Lab Guide

Uploaded by Lucio Macedo

Index: 1.0
Use Case: Fortinet Engineered for Remote and Secure Productivity
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Fortinet Teleworker Solution

Organizations face different potential emergencies, such as illness, floods, hurricanes, and
power outages. Implementing a business continuity plan is essential to ensuring that the
organization can maintain operations in the face of adversity and prepare for potential
disasters.

An important consideration for organizations developing a business continuity plan is that they
may not sustain normal operations onsite. The ability to support remote employees is essential
to ensure both business continuity and security. Fortinet offers an integrated solution
to support telework. FortiGate next-generation firewalls (NGFWs) have built-in support for
IPsec virtual private networks (VPNs), enabling remote workers to connect securely to the
company network. With endpoint protection, provided by FortiClient, and multi-factor
authentication (MFA) with FortiAuthenticator, organizations can securely support remote work
and maintain business continuity.
Index: 1.0 (a)
Use Case: Fortinet Engineered for Remote and Secure Productivity
Objective Title: Topology
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Fortinet Teleworker Solution


Index: 1.0 (b)
Use Case: Fortinet Engineered for Remote and Secure Productivity
Objective Title: Agenda
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Agenda
In the following lab exercises you will see how easy it is to provide remote
teleworkers with secure access to internal corporate resources by completing the following
objectives:

• Configure two-factor authentication necessary for secure access

• Create an inbound VPN policy on FortiGate that allows teleworkers to tunnel back to
corporate headquarters

• Configure Fortinet Endpoint Management Server (EMS) to protect remote users as
effectively as if they were located at the corporate office

• Demonstrate successful operation of these critical functions

Topic Time
Lab 1: Introduction, Topology and Agenda 1 Minute
Lab 2: Configure Remote User Authentication 5 Minutes
Lab 3: Configure FortiClient IPsec VPN 5 Minutes
Lab 4: Configure Remote User Protection 10 Minutes
Lab 5: Demonstrate Remote User Secure Productivity 5 Minutes
Lab 6: Zero Trust Network Access 10 Minutes
Lab 7: Demonstrate ZTNA Connection 5 Minutes
Lab 8: Deploy FortiGate Firewall at Home 5 Minutes
Lab 9: Configure FortiGate-to-FortiGate IPsec VPN 10 Minutes
Lab 10: Establish Remote Telephony 5 Minutes
Lab 11: Conclusion

NOTE:

• Objectives 2(a) and 2(b) are optional. More information is provided in the
objectives themselves.
• If you start with use case #2.0, then make sure to complete all the use cases
from #2.0 to #7.0 first, before moving on to use case #8.0
Index: 2.0
Use Case: Configure Remote User Authentication
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Remote teleworkers, including basic, power and super users, require secure access to internal
resources at corporate offices to remain productive when off-site. The first step in any remote
worker scenario is to ensure that users can be properly authenticated regardless of location.

Time to Complete: 5 minutes


Index: 2.0 (a)
Use Case: Configure Remote User Authentication
Objective Title: Import FortiToken Mobile and Enable Two-Factor Authentication
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

FortiAuthenticator’s authentication services ensure only the right person at the right time can
access your sensitive networks and data.

The following settings have been pre-configured on FortiAuthenticator:

1. Remote LDAP server to import Active Directory user/user groups and provide Windows
AD domain authentication using Kerberos.
2. FortiGate-Edge as a RADIUS client so that FortiAuthenticator can accept RADIUS
authentication requests from a FortiGate unit.

Tasks

CAUTION: If you would like to use the 2FA (Two-Factor Authentication) with
FortiClient and are willing to install Fortinet’s FortiToken Mobile app or add
another token to an existing FortiToken Mobile app on your own iOS or Android
smart phone, then follow the instructions outlined in this objective. Otherwise,
skip these steps and proceed to answer the stop and think question.

Create New FortiToken Mobile Tokens

1. From the Lab Activity: Teleworker tab, access FortiAuthenticator via HTTPS option
using the following credentials:

Username: admin Password: Fortinet1!

2. Once logged in to FortiAuthenticator, click Authentication > User Management >
FortiTokens.
Note: If there are any existing FortiTokens, select and delete all of them.

3. Click Create New.

4. Select Token Type: FortiToken Mobile.

5. Turn on Get FortiToken Mobile free trial tokens.

6. Click OK.

Note: FortiAuthenticator should import two FortiToken Mobile tokens. These tokens
come free with every install.

Assign FortiToken to LDAP User Account

1. In FortiAuthenticator, click Authentication > User Management > Remote Users.

2. Click the checkbox beside the user carol.

Note: User carol is an Active Directory user account that has been pre-imported into
FortiAuthenticator via LDAP integration with AD through Authentication > User
Management > Remote Users.

3. Click Edit.

4. Turn on Token-based authentication and choose the following:

• Deliver token code by: FortiToken

• FortiToken Mobile: FTKMOBxxxxx

Note: Token serial number will differ from the one shown in the screenshot
below

• Activation delivery method: Email

5. Expand User Information and make sure the following email address has been
configured:

• Email address: carol@acmecorp.net


6. Click OK and wait several seconds as FortiAuthenticator sends an email.
Note: You should see a message ‘Successfully edit remote LDAP user carol@LDAP
(172.16.100.10)’

CAUTION: If there is an error or failure sending the email, go to the Desktop and launch the
‘rebootmailu’ BAT script to reboot the mail server. Now, in FortiAuthenticator, edit user carol,
disable Token-based authentication, click OK. Again edit user carol, enable Token-based
authentication, choose one of the available free FortiTokens and click OK. You may have to run
the ‘rebootmailu’ script once more if it fails for the first time.

Stop and Think


Question: Which of the following are valid methods of administering FortiToken? (Choose all
that apply)

----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 3

Hint Text:

Hint

In this exercise you just administered FortiToken through FortiAuthenticator

FortiAuthenticator provides centralized authentication services including SSO services,


certificate management, and guest management
----------------------- Hint 2 Section -----------------------

Hint: 2 Points: 3

Hint Text:

Hint

FortiToken Cloud provides everything needed for two-factor authentication in a FortiGate environment.

Key features include:

• Manage two-factor deployments from provisioning to revocation

• Includes two-factor tokens through the FortiToken Mobile app, which simplifies user input to
“click to accept”

• No additional onsite hardware, software, or ACL changes

• Easily expands and grows as needed.

----------------------- Hint 3 Section -----------------------

Hint: 3 Points: 3

Hint Text:

Hint

FortiTokens can even be managed directly on the FortiGate Devices themselves.

So, all answers are correct (a, b, c)


----------------------- Answer Section -----------------------

Answer: checkbox

Answer Text:

Answer

Answers a, b and c are all correct.

FortiToken is The Source of Identity for the Security Fabric.

This Solution Offers:

• Centralized Authentication
• Multifactor Authentication
• Cloud based Token IDaaS Service
• Single Sign-on
• Guest Management
• Device Onboarding

Answer Key:
✔ 1. via FortiAuthenticator
✔ 2. via FortiGate
✔ 3. via FortiToken Cloud
Index: 2.0 (b)
Use Case: Configure Remote User Authentication
Objective Title: Register FortiToken Mobile
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
FortiToken confirms users' identity by adding a second factor to the authentication process
through physical or mobile application-based tokens.

CAUTION: The following steps are only applicable if you have followed all the
instructions outlined in objective 2.0(a) and are willing to install the Fortinet’s
FortiToken Mobile app or add another token to an existing FortiToken Mobile
app on your iOS or Android smart phone. If you have chosen to skip the
objective 2.0(a), click ‘Continue’ and move on to the next objective.

Tasks
Register FortiToken Mobile

1. From the Lab Activity: Teleworker tab, access Carol machine via RDP option using the
following credentials:

Username: carol Password: Fortinet1!

2. Open Mozilla Thunderbird.

3. Check Carol’s inbox and open the email with the subject line FortiToken Mobile
Activation.

4. On your internet enabled smart phone, download and install the FortiToken Mobile
application from iOS App Store or Google Play Store depending on the OS platform that
the mobile device supports.
NOTE: If the FortiToken Mobile application is already installed on your mobile device,
then, skip this step.

5. Open the FortiToken Mobile application.

6. Press SCAN BARCODE and allow the device to take pictures.

NOTE: If you have been using the FortiToken Mobile application previously, then you
will see an existing token code already activated. In this case, you won’t be presented
with the SCAN BARCODE option. Instead, click the + icon located at the top right
corner of the app to add another FortiToken.

7. Scan the barcode received in the email as shown below.

NOTE: If the mobile device is unable to take a picture, check your device settings and
make sure the FortiToken Mobile application has been allowed access to the device
camera.
8. The FortiToken should be activated right away.

9. Close Mozilla Thunderbird.


Index: 3.0
Use Case: Configure FortiClient IPsec VPN
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Virtual Private Network (VPN) technology lets remote users connect to private computer
networks to gain access to their resources in a secure way. For example, an employee traveling
or working at home can use a VPN to securely access the office network through the Internet.
Instead of remotely logging into a private network using an unencrypted and unsecured
Internet connection, using a VPN ensures that unauthorized parties cannot access the office
network and cannot intercept information going between the employee and the office. Another
common use of a VPN is to connect the private networks of multiple offices.
Fortinet offers VPN capabilities in the FortiGate Unified Threat Management (UTM) appliance
and in the FortiClient Endpoint Security suite of applications. You can install a FortiGate unit on
a private network and install FortiClient software on the user’s computer.
For the purposes of this lab, we will be focusing on FortiClient IPsec Tunnels. This use case is
more applicable to a basic user.

Time to Complete: 5 minutes


Index: 3.0 (a)
Use Case: Configure FortiClient IPsec VPN
Objective Title: Configure RADIUS Remote User Group
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

You will set up FortiAuthenticator to function as a RADIUS server for FortiGate to authenticate IPsec VPN
users with a FortiToken.

Tasks
Configure RADIUS Server on FortiGate

1. From the Lab Activity: Teleworker tab, access FGT-Edge using the HTTPS option

Username: admin Password: Fortinet1!

2. On the FortiGate-Edge, click User & Authentication > RADIUS Servers > Create New and use the
following information:

• Name: FAC_Server

• Primary Server IP/Name: 172.16.100.129

• Secret: Fortinet1!

3. Click Test Connectivity to make sure it returns Connection Successful.


4. Click OK.

Configure Remote User Group

1. On FortiGate-Edge, click User & Authentication > User Groups > Create New and use the
following information:

• Name: IPsec_VPN_Users

• Type: Firewall

2. Under Remote Groups, click Add.

• Remote Server: FAC_Server

• Groups: Any (Leave it set to default)

3. Click OK.
4. Click OK.
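The RADIUS exchange the settings above configure (FortiGate-Edge as the client, FortiAuthenticator as the server, both holding the secret Fortinet1!), as an added example rather than anything from the lab or from either product: it builds the Access-Request, hides the User-Password with the shared secret (RFC 2865), adds and checks the Message-Authenticator (RFC 3579), and validates the Response Authenticator on the reply. The NAS IP 192.0.2.1 is a placeholder; the username and secret are the lab's.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and the attribute types used here (RFC 2865 / RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

SHARED_SECRET = b"Fortinet1!"  # the lab's RADIUS secret (from the steps above)
NAS_IP = "192.0.2.1"           # placeholder for FortiGate-Edge's address; not from the lab


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte chunks and XOR each chunk
    with MD5(secret + previous ciphertext chunk), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += chunk
        prev = chunk
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server, or anyone holding the secret, computes."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> list:
    """Walk the TLVs that follow the 20-byte RADIUS header."""
    attrs, i = [], 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs.append((attr_type, packet[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, authenticator=None):
    """Client side (FortiGate): Access-Request with User-Name, hidden User-Password,
    NAS-IP-Address and an HMAC-MD5 Message-Authenticator computed with that field zeroed."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))))
    length = 20 + len(attrs) + 18  # 18 = Message-Authenticator TLV
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    zeroed = header + attrs + attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + attribute(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute's value zeroed (RFC 3579 s3.2)."""
    i = 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + length:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[i + 2:i + length])
        i += length
    return False  # a request without Message-Authenticator is not accepted here


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + auth + attrs


def verify_response(response, request_authenticator, secret) -> bool:
    """Client side: accept the Access-Accept/Reject only if its authenticator checks out."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """One full round trip with a fixed Request Authenticator so the run is reproducible."""
    ra = bytes(range(16))
    req = build_access_request(7, "carol@acmecorp.net", "Fortinet1!", SHARED_SECRET, ra)
    ok = verify_message_authenticator(req, SHARED_SECRET)
    pw = reveal_password(dict(parse_attributes(req))[USER_PASSWORD], SHARED_SECRET, ra)
    code = ACCESS_ACCEPT if ok and pw == b"Fortinet1!" else ACCESS_REJECT
    resp = build_response(code, 7, ra, SHARED_SECRET)
    return req, resp, verify_response(resp, ra, SHARED_SECRET)
```

The User-Password hiding is an MD5 keystream keyed only by the shared secret, so the secret's strength and the trust placed in the path between FortiGate and FortiAuthenticator are what protect the password in transit; the Message-Authenticator is what lets the server discard forged or tampered requests.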

Stop and Think

Question: To confirm a user’s identity after authentication, which of the following is checked first?
(Choose one)
----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer

In most cases, the FortiGate unit authenticates users by requesting their username and
password. The FortiGate unit checks local user accounts first. If a match is not found, the
FortiGate unit checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group.
Authentication succeeds when a matching username and password are found. If the user
belongs to multiple groups on a server, those groups will be matched as well.

Answer Key:
✘ 1. Radius
✘ 2. LDAP
✘ 3. TACACS+
✔ 4. FortiGate local user accounts
Index: 3.0 (b)
Use Case: Configure FortiClient IPsec VPN
Objective Title: Configure IPsec VPN (FortiClient as Dialup Client)
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background
In this objective, you will configure IPsec dial up VPN on FortiGate-Edge (HQ) with FortiClient as
a dial up client.

Tasks
Configure IPsec Dialup VPN
1. From the web browser, access the FGT-Edge web console.
2. Click VPN > IPsec Wizard.
3. Use the following information:

• Name: Teleworkers

• Template Type: Remote Access

• Remote Device Type: Client-based/FortiClient

4. Click Next.
5. Use the following Authentication settings:

• Incoming Interface: ISP1(port6)

• Authentication Method: Pre-shared key

• Pre-shared key: Fortinet1!

• User group: IPsec_VPN_Users

Note: IPsec_VPN_Users is the AD user group configured earlier.

6. Click Next.
7. Use the following Policy & Routing settings:

• Local Interface: LAN

• Local Address: DC_Network

• Client Address Range: 10.10.10.1-10.10.10.10

• Leave Subnet Mask, DNS Server, Enable IPv4 Split Tunnel and Allow Endpoint
Registration settings set to default.

Note: By default, IPv4 Split Tunnel is enabled. In this configuration, remote users
are able to securely access the HQ internal network through the HQ firewall, yet
browse the Internet without going through the head office.

8. Click Next.
9. Use the following Client Options settings:

• Save Password: Turn on

• Auto Connect: Turn on

Note: When FortiClient is launched, the VPN connection will automatically
connect.

• Always Up (Keep Alive): Turn on

Note: When selected, the VPN connection is always up, even when no data is
being processed. If the connection fails, keep alive packets sent to the FortiGate
will sense when the VPN connection is available and re-connect VPN.
10. Click Next and review the settings. Then click Create.
Note: After you create the tunnel, a summary page appears listing the objects which
have been added to the FortiGate's configuration by the wizard. If any of these are
wrong, you will have to delete the objects manually, starting with their dependencies.

Stop and Think


Question: (True or False) By enabling Split Tunnel you can avoid overloading system resources
on the HQ firewall and send the remote client’s Internet traffic (For example, YouTube, Netflix
etc.) through their local ISP router?

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer

True
Answer Key:
✔ 1. True
✘ 2. False
Index: 4.0
Use Case: Configure Remote User Protection
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Endpoints are frequently the target of initial compromise or attacks. One recent study found
that 30% of breaches involved malware being installed on endpoints. FortiClient Fabric Agent
strengthens endpoint security through integrated visibility, control, and proactive defense.
With the ability to discover, monitor, and assess endpoint risks, you can ensure endpoint
compliance, mitigate risks, and reduce exposure.
FortiClient Enterprise Management Server (FortiClient EMS) is a security management solution
that enables scalable and centralized management of multiple endpoint devices (computers).
FortiClient EMS meets the needs of small to large enterprises that deploy FortiClient Fabric
Agent on endpoints. Some of the benefits of deploying FortiClient EMS include:

• Remotely deploying FortiClient Fabric Agent software to Windows PCs.

• Updating profiles for endpoint users regardless of access location, such as administering
antivirus, web filtering, VPN, and signature updates.

• Administering FortiClient endpoint registrations, such as accepting, de-registering, and blocking
registrations.

• Managing endpoints, such as status, system, and signature information.

• Identifying outdated versions of FortiClient Fabric Agent software.

Time to Complete: 10 minutes


Index: 4.0 (a)
Use Case: Configure Remote User Protection
Objective Title: Integrate EMS with Security Fabric
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
EMS connects to the FortiGate to participate in the Security Fabric. EMS
sends FortiClient endpoint information to the FortiGate. The FortiGate can also receive dynamic
endpoint group lists from EMS and use them to build dynamic firewall policies. EMS sends
group updates to FortiOS, and FortiOS uses the updates to adjust the policies based on those
groups. Its tight integration with the Security Fabric enables policy-based automation to contain
threats and control outbreaks. FortiClient Fabric Agent is compatible with Fabric-Ready
partners to further strengthen enterprises’ security posture.

Tasks
Configure EMS Fabric Connector
1. From the Lab Activity: Teleworker tab, access FGT-EDGE using the HTTPS option.
Username: admin Password: Fortinet1!

2. Click Security Fabric > Fabric Connectors


3. Click Create New
4. Click FortiClient EMS and use the following information:

• Type: FortiClient EMS

• Name: EMS

• IP/Domain: 192.168.0.125

• HTTPS port: 443

• EMS Threat Feed: Leave it set to enabled by default

• Synchronize firewall addresses: Leave it set to enabled by default


5. Click OK
Note: A ‘Verify EMS Server Certificate’ window should come up.
6. Click Accept
7. Click Security Fabric > Fabric Connectors.
Note: FortiClient EMS connector was automatically created based on the information
you just provided. Notice that this connector has a red arrow pointing downward, which
means that it is not communicating properly to its destination.

Authorize FortiGate-Edge Fabric Device on EMS Server


1. From the Lab Activity: Teleworker tab, access the FortiClient EMS using the HTTPS
option.
Username: admin Password: Fortinet1!
2. A Fabric Device Authorization Requests window for FortiGate-Edge should pop up.
3. Click Authorize
CAUTION: Press F5 to refresh the browser window and wait a few seconds if the
Fabric Device Authorization Requests window doesn’t show up.

4. Click Administration > Fabric Devices


Note: FortiGate-EDGE should be authorized now.

Verify EMS Server Connection Status on Root FortiGate-Edge


1. From the web browser, access the FGT-EDGE using the web console.
2. Click Security Fabric > Fabric Connectors
3. FortiClient EMS Fabric Connector should have a successful up/green connection status.
Index: 4.0 (b)
Use Case: Configure Remote User Protection
Objective Title: Deploy Endpoint Protection Profile
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

EMS allows admins to update profiles for endpoint users regardless of access location, such as
administering antivirus, web filtering, VPN, and signature updates.

Tasks

Configure Endpoint Profile


1. From the Lab Activity: Teleworker tab, access FortiClient EMS using the HTTPS option.
Username: admin Password: Fortinet1!

2. Click Endpoint Profiles > Manage Profiles.

3. Select endpoint profile Teleworkers Profile and click Edit

4. Click Advanced on the top right corner.

5. Click Web Filter and turn ON the security feature.

7. Click VPN and make sure the VPN feature is turned ON


8. Scroll down to VPN Tunnels section.
Note: You will see IPSec VPN (HQ-VPN) with Remote Gateway pointing to
FortiGate-Edge (100.65.0.101) has been pre-configured. EMS will push the VPN settings
to an endpoint FortiClient registered with the EMS server, so that the end user doesn’t
need to manually configure these settings.

9. Click Vulnerability Scan and turn ON the security feature.


10. Under Scanning, turn ON Scan on Registration

11. Click System Settings.


12. Under UI, turn ON Require Password to Disconnect from EMS.
13. Enter Password Fortinet1!

14. Click Save


Index: 4.0 (c)
Use Case: Configure Remote User Protection
Objective Title: Create Endpoint Policy
Points: 10
----------------------- Objective Section -----------------------
Objective Text:

Background

Endpoint policies make it simpler to provision endpoints. You can now create and manage
endpoint policies to assign profiles and Telemetry gateway lists to domains, OUs, and
workgroups. You can also create and manage Chromebook policies to assign profiles to Google
domains.

Tasks
Configure Endpoint Policy
1. Click Endpoint Policy & Components > Manage Policies.

2. Click Add.

3. Use the following information:

• Endpoint policy name: Teleworkers

• Endpoint groups: Click Edit > Checkmark acmecorp.net and All Groups > Save
Note: acmecorp.net domain has been pre-configured and added to FortiClient
EMS under Endpoints > Domains.
• Profile: Default

• Profile (Off-Fabric): Teleworkers Profile

Note: This profile is applied when the endpoint is off-network.

• On-Fabric Detection Rules: On-Net-HQ-172.16.100.0/24

• Enable the Policy: Turn ON

• Click Save
Stop and Think
Question: Which of the following subnets (pre-configured) determines if the endpoint is
On-Fabric? (Choose One)
----------------------- Hint 1 Section -----------------------

Hint: 1 Points: 4

Hint Text:

Hint

On the EMS check Policy Components > On-net Detection Rules

----------------------- Answer Section -----------------------

Answer: radio

Answer Text:

Answer

The endpoint has a status of on-net when the endpoint is inside one of the on-net subnets
defined in FortiClient EMS under Policy Components > On-net Detection Rules. In this case,
the pre-configured On-Net-HQ-172.16.100.0/24 rule means that any endpoint outside
172.16.100.0/24 (HQ’s DC_Network) is considered off-net.

Answer Key:
✘ 1. 100.64.11.0
✔ 2. 172.16.100.0
✘ 3. 127.0.0.1
✘ 4. 192.168.0.0
✘ 5. 0.0.0.0
Index: 5.0
Use Case: Demonstrate Remote User Secure Productivity
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

While working remotely employees need to utilize corporate resources and safely traverse the
internet from a remote location such as their home, a coffee shop, an airport, or customer
location. In the previous exercises you have addressed the need for a secure and private
connection across the public internet, as well as the ability to verify identity to the organization
when connecting to the network, sensitive applications, or protected data.
In the following exercises you will now demonstrate the power and protection these simple
efforts can bring to your organization and remote users.

Time to Complete: 5 minutes


Index: 5.0 (a)
Use Case: Demonstrate Remote User Secure Productivity
Objective Title: Establish Remote Connection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

Using FortiClient and the FortiToken Mobile application, remote users can quickly and securely
connect to the corporate network.

Tasks

Register FortiClient and Establish IPsec VPN Connection

1. From the Lab Activity: Teleworker tab, access Carol machine using the RDP option
Username: carol Password: Fortinet1!
2. Open FortiClient console on desktop.
Note: Various security profiles such as antivirus, webfilter etc. are missing or have not
been activated yet.

3. Click Zero Trust Telemetry. Enter Server Address 100.65.0.101 and click Connect
Note: Within a few seconds, FortiClient Fabric Agent would sync with the EMS server via
Telemetry and start receiving configuration updates. This EMS synchronization enables
protection profiles such as Web Filter, Vulnerability Scan etc.
4. Click REMOTE ACCESS

5. Beside VPN Name, you should see IPSec VPN (HQ-VPN)

6. Click on the lines icon beside it and click View the selected connection to see the VPN
settings.

Note: If you remember, this VPN configuration has been pushed by the EMS via the
endpoint profile configured earlier.

7. Click Cancel
Login into HQ-VPN

1. Enter Username carol@acmecorp.net

2. Type Password Fortinet1!

Note: If the username/password prompt hasn’t shown up, navigate to any other section
in FortiClient and then click Remote Access

3. Click Connect

Note: If you have followed the instructions set out in objectives 2(a) and 2(b), you
have enforced two-factor authentication for user Carol using FortiToken, so a
token prompt should come up asking for a token code. Otherwise, skip to step #6.
4. Open the FortiToken Mobile application on your smart phone to view the six-digit code.
Note: If the token code is not visible, click on the eye icon to view the code. If the timer
is about to expire, wait for a new code because, by the time you enter the token code
into FortiClient, it may have already expired.
5. Enter the six-digit token code in FortiClient and click OK
Note: Make sure to use the newly installed FortiToken code. Due to certain limitations
of the hosted cloud environment, if you do not type the FortiToken code within 2 minutes,
you might lose RDP connectivity to Carol. In that case, wait a few minutes, reconnect to
the Carol machine via RDP and then repeat instructions #1-5.
6. The VPN connection should be up, and the client should be receiving an IP in the range
specified (10.10.10.1-10.10.10.10). FortiClient console will be minimized and can be
viewed from the system tray.
Index: 5.0 (b)
Use Case: Demonstrate Remote User Secure Productivity
Objective Title: Secure Access to Corporate Resources
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

Once connected, access to remote folders, files, and other network resources is as seamless as
being in the office.

Tasks

Access Shared Corporate Resources Securely Over VPN

1. Now that the VPN is up and running, on Carol machine desktop, click Run icon, type the
path \\172.16.100.10\Marketing.
Note: 172.16.100.10 is the IP address of a Windows Server sitting in the HQ office. Since
you connect to HQ through VPN, you will have access to HQ resources, for example,
SMB file shares and shared folders, in the same manner as you would have while sitting
in your cubicle locally in HQ itself.
2. Click OK.

3. You can download/upload (copy/paste) the Expense_Report_Feb_2019 on your desktop
and work on it from home or any remote location.
Access Corporate Web Server
1. Open web browser.
2. Click Corp Web Server bookmark.
3. Ignore the certificate warning. Click Advanced and Proceed to website.
Note: FortiManager login page comes up. This implies carol can securely access a
corporate web server over the VPN connection from home.
Index: 5.0 (c)
Use Case: Demonstrate Remote User Secure Productivity
Objective Title: Protect Endpoints
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

Working remotely does not mean that users must sacrifice security. Security policies for remote
vs. local users can be the same or adjusted to account for individual work requirements.

Tasks

Test Gambling Website Access

1. On Carol machine, open Google Chrome browser.


Note: Do not add the web filter Chrome extension if you see an installation prompt.
2. Click Fortiguard Gambling bookmark.
Note: Access to gambling websites would be allowed. Fortiguard has generated this
particular URL and classified it as a gambling site for our testing purposes.
3. Close the web browser.

Block FortiGuard Web Category Gambling on EMS


1. From the Lab Activity tab, access FortiClient EMS using the browser tab.
2. Click Endpoint Profiles > Manage Profiles.
3. Select Teleworkers Profile and click Edit.
4. Click Web Filter.
5. Scroll down to Site Categories. Click + to expand Adult/Mature Content FortiGuard web
category.
6. Click the drop-down icon beside Gambling web category and click Block.

7. Click Save.

Note: FortiClient EMS will eventually update Carol’s desktop, and there will be a popup
message on the bottom right of carol’s desktop running FortiClient.
Review Endpoint Details

1. Continuing in FortiClient EMS console, click Endpoints > All Endpoints.

2. Click user Carol and view Summary to see device information, IP address, location,
policy configuration, FortiClient version, events, and much more.

Note: FortiClient EMS provides visibility across the network to securely share
information and assign security profiles to endpoints.

3. Click Vulnerability Events and you will see a list of Critical, High, Medium and Low level
vulnerabilities detected on that machine.
Note: If you don’t see any vulnerability events listed, select the checkbox for user
carol and click Scan > Vulnerability Scan to force a scan on carol’s machine, then come
back after a few minutes to view the results. For more information on patching vulnerabilities
on the endpoint device, please refer to Fortinet NSE training.

Test Gambling Website Access Post-Configuration


1. From the web console, access Carol machine using the browser tab.
2. In Carol machine, open a new incognito/private window in Google Chrome web
browser.
Note: DON’T add the web filter Chrome extension if you see an installation prompt.
3. Click the FortiGuard Gambling browser bookmark.
Note: You might see a certificate error. Click Advanced to proceed to the website.
4. The block page means FortiClient blocked access to a gambling website.
Note: EMS pushed configuration updates to FortiClient after we changed the
Teleworkers endpoint profile’s web filter.
Index: 6.0
Use Case: Zero Trust Network Access
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Zero Trust Network Access (ZTNA) is an access control method that uses client device
identification, authentication, and Zero Trust tags to provide role-based application access. It
gives administrators the flexibility to manage network access for On-net local users and Off-net
remote users. Access to applications is granted only after device verification, authenticating the
user’s identity, authorizing the user, and then performing context based posture checks using
Zero Trust tags.
ZTNA has two modes: Full ZTNA and IP/MAC filtering:

• Full ZTNA allows users to securely access resources through an SSL-encrypted access
proxy. This simplifies remote access by eliminating the use of VPNs.
• IP/MAC filtering uses ZTNA tags to provide an additional factor for identification to
implement role-based zero trust access, typically for local on-net users. For remote
users, IP/MAC filtering is paired with VPNs.

Time to Complete: 10 minutes


Index: 6.0 (a)
Use Case: Zero Trust Network Access
Objective Title: Configure EMS Zero Trust Tags & Rules
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

EMS allows you to create Zero Trust tagging rules for Windows, macOS, Linux, iOS, and Android
endpoints based on their OS versions, logged-in domains, running processes, and other criteria.
EMS uses the rules to dynamically group endpoints.

Tasks

Configure Zero Trust Tagging Rule for Devices Running AntiVirus

1. From the Lab Activity: Teleworker tab, access FortiClient EMS using the HTTPS option.
Username: admin Password: Fortinet1!

2. Click Zero Trust Tags > Zero Trust Tagging Rules.


3. Click Add and use the following information.
• Name: AV_Enabled
• Tag: AV_Enabled_Tag (press Enter to save the tag)

4. Click +Add Rule and use the following information:

• OS: Windows
• Rule Type: AntiVirus Software
• AV Software: AV Software is installed and running
5. Click Save.
6. Click Save.
Note: This rule tags endpoint devices that are running antivirus software.
Index: 6.0 (b)
Use Case: Zero Trust Network Access
Objective Title: Configure ZTNA Server
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
A ZTNA server defines the access proxy VIP and the real servers that clients connect to. The
access proxy VIP is the FortiGate ZTNA gateway to which clients make HTTPS connections. The
service/server mappings define the virtual host matching rules and map the HTTPS requests to
the real servers.

Tasks
Enable ZTNA Security Feature

1. From the Lab Activity: Teleworker tab, access FGT-Edge using the HTTPS option

Username: admin Password: Fortinet1!

2. Click System > Feature Visibility

3. Under Security Features, turn ON Zero Trust Network Access

4. Click Apply
Configure ZTNA Server

1. Click Policy & Objects > ZTNA > ZTNA Servers


2. Click Create New and use the following information:
• Name: ZTNA_Web_Server
• Service: HTTPS
• External Interface: port6
• External IP: 100.65.0.102
• External Port: 9443
• Default certificate: AcmeCorpDevice

3. Under Service/server mapping, click Create New and use the following information:
• Service: HTTPS
• Virtual Host: Any Host
• Match path by: Substring
• Path: /
4. Under Servers, click Create New and use the following information:
• IP: 172.16.100.120
Note: 172.16.100.120 is the real HTTPS web server (a FortiManager device) sitting
behind FGT-EDGE in the DC network.
• Port: 443
• Status: Active

5. Click OK
6. Click OK
7. Click OK
Index: 6.0 (c)
Use Case: Zero Trust Network Access
Objective Title: Configure ZTNA Rules & Full ZTNA Mode Firewall Policy
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

A ZTNA rule is a proxy policy used to enforce access control. ZTNA tags or tag groups can be
defined in the rule to enforce zero-trust, role-based access. Security profiles can be configured
to protect this traffic.

Tasks

Review ZTNA Tags

1. Click Policy & Objects > ZTNA > ZTNA Tags


Note: Because the FortiGate and EMS are part of the same Security Fabric group, all EMS Zero
Trust tags are automatically imported into the FortiGate.
2. Under ZTNA IP Tag, you should see the AV_Enabled_Tag EMS tag imported into the FortiGate.

Configure ZTNA Allow Rule

1. Click Policy & Objects > ZTNA > ZTNA Rules


2. Click Create New and use the following information:
• Name: ZTNA_Allow_AV_Enabled
• Source: all
• ZTNA Tag: AV_Enabled_Tag
• ZTNA Server: ZTNA_Web_Server
• Action: ACCEPT
3. Click OK

Configure Full ZTNA Mode Firewall Policy


1. Click Policy & Objects > Firewall Policy
2. Click Create New and use the following information:
• Name: ZTNA-WAN
• ZTNA: Toggle ON > Full ZTNA
• Incoming Interface: ISP1 (port6)
• Source: all
• ZTNA Server: ZTNA_Web_Server
• Schedule: always
• Service: ALL
• Action: ACCEPT
• NAT: Toggle OFF
3. Click OK
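As an added example (it is not part of this lab guide), the following FortiOS CLI is what the GUI steps of the three ZTNA objectives above produce: the access proxy VIP and service/server mapping, the ZTNA rule (a proxy policy), and the Full ZTNA firewall policy. The keywords are written from memory of the FortiOS 7.0 ZTNA documentation, so confirm them on your firmware by running `show firewall vip`, `show firewall access-proxy`, `show firewall proxy-policy` and `show firewall policy` after completing the GUI steps. The tag object name EMS1_ZTNA_AV_Enabled_Tag is an assumption: FortiGate prefixes imported EMS tags with the EMS connector name, so use the name shown under Policy & Objects > ZTNA > ZTNA Tags.

```fortios
# Access proxy VIP: the ZTNA gateway that clients reach on 100.65.0.102:9443,
# presenting the AcmeCorpDevice certificate (values from the lab objectives)
config firewall vip
    edit "ZTNA_Web_Server"
        set type access-proxy
        set extip 100.65.0.102
        set extintf "port6"
        set server-type https
        set extport 9443
        set ssl-certificate "AcmeCorpDevice"
    next
end

# Service/server mapping: any virtual host, path "/" matched by substring,
# real server 172.16.100.120:443. client-cert enable makes the proxy request the
# EMS-issued client certificate, which is what the browser prompt in 7.0 (a) is.
config firewall access-proxy
    edit "ZTNA_Web_Server"
        set vip "ZTNA_Web_Server"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/"
                set url-map-type sub-string
                set service https
                config realservers
                    edit 1
                        set ip 172.16.100.120
                        set port 443
                        set status active
                    next
                end
            next
        end
    next
end

# ZTNA rule (proxy policy): the posture check lives here. A device with a valid
# EMS certificate but without the AV tag matches no accept rule and gets Access Denied.
config firewall proxy-policy
    edit 0
        set name "ZTNA_Allow_AV_Enabled"
        set proxy access-proxy
        set access-proxy "ZTNA_Web_Server"
        set srcintf "port6"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_AV_Enabled_Tag"   # assumed imported tag name
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

# Full ZTNA firewall policy on the WAN interface: hands matching traffic to the
# access proxy; NAT is off because the proxy terminates the TLS session itself.
config firewall policy
    edit 0
        set name "ZTNA-WAN"
        set srcintf "port6"
        set dstintf "any"
        set action accept
        set ztna-status enable
        set srcaddr "all"
        set dstaddr "ZTNA_Web_Server"
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The split between the two policies is the point worth keeping in mind when reviewing a ZTNA deployment: the firewall policy only decides that traffic to the VIP is handed to the proxy, while identity (client certificate) and posture (EMS tag) are enforced in the proxy policy, so an accept rule without a `ztna-ems-tag` would admit any EMS-registered device regardless of its antivirus state.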
Index: 7.0
Use Case: Demonstrate ZTNA Connectivity
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Zero Trust Network Access (ZTNA) is an access control method that uses client device
identification, authentication, and Zero Trust tags to provide role-based application access. It
gives administrators the flexibility to manage network access for on-net local users and off-net
remote users. Access to an application is granted only after the device is verified, the user's
identity is authenticated, the user is authorized, and context-based posture checks are
performed using Zero Trust tags.

Time to Complete: 5 minutes


Index: 7.0 (a)
Use Case: Demonstrate ZTNA Connectivity
Objective Title: Test ZTNA Connection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
ZTNA differs from traditional SSL VPN or IPsec VPN teleworking solutions in that it simplifies
remote access while adding security checks that authenticate the identity of the device and
the user and verify the overall security posture of the endpoint. Remote users only need to
register with the EMS server, then access the web resources directly from their browser.

Tasks

End VPN Connection


1. From the web console, access Carol's machine using the browser tab.
2. Open FortiClient console.
3. Click REMOTE ACCESS
4. Click Disconnect to end the IPsec VPN connection.

5. Close FortiClient console.

Test Remote Access to the HTTPS Access Proxy


1. Open the web browser and click the ZTNA Web Server browser bookmark.
Note: The server is a FortiManager device behind FGT-DC in the DC network.
2. You will receive a warning that the connection is not private (secure). If you view the
certificate details, you will see that it matches the AcmeCorpDevice certificate specified in
the ZTNA server configuration. Click Advanced, then Proceed to webserver.acmecorp.net.

3. The browser will prompt for the client certificate to use. Choose the EMS-signed
certificate and click OK.

4. A block page with Access Denied is presented.


Note: Because Carol's machine is not running any antivirus software, it is not deemed safe,
so access to Acme Corp's web server and other corporate assets is denied.

5. Close the web browser.


Index: 7.0 (b)
Use Case: Demonstrate ZTNA Connectivity
Objective Title: Enable Malware Protection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
The Malware Protection tab contains options for configuring AV, anti-ransomware, anti-exploit,
cloud-based malware detection, removable media access, exclusions list, and other options.

Tasks

Enable Malware Protection


1. From the web browser, access EMS using the web console.
2. Click Endpoint Profiles > Manage Profiles.
3. Click the Teleworkers profile and click Edit.
4. Under Malware, turn ON AntiVirus Protection.

5. Click Save.
6. Click Zero Trust Tags > Zero Trust Tag Monitor.
Note: Carol's machine should be tagged with AV_Enabled Tag. If you don't see the correct
tag information, wait 1-2 minutes while the FortiClient configuration on the Alice machine
is synced with the EMS server.
Confirm Malware Protection (Carol)
1. From the web browser, access Carol's machine using the web console.
2. Open FortiClient console.
Note: Minimize or close the antivirus scan progress, if running. You should see Malware
Protection enabled now.
Index: 7.0 (c)
Use Case: Demonstrate ZTNA Connectivity
Objective Title: Re-Test ZTNA Connection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

When on-net and off-net FortiClient endpoints register to FortiClient EMS, device information,
logged-on user information, and security posture are all shared with the EMS server over ZTNA
telemetry. Clients also make a certificate signing request to obtain a client certificate from
EMS, which acts as the ZTNA Certificate Authority (CA).
Based on the client information, EMS applies matching Zero Trust tagging rules to tag the
clients. These tags, and the client certificate information, are synchronized with the FortiGate in
real time. This allows the FortiGate to verify the client's identity using the client certificate and
to grant access based on the ZTNA tags referenced in the ZTNA rule.

Tasks

Test ZTNA Web Server Remote Connection


1. On Carol's machine, open the web browser.
2. Click the ZTNA Web Server browser bookmark.
3. Ignore the certificate warning and proceed to the website.
4. The browser will prompt for the client certificate to use. Choose the EMS-signed
certificate and click OK.
5. You are now allowed a remote connection to FortiManager through the HTTPS access
proxy.
Note: Carol's machine is now running antivirus software and is therefore deemed
compliant, so EMS tags it as AV_Enabled and the ZTNA rule configured in an earlier
exercise allows it. If you still see the Access Denied page, wait a few minutes and refresh
the browser tab, as EMS may take some time to sync the tag information to
FortiGate-Edge.

Review Certificate Details on Client Machine


1. From the Windows taskbar, open Search Windows.
2. In the search bar, type user certificate and click Manage user certificates.
3. In the user certificate store, open the folder Personal > Certificates.
4. Choose the FCTEMS-issued certificate and view its properties by double-clicking it.

5. Under the General tab, you will find the identity the client certificate is issued to.

6. Under the Details tab, you will find the serial number (SN) of the certificate.
Review Endpoint Record on FGT-Edge
1. From the web console, access FGT-EDGE using the browser tab.
2. Click the >_ icon at the top right to open the CLI console.
3. Type the following command and press Enter:
# diagnose endpoint record list
4. Check that the Client cert SN and FortiClient UID fields in the endpoint record match the
information for this device.
Review Endpoint Information on EMS
1. From the web console, access FortiClient EMS using the browser tab.
2. Click Endpoints > All Endpoints.
3. Click the user entry Carol.
4. Under Configuration, check that the FortiClient ID and ZTNA Serial Number fields show
the same values as FortiClient and the FortiGate.
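The following FortiGate CLI commands, added here as an example rather than taken from the guide, are what I would run from the same CLI console to check that the certificate serial number and FortiClient UID seen on the client and in EMS are also what the FortiGate will enforce against. `diagnose endpoint record list` is the command used in the step above; the other two are written from memory of the FortiOS ZTNA troubleshooting documentation, so treat their presence on your firmware as an assumption (the first command alone is enough for the lab). The tag name EMS1_ZTNA_AV_Enabled_Tag and the UID placeholder are assumptions.

```fortios
# 1. Endpoint records synced from EMS: find Carol's entry and note the
#    "Client cert SN" and "FortiClient UID" fields. An SN that does not match
#    the certificate in the Windows user store means the client will fail the
#    certificate check at the access proxy even if its tag is correct.
diagnose endpoint record list

# 2. Membership of the dynamic address objects that back the imported EMS tags.
#    The IP of Carol's machine should be listed under the AV tag
#    (assumed object name EMS1_ZTNA_AV_Enabled_Tag) before the ZTNA rule can match.
diagnose firewall dynamic list

# 3. The proxy daemon's own view of one device, looked up by the FortiClient UID
#    copied from step 1 (placeholder shown; paste the real UID).
diagnose wad dev query-by uid <FortiClient-UID-from-step-1>
```

Running these after the EMS change in 7.0 (b) shows the sync delay the note above warns about: the endpoint record appears first, the tag membership in the dynamic address list follows, and only then does the proxy policy start accepting Carol's session.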
Index: 8.0
Use Case: Deploy FortiGate Firewall at Home
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Executive users have requirements such as reduced packet loss for latency-dependent
applications, connecting remote devices or applications that cannot support client VPN
software, secure extension of on-premises layer-2 networking to the remote site, support for
multicast applications over VPN, end-to-end layer 3-7 security and visibility, low TCO, and easy
deployment.
The advantages of deploying a desktop FortiGate at an executive's home include:

• Small form-factor, fan-less designs

• Low power consumption thanks to ASIC technologies

• Built-in wireless or dedicated managed FortiAPs available

• Fully featured FortiOS offering the same security as a datacentre firewall

• Central management

• Easy to install at home

• Optional FortiExtender 3G/4G LTE connectivity offering SD-WAN capabilities
(improved application performance and resilience)

This particular use case is most applicable to an executive/super user.

Time to Complete: 5 minutes


Index: 8.0 (a)
Use Case: Deploy FortiGate Firewall at Home
Objective Title: Getting Started With FortiGate Firewall
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

In this objective, you will set up and configure your FortiGate firewall at your home. At the end
of this objective, you will be able to browse the internet with a computer connected directly to
the FortiGate.

Note: This exercise has the following assumptions:

• Your computer connects to port 2 (LAN) of the FortiGate firewall.

• Your ISP router connects to the port 4 (WAN) interface of the FortiGate via an Ethernet cable.
• The power and status lights on the FortiGate firewall are solid green.
Note: The above pictures show how to connect a computer to the internal ports of a branch
office FortiGate, the FGT-60F. While the ports are slightly different from those in our virtual
labs, the concepts and configuration examples are similar.

Tasks

Confirm that Ubuntu Desktop (David) has an IP address in the same subnet as the FortiGate's
port2 (internal) interface.

1. From the Lab Activity: Teleworker tab, access Ubuntu (David) using the RDP option.

User: David
Password: Fortinet1!

2. In the upper right-hand area, click the network icon

3. Select the Ethernet (ens160) Connected area

4. Expand the area and select Wired Settings


5. Click the gear icon next to the ens160 interface

6. Note the IP address given is the first of the DHCP range (192.168.1.100 –
192.168.1.120). Then click Cancel.

Note: By default, FortiOS assigns IP addresses from the 192.168.1.0/24 network. The
last octet of your address might be slightly different.

Connecting to the Web GUI

1. Open Firefox on Ubuntu (David) and go to https://192.168.1.99

Note: 192.168.1.99 is the default IP address of an out-of-the-box FortiGate, which will be
visible on David's branch office LAN.

2. Click Advanced and then Accept the Risk to proceed to 192.168.1.99

Note: You will need to accept the security warning presented by your browser on your
first connection because the FortiGate uses a self-signed SSL certificate.

3. Log in to the FortiGate using the following credentials.

• Username: admin

• Password: Fortinet1!

Note: When logging in to a factory-default, out-of-the-box FortiGate for the first
time, the password field will be blank. Due to certain limitations of the hosted
cloud lab environment, the password has been changed on this FortiGate
firewall.
Configuring Internet Connectivity on WAN1

1. Click Network > Interfaces.

Note: The network interface layout on this FortiGate firewall is a little different from an
actual out-of-the-box FortiGate unit. The mgmt interface has already been
pre-configured and assigned an IP address. This has been done only to preserve the
licensing in the hosted cloud lab environment, but the instructions outlined in this
objective stay the same.

2. Click ISP1 Branch2 (port2) and click Edit.

3. Note that this firewall has been given a static IP address.

Note: Out of the box, the Addressing mode would be set to DHCP. However, in our
example, we have configured a static IP address. We will configure the dialup VPN to work
regardless of which mode (DHCP or static) the WAN port uses.

4. On the right-hand side of this same screen, verify that the port2 status for WAN is
connected.
5. Click OK.

Verifying the FortiGate Firewall Policy and Enabling AntiVirus Protection

1. Click Policy & Objects > Firewall Policy.

2. Expand the Branch2 to ISP 1 section.

Note: Out of the box, FortiOS allows traffic to flow from the internal interfaces out the
WAN1 interface.

3. Select the policy and click Edit.

4. Change the Name to Internal to WAN.

Note: Naming a policy makes it easier to identify in the future.

5. Enable AntiVirus.

Note: You will test this antivirus protection in a later objective.

6. Click OK.
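As an added example (not from the guide), this is the CLI form of the policy change just made, useful for auditing a home FortiGate without opening the GUI. The policy ID is a placeholder: list the policies with `show firewall policy` to find the one named Branch2 to ISP 1. The profile names `default` and `certificate-inspection` are the FortiOS built-in defaults, which is what the GUI applies when you enable AntiVirus on a policy.

```fortios
# Enable antivirus on the internal-to-WAN policy (keywords per FortiOS 7.x)
config firewall policy
    edit <policy-id>                       # placeholder: id of "Branch2 to ISP 1"
        set name "Internal to WAN"
        set utm-status enable              # required for any security profile to apply
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all                 # log every session, not only blocked ones
    next
end
```

One caveat a practitioner should check here: certificate-inspection only reads the server certificate, so the antivirus profile can scan cleartext HTTP downloads but not the body of an HTTPS transfer. Blocking malware delivered over HTTPS needs the deep-inspection profile, with the FortiGate's CA certificate installed on the client machines so the browser trusts the re-signed certificates.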
Verifying Internet Connectivity

1. On Ubuntu (David), click Fortinet browser bookmark and make sure you have internet
connectivity.
Index: 9.0
Use Case: Configure FortiGate-to-FortiGate IPsec VPN
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction

Executive/Super users may require access to critical remote devices or applications that cannot
support client VPN software. At times, they may also need to support multicast applications
over VPN.
The problem can be solved by leveraging client VPN software alternatives. Super/Executive
users can use a FortiGate unit to connect to the private HQ or corporate network instead of
using FortiClient software.

Time to Complete: 10 minutes


Index: 9.0 (a)
Use Case: Configure FortiGate-to-FortiGate IPsec VPN
Objective Title: Configure IPsec VPN (Remote FortiGate as Dialup Client)
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

In a FortiGate dialup-client configuration, a FortiGate unit with a static IP address acts as a
dialup server. A FortiGate unit with a dynamic IP address initiates a VPN tunnel with the
FortiGate dialup server.

Note: FortiGate-Edge (HQ) has been pre-configured to act as an IPsec VPN dialup server. If you
log in to FortiGate-Edge, you will see an Executive_VPN already configured to serve as the
dialup IPsec VPN server.

Tasks

Configure FortiGate-Executive as a dialup IPsec VPN client

1. From the Lab Activity: Teleworker tab, log in to the Ubuntu (David) executive desktop via
the RDP option using the following credentials:

Username: david Password: Fortinet1!

2. Open the web browser and log in to the local FortiGate by typing https://192.168.1.99
and use the following credentials.

Username: admin Password: Fortinet1!

Note: Alternatively, you could go to the Lab Activity: Teleworker tab and access
FGT-BR2 using the HTTPS option.

3. Click VPN > IPsec Wizard and use the following information:

• Name: Home-to-HQ
• Template Type: Site to Site
• NAT configuration: This site is behind NAT
• Remote Device Type: FortiGate

4. Click Next.

5. Use the following Authentication configuration:

• Remote device: IP Address
• Remote IP address: 100.65.0.101 (Note: This is the external IP address of
FGT-Edge (HQ))
• Outgoing Interface: ISP1 Branch2 (port2)
• Authentication method: Pre-shared Key
• Pre-shared key: Fortinet1!
6. Click Next.

7. Use the following Policy & Routing configuration:

• Local interface: Branch2 (port4)

• Local subnets: 192.168.1.0/24

• Remote subnets: 172.16.100.0/24, 10.10.30.0/24 (click the + icon to add
multiple subnets)
Note: 172.16.100.0/24 is the local DC_Network behind FGT-Edge (HQ), and
10.10.30.0/24 is the network which connects to other firewalls deployed in HQ.
• Internet Access: None

8. Review the settings, click Create, and view the summary list of created objects.
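The wizard hides what it creates, so as an added example (not the guide's own text) here is the set of objects it generates for the values entered above, written out in FortiOS CLI so the result can be reviewed or reproduced on a FortiGate without the wizard. The object names (Home-to-HQ_local, Home-to-HQ_remote_DC, Home-to-HQ_remote_HQ, the two policy names), the proposal aes256-sha256 with DH group 14, and the port roles (port2 as the ISP1 Branch2 WAN uplink, port4 as the Branch2 LAN) are assumptions drawn from the steps above; the wizard's actual names and proposal list may differ, so compare with `show vpn ipsec phase1-interface` and `show router static` after step 8.

```fortios
# Phase 1, dialup client side: the HQ gateway has a static address, this FortiGate
# sits behind the ISP router (NAT), so NAT traversal and keepalives are on.
config vpn ipsec phase1-interface
    edit "Home-to-HQ"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set keepalive 10
        set dpd on-idle
        set remote-gw 100.65.0.101
        set psksecret Fortinet1!       # lab value; use a long random PSK or certificates in production
    next
end

# Address objects used by the selectors and policies (assumed names)
config firewall address
    edit "Home-to-HQ_local"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Home-to-HQ_remote_DC"
        set subnet 172.16.100.0 255.255.255.0
    next
    edit "Home-to-HQ_remote_HQ"
        set subnet 10.10.30.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "Home-to-HQ_remote"
        set member "Home-to-HQ_remote_DC" "Home-to-HQ_remote_HQ"
    next
end

# Phase 2: the address group yields one selector per remote subnet;
# auto-negotiate brings the tunnel up without waiting for the first ping.
config vpn ipsec phase2-interface
    edit "Home-to-HQ"
        set phase1name "Home-to-HQ"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set src-addr-type name
        set dst-addr-type name
        set src-name "Home-to-HQ_local"
        set dst-name "Home-to-HQ_remote"
    next
end

# Routes: HQ subnets go into the tunnel. The blackhole routes (distance 254) keep
# corporate-bound traffic from leaking out the ISP link while the tunnel is down.
config router static
    edit 0
        set dst 172.16.100.0 255.255.255.0
        set device "Home-to-HQ"
    next
    edit 0
        set dst 10.10.30.0 255.255.255.0
        set device "Home-to-HQ"
    next
    edit 0
        set dst 172.16.100.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
    edit 0
        set dst 10.10.30.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Policies in both directions between the LAN (port4) and the tunnel interface,
# restricted to the VPN subnets rather than "all", and logged.
config firewall policy
    edit 0
        set name "vpn_Home-to-HQ_local"
        set srcintf "port4"
        set dstintf "Home-to-HQ"
        set action accept
        set srcaddr "Home-to-HQ_local"
        set dstaddr "Home-to-HQ_remote"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "vpn_Home-to-HQ_remote"
        set srcintf "Home-to-HQ"
        set dstintf "port4"
        set action accept
        set srcaddr "Home-to-HQ_remote"
        set dstaddr "Home-to-HQ_local"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two of these objects matter more than the rest when reviewing a home deployment: the blackhole routes, without which a tunnel outage silently sends packets for 172.16.100.0/24 to the ISP's default route, and the inbound policy, which should stay scoped to the HQ subnets and never be widened to `all` because the tunnel endpoint is shared with other dialup clients on the HQ side.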
Index: 9.0 (b)
Use Case: Configure FortiGate-to-FortiGate IPsec VPN
Objective Title: Establish IPsec VPN Secure Connection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

In this objective, you will initiate the IPsec VPN connection and access critical Acme Corp
resources over a secure VPN connection.

Tasks

Initiate Dialup IPsec VPN Connection

1. On David (Ubuntu desktop), open a terminal.

2. Enter ping 172.16.100.10 and make sure you are able to successfully ping the
private IP address of Windows Server (HQ).

Note: The very first ping request may time out because the VPN connection is still down,
but the following pings should succeed. Press Ctrl+C to stop pinging.

3. From David's workstation, log in to FortiGate-Executive at https://192.168.1.99 via the
web browser.

4. Click Dashboard > Network.

5. Locate the IPsec dashboard widget and click anywhere inside the widget to
expand it to full screen.

6. Expand the Site to Site-FortiGate section; you should see that the Home-to-HQ VPN is up.
Access Critical Assets Over Secure VPN Connection

1. On David's Ubuntu machine, click the Files icon (left bar on the Ubuntu desktop). In the left
column, locate and click the Finance on 172.16.100.10 folder.
Note: The Finance folder is a shared folder on the Windows Server (HQ). If you are
prompted for a password, enter Fortinet1! and click Unlock.

2. In the Finance folder, you will see a PDF.

3. Right-click 5_Yr_Business_Financial_Projection_Report. Click Copy to >
Documents > Select. David is now able to download and access critical and confidential
corporate information securely over a VPN connection.

Note: Once you have completed the lab objective, click Test. Wait for a few
seconds and click Continue. The Test button will automatically send a phishing
email to David’s email inbox. You will verify the results in the next lab objective.
Index: 9.0 (c)
Use Case: Configure FortiGate-to-FortiGate IPsec VPN
Objective Title: Verify AntiVirus Protection
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background

A hacker impersonating the CEO of Acme Corp tries to trick David (our executive user)
into executing a malicious file.

We can stop this phishing attempt with the FortiGate antivirus profile that we previously
applied to our firewall rule.

Goal or Tasks
1. On Ubuntu David, open Mozilla Thunderbird email client.

2. Click and open the email containing the subject Q4 Meeting Agenda received from
ceo@acmecrop.net

Note: AcmeCrop is an untrusted domain used by the hacker to send a phishing email to
David.

3. Click on the link provided in the email Click to download!!

Note: Ignore Thunderbird warning and click Yes


4. The download will be blocked due to antivirus protection enabled on the Internal to
WAN1 policy. The firewall should serve a page similar to the screenshot below.

Note: If you don’t immediately see the above FortiGuard block message, hit refresh on
the browser.
Home FortiGates provide consolidated advanced security and networking capabilities to
protect against cyber-attacks in a compact and affordable solution.
Index: 10.0
Use Case: Establish Remote Telephony
Objective Title: Introduction
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Introduction
FortiFone provides unified voice communications with VoIP connectivity that is secured and
managed via FortiGate NGFWs. The FortiFone soft client interface allows users to make or
receive calls, access voicemail, check call history, and search the organization’s directory right
from a mobile device.

In this exercise you will demonstrate how super users can still access their office extension even
when working remotely.

Time to Complete: 5 minutes


Index: 10.0 (a)
Use Case: Establish Remote Telephony
Objective Title: Configure Remote User Extension
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
You will configure the softphone extension on FortiVoice.

Tasks

Configure Soft Phone Extension on FortiVoice

1. From the Lab Activity: Teleworker tab, access FortiVoice using the HTTPS option.

Username: admin Password: Fortinet1!

2. Click Extension > Extension > IP Extension.

Note: A softphone extension for Alice (ext. 5000) sitting on Windows 2019 (Domain
Controller) has been pre-configured.
3. Click New and use the following information:

• Number: 5500

• Display name: david

4. Click Soft Phone.

5. Set License Allocation: 1

6. Click OK
Verify Soft Phone Registration Settings
1. On FortiVoice, click Extension > Extension > IP Extension.

2. Select the entry with Display Name David and click Edit.

3. Click Soft Phone.

4. Click Desktop [View Login Information].


Index: 10.0 (b)
Use Case: Establish Remote Telephony
Objective Title: Register Soft Phone and Dial Remote Extension
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Background
You will now register FortiFone on the executive user machine to the FortiVoice server and test
the setup by dialing a remote phone extension.

Tasks

Register David’s FortiFone to FortiVoice

1. Return to David’s desktop (Ubuntu).


2. Open FortiFone desktop application on the Ubuntu desktop.

Note: Make sure HQ-VPN connection is up. If the VPN is down, establish the VPN
connection again before moving onto the next step.
3. Register the FortiFone as follows:
• Server: 172.16.100.135
Note: Since the HQ-VPN connects the branch office to HQ, FortiFone can register
to the FortiVoice server's local IP address in the DC_Network.
• Username: 5500
Note: 5500 is the IP extension configured earlier for user David.
• Password: 12345
4. Click Login.

Note: The FortiFone should be successfully registered to the FortiVoice server.

Connect Alice’s FortiFone to FortiVoice


1. From the Lab Activity: Teleworker tab, access Domain Controller via RDP option using
the following credentials.

Username: alice Password: Fortinet1!

2. Open FortiFone application on Desktop.

3. A warning prompt 'Microphone not detected' will show up on Alice's FortiFone. Click OK.
Note: This error is expected behavior due to certain limitations in the hosted lab
environment.
4. On the top left corner, click the circle icon to reconnect Alice’s FortiFone to FortiVoice
server. The circle icon should turn to green, which means Alice’s FortiFone is now
successfully registered to FortiVoice server as well.

Dial Phone Extension over the VPN


1. Navigate to David machine using the browser tab.

2. Open FortiFone and type Alice’s extension 5000 using the keypad and click the dial
button.

3. Navigate to Domain Controller using the browser tab.

4. You should see an incoming call from David.

Note: If you decide to pick up the FortiFone installed on Alice's machine, the call will drop
and a warning prompt 'Microphone not detected' will show up on Alice's FortiFone. This
error is expected behavior due to certain limitations in the hosted lab environment. The
setup should work seamlessly in a real production environment. The whole purpose of
this exercise is just to demonstrate remote telephony with FortiVoice and FortiFone.
Index: 11.0
Use Case: Conclusion
Objective Title: Review
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

Review

After completing this Fast Track module, you should understand how to:

• Configure two-factor authentication necessary for secure access

• Create an inbound VPN policy on FortiGate that allows teleworkers to tunnel back to
corporate headquarters
• Configure Fortinet Endpoint Management Server (EMS) to protect remote users as
effectively as if they were located at the corporate office
• Deploy an out-of-the-box FortiGate at home
• Demonstrate successful operation of these critical functions
Index: 11.0 (a)
Use Case: Conclusion
Objective Title: End of Session
Points: 0
----------------------- Objective Section -----------------------
Objective Text:

You have successfully completed the Fortinet Engineered for Remote and Secure
Productivity Hands-On Lab.

Thank You

To get more information on this or other Fortinet solutions, please consider
looking at Fortinet's NSE training.

Please take a moment to complete our short survey located within web portal tab above.
