# Table of Contents - [Introduction | Fabric Solutions Lab - Shopping](#introduction-fabric-solutions-lab-shopping) - [Introduction & Getting Started | Fabric Solutions Lab - Automate](#introduction-getting-started-fabric-solutions-lab-automate) - [Access Credentials | Fabric Solutions Lab - Automate](#access-credentials-fabric-solutions-lab-automate) - [Firmware Versions | Fabric Solutions Lab - Automate](#firmware-versions-fabric-solutions-lab-automate) - [Accessing the lab environment | Fabric Solutions Lab - Automate](#accessing-the-lab-environment-fabric-solutions-lab-automate) - [Attack & Defence #1 | Fabric Solutions Lab - Automate](#attack-defence-1-fabric-solutions-lab-automate) - [Scenario - Story/Narrative | Fabric Solutions Lab - Automate](#scenario-story-narrative-fabric-solutions-lab-automate) - [Attack - Scenario Steps | Fabric Solutions Lab - Automate](#attack-scenario-steps-fabric-solutions-lab-automate) - [Defence - Scenario Steps | Fabric Solutions Lab - Automate](#defence-scenario-steps-fabric-solutions-lab-automate) - [Defence - FortiSIEM | Fabric Solutions Lab - Automate](#defence-fortisiem-fabric-solutions-lab-automate) - [Attack & Defence #2 | Fabric Solutions Lab - Automate](#attack-defence-2-fabric-solutions-lab-automate) - [Defence - FortiClient | Fabric Solutions Lab - Automate](#defence-forticlient-fabric-solutions-lab-automate) - [Defence - FortiSOAR | Fabric Solutions Lab - Automate](#defence-fortisoar-fabric-solutions-lab-automate) - [Defence - FortiDeceptor | Fabric Solutions Lab - Automate](#defence-fortideceptor-fabric-solutions-lab-automate) - [Attack - RDP Host | Fabric Solutions Lab - Automate](#attack-rdp-host-fabric-solutions-lab-automate) - [Scenario - Story/Narrative | Fabric Solutions Lab - Automate](#scenario-story-narrative-fabric-solutions-lab-automate) - [Defence - FortiGate | Fabric Solutions Lab - Automate](#defence-fortigate-fabric-solutions-lab-automate) - [Scenario - Story/Narrative | Fabric Solutions Lab - Automate](#scenario-story-narrative-fabric-solutions-lab-automate) - [Show - FortiClient EMS | Fabric Solutions Lab - Automate](#show-forticlient-ems-fabric-solutions-lab-automate) - [Attack & Defence #3 | Fabric Solutions Lab - Automate](#attack-defence-3-fabric-solutions-lab-automate) - [Check - Windows Host | Fabric Solutions Lab - Automate](#check-windows-host-fabric-solutions-lab-automate) - [Analyze - FortiSOAR | Fabric Solutions Lab - Automate](#analyze-fortisoar-fabric-solutions-lab-automate) - [Defence - FortiSOAR | Fabric Solutions Lab - Automate](#defence-fortisoar-fabric-solutions-lab-automate) - [Defence - FortiSIEM | Fabric Solutions Lab - Automate](#defence-fortisiem-fabric-solutions-lab-automate) - [Analyze - FortiMail & FortiNDR | Fabric Solutions Lab - Automate](#analyze-fortimail-fortindr-fabric-solutions-lab-automate) - [Scenario - Story/Narrative | Fabric Solutions Lab - Automate](#scenario-story-narrative-fabric-solutions-lab-automate) - [Attack & Defence #4 | Fabric Solutions Lab - Automate](#attack-defence-4-fabric-solutions-lab-automate) - [Show - FortiDLP | Fabric Solutions Lab - Automate](#show-fortidlp-fabric-solutions-lab-automate) - [FortiMail & FortiSandbox | Fabric Solutions Lab - Automate](#fortimail-fortisandbox-fabric-solutions-lab-automate) - [Show - FortiGate | Fabric Solutions Lab - Automate](#show-fortigate-fabric-solutions-lab-automate) - [Scenario - Story/Narrative | Fabric Solutions Lab - Automate](#scenario-story-narrative-fabric-solutions-lab-automate) - [Attack - Scenario Steps | Fabric Solutions Lab - Automate](#attack-scenario-steps-fabric-solutions-lab-automate) - [Analyze - FortiSandbox | Fabric Solutions Lab - Automate](#analyze-fortisandbox-fabric-solutions-lab-automate) - [Access - Windows Host | Fabric Solutions Lab - Automate](#access-windows-host-fabric-solutions-lab-automate) - [Show - FortiGate | Fabric Solutions Lab - Automate](#show-fortigate-fabric-solutions-lab-automate) - [Scenario - Story/Narrative | Fabric Solutions Lab - Automate](#scenario-story-narrative-fabric-solutions-lab-automate) - [Review - FortiAnalyzer | Fabric Solutions Lab - Automate](#review-fortianalyzer-fabric-solutions-lab-automate) - [FortiIsolator & FortiSandbox | Fabric Solutions Lab - Automate](#fortiisolator-fortisandbox-fabric-solutions-lab-automate) - [FortiGate & FortiDeceptor | Fabric Solutions Lab - Automate](#fortigate-fortideceptor-fabric-solutions-lab-automate) - [Access - Webserver | Fabric Solutions Lab - Automate](#access-webserver-fabric-solutions-lab-automate) - [Defence - Scenario Steps | Fabric Solutions Lab - Automate](#defence-scenario-steps-fabric-solutions-lab-automate) - [Analyze - FortiSandbox | Fabric Solutions Lab - Automate](#analyze-fortisandbox-fabric-solutions-lab-automate) - [Attack - Scada Decoy | Fabric Solutions Lab - Automate](#attack-scada-decoy-fabric-solutions-lab-automate) - [Unknown](#unknown) - [Unknown](#unknown) - [Attack - VMWare Decoy | Fabric Solutions Lab - Automate](#attack-vmware-decoy-fabric-solutions-lab-automate) - [Scenario - Story/Narrative | Fabric Solutions Lab - Automate](#scenario-story-narrative-fabric-solutions-lab-automate) - [Analyze - FortiMail | Fabric Solutions Lab - Automate](#analyze-fortimail-fabric-solutions-lab-automate) - [Attack - Downloading Malware | Fabric Solutions Lab - Automate](#attack-downloading-malware-fabric-solutions-lab-automate) - [Defence - FortiDeceptor | Fabric Solutions Lab - Automate](#defence-fortideceptor-fabric-solutions-lab-automate) - [Defence - Downloading Malware | Fabric Solutions Lab - Automate](#defence-downloading-malware-fabric-solutions-lab-automate) - [Defence - FortiGate | Fabric Solutions Lab - Automate](#defence-fortigate-fabric-solutions-lab-automate) - [Unknown](#unknown) - [FortiIsolator & FortiMail | Fabric Solutions Lab - Automate](#fortiisolator-fortimail-fabric-solutions-lab-automate) - [Unknown](#unknown) - [Scenario - Story/Narrative | Fabric Solutions Lab - Automate](#scenario-story-narrative-fabric-solutions-lab-automate) - [Analyze - FortiDeceptor | Fabric Solutions Lab - Automate](#analyze-fortideceptor-fabric-solutions-lab-automate) - [Scenario - Story/Narrative | Fabric Solutions Lab - Automate](#scenario-story-narrative-fabric-solutions-lab-automate) - [FortiDLP & FortiSIEM | Fabric Solutions Lab - Automate](#fortidlp-fortisiem-fabric-solutions-lab-automate) - [Attack - Google Drive Upload | Fabric Solutions Lab - Automate](#attack-google-drive-upload-fabric-solutions-lab-automate) - [Attack - Trying to Disable FortiDLP | Fabric Solutions Lab - Automate](#attack-trying-to-disable-fortidlp-fabric-solutions-lab-automate) - [Task - Unlock Host | Fabric Solutions Lab - Automate](#task-unlock-host-fabric-solutions-lab-automate) - [Scenario - Story/Narrative | Fabric Solutions Lab - Automate](#scenario-story-narrative-fabric-solutions-lab-automate) - [Analyze - FortiSIEM | Fabric Solutions Lab - Automate](#analyze-fortisiem-fabric-solutions-lab-automate) - [FortiProxy & FortiSandbox | Fabric Solutions Lab - Automate](#fortiproxy-fortisandbox-fabric-solutions-lab-automate) - [Defence - Internal Mailbox | Fabric Solutions Lab - Automate](#defence-internal-mailbox-fabric-solutions-lab-automate) - [Analyze - FortiDLP | Fabric Solutions Lab - Automate](#analyze-fortidlp-fabric-solutions-lab-automate) - [Analyze - FortiWeb | Fabric Solutions Lab - Automate](#analyze-fortiweb-fabric-solutions-lab-automate) - [Defence - FortiSandbox | Fabric Solutions Lab - Automate](#defence-fortisandbox-fabric-solutions-lab-automate) - [Attack - Webserver | Fabric Solutions Lab - Automate](#attack-webserver-fabric-solutions-lab-automate) - [Scenario - Story/Narrative | Fabric Solutions Lab - Automate](#scenario-story-narrative-fabric-solutions-lab-automate) - [FortiWeb & FortiSandbox | Fabric Solutions Lab - Automate](#fortiweb-fortisandbox-fabric-solutions-lab-automate) - [Analyze - FortiSandbox | Fabric Solutions Lab - Automate](#analyze-fortisandbox-fabric-solutions-lab-automate) - [Attack - Malware Site | Fabric Solutions Lab - Automate](#attack-malware-site-fabric-solutions-lab-automate) - [Defence - FortiProxy | Fabric Solutions Lab - Automate](#defence-fortiproxy-fabric-solutions-lab-automate) - [Attack - Sending External Email | Fabric Solutions Lab - Automate](#attack-sending-external-email-fabric-solutions-lab-automate) - [Attack - Asking ChatGPT | Fabric Solutions Lab - Automate](#attack-asking-chatgpt-fabric-solutions-lab-automate) - [Attack - Webserver | Fabric Solutions Lab - Automate](#attack-webserver-fabric-solutions-lab-automate) - [Shared Resource Launcher | Fabric Solutions Lab - Shopping](#shared-resource-launcher-fabric-solutions-lab-shopping) - [Scenario Order | Fabric Solutions Lab - Shopping](#scenario-order-fabric-solutions-lab-shopping) - [Installation Checks | Fabric Solutions Lab - Shopping](#installation-checks-fabric-solutions-lab-shopping) - [Story/Narrative | Fabric Solutions Lab - Shopping](#story-narrative-fabric-solutions-lab-shopping) - [FortiPAM - RDP | Fabric Solutions Lab - Shopping](#fortipam-rdp-fabric-solutions-lab-shopping) - [Certificates at Scale | Fabric Solutions Lab - Shopping](#certificates-at-scale-fabric-solutions-lab-shopping) - [CIO & CTO Message | Fabric Solutions Lab - Shopping](#cio-cto-message-fabric-solutions-lab-shopping) - [FortiGate (FGT) Remote CA Configuration | Fabric Solutions Lab - Shopping](#fortigate-fgt-remote-ca-configuration-fabric-solutions-lab-shopping) - [Feedback | Fabric Solutions Lab - Shopping](#feedback-fabric-solutions-lab-shopping) - [Versions, Access & Credentials | Fabric Solutions Lab - Shopping](#versions-access-credentials-fabric-solutions-lab-shopping) - [Centralised Logging — PackTrack | Fabric Solutions Lab - Shopping](#centralised-logging-packtrack-fabric-solutions-lab-shopping) - [Downloading Malware (FCT) | Fabric Solutions Lab - Shopping](#downloading-malware-fct-fabric-solutions-lab-shopping) - [Verify FortiClient | Fabric Solutions Lab - Shopping](#verify-forticlient-fabric-solutions-lab-shopping) - [Scaling (FortiSIEM) | Fabric Solutions Lab - Shopping](#scaling-fortisiem-fabric-solutions-lab-shopping) - [Downloading Malware (FPX) | Fabric Solutions Lab - Shopping](#downloading-malware-fpx-fabric-solutions-lab-shopping) - [Probing the Decoys | Fabric Solutions Lab - Shopping](#probing-the-decoys-fabric-solutions-lab-shopping) - [Verifying using FortiClient | Fabric Solutions Lab - Shopping](#verifying-using-forticlient-fabric-solutions-lab-shopping) - [Inspecting What Staff Upload — Everywhere They Work | Fabric Solutions Lab - Shopping](#inspecting-what-staff-upload-everywhere-they-work-fabric-solutions-lab-shopping) - [Classification Tags | Fabric Solutions Lab - Shopping](#classification-tags-fabric-solutions-lab-shopping) - [FortiGate & FortiClient EMS | Fabric Solutions Lab - Shopping](#fortigate-forticlient-ems-fabric-solutions-lab-shopping) - [How does this scale? | Fabric Solutions Lab - Shopping](#how-does-this-scale-fabric-solutions-lab-shopping) - [Evidence Review (FortiDLP) | Fabric Solutions Lab - Shopping](#evidence-review-fortidlp-fabric-solutions-lab-shopping) - [Whats do we see and the response? | Fabric Solutions Lab - Shopping](#whats-do-we-see-and-the-response-fabric-solutions-lab-shopping) - [Configure WebProxy Firefox | Fabric Solutions Lab - Shopping](#configure-webproxy-firefox-fabric-solutions-lab-shopping) - [Mischievous user! | Fabric Solutions Lab - Shopping](#mischievous-user-fabric-solutions-lab-shopping) - [Automating (FortiSOAR) | Fabric Solutions Lab - Shopping](#automating-fortisoar-fabric-solutions-lab-shopping) - [FortiGate (FGT) CSR Request | Fabric Solutions Lab - Shopping](#fortigate-fgt-csr-request-fabric-solutions-lab-shopping) - [Centralised Logging — DailyGrind | Fabric Solutions Lab - Shopping](#centralised-logging-dailygrind-fabric-solutions-lab-shopping) - [FortiDeceptor Configuration | Fabric Solutions Lab - Shopping](#fortideceptor-configuration-fabric-solutions-lab-shopping) - [Using FortiSOAR to Tag a Endpoint | Fabric Solutions Lab - Shopping](#using-fortisoar-to-tag-a-endpoint-fabric-solutions-lab-shopping) - [FortiProxy Configuration | Fabric Solutions Lab - Shopping](#fortiproxy-configuration-fabric-solutions-lab-shopping) - [FortiAuthenticator (FAC) CSR Approval | Fabric Solutions Lab - Shopping](#fortiauthenticator-fac-csr-approval-fabric-solutions-lab-shopping) - [Tag-Driven ZTNA | Fabric Solutions Lab - Shopping](#tag-driven-ztna-fabric-solutions-lab-shopping) - [FortiWeb (FWB) Results | Fabric Solutions Lab - Shopping](#fortiweb-fwb-results-fabric-solutions-lab-shopping) - [How does this scale? | Fabric Solutions Lab - Shopping](#how-does-this-scale-fabric-solutions-lab-shopping) - [FortiAnalyzer (FAZ) Logs | Fabric Solutions Lab - Shopping](#fortianalyzer-faz-logs-fabric-solutions-lab-shopping) - [Configuring a webproxy in Firefox | Fabric Solutions Lab - Shopping](#configuring-a-webproxy-in-firefox-fabric-solutions-lab-shopping) - [Security Posture Tags | Fabric Solutions Lab - Shopping](#security-posture-tags-fabric-solutions-lab-shopping) - [The Threat in the Picture | Fabric Solutions Lab - Shopping](#the-threat-in-the-picture-fabric-solutions-lab-shopping) - [FortiADC (FAD) Configuration | Fabric Solutions Lab - Shopping](#fortiadc-fad-configuration-fabric-solutions-lab-shopping) - [Reviewing the logs | Fabric Solutions Lab - Shopping](#reviewing-the-logs-fabric-solutions-lab-shopping) - [FortiMail | Fabric Solutions Lab - Shopping](#fortimail-fabric-solutions-lab-shopping) - [FortiGate (FGT) Reviewing Dashboards | Fabric Solutions Lab - Shopping](#fortigate-fgt-reviewing-dashboards-fabric-solutions-lab-shopping) - [When Chatbots Go Rogue | Fabric Solutions Lab - Shopping](#when-chatbots-go-rogue-fabric-solutions-lab-shopping) - [Who's Talking to the AI? | Fabric Solutions Lab - Shopping](#who-s-talking-to-the-ai-fabric-solutions-lab-shopping) - [Centralised Logging — FortiStore | Fabric Solutions Lab - Shopping](#centralised-logging-fortistore-fabric-solutions-lab-shopping) - [Testing Using Windows Host | Fabric Solutions Lab - Shopping](#testing-using-windows-host-fabric-solutions-lab-shopping) - [FortiProxy Configuration #2 | Fabric Solutions Lab - Shopping](#fortiproxy-configuration-2-fabric-solutions-lab-shopping) - [Chatting to the Chatbot! | Fabric Solutions Lab - Shopping](#chatting-to-the-chatbot-fabric-solutions-lab-shopping) - [FortiGate (FGT) Configuration Check | Fabric Solutions Lab - Shopping](#fortigate-fgt-configuration-check-fabric-solutions-lab-shopping) - [Guilty Until Detonated | Fabric Solutions Lab - Shopping](#guilty-until-detonated-fabric-solutions-lab-shopping) - [The Trap Inside the Walls | Fabric Solutions Lab - Shopping](#the-trap-inside-the-walls-fabric-solutions-lab-shopping) - [FortiProxy Configuration | Fabric Solutions Lab - Shopping](#fortiproxy-configuration-fabric-solutions-lab-shopping) - [Sending the Mail | Fabric Solutions Lab - Shopping](#sending-the-mail-fabric-solutions-lab-shopping) - [FortiWeb (FWB) Configuration Check | Fabric Solutions Lab - Shopping](#fortiweb-fwb-configuration-check-fabric-solutions-lab-shopping) - [FortiGate (FGT) CSR Import | Fabric Solutions Lab - Shopping](#fortigate-fgt-csr-import-fabric-solutions-lab-shopping) - [FortiProxy Logs | Fabric Solutions Lab - Shopping](#fortiproxy-logs-fabric-solutions-lab-shopping) - [Mischievous user! (Continued) | Fabric Solutions Lab - Shopping](#mischievous-user-continued-fabric-solutions-lab-shopping) - [Testing the Load Balancing | Fabric Solutions Lab - Shopping](#testing-the-load-balancing-fabric-solutions-lab-shopping) - [Coaching, Then Consequences | Fabric Solutions Lab - Shopping](#coaching-then-consequences-fabric-solutions-lab-shopping) - [Browsing to Webserver | Fabric Solutions Lab - Shopping](#browsing-to-webserver-fabric-solutions-lab-shopping) - [Introduction & Getting Started | Fabric Solutions Lab - Mitre](#introduction-getting-started-fabric-solutions-lab-mitre) - [Introduction & Getting Started | Fabric Solutions Lab - Original](#introduction-getting-started-fabric-solutions-lab-original) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) --- # Introduction | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/introduction.md) . Welcome to the 2026 lab environment! Created by Senior Consulting Systems Engineer (CSE): Chris Eddisford - [LinkedIn Click Me!](https://www.linkedin.com/in/chris-eddisford-5b676462/) As the Fabric Solutions team, our focus is multi-product solutions — whether that's products with native integrations, or products that simply work well together to achieve an outcome the customer has outlined. We talk about a wide range of products as a team, and you'll come across plenty of them inside this lab. The goal, however, isn't a technical deep dive into any individual product. It's about what becomes possible when they work together. By the time you finish this lab, we hope you'll be able to take the multi-product solutions you've learnt here into the real world — and that along the way, you'll have discovered a product or two you'd never seen before. That's the goal! #### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping#a-few-things-to-know-before-you-start) A few things to know before you start You'll each receive a dedicated **Fabric Studio instance**, containing various Fortinet products and virtual hosts. With so many products on display, however, some run **outside** your Fabric Studio instance, and you'll interact with these via the virtual hosts or via FortiPAM. These external products are **shared between all attendees** — by design. We want you to get a genuine feel for how these products behave in a real deployment. Analytical platforms, for example, typically carry logs from many different sources, and that's exactly what you'll see here. Multiple Fabric Solutions labs are all feeding into the same shared appliances. Where it helps, some scenarios include tips on filtering the logs down to just your own activity. We'd absolutely encourage you to have a look around these shared products — there's plenty to explore. **If you're prompted to download or install new firmware when logging into an appliance, please ignore it.** This lab has been tested with the provided firmware versions, and the Fabric CSE team will continue to test and update the environment after thorough evaluation. Please note if you're an Fortinet employee, you need to request access to Fabric Solutions Lab via a Microsoft Form - [Click Me](https://forms.office.com/r/puBFVkkLFB) on completion of the form, you will be provided access to a self-serve portal immediately where you can spin up an instance and start labbing whenever time permits. We also allow technical employees to self-serve and host various Fabric Solutions Labs (Including this one), we can support up to 50 pods at once. Futher information can be found here - [Click Me](https://fortinet.sharepoint.com/sites/CSEFabricSolutionsEMEA/SitePages/CSE-Enablement-Lab.aspx) Some of the scenarios contain real attacks that will do major damage if detonated or used outside of the lab environment so please follow the lab guide carefully. #### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping#your-engagement) Your engagement In this lab, you'll be at the helm of a newly appointed partner, brought in following a breach at a major shopping centre. Head to [Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative) to meet your customer. [NextStory/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative) Last updated 14 days ago --- # Introduction & Getting Started | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started.md) . [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate#introduction-and-getting-started) Introduction & Getting Started ---------------------------------------------------------------------------------------------------------------------------------------- Welcome to the lab environment created by the CSE Fabric Solutions team. This particular instance is unique in that **ALL** the configuration has been done for you, enabling you to conduct the scenarios quickly and effectively. Its purpose is to be used for customer-facing demonstrations where you don't have the time to do the configuration, and it's a combination of the scenarios from [Fabric Solutions Lab - Original](https://fabriclab-tech.gitbook.io/fabric-lab/) [Fabric Solutions Lab - Mitre](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-mitre) **The purpose** demonstrate how Fortinet products work together to enhance security. By integrating multiple Fortinet products, we can reduce attack risks and respond to threats automatically. The focus is on product integration rather than individual features. Each section of this lab is independent, so you can complete each secenario in any order. The instance within Fabric Studio is dedicated to you, but please avoid saving any configuration changes. Occasionally, you may need to connect to external resources, which are shared and secured separately from your Fabric Studio instance. If you are prompted to download or install new firmware when logging into an appliance, please **ignore it**. This lab has been tested with the provided firmware versions. The Fabric CSE team will continue to test and update the environment after thorough evaluation. Created by Consulting Systems Engineer (CSE): Chris Eddisford - [LinkedIn Click Me!](https://www.linkedin.com/in/chris-eddisford-5b676462/) ​ Please note if you're an internal Fortinet employee, you need to request access to Fabric Solutions Lab via a Microsoft Form - [Click Me](https://forms.office.com/r/puBFVkkLFB) once compleated you will be provided details for a self serve portal where you can spin up a instance on demand. Some of the scenarios contain real attacks that will do major damage if detonated or used outside of the lab environment so please refrain from doing this. [NextAccess Credentials](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/access-credentials) Last updated 5 months ago --- # Access Credentials | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/access-credentials.md) . Device Name Type Username Password Fabric Studio admin Fortinet1! FortiNDR FNDR admin Fortinet1! FortiEDR FEDR admin Fortinet1! FortiAuthenticator FAC admin Fortinet1! FortiSOAR FSR admin Fortinet1! FortiSIEM FSM admin Fortinet1! FortiDeceptor FDC admin Fortinet1! FortiSandbox FSA admin Fortinet1! FortiProxy FPX admin Fortinet1! FortiMail FML admin fortinet4A!! FortiGate FGT admin fortinet4A!! FortiWeb FWB admin fortinet4A!! External Attacker Windows Host None Required None Required Internal Host Windows Host fabriclab\\demouser5 Fortinet1! WebServer Windows Host None Required None Required Host-Kali Kali Host kali fortinet Host-Windows Windows Host None Required None Required Host-FileServer Windows Host None Required None Required Host-External Ubuntu Host ubuntu fortinet [PreviousIntroduction & Getting Started](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate) [NextFirmware Versions](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/firmware-versions) Last updated 4 months ago --- # Firmware Versions | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/firmware-versions.md) . Device Name Lab FortiOS Version FortiMail (FML) 7.4.5 FortiGate (FGT) 7.6.4 Shared FotiGate (FGT) 7.6.6 FortiWeb (FWB) 8.0.1 FortiNDR (FNDR) 7.4.3 FortiProxy (FPX) 7.4.3 FortiIsolator (FIS) 3.0.0 FortiSandbox (FSA) 4.4.6 FortiSIEM (FSM) 7.4.2 FortiSOAR (FSOAR) 7.6.5 FortiDeceptor (FDC) 5.3.0 FortiClient EMS (FCT) 7.4.1 [PreviousAccess Credentials](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/access-credentials) [NextAccessing the lab environment](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/accessing-the-lab-environment) Last updated 4 months ago --- # Accessing the lab environment | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/accessing-the-lab-environment.md) . Inital setup is done via the self-serve-portal, to obtain the details you need to fill out the [Microsoft Form](https://forms.office.com/r/puBFVkkLFB) you will then be provided details to a Self-Serve-Portal where you can spin up a instance on demand! Insert Images [PreviousFirmware Versions](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/firmware-versions) [NextAttack & Defence #1](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1) Last updated 5 months ago --- # Attack & Defence #1 | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1.md) . [Scenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/scenario-story-narrative) [Attack - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/attack-scenario-steps) [Defence - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-scenario-steps) [Analyze - FortiMail & FortiNDR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortimail-and-fortindr) [Defence - FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisiem) [Analyze - FortiSOAR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortisoar) [Defence - FortiSOAR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisoar) [Defence - FortiClient](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-forticlient) [PreviousAccessing the lab environment](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/accessing-the-lab-environment) [NextScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/scenario-story-narrative) --- # Scenario - Story/Narrative | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/scenario-story-narrative.md) . Just a reminder that this lab has little/no configuration if you wish to conduct the configuration yourself then please use the Fabric Solutions Lab - Orginal or Fabric Solultions Lab - Mitre versions! - Links to these can be found here [Click Me](https://fortinet.sharepoint.com/sites/CSEFabricSolutionsEMEA/SitePages/CSE-Enablement-Lab.aspx) and are selectable options in the self-serve portal. You are a malicious threat actor who is trying to penetrate into a company via sending malicious emails attaching malware to those emails. You then change to the defence side using various Fortinet products (FortiMail, FortiNDR, FortiClient, FortiSOAR, FortiSIEM) as part of the defence. You play both roles: 1. You are the attacker you will craft and send a malicious email with a malware attachment, exactly as a real threat actor would. 2. You are the defender you watch The email gets passed from FortiMail to FortiNDR. you observe the behaviour of both the Internal (Protected by FortiNDR) and the Unprotected mailboxes. For the Internal Mailbox you observe FortiNDR sending its verdict back to FortiMail. 3. However, you shouldn't stop there. You should then use FortiSIEM to understand if this is part of a wider threat. As an example, has this threat been seen across multiple mailboxes? Is it more of a concern than if it was just a single user. You then move to FortiSOAR to investigate further, quarantining the host using FortiClient. [PreviousAttack & Defence #1](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1) [NextAttack - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/attack-scenario-steps) Last updated 5 months ago --- # Attack - Scenario Steps | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/attack-scenario-steps.md) . ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fi0gbHUwZjGEK4KYGeV01%252FScreenshot%25202026-01-14%2520at%25203.09.01%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3De0b52c54-7934-49dc-a5d2-9396a1a826a2&width=768&dpr=3&quality=100&sign=8f537d0e&sv=2) Enter the login details, `Username: external / Password: fortinet` On logging in, click the Drafts button on the left-hand side. You should then see draft emails ready for selection. As we're doing the Attack & Defence #1 scenario, click that email ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F2YZtlrXqWxZKHMJqQpHy%252FScreenshot%25202026-01-19%2520at%252010.17.55%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D597d5b42-ae73-496b-97ab-c6cafdd51ded&width=768&dpr=3&quality=100&sign=9205833a&sv=2) You will see that WannaCry.exe is pre-attached (Handle it with care!) press send! [PreviousScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/scenario-story-narrative) [NextDefence - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-scenario-steps) Last updated 5 months ago --- # Defence - Scenario Steps | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-scenario-steps.md) . Open your Fabric Studio instance, locate the object "Inside Host", right-click it, access, and then display. Another browser tab should open. Open Google Chrome you will find a bookmark called Webmail click it. If your asked for a Username & Password for inside host its `Username: fabriclab\demouser5 / Password: Fortinet1!` Enter the login details, `Username: unprotected / Password: fortinet` and click Log In ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FqUGWskFCXFquqBE5Nw4u%252FScreenshot%25202026-01-14%2520at%25203.17.48%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D2f468576-74b2-496c-a20d-419962eb5273&width=768&dpr=3&quality=100&sign=719ce3a3&sv=2) You will find an email in the mailbox unfortunately, on clicking it, you will find that the malware has not been remediated and is present in the email. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FhWkz0mXcq4omFdYbGlVi%252FScreenshot%25202026-01-19%2520at%252010.25.18%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Db524f081-9a1d-4869-bcce-aa025712ad22&width=768&dpr=3&quality=100&sign=2b0123e5&sv=2) For this mailbox (Unprotectred), this is by design because there were no AV profiles attached to the policy within FortiMail. However, if you go to the top right-hand corner and click "Unprotected," and then log out Enter the login details, `Username: internal / Password: fortinet` and click Log In ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FJ2cEjK11JfMX2Zpg7zoy%252FScreenshot%25202026-01-14%2520at%25203.27.29%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D66c2b920-0799-4989-8cf8-90db9f01645c&width=768&dpr=3&quality=100&sign=dd2b3457&sv=2) You will see that the WannaCry attachment has been stripped and that the email subject has now got a \[Malicious Header\] ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F6oXrbhu5BdJQw5WqIzIB%252FScreenshot%25202026-01-19%2520at%252010.27.48%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D37df1225-5fa1-4f0b-ad51-c76cbf91981e&width=768&dpr=3&quality=100&sign=878ad969&sv=2) [PreviousAttack - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/attack-scenario-steps) [NextAnalyze - FortiMail & FortiNDR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortimail-and-fortindr) Last updated 4 months ago --- # Defence - FortiSIEM | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisiem.md) . Please log in to [FortiSIEM](https://10.222.101.28/phoenix/login.html) using the hyperlink. `Username: EndGame / Password: Fortinet1! / Org: EndGame` In the top navigation bar, if you click "Incidents," the alter the list option to be by "time" ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FxIgce7TaYcw2jOFlmjIZ%252FScreenshot%25202026-01-19%2520at%252010.51.40%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D10170534-56ed-44e1-b650-5beec5901255&width=768&dpr=3&quality=100&sign=102e9d59&sv=2) You can see that FortiSIEM also has an understanding of the attack. This is via it sending syslog to the FortiSIEM Log Collector inside the Fabric Studio instance, which then forwards to the main FortiSIEM supervisor. The important information to us is the ID that is next to the severity column, please take a note of this, we will need this to import the incident into FortiSOAR as a event. Your ID will likely be different however as a example ours is 86396 [PreviousAnalyze - FortiMail & FortiNDR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortimail-and-fortindr) [NextAnalyze - FortiSOAR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortisoar) Last updated 5 months ago --- # Attack & Defence #2 | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2.md) . [Scenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/scenario-story-narrative) [Attack - RDP Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/attack-rdp-host) [Defence - FortiDeceptor](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortideceptor) [Defence - FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisiem) [Defence - FortiSOAR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisoar) [Defence - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortigate) [PreviousDefence - FortiClient](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-forticlient) [NextScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/scenario-story-narrative) Last updated 5 months ago --- # Defence - FortiClient | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-forticlient.md) . Using the hyperlink log into [FortiClient EMS](https://10.222.101.40/#/endpoints/page) `Username: FabricSolutionsLab / Password: Fortinet1!` On the left-hand pane, you should see EndPoints > All EndPoints click that, you should see a device called EndGame, click it. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FSNKljKjahNryJCKf7ifO%252FScreenshot%25202026-01-19%2520at%252012.56.52%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D571d5655-dec8-4861-978d-f50bc0479503&width=768&dpr=3&quality=100&sign=ae4ee252&sv=2) As you can see under classification tags, you can see the WannaCry entry. These can be used for all sorts of functions, such as automatically segmenting the device based on the WannaCry tag into its own isolated network. [PreviousDefence - FortiSOAR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisoar) [NextAttack & Defence #2](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2) Last updated 5 months ago --- # Defence - FortiSOAR | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisoar.md) . Using the event that you should have opened from the previous task. If you look at the bottom of the page, you should see an actions button. Click it. Search for FortiClient and then expand the box, you should see many different automation options available ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FizAewvq9IcvOsRJNHPvM%252FScreenshot%25202026-01-19%2520at%252012.06.44%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D473d2703-fdbc-41b3-953b-7f36631c2d1b&width=768&dpr=3&quality=100&sign=82396846&sv=2) Select where it says "Get All Endpoints" another sub-window should open up, you don't need to enter any data, just click Execute Action ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fu1bVbl4S52DCO13ru5sF%252FScreenshot%25202026-01-19%2520at%252012.08.26%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Db36099ae-71c7-4130-89c2-6ff972ceb317&width=768&dpr=3&quality=100&sign=164433fe&sv=2) Once the data is loaded, just click the JSON button ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F0fib2w08ccCsYA2nTfhD%252FScreenshot%25202026-01-19%2520at%252012.08.58%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dfd61d3fc-54f7-4b7b-81c6-16792536409d&width=768&dpr=3&quality=100&sign=a6f963b2&sv=2) This FortiSOAR instance can get quite busy because it's a shared instancemeaning that you might see multiple FortiClient hosts I recommend entering "EndGame" in the filter box. Your looking for the device ID it should be 227. You will need to remember this for the next task At the bottom, click 'Actions' and search for "FortiClient" ![](https://fabriclab-tech.gitbook.io/fabric-lab/~gitbook/image?url=https%3A%2F%2F4195486220-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FBuGANls9sCzGfNwYlECu%252Fuploads%252FKBwEOcZVICFge25IxGC1%252Fimage.png%3Falt%3Dmedia%26token%3D1deb014f-b878-4a4f-a921-198e4611128b&width=768&dpr=4&quality=100&sign=68f46a44&sv=2) 1. Click where it says 'FortiClient EMS' 2. This time, find the Action "Create Custom Tag" 3. Under Tag Name enter "WannaCry" 4. Under Device ID Enter the ID you collected in the previous steps ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FTuKqfpscw8y0PhdN1MjC%252FScreenshot%25202026-01-19%2520at%252012.49.40%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dad608808-ff36-45f0-9bd3-bdef931975ce&width=768&dpr=3&quality=100&sign=9f1795f2&sv=2) On clicking "Execute action," you should get confirmation with the success message ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FDmgLuuKVAeBJE0QEkgAa%252FScreenshot%25202026-01-19%2520at%252012.50.22%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D13e70693-c7e7-4b8a-a534-3e77e3b666fa&width=768&dpr=3&quality=100&sign=7c7fa86b&sv=2) [PreviousAnalyze - FortiSOAR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortisoar) [NextDefence - FortiClient](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-forticlient) Last updated 5 months ago --- # Defence - FortiDeceptor | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortideceptor.md) . Please log in to [FortiDeceptor](https://10.222.101.29/halo/login?returnUrl=%2F) using the hyperlink. `Username: admin / Password: Fortinet1!` On login, if you use the left-hand pane sidebar to browse to Incident > Analysis You should see the RDP event that you just created. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FzBTlekxNxaEMykKvSwrv%252FScreenshot%25202026-02-09%2520at%252012.01.09%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D07a1779b-da23-4253-b45d-d679c1b9b2e5&width=768&dpr=3&quality=100&sign=7e6fb963&sv=2) Double-click it for more information, you can see an exact timeline and the credentials used to actually log in. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FPZ9T9VuUnjqm3fw56H3T%252FScreenshot%25202026-02-09%2520at%252012.02.14%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D36500ebc-ee1b-474f-9259-446bcde868c3&width=768&dpr=3&quality=100&sign=8c89597f&sv=2) [PreviousAttack - RDP Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/attack-rdp-host) [NextDefence - FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisiem) Last updated 5 months ago --- # Attack - RDP Host | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/attack-rdp-host.md) . Open your Fabric Studio instance, locate the object "External Attacker ", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance. On the desktop, you should see a remote desktop icon. Double-click it. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FtB48eQWrz9JeN4h0TMiN%252FScreenshot%25202026-02-09%2520at%252011.28.27%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Db66be1ea-34b4-420b-82cb-44cb9de95363&width=768&dpr=3&quality=100&sign=fec798f8&sv=2) Select either 10.222.102.223 or 10.222.102.224, click "Connect" and press "Yes" on the next pop-up. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FYUPcAWMIWYA9m6P97OCe%252FScreenshot%25202026-02-09%2520at%252011.30.48%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dddcc214d-dea9-4d00-b5dd-07db7d1043b8&width=768&dpr=3&quality=100&sign=a21d3c4&sv=2) Try and use your credentials that you found on the dark web to log into the administrator account `Username: Administrator / Password: Fortinet1!` this will fail! however, not to worry. You also have some credentials for Fabric Lab click this user and then enter the same password as above `Password: Fortinet1!` ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FBzD6PfCeRaM8d4uZpOZi%252Fimage.png%3Falt%3Dmedia%26token%3D6643599c-a8e6-4886-b93e-83727749b025&width=768&dpr=3&quality=100&sign=aaa4a8e3&sv=2) Eventually you should log in ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FXwKaUGuVSAuOQ6hvN5Ux%252FScreenshot%25202026-02-09%2520at%252011.34.38%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D5d60e1be-608c-4281-968c-07d7b91c2773&width=768&dpr=3&quality=100&sign=dcbc7e6e&sv=2) At this point, you don't need to do anything other than close the RDP session, this is done by clicking the 'X' in the middle at the top of the page. [PreviousScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/scenario-story-narrative) [NextDefence - FortiDeceptor](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortideceptor) Last updated 5 months ago --- # Scenario - Story/Narrative | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/scenario-story-narrative.md) . You are a malicious threat actor who has obtained some credentials via the dark web to an RDP server that might be publicly exposed. You attempt to exploit these credentials by establishing an RDP connection to the server. What you don't know is that the RDP server that you are actually connecting to is a honeypot spawned by FortiDeceptor. The internal IT department is now onto you, with your every move being logged. However, we don't have the time to just sit and watch. There's actually various other products in FortiSIEM, FortiSOAR, and FortiGate ready to respond in an automated way, as you go through the scenario, you will see this. [PreviousAttack & Defence #2](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2) [NextAttack - RDP Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/attack-rdp-host) Last updated 5 months ago --- # Defence - FortiGate | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortigate.md) . Please log in to [FortiGate](https://10.222.101.31/firewall/policy/policy/standard) using the hyperlink. `Username: admin / Password: Fortinet1!` If you look at the left-hand pane, Policy & Objects, Firewall Policies On the part1 to port1 You should see a firewall policy as below that has a destination which is the dynamic address object "FSOAR-DYN-BLK-GRP" ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FsOl89qk1dbB79EVMg2UH%252Fimage.png%3Falt%3Dmedia%26token%3Dcb584b00-46dd-4995-b5cf-b27ea17e865f&width=768&dpr=3&quality=100&sign=a87abb1e&sv=2) If you hover over "FSOAR-DYN-BLK\_GRP" you will see that the 10.222.102.45 address has been added to the address group, this is the source IP address of the host that accessed the RDP decoy. [PreviousDefence - FortiSOAR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisoar) [NextAttack & Defence #3](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3) Last updated 4 months ago --- # Scenario - Story/Narrative | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/scenario-story-narrative.md) . You are a rogue user who likes to push the boundaries of the IT department, historically this has included trying to tamper with and disable various protections including Windows Firewall, FortiDLP & FortiEDR. Historically this hasn't always been trackable by the IT department because the user's identity hasn't always been known, for a long time the company was using computers that were not domain joined and local users... resulting in logs being very unusable as the admin just sees an IP address, they then need to access the DHCP server to find out who received that IP address at the specific time, think about this: when you have thousands of users it's not very scalable, is it? The IT department has started to roll out Active Directory and FortiClient with the Single Sign-on Mobility Agent (SSOMA) enabled, on login and log off this collects the user's username and ties it to the IP address, this also includes if the user switches from a wired to wireless connection. This information is shared with FortiAuthenticator that then shares with all downstream FortiGate appliances using FSSO. This collection of data is done natively via FortiClient, we are not polling the Active Directory servers directly (however it's possible) as we opted to reduce the load on the AD Servers and making this much more scalable. As a result of these recent changes the administrators now have the correct username visible in logs such as the local FortiGate & FortiAnalyzer. This means that we can reference AD groups for example in firewall policies, or we could increase the posture further by referencing ZTNA security posture tags in firewall policy. The IT team is now mandating the deployment of the following scenario, access to internal web servers needs to be controlled via security tags that are propagated via FortiClient as an example only endpoints that have FortiEDR and FortiDLP running are able to achieve this, in the event of this changing as a example a user tries to tamper with either of these two products then the tag is to be removed and the session should be terminated **immediately.** This is a major shift away from source and destination based firewalling, where the posture of the device itself is not taken into consideration. In the new world it is and it's far more secure! [PreviousAttack & Defence #3](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3) [NextCheck - Windows Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/check-windows-host) Last updated 4 months ago --- # Show - FortiClient EMS | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-forticlient-ems.md) . Please log into [FortiClient EMS](https://10.222.101.40/#/signin) using the hyperlink `Username: FabricSolutionsLab / Password: Fortinet1!` On login if you use the left-hand sidebar to browse to security posture tags, tagging rules, have a look inside the rules that have been created. Take note that FortiEDR and Windows have pre-defined rules to be used (Meaning the user doesn't need to do any advanced configuration). ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FBCpyrkL0N9gJTQ262Kok%252FScreenshot%25202026-02-25%2520at%25201.08.16%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D97a50233-08bc-498e-afdf-56602328c8f1&width=768&dpr=3&quality=100&sign=a4778a95&sv=2) We will be using these tags that get applied to endpoints to further secure access to specific destinations via a FortiGate shortly. You can also use the Left hand pane > Security posture tags > Tag Monitor to view what tags are currently applied to what endpoints. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FwytEjdJ9CV4TnUaP5eoD%252FScreenshot%25202026-02-25%2520at%25201.13.25%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D6a74b9e1-1d17-4f16-bfd7-be7c14e145c2&width=768&dpr=3&quality=100&sign=30e0a7e6&sv=2) [PreviousCheck - Windows Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/check-windows-host) [NextShow - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-fortigate) Last updated 4 months ago --- # Attack & Defence #3 | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3.md) . [Scenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/scenario-story-narrative) [Check - Windows Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/check-windows-host) [Show - FortiClient EMS](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-forticlient-ems) [Show - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-fortigate) [Access - Webserver](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/access-webserver) [Review - FortiAnalyzer](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/review-fortianalyzer) [PreviousDefence - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortigate) [NextScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/scenario-story-narrative) --- # Check - Windows Host | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/check-windows-host.md) . Start by logging into the Fabric Studio instance, locating the object "Inside Host", right-clicking it, access, and then display. If your asked for a Username & Password for inside host its `Username: fabriclab\demouser5 / Password: Fortinet1!` Its very importnat you login as a domain user (As above) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fsct4HbmFsxQ066g3NNQ0%252FScreenshot%25202025-12-04%2520at%252011.26.11%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D3232e19a-69e8-4f6e-bc09-b1dcb661eb14&width=768&dpr=3&quality=100&sign=36853488&sv=2) Once you're logged in, locate FortiClient. It should be in the taskbar in the bottom right-hand corner (Example below) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fm440CSPp37cjwmwOhjJK%252FScreenshot%25202026-02-25%2520at%252012.55.18%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D0eac05fb-71ab-43f9-8fe6-71c178ded062&width=768&dpr=3&quality=100&sign=b2090335&sv=2) Make sure that you click the DemoUser5 profile, take a note of the security posture tags that are listed (FortiEDR\_Running & FortiDLP\_Running) [PreviousScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/scenario-story-narrative) [NextShow - FortiClient EMS](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-forticlient-ems) Last updated 4 months ago --- # Analyze - FortiSOAR | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortisoar.md) . Please log into [FortiSOAR](https://10.222.101.22/login/) using the hyperlink. `Username: csadmin / Password: fortinet` To restrict the amount of logs being ingested from FortiSIEM into FortiSOAR, you need to manually ingest the specific Incident found in FortiSIEM. _Normally this would be automated._ 1. This is done by using the left hand pane > Automation > Data Ingestion 2. Find FortiSIEM ![](https://fabriclab-tech.gitbook.io/fabric-lab/~gitbook/image?url=https%3A%2F%2F4195486220-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FBuGANls9sCzGfNwYlECu%252Fuploads%252F8gDYYNIEjVBIdiAEccDD%252Fimage.png%3Falt%3Dmedia%26token%3Df8a102c8-87bb-4393-9597-e7de9c27dbe5&width=768&dpr=4&quality=100&sign=f3fef37e&sv=2) 1. Click Settings 2. Click "Let's start by fetching some data" 3. Change Fetch Mode to "By Sample Incident ID" this is the ID that you collected in the previous step [Defence - FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisiem) ![](https://fabriclab-tech.gitbook.io/fabric-lab/~gitbook/image?url=https%3A%2F%2F4195486220-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FBuGANls9sCzGfNwYlECu%252Fuploads%252FRvpWuL5tUE6jm2Ek4fIk%252Fimage.png%3Falt%3Dmedia%26token%3D13d16d22-224f-4fea-9547-5da740c1849b&width=768&dpr=4&quality=100&sign=a8f3f9a6&sv=2) 1. Click Fetch Data 2. Do you want to schedule the ingestion? Please select "No" 3. Click "Save Settings & Continue" 4. Click "Trigger Ingestion Now" 5. Using the left-hand sidebar, if you navigate to Incident Response > Alerts. You should see an entry that says: FortiMail found malicious spam file attachment. WannaCry (Example of the nav bar and the alert below) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FyA9flUqB293A9Zdu9aq6%252FScreenshot%25202026-01-19%2520at%252011.55.54%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D8b4a37f4-7419-48eb-b221-b034bcec4fe1&width=768&dpr=3&quality=100&sign=eb5d6f07&sv=2) 1. Double-click into the correct alert ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FjNZBbimmkApXiayHmOsI%252FScreenshot%25202026-01-19%2520at%252012.02.27%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3De60c72ce-4fa5-4b41-8955-f037fdff4ec6&width=768&dpr=3&quality=100&sign=283fd7a7&sv=2) [PreviousDefence - FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisiem) [NextDefence - FortiSOAR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisoar) Last updated 5 months ago --- # Defence - FortiSOAR | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisoar.md) . Please log into [FortiSOAR](https://10.222.101.22/login/) using the hyperlink. `Username: csadmin / Password: fortinet` To restrict the amount of logs being ingested from FortiSIEM into FortiSOAR, you need to manually ingest the specific Incident found in FortiSIEM. _Normally this would be automated._ This is done by using the left hand pane > Automation > Data Ingestion, Find FortiSIEM ![](https://fabriclab-tech.gitbook.io/fabric-lab/~gitbook/image?url=https%3A%2F%2F4195486220-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FBuGANls9sCzGfNwYlECu%252Fuploads%252F8gDYYNIEjVBIdiAEccDD%252Fimage.png%3Falt%3Dmedia%26token%3Df8a102c8-87bb-4393-9597-e7de9c27dbe5&width=768&dpr=4&quality=100&sign=f3fef37e&sv=2) Click Settings, Click "Let's start by fetching some data", Change Fetch Mode to "By Sample Incident ID" this is the ID that you collected in the previous step [Defence - FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisiem) ![](https://fabriclab-tech.gitbook.io/fabric-lab/~gitbook/image?url=https%3A%2F%2F4195486220-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FBuGANls9sCzGfNwYlECu%252Fuploads%252FRvpWuL5tUE6jm2Ek4fIk%252Fimage.png%3Falt%3Dmedia%26token%3D13d16d22-224f-4fea-9547-5da740c1849b&width=768&dpr=4&quality=100&sign=a8f3f9a6&sv=2) Click Fetch Data, Do you want to schedule the ingestion? Please select "No", Click "Save Settings & Continue", Click "Trigger Ingestion Now", Now, using the left-hand sidebar, browse to the alert section one of the most recent alerts should read: Successful RDP login to decoy from ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FnoP3cVuXDWIrZ6CRH6dh%252FScreenshot%25202026-02-09%2520at%252012.32.32%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D887548aa-159b-4985-b19c-b11d8b5f0105&width=768&dpr=3&quality=100&sign=af51487&sv=2) Click the alert to enter into more details. Lots of correlated and enriched data can be found here ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FbWlKvRb52JUHj4FGUqnB%252FScreenshot%25202026-02-09%2520at%252012.34.48%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D1e1536d8-9774-4ea6-b73a-d504bf2dad76&width=768&dpr=3&quality=100&sign=526339d9&sv=2) If you scroll down very slightly, you will find a diagram. This is a correlation of every single time that FortiSASE has seen an attack that matches this vector, just to explain, the FortiSOAR instance is shared across many different lab environments. It's constantly being populated with attack simulation data from various other environments what it's done here is correlated all the different source IP addresses and created a logical diagram so you could see how just how many devices have attempted this attack. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fk3tuHl0tE7Xwjdo6IlAU%252Fimage.png%3Falt%3Dmedia%26token%3Dc3a38519-7877-4c97-a823-9cb69bddd709&width=768&dpr=3&quality=100&sign=45db67a4&sv=2) Now if you scroll back to the top where you've got alert details and playbooks, click playbooks ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FOVM7U358aRGRbVovK9OA%252Fimage.png%3Falt%3Dmedia%26token%3Df5b0c1e3-b556-4250-8a00-21887e508572&width=768&dpr=3&quality=100&sign=be644e86&sv=2) You will see that our playbook has also automatically initiated. The administrator has done this associated with the play, but with the updating of a record when the subject matches as below ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FRTNLQykLUDBTB3yKauww%252Fimage.png%3Falt%3Dmedia%26token%3Def35b036-36cf-4bde-8d3c-353291f0cc44&width=768&dpr=3&quality=100&sign=3238d7e7&sv=2) This then adds the source IP address of the attacker to a dynamic address group within the FortiGate firewall ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F7FrQCMJpUPaLUgMhsaR3%252FScreenshot%25202026-02-09%2520at%25202.43.24%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Df7ae2bde-e754-4d10-9a84-0a1e0884faf5&width=768&dpr=3&quality=100&sign=a66d4a4c&sv=2) [PreviousDefence - FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisiem) [NextDefence - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortigate) Last updated 4 months ago --- # Defence - FortiSIEM | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisiem.md) . Please log in to [FortiSIEM](https://10.222.101.28/phoenix/login.html) using the hyperlink. `Username: admin / Password: Fortinet1!/ Organization: super` ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F3YJMaxb3Pltjwd0v3HL1%252FScreenshot%25202026-02-04%2520at%25201.29.38%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Da8c79a56-42d6-421e-beee-613942db2b2d&width=768&dpr=3&quality=100&sign=75bb9cba&sv=2) In the top right, click the exit button and then change organisation view ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fp4BqwfL8qA82BOAumvFe%252FScreenshot%25202026-02-04%2520at%25201.31.13%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dc5090421-b8b8-4fd6-8a4c-725924eaf520&width=768&dpr=3&quality=100&sign=268da739&sv=2) Select admin view, local, and then press Change View ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FYmfOTRKCy5lPJtlG9pDr%252FScreenshot%25202026-02-04%2520at%25201.31.49%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D10d072c0-99ee-4550-bf11-cd943cb750b8&width=768&dpr=3&quality=100&sign=12b58101&sv=2) In the top nav bar, ensure that Dashboard is selected, using the drop-down menu on the left-hand side, ensure that Fortinet Security Fabric is selected and also FortiDeceptor. You will see that there's been some RDP events recorded ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FUECVi5pwhOmwmJZnZf4X%252Fimage.png%3Falt%3Dmedia%26token%3D7ae37191-9645-44f1-89bf-c1fb2e8ba126&width=768&dpr=3&quality=100&sign=413e28fd&sv=2) Using the top nav bar, click the bell icon to move over to incidents, you will see various incidents, but please note that you should see the FortiDeceptor successful RDP log in to decoy alert. Click the header as below in the screenshot ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FqDRFvtkBSa36JsKiPaNN%252FScreenshot%25202026-02-09%2520at%252012.23.06%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D0f080298-77db-4296-b56c-917a2c40e2e1&width=768&dpr=3&quality=100&sign=9bda4727&sv=2) This should open up another section like the screenshot below take a note/copy the incident ID (this will be different when you conduct your own scenario a will be needed for the further steps into FortiSOAR ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fcdr7dunFmzIM5NmYtVtX%252Fimage.png%3Falt%3Dmedia%26token%3D4901d048-5365-4699-829a-496e8538c7fe&width=768&dpr=3&quality=100&sign=6f7bc595&sv=2) [PreviousDefence - FortiDeceptor](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortideceptor) [NextDefence - FortiSOAR](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisoar) Last updated 5 months ago --- # Analyze - FortiMail & FortiNDR | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortimail-and-fortindr.md) . Using your Fabric Studio instance, if you open up FortiMail, this is done by right-clicking it, access > HTTPS `Username: admin / Password: fortinet4A!!` Once you're logged in, if you use the left-hand navigation pane, under the monitor section, click Log, and then you will see that the history tab is already selected, click the AV tab. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FbLDrO1IjSC1ktc3Cms4P%252FScreenshot%25202026-01-19%2520at%252010.30.50%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Daca86f50-1275-4b33-9f2d-5b513f58fff1&width=768&dpr=3&quality=100&sign=bcc2d644&sv=2) As you can see, Wanna Cry has been detected and blocked. if you require more information, you can actually double click into the header ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fd5ffM1TOsxfkVCUio5Zp%252FScreenshot%25202026-01-19%2520at%252010.31.54%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3De8c398dd-298e-41bf-b728-41d317e2fb8a&width=768&dpr=3&quality=100&sign=f2eb2ad0&sv=2) if you log in to [FortiNDR](https://10.222.101.20/sl/log/threatReport) by clicking the hyperlink `Username: admin / Password: Fortinet1!` click Log and report, then Malware log you should see the below ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FTUlaqMwPjTPViQaCQho9%252FScreenshot%25202026-01-19%2520at%252010.43.20%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D5af6601e-be4b-44e7-8bb0-0c430f4c3174&width=768&dpr=3&quality=100&sign=314acf28&sv=2) Regards to FortiNDR, just be mindful that it's a shared instance, so you will see lots of malware from different pods. [PreviousDefence - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-scenario-steps) [NextDefence - FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisiem) Last updated 5 months ago --- # Scenario - Story/Narrative | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/scenario-story-narrative.md) . As a company you become conscious of your users using AI prompts, while it's also understood that this can be more efficient, there's also a large concern around confidential and private data being inputted into the data lake that competitors could potentially exploit. As such there's been a C-level decision as part of phase one to monitor all AI access, within the company. Once this data has been collected, we'll then move to phase two where restrictions will be implemented. During this scenario you will play the role of a user trying to access various AI prompting sites (Gemini, Grok, Ect) you will see how various Fortinet products are able to aid in defence (FortiGate, FortiDLP) and how this can be viewable in consolidated reports (FortiAnalyzer). [PreviousAttack & Defence #4](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4) [NextAccess - Windows Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/access-windows-host) Last updated 3 months ago --- # Attack & Defence #4 | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4.md) . [Scenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/scenario-story-narrative) [Access - Windows Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/access-windows-host) [Show - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortigate) [Show - FortiDLP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortidlp) [PreviousReview - FortiAnalyzer](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/review-fortianalyzer) [NextScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/scenario-story-narrative) --- # Show - FortiDLP | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortidlp.md) . Please log in to [FortiDLP](https://ftnt-fabric-cse.reveal.nextdlp.com/) using the hyperlink. `Username: fabriclab / Password: Fortinet1!Fortinet1!` Once you're logged in, if you look on the left-hand pane navigate to "SaaS apps" and click it ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fg8hUT0FqnxdZS6X03Y6j%252FScreenshot%25202026-03-25%2520at%25201.36.56%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D250a6407-c3d7-4a12-966b-9340f194bd90&width=768&dpr=3&quality=100&sign=acb1b4ac&sv=2) As you can see in the screenshot, Grok, OpenAI, and Gemini have all been detected, if you click one of the entries, for example, we've used Grok here and then select Activity Feed you can find a summary of the user that used this AI Chatbot. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F3LGSPELtsdxOmp28LqiT%252FScreenshot%25202026-03-25%2520at%25201.37.59%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D02f4d031-541e-45de-a54f-ef4891eee107&width=768&dpr=3&quality=100&sign=bfe87cc8&sv=2) The account username and other bits of metadata are also logged. [PreviousShow - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortigate) [NextFortiMail & FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox) Last updated 3 months ago --- # FortiMail & FortiSandbox | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox.md) . [Scenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/scenario-story-narrative) [Defence - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/defence-scenario-steps) [Attack - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/attack-scenario-steps) [Analyze - FortiMail](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortimail) [Analyze - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortisandbox) [PreviousShow - FortiDLP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortidlp) [NextScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/scenario-story-narrative) --- # Show - FortiGate | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortigate.md) . Start by logging into the Fabric Studio instance, locating the object "FortiGate", right-clicking it, access, and then HTTPS, this should open a new browser tab with the FortiGate UI. `Username: admin Password: fortinet4A!!` Using the left-hand pane navigate to Dashboard > FortiView AI applications ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FvhBAuM0J22ovxS33IhPV%252Fimage.png%3Falt%3Dmedia%26token%3Dfa7a6069-b517-42f0-9025-2a6dbd03c614&width=768&dpr=3&quality=100&sign=b7f0661f&sv=2) As you can see we have identified Gemini, however if you double click into it, you can get more information, this includes the username that was used to log in to Gemini ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FKxjHLYCMOUDSaoG7KN6Z%252FScreenshot%25202026-03-20%2520at%252011.38.47%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Da9a70a85-b88e-4062-897b-daf28d06926a&width=768&dpr=3&quality=100&sign=6a5f539b&sv=2) We also capture the data centre location that was used, this is useful for companies that potentially might have restrictions around this ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FkTdK6FnNhvid5zaFUfCH%252FScreenshot%25202026-03-20%2520at%252011.39.23%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dac19fed4-be2e-4802-a669-8535c5bed951&width=768&dpr=3&quality=100&sign=c93ca355&sv=2) If you click View session logs, you can actually see the prompt that the user entered ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FqmyDQR14Yw0AeJfeqKTk%252FScreenshot%25202026-03-20%2520at%252011.51.17%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dc680add0-ac86-4927-be86-6da78831cc6c&width=768&dpr=3&quality=100&sign=7e5a4d42&sv=2) [PreviousAccess - Windows Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/access-windows-host) [NextShow - FortiDLP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortidlp) Last updated 3 months ago --- # Scenario - Story/Narrative | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/scenario-story-narrative.md) . Just a reminder that this lab has little/no configuration if you wish to conduct the configuration yourself then please use the Fabric Solutions Lab - Orginal or Fabric Solultions Lab - Mitre versions! - Links to these can be found here [Click Me](https://fortinet.sharepoint.com/sites/CSEFabricSolutionsEMEA/SitePages/CSE-Enablement-Lab.aspx) and are selectable options in the self-serve portal. You are a malicious threat actor who is trying to penetrate into a company via sending malicious emails attaching malware to those emails. You then change to the defence side using FortiMail and FortiSandbox You play both roles: 1. You are the attacker you will craft and send a malicious email with a malware attachment, exactly as a real threat actor would. 2. You are the defender You will watch FortiMail detect sending the file to FortiSandbox for further verdict. You will then see FortiSandbox execute the file in a safe environment, confirm it is malicious, generate the verdict and IOCs, and push the verdict indicators back to FortiMail that strips the attachments and ammends the subject line to contain \[Malicious\] [PreviousFortiMail & FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox) [NextDefence - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/defence-scenario-steps) Last updated 5 months ago --- # Attack - Scenario Steps | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/attack-scenario-steps.md) . Open your Fabric Studio instance, locate the object "External Attacker", right-click it, access, and then display. Another browser tab should open. Open Google Chrome you will find a bookmark called Webmail click it. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FyZp9oVZSpkmHakaTGa6p%252FScreenshot%25202025-12-04%2520at%252011.14.14%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D038eca11-febd-4b9b-96a8-3afe553e98f6&width=768&dpr=3&quality=100&sign=ad3bb571&sv=2) Enter the login details, `Username: external / Password: fortinet` and click Log In On logging in, click the Drafts button on the left-hand side. You should then see draft emails ready for selection. As we're doing the FortiMail and FortiSandbox scenario, click that email ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FvfLWnr8NqbC01CyLGS3J%252FScreenshot%25202025-12-04%2520at%252011.18.54%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D38b19184-3d5b-410c-a238-3c2372e27111&width=768&dpr=3&quality=100&sign=83e58bcc&sv=2) A side widget should open up on the right-hand side ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FrFFIO0SwDA29wjSw5KXB%252FScreenshot%25202025-12-04%2520at%252011.20.18%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D931629dc-9437-4e2d-ae5e-c38d5895cfdc&width=768&dpr=3&quality=100&sign=afc030ba&sv=2) The contents of the email Recivers, Subject, Message Body & the malware attachments have been done for you. Just click send [PreviousDefence - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/defence-scenario-steps) [NextAnalyze - FortiMail](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortimail) Last updated 5 months ago --- # Analyze - FortiSandbox | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortisandbox.md) . If you log into the FortiSandbox instance - [Click Me](https://10.222.101.23/) `Username: admin / Password: Fortinet1!` Then go over to Log & Report > All Events (Create a filter for `Message: Return`) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FtToytBGQ1qoyeZSHxwsj%252FScreenshot%25202025-12-04%2520at%252012.19.27%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D82d2e4b0-ac92-4ede-8ddb-e909ee4707ed&width=768&dpr=3&quality=100&sign=13a788cf&sv=2) You can see FortiSandbox received the file, checked it and then passed the verdict back to FortiMail. [PreviousAnalyze - FortiMail](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortimail) [NextFortiGate & FortiDeceptor](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor) Last updated 7 months ago --- # Access - Windows Host | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/access-windows-host.md) . Start by logging into the Fabric Studio instance, locating the object "Inside Host", right-clicking it, access, and then display. If your asked for a Username & Password for inside host its `Username: fabriclab\demouser5 / Password: Fortinet1!` Its very importnat you login as a domain user (As above) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FJjec2mpsc3RxcHA1sXtW%252Fimage.png%3Falt%3Dmedia%26token%3D9a042b5f-a593-46b3-a4fa-82a7a3a5291d&width=768&dpr=3&quality=100&sign=a92c5c27&sv=2) This should open up a separate browser tab with a Windows host. Click the Google Chrome shortcut, there should be two bookmarks, one for Grok and one for Gemini (Click either) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FGXLuYv2WzrKtkCjD3sd2%252FScreenshot%25202026-03-20%2520at%252011.16.01%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dd3c7cd48-c2aa-443f-b6cb-7e495ad1b4be&width=768&dpr=3&quality=100&sign=44d522d2&sv=2) We will use Gemini ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FGaihokJ9UM3Ot3hMfSn1%252FScreenshot%25202026-03-20%2520at%252011.36.31%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D640daa70-4e8e-459e-aac8-a7de724caf39&width=768&dpr=3&quality=100&sign=d460be97&sv=2) if you log in to Gemini using fabrcisolutionlabs@gmail.com / Fortinet1! then you will see that we're actually able to capture this username, This could potentially be useful for understanding if it's corporate or personal accounts that are being used. [PreviousScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/scenario-story-narrative) [NextShow - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortigate) Last updated 3 months ago --- # Show - FortiGate | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-fortigate.md) . Start by logging into the Fabric Studio instance, locating the object "FortiGate", right-clicking it, access, and then HTTPS, this should open a new browser tab with the FortiGate UI. `Username: admin Password: fortinet4A!!` Using the left-hand pane navigate to Security Fabric, Fabric Connectors, and ensure that FortiClient EMS is connected as below. This is what shares the ZTNA tags that we will be using later with the FortiGate. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FqkckH5YTuftlJfHvrvdR%252FScreenshot%25202026-02-25%2520at%252012.58.36%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D8e3515a6-d0ac-49d9-9178-5c637053cd79&width=768&dpr=3&quality=100&sign=e4f735c2&sv=2) If you want to check these, you can go use the left-hand pane to browse the policy and objects, ZTNA, and then click the security posture tag ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FI2EJVobZifTdHlWQWYIk%252FScreenshot%25202026-02-25%2520at%25201.00.34%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Df566ceaa-d90b-4c0b-962c-6327df6f5062&width=768&dpr=3&quality=100&sign=ec19ed4e&sv=2) Now using the left-hand pane if you browse to Security Fabric External Connectors, make sure that FSSO Agent on Windows AD is connected, this is what shares the usernames and the groups from Active Directory, and also information from the Single Sign-on Mobility Agent that's capturing the username and tying it to an IP address all this information comes from FortiAuthenticator. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FDkDvIasRdTwVXSPEK9RA%252FScreenshot%25202026-02-25%2520at%25201.02.05%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D654dde17-e6b8-4050-9ca7-36a579d4378f&width=768&dpr=3&quality=100&sign=f7dfd637&sv=2) Using the left-hand pane, browse to Policy & Objects > Firewall Policy, review the two policies as below ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F6yATFUN984dOSP3YTFXK%252FScreenshot%25202026-02-25%2520at%25201.17.16%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Da0d5b64c-fd86-474e-b158-7c0ac42c6855&width=768&dpr=3&quality=100&sign=f8868b47&sv=2) If you look inside the allow firewall policy, you will see that we're taking into consideration the security posture tags these are what's sent from FortiClient EMS. In our case Windows calculator must be running and and either FortiEDR or FortiDLP otherwise you are not permitted to access the product store application via (http or ping). ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FwbagIobjzan6z799j1P1%252FScreenshot%25202026-02-25%2520at%25201.18.20%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3De5ad3cbd-2fda-484f-86b5-bbc4f1116450&width=768&dpr=3&quality=100&sign=478eece1&sv=2) [PreviousShow - FortiClient EMS](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-forticlient-ems) [NextAccess - Webserver](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/access-webserver) Last updated 4 months ago --- # Scenario - Story/Narrative | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/scenario-story-narrative.md) . You are an end user inside the corporation, you've been advised to go to a web server and download some files. Unfortunately, you don't know that the web server is malicious and the files that you're downloading contain very, very well-known malware. Your IT department has deployed FortiIsolator meaning that what you see in your web browser is essentially a stream of data coming from a virtualized and contained host that lives with inside FortiIsolator. On trying to download the malware, FortiIsolator will send it to FortiSandbox for detonation and analysis before receiving its verdict back, you will observe this behaviour via a widget that opens up in the top right-hand corner. Should this be successful, you will see that you are unable to actually download the file, this is because the combination between FortiIsolator and FortiSandbox has done its job and has deemed the file to be malicious. [PreviousFortiIsolator & FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox) [NextAttack - Downloading Malware](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/attack-downloading-malware) Last updated 5 months ago --- # Review - FortiAnalyzer | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/review-fortianalyzer.md) . Please log into [FortiAnalyzer](https://10.222.101.35/) using the hyperlink `Username: admin / Password: Fortinet1!` Ensure that you go into ADOM **Pod45** Then using the lefthand pane, browse to log view > logs > select the Fortinet logs > Ensure that FortiGate is selected and apply the filters as below ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FVfBp768WvQb42bmO0ReR%252FScreenshot%25202026-02-25%2520at%25201.43.26%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dbd150abd-5f44-4d87-8f85-b6440386dcc8&width=768&dpr=3&quality=100&sign=dcd0981f&sv=2) As you can see these are the logs where access to the product store was denied. Remove the current filters and instead create a filter as below. Filtering based on the EMS tag these are the successful logs ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fblr9cFHHi6jM0Yu9YK2u%252FScreenshot%25202026-02-25%2520at%25201.47.42%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Daaacb0fa-f8ae-431b-b46c-39d7ba5ee918&width=768&dpr=3&quality=100&sign=9c147ab3&sv=2) However what is very important to know is if you look at the user field for both action denied and accepted, the actual AD user that you use to log in, **"Demo User 5",** is captured by the single sign-on mobility agent and sent to the FortiAuthenticator that then uses FSSO to forward to the downstream FortiGates. This solves the initial use case of the client wanting to have a deeper understanding of the user identity with a security enhancement! [PreviousAccess - Webserver](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/access-webserver) [NextAttack & Defence #4](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4) Last updated 4 months ago --- # FortiIsolator & FortiSandbox | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox.md) . [Scenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/scenario-story-narrative) [Attack - Downloading Malware](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/attack-downloading-malware) [Defence - Downloading Malware](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/defence-downloading-malware) [Analyze - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/analyze-fortisandbox) [PreviousDefence - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortigate) [NextScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/scenario-story-narrative) --- # FortiGate & FortiDeceptor | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor.md) . [Scenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/scenario-story-narrative) [Attack - Scada Decoy](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-scada-decoy) [Attack - VMWare Decoy](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-vmware-decoy) [Analyze - FortiDeceptor](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/analyze-fortideceptor) [Defence - FortiDeceptor](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortideceptor) [Defence - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortigate) [PreviousAnalyze - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortisandbox) [NextScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/scenario-story-narrative) --- # Access - Webserver | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/access-webserver.md) . Navigate back to your browser tab that has the Windows "Inside host" session active. Open up cmd and a ping to 198.51.100.100 this should fail. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FFAAvAhSgnCKt5eM4NnCm%252FScreenshot%25202026-02-25%2520at%25201.25.47%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D52928885-b539-4050-8839-ef9e9a65fced&width=768&dpr=3&quality=100&sign=baa4dbec&sv=2) Open up Google Chrome and click the bookmark product store, this should not load. the reason for this is we don't meet the criteria of the policy to have the Windows calculator running! ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FUe6tBUhetdgXPXG33aEW%252FScreenshot%25202026-02-25%2520at%25201.28.06%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D2f0ecbfa-0ce3-4c68-bd09-a1167dda077b&width=768&dpr=3&quality=100&sign=4fc9659b&sv=2) Minimise the Google Chrome browser so then you are displaying FortiClient and the ping side by side, it's important that we do this to demonstrate that ZTNA is a constant policy check what I mean by that is the next time that the client sends and receives an update from the EMS server the device's posture is updated. This is an enhancement on prior security because if the device's posture changes, for example, it becomes vulnerable then the session to the web server is terminated immediately as the device is no longer compliant! Your desktop should look as below ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fto0LSdK781xGqAIj74F8%252FScreenshot%25202026-02-25%2520at%25201.32.06%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D02e58d5d-232d-4b06-8b18-e2544ab0de30&width=768&dpr=3&quality=100&sign=52f23082&sv=2) Now open calculator, in our current configuration it can take anywhere between 1 and 60 seconds depending on where you catch the refresh cycle between the client and the server ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fr7FHogOKwmBHLE8y2Pvo%252FScreenshot%25202026-02-25%2520at%25201.33.40%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D2bf5373a-31f9-4011-b0fe-a1a2c116595d&width=768&dpr=3&quality=100&sign=5d70d3dd&sv=2) When the tag refresh has taken place. You will see that the Win\_Calculator\_Running tag has been added and the ping will now be successful. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FP6leIp0T8iD1qQhPJUdK%252FScreenshot%25202026-02-25%2520at%25201.34.49%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D57edcc2e-5447-4e09-b2fe-71c70d364c11&width=768&dpr=3&quality=100&sign=5e498f74&sv=2) Open up Google Chrome again and click the product store bookmark; this time it should load ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fi2CbT8AZ5UckD0hREskL%252FScreenshot%25202026-02-25%2520at%25201.37.16%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D5f168a98-f227-460c-b228-7c56aa73508d&width=768&dpr=3&quality=100&sign=27c461c2&sv=2) If you wish to test why this is an enhancement and the dynamic-ness, open up Task Manager, locate Calculator, and end all of the tasks ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FdcYv13ETsKzTjT5Xh4ER%252FScreenshot%25202026-02-25%2520at%25201.38.44%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dc1669bad-921f-413e-9a67-750e8c2ac5c8&width=768&dpr=3&quality=100&sign=a4f9db9d&sv=2) Once the refresh period is completed access to the product store will again be revoked and you will see the ping fail. This is an important security enhancement because we are taking into consideration the **live** security posture of the device. [PreviousShow - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-fortigate) [NextReview - FortiAnalyzer](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/review-fortianalyzer) Last updated 4 months ago --- # Defence - Scenario Steps | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/defence-scenario-steps.md) . As the email has been sent, it's now time to check out the defence. We'll do this by using the Fabric Studio instance, locating the object "Inside Host", right-clicking it, access, and then display. If your asked for a Username & Password for inside host its `Username: fabriclab\demouser5 / Password: Fortinet1!` ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fsct4HbmFsxQ066g3NNQ0%252FScreenshot%25202025-12-04%2520at%252011.26.11%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D3232e19a-69e8-4f6e-bc09-b1dcb661eb14&width=768&dpr=3&quality=100&sign=36853488&sv=2) This should open another browser tab. Click it. once you're at the desktop, double-click the Google Chrome icon, and then click the Webmail bookmark. Enter the login credentials `Username: protected / Password: fortinet` ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FcfoPrI5abxcd6I6N4VFc%252FScreenshot%25202025-12-04%2520at%252011.27.42%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D72bee71c-e1b5-4cfa-81da-ee8ef0c8e9b8&width=768&dpr=3&quality=100&sign=d0ed603e&sv=2) Click Log In, and then you should see that there is a new email inside the inbox, double click it to open it up! ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FdI643bBVsNDbA8ltQlcp%252FScreenshot%25202025-12-04%2520at%252011.31.43%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D3f99f6ef-22d1-4aff-81e2-5780658d73a4&width=768&dpr=3&quality=100&sign=7e7404ab&sv=2) As you can see, the email has been received, but the malicious files have been stripped, and the subject has been prefixed with the malicious tag [PreviousScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/scenario-story-narrative) [NextAttack - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/attack-scenario-steps) Last updated 4 months ago --- # Analyze - FortiSandbox | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/analyze-fortisandbox.md) . Please log in to [FortiSandbox](https://10.222.101.23/ng/log_and_report/job_events) using the hyperlink. `Username: admin / Password: Fortinet1!` On login, if you use the left-hand pane sidebar to browse To Log & Report > Events > Job Events ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FSZ1C1QrXgiKFWcAnE5Ck%252FScreenshot%25202026-01-22%2520at%252010.51.56%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D0c40202d-8942-4adb-b872-a9d6e39595f3&width=768&dpr=3&quality=100&sign=ef2e24a1&sv=2) If you look at the screenshot above, you can see that the FortiSandbox received the file from FortiIsolator, it did its analysis on the file, determined that it was malicious, and then sent this verdict back to FortiIsolator this is the reason why you see a slight pause between the Download and the Blocked widget on UI. [PreviousDefence - Downloading Malware](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/defence-downloading-malware) [NextFortiDLP & FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem) Last updated 5 months ago --- # Attack - Scada Decoy | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-scada-decoy.md) . Open your Fabric Studio instance, locate the object "Inside Host ", right-click it, access, and then display. If your asked for a Username & Password for inside host its `Username: fabriclab\demouser5 / Password: Fortinet1!` Another browser tab should open. Open Google Chrome you will find a bookmark called Scad - Decoy, Click it. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FcHFbYEMPkLYHqoF5at7g%252FScreenshot%25202026-01-20%2520at%252011.28.12%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D274d814c-acd7-4258-af54-2f9d07f12b50&width=768&dpr=3&quality=100&sign=5b67addb&sv=2) This should, open up a page like the below. Remember that this is a decoy! ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FAI2S22NjQoFJpUBRlMHs%252FScreenshot%25202026-01-20%2520at%252011.29.48%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D2d254e8a-c13e-4dd0-965c-21f2175d5451&width=768&dpr=3&quality=100&sign=30543f17&sv=2) [PreviousScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/scenario-story-narrative) [NextAttack - VMWare Decoy](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-vmware-decoy) Last updated 4 months ago --- # Unknown \# Fabric Solutions Lab - Shopping ## Fabric Solutions Lab - Shopping - \[Introduction\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/introduction.md) - \[Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative.md) - \[Scenario Order\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/scenario-order.md) - \[FortiPAM - RDP\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/fortipam-rdp.md) - \[Shared Resource Launcher\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/shared-resource-launcher.md) - \[Installation Checks\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/installation-checks.md) - \[Versions, Access & Credentials\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/versions-access-and-credentials.md) - \[Certificates at Scale\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale.md) - \[FortiGate (FGT) Remote CA Configuration\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-remote-ca-configuration.md) - \[FortiGate (FGT) CSR Request\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-request.md) - \[FortiAuthenticator (FAC) CSR Approval\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortiauthenticator-fac-csr-approval.md) - \[FortiGate (FGT) CSR Import\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-import.md) - \[When Chatbots Go Rogue\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue.md) - \[FortiWeb (FWB) Configuration Check\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiweb-fwb-configuration-check.md) - \[Chatting to the Chatbot!\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/chatting-to-the-chatbot.md) - \[FortiWeb (FWB) Results\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiweb-fwb-results.md) - \[FortiADC (FAD) Configuration\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiadc-fad-configuration.md) - \[Testing the Load Balancing\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/testing-the-load-balancing.md) - \[Centralised Logging — FortiStore\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/centralised-logging-fortistore.md) - \[The Threat in the Picture\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture.md) - \[FortiMail\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/fortimail.md) - \[Sending the Mail\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/sending-the-mail.md) - \[Reviewing the logs\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/reviewing-the-logs.md) - \[How does this scale?\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/how-does-this-scale.md) - \[Centralised Logging — DailyGrind\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/centralised-logging-dailygrind.md) - \[Guilty Until Detonated\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated.md) - \[FortiProxy Configuration\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-configuration.md) - \[FortiProxy Configuration #2\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-configuration-2.md) - \[Configure WebProxy Firefox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/configure-webproxy-firefox.md) - \[Downloading Malware (FPX)\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/downloading-malware-fpx.md) - \[FortiProxy Logs\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-logs.md) - \[Downloading Malware (FCT)\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/downloading-malware-fct.md) - \[Centralised Logging — PackTrack\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/centralised-logging-packtrack.md) - \[Who's Talking to the AI?\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai.md) - \[FortiGate (FGT) Configuration Check\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortigate-fgt-configuration-check.md) - \[Testing Using Windows Host\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/testing-using-windows-host.md) - \[FortiGate (FGT) Reviewing Dashboards\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortigate-fgt-reviewing-dashboards.md) - \[FortiAnalyzer (FAZ) Logs\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortianalyzer-faz-logs.md) - \[Coaching, Then Consequences\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences.md) - \[Mischievous user!\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/mischievous-user.md) - \[Mischievous user! (Continued)\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/mischievous-user-continued.md) - \[Evidence Review (FortiDLP)\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/evidence-review-fortidlp.md) - \[Scaling (FortiSIEM)\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/scaling-fortisiem.md) - \[Automating (FortiSOAR)\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/automating-fortisoar.md) - \[Verify FortiClient\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/verify-forticlient.md) - \[The Trap Inside the Walls\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls.md) - \[FortiDeceptor Configuration\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/fortideceptor-configuration.md) - \[Probing the Decoys\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/probing-the-decoys.md) - \[Whats do we see and the response?\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/whats-do-we-see-and-the-response.md) - \[How does this scale?\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/how-does-this-scale.md) - \[Using FortiSOAR to Tag a Endpoint\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/using-fortisoar-to-tag-a-endpoint.md) - \[Verifying using FortiClient\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/verifying-using-forticlient.md) - \[Tag-Driven ZTNA\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna.md) - \[FortiGate & FortiClient EMS\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/fortigate-and-forticlient-ems.md) - \[Security Posture Tags\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/security-posture-tags.md) - \[Classification Tags\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/classification-tags.md) - \[CIO & CTO Message\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/cio-and-cto-message.md) - \[Feedback\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/feedback.md) - \[Inspecting What Staff Upload — Everywhere They Work\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work.md) - \[FortiProxy Configuration\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work/fortiproxy-configuration.md) - \[Configuring a webproxy in Firefox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work/configuring-a-webproxy-in-firefox.md) - \[Browsing to Webserver\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work/browsing-to-webserver.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/introduction.md). # Introduction Welcome to the 2026 lab environment! Created by Senior Consulting Systems Engineer (CSE): Chris Eddisford - \[LinkedIn Click Me! \](https://www.linkedin.com/in/chris-eddisford-5b676462/) As the Fabric Solutions team, our focus is multi-product solutions — whether that's products with native integrations, or products that simply work well together to achieve an outcome the customer has outlined. We talk about a wide range of products as a team, and you'll come across plenty of them inside this lab. The goal, however, isn't a technical deep dive into any individual product. It's about what becomes possible when they work together. By the time you finish this lab, we hope you'll be able to take the multi-product solutions you've learnt here into the real world — and that along the way, you'll have discovered a product or two you'd never seen before. That's the goal! #### A few things to know before you start You'll each receive a dedicated \*\*Fabric Studio instance\*\*, containing various Fortinet products and virtual hosts. With so many products on display, however, some run \*\*outside\*\* your Fabric Studio instance, and you'll interact with these via the virtual hosts or via FortiPAM. These external products are \*\*shared between all attendees\*\* — by design. We want you to get a genuine feel for how these products behave in a real deployment. Analytical platforms, for example, typically carry logs from many different sources, and that's exactly what you'll see here. Multiple Fabric Solutions labs are all feeding into the same shared appliances. Where it helps, some scenarios include tips on filtering the logs down to just your own activity. We'd absolutely encourage you to have a look around these shared products — there's plenty to explore. \*\*If you're prompted to download or install new firmware when logging into an appliance, please ignore it.\*\* This lab has been tested with the provided firmware versions, and the Fabric CSE team will continue to test and update the environment after thorough evaluation. {% hint style="info" %} Please note if you're an Fortinet employee, you need to request access to Fabric Solutions Lab via a Microsoft Form - \[Click Me\](https://forms.office.com/r/puBFVkkLFB) on completion of the form, you will be provided access to a self-serve portal immediately where you can spin up an instance and start labbing whenever time permits. We also allow technical employees to self-serve and host various Fabric Solutions Labs (Including this one), we can support up to 50 pods at once. Futher information can be found here - \[Click Me\](https://fortinet.sharepoint.com/sites/CSEFabricSolutionsEMEA/SitePages/CSE-Enablement-Lab.aspx) {% endhint %} {% hint style="danger" %} Some of the scenarios contain real attacks that will do major damage if detonated or used outside of the lab environment so please follow the lab guide carefully. {% endhint %} #### Your engagement In this lab, you'll be at the helm of a newly appointed partner, brought in following a breach at a major shopping centre. Head to \[Story/Narrative\](/fabric-solutions-lab-shopping/story-narrative.md) to meet your customer. --- # Attack - VMWare Decoy | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-vmware-decoy.md) . On the same Google Chrome instance you will find a bookmark called VMWare - ESXi - Decoy, again click it ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fx8yzyRYnRDKNoZpF81Go%252FScreenshot%25202026-01-20%2520at%252011.34.04%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D368607e0-04b8-454d-9678-9aba52616a0d&width=768&dpr=3&quality=100&sign=b78f732&sv=2) Now with this particular decoy, you can actually log in using the credentials `Username: fabriclab / Password: Fortinet1!` ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FkUmxEw1KAmqZBTgghawE%252FScreenshot%25202026-01-20%2520at%252011.36.35%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dabf4f760-ad03-4006-9d51-9635bc4ff3af&width=768&dpr=3&quality=100&sign=60584786&sv=2) [PreviousAttack - Scada Decoy](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-scada-decoy) [NextAnalyze - FortiDeceptor](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/analyze-fortideceptor) Last updated 5 months ago --- # Scenario - Story/Narrative | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/scenario-story-narrative.md) . Just a reminder that this lab has little/no configuration if you wish to conduct the configuration yourself then please use the Fabric Solutions Lab - Orginal or Fabric Solultions Lab - Mitre versions! - Links to these can be found here [Click Me](https://fortinet.sharepoint.com/sites/CSEFabricSolutionsEMEA/SitePages/CSE-Enablement-Lab.aspx) and are selectable options in the self-serve portal. You are a malicious threat actor who is inside a company. You have obtained access into the environment via an RDP session using leaked credentials found on the dark web. You're now having a poke around to see what you can find that may be useful later. The attack phase consists of you clicking some bookmarks found on the remote desktop server. Unfortunately, what you don't know is this actually forms part of the defence because what you're actually accessing is a decoy Hosted on FortiDeceptor. It's tracking every single move that you make. Not only that, the source IP address of you that you access the decoys from gets propagated to the FortiGate firewall and into a quarantine list. Meaning that any traffic with that source IP address that passes through the FortiGate firewall is blocked halting any lateral movement attempts. [PreviousFortiGate & FortiDeceptor](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor) [NextAttack - Scada Decoy](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-scada-decoy) Last updated 5 months ago --- # Analyze - FortiMail | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortimail.md) . Using your Fabric Studio instance, if you open up FortiMail, this is done by right-clicking it, access > HTTPS `Username: admin / Password: fortinet4A!!` Once you're logged in, if you use the left-hand navigation pane, under the monitor section, click Log, and then you will see that the history tab is already selected. You will be able to see the analytics of the email that you just sent. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FT71m9owHbjqgR8UFNNTJ%252FScreenshot%25202025-12-04%2520at%252011.36.56%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Df7c80acf-cb5c-4e47-b7aa-7dd9446e17a0&width=768&dpr=3&quality=100&sign=d9a83e1d&sv=2) If you double-click, you can see that FortiSandbox has classified the file amended the subject line with "malicious" and identified it as a threat ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FrDyaCOuuNsXkfmG5Inzr%252FScreenshot%25202025-12-04%2520at%252011.39.34%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D602e580c-cecc-40e7-b955-bf8cf782ec9e&width=768&dpr=3&quality=100&sign=eb841527&sv=2) You can also double-click the entry to get more information ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F2LbBAEpuPZpHyYqtG5V9%252FScreenshot%25202025-12-04%2520at%252011.38.43%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D17255be0-3aa6-4465-b6d5-d3b2a126f3fd&width=768&dpr=3&quality=100&sign=f55da5e1&sv=2) [PreviousAttack - Scenario Steps](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/attack-scenario-steps) [NextAnalyze - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortisandbox) Last updated 5 months ago --- # Attack - Downloading Malware | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/attack-downloading-malware.md) . Open your Fabric Studio instance, locate the object "Inside Host ", right-click it, access, and then display. Another browser tab should open. If your asked for a Username & Password for inside host its `Username: fabriclab\demouser5 / Password: Fortinet1!` Open Google Chrome you will find a bookmark called "Isolator & Sandbox" ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FgIjEHNsP6bwxFGf3NwGB%252FScreenshot%25202026-01-22%2520at%252010.34.32%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D45551499-da97-41bd-a08b-62da9de22e0e&width=768&dpr=3&quality=100&sign=b028c2cd&sv=2) you may well see an SSL certificate error. Just bypass this by clicking the "Advanced" dropdown and then Proceed. You should then reach this page as below, ensure that "Guest" is ticked, and then press "Login." ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FC8vHQKZOBfVRBadGqGEd%252FScreenshot%25202026-01-22%2520at%252010.39.12%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Ddd7beabd-c5c2-4111-9817-7beb97c0e7bd&width=768&dpr=3&quality=100&sign=b73b7e87&sv=2) A page should load as below, what's really important is the **'I'** icon in the top left-hand corner, which essentially tells you that the page has been rendered from FortiIsolator. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FAEnVFoOaG8O2sgKOSCrA%252FScreenshot%25202026-01-22%2520at%252010.40.34%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dc1ff9b23-93c1-43ac-9cd6-c508a1dcbdf9&width=768&dpr=3&quality=100&sign=4f5f2f86&sv=2) [PreviousScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/scenario-story-narrative) [NextDefence - Downloading Malware](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/defence-downloading-malware) Last updated 4 months ago --- # Defence - FortiDeceptor | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortideceptor.md) . Now, in an attack scenario like this, it's very important that we have automation that is able to respond very quickly otherwise, it's just too late. So what we've already configured is an integration between FortiDeceptor and FortiGate. In the event of FortiDeceptor seeing an attack towards a decoy, the SRC\_IP of the attacker is logged. This is then passed from FortiDeceptor to FortiGate where the IP address is added to a quarantine list for a certain amount of time (The time period is configurable) If you want to see the configuration, it can be viewed on FortiDeceptor on the left-hand pane under Fabric Quarantine > Integration. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FfZ9V3RmkmFdfkTtplA74%252FScreenshot%25202026-01-20%2520at%252012.07.31%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dd4288856-78cd-4616-90cc-4fd4fc8e8be5&width=768&dpr=3&quality=100&sign=7f9e9bc7&sv=2) This is also where you specify the period of time you would like the attacker to be blocked for as you can see, we have opted for an hour. I wanted to take the time to acknowledge that we also have integrations with many other third-party vendors, including a generic web hook and SSH connector, meaning you can essentially automate towards anything ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F72MGpMNKAUPsZ7wNRn6Z%252FScreenshot%25202026-01-20%2520at%252012.09.18%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dc5257058-730a-42e7-b094-e01ee37d6d9b&width=768&dpr=3&quality=100&sign=ae0b7609&sv=2) On the left-hand pane, you can also go to Fabric, Foreign Quarantine Status, for our list of all current active and historical quarantines. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F8RFPP5i5OjhrA0KxsYff%252FScreenshot%25202026-01-20%2520at%252012.11.15%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Df6a08e60-0a6c-40ea-8754-b96a984625aa&width=768&dpr=3&quality=100&sign=f51a0ff5&sv=2) [PreviousAnalyze - FortiDeceptor](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/analyze-fortideceptor) [NextDefence - FortiGate](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortigate) Last updated 5 months ago --- # Defence - Downloading Malware | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/defence-downloading-malware.md) . Now using the existing page, click one of the malware links. We'll be using RaccoonStealer in our example here. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FjLJJeQ4vUVaPRkDctMKF%252FScreenshot%25202026-01-22%2520at%252010.43.07%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3De7134aa1-e3fb-4647-b545-cc10d457e6ae&width=768&dpr=3&quality=100&sign=1e67d35a&sv=2) After a couple of seconds, you should see the widget appear in the top right-hand corner saying that the file has been downloaded. However, you'll quickly notice that the action section is blank. This is normally where you will be able to download the file this is because the file was actually sent to FortiSandbox for further inspection and a verdict ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FMecMrYfpJam8fO8Jk1TK%252FScreenshot%25202026-01-22%2520at%252010.43.37%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dcbf06e43-e22c-4753-9c2b-9c8d324a4630&width=768&dpr=3&quality=100&sign=632ff8ad&sv=2) Eventually, the widget will update to inform the user that there has been Malware detected in the file, and you cannot download it ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FRbPOzlBn6xyw929Y0dYZ%252FScreenshot%25202026-01-22%2520at%252010.44.48%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dd67c3781-a851-425a-be28-98c8b844b347&width=768&dpr=3&quality=100&sign=9f975652&sv=2) It's important to know that what you're actually seeing is a virtual machine being rendered back to your web browser so you haven't actually handled the Malware on your local machine unless you actually downloaded it which has been blocked in this case. [PreviousAttack - Downloading Malware](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/attack-downloading-malware) [NextAnalyze - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/analyze-fortisandbox) Last updated 5 months ago --- # Defence - FortiGate | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortigate.md) . Please log in to [Shared FortiGate](https://10.222.101.31/) using the hyperlink. `Username: admin / Password: Fortinet1!` Once you're logged in, if you use the left-hand sidebar to expand the dashboard, and then go down to Quarantine Monitor. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FwtaiIdIdrl04iIfllN9H%252FScreenshot%25202026-01-20%2520at%252012.52.01%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D06ef079d-0991-4e4a-94f2-852ebf1cde64&width=768&dpr=3&quality=100&sign=62d5f77f&sv=2) You should see that your pod IP address has been quarantined. to further validate this using the left-hand sidebar, you can go to Log and Report > System Events > Logs I recommend creating a philtre under "Message" for anything that contains the word "stitch" your output should be as below ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FBu6yOtFYb2aJTS9f43pm%252FScreenshot%25202026-01-20%2520at%252012.54.43%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D2d04d017-ff6e-4a4a-b80a-53fb28742464&width=768&dpr=3&quality=100&sign=6ebc0deb&sv=2) [PreviousDefence - FortiDeceptor](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortideceptor) [NextFortiIsolator & FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox) Last updated 5 months ago --- # Unknown \# Fabric Solutions Lab - Automate ## Fabric Solutions Lab - Automate - \[Introduction & Getting Started\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started.md) - \[Access Credentials\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/access-credentials.md) - \[Firmware Versions\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/firmware-versions.md) - \[Accessing the lab environment\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/accessing-the-lab-environment.md) - \[Attack & Defence #1\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1.md) - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/scenario-story-narrative.md) - \[Attack - Scenario Steps\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/attack-scenario-steps.md) - \[Defence - Scenario Steps\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-scenario-steps.md) - \[Analyze - FortiMail & FortiNDR\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortimail-and-fortindr.md) - \[Defence - FortiSIEM\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisiem.md) - \[Analyze - FortiSOAR\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortisoar.md) - \[Defence - FortiSOAR\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisoar.md) - \[Defence - FortiClient\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-forticlient.md) - \[Attack & Defence #2\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2.md) - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/scenario-story-narrative.md) - \[Attack - RDP Host\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/attack-rdp-host.md) - \[Defence - FortiDeceptor\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortideceptor.md) - \[Defence - FortiSIEM\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisiem.md) - \[Defence - FortiSOAR\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisoar.md) - \[Defence - FortiGate\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortigate.md) - \[Attack & Defence #3\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3.md) - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/scenario-story-narrative.md) - \[Check - Windows Host\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/check-windows-host.md) - \[Show - FortiClient EMS\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-forticlient-ems.md) - \[Show - FortiGate\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-fortigate.md) - \[Access - Webserver\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/access-webserver.md) - \[Review - FortiAnalyzer\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/review-fortianalyzer.md) - \[Attack & Defence #4\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4.md) - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/scenario-story-narrative.md) - \[Access - Windows Host\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/access-windows-host.md) - \[Show - FortiGate\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortigate.md) - \[Show - FortiDLP\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortidlp.md) - \[FortiMail & FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox.md) - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/scenario-story-narrative.md) - \[Defence - Scenario Steps\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/defence-scenario-steps.md) - \[Attack - Scenario Steps\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/attack-scenario-steps.md) - \[Analyze - FortiMail\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortimail.md) - \[Analyze - FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortisandbox.md) - \[FortiGate & FortiDeceptor\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor.md) - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/scenario-story-narrative.md) - \[Attack - Scada Decoy\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-scada-decoy.md) - \[Attack - VMWare Decoy\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-vmware-decoy.md) - \[Analyze - FortiDeceptor\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/analyze-fortideceptor.md) - \[Defence - FortiDeceptor\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortideceptor.md) - \[Defence - FortiGate\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortigate.md) - \[FortiIsolator & FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox.md) - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/scenario-story-narrative.md) - \[Attack - Downloading Malware\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/attack-downloading-malware.md) - \[Defence - Downloading Malware\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/defence-downloading-malware.md) - \[Analyze - FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/analyze-fortisandbox.md) - \[FortiDLP & FortiSIEM\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem.md) - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/scenario-story-narrative.md) - \[Attack - Asking ChatGPT\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-asking-chatgpt.md) - \[Attack - Google Drive Upload\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-google-drive-upload.md) - \[Attack - Trying to Disable FortiDLP\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-trying-to-disable-fortidlp.md) - \[Analyze - FortiDLP\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortidlp.md) - \[Analyze - FortiSIEM\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortisiem.md) - \[Task - Unlock Host\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/task-unlock-host.md) - \[FortiIsolator & FortiMail\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail.md) - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/scenario-story-narrative.md) - \[Attack - Sending External Email\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/attack-sending-external-email.md) - \[Defence - Internal Mailbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/defence-internal-mailbox.md) - \[FortiProxy & FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox.md) - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/scenario-story-narrative.md) - \[Attack - Malware Site\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/attack-malware-site.md) - \[Defence - FortiProxy\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortiproxy.md) - \[Defence - FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortisandbox.md) - \[FortiWeb & FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox.md) - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/scenario-story-narrative.md) - \[Attack - Webserver\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver.md) - \[Analyze - FortiWeb\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortiweb.md) - \[Analyze - FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortisandbox.md) - \[Attack - Webserver\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver-1.md) --- # FortiIsolator & FortiMail | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail.md) . [Scenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/scenario-story-narrative) [Attack - Sending External Email](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/attack-sending-external-email) [Defence - Internal Mailbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/defence-internal-mailbox) [PreviousTask - Unlock Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/task-unlock-host) [NextScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/scenario-story-narrative) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started.md). # Introduction & Getting Started ## Introduction & Getting Started Welcome to the lab environment created by the CSE Fabric Solutions team. This particular instance is unique in that \*\*ALL\*\* the configuration has been done for you, enabling you to conduct the scenarios quickly and effectively. Its purpose is to be used for customer-facing demonstrations where you don't have the time to do the configuration, and it's a combination of the scenarios from \[Fabric Solutions Lab - Original \](https://fabriclab-tech.gitbook.io/fabric-lab/) \[Fabric Solutions Lab - Mitre\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-mitre) \*\*The purpose\*\* demonstrate how Fortinet products work together to enhance security. By integrating multiple Fortinet products, we can reduce attack risks and respond to threats automatically. The focus is on product integration rather than individual features. Each section of this lab is independent, so you can complete each secenario in any order. The instance within Fabric Studio is dedicated to you, but please avoid saving any configuration changes. Occasionally, you may need to connect to external resources, which are shared and secured separately from your Fabric Studio instance. If you are prompted to download or install new firmware when logging into an appliance, please \*\*ignore it\*\*. This lab has been tested with the provided firmware versions. The Fabric CSE team will continue to test and update the environment after thorough evaluation. Created by Consulting Systems Engineer (CSE): Chris Eddisford - \[LinkedIn Click Me! \](https://www.linkedin.com/in/chris-eddisford-5b676462/)​ {% hint style="info" %} Please note if you're an internal Fortinet employee, you need to request access to Fabric Solutions Lab via a Microsoft Form - \[Click Me\](https://forms.office.com/r/puBFVkkLFB) once compleated you will be provided details for a self serve portal where you can spin up a instance on demand. {% endhint %} {% hint style="info" %} Some of the scenarios contain real attacks that will do major damage if detonated or used outside of the lab environment so please refrain from doing this. {% endhint %} --- # Scenario - Story/Narrative | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/scenario-story-narrative.md) . You're a rogue employee inside an organisation who's thinking about leaving. In preparation of your resignation, you decide to try and extract some data to various different sources this includes to ChatGPT and a Personal Google Drive. On attempting this, you receive a pop-up from FortiDLP, resulting in you panicking and trying to disable the agent. During this scenario, you will conduct the attack and you will see the response that FortiDLP and FortiSIEM provide. FortiDLP blocks the attack and then forwards its events via an event stream to FortiSIEM, enabling more correlated analytics and the potential for a response. [PreviousFortiDLP & FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem) [NextAttack - Asking ChatGPT](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-asking-chatgpt) Last updated 5 months ago --- # Analyze - FortiDeceptor | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/analyze-fortideceptor.md) . Please log in to [FortiDeceptor](https://10.222.101.29/halo/login?returnUrl=%2F) using the hyperlink. `Username: admin / Password: Fortinet1!` On login, if you use the left-hand pane sidebar to browse to Incident and then Attack Map. This is usually a good place to start. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FBXCFgrd5AU1eFg7DH5Mm%252FScreenshot%25202026-01-20%2520at%252011.48.50%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Da4cc0385-d093-437f-bef5-37b95ab46d22&width=768&dpr=3&quality=100&sign=c4f70066&sv=2) As you can see above, An attacker has tried to access the decoys, .221 = Scada / .222 = VMware. we have also logged the attacking source IP address .45 Please note that the attacking source IP address will change depending on what pod you're allocated as an example, we were using Pod 45 here it's always the last octets. If you were allocated Pod 1, the last octets of the source IP address conducting the attack would be .1 Using the left-hand pane, if you browse to Incident and Analysis. I've actually created a filter to filter by the attacker IP address. This is because the FortiDeceptor instance can get quite busy, as it is shared ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FL4cRZGFfesdhVi1Se1pG%252FScreenshot%25202026-01-20%2520at%252011.53.35%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D076736df-00ae-4058-8d73-8ff3fbe54f1b&width=768&dpr=3&quality=100&sign=845de7cf&sv=2) You can actually, double-click into any of the entries as well, which opens up a pane on the right-hand side, here you can see a timeline of absolutely everything that was conducted, such as the GET requests. This includes being able to download a PCAP file to be an analysing tool such as Wireshark ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FOusEYqeO6Hrt9dnV0NgI%252FScreenshot%25202026-01-20%2520at%252011.58.17%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D52cdc912-ce84-4e07-91c4-d88d105ea603&width=768&dpr=3&quality=100&sign=80f0deee&sv=2) Using the right-hand pane, if you click "Incident" and then "Campaign," this section creates a logical grouping, for example, if the source IP address is 10.222.102.45. You can actually see that this source IP address has attempted multiple attacks at different timeframes ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F19ObIkLp6LiFNZxKZKMy%252FScreenshot%25202026-01-20%2520at%252012.01.11%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D094fa94d-78b1-4c1a-9d4c-ca2752573bc3&width=768&dpr=3&quality=100&sign=901250bb&sv=2) [PreviousAttack - VMWare Decoy](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-vmware-decoy) [NextDefence - FortiDeceptor](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortideceptor) Last updated 5 months ago --- # Scenario - Story/Narrative | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/scenario-story-narrative.md) . The organisation you are working for has been susceptible to email phishing attacks containing malware links, and then users downloading them and detonating them on their local host. This has resulted in the IT team implementing a Remote Isolation Browser (RBI) - FortiIsolator, to work in conjunction with FortiMail. In the scenario, you will send an email with various different links from an external source. You will see that when they are received internally, FortiMail redirects to FortiIsolator using click protection. The instance that the user sees is actually being rendered via FortiIsolator, providing the user with absolute protection. [PreviousFortiIsolator & FortiMail](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail) [NextAttack - Sending External Email](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/attack-sending-external-email) Last updated 5 months ago --- # FortiDLP & FortiSIEM | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem.md) . [Scenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/scenario-story-narrative) [Attack - Asking ChatGPT](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-asking-chatgpt) [Attack - Google Drive Upload](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-google-drive-upload) [Attack - Trying to Disable FortiDLP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-trying-to-disable-fortidlp) [Analyze - FortiDLP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortidlp) [Analyze - FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortisiem) [Task - Unlock Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/task-unlock-host) [PreviousAnalyze - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/analyze-fortisandbox) [NextScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/scenario-story-narrative) --- # Attack - Google Drive Upload | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-google-drive-upload.md) . Using the same browser instance, click the Google Drive bookmark this should take you to a pre-logged-in Google Drive instance, click the My Drive button on the left-hand side and scroll down to the bottom where you will find the EndGame folder (As below) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FFTOhZ0YlNw7qSFMMjvHq%252FScreenshot%25202026-02-04%2520at%252012.26.59%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D436ea34a-dcaf-4bbe-8abd-f79334fe24f0&width=768&dpr=3&quality=100&sign=e2a3e099&sv=2) Double Click into the endgame folder, you may well find that a file is already present in here. If it is, it doesn't matter. When you're prompted, simply overwrite it. Click "New" and then "File Upload" and browse to the desktop ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FnFaccCF20BeeaVZTs4NP%252FScreenshot%25202026-02-04%2520at%252012.28.59%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dfb1abfa0-c9c2-47b9-950c-a33d4ce0e987&width=768&dpr=3&quality=100&sign=a4d54b91&sv=2) Select FDLP\_File.txt and click open (As below) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FLagL6TuOz6nsGZSF3uHa%252FScreenshot%25202026-02-04%2520at%252012.30.13%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D43edf6c7-3675-4f48-87ab-a14e1a2c4bcb&width=768&dpr=3&quality=100&sign=f423ef3&sv=2) Almost immediately, you should see a FortiDLP file scan widget appear in the top right-hand corner. Shortly after, you will be asked to enter a valid policy violation reason, as it's a demo, enter whenever you want and click OK ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FdtIeIzSw5rTguL2PULiN%252FScreenshot%25202026-02-04%2520at%252012.31.41%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dead6f5ec-e8d4-4cdb-8c74-c24034885a6e&width=768&dpr=3&quality=100&sign=7b56cda3&sv=2) You will notice that the file upload has actually been blocked check to ensure it is not present in Google Drive! [PreviousAttack - Asking ChatGPT](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-asking-chatgpt) [NextAttack - Trying to Disable FortiDLP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-trying-to-disable-fortidlp) Last updated 5 months ago --- # Attack - Trying to Disable FortiDLP | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-trying-to-disable-fortidlp.md) . As a result of the pop-ups that the user has seen, panic sets in, and they then try to gain an understanding of how to disable the FortiDLP agent via a web search. Using the same browser instance, simply type disable FortiDLP into the search bar and press return to conduct the search. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F0SFfXh7rsCdq6oWDOchG%252FScreenshot%25202026-02-04%2520at%252012.37.03%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D90fba354-fa98-40b6-b687-3eab2389c7a8&width=768&dpr=3&quality=100&sign=be4abab2&sv=2) Almost immediately, you will be met with this block page as below. FortiDLP is actually quarantined the endpoint completely ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fu1NM7vvmuLQAiOZAdcUX%252FScreenshot%25202026-02-04%2520at%252012.37.57%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D054789cb-8638-40a6-8211-4f67909eebe8&width=768&dpr=3&quality=100&sign=a8eec51&sv=2) [PreviousAttack - Google Drive Upload](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-google-drive-upload) [NextAnalyze - FortiDLP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortidlp) Last updated 5 months ago --- # Task - Unlock Host | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/task-unlock-host.md) . Log in to FortiDLP using this specific link - [Click Me](https://ftnt-fabric-cse.reveal.nextdlp.com/#nodes/table) Find the EndGame Node, Locate the three dots to the right-hand side and select "Unlock this node." ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fy0Lq3Zhat32GK10ZSEZs%252FScreenshot%25202026-02-04%2520at%252012.53.04%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D46c319c1-60a9-4a79-9447-64840a2e70d9&width=768&dpr=3&quality=100&sign=90d0fec6&sv=2) [PreviousAnalyze - FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortisiem) [NextFortiIsolator & FortiMail](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail) Last updated 5 months ago --- # Scenario - Story/Narrative | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/scenario-story-narrative.md) . The organisation you are working for has a selection of remote workers and contractors.This has become an issue with installing client-side protection, so instead we have rolled out a proxy deployment. One of your users has gone a little bit rogue and they accessed a file server that has a selection of malware to be downloaded. Unfortunately, the user doesn't realise that the web browser traffic is being sent to a Proxy (FortiProxy) which then has an integration with a Sandbox (FortiSandbox) appliance, on trying to download the malware, you will notice that there is a delay this is because the file is being sent to FortiSandbox for analysis and a verdict. As part of this scenario, you will conduct both the attack and the defence. [PreviousFortiProxy & FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox) [NextAttack - Malware Site](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/attack-malware-site) Last updated 5 months ago --- # Analyze - FortiSIEM | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortisiem.md) . Please log in to [FortiSIEM](https://10.222.101.28/phoenix/login.html) using the hyperlink. `Username: admin / Password: Fortinet1!/ Organization: super` ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F3YJMaxb3Pltjwd0v3HL1%252FScreenshot%25202026-02-04%2520at%25201.29.38%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Da8c79a56-42d6-421e-beee-613942db2b2d&width=768&dpr=3&quality=100&sign=75bb9cba&sv=2) In the top right, click the exit button and then change organisation view ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fp4BqwfL8qA82BOAumvFe%252FScreenshot%25202026-02-04%2520at%25201.31.13%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dc5090421-b8b8-4fd6-8a4c-725924eaf520&width=768&dpr=3&quality=100&sign=268da739&sv=2) Select admin view, local, and then press Change View ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FYmfOTRKCy5lPJtlG9pDr%252FScreenshot%25202026-02-04%2520at%25201.31.49%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D10d072c0-99ee-4550-bf11-cd943cb750b8&width=768&dpr=3&quality=100&sign=12b58101&sv=2) Using the nav bar, select Analytics ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FQ5MZRMrxjgkEEjQFr25d%252FScreenshot%25202026-02-04%2520at%25201.33.13%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D08fc95d0-a370-4e16-9d00-d7c8c124c792&width=768&dpr=3&quality=100&sign=713b7c0a&sv=2) Click where it says "Edit filters and time range." Click where it says "Load." ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FwB55NGc8lqPV6JjnWINX%252FScreenshot%25202026-02-04%2520at%25201.34.22%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D819028e0-216a-41bf-9750-9702f2b21fd3&width=768&dpr=3&quality=100&sign=c1979cce&sv=2) Select the FortiDLP profile and then click Load ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fak7TJOwpgbESlP8M8fJ1%252FScreenshot%25202026-02-04%2520at%25201.35.04%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D8f71288f-32ab-466f-849b-a7c32fc23b04&width=768&dpr=3&quality=100&sign=5a8f3eab&sv=2) Set the time range to an appropriate number and then click "Apply" and run ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FxBj8fVddogocfRC7uDp2%252FScreenshot%25202026-02-04%2520at%25201.35.49%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D5e533345-39fa-4f2a-8a94-bf8c42b89246&width=768&dpr=3&quality=100&sign=4e451049&sv=2) You should see the results of your attack as below. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fc45T15O4Uv1uak8VDNf6%252FScreenshot%25202026-02-04%2520at%25201.40.53%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dc7c9ea89-1248-43d4-a84b-a58b5967479c&width=768&dpr=3&quality=100&sign=9f1d3eb6&sv=2) [PreviousAnalyze - FortiDLP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortidlp) [NextTask - Unlock Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/task-unlock-host) Last updated 5 months ago --- # FortiProxy & FortiSandbox | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox.md) . [Scenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/scenario-story-narrative) [Attack - Malware Site](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/attack-malware-site) [Defence - FortiProxy](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortiproxy) [Defence - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortisandbox) [PreviousDefence - Internal Mailbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/defence-internal-mailbox) [NextScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/scenario-story-narrative) --- # Defence - Internal Mailbox | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/defence-internal-mailbox.md) . Open your Fabric Studio instance, locate the object "Inside Host", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance. If your asked for a Username & Password for inside host its `Username: fabriclab\demouser5 / Password: Fortinet1!` Open Google Chrome, click the Webmail bookmark. Login using `Username: internal Password: fortinet` ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FotAxqcAXkMpMzfJnYiYm%252FScreenshot%25202026-02-05%2520at%252012.04.21%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D6d46ffc0-9a47-459c-b426-b2badd3f6a90&width=768&dpr=3&quality=100&sign=9bddb857&sv=2) Press "Log In" You should see a new email that says "FIS test", click it to open it ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FSvlLSH7YcNMjlKNjJdku%252FScreenshot%25202026-02-05%2520at%252012.05.48%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dc9179d39-8763-4c30-adc5-27469554d02d&width=768&dpr=3&quality=100&sign=d14857a1&sv=2) Hover over one of the links. If you look in the bottom left-hand corner, you will notice that the URL has been prefixed to send via FortiIsolator ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FHoGArqMl9VvB23rp73mp%252FScreenshot%25202026-02-05%2520at%252012.47.28%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dabcda864-0179-4a89-bbe5-0797feb6da72&width=768&dpr=3&quality=100&sign=511c47c&sv=2) Click any of the links. Proceed through any SSL certificate warnings, until you get to this page, ensure that guest tick box is ticked and then click "Login." ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Foxg7tpMsntP91ylzPmZp%252FScreenshot%25202026-02-05%2520at%252012.49.20%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D46c5d1a5-c0b3-445e-b6a5-dd7a02bc6d6c&width=768&dpr=3&quality=100&sign=3ac07b2e&sv=2) The page that you requested will load via FortiIsolator, however this is being rendered to your browser. Think of it as screenshots being sent to you - you're actually accessing it via a secure, isolated instance meaning that if there was anything malicious, it wouldn't execute directly on your host. It would execute on the virtual instance. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FCybSPvrMgJi9FXbdIFEK%252FScreenshot%25202026-02-05%2520at%252012.50.33%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Daca65b21-967f-4d93-96fc-5eadde405f6a&width=768&dpr=3&quality=100&sign=4d7754e1&sv=2) You know that you've been protected by a FortiIsolator when you see the "I" icon in the top left-hand corner where my mouse is on the screenshot. [PreviousAttack - Sending External Email](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/attack-sending-external-email) [NextFortiProxy & FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox) Last updated 4 months ago --- # Analyze - FortiDLP | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortidlp.md) . Please log in to [FortiDLP](https://ftnt-fabric-cse.reveal.nextdlp.com/) using the hyperlink. `Username: fabriclab / Password: Fortinet1!Fortinet1!` Once you're logged in, if you look on the left-hand pane, there should be a policy option, Click it. Select the data tracking option and click it (As below) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FejaCALiC3K1RUSnNFUlW%252Fimage.png%3Falt%3Dmedia%26token%3D24b784e1-1929-4f38-be16-7d094da03c13&width=768&dpr=3&quality=100&sign=20ba76d3&sv=2) Along the right-hand side, there should be a "Raise Incident" section. Click the filter icon and select "True." ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FagjIbNniiu8T0flvccPT%252FScreenshot%25202026-02-04%2520at%252012.47.13%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Da7452371-24b3-403b-88e3-adc18f252175&width=768&dpr=3&quality=100&sign=b6029afe&sv=2) The amount of visible policies will be dramatically reduced ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FJCvP28Veed3WxLN0M68Q%252FScreenshot%25202026-02-04%2520at%252012.47.50%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D6366da0e-3998-4afe-b3ad-7b0020e76b69&width=768&dpr=3&quality=100&sign=cdd55c11&sv=2) Please double-click into both of these policies to show the end user the configuration that has been set and was applied in the previous attack steps. Screenshots can be found below ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FtQveCdOji5lQj1xAM6fC%252FScreenshot%25202026-02-04%2520at%252012.49.55%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dbb0b0d73-a8a6-45b9-9892-36926b08c4ee&width=768&dpr=3&quality=100&sign=51642a97&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FStD5Pzrf3po5MCLT7MT5%252FScreenshot%25202026-02-04%2520at%252012.50.26%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Df072b377-fd2e-464a-a888-0a1cb37ed1c5&width=768&dpr=3&quality=100&sign=4521e079&sv=2) It's important, as the presenter, that you provide the end user with a detailed explanation of just how much is able to be configured here. Please ensure that you take the time to expand the boxes and go through the configuration [PreviousAttack - Trying to Disable FortiDLP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-trying-to-disable-fortidlp) [NextAnalyze - FortiSIEM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortisiem) Last updated 5 months ago --- # Analyze - FortiWeb | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortiweb.md) . Using your Fabric Studio instance, if you open up FortiWeb, this is done by right-clicking it, access > HTTPS `Username: admin / Password: fortinet4A!!` Once you're logged in, if you use the left-hand navigation pane, under Log & Report > Log access > Event Create a filter for "Action" 'sandbox-send-file' ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FLM2Hg59IM673Qc93Nb4L%252Fimage.png%3Falt%3Dmedia%26token%3D3c95d9cb-b3d4-4574-ab16-b5b25ce485f9&width=768&dpr=3&quality=100&sign=9295accb&sv=2) You can see that the file was indeed passed to FortiSandbox and the verdict that was returned. [PreviousAttack - Webserver](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver) [NextAnalyze - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortisandbox) Last updated 4 months ago --- # Defence - FortiSandbox | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortisandbox.md) . Please log in to [FortiSandbox](https://10.222.101.23/ng/log_and_report/job_events) using the hyperlink. `Username: admin / Password: Fortinet1!` Clicking the hyperlink above should take you to the job event section. If you look closely, you will see that the file was submitted from FortiProxy to FortiSandbox for analysia look at the various log entires that are associated with this before the verdict that the file is indeed malicious and an inline block request sent back to FortiProxy. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fo1uAq7zad1SLD0QJeRft%252FScreenshot%25202026-02-09%2520at%252011.05.06%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D474d1bbf-bde5-44b7-8687-8acaa7d2f692&width=768&dpr=3&quality=100&sign=9c00deb7&sv=2) [PreviousDefence - FortiProxy](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortiproxy) [NextFortiWeb & FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox) Last updated 5 months ago --- # Attack - Webserver | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver-1.md) . Open your Fabric Studio instance, locate the object "Webserver", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance. On the desktop, you will find a folder called "uploads" If you refresh the page, you should see that the virus.jpg file is now present. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FI7S5ETQsqhGwwkCeF46a%252Fimage.png%3Falt%3Dmedia%26token%3D7a324473-cc4f-4cbc-ba68-a48d15c2ca5f&width=768&dpr=3&quality=100&sign=9f7c27c6&sv=2) Of course, if the file was actually malicious and not just the .JPG file, then FortiSandbox would have determined this and sent the verdict back to FortiWeb, and the file would not be allowed to be uploaded. [PreviousAnalyze - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortisandbox) Last updated 4 months ago --- # Scenario - Story/Narrative | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/scenario-story-narrative.md) . Your company has deployed a web server, they are using FortiWeb to protect it. The web server has a file upload function that could potentially be exploited allowing malicious actors to upload malware and potential backdoors. You have developed a zero-day threat that will not have a signature on FortiWeb itself, so the file will be passed to FortiSandbox for detonation and analysis. Once the verdict is in, the result will passed back to FortiWeb. [PreviousFortiWeb & FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox) [NextAttack - Webserver](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver) Last updated 4 months ago --- # FortiWeb & FortiSandbox | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox.md) . [Scenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/scenario-story-narrative) [Attack - Webserver](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver) [Analyze - FortiWeb](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortiweb) [Analyze - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortisandbox) [Attack - Webserver](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver-1) [PreviousDefence - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortisandbox) [NextScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/scenario-story-narrative) --- # Analyze - FortiSandbox | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortisandbox.md) . Please log in to [FortiSandbox](https://10.222.101.23/ng/log_and_report/job_events) using the hyperlink. `Username: admin / Password: Fortinet1!` On login, if you use the left-hand pane sidebar to browse To Log & Report > Events > Job Events Create a filter for "Message" "FWB" ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fg9bB03qnozqUfJcIPcrV%252Fimage.png%3Falt%3Dmedia%26token%3D52bb4f36-ae4e-422c-9d4f-c4151124bf1b&width=768&dpr=3&quality=100&sign=b6821d19&sv=2) As you can see, FortiWeb did pass the file to FortiSandbox, and the verdict was passed back. [PreviousAnalyze - FortiWeb](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortiweb) [NextAttack - Webserver](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver-1) Last updated 4 months ago --- # Attack - Malware Site | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/attack-malware-site.md) . Open your Fabric Studio instance, locate the object "Inside Host", right-click it, access, and then display. If your asked for a Username & Password for inside host its `Username: fabriclab\demouser5 / Password: Fortinet1!` . Another browser tab should open you have access to the virtual Windows instance Open Firefox, once Firefox has loaded, there should be a bookmark called FortiProxy - Malware click it to open the page. The Firefox instance has already had a PAC file loaded and as such, we'll redirect all traffic to FortiProxy. This is completely transparent to the user. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FkTTpJS7oiLoGtSwEc4lv%252FScreenshot%25202026-02-09%2520at%252010.46.42%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D17360b59-477e-4e86-9a64-dfabf06bf7df&width=768&dpr=3&quality=100&sign=a4c632de&sv=2) The page should look as below. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FtZxr0RHL0PgYUignC3ve%252FScreenshot%25202026-02-09%2520at%252010.47.35%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D25e7d42f-97d5-4f6e-85e6-29c906e057aa&width=768&dpr=3&quality=100&sign=fdab06dc&sv=2) Click one of the files to try and download it. We will use RaccoonStealer during the example. You will notice a slight delay in the loading of the page, however eventually you should get the block message as below ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FWO10wnyyvdSQXzvEOeN7%252FScreenshot%25202026-02-09%2520at%252010.48.59%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Df87ea22f-d3e7-41cf-a3aa-6d3efb566e7d&width=768&dpr=3&quality=100&sign=c63788a5&sv=2) [PreviousScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/scenario-story-narrative) [NextDefence - FortiProxy](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortiproxy) Last updated 4 months ago --- # Defence - FortiProxy | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortiproxy.md) . Please log in to [FortiProxy](https://10.222.101.27/log/security-log?tab=summary&type=webfilter) using the hyperlink. `Username: admin / Password: Fortinet1!` We've configured the hyperlink to take you automatically to the security events section, Please click the anti-virus section as below. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FOz34XkWkVZxGG1xdhIKu%252FScreenshot%25202026-02-09%2520at%252010.58.05%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D54d576b7-71b2-416f-9804-c14040a2d573&width=768&dpr=3&quality=100&sign=9da9e065&sv=2) The page should load as below. Double-click the log to open up an additional side panel on the right-hand side that displays a lot more information ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FPNqWyMnqnJZZNP1DlBVA%252FScreenshot%25202026-02-09%2520at%252010.58.57%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D6d7ec649-990d-43e5-8b84-778444c75c7e&width=768&dpr=3&quality=100&sign=35a4f619&sv=2) As you can see, the verdicts came from FortiSandbox. Just to explain, FortiProxy actually has its own local AV database, as do many of our products. This has been disabled in this scenario to ensure that the files being detected are always passed to FortiSandbox. in most cases, the local DB would handle this, with files that don't have a local signature or match being passed to FortiSandbox. An example of this would be a zero-day. [PreviousAttack - Malware Site](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/attack-malware-site) [NextDefence - FortiSandbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortisandbox) Last updated 5 months ago --- # Attack - Sending External Email | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/attack-sending-external-email.md) . Open your Fabric Studio instance, locate the object "External Attacker ", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance Open Google Chrome, click the Webmail bookmark. Login using `Username: external Password: fortinet` ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FVoYXp4iQ6WSzEXuPgEcO%252FScreenshot%25202026-02-05%2520at%252011.50.04%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D8c1f92b5-b296-4223-87ef-5c90b5e76372&width=768&dpr=3&quality=100&sign=f22c256a&sv=2) On logging in, if you use the left-hand sidebar to navigate to "Drafts," you should see a saved email that says "FIS Test" click it and then press send! ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FsDtv6oaug0361lgrpDyr%252FScreenshot%25202026-02-05%2520at%252011.51.51%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3De2dce14d-509f-4a01-9551-540528f5b2ff&width=768&dpr=3&quality=100&sign=d1481aed&sv=2) [PreviousScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/scenario-story-narrative) [NextDefence - Internal Mailbox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/defence-internal-mailbox) Last updated 5 months ago --- # Attack - Asking ChatGPT | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-asking-chatgpt.md) . Open your Fabric Studio instance, locate the object "Inside Host ", right-click it, access, and then display. If your asked for a Username & Password for inside host its `Username: fabriclab\demouser5 / Password: Fortinet1!` . Another browser tab should open you have access to the virtual Windows instance Open Google Chrome. Confirm that FortiDLP extension has been installed, locating the icon in the top right-hand corner and clicking it (As below) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252Fs9wwhYx09FdPwaUdSlx7%252FScreenshot%25202026-02-04%2520at%252012.20.30%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D01a4235f-89ef-4653-8a80-d93cfa3fb1fe&width=768&dpr=3&quality=100&sign=cee4c7e4&sv=2) Please wait one minute before proceeding to the next task. It's important that FortiDLP loads properly inside the browser, and as this is running on a virtual instance, this can take some time. This is not comparable to the responsiveness of a real-world deployment, where it's real time. Inside the same web browser instance, there should be a ChatGPT bookmark, click it within 30 seconds, you should see a FortiDLP pop-up appear (As below) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FpAm443fXwbvVYL1BElGf%252FScreenshot%25202026-02-04%2520at%252012.23.42%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dc73ed03b-67c9-4b5c-b85f-e46d7eaaf899&width=768&dpr=3&quality=100&sign=e55e64f1&sv=2) Enter a reason for violation and then click "I acknowledge" and "OK." [PreviousScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/scenario-story-narrative) [NextAttack - Google Drive Upload](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-google-drive-upload) Last updated 4 months ago --- # Attack - Webserver | Fabric Solutions Lab - Automate For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver.md) . Open your Fabric Studio instance, locate the object "Webserver", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance. On the desktop, you will find a folder called "uploads." Double-click it. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F24K4lw9iEPul1X0MelTK%252Fimage.png%3Falt%3Dmedia%26token%3Df1a2f27a-91dd-428e-9bc7-c76b1dc88d03&width=768&dpr=3&quality=100&sign=f4ff17b&sv=2) In your Fabric Studio instance, locate the object "External Attacker", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance. On the desktop, you will find Google Chrome, open it and then open the bookmark "DVWA Security: Low" Login with `Username: admin Password: password` ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FHDp0WSB6JnqxZJpcwgAH%252Fimage.png%3Falt%3Dmedia%26token%3Dbc73a488-1407-45aa-8c4d-a4034be28857&width=768&dpr=3&quality=100&sign=a1295e9a&sv=2) Once logged in scroll down to "DVWA Security", and ensure it is set to "Low" (It defaults to impossible) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FpCM2uPxlH0BbwGwwcYIl%252Fimage.png%3Falt%3Dmedia%26token%3D2c0816e4-52af-47cc-a693-9b891131fded&width=768&dpr=3&quality=100&sign=c17ef76e&sv=2) Using the left-hand pane, now browse to File Upload and click Choose File, a Windows file selector will open. Go to your downloads folder and select virus.jpg then click "Open." ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252F5GrqRmdgd8ou2r9gePX5%252FScreenshot%25202026-02-11%2520at%252010.24.13%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D6323b9e7-6399-4385-bb59-b7ad0ef32128&width=768&dpr=3&quality=100&sign=dc1b390b&sv=2) Your instance should look like this. As long as it matches, click upload ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FxTOvbnQZyjHOf2HHNlQV%252FScreenshot%25202026-02-11%2520at%252010.25.04%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D9e0ee8fa-a487-4772-b183-850e04987043&width=768&dpr=3&quality=100&sign=e31065e1&sv=2) During the upload process, you should see a black page with a loading icon. This can take some time, this is an indicator that the file has been passed to faulty sandbox for analysis. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/~gitbook/image?url=https%3A%2F%2F3722493842-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FKLUrUt8WTgcBfY2Go8hm%252Fuploads%252FHs5o7GbJQ9CADczM1RCM%252FScreenshot%25202026-02-11%2520at%252010.26.57%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dcf9d49fb-6f8c-476b-95b8-5f5291033903&width=768&dpr=3&quality=100&sign=4364b8ee&sv=2) Eventually, the page will return that the file has been uploaded. This is to be expected as the file isn't actually malicious but FortiSandbox will have validated this and delivered its verdict. [PreviousScenario - Story/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/scenario-story-narrative) [NextAnalyze - FortiWeb](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortiweb) Last updated 4 months ago --- # Shared Resource Launcher | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/shared-resource-launcher.md) . We get that having to click around many different products can be a little bit cumbersome, so we've developed a web page with all the Shared Resources in one page that we suggest you keep open. Please note, for devices that live **inside** Fabric Studio, you will still need to access them via Fabric Studio (Right click the Product icon Access > HTTPS) This will only work if you are connected via FortiClient or at an Event where a specific SSID is provided. [Product Launcher Click Me](http://10.237.9.1:8080/) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FEPEWcM4GWKLGO0qKKKYR%252FCleanShot%25202026-06-18%2520at%25209%25E2%2580%25AF.56.06.png%3Falt%3Dmedia%26token%3D4f530a11-5fe6-4949-b9e1-773f95ab0b09&width=768&dpr=3&quality=100&sign=807685d1&sv=2) Clicking one of the icons will save the password to your clipboard and redirect you to the page, then you just need to enter the username and paste the password in. Please note that the username is not always admin. These have been separated at the bottom for these you will have to type the username. [PreviousFortiPAM - RDP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/fortipam-rdp) [NextInstallation Checks](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/installation-checks) Last updated 1 day ago --- # Scenario Order | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/scenario-order.md) . To give you complete flexibility, this lab is designed to be modular. However, to get the absolute most out of the experience and see the story truly come together, we highly recommend working your way through all the scenarios from top to bottom. If you are attending an event such as Xperts, the lab has been timed to fit within your allocated session, making a start-to-finish run the ideal approach. To help you guide your own journey, we have ordered the scenarios for the optimal narrative flow and marked them with the following symbols: 🟢 **The Starting Point:** This scenario must be completed first to set the foundation. 🟠 **Independent:** No prerequisites required—dive straight in. 🔴 **Prerequisite Needed:** This builds on previous work. The scenario's introduction will clearly outline what is required and provide a direct link to it. Short on time? No problem at all. If you are pushed for time, feel free to pick and choose the specific scenarios that interest you most. The lab has been intentionally built to support this, so skipping ahead won't spoil your experience. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FvNYzw6JEkwS1wKHKPstF%252FCleanShot%25202026-07-02%2520at%25204%25E2%2580%25AF.58.04.png%3Falt%3Dmedia%26token%3D6935cc97-f6b5-4657-903f-3e6bf3fb0f42&width=768&dpr=3&quality=100&sign=d307c486&sv=2) [PreviousStory/Narrative](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative) [NextFortiPAM - RDP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/fortipam-rdp) Last updated 6 days ago --- # Installation Checks | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/installation-checks.md) . It's worth investing five minutes just to make sure that everything has started correctly. This year, we've invested a lot of time to ensure that you start labbing as soon as possible, and as much as we can automate has been. Information around how to log in to your Fabric Studio instance will either have been provided by the instructor or will be available via the self-serve portal. URL: 10.237.10. Username: **admin** Password: **Fortinet1!** ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/installation-checks#fabric-studio) Fabric Studio On logging into your dedicated Fabric Studio instance, navigate to Fabric Workspace and double click the lab that is already running. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F2UolKxrQXKpg228rwf9X%252FCleanShot%25202026-06-16%2520at%25204%25E2%2580%25AF.38.16.png%3Falt%3Dmedia%26token%3D551ed44f-bfc1-479a-9a6f-8909a94c600c&width=768&dpr=3&quality=100&sign=6e7df308&sv=2) This will open a diagram like below. What is important is that the sidebar on the right-hand side shows everything as “Running”. Anything that does not have this status, including if you have an exclamation mark (!) before “Running” means that you should ask an instructor for assistance as this is an indication that it has not started properly or that there is a licensing issue. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FFFdrsg4UcSs8sziAQ3W1%252FCleanShot%25202026-06-16%2520at%25204%25E2%2580%25AF.38.45.png%3Falt%3Dmedia%26token%3Defe41acb-768a-4eb8-86cd-f204f8cc9ce5&width=768&dpr=3&quality=100&sign=f48b2b81&sv=2) The Windows desktop environment that lives inside Fabric Studio is accessed via RDP via FortiPAM, for this lab, there is a script that runs on its initial boot that renames your host, installs FortiClient, and installs FortiDLP, if the installation is still running when you access the pod, just leave it; however, eventually you should see a PowerShell screen as below. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FVMaroeHlJAygwhBTqjCl%252FCleanShot%25202026-06-29%2520at%252010%25E2%2580%25AF.13.51.png%3Falt%3Dmedia%26token%3D2da0a67b-8aac-4571-a811-8871c8a29e26&width=768&dpr=3&quality=100&sign=c500768&sv=2) If you see that everything has successfully installed correctly and you see the Happy Labbing Prompt! You're good to go! ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/installation-checks#forticlient) FortiClient In the bottom left-hand corner of the taskbar, find the FortiClient shortcut, right click it and open ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FKzQeUES4eWEf2x41eSKX%252FCleanShot%25202026-06-29%2520at%252010%25E2%2580%25AF.16.27.png%3Falt%3Dmedia%26token%3D67e5fa36-a1fa-4dd4-ad53-e5779f932cd7&width=768&dpr=3&quality=100&sign=56c8a81b&sv=2) Ensure that you see the connected status as above, in the event of you not seeing the connected status and instead seeing the disconnected status, enter the following IP address in the box `10.222.101.40` and click connect, this will manually enrol the endpoint to our FortiClient EMS server. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FZR2jf11uNhXEKHN5hSmY%252FCleanShot%25202026-06-23%2520at%25209%25E2%2580%25AF.53.22.png%3Falt%3Dmedia%26token%3D616eae8e-fef2-4bdb-a9b1-6cdfe8155abd&width=768&dpr=3&quality=100&sign=9fddec86&sv=2) [PreviousShared Resource Launcher](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/shared-resource-launcher) [NextVersions, Access & Credentials](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/versions-access-and-credentials) Last updated 10 days ago * [Fabric Studio](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/installation-checks#fabric-studio) * [FortiClient](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/installation-checks#forticlient) --- # Story/Narrative | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative.md) . [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative#welcome-to-breachside-shopping-centre) **Welcome to Breachside Shopping Centre!** ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Breachside Shopping Centre is one of the region's largest retail destinations — a sprawling mall owned by a single parent company, home to dozens of stores: coffee shops, street food vendors, fashion outlets, electronics retailers, and everything in between. Each store runs its own operation, its own staff, and its own technology. For years, that independence was Breachside's charm. In 2025, it became its weakness. A major cyberattack tore through the mall. The parent company was hit first, and the attack spread to several stores — point-of-sale systems down, online stores offline and customer data exposed. Recovery took months, trust took longer. In the chaotic months after the breach — before any IT/OT leadership was in place — individual store managers took matters into their own hands. Some reached out to various cybersecurity vendors directly and procured whatever equipment they could get deployed quickly. The result: pockets of technology scattered across the mall, alongside gaps, overlaps, and no unified strategy. Then the parent company acted. A new CIO and CTO were appointed, with full authority over every technology decision across Breachside — parent company and stores alike. When they arrived, they inherited a patch job. The good news? They liked what they saw from the Fortinet deployments — and they've decided to build the recovery on that foundation. ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative#where-you-come-in) Where you come in As a trusted Fortinet partner, you've been engaged to rebuild Breachside's security posture, store by store. In each scenario, the CIO and CTO will hand you a problem statement — a real operational pain point from one of the stores. Your job is to design the solution, implement it using Fortinet products working together, and pitch it back to the CIO and CTO — exactly as you would in a live engagement. The technology has to work, and the story has to land. ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative#how-this-lab-works) How this lab works Every scenario is a store within Breachside, and every scenario is modular. Some stores reference each other, just as real environments do, but nothing blocks your path. Each scenario follows the same structure: 1. **Customer Requirement** — the problem statement, in the CIO and CTO's own words 2. **Products Included** — the Fortinet Fabric components you'll be working with 3. **Our Response** — what you, as the partner, are going to deliver [PreviousIntroduction](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping) [NextScenario Order](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/scenario-order) Last updated 9 days ago * [Welcome to Breachside Shopping Centre!](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative#welcome-to-breachside-shopping-centre) * [Where you come in](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative#where-you-come-in) * [How this lab works](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative#how-this-lab-works) --- # FortiPAM - RDP | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/fortipam-rdp.md) . We’ve listened closely to your feedback from our previous 2024 [(Original)](https://fabriclab-tech.gitbook.io/fabric-lab) and 2025 [(Mitre)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-mitre) labs, copy-paste functionality was a hassle. We heard you loud and clear! For this lab, every attendee gets their own [FortiPAM](https://10.222.101.36/) login. Inside your Fabric Studio instance is a Windows Host that a lot of the scenarios run through. We use FortiPAM to handle an HTML5-to-RDP connection directly in your browser. You'll get a fully passwordless, desktop-like experience. Finally need to copy and paste text into this environment? Simply press F8 to bring up the clipboard! (Examples Below) ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/fortipam-rdp#logging-in-via-fortipam) Logging in via FortiPAM 1. Browse to [FortiPAM](https://10.222.101.36/) 2. Username: Pod**N** (I.E Pod46) **N** = Your Pod Number I.E Pod46 1. Password: Fortinet1! 2. Navigate to Secrets 3. Select Host\_Win11\_Internal 4. Launch Secret 5. Web RDP 6. A full web RDP session should open up ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Ful9OHtYueP1k8BLWw9J0%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.40.47.gif%3Falt%3Dmedia%26token%3Df70a481a-6cb4-4e22-a951-ee311381c579&width=768&dpr=3&quality=100&sign=b86d72fa&sv=2) Once you have this RDP session established, we recommend that you just leave the tab open. It's used in almost all of the scenarios. In each scenario that it is used in, we will let you know, but instead of having to reopen and go through this entire process every time, just keep it open! ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/fortipam-rdp#copy-and-paste-fortipam-session) Copy and Paste FortiPAM Session 1. Press F8 on your keyboard, a side menu should open 2. Select Clipboard 3. Paste the contents from your local machine into the clipboard 4. Select send to Remote Clipboard 5. In the RDP session Paste as you normally would ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FXMcn1GD5lwWVylEuOYmY%252FCleanShot%25202026-06-12%2520at%25209%25E2%2580%25AF.51.28.gif%3Falt%3Dmedia%26token%3D9f9c7974-ba1a-4ae8-9314-fb94e81162ba&width=768&dpr=3&quality=100&sign=c0722630&sv=2) [PreviousScenario Order](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/scenario-order) [NextShared Resource Launcher](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/shared-resource-launcher) Last updated 1 day ago * [Logging in via FortiPAM](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/fortipam-rdp#logging-in-via-fortipam) * [Copy and Paste FortiPAM Session](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/fortipam-rdp#copy-and-paste-fortipam-session) --- # Certificates at Scale | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale.md) . ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FB8XihO7fRsyYfbz22j5B%252Fimage.png%3Falt%3Dmedia%26token%3D75fdf0ca-3c8a-4e83-9fb7-9c233f19ec69&width=768&dpr=3&quality=100&sign=a2bf8224&sv=2) Every time we try to roll out SSL deep inspection, our staff see browser certificate warnings. They click through them or call the help desk — both are bad. I need a way to automate this across hundreds of FortiGate Firewalls and Endpoints. Certificate distribution and installation must be fully automated, with no manual work per device. We open new stores often, and staff roam between stores — their devices must trust every site they visit, from day one **Products In-Scope** FortiAuthenticator (FAC) FortiGate (FGT) FortiClient & FortiClient EMS (FCT) **Our Response** Since 2023, more than 95% of all traffic on the Internet is encrypted. That is good news for privacy — and bad news for security teams, because what you cannot see, you cannot protect 100%. Malware, phishing payloads and data theft all travel inside encrypted sessions, hidden from any firewall that only inspects in plain text. Several other scenarios in this lab depend on deep inspection being in place — this scenario is the foundation they build on. Certificate warnings appear because deep inspection works, by design, as a "trusted interception": the FortiGate decrypts the session and re-signs it with its own certificate. If the endpoint does not trust the certificate authority (CA) behind that certificate, the browser warns the user. The fix is not to suppress the warning — it is to build a chain of trust that every device in the business already holds. We deliver that chain in three layers: 1. **FortiAuthenticator as the certificate authority.** FortiAuthenticator hosts the root CA for the whole estate and exposes a Simple Certificate Enrolment Protocol (SCEP) endpoint. SCEP lets each FortiGate fetch the root CA certificate automatically — no engineer copying files between devices. When a new store opens, its FortiGate enrols itself. 2. **A signed sub-CA on every FortiGate.** Each FortiGate generates its own Certificate Signing Request (CSR) for a subordinate CA. FortiAuthenticator signs it, making each firewall's inspection certificate part of one trust hierarchy. The FortiGate then uses this sub-CA in its SSL/SSH inspection profile to re-sign decrypted traffic. 3. **FortiClient EMS pushes trust to every endpoint.** We import the root CA into the EMS default system profile. EMS installs it into the certificate store of every managed endpoint automatically. Because trust is anchored at the root, an endpoint trusts _every_ FortiGate sub-CA in the estate — so a user who roams from one store to another is trusted at both, with zero reconfiguration. The result: full SSL inspection across hundreds of sites with no warnings, no help-desk tickets, and no per-device manual work. New store? The FortiGate enrols via SCEP. New starter? EMS installs the root CA before they open a browser. And with visibility restored, every other control in this lab — sandboxing, threat detection, data protection — can finally see the traffic it is meant to inspect. [PreviousVersions, Access & Credentials](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/versions-access-and-credentials) [NextFortiGate (FGT) Remote CA Configuration](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-remote-ca-configuration) Last updated 14 days ago --- # CIO & CTO Message | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/cio-and-cto-message.md) . **Breachside Shopping Centre — a closing word from the CIO and CTO** When we took this on, Breachside had already been breached. The estate trusted anything inside its walls, our defences were a handful of disconnected tools, and we found out about incidents long after they mattered. We asked you to help us rebuild — not to buy more products, but to make the ones we had work as one. That work is now done. We began with trust, because nothing stands without it. The certificate authority we established gives every device a verifiable identity, and lets us inspect encrypted traffic cleanly across the estate. Everything else was built on it. Our shopfronts are no longer soft targets. The customer-facing applications turn away injection and keep trading through load, and both inbound routes — email and web download — are now intercepted and detonated before anything reaches a member of staff, all through the same analysis engine. That shared engine is the difference between owning tools and running a fabric. We have also closed the gap that worried us most: what leaves, not just what arrives. We can see how AI and sensitive data are being used, on the wire and on the device, and we coach our people before we penalise them. Where something moves laterally inside the estate, our own decoys catch it and flag the device automatically. Most importantly, all of that now feeds a single decision. Access is no longer granted by where someone sits on the network — it is earned continuously, from the health and behaviour of the device asking for it. Trust is proven, not assumed. Breachside is no longer a building that had been broken into. It is a security fabric that defends itself. Before we close, we would ask two things of you, both set out on the next page. The first takes a moment and shapes whether engagements like this happen again — if the time here was well spent, that is the place to say so. The second goes to the people who designed these scenarios, and is where candid detail matters most: what worked, what was unclear, and where it could be sharper. Looking ahead, we fully intend to keep this momentum going. Building on the foundation now in place, our roadmap includes reviewing how AI can further assist us—specifically by streamlining and automating event correlation and further automating the response across multiple products. We will be in touch soon to scope it, and a formal customer statement will follow shortly. **\[Easter Egg Detected\]:** If you're currently clicking through multiple products trying to correlate events manually, hold tight. Next year, the machines are taking over that entire chain reaction. Be nice to them! With our thanks, _— Office of the CIO & CTO, Breachside Shopping Centre_ [PreviousClassification Tags](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/classification-tags) [NextFeedback](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/feedback) Last updated 7 days ago --- # FortiGate (FGT) Remote CA Configuration | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-remote-ca-configuration.md) . First, Carat & Co's FortiGate needs to know who to trust. In this step, we point it at the FortiAuthenticator's SCEP service, and it fetches the root CA certificate on its own — exactly what would happen automatically at every new store Breachside opens. FortiGate (located inside Fabric Studio: right click it and access it HTTPS): Username: admin Password: fortinet4A!! Before we begin, we need to disable a firewall policy that was used for the initial provisioning of this instance. On the FortiGate, go to Policy & Objects > Firewall Policy. You will see a policy named Disable Me — select it and click Disable. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FSwwKNRwmN7bzRX7LeMAp%252FScreenshot%25202026-06-05%2520at%25209.06.23%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dcf642f03-2bd8-4f72-9548-ba3a4a84fa95&width=768&dpr=3&quality=100&sign=918413d5&sv=2) The policy should now appear greyed out, as below. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FbLKTkm5YU6IZnupHiiZD%252FScreenshot%25202026-06-05%2520at%25209.14.29%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dec265402-a83b-44cb-b63a-ea49ca742e98&width=768&dpr=3&quality=100&sign=ea4b30b9&sv=2) The root CA has already been configured on the FortiAuthenticator — **you do not need to create it**. In a real deployment, this is a one-time setup task for the whole estate. You only need to complete the steps below. On the FortiGate, go to System > Certificates. In the top-left corner, select Create/Import > CA Certificate. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Flv3LX6Yu9Gw3N8uVVNzL%252FScreenshot%25202026-05-11%2520at%25209.41.26%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D6d19afce-0018-4415-be45-033d23e32372&width=768&dpr=3&quality=100&sign=cf6fd7f9&sv=2) You will see the window below. Select Online SCEP, and in URL of the SCEP server, enter the following `http://10.222.101.26/app/cert/scep/` and click OK This is the automation moment: the FortiGate contacts the FortiAuthenticator's SCEP endpoint and downloads the root CA certificate itself. No file was exported, emailed, or copied by hand — and this is what removes the per-device manual work when Breachside opens its next store. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FcnPRfN0JtbPQXweIsf61%252FScreenshot%25202026-05-11%2520at%25209.44.57%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dc854b848-fa2a-44dc-a7cb-a03f72adad7c&width=768&dpr=3&quality=100&sign=4c44fd27&sv=2) After a few moments, you will be returned to the Certificates page. Under Remote CA Certificates, you should now see CA\_Cert\_1 / CN = FabricLab Internal Security CA. The FortiGate now trusts Breachside's internal CA. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FJjPUEomgXwzM2NotuLB2%252FCleanShot%25202026-06-29%2520at%252010%25E2%2580%25AF.28.46.png%3Falt%3Dmedia%26token%3Dc8b29662-0532-4b70-9386-bccff2d50c22&width=768&dpr=3&quality=100&sign=379b2522&sv=2) Side note: the name CA\_Cert\_1 is auto-generated. If you want to rename it to something more meaningful, you can use the CLI commands below. In a large estate, a clear naming convention matters ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FA6pi8TFJloGV6KTOVYsE%252FScreenshot%25202026-05-11%2520at%25202.07.44%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D805757d8-7917-4f0d-bdb6-006b5186bcd2&width=768&dpr=3&quality=100&sign=92928844&sv=2) [PreviousCertificates at Scale](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale) [NextFortiGate (FGT) CSR Request](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-request) Last updated 1 day ago --- # Feedback | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/feedback.md) . If you are attending an event (Such as Xperts), we ask that you provide two sets of feedback as outlined below. If you are not attending a event just skip to Feedback 2! ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/feedback#feedback-1-event-app-feedback-i.e-xperts) Feedback 1 - Event App Feedback (I.E Xperts): * Where it goes: Directly to the central marketing and event planning teams. * Why it matters: This data determines our presence at future events. If you value these sessions and want to see our team on the agenda next year, completing this quick survey via your event app is the most effective way to ensure we return. ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/feedback#feedback-2-portal-feedback) Feedback 2 - Portal Feedback: * Where it goes: Straight to the technical creators behind the Fabric Solutions Labs. * Why it matters: We thrive on granular, highly technical insights. Because our labs are constantly updated, your direct feedback allows us to make immediate adjustments and build the exact content you need for next year. > Our Commitment: We don't just collect data—our team thoroughly reviews every single piece of portal feedback to drive real updates. How to submit Lab Feedback: Log into the self-serve portal you used to access your lab resources, and click the Lab Feedback button. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FYW2ZiFUJmnpT7R8Qgk5P%252FCleanShot%25202026-07-02%2520at%252011%25E2%2580%25AF.13.55.png%3Falt%3Dmedia%26token%3D0965ecc0-798f-4e69-a431-c9ef00a5734d&width=768&dpr=3&quality=100&sign=f8383d94&sv=2) You will then be redirected to a form ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FDLTRODf9v6ZrgSiBq99H%252FCleanShot%25202026-07-02%2520at%252011%25E2%2580%25AF.15.32.png%3Falt%3Dmedia%26token%3D41836e26-2edb-4833-8351-827b543591f8&width=768&dpr=3&quality=100&sign=2cddaa23&sv=2) [PreviousCIO & CTO Message](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/cio-and-cto-message) Last updated 7 days ago * [Feedback 1 - Event App Feedback (I.E Xperts):](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/feedback#feedback-1-event-app-feedback-i.e-xperts) * [Feedback 2 - Portal Feedback:](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/feedback#feedback-2-portal-feedback) --- # Versions, Access & Credentials | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/versions-access-and-credentials.md) . As previously mentioned, within Fabric Solutions Labs, we have the concept of devices that live inside Fabric Studio (Dedicated to each user) and shared devices that live outside a Fabric Studio. The operating versions are constantly updated for both, below is a table of the current operating versions of the products that you will use inside this lab. For the shared resources, each product has a clickable hyperlink and a backup username and password, a clickable link is included in each scenario or alternatively, you can use the [Shared Resource Launcher](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/shared-resource-launcher) There are two FortiGate appliances inside this lab environment. Ensure that you read the documentation carefully to connect to the right one each time. ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/versions-access-and-credentials#dedicated) Dedicated Product Name Version Location Username Password FortiWeb (FWB) 8.0.3 Inside Fabric Studio admin fortinet4A!! FortiADC (FAD) 8.0.2 Inside Fabric Studio admin fortinet4A!! FortiGate (FGT) 8.0.0 Inside Fabric Studio admin fortinet4A!! FortiMail (FML) 8.0.0 Inside Fabric Studio admin fortinet4A!! Debian13\_MCP\_Client 13 Trixie Inside Fabric Studio Debian13\_MCP\_Server 13 Trixie Inside Fabric Studio Debian13\_MCP\_Webserver 13 Trixie Inside Fabric Studio Host\_Win11\_Internal Windows 11 Pro Inside Fabric Studio ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/versions-access-and-credentials#shared) Shared Product Name Version Location Username Password [FortiAuthenticator (FAC)](https://10.222.101.26/) 8.0.3 Outside Fabric Studio admin Fortinet1! [FortiAnalyzer (FAZ)](https://10.222.101.35/) 8.0.0 Outside Fabric Studio admin Fortinet1! [Shared FortiGate (FGT)](https://10.222.101.31/) 7.6.7 Outside Fabric Studio admin Fortinet1! [FortiProxy (FPX)](https://10.222.101.27/l) 7.6.6 Outside Fabric Studio admin fortinet4A!! [FortiSOAR (FSR)](https://10.222.101.22/login/) 7.6.6 Outside Fabric Studio csadmin Fortinet1! [FortiClient (FCT)](https://10.222.101.40/) 7.4.7 Outside Fabric Studio FabricSolutionsLab Fortinet1! [FortiSIEM (FSM)](https://10.222.101.28/) 7.4.2 Outside Fabric Studio admin Fortinet1! [FortiDeceptor (FDC)](https://10.222.101.29/) 6.1.0 Outside Fabric Studio admin Fortinet1! [FortiSandbox (FSA)](https://10.222.101.23/) 5.2.0 Outside Fabric Studio admin Fortinet1! [FortiPAM (FPAM)](https://10.222.101.36/) 1.9.0 Outside Fabric Studio Pod Fortinet1! [FortiDLP (FDLP)](https://ftnt-fabric-cse.reveal.nextdlp.com/) SaaS Outside Fabric Studio FabricLab Fortinet1!Fortinet1! [PreviousInstallation Checks](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/installation-checks) [NextCertificates at Scale](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale) Last updated 1 day ago * [Dedicated](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/versions-access-and-credentials#dedicated) * [Shared](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/versions-access-and-credentials#shared) --- # Centralised Logging — PackTrack | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/centralised-logging-packtrack.md) . If you remember, PackTrack's final requirement was that all of this activity must be visible in one place — they expect this to roll out at very large scale. You have generated evidence on two different paths through two different products. Time to find it all on one screen. Login your [FortiAnalyzer](https://10.222.101.35/) instance Username: admin Password: Fortinet1! The FortiAnalyzer is shared between all attendees — and so are the FortiProxy, FortiClient EMS and FortiSandbox you have been using. For this scenario, you therefore need to navigate into the **Fabric\_Lab\_Infrastructure** ADOM. Other attendees' logs will also be present in the next steps, so it is recommended to create a filter. A note on why this matters: in the other scenarios, your dedicated devices log into your own private ADOM. The shared infrastructure logs into a shared ADOM — which is exactly what a real estate looks like. Right now, you are an analyst staring at logs from fifty "stores" at once, and you need to isolate one. That filtering skill is the job. Go to Log View > Logs > Fortinet Logs (Tag) > Click FortiProxy, and select the Security — AntiVirus tab. If you wish to filter so you only see your logs then set a Source IP filter to your POD ID I.E (As Im using Pod47) Source IP=10.222.102.47 There are your proxy verdicts — the same events you saw on the FortiProxy itself, now in the central platform, alongside every other attendee's. One place to search, regardless of how many proxies feed it, and lets not discount the power of FortiAI Assist if you ask it will provide context around everything it can see. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F6ZGzzJmdrEdfFoecgUin%252FScreenshot%25202026-05-27%2520at%25203.25.39%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D25537066-f3b2-4d2a-8dd6-b083066ed362&width=768&dpr=3&quality=100&sign=44bea88c&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FqNgqL8oxYpXsUNOywwY6%252FScreenshot%25202026-05-27%2520at%25203.24.14%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D78d64b8e-40fe-4563-8f09-621e388a9d45&width=768&dpr=3&quality=100&sign=ca5ce096&sv=2) Now Click FortiSandbox and select the Malware Tab ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FW2LA7TozVSjoKNo0uW5T%252FScreenshot%25202026-05-27%2520at%25203.26.56%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D3c975f14-ff56-4887-bdbf-16e8f83f635d&width=768&dpr=3&quality=100&sign=db7e7038&sv=2) And here is the sandbox's own account of the same story: the files, the hashes, the verdicts. Notice that you are now looking at evidence from two products describing one event — the proxy that held the file, and the sandbox that judged it. Add the FortiClient detections from your Chrome bypass, and the SOC can reconstruct the entire chain: this user, on this machine, tried to fetch this file, by this path, and here is what stopped it. That closes out PackTrack's engagement. Inspect every download before delivery: done, inline, with FortiSandbox verdicts gating the proxy. Cover the paths around the proxy: done, with FortiClient submitting to the same sandbox. Zero-day capable: done — behaviour-based detonation, not signatures. Everything visible in one place: you are looking at it. No verdict, no file — and no Patient Zero at Breachside. [PreviousDownloading Malware (FCT)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/downloading-malware-fct) [NextWho's Talking to the AI?](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai) Last updated 24 days ago --- # Downloading Malware (FCT) | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/downloading-malware-fct.md) . Every proxy has a way around it. A misconfigured browser, a personal device, a USB stick from a supplier — sooner or later, a file will reach an endpoint without passing through the inspection path. This step shows what catches it when that happens: the user bypasses the proxy entirely, and FortiClient picks up the fight. Using the same RDP session as before, open Google Chrome — unlike Firefox, Chrome on this host is not configured to use the proxy, so its traffic goes straight out. Click the /tools bookmark, find sandbox\_demo.exe, and double-click it. Chrome's built-in security may resist the download — click Keep, then Download unverified file. Once you do, watch closely: an APT Scan pop-up appears, very briefly, as the file is passed to FortiSandbox and the verdict is received. As you can see below the file has been marked as clean. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FwUnMNhNQz3T0X6X4vRZg%252FScreenshot%25202026-05-27%2520at%25203.14.09%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3De70c3d08-f375-41a1-b5e0-9f6977e3657d&width=768&dpr=3&quality=100&sign=77ce9255&sv=2) Pause on what just happened: the proxy never saw this download — and the file _still_ went to the same FortiSandbox and got the same verdict. This time the submission came from the endpoint itself, via FortiClient. One sandbox, one verdict database, two completely different routes into it. That is the Fabric point of this whole scenario. Now click the /malware bookmark. You will find several files to try — download one or a selection, all of them work. The APT Scan widget will pop up again, but this time the verdict is malicious. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FpksyzxrtSzdxymMgnwgQ%252FScreenshot%25202026-05-27%2520at%25203.17.47%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dcdb187f4-57cc-4cb2-8f10-bab320ecb03a&width=768&dpr=3&quality=100&sign=8e148a58&sv=2) Important: in this lab, FortiClient is deliberately running in monitor-only mode — the file is still downloaded to the host and remains executable. We have done this so you can see the detection and the resulting logs without the lab fighting you. In a production deployment, you would run FortiClient in blocking mode: the verdict you just watched arrive would quarantine the file before the user could run it. So PackTrack now has both doors covered. Through the proxy: the file is held and judged before it ever arrives. Around the proxy: FortiClient submits it to the same sandbox and acts on the same verdict. The attacker has to be lucky twice; the defence only has to be configured once. One last requirement remains — the customer wanted all of this visible in one place. Let's finish there. [PreviousFortiProxy Logs](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-logs) [NextCentralised Logging — PackTrack](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/centralised-logging-packtrack) Last updated 28 days ago --- # Verify FortiClient | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/verify-forticlient.md) . The whole chain has run, and this is the proof at the end of it. What began as a paste into ChatGPT travelled through FortiDLP, FortiSIEM and FortiSOAR — and arrives here, as a single tag on the offending device. In this final step you'll confirm it landed. Log into the Shared [FortiClient EMS](https://10.222.101.40/) instance FortiClient is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance. Use: Username: FabricSolutionsLab Password: Fortinet1! Go to Endpoints > All Endpoints and select your specific endpoint from the list. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fmu5tDQtu9n5F6pxOsz69%252FScreenshot%25202026-06-02%2520at%25205.23.54%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dd5580160-aa4c-4166-9340-e621e0ee17a2&width=768&dpr=3&quality=100&sign=763c11e8&sv=2) Scroll down to the Classification Tags section. There is the FortiDLP incident tag you applied through FortiSOAR. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FTGgWilc5NgmOugYnE0H3%252Fimage.png%3Falt%3Dmedia%26token%3D97b12e3f-fc4a-4192-855e-d54325bfdc58&width=768&dpr=3&quality=100&sign=5a3d3862&sv=2) You may see other tags here too, depending on the order you've worked through the scenarios — for example, a Deceptor tag if you've done [The Trap Inside the Walls](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls) . That's realistic: in a real estate, a single device accumulates tags from every system that has something to say about it, and a firewall policy can weigh all of them together. Stop and trace what this one tag represents. It started when you, playing a departing developer, pasted code containing PII into an AI tool, then screenshotted and compressed it. FortiDLP coached you in the moment and recorded every action against its MITRE technique. FortiSIEM scored the whole pattern and recognised it as a genuine threat, not noise. FortiSOAR turned that judgement into an action and reached into EMS to mark the exact device. Four products, one continuous response — from a careless paste to a permanent, enforceable mark on the endpoint. And this is where "coaching, then consequences" becomes literal. The coaching already happened, on screen, the moment you pasted — a nudge, not a block, because most people only need reminding. The consequence is this tag. On its own it's a record; combined with firewall policy, it's a locked door. The Tag-Driven ZTNA scenario shows exactly that: a device carrying this FortiDLP tag is refused access to protected internal applications, even while every live health check says the device is fine. Coaching happened here; the consequence is enforced there. That completes the engagement. Walk it back to the CIO, against everything they asked for. See what's actually being pasted into AI tools, even in desktop apps and IDE plugins the firewall can't read — done, by FortiDLP watching on the device itself. Coach the careless majority rather than banning AI outright — done, with the on-screen nudge that reminds without blocking. Recognise the dangerous pattern when a watch-listed leaver ignores the nudge — done, by FortiSIEM scoring behaviour with UEBA rather than counting alerts. And act on its own, surgically, on that one person — done, by the FortiSOAR playbook that tags the single offending device for enforcement. The customer's last leaver was gone before anyone joined the dots. This time, the dots join themselves, and the door is already closing as the person reaches for it. [PreviousAutomating (FortiSOAR)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/automating-fortisoar) [NextThe Trap Inside the Walls](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls) Last updated 1 day ago --- # Scaling (FortiSIEM) | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/scaling-fortisiem.md) . FortiDLP gave you the evidence on one device. But the customer's real fear wasn't a single laptop — it was not spotting the pattern across the whole organisation until it was too late. This is where FortiSIEM comes in: it takes the DLP signals from every endpoint, scores them by behaviour, and raises the ones that matter. This page also has a practical job — you'll collect the FortiSIEM Incident ID that the next step needs, so note it before moving on. Log into your [FortiSIEM](https://10.222.101.28/) instance FortiSIEM is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance **UserID:** admin **Password:** Fortinet1! **Organization:** super **Domain:** local Because everyone shares this environment, the FortiDLP log ingestion is already set up for you. We've created a FortiSIEM rule that automatically raises a local incident whenever one is triggered in FortiDLP — so the moment your DLP violations fired, FortiSIEM already knew about them. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FQbSPu5puxMZ9aMl3R7KL%252Fimage.png%3Falt%3Dmedia%26token%3D777289cd-2d45-49b1-8240-12a77f5a1c98&width=768&dpr=3&quality=100&sign=9b378bc&sv=2) On logging into FortiSIEM, if you browse to Incidents > Select the List by Time View ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FdkHWoQJaTQlDJ1RHptxk%252Fimage.png%3Falt%3Dmedia%26token%3D7d3a58c1-6a05-4958-ba42-0c7d3aa67572&width=768&dpr=3&quality=100&sign=81f442a&sv=2) Your view should look like the one above. During busy sessions you'll see entries from other attendees too, so look for the ones matching your activity. Here is what FortiSIEM adds, and why it matters. FortiDLP told us what happened on each device. FortiSIEM applies UEBA — User and Entity Behaviour Analytics — to judge how those actions add up. It doesn't simply count alerts; it scores behaviour against what's normal for that user. One developer pasting one snippet into ChatGPT is low-risk and stays quiet. But the same user — already on a watch list as a leaver — taking screenshots, compressing files and exfiltrating code containing PII inside a single short window scores far higher, and surfaces as one high-confidence incident. This is the difference between a tool that floods a small team with six low-severity alerts to piece together, and one that hands them a single line that says "this person, right now, is the problem." That is what lets a small security team operate at the scale of a large organisation. Note down the ID of one of your incidents — you'll need it on the FortiSOAR page that follows. [PreviousEvidence Review (FortiDLP)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/evidence-review-fortidlp) [NextAutomating (FortiSOAR)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/automating-fortisoar) Last updated 24 days ago --- # Downloading Malware (FPX) | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/downloading-malware-fpx.md) . This is the moment the design proves itself. You will download two kinds of files from the same web server: one harmless, one malicious. The proxy should let one through and stop the other, without the user doing anything differently. Using the same RDP session as the previous and using Firefox, click the Index of /tools bookmark. Inside this web server, you will find a file called sandbox\_demo.exe — double-click it. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FdrIuqkU0M63fvm2IrZYf%252FScreenshot%25202026-05-27%2520at%252011.24.29%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D48f0a3f4-3a0a-4b80-ba55-46495d0b2f78&width=768&dpr=3&quality=100&sign=b32b9839&sv=2) The download should complete successfully — the file is not malicious. But note what just happened invisibly: the file was extracted by the FortiProxy, a verdict was obtained from FortiSandbox, and only then was the download released to you. A clean verdict feels like nothing at all — and that is exactly the point. Protection that users don't notice is protection they won't try to switch off. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FAUsEJuaBRUuhezCcipPA%252FScreenshot%25202026-05-27%2520at%252012.20.57%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D1723c76e-4ef7-4451-b744-def2c7ddf157&width=768&dpr=3&quality=100&sign=396b2039&sv=2) Now click the Index of /malware bookmark and double-click any of the .exe files. You may notice the malicious verdicts come back very quickly. That is the hash database at work: FortiSandbox has seen these files before and already holds a verdict for each hash, so it answers immediately rather than detonating the file again. A genuinely first-seen file takes longer, because it is being run and observed inside a sandbox VM. In a busy estate, this caching is what keeps the user experience fast — the expensive analysis happens once per file, not once per download. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fgw05m6FQX8vATHTxethi%252FScreenshot%25202026-05-27%2520at%252011.29.50%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Da17d0413-7c0e-4564-81ec-96b45645ffd8&width=768&dpr=3&quality=100&sign=b2494a36&sv=2) This time, no download — a block page instead. The verdict came back malicious, and the file never left the proxy. This is inline scanning doing precisely what the previous pages promised: the endpoint never received the file, so there is nothing to clean up, no race against the AV engine, and no Patient Zero. Compare that with PackTrack's last incident — hours of dwell time and a command-and-control callback before anyone knew. Feel free to try several of the malware samples — and notice the user experience each time: a clear explanation of why the file was blocked, not a cryptic browser error that sends staff to the help desk. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FBwEiAmFMfzgR1iBINp9Q%252FScreenshot%25202026-05-27%2520at%252012.21.58%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D2a2ea88b-a377-408b-b65a-5d1c0980ca21&width=768&dpr=3&quality=100&sign=cdc9ed93&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F52EEE4rrzZjiXEuXqV1u%252FScreenshot%25202026-05-27%2520at%252012.22.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Da029beab-8401-4608-bc0f-812bc9f6906c&width=768&dpr=3&quality=100&sign=4462969&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FZrbFO0dcFgsmrXk8NTUw%252FScreenshot%25202026-05-27%2520at%252012.22.59%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D5aff93b6-e2b6-4ace-9300-fa1f732e89b6&width=768&dpr=3&quality=100&sign=8dfb7dd&sv=2) The user's view is only half the evidence. Let's see what the proxy recorded. [PreviousConfigure WebProxy Firefox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/configure-webproxy-firefox) [NextFortiProxy Logs](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-logs) Last updated 10 days ago --- # Probing the Decoys | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/probing-the-decoys.md) . Now you become the intruder. Imagine you have compromised a staff laptop at SecondStorey and you are looking around the internal network for something valuable — file servers, industrial systems, anything you can reach. In this step you will do exactly what a lateral mover does: probe the systems you find. The difference is that some of these systems are traps. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/probing-the-decoys#using-fortipam-to-rdp-to-the-windows-host-inside-fabric-studio) Login your [FortiPAM](https://10.222.101.36/) instance **Username:** Pod**N** **N** = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 **Password:** Fortinet1! Navigate to Secrets select Shopping-Pod47\_Host\_Win11\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FrJfTZmDddBdMZCcYcSyx%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.46.52.png%3Falt%3Dmedia%26token%3D5b3af4f3-e15d-4070-8dc6-d7a31f2237fd&width=768&dpr=3&quality=100&sign=e07741e0&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FD6Etqm2PtyN9ymBMkuCS%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.47.05.png%3Falt%3Dmedia%26token%3Dc09b60a7-632b-473a-827b-371062f30671&width=768&dpr=3&quality=100&sign=cae8ca33&sv=2) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FUSOSlZNz7QXtVr4aNNhU%252FScreenshot%25202026-05-12%2520at%25201.01.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7dfb4cd8-07a9-45e8-a577-12038e82caad&width=768&dpr=3&quality=100&sign=5c97c024&sv=2) Once you arrive at the desktop, double-click the Google Chrome shortcut located on the Desktop. we have created two shortcuts for you 1. SCADA Decoy 2. VMware Decoy Click both, and spend some time browsing around the pages to generate traffic — this activity is needed for the later steps, so don't rush past it. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FQdxaWyWtl3i41LUHjYV2%252FScreenshot%25202026-06-02%2520at%25209.14.31%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Db3e5e9b4-f807-49e7-983f-30891a9c9fb6&width=768&dpr=3&quality=100&sign=81be05b7&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fa5PfX7DtgZEulADKTJO2%252FScreenshot%25202026-06-02%2520at%25209.16.40%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D1aa2e1c5-0fe8-433c-af73-01fa2edba277&width=768&dpr=3&quality=100&sign=a0f9372&sv=2) You can login with Username: fabriclab Password: Fortinet1! ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F28vLSe0EJT3RbCDwWHV4%252FScreenshot%25202026-06-02%2520at%25209.18.24%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D0f785fa4-afe6-463d-952a-5143c9e3ddee&width=768&dpr=3&quality=100&sign=bba16f22&sv=2) For a third and final probe, use the Windows host's Start menu to search for Remote Desktop. Create a session to 10.222.102.223 or 10.222.102.224, click the Fabric Lab user, and enter the password `Fortinet1!` ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FB26oRQ0GyXpZcZFMw0fh%252FScreenshot%25202026-06-02%2520at%25202.56.01%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D29916985-8261-4d01-9c3e-490808d52a18&width=768&dpr=3&quality=100&sign=43ebdadc&sv=2) This RDP connection is the probe that matters most. A successful RDP login to an internal server is one of the clearest signs of an attacker moving laterally — it is exactly how the breach last year spread from machine to machine. FortiSIEM is watching for precisely this, and on the next page you will see the alert it raises: "Successful RDP to a decoy" within FortiSIEM. You have now tripped the trap two different ways — Web and RDP. Let's switch back to the defender's chair and see what the Fabric saw, and what it did about it. [PreviousFortiDeceptor Configuration](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/fortideceptor-configuration) [NextWhats do we see and the response?](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/whats-do-we-see-and-the-response) Last updated 21 days ago --- # Verifying using FortiClient | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/verifying-using-forticlient.md) . The whole chain has run, and this is the proof at the end of it. One probe against a decoy travelled through FortiDeceptor, FortiSIEM and FortiSOAR — and arrived here, on the endpoint itself. In this final step you will confirm the tag landed on the offending device. Log into the Shared [FortiClient EMS](https://10.222.101.40/) instance FortiClient is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance Username: FabricSolutionsLab Password: Fortinet1! Navigate to Endpoints > All Endpoints select your specific endpoint from the list ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fmu5tDQtu9n5F6pxOsz69%252FScreenshot%25202026-06-02%2520at%25205.23.54%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dd5580160-aa4c-4166-9340-e621e0ee17a2&width=768&dpr=3&quality=100&sign=763c11e8&sv=2) Scroll down until you find the Classification Tags section. There is the tag you applied through FortiSOAR — pushed automatically onto the endpoint by the playbook. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FBpNsYctSRZsmqXnWfMlC%252FScreenshot%25202026-06-02%2520at%25205.22.58%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3De800d476-d4b3-4055-b27d-e804f15f76c9&width=768&dpr=3&quality=100&sign=5132bb88&sv=2) Stop and trace what this single tag represents. It began when you touched a decoy you should never have touched. FortiDeceptor caught it, FortiSIEM correlated it into one clear incident, FortiSOAR turned that incident into an action, and FortiClient EMS carried that action down to the exact device — identified precisely, out of thousands. Six products, one continuous reflex, from "someone is probing the network" to "the guilty machine is marked", with the network already locked out in parallel. Why a tag, and what comes next? A tag in FortiClient EMS is not just a label — it is a trigger. EMS policies can key off a classification tag to change what an endpoint is allowed to do: move it into a restricted group, block its network access, or cut it off from sensitive systems. In this scenario we apply the tag, which is the decisive step — the moment the device is positively identified and marked. What you do with that tag is a policy choice, not a technical limitation: leave it as a flag for the security team to review, or let it drive enforcement automatically. The very next scenario shows exactly that — it uses this same classification tag to block a compromised endpoint from reaching an internal application. So the tag you just applied isn't the end of the story; it's the mechanism the next engagement is built on. That completes the engagement. Walk it back for SecondStorey's CIO, against everything they asked for. Catch an intruder the moment they probe the internal network — done, by FortiDeceptor, the instant a decoy is touched. No false alarms to chase — done, because a decoy has no legitimate use, so every hit is real. Cut the attacker off at the network automatically — done, by the FortiGate quarantine stitch, with no human in the loop. Reach the offending device itself — done, by the FortiSIEM–FortiSOAR–FortiClient chain that tags it for action. And a complete record to investigate afterwards — held in FortiAnalyzer and FortiSIEM. Last year, an intruder roamed Breachside for weeks. This time, they are caught, contained and identified before they take a second step. The trap doesn't sleep — which means the small team can! [PreviousUsing FortiSOAR to Tag a Endpoint](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/using-fortisoar-to-tag-a-endpoint) [NextTag-Driven ZTNA](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna) Last updated 14 days ago --- # Inspecting What Staff Upload — Everywhere They Work | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work.md) . **Customer Requirement** Some of our staff now work from home or the road at least half the week, and we've noticed they're downloading all sorts of content during the working day — supplier catalogues, customer-supplied scans, attachments from partner portals, images from search results and shared links. Most of it is legitimate work material, but some of it absolutely is not — and our existing web filtering only categorises websites, not the actual image content of what's being pulled down. We've had at least one incident where a staff member downloaded firearm imagery onto a company laptop from a public site that wasn't on any block list, and our HR team only found out two weeks later. We need to inspect images at the moment of download, work the same whether the user is in the office or at a coffee shop, and pick up any malicious files coming through before they hit the endpoint. On top of that, we've recently signed Hardline Tactical, a specialist tenant inside the mall that sells firearms accessories, body armour and field equipment to defence and law-enforcement customers. They have legitimate reason to download product photography of weapons every day — supplier catalogues, B2B inventory feeds, training materials. Every other tenant absolutely does not, and we'd like to know immediately if a fashion retailer or a coffee chain starts pulling that kind of content down, because it's almost certainly either a misclicked link or somebody using the wrong account. We expect to roll this out on a very large scale. **Products In-Scope** FortiProxy (FPX) FortiClient (FCT) FortiSandbox (FSA) FortiAnalyzer (FAZ) **Our Response** FortiProxy (FPX) is deployed as the explicit web proxy for all corporate web traffic. The Image Analysis profile runs FortiProxy's pre-trained visual content classifiers — categories like Weapons, Gambling, Drugs, Gore and Extremism, each with its own confidence threshold and Allow / Monitor / Deny action. Every image transferred through the proxy is scored against these categories at download time, and the action fires before the image lands in the user's browser. FortiClient (FCT), pushed to every tenant endpoint via EMS, is what makes the per-tenant policy actually work. The EMS server forwards the authenticated user identity to FortiProxy as each session establishes, so when a member of Hardline Tactical's staff downloads firearm imagery, FortiProxy sees the request tagged with their group membership and applies the permissive profile. The same user moving to a different desk, different floor or different mall site gets the same policy because the policy is keyed to _who they are_, not _where they're plugged in_. This also means FortiAnalyzer logs show real usernames and group membership rather than just IP addresses, which is what makes "tell me about Sarah's downloads" a one-click query rather than an IP-correlation exercise. FortiSandbox (FSA) handles file-based payloads. Any executable, document or archive being downloaded through FortiProxy is submitted to FortiSandbox for full detonation, and the verdict comes back inline so the download is blocked before the file reaches the endpoint if it turns out to be malicious. Sandbox verdicts are also fed back to FortiClient EMS, so if the same file hash later turns up on a colleague's machine via a different channel it's already a known-bad indicator. FortiAnalyzer (FAZ) collects logs from FortiProxy, FortiClient EMS, and FortiSandbox into a single place — image-classifier verdicts, OCR findings, sandbox detonations, and the user/device context behind each one are correlated against the same identity. As the rollout scales we add more FortiProxy nodes behind a load balancer and a second FortiSandbox for capacity, all reporting back to the same FortiAnalyzer cluster, so the SOC always has one place to search regardless of how the back end grows. Last updated 1 month ago --- # Classification Tags | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/classification-tags.md) . **Important!** This part of the scenario depends on you having already completed either [The Trap Inside the Walls](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls) or [Coaching, Then Consequences](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences) — we will use the Classification Tag you created in one of those scenarios. If you haven't done either yet, you can still read along to understand the concept, then come back once you have a tag to work with. So far, every tag you've used has been generated automatically by the device's own health. This page introduces the second kind — a tag that no health check could ever produce, because it represents a decision made elsewhere. This is the distinction the customer was most specific about, and now you'll see both types working together in a single policy. First, let's confirm you have a classification tag to work with. Log in to the shared FortiClient EMS instance. Log into the Shared [FortiClient EMS](https://10.222.101.40/) instance FortiClient is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance Username: FabricSolutionsLab Password: Fortinet1! Navigate to All Endpoints > Locate your Endpoint (Im using Pod47 as the example) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FPQ2fkLOOO7WrWs3QL945%252Fimage.png%3Falt%3Dmedia%26token%3D5cb80e2a-0f72-4e60-b01d-ba655308d695&width=768&dpr=3&quality=100&sign=892699a3&sv=2) As long as you completed one of the two prerequisite scenarios, you should see at least one Classification Tag on your device. Think back to where it came from: in [The Trap Inside the Walls](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls) , a FortiSOAR playbook reached into EMS and applied a tag to your endpoint after you tripped a decoy. That tag is still here. A health check on this device would show it as perfectly healthy — yet it carries a mark, placed by a SOAR platform, recording something that happened on the network that the device itself has no way of knowing. That is the whole point of a classification tag: it remembers what a posture check can't see. On the FortiGate FortiGate (Located inside Fabric Studio, right click it and access HTTPS Username: admin Password: fortinet4A!! Navigate to Policy & Objects > Firewall Policy Locate the LAN-to-DMZ rule you reviewed earlier and double-click it to edit. Scroll down to the security posture tag section, and add the classification tag (or tags) that your device holds. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FtSNqZsAxvQ0fFjZJdqfs%252Fimage.png%3Falt%3Dmedia%26token%3D65f036c1-f9f8-4d56-9c5f-6e35d4c0a55b&width=768&dpr=3&quality=100&sign=afd04498&sv=2) From this same view, you can also see live which endpoints currently hold which tags — posture and classification side by side. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FhW0yd4PnfUeoh3K6pWpI%252Fimage.png%3Falt%3Dmedia%26token%3Ddc6f9a3c-9d0d-4cf4-96de-194e1e628672&width=768&dpr=3&quality=100&sign=5dcaea83&sv=2) Here is the key move. On the FortiGate that resides inside your pod’s Fabric Studio, change the policy logic so it now requires both the “Win\_Calculator\_Running” posture tag and the classification tag together as the example below shows: ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FyX9zf4i9qcBrDLyj1kqv%252FCleanShot%25202026-06-15%2520at%252011%25E2%2580%25AF.37.35.png%3Falt%3Dmedia%26token%3D75a61cd2-0b29-4232-a1cf-66c4f995a81b&width=768&dpr=3&quality=100&sign=c05637f4&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F9RtIhCAX4Cat6081wnvp%252FCleanShot%25202026-06-15%2520at%252011%25E2%2580%25AF.37.51.png%3Falt%3Dmedia%26token%3D87f35456-ca2f-41bd-8e34-fd6003266b57&width=768&dpr=3&quality=100&sign=d56b634a&sv=2) In FortiClient EMS remove one of the tags (Dependent on what scenarios you have done) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FcLkxRltuJXvABQmS8cEu%252Fimage.png%3Falt%3Dmedia%26token%3Defaee825-83ae-4a18-adc9-dcfddb9eab88&width=768&dpr=3&quality=100&sign=a5b1e858&sv=2) With the policy now demanding both tags, your device must be both healthy and cleared to gain access. In the example, removing the FortiDeceptor\_Decoy\_Scanning classification tag — or requiring one the device doesn't have — immediately breaks the match. Even though Calculator is still running and the device is perfectly healthy, access to the StreetFork ordering site is withdrawn, because the second condition is no longer satisfied. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fq8ncVbVrNUIUgj4GigU2%252Fimage.png%3Falt%3Dmedia%26token%3Dcacd774f-7de3-4832-875a-9dde28b709ef&width=768&dpr=3&quality=100&sign=db83f622&sv=2) Stop and appreciate what that combination expresses. The posture tag says "this device is healthy right now." The classification tag says "this device has not been flagged for anything." Requiring both means access is granted only when the device is healthy and clear — and either condition, failing on its own, is enough to shut the door. A device compromised in the lateral-movement scenario could be running every required security process and still be denied, purely because of a tag a SOAR playbook placed on it. That is exactly the separation the customer asked for, enforced in a single firewall rule. Why have two kinds of tag at all? Because they answer two different questions. A Security Posture Tag answers "what is true on this device right now?" — something EMS can read directly by querying the endpoint. A Classification Tag answers "what do we know about this device that the device can't tell us itself?" — a verdict from a SOAR platform, a decision by IT, or a flag set by a third-party system via an API call. This is also why classification tags are so useful with non-Fortinet products and managed devices you can't directly query: the tag can be added or removed by an API call from almost anything. Posture for what the device knows; classification for what the organisation knows. That completes the engagement. Walk it back for StreetFood's CIO, against everything they asked for. Take device posture into account for sensitive applications, and cut access the instant it slips — done, with Security Posture Tags enforced in firewall policy and re-checked every 30 seconds. Make compliance something staff want — done, with the StreetFork discount site that simply stops working on an unhealthy device. Keep automatic posture tags and administrative classification tags clearly separate — done, two distinct tag types that a single policy can combine. And stay ready for Entra ID identity — done, with the SSOMA-to-FortiAuthenticator-to-FSSO path already built for when the rollout lands. One device, two kinds of trust — what it is, and what we know about it — and access granted only when both agree. [PreviousSecurity Posture Tags](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/security-posture-tags) [NextCIO & CTO Message](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/cio-and-cto-message) Last updated 14 days ago --- # FortiGate & FortiClient EMS | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/fortigate-and-forticlient-ems.md) . Before we watch posture control work, let's see how it's wired. In this step you will look at the firewall policy that demands a posture tag, and the EMS rule that grants or revokes it. This is the engine behind the whole scenario — once you see how the FortiGate and EMS talk to each other, the demonstration on the next page will make complete sense. On the FortiGate FortiGate (Located inside Fabric Studio, right click it and access HTTPS Username: admin Password: fortinet4A!! On the FortiGate, go to Security Fabric > Fabric Connectors and confirm that FortiClient EMS shows as Connected. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FER6uuTURpeBtygA5ovN4%252Fimage.png%3Falt%3Dmedia%26token%3D63d2c8e1-92f2-4744-b0b1-7a3a5031c6ee&width=768&dpr=3&quality=100&sign=9bec1842&sv=2) If it is not connected, configure FortiClient EMS as shown below. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FwRjWyfgcINTSoIeEpRow%252Fimage.png%3Falt%3Dmedia%26token%3D5c4ab23d-e8c3-488a-a69e-08f88b2dc6c5&width=768&dpr=3&quality=100&sign=7fe858ea&sv=2) Click the Authorize button ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fy2J2TlkxOhFCLoarojhU%252FCleanShot%25202026-07-03%2520at%25205%25E2%2580%25AF.00.52%25402x.png%3Falt%3Dmedia%26token%3D787a84db-ef5e-407f-809c-a8a9b972d244&width=768&dpr=3&quality=100&sign=51f155af&sv=2) After a few sections a side pannel will open on the right hand side asking you you accept the certificate click Accept ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FCt1gfmfIO3uL6bNafhDc%252FCleanShot%25202026-07-03%2520at%25205%25E2%2580%25AF.02.30%25402x.png%3Falt%3Dmedia%26token%3D2dabf1be-a6ce-4e29-a235-3cdcd09d17ef&width=768&dpr=3&quality=100&sign=478e2fdb&sv=2) This connector is the link that carries posture information. EMS knows the health of every endpoint; the FortiGate enforces access. The Fabric Connector is how one feeds the other — without it, the firewall would have no idea which devices are compliant. Now to go Security Fabric > External Connectors and make sure that you have an FSSO agent connection to FortiAuthenticator ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FAq7Emo4mLHNwX7veHRrt%252FCleanShot%25202026-06-15%2520at%252011%25E2%2580%25AF.28.59.png%3Falt%3Dmedia%26token%3D4d60ed54-87cd-474d-9ac1-96ec5674ee2b&width=768&dpr=3&quality=100&sign=49248370&sv=2) Now go to Policy & Objects > Firewall Policy. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FagG6mn3EryanImifdPxw%252Fimage.png%3Falt%3Dmedia%26token%3Df495bf9a-928d-40ce-8c21-5e444526b396&width=768&dpr=3&quality=100&sign=ec689be9&sv=2) You will see a LAN-to-DMZ rule: any source, any destination, all services. But look carefully at the conditions — the rule also requires a Security Posture Tag of Win\_Calculator\_Running to be present on the device. That single requirement changes everything. This is no longer a rule about where traffic comes from or where it's going; it's a rule about the health of the device sending it. If the tag is present, the policy matches and traffic flows. If the tag is absent, the policy does not match, and the device simply cannot reach the application. A quick word on what Win\_Calculator\_Running really stands for. In a real deployment, the posture check would be something like "is FortiDLP running?" or "is antivirus active?" — a genuine security control. In this lab we use the Windows Calculator process instead, for one simple reason: you can start and stop it on demand with a double-click. It lets you play the role of a device falling in and out of compliance, instantly and repeatably, without having to actually disable a security tool. Log into the Shared [FortiClient EMS](https://10.222.101.40/) instance FortiClient is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance Username: FabricSolutionsLab Password: Fortinet1! Navigate to Fabric & Connectors > Fabric Devices > Standalone Devices Please note this may have already been done for you, it depends if your pod has been used previously, but please check otherwise, it will cause issues with the scenario. Create a filter based on Serial Number and Paste in your FortiGate (Located Inside Fabric Studio) Serial Number ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FOmKTmWEHFpV1ofYzzKcW%252FCleanShot%25202026-07-03%2520at%25205%25E2%2580%25AF.08.26%25402x.png%3Falt%3Dmedia%26token%3D466fc556-4a21-4e37-8ee5-2b42990831f9&width=768&dpr=3&quality=100&sign=bdb456ce&sv=2) Approve it (Step 2 Screenshot) and Click the Edit Button (Step 3 Screenshot) Select all four Tag Types Being Shared boxes and click Update ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FA8qv1P2PjAKEsI95uEvG%252FCleanShot%25202026-07-03%2520at%25205%25E2%2580%25AF.10.12%25402x.png%3Falt%3Dmedia%26token%3D4f060921-122e-4ee0-bcdb-6b5ec3f6cf36&width=768&dpr=3&quality=100&sign=8ff43238&sv=2) Navigate to Security Posture Tags > Tags ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F83vVzq4KcBh3I9XQ71fS%252Fimage.png%3Falt%3Dmedia%26token%3D64eb0f9a-b2c5-4c7e-8087-1fabe6d51fc9&width=768&dpr=3&quality=100&sign=53c8a7fc&sv=2) It should look as above, click into the Win\_Calculator\_Running configuration ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F0mGPGcXYldXysfXbWOXv%252Fimage.png%3Falt%3Dmedia%26token%3Db5985425-859c-4f6a-ae0e-e8bd67463313&width=768&dpr=3&quality=100&sign=ed23aeb9&sv=2) The rule is deliberately simple: EMS is looking for the CalculatorApp.exe process to be running. When it is, the tag is applied to the endpoint; when it isn't, the tag is removed. In our configuration, the longest this sync can take is 30 seconds — a number worth remembering, because you will be watching for it on the next page. Now go to Security Posture Tags > Tags Monitor. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FiHweKdgjgDFly3R5Eg2k%252Fimage.png%3Falt%3Dmedia%26token%3D37111563-3a41-4fbd-bb05-db544fc53431&width=768&dpr=3&quality=100&sign=1f82bcca&sv=2) This view shows which tags are currently applied to which endpoints — posture, live, across the estate. Depending on when you look, it may be busy: this lab supports up to 50 attendees at once, so you could be seeing 50 different endpoints being tagged and untagged in real time. Pause on that for a second — that's 50 devices being continuously health-checked and enforced, with no administrator touching anything. That is what continuous posture assessment looks like at scale. [PreviousTag-Driven ZTNA](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna) [NextSecurity Posture Tags](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/security-posture-tags) Last updated 5 days ago --- # How does this scale? | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/how-does-this-scale.md) . The customer's requirement, as always, is that this scales. One store with a handful of decoys is easy to watch — but Breachside has many stores, and as more of them adopt FortiDeceptor, every decoy interaction across the whole mall needs to land in one place. That place is FortiSIEM. All decoy logs flow into it, and it automatically raises an incident for any successful RDP login to a decoy — turning raw events from dozens of stores into a single, ranked list of things that matter. This page also does one practical job: you will collect the FortiSIEM Incident ID that the next step (FortiSOAR) needs. Note it down before you move on. Log into the Shared [FortiSIEM](https://10.222.101.28/) instance FortiDeceptor is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance Userid: admin Organization: super Password: Fortinet1! If you navigate to Incidents ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FG9AqE052dAz4pXjgJJvW%252FScreenshot%25202026-06-02%2520at%25204.50.05%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Df21f6d00-84fb-4875-b996-d4519913e287&width=768&dpr=3&quality=100&sign=1c73691a&sv=2) Under Top Incidents, find the entry FortiDeceptor: Successful RDP Login to Decoy, and click the IP address 10.222.102.223. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fh1ZndYFPGcE4cm0KegZ9%252FScreenshot%25202026-06-02%2520at%25204.51.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Df3d43923-5866-416e-9c2c-ce936d86d67d&width=768&dpr=3&quality=100&sign=8fabf77d&sv=2) The incident detail is now on screen. Make a note of the **ID** — you'll need it on the FortiSOAR page coming up next. Also notice the **Honeypot Match Tag** that FortiSIEM has applied. It isn't used in this scenario, but it gives you a single place to review every source IP address that has hit that Honeypot. Now, where it says Related Incidents, click the number. This opens a submenu that tells the fuller story. It captures not just the RDP login, but your earlier probes too — the SCADA and VMware decoys you browsed over HTTP. Look at what FortiSIEM has done here: it has correlated three separate probes, across three different decoys, into one connected picture of a single attacker. That is the real value of a SIEM at scale. Any one event might be dismissed as noise; together, they are unmistakably an intruder working through the network. The small security team doesn't see three alerts to triage — they see one incident that says "this host is hostile". ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FHe9l0uSLYt79J2MbJ28k%252FScreenshot%25202026-06-02%2520at%25204.55.21%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D9c1355a3-8458-4a94-84a5-77ade0300761&width=768&dpr=3&quality=100&sign=4c05ae88&sv=2) This correlated incident is exactly what we hand to FortiSOAR next, where a playbook turns this knowledge into action. [PreviousWhats do we see and the response?](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/whats-do-we-see-and-the-response) [NextUsing FortiSOAR to Tag a Endpoint](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/using-fortisoar-to-tag-a-endpoint) Last updated 24 days ago --- # Evidence Review (FortiDLP) | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/evidence-review-fortidlp.md) . Step out of the insider's shoes and into the investigator's. Everything you just did was watched, recorded, and tagged — not by something sitting on the network, but by an agent on the device itself. In this step you'll review the evidence FortiDLP captured, and see just how complete that picture is. Log into your [FortiDLP](https://ftnt-fabric-cse.reveal.nextdlp.com/) instance: FortiDLP is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance. Username: fabriclab Password: Fortinet1!Fortinet1! Go to Incidents. Because this console is shared, set a filter for your computer name first — otherwise you'll see activity from every other attendee. Start typing your pod number and it will appear. Make sure you don't pick an archived instance, and that the name ends in -S (for the "Shopping" lab). For example, for Pod 47 you would select `Windows-Pod47-S`. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FIPqJjp54ZBLTVxt6mFLi%252FScreenshot%25202026-06-05%2520at%252010.27.12%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D07546d0a-0bf9-4948-a458-ac0e7599400f&width=768&dpr=3&quality=100&sign=6e78c08&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FUVejcFKuaLvzljNd8vhL%252Fimage.png%3Falt%3Dmedia%26token%3Dda2490d2-5c72-4e2e-87e4-6518d11a046e&width=768&dpr=3&quality=100&sign=da7f3240&sv=2) The FortiDLP console can take a short while to update, but you should then see two alerts. Click into the "ChatGPT.com accessed" alert. This opens a detailed overview showing every node that has violated this policy — not just yours — so spend a moment looking around. What you're seeing is a single policy, deployed once, catching the same risky behaviour across an entire estate of devices. That's the scale point: you are looking at every attendee's identical violation in one view, which is exactly how a real security team would see the same careless paste happening across hundreds of real employees. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FyUFLEYjZQ9TVMqtCStC0%252FScreenshot%25202026-06-05%2520at%252010.33.50%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D62b52c20-e79b-4315-b805-e6e1e0339d35&width=768&dpr=3&quality=100&sign=a79c2769&sv=2) When you're ready, scroll to the bottom of the page and click the incident that relates to your specific node. A sidebar will open on the right. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FeqffDkeR1qJRhTNduw7t%252FScreenshot%25202026-06-05%2520at%252010.34.31%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dd934ef70-1a88-46aa-91e8-e9a99a2a796b&width=768&dpr=3&quality=100&sign=52bc13cf&sv=2) This is where you can see exactly what actions were performed on the node, and what FortiDLP did in response. In our policy, we instructed it to present a pop-up to the user and capture their typed response for an administrator to review later — so the coaching message you saw, and whatever you typed into it, are both recorded here as evidence. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FnWWRSfHsSJQZYfdPqdB4%252FCleanShot%25202026-06-29%2520at%25201%25E2%2580%25AF.06.12.png%3Falt%3Dmedia%26token%3D98caa5c1-3954-4a2f-94c9-8bf24476923a&width=768&dpr=3&quality=100&sign=68b31df3&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FmR4Fwtl3BSXpxSfHzLS8%252FScreenshot%25202026-06-05%2520at%252010.35.30%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D913552fe-18e4-4f42-852f-56de07517ed8&width=768&dpr=3&quality=100&sign=df2bd0d8&sv=2) Now work through the other incidents the same way. Each is one piece of the sequence you performed: Sensitive content submitted on a generative AI website — the code-with-PII paste. Windows Remote Desktop session initiated by 10.254.254.254 — your login to the host. Screenshot taken — the Snipping Tool capture. Compressed file created — the zip you made for removal. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FfuLGRP1p72biakWZjyDV%252FScreenshot%25202026-06-05%2520at%252010.37.19%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D2847f811-b681-4396-87c3-ec01d2a931f5&width=768&dpr=3&quality=100&sign=adc83b13&sv=2) Look at what FortiDLP reconstructed: the login, the paste, the screenshot, the compression — the complete story of an insider preparing to take data out, each step tied to its MITRE ATT&CK technique. Right now these are separate incidents, but FortiDLP lets an analyst group related incidents into a single case — one container that holds the whole sequence, the captured evidence, the user and device details, and the MITRE mapping together. Instead of leaving four scattered alerts in a list, the analyst builds them into one record that tells the story in order. That case then becomes the single source of truth: it can be assigned to an investigator, annotated, tracked through to a decision, and handed to HR or Legal as a complete, timestamped account. This is the evidence chain the customer said they never had last time, when "by the time anyone joined the dots, they had already gone." Here, the dots can be joined — into one case — and the evidence is preserved before the person leaves. Side task, if you have time: build a filter for your pod, then find the Activity Feed. FortiDLP records far more than policy violations — it sees effectively everything the device does. If you've completed [Certificates at Scale](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale) , you'll even find the certificate installation from that scenario captured here. This is worth understanding honestly: the power of endpoint visibility is also a responsibility, and in a real deployment you'd scope and govern it carefully. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FXpgW6A4BVwlwvxzIcv3A%252FScreenshot%25202026-06-05%2520at%252010.38.58%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dec4c237d-2b65-4252-a6bf-cea5efa7f82b&width=768&dpr=3&quality=100&sign=4c5d4fe5&sv=2) [PreviousMischievous user! (Continued)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/mischievous-user-continued) [NextScaling (FortiSIEM)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/scaling-fortisiem) Last updated 1 day ago --- # Whats do we see and the response? | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/whats-do-we-see-and-the-response.md) . You tripped the trap; now see it through the defender's eyes. In this step you will watch FortiDeceptor record your every move, and then watch the network lock you out — automatically, without anyone lifting a finger. Still on the FortiDeceptor instance, go to Incident > Analysis. You should see your own probing activity, fully logged. Double-click one of the entries to open a detailed attack timeline — every step you took, reconstructed. To filter to just your own activity, use your attacker IP: 10.222.102. Remember, this is a shared instance, so you will see other attendees' probes here too — which is itself a small lesson. To the system, fifty attendees probing decoys looks like fifty intruders, each caught and contained independently. That is the scale story playing out live. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FuExwnnz5zOs5I7XC4zPW%252Fimage.png%3Falt%3Dmedia%26token%3D54b02070-ecc2-48f0-959e-0fc939b1f567&width=768&dpr=3&quality=100&sign=3caf376&sv=2) Look at what the timeline gives you: what was touched, from where, when, and how. This is the complete picture the customer asked for — the intelligence their last breach never produced, because nothing was watching the inside. Now go to Fabric > Quarantine Status. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FxJNZ6M41FJhI7XWQPPBy%252Fimage.png%3Falt%3Dmedia%26token%3Dc82727f7-ac62-4ec9-acc7-14373d341ad0&width=768&dpr=3&quality=100&sign=3a0f324a&sv=2) Quarantines have been issued towards the FortiGate — automatically, the instant you touched a decoy. No analyst reviewed it, no ticket was raised, no human approved it. The trap detected, and the Fabric responded. The last octet will differ for you, unless you were allocated Pod 47. As this is a shared instance, you will also see other attendees' quarantine entries. Now let's confirm the lockout on the enforcement device itself. Log into the Shared [FortiGate](https://10.222.101.31/) instance FortiGate is a shared resource across all attendees specifically for this scenario, and does not live inside your dedicated Fabric Studio instance Username: admin Password: Fortinet1! Navigate to Dashboard > Quarantine Monitor You should see a quarantine entry for your pod number, you will also see entries for other Pods ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FKuy12tAzYcgPbs0j95LX%252FScreenshot%25202026-06-02%2520at%25209.53.01%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Df30de45d-f0d2-4d35-a05e-00525055ca7b&width=768&dpr=3&quality=100&sign=d528438b&sv=2) This is worth understanding precisely, because it is not an ordinary firewall block. Any traffic crossing this firewall that matches the attacker's IP is null-routed — silently dropped at the kernel, before any policy is even evaluated. A firewall policy is a rule you write in advance for traffic you expect; a quarantine is an immediate, dynamic lockout of a specific host the moment it misbehaves. The attacker is not denied by a policy — they are erased from the network's map. Detection to network containment, start to finish, with no human in the loop. This is the network half of the response, and it is fully automatic. The next pages show the endpoint half — how the same event reaches all the way down to the offending device itself. [PreviousProbing the Decoys](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/probing-the-decoys) [NextHow does this scale?](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/how-does-this-scale) Last updated 24 days ago --- # Configure WebProxy Firefox | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/configure-webproxy-firefox.md) . The inspection path is built — now we send a user into it. In this step, you will take your seat inside PackTrack confirming the browser is pointed at the FortiProxy, so that every download travels towards FortiSandbox. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/configure-webproxy-firefox#using-fortipam-to-rdp-to-the-windows-host-inside-fabric-studio) Login your [FortiPAM](https://10.222.101.36/) instance **Username:** Pod**N** **N** = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 **Password:** Fortinet1! Navigate to Secrets select Shopping-Pod47\_Host\_Win11\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FrJfTZmDddBdMZCcYcSyx%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.46.52.png%3Falt%3Dmedia%26token%3D5b3af4f3-e15d-4070-8dc6-d7a31f2237fd&width=768&dpr=3&quality=100&sign=e07741e0&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FD6Etqm2PtyN9ymBMkuCS%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.47.05.png%3Falt%3Dmedia%26token%3Dc09b60a7-632b-473a-827b-371062f30671&width=768&dpr=3&quality=100&sign=cae8ca33&sv=2) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FUSOSlZNz7QXtVr4aNNhU%252FScreenshot%25202026-05-12%2520at%25201.01.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7dfb4cd8-07a9-45e8-a577-12038e82caad&width=768&dpr=3&quality=100&sign=5c97c024&sv=2) Once you arrive at the desktop, double-click the Firefox shortcut. Select the hamburger menu in the top right and click Settings. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FuffpYhLuncieGpC1saSl%252FScreenshot%25202026-05-26%2520at%25201.51.05%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D423470d4-8e92-422d-808a-b25a502139c4&width=768&dpr=3&quality=100&sign=cfdead77&sv=2) In the settings page, type "Proxy" into the search bar and click Configure Proxy. We have configured this for you — but please check that the settings match the screenshot below. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FzHgiK3hp69t95j3NIynY%252FCleanShot%25202026-06-29%2520at%252011%25E2%2580%25AF.43.10.png%3Falt%3Dmedia%26token%3Df747d7dc-4ae8-428c-ad8b-7ce24b1b463b&width=768&dpr=3&quality=100&sign=a85bc903&sv=2) Check the configuration matches and click ok. The address 10.222.101.27 is the explicit web proxy on the FortiProxy. You are instructing the browser to send all of its web traffic to FortiProxy — no agent, no network changes, just a browser setting. This is the classic Secure Web Gateway (SWG) pattern, and it is particularly useful for users you cannot install software on: contractors and third parties, for example, can be fully protected with nothing more than a proxy setting. (In a managed estate, you would push this setting centrally rather than configure each browser by hand.) Worth pausing on what this means for PackTrack: the staff member browsing from this machine has no idea any of this exists. No new software, nothing to click, nothing to learn. The protection lives in the path, not on the device. Firefox is now sending everything through the FortiProxy. Time to download some malware. [PreviousFortiProxy Configuration #2](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-configuration-2) [NextDownloading Malware (FPX)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/downloading-malware-fpx) Last updated 10 days ago --- # Mischievous user! | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/mischievous-user.md) . In this scenario you play the part of the developer who has handed in their notice — and decided to take some of CodeCraft's work with them. You'll paste sensitive code into ChatGPT, take a screenshot, and compress it for exfiltration. Watch how you are treated: not blocked outright, but coached in the moment. Every action you take is being recorded, and on the later pages you'll see how the Fabric assembles it all into a single picture. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/mischievous-user#using-fortipam-to-rdp-to-the-windows-host-inside-fabric-studio) Login your [FortiPAM](https://10.222.101.36/) instance **Username:** Pod**N** **N** = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 **Password:** Fortinet1! Navigate to Secrets select Shopping-Pod47\_Host\_Win11\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FrJfTZmDddBdMZCcYcSyx%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.46.52.png%3Falt%3Dmedia%26token%3D5b3af4f3-e15d-4070-8dc6-d7a31f2237fd&width=768&dpr=3&quality=100&sign=e07741e0&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FD6Etqm2PtyN9ymBMkuCS%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.47.05.png%3Falt%3Dmedia%26token%3Dc09b60a7-632b-473a-827b-371062f30671&width=768&dpr=3&quality=100&sign=cae8ca33&sv=2) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FUSOSlZNz7QXtVr4aNNhU%252FScreenshot%25202026-05-12%2520at%25201.01.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7dfb4cd8-07a9-45e8-a577-12038e82caad&width=768&dpr=3&quality=100&sign=5c97c024&sv=2) Once you arrive at the desktop, open Google Chrome. First, confirm the FortiDLP extension has installed correctly — you'll find it in the top-right corner, as shown below. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FJzZUarHH8mU2gZ0bRGYS%252FScreenshot%25202026-06-05%2520at%25209.40.55%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Df9e1f42b-96ef-4c5d-85ba-c7119d56ddf6&width=768&dpr=3&quality=100&sign=b579787a&sv=2) If the FortiDLP extension is not installed, tell the lab manager or instructor — there is little point continuing without it, as it's what observes your activity in the browser. Click the ChatGPT bookmark. After a short moment, a pop-up will appear — enter something into the Reason for violation text box and click OK. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FxDPgwq2Y61f8tVTyMmQI%252FScreenshot%25202026-06-05%2520at%25209.42.27%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Ddddb0b53-14cb-482f-ad7a-9fa815ff3f30&width=768&dpr=3&quality=100&sign=1d3d8ba3&sv=2) That pop-up is FortiDLP coaching you. The moment it detected you heading to a generative-AI site, it stepped in and asked you to acknowledge the company's AI usage policy — capturing your typed response as evidence. Notice what it did not do: block you. This is the "coaching" half of the scenario in action. Most users, gently reminded, will think twice. The ones who don't are exactly who the later stages are designed to catch. Of course, the policy pop-up is completely customizable. You can reference internal policies and documentation if you wish. Now paste the code below into the chat prompt. It's a simple Python for-loop — but look closely at what it contains: names, email addresses, and Social Security numbers. This is precisely the kind of data that should never be pasted into a public AI tool. Information has been provided in the Introduction Section on how to Copy & Paste using the FortiPAM web based RDP Session [FortiPAM - RDP](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/fortipam-rdp) Almost immediately, you'll receive a second pop-up — another policy violation, this time for the sensitive content itself. Enter something into the text box and click OK. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FvHRJpMtea5I5ubcUkITM%252FScreenshot%25202026-06-05%2520at%25209.44.13%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D57912756-c0ff-4bd3-861a-2cc5b24639f5&width=768&dpr=3&quality=100&sign=50c2df7f&sv=2) Two violations, two coaching prompts — one for visiting the AI site, one for the sensitive data you pasted. FortiDLP saw not just where you went, but what you tried to send, right down to the PII inside the code. That is the difference between network visibility and endpoint visibility: the firewall sees the destination; FortiDLP sees the content. Keep going — you're about to add the actions that turn careless into suspicious. [PreviousCoaching, Then Consequences](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences) [NextMischievous user! (Continued)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/mischievous-user-continued) Last updated 10 days ago Copy people = [\ {"name": "Alice Johnson", "email": "alice@example.com", "ssn": "000-12-3456"},\ {"name": "Bob Smith", "email": "bob@example.com", "ssn": "000-45-6789"},\ {"name": "Carol White", "email": "carol@example.com", "ssn": "000-78-9012"},\ ] for person in people: print(f"Name: {person['name']}") print(f"Email: {person['email']}") print(f"SSN: {person['ssn']}") print("-" * 30) --- # Automating (FortiSOAR) | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/automating-fortisoar.md) . This is the "consequences" half of the scenario. FortiSIEM decided this behaviour matters; FortiSOAR is what turns that decision into action. You'll follow the incident from FortiSIEM into FortiSOAR and run the playbook that tags the offending endpoint — the tag that a later scenario [Tag-Driven ZTNA](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna) uses to actually cut the user off. As before, you'll drive this by hand so you can see each step; in production it runs on its own. In a live deployment this entire path is automated end to end: FortiSIEM raises the incident, FortiSOAR ingests it and runs the playbook with no analyst involved. In the lab we do it manually, both so you can see exactly what each product contributes, and so we don't pull thousands of other attendees' incidents into one shared system. Think of it as watching, in slow motion, something that normally takes seconds. Log into the Shared [FortiSOAR](https://10.222.101.22/) instance FortiSOAR is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance. Use: Username: csadmin Password: Fortinet1! First, we manually ingest the specific incident that FortiSIEM raised. In the left-hand pane, go to Automation > Data Ingestion and find FortiSIEM. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FSgcXPqQ5KgCzI0Bpn9Ei%252Fimage.png%3Falt%3Dmedia%26token%3Dee73ad3a-d833-46cb-b8fc-c9f314491c96&width=768&dpr=3&quality=100&sign=ea8888cb&sv=2) Click Settings, then "Let's start by fetching some data". Change the Fetch Mode to "By Sample Incident ID" and enter the FortiSIEM Incident ID you noted on the previous page. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F1LCPT4FYFOpzHtm5hSs7%252Fimage.png%3Falt%3Dmedia%26token%3D1ca5d80c-c569-4976-818b-48983615aef7&width=768&dpr=3&quality=100&sign=384d200a&sv=2) Click Fetch Data and read through what comes back, so you can see what FortiSOAR is pulling across from FortiSIEM. Click "Save mapping and continue". When asked whether to schedule the ingestion, select "No", then click "Save Settings & Continue", and finally "Trigger Ingestion Now". With the incident now ingested, go to Incident Response > Alerts in the left-hand pane and find the alert matching the one you selected in FortiSIEM. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F5XtBXbIo2AlPZw9JKZyU%252Fimage.png%3Falt%3Dmedia%26token%3D04da476d-f5be-4a53-98e4-ff0af14e9cfa&width=768&dpr=3&quality=100&sign=9d776d4d&sv=2) Tip: you can filter by the FortiSIEM incident ID to find it quickly — in the example, entering 54206 in the top-right search box jumps straight to it. Click into the incident within FortiSOAR. You'll see that all the detail has been carried across from FortiSIEM — the events, the identity, the context — now assembled in one place ready to act on. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fe7cxViW3ENjJn6Dx8ZMJ%252Fimage.png%3Falt%3Dmedia%26token%3D25f0d7bc-66ce-456b-84ba-59387e050252&width=768&dpr=3&quality=100&sign=8f65f9a3&sv=2) Click into the incident within FortiSOAR, you will see that all the information has been pulled from FortiSIEM into FortiSOAR. Pause on what FortiSOAR adds. FortiSIEM decided something mattered; FortiSOAR decides what to do about it, and does it. In a real deployment its playbook would enrich the incident with identity, device, watch-list and HR status, then act — restrict the user, open a case with the full evidence chain, and notify the manager and SOC in a single message, all in seconds. For the most serious actions, a one-click human approval step can be inserted, so a person stays in the loop where it counts. You're about to run the key action by hand: tagging the endpoint. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FxmyNzFryTeToJq1chSvp%252Fimage.png%3Falt%3Dmedia%26token%3Dd4155572-4182-4a63-bd7f-f2601b08108b&width=768&dpr=3&quality=100&sign=9aee47e5&sv=2) Now confirm which endpoint you're dealing with. At the bottom, under Actions, type FortiClient until it pre-fills, select it, open the submenu, choose Get All Endpoints ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Ftq0Zm03eElBjcdmu5oUD%252Fimage.png%3Falt%3Dmedia%26token%3Da3a553e3-89b6-40e7-9243-f47cc3029285&width=768&dpr=3&quality=100&sign=f5ad7675&sv=2) Click Execute Action ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FFnxyFJEwE4PZotaWqEkK%252Fimage.png%3Falt%3Dmedia%26token%3D4c265a75-57e3-4767-a372-02c884d11c2a&width=768&dpr=3&quality=100&sign=5abc7e87&sv=2) The Results will be returned, click JSON, then press Ctrl + F on Windows or Cmd + F on Mac and search for your pod by typing Pod followed by your number — for example, Pod47. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FcjjVHyojG1ETsKPYRPhY%252Fimage.png%3Falt%3Dmedia%26token%3D42a84431-6820-4c57-b35a-40e44abee7bc&width=768&dpr=3&quality=100&sign=6043cf3e&sv=2) There will be hundreds of entries across all attendees, so this search jumps you straight to yours. Note down the device\_id for your pod — you'll need it in a moment — then click Close. This lookup is the join between two ways of naming the same machine: the incident identifies the user by their activity, while FortiClient EMS identifies the device by its device\_id. Matching the two is what an automated playbook does invisibly in production — here you do it by hand so you can see the link being made. Now, along the bottom, click Execute and select FortiClientEMS\_Add\_FortiDLP\_Tag. A pop-up will ask for the device\_id — enter it and click Execute. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Ffk3ubJUo6QWWuAZS9ceK%252Fimage.png%3Falt%3Dmedia%26token%3D464be867-4b73-4b7f-b4a1-d90f110bb82d&width=768&dpr=3&quality=100&sign=7ff6c7e6&sv=2) That playbook has now applied a FortiDLP incident tag to the offending endpoint in FortiClient EMS. That tag is the whole point of the "consequences" stage: it's the permanent mark that records this user crossed the line — and on the next page you'll confirm it landed. In the [Tag-Driven ZTNA](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna) , this same tag is what refuses the device access to protected applications. [PreviousScaling (FortiSIEM)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/scaling-fortisiem) [NextVerify FortiClient](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/verify-forticlient) Last updated 1 day ago --- # FortiGate (FGT) CSR Request | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-request.md) . Trust flows downwards. The FortiGate now asks to become a certificate authority in its own right — a subordinate CA, signed by Breachside's root. In this step, we generate the request; the signing happens in the next step. On the FortiGate navigate to System > Certificates in the top left-hand corner select Generate CSR. FortiGate (is located inside Fabric Studio: right click it and access using HTTPS): Username: admin Password: fortinet4A!! Where it says IP and Subject Alternative Name (SAN), you must replace the value with your unique Pod IP. This is always 10.237.10.x, where the last octet is your Pod number. Your Pod number is shown in the portal you used to access this lab guide. In the example below, we are using Pod 47. Please configure as below, ensure you change the information do not just copy the screenshot. **Certificate Name:** DPI\_SubCA **IP:** (i.e. 10.237.10.**N**) **SAN:** IP: (i.e. IP:10.237.10.**N**) where **N =** your unique pod number ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FFwgzFdlyiXJkSmqB9rz8%252FCleanShot%25202026-06-25%2520at%252011%25E2%2580%25AF.51.21.png%3Falt%3Dmedia%26token%3D2256d44c-790a-4785-9e91-70780b7a4f0f&width=768&dpr=3&quality=100&sign=f898b044&sv=2) A quick note on what you are filling in: the Common Name (CN) and SAN identify who this certificate belongs to. Browsers check these fields when deciding whether a certificate matches the device presenting it — which is why your Pod IP must be correct here, and why getting these fields right matters just as much in a real deployment. Click OK. You will be returned to the Certificates page, where the request you have just created will show in a pending state — pending because the certificate does not exist yet. A CSR is only a request: it must be signed by a certificate authority before it becomes a usable certificate. Select it and click Download. A file named DPI\_SubCA.csr will download to your machine. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F0mfhMZlAX9Qygs1DIoLm%252FCleanShot%25202026-06-29%2520at%252010%25E2%2580%25AF.34.06.png%3Falt%3Dmedia%26token%3D8ebd65f8-4c31-4641-8bdc-44fd426c7993&width=768&dpr=3&quality=100&sign=1cc4ff0d&sv=2) In the next step, we take this request to the FortiAuthenticator — Breachside's root CA — to be signed. [PreviousFortiGate (FGT) Remote CA Configuration](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-remote-ca-configuration) [NextFortiAuthenticator (FAC) CSR Approval](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortiauthenticator-fac-csr-approval) Last updated 1 day ago --- # Centralised Logging — DailyGrind | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/centralised-logging-dailygrind.md) . Every product in this scenario made a decision — FortiMail quarantined, FortiSandbox judged, the Fabric shared what it learned. This final step brings all of those decisions into one place, where DailyGrind's team can prove what happened and spot whether one email was a one-off or the start of a campaign. Login your [FortiAnalyzer](https://10.222.101.35/) instance Username: admin Password: Fortinet1! The FortiAnalyzer is shared between all attendees, but for this scenario you have your own ADOM — make sure you navigate into the one matching your Pod number. In the examples below, we are using Pod47. Go to Log View > Logs > Fortinet Logs (Tab), click FortiMail, and select the History tab. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FbM83EMmNfEbytPMEDhFr%252FScreenshot%25202026-06-04%2520at%252012.04.23%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Db259aa5c-51df-4e60-96f1-8c867ba85ace&width=768&dpr=3&quality=100&sign=ec159d&sv=2) This is the full delivery record — every message FortiMail handled for you, with the action it took on each. Both of your attacks are here, alongside the decision that stopped them. Now go to Log View > Logs, click FortiMail, and select the AntiVirus tab. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FfdySkCi89c92dvipTqFi%252FScreenshot%25202026-06-04%2520at%252012.00.36%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Debaf7271-3f8e-4828-820f-f47e116b6843&width=768&dpr=3&quality=100&sign=53d379ef&sv=2) Here is the attachment story: the files from your spoofed IT email, sent to the sandbox, and the verdicts that came back — including the WannaCry detection. This is the evidence a SOC analyst would attach to an incident report. Finally, go to Log View > Logs, click FortiMail, and select the Email Filter tab. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FzP5QcQ8HwBzQPDbKVPRy%252FScreenshot%25202026-06-04%2520at%252012.01.38%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dbbc945e0-0071-46d0-a3d9-92abf4560506&width=768&dpr=3&quality=100&sign=f1e1fa26&sv=2) [PreviousHow does this scale?](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/how-does-this-scale) [NextGuilty Until Detonated](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated) Last updated 14 days ago --- # FortiDeceptor Configuration | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/fortideceptor-configuration.md) . Before we spring the trap, let's look at how it's set. In this step you will review the decoys FortiDeceptor has planted across SecondStorey's network, and the integration that lets a tripped decoy reach out and quarantine the intruder. Nothing to configure — your job is to understand the trap before you walk into it yourself. Log into the Shared [FortiDeceptor](https://10.222.101.29/) instance FortiDeceptor is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance Username: admin Password: Fortinet1! Navigate to Deception > Decoy Status Because FortiDeceptor is shared, you do not need to make any configuration changes — it has all been done for you. Review and understand; don't modify. These are the decoys, already deployed to emulate the kinds of systems Breachside's stores actually run. Some stores use VMware and Windows RDP; others run SCADA systems — and both are live targets for attackers right now. Each decoy looks and behaves like a real production server, which is the whole point. Pause on why this works so well. A real server is busy — users log in, processes connect, legitimate traffic comes and goes, and picking an attacker out of that noise is hard. A decoy is the opposite: it has no legitimate users and no business purpose, so it should be completely silent. Any interaction at all is, by definition, someone who shouldn't be there. That is what gives deception its near-zero false-positive rate — there is no noise to filter, because the decoy should never be touched. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FFTrNjTNrHUqcap5YRCgc%252FScreenshot%25202026-06-02%2520at%25209.00.07%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dd063d654-a636-4306-8e0a-ac962dc01280&width=768&dpr=3&quality=100&sign=73d5202a&sv=2) Now go to Fabric > Quarantine Integration. You will see a Fabric upstream integration configured towards a FortiGate. This is not the FortiGate inside your Fabric Studio instance — it is a separate device dedicated to quarantining. The reason matters: if we quarantined the attacker on the same firewall that routes your lab environment, we would risk black-holing your own traffic. Using a separate enforcement device keeps the response clean. More on this when you see the quarantine take effect. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FsjEZZZGhP8EgHMFvV6K3%252FScreenshot%25202026-06-02%2520at%25209.04.32%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D65c47643-e359-45b1-97b6-833784ea5844&width=768&dpr=3&quality=100&sign=d5da8009&sv=2) Click Quarantine Integration with New Device and look at the list of supported vendors: Aruba, CrowdStrike, Cisco ISE, Palo Alto Networks, and a generic webhook for anything else. This is worth calling out in a real conversation — deception doesn't only contain through Fortinet. FortiDeceptor can trigger quarantine on a third-party network or endpoint estate too, which makes it a genuine fit for the mixed environments most customers actually have. For Breachside, with its patchwork of vendors from the post-breach scramble, that flexibility is the difference between protecting some stores and protecting all of them. The trap is set and wired to respond. Time to play the intruder and trip it. [PreviousThe Trap Inside the Walls](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls) [NextProbing the Decoys](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/probing-the-decoys) Last updated 24 days ago --- # Using FortiSOAR to Tag a Endpoint | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/using-fortisoar-to-tag-a-endpoint.md) . This is where the endpoint half of the response comes together. The network has already locked the attacker out. FortiSIEM has correlated your probes into a single incident and given you its ID. Now we follow that incident into FortiSOAR — the product that turns knowledge into action — and use it to reach all the way down to the offending device. You will drive this by hand so you can see every link in the chain. In production, this entire path is automated: FortiSIEM raises the incident, FortiSOAR ingests it and runs the playbook on its own, with no analyst involved. In the lab we do it manually, step by step, for two reasons — so you can see exactly what each product contributes, and so we don't pull thousands of other attendees' incidents into one shared system. Think of this as watching, in slow motion, something that normally happens in seconds. Log into the Shared [FortiSOAR](https://10.222.101.22/) instance FortiSOAR is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance Username: csadmin Password: Fortinet1! First, we manually ingest the specific incident that FortiSIEM raised when you probed the decoys. Go to Automation > Data Ingestion (left-hand pane) and find FortiSIEM. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FSgcXPqQ5KgCzI0Bpn9Ei%252Fimage.png%3Falt%3Dmedia%26token%3Dee73ad3a-d833-46cb-b8fc-c9f314491c96&width=768&dpr=3&quality=100&sign=ea8888cb&sv=2) Click Settings, then "Let's start by fetching some data". Change the Fetch Mode to "By Sample Incident ID" and enter the FortiSIEM Incident ID you noted on the previous page. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F1LCPT4FYFOpzHtm5hSs7%252Fimage.png%3Falt%3Dmedia%26token%3D1ca5d80c-c569-4976-818b-48983615aef7&width=768&dpr=3&quality=100&sign=384d200a&sv=2) Click Fetch Data, and read through the data that comes back so you can see what FortiSOAR is pulling in. Click "Save mapping and continue". When asked whether to schedule the ingestion, select "No", then click "Save Settings & Continue", and finally "Trigger Ingestion Now". With the incident now ingested, go to Incident Response > Alerts in the left-hand pane, find the alert matching the time and activity you generated — it should be near the top — and double-click it. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FgXSOag0bOl9Iwxkba3cs%252FScreenshot%25202026-06-02%2520at%25205.05.34%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D68f07a20-7638-4727-b05b-e0ef3f315709&width=768&dpr=3&quality=100&sign=c676ad4e&sv=2) Pause for a second on what just crossed between products. FortiSIEM watched the raw events, recognised the pattern of an attacker reaching a decoy, and raised one meaningful incident out of the noise. FortiSOAR has now pulled that incident in as an alert you can act on. This is the Fabric handing context from one specialist to the next — SIEM decides something matters, SOAR decides what to do about it. With the alert open, we first confirm which endpoint we are dealing with. At the bottom, under Actions, type FortiClient until it pre-fills, select it, open the submenu, choose Get All Endpoints, and click Execute Action. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FdFDE5wtsbcBzcypqxiXk%252FScreenshot%25202026-06-02%2520at%25205.07.44%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3De358122b-42bf-4f2e-a86b-68fac07c8a67&width=768&dpr=3&quality=100&sign=9d2efcc4&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FNF5coBFpX9KyeKszvX69%252FScreenshot%25202026-06-02%2520at%25205.09.59%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7a6db626-2fae-4a75-8dee-ad9f8dadc71a&width=768&dpr=3&quality=100&sign=10552e8c&sv=2) Click JSON, then press Ctrl + F on Windows or Cmd + F on Mac and search for your pod by typing Pod followed by your number — for example, Pod47. There will be many entries across all attendees, so this search jumps you straight to yours. Note down the device\_id for your pod — you will need it in a moment — then click Close. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FMOGjk66iNMb5RkN1NxPH%252FScreenshot%25202026-06-02%2520at%25205.12.32%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D89e95445-4067-42ea-916b-6cf232066176&width=768&dpr=3&quality=100&sign=a5ba9680&sv=2) Why look it up rather than have it filled in automatically? Because this is the join between two ways of identifying the same machine. The incident knows the attacker by network identity; FortiClient EMS knows it by device\_id. Matching the two is exactly what an automated playbook does invisibly in production — here you do that join by hand, which is why you search for it yourself. Now, along the bottom, click Execute and select FortiClientEMS\_Add\_DeceptorTag. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fj97jIKE42Wxm2922acvR%252FScreenshot%25202026-06-02%2520at%25205.14.13%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dc8f4e61d-60eb-4447-a23d-14356211d115&width=768&dpr=3&quality=100&sign=2f6b62f5&sv=2) A prompt will open asking for the device\_id you just noted — enter it and click Execute. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FY0v75zC9e8iVcNO2qCmQ%252FScreenshot%25202026-06-02%2520at%25205.16.12%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D599d507a-b7ec-4534-8fa5-1d5da330256e&width=768&dpr=3&quality=100&sign=475f336&sv=2) That playbook has now reached into FortiClient EMS and applied a tag to the offending endpoint. That tag is the pivot point of the whole endpoint response — on the next page you will confirm it landed, and look at what it can be made to trigger. Let's verify. [PreviousHow does this scale?](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/how-does-this-scale) [NextVerifying using FortiClient](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/verifying-using-forticlient) Last updated 27 days ago --- # FortiProxy Configuration | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work/fortiproxy-configuration.md) . Log into your [FortiProxy](https://10.222.101.27/) instance FortiProxy is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance Username: admin Password: fortinet4A!! Navigate to Content Analyses > Image Analysis double click the default profile As FortiProxy is a shared instance, you do not need to conduct any configuration it has been done for you! ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FyxWfx6owbNJgesBIwOKP%252FScreenshot%25202026-05-26%2520at%25201.42.11%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D95ef73c4-cad4-4d2a-b8aa-666af373b31c&width=768&dpr=3&quality=100&sign=844a23d&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F4NqR62JBb0kfDQfC3bbg%252FScreenshot%25202026-05-26%2520at%25201.42.51%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Df9fe9cdc-4dd7-48e9-adec-f5e379c422cb&width=768&dpr=3&quality=100&sign=3c3f9248&sv=2) Navigate to Policy & Objects > Policy there is a Content Analysis policy that is slighty more specific than the policy below it this is because another lab ([Fabric Solutions Lab - Original](https://fabriclab-tech.gitbook.io/fabric-lab) ) has a different scenario that uses the second rule. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FAXAWIMQaZIXmBfI1VgRc%252FScreenshot%25202026-05-26%2520at%25201.47.16%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3De99c83c4-984e-4ec7-8e7d-f70ec15fa220&width=768&dpr=3&quality=100&sign=c1b4faee&sv=2) Under Secuirty Profiles you can see we have matched the Content Analyses profile as you saw above. Last updated 1 month ago --- # FortiAuthenticator (FAC) CSR Approval | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortiauthenticator-fac-csr-approval.md) . Now we change hats. For this step, you are the certificate authority: the FortiGate's request lands on your desk, and you decide whether to sign it. This is the moment the firewall's sub-CA becomes part of Breachside's trust hierarchy. Login to the [FortiAuthenticator](https://10.222.101.26/) FortiAuthenticator is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance. Username: admin Password: Fortinet1! Go to Certificate Management > Certificate Authorities > Local CAs and select Import. Choose CSR to sign and fill in the details. Make sure you change the first part of the Certificate ID to include your unique Pod IP. Example Name: `10.237.10.47_DPI_SubCA` This naming step matters: because everyone shares this CA, your Pod IP is what separates your certificate from everyone else's. It is the same discipline a real estate needs — one CA, hundreds of certificates, and a naming convention that tells you instantly which device each one belongs to. Upload the .csr file you downloaded in the previous step, [FortiGate (FGT) CSR Request](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-request) . The example below shows how it should look: ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FNqPID3bsJHA4ZCpHcUbq%252FCleanShot%25202026-06-25%2520at%252011%25E2%2580%25AF.56.22.png%3Falt%3Dmedia%26token%3D99ba9512-f3ff-439e-b692-d788ebef9543&width=768&dpr=3&quality=100&sign=92f9f1a0&sv=2) Click Import. You will be returned to the Local CAs page. Select the Certificate ID you have just created and click Export Certificate. A .crt file will download to your local host. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FGBJs8J07Bd7ePs3SO5I7%252FScreenshot%25202026-05-11%2520at%252010.54.05%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D6f68a60f-ed7f-4b3d-b4c5-9faf24238961&width=768&dpr=3&quality=100&sign=a2cc893a&sv=2) During busy sessions, you will see many certificates in this list — this lab supports up to 50 attendees at once. Look at the list for a moment: every entry is another "store" going through the same enrolment you just completed. This is the scale point of the scenario, happening live in front of you. In the event of a duplicate name already being present that matches your assigned pod, just select it and click delete. [PreviousFortiGate (FGT) CSR Request](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-request) [NextFortiGate (FGT) CSR Import](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-import) Last updated 1 day ago --- # Tag-Driven ZTNA | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna.md) . This scenario can be conducted on its own. However, it benefits you having finished [The Trap Inside the Walls](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls) and/or [Coaching, Then Consequences](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences) sections as the second part of this scenario uses some Classification Tags that you created with FortiSOAR in the above scenarios. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F8ijJGk8mKTRASBWPlfSZ%252FScreenshot%25202026-06-10%2520at%252011.03.54%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D81dc6ba5-f815-46ea-b5a1-5c527dc92d7f&width=768&dpr=3&quality=100&sign=8a80bc6c&sv=2) When employees reach our sensitive internal applications, we want the device's security posture taken into account — and if that posture slips, if a device becomes non-compliant, access must be cut off immediately, not at the next login. We also want to make staying compliant something employees actually want to do. We've built an internal food-ordering site called StreetFork as a pilot: staff on a compliant device can browse and order at a staff discount. The moment their device falls out of compliance, the site stops working for them. We think that's a gentler nudge than a policy email — when the discount disappears, people will bring their laptop to IT to find out why. This is just the first pilot; we have many internal applications we'll want to protect this way, each keyed to different tags. We're also mid-rollout on Microsoft Entra ID, so the logged-in user identity is out of scope for now — but build the solution so it's ready to consume that identity automatically when the rollout completes. One design requirement is firm: we need a clear separation between tags generated automatically from real-time posture checks (is antivirus actually running right now?) and administrative tags assigned by IT or a SOAR platform for classification and grouping. Those are two different things, and the system must treat them differently **Products In-Scope** FortiClient & FortiClient EMS (FCT) FortiGate (FGT) FortiAuthenticator (FAC) **Our Response** This is Zero Trust Network Access in its truest form: access is not granted once at the door and then trusted forever — it is re-evaluated continuously, and revoked the instant the device stops meeting the bar. The customer's requirement breaks into three engineering problems: continuous posture evaluation, identity readiness, and a clean separation between two kinds of tag. Continuous posture, enforced at the firewall. Every employee laptop runs FortiClient (FCT), which reports its posture to FortiClient EMS every 30 seconds (configurable). EMS evaluates that telemetry against defined rules — for example, "is FortiDLP running?" — and applies or removes a Security Posture Tag accordingly. The FortiGate (FGT) in front of the protected application consumes those tags through its EMS Fabric Connector and references them directly in firewall policy: no tag, no match, no access. Because the tag is re-checked every cycle, a device that falls out of compliance loses access within 30 seconds at most — access ceases mid-session, not at the next login. This is the mechanism behind the customer's incentive scheme: the StreetFork staff-discount site is simply an internal application whose firewall policy requires a compliance tag. Identity-ready for Entra ID. Identity is out of scope for the pilot, but the design already accommodates it. FortiClient can query the logged-in user and domain and pass that identity, via the Single Sign-On Mobility Agent (SSOMA), to FortiAuthenticator (FAC). FortiAuthenticator then distributes it through Fortinet Single Sign-On (FSSO) to the FortiGate and other Fabric products. When the Entra ID rollout completes, policies can combine who the user is with how healthy their device is — without re-architecting anything. The hook is already in place. Two kinds of tag, deliberately separated. This is the design requirement the customer was most specific about, and the Fabric meets it natively with two distinct tag types. **Security Posture Tags:** are generated automatically by EMS from real-time endpoint checks — a process running, antivirus active, a patch level met. They are dynamic: applied and removed by the endpoint's actual state, with no human involved. **Classification Tags:** are assigned administratively — by the IT team, or by a SOAR playbook via an API call — to mark a device for reasons that can't be read from a live posture check. The tag a FortiSOAR playbook applied to a compromised endpoint in the Catching the Lateral Mover scenario is exactly this kind of tag. A firewall policy can require both at once — a live posture tag and an administrative classification tag — which is how an automatic health check and a human (or SOAR) decision combine into a single access rule. That separation isn't cosmetic: it's the difference between "this device is healthy right now" and "this device has been flagged by something a health check can't see". [PreviousVerifying using FortiClient](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/verifying-using-forticlient) [NextFortiGate & FortiClient EMS](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/fortigate-and-forticlient-ems) Last updated 14 days ago --- # FortiWeb (FWB) Results | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiweb-fwb-results.md) . You asked a question and got silence. The chatbot didn't crash, the database didn't refuse — something in between made a decision. Let's go and find the evidence. Back on the FortiWeb, go to Dashboard > Status and find the Attack Log widget. You should see one entry — provided you clicked the orange button! ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F9a1xAIVqP6eHqGuCasy9%252FScreenshot%25202026-05-21%2520at%25209.08.15%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D319a4c39-7c7c-459e-a602-f603c355d236&width=768&dpr=3&quality=100&sign=8dc01376&sv=2) Double-click the log entry for the full detail. FortiWeb blocked the request because the payload contained a raw SQL query — a `SELECT` statement — travelling inside the MCP message. That behaviour matches a known SQL injection signature, and the request was flagged and blocked automatically. Take a moment with this log, because it tells the whole story of the attack. The question typed into the chatbot looked like text, but the MCP request it produced was carrying a database command. If it had reached the MCP server, the server would have run it with the chatbot's full database privileges — and the attacker would have walked away with data the chatbot was never meant to reveal. Instead, the FortiWeb — sitting silently in the path, speaking MCP, checking every message against its signatures — stopped it before the database ever saw it. Worth noticing, too, what this didn't require: no changes to the chatbot, no changes to the MCP server, no agent on either host. The out-of-the-box MCP protections you reviewed two steps ago did this on their own. This log entry exists in one more place — and for FortiStores's plans to scale, that other place matters more. On to the FortiAnalyzer. [PreviousChatting to the Chatbot!](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/chatting-to-the-chatbot) [NextFortiADC (FAD) Configuration](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiadc-fad-configuration) Last updated 27 days ago --- # How does this scale? | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/how-does-this-scale.md) . DailyGrind's CIO asked for one more thing: when deeper analysis discovers something new, don't let that knowledge stay in one box. This page is where that requirement is met — and where a single email to one coffee shop becomes protection for the **entire estate**. Here is the idea. When FortiSandbox detonates a genuinely new threat — a zero-day with no existing signature — it does not just block that one file. It generates its own signature for the threat and stores it in its local database and that database can be shared. Many Fortinet products have a native Fabric connector to FortiSandbox, allowing them to consume those signatures and use them alongside the FortiGuard intelligence they already receive. The local engine catches what FortiGuard already knows; the FortiSandbox feed adds what your own environment has just discovered. Think about what that means for Breachside. WannaCry arrives in an email to DailyGrind. FortiSandbox judges it, generates a signature, and shares it. Minutes later, if the same file appears as a web download at PackTrack, the FortiProxy already knows it is malicious — without ever sending it to the sandbox. One detonation, and every connected product across the mall is now immune. The first store to be attacked protects all the others. Let's look at where this is configured across the stack. **FortiGate (FortiOS 8.0)** ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FbwoA5cedlhH8FXt5lmAJ%252Fimage.png%3Falt%3Dmedia%26token%3D9d8b137f-0705-46df-a026-a56a6d886c36&width=768&dpr=3&quality=100&sign=49e21de4&sv=2) On the FortiGate, the FortiSandbox connector lets the firewall pull verdicts from the sandbox database, complementing its own AntiVirus engine. A file crossing the firewall can be checked against everything the sandbox has learned. **FortiProxy (v8)** ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FtmEAvBh9uJTBjo4KmBuA%252FScreenshot%25202026-06-04%2520at%252011.16.27%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dcc2bd8ac-9681-4622-89dc-36bc24bf1167&width=768&dpr=3&quality=100&sign=4448f0c2&sv=2) The FortiProxy works the same way — the same sandbox intelligence you saw protect downloads in the Stopping Patient Zero scenario is enriched by every new verdict the sandbox generates. **FortiMail (v8)** ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FC3JG6EMj2N9jQvKckzOk%252FScreenshot%25202026-06-04%2520at%252011.22.39%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D4affac3b-535f-4386-872d-ffe922b4f86f&width=768&dpr=3&quality=100&sign=21653ce&sv=2) FortiMail is configured slightly differently, and it is worth understanding why. Instead of a "use the FortiSandbox database" toggle, you control the behaviour through the FortiSandbox integration itself. If you want FortiMail to rely on the sandbox database without submitting files, you instruct it not to pass files to the sandbox. FortiMail then understands that an integration exists, and whenever its local AV engine cannot match a signature, it makes an API call to check the FortiSandbox database before deciding. Same outcome, reached a different way. This is the Fabric working as one system rather than a set of separate products. Each appliance still does its own job, but they share what they learn — so the intelligence gathered at one store, in one product, raises the defences of every other. That is what "scale" really means here: not just more boxes, but boxes that get smarter together. [PreviousReviewing the logs](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/reviewing-the-logs) [NextCentralised Logging — DailyGrind](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/centralised-logging-dailygrind) Last updated 28 days ago --- # FortiAnalyzer (FAZ) Logs | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortianalyzer-faz-logs.md) . One FortiGate showed you one office. The customer has many sites, and their real question is whether this visibility holds together across all of them. It does — because every FortiGate forwards its logs to FortiAnalyzer, where the whole estate's AI activity is correlated into one view also enables centralised reporting. Login your [FortiAnalyzer](https://10.222.101.35/) instance Username: admin Password: Fortinet1! Be mindful that the FortiAnalyzer is shared between all attendees, but all your individual logs go into an ADOM. Once logged in, please ensure you navigate into the ADOM that matches your Pod number (like Pod47 below) Navigate to Dashboards > AI Access Visability ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FCfvxR6rPReOfENxeGYzu%252FScreenshot%25202026-05-12%2520at%25202.27.07%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Db361c074-d494-4af3-b7f6-9c0f077770b1&width=768&dpr=3&quality=100&sign=cffb28d1&sv=2) This is a dashboard that correlates AI activity across the whole ADOM — and remember, an ADOM can contain many FortiGates. So this single view isn't one firewall's data; it's every site's AI usage in one place. You can see how many users are using AI tools, how many different applications are in play, and — most importantly to the customer — any DLP violations across the estate. This is the answer to "how does it scale?". On the FortiGate you saw one office in detail. Here, that same detail is aggregated across every FortiGate reporting in — one office or one hundred, the dashboard looks the same and the question is answered the same way. A regional security lead doesn't log into forty firewalls; they open one dashboard and see AI usage across all forty. That is what makes this workable for a business the size of Breachside. For more detailed reporting, go to Log View > Custom Views, where several views have been pre-created for you. Each isolates one signal: 1. Application\_GenAI\_1Day shows any GenAI application detected by Application Control. 2. DLP\_GenAI\_1Day shows any DLP violation matching the expression we set — the 0123456789 pattern. 3. WebFilter\_GenAI\_1Day shows any GenAI usage caught by WebFilter, where the category is Artificial Intelligence Technology. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FcXNl0ieATBgoCG32k23O%252FScreenshot%25202026-05-12%2520at%25202.34.31%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dd1fd95ee-c64a-41da-8074-3c77167d2392&width=768&dpr=3&quality=100&sign=bdc68301&sv=2) Notice that three independent controls each catch AI usage from a different angle: Application Control by signature, WebFilter by site category, and DLP by content. That overlap is deliberate — if a brand-new AI tool has no application signature yet, WebFilter's category still catches it; if it slips the category, DLP still inspects what's being sent. Layered detection means a tool doesn't go unseen just because one method hasn't caught up with it. For a landscape that adds new AI services every week, that redundancy is exactly what keeps the visibility complete. That closes the engagement. Walk it back for InkPress's CIO, against everything they asked for. Know who is using which AI tool — done, by Application Control naming each model, with user and destination detail on the FortiGate dashboards. Catch sensitive data leaving — done, by DLP, demonstrated live and ready to switch from monitor to block. Cover staff in the office and working remotely — done, by the Always-On VPN that routes remote traffic through the same policy. And keep the door open to blocking specific models later — done, because the very signatures that monitor today can enforce tomorrow, with nothing new to deploy. The customer didn't want to ban AI. They wanted to see it clearly. Now they can — across every store in Breachside, from a single screen. [PreviousFortiGate (FGT) Reviewing Dashboards](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortigate-fgt-reviewing-dashboards) [NextCoaching, Then Consequences](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences) Last updated 1 day ago --- # Configuring a webproxy in Firefox | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work/configuring-a-webproxy-in-firefox.md) . Login your [FortiPAM](https://10.222.101.36/) instance Username: for example Pod47 Password: Fortinet1! Navigate to Secrets select Host\_Win11\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fn2m2Fyg7jDmbYggep8Gz%252FScreenshot%25202026-05-21%2520at%25202.11.12%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dd4fc9088-796a-4773-8388-c346282c57ba&width=768&dpr=3&quality=100&sign=d3e645f2&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FR0oo03Gwe4gwojUEBucs%252FScreenshot%25202026-05-12%2520at%25201.02.37%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D3a00220c-5652-4717-b02e-d26018825487&width=768&dpr=3&quality=100&sign=288e577d&sv=2) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FUSOSlZNz7QXtVr4aNNhU%252FScreenshot%25202026-05-12%2520at%25201.01.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7dfb4cd8-07a9-45e8-a577-12038e82caad&width=768&dpr=3&quality=100&sign=5c97c024&sv=2) Once you arrive at the desktop, double-click the Firefox shortcut located on the Desktop. Select the hamburger menu in the top right and click Setttings ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FuffpYhLuncieGpC1saSl%252FScreenshot%25202026-05-26%2520at%25201.51.05%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D423470d4-8e92-422d-808a-b25a502139c4&width=768&dpr=3&quality=100&sign=cfdead77&sv=2) In the menu that opens up there is a search bar type "Proxy" and click "Configure Proxy" ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FPw1ONZEb2IkL3rXz6fhi%252FScreenshot%25202026-05-26%2520at%25201.53.29%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D6683708f-c2b8-4c08-9d3c-6220592b44ed&width=768&dpr=3&quality=100&sign=bb94b7d7&sv=2) Configure as above and click ok. Please note 10.222.101.27 is the explicit web proxy configured on the FortiProxy. You're essentially instructing the browser to send all traffic towards FortiProxy, this can be extremely useful as a secure web gateway (SWG) where as a example contractors do not wish to have agents installed on their machines, but you still wish to secure them. Last updated 1 month ago --- # Security Posture Tags | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/security-posture-tags.md) . This is the page where it all comes to life. You are about to watch access appear and disappear in real time, driven entirely by the health of your device. Open the right process and the door opens; close it and the door shuts — automatically, within 30 seconds, with no one touching a firewall. Play with it. This is the kind of thing that makes a customer sit up in a demo. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/security-posture-tags#using-fortipam-to-rdp-to-the-windows-host-inside-fabric-studio) Login your [FortiPAM](https://10.222.101.36/) instance **Username:** Pod**N** **N** = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 **Password:** Fortinet1! Navigate to Secrets select Shopping-Pod47\_Host\_Win11\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FrJfTZmDddBdMZCcYcSyx%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.46.52.png%3Falt%3Dmedia%26token%3D5b3af4f3-e15d-4070-8dc6-d7a31f2237fd&width=768&dpr=3&quality=100&sign=e07741e0&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FD6Etqm2PtyN9ymBMkuCS%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.47.05.png%3Falt%3Dmedia%26token%3Dc09b60a7-632b-473a-827b-371062f30671&width=768&dpr=3&quality=100&sign=cae8ca33&sv=2) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FUSOSlZNz7QXtVr4aNNhU%252FScreenshot%25202026-05-12%2520at%25201.01.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7dfb4cd8-07a9-45e8-a577-12038e82caad&width=768&dpr=3&quality=100&sign=5c97c024&sv=2) Once you arrive at the desktop, in the bottom right corner find the FortiClient Shortcut right click it and select Open FortiClient Console ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FPZUpYKBlOfsWmUy9qh3S%252Fimage.png%3Falt%3Dmedia%26token%3D4592f62d-4e03-47a3-959f-72d980751674&width=768&dpr=3&quality=100&sign=124d512&sv=2) Confirm you see FortiClient — Connected, then click Admin. You will see the device currently has the security posture tag FortiDLP\_Running. Take note of which tags are present now — you are going to change them and watch what happens. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FTu23dKRVEuJVDLtUX9Pz%252Fimage.png%3Falt%3Dmedia%26token%3D6a49f4f7-b0a6-4419-9f16-4b52d08a28ba&width=768&dpr=3&quality=100&sign=562f52a7&sv=2) Let's confirm, first, that without the right tag there is no access. Open a command prompt and run: `ping 192.168.3.1 -t` ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F1ifkog1KIrCeLWTPnYPc%252Fimage.png%3Falt%3Dmedia%26token%3D71d99964-2db9-439c-8d0e-663b805743ca&width=768&dpr=3&quality=100&sign=3e49a1d8&sv=2) The ping to 192.168.3.1 — the StreetFork web server — times out. This isn't a network fault; it's the firewall policy doing its job. Your device doesn't currently have the Win\_Calculator\_Running tag, so the LAN-to-DMZ rule doesn't match, and your traffic never reaches the server. Leave this ping running — it's your live monitor. Watch what happens to it in a moment. Now open Google Chrome and click the Food Order bookmark — StreetFork's ordering site. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FdHkuiZqtjUFfrryU6pjd%252Fimage.png%3Falt%3Dmedia%26token%3D7d0411d8-a142-450e-9691-aed8e18c47b0&width=768&dpr=3&quality=100&sign=da734e26&sv=2) The page will not load. Same reason: no tag, no access. As far as StreetFork is concerned, your device isn't allowed to talk to it at all. Now for the moment that makes the scenario. Go back to the desktop and open Calculator. Then watch — within 30 seconds, two things happen on their own: ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FLm7unziJPYHTg6fGhRkt%252Fimage.png%3Falt%3Dmedia%26token%3D2e5fc3c0-3abb-4ca3-b434-04f4b02d692d&width=768&dpr=3&quality=100&sign=cdcbed37&sv=2) First, in the FortiClient window, the Win\_Calculator\_Running tag is assigned. FortiClient detected the process, reported it to EMS, EMS applied the tag, and the FortiGate now sees your device as compliant. Second, your ping to 192.168.3.1 — which has been timing out this whole time — suddenly starts to reply. Nothing on the network changed. The only thing that changed was your device's posture, and the firewall responded to it within one sync cycle. Go back to Chrome and reload the Food Order bookmark. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FBNWmCz3iPx7nK0rUnoSn%252Fimage.png%3Falt%3Dmedia%26token%3Dc78cd002-1373-4e39-b859-c62022990377&width=768&dpr=3&quality=100&sign=4890059&sv=2) StreetFork loads. Your device is compliant, the tag is present, the policy matches, and access is granted — the staff-discount ordering site is open for business. Sit with what you just saw. You never touched the firewall. You never logged in or out. You simply started a process, and access to an internal application followed your device's health automatically. That is the entire promise of posture-based ZTNA in one click — and it's exactly the customer's incentive scheme working: a healthy device gets the discount site; an unhealthy one doesn't. Now close the loop the other way. Restart the Windows host ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FmuAYHU2cxA4myHMM1NOM%252Fimage.png%3Falt%3Dmedia%26token%3D21655ba8-fc94-4ac6-a553-32c2c380428b&width=768&dpr=3&quality=100&sign=a561c67d&sv=2) Watch once more. As soon as the next 30-second sync happens, the Win\_Calculator\_Running tag is removed, the device is no longer compliant, and access to StreetFork is withdrawn — your ping starts timing out again, and the site stops loading. This is the requirement the customer cared about most: not access granted once and trusted forever, but access that's withdrawn the moment the device falls out of compliance, mid-session, with no login required. That's posture-based access in both directions — granted when healthy, revoked when not. On the next page, we add the second kind of tag: one that a health check can't see, carried over from another scenario. [PreviousFortiGate & FortiClient EMS](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/fortigate-and-forticlient-ems) [NextClassification Tags](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna/classification-tags) Last updated 10 days ago --- # The Threat in the Picture | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture.md) . ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FyFTEzcqlOHjE4KQCV27D%252FScreenshot%25202026-06-10%2520at%252011.07.18%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dfe3e4162-43d8-4d58-af9f-d14dc3401744&width=768&dpr=3&quality=100&sign=26980b08&sv=2) DailyGrind's staff are being hit by a wave of emails that our old email filter passes straight through: a short, polite message with a PDF attached — usually something like 'your MFA needs re-enrolling' — and inside the PDF is a QR code. To a filter, it's a clean email with a clean attachment; there is no link to inspect, because the link is hidden inside a picture. Staff scan the code with their phones, land on a phishing page, and type in their username and password. We need email security that actually opens these attachments, reads the QR codes, and judges where they point — before the mail ever reaches an inbox. If the URL is classified as phishing, quarantine the email. Secondly, staff are receiving carefully crafted emails that appear to come from our own IT department — sent from lookalike addresses such as [it@daily.grind.cafe](mailto:it@daily.grind.cafe) , one dot away from our real domain, dailygrind.cafe. They carry instructions and attached scripts, often sophisticated and zero-day — no known signature — so we need them passed somewhere for deeper analysis. And when that deeper analysis does discover something new, we don't want the intelligence to stay in one box. Share it with the rest of our stack **Products In-Scope** FortiMail (FML) FortiSandbox (FSA) FortiNDR (FNDR) FortiAnalyzer (FAZ) FortiGate (FGT) FortiProxy (FPX) **Our Response** Quishing — phishing by QR code — works because it moves the malicious link out of the email and into an image, and then moves the click off the protected laptop and onto a personal phone. Most mail filters inspect neither. Our design inspects both halves of the trick. FortiMail (FML) opens the attachments. It is configured to detect QR codes in message bodies and inside PDF attachments, extract the encoded URL, and check it against FortiGuard's web classification before delivery. A URL classified as phishing means the email is quarantined — the user never sees it, so there is nothing to scan. FortiNDR (FNDR) and FortiSandbox (FSA) handle the second wave: attachments with no known signature. The scan chain is tiered by cost. Files that FortiMail's local engine cannot judge go first to FortiNDR, whose neural-network analysis returns a verdict in under a second; only files that remain uncertain are escalated to FortiSandbox for full analysis — up to and including detonation in a sandboxed environment. Fast answers for most files, deep answers for the few that need it. Zero-day doesn't mean invisible; it just means nobody has watched it run yet. The intelligence is shared. When FortiSandbox identifies something new, it generates its own signature — and that database does not stay on the sandbox. FortiGate (FGT) and FortiProxy (FPX) can consume the FortiSandbox database directly through their Fabric connectors, complementing the FortiGuard signatures they already receive. A threat first seen in one email to DailyGrind becomes something the web proxy and the firewall recognise too. One detonation, estate-wide immunity. FortiAnalyzer (FAZ) holds the record: delivery history, QR extractions and classifications, NDR and Sandbox verdicts — one place to establish whether a single email was a one-off or part of a campaign hitting staff across multiple stores, and to hold the evidence for reporting. [PreviousCentralised Logging — FortiStore](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/centralised-logging-fortistore) [NextFortiMail](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/fortimail) Last updated 14 days ago --- # FortiADC (FAD) Configuration | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiadc-fad-configuration.md) . The chatbot is protected — now for FortiStores's second complaint: the website that falls over every Black Friday. One server doing all the work is a single point of failure and a bottleneck. The fix is to put a FortiADC in front and share the load. As with the FortiWeb, the configuration is already in place — your job here is to understand the design before you test it. On the FortiADC FortiADC is located inside Fabric Studio: right click it and access it using HTTPS Username: admin Password: fortinet4A!! **If you are asked to do any setup of the FortiADC, just click Skip/Cancel, until you reach the Dashboard**. The configuration has been done for you. Navigate to Server Load Balance > Virtual Server and review the configuration. The design in this scenario is deliberately simple. The FortiADC presents a single Virtual IP address — 192.168.2.100 — and this is the only address users ever see or need. Behind it, the FortiADC load balances TCP port 80 connections across two web servers, .2 and .3, using a round-robin algorithm: first connection to one server, next connection to the other, and so on. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FigVEoWAWk2V9x8WjdcNo%252FScreenshot%25202026-05-21%2520at%25201.56.31%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Df7e00abe-1e2d-4652-ace8-3193034133c3&width=768&dpr=3&quality=100&sign=75333016&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F40UYnkAckYUmZvUGICoP%252FCleanShot%25202026-06-22%2520at%252011%25E2%2580%25AF.18.50.png%3Falt%3Dmedia%26token%3Def9083ec-4b44-4d66-8031-e8ac6020f183&width=768&dpr=3&quality=100&sign=ef6150d8&sv=2) One design decision here is worth calling out: we are using Full NAT mode. The FortiADC translates both source and destination addresses, which guarantees that return traffic from the web servers has a valid path back through the FortiADC. The alternative would be making the FortiADC the default gateway of every web server — a change to every server's network configuration. With Full NAT, the web servers stay exactly as they are. This is the kind of detail that makes a solution easy to drop into a customer's existing network. Go to Server Load Balance > Real Server Pool and review the configuration Here you will find the two real servers behind the Virtual IP — .2 and .3 — hosting identical content. Both live inside your Fabric Studio instance, and they serve multiple purposes across this lab; both acting as webservers for FortiStore. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FElpePjDSsHGeGi9cmx3U%252FScreenshot%25202026-05-21%2520at%25202.05.44%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D97007487-b070-4b6e-9c27-441aca49cbd8&width=768&dpr=3&quality=100&sign=a31173d3&sv=2) And the scale story the customer asked about? This is one FortiADC and two servers — but the pattern is the answer. Need more capacity on Black Friday? Add real servers to the pool. Worried about the FortiADC itself? Deploy an HA pair. Rolling out to more stores? Each deployment reports into the same FortiAnalyzer you will visit shortly. The design grows; the architecture doesn't change. Next, let's prove the round-robin is actually working. [PreviousFortiWeb (FWB) Results](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiweb-fwb-results) [NextTesting the Load Balancing](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/testing-the-load-balancing) Last updated 1 day ago --- # Reviewing the logs | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/reviewing-the-logs.md) . Back to the defender's chair. You sent two attacks; FortiMail saw both. In this step, you will read exactly what it did with each one — the QR links it extracted and classified, and the script it detonated. On the FortiMail FortiMail (Located inside Fabric Studio, right click it and access HTTPS Username: admin Password: fortinet4A!! Navigate to Monitor > Log > AntiSpam (Tab) Find the first email you sent — the one with the PDF. Look at what FortiMail did: it opened the PDF, found the QR code, and extracted the URLs hidden inside it. Each URL has been given an independent FortiGuard classification. Because one of them (As below) is classified as Phishing, the email was quarantined — it never reached the staff inbox. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F5Ub6tiwWi6NLoYuV1so3%252FScreenshot%25202026-06-04%2520at%252010.33.18%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D52c25578-5e56-49ab-9ccd-a8483a2e72f8&width=768&dpr=3&quality=100&sign=849352d2&sv=2) Stop and appreciate what just happened. To DailyGrind's old filter, this was a clean PDF with no links in it. FortiMail looked inside the picture, read the destination the attacker was hiding, and made the call before delivery. The link the user would have scanned on their phone never got the chance. If you now navigate to the Antivirus Tab Here are the two attachments from your second email — the spoofed IT message. Both were sent to FortiSandbox for analysis. Look at the verdicts: one file, `MFAChecker.exe`, came back clean. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FF67GlH8ZjErpFDWRoohM%252FScreenshot%25202026-06-04%2520at%252010.37.14%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Db0d051b7-d4ab-4aec-b7a6-cdd699dfab21&width=768&dpr=3&quality=100&sign=acf88c24&sv=2) The other, MFAInstallScript.exe, came back malicious. Click it, and a panel opens on the right — take a closer look. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FPgky9AhmfHHAZYXVuXR8%252FScreenshot%25202026-06-04%2520at%252010.41.07%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D91a4a8fe-f223-44dc-b29f-2644400f06b7&width=768&dpr=3&quality=100&sign=be4746c0&sv=2) The verdict names the threat: W32/WannaCryptor!tr.ransom — WannaCry, one of the most damaging ransomware families ever seen. A name like "MFAInstallScript.exe", arriving in a message that looks like it came from IT, is exactly how a real user gets caught. FortiSandbox judged it on what it does, not what it claims to be, and quarantined it. You can confirm the quarantine by clicking the History Tab ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FqPrxRcx9k6VKWVGpAcQE%252FScreenshot%25202026-06-04%2520at%252010.43.24%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dc754fdf7-e32b-4e3d-9d4d-2f68777e7c31&width=768&dpr=3&quality=100&sign=34277ef9&sv=2) Two emails, two completely different attack techniques, both stopped before delivery. One inbox protected — and on the next page, we will see why that protection gets stronger every time any FortiSandbox, anywhere, sees something new. This scan chain also integrates FortiNDR, which applies neural-network analysis to deliver a sub-second verdict on unknown files ahead of full sandbox detonation. The routing between FortiNDR and FortiSandbox depends on file type and verdict confidence, so in this lab you will typically see files analysed directly by FortiSandbox. Both engines feed the same outcome: a definitive verdict before the email is delivered. [PreviousSending the Mail](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/sending-the-mail) [NextHow does this scale?](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/how-does-this-scale) Last updated 10 days ago --- # FortiMail | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/fortimail.md) . Before we send any phishing emails, let's look at the mail gateway that will be judging them. The configuration has been done for you — your job here is to update the appliance and understand the two profiles that do the work: one that reads QR codes, and one that sends unknowns to the sandbox. On the FortiMail: FortiMail (Located inside Fabric Studio, right click it and access it using HTTPS): Username: admin Password: fortinet4A!! Using the bar at the very top, open the CLI Console ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F7MZOFDys17Odx94uDKsw%252FScreenshot%25202026-06-03%2520at%252011.37.11%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D3b507e46-4e44-4b4b-a257-502765ea0b05&width=768&dpr=3&quality=100&sign=a34bc8ff&sv=2) When the console opens, type `execute update now` and press Enter. This pulls the latest updates from FortiGuard, so the appliance is judging your emails against current intelligence — exactly what you would do before putting a mail gateway into service. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fdi8q1vB1Q4u5Mj2gCikH%252FScreenshot%25202026-06-03%2520at%252011.38.41%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D432edc0b-aaa9-4b5f-ab5d-36917782864c&width=768&dpr=3&quality=100&sign=34e0b0aa&sv=2) Now let's review the configuration. Go to Policy > Recipient Policy. The configuration should match the screenshot below. In plain terms: any email addressed to [staff@dailygrind.cafe](mailto:staff@dailygrind.cafe) — DailyGrind's real domain — has the AntiSpam and AntiVirus profiles applied to it before delivery. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FEpPRX84bqRQQJbHx10T9%252FScreenshot%25202026-06-04%2520at%25208.40.58%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D86a5ef90-b0d8-4205-a864-1413f70b181a&width=768&dpr=3&quality=100&sign=48b102f7&sv=2) Click into each profile and review the settings, starting with AntiSpam. The key setting is at the bottom: Scan PDF attachment. This is what allows FortiMail to open a PDF and look inside it, rather than judging the attachment by its wrapper. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FQhV7rUBwnYKeGmJVUCyj%252FScreenshot%25202026-06-04%2520at%25208.52.18%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Df8707ddf-79d3-49b8-a67d-4c01351bfdc9&width=768&dpr=3&quality=100&sign=94ffe0d2&sv=2) Opening the PDF is only half the job — extracting URLs from QR codes found inside requires a few CLI commands, which have been applied for you: Read those three lines back, because they are the answer to DailyGrind's first complaint: scan QR codes, in inline images and attached images, and inside PDFs. The link the attacker hid inside a picture is now just another URL for FortiGuard to classify. Now the AntiVirus profile. The configuration here is deliberately simple: files without a local verdict are passed to either FortiNDR or FortiSandbox. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FOSpg1dMu7RGh1EF49gqw%252Fimage.png%3Falt%3Dmedia%26token%3D5fd54bcb-673d-4062-876f-11e16a429f0e&width=768&dpr=3&quality=100&sign=48aaafe0&sv=2) For demo purposes, we have disabled FortiMail's local FortiGuard-powered AntiVirus engine, to make sure every file genuinely travels to FortiSandbox in front of you. We found that the FortiSandboxs AV was doing its job a little too well — once a file had been seen once, the local signature database was updated, and subsequent files were blocked locally without ever visiting the sandbox! In production you would leave the local engine on: instant verdicts for known threats, sandbox analysis only for true unknowns. The gateway is updated, the QR scanner is armed, and the sandbox is connected. Time to write some phishing emails! [PreviousThe Threat in the Picture](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture) [NextSending the Mail](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/sending-the-mail) Last updated 1 day ago Copy config antispam settings set qr-code-url-scan-status enable set qr-code-url-scan-option inline-image attachment-image set qr-code-url-scan-pdf enable --- # FortiGate (FGT) Reviewing Dashboards | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortigate-fgt-reviewing-dashboards.md) . You generated the traffic; now see what the FortiGate made of it. This is where the customer's question — "who is using what?" — gets its answer, on screen, in a purpose-built AI dashboard. Then we'll drill into the DLP block you triggered. On the FortiGate: FortiGate (located inside Fabric Studio, right click it and access it using HTTPS): Username: admin Password: fortinet4A!! If you naviate to Dashboard > FortiView > AI Applications (Tab) New in this FortiOS Version 8 submenus are now tabbed, making it quicker to move between the different views. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FS92hGWB0hbZJHlS51Rz8%252FScreenshot%25202026-05-12%2520at%25202.18.29%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D8433646e-c25c-4773-8080-c2d4141395a5&width=768&dpr=3&quality=100&sign=65356360&sv=2) Here are the AI tools you opened on the Windows host, detected and listed. Look closer at Gemini: you can see the specific AI model that was identified, and if you double-click into it, you get further detail — the username used to log in to the tool (none, in our case) and the data-centre location the traffic was sent to. Pause on what this view delivers. The customer didn't ask "is AI being used?" — they already knew it was. They asked who is using what. This dashboard answers exactly that: not a vague "AI traffic detected", but the specific tool, the model, the user identity where available, and where in the world the data was sent. For a business worried about which models its staff are feeding, that destination and identity detail is the difference between a concern and a fact. Want to see the username captured too? You can log in to a tool using: Username: [fabricsolutionslab@gmail.com](mailto:fabricsolutionslab@gmail.com) Password: Fortinet1! Once logged in, the dashboard can tie the AI session to that identity — turning "someone on this device used Gemini" into "this account used Gemini" If you navigate across to the FortiView AI Use Cases Tab ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FeNlbaOvPIqOc8hAqmJBs%252FScreenshot%25202026-05-12%2520at%25202.21.02%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D9a8a069a-180a-4a71-9aa7-23f8e5f6d436&width=768&dpr=3&quality=100&sign=300cd602&sv=2) This groups activity by what the AI was used for — here, Conversational Assistants. Double-click in for the same depth: logged-in user, applications, data-centre location. The use-case view is useful when you care less about which brand of tool and more about what kind of work is being sent to AI. For the most granular view, go to Log & Report > Security Events and click the specific event type you want. For our example, open the Data Loss Prevention section. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fqn6woWQLE7UDLUsTA6du%252FScreenshot%25202026-05-12%2520at%25202.53.12%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D86dbf522-5e33-4dfe-978d-1c41f4f8b8f8&width=768&dpr=3&quality=100&sign=9d9fd576&sv=2) Remember the `0123456789` you typed into a chatbot, and the DLP profile we set to catch it? Here is the proof it worked — the prompt was matched and stopped, logged in full detail. This is the customer's data-protection requirement, demonstrated end to end: sensitive content identified inside an AI prompt, and acted upon. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fwnf19ArRaLJb1L3A0otK%252FScreenshot%25202026-05-12%2520at%25202.55.42%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D58bb7d26-ad38-4390-8256-a546d8ea8b3a&width=768&dpr=3&quality=100&sign=d45bdc3b&sv=2) That proves the capability on one FortiGate, watching one office. But the customer has many sites. How does this hold up across hundreds of them? That's the next page. [PreviousTesting Using Windows Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/testing-using-windows-host) [NextFortiAnalyzer (FAZ) Logs](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortianalyzer-faz-logs) Last updated 1 day ago --- # When Chatbots Go Rogue | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue.md) . ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FP1n2bwLvKhIaiC4YxfDX%252FScreenshot%25202026-06-10%2520at%252011.07.40%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D13a14390-7956-486d-b147-117cfe36e3d3&width=768&dpr=3&quality=100&sign=59512694&sv=2) FortiStore, our event space and flagship store, has built an AI chatbot. Customers use it to ask about event speakers and about products in the store. The chatbot is powered by a trained model, and it reaches our backend database through an MCP server. We have heard horror stories about MCP being exploited — attackers tricking chatbots into handing over data they should never reveal. We need a product that sits between the MCP client and the MCP server, sees every message that passes between them, and blocks anything malicious. The logs must go to a central analytics platform, because we expect to roll this out to other stores. One more thing. On high-volume days like Black Friday, FortiStore website becomes unusable. We want a load balancer in front of the web servers, distributing connections across multiple servers — and this must scale too. We can see a future with HA pairs of FortiADC across several deployments, so again: all logs in one central place. **Products In-Scope** FortiWeb (FWB) FortiAnalyzer (FAZ) FortiADC (FAD) **Our Response** AI chatbots create a new attack surface. The Model Context Protocol (MCP) is the channel a chatbot uses to reach real systems — in FortiStore case, the product and events database. That makes it powerful, and it makes it a target: if an attacker can smuggle a malicious instruction through the chat, the MCP server may execute it against the database with the chatbot's full privileges. The user types a question; the database receives an attack. Our answer is to put inspection directly in the path: 1. **FortiWeb as a true transparent proxy.** Using V-zones, the FortiWeb sits invisibly between the MCP client and the MCP server — no IP addressing changes, no application reconfiguration, and no way for traffic to route around it. Every MCP message is forced through the FortiWeb. 2. **Native MCP protection.** FortiWeb understands the MCP protocol itself. Its signature database and poisoning attack protection inspect each request — so an injection attempt hidden inside an innocent-looking chat question is detected and blocked before it ever reaches the database. The user simply never gets an answer; the attack never gets executed. 3. **FortiAnalyzer as the central brain.** Every FortiWeb event is sent to FortiAnalyzer. As FortiStore model rolls out to other Breachside stores, each new FortiWeb reports into the same platform — one place to see every blocked attack across the estate. For the Black Friday problem, we deploy **FortiADC** in front of the web servers, presenting a single virtual IP and distributing connections round-robin across multiple real servers. The design uses full NAT, which guarantees a valid return path for traffic _without_ making the FortiADC the default gateway of every web server — a small design decision that makes the solution far easier to drop into an existing network. FortiADC logs flow into the same FortiAnalyzer, so capacity and security are watched from one console. [PreviousFortiGate (FGT) CSR Import](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-import) [NextFortiWeb (FWB) Configuration Check](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiweb-fwb-configuration-check) Last updated 27 days ago --- # Who's Talking to the AI? | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai.md) . **Important!** This scenario has a pre-requisite: you must have completed the steps in [Certificates at Scale](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale) before. This ensures that we can really see inside the packets via deep-packet-inspection. If you have not already done that scenario, conduct it first. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FQYLUPzGumLrcIkONeNj7%252FScreenshot%25202026-06-10%2520at%252011.06.54%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Daaddf91b-69a8-451c-8f9c-a20e64c69fa7&width=768&dpr=3&quality=100&sign=d264e17d&sv=2) Half our workforce is already using ChatGPT, Gemini, Grok, Copilot and others. I need to know who is using what — and ideally to stop sensitive data leaving — whether staff are in the office or working remotely. To be clear: we do not want to block AI outright. For now, we just want to monitor it. We embrace the productivity AI brings, as long as it is controlled — though we do have concerns about a few specific models **Products In-Scope** FortiGate FortiClient FortiAnalyzer **Our Response** The customer's request is visibility first, control later — see who is using which AI tool, catch sensitive data on its way out, and keep the option to block specific models open without committing to it yet. The Fabric delivers this without deploying anything new, because the FortiGate already sees the traffic; it simply needs to be told what to look for. **Deep inspection makes AI traffic readable.** The FortiGates across the estate already perform deep packet inspection on traffic that crosses them — using the DPI certificate from the [Certificates at Scale](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale) scenario. Almost all AI traffic is encrypted, so without inspection the firewall would see only "a connection to openai.com", not what was sent. With it, the actual content becomes visible — which is what makes everything below possible. **Application Control identifies the specific tool.** FortiGuard's application signatures recognise individual AI services by name — ChatGPT, Gemini, Grok, Claude and thousands more — so the firewall reports not just "AI usage" but exactly which model each user reached. This is what answers the customer's concern about specific models: you can see them individually, and the same signatures that identify a model today can block it tomorrow, with no new architecture. **Data Loss Prevention catches sensitive content.** A DLP profile inspects what is actually typed into these tools and matches it against patterns — code secrets, PII, or a custom expression — in either monitor or block mode. FortiGuard also distributes maintained DLP pattern sets for specific data types and countries as a service, so the customer doesn't have to write the expressions themselves. The customer asked to monitor for now; DLP gives them the switch to enforce whenever they choose. **Always-On VPN extends the same policy to remote workers.** Staff working from home are covered by an Always-On VPN through FortiClient, which routes their traffic back through the same FortiGates. The in-office and remote experience are identical because the policy is identical — there is no gap for "I'll just do it from home". This directly answers the customer's "in-office or remote" requirement. **FortiGate dashboards and FortiAnalyzer provide the visibility.** The FortiGate's FortiView AI dashboards show AI usage live — by application, by user, by data-centre destination. All logs forward to FortiAnalyzer, where an AI-access dashboard correlates activity across every FortiGate in the estate, so the picture holds whether the customer has one site or hundreds. [PreviousCentralised Logging — PackTrack](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/centralised-logging-packtrack) [NextFortiGate (FGT) Configuration Check](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortigate-fgt-configuration-check) Last updated 14 days ago --- # Centralised Logging — FortiStore | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/centralised-logging-fortistore.md) . If you remember, the customer's requirement was that this must scale — FortiStore is the first deployment, not the last. Protection that works is only half the answer; the other half is being able to see every deployment from one place. That place is FortiAnalyzer. Login your [FortiAnalyzer](https://10.222.101.35/) instance Username: admin Password: Fortinet1! The FortiAnalyzer is shared between all attendees, but your logs are kept separate in your own ADOM. Once logged in, make sure you navigate into the ADOM that matches your Pod number — in the examples below, we are using Pod47. A quick word on ADOMs, because they are part of the scale story: an Administrative Domain is FortiAnalyzer's way of dividing one platform into isolated logical instances — separate devices, logs, and reports per domain. In this lab, one ADOM per attendee. In Breachside's future, the same mechanism could give every store its own view while the CIO and CTO keep sight of the whole estate — one platform, many tenants. Navigate to Log View > Logs > Fortinet Logs (Tab) > Click FortiWeb (Icon) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FeXTlfzKt3DK0mbFbCIie%252FScreenshot%25202026-05-21%2520at%25202.43.39%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7244c048-ca98-46b9-8331-dec8fb3c86eb&width=768&dpr=3&quality=100&sign=2894af1e&sv=2) There it is: the same MCP attack you triggered earlier, now sitting in the central platform. The FortiWeb saw the SQL injection inside the client–server MCP communication and blocked it — and FortiAnalyzer holds the record of the block that stopped someone obtaining far more information than they should have. When FortiStore's chatbot model rolls out to ten more stores, ten more FortiWebs report into this same view. Now click the FortiADC icon and select the Traffic tab — let's find the load-balancing logs. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FE2GbT9shdu40E1Aydxtw%252FScreenshot%25202026-05-21%2520at%25202.50.29%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7970b5e5-517a-43b3-8b72-dbb2bfb1b9af&width=768&dpr=3&quality=100&sign=a6dc676c&sv=2) And there are your balanced sessions. Here's a trick: add a filter for Real Server Name. You will see the traffic alternating between .2 and .3, connection by connection — your round-robin configuration, proven in the logs. That completes the engagement. Walk back through what FortiStore's CIO and CTO asked for: inspection between the MCP client and server, with anything malicious blocked — delivered by FortiWeb as a true transparent proxy, speaking MCP natively. A load balancer to survive Black Friday — delivered by FortiADC, round-robin across real servers, dropped in without touching the web servers. And everything visible in one central place, ready to scale — delivered by FortiAnalyzer, where you have just seen both products' logs side by side. Two very different problems; one Fabric, one console. [PreviousTesting the Load Balancing](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/testing-the-load-balancing) [NextThe Threat in the Picture](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture) Last updated 27 days ago --- # Testing Using Windows Host | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/testing-using-windows-host.md) . Now the fun part — you become the workforce. You'll open every major AI tool, send a few prompts, and then try to paste something sensitive. The FortiGate is watching all of it; on the next pages you'll see exactly what it captured. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/testing-using-windows-host#using-fortipam-to-rdp-to-the-windows-host-inside-fabric-studio) Login your [FortiPAM](https://10.222.101.36/) instance **Username:** Pod**N** **N** = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 **Password:** Fortinet1! Navigate to Secrets select Shopping-Pod47\_Host\_Win11\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FrJfTZmDddBdMZCcYcSyx%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.46.52.png%3Falt%3Dmedia%26token%3D5b3af4f3-e15d-4070-8dc6-d7a31f2237fd&width=768&dpr=3&quality=100&sign=e07741e0&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FD6Etqm2PtyN9ymBMkuCS%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.47.05.png%3Falt%3Dmedia%26token%3Dc09b60a7-632b-473a-827b-371062f30671&width=768&dpr=3&quality=100&sign=cae8ca33&sv=2) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FUSOSlZNz7QXtVr4aNNhU%252FScreenshot%25202026-05-12%2520at%25201.01.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7dfb4cd8-07a9-45e8-a577-12038e82caad&width=768&dpr=3&quality=100&sign=5c97c024&sv=2) This host is your seat inside InkPress, and its setup is the whole point. It sits behind the FortiGate, with its default gateway set to Port 2 of the firewall — so every packet it sends routes through the FortiGate and gets inspected. FortiClient is installed on it, and that's what delivered the DPI certificate from the [Certificates at Scale](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale) scenario, allowing the firewall to read its encrypted traffic. In other words: this machine cannot reach an AI tool without the FortiGate seeing it. Once you reach the desktop, double-click the Google Chrome shortcut. You'll see bookmarks for the various AI providers. One by one open them, and for each one enter a prompt of your choosing — just remember what you typed. (In the screenshots, we use "test prompt".) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FRWHZWDpkbPUtLx4Hm3gP%252FScreenshot%25202026-05-12%2520at%25202.01.22%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D9991764b-df6e-4d2a-8304-c67f99903d04&width=768&dpr=3&quality=100&sign=1c9adb9c&sv=2) Please note you may well receive a company violation pop-up from FortiDLP. This is used in one of the other scenarios, simply enter a reason and click OK ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FHasj7eDgdpLe2i2Ywn2R%252FCleanShot%25202026-06-15%2520at%252012%25E2%2580%25AF.57.35.png%3Falt%3Dmedia%26token%3Db5d8ee18-9015-4f37-859b-a074a0b21140&width=768&dpr=3&quality=100&sign=5d4ad78c&sv=2) You're now doing exactly what half the customer's workforce does every day — quietly using a spread of AI tools, with no thought given to whether anyone can see it. The difference is that here, everything you just typed crossed a FortiGate that was reading it. That's the shift from "we know people use AI" to "we know who used which tool, and what they sent". Now click the ChatGPT tab Occasionally, ChatGPT gets rather busy and they restrict access to only logged-in users. If you encounter this, just click the log-in button and use SSO to login via the Google account and, in the prompt, enter the magic number 0123456789. As you'll see, it's blocked. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FXgumVUNZIhTuFPTTFTVu%252FScreenshot%25202026-05-12%2520at%25202.50.23%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D715d9ba9-15d5-49ac-be99-7df63f4fe804&width=768&dpr=3&quality=100&sign=7ab41ed5&sv=2) That block is DLP doing its job. Remember, 0123456789 stands in for real sensitive data — a code secret, a customer record, a card number. In monitor mode, the firewall would have logged this and let it through; here it's set to block, so the moment the pattern appeared in your prompt, the FortiGate stopped it before it reached the AI service. The customer asked only to monitor for now — but you've just proven the block is one setting away whenever they want it. That's both halves demonstrated: ordinary AI usage that's now fully visible, and a sensitive-data paste that's caught in the act. Let's switch to the FortiGate and see how it all looks from the other side. [PreviousFortiGate (FGT) Configuration Check](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortigate-fgt-configuration-check) [NextFortiGate (FGT) Reviewing Dashboards](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortigate-fgt-reviewing-dashboards) Last updated 10 days ago --- # FortiProxy Configuration #2 | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-configuration-2.md) . One more piece of the picture: the AntiVirus profile. This is where FortiProxy is told what to do with the files it extracts from web traffic — and in our case, the answer is "send them to the sandbox". Go to Security Profiles > AntiVirus. You will find a profile called AV\_FortiSandbox — double-click it. You dont need to make any configuration changes, just review the contents. What you are looking at is the link between the proxy and the verdict. When a download passes through FortiProxy, the file is extracted from the traffic stream and handed to this profile. With FortiSandbox inline scanning enabled here, the profile forwards the file for analysis and holds the download until the verdict returns — the mechanism you read about on the previous page, switched on in one screen. In a production deployment, this profile is also where defence-in-depth lives: the local AV engine gives an instant signature verdict on known malware, and only files that pass it — the unknowns — are sent on to the sandbox. Known-bad is blocked in microseconds; never-seen-before gets detonated. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FcYAmtD3ckfWXqignqD8f%252FScreenshot%25202026-05-27%2520at%252011.18.17%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D05d7c349-c765-4b4d-8694-2ab54667c746&width=768&dpr=3&quality=100&sign=72ff994a&sv=2) In this lab, we have deliberately disabled the local FortiProxy AV engine, so that every file is passed to FortiSandbox and you can watch the inline verdict process happen. This is not the recommended production configuration — in the real world, you would keep the local engine on and let the Sandbox handle only what the engine cannot judge. That's the full path configured: browser → FortiProxy → AV profile → FortiSandbox → Verdict → Release or Block. Now we need a browser to send traffic into it. [PreviousFortiProxy Configuration](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-configuration) [NextConfigure WebProxy Firefox](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/configure-webproxy-firefox) Last updated 14 days ago --- # Chatting to the Chatbot! | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/chatting-to-the-chatbot.md) . Time to play the customer — and then the attacker. In this step, you will talk to FortiStore's chatbot like a genuine shopper, and then try the question that should never be answered. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/chatting-to-the-chatbot#using-fortipam-to-rdp-to-the-windows-host-inside-fabric-studio) Login your [FortiPAM](https://10.222.101.36/) instance **Username:** Pod**N** **N** = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 **Password:** Fortinet1! Navigate to Secrets select Shopping-PodN\_Host\_Win11\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FrJfTZmDddBdMZCcYcSyx%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.46.52.png%3Falt%3Dmedia%26token%3D5b3af4f3-e15d-4070-8dc6-d7a31f2237fd&width=768&dpr=3&quality=100&sign=e07741e0&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FD6Etqm2PtyN9ymBMkuCS%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.47.05.png%3Falt%3Dmedia%26token%3Dc09b60a7-632b-473a-827b-371062f30671&width=768&dpr=3&quality=100&sign=cae8ca33&sv=2) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FUSOSlZNz7QXtVr4aNNhU%252FScreenshot%25202026-05-12%2520at%25201.01.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7dfb4cd8-07a9-45e8-a577-12038e82caad&width=768&dpr=3&quality=100&sign=5c97c024&sv=2) This Windows host is your seat inside FortiStore — everything you do from here, you are doing as a user on the store network. Once you arrive at the desktop, double-click the Google Chrome shortcut. We have pre-populated some bookmarks for you — click "ChatBot". Interact with the bot. At the bottom, we have pre-populated some common questions — the kind a genuine customer would ask about events and products. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FNXsv9zs6DnqDFEQyM4vj%252Fimage.png%3Falt%3Dmedia%26token%3D195f27ed-0fb4-458f-be9f-32412b2889ea&width=768&dpr=3&quality=100&sign=535daab4&sv=2) Answers can take between 5 and 60 seconds. We are running a local LLM without a GPU — please be patient with it and just ask one question at a time! Notice what is happening underneath each answer: your question goes to the chatbot, the chatbot uses MCP to query the backend database, and the answer comes back through the same path. Every one of those MCP messages is silently crossing the FortiWeb you inserted in the previous step. One of the pre-populated options is highlighted in orange. That one is an attack. Click it, and you will notice something different: you never get an answer.... The question reached the chatbot — but the MCP request it generated never reached the database. Let's go and find out why. Challenge anyone that wants to go off script and wants to ask the questions yourself, you're fine to do this. If you find that you're able to successfully conduct a prompt injection where you do not get a response to the question asked, and in the logs of FortiWeb &/Or FortiAnalyzer sees your prompt as a attack let the instructor know! [PreviousFortiWeb (FWB) Configuration Check](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiweb-fwb-configuration-check) [NextFortiWeb (FWB) Results](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiweb-fwb-results) Last updated 14 days ago --- # FortiGate (FGT) Configuration Check | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortigate-fgt-configuration-check.md) . Before we monitor any AI usage, let's confirm the FortiGate is set up to see it. Three things have to be in place: deep inspection to read encrypted traffic, the security profiles that identify AI tools and catch sensitive data, and current FortiGuard signatures. You'll check each one. Nothing to build — this is about understanding what makes the monitoring possible. On the FortiGate navigate to System > Security Profiles > SSL/SSH Inspection FortiGate (located inside Fabric Studio, right click it and access it using HTTPS): Username: admin Password: fortinet4A!! ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FstbBRYKG61vqP30WNAzH%252FScreenshot%25202026-05-12%2520at%252012.21.53%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D4f370b35-618c-4763-908b-9c1d46460256&width=768&dpr=3&quality=100&sign=83282538&sv=2) Open the deep-inspection-lab profile. Check the configuration matches the screenshot, and confirm it is using the `DPI_SubCA` certificate you created in the [Certificates at Scale](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale) scenario. This is why Certificates at Scale is a prerequisite. AI traffic is encrypted — without deep inspection, the FortiGate sees only that someone connected to a service, not what they sent. The DPI certificate is what lets the firewall open that traffic and read the prompt inside. No deep inspection, no visibility — everything else on this page depends on it. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F4t8CAIXl5nMC4ck5lT6h%252FScreenshot%25202026-05-12%2520at%252012.23.05%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D60045441-7d82-4141-b0c8-b23f2079033a&width=768&dpr=3&quality=100&sign=3e47e0ce&sv=2) If you change anything, click OK. Now, in the left-hand pane, go to Policy & Objects > Firewall Policy. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FNm6SLakwXmUiPAdRzcse%252FCleanShot%25202026-06-15%2520at%252012%25E2%2580%25AF.49.58.png%3Falt%3Dmedia%26token%3D7313a73b-c097-4b67-ad1d-941fc5e003e0&width=768&dpr=3&quality=100&sign=d0932d8b&sv=2) Ensure that the Disable Me! policy is disabled. If it isn’t, then disable it! ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FhdrSZtvNq3NmHIKwB5fS%252FScreenshot%25202026-05-12%2520at%252012.28.07%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D95d6c1ad-2a45-4ee5-85b0-0ba0a8dffa27&width=768&dpr=3&quality=100&sign=ecc4449a&sv=2) Confirm that WebFilter, Application Control and the DLP Profile are all enabled on the policy, and that the correct SSL Inspection profile is selected. These three profiles each answer a different part of the customer's request: Application Control identifies which AI tool is being used, WebFilter recognises AI sites by category, and DLP inspects what is being typed into them. Click OK if you needed to make any change. Now, using the top bar, open the CLI Console in the top right. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F7S5hLyZg3GQI8daxigdU%252FScreenshot%25202026-05-12%2520at%252012.17.25%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D07b28aa8-2952-44ae-b870-134384981d2d&width=768&dpr=3&quality=100&sign=5831977a&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F50i2afctmdFYFEDv3fi6%252FScreenshot%25202026-05-12%2520at%252012.19.18%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dcaaff67c-78c8-414a-89dc-52df836b070b&width=768&dpr=3&quality=100&sign=d7f866a7&sv=2) If you want some extra debug commands to see exactly what is happening you can use the below diagnose debug application update -1 diagnose debug console timestamp enable diagnose debug enable In the console, type `execute update-now` and press Enter. This pulls the latest signatures from FortiGuard. After 3–5 minutes, go to Security Profiles > Application Signatures — the count should be 3200 or more. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FXjja1V512S53ap1krP3J%252FScreenshot%25202026-05-12%2520at%252012.32.33%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D4a04e5b6-8d49-46c6-9969-1c8188d85313&width=768&dpr=3&quality=100&sign=5bf3d50a&sv=2) To be certain the AI signatures are present, type into the search box: `chatgpt, grok, claude, gemini.` You should see a signature for each. This is the heart of how the FortiGate tells AI tools apart. FortiGuard maintains signatures for thousands of applications, including individual AI services — so the firewall doesn't just report "AI traffic", it names the exact model: ChatGPT, Grok, Claude, Gemini. That precision is what answers the customer's concern about specific models. Today it powers monitoring; the very same signature can later be used to block a model, with nothing new to deploy. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FJspjGt79mdtVUEHRRYfG%252FScreenshot%25202026-05-12%2520at%252012.35.35%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D1e5f3bc1-59cc-413d-9bac-4ae1363cc331&width=768&dpr=3&quality=100&sign=f0511881&sv=2) Do not proceed unless you have these signatures — the rest of the scenario depends on them. Now for the data-protection requirement. Go to Security Profiles > Data Loss Prevention and look through the configuration. You'll see we've created a regular-expression match on 0123456789. That simple number is a stand-in. In a real deployment, the DLP profile matches genuinely sensitive patterns — code secrets, credit-card or PII formats, and so on. We use 0123456789 in the lab purely so you can trigger DLP on demand, by typing it into a chatbot, without having to paste anything actually sensitive. Wherever you see that number, read it as "a piece of sensitive data". ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fska7ABapeECK2EpmhQ4L%252FScreenshot%25202026-05-12%2520at%25202.43.59%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Deaf8bf07-ed71-48ba-9dce-5daf5a24c5b6&width=768&dpr=3&quality=100&sign=baa4d86c&sv=2) FortiGuard also distributes maintained DLP pattern sets for specific data types and countries as a service, so you don't have to write these expressions yourself — they're applied the same way you see here. The customer asked to monitor for now, but this is the exact control that switches from monitoring to blocking when they're ready. [PreviousWho's Talking to the AI?](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai) [NextTesting Using Windows Host](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/testing-using-windows-host) Last updated 1 day ago --- # Guilty Until Detonated | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated.md) . ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FSL5opzvGYaymqPVGbhEC%252FScreenshot%25202026-06-10%2520at%252011.04.22%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Df88840ec-f6e0-432e-906a-1d5d5017b899&width=768&dpr=3&quality=100&sign=43104171&sv=2) Staff at PackTrack — and across our tenant stores — download software constantly during the working day: POS helper apps, supplier-portal browser extensions, label printer drivers, freight tracker utilities, plugins for the various B2B systems each tenant uses. Most of it is harmless. But we have been hit twice in the last year by malicious bundled software that got past our web filtering, because the host site was not on any block list and did not sit in a suspicious category. Our endpoint antivirus did catch it eventually — but by then the file had been on the machine for hours, and in one case it had already reached out to a command-and-control server. We need every executable, installer and archive inspected at the moment of download, with a definitive verdict before the file reaches the user's machine — and that has to include zero-day threats. We expect to roll this out at very large scale, and we want all of the activity visible in one place. **Products In-Scope** FortiProxy (FPX) FortiClient (FCT) FortiSandbox (FSA) FortiAnalyzer (FAZ) **Our Response** The customer's two incidents share one root cause: their controls gave a verdict _after_ delivery. Reputation filtering judges the website, not the file — and a clean site can serve a poisoned installer. Endpoint AV judges the file, but only once it has already arrived. The gap between download and detection is where both breaches lived. Our design closes that gap: no verdict, no file. **FortiProxy** is deployed as the explicit web proxy for corporate web traffic. It extracts files matching executable, installer and archive types and holds them at the proxy while a verdict is obtained. With inline scanning, the file is released to the user only after it has been judged clean — if it is malicious, the user receives a clear block page instead, and the file never touches the endpoint. SSL deep inspection is enabled, so downloads over HTTPS — which today is essentially everything — pass through the same inspection path. **FortiSandbox** delivers the verdict. Genuinely unknown files are detonated in a sacrificial VM matching the target operating system, while FortiSandbox watches what they actually do: registry writes, network callbacks, dropped files, process injection, persistence attempts. This is what makes the design zero-day-capable — it judges behaviour, not signatures. Every verdict is stored against the file's hash, so the next time anyone in the estate meets the same file, the answer comes back in milliseconds. The user-visible wait only ever applies to genuinely first-seen files. **FortiClient**, managed by EMS, extends the same protection to the paths the proxy cannot see. A user who bypasses the proxy — a misconfigured browser, a USB stick from a supplier — is still covered: FortiClient submits unknown files to the same FortiSandbox and receives the same verdicts, on the endpoint itself. One sandbox, one verdict database, every path covered. **FortiAnalyzer** collects the lot — FortiProxy download decisions, FortiSandbox detonation reports, FortiClient endpoint events — in one place. The SOC gets a single view: this user, on this machine, downloaded this file; the sandbox saw these behaviours; here is the verdict. As the rollout scales to more proxies and additional sandboxes, everything continues to report into the same platform. [PreviousCentralised Logging — DailyGrind](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/centralised-logging-dailygrind) [NextFortiProxy Configuration](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-configuration) Last updated 28 days ago --- # The Trap Inside the Walls | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls.md) . ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FBVybb8wC43WbdVoZ0frd%252FScreenshot%25202026-06-10%2520at%252011.04.04%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D223d9557-cd88-422c-8008-98600eea5f14&width=768&dpr=3&quality=100&sign=5d07ce38&sv=2) When we were breached last year, the attacker was inside our network for weeks before anyone noticed — quietly moving from machine to machine, looking for our payment systems and customer data. Every tool we had was watching the front door. Nothing was watching for someone already inside, moving sideways. We need to catch an intruder the moment they start probing our internal network — with no false alarms to chase — and we need the offending machine cut off automatically, both at the network level and on the device itself, before it can spread. Our security team is small. They cannot watch screens around the clock. **Products In-Scope** FortiDeceptor (FDC) FortiGate (FGT) FortiClient (FCT) FortiAnalyzer (FAZ) FortiSIEM (FSM) FortiSOAR (FSR) **Our Response** **FortiDeceptor** plants decoys across the internal network that look exactly like production systems — Windows RDP servers, VMware hosts, SCADA devices. No legitimate user or process has any reason to touch them. That single fact is what makes deception so powerful: any interaction with a decoy is malicious by definition. There is nothing to tune, no baseline to learn, and effectively zero false positives. The alarm only rings when someone is somewhere they should never be. The moment a decoy is touched, the network shuts the attacker out automatically: 1. **The network shuts the attacker out.** FortiDeceptor passes the alert into the Security Fabric, and a FortiGate automation stitch quarantines the source IP immediately — it loses all network access. Any packet from that address crossing the firewall is dropped at the kernel level, independent of any firewall policy. This happens in seconds, with no human involved. 2. **The endpoint is identified and tagged for action.** In parallel, the path runs through FortiSIEM and FortiSOAR: FortiSIEM's correlation rules recognise the decoy interaction and raise an incident, FortiSOAR enriches it and runs a playbook that applies a tag to the offending endpoint in FortiClient EMS. That tag is the pivot point. In this scenario we use it to mark the device, but a tag in EMS can drive policy directly — moving the endpoint into a restricted or quarantined posture that isolates it locally, so even traffic that never crosses the FortiGate is cut off. The same FortiSOAR playbook can also be extended to trigger that isolation outright. The framework is built; how aggressively you act on it is your choice. **FortiAnalyzer** records the whole timeline — what was probed, from where, and what action was taken — so the small security team investigates _after_ the event, with a complete picture, rather than scrambling during it. This is the answer to "our team cannot watch screens around the clock": the network response is fully automatic, and the endpoint response is staged and ready. Detection to network containment happens in seconds with no human in the loop; from there, the same Fabric gives the team a tagged, enriched, ready-to-action incident rather than a screen they have to be watching. Last year's intruder had weeks. This time, they are caught the moment they touch the trap! [PreviousVerify FortiClient](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/verify-forticlient) [NextFortiDeceptor Configuration](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls/fortideceptor-configuration) Last updated 28 days ago --- # FortiProxy Configuration | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-configuration.md) . Before PackTrack's staff download anything, let's look at the machinery that will judge every file. In this step, you will review how the FortiProxy connects to the rest of the Fabric — the FortiSandbox that delivers verdicts, and FortiClient EMS that tells us who and what is behind every request. Log into your [FortiProxy](https://10.222.101.27/) instance FortiProxy is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance: Username: admin Password: fortinet4A!! Because FortiProxy is shared, you do not need to make any configuration changes — it has all been done for you. Review and understand; don't modify. Go to Security Fabric > Fabric Connectors. You should see that both FortiSandbox and FortiClient EMS show a Connected status. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fhb0VHaFm4WlMQKenV8XQ%252FScreenshot%25202026-05-27%2520at%25209.49.57%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D80c66b8a-c00a-4625-9069-a6fcd4a11f70&width=768&dpr=3&quality=100&sign=80241226&sv=2) These two connectors are the whole scenario in one screen: FortiSandbox is where files go to be judged, and FortiClient EMS is how identity and device context flow into every decision and every log. Let's look at each. Double-click the FortiSandbox icon to open the Sandbox settings. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FXMEOzsrLUIJgcC5JqeJQ%252FScreenshot%25202026-05-27%2520at%25209.44.04%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3De1703d09-1bd9-49ec-937f-13f497bb643a&width=768&dpr=3&quality=100&sign=75031d70&sv=2) The setting that matters here is **Inline Scanning**. Most sandbox deployments work "post-transfer": the user receives the file while it is analysed in the background — so if the verdict comes back malicious, the malware is already on the endpoint. That first victim is "Patient Zero". Inline scanning reverses the order: the FortiProxy holds the file, FortiSandbox delivers the verdict, and only then is the file released — or blocked. No verdict, no file. Zero-day or unknown malware is stopped before it ever reaches an endpoint, which means there is no Patient Zero. You may have noticed the second connector: FortiClient EMS. This connection is quietly doing two important jobs. First, it unlocks ZTNA (Zero Trust Network Access) enforcement and posture awareness. FortiProxy now understands the state of each endpoint — and if a device's posture changes mid-session and it is no longer compliant, the session is terminated this is covered in another scenario. Second — and for this scenario, most importantly — EMS shares user identity with FortiProxy. When we review logs later, we will not be staring at bare IP addresses; we will see the user behind each request. At scale, this is the difference between an investigation and an archaeology dig: your analytical tools can answer "what was this user doing, on this day, at this time, across multiple products?" in one query. [PreviousGuilty Until Detonated](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated) [NextFortiProxy Configuration #2](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-configuration-2) Last updated 1 day ago --- # Sending the Mail | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/sending-the-mail.md) . Now you switch roles entirely. You have seen the defences; now you become the attacker. In this step, you will send DailyGrind two of the exact emails its CIO described — a QR-code phishing PDF, and a spoofed message from "IT" carrying scripts — and then watch FortiMail catch them both. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/sending-the-mail#using-fortipam-to-rdp-to-the-windows-host-inside-fabric-studio) Login your [FortiPAM](https://10.222.101.36/) instance **Username:** Pod**N** **N** = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 **Password:** Fortinet1! Navigate to Secrets select Shopping-Pod47\_Host\_Win11\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FrJfTZmDddBdMZCcYcSyx%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.46.52.png%3Falt%3Dmedia%26token%3D5b3af4f3-e15d-4070-8dc6-d7a31f2237fd&width=768&dpr=3&quality=100&sign=e07741e0&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FD6Etqm2PtyN9ymBMkuCS%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.47.05.png%3Falt%3Dmedia%26token%3Dc09b60a7-632b-473a-827b-371062f30671&width=768&dpr=3&quality=100&sign=cae8ca33&sv=2) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FUSOSlZNz7QXtVr4aNNhU%252FScreenshot%25202026-05-12%2520at%25201.01.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7dfb4cd8-07a9-45e8-a577-12038e82caad&width=768&dpr=3&quality=100&sign=5c97c024&sv=2) Open Google Chrome and click the Webmail bookmark. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FFlJbsqjbx4qJeOYCgRAf%252Fimage.png%3Falt%3Dmedia%26token%3D4442692d-4afb-4f26-948f-ae5ba7154841&width=768&dpr=3&quality=100&sign=69b62031&sv=2) Please log in with the below **Webmail Credentials** Username: it@daily.grind.cafe Password: fortinet Look closely at that sender address: [it@daily.grind.cafe](mailto:it@daily.grind.cafe) . DailyGrind's real domain is dailygrind.cafe — one word, no dot in the middle. The address you are sending from is a lookalike, daily.grind.cafe, designed to pass a quick glance. This is the second half of the attack: the QR code hides the link, and the lookalike domain hides the sender. You are now playing the attacker who registered that domain. ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/sending-the-mail#attack-one-the-qr-phishing-pdf) Attack one — the QR phishing PDF Click Compose Mail and fill it in as shown below. Attach MFA.pdf, found in Documents > FML. Make sure the to address is [staff@dailygrind.cafe](mailto:staff@dailygrind.cafe) — DailyGrind's real staff, the target. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FEQj17VNSynTZnT0sLy0Q%252FScreenshot%25202026-06-04%2520at%252010.20.18%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D1e1befbd-e118-425c-a93f-8554df838735&width=768&dpr=3&quality=100&sign=bed7732&sv=2) The QR code inside this PDF contains **several** links to live, real phishing websites that we keep updated. Do not scan the QR code or visit any of the URLs. You will see FortiGuard's classification of them safely, in the logs, in the next step. When your email looks correct and the attachment is attached, click Send. ### [](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/sending-the-mail#attack-two-the-spoofed-it-email-with-scripts) Attack two — the spoofed IT email with scripts In the Webmail instance, go to Sent Items, find the email you just sent, double-click to open it, and click Reply. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FmPYOnNcPHUrkHF5NVBTx%252FScreenshot%25202026-06-04%2520at%252010.27.55%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D910e6d7e-22f6-4074-91f5-ca66173376cd&width=768&dpr=3&quality=100&sign=1d6ff567&sv=2) Add a brief message and attach the two files listed below, then click Send. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FQ8m0OGcm0zbefJXmsJ43%252FScreenshot%25202026-06-04%2520at%252010.29.29%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D4b11ef37-a202-409f-bdf0-3a0410e65f45&width=768&dpr=3&quality=100&sign=b7c33b7d&sv=2) Why reply to your own email? It threads the second attack onto the first, so in the logs you can follow a single conversation carrying two different threats — exactly how a real campaign escalates: a phishing lure first, then a follow-up with a malicious payload once the target is engaged. That is both attacks sent: a QR-code lure and a spoofed-sender payload. Now let's switch back to the defender's chair and see what FortiMail made of them. [PreviousFortiMail](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/fortimail) [NextReviewing the logs](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/reviewing-the-logs) Last updated 21 days ago * [Attack one — the QR phishing PDF](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/sending-the-mail#attack-one-the-qr-phishing-pdf) * [Attack two — the spoofed IT email with scripts](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/sending-the-mail#attack-two-the-spoofed-it-email-with-scripts) --- # FortiWeb (FWB) Configuration Check | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiweb-fwb-configuration-check.md) . Before we attack the chatbot, let's look at the trap that has been set for us. In this step, you will walk through the FortiWeb configuration and see exactly how it sits — invisibly — between the MCP client and the MCP server. Nothing to configure here; your job is to understand the design, because in a real engagement, this is the design you would be pitching. On the FortiWeb FortiWeb (located inside Fabric Studio, right click it and access it using HTTPS): Username: admin Password: fortinet4A!! Go to Dashboard > Status. In the System Information widget, notice that the operation mode is True Transparent Proxy. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FSwcmfcre07hPosvvucK2%252FScreenshot%25202026-05-21%2520at%25207.57.11%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D39325575-9c86-4437-bb28-18d040acadff&width=768&dpr=3&quality=100&sign=f3d654e1&sv=2) This mode is the heart of the design. The FortiWeb is not a routed hop and has no IP presence in the traffic path — the MCP client and server are completely unaware that it exists. Nothing needed re-addressing, and nothing needed reconfiguring on the application side. For FortiStore, that meant dropping protection into a live environment without touching the chatbot at all. Go to Network > V-Zone and double-click configuration entry 1. You will see that the interfaces Port 2 and Port 3 are selected as members of V-Zone ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FqreI20yXLeau1pdDpJKu%252Fimage.png%3Falt%3Dmedia%26token%3D58a3fc2a-789a-4ffe-a2d5-77f8f5712936&width=768&dpr=3&quality=100&sign=33a150d5&sv=2) The MCP client connects via Port 2, and the MCP server via Port 3. The V-Zone bridges the two, so every message between client and server is forced through the FortiWeb. There is no path around it — which is exactly what we want, because we can only inspect what passes through us. Go to Web Protection > Protocol > MCP and click into configuration entry 1. You will see that the out-of-the-box Signature Detection and Poisoning Attack Protection are enabled. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FlchHz6zp0Vn3bTscsONE%252FScreenshot%25202026-05-21%2520at%25208.04.07%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D2d58e768-dd9a-4fc6-a42f-0b38d3c3350b&width=768&dpr=3&quality=100&sign=34d309be&sv=2) This is what makes FortiWeb more than a bridge: it understands the MCP protocol itself. Signature detection catches known attack patterns hidden inside MCP messages, and poisoning attack protection guards the protocol's weak spot — attempts to manipulate the instructions and context that the model acts on. Keep these two protections in mind; you are about to trigger one of them. Go to Policy > Server Policy > Web Protection Profile, click the pencil next to Inline Standard Protection + MCP, and scroll down to Protocol. You should see that MCP Policy is enabled. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FW2moPubcxKxoW0UrUa2t%252Fimage.png%3Falt%3Dmedia%26token%3Dbdd749cb-6565-45f3-91de-4ce3354efd0f&width=768&dpr=3&quality=100&sign=a734a696&sv=2) This is where the protection is switched on: the MCP policy you just viewed is bound into the protection profile that the server policy applies to traffic crossing the V-zone. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fb2i7KMXTSdbORu5VxlRf%252FScreenshot%25202026-05-21%2520at%25208.10.57%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dbfd45fff-d842-4f5c-998c-acaecccee6f6&width=768&dpr=3&quality=100&sign=211b82d5&sv=2) Finally, the customer asked for centralised logging. Go to Log & Report > Log Policy > FortiAnalyzer Policy. Under entry number 1, you can see this FortiWeb is configured to send its logs to an upstream FortiAnalyzer. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FniFtOjC2ozaN8RLukd1X%252FScreenshot%25202026-05-21%2520at%25208.13.50%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D82d26a1b-dd59-4c6d-8eb1-d0f37ba7d8b7&width=768&dpr=3&quality=100&sign=ad4b5610&sv=2) So the chain is set: traffic cannot avoid the FortiWeb, the FortiWeb speaks MCP, and everything it sees is reported centrally. Time to put it to the test — let's go talk to the chatbot! [PreviousWhen Chatbots Go Rogue](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue) [NextChatting to the Chatbot!](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/chatting-to-the-chatbot) Last updated 0 minutes ago --- # FortiGate (FGT) CSR Import | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-import.md) . The signed certificate returns home. Once it is imported and bound to the deep-inspection profile, this FortiGate can decrypt and re-sign traffic with a certificate that every Breachside endpoint will trust. Back on the FortiGate, go to System > Certificates and select Certificate. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fra12v6LIeLyYmv0byjE9%252FScreenshot%25202026-05-11%2520at%252010.57.15%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Ddd94e97c-0666-4674-90bc-e79dad8d3566&width=768&dpr=3&quality=100&sign=8aebc613&sv=2) **We already imported a CA cert via SCEP, why all the CSR work?** To perform deep inspection, the FortiGate must re-sign traffic on the fly. Signing requires a private key. The SCEP import in the first step gave us only the root CA's public certificate — enough to _trust_ certificates signed by the root, but not enough to _issue_ them. The root's private key never leaves the FortiAuthenticator, and it never should: whoever holds a CA's private key can impersonate any website on the internet to any device that trusts it. That is why we built a subordinate CA instead. The key pair was generated on the FortiGate itself when we created the CSR — the private key has never left the device. The FortiAuthenticator signed only the public half. The result: each FortiGate holds its own signing key, while the root key stays locked away on the CA. This also limits the blast radius. If a single store's FortiGate were ever compromised, only that sub-CA is affected — it can be revoked and reissued without touching the root or any other store. One root, many sub-CAs: trust flows down, but risk does not flow back up. A side menu will open, as below. Select Import Certificate. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252F4c0XxlgIyQpSjWNQcVo2%252FScreenshot%25202026-05-11%2520at%252010.58.13%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3De7184fc8-7f9d-447a-91a9-b68daf42bb02&width=768&dpr=3&quality=100&sign=8dc4aa73&sv=2) Select Type: Local Certificate and drag and drop the **.crt** file you just recived during [FortiAuthenticator (FAC) CSR Approval](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortiauthenticator-fac-csr-approval) into the box and click Create Remember that we are using Pod 47 just as an example (10.237.10.47). Yours will likely be different, unless you are assigned Pod 47. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FiFoA6oGgdXnDMfodKnzW%252FCleanShot%25202026-06-25%2520at%252011%25E2%2580%25AF.59.21.png%3Falt%3Dmedia%26token%3D9425bb19-5e87-41ba-92b8-99e1a1808c2c&width=768&dpr=3&quality=100&sign=f54d7ef2&sv=2) You should receive the following menu confirming the Certificate has been imported. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fc56nYkNOB6tDLpztkmRq%252FScreenshot%25202026-05-11%2520at%252011.01.17%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dde5c8222-7b53-4f4b-8d4a-48b5dbec5cbc&width=768&dpr=3&quality=100&sign=9a636bb4&sv=2) Click OK. The DPI\_SubCA certificate should no longer show as pending — it now has an active state. Pending to active is the whole journey of this scenario in two words: the request you generated has come back signed, and the FortiGate can now use it. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Fa17HXupQqksafAsN2yzZ%252FScreenshot%25202026-05-11%2520at%252011.02.29%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3Dbffeafef-d50b-4f69-a800-557d5e4d69c9&width=768&dpr=3&quality=100&sign=e2244b57&sv=2) One final step — and it is the one that makes everything before it count. Using the left-hand menu, go to Security Profiles > SSL/SSH Inspection and open the profile named deep-inspection-lab. Under Full SSL Inspection, the DPI\_SubCA certificate should now be selectable — select it and click OK. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FTTI86hoK00Xu2XBZHqSK%252FScreenshot%25202026-05-11%2520at%252011.08.23%25E2%2580%25AFam.png%3Falt%3Dmedia%26token%3D55415716-b8f7-4559-b206-2c97e37dbfbf&width=768&dpr=3&quality=100&sign=5522c092&sv=2) That completes the chain: FortiAuthenticator signs, the FortiGate inspects, and — with the root CA pushed to every endpoint by FortiClient EMS — users see no warnings. Breachside's CIO and CTO asked for certificate automation across hundreds of stores with zero manual work per device. You have just built the trust hierarchy that delivers it. If you wish to validate that the FortiGate is now inserting itself in the middle of the conversation using your FortiPAM instance Using FortiPAM to RDP to the Windows Host Inside Fabric Studio![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-import#using-fortipam-to-rdp-to-the-windows-host-inside-fabric-studio) Login your [FortiPAM](https://10.222.101.36/) instance **Username:** Pod**N** **N** = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 **Password:** Fortinet1! Navigate to Secrets select Shopping-PodN\_Host\_Win11\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FrJfTZmDddBdMZCcYcSyx%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.46.52.png%3Falt%3Dmedia%26token%3D5b3af4f3-e15d-4070-8dc6-d7a31f2237fd&width=768&dpr=3&quality=100&sign=e07741e0&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FD6Etqm2PtyN9ymBMkuCS%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.47.05.png%3Falt%3Dmedia%26token%3Dc09b60a7-632b-473a-827b-371062f30671&width=768&dpr=3&quality=100&sign=cae8ca33&sv=2) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FUSOSlZNz7QXtVr4aNNhU%252FScreenshot%25202026-05-12%2520at%25201.01.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7dfb4cd8-07a9-45e8-a577-12038e82caad&width=768&dpr=3&quality=100&sign=5c97c024&sv=2) Once you arrive at the desktop, double-click the Google Chrome shortcut and in the address bar type google.co.uk the page should load as normal ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FomBgdukJRpofmWOOopMm%252FCleanShot%25202026-06-29%2520at%252010%25E2%2580%25AF.42.06.png%3Falt%3Dmedia%26token%3D4607f317-3fa2-4d71-9b30-88a8b6e8bfce&width=768&dpr=3&quality=100&sign=534c3f&sv=2) Once the page has loaded, click the settings menu on the right-hand side of the number 1 you see in the above diagram, select Connection is secure ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FrnefWtEavh3k4tmIixT4%252Fimage.png%3Falt%3Dmedia%26token%3De8b5c5c4-6a38-412a-8055-2c9adeb14f00&width=768&dpr=3&quality=100&sign=ce796cea&sv=2) Click where it says Certificate is valid ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FnUxEIatezsPtLDABcOXc%252FCleanShot%25202026-06-29%2520at%252010%25E2%2580%25AF.47.20.png%3Falt%3Dmedia%26token%3D79da3e4d-341d-4f94-b046-259be7f444ca&width=768&dpr=3&quality=100&sign=8b8897b3&sv=2) If you look, you can see that the certificate being used is the one that you just generated, this allows the FortiGate to sit in the middle of the communication and essentially see the encrypted data. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FYmCUPKU0xRsfwXXcXVJ0%252FCleanShot%25202026-06-29%2520at%252010%25E2%2580%25AF.47.29.png%3Falt%3Dmedia%26token%3D60cc2523-d776-4c5f-ae68-3307aaa3024a&width=768&dpr=3&quality=100&sign=8f3d54e1&sv=2) [PreviousFortiAuthenticator (FAC) CSR Approval](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortiauthenticator-fac-csr-approval) [NextWhen Chatbots Go Rogue](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue) Last updated 1 day ago --- # FortiProxy Logs | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-logs.md) . You saw the block as a user. Now switch sides — put your analyst hat on and find the evidence of what just happened. Log into your [FortiProxy](https://10.222.101.27/) instance FortiProxy is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance Username: admin Password: fortinet4A!! Navigate to Log & Report > Security Events > AntiVirus (Section) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FaMmqfo2qBYz7HjaqsNQ6%252FCleanShot%25202026-06-15%2520at%252010%25E2%2580%25AF.25.58.png%3Falt%3Dmedia%26token%3Da1586bad-4415-489a-b213-21cc4bb96905&width=768&dpr=3&quality=100&sign=9ef22625&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252Ff2gnQIiYh949ZtcY5T6Y%252FScreenshot%25202026-05-27%2520at%252012.27.21%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dcbad2522-1f72-4cd3-87eb-0ee245d17ccc&width=768&dpr=3&quality=100&sign=a061ef5d&sv=2) The files you received block pages for are all here in the logs. Select one of them, and a submenu will open on the right-hand side — there you can see that the file was passed to FortiSandbox for a verdict. This log entry is the audit trail PackTrack asked for: the file, the user who requested it, the source, the verdict, and the fact that the sandbox made the call. And because the EMS connector is sharing identity with the proxy, the entry is tied to a user — not just an IP address that someone would have to chase through DHCP leases at three in the morning. Occasionally, you may see that a file was not passed to FortiSandbox at all. This is not a fault — FortiProxy keeps a local verdict database, synced from FortiSandbox. If the proxy already knows the file's hash and verdict, it answers instantly without submitting the file again. We have tried to limit this caching in the lab so you can watch the full submission flow, but it will occasionally win the race. In a real deployment, this behaviour is exactly what you want: if the verdict already exists, use it — never make a user wait for an answer the estate already knows. One observation worth carrying into the room: everything on this page happened on a shared proxy serving up to 50 attendees, and the verdicts still came back in seconds. That is the scaling story playing out live. The proxy path is proven. But what about the user who never goes through the proxy at all? Time to cheat. [PreviousDownloading Malware (FPX)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/downloading-malware-fpx) [NextDownloading Malware (FCT)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/downloading-malware-fct) Last updated 24 days ago --- # Mischievous user! (Continued) | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/mischievous-user-continued.md) . Pasting code was careless. What you do now is what turns a careless user into a suspicious one. A screenshot, then compressing it for easy removal — on their own — are ordinary actions. Together with what you just did, they form the shape of someone preparing to take data out of the building. Go back to the desktop and then click the search bar and click Snipping Tool ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FgL4Dhnm5pSEMrgfeUFn9%252Fimage.png%3Falt%3Dmedia%26token%3D1f60a4ef-de20-4586-8acd-30639ad91491&width=768&dpr=3&quality=100&sign=f4e0bb4a&sv=2) Take a screenshot and save it to the Desktop ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FpmcH7T3FKdjluNSLaN5J%252Fimage.png%3Falt%3Dmedia%26token%3D543f263e-2f11-49e0-9f78-d50420ce4b55&width=768&dpr=3&quality=100&sign=8bdeb79f&sv=2) Now right-click the screenshot you just saved on the Desktop and choose Compress to ZIP file. Save the compressed file to the Desktop, keeping the generated name. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FqFmF246EYi5dSLXt0ZRf%252Fimage.png%3Falt%3Dmedia%26token%3Dc5f36fdd-31ff-4a02-8e45-b7d534c78efd&width=768&dpr=3&quality=100&sign=2b9e5bec&sv=2) Think about how these actions look when joined together. Pasting sensitive code into an AI tool, capturing the screen, then compressing the result into a single file ready to move — this is the classic shape of data exfiltration. In the MITRE ATT&CK framework, you have just performed Archive Collected Data (the zip) alongside the earlier Exfiltration Over Web Service (the ChatGPT paste). No single step is alarming by itself; that's exactly why this kind of activity slips past tools that look at one event at a time. FortiDLP has recorded every one of these actions on the device — and on the next page, you'll see the full sequence laid out as evidence. You've now played the whole insider sequence: logged in, pasted code with PII, screenshotted, and compressed for removal. Time to step out of the role and become the investigator — let's see exactly what FortiDLP captured. [PreviousMischievous user!](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/mischievous-user) [NextEvidence Review (FortiDLP)](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/evidence-review-fortidlp) Last updated 1 day ago --- # Testing the Load Balancing | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/testing-the-load-balancing.md) . Round-robin is easy to claim and easy to prove. In this step, you will browse to FortiStores's site twice — and watch the FortiADC send you to a different server each time. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/testing-the-load-balancing#using-fortipam-to-rdp-to-the-windows-host-inside-fabric-studio) Login your [FortiPAM](https://10.222.101.36/) instance **Username:** Pod**N** **N** = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 **Password:** Fortinet1! Navigate to Secrets select Shopping-Pod47\_Host\_Win11\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FrJfTZmDddBdMZCcYcSyx%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.46.52.png%3Falt%3Dmedia%26token%3D5b3af4f3-e15d-4070-8dc6-d7a31f2237fd&width=768&dpr=3&quality=100&sign=e07741e0&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FD6Etqm2PtyN9ymBMkuCS%252FCleanShot%25202026-06-18%2520at%252010%25E2%2580%25AF.47.05.png%3Falt%3Dmedia%26token%3Dc09b60a7-632b-473a-827b-371062f30671&width=768&dpr=3&quality=100&sign=cae8ca33&sv=2) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FUSOSlZNz7QXtVr4aNNhU%252FScreenshot%25202026-05-12%2520at%25201.01.45%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D7dfb4cd8-07a9-45e8-a577-12038e82caad&width=768&dpr=3&quality=100&sign=5c97c024&sv=2) If you still have the Windows host open from the chatbot step, you can skip straight to the browser. Once you arrive at the desktop, double-click the Google Chrome shortcut and click the pre-populated bookmark "FortiStore - LB". The page should load as below. Now look in the top right-hand corner: you will see the IP address of the node you were directed to — either 192.168.2.2 or 192.168.2.3. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FjgcUDMfe4hvfvisqhSbc%252FScreenshot%25202026-05-21%2520at%25202.15.25%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Da15a31c5-5498-452e-a1e9-ffe040a7e253&width=768&dpr=3&quality=100&sign=b148bef5&sv=2) See the Destination is .3 Remember, you browsed to the Virtual IP — 192.168.2.100. The address in the corner is the real server the FortiADC chose for you. The user never knows, and never needs to know, which server answered. To validate the round-robin, go back to the desktop and open Microsoft Edge — or a private browsing tab — and browse to 192.168.2.100. You should land on the opposite server from the one you received above. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FhgHDTpYGrWBca5ccNiVb%252FScreenshot%25202026-05-21%2520at%25202.33.28%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Daa2eb2bb-4ad1-42bd-8d1d-4f32082da492&width=768&dpr=3&quality=100&sign=98e2062b&sv=2) See the Destination is now .2 You can also use the following Powershell Command `1..30|%{[regex]::Match((iwr http://192.168.2.100 -useb).Content,'192.168.2.\d+').Value}|group|select Count,Name` Paste using your FortiPAM RDP Session, once you get the first result open up a new poweshell tab and paste again you should see .2 & .3 alternate ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FZ9xxnkvNtD9f0bJqtX6q%252FCleanShot%25202026-06-29%2520at%252011%25E2%2580%25AF.13.29.png%3Falt%3Dmedia%26token%3Df54fa8d4-e629-45a6-9613-33ccca56241b&width=768&dpr=3&quality=100&sign=b724f2ce&sv=2) ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FvD1xb0iJGxK1SxnDBKX4%252FCleanShot%25202026-06-29%2520at%252011%25E2%2580%25AF.13.38.png%3Falt%3Dmedia%26token%3D5d1525e7-a654-4691-8217-a346448354f6&width=768&dpr=3&quality=100&sign=5b617041&sv=2) Why a different browser or a private tab? A fresh browser means a fresh connection — and round-robin balances connections, not page clicks. If you simply refreshed the same tab, the browser might reuse its existing connection and you would land on the same server again, which looks like a fault but isn't. That's one user, two connections, two different servers — exactly what FortiStore needs when thousands of Black Friday shoppers arrive at once. And every one of these balanced sessions has been logged. Let's go and see them, all in one place. [PreviousFortiADC (FAD) Configuration](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiadc-fad-configuration) [NextCentralised Logging — FortiStore](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/centralised-logging-fortistore) Last updated 10 days ago --- # Coaching, Then Consequences | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences.md) . Important! This scenario has a pre-requisite: you must have completed the steps in [Certificates at Scale](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale) before. This ensures that we can really see inside the packets via deep-packet-inspection. If you have not already done that scenario, conduct it first. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FYBAoPYKOClaE8ugu5Edt%252FScreenshot%25202026-06-10%2520at%252011.07.05%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dba4e0a5a-d0c5-48cd-be9c-3776c3c1508d&width=768&dpr=3&quality=100&sign=491086bc&sv=2) We embrace AI here, but we've realised our developers and analysts are pasting things into ChatGPT, Claude, Gemini and Copilot that should never leave the building — chunks of proprietary source code, customer datasets, sometimes personal data — just to 'tidy it up' or 'explain what this function does'. Our network team can see that people are visiting AI sites, but they can't see what's being typed or pasted into them, and increasingly these are desktop apps and IDE plugins that don't even look like a normal website to a firewall. Worse: we recently had a developer hand in their notice and immediately start behaving differently — taking screenshots, compressing files on their desktop and pasting code into ChatGPT that contains Personally identifiable information (PII), by the time anyone joined the dots, they had already gone. We don't want to ban AI outright — most people just need a nudge. But when someone already on a watch list ignores the nudge and keeps going, we want the system to recognise the whole pattern and act on its own, surgically — cutting that one person's access without waiting for our small security team to notice. **Products In-Scope** FortiDLP (FDLP) FortiSIEM (FSM) FortiSOAR (FSR) FortiClient (FCT) **Our Response:** The customer has drawn a subtle line: coach the many, act on the few. Most data leaks to AI tools are careless, not malicious — a developer pasting code to get it explained. The right response there is a nudge, not a lockout. But the same action from a watch-listed leaver, alongside screenshots and file compression, is not carelessness — it is exfiltration. The design has to tell those two situations apart and respond differently to each. **FortiDLP sees on the device, not on the wire.** It runs as an agent on every endpoint, observing actions as the user performs them — so it catches the paste into ChatGPT that a firewall never can, including in desktop apps and IDE plugins that never render as a website. In this scenario it captures the full sequence: the RDP login, the Snipping Tool screenshot, explorer.exe compressing that screenshot to a zip, and the browser POST to ChatGPT carrying a Python loop containing names, emails and SSNs. Each action is mapped to its MITRE ATT&CK technique — Archive Collected Data, Obfuscated Files, Exfiltration Over Web Service — and the risky paste is coached on screen in the moment, with screenshot evidence captured. This is the "coaching" half: the user is nudged, and the event is recorded. **FortiSIEM scores the pattern, not the alerts.** It ingests those events with identity context and applies UEBA (User and Entity Behaviour Analytics) to weigh them as a behaviour, not a count. One paste is low-risk. But a watch-listed leaver taking screenshots, compressing files, and exfiltrating code-with-PII inside a single window crosses the threshold at once — and surfaces as one high-confidence incident, rather than six disconnected low-severity events a tired analyst has to assemble by hand at midnight. **FortiSOAR turns the verdict into action.** When the pattern is recognised, a SOAR playbook enriches it — identity, device, watch-list status, HR status — and then acts: it applies a FortiDLP incident tag to the user's endpoint in FortiClient EMS, opens a case with the full evidence chain, and notifies the manager and SOC in one message. For the most serious actions, a one-click human approval step can be inserted. This is the "consequences" half — and it is surgical: one person's access, not a blanket ban. **The tag is the bridge to enforcement.** The FortiDLP incident tag applied here is a Classification Tag — an administrative mark, not a live posture reading. On its own it records a judgement; combined with firewall policy, it cuts access. That is exactly what the [Tag-Driven ZTNA](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna) scenario does with this tag: a device carrying a FortiDLP incident tag is refused entry to protected applications, even while it looks perfectly healthy. Coaching happens here; the consequence is enforced there. [PreviousFortiAnalyzer (FAZ) Logs](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortianalyzer-faz-logs) [NextMischievous user!](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/mischievous-user) Last updated 14 days ago --- # Browsing to Webserver | Fabric Solutions Lab - Shopping For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work/browsing-to-webserver.md) . Once you have finished configuring your proxy then please click the Index of /tools bookmark ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FcOv0lzwtsRQEbrST1UTe%252FScreenshot%25202026-05-26%2520at%25202.09.52%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3D2cdf744f-cafb-42b4-9b24-fe3efd9dba53&width=768&dpr=3&quality=100&sign=cdebef49&sv=2) Double click gun.jpg just for your referance this is what the image looks like. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FrQhkMYXohXeJOmBza9pY%252Fgun.jpg%3Falt%3Dmedia%26token%3D6a1ba4d5-5539-4b9b-b251-7b9c17b33853&width=768&dpr=3&quality=100&sign=e6d599dd&sv=2) On clicking the image, ther will be a brief pause of around 5-30 seconds before you are redirected to the FortiProxy block page. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FCZnrdzRSXVImq8GZ9JUF%252Fimage.png%3Falt%3Dmedia%26token%3D82fa9f93-32e8-43b9-9389-025c487be83f&width=768&dpr=3&quality=100&sign=98eb1395&sv=2) As you successfully should see FortiProxy has reviewed the image using Optical character recognition (OCR) and and successfully blocks it from the user based on the Content Analysis Policy because the image clearly contains Weapons On FortiProxy if you browse to Log & Report > Correlation Log you can see the block logs. ![](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/~gitbook/image?url=https%3A%2F%2F416463229-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fa4j8HSC8eVLIBLtpTtsJ%252Fuploads%252FD0ymW3J8Xi3K6YPOAub0%252FScreenshot%25202026-05-26%2520at%25202.18.49%25E2%2580%25AFpm.png%3Falt%3Dmedia%26token%3Dd12120f5-861a-45ca-a0d3-624090aacd21&width=768&dpr=3&quality=100&sign=8953bcf5&sv=2) If you wish to validate further, if you go back to the Windows RDP session and click the Index of /tools bookmark there should be a .jpeg image called cute\_kittens.jpeg click it. Last updated 1 month ago --- # Introduction & Getting Started | Fabric Solutions Lab - Mitre For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-mitre/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-mitre/introduction-and-getting-started.md) . Welcome to the lab environment created by the CSE Fabric Solutions team. This lab demontrates various products capabilities in defending against real attacks. We will follow the MITRE ATT&CK Framework. By implementing multiple Fortinet products, we can reduce attack risks and respond to threats automatically. For this lab you need to go through each section in order (Starting at the top and working your way to the bottom). By the end of this lab, you will have explored various Fortinet products and their capabilities to address different threats effectively. Please note that for each tactic many Fortinet products could have been selected. Over time more products will be added. Its also possible that existing products that are inside the lab may be able to cover various tactics also. This lab is a mixture of theory (Reading) and hands on, some of the tactics just contain information on tactic coverage based on a threat intelligence platform such as FortiGuard. In most cases the products have been set into a "Monitor Only" state instead of being instructed to "Respond". This is because **we want the story to continue instead of the attacks being stopped at the first hurdle!** The instance within Fabric Studio is dedicated to you, but please avoid saving any configuration changes or making any alternations to the lab topology. Occasionally, you may need to connect to shared external resources, which are shared and secured separately from your Fabric Studio instance. If you are prompted to download or install new firmware when logging into an appliance, **please ignore it**. This lab has been tested with the provided firmware versions. The Fabric CSE team will continue to test and update the environment after thorough evaluation. Created by Consulting Systems Engineer (CSE): Chris Eddisford - [LinkedIn Click Me!](https://www.linkedin.com/in/chris-eddisford-5b676462/) If you are running through the lab environment at a physical Fortinet event such as xPerts, if you need any assistance, just raise your hand and an instructor will be happy to assist. Please note if you're an internal Fortinet employee, you need to request access to Fabric Solutions Lab via a Microsoft Form - [Click Me](https://forms.office.com/r/puBFVkkLFB) (After filling out you will be re-directed to a self-serve portal and can start the session when your ready) Some of the scenarios contain real attacks that will do major damage if detonated or used outside of the lab environment, so please refrain from doing this. [NextLab Credentials](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-mitre/introduction-and-getting-started/lab-credentials) Last updated 9 months ago --- # Introduction & Getting Started | Fabric Solutions Lab - Original For the complete documentation index, see [llms.txt](https://fabriclab-tech.gitbook.io/fabric-lab/llms.txt) . This page is also available as [Markdown](https://fabriclab-tech.gitbook.io/fabric-lab/introduction-and-getting-started.md) . Welcome to the lab environment created by the CSE Fabric Solutions team. This lab demonstrates how Fortinet products work together to enhance security. By integrating multiple Fortinet products, we can reduce attack risks and respond to threats automatically. The focus is on product integration rather than individual features. Each section of this lab is independent, so you can complete them in any order once you have completed [Introduction & Getting Started](https://fabriclab-tech.gitbook.io/fabric-lab) . We recommend finishing the entire lab to gain a comprehensive understanding and ensure that "attacks and quarantines" don’t interfere with other sessions. In this Lab, you will use various Fortinet products. The instance within Fabric Studio is dedicated to you, but please avoid saving any configuration changes. Occasionally, you may need to connect to external resources, which are shared and secured separately from your Fabric Studio instance. If you are prompted to download or install new firmware when logging into an appliance, please **ignore it**. This lab has been tested with the provided firmware versions. The Fabric CSE team will continue to test and update the environment after thorough evaluation. Created by Consulting Systems Engineer (CSE): Chris Eddisford - [LinkedIn Click Me!](https://www.linkedin.com/in/chris-eddisford-5b676462/) Please note if you're an internal Fortinet employee, you need to request access to Fabric Solutions Lab via a Microsoft Form - [Click Me](https://forms.office.com/r/puBFVkkLFB) (The lead time on access requests is 3 working days) Some of the scenarios contain real attacks that will do major damage if detonated or used outside of the lab environment so please refrain from doing this. [NextCreate RADIUS Account](https://fabriclab-tech.gitbook.io/fabric-lab/introduction-and-getting-started/create-radius-account) Last updated 6 months ago --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/access-credentials.md). # Access Credentials | Device Name | Type | Username | Password | | --- | --- | --- | --- | | Fabric Studio | | admin | Fortinet1! | | FortiNDR | FNDR | admin | Fortinet1! | | FortiEDR | FEDR | admin | Fortinet1! | | FortiAuthenticator | FAC | admin | Fortinet1! | | FortiSOAR | FSR | admin | Fortinet1! | | FortiSIEM | FSM | admin | Fortinet1! | | FortiDeceptor | FDC | admin | Fortinet1! | | FortiSandbox | FSA | admin | Fortinet1! | | FortiProxy | FPX | admin | Fortinet1! | | FortiMail | FML | admin | fortinet4A!! | | FortiGate | FGT | admin | fortinet4A!! | | FortiWeb | FWB | admin | fortinet4A!! | | External Attacker | Windows Host | None Required | None Required | | Internal Host | Windows Host | fabriclab\\demouser5 | Fortinet1! | | WebServer | Windows Host | None Required | None Required | | Host-Kali | Kali Host | kali | fortinet | | Host-Windows | Windows Host | None Required | None Required | | Host-FileServer | Windows Host | None Required | None Required | | Host-External | Ubuntu Host | ubuntu | fortinet | --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/firmware-versions.md). # Firmware Versions | Device Name | Lab FortiOS Version | | --------------------- | ------------------- | | FortiMail (FML) | 7.4.5 | | FortiGate (FGT) | 7.6.4 | | Shared FotiGate (FGT) | 7.6.6 | | FortiWeb (FWB) | 8.0.1 | | FortiNDR (FNDR) | 7.4.3 | | FortiProxy (FPX) | 7.4.3 | | FortiIsolator (FIS) | 3.0.0 | | FortiSandbox (FSA) | 4.4.6 | | FortiSIEM (FSM) | 7.4.2 | | FortiSOAR (FSOAR) | 7.6.5 | | FortiDeceptor (FDC) | 5.3.0 | | FortiClient EMS (FCT) | 7.4.1 | --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/introduction-and-getting-started/accessing-the-lab-environment.md). # Accessing the lab environment Inital setup is done via the self-serve-portal, to obtain the details you need to fill out the \[Microsoft Form\](https://forms.office.com/r/puBFVkkLFB) you will then be provided details to a Self-Serve-Portal where you can spin up a instance on demand! {% hint style="info" %} Insert Images {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1.md). # Attack & Defence #1 - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/scenario-story-narrative.md) - \[Attack - Scenario Steps\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/attack-scenario-steps.md) - \[Defence - Scenario Steps\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-scenario-steps.md) - \[Analyze - FortiMail & FortiNDR\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortimail-and-fortindr.md) - \[Defence - FortiSIEM\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisiem.md) - \[Analyze - FortiSOAR\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortisoar.md) - \[Defence - FortiSOAR\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisoar.md) - \[Defence - FortiClient\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-forticlient.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/attack-scenario-steps.md). # Attack - Scenario Steps ![](https://fabriclab-tech.gitbook.io/files/9Wc8tFRDr9COa6znrVoN) Enter the login details, \`Username: external / Password: fortinet\` On logging in, click the Drafts button on the left-hand side. You should then see draft emails ready for selection. As we're doing the Attack & Defence #1 scenario, click that email ![](https://fabriclab-tech.gitbook.io/files/H70dRapWSIsZjRLPHOvF) You will see that WannaCry.exe is pre-attached (Handle it with care!) press send! --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-scenario-steps.md). # Defence - Scenario Steps Open your Fabric Studio instance, locate the object "Inside Host", right-click it, access, and then display. Another browser tab should open. Open Google Chrome you will find a bookmark called Webmail click it. If your asked for a Username & Password for inside host its \`Username: fabriclab\\demouser5 / Password: Fortinet1!\` Enter the login details, \`Username: unprotected / Password: fortinet\` and click Log In ![](https://fabriclab-tech.gitbook.io/files/0lJKqRgQz3zT4dQe9QGH) You will find an email in the mailbox unfortunately, on clicking it, you will find that the malware has not been remediated and is present in the email. ![](https://fabriclab-tech.gitbook.io/files/WtyL9FGY12UJiGvtOL9i) For this mailbox (Unprotectred), this is by design because there were no AV profiles attached to the policy within FortiMail. However, if you go to the top right-hand corner and click "Unprotected," and then log out Enter the login details, \`Username: internal / Password: fortinet\` and click Log In ![](https://fabriclab-tech.gitbook.io/files/QRaQq8U0OkP44smfwHCt) You will see that the WannaCry attachment has been stripped and that the email subject has now got a \\\[Malicious Header\] ![](https://fabriclab-tech.gitbook.io/files/aUOtZFjgBUhkZRjsjqfV) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/scenario-story-narrative.md). # Scenario - Story/Narrative {% hint style="warning" %} Just a reminder that this lab has little/no configuration if you wish to conduct the configuration yourself then please use the Fabric Solutions Lab - Orginal or Fabric Solultions Lab - Mitre versions! - Links to these can be found here \[Click Me\](https://fortinet.sharepoint.com/sites/CSEFabricSolutionsEMEA/SitePages/CSE-Enablement-Lab.aspx) and are selectable options in the self-serve portal. {% endhint %} You are a malicious threat actor who is trying to penetrate into a company via sending malicious emails attaching malware to those emails. You then change to the defence side using various Fortinet products (FortiMail, FortiNDR, FortiClient, FortiSOAR, FortiSIEM) as part of the defence. You play both roles: 1. You are the attacker you will craft and send a malicious email with a malware attachment, exactly as a real threat actor would. 2. You are the defender you watch The email gets passed from FortiMail to FortiNDR. you observe the behaviour of both the Internal (Protected by FortiNDR) and the Unprotected mailboxes. For the Internal Mailbox you observe FortiNDR sending its verdict back to FortiMail. 3. However, you shouldn't stop there. You should then use FortiSIEM to understand if this is part of a wider threat. As an example, has this threat been seen across multiple mailboxes? Is it more of a concern than if it was just a single user. You then move to FortiSOAR to investigate further, quarantining the host using FortiClient. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisoar.md). # Defence - FortiSOAR Using the event that you should have opened from the previous task. If you look at the bottom of the page, you should see an actions button. Click it. Search for FortiClient and then expand the box, you should see many different automation options available ![](https://fabriclab-tech.gitbook.io/files/6W1DJKRyjXtLexXt2ey8) Select where it says "Get All Endpoints" another sub-window should open up, you don't need to enter any data, just click Execute Action ![](https://fabriclab-tech.gitbook.io/files/hrV3E75MJi4DP0gOGKrR) Once the data is loaded, just click the JSON button ![](https://fabriclab-tech.gitbook.io/files/KiyQe5a6unXs8Q2QGKoS) This FortiSOAR instance can get quite busy because it's a shared instancemeaning that you might see multiple FortiClient hosts I recommend entering "EndGame" in the filter box. Your looking for the device ID it should be 227. You will need to remember this for the next task At the bottom, click 'Actions' and search for "FortiClient" ![](https://fabriclab-tech.gitbook.io/fabric-lab/~gitbook/image?url=https%3A%2F%2F4195486220-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FBuGANls9sCzGfNwYlECu%252Fuploads%252FKBwEOcZVICFge25IxGC1%252Fimage.png%3Falt%3Dmedia%26token%3D1deb014f-b878-4a4f-a921-198e4611128b&width=768&dpr=4&quality=100&sign=68f46a44&sv=2) 1\. Click where it says 'FortiClient EMS' 2. This time, find the Action "Create Custom Tag" 3. Under Tag Name enter "WannaCry" 4. Under Device ID Enter the ID you collected in the previous steps ![](https://fabriclab-tech.gitbook.io/files/blsXNcinw6s8G21tOSD9) On clicking "Execute action," you should get confirmation with the success message ![](https://fabriclab-tech.gitbook.io/files/iNxTE6BAEGljz5jW9cIm) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-forticlient.md). # Defence - FortiClient Using the hyperlink log into \[FortiClient EMS\](https://10.222.101.40/#/endpoints/page) \`Username: FabricSolutionsLab / Password: Fortinet1!\` On the left-hand pane, you should see EndPoints > All EndPoints click that, you should see a device called EndGame, click it. ![](https://fabriclab-tech.gitbook.io/files/mOH3QyJBtKwGuylW3rGk) As you can see under classification tags, you can see the WannaCry entry. These can be used for all sorts of functions, such as automatically segmenting the device based on the WannaCry tag into its own isolated network. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisiem.md). # Defence - FortiSIEM Please log in to \[FortiSIEM\](https://10.222.101.28/phoenix/login.html) using the hyperlink. \`Username: EndGame / Password: Fortinet1! / Org: EndGame\` In the top navigation bar, if you click "Incidents," the alter the list option to be by "time" ![](https://fabriclab-tech.gitbook.io/files/2ng9IwDIrUaNMHRPIRCw) You can see that FortiSIEM also has an understanding of the attack. This is via it sending syslog to the FortiSIEM Log Collector inside the Fabric Studio instance, which then forwards to the main FortiSIEM supervisor. The important information to us is the ID that is next to the severity column, please take a note of this, we will need this to import the incident into FortiSOAR as a event. {% hint style="warning" %} Your ID will likely be different however as a example ours is 86396 {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2.md). # Attack & Defence #2 - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/scenario-story-narrative.md) - \[Attack - RDP Host\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/attack-rdp-host.md) - \[Defence - FortiDeceptor\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortideceptor.md) - \[Defence - FortiSIEM\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisiem.md) - \[Defence - FortiSOAR\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisoar.md) - \[Defence - FortiGate\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortigate.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortideceptor.md). # Defence - FortiDeceptor Please log in to \[FortiDeceptor \](https://10.222.101.29/halo/login?returnUrl=%2F)using the hyperlink. \`Username: admin / Password: Fortinet1!\` On login, if you use the left-hand pane sidebar to browse to Incident > Analysis You should see the RDP event that you just created. ![](https://fabriclab-tech.gitbook.io/files/CzisjMJhoJ0F3Gb5j6Q2) Double-click it for more information, you can see an exact timeline and the credentials used to actually log in. ![](https://fabriclab-tech.gitbook.io/files/B7zcn3DcuIeZASLvcBK0) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/attack-rdp-host.md). # Attack - RDP Host Open your Fabric Studio instance, locate the object "External Attacker ", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance. On the desktop, you should see a remote desktop icon. Double-click it. ![](https://fabriclab-tech.gitbook.io/files/NdGLurnz0DY8rlB92e5l) Select either 10.222.102.223 or 10.222.102.224, click "Connect" and press "Yes" on the next pop-up. ![](https://fabriclab-tech.gitbook.io/files/J4hepsqQyl3vev6AjKF6) Try and use your credentials that you found on the dark web to log into the administrator account \`Username: Administrator / Password: Fortinet1!\` this will fail! however, not to worry. You also have some credentials for Fabric Lab click this user and then enter the same password as above \`Password: Fortinet1!\` ![](https://fabriclab-tech.gitbook.io/files/8la0twRZPsRyl36RXrmK) Eventually you should log in ![](https://fabriclab-tech.gitbook.io/files/uXCjjsqIJFcmAC2o41em) At this point, you don't need to do anything other than close the RDP session, this is done by clicking the 'X' in the middle at the top of the page. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/scenario-story-narrative.md). # Scenario - Story/Narrative You are a malicious threat actor who has obtained some credentials via the dark web to an RDP server that might be publicly exposed. You attempt to exploit these credentials by establishing an RDP connection to the server. What you don't know is that the RDP server that you are actually connecting to is a honeypot spawned by FortiDeceptor. The internal IT department is now onto you, with your every move being logged. However, we don't have the time to just sit and watch. There's actually various other products in FortiSIEM, FortiSOAR, and FortiGate ready to respond in an automated way, as you go through the scenario, you will see this. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortigate.md). # Defence - FortiGate Please log in to \[FortiGate\](https://10.222.101.31/firewall/policy/policy/standard) using the hyperlink. \`Username: admin / Password: Fortinet1!\` If you look at the left-hand pane, Policy & Objects, Firewall Policies On the part1 to port1 You should see a firewall policy as below that has a destination which is the dynamic address object "FSOAR-DYN-BLK-GRP" ![](https://fabriclab-tech.gitbook.io/files/N03LlmzcXg1qV4bobzUK) If you hover over "FSOAR-DYN-BLK\\\_GRP" you will see that the 10.222.102.45 address has been added to the address group, this is the source IP address of the host that accessed the RDP decoy. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3.md). # Attack & Defence #3 - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/scenario-story-narrative.md) - \[Check - Windows Host\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/check-windows-host.md) - \[Show - FortiClient EMS\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-forticlient-ems.md) - \[Show - FortiGate\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-fortigate.md) - \[Access - Webserver\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/access-webserver.md) - \[Review - FortiAnalyzer\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/review-fortianalyzer.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/scenario-story-narrative.md). # Scenario - Story/Narrative You are a rogue user who likes to push the boundaries of the IT department, historically this has included trying to tamper with and disable various protections including Windows Firewall, FortiDLP & FortiEDR. Historically this hasn't always been trackable by the IT department because the user's identity hasn't always been known, for a long time the company was using computers that were not domain joined and local users... resulting in logs being very unusable as the admin just sees an IP address, they then need to access the DHCP server to find out who received that IP address at the specific time, think about this: when you have thousands of users it's not very scalable, is it? The IT department has started to roll out Active Directory and FortiClient with the Single Sign-on Mobility Agent (SSOMA) enabled, on login and log off this collects the user's username and ties it to the IP address, this also includes if the user switches from a wired to wireless connection. This information is shared with FortiAuthenticator that then shares with all downstream FortiGate appliances using FSSO. This collection of data is done natively via FortiClient, we are not polling the Active Directory servers directly (however it's possible) as we opted to reduce the load on the AD Servers and making this much more scalable. As a result of these recent changes the administrators now have the correct username visible in logs such as the local FortiGate & FortiAnalyzer. This means that we can reference AD groups for example in firewall policies, or we could increase the posture further by referencing ZTNA security posture tags in firewall policy. The IT team is now mandating the deployment of the following scenario, access to internal web servers needs to be controlled via security tags that are propagated via FortiClient as an example only endpoints that have FortiEDR and FortiDLP running are able to achieve this, in the event of this changing as a example a user tries to tamper with either of these two products then the tag is to be removed and the session should be terminated \*\*immediately.\*\* This is a major shift away from source and destination based firewalling, where the posture of the device itself is not taken into consideration. In the new world it is and it's far more secure! --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/scenario-story-narrative.md). # Scenario - Story/Narrative As a company you become conscious of your users using AI prompts, while it's also understood that this can be more efficient, there's also a large concern around confidential and private data being inputted into the data lake that competitors could potentially exploit. As such there's been a C-level decision as part of phase one to monitor all AI access, within the company. Once this data has been collected, we'll then move to phase two where restrictions will be implemented. During this scenario you will play the role of a user trying to access various AI prompting sites (Gemini, Grok, Ect) you will see how various Fortinet products are able to aid in defence (FortiGate, FortiDLP) and how this can be viewable in consolidated reports (FortiAnalyzer). --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4.md). # Attack & Defence #4 - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/scenario-story-narrative.md) - \[Access - Windows Host\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/access-windows-host.md) - \[Show - FortiGate\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortigate.md) - \[Show - FortiDLP\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortidlp.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox.md). # FortiMail & FortiSandbox - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/scenario-story-narrative.md) - \[Defence - Scenario Steps\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/defence-scenario-steps.md) - \[Attack - Scenario Steps\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/attack-scenario-steps.md) - \[Analyze - FortiMail\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortimail.md) - \[Analyze - FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortisandbox.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale.md). # Certificates at Scale ![](https://fabriclab-tech.gitbook.io/files/DrNFMoarZ1fJDgJ40O9w) Every time we try to roll out SSL deep inspection, our staff see browser certificate warnings. They click through them or call the help desk — both are bad. I need a way to automate this across hundreds of FortiGate Firewalls and Endpoints. Certificate distribution and installation must be fully automated, with no manual work per device. We open new stores often, and staff roam between stores — their devices must trust every site they visit, from day one \*\*Products In-Scope\*\* FortiAuthenticator (FAC) FortiGate (FGT) FortiClient & FortiClient EMS (FCT) \*\*Our Response\*\* Since 2023, more than 95% of all traffic on the Internet is encrypted. That is good news for privacy — and bad news for security teams, because what you cannot see, you cannot protect 100%. Malware, phishing payloads and data theft all travel inside encrypted sessions, hidden from any firewall that only inspects in plain text. Several other scenarios in this lab depend on deep inspection being in place — this scenario is the foundation they build on. Certificate warnings appear because deep inspection works, by design, as a "trusted interception": the FortiGate decrypts the session and re-signs it with its own certificate. If the endpoint does not trust the certificate authority (CA) behind that certificate, the browser warns the user. The fix is not to suppress the warning — it is to build a chain of trust that every device in the business already holds. We deliver that chain in three layers: 1. \*\*FortiAuthenticator as the certificate authority.\*\* FortiAuthenticator hosts the root CA for the whole estate and exposes a Simple Certificate Enrolment Protocol (SCEP) endpoint. SCEP lets each FortiGate fetch the root CA certificate automatically — no engineer copying files between devices. When a new store opens, its FortiGate enrols itself. 2. \*\*A signed sub-CA on every FortiGate.\*\* Each FortiGate generates its own Certificate Signing Request (CSR) for a subordinate CA. FortiAuthenticator signs it, making each firewall's inspection certificate part of one trust hierarchy. The FortiGate then uses this sub-CA in its SSL/SSH inspection profile to re-sign decrypted traffic. 3. \*\*FortiClient EMS pushes trust to every endpoint.\*\* We import the root CA into the EMS default system profile. EMS installs it into the certificate store of every managed endpoint automatically. Because trust is anchored at the root, an endpoint trusts \*every\* FortiGate sub-CA in the estate — so a user who roams from one store to another is trusted at both, with zero reconfiguration. The result: full SSL inspection across hundreds of sites with no warnings, no help-desk tickets, and no per-device manual work. New store? The FortiGate enrols via SCEP. New starter? EMS installs the root CA before they open a browser. And with visibility restored, every other control in this lab — sandboxing, threat detection, data protection — can finally see the traffic it is meant to inspect. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/cio-and-cto-message.md). # CIO & CTO Message \*\*Breachside Shopping Centre — a closing word from the CIO and CTO\*\* When we took this on, Breachside had already been breached. The estate trusted anything inside its walls, our defences were a handful of disconnected tools, and we found out about incidents long after they mattered. We asked you to help us rebuild — not to buy more products, but to make the ones we had work as one. That work is now done. We began with trust, because nothing stands without it. The certificate authority we established gives every device a verifiable identity, and lets us inspect encrypted traffic cleanly across the estate. Everything else was built on it. Our shopfronts are no longer soft targets. The customer-facing applications turn away injection and keep trading through load, and both inbound routes — email and web download — are now intercepted and detonated before anything reaches a member of staff, all through the same analysis engine. That shared engine is the difference between owning tools and running a fabric. We have also closed the gap that worried us most: what leaves, not just what arrives. We can see how AI and sensitive data are being used, on the wire and on the device, and we coach our people before we penalise them. Where something moves laterally inside the estate, our own decoys catch it and flag the device automatically. Most importantly, all of that now feeds a single decision. Access is no longer granted by where someone sits on the network — it is earned continuously, from the health and behaviour of the device asking for it. Trust is proven, not assumed. Breachside is no longer a building that had been broken into. It is a security fabric that defends itself. Before we close, we would ask two things of you, both set out on the next page. The first takes a moment and shapes whether engagements like this happen again — if the time here was well spent, that is the place to say so. The second goes to the people who designed these scenarios, and is where candid detail matters most: what worked, what was unclear, and where it could be sharper. Looking ahead, we fully intend to keep this momentum going. Building on the foundation now in place, our roadmap includes reviewing how AI can further assist us—specifically by streamlining and automating event correlation and further automating the response across multiple products. We will be in touch soon to scope it, and a formal customer statement will follow shortly. {% hint style="warning" %} \*\*\\\[Easter Egg Detected\]:\*\* If you're currently clicking through multiple products trying to correlate events manually, hold tight. Next year, the machines are taking over that entire chain reaction. Be nice to them! {% endhint %} With our thanks, \*— Office of the CIO & CTO, Breachside Shopping Centre\* --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-remote-ca-configuration.md). # FortiGate (FGT) Remote CA Configuration First, Carat & Co's FortiGate needs to know who to trust. In this step, we point it at the FortiAuthenticator's SCEP service, and it fetches the root CA certificate on its own — exactly what would happen automatically at every new store Breachside opens. {% hint style="info" %} FortiGate (located inside Fabric Studio: right click it and access it HTTPS): Username: admin Password: fortinet4A!! {% endhint %} Before we begin, we need to disable a firewall policy that was used for the initial provisioning of this instance. On the FortiGate, go to Policy & Objects > Firewall Policy. You will see a policy named Disable Me — select it and click Disable. ![](https://fabriclab-tech.gitbook.io/files/MNlUyn0lKgQzTa7Eiy2v) The policy should now appear greyed out, as below. ![](https://fabriclab-tech.gitbook.io/files/6UlVFnFGVAo5Ms1ITfBk) {% hint style="danger" %} The root CA has already been configured on the FortiAuthenticator — \*\*you do not need to create it\*\*. In a real deployment, this is a one-time setup task for the whole estate. You only need to complete the steps below. {% endhint %} On the FortiGate, go to System > Certificates. In the top-left corner, select Create/Import > CA Certificate. ![](https://fabriclab-tech.gitbook.io/files/FExX8Y3VuDLAiuHxa73H) You will see the window below. Select Online SCEP, and in URL of the SCEP server, enter the following \`http://10.222.101.26/app/cert/scep/\` and click OK This is the automation moment: the FortiGate contacts the FortiAuthenticator's SCEP endpoint and downloads the root CA certificate itself. No file was exported, emailed, or copied by hand — and this is what removes the per-device manual work when Breachside opens its next store. ![](https://fabriclab-tech.gitbook.io/files/s76L7fhiyLXbNfTZnsnf) After a few moments, you will be returned to the Certificates page. Under Remote CA Certificates, you should now see CA\\\_Cert\\\_1 / CN = FabricLab Internal Security CA. The FortiGate now trusts Breachside's internal CA. ![](https://fabriclab-tech.gitbook.io/files/PdpwlIWWeEErCwL9cinm) Side note: the name CA\\\_Cert\\\_1 is auto-generated. If you want to rename it to something more meaningful, you can use the CLI commands below. In a large estate, a clear naming convention matters ![](https://fabriclab-tech.gitbook.io/files/NbxinfTG0WeD11VcU0Dr) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/scenario-story-narrative.md). # Scenario - Story/Narrative The organisation you are working for has a selection of remote workers and contractors.This has become an issue with installing client-side protection, so instead we have rolled out a proxy deployment. One of your users has gone a little bit rogue and they accessed a file server that has a selection of malware to be downloaded. Unfortunately, the user doesn't realise that the web browser traffic is being sent to a Proxy (FortiProxy) which then has an integration with a Sandbox (FortiSandbox) appliance, on trying to download the malware, you will notice that there is a delay this is because the file is being sent to FortiSandbox for analysis and a verdict. As part of this scenario, you will conduct both the attack and the defence. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortigate.md). # Show - FortiGate Start by logging into the Fabric Studio instance, locating the object "FortiGate", right-clicking it, access, and then HTTPS, this should open a new browser tab with the FortiGate UI. \`Username: admin Password: fortinet4A!!\` Using the left-hand pane navigate to Dashboard > FortiView AI applications ![](https://fabriclab-tech.gitbook.io/files/0qCYWDhZy0u2TIGnNYbz) As you can see we have identified Gemini, however if you double click into it, you can get more information, this includes the username that was used to log in to Gemini ![](https://fabriclab-tech.gitbook.io/files/O48kjnTQoT01cQnUJXmc) We also capture the data centre location that was used, this is useful for companies that potentially might have restrictions around this ![](https://fabriclab-tech.gitbook.io/files/suQeo7Qa01vppbYyhQTk) If you click View session logs, you can actually see the prompt that the user entered ![](https://fabriclab-tech.gitbook.io/files/knpYGCElFMDtK15llB5p) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/feedback.md). # Feedback If you are attending an event (Such as Xperts), we ask that you provide two sets of feedback as outlined below. If you are not attending a event just skip to Feedback 2! ### Feedback 1 - Event App Feedback (I.E Xperts): \* Where it goes: Directly to the central marketing and event planning teams. \* Why it matters: This data determines our presence at future events. If you value these sessions and want to see our team on the agenda next year, completing this quick survey via your event app is the most effective way to ensure we return. ### Feedback 2 - Portal Feedback: \* Where it goes: Straight to the technical creators behind the Fabric Solutions Labs. \* Why it matters: We thrive on granular, highly technical insights. Because our labs are constantly updated, your direct feedback allows us to make immediate adjustments and build the exact content you need for next year. > Our Commitment: We don't just collect data—our team thoroughly reviews every single piece of portal feedback to drive real updates. How to submit Lab Feedback: Log into the self-serve portal you used to access your lab resources, and click the Lab Feedback button. ![](https://fabriclab-tech.gitbook.io/files/CEOlWi6Q35HJ9eGpLlAV) You will then be redirected to a form ![](https://fabriclab-tech.gitbook.io/files/aSApWUD46vCQMY47azxW) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-request.md). # FortiGate (FGT) CSR Request Trust flows downwards. The FortiGate now asks to become a certificate authority in its own right — a subordinate CA, signed by Breachside's root. In this step, we generate the request; the signing happens in the next step. On the FortiGate navigate to System > Certificates in the top left-hand corner select Generate CSR. {% hint style="info" %} FortiGate (is located inside Fabric Studio: right click it and access using HTTPS): Username: admin Password: fortinet4A!! {% endhint %} {% hint style="danger" %} Where it says IP and Subject Alternative Name (SAN), you must replace the value with your unique Pod IP. This is always 10.237.10.x, where the last octet is your Pod number. Your Pod number is shown in the portal you used to access this lab guide. In the example below, we are using Pod 47. Please configure as below, ensure you change the information do not just copy the screenshot. \*\*Certificate Name:\*\* DPI\\\_SubCA \*\*IP:\*\* \\ (i.e. 10.237.10.\*\*N\*\*) \*\*SAN:\*\* IP:\\ (i.e. IP:10.237.10.\*\*N\*\*) where \*\*N =\*\* your unique pod number {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/445qtHDsN9TWDSayWlBH) {% hint style="info" %} A quick note on what you are filling in: the Common Name (CN) and SAN identify who this certificate belongs to. Browsers check these fields when deciding whether a certificate matches the device presenting it — which is why your Pod IP must be correct here, and why getting these fields right matters just as much in a real deployment. {% endhint %} Click OK. You will be returned to the Certificates page, where the request you have just created will show in a pending state — pending because the certificate does not exist yet. A CSR is only a request: it must be signed by a certificate authority before it becomes a usable certificate. Select it and click Download. A file named DPI\\\_SubCA.csr will download to your machine. ![](https://fabriclab-tech.gitbook.io/files/A8fYm2PWHv8i3iimmrSH) In the next step, we take this request to the FortiAuthenticator — Breachside's root CA — to be signed. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/show-fortidlp.md). # Show - FortiDLP Please log in to \[FortiDLP\](https://ftnt-fabric-cse.reveal.nextdlp.com/) using the hyperlink. \`Username: fabriclab / Password: Fortinet1!Fortinet1!\` Once you're logged in, if you look on the left-hand pane navigate to "SaaS apps" and click it ![](https://fabriclab-tech.gitbook.io/files/z6I5Xo5Z0Dd98ySOmA2V) As you can see in the screenshot, Grok, OpenAI, and Gemini have all been detected, if you click one of the entries, for example, we've used Grok here and then select Activity Feed you can find a summary of the user that used this AI Chatbot. ![](https://fabriclab-tech.gitbook.io/files/VSeUTpCCK5Wv6t9TavT4) The account username and other bits of metadata are also logged. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/versions-access-and-credentials.md). # Versions, Access & Credentials As previously mentioned, within Fabric Solutions Labs, we have the concept of devices that live inside Fabric Studio (Dedicated to each user) and shared devices that live outside a Fabric Studio. The operating versions are constantly updated for both, below is a table of the current operating versions of the products that you will use inside this lab. For the shared resources, each product has a clickable hyperlink and a backup username and password, a clickable link is included in each scenario or alternatively, you can use the \[Shared Resource Launcher\](/fabric-solutions-lab-shopping/shared-resource-launcher.md) {% hint style="danger" %} There are two FortiGate appliances inside this lab environment. Ensure that you read the documentation carefully to connect to the right one each time. {% endhint %} ### Dedicated | Product Name | Version | Location | Username | Password | | --- | --- | --- | --- | --- | | FortiWeb (FWB) | 8.0.3 | Inside Fabric Studio | admin | fortinet4A!! | | FortiADC (FAD) | 8.0.2 | Inside Fabric Studio | admin | fortinet4A!! | | FortiGate (FGT) | 8.0.0 | Inside Fabric Studio | admin | fortinet4A!! | | FortiMail (FML) | 8.0.0 | Inside Fabric Studio | admin | fortinet4A!! | | Debian13\_MCP\_Client | 13 Trixie | Inside Fabric Studio | | | | Debian13\_MCP\_Server | 13 Trixie | Inside Fabric Studio | | | | Debian13\_MCP\_Webserver | 13 Trixie | Inside Fabric Studio | | | | Host\_Win11\_Internal | Windows 11 Pro | Inside Fabric Studio | | | \### Shared | Product Name | Version | Location | Username | Password | | --- | --- | --- | --- | --- | | [FortiAuthenticator (FAC)](https://10.222.101.26/) | 8.0.3 | Outside Fabric Studio | admin | Fortinet1! | | [FortiAnalyzer (FAZ)](https://10.222.101.35/) | 8.0.0 | Outside Fabric Studio | admin | Fortinet1! | | [Shared FortiGate (FGT)](https://10.222.101.31/) | 7.6.7 | Outside Fabric Studio | admin | Fortinet1! | | [FortiProxy (FPX)](https://10.222.101.27/l) | 7.6.6 | Outside Fabric Studio | admin | fortinet4A!! | | [FortiSOAR (FSR)](https://10.222.101.22/login/) | 7.6.6 | Outside Fabric Studio | csadmin | Fortinet1! | | [FortiClient (FCT)](https://10.222.101.40/) | 7.4.7 | Outside Fabric Studio | FabricSolutionsLab | Fortinet1! | | [FortiSIEM (FSM)](https://10.222.101.28/) | 7.4.2 | Outside Fabric Studio | admin | Fortinet1! | | [FortiDeceptor (FDC)](https://10.222.101.29/) | 6.1.0 | Outside Fabric Studio | admin | Fortinet1! | | [FortiSandbox (FSA)](https://10.222.101.23/) | 5.2.0 | Outside Fabric Studio | admin | Fortinet1! | | [FortiPAM (FPAM)](https://10.222.101.36/) | 1.9.0 | Outside Fabric Studio | Pod | Fortinet1! | | [FortiDLP (FDLP)](https://ftnt-fabric-cse.reveal.nextdlp.com/) | SaaS | Outside Fabric Studio | FabricLab | Fortinet1!Fortinet1! | --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/centralised-logging-dailygrind.md). # Centralised Logging — DailyGrind Every product in this scenario made a decision — FortiMail quarantined, FortiSandbox judged, the Fabric shared what it learned. This final step brings all of those decisions into one place, where DailyGrind's team can prove what happened and spot whether one email was a one-off or the start of a campaign. Login your \[FortiAnalyzer\](https://10.222.101.35/) instance {% hint style="danger" %} Username: admin Password: Fortinet1! The FortiAnalyzer is shared between all attendees, but for this scenario you have your own ADOM — make sure you navigate into the one matching your Pod number. In the examples below, we are using Pod47. {% endhint %} Go to Log View > Logs > Fortinet Logs (Tab), click FortiMail, and select the History tab. ![](https://fabriclab-tech.gitbook.io/files/CqLQC6xmfEeFtItTYbPC) This is the full delivery record — every message FortiMail handled for you, with the action it took on each. Both of your attacks are here, alongside the decision that stopped them. Now go to Log View > Logs, click FortiMail, and select the AntiVirus tab. ![](https://fabriclab-tech.gitbook.io/files/xHpN3zWee35mZYkRXXaD) Here is the attachment story: the files from your spoofed IT email, sent to the sandbox, and the verdicts that came back — including the WannaCry detection. This is the evidence a SOC analyst would attach to an incident report. Finally, go to Log View > Logs, click FortiMail, and select the Email Filter tab. ![](https://fabriclab-tech.gitbook.io/files/ZHxGak6oZMBEtItDkRdN) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/tag-driven-ztna.md). # Tag-Driven ZTNA {% hint style="danger" %} This scenario can be conducted on its own. However, it benefits you having finished \[The Trap Inside the Walls\](/fabric-solutions-lab-shopping/the-trap-inside-the-walls.md) and/or \[Coaching, Then Consequences\](/fabric-solutions-lab-shopping/coaching-then-consequences.md) sections as the second part of this scenario uses some Classification Tags that you created with FortiSOAR in the above scenarios. {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/ZqrtvETyRTWDTtWTJLoY) When employees reach our sensitive internal applications, we want the device's security posture taken into account — and if that posture slips, if a device becomes non-compliant, access must be cut off immediately, not at the next login. We also want to make staying compliant something employees actually want to do. We've built an internal food-ordering site called StreetFork as a pilot: staff on a compliant device can browse and order at a staff discount. The moment their device falls out of compliance, the site stops working for them. We think that's a gentler nudge than a policy email — when the discount disappears, people will bring their laptop to IT to find out why. This is just the first pilot; we have many internal applications we'll want to protect this way, each keyed to different tags. We're also mid-rollout on Microsoft Entra ID, so the logged-in user identity is out of scope for now — but build the solution so it's ready to consume that identity automatically when the rollout completes. One design requirement is firm: we need a clear separation between tags generated automatically from real-time posture checks (is antivirus actually running right now?) and administrative tags assigned by IT or a SOAR platform for classification and grouping. Those are two different things, and the system must treat them differently \*\*Products In-Scope\*\* FortiClient & FortiClient EMS (FCT) FortiGate (FGT) FortiAuthenticator (FAC) \*\*Our Response\*\* This is Zero Trust Network Access in its truest form: access is not granted once at the door and then trusted forever — it is re-evaluated continuously, and revoked the instant the device stops meeting the bar. The customer's requirement breaks into three engineering problems: continuous posture evaluation, identity readiness, and a clean separation between two kinds of tag. Continuous posture, enforced at the firewall. Every employee laptop runs FortiClient (FCT), which reports its posture to FortiClient EMS every 30 seconds (configurable). EMS evaluates that telemetry against defined rules — for example, "is FortiDLP running?" — and applies or removes a Security Posture Tag accordingly. The FortiGate (FGT) in front of the protected application consumes those tags through its EMS Fabric Connector and references them directly in firewall policy: no tag, no match, no access. Because the tag is re-checked every cycle, a device that falls out of compliance loses access within 30 seconds at most — access ceases mid-session, not at the next login. This is the mechanism behind the customer's incentive scheme: the StreetFork staff-discount site is simply an internal application whose firewall policy requires a compliance tag. Identity-ready for Entra ID. Identity is out of scope for the pilot, but the design already accommodates it. FortiClient can query the logged-in user and domain and pass that identity, via the Single Sign-On Mobility Agent (SSOMA), to FortiAuthenticator (FAC). FortiAuthenticator then distributes it through Fortinet Single Sign-On (FSSO) to the FortiGate and other Fabric products. When the Entra ID rollout completes, policies can combine who the user is with how healthy their device is — without re-architecting anything. The hook is already in place. Two kinds of tag, deliberately separated. This is the design requirement the customer was most specific about, and the Fabric meets it natively with two distinct tag types. \*\*Security Posture Tags:\*\* are generated automatically by EMS from real-time endpoint checks — a process running, antivirus active, a patch level met. They are dynamic: applied and removed by the endpoint's actual state, with no human involved. \*\*Classification Tags:\*\* are assigned administratively — by the IT team, or by a SOAR playbook via an API call — to mark a device for reasons that can't be read from a live posture check. The tag a FortiSOAR playbook applied to a compromised endpoint in the Catching the Lateral Mover scenario is exactly this kind of tag. A firewall policy can require both at once — a live posture tag and an administrative classification tag — which is how an automatic health check and a human (or SOAR) decision combine into a single access rule. That separation isn't cosmetic: it's the difference between "this device is healthy right now" and "this device has been flagged by something a health check can't see". --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox.md). # FortiProxy & FortiSandbox - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/scenario-story-narrative.md) - \[Attack - Malware Site\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/attack-malware-site.md) - \[Defence - FortiProxy\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortiproxy.md) - \[Defence - FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortisandbox.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortianalyzer-faz-logs.md). # FortiAnalyzer (FAZ) Logs One FortiGate showed you one office. The customer has many sites, and their real question is whether this visibility holds together across all of them. It does — because every FortiGate forwards its logs to FortiAnalyzer, where the whole estate's AI activity is correlated into one view also enables centralised reporting. Login your \[FortiAnalyzer\](https://10.222.101.35/) instance {% hint style="info" %} Username: admin Password: Fortinet1! Be mindful that the FortiAnalyzer is shared between all attendees, but all your individual logs go into an ADOM. Once logged in, please ensure you navigate into the ADOM that matches your Pod number (like Pod47 below) {% endhint %} Navigate to Dashboards > AI Access Visability ![](https://fabriclab-tech.gitbook.io/files/6sj4MEQUV5tB8XhBr99r) This is a dashboard that correlates AI activity across the whole ADOM — and remember, an ADOM can contain many FortiGates. So this single view isn't one firewall's data; it's every site's AI usage in one place. You can see how many users are using AI tools, how many different applications are in play, and — most importantly to the customer — any DLP violations across the estate. {% hint style="info" %} This is the answer to "how does it scale?". On the FortiGate you saw one office in detail. Here, that same detail is aggregated across every FortiGate reporting in — one office or one hundred, the dashboard looks the same and the question is answered the same way. A regional security lead doesn't log into forty firewalls; they open one dashboard and see AI usage across all forty. That is what makes this workable for a business the size of Breachside. {% endhint %} For more detailed reporting, go to Log View > Custom Views, where several views have been pre-created for you. Each isolates one signal: 1. Application\\\_GenAI\\\_1Day shows any GenAI application detected by Application Control. 2. DLP\\\_GenAI\\\_1Day shows any DLP violation matching the expression we set — the 0123456789 pattern. 3. WebFilter\\\_GenAI\\\_1Day shows any GenAI usage caught by WebFilter, where the category is Artificial Intelligence Technology. ![](https://fabriclab-tech.gitbook.io/files/owMeEcP5FWE2LY7iU5Us) {% hint style="info" %} Notice that three independent controls each catch AI usage from a different angle: Application Control by signature, WebFilter by site category, and DLP by content. That overlap is deliberate — if a brand-new AI tool has no application signature yet, WebFilter's category still catches it; if it slips the category, DLP still inspects what's being sent. Layered detection means a tool doesn't go unseen just because one method hasn't caught up with it. For a landscape that adds new AI services every week, that redundancy is exactly what keeps the visibility complete. {% endhint %} That closes the engagement. Walk it back for InkPress's CIO, against everything they asked for. Know who is using which AI tool — done, by Application Control naming each model, with user and destination detail on the FortiGate dashboards. Catch sensitive data leaving — done, by DLP, demonstrated live and ready to switch from monitor to block. Cover staff in the office and working remotely — done, by the Always-On VPN that routes remote traffic through the same policy. And keep the door open to blocking specific models later — done, because the very signatures that monitor today can enforce tomorrow, with nothing new to deploy. The customer didn't want to ban AI. They wanted to see it clearly. Now they can — across every store in Breachside, from a single screen. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture.md). # The Threat in the Picture ![](https://fabriclab-tech.gitbook.io/files/WlrCntMNLxB1NJXqKOcJ) DailyGrind's staff are being hit by a wave of emails that our old email filter passes straight through: a short, polite message with a PDF attached — usually something like 'your MFA needs re-enrolling' — and inside the PDF is a QR code. To a filter, it's a clean email with a clean attachment; there is no link to inspect, because the link is hidden inside a picture. Staff scan the code with their phones, land on a phishing page, and type in their username and password. We need email security that actually opens these attachments, reads the QR codes, and judges where they point — before the mail ever reaches an inbox. If the URL is classified as phishing, quarantine the email. Secondly, staff are receiving carefully crafted emails that appear to come from our own IT department — sent from lookalike addresses such as , one dot away from our real domain, dailygrind.cafe. They carry instructions and attached scripts, often sophisticated and zero-day — no known signature — so we need them passed somewhere for deeper analysis. And when that deeper analysis does discover something new, we don't want the intelligence to stay in one box. Share it with the rest of our stack \*\*Products In-Scope\*\* FortiMail (FML) FortiSandbox (FSA) FortiNDR (FNDR) FortiAnalyzer (FAZ) FortiGate (FGT) FortiProxy (FPX) \*\*Our Response\*\* Quishing — phishing by QR code — works because it moves the malicious link out of the email and into an image, and then moves the click off the protected laptop and onto a personal phone. Most mail filters inspect neither. Our design inspects both halves of the trick. FortiMail (FML) opens the attachments. It is configured to detect QR codes in message bodies and inside PDF attachments, extract the encoded URL, and check it against FortiGuard's web classification before delivery. A URL classified as phishing means the email is quarantined — the user never sees it, so there is nothing to scan. FortiNDR (FNDR) and FortiSandbox (FSA) handle the second wave: attachments with no known signature. The scan chain is tiered by cost. Files that FortiMail's local engine cannot judge go first to FortiNDR, whose neural-network analysis returns a verdict in under a second; only files that remain uncertain are escalated to FortiSandbox for full analysis — up to and including detonation in a sandboxed environment. Fast answers for most files, deep answers for the few that need it. Zero-day doesn't mean invisible; it just means nobody has watched it run yet. The intelligence is shared. When FortiSandbox identifies something new, it generates its own signature — and that database does not stay on the sandbox. FortiGate (FGT) and FortiProxy (FPX) can consume the FortiSandbox database directly through their Fabric connectors, complementing the FortiGuard signatures they already receive. A threat first seen in one email to DailyGrind becomes something the web proxy and the firewall recognise too. One detonation, estate-wide immunity. FortiAnalyzer (FAZ) holds the record: delivery history, QR extractions and classifications, NDR and Sandbox verdicts — one place to establish whether a single email was a one-off or part of a campaign hitting staff across multiple stores, and to hold the evidence for reporting. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortiauthenticator-fac-csr-approval.md). # FortiAuthenticator (FAC) CSR Approval Now we change hats. For this step, you are the certificate authority: the FortiGate's request lands on your desk, and you decide whether to sign it. This is the moment the firewall's sub-CA becomes part of Breachside's trust hierarchy. Login to the \[FortiAuthenticator\](https://10.222.101.26/) {% hint style="info" %} FortiAuthenticator is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance. Username: admin Password: Fortinet1! {% endhint %} Go to Certificate Management > Certificate Authorities > Local CAs and select Import. Choose CSR to sign and fill in the details. Make sure you change the first part of the Certificate ID to include your unique Pod IP. Example Name: \`10.237.10.47\_DPI\_SubCA\` This naming step matters: because everyone shares this CA, your Pod IP is what separates your certificate from everyone else's. It is the same discipline a real estate needs — one CA, hundreds of certificates, and a naming convention that tells you instantly which device each one belongs to. Upload the .csr file you downloaded in the previous step, \[FortiGate (FGT) CSR Request\](/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-request.md). The example below shows how it should look: ![](https://fabriclab-tech.gitbook.io/files/nZdYukLT20mY82RcMcsI) Click Import. You will be returned to the Local CAs page. Select the Certificate ID you have just created and click Export Certificate. A .crt file will download to your local host. ![](https://fabriclab-tech.gitbook.io/files/6DHz0gbCfYGPxNFBk6qj) {% hint style="info" %} During busy sessions, you will see many certificates in this list — this lab supports up to 50 attendees at once. Look at the list for a moment: every entry is another "store" going through the same enrolment you just completed. This is the scale point of the scenario, happening live in front of you. In the event of a duplicate name already being present that matches your assigned pod, just select it and click delete. {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortiweb.md). # Analyze - FortiWeb Using your Fabric Studio instance, if you open up FortiWeb, this is done by right-clicking it, access > HTTPS \`Username: admin / Password: fortinet4A!!\` Once you're logged in, if you use the left-hand navigation pane, under Log & Report > Log access > Event {% hint style="info" %} Create a filter for "Action" 'sandbox-send-file' {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/vy4u6QfoPePVHxNiUdJZ) You can see that the file was indeed passed to FortiSandbox and the verdict that was returned. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-trying-to-disable-fortidlp.md). # Attack - Trying to Disable FortiDLP As a result of the pop-ups that the user has seen, panic sets in, and they then try to gain an understanding of how to disable the FortiDLP agent via a web search. Using the same browser instance, simply type disable FortiDLP into the search bar and press return to conduct the search. ![](https://fabriclab-tech.gitbook.io/files/U01ZbJaFbeIVZC5UcN3W) Almost immediately, you will be met with this block page as below. FortiDLP is actually quarantined the endpoint completely ![](https://fabriclab-tech.gitbook.io/files/62wSoocCmSdokSf684J3) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/how-does-this-scale.md). # How does this scale? DailyGrind's CIO asked for one more thing: when deeper analysis discovers something new, don't let that knowledge stay in one box. This page is where that requirement is met — and where a single email to one coffee shop becomes protection for the \*\*entire estate\*\*. Here is the idea. When FortiSandbox detonates a genuinely new threat — a zero-day with no existing signature — it does not just block that one file. It generates its own signature for the threat and stores it in its local database and that database can be shared. Many Fortinet products have a native Fabric connector to FortiSandbox, allowing them to consume those signatures and use them alongside the FortiGuard intelligence they already receive. The local engine catches what FortiGuard already knows; the FortiSandbox feed adds what your own environment has just discovered. Think about what that means for Breachside. WannaCry arrives in an email to DailyGrind. FortiSandbox judges it, generates a signature, and shares it. Minutes later, if the same file appears as a web download at PackTrack, the FortiProxy already knows it is malicious — without ever sending it to the sandbox. One detonation, and every connected product across the mall is now immune. The first store to be attacked protects all the others. Let's look at where this is configured across the stack. \*\*FortiGate (FortiOS 8.0)\*\* ![](https://fabriclab-tech.gitbook.io/files/KLoetoanWgzyjx6rCCyw) On the FortiGate, the FortiSandbox connector lets the firewall pull verdicts from the sandbox database, complementing its own AntiVirus engine. A file crossing the firewall can be checked against everything the sandbox has learned. \*\*FortiProxy (v8)\*\* ![](https://fabriclab-tech.gitbook.io/files/7ELfCY8JYnFCjDPB2iGV) The FortiProxy works the same way — the same sandbox intelligence you saw protect downloads in the Stopping Patient Zero scenario is enriched by every new verdict the sandbox generates. \*\*FortiMail (v8)\*\* ![](https://fabriclab-tech.gitbook.io/files/uANqh5hgwZ7G4UTzgJNL) FortiMail is configured slightly differently, and it is worth understanding why. Instead of a "use the FortiSandbox database" toggle, you control the behaviour through the FortiSandbox integration itself. If you want FortiMail to rely on the sandbox database without submitting files, you instruct it not to pass files to the sandbox. FortiMail then understands that an integration exists, and whenever its local AV engine cannot match a signature, it makes an API call to check the FortiSandbox database before deciding. Same outcome, reached a different way. This is the Fabric working as one system rather than a set of separate products. Each appliance still does its own job, but they share what they learn — so the intelligence gathered at one store, in one product, raises the defences of every other. That is what "scale" really means here: not just more boxes, but boxes that get smarter together. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiweb-fwb-results.md). # FortiWeb (FWB) Results You asked a question and got silence. The chatbot didn't crash, the database didn't refuse — something in between made a decision. Let's go and find the evidence. Back on the FortiWeb, go to Dashboard > Status and find the Attack Log widget. You should see one entry — provided you clicked the orange button! ![](https://fabriclab-tech.gitbook.io/files/cscDeItsNxh1nYFn4QNr) Double-click the log entry for the full detail. FortiWeb blocked the request because the payload contained a raw SQL query — a \`SELECT\` statement — travelling inside the MCP message. That behaviour matches a known SQL injection signature, and the request was flagged and blocked automatically. Take a moment with this log, because it tells the whole story of the attack. The question typed into the chatbot looked like text, but the MCP request it produced was carrying a database command. If it had reached the MCP server, the server would have run it with the chatbot's full database privileges — and the attacker would have walked away with data the chatbot was never meant to reveal. Instead, the FortiWeb — sitting silently in the path, speaking MCP, checking every message against its signatures — stopped it before the database ever saw it. Worth noticing, too, what this didn't require: no changes to the chatbot, no changes to the MCP server, no agent on either host. The out-of-the-box MCP protections you reviewed two steps ago did this on their own. This log entry exists in one more place — and for FortiStores's plans to scale, that other place matters more. On to the FortiAnalyzer. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai.md). # Who's Talking to the AI? {% hint style="danger" %} \*\*Important!\*\* This scenario has a pre-requisite: you must have completed the steps in \[Certificates at Scale\](/fabric-solutions-lab-shopping/certificates-at-scale.md)before. This ensures that we can really see inside the packets via deep-packet-inspection. If you have not already done that scenario, conduct it first. {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/GijGnAfdpGA1osRYvZ7C) Half our workforce is already using ChatGPT, Gemini, Grok, Copilot and others. I need to know who is using what — and ideally to stop sensitive data leaving — whether staff are in the office or working remotely. To be clear: we do not want to block AI outright. For now, we just want to monitor it. We embrace the productivity AI brings, as long as it is controlled — though we do have concerns about a few specific models \*\*Products In-Scope\*\* FortiGate FortiClient FortiAnalyzer \*\*Our Response\*\* The customer's request is visibility first, control later — see who is using which AI tool, catch sensitive data on its way out, and keep the option to block specific models open without committing to it yet. The Fabric delivers this without deploying anything new, because the FortiGate already sees the traffic; it simply needs to be told what to look for. \*\*Deep inspection makes AI traffic readable.\*\* The FortiGates across the estate already perform deep packet inspection on traffic that crosses them — using the DPI certificate from the \[Certificates at Scale\](/fabric-solutions-lab-shopping/certificates-at-scale.md) scenario. Almost all AI traffic is encrypted, so without inspection the firewall would see only "a connection to openai.com", not what was sent. With it, the actual content becomes visible — which is what makes everything below possible. \*\*Application Control identifies the specific tool.\*\* FortiGuard's application signatures recognise individual AI services by name — ChatGPT, Gemini, Grok, Claude and thousands more — so the firewall reports not just "AI usage" but exactly which model each user reached. This is what answers the customer's concern about specific models: you can see them individually, and the same signatures that identify a model today can block it tomorrow, with no new architecture. \*\*Data Loss Prevention catches sensitive content.\*\* A DLP profile inspects what is actually typed into these tools and matches it against patterns — code secrets, PII, or a custom expression — in either monitor or block mode. FortiGuard also distributes maintained DLP pattern sets for specific data types and countries as a service, so the customer doesn't have to write the expressions themselves. The customer asked to monitor for now; DLP gives them the switch to enforce whenever they choose. \*\*Always-On VPN extends the same policy to remote workers.\*\* Staff working from home are covered by an Always-On VPN through FortiClient, which routes their traffic back through the same FortiGates. The in-office and remote experience are identical because the policy is identical — there is no gap for "I'll just do it from home". This directly answers the customer's "in-office or remote" requirement. \*\*FortiGate dashboards and FortiAnalyzer provide the visibility.\*\* The FortiGate's FortiView AI dashboards show AI usage live — by application, by user, by data-centre destination. All logs forward to FortiAnalyzer, where an AI-access dashboard correlates activity across every FortiGate in the estate, so the picture holds whether the customer has one site or hundreds. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/defence-internal-mailbox.md). # Defence - Internal Mailbox Open your Fabric Studio instance, locate the object "Inside Host", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance. If your asked for a Username & Password for inside host its \`Username: fabriclab\\demouser5 / Password: Fortinet1!\` Open Google Chrome, click the Webmail bookmark. Login using \`Username: internal Password: fortinet\` ![](https://fabriclab-tech.gitbook.io/files/vTDS5bzKHVndDvbWGNTV) Press "Log In" You should see a new email that says "FIS test", click it to open it ![](https://fabriclab-tech.gitbook.io/files/sy3tlVQ2gVzGrQLPRzjn) Hover over one of the links. If you look in the bottom left-hand corner, you will notice that the URL has been prefixed to send via FortiIsolator ![](https://fabriclab-tech.gitbook.io/files/H1KPsd6amGujL5QKoeVW) Click any of the links. Proceed through any SSL certificate warnings, until you get to this page, ensure that guest tick box is ticked and then click "Login." ![](https://fabriclab-tech.gitbook.io/files/A1ESD7ImPKjDkaknVxCN) The page that you requested will load via FortiIsolator, however this is being rendered to your browser. Think of it as screenshots being sent to you - you're actually accessing it via a secure, isolated instance meaning that if there was anything malicious, it wouldn't execute directly on your host. It would execute on the virtual instance. ![](https://fabriclab-tech.gitbook.io/files/7NJSxUDSrbCbFb4BoXvk) You know that you've been protected by a FortiIsolator when you see the "I" icon in the top left-hand corner where my mouse is on the screenshot. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue.md). # When Chatbots Go Rogue ![](https://fabriclab-tech.gitbook.io/files/woYbAtsS6TkEqoixumqh) FortiStore, our event space and flagship store, has built an AI chatbot. Customers use it to ask about event speakers and about products in the store. The chatbot is powered by a trained model, and it reaches our backend database through an MCP server. We have heard horror stories about MCP being exploited — attackers tricking chatbots into handing over data they should never reveal. We need a product that sits between the MCP client and the MCP server, sees every message that passes between them, and blocks anything malicious. The logs must go to a central analytics platform, because we expect to roll this out to other stores. One more thing. On high-volume days like Black Friday, FortiStore website becomes unusable. We want a load balancer in front of the web servers, distributing connections across multiple servers — and this must scale too. We can see a future with HA pairs of FortiADC across several deployments, so again: all logs in one central place. \*\*Products In-Scope\*\* FortiWeb (FWB) FortiAnalyzer (FAZ) FortiADC (FAD) \*\*Our Response\*\* AI chatbots create a new attack surface. The Model Context Protocol (MCP) is the channel a chatbot uses to reach real systems — in FortiStore case, the product and events database. That makes it powerful, and it makes it a target: if an attacker can smuggle a malicious instruction through the chat, the MCP server may execute it against the database with the chatbot's full privileges. The user types a question; the database receives an attack. Our answer is to put inspection directly in the path: 1. \*\*FortiWeb as a true transparent proxy.\*\* Using V-zones, the FortiWeb sits invisibly between the MCP client and the MCP server — no IP addressing changes, no application reconfiguration, and no way for traffic to route around it. Every MCP message is forced through the FortiWeb. 2. \*\*Native MCP protection.\*\* FortiWeb understands the MCP protocol itself. Its signature database and poisoning attack protection inspect each request — so an injection attempt hidden inside an innocent-looking chat question is detected and blocked before it ever reaches the database. The user simply never gets an answer; the attack never gets executed. 3. \*\*FortiAnalyzer as the central brain.\*\* Every FortiWeb event is sent to FortiAnalyzer. As FortiStore model rolls out to other Breachside stores, each new FortiWeb reports into the same platform — one place to see every blocked attack across the estate. For the Black Friday problem, we deploy \*\*FortiADC\*\* in front of the web servers, presenting a single virtual IP and distributing connections round-robin across multiple real servers. The design uses full NAT, which guarantees a valid return path for traffic \*without\* making the FortiADC the default gateway of every web server — a small design decision that makes the solution far easier to drop into an existing network. FortiADC logs flow into the same FortiAnalyzer, so capacity and security are watched from one console. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortigate-fgt-reviewing-dashboards.md). # FortiGate (FGT) Reviewing Dashboards You generated the traffic; now see what the FortiGate made of it. This is where the customer's question — "who is using what?" — gets its answer, on screen, in a purpose-built AI dashboard. Then we'll drill into the DLP block you triggered. On the FortiGate: {% hint style="info" %} FortiGate (located inside Fabric Studio, right click it and access it using HTTPS): Username: admin Password: fortinet4A!! {% endhint %} If you naviate to Dashboard > FortiView > AI Applications (Tab) {% hint style="success" %} New in this FortiOS Version 8 submenus are now tabbed, making it quicker to move between the different views. {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/9LQJNYyPZVoAEgfbjS4I) Here are the AI tools you opened on the Windows host, detected and listed. Look closer at Gemini: you can see the specific AI model that was identified, and if you double-click into it, you get further detail — the username used to log in to the tool (none, in our case) and the data-centre location the traffic was sent to. {% hint style="info" %} Pause on what this view delivers. The customer didn't ask "is AI being used?" — they already knew it was. They asked who is using what. This dashboard answers exactly that: not a vague "AI traffic detected", but the specific tool, the model, the user identity where available, and where in the world the data was sent. For a business worried about which models its staff are feeding, that destination and identity detail is the difference between a concern and a fact. Want to see the username captured too? You can log in to a tool using: Username: Password: Fortinet1! Once logged in, the dashboard can tie the AI session to that identity — turning "someone on this device used Gemini" into "this account used Gemini" {% endhint %} If you navigate across to the FortiView AI Use Cases Tab ![](https://fabriclab-tech.gitbook.io/files/hvMlZVg0vUw6vaMrowx5) This groups activity by what the AI was used for — here, Conversational Assistants. Double-click in for the same depth: logged-in user, applications, data-centre location. The use-case view is useful when you care less about which brand of tool and more about what kind of work is being sent to AI. For the most granular view, go to Log & Report > Security Events and click the specific event type you want. For our example, open the Data Loss Prevention section. ![](https://fabriclab-tech.gitbook.io/files/aMQEVFnJ5cNudQvb9uf3) Remember the \`0123456789\` you typed into a chatbot, and the DLP profile we set to catch it? Here is the proof it worked — the prompt was matched and stopped, logged in full detail. This is the customer's data-protection requirement, demonstrated end to end: sensitive content identified inside an AI prompt, and acted upon. ![](https://fabriclab-tech.gitbook.io/files/Pg1CWdyyhFWqdc1VDAWx) That proves the capability on one FortiGate, watching one office. But the customer has many sites. How does this hold up across hundreds of them? That's the next page. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiadc-fad-configuration.md). # FortiADC (FAD) Configuration The chatbot is protected — now for FortiStores's second complaint: the website that falls over every Black Friday. One server doing all the work is a single point of failure and a bottleneck. The fix is to put a FortiADC in front and share the load. As with the FortiWeb, the configuration is already in place — your job here is to understand the design before you test it. On the FortiADC {% hint style="info" %} FortiADC is located inside Fabric Studio: right click it and access it using HTTPS Username: admin Password: fortinet4A!! \*\*If you are asked to do any setup of the FortiADC, just click Skip/Cancel, until you reach the Dashboard\*\*. The configuration has been done for you. {% endhint %} Navigate to Server Load Balance > Virtual Server and review the configuration. The design in this scenario is deliberately simple. The FortiADC presents a single Virtual IP address — 192.168.2.100 — and this is the only address users ever see or need. Behind it, the FortiADC load balances TCP port 80 connections across two web servers, .2 and .3, using a round-robin algorithm: first connection to one server, next connection to the other, and so on. ![](https://fabriclab-tech.gitbook.io/files/zJmRxxXev7n5PN7pxu9g) ![](https://fabriclab-tech.gitbook.io/files/Njj7hVHxHjiMfjM8KAwF) {% hint style="info" %} One design decision here is worth calling out: we are using Full NAT mode. The FortiADC translates both source and destination addresses, which guarantees that return traffic from the web servers has a valid path back through the FortiADC. The alternative would be making the FortiADC the default gateway of every web server — a change to every server's network configuration. With Full NAT, the web servers stay exactly as they are. This is the kind of detail that makes a solution easy to drop into a customer's existing network. {% endhint %} Go to Server Load Balance > Real Server Pool and review the configuration Here you will find the two real servers behind the Virtual IP — .2 and .3 — hosting identical content. Both live inside your Fabric Studio instance, and they serve multiple purposes across this lab; both acting as webservers for FortiStore. ![](https://fabriclab-tech.gitbook.io/files/b82nTHaez4MJxoxSogvb) And the scale story the customer asked about? This is one FortiADC and two servers — but the pattern is the answer. Need more capacity on Black Friday? Add real servers to the pool. Worried about the FortiADC itself? Deploy an HA pair. Rolling out to more stores? Each deployment reports into the same FortiAnalyzer you will visit shortly. The design grows; the architecture doesn't change. Next, let's prove the round-robin is actually working. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/reviewing-the-logs.md). # Reviewing the logs Back to the defender's chair. You sent two attacks; FortiMail saw both. In this step, you will read exactly what it did with each one — the QR links it extracted and classified, and the script it detonated. On the FortiMail {% hint style="info" %} FortiMail (Located inside Fabric Studio, right click it and access HTTPS Username: admin Password: fortinet4A!! {% endhint %} Navigate to Monitor > Log > AntiSpam (Tab) Find the first email you sent — the one with the PDF. Look at what FortiMail did: it opened the PDF, found the QR code, and extracted the URLs hidden inside it. Each URL has been given an independent FortiGuard classification. Because one of them (As below) is classified as Phishing, the email was quarantined — it never reached the staff inbox. ![](https://fabriclab-tech.gitbook.io/files/khba4YBHuBHsk2IxuFQl) Stop and appreciate what just happened. To DailyGrind's old filter, this was a clean PDF with no links in it. FortiMail looked inside the picture, read the destination the attacker was hiding, and made the call before delivery. The link the user would have scanned on their phone never got the chance. If you now navigate to the Antivirus Tab Here are the two attachments from your second email — the spoofed IT message. Both were sent to FortiSandbox for analysis. Look at the verdicts: one file, \`MFAChecker.exe\`, came back clean. ![](https://fabriclab-tech.gitbook.io/files/6FbtcOjFzB1qG3xN2EbQ) The other, MFAInstallScript.exe, came back malicious. Click it, and a panel opens on the right — take a closer look. ![](https://fabriclab-tech.gitbook.io/files/KmbO2PBk0Sndy4K2Iczr) {% hint style="danger" %} The verdict names the threat: W32/WannaCryptor!tr.ransom — WannaCry, one of the most damaging ransomware families ever seen. A name like "MFAInstallScript.exe", arriving in a message that looks like it came from IT, is exactly how a real user gets caught. FortiSandbox judged it on what it does, not what it claims to be, and quarantined it. {% endhint %} You can confirm the quarantine by clicking the History Tab ![](https://fabriclab-tech.gitbook.io/files/etdsoeoCKLMVUgbmUm73) Two emails, two completely different attack techniques, both stopped before delivery. One inbox protected — and on the next page, we will see why that protection gets stronger every time any FortiSandbox, anywhere, sees something new. {% hint style="info" %} This scan chain also integrates FortiNDR, which applies neural-network analysis to deliver a sub-second verdict on unknown files ahead of full sandbox detonation. The routing between FortiNDR and FortiSandbox depends on file type and verdict confidence, so in this lab you will typically see files analysed directly by FortiSandbox. Both engines feed the same outcome: a definitive verdict before the email is delivered. {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/centralised-logging-fortistore.md). # Centralised Logging — FortiStore If you remember, the customer's requirement was that this must scale — FortiStore is the first deployment, not the last. Protection that works is only half the answer; the other half is being able to see every deployment from one place. That place is FortiAnalyzer. Login your \[FortiAnalyzer\](https://10.222.101.35/) instance {% hint style="info" %} Username: admin Password: Fortinet1! The FortiAnalyzer is shared between all attendees, but your logs are kept separate in your own ADOM. Once logged in, make sure you navigate into the ADOM that matches your Pod number — in the examples below, we are using Pod47. A quick word on ADOMs, because they are part of the scale story: an Administrative Domain is FortiAnalyzer's way of dividing one platform into isolated logical instances — separate devices, logs, and reports per domain. In this lab, one ADOM per attendee. In Breachside's future, the same mechanism could give every store its own view while the CIO and CTO keep sight of the whole estate — one platform, many tenants. {% endhint %} Navigate to Log View > Logs > Fortinet Logs (Tab) > Click FortiWeb (Icon) ![](https://fabriclab-tech.gitbook.io/files/UjGGrYfgFkHdk5jvY9vQ) There it is: the same MCP attack you triggered earlier, now sitting in the central platform. The FortiWeb saw the SQL injection inside the client–server MCP communication and blocked it — and FortiAnalyzer holds the record of the block that stopped someone obtaining far more information than they should have. When FortiStore's chatbot model rolls out to ten more stores, ten more FortiWebs report into this same view. Now click the FortiADC icon and select the Traffic tab — let's find the load-balancing logs. ![](https://fabriclab-tech.gitbook.io/files/22laysNY9E6FToqIn6fR) And there are your balanced sessions. Here's a trick: add a filter for Real Server Name. You will see the traffic alternating between .2 and .3, connection by connection — your round-robin configuration, proven in the logs. That completes the engagement. Walk back through what FortiStore's CIO and CTO asked for: inspection between the MCP client and server, with anything malicious blocked — delivered by FortiWeb as a true transparent proxy, speaking MCP natively. A load balancer to survive Black Friday — delivered by FortiADC, round-robin across real servers, dropped in without touching the web servers. And everything visible in one central place, ready to scale — delivered by FortiAnalyzer, where you have just seen both products' logs side by side. Two very different problems; one Fabric, one console. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-configuration-2.md). # FortiProxy Configuration #2 One more piece of the picture: the AntiVirus profile. This is where FortiProxy is told what to do with the files it extracts from web traffic — and in our case, the answer is "send them to the sandbox". Go to Security Profiles > AntiVirus. You will find a profile called AV\\\_FortiSandbox — double-click it. {% hint style="info" %} You dont need to make any configuration changes, just review the contents. {% endhint %} What you are looking at is the link between the proxy and the verdict. When a download passes through FortiProxy, the file is extracted from the traffic stream and handed to this profile. With FortiSandbox inline scanning enabled here, the profile forwards the file for analysis and holds the download until the verdict returns — the mechanism you read about on the previous page, switched on in one screen. In a production deployment, this profile is also where defence-in-depth lives: the local AV engine gives an instant signature verdict on known malware, and only files that pass it — the unknowns — are sent on to the sandbox. Known-bad is blocked in microseconds; never-seen-before gets detonated. ![](https://fabriclab-tech.gitbook.io/files/pTUC1FRi1vv3XVxnbTSm) {% hint style="info" %} In this lab, we have deliberately disabled the local FortiProxy AV engine, so that every file is passed to FortiSandbox and you can watch the inline verdict process happen. This is not the recommended production configuration — in the real world, you would keep the local engine on and let the Sandbox handle only what the engine cannot judge. {% endhint %} That's the full path configured: browser → FortiProxy → AV profile → FortiSandbox → Verdict → Release or Block. Now we need a browser to send traffic into it. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortidlp.md). # Analyze - FortiDLP Please log in to \[FortiDLP\](https://ftnt-fabric-cse.reveal.nextdlp.com/) using the hyperlink. \`Username: fabriclab / Password: Fortinet1!Fortinet1!\` Once you're logged in, if you look on the left-hand pane, there should be a policy option, Click it. Select the data tracking option and click it (As below) ![](https://fabriclab-tech.gitbook.io/files/jecnwr0FT06dmgJ2AXKG) Along the right-hand side, there should be a "Raise Incident" section. Click the filter icon and select "True." ![](https://fabriclab-tech.gitbook.io/files/pgG66OoEXXN82seSa8Ob) The amount of visible policies will be dramatically reduced ![](https://fabriclab-tech.gitbook.io/files/zrsQKpK3LLHPszztZlgo) Please double-click into both of these policies to show the end user the configuration that has been set and was applied in the previous attack steps. Screenshots can be found below ![](https://fabriclab-tech.gitbook.io/files/16nxVbu9iU463W1laNsL) ![](https://fabriclab-tech.gitbook.io/files/CXxA9Whvj1CwIXaxGdUg) {% hint style="warning" %} It's important, as the presenter, that you provide the end user with a detailed explanation of just how much is able to be configured here. Please ensure that you take the time to expand the boxes and go through the configuration {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/fortimail.md). # FortiMail Before we send any phishing emails, let's look at the mail gateway that will be judging them. The configuration has been done for you — your job here is to update the appliance and understand the two profiles that do the work: one that reads QR codes, and one that sends unknowns to the sandbox. On the FortiMail: {% hint style="info" %} FortiMail (Located inside Fabric Studio, right click it and access it using HTTPS): Username: admin Password: fortinet4A!! {% endhint %} Using the bar at the very top, open the CLI Console ![](https://fabriclab-tech.gitbook.io/files/YfvR0TiGkIiVEcjElWN6) When the console opens, type \`execute update now\` and press Enter. This pulls the latest updates from FortiGuard, so the appliance is judging your emails against current intelligence — exactly what you would do before putting a mail gateway into service. ![](https://fabriclab-tech.gitbook.io/files/XifXSjMp3jWIwbCums9K) Now let's review the configuration. Go to Policy > Recipient Policy. The configuration should match the screenshot below. In plain terms: any email addressed to — DailyGrind's real domain — has the AntiSpam and AntiVirus profiles applied to it before delivery. ![](https://fabriclab-tech.gitbook.io/files/2tPXjeDoDeGHZ987EmkA) Click into each profile and review the settings, starting with AntiSpam. The key setting is at the bottom: Scan PDF attachment. This is what allows FortiMail to open a PDF and look inside it, rather than judging the attachment by its wrapper. ![](https://fabriclab-tech.gitbook.io/files/owIATZemMg9S2f2h1a0I) Opening the PDF is only half the job — extracting URLs from QR codes found inside requires a few CLI commands, which have been applied for you: \`\`\` config antispam settings set qr-code-url-scan-status enable set qr-code-url-scan-option inline-image attachment-image set qr-code-url-scan-pdf enable \`\`\` Read those three lines back, because they are the answer to DailyGrind's first complaint: scan QR codes, in inline images and attached images, and inside PDFs. The link the attacker hid inside a picture is now just another URL for FortiGuard to classify. Now the AntiVirus profile. The configuration here is deliberately simple: files without a local verdict are passed to either FortiNDR or FortiSandbox. ![](https://fabriclab-tech.gitbook.io/files/tVdBcK73wYU0fICOKThm) {% hint style="info" %} For demo purposes, we have disabled FortiMail's local FortiGuard-powered AntiVirus engine, to make sure every file genuinely travels to FortiSandbox in front of you. We found that the FortiSandboxs AV was doing its job a little too well — once a file had been seen once, the local signature database was updated, and subsequent files were blocked locally without ever visiting the sandbox! In production you would leave the local engine on: instant verdicts for known threats, sandbox analysis only for true unknowns. {% endhint %} The gateway is updated, the QR scanner is armed, and the sandbox is connected. Time to write some phishing emails! --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/chatting-to-the-chatbot.md). # Chatting to the Chatbot! Time to play the customer — and then the attacker. In this step, you will talk to FortiStore's chatbot like a genuine shopper, and then try the question that should never be answered. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio! Login your \[FortiPAM\](https://10.222.101.36/) instance {% hint style="info" %} \*\*Username:\*\* Pod\*\*N\*\* \*\*N\*\* = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 \*\*Password:\*\* Fortinet1! {% endhint %} Navigate to Secrets select Shopping-PodN\\\_Host\\\_Win11\\\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/files/7yzx1edlqrR8LVovgg34) ![](https://fabriclab-tech.gitbook.io/files/kWHqArhtPwSFabcSWIA1) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/files/am9djl4IKnFora3wWRo6) This Windows host is your seat inside FortiStore — everything you do from here, you are doing as a user on the store network. Once you arrive at the desktop, double-click the Google Chrome shortcut. We have pre-populated some bookmarks for you — click "ChatBot". Interact with the bot. At the bottom, we have pre-populated some common questions — the kind a genuine customer would ask about events and products. ![](https://fabriclab-tech.gitbook.io/files/T8GFctcBMpR21FQ3xcAM) {% hint style="info" %} Answers can take between 5 and 60 seconds. We are running a local LLM without a GPU — please be patient with it and just ask one question at a time! {% endhint %} Notice what is happening underneath each answer: your question goes to the chatbot, the chatbot uses MCP to query the backend database, and the answer comes back through the same path. Every one of those MCP messages is silently crossing the FortiWeb you inserted in the previous step. One of the pre-populated options is highlighted in orange. That one is an attack. Click it, and you will notice something different: you never get an answer.... The question reached the chatbot — but the MCP request it generated never reached the database. Let's go and find out why. {% hint style="danger" %} Challenge anyone that wants to go off script and wants to ask the questions yourself, you're fine to do this. If you find that you're able to successfully conduct a prompt injection where you do not get a response to the question asked, and in the logs of FortiWeb &/Or FortiAnalyzer sees your prompt as a attack let the instructor know! {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/testing-using-windows-host.md). # Testing Using Windows Host Now the fun part — you become the workforce. You'll open every major AI tool, send a few prompts, and then try to paste something sensitive. The FortiGate is watching all of it; on the next pages you'll see exactly what it captured. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio! Login your \[FortiPAM\](https://10.222.101.36/) instance {% hint style="info" %} \*\*Username:\*\* Pod\*\*N\*\* \*\*N\*\* = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 \*\*Password:\*\* Fortinet1! {% endhint %} Navigate to Secrets select Shopping-Pod47\\\_Host\\\_Win11\\\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/files/7yzx1edlqrR8LVovgg34) ![](https://fabriclab-tech.gitbook.io/files/kWHqArhtPwSFabcSWIA1) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/files/am9djl4IKnFora3wWRo6) This host is your seat inside InkPress, and its setup is the whole point. It sits behind the FortiGate, with its default gateway set to Port 2 of the firewall — so every packet it sends routes through the FortiGate and gets inspected. FortiClient is installed on it, and that's what delivered the DPI certificate from the \[Certificates at Scale\](/fabric-solutions-lab-shopping/certificates-at-scale.md) scenario, allowing the firewall to read its encrypted traffic. In other words: this machine cannot reach an AI tool without the FortiGate seeing it. Once you reach the desktop, double-click the Google Chrome shortcut. You'll see bookmarks for the various AI providers. One by one open them, and for each one enter a prompt of your choosing — just remember what you typed. (In the screenshots, we use "test prompt".) ![](https://fabriclab-tech.gitbook.io/files/NCl0YQIHIHK0zkxLGoMz) {% hint style="danger" %} Please note you may well receive a company violation pop-up from FortiDLP. This is used in one of the other scenarios, simply enter a reason and click OK {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/4jnihTQyLgUgvPnWi0hL) {% hint style="info" %} You're now doing exactly what half the customer's workforce does every day — quietly using a spread of AI tools, with no thought given to whether anyone can see it. The difference is that here, everything you just typed crossed a FortiGate that was reading it. That's the shift from "we know people use AI" to "we know who used which tool, and what they sent". {% endhint %} Now click the ChatGPT tab Occasionally, ChatGPT gets rather busy and they restrict access to only logged-in users. If you encounter this, just click the log-in button and use SSO to login via the Google account and, in the prompt, enter the magic number 0123456789. As you'll see, it's blocked. ![](https://fabriclab-tech.gitbook.io/files/MsGDfefvzpwfp1R3Dvh7) {% hint style="info" %} That block is DLP doing its job. Remember, 0123456789 stands in for real sensitive data — a code secret, a customer record, a card number. In monitor mode, the firewall would have logged this and let it through; here it's set to block, so the moment the pattern appeared in your prompt, the FortiGate stopped it before it reached the AI service. The customer asked only to monitor for now — but you've just proven the block is one setting away whenever they want it. {% endhint %} That's both halves demonstrated: ordinary AI usage that's now fully visible, and a sensitive-data paste that's caught in the act. Let's switch to the FortiGate and see how it all looks from the other side. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox.md). # FortiWeb & FortiSandbox - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/scenario-story-narrative.md) - \[Attack - Webserver\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver.md) - \[Analyze - FortiWeb\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortiweb.md) - \[Analyze - FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortisandbox.md) - \[Attack - Webserver\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver-1.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated.md). # Guilty Until Detonated ![](https://fabriclab-tech.gitbook.io/files/y9QgRYXhMhwa6gfAC20L) Staff at PackTrack — and across our tenant stores — download software constantly during the working day: POS helper apps, supplier-portal browser extensions, label printer drivers, freight tracker utilities, plugins for the various B2B systems each tenant uses. Most of it is harmless. But we have been hit twice in the last year by malicious bundled software that got past our web filtering, because the host site was not on any block list and did not sit in a suspicious category. Our endpoint antivirus did catch it eventually — but by then the file had been on the machine for hours, and in one case it had already reached out to a command-and-control server. We need every executable, installer and archive inspected at the moment of download, with a definitive verdict before the file reaches the user's machine — and that has to include zero-day threats. We expect to roll this out at very large scale, and we want all of the activity visible in one place. \*\*Products In-Scope\*\* FortiProxy (FPX) FortiClient (FCT) FortiSandbox (FSA) FortiAnalyzer (FAZ) \*\*Our Response\*\* The customer's two incidents share one root cause: their controls gave a verdict \*after\* delivery. Reputation filtering judges the website, not the file — and a clean site can serve a poisoned installer. Endpoint AV judges the file, but only once it has already arrived. The gap between download and detection is where both breaches lived. Our design closes that gap: no verdict, no file. \*\*FortiProxy\*\* is deployed as the explicit web proxy for corporate web traffic. It extracts files matching executable, installer and archive types and holds them at the proxy while a verdict is obtained. With inline scanning, the file is released to the user only after it has been judged clean — if it is malicious, the user receives a clear block page instead, and the file never touches the endpoint. SSL deep inspection is enabled, so downloads over HTTPS — which today is essentially everything — pass through the same inspection path. \*\*FortiSandbox\*\* delivers the verdict. Genuinely unknown files are detonated in a sacrificial VM matching the target operating system, while FortiSandbox watches what they actually do: registry writes, network callbacks, dropped files, process injection, persistence attempts. This is what makes the design zero-day-capable — it judges behaviour, not signatures. Every verdict is stored against the file's hash, so the next time anyone in the estate meets the same file, the answer comes back in milliseconds. The user-visible wait only ever applies to genuinely first-seen files. \*\*FortiClient\*\*, managed by EMS, extends the same protection to the paths the proxy cannot see. A user who bypasses the proxy — a misconfigured browser, a USB stick from a supplier — is still covered: FortiClient submits unknown files to the same FortiSandbox and receives the same verdicts, on the endpoint itself. One sandbox, one verdict database, every path covered. \*\*FortiAnalyzer\*\* collects the lot — FortiProxy download decisions, FortiSandbox detonation reports, FortiClient endpoint events — in one place. The SOC gets a single view: this user, on this machine, downloaded this file; the sandbox saw these behaviours; here is the verdict. As the rollout scales to more proxies and additional sandboxes, everything continues to report into the same platform. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-trap-inside-the-walls.md). # The Trap Inside the Walls ![](https://fabriclab-tech.gitbook.io/files/9xiorygI3TUutDCHjk54) When we were breached last year, the attacker was inside our network for weeks before anyone noticed — quietly moving from machine to machine, looking for our payment systems and customer data. Every tool we had was watching the front door. Nothing was watching for someone already inside, moving sideways. We need to catch an intruder the moment they start probing our internal network — with no false alarms to chase — and we need the offending machine cut off automatically, both at the network level and on the device itself, before it can spread. Our security team is small. They cannot watch screens around the clock. \*\*Products In-Scope\*\* FortiDeceptor (FDC) FortiGate (FGT) FortiClient (FCT) FortiAnalyzer (FAZ) FortiSIEM (FSM) FortiSOAR (FSR) \*\*Our Response\*\* \*\*FortiDeceptor\*\* plants decoys across the internal network that look exactly like production systems — Windows RDP servers, VMware hosts, SCADA devices. No legitimate user or process has any reason to touch them. That single fact is what makes deception so powerful: any interaction with a decoy is malicious by definition. There is nothing to tune, no baseline to learn, and effectively zero false positives. The alarm only rings when someone is somewhere they should never be. The moment a decoy is touched, the network shuts the attacker out automatically: 1. \*\*The network shuts the attacker out.\*\* FortiDeceptor passes the alert into the Security Fabric, and a FortiGate automation stitch quarantines the source IP immediately — it loses all network access. Any packet from that address crossing the firewall is dropped at the kernel level, independent of any firewall policy. This happens in seconds, with no human involved. 2. \*\*The endpoint is identified and tagged for action.\*\* In parallel, the path runs through FortiSIEM and FortiSOAR: FortiSIEM's correlation rules recognise the decoy interaction and raise an incident, FortiSOAR enriches it and runs a playbook that applies a tag to the offending endpoint in FortiClient EMS. That tag is the pivot point. In this scenario we use it to mark the device, but a tag in EMS can drive policy directly — moving the endpoint into a restricted or quarantined posture that isolates it locally, so even traffic that never crosses the FortiGate is cut off. The same FortiSOAR playbook can also be extended to trigger that isolation outright. The framework is built; how aggressively you act on it is your choice. \*\*FortiAnalyzer\*\* records the whole timeline — what was probed, from where, and what action was taken — so the small security team investigates \*after\* the event, with a complete picture, rather than scrambling during it. This is the answer to "our team cannot watch screens around the clock": the network response is fully automatic, and the endpoint response is staged and ready. Detection to network containment happens in seconds with no human in the loop; from there, the same Fabric gives the team a tagged, enriched, ready-to-action incident rather than a screen they have to be watching. Last year's intruder had weeks. This time, they are caught the moment they touch the trap! --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-configuration.md). # FortiProxy Configuration Before PackTrack's staff download anything, let's look at the machinery that will judge every file. In this step, you will review how the FortiProxy connects to the rest of the Fabric — the FortiSandbox that delivers verdicts, and FortiClient EMS that tells us who and what is behind every request. Log into your \[FortiProxy\](https://10.222.101.27/) instance {% hint style="info" %} FortiProxy is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance: Username: admin Password: fortinet4A!! {% endhint %} {% hint style="danger" %} Because FortiProxy is shared, you do not need to make any configuration changes — it has all been done for you. Review and understand; don't modify. {% endhint %} Go to Security Fabric > Fabric Connectors. You should see that both FortiSandbox and FortiClient EMS show a Connected status. ![](https://fabriclab-tech.gitbook.io/files/qGdfw9Kw2bBQiUl2cORF) These two connectors are the whole scenario in one screen: FortiSandbox is where files go to be judged, and FortiClient EMS is how identity and device context flow into every decision and every log. Let's look at each. Double-click the FortiSandbox icon to open the Sandbox settings. ![](https://fabriclab-tech.gitbook.io/files/9vMCpdGN0cWeH9LuE5Q0) {% hint style="info" %} The setting that matters here is \*\*Inline Scanning\*\*. Most sandbox deployments work "post-transfer": the user receives the file while it is analysed in the background — so if the verdict comes back malicious, the malware is already on the endpoint. That first victim is "Patient Zero". Inline scanning reverses the order: the FortiProxy holds the file, FortiSandbox delivers the verdict, and only then is the file released — or blocked. No verdict, no file. Zero-day or unknown malware is stopped before it ever reaches an endpoint, which means there is no Patient Zero. {% endhint %} {% hint style="info" %} You may have noticed the second connector: FortiClient EMS. This connection is quietly doing two important jobs. First, it unlocks ZTNA (Zero Trust Network Access) enforcement and posture awareness. FortiProxy now understands the state of each endpoint — and if a device's posture changes mid-session and it is no longer compliant, the session is terminated this is covered in another scenario. Second — and for this scenario, most importantly — EMS shares user identity with FortiProxy. When we review logs later, we will not be staring at bare IP addresses; we will see the user behind each request. At scale, this is the difference between an investigation and an archaeology dig: your analytical tools can answer "what was this user doing, on this day, at this time, across multiple products?" in one query. {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/whos-talking-to-the-ai/fortigate-fgt-configuration-check.md). # FortiGate (FGT) Configuration Check Before we monitor any AI usage, let's confirm the FortiGate is set up to see it. Three things have to be in place: deep inspection to read encrypted traffic, the security profiles that identify AI tools and catch sensitive data, and current FortiGuard signatures. You'll check each one. Nothing to build — this is about understanding what makes the monitoring possible. On the FortiGate navigate to System > Security Profiles > SSL/SSH Inspection {% hint style="info" %} FortiGate (located inside Fabric Studio, right click it and access it using HTTPS): Username: admin Password: fortinet4A!! {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/0WzyueG2y9a8VYABsjwH) Open the deep-inspection-lab profile. Check the configuration matches the screenshot, and confirm it is using the \`DPI\_SubCA\` certificate you created in the \[Certificates at Scale\](/fabric-solutions-lab-shopping/certificates-at-scale.md) scenario. {% hint style="info" %} This is why Certificates at Scale is a prerequisite. AI traffic is encrypted — without deep inspection, the FortiGate sees only that someone connected to a service, not what they sent. The DPI certificate is what lets the firewall open that traffic and read the prompt inside. No deep inspection, no visibility — everything else on this page depends on it. {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/DiHbx91m8XVAjFpCKYJk) If you change anything, click OK. Now, in the left-hand pane, go to Policy & Objects > Firewall Policy. ![](https://fabriclab-tech.gitbook.io/files/Pjdy582n0c7v0TIfYOFF) Ensure that the Disable Me! policy is disabled. If it isn’t, then disable it! ![](https://fabriclab-tech.gitbook.io/files/xsMbgRgrtUk6975bNMdw) Confirm that WebFilter, Application Control and the DLP Profile are all enabled on the policy, and that the correct SSL Inspection profile is selected. These three profiles each answer a different part of the customer's request: Application Control identifies which AI tool is being used, WebFilter recognises AI sites by category, and DLP inspects what is being typed into them. Click OK if you needed to make any change. Now, using the top bar, open the CLI Console in the top right. ![](https://fabriclab-tech.gitbook.io/files/Aqx7dsi9Mi1BSN5N7Dw6) ![](https://fabriclab-tech.gitbook.io/files/HsNLvZyuVBPvgqQpY0lp) {% hint style="info" %} If you want some extra debug commands to see exactly what is happening you can use the below diagnose debug application update -1\\ diagnose debug console timestamp enable\\ diagnose debug enable {% endhint %} In the console, type \`execute update-now\` and press Enter. This pulls the latest signatures from FortiGuard. After 3–5 minutes, go to Security Profiles > Application Signatures — the count should be 3200 or more. ![](https://fabriclab-tech.gitbook.io/files/BvDYtz9Sia4sAVcROyY2) To be certain the AI signatures are present, type into the search box: \`chatgpt, grok, claude, gemini.\` You should see a signature for each. {% hint style="info" %} This is the heart of how the FortiGate tells AI tools apart. FortiGuard maintains signatures for thousands of applications, including individual AI services — so the firewall doesn't just report "AI traffic", it names the exact model: ChatGPT, Grok, Claude, Gemini. That precision is what answers the customer's concern about specific models. Today it powers monitoring; the very same signature can later be used to block a model, with nothing new to deploy. {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/uB1QnpeRgG3Lpl5yIVE4) {% hint style="danger" %} Do not proceed unless you have these signatures — the rest of the scenario depends on them. {% endhint %} Now for the data-protection requirement. Go to Security Profiles > Data Loss Prevention and look through the configuration. You'll see we've created a regular-expression match on 0123456789. {% hint style="info" %} That simple number is a stand-in. In a real deployment, the DLP profile matches genuinely sensitive patterns — code secrets, credit-card or PII formats, and so on. We use 0123456789 in the lab purely so you can trigger DLP on demand, by typing it into a chatbot, without having to paste anything actually sensitive. Wherever you see that number, read it as "a piece of sensitive data". {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/O1ka1b8p0hEjD3ugxBuD) FortiGuard also distributes maintained DLP pattern sets for specific data types and countries as a service, so you don't have to write these expressions yourself — they're applied the same way you see here. The customer asked to monitor for now, but this is the exact control that switches from monitoring to blocking when they're ready. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences.md). # Coaching, Then Consequences {% hint style="danger" %} Important! This scenario has a pre-requisite: you must have completed the steps in \[Certificates at Scale\](/fabric-solutions-lab-shopping/certificates-at-scale.md) before. This ensures that we can really see inside the packets via deep-packet-inspection. If you have not already done that scenario, conduct it first. {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/uNEyx4nOs3QKbBsuTccf) We embrace AI here, but we've realised our developers and analysts are pasting things into ChatGPT, Claude, Gemini and Copilot that should never leave the building — chunks of proprietary source code, customer datasets, sometimes personal data — just to 'tidy it up' or 'explain what this function does'. Our network team can see that people are visiting AI sites, but they can't see what's being typed or pasted into them, and increasingly these are desktop apps and IDE plugins that don't even look like a normal website to a firewall. Worse: we recently had a developer hand in their notice and immediately start behaving differently — taking screenshots, compressing files on their desktop and pasting code into ChatGPT that contains Personally identifiable information (PII), by the time anyone joined the dots, they had already gone. We don't want to ban AI outright — most people just need a nudge. But when someone already on a watch list ignores the nudge and keeps going, we want the system to recognise the whole pattern and act on its own, surgically — cutting that one person's access without waiting for our small security team to notice. \*\*Products In-Scope\*\* FortiDLP (FDLP) FortiSIEM (FSM) FortiSOAR (FSR) FortiClient (FCT) \*\*Our Response:\*\* The customer has drawn a subtle line: coach the many, act on the few. Most data leaks to AI tools are careless, not malicious — a developer pasting code to get it explained. The right response there is a nudge, not a lockout. But the same action from a watch-listed leaver, alongside screenshots and file compression, is not carelessness — it is exfiltration. The design has to tell those two situations apart and respond differently to each. \*\*FortiDLP sees on the device, not on the wire.\*\* It runs as an agent on every endpoint, observing actions as the user performs them — so it catches the paste into ChatGPT that a firewall never can, including in desktop apps and IDE plugins that never render as a website. In this scenario it captures the full sequence: the RDP login, the Snipping Tool screenshot, explorer.exe compressing that screenshot to a zip, and the browser POST to ChatGPT carrying a Python loop containing names, emails and SSNs. Each action is mapped to its MITRE ATT\\&CK technique — Archive Collected Data, Obfuscated Files, Exfiltration Over Web Service — and the risky paste is coached on screen in the moment, with screenshot evidence captured. This is the "coaching" half: the user is nudged, and the event is recorded. \*\*FortiSIEM scores the pattern, not the alerts.\*\* It ingests those events with identity context and applies UEBA (User and Entity Behaviour Analytics) to weigh them as a behaviour, not a count. One paste is low-risk. But a watch-listed leaver taking screenshots, compressing files, and exfiltrating code-with-PII inside a single window crosses the threshold at once — and surfaces as one high-confidence incident, rather than six disconnected low-severity events a tired analyst has to assemble by hand at midnight. \*\*FortiSOAR turns the verdict into action.\*\* When the pattern is recognised, a SOAR playbook enriches it — identity, device, watch-list status, HR status — and then acts: it applies a FortiDLP incident tag to the user's endpoint in FortiClient EMS, opens a case with the full evidence chain, and notifies the manager and SOC in one message. For the most serious actions, a one-click human approval step can be inserted. This is the "consequences" half — and it is surgical: one person's access, not a blanket ban. \*\*The tag is the bridge to enforcement.\*\* The FortiDLP incident tag applied here is a Classification Tag — an administrative mark, not a live posture reading. On its own it records a judgement; combined with firewall policy, it cuts access. That is exactly what the \[Tag-Driven ZTNA\](/fabric-solutions-lab-shopping/tag-driven-ztna.md) scenario does with this tag: a device carrying a FortiDLP incident tag is refused entry to protected applications, even while it looks perfectly healthy. Coaching happens here; the consequence is enforced there. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/certificates-at-scale/fortigate-fgt-csr-import.md). # FortiGate (FGT) CSR Import The signed certificate returns home. Once it is imported and bound to the deep-inspection profile, this FortiGate can decrypt and re-sign traffic with a certificate that every Breachside endpoint will trust. Back on the FortiGate, go to System > Certificates and select Certificate. ![](https://fabriclab-tech.gitbook.io/files/GhFWxiniTVMlDZns5ZZ4) {% hint style="info" %} \*\*We already imported a CA cert via SCEP, why all the CSR work?\*\* To perform deep inspection, the FortiGate must re-sign traffic on the fly. Signing requires a private key. The SCEP import in the first step gave us only the root CA's public certificate — enough to \*trust\* certificates signed by the root, but not enough to \*issue\* them. The root's private key never leaves the FortiAuthenticator, and it never should: whoever holds a CA's private key can impersonate any website on the internet to any device that trusts it. That is why we built a subordinate CA instead. The key pair was generated on the FortiGate itself when we created the CSR — the private key has never left the device. The FortiAuthenticator signed only the public half. The result: each FortiGate holds its own signing key, while the root key stays locked away on the CA. This also limits the blast radius. If a single store's FortiGate were ever compromised, only that sub-CA is affected — it can be revoked and reissued without touching the root or any other store. One root, many sub-CAs: trust flows down, but risk does not flow back up. {% endhint %} A side menu will open, as below. Select Import Certificate. ![](https://fabriclab-tech.gitbook.io/files/qdTakbvLjaewAXSsZoAi) Select Type: Local Certificate and drag and drop the \*\*.crt\*\* file you just recived during \[FortiAuthenticator (FAC) CSR Approval\](/fabric-solutions-lab-shopping/certificates-at-scale/fortiauthenticator-fac-csr-approval.md) into the box and click Create {% hint style="info" %} Remember that we are using Pod 47 just as an example (10.237.10.47). Yours will likely be different, unless you are assigned Pod 47. {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/Ulr7TwJHgYKSdgnb82YV) You should receive the following menu confirming the Certificate has been imported. ![](https://fabriclab-tech.gitbook.io/files/CKIBsdXudkYfhiMeVq9W) Click OK. The DPI\\\_SubCA certificate should no longer show as pending — it now has an active state. Pending to active is the whole journey of this scenario in two words: the request you generated has come back signed, and the FortiGate can now use it. ![](https://fabriclab-tech.gitbook.io/files/Qib0bV7BpYGJOrWbgHtA) One final step — and it is the one that makes everything before it count. Using the left-hand menu, go to Security Profiles > SSL/SSH Inspection and open the profile named deep-inspection-lab. Under Full SSL Inspection, the DPI\\\_SubCA certificate should now be selectable — select it and click OK. ![](https://fabriclab-tech.gitbook.io/files/BBUCUFXtKRNJ8l7mBJgf) That completes the chain: FortiAuthenticator signs, the FortiGate inspects, and — with the root CA pushed to every endpoint by FortiClient EMS — users see no warnings. Breachside's CIO and CTO asked for certificate automation across hundreds of stores with zero manual work per device. You have just built the trust hierarchy that delivers it. If you wish to validate that the FortiGate is now inserting itself in the middle of the conversation using your FortiPAM instance Using FortiPAM to RDP to the Windows Host Inside Fabric Studio! Login your \[FortiPAM\](https://10.222.101.36/) instance {% hint style="info" %} \*\*Username:\*\* Pod\*\*N\*\* \*\*N\*\* = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 \*\*Password:\*\* Fortinet1! {% endhint %} Navigate to Secrets select Shopping-PodN\\\_Host\\\_Win11\\\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/files/7yzx1edlqrR8LVovgg34) ![](https://fabriclab-tech.gitbook.io/files/kWHqArhtPwSFabcSWIA1) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/files/am9djl4IKnFora3wWRo6) Once you arrive at the desktop, double-click the Google Chrome shortcut and in the address bar type google.co.uk the page should load as normal ![](https://fabriclab-tech.gitbook.io/files/evKFa9pdVpXrVt5jN2IS) Once the page has loaded, click the settings menu on the right-hand side of the number 1 you see in the above diagram, select Connection is secure ![](https://fabriclab-tech.gitbook.io/files/kcVtw7gkowMveFFwr13A) Click where it says Certificate is valid ![](https://fabriclab-tech.gitbook.io/files/IOGTcu194eXaSNDJEUWQ) If you look, you can see that the certificate being used is the one that you just generated, this allows the FortiGate to sit in the middle of the communication and essentially see the encrypted data. ![](https://fabriclab-tech.gitbook.io/files/Y5scG2pVNxZRuBG3kGY7) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/guilty-until-detonated/fortiproxy-logs.md). # FortiProxy Logs You saw the block as a user. Now switch sides — put your analyst hat on and find the evidence of what just happened. Log into your \[FortiProxy\](https://10.222.101.27/) instance {% hint style="info" %} FortiProxy is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance Username: admin Password: fortinet4A!! {% endhint %} Navigate to Log & Report > Security Events > AntiVirus (Section) ![](https://fabriclab-tech.gitbook.io/files/WIxxlIgNbxl54uxwBOEw) ![](https://fabriclab-tech.gitbook.io/files/o1C6t4hR9GaHJnqDSPoO) The files you received block pages for are all here in the logs. Select one of them, and a submenu will open on the right-hand side — there you can see that the file was passed to FortiSandbox for a verdict. This log entry is the audit trail PackTrack asked for: the file, the user who requested it, the source, the verdict, and the fact that the sandbox made the call. And because the EMS connector is sharing identity with the proxy, the entry is tied to a user — not just an IP address that someone would have to chase through DHCP leases at three in the morning. {% hint style="info" %} Occasionally, you may see that a file was not passed to FortiSandbox at all. This is not a fault — FortiProxy keeps a local verdict database, synced from FortiSandbox. If the proxy already knows the file's hash and verdict, it answers instantly without submitting the file again. We have tried to limit this caching in the lab so you can watch the full submission flow, but it will occasionally win the race. In a real deployment, this behaviour is exactly what you want: if the verdict already exists, use it — never make a user wait for an answer the estate already knows. {% endhint %} One observation worth carrying into the room: everything on this page happened on a shared proxy serving up to 50 attendees, and the verdicts still came back in seconds. That is the scaling story playing out live. The proxy path is proven. But what about the user who never goes through the proxy at all? Time to cheat. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/fortiweb-fwb-configuration-check.md). # FortiWeb (FWB) Configuration Check Before we attack the chatbot, let's look at the trap that has been set for us. In this step, you will walk through the FortiWeb configuration and see exactly how it sits — invisibly — between the MCP client and the MCP server. Nothing to configure here; your job is to understand the design, because in a real engagement, this is the design you would be pitching. On the FortiWeb {% hint style="info" %} FortiWeb (located inside Fabric Studio, right click it and access it using HTTPS): Username: admin Password: fortinet4A!! {% endhint %} Go to Dashboard > Status. In the System Information widget, notice that the operation mode is True Transparent Proxy. ![](https://fabriclab-tech.gitbook.io/files/1ol0HVdD6LW2ZsUEVDSk) This mode is the heart of the design. The FortiWeb is not a routed hop and has no IP presence in the traffic path — the MCP client and server are completely unaware that it exists. Nothing needed re-addressing, and nothing needed reconfiguring on the application side. For FortiStore, that meant dropping protection into a live environment without touching the chatbot at all. Go to Network > V-Zone and double-click configuration entry 1. You will see that the interfaces Port 2 and Port 3 are selected as members of V-Zone ![](https://fabriclab-tech.gitbook.io/files/MNVqvgi4Cw9YsZzfElfL) The MCP client connects via Port 2, and the MCP server via Port 3. The V-Zone bridges the two, so every message between client and server is forced through the FortiWeb. There is no path around it — which is exactly what we want, because we can only inspect what passes through us. Go to Web Protection > Protocol > MCP and click into configuration entry 1. You will see that the out-of-the-box Signature Detection and Poisoning Attack Protection are enabled. ![](https://fabriclab-tech.gitbook.io/files/L8fmNBvhPS9cJmjAFwk5) This is what makes FortiWeb more than a bridge: it understands the MCP protocol itself. Signature detection catches known attack patterns hidden inside MCP messages, and poisoning attack protection guards the protocol's weak spot — attempts to manipulate the instructions and context that the model acts on. Keep these two protections in mind; you are about to trigger one of them. Go to Policy > Server Policy > Web Protection Profile, click the pencil next to Inline Standard Protection + MCP, and scroll down to Protocol. You should see that MCP Policy is enabled. ![](https://fabriclab-tech.gitbook.io/files/Zjn4RU4OgooikYw52oiO) This is where the protection is switched on: the MCP policy you just viewed is bound into the protection profile that the server policy applies to traffic crossing the V-zone. ![](https://fabriclab-tech.gitbook.io/files/lJ8AIXq1YjAhGe2YSwQl) Finally, the customer asked for centralised logging. Go to Log & Report > Log Policy > FortiAnalyzer Policy. Under entry number 1, you can see this FortiWeb is configured to send its logs to an upstream FortiAnalyzer. ![](https://fabriclab-tech.gitbook.io/files/n6sjG4kSXR5vzFAUsWtO) So the chain is set: traffic cannot avoid the FortiWeb, the FortiWeb speaks MCP, and everything it sees is reported centrally. Time to put it to the test — let's go talk to the chatbot! --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/the-threat-in-the-picture/sending-the-mail.md). # Sending the Mail Now you switch roles entirely. You have seen the defences; now you become the attacker. In this step, you will send DailyGrind two of the exact emails its CIO described — a QR-code phishing PDF, and a spoofed message from "IT" carrying scripts — and then watch FortiMail catch them both. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio! Login your \[FortiPAM\](https://10.222.101.36/) instance {% hint style="info" %} \*\*Username:\*\* Pod\*\*N\*\* \*\*N\*\* = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 \*\*Password:\*\* Fortinet1! {% endhint %} Navigate to Secrets select Shopping-Pod47\\\_Host\\\_Win11\\\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/files/7yzx1edlqrR8LVovgg34) ![](https://fabriclab-tech.gitbook.io/files/kWHqArhtPwSFabcSWIA1) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/files/am9djl4IKnFora3wWRo6) Open Google Chrome and click the Webmail bookmark. ![](https://fabriclab-tech.gitbook.io/files/kmk5zxnA6qyPBJtOJzOL) Please log in with the below {% hint style="info" %} \*\*Webmail Credentials\*\* Username: Password: fortinet {% endhint %} {% hint style="danger" %} Look closely at that sender address: . DailyGrind's real domain is dailygrind.cafe — one word, no dot in the middle. The address you are sending from is a lookalike, daily.grind.cafe, designed to pass a quick glance. This is the second half of the attack: the QR code hides the link, and the lookalike domain hides the sender. You are now playing the attacker who registered that domain. {% endhint %} ### Attack one — the QR phishing PDF Click Compose Mail and fill it in as shown below. Attach MFA.pdf, found in Documents > FML. Make sure the to address is — DailyGrind's real staff, the target. ![](https://fabriclab-tech.gitbook.io/files/TWRSrZkl2ex2jEhZHEPe) {% hint style="danger" %} The QR code inside this PDF contains \*\*several\*\* links to live, real phishing websites that we keep updated. Do not scan the QR code or visit any of the URLs. You will see FortiGuard's classification of them safely, in the logs, in the next step. {% endhint %} When your email looks correct and the attachment is attached, click Send. ### Attack two — the spoofed IT email with scripts In the Webmail instance, go to Sent Items, find the email you just sent, double-click to open it, and click Reply. ![](https://fabriclab-tech.gitbook.io/files/uKauekPcK5S3LgX3zxpR) Add a brief message and attach the two files listed below, then click Send. ![](https://fabriclab-tech.gitbook.io/files/X2GR7Zs6rO0CbpPxDNgw) {% hint style="info" %} Why reply to your own email? It threads the second attack onto the first, so in the logs you can follow a single conversation carrying two different threats — exactly how a real campaign escalates: a phishing lure first, then a follow-up with a malicious payload once the target is engaged. {% endhint %} That is both attacks sent: a QR-code lure and a spoofed-sender payload. Now let's switch back to the defender's chair and see what FortiMail made of them. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work.md). # Inspecting What Staff Upload — Everywhere They Work \*\*Customer Requirement\*\* Some of our staff now work from home or the road at least half the week, and we've noticed they're downloading all sorts of content during the working day — supplier catalogues, customer-supplied scans, attachments from partner portals, images from search results and shared links. Most of it is legitimate work material, but some of it absolutely is not — and our existing web filtering only categorises websites, not the actual image content of what's being pulled down. We've had at least one incident where a staff member downloaded firearm imagery onto a company laptop from a public site that wasn't on any block list, and our HR team only found out two weeks later. We need to inspect images at the moment of download, work the same whether the user is in the office or at a coffee shop, and pick up any malicious files coming through before they hit the endpoint. On top of that, we've recently signed Hardline Tactical, a specialist tenant inside the mall that sells firearms accessories, body armour and field equipment to defence and law-enforcement customers. They have legitimate reason to download product photography of weapons every day — supplier catalogues, B2B inventory feeds, training materials. Every other tenant absolutely does not, and we'd like to know immediately if a fashion retailer or a coffee chain starts pulling that kind of content down, because it's almost certainly either a misclicked link or somebody using the wrong account. We expect to roll this out on a very large scale. \*\*Products In-Scope\*\* FortiProxy (FPX) FortiClient (FCT) FortiSandbox (FSA) FortiAnalyzer (FAZ) \*\*Our Response\*\* FortiProxy (FPX) is deployed as the explicit web proxy for all corporate web traffic. The Image Analysis profile runs FortiProxy's pre-trained visual content classifiers — categories like Weapons, Gambling, Drugs, Gore and Extremism, each with its own confidence threshold and Allow / Monitor / Deny action. Every image transferred through the proxy is scored against these categories at download time, and the action fires before the image lands in the user's browser. FortiClient (FCT), pushed to every tenant endpoint via EMS, is what makes the per-tenant policy actually work. The EMS server forwards the authenticated user identity to FortiProxy as each session establishes, so when a member of Hardline Tactical's staff downloads firearm imagery, FortiProxy sees the request tagged with their group membership and applies the permissive profile. The same user moving to a different desk, different floor or different mall site gets the same policy because the policy is keyed to \*who they are\*, not \*where they're plugged in\*. This also means FortiAnalyzer logs show real usernames and group membership rather than just IP addresses, which is what makes "tell me about Sarah's downloads" a one-click query rather than an IP-correlation exercise. FortiSandbox (FSA) handles file-based payloads. Any executable, document or archive being downloaded through FortiProxy is submitted to FortiSandbox for full detonation, and the verdict comes back inline so the download is blocked before the file reaches the endpoint if it turns out to be malicious. Sandbox verdicts are also fed back to FortiClient EMS, so if the same file hash later turns up on a colleague's machine via a different channel it's already a known-bad indicator. FortiAnalyzer (FAZ) collects logs from FortiProxy, FortiClient EMS, and FortiSandbox into a single place — image-classifier verdicts, OCR findings, sandbox detonations, and the user/device context behind each one are correlated against the same identity. As the rollout scales we add more FortiProxy nodes behind a load balancer and a second FortiSandbox for capacity, all reporting back to the same FortiAnalyzer cluster, so the SOC always has one place to search regardless of how the back end grows. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work/browsing-to-webserver.md). # Browsing to Webserver Once you have finished configuring your proxy then please click the Index of /tools bookmark ![](https://fabriclab-tech.gitbook.io/files/26VtzIeww9g2mTgG99yW) Double click gun.jpg just for your referance this is what the image looks like. ![](https://fabriclab-tech.gitbook.io/files/xwUXOeYdzpQ02YU4MDcp) On clicking the image, ther will be a brief pause of around 5-30 seconds before you are redirected to the FortiProxy block page. ![](https://fabriclab-tech.gitbook.io/files/7ErkbSd8CIL0rIibkDfl) As you successfully should see FortiProxy has reviewed the image using Optical character recognition (OCR) and and successfully blocks it from the user based on the Content Analysis Policy because the image clearly contains Weapons On FortiProxy if you browse to Log & Report > Correlation Log you can see the block logs. ![](https://fabriclab-tech.gitbook.io/files/kjkl4MtpbrGlb0WN8TQ2) If you wish to validate further, if you go back to the Windows RDP session and click the Index of /tools bookmark there should be a .jpeg image called cute\\\_kittens.jpeg click it. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/coaching-then-consequences/mischievous-user-continued.md). # Mischievous user! (Continued) Pasting code was careless. What you do now is what turns a careless user into a suspicious one. A screenshot, then compressing it for easy removal — on their own — are ordinary actions. Together with what you just did, they form the shape of someone preparing to take data out of the building. Go back to the desktop and then click the search bar and click Snipping Tool ![](https://fabriclab-tech.gitbook.io/files/TrtND1H3X2RrSdurwidR) Take a screenshot and save it to the Desktop ![](https://fabriclab-tech.gitbook.io/files/EyQcnU2zMi43rgkQhDql) Now right-click the screenshot you just saved on the Desktop and choose Compress to ZIP file. Save the compressed file to the Desktop, keeping the generated name. ![](https://fabriclab-tech.gitbook.io/files/GfIdRGfWsPUYzYeo0DIo) {% hint style="info" %} Think about how these actions look when joined together. Pasting sensitive code into an AI tool, capturing the screen, then compressing the result into a single file ready to move — this is the classic shape of data exfiltration. In the MITRE ATT\\&CK framework, you have just performed Archive Collected Data (the zip) alongside the earlier Exfiltration Over Web Service (the ChatGPT paste). No single step is alarming by itself; that's exactly why this kind of activity slips past tools that look at one event at a time. FortiDLP has recorded every one of these actions on the device — and on the next page, you'll see the full sequence laid out as evidence. {% endhint %} You've now played the whole insider sequence: logged in, pasted code with PII, screenshotted, and compressed for removal. Time to step out of the role and become the investigator — let's see exactly what FortiDLP captured. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/when-chatbots-go-rogue/testing-the-load-balancing.md). # Testing the Load Balancing Round-robin is easy to claim and easy to prove. In this step, you will browse to FortiStores's site twice — and watch the FortiADC send you to a different server each time. Using FortiPAM to RDP to the Windows Host Inside Fabric Studio! Login your \[FortiPAM\](https://10.222.101.36/) instance {% hint style="info" %} \*\*Username:\*\* Pod\*\*N\*\* \*\*N\*\* = Your Pod Number its unique to you and will have been provided by the Portal or Instructor As a example Pod47 \*\*Password:\*\* Fortinet1! {% endhint %} Navigate to Secrets select Shopping-Pod47\\\_Host\\\_Win11\\\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/files/7yzx1edlqrR8LVovgg34) ![](https://fabriclab-tech.gitbook.io/files/kWHqArhtPwSFabcSWIA1) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/files/am9djl4IKnFora3wWRo6) If you still have the Windows host open from the chatbot step, you can skip straight to the browser. Once you arrive at the desktop, double-click the Google Chrome shortcut and click the pre-populated bookmark "FortiStore - LB". The page should load as below. Now look in the top right-hand corner: you will see the IP address of the node you were directed to — either 192.168.2.2 or 192.168.2.3. ![](https://fabriclab-tech.gitbook.io/files/DwEjkKwBMFcArb8Kz6pg) See the Destination is .3 Remember, you browsed to the Virtual IP — 192.168.2.100. The address in the corner is the real server the FortiADC chose for you. The user never knows, and never needs to know, which server answered. To validate the round-robin, go back to the desktop and open Microsoft Edge — or a private browsing tab — and browse to 192.168.2.100. You should land on the opposite server from the one you received above. ![](https://fabriclab-tech.gitbook.io/files/OZCCzBF7hutpyIOlduAs) See the Destination is now .2 You can also use the following Powershell Command \`1..30|%{\[regex\]::Match((iwr http://192.168.2.100 -useb).Content,'192.168.2.\\d+').Value}|group|select Count,Name\` Paste using your FortiPAM RDP Session, once you get the first result open up a new poweshell tab and paste again you should see .2 & .3 alternate ![](https://fabriclab-tech.gitbook.io/files/19kICssUJ0944GgdPLgf) ![](https://fabriclab-tech.gitbook.io/files/nFLhlXAcoG2oiRsCItem) {% hint style="info" %} Why a different browser or a private tab? A fresh browser means a fresh connection — and round-robin balances connections, not page clicks. If you simply refreshed the same tab, the browser might reuse its existing connection and you would land on the same server again, which looks like a fault but isn't. That's one user, two connections, two different servers — exactly what FortiStore needs when thousands of Black Friday shoppers arrive at once. And every one of these balanced sessions has been logged. Let's go and see them, all in one place. {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work/fortiproxy-configuration.md). # FortiProxy Configuration Log into your \[FortiProxy\](https://10.222.101.27/) instance {% hint style="info" %} FortiProxy is a shared resource across all attendees, and does not live inside your dedicated Fabric Studio instance Username: admin Password: fortinet4A!! {% endhint %} Navigate to Content Analyses > Image Analysis double click the default profile {% hint style="danger" %} As FortiProxy is a shared instance, you do not need to conduct any configuration it has been done for you! {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/CmdvRpCTNWEQjLGebB63) ![](https://fabriclab-tech.gitbook.io/files/RcXy4PTAnP844k05j91F) Navigate to Policy & Objects > Policy there is a Content Analysis policy that is slighty more specific than the policy below it this is because another lab (\[Fabric Solutions Lab - Original\](https://fabriclab-tech.gitbook.io/fabric-lab)) has a different scenario that uses the second rule. ![](https://fabriclab-tech.gitbook.io/files/F2bVti22F5CX9Xr1h0DL) Under Secuirty Profiles you can see we have matched the Content Analyses profile as you saw above. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/scenario-order.md). # Scenario Order To give you complete flexibility, this lab is designed to be modular. However, to get the absolute most out of the experience and see the story truly come together, we highly recommend working your way through all the scenarios from top to bottom. If you are attending an event such as Xperts, the lab has been timed to fit within your allocated session, making a start-to-finish run the ideal approach. To help you guide your own journey, we have ordered the scenarios for the optimal narrative flow and marked them with the following symbols: 🟢 \*\*The Starting Point:\*\* This scenario must be completed first to set the foundation. 🟠 \*\*Independent:\*\* No prerequisites required—dive straight in. 🔴 \*\*Prerequisite Needed:\*\* This builds on previous work. The scenario's introduction will clearly outline what is required and provide a direct link to it. Short on time? No problem at all. If you are pushed for time, feel free to pick and choose the specific scenarios that interest you most. The lab has been intentionally built to support this, so skipping ahead won't spoil your experience. ![](https://fabriclab-tech.gitbook.io/files/4Zr7MotYUxWTpF0HdmkD) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/shared-resource-launcher.md). # Shared Resource Launcher We get that having to click around many different products can be a little bit cumbersome, so we've developed a web page with all the Shared Resources in one page that we suggest you keep open. Please note, for devices that live \*\*inside\*\* Fabric Studio, you will still need to access them via Fabric Studio (Right click the Product icon Access > HTTPS) {% hint style="info" %} This will only work if you are connected via FortiClient or at an Event where a specific SSID is provided. {% endhint %} \[Product Launcher Click Me\](http://10.237.9.1:8080/) ![](https://fabriclab-tech.gitbook.io/files/Xjdze0TVRfaUVU64KlWS) {% hint style="info" %} Clicking one of the icons will save the password to your clipboard and redirect you to the page, then you just need to enter the username and paste the password in. {% endhint %} {% hint style="danger" %} Please note that the username is not always admin. These have been separated at the bottom for these you will have to type the username. {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/bug-zone/inspecting-what-staff-upload-everywhere-they-work/configuring-a-webproxy-in-firefox.md). # Configuring a webproxy in Firefox Login your \[FortiPAM\](https://10.222.101.36/) instance {% hint style="info" %} Username: \\ for example Pod47 Password: Fortinet1! {% endhint %} Navigate to Secrets select Host\\\_Win11\\\_Internal and click Launch Secret > Web RDP ![](https://fabriclab-tech.gitbook.io/files/DYGCkzjCISC7EXdIy7F0) ![](https://fabriclab-tech.gitbook.io/files/RXcJZGQMutfJNKLbsmo5) A seperate tab should open and the Windows Host should display in Full Resolution within your web browser. ![](https://fabriclab-tech.gitbook.io/files/am9djl4IKnFora3wWRo6) Once you arrive at the desktop, double-click the Firefox shortcut located on the Desktop. Select the hamburger menu in the top right and click Setttings ![](https://fabriclab-tech.gitbook.io/files/Kn1WtVHRL6JKdF6bPvBr) In the menu that opens up there is a search bar type "Proxy" and click "Configure Proxy" ![](https://fabriclab-tech.gitbook.io/files/02XQH97cJkV4PEv7VtTw) Configure as above and click ok. {% hint style="info" %} Please note 10.222.101.27 is the explicit web proxy configured on the FortiProxy. You're essentially instructing the browser to send all traffic towards FortiProxy, this can be extremely useful as a secure web gateway (SWG) where as a example contractors do not wish to have agents installed on their machines, but you still wish to secure them. {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/fortipam-rdp.md). # FortiPAM - RDP We’ve listened closely to your feedback from our previous 2024 \[(Original)\](https://fabriclab-tech.gitbook.io/fabric-lab) and 2025 \[(Mitre)\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-mitre) labs, copy-paste functionality was a hassle. We heard you loud and clear! For this lab, every attendee gets their own \[FortiPAM\](https://10.222.101.36/) login. Inside your Fabric Studio instance is a Windows Host that a lot of the scenarios run through. We use FortiPAM to handle an HTML5-to-RDP connection directly in your browser. You'll get a fully passwordless, desktop-like experience. Finally need to copy and paste text into this environment? Simply press F8 to bring up the clipboard! (Examples Below) ### Logging in via FortiPAM 1. Browse to \[FortiPAM\](https://10.222.101.36/) 2. Username: Pod\*\*N\*\* (I.E Pod46) {% hint style="info" %} \*\*N\*\* = Your Pod Number I.E Pod46 {% endhint %} 2. Password: Fortinet1! 3. Navigate to Secrets 4. Select Host\\\_Win11\\\_Internal 5. Launch Secret 6. Web RDP 7. A full web RDP session should open up ![](https://fabriclab-tech.gitbook.io/files/DMa5OvkATXzdTTl9X6SO) {% hint style="info" %} Once you have this RDP session established, we recommend that you just leave the tab open. It's used in almost all of the scenarios. In each scenario that it is used in, we will let you know, but instead of having to reopen and go through this entire process every time, just keep it open! {% endhint %} ### Copy and Paste FortiPAM Session 1. Press F8 on your keyboard, a side menu should open 2. Select Clipboard 3. Paste the contents from your local machine into the clipboard 4. Select send to Remote Clipboard 5. In the RDP session Paste as you normally would ![](https://fabriclab-tech.gitbook.io/files/RlGI30wTcyEGfenA1fjj) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/installation-checks.md). # Installation Checks It's worth investing five minutes just to make sure that everything has started correctly. This year, we've invested a lot of time to ensure that you start labbing as soon as possible, and as much as we can automate has been. Information around how to log in to your Fabric Studio instance will either have been provided by the instructor or will be available via the self-serve portal. {% hint style="info" %} URL: 10.237.10.\\ Username: \*\*admin\*\* Password: \*\*Fortinet1!\*\* {% endhint %} ### Fabric Studio On logging into your dedicated Fabric Studio instance, navigate to Fabric Workspace and double click the lab that is already running. ![](https://fabriclab-tech.gitbook.io/files/SLhnZzq3rvE9TTQfwK0o) This will open a diagram like below. What is important is that the sidebar on the right-hand side shows everything as “Running”. Anything that does not have this status, including if you have an exclamation mark (!) before “Running” means that you should ask an instructor for assistance as this is an indication that it has not started properly or that there is a licensing issue. ![](https://fabriclab-tech.gitbook.io/files/LeOu7Ct2G4CXt2gsFM5i) The Windows desktop environment that lives inside Fabric Studio is accessed via RDP via FortiPAM, for this lab, there is a script that runs on its initial boot that renames your host, installs FortiClient, and installs FortiDLP, if the installation is still running when you access the pod, just leave it; however, eventually you should see a PowerShell screen as below. ![](https://fabriclab-tech.gitbook.io/files/yIroEoBz9XOR8KUupT8E) If you see that everything has successfully installed correctly and you see the Happy Labbing Prompt! You're good to go! ### FortiClient In the bottom left-hand corner of the taskbar, find the FortiClient shortcut, right click it and open ![](https://fabriclab-tech.gitbook.io/files/a2ybgT6xAyJ8oycNbPq7) Ensure that you see the connected status as above, in the event of you not seeing the connected status and instead seeing the disconnected status, enter the following IP address in the box \`10.222.101.40\` and click connect, this will manually enrol the endpoint to our FortiClient EMS server. ![](https://fabriclab-tech.gitbook.io/files/2c9HXornyx4f34HKfI8D) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-shopping/story-narrative.md). # Story/Narrative ## \*\*Welcome to Breachside Shopping Centre!\*\* Breachside Shopping Centre is one of the region's largest retail destinations — a sprawling mall owned by a single parent company, home to dozens of stores: coffee shops, street food vendors, fashion outlets, electronics retailers, and everything in between. Each store runs its own operation, its own staff, and its own technology. For years, that independence was Breachside's charm. In 2025, it became its weakness. A major cyberattack tore through the mall. The parent company was hit first, and the attack spread to several stores — point-of-sale systems down, online stores offline and customer data exposed. Recovery took months, trust took longer. In the chaotic months after the breach — before any IT/OT leadership was in place — individual store managers took matters into their own hands. Some reached out to various cybersecurity vendors directly and procured whatever equipment they could get deployed quickly. The result: pockets of technology scattered across the mall, alongside gaps, overlaps, and no unified strategy. Then the parent company acted. A new CIO and CTO were appointed, with full authority over every technology decision across Breachside — parent company and stores alike. When they arrived, they inherited a patch job. The good news? They liked what they saw from the Fortinet deployments — and they've decided to build the recovery on that foundation. ### Where you come in As a trusted Fortinet partner, you've been engaged to rebuild Breachside's security posture, store by store. In each scenario, the CIO and CTO will hand you a problem statement — a real operational pain point from one of the stores. Your job is to design the solution, implement it using Fortinet products working together, and pitch it back to the CIO and CTO — exactly as you would in a live engagement. The technology has to work, and the story has to land. ### How this lab works Every scenario is a store within Breachside, and every scenario is modular. Some stores reference each other, just as real environments do, but nothing blocks your path. Each scenario follows the same structure: 1. \*\*Customer Requirement\*\* — the problem statement, in the CIO and CTO's own words 2. \*\*Products Included\*\* — the Fortinet Fabric components you'll be working with 3. \*\*Our Response\*\* — what you, as the partner, are going to deliver --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortisandbox.md). # Defence - FortiSandbox Please log in to \[FortiSandbox\](https://10.222.101.23/ng/log\_and\_report/job\_events) using the hyperlink. \`Username: admin / Password: Fortinet1!\` Clicking the hyperlink above should take you to the job event section. If you look closely, you will see that the file was submitted from FortiProxy to FortiSandbox for analysia look at the various log entires that are associated with this before the verdict that the file is indeed malicious and an inline block request sent back to FortiProxy. ![](https://fabriclab-tech.gitbook.io/files/wYV6bxvnCSlolEnZ9WR4) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/scenario-story-narrative.md). # Scenario - Story/Narrative {% hint style="warning" %} Just a reminder that this lab has little/no configuration if you wish to conduct the configuration yourself then please use the Fabric Solutions Lab - Orginal or Fabric Solultions Lab - Mitre versions! - Links to these can be found here \[Click Me\](https://fortinet.sharepoint.com/sites/CSEFabricSolutionsEMEA/SitePages/CSE-Enablement-Lab.aspx) and are selectable options in the self-serve portal. {% endhint %} You are a malicious threat actor who is inside a company. You have obtained access into the environment via an RDP session using leaked credentials found on the dark web. You're now having a poke around to see what you can find that may be useful later. The attack phase consists of you clicking some bookmarks found on the remote desktop server. Unfortunately, what you don't know is this actually forms part of the defence because what you're actually accessing is a decoy Hosted on FortiDeceptor. It's tracking every single move that you make. Not only that, the source IP address of you that you access the decoys from gets propagated to the FortiGate firewall and into a quarantine list. Meaning that any traffic with that source IP address that passes through the FortiGate firewall is blocked halting any lateral movement attempts. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/scenario-story-narrative.md). # Scenario - Story/Narrative Your company has deployed a web server, they are using FortiWeb to protect it. The web server has a file upload function that could potentially be exploited allowing malicious actors to upload malware and potential backdoors. You have developed a zero-day threat that will not have a signature on FortiWeb itself, so the file will be passed to FortiSandbox for detonation and analysis. Once the verdict is in, the result will passed back to FortiWeb. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver-1.md). # Attack - Webserver Open your Fabric Studio instance, locate the object "Webserver", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance. On the desktop, you will find a folder called "uploads" If you refresh the page, you should see that the virus.jpg file is now present. ![](https://fabriclab-tech.gitbook.io/files/1u4lYzzE0aju7CulEAuZ) Of course, if the file was actually malicious and not just the .JPG file, then FortiSandbox would have determined this and sent the verdict back to FortiWeb, and the file would not be allowed to be uploaded. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/attack-sending-external-email.md). # Attack - Sending External Email Open your Fabric Studio instance, locate the object "External Attacker ", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance Open Google Chrome, click the Webmail bookmark. Login using \`Username: external Password: fortinet\` ![](https://fabriclab-tech.gitbook.io/files/gkH9nADrFDy0Zo3lJlwu) On logging in, if you use the left-hand sidebar to navigate to "Drafts," you should see a saved email that says "FIS Test" click it and then press send! ![](https://fabriclab-tech.gitbook.io/files/nluPE4eTlPw0SeqSgz3S) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/attack-malware-site.md). # Attack - Malware Site Open your Fabric Studio instance, locate the object "Inside Host", right-click it, access, and then display. If your asked for a Username & Password for inside host its \`Username: fabriclab\\demouser5 / Password: Fortinet1!\` . Another browser tab should open you have access to the virtual Windows instance Open Firefox, once Firefox has loaded, there should be a bookmark called FortiProxy - Malware click it to open the page. {% hint style="info" %} The Firefox instance has already had a PAC file loaded and as such, we'll redirect all traffic to FortiProxy. This is completely transparent to the user. {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/486cC7RM0ihbE81gxuRu) The page should look as below. ![](https://fabriclab-tech.gitbook.io/files/cRUuVpak2nrOgKqTV2VM) Click one of the files to try and download it. We will use RaccoonStealer during the example. You will notice a slight delay in the loading of the page, however eventually you should get the block message as below ![](https://fabriclab-tech.gitbook.io/files/u7X8y1pxVauK6sr0LOsI) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiproxy-and-fortisandbox/defence-fortiproxy.md). # Defence - FortiProxy Please log in to \[FortiProxy\](https://10.222.101.27/log/security-log?tab=summary\\&type=webfilter) using the hyperlink. \`Username: admin / Password: Fortinet1!\` We've configured the hyperlink to take you automatically to the security events section, Please click the anti-virus section as below. ![](https://fabriclab-tech.gitbook.io/files/S3zirZZpx12JKOXE8jYU) The page should load as below. Double-click the log to open up an additional side panel on the right-hand side that displays a lot more information ![](https://fabriclab-tech.gitbook.io/files/Tj1S7Yn2S6tZUN7sDZ4I) As you can see, the verdicts came from FortiSandbox. {% hint style="info" %} Just to explain, FortiProxy actually has its own local AV database, as do many of our products. This has been disabled in this scenario to ensure that the files being detected are always passed to FortiSandbox. in most cases, the local DB would handle this, with files that don't have a local signature or match being passed to FortiSandbox. An example of this would be a zero-day. {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/attack-scenario-steps.md). # Attack - Scenario Steps Open your Fabric Studio instance, locate the object "External Attacker", right-click it, access, and then display. Another browser tab should open. Open Google Chrome you will find a bookmark called Webmail click it. ![](https://fabriclab-tech.gitbook.io/files/lfYrSDyTF7XnP4zwkZ3e) Enter the login details, \`Username: external / Password: fortinet\` and click Log In On logging in, click the Drafts button on the left-hand side. You should then see draft emails ready for selection. As we're doing the FortiMail and FortiSandbox scenario, click that email ![](https://fabriclab-tech.gitbook.io/files/LsvIAtDav8nIgbjYJ6JG) A side widget should open up on the right-hand side ![](https://fabriclab-tech.gitbook.io/files/KNA7nLSssMnKp8awg2kG) The contents of the email Recivers, Subject, Message Body & the malware attachments have been done for you. Just click send --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/attack-webserver.md). # Attack - Webserver Open your Fabric Studio instance, locate the object "Webserver", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance. On the desktop, you will find a folder called "uploads." Double-click it. ![](https://fabriclab-tech.gitbook.io/files/vkTZsd6qedGXGlb5J6Po) In your Fabric Studio instance, locate the object "External Attacker", right-click it, access, and then display. Another browser tab should open you have access to the virtual Windows instance. On the desktop, you will find Google Chrome, open it and then open the bookmark "DVWA Security: Low" Login with \`Username: admin Password: password\` ![](https://fabriclab-tech.gitbook.io/files/cWH56xZ9TUwPauJDBeku) Once logged in scroll down to "DVWA Security", and ensure it is set to "Low" (It defaults to impossible) ![](https://fabriclab-tech.gitbook.io/files/JSFAyAOSjvuASHFhokzk) Using the left-hand pane, now browse to File Upload and click Choose File, a Windows file selector will open. Go to your downloads folder and select virus.jpg then click "Open." ![](https://fabriclab-tech.gitbook.io/files/juUA9YHniq6tZCrkfmeq) Your instance should look like this. As long as it matches, click upload ![](https://fabriclab-tech.gitbook.io/files/qmjSuR21cFtkT21d8w9M) During the upload process, you should see a black page with a loading icon. This can take some time, this is an indicator that the file has been passed to faulty sandbox for analysis. ![](https://fabriclab-tech.gitbook.io/files/DY1NQBQIKnAdcjNNJzoY) Eventually, the page will return that the file has been uploaded. This is to be expected as the file isn't actually malicious but FortiSandbox will have validated this and delivered its verdict. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortisiem.md). # Analyze - FortiSIEM Please log in to \[FortiSIEM\](https://10.222.101.28/phoenix/login.html) using the hyperlink. \`Username: admin / Password: Fortinet1!/ Organization: super\` ![](https://fabriclab-tech.gitbook.io/files/GuFuFnR3Oa0AuGvWqFAo) In the top right, click the exit button and then change organisation view ![](https://fabriclab-tech.gitbook.io/files/xRResErnJ0eGJwONdgT7) Select admin view, local, and then press Change View ![](https://fabriclab-tech.gitbook.io/files/gxJ1QRTnVDEwypyAyitF) Using the nav bar, select Analytics ![](https://fabriclab-tech.gitbook.io/files/bqCVwcxHolgD5sOGkXgE) Click where it says "Edit filters and time range." Click where it says "Load." ![](https://fabriclab-tech.gitbook.io/files/bG771o1AoDcrigUqcRed) Select the FortiDLP profile and then click Load ![](https://fabriclab-tech.gitbook.io/files/IRlhrPQJc8JoDxgmTciq) Set the time range to an appropriate number and then click "Apply" and run ![](https://fabriclab-tech.gitbook.io/files/fMEcnOYfJyMg38a0BNsI) You should see the results of your attack as below. ![](https://fabriclab-tech.gitbook.io/files/5VA3S5YD7yfEfSvmpLAY) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/task-unlock-host.md). # Task - Unlock Host Log in to FortiDLP using this specific link - \[Click Me\](https://ftnt-fabric-cse.reveal.nextdlp.com/#nodes/table) Find the EndGame Node, Locate the three dots to the right-hand side and select "Unlock this node." ![](https://fabriclab-tech.gitbook.io/files/c61xcyliH4Bi5bRWfopK) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiweb-and-fortisandbox/analyze-fortisandbox.md). # Analyze - FortiSandbox Please log in to \[FortiSandbox\](https://10.222.101.23/ng/log\_and\_report/job\_events) using the hyperlink. \`Username: admin / Password: Fortinet1!\` On login, if you use the left-hand pane sidebar to browse To Log & Report > Events > Job Events {% hint style="info" %} Create a filter for "Message" "FWB" {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/Fn6lA3dzuLD4V9MZn6OR) As you can see, FortiWeb did pass the file to FortiSandbox, and the verdict was passed back. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/scenario-story-narrative.md). # Scenario - Story/Narrative {% hint style="warning" %} Just a reminder that this lab has little/no configuration if you wish to conduct the configuration yourself then please use the Fabric Solutions Lab - Orginal or Fabric Solultions Lab - Mitre versions! - Links to these can be found here \[Click Me\](https://fortinet.sharepoint.com/sites/CSEFabricSolutionsEMEA/SitePages/CSE-Enablement-Lab.aspx) and are selectable options in the self-serve portal. {% endhint %} You are a malicious threat actor who is trying to penetrate into a company via sending malicious emails attaching malware to those emails. You then change to the defence side using FortiMail and FortiSandbox You play both roles: 1. You are the attacker you will craft and send a malicious email with a malware attachment, exactly as a real threat actor would. 2. You are the defender You will watch FortiMail detect sending the file to FortiSandbox for further verdict. You will then see FortiSandbox execute the file in a safe environment, confirm it is malicious, generate the verdict and IOCs, and push the verdict indicators back to FortiMail that strips the attachments and ammends the subject line to contain \\\[Malicious\] --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-4/access-windows-host.md). # Access - Windows Host Start by logging into the Fabric Studio instance, locating the object "Inside Host", right-clicking it, access, and then display. If your asked for a Username & Password for inside host its \`Username: fabriclab\\demouser5 / Password: Fortinet1!\` {% hint style="info" %} Its very importnat you login as a domain user (As above) {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/DeV8mVSwyuum0Y07vSO6) This should open up a separate browser tab with a Windows host. Click the Google Chrome shortcut, there should be two bookmarks, one for Grok and one for Gemini (Click either) ![](https://fabriclab-tech.gitbook.io/files/0DCdHYLbSnmgWP1ZNScl) We will use Gemini ![](https://fabriclab-tech.gitbook.io/files/DrTlwlSF6AxOVJ5qYwMt) {% hint style="info" %} if you log in to Gemini using / Fortinet1! then you will see that we're actually able to capture this username, This could potentially be useful for understanding if it's corporate or personal accounts that are being used. {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/scenario-story-narrative.md). # Scenario - Story/Narrative You are an end user inside the corporation, you've been advised to go to a web server and download some files. Unfortunately, you don't know that the web server is malicious and the files that you're downloading contain very, very well-known malware. Your IT department has deployed FortiIsolator meaning that what you see in your web browser is essentially a stream of data coming from a virtualized and contained host that lives with inside FortiIsolator. On trying to download the malware, FortiIsolator will send it to FortiSandbox for detonation and analysis before receiving its verdict back, you will observe this behaviour via a widget that opens up in the top right-hand corner. Should this be successful, you will see that you are unable to actually download the file, this is because the combination between FortiIsolator and FortiSandbox has done its job and has deemed the file to be malicious. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortisandbox.md). # Analyze - FortiSandbox If you log into the FortiSandbox instance - \[Click Me\](https://10.222.101.23/) \`Username: admin / Password: Fortinet1!\` Then go over to Log & Report > All Events (Create a filter for \`Message: Return\`) ![](https://fabriclab-tech.gitbook.io/files/t3pRalm6xB3znMtx8bNV) You can see FortiSandbox received the file, checked it and then passed the verdict back to FortiMail. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox.md). # FortiIsolator & FortiSandbox - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/scenario-story-narrative.md) - \[Attack - Downloading Malware\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/attack-downloading-malware.md) - \[Defence - Downloading Malware\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/defence-downloading-malware.md) - \[Analyze - FortiSandbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/analyze-fortisandbox.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/review-fortianalyzer.md). # Review - FortiAnalyzer Please log into \[FortiAnalyzer\](https://10.222.101.35/) using the hyperlink \`Username: admin / Password: Fortinet1!\` Ensure that you go into ADOM \*\*Pod45\*\* Then using the lefthand pane, browse to log view > logs > select the Fortinet logs > Ensure that FortiGate is selected and apply the filters as below ![](https://fabriclab-tech.gitbook.io/files/qJNDNiv7DJTSkStjWqeD) As you can see these are the logs where access to the product store was denied. Remove the current filters and instead create a filter as below. Filtering based on the EMS tag these are the successful logs ![](https://fabriclab-tech.gitbook.io/files/touRL2Shnl3UzFr0VZej) However what is very important to know is if you look at the user field for both action denied and accepted, the actual AD user that you use to log in, \*\*"Demo User 5",\*\* is captured by the single sign-on mobility agent and sent to the FortiAuthenticator that then uses FSSO to forward to the downstream FortiGates. This solves the initial use case of the client wanting to have a deeper understanding of the user identity with a security enhancement! --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-vmware-decoy.md). # Attack - VMWare Decoy On the same Google Chrome instance you will find a bookmark called VMWare - ESXi - Decoy, again click it ![](https://fabriclab-tech.gitbook.io/files/uxn6F50U0wqhJjVFiM5j) Now with this particular decoy, you can actually log in using the credentials \`Username: fabriclab / Password: Fortinet1!\` ![](https://fabriclab-tech.gitbook.io/files/EkyLVBv3B0gjUiPtwlCe) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-fortigate.md). # Show - FortiGate Start by logging into the Fabric Studio instance, locating the object "FortiGate", right-clicking it, access, and then HTTPS, this should open a new browser tab with the FortiGate UI. \`Username: admin Password: fortinet4A!!\` Using the left-hand pane navigate to Security Fabric, Fabric Connectors, and ensure that FortiClient EMS is connected as below. This is what shares the ZTNA tags that we will be using later with the FortiGate. ![](https://fabriclab-tech.gitbook.io/files/ztxmnmNP6TDlU4YBf6iQ) If you want to check these, you can go use the left-hand pane to browse the policy and objects, ZTNA, and then click the security posture tag ![](https://fabriclab-tech.gitbook.io/files/8zCad0XDEzW1XETNag1v) Now using the left-hand pane if you browse to Security Fabric External Connectors, make sure that FSSO Agent on Windows AD is connected, this is what shares the usernames and the groups from Active Directory, and also information from the Single Sign-on Mobility Agent that's capturing the username and tying it to an IP address all this information comes from FortiAuthenticator. ![](https://fabriclab-tech.gitbook.io/files/XbL1CPKCROcTXib4zAo8) Using the left-hand pane, browse to Policy & Objects > Firewall Policy, review the two policies as below ![](https://fabriclab-tech.gitbook.io/files/MIEODMRV82yZ4D1Luxyr) If you look inside the allow firewall policy, you will see that we're taking into consideration the security posture tags these are what's sent from FortiClient EMS. In our case Windows calculator must be running and and either FortiEDR or FortiDLP otherwise you are not permitted to access the product store application via (http or ping). ![](https://fabriclab-tech.gitbook.io/files/n2VvFfd9RIacwmc9pzrf) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor.md). # FortiGate & FortiDeceptor - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/scenario-story-narrative.md) - \[Attack - Scada Decoy\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-scada-decoy.md) - \[Attack - VMWare Decoy\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-vmware-decoy.md) - \[Analyze - FortiDeceptor\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/analyze-fortideceptor.md) - \[Defence - FortiDeceptor\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortideceptor.md) - \[Defence - FortiGate\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortigate.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/analyze-fortisandbox.md). # Analyze - FortiSandbox Please log in to \[FortiSandbox\](https://10.222.101.23/ng/log\_and\_report/job\_events) using the hyperlink. \`Username: admin / Password: Fortinet1!\` On login, if you use the left-hand pane sidebar to browse To Log & Report > Events > Job Events ![](https://fabriclab-tech.gitbook.io/files/klCWhsH8Xi2SAVqW1UOb) If you look at the screenshot above, you can see that the FortiSandbox received the file from FortiIsolator, it did its analysis on the file, determined that it was malicious, and then sent this verdict back to FortiIsolator this is the reason why you see a slight pause between the Download and the Blocked widget on UI. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/attack-scada-decoy.md). # Attack - Scada Decoy Open your Fabric Studio instance, locate the object "Inside Host ", right-click it, access, and then display. If your asked for a Username & Password for inside host its \`Username: fabriclab\\demouser5 / Password: Fortinet1!\` Another browser tab should open. Open Google Chrome you will find a bookmark called Scad - Decoy, Click it. ![](https://fabriclab-tech.gitbook.io/files/ilLnEtu412RkeNRoElLy) This should, open up a page like the below. Remember that this is a decoy! ![](https://fabriclab-tech.gitbook.io/files/93364faZoD13fDgLNOMN) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/attack-downloading-malware.md). # Attack - Downloading Malware Open your Fabric Studio instance, locate the object "Inside Host ", right-click it, access, and then display. Another browser tab should open. If your asked for a Username & Password for inside host its \`Username: fabriclab\\demouser5 / Password: Fortinet1!\` Open Google Chrome you will find a bookmark called "Isolator & Sandbox" ![](https://fabriclab-tech.gitbook.io/files/9KTfte4IbOeVZc0TISrO) you may well see an SSL certificate error. Just bypass this by clicking the "Advanced" dropdown and then Proceed. You should then reach this page as below, ensure that "Guest" is ticked, and then press "Login." ![](https://fabriclab-tech.gitbook.io/files/2oFaWIC8MuqkCdBK5BmK) A page should load as below, what's really important is the \*\*'I'\*\* icon in the top left-hand corner, which essentially tells you that the page has been rendered from FortiIsolator. ![](https://fabriclab-tech.gitbook.io/files/ZNE7ofT0LGv2Xcr1cuxX) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortideceptor.md). # Defence - FortiDeceptor Now, in an attack scenario like this, it's very important that we have automation that is able to respond very quickly otherwise, it's just too late. So what we've already configured is an integration between FortiDeceptor and FortiGate. In the event of FortiDeceptor seeing an attack towards a decoy, the SRC\\\_IP of the attacker is logged. This is then passed from FortiDeceptor to FortiGate where the IP address is added to a quarantine list for a certain amount of time (The time period is configurable) If you want to see the configuration, it can be viewed on FortiDeceptor on the left-hand pane under Fabric Quarantine > Integration. ![](https://fabriclab-tech.gitbook.io/files/FojDlXS1Lk77jm6ca0qk) This is also where you specify the period of time you would like the attacker to be blocked for as you can see, we have opted for an hour. I wanted to take the time to acknowledge that we also have integrations with many other third-party vendors, including a generic web hook and SSH connector, meaning you can essentially automate towards anything ![](https://fabriclab-tech.gitbook.io/files/VdgE8Hapk5iPCKBT8ReM) On the left-hand pane, you can also go to Fabric, Foreign Quarantine Status, for our list of all current active and historical quarantines. ![](https://fabriclab-tech.gitbook.io/files/hvhC05DvSvekZxOifs2r) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/access-webserver.md). # Access - Webserver Navigate back to your browser tab that has the Windows "Inside host" session active. Open up cmd and a ping to 198.51.100.100 this should fail. ![](https://fabriclab-tech.gitbook.io/files/ROdWVZzHDALxgmK6M4Zb) Open up Google Chrome and click the bookmark product store, this should not load. the reason for this is we don't meet the criteria of the policy to have the Windows calculator running! ![](https://fabriclab-tech.gitbook.io/files/gHc4detf5SVTCIFYgb8P) Minimise the Google Chrome browser so then you are displaying FortiClient and the ping side by side, it's important that we do this to demonstrate that ZTNA is a constant policy check what I mean by that is the next time that the client sends and receives an update from the EMS server the device's posture is updated. This is an enhancement on prior security because if the device's posture changes, for example, it becomes vulnerable then the session to the web server is terminated immediately as the device is no longer compliant! Your desktop should look as below ![](https://fabriclab-tech.gitbook.io/files/CkYEVIqPdAQoL9BIu15V) Now open calculator, in our current configuration it can take anywhere between 1 and 60 seconds depending on where you catch the refresh cycle between the client and the server ![](https://fabriclab-tech.gitbook.io/files/L9E40yJGBW2tnHXUA0Pt) When the tag refresh has taken place. You will see that the Win\\\_Calculator\\\_Running tag has been added and the ping will now be successful. ![](https://fabriclab-tech.gitbook.io/files/TYA4qOCFbufN3gqPhoIo) Open up Google Chrome again and click the product store bookmark; this time it should load ![](https://fabriclab-tech.gitbook.io/files/u9ZfNFOtyXvJqeP5CxZv) If you wish to test why this is an enhancement and the dynamic-ness, open up Task Manager, locate Calculator, and end all of the tasks ![](https://fabriclab-tech.gitbook.io/files/cJ3iJcZzizMIatjeNYVx) Once the refresh period is completed access to the product store will again be revoked and you will see the ping fail. This is an important security enhancement because we are taking into consideration the \*\*live\*\* security posture of the device. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortisandbox/defence-downloading-malware.md). # Defence - Downloading Malware Now using the existing page, click one of the malware links. We'll be using RaccoonStealer in our example here. ![](https://fabriclab-tech.gitbook.io/files/9isuOtPgwxwzs4TtudoY) After a couple of seconds, you should see the widget appear in the top right-hand corner saying that the file has been downloaded. However, you'll quickly notice that the action section is blank. This is normally where you will be able to download the file this is because the file was actually sent to FortiSandbox for further inspection and a verdict ![](https://fabriclab-tech.gitbook.io/files/FfgOZespI0ECkmQG31Io) Eventually, the widget will update to inform the user that there has been Malware detected in the file, and you cannot download it ![](https://fabriclab-tech.gitbook.io/files/SRSOI3mW80oIzDWYM2b4) It's important to know that what you're actually seeing is a virtual machine being rendered back to your web browser so you haven't actually handled the Malware on your local machine unless you actually downloaded it which has been blocked in this case. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/scenario-story-narrative.md). # Scenario - Story/Narrative The organisation you are working for has been susceptible to email phishing attacks containing malware links, and then users downloading them and detonating them on their local host. This has resulted in the IT team implementing a Remote Isolation Browser (RBI) - FortiIsolator, to work in conjunction with FortiMail. In the scenario, you will send an email with various different links from an external source. You will see that when they are received internally, FortiMail redirects to FortiIsolator using click protection. The instance that the user sees is actually being rendered via FortiIsolator, providing the user with absolute protection. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/analyze-fortimail.md). # Analyze - FortiMail Using your Fabric Studio instance, if you open up FortiMail, this is done by right-clicking it, access > HTTPS \`Username: admin / Password: fortinet4A!!\` Once you're logged in, if you use the left-hand navigation pane, under the monitor section, click Log, and then you will see that the history tab is already selected. You will be able to see the analytics of the email that you just sent. ![](https://fabriclab-tech.gitbook.io/files/m5qYtlktScjfJOpWykgB) If you double-click, you can see that FortiSandbox has classified the file amended the subject line with "malicious" and identified it as a threat ![](https://fabriclab-tech.gitbook.io/files/zvwgB3zIXry0vGWNZYgi) You can also double-click the entry to get more information ![](https://fabriclab-tech.gitbook.io/files/rVAnoKNrdKhbqu0IXNzY) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortimail-and-fortisandbox/defence-scenario-steps.md). # Defence - Scenario Steps As the email has been sent, it's now time to check out the defence. We'll do this by using the Fabric Studio instance, locating the object "Inside Host", right-clicking it, access, and then display. If your asked for a Username & Password for inside host its \`Username: fabriclab\\demouser5 / Password: Fortinet1!\` ![](https://fabriclab-tech.gitbook.io/files/Lnp1aGrh4hvSJbJTyJDY) This should open another browser tab. Click it. once you're at the desktop, double-click the Google Chrome icon, and then click the Webmail bookmark. Enter the login credentials \`Username: protected / Password: fortinet\` ![](https://fabriclab-tech.gitbook.io/files/pRBiQGQ1qox8puJUUiNl) Click Log In, and then you should see that there is a new email inside the inbox, double click it to open it up! ![](https://fabriclab-tech.gitbook.io/files/kpb4tiWI5YsAJKCg6wLT) As you can see, the email has been received, but the malicious files have been stripped, and the subject has been prefixed with the malicious tag --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail.md). # FortiIsolator & FortiMail - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/scenario-story-narrative.md) - \[Attack - Sending External Email\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/attack-sending-external-email.md) - \[Defence - Internal Mailbox\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortiisolator-and-fortimail/defence-internal-mailbox.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-google-drive-upload.md). # Attack - Google Drive Upload Using the same browser instance, click the Google Drive bookmark this should take you to a pre-logged-in Google Drive instance, click the My Drive button on the left-hand side and scroll down to the bottom where you will find the EndGame folder (As below) ![](https://fabriclab-tech.gitbook.io/files/oou5znqJF46i2K6dDk0t) Double Click into the endgame folder, you may well find that a file is already present in here. If it is, it doesn't matter. When you're prompted, simply overwrite it. Click "New" and then "File Upload" and browse to the desktop ![](https://fabriclab-tech.gitbook.io/files/1gCGqtKRVTsJrSfD2lbU) Select FDLP\\\_File.txt and click open (As below) ![](https://fabriclab-tech.gitbook.io/files/eAtqbkkZr8bOBVBCCMHY) Almost immediately, you should see a FortiDLP file scan widget appear in the top right-hand corner. Shortly after, you will be asked to enter a valid policy violation reason, as it's a demo, enter whenever you want and click OK ![](https://fabriclab-tech.gitbook.io/files/cuDHV0JdBVx0KAPGVpyt) You will notice that the file upload has actually been blocked check to ensure it is not present in Google Drive! --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/scenario-story-narrative.md). # Scenario - Story/Narrative You're a rogue employee inside an organisation who's thinking about leaving. In preparation of your resignation, you decide to try and extract some data to various different sources this includes to ChatGPT and a Personal Google Drive. On attempting this, you receive a pop-up from FortiDLP, resulting in you panicking and trying to disable the agent. During this scenario, you will conduct the attack and you will see the response that FortiDLP and FortiSIEM provide. FortiDLP blocks the attack and then forwards its events via an event stream to FortiSIEM, enabling more correlated analytics and the potential for a response. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/analyze-fortideceptor.md). # Analyze - FortiDeceptor Please log in to \[FortiDeceptor \](https://10.222.101.29/halo/login?returnUrl=%2F)using the hyperlink. \`Username: admin / Password: Fortinet1!\` On login, if you use the left-hand pane sidebar to browse to Incident and then Attack Map. This is usually a good place to start. ![](https://fabriclab-tech.gitbook.io/files/VQc2C0SZ8FpfNvDMgqat) As you can see above, An attacker has tried to access the decoys, .221 = Scada / .222 = VMware. we have also logged the attacking source IP address .45 {% hint style="warning" %} Please note that the attacking source IP address will change depending on what pod you're allocated as an example, we were using Pod 45 here it's always the last octets. If you were allocated Pod 1, the last octets of the source IP address conducting the attack would be .1 {% endhint %} Using the left-hand pane, if you browse to Incident and Analysis. I've actually created a filter to filter by the attacker IP address. This is because the FortiDeceptor instance can get quite busy, as it is shared ![](https://fabriclab-tech.gitbook.io/files/Dwf7YmKmyg6a1UVrT3My) You can actually, double-click into any of the entries as well, which opens up a pane on the right-hand side, here you can see a timeline of absolutely everything that was conducted, such as the GET requests. This includes being able to download a PCAP file to be an analysing tool such as Wireshark ![](https://fabriclab-tech.gitbook.io/files/hZm9ClEOyeg68RE0Jb3t) Using the right-hand pane, if you click "Incident" and then "Campaign," this section creates a logical grouping, for example, if the source IP address is 10.222.102.45. You can actually see that this source IP address has attempted multiple attacks at different timeframes ![](https://fabriclab-tech.gitbook.io/files/WRQR2Am0Du4V2QyY1GEx) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortigate-and-fortideceptor/defence-fortigate.md). # Defence - FortiGate Please log in to \[Shared FortiGate\](https://10.222.101.31/) using the hyperlink. \`Username: admin / Password: Fortinet1!\` Once you're logged in, if you use the left-hand sidebar to expand the dashboard, and then go down to Quarantine Monitor. ![](https://fabriclab-tech.gitbook.io/files/9kOwnZkOnfeg1tJPYGY8) You should see that your pod IP address has been quarantined. to further validate this using the left-hand sidebar, you can go to Log and Report > System Events > Logs I recommend creating a philtre under "Message" for anything that contains the word "stitch" your output should be as below ![](https://fabriclab-tech.gitbook.io/files/kgd71X9K0F3DB9PqWLBY) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem.md). # FortiDLP & FortiSIEM - \[Scenario - Story/Narrative\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/scenario-story-narrative.md) - \[Attack - Asking ChatGPT\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-asking-chatgpt.md) - \[Attack - Google Drive Upload\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-google-drive-upload.md) - \[Attack - Trying to Disable FortiDLP\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/attack-trying-to-disable-fortidlp.md) - \[Analyze - FortiDLP\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortidlp.md) - \[Analyze - FortiSIEM\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/analyze-fortisiem.md) - \[Task - Unlock Host\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/fortidlp-and-fortisiem/task-unlock-host.md) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisoar.md). # Defence - FortiSOAR Please log into \[FortiSOAR\](https://10.222.101.22/login/) using the hyperlink. \`Username: csadmin / Password: fortinet\` {% hint style="warning" %} To restrict the amount of logs being ingested from FortiSIEM into FortiSOAR, you need to manually ingest the specific Incident found in FortiSIEM. \*Normally this would be automated.\* {% endhint %} This is done by using the left hand pane > Automation > Data Ingestion, Find FortiSIEM ![](https://fabriclab-tech.gitbook.io/fabric-lab/~gitbook/image?url=https%3A%2F%2F4195486220-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FBuGANls9sCzGfNwYlECu%252Fuploads%252F8gDYYNIEjVBIdiAEccDD%252Fimage.png%3Falt%3Dmedia%26token%3Df8a102c8-87bb-4393-9597-e7de9c27dbe5&width=768&dpr=4&quality=100&sign=f3fef37e&sv=2) Click Settings, Click "Let's start by fetching some data", Change Fetch Mode to "By Sample Incident ID" this is the ID that you collected in the previous step \[Defence - FortiSIEM\](/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisiem.md) ![](https://fabriclab-tech.gitbook.io/fabric-lab/~gitbook/image?url=https%3A%2F%2F4195486220-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FBuGANls9sCzGfNwYlECu%252Fuploads%252FRvpWuL5tUE6jm2Ek4fIk%252Fimage.png%3Falt%3Dmedia%26token%3D13d16d22-224f-4fea-9547-5da740c1849b&width=768&dpr=4&quality=100&sign=a8f3f9a6&sv=2) Click Fetch Data, Do you want to schedule the ingestion? Please select "No", Click "Save Settings & Continue", Click "Trigger Ingestion Now", Now, using the left-hand sidebar, browse to the alert section one of the most recent alerts should read: Successful RDP login to decoy from ![](https://fabriclab-tech.gitbook.io/files/ASnjbJ46Tj4wXpTLatb6) Click the alert to enter into more details. Lots of correlated and enriched data can be found here ![](https://fabriclab-tech.gitbook.io/files/wLUctv5hCzMEQifr1r4c) If you scroll down very slightly, you will find a diagram. This is a correlation of every single time that FortiSASE has seen an attack that matches this vector, just to explain, the FortiSOAR instance is shared across many different lab environments. It's constantly being populated with attack simulation data from various other environments what it's done here is correlated all the different source IP addresses and created a logical diagram so you could see how just how many devices have attempted this attack. ![](https://fabriclab-tech.gitbook.io/files/ZdPRodHdozrRUF8r5H8i) Now if you scroll back to the top where you've got alert details and playbooks, click playbooks ![](https://fabriclab-tech.gitbook.io/files/LyNH8Pba9TJQXQBzMOOU) You will see that our playbook has also automatically initiated. The administrator has done this associated with the play, but with the updating of a record when the subject matches as below ![](https://fabriclab-tech.gitbook.io/files/jGvjEbaIA5waqfk7IJkm) This then adds the source IP address of the attacker to a dynamic address group within the FortiGate firewall ![](https://fabriclab-tech.gitbook.io/files/twe8wGTrRoOh8QNMLzeL) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/show-forticlient-ems.md). # Show - FortiClient EMS Please log into \[FortiClient EMS\](https://10.222.101.40/#/signin) using the hyperlink \`Username: FabricSolutionsLab / Password: Fortinet1!\` On login if you use the left-hand sidebar to browse to security posture tags, tagging rules, have a look inside the rules that have been created. Take note that FortiEDR and Windows have pre-defined rules to be used (Meaning the user doesn't need to do any advanced configuration). ![](https://fabriclab-tech.gitbook.io/files/OjiYFd0l65SHZ79V43EQ) We will be using these tags that get applied to endpoints to further secure access to specific destinations via a FortiGate shortly. You can also use the Left hand pane > Security posture tags > Tag Monitor to view what tags are currently applied to what endpoints. ![](https://fabriclab-tech.gitbook.io/files/ALkaqtpsLlMheWpz7fce) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortisoar.md). # Analyze - FortiSOAR Please log into \[FortiSOAR\](https://10.222.101.22/login/) using the hyperlink. \`Username: csadmin / Password: fortinet\` {% hint style="warning" %} To restrict the amount of logs being ingested from FortiSIEM into FortiSOAR, you need to manually ingest the specific Incident found in FortiSIEM. \*Normally this would be automated.\* {% endhint %} 1. This is done by using the left hand pane > Automation > Data Ingestion 2. Find FortiSIEM ![](https://fabriclab-tech.gitbook.io/fabric-lab/~gitbook/image?url=https%3A%2F%2F4195486220-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FBuGANls9sCzGfNwYlECu%252Fuploads%252F8gDYYNIEjVBIdiAEccDD%252Fimage.png%3Falt%3Dmedia%26token%3Df8a102c8-87bb-4393-9597-e7de9c27dbe5&width=768&dpr=4&quality=100&sign=f3fef37e&sv=2) 3\. Click Settings 4. Click "Let's start by fetching some data" 5. Change Fetch Mode to "By Sample Incident ID" this is the ID that you collected in the previous step \[Defence - FortiSIEM\](/fabric-solutions-lab-automate/attack-and-defence-1/defence-fortisiem.md) ![](https://fabriclab-tech.gitbook.io/fabric-lab/~gitbook/image?url=https%3A%2F%2F4195486220-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FBuGANls9sCzGfNwYlECu%252Fuploads%252FRvpWuL5tUE6jm2Ek4fIk%252Fimage.png%3Falt%3Dmedia%26token%3D13d16d22-224f-4fea-9547-5da740c1849b&width=768&dpr=4&quality=100&sign=a8f3f9a6&sv=2) 6\. Click Fetch Data 7. Do you want to schedule the ingestion? Please select "No" 8. Click "Save Settings & Continue" 9. Click "Trigger Ingestion Now" 10. Using the left-hand sidebar, if you navigate to Incident Response > Alerts. You should see an entry that says: FortiMail found malicious spam file attachment. WannaCry (Example of the nav bar and the alert below) ![](https://fabriclab-tech.gitbook.io/files/j6xzLck95jVgJTKHJB9D) 11\. Double-click into the correct alert ![](https://fabriclab-tech.gitbook.io/files/MYGPmlqITi9ZDwpy7v7U) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-1/analyze-fortimail-and-fortindr.md). # Analyze - FortiMail & FortiNDR Using your Fabric Studio instance, if you open up FortiMail, this is done by right-clicking it, access > HTTPS \`Username: admin / Password: fortinet4A!!\` Once you're logged in, if you use the left-hand navigation pane, under the monitor section, click Log, and then you will see that the history tab is already selected, click the AV tab. ![](https://fabriclab-tech.gitbook.io/files/6fogXsLrdBDUagkIz0SG) As you can see, Wanna Cry has been detected and blocked. if you require more information, you can actually double click into the header ![](https://fabriclab-tech.gitbook.io/files/VUMXA5nYGGlOxkE0fX0v) if you log in to \[FortiNDR\](https://10.222.101.20/sl/log/threatReport) by clicking the hyperlink \`Username: admin / Password: Fortinet1!\` click Log and report, then Malware log you should see the below ![](https://fabriclab-tech.gitbook.io/files/93kbFODkuriuggTDAyzK) {% hint style="warning" %} Regards to FortiNDR, just be mindful that it's a shared instance, so you will see lots of malware from different pods. {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-3/check-windows-host.md). # Check - Windows Host Start by logging into the Fabric Studio instance, locating the object "Inside Host", right-clicking it, access, and then display. If your asked for a Username & Password for inside host its \`Username: fabriclab\\demouser5 / Password: Fortinet1!\` {% hint style="info" %} Its very importnat you login as a domain user (As above) {% endhint %} ![](https://fabriclab-tech.gitbook.io/files/Lnp1aGrh4hvSJbJTyJDY) Once you're logged in, locate FortiClient. It should be in the taskbar in the bottom right-hand corner (Example below) ![](https://fabriclab-tech.gitbook.io/files/1WIUWQ8ScrkQTf4FUNcU) Make sure that you click the DemoUser5 profile, take a note of the security posture tags that are listed (FortiEDR\\\_Running & FortiDLP\\\_Running) --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fabriclab-tech.gitbook.io/fabric-solutions-lab-automate/attack-and-defence-2/defence-fortisiem.md). # Defence - FortiSIEM Please log in to \[FortiSIEM\](https://10.222.101.28/phoenix/login.html) using the hyperlink. \`Username: admin / Password: Fortinet1!/ Organization: super\` ![](https://fabriclab-tech.gitbook.io/files/GuFuFnR3Oa0AuGvWqFAo) In the top right, click the exit button and then change organisation view ![](https://fabriclab-tech.gitbook.io/files/xRResErnJ0eGJwONdgT7) Select admin view, local, and then press Change View ![](https://fabriclab-tech.gitbook.io/files/gxJ1QRTnVDEwypyAyitF) In the top nav bar, ensure that Dashboard is selected, using the drop-down menu on the left-hand side, ensure that Fortinet Security Fabric is selected and also FortiDeceptor. You will see that there's been some RDP events recorded ![](https://fabriclab-tech.gitbook.io/files/QIQAv7OzxZGloFmNIenr) Using the top nav bar, click the bell icon to move over to incidents, you will see various incidents, but please note that you should see the FortiDeceptor successful RDP log in to decoy alert. Click the header as below in the screenshot ![](https://fabriclab-tech.gitbook.io/files/XR9bv1OvINgHwcpJfUUt) This should open up another section like the screenshot below take a note/copy the incident ID (this will be different when you conduct your own scenario a will be needed for the further steps into FortiSOAR ![](https://fabriclab-tech.gitbook.io/files/pM1c65xkqz7oUxwnksEJ) ---