Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of Fortinet. All other product or company names may be trademarks of their respective owners. Copyright © 2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice. No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
Introduction
Materials
  System Requirements
  Linux
  Local-FortiGate
  Local-Windows
  FortiManager
  FortiAnalyzer
  Remote-FortiGate
  Remote-Windows
Testing
Introduction
This guide explains how to configure the lab for the following Fortinet training courses:
FortiGate I 5.4.1 (NSE4 preparation)
FortiGate II 5.4.1 (NSE4 preparation)
In this environment, the FortiManager is acting as a local FortiGuard server. It validates the FortiGate
licenses and replies to FortiGuard Web Filtering rating requests from FortiGate VMs. The
FortiManager is configured in closed network mode, providing FortiGuard services to local FortiGate
VMs, without requiring Internet access.
To administer this lab as designed, you will:
1. Load, configure, and test the VM images required for this lab.
2. Save a VMware snapshot of the VM images.
3. Each time there is a class, deploy a copy of all VMs for each student.
Materials
To build the virtual lab required for this class, you must purchase or download:
1 VMware workstation installation per student
For hardware system requirements, see System Requirements.
2 FortiGate VM licenses
1 FortiAnalyzer VM license (registered with the IP address 10.0.1.210)
1 FortiManager VM license (registered with the IP address 10.0.1.241)
4 FortiCare contracts (one for each VM)
1 FortiGuard Web Filtering and IPS contract, bound to the first FortiGate VM
Note: One of the FortiGate VMs requires a valid FortiGuard Web Filtering and IPS
contract. This license will be installed on the Local-FortiGate. The other VMs do not
require a FortiGuard service contract.
System Requirements
Each workstation running VMware Workstation requires:
1 Ethernet interface
8 GB RAM
300 GB storage (hard disk, SAN, etc.)
Network Topology
The topology diagram shows the following VMs, interfaces, and addresses:
Local-Windows: 10.0.1.10
FortiManager: port1 10.0.1.241, port2 10.200.1.241
FortiAnalyzer: port1 10.0.1.210, port3 10.200.1.210
Local-FortiGate: port1 10.200.1.1/24, port2 10.200.2.1/24, port3 10.0.1.254/24
Linux: eth0 (management), eth1 10.200.1.254, eth2 10.200.2.254, eth3 10.200.3.254, eth4 10.200.4.254
Remote-FortiGate: port4 10.200.3.1/24, port5 10.200.4.1/24, port6 10.0.2.254/24
Remote-Windows: 10.0.2.10
Click Add as many times as needed to create the six LAN segments:
Network adapter   LAN segment
1                 1
2                 2
3                 3
4                 4
5                 5
6                 6
7                 3
1                 3
2                 1
2                 3
4                 1
This actually maps FortiAnalyzer port1 to LAN3, as VMware port2 corresponds to FortiAnalyzer port1. It also maps port3 to LAN1, as VMware port4 corresponds to FortiAnalyzer port3.
For the Linux VM, map these network adapters:
Network adapter   Connection
1                 VMnet0
2                 LAN 1
3                 LAN 2
4                 LAN 4
5                 LAN 5
Linux
Configure networking
1. From the network configuration tools, configure the interface IP addressing.
eth0 = LAN0 = Management network
eth1 = LAN1 = 10.200.1.254/24
eth2 = LAN2 = 10.200.2.254/24
eth3 = LAN4 = 10.200.3.254/24
eth4 = LAN5 = 10.200.4.254/24
2. Activate the network adaptors.
3. Enable routing and add iptables NAT policy:
sysctl -p /etc/sysctl.conf
5. Clear the existing iptables rules:
iptables -F
iptables -t nat -F
6. Add a single NAT rule to NAT all outgoing packets with the address obtained by DHCP on eth0, then list the nat table to verify it:
iptables -t nat -L
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysconfig/network-scripts/ifcfg-eth1
/etc/sysconfig/network-scripts/ifcfg-eth2
/etc/sysconfig/network-scripts/ifcfg-eth3
/etc/sysconfig/network-scripts/ifcfg-eth4
In each of these files, find a line that says HWADDR=mac-address-here and delete the whole
HWADDR line.
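The routing, NAT, and ifcfg steps above, collected into one script as an added example (it is not part of the Fortinet guide). It assumes, as the guide states, that eth0 is the DHCP uplink, so it uses MASQUERADE rather than SNAT to a fixed address; it also assumes net.ipv4.ip_forward = 1 is already present in /etc/sysctl.conf, since the guide only shows the sysctl -p that re-reads it. Removing the HWADDR lines keeps the adapters coming up after the VM is cloned for each student and its MAC addresses change. With DRY_RUN=1 the privileged commands are printed instead of executed, so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the Fortinet guide): prepare the Linux VM as the
# lab's NAT gateway. Assumptions: eth0 is the DHCP uplink, the other
# interfaces carry the 10.200.x.254 addresses from the guide, and
# net.ipv4.ip_forward = 1 is already present in /etc/sysctl.conf.
# DRY_RUN=1 prints each privileged command instead of executing it.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Guide step 3: enable IPv4 forwarding now and re-read /etc/sysctl.conf.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -p /etc/sysctl.conf
}

# Guide steps 5 and 6: flush the filter and nat tables, masquerade every
# packet leaving through the uplink (argument 1, default eth0), then list
# the nat table so the result can be checked.
nat_rules() {
    wan="${1:-eth0}"
    run iptables -F
    run iptables -t nat -F
    run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
    run iptables -t nat -L -n -v
}

# ifcfg clean-up: drop HWADDR= lines from every ifcfg-eth* file in the
# directory (argument 1, default /etc/sysconfig/network-scripts) so that a
# cloned VM with new MAC addresses still brings its interfaces up.
strip_hwaddr() {
    dir="${1:-/etc/sysconfig/network-scripts}"
    for f in "$dir"/ifcfg-eth*; do
        [ -f "$f" ] || continue
        grep -v '^HWADDR=' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Apply all three steps when invoked as:  sh lab-gateway.sh --apply
if [ "${1:-}" = "--apply" ]; then
    enable_forwarding
    nat_rules eth0
    strip_hwaddr
fi
```

Run it as root on the Linux VM with --apply; running it first with DRY_RUN=1 shows exactly which sysctl and iptables commands will be issued.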
touch /var/ftp/pub/test.text
setenforce 0
2. Edit the file:
/etc/selinux/config
and change the SELINUX setting to disabled:
SELINUX=disabled
3. Create two VSFTPd configuration files based on the default one:
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd-222.conf
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd-21.conf
rm /etc/vsftpd/vsftpd.conf
5. Edit the configuration file vsftpd-222.conf and add the following lines at the end of the file:
port_enable=YES
port_promiscuous=YES
pasv_enable=NO
listen_port=222
listen_address=10.200.3.254
6. Edit the configuration file vsftpd-21.conf and add the following line at the end of the file:
listen_address=10.200.1.254
7. Restart the FTP server:
Configure Syslog
1. The syslog package should already be installed. Enable remote logging on the service:
local6.* /var/log/fortinet
3. Restart syslog:
Configuring email
1. Enter the following commands:
chkconfig dovecot on
5. Edit the /etc/postfix/main.cf file using vi.
Uncomment:
mydomain = domain.tld
and replace domain.tld with the domain training.lab:
mydomain = training.lab
Uncomment:
myorigin = $mydomain
Uncomment:
myhostname = host.domain.tld
and replace host.domain.tld with the hostname linux.training.lab:
myhostname = linux.training.lab
Uncomment:
mynetworks = 168.100.189.0/28
and replace 168.100.189.0/28 with 10.0.0.0/8, 127.0.0.0/8
inet_interfaces = all
Comment:
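The main.cf edits above, applied by a small shell helper as an added example (it is not from the Fortinet guide). The helper deletes every active or commented-out definition of a parameter and appends the new value once, so it is repeatable and never leaves two competing myorigin lines (the stock main.cf ships several commented examples of it). The file path is a parameter so the edit can be tried on a copy first. mynetworks is the set of client networks Postfix relays mail for without authentication; the guide's 10.0.0.0/8 covers every lab segment, which is why the helper prints the resulting value.

```shell
#!/bin/sh
# Added example (not from the Fortinet guide): apply the "Configuring email"
# main.cf edits in a repeatable way. FILE defaults to /etc/postfix/main.cf;
# pass another path to work on a copy.

# set_param FILE KEY VALUE: remove every definition of KEY, active or
# commented out, then append "KEY = VALUE" once.
set_param() {
    file="$1"; key="$2"; val="$3"
    sed "/^#*[[:space:]]*${key}[[:space:]]*=/d" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    printf '%s = %s\n' "$key" "$val" >> "$file"
}

# get_param FILE KEY: print the effective (last, uncommented) value of KEY.
get_param() {
    sed -n "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# The values from the guide: local domain, origin, hostname, the networks
# allowed to relay without authentication, and listening on all interfaces.
configure_postfix() {
    f="${1:-/etc/postfix/main.cf}"
    set_param "$f" mydomain training.lab
    set_param "$f" myorigin '$mydomain'
    set_param "$f" myhostname linux.training.lab
    set_param "$f" mynetworks '10.0.0.0/8, 127.0.0.0/8'
    set_param "$f" inet_interfaces all
}

# Usage on the Linux VM (as root):  sh postfix-lab.sh --apply && postfix reload
if [ "${1:-}" = "--apply" ]; then
    configure_postfix
    echo "relay allowed from: $(get_param /etc/postfix/main.cf mynetworks)"
fi
```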
Configuring OpenSSL
1. From the /root directory:
mkdir ssl
cd ssl
mkdir certs
mkdir newcerts
mkdir requests
mkdir keys
touch index.txt
touch serial
cp /etc/pki/tls/openssl.cnf
dir = /root/ssl,
search for the [ v3_ca ] section and uncomment:
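The CA working directory above, built by a helper as an added example (it is not from the Fortinet guide). Paths are parameters so it can be tried in a scratch directory; the defaults are the guide's /root/ssl and /etc/pki/tls/openssl.cnf, and the copy of openssl.cnf is written into the new directory (the guide does not show where it places its copy, so that location is an assumption). One caveat the guide's touch serial does not cover: openssl ca refuses an empty serial file, so the helper seeds it with 01 when it is empty.

```shell
#!/bin/sh
# Added example (not from the Fortinet guide): create the CA directory layout
# from the "Configuring OpenSSL" steps and point a copy of openssl.cnf at it.
# Defaults match the guide; both paths can be overridden for a dry run.

# init_ca_dir BASE: the subdirectories, the empty index.txt database, and a
# serial file with a starting number ("touch serial" leaves it empty and
# "openssl ca" then fails with "unable to load number from serial").
init_ca_dir() {
    base="${1:-/root/ssl}"
    for sub in certs newcerts requests keys; do
        mkdir -p "$base/$sub"
    done
    : > "$base/index.txt"
    [ -s "$base/serial" ] || echo 01 > "$base/serial"
}

# point_cnf_at_dir CNF BASE: rewrite the first "dir =" line (the one in
# [ CA_default ]) so that the CA database lives under BASE.
point_cnf_at_dir() {
    cnf="$1"; base="$2"
    awk -v base="$base" '
        /^[[:space:]]*dir[[:space:]]*=/ && !seen { print "dir = " base; seen = 1; next }
        { print }
    ' "$cnf" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf"
}

# setup_lab_ca [BASE] [TEMPLATE]: the whole step; the copied configuration is
# placed at BASE/openssl.cnf (assumption: the guide does not name the copy).
setup_lab_ca() {
    base="${1:-/root/ssl}"
    template="${2:-/etc/pki/tls/openssl.cnf}"
    init_ca_dir "$base"
    cp "$template" "$base/openssl.cnf"
    point_cnf_at_dir "$base/openssl.cnf" "$base"
}

# Usage on the Linux VM (as root):  sh lab-ca.sh --apply
if [ "${1:-}" = "--apply" ]; then
    setup_lab_ca
fi
```

Later openssl ca invocations then use -config /root/ssl/openssl.cnf, and index.txt plus serial track every certificate the lab CA issues.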
Configure accounts
1. Open a terminal and type:
system-config-users
2. In the User Manager dialog box, click Add User and add the following accounts:
User Password
admin fortinet1
student fortinet1
FortiGate fortinet1
<html>
<head>
</head>
<body>
</body>
</html>
6. Click Save.
7. Click Close.
8. Still in /var/www/html, right-click and select Create Document > Empty File.
9. Name it fileupload.html.
10. Right-click and click Open with "Text Editor".
11. Copy and paste the html syntax as below:
<html>
<head>
</head>
<body>
<h4>File Upload</h4>
</form>
<h4>Text Input</h4>
</form>
</font>
</body>
</html>
12. Click Save.
13. Click Close.
Local-FortiGate
1. Start the Local-FortiGate VM and open the VM console.
2. Enter:
exec formatlogdisk
This formats the virtual disk, which is required to store data such as local reports or logs. The
device will reboot after the format is complete.
3. Enter this configuration to configure the network interfaces:
edit port1
next
edit port3
next
end
edit 1
next
end
edit 1
next
end
Local-Windows
The Local-Windows VM is used as the student's network management computer in the lab. Students
will initiate most client network connections from it, and administer Fortinet VMs.
7. On the Server Roles screen, select Active Directory Domain Services, DNS Server, and Web
Server (IIS). Add all the features for those three roles.
8. Click Next.
9. Click Next until you get the Confirmation screen.
10. Click Install. Wait until the installation finishes.
11. From the Server Manager, click the flag icon with the exclamation point and select Promote this
server to a domain controller:
7. Type Training! as the password. Disable User must change password at next logon and
enable Password never expires.
8. Repeat the process to create another user in the Training organizational unit, but this time call the
user aduser2. Use the same password (Training!).
8. Click OK.
7. Confirm the installation and reboot the VM after the installation finishes.
Configure Thunderbird
1. Open Mozilla Thunderbird and click the three bars icon in the upper right of the application.
2. Select Options > Account Settings.
3. Select Outgoing Server (SMTP) and click Add. Configure the following settings:
Setting Value
Port 25
Username student
4. Click OK.
5. From the bottom of the left menu of the Account Settings dialog, click Account Actions > Add
Mail Account.
6. Add the following account:
Password fortinet1
7. Click Continue.
8. Add the following incoming and outgoing server settings:
Password fortinet1
Configure FileZilla
1. Open FileZilla.
2. Click on the upper left icon to open the site manager.
A wizard opens.
4. Select SMB Share-Quick.
5. Click Next.
6. Select Type a custom path.
3. Click Save.
4. Repeat steps 2 and 3 for the following VMs:
c:\Perl64\bin
3. Add shortcuts to the Windows task bar and desktop for the following applications: File Explorer,
Firefox, PuTTY, command prompt, Notepad++, Windows Remote Desktop Connection, and
FileZilla.
4. Add the following paths to the Path System variable:
C:\Users\Administrator\Desktop\Resources\FortiGate-II\IPS\nikto-2.1.5
C:\Users\Administrator\Desktop\Resources\FortiGate-I\Logging
C:\Users\Administrator\Desktop\Resources\FortiGate-II\IPv6
5. Open Mozilla and add the following four bookmarks to the bookmarks toolbar:
Local-FortiGate: http://10.0.1.254
Remote-FortiGate: http://10.200.3.1
FortiManager: https://10.0.1.241
FortiAnalyzer: https://10.0.1.210
FortiManager
Even though FortiManager is not the focus of FortiAnalyzer and FortiGate courses, it is required for
the lab setup due to the use of closed network mode. More information about the FortiManager closed
network mode can be found in this document:
http://docs.fortinet.com/uploaded/files/2153/LicensingIsolatedFortiGates.pdf
Note: Alternatively, as with registration, you can attach a spreadsheet that contains serial
and license numbers if you want to ask for entitlement files for two or more FortiGate VMs
at the same time. Fortinet Technical Support will provide one entitlement file that contains
validation information for all of your FortiGate VMs. All FortiGate VMs must be registered
with the same account; devices registered under different accounts cannot be combined
into the same entitlement file.
Within a day or two, you should receive an entitlement file from customer service.
edit port1
next
end
2. Connect to the GUI from the Local-Windows VM and restore the FortiManager-initial.dat
file from the folder Resources/FortiManager/.
3. Upload a valid FortiManager VM license.
force them to send a new VM license validation request to FortiManager. If validation succeeds,
the license status indicated on the dashboard should say Valid.
FortiAnalyzer
1. Start FortiAnalyzer and open the VM console. From the console make the following changes:
edit port1
next
end
2. Connect to the GUI from the Local-Windows VM and restore the file from the folder
Resources/FortiAnalyzer/FortiAnalyzer-initial.dat.
3. Upload the FortiAnalyzer VM license.
Remote-FortiGate
1. Start the Remote-FortiGate VM and open the VM console.
2. Enter exec formatlogdisk to format the virtual disk, which is required to store data such as
local reports or logs. The device will reboot after the format is complete.
3. From the console, enter these commands:
edit port4
next
end
edit 1
next
end
4. Connect to the GUI from the Local-Windows VM and upload the remote-initial.conf file
from the folder Resources/FortiGate-I/Introduction.
5. Upload the VM license for this unit.
FortiGate should validate the license against FortiManager. None of the FortiGuard services are
required in this FortiGate.
Remote-Windows
Windows8.1-KB9089134-x64.exe
This file can be found compressed in the Lab Setup ZIP file.
If you get an error indicating that the hotfix has expired, change the Local-Windows system date to
April 1, 2015 and try the installation again. After the installation, you can change it back to the right
date.
2. Add shortcuts to the Windows task bar and desktop for the following applications: File Explorer,
Firefox, PuTTY, command prompt, and FortiClient.
Testing
Once you have all VMs installed, and have configured all LAN segments, host IP settings and virtual
network connections, test connectivity.
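A ping sweep over the addresses the topology places on the Linux VM's own segments, as an added example of the connectivity test (it is not part of the Fortinet guide). It assumes the script runs on the Linux VM, so every target is a directly attached neighbour on one of the four 10.200.x.0/24 segments, and that ping is allowed on the FortiGate, FortiManager, and FortiAnalyzer interfaces listed. The probe command is a variable so the reporting logic can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the Fortinet guide): check that every device on the
# Linux VM's four 10.200.x.0/24 segments answers ping. Addresses come from
# the guide's topology; entries are "ip:name" separated by whitespace.
LAB_HOSTS="
10.200.1.1:Local-FortiGate-port1
10.200.2.1:Local-FortiGate-port2
10.200.1.241:FortiManager-port2
10.200.1.210:FortiAnalyzer-port3
10.200.3.1:Remote-FortiGate-port4
10.200.4.1:Remote-FortiGate-port5
"

# Default probe: one ICMP echo with a one second timeout. Set PROBE to another
# command or function name to use a different check.
probe() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# check_hosts: prints one OK/FAIL line per host and returns the number of
# hosts that did not answer (0 means every listed interface is reachable).
check_hosts() {
    fail=0
    for entry in $LAB_HOSTS; do
        ip=${entry%%:*}
        name=${entry#*:}
        if ${PROBE:-probe} "$ip"; then
            echo "OK   $ip ($name)"
        else
            echo "FAIL $ip ($name)"
            fail=$((fail + 1))
        fi
    done
    return "$fail"
}

# Usage on the Linux VM:  sh lab-connectivity.sh --run; echo "unreachable: $?"
if [ "${1:-}" = "--run" ]; then
    check_hosts
fi
```

A FAIL for a FortiGate port usually means the interface address or its allowaccess settings on that unit are wrong, or the VMware adapter is mapped to the wrong LAN segment; a FAIL on every host of one segment points at the Linux eth* mapping for that segment.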
Creating snapshots
Once you have completed and tested your configuration, save a snapshot of each VM. These
snapshots are what you will deploy for each student in the class.
You can also re-deploy these snapshots to revert a student's VM if their configuration is not working
and they need to quickly restore it to a functional state.