Ie Epss Security LLD v1.0

Ethiopian Pharmaceutical Supply Service – EPSS

Supply, Installation and Commissioning of


Networking Infrastructure and Modular Data
Center

Security Low Level Design Document

Type of Document:

Security Low Level Design Document


Client Name:
EPSS
Prepared by:
IE NETWORK SOLUTIONS PLC

Version:

2.0
Date:
August, 2023


SI- IE-EPSS-LLD Network and Security

Table of Contents

1 Introduction

1.1 Document Purpose
1.2 Intended Audience
1.3 Scope
1.4 Proposed Design
1.5 Requirements

2 FortiGate

2.1 Getting started
2.2 Accessing the FortiGate
2.3 System configuration
2.4 Configuring the hostname
2.5 Registering FortiGate and Configuring the System Settings
2.6 Configuring Clustering
2.6.1 HA active-passive cluster setup
2.6.2 Check HA synchronization status
2.6.3 HA synchronization status in the CLI

3 FortiManager

3.1 Connecting to the GUI
3.2 FortiManager Setup wizard
3.3 Activating VM licenses
3.4 GUI overview
3.5 Using the CLI console
Confidential© 2022 Page |i


EPSS Security LLD

3.6 Using the Process Monitor
3.7 Device Manager
3.8 Add devices
3.8.1 Adding online devices using discover mode
3.9 Policy & Objects
3.9.1 Policy theory
3.10 AP Manager
3.11 Managed FortiAPs
3.11.1 To add a FortiAP
3.12 Authorizing and deauthorizing FortiAP devices
3.13 SSIDs
3.13.1 Creating SSIDs

4 FortiAnalyzer

4.1 GUI overview

5 FortiAP

5.1 Important terms for FortiAP

6 SD WAN For Enterprise

6.1 Solutions and technologies
6.2 FortiGate SD WAN
6.2.1 Application identification
6.2.2 Increased performance
6.2.3 Zero touch deployment
6.2.4 API / automation
6.3 FortiManager SD WAN
6.3.1 SD-WAN Monitor Map view
6.3.2 SD-WAN Table view
6.3.3 SD-WAN device monitoring
6.3.4 Route table and device dashboards
6.4 FortiAnalyzer
6.4.1 ADOMs, sizing, log storage, scaling, and enforcement
6.4.2 SD-WAN logging
6.5 Secure SD-WAN solution
6.6 SD-WAN configuration
6.7 SD-WAN routing logic
6.8 Design principles
6.8.1 Underlay
6.8.2 Overlay
6.8.3 Routing
6.8.4 Security
6.8.5 SD-WAN
6.9 SD-WAN Architecture and design
6.9.1 SD-WAN Architecture and design for HQ
6.9.2 SD-WAN Architecture and design for DR
6.9.3 Intra-datacenter failover
6.9.4 Inter-datacenter failover
6.9.5 IPsec overlays
6.9.6 Route Exchange
6.9.7 ADVPN
6.9.8 Traffic flow

7 Kaspersky Installation and Configuration

7.1 Introduction
7.2 MySQL 8.0.19 Installation
7.2.1 Overview
7.2.2 Download MySQL
7.2.3 Installing MySQL on Windows
7.3 Kaspersky Security Centre
7.3.1 Kaspersky Security Center 14 installation
7.4 Kaspersky Endpoint Detection and Response Optimum
7.4.1 Group and Policy Configuration
7.4.2 Activating the Application
7.4.3 Kaspersky Security Network
7.5 Kaspersky Total Security
7.5.1 How to install Kaspersky Total Security from the installation file
7.5.2 How to use the application on multiple devices
7.5.3 Post installation recommendations
7.5.3.1 Update the databases for Kaspersky Total Security
7.5.3.2 Check the protection status in the application main window
7.5.3.3 Run a full scan of the computer

8 DUO 2FA

8.1 Introduction
8.2 First-time Enrollment in Duo
8.3 Add or Manage Devices After Enrollment
8.4 Add Another Device
8.5 Rename or Remove a Device

9 Cisco ISE Installation

9.1 About Cisco Identity Services Engine (ISE)
9.2 Hardware and Virtual Appliance Requirements for Cisco ISE
9.3 Install Cisco ISE
9.4 Define your BYOD requirements
9.5 Solution Deployment Considerations
9.6 Endpoint Onboarding
9.6.1 Windows OS & macOS
9.6.2 Apple mobile devices (iOS)
9.6.3 Android devices
9.6.4 Unsupported Endpoints
9.6.5 Digital Certificates
9.7 Single vs. Dual SSID Flow
9.7.1 Single SSID flow
9.7.2 Dual SSID flow
9.8 Define Network Device
9.9 Define Global settings
9.10 Managing and Defining Certificate Template
9.11 Defining BYOD Profiles and Resources
9.12 Manage Client Provisioning policy
9.13 Creating policy for Single-SSID BYOD flow
9.14 Setting up Blacklist Portal (Optional)
9.15 Setting up My Devices Portal (Optional)
9.16 Setting up Certificate provisioning portal (Optional)
9.17 Posture Configuration Flow
9.17.1 Posture Conditions
1. USB Condition
2. Firewall Condition
3. Anti-malware Condition
4. Critical Patch Condition
5. Application Condition
9.17.2 Posture Remediations
9.17.3 Firewall Remediation
9.17.4 USB Remediation
9.17.5 Posture Requirements
9.17.6 Firewall Requirement
9.17.7 Critical Patch Requirement
9.17.8 Application Requirement
9.17.9 Posture Policy
9.17.10 Client Provisioning
9.17.11 Access Policy
9.18 Cisco ISE Profiling Services
9.18.1 ISE Profiling Global Configuration
9.18.2 Procedure 1 Configure Global Profiling Settings from the Policy Administration Node
9.18.3 Procedure 2 Enable Profiling Services on the Policy Service Node
9.18.4 Procedure 3 Access and View the Profiling Configuration Page
9.18.5 Profiling Using the RADIUS Probe
9.18.6 Configuring the RADIUS Probe
9.18.7 Procedure 4 Enable the RADIUS Probe in ISE
9.18.8 Procedure 5 Verify Access Device Is Configured in ISE
9.18.9 Procedure 6 Verify That Access Devices Are Configured to Send RADIUS to ISE PSN

List of Figures

Figure 1 Login page
Figure 2 Interface configuration
Figure 3 Administrative access for the interface
Figure 4 Configure system host name
Figure 5 FortiCloud login page
Figure 6 Registering FortiGate firewall
Figure 7 Registering FortiGate firewall
Figure 8 FortiGate HA interface configuration
Figure 9 FortiGate Master-Slave HA
Figure 10 FortiManager welcome page
Figure 11 Forti SSO
Figure 12 Hostname
Figure 13 Password
Figure 14 License activation
Figure 15 Process Monitor
Figure 16 Device Manager
Figure 17 Add device
Figure 18 Discover device
Figure 19 Policy and object
Figure 20 Manage FortiAP
Figure 21 FortiAP status
Figure 22 FortiAP add
Figure 23 How to use the FortiAnalyzer Setup wizard
Figure 24 Register and SSO with FortiCare
Figure 25 Password change
Figure 26 Set timezone
Figure 27 Specify hostname
Figure 28 FortiAnalyzer GUI
Figure 29 FortiAP overview
Figure 30 Clients by FortiAP
Figure 31 FortiAP WiFi dashboard
Figure 32 SD WAN Monitor Map view
Figure 33 SD WAN Table view
Figure 34 SD WAN device monitoring
Figure 35 Route and device dashboard
Figure 36 FortiAnalyzer ADOMs and storage
Figure 37 SD WAN logging
Figure 38 SD WAN interface member
Figure 39 Performance SLA
Figure 40 SD WAN rules
Figure 41 SD WAN strategy
Figure 42 Design principle
Figure 43 Overlay
Figure 44 SD-WAN Architecture and design for HQ
Figure 45 SD-WAN Architecture and design for DR
Figure 46 DIA
Figure 47 Branch to HQ Data Center
Figure 48 Branch to DR
Figure 49 Download MySQL Installer 8, choosing the correct bit version
Figure 50 Collecting information from platform
Figure 51 Selecting setup type
Figure 52 Checking the requirements
Figure 53 Checking product requirements
Figure 54 List of products that will be installed
Figure 55 Completion of product installation
Figure 56 Product configuration
Figure 57 HA
Figure 58 Type and networking
Figure 59 Authentication method
Figure 60 Accounts and roles
Figure 61 Windows service and service name
Figure 62 Apply configuration
Figure 63 Finalizing applying configuration
Figure 64 Product configuration
Figure 65 MySQL Router configuration
Figure 66 Connect to server
Figure 67 Configuration step
Figure 68 Configuration step done
Figure 69 Completion of installation
Figure 70 Kaspersky Security Center 14
Figure 71 Welcome page
Figure 72 EULA and Privacy Policy
Figure 73 Installation type
Figure 74 Custom installation
Figure 75 Network size
Figure 76 Authentication mode
Figure 77 Account type
Figure 78 Administration Server address
Figure 79 Web Console welcome page
Figure 80 EULA
Figure 81 Web Console address and port
Figure 82 Web Console account settings
Figure 83 Client certificate
Figure 84 Trusted Administration Servers
Figure 85 IAM
Figure 86 Completion of installation
Figure 87 Kaspersky Security Center managed computers
Figure 88 Kaspersky application activation
Figure 89 Welcome page
Figure 90 EULA
Figure 91 Installation page
Figure 92 Recommendation
Figure 93 Completion of installation
Figure 94 Welcome
Figure 95 Login option
Figure 96 Cisco ISE installation initial wizard
Figure 97 Solution deployment considerations
Figure 98 Windows OS & macOS onboarding
Figure 99 Apple mobile devices (iOS) onboarding
Figure 100 Android devices onboarding
Figure 101 Single SSID flow
Figure 102 Dual SSID flow
Figure 103 Define Employee Registered Devices
Figure 104 Define client provisioning
Figure 105 Defining certificate template
Figure 106 Agent configuration
Figure 107 Client provisioning policy
Figure 108 Creating policy for Single-SSID BYOD flow
Figure 109 Posture configuration flow
Figure 110 USB condition
Figure 111 Firewall condition
Figure 112 Anti-malware condition
Figure 113 Critical patch condition
Figure 114 Application condition
Figure 115 Firewall remediation
Figure 116 USB remediation
Figure 117 Client provisioning configuration
Figure 118 Global profiler configuration
Figure 119 Enabling profiling services on the Policy Service Node
Figure 120 Access and view the profiling configuration page
Figure 121 Enable the RADIUS probe in ISE
Figure 122 Adding network access devices

1 Introduction

1.1 Document Purpose

The main purpose of this document is to provide the low-level design for the security design and implementation of EPSS-HQ, the branches and EPSS-DR. The new infrastructure will be deployed at EPSS-HQ. This document outlines the Cisco, Fortinet and Kaspersky products and technologies that will be deployed in the data center infrastructure networks. Among other things, it provides detailed configuration templates for the new security devices. As such, this document will be the foundation for the Security Implementation Plan (SIP) and the Network Ready for Use (NRFU) test plan that will be produced in the next phases of the project.

1.2 Intended Audience

For security and intellectual-property reasons, this document is to be reviewed only by members of the technical and management teams of EPSS and IE Network Solutions plc. Any other party must obtain formal permission from both EPSS and IE before viewing its contents.

1.3 Scope
The scope of this document is limited to low-level design information for the following products, as listed in the Bill of Materials (BOM) for the new infrastructure:

• Deployment of FortiGate Firewall FG-601F
• Deployment of FortiGate Firewall FG-101F
• Deployment of FortiGate Firewall FG-81F
• Deployment of FortiAP FAP-431F-E
• Deployment of FortiManager FC1-10-FMGVS-448-01-60
• Deployment of FortiAnalyzer FC1-10-AZVMS-465-01-60
• Deployment of Cisco DUO-MFA
• Deployment of Cisco ISE Network Access Control/AAA
• Deployment of Kaspersky Antivirus


1.4 Proposed Design

The HQ design has two core switches, two DMZ switches, two SAN switches, two server farm switches, two management switches, six 48-port access switches, twenty-one 24-port access switches and two edge firewalls. The two core switches sit at the centre of the data center network, and each has redundant 10G connectivity to the access switches, SAN switches, server farm switches, management switches and firewalls. The access switches connect to the APs over 1G copper links.

The database servers connect to the SAN and server farm switches with redundant 10G/25G links. The application servers connect to the DMZ switch with a redundant 10G link and to the server farm switch with a redundant 10G/25G link. Storage connects to the SAN switch with a redundant 10G/25G link, and the backup server connects to the server farm switch with a redundant 10G/25G link. Because every server is dual-homed to the server farm and SAN switches, it keeps a path into the network if one link fails, which is what keeps the system available at full capacity.

The DR site mirrors the HQ design at single scale: one core switch, one DMZ switch, one SAN switch, one server farm switch, one management switch and one firewall. Connectivity is the same as at HQ except that the DR site has no redundant links.

The proposed network topology is described in the following section. Before the detailed description, the main characteristics of the proposed design are:

➢ Connectivity between the perimeter Fortinet firewall (FG-601E-BDL-950-36; section 1.3 lists the FG-601F) and the collapsed core switches (C9500) will be 10G fiber uplinks.

➢ Connectivity between the collapsed core switches (C9500) and the access switches (C9300L-24P-4X-E) will be 10G fiber uplinks.

➢ Connectivity between the collapsed core switch and the server farm switch (C9300X-24Y-E) will be a 10G fiber link.


➢ Connectivity between the collapsed Core switch and Management Switch
(C9300L-24T-4X-E) will be 10G fiber link.

➢ Connectivity between each access switch and FortiAP (FAP-431F-E) will be 1G
UTP link.

The new infrastructure deployed for EPSS’s project uses a two-tier switching
architecture.

1.5 Requirements
Based on our site survey we prepared and submitted a Site Preparation Guide (SPG).
In the SPG we listed requirements that need to be fulfilled by EPSS in order to
implement the project. We would like to remind you that those requirements should be
fulfilled before we start the implementation.

2 FortiGate

2.1 Getting started


Connecting using a web browser

In order to connect to the GUI using a web browser, an interface must be configured to
allow administrative access over HTTPS or over both HTTPS and HTTP. By default, an
interface has already been set up that allows HTTPS access with the IP address
192.168.1.99.

Browse to https://192.168.1.99 and enter your username and password. If you have not
changed the admin account’s password, use the default user name, admin, and leave the
password field blank.


Figure 1 Login page

The GUI will now display in your browser, and you will be required to provide a password
for the administrator account.

To use a different interface to access the GUI:

1. Go to Network > Interfaces and edit the interface you wish to use for access.
Take note of its assigned IP address.

Figure 2 interface Configuration

2. In Administrative Access, select HTTPS, and any other protocol you require.
You can also select HTTP, although this is not recommended as the
connection will be less secure.

3. Click OK.


Figure 3 Administrative access for the interface


Browse to the IP address using your chosen protocol, for example https://192.168.1.99.

The GUI will now be displayed in your browser.
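The same administrative-access restriction expressed in the FortiOS CLI, as an added example and not configuration taken from the EPSS design. It limits the management interface to HTTPS and SSH (HTTP and Telnet, which carry credentials in clear text, are left out) and restricts the admin account to the management subnet. The interface name port3, the 10.10.10.0/24 addresses, the session timeout and the password placeholder are assumptions.

```fortios
# Added example (not from the EPSS design): restrict GUI/CLI access on the
# management interface and limit the admin account to the management subnet.
# Interface name, addresses and timeout value are assumed.
config system interface
    edit "port3"
        set ip 10.10.10.1 255.255.255.0
        # HTTP and Telnet deliberately omitted: they carry credentials in clear text
        set allowaccess https ssh ping
    next
end

config system global
    set admin-sport 443
    # idle timeout for administrative sessions, in minutes
    set admintimeout 10
end

config system admin
    edit "admin"
        # only accept logins for this account from the management subnet
        set trusthost1 10.10.10.0 255.255.255.0
        set password <strong-admin-password>
    next
end
```

Apply this from the console session described in the next section rather than over the GUI, because changing the interface address and adding a trusted host can drop the browser session that was used to enter it.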

2.2 Accessing the FortiGate


Connect to the FortiGate Unit via console port

At the prompt, type the username (admin) and password (no password initially) and press
Enter:

FortiGate Login> admin

FortiGate password>

FortiGate#

2.3 System configuration


The Wizard located in the top toolbar provides the basic configuration, including enabling
central management, setting the admin password, setting the time zone, and port
configuration.


2.4 Configuring the hostname

Setting the FortiGate’s hostname assists with identifying the device, and it is especially
useful when managing multiple FortiGates. Choose a meaningful hostname as it is used
in the CLI console, SNMP system name, device name for FortiGate Cloud, and to identify
a member of an HA cluster.

To configure the hostname in the GUI:

1. Go to System > Settings.

2. Enter a name in the Host name field.

3. Select the time zone.

4. Click Apply.

Figure 4 Configure system host name


To configure the hostname in the CLI:

config system global

set hostname EPSS-UTM-01

end


2.5 Registering FortiGate and Configuring the System Settings


This section shows how to register your FortiGate unit and set the system time. You will
also configure several administrative account settings to prevent unauthorized access.

Step 1: Registering your FortiGate

Registering your FortiGate allows you to receive FortiGuard updates and is required for
firmware upgrades and access to https://support.fortinet.com/welcome/#/. Before
registering your FortiGate unit, it must have Internet connectivity.

Log in using your credentials.

Figure 5 Forti cloud login page


Figure 6 Registering FortiGate firewall

Figure 7 Registering FortiGate firewall

2.6 Configuring Clustering


High availability (HA) is usually required in a system where downtime must be kept to a
minimum. There are usually hot-swaps, backup routes, or standby backup units, and as
soon as the active entity fails, the backup entities take over. This results in minimal
interruption for the users.

The FortiGate Clustering Protocol (FGCP) is a proprietary HA solution whereby
FortiGates can find other member FortiGates to negotiate and create a cluster. A
FortiGate HA cluster consists of at least two FortiGates (members) configured for HA
operation. All FortiGates in the cluster must be the same model and have the same
firmware installed. Cluster members must also have the same hardware configuration
(such as the same number of hard disks). All cluster members share the same
configuration except for their host name and priority in the HA settings. The cluster works
like a single device but always has a hot backup device.

Critical cluster components

The following are critical components in an HA cluster:

• Identical heartbeat connections and interfaces: members will use this to
communicate with each other. In general, a two-member cluster is most common.
We recommend double back-to-back heartbeat connections (as demonstrated in
the topology).

• Identical connections for internal and external interfaces: we recommend similar
connections from each member to the switches for the cluster to function properly
(as demonstrated in the topology).

The system selects the primary node based on the following criteria:

• Link health (if monitor port links are down, the node is considered down)

• Remote IP monitor health check results

• Override setting (prefers priority to uptime)

• Most available ports

• Highest uptime value

• Lowest device priority number (1 has greater priority than 2)

• Highest-sorting serial number—Serial numbers are sorted by comparing each
character from left to right, where 9 and z are the greatest values. The system
gives preference to higher values over lower values.

There are two types of HA clusters:

• Active-passive—only the primary node is active, so it is the only node that
receives traffic from adjacent routers. Typically, there is one other node that is in
standby mode. It assumes active status if the primary node undergoes
maintenance or otherwise becomes unavailable. In an active-passive cluster, only
the management IP address for the primary node is active. You can log into a
node only when it has primary node status and its IP address is active. To access
the user interface of an appliance in standby status (the active-passive slave), you
must use a console port connection.

• Active-active—All nodes receive traffic. Active-active deployments support load
balancing and failover among up to eight cluster members. In an active-active
cluster, the IP addresses for all interfaces are unique, including the management
interface. When the appliance is in standalone mode, the physical port IP address
is active; when it is in HA mode, the address assigned to it in the HA node IP list
is active. You can log into any node using the active IP address for its
management port.

2.6.1 HA active-passive cluster setup.


An HA Active-Passive (A-P) cluster can be set up using the GUI or CLI.

1. To configure HA on the FortiGate units you need to be logged in on both FortiGate
units.

• Make all the necessary connections.

• Log into one of the FortiGates.



• Go to System > HA and set the following options:

Mode: Active-Passive

Device priority: 128 or higher

Group name: EPSS

Heartbeat interfaces: Port1 and Port2

Except for the device priority, these settings must be the same on all FortiGates in the
cluster.

Figure 8 FortiGate HA Interface Configuration

2. Leave the remaining settings as their default values. They can be changed after
the cluster is in operation.


3. Click OK.

The FortiGate negotiates to establish an HA cluster. Connectivity with the FortiGate may
be temporarily lost as the HA cluster negotiates and the FGCP changes the MAC
addresses of the FortiGate's interfaces.

4. Factory reset the other FortiGate that will be in the cluster, configure GUI access,
then repeat steps 1 to 3, omitting setting the device priority, to join the cluster.

The devices negotiate based on device priority: the device with the higher priority
becomes the master and the device with the lower priority becomes the slave.
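The same active-passive cluster settings expressed in the FortiOS CLI for the primary member, as an added example rather than the EPSS build configuration. The group name (EPSS), mode and heartbeat ports (port1, port2) follow the settings listed above; the monitored uplink ports (port3, port4), the priority values and the cluster password are assumptions. The second member is configured with the same block minus the priority line, matching step 4 above.

```fortios
# Added example (not the EPSS build configuration): primary member of an
# active-passive FGCP cluster. Group name and heartbeat ports follow the
# settings listed above; monitored ports, priority and password are assumed.
config system ha
    set group-name "EPSS"
    set mode a-p
    # shared secret that members must match before they can form the cluster
    set password <ha-cluster-password>
    # two back-to-back heartbeat links, each with its own heartbeat priority
    set hbdev "port1" 50 "port2" 50
    # primary: 128; the second member keeps the default (lower) priority
    set priority 128
    # with override disabled, uptime is still considered when selecting the primary
    set override disable
    # links whose loss should trigger a failover (assumed uplink ports)
    set monitor "port3" "port4"
    # carry established sessions over to the new primary on failover
    set session-pickup enable
end

# Verification once both members have negotiated (see 2.6.3):
get system ha status
diagnose sys ha checksum cluster
```

The checksum command lists the configuration checksums of every member; a member whose checksums differ from the primary's is the one shown with the red out-of-sync icon in the GUI.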

2.6.2 Check HA synchronization status

The HA synchronization status can be viewed in the GUI either through a widget on
the Dashboard or on the System > HA page. Go to System > HA to see the
synchronization status of the members. A member that is out of synchronization will
have a red icon next to its name. Hover the cursor over the unsynchronized device to see
the tables that are out of synchronization and the checksum values.

Synchronized:

Figure 9 FortiGate Master-Slave HA


2.6.3 HA synchronization status in the CLI

In the CLI, run the get system ha status command to see if the cluster is in
synchronization. The synchronization status is reported under Configuration Status.

When both members are in synchronization:

# get system ha status

3 FortiManager

3.1 Connecting to the GUI


1. Connect the FortiManager unit to a management computer using an Ethernet cable.

2. Configure the management computer to be on the same subnet as the internal interface
of the FortiManager unit:

• IP address: 192.168.1.X

• Netmask: 255.255.255.0

3. On the management computer, start a supported web browser and browse to
https://192.168.1.99.

The login dialog box is displayed.

4. Type admin in the Name field, leave the Password field blank, and click Login. The
FortiManager Setup wizard is displayed.

5. Click Begin to start the setup process. The FortiManager unit can be configured and
managed using the GUI or the CLI; this section steps you through connecting to the
unit via the GUI. The FortiCare step cannot be skipped and must be completed before
you can access the FortiManager appliance or VM.


6. If ADOMs are enabled, the Select an ADOM pane is displayed. Click an ADOM to
select it. The FortiManager home page is displayed.

7. Click a tile to go to that pane.

3.2 FortiManager Setup wizard


When you log in to FortiManager, the FortiManager Setup wizard is displayed to help you
set up FortiManager by performing the following actions:

• Registering with FortiCare and enabling FortiCare single sign-on

• Specifying the hostname

• Changing your password

• Upgrading firmware (when applicable)

The FortiManager Setup wizard requires that you complete the Register with FortiCare
step before you can access the FortiManager appliance or VM.

Figure 10 FortiManager Welcome page


To use the FortiManager setup wizard:

1. Log in to FortiManager.

The FortiManager Setup dialog box is displayed.

2. Click Begin to start the setup process now.

3. When prompted, register with FortiCare and enable FortiCare single sign-on. You must
complete the Register with FortiCare step before you can access the FortiManager
appliance or VM.

Figure 11 Forti SSO


4. When prompted, specify the hostname.

Figure 12 Hostname

5. In the Hostname box, type a hostname.

6. Click Next.

7. When prompted, change your password.


Figure 13 Password
a. In the New Password box, type the new password.

b. In the Confirm Password box, type the new password again.

c. Click Next.

8. When a new firmware version is available for your device on FortiGuard, the Upgrade
Firmware option in the wizard indicates that a new version is available. Click Next to
upgrade to the new firmware, or Later to upgrade later.

9. Complete the setup by clicking Finish.

3.3 Activating VM licenses


If you are logging in to a FortiManager VM for the first time by using the GUI, you are
required to activate a purchased license or activate a trial license for the VM.

To activate a license for FortiManager VM:

1. On the management computer, start a supported web browser and browse to https://<ip
address> for the FortiManager VM.

The login dialog box is displayed.


Figure 14 License Activation

2. Activate the license:

• Select Activate License, and click Login with FortiCloud.

• Use your FortiCloud account credentials to log in. FortiManager connects to
FortiCloud, and the license agreement is displayed.

• Read and accept the license agreement.


3.4 GUI overview


When you log into the FortiManager GUI, the Dashboard pane is displayed. The
Dashboard contains widgets that provide performance and status information.

Use the navigation menu on the left to open another pane. The available panes vary
depending on the privileges of the current user.

• Device Manager: Add and manage devices and VDOMs. Create and assign scripts and
provisioning templates. You can also access the SD-WAN monitor and VPN monitor.

• Policy & Objects: Configure policy packages and objects.

• VPN Manager: Configure and manage VPN connections. You can create VPN
topologies and managed/external gateways.

• AP Manager: Configure and manage FortiAP access points.

• FortiSwitch Manager: Configure and manage FortiSwitch devices.

• Extender Manager: Configure and manage FortiExtenders.

• Log View: View logs for managed devices. You can display, download, import, and
delete logs on this page. You can also define custom views and create log groups. This
pane is only available when FortiAnalyzer features are enabled.

• Fabric View: Configure fabric connectors and view Security Fabric Ratings.

• Incidents & Events: Configure and view events for logging devices. This pane is only
available when FortiAnalyzer features are enabled.

• Reports: Generate reports. You can also configure report templates, schedules, and
output profiles, and manage charts and datasets. This pane is only available when
FortiAnalyzer features are enabled.

• FortiGuard: Manage communication between devices and the FortiManager using the
FortiGuard protocol.

• Management Extensions: Enable and use management extension applications that
are released and signed by Fortinet.

• System Settings: Configure system settings such as network interfaces,
administrators, system time, server settings, and others. You can also perform
maintenance and firmware operations.

• Menu: Click to toggle the visibility of the navigation menu on the left.

• HA status: If HA is enabled, the status is shown.

• ADOM: If ADOMs are enabled, the required ADOM can be selected from the dropdown
list. If enabled, ADOMs can also be locked or unlocked. The ADOMs available from the
ADOM menu will vary depending on the privileges of the current user.

• CLI Console: Open the CLI console to configure the FortiManager unit using CLI
commands directly from the GUI, without making a separate SSH or local console
connection to access the CLI.

• admin: From this dropdown, you can:

• view the current firmware build of your FortiManager device.

• upgrade the firmware.

• open the Process Monitor.

• change your password.

• update your profile information, including the avatar and theme.

• log out of the GUI.

3.5 Using the CLI console


The CLI console is a terminal window that enables you to configure the FortiManager unit
using CLI commands directly from the GUI, without making a separate SSH, or local
console connection to access the CLI. When using the CLI console, you are logged in
with the same administrator account that you used to access the GUI. You can enter
commands by typing them, or you can copy and paste commands into or out of the
console.

3.6 Using the Process Monitor


The Process Monitor displays running processes with their CPU and memory usage as
well as their disk I/O levels. Administrators can sort, filter, and terminate processes within
the Process Monitor pane.


Figure 15 Process Monitor

3.7 Device Manager


We will use the Device Manager pane to add and authorize devices for management by
FortiManager. We can also use the Device Manager pane to create device configuration
changes and install device and policy package configuration changes to managed
devices. You can also monitor managed devices from the Device Manager pane.


Figure 16 Device Manager

3.8 Add devices


In FortiManager, we will add devices to Device Manager and authorize the devices for
management before we manage them. On the managed device, we will enable Central
Management to allow FortiManager to manage the device.

We will use Device wizard to add the following devices:

• Online or offline devices

• Online or offline FortiGate HA clusters

• Security Fabric group

Another method is to import detected devices to FortiManager for management. We will
also configure a device to request management by FortiManager. These devices appear
on the Device Manager pane in the unauthorized device list.

3.8.1 Adding online devices using discover mode


Use the Discover option for devices that are currently online and discoverable on your
network. When the wizard completes, the device is added to FortiManager and
authorized. Adding an online device does not result in an immediate connection to the
device. Device connection happens only when we successfully synchronize the device.

To add a device using Discover mode:

1. Go to Device Manager > Device & Groups.

2. Click Add Device. The wizard opens.


Figure 17 Add device


4. Discover and authorize the device for management by FortiManager:

a. Select Discover Device.

b. In the box, type the management port IP address for the device, and click Next.


Figure 18 Discover Device


A login window for the device is displayed.
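The other method mentioned in 3.8, a FortiGate requesting management by FortiManager so that it appears in the unauthorized device list, expressed in the FortiOS CLI. This is an added example, not configuration from the EPSS design; the FortiManager address 10.10.20.5 is an assumption.

```fortios
# Added example (not from the EPSS design): enable central management on a
# FortiGate so it registers itself with FortiManager. The FortiManager
# address is assumed.
config system central-management
    set type fortimanager
    set fmg "10.10.20.5"
end

# Show the current connection state between this FortiGate and FortiManager
diagnose fdsm central-mgmt-status
```

After this is applied, the device shows up under Device Manager as unauthorized until an administrator authorizes it there; FortiManager does not push configuration to a device it has not authorized.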

3.9 Policy & Objects


Policy & Objects enables you to centrally manage and configure the devices that are
managed by the FortiManager unit. This includes the basic network settings to connect
the device to the corporate network, antivirus definitions, intrusion protection signatures,
access rules, and managing and updating firmware for the devices. All changes related
to policies and objects should be made on the FortiManager device, and not on the
managed devices.


Figure 19 Policy and object

3.9.1 Policy theory


Security policies control all traffic attempting to pass through a unit between interfaces,
zones, and VLAN subinterfaces.

Security policies are instructions that units use to decide connection acceptance and
packet processing for traffic attempting to pass through. When the firewall receives a
connection packet, it analyzes the packet’s source address, destination address, and
service (by port number), and attempts to locate a security policy matching the packet.

Security policies can contain many instructions for the unit to follow when it receives
matching packets. Some instructions are required, such as whether to drop or accept and
process the packets, while other instructions, such as logging and authentication, are
optional.

Policy instructions may include Network Address Translation (NAT), or Port Address
Translation (PAT), or they can use virtual IPs or IP pools to translate source and
destination IP addresses and port numbers.


Policy instructions may also include Security Profiles, which can specify application-layer
inspection and other protocol specific protection and logging, as well as IPS inspection at
the transport layer.

You configure security policies to define which sessions will match the policy and what
actions the device will perform with packets from matching sessions.

Sessions are matched to a security policy by considering these features of both the packet
and policy:

• Policy Type and Subtype

• Incoming Interface

• Source Address

• Outgoing Interface

• Destination Address

• Schedule and time of the session’s initiation

• Service and the packet’s port numbers.

If the initial packet matches the security policy, the device performs the configured action
and any other configured options on all packets in the session.

Packet handling actions can be ACCEPT, DENY, IPSEC, or SSL-VPN.

• ACCEPT policy actions permit communication sessions, and may optionally
include other packet processing instructions, such as requiring authentication to
use the policy, or specifying one or more Security Profiles to apply features such
as virus scanning to packets in the session. An ACCEPT policy can also apply
interface-mode IPsec VPN traffic if either the selected source or destination
interface is an IPsec virtual interface.

• DENY policy actions block communication sessions, and you can optionally log
the denied traffic. If no security policy matches the traffic, the packets are dropped,
therefore it is not required to configure a DENY security policy in the last position
to block the unauthorized traffic. A DENY security policy is needed when it is
required to log the denied traffic, also called “violation traffic”.
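The two policy actions discussed above as a FortiOS CLI policy set: an ACCEPT policy for LAN users with security profiles attached, followed by a DENY policy whose only purpose is to log the violation traffic that the implicit deny would otherwise drop silently. This is an added example, not a policy from the EPSS design; the interface names (port3 as LAN, port1 as WAN) and the LAN_NET address object are assumptions.

```fortios
# Added example (not from the EPSS design): ACCEPT policy with security
# profiles, then a logged DENY policy for violation traffic. Interface names
# and the address object are assumed.
config firewall address
    edit "LAN_NET"
        set subnet 10.20.0.0 255.255.0.0
    next
end

config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        # source NAT behind the WAN interface address
        set nat enable
        # security profiles can only be attached to ACCEPT policies
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
    edit 2
        # the implicit deny already drops unmatched traffic; this policy
        # exists only so that the denied (violation) traffic is logged
        set name "Deny-All-Log"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Policy order matters: the firewall evaluates policies top to bottom and uses the first match, so the logging DENY policy must stay last, after every ACCEPT policy, or it will block the traffic those policies are meant to permit.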

3.10 AP Manager
The AP Manager pane allows you to manage FortiAP access points that are controlled
by FortiGate devices and are managed by FortiManager. You can use AP Manager for
the following modes of management:

• Central management of managed access points: When central management is
enabled, you can view, create, edit, and import profiles. WiFi profiles share a
common database. You can apply profiles to any device, regardless of which
FortiGate controller it is connected to.

• Per-device management of managed access points: When per-device
management is enabled, you can change settings for each managed access point.
All FortiAP devices and WiFi profiles are managed at the device level with no
shared objects.

3.11 Managed FortiAPs


The Managed FortiAPs pane allows you to manage FortiAP devices that are controlled
by FortiGate devices and are managed by the FortiManager.

FortiAP devices are grouped based on the controller that they are connected to. The
devices can also be further divided into groups within a controller.

To manage FortiAP devices:

1. Go to AP Manager > Managed FortiAPs.

2. Select a Managed FortiGate.

APs for the selected managed FortiGate device are displayed.


Figure 20 Manage FortiAP

Quick status bar

We can quickly view the status of devices on the Managed FortiAPs pane with the quick
status bar, which contains the following charts:

• Status

• 2.4 GHz Radio Channel Utilization

• 5 GHz Radio Channel Utilization

We can click each status in the legend to display in the content pane only the devices
referenced in the quick status.

Use the Show Charts dropdown and toggle to show or hide charts. From the dropdown,
select or de-select checkboxes to show or hide the respective chart.

To use charts in the quick status bar:

1. Go to AP Manager > Managed FortiAPs.

The quick status bar is displayed above the content pane.


Figure 21 FortiAP Status


3. Select a managed FortiGate. You can adjust the view by selecting List, Radio, or Group
from the view dropdown. The default is List.

4. Mouse over the charts to see more information about the data in a tooltip.

5. Click items in the legend to filter the devices displayed on the content pane. For
example, if Offline is available in the legend, click Offline to display only devices that are
currently offline.

You can click multiple items in the legend to apply multiple filters. A filter icon appears
next to the chart title when it is being used to filter the devices on the Managed FortiGate
pane.

6. To remove the filters, click the chart title with the filter icon.

7. Click More > View Rogue APs to open the rogue AP list in a pop-up window.

3.11.1 To add a FortiAP


1. From the Create New dropdown, select Managed AP. The Add FortiAP dialog box
opens.


Figure 22 FortiAP add

2. Enter the following information, then click OK to add the device:

FortiGate: Select the FortiGate that the AP will be added to from the dropdown list. If you
have already selected a FortiGate in the tree menu, this field will contain that FortiGate.

Serial Number: Enter the device's serial number.

Name: Enter a name for the device.

FortiAP Profile: Select an AP profile to apply to the device from the dropdown list.

FortiAP Configuration Profile: Select a FortiAP configuration profile to apply to the
device from the dropdown list.

Enforce Firmware Version: Toggle ON to enforce a firmware version and select the
firmware version from the drop-down menu. Toggle OFF to disable this feature.

3.12 Authorizing and deauthorizing FortiAP devices


To authorize FortiAP devices:

1. Go to AP Manager > Managed FortiAPs.

2. Select the FortiGate that contains the unauthorized FortiAP devices. Alternatively, you
can select a device in a group.


3. In the Status chart legend, click Unauthorized. The unauthorized FortiAP devices are
displayed in the content pane.

4. Select the FortiAP devices and click More > Authorize from the toolbar, or right-click
and select Authorize. The Authorize AP dialog opens.

5. Click OK to authorize the selected devices.

To deauthorize FortiAP devices:

1. Select the FortiGate that contains the FortiAP devices to be deauthorized.

2. Select the FortiAP devices and either click More > Deauthorize from the toolbar, or
right-click and select Deauthorize. The Deauthorize AP dialog opens.

3. Select OK to deauthorize the selected devices.

3.13 SSIDs
3.13.1 Creating SSIDs
When creating a new SSID, the available options will change depending on the selected
traffic mode: Tunnel, Bridge, or Mesh. When you create SSID profiles, you can select a
QoS profile and/or an Access Control List profile.

To create a new SSID:

1. Go to AP Manager > SSIDs.

2. In the toolbar, click Create New > SSID. The Create New SSID Profile window opens.


3. Enter the following information, then click OK to create the new tunnel-to-wireless-
controller SSID:

4 FortiAnalyzer
The FortiAnalyzer unit can be configured and managed using the GUI or the CLI. This
section will step you through connecting to the unit via the GUI.

1. Connect the FortiAnalyzer unit to a management computer using an Ethernet cable.

2. Configure the management computer to be on the same subnet as the internal
interface of the FortiAnalyzer unit:

• IP address: 192.168.1.X

• Netmask: 255.255.255.0

3. On the management computer, start a supported web browser and browse to
https://192.168.1.99. The login dialog box is displayed.

4. Type admin in the Name field, leave the Password field blank, and click Login. The
FortiAnalyzer Setup wizard is displayed.

5. Perform one of the following actions:

a. Click Begin to start the setup process now (see the FortiAnalyzer Setup wizard
procedure below).

b. Click Later to exit the FortiAnalyzer Setup wizard and continue connecting to the GUI.

6. If ADOMs are enabled, the Select an ADOM pane is displayed. Click an ADOM to
select it. The FortiAnalyzer home page is displayed.

7. Click a tile to go to that pane. For example, click the Device Manager tile to go to the
Device Manager pane.

When you log in to FortiAnalyzer, the FortiAnalyzer Setup wizard is displayed to help you
set up FortiAnalyzer by performing the following actions:

• Registering with FortiCare and enabling FortiCare single sign-on

• Changing your password

• Setting the time zone

• Specifying a hostname

You can choose whether to complete the wizard now or later. When actions are complete,
a green checkmark displays beside them in the wizard, and the wizard no longer displays
after you log in to FortiAnalyzer.


Figure 23 how to use the FortiAnalyzer Setup wizard.

To use the FortiAnalyzer setup wizard:


1. Log in to FortiAnalyzer. The FortiAnalyzer Setup dialog box is displayed.

2. Click Begin to start the setup process now. Alternately, click Later to postpone the
setup tasks.

3. When prompted, register with FortiCare and enable FortiCare single sign-on.

Figure 24 Register and SSO with FortiCare


a. In the Account ID/Email box, type your FortiCare account ID or email. If you do not yet
have a FortiCare account, click Register to create a new account.

b. In the Password box, type your FortiCare password. If you have forgotten your
FortiCare password, click forgot your password to proceed through the password
recovery process.

c. Set the FortiCloud Single Sign-On toggle to the ON or OFF position to enable or disable
FortiCloud SSO sign-on. When enabled, you must also enter the SP Server Address.

d. Click Next.

4. When prompted, change your password.


Figure 25 Password change


a. In the Old Password box, type the old password.

b. In the New Password box, type the new password.

c. In the Confirm Password box, type the new password again.

d. Click Next.

5. When prompted, set the time zone.

Figure 26 set timezone


a. From the list, select the time zone.

b. Click Next.

6. When prompted, specify the hostname.


Figure 27 Specify Hostname


a. In the Hostname box, type a hostname.

b. Click Next.

7. When prompted, complete the setup by clicking Finish.

You are logged in to FortiAnalyzer.

4.1 GUI overview


When you log into the FortiAnalyzer GUI, the following home page of tiles is displayed:

Figure 28 FortiAnalyzer GUI


Select one of the following tiles to display the respective pane. The available tiles vary
depending on the privileges of the current user.


• Device Manager: Add and manage devices and VDOMs.

• Fabric View: Configure fabric connectors.

• Management Extensions: Enable and use management extension applications that
are released and signed by Fortinet.

• FortiView: Summarizes SOC information in FortiView and Monitors dashboards, which
include widgets displaying log data in graphical formats, network security, WiFi security,
and system performance in real time. This pane is not available when the unit is in
Collector mode.

• Log View: View logs for managed devices. You can display, download, import, and
delete logs on this page. You can also define custom views and create log groups.

• FortiSoC: FortiSoC is a subscription service that enables playbook automation for
security operations on FortiAnalyzer.

• Reports: Generate reports. You can also configure report templates, schedules, and
output profiles, and manage charts and datasets. This pane is not available when the
unit is in Collector mode.

• FortiRecorder: Manage FortiCamera devices and view camera streams and recordings
through the Monitors dashboard. This pane is only available in physical appliances and
is disabled by default. This pane is not available when the unit is in Collector mode.

• System Settings: Configure system settings such as network interfaces,
administrators, system time, server settings, and others. You can also perform
maintenance and firmware operations.

• Incidents & Events: Configure and view events for logging devices. This pane is only
visible when the FortiSoC pane is disabled. This pane is not available when the unit is in
Collector mode.

5 FortiAP


The most common form of access at the LAN edge for users these days is WiFi. Wireless
access points can be added to any network to provide WiFi access to employees and
guests alike. The challenges of adding wireless to a deployment go far beyond the
physical installation of the hardware.

Figure 29 FortiAP Overview


Network IT demands more capability and reliable security from fewer components to save
on cost and simplify the environment. Fortinet’s wireless LAN equipment leverages
Security-Driven Networking to provide secure wireless access for the enterprise LAN
edge. Perfect for deployments from the campus to the SD-Branch, FortiAPs are Fortinet
Security Fabric enabled, providing the broad visibility, automated protection, and
integrated threat intelligence required to protect organizations’ valuable assets and data
worldwide. And that includes REST API support for most of the features used.

LAN edge equipment from Fortinet converges networking and security into a secure,
simple-to-manage architecture with a single focal point for management and
configuration. By leveraging Security-Driven Networking, Fortinet allows you to secure
the LAN edge without the need for costly and complex licensing schemes while benefiting
from all the current cutting-edge WiFi enhancements, depending on the models. From the
same dashboard used to manage the NextGeneration Firewall and Policies, you also
have complete visibility over the wireless client details:

• Username

• Since when it is connected

• Type of encryption used

• Which SSID and VLAN it is connected to

• With which device (name, MAC address, IP address) using which operating
system type

• On which Fortinet wireless access point (which is also displayed on the WiFi
Maps)

• At what quality (signal strength, data rate, WiFi band, TX/RX bandwidth, spatial
streams)

Figure 30 Client by FortiAP


Configuring and managing access points from the same known dashboard as the security
parameters also allows immediate visibility and troubleshooting advantages. One can
very quickly understand:

• Which access points are online or down

• The last join time and failure reason

• How many wireless clients are connected to each AP

• The WiFi channels used, the TX power, and at what utilization percentage of the
channel they operate

• The SSIDs being advertised and in which mode (tunneled, bridged, mesh)

• If the regulatory requirements are being met

• Which wireless IDS profiles are being used

Figure 31 FortiAP WiFi Dashboard


All of that allows for the easy operation of a live and evolving secure wired and wireless
network for administrators and a trusted infrastructure for users to perform their daily job
without worrying about the underlying connectivity.


5.1 Important terms for FortiAP


The following terms are important to understand FortiAP:

• FortiAP is the hardware used to aggregate the wireless connections on the LAN
edge, providing different access modes, radio configuration capabilities, and all the
current cutting-edge WiFi enhancements (depending on the model.)

• FortiAP firmware is the operating system, CLI, and control system of FortiAP.

• Tunnel mode is the default mode for a FortiAP. A FortiAP in tunnel mode uses a
wireless-only subnet for wireless traffic and transports the traffic from the AP to the
FortiGate in an encapsulated way.

• Bridge mode When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces
are connected (or bridged), allowing wired and wireless networks to be on the
same subnet. In essence, the WiFi traffic will be mapped with one or multiple
VLANs on the FortiSwitches.

• Segmentation by SSID is easily applied through the capability to create multiple
VLANs and SSIDs. An SSID is a WiFi LAN identifier used to separate different network
segments, achieving a better network design and minimizing the spread of potential
breaches at Layer 2. Each SSID can be used in Tunneled or Bridge mode. FortiSwitch
VLANs can be automatically populated in this case by using the embedded NAC to
activate the port with the correct settings.

6 SD WAN For Enterprise


6.1 Solutions and technologies
EPSS Fortinet Secure SD-WAN consists of several components:

• FortiGate NGFW, which runs FortiOS, is the core of Secure SD-WAN

• Fortinet ZTNA Access Proxy, which runs natively in FortiOS, starting in FortiOS
7.0

• FortiManager for the orchestration and management plane


• FortiAnalyzer for advanced analytics and automation

EPSS Fortinet Secure SD-WAN solution can be extended to Secure SD-Branch. SD-
Branch consists of the following components:

• FortiAP to provide WiFi access to users

6.2 FortiGate SD-WAN


With its underlying FortiOS firmware, FortiGate is the product at the foundation of
Fortinet’s Secure SD-WAN solution. A key differentiation from other SD-WAN vendors is
that the FortiGate Secure SD-WAN platform provides the following key capabilities:

• Built-in intelligence to decide the best path for a specific application

• Integrated and native Next-Generation Firewall security inspection

• Overlay network connectivity in the SD-WAN architecture

FortiGate also:

• Delivers advanced routing support (RIP, BGP, OSPF, and more)

• Participates in virtual private network (VPN) pairing as a spoke or hub
(concentrator)

• Brings WAN optimization by means of protocol optimization and byte and object
caching

• Supports traffic shaping and packet priority to ensure that business-critical
applications take precedence

6.2.1 Application identification


Application flow definition and detection is the cornerstone of any SD-WAN solution.
Policies for traffic engineering depend on precise and evolving definitions of application
traffic and traffic flows.


Fortinet’s FortiGuard maintains a database of more than 5,000 application definitions.
Fortinet’s application detection capabilities are derived from mature data modeling
created and maintained by FortiGuard Labs. FortiGate also enables the ability to define
custom application flows where needed.

6.2.2 Increased performance


IPsec is the overlay technology recommended for the Fortinet Secure SD-WAN solution,
as it provides confidentiality, integrity, and mutual site authentication. The Security
Processing Unit (SPU) helps you achieve the best performance for the lowest cost, thanks
in part to its IPsec offloading capabilities. The number of tunnels and encryption
requirements can grow exponentially with the number of edge devices (full mesh), making
the efficiency of tunnel management a critical part of the solution.

6.2.3 Zero touch deployment


Fortinet zero touch provisioning allows a self-service type of deployment of the FortiGate.
Simple cabling skills are the only technical requirement at every branch to add new
devices to the SD-WAN solution. The devices also have a predefined callback to Fortinet.
This enables the fully automated process of adding the device to FortiManager and
maintaining the evolving SD-WAN configuration.

6.2.4 API / automation


Every FortiGate exposes a REST API, which provides complete management and
monitoring capabilities. APIs are a crucial component of the solution, allowing Fortinet
Secure SD-WAN to integrate with third-party orchestration and management systems if
required. More information on the FortiGate API can be found in the Fortinet Developer
Network.

6.3 FortiManager SD WAN


FortiManager offers all the necessary tools to manage and orchestrate Fortinet Secure
SD-WAN solutions. You can quickly deploy thousands of edge locations, trigger changes
to entire groups of devices, and consistently define security and SD-WAN policies
throughout your environment.


FortiManager reduces administration and workload costs with smart features, such as
device discovery, device group creation by administration domain, audit, and
management of complex SD-WAN architecture.

The key features are:

• Single console management: manage FortiGates and any subordinate FortiSwitch,
FortiAP, and FortiExtender devices. Provide signature updates to FortiMail,
FortiSandbox, and FortiClient.

• Multi-tenancy and administrative domains (ADOMs): separate customer data and
manage domains with ADOMs to be compliant and operationally effective.

• Centralized policy and device management: centrally manage up to 100,000+
devices and policies, such as firewalls, switches, and access points.

• Zero touch provisioning: automate workflows and configurations for Fortinet
firewalls, switches, and wireless infrastructure.

• Secure SD-WAN provisioning and monitoring: provision and monitor Secure
SD-WAN from one console across your network, branch offices, or campuses.

• Enterprise-grade high availability and integration: automate backups to up to
five nodes with streamlined software and security updates for all managed devices.

• Security automation: reduce complexity and costs by leveraging automated
REST API, scripts, connectors, and automation stitches.

6.3.1 SD-WAN Monitor Map view


From the SD-WAN Monitor Map, you can view your network availability and performance
from a single glance. SD-WAN branch and gateways are represented based on the geo-
coordinates configured for their locations, and colored indicators notify you of any
potential issues with the SD-WAN interfaces or SLAs. Only devices with performance
SLAs are displayed.


Figure 32 SD WAN Monitor Map View


• Green: all performance SLAs for the given interface are being met.

• Yellow: one or more performance SLAs is not currently meeting minimum
requirements.

• Red: one or more performance SLAs is down or unreachable.

6.3.2 SD-WAN Table view


When Table View is selected, all devices in the network are displayed in a table format.
This gives you a quick snapshot of link performance across all devices. Like Monitor Map
view, interface colors represent the status of a given interface, according to its
performance SLA. Hovering over a given performance SLA, you can see more granular
detail about how that SLA is performing according to its configuration.


Figure 33 SD WAN Table view


• Green: all performance SLAs for the given interface are being met.

• Yellow: one or more performance SLAs is not currently meeting minimum
requirements.

• Red: one or more performance SLAs is down or unreachable.

6.3.3 SD-WAN device monitoring


Selecting a device from the Monitor Map or Table view will give you details about that
specific device. This is often one of the first places to check when you are troubleshooting
a potential network issue. Any links not meeting their minimum defined SLAs are
displayed, which helps you narrow down the scope of your investigation. Within the
selected device, you can see per-device metrics, such as:

• Interfaces participating in SD-WAN

• Health-check status over the specified time frame

• Bytes sent/received

• Bandwidth overview per interface

• Traffic growth per interface


Figure 34 SD WAN device Monitoring

6.3.4 Route table and device dashboards


There will be occasions where you may need to see more granular information on the
device, such as looking up a route or checking IPsec details. Managed FortiGate SD-
WAN devices will provide visibility into live monitors that can be quickly accessed from
FortiManager. These are equivalent to the dashboards that can be configured and viewed
from the device Admin page on the local box.


Figure 35 Route and Device dashboard

6.4 FortiAnalyzer
FortiAnalyzer collects information, such as traffic and security events, and reduces the
effort required to monitor the information system.

The FortiAnalyzer solution is responsible for the collection and the evaluation of logs
generated by FortiGate, FortiMail, FortiClient solutions, FortiWeb, FortiManager,
FortiSandbox, FortiDDoS, and FortiCache. It receives logs, stores them, produces
predefined and customized reports, and supports configuration of advanced alerting.

FortiAnalyzer provides two operation modes: Analyzer and Collector. Analyzer mode is
the default mode and supports the full FortiAnalyzer feature set. The primary task of a
Collector is to receive logs from connected devices and upload the logs to an Analyzer.
Instead of writing logs to the database, the Collector retains them in their original (binary)
format and sends them to the Analyzer.

The key features are:

• Security Fabric analytics: event correlation across all logs and real-time anomaly
detection, with Indicator of Compromise (IOC) service and threat detection,
reducing time-to-detect.


• Fortinet Security Fabric integration: correlates with logs from FortiClient,
FortiSandbox, FortiWeb, and FortiMail for deeper visibility and critical network
insights.

• Security automation: reduce complexity and leverage automation via REST API,
scripts, connectors, and automation stitches to expedite security response.

• Multi-tenancy and administrative domains (ADOMs): separate customer data and
manage domains with ADOMs to be compliant and operationally effective.

• Flexible deployment options and archival storage: supports deployment as an
appliance, VM, hosted or cloud storage. Use AWS, Azure, or Google to archive
logs as DR storage.

6.4.1 ADOMs, sizing, log storage, scaling, and enforcement


When deploying a multitenant FortiAnalyzer, MSPs should standardize on maximum log
analytics. With FortiAnalyzer being licensed based on GB of logs per day (a system-wide
limit) and ADOMs (when using the FortiAnalyzer subscription license), this
standardization ensures MSPs know the maximum number of customer tenants
accommodated by the shared platform.


Figure 36 FortiAnalyzer ADOMS and storage


The above image shows the creation of an ADOM called Branch, where parameters such
as analytics, log archival, and disk space are defined on a per-customer basis.

When standardizing on a multitenant platform, the MSP should ensure the parameters
detailed above are then written into the overall service level agreement between MSP
and end-customer.

This standardization ensures platform sizing and scalability are tested and documented,
and avoids situations where non-standard target customers could impact others on the
shared platform.

6.4.2 SD-WAN logging


FortiAnalyzer acts as the central monitoring platform. FortiGate acts as the branch CPE
in the SD-WAN solution. It utilizes SLA probes across the overlays to record latency, jitter,
and packet loss.

FortiAnalyzer requires logs from the branch FortiGate with latency, jitter, and packet loss
information to create and display SD-WAN graphs. It is mandatory to specify the sending
interval, which is configured in the FortiManager SD-WAN template. The sending interval
is configured using set fail-log-period (seconds) and set pass-log-period (seconds).


Figure 37 SD WAN Logging

6.5 Secure SD-WAN solution


It is essential to distinguish between Secure SD-WAN functionality and the Secure SD-
WAN solution. Secure SD-WAN functionality can be configured on any FortiGate device
without requiring a separate license or additional products and components. In other
words, any FortiGate device can provide this functionality in a completely autonomous
manner, including traffic steering intelligence, monitoring, and of course, security.

6.6 SD-WAN configuration


Fortinet SD-WAN configuration includes the following main steps:

1. SD-WAN interface members define your SD-WAN bundle. They are the
interfaces that will be controlled by SD-WAN and where traffic can potentially flow.
Almost any interface supported by FortiGate devices can become an SD-WAN
member (including physical ports, VLAN interfaces, LAGs, IPsec/GRE/IPIP
tunnels, and even FortiExtender interfaces). Often it will include both your
underlays and overlays, but this is not a requirement. For EPSS we will configure
the overlays to be your SD-WAN members while keeping the underlay outside.

Figure 38 SD WAN interface member

2. Performance SLA are the health-check probes used by the edge devices to
actively measure the health of each available path. You can define what server to
probe and what protocol to use (including Ping, HTTP, TCP/UDP Echo, TWAMP,
or DNS). Each probe will measure latency, jitter, and packet loss percentage over
the configured subset of the SD-WAN members.


Figure 39 Performance SLA

3. SD-WAN rules combine all the elements. These are the actual set of business
rules used to steer a particular application to a specific SD-WAN member while
considering its current health and SLA status. Each rule has the following logical
parts:

Matching Criteria defines what applications or what kind of traffic will match this
rule. We can match based on a large variety of inputs, including:

• IP Address

• Applications

• Internet Service Database (ISDB)

• User Identity

• DSCP/ToS fields


• Route Tags

Figure 40 SD WAN rules

SD-WAN Strategy defines the logic applied to select one of the SD-WAN members to
steer this traffic. The following strategies will be configured:

• Best Quality—select an SD-WAN member with the best measured quality.

• Lowest Cost (SLA)—select the cheapest SD-WAN member that meets a given
SLA target.

• Maximize Bandwidth (SLA)—load-balance across all SD-WAN members that meet
a given SLA target.

• Manual—manually specify an SD-WAN member to select.


Figure 41 SD WAN Strategy


The SD-WAN rules probably remind you of the Firewall rules to some extent, and, indeed,
many of the same matching criteria are used. The SD-WAN rules are also evaluated in
the order of their configuration—just like Firewall rules.

• Firewall rules define how to secure a particular application, should a particular path
be selected.

• SD-WAN rules define how to select a particular path for a particular application.

Having both rulesets rely on the same inputs (such as Application Control Database,
Internet Service Database [ISDB], same User Identity providers, and so on) significantly
improves integration between different pillars and the consistency of the overall solution.

6.7 SD-WAN routing logic


Once configured, SD-WAN takes the responsibility of intelligent traffic steering. But how
does it interact with the traditional routing subsystem?

The following main rules will be applied for EPSS:

1. SD-WAN rules are matched only if the best route to the destination points to SD-WAN.

The best route to the destination must point to any SD-WAN Member—not necessarily
the one selected to forward the traffic. This check allows you to easily fit SD-WAN
functionality into your existing network topology without disrupting services that are not
supposed to be handled by SD-WAN. For example, you may have an out-of-band
management network or a group of sites that have not (yet) migrated to SD-WAN. If the
best route to the destination does not point to your SD-WAN bundle, the traffic will be
handled by conventional routing.


2. SD-WAN member is selected only if it has a route to the destination.

This check happens at a later stage when an SD-WAN rule is already matched and
evaluated. Based on the configured strategy, one of the listed SD-WAN members will be
preferred. But the traffic will only be forwarded via that member if there is a route to the
destination through that path. Otherwise, the member will be skipped, and the next
optimal member will be checked.
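The two routing checks above and the steering strategies of section 6.6, worked through as an added Python simulation (this is not code from the LLD or from FortiOS; the member names, prefixes, routing entries and probe results are constructed sample values, and using latency as the Best Quality metric and falling back to priority order when no member meets its SLA are this simulation's own assumptions):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Member:
    name: str
    cost: int       # relative link cost, used by the Lowest Cost (SLA) strategy
    routes: list    # prefixes reachable through this member (checked by rule 2)

    def has_route(self, dst: str) -> bool:
        return any(ip_address(dst) in ip_network(p) for p in self.routes)

@dataclass
class Probe:        # latest Performance SLA measurement for one member
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    alive: bool = True

@dataclass
class SLA:          # SLA target attached to a Performance SLA
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def met_by(self, p: Probe) -> bool:
        return (p.alive and p.latency_ms <= self.latency_ms
                and p.jitter_ms <= self.jitter_ms and p.loss_pct <= self.loss_pct)

@dataclass
class Rule:
    dst: str        # matching criterion (destination prefix only, for brevity)
    strategy: str   # best-quality | lowest-cost-sla | max-bandwidth-sla | manual
    members: list   # candidate member names in configured priority order
    sla: Optional[SLA] = None

def best_route(dst: str, rib: list) -> Optional[str]:
    """Longest-prefix match over a routing table of (prefix, outgoing interface)."""
    hits = [(ip_network(p), iface) for p, iface in rib if ip_address(dst) in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def select_members(rule: Rule, dst: str, members: dict, probes: dict) -> list:
    """Rule 2 plus the strategy: a member is eligible only if it has a route to dst.
    SLA strategies keep the members meeting the SLA; if none does, this simulation
    falls back to the whole eligible list in priority order (an assumption)."""
    eligible = [members[n] for n in rule.members if members[n].has_route(dst)]
    if not eligible:
        return []
    if rule.strategy == "manual":
        return [eligible[0].name]
    if rule.strategy == "best-quality":   # latency stands in for the quality metric
        return [min(eligible, key=lambda m: probes[m.name].latency_ms).name]
    in_sla = [m for m in eligible if rule.sla and rule.sla.met_by(probes[m.name])] or eligible
    if rule.strategy == "lowest-cost-sla":   # min() keeps priority order on cost ties
        return [min(in_sla, key=lambda m: m.cost).name]
    if rule.strategy == "max-bandwidth-sla":
        return [m.name for m in in_sla]
    raise ValueError(f"unknown strategy {rule.strategy}")

def steer(dst: str, rules: list, rib: list, members: dict, probes: dict) -> tuple:
    """Returns ('sdwan', [chosen members]) or ('routing', interface)."""
    nh = best_route(dst, rib)
    if nh not in members:     # rule 1: best route must point to some SD-WAN member
        return ("routing", nh)
    for rule in rules:        # rules are evaluated in configured order
        if ip_address(dst) in ip_network(rule.dst):
            chosen = select_members(rule, dst, members, probes)
            if chosen:
                return ("sdwan", chosen)
    return ("routing", nh)    # no usable rule: conventional routing decides

# Constructed sample topology: two overlays to the HQ hub, one overlay to the DR
# hub, and an out-of-band management network that stays outside SD-WAN.
ALL = ["HUB1-VPN1", "HUB1-VPN2", "HUB2-VPN1"]
MEMBERS = {
    "HUB1-VPN1": Member("HUB1-VPN1", 10, ["10.1.0.0/16", "10.7.0.0/16"]),
    "HUB1-VPN2": Member("HUB1-VPN2", 20, ["10.1.0.0/16", "10.7.0.0/16"]),
    "HUB2-VPN1": Member("HUB2-VPN1", 30, ["10.1.0.0/16", "10.7.0.0/16", "10.200.0.0/16"]),
}
RIB = [("10.1.0.0/16", "HUB1-VPN1"), ("10.7.0.0/16", "HUB1-VPN1"),
       ("10.200.0.0/16", "HUB2-VPN1"), ("192.168.100.0/24", "mgmt"), ("0.0.0.0/0", "wan1")]
PROBES = {"HUB1-VPN1": Probe(250, 10, 0.0),   # latency above the HQ SLA target
          "HUB1-VPN2": Probe(40, 5, 0.0), "HUB2-VPN1": Probe(30, 5, 0.0)}
HQ_SLA = SLA(latency_ms=200, jitter_ms=50, loss_pct=2)
RULES = [Rule("10.1.0.0/16", "lowest-cost-sla", ALL, HQ_SLA),   # HQ application servers
         Rule("10.200.0.0/16", "manual", ALL),                  # DR-only prefix
         Rule("10.0.0.0/8", "best-quality", ALL)]               # any other site

def demo() -> dict:
    """Steering decision for an HQ server, another site, a DR-only prefix and OOB mgmt."""
    return {dst: steer(dst, RULES, RIB, MEMBERS, PROBES)
            for dst in ("10.1.5.20", "10.7.1.1", "10.200.3.4", "192.168.100.5")}
```

In the sample data the HQ overlay over ISP1 is out of SLA on latency, so the Lowest Cost rule skips it, while the management prefix never enters SD-WAN because its best route points to a non-member interface.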

6.8 Design principles


We will use a Five-Pillar Approach:

Figure 42 Design Principle


The goal of the first four pillars (Underlay, Overlay, Routing, and Security) is to define and
secure all available paths to all possible destinations. In other words, at this stage, there
is still no decision about where specific traffic will flow, but all the edge (CPE) devices are
aware of all the options. These four pillars should not require human intervention during
regular operations and network functions. And this is despite the fact that the set of
available paths and destinations in the network can change dynamically due to network
failures, planned migrations, or even changes in traffic patterns. The Zero-Touch nature
of the first four pillars is achieved using two dynamic technologies that, once configured,
do not require further operator intervention.

6.8.1 Underlay
First, you must decide what underlay links you will use to connect all participating sites
and the public internet. Do you have multiple internet connections? Or an internet
connection and an MPLS link? Or will it be a broadband internet connection and an LTE
modem? In our case we will use two internet connections from HQ.

Since all edge devices are full-featured FortiGate devices, the range of possibilities is
extensive. While each site can, in principle, be designed and configured differently from
the others, we will define a limited number of groups of sites with identical configurations
within each group. This will simplify provisioning and the operation of your SD-WAN
solution.

6.8.2 Overlay
Second, you must decide on the topology to interconnect your sites. In most cases, you
will build IPsec overlays over all the underlay transports to most likely form a set of hub-
and-spoke topologies. This way, you can secure your corporate (site-to-site) traffic, and
provide confidentiality, integrity, and mutual site authentication, as expected from an
industry standard IPsec suite. Hub-and-spoke topologies are highly scalable, and they
have a crucial zero-touch property: When adding or removing a spoke, the configuration
of all other devices remains untouched. Hub-and-spoke topologies can also be enhanced
with redundancy options (such as dual-hub). They can be extended to multiple regions
(multi-regional hub-and-spoke topologies interconnected together) for large-scale
deployments.

ADVPN—our dynamic tunneling technology—can be enabled in your hub-and-spoke
topologies. As mentioned earlier, ADVPN can dynamically build direct spoke-to-spoke
tunnels (called shortcuts) when they are needed. It preserves the zero-touch property of
hub-and-spoke while providing advantages of direct site-to-site communication without
bottlenecks.


For our multi-regional deployments, we will allow cross-regional ADVPN shortcuts, which
makes our topology even more dynamic.

Figure 43 Overlay
We will use ADVPN as the most generic, dynamically adjustable topology for your
overlays.

6.8.3 Routing

The overlays provide us with multiple paths between the sites (over different underlay
transports). Still, we must also ensure that all edge devices have the correct routing
information needed to use these paths. We will use BGP to exchange routes between all
sites over the overlays.

BGP fits well into hub-and-spoke overlay topologies, and it is also the recommended
routing protocol to use with ADVPN. As we will show in design examples, the hubs will
act as BGP route reflectors (RR) so that the spokes will not have to peer directly with
each other—not even over ADVPN shortcuts! This design is in-line with the zero touch
strategy: once again, when adding or removing a spoke, the BGP configuration of all other
devices remains untouched.


A crucial difference between a traditional design and our SD-WAN solution is in the role
of the routing pillar. In a conventional design, routing oversees the steering of traffic. It is,
therefore, the responsibility of routing to select the best path out of all available options.
Multiple route policy techniques can be used to achieve this—some are protocol agnostic
(for example, weight), and others are protocol-specific (for example, BGP local-
preference, MED, AS_PATH prepending, and so on). While all these techniques remain
available on a full-featured FortiGate edge device, we must recall that our goal is only to
learn about all available paths to all possible destinations.

6.8.4 Security
Quite often, different security features must be applied to different paths. The most
common example is the difference between direct and remote internet access. In the
former case, the traffic breaks out directly from the edge device (through one or more
underlay links), making it crucial to apply the necessary level of security before it leaves
the site boundaries. In the latter case, the traffic might undergo additional security
inspection in the central location or use a cloud-based security solution before breaking
out to the public internet. As a result, the edge device has to apply a different set of
security features, depending on which of the two internet access methods was selected
for a particular session.

We achieve this granular security in our solution by grouping different interfaces into SD-
WAN zones and defining firewall rules on a per-zone basis. In EPSS, we will define
SD-WAN zones and separate firewall rules for the internet traffic exiting through each
one of them.

6.8.5 SD-WAN
We will consider all the available paths to the requested destination, compare their
measured health, and then apply a business strategy configured for a particular
application to make the optimal choice. Health measurement continues in real time. If the
conditions change, both new and existing sessions can quickly switch over to another
path. As we have covered earlier, SD-WAN configuration typically consists of the
following elements:

• SD-WAN interface members


• Performance SLAs

• SD-WAN rules

For the optimal configuration of your SD-WAN solution, we must understand and use the
following recommended principles:

The originating site should take the steering decision—that is, by the SD-WAN rules of
the edge device located at the site originating the session. If the decision is to break out
locally, the traffic will leave the boundaries of the SD-WAN solution. Otherwise, the traffic
will flow via one of the active overlays. Hence it will pass through one or more additional
FortiGate devices that are part of your solution. All those devices are expected to
“respect” the SD-WAN choice made by the originating site. For example, in a hub-and-
spoke topology, if the originating site has selected an overlay over MPLS transport as its
next hop to the hub, the hub should prefer using the overlay over MPLS transport to
forward the traffic further toward the destination site. We also call this property overlay
stickiness.


6.9 SD-WAN Architecture and design


6.9.1 SD-WAN Architecture and design for HQ


Figure 44 SD-WAN Architecture and design for HQ


6.9.2 SD-WAN Architecture and design for DR

Figure 45 SD-WAN Architecture and design for DR


In this design, branch SD-WAN devices now have two (or more) gateways at separate
geo-redundant locations from which to steer traffic. The HQ gateway is located in the
preferred datacenter location while the DR gateway is at the DR location. Traffic will flow
through the HQ gateway under normal conditions and utilize the DR gateway as a backup.

In this design, each hub acts precisely as in the base design, and the hubs are
independent of each other. The spokes connect to the dial-up IPsec endpoints of both
hubs, over all available underlay transports. Effectively, each of the hubs defines its own
set of point-to-multipoint overlays. Each SD-WAN Gateway may provide one or multiple
services:

• Act as the IPsec dialup server for branch locations

• Provide centralized routing information and orchestrate dynamic branch-to-branch
communication (ADVPN)

• Protect the datacenter resources and private workloads by utilizing FortiGate Next-
Generation Firewall services

• Provide remote internet breakout for branch locations

6.9.3 Intra-datacenter failover


SD-WAN gateways at each datacenter operate as independent HA clusters to offer intra-
site redundancy from failures and issues at their location.

FortiGate HA offers several solutions for adding redundancy in the case where a failure
occurs on the FortiGate, or is detected by the FortiGate through monitored links, routes,
and other health checks. These solutions support fast failover to avoid lengthy network
outages and disruptions to your traffic.

FortiGate HA options:

• Active/passive

• Active/active

We will use the recommended active-passive HA for SD-WAN gateways at a datacenter or
HQ location. If active-active is desired, it will not change our overall SD-WAN design
outlined below. Both HA modes will be designed in the same manner as described in this
section. Active/active has more complex troubleshooting requirements due to the nature
of active-active load balancing.

6.9.4 Inter-datacenter failover


Gateways at each datacenter location operate as independent clusters. Traffic from the
branch is steered between the HQ and DR datacenter locations using SD-WAN rules.
The SD-WAN device at the branch location may detect issues at a datacenter location
using its performance SLAs and steer traffic based on its preconfigured SD-WAN rules.

6.9.5 IPsec overlays


Each SD-WAN gateway acts as a dial-up IPsec server for the spokes, having a separate
dial-up IPsec endpoint terminate on each underlay interface. Branches will typically build
overlays over all available WAN ports to have multiple paths available to the gateway.
However, it can also happen that some of the branches do not have a similar WAN
transport. Hence, they will be able to connect only to a subset of the overlays.

6.9.6 Route Exchange


The spokes establish separate IBGP sessions to each gateway over each overlay. The
BGP Neighbor Group feature is used on the gateway for this peering. Each spoke then
advertises its local site prefix(es) over each of the IBGP sessions. The gateway acts as
a BGP Route Reflector (RR), advertising the prefixes to all other spokes when ADVPN is
used. Additionally, each gateway advertises its prefixes (such as the datacenter LANs) to
every branch location. At the end of this process, all the sites exchange their routes over
all available overlays.

6.9.7 ADVPN
For ADVPN to operate correctly, all sites' prefixes must be preserved unchanged, including
their original BGP next-hop values, because a spoke resolves that next-hop over the
shortcut tunnel once it is established. It is therefore not possible to replace the specific
routes with summaries (unlike in a static hub-and-spoke topology), and the BGP RR
function is mandatory: the gateway must reflect the original routes between the spokes
without altering them.
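
The hub-side configuration that implements sections 6.9.5 to 6.9.7 for one overlay is shown below as an added example; it is not the delivered EPSS configuration. The overlay name HUB1-ISP1, the tunnel and loopback addresses, AS 65000, network-id 1, the datacenter prefix and the hub's public address are assumptions, and the pre-shared keys are placeholders.

```fortios
# Added example, not the delivered EPSS configuration: HQ gateway side of one
# overlay, terminated on underlay port1. The same phase1, phase2, interface and
# neighbor-group set is repeated for every other underlay interface.
config vpn ipsec phase1-interface
    edit "HUB1-ISP1"
        # Dial-up server: the spokes initiate. One such phase1 per underlay.
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        # All spokes on this overlay share one tunnel interface.
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        # Routes come from BGP, not from IKE.
        set add-route disable
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 10
        # ADVPN: the hub offers spoke-to-spoke shortcuts.
        set auto-discovery-sender enable
        # Spokes learn the hub tunnel IP, which they peer with over BGP.
        set exchange-interface-ip enable
        set network-overlay enable
        set network-id 1
        set psksecret <redacted>
    next
end
config vpn ipsec phase2-interface
    edit "HUB1-ISP1"
        set phase1name "HUB1-ISP1"
        set proposal aes256gcm
        set dhgrp 14
    next
end
config system interface
    edit "HUB1-ISP1"
        set ip 10.201.1.254 255.255.255.255
        # The /24 on remote-ip is the range the spoke tunnel IPs come from,
        # so the single neighbor-range below matches every spoke.
        set remote-ip 10.201.1.253 255.255.255.0
        set allowaccess ping
    next
end
config router bgp
    set as 65000
    set router-id 10.200.1.1
    # Keep every overlay usable as an equal-cost path.
    set ibgp-multipath enable
    set recursive-next-hop enable
    config neighbor-group
        edit "SPOKES-ISP1"
            set remote-as 65000
            # Reflect spoke prefixes to the other spokes unchanged: no
            # next-hop-self and no summarisation, so a spoke still sees the
            # originating spoke's tunnel IP as next-hop and resolves it over
            # the ADVPN shortcut once that is up.
            set route-reflector-client enable
            set next-hop-self disable
            set update-source "HUB1-ISP1"
            set advertisement-interval 1
            set link-down-failover enable
            set soft-reconfiguration enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.201.1.0 255.255.255.0
            set neighbor-group "SPOKES-ISP1"
        next
    end
    config network
        # Datacenter LANs, advertised to every branch.
        edit 1
            set prefix 10.10.0.0 255.255.0.0
        next
    end
end
# Spoke counterpart for the same overlay (ADVPN receiver role).
config vpn ipsec phase1-interface
    edit "HUB1-ISP1"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256-sha256
        set dhgrp 14
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set network-overlay enable
        # Must match the hub's network-id for this overlay.
        set network-id 1
        # Assumed public address of the hub's port1.
        set remote-gw 203.0.113.10
        set psksecret <redacted>
    next
end
```

On a spoke, `get router info bgp network` should list the other spokes' prefixes with their own tunnel IPs as next-hop, not the hub's address; if the hub's address appears, next-hop-self or summarisation is active somewhere on the path and ADVPN shortcuts will not be used.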

6.9.8 Traffic flow


Once all the routes have been distributed across all the sites, the application traffic flow
can be controlled by SD-WAN rules according to the design principles described in the
previous chapter. SD-WAN rules may dictate how traffic is steered based on the business
requirement and desired redundancy.


• Direct internet access (DIA): used when local internet breakout at a location is
required. In this scenario the business application, such as a SaaS application or
website, is on the internet, and the SD-WAN appliance decides the best path among
multiple WAN links. Traffic is routed directly to the internet using the preferred method
in the SD-WAN rule.

Figure 46 DIA

• Branch to HQ datacenter: used when branch users require connectivity to an
application or workload located behind the gateway at the HQ datacenter. The DR
gateway in the DR datacenter is used only as a backup. The branch SD-WAN device
monitors all available overlay links and chooses the best path according to the
business requirements.


Figure 47 Branch to HQ Data Center

• Branch to DR datacenter (geo-redundant datacenter failover): a catastrophic failure
at the HQ datacenter location causes traffic to route through the gateway located in
the DR datacenter. In this scenario the desired application either lives in both
datacenter locations, or the DR gateway has an alternative path to the HQ
datacenter.


Figure 48 Branch to DR
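
Branch-side SD-WAN configuration for the three flows above (DIA, branch to HQ, branch to DR) follows as an added example; it is not the delivered EPSS configuration. The member ids, zone and health-check names, the loopback probe targets, the public probe target 1.1.1.1, the SLA thresholds and the address objects Branch-LAN and EPSS-DC-LANs are assumptions.

```fortios
# Added example, not the delivered EPSS configuration: branch-side SD-WAN
# steering for DIA, branch to HQ and branch to DR. Address objects Branch-LAN
# and EPSS-DC-LANs are assumed to exist.
config system sdwan
    set status enable
    config zone
        edit "underlay"
        next
        edit "overlay"
        next
    end
    config members
        # 1,2 = underlays (DIA); 11 = overlay to HQ gateway; 21 = overlay to DR.
        edit 1
            set interface "wan1"
            set zone "underlay"
        next
        edit 2
            set interface "wan2"
            set zone "underlay"
        next
        edit 11
            set interface "HUB1-ISP1"
            set zone "overlay"
        next
        edit 21
            set interface "HUB2-ISP1"
            set zone "overlay"
        next
    end
    config health-check
        # Probe a loopback on each gateway through its overlay. A member that
        # misses its SLA is skipped by the rules below: that is how the branch
        # detects a datacenter problem without any signal from the hub itself.
        edit "HQ-LOOPBACK"
            set server "10.200.1.1"
            set members 11
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
        edit "DR-LOOPBACK"
            set server "10.200.2.1"
            set members 21
            config sla
                edit 1
                    set latency-threshold 200
                    set packetloss-threshold 2
                next
            end
        next
        edit "INTERNET"
            set server "1.1.1.1"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250
                    set packetloss-threshold 5
                next
            end
        next
    end
    config service
        # Branch to HQ datacenter, with the DR overlay as last resort. One rule
        # covers both the normal case and the geo-redundant failover.
        edit 1
            set name "Branch-to-DC"
            set mode sla
            set src "Branch-LAN"
            set dst "EPSS-DC-LANs"
            config sla
                edit "HQ-LOOPBACK"
                    set id 1
                next
                edit "DR-LOOPBACK"
                    set id 1
                next
            end
            set priority-members 11 21
        next
        # DIA: everything else leaves on the best underlay.
        edit 2
            set name "DIA"
            set mode sla
            set src "Branch-LAN"
            set dst "all"
            config sla
                edit "INTERNET"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
```

`diagnose sys sdwan health-check` shows the measured latency, jitter and loss per member, and `diagnose sys sdwan service` shows which member each rule is currently using; these two outputs are what to read first when branch traffic ends up on the DR overlay unexpectedly.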
7 Kaspersky Installation and Configuration

7.1 Introduction
Securing the systems, data and network infrastructure of EPSS requires endpoint
protection that is centrally managed. This chapter describes the installation, configuration
and tuning of the Kaspersky components used for that purpose.

Organizations face sophisticated attacks that target vulnerabilities across many endpoints.
Kaspersky Security Center provides centralized management of the endpoint protection,
and Kaspersky Endpoint Detection and Response (EDR) provides rapid detection of and
response to advanced attacks. Both rely on a MySQL database, which the Administration
Server uses to store its data.

This chapter covers, in order: setting up the MySQL database that holds the Administration
Server data, deploying Kaspersky Security Center for centralized security management,
and implementing Endpoint Detection and Response for threat identification and incident
response.

It is written for the IT administrators and security staff who will install, configure and
operate the Kaspersky suite at EPSS.

7.2 MySQL 8.0.19 Installation


7.2.1 Overview
MySQL is a widely used relational database management system, maintained by Oracle,
that supports multi-user access and several storage engines. In this deployment it stores
the data of the Kaspersky Security Center Administration Server. This section describes
how to download and install it on Windows. Before installing, confirm the exact MySQL 8.0
release against the system requirements of the Kaspersky Security Center 14
Administration Server, which lists the supported releases of the 8.0 branch; the version
chosen here is 8.0.19.

Prerequisites

The following requirements should be available in your system to work with MySQL:

• MySQL Setup Software

• Microsoft .NET Framework 4.5.2

• Microsoft Visual C++ Redistributable for Visual Studio 2019

• RAM 4 GB (6 GB recommended)

7.2.2 Download MySQL


Follow these steps:
Step 1: Go to the official website of MySQL and download the community server edition
software. Here, you will see the option to choose the Operating System, such as
Windows.


Step 2: Next, two installer packages are offered. Choose the version number of the MySQL
Community Server you want. With good internet connectivity, choose
mysql-installer-web-community, which downloads the selected products during installation;
otherwise choose the full mysql-installer-community package.

Figure 49 Download MySQL Installer 8 (choose the correct bitness)

7.2.3 Installing MySQL on Windows


Step 1: After downloading the setup, run the MSI installer. It shows the following screen:

Figure 50 Collecting information from platform


Step 2: In the next wizard, choose the Setup Type. There are several types available,
and we need to choose the appropriate option to install MySQL product and features.
Here, we are going to select the Full option and click on the Next button.


Figure 51 Selecting setup type


This option will install the following things: MySQL Server, MySQL Shell, MySQL Router,
MySQL Workbench, MySQL Connectors, documentation, samples and examples, and
many more.

Step 3: Once we click on the Next button, it may give information about some features
that may fail to install on your system due to a lack of requirements. We can resolve them
by clicking on the Execute button that will install all requirements automatically or can
skip them. Now, click on the Next button.

Figure 52 Checking the requirements


Step 4: In the next wizard, we will see a dialog box that asks for our confirmation of a few
products not getting installed. Here, we have to click on the Yes button.

Figure 53 checking product requirements


After clicking on the Yes button, we will see the list of the products which are going to be
installed. So, if we need all products, click on the Execute button.

Figure 54 List of products that will be installed


Step 5: Once we click on the Execute button, it will download and install all the products.
After completing the installation, click on the Next button.


Figure 55 Completion of product installation


Step 6: The next wizard configures the MySQL Server and MySQL Router. MySQL Router
is not configured here, because it is not needed for a single standalone server; only the
server is configured. Click Next.

Figure 56 Product configuration


Step 7: Clicking Next opens the High Availability screen. Choose Standalone MySQL
Server / Classic MySQL Replication and click Next. The InnoDB Cluster option is available
if a clustered database is needed instead.

Figure 57 HA
Step 8: In the next screen, choose the Config Type and the connectivity options. Here we
select Config Type 'Development Machine', Connectivity TCP/IP and port 3306, then click
Next. Note that 'Development Machine' reserves the least memory for the server; on a host
dedicated to the Administration Server database, 'Server Computer' or 'Dedicated
Computer' is the better fit. In either case, restrict inbound access to TCP 3306 on the host
firewall to the Administration Server, or bind the server to the loopback interface if both run
on the same host.


Figure 58 Type and Networking


Step 9: Select the Authentication Method and click Next. Here we select the first option,
strong password encryption (the SHA-256 based caching_sha2_password plugin, the
MySQL 8 default); the legacy option should be used only for clients that cannot
authenticate with it.

Figure 59 Authentication method


Step 10: The next screen asks for the MySQL root password. Choose a long, unique
password and record it in the project's credential store; it is needed again in Step 16 and
when the Administration Server is connected to the database. Then click Next.


Figure 60 Accounts and Roles

Step 11: The next screen will ask you to configure the Windows Service to start the
server. Keep the default setup and click on the Next button.


Figure 61 Windows service and service name


Step 12: In the next wizard, the system will ask you to apply the Server Configuration. If
you agree with this configuration, click on the Execute button.

Figure 62 Apply Configuration


Step 13: Once the configuration has completed, you will get the screen below. Now, click
on the Finish button to continue.


Figure 63 Finalizing applying Configuration


Step 14: In the next screen, you can see that the Product Configuration is completed.
Keep the default setting and click on the Next-> Finish button to complete the MySQL
package installation.

Figure 64 Product Configuration


Step 15: The next wizard offers to configure MySQL Router. Skip it: click Next, then
Finish, then Next.

Figure 65 MySQL Router Configuration

Step 16: In the next wizard, we will see the Connect to Server option. Here, we have to
mention the root password, which we had set in the previous steps.


Figure 66 Connect to server


On this screen, check that the connection succeeds by clicking the Check button. If the
connection is successful, click Execute; when the configuration completes, click Next.
Step 17: In the next wizard, confirm the configuration steps to apply and click Execute.

Figure 67 Configuration Step



Step 18: After completing the above step, we will get the following screen. Here, click on
the Finish button.

Figure 68 Configuration step done


Step 19: Now, the MySQL installation is complete. Click on the Finish button.

Figure 69 Completion of installation


Step 20: Verify the MySQL installation

Once MySQL has been installed, the system tables initialized and the server started, verify
it with a few simple checks: confirm in the Services console that the MySQL80 service is
running, confirm that the server listens on TCP 3306 only on the intended interface, and
log in as root with the password set in Step 10 (for example from MySQL Shell or MySQL
Workbench, which the Full setup installed) and run a trivial query to confirm the server
responds.
7.3 Kaspersky Security Center
Kaspersky Security Center is designed for the centralized execution of basic administration
and maintenance tasks on an organization's network. It gives the administrator access to
detailed information about the network's security level and allows all the components of
protection built on Kaspersky applications to be configured.
Kaspersky Security Center is aimed at corporate network administrators and employees
responsible for the protection of devices in a wide range of organizations.
Using Kaspersky Security Center, you can do the following:
• Create a hierarchy of Administration Servers to manage the organization's
network, as well as networks at remote offices or client organizations (a client
organization is one whose anti-virus protection is ensured by a service provider).
• Create a hierarchy of administration groups to manage a selection of client devices
as a whole.
• Manage an anti-virus protection system built based on Kaspersky applications.
• Create images of operating systems and deploy them on client devices over the
network, as well as perform remote installation of applications by Kaspersky and
other software vendors.
• Remotely manage applications by Kaspersky and other vendors installed on client
devices. Install updates, find and fix vulnerabilities.
• Perform centralized deployment of license keys for Kaspersky applications to client
devices, monitor their use, and renew licenses.
• Receive statistics and reports about the operation of applications and devices.
• Receive notifications about critical events during the operation of Kaspersky
applications.
• Manage mobile devices.
• Manage encryption of information stored on the hard drives of devices and
removable drives and users' access to encrypted data.


• Perform inventory of hardware connected to the organization's network.


• Centrally manage files moved to Quarantine or Backup by security applications,
as well as manage files for which processing by security applications has been
postponed.
7.3.1 Kaspersky Security Center 14 installation
Running the setup, we see a screen like this. Let’s start the installation with the option to
install Kaspersky Security Center 14.

Figure 70 Kaspersky security center 14

Figure 71 welcome page

Since .NET Framework was installed earlier, continue by clicking Next.


Figure 72 EULA and Privacy Policy

We proceed with the Custom installation rather than Standard, because it exposes every
component and setting and allows a more detailed installation. Continue with Next.

Figure 73 Installation type


In the “Custom installation” window, the Management server is checked, and we
continue with “Next”.


Figure 74 Custom installation

Figure 75 Network Size


Select the database type on the Database server tab (MySQL, installed in section 7.2, in
this deployment). For the SQL database, a separate database administrator account must
be configured in the authentication mode window.


Figure 76 Authentication mode

Press Next to continue, letting the installer generate the Administration Server service
account automatically.


Figure 77 Account Type

In the “Administration Server address” window, specify the address by which the managed
devices (those with the Kaspersky endpoint software installed) will reach the Security
Center. Three options are offered: the first two use a name resolved through DNS, the
third the IP address. We proceed with the IP address, since the server address is static;
this removes a dependency on name resolution for agent connectivity, at the cost that a
later address change means reconfiguring every managed device.


Figure 78 Administration Server Address

In the “Ready to install Kaspersky Security Center 14 Administration Server” window,
continue with the defaults: Kaspersky Security Center 14 automatically creates the inbound
rules for its connection ports on the Windows Firewall. If a host firewall other than
Windows Firewall is in use, those ports have to be opened there by hand. Start the
installation by clicking the “Install” button.

In the “Installing Kaspersky Security Center Administrator Server” window, the required
installations are made in order.

If the installation is completed successfully, you can open the Console screen with the
“Finish” option. After the management console is opened, you can start using the
software with your license information.


Next, install Kaspersky Security Center 14 Web Console. In the installer's welcome
window, click Next.



Figure 79 Web Console welcome page

In the License Agreement window, read and accept the terms of the End User License
Agreement. The installation continues after you accept the EULA, otherwise, the Next
button is unavailable.

Figure 80 EULA
In the Kaspersky Security Center 14 Web Console connection settings window,
specify the following information:
• The address of Kaspersky Security Center 14 Web Console (by default, 127.0.0.1).

• The port that Kaspersky Security Center 14 Web Console will use for incoming
connections, that is, the port that gives access to Kaspersky Security Center 14
Web Console from a browser (by default, 8080).

Figure 81 web console Address and Port


In the Account settings window, specify the account names and passwords. We keep the
default account names.


Figure 82 web console account settings


In the Client certificate window, select one of the following:

• Generate new certificate. This option is recommended if we do not have a
browser certificate.

• Choose existing. We can select this option if we already have a browser
certificate; in this case, specify the path to it.

We will generate a new certificate. A generated certificate is self-signed, so administrators'
browsers will warn until it is trusted; either distribute it to the administrators' trust stores
or replace it later with a certificate issued by the organization's PKI.

Figure 83 client certificate


In the Trusted Administration Servers window, make sure that the Administration
Server is on the list and click Next to proceed to the last window of the installer.

If we need to add a new Administration Server to the list, click the Add button. In the
opened window, specify the properties of a new trusted Administration Server:

Figure 84 Trusted Administration Servers


In the Identity and Access Manager (IAM) window, specify whether we want to
install Identity and Access Manager (also referred to as IAM). If we choose to install it,
specify the following port numbers:

• KAS administrator port. By default, port 4445 is used to receive configuration
from Kaspersky Security Center 14 Web Console for the OAuth 2.0 authorization
endpoint.

• Facade administrator port. By default, port 2444 is used for the configuration of
Identity and Access Manager.

• Facade interaction port. By default, port 2445 is used for the connection of the
Kaspersky OSMP KAS Service to the Kaspersky OSMP Facade Service.


Figure 85 IAM

The default port numbers can be changed here if required; they cannot be changed later
from Kaspersky Security Center 14 Web Console.

In the last window of the installer, click Install to begin the installation.

Figure 86 Completion of installation


After the installation successfully completes, a shortcut appears on the desktop, and we
can log in to Kaspersky Security Center 14 Web Console.

7.4 Kaspersky Endpoint Detection and Response Optimum


Kaspersky Endpoint Detection and Response (EDR) Optimum is a centralized, automated
tool that addresses advanced and targeted attacks while keeping the load on both staff and
IT resources low.

Kaspersky EDR adds protection to an existing EPP solution. The EPP specializes in
simpler mass attacks (viruses, Trojans etc.), while the EDR concentrates on advanced
attacks. With this solution, analysts see malware activity as well as events involving
legitimate software in the context of an attack, uncovering the whole kill chain.

Kaspersky EDR is fully integrated with the Kaspersky Enterprise Security EPP, and it can
also work with EPP solutions of other vendors. The EDR adds the following:

• Multi-host event visibility: aggregation of attack traces scattered around the IT
system.

• Detection with “heavy” methods, which require computing power that is not
available on regular user endpoints without affecting the users' workflow: advanced
pre-processing, sandboxing, heavy machine learning models including deep
learning, and others. Heavy methods provide better-quality detection.

• Expert tools for incident investigation, proactive threat hunting and attack response.

Essential EDR functionality:

• Clear visibility – discover threats on endpoints

o Avoid getting stuck in the black box – get vital information on automatic
detections and find lurking threats with Indicators of Compromise (IoC).

• Simple analysis – investigate the full scope

o Perform root cause analysis in a single incident card to understand
where a threat came from, how it developed and what it managed to do.

• Automated response – act quickly to avoid damage

o Use easy ‘single-click’ actions and in-product guidance to prevent
threats from spreading – and automation to respond to threats on
discovery.

Hardware and software requirements

Kaspersky Endpoint Agent has the following hardware and software requirements:

Minimum hardware requirements:

o Processor: 1.4 GHz (single core) or higher.

o RAM: 256 MB (512 MB if a 64-bit operating system is used).

o Free disk space: 500 MB.

Supported operating systems:

o Windows 7 SP1 Home / Professional / Enterprise 32-bit / 64-bit

o Windows 8.1.1 Professional / Enterprise 32-bit / 64-bit

o Windows 10 RS3 (version 1703) Home / Professional / Education / Enterprise
32-bit / 64-bit

o Windows 10 RS4 (version 1803) Home / Professional / Education / Enterprise
32-bit / 64-bit

o Windows 10 RS5 (version 1809) Home / Professional / Education / Enterprise
32-bit / 64-bit

o Windows 10 19H1 (version 1903) Home / Professional / Education / Enterprise
32-bit / 64-bit

o Windows 10 19H2 (version 1909) Home / Professional / Education / Enterprise
32-bit / 64-bit

o Windows 10 20H1 (version 2004) Home / Professional / Education / Enterprise
32-bit / 64-bit

o Windows 10 20H2 (version 2009) Home / Professional / Education / Enterprise
32-bit / 64-bit

o Windows Server 2008 R2 Foundation / Standard / Enterprise 32-bit / 64-bit

o Windows Server 2012 Foundation / Standard / Enterprise 32-bit / 64-bit

o Windows Server 2012 R2 Foundation / Standard / Enterprise 32-bit / 64-bit

o Windows Server 2016 Essentials / Standard / Datacenter 32-bit / 64-bit

o Windows Server 2019 Essentials / Standard / Datacenter 32-bit / 64-bit

For Kaspersky Endpoint Agent operation as a part of the Kaspersky Endpoint Detection
and Response Optimum solution:

o Kaspersky Security Center 14 or Kaspersky Security Center Cloud Console must
be installed.

o The application must be managed using Kaspersky Security Center Web Console
(12.1 or later; version 14 in this deployment) or the Cloud Administration Console,
respectively.

o Kaspersky Endpoint Agent must be installed as part of one of the following EPP
applications:

o Kaspersky Endpoint Agent 3.9 as a part of:

▪ Kaspersky Endpoint Security 11 for Windows: 11.4, 11.5.

▪ Kaspersky Security 11 for Windows Server.

o Kaspersky Endpoint Agent 3.10 as a part of:

▪ Kaspersky Endpoint Security 11.6 for Windows


7.4.1 Group and Policy Configuration

The first step after setting up Security Center is organizing the managed computers. In
most cases the best way is to split them into Workstations and Servers, so that separate
policies and tasks can be applied to each group while all sites are still managed under a
single workstation policy and a single server policy.

Figure 87 Kaspersky Security center managed computer

Installing the application

This section describes how to install Kaspersky Endpoint Security on a computer and
complete the initial configuration of the application.

Steps to install the application

1. Make sure that the computer meets the installation requirements.

2. On the welcome page of the installation wizard, click Next.

3. Review the License Agreement and Privacy Policy. In this section, select the following
checkboxes and click Next:

• the terms and conditions of this EULA

• Privacy Policy describing the handling of data

4. Select the application components to install. By default, all application components
are selected for installation except the following:

• BadUSB Attack Prevention

• File Level Encryption on local computer drives

• Full Disk Encryption

• Full disk encryption using BitLocker Drive Encryption technology

• Endpoint Sensor

Note: in this deployment these components are enabled as well, to make the endpoint
environment more secure.

5. Select the destination folder. During this step you can specify the path to the folder
where the application will be installed; click the Browse button to select it.

6. Prepare for the application installation. It is recommended to protect the installation
process, because the computer may already be infected by malicious programs that
could interfere with the installation of Kaspersky Endpoint Security. Installation process
protection is enabled by default.

7. Application installation. Installation can take some time; wait for it to complete. After
Kaspersky Endpoint Security is installed, the Initial Configuration wizard starts.

7.4.2 Activating the application

To use the features of the application and its additional services, the application must be
activated.

This section provides information about application activation and other instructions
related to licensing.

Steps to activate the application

1. Open the main application window; it displays information about the current license.

Figure 88 Kaspersky application activation

2. Click the license button in the lower part of the main application window. The Licensing
window opens.

3. In the Licensing window, click the Activate the application under a new license button.
The Application Activation Wizard starts.

4. Follow the instructions of the Activation Wizard.


7.4.3 Kaspersky Security Network

This section covers participation in Kaspersky Security Network (KSN). To protect
computers more effectively, Kaspersky Endpoint Security uses reputation data received
from KSN; Kaspersky Security Network is designed to supply such data.

Alongside KSN participation, the following protection components are enabled:

• Behavior Detection

• Exploit Prevention

• Remediation Engine

• Web Threat Protection

• Mail Threat Protection

• Host Intrusion Prevention

Creating and editing an application network rule

1. In the main application window, click the Settings button.

2. In the left part of the window, in the Essential Threat Protection section, select
Firewall.

3. Click the Application rules button.

4. In the list of applications, select the application or group of applications for which you
want to create or edit a network rule.

5. Right-click to bring up the context menu and select Application rights.

6. Select the Network rules tab in the Application rights window.

7. To create a new network rule, click the Add button.

8. In the Action drop-down list, select the action to be performed by Firewall on detecting
this kind of network activity:

• Allow

• Block

9. In the Name field, specify the name of the network service.

10. Specify the data transfer protocol.

11. In the Direction drop-down list, select the direction of the monitored network activity:

• Inbound

• Inbound / Outbound

• Outbound

12. In the Network rule window, click OK.

13. Click OK in the Application rights window.

14. In the Firewall window, click OK.

15. To save changes, click the Save button.

7.5 Kaspersky Total Security


Kaspersky Total Security for Business combines endpoint and server protection with web
and mail gateway security, addressing threats at every stage of an incursion, reducing
risk and keeping the organization, its data and its users safe.

The following new features and improvements are introduced in Kaspersky Total Security:

• Improved Web Anti-Virus component:

o Improved notification texts that warn about attempts to visit phishing or
potentially phishing websites.

o When HTTPS traffic scan is off, the Kaspersky Protection extension carries on
the protection.

• Improved interaction between the user and Technical Support. The application
now contains a link to Technical Support chat (not available in some application
versions).

• Improved notification about entering an activation code that is already in use.

• Fixed vulnerability issue that used to appear when creating Mozilla Firefox browser
files.

• Updated the installer icon consistent with the new brand style.

• Improved license expiration window.

• It is now possible to go to My Kaspersky light version directly from the application.

• It is now possible to hide the removable drive scan window.

• Added support for Microsoft Windows 10 21H1.

• Fixed vulnerability issue of arbitrary file deletion when saving the application
operation report for Technical Support.

• Fixed vulnerability issue of arbitrary file deletion when deleting service data and
application operation reports.

General requirements

• 1500 MB free disk space on the hard drive

• Processor that supports the SSE2 instruction set

• Internet access (for the application installation and activation, for the use of
Kaspersky Security Network, and for updating databases and application modules)

• Microsoft Windows Installer 4.5 or later

• Microsoft .NET Framework 4 or later


Before installation:

• Check that the computer meets the system requirements.

• Check whether any applications installed on the computer are incompatible with
Kaspersky Total Security. We recommend removing all incompatible software to
ensure that Kaspersky Total Security works correctly.

• Close all running applications.

7.5.1 How to install Kaspersky Total Security from the installation file
1. Download the Kaspersky Total Security installation package from the Kaspersky
website, or via the link in the email you received from the online store.
2. Run the downloaded installer.
3. Wait until the wizard finds the latest version of the application, or click Skip to
install the current version.

Figure 89 Welcome page

4. Click the link to review the License Agreement. If you agree to its terms, click
Continue.

Figure 90 EULA
5. Click the link to review the KSN Statement. If you want to participate in Kaspersky
Security Network, leave the corresponding checkbox selected.

6. Click Install.

Figure 91 Installation page

7. Wait for the installation to complete. Make sure the settings you want to apply are
selected and click Apply.

Figure 92 Recommendation
8. Click Done.

Figure 93 Completion of Installation

After the installation, activate Kaspersky Total Security.

7.5.2 How to use the application on multiple devices

If you intend to use the application on several computers:

1. Install Kaspersky Total Security on all the computers.

2. Activate Kaspersky Total Security on all the computers with the same
activation code.

The following options for Kaspersky Total Security activation are offered:

• Activate application. Select this option and enter an activation code. If you specify
an activation code for Kaspersky Internet Security or Kaspersky Anti-Virus in the
entry field, the procedure for switching to Kaspersky Internet Security or Kaspersky
Anti-Virus starts after activation is completed.

• Activate trial version of the application. Select this option if you want to install the
trial version of the application before deciding whether to purchase a license. You
will be able to use the application and all of its features during a short evaluation
period. When the trial license expires, the trial version of the application cannot be
activated a second time.

N.B. An Internet connection is required for activation of the application.

7.5.3 Post-installation recommendations


7.5.3.1 Update the databases for Kaspersky Total Security.
To run an update of databases and application modules:

1. Open the main application window and click the Database update
button. The Database update window opens.

2. In the Database update window, click the Run update button.

7.5.3.2 Check the protection status in the application main window.

Assessing computer protection status and resolving security issues

Problems with computer protection are symbolized by an indicator located in the upper part of the main
application window. Green indicates that your computer is protected. Yellow indicates that
there are protection problems and red indicates that your computer's security is at serious
risk. You are advised to fix problems and security threats immediately.

You can open the Notification Center window by clicking the Details button in the main
application window. This window provides detailed information about the protection status
of the computer and suggests possible actions for rectifying problems and threats.

Problems with protection are grouped by categories. For each problem, a list is displayed
of actions that you can take to solve the problem.

The Recommendations section lists actions that should be performed to optimize
operation of the application and use it more effectively.

The Show N ignored notifications section displays notifications to which the Ignore
action has been applied. Problems listed in this section do not affect the color of the
protection indicator in the main application window.

7.5.3.3 Run a full scan of the computer.


During a full scan, Kaspersky Total Security scans the following objects by
default:

• System memory

• Objects loaded on operating system startup

• System backup storage

• Hard drives and removable drives

We recommend running a full scan immediately after installing Kaspersky
Total Security on your computer.

To start a full scan:

1. Open the main application window.

2. Click the Scan button. The Scan window opens.

3. In the Scan window, select the Full Scan section.

4. In the Full Scan section, click the Run scan button.

Kaspersky Total Security starts a full scan of your computer.


8 DUO 2FA

8.1 Introduction
Duo is a two-factor authentication solution that helps organizations boost security by
verifying user identity, establishing device trust, and providing a secure connection to
company networks and applications.
What is two-factor authentication?
Two-factor authentication enhances security by requiring the use of a secondary device
at log in to verify your identity, so that a stolen or guessed password alone is not enough
for someone else to access your account.

How does Duo work?

When a user logs in—whether from their home office, the corporate office, or another
remote location—Duo uses two-factor authentication and a zero-trust approach to
security. Before granting access, Duo will:

• Verify user trust. Duo uses a second form of validation, such as a smartphone, to
verify that a user is who they say they are before granting them access.

• Establish device trust. Once access is granted, Duo enables your organization to
see every device that is connected to your network and applications and easily
monitor device health and compliance.

• Enforce adaptive policies. You can set access levels based on role, device,
location, and other relevant factors.

• Grant secure access to users. Get even more secure access, beyond what a VPN
can provide, and verify the identities of users from wherever they choose to log
in.

• Grant secure access to apps. Provide users with single sign-on (SSO) for a
consistently easy login experience. A user-friendly dashboard provides
streamlined access to company apps.

Setting up Duo for Multiple Devices

Duo provides multi-factor authentication that verifies your identity when you are
logging in to key EPSS applications. It is customizable: you can set it up to send you a
push, provide a passcode, or call you on a mobile device.

You can also enroll multiple devices (cell phones, tablets, or landlines) to ensure
that you can log in when you need to on the device you have at hand.

8.2 First-time Enrollment in Duo


Enrollment is the process that registers you as a user in Duo with a device capable of
performing two-factor authentication. Duo prompts you to enroll the first time you log into
a protected VPN or web application when using a browser or client application that shows
the interactive Duo web-based prompt. Follow the on-screen prompts to set up your Duo
authentication device.

Instead of enrolling when you log in to an application, you might receive an email from
your organization's Duo administrator with an enrollment link. This emailed link
takes you directly to the Duo enrollment portal. You'll see either the Universal Prompt
experience shown on this page or enrollment in the traditional Duo prompt depending on
your organization's email enrollment configuration.

Step One: Introduction

Logging into a Duo-protected application enabled for self-enrollment takes you to the
device management page to enroll. Click Next to learn why protecting your identity with
two-step verification is important and begin the setup process.

Figure 94 Welcome

Step Two: Choose Your Verification Method

Click the device type in the list that matches your desired authentication experience:


• Touch ID: Use the fingerprint sensor on Apple MacBooks and Magic
Keyboards. Requires Chrome 70 or later.

• Duo Mobile: Approve Duo Push verification requests on iOS or Android
devices, or generate a one-time passcode from the Duo Mobile app.

• Security key: Tap a WebAuthn/FIDO2 security key. Requires Chrome, Safari,
Firefox, or Edge.

• Phone number: Receive a one-time passcode in an SMS message or approve
a login attempt with a phone call from Duo.

Only your organization's Duo administrator or help desk can add hardware tokens and
Yubikey OTP tokens for you. These verification options do not show up in the list of
available options. Neither do any methods that your organization blocks from use; if your
Duo administrator applied a policy that doesn't allow authentication with text messages
or phone calls, the "Phone number" option will be missing when you enroll.

Duo recommends the most secure option of the methods available to you, so it's a good
idea to set up that method first if you have a device that supports it. SMS passcodes and
phone calls are the weakest of these methods (they are exposed to SIM-swap and
call-forwarding attacks); prefer a security key or Duo Push where the device supports them.


Figure 95 login option


Step Three: Add Your Chosen Method

Once you choose how to verify your identity, you will next complete the setup steps for
that method.

Touch ID

In order to use Touch ID with Duo, make sure you have the following:

• A MacBook Pro, MacBook Air, or Apple Magic Keyboard with a Touch ID button.

• A fingerprint enrolled in Touch ID (see how to do this at the Apple Support site).

• Chrome 70 or later. Safari and other browsers on macOS are not supported.

1. Read the Touch ID information and click Continue.

2. Chrome prompts you to verify your identity on duosecurity.com.

3. Place your finger on the Touch ID button to complete Touch ID enrollment.

4. When you receive confirmation that you added Touch ID as a verification
method click Continue.

You can now log in to Duo-protected applications that show the Duo prompt in a web
browser using your fingerprint sensor.

If you have more than one MacBook with which you'd like to approve Duo login requests
using Touch ID, you'll need to add each of them separately as a new Touch ID device in
Duo. To do this, your organization must have enabled self-service device management.

Duo Mobile

Duo Mobile is an app that runs on iOS and Android phones and tablets. It's fast and easy
to use, and doesn't require cell services. Duo pushes login requests to Duo Mobile when
you have mobile data or wifi connectivity to the internet. When you have no data service,
you can generate passcodes with Duo Mobile for logging in to applications.

The current version of Duo Mobile supports iOS 13.0 or greater and Android 8 or greater.


1. Select your country from the drop-down list and type your mobile phone
number, and then click Add phone number.

If you're going to use Duo Mobile on a tablet (like an iPad) with no phone
service, don't enter a phone number and click I have a tablet instead.

2. If you entered a phone number, double-check that you entered it correctly and
click Yes, it's correct to continue (or No, I need to change it to go back and
enter the number again).

If the phone number you entered already exists in Duo as the authentication device for
another user then you'll need to enter a code sent to that number by phone call or text
message to confirm that you own it. Choose how you want to receive the code and enter
it to complete verification and continue.

3. Download and install Duo Mobile on your phone or tablet from the Google Play
Store or Apple App Store. Once you have Duo Mobile installed click Next.

4. Open the Duo Mobile app on your phone or tablet and add this account by
scanning the QR code shown on-screen.

If you aren't able to scan the QR code, tap Get an activation link instead and then enter
your email address to send the activation link to yourself. Follow the instructions in the
email to activate the new account in Duo Mobile.

5. When you receive confirmation that Duo Mobile was added click Continue.


You can now log in to Duo-protected applications with Duo Push or with a Duo Mobile
passcode.

Security Key

A security key is an external device that when tapped or when the button is pressed sends
a signed response back to Duo to validate your login. Duo uses
the WebAuthn authentication standard to interact with your security keys. You may also
see WebAuthn referred to as "FIDO2".

To use a security key with Duo, make sure you have the following:

• A supported security key. WebAuthn/FIDO2 security keys
from Yubico or Feitian are good options. U2F-only security keys (like the
Yubikey NEO-n) can't be used with the Universal Prompt.

• A supported browser: Chrome, Safari, Firefox, or Edge. Refer to the Universal
Prompt browser support table for minimum browser versions with security key
support in Duo.


1. Read the security key information and click Continue.

2. Your browser prompts you to tap your security key to use it with Duo (Chrome
example shown).

3. When you receive confirmation that you added your security key as a verification
method click Continue.

You can now log in to Duo-protected applications that show the Duo prompt in a web
browser using your security key.

Phone for Call or Text

This option is suitable for mobile phones that can't run Duo Mobile, or office phones and
landlines.

1. Select your country from the drop-down list and type your phone number, and
then click Add phone number.


If this phone number is a landline and can't receive text messages, select the This is a
landline phone option before continuing.

2. If you opted to add a landline, you can enter the landline's extension on the next
screen and click Add extension or click Skip this step if you do not need to enter
an extension for your landline.


3. Verify that the phone number shown (and landline extension, if you entered one)
is accurate and click Yes, it's correct to continue (or No, I need to change it to
go back and enter the number again).

If the phone number you entered already exists in Duo as the authentication device for
another user then you'll need to enter a code sent to that number by phone call or text
message to confirm that you own it. Choose how you want to receive the code and enter
it to complete verification and continue.

4. When you receive confirmation of adding the new mobile phone number for text
messages or calls, click Continue to log in to the application with a passcode
received via text message or a phone call from Duo.


If you added a landline phone number, click Continue to log in to the application with a
phone call from Duo.


8.3 Add or Manage Devices After Enrollment


If enabled by your administrator, you can add additional verification methods, manage your
existing devices, or reactivate Duo Mobile for Duo Push from the Duo Universal Prompt.

When logging in to an application with the Universal Prompt, click the Other options link on the
authentication page to view your list of available methods. If your organization enabled self-
service device management then you'll see a Manage devices choice at the end of the list. Click
that to enter the device management portal.

To access the device management you'll first need to verify your identity, just as you do when
logging in to a service or application protected by Duo. Click on an available option to verify your
identity. If you're visiting device management to delete or update a device you don't have anymore
(such as a phone you lost or replaced), be sure to pick a verification option that you still have with
you. If you don't have any devices you can use to authenticate to device management, contact
your organization's Duo administrator or help desk.

After approving a Duo authentication request, you can see all your registered devices in the device
management portal.


8.4 Add Another Device


To add a new method of verifying your identity in Duo, click Add a device and select one
of the verification options.


Duo takes you through the steps of adding the new device, just like first-time enrollment.
The difference between adding a new device from device management and during first-
time enrollment is that when you have finished enrolling the new device you return to the
device management page to view all your registered devices, including the new one,
instead of continuing to log into an application.


8.5 Rename or Remove a Device


Click Edit and then Rename to give a device a new name to help you identify it. This new
name shows up in the verification method list and on the authentication page when you
log in with Duo to make it easier for you to identify which device you're using.


To delete a device, click Edit and then Remove. You'll be able to confirm that you want
to remove this device before deleting it. Once deleted, a verification device can't be
restored, but if you still have the device available you can add it again. You can't delete
your only identity verification device.


9 Cisco ISE Installation


9.1 About Cisco Identity Services Engine (ISE)

Cisco Identity Services Engine (ISE) is an identity-based network access control and policy
enforcement system. It is a common policy engine for controlling endpoint access and
network device administration for your enterprise. ISE allows an administrator to centrally
control access policies for wired, wireless, and VPN endpoints in the network.

ISE builds context about the endpoints that includes users and groups (Who), device type
(What), access time (When), access location (Where), access type
(Wired/Wireless/VPN) (How), and threats and vulnerabilities. Through the sharing of vital
contextual data with technology partner integrations and the implementation of Cisco
TrustSec® policy for software-defined segmentation, Cisco ISE transforms the network
from simply a conduit for data into a security enforcer that accelerates the time to
detection and time to resolution of network threats.

Cisco Identity Services Engine (ISE) can be installed on Cisco SNS hardware or virtual
appliances. To achieve performance and scalability comparable to the Cisco ISE
hardware appliance, the virtual machine should be allocated system resources equivalent
to the Cisco SNS 3500 or 3600 series appliances.

9.2 Hardware and Virtual Appliance Requirements for Cisco ISE


This section lists the hardware, software, and virtual machine requirements for installing
Cisco ISE.

Cisco ISE supports the following VMware virtual machine hardware versions and ESXi releases:

• VMware virtual hardware version 8 (default) for ESXi 5.x (5.1 U2 minimum)

• VMware virtual hardware version 11 (default) for ESXi 6.x

• VMware virtual hardware version 13 (default) for ESXi 7.x

Cisco ISE offers the following OVA templates that you can use to install and deploy Cisco
ISE on virtual machines (VMs):

Table 1: Cisco ISE specification

Requirement Type            Specifications

CPU                         Clock speed: 2.0 GHz or faster
                            Number of cores: Small 12; Medium 16; Large 16

Memory                      Small: 16 GB; Medium: 64 GB; Large: 256 GB

Hard Disks                  300 GB to 2.4 TB of disk storage (size depends on
                            deployment and tasks).

Storage and File System     The storage system for the Cisco ISE virtual appliance
                            requires a minimum write performance of 50 MB per second
                            and a read performance of 300 MB per second. Deploy a
                            storage system that meets these performance criteria and
                            is supported by the VMware server.
                            You can use the show tech-support command to view the
                            read and write performance metrics.
                            We recommend the VMFS file system because it is most
                            extensively tested, but other file systems, transports,
                            and media can also be deployed provided they meet the
                            above requirements.

Disk Controller             Paravirtual or LSI Logic Parallel

NIC                         1 NIC interface required (two or more NICs are
                            recommended; six NICs are supported). Cisco ISE supports
                            E1000 and VMXNET3 adapters.

VMware Virtual Hardware     VMware Virtual Machine Hardware Version 8 or higher on
Version/Hypervisor          ESXi 5.x (5.1 U2 minimum) and 6.x.

9.3 Install Cisco ISE


Step 1 Open VMware vSphere client.

Step 2 Log in to VMware host.

Step 3 Choose File > Deploy OVF Template from the VMware vSphere Client.

Step 4 Click Browse to select the OVA template and click Next.


Step 5 Confirm the details in the OVF Template Details page and click Next.

Step 6 Enter a name for the virtual machine in the Name and Location page to uniquely
identify it and click Next.

Step 7 Choose a data store to host the OVA.

Step 8 Click the Thick Provision radio button in the Disk Format page, and click Next.

Cisco ISE supports both thick and thin provisioning. However, we recommend that
you choose thick provisioning for better performance, especially for Monitoring
nodes. If you choose thin provisioning, operations such as upgrade, backup and
restore, and debug logging that require more disk space might be impacted during
initial disk expansion.

Step 9 Verify the information in the Ready to Complete page. Check the Power on after
deployment check box.

Step 10 Click Finish.

After the VM boots, the console shows the available boot options. Select option one,
Cisco ISE Installation (Keyboard/Monitor), and press Enter.

Figure 96 Cisco ISE installation initial wizard


The ISE installation begins; allow approximately 30 minutes for the installation process
to complete. After the installation is complete the VM reboots, and the console prompts
the user to log in.


Type setup to start the initial ISE configuration. Then enter the username (default is
admin) and a password; this password is used for both CLI and web GUI access, so choose
a strong one.

When prompted, enter the appropriate IP address, netmask, default gateway, DNS, NTP,
and time zone information.

Figure 18 Cisco ISE initial Management configuration


After the initial management configuration, the installation will proceed and complete.

Once the configuration of ISE is completed, you should have access to the login prompt


Figure 19 Cisco ISE command login


9.4 Define your BYOD requirements.
BYOD, as the term states, is about bringing in and connecting personal devices to the
managed network. This is a simple enough concept, but the "connecting" part can mean
different things for different customers. For some it could simply mean
connecting to the guest network to access the Internet; for others it could mean providing
access to internal resources as well as the Internet; and for yet others it could mean
provisioning digital certificates and an MDM agent, giving the network administrator some
control over the devices, and providing access to internal resources not available to guest
users. It is therefore important to define the requirements for BYOD access. Requirements
may include: who will be allowed to bring in personal devices and how technically savvy
those users are; which level of access will be given to BYOD devices; what types of devices
will be allowed to connect; and how the endpoint devices will be onboarded onto the
network to ensure they are securely configured. The following sections provide
guidance on these requirements.

9.5 Solution Deployment Considerations

Figure 97 Solution Deployment Considerations


There are different ways to onboard endpoints to the network. One way is to simply let
users connect their personal devices to the existing guest or internal network, where the
endpoint gets Internet-only access or, in the case of the internal network, the same level of
access as managed devices (this gives unmanaged devices the same reach as managed ones
and is the least secure option). The other end of the spectrum is where the
endpoint is onboarded via the ISE BYOD flow. When ISE BYOD onboards the endpoint, ISE
can issue a Certificate Authority (CA) signed certificate as well as automatically configure
the endpoint's network settings to use that signed certificate to gain
network access. At the same time, ISE can mark the device as a BYOD endpoint and also
tie the endpoint to the user. Furthermore, the end user can log on to the ISE My Devices
portal to manage the endpoints that he/she owns without involving the IT
team.

When it comes to ISE BYOD, there are two distinct ways to design the user experience
flow: the Single SSID BYOD flow and the Dual SSID BYOD flow.

9.6 Endpoint Onboarding


When leveraging ISE for BYOD, there are a few actions that the endpoint needs to perform:
starting communication with the proper ISE node via the BYOD portal,
generating a key pair, submitting a certificate signing request, and configuring the
network profile. Some operating systems provide these functions natively while others require
downloading and temporarily running an application to assist with the flow. Apart from
Apple mobile devices (iOS), ISE leverages the Network Setup Assistant (NSA, also known as the
Supplicant Provisioning Wizard (SPW)) to ease the BYOD flow for users. NSA is an
application that is downloaded to the endpoint either from ISE itself or from the app store
for each of the endpoint types. NSA assists the user to generate a key pair, install the
signed certificate, and configure network and proxy settings on the endpoint.


9.6.1 Windows OS & macOS

Figure 98 Windows OS & macOS onboarding


For Windows and macOS, the NSA is hosted on the ISE PSN itself. When the endpoint
goes through the onboarding flow, ISE instructs the user to download and install NSA, which
in turn guides the user through the BYOD process. Since newer versions of
Windows and macOS are regularly introduced, the admin user will need to update
the NSA on ISE periodically to ensure support for newer OS releases.

9.6.2 Apple mobile devices (iOS)

Figure 99 Apple mobile devices (iOS) onboarding


Apple iOS works differently from other operating systems in that it does not require the ISE NSA
application for the BYOD flow. Rather, ISE leverages iOS' existing capabilities (Apple Over-
the-Air (OTA) enrollment) to generate the key pair, install the signed certificate, and configure
Wi-Fi settings. Even though ISE is leveraging OTA, iOS gets its instructions from ISE in the
form of profiles which get installed on the device. As there are no applications to download,
iOS can be onboarded without access to the Apple App Store.


9.6.3 Android devices

Figure 100 Android devices onboarding


For Android devices, ISE forces installation of NSA during the onboarding flow if it is
not installed already. NSA assists the user to generate the key pair, install the signed certificate,
and configure Wi-Fi settings. Since Android devices download applications from the Google
Play Store, the temporary ACL assigned during the onboarding flow needs to be modified to
allow such access. Since it is not practical to use an IP address based ACL to allow access
to the Play Store, it is recommended to use a DNS-based ACL on the NAD to allow access. This
ensures that access to the Play Store is allowed even when the IP addresses of the services
behind it change. Keep that DNS ACL limited to the Play Store domains so the
pre-authentication ACL does not turn into general Internet access. Aside from allowing
access to the Play Store, it is also recommended to guide users to pre-download NSA via
other means, such as the cellular network or a different WLAN, to simplify the onboarding
process when the endpoint is connected to the network.

9.6.4 Unsupported Endpoints


ISE supports Windows, macOS, iOS, Android, and Chromebooks for the
BYOD flow. For other operating systems, ISE global settings can be toggled to determine what access
will be given to unsupported devices. You can dictate what level of access will be given
in the case of unsupported devices using policy, or unconditionally provide network
access; the policy-based option is preferred, because unconditional access grants the
device a foothold without any certificate-based identity. Another option is to manually
onboard devices by issuing certificates from the certificate portal and configuring network
settings to connect to the network. You can further secure the network by requiring
endpoints to be registered in ISE via the My Devices portal. Lastly, if the dual SSID BYOD
flow is used, you can provide an option for Internet-only access if the user chooses not
to go through the BYOD flow.


9.6.5 Digital Certificates


ISE relies on digital certificates for various aspects of the solution. As noted above, ISE
uses certificates to identify itself to endpoints for EAP, but it also uses certificates
to identify itself for web portals. In some cases the EAP identity certificate and the web portal
certificate are different, but in many cases the same certificate is used for
both to reduce management cost. This is especially true when the certificate is signed
by a well-known Certificate Authority (CA). If a public CA is used for the EAP server
certificate, configure supplicants to validate the server name (and pin the issuing CA where
the OS allows it); otherwise any certificate from that public CA would be accepted by the
endpoint, including one presented by a rogue access point.

One of the main benefits of ISE BYOD is that ISE can provide signed certificates for the
endpoints as part of the BYOD flow. For endpoint certificates, ISE can use its internal CA
to issue signed certificates. ISE ships with an internal PKI which can be
integrated with the customer's existing PKI infrastructure and also provides a web portal to
manage endpoint certificates. Here are the characteristics of the ISE internal CA:

- Generally used for BYOD

- Can also be used for other purposes such as securing pxGrid communication

- Full certificate lifecycle management including multiple templates, expiry, and revocation
(OCSP)

- Supports validity dates up to 10 years for endpoint certificates

- Supports up to 1 million certificates

9.7 Single vs. Dual SSID Flow


9.7.1 Single SSID flow:

Figure 101 Single SSID flow


As its name signifies, there is only one SSID used for onboarding, which is secured
by 802.1X. The user initially connects using username/password and is registered, then
optionally gets a signed endpoint certificate issued to the endpoint which is used to
reconnect to the same SSID and gain elevated access.

9.7.2 Dual SSID flow:

Figure 102 Dual SSID flow


In the case of the dual-SSID flow, the user initially starts on one SSID which may be shared with
guest access. Once onboarded, the endpoint is reconnected to the secured SSID to
gain elevated access. The initial SSID may be secured via WPA-PSK if the WLC supports
WPA-PSK and ISE-NAC (RADIUS NAC) on the same WLAN.

Note that when the guest portal is used for the BYOD flow, all employee users will go through the
same BYOD portal, as the BYOD portal is tied to the guest portal. Instead of using the
BYOD portal that is tied to the guest portal as seen above, multiple BYOD portals can be
used based on authorization conditions. This allows, for instance, different user
groups to have different BYOD portals and also allows each group to register its devices
into a different endpoint group.

9.8 Define Network Device


1. Go to Administration > Network Resources > Network Devices

2. Click on Add

3. Provide Name, IP

4. Check RADIUS Authentication Settings and the section will expand for more
options

5. Provide Shared Secret

6. Click Save

Attribute               Value

Name                    Name of the NAD

IP                      IP address of the NAD

RADIUS Shared Secret    Shared secret between ISE and the NAD

Use a long, random shared secret and a different one for each NAD (or at least for each
site). RADIUS relies on this secret to hide passwords and keying material and to
authenticate ISE's replies, so a secret that is guessable or shared everywhere lets an
attacker on the path read PAP passwords and forge Access-Accept messages for every
device that uses it.
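The shared secret in the table above is the only thing that protects the RADIUS exchange between the NAD and ISE. The following added example (written for this document; it is not Cisco ISE, Duo or vendor code, and the usernames, passwords and secret are constructed) builds an RFC 2865 Access-Request the way a NAD does, hides the User-Password with the secret, parses it the way the server does, and verifies the Response Authenticator on the reply. Running it with a mismatched secret shows what a misconfigured NAD looks like: the password decrypts to garbage and the reply fails verification, with no parse error on either side.

```python
"""Added example (not Cisco ISE code): RFC 2865 Access-Request between a NAD and
RADIUS server, showing what the per-NAD shared secret actually does.
The secret never crosses the wire: it hides User-Password and authenticates the
server's reply. Usernames, passwords and secrets below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CALLING_STATION_ID = 1, 2, 31


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         calling_station_id: str) -> bytes:
    """What the NAD sends: 20-byte header with a random Request Authenticator,
    followed by type/length/value attributes."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (ATTR_CALLING_STATION_ID, calling_station_id.encode())]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """What the server does: walk the attributes and recover the password with the
    NAD's secret. A wrong secret does not raise; it yields garbage, so a secret
    mismatch surfaces as failed credentials rather than as a parse error."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, fields, pos = packet[4:20], {"id": ident}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            fields["user_name"] = value.decode()
        elif atype == ATTR_USER_PASSWORD:
            fields["user_password"] = reveal_password(
                value, secret, request_auth).decode("utf-8", "replace")
        elif atype == ATTR_CALLING_STATION_ID:
            fields["calling_station_id"] = value.decode()
        pos += alen
    return fields


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAD side: a reply whose authenticator does not match is dropped (forged,
    replayed against a different request, or built with a mismatched secret)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = os.urandom(24)  # the per-NAD secret configured on both sides
    req = build_access_request(7, secret, "alice", "P@ssw0rd!", "00-1A-2B-3C-4D-5E")
    print(parse_access_request(req, secret))
    print(verify_response(build_response(ACCESS_ACCEPT, req, secret), req, secret))
    print(verify_response(build_response(ACCESS_ACCEPT, req, b"wrong"), req, secret))
```

In the BYOD flow the endpoint authenticates with EAP, so the User-Password attribute is rarely present, but the Response Authenticator check and the MD5-based construction apply to every RADIUS reply. That is also why RADIUS between the NADs and ISE should stay on a management network or be carried over IPsec or RadSec rather than cross untrusted segments.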

9.9 Define Global settings

Figure 103 Define Employee Registered Devices


To Control how many devices that can be registered by each user, go to Work Centers >
BYOD > Settings > Employee Registered Devices and change the value in the box. The
default is 5 devices, but can be set between 1 to 999 devices. Note that this applies to all
BYOD users globally.

The Retry URL allows the administrator to configure a URL that ISE uses to force a new URL
redirect when the initial onboarding flow failed for any reason. For instance, if the user
abandoned the onboarding flow in the middle and came back, the existing session may
have been torn down and the user will need to re-initiate the flow. ISE re-initiates this by
forcing the browser to try the retry URL specified in the setting. By default, if the Retry
URL is not specified, ISE uses 1.1.1.1 to force a redirect. Note that 1.1.1.1 is a publicly
routed address (Cloudflare's public DNS resolver); it only works as a retry target because
the redirect ACL on the NAD intercepts the HTTP request before it leaves the network, so
confirm the redirect ACL covers it or configure an explicit retry URL.

By default, devices without NSA support follow the main authorization policy for network
access, but to allow network access unconditionally for unsupported devices, select
'Allow Network Access' for the 'Native Supplicant Provisioning Policy Unavailable' option.
Use this with care: it grants unsupported devices access without a certificate-based
identity, so leave it off unless an authorization rule limits what such devices can reach.


Figure 104 Define client provisioning.

9.10 Managing and Defining Certificate Template


The existing certificate template should work for most environments, but it is recommended to
change the subject attributes to reflect the site where ISE is being deployed. Additionally,
certificate properties such as key type, key size, and validity period can be changed in
the template as well. To change the subject attributes (organization, organizational unit, city,
state, and country) and other certificate properties, follow the steps below.

1. Go to Administration > System > Certificates > Certificate Authority > Certificate Templates

2. Click on Add (or Edit to edit the default 'EAP_Authentication_Certificate_Template')

3. Enter site-specific information in the Subject fields. The CN field is auto-populated by ISE with the user ID of the user going through the BYOD process

4. ISE also auto-populates the endpoint MAC address into the certificate SAN field. The endpoint MAC address is collected during the initial authentication of the endpoint, either via MAB or 802.1X, and embedded into the certificate for security purposes. By doing so, ISE policy can be crafted to match the actual endpoint MAC address against the certificate MAC address, preventing BYOD-issued certificates from being used on any endpoint other than the one they were issued for.

5. The template also allows settings to change the Key Type (RSA or ECC), Key Size, and Valid Period. The validity period for the certificates can be changed from the default of 2 years to a maximum of 10 years. Note that newer client OS require a key size of 2048 or bigger


Table 2: Defining Certificate Template

Attribute | Value
--- | ---
Name | Name of the certificate template. Provide a descriptive name, as this field can be used as an AuthC/AuthZ condition.
Subject | CN is auto-populated with the username that is going through the BYOD flow. Other attributes can be entered here to reflect the site. If differentiating endpoints or users based on the certificate is needed, any of the attributes here can be changed and used during AuthZ to provide differentiated access. For instance, if OU=HR, the endpoint can have access to HR resources, while other endpoints cannot access HR resources.
Subject Alternative Name (SAN) | Currently, the only value available is the MAC Address. The MAC Address is pulled from the RADIUS session of the endpoint that initiated the BYOD flow. This is one way ISE allows the admin user to tie the certificate to the actual endpoint it was signed for.
Key Type | RSA or ECC. ECC is currently supported by Windows and Android devices only.
Key Size | 1024, 2048, 4096. For compatibility, the recommended minimum value is 2048.
SCEP RA Profile | ISE Internal CA. If using SCEP to a 3rd-party CA, this setting can be changed to send the certificate signing request to the 3rd-party CA.
Valid Period | 1 day to 10 years. Classic case of security vs. convenience.
Extended Key Usage | For BYOD use, only the Client Authentication option needs to be checked.


Figure 105 Defining Certificate Template

9.11 Defining BYOD Profiles and Resources


Here you can manage the Windows and macOS Network Setup Assistant (NSA) and also compile Native Supplicant Profiles (NSP). There are two predefined NSPs: one for Chromebook and another shared among all other supported OS. With Chromebook, much of the network settings are pushed via G-Suite, so the only setting to change within the NSP is which certificate template is to be used. For other OS, multiple wireless profiles can be automatically defined and created for any WLANs. Within the wireless settings, the proxy settings, WPA settings, EAP type, and certificate template can be configured.

The Native Supplicant Profile (NSP) controls the certificate signing template, wireless settings, proxy settings, EAP type, and wired network settings. At minimum, the existing NSP needs to be modified to reflect the SSID name of the secured WLAN that is used. Follow the steps below to make changes to the existing NSP or create a new NSP. If creating a new NSP, then the Client Provisioning policy needs to be modified to use the newly created NSP.

1. Go to Policy > Policy Elements > Results > Client Provisioning > Resources

2. Edit Cisco-ISE-NSP (or Add > Native Supplicant Profile)

3. If editing the default NSP, there is an existing SSID 'ISE', which can be edited for the secure SSID used on site. Edit the default SSID by checking it and clicking on Edit

4. Change the SSID Name

5. (Optional) Configure proxy-related settings

6. It is recommended to leave Security set to WPA2 Enterprise

7. For Allowed Protocol, select among TLS (for digital certificates), PEAP (for username and password), or EAP-FAST (for macOS and iOS). Note that if TLS is used, a certificate template needs to be selected as well.

8. Expand Optional Settings to configure additional settings:

   a. For Windows endpoints, use of the machine or user store for certificates and SSID broadcast settings can be set here

   b. For iOS devices, SSID broadcast settings can be set here

9. Click Submit

10. If a wired interface is to be used, then the 'Wired Profile' check box can be enabled for Windows and macOS

Within the Client Provisioning Resources page, updated versions of the NSA for Windows and macOS can be downloaded. To download the latest NSA, follow the directions here:

1. Click on Add > Agent Resources from Cisco site

2. After the screen refreshes there will be a list of available agents that can be downloaded from the Cisco site. This includes the NSA as well as posture agents (if the ISE node does not have access to the Internet, this page will not be able to download the NSA; in that case, download the NSA manually from cisco.com and add it by using Add > Agent Resources from local disk). Select the latest version of MacOsXSPWizard x.x.x.x and WinSPWizard x.x.x.x.

3. Click Save


4. Once downloaded, the newly downloaded NSA can be used in Client Provisioning
Policy

9.12 Manage Client Provisioning policy


The Client Provisioning policy dictates which OS will be supported and which NSP will be used. The designation of the NSP also controls which certificate template will be used to sign endpoint certificates. Also, if a new NSA has been downloaded, the Client Provisioning policy can be updated to reflect which NSA will be used to assist the user in onboarding the device. This may be necessary when new versions of endpoint OS have been introduced to the market.

Figure 106 Agent configuration


Lastly, note that this same policy also affects posture client provisioning, which controls which type of posture agent and compliance module will be enforced. Although two different client settings are present in a single rule, ISE can enforce different client settings based on the flow. The top portion titled 'Agent Configuration' controls the posture agent for the rule, while the bottom portion titled 'Native Supplicant Configuration' controls settings for BYOD provisioning. The following shows the default Client Provisioning policy on a newly installed ISE 3.2 system, which includes policy rules for ISE-supported OS.


Figure 107 client provisioning policy


In general, the existing client provisioning policy should work for most environments; however, if a new NSA for Windows or macOS has been downloaded, then the client provisioning policy will need to be updated to reflect the change. Also, if a native supplicant profile other than the system-provided one is used, then the client provisioning policy needs to be updated to reflect the change. Lastly, if a separate NSP is required for a certain set of users, 'Other Conditions' can be modified to match certain user groups to a specific NSP. To create a new Client Provisioning rule:

1. Go to Policy > Client Provisioning

2. All of the OS policies are already predefined; however, if a new policy is needed, click on the down arrow on the right of any rule and select 'Insert new policy …' (Note that the policy works top-down, so if there is a more specific rule that needs to be matched, ensure that the new rule is above the other rules)

3. Provide a Rule name

4. If the rule should match on a certain internal user or endpoint group, it can be specified here

5. Select Operating Systems. If a specific version of Windows or macOS needs to be specified, it can be specified here

6. Use Other Conditions to further qualify the policy rule. AD groups/attributes, location, EAP types, etc. can be used here.

7. The Result section dictates the version of NSA and the NSP. Note that the version is only available if Windows or macOS is selected for the Operating Systems, as these two OS download the NSP directly from the PSN, while other OS rely on native capability or on cloud resources.

9.13 Creating policy for Single-SSID BYOD flow


When ISE is installed, there is a set of AuthZ policy rules pre-created for the BYOD flow. Although the policy rules are in place, they are deactivated. The admin user can simply enable the two rules to activate the BYOD policy. The two rules are 'Employee_EAP-TLS' and 'Employee_Onboarding'.

When the user connects to the secured SSID using username and password, the user's endpoint does not have a digital certificate, so the session will match the 'Employee_Onboarding' policy rule, which forces the endpoint to be onboarded. As the endpoint goes through the onboarding flow, the endpoint MAC address is registered to ISE and the signed certificate is provisioned to the endpoint; at that point the endpoint will be forced to reauthenticate to the same SSID, where the session will match the 'Employee_EAP-TLS' policy rule and the endpoint gets the PermitAccess permission.

Figure 108 Creating policy for Single-SSID BYOD flow

Although the pre-configured policy rules work for simple deployments, when setting up ISE authentication and authorization policies it is recommended to create a separate policy set for each SSID. By doing so, the policies are much easier to view and more predictable. Here we are going to create a policy set for the secured SSID used for the single-SSID BYOD flow. Initially the endpoints associate to the SSID using username and password via PEAP-MSCHAPv2. When the user opens a web browser, instead of reaching the intended destination or home page, the user is redirected to the BYOD portal, where the user is guided through the steps to get the endpoint onboarded.

1. Go to Policy > Policy Sets

2. Click on ‘+’

3. Change the new policy set name to ‘Secured SSID’

4. In the conditions use ‘Normalized RADIUS : SSID ends with SECURED’

5. Click on Use

6. Select Default Network Access for Allowed Protocols

7. Click Save

8. Click on ‘>’

9. Click on ‘>’ on Authorization policy

10. Click ‘x’ on Deny Access on Results:Profiles Column

11. Select NSP_Onboard

12. Click ‘+’ above default rule

13. Change name to ‘TLS’

14. Click on ‘+’

15. In the conditions use 'Network Access:EapAuthentication equals EAP-TLS' (Other conditions, such as matching the certificate SAN against the MAC address learned from the RADIUS session, as well as the BYOD registered status, can be used here as well)

16. For Results:Profiles Column select PermitAccess

17. Click Save
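As an added example (not code from the LLD or from Cisco ISE), the 'Secured SSID' policy set above modelled in Python, including the optional condition from step 15 that the certificate SAN MAC must equal the MAC learned from the RADIUS session. The Called-Station-Id format, the dataclass layout and all sample MACs and SSIDs are assumptions made for the example.

```python
"""Added example, not code from the LLD or from Cisco ISE: a model of the
'Secured SSID' policy set above, including the optional step-15 condition
that the certificate SAN MAC matches the MAC learned from the RADIUS session.

Assumptions: session attributes are supplied as a dataclass; the WLC sends
Called-Station-Id as '<AP-MAC>:<SSID>'; the client certificate SAN carries
the MAC that ISE embedded at onboarding (section 9.10, step 4).
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Called-Station-Id '<AP-MAC>:<SSID>' with the AP MAC in colon or hyphen form.
_CSID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(.*)$")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or
    001122334455 to lower-case colon form. Anything that is not exactly 12 hex
    digits yields None, so a malformed SAN can never match a session MAC."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ssid_of(called_station_id: str) -> str:
    """Normalized-RADIUS style SSID extraction: drop the AP MAC prefix."""
    m = _CSID_RE.match(called_station_id)
    return m.group(1) if m else called_station_id


@dataclass
class Session:
    called_station_id: str                # '<AP-MAC>:<SSID>' from the WLC
    calling_station_id: str               # endpoint MAC as the NAD reports it
    eap_authentication: str               # 'EAP-TLS', 'EAP-MSCHAPv2', ...
    cert_san_mac: Optional[str] = None    # SAN of the presented client cert
    byod_registered: bool = False         # endpoint registered during onboarding


def in_secured_policy_set(s: Session) -> bool:
    """Policy set condition: Normalized RADIUS : SSID ends with SECURED."""
    return ssid_of(s.called_station_id).upper().endswith("SECURED")


def authorize(s: Session) -> Tuple[str, str]:
    """Evaluate the policy set top-down and return (rule name, profile).

    'TLS' rule: EAP-TLS, SAN MAC equal to the session MAC, endpoint
    BYOD-registered -> PermitAccess. Everything else in the policy set hits
    the default rule -> NSP_Onboard, so a certificate presented from a
    different endpoint (SAN MAC != session MAC) is sent back through
    onboarding rather than granted access.
    """
    if not in_secured_policy_set(s):
        return ("other policy set", "not modelled here")
    session_mac = normalize_mac(s.calling_station_id)
    san_mac = normalize_mac(s.cert_san_mac) if s.cert_san_mac else None
    if (s.eap_authentication == "EAP-TLS"
            and san_mac is not None
            and san_mac == session_mac
            and s.byod_registered):
        return ("TLS", "PermitAccess")
    return ("Default", "NSP_Onboard")


# Constructed sample sessions; the MACs and SSIDs are made up for this example.
AP = "00-1a-2b-3c-4d-5e"
SAMPLE_SESSIONS = {
    "peap_first_connect": Session(
        f"{AP}:EPSS-SECURED", "a4:83:e7:11:22:33", "EAP-MSCHAPv2"),
    "tls_after_onboarding": Session(
        f"{AP}:EPSS-SECURED", "A4-83-E7-11-22-33", "EAP-TLS",
        cert_san_mac="a483.e711.2233", byod_registered=True),
    "tls_cert_on_other_endpoint": Session(
        f"{AP}:EPSS-SECURED", "a4:83:e7:99:88:77", "EAP-TLS",
        cert_san_mac="a483.e711.2233", byod_registered=True),
    "guest_ssid": Session(
        f"{AP}:EPSS-GUEST", "a4:83:e7:11:22:33", "EAP-MSCHAPv2"),
}


def run_samples() -> dict:
    """Authorize every sample session; returns {name: (rule, profile)}."""
    return {name: authorize(sess) for name, sess in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, (rule, profile) in run_samples().items():
        print(f"{name:28s} -> rule={rule:16s} profile={profile}")
```

The third sample shows why the SAN check matters: a valid EAP-TLS certificate presented from a different MAC falls through to NSP_Onboard instead of PermitAccess.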

9.14 Setting up Blacklist Portal (Optional)


The blacklist portal is already set up, but note that it runs on a different TCP port, 8444, compared to the guest or BYOD portal, which runs on 8443. Also, the blacklist portal utilizes a different ACL on the WLC. The policy for blacklisted devices is already created and active, but the following steps can be used to change the content that users are presented with when their devices are blacklisted:

1. Go to Administration > Device Portal Management > Blacklist

2. Click on Blacklist Portal (default)

3. Click on Portal Page Customization

4. Page title and the message can be modified

5. Click Save

Note that the policy for blacklisting is already set up and enabled on ISE; it still requires the 'BLACKHOLE' ACL to be present on the NAD to work.

9.15 Setting up My Devices Portal (Optional)


The My Devices Portal is hosted on the PSNs and is already enabled by default. MDP is typically used by non-guest end users to manage their personal devices. Follow the steps below to reconfigure the behavior of the My Devices Portal:

1. Go to Work Centers > BYOD > Portals & Components > My Devices Portals

2. Click on My Devices Portal (default)

3. Expand Portal Settings

4. Certificate group tag

5. Fully qualified domain (FQDN) and host names (If FQDN is configured here, the
DNS server needs to be updated to point to PSNs as well in order to direct users
to the MDP using FQDN. Also, if the portal certificate used is not a wildcard
certificate, it should also contain the FQDN as SAN to avoid security popup on the
web browser trying to access the portal)

6. Endpoint identity group

7. Authentication method (Currently, there is no way to control access to the MDP based on end user groups from the internal ID store or AD. In other words, if an ID store is enabled to log in to the MDP, any user with a valid user credential can access the MDP)


8. Scroll up and click on Portal Page Customization

9. Under Pages, click on Manage Device

10. Click on Settings on the right hand preview pane

11. You can select which options are available to end users

9.16 Setting up Certificate provisioning portal (Optional)


The Certificate Provisioning Portal is hosted on the PSNs, but authorization groups need to be assigned before a user can log in to the portal. Follow the steps below to reconfigure the behavior of the Certificate Provisioning Portal:

1. Go to Administration > Device Portal Management > Certificate Provisioning

2. Click on Certificate Provisioning Portal (default)

3. Expand Portal Settings

4. Certificate group tag

5. Authentication method

6. Configure authorized groups

7. Fully qualified domain (FQDN) and host names (If FQDN is configured here, the
DNS server needs to be updated to point to PSNs as well in order to direct users
to the Certificate Provisioning Portal using FQDN. Also, if the portal certificate used
is not a wildcard certificate, it should also contain the FQDN as SAN to avoid
security popup on the web browser trying to access the portal)

9.17 Posture Configuration Flow


Configuring posture assessment in ISE requires several components to be taken into consideration: conditions, remediations, requirements, posture policy, client provisioning and access policy.

Posture conditions are the set of rules in our security policy that define a compliant endpoint. Some of these items include the installation of a firewall, anti-virus software, anti-malware, hotfixes, disk encryption and more. Once posture conditions are defined, posture remediations (if required) can be configured.

Posture remediations are the methods by which AnyConnect handles endpoints that are out of compliance. Some remediations can be resolved automatically by AnyConnect, while others must be resolved manually by the end user.

Posture requirements are the immediate action steps taken by AnyConnect when an endpoint is out of compliance. An endpoint is deemed compliant if it satisfies all the posture conditions. Once configured, posture requirements can then be referenced by the posture policy for compliance enforcement.

Client provisioning is the policy used to determine the version of AnyConnect, as well as the compliance module, that will be installed on the endpoint during the provisioning process. The compliance module is a library that the posture agent uses to determine whether the endpoint complies with the defined posture conditions.

Access policy enables our posture policy and defines what form of access the endpoint will be subjected to if it is compliant, non-compliant or requires provisioning of AnyConnect.

Figure 109 Posture configuration flow


9.17.1 Posture Conditions


Conditions are the checks we want to perform against the endpoint to ensure our security policy is being met.
1. USB Condition
In our security policy, the first check is to determine whether or not a USB device is being
used on the endpoint. Navigate to Work Centers > Posture > Policy Elements >
Conditions > USB to view the pre-configured USB check provided by ISE.

Figure 110 USB Condition


Note: The USB condition only checks whether a USB device is connected. It currently does not differentiate between device types. Lastly, the USB check is a real-time check and not a periodic one.
2. Firewall Condition
The Firewall condition checks if a specific firewall product is enabled on an endpoint. The list of supported firewall products is based on the OPSWAT support charts. You can enforce policies during initial posture and Periodic Reassessment (PRA). Cisco ISE provides default Firewall conditions for Windows and macOS. These conditions are disabled by default; however, we are going to configure the firewall condition from scratch.

Step 1 Navigate to Work Centers > Posture > Policy Elements > Conditions > Firewall Condition

Step 2 Click the "+ Add" icon to configure a new Firewall Condition

Step 3 Give the new condition a name

Step 4 Select "4.x or later" for the Compliance module drop down

Step 5 Select "Windows All" for the operating system

Step 6 Select "Microsoft Corporation" from the vendor drop down

Step 7 Click the "Enable" check box

Step 8 Select "ANY / ANY" for the firewall name and version

Step 9 Click save


Figure 111 Firewall Condition

3. Anti-malware Condition
The anti-malware condition is a combination of the anti-spyware and antivirus conditions
and is supported by OESIS version 4.x or later compliance module. The intelligent
defaults in ISE have pre-configured anti-malware conditions for ease of use. Follow the
steps below to review the pre-configured anti-malware condition.


Step 1 Work Centers > Posture > Posture Elements > Conditions > Antimalware

Step 2 Select "ANY_am_win_inst"

Step 3 Click edit

Step 4 Review the configuration for the condition

Figure 112 Anti-malware Condition

4. Critical Patch Condition


The next item in our security policy concerns the installation of a critical patch. In this example, we are going to use the predefined file check to ensure that our Windows 10 clients have the critical security patch installed to prevent the WannaCry malware. To review the predefined file check, follow the steps below.

Step 1 Work Centers > Posture > Posture Elements > Conditions > File

Step 2 Click the hopper icon on the far right to expose the search menu


Step 3 In the name field, enter: pc_W10_64_KB4012606_Ms17-010_1507_WC

Step 4 Check the box and click the view button at the top

Figure 113 Critical Patch Condition

5. Application Condition
The last condition required in our security policy is to check for the installation of a specific application. There are two forms of application checks when doing ISE posture: one to check if an application is installed and another to check if an application is running. Scenarios to ensure a necessary application is installed and scenarios to ensure unwanted applications are not installed can both be configured. In both scenarios the installation check itself remains the same. For the case of an unwanted application, the required remediation action needs to be tied to the condition to terminate or uninstall the unwanted application. This security policy will check for the required installation of a VPN client. We will cover the steps necessary to create application compliance for an application that should not be installed on the endpoint later in this guide. To configure a condition for an application installation, follow the steps below


Step 1 Navigate to Work Centers > Posture > Policy Elements > Conditions > Application

Step 2 Click the "+ Add" icon to configure a new application condition

Step 3 Give the new condition a name

Step 4 Select "Windows All" as the operating system

Step 5 Select "Process" from the check by drop down

Step 6 Enter the process name in the process name field

Step 7 Select "Running" for the application operator drop down

Step 8 Select "ANY / ANY" for the firewall name and version

Step 9 Select "Cisco System, Inc" from the vendor drop down

Step 10 Click save


Figure 114 Application Condition

9.17.2 Posture Remediations


Posture remediations are the actions AnyConnect will take if it determines that the endpoint is out of compliance. There are two main types of remediation in AnyConnect: automatic and manual.

Automatic remediation is performed by AnyConnect without intervention by the end user of the endpoint.

Manual remediation requires the end user of the endpoint to resolve the compliance issue before the endpoint is allowed network access.

9.17.3 Firewall Remediation

Our security policy requires that the Windows firewall be enabled for endpoints accessing the network. To configure a firewall remediation, follow the steps below.

Step 1 Navigate to Work Centers > Posture > Policy Elements > Remediations > Firewall


Step 2 Click the "+ Add" icon to configure a new firewall remediation

Step 3 Give the new remediation a name

Step 4 Select "Windows All" as the operating system

Step 5 Select "Automatic" from the remediation type by drop down

Step 6 Enter values (in seconds) for interval and retry count field

Step 7 Select "Microsoft Corporation" from the vendor drop down

Step 8 Ensure "Remediation Options is to enable the Firewall" is checked

Step 9 Select "Windows Firewall 10.x"

Step 10 Click save


Figure 115 Firewall Remediation

9.17.4 USB Remediation


In addition to a preconfigured condition for USB, Cisco ISE also has a preconfigured
remediation for USB as well. To review the USB remediation, follow the steps below.


Step 1 Navigate to Work Centers > Posture > Policy Elements > Remediations > USB

Step 2 Click the "USB_Block" icon then click "Edit"

Step 3 If required, you can modify the interval and retry count values

Step 4 Click save

Figure 116 USB Remediation

9.17.5 Posture Requirements


Now that we have our posture conditions and remediations defined to reflect our security policy, it is time to tie them together using posture requirements. Like access policy, posture requirements are a set of rules that outline the posture condition, operating system, compliance module, agent type and remediation action. Just like posture conditions, ISE has preconfigured posture requirements that allow you to quickly enable posture requirements. However, this guide will outline the steps necessary to build them from scratch (with the exception Follow the steps below to configure posture requirements.


9.17.6 Firewall Requirement


Step 1 Navigate to Work Centers > Posture > Policy Elements > Requirements

Step 2 Click the "down arrow" icon to the right of the "Edit" hyperlink

Step 3 Select "Insert new requirement"

Step 4 Give the requirement a name

Step 5 Select "Windows All" as the operating system

Step 6 Select "4.x or later" for the compliance module

Step 7 Select "AnyConnect" as the posture type

Step 8 Select the name of the firewall condition configured earlier

Step 9 Select the name of the firewall remediation configured earlier

Step 10 Click done

Step 11 Click save at the bottom of the page

9.17.7 Critical Patch Requirement


Note: Since the file check is specific to Windows 10, be sure you select Windows 10 as
the operating system when configuring the rule. Otherwise, it will not show up as an
option in the drop down box.
Step 1 Navigate to Work Centers > Posture > Policy Elements > Requirements

Step 2 Click the "down arrow" icon to the right of the "Edit" hyperlink

Step 3 Select "Insert new requirement"

Step 4 Give the requirement a name

Step 5 Select "Windows 10 All" as the operating system

Step 6 Select "4.x or later" for the compliance module


Step 7 Select "AnyConnect" as the posture type

Step 8 Select "pc_W10_KB4012606_Ms17-010_1507_WC"

Step 9 Select "Message Text" as the remediation

Step 10 Enter a message for the end user

Step 11 Click done

Step 12 Click save at the bottom of the page

9.17.8 Application Requirement


Step 1 Navigate to Work Centers > Posture > Policy Elements > Requirements

Step 2 Click the "down arrow" icon to the right of the "Edit" hyperlink

Step 3 Select "Insert new requirement"

Step 4 Give the requirement a name

Step 5 Select "Windows All" as the operating system

Step 6 Select "4.x or later" for the compliance module

Step 7 Select "AnyConnect" as the posture type

Step 8 Select the name of the application condition configured earlier

Step 9 Select "Message Text" as the remediation

Step 10 Enter a message for the end user

Step 11 Click done

Step 12 Click save at the bottom of the page

9.17.9 Posture Policy


A posture policy is a collection of posture requirements, which are associated with one or more identity groups and operating systems. The Dictionary Attributes are optional conditions used in conjunction with the identity groups and the operating systems that allow you to define different policies for the clients. Cisco ISE provides an option to configure a grace period for devices that become noncompliant. ISE caches the results of posture assessment for a configurable amount of time. If a device is found to be noncompliant, Cisco ISE looks for the previously known good state in its cache and provides grace for the device, during which the device is granted access to the network. You can configure the grace period in minutes, hours, or days (up to a maximum of 30 days). An endpoint is eligible to utilize this grace period only if it has previously been in a good/compliant state.
To configure posture policy, follow the steps below.
Step 1 Navigate to Work Centers > Posture > Posture Policy

Step 2 Click the "down arrow" icon to the right of the "Edit" hyperlink

Step 3 Select "Insert new policy"

Step 4 Give the rule a name

Step 5 Select "Windows 10 All" as the operating system

Step 6 Select "4.x or later" for the compliance module

Step 7 Select "AnyConnect" as the posture type

Step 8 In the requirements field, select all 5 requirement by using the "+" sign

Step 9 Click done

Step 10 Click Save


9.17.10 Client Provisioning


For clients, the client provisioning resource policies determine which users receive which version (or versions) of resources (agents, agent compliance modules, and/or agent customization packages/profiles) from Cisco ISE upon login and user session initiation. For AnyConnect, resources can be selected from the client provisioning resources page to create an AnyConnect configuration that you can use in the client provisioning policy page. An AnyConnect configuration is the AnyConnect software and its association with different configuration files, which include the AnyConnect binary package for Windows and macOS clients, the compliance module, module profiles, and customization and language packages for AnyConnect.

There are two methods for provisioning clients with ISE alone. While enterprise software products can allow for wide distribution of software, ISE can provision clients in a couple of ways: URL redirection and download, or a provisioning URL. Before you begin, you will need to download the AnyConnect software from cisco.com, as it cannot be automatically downloaded through provisioning resources the way the compliance module can. The agent configuration in the client provisioning policy requires three components at minimum: an AnyConnect profile, an AnyConnect configuration and a compliance module. Begin by creating an AnyConnect profile.

Step 1 Navigate to Work Centers > Posture > Client Provisioning > Resources

Step 2 Click the "Add" button and select AnyConnect Posture profile

Step 3 Enter the configuration parameters for how AnyConnect will operate


Step 4 Click Save

Note: For a detailed explanation of the posture profile configuration parameters, please reference the ISE Administration Guide or launch page-level help from the menu.

Now that a posture profile has been configured, you can upload AnyConnect to ISE:
Step 1 Navigate to Work Centers > Posture > Client Provisioning > Resources

Step 2 Click the "Add" button

Step 3 Select "Agent resources from local disk"

Step 4 Select "Cisco provided packages" from the Category drop down

Step 5 Select the AnyConnect software from the local disk by using the "browse" button

Step 6 Click Submit

Once AnyConnect is uploaded to ISE, we now need to download a compliance module:


Step 1 Navigate to Work Centers > Posture > Client Provisioning > Resources

Step 2 Click the "Add" button

Step 3 Select "Agent resources from Cisco site"

Step 4 Select the desired compliance module from the list

Step 5 Click Save

Finally, we can create the required AnyConnect configuration for use in client
provisioning policy:
Step 1 Navigate to Work Centers > Posture > Client Provisioning > Resources

Step 2 Click the "Add" button

Step 3 Select "AnyConnect Configuration"

Step 4 Select the AnyConnect version uploaded from cisco.com

Step 5 Give the configuration a name


Step 6 Select the compliance module downloaded from cisco.com

Step 7 Select the posture profile previously created

Step 8 Click Save

Figure 117 Client Provisioning Configuration


Lastly, create client provisioning policy using the newly created AnyConnect
configuration:
Step 1 Navigate to Work Centers > Posture > Client Provisioning

Step 2 Click the "Edit" hyperlink for the preconfigured Windows rule

Step 3 Click the "+" icon in the results box

Step 4 Select the AnyConnect Configuration from the Agent drop down

Step 5 Click done

Step 6 Click save

9.17.11 Access Policy


The final section of the deployment is the configuration of the access policy. Cisco ISE is a policy-based network access control solution which offers network access policy sets, allowing you to manage several different network access use cases such as wireless, wired, guest, and client provisioning. Policy sets (both network access and device administration sets) enable you to logically group authentication and authorization policies within the same set. You can have several policy sets based on an area, such as policy sets based on location, access type and similar parameters. When you install ISE, there is always one policy set defined, which is the default policy set, and the default policy set contains within it predefined and default authentication, authorization and exception policy rules. This guide will use a preconfigured policy set to enforce the addition of the example security policy.

Step 1 Navigate to Policy > Policy Sets

Step 2 Select the policy set that will contain the enforcement conditions for the posture policy

Step 3 Select "Authorization Policy"

Step 4 Select the authorization rule that requires the compliant condition

Step 5 Click the condition field to open the Conditions Studio

Step 6 Click the "New" button

Step 7 Click to add a new attribute and select "Session" from the Dictionaries drop-down

Step 8 Select the "PostureStatus" attribute

Step 9 Click "Choose from the list" and select "Compliant"

Step 10 Click "Use"

Step 11 Click the gear icon of the newly modified rule and select "Duplicate below"

Step 12 In the duplicated rule, repeat steps 5 through 9 but select "NonCompliant" instead of "Compliant"

Step 13 Click "Use"

Step 14 Change the "Results Profiles" of the duplicated rule to DenyAccess and rename the authorization rule

Step 15 Save the authorization policy
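Before the change is saved it is worth checking what the rule order will do to every posture state. The following is an added example, not part of the EPSS LLD and not Cisco ISE code: it models ISE's top-down, first-match evaluation of an authorization policy with the two posture rules from the steps above. The rule names, the Wired_802.1X condition flag, the third rule for endpoints whose posture is still Unknown, and the authorization profile names (PermitAccess, DenyAccess, Posture_Redirect) are assumptions chosen for the example.

```python
"""
Added example (not from the EPSS LLD or Cisco ISE): models how an ISE
authorization policy is evaluated.  Rules are tried top-down and the first
match wins; a session matching no rule gets the policy set's default result.
Rule names, the Wired_802.1X flag and the profile names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    conditions: dict      # attribute -> required value; all must hold (AND)
    result: str           # authorization profile returned on match

    def matches(self, session):
        return all(session.get(attr) == want for attr, want in self.conditions.items())


@dataclass
class AuthorizationPolicy:
    rules: list
    default_result: str = "DenyAccess"

    def authorize(self, session):
        """First-match evaluation: returns (rule name, authorization profile)."""
        for rule in self.rules:
            if rule.matches(session):
                return rule.name, rule.result
        return "Default", self.default_result

    def shadowed_rules(self):
        """Rules that can never fire because an earlier rule's conditions are a subset of theirs."""
        shadowed = []
        for index, later in enumerate(self.rules):
            for earlier in self.rules[:index]:
                if earlier.conditions.items() <= later.conditions.items():
                    shadowed.append((later.name, earlier.name))
                    break
        return shadowed


WIRED = "Wired_802.1X"                 # stands in for the library condition (assumed)
POSTURE = "Session:PostureStatus"      # the dictionary attribute selected in steps 7 and 8

# The policy after steps 1-15: Compliant -> permit, NonCompliant (duplicate below) -> deny.
# A third rule (assumed) keeps not-yet-assessed endpoints in the posture redirect so the
# agent can run; without it an Unknown session falls through to the default rule.
POSTURE_POLICY = AuthorizationPolicy(rules=[
    Rule("Wired_Dot1X_Compliant", {WIRED: True, POSTURE: "Compliant"}, "PermitAccess"),
    Rule("Wired_Dot1X_NonCompliant", {WIRED: True, POSTURE: "NonCompliant"}, "DenyAccess"),
    Rule("Wired_Dot1X_Unknown", {WIRED: True, POSTURE: "Unknown"}, "Posture_Redirect"),
])

# A common mistake: the original unconditional wired rule left above the posture rules,
# so every wired session is permitted before posture is ever looked at.
MISORDERED_POLICY = AuthorizationPolicy(rules=[
    Rule("Wired_Dot1X", {WIRED: True}, "PermitAccess"),
    *POSTURE_POLICY.rules,
])


def decide(policy, posture_status, wired=True):
    """Build the session attributes ISE would hold for this endpoint and authorize them."""
    return policy.authorize({WIRED: wired, POSTURE: posture_status})


if __name__ == "__main__":
    for status in ("Compliant", "NonCompliant", "Unknown"):
        print(status, decide(POSTURE_POLICY, status), decide(MISORDERED_POLICY, status))
    print("shadowed:", MISORDERED_POLICY.shadowed_rules())
```

`shadowed_rules()` is the check a reviewer would run on the exported policy: a rule whose conditions are a superset of an earlier rule's can never match, which is exactly what happens when the new posture rules end up below the broad rule they were meant to replace.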


The new policy should resemble the below:

9.18 Cisco ISE Profiling Services

Cisco ISE Profiling Services provides dynamic detection and classification of endpoints
connected to the network. Using MAC addresses as the unique identifier, ISE collects
various attributes for each network endpoint to build an internal endpoint database. The
classification process matches the collected attributes to prebuilt or user-defined
conditions, which are then correlated to an extensive library of profiles.
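To make the classification step concrete, here is an added example that is not part of the EPSS LLD and not Cisco ISE code. It models the mechanism described above: each profile carries conditions with a certainty factor, an endpoint's score for a profile is the sum of the matched conditions, the endpoint qualifies when that score reaches the profile's minimum certainty factor, and the best-scoring (most specific) profile wins. The MAC address is the endpoint key, so the example also normalizes the MAC spellings different probes deliver. The profile names, certainty values, operators and endpoint attributes are constructed for illustration, not copied from the ISE profile library.

```python
"""
Added example (not from the EPSS LLD or Cisco ISE): a small model of the
profiler's classification step.  Profiles, certainty factors and endpoint
attributes are constructed to show the mechanism.
"""
from dataclasses import dataclass


def normalize_mac(raw):
    """Map aabb.ccdd.eeff, AA-BB-CC-DD-EE-FF or aa:bb:... to ISE's AA:BB:CC:DD:EE:FF key."""
    digits = "".join(c for c in raw if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Condition:
    attribute: str
    operator: str     # "equals", "contains" or "startswith"
    value: str
    certainty: int    # certainty factor contributed when the condition matches

    def matches(self, attrs):
        actual = attrs.get(self.attribute)
        if actual is None:
            return False
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "contains":
            return self.value in actual
        if self.operator == "startswith":
            return actual.startswith(self.value)
        raise ValueError("unknown operator " + self.operator)


@dataclass
class Profile:
    name: str
    min_certainty: int
    conditions: list
    parent: str = None    # hierarchy depth breaks ties in favour of the more specific profile


def certainty(profile, attrs):
    """Sum the certainty factors of every condition the endpoint's attributes satisfy."""
    return sum(c.certainty for c in profile.conditions if c.matches(attrs))


def depth(profile, by_name):
    d = 0
    while profile.parent:
        profile = by_name[profile.parent]
        d += 1
    return d


def classify(profiles, attrs):
    """Return (profile name, score); 'Unknown' when no profile reaches its minimum certainty."""
    by_name = {p.name: p for p in profiles}
    best = None
    for p in profiles:
        score = certainty(p, attrs)
        if score >= p.min_certainty:
            key = (score, depth(p, by_name))
            if best is None or key > best[0]:
                best = (key, p.name, score)
    return (best[1], best[2]) if best else ("Unknown", 0)


# Constructed profile hierarchy (names and values are illustrative only)
PROFILES = [
    Profile("Cisco-Device", 10, [Condition("OUI", "contains", "Cisco", 10)]),
    Profile("Cisco-IP-Phone", 20, [
        Condition("cdpCachePlatform", "contains", "IP Phone", 20),
        Condition("dhcp-class-identifier", "contains", "IP Phone", 20),
    ], parent="Cisco-Device"),
    Profile("Workstation", 10, [Condition("dhcp-class-identifier", "equals", "MSFT 5.0", 10)]),
    Profile("Microsoft-Workstation", 20, [
        Condition("dhcp-class-identifier", "equals", "MSFT 5.0", 10),
        Condition("host-name", "contains", "WIN", 10),
    ], parent="Workstation"),
]

# Constructed endpoint records keyed by MAC, as the probes would have populated them
ENDPOINTS = {
    normalize_mac("0011.2233.4455"): {"OUI": "Cisco Systems", "cdpCachePlatform": "Cisco IP Phone 8845"},
    normalize_mac("AA-BB-CC-00-11-22"): {"dhcp-class-identifier": "MSFT 5.0", "host-name": "WIN-EPSS-LAB01"},
    normalize_mac("de:ad:be:ef:00:01"): {},   # only a MAC learned so far: nothing to match on
}

if __name__ == "__main__":
    for mac, attrs in ENDPOINTS.items():
        print(mac, classify(PROFILES, attrs))
```

The third endpoint shows why the Endpoint Attribute Filter and the choice of probes matter: an endpoint for which only a MAC has been learned cannot be classified at all, whatever the profile library contains.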

9.18.1 ISE Profiling Global Configuration


Global Profiler Settings include configurations that impact the entire deployment so are
covered first. These settings will be referenced throughout the guide as they relate to a
particular feature or function. It is useful to be aware of these settings to understand why
some ISE Profiler functions behave (or misbehave) in a certain way.

9.18.2 Procedure 1 Configure Global Profiling Settings from the Policy Administration Node

Step 1 Navigate to Work Centers > Profiler > Settings and select Profiler Settings from
the left-hand-side (LHS) pane.
Step 2 From the right-hand side (RHS) pane, choose the CoA Type to be used for
profiling transitions and Exception Actions. It is possible to override the CoA response for a
specific Profile Policy or Exception Action, but the global configuration dictates the default
behavior in the absence of more specific settings.


Figure 118 Global Profiler Configuration


If the goal is visibility only, leave the default value of No CoA. Note that a global setting of
No CoA overrides all per-profile settings and disables CoA for all profiler operations and
Exception Actions. If the goal is to update the access policy immediately when a profile
changes, select Port Bounce. This ensures that even clientless endpoints go through a
complete reauthorization, including an IP address refresh if needed.
The Reauth option may be sufficient where no VLAN or address change is expected after
reauthorization of the current session.
If multiple endpoints are detected on a wired switchport, ISE automatically falls back to
Reauth to avoid disrupting the other connected devices. A common example is a
workstation connected behind an IP phone, where a port bounce would interrupt
communications for both the workstation and the phone.
Step 3 ISE Profiler supports the ability to scan endpoints and trigger an SNMP query
against the endpoint if determined to be SNMP-enabled. The default SNMP community
string used for these queries is public. To use a different community string or sequence
of strings, enter the new string values under Change custom SNMP community
strings and enter again to confirm correct spelling.
Values are hidden from passive viewers, but can be exposed by clicking the Show button
once saved. This setting will be covered in more detail under the NMAP probe section.
Step 4 Change the default setting for Endpoint Attribute Filter to Enabled. The filter
(also referred to as the “Whitelist Filter”) limits endpoint data collection to whitelisted
attributes. Whitelisted attributes include the endpoint data required for profiling and
maintenance. Other attributes are deemed extraneous and will be dropped (not saved or
replicated to the endpoint database). This can significantly improve the efficiency of
profiling operations as less data needs to be maintained and replicated.


9.18.3 Procedure 2 Enable Profiling Services on the Policy Service Node

Step 1 Go to Work Centers > Profiler > Node Config > Deployment and select the
Policy Service node to perform profiling from list of deployed nodes on the RHS pane.
Step 2 Under the General Settings tab, verify that the node persona called Policy
Service is selected and that Enable Profiling Service is also selected (Figure 119).

Figure 119 Enabling Profiling Services on the Policy Service Node

9.18.4 Procedure 3 Access and View the Profiling Configuration Page

Click the Profiling Configuration tab. View the various probes that can be enabled and
configured simply by checking the appropriate box and selecting optional probe
parameters (Figure 120).


Figure 120 Access and View the Profiling Configuration Page


Not all probes are enabled by default, and some run partially even without an
explicit check mark displayed in the box.
The RADIUS probe runs by default, even on systems not configured for the Profiling
Service, so that ISE can track endpoint authentication and authorization details for use
in Context Visibility Services. The RADIUS probe and Profiling Services are also used to
track the creation and update times of registered endpoints for purge operations.
When both the Profiling Service and the RADIUS probe are enabled, new attributes
learned from RADIUS also trigger profiling. Otherwise the attributes are collected but
profiling is not triggered by RADIUS-learned data, including Device Sensor data.

9.18.5 Profiling Using the RADIUS Probe


The RADIUS probe collects the RADIUS attributes sent by RADIUS clients (wired access
switches, wireless controllers and other network access devices) to the RADIUS server,
that is, the ISE Policy Service node running Session Services. The standard RADIUS ports
are UDP/1812 for authentication and authorization and UDP/1813 for accounting; the
legacy ports UDP/1645 and UDP/1646 are also accepted for the same purposes.

9.18.6 Configuring the RADIUS Probe


The RADIUS probe is one of the simplest probes to enable and deploy since the network
access devices are typically configured to send RADIUS packets to the ISE Policy Service
node running Session Services for network authentication, authorization, and accounting.

9.18.7 Procedure 4 Enable the RADIUS Probe in ISE


Step 1 Go to Work Centers > Profiler > Node Config > Deployment. From list of
deployed nodes on the RHS pane, select the Policy Service node to perform profiling.
Step 2 Select the Profiling Configuration tab and check the box to enable the RADIUS
probe. The probe is enabled by default on the interfaces configured for RADIUS services
(Figure 121):

Figure 121 Enable the RADIUS Probe in ISE


Step 3 Click Save to commit the change.
Step 4 Repeat the steps in this procedure for all other Policy Service nodes configured
for RADIUS and Profiling Services.

9.18.8 Procedure 5 Verify Access Device Is Configured in ISE


This guide assumes that the network access devices (NAD) have already been
configured in ISE under Work Centers > Profiler > Network Devices for standard RADIUS
communications. If additional network devices need to be configured to support Device
Sensor, complete the following steps:
Step 1 Go to Work Centers > Profiler > Network Devices. If the switch or controller that
will be used for AAA or Device Sensor functions is not in the list, click Add from the menu
in the RHS pane and complete the form (Figure 122):
A. Enter the Name of the network device. The name is often the same as the
NAD’s hostname or name entered in DNS. It is administratively useful if the
name indicates platform, location, and/or function.


Figure 122 Adding Network Access Devices


B. Enter the NAD IP Address that will be seen by ISE in RADIUS requests. It
is possible to enter a range using the IP Address drop-down box, or to add
multiple IP address entries using the gear icon to the right of the IP field.
Multiple entries can address the case where RADIUS requests may be
sourced from different interfaces. IP Ranges allow a single NAD entry to
include multiple NADs.
C. Select (enable) the RADIUS Authentication Settings checkbox and enter
the RADIUS Shared Secret key to be used between the NAS and ISE. This
value must match the value configured on the NAD; a mismatch makes ISE
reject the device's requests. To view the key entered, click the Show button
to the right of the key (Figure 122).
D. For advanced configurations, RADIUS DTLS and KeyWrap may also be
configured.
E. Click Submit when finished.
9.18.9 Procedure 6 Verify That Access Devices Are Configured to Send RADIUS to ISE PSN
This guide assumes that the network access devices have already been configured for
RADIUS authentication, authorization, and accounting to the ISE Policy Service node
(PSN). Here is a sample RADIUS configuration for a wired switch:
! aaa new-model must be enabled before any of the aaa commands below are accepted
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Interim accounting updates (here every 2880 minutes) keep the session and the
! RADIUS probe's endpoint attributes current on the PSN
aaa accounting update newinfo periodic 2880
! RADIUS must be sourced from the interface whose address is registered for this
! NAD in ISE, otherwise ISE drops the request as coming from an unknown NAD
ip radius source-interface <Interface>
! Send attribute 6 (Service-Type) for login authentications, and attributes 8
! (Framed-IP-Address) and 25 (Class) in Access-Requests
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
! The key must match the RADIUS Shared Secret entered for this NAD in ISE
! (Procedure 5, item C); replace xxx with the real secret
radius-server host <ISE_PSN_Address> auth-port 1812 acct-port 1813 key xxx
! Send Cisco vendor-specific attributes in both directions so Device Sensor
! data reaches the RADIUS probe in accounting packets
radius-server vsa send accounting
radius-server vsa send authentication
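The following is an added example, not part of the EPSS LLD and not Cisco code, showing what the RADIUS probe actually receives from a switch configured as above and why the shared secret has to match. It builds a RADIUS Accounting-Request (RFC 2866) with the attributes the probe keys on, verifies the Request Authenticator with the shared secret, and extracts the endpoint attributes, including Device Sensor data carried in Cisco cisco-av-pair VSAs. The shared secret, MAC, IP address and av-pair strings are constructed for the example, and the "cdp-tlv=<name>=<value>" / "lldp-tlv=<name>=<value>" av-pair layout is an assumption about the Device Sensor encoding, not taken from the page.

```python
"""
Added example (not from the EPSS LLD or Cisco): build, verify and parse a
RADIUS Accounting-Request of the kind a switch sends to the ISE PSN.  The
secret, addresses and av-pair strings are constructed for the example.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4          # RADIUS code (RFC 2866)
FRAMED_IP_ADDRESS = 8
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                # vendor-type of cisco-av-pair


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Encode a Cisco VSA carrying one cisco-av-pair string (how Device Sensor data travels)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_accounting_request(identifier, secret, attributes):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + attributes + secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """True only if the packet was signed with our copy of the shared secret and is intact."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header and return the decoded attributes."""
    found = {"cisco-av-pair": []}
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + length]
        if attr_type == CALLING_STATION_ID:
            found["Calling-Station-Id"] = value.decode()
        elif attr_type == FRAMED_IP_ADDRESS:
            found["Framed-IP-Address"] = ".".join(str(b) for b in value)
        elif attr_type == ACCT_STATUS_TYPE:
            found["Acct-Status-Type"] = struct.unpack("!I", value)[0]
        elif attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            if sub_type == CISCO_AVPAIR:
                found["cisco-av-pair"].append(value[6:4 + sub_len].decode())
        pos += length
    return found


def endpoint_attributes(packet, secret):
    """What the RADIUS probe would add to the endpoint record for this session."""
    if not verify_accounting_request(packet, secret):
        raise ValueError("authenticator mismatch: wrong shared secret or tampered packet")
    attrs = parse_attributes(packet)
    # The MAC is the endpoint key; map the NAD's AA-BB-CC-DD-EE-FF form to ISE's AA:BB:CC:DD:EE:FF
    endpoint = {"MACAddress": attrs["Calling-Station-Id"].upper().replace("-", ":")}
    if "Framed-IP-Address" in attrs:
        endpoint["ip"] = attrs["Framed-IP-Address"]
    # Device Sensor CDP/LLDP data as "cdp-tlv=<name>=<value>" av-pairs (layout assumed here)
    for pair in attrs["cisco-av-pair"]:
        source, _, rest = pair.partition("=")
        if source in ("cdp-tlv", "lldp-tlv"):
            name, _, val = rest.partition("=")
            endpoint[name] = val
    return endpoint


# Constructed sample: a switch reports an interim accounting update for a phone
SHARED_SECRET = b"EPSS-radius-secret"   # placeholder for the example, not a real key
SAMPLE_PACKET = build_accounting_request(0x2A, SHARED_SECRET, [
    attribute(ACCT_STATUS_TYPE, struct.pack("!I", 3)),     # 3 = Interim-Update
    attribute(CALLING_STATION_ID, b"00-11-22-33-44-55"),
    attribute(FRAMED_IP_ADDRESS, bytes([10, 20, 30, 40])),
    cisco_avpair("cdp-tlv=cdpCachePlatform=Cisco IP Phone 8845"),
    cisco_avpair("lldp-tlv=lldpSystemDescription=Example Phone Firmware 1.0"),
])

if __name__ == "__main__":
    print(endpoint_attributes(SAMPLE_PACKET, SHARED_SECRET))
```

Running `verify_accounting_request` with a different secret fails exactly as a NAD whose key does not match the Shared Secret entered in Procedure 5 would fail at the PSN; the Device Sensor av-pairs only arrive because `radius-server vsa send accounting` is configured on the switch.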


10 Document Acceptance Certificate

Name:       ______________________     Name:       ______________________
Title:      ______________________     Title:      ______________________
Company:    ______________________     Company:    ______________________
Signature:  ______________________     Signature:  ______________________
Date:       ______________________     Date:       ______________________

Name:       ______________________     Name:       ______________________
Title:      ______________________     Title:      ______________________
Company:    ______________________     Company:    ______________________
Signature:  ______________________     Signature:  ______________________
Date:       ______________________     Date:       ______________________

Name:       ______________________     Name:       ______________________
Title:      ______________________     Title:      ______________________
Company:    ______________________     Company:    ______________________
Signature:  ______________________     Signature:  ______________________
Date:       ______________________     Date:       ______________________
