FortiGate II – Multi Threat Security Systems

In this 3-day class, you will learn advanced FortiGate networking and security. Topics include features commonly in complex or larger enterprise/MSSP networks, such as advanced routing, transparent mode, redundant infrastructure, advanced IPsec VPN, IPS, SSO, data leak prevention, diagnostics, and fine-tuning performance.

Associated Certification:

This is part of the courses that prepare you for the NSE 4 certification exam.

New Version Available:

• FortiGate Infrastructure 6.0

After completing FortiGate II course, you will be able to:

• Deploy FortiGate devices as an HA cluster for fault-tolerance & high performance
• Inspect traffic transparently, forwarding as a Layer 2 device
• Manage FortiGate device’s route table
• Route packets using policy-based and static routes for multi-path and load-balance deployments
• Connect virtual domains (VDOMs) without packets leaving FortiGate
• Implement a meshed / partially redundant VPN
• Diagnose failed IKE exchanges
• Fight hacking & denial of service (DoS)
• Diagnose IPS engine performance issues
• Offer Fortinet Single Sign On (FSSO) access to network services, integrated with Microsoft Active Directory
• Inspect SSL/TLS-secured traffic to prevent encryption used to bypass security policies
• Understand encryption functions and certificates
• Defend against data leaks by identifying files with sensitive data, and blocking them from leaving your private network
• Diagnose and correct common problems
• Optimize performance by configuring to leverage ASIC acceleration chips, such as CP or NPs, instead of only the CPU resources
• Implement IPv6 and hybrid IPv4-IPv6 networks

1. Routing

• Routing table elements
• How FortiGate matches each packet with a route
• Static routes, policy routes, and dynamic routing
• Equal cost multi-path (ECMP)
• Link health monitor
• Loose and strict reverse path forwarding (RPF)
• Link aggregation
• Loopback interfaces and black hole routes
• WAN link load balancing
• How to diagnose broken routes
• Lab – Router Configuration & Troubleshooting

2. Virtual Domains

• VLANs and VLAN tagging
• Virtual Domains (VDOMs)
• Global and per-VDOM resources
• Per-VDOM administrative accounts
• Inter-VDOM Links
• Monitoring per-VDOM resources
• VDOM topologies
• Lab – Virtual Domains

3. Transparent Mode

• Transparent mode vs. NAT mode
• Transparent bridging
• Forwarding domains
• Port pairing
• STP configuration
• Monitoring the MAC address table
• Lab – Transparent Mode VDOMs

4. High Availability

• Active-passive vs. active-active mode
• How and HA cluster elects the primary
• Active-active traffic balancing
• HA failover
• Configuration synchronization
• Session synchronization
• Virtual clustering
• FortiGate session life support protocol (FGCP)
• Checking the status of a HA cluster
• Lab – High Availability

5. Advanced IPSec VPN

• Main vs. aggressive mode negotiations
• Extended authentication (Xauth)
• Static vs. dynamic peers
• Benefits and cost of VPN technologies
• Dialup VPN configuration
• Redundant VPNs
• Troubleshooting
• Lab – Advanced IPSec VPN

6. Intrusion Prevention System (IPS)

• Attacks vs. anomalies
• Protocol Decoders
• FortiGuard IPS Signatures and engines
• CVSS & FortiGuard severity levels
• Custom signature syntax
• Denial of Service (DoS) attacks
• One-arm deployment
• IPS logs
• Diagnostic commands
• Expected IPS engine CPU usage
• Lab – Intrusion Prevention System

7. Fortinet Single Sign-On (FSSO)

• DC agent mode vs. polling modes
• NTLM authentication
• Microsoft Active Directory access modes
• Collector agent configuration
• FortiGate FSSO configuration
• Monitoring FSSO
• Lab – Fortinet Single Sign On

8. Certificate Operations

• Securing traffic
• Symmetric cryptography
• Asymmetric cryptography
• Digital Certificates
• Certificate-based user authentication
• SSL handshake
• Generating and signing certificates
• Importing certificates
• Managing certificate revocation list
• SSL content inspection
• Certificate warnings
• Installing the proxy certificate as a root authority
• Configuration
• Inline SSL decoding
• Lab – Certificate Operations

9. Data Leak Prevention (DLP)

• Why use DLP ?
• Files vs. messages
• Sensors and filters
• Document fingerprinting
• Summary vs. full content archiving
• Lab – Data Leak Prevention

10. Diagnostics

• Why do you need to know precisely what is normal ?
• Network diagrams
• Monitoring network usage & system resource usage
• Physical layer troubleshooting
• Network layer troubleshooting
• Transport layer troubleshooting
• Resources issues
• Hardware testing
• How to load firmware into RAM only, not disk

11. Hardware Acceleration

• How to find which chip(s) your FortiGate model has
• Network Processor (NP) architecture
• Offloading from CPU to NP
• Session requirements for NP offloading
• NP features
• Security Processor (SP) features
• Content Processor (CP) features
• Integrated Processor, also called “system on a chip” (SoC)
• How to determine if your system is taking advantage of offloading

12. IPv6

• Identify IPv6 fundamentals
• Identify FortiOS IPv6 features
• Differentiate between different transition technologies
• Enable IPv6 on GUI and configure an IPv6 interface
• Configure the FortiGate to announce an IPv6 prefix
• Compare SLAAC and DHCPv6
• Create a NAT64 policy
• Create an 6in4 tunnel using IPSec
• Identify new and revised diagnostic commands
• Lab: IPv6 Transition Technologies

Networking and security professionals involved in the design, implementation, and administration of a security infrastructure using FortiGate appliances.

This course assumes knowledge of basic yet FortiGate-specific fundamentals. As a result, if you know about firewalls, but are new to Fortinet, we do not recommend that you skip FortiGate I.

• Knowledge of OSI layers
• Good knowledge of firewalling concepts in an IPv4 network
• Familiarity with all topics presented in the prerequisite FortiGate I course