This is an old revision of the document!

Lab 5. Fortigate introduction

Setup

Story

After gaining some experience with Cisco FTD, our company decided to a firewall product from a different vendor: Fortinet, called FortiGate. It will be used firstly to create simple configs (like the ones did on lab3): create the qemu image path, create the node and deploy the machine, configure the interfaces and policy rules between interfaces.

Lab infra

The FortiOS version of our FortiGate machine (FGT) is 6.4.2. You can find qcow2 image located in your $HOME directory, called virtioa.qcow2 (this is based on [[https://www.eve-ng.net/index.php/documentation/qemu-image-namings/|this]] qemu images naming conventions). t0. ssh to the eve-ng machine (use user root and -X flag) - for win use putty or mobaxterm: user: root password: student <code> user@host:~# ssh -l root -X 10.3.0.A (where A is your 4th byte in ipv4 address) </code> t1. create the directory of the FGT image, using the format **fortinet-FGT-vX-buildABCD** (where X is the max version, in our case 6 and ABCD is the fortios build, in our case 1723): <code> root@SRED:~# cdq root@SRED:/opt/unetlab/addons/qemu# mkdir fortinet-FGT-v6-build1723 </code> t2. move the qcow2 image (found in your home dir) to this path <code> root@SRED:~# mv virtioa.qcow2 /opt/unetlab/addons/qemu/fortinet-FGT-v6-build1723 </code> t3. solve the permissions: <code> root@SRED:~# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions </code> t4. go to eve-ng webui from your browser (http://10.3.0.A) and create a new lab by closing the old one (left > expand > close lab), create a new one (add new lab + add name lab5) and open it. Create a new node for the FGT: Right click > Add new object Node > Search for 'Fortinet FortiGate' (if you cannot find it, go back to steps t1,t2 and t3) > select the required image name (it is based on the folder name): {{:sred:fgt_node2.png?400|}} See the configuration (based on [[https://help.fortinet.com/fmgr/vm-install/60/Content/Document/200_Licenses/400_Minimum%20HW%20Required.htm|these]] hardware requirements): - ram 2 GB - 1 vCPUs (for more than 1 vCPU, the trial license will not be accepted, so stick to only 1) - 4 ethernet interfaces **Q**: why do we need 4 ethernet interfaces? On FGT machines, interfaces are named portX, where X is a digit from 1+ (in our case port1->4): - the first interface, called port1 (you can name it outside - see below how), is the management one and also used for Internet access (remember **outside interface** - G0/0 on FTD). It has by default a static route to 0.0.0.0/0 via def gw of ESX vswitch: <code> FGT81 # get router info routing-table details Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default Routing table for VRF=0 S* 0.0.0.0/0 [5/0] via 10.3.255.254, port1 C 10.3.0.0/16 is directly connected, port1 </code> - the next interfaces are used as traffic ports. In this lab we are going to use only the first 2 for internal clients (inside1 and inside2) and the third one will be kept for the next ones (maybe for an attacker). t5. As the traffic is forwarded to Internet via the mgmt interface (port1), we are going to need only 1 Network Cloud Node. Create a new network (Right click > Network) and select type Management(Cloud0). Attach a wire from this Cloud to FGT (select the first interface - port1=). Using this, it will take an ip address from the ESX vswitch (via dhcp). <note important> Regarding the license, we will use for now the 15-days eval one: see [[https://docs.fortinet.com/vm/kvm/fortigate/6.4/kvm-cookbook/6.4.0/504166/fortigate-vm-evaluation-license|here]] more. </note> t6. Save forti node and create 2 new ones for Linux devices: - 1 node with Linux image linux-ubuntu-18.04-client1_machine (keep default config - 1 eth intf also) with name **client1**. Connect it to interface port2 on FGT - 1 node with Linux image linux-ubuntu-18.04-client2_machine (keep also default config - 1 eth intf also) with name **client2**. Connect it to interface port3 on FGT To create links node - node, simply hover over the node until you see the plug logo and drag it to the correspondent node/network. Create the topology as seen below: {{:sred:lab5_topology.png?500|}} t7. Start all nodes (go to left > expand > More Actions > Start all nodes). Access firstly the FGT machine from vnc/rdp and wait for it to boot (this will take 1,2 minutes). t8. enter default credentials: user: admin; password: null (press enter) You will need to change the default password after the first login (use password: **student**). <note important> Regarding the MAC addresses: you must change the default one to a custom go to cli of forti: <code> # config sys int # edit <interface> # set macaddr <MAC address> - use here the format: 50:00:00:byte_2_eveng_ip:byte3_eveng_ip:byte4_eveng_ip # end # exec router restart </code> </note> t9. from cli, find the interface ip address: <code> FGT81 # show system interface ? # you will see here all ports configuration here, including port1, which needs to be in subnet 10.3.0.0/16. # And based on different MAC addresses assigned, your ip must be unique </code> t10. for port1, there are by default multiple administrative services are activated (like ping, http, snmp etc.) Access from your browser the WEBUI of FGT: http://PORT1_IP. It should be available instantly. t11. Do the webui setup: - for the hostname, you can use the following format: **FGTlast_byte_eve_ng_address** (for example: for student-1 is FGT45) - select for dashbord Optimal (the newest dashboard available). The second option can be used by users that were used to the old version of WEBUI (this can interchanged anytime from the menu). From the cli (you can access also from webui), check the network connection: <code> FGT81 # execute ping google.com PING google.com (142.250.74.206): 56 data bytes 64 bytes from 142.250.74.206: icmp_seq=0 ttl=116 time=29.5 ms 64 bytes from 142.250.74.206: icmp_seq=1 ttl=116 time=29.3 ms ^C </code> t12. Configure the rest of 2 interfaces (port2 and port3): - for port2 use network 172.16.0.0/24 with .1 ip for forti - for port3 use network 192.168.0.0/24 with .1 ip for forti For each interface, configure also DHCP servers with range .2 - .254, with default gw the same interface, DNS server the same and activate ping for admin access. <note important> After doing any config, you are not required to deploy/commit anything. Only configure and check. </note> t13. Go to Linux clients via vnc/rdp, authenticate using credentials eve/eve and obtain the ip address for eth0: <code> user@host:~# sudo dhclient eth0 </code> Check the ping to def gw. t14. As expected, clients cannot access anything from Internet, due to default firewall policy: Implicit Deny (which is like 'deny any any' from acls). You can enable logging for this rule and try to ping google.com from client1. You will see on log & report > forward traffic, that this will drio anything (with Deny: policy violation). We need to create for each interface, a rule for letting any traffic outside: - inside1 <-> outside (any source and any destination, any service) with action ACCEPT - inside2 <-> outside (any source and any destination, any service) with action ACCEPT Try again to access from browser from each client, an Internet resource. ==== Exercises ==== === e1. [8p] Full setup === Go through all steps t1→ t14 from tutorial and make sure both clients have internet access. === e2. [1p] Filter ping === Filter for client1 the ping to any destination. The rest of traffic (dns, http, smtp) should not be affected. === e3. [1p] Filter web === We want for client2 to filter access to facebook.com. Configure a web filter object with static URL filter and create a new security rule for filtering traffic to that website (using also the security profile). <note important> Discussion regarding website blocking: 1. If you configure on Web Filter the URL **www.facebook.com** (exact match or regex), all traffic to www.facebook.com will be blocked, but traffic to facebook.com won't as no exact match is seen. Example: <code> user@host:~/$ curl -I www.facebook.com HTTP/1.1 403 Forbidden </code> The client will send get req:

GET / HTTP/1.1

Host: www.facebook.com […]

which will match the one configured on web filter.

Let's try now to send a req to facebook.com:

eve@ubuntu:~/$ curl -I facebook.com
HTTP/1.1 301 Moved Permanently
[...]

See that now we are receiving a 301 code with the https link (http-https redirection) - which means web filtering is no longer done.

This is the main reason why you should configure url for web filter with subdomain.subdomain.domain.tld, without www.

2. See that for http traffic we are receiving a 'Replacement Message' with a html page from the firewall.

But, when the traffic is via https explicitly sent by client, this page cannot be seen anymore:

eve@ubuntu:~/$ curl -I https://facebook.com
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to facebook.com:443

The reason for this is that traffic is dropped on tls handshake, on Client Hello message (based on extension server_name):

</note>

Remote setup

Local setup

SRED project 2023

Cookbooks:

Courses

See them on course page

Lectures

Labs

Support

Useful resources

Lab 5. Fortigate introduction
- Setup
  - - Story
    - Lab infra

sred/lab5.1607126052.txt.gz · Last modified: 2020/12/05 01:54 by horia.stoenescu

Old revisions

Media Manager Back to top