Lab Guide

The document outlines the Fast Track Workshops for FortiOS, focusing on new features and enhancements in Fortinet's cybersecurity platform. It includes a detailed agenda for the workshop, instructions for lab activities, and an introduction to the Fortinet Security Fabric, which integrates networking and security functions. Additionally, it highlights the improvements in the GUI and the capabilities of the Security Fabric for operational efficiency and security management.

Uploaded by

nourhenouhibi15

Index: 1.0
Use Case: What's New in FortiOS
Objective Title: Description
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Fast Track Workshops: What’s New in FortiOS


To address today’s risks and deliver the industry’s most comprehensive cybersecurity platform
that enables digital innovation, Fortinet continues to enhance the Fortinet Security Fabric with
the latest version of its operating system, FortiOS. FortiOS ties all the Security Fabric’s security
and networking components together to ensure seamless integration. This enables the
convergence of networking and security functions to deliver a consistent user experience and
resilient security posture across all manner of environments including on-premises, cloud,
hybrid, and converging IT/OT/IoT infrastructure.
While this workshop focuses on new features introduced during the two latest major versions
of FortiOS, all VMs have been installed using the latest major version. Some features may have
changed slightly from the previous version to the most current version.
Index: 1.0 (a)
Use Case: What's New in FortiOS
Objective Title: Fast Track Workshops
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Fast Tracks are free, instructor-led, hands-on workshops that introduce Fortinet
solutions for securing your digital infrastructure. These workshops are only an
introduction to what Fortinet security solutions can do for your organization.

For more in-depth training, we encourage you to investigate our full portfolio of NSE
training courses at https://training.fortinet.com.
Index: 1.0 (b)
Use Case: What's New in FortiOS
Objective Title: Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Lab Topology
Index: 1.0 (c)
Use Case: What's New in FortiOS
Objective Title: Agenda
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Agenda

Topic                                      Time         Prerequisite

Lab 2.0 Fortinet Security Fabric           20 minutes   1.0
  2a: Fabric Management Pane               -
  2b: Fabric Connectors                    -
Lab 3.0 General GUI Changes                15 minutes   2.0
  3a: Dashboard and FortiView              -
  3b: Packet Capture and Debug Flow        -
Lab 4.0 SD-WAN                             15 minutes   3.0
  4a: SD-WAN Overlay                       -
  4b: Provision Template                   -
Lab 5.0 Zero Trust Network Access          15 minutes   4.0
  5a: Endpoint Management Server           -
  5b: Logical AND Tag Matching Policy      -
  5c: Test Connection (Firewall OFF)       -
  5d: Test Connection (Firewall ON)        -
Lab 6.0 Policy & Objects                   15 minutes   5.0
  6a: New Policy Layout                    -
  6b: Workflow Management                  -
Lab 7.0 Secure Access Switching            10 minutes   6.0
  7a: FortiSwitch Management               -
Lab 8.0 Operational Technology             10 minutes   7.0
  8a: FortiGate OT View                    -
Lab 9.0 Networking                         20 minutes   8.0
  9a: DHCP Shared Subnet                   -
  9b: Route Tag Address Objects

Time to complete: 2 hours


Index: 1.0 (d)
Use Case: What's New in FortiOS
Objective Title: Instructions
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Instructions

1. Unless otherwise indicated, the username and password for all web consoles are:

• Username: admin
• Password: Fortinet1!

2. If you have a single monitor, you can split the screen side by side into two. Drag the
FortiFIED lab guide to one window and open another browser tab to browse through
the devices. Example shown below.
Index: 2.0
Use Case: Fortinet Security Fabric
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction
The Fortinet Security Fabric platform is built on a cybersecurity MESH architecture – similar to
what Gartner announced recently - “an architectural approach to create a collaborative
ecosystem of security tools operating beyond the traditional perimeter.”

The Security Fabric provides a suite of best-of-breed solutions, organically built from the ground
up to provide the best integration in the industry.

The Security Fabric enables organizations to achieve operational efficiencies through consistent
policies and automation, deep visibility across their entire deployments, whether on the
network or in the cloud, and the ability to interoperate with a broad ecosystem of networking
and security solutions.

Time to Complete: 20 minutes


Index: 2.0 (a)
Use Case: Fortinet Security Fabric
Objective Title: Fabric Management Pane
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background
The Firmware & Registration section allows you to authorize new Fabric devices and manage
the firmware running on each FortiGate, FortiAP, and FortiSwitch in the Security Fabric.
In this exercise, you will configure a Security Fabric connector on the downstream device
FGT-ISFW. You then connect to the root FortiGate, FGT-EDGE, and use the Fabric Management
page to authorize the device FGT-ISFW as part of the Security Fabric. You will also make sure all
Fabric devices are running current firmware versions.

Tasks

Add FGT-ISFW to Security Fabric


1. From the Lab Activity: FortiOS r04 tab, log in to FGT-ISFW under the Core group via
the HTTPS option.

Note: Unless otherwise indicated, all usernames and passwords for the various web
consoles are:

Username: admin Password: Fortinet1!

2. Click Security Fabric > Fabric Connectors.

3. Select the Security Fabric Setup card and click Edit.

4. Configure the following settings:

• Security Fabric Role: Join Existing Fabric

• Upstream FortiGate IP/FQDN: 10.10.30.14

• Turn on Allow downstream device REST API access

• Administrator profile: super_admin

• SAML Single Sign-On: Manual


• Management IP/FQDN: Specify 192.168.0.103

• Management port: Use Admin Port

5. Click OK

6. Click OK to Confirm

7. Return to the Lab Activity tab, click FGT-EDGE in the sidebar menu under the Core
group, and click HTTPS to access the FGT-EDGE device.

8. Click System > Firmware & Registration. The donut charts show that the Security
Fabric includes one FortiGate Up and that all firmware is up to date.

9. In the device list, select FGVM01TM19002141 (this is the serial number of FGT-ISFW).
Click Authorization > Authorize
10. After a few moments, FGT-ISFW is shown in the donut charts at the top of the page,
along with the FortiSwitch that FGT-ISFW manages. Press F5 to refresh the browser tab
in case the device doesn’t appear. Ignore the FortiSwitch registration warning. This is
only a limitation to the current lab and not typical of an actual production environment.

Authorize EMS Server (FGT-ISFW)


1. From the browser tab, log in to FGT-ISFW via the web console.

2. Click Security Fabric > Fabric Connectors

3. Edit FortiClient EMS Fabric Connector

4. Click Authorize

5. Click Accept to verify the EMS server certificate.


6. Click Security Fabric > Fabric Connectors

7. The FortiClient EMS Fabric Connector should come up in a few seconds.

Note: In case the EMS Fabric Connector color doesn’t change from Amber to white,
press F5 to refresh the browser tab.
Index: 2.0 (b)
Use Case: Fortinet Security Fabric
Objective Title: MAC Address Threat Feed
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

A MAC address threat feed is a dynamic list that contains MAC addresses, MAC ranges, and
MAC OUIs. The list is stored in text file format on an external server and is periodically
updated from that server. After the FortiGate imports this list, it can be used as a source in
firewall policies, proxy policies, and ZTNA rules. For policies in transparent mode or virtual
wire pair policies, the MAC address threat feed can be used as a source or destination address.
Text file example:
01:01:01:01:01:01
01:01:01:01:01:01-01:01:02:50:20:ff
8c:aa:b5
The file can contain one MAC address, MAC range, or MAC OUI per line.
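
A pre-publication check for the feed file described above, as an added example (not part of the lab guide and not Fortinet code): it parses each line as a MAC address, MAC range, or OUI, reports lines that fit none of the three forms, and shows which entries cover a given adapter address. The sample feed beyond the guide's three example lines, the 02:00:00:AA:BB:01 host address, and the strict colon-separated syntax are assumptions made for the illustration.

```python
import re

_OCTET = r"[0-9a-fA-F]{2}"
_MAC_RE = re.compile(rf"{_OCTET}(?::{_OCTET}){{5}}")   # six octets
_OUI_RE = re.compile(rf"{_OCTET}(?::{_OCTET}){{2}}")   # three octets

# Constructed sample feed: the first three lines are the lab guide's example;
# the rest are made up here (a placeholder host MAC and two bad lines).
SAMPLE_FEED = """\
01:01:01:01:01:01
01:01:01:01:01:01-01:01:02:50:20:ff
8c:aa:b5

02:00:00:AA:BB:01
01:01:02:50:20:ff-01:01:01:01:01:01
8c:aa:b5:zz
"""


def _to_int(colon_hex):
    """Convert colon-separated hex octets to an integer."""
    return int(colon_hex.replace(":", ""), 16)


def parse_entry(entry):
    """Return (low, high) bounds in 48-bit MAC space for one feed entry.

    Raises ValueError for anything that is not a MAC, a MAC range or an OUI.
    """
    entry = entry.strip()
    if _MAC_RE.fullmatch(entry):
        value = _to_int(entry)
        return value, value
    if _OUI_RE.fullmatch(entry):
        # An OUI covers every address sharing its first three octets.
        low = _to_int(entry) << 24
        return low, low | 0xFFFFFF
    if "-" in entry:
        start, _, end = entry.partition("-")
        start, end = start.strip(), end.strip()
        if _MAC_RE.fullmatch(start) and _MAC_RE.fullmatch(end):
            low, high = _to_int(start), _to_int(end)
            if low > high:
                raise ValueError("range start is greater than range end")
            return low, high
    raise ValueError("not a MAC address, MAC range or OUI")


def parse_feed(text):
    """Parse a whole feed; return (entries, errors).

    entries: list of (line_number, original_text, low, high)
    errors:  list of (line_number, original_text, reason)
    Blank lines are skipped (an assumption of this example).
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            low, high = parse_entry(line)
        except ValueError as exc:
            errors.append((lineno, line, str(exc)))
        else:
            entries.append((lineno, line, low, high))
    return entries, errors


def matching_entries(mac, entries):
    """Return the feed lines (original text) that cover the given MAC."""
    mac = mac.strip()
    if not _MAC_RE.fullmatch(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    value = _to_int(mac)
    return [line for _, line, low, high in entries if low <= value <= high]


if __name__ == "__main__":
    entries, errors = parse_feed(SAMPLE_FEED)
    for lineno, line, reason in errors:
        print(f"line {lineno}: rejected {line!r}: {reason}")
    for mac in ("02:00:00:aa:bb:01", "8c:aa:b5:12:34:56", "01:01:02:50:21:00"):
        print(mac, "->", matching_entries(mac, entries) or "no match")
```

Running the check before the file is placed on the server catches a typo in a newly added address, which would otherwise leave the intended device outside the list.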

Tasks

The Security Admin at AcmeCorp learns from the SOC team that Alice’s PC has been
compromised, with potential malware installed on the device. The device must immediately
be stopped from accessing the AcmeCorp finance web portal. The Security Admin instructs the
security team to add the MAC address of Alice’s Sales Network adapter to the MAC address
threat feed list hosted on one of the servers.

Test Connectivity (Pre-Threat Feed Integration)

1. From the Lab Activity: FortiOS r4 tab, login to Alice machine under Sales group via the
RDP option:

Username: alice Password: Fortinet1!

2. Open web browser and click the Finance_Portal bookmark.


3. The portal login page comes up. This shows that access to the portal is allowed.

4. Close the web browser.

5. Open command prompt and type ipconfig /all

6. Scroll to the Sales Network adapter and review the associated MAC address.

Configure MAC Address Threat Feed


1. From the Lab Activity: FortiOS r4 tab, login to FGT-ISFW via the HTTPS option:

Username: admin Password: Fortinet1!

2. Click Security Fabric > External Connectors

3. Click +Create New

4. Under Threat Feeds, click MAC Address and use the following Connector Settings:

• Status: Enabled

• Name: MAC_List

• Update Method: External Feed

• URL of external resource: http://192.168.0.53/mac

• HTTP basic authentication: Turn OFF

5. Click OK

6. If the connector card doesn’t show a green checkmark in the bottom-right corner,
click the refresh icon.
7. Right-click MAC_List Fabric connector and click View Entries to view the MAC address
list.

Note: You will see Alice’s Sales network adapter MAC address listed here.

Configure Firewall Policy


1. Click Policy & Objects > Firewall Policy

2. Click Cancel on the New Policy Layout pop up window.

Note: You will check out this feature in a later lab exercise.

3. Click + Create New to add a new policy and use the following settings:

• Name: MAC_List_Deny

• Type: Standard

• Incoming Interface: Sales Network (port 2)

• Outgoing Interface: EDGE_ISFW Network (port4)


• Source: Address > MAC_List > Click Close

• Destination: Finance_Web_Portal

• Schedule: always

• Service: ALL

• Action: DENY

4. Click OK

5. Click MAC_List_Deny policy. Hover the mouse cursor on the left corner and drag this
new policy to the top of the policy list.

Test Connectivity (Post-Threat Feed Integration)

1. From the browser tab, log in to the Alice machine via the web console.

2. Open web browser and open a new incognito/private window.


3. Click Finance_Portal browser bookmark again.

4. Access to the portal is now denied.

5. Close the web browser.


Index: 3.0
Use Case: General GUI Changes
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Each major release of FortiOS includes updates to the GUI that improve performance, process
flow, and ease of use. The following objectives explore some of these new GUI features.

Time to Complete: 15 minutes


Index: 3.0 (a)
Use Case: General GUI Changes
Objective Title: Dashboard and FortiView
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
Dashboard widgets and FortiView monitors are updated with new graphs, faster performance,
and other updates that improve the user experience.

Tasks
Initiate Web traffic (Alice)
1. From the Lab Activity: FortiOS r04 tab, login to Alice via RDP option using the following
credentials:
Username: alice Password: Fortinet1!
2. Open web browser. Right-click Blocked_Sites folder bookmark
3. Click Open all (5)
4. Close the web browser.

FortiView
1. From the Lab Activity: FortiOS r04 tab, login to FGT-EDGE via HTTPS option using the
following credentials:
Username: admin Password: Fortinet1!
2. Click Search icon on top left corner. FortiView pages can be found using the global
search.
3. In the search bar, type fortiview sources
4. In the FortiView Sources dashboard, click drop down arrow icon > click Preview
5. Set the time lapse to 5 minutes from the drop-down tab.
6. Drill down on Source 172.16.10.50 by selecting it and right-click Drill down

7. Click Threats tab. Right-click > Drill down on the failed-connection threat entry to drill
down further to apply a second level filter.
8. Click Websites to view blocked connections to various destinations such as Bet365,
YouTube, and Netflix. Click the X at top-right to remove the filter and show that
tab again.

9. Click View Session Logs to see the log list details.


10. Click X to close the session log window.
11. At the top, click +Add to dashboard
Note: Multiple FortiView widgets can be added to custom dashboards. Filters that are
applied to the expanded widgets will remain after refreshing the browser.

12. Click Create New Dashboard


13. Enter Name Training
14. Click OK
Note: The new Training dashboard has been created. Multiple FortiView widgets can be
added to custom dashboards.
15. Click FortiView Sessions widget.
16. Select any session entry and click End session(s) in the toolbar to end that session. On
the FortiView Sessions page, sessions can be ended by selecting the session or sessions
then clicking End session(s) in the toolbar or right-click menu.
Dashboards
1. Click Dashboard > Status. The Licenses and Security Fabric widgets are updated with
new icons, all visible in one place, to improve the user experience and provide faster
performance.

2. Expand the Security Fabric widget to see the Physical Topology


Note: The topology in your lab might differ from the screenshot below.

3. Click Logical Topology tab to see logical topology.


4. On the top right corner, click the Save as Monitor icon button.
5. Set Topology Type to Logical Topology

6. Click OK to save the topology as a dashboard monitor.

7. Click Dashboard > Assets & Identities


8. A time range can be specified in the Assets widget.
9. Expand Assets widget.
10. The expanded Assets widget is updated as compared to previous FortiOS versions to
create a more streamlined appearance and to conserve resources. The Asset Identity
Center page offers a unified view of asset information, consolidates data from various
sources, and can handle significantly larger sets of data.
Note: The Assets dashboard in the lab might differ from the screenshot below.
Index: 3.0 (b)
Use Case: General GUI Changes
Objective Title: Packet Capture and Debug Flow
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
The Network > Diagnostics page now supports launching multiple packet captures at a time.
From this page, you can run both packet captures and debug flows within the GUI and see
real-time information. For example, ingress and egress interfaces can be captured at the same
time to compare traffic or the physical interface and VPN interface can be captured using
different filters to see if packets are leaving the VPN. The packet capture dialog can be docked
and minimized to run in the background. The minimized dialog aligns with other CLI terminals
that are minimized.
In this exercise, you capture packets flowing from any interface on FGT-EDGE that reaches the
host 8.8.8.8 and host 8.8.4.4 using ICMP. Later in this exercise, you run debug flow from the
GUI to trace the flow of a packet through the FortiGate system.

Tasks

Run Simultaneous Packet Captures


1. From the Lab Activity tab, log in to FGT-EDGE under the Core group via the HTTPS
option.
Username: admin Password: Fortinet1!
2. Click Network > Diagnostics > Packet Capture

3. Click + New packet capture

4. Set Interface to any.

5. Turn on Maximum captured packets and set the value to 10.

6. Turn on Filters and click Basic.

7. Set Host to 8.8.8.8 and set Protocol number to 1.


8. Click Start capture

9. Click _ to minimize the packet capture window.

Note: Do NOT close the window.

10. Click + New packet capture

11. Set Interface to any.

12. Turn on Maximum captured packets and set the value to 10.

13. Turn on Filters and click Basic.

14. Set Host to 8.8.4.4 and set Protocol number to 1.


15. Click Start capture

16. Click _ to minimize the packet capture window.

Note: Do NOT close the window.

17. Click the >_ button in the top-right corner to connect to the CLI console session.

18. Copy/paste the following commands and hit Enter:


execute ping-options repeat-count 10
execute ping 8.8.8.8

19. After ten ICMP pings are sent, copy/paste the following command and hit Enter:
execute ping 8.8.4.4
20. After 10 ICMP pings are sent, click X to close the CLI console session window.

21. At the bottom, click and open the Packet Capture 1

22. Click on an individual packet to see more information about it.

23. Click Save as pcap to save a PCAP file of the capture for further analysis.

24. Click X to close Packet Capture 1 window.

25. At the bottom, click and open the Packet Capture 2. Click on an individual packet to see
more information about it.

26. Click Back. In the upper-left corner of the GUI is a list of Recent Capture Criteria. If you
want to run this specific capture again, click it to load the saved settings.

Run Debug Flow

1. In the FGT-EDGE GUI, click Network > Diagnostics > Debug Flow

2. Set Number of packets to 20.

3. Turn on Filters.

4. Set Filter type to Basic and set IP type to IPv4.


5. Set IP address to 8.8.8.8

6. Set Protocol to Any

7. Click Start debug flow.

8. Click the >_ button in the top-right corner to connect to the CLI. Type execute
ping-options repeat-count 20 and press Enter. Then type execute ping
8.8.8.8 and hit Enter. The FortiGate begins to ping 8.8.8.8 and will do so twenty
times.

9. Minimize the CLI screen. You can view the debug flow in real time.
10. After 20 packets, the debug ends. You can also end it manually by clicking Stop debug
flow

11. Click Save as CSV to export a file of the debug flow.

12. The current output can be filtered in the GUI using the Time and Message columns.
Index: 4.0
Use Case: SD-WAN
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

In the reality of today’s market, digital innovation is a necessity. From moving faster and more
efficiently, to operating in uncertain environments at a global scale, it all starts with the
network.
Organizations and branches need both high-performance networks and strong security. The
Fortinet Security-Driven Networking solution is an integral component of the Fortinet Security
Fabric, which enables complete visibility and provides automated threat protection across the
entire attack surface. Powered by a single operating system, it delivers industry-leading security
and unmatched performance, all while reducing complexity.
FortiOS is a security-hardened, purpose-built network operating system that is the software
foundation of FortiGate, and the entire Fortinet Security Fabric. Designed to deliver tightly
integrated and intuitive security and networking capabilities across your entire network,
FortiOS delivers everything from core network functionality to software-defined wide-area
networking (SD-WAN) to best-in-class security that protects organizations end-to-end, including
the ability to extend the Fortinet Security Fabric to third-party solutions using application
programming interfaces (APIs) and Security Fabric connectors.
Seamless automation and orchestration built into FortiOS allows organizations to overcome
resource and skills gaps, and achieve desired digital innovation outcomes without compromise.

Time to Complete: 15 minutes


Index: 4.0 (a)
Use Case: SD-WAN
Objective Title: SD-WAN Overlay
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background
FortiManager includes an automated SD-WAN overlay template with a wizard to automate and
simplify the process using recommended IPsec and BGP templates. FortiManager 7.4 takes it
one step further and now includes an automated SD-WAN post-overlay process that creates
policies to allow health-check traffic to flow between Branch and HUB. The SD-WAN
overlay template includes two new options in the wizard to automate the post-wizard
processes.
• Normalize Interfaces: Enable the Normalize Interfaces option to normalize the SD-WAN
zones created by the template
• Add Health Check Firewall Policy to Hub/Branch Policy Package: Enable the Add Health
Check Firewall Policy to Hub/Branch Policy Package option to create health check
firewall policies (or policy blocks) for HUB(s) and branches

Template Prerequisites
• Import the FortiGate devices that will make up the hub and branch devices into
FortiManager.
• Configure the ISP links and other interfaces on your imported devices.
• Create a device group for your branch devices

In this exercise, you configure an SD-WAN overlay template for a single HUB SD-WAN using the
managed FortiGate device.

Tasks
For this objective, you will be working on the FortiManager and on FGT-BR1.

1. From the Lab Activity tab, login to FortiManager under the Data Center group via the
HTTPS option.
Username: admin Password: Fortinet1!
2. Click Device Manager > Provisioning Templates > Template Groups. Confirm that no
groups exist.
3. Click Provisioning Templates > IPsec Tunnel. Confirm that only the three default
templates exist.
4. Click Provisioning Templates > BGP. Confirm that only the two default templates exist.
5. Click Provisioning Templates > SD-WAN Overlay and click Create New to begin using
the SD-WAN overlay template wizard.
6. Set Name to HQ-Branch.
7. For Select New Topology, select Single HUB.

8. Click Next.
9. Set Standalone HUB to FGT-HQ.
10. For Branch, set Device Group Assignment to Branch.
11. Toggle ON Automatic Branch ID Assignment. When Automatic Branch ID Assignment is
enabled, FortiManager automatically assigns and tracks a branch ID for each device in
the branch device group. This also applies to devices added to the branch device group
in the future, as well as those added to the device group using a zero-touch provisioning
device blueprint
12. Click Next.
13. Configure the following Network Configuration settings:
• Standalone Hub:
• WAN Underlay 1: port2
• WAN Underlay 2: Private Link
• WAN Underlay 2: port5
• Branch Device Group:
• WAN Underlay 1: port2
• WAN Underlay 2: Private Link
• WAN Underlay 2: port5
14. Click Next.
15. Turn ON Normalize Interfaces
16. Turn ON Add Health Check Firewall Policy to Hub Policy Package and select FGT-HQ
from the drop down list.
17. Turn ON Add Health Check Firewall Policy to Branch Policy Package and select FGT-BR1
from the drop down list.
18. Click Next
19. Review the summary and click Finish
20. HQ-Branch appears in the template list.
21. Click Device Manager > Provisioning Templates > Template Groups. The SD-WAN
overlay template wizard created two new template groups.

22. Click Provisioning Templates > IPsec Tunnel. The SD-WAN overlay template wizard
created two new templates.

23. Click Provisioning Templates > BGP. The SD-WAN overlay template wizard created two
new templates.
Index: 4.0 (b)
Use Case: SD-WAN
Objective Title: Provision Template
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

In this objective, you push the SD-WAN template configuration to the FortiGates using the
FortiManager Install Wizard and review the VPN status.

Goal or Tasks

1. In the FortiManager GUI, click Device & Groups > Managed FortiGate (2)
2. Click Install Wizard on the top of the screen.
3. Select Install Device Settings (only)

4. Click Next.
5. Select FGT-BR1 and FGT-HQ
6. Click Next.
7. After FortiManager shows both devices as Connection Up, click Install

8. Once the installation is complete, click Finish

9. Press F5 to refresh the FortiManager browser tab. The Provisioning Templates column
shows that the templates were installed successfully.

10. Click Policy & Objects > Policy Packages


11. Expand FGT-HQ and click Firewall Policy
12. Expand HQ-Branch_HBLK policy list. You see firewall policies (or policy blocks) are
created automatically to allow SLA health checks to each device loopback. The SD-WAN
overlay template creates the policy block and applies it to the top of the HUB Policy
Package.

13. Click Policy & Objects > Advanced


14. Select the branch_id variable and Click Edit to review. When Automatic Branch ID
Assignment is enabled in the provisioning template configuration, FortiManager
automatically assigns and tracks a branch ID for each device in the branch device group.
This also applies to devices added to the branch device group in the future, as well as
those added to the device group using a zero-touch provisioning device blueprint.

Review VPN Connection Status


1. From the Lab Activity tab, log in to FGT-BR1 under the Branch 1 group via the HTTPS
option using the following credentials:

Username: admin Password: Fortinet1!

2. An alert appears stating that this FortiGate is managed by a FortiManager. Click Login
Read-Only

3. Click Dashboard > Network. Locate and expand the IPsec widget. It shows that
HUB1-VPN1 is up and running.
Index: 5.0
Use Case: Zero Trust Network Access (ZTNA)
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction
ZTNA is a capability within Zero Trust Access (ZTA) that controls access to applications. It
extends the principles of ZTA to verify users and devices before every application session. ZTNA
confirms that they meet the organization’s policy to access that application.
Our unique approach, delivering Universal ZTNA as part of our FortiGate Next-Generation
Firewall (NGFW), makes it uniquely flexible, covering users when they are remote or in the
office. Universal ZTNA capabilities are automatically enabled on any device or service running
FortiOS 7.0 and higher. This includes hardware appliances, virtual machines in clouds, and the
FortiSASE service.

Time to Complete: 15 minutes


Index: 5.0 (a)
Use Case: Zero Trust Network Access (ZTNA)
Objective Title: Endpoint Management Server
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background
FortiClient Endpoint Management Server (FortiClient EMS) is a security management solution
that enables scalable and centralized management of multiple endpoints. FortiClient
EMS provides efficient and effective administration of endpoints running FortiClient. It provides
visibility across the network to securely share information and assign security policies to
endpoints. It is designed to maximize operational efficiency and includes automated capabilities
for device management and troubleshooting.

Tasks
Configure Endpoint Policy
1. From the Lab Activity FortiOS r04 tab, login to FortiClient EMS via the HTTPS option
using the following credentials:
Username: admin Password: Fortinet1!
2. Click Endpoint Policy & Components
3. Click Manage Policies
4. On the top right corner, click +Add and use the following information:
• Endpoint Policy Name: ZTNA
• Endpoint Groups: Click Edit and checkmark All Groups. Click Save

• Leave Profile set to Default


• On-Fabric Detection Rules: Click On-Net-172.16.10.0/24

5. Click Save

Configure EMS Tag Sharing


1. In the EMS, click Administration > Fabric Devices
2. Edit FGVM01TM19002141 (FGT-ISFW)
3. For FortiClient Endpoint Sharing, select Share All FortiClients from the drop-down list.
4. For Tag Types Being Shared, choose both Classification Tags and Zero Trust Tags

5. Click Save

Configure Zero Trust Tagging Rule


1. In FortiClient EMS, click Zero Trust Tags > Zero Trust Tagging Rules
2. Click +Add and use the following information:
• Name: Windows_Firewall
• Tag Endpoint As: Firewall_Enabled_Tag & press Enter key
NOTE: Press ENTER key to save the tag
• Enabled: Turn ON
3. Click +Add Rule and use the following information:
• OS: Windows
• Rule Type: From the drop-down, choose Windows Security
• Windows Security: Windows Firewall is enabled
4. Click Save

5. Click Save
Index: 5.0 (b)
Use Case: Zero Trust Network Access (ZTNA)
Objective Title: Logical AND Tag Matching Policy
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background
When configuring a firewall policy for IP- or MAC-based access control that uses different EMS
tag types (such as ZTNA tags and classification tags), a logical AND can be used for matching. By
separating each tag type into primary and secondary groups, the disparate tag types will be
matched with a logical AND operator.

Tasks

Configure Logical AND Tag Matching Policy

1. From the Lab Activity: FortiOS r04 tab, login to FGT-ISFW via HTTPS option using the
following credentials:
Username: admin Password: Fortinet1!
2. Click Policy & Objects > Firewall Policy
3. Click + Create New on top to create a new policy and use the following information:
• Name: Logical_AND_Policy_Match
• Type: Standard
• Incoming Interface: Sales Network (port2)
• Outgoing Interface: EDGE_ISFW Network (port4)
• Source: all
• IP/MAC Based Access Control: ZTNA IP Firewall_Enabled_Tag (Choose from the
list & click Close)
• Logical And With Secondary Tags: Specify
• Secondary Tags: CLASS IP Low (Choose from the list & click Close)
Note: Low-risk endpoints are automatically tagged with this EMS classification tag.
• Destination: DC_Server
• Schedule: always
• Service: ALL
• Action: ACCEPT
• NAT: Turn OFF
4. Click OK
5. Click Logical_AND_Policy_Match policy. Hover the mouse cursor on the left corner and
drag this new firewall policy to the top of the policy list above the two other policies.
Index: 5.0 (c)
Use Case: Zero Trust Network Access (ZTNA)
Objective Title: Test Connection (Firewall OFF)
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
FortiClient is a Fabric Agent that delivers protection, compliance, and secure access in a single,
modular lightweight client. A Fabric Agent is a piece of software that runs on an
endpoint, such as a laptop or mobile device, and communicates with the Fortinet Security
Fabric to provide information, visibility, and control to that device. It also enables secure,
remote connectivity to the Security Fabric.

Tasks

FortiClient Zero Trust Fabric Agent to EMS Server

1. From the Lab Activity: FortiOS tab, login to EMS using the HTTPS option
Username: admin Password: Fortinet1!
2. Click Zero Trust Tags > Zero Trust Tag Monitor
3. Expand Low EMS classification Tag category
Note: Alice machine has been tagged.

Test Connection (Windows Firewall OFF)


1. From the Lab Activity: FortiOS tab, login to Alice machine using the RDP option
Username: alice Password: Fortinet1!
2. From the Desktop, open FortiClient console.
3. Click Zero Trust Telemetry
Note: Endpoint machine is centrally managed by the EMS server.
4. From the Alice Desktop, open web browser.
5. Click browser bookmark DC_Server
Note: Access to the web server is denied because the Logical AND policy is not
matched.
6. Close the web browser.
Index: 5.0 (d)
Use Case: Zero Trust Network Access (ZTNA)
Objective Title: Test Connection (Firewall ON)
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

In this lab objective, you turn on the Windows firewall and test ZTNA connectivity again.

Tasks

Turn ON Windows Firewall


1. On Alice machine, go to Control Panel > System & Security > Windows Firewall
2. On the left side pane, click Turn Windows Firewall on or off.
3. For both Private/Public network settings, click Turn on Windows Firewall
4. Click OK

Check EMS Tag Monitor


1. From the lab activity tab, login to FortiClient EMS using the HTTPS option.
Username: admin Password: Fortinet1!
2. Click Zero Trust Tags > Zero Trust Tag Monitor
3. Expand Firewall_Enabled_Tag
Note: Alice machine has been successfully tagged with the new EMS tag. In case you
don’t see the EMS tag, wait for a few minutes.

Test Connection (Windows Firewall ON)


1. From the Lab Activity: FortiOS r04 tab, login to Alice using the RDP option.
Username: alice Password: Fortinet1!
2. From Alice Desktop, open web browser.
3. Click DC_Server browser bookmark.
4. Access to the corporate server is successful this time via matching EMS Tag policy.
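The two connection tests above can be reproduced with a small model of the Logical_AND_Policy_Match policy. This is an added example, not FortiOS code: it assumes that tags inside one group are alternatives, that traffic matching no policy is denied, and the names TagPolicy and first_match are hypothetical.

```python
from dataclasses import dataclass

IMPLICIT_DENY = "implicit deny"


@dataclass(frozen=True)
class TagPolicy:
    name: str
    primary_tags: frozenset                  # IP/MAC Based Access Control tags
    secondary_tags: frozenset = frozenset()  # Secondary Tags; empty = not specified

    def matches(self, endpoint_tags):
        """Primary group AND secondary group must each be satisfied."""
        # Assumption: inside a group, any one of the listed tags is enough.
        primary_ok = bool(self.primary_tags & endpoint_tags)
        if not self.secondary_tags:
            return primary_ok
        return primary_ok and bool(self.secondary_tags & endpoint_tags)

    def matches_or_only(self, endpoint_tags):
        """Contrast case: every tag pooled into one OR group."""
        return bool((self.primary_tags | self.secondary_tags) & endpoint_tags)


def first_match(policies, endpoint_tags):
    """Walk the policy list top-down and return the first matching policy name."""
    tags = frozenset(endpoint_tags)
    for policy in policies:
        if policy.matches(tags):
            return policy.name
    return IMPLICIT_DENY


# The policy from this lab, placed at the top of the list.
LAB_POLICIES = [
    TagPolicy(
        name="Logical_AND_Policy_Match",
        primary_tags=frozenset({"Firewall_Enabled_Tag"}),
        secondary_tags=frozenset({"Low"}),
    )
]

# Constructed endpoint states for the Alice machine.
ALICE_FIREWALL_OFF = {"Low"}
ALICE_FIREWALL_ON = {"Low", "Firewall_Enabled_Tag"}

if __name__ == "__main__":
    for label, tags in (("firewall OFF", ALICE_FIREWALL_OFF),
                        ("firewall ON", ALICE_FIREWALL_ON)):
        print(label, "->", first_match(LAB_POLICIES, tags))
```

With OR-only matching the low-risk classification alone would be enough to reach DC_Server, which is the gap the secondary tag group closes.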
Index: 6.0
Use Case: Policy & Objects
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

This section includes information about policy and object related new features.

Time to Complete: 15 minutes


Index: 6.0 (a)
Use Case: Policy & Objects
Objective Title: New Policy Layout
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

Improvements to the FortiOS GUI backend have been implemented to speed up the loading of
a large number of policies. This is achieved by only loading the necessary data when needed,
rather than loading all the data at once. This can significantly improve performance and reduce
the time it takes to load a large number of policies. A new layout has also been introduced for
the policy list with the option to choose between the new layout and the old layout. To switch
between the classic and new policy list layout, select the style from the dropdown menu.

In this lab objective, you switch between the classic and new policy list layout, select the style
from the dropdown menu and review the new policy features.

Goal or Tasks

1. From the browser tab, login to FGT-EDGE using the web console.

2. Click Policy & Objects > Firewall Policy

3. Click Use new layout

4. Expand EDGE_DC Network (port3) -> ISP1 (port6) policy section and click DC_to_WAN1
policy.

Note: The new layout includes several features to enhance user experience. The edit
and delete buttons are identified through new icons along with words below the policy.
Selecting a policy also displays an inline menu with options to edit, insert, disable and
delete policies, with the option to Show more options when hovered over.

5. Click Insert > Above

6. A pane is used to insert, create, and edit policies instead of a separate page. When a
policy is inserted in Interface Pair View, the Incoming Interface and Destination
Interface fields will be automatically filled. You can confirm the location of the new
policy in the right-side gutter before inserting the policy.
7. Click Cancel

8. You can now right-click in Interface Pair View to Expand All and then, click Collapse All
sections.
Index: 6.0 (b)
Use Case: Policy & Objects
Objective Title: Workflow Management
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background
The Policy change summary and Policy expiration features of the FortiOS Workflow
Management enforce an audit trail for changes to firewall policies and allow administrators to
set a date for the firewall policy to be disabled.
In this exercise, you set a policy expiration date and time with limited access to web for guest
network.

Tasks
1. From the Lab Activity: FortiOS r04 tab, login to FGT-EDGE via the HTTPS option using
the following credentials:
Username: admin Password: Fortinet1!
2. Click System > Feature Visibility
3. Under Additional Features, enable Workflow Management.

4. Click Apply
5. Click System > Settings
6. In Workflow Management section, review Policy change summary is set to Required
Note: The default value for Policy expiration is 30 days. This number can be changed in
the CLI or in System > Settings in the GUI to any value between zero and 365 days. If the
default value is set to zero, the Default state will disable the Policy expiration.
7. Click Apply.
8. Click Policy & Objects > Firewall Policy.
9. Expand EDGE_ISFW Network (port4) -> ISP1 (port6).
10. Edit the Guest_to_ISP1 firewall policy.
11. Under Workflow Management, enable Policy expiration.
12. Set Expiration date to tomorrow’s date and the time 5:00 PM.
Note: Use the appropriate date, which will differ from the screenshot.

13. Click OK.
14. The Workflow Management- Summarize Changes window will open.
15. In the Change Summary tab, type Policy expiration set.

16. Click OK.


17. From the Firewall Policy page, again Edit the Guest_to_ISP1 firewall policy.
18. Under Security Profiles, enable Web Filter and select default.
19. Click OK.
20. The Workflow Management- Summarize Changes window will open.
21. In the Change Summary tab, type Default Web Filter enabled.

22. Click OK.


23. From the Firewall Policy page, again edit Guest_to_ISP1 firewall policy.
24. Under Additional Information, click Audit Trail.

Note: Policy change summaries are used to track changes made to a firewall policy.
The Audit trail allows users to review the policy change summaries, including the date
and time of the change and which user made the change.
25. Click Close
26. Click Cancel
Index: 7.0
Use Case: Secure Access Switching
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

FortiSwitch secure access switches are feature-rich, yet cost-effective, supporting the needs of
enterprise campus and branch office network connectivity. With high-density 24- and 48-port
models, which support 802.11at Power over Ethernet (PoE), you can power anything from
access points to VoIP handsets and surveillance cameras.
FortiSwitch integrates directly into FortiGate, allowing switch administration and access port
security to be managed from the same “single pane of glass.” Regardless of how users and
devices are connected to the network (wired, wireless, or VPN), you have complete visibility
and control over your network security and access.
FortiSwitch VLANs appear just like any other interface on a FortiGate, meaning you can apply
policies to FortiSwitch ports just as you can with FortiGate “WLAN” ports. You even have
visibility of per-port and switch-level PoE power usage. Unified control of switches through
FortiGate, together with security administration, simplifies remote management and
troubleshooting.

Time to Complete: 10 minutes


Index: 7.0 (a)
Use Case: Secure Access Switching
Objective Title: FortiSwitch Management
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

FortiOS includes features that enhance FortiSwitch management and further network
deployment with minimal technical expertise.

In this exercise, you go through features of the FortiGate switch controller. This includes the
FortiSwitch topology view, the FortiSwitch Clients page, configuring of flap guard through the
switch controller, and allowing the FortiSwitch console port login to be disabled.

Tasks
Enhanced FortiSwitch Topology View

1. From the Lab Activity: FortiOS r04 tab, login to FGT-ISFW via HTTPS using the following
credentials:
Username: admin Password: Fortinet1!
2. Click WiFi & Switch Controller > Managed FortiSwitches.

3. Right click FortiSwitch and click Diagnostics and Tools.


4. Check the Port Health section. When there are error frames, the port health is shown as
Poor. When there are no error frames, the port health is shown as Good.

5. Click Legend on the top right corner. It displays the Health Thresholds pane, which lists
the thresholds for the Good, Fair, and Poor ratings for General Health, Port Health, and
MC-LAG Health.

6. Click WiFi & Switch Controller > FortiSwitch Ports.

7. You can now clear port counters by right clicking a port and selecting Clear port
counters.
FortiSwitch Clients Page

1. Click WiFi & Switch Controller > FortiSwitch Clients. This page will list all devices
connected to the FortiSwitch unit for a particular VDOM.

2. Double-click the existing device to display the Device Info page. The page will display
matching NAC policies and dynamic port policies (if applicable).

3. You can create a Firewall Address and Quarantine Host by hovering the mouse over the
device.
4. Click Cancel.

Configure Flap Guard


Flap guard detects how many times a port changes status during a specified number of
seconds. If too many changes are detected, the system shuts down the port. After a port is shut
down, you can manually reset the port and restore it to the active state.

Flap guard is configured and enabled on each port through the switch controller. The default
setting is disabled.

1. Click >_ in the top-right corner to connect to the CLI.

2. To configure flap guard on port 3, enter the following:

config switch-controller managed-switch
edit S108DVNLY2Z7AU8C
config ports
edit port3
set flapguard enable
set flap-rate 15
set flap-duration 100
set flap-timeout 30
end
end
3. To restore the port back to service if flap guard shuts down port 3, you use the following
command:

execute switch-controller flapguard reset S108DVNLY2Z7AU8C port3

Note: Because flapguard has not triggered on port 3, the above command will not reset
the port at this time.
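To see how the three flap guard values interact, the following added example (not Fortinet code) models the detection as a sliding window over link status changes. It assumes that the port is shut when the count inside the window reaches flap-rate, that flap-timeout is an automatic recovery time in minutes with 0 meaning manual reset only, and the names FlapGuard and first_trip are hypothetical.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FlapGuard:
    flap_rate: int = 15       # set flap-rate 15: changes that trip the guard
    flap_duration: int = 100  # set flap-duration 100: counting window, seconds
    flap_timeout: int = 30    # set flap-timeout 30: assumed minutes to auto-recover
    shut_at: Optional[float] = None
    _changes: deque = field(default_factory=deque)

    def reset(self):
        """Manual recovery, as done by the flapguard reset command."""
        self.shut_at = None
        self._changes.clear()

    def is_shut(self, now):
        """True while the port is held down by flap guard at time now (seconds)."""
        if self.shut_at is None:
            return False
        # Assumption: a non-zero timeout restores the port automatically.
        if self.flap_timeout and now - self.shut_at >= self.flap_timeout * 60:
            self.reset()
            return False
        return True

    def link_change(self, now):
        """Record one status change; return True if it shuts the port."""
        if self.is_shut(now):
            return False  # port is already down, nothing to count
        self._changes.append(now)
        # Drop changes that have aged out of the counting window.
        while self._changes and now - self._changes[0] >= self.flap_duration:
            self._changes.popleft()
        if len(self._changes) >= self.flap_rate:
            self.shut_at = now
            return True
        return False


def first_trip(timestamps, guard=None):
    """Return the timestamp at which the guard shuts the port, or None."""
    if guard is None:
        guard = FlapGuard()
    for ts in timestamps:
        if guard.link_change(ts):
            return ts
    return None


# Constructed link-change timestamps in seconds (not captured from a switch).
FAST_FLAP = list(range(0, 75, 5))    # a change every 5 s: 15 changes in 70 s
SLOW_FLAP = list(range(0, 300, 10))  # a change every 10 s: 10 per 100 s window

if __name__ == "__main__":
    print("fast flap trips at:", first_trip(FAST_FLAP))
    print("slow flap trips at:", first_trip(SLOW_FLAP))
```

The same window logic can be run over link up/down timestamps taken from switch logs to check whether a chosen flap-rate and flap-duration would have caught a known unstable port.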

Disable the FortiSwitch Console Port Login


Administrators can use the FortiSwitch profile to control whether users can log in with the
managed FortiSwitchOS console port. By default, users can log in with the managed
FortiSwitchOS console port.

1. Click >_ in the top-right corner to connect to the CLI.

2. Enter the following commands to disable login on switch profile:

config switch-controller switch-profile
edit profile1
set login disable
end

3. Enter the following commands to apply the switch profile on the managed switch:

config switch-controller managed-switch
edit S108DVNLY2Z7AU8C
set switch-profile profile1
end
Index: 8.0
Use Case: Operational Technology
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Connections between IT and operational technology (OT) systems are no longer air gapped,
introducing the potential for hackers to penetrate industrial control systems, risking the safety
and availability of critical infrastructure. Security for OT requires visibility, control, and analytics
to meet safety and availability requirements.
The AcmeCorp organization wants visibility into its network and the ability to identify
what types of devices are connecting and connected. In this objective, you are going to explore
FortiGate OT asset visibility and network topology. Tabs are added in the Asset Identity Center
page to view the OT asset list and OT network topology using Purdue Levels.

Time to Complete: 10 minutes


Index: 8.0 (a)
Use Case: Operational Technology
Objective Title: FortiGate OT View
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

In this objective, you will work on the FortiGate-ISFW to view the OT asset list and OT
network topology using Purdue Levels.

Tasks

1. From the Lab Activity: FortiOS r04 tab, login to FGT-ISFW via the HTTPS option using the
following credentials:

Username: admin Password: Fortinet1!

2. Click System > Feature Visibility.

3. Under Additional Features, review Operational Technology (OT) is turned ON.

4. Click Apply
5. Click Security Fabric > Asset Identity Center

6. In the column header top left corner, hover the mouse cursor and click settings gear box
icon once it appears as shown in the screenshot below.

7. Click Purdue Level and click Apply

8. You can see the discovered PLC VMs with the following MAC & IP addresses at
Purdue Level 3:

MAC: 00:0c:29:36:5f:9b & IP: 172.16.40.101


MAC: 00:0c:29:4e:a3:2d & IP: 172.16.40.102

Note: There are a few other devices at the same Purdue Level 3.
9. Click OT View on top.

Note: The OT View in your lab might differ from the screenshot shown below.
10. Click Unlock View. You are now able to freely drag and move devices to different
levels. Do NOT move any devices yet.

Note: FortiGate and managed FortiSwitch devices are statically assigned to Purdue Level
2, other detected devices are assigned to Purdue Level 3 by default and can be changed.
You will be assigning the PLC VMs behind OT Network port6 to Purdue Level 1 Basic
Control.

11. On the top-right corner, click >_ icon to open the CLI console session and enter the
following commands:

config system interface
edit port6
set default-purdue-level 1
next
end
diag user device clear

12. On the OT View page, wait a few minutes and click the refresh icon next to Unlock
View. You should be able to see PLC VMs moved to Purdue Level 1.

13. Click Asset Identity List

Note: The Purdue Level for the recently moved devices is now set to 1.
Index: 9.0
Use Case: Networking
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

This section includes lab objectives about network related new FortiOS 7.4 features.

Time to Complete: 20 minutes


Index: 9.0 (a)
Use Case: Networking
Objective Title: DHCP Shared Subnet
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

A FortiGate can act as a DHCP server and assign IP addresses from different subnets to clients
on the same interface or VLAN based on the requests coming from the same DHCP relay agent.
A FortiGate may have more than one server and pool associated with the relay agent, and it can
assign IP addresses from the next server when the current one is exhausted. This way, the
FortiGate can allocate IP addresses more efficiently and avoid wasting unused addresses in
each subnet.
In this exercise, you will configure DHCP Relay on FGT-ISFW and two DHCP servers on
FGT-EDGE.

Tasks

Configure DHCP Relay (FGT-ISFW)

1. From the Lab Activity: FortiOS r4 tab, log in to FGT-ISFW using the following
credentials:

Username: admin Password: Fortinet1!

2. Click Network > Interfaces


3. Click Sales Network (port2) > Edit
Note: DHCP clients Alice and Carol Windows machines are connected to Sales Network
(port2) interface of FGT-ISFW.
4. Scroll down to turn ON DHCP Server
5. Click Advanced and use the following settings:
• Mode: Relay
• Type: Regular
• DHCP Server IP: 10.10.30.14
Note: 10.10.30.14 is FGT-EDGE port4 IP address. You will configure two DHCP
servers on port4 of the FGT-EDGE.

6. Click OK

Configure DHCP Server 1 (FGT-EDGE - Port 4)

1. From the Lab Activity: FortiOS r4 tab, log in to FGT-EDGE via HTTPS option using the
following credentials:

Username: admin Password: Fortinet1!

2. Click Network > Interfaces


3. Click EDGE_ISFW Network (port4) > Edit
4. Scroll down to turn ON DHCP Server and use the following settings:
• DHCP status: Enabled
• Address range: 172.16.10.10-172.16.10.10
• Netmask: 255.255.255.0
• Default Gateway: Click Specify 172.16.10.254
• DNS Server: Same as System DNS
5. Click OK
6. On the top-right corner, click >_ icon to open the CLI console session and copy/paste the
following commands to set up the FGT-ISFW Port2 (Sales Network) interface as the DHCP
relay agent:
config system dhcp server
edit 1
set shared-subnet enable
set relay-agent 172.16.10.254
end

Configure DHCP Server 2 (FGT-EDGE - Port 4)

1. In the FGT-EDGE, use the same CLI console session and copy/paste the following
commands to configure a second DHCP server, DHCP server 2 (IP Address Range
172.16.30.x/24), on the same interface Port4 and set up the FGT-ISFW Sales interface
as the DHCP relay agent:
config system dhcp server
edit 2
set default-gateway 172.16.30.254
set netmask 255.255.255.0
set interface "port4"
config ip-range
edit 1
set start-ip 172.16.30.200
set end-ip 172.16.30.200
next
end
set shared-subnet enable
set relay-agent 172.16.10.254
next
end
Review DHCP Server Configuration (FGT-EDGE)

1. In the FGT-EDGE, at the top-right corner, click >_ icon to open the CLI console session
and enter the following command:

show system dhcp server


Note: You will see the DHCP server 1 and DHCP server 2 configurations, with different IP
address ranges set up on the same port4 interface of FGT-EDGE and both pointing to the
same DHCP relay agent, the Sales (port2) interface IP of the FGT-ISFW.
Test DHCP Clients

Both Carol and Alice client machines are connected to the same port4 (Sales network) interface
on FGT-ISFW. In this objective, you will verify the DHCP IP leases assigned to these devices.

Configure DHCP Automatic IP Addressing (Carol)

1. From the Lab Activity: FortiOS r04 tab, login to Carol machine via RDP option using the
following credentials:
Username: carol Password: Fortinet1!
2. Open Network and Sharing Center.
3. Double-click Sales Network Adapter > Properties > TCP/IPv4 > Obtain an IP address
automatically > Obtain DNS server address automatically
4. Click OK > OK > Close

Configure DHCP Automatic IP Addressing (Alice)


1. From the Lab Activity: FortiOS r04 tab, login to Alice machine via RDP option using the
following credentials:
Username: alice Password: Fortinet1!

2. Open Network and Sharing Center.


3. Double-click Sales Network Adapter > Properties > TCP/IPv4 > Obtain an IP address
automatically > Obtain DNS server address automatically
4. Click OK > OK > Close

Verify DHCP Lease (FGT-EDGE)


1. From the Lab Activity: FortiOS r04 tab, login to FGT-EDGE via HTTPS option using the
following credentials:
Username: admin Password: Fortinet1!

2. Click Dashboard > Network > DHCP widget.

3. Both Carol & Alice machines are assigned IP addresses by FGT-EDGE (DHCP server) from
two different subnets on the same interface as requests are coming from the same
DHCP relay agent FGT-ISFW. A FortiGate can assign IP addresses from the next server
when the first one is exhausted. This way, the FortiGate can allocate IP addresses more
efficiently and avoid wasting unused addresses in each subnet.
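The lease behaviour verified above can be modelled with the two one-address pools from this lab. This is an added example, not FortiOS code: it assumes servers are tried in ID order for the relay agent address carried in the request, that fall-through to the next server only happens when shared-subnet is enabled, and the MAC addresses and the names DhcpServer, lab_servers and allocate are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DhcpServer:
    server_id: int
    start_ip: str
    end_ip: str
    gateway: str
    relay_agent: str
    shared_subnet: bool = True
    leases: dict = field(default_factory=dict)  # MAC -> leased IP

    def offer(self, mac):
        """Return this client's lease, or a free address, or None if exhausted."""
        if mac in self.leases:
            return self.leases[mac]
        start = int(ipaddress.IPv4Address(self.start_ip))
        end = int(ipaddress.IPv4Address(self.end_ip))
        in_use = set(self.leases.values())
        for value in range(start, end + 1):
            ip = str(ipaddress.IPv4Address(value))
            if ip not in in_use:
                self.leases[mac] = ip
                return ip
        return None


def lab_servers(shared_subnet=True):
    """DHCP server 1 and 2 on FGT-EDGE port4, with the ranges used in this lab."""
    relay = "172.16.10.254"
    return [
        DhcpServer(1, "172.16.10.10", "172.16.10.10", "172.16.10.254",
                   relay, shared_subnet),
        DhcpServer(2, "172.16.30.200", "172.16.30.200", "172.16.30.254",
                   relay, shared_subnet),
    ]


def allocate(servers, relay_agent, mac):
    """Return (server_id, ip) for a relayed request, or None if no address is left."""
    candidates = sorted((s for s in servers if s.relay_agent == relay_agent),
                        key=lambda s: s.server_id)
    for server in candidates:          # a renewing client keeps its lease
        if mac in server.leases:
            return server.server_id, server.leases[mac]
    for server in candidates:
        ip = server.offer(mac)
        if ip is not None:
            return server.server_id, ip
        if not server.shared_subnet:   # assumption: no fall-through when disabled
            break
    return None


if __name__ == "__main__":
    servers = lab_servers()
    # Constructed client MACs; the first requester takes the server 1 address.
    for name, mac in (("carol", "02:00:00:00:00:01"),
                      ("alice", "02:00:00:00:00:02"),
                      ("third client", "02:00:00:00:00:03")):
        print(name, "->", allocate(servers, "172.16.10.254", mac))
```

The third request returning no lease shows the exhaustion case: with one address per pool, any additional client behind the same relay agent gets no address until a lease is released.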
Index: 9.0 (b)
Use Case: Networking
Objective Title: Route Tag Address Objects
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

A route tag (route-tag) firewall address object can include IPv4 or IPv6 addresses associated
with a BGP route tag number, and is updated dynamically with BGP routing updates. The route
tag firewall address object allows for a more dynamic and flexible configuration that does not
require manual intervention to dynamic routing updates. This address object can be used
wherever a firewall address can be used, such as in a firewall policy, a router policy, or an
SD-WAN service rule.
In this lab objective, you will configure and apply a route tag address object.
Note: The Route tag field has been removed from the Priority Rule configuration page (Network
> SD-WAN > SD-WAN Rules). The route-tag option has been removed from the config service
settings under config system sdwan.

Tasks

Configure and Apply a Route Tag Address Object

1. From the Lab Activity: FortiOS r04 tab, login to FGT-EDGE via the HTTPS option using
the following credentials:
Username: admin Password: Fortinet1!

2. At the top right corner, click >_ to open a CLI console session and copy/paste the
following commands:
config firewall address
edit sdwan_route_tag_10
set type route-tag
set route-tag 10
next
end
3. Click Policy & Objects > Firewall Policy
4. Expand EDGE_ISFW Network (port4) -> ISP1 (port6) policy section.
5. Edit ISFW_to_WAN1 policy.
6. Set the Destination to sdwan_route_tag_10
7. Click Close
8. Click OK

9. In the Change summary dialog box, type Destination set to sdwan_route_tag_10
10. Click OK
Add Address to SD-WAN Service Rule

1. In the FGT-EDGE, click Network > SD-WAN

2. Select SD-WAN Rules tab.

3. Edit existing Rule #1.

4. In the Destination section, set the Address to sdwan_route_tag_10

5. Click Close & click OK

Review

Verify that the route tag firewall address is associated with firewall policy ID 2
(ISFW_to_WAN1):
1. At the top right corner, click >_ to open a CLI console session and copy/paste the
following command:
diagnose firewall iprope list | grep -A 15 index=2
2. Scroll the list and locate the policy with policy index=2 and route_tag(1): 10 assigned to
it.
Index: 10.0
Use Case: Conclusion
Objective Title: Review
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Review
After completing this Fast Track workshop, you should know how to:

• Use the Security Fabric improvements to provide IT teams with a holistic view into
devices, traffic, applications, and events, in addition to the ability to stop a threat
anywhere along its attack chain.
• Enable the sharing and correlation of real-time threat intelligence by integrating devices
using open standards, common operating systems, and unified management platforms.
• Use FortiOS ZTNA, OT, SD-WAN capabilities to deliver unprecedented visibility, secure
networking and risk reduction for cyber-physical and industrial control systems.
Index: 10.0 (a)
Use Case: Conclusion
Objective Title: End of Session
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Fast Track Workshops: What’s New in FortiOS

Congratulations, you have completed this lab.

To get more information on this or other Fortinet solutions, please consider looking at:
FortiOS 7.4 New Features Guide:
https://docs.fortinet.com/document/fortigate/7.4.0/new-features/770045/overview
and
NSE Training from Fortinet:
https://training.fortinet.com/
