Taipei Municipal Songshan High School of Agriculture and Industry (臺北市立松山高級工農職業學校). Firewall procurement case for municipal senior-secondary and lower schools under the Taipei City Department of Education (excluding kindergartens). Firewall training. Syscom, Jaco Yang, January 2016
Topics: Hardware Overview; Product Register; Firmware Update; System Setup; Firewall Policy; UTM; VLAN at FortiGate; SSL VPN Web Mode; SSL VPN Tunnel Mode with Split Tunneling; Logging; Fortinet Wireless Network; FAQ
Fortinet FortiGate Hardware Overview January 2016
FortiGate 200D: hardware introduction
FortiGate 200D: LED indicator descriptions
FortiGate 200D factory defaults:
Account / password: admin / (blank)
mgmt port IP address / netmask: 192.168.1.99 / 255.255.255.0
lan port IP address / netmask: 192.168.100.99 / 255.255.255.0
dmz port IP address / netmask: 10.10.10.1 / 255.255.255.0
To reset the FortiGate unit to the factory defaults, in the CLI type the command: execute factoryreset
Default management URL: https://192.168.1.99
FortiGate 200D overall performance (base unit):
Firewall throughput (1518/512/64 byte UDP): 3/3/3 Gbps
IPsec VPN throughput: 1.3 Gbps
SSL VPN throughput: 400 Mbps
IPsec VPN tunnels (client-to-gateway): 5000
Antivirus throughput: 600
IPS throughput: 1.7 Gbps
Maximum concurrent sessions: 1.4M
New sessions per second: 77K
Maximum firewall policies: 10,000
Local storage: 16 GB
What is FortiASIC? A hardware acceleration chip built specifically for UTM appliances. FortiASIC-NP accelerates network-layer traffic, raising overall firewall/VPN throughput; it delivers wire-speed firewall performance for packets of any size and accelerates anomalous-traffic defence and network quality management (QoS). FortiASIC-CP accelerates content filtering, improving the throughput of antivirus and other UTM inspection, and accelerates IPsec/SSL VPN and SSL content inspection. (* FortiASIC-NP only on FG-200D)
Fortinet FortiGate Product Register January 2016
Register the device online: go to http://www.fortinet.com (the vendor's English site), choose "Service & Support", then "Support Login"
Register the device online: log in by entering your "Account ID" and "Password"
Register the device online: if you have no account, create one with "Create an Account" at the top right of the page
Register the device online: fill in the required fields (the e-mail address here becomes the login account). If you are unsure how to romanise a Chinese address, Chunghwa Post offers an online translator: http://www.post.gov.tw/post/internet/f_searchzone/index.jsp?id=190103
Register the device online: after completing the form, press Create Account and you are taken to the logged-in page
Register the device online: under "Asset", choose "Register/Renew" to open the registration page
Register the device online: enter the device serial number, e.g. FG100D3G1280XXXX (an example; enter the real serial number), then press "Next" to continue
Register the device online: Support Contract No: enter the product contract number; Fortinet Partner: select Syscom Inc.; press Next to go through Agreement, Verification and Completion
Confirm registration: after registering, check Information -> Entitlements for the registration details
Fortinet FortiGate Firmware Update January 2016
Upgrade path: http://docs.fortinet.com/d/upgrade-pathsto-fortios-5.2.0
Firmware upgrade (Web GUI)
Firmware upgrade (Web GUI), continued
Fortinet FortiGate System Setup January 2016
Log in: browse to https://192.168.1.99; on first login use admin with a blank password
Change language and idle timeout: System -> Admin -> Settings
Create administrator accounts: Admin -> Administrators
Set administrator permissions: Admin -> Admin Profiles
Change system time: Status -> System Time
Change system time: change the default GMT-8 to GMT+8 Taipei
Backup and restore
Network interface settings: System -> Network -> Interfaces
Custom interface address: to change the wan1 port IP, go to System -> Network -> Interfaces, select the wan1 port and edit it
Configure a DHCP connection
Configure a PPPoE connection
Enable remote administrative access: System -> Network, select the interface to be reached (e.g. the wan1 port) and enable administrative access via HTTPS or another protocol
Set the default gateway: Router -> Static -> Routes; set Gateway to the address of the designated router
Routing table list: in Route/NAT mode, shows the status and details of each route
Policy routes: Router -> Policy Routes -> Create New
Configure DNS: Network -> DNS
Enable/disable the DHCP server: System -> Network -> Interfaces. Note that the DHCP server on the lan port is enabled by default; enable or disable it as required, or change the address range to the required subnet
Verify registration: log in to the FortiGate administration page and click the installed FortiGate device; the screen should show the connection as normal with a green indicator
Check which features are enabled: System -> Config -> Features
Fortinet FortiGate Firewall Policy January 2016
Adding a firewall policy: the default policy is All Deny. Create the objects first (Addresses, Services, Virtual IPs, IP Pools), then the firewall policy that references them
Add an address: Policy & Objects -> Objects -> Addresses -> Create New; add an internal IP address. Address type has four options: FQDN, Geography, IP Range, IP/Network
Define service ports: Policy & Objects -> Objects -> Services
Define service ports: Policy & Objects -> Objects -> Services -> Create New
Create Policy: Policy & Objects -> Policy -> IPv4 -> Create New
Create Policy: block the IP address 192.168.100.200 from connecting to the Internet
Create Policy: after pressing OK the new firewall policy exists but does not take effect, because the ACCEPT policy sits above the DENY policy; the DENY policy must be moved above the ACCEPT
Move the firewall policy into place: the DENY policy must precede the ACCEPT. Click the Seq.# column and drag the policy to its new position; after the change, 192.168.100.100 is blocked from connecting to the Internet
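Why the ordering matters, shown with an added example (not part of the training deck and not FortiGate code): a small first-match evaluator in Python over a constructed policy table. FortiGate evaluates IPv4 policies top to bottom and applies the first match, so a DENY placed below a broader ACCEPT never fires. The policy names, the lan-to-internet rule and the addresses are constructed for illustration.

```python
"""First-match firewall policy evaluation (added example, not from the training deck)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str      # constructed policy name
    src: str       # source address object as CIDR, or "all"
    dst: str       # destination address object as CIDR, or "all"
    service: str   # "ALL" or a destination port as a string
    action: str    # "ACCEPT" or "DENY"


def _addr_match(obj, ip):
    return obj == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(obj, strict=False)


def matches(policy, src_ip, dst_ip, dport):
    return (_addr_match(policy.src, src_ip)
            and _addr_match(policy.dst, dst_ip)
            and policy.service in ("ALL", str(dport)))


def evaluate(policies, src_ip, dst_ip, dport):
    """First-match evaluation in list order; fall through to the implicit deny."""
    for p in policies:
        if matches(p, src_ip, dst_ip, dport):
            return p.action, p.name
    return "DENY", "implicit"


def move_before(policies, name, before_name):
    """Return a new ordering with policy `name` placed directly above `before_name`
    (the equivalent of dragging the Seq.# row in the GUI)."""
    moved = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == before_name)
    return rest[:idx] + [moved] + rest[idx:]


# Constructed policy table: the general allow was created first, the block later.
LAN_TO_INTERNET = Policy("lan-to-internet", "192.168.100.0/24", "all", "ALL", "ACCEPT")
BLOCK_HOST = Policy("block-200", "192.168.100.200/32", "all", "ALL", "DENY")
AS_CREATED = [LAN_TO_INTERNET, BLOCK_HOST]                       # DENY below ACCEPT: ineffective
AS_FIXED = move_before(AS_CREATED, "block-200", "lan-to-internet")  # DENY dragged above ACCEPT

if __name__ == "__main__":
    for label, table in (("as created", AS_CREATED), ("deny moved up", AS_FIXED)):
        print(label, evaluate(table, "192.168.100.200", "8.8.8.8", 443))
```

The first table returns ACCEPT for the blocked host because the broad lan-to-internet rule matches first; only the reordered table reaches the DENY, and hosts not named in the block still get the ACCEPT.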
Add an IP Pool (SNAT): Policy & Objects -> Objects -> IP Pools -> Create New
Add an IP Pool (SNAT): Policy & Objects -> Policy -> IPv4 -> Create New; under Firewall / Network Options enable Use Dynamic IP Pool
Add a server IP mapping (DNAT): Policy & Objects -> Objects -> Virtual IPs -> Create New; add a mapping for the Web Server so the external IP maps to the internal IP
Add a server IP mapping (DNAT): once the Web Server mapping is done, the next step is to add a firewall policy for it
Add a server IP mapping (DNAT): add a policy from interface port10, source address all, to interface dmz, destination address Web Server, service HTTP, action ACCEPT
Add a server IP mapping (DNAT): completed configuration
Fortinet FortiGate UTM January 2016
Antivirus modes. Flow-based: scans packets as they pass and holds back the last packet to reach a verdict. Proxy-based: reassembles all packets before scanning, so it is slower, but oversized files can be set to pass unscanned. Flow-based: faster, less thorough, heavier on performance. Proxy-based: slower, more thorough, lighter on performance
AntiVirus: Security Profiles -> Antivirus
Antivirus chunked bypass: Policy -> Policy -> Proxy Options
Enable the antivirus profile
Web Filter: Security Profiles -> Web Filter
URL Filter
Web Filter Override
Enable the Web Filter profile
Application Control: Security Profiles -> Application Control
Application Override
Enable the Application Control profile
Intrusion Protection: Security Profiles -> Intrusion Protection
Enable the IPS profile
Fortinet FortiGate VLAN at FortiGate January 2016
Create VLAN: System -> Network -> Interfaces -> Create New
View VLAN
VLAN (Firewall Policy): Firewall -> Firewall Policy -> Create New
Fortinet FortiGate SSL VPN Web Mode January 2016
Topology
Create User: User & Device -> User -> User Definition -> Create New
Choose User Type
Enter Login Credentials
Enter Contact Info
Enter Extra Info
Configuring SSL VPN settings: VPN -> SSL -> Settings
Create Security Policy
Login Authentication page
Fortinet FortiGate SSL VPN Tunnel Mode with Split Tunneling January 2016
Create User: User & Device -> User -> User Definition -> Create New
Create tunnel client address: Policy & Objects -> Objects -> Address -> Create New
Enter IP Address Range
Create routing
Configuring SSL VPN settings: VPN -> SSL -> Settings
Configuring web portals: VPN -> SSL -> Portals -> Create New
Enable Split Tunneling
Create Security Policy: Policy & Objects -> IPv4 -> Create New
Configure SSL VPN Policy
Login Authentication page
Connect SSL VPN
Fortinet FortiGate Logging January 2016
Log storage locations, local logging: System memory (overwrites older logs when capacity is reached; logs are lost when the FortiGate resets or loses power); Disk (the FortiGate unit must have a hard disk)
Log storage locations, remote logging: Syslog (forward logs to a remote computer); FortiGuard Analysis Service (FortiCloud), a subscription-based web service; FortiAnalyzer, a device dedicated to log collection, analysis and storage
Log types and subtypes. Traffic Log: Forward (traffic passed/blocked by firewall policies), Local (traffic aimed directly at, or created by, the FortiGate device), Invalid (packets considered invalid/malformed and dropped). Event Log: System (system-related events), Router, VPN, User, WanOpt & Cache, Wifi. UTM Security Log: Antivirus, Web Filter, Intrusion Protection, etc.
Traffic Log default behavior: Forward Traffic (traffic passing through), Local Traffic (management)
Traffic Log extended-utm-log: enable extended-utm-log in the UTM security profiles (CLI) to revert to the old behavior and have logs sent to the individual UTM classification. Not recommended: log consolidation is done for performance reasons and allows easier lookups. Enabled in existing profiles during upgrade; not enabled in new profiles by default.
config [antivirus/webfilter/spamfilter..] profile
    edit (profile name)
        set extended-utm-log enable
end
Traffic Log: right-click context menu
Traffic Log: filter conditions (Chinese-language filter criteria)
Generating Logs in Event Log
Event Log
FortiView
Fortinet FortiGate Fortinet Wireless Network January 2016
Bottlenecks of traditional wireless solutions: complex management, insufficient security, limited scalability. Too many devices must be integrated and managed (antivirus, application control, bandwidth management, and so on); when something goes wrong the root cause is hard to find quickly; deployment cost keeps rising; no ability to identify and control traffic by volume; no way to stop threats and attacks brought in by internal mobile devices; other devices are needed to cover security requirements; wireless is a shared medium, so raising transmission efficiency is the focus of next-generation wireless deployments; controller scalability and maintenance cost are another consideration; traditional wireless vendors can no longer meet the demands placed on security features
Building a highly secure wireless solution: Wireless Access Points; Infrastructure Security with Integrated Wireless Controller; Secure Wireless Space
Complete wireless network security: multi-layer threat filtering and application-layer program control (Advanced Network-Based Security); device-type-based policy management with user and device authentication; high-performance wireless transmission (High-Performance Wireless Networking)
Smart channel management (DARRP, Distributed Automatic Radio Resource Provisioning): DARRP lets each FortiAP automatically search for the best channel so that every connected user gets the best connection quality. It reduces controller load, greatly reduces interference between APs, runs a channel test and evaluation every five minutes, and moves clients automatically to the new channel; it is compatible with all client software and hardware, makes full use of the available spectrum, offers a simple interface to separate neighbouring APs and avoid interference sources, and is compatible with 802.11n 40 MHz channels
Auto TX Power Control: with automatic power adjustment, each AP adapts its transmit power to its environment, within configurable upper and lower thresholds; this improves AP coverage and transmission efficiency
Secure guest access: a login page (captive portal) provides sign-in for guests or temporary staff; supports multiple authentication sources: AD / LDAP / RADIUS / TACACS+ / Guest / Guest Password
Fast Roaming between areas (diagram: AP1, AP2, AP3, AP4)
Application control: Bandwidth Control uses Layer-7 inspection; ensures business-critical applications are prioritized; ensures bandwidth allocation is fair; critical for optimization of WAN links. Fortinet Application Control Sensors: over 3,000 apps identified, 16 categories; advanced IM & P2P control. (Diagram: Application Control, Traffic Shaping and SSL Content Inspection on the FortiGate between FortiAP clients #1 and #2 and the Internet, with priority and non-priority apps)
Rogue AP detection and suppression (diagram): FortiAP-220B/221B with Radio 1 doing air monitoring on 2.4 GHz & 5 GHz and Radio 2 serving clients; a rogue AP and rogue client are detected and de-authentication frames sent, while the valid client is unaffected; PCI reports generated by FortiAnalyzer; file server and Ethernet switch on the wired side
BYOD device identification and policy: identification of device, user and application; policy enforcement on device/user/app
Thin AP architecture: CAPWAP (Control And Provisioning of Wireless Access Points, RFC 5415, March 2009) is a standard, interoperable protocol that enables a controller to manage a collection of wireless access points, and uses UDP ports 5246 and 5247. The thin AP tunnels all traffic to the FortiGate controller for added security and ease of management (diagram: floor wiring closet -> CAPWAP aggregation -> data center FortiGate controller)
Remote AP with local bridging: bridges Wi-Fi traffic to the FortiAP Ethernet port; no U-turn to HQ to reach the local network; resiliency in case of WAN failure (diagram: headquarters, WAN, Internet)
Integrated captive portal for authentication: HTML-customizable captive portal; allows users to log in to the WLAN via a web browser; runs directly on the FortiGate, no additional licensing required; e-mail address for anonymous login; the address can be captured and logged; validates e-mail address authenticity; enables business intelligence and marketing opportunities
Live captive portal HTML customization
FortiAP product matrix (axes: single radio vs. dual radio; remote, outdoor, indoor). 3x3:3: FAP-320C, FAP-321C, FAP-222C, FAP-223C (all 802.11ac). 2x2:2: FAP-224D, FAP-221C (802.11ac), FAP-28C, FAP-25D, FAP-21D, FAP-24D. 1x1:1: FAP-14C, FAP-11C, FAP-112D, FAP-112B
FortiAP-221C specifications. Target environment: Indoor. Number of radios: 2 (dual concurrent radios, Radio 1 2.4/5 GHz and Radio 2 2.4 GHz). Ports: 1 x GE RJ45. Tx/Rx streams (802.11n): 2x2 MIMO with dual spatial streams, 1167 Mbps total. Antennas: 4 internal. Power supply: AC power supply, PoE 802.3af. Max transmission power: 17 dBm. Standards: 802.11 a/b/g/n/ac
Fortinet FortiGate 常見問題 January 2016
FAQ: my PC cannot connect to my FortiGate? Ans: confirm that the PC's IP can reach the FortiGate, and confirm that the HTTP, HTTPS, TELNET or SSH service is enabled on the FortiGate interface. My PC cannot reach the Internet? Ans: check that the FortiGate network settings are correct, that the PC's gateway IP is set to the FortiGate interface IP, and that a firewall policy is enabled
FAQ: my FortiGate cannot update antivirus signatures? Ans: the FortiGate must be registered on the vendor's US site before it can update signatures. How do I test that antivirus is working? Use the EICAR test file: http://www.eicar.org/anti_virus_test_file.htm
FAQ: how do I change the interface language? Ans: System -> Admin -> Settings -> View Settings -> select Language. How do I keep the firewall logs on another device? Ans: Log&Report -> Log Config -> Log Settings
FAQ: forgotten password? Ans: 1. Reboot and enter the CLI via the console (RS-232). 2. Within the first 14 seconds, log in as Login: maintainer, Password: bcpbfgxxxxxxxxx (bcpb followed by the device serial number). 3. Set a new administrator password:
# config system admin
(admin)# edit admin
(admin)# set password Pa$$w0rd
(admin)# end
FAQ: how do I know whether packets reach the device? Ans: use the troubleshooting tool, the sniffer: diag sniffer packet any "host 192.168.5.99" 4 listens on any interface for traffic involving IP 192.168.5.99. Seeing a reply means all is well: the ping is being answered
FAQ: how do I know whether packets reach the device? (continued) Ans: with the same command, diag sniffer packet any "host 192.168.5.99" 4, output that shows only requests means packets are entering the FortiGate but the ping gets no response; check whether PING is enabled on the interface or whether there is a routing problem
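The two sniffer outcomes above, as an added example (not from the training deck): a small Python parser that reads output in the layout of diag sniffer packet with verbosity 4 (timestamp, interface, direction, IP summary) and classifies what it shows for the pinged host. The sample outputs are constructed to match that layout; they were not captured from a real unit.

```python
"""Classify FortiGate sniffer output for an ICMP ping (added example, not from the deck)."""
import re

# Constructed samples in the layout of `diag sniffer packet any "host 192.168.5.99" 4`.
SNIFFER_REPLY_SEEN = """\
interfaces=[any]
filters=[host 192.168.5.99]
1.114221 port1 in 192.168.5.10 -> 192.168.5.99: icmp: echo request
1.114263 port1 out 192.168.5.99 -> 192.168.5.10: icmp: echo reply
2.115001 port1 in 192.168.5.10 -> 192.168.5.99: icmp: echo request
2.115044 port1 out 192.168.5.99 -> 192.168.5.10: icmp: echo reply
"""
SNIFFER_REQUEST_ONLY = """\
interfaces=[any]
filters=[host 192.168.5.99]
1.114221 port1 in 192.168.5.10 -> 192.168.5.99: icmp: echo request
2.115001 port1 in 192.168.5.10 -> 192.168.5.99: icmp: echo request
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$")


def parse_icmp(text):
    """Return one dict per ICMP echo line; the interfaces=/filters= header lines are ignored."""
    return [m.groupdict() for m in (PKT_RE.match(line) for line in text.splitlines()) if m]


def ping_status(text, host):
    """Map the sniffer output to the two FAQ cases (plus the case where nothing matched)."""
    pkts = parse_icmp(text)
    requests = [p for p in pkts if p["kind"] == "request" and p["dst"] == host]
    replies = [p for p in pkts if p["kind"] == "reply" and p["src"] == host]
    if replies:
        return "reply-seen"      # packets reach the unit and it answers: normal
    if requests:
        return "request-only"    # packets arrive but no answer: check PING access / routing
    return "no-traffic"          # nothing matched: the packets never reach the FortiGate


def request_interfaces(text, host):
    """Interfaces the echo requests for `host` arrived on (helps spot a wrong port or VLAN)."""
    return sorted({p["iface"] for p in parse_icmp(text)
                   if p["kind"] == "request" and p["dst"] == host})


if __name__ == "__main__":
    for label, sample in (("reply seen", SNIFFER_REPLY_SEEN), ("request only", SNIFFER_REQUEST_ONLY)):
        print(label, "->", ping_status(sample, "192.168.5.99"), request_interfaces(sample, "192.168.5.99"))
```

Paste a real capture in place of the constructed strings; a "no-traffic" result points upstream of the FortiGate (switching, VLAN, client gateway), while "request-only" points at the unit itself, as the FAQ says.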
FAQ: how do I check CPU usage? Ans: use the troubleshooting command diag sys top. Reading its output:
U: % of CPU used by user-space applications
S: % of CPU used by system processes
I: % of idle CPU
T: total FortiOS system memory in MB
F: free memory in MB
KF: total shared memory pages used
Process rows, e.g. "cli 96 R 0.9 0.7": cli is the process name, 96 the process ID, R the state the process is in (R running, S sleep, Z zombie, D disk sleep), 0.9 the amount of CPU and 0.7 the amount of memory the process is using
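To turn that legend into a repeatable health check, here is an added example (not from the training deck): a Python parser for output in the layout the legend describes (the U/S/I and T/F/KF summary line followed by process rows) that flags zombie processes and CPU hogs. The sample output and the process names in it are constructed, not captured from a real unit.

```python
"""Parse `diag sys top` style output and flag problems (added example, not from the deck)."""
import re

# Constructed sample in the layout described by the legend; not a real capture.
SYS_TOP_SAMPLE = """\
Run Time:  3 days, 4 hours and 7 minutes
0U, 1S, 99I; 1854T, 1253F, 183KF
           cli        96      R       0.9     0.7
        ipsengine    108      S       0.5     4.1
          httpsd     112      Z       0.0     0.3
        scanunitd    125      D      35.2     6.8
"""

SUMMARY_RE = re.compile(r"(?P<user>\d+)U, (?P<sys>\d+)S, (?P<idle>\d+)I; "
                        r"(?P<total_mb>\d+)T, (?P<free_mb>\d+)F, (?P<shared_kf>\d+)KF")
PROC_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[RSZD])\s+"
                     r"(?P<cpu>\d+(?:\.\d+)?)\s+(?P<mem>\d+(?:\.\d+)?)\s*$")
STATES = {"R": "running", "S": "sleep", "Z": "zombie", "D": "disk sleep"}


def parse_sys_top(text):
    """Return (summary dict, list of process dicts); lines that fit neither pattern are skipped."""
    summary, procs = None, []
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            summary = {k: int(v) for k, v in m.groupdict().items()}
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append({"name": m["name"], "pid": int(m["pid"]),
                          "state": STATES[m["state"]],
                          "cpu": float(m["cpu"]), "mem": float(m["mem"])})
    return summary, procs


def review(text, cpu_threshold=25.0):
    """Return (busy CPU %, free memory %, findings) for a quick look at a unit."""
    summary, procs = parse_sys_top(text)
    busy = summary["user"] + summary["sys"]
    free_pct = round(100 * summary["free_mb"] / summary["total_mb"], 1)
    findings = []
    for p in procs:
        if p["state"] == "zombie":
            findings.append(f"zombie process {p['name']} (pid {p['pid']})")
        if p["cpu"] >= cpu_threshold:
            findings.append(f"{p['name']} (pid {p['pid']}) using {p['cpu']}% CPU")
    return busy, free_pct, findings


if __name__ == "__main__":
    busy, free_pct, findings = review(SYS_TOP_SAMPLE)
    print(f"CPU busy {busy}%, memory free {free_pct}%")
    for f in findings:
        print(" -", f)
```

The threshold is an assumption for the example; pick one that matches the unit's normal baseline, and treat a persistent D (disk sleep) or Z state as worth a closer look even below the threshold.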
FAQ: the asymmetric route problem and its fix? This topology requires asymmetric routing to be enabled, which can only be done from the CLI:
config system settings
    set asymroute enable
end
FAQ: how do I use the debug commands?
FGT# diagnose debug enable
FGT# diagnose debug flow show console enable
FGT# diagnose debug flow show function-name enable
FGT# diagnose debug flow filter addr 192.168.1.77
FGT# diagnose debug flow filter port 8
FGT# diagnose debug flow trace start 20
Policy Deny (debug flow trace):
id=36871 trace_id=1 func=resolve_ip_tuple_fast line=3769 msg="vd-root received a packet(proto=1, 192.168.1.77:1->8.8.8.8:8) from internal."
  The first packet (192.168.1.77:1->8.8.8.8:8) enters the FortiGate from internal
id=36871 trace_id=1 func=resolve_ip_tuple line=3909 msg="allocate a new session-000066ca"
  The FortiGate recognises a new session
id=36871 trace_id=1 func=vf_ip4_route_input line=1591 msg="find a route: gw-10.0.101.254 via wan1"
  The FortiGate consults the routing table and finds a matching route
id=36871 trace_id=1 func=fw_forward_handler line=430 msg="denied by forward policy check"
  But no matching policy is found, so the packet is denied by policy
Policy Allow (debug flow trace):
id=36871 trace_id=131 func=resolve_ip_tuple_fast line=3769 msg="vd-root received a packet(proto=6, 192.168.1.77:56231->74.125.232.239:80) from internal."
  The first packet (192.168.1.77:56231->74.125.232.239:80) enters the FortiGate from internal
id=36871 trace_id=131 func=resolve_ip_tuple line=3909 msg="allocate a new session-0000b19b"
  The FortiGate recognises a new session
id=36871 trace_id=131 func=vf_ip4_route_input line=1591 msg="find a route: gw-10.0.101.254 via wan1"
  The FortiGate consults the routing table and finds a matching route
id=36871 trace_id=131 func=get_new_addr line=1948 msg="find SNAT: IP-10.0.101.135, port-19243"
  The FortiGate performs SNAT
id=36871 trace_id=131 func=fw_forward_handler line=545 msg="allowed by Policy-6: SNAT"
  The FortiGate consults the policy table and finds policy ID 6
id=36871 trace_id=131 func=ip_session_run_tuple line=2110 msg="snat 192.168.1.77->10.0.101.135:19243"
  Finally, IP 192.168.1.77 is translated to 10.0.101.135
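The two traces above are easy to read by hand; with the 20-packet trace the FAQ starts, or a longer one, it helps to reduce each trace_id to one record. The following Python parser is an added example (not from the training deck and not a Fortinet tool); it re-types the two traces from the FAQ with the closing quote restored on every msg field, groups lines by trace_id and extracts the packet tuple, session, route, SNAT and verdict.

```python
"""Summarise FortiOS `diagnose debug flow` traces by trace_id (added example, not from the deck)."""
import re

# The two traces from the FAQ above, re-typed with closing quotes on every msg field.
FLOW_TRACE = """\
id=36871 trace_id=1 func=resolve_ip_tuple_fast line=3769 msg="vd-root received a packet(proto=1, 192.168.1.77:1->8.8.8.8:8) from internal."
id=36871 trace_id=1 func=resolve_ip_tuple line=3909 msg="allocate a new session-000066ca"
id=36871 trace_id=1 func=vf_ip4_route_input line=1591 msg="find a route: gw-10.0.101.254 via wan1"
id=36871 trace_id=1 func=fw_forward_handler line=430 msg="denied by forward policy check"
id=36871 trace_id=131 func=resolve_ip_tuple_fast line=3769 msg="vd-root received a packet(proto=6, 192.168.1.77:56231->74.125.232.239:80) from internal."
id=36871 trace_id=131 func=resolve_ip_tuple line=3909 msg="allocate a new session-0000b19b"
id=36871 trace_id=131 func=vf_ip4_route_input line=1591 msg="find a route: gw-10.0.101.254 via wan1"
id=36871 trace_id=131 func=get_new_addr line=1948 msg="find SNAT: IP-10.0.101.135, port-19243"
id=36871 trace_id=131 func=fw_forward_handler line=545 msg="allowed by Policy-6: SNAT"
id=36871 trace_id=131 func=ip_session_run_tuple line=2110 msg="snat 192.168.1.77->10.0.101.135:19243"
"""

LINE_RE = re.compile(r'^id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) '
                     r'line=(?P<line>\d+) msg="(?P<msg>[^"]*)"?\s*$')
PKT_RE = re.compile(r"proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->"
                    r"(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>[^\s.]+)")
POLICY_RE = re.compile(r"allowed by Policy-(\d+)")


def summarize_flows(text):
    """Group trace lines by trace_id and reduce each group to one record with its verdict."""
    flows = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # tolerate prompt echoes and blank lines
        f = flows.setdefault(m["trace"], {"verdict": None, "policy": None, "route": None,
                                          "snat": None, "session": None})
        msg = m["msg"]
        if "received a packet" in msg:
            p = PKT_RE.search(msg)
            f.update(proto=int(p["proto"]), src=p["src"], sport=int(p["sport"]),
                     dst=p["dst"], dport=int(p["dport"]), iface=p["iface"])
        elif msg.startswith("allocate a new session"):
            f["session"] = msg.rsplit("-", 1)[1]
        elif msg.startswith("find a route"):
            f["route"] = msg.split(": ", 1)[1]
        elif msg.startswith("denied by"):
            f["verdict"] = "DENY"
        elif msg.startswith("allowed by"):
            f["verdict"] = "ACCEPT"
            pm = POLICY_RE.search(msg)
            f["policy"] = int(pm.group(1)) if pm else None
        elif msg.startswith("snat "):
            f["snat"] = msg[len("snat "):]
    return flows


def denied_flows(text):
    """(src, dst, dport) tuples that were denied: the list to compare against the policy table."""
    return [(f["src"], f["dst"], f["dport"])
            for f in summarize_flows(text).values() if f["verdict"] == "DENY"]


if __name__ == "__main__":
    for trace_id, f in summarize_flows(FLOW_TRACE).items():
        print(trace_id, f["verdict"], f.get("src"), "->", f.get("dst"), f.get("dport"),
              "policy", f["policy"], "route", f["route"], "snat", f["snat"])
```

A route found together with a DENY verdict (trace 1) is the signature of a missing or mis-ordered policy rather than a routing fault, which is the distinction the two traces are meant to teach.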
Fortinet reference sites, where Fortinet technical and configuration documentation is published: Product Information (www.fortinet.com); FortiOS Release Notes; Knowledge Center (kb.fortinet.com); Technical Forums (support.fortinet.com/forum); FortiDocs (docs.fortinet.com)