Virtual Lab Setup Guide for FortiGate 6.2

Fortinet Training http://www.fortinet.com/training

Fortinet Document Library http://docs.fortinet.com

Fortinet Knowledge Base http://kb.fortinet.com

Fortinet Forums https://forum.fortinet.com

Fortinet Support https://support.fortinet.com 

FortiGuard Labs http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE) https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback Email: [email protected]

7/3/2019

TABLE OF CONTENTS

Disclaimer ........ 4
Change Log ........ 5
Introduction ........ 6
Upgrading from 6.0.0 to 6.2.0 ........ 7
    Resources folder ........ 7
    Upgrading FortiGate devices to FortiOS 6.2.0 ........ 7
    Restoring the FortiGates initial configuration ........ 8
    Creating Snapshots ........ 10
Materials ........ 11
    Additional Files Required for the Labs ........ 11
    System Requirements ........ 13
    Network Topology ........ 13
Loading the VMs in VMware Workstation ........ 14
    Loading the Windows Server 2012 VMs on VMware Workstation 12 ........ 14
    Loading the Fortinet VMs on VMware Workstation 12 ........ 14
    Loading the Prebuilt Linux Image ........ 15
    Loading the FIT VM ........ 15
Configuring VMware Virtual Networking ........ 16
Configuring the VMs ........ 19
    Local-FortiGate ........ 20
    Local-Windows ........ 21
    FortiManager ........ 37
    FortiAnalyzer ........ 40
    Restoring the Local-FortiGate Initial Configuration and License ........ 41
    Remote-FortiGate ........ 42
    Remote-Windows ........ 43
    ISFW ........ 45
Testing ........ 47
Creating Snapshots ........ 49

Disclaimer

Fortinet only supports lab environments that are built to the specifications outlined in this guide. Any modifications to, or deviations from, the environment described in this guide can affect the outcome of the student lab exercises. Lab exercises are used as a way to reinforce learning, and the knowledge obtained from successfully performing these labs is essential for NSE certification preparation.

4

Virtual Lab Setup Guide for FortiGate 6.2 Fortinet Technologies Inc.

Change Log

This section includes updates to this guide. At this time, there are no updates.


Introduction

This guide explains how to configure the lab for the following Fortinet training courses:

- FortiGate Security 6.2 (NSE 4 preparation)
- FortiGate Infrastructure 6.2 (NSE 4 preparation)

In this environment, FortiManager acts as a local FortiGuard server. It validates the FortiGate licenses and replies to FortiGuard Web Filtering rating requests from the FortiGate VMs. FortiManager is configured in closed network mode, providing FortiGuard services to the local FortiGate VMs without requiring Internet access.

To administer this lab as designed, you will:

1. Load, configure, and test the VM images required for this lab.
2. Save a VMware snapshot of the VM images.
3. Deploy a copy of all VMs for each student every time there is a class.


Upgrading from 6.0.0 to 6.2.0

If you have already built the environment for the FortiGate Security and FortiGate Infrastructure courses based on the 6.0.0 firmware version, you can follow the instructions below to update the environment to the 6.2 firmware version.

If you have not already built the environment for the FortiGate Security and FortiGate Infrastructure courses based on the 6.0.0 firmware version, follow the instructions that start at Materials on page 11.

Resources folder

The Resources folder on the Local-Windows VM includes the initial configurations for each lab, for both courses. You need to replace the current Resources folder on the Local-Windows VM with the Resources folder that contains the FortiOS 6.2 configurations.

To replace the Resources folder on Local-Windows

1. Log in to the Local-Windows VM.
2. Delete the Resources folder located on the desktop.
3. Delete the Resources folder from the Recycle Bin.
4. From the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute, copy the Resources folder to the desktop.

Upgrading FortiGate devices to FortiOS 6.2.0

You will now upgrade the Local-FortiGate and Remote-FortiGate to FortiOS version 6.2.0.

Upgrade path

To upgrade the FortiGate device to 6.2.0, you must follow this upgrade path:

6.0.0 > 6.0.2 > 6.0.4 > 6.2.0

To download the FortiGate VM firmware images

1. From the Local-Windows VM, open a new browser tab and log in to the Fortinet Support site (www.support.fortinet.com).
2. Download the VM firmware image file for every firmware version included in the upgrade path.

To upgrade FortiGate VMs to FortiOS 6.2.0

Use the following steps to upgrade Remote-FortiGate and Local-FortiGate. In the NSE4 6.2 course, the ISFW FGT-VM is also included. If you are teaching the NSE5 FortiAnalyzer 6.2 class, which includes the ISFW FGT-VM, you can use the following instructions to upgrade that FGT-VM as well.


If you are not teaching the NSE5 FortiAnalyzer 6.0 class and do not have an ISFW FGT-VM, follow the instructions for ISFW:

- Licenses: Materials on page 11.
- Topology: Network Topology on page 13.
- VMware Virtual Networking: Configuring VMware Virtual Networking on page 16.
- Configuring ISFW: ISFW on page 45.

1. Continuing on the Local-Windows VM, open a new browser tab and log in to the FortiGate GUI.
2. Click System > Firmware.
3. In the Upload Firmware section, click Browse.
4. Click Downloads and select the VM firmware image file for FortiGate 6.0.2.
5. Click Open.
6. Click Backup config and upgrade.
7. Click Continue.
8. Click Cancel.
9. Follow steps 2 to 8 for each firmware version listed in the upgrade path, on each FortiGate VM, to upgrade the FortiGates to 6.2.0.
10. Once the firmware is upgraded, delete the VM firmware image file for FortiGate 6.2.0 from the Downloads folder and the Recycle Bin.

Restoring the FortiGates initial configuration

At this stage, you are ready to restore the Local-FortiGate, Remote-FortiGate, and ISFW initial configurations.

To restore the Remote-FortiGate configuration file

1. On the Local-Windows VM, open a browser and log in to the Remote-FortiGate GUI at 10.200.3.1 with the user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > Initial-Configuration > remote-intial.conf, and then click Open.


5. Click OK.
6. Click OK to reboot.

To restore the Local-FortiGate configuration file

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > Initial-Configuration > local-intial.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.

To restore the ISFW-FortiGate configuration file

1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.200 with the user name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.
3. Click Local PC, and then click Upload.
4. Click Desktop > Resources > Initial-Configuration > ISFW-initial.conf, and then click Open.
5. Click OK.
6. Click OK to reboot.


Creating Snapshots

Once you have completed and tested your configuration, save a snapshot of each VM. These snapshots are what you will deploy for each student in the class. You can also redeploy these snapshots to revert a student's VM if their configuration is not working and they need to quickly restore it to a functional state.


Materials

To build the virtual lab required for this class, you must purchase or download:

Resource -> Information

1 VMware Workstation installation per student -> For hardware system requirements, see System Requirements on page 13

3 FortiGate VM licenses -> For Local-FortiGate, Remote-FortiGate, and ISFW

1 FortiAnalyzer VM license -> Must be registered with the IP address 10.0.1.210

1 FortiManager VM license -> Must be registered with the IP address 10.0.1.241

3 FortiGuard Web Filtering, antivirus, and IPS contracts -> For Local-FortiGate, Remote-FortiGate, and ISFW

3 Security Rating contracts -> For Local-FortiGate, Remote-FortiGate, and ISFW

2 Windows Server 2012 VMs -> For Local-Windows and Remote-Windows

1 Ubuntu Linux VM image -> Prebuilt image provided by Fortinet Training. The image is provided in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute.

1 FIT VM image -> Prebuilt image provided by Fortinet Training. The image is provided in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute.

VM firmware image files for FortiGate 6.2.0, FortiAnalyzer 6.2.0, and FortiManager 6.2.0 -> After purchase, you can download the files from Fortinet Support (www.support.fortinet.com) by logging in with the supplied credentials.

1 Resources folder that includes the initial configuration for each lab -> Prebuilt files provided by Fortinet Training. The files are provided in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute.

Additional Files Required for the Labs

The following software is also required on the Windows VMs.


The executables are provided in the software sub-folder of the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute.

Software -> Virtual Machine

Mozilla Firefox 56.0.1 -> Local-Windows, Remote-Windows
PuTTY 0.70 -> Local-Windows, Remote-Windows
ActivePerl 5.24.2 -> Local-Windows, Remote-Windows
Wireshark 2.4.2 -> Local-Windows, Remote-Windows
Notepad++ 7.5.1 -> Local-Windows, Remote-Windows
Adobe Reader 11.0.10 -> Local-Windows, Remote-Windows
Adobe Flash Player 27.0.0.170 -> Local-Windows, Remote-Windows
Java 8 Update 151 -> Local-Windows, Remote-Windows
fgt2eth.pl (Perl script for converting FortiGate sniffer output to Wireshark PCAP packet capture format) -> Local-Windows, Remote-Windows
Windows Server 2012 patch KB9089134 -> Local-Windows, Remote-Windows
FileZilla Client 3.28.0 -> Local-Windows
Mozilla Thunderbird 52.4.0 -> Local-Windows
FortiClient 6.0.5 build 0209 -> Remote-Windows


System Requirements

Each workstation running VMware Workstation requires:

- 1 Ethernet interface
- 15 GB RAM
- 400 GB storage (hard disk, SAN, etc.)

Network Topology


Loading the VMs in VMware Workstation This section outlines how to load the VMs in VMware Workstation, including the Windows VMs, Fortinet VMs (FortiGate, FortiManager, and FortiAnalyzer), and the Linux VM.

The Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute provides prebuilt images of the Linux VM and FIT VM, which do not require additional configuration. You only need to load them and deploy them.

Loading the Windows Server 2012 VMs on VMware Workstation 12

The following procedure outlines how to create the Windows VMs on VMware Workstation 12.

To create the Windows VMs on VMware Workstation 12

1. Click File > New Virtual Machine.
2. Click Custom (advanced), and then click Next.
3. From the Hardware compatibility drop-down list, select Workstation 12.x, and click Next.
4. Select Installer disk image file (iso), browse to your Windows Server 2012 image file, and click Next.
5. In the Virtual machine name field, type the VM name according to the network topology diagram (that is, Local-Windows and Remote-Windows).
6. Accept all other default settings.
7. Click Finish to build the VM.

Loading the Fortinet VMs on VMware Workstation 12

The following procedure outlines how to load the Fortinet VMs on VMware Workstation 12:

- Local-FortiGate
- Remote-FortiGate
- ISFW
- FortiManager
- FortiAnalyzer

To create the Fortinet VMs on VMware Workstation 12

1. Go to File > Open.
2. Select the Open Virtualization Format file format.
3. Select the file name FortiGate-VM.ovf.
4. Name the VM Local-FortiGate.
5. Repeat for each VM, naming the VMs according to the network topology diagram.


Loading the Prebuilt Linux Image

The following procedure outlines how to load the prebuilt Ubuntu 16.04 Linux image on VMware Workstation 12.

To load the prebuilt Linux image

1. Go to File > Open.
2. Select the Open Virtualization Format file format.
3. Select the prebuilt image: Linux.ovf.
4. Name the VM Linux.

Loading the FIT VM

The FIT (Firewall Inspection Tester) VM includes a traffic generation tool. The VM generates web browsing traffic, application control traffic, botnet IP hits, malware URLs, and malware downloads. The following procedure outlines how to load the FIT VM image on VMware Workstation 12.

To load the FIT VM image

1. Go to File > Open.
2. Select the Open Virtualization Format file format.
3. Select the prebuilt image: FIT.ovf.
4. Name the VM FIT.


Configuring VMware Virtual Networking

Once you've loaded the VMs, you must configure their virtual network adapters to build the lab's required virtual network topology. The following VMs should be inside each student's virtual lab environment:

- Local-Windows
- Remote-Windows
- ISFW
- Local-FortiGate
- Remote-FortiGate
- Linux
- FortiAnalyzer
- FortiManager
- FIT (traffic generator)

The topology supports both HA and non-HA topologies, which the students switch between during the labs by reconfiguring their VMs; no VMware reconfiguration is required. The key to this flexible networking is the six LAN segments used in the current setup, plus the predefined interfaces vmnet0 and vmnet1:

- vmnet0 bridges the physical NIC, which provides the default route to the Internet.
- vmnet1 is a host-only private network shared between the host and the guest systems.

By mapping the guest VMs’ virtual NICs to virtual LAN segments, you create the topology.

To configure VMware virtual networking

1. Create one additional virtual NIC on each of your Windows VMs:
   - Local-Windows: Add 1 more NIC (2 NICs total).
   - Remote-Windows: Add 1 more NIC (2 NICs total).
2. Ensure that the prebuilt Linux VM has five NICs. If not, add as many as needed to have five.
3. Create the LAN segments:
   a. Right-click the Local-Windows VM and select Settings.
   b. Select either of the two Network Adapters.
   c. Click LAN Segments.
   d. Click Add as many times as needed to create the seven LAN segments.


   e. Click OK twice to close the windows.
4. Map the LAN segments to each vNIC:

For the Local-Windows VM, map these network adapters:

Network Adapter -> LAN Segment
1 (first) -> LAN3
2 -> Custom: VMnet1 (Host-only)

For the Remote-Windows VM, map these network adapters:

Network Adapter -> LAN Segment
1 -> LAN6
2 -> Custom: VMnet1 (Host-only)

For both FortiGate VMs (Local-FortiGate and Remote-FortiGate), map the first seven network adapters:

Network Adapter -> LAN Segment
1 -> LAN1
2 -> LAN2
3 -> LAN3
4 -> LAN4
5 -> LAN5
6 -> LAN6
7 -> LAN3

For the ISFW VM, map these network adapters:

Network Adapter -> LAN Segment
1 -> LAN3
3 -> LAN7

For the FortiManager VM, map these network adapters:

Network Adapter -> LAN Segment
1 -> LAN3
2 -> LAN1

For the FortiAnalyzer VM, map these network adapters:

Network Adapter -> LAN Segment
1 -> LAN3
3 -> LAN1

For the Linux VM, map these network adapters:

Network Adapter -> LAN Segment
1 -> VMnet0
2 -> LAN1
3 -> LAN2
4 -> LAN4
5 -> LAN5

For the FIT VM, map these network adapters:

Network Adapter -> LAN Segment
1 -> LAN3
2 -> LAN7
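The adapter-to-segment tables in this section are easy to mistype, and a wrong segment only shows up later as a VM that cannot reach its gateway. As an added check that is not part of the guide, the Python example below transcribes the tables into a dictionary, derives which VMs share each LAN segment, and verifies the adjacencies the lab relies on: for instance Local-Windows reaching Local-FortiGate port3 (10.0.1.254) over LAN3, and FortiGate port1 sharing LAN1 with the Linux VM that the guide addresses as 10.200.1.254. The REQUIRED_ADJACENCY list is this example's own summary of the design read off the tables and the addressing used elsewhere in the guide, not something the guide states in this form.

```python
"""Consistency check for the VMware LAN-segment mapping of this lab.

Added example for this guide; the adapter map is transcribed from the tables
in this section and REQUIRED_ADJACENCY is an assumption about which VMs must
share a wire, derived from those tables and the addressing in the guide.
"""
from collections import defaultdict

# VM -> {adapter number: segment}, transcribed from the tables above.
ADAPTER_MAP = {
    "Local-Windows":    {1: "LAN3", 2: "VMnet1"},
    "Remote-Windows":   {1: "LAN6", 2: "VMnet1"},
    "Local-FortiGate":  {1: "LAN1", 2: "LAN2", 3: "LAN3", 4: "LAN4",
                         5: "LAN5", 6: "LAN6", 7: "LAN3"},
    "Remote-FortiGate": {1: "LAN1", 2: "LAN2", 3: "LAN3", 4: "LAN4",
                         5: "LAN5", 6: "LAN6", 7: "LAN3"},
    "ISFW":             {1: "LAN3", 3: "LAN7"},
    "FortiManager":     {1: "LAN3", 2: "LAN1"},
    "FortiAnalyzer":    {1: "LAN3", 3: "LAN1"},
    "Linux":            {1: "VMnet0", 2: "LAN1", 3: "LAN2", 4: "LAN4", 5: "LAN5"},
    "FIT":              {1: "LAN3", 2: "LAN7"},
}

# (VM A, VM B, segment): pairs that must share a segment for the lab to work.
# Assumed design summary, not a list from the guide.
REQUIRED_ADJACENCY = [
    ("Local-Windows", "Local-FortiGate", "LAN3"),   # client behind port3 (10.0.1.254)
    ("Remote-Windows", "Remote-FortiGate", "LAN6"),
    ("Local-FortiGate", "Linux", "LAN1"),           # port1 default route via 10.200.1.254
    ("Remote-FortiGate", "Linux", "LAN1"),
    ("FortiManager", "Local-FortiGate", "LAN3"),    # closed-network FortiGuard at 10.0.1.241
    ("FortiAnalyzer", "Local-FortiGate", "LAN3"),   # log collector at 10.0.1.210
    ("ISFW", "Local-FortiGate", "LAN3"),
    ("FIT", "ISFW", "LAN7"),                        # traffic generator behind ISFW
]


def segment_members(adapter_map):
    """Return {segment: {(vm, adapter), ...}} for every segment in use."""
    members = defaultdict(set)
    for vm, adapters in adapter_map.items():
        for adapter, seg in adapters.items():
            members[seg].add((vm, adapter))
    return dict(members)


def missing_adjacencies(adapter_map, required=REQUIRED_ADJACENCY):
    """Return the required (a, b, segment) triples the map does not satisfy."""
    members = segment_members(adapter_map)
    missing = []
    for a, b, seg in required:
        vms = {vm for vm, _ in members.get(seg, ())}
        if not {a, b} <= vms:
            missing.append((a, b, seg))
    return missing


def isolated_vms(adapter_map):
    """VMs whose every adapter sits on a segment no other VM uses."""
    members = segment_members(adapter_map)
    return sorted(
        vm for vm, adapters in adapter_map.items()
        if all(len({m for m, _ in members[seg]}) == 1 for seg in adapters.values())
    )


if __name__ == "__main__":
    for seg, who in sorted(segment_members(ADAPTER_MAP).items()):
        print(seg, sorted(who))
    print("missing adjacencies:", missing_adjacencies(ADAPTER_MAP))
    print("isolated VMs:", isolated_vms(ADAPTER_MAP))
```

Re-run the check after any change to the tables; a transcription error such as putting Local-Windows on LAN4 is reported as the missing Local-Windows/Local-FortiGate/LAN3 adjacency rather than discovered when the student's desktop cannot reach 10.0.1.254.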


Configuring the VMs Before you deploy the VMs, you must first install the required software and files on your Windows VM. You must also configure some initial settings on your Fortinet VMs so that they have network connectivity, and load their VM license.

The prebuilt Linux VM provided with the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute is already configured. The root password for the prebuilt VM is: password.

The prebuilt FIT VM provided in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute is already configured.


Local-FortiGate

The following procedure outlines how to configure the network interfaces on Local-FortiGate.

To configure network interfaces on Local-FortiGate

1. Start the Local-FortiGate VM and open the VM console.
2. Log in as admin, and leave the password field empty.
3. Enter:

   exec formatlogdisk

   This formats the virtual disk, which is required to store data such as local reports or logs. The device reboots after the format is complete.

4. Enter this configuration to configure the network interfaces, the default static route, and the outbound firewall policy:

   config system interface
       edit port1
           set ip 10.200.1.1 255.255.255.0
           set allowaccess http
       next
       edit port2
           set ip 10.200.2.1 255.255.255.0
           set allowaccess http
       next
       edit port3
           set ip 10.0.1.254 255.255.255.0
           set allowaccess http
       next
   end
   config router static
       edit 1
           set gateway 10.200.1.254
           set device port1
       next
   end
   config firewall policy
       edit 1
           set srcintf port3
           set dstintf port1
           set srcaddr all
           set dstaddr all
           set action accept
           set schedule always
           set service ALL
           set nat enable
       next
   end
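The bootstrap configuration above is small enough to check by hand, but a few checks are worth automating when the same snippet is re-typed for several FortiGate VMs: that the static route's gateway lies on the subnet of the interface it is bound to, that the policy references interfaces that exist, and which interfaces expose administrative access over plain HTTP. The following added example (not Fortinet code and not part of this guide) parses the snippet's subset of the FortiOS CLI syntax (config / edit / set / next / end, no nested tables) and reports those findings. In this isolated lab the plain-HTTP and allow-all findings are expected, which is exactly why they should be surfaced before the snippet is reused outside it.

```python
"""Lint the FortiOS CLI bootstrap snippet used for Local-FortiGate.

Added example for this guide, not Fortinet code.  The parser understands only
the flat config/edit/set/next/end structure shown in the snippet; the checks
encode this lab's expectations (gateway on port1's subnet, policy interfaces
present) and flag settings a production device should not carry over.
"""
import ipaddress

# The configuration as it appears in the guide (one command per line).
LOCAL_FORTIGATE_CONFIG = """
config system interface
    edit port1
        set ip 10.200.1.1 255.255.255.0
        set allowaccess http
    next
    edit port2
        set ip 10.200.2.1 255.255.255.0
        set allowaccess http
    next
    edit port3
        set ip 10.0.1.254 255.255.255.0
        set allowaccess http
    next
end
config router static
    edit 1
        set gateway 10.200.1.254
        set device port1
    next
end
config firewall policy
    edit 1
        set srcintf port3
        set dstintf port1
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
    next
end
"""


def parse_fortios(text):
    """Return {table name: {entry name: {setting: [values]}}} for flat tables."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table = tables.setdefault(" ".join(args), {})
        elif cmd == "edit":
            entry = table.setdefault(" ".join(args), {})
        elif cmd == "set":
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
    return tables


def check_config(tables):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    ifaces = tables.get("system interface", {})
    networks = {}
    for name, attrs in ifaces.items():
        ip, mask = attrs["ip"]
        networks[name] = ipaddress.ip_interface(f"{ip}/{mask}").network
        access = attrs.get("allowaccess", [])
        # Plain-HTTP admin access is acceptable inside this isolated lab but
        # must not travel with the snippet to a real device, so flag it always.
        if "http" in access and "https" not in access:
            findings.append(f"{name}: admin access over plain HTTP only")
    for rid, route in tables.get("router static", {}).items():
        gw = ipaddress.ip_address(route["gateway"][0])
        dev = route["device"][0]
        if dev not in networks:
            findings.append(f"route {rid}: device {dev} is not a configured interface")
        elif gw not in networks[dev]:
            findings.append(f"route {rid}: gateway {gw} is not on {dev}'s subnet {networks[dev]}")
    for pid, pol in tables.get("firewall policy", {}).items():
        for key in ("srcintf", "dstintf"):
            if pol[key][0] not in ifaces:
                findings.append(f"policy {pid}: {key} {pol[key][0]} is not a configured interface")
        if (pol.get("action") == ["accept"] and pol.get("srcaddr") == ["all"]
                and pol.get("dstaddr") == ["all"] and pol.get("service") == ["ALL"]):
            findings.append(f"policy {pid}: allow-all policy from {pol['srcintf'][0]} to {pol['dstintf'][0]}")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_fortios(LOCAL_FORTIGATE_CONFIG)):
        print("FINDING:", finding)
```

Run against the snippet as written, the script reports the three plain-HTTP interfaces and the allow-all port3-to-port1 policy and is silent about the route, because 10.200.1.254 is on port1's 10.200.1.0/24. Change the gateway to an address outside that subnet and the route check fires, which is the typo this lab's students most often make when re-entering the snippet.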


Local-Windows The Local-Windows VM is used as the student's network management computer in the lab. Students will initiate most client network connections from it, and administer Fortinet VMs.

To copy the Resources folder to Local-Windows

1. From the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute, copy the Resources folder to the desktop.

To perform initial setup

1. On this VM, verify that the correct local time and time zone are set, and that the screen has a resolution of at least 1280x1024. (This ensures proper display of the FortiOS GUI.)
2. Change the administrator account password to password. (Disable the password complexity check if required.)
3. Configure the IPv4 network settings for LAN3:

   IP address -> 10.0.1.10
   Netmask -> 255.255.255.0
   Default gateway -> 10.0.1.254
   DNS -> 10.0.1.254

4. Configure the IPv6 network settings for LAN3:
   - Obtain an IPv6 address automatically
   - Obtain DNS server address automatically

5. Install the following software (all applications are located in the software folder of the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute):
   - Firefox
   - PuTTY
   - ActivePerl
   - Thunderbird
   - FileZilla
   - Wireshark
   - Adobe Reader
   - Adobe Flash
   - Notepad++
   - Java


6. VMnet1 is your guest access network. When editing this network adapter, choose a unique address. Do not configure a gateway.
7. Open Windows Firewall and disable Windows Firewall for all the network types.

To install AD, Web, and DNS Services

1. Open Server Manager and select Add roles and features.
2. Click Next.
3. Select Role-based or feature-based installation.
4. Click Next.
5. Select the server with the IP address 10.0.1.10.
6. Click Next.
7. On the Server Roles screen, select Active Directory Domain Services, DNS Server, and Web Server (IIS).
8. Add all the features for those three roles.
9. Click Next.
10. Click Next until you get to the Confirmation screen.
11. Click Install and wait until the installation finishes.
12. From Server Manager, click the flag icon with the exclamation point and select Promote this server to a domain controller.
13. Select Add a new forest.
14. Type trainingAD.training.lab as the domain name.
15. Click Next.
16. Type any DSRM password and click Next.
17. Ignore the DNS warning and click Next.
18. Accept all the remaining default values and click Next until you get to the Prerequisites Check screen.
19. Click Install, and wait until the installation finishes.

Creating users in Active Directory The following procedure outlines how to create two active directory users in the Users container: Student and ADadmin.


You may need to disable password complexity requirements for Active Directory users. See In a Domain Environment, for an Active Directory Domain Server for the procedure.

To create the student user

1. Open Server Manager.
2. Click Tools.
3. Open Active Directory Users and Computers.
4. Expand the trainingAD.training.lab tree.
5. Right-click the Users container.
6. Select New > User.
7. In the First name and User logon name fields, type student and then click Next.
8. In the Password and Confirm password fields, type password.
9. Disable User must change password at next logon and enable Password never expires.
10. Click Next.
11. Click Finish.

To create the ADadmin user

1. Continuing in Active Directory Users and Computers and the trainingAD.training.lab tree, right-click the Users container.
2. Select New > User.
3. In the First name and User logon name fields, type ADadmin and then click Next.
4. In the Password and Confirm password fields, type Training!
5. Disable User must change password at next logon and enable Password never expires.
6. Click Next.
7. Click Finish.

To create the Training Organizational Unit and additional users

1. Continuing in Active Directory Users and Computers, right-click trainingAD.training.lab in the tree.
2. Select New > Organizational Unit.
3. In the Name field, type Training.
4. Right-click Training in the tree and select New > User.
5. Create the following user and click Next.


6. In the Password and Confirm password fields, type Training! as the password.
7. Disable User must change password at next logon and enable Password never expires.
8. Click Next.
9. Click Finish.
10. Repeat the process to create the following users in the Training organizational unit (same settings and password):
    - aduser2

To create an Active Directory group

1. Open Active Directory Users and Computers.
2. Expand the trainingAD.training.lab tree, and right-click the Training container.
3. Select New > Group.
4. Complete the following and click OK:

   Field -> Value
   Group name -> AD-users
   Group scope -> Global
   Group type -> Security

5. Double-click the AD-users group in the right pane.
6. Select the Members tab and add aduser1 and aduser2.


7. Click OK.

To enable Remote Desktop access for the student user

1. On the Local-Windows desktop, click the Start menu.
2. Right-click This PC and select Properties.
3. Click Remote settings.
4. Select Allow remote connections to this computer.
5. Clear the Allow connections only from computers running Remote Desktop with Network Level Authentication checkbox.


6. Click Apply.
7. Click OK.

To allow AD users to log in locally to the Windows server

1. On the Local-Windows desktop, click the Start menu.
2. Search for gpmc.msc and open the Group Policy Management tool.
3. Expand Forest: trainingAD.training.lab > Domains > trainingAD.training.lab > Group Policy Objects.
4. Right-click Default Domain Controllers Policy, and then click Edit.
5. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies.
6. Click User Rights Assignment.
7. In the main pane, right-click Allow log on locally and then click Properties. The Allow log on locally Properties dialog box appears.
8. On the Security Policy Setting tab, click Add User or Group.
9. Click Browse.
10. Enter aduser1, and then click Check Names. aduser1 appears with its full AD domain description.
11. Click OK.
12. Click OK.
13. Click OK.
14. Repeat steps 7-13 for aduser2.


To force the group policy update

1. In the Local-Windows VM, open the Command Prompt tool (cmd).
2. Enter the following command and press Enter:

   gpupdate /force

The group policy updates successfully. You can now switch users to test access to the aduser1 session within the Local-Windows VM.

It is advisable to personalize the desktop for aduser1 and aduser2 with a different color than the administrator session. This helps confirm that students are working in the right session.

To configure Internet Information Services (IIS)

1. Open Server Manager.
2. Click Tools > Internet Information Services (IIS) Manager.
3. In the Connections pane, select the root node and double-click Server Certificates.
4. In the Actions pane, click Import.


   The Import Certificate dialog box appears.
5. In the Certificate file (.pfx) field, click the ... icon.
6. In the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute, browse to the software folder, and open webserver.pfx.
7. In the Password field, type fortinet.
8. From the Select Certificate Store drop-down menu, select Web Hosting.
9. Click OK. The imported certificate appears in the Server Certificates list.


10. In the Connections pane, expand the root node.
11. Click Sites > Default Web Site.
12. In the Actions pane, click Bindings. The Site Bindings dialog box appears.
13. Click Add.
14. From the Type drop-down menu, select https.
15. From the SSL certificate drop-down menu, select 10.200.1.200.
16. Click OK. A caution prompt appears.
17. Click OK.
18. Click Close.
19. Close the Internet Information Services (IIS) Manager. You will install the root certificate in the next procedure.

To install the Training CA certificate in Windows

1. In the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute, browse to the software folder, and double-click Training.crt to open the file. The Certificate dialog box appears.
2. Click Install Certificate.


3. Click Local Machine.
4. Click Next.
5. Click Place all certificates in the following store and click Browse.


6. Click Trusted Root Certification Authorities and click OK.
7. Click Next.
8. Click Finish. A successful import notification is displayed.
9. Click OK.


To configure FileZilla

1. Open FileZilla.
2. Click the upper-left icon to open the Site Manager.
3. Click New Site to add a new site.
4. Name the new site FTPsite and configure it as follows:

   Field -> Value
   Host -> 10.200.3.254
   Port -> 222
   Protocol -> FTP - File Transfer Protocol
   Encryption -> Only use plain FTP
   Logon type -> Anonymous

5. Click the Transfer Settings tab, and select Active as the transfer mode.
6. Click OK.
7. Click New Site to create a new site, name it Linux, and configure it as follows:

   Field -> Value
   Host -> 10.200.1.254
   Port -> (no value given)
   Protocol -> FTP - File Transfer Protocol
   Encryption -> Use explicit FTP over TLS if available
   Logon type -> Anonymous

8. Click the Transfer Settings tab, and select Default as the transfer mode.
9. Click OK.

To configure Thunderbird outgoing server settings

1. From the Local-Windows desktop, open Mozilla Thunderbird.
2. Click the three bars icon in the upper right of the application.
3. Click Options > Account Settings.
4. Click Outgoing Server (SMTP) and click Add.
5. Configure the following settings:

   Setting -> Value
   Server Name -> 10.200.1.254
   Port -> 25
   Connection security -> None
   Authentication Method -> Password, transmitted insecurely
   Username -> student

6. Click OK.

To configure Thunderbird mail accounts

1. Still in Mozilla Thunderbird, click Options > Account Settings.
2. From the bottom of the left menu, click Account Actions > Add Mail Account.
3. Add the following account:

   Your name -> admin
   Email address -> [email protected]
   Password -> @fortinet1

4. Click Continue.
5. Add the following incoming and outgoing server settings:

6. Click Done.
7. If prompted, accept the certificate exception.
8. Select Account Actions > Add Mail Account again to create a second user:

   Your name -> student
   Email address -> [email protected]
   Password -> password

9. Click Continue.
10. Add the following incoming and outgoing server settings:


11. Click Done.
12. Click OK.

Configuring SMB file share

The Local-Windows machine requires an SMB file share.

To create a folder

1. Open File Explorer.
2. Go to the C drive.
3. Create a new folder named DLPshare.

To add the file share

1. Open Server Manager.
2. From the left pane, click File and Storage Services.
3. Click Shares.
4. From the TASKS drop-down menu, select New Share. A wizard opens.
5. Select SMB Share - Quick and click Next.
6. Select Type a custom path and click Browse.
7. Select the DLPshare folder you created on the C drive and click Select Folder.
8. Click Next until you get to the Permissions screen (see the left menu options).
9. On the Permissions screen, make sure BUILTIN\Administrators has full control.
10. Click Next.
11. Click Create.


12. Click Close.

To disable HSTS in Firefox

1. Open Firefox.
2. In the URL field, type about:config.
3. Click I accept the risk! if prompted.
4. Right-click and select New > Integer.
5. Add an item named test.currentTimeOffsetSeconds and enter the value 11491200.
6. Confirm your time.
7. Clear the cache.

To disable certificate pinning

1. Open Firefox.
2. In the URL field, type about:config.
3. Click I accept the risk! if prompted.
4. In the Search field, type security.cert_pinning.enforcement_level.
5. Edit the setting and change the value to 0.
6. Clear the cache.

To create bookmarks in PuTTY

1. Open PuTTY.
2. Complete the following:

   Host Name (or IP address) field -> 10.0.1.254
   Saved Sessions -> LOCAL-FORTIGATE

3. Click Save.
4. Repeat steps 2 and 3 for the following VMs:

   Host Name (or IP address) field -> 10.200.3.1
   Saved Sessions -> REMOTE-FORTIGATE

   Host Name (or IP address) field -> 10.0.1.200
   Saved Sessions -> ISFW

   Host Name (or IP address) field -> 10.0.1.210
   Saved Sessions -> FORTIANALYZER

   Host Name (or IP address) field -> 10.0.1.241
   Saved Sessions -> FORTIMANAGER

   Host Name (or IP address) field -> 10.0.1.254
   Saved Sessions -> LINUX

   Host Name (or IP address) field -> 10.0.1.20
   Saved Sessions -> FIT

To install additional files
1. From the Resources folder that you copied to your Local-Windows desktop, copy the Perl script fgt2eth.pl (which converts FortiGate sniffer captures to PCAP) to the ActivePerl bin folder: c:\Perl64\bin

2. Add shortcuts to the Windows task bar and desktop for the following applications: File Explorer, Firefox, PuTTY, command prompt, Notepad++, Windows Remote Desktop Connection, and FileZilla.
3. Open Mozilla Firefox and add the following bookmarks to the bookmarks toolbar:
   - Local-FortiGate: http://10.0.1.254
   - Remote-FortiGate: http://10.200.3.1
   - ISFW: http://10.0.1.200
   - FortiManager: https://10.0.1.241
   - FortiAnalyzer: https://10.0.1.210
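The fgt2eth.pl script installed above turns the text output of the FortiGate packet sniffer (diagnose sniffer packet with verbosity 3, which prints a header line and a hex dump per packet) into a PCAP file that Wireshark on the Local-Windows VM can open. The Python below is an added example of the same conversion, written for this guide; it is not the fgt2eth.pl script from the Resources folder. The capture it parses is a constructed sample (one ICMP echo request from Local-Windows to Local-FortiGate port3), and it assumes the verbosity-3 layout in which hex groups are separated by single spaces and the ASCII column by a tab or two or more spaces, and that the FortiGate timestamps are treated as UTC.

```python
"""Convert FortiGate `diagnose sniffer packet` verbosity-3 text output into a PCAP file.

Added example for this guide; not the fgt2eth.pl script from the Resources folder.
Assumptions: one header line per packet followed by `0xNNNN` hex-dump lines, hex groups
separated by single spaces, ASCII column separated by a tab or 2+ spaces, timestamps UTC.
"""
import re
import struct
import sys
from datetime import datetime, timezone

# Constructed sample, not a real capture: one Ethernet/IPv4/ICMP echo request
# from 10.0.1.10 (Local-Windows) to 10.0.1.254 (Local-FortiGate port3).
SAMPLE_CAPTURE = """\
interfaces=[port3]
filters=[icmp]
2019-07-03 10:15:42.123456 port3 in 10.0.1.10 -> 10.0.1.254: icmp: echo request
0x0000   0009 0f09 0002 0050 56a1 0001 0800 4500        .......PV.....E.
0x0010   001c 0001 0000 4001 63d9 0a00 010a 0a00        ......@.c.......
0x0020   01fe 0800 f7ff 0000 0000                       ..........
"""

# "<timestamp> <interface> <in|out> <summary>"
HEADER_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6}) (\S+) (in|out) (.*)$")
# "0x0010   <hex groups>  <ascii>": hex groups end where a tab, 2+ spaces or EOL follows
HEX_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{4} )*[0-9a-fA-F]{2,4})(?:\t|\s{2,}|\s*$)")

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def parse_sniffer_output(text):
    """Return a list of (timestamp, interface, direction, frame_bytes) tuples."""
    packets = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            current = [ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), bytearray()]
            packets.append(current)
            continue
        m = HEX_RE.match(line)
        if m and current is not None:
            current[3] += bytes.fromhex(m.group(1).replace(" ", ""))
    return [(ts, iface, direction, bytes(frame)) for ts, iface, direction, frame in packets]


def to_pcap(packets):
    """Serialize parsed packets as a libpcap file with the Ethernet link type."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, _iface, _direction, frame in packets:
        out += struct.pack("<IIII", int(ts.timestamp()), ts.microsecond, len(frame), len(frame))
        out += frame
    return bytes(out)


def ipv4_header_checksum_ok(frame):
    """Sanity check for a decoded frame: verify the IPv4 header checksum (EtherType 0x0800)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False
    ihl = (frame[14] & 0x0F) * 4
    header = frame[14:14 + ihl]
    if len(header) < 20 or len(header) % 2:
        return False
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF   # one's-complement sum over a valid header is all ones


def convert(text):
    """Sniffer text in, PCAP bytes out."""
    return to_pcap(parse_sniffer_output(text))


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    dst = sys.argv[2] if len(sys.argv) > 2 else "sniffer.pcap"
    pcap = convert(src)
    with open(dst, "wb") as fh:
        fh.write(pcap)
    print(f"wrote {dst}: {len(parse_sniffer_output(src))} packet(s), {len(pcap)} bytes")
```

Run it as `python fgt_sniffer_to_pcap.py capture.txt capture.pcap` on a PuTTY session log of the sniffer command; without arguments it writes the constructed sample. The checksum helper is there so you can tell a mis-parsed hex dump from a valid one before opening the file in Wireshark.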


FortiManager

Even though FortiManager is not the focus of the FortiGate courses, it is required for the lab setup due to the use of closed network mode. More information about the FortiManager closed network mode can be found in this document: https://docs.fortinet.com/

Requesting Closed Network Entitlement Files

After you have purchased VM licenses and registered them on https://support.fortinet.com, you must request closed network entitlement files. These files are required for manually uploading FortiGate license validation information to FortiManager in closed network mode.

To request closed network entitlement files
1. On the Fortinet Technical Support website (https://support.fortinet.com/), create a ticket with Fortinet Technical Support by going to Assistance > Create Ticket > Customer Service > Submit Ticket.
2. Enter the Serial Number.
3. Under Category, select CS Contact/License.
4. In the Comment field, ask for an entitlement file for your FortiGate VMs and provide the serial numbers and license numbers. If you don't remember them, you can find them in Asset > Manage View Products > <Select product>. Example:
   Serial Number: FGVM010000024628
   License Number: FGVM0035444
   Alternatively, as with registration, you can attach a spreadsheet that contains serial and license numbers if you want to ask for entitlement files for two or more FortiGate VMs at the same time. Fortinet Technical Support will provide one entitlement file that contains validation information for all of your FortiGate VMs. All FortiGate VMs must be registered with the same account; devices registered under different accounts cannot be combined into the same entitlement file.

Within a day or two, you should receive an entitlement file from customer service.

To configure the FortiManager initial settings
1. Start the FortiManager and open the VM console.
2. From the console, make the following changes:
   config system interface
       edit port1
           set ip 10.0.1.241 255.255.255.0
           set allowaccess http https ssh ping telnet
       next
   end
3. Connect to the GUI from the Local-Windows VM and restore the FMG-initial.dat file from the folder Resources/Initial-Configuration.
4. Upload a valid FortiManager VM license.

To configure FortiManager as a local FDN server
1. Log in to the FortiManager GUI and click FortiGuard.
2. From the left menu, click Settings.
3. Turn on Enable Communication with FortiGuard Server and click Apply.
4. Turn on Enable AntiVirus and IPS Service and enable FortiGate 6.2.
5. Turn on the following services:
   - Enable Web Filter Service
   - Enable Email Filter Service
6. Click Apply.
7. Wait until FortiManager has downloaded and synchronized all the service packages and updates. This could take several hours.
8. Check the status of the updates with the following CLI commands:
   # diagnose fmupdate update-status fds
   # diagnose fmupdate update-status fgd

Once complete, UpullStat should say Synced. Note that it syncs after every package FortiManager downloads, so you can run these commands multiple times to verify the status. It should take several hours to complete. If you do not see any progress in the downloads, for example UpullStat remains in the Connected state, you can manually trigger the update with the following commands:
   # diagnose fmupdate updatenow fds
   # diagnose fmupdate updatenow fgd


9. Once complete, the file size for web filtering (FURL) and email filter (SPAM00x) under Query Server Management > Receive Status should be approximately as they appear in this screenshot:

10. After the FortiGuard packages and updates are synchronized, click Advanced Settings and turn off Enable Communication with FortiGuard Server.
11. Click Apply.

To upload the entitlement files to FortiManager
1. Log in to the FortiManager GUI and click FortiGuard.
2. From the left menu, click Advanced Settings.
3. From the Upload Options for FortiGate/FortiMail section, click Upload for Service License.
4. Upload the following, one at a time, clicking Apply after each file upload:
   - Both FortiGate entitlement files


FortiAnalyzer

The following procedure outlines how to configure the FortiAnalyzer system settings.

To configure the FortiAnalyzer initial settings
1. Start FortiAnalyzer and open the VM console.
2. From the console, make the following changes:
   config system interface
       edit port1
           set ip 10.0.1.210 255.255.255.0
           set allowaccess http https ssh ping telnet
       next
   end
3. Connect to the GUI from the Local-Windows VM and restore the file Resources/Initial-Configuration/FAZ-initial.dat.
4. Upload the FortiAnalyzer VM license.


   Field                 Value
   Destination IP/Mask   0.0.0.0/0.0.0.0
   Gateway               10.200.1.254
   Interface             port3


Restoring the Local-FortiGate Initial Configuration and License

At this stage, you are ready to restore the Local-FortiGate initial configuration and license.

To restore the Local-FortiGate initial configuration and license
1. On the Local-Windows VM, open a web browser and connect to the FortiGate VM's GUI.
2. Upload local-initial.conf from Resources/Initial-Configuration.
3. After that, upload the VM license. FortiGate should query FortiManager to validate its VM license and FortiGuard service contracts.

If the license status does not appear as Valid, run the following command:
   # execute update-now


Remote-FortiGate

The following procedure outlines how to configure the network interfaces on Remote-FortiGate.

To configure network interfaces on Remote-FortiGate
1. Start the Remote-FortiGate VM and open the VM console.
2. Log in as admin, and leave the password field empty.
3. Enter:
   exec formatlogdisk
   This formats the virtual disk, which is required to store data such as local reports or logs. The device reboots after the format is complete.
4. Enter this configuration to configure the network interfaces:
   config system interface
       edit port4
           set ip 10.200.3.1 255.255.255.0
           set allowaccess ping https ssh http fgfm
       next
   end
   config router static
       edit 1
           set device port4
           set gateway 10.200.3.254
       next
   end
5. Connect to the GUI from the Local-Windows VM and upload the remote-initial.conf file from the folder Resources/Initial-Configuration.
6. Upload the VM license for this device. FortiGate should validate the license against FortiManager. None of the FortiGuard services are required on this FortiGate.

If the license status does not appear as Valid, run the following command:
   # execute update-now


Remote-Windows

To configure initial settings
1. On this VM, verify that the correct local time and time zone are set, and that the screen has a resolution of at least 1280x1024 (this ensures proper display of the FortiOS GUI).
2. Configure the network settings for LAN6:
   - IP address: 10.0.2.10
   - Netmask: 255.255.255.0
   - Default gateway: 10.0.2.254
   - DNS: 10.0.2.254
3. VMnet1 is your guest access network. When editing this network adapter, choose a unique address and do not configure a gateway on this adapter.
4. Open Windows Firewall and disable Windows Firewall for all network types.

Installing the Microsoft patch for SSL VPN

For SSL VPN tunnel mode to work properly, you must install a Microsoft hotfix that solves a Microsoft problem with the FortiSSL adapter.

To install the Microsoft patch for SSL VPN
1. Execute this command from the Remote-Windows command prompt:
   bcdedit -set testsigning on
2. After that, install the hotfix file named:
   Windows8.1-KB9089134-x64.exe
   This file is in the Virtual-Lab-Setup-Files-FGT-6.2 folder on the NSE Institute (the software folder). If you get an error indicating that the hotfix has expired, change the Local-Windows system date to April 1, 2015 and try the installation again. After the installation, you can change it back to the right date.

Installing Additional Software

You must install the following software. All software applications are located in the Virtual-Lab-Setup-Files-FGT6.2 folder on the NSE Institute, in the software folder.
   - Firefox
   - PuTTY
   - Wireshark
   - Java
   - Adobe Flash
   - Notepad++
   - FortiClient (install only the VPN module)

Once installed, add shortcuts to the Windows task bar and desktop for the following applications:
   - File Explorer
   - Firefox
   - PuTTY
   - command prompt
   - FortiClient


ISFW

The following procedure outlines how to configure the network interfaces on ISFW.

To configure network interfaces on ISFW
1. Start the ISFW VM and open the VM console.
2. Log in as admin, and leave the password field empty.
3. Enter:
   exec formatlogdisk
   This formats the virtual disk, which is required to store data such as local reports or logs. The device reboots after the format is complete.
4. Enter this configuration to configure the network interfaces (port1 takes the ISFW address 10.0.1.200 used throughout this guide):
   config system interface
       edit port1
           set ip 10.0.1.200 255.255.255.0
           set allowaccess http
       next
       edit port3
           set ip 10.0.3.254 255.255.255.0
           set allowaccess http
       next
   end
   config router static
       edit 1
           set gateway 10.0.1.254
           set device port1
       next
   end
   config firewall policy
       edit 1
           set srcintf port3
           set dstintf port1
           set srcaddr all
           set dstaddr all
           set action accept
           set schedule always
           set service ALL
           set nat enable
       next
   end
5. Connect to the GUI from the Local-Windows VM and upload the ISFW-initial.conf file from the folder Resources/Initial-Configuration.
6. Upload the VM license for this device. FortiGate should validate the license against FortiManager. None of the FortiGuard services are required on this FortiGate.


If the license status does not appear as Valid, run the following command: # execute update-now


Testing

Once you have all VMs installed, and have configured all LAN segments, host IP settings and virtual network connections, test connectivity.

From Local-Windows, test connectivity to:
   10.0.1.254     LAN3 Local-FortiGate_port3
   10.0.1.241     FortiManager
   10.0.1.200     ISFW
   10.0.1.210     FortiAnalyzer
   10.0.1.20      FIT

From Local-FortiGate, test connectivity to:
   10.0.1.10      LAN3 Local-Windows
   10.200.1.254   LAN1 LINUX_eth1
   10.200.2.254   LAN2 LINUX_eth2
   10.0.1.241     FortiManager
   10.0.1.200     ISFW
   10.0.1.210     FortiAnalyzer
   4.2.2.2        To test IP forwarding and NAT on your Linux VM
   10.0.1.20      LAN3 FIT

From the ISFW, test connectivity to:
   10.0.1.254     LAN3 Local-FortiGate_port3
   10.0.3.20      LAN7 FIT

From the Linux host, test connectivity to:
   10.200.1.1     LAN1 Local-FortiGate_port1
   10.200.2.1     LAN2 Local-FortiGate_port2
   10.200.3.1     LAN4 Remote-FortiGate_port4
   10.200.4.1     LAN5 Remote-FortiGate_port5
   4.2.2.2        LAN0

From Remote-FortiGate, test connectivity to:
   10.0.2.10      LAN6 Remote-Windows server
   10.200.3.254   LAN4 LINUX_eth3
   10.200.4.254   LAN5 LINUX_eth4
   10.200.1.241   FortiManager
   10.200.1.210   FortiAnalyzer

From Remote-Windows, test connectivity to:
   10.0.2.254     LAN6 Remote-FortiGate_port6

From FortiAnalyzer, test connectivity to:
   10.0.1.20      FIT
   10.0.1.254     LAN3 Local-FortiGate_port3
   10.200.1.254   LAN1 LINUX_eth1
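The connectivity tables above are a checklist that is tedious to walk through by hand on every rebuild, and a partly working topology (one LAN segment attached to the wrong VMnet, for example) is easy to miss when pinging interactively. The script below is an added example for this guide, not part of the original document: it carries the targets for the three general-purpose hosts (Local-Windows, the Linux host and Remote-Windows; FortiGate and FortiAnalyzer are checked with execute ping from their own CLI) and pings each one with the operating system's ping utility, reporting any target that did not answer. The ping flags assume Windows or Linux ping semantics; the probe is injectable so the check logic can be exercised without a network.

```python
"""Run the guide's connectivity checklist from a Windows or Linux lab host.

Added example for this guide (not part of the original document). Targets are
transcribed from the Testing tables; ping flags assume Windows or Linux ping.
"""
import platform
import subprocess
import sys

# Expected reachability per source host, from the guide's Testing section.
CONNECTIVITY = {
    "Local-Windows": [
        ("10.0.1.254", "LAN3 Local-FortiGate_port3"),
        ("10.0.1.241", "FortiManager"),
        ("10.0.1.200", "ISFW"),
        ("10.0.1.210", "FortiAnalyzer"),
        ("10.0.1.20", "FIT"),
    ],
    "Linux": [
        ("10.200.1.1", "LAN1 Local-FortiGate_port1"),
        ("10.200.2.1", "LAN2 Local-FortiGate_port2"),
        ("10.200.3.1", "LAN4 Remote-FortiGate_port4"),
        ("10.200.4.1", "LAN5 Remote-FortiGate_port5"),
        ("4.2.2.2", "LAN0"),
    ],
    "Remote-Windows": [
        ("10.0.2.254", "LAN6 Remote-FortiGate_port6"),
    ],
}


def ping_once(host, timeout_s=2):
    """Send one ICMP echo request with the OS ping utility; True if it was answered."""
    if platform.system() == "Windows":
        # Windows ping: -n <count>, -w <timeout in milliseconds>
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        # Linux ping: -c <count>, -W <timeout in seconds> (macOS uses other units)
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def run_checks(source, probe=ping_once, matrix=CONNECTIVITY):
    """Probe every target listed for `source`; returns [(ip, label, reachable), ...]."""
    if source not in matrix:
        raise KeyError(f"no connectivity checks defined for {source!r}")
    return [(ip, label, probe(ip)) for ip, label in matrix[source]]


def failures(results):
    """Targets that did not answer, as [(ip, label), ...]."""
    return [(ip, label) for ip, label, ok in results if not ok]


if __name__ == "__main__":
    if len(sys.argv) != 2 or sys.argv[1] not in CONNECTIVITY:
        print(f"usage: {sys.argv[0]} {{{'|'.join(CONNECTIVITY)}}}")
        sys.exit(2)
    results = run_checks(sys.argv[1])
    for ip, label, ok in results:
        print(f"{'OK  ' if ok else 'FAIL'} {ip:<14} {label}")
    sys.exit(1 if failures(results) else 0)
```

Run it as `python lab_connectivity.py Local-Windows` on that VM (and likewise with Linux or Remote-Windows on the others); a non-zero exit status means at least one row of the checklist failed, which is the signal to revisit the VMnet assignment or host IP settings for that segment before taking snapshots.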


Creating Snapshots

Once you have completed and tested your configuration, save a snapshot of each VM. These snapshots are what you will deploy for each student in the class. You can also re-deploy these snapshots to revert a student's VM if their configuration is not working and they need to quickly restore it to a functional state.


No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as stipulated by the United States Copyright Act of 1976. Copyright © 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied.
Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
