Course Details
Overview
In this 3-day class, you will learn advanced FortiGate networking and security. Topics include features commonly used in complex or larger enterprise/MSSP networks, such as advanced routing, transparent mode, redundant infrastructure, advanced IPsec VPN, IPS, SSO, data leak prevention, diagnostics, and fine-tuning performance.
Associated Certification:
This is part of the courses that prepare you for the NSE 4 certification exam.
Objectives
After completing the FortiGate II course, you will be able to:
- Deploy FortiGate devices as an HA cluster for fault-tolerance & high performance
- Inspect traffic transparently, forwarding as a Layer 2 device
- Manage the FortiGate device’s route table
- Route packets using policy-based and static routes for multi-path and load-balance deployments
- Connect virtual domains (VDOMs) without packets leaving FortiGate
- Implement a meshed / partially redundant VPN
- Diagnose failed IKE exchanges
- Fight hacking & denial of service (DoS)
- Diagnose IPS engine performance issues
- Offer Fortinet Single Sign On (FSSO) access to network services, integrated with Microsoft Active Directory
- Inspect SSL/TLS-secured traffic to prevent encryption from being used to bypass security policies
- Understand encryption functions and certificates
- Defend against data leaks by identifying files with sensitive data, and blocking them from leaving your private network
- Diagnose and correct common problems
- Optimize performance by configuring FortiGate to leverage ASIC acceleration chips, such as CPs or NPs, instead of only the CPU resources
- Implement IPv6 and hybrid IPv4-IPv6 networks
Contents
1. Routing
- Routing table elements
- How FortiGate matches each packet with a route
- Static routes, policy routes, and dynamic routing
- Equal cost multi-path (ECMP)
- Link health monitor
- Loose and strict reverse path forwarding (RPF)
- Link aggregation
- Loopback interfaces and black hole routes
- WAN link load balancing
- How to diagnose broken routes
- Lab – Router Configuration & Troubleshooting
2. Virtual Domains
- VLANs and VLAN tagging
- Virtual Domains (VDOMs)
- Global and per-VDOM resources
- Per-VDOM administrative accounts
- Inter-VDOM Links
- Monitoring per-VDOM resources
- VDOM topologies
- Lab – Virtual Domains
3. Transparent Mode
- Transparent mode vs. NAT mode
- Transparent bridging
- Forwarding domains
- Port pairing
- STP configuration
- Monitoring the MAC address table
- Lab – Transparent Mode VDOMs
4. High Availability
- Active-passive vs. active-active mode
- How an HA cluster elects the primary
- Active-active traffic balancing
- HA failover
- Configuration synchronization
- Session synchronization
- Virtual clustering
- FortiGate session life support protocol (FGCP)
- Checking the status of an HA cluster
- Lab – High Availability
5. Advanced IPSec VPN
- Main vs. aggressive mode negotiations
- Extended authentication (Xauth)
- Static vs. dynamic peers
- Benefits and cost of VPN technologies
- Dialup VPN configuration
- Redundant VPNs
- Troubleshooting
- Lab – Advanced IPSec VPN
6. Intrusion Prevention System (IPS)
- Attacks vs. anomalies
- Protocol Decoders
- FortiGuard IPS Signatures and engines
- CVSS & FortiGuard severity levels
- Custom signature syntax
- Denial of Service (DoS) attacks
- One-arm deployment
- IPS logs
- Diagnostic commands
- Expected IPS engine CPU usage
- Lab – Intrusion Prevention System
7. Fortinet Single Sign-On (FSSO)
- DC agent mode vs. polling modes
- NTLM authentication
- Microsoft Active Directory access modes
- Collector agent configuration
- FortiGate FSSO configuration
- Monitoring FSSO
- Lab – Fortinet Single Sign On
8. Certificate Operations
- Securing traffic
- Symmetric cryptography
- Asymmetric cryptography
- Digital Certificates
- Certificate-based user authentication
- SSL handshake
- Generating and signing certificates
- Importing certificates
- Managing certificate revocation list
- SSL content inspection
- Certificate warnings
- Installing the proxy certificate as a root authority
- Configuration
- Inline SSL decoding
- Lab – Certificate Operations
9. Data Leak Prevention (DLP)
- Why use DLP?
- Files vs. messages
- Sensors and filters
- Document fingerprinting
- Summary vs. full content archiving
- Lab – Data Leak Prevention
10. Diagnostics
- Why do you need to know precisely what is normal?
- Network diagrams
- Monitoring network usage & system resource usage
- Physical layer troubleshooting
- Network layer troubleshooting
- Transport layer troubleshooting
- Resource issues
- Hardware testing
- How to load firmware into RAM only, not disk
11. Hardware Acceleration
- How to find which chip(s) your FortiGate model has
- Network Processor (NP) architecture
- Offloading from CPU to NP
- Session requirements for NP offloading
- NP features
- Security Processor (SP) features
- Content Processor (CP) features
- Integrated Processor, also called “system on a chip” (SoC)
- How to determine if your system is taking advantage of offloading
12. IPv6
- Identify IPv6 fundamentals
- Identify FortiOS IPv6 features
- Differentiate between different transition technologies
- Enable IPv6 on GUI and configure an IPv6 interface
- Configure the FortiGate to announce an IPv6 prefix
- Compare SLAAC and DHCPv6
- Create a NAT64 policy
- Create a 6in4 tunnel using IPSec
- Identify new and revised diagnostic commands
- Lab: IPv6 Transition Technologies
Target Audience
Networking and security professionals involved in the design, implementation, and administration of a security infrastructure using FortiGate appliances.
This course assumes knowledge of basic yet FortiGate-specific fundamentals. As a result, if you know about firewalls, but are new to Fortinet, we do not recommend that you skip FortiGate I.
Prerequisites
- Knowledge of OSI layers
- Good knowledge of firewalling concepts in an IPv4 network
- Familiarity with all topics presented in the prerequisite FortiGate I course