Hands-on Experience with Fortinet Firewalls

Module-I

After completing these courses, you will be able to:

Describe capabilities of FortiGate UTM
Neutralize threats / misuse: viruses, torrents, and inappropriate web sites
Control network access based on device type
Authenticate users via firewall policies
Offer an SSL VPN for secure access to your private network
Establish an IPsec VPN tunnel between two FortiGate appliances
Compare policy- vs. tunnel-based IPsec VPN
Apply port forwarding, source NAT, and destination NAT
Interpret log entries
Generate reports
Use the GUI and CLI for administration
Deploy the right operation mode
Deploy an explicit proxy with firewall policies, authentication, and caching
Simplify protocol handling with application control

Module-II

After completing these modules, you will be able to:

Deploy FortiGate devices as an HA cluster for fault-tolerance & high performance
Inspect traffic transparently, forwarding as a Layer 2 device
Manage the FortiGate routing table
Route packets using policy-based and static routes for multi-path and load-balance deployments
Connect virtual domains (VDOMs) without packets leaving FortiGate
Implement a meshed / partially redundant VPN
Diagnose failed IKE exchanges
Fight hacking & denial of service (DoS)
Diagnose IPS engine performance issues
Offer Fortinet Single Sign On (FSSO) access to network services, integrated with Microsoft Active Directory
Inspect SSL/TLS-secured traffic so that encryption cannot be used to bypass security policies
Understand encryption functions and certificates
Defend against data leaks by identifying files with sensitive data, and blocking them from leaving your private network
Diagnose and correct common problems
Optimize performance by configuring FortiGate to leverage ASIC acceleration chips (CP or NP) instead of only the CPU
Implement IPv6 and hybrid IPv4-IPv6 networks

Module-III

After completing this course, you will be able to:

Monitor traffic passing through FortiGate
Optimize FortiGate memory usage
Diagnose using FortiGate tools such as the built-in sniffer and "diagnose debug flow" command
Monitor statistics for user traffic, traffic shaping, user authentication, IPsec, web proxy, BGP, OSPF and HA
Troubleshoot issues with conserve mode, high CPU, firewall policies, session helpers, user authentication, IPsec, FortiGuard, UTM inspection, explicit web proxy, routing, and HA
Describe the processing flow of FortiGate packet inspection
Configure FortiGate for external BGP and OSPF

Cisco Firewall - PIX

Configure and troubleshoot the PIX Firewall


PIX
Building configuration... 
: Saved 

PIX Version 6.3(3) 
nameif gb-ethernet0 outside security0 
nameif gb-ethernet1 inside security100 
nameif ethernet0 intf2 security10 
nameif ethernet1 intf3 security15 
enable password 8Ry2YjIyt7RRXU24 encrypted 
passwd 2KFQnbNIdI.2KYOU encrypted 
hostname pixfirewall 


!--- Output Suppressed

!--- Create an access list to allow pings out
!--- and return packets back in.

access-list 100 permit icmp any any echo-reply  
access-list 100 permit icmp any any time-exceeded  
access-list 100 permit icmp any any unreachable  

!--- Allows anyone on the Internet to connect to
!--- the web, mail, and FTP servers.

access-list 100 permit tcp any host 10.1.1.3 eq www  
access-list 100 permit tcp any host 10.1.1.4 eq smtp  
access-list 100 permit tcp any host 10.1.1.5 eq ftp 
pager lines 24 

 !--- Enable logging. 

logging on 
no logging timestamp 
no logging standby 
no logging console 
no logging monitor 

!--- Enable error and more severe syslog messages
!--- to be saved to the local buffer.

logging buffered errors 

!--- Send notification and more severe syslog messages
!--- to the syslog server.

logging trap notifications 
no logging history 
logging facility 20 
logging queue 512 

!--- Send syslog messages to a syslog server
!--- on the inside interface.

logging host inside 192.168.1.220 

 !--- All interfaces are shutdown by default. 

interface gb-ethernet0 1000auto 
interface gb-ethernet1 1000auto 
interface ethernet0 auto shutdown 
interface ethernet1 auto shutdown 
mtu outside 1500 
mtu inside 1500 
mtu intf2 1500 
mtu intf3 1500 
ip address outside 10.1.1.2 255.255.255.0 
ip address inside 192.168.1.1 255.255.255.0 
ip address intf2 127.0.0.1 255.255.255.255 
ip address intf3 127.0.0.1 255.255.255.255 
ip audit info action alarm 
ip audit attack action alarm 
no failover 
failover timeout 0:00:00 
failover poll 15 
failover ip address outside 0.0.0.0 
failover ip address inside 0.0.0.0 
failover ip address intf2 0.0.0.0 
failover ip address intf3 0.0.0.0 
arp timeout 14400 

!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.

global (outside) 1 10.1.1.15-10.1.1.253 

!--- Define a Port Address Translation (PAT) address that
!--- is used once the NAT pool is exhausted.

global (outside) 1 10.1.1.254 

!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified previously.

nat (inside) 1 0.0.0.0 0.0.0.0 0 0 

!--- Define a static translation for the internal
!--- web server to be accessible from the Internet.

static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255 0 0

!--- Define a static translation for the internal
!--- mail server to be accessible from the Internet.

static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255 0 0

!--- Define a static translation for the internal
!--- FTP server to be accessible from the Internet.

static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255 0 0

 !--- Apply access list 100 to the outside interface.

access-group 100 in interface outside 

 !--- Define a default route to the ISP router.

route outside 0.0.0.0 0.0.0.0 10.1.1.1 1 


!--- Output Suppressed

!--- Allow the host 192.168.1.254 to be able to
!--- Telnet to the inside of the PIX.

telnet 192.168.1.254 255.255.255.255 inside 
: end 
[OK] 


!--- Output Suppressed

Configuring PIX/ASA 7.x and later

PIX/ASA
pixfirewall# sh run
: Saved
:
PIX Version 8.0(2)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!


!--- Output Suppressed

!--- Create an access list to allow pings out
!--- and return packets back in.

access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable

!--- Allows anyone on the Internet to connect to
!--- the web, mail, and FTP servers.

access-list 100 extended permit tcp any host 10.1.1.3 eq www
access-list 100 extended permit tcp any host 10.1.1.4 eq smtp
access-list 100 extended permit tcp any host 10.1.1.5 eq ftp
pager lines 24


!--- Enable logging.

logging enable

!--- Enable error and more severe syslog messages
!--- to be saved to the local buffer.

logging buffered errors

!--- Send notification and more severe syslog messages
!--- to the syslog server.

logging trap notifications

!--- Send syslog messages to a syslog server
!--- on the inside interface.

logging host inside 192.168.1.220

mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

!--- Define a Network Address Translation (NAT) pool that
!--- internal hosts use when going out to the Internet.

global (outside) 1 10.1.1.15-10.1.1.253

!--- Define a Port Address Translation (PAT) address that
!--- is used once the NAT pool is exhausted.

global (outside) 1 10.1.1.254

!--- Allow all internal hosts to use
!--- the NAT or PAT addresses specified previously.

nat (inside) 1 0.0.0.0 0.0.0.0

!--- Define a static translation for the internal
!--- web server to be accessible from the Internet.

static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255

!--- Define a static translation for the internal
!--- mail server to be accessible from the Internet.

static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255

!--- Define a static translation for the internal
!--- FTP server to be accessible from the Internet.

static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255

!--- Apply access list 100 to the outside interface.

access-group 100 in interface outside

!--- Define a default route to the ISP router.

route outside 0.0.0.0 0.0.0.0 10.1.1.1 1


!--- Output Suppressed

!--- Allow the host 192.168.1.254 to be able to
!--- Telnet to the inside of the PIX.

telnet 192.168.1.254 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
: end
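Both configurations above expose the same three servers through static translations and apply the same access list 100 inbound on the outside interface. The Python script below is an added example, not part of the original page and not a Cisco tool: it parses the page's access-list and static lines (accepting both the 6.3 syntax and the 7.x/8.x "extended" syntax), then simulates the inbound decision for a few constructed packets. It shows that only ICMP replies and the three published services get through, and that the access list is matched against the global (translated) address, as it was on PIX/ASA releases before 8.3. The Packet type, the sample source address 203.0.113.9 and the evaluation functions are my own constructions; the ACL and static lines are copied from the 8.0(2) configuration.

```python
"""Simulate the inbound access-list and static-translation decision of the
PIX configuration on this page (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port and ICMP-type keywords used by the page's access list.
PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass
class Ace:
    """One access-control entry; None means 'any' for the optional fields."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Packet:
    """A packet arriving on the outside interface (constructed test input)."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list' line in either 6.3 or 7.x+ ('extended') syntax."""
    tokens = line.split()
    i = 2                                  # skip 'access-list <id>'
    if tokens[i] == "extended":            # keyword present from 7.x on
        i += 1
    action, proto = tokens[i], tokens[i + 1]
    src, i = _parse_addr(tokens, i + 2)
    dst, i = _parse_addr(tokens, i)
    dport = icmp_type = None
    if i < len(tokens):
        if proto == "icmp":
            icmp_type = ICMP_TYPES[tokens[i]]
        elif tokens[i] == "eq":
            port = tokens[i + 1]
            dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return Ace(action, proto, src, dst, dport, icmp_type)


def parse_static(line: str) -> Tuple[str, str]:
    """'static (inside,outside) <global> <inside> ...' -> (global, inside)."""
    tokens = line.split()
    return tokens[2], tokens[3]


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every access list ends in an implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action
    return "deny"


def inbound_decision(acl: List[Ace], statics: Dict[str, str],
                     pkt: Packet) -> Tuple[str, Optional[str]]:
    """Decision for a packet entering 'outside' with access-group 100 applied.
    Before ASA 8.3 the inbound list matches the global address, so the list is
    checked first and the static translation applied afterwards. The second
    element is the inside address reached through a static, or None (then the
    packet only gets in by matching an xlate created by outbound traffic)."""
    if evaluate(acl, pkt) != "permit":
        return "deny", None
    return "permit", statics.get(pkt.dst)


# Lines copied from the page's 8.0(2) configuration.
ACL_100 = [parse_ace(line) for line in [
    "access-list 100 extended permit icmp any any echo-reply",
    "access-list 100 extended permit icmp any any time-exceeded",
    "access-list 100 extended permit icmp any any unreachable",
    "access-list 100 extended permit tcp any host 10.1.1.3 eq www",
    "access-list 100 extended permit tcp any host 10.1.1.4 eq smtp",
    "access-list 100 extended permit tcp any host 10.1.1.5 eq ftp",
]]
STATICS = dict(parse_static(line) for line in [
    "static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255",
    "static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255",
    "static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255",
])

# Constructed sample traffic from an Internet host (203.0.113.9 is documentation space).
SAMPLE_PACKETS = [
    Packet("icmp", "203.0.113.9", "10.1.1.20", icmp_type=0),   # reply to an outbound ping
    Packet("icmp", "203.0.113.9", "10.1.1.3", icmp_type=8),    # unsolicited echo request
    Packet("tcp", "203.0.113.9", "10.1.1.3", dport=80),        # published web server
    Packet("tcp", "203.0.113.9", "10.1.1.3", dport=443),       # port not published
    Packet("tcp", "203.0.113.9", "192.168.1.4", dport=80),     # inside address, not global
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", inbound_decision(ACL_100, STATICS, pkt))
```

Running the script prints one decision per sample packet. The last packet is the check worth remembering when reading pre-8.3 configurations: an entry written against the inside address 192.168.1.4 would never match inbound traffic, because the list is evaluated before the static translation rewrites the destination.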

Featured Workshops

  • FORTINET Firewall
  • Cisco 4506 Core Switch
  • Cisco Express Call Manager
  • Cisco 4400 WLAN
  • Juniper VPN
  • Cisco Catalyst 3560
  • Cisco WAN Optimizer
  • PIX 525 Firewall
  • Cisco 2900 Router
  • Linksys Office Connect