VLAN1
VLAN10
Internet-Access
DMZ-Out
Web-server-access
system settings
NTP
get router info routing-table details 10.1.10.100
diag firewall iprope lookup 10.1.10.100 12123 1.1.1.2 80 tcp VLAN10
diag firewall iprope lookup 10.1.20.100 12123 1.1.1.2 80 tcp VLAN20
diagnose firewall iprope lookup 10.1.20.100 8 1.1.1.2 0 icmp VLAN20
diagnose firewall iprope lookup 10.1.1.100 8 1.1.1.2 0 icmp VLAN100
diag firewall iprope lookup 1.1.1.2 12123 1.1.1.5 80 tcp port1
execute log display
execute log display filter dump
execute log filter free-style "(srcip 1.1.1.2) and (dstip 1.1.1.5)"
VDOM
two modes - split-task VDOM and multi-VDOM
admin accounts - assigned to a VDOM together with an admin profile
admin-root -> vdom root -> profile prof-admin
admin-fw2 -> vdom fw2 -> profile prof-admin
admin -> vdom global -> profile super_admin -> full access to all VDOMs
interfaces are assigned from global; policies, NAT etc. are configured individually per VDOM
VDOM link -> L3 interface on the backplane that connects VDOMs inside the same box
NPU VDOM link -> same idea, but handled by the hardware processor (NPU)
Transparent
bridging with firewall policy applied
1) put the whole box (VDOM) in transparent mode 2) a virtual wire (pair) allows transparent forwarding between two interfaces while the box stays in L3 (NAT) mode
HA
requirements: same model, hardware, firmware, licenses and connections
FGCP (FortiGate Clustering Protocol)
Heartbeat link - exchanges hellos, synchronises session state, routing table, ARP etc. and the configuration
TCP port 23 is used by FGCP for configuration synchronisation. UDP/ICMP session state sync can also be enabled.
add the primary firewall to HA with priority 200. factory reset the secondary, make sure it has the same model, firmware, transparent/NAT mode, VDOM mode etc., then apply the HA config with priority 100.
primary election: fewest monitored interfaces down, then highest uptime, then highest priority, and finally serial number.
restart the primary: the secondary takes over and there is no pre-emption (by default). system uptime is also considered when choosing the active unit.
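The election order above as a small model you can run, an added example rather than anything from the notes or from FortiOS itself: the 300-second uptime margin and the "override" switch (priority checked before uptime) are assumptions about FortiOS behaviour, and the serial numbers are constructed.

```python
# Added example, not from the notes: a model of the FGCP primary election
# order described above (fewest monitored interfaces down, then highest
# uptime, then highest priority, then serial number). The uptime margin
# and the "override" switch are assumptions about FortiOS behaviour.
from dataclasses import dataclass
from functools import reduce

@dataclass
class Member:
    serial: str            # serial number (constructed sample values in use)
    priority: int          # configured HA priority
    uptime_s: int          # seconds since the unit booted
    down_interfaces: int   # monitored interfaces currently down

def _uptime_winner(a, b, margin_s):
    # Uptimes closer than the margin count as a tie, so a few seconds of
    # difference cannot decide the election (assumed margin, default 300 s).
    if abs(a.uptime_s - b.uptime_s) < margin_s:
        return None
    return a if a.uptime_s > b.uptime_s else b

def _priority_winner(a, b, _margin_s):
    if a.priority == b.priority:
        return None
    return a if a.priority > b.priority else b

def compare(a, b, override=False, margin_s=300):
    """Pairwise election between two cluster members, in the notes' order."""
    # 1) the unit with fewer monitored interfaces down always wins
    if a.down_interfaces != b.down_interfaces:
        return a if a.down_interfaces < b.down_interfaces else b
    # 2)/3) uptime, then priority; with override the order flips, which is
    # what lets a rebooted higher-priority unit pre-empt the survivor
    checks = [_uptime_winner, _priority_winner]
    if override:
        checks.reverse()
    for check in checks:
        winner = check(a, b, margin_s)
        if winner is not None:
            return winner
    # 4) last resort: the higher serial number (string comparison) wins
    return a if a.serial > b.serial else b

def elect_primary(members, override=False, margin_s=300):
    """Return the member that ends up primary after pairwise comparison."""
    return reduce(lambda a, b: compare(a, b, override, margin_s), members)
```

Feed it the two-unit scenario from the notes (priority 200 and 100, then reboot the 200 unit) to see the survivor keep the primary role until override is enabled.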
reserve a management interface/IP to manage each firewall in the cluster individually; it uses the physical MAC, not the virtual MAC.
only the cluster interface should be used to register with FortiManager or FortiAnalyzer.
config not synchronised - management interface IP,
PKCS#12 -> one file holding the certificate, child/intermediate certs and all keys
for outbound SSL inspection, use a policy-based firewall policy and apply an SSL inspection profile to it
make devices trust the CA: 1) import the CA cert and add the internal CA's root cert 2) on the PC 3) in the browser
www.fortiguard.com - look up the category of a website
FortiGuard web filter actions: allow / monitor / block / warning / authenticate
overrides: 1) web profile override 2) web category/rating override
DNS filtering - reads the DNS response and allows/denies it. can enforce safe search, block C&C/botnet domains, block specific IPs, use an external IP list, do DNS translation, filter by DNS category
the FortiGuard DB has the botnet-domain and botnet-IP lists
actions: allow, monitor, redirect to portal
Application
1) needs a license; uses the IPS engine and the application DB
2) execute update now (to refresh the DB)
actions: accept, block, monitor, quarantine (block the source IP for some time)
application override - e.g. block YouTube specifically
application filter - by category, such as video/audio
FortiManager:
Why - managed service providers with many firewalls: 1) mass provisioning 2) central config 3) track/audit changes
available as cloud (licensed feature), hardware appliance or VM
1.centralized config management
2.ADOMs - one admin group gets full access, admin group X is limited to a set of firewalls, etc.
3.local provisioning (FDN) - saves bandwidth and delay; AV, IPS, web and email filtering updates are distributed centrally
4.firmware upgrade
5.scripting to selected firewalls
6.logging and reporting
FortiManager vs FortiAnalyzer
FM can also act as a FAZ, but it needs additional resources and logging/reporting is limited
FM can manage a FAZ (which stores the logs) and generate reports from it
conf sys interface
edit port1
set ip 192.168.1.x/24
end
conf
diagnose dvm adom list
diagnose system admin-session list