           Configure console.

csf                               Add this FortiGate to a Security Fabric or set up a new Security Fabric on this FortiGate.

custom-language                   Configure custom languages.

ddns                              Configure DDNS.

dhcp                              Configure DHCP.

dhcp6                             Configure DHCPv6.

dns                               Configure DNS.

dns-database                      Configure DNS databases.

dns-server                        Configure DNS servers.

dscp-based-priority               Configure DSCP based priority table.

email-server                      Configure the email server used by the FortiGate various things. For example, for sending email messages to users to support user authentication features.

external-resource                 Configure external resource.

fips-cc                           Configure FIPS-CC mode.

fortiguard                        Configure FortiGuard services.

fortisandbox                      Configure FortiSandbox.

fsso-polling                      Configure Fortinet Single Sign On (FSSO) server.

ftm-push                          Configure FortiToken Mobile push services.

geneve                            Configure GENEVE devices.

geoip-override                    Configure geographical location mapping for IP address(es) to override mappings from FortiGuard.

global                            Configure global attributes.

gre-tunnel                        Configure GRE tunnel.

ha                                Configure HA.

ha-monitor                        Configure HA monitor.

interface                         Configure interfaces.

ipip-tunnel                       Configure IP in IP Tunneling.

ips                               Configure IPS system settings.

ips-urlfilter-dns                 Configure IPS URL filter DNS servers.

ips-urlfilter-dns6                Configure IPS URL filter IPv6 DNS servers.

ipsec-aggregate                   Configure an aggregate of IPsec tunnels.

ipv6-neighbor-cache               Configure IPv6 neighbor cache table.

ipv6-tunnel                       Configure IPv6/IPv4 in IPv6 tunnel.

link-monitor                      Configure Link Health Monitor.

lldp                              Configure LLDP.

mobile-tunnel                     Configure Mobile tunnels, an implementation of Network Mobility (NEMO) extensions for Mobile IPv4 RFC5177.

nat64                             Configure NAT64.

nd-proxy                          Configure IPv6 neighbor discovery proxy (RFC4389).

netflow                           Configure NetFlow.

network-visibility                Configure network visibility settings.

ntp                               Configure system NTP information.

object-tagging                    Configure object tagging.

password-policy                   Configure password policy for locally defined administrator passwords and IPsec VPN pre-shared keys.

password-policy-guest-admin       Configure the password policy for guest administrators.

pppoe-interface                   Configure the PPPoE interfaces.

probe-response                    Configure system probe response.

proxy-arp                         Configure proxy-ARP.

replacemsg                        Configure replacement message.

replacemsg-group                  Configure replacement message groups.

replacemsg-image                  Configure replacement message images.

saml                              Global settings for SAML authentication.

sdn-connector                     Configure connection to SDN Connector.

sdwan                             Configure redundant Internet connections with multiple outbound links and health-check profiles.

session-helper                    Configure session helper.

session-ttl                       Configure global session TTL timers for this FortiGate.

settings                          Configure VDOM settings.

sflow                             Configure sFlow.

sit-tunnel                        Configure IPv6 tunnel over IPv4.

sms-server                        Configure SMS server for sending SMS messages to support user authentication.

snmp                              Configure SNMP.

speed-test-server                 Configure speed test server list.

sso-admin                         Configure SSO admin users.

standalone-cluster                Configure FortiGate Session Life Support Protocol (FGSP) cluster attributes.

storage                           Configure logical storage.

switch-interface                  Configure software switch interfaces by grouping physical and WiFi interfaces.

tos-based-priority                Configure Type of Service (ToS) based priority table to set network traffic priorities.

vdom-exception                    Global configuration objects that can be configured independently across different ha peers for all VDOMs or for the defined VDOM scope.

vdom-link                         Configure VDOM links.

virtual-wire-pair                 Configure virtual wire pairs.

vne-tunnel                        Configure virtual network enabler tunnel.

vxlan                             Configure VXLAN devices.

wccp                              Configure WCCP.

zone                              Configure zones to group two or more interfaces. When a zone is created you can configure policies for the zone instead of individual interfaces in the zone.

 

FortiGate-VM64 # show full-configuration system interface port1

config system interface

    edit "port1"

        set vdom "root"

        set vrf 0

        set fortilink disable

        set mode static

        set dhcp-relay-service disable

        set ip 192.168.1.160 255.255.255.0

        set allowaccess ping ssh http

        set fail-detect disable

        set pptp-client disable

        set arpforward enable

        set broadcast-forward disable

        set bfd global

        set l2forward disable

        set icmp-send-redirect enable

        set icmp-accept-redirect enable

        set vlanforward disable

        set stpforward disable

        set ips-sniffer-mode disable

        set ident-accept disable

        set ipmac disable

        set subst disable

        set substitute-dst-mac 00:00:00:00:00:00

        set status up

        set netbios-forward disable

        set wins-ip 0.0.0.0

        set type physical

        set dedicated-to none

        set ring-rx 0

        set ring-tx 0

        set netflow-sampler disable

        set sflow-sampler disable

        set src-check enable

        set sample-rate 2000

        set polling-interval 20

        set sample-direction both

        set explicit-web-proxy disable

        set explicit-ftp-proxy disable

        set proxy-captive-portal disable

        set tcp-mss 0

        set inbandwidth 0

        set outbandwidth 0

        set egress-shaping-profile ''

        set ingress-shaping-profile ''

        set disconnect-threshold 0

        set spillover-threshold 0

        set ingress-spillover-threshold 0

        set weight 0

        set external disable

        set description ''

        set alias ''

        set security-mode none

        set device-identification disable

        set lldp-reception vdom

        set lldp-transmission vdom

        set estimated-upstream-bandwidth 0

        set estimated-downstream-bandwidth 0

        set measured-upstream-bandwidth 0

        set measured-downstream-bandwidth 0

        set bandwidth-measure-time 0

        set monitor-bandwidth disable

        set vrrp-virtual-mac disable

        set role undefined

        set snmp-index 1

        set secondary-IP disable

        set preserve-session-route disable

        set auto-auth-extension-device disable

        set ap-discover enable

        set ip-managed-by-fortiipam disable

        set switch-controller-mgmt-vlan 4094

        set switch-controller-igmp-snooping-proxy disable

        set switch-controller-igmp-snooping-fast-leave disable

        set swc-first-create 0

        config ipv6

            set ip6-mode static

            set nd-mode basic

            set ip6-address ::/0

            unset ip6-allowaccess

            set icmp6-send-redirect enable

            set ip6-reachable-time 0

            set ip6-retrans-time 0

            set ip6-hop-limit 0

            set dhcp6-prefix-delegation disable

            set dhcp6-information-request disable

            set vrrp-virtual-mac6 disable

            set vrip6_link_local ::

            set ip6-send-adv disable

            set autoconf disable

            set dhcp6-relay-service disable

        end

        set speed auto

        set mtu-override disable

        set wccp disable

        set drop-overlapped-fragment disable

        set drop-fragment disable

    next

end

 

Configuration Backups

I've changed the FortiGate hostname: FG-1 to perform a configuration backup and restore.

 

FortiGate-VM64 # config sys global

 

FortiGate-VM64 (global) # set hostname FG-1

 

FortiGate-VM64 (global) # end

 

FG1 #

 

 

To backup the FortiGate configuration in the GUI, go to admin > Configuration > Backup.

 

Select Backup to: Local PC > leave Encryption deselected (gray toggle) > Save File > click OK.

It's good practice to always perform routine backup on the FortiGate device. An encrypted backup file hampers Fortinet support in their troubleshooting since they won't be able to read the backup file (and if you also forget the password). Consider saving backup files in plain-text and store them in a secure server instead.

I changed again the hostname to: FORTIGATE-1

 

FG-1 # config sys global

 

FG-1 (global) # set hostname FORTIGATE-1

 

FG-1 (global) # end

 

FORTIGATE-1 #

 

 

To restore the configuration from backup, go to admin > Configuration > Restore.

 

Select Restore from: Local PC > search/select the config file (.conf) > Upload > OK.

A confirmation message will be presented. Click OK to continue.

The FortiGate will auto reboot.

The web page will time out. Refresh the web GUI and re-login.


Notice the hostname: FG-1 was reverted back and displayed in the web page tab and under Dashboard > Status > System Information.

 

Configuring Administrator Accounts

To configure a new user administrator profile with read-only access, go to System > Admin Profiles > Create New.

 

Notice there are two Admin Profiles created by default: prof_admin and super_admin.

 

Below are the Access Permissions in the prof_admin profile.

Below are the Access Permissions in super_admin profile.

 

Notice none of the Access Control Permissions are configurable (grayed out).

 

For the new Admin Profile, type a Name: Sec_Admin_Prof > optionally type a Comment > set all Access Control Permissions to: Read except for Security Profile: Read/Write > click OK.

Create a new administrator account and assign to the Admin Profile just created, go to System > Administrators > Create New > Administrator.

 

Notice the admin with Admin Profile: super_admin is created by default.

 


Type the username: sec-admin > select Type: Local User > type Password: fortinet (type twice to confirm and click the eye icon to view clear text password) > select Administrator Profile: Sec_Admin_Prof > leave the other settings in default (deselected) > click OK.



Logout the current admin account (upper right corner) and login using the new sec-admin account.


I explored the web GUI options and noticed it can only view (read-only) some of the FortiGate options, i.e. Interfaces, System Settings while some options are configurable (read-write), i.e. Hostname, Time zone, Security Profiles.





You can restrict certain trusted subnets to manage the FortiGate. I was initially able to SSH from 192.168.1.140 (Cisco CSRv router).

 

CSRv#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

GigabitEthernet1       192.168.1.140   YES NVRAM  up                    up     

GigabitEthernet2       unassigned      YES TFTP   administratively down down   

 

 

CSRv#ssh -l admin 192.168.1.160

Password:

FG-1 # 

 

 

Login using the admin account, go to System > Administrators > select admin > click Edit (with pencil icon).

 

 

Enable/toggle: Restrict login to trusted hosts > type Trusted Host 1: 192.168.1.100/32 (Windows 10) > click OK.

 

You can add more host IP or subnet by clicking the plus (+) icon.

 

 

I wasn't able to SSH from CSRv router afterwards.

 

CSRv#ssh -l admin 192.168.1.160

[Connection to 192.168.1.160 aborted: error status 0]

 

 

I added the CSRv IP address 192.168.1.140 via the FortiGate CLI.

 

FG-1 # config system admin

 

FG-1 (admin) # edit admin

 

FG-1 (admin) # set trusthost2 192.168.1.140/32

 

FG-1 (admin) # end

 

 

To view the current users, issue a get system info admin status command.

 

FG-1 # get system info

admin    admin

 

FG-1 # get system info admin

ssh       Show SSH status.

status    Show logged in administrators.

 

FG-1 # get system info admin status

Index  User name   Login type  From

Logged in users: 3

USERNAME        TYPE    FROM             TIME

admin           http    192.168.1.100    Mon May  3 19:29:15 2021

 

admin           ssh     192.168.1.100    Mon May  3 19:40:26 2021

 

admin           ssh     192.168.1.140    Mon May  3 19:41:49 2021

 

If you get an Evaluation license has expired error, just perform a factory reset and re-configure the FortiGate VM.

FG-1 # exec factoryreset    // NO SPACE IN factoryreset

This operation will reset the system to factory default!

Do you want to continue? (y/n)y


Once the initial management interface and HTTPS access is configured, perform a configuration restore. Go to admin (upper right corner) > Configuration > Restore.

 

Select Restore from: Local PC > click Upload > select .conf file > click OK.


The FortiGate will auto reboot and will get disconnected. Just refresh the web browser after 5 minutes.

 



No comments:

Post a Comment