FortiGate MultiThreat Security Systems Administration and Content Inspection - PowerPoint PPT Presentation

Slides: 119
Provided by: trevor9

1
FortiGate Multi-Threat Security Systems
Administration and Content Inspection
2
Topics
  • System setup
  • Logging and Alerts
  • Firewall Policies
  • Antivirus Scanning and Content Inspection
  • Web Filtering
  • IM and P2P Filtering
  • Administration and Maintenance
  • Transparent Mode

3
System Setup
FortiGate Multi-Threat Security Systems - Administration and Content Inspection
4
FortiGate Antivirus Firewall
  • Network-level Services
    • Firewall
    • Intrusion prevention and detection
    • VPN
    • Traffic shaping
  • Application-level Services
    • Firewall
    • Intrusion prevention and detection
    • Virus protection
    • Content filtering for web connections and email

5
Web-based Manager
  • HTTP or HTTPS
  • Web browser
    • Windows
    • Mac
    • Linux
  • Configure and monitor a FortiGate unit
  • Configuration changes effective immediately
  • Download, save, and restore configurations

6
Command Line Interface
  • Serial port
    • RS232
  • Network
    • Telnet
    • SSH
  • Same configuration capabilities as the web-based manager
  • Advanced configuration capabilities

7
Factory Default Settings
  • The FortiGate unit is shipped with a factory default configuration that allows you to connect to the web-based manager and configure the unit onto the network
  • Internal interface 192.168.1.99/24
    • HTTPS and ping access are enabled
  • External interface 192.168.100.99/24
    • Ping access is enabled
  • Firmware upgrade using TFTP is done over the internal interface only (interrupt the boot process)

8
Modes of Operation
  • NAT/Route Mode
    • Default out-of-box configuration
    • Each interface is on a different network
    • Allows the firewall to operate as a bastion gateway
  • Transparent Mode
    • Firewall operates as a bridge
    • Administration performed via a management IP address
    • Allows for most FortiGate features without altering the IP infrastructure of the network

9
NAT/Route Mode
  • Hide your internal addressing scheme behind a
    firewall

10
Transparent Mode
  • The firewall acts as a bridge and requires an IP
    address for management and updates
  • The FortiGate unit is invisible to the network

11
System Dashboard
  • Shown after a successful GUI login
  • Displays firewall status at a glance, including
    • FortiGuard Subscriptions status
    • Statistics for content archiving and IPS
    • Current system time and uptime
    • CPU and memory utilization

12
System Dashboard
13
FortiGuard Distribution Network Updates
  • For updating Antivirus and IPS signatures
  • Worldwide points of presence
  • There are three ways to update via FDN
    • Scheduled
    • Push
    • Manual

14
FortiGuard Distribution Network Updates
15
Administrative Access
  • Options for access to the firewall for the purpose of administration and maintenance
  • Enabled per interface
  • Administrative access options are
    • HTTP (GUI)
    • HTTPS (GUI)
    • Telnet (CLI)
    • SSH (CLI)
    • SNMP
    • PING

16
Administrative Users
  • Accounts responsible for firewall administration
  • Have CLI / GUI access to the firewall
  • User accounts can be held locally or on a RADIUS server
  • Logins and passwords are case sensitive

17
Administrative Users
  • Accounts can be limited by use of Access Profiles
  • The default administrative account is admin
  • The default access profile is prof_admin. This
    profile has all permissions

18
IP Addressing
  • IP addresses can be assigned in three ways
    • Static
    • DHCP
    • PPPoE
  • Dynamic DNS (DDNS) supported for major providers
  • Administrative access is configured per interface

19
VLANs
  • Highly flexible, efficient network segmentation
  • Supported on models 60 and higher
  • IEEE 802.1Q
  • Segregate devices logically instead of physically
    by adding 802.1Q VLAN tags to all packets sent
    and received by the devices
  • A single FortiGate unit can provide security
    services and control connections between multiple
    security domains
  • NAT/Route and Transparent modes

20
Virtual Domains
  • Ease of management
  • Lower costs: one system with multiple firewalls
  • Each virtual domain functions like a single FortiGate unit
  • Exclusive firewall and routing services to multiple networks
  • Traffic from each network is effectively separated from every other network
  • Packets never cross virtual domain borders
  • NAT/Route and Transparent modes

21
DHCP Server
  • A DHCP server may be configured on any interface
    with a static IP address
  • The firewall can support multiple DHCP servers on
    a single interface.

22
DHCP Relay
  • Allows the firewall to relay a DHCP request to a
    remote DHCP server

23
Static Routes
  • Default gateway entry: required for public network access
  • Routing decision is based on the destination network
  • The outgoing interface and metric can be specified
  • Multiple routes to the same destination can exist, but only one is preferred
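As an added illustration of the static routes slide (example code written for this page, not taken from the presentation or from FortiGate), the route selection below models a table in which the destination network, outgoing interface and metric are specified and only one route to a destination is preferred. It assumes the usual selection rule of longest matching prefix first, then lowest metric; the routing table entries are constructed values.

```python
import ipaddress

# Constructed routing table (example values, not from the slides):
# (destination network, gateway, outgoing interface, metric).
ROUTES = [
    ("0.0.0.0/0",     "192.168.100.1", "external", 10),  # default gateway
    ("10.0.0.0/8",    "192.168.1.254", "internal", 10),
    ("10.20.0.0/16",  "192.168.1.253", "internal", 10),  # more specific than 10/8
    ("172.16.0.0/12", "192.168.1.252", "internal", 20),
    ("172.16.0.0/12", "192.168.1.251", "dmz",      5),   # same destination, better metric
]


def select_route(dst_ip, routes=ROUTES):
    """Return the preferred route tuple for dst_ip, or None if no route matches.

    Only routes whose destination network contains dst_ip are candidates.
    The decision is based on the destination network: the longest prefix
    wins, and among equal prefixes the lowest metric wins, so only one of
    several routes to the same destination is ever preferred.
    """
    ip = ipaddress.ip_address(dst_ip)
    best_key, best = None, None
    for dest, gateway, interface, metric in routes:
        net = ipaddress.ip_network(dest)
        if ip not in net:
            continue
        key = (net.prefixlen, -metric)
        if best_key is None or key > best_key:
            best_key, best = key, (dest, gateway, interface, metric)
    return best


def has_default_route(routes=ROUTES):
    """True when a 0.0.0.0/0 entry exists (required for public network access)."""
    return any(ipaddress.ip_network(r[0]).prefixlen == 0 for r in routes)


if __name__ == "__main__":
    for dst in ("10.20.5.1", "10.1.1.1", "172.20.1.1", "198.51.100.9"):
        print(dst, "->", select_route(dst))
```

Without the default entry, the last lookup above returns None, which is the situation the slide warns about: public network access needs a default gateway route.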

24
Logging and Alerts
FortiGate Multi-Threat Security Systems - Administration and Content Inspection
25
Overview
  • Ability to log session transaction data and
    downloaded files
  • Ability to log to multiple locations
    simultaneously
  • Seamless integration with FortiAnalyzer appliance
  • Alert e-mail system

26
Configuration
  • Choose the location and level
    • FortiAnalyzer
    • Syslog
    • Memory
  • Enable logging
    • Protection Profile (Content, Content Archiving)
    • Event log
    • Firewall Policy or Interface (Traffic)

27
FortiAnalyzer
  • A logging and security center point on the
    network
  • Allows for IPSec encrypted log transfer from the
    firewall
  • Full reporting functions
  • Required for content and file archiving functions

28
Viewing Log Files
  • View logs located on the FortiAnalyzer from the firewall's GUI

29
Event Logging
  • Responsible for
    • Core system events
    • VPN events
    • Administration events

30
Content Archiving
  • The ability to log session transaction data for
    • HTTP
    • FTP
    • NNTP
    • IM (AIM, ICQ, MSN, Yahoo!)
    • Mail (POP3, IMAP, SMTP)
  • Ability to archive downloaded files and e-mails
  • Requires a FortiAnalyzer appliance

31
Log Message Priorities
  • All messages have a priority level
    • Emergency
    • Alert (IPS signature)
    • Critical (IPS anomaly)
    • Error (category rating, network address)
    • Warning (content filtering, system event)
    • Notice (configuration change)
    • Information (traffic, authentication, content)
  • Example log message:
    2006-03-22 14:23:37 log_id=0104032126 type=event subtype=admin pri=notice vd=root user=admin ui=GUI(192.168.96.1) seq=3 msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"

32
Alert E-mail
  • Generates an e-mail upon detection of a message
    meeting a defined severity level
  • Supports multiple recipients
  • Supports servers requiring SMTP authentication
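Example code added here for the two preceding slides (it is not part of the presentation and is not FortiGate's own code): a parser for the key=value event log format shown on the Log Message Priorities slide, plus the severity threshold check that the alert e-mail feature applies when deciding whether a message meets the defined level. The first sample line is the slide's example; the other two lines, including their log_id values, are constructed for the demonstration.

```python
import re

# Priority levels in the order the slide lists them, most to least severe.
PRIORITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information"]

# key=value tokens; values may be double-quoted and then contain spaces.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log(line):
    """Parse one FortiGate-style event log line into a dict.

    The leading 'YYYY-MM-DD HH:MM:SS' timestamp becomes 'date' and 'time';
    every key=value pair after it becomes a dict entry with quotes removed.
    """
    m = re.match(r'(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (.*)$', line)
    if not m:
        raise ValueError("not a recognised log line: %r" % line)
    record = {"date": m.group(1), "time": m.group(2)}
    for key, value in _KV.findall(m.group(3)):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record


def at_least(record, threshold):
    """True when the record's priority is the threshold level or more severe."""
    return PRIORITIES.index(record["pri"]) <= PRIORITIES.index(threshold)


def records_to_alert(lines, threshold):
    """Parsed records that would trigger an alert e-mail at the given level."""
    return [r for r in (parse_log(l) for l in lines) if at_least(r, threshold)]


# Constructed sample input: the slide's example line, then two made-up lines.
SAMPLE_LINES = [
    '2006-03-22 14:23:37 log_id=0104032126 type=event subtype=admin pri=notice '
    'vd=root user=admin ui=GUI(192.168.96.1) seq=3 '
    'msg="User admin added new firewall policy 3 from GUI(192.168.96.1)"',
    '2006-03-22 14:25:02 log_id=0000000001 type=ips subtype=signature pri=alert '
    'vd=root src=10.1.1.5 dst=192.168.1.20 msg="constructed IPS signature match"',
    '2006-03-22 14:25:10 log_id=0000000002 type=traffic subtype=allowed '
    'pri=information vd=root src=192.168.1.50 dst=203.0.113.7 '
    'msg="constructed traffic record"',
]

if __name__ == "__main__":
    for r in records_to_alert(SAMPLE_LINES, "warning"):
        print(r["time"], r["pri"], r["msg"])
```

Setting the threshold at "notice" also captures configuration changes such as the slide's added-policy event, which is a sensible minimum for an administrator who wants to be told when someone alters firewall policy.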

33
Traffic Logging
  • Cannot be logged to memory
  • Traffic logging is enabled within
    • Firewall policies
    • Interfaces
  • Logging traffic per firewall policy is usually
    preferred

34
Firewall Policies
FortiGate Multi-Threat Security Systems - Administration and Content Inspection
35
Description
  • Allows traffic to pass through the firewall from one interface to another
  • Traffic cannot pass through the firewall unless it is matched exactly by a firewall policy

36
Firewall Policies
  • Are comprised of an interface pair (source and destination)
  • In NAT/Route mode the firewall policy dictates whether traffic will be NATed or routed
  • There are two primary types of firewall policies
    • Accept
    • Deny

37
Firewall Policy Example
  • (Screenshot of a firewall policy; labelled parts: interface pair, schedule, service, NAT/Route)
38
Firewall Address Objects
  • Two types of addresses
    • IP / IP Range
    • Fully Qualified Domain Name (FQDN)
  • Several ways to declare an IP / IP Range
    • 192.168.1.99
    • 192.168.1.0/255.255.255.0
    • 192.168.1.0/24
    • 192.168.1.99-192.168.1.105
    • 192.168.1.99-105
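Added example for the firewall policy slides and the address object slide above (written for this page; not the deck's code and not FortiGate's implementation): it parses all five IP / IP Range notations into an inclusive address range, then evaluates a packet against an ordered policy list, where a policy is an interface pair, source and destination address objects, a service and an accept/deny action, with first-match semantics and an implicit deny when nothing matches exactly. The policy table, interface names and service list are constructed; only the notations and the matching rules come from the slides.

```python
import ipaddress


def parse_address(text):
    """Turn one of the five IP / IP Range notations into an inclusive
    (first, last) pair of IPv4Address objects.

    Accepted: 192.168.1.99, 192.168.1.0/255.255.255.0, 192.168.1.0/24,
    192.168.1.99-192.168.1.105 and 192.168.1.99-105 (last octet only).
    """
    text = text.strip()
    if "/" in text:
        # ipaddress accepts a prefix length or a dotted netmask after '/'
        net = ipaddress.IPv4Network(text, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in text:
        first, last = text.split("-", 1)
        first = ipaddress.IPv4Address(first)
        if "." not in last:
            # short range: replace only the last octet of the first address
            octet = int(last)
            if not 0 <= octet <= 255:
                raise ValueError("bad last octet in %r" % text)
            last = ipaddress.IPv4Address(first.packed[:3] + bytes([octet]))
        else:
            last = ipaddress.IPv4Address(last)
        if last < first:
            raise ValueError("range end before start in %r" % text)
        return first, last
    addr = ipaddress.IPv4Address(text)
    return addr, addr


def address_contains(obj, ip):
    first, last = obj
    return first <= ipaddress.IPv4Address(ip) <= last


# Service objects: protocol-port combinations (constructed subset).
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53), "ANY": None}


def first_match(policies, pkt):
    """Return the first policy matching pkt, or None (implicit deny).

    policy: srcintf, dstintf, srcaddr, dstaddr (address objects), service, action
    pkt:    srcintf, dstintf, src, dst, proto, dport
    """
    for pol in policies:
        if (pol["srcintf"], pol["dstintf"]) != (pkt["srcintf"], pkt["dstintf"]):
            continue
        if not (address_contains(pol["srcaddr"], pkt["src"])
                and address_contains(pol["dstaddr"], pkt["dst"])):
            continue
        svc = SERVICES[pol["service"]]
        if svc is not None and svc != (pkt["proto"], pkt["dport"]):
            continue
        return pol
    return None


def decide(policies, pkt):
    """'accept' or 'deny'; traffic not matched by any policy is denied."""
    pol = first_match(policies, pkt)
    return pol["action"] if pol else "deny"


# Constructed policy table (hypothetical values, not from the slides).
ANY_ADDR = parse_address("0.0.0.0/0")
POLICIES = [
    {"id": 1, "srcintf": "internal", "dstintf": "external",
     "srcaddr": parse_address("192.168.1.99-105"), "dstaddr": ANY_ADDR,
     "service": "ANY", "action": "deny"},        # a few hosts blocked outright
    {"id": 2, "srcintf": "internal", "dstintf": "external",
     "srcaddr": parse_address("192.168.1.0/24"), "dstaddr": ANY_ADDR,
     "service": "HTTPS", "action": "accept"},    # the rest may browse HTTPS
]


def packet(src, dport, proto="tcp", srcintf="internal", dstintf="external"):
    return {"srcintf": srcintf, "dstintf": dstintf, "src": src,
            "dst": "203.0.113.7", "proto": proto, "dport": dport}
```

Policy order is what makes the deny for 192.168.1.99-105 effective: placed after the broader accept it would never be reached, which is the same first-match ordering caveat the deck later raises for URL filter rules.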

39
Firewall Addresses - FQDN
  • The firewall must have working DNS server entries to utilize FQDN address objects
  • The FQDN resolution cache lifetime is dictated by the DNS server

40
Firewall Address Object Groups
  • Used to group multiple address objects
  • Object groups are available for selection in
    firewall policies

41
Firewall Service Objects
  • Allows firewall policies to use specific
    protocol-port combinations
  • The firewall has many predefined service objects
  • Creation of custom service objects
  • Can create service groups for additional
    flexibility

42
Firewall Service Objects - Custom
  • Three types of custom service objects
    • TCP/UDP
    • ICMP
    • IP

43
NAT
  • Default NAT behavior
    • Source IP translated to the destination interface's IP
    • Sessions differentiated by port
  • Fixed Port behavior
    • Source IP translated to the destination interface's IP
    • Source and destination ports not altered
  • IP Pool behavior
    • Source IP translated to an available IP within the selected IP Pool
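The three NAT behaviours above, as an added toy model (example code written for this page, not FortiGate's implementation): in default mode every session receives a fresh source port, so sessions remain distinguishable; in fixed-port mode the original port is kept, so two internal hosts using the same source port to the same destination collide and the second session cannot be created; in IP pool mode the source address is drawn from the pool. The interface and pool addresses are constructed, and the per-session port allocation in IP pool mode is an assumption of this model.

```python
import itertools


class SourceNat:
    """Toy source-NAT session table for the three behaviours on the NAT slide.

    'default'    : source IP -> outgoing interface IP, fresh source port per session
    'fixed-port' : source IP -> outgoing interface IP, source port unchanged
    'ip-pool'    : source IP -> next available address from the pool
    Hypothetical model for illustration only; ip-pool port handling is assumed.
    """

    def __init__(self, mode, interface_ip, pool=None, first_port=30000):
        if mode not in ("default", "fixed-port", "ip-pool"):
            raise ValueError("unknown NAT mode %r" % mode)
        if mode == "ip-pool" and not pool:
            raise ValueError("ip-pool mode needs at least one pool address")
        self.mode = mode
        self.interface_ip = interface_ip
        self.pool = itertools.cycle(pool or [])
        self.ports = itertools.count(first_port)
        # translated (ip, port, destination) -> original (src_ip, src_port)
        self.sessions = {}

    def translate(self, src_ip, src_port, dst):
        """Create a session and return its translated (ip, port), or None when
        the translated tuple is already in use (only possible in fixed-port mode)."""
        new_ip = next(self.pool) if self.mode == "ip-pool" else self.interface_ip
        new_port = src_port if self.mode == "fixed-port" else next(self.ports)
        key = (new_ip, new_port, dst)
        if key in self.sessions:
            return None
        self.sessions[key] = (src_ip, src_port)
        return new_ip, new_port

    def original(self, translated_ip, translated_port, dst):
        """Reverse lookup used for return traffic."""
        return self.sessions.get((translated_ip, translated_port, dst))


def demo():
    """Two internal hosts each open a session from source port 1024 to one server."""
    results = {}
    for mode in ("default", "fixed-port", "ip-pool"):
        nat = SourceNat(mode, "192.168.100.99", pool=["203.0.113.10", "203.0.113.11"])
        a = nat.translate("192.168.1.10", 1024, ("203.0.113.50", 443))
        b = nat.translate("192.168.1.11", 1024, ("203.0.113.50", 443))
        results[mode] = (a, b)
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

The None in the fixed-port result is the operational cost of that mode: it only works when no two internal hosts need the same source port to the same destination at once, which is why it is reserved for protocols that break when ports are rewritten.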

44
Virtual IP Description
  • Used to allow the public limited access to an internal host
  • Two primary types
    • Static NAT
    • Load Balance
  • Ability to perform port forwarding

45
Virtual IP Static NAT
  • Creates a bi-directional translation between an
    internal IP and an external IP
  • The source IP of traffic originating from the
    internal host will be translated
  • It is possible to utilize IP ranges
  • Port Forwarding can be used to alter the source
    or destination ports

46
Virtual IP - Load Balancing
  • External IP address is mapped to multiple
    internal IP addresses
  • A single IP address seen by the outside
  • External IP address must be static, and not
    assigned to an interface
  • Round robin is utilized for load balancing

47
Firewall Policy Authentication Description
  • Enabled within a firewall accept policy
  • Users must authenticate with the firewall in
    order for sessions to pass
  • Authentication occurs against object(s) in a user
    group or an active directory

48
Firewall Authentication
  • User groups may contain
    • RADIUS server
    • LDAP directory
    • Local users
  • Selection of protection profile is now in the user group
  • To authenticate against an Active Directory the FSAE extensions must be installed

49
Firewall Authentication Protocols
  • The firewall allows authentication on the following protocols
    • HTTP/HTTPS
    • FTP
    • Telnet
  • Service groups can be used to force authentication for protocols not directly supported
  • Default authentication timeout is 15 minutes

50
Antivirus Scanning and Content Inspection
FortiGate Multi-Threat Security Systems - Administration and Content Inspection
51
Content Inspection
  • Antivirus is a component of the Content Inspection System
  • Content inspection is comprised of many services, including
    • Antivirus
    • Spam filtering
    • Web filtering
    • Instant Message (IM) filtering
    • Logging
    • Content archiving

52
Content Inspection
  • Content inspection applies to the following protocols
    • HTTP
    • FTP
    • Mail (IMAP, POP3, SMTP)
    • IM (AIM, ICQ, MSN, Yahoo!)
    • NNTP

53
Content Inspection Configuration
  • For traffic to flow two parts are necessary
    • A source-destination interface pair
    • A firewall policy permitting the traffic
  • Content inspection requires an additional component
    • Protection Profile
  • The Protection Profile is applied to either
    • Firewall policy
    • Authentication group

54
Protection Profile
  • Each content inspection system has its own
    configuration area
  • The Protection Profile is where content
    inspection is enabled

55
Protection Profiles - Defaults
  • There are four preconfigured Protection Profiles
    • Web (HTTP AV scan, basic WF)
    • Scan (all AV scan)
    • Strict (all AV, full WF, no oversize, IPS)
    • Unfiltered
  • A custom Protection Profile is recommended

56
Protection Profile Creation
  • For firewalls up to the FortiGate 1000 a maximum
    of 32 Protection Profiles can be created
  • For firewalls beyond the FortiGate 1000 a maximum
    of 200 Protection Profiles can be created

57
Antivirus
  • To decrease the chance of malicious code execution by clients
  • Accelerated by proprietary FortiASIC
  • Capable of protecting
    • HTTP
    • FTP
    • Mail (IMAP, POP3, SMTP)
    • IM (AIM, ICQ, MSN, Yahoo!)
    • NNTP

58
Antivirus Features
  • The Antivirus system has many components, including
    • Real-time scanning of traffic
    • File pattern blocking
    • Fragmented e-mail blocking
    • Oversized file/e-mail blocking
    • E-mail signatures
    • Logging

59
Antivirus Updates
  • The Antivirus has two components that require regular update
    • Engine
    • Signatures
  • The updates can be retrieved from
    • FortiGuard Distribution Network (FDN)
    • Packages located on the support site

60
Antivirus Scanning - Archives
  • Scanning of archives
  • Scanning of packers
  • Scanning of encoded files
  • The uncompression size limit may need to be
    changed

61
Antivirus Engine
  • The Antivirus system is port based
  • It is possible to add additional ports to each
    supported protocol
  • Only active in a session when a file transfer is
    detected

62
Grayware / Spyware
  • The firewall supports scanning for grayware and spyware threats such as
    • Adware
    • Browser Helper Objects (BHO)
    • Spyware
  • Disabled by default
  • Can be selectively enabled in the Antivirus config

63
File Pattern Blocking
  • Configured in the File Pattern section of
    Antivirus
  • Can be enabled in Protection Profile for all
    protocols supported by Antivirus scanning
  • Performed before Antivirus scanning

64
Client Comforting
  • Can be enabled within the Protection Profile
  • Passes data to the client during scanning process
  • Available for
    • HTTP
    • FTP

65
Oversized Files
  • Firewalls below the enterprise class can scan files up to 10% of total memory size
  • Files above this threshold are termed Oversized files
  • The oversized file threshold can be lowered to improve performance
  • The firewall can be configured to pass or block oversized files

66
Quarantine
  • Allows the firewall to quarantine files to a
    FortiAnalyzer for later retrieval or analysis
  • Blocked HTTP and FTP files cannot be quarantined

67
Web Filtering
FortiGate Multi-Threat Security Systems - Administration and Content Inspection
68
Description
  • Web Filtering is a content inspection service
    that allows for control of HTTP data through a
    firewall
  • Blocked content is replaced with a customizable
    replacement page

69
Web Filtering - Features
  • The firewall's web filter includes the following
    • FortiGuard Web Filter
    • Score-based content blocking
    • URL filtering
    • Content exempting
    • URL exempting
    • ActiveX, cookie, and Java applet filter
    • Web resume download blocking

70
URL Filtering
  • Allows for the filtering of a URL using
    • Simple
    • Regular Expression (regex)
  • The following actions can be taken
    • Block
    • Allow (allowed, and processed by AV)
    • Exempt (allowed, and not processed by AV)
  • These rules are sensitive to ordering

71
Content Blocking
  • Allows for blocking of web content using
    • Wildcards
    • Regular expressions
  • Ability to assign a score to individual banned patterns
  • Choose a score threshold within the Protection Profile
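Example code added for the URL Filtering and Content Blocking slides above (written for this page; not the presentation's code and not FortiGate's implementation). The first part evaluates an ordered list of simple and regex URL rules with the three actions, showing why ordering matters and why a "simple" pattern is matched on the whole host rather than as a plain prefix; the second part sums the scores of banned wildcard and regex patterns and blocks when the Protection Profile threshold is reached. The rules, scores, URLs and page text are constructed, the interpretation of "simple" as host match plus path prefix is an assumption, and counting each banned pattern once is an assumption of this example.

```python
import fnmatch
import re


def _split_url(url):
    """Drop the scheme, lower-case, and split into (host, path)."""
    url = re.sub(r"^https?://", "", url.strip().lower())
    host, _, path = url.partition("/")
    return host, "/" + path


def simple_match(pattern, url):
    """'Simple' pattern (assumed semantics): host must match exactly, path must
    equal the pattern's path or lie beneath it. A bare prefix test would wrongly
    let the pattern www.example.com match www.example.com.evil.net."""
    p_host, p_path = _split_url(pattern)
    u_host, u_path = _split_url(url)
    if u_host != p_host:
        return False
    return u_path == p_path or u_path.startswith(p_path.rstrip("/") + "/")


# Ordered URL filter rules (constructed). block = dropped; allow = passed and
# AV-scanned; exempt = passed and not AV-scanned.
URL_RULES = [
    {"type": "simple", "pattern": "www.example.com/internal", "action": "block"},
    {"type": "simple", "pattern": "www.example.com",          "action": "exempt"},
    {"type": "regex",  "pattern": r"\.(exe|scr)$",            "action": "block"},
]


def url_filter(url, rules=URL_RULES):
    """Return (action, scanned_by_av). The first matching rule wins, so the
    order of the list decides; an unmatched URL is allowed and AV-scanned."""
    for rule in rules:
        if rule["type"] == "simple":
            hit = simple_match(rule["pattern"], url)
        else:
            host, path = _split_url(url)
            hit = re.search(rule["pattern"], host + path) is not None
        if hit:
            return rule["action"], rule["action"] == "allow"
    return "allow", True


# Banned content patterns with scores (constructed). Wildcards are shell-style
# * and ? matched against the whole page text; each pattern counts once.
BANNED_WORDS = [
    {"type": "wildcard", "pattern": "*casino*",     "score": 10},
    {"type": "wildcard", "pattern": "*free*money*", "score": 5},
    {"type": "regex",    "pattern": r"\bjackpot\b", "score": 5},
]


def content_score(page_text, banned=BANNED_WORDS):
    """Sum the scores of every banned pattern present in the page text."""
    text = page_text.lower()
    total = 0
    for entry in banned:
        if entry["type"] == "wildcard":
            hit = fnmatch.fnmatchcase(text, entry["pattern"])
        else:
            hit = re.search(entry["pattern"], text) is not None
        if hit:
            total += entry["score"]
    return total


def content_blocked(page_text, threshold, banned=BANNED_WORDS):
    """Block once the accumulated score reaches the Protection Profile threshold."""
    return content_score(page_text, banned) >= threshold
```

Swapping the first two URL rules turns the block for www.example.com/internal into an exempt, and an exempt also bypasses AV, so the order of exempt rules relative to block rules deserves a review whenever the list changes.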

72
Content Exemption
  • Can be used with content blocking to only allow
    selected content
  • Language sensitive
  • Content exempted is not processed by AV

73
FortiGuard Web Filter
  • Managed web filtering solution with 76 categories
  • Allows for selective override and local
    categorization
  • Images can be blocked based on URL

74
FortiGuard Web Filter - Override
  • Manual override of ratings can be based upon
    • Domain (www.fortinet.com)
    • Directory (www.fortinet.com/support)
    • Categories (Information Technology)
  • The override can be effective for
    • Users
    • User Groups
    • IP
    • Protection Profile

75
IM and P2P Filtering
FortiGate Multi-Threat Security Systems - Administration and Content Inspection
76
IM Features
  • IM protocols supported
    • MSN Messenger
    • ICQ
    • AOL Instant Messenger (AIM)
    • Yahoo! Instant Messenger (Yahoo!)
  • Features
    • Protocol block/allow
    • User block/allow
    • Usage statistics
    • File transfer and audio blocking

77
IM Features - FortiAnalyzer
  • IM chat summary information
  • Full IM chat information
  • Archiving copies of files transferred

78
IM Configuration
  • For all IM functions the appropriate protocols
    must be enabled in the Protection Profile

79
IM/P2P Overview Screen
  • Ability to view for each IM protocol
    • Number of current users
    • Number of chat sessions / total messages
    • Number of file transfers / voice chats
  • Ability to view for each P2P protocol
    • Total number of bytes transferred
    • Average bandwidth utilization

80
Protocol Screen
  • Allows for more detailed information for each IM protocol, including
    • Number of group chats
    • Number of private chats
    • Number of messages sent/received
    • Number of voice chats received/blocked

81
IM Users
  • By default all IM traffic is automatically
    blocked
  • Users that are allowed/blocked automatically are
    added to the temporary users list
  • Users can then be permanently blocked/allowed on
    a per protocol basis
  • Current IM users can be viewed

82
Extended Options IM Protection Profile
  • Block audio/voice transfer
  • Block file transfers
  • Block logins (per protocol)
  • Enable detection for IM traffic on non-standard
    ports

83
IM Antivirus
  • Features
    • Antivirus scanning for file transfers
    • File pattern blocking
  • Must be enabled within the Anti-Virus section of the Protection Profile
  • If a virus is detected during an IM session a message will appear within the window stating that a virus has been blocked

84
P2P Features
  • Ability to pass or block traffic for
    • BitTorrent
    • eDonkey
    • Gnutella
    • KaZaa
    • Skype
    • WinNY
  • Ability to limit transfer rates (KB/s) for all but Skype traffic

85
FortiAnalyzer
FortiGate Multi-Threat Security Systems - Administration and Content Inspection
86
Description
  • A purpose-built appliance for centralized logging
    and network security analysis

87
Features
  • Hardened, IPSec capable appliance
  • Certain models allow for hard disk redundancy using RAID
  • Full suite of reports
  • Enables quarantine of potentially malicious files

88
Features
  • Forensic analysis and aggregation of log data
  • Network vulnerability scanning
  • Ability to function as a secured NAS device

89
Configuration
  • The firewall must have the FortiAnalyzer selected
    as a logging destination
  • The firewall must be registered on the
    FortiAnalyzer

90
Log Browser
  • Ability to view specific log types for individual
    devices

91
Reporting Features
  • Three types of reports
    • Scheduled
    • On demand
    • Built-in summary
  • Reporting in several output formats
    • HTML
    • PDF
    • MS Word
    • Text

92
Reporting Features
  • Ability to use IP aliases
  • Reports can have custom graphics and titles
  • High degree of selection granularity

93
Quarantine
  • The FortiAnalyzer allows all FortiGates to have a
    quarantine
  • Automatic uploading of files can be enabled
  • Automatic ticketing system
  • Only one copy of a quarantined file is held on
    the FortiAnalyzer.

94
FortiAnalyzer Quarantine
  • FortiAnalyzer quarantine example

95
Security Events
  • Can view recent security events for
    • Virus
    • Intrusion (IPS)
    • Suspicious

96
Vulnerability Scan
  • Can scan hosts/subnets for security
    vulnerabilities
  • Can be scheduled or on demand

97
Log Rolling and FTP archive
  • Log files can be rolled based on
    • File size
    • Time
  • Logs can be uploaded to an FTP server

98
Log Viewer
  • Allows for real-time viewing of log messages
  • Full filtering capability

99
Administration and Maintenance
FortiGate Multi-Threat Security Systems - Administration and Content Inspection
100
Maintenance
  • Maintenance of firewalls includes many tasks, such as
    • Configuration backup
    • IPS signature updates
    • Antivirus signature updates
    • FortiGuard Center
    • Firmware upgrades
    • FortiGuard Services registration / maintenance

101
Configuration Backup
  • Configuration can be backed up from
    • GUI
    • CLI
  • The backup file can be sent to
    • FortiUSB
    • Local PC via GUI (HTTP)
    • Local PC via CLI (TFTP)

102
Configuration Backup
  • There are two types of backup
    • Clear text (default)
    • Password protected
  • Password protected backups provide
    • Backup of IPSec certificates
    • Protection from alteration (checksum)

103
Configuration Restore
  • A password protected backup will be invalid if
    • The password is forgotten
    • The backup file is altered or corrupted

104
Registration
  • Registering your firewall provides many benefits, including
    • FortiGuard Services activation and trials
    • Service and support contracts
    • Centralized device information
    • Creation of support tickets
    • Technical support forum access
    • Access to firmware updates

105
Fortinet Support Registration
  • (Screenshot of the support registration site, showing product information, service agreements and active support tickets)
106
FortiGuard Distribution Network
  • A Fortinet-maintained worldwide network for update distribution
    • Antivirus signatures
    • IPS signatures
  • There are three ways to update using FDN
    • Scheduled
    • Push
    • Manual

107
FDN Push Updates
  • When push updating is configured, the FDN sends a token to your firewall when an update is available
  • The update occurs on 9443/UDP
  • The firewall will require a virtual IP on any NAT device between it and the public network

108
Firmware Maintenance
  • Fortinet makes firmware updates available at
    support.fortinet.com
  • A configuration backup should be performed before
    any firmware maintenance
  • Firmware files are platform specific

109
Firmware Upgrades
  • Firmware can be updated in three ways
    • FortiUSB
    • GUI
    • CLI (TFTP)
  • During a firmware upgrade the configuration will be retained

110
Firmware Testing and Multiple Images
  • Starting with the FortiGate 100A, firewalls have two partitions within NVRAM
  • This allows these models to have
    • Two independent firmware images
    • Two independent configuration files

111
http://www.fortinet.com/FortiGuardCenter
  • Fortinet's most current malware information and security alerts
    • Advisories
    • Virus and Spyware encyclopedias
    • Latest IPS vulnerabilities
    • Global threat statistics
    • FortiGuard URL lookup
    • and more!

112
Transparent Mode
FortiGate Multi-Threat Security Systems - Administration and Content Inspection
113
Description
  • A mode that enables the firewall to behave like a
    layer 2 bridge and still retain its content
    inspection capabilities

114
Positioning
  • Reasons to use Transparent mode
    • Network diagnostics
    • Not wanting to alter the IP addressing scheme
    • Wishing to try out the firewall
    • A drop-in solution for content inspection and filtering (including AV, IPS, web filter)

115
Configuration
  • Enabling transparent mode can be done in a few ways
    • GUI
    • CLI or console
    • LCD (on supported models)
  • Most configuration performed in NAT/Route mode will be lost
  • The GUI and CLI must now be accessed using the management IP

116
Configuration
  • The default management IP is 10.10.10.1
    accessible via the Internal or Port 1 of the
    firewall
  • Administrative access is still performed on a per
    interface basis
  • Firewall policies remain necessary for traffic to
    flow through the firewall

117
Limits of Transparent Mode
  • Transparent mode cannot
    • Perform NAT/Route of traffic
    • SSL VPN
    • PPTP/L2TP VPN
    • DHCP server

118
FortiGuard
  • The firewall must have a valid default gateway
  • FortiGuard Services require Internet access, and
    occur on 53/UDP by default or optionally on
    8888/UDP
  • Push updates will require a virtual IP on the
    gateway pointing to the management IP

119
Interfaces
  • For a transparent mode firewall to pass VLAN traffic it must have
    • VLAN interfaces with the appropriate VLAN ID
    • A firewall policy permitting the exact traffic
  • VLAN interfaces must be present on any ports through which tagged packets will flow

120
System Health Monitoring
  • Firewall health monitoring
    • CPU utilization history
    • Memory utilization history
    • Active session table
    • FortiAnalyzer disk space

121
Firewall Session Table
  • View current sessions on the firewall
  • Filter based on
    • Protocol
    • Source IP/Port
    • Destination IP/Port
    • Firewall Policy ID
  • Allows session removal

122
  • THANK YOU