ADC Guide

This document provides a lab guide for demonstrating the functionality of FortiADC devices. It contains exercises for configuring load balancing, global load balancing, link load balancing, routing, rewriting, scripting, security features, and more on FortiADC virtual appliances. The lab environment contains two data centers with servers and FortiGates in DMZ1 and DMZ2, which can be accessed through the provided connectivity diagram and start webpage.

FortiADC Workshop

Student Lab Guide


FortiADC 5.3.3
LATAM CSE – Enhanced Technologies

899 Kifer Road


Sunnyvale, CA 94086
Tel: +1-408-235-7700
Fax: +1-408-235-7737 www.fortinet.com
Revision History

Name         Version   Description                                   Date
FCamilo      5.3.1v1   First Version FortiPoC                        Jul2019
OCifuentes   5.3.3v1   Update to V5.3.3 and ESX Infrastructure -     Jan2020
                       iLLB, defacement, BruteForce

Lab Exercises
FortiADC
Contents
Introduction
1 Prerequisites
2 Connectivity Diagram
3 Initial Setup
   3.1 Start webpage
   3.2 Router/Bastion
   3.3 Checking Initial FortiADC Device Settings
   3.4 Testing networking in FortiADC
4 L4 Server Load Balance
   4.1 in FAD1 Verify Health Check
   4.2 Server Pools and Virtual Servers
   4.3 Testing, monitor and logs
   4.4 Troubleshooting
   4.5 Working with Packet Forwarding Method
   4.6 Working with Persistence
5 L7 Server Load Balance (HTTP)
   5.1 L7 HTTP SLB
   5.2 Analyzing Logs
   5.3 Testing Web Failures
6 Global Load Balance
   6.1 Create a L7 SLB in FAD2
   6.2 Create L7 SLB in FAD2 with a Public IP
   6.3 Create VIP on FG2
   6.4 Testing SLB in FAD2
   6.5 Configuring GLB in FAD1

   6.6 Configuring GLB in FAD2
   6.7 Gateway Monitoring
   6.8 Testing GLB
7 Link Load Balance
   7.1 Configure Gateways
   7.2 Create a LLB Policy
   7.3 Create NATs
   7.4 Testing LLB
8 ILLB and Link monitoring (Optional)
   8.1 Modify FADC2 VS
   8.2 Link Gateway to VS on FAD2
   8.3 Create new FQDN
   8.4 Testing ILLB
9 HTTP Routing and Rewriting
   9.1 URL Rewriting
   9.2 Content Routing
10 Scripting
11 ADC Security
   11.1 Authentication
   11.2 Web Application Firewall
      11.2.1 SQL Injection
      11.2.2 XSS
      11.2.3 Command Execution
      11.2.4 HTTP Protocol Constraint
   11.3 Web Vulnerability Scanner
   11.4 Antidefacement
   11.5 Brute Force attack
12 Advanced SLB
   12.1 Preserve Client IP
   12.2 Connection reuse

Introduction

This document is intended to provide the SE with a tool to show Customers and
Partners the main functionalities of the Fortinet devices as virtual machines.
It contains several step-by-step exercises to configure and set up all the
devices and to show them to the customer.

This document covers FortiADC version 5.3.3.

1 Prerequisites

The entire laboratory runs inside an ESX host located in the Sunrise lab, so you
only need a browser or an RDP client to access it.

If you still don't have VPN access to the Sunrise lab, ask latam_cse@fortinet.com
how to configure it.

2 Connectivity Diagram

In this scenario there are two different datacenters with services in DMZ1 and
DMZ2. Both sites have SD-WAN enabled in the FortiGates, with a dedicated
leased line (WAN1 and WAN3) through which both DMZs are accessed, and another
link without any service published.

The web servers' content differs between them just to make it easy to
discover where you are connected (in real life they would probably be mirrors
of each other).

This lab guide will indicate the required access to each VM.

3 Initial Setup
3.1 Start webpage

You can access the start web page hosted in Router/Bastion via
http://10.20.66.xx. There you will find the topology and shortcuts to access
all VMs via web, as well as information on how to access the VMs via RDP or SSH.

3.2 Router/Bastion
Access Router/Bastion via SSH.

Check the DNS configuration of the server: change to /etc and check the file
resolv.conf. It should contain the following IP:

If needed, edit it with the nano command.

3.3 Checking Initial FortiADC Device Settings

Connect to the FAD1 GUI through HTTP with the user admin and no password. You'll
see a welcome wizard that helps with the initial configuration. Hit Cancel, since
we will not use it in this lab.

Go to System > Settings and check the options. Confirm the license is applied
(the serial number is not FADV0000000):

Go to Networking > Interface, then Networking > Routing, and check the
configuration (do not change it, since it was previously configured as required
for this lab):

Repeat the same steps with FAD2.

There's no need to configure anything; it was previously configured for you. The
intention is just to get familiarized with the FortiADC GUI.

3.4 Testing networking in FortiADC

Open an SSH session to FAD1 and test ping to the following IPs from FAD1:

- fortiguard.com (this also tests DNS resolution)

- 198.51.100.130 (this tests that you can reach FAD2)

Now repeat the test from FAD2:

- fortiguard.com (this also tests DNS resolution)

- 198.51.100.2 (this tests that you can reach the other FAD)

In both FortiADCs, go to Log & Report > Log Setting and enable all log options.
This will be necessary for some of the labs in this document:

4 L4 Server Load Balance

In this lab we will configure Layer 4 Load Balance in FortiADC 1. We will create
a virtual server and load balance TCP traffic between WEB1 and WEB2.

4.1 in FAD1 Verify Health Check

There are some health checks created by default. Go to Shared Resources >
Health Check and see how they are configured. See the LB_HLTHCK_HTTP
details:

Question: should you define the destination address here?

4.2 Server Pools and Virtual Servers

Go to Server Load Balance > Real Server Pool > Real Server and create both
webservers:

Then go to Real Server Pool and create a new pool as indicated. Review and try to
understand all the available options while adding the members to the pool:

Then go to Server Load Balance > Virtual Server and create one in Advanced
Mode. Again, remember to verify the available options and try to understand all of
them.

4.3 Testing, monitor and logs

From the FortiView section, check that everything is working:

Now open an RDP session to Router-Bastion, open the web browser and try to
access http://198.51.100.10 and... it does not work!
Why?

4.4 Troubleshooting

To save some time, let's take for granted (and it is true) that Router-Bastion
and the FGT are correctly configured. So let's start with a packet capture in
FAD1 through the CLI.

Open an SSH session to FAD1 (not with the display option, since it does not
accept some characters required here) and run the following command to capture
packets:

diagnose sniffer packet any "host 203.0.113.17" 4

Then try accessing it again from Router-Bastion. You might see something like
this (203.0.113.17 is the Router-Bastion IP):

Question: what happened? Why can you see traffic arriving at port2 and leaving
at port3 towards the real servers, but no traffic back from the servers?

4.5 Working with Packet Forwarding Method

In our case, the traffic does not return from the web servers to FAD because
they do not have FAD as their default gateway. You could fix that by pointing a
route to the FAD port3 IP, but what if you can't do that for some reason?

By default, the FAD L4 SLB Virtual Server uses the DNAT packet forwarding
method, meaning it changes only the destination IP (from the VIP to the real
server IP, as we've seen in the packet capture). Another option is FullNAT,
where the source IP is also changed, so the real servers reply to an address
owned by FAD.
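The DNAT versus FullNAT behaviour described above, modelled in Python as an added example (not FortiADC code). The client and VIP addresses come from the lab; the real-server, port3 and NAT-pool addresses are assumptions made up for the model:

```python
"""Model of the L4 forwarding methods from the lab: why a DNAT virtual
server breaks when the real servers do not route through FAD, and why
FullNAT fixes it. Added example, not FortiADC code."""
from dataclasses import dataclass

# Addresses from the lab guide: Router-Bastion client and the VIP of VS_Web_DMZ1.
CLIENT = "203.0.113.17"
VIP = "198.51.100.10"
# Assumed values (constructed for this model, not taken from the guide).
REAL_SERVERS = ["198.51.100.21", "198.51.100.22"]   # WEB1 / WEB2
FAD_PORT3 = "198.51.100.20"                         # FAD1 DMZ-side interface
NAT_POOL = "198.51.100.30"                          # IP pool member for FullNAT
FAD_OWNED = {VIP, FAD_PORT3, NAT_POOL}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def forward(request: Packet, method: str, rs_index: int = 0) -> Packet:
    """Rewrite a client packet addressed to the VIP the way the VS does."""
    if request.dst != VIP:
        raise ValueError("packet is not addressed to the VIP")
    rs = REAL_SERVERS[rs_index % len(REAL_SERVERS)]
    if method == "DNAT":
        # Only the destination changes; the client's IP is kept as source.
        return Packet(src=request.src, dst=rs)
    if method == "FullNAT":
        # Destination and source change; the real server sees FAD's pool IP.
        return Packet(src=NAT_POOL, dst=rs)
    raise ValueError(f"unknown forwarding method: {method}")


def real_server_reply(request: Packet, fad_is_default_gateway: bool):
    """The real server answers the source address it saw. The reply passes
    through FAD only if FAD is its default gateway or the destination is an
    address FAD owns (same-subnet delivery)."""
    reply = Packet(src=request.dst, dst=request.src)
    passes_fad = fad_is_default_gateway or request.src in FAD_OWNED
    return reply, passes_fad


def untranslate(reply: Packet, original: Packet) -> Packet:
    """FAD reverses its translation for a reply it sees: source back to the
    VIP, destination back to the real client."""
    return Packet(src=original.dst, dst=original.src)


def client_accepts(original: Packet, reply: Packet) -> bool:
    """The client's TCP session is keyed on (VIP, client). A reply whose
    source is a real-server IP matches no session and is dropped."""
    return reply.src == original.dst and reply.dst == original.src


def transaction(method: str, fad_is_default_gateway: bool):
    """Run one request through the VS and report (reply source seen by the
    client, whether the client accepts it)."""
    original = Packet(src=CLIENT, dst=VIP)
    outbound = forward(original, method)
    reply, passes_fad = real_server_reply(outbound, fad_is_default_gateway)
    if passes_fad:
        reply = untranslate(reply, original)
    return reply.src, client_accepts(original, reply)


if __name__ == "__main__":
    for method in ("DNAT", "FullNAT"):
        for gw in (False, True):
            src, ok = transaction(method, gw)
            print(f"{method:8s} fad_is_gw={gw!s:5s} reply_from={src:15s} accepted={ok}")
```

Running it shows the lab's symptom: with DNAT and no route back through FAD the reply reaches the client from the real-server IP and matches no session, while FullNAT (or a route to port3) makes the reply return through FAD and arrive from the VIP.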

Edit the Virtual Server and change the forwarding method to FullNAT:

You will need to create an IP pool to be used for the source NAT. Click on Create New:

Then select it in the Virtual Server pool list and hit OK:

Try again to access the server from Router-Bastion; it should work now.
Sometimes you might see Web1, then Web2.

Note: the web servers are different on purpose for this lab, so we can easily
identify where we've connected; in real life they should have the same content,
since the intention is to load balance the same application.

In FAD1, go to FortiView > Virtual Server, click on VS_Web_DMZ1 and select the
Session section. You should see the sessions with information on the IP Pool
address used as source IP and the web server they connected to:

You can also see the traffic in the Traffic Log > SLB L4.

4.6 Working with Persistence

From the previous session list we can see that there's no persistence, since
some sessions go to WEB1 and others to WEB2.

To configure persistence, edit the Virtual Server and choose one method:

Go to Router-Bastion, then run this command to connect to the server several
times and observe the behavior:

# while true; do curl -v http://198.51.100.10; sleep 1; done

If needed, install curl first:

# apt-get install curl

Go to Log & Report > Log Browsing > Traffic Log and see the generated logs,
including the details:

Run the command to connect to the server several times to see the behavior:

# while true; do curl -v http://198.51.100.10; sleep 1; done

Check the session table again in FAD1 FortiView:

Go to Log & Report > Log Browsing > Traffic Log > SLB L4. You will also see that
all traffic is going to only one server due to persistence.

Check also the Persistence table.

Click to get the log details. Notice there's information only regarding layer 4,
and no information on the application (HTTP in our case). We will compare with
L7 SLB logs in the next lab.

Remember to cancel the script running in Router-Bastion before moving on (use
ctrl+c).

5 L7 Server Load Balance (HTTP)

In this lab we will change the load balancing to Layer 7, which enables a few
more features compared to Layer 4 SLB. We will use FAD1 only.

5.1 L7 HTTP SLB

Go to Server Load Balance > Virtual Server and edit the VS to change it to Layer 7:

Question: notice that there's no option to define the packet forwarding method,
while the NAT Source Pool option is present. Do you know why?

That's because L7 SLB always works as FullNAT. If you do not define a NAT
Source Pool, FAD will use its own interface IP when connecting to the web
servers.

In this lab we will not use a NAT Source Pool, so you need to remove it.

Also, notice that there are two new options at the top, for Security and
Application Optimization:

Verify it is working properly:

5.2 Analyzing Logs

From the Router-Bastion GUI, access http://198.51.100.10 through the browser.

You might connect to either Web1 or Web2, but remember there's a persistence
rule, so you won't be directed to the other server for a while.

Click on some of the existing links or buttons of the website.

Then, from the CLI, access it using this command line:

curl http://198.51.100.10 -v

or just open the URL in the Router-Bastion RDP console.

Go to Log & Report > Log Browsing > Traffic Log > SLB HTTP and check that the
logs have much more information when compared with L4 SLB (like the URL):

Open the log details of the top log event (the last one that happened) and
notice the user agent:

Compare with other log events.

From the Router-Bastion, run the command to connect to the server several times
to see the behavior:

# while true; do curl -v http://198.51.100.10; sleep 1; done

Go to FortiView > Virtual Server and enable analytics:

Click on the VS-Web-DMZ1 link and check all the analytics options available:

Remember to stop the script in Router-Bastion before moving on.

5.3 Testing Web Failures

Connect to WEB2 via an SSH client and run the following command:

Don't worry about any error presented related to the Apache configuration. Wait
a few seconds and verify that WS1 is not available anymore:

Question: why is it considered offline when we also defined ping as a valid
health check option for the server?
Review the health check: it should be configured as ping AND http.

Test again by navigating the website from the Router-Bastion browser. Click on
the links in the web server, then check the SLB HTTP Traffic log details.

Return to WEB2 and restart the web server with the following command:

Wait a few seconds and verify that WEB2 is considered online again. Check the
logs to see the health check monitoring:

6 Global Load Balance

Now let's suppose the network admin decided to replicate the same environment
in a second datacenter (with DMZ2, FAD2 and WEB3/4). The intention here is not
only to have an SLB for local users from LAN2, but also to provide redundancy
for external users accessing this service.

In this lab we will create a second datacenter behind FGT2, create an SLB in
FAD2 as well, then configure GSLB so an external user can keep using the
services even if one of the datacenters fails.

6.1 Create a L7 SLB in FAD2

Connect to FAD2 through HTTP:

Cancel the wizard popup, then go to Server Load Balance > Real Server Pool.
Create two new Real Servers for WEB3 and WEB4:

Then create a new Real Server Pool

Finally, create a Virtual Server as L7 in advanced mode:

6.2 Create L7 SLB in FAD2 with a Public IP

Notice that the internal network DMZ1/2 is routed in the FortiGates and the
Router, but if you want to publish the VS on the WAN network or the Internet,
you can create a VS with a WAN/Public IP in order to have a VS with a routed IP,
instead of a VS with an internal IP that cannot be reached by external users.

Create a new L7 VS in FAD2.

In the General tab, create the VS with a Public IP assigned, linked to the WAN3
segment:

This Public IP is used by the GSLB feature, so in this case FG2 must have a VIP
that publishes that IP and translates it to the VS IP in the FADC,
198.51.100.141.
Add the same pool and enable logging:

Now do the same process with a VS linked to WAN4.

Add the VS:

Create the IP and the Public IP:

Add the pool and enable the traffic log:

6.3 Create VIP on FG2

Create the VIPs that allow traffic to the VSs published using the Public IP
option in the last step.

Create the policy from SDWAN to DMZ2:

6.4 Testing SLB in FAD2

Check that everything is OK from FortiView:

Before testing, go to Log & Report > Log Setting and enable all available logs:

From the Router-Bastion, try accessing http://198.51.100.140, http://203.0.113.52
and http://203.0.113.68. Since we didn't configure persistence in this case,
each session might go to a different web server (WEB3 or WEB4).

Review the SLB HTTP traffic logs:

Notice that the FG applies the VIPs to the VS IP.

6.5 Configuring GLB in FAD1

Now we can finally configure Global Load Balancing between datacenter 1 (where
FAD1 is) and datacenter 2 (where FAD2 is).

In a GLB environment, the participating FortiADCs (or another external one,
which is not our case here) have to work as the authoritative DNS server for the
domain they are protecting. The FortiADCs "talk" to each other and validate which
servers are up before sending a DNS response to an external user, thus avoiding
sending users to broken/unavailable web servers.

Go to Global Load Balance > Global Object > Server and delete the existing
default DNS-Server object. Then go to Data Center and check that there's an
already created default datacenter. Delete this one, then create 2 new
datacenters named DC1 and DC2 (it will help us understand GLB better later):

Go to Global Load Balance > Global Object > Server and create two new servers:

The first one is local; we will name it Servers-DMZ1 and enable the Auto Sync
option, so it loads automatically every SLB object (the Virtual Server) created:

The second one will be related to FAD2; we will name it Servers-DMZ2 and also
enable Auto Sync.

In the IP address field you need to set the FAD2 IP, so FAD1 can communicate
with it and get the SLB servers automatically (use the Discover button for that).
If you didn't have communication with the other FAD, you'd have to configure it
as Generic and set the virtual server manually.

Go to Global Load Balance > FQDN Settings to create a new Virtual Server Pool.
Add both hosts, and leave the TTL for the members as "-1" to use the zone-level
TTL. Finally, only add the virtual server for the Public IP VS in FAD2.

Go to Global Load Balance > FQDN Settings and create a new Host. Include the
created virtual server pool and set the default DNS Policy.

Go to Zone Tools > Zone and change the Zone settings to TTL=1 and Serial=1. With
that, DNS clients will not cache records and will always query for fortilab.local
name resolution:

Finally, go to Zone Tools > General Settings and enable Global DNS Configuration
and Traffic Log:

So far we have GSLB configured, but with only one DNS server, so let's configure
GSLB in FAD2 as well.

6.6 Configuring GLB in FAD2

Configuring FAD2 is exactly the same as what we did for FAD1.

Go to Global Load Balance > Global Object > Server and delete the existing
default DNS-Server object. Then go to Data Center and check that there's an
already created default datacenter. Delete this one, then create 2 new
datacenters named DC1 and DC2 (it will help us understand GLB better later):

Go to Global Load Balance > Global Object > Server and create two new servers:

The first one is local; we will name it Servers-DMZ2 and enable the Auto Sync
option, so it loads automatically every SLB object (the Virtual Server) created:

The second one will be related to FAD1; we will name it Servers-DMZ1 and also
enable Auto Sync.

In the IP address field you need to set the FAD1 IP, so FAD2 can communicate
with it and get the SLB servers automatically (use the Discover button for that).
If you didn't have communication with the other FAD, you'd have to configure it
as Generic and set the virtual server manually.

Go to Global Load Balance > FQDN Settings to create a new Virtual Server Pool.
Add both hosts, and leave the TTL for the members as "-1" to use the zone-level
TTL:

Go to Global Load Balance > FQDN Settings and create a new Host. Include the
created virtual server pool and set the default DNS Policy.

Go to Zone Tools > Zone and change the Zone settings to TTL=1 and Serial=1. With
that, DNS clients will not cache records and will always query for fortilab.local
name resolution:

Finally, go to Zone Tools > General and enable Global DNS Configuration and
Traffic Log:

6.7 Gateway Monitoring
On the FAD1 side we can monitor its gateway in order to decide whether a Server
is available, not only using the VS status but also the link status of the
FADC.

Go to Link Load Balance > Link Group > Gateway and add a Gateway there.

Now link that gateway to the VS of FAD1. Go to Global Load Balance > Global
Object > Servers, select Servers-DMZ1 and edit VS-Web-DMZ1:


Then select the gateway created, InternalWan:

You can check the gateway availability in FortiView > Link Load Balance > Gateway.

Now the VS from DC1 will be available only if the link is available as well,
based on the health check configured in the gateway settings.

Do the same steps in FAD2. Because the Sync option is enabled in the GSLB
config, you will see the gateway setting configured on FAD1 in FAD2 too.

So link the InternalWan gateway to VS-Web-DMZ1 in FAD2.

6.8 Testing GLB

To test that the DNS is working properly, we will use the nslookup tool:

nslookup www.fortilab.local 198.51.100.2

This command queries the DNS server 198.51.100.2 (FAD1) for the name
resolution of www.fortilab.local:

Since everything is OK with all FADs and servers, it returns both virtual
servers. Repeat the command several times and you'll see that it round-robins
the order of the servers:

This behavior can be changed in FQDN Settings > Virtual Server Pool, either by
defining the preferred method (Geo IP, RTT, Least Connection...) or by setting
a different weight on each server member.

Now run the following command to test the same in FAD2:

nslookup www.fortilab.local 198.51.100.130

You should get the same results.

Now let's simulate a failure of the links that connect datacenter 2.

Connect to FGT2 and disable the WAN3 and WAN4 ports.

Repeat the nslookup against FAD1:

In that case, FAD1 has already discovered that the FAD2 virtual server is not
reachable, so it removes this IP from the DNS answers to avoid external users
trying to connect to datacenter 2.

Go to FortiView and check Global Load Balance logical topology:

Also check FortiView > GLB > Host > fortilabWeb graphs:

You can also test the Data Analytics by adding some widgets.

Then go to Log & Report > Log Browsing and verify the logs generated by GLB:

From the Router-Bastion you won't be able to reach FAD2 as a DNS server, of
course. But let's check FortiView on FAD2: you will see that from FAD2's point
of view the unavailable server is FAD1, so it keeps answering with its local IP
but removes the FAD1 virtual server from the DNS answers.

Enable the FortiGate WAN3 and WAN4 interfaces again and verify that DNS
resolution returns both virtual servers again.

As you have noted, GSLB bases its pool availability on the health of the VS on
each FADC, so a VS can be unavailable not only because its links fail or the
FAD is unreachable, but also because its real servers are unavailable.
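The availability rule described here (VS status, real-server health, and the monitored gateway from section 6.7), together with the A-record answers the nslookup tests inspect, modelled in Python as an added example that is not FortiADC code. The member table, the use of the DC2 Public IP 203.0.113.52 as the FAD2 pool member, and the hand-built DNS response are constructed for the example:

```python
"""GLB decision model and DNS answer parser for the fortilab.local tests.
Added example, not FortiADC code."""
import socket
import struct

QNAME = "www.fortilab.local"

# Constructed member table mirroring the lab: VS-Web-DMZ1 on FAD1 and the
# Public IP VS on FAD2 (203.0.113.52, section 6.4). The health fields are the
# inputs the guide says GSLB uses: VS status, real-server pool health and the
# monitored gateway (section 6.7).
LAB_MEMBERS = [
    {"name": "VS-Web-DMZ1", "dc": "DC1", "ip": "198.51.100.10",
     "vs_up": True, "healthy_real_servers": 2, "gateway_up": True},
    {"name": "VS-Web-DMZ2-Public", "dc": "DC2", "ip": "203.0.113.52",
     "vs_up": True, "healthy_real_servers": 2, "gateway_up": True},
]


def eligible_members(members):
    """IPs an authoritative GLB DNS server may include in its answer: the VS
    must be up, have at least one healthy real server and a healthy gateway."""
    return [m["ip"] for m in members
            if m["vs_up"] and m["healthy_real_servers"] > 0 and m["gateway_up"]]


def round_robin_answers(ips, query_index):
    """Rotate the answer order per query, as repeated nslookups show."""
    if not ips:
        return []
    k = query_index % len(ips)
    return ips[k:] + ips[:k]


def with_failure(members, name, **changes):
    """Copy of the member table with one member's health fields overridden."""
    return [dict(m, **changes) if m["name"] == name else dict(m) for m in members]


def build_response(qname, ips, ttl=1):
    """Constructed DNS response: one A record per IP, TTL=1 like the lab zone."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    answers = b"".join(                                       # name = pointer to question
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + question + answers


def _skip_name(msg, offset):
    """Return the offset just past a DNS name, honouring compression pointers."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:
            return offset + 2
        offset += 1 + length


def a_records(msg):
    """IPv4 addresses in the answer section of a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & 0x8000):
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                        # skip QTYPE, QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def missing_members(members, answered_ips):
    """Pool members configured but absent from an answer (the failed side)."""
    return [m["name"] for m in members if m["ip"] not in answered_ips]


if __name__ == "__main__":
    scenarios = {
        "all healthy": LAB_MEMBERS,
        "WAN3/WAN4 down": with_failure(LAB_MEMBERS, "VS-Web-DMZ2-Public",
                                       gateway_up=False, vs_up=False),
        "HTTPS HC on FAD2 pool": with_failure(LAB_MEMBERS, "VS-Web-DMZ2-Public",
                                              healthy_real_servers=0),
        "ping off on FG1 DMZ1": with_failure(LAB_MEMBERS, "VS-Web-DMZ1",
                                             gateway_up=False),
    }
    for label, members in scenarios.items():
        for i in range(2):
            ordered = round_robin_answers(eligible_members(members), i)
            answer = a_records(build_response(QNAME, ordered))
            print(f"{label}: query {i} -> {answer}; "
                  f"missing {missing_members(members, answer)}")
```

Each scenario in the main block corresponds to one of the failures the lab injects (disabling WAN3/WAN4, adding an HTTPS health check the pool cannot pass, disabling ping on the FG1 DMZ1 interface) and shows which member disappears from the answer.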

Go to FAD2 and make the WEB3 and WEB4 servers unavailable by changing the health
condition in Server Load Balance > Real Server Pool: just add another health
check condition that the real servers do not respond to, such as the HTTPS HC.

You will see that the pool becomes unavailable:

In FortiView:

If the real servers are unavailable, the virtual server will be too, so it
affects GSLB.

Check nslookup again on the Router-Bastion server using FAD1:

Same for FAD2:

In this case the links are available, and both FADCs too, but not the real
servers.

Go to the GSLB topology in FortiView for both FADCs:

You will see in the GLB event logs that the VS are disabled

Remove the HTTPS health check from the pool again to restore the GSLB service.

Finally, let's test the gateway availability configured in FAD1.

Go to FG1 and disable ping on interface DMZ1

You will see that in FAD1 the gateway monitoring fails, so the VS attached to it fails as well. This makes the VS unavailable even though the VS, RS and link are OK.

First check gateway availability in FortiView

And the server status in the GSLB settings

Also the status in the GSLB FortiView

Finally run an nslookup against FAD1 and FAD2 from the Router-Bastion

Both FADs were informed that the gateway failed and must remove the VS attached to it.

Enable ping again on the FG1 DMZ1 interface and check that all VS are available now.

7 Link Load Balance


Now we are going to change the architecture, connecting the FADC directly to the router

Check the port4 and port5 interfaces in FAD2; each one will be attached to WAN3 and WAN4 respectively.

7.1 Configure Gateways


In FAD2 we will monitor a gateway for each WAN link

Go to Link Load Balance > Link Group > Gateway and create a gateway for each link using an ICMP health check.

Now create a link group and add the gateways created before

Ensure that both gateways are shown as available in FortiView

7.2 Create a LLB Policy

Create the policy that will match the LLB group just created. We are going to redirect ICMP traffic to this link group.

Go to Link Load Balance> Link Policy

7.3 Create NATs

Now we need to create a NAT policy so that outbound traffic can reach the Internet. Go to Networking > NAT > Source

For WAN3

For WAN4

Now all ICMP traffic to any destination will be balanced among the gateways created in the link group, using a NAT for each link.

7.4 Testing LLB

Open an SSH session to the WEB3 server

Login with root:fortinet

Open a terminal console and add a default gateway pointing to FADC2

sudo route add default gateway 192.168.21.2

And ping the IP 4.2.2.2.

To generate one session at a time, run this command several times:

ping 4.2.2.2 -c 1 | grep "64 bytes"

Now go to Logs and check the traffic logs for LLB

8 ILLB and Link monitoring (Optional)

ILLB, or multihoming, allows balancing inbound traffic to our application published on 2 or more links. For FADC, ILLB is the same as GSLB but using only one datacenter and server.

In the last exercise we created a GSLB and based the balancing decision on VS and RS status; in this exercise we are going to link a VS to a gateway so that the balancing decision is based on link health.

8.1 Modify FADC2 VS

Remember that in exercise 7.2 we created a VS with the internal IP, but used the Public IP feature so that the routable IP, rather than the internal one, is used in GSLB. Now we are going to modify those VS to use the public IP attached to port4 and port5.

Go to Server Load Balance > Virtual Server and edit VS-DMZ2-WAN3 and VS-DMZ2-WAN4 to use the public IP as the IP of the VS:

For VS-DMZ2-WAN3

Change the Address to 203.0.113.52, set the interface to port4 and clear the Public IPv4 field

For VS-DMZ2-WAN4

Change the Address to 203.0.113.68, set the interface to port5 and clear the Public IPv4 field

8.2 Link Gateway to VS on FAD2

Go to Global Load Balance > Global Object > Servers and edit Servers DMZ2

And link the gateways to VS-DMZ2-WAN3 and VS-DMZ2-WAN4

You will see that the servers are now linked to gateways:

8.3 Create new FQDN


Go to Global Load Balance > FQDN Settings > Virtual Server Pool, create a new server pool and add as members the VS just created in Server-DMZ2

Go to the Host tab, create a new host and add the virtual server pool created for ILLB.

Go to Global Load Balance > Zone Tools > Zone, edit the fqdn_generate_illbweb.local zone and set the TTL and serial to 1.

In FortiView you can see both hosts published

Now the domain www.illbweb.local is published on WAN1 and WAN2 and balanced among those links.

8.4 Testing ILLB

Open the Router-Bastion terminal console and run an nslookup against FAD2:

Do it several times and check how it is balanced.

Now let's simulate that one gateway fails its health check. This could be because it does not respond to ping, because the monitored service is down, among other reasons; the link does not necessarily have to be down, it just does not meet the health check requirements.

Go to Link Load Balance > Link Group > Gateway and edit WAN3. Add a second health check using HTTPS and change the Health Check Relationship from OR to AND.

This will make gateway WAN1 unavailable

Check it in FortiView > Link Load Balance

And in FortiView > Global Load Balance you will see that the VS linked to that gateway is unavailable

Check it via nslookup

Notice that in this test the link is up and the VS and RS are up, but for health check reasons the link appears unavailable, so the VS will be excluded from the GSLB balancing decision.
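
The availability logic exercised in the GSLB and ILLB tests above (a VS is offered in the DNS answer only when its real server pool, the gateway linked to it and its FAD are all healthy, with a gateway's health checks combined by the OR/AND relationship), modelled as an added Python example that is not FortiADC code. The VS names and public addresses are the lab's; the gateway names, health check results, host name and the round-robin behaviour are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Gateway:
    name: str
    checks: Dict[str, bool]   # result of each health check, e.g. {"ICMP": True}
    relationship: str = "OR"  # "OR": one passing check is enough; "AND": all must pass

    def available(self) -> bool:
        results = list(self.checks.values())
        return all(results) if self.relationship == "AND" else any(results)


@dataclass
class VirtualServer:
    name: str
    ip: str
    real_servers: Dict[str, Dict[str, bool]]  # member -> its health check results
    gateway: Optional[Gateway] = None         # gateway linked to the VS, if any
    reachable: bool = True                    # False when the owning FAD cannot be contacted

    def available(self) -> bool:
        # a member is up only if all of its checks pass; the pool needs one member up
        pool_up = any(all(c.values()) for c in self.real_servers.values())
        gw_up = self.gateway.available() if self.gateway else True
        return self.reachable and pool_up and gw_up


@dataclass
class Host:
    fqdn: str
    pool: List[VirtualServer]
    _rr: int = field(default=0, repr=False)   # round-robin cursor

    def dns_answer(self) -> List[str]:
        """Addresses returned for the FQDN: unavailable VS are simply left out."""
        return [vs.ip for vs in self.pool if vs.available()]

    def next_ip(self) -> Optional[str]:
        """One address per query, round-robin over what is available (repeated nslookups)."""
        ips = self.dns_answer()
        if not ips:
            return None
        ip = ips[self._rr % len(ips)]
        self._rr += 1
        return ip


def build_lab_host(rs_https_fails=False, dmz1_gw_ping=True,
                   wan3_relationship="OR", wan3_https=True) -> Host:
    """Constructed stand-in for the lab: VS-Web-DMZ1 behind the FG1 DMZ1 gateway and
    VS-DMZ2-WAN3 behind gateway WAN3; the flags reproduce the failures the lab injects."""
    gw_dmz1 = Gateway("FG1-DMZ1", {"ICMP": dmz1_gw_ping})
    gw_wan3 = Gateway("WAN3", {"ICMP": True, "HTTPS": wan3_https}, wan3_relationship)
    dmz2_pool = {web: {"HTTP": True, "HTTPS": not rs_https_fails} for web in ("WEB3", "WEB4")}
    vs_dmz1 = VirtualServer("VS-Web-DMZ1", "198.51.100.10",
                            {"WEB1": {"HTTP": True}, "WEB2": {"HTTP": True}}, gw_dmz1)
    vs_wan3 = VirtualServer("VS-DMZ2-WAN3", "203.0.113.52", dmz2_pool, gw_wan3)
    return Host("fortilabWeb", [vs_dmz1, vs_wan3])


if __name__ == "__main__":
    scenarios = [("all healthy", build_lab_host()),
                 ("HTTPS check added to WEB3/WEB4", build_lab_host(rs_https_fails=True)),
                 ("ping disabled on FG1 DMZ1", build_lab_host(dmz1_gw_ping=False)),
                 ("WAN3 HTTPS fails, relationship AND",
                  build_lab_host(wan3_relationship="AND", wan3_https=False))]
    for label, host in scenarios:
        print(f"{label}: {host.dns_answer()}")
```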

9 HTTP Routing and Rewriting

Since our webservers are not exactly identical, we will enable maintenance mode on WEB2 to force all traffic to WEB1 and make our labs easier.

Go to FAD1 SLB > Real Server Pool, open the existing pool and enable maintenance mode on WEB2 (keeping only WEB1):

Confirm in FortiView that WEB1 is the only working server.

9.1 URL Rewriting

From the Router-Bastion RDP, try accessing http://198.51.100.10/thecat.html


As expected, you'll receive a not found message, since that page really does not exist.

Now let's create a rule so that anyone who tries that URL is served index.php instead of an error.

In the FAD1 GUI, go to Server Load Balance > Virtual Server > Content Rewriting
and create a new rule:

Then edit the Virtual Server VS-WebServers-Wan1 and enable this content
rewriting:

Try accessing http://198.51.100.10/thecat.html again and you will see the index.php page. Notice that it is not a redirect, since the browser still shows the requested URL:

Re-enable WEB2

9.2 Content Routing

Now suppose we really have two different web services: the default one is WEB2, but when someone accesses http://198.51.100.10/setup.php it should go to WEB1.

First let's configure the virtual server to send traffic only to WEB2. We can do that by going to SLB > Real Server Pool, editing VS_WEB-DMZ1, editing WEB2 and disabling it:

Then, create a new server pool including only WEB1:

Now go to Server Load Balance > Virtual Server and create two new Content
Routing rules.

The first routes every access to setup.php to the pool with WEB1 (Webpool-petsite):

The second routes to the WEB2 pool by default (empty conditions match anything):

Now edit the existing VS-WebServers-Wan1 virtual server and add both content
routing rules on it.

IMPORTANT: content routing rules are applied in sequence, so the default must
be the last one!

From the Router-Bastion VM try accessing http://198.51.100.10
Since there's no match in the first content routing rule, you will reach the WEB2 server.

Now try accessing http://198.51.100.10/setup.php

Because the request matches the rule, you are routed to WEB1.
Go through the different menus and check the traffic logs for SLB HTTP

10 Scripting

Before starting this lab, please remove all content routing and rewrite rules created earlier from the VS on FADC1

FortiADC allows the creation of scripts in the Lua programming language that can be applied to a virtual server. We will test a simple script in this lab just to explain how it works.

Go to Server Load Balance > Scripting and create a new script named "Redirect-curl":

Here is the same content so you can copy-paste (we're not that evil):

when HTTP_REQUEST {
    -- read the User-Agent header sent by the client (nil if the header is absent)
    local agent = HTTP:header_get_value("User-Agent")
    -- lower-case it so the match is case-insensitive, then look for "curl"
    if agent and agent:lower():find("curl") then
        HTTP:redirect("http://www.fortinet.com")
    end
}

Go to Server Load Balance > Virtual Server and edit the VS-Web-DMZ1 virtual
server to add this script:

From Router-Bastion, try accessing http://198.51.100.10 using the web browser.
You should see the WEB2 page.

Now open a terminal and try accessing it using curl:

curl http://198.51.100.10 -v

You will see that it is redirected to www.fortinet.com

Now edit the Redirect-curl script and set “mozilla” instead of “curl”:

Try from the web browser and using curl again to see the differences now.

Question 1: where can you find which User-Agent text to match? Look at the SLB HTTP logs.

Question 2: why does "mozilla" work while "Mozilla" doesn't?

The intention of this lab is to briefly explain how to start working with scripts. Check the existing scripts to understand better how they are built and to get ideas about what is possible.

11 ADC Security

Since 5.3 FortiADC includes a new set of WAF features covering the whole OWASP Top 10; we will test some of them in this lab.

But before we start, let's remove the scripts, HTTP rewrite and content routing from the virtual server. This is only to remove variables and concentrate on authentication; of course they can coexist in real life.

Also, we will keep only WEB1 enabled, since this webserver was prepared with lots of vulnerabilities required later in this lab (it is based on DVWA).

Go to Server Load Balance > Virtual Server, edit the VS-Web-DMZ1 and configure
as indicated:

Then go to Server Load Balance > Real Server Pool, edit WebPool-DMZ1. Enable
WEB1 and remove WEB2.

Check that it's OK in FortiView:

Also test from Router-Bastion; you should see that fluffy cat.

11.1 Authentication

FortiADC can force authentication before allowing clients to connect to certain (or any) sections of the website. In our case we will authenticate any access to the website with a local user.

Go to User Authentication > Local User and create a new user:

Create a new group and include this user:

Create an Authentication Policy:

Edit the VS-Web-DMZ1 virtual server and set the authentication policy in General
Tab:

Try accessing http://198.51.100.10 from Router-Bastion; it will ask you to authenticate with the created user.

Check the log details in Traffic > SLB HTTP.

Authentication could also be done in a RADIUS or LDAP server, or you could
define single sign-on authentication using Kerberos or SAML.

As a reference, the FortiAuthenticator training material has a lab using SAML together with FortiADC.

11.2 Web Application Firewall

FortiADC includes a WAF to protect against common attacks and to provide full OWASP coverage at the webserver, although it does not have all the features of a FortiWeb (AI being the most important one). Our WEB1 VM has a lot of vulnerabilities; we will test them first, then enable some WAF rules and repeat to check the results.

First, remove the authentication policy from the VS-Web-DMZ1 virtual server to simplify our testing (they do work simultaneously if you want to keep it).

Before we configure any WAF protection, let's verify some known vulnerabilities in our webserver.

From the Router-Bastion open http://198.51.100.10

11.2.1 SQL Injection
Click the menu option Search user (SQL Injection).

Type a number and hit Submit. Maybe you find a valid user…

Now suppose someone tries the following in the User ID field:

x' OR '1'='1

Then you have a SQL injection:

Now go to Web Application Firewall > Common Attacks Detection > SQL/XSS Injection Detection and create a new one as indicated:

Then go to WAF Profile, create a new profile and include this SQL injection protection in it:

Finally go to Server Load Balance > Virtual Server, edit VS-Web-DMZ1 and include
the WAF profile in the security section:

Try the SQL injection again from Router-Bastion; you will receive an HTTP 403 Forbidden message instead:

Check the WAF Security logs in FortiADC:

11.2.2 XSS

Now let's try two XSS attacks. First go to the menu Guestbook (XSS Stored)

And paste the following:

<script>alert(Forti)</script>

You will see that the script is executed.

Try other XSS payloads such as

<img src=x onError=alert('xss2')>
<body onload=alert("XSS3")>

Now enable XSS protection on the same profile.

And test the attacks again.
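
What happens on the application side in 11.2.1 and 11.2.2, as an added Python example (not DVWA or FortiADC code): the same SQL injection payload against a concatenated query and against a parameterised one, and the guestbook XSS payload rendered raw and HTML-escaped. The users table and the page fragments are constructed stand-ins for DVWA's; the WAF blocks these requests in front of the server, the fixes below are what the application itself should do.

```python
import html
import sqlite3

SQLI_PAYLOAD = "x' OR '1'='1"                  # the string typed into the User ID field
XSS_PAYLOAD = "<script>alert(Forti)</script>"  # the string pasted into the guestbook


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the users table behind Search user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, first TEXT, last TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "admin"), (2, "Gordon", "Brown"),
                    (3, "Hack", "Me"), (4, "Pablo", "Picasso")])
    return db


def search_user_vulnerable(db: sqlite3.Connection, user_id: str) -> list:
    """The input is pasted into the SQL text: the quote in the payload closes the
    string literal and the appended OR '1'='1 is true for every row."""
    sql = "SELECT first, last FROM users WHERE id = '" + user_id + "'"
    return db.execute(sql).fetchall()


def search_user_safe(db: sqlite3.Connection, user_id: str) -> list:
    """A bound parameter is compared as one value and never parsed as SQL, so the
    same payload simply matches no id."""
    return db.execute("SELECT first, last FROM users WHERE id = ?", (user_id,)).fetchall()


def rows_returned(user_id: str) -> tuple:
    """(rows from the vulnerable lookup, rows from the parameterised lookup)."""
    db = make_db()
    return len(search_user_vulnerable(db, user_id)), len(search_user_safe(db, user_id))


def guestbook_entry_vulnerable(name: str, message: str) -> str:
    """Stored XSS: the text is written into the page as HTML, so a <script> tag runs."""
    return f"<p><b>{name}</b>: {message}</p>"


def guestbook_entry_safe(name: str, message: str) -> str:
    """Escaping turns < > & " ' into entities; the browser shows the text, never runs it."""
    return f"<p><b>{html.escape(name)}</b>: {html.escape(message)}</p>"
```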

11.2.3 Command Execution

Let's try to execute some commands on the webserver. Go to the menu Bath Time (Command injection) and type the command
;cat /etc/passwd
to show the local passwd file

Now enable the known attack signatures in the same WAF profile. Go to Web Application Firewall > Known Web Attacks, check the High Level Security profile and make sure Generic Attacks are enabled and set to deny; notice that it includes command execution

Add the profile to the WAF profile in the Web Attack Signature field

Run the command again on the webserver and check the results and logs

11.2.4 HTTP Protocol Constraint

Another protection method consists of controlling HTTP parameters according to our application, preventing long URLs (which might be used to exploit a buffer overflow), undesired HTTP methods, oversized headers and parameters, etc.

To protect against that, you can set an HTTP protocol constraint rule.

Go to Web Application Firewall > Common Attacks Detection > HTTP Protocol Constraint and create a new rule. In our case we will limit the URI size to 10 characters, then try accessing a fake URL longer than that.

*Check the other options available.

Now edit the WAF Profile WAFProfile01 to include this rule:

Then try accessing the website from Router-Bastion using a long URL (the text does not matter, as long as it has more than 50 characters to trigger the rule):

Check the logs to see results:

Now go to Web Application Firewall > Web Attack Signature and click to view the existing High-Level-Security profile. Check the options and the number of signatures that can be enabled.

We won't test attacks for each option, so try to understand what each one is about and ask the instructor for an explanation.

11.3 Web Vulnerability Scanner

FortiADC includes a vulnerability scanner to analyze webservers and generate reports.

Go to Web Application Firewall > Web Vulnerability Scanner and create a new WVS Login indicating that no login is required:

Then create a new WVS Profile indicating the Server Pool it will scan:

Finally, create a WVS Task (it will request you to create a schedule too, that can
be also done in Shared Resources > Schedule Group):

Click to run it and wait for the results; click on the WVS task to refresh:

Download and open the report to see all the details. Browse through its options.

11.4 Antidefacement

Since 5.3.3 FADC includes an anti-defacement feature. Go to Web Application profile > Web Anti-defacement and create a new one as follows

This profile uses SSH to reach the /var/www/html folder and gather the files stored there; it will also restore them automatically when a change is detected.

Save and wait until the files have been copied to FADC:

Now connect to WEB1 via SSH and delete the file index.php

Wait until you see the file restored in the folder, then check in the logs that the file was restored

You can also see in the anti-defacement tab that 1 file was restored

Click on it to verify the action

11.5 Brute Force Attack
FortiADC can monitor a specific URL and prevent brute force login attacks.

First log into the Router-Bastion via SSH with user root and password fortinet. Go to the folder /home/Fortinet/Login and run the script ml-test-attack.sh as follows

Check that the script tries to log in to the server with several usernames and passwords. Stop it a few seconds later.

Check the traffic logs to see that those logins reach the server:

Now go to Web Application Firewall > Common Attacks Detection > Brute Force Attack Detection and create a new brute force rule

Save and create the match condition

Save it again

Now go to the WAF profile created previously and link the brute force rule to it. Also remove the HTTP constraint so that it does not trigger detections in this test.

Run the script again and check the security logs
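
The kind of detection the brute force rule performs (count failed logins to one monitored URL per client within a time window and act once a threshold is reached), as an added Python example run over constructed access-log lines. It is not FortiADC's implementation; the log format, the monitored URL, the threshold, the window and the status codes are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines in a simplified format:
#   <client> <ISO time> "<method> <path>" <status>
# 401 marks a failed login on the monitored form; one line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 2020-01-20T10:00:00 "POST /login.php" 401
203.0.113.7 2020-01-20T10:00:01 "POST /login.php" 401
203.0.113.7 2020-01-20T10:00:02 "POST /login.php" 401
198.51.100.20 2020-01-20T10:00:02 "POST /login.php" 401
203.0.113.7 2020-01-20T10:00:03 "POST /login.php" 401
203.0.113.7 2020-01-20T10:00:04 "POST /login.php" 401
203.0.113.7 2020-01-20T10:00:05 "POST /login.php" 401
198.51.100.20 2020-01-20T10:00:06 "POST /login.php" 302
this line is not an access-log record
203.0.113.7 2020-01-20T10:05:00 "POST /login.php" 401
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3})$')


def detect_brute_force(log_text, monitored_url="/login.php", threshold=5,
                       window=timedelta(seconds=60), failure_statuses=(401,)):
    """Return (timestamp, client, action) events.

    'flagged' is emitted the moment a client accumulates `threshold` failed logins
    on the monitored URL within `window`; every further failure while the window is
    still full is reported as 'blocked' (the WAF would answer it with 403).
    """
    recent = defaultdict(deque)   # client -> timestamps of failures still inside the window
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue   # unparseable record: skip it rather than stop the detector
        if m["path"] != monitored_url or int(m["status"]) not in failure_statuses:
            continue   # only failed logins on the monitored URL count
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        while q and ts - q[0] > window:
            q.popleft()   # slide the window: forget failures older than `window`
        q.append(ts)
        if len(q) == threshold:
            events.append((m["ts"], m["ip"], "flagged"))
        elif len(q) > threshold:
            events.append((m["ts"], m["ip"], "blocked"))
    return events


def flagged_clients(events):
    """Distinct clients that reached the threshold."""
    return sorted({ip for _, ip, action in events if action == "flagged"})


if __name__ == "__main__":
    for event in detect_brute_force(SAMPLE_LOG):
        print(event)
```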

12 Advanced SLB

To facilitate our packet captures in the next exercises, we need to disable the HTTP health check; otherwise it would be hard to separate it from the client traffic. To do so, go to Server Load Balance > Real Server Pool and edit WebPool-DMZ1. Keep only ICMP:

12.1 Preserve Client IP

As we've seen before, by default FortiADC uses its own interface IP as the source IP when connecting to real servers with L7 load balancing.

Go to the FAD1 command line through SSH and run the following capture:

Then open the website from Router-Bastion again and look at the captured packets. The source IP is always the FAD itself:

To change that, go to Server Load Balance > Application Resources and create a
new HTTP profile with the Source Address option enabled:

Then edit the VS-Web-DMZ1 virtual server to set this profile:

Run the same capture again and verify the source IP used:

Another way to make the real client IP reach the server is to add it to a header such as X-Forwarded-For.

Edit My-HTTP-Profile and enable X-Forwarded-For. Disable the Source Address option, since there's no point in keeping both enabled...

Then go to Networking in the FAD GUI and create a Packet Capture:

Then click to run the capture:

Access the website from Router-Bastion again, stop the capture and download it
to your laptop.

If you don’t have Wireshark or any other equivalent tool, trust the picture below or
check with other students:
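
How the web server should consume the X-Forwarded-For header that the HTTP profile now inserts, as an added Python example that is neither FortiADC nor webserver code: the header is client-controlled, so only the entry appended by the trusted load balancer is believed, and a direct connection that bypasses the ADC falls back to the peer address. The ADC address 10.0.0.2 is a constructed placeholder, not a value from the lab.

```python
import ipaddress

# Constructed placeholder: the FortiADC server-side address as WEB1 sees it (not from the guide).
TRUSTED_PROXIES = ("10.0.0.2",)


def _parse(addr):
    """ip_address object, or None when the text is not an IPv4/IPv6 literal."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def client_ip(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """Address the application should log and make decisions on.

    Only a connection that really comes from the ADC may carry a trustworthy
    X-Forwarded-For: the right-most entry was appended by the ADC, and anything to
    its left was supplied by the client and may be forged.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = _parse(peer_ip)
    if peer is None or peer not in trusted:
        return peer_ip            # direct client: ignore whatever header it sent
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    for hop in reversed([h for h in xff.split(",") if h.strip()]):
        ip = _parse(hop)
        if ip is None:
            return peer_ip        # malformed entry: fall back to the connection address
        if ip not in trusted:
            return str(ip)        # first address not added by our own proxy chain
    return peer_ip                # header absent, or it only lists proxy addresses
```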

12.2 Connection reuse

From Router-Bastion, run a command to continuously access the webserver:

Then go to FortiADC SSH console and run the following command to get all TCP
SYN packets:

Notice that for each SYN packet received in port2 (DMZ1) there’s also a SYN
packet in port2 (SRV1) to the server.

To change that behavior, first edit the application profile in use and set HTTP Mode to Server Close:

Now, from FortiADC SSH console, create a new connection pool:

Still from CLI, set this connection pool in the VS-Web-DMZ1 virtual server:

Stop the script running at Router-Bastion, then run the capture from FAD SSH
console again, then start the Router-Bastion script again.

Notice that now only the first SYN is sent on port3. Why is that? Discuss with the instructor.

Tip: FortiADC is reusing the same TCP connection to the webserver for multiple
client connections.
