Enterprise Firewall 7.6 Administrator Lab Guide


Brave-Dumps.com
DO NOT REPRINT
© FORTINET

Enterprise Firewall Administrator


Lab Guide
FortiOS 7.6
Fortinet Training Institute - Library

https://training.fortinet.com

Fortinet Product Documentation

https://docs.fortinet.com

Fortinet Knowledge Base

https://kb.fortinet.com

Fortinet Fuse User Community

https://fusecommunity.fortinet.com/home

Fortinet Forums

https://forum.fortinet.com

Fortinet Product Support

https://support.fortinet.com

FortiGuard Labs

https://www.fortiguard.com

Fortinet Training Program Information

https://www.fortinet.com/nse-training

Fortinet | Pearson VUE

https://home.pearsonvue.com/fortinet

Fortinet Training Institute Helpdesk (training questions, comments, feedback)

https://helpdesk.training.fortinet.com/support/home

5/12/2025

TABLE OF CONTENTS

Firmware Version 7
Network Topology 8
Lab Device Credentials 9
Lab 1: Network Security Architecture 10
Lab 2: Central Management 11
Exercise 1: Running Remote, Device, and Policy Scripts 12
Network Topology 12
Run a Script Using the Remote Method 12
Run a Script Using the Device Database Method 16
Run a Script Using the Policy Package or ADOM Database Method 19
Exercise 2: Configuring LTP 22
Network Topology 22
Configure the Metadata Variables 22
Add Metadata Variables to the Pre-CLI Template 24
Add BR2-FGT-1 to FortiManager 26
Register BR2-FGT-1 on FortiManager 32
Add BR3-FGT-1 to FortiManager 34
Register BR3-FGT-1 on FortiManager 38
Lab 3: VLANs and VDOMs 41
Exercise 1: Configuring VDOMs and VLANs on ISFW 42
Network Topology 42
Enable VDOMs 42
Create the Zone1 and Zone2 VDOMs 43
Create VLAN101 and VLAN102 46
Create Inter-VDOM Links 49
Create Static Routes in VDOMs 53
Install Firewall Policies in VDOMs 55
Validate the Communication Between HQ-PC-2 and HQ-PC-3 58
Validate the Communication From HQ-PC-2 to HQ-Web-1, the Internet, and 4.2.2.2 60
Lab 4: High Availability 62
Exercise 1: Configuring VDOM Partitioning 63
Network Topology 63
Verify the HA Status 63
Configure VDOM Partitioning 64
Analyze Traffic Distribution 67
Perform a Failover and Analyze the Traffic 68
Exercise 2: Configuring FGSP 71
Network Topology 71
Configure FGSP 71
Test ICMP Session Synchronization Between BR1-FGT-1 and BR1-FGT-2 72
Analyze the Asymmetric Traffic 74
Exercise 3: Encrypting the Session Synchronization 79
Encrypt the Session Synchronization 79
Lab 5: Dynamic Routing Protocols 82
Exercise 1: Configuring OSPF With ECMP 83
Configure OSPF on HQ-DCFW 83
Configure OSPF on HQ-ISFW 86
Configure OSPF on HQ-NGFW 89
Check the OSPF Status on the HQ-ISFW Root VDOM 92
Enable OSPF ECMP on the HQ-ISFW Root VDOM 95
Enable OSPF ECMP on HQ-NGFW 96
Verify OSPF ECMP 97
Check the OSPF Status on HQ-DCFW and HQ-NGFW 98
Check Connectivity 99
Exercise 2: Configuring BGP 100
Configure BGP on FortiManager 100
Exercise 3: Configuring a Loopback Interface as a BGP Source 108
Configure a Loopback Interface as a BGP Source on BR1-FGT-2 108
Establish the BGP connection 110
Lab 6: Security Profiles 112
Exercise 1: Solving an IPS False Positive 113
Apply the IPS_Block Security Profile 113
Install the Policy 114
Test Using hping to HQ-Web-1 115
Verify That HQ-DCFW Detects the Jumbo Packets 116
Solve the IPS False Positive 118
Install the Policy 119
Test Using hping to HQ-Web-1 119
Verify That HQ-DCFW Detects the Jumbo Packets 120
Exercise 2: Protecting Against Unencrypted Attacks 122
Apply the IPS_Monitor Security Profile 122
Install the Policy 123
Access the Website 124
Simulate the Attack 124
Verify That HQ-DCFW Detects the Attack 125
Block an Attack on Unencrypted Traffic 126
Install the Policy 128
Simulate the Attack 128
Verify That HQ-DCFW Blocks the Attack 128
Exercise 3: Protecting Against Encrypted Attacks 131
Create a Dynamic Local Certificate and an SSL/SSH Profile 131
Block an Attack on Encrypted Traffic 133
Verify That HQ-DCFW Drops the Attack 134
Lab 7: IPsec VPN (IKEv2) 136
Exercise 1: Configuring IPsec Templates 137
Configure IPsec Templates 137
Create a Normalized Interface for the Hub 148
Configure the Firewall Policies 149
Check the Status of the VPN Tunnels 150
Delete the IPsec Tunnels 151
Lab 8: Auto-Discovery VPN 161
Exercise 1: Configuring ADVPN and IBGP 164
Configure IPsec Templates 164
Configure the BGP Templates 171
Install the Policies 175
Bring Up the On-Demand Tunnel 177
Exercise 2: Configuring ADVPN IBGP and EBGP 180
Prerequisites 180
Configure ADVPN IBGP and EBGP 181
Bring Up the On-Demand Tunnel 184
Lab 9: Security Fabric 188
Exercise 1: Configuring the Security Fabric and SAML SSO 189
Configure the Security Fabric on HQ-NGFW-1 189
Configure the Security Fabric on HQ-DCFW 191
Configure the Security Fabric on HQ-ISFW 193
Access Security Fabric Devices With SAML SSO 194
Exercise 2: Configuring Automatic Configuration Backup 199
Manage Security Fabric Devices on FortiManager 199
Configure an Automation on FortiManager 200
Verify the Stitch on the Security Fabric Devices 205
Exercise 3: Configuring the Automation With a Script 208
Configure the Automation 208
Test the Automation Stitch and View the Email Alert 211
Lab 10: Use Cases 215
Exercise 1: Configuring the HR Network 219
Network Topology 219
Requirements 220
Test the Configuration 220
Exercise 2: Configuring ADVPN 222
Network Topology 222
Requirements 222
Test the Configuration 223
Exercise 3: Configuring Automatic Backups 226
Network Topology 226
Requirements 226
Test the Configuration 227
Firmware Version

The Enterprise Firewall course content is based on the following products and firmware versions:

Product         Firmware Version
FortiGate       7.6.2
FortiManager    7.6.2
FortiAnalyzer   7.6.2

Enterprise Firewall 7.6 Administrator Lab Guide 7


Fortinet Technologies Inc.
Network Topology

Lab Device Credentials

Below are the credentials for all the devices used in the lab guide.

VM Usernames and Passwords

VM           Username        Password
HQ-PC-1      Administrator   Fortinet1!
HQ-PC-2      Administrator   Fortinet1!
HQ-PC-3      Administrator   Fortinet1!
BR1-PC-1     Administrator   Fortinet1!
BR2-PC-1     Administrator   Fortinet1!
BR3-PC-1     Administrator   Fortinet1!
HQ-Web-1     fortinet        Fortinet1!
HQ-ISFW      admin           Fortinet1!
HQ-DCFW      admin           Fortinet1!
HQ-NGFW-1    admin           Fortinet1!
HQ-NGFW-2    admin           Fortinet1!
BR1-FGT-1    admin           Fortinet1!
BR1-FGT-2    admin           Fortinet1!
BR2-FGT-1    admin           Fortinet1!
BR3-FGT-1    admin           Fortinet1!
HQ-FMG-1     admin           Fortinet1!
HQ-FAZ-1     admin           Fortinet1!

Lab 1: Network Security Architecture

There is no lab associated with this lesson.

Lab 2: Central Management

FortiManager is one of the key pieces of an enterprise firewall solution. Without it, managing multiple FortiGate
devices would be cumbersome. Using FortiManager, you can centralize the management of all FortiGate devices
and create common security policies that multiple devices can easily share. In enterprise networks, FortiManager
ADOMs are used to organize your FortiGate devices into groups whose members all share similar security roles
and policies.

Objectives
- Run remote, device, and policy scripts
- Add BR2-FGT-1 and BR3-FGT-1 using the model device and pre-shared key method to deploy them as if you were
using the low-touch provisioning (LTP) model

Time to Complete
Estimated: 55 minutes

Exercise 1: Running Remote, Device, and Policy Scripts

In this exercise, you will explore the differences between running remote, device, and policy scripts.

Network Topology

Run a Script Using the Remote Method

You will create a local certificate using the remote FortiGate direct method (using the CLI).

To run a script using the remote method to create a local certificate


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. In the Select an ADOM window, select the EFW ADOM.
3. Click Device Manager > Scripts.
You will see the scripts that are shown in the following image:


4. Select the ACME Certificate checkbox, and then click Run Script.

5. In the Available Entries field, select the HQ-DCFW checkbox, move it to the Selected Entries field, and then click
Run Now.

6. In the Confirm Running Script window, click OK to confirm that you want to run the script.

7. Click Close to close the Run Script window.

After the configuration is applied directly to your FortiGate, for the purposes of this
learning experience, it is recommended that you verify the following configurations:
- FortiManager has triggered an automatic retrieval process to receive the
configuration from FortiGate.
- The FortiGate device database at the device layer has been updated with the
configuration.

You will have a better view of the HQ-DCFW objects that are available in the device layer if you enable the
vertical menu.

8. Click Device Manager > Device & Groups > Managed FortiGate > HQ-DCFW, and then click the Toggle
Vertical Menu icon.

9. Click Device Manager > Device & Groups > Managed FortiGate > HQ-DCFW > Dashboard > Summary.
10. In the Configuration and Installation widget, in the Revision section, in the Total Revision field, click the
Revision History icon.

You can see that the script_manager created the last event, which triggered a Retrieved operation.


Next, you will enable the visibility of HQ-DCFW certificates, so you can check if the configuration has been
applied to the device database.

11. Click HQ-DCFW > Feature Visibility, and then select the Certificates checkbox.

12. Click OK.


13. Click HQ-DCFW > System > Certificates, and then ensure that the HQ-DCFW acmetest certificate is in the
certificates section.

Stop and think!

At this point, the ACME certificate has been pushed to HQ-DCFW and its device database has been
updated without you having to manually install the database. FortiManager automatically triggers a retrieve
after it runs a remote script to update the database. This process is registered in the HQ-DCFW revision
history without affecting the status of the device database and policy layer (which were synchronized before
you ran the script).

You should avoid using the remote method to modify, delete, or create objects that are used in firewall
policies. Otherwise, you will trigger a conflict status in the policy layer. If you modify firewall objects using a
remote script, you should also make the same changes in the policy package that your firewall is using.

You should also log in to the HQ-DCFW GUI or CLI with read-only permissions and
validate that the certificate has been installed, so that you can compare this with the
scripts that you will be running next.

Run a Script Using the Device Database Method

You will create a static route using the device database method.

To run a script using the device database method


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. In the Select an ADOM window, select the EFW ADOM.
3. Click Device Manager > Scripts.
4. Select the Static Route checkbox, and then click Run Script.

5. In the Available Entries field, select the HQ-DCFW checkbox, move it to the Selected Entries field, and then click
Run Now.


6. In the Confirm Running Script window, click OK to confirm that you want to run the script.

7. Click Close to close the Run Script window.


8. Click Device Manager > Device & Groups > Managed FortiGate.
You can see the HQ-DCFW device database (Config Status column) with an orange warning triangle, which
indicates that it has been modified.

9. Click Managed FortiGate > HQ-DCFW > Network > Static Routes, and then verify that the static route is in the
HQ-DCFW device database.

Stop and think!

At this time, you have not pushed any static routes to FortiGate. Using scripts on the device database is
helpful when you want to try new configurations, but you are not ready to push configuration changes to
FortiGate. Device layer scripts are used to modify only device-level settings such as interfaces, DNS, static
routes, dynamic routes, system settings, log settings, or any other part of the FortiGate configuration that
does not affect firewall policy rules.

10. Click Managed FortiGate, select the HQ-DCFW checkbox, click Install, and then select Install Wizard to install
the static route on HQ-DCFW.

11. Select Install Policy Package & Device Settings, and then in the Policy Package field, select DCFW.

You can leave the Create ADOM Revision setting enabled or disable it. You will not
be using this feature in any of the labs, so this setting will not affect the configuration.
Also, you can use any name in the Revision Name field.

12. Click Next.
13. Click Next.
14. Click Install preview to see what FortiManager will push to HQ-DCFW.
15. Click Close.
16. Click Install.

Stop and think!

Even if you made changes only to the device layer, it is recommended that you install the policy package
and device settings at the same time to avoid an unknown policy package status. An unknown policy
package status is generated when you run a script in the device layer.

In real-world environments, you must use the install preview option to accept the changes that FortiManager
will push.

If there are no changes, FortiManager shows a No commands to be installed or No preview status.

17. After the installation is done, click Finish.


You should see HQ-DCFW synchronized in both layers.

Run a Script Using the Policy Package or ADOM Database Method

You will create a firewall policy using the policy package or ADOM database method.

To run a script using the policy method to create a firewall policy


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. In the Select an ADOM window, select the EFW ADOM.

Before you run the script to create the policy, it is recommended that you view what is
in the DCFW policy package, in order to see how the policy script is working and what
the firewall policy is creating.

3. Click Policy & Objects > Policy Packages > DCFW > Firewall Policy.
4. Verify that there is one firewall policy in the DCFW policy package.

5. Click Device Manager > Scripts to run the policy script to add one firewall policy to the DCFW policy package.
6. Select the Firewall rule checkbox, and then click Run Script.

7. In the Run script on policy package field, select DCFW, and then click Run Now.

8. Click Close to close the Run Script window.


9. Click Policy & Objects > Policy Packages > DCFW > Firewall Policy.
10. Verify that there are two firewall policies in the DCFW policy package.

Stop and think!

You selected the DCFW policy package previously because there was a firewall policy to create. However, if
you need to create only firewall addresses, services, virtual IP addresses, IP pools, security profiles, user,
user groups, or anything related to the policy layer, you can select any policy package—for example, the
default policy package, which is usually not being used. You should only select a specific policy package if
you create a firewall policy.

Running policy scripts is useful when you need to import hundreds of objects into the policy layer database,
which saves the effort a policy package import requires when you already have FortiGate devices added to
your FortiManager. You can try to generate an object, but make sure that it is not pushed to a FortiGate, and
that you do not reference the object in any policy rules.

11. In the drop-down list beside Install Wizard, select Re-install Policy to reinstall the policy package.

12. Click OK.

You can reinstall a policy package after you install the policy package the first time.
This applies whether you assign a policy package to FortiGate or you import it, and
then install it for the first time.

Also, reinstalling a policy package shows you an installation preview, which you must
view if you do not know the changes that FortiManager will push.

13. Click Install preview to see what FortiManager will push to HQ-DCFW, and then click Close.
You can see that FortiManager will push one firewall policy.

14. Click Next.


15. After the installation is done, click Finish.
You should see HQ-DCFW synchronized in both layers.

Exercise 2: Configuring LTP

You will add two FortiGate devices using the model device and link them to FortiManager with the pre-shared key
method. The general process is the following:

1. Configure the metadata variables.
2. Configure the pre-CLI template.
3. Add the BR2-FGT-1 model to FortiManager.
4. Add the pre-CLI template and install the policy package.
5. Register BR2-FGT-1 on FortiManager.
6. Add the BR3-FGT-1 model to FortiManager.
7. Add the pre-CLI template and install the policy package.
8. Register BR3-FGT-1 on FortiManager.

Network Topology

Configure the Metadata Variables

You will configure the metadata variables.

To configure the metadata variables


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. In the Select an ADOM window, select the EFW ADOM.
3. Click Policy & Objects > Advanced > Metadata Variables > Create New.
4. In the Name field, type IP_port2.


5. Click OK.
You can see the metadata variables shown in the following image:

The GW, Hostname, IP_port1, IP_port4, and LAN_BR variables have been
preconfigured for you to save time. At this stage, creating the metadata variables
consists of creating an object only. After the FortiGate is added as a model device,
you will assign a value to the object.

FortiManager creates the vm_interface_number variable by default, which is useful
for creating a number of interfaces on FortiGate VM models.

Add Metadata Variables to the Pre-CLI Template

You will add metadata variables to the pre-CLI template.

To add metadata variables to the pre-CLI template


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. In the Select an ADOM window, select the EFW ADOM.
3. Click Device Manager > Provisioning Templates > CLI.
4. Expand Pre-Run CLI Template, right-click Pre-CLI Template, and then select Edit.

5. In the Script Details section, in the port2 part of the script, at the end of the set ip line, type $, and then in the list
that appears, select (IP_port2).


The IP_port4, IP_port1, GW, and Hostname metadata variables have been
preconfigured for you in Pre-CLI Template to save time.

Your script should look like the following image:


The dollar sign ($) must precede any metadata variable (enclosed in parentheses).
Otherwise, you will receive an error when you try to install them.

6. Click OK.

Stop and think!

You have created the metadata variables that you will assign when you add new FortiGate devices using
the LTP model. Once you add a FortiGate, you must define each value according to each site.

Add BR2-FGT-1 to FortiManager

You will add BR2-FGT-1 to FortiManager using the model device method.

To add BR2-FGT-1 to FortiManager as a model device


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. In the Select an ADOM window, select the EFW ADOM.
3. Click Device Manager > Device & Groups > Add Device, and then select Add Model Device.


4. Configure the following settings:

Field                    Value
Name                     BR2-FGT-1
Link Device By           Pre-shared Key
Pre-shared Key           123456789
Device Model             FortiGate-VM64-KVM
Port Provisioning        4
Pre-Run CLI Template     Pre-CLI Template
Assign Policy Package    BR
Metadata Variables       Click Edit Variable Mapping, and then continue to the next step.


5. In the Mapping Value field, configure the following settings:

When you add a metadata variable, ensure that you click the check mark so that the
metadata variable is saved.

Variable Name    Mapping Value
$(GW)            100.65.2.254
$(Hostname)      BR2-FGT-1
$(IP_port1)      192.168.1.112/16
$(IP_port2)      100.65.2.112/24
$(IP_port4)      172.20.2.254/24
$(LAN_BR)        172.20.2.0/24

The vm_interface_number metadata variable is automatically assigned a mapping
value of 4, if you selected Port Provisioning in step 4. This way, you do not need to
configure it in this section.

6. Click OK.
7. Click Next.
8. Click Finish.
You can see that BR2-FGT-1 is available in the device database.

If your view is different from the following image, you can rearrange the table columns
to display the Policy Package Status column, using the gear icon in the upper-right
corner.


Stop and think!

BR2-FGT-1 has been added to the FortiManager device database and it has already been assigned a
name, pre-shared key, device model, port provisioning, pre-run CLI template, policy package, and metadata
variables.

Notice that, at this step, the IP interfaces are configured and the static route is configured, but there are no
firewall policies.

Stop and think!

Pre-run CLI templates are designed for LTP model devices. After you install one for the first time, you will
notice that the template is automatically unassigned from the firewall.

CLI templates are assigned and stick until you remove them, but pre-run CLI templates are removed
automatically, as you can see in this example.

9. Click Device Manager > Device & Groups > Managed FortiGate.
10. Select BR2-FGT-1, click Install, and then select Install Wizard to install the policy package in the device layer.
11. Click Install Policy Package & Device Settings.
12. In the Policy Package field, select BR.

13. Click Next.


14. Click Next one more time.
15. Click Install.
16. Click Finish.
Now, the BR2-FGT-1 device database also shows one firewall policy besides the host name, IP addresses in
port1, port2, and port4, and static route.

Once the FortiGate is connected to FortiManager, the firewall is ready to receive all configurations.

The BR2-FGT-1 configuration should look like the following image:


Register BR2-FGT-1 on FortiManager

You will register BR2-FGT-1 on FortiManager.

To register BR2-FGT-1 on FortiManager


1. Log in to the BR2-FGT-1 serial console with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Enter the following commands:
config system interface
    edit "port2"
        set ip 100.65.2.112 255.255.255.0
        set allowaccess ping https ssh fgfm
end
config router static
    edit 1
        set device port2
        set gateway 100.65.2.254
end

Notice that after you create the default static route, the following message appears:
The destination is set to 0.0.0.0/0 which means all IP addresses.

config system central-management
    set type fortimanager
    set fmg 100.65.0.120
end

Notice that after you configure the central-management settings, the following
message appears:
The Serial Number for FortiManager is not entered.
If serial number is not set, connection will be set as unverified.
FortiGate can establish a connection to obtain the serial number. Do you want to try to connect now? (y/n)

3. Type y.

After typing y, you must not press Enter. The following message appears:
Obtained serial number from FortiManager 100.65.0.120 is: FMG-VMTM24012945

Do you confirm that this is the correct serial number? (y/n)

4. Type y.

The following message appears:
Successfully registered to FortiManager. This device may need to be authorized on FortiManager.

Stop and think!

Notice that this firewall does not have any configuration other than port2 and FortiManager acting as a
local FortiGuard Distribution Server (FDS). In your own environments, it is enough that the firewall has
internet access through a valid internet connection so that it can validate its FortiGuard license, because
FortiGate must have a valid license to work correctly.

5. Return to the BR2-FGT-1 serial console, and then enter the following command to register FortiGate on
FortiManager:
execute central-mgmt register-device FMG-VMTM24012945 123456789

Ensure that you type the command correctly—if it is not correct, the FortiGate will not
connect to FortiManager.

6. Return to the FortiManager GUI, and then in ADOM EFW, click System Settings > Task Monitor.
In the upper-right corner, you can see that the autolink device process started automatically.

You can also see the autolink and installation configuration process running in ADOM EFW > System
Settings > Task Monitor.


7. Return to the BR2-FGT-1 serial console.


You will notice that the host name has changed. You can also verify other configurations like firewall policies.

After you register BR2-FGT-1 on FortiManager, it should not take more than 2 minutes
to finish the installation process. If you registered the device and you do not see any
logs in the task monitor, it means that you should check the spelling of the previous
commands, such as the FortiManager serial number or the correct IP address when
you typed it directly on the BR2-FGT-1 console.

Add BR3-FGT-1 to FortiManager

You will register BR3-FGT-1 on FortiManager.

Take the Expert Challenge!


Add and register BR3-FGT-1 on FortiManager using the following settings:

$(GW): 100.65.3.254
$(Hostname): BR3-FGT-1
$(IP_port1): 192.168.1.113/16
$(IP_port2): 100.65.3.113/24
$(IP_port4): 172.20.3.254/24
$(LAN_BR): 172.20.3.0/24
Policy Package: BR

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see "Configuring LTP" on page 38.

To register BR3-FGT-1 on FortiManager
1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. In the Select an ADOM window, select the EFW ADOM.
3. Click Device Manager > Device & Groups > Add Device, and then select Add Model Device.

You do not need to create any templates since you have already done this. Now, you
will add new branches.

4. Configure the following settings:

Field                    Value
Name                     BR3-FGT-1
Link Device By           Pre-shared Key
Pre-shared Key           987654321
Device Model             FortiGate-VM64-KVM
Port Provisioning        4
Pre-Run CLI Template     Pre-CLI Template
Assign Policy Package    BR
Metadata Variables       Click Edit Variable Mapping, and then continue to the next step.

Notice that you are using a different pre-shared key. Because you can add multiple
firewalls, it is recommended that you use a different pre-shared key for each firewall
you add.

5. In the Metadata Variables field, configure the following settings:

Variable Name Mapping Value

$(GW) 100.65.3.254

$(Hostname) BR3-FGT-1

$(IP_port1) 192.168.1.113/16

$(IP_port2) 100.65.3.113/24

$(IP_port4) 172.20.3.254/24

$(LAN_BR) 172.20.3.0/24

Stop and think!

Think about everything you can configure using metadata variables, based on the needs of your firewalls
or sites. At this stage, you have configured three simple parameters: GW, host name, and network segment.
However, metadata variables can go beyond the dynamic objects you use at the start of your LTP setup and
in your pre-run CLI template, which are applied only at the beginning, when you first add the device to
FortiManager.

6. Click OK.
7. Click Next.
8. Click Finish.
You can see that BR3-FGT-1 is available in the device database.

9. Click Device Manager > Device & Groups > Managed FortiGate.
10. Select BR3-FGT-1, click Install, and then select Install Wizard to install the policy package in the device layer.
11. Click Install Policy Package & Device Settings.
12. In the Policy Package field, select BR.


13. Click Next.

If you leave the BR2-FGT-1 checkbox selected, you will see No commands to be
installed at the next step.

14. Click Next.


15. Click Install.
16. Click Finish.
Now, the BR3-FGT-1 device database shows the host name, IP addresses in port1, port2, and port4, static
route, and one firewall policy.

Once FortiGate is connected to FortiManager, the firewall is ready to receive all configurations.

The BR3-FGT-1 configuration should look like the following image:

Register BR3-FGT-1 on FortiManager

You will register BR3-FGT-1 on FortiManager.

To register BR3-FGT-1 on FortiManager


1. Log in to the BR3-FGT-1 serial console with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Enter the following commands:
config system interface

edit "port2"
set ip 100.65.3.113 255.255.255.0
set allowaccess ping https ssh fgfm
end
config router static
edit 1
set device port2
set gateway 100.65.3.254
end
config system central-management
set type fortimanager
set fmg 100.65.0.120
end
3. Type y to obtain the FortiManager serial number.
4. Type y to confirm the serial number.
5. Enter the following command to register FortiGate on FortiManager:
execute central-mgmt register-device FMG-VMTM24012945 987654321

Ensure that you type the command correctly—if it is not correct, FortiGate will not
connect to FortiManager.

6. Return to the FortiManager GUI, and then in ADOM EFW, click System Settings > Task Monitor.
In the upper-right corner, you can see that the autolink device process started automatically.

You can also see the autolink and installation configuration process running in ADOM EFW > System
Settings > Task Monitor.

7. Return to the BR3-FGT-1 serial console.


You will notice that the host name has changed.

After you register BR3-FGT-1 on FortiManager, it should not take more than 2 minutes
to finish the installation process. If you registered the device, and you do not see any
logs in the task monitor, it means that you should check the spelling of the previous
commands, such as the FortiManager serial number or the correct IP address when
you typed it directly on the BR3-FGT-1 console.

Lab 3: VLANs and VDOMs

In this lab, you will configure VLANs and enable VDOMs. Then, you will allow inter-VDOM traffic and configure
internet access using inter-VDOM routing.

Objectives
- Configure VLANs on ISFW
- Enable VDOMs on ISFW
- Allow inter-VDOM traffic between the Zone1 VDOM and Zone2 VDOM
- Configure internet access using inter-VDOM routing from the Zone1 VDOM to the root VDOM

Time to Complete
Estimated: 50 minutes

Prerequisites
Before you begin this lab, you must complete the previous lab. If you haven’t done so, tell your instructor.

Exercise 1: Configuring VDOMs and VLANs on ISFW

In this exercise, you will enable VDOMs and VLANs. Then, you will assign VLANs and use an inter-VDOM link to
interconnect each of them with other resources in your network.

Network Topology

Enable VDOMs

You will enable VDOMs on HQ-ISFW using FortiManager.

To enable VDOMs
1. Connect to the FortiManager GUI, and then log in with the following credentials:
- Username: admin
- Password: Fortinet1!
2. In the Select an ADOM window, select the EFW ADOM.
3. Click Device Manager > Device & Groups > Managed FortiGate > HQ-ISFW > Dashboard > Summary.
4. In the System Information widget, in the VDOM field, click the Edit VDOM icon.

5. In the VDOM Mode field, select Multi VDOM, and then click Apply.

Create the Zone1 and Zone2 VDOMs

You will create the Zone1 and Zone2 VDOMs on HQ-ISFW.

To create the Zone1 VDOM


1. Click Managed FortiGate > HQ-ISFW > Feature Visibility.
2. In the System section, select the Virtual Domain checkbox.


3. Click OK.
4. Click Managed FortiGate > HQ-ISFW > System > Virtual Domain > Create New.

5. Configure the following settings:

Field Value

VDOM Name Zone1

Interface Members port4


6. Click OK.

To create the Zone2 VDOM


1. Click Managed FortiGate > HQ-ISFW > System > Virtual Domain > Create New.
2. Configure the following settings:

Field Value

VDOM Name Zone2

Interface Members port5

3. Click OK.

You should now see that the Zone1 and Zone2 VDOMs were created, as shown in the following image:

Create VLAN101 and VLAN102

You will create VLAN101 and VLAN102 on HQ-ISFW.

To create VLAN101 and VLAN102


1. Click Managed FortiGate > HQ-ISFW > Network > Interfaces.
2. Click Create New, and then select Interface.

3. Configure the following settings:

Ensure that you configure the VLAN interface settings correctly because you will use
them as normalized interfaces associated between device models and the KVM. If the
settings are not spelled or configured correctly, you will have to delete them and create
the configuration again.

Field Value

Interface Name VLAN101

Interface port4

VLAN ID 101

Virtual Domain Zone1

Addressing Mode Manual

IP/Netmask 10.0.2.254/255.255.255.0

Administrative Access (IPv4) PING

4. Click OK.
5. Click Managed FortiGate > HQ-ISFW > Network > Interfaces.
6. Click Create New, and then select Interface.
7. Configure the following settings:

Field Value

Interface Name VLAN102

Interface port5

VLAN ID 102

Virtual Domain Zone2

Addressing Mode Manual

IP/Netmask 10.0.3.254/255.255.255.0

Administrative Access (IPv4) PING


8. Click OK.
Your interface configuration should look like the following image:

Stop and think!

If your VLAN interface configuration is correct, the Normalized Interface page shows that VLAN101 and
VLAN102 were automatically assigned as normalized interfaces. This is because VLAN101 and VLAN102
have already been configured as normalized interfaces for you using the per-platform method.

Create Inter-VDOM Links

You will create inter-VDOM links.

To create inter-VDOM links


1. Click Managed FortiGate > HQ-ISFW > Network > Interfaces.
2. Click Create New, and then select VDOM Link.

3. Configure the following settings:

Field Value

Name A

Virtual Domain root

IP/Netmask 172.16.1.253/255.255.255.252

Administrative Access PING

IPv6 Address ::/0

Virtual Domain Zone1

IP/Netmask 172.16.1.254/255.255.255.252

Administrative Access PING

IPv6 Address ::/0

4. Click OK.
5. Click Managed FortiGate > HQ-ISFW > Network > Interfaces.
6. Click Create New, and then select VDOM Link.
7. Configure the following settings:

Field Value

Name B

Virtual Domain Zone1

IP/Netmask 172.16.1.245/255.255.255.252

Administrative Access PING

IPv6 Address ::/0

Virtual Domain Zone2

IP/Netmask 172.16.1.246/255.255.255.252

Administrative Access PING

IPv6 Address ::/0

8. Click OK.
9. Click Managed FortiGate > ISFW > Network > Interfaces.
10. Click Create New, and then select VDOM Link.
11. Configure the following settings:

Name C

Virtual Domain root

IP/Netmask 172.16.1.249/255.255.255.252

Administrative Access PING

IPv6 Address ::/0

Virtual Domain Zone2

IP/Netmask 172.16.1.250/255.255.255.252

Administrative Access PING

IPv6 Address ::/0

12. Click OK.


13. Click Network > Interfaces.
Your interface configuration should look like the following image:


Stop and think!

You have created inter-VDOM links, which act like physical interfaces between your virtual firewalls.

Also, the A0, A1, B0, B1, C0, and C1 normalized interfaces have been created for you. Therefore,
FortiManager automatically associates the normalized interfaces with the interfaces you have created.

Create Static Routes in VDOMs

You will create static routes in the Zone1, Zone2, and root VDOMs.

To create static routes in the Zone1 VDOM


1. Click Managed FortiGate > HQ-ISFW > Zone1 > Network > Static Routes.
2. Click Create New, and then select IPv4 Static Route.
3. Configure the following settings:

Field Value

Destination 0.0.0.0/0.0.0.0

Gateway Address 172.16.1.253

Interface A1

4. Click OK.
You will see the following message:
Using default destination route 0.0.0.0 0.0.0.0. Are you sure you want to
inject default routes?

5. Click OK.
6. Click Managed FortiGate > HQ-ISFW > Zone1 > Network > Static Routes.
7. Click Create New, and then select IPv4 Static Route.
8. Configure the following settings:

Destination 10.0.3.0/255.255.255.0

Gateway Address 172.16.1.246

Interface B0

9. Click OK.
You should see the static routes shown in the following image in the Zone1 VDOM:

Stop and think!

You will push these changes once you assign the policy package to all VDOMs. This way, you will save time
by installing these changes once instead of twice. If you do it the other way, you would install the device
settings, and then install the policy packages.

To create a static route in the Zone2 VDOM


1. Click Managed FortiGate > HQ-ISFW > Zone2 > Network > Static Routes.
2. Click Create New, and then select IPv4 Static Route.
3. Configure the following settings:

Field Value

Destination 10.0.2.0/255.255.255.0

Gateway Address 172.16.1.245

Interface B1

4. Click OK.
You should see the static route shown in the following image in the Zone2 VDOM:

To create a static route in the root VDOM
1. Click Managed FortiGate > HQ-ISFW > root > Network > Static Routes.
2. Click Create New, and then select IPv4 Static Route.
3. Configure the following settings:

Field Value

Destination 10.0.2.0/255.255.255.0

Gateway Address 172.16.1.254

Interface A0

4. Click OK.
You should see the static routes shown in the following image in the root VDOM:

You could install device settings only to all VDOMs. But, since you still need to push
policy changes, in this example, you will add the policies, and then install the policy
package and device settings.

Install Firewall Policies in VDOMs

You will run a script on the Policy Package or ADOM Database target for the root_ISFW policy package. Then,
you will install the associated policy packages in the Zone1, Zone2, and root VDOMs.

To run a script on the Policy Package or ADOM Database target for the root_ISFW policy
package
1. Click Device Manager > Scripts.
2. Select the root_ISFW checkbox, and then click Run Script.

3. In the Run script on policy package field, select root_ISFW, and then click Run Now.

4. Click Close to close the Run Script window.


5. Click Policy & Objects > Policy Packages > root_ISFW > Firewall Policy to validate the firewall policies
created in the root_ISFW policy package.

6. Click Install Wizard to install policies in the root VDOM.


7. In the Choose What to Install (1/4) window, select the root_ISFW policy package, and then click Next.

Because this is the first time installation is being done from FortiManager to these
VDOMs, you will see more than the policies being pushed to the VDOMs. After you
install this the first time, consecutive installations should show only the changes you
applied to the policy package or device database installations.

8. In the Select Devices to Install (root_ISFW) (2/4) window, ensure that the root [NAT] (Management) VDOM is
selected, and then click Next.
9. In the Validate Devices (root_ISFW) (3/4) window, click Install.
10. In the Installation Progress (root_ISFW) (4/4) window, click Finish.

To configure firewall policies in the Zone1 VDOM


1. Click Policy & Objects > Policy Packages > Zone1 > Installation Targets > Edit.
2. In the Available Entries field, select the HQ-ISFW - Zone1 checkbox, move it to the Selected Entries field, and
then click OK.


3. Click Zone1 > Firewall Policy, and then verify the firewall policies that will be installed.

4. Click Install Wizard to install the policies in the Zone1 VDOM.


5. In the Choose What to Install (1/4) window, select the Zone1 policy package, and then click Next.
6. In the Select Devices to Install (Zone1) (2/4) window, ensure that the Zone1 [NAT] VDOM is selected, and then
click Next.
7. In the Validate Devices (Zone1) (3/4) window, click Install.
8. In the Installation Progress (Zone1) (4/4) window, click Finish.

To configure firewall policies in the Zone2 VDOM


1. Click Policy & Objects > Policy Packages > Zone2 > Installation Targets > Edit.
2. In the Available Entries field, select the HQ-ISFW - Zone2 checkbox, move it to the Selected Entries field, and
then click OK.


3. Click Zone2 > Firewall Policy, and then verify the firewall policies that will be installed.

4. Click Install Wizard to install the policies in the Zone2 VDOM.


5. In the Choose What to Install (1/4) window, select the Zone2 policy package, and then click Next.
6. In the Select Devices to Install (Zone2) (2/4) window, ensure that the Zone2 [NAT] VDOM is selected, and then
click Next.
7. In the Validate Devices (Zone2) (3/4) window, click Install.
8. In the Installation Progress (Zone2) (4/4) window, click Finish.

Validate the Communication Between HQ-PC-2 and HQ-PC-3

You will validate the communication between HQ-PC-2 and HQ-PC-3.


To validate the communication from HQ-PC-3 to HQ-PC-2


1. Connect to HQ-PC-3 with the following credentials:
- Username: Administrator
- Password: Fortinet1!
2. Open a terminal window.
3. Enter the following command to ping HQ-PC-2:
ping 10.0.2.51

4. Enter the following command to validate the traceroute to HQ-PC-2:


traceroute 10.0.2.51

You should see the following jumps:


1 10.0.3.254
2 172.16.1.245
3 10.0.2.51

To validate the communication from HQ-PC-2 to HQ-PC-3


1. Connect to HQ-PC-2 with the following credentials:
- Username: Administrator
- Password: Fortinet1!
2. Open a terminal window.
3. Enter the following command to ping HQ-PC-3:
ping 10.0.3.52

4. Enter the following command to validate the traceroute to HQ-PC-3:


traceroute 10.0.3.52

You should see the following jumps:


1 10.0.2.254
2 172.16.1.246
3 10.0.3.52

Validate the Communication From HQ-PC-2 to HQ-Web-1, the Internet, and
4.2.2.2

You will validate that HQ-PC-2 can communicate with HQ-Web-1 and the internet. You will notice in the traceroute
the IP address of the virtual interface—172.16.1.253—that was created using the inter-VDOM link.

To validate the communication from HQ-PC-2 to HQ-Web-1, the internet, and 4.2.2.2
1. Continuing on HQ-PC-2, enter the following commands to ping HQ-Web-1, the internet (www.fortinet.com),
and 4.2.2.2:
ping 10.0.5.11

ping www.fortinet.com

ping 4.2.2.2

2. Enter the following commands to validate the traceroute to HQ-Web-1, the internet (www.fortinet.com), and
4.2.2.2:
traceroute 10.0.5.11

traceroute www.fortinet.com

traceroute 4.2.2.2

You should see the following jumps for 10.0.5.11:


1 10.0.2.254
2 172.16.1.253
3 10.0.12.253
4 10.0.5.11

You should see the following jumps for www.fortinet.com:


1 10.0.2.254
2 172.16.1.253
3 10.0.12.254
4 ...

You should see the following jumps for 4.2.2.2:


1 10.0.2.254
2 172.16.1.253
3 10.0.11.254
4 ...

Notice that the root VDOM will send the traffic to either HQ-DCFW (10.0.12.253),
Core1 (10.0.12.254) or Core2 (10.0.11.254), depending on the destination IP address.
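The static routes created earlier in this exercise and the traceroute hops shown above follow from one longest-prefix lookup per VDOM, because each VDOM is a separate routing instance; the Python model below is an added example, not part of the lab guide. It assumes the root VDOM's route to 10.0.5.0/24 via 10.0.12.253 (taken from the traceroute output) on a hypothetical interface named "upstream", and that the C0/C1 sides follow the A/B naming pattern.

```python
import ipaddress

# Interfaces of HQ-ISFW as (vdom, name) -> IP/prefix, from the lab tables.
# Each VDOM is its own routing instance, so every VDOM a packet crosses
# appears as a hop in a traceroute. C0/C1 sides are assumed to follow the
# A/B pattern (the first VDOM in the table gets the 0 side).
INTERFACES = {
    ("Zone1", "VLAN101"): "10.0.2.254/24",
    ("Zone2", "VLAN102"): "10.0.3.254/24",
    ("root", "A0"): "172.16.1.253/30", ("Zone1", "A1"): "172.16.1.254/30",
    ("Zone1", "B0"): "172.16.1.245/30", ("Zone2", "B1"): "172.16.1.246/30",
    ("root", "C0"): "172.16.1.249/30", ("Zone2", "C1"): "172.16.1.250/30",
}

# Static routes per VDOM as (destination, gateway, interface), from the lab.
# The root VDOM's route to 10.0.5.0/24 is an assumption taken from the
# traceroute output (third hop 10.0.12.253); "upstream" is a hypothetical
# interface name, as the lab does not show the root VDOM's WAN-side config.
STATIC_ROUTES = {
    "Zone1": [("0.0.0.0/0", "172.16.1.253", "A1"),
              ("10.0.3.0/24", "172.16.1.246", "B0")],
    "Zone2": [("10.0.2.0/24", "172.16.1.245", "B1")],
    "root": [("10.0.2.0/24", "172.16.1.254", "A0"),
             ("10.0.5.0/24", "10.0.12.253", "upstream")],
}

# Which (vdom, interface) owns each interface IP: tells whether a gateway is
# the far side of an inter-VDOM link or a device outside HQ-ISFW.
OWNER = {ipaddress.ip_interface(c).ip: vi for vi, c in INTERFACES.items()}


def lookup(vdom, dst):
    """Longest-prefix match over one VDOM's connected and static routes.
    Returns (gateway, interface); gateway is None for a connected subnet."""
    dst = ipaddress.ip_address(dst)
    candidates = []
    for (v, ifname), cidr in INTERFACES.items():
        net = ipaddress.ip_interface(cidr).network
        if v == vdom and dst in net:
            candidates.append((net.prefixlen, None, ifname))
    for dest, gw, ifname in STATIC_ROUTES.get(vdom, []):
        net = ipaddress.ip_network(dest)
        if dst in net:
            candidates.append((net.prefixlen, gw, ifname))
    if not candidates:
        raise LookupError(f"{vdom}: no route to {dst}")
    # On a prefix-length tie the connected route (listed first) wins, as a
    # connected route's distance of 0 beats a static route's 10.
    best = max(candidates, key=lambda c: c[0])
    return best[1], best[2]


def trace(src, dst, max_hops=8):
    """Hops a traceroute from src to dst would show inside HQ-ISFW.

    Each VDOM traversed answers with the IP of the interface the packet
    entered on. The last element is dst when the final VDOM has it as a
    connected subnet, or the external gateway the packet is handed to."""
    src_ip = ipaddress.ip_address(src)
    entry = [(vi, c) for vi, c in INTERFACES.items()
             if src_ip in ipaddress.ip_interface(c).network]
    if not entry:
        raise LookupError(f"no HQ-ISFW interface faces {src}")
    (vdom, _), cidr = entry[0]
    hops = [str(ipaddress.ip_interface(cidr).ip)]
    for _ in range(max_hops):
        gw, _ifname = lookup(vdom, dst)
        if gw is None:                       # connected: deliver locally
            hops.append(dst)
            return hops
        hops.append(gw)
        owner = OWNER.get(ipaddress.ip_address(gw))
        if owner is None:                    # next hop is outside HQ-ISFW
            return hops
        vdom = owner[0]                      # hop into the peer VDOM
    raise RuntimeError("routing loop between VDOMs")


if __name__ == "__main__":
    for s, d in [("10.0.3.52", "10.0.2.51"), ("10.0.2.51", "10.0.3.52"),
                 ("10.0.2.51", "10.0.5.11"), ("10.0.3.52", "10.0.5.11")]:
        try:
            print(s, "->", d, ":", " > ".join(trace(s, d)))
        except LookupError as exc:
            print(s, "->", d, ":", exc)
```

The last case shows why only HQ-PC-2 is tested against the internet: Zone2 has a route to 10.0.2.0/24 over link B but no default route, so a lookup for 10.0.5.11 in Zone2 fails.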

Lab 4: High Availability

In this lab, you will configure VDOM partitioning. Then, you will configure a FortiGate Session Life Support
Protocol (FGSP) cluster inspecting asymmetric traffic with a layer 3 connection, and encrypt the session
synchronization.

Objectives
- Configure virtual clustering on HQ-NGFW-1 and HQ-NGFW-2
- Analyze session handling in VDOM partitioning
- Configure an FGSP cluster with BR1-FGT-1 and BR1-FGT-2 over a layer 3 connection
- Analyze asymmetric traffic across the FGSP cluster
- Configure encryption for the session synchronization

Time to Complete
Estimated: 55 minutes

Prerequisites
Before you begin this lab, you must complete the previous lab. If you haven’t done so, tell your instructor.

Exercise 1: Configuring VDOM Partitioning

In this exercise, you will configure a virtual cluster between HQ-NGFW-1 and HQ-NGFW-2. HA is configured in
active-passive mode between HQ-NGFW-1 and HQ-NGFW-2. Using VDOM partitioning, you will configure virtual
clustering between the Core1 and Core2 VDOMs in a way that traffic for Core1 will be processed by HQ-NGFW-1,
and traffic for Core2 will be processed by HQ-NGFW-2.

Network Topology

Verify the HA Status

Before you configure VDOM partitioning, you will check the HA synchronization status between HQ-NGFW-1 and
HQ-NGFW-2.

To check the HA status
1. Connect to the HQ-NGFW-1 GUI.
2. Log in with the following credentials:
- Username: admin
- Password: Fortinet1!
3. Click Login Read-Only.
4. Click System > HA, and then analyze the information displayed.

Two green check marks indicate that both devices are synchronized with each other. HQ-NGFW-1 is acting as the
primary device and HQ-NGFW-2 is acting as the secondary device.

Ensure that both devices are in sync before moving to the next task.

Configure VDOM Partitioning

You will configure Core1 for virtual cluster 1 and Core2 for virtual cluster 2 using FortiManager.

To configure VDOM partitioning


1. Connect to the FortiManager GUI.
2. Log in with the following credentials:
- Username: admin
- Password: Fortinet1!
3. Click EFW.
4. Click Device Manager > Device & Groups.
5. Click Managed FortiGate > HQ-NGFW > CLI Configurations.
6. Expand system.


7. Click ha.
8. Enable vcluster-status.

9. In the vcluster section, click Create New.

10. Configure the first virtual cluster with the following settings:

Field Value

vcluster-id 1

priority 200

vdom root, Core1

11. Click OK to save the VDOMs in virtual cluster 1.


12. Click OK to save the virtual cluster settings.
13. In the vcluster section, click Create New.
14. Configure the second virtual cluster with the following settings:

vcluster-id 2

priority 50

vdom Core2

15. Click OK to save the VDOM in virtual cluster 2.


16. Click OK to save the virtual cluster settings.
The configuration should be similar to the following example:

You might need to click the gear icon in the upper-right corner to enable the priority
and vdom columns. Once they appear in the table, move them to the left.

17. Click Apply.


18. In the menu at the top, click Install Wizard.
19. Select Install Device Settings (only).
20. Click Next.
21. Confirm that HQ-NGFW is selected, and then click Next.
22. Click Install.
23. Wait until the installation finishes, and then click Finish.

To verify the virtual clustering status


1. Return to the HQ-NGFW-1 GUI, and then click System > HA.
Your HA configuration should look like the following example:


You should see HQ-NGFW-1 as the primary for virtual cluster 1 and HQ-NGFW-2 as the primary for virtual
cluster 2.

Stop and think!

How did HQ-NGFW-2 become the primary for virtual cluster 2?

The default priority for virtual clusters is 128. On HQ-NGFW-1, you configured this priority as 50, which is
lower than the default value. Because the priority is the deciding factor in selecting a primary device in this
setup, the device with the highest priority is elected as the primary for the cluster.

Analyze Traffic Distribution

You will generate traffic by running a continuous ping from HQ-PC-2, and then use the sniffer to analyze traffic
distribution.

To generate traffic
1. On HQ-PC-2, open a terminal session, and then enter the following command to start a continuous ping to 8.8.8.8:
ping 8.8.8.8
2. Open a new terminal session, and then enter the following command to start a continuous ping to 4.2.2.2:
ping 4.2.2.2
3. Keep both terminal windows open and leave the pings running.

To analyze traffic for virtual cluster 1


1. Connect over SSH to HQ-NGFW-1.
2. Log in with the following credentials:
- Username: admin
- Password: Fortinet1!
3. Enter the following commands to view the active ICMP sessions on Core1:
config vdom
edit Core1
get system session list | grep icmp
You should see the session information for the continuous ping going to 8.8.8.8.


To analyze traffic for virtual cluster 2


1. Connect over SSH to HQ-NGFW-1.
2. Log in with the following credentials:
- Username: admin
- Password: password
3. Enter the following commands to view the active ICMP sessions on Core2:
config vdom
edit Core2
get system session list | grep icmp

Stop and think!

Why do you not see traffic destined for 4.2.2.2?

You are sending 4.2.2.2 traffic through Core2, which belongs to virtual cluster 2. HQ-NGFW-2 is the primary
device for virtual cluster 2. You must connect to HQ-NGFW-2 to see traffic destined for 4.2.2.2.

4. Continuing in the same SSH session, enter the following commands to connect to HQ-NGFW-2:
end
config global
execute ha manage 0 admin
5. At the prompt, type the password Fortinet1!, and then press Enter.
6. Enter the following commands to view the active ICMP sessions on Core2:
config vdom
edit Core2
get system session list | grep icmp
You should see session information for the continuous ping going to 4.2.2.2.

7. Close the SSH window.

Perform a Failover and Analyze the Traffic

You will perform a manual failover for virtual cluster 2 by increasing the priority for HQ-NGFW-1. Then, you will
analyze the traffic.

To perform a manual failover


1. Continuing on the FortiManager GUI, click Device Manager > Device & Groups.
2. Click Managed FortiGate > HQ-NGFW > CLI Configurations.
3. Expand system.
4. Click ha.

5. In the vcluster section, select the checkbox for the row with a value of 2 in the vcluster-id column, and then click
Edit.

6. In the priority field, type 150.


7. Click OK.
8. Click Apply.
9. In the menu at the top, click Install Wizard.
10. Select Install Device Settings (only).
11. Click Next.
12. Confirm that HQ-NGFW is selected, and then click Next.
13. Click Install.
14. Wait until the installation finishes, and then click Finish.

To verify the failover


1. Continuing on the HQ-NGFW-1 GUI, click System > HA.
After you change the priority, you should see HQ-NGFW-1 as the primary for both virtual clusters.

To analyze traffic after a failover


1. Connect over SSH to HQ-NGFW-1.
2. Log in with the following credentials:
- Username: admin
- Password: Fortinet1!
3. Enter the following commands to view the active ICMP sessions on Core2:
config vdom
edit Core2
get system session list | grep icmp
You should see that the session for 4.2.2.2 is now active on NGFW-1.


After the failover, HQ-NGFW-1 handles all the traffic for the Core1 and Core2 VDOMs.

4. Close the SSH window.


5. On HQ-PC-2, close the terminal windows.

Exercise 2: Configuring FGSP

In this exercise, you will configure FGSP on BR1-FGT-1 and BR1-FGT-2, which handle asymmetric traffic. Port7
on BR1-FGT-1 and port7 on BR1-FGT-2 are both in the same LAN subnet. You will apply the session
synchronization using a layer 3 connection and analyze the asymmetric traffic.

Network Topology

Configure FGSP

Before you test the session synchronization, you will configure FGSP between BR1-FGT-1 and BR1-FGT-2.

To configure FGSP on BR1-FGT-1


1. Connect over SSH to BR1-FGT-1.
2. Log in with the following credentials:
- Username: admin
- Password: Fortinet1!
3. Enter the following CLI commands to enable FGSP on BR1-FGT-1:
config system standalone-cluster
set standalone-group-id 5

set group-member-id 1
config cluster-peer
edit 1
set peerip 10.1.6.253
next
end
end
4. Type y.
5. Leave the SSH session open.

To configure FGSP on BR1-FGT-2


1. Connect over SSH to BR1-FGT-2.
2. Log in with the following credentials:
- Username: admin
- Password: Fortinet1!
3. Enable FGSP on BR1-FGT-2 following the procedure you used for BR1-FGT-1 and using the following information:

Command Value

standalone-group-id 5

group-member-id 2

peerip 10.1.6.254

The standalone-group-id must be the same value for all members. The ID can be
a value from 1–255. The group-member-id can be a value from 1–15 and must be
different for each member in the same group.

Test ICMP Session Synchronization Between BR1-FGT-1 and BR1-FGT-2

You will test ICMP session synchronization.

To enable ICMP session synchronization


1. Connect over SSH to BR1-FGT-1.
2. Enter the following CLI commands to enable ICMP session synchronization on BR1-FGT-1:
config system ha
set session-pickup enable
set session-pickup-connectionless enable
end
3. Leave the SSH session open.

To test ICMP session synchronization


1. On BR1-PC-1, open a terminal window, type ping 35.183.176.123, and then press Enter.
2. Do not close the terminal window.

3. Connect over SSH to BR1-FGT-2.
4. Log in with the following credentials:
• Username: admin
• Password: Fortinet1!
5. Enter the following command to view the session:
get system session list | grep icmp
The result should be similar to the following output:

6. Connect over SSH to BR1-FGT-1.


7. Enter the following command to view the session:
get system session list | grep icmp
The result should be similar to the following output:

Stop and think!

Why is the ICMP session not synchronized on BR1-FGT-1?

You must configure ICMP synchronization on both members.

FGSP does not synchronize the configuration by default. Here, the traffic is asymmetric, so the configuration
(for example, the firewall policy) is asymmetric as well. Therefore, you cannot use standalone configuration
synchronization.

To enable ICMP session synchronization on BR1-FGT-2


1. Connect over SSH to BR1-FGT-2.
2. Enter the following CLI commands to enable ICMP session synchronization on BR1-FGT-2:
config system ha
set session-pickup enable
set session-pickup-connectionless enable
end
3. Leave the SSH session open.

To confirm ICMP session synchronization


1. On BR1-PC-1, open a terminal window, type ping www.fortinet.com, and then press Enter.
The result should be similar to the following output:
$ ping www.fortinet.com
PING ipv6.lb-2.ca-central-1.aws.waas-online.net (35.182.106.253) 56(84) bytes of data.
64 bytes from ec2-35-182-106-253.ca-central-1.compute.amazonaws.com (35.182.106.253): icmp_seq=1 ttl=50 time=15.2 ms
64 bytes from ec2-35-182-106-253.ca-central-1.compute.amazonaws.com (35.182.106.253): icmp_seq=2 ttl=50 time=15.6 ms
64 bytes from ec2-35-182-106-253.ca-central-1.compute.amazonaws.com (35.182.106.253): icmp_seq=3 ttl=50 time=15.9 ms
2. Connect over SSH to BR1-FGT-1.
3. Enter the following command to view the session:
get system session list | grep icmp
The result should be similar to the following output:

4. On BR1-PC-1, close the terminal sessions.

Analyze the Asymmetric Traffic

You will confirm the asymmetric path that FGSP allowed.

To confirm the asymmetric path through the FGSP cluster


1. Connect over SSH to BR1-FGT-1.
2. Enter the following CLI command to sniff the HTTPS traffic:
diagnose sniffer packet port2 'port 443' 4 6
3. Connect over SSH to BR1-FGT-2.
4. Enter the following CLI command to sniff the HTTPS traffic:
diagnose sniffer packet port3 'port 443' 4 6
5. On BR1-PC-1, open a browser, and then enter the following URL:
www.fortinet.com

6. Return to the BR1-FGT-1 SSH session.


The result should be similar to the following output:

7. Return to the BR1-FGT-2 SSH session.


The result should be similar to the following output:

The sniffer trace confirms that the traffic is exiting from port3 of BR1-FGT-2 and the
return traffic is entering from port2 of BR1-FGT-1.

Stop and think!

The firewall policy configured on BR1-FGT-1 allows only sessions from port4 to port2.

How does BR1-FGT-1 allow the return traffic from port2?

FGSP synchronizes the session over the layer 3 connection, that is, between port7 on BR1-FGT-1 and port7 on
BR1-FGT-2.

To confirm the TCP session with asymmetric traffic that FGSP allowed
1. Connect to BR1-PC-1.
2. Open a browser, and then enter the following URL:
www.fortinet.com

3. Return to the BR1-FGT-1 SSH session, and then enter the following command to view the session information:
get system session list | grep 443
The result should be similar to the following output:

4. In the BR1-FGT-2 SSH session, enter the same command to view the session information:
get system session list | grep 443
The result should be similar to the following output:

Both FortiGate devices show the same TCP session, allowing the asymmetric traffic with FGSP.

The session lists above are extracts, because the full lists have many entries.

You can use http://portquiz.net:8080 instead of www.fortinet.com, and then run the
get system session list | grep 8080 command in the BR1-FGT-1 and BR1-FGT-2 SSH sessions to list the
corresponding TCP sessions. Alternatively, you can use the HQ-FMG-1 VIP address (100.65.0.120) and the
get system session list | grep 100.65.0.120 command in the BR1-FGT-1 and BR1-FGT-2 SSH sessions.

If the session does not appear in the list, refresh the browser page.

To confirm the TCP session FGSP synchronized


1. Connect to BR1-PC-1.
2. Open a browser, and then enter the following URL:
http://portquiz.net:8080

3. Return to the BR1-FGT-1 SSH session, and then enter the following command to view the session information:
diagnose sys session filter dport 8080
diagnose sys session list
The result should be similar to the following output:

4. Return to the BR1-FGT-2 SSH session, and then enter the following command to view the session information:
diagnose sys session filter dport 8080
diagnose sys session list
The result should be similar to the following output:

The BR1-FGT-2 session list shows a synced flag, which means that BR1-FGT-2 has
synchronized these sessions to its peer (BR1-FGT-1).

The BR1-FGT-1 session list confirms this: it shows a syn_ses flag for the same sessions.
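To read those flags across a long session list without scanning entry by entry, here is an added Python example (not from the lab guide and not a Fortinet tool) that parses diagnose sys session list output and groups each session as owned and pushed to the peer (synced), received from the peer (syn_ses), or not synchronized at all. The sample records are constructed; their line layout, addresses and ports are assumptions modelled on FortiOS output. To use it on a real dump, paste the captured text in place of SAMPLE_OUTPUT or pass it to summarize().

```python
"""Classify FortiOS 'diagnose sys session list' records by their FGSP sync flag.

Added example, not part of the lab guide. The record layout is an assumption
modelled on FortiOS output: a 'session info:' header line per session, a
'state=' line with space-separated flags, and 'hook=' lines carrying the
original and reply tuples.
"""
import re

# Constructed sample (not captured from the lab devices). Three records as one
# FGSP member might show them: a TCP session it created and pushed to its peer
# ("synced"), a TCP session it received from the peer ("syn_ses"), and an ICMP
# session carrying no sync flag at all. Addresses and ports are made up.
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 use=3
state=log may_dirty synced
hook=post dir=org act=snat 10.1.10.10:51000->203.0.113.10:443(100.64.1.2:51000)
hook=pre dir=reply act=dnat 203.0.113.10:443->100.64.1.2:51000(10.1.10.10:51000)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 use=3
state=log may_dirty syn_ses
hook=post dir=org act=snat 10.1.10.10:51001->203.0.113.10:8080(100.64.1.2:51001)
hook=pre dir=reply act=dnat 203.0.113.10:8080->100.64.1.2:51001(10.1.10.10:51001)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=1 proto_state=00 duration=2 expire=58 timeout=60 flags=00000000 use=3
state=may_dirty
hook=post dir=org act=snat 10.1.10.10:1->35.183.176.123:8(100.64.1.2:62000)
hook=pre dir=reply act=dnat 35.183.176.123:0->100.64.1.2:62000(10.1.10.10:1)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

# Original-direction tuple "<src:port>-><dst:port>", optionally followed by the
# NAT address in parentheses.
ORG_TUPLE_RE = re.compile(r"hook=\S+ dir=org act=\S+ ([^\s>]+)->([^\s(]+)")
PROTO_RE = re.compile(r"proto=(\d+)")


def parse_sessions(text):
    """Split the CLI dump into records, keeping only the fields used here."""
    records = []
    current = None
    for line in text.splitlines():
        if line.startswith("session info:"):
            m = PROTO_RE.search(line)
            current = {"proto": int(m.group(1)) if m else None,
                       "flags": set(), "src": None, "dst": None}
            records.append(current)
        elif current is None:
            continue  # header noise before the first record
        elif line.startswith("state="):
            current["flags"] = set(line[len("state="):].split())
        elif line.startswith("hook=") and " dir=org " in line:
            m = ORG_TUPLE_RE.search(line)
            if m:
                current["src"], current["dst"] = m.group(1), m.group(2)
    return records


def sync_state(record):
    """Name the sync state the way the lab reads the flags: 'synced' on the
    member that owns the session, 'syn_ses' on the member that received it."""
    if "synced" in record["flags"]:
        return "owner-synced"
    if "syn_ses" in record["flags"]:
        return "received-from-peer"
    return "local-only"


def summarize(text):
    """Return (rows, counts): one (src, dst, proto, state) row per session and
    a count per sync state."""
    rows = [(r["src"], r["dst"], r["proto"], sync_state(r)) for r in parse_sessions(text)]
    counts = {}
    for row in rows:
        counts[row[3]] = counts.get(row[3], 0) + 1
    return rows, counts


def unsynced_sessions(text, dport):
    """Sessions to the given destination port that carry no sync flag. Once
    session-pickup is enabled on both members, these are the sessions whose
    return traffic the other member cannot match."""
    return [r for r in parse_sessions(text)
            if r["dst"] and r["dst"].endswith(f":{dport}") and sync_state(r) == "local-only"]


if __name__ == "__main__":
    rows, counts = summarize(SAMPLE_OUTPUT)
    for src, dst, proto, state in rows:
        print(f"proto={proto:<2} {src:>22} -> {dst:<22} {state}")
    print(counts)
```

Sessions that stay local-only after session-pickup is enabled on both members are the ones to look at: as the sniffer trace in this exercise shows, the return path can cross the other member, and without a synchronized session that member has no policy match for the reply.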

Exercise 3: Encrypting the Session Synchronization

In this exercise, you will examine the protocol that handles the layer 3 session synchronization. Then, you will
configure the encryption of the session synchronization.

Encrypt the Session Synchronization

You will verify the protocol that handles the session synchronization, and then configure the encryption.

To verify the protocol handling the session synchronization


1. Connect over SSH to BR1-FGT-1.
2. Log in with the following credentials:
• Username: admin
• Password: Fortinet1!
3. Enter the following CLI command:
diagnose sniffer packet port7 '' 1 6
The result should be similar to the following output:

By default, the session synchronization over a layer 3 connection is encapsulated in UDP packets.

To configure session synchronization encryption


1. Continuing in the BR1-FGT-1 SSH session, enter the following commands to enable encryption:
config system standalone-cluster
set encryption enable
set psksecret fortinet
end
2. Connect over SSH to BR1-FGT-2.
3. Log in with the following credentials:
• Username: admin
• Password: Fortinet1!
4. Enter the following commands to enable encryption:
config system standalone-cluster
set encryption enable
set psksecret fortinet
end

To verify session synchronization encryption


1. Continuing in the BR1-FGT-2 SSH session, enter the following command:
diagnose sniffer packet port7 '' 1 6
The result should be similar to the following output:

2. Enter the following command:
diagnose vpn tunnel list
The result should be similar to the following output:

The session synchronization over layer 3 is now encapsulated in ESP packets and
therefore encrypted in the SESSYNC_1 IPsec tunnel.

3. Close the SSH windows.

Lab 5: Dynamic Routing Protocols

In this lab, on FortiManager, you will configure the FortiGate devices to use OSPF as the dynamic routing protocol
for the enterprise network. You will also configure BGP on NGFW and use a loopback interface as a BGP source
on BR1-FGT-2.

Objectives
• Use OSPF to dynamically distribute the routes in an enterprise network
• Configure OSPF equal-cost multi-path (ECMP)
• Configure BGP using a FortiManager BGP template
• Implement a loopback interface as a BGP source

Time to Complete
Estimated: 60 minutes

Prerequisites
Before you begin this lab, you must complete the previous lab. If you haven’t done so, tell your instructor.

Which Network Segment Will You Work On?


On FortiManager, you will configure OSPF between the HQ-ISFW, HQ-DCFW, and HQ-NGFW FortiGate devices.
Then, you will enable BGP between HQ-NGFW Core1 and Core2 using FortiManager, and configure BGP on
BR1-FGT-2 using a loopback interface.

Exercise 1: Configuring OSPF With ECMP

In this exercise, you will configure OSPF on the three FortiGate devices that are part of the hub network: HQ-
ISFW, HQ-DCFW, and HQ-NGFW. The objective is to remove all static routes from the three firewalls and use
only OSPF to route traffic internally. You will use three OSPF areas and enable the rfc1583-compatible setting to
provide OSPF ECMP for external routes.

Configure OSPF on HQ-DCFW

First, you will configure OSPF on HQ-DCFW. Next, you will remove the static routes. Finally, you will install the
changes.

To configure OSPF on HQ-DCFW
1. Log in to the FortiManager GUI with the following credentials:
• Username: admin
• Password: Fortinet1!
2. Click EFW.
3. Click Device Manager.
4. Click Device & Groups > Managed FortiGate > HQ-DCFW > Feature Visibility.

5. On the Global Feature Visibility tab, in the Network section, click OSPF.

By default, the OSPF settings are hidden on the FortiManager GUI.

6. Click OK.
7. Click Device & Groups > Managed FortiGate > HQ-DCFW > Network > OSPF.
8. Configure the following settings:

Field      Value
Router ID  0.0.0.2
Areas      0.0.0.0
Networks   10.0.5.0/24 and 10.0.12.0/24

The configuration should look like the following image:

9. Click Apply.

To remove the static routes


1. Continuing on the FortiManager GUI, click Network > Static Routes.
2. Select the checkbox for the static route used to route internal traffic (don’t select the default routes), and then click
Delete.

3. Click OK to confirm.

To install the configuration changes


1. Continuing on the FortiManager GUI, click Install Wizard.
2. Verify that Install Device Settings (only) is selected, and then click Next.
3. Verify that only HQ-DCFW is selected, and then click Next.
4. Click Install.

5. Wait until the installation finishes.
6. Click Finish.

Configure OSPF on HQ-ISFW

You will configure OSPF on the HQ-ISFW Zone1 VDOM and root VDOM through FortiManager. Try to do this
yourself using the procedure you followed to configure OSPF on HQ-DCFW.

To configure OSPF on the HQ-ISFW Zone1 VDOM


1. Continuing on the FortiManager GUI, in the Managed FortiGate list, click HQ-ISFW > Zone1.
2. Click Network > OSPF.
3. Configure the following settings:

Field      Value
Router ID  0.0.0.4
Areas      0.0.0.1 (with the type STUB)
Networks   172.16.1.252/30 (for area 0.0.0.1)
           10.0.2.0/24 (for area 0.0.0.1)

The configuration should look like the following image:

The area type is STUB because there is no further routing expected with the Zone2 VDOM.

4. Click Apply.
5. Click Network > Static Routes.
6. Delete the static route used to route internal traffic (don’t delete the default route).

7. Install the configuration changes for the HQ-ISFW Zone1 VDOM.

To configure OSPF on the HQ-ISFW root VDOM


1. Continuing on the FortiManager GUI, in the Managed FortiGate list, click HQ-ISFW > root > Network > OSPF.
2. Configure the following settings:

Field      Value
Router ID  0.0.0.3
Areas      0.0.0.0 (with the type Regular)
           0.0.0.1 (with the type STUB)
           0.0.0.2 (with the type Regular)
Networks   10.0.12.0/24 (for area 0.0.0.0)
           172.16.1.252/30 (for area 0.0.0.1)
           10.0.11.0/24 (for area 0.0.0.2)

The configuration should look like the following image:

The HQ-ISFW root VDOM router is connected to multiple areas and is therefore an area
border router (ABR).

3. Click Apply.
4. Delete the two static routes used to route internal traffic (don’t delete the default route or the route to
4.2.2.2/255.255.255.255).

5. Install the configuration changes for the HQ-ISFW root VDOM.

Configure OSPF on HQ-NGFW

You will configure OSPF on the HQ-NGFW Core1 VDOM and Core2 VDOM through FortiManager. Try to do this
yourself using the procedure you followed to configure OSPF on HQ-DCFW and HQ-ISFW.

To configure OSPF on the Core1 VDOM


1. Continuing on the FortiManager GUI, in the Managed FortiGate list, click HQ-NGFW > Core1 > Network > OSPF.
2. Configure the following settings:

Field      Value
Router ID  0.0.0.5
Areas      0.0.0.0
Networks   10.0.12.0/24

The configuration should look like the following image:

3. In the Redistribute section, select the static checkbox, and then click Edit.

The Core1 VDOM has a static route preconfigured to reach the IP address
100.75.5.1. You will enable the static route redistribution to import it into OSPF.

4. Enable Status, and then click OK.


The configuration should look like the following image:

5. Click Apply.
6. Delete the two static routes used to route internal traffic (don’t delete the default route or the route to
100.75.5.1/255.255.255.255).

7. Install the configuration changes for the HQ-NGFW Core1 VDOM.

To configure OSPF on the Core2 VDOM


1. Continuing on the FortiManager GUI, in the Managed FortiGate list, click HQ-NGFW > Core2 > Network > OSPF.
2. Configure the following settings:

Field      Value
Router ID  0.0.0.6
Areas      0.0.0.2
Networks   10.0.11.0/24 (for area 0.0.0.2)

The configuration should look like the following image:

3. In the Redistribute section, select the static checkbox, and then click Edit.

The same static route to reach the IP address 100.75.5.1 is preconfigured in the
Core2 VDOM. You will enable the static route redistribution to import it into OSPF.

4. Enable Status, and then click OK.


The configuration should look like the following image:

5. Click Apply.
6. Delete the static route used to route internal traffic (don’t delete the default route or the route to
100.75.5.1/255.255.255.255).

7. Install the configuration changes for the HQ-NGFW Core2 VDOM.

Check the OSPF Status on the HQ-ISFW Root VDOM

You will run OSPF diagnostic commands on the HQ-ISFW root VDOM to verify OSPF operation.

To check the OSPF status on the HQ-ISFW root VDOM


1. Connect over SSH to HQ-ISFW.
2. Log in with the following credentials:
• Username: admin
• Password: Fortinet1!
3. Enter the following commands:
config vdom
edit root
get router info ospf neighbor
You should see four neighbors: HQ-DCFW, the HQ-NGFW Core1 and Core2 VDOMs, and the HQ-ISFW
Zone1 VDOM. The State column should display Full.

Stop and think!

Can you identify from this output what the designated router (DR) is?

The State of the DR is displayed as Full/DR. If neither of the routers in the backbone area displays this
state, the DR is the local FortiGate. In this case, the DR is HQ-DCFW.

4. Enter the following command:


get router info ospf status
The output should be similar to the following output:

This confirms that the HQ-ISFW root VDOM is connected to three OSPF areas and is
therefore an ABR. You can also see that OSPF ECMP (defined with the
RFC1583Compatibility flag) is disabled by default.

5. Enter the following command:


get router info routing-table all

You should see that the ISFW root VDOM has learned the routes to the 10.0.5.0/24 and 10.0.2.0/24
subnets through OSPF.

Stop and think!

Why is the external route to 100.75.5.1/32 available only through the NGFW Core2 VDOM, meaning
10.0.11.254?

This is because the OSPF ECMP rfc1583-compatible setting is disabled by default.

Enable OSPF ECMP on the HQ-ISFW Root VDOM

You will enable and install OSPF ECMP on the HQ-ISFW root VDOM.

To enable OSPF ECMP on the HQ-ISFW root VDOM


1. Log in to the FortiManager GUI with the following credentials:
• Username: admin
• Password: Fortinet1!
2. Click EFW.
3. Click Device Manager.
4. Click Device & Groups.
5. In the Managed FortiGate list, click HQ-ISFW > root > Network > OSPF.
6. Click Advanced Options.
7. Enable rfc1583-compatible.
The configuration should look like the following image:

8. Click Apply.

To install the configuration changes


1. Continuing on the FortiManager GUI, in the menu at the top, click Install Wizard.
2. Verify that Install Device Settings (only) is selected, and then click Next.
3. Verify that only HQ-ISFW and root [NAT] (Management) are selected, and then click Next.
4. Click Install.
5. Wait until the installation finishes.
6. Click Finish.

Enable OSPF ECMP on HQ-NGFW

You will enable and install OSPF ECMP on the HQ-NGFW Core1 and Core2 VDOMs.

Take the Expert Challenge!


On FortiManager, enable and install OSPF ECMP on the HQ-NGFW Core1 and Core2 VDOMs using the
procedure you followed to enable the rfc1583-compatible setting on the HQ-ISFW root VDOM.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Check Connectivity on page 99.

To enable OSPF ECMP on the HQ-NGFW Core1 VDOM
1. Continuing on the FortiManager GUI, in the Managed FortiGate list, click HQ-NGFW > Core1 > Network > OSPF.
2. Click Advanced Options.
3. Enable rfc1583-compatible.
4. Click Apply.

To enable OSPF ECMP on the HQ-NGFW Core2 VDOM


1. Continuing on the FortiManager GUI, in the Managed FortiGate list, click HQ-NGFW > Core2 > Network > OSPF.
2. Click Advanced Options.
3. Enable rfc1583-compatible.
4. Click Apply.

To install the configuration changes


1. Continuing on the FortiManager GUI, in the menu at the top, click Install Wizard.
2. Verify that Install Device Settings (only) is selected, and then click Next.
3. Verify that only the HQ-NGFW, Core1 [NAT], and Core2 [NAT] checkboxes are selected, and then click Next.

4. Click Install.
5. Wait until the installation finishes.
6. Click Finish.

Verify OSPF ECMP

You will verify that the HQ-ISFW root VDOM has multiple routes to the same destination with different next hops.

To verify OSPF ECMP on the HQ-ISFW root VDOM


1. Connect over SSH to HQ-ISFW.
2. Log in with the following credentials:
• Username: admin
• Password: Fortinet1!
3. Enter the following commands:
config vdom
edit root
get router info ospf status
The output should be similar to the following output:

4. Enter the following command:


get router info routing-table all
The output should be similar to the following output:

With OSPF ECMP enabled, the HQ-ISFW root VDOM can now load balance the traffic
to 100.75.5.1/32 with the two routes of the same cost installed with the OSPF
protocol.
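Checking for that second next hop by eye works for one prefix; the following Python script is an added example (not from the lab guide, not a Fortinet tool) that reads the text of get router info routing-table all and reports every prefix installed with more than one next hop, which is exactly what ECMP produces. The sample table is constructed: 10.0.11.254 is the Core2 address given in the exercise, while 10.0.12.254 for Core1, 10.0.12.2 for HQ-DCFW, the port names and the line layout are assumptions modelled on FortiOS output. verify_ecmp() encodes the expected result of this exercise so it can be rerun after any routing change.

```python
"""Find equal-cost (ECMP) entries in FortiOS 'get router info routing-table all' output.

Added example, not part of the lab guide. The line layout is an assumption
modelled on FortiOS: one line per route with a code column, the prefix,
[distance/metric] and the next hop; an ECMP route lists each further next hop
on a following line that starts with whitespace and 'via'.
"""
import re

# Constructed sample (not captured from HQ-ISFW). 10.0.11.254 is the Core2
# address given in the exercise; 10.0.12.254 for Core1, 10.0.12.2 for HQ-DCFW
# and the port names are assumptions.
SAMPLE_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.0.12.254, port2, [1/0]
S       4.2.2.2/32 [10/0] via 10.0.11.254, port3, [1/0]
O IA    10.0.2.0/24 [110/2] via 172.16.1.253, port5, 00:10:22
O       10.0.5.0/24 [110/2] via 10.0.12.2, port2, 00:10:22
C       10.0.11.0/24 is directly connected, port3
C       10.0.12.0/24 is directly connected, port2
C       172.16.1.252/30 is directly connected, port5
O E2    100.75.5.1/32 [110/10] via 10.0.12.254, port2, 00:05:01
                               via 10.0.11.254, port3, 00:05:01
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+(?: [A-Z0-9]+)?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?: \[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"(?: via (?P<gw>\S+), (?P<dev>[^,]+)| is directly connected, (?P<cdev>\S+))"
)
# Continuation line of an ECMP route: only the extra next hop, indented.
CONT_RE = re.compile(r"^\s+via (?P<gw>\S+), (?P<dev>[^,]+)")


def parse_routes(text):
    """Return {prefix: {"code", "ad", "metric", "nexthops": [(gateway, interface), ...]}}."""
    routes = {}
    last = None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            last = {
                "code": m.group("code"),
                "ad": int(m.group("ad") or 0),
                "metric": int(m.group("metric") or 0),
                "nexthops": [(m.group("gw") or "direct", m.group("dev") or m.group("cdev"))],
            }
            routes[m.group("prefix")] = last
            continue
        c = CONT_RE.match(line)
        if c and last is not None:
            last["nexthops"].append((c.group("gw"), c.group("dev")))
    return routes


def ospf_routes(text):
    """Prefixes learned through OSPF (intra-area, inter-area or external)."""
    return [p for p, r in parse_routes(text).items() if r["code"].startswith("O")]


def ecmp_routes(text):
    """Prefixes installed with more than one next hop, i.e. load-balanced."""
    return {p: r["nexthops"] for p, r in parse_routes(text).items() if len(r["nexthops"]) > 1}


def verify_ecmp(text, prefix, expected_gateways):
    """True when the prefix is present and its next-hop gateways are exactly the
    expected set; intended as a post-change check."""
    route = parse_routes(text).get(prefix)
    return route is not None and {gw for gw, _ in route["nexthops"]} == set(expected_gateways)


if __name__ == "__main__":
    for prefix, hops in ecmp_routes(SAMPLE_TABLE).items():
        print(prefix, "->", ", ".join(f"{gw} via {dev}" for gw, dev in hops))
    print("100.75.5.1/32 ECMP as expected:",
          verify_ecmp(SAMPLE_TABLE, "100.75.5.1/32", {"10.0.12.254", "10.0.11.254"}))
```

Before rfc1583-compatible is enabled, the same script run on the earlier output of this exercise would list no ECMP entry for 100.75.5.1/32, only the single next hop through 10.0.11.254.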

Check the OSPF Status on HQ-DCFW and HQ-NGFW

You will run OSPF diagnostic commands on HQ-DCFW and HQ-NGFW to verify OSPF operation.

Take the Expert Challenge!

1. Connect over SSH to HQ-DCFW.


2. Enter the following commands to verify OSPF operation on HQ-DCFW:
• get router info ospf neighbor
• get router info routing-table all
3. Connect over SSH to HQ-NGFW.
4. Enter the following commands to verify OSPF operation on the HQ-NGFW Core1 and Core2 VDOMs:
• get router info ospf neighbor
• get router info routing-table all
After you complete the challenge, see Check Connectivity on page 99.

Check Connectivity

You will confirm that the FortiGate devices are routing traffic correctly by running a ping from HQ-PC-2 to HQ-Web-1.

To check connectivity
1. On HQ-PC-2, open a terminal window.
2. Run a ping to HQ-Web-1 (10.0.5.11).
The ping should succeed, which confirms that the FortiGate devices are correctly routing the traffic between
the 10.0.2.0/24 and 10.0.5.0/24 subnets.

3. Run a traceroute to www.fortinet.com and 4.2.2.2:
traceroute www.fortinet.com
traceroute 4.2.2.2

The traceroute should succeed, which confirms that the OSPF protocol is correctly handling your internal
enterprise network routing.

4. Close the terminal windows.

Exercise 2: Configuring BGP

HQ-NGFW has two connections to the internet—one using port2 in the Core1 VDOM and the other using port3 in
the Core2 VDOM. You will configure BGP on HQ-NGFW so Core1 and Core2 become BGP peers.

Configure BGP on FortiManager

You will create metadata variables and use them in a BGP template. Then, you will install the template in the two
VDOMs, Core1 and Core2.

To create metadata variables


1. Log in to the FortiManager GUI with the following credentials:
• Username: admin
• Password: Fortinet1!
2. Click EFW.
3. Click Policy & Objects > Advanced.
4. Click Metadata Variables, and then click Create New.
5. In the Name field, type Neighbor_IP.
6. Click Per-Device Mapping, and then click Create New.
7. In the Mapped Device field, select HQ-NGFW [Core1].
8. In the Value field, type 100.66.0.101.
9. Click OK.
10. Create a second Per-Device Mapping with the following settings:

Field          Value
Mapped Device  HQ-NGFW [Core2]
Value          100.65.0.101

11. Click OK.


The configuration should look like the following image:

12. Click OK.


13. Click Create New to create a second metadata variable.
14. In the Name field, type Router_ID.
15. Click Per-Device Mapping, and then click Create New.
16. Create a Per-Device Mapping with the following settings:

Field          Value
Mapped Device  HQ-NGFW [Core1]
Value          172.16.1.1

17. Create a second Per-Device Mapping with the following settings:

Field          Value
Mapped Device  HQ-NGFW [Core2]
Value          172.16.2.1

The configuration should look like the following image:

18. Click OK.


19. Click Create New to create a third metadata variable.
20. In the Name field, type AS.
21. Click Per-Device Mapping, and then click Create New.
22. Create a Per-Device Mapping with the following settings:

Field          Value
Mapped Device  HQ-NGFW [Core1]
Value          65100

23. Create a second Per-Device Mapping with the following settings:

Field          Value
Mapped Device  HQ-NGFW [Core2]
Value          65200

The configuration should look like the following image:

24. Click OK.


25. Click Create New to create a fourth metadata variable.
26. In the Name field, type Remote_AS.
27. Click Per-Device Mapping, and then click Create New.
28. Create a Per-Device Mapping with the following settings:

Field          Value
Mapped Device  HQ-NGFW [Core1]
Value          65200

29. Create a second Per-Device Mapping with the following settings:

Field          Value
Mapped Device  HQ-NGFW [Core2]
Value          65100

The configuration should look like the following image:

30. Click OK.

To display the BGP settings on the FortiManager GUI


1. Continuing on the FortiManager GUI, click Device Manager > Provisioning Templates.

By default, the BGP settings are hidden on the FortiManager GUI. You will enable
them in the Feature Visibility section.

2. Click Feature Visibility.


3. Select the BGP checkbox.

4. Click OK.

To configure BGP
1. Continuing on the FortiManager GUI, in the menu at the top, click BGP.
2. Click Create New.

3. Configure the following settings:

Field      Value
Name       BGP_NGFW
Local AS   $(AS)
Router ID  $(Router_ID)

4. Create a neighbor with the following settings:

Field          Value
IP             $(Neighbor_IP)
Remote AS      $(Remote_AS)
Connect Timer  120

When you type $ in the Local AS, Router ID, IP, or Remote AS field, you can select (AS), (Router_ID),
(Neighbor_IP), or (Remote_AS) from the metadata variables list that appears.

5. Expand Advanced Options, and then enable ebgp-enforce-multihop.

Because Core1 and Core2 are not directly connected, you must enable multihop in the
BGP configuration.

6. Click OK.
The configuration should look like the following image:

7. Click OK.
8. Select the BGP_NGFW checkbox, and then click Assign to Device/Group.

9. Move HQ-NGFW [Core1] and HQ-NGFW [Core2] from the Available Entries field to the Selected Entries field,
and then click OK.

To install the BGP configuration
1. Continuing on the FortiManager GUI, click Install Wizard.
2. Verify that Install Device Settings (only) is selected, and then click Next.
3. Verify that the HQ-NGFW, Core1 [NAT], and Core2 [NAT] checkboxes are selected, and then click Next.
4. Click Install.
5. Wait until the installation finishes.
6. Click Finish.

You can check the installation and BGP status in the two VDOMs—Core1 and Core2—using the following commands:
get router info bgp summary
get router info bgp neighbors
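As an added example (not part of the lab guide and not FortiManager code), the following Python script expands the BGP_NGFW template with the four metadata variables created above, using the same $(Name) placeholder syntax, so you can see the config router bgp CLI each VDOM receives. It also checks the one thing a swapped mapping would break: the Remote_AS of each VDOM must equal the AS of the other. The template text is an assumption that uses the FortiOS settings this exercise configures (as, router-id, neighbor remote-as, connect-timer, ebgp-enforce-multihop), not FortiManager's actual rendering.

```python
"""Render the BGP_NGFW provisioning template per VDOM and sanity-check the peering.

Added example, not part of the lab guide or of FortiManager. TEMPLATE is an
assumption built from the FortiOS 'config router bgp' settings the exercise
configures; the metadata values are the ones created in the exercise.
"""
import re

# Template body using the same $(Name) placeholders as the FortiManager BGP template.
TEMPLATE = """\
config router bgp
    set as $(AS)
    set router-id $(Router_ID)
    config neighbor
        edit "$(Neighbor_IP)"
            set remote-as $(Remote_AS)
            set connect-timer 120
            set ebgp-enforce-multihop enable
        next
    end
end
"""

# Per-device mappings exactly as created in this exercise.
METADATA = {
    "Neighbor_IP": {"HQ-NGFW [Core1]": "100.66.0.101", "HQ-NGFW [Core2]": "100.65.0.101"},
    "Router_ID":   {"HQ-NGFW [Core1]": "172.16.1.1",   "HQ-NGFW [Core2]": "172.16.2.1"},
    "AS":          {"HQ-NGFW [Core1]": "65100",        "HQ-NGFW [Core2]": "65200"},
    "Remote_AS":   {"HQ-NGFW [Core1]": "65200",        "HQ-NGFW [Core2]": "65100"},
}

VAR_RE = re.compile(r"\$\((\w+)\)")


def render(template, metadata, device):
    """Substitute every $(Name) with the device's mapped value. A missing
    mapping raises instead of silently installing a literal '$(...)'."""
    def lookup(match):
        name = match.group(1)
        if name not in metadata or device not in metadata[name]:
            raise KeyError(f"no per-device mapping for $({name}) on {device}")
        return metadata[name][device]
    return VAR_RE.sub(lookup, template)


def unresolved(rendered):
    """Placeholder names still present in rendered output (should be empty)."""
    return VAR_RE.findall(rendered)


def check_peering(metadata, dev_a, dev_b):
    """Return a list of AS mismatches between the two VDOMs; empty means the
    pair agrees and the eBGP session can reach Established."""
    problems = []
    for me, peer in ((dev_a, dev_b), (dev_b, dev_a)):
        mine = metadata["Remote_AS"][me]
        theirs = metadata["AS"][peer]
        if mine != theirs:
            problems.append(f"{me} expects remote AS {mine} but {peer} uses AS {theirs}")
    return problems


if __name__ == "__main__":
    devices = ("HQ-NGFW [Core1]", "HQ-NGFW [Core2]")
    for dev in devices:
        print(f"# {dev}")
        print(render(TEMPLATE, METADATA, dev))
    print(check_peering(METADATA, *devices) or "peering AS numbers are consistent")
```

The same check applies when you add the BR1-FGT-2 neighbor in the next exercise: its remote-as must match the AS of the Core2 VDOM, and the Core2 neighbor entry must carry BR1-FGT-2's AS.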

Exercise 3: Configuring a Loopback Interface as a BGP Source

In this exercise, you will create a loopback interface and configure BGP on BR1-FGT-2, and then establish a BGP
connection with the ISP router.

Configure a Loopback Interface as a BGP Source on BR1-FGT-2

Since FortiManager does not manage BR1-FGT-2, you must perform the loopback and BGP configurations on
BR1-FGT-2.

To configure the loopback interface as the BGP source


1. Connect over SSH to BR1-FGT-2.
2. Log in with the following credentials:
• Username: admin
• Password: Fortinet1!
3. Enter the following commands to create the loopback interface:
config system interface
edit Loopback_BR
set vdom root
set ip 100.75.5.1 255.255.255.0
set allowaccess ping
set type loopback
next
end
4. Continuing in the same SSH session, enter the following commands to configure BGP:
config router bgp
set as 65300
set router-id 172.75.5.1
config neighbor
edit 100.66.0.101
set remote-as 65200
set update-source Loopback_BR
next
end
end

To update the BGP configuration on HQ-NGFW Core2


1. Log in to the FortiManager GUI with the following credentials:
• Username: admin
• Password: Fortinet1!
2. Click EFW.
3. Click Device Manager > Provisioning Templates > BGP.

4. Select the BGP_NGFW checkbox, and then click Edit.
5. Create a new neighbor with the following settings:

Field            Value
IP               100.75.5.1
Remote AS        65300
Connect Timer    120

6. Expand Advanced Options, and then enable ebgp-enforce-multihop.


7. Click OK.
The configuration should look like the following image:

8. Click OK.

To install the BGP configuration on Core2


1. Select the BGP_NGFW checkbox, and then click Assign to Device/Group.
2. Move HQ-NGFW-1[Core1] from the Selected Entries field to the Available Entries field, and then click OK.
3. Click Install Wizard.
4. Verify that Install Device Settings (only) is selected, and then click Next.
5. Verify that only the HQ-NGFW and Core2 [NAT] checkboxes are selected, and then click Next.
6. Click Install.
7. Wait until the installation finishes.
8. Click Finish.

Establish the BGP connection

You will verify the BGP status, finalize the BGP configuration, and establish the BGP connection.

To verify the BGP status


1. Connect over SSH to BR1-FGT-2.
2. Log in with the following credentials:
- Username: admin
- Password: Fortinet1!
3. Enter the following command:
get router info bgp neighbors
You should see that the BGP neighbor is not directly connected.

Stop and think!

Why is the peer not directly connected?

Because the BGP session is sourced from a loopback interface, the peer is one hop further away and is not directly connected. You must therefore always enable multihop in a BGP configuration that uses a loopback interface as the source.

To finalize the BGP configuration on BR1-FGT-2


1. Continuing in the same SSH session, enter the following commands to finalize the BGP configuration:
config router bgp
    config neighbor
        edit 100.66.0.101
            set ebgp-enforce-multihop enable
        next
    end
end
2. Enter the following command:
get router info bgp summary
You should see that the BGP connection is established.
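The multihop requirement that the Stop and think! above explains can be caught from the configuration text before the session is even attempted. The following Python script is an added example, not code from the lab guide or from FortiOS: it parses a FortiOS-style config/edit/set listing (the constructed sample repeats the BR1-FGT-2 commands from this exercise), reports any eBGP neighbor whose update-source is a loopback interface but that does not have ebgp-enforce-multihop enabled, and reads the neighbor state out of a get router info bgp summary table. The summary text is constructed and its column layout is an assumption modelled on what FortiOS prints; the State/PfxRcd column shows a prefix count once the session is Established and a state name such as Connect before that.

```python
"""Lint a FortiOS BGP configuration for the loopback-source pitfall from this
exercise, then read neighbor states out of 'get router info bgp summary'.
Added example, not from the lab guide; the sample config and summary output are
constructed (the summary column layout is an assumption)."""
import re

# Constructed: the BR1-FGT-2 configuration as entered in this exercise,
# before ebgp-enforce-multihop is enabled.
SAMPLE_CONFIG = """\
config system interface
    edit Loopback_BR
        set vdom root
        set ip 100.75.5.1 255.255.255.0
        set allowaccess ping
        set type loopback
    next
end
config router bgp
    set as 65300
    set router-id 172.75.5.1
    config neighbor
        edit 100.66.0.101
            set remote-as 65200
            set update-source Loopback_BR
        next
    end
end
"""

# The same configuration after the finalize step of this exercise.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "set update-source Loopback_BR",
    "set update-source Loopback_BR\n            set ebgp-enforce-multihop enable")


def parse_fortios(text):
    """Turn nested FortiOS 'config/edit/set/next/end' text into a dict tree.
    'config a b' and 'edit x' open a nested dict; 'set k v...' stores a string."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        cmd, rest = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(rest).strip('"'), {})
            stack.append(node)
        elif cmd == "set":
            stack[-1][rest[0]] = " ".join(rest[1:]).strip('"')
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def loopback_interfaces(cfg):
    """Names of interfaces configured with 'set type loopback'."""
    return {name for name, attrs in cfg.get("system interface", {}).items()
            if attrs.get("type") == "loopback"}


def lint_bgp(cfg):
    """Findings for eBGP neighbors sourced from a loopback without
    ebgp-enforce-multihop: exactly the state the 'Stop and think!' describes."""
    findings = []
    bgp = cfg.get("router bgp", {})
    loopbacks = loopback_interfaces(cfg)
    for peer, attrs in bgp.get("neighbor", {}).items():
        is_ebgp = attrs.get("remote-as") != bgp.get("as")
        src = attrs.get("update-source")
        multihop = attrs.get("ebgp-enforce-multihop") == "enable"
        if is_ebgp and src in loopbacks and not multihop:
            findings.append(f"neighbor {peer}: eBGP sourced from loopback {src} "
                            f"but ebgp-enforce-multihop is not enabled")
    return findings


# Constructed summary tables: before and after the session comes up.
SUMMARY_CONNECT = """\
VRF 0 BGP router identifier 172.75.5.1, local AS number 65300
BGP table version is 1

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
100.66.0.101    4      65200       0       0        0    0    0 never    Connect

Total number of neighbors 1
"""
SUMMARY_UP = """\
Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
100.66.0.101    4      65200      12      14        3    0    0 00:05:12        2
"""
NEIGHBOR_ROW = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)\s+\d+\s+(?P<asn>\d+)(?:\s+\S+){6}\s+(?P<state>\S+)\s*$")


def neighbor_states(summary):
    """Map peer IP -> 'Established' or the state name in the last column."""
    states = {}
    for line in summary.splitlines():
        m = NEIGHBOR_ROW.match(line)
        if m:
            last = m.group("state")
            states[m.group("peer")] = "Established" if last.isdigit() else last
    return states


if __name__ == "__main__":
    for finding in lint_bgp(parse_fortios(SAMPLE_CONFIG)):
        print("WARN", finding)
    print("after fix:", lint_bgp(parse_fortios(FIXED_CONFIG)))
    print(neighbor_states(SUMMARY_CONNECT), neighbor_states(SUMMARY_UP))
```

Running the script warns about neighbor 100.66.0.101 for the initial configuration, reports no findings for the fixed one, and shows the peer moving from Connect to Established. The same lint can be pointed at a show output saved from any FortiGate.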

You may see the BGP state showing Connect. You can then enter the get router info bgp summary command again to confirm that the BGP connection is established.

Lab 6: Security Profiles

In this lab, you will learn how to solve false positive scenarios in your network. Then, you will learn how to protect
against PHP code injection attacks over encrypted and unencrypted traffic.

Objectives
- Use IPS profiles with clients and servers as targets to protect your network resources
- Use IPS profiles to protect against PHP code injection attacks over unencrypted protocols
- Configure a certificate signed by an internal CA to block code injection occurrences over an encrypted protocol

Time to Complete
Estimated: 55 minutes

Which Network Segment Will You Work On?


You will modify the existing IPS profiles from FortiManager and push the changes to HQ-DCFW.

Prerequisites
Before you begin this lab, you must complete the previous lab. If you haven’t done so, tell your instructor.

Exercise 1: Solving an IPS False Positive

In this exercise, you will learn how to solve false positive scenarios in your network. You will configure IPS profiles
with clients and servers as targets to protect your network resources.

Apply the IPS_Block Security Profile

You will modify the existing DCFW policy in the FortiManager policy package to apply the IPS_Block profile.

To apply the security profile


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Policy & Objects > Policy Packages.
4. Click DCFW > Firewall Policy.
5. Select the checkbox for the To HQ-Web-1 policy, and then click Edit > Edit.

6. Configure the following settings:

Field                     Value
Inspection Mode           Flow-based
Security Profile Status   Enable
Profile Type              Use Standard Security Profiles
IPS                       IPS_Block
SSL/SSH Inspection        certificate-inspection

The configuration should look like the following example:


7. Click OK.

Install the Policy

You will install the policy and object changes on HQ-DCFW.

To install the policy


1. Continuing on the FortiManager GUI, click Install Wizard.
2. In the Install Policy Package & Device Settings window, confirm that the DCFW policy package is selected.
3. Click Next.
4. Confirm that HQ-DCFW is selected, and then click Next.
5. Click Install Preview to see the changes that will be applied to the FortiGate.

6. On the Install Preview page, click Close.
7. Click Install.
8. Wait until the installation finishes.
9. Click Finish.

Test Using hping to HQ-Web-1

You will confirm that HQ-DCFW is not allowing ICMP oversized packets.

To test using hping to HQ-Web-1


1. Connect to HQ-PC-2.
2. On HQ-PC-2, open a terminal window, and then enter the following command to send a jumbo packet to the Linux
server:
sudo hping3 -1 -d 654001 -c 4 10.0.5.11

3. When you are prompted for the student account, enter the password Fortinet1!.

hping3 is the program that is used to generate and send the ICMP packets. -1 instructs hping3 to use ICMP for sending packets. -d 654001 sets the ICMP packet size to 654001 bytes, a size that exceeds the maximum transmission unit (MTU). -c 4 instructs hping3 to send 4 ICMP packets. 10.0.5.11 is the destination IP address for the ICMP packets.

HQ-Web-1 fails to receive packets from HQ-PC-2.


You can see that HQ-DCFW is blocking the jumbo packets, which means that suspected risky traffic is being
blocked according to the assigned IPS profile.

Verify That HQ-DCFW Detects the Jumbo Packets

You will verify that HQ-DCFW detects jumbo packets as a possible attack.

To verify the HQ-DCFW logs


1. Log in to the FortiAnalyzer GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Log View > Logs > Fortinet Logs.
4. Select Security > Intrusion Prevention.

If the Security section does not appear, you can click Log View > Logs again to
refresh the page.

The log may then take a few minutes to appear.

5. In the All Devices drop-down list, select the HQ-DCFW checkbox, and then click OK.


6. Double-click one of the dropped PING logs.


You will notice that the traffic has been blocked by the HQ-DCFW firewall policy with the policy ID 2 and attack
name ICMP.Oversized.Packet. Optionally, you can click the attack name to see more details.

This example of jumbo ICMP packets illustrates a hypothetical scenario where HQ-PC-2 is trying to transfer, connect, or sync an application to HQ-Web-1, and FortiGate mistakenly flags it as intrusive. Such occurrences are common when you use IPS profiles that are aimed at blocking. However, not all flagged traffic is genuinely malicious. It is important to consider the possibility of false positives when you block IPS traffic.

Solve the IPS False Positive

You will modify the IPS_Block profile to allow false positive jumbo packets.

To modify and install the IPS_Block profile


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Policy & Objects > Policy Packages.
4. Click DCFW > Firewall Policy.
5. Select the checkbox for the To HQ-Web-1 policy, and then click Edit > Edit.
6. In the IPS field, click IPS_Block, and then click the Edit icon.

7. In the IPS Signatures and Filters section, click Create New.


8. In the Type field, select Signature.
9. Configure the following settings:

Field            Value
Action           Monitor
Packet logging   Enable
Status           Enable
Signatures       ICMP.Oversized.Packet

10. In the Signatures field, click Add Signature.


11. In the search field, search for ICMP.Oversized.Packet.
12. Select the ICMP.Oversized.Packet signature, and then click Use Selected Signatures.

13. Click OK.
14. Move the ICMP.Oversized.Packet signature to the top of the table.

15. Click OK to save the changes.


16. Click Close to close the Select Entries window.
17. Click OK to save the changes to the policy.

Install the Policy

You will install the policy and object changes on HQ-DCFW.

To install the policy


1. Continuing on the FortiManager GUI, click Install Wizard.
2. In the Install Policy Package & Device Settings window, confirm that the DCFW policy package is selected.
3. Click Next.
4. Confirm that HQ-DCFW is selected, and then click Next.
5. Click Install Preview to see the changes that will be applied to the FortiGate.
6. On the Install Preview page, click Close.
7. Click Install.
8. Click Finish.

Test Using hping to HQ-Web-1

You will confirm that HQ-DCFW is allowing ICMP oversized packets.

To test using hping to HQ-Web-1


1. Connect to HQ-PC-2.
2. On HQ-PC-2, open a terminal window, and then enter the following command to send a jumbo packet to HQ-Web-1:
sudo hping3 -1 -d 654001 -c 4 10.0.5.11

3. When you are prompted for the student account, enter the password Fortinet1!.
HQ-Web-1 is receiving packets from HQ-PC-2.


HQ-DCFW now matches the oversized packets against the new ICMP.Oversized.Packet signature entry, whose action is monitor, so it allows the traffic and also generates a log.

Verify That HQ-DCFW Detects the Jumbo Packets

You will verify that HQ-DCFW detects the jumbo packets and allows the traffic.

To verify the HQ-DCFW logs


1. Log in to the FortiAnalyzer GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Log View > Logs > Fortinet Logs.
4. Select Security > Intrusion Prevention.
5. In the All Devices drop-down list, select the HQ-DCFW checkbox, and then click OK.
6. Double-click one of the detected PING logs.
You will notice that the HQ-DCFW firewall policy with the policy ID 2 and attack name
ICMP.Oversized.Packet allowed the traffic, and the action is detected.

If the log with the detected action does not appear, you can click Log View > Logs
again to refresh the page.


If you encounter scenarios where an IPS signature blocks your native traffic, and an application that you are using is considered hostile, you should set the application signature to monitor, at the top of your rules.

Exercise 2: Protecting Against Unencrypted Attacks

In this exercise, you will learn how to protect against a PHP code injection attack carried over an unencrypted protocol. You will also learn how to identify the issue, and then rectify it using an IPS profile.

Apply the IPS_Monitor Security Profile

You will modify the existing DCFW policy in the FortiManager policy package to apply the IPS_Monitor profile.

To apply the security profile


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Policy & Objects > Policy Packages.
4. Click DCFW > Firewall Policy.
5. Select the checkbox for the To HQ-Web-1 policy, and then click Edit > Edit.
6. Configure the following settings:

Field                Value
IPS                  IPS_Monitor
SSL/SSH Inspection   certificate-inspection

The configuration should look like the following example:


7. Click OK.

Install the Policy

You will install the policy and object changes on HQ-DCFW.

To install the policy


1. Continuing on the FortiManager GUI, click Install Wizard.
2. In the Install Policy Package & Device Settings window, confirm that the DCFW policy package is selected.
3. Click Next.
4. Confirm that HQ-DCFW is selected, and then click Next.
5. Click Install Preview to see the changes that will be applied to the FortiGate.
6. On the Install Preview page, click Close.
7. Click Install.
8. Wait until the installation finishes.
9. Click Finish.

Access the Website

You will test to see if the http://acmetest.com website, which is hosted on HQ-Web-1, is accessible.

To access the website


1. Connect to HQ-PC-2.
2. Open a browser, and then enter the http://acmetest.com URL.
You should be able to access the website, which is hosted on HQ-Web-1.

Simulate the Attack

You will simulate an attack to access the files on HQ-Web-1 using a URL with a PHP code injection.

To simulate the attack
1. Connect to HQ-PC-2.
2. Navigate to Desktop > Resources > Enterprise-FW.
3. Open the PHP injection.txt file.
4. In the Exercise 2 section, copy the URL.
The URL is http://www.acmetest.com/dir_command.php?arg="; echo system('dir'); //.

5. Open a browser, open a new private window, and then paste the URL.

Stop and think!

This HTTP URL triggers the dir command on HQ-Web-1. For example, if you are an administrator user, accessing the URL in an external browser displays the following files:
dir_command.php
index.html
index_old.html

These files are located in the following directory on HQ-Web-1: Other Locations/Computer/var/www/html.

Verify That HQ-DCFW Detects the Attack

You will verify that HQ-DCFW detects the attack.

To verify the HQ-DCFW logs
1. Log in to the FortiAnalyzer GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Log View > Logs > Fortinet Logs.
4. Select Security > Intrusion Prevention.
5. In the All Devices drop-down list, select the HQ-DCFW checkbox, and then click OK.
6. Double-click one of the detected HTTP logs.
You will notice that the HQ-DCFW firewall policy with the policy ID 2 and attack name
PHP.URI.Code.Injection identified the traffic. Optionally, you can click the attack name to see more details.

The attacker was able to successfully run the CLI command on HQ-Web-1 (HTTP) because the IPS profile is set to monitor only.

This injected PHP instruction shows how, without having any access to the remote server, an attacker can attempt to exploit a security vulnerability known as remote code execution (RCE). Specifically, the URL includes a query parameter that injects PHP code. This type of code injection is malicious because attackers can run any CLI command without having administrative credentials for HQ-Web-1.

Block an Attack on Unencrypted Traffic

You will learn how to modify the IPS_Monitor profile to block PHP code injection attacks.

To modify and install the IPS_Monitor profile


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!

2. Click EFW.
3. Click Policy & Objects > Policy Packages.
4. Click DCFW > Firewall Policy.
5. Select the checkbox for the To HQ-Web-1 policy, and then click Edit > Edit.
6. In the IPS field, click IPS_Monitor, and then click the Edit icon.

7. In the IPS Signatures and Filters section, click Create New.


8. Configure the following settings:

Field            Value
Type             Signature
Action           Block
Packet logging   Enable
Status           Enable
Signatures       PHP.URI.Code.Injection

9. Click OK.
10. Move the PHP.URI.Code.Injection signature to the top of the table.

11. Click OK.


12. Click Close to close the Select Entries window.
13. Click OK to save the changes to the policy.

Install the Policy

You will install the policy and object changes on HQ-DCFW.

To install the policy


1. Continuing on the FortiManager GUI, click Install Wizard.
2. In the Install Policy Package & Device Settings window, confirm that the DCFW policy package is selected.
3. Click Next.
4. Confirm that HQ-DCFW is selected, and then click Next.
5. Click Install Preview to see the changes that will be applied to the FortiGate.
6. On the Install Preview page, click Close.
7. Click Install.
8. Click Finish.

Simulate the Attack

You will simulate an attack to access the files on HQ-Web-1 using a URL with a PHP code injection.

To simulate the attack


1. Connect to HQ-PC-2.
2. Navigate to Desktop > Resources > Enterprise-FW.
3. Open the PHP injection.txt file.
4. In the Exercise 2 section, copy the URL.
The URL is http://www.acmetest.com/dir_command.php?arg="; echo system('dir'); //.

5. Open a browser, open a new private window, and then paste the URL.
This time, you can see that the attacker cannot access the HQ-Web-1 file.

Verify That HQ-DCFW Blocks the Attack

You will verify that HQ-DCFW blocks the attack.

To verify the HQ-DCFW logs
1. Log in to the FortiAnalyzer GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Log View > Logs > Fortinet Logs.
4. Select Security > Intrusion Prevention.
5. In the All Devices drop-down list, select the HQ-DCFW checkbox, and then click OK.
6. Double-click one of the HTTP dropped logs.
You will notice that the HQ-DCFW firewall policy with the policy ID 2 and attack name
PHP.URI.Code.Injection blocked the traffic. Optionally, you can click the attack name to see more details.

When an attack like this occurs, one recommendation from the FortiGuard Labs Threat Encyclopedia is to block it. Ensure that you add a signature at the top of the signature list to prioritize blocking this attack. When the PHP URI code is considered malicious, the firewall will drop packets, and the browser will show a connection reset error because the code can no longer pass through the firewall.

Stop and think!

In this exercise, you have used only unencrypted traffic (HTTP) to access HQ-Web-1. What happens if a
code injection occurs over an encrypted protocol? Will a policy with an IPS profile and certificate inspection
be sufficient to analyze HTTPS traffic? In this scenario, FortiGate will detect HTTPS traffic, but it will not
detect an attack. FortiGate will not decrypt packets to analyze if there is a possible attack.

If you use HTTPS (encrypted) traffic, HQ-DCFW will not be able to detect the attack. The attacker will be able
to access the files on HQ-Web-1, as shown in the following example:

When you receive the Potential Security Risk Ahead warning, click Advanced >
Accept the Risk and Continue to access www.acmetest.com (unsafe).

Stop and think!

This HTTPS URL triggers the dir command on HQ-Web-1. Why didn’t HQ-DCFW block the HTTPS
attack?

The PHP.URI.Code.Injection signature is set to block in the profile, but HQ-DCFW cannot open the packet
because the traffic is encrypted, and certificate inspection on its own does not help HQ-DCFW to see the
encrypted traffic.

Exercise 3: Protecting Against Encrypted Attacks

In this exercise, you will learn how to simulate a PHP code injection attack over an encrypted protocol. You will
use a certificate signed by an internal CA to block code injection occurrences over an encrypted protocol.

Create a Dynamic Local Certificate and an SSL/SSH Profile

You will learn how to block attacks carried in encrypted packets on FortiGate. To do this, your SSL/SSH inspection profile must protect the SSL server, using the server's own certificate.

To create a dynamic local certificate


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Policy & Objects > Advanced.
4. Click Tools > Feature Visibility.

5. In the Advanced section, enable Dynamic Local Certificate.


6. Click OK.
7. Click Dynamic Local Certificate > Create New.
Configure the following settings:

Field                Value
Name                 Enable_HTTPS
Per-Device Mapping   HQ-DCFW
Local Certificate    acmetest

The acmetest certificate that you are using in this exercise was created in Lab 2,
Exercise 1.

8. Click OK.
9. Click OK again to save the changes.
The configuration should look like the following example:

To create an SSL/SSH inspection profile


1. Click Policy & Objects > Security Profiles > SSL/SSH Inspection.

2. Click Create New.


Configure the following settings:

Field                      Value
Name                       HTTPS_Profile
Enable SSL Inspection of   Protecting SSL Server
Server Certificate         Enable_HTTPS

The configuration should look like the following example:


3. Click OK to save the profile.

Stop and think!

Why did you have to dynamically map the local certificate? When you have a local certificate, you cannot
use it directly in the policy layer. The local certificate exists only in the device layer. To use the device layer
local certificate in the policy layer, you must use dynamic mapping.

Block an Attack on Encrypted Traffic

You will learn how to modify the policy to use the certificate that you created in the previous task to block a PHP
code injection attack on encrypted traffic.

To modify and install the policy


1. Continuing on the FortiManager GUI, click Policy & Objects > Policy Packages.
2. Click DCFW > Firewall Policy.
3. Select the To HQ-Web-1 policy, and then click Edit > Edit.
4. In the Inspection Mode field, select Proxy-based.
5. Click SSL/SSH Inspection > certificate-inspection.
6. Select HTTPS_Profile > Close.
7. Click OK to save the changes.
The policy configuration should look like the following example:

8. Continuing on the FortiManager GUI, click Install Wizard.


9. In the Install Policy Package & Device Settings window, confirm that the DCFW policy package is selected.
10. Click Next.

11. Confirm that HQ-DCFW is selected, and then click Next.
12. Click Install Preview to see the changes that will be applied to the FortiGate.
13. On the Install Preview page, click Close.
14. Click Install.
15. Click Finish.

To simulate the attack again with the server certificate


1. Connect to HQ-PC-2.
2. Navigate to Desktop > Resources > Enterprise-FW.
3. Open the PHP injection.txt file.
4. In the Exercise 3 section, copy the URL.
The URL is https://www.acmetest.com/dir_command.php?arg="; echo system('dir'); //.

5. Open a browser, open a new incognito window, and then paste the URL.
You can see that HQ-DCFW is blocking the attack.

Verify That HQ-DCFW Drops the Attack

You will verify that HQ-DCFW drops the attack.

To verify the HQ-DCFW logs


1. Log in to the FortiAnalyzer GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Log View > Logs.
4. Select Security > Intrusion Prevention.
5. In the All Devices drop-down list, select the HQ-DCFW checkbox, and then click OK.
6. Double-click one of the HTTPS dropped logs.

You will notice that the HQ-DCFW firewall policy with the policy ID 2 and attack name
PHP.URI.Code.Injection blocked the traffic. Optionally, you can click the attack name to see more details.

Stop and think!

Why does HQ-DCFW block the attack this time?

With the internally signed CA certificate, HQ-DCFW can inspect the HTTPS traffic and identify the attack.
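The FortiAnalyzer checks in Exercises 1, 2 and 3 of this lab all read the same IPS log fields: attack, action, service and policyid. The following Python script is an added example, not code from the lab guide or from Fortinet, that automates that reading over constructed FortiOS-style key="value" IPS records (the HQ-PC-2 source address 10.0.2.10 is a placeholder; 10.0.5.11 and policy ID 2 are the lab's own values, and the timestamps are made up). It summarizes hits per signature and action, lists low-severity signatures that repeatedly dropped traffic from a trusted internal network as candidates for the monitor override used in Exercise 1, and lists drops on HTTPS, which can only appear once the policy decrypts the traffic as set up in Exercise 3. The severity cut-off is a heuristic of this example, not a FortiGate feature.

```python
"""Triage FortiGate IPS logs the way the FortiAnalyzer steps in Lab 6 do by
hand. Added example, not code from the lab guide or from Fortinet; the records
are constructed to resemble FortiOS key="value" IPS log lines (10.0.2.10 is a
placeholder for HQ-PC-2)."""
import re
import ipaddress
from collections import Counter

# Constructed sample: exercise 1 before and after the monitor entry, exercise 2
# before and after the block entry, and the HTTPS drop from exercise 3.
SAMPLE_LOGS = """\
date=2025-05-12 time=10:01:03 devname="HQ-DCFW" type="utm" subtype="ips" severity="medium" srcip=10.0.2.10 dstip=10.0.5.11 service="PING" action="dropped" policyid=2 attack="ICMP.Oversized.Packet"
date=2025-05-12 time=10:01:04 devname="HQ-DCFW" type="utm" subtype="ips" severity="medium" srcip=10.0.2.10 dstip=10.0.5.11 service="PING" action="dropped" policyid=2 attack="ICMP.Oversized.Packet"
date=2025-05-12 time=10:20:41 devname="HQ-DCFW" type="utm" subtype="ips" severity="medium" srcip=10.0.2.10 dstip=10.0.5.11 service="PING" action="detected" policyid=2 attack="ICMP.Oversized.Packet"
date=2025-05-12 time=10:45:12 devname="HQ-DCFW" type="utm" subtype="ips" severity="critical" srcip=10.0.2.10 dstip=10.0.5.11 service="HTTP" action="detected" policyid=2 attack="PHP.URI.Code.Injection"
date=2025-05-12 time=11:02:55 devname="HQ-DCFW" type="utm" subtype="ips" severity="critical" srcip=10.0.2.10 dstip=10.0.5.11 service="HTTP" action="dropped" policyid=2 attack="PHP.URI.Code.Injection"
date=2025-05-12 time=11:30:07 devname="HQ-DCFW" type="utm" subtype="ips" severity="critical" srcip=10.0.2.10 dstip=10.0.5.11 service="HTTPS" action="dropped" policyid=2 attack="PHP.URI.Code.Injection"
"""

# FortiOS IPS severity levels, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one key=value log line into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def parse_logs(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def signature_summary(records):
    """Counter of (attack, action): the view the log table gives after each install."""
    return Counter((r["attack"], r["action"]) for r in records
                   if r.get("subtype") == "ips")


def false_positive_candidates(records, trusted_nets, max_severity="medium", min_hits=2):
    """Signatures of at most max_severity that were dropped at least min_hits
    times for a source inside a trusted network. These are the entries worth
    reviewing for a monitor override, as done for ICMP.Oversized.Packet. The
    severity cut-off is a heuristic so that critical signatures such as
    PHP.URI.Code.Injection are never proposed as false positives."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    limit = SEVERITY_RANK[max_severity]
    hits = Counter()
    for r in records:
        if r.get("action") != "dropped":
            continue
        if SEVERITY_RANK.get(r.get("severity", "critical"), 4) > limit:
            continue
        src = ipaddress.ip_address(r["srcip"])
        if any(src in net for net in nets):
            hits[(r["attack"], r["srcip"])] += 1
    return sorted(key for key, n in hits.items() if n >= min_hits)


def blocked_inside_tls(records):
    """(attack, srcip) pairs dropped on HTTPS. With certificate inspection only
    these never appear; they show up once the protecting-server profile lets
    HQ-DCFW inspect the decrypted request."""
    return sorted({(r["attack"], r["srcip"]) for r in records
                   if r.get("service") == "HTTPS" and r.get("action") == "dropped"})


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for (attack, action), n in sorted(signature_summary(recs).items()):
        print(f"{attack:26s} {action:9s} {n}")
    print("review for monitor override:", false_positive_candidates(recs, ["10.0.0.0/8"]))
    print("dropped inside TLS:", blocked_inside_tls(recs))
```

With the sample records, only ICMP.Oversized.Packet from 10.0.2.10 is proposed for review, even though PHP.URI.Code.Injection was dropped just as often from the same host; that is the distinction the lab draws between a benign application flagged by a blocking profile and a genuine attack.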

Lab 7: IPsec VPN (IKEv2)

In this lab, you will configure a hub-and-spoke VPN network using the FortiManager IPsec templates.

Objectives
- Configure a hub-and-spoke topology using IPsec templates on FortiManager
- Use automatic routing to interconnect remote network segments
- Use a zone interface to group spoke interfaces in a hub
- Use a custom configuration of the VPN IPsec templates
- Identify and apply the process to delete IPsec templates

Time to Complete
Estimated: 45 minutes

Prerequisites
Before you begin this lab, you must complete the previous lab. If you haven't done so, tell your instructor.

Exercise 1: Configuring IPsec Templates

In this exercise, you will configure a hub-and-spoke topology using IPsec templates.

Configure IPsec Templates

You will configure IPsec templates for a hub-and-spoke topology.

To configure the spokes IPsec template


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Device Manager > Provisioning Templates > IPsec Tunnel > Create New.
4. In the Name field, type Spokes.

5. Click Create New, and then configure the following settings:

Field                   Value
Tunnel Name             To_hub
IP Address              100.65.0.101
Interface               port2
Remote Subnet           10.0.12.0/255.255.255.0
Pre-shared Key          123456789
Phase 1 Proposal        AES256 and SHA256
Diffie-Hellman Groups   20
Phase 2 selectors       Click Create New, and then continue to the next step.


Make sure that the FEC Health Check field remains empty.

Stop and think!

Make sure that you distinguish names. You have created the spokes template with the name Spokes, but
the interfaces are named To_hub. This will help you recognize interfaces that are connected to other peers.
When you go to BR2-FGT-1, you will find the hub interface, which will refer to the IPsec VPN connected to
the hub.

6. Configure the following settings:

Field              Value
Name               PH2_to_hub
Proposal           aes256-sha256
Advanced Options   dhgrp 20

You will find multiple advanced options for IPsec phase2. You can press Ctrl+F to
find dhgrp.

7. Click OK.


8. Click OK.
9. Click OK.

To configure the hub IPsec template


1. Continuing on the FortiManager GUI, click Create New to create a second IPsec template.
2. In the Name field, type Hub.

3. Click Create New, and then configure the following settings:

Field                   Value
Tunnel Name             To_BR2-FGT-1
IP Address              100.65.2.112
Interface               port2
Remote Subnet           172.20.2.0/255.255.255.0
Pre-shared Key          123456789
Proposal                AES256 and SHA256
Diffie-Hellman Groups   20
Phase 2 selectors       Click Create New, and then continue to the next step.


Stop and think!

Make sure to distinguish names. You have created the hub template with the name Hub, but the interface
for BR2-FGT-1 is To_BR2-FGT-1 and BR3-FGT-1 will be To_BR3-FGT-1. This will help you recognize
interfaces that are connected to the spokes.

4. Configure the following settings:

Field              Value
Name               PH2_to_BR2-FGT-1
Proposal           aes256-sha256
Advanced Options   dhgrp 20

5. Click OK.

6. Click OK again.
7. Click Create New, and then configure the following settings:

Field                   Value
Tunnel Name             To_BR3-FGT-1
IP Address              100.65.3.113
Interface               port2
Remote Subnet           172.20.3.0/255.255.255.0
Pre-shared Key          123456789
Proposal                AES256 and SHA256
Diffie-Hellman Groups   20
Phase 2 selectors       Click Create New, and then continue to the next step.


8. Configure the following settings:

Field             Value
Name              PH2_to_BR3-FGT-1
Proposal          aes256-sha256
Advanced Options  dhgrp 20

9. Click OK.

10. Click OK.

11. Click OK.

Stop and think!

Make sure to distinguish names. You have created the hub template with the name Hub, but the interface
for BR2-FGT-1 is To_BR2-FGT-1 and the one for BR3-FGT-1 is To_BR3-FGT-1. This will help you recognize
the interfaces on Core1 that are connected to each spoke.

12. On the IPsec Tunnel tab, select the Hub checkbox, and then click Assign to Device/Group to assign the Hub
IPsec template.

13. In the Available Entries field, select the HQ-NGFW [Core1] checkbox, and then move it to the Selected Entries
field.
14. Click OK.
15. On the IPsec Tunnel tab, select the Spokes checkbox, and then click Assign to Device/Group to assign the
Spokes IPsec template.
16. In the Available Entries field, select the BR2-FGT-1 and BR3-FGT-1 checkboxes, and then move them to the
Selected Entries field.
17. Click OK.

You can see what the template will install if you right-click the template, and then
select Preview CLI Configuration.

Stop and think!

You are installing the following settings:


config firewall address
config vpn ipsec phase1-interface
config system interface
config vpn ipsec phase2-interface
config router static

If you need to delete your IPsec template, you must consider the objects that the template has created.
FortiManager cannot delete the objects that the template created because there are some dependencies.
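The following is an added illustration, not text from the lab guide or the template's actual output: the FortiOS CLI that the Hub template entry for To_BR2-FGT-1 amounts to, reconstructed from the values in the tables above (Proposal "AES256 and SHA256" becomes aes256-sha256). Option order and defaults in the real Preview CLI Configuration output may differ; the comments mark which object depends on which, because that dependency chain is why the delete procedure later in this exercise works from policies back to phase 1.

```fortios
# Added example: approximate FortiOS CLI generated by the Hub IPsec template
# for the To_BR2-FGT-1 tunnel, reconstructed from the lab's table values.
# Option order and defaults in the actual preview may differ.
config vpn ipsec phase1-interface
    edit "To_BR2-FGT-1"                   # tunnel name becomes the interface name
        set interface "port2"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 20
        set remote-gw 100.65.2.112
        set psksecret 123456789
    next
end
config system interface
    edit "To_BR2-FGT-1"                   # tunnel interface bound to port2
        set type tunnel
        set interface "port2"
    next
end
config vpn ipsec phase2-interface
    edit "PH2_to_BR2-FGT-1"
        set phase1name "To_BR2-FGT-1"     # depends on the phase 1 above
        set proposal aes256-sha256
        set dhgrp 20
        set dst-subnet 172.20.2.0 255.255.255.0
    next
end
config firewall address
    edit "To_BR2-FGT-1_remote_subnet_1"   # referenced by firewall policies
        set subnet 172.20.2.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 172.20.2.0 255.255.255.0
        set device "To_BR2-FGT-1"         # depends on the tunnel interface
    next
end
```

Policies reference the address object and the tunnel interface (or the zone that contains it), the static route references the interface, and phase 2 references phase 1, so objects must be removed in the reverse order, as the Delete the IPsec Tunnels procedure does.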

18. Click Device Manager > Device & Groups > Managed FortiGate, and then select the Core1, BR2-FGT-1, and
BR3-FGT-1 checkboxes.
19. Click Install > Install Wizard.
20. Verify that Install Device Settings (only) is selected, and then click Next.
21. Verify that BR2-FGT-1, BR3-FGT-1, HQ-NGFW, and Core1 are selected, and then click Next.
22. Click Install.

Stop and think!

Notice that once you have installed the templates, FortiManager can automatically detect normalized
interfaces that IPsec templates create.

This normalized interface (To_hub) was created for you before you started this lab. But, consider that every
time you use the IPsec template, the interfaces should be mapped to normalized interfaces. You can use
per device mapping or per platform mapping. If you use per platform mapping, ensure that the spelling of the
platform is correct because it is case sensitive. For example, To_hub will not be the same as To_Hub.

Create a Normalized Interface for the Hub

You will create a normalized interface for the hub, so that you can manipulate the same firewall policies for all
hubs that you have in your topology.

To create a zone interface for the hub


1. Continuing on the FortiManager GUI, click Policy & Objects > Normalized Interface > Create New.
2. In the Name field, type Zone_spokes.
3. In the Per-Platform Mapping section, click Create New.
4. In the Match Platform field, select FortiGate-VM64-KVM, and then in the Mapped Interface Name field, type
Zone_spokes.
5. Click OK.

6. Click OK.
7. Click Device Manager > Device & Groups.
8. Click Core1 > Network > Interfaces.
9. Click Create New > Device Zone.
10. Configure the following settings:

Field             Value
Zone Name         Zone_spokes
Interface Member  To_BR2-FGT-1 and To_BR3-FGT-1

11. Click OK.


Stop and think!

Using a zone in the hub makes it much faster to configure firewall policies for spokes, but everything
depends on your requirements.

Configure the Firewall Policies

After you install the VPN configuration on all FortiGate devices, the interfaces are available to configure the
firewall policies.

To configure the firewall policies on Core1


1. Continuing on the FortiManager GUI, click Device Manager > Scripts.
2. Click the VPN_Core1 checkbox, and then click Run Script.
3. Select the Core1 policy package, and then click Run Now.

You are installing two firewall policies that use the Zone_spokes normalized
interface.

4. Click Close.
5. Click Device Manager > Device & Groups > Managed FortiGate.
6. Select the Core1 checkbox, and then click Install Wizard.
7. Select Install Policy Package & Device Settings.
8. In the Policy Package field, select Core1.
9. Click Next.
10. Click Next.
11. Click Install.
12. Click Finish.

To configure the firewall policies on the spokes
1. Continuing on the FortiManager GUI, click Device Manager > Scripts.
2. Click the VPN_Spokes checkbox, and then click Run Script.
3. Select the BR policy package, and then click Run Now.

You are installing two firewall policies that use the To_hub normalized interface.

4. Click Close.
5. Click Device Manager > Device & Groups > Managed FortiGate.
6. Select the BR2-FGT-1 and BR3-FGT-1 checkboxes, and then click Install Wizard.
7. Select Install Policy Package & Device Settings.
8. In the Policy Package field, select BR.
9. Click Next.
10. Click Next.
11. Click Install.
12. Click Finish.

Check the Status of the VPN Tunnels

You will check the status of the VPN tunnels.

To check the status of the VPN tunnels


1. Continuing on the FortiManager GUI, click Device Manager > Monitors > VPN Monitor.
2. Enable Show Table.
The table should contain four VPN tunnels.

In VPN Monitor, the message Internal Server Error appears instead of the map because HQ-FMG-1 is in a
closed environment without internet access.

Delete the IPsec Tunnels

Unsetting the template does not delete the configuration in the device layer and on the FortiGate. In this case, you
must remove the associated firewall policies where you reference IPsec interfaces and objects that were
generated in the IPsec templates. The general steps are:

1. Delete the policies in the policy and device layers.


2. Delete the zone interface (only in Core1).
3. Delete the static routes in the device layer.
4. Delete the firewall addresses in the device layer.
5. Delete phase 2 in the device layer.
6. Delete phase 1 in the device layer.

To unassign IPsec templates


1. Continuing on the FortiManager GUI, click Device Manager > Provisioning Templates > IPsec Tunnel.
2. Unassign the Hub and Spokes IPsec templates.

3. Delete the Hub and Spokes IPsec templates.

To delete the IPsec tunnels on Core1


1. Continuing on the FortiManager GUI, click Policy & Objects > Policy Packages > Core1 > Firewall Policy.
2. Expand Core1, and then click Firewall Policy.
3. Delete the policies that are using the Zone_spokes interface in the policy layer.


4. Click OK.
5. Click Device Manager > Device & Groups > Managed FortiGate > HQ-NGFW > Core1 > CLI Configurations >
firewall > policy.
6. Click Core1 > CLI Configurations > firewall > policy.

Enable srcintf and dstintf in the engine icon tool, located in the upper-right
corner, so that you can easily identify policies that are using a specific interface. Then,
move the srcintf and dstintf columns to the left.

7. Delete the same policies you deleted in the policy layer for Core1—the ones that use the Zone_spokes interface.

8. Click OK.
9. Click Core1 > Network > Interfaces.
10. Select the Zone_spokes checkbox, and then click Delete.


11. Click OK.


12. Click Core1 > Network > Static Routes, select all Static routes that the IPsec template generated, and then click
Delete.

13. Click OK.


14. Click Core1 > CLI Configurations > firewall > address.
15. Select the To_BR2-FGT-1_remote_subnet_1 and To_BR3-FGT-1_remote_subnet_1 checkboxes, and then
click Delete.


16. Click OK.


17. Click Core1 > VPN > IPsec Phase 2.
18. Select the IPsec Phase 2 that FortiManager created, and then click Delete.

19. Click OK.


20. Click Core1 > VPN > IPsec Phase 1.
21. Select the IPsec Phase 1 that the IPsec template created, and then click Delete.


22. Click OK.


23. Click Device Manager > Device & Groups > Managed FortiGate, and then select the Core1 checkbox.
24. Click Install > Re-install Policy.
25. Click OK.
26. Click Next, and then click Finish.

Make sure you have deleted all previous objects. Otherwise, when you reinstall, you
will receive an error that the policy package cannot be installed.

Take the Expert Challenge!


Delete all objects that the IPsec templates installed on BR2-FGT-1 and BR3-FGT-1, and then reinstall the BR policy
package on both firewalls. There should be no errors at the end of your installation.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

To delete the IPsec template on BR2-FGT-1


1. Continuing on the FortiManager GUI, click Policy & Objects > Policy Packages > BR > Firewall Policy.
2. Delete the policies in the policy layer that are using the To_hub interface.

3. Click OK.
4. Click Device Manager > Device & Groups > Managed FortiGate.
5. Click BR2-FGT-1 > CLI Configurations > firewall > policy.
6. Delete the policies in the device layer that are using the To_hub interface.

7. Click OK.
8. Click Network > Static Routes.
9. Delete the static routes that the IPsec template generated in the device layer.

10. Click OK.


11. Click CLI Configurations > firewall > address.
12. Delete the To_hub_remote_subnet_1 address in the device layer.

13. Click OK.
14. Click VPN > IPsec Phase 2.
15. Delete the IPsec Phase 2 that FortiManager created.

16. Click OK.


17. Click VPN > IPsec Phase 1.
18. Delete the IPsec Phase 1 that the IPsec template created.

19. Click OK.


20. Click Device Manager > Device & Groups > Managed FortiGate, and then select the BR2-FGT-1 checkbox.
21. Click Install > Re-install Policy.
22. Click OK.
23. Click Next, and then click Finish.

To delete the IPsec template on BR3-FGT-1


1. Continuing on the FortiManager GUI, click Device Manager > Device & Groups > Managed FortiGate.
2. Click BR3-FGT-1 > CLI Configurations > firewall > policy.
3. Delete the policies in the device layer that are using the To_hub interface.


4. Click OK.

You do not need to delete the firewall policies in the policy layer because you have
deleted policies in the BR policy package in previous steps.

5. Click Network > Static Routes.


6. Delete the static routes that the IPsec template created.

7. Click OK.
8. Click CLI Configurations > firewall > address.
9. Delete the To_hub_remote_subnet_1 address in the device layer.


10. Click OK.


11. Click VPN > IPsec Phase 2.
12. Delete the IPsec Phase 2 that FortiManager created.

13. Click OK.


14. Click VPN > IPsec Phase 1.
15. Delete the IPsec Phase 1 that the IPsec template created.

16. Click OK.


17. Click Device Manager > Device & Groups > Managed FortiGate, and then select the BR3-FGT-1 checkbox.
18. Click Install > Re-install Policy.
19. Click OK.
20. Click Next, and then click Finish.

You can connect to the Core1, BR2-FGT-1, and BR3-FGT-1 GUI to confirm that all
objects related to the IPsec template have been deleted.

Lab 8: Auto-Discovery VPN

You will modify the IPsec VPN configuration to enable auto-discovery VPN (ADVPN). You will create an on-demand
tunnel between the two spokes. You will configure IBGP with route reflector enabled on the hub device to manage
the routing.

Objectives
- Configure ADVPN using IPsec templates in a hub-and-spoke topology using IBGP as dynamic routing
- Configure ADVPN using IPsec templates in a dual hub-and-spoke topology using IBGP and EBGP as dynamic routing

Time to Complete
Estimated: 45 minutes

Prerequisites
Before you begin this lab, you must force HQ-NGFW-1 to be the primary FortiGate. Then, you must restore the
initial configuration files on FortiManager, BR2-FGT-1, BR3-FGT-1, and HQ-NGFW-1. The configuration files are
located on HQ-PC-1.

To force HQ-NGFW-1 to be the primary FortiGate


1. Connect over SSH to HQ-NGFW-1, and then log in with the following credentials:
- Username: admin
- Password: Fortinet1!
2. On the CLI, enter the following commands:
config global
    config system ha
        config vcluster
            edit 1
                set override enable
            next
            edit 2
                set override enable
            next
        end
    end
end

You must restore the configuration files in the recommended order (FortiManager,
BR2-FGT-1, BR3-FGT-1, and then HQ-NGFW-1) to keep the synchronization with the
FortiManager at the end.

To restore the FortiManager configuration file
1. On HQ-PC-1, open a browser.
2. Connect to the HQ-FMG-1 GUI, and then log in with the following credentials:
- Username: admin
- Password: Fortinet1!
3. Click root.
4. In the System Information widget, in the System Configuration field, click the Restore icon.

5. In the Backup File field, click Add Files.


6. Click Desktop > Resources > Enterprise-FW > ADVPN > Starting_Point, select HQ-FMG-1_ADVPN_initial.dat,
and then click Select.
7. In the Password field, type Fortinet1!.
8. Click OK.

To restore the BR2-FGT-1 configuration file


1. On HQ-PC-1, open a browser.
2. Connect to the BR2-FGT-1 GUI, and then log in with the following credentials:
- Username: admin
- Password: Fortinet1!
3. In the upper-right corner, click admin, and then click Configuration > Restore.
4. Click Local PC, and then click Upload.
5. Click Desktop > Resources > Enterprise-FW > ADVPN > Starting_Point, select BR2-FGT-1_ADVPN_initial.conf,
and then click Select.
6. Click OK.
7. Click OK to reboot.

To restore the BR3-FGT-1 configuration file


1. On HQ-PC-1, open a browser.
2. Connect to the BR3-FGT-1 GUI, and then log in with the following credentials:

- Username: admin
- Password: Fortinet1!
3. In the upper-right corner, click admin, and then click Configuration > Restore.
4. Click Local PC, and then click Upload.
5. Click Desktop > Resources > Enterprise-FW > ADVPN > Starting_Point, select BR3-FGT-1_ADVPN_initial.conf,
and then click Select.
6. Click OK.
7. Click OK to reboot.

To restore the HQ-NGFW-1 configuration file


1. On HQ-PC-1, open a browser.
2. Connect to the HQ-NGFW-1 GUI, and then log in with the following credentials:
- Username: admin
- Password: Fortinet1!
3. In the upper-right corner, click admin, and then click Configuration > Restore.
4. Click Local PC, and then click Upload.
5. Click Desktop > Resources > Enterprise-FW > ADVPN > Starting_Point, select HQ-NGFW-1_ADVPN_initial.conf,
and then click Select.
6. Click OK.
7. Click OK to reboot.

After the reboot, you can verify that HQ-NGFW-1 remains the primary FortiGate.

To disable offline mode on FortiManager


1. Connect to the FortiManager GUI, and then log in with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click root.
3. Click System Settings > Advanced > Misc Settings.
4. Disable Offline Mode.

Exercise 1: Configuring ADVPN and IBGP

In this exercise, you will configure ADVPN in a hub-and-spoke topology. You will use Core1 as a hub, and BR2-FGT-1
and BR3-FGT-1 as spokes.

Configure IPsec Templates

You will configure IPsec templates for Core1, BR2-FGT-1, and BR3-FGT-1.

To configure the metadata variables


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Policy & Objects > Advanced > Metadata Variables.
4. Click Create New, and then in the Name field, type Tunnel_IP.
5. In the Per-Device Mapping section, configure the following settings:

Field               Value
BR2-FGT-1 [global]  172.16.1.2/255.255.255.255
BR3-FGT-1 [global]  172.16.1.3/255.255.255.255

6. Click OK.
7. Click Create New, and then in the Name field, type Local_ID.
8. In the Per-Device Mapping section, configure the following settings:

Field               Value
BR2-FGT-1 [global]  BR2-FGT-1
BR3-FGT-1 [global]  BR3-FGT-1


9. Click OK.
10. Click Policy & Objects > Advanced > Metadata Variables.
11. Select Router_ID, and then click Edit.
12. In the Per-Device Mapping section, configure the following settings:

Field               Value
BR2-FGT-1 [global]  172.16.1.2
BR3-FGT-1 [global]  172.16.1.3


13. Click OK.

To configure the IPsec template for Core1


1. Continuing on the FortiManager GUI, click Device Manager.
2. Click Provisioning Templates, and then select IPsec Tunnel.
3. Right-click the HUB_IPsec_Recommended template, and then select Activate.

4. Configure the following settings:

Field               Value
Template Name       Hub_overlay1
Enable ADVPN        Enabled
Outgoing Interface  port2
IPv4 Start IP       172.16.1.2
IPv4 End IP         172.16.1.254
IPv4 Netmask        255.255.255.0
Pre-shared Key      123456789

5. Click OK.
6. Right-click the Hub_overlay1 template, and then select Edit.
7. Right-click the VPN1 template, and then select Edit.
8. Disable Mode Config.
9. In the Transport field, select UDP.

10. In the Tunnel Interface Setup section, configure the following settings:

Field      Value
IP         172.16.1.1/255.255.255.255
Remote IP  172.16.1.254/255.255.255.0

11. Click OK.


12. Click OK.
13. Right-click the Hub_overlay1 template, and then select Assign to Device/Group.
14. In the Available Entries field, select the HQ-NGFW [Core1] checkbox, and then move it to the Selected Entries
field.
15. Click OK.

To configure the IPsec template for the branches


1. Continuing on the FortiManager GUI, right-click the BRANCH_IPsec_Recommended template, and then select
Activate.
2. Configure the following settings:

Field               Value
Template Name       Branches_overlay1
Enable ADVPN        Enabled
Outgoing Interface  port2
Local ID            $(Local_ID)
Remote Gateway      100.65.0.101
Pre-shared Key      123456789


3. Click OK.
4. Right-click the Branches_overlay1 template, and then select Edit.
5. Right-click HUB1-VPN1, and then select Edit.
6. Disable Mode Config.
7. In the Transport field, select UDP.

8. In the Tunnel Interface Setup section, configure the following settings:

Field      Value
IP         $(Tunnel_IP)
Remote IP  172.16.1.1/255.255.255.0

9. Click OK.
10. Click OK.

11. Right-click the Branches_overlay1 template, and then select Assign to Device/Group.
12. In the Available Entries field, select the BR2-FGT-1 and BR3-FGT-1 checkboxes, and then move them to the
Selected Entries field.
13. Click OK.

To install the device settings


1. Continuing on the FortiManager GUI, click Install Wizard.
2. In the Install Wizard window, select Install Device Settings (only), and then click Next.
3. Ensure that BR2-FGT-1, BR3-FGT-1, HQ-NGFW, and Core1 are selected.
4. Click Next.
5. Click Install.
6. Click Finish.

Configure the BGP Templates

You will create BGP templates for the FortiGate devices.

To configure the BGP template for Core1


1. Continuing on the FortiManager GUI, click Device Manager.
2. Click Provisioning Templates, and then select BGP.

If the BGP section is not available, you can enable BGP in the Feature Visibility
section.

3. Click Create New.


4. Configure the following settings:

Field      Value
Name       Hub_overlay1
Local As   65100
Router ID  172.16.1.1

5. Create a Neighbor Group with the following settings:

Field                          Value
Name                           Overlay1
Remote AS                      65100
Route Reflector Client (IPv4)  Enable
Next Hop Self (IPv4)           Enable

6. Click OK.

7. Create a Neighbor Range with the following settings:

Field                Value
Prefix               172.16.1.0/255.255.255.0
Neighbor Group       Overlay1
Max Neighbor Number  2

8. Click OK.
9. In the Networks field, type 10.0.12.0/255.255.255.0.

10. Click OK.


11. Right-click the Hub_overlay1 template, and then select Assign to Device/Group.
12. In the Available Entries field, select the HQ-NGFW [Core1] checkbox, and then move it to the Selected Entries
field.
13. Click OK.

To configure the BGP template for the branches


1. Continuing on the FortiManager GUI, click Create New.

Field      Value
Name       Branches_overlay1
Local As   65100
Router ID  $(Router_ID)

2. Create a Neighbor with the following settings:

Field          Value
IP             172.16.1.1
Remote AS      65100
Connect Timer  120

3. Click OK.

4. In the Networks field, type $(LAN_BR).

5. Click OK.
6. Right-click the Branches_overlay1 template, and then select Assign to Device/Group.
7. In the Available Entries field, select the BR2-FGT-1 and BR3-FGT-1 checkboxes, and then move them to the
Selected Entries field.
8. Click OK.
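As an added example (not the lab's scripts and not the templates' actual generated output), this is the FortiOS CLI equivalent of what the Hub_overlay1 and Branches_overlay1 IPsec templates and the BGP templates above push to Core1 and BR2-FGT-1, assembled from the table values; BR3-FGT-1 is the same with its own metadata values. The ADVPN-related phase 1 options (auto-discovery-sender/receiver, net-device, add-route, transport) are assumed to match what the recommended templates set, and the spoke's $(LAN_BR) is taken to be 172.20.2.0/24, the prefix Core1 later learns from BR2-FGT-1.

```fortios
# Added example: CLI equivalent of the Hub_overlay1 / Branches_overlay1 templates,
# built from the lab's table values. ADVPN phase 1 options are assumed; proposals
# are left at their defaults because the tables do not set them.

# ---- Core1 (hub): dial-up phase 1 that both spokes connect to ----
config vpn ipsec phase1-interface
    edit "VPN1"
        set type dynamic                  # spokes dial in; no remote-gw on the hub
        set interface "port2"
        set peertype any
        set net-device disable            # single tunnel interface for all spokes
        set mode-cfg disable              # lab step 8: Mode Config disabled
        set transport udp                 # lab step 9: Transport = UDP
        set add-route disable             # BGP, not IKE, installs the spoke routes
        set auto-discovery-sender enable  # hub offers spoke-to-spoke shortcuts
        set psksecret 123456789
    next
end
config vpn ipsec phase2-interface
    edit "VPN1"
        set phase1name "VPN1"
    next
end
config system interface
    edit "VPN1"
        set ip 172.16.1.1 255.255.255.255
        set remote-ip 172.16.1.254 255.255.255.0   # overlay network 172.16.1.0/24
    next
end
config router bgp
    set as 65100                          # same AS on hub and spokes = IBGP
    set router-id 172.16.1.1
    config neighbor-group
        edit "Overlay1"
            set remote-as 65100
            set route-reflector-client enable  # reflects BR2's routes to BR3 and back
            set next-hop-self enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 172.16.1.0 255.255.255.0   # any spoke tunnel IP may peer
            set max-neighbor-num 2
            set neighbor-group "Overlay1"
        next
    end
    config network
        edit 1
            set prefix 10.0.12.0 255.255.255.0
        next
    end
end

# ---- BR2-FGT-1 (spoke): $(Local_ID)=BR2-FGT-1, $(Tunnel_IP)=172.16.1.2/32,
# ---- $(Router_ID)=172.16.1.2, $(LAN_BR)=172.20.2.0/24 (assumed) ----
config vpn ipsec phase1-interface
    edit "HUB1-VPN1"
        set interface "port2"
        set localid "BR2-FGT-1"           # how the hub tells the spokes apart
        set peertype any
        set net-device enable             # one interface per shortcut peer
        set mode-cfg disable
        set transport udp
        set add-route disable
        set auto-discovery-receiver enable  # accepts shortcut offers from the hub
        set remote-gw 100.65.0.101
        set psksecret 123456789
    next
end
config vpn ipsec phase2-interface
    edit "HUB1-VPN1"
        set phase1name "HUB1-VPN1"
    next
end
config system interface
    edit "HUB1-VPN1"
        set ip 172.16.1.2 255.255.255.255
        set remote-ip 172.16.1.1 255.255.255.0
    next
end
config router bgp
    set as 65100
    set router-id 172.16.1.2
    config neighbor
        edit "172.16.1.1"                 # the hub's tunnel IP; BR3 peers the same way
            set remote-as 65100
            set connect-timer 120
        next
    end
    config network
        edit 1
            set prefix 172.20.2.0 255.255.255.0
        next
    end
end
```

After the templates are installed, get router info routing-table bgp on Core1 should list 172.20.2.0/24 and 172.20.3.0/24 learned from the two neighbor-range peers, which is the check the Bring Up the On-Demand Tunnel section performs.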


To install the device settings


1. Continuing on the FortiManager GUI, click Install Wizard.
2. In the Install Wizard window, select Install Device Settings (only), and then click Next.
3. Verify that the BR2-FGT-1, BR3-FGT-1, HQ-NGFW, and Core1 checkboxes are selected.
4. Click Next.
5. Click Install.
6. Click Finish.

Install the Policies

You will run scripts to create policies in the Core1 and BR policy packages. Then, you will install the policies.

To run the scripts


1. Continuing on the FortiManager GUI, click Device Manager > Scripts.
2. Select the ADVPN_Core1_ex1 checkbox, and then click Run Script.
3. Select the Core1 policy package, and then click Run Now.
4. Click Close to close the Run Script window.
You have created three policies in the Core1 policy package.


5. Click Device Manager > Scripts.


6. Select the ADVPN_Branches checkbox, and then click Run Script.
7. Select the BR policy package, and then click Run Now.
8. Click Close to close the Run Script window.
You have created two policies in the BR policy package.

To install the policies


1. Continuing on the FortiManager GUI, click Device Manager > Device & Groups > Managed FortiGate.
2. Select the BR2-FGT-1, BR3-FGT-1, and Core1 checkboxes.
3. Click Install > Reinstall policy.
4. Click OK.
5. Verify that Core1, BR2-FGT-1, and BR3-FGT-1 are selected.
6. Click Next.
7. Click Finish.

Bring Up the On-Demand Tunnel

Before you generate traffic to trigger the on-demand tunnel, it is a good idea to verify that the IPsec VPN tunnels
are up and the BGP route databases are in sync.

To verify the IPsec tunnel status


1. Continuing on the FortiManager GUI, click Device Manager.
2. Click Monitors, and then select VPN Monitor.
3. Click Show Table to enable the table.

To check the BGP routes


1. Log in to the HQ-NGFW (Core1) CLI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Enter the following commands:
get router info routing-table bgp
get vpn ipsec tunnel summary

BGP may take about 1 minute to establish and advertise the routes. You can enter the
get router info routing-table bgp command again to refresh the BGP
routing table.

Stop and think!

Core1 has learned BGP network segments through IBGP (AS 65100). You should see the network segment
172.20.2.0/24 (from BR2-FGT-1) and 172.20.3.0/24 (from BR3-FGT-1).

Notice that the tunnels are connected to IP addresses 100.65.2.112 (BR2-FGT-1) and 100.65.3.113
(BR3-FGT-1).

3. Log in to the BR2-FGT-1 CLI with the following credentials:

- Username: admin
- Password: Fortinet1!
4. Enter the following commands:
get router info routing-table bgp
get vpn ipsec tunnel summary

5. Log in to the BR3-FGT-1 CLI with the following credentials:


- Username: admin
- Password: Fortinet1!
6. Enter the following commands:
get router info routing-table bgp
get vpn ipsec tunnel summary

To bring up the on-demand tunnel


1. Return to the BR2-FGT-1 CLI, and then enter the following commands:
execute ping-options source 172.20.2.254
execute traceroute-options source 172.20.2.254
2. Enter the following commands to trigger the on-demand tunnel:
execute ping 172.20.3.254
execute traceroute 172.20.3.254

To validate the on-demand tunnel


1. Return to the BR2-FGT-1 and BR3-FGT-1 CLIs, and then enter the following command:

get router info routing-table bgp
get vpn ipsec tunnel summary

The ADVPN tunnel has been created with the IP address 100.65.3.113 and the next hop is 172.16.1.3.

Exercise 2: Configuring ADVPN IBGP and EBGP

In this exercise, you will configure ADVPN IBGP and EBGP.

Prerequisites

You must unassign the IPsec templates from the previous exercise.

To delete the IPsec templates


1. Log in to the FortiManager GUI with the following credentials:
- Username: admin
- Password: Fortinet1!
2. Click EFW.
3. Click Device Manager > Provisioning Templates > IPsec Tunnel.
4. Select, and then right-click the Hub_overlay1 and Branches_overlay1 templates.
5. Click Delete.

To delete the BGP templates


1. Continuing on the FortiManager GUI, click Device Manager > Provisioning Templates > BGP.
2. Select, and then right-click the Hub_overlay1 and Branches_overlay1 templates.
3. Click Delete.
4. Click OK.

Configure ADVPN IBGP and EBGP

You will run a script to enable ADVPN IBGP and EBGP on Core1, Core2, BR2-FGT-1, and BR3-FGT-1.

To run the script on HQ-NGFW, BR2-FGT-1, and BR3-FGT-1


1. Continuing on the FortiManager GUI, click Device Manager > Scripts.

You may edit the HQ_NGFW_ADVPN_ex2, BR2-FGT-1_ADVPN_ex2, and BR3-FGT-1_ADVPN_ex2 scripts to
view the configurations applied.

2. Right-click the HQ_NGFW_ADVPN_ex2 script, and then click Run Script.


3. In the Available Entries field, select the HQ-NGFW checkbox, and then move it to the Selected Entries field.
4. Click Run Now.
5. Click OK.
6. Click Close.
7. Right-click the BR2-FGT-1_ADVPN_ex2 script, and then click Run Script.
8. In the Available Entries field, select the BR2-FGT-1 checkbox, and then move it to the Selected Entries field.
9. Click Run Now.
10. Click OK.
11. Click Close.
12. Right-click the BR3-FGT-1_ADVPN_ex2 script, and then click Run Script.
13. In the Available Entries field, select the BR3-FGT-1 checkbox, and then move it to the Selected Entries field.
14. Click Run Now.
15. Click OK.
16. Click Close.

To assign the per device mapping


1. Continuing on the FortiManager GUI, click Policy & Objects > Normalized Interface.
2. In the upper-right corner, in the search field, search for VPN1.
3. Right-click the VPN1 interface, and then click Edit.
4. In the Per-Device Mapping field, click Create New.
5. Configure the following settings:

Field                   Value

Mapped Device           HQ-NGFW [Core1]

Mapped Interface Name   VPN1

6. Click OK.
7. In the Per-Device Mapping field, click Create New.
8. Configure the following settings:

Field                   Value

Mapped Device           HQ-NGFW [Core2]

Mapped Interface Name   VPN12

9. Click OK.

10. Click OK.


11. Click Policy & Objects > Normalized Interface.
12. Search for HTH.
13. Right-click the HTH interface, and then click Edit.
14. In the Per-Device Mapping field, click Create New.
15. Configure the following settings:

Field                   Value

Mapped Device           HQ-NGFW [Core1]

Mapped Interface Name   hub_to_hub

16. Click OK.


17. In the Per-Device Mapping field, click Create New.
18. Configure the following settings:

Field                   Value

Mapped Device           HQ-NGFW [Core2]

Mapped Interface Name   hub_to_hub2

19. Click OK.

20. Click OK.

To create policies on Core1 and Core2


1. Continuing on the FortiManager GUI, click Device Manager > Scripts.

You may edit the ADVPN_Core1_ex2 and ADVPN_Core2_ex2 scripts to view the
configurations applied.

2. Right-click the ADVPN_Core1_ex2 script, and then click Run Script.


3. In the Run script on policy package field, select Core1.
4. Click Run Now.
5. Click Close.
6. Right-click the ADVPN_Core2_ex2 script, and then click Run Script.
7. In the Run script on policy package field, select Core2.
8. Click Run Now.
9. Click Close.

To install policies on Core1, Core2, BR2-FGT-1, and BR3-FGT-1
1. Continuing on the FortiManager GUI, click Device Manager > Device & Groups > Managed FortiGate.
2. Select the Core1 and Core2 checkboxes.
3. Click Install, and then click Reinstall policy.
4. Verify that Core1 and Core2 are selected, and then click Next.
5. Click Finish.
6. Select the BR2-FGT-1 and BR3-FGT-1 checkboxes, and then click Install Wizard.
7. In the Choose What To Install (1/4) window, select Install Policy Package & Device Settings.
8. In the Policy Package field, select BR, and then click Next.
9. In the Select Devices to Install (BR) (2/4) window, click Next.
10. In the Validate Devices (BR) (3/4) window, make sure that BR2-FGT-1 and BR3-FGT-1 are selected, and then
click Install.
11. In the Installation progress (4/4) window, click Finish.
12. Click Device Manager > Scripts.
13. Right-click the HQ_NGFW_reinitialize script, and then click Run Script.
14. In the Available Entries field, select the HQ-NGFW checkbox, and then move it to the Selected Entries field.
15. Click Run Now.
16. Click OK.
17. Click Close.

After updating the configurations from the previous exercise, you must reboot HQ-
NGFW before checking ADVPN.

Bring Up the On-Demand Tunnel

Before you generate traffic to trigger the on-demand tunnel, it is a good idea to verify that the VPN IPsec tunnels
are up and the BGP route databases are in sync.

To verify the status of the IPsec tunnels and check the BGP routes


1. Log in to the HQ-NGFW (Core1) CLI with the following credentials:
l Username: admin
l Password: Fortinet1!
2. Enter the following commands:
config vdom
edit Core1
get router info routing-table bgp
get vpn ipsec tunnel summary


Notice that, by prefixing a command with sudo <vdom>, you do not need to change VDOMs to run get, show, diagnose, or
execute commands. You can see more details in the following image:

3. Enter the following commands:


sudo Core2 get router info routing-table bgp
sudo Core2 get vpn ipsec tunnel summary

4. Log in to the BR2-FGT-1 CLI with the following credentials:


l Username: admin
l Password: Fortinet1!
5. Enter the following commands:
get router info routing-table bgp
get vpn ipsec tunnel summary

6. Log in to the BR3-FGT-1 CLI with the following credentials:

l Username: admin
l Password: Fortinet1!
7. Enter the following commands:
get router info routing-table bgp
get vpn ipsec tunnel summary

BGP may take around one minute to establish its sessions and advertise the routes. You can enter
get router info routing-table bgp again to refresh the BGP routing table.

To bring up the on-demand tunnel


1. Return to the BR2-FGT-1 CLI, and then enter the following commands:
execute ping-options source 172.20.2.254
execute traceroute-options source 172.20.2.254
2. Enter the following commands to trigger the on-demand tunnel:
execute ping 172.20.3.254
execute traceroute 172.20.3.254

To validate the on-demand tunnel


1. Return to the BR2-FGT-1 and BR3-FGT-1 CLIs, and then enter the following commands:
get router info routing-table bgp
get vpn ipsec tunnel summary

The ADVPN shortcut tunnel has been created with the IP address 100.65.3.113, and the next hop is 172.16.2.2,
which is on a different network segment from AS 65100.
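As an added example that is not part of the original lab guide, the following Python script automates the check just described: it parses the text returned by get router info routing-table bgp and get vpn ipsec tunnel summary (for instance, captured over SSH) and reports whether a destination prefix is reached through an ADVPN shortcut or still through the hub. The sample output embedded in the script is constructed; its line layout follows the usual FortiOS format, but the prefixes, next hops, gateway addresses and interface names (VPN1, VPN1_0) are assumptions, as is the convention that a shortcut interface is named after its parent tunnel with a numeric suffix.

```python
"""Check whether a destination is reached over an ADVPN shortcut.

Added example for this lab guide, not Fortinet code. BGP_SAMPLE and
VPN_SAMPLE are constructed; they imitate the layout of FortiOS
'get router info routing-table bgp' and 'get vpn ipsec tunnel summary'
output, but every address, prefix and interface name is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: one route learned via the hub (recursive next hop over
# the parent tunnel VPN1) and one already resolved over the shortcut VPN1_0.
BGP_SAMPLE = """\
Routing table for VRF=0
B       172.20.1.0/24 [200/0] via 100.65.1.254 (recursive is directly connected, VPN1), 00:10:31, [1/0]
B       172.20.3.0/24 [200/0] via 172.16.2.2, VPN1_0, 00:00:12, [1/0]
"""

# Constructed sample: the parent tunnel to the hub and the on-demand shortcut.
VPN_SAMPLE = """\
'VPN1' 100.64.1.1:0  selectors(total,up): 1/1  rx(pkt,err): 1310/0  tx(pkt,err): 1298/0
'VPN1_0' 100.65.3.113:0  selectors(total,up): 1/1  rx(pkt,err): 5/0  tx(pkt,err): 5/0
"""

ROUTE_RE = re.compile(
    r"^B\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+\(recursive is directly connected,\s+(?P<rec_if>[\w.-]+)\)"
    r"|,\s+(?P<iface>[\w.-]+))"
)
TUNNEL_RE = re.compile(
    r"^'(?P<name>[^']+)'\s+(?P<gw>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+"
    r"selectors\(total,up\):\s+(?P<total>\d+)/(?P<up>\d+)"
)
# Assumption: a shortcut interface is '<parent>_<n>' where <parent> is itself a tunnel.
SHORTCUT_RE = re.compile(r"^(?P<parent>.+)_\d+$")


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    ad: int
    metric: int
    nexthop: str
    interface: str
    recursive: bool


@dataclass(frozen=True)
class Tunnel:
    name: str
    gateway: str
    selectors_total: int
    selectors_up: int

    @property
    def is_up(self) -> bool:
        return self.selectors_total > 0 and self.selectors_up == self.selectors_total


def parse_bgp_routes(text: str) -> list[BgpRoute]:
    """Extract BGP ('B') routes; headers and other protocols are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(BgpRoute(
                m["prefix"], int(m["ad"]), int(m["metric"]), m["nexthop"],
                m["rec_if"] or m["iface"], m["rec_if"] is not None))
    return routes


def parse_tunnel_summary(text: str) -> dict[str, Tunnel]:
    """Map tunnel name -> Tunnel from the 'get vpn ipsec tunnel summary' output."""
    tunnels = {}
    for line in text.splitlines():
        m = TUNNEL_RE.match(line.strip())
        if m:
            tunnels[m["name"]] = Tunnel(m["name"], m["gw"], int(m["total"]), int(m["up"]))
    return tunnels


def advpn_status(bgp_text: str, vpn_text: str, dest_prefix: str) -> dict | None:
    """Describe how dest_prefix is reached: over a live shortcut or via the hub.

    Returns None when no BGP route for the prefix exists yet; BGP may still be
    converging, so the caller should retry rather than treat this as a failure.
    """
    tunnels = parse_tunnel_summary(vpn_text)
    for route in parse_bgp_routes(bgp_text):
        if route.prefix != dest_prefix:
            continue
        tunnel = tunnels.get(route.interface)
        parent = SHORTCUT_RE.match(route.interface)
        is_shortcut = (parent is not None and parent["parent"] in tunnels
                       and tunnel is not None and tunnel.is_up)
        return {
            "path": "shortcut" if is_shortcut else "hub",
            "interface": route.interface,
            "nexthop": route.nexthop,
            "gateway": tunnel.gateway if tunnel else None,
            "tunnel_up": bool(tunnel and tunnel.is_up),
        }
    return None


if __name__ == "__main__":
    for prefix in ("172.20.1.0/24", "172.20.3.0/24"):
        print(prefix, advpn_status(BGP_SAMPLE, VPN_SAMPLE, prefix))
```

Run it against real output by pasting the two command results into BGP_SAMPLE and VPN_SAMPLE; a route that still shows the hub's overlay address as a recursive next hop over the parent tunnel means the shortcut has not been negotiated yet, which is the state you see before the ping from BR2-FGT-1 triggers it.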

Enterprise Firewall 7.6 Administrator Lab Guide 187


Fortinet Technologies Inc.
Brave-Dumps.com
DO NOT REPRINT
© FORTINET
Lab 9: Security Fabric

In this lab, you will first learn how to configure the Fortinet Security Fabric to enable SAML SSO. Next, you will
configure automation for configuration backups. Finally, you will create a Security Fabric automation that runs
CLI scripts when a configuration change occurs.

Objectives
l Use the Security Fabric to enable SAML SSO on all devices
l Use Security Fabric automation for automatic configuration backups
l Use Security Fabric automation to generate CLI scripts

Time to Complete
Estimated: 55 minutes

Which Network Segment Will You Work On?


In this lab, you will configure the HQ-ISFW, HQ-DCFW, and HQ-NGFW FortiGate devices.

Exercise 1: Configuring the Security Fabric and SAML SSO

In this exercise, you will configure the Security Fabric with SAML SSO in the lab network.

Configure the Security Fabric on HQ-NGFW-1

You will configure the root FortiGate in the Security Fabric to be the identity provider (IdP).

To configure the Security Fabric on HQ-NGFW-1


1. Log in to the HQ-NGFW-1 GUI with the following credentials:
l Username: admin
l Password: Fortinet1!
2. Click Login Read-Write, and then click Yes.
3. Click Security Fabric > Fabric Connectors.
4. In the Core Network Security Connectors section, click Security Fabric Setup, and then click Edit.

5. In the Security Fabric Settings window, in the Security Fabric role field, select Serve as Fabric Root.
6. In the Allow other Security Fabric devices to join field, select port5.
7. Click Close.
8. In the Fabric name field, type fortinet.
9. Enable SAML Single Sign-On.
10. In the IdP certificate field, select Fortinet_CA_SSL.
11. In the IdP address field, select Specify, and then in the field, type 10.0.12.254:443.


12. Click OK.

To configure an administrator for SAML SSO on HQ-NGFW-1


1. Continuing on the HQ-NGFW-1 GUI, click System > Administrators.
2. Click Create new, and then select Administrator.
3. Configure the following settings:

Field                   Value

Username                AdminSSO

Password                password

Administrator profile   super_admin_readonly

4. Click OK.
The result should look similar to the following image:


Configure the Security Fabric on HQ-DCFW

You will configure HQ-DCFW as one of the branches of the Security Fabric tree with SAML SSO.

To enable the Security Fabric on HQ-DCFW


1. Log in to the HQ-DCFW GUI with the following credentials:
l Username: admin
l Password: Fortinet1!
2. Click Login Read-Write, and then click Yes.
3. Click Security Fabric > Fabric Connectors.
4. In the Core Network Security Connectors section, click Security Fabric Setup, and then click Edit.
5. In the Security Fabric Settings section, configure the following settings:

Field                                         Value

Security Fabric role                          Join Existing Fabric

Allow other Security Fabric devices to join   port2

Upstream FortiGate IP/FQDN                    10.0.12.254

Management IP/FQDN                            10.0.12.253

Management port                               443

Default admin profile                         super_admin


6. Click OK.
7. Click OK to confirm.

To authorize HQ-DCFW on HQ-NGFW-1


1. Return to the HQ-NGFW-1 GUI, and then click System > Firmware & Registration.
2. Click the device with the Unauthorized status, and then select Authorize.

HQ-NGFW-1 lists the HQ-DCFW as part of the Security Fabric. It may take a few minutes to authorize. You
may need to refresh the page.

Configure the Security Fabric on HQ-ISFW

You must configure the Security Fabric on HQ-ISFW with SAML SSO and authorize it on HQ-NGFW-1.

Take the Expert Challenge!


Configure the Security Fabric on HQ-ISFW using the information in the following table, and then authorize
HQ-ISFW on HQ-NGFW-1:

Field                                         Value

Security Fabric role                          Join Existing Fabric

Allow other Security Fabric devices to join   port2

Upstream FortiGate IP/FQDN                    10.0.12.254

Management IP/FQDN                            10.0.2.254

Management port                               443

Default admin profile                         super_admin_readonly

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Access Security Fabric Devices With SAML SSO on page 194.

To enable the Security Fabric on HQ-ISFW


1. Log in to the HQ-ISFW GUI with the following credentials:
l Username: admin
l Password: Fortinet1!
2. Click Login Read-Write, and then click Yes.
3. Click Security Fabric > Fabric Connectors.
4. In the Security Fabric Settings section, configure the following settings:

Field                                         Value

Security Fabric role                          Join Existing Fabric

Allow other Security Fabric devices to join   port2

Upstream FortiGate IP/FQDN                    10.0.12.254

Management IP/FQDN                            10.0.2.254

Management port                               443

Default admin profile                         super_admin_readonly


5. Click OK.
6. Click OK to confirm.

To authorize HQ-ISFW on HQ-NGFW-1


1. Return to the HQ-NGFW-1 GUI, and then click System > Firmware & Registration.
2. Click the device with the Unauthorized status, and then select Authorize.
The result should look similar to the following image:

Access Security Fabric Devices With SAML SSO

You will use SAML SSO to access HQ-DCFW and HQ-ISFW.

To access HQ-DCFW using SAML SSO
1. Connect to the HQ-PC-2 VM.
2. Open a browser, and then enter https://10.0.12.253.

3. Click Sign in with Security Fabric.


You are redirected to the IdP, which is HQ-NGFW-1, to log in with SSO provider credentials.

4. Log in with the following credentials:


l Username: AdminSSO
l Password: password
5. Click Login, and then click Continue.


6. Click Login Read-Only.


7. Click Later, and then click OK.
8. Click System > Administrators.
Your configuration should be similar to the following image:

You are logged in to HQ-DCFW at the IP address 10.0.12.253 with the newly
created SSO administrator, AdminSSO.

Stop and think!

On the root FortiGate, HQ-NGFW-1, you configured the AdminSSO administrator with the super_admin_
readonly profile. Why is HQ-DCFW showing AdminSSO with the super_admin profile?

When you configured the Security Fabric on HQ-DCFW, you selected super_admin in the Default admin
profile field. This setting on the downstream FortiGate takes precedence over the profile assigned to the SSO
administrator on the root FortiGate. In practice, the authorization that a Fabric SSO user receives is decided
per device, so review the Default admin profile on every downstream FortiGate, not only the administrator
profile on the IdP.

To access HQ-ISFW using SAML SSO


1. On the HQ-PC-2 VM, open a new browser tab, and then enter https://10.0.12.252.


2. Click Sign in with Security Fabric.


After less than a minute, the result should be similar to the following image:

Stop and think!

Why is HQ-ISFW not reachable?

In the Security Fabric configuration on HQ-ISFW, you set Management IP/FQDN to 10.0.2.254. After the
SAML exchange, the browser is redirected to that management address, so it must be reachable from HQ-PC-2
and the corresponding interface must allow HTTPS administrative access.

3. Log in to the HQ-ISFW GUI with the following credentials:


l Username: admin
l Password: Fortinet1!
4. Click Login.
5. Click Login Read-Write, and then click Yes.
6. Click Network > Interfaces, and then click + to expand port4.


7. Select VLAN101, and then click Edit.


8. In the Administrative Access section, enable HTTPS.
9. Click OK.
10. In the upper-right corner, click admin, and then click Logout.
11. On the HQ-PC-2 VM, open a new browser tab, and then enter https://10.0.12.252.
12. Click Sign in with Security Fabric.
13. Click Continue.

Stop and think!

Why is the Login Read-Write option not available?

This is because you selected the super_admin_readonly administration profile in the Security Fabric
configuration on HQ-ISFW.

14. On the HQ-PC-2 VM, close the browser tabs.

Exercise 2: Configuring Automatic Configuration Backup

You will configure a Security Fabric automation on FortiManager to create automatic configuration backups.

Manage Security Fabric Devices on FortiManager

On FortiManager, you will create the Fabric ADOM and move the Security Fabric devices into it.

To create the Fabric ADOM


1. Log in to the FortiManager GUI with the following credentials:
l Username: admin
l Password: Fortinet1!
2. Click Create New ADOM.
3. In the Name field, type Fabric_ADOM.
4. In the Type field, select Fabric.
5. In the Devices field, click Select Device.

6. Select the checkboxes for HQ-NGFW, HQ-ISFW, and HQ-DCFW, and then click Add to ADOM.
The result should be similar to the following image:


7. Click OK.

Configure an Automation on FortiManager

On FortiManager, you will configure the trigger and action to create an automatic configuration backup stitch.

To configure the trigger


1. Continuing on the FortiManager GUI, click Fabric_ADOM.
2. Click Device Manager > Device & Groups > Managed FortiGate.


You may notice that fortinet is listed in the Device Name column. This confirms that
all the devices nested under fortinet belong to the same Security Fabric environment.

If fortinet is not listed, you must retrieve the HQ-NGFW configuration to update
FortiManager with the Security Fabric environment.

3. Click Managed FortiGate > HQ-NGFW > Feature Visibility.

By default, the Security Fabric options are not available. You must enable them in the
Feature Visibility section.

4. On the Customize tab, in the Security Fabric section, select the checkboxes for Automation Stitch,
Automation Trigger, and Automation Action.


5. Click OK.
6. Click Managed FortiGate > HQ-NGFW > Security Fabric, and then select Automation Trigger.

7. Click Create New, and then configure the following settings:

Field       Value

Name        Frequency

Type        Schedule

Frequency   Hourly

Minute      Type the minutes of your current time plus 10 minutes.
            For example, if the current time is 12:35 PM, add 10 minutes, and then type 45 in the
            Minute field (12:35 + 10 minutes = 12:45).

Your configuration should look similar to the following image (with a value in the Minute field that is based on
your current time):


When you set the Frequency field to Hourly, the stitch is triggered every hour when
the minutes match the number that is configured in the Minute field. For the purposes
of this lab, you then have 10 minutes before the next stitch occurrence.

In a production environment, you would configure the frequency according to the
frequency of configuration changes.

8. Click OK.

To configure the action


1. Click Security Fabric, and then select Automation Action.
2. Click Create New, and then configure the following settings:

Field    Value

Name     Automatic_Backup

Type     System Action

Action   Backup Configuration

Your configuration should look like the following image:


3. Click OK.

To configure the stitch


1. Click Security Fabric, and then select Automation Stitch.
2. Click Create New, and then configure the following settings:

Field           Value

Name            Backup_Stitch

Trigger         Frequency

Action Object   Automatic_Backup

Your configuration should look like the following image:

3. Click OK.

Verify the Stitch on the Security Fabric Devices

You will install the stitch on the root FortiGate and verify the automatic configuration backup.

To install the stitch


1. In the menu at the top, click Install Wizard, and then select Install Device Settings (only).
2. Click Next.
3. Confirm that HQ-NGFW is selected, and then click Next.
4. Click Install.
5. Wait until the installation finishes, and then click Finish.

To verify the stitch installation on the root FortiGate


1. Connect to the HQ-NGFW-1 GUI, and then log in with the following credentials:
l Username: admin
l Password: Fortinet1!
2. Click Login Read-Write, and then click Yes.
3. Click Security Fabric > Automation > Stitch.
Your configuration should look like the following image:

To verify the stitch occurrence


1. Connect to the HQ-ISFW GUI, and then log in with the following credentials:
l Username: admin
l Password: Fortinet1!
2. Click Login Read-Write, and then click Yes.
3. In the upper-left corner, click HQ-ISFW, and then click root.


4. Click Log & Report > System Events.


5. Click the Logs tab.
The result should be similar to the following image:

In the Date/Time column, you can see that the stitch is triggered a few seconds after
the minutes configured in the automation trigger.

6. In the upper-right corner, click admin > Configuration > Revisions.

7. In the 7.6.2 build 3462 row, click + to expand the list.


The automatic configuration backup is available as a revision.

The same automatic configuration backups are available on the other downstream
FortiGate devices because the stitch runs on all FortiGate devices in the Security Fabric, not only on the root.

Exercise 3: Configuring the Automation With a Script

In this exercise, you will configure the automation stitch on FortiManager to take CLI commands from a script and
email the results.

Configure the Automation

On FortiManager, you will verify the preconfigured trigger based on configuration changes, create an action to
take CLI commands with a script, create an action to email the script results, and then add them to a stitch.

To verify the preconfigured automation trigger on FortiManager


1. Log in to the FortiManager GUI with the following credentials:
l Username: admin
l Password: Fortinet1!
2. Click Fabric_ADOM.
3. Click Device Manager > Device & Groups.
4. Click Managed FortiGate > HQ-NGFW.
5. Click Security Fabric, and then select Automation Trigger.
6. Select Configuration Change, and then click Edit.
The configuration should look like the following image:

7. Click Cancel.

To configure a CLI script automation action on FortiManager


1. Click Security Fabric, and then select Automation Action.
2. Click Create New, and then configure the following settings:

Field                        Value

Name                         Alert_Script

Type                         CLI Script

Script                       config global
                             exec time
                             get system admin list
                             get system performance status

Administrator Profile        super_admin

Execute on Security Fabric   Enable

Because Execute on Security Fabric is enabled, this script runs with the super_admin profile on every
FortiGate in the Security Fabric, so keep the commands in such a script limited to what the alert needs.

Your configuration should look similar to the following image:

3. Click OK.

To configure an email notification automation action on FortiManager


1. Click Security Fabric > Automation Action.
2. Click Create New.
3. Configure the automation action using the following settings:

Field                     Value

Name                      Configuration_Change_Alert

Type                      Email

From                      [email protected]

Send to FortiCare Email   Disabled

To                        [email protected]

Subject                   Configuration Change Alert

Body                      %%results%%

Your configuration should look like the following image:

4. Click OK.

To configure the automation stitch on FortiManager


1. Continuing on the FortiManager GUI, click Security Fabric > Automation Stitch.
2. Click Create New, and then configure the following settings:

Field           Value

Name            Config_Change_Alert

Trigger         Configuration Change

Action Object   Alert_Script

Delay           10

Action Object   Configuration_Change_Alert

You must click + in the Action column to create a second action object.

Your configuration should look like the following image:

3. Click OK.

To install the automation stitch on the Security Fabric devices


1. In the menu at the top, click Install Wizard, and then select Install Device Settings (only).
2. Click Next.
3. Confirm that HQ-NGFW is selected, and then click Next.
4. Click Install.
5. Wait until the installation finishes, and then click Finish.

Test the Automation Stitch and View the Email Alert

You will test the automation stitch by forcing a configuration change on HQ-NGFW-1, and then view the email
alert.

An SMTP mail server is required for email alerts to operate. Because configuring a mail
server is out of scope for this lab, one was configured for you. You can view the email
service configuration on the HQ-NGFW-1 GUI by clicking System > Settings, and
then scrolling down to the Email Service section. The lab server accepts unencrypted
SMTP on TCP port 25, which is why the packet capture in this exercise filters on port 25.
Keep in mind that the alert body, including the output of get system admin list, crosses the
network in cleartext unless the email service is configured to use STARTTLS or SMTPS.

To force a configuration change and view the email alert


1. On the HQ-PC-1 VM, open a browser.
2. Connect to the HQ-NGFW-1 GUI.
3. Log in with the following credentials:

l Username: admin
l Password: Fortinet1!
4. Click Login Read-Write, and then click Yes.
5. Click VDOM: Global, and then click Core1.
6. Click Network > Diagnostics.
7. In the Packet capture window, click New packet capture.

8. Configure the new packet capture using the following settings:

Field                      Value

Interface                  port2

Name                       Email

Maximum captured packets   50

Filters                    Enabled

Host                       100.65.0.254

Port                       25

Your configuration should look like the following image:


9. Click Start capture.


10. Connect over SSH to HQ-NGFW-1, and then log in with the following credentials:
l Username: admin
l Password: Fortinet1!
11. Enter the following commands:
config global
config system interface
edit port4
unset allowaccess
end
end
exit
12. On the HQ-PC-1 VM, the output should look like the following image:


13. Click Stop capture, and then click Save as .pcap.


14. On the HQ-PC-1 VM, in the Downloads folder, open the Email.pcap file.

Wireshark is installed on the HQ-PC-1 VM and can open the Email.pcap file.

15. Right-click the first SYN packet, and then click Follow > TCP Stream.
The email header should look similar to the following example:

Because the session is plain SMTP, the stream shows the complete message, including the CLI script output
that the stitch inserted in place of %%results%%. This is exactly what anyone with a capture point on the path
to the mail server would see.

This lab is one example. To get a more comprehensive understanding of the
management of all the devices integrated with the Security Fabric environment, you
can investigate the automation options further.
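As an added example that is not part of the original lab guide, the following Python script analyses an SMTP session in the form that Follow > TCP Stream presents it. The embedded transcripts are constructed: the hostnames, addresses and message body are assumptions that stand in for the lab's redacted values, and the admin-list lines in the body are only illustrative. The script reports whether the server offered STARTTLS, whether the client used it, and, when the message went in the clear, the headers and body that an observer could read.

```python
"""Inspect a captured SMTP session for a cleartext automation-stitch alert.

Added example for this lab guide, not Fortinet code. The transcripts below are
constructed to look like Wireshark's Follow > TCP Stream output; hostnames,
addresses and the admin-list lines in the body are assumptions.
"""
import email
from email import policy

# Constructed: port-25 session in which the server offers STARTTLS but the
# client never uses it, so the whole message is readable on the wire.
SMTP_CLEARTEXT = """\
220 mail.example.com ESMTP ready
EHLO HQ-NGFW-1
250-mail.example.com
250-STARTTLS
250 8BITMIME
MAIL FROM:<alerts@example.com>
250 2.1.0 Ok
RCPT TO:<secops@example.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: alerts@example.com
To: secops@example.com
Subject: Configuration Change Alert

Core1 Alert_Script results
admin       super_admin
AdminSSO    super_admin_readonly
.
250 2.0.0 Ok: queued
QUIT
221 2.0.0 Bye
"""

# Constructed: same client, but STARTTLS is negotiated; everything after the
# 220 reply is TLS and appears in the stream as unreadable bytes.
SMTP_TLS = """\
220 mail.example.com ESMTP ready
EHLO HQ-NGFW-1
250-mail.example.com
250-STARTTLS
250 8BITMIME
STARTTLS
220 2.0.0 Ready to start TLS
(TLS records follow; not readable in the stream)
"""


def parse_smtp_stream(text: str) -> dict:
    """Walk the client/server lines and pull out the DATA payload, if any."""
    state = {"starttls_offered": False, "starttls_used": False, "raw_message": None}
    in_data, body_lines = False, []
    for line in text.splitlines():
        if in_data:
            if line == ".":                       # end-of-data marker
                in_data = False
                state["raw_message"] = "\n".join(body_lines)
            else:                                 # undo SMTP dot-stuffing
                body_lines.append(line[1:] if line.startswith("..") else line)
            continue
        upper = line.upper()
        if upper in ("250-STARTTLS", "250 STARTTLS"):
            state["starttls_offered"] = True
        elif upper == "STARTTLS":
            state["starttls_used"] = True
        elif upper.startswith("354"):             # server accepted DATA
            in_data = True
    return state


def assess_alert_exposure(text: str) -> dict:
    """Classify the session and, for cleartext mail, expose what an observer saw."""
    s = parse_smtp_stream(text)
    report = {"starttls_offered": s["starttls_offered"],
              "starttls_used": s["starttls_used"],
              "verdict": "encrypted" if s["starttls_used"] else "no-message",
              "sender": None, "subject": None, "body": None}
    if s["raw_message"] is not None and not s["starttls_used"]:
        msg = email.message_from_string(s["raw_message"], policy=policy.default)
        report.update(verdict="cleartext",
                      sender=str(msg["From"]), subject=str(msg["Subject"]),
                      body=msg.get_content())
    return report


if __name__ == "__main__":
    for name, sample in (("cleartext", SMTP_CLEARTEXT), ("tls", SMTP_TLS)):
        r = assess_alert_exposure(sample)
        print(name, r["verdict"], "STARTTLS offered:", r["starttls_offered"])
```

A session reported as cleartext while the server offered STARTTLS points at the FortiGate side of the configuration rather than the mail server: the email service on the FortiGate was left on plain SMTP even though the server was ready to encrypt.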

Lab 10: Use Cases

In this lab, you will configure Fortinet devices based on requirements that a customer has provided. The lab is
preconfigured with IP addresses.

Objectives
l Complete all tasks to configure the network based on the customer requirements

Time to Complete
Estimated: 150 minutes

Which Network Segment Will You Work On?


In the first exercise, you will segment the HR network and connect its OSPF area to the backbone.

In the second exercise, you will implement ADVPN on HQ-NGFW with BR2-FGT-1 and BR3-FGT-1 as spokes.

In the third exercise, you will implement the Fortinet Security Fabric to create an automatic backup.

Prerequisites
Before you begin this lab, you must restore the initial configuration files on the Fortinet devices. The configuration
files are located on the desktop of HQ-PC-1.

To restore the HQ-DCFW configuration file


1. On HQ-PC-1, open a browser.
2. Connect to the HQ-DCFW GUI.
3. Log in with the following credentials:
l Username: admin
l Password: Fortinet1!
4. In the upper-right corner, click admin, and then click Configuration > Restore.
5. Click Local PC, and then click Upload.
6. Click Desktop > Resources > Enterprise-FW > Use_Case, select HQ-DCFW_Use_Case_initial.conf, and
then click Select.
7. Click OK.
8. Click OK to reboot.

To restore the HQ-NGFW-1 configuration file


1. On HQ-PC-1, open a browser.
2. Connect to the HQ-NGFW-1 GUI.
3. Log in with the following credentials:
l Username: admin
l Password: Fortinet1!
4. In the upper-right corner, click admin, and then click Configuration > Restore.
5. Click Local PC, and then click Upload.
6. Click Desktop > Resources > Enterprise-FW > Use_Case, select HQ-NGFW-1_Use_Case_initial.conf,
and then click Select.
7. Click OK.
8. Click OK to reboot.

After the reboot, you can adjust the override setting and the HA priority on HQ-NGFW-
1 and HQ-NGFW-2, so HQ-NGFW-1 remains the primary FortiGate.

To restore the HQ-ISFW configuration file


1. On HQ-PC-1, open a browser.
2. Connect to the HQ-ISFW GUI.
3. Log in with the following credentials:
l Username: admin
l Password: Fortinet1!

4. In the upper-right corner, click admin, and then click Configuration > Restore.
5. Click Local PC, and then click Upload.
6. Click Desktop > Resources > Enterprise-FW > Use_Case, select HQ-ISFW_Use_Case_initial.conf, and
then click Select.
7. Click OK.
8. Click OK to reboot.

To restore the BR2-FGT-1 configuration file


1. On HQ-PC-1, open a browser.
2. Connect to the BR2-FGT-1 GUI.
3. Log in with the following credentials:
l Username: admin
l Password: Fortinet1!
4. In the upper-right corner, click admin, and then click Configuration > Restore.
5. Click Local PC, and then click Upload.
6. Click Desktop > Resources > Enterprise-FW > Use_Case, select BR2-FGT-1_Use_Case_initial.conf,
and then click Select.
7. Click OK.
8. Click OK to reboot.

To restore the BR3-FGT-1 configuration file


1. On HQ-PC-1, open a browser.
2. Connect to the BR3-FGT-1 GUI.
3. Log in with the following credentials:
l Username: admin
l Password: Fortinet1!
4. In the upper-right corner, click admin, and then click Configuration > Restore.
5. Click Local PC, and then click Upload.
6. Click Desktop > Resources > Enterprise-FW > Use_Case, select BR3-FGT-1_Use_Case_initial.conf,
and then click Select.
7. Click OK.
8. Click OK to reboot.

To restore the FortiManager configuration file


1. On HQ-PC-1, open a browser.
2. Connect to the HQ-FMG-1 GUI.
3. Log in with the following credentials:
• Username: admin
• Password: Fortinet1!
4. Click root.
5. In the System Information widget, in the System Configuration field, click the Restore icon.


6. In the Backup File field, click Add Files.


7. Click Desktop > Resources > Enterprise-FW > Use_Case, select HQ-FMG-1_Use_Case_initial.dat, and
then click Select.
8. In the Password field, type Fortinet1!.
9. Click OK.

After you restore the database on HQ-FMG-1, you must disable offline mode in
System Settings > Advanced > Misc Settings.

Exercise 1: Configuring the HR Network

In this exercise, you will configure the enterprise network based on the following basic customer requirements:
• Implement segmentation on the HQ-PC-3 HR network.
• Add dynamic routing.
• Allow the HR segment to access the internet and HQ-Web-1.

Network Topology

Review the current configuration, as shown in the following image, before you proceed to the next section:

The OSPF area 0.0.0.0 is already configured and includes HQ-DCFW, the Core1
VDOM, and the HQ-ISFW root VDOM.

Requirements

To implement segmentation in the HR network


• On HQ-ISFW, create the Zone2 VDOM and VLAN102 interface with the PING option.
• Create the inter-VDOM link between the root VDOM and Zone2 VDOM.

To add dynamic routing


• On HQ-ISFW, configure the 0.0.0.1 OSPF area between the root VDOM and new Zone2 VDOM.
• Allow the OSPF protocol to inject the 10.0.3.0/24 subnet into the backbone area.
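An added example (not the lab guide's own script) of the HQ-ISFW CLI that covers the segmentation and dynamic routing requirements above on the Zone2 side: the Zone2 VDOM, VLAN102 with only PING allowed, the inter-VDOM link, and OSPF area 0.0.0.1. The parent port (port3), the link name r2z2, the link subnet 10.255.2.0/30 and the VLAN102 address 10.0.3.254 are assumptions; only the 10.0.3.0/24 subnet, the VLAN102 name and the area number come from the exercise.

```fortios
# Added example; run from the global context of HQ-ISFW (multi-VDOM mode).
config vdom
    edit Zone2
    next
end
config global
    config system vdom-link
        edit "r2z2"
        next
    end
    config system interface
        edit "VLAN102"
            set vdom "Zone2"
            set interface "port3"
            set vlanid 102
            set ip 10.0.3.254 255.255.255.0
            set allowaccess ping
        next
        edit "r2z20"
            set vdom "root"
            set ip 10.255.2.1 255.255.255.252
        next
        edit "r2z21"
            set vdom "Zone2"
            set ip 10.255.2.2 255.255.255.252
        next
    end
end
config vdom
    edit Zone2
        config router ospf
            set router-id 10.0.3.254
            config area
                edit 0.0.0.1
                next
            end
            config network
                edit 1
                    set prefix 10.255.2.0 255.255.255.252
                    set area 0.0.0.1
                next
                edit 2
                    set prefix 10.0.3.0 255.255.255.0
                    set area 0.0.0.1
                next
            end
        end
    next
end
```

On the root VDOM side, add area 0.0.0.1 with the 10.255.2.0/30 network to the existing root OSPF configuration; because root also belongs to area 0.0.0.0, it becomes the ABR and advertises 10.0.3.0/24 into the backbone as an inter-area route, which is the route HQ-DCFW should then show.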

To allow the HR segment to access HQ-Web-1 and the internet


• Allow only ping from the HR segment to HQ-Web-1.
• Allow only ping and web traffic from the HR segment to the internet.

You may use the HQ-ISFW_root and HQ-ISFW_Zone2 scripts to configure the
corresponding policy packages.
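An added example (not the guide's HQ-ISFW_Zone2 script) of the Zone2 VDOM policies that implement the HR access requirements: only PING to HQ-Web-1, only PING, HTTP and HTTPS to the internet, and everything else from the HR segment dropped. The inter-VDOM interface name r2z21 and the HQ-Web-1 address 10.0.1.10 are assumptions (the server's real address is on the topology, not on this page); the root VDOM needs matching policies from its end of the link with the same service restriction.

```fortios
# Added example; context: config vdom / edit Zone2 on HQ-ISFW.
# Assumed: r2z21 is the Zone2 end of the inter-VDOM link; 10.0.1.10 stands in for HQ-Web-1.
config firewall address
    edit "HR-net"
        set subnet 10.0.3.0 255.255.255.0
    next
    edit "HQ-Web-1"
        set subnet 10.0.1.10 255.255.255.255
    next
end
config firewall policy
    edit 1
        set name "HR-to-HQ-Web-1-ping-only"
        set srcintf "VLAN102"
        set dstintf "r2z21"
        set srcaddr "HR-net"
        set dstaddr "HQ-Web-1"
        set action accept
        set schedule "always"
        set service "PING"
        set logtraffic all
    next
    edit 2
        set name "HR-to-HQ-Web-1-deny-rest"
        set srcintf "VLAN102"
        set dstintf "r2z21"
        set srcaddr "HR-net"
        set dstaddr "HQ-Web-1"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "HR-to-Internet-ping-web"
        set srcintf "VLAN102"
        set dstintf "r2z21"
        set srcaddr "HR-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "PING" "HTTP" "HTTPS"
        set logtraffic all
    next
end
```

Policy 2 matters because policy 3 uses dstaddr all: without the explicit deny, HTTP from HR to HQ-Web-1 would fall through to policy 3 and be accepted. No policy exists from r2z21 to VLAN102, so the implicit deny covers the reverse test (no ping from HQ-DCFW into the HR network).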

Test the Configuration

Make sure you complete all the configuration steps before you test the configuration.

To test basic connectivity


You must be able to ping the VLAN102 interface from the HQ-PC-3 HR network.

To verify dynamic routing


• In the HQ-ISFW root VDOM, you must see the 0.0.0.1 area in the OSPF status with one fully adjacent neighbor.
The output should be similar to the following example:

• On HQ-DCFW, you must have the 10.0.3.0/24 subnet learned with the OSPF protocol in the routing table.
The output should be similar to the following example:

To test the HR segmentation


• You must be able to ping HQ-Web-1 from the HQ-PC-3 HR network.
• You must be able to browse the internet from the HQ-PC-3 HR network.
• You must not be able to ping the HQ-PC-3 HR network from HQ-DCFW.

Exercise 2: Configuring ADVPN

In this exercise, you will configure the enterprise network based on the following basic customer requirements:
• Implement a VPN with HQ-NGFW as a hub, and BR2-FGT-1 and BR3-FGT-1 as spokes.
• Implement ADVPN on the hub and spokes.
• Allow traffic between the hub and spokes.
• Implement IBGP on the hub and spokes.

Network Topology

Review the current configuration, as shown in the following image, before you proceed to the next section:

Requirements

To implement a VPN with HQ-NGFW as a hub, and BR2-FGT-1 and BR3-FGT-1 as spokes
• Create a VPN tunnel as a hub on the Core1 VDOM.
• Create the corresponding VPN tunnels as spokes on BR2-FGT-1 and BR3-FGT-1.

To implement ADVPN on the hub and spokes


• Configure the tunnel interfaces with the overlay local IP addresses and remote subnet.
• Enable auto-discovery-sender on the hub.
• Enable auto-discovery-receiver on the spokes.

To allow traffic on the hub
• Allow traffic from the spokes to the Core1 VDOM.
• Allow traffic from the Core1 VDOM to the spokes.
• Allow traffic between the spokes.

To allow traffic on the spokes


• Allow traffic from the spokes to the hub.
• Allow traffic from the hub to the spokes.

To implement IBGP on the hub and spokes


• Use the same BGP autonomous system (AS).
• Configure the hub as a BGP route reflector.
• Configure the hub with neighbor groups and ranges.
• Configure the spokes with their corresponding network prefixes.

Test the Configuration

Make sure you complete all the configuration steps before you test the configuration.

To check the status of the VPN tunnels


• Make sure that you bring up the tunnels on the spokes with the following command:
diagnose vpn tunnel up <phase2_tunnel_name>
• Connect over SSH to the Core1 VDOM, BR2-FGT-1, and BR3-FGT-1, and get the tunnel list.
The output should look similar to the following example in the hub:

To verify the IBGP implementation


Log in to the HQ-NGFW-1 GUI and get the routing table in the Core1 VDOM.

The output should look similar to the following example:

To validate the ADVPN implementation


• Enter the following commands on BR2-FGT-1:
execute ping-options source 172.20.2.254
execute ping 172.20.3.254

With the ping option, you generate a ping from the BR2-FGT-1 internal interface to the
BR3-FGT-1 internal interface to bring up the on-demand tunnel.

• On BR3-FGT-1, in the routing table, you must see the BR2-FGT-1 internal subnet 172.20.2.0/24 directly connected with the on-demand tunnel.
The output should look similar to the following example:

Exercise 3: Configuring Automatic Backups

In this exercise, you will configure the enterprise network based on the following basic customer requirements:
• Implement the Security Fabric within the LAN FortiGate devices.
• Implement the automatic configuration backup of the devices in the Security Fabric environment.

Network Topology

Review the current configuration, as shown in the following image, before you proceed to the next section:

Requirements

To configure the Security Fabric


• Configure HQ-NGFW to be the root FortiGate.
• Configure HQ-DCFW and HQ-ISFW to join the Security Fabric environment.

Log in to the FortiManager GUI and ensure that HQ-NGFW, HQ-DCFW, and HQ-ISFW
are in the EFW_Use_Case ADOM.

To achieve automatic configuration backup
• Select the automation trigger based on configuration changes.
• Configure the automation action configuration backup.
• Create the stitch based on the automation trigger and action that you configured.
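An added example (not from the lab guide) of the three automation objects above as FortiOS CLI: a trigger on configuration changes, a system action that backs up the configuration, and the stitch that ties them together. The object names are assumptions, and the backup action is written as the system-actions/backup-config variant; confirm that enum against the 7.6 CLI reference, since the GUI label "Configuration backup" is what the exercise names.

```fortios
# Added example; context: global on the Fabric FortiGate you are protecting.
# Assumed: object names; the backup-config system action value should be
# verified against the FortiOS 7.6 CLI reference.
config system automation-trigger
    edit "Config-Change"
        set event-type config-change
    next
end
config system automation-action
    edit "Config-Backup"
        set action-type system-actions
        set system-action backup-config
    next
end
config system automation-stitch
    edit "Auto-Config-Backup"
        set status enable
        set trigger "Config-Change"
        config actions
            edit 1
                set action "Config-Backup"
                set required enable
            next
        end
    next
end
```

After the stitch fires, the new revision appears under Configuration > Revisions and the System Events log records both the configuration change and the stitch trigger, which is what the test steps for this exercise check.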

Test the Configuration

Make sure you complete all the configuration steps before you test the configuration.

To verify the Security Fabric configuration


In the FortiManager EFW_Use_Case ADOM, click Fabric View > Physical Topology.

The output should be similar to the following image:

To test the automatic configuration backup


1. Connect over SSH to HQ-DCFW, and then log in with the following credentials:
• Username: admin
• Password: password
2. Enter the following commands:
config system interface
edit port2
set description modification
next
end
exit
3. On HQ-DCFW, in the upper-right corner, click admin > Configuration > Revisions.
4. In the 7.6.2 build 3462 row, click + to expand the list.
The output should be similar to the following image:

5. On HQ-DCFW, click Log & Report > System Events > Logs.
6. Confirm that you see the Configuration changed stitch and Automation stitch triggered event logs.
The output should be similar to the following image:


No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
