1. Virtual IP
VIPs are typically used to NAT external or public IP addresses to internal or private IP addresses.
2. NGFW mode (profile-based vs policy-based)
Profile-based mode is the traditional mode where you create a profile (antivirus, web filter, and so on) and then apply the profile to a policy.
In policy-based NGFW mode, you allow applications and URL categories to be used directly in security policies, without requiring web filter or application control profiles.
In policy-based mode:
- Central NAT is always enabled. If no Central SNAT policy exists, you must create one. See Central SNAT for more information.
- Pre-match rules are defined separately from security policies, and define broader rules, such as SSL inspection and user authentication.
3. Speed test
Requires a FortiGuard SD-WAN Network Monitor license.
On the Interface page, click the Execute Speed Test button; the result is added as Estimated bandwidth.
4. Application ID
Go to fortiguard.com > Threat Lookup > Application Control; each application has a unique ID.
Look for the session from the CLI (replace 11111 with the application ID):
diag sys session list | grep 11111
5. Captive Portal
On the LAN interface, turn on Security Mode.
System > Replacement Message > Login Page, to customize the portal page.
System > Replacement Message > Manage Images, to upload images used by the page.
6. Traffic shaper to prioritize cloud access traffic
I. An Application Control profile is assigned to the outbound policy.
II. Security Profiles > Application Signatures, create an Application Group "CloudApps" that includes applications such as aws, salesforce and office365.
III. Policy & Objects > Traffic Shaping Policy, create two policies: one for CloudApps with a high-priority shared shaper and reverse shaper, and one for everything else with a low-priority shared shaper and reverse shaper.
7. Conserve mode
A FortiGate enters the "conserve mode" state as a self-protection measure when the system runs short of memory.
8. Shaper
I. Traffic Shapers.
Shared: defines maximum and guaranteed bandwidth together with the traffic priority class.
Per IP shaper: with per-IP traffic shaping, you can limit each IP address's behavior to avoid a situation where one user uses all of the available bandwidth.
II. Traffic shaping policy.
Specifies which traffic matches and applies the shaper as the Action.
9. Cryptocurrency miner
I. Anti-Virus profile
II. DNS Filter
III. Application control
IV. IPS
10. Guest access
I. Create a new Guest Group or use the default guest-group.
II. Guest Management, to add a new guest user.
III. To authorize other people to manage guest accounts, create a new administrator account such as "guestadmin", turn on "Restrict admin to guest account provisioning only", and specify the guest group to manage.
IV. Enable Captive Portal on the Guest interface and set "Restricted to Groups" to the Guest Group.
11. LB
I. System > Feature Visibility > Load Balance
II. Policy & Objects > Virtual Servers
III. Create a firewall policy with the virtual server as the destination and Inspection Mode set to Proxy-based.
12. local DNS server
I. System > Feature Visibility > DNS Database
II. Network > DNS Server
13. Use a Per IP Shaper to set the maximum concurrent sessions for a host.
14. Session info:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042
15. External Black list
I. Create a black list and host it, for example, on a web server.
II. Security Fabric > External Connectors > Threat Feeds - IP Address, point to the black list.
III. Security Profiles > DNS Filter, turn on External IP Block Lists and select the black list.
IV. Enable the DNS Filter security profile in the firewall policy.
16. DNS translation
Security Profiles > DNS Filter, turn on "DNS Translation".
17. Zone
Remove the interface IP and all other references to the interface before it can be added to a zone.
18. Session Helper (ALG)
show system session-helper
19. Web Profile Overrides (assign a different Web Filter profile to a specific user, group or IP)
20. Web Rating Overrides (reassign a URL to another category; a custom category can be created)
21. Security rating.
22. Internet Service Database (ISDB) used in Firewall policy
Cisco equivalent: Application control.
23. Inspection Mode: Flow-based vs Proxy-based
===========
RPF (Reverse Path Forwarding)
In feasible mode, the packet is accepted as long as there is one active route to the source IP through the incoming interface. In strict mode, FortiGate checks that the best route to the source IP address is through the incoming interface. The route not only has to be active (as in the case of feasible path mode), but it also has to be the best.
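The difference between the two RPF modes, as an added Python model (not FortiGate code): the routing table, the Route fields and the best-route tie-break order (longest prefix, then lowest distance, then lowest priority) are assumptions made for the illustration.

```python
# Added example: simplified model of the RPF anti-spoofing check in feasible vs strict mode.
# Not FortiGate code; table layout and tie-break order are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str       # destination prefix, e.g. "10.1.0.0/16"
    interface: str    # egress interface of the route
    distance: int = 10
    priority: int = 0
    active: bool = True


def _candidate_routes(table, src_ip):
    """Active routes whose prefix covers the packet's source IP."""
    ip = ip_address(src_ip)
    return [r for r in table if r.active and ip in ip_network(r.prefix)]


def best_route(table, src_ip):
    """Best active route to src_ip: longest prefix, then lowest distance, then lowest priority."""
    cands = _candidate_routes(table, src_ip)
    if not cands:
        return None
    return min(cands, key=lambda r: (-ip_network(r.prefix).prefixlen, r.distance, r.priority))


def rpf_accepts(table, src_ip, in_interface, strict=False):
    """True if a packet from src_ip arriving on in_interface passes the RPF check.

    Feasible mode: accept if ANY active route to src_ip points out the incoming interface.
    Strict mode:   accept only if the BEST route to src_ip points out the incoming interface.
    """
    if strict:
        best = best_route(table, src_ip)
        return best is not None and best.interface == in_interface
    return any(r.interface == in_interface for r in _candidate_routes(table, src_ip))


# Constructed sample table: default route via wan1, a more specific route to 10.1.0.0/16
# via wan2, and an inactive backup route to 10.1.0.0/16 via wan1.
SAMPLE_TABLE = [
    Route("0.0.0.0/0", "wan1"),
    Route("10.1.0.0/16", "wan2", distance=10),
    Route("10.1.0.0/16", "wan1", distance=20, active=False),
]

if __name__ == "__main__":
    # Packet from 10.1.2.3 arriving on wan1: the default route via wan1 covers it, so
    # feasible mode accepts; the best route is via wan2, so strict mode drops it.
    print("feasible:", rpf_accepts(SAMPLE_TABLE, "10.1.2.3", "wan1"))               # True
    print("strict:  ", rpf_accepts(SAMPLE_TABLE, "10.1.2.3", "wan1", strict=True))  # False
```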