Fortinet Certified Network Security Professional

谢俊英
2023-12-01
Fortinet Certified Network Security Professional Training Notes
Implementing FortiGate Security and Content Inspection
Course 925-201b Authorized Training
Instructor: Florence Lau, Fortinet Malaysia Sdn. Bhd.
Author: Bigradish
1. Default IP: https://192.168.1.99; default access: HTTPS, HTTP, ping.
2. Login: admin / no password.
3. SOHO models: the default firewall policy allows all traffic from internal to external.
4. Set addressing mode: manual, DHCP, PPPoE; DynDNS; PPPoE MTU 1492.
5. Control administrative access, MTU, logging.
6. Ping server for interface fail-over (exception: FG50).
7. Supports DDNS for both PPPoE and DHCP.
8. DNS forwarding feature (SOHO models only): requests are sent to the FortiGate unit, which forwards them to the configured DNS.
9. Timeouts:
   - admin session idle: 5
   - firewall policy authentication idle: 15
10. Dead gateway detection: default timer: 5
  
11. Firmware upgrade:
   - use the web-based manager (HTTP/HTTPS)
   - CLI and TFTP server
12. Logging: syslog server, WebTrends server, local disk, memory, FortiLog.
13. FortiLog only accepts log messages from registered devices.
14. FDS registration:
   - after purchasing and installing a new FortiGate unit
   - register the unit to be able to receive antivirus and attack signature updates
   - after registration you have:
     1) a three-month period to receive free updates
     2) a one-month free trial period for FortiGuard
15. Fortinet Knowledge Center: http://kc.forticare.com
16. Console access from the web-based manager:
   - IE
   - Java must be installed on your PC.
17. HA can be configured on any platform except the FG50(A).
18. Virtual domains: in NAT mode there can be only 2 VDOMs; in transparent mode there can be 10.
19. Transparent mode default management IP address: 10.10.10.1
20. Administrator access on: internal interface: HTTPS, HTTP, ping; wan1/external: ping; dmz: HTTPS, ping.
21. Supports 802.1Q VLAN trunking; one port can carry multiple VLAN IDs, but the same VLAN ID cannot be used twice on the same port at the same time.
22. VLANs do not support overlapping IP addresses.
23. All other models can have up to 4096 VLANs; the 50(A) can have 10 VLAN IDs.
24. Physical and logical (VLAN) interfaces are assigned to zones; policies are defined between zones;
   routing is used to choose the correct policy set.
25. When a zone contains several VLANs, traffic on the same VLAN ID can pass between them unless "Block intra-zone traffic" is specified.
26. In FortiOS 3.0, multiple virtual domains can run in different modes at the same time (mixed mode), so on a FortiGate mixed mode must be implemented through VDOMs; the same interface cannot belong to different VDOMs at the same time.
   config system global
       set vdom-admin enable
   end
27. Policy routing has the highest precedence. When implementing policy routing, the ping server must be enabled. When writing a policy route, the gateway address field does not need to be filled in; leaving it at the default 0.0.0.0 is fine.
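To make items 24, 25 and 27 concrete, here is an added model (not FortiGate code, not from the notes) of the lookup order they describe: a policy route is tried first and wins when it matches; otherwise the routing table is searched by longest prefix; the chosen egress interface and the ingress interface are then mapped to zones, and the zone pair names the policy set, with intra-zone traffic passing unless "Block intra-zone traffic" is set. The interfaces, zones, networks and routes are constructed, and the `LINK_UP` table is an assumed stand-in for the ping-server (dead gateway detection) result; the model assumes a policy route whose egress link is dead is skipped.

```python
"""Routing and zone lookup model: policy route first, then routing table,
then zone pair -> policy set.  Constructed example, not FortiGate code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class PolicyRoute:
    src: str                   # source network the route applies to
    dst: str                   # destination network
    out_iface: str             # forced outgoing interface
    gateway: str = "0.0.0.0"   # item 27: the gateway field can stay at 0.0.0.0


@dataclass
class Route:
    prefix: str
    out_iface: str


# Constructed topology: a physical and a VLAN interface in one zone, two WAN
# links in another zone.
ZONES = {"internal": "inside", "vlan10": "inside", "wan1": "outside", "wan2": "outside"}

# Assumed stand-in for the ping-server / dead-gateway-detection result.
LINK_UP = {"internal": True, "vlan10": True, "wan1": True, "wan2": True}

POLICY_ROUTES = [PolicyRoute("10.0.10.0/24", "0.0.0.0/0", "wan2")]
ROUTING_TABLE = [
    Route("0.0.0.0/0", "wan1"),
    Route("10.0.0.0/16", "internal"),
    Route("10.0.10.0/24", "vlan10"),
]


def select_egress(src_ip, dst_ip, link_up=LINK_UP):
    """Policy routes are consulted first and win when they match; the model
    assumes a policy route is skipped when its egress link is marked dead, so
    the ordinary routing table (longest prefix wins) is used instead."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pr in POLICY_ROUTES:
        if (src in ipaddress.ip_network(pr.src) and dst in ipaddress.ip_network(pr.dst)
                and link_up.get(pr.out_iface, False)):
            return pr.out_iface
    matches = [r for r in ROUTING_TABLE if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        raise LookupError(f"no route to {dst_ip}")
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen).out_iface


def policy_set(in_iface, src_ip, dst_ip, block_intra_zone=False, link_up=LINK_UP):
    """Map ingress and egress interfaces to zones and name the policy set."""
    out_iface = select_egress(src_ip, dst_ip, link_up)
    src_zone, dst_zone = ZONES[in_iface], ZONES[out_iface]
    if src_zone == dst_zone:
        verdict = "blocked: intra-zone" if block_intra_zone else "intra-zone: allowed"
        return src_zone, dst_zone, verdict
    return src_zone, dst_zone, f"evaluate policies {src_zone}->{dst_zone}"


if __name__ == "__main__":
    print(select_egress("10.0.10.5", "8.8.8.8"))                              # wan2 via policy route
    print(select_egress("10.0.10.5", "8.8.8.8", {**LINK_UP, "wan2": False}))  # wan1 after failover
    print(policy_set("internal", "10.0.1.5", "10.0.10.7", block_intra_zone=True))
```

Note the caveat the model makes visible: the constructed policy route has destination 0.0.0.0/0, so traffic from 10.0.10.0/24 to another inside network would also be forced out wan2; in practice the destination of a policy route should be narrowed so that it does not override the routing table for internal destinations.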
28. FortiGate firewall policies permit traffic sessions based on where the traffic session first begins.
29. Schedules in FortiGate firewall policies are applied according to the time set on the FortiGate unit.
30. NAT-mode policies translate the source address to an address randomly selected from a pool; this supports multiple connections to a destination interface when using fixed ports. Without an IP pool, the outgoing interface IP address is used in NAT policies.
31. Must include a protocol with a user interface in the policy services: HTTP, FTP, Telnet. The auth timeout limits connection idle time and is source-IP-address based. Authentication user groups: local, LDAP, RADIUS.
32. Protection profiles control FortiGate content filtering for five protocols: HTTP, FTP, IMAP, SMTP, POP3;
   when user authentication is used, the user group's protection profile applies rather than the firewall policy's protection profile.
33. Encrypt policies (IPsec VPN policies) are always on top.
34. PPTP and L2TP users are authenticated by the firewall policy; link the firewall policy to the PPTP or L2TP VPN through the user group configuration. Local users are matched first.
35. Virtual IPs (VIPs) have 2 modes: 1) static NAT: translates the VIP to the internal address for all incoming and outgoing traffic; TCP/UDP port numbers are not modified. 2) port forwarding: using the external address 0.0.0.0 acts as a dynamic external address.
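The two NAT behaviours in items 30 and 35 are easy to confuse, so here is an added example (constructed; not FortiGate code and not from the notes) that models both: outbound source NAT with and without an IP pool and with or without fixed ports, and inbound virtual IPs in static NAT mode versus port forwarding mode, including the 0.0.0.0 external address that stands for the interface's own (possibly dynamic) address. `WAN_IP`, `IP_POOL`, the VIP entries and every packet are constructed values.

```python
"""Source NAT (with/without IP pool, fixed port) and inbound virtual IPs
(static NAT vs port forwarding).  Constructed example, not FortiGate code."""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


WAN_IP = "203.0.113.10"                                     # constructed interface address
IP_POOL = ["203.0.113.20", "203.0.113.21", "203.0.113.22"]  # constructed IP pool


def source_nat(pkt, ip_pool=None, fixed_port=False, rng=random):
    """Outbound NAT policy (item 30). With a pool the new source address is
    picked at random from it; without one the outgoing interface address is
    used. fixed_port keeps the original source port, which works because the
    distinct pool addresses keep same-destination sessions apart; otherwise a
    fresh ephemeral port is allocated."""
    new_ip = rng.choice(ip_pool) if ip_pool else WAN_IP
    new_port = pkt.src_port if fixed_port else rng.randint(1024, 65535)
    return Packet(new_ip, new_port, pkt.dst_ip, pkt.dst_port, pkt.proto)


@dataclass(frozen=True)
class VirtualIP:
    ext_ip: str                       # "0.0.0.0" = use the interface's (dynamic) address
    mapped_ip: str
    ext_port: Optional[int] = None    # None = static NAT: all ports, unmodified
    mapped_port: Optional[int] = None
    proto: str = "tcp"


def destination_nat(pkt, vips, iface_ip=WAN_IP):
    """Inbound VIP match (item 35). Static NAT rewrites only the address and
    leaves the port alone; port forwarding matches one external port and
    protocol and may rewrite the port. Returns the translated packet, or None
    when no VIP applies (the packet then goes through ordinary policy lookup)."""
    for vip in vips:
        ext_ip = iface_ip if vip.ext_ip == "0.0.0.0" else vip.ext_ip
        if pkt.dst_ip != ext_ip:
            continue
        if vip.ext_port is None:
            return Packet(pkt.src_ip, pkt.src_port, vip.mapped_ip, pkt.dst_port, pkt.proto)
        if pkt.proto == vip.proto and pkt.dst_port == vip.ext_port:
            return Packet(pkt.src_ip, pkt.src_port, vip.mapped_ip, vip.mapped_port, pkt.proto)
    return None


if __name__ == "__main__":
    vips = [VirtualIP("203.0.113.30", "192.168.1.20"),               # static NAT, all ports
            VirtualIP("0.0.0.0", "192.168.1.21", 8080, 80)]          # port forwarding on WAN_IP
    print(source_nat(Packet("192.168.1.10", 40000, "198.51.100.5", 80), IP_POOL, fixed_port=True))
    print(destination_nat(Packet("198.51.100.9", 5555, "203.0.113.30", 443), vips))
    print(destination_nat(Packet("198.51.100.9", 5555, WAN_IP, 8080), vips))
    print(destination_nat(Packet("198.51.100.9", 5555, WAN_IP, 22), vips))   # None: no VIP
```

The last call shows the defensive point of port forwarding: a static NAT VIP exposes every port of the internal host, while a port-forwarding VIP exposes only the one port it maps, so everything else arriving at the external address is left to the normal policy lookup.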
36. When upgrading FortiOS 2.8 MR8 or MR9 to MR10 or MR11, the previous IPS configuration is cleared.
37. IM/P2P software can generally be blocked, but not completely, especially newer versions.
38. FortiGuard antispam service is a worldwide network of servers:
   Phase 1: DNSBL check.
   Phase 2: URL check.
39. Antispam filter ordering for SMTP:
   1. IP address BWL check
   2. RBL and ORDBL check
   3. email address BWL check
   4. MIME headers check
   5. IP address BWL check (for IPs extracted from "Received" headers)
   6. return email DNS check
   7. banned word check
   Antispam filter ordering for IMAP and POP3:
   1. email address BWL check
   2. MIME headers check: IP BWL check
   3. return email DNS check (FortiGuard services, DNSBL, ORDBL)
   4. banned word check
40. File blocking is performed before antivirus scanning.
41. FortiGate firewall virus list; wild-list viruses: http://www.wildlist.org, http://www.eicar.org
42. Session splicing is used when traffic is being scanned for viruses:
   - SMTP: splicing enabled: the SMTP transfer is stopped and an error message is sent to the sender;
     splicing disabled: the attachment is removed and the message is delivered to the recipient.
   - FTP upload: splicing enabled: the file is buffered for scanning while it is uploaded to the FTP server; on detection the FTP transfer is stopped and the unit attempts to delete the partially uploaded file.
     Splicing disabled: the file is buffered for scanning before upload; if "clean", it is uploaded to the server.
   - Default setting: enabled (FTP and SMTP).
   - Configurable in the CLI:
config firewall profile
    edit "12"
        unset imap
        unset pop3
        set smtp splice
    next
end
 
43. FortiGate antivirus unzip: 12 layers.
44. FortiGate units cannot scan fragmented email messages for viruses or use pattern blocking to remove restricted files. Fortinet recommends disabling "pass fragmented email" and disabling fragmentation of email messages in the client email software.
45. Heuristics run on Windows portable executables; the log message shows "suspicious".
   Configurable in the CLI:
   (heuristic)# sh
   config antivirus heuristic
       set mode block
   end
46. session-helper means that the protocols configured in the session-helper are not subject to firewall policy control; the firewall passes them straight through without antivirus or other filtering.
47. Scheduled daily restart of the firewall:
   config system global
       set daily_restart enable
       set restart_time 10:30
   end

48. Web filtering order (web filtering uses UDP 8888, antispam filtering uses UDP 8889):
   1. URL filtering (web exempt list)
   2. URL pattern block (web pattern block)
   3. URL block (web URL block)
   4. category block (FortiGuard web filtering)
   5. content block (web content block)
   6. script filtering (web script filter)
   7. antivirus scanning
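Both the SMTP antispam order in item 39 and the web filtering order in item 48 are first-match chains, and the practical consequence of the ordering is that an entry on an early list (an IP white-list entry, a URL exempt entry) decides the verdict before any later check runs. The following added example (constructed; not FortiGate code and not from the notes) models both chains with one `run_chain` function. The lists, the "DNS" data, the category table, the malware marker and the sample messages and requests are all constructed, and each check is a simplified stand-in for the FortiGate feature of the same name.

```python
"""First-match filter chains in the order the notes give for SMTP antispam
(item 39) and for web filtering (item 48).  Constructed example; the checks
are simplified stand-ins for the named FortiGate features."""
import fnmatch


def run_chain(chain, item):
    """Run checks in order; the first one returning a verdict decides.
    Returns (check name, verdict), or (None, "pass") if no check fired."""
    for name, check in chain:
        verdict = check(item)
        if verdict is not None:
            return name, verdict
    return None, "pass"


# ---- SMTP antispam order (item 39). Lists and "DNS" data are constructed.
IP_BWL = {"198.51.100.7": "white", "203.0.113.50": "black"}
RBL_LISTED = {"198.51.100.7", "203.0.113.99"}
EMAIL_BWL = {"spam@example.net": "black"}
DEAD_SENDER_DOMAINS = {"no-such-domain.invalid"}
BANNED_WORDS = {"lottery", "prize"}


def bwl_check(field, table):
    """Black/white list on one message field: white accepts, black rejects."""
    def check(m):
        return {"white": "accept", "black": "reject"}.get(table.get(m.get(field)))
    return check


def received_ips_check(m):
    """IP BWL applied to the addresses extracted from Received: headers."""
    for ip in m.get("received_ips", []):
        if IP_BWL.get(ip) == "black":
            return "reject"
    return None


SMTP_CHAIN = [
    ("ip bwl", bwl_check("peer_ip", IP_BWL)),
    ("rbl/ordbl", lambda m: "reject" if m["peer_ip"] in RBL_LISTED else None),
    ("email bwl", bwl_check("from", EMAIL_BWL)),
    ("mime headers", lambda m: "reject" if m.get("headers", {}).get("X-Spam") == "yes" else None),
    ("received ip bwl", received_ips_check),
    ("return email dns", lambda m: "reject" if m["from"].split("@")[-1] in DEAD_SENDER_DOMAINS else None),
    ("banned word", lambda m: "tag" if set(m.get("body", "").lower().split()) & BANNED_WORDS else None),
]

# ---- Web filter order (item 48). Hosts, patterns and categories are constructed.
URL_EXEMPT = {"intranet.example.com"}
URL_PATTERNS = ["*.bad-ads.example"]
URL_BLOCK = {"blocked.example.org"}
CATEGORY = {"games.example.com": "games"}
BLOCKED_CATEGORIES = {"games"}
CONTENT_WORDS = {"casino"}
AV_MARKER = "CONSTRUCTED-MALWARE-MARKER"   # constructed stand-in for a signature hit


def body_words(r):
    return set(r.get("body", "").lower().split())


WEB_CHAIN = [
    ("url exempt", lambda r: "allow" if r["host"] in URL_EXEMPT else None),
    ("url pattern block", lambda r: "block" if any(fnmatch.fnmatch(r["host"], p) for p in URL_PATTERNS) else None),
    ("url block", lambda r: "block" if r["host"] in URL_BLOCK else None),
    ("category block", lambda r: "block" if CATEGORY.get(r["host"]) in BLOCKED_CATEGORIES else None),
    ("content block", lambda r: "block" if body_words(r) & CONTENT_WORDS else None),
    ("script filter", lambda r: "strip-scripts" if "<script" in r.get("body", "").lower() else None),
    ("antivirus", lambda r: "block" if AV_MARKER in r.get("body", "") else None),
]


if __name__ == "__main__":
    # White-listed peer IP wins even though the same IP is RBL-listed and the
    # sender address is black-listed: the early list short-circuits the chain.
    print(run_chain(SMTP_CHAIN, {"peer_ip": "198.51.100.7", "from": "spam@example.net"}))
    # An exempt host is never content-filtered or script-filtered.
    print(run_chain(WEB_CHAIN, {"host": "intranet.example.com", "body": "casino <script>"}))
```

The first printed line is the case to remember when troubleshooting: a white-list entry at position 1 of the SMTP chain means the RBL, the email black-list and the banned-word check never see that message, so a stale white-list entry silently disables every later control for that peer.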
 
49. Fortinet supported VPN types: IPsec, PPTP, L2TP. FortiOS 3.0 supported VPN types: IPsec, PPTP, L2TP, SSL VPN.
Fortinet IPsec features: IKE main and aggressive modes, NAT traversal, dead peer detection, Internet browsing for FortiClient, outbound NAT mapping, DHCP over IPsec.
DHCP over L2TP is not supported.
50. In China, DDNS is supported with two providers: Oray (网域科技), which is free and whose client software is Peanut Shell (花生壳), and Beijing Todaynic (北京时代互联).
 