Notes for FortiADC Labs– Application Delivery Part 2 - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Thursday, November 28, 2024

Notes for FortiADC Labs– Application Delivery Part 2

 Configure Layer 7 Load Balancing

In this series of exercises, you explore the principles of configuring the basic elements required for load balancing at Layer 7. These elements include:

  • Layer 7 virtual server
  • Content routing in a virtual server
  • Cookie insertion persistence





Create a Layer 7 Virtual Server


Background

 

You will create another virtual server, but this time at Layer 7. This way, the FortiADC device will be able to inspect and change the HTTP traffic.
To create a server profile

  1. From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the HTTPS option.

  2. Log in using the username: admin and the password: Fortinet1!.

  3. Click Server Load Balance > Application Resources > Application Profile.

  4. Click Create New to create a new profile using the following settings:
    • Name: HTTP_Profile
    • Type: HTTP

  5. Keep the default values for the remaining settings, and then click Save.

To delete the Layer 4 virtual server

  1. Click Server Load Balance > Virtual Server > Virtual Server.

  2. Select the virtual server TCP_VS.

  3. Click Delete.

  4. Click OK to confirm.


To create a new Layer 7 virtual server

  1. Click Server Load Balance > Virtual Server Virtual Server.

  2. Click Create New and select Advanced Mode to create a new virtual server using the following settings:
    • Name: HTTP_VS
    • Status: Enable
    • Type: Layer 7
    • Address Type: IPv4

  3. On the General tab, configure the following settings:
    • Address: 172.16.99.146
    • Port: 80
    • Interface: Port2
    • Profile: HTTP_Profile
    • Method: LB_METHOD_ROUND_ROBIN
    • Real Server Pool: Ap_Servers

  4. Keep the default values for all other settings, and then click Save.


Configure Content Routing in a Virtual Server


Background

FortiADC can be configured to make decisions based on the content of the HTTP traffic. This is called content routing. AppSrv3 has a resources folder, which does not exist on the other application servers. In this exercise, you configure FortiADC-1 to properly route all users attempting to connect to the resources folder, to AppSrv3, while still keeping the traffic to the home page balanced among all three of the application servers.


To configure content routing in a virtual server

  1. From the Lab Activity: FortiADC sidebar menu, access Kali using the RDP option.

  2. Open a web browser and connect to the following URL:

    http://172.16.99.146/resources

  3. Press CTRL+SHIFT+R several times to reload the website.

    Note: Approximately two out of three connection attempts will fail. They fail each time the device routes the traffic to AppSrv1 and AppSrv2 because the resources folder is located only on AppSrv3.

  4. To fix the problem, you will configure content routing. First, you must create a new real server pool using AppSrv3 as the only member.


To create a new real server pool

  1. From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the HTTPS option.

  2. Log in as admin and password Fortinet1!

  3. Click Server Load Balance > Real Server Pool Real Server Pool.

  4. Click Create New to create a new real server pool using the following settings:
    • Name: Ap_3
    • Address Type: IPv4
    • Health Check: On

  5. In the Available Items list, double-click HTTP_Check to add it to the Selected Items list.

  6. Keep the default values for the remaining settings, and then click Save.


To add members to the real server pool

  1. Click the edit icon to edit the new real server pool named Ap_3.

  2. Scroll down to the Member pane and click Create New to create a new member using the following settings:
    • Status: Enable
    • Real Server: AppSrv3
    • Port: 80
    • Weight: 1

  3. Keep the default values for the remaining settings, click Save, and then click Save again.


To create content routes

  1. Click Server Load Balance > Virtual Server > Content Routing.

  2. Click Create New to create a new route using the following settings:
    • Name: Resources_Route
    • Type: Layer 7
    • Real Server Pool: Ap_3
    • Persistence: Inherit
    • Method: Inherit

  3. Click Save.

  4. Click Create New to create a second content route using the following settings:
    • Name: All
    • Type: Layer 7
    • Real Server Pool: Ap_Servers
    • Persistence: Inherit
    • Method: Inherit

  5. Click Save.

    You should now have two content routing rules, as follows:

 
To add match conditions to the content routes

  1. Click the edit icon ( ) to edit the Resources_Route.

  2. Scroll down to the Match Condition pane, and then click Create New to create a new rule using the following settings:
    • Object: HTTP Request URL
    • Type: String
    • Content: resources

  3. Click Save, and then click Save again.

  4. Click the edit icon ( ) to edit the All content route.

  5. Scroll down to the Match Condition pane, and then click Create New to create a new rule using the following settings:
    • Object: HTTP Host Header
    • Type: String
    • Content: 172.16.99.146

  6. Click Save, and then click Save again.



To select and enable content routes

  1. Click Server Load Balance Virtual Server > Virtual Server.

  2. Click the edit icon ( ) to edit HTTP_VS.

  3. In the Specifics pane, enable Content Routing.

  4. In the Available Items list, double-click Resources_Route to add it to the Selected Items list.

  5. In the Available Items list, double-click All to add it to the Selected Items list.

  6. The route All must be the second entry in the Selected Items list from top to bottom.


     
    If necessary, you can drag and drop the content routes to reorder them.

  7. Click the General tab.

  8. Scroll down to the Error Page pane, and then type the following message in the Error Message field to customize it:
    Server is not currently available. Please try again later.

  9. Click Save.


Test Content Routing



To test the content routes

  1. Return to the Kali tab and the browser that is running the connection to the resources folder at:
    http://172.16.99.146/resources.

  2. Press CTRL+SHIFT+R several times to refresh the browser.

  3. Now it works! Traffic is redirected by the content route only to AppSrv3.

  4. Open a new browser tab and connect to the virtual server at http://172.16.99.146.
        The FortiADC is still balancing the connections among the three application servers.


To test the error page

  1. From the Lab Activity: FortiADC sidebar menu, access AppSrv3 using the SSH option.

  2. Log in as root using the password Fortinet1!, and then run the following command:
    [root@AppSrv3 ~]# service httpd stop 

  3. Return to the Kali web browser and connect to the resources folder at:
    http://172.16.99.146/resources

  4. Press CTRL+SHIFT+R several times to refresh the browser.

  5. The customized error message displays.



  6. At the AppSrv3 command prompt, activate the web server using the following command:
    [root@AppSrv3 ~]# service httpd start

  7. Close the AppSrv3 SSH tab.


Configure Cookie Insertion Persistence


Background

Cookie insertion takes advantage of the browser’s cookie caching behavior. FortiADC inserts a cookie in the content that is forwarded to the user, so each time the client issues a GET request, the FortiADC uses that cookie to identify which server the HTTP GET should go to.

 

This allows FortiADC to ensure that any applications requiring session-based connections, such as those required by e-commerce transactions, remain established between the client and the same back-end server. Without this capability, each new GET request from the client could end up going to a different back-end application server.


In this exercise, you use cookie insertion persistence to route the traffic coming from the same user to the same server.


To configure cookie insert-based persistence

  1. From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the HTTPS option.

  2. Log in using the username admin and the password Fortinet1!.

  3. Click Server Load Balance > Application Resources > Persistence.

  4. Click Create New to create a new persistence method using the following settings:
    • Name: Cookie_Insert
    • Type: Insert Cookie
    • Keyword: FastTrack
    • Timeout (sec): 300



  5. Click Save.

  6. Click Server Load Balance > Virtual Server > Virtual Server.

  7. Click the edit icon to edit the new virtual server HTTP_VS.

  8. Click the General tab, and scroll down to the Resources section.

  9. Select Cookie_Insert as the Persistence method.



  10. Click Save.

To test the Cookie-based persistence

  1. From the Lab Activity: FortiADC sidebar menu, access Kali using the RDP option.

  2. Open the web browser and connect to the virtual server at http://172.16.99.146.

  3. Press CTRL+SHIFT+R several times to refresh the browser.

  4. Traffic is now routed to the same application server.
    The FortiADC inserts a cookie named FastTrack that identifies requests made by the FortiADC. Your browser is appending the cookie to all requests made to the virtual server IP address.


To observe the cookie and its value

  1. In the Mozilla web browser, on the upper-right corner, click the Open Menu icon.

  2. From the menu, click Web Developer > Storage Inspector to open the developer tools panel.

  3. Expand the Cookies section on the left.

  4. Select the http://172.16.99.146 cookie to view the details.

  5. On the right pane, in the Name column, you will see the FastTrack cookie name that you created earlier.



  6. Close the Developer pane.


Install SSL Certificates




Background

To inspect and make decisions based on the SSL content, you will import the server’s signed digital certificate and the private key to the FortiADC.

The FortiADC, instead of the backend servers, will then present these to HTTPS clients.


To import the server’s signed digital certificate

  1. From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the HTTPS option.

  2. Log in using the username: admin and the password: Fortinet1!.

  3. Click System Manage Certificates > Local Certificate.

  4. Click Import, and then enter the following settings:
    • Type: Certificate
    • Certificate Name: FastTrack_Cert
    • Input Type: Manual Input
    • Certificate: copy the following into this field:
      -----BEGIN CERTIFICATE-----
      MIIGPzCCBCegAwIBAgIBAjANBgkqhkiG9w0BAQ0FADCBujELMAkGA1UEBhMCQ0Ex
      EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTERMA8GA1UEChMIRm9y
      dGluZXQxHTAbBgNVBAsTFEZvcnRpQURDIFRyYWluaW5nIENBMTAwLgYDVQQDEydG
      b3J0aUFEQyBUcmFpbmluZyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxJDAiBgkqhkiG
      9w0BCQEWFXRyYWluaW5nQGZvcnRpbmV0LmNvbTAeFw0xNjAyMTcxNjQzMDBaFw0y
      NjAyMTcxNjQzMDBaMIGZMQswCQYDVQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEP
      MA0GA1UEBxMGT3R0YXdhMREwDwYDVQQKEwhGb3J0aW5ldDEWMBQGA1UECxMNRm9y
      dGlBREMgTGFiczEWMBQGA1UEAxMNRm9ydGlBREMgTGFiczEkMCIGCSqGSIb3DQEJ
      ARYVdHJhaW5pbmdAZm9ydGluZXQuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
      MIICCgKCAgEAwC5BNNNn+H/sp9ag4qOvav1xhNNIS44EI//QMg2buHNGNvEkbsgh
      o7viNbJou0rSjd31C3jDOMRTRCi0L8H9/zoq9PXjHoPhi8Rk527P2yQEs3/O69pf
      b6uE9CnvTNMhfc8xMKS7KSg3aXxzCO6EtpxbJomxMjSHdXTLXxkKeKySJdiS3IZT
      xrq/P3kOJZzCVl0Cp3pa8cFQDtYPSQwaV90RcZ3jg6Yo/1aDZrAOKKNVuLEgnhOD
      lQ5UoU6UZngI9dnEEe+GDKTxzvrhLQBvlpvxXncAqE/ckuHkzBCWs2eeXuiXqS+7
      Z3qE/YizBsl/ys4DJ0x7FHZ151Rg96jM5oW8N79oiHpf7XFGeryeDJnsdEolIXH6
      NXey8pOdD127xlYAEP4iAb/UkOXnc5RiZ5tUPAdsKHwL23Bpf2uoO2Xivq3VYyjL
      LisQHmWKR+kQkhWgt5onqngs6x6g6VG+p4tP7ruNPeiG5K8sfp4YnUMXGiGa/dfY
      Ax8dPsLmeApyG9Zf93GnPWnlib3QsxEpfSX1GFVRghWpT1lTYeCJvfs4QyxeBv+i
      PGdcfJsXtIMFRu0QDZdFOMuTii+ehBnrq99Ul2ZmGNDJvQFEBEyiVGWYcMITjvtj
      asMDh60/iox6Chi5N/s/kKou78nr4lIqlyf8TcRoHbgzx0+x5YByPJMCAwEAAaNv
      MG0wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUpIBsXE2d679YwgWdHr1Bwl+sGScw
      CwYDVR0PBAQDAgXgMBEGCWCGSAGG+EIBAQQEAwIGQDAeBglghkgBhvhCAQ0EERYP
      eGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBDQUAA4ICAQB/BbYWKLkkSjCP4cu8
      mNQ9IiTEUb9I0vTiWhJECHtWs5Xb11olRFMRN3D82NZSfQnEi58T0a70FVP5b4mm
      6oImdEuWRp2ykmQvXIfnA0sgSbrSuPtpPlNaaDINy7ecc3uSRFkAUK7DAFf+eILD
      Afz0hFztDSH+iQs51Y9/+4HcDoyq67INzOx+pgszpR86FlpXBgcNLMPL2VpR2YM1
      YvRPc948gy/N/aIOSArRSsW02XfonEAj4n2sE7ZQUU28Wa4w1xjyDKHyeZiiZFC3
      NtbBCk3W7g5L5VMM3UJfQkcM5/ENMZJyeCiA2aV6jNJFHH5+ryiSzzyq+6hX7f1r
      8/bissTS+tNUNi776NgOL4OMhFmJuzwfMF0+UTraVpuuLD6aax8SlxH0flwJrC9/
      882Esn0TSCBYbIV8VlK7+em8zLEurchsGI4QWSOOPeYAxbrkh7UMhw8xxoUTBXgL
      2SqjDWPYL0p0w8YSjFcLZvI3Dx6neuWyuh/oOCIyiZR2jNE+GBZYJz1HQXkubYX0
      teO/vHEreiCfbXuHuUmuJq8V4PRKUx9N5qrZv7VFeOO+Y+k0O7nHwADeu0hw+bFj
      GrlHSTeSWaLaeukJIk8D+8+cXByKHh8x9wddpLwxgYY+/0fzHonQkkxw2KlJc/RR
      bQFcG7EMSQu3cdsUk57vmLU1Cw==
      -----END CERTIFICATE-----


    • Key: Copy the following into this field:
      -----BEGIN RSA PRIVATE KEY-----
      MIIJKAIBAAKCAgEAwC5BNNNn+H/sp9ag4qOvav1xhNNIS44EI//QMg2buHNGNvEk
      bsgho7viNbJou0rSjd31C3jDOMRTRCi0L8H9/zoq9PXjHoPhi8Rk527P2yQEs3/O
      69pfb6uE9CnvTNMhfc8xMKS7KSg3aXxzCO6EtpxbJomxMjSHdXTLXxkKeKySJdiS
      3IZTxrq/P3kOJZzCVl0Cp3pa8cFQDtYPSQwaV90RcZ3jg6Yo/1aDZrAOKKNVuLEg
      nhODlQ5UoU6UZngI9dnEEe+GDKTxzvrhLQBvlpvxXncAqE/ckuHkzBCWs2eeXuiX
      qS+7Z3qE/YizBsl/ys4DJ0x7FHZ151Rg96jM5oW8N79oiHpf7XFGeryeDJnsdEol
      IXH6NXey8pOdD127xlYAEP4iAb/UkOXnc5RiZ5tUPAdsKHwL23Bpf2uoO2Xivq3V
      YyjLLisQHmWKR+kQkhWgt5onqngs6x6g6VG+p4tP7ruNPeiG5K8sfp4YnUMXGiGa
      /dfYAx8dPsLmeApyG9Zf93GnPWnlib3QsxEpfSX1GFVRghWpT1lTYeCJvfs4Qyxe
      Bv+iPGdcfJsXtIMFRu0QDZdFOMuTii+ehBnrq99Ul2ZmGNDJvQFEBEyiVGWYcMIT
      jvtjasMDh60/iox6Chi5N/s/kKou78nr4lIqlyf8TcRoHbgzx0+x5YByPJMCAwEA
      AQKCAgBj7ild7KfdobdPNt2FvBOVEKCcrrijAP/KMFT0EfttGBPksdN9/3buit3/
      ifvHmAqQVl/7TRpGRF//yyKWysrmkjqQEeO9lFoNsVu+s/JFQx9mrwjLv0ts58VE
      qSGT0x1RLBGp956SsiTOJzYx6MT9p6QGEAch0gq12rt9ganeQe3k3A7RuM+LQMP9
      n1bp2+95tPeSWp87ooecj1Z3Z2GzWnKdn7oUVKxwyW2eUeGq4/PJC+GoEQGU2lTL
      Y+7qsXQHUusPYHtVy9cpB29bVSSxLfl+Y2bmHlDV17x/GAkk1LaXJ17lTLqn/h91
      LkXZO6HFtQYSw0QkycxZM5kQbqfMNhPsUfmBrPdLERTforHgdoC6+9+juV61rhi/
      OuA/4r8SIMSNKJfCZjGoUhFhLeSWTJwWdYPkM2nld1HY5rWzLT9yIiWMMLD0Skr1
      3QSVlHRhzswRGmC1tGzU8WHz0hdha2icTrNmGqNNpBoOua/vmnzMnR3mwrA0dtuj
      h+pLMET0YZd0hhjLIB4FYwIGbCM4lEfL2APG/3m1mY6e7aAJ7RgauW6I0TqYf/sk
      GP4g3dc2CZ1ZTTuqUxVR1qgnx8IcGYp7zmugJRIALND43CRU5mQOXIMn92rbjfMU
      mfw1v6deu9YsltOIOTBxDOubqGAt0FK6lslZbS2X1KHOprgWoQKCAQEA/IkEx+Sh
      GRmtPLkTqxXVLvfJknlpk93yuf5+KjfYC00/Fx3JYJMdEQRLqnCoAO/ZfdFwo/vV
      htRclM1X6b52k8s2o4QBuXGVUqfSWEgbHwCK3R36IysIXBFbSVfjUaUjF7VuZ9cM
      XCA06G6uN/JIyrbZWNFL/Z+VedObVbe71hUSlpFZrFo8cBrvIiAiacrrZuAzecrb
      wx6ylA3vNJ+b0Oz4qR2frKejNRVT/IjcXATOCyu/cTlYR5vCiQ6YcHGzEd3bhs4k
      yPcusFZrplhjmnN36LGw1NE10d2xumfJ/5YUCLdanA+cLdVxBahj12SSdGOVM7mc
      BpVJsW7pe4tjeQKCAQEAwtFAmD9CmrSLWrMbvVbaTxtMX/+8ybvugikA8828HWN6
      lNFwIKdgI2rKxVRs1nznzTudt6XMQTWQ2Q+dZj+xqFHM7hbrFhjCdBSUh4nSVbqz
      8mhyvs3/PLyNdSrvhgw9UgJC+QMJfkSE5rsHQT60bXccouhYaHLhIUC53HgiyV+4
      eWWM05vuvo6KUGRdpRagmB7iXWoUrpNJ054tmkx8e65JtHJnHZY1LMggjN9kFuUo
      qUEtz9RR/SRZqFHxGfrKsgo7nmRiqijYshElduh4Q0HIe0Ih+zg70SvTiWVQShVy
      0NKzOJLlxX+I+RWXHqFfXqjpDWoRruwNykz+/XGxawKCAQBHdbpdmiuf/60O3sxb
      AE2YAdQPV73xcr/Js+MdrTm8UPqGXw5p/pceBpomu8Q+p6Biww5dyNhuU89y5/x1
      j0jcn4dxk9wtDqATiJu0EYtjJXMmCOKMaxPtgZfUVENmChW5EsUQK0E7HH38O72e
      5TeF7WHpiSg4t5zDoYZ2JgzIEqR06OJ4K/yoOGbswC0cxKgCL3VBhI7VUu1zidHj
      kTq1Tyk6KcDSSYmcbtGaR1wbydxIOvPsZS6+7KuKvw+R2gqzBpWlOtYb7B5RFdNW
      efKNdRk8RnPkdOMG5PXy6oW1hlFa+g9w09X8/kYCNNkzzSjIOJmyzlYBYuM8i0cU
      h6f5AoIBAGIMns4BSKxEIb7MVjG8/LLDsnS+aW2+wBOSP4B1EzBXWOJ9ZkmI88Hf
      hZ47F2v8AU4xqvc64soPA4+7ZCSJ+ggU42cQ8dB1NajmkrqEiu/Kv7ZJCzcsxkDz
      RN6rdVGp51LXAI4DEUwTgDAAAW68+GH/iNIUzioDZ3ss8F4duKRRIK84hOAbotUV
      OFetq9Pix4DISnVpZm9WgdmXyqvVwvEcjsvaqDsj1i9rqbY82EsNmqFUxJHM8lbN
      bLJiS04gAtQIgmj9bQrm8+jq6EgoSB7RhO1EI4YkjzZ/MD/+VaJzmQ2wfbMDe9Ei
      lvWGAEDSRwWFTYYK1EuNUoN2rP8xsXECggEBAOVHC+qkcRxNZz822HUlQ7qyS0CC
      AxVy2UkjbdkNCdnbwFlo+vXo3z4zsncQI6p/bRJHp/uXHv34BvtEheaeNN70w4Fw
      6dqyEinTpC++THElTv6sWAv+nKJvMj/2hSuxuGxll13KxDCs9xSZeEVzOYjID4LK
      LXymcgJWo0oUTPcE6nVx5u2OAzmqrAONlO+CaHzC0TXiyeovPLYCfTC1MHjD0FLP
      IaayVjp98M7DnOVZ1fqY6ZGXvAkkLfEFOrvksRlgK/BZgaWLlQ5W2Gw2zyqY3+ZW
      23T9OMSCsV3fNTXB9DWNViNKA9S1/p8DnkPuxJkJy2L+U5L7resOEr13T08=
      -----END RSA PRIVATE KEY-----

    • Password: fortinet

  5. Click Save.

 
To define a local certificate group

  1. Click System Manage Certificates > Local Certificate Group.

  2. Click Create New, and then enter the following setting:
    • Group Name: FastTrack

  3. Click Save.

  4. Click the edit icon ( ) to edit the new Local Certificate Group FastTrack.

  5. In the Group Member pane, click Create New, and then enter the following settings:
    • Default: On
    • Local Certificate: FastTrack_Cert

  6. Click Save, and then click Save again.


Create a New HTTPS Profile

Background

Now that you have imported the server certificates, you need to specify the digital certificate that will be presented to clients when they connect to the server.


To create a new HTTPS profile

  1. From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the HTTPS option.

  2. Log in using the username: admin and the password: Fortinet1!

  3. Click Server Load Balance > Application Resources > Application Profile.

  4. Click Create New to create a new profile using the following settings:
    • Name: HTTPS_Profile
    • Type: HTTPS

  5. Keep the default values for the other settings, and then click Save.

 
To create a new client SSL profile

  1. Click Server Load Balance > Application Resources Client SSL.

  2. Click Create New to create a new profile using the following settings:
    • Name: FastTrack_Client
    • Local Certificate Group: FastTrack



  3. Keep the default values for the remaining settings, and then click Save.





Configure the Virtual Server to Use an SSL Certificate



Background

Finally, you create and configure a virtual server for the HTTPS service using the SSL certificate.


To create a virtual server

  1. Continuing on the FortiADC-1 GUI, click Server Load Balance > Virtual Server > Virtual Server.

  2. Click Create New, and then select Advanced Mode.

  3. On the Basic tab, configure the following settings:
    • Name: HTTPS_VS
    • Status: Enable
    • Type: Layer 7
    • Address Type: IPv4

  4. On the General tab, configure the following settings:
    • Address: 172.16.99.146
    • Port: 443
    • Interface: Port2
    • Profile: HTTPS_Profile
    • Client SSL Profile: FastTrack_Client
    • Method: LB_METHOD_ROUND_ROBIN
    • Real Server Pool: Ap_Servers



  5.  Click Save.

 
To test the HTTPS connection

  1. From the Lab Activity: FortiADC sidebar menu, access Kali using the RDP option.

  2. Open a new browser tab and connect to the virtual server at https://172.16.99.146.

  3. Accept the security certificate warning if it appears, click Advanced, and then select Accept the Risk and Continue.

  4. Press CTRL+SHIFT+R to refresh the web page.
    The device will evenly distribute your connections among the three application servers. The communication between your browser and the FortiADC device is now encrypted, while the communication between FortiADC and the application servers is not.

  5. Leave the Kali browser tab open, as you will be returning to it shortly.

To capture HTTPS traffic

  1. From the Lab Activity: FortiADC sidebar menu, access FortiADC-1 using the SSH option.

  2. Log in as username: admin and the password: Fortinet1!

  3. Enter the following CLI command to sniff and capture all TCP SYN packets in any interface:
        # diagnose sniffer packet any “tcp[13] & 2 == 2” 4

  4. Return to the Kali tab

  5. On the browser that is open on Kali, press CTRL+SHIFT+R to refresh the browser.

  6. Return to the FortiADC-1 SSH tab and observe the sniffer output: