Channel: Fortinet Cookbook

Redundant Internet Connections (Video)


In this video you will learn how to create a virtual Wide Area Network link that provides your FortiGate unit with redundant Internet connections from two Internet Service Providers or ISPs. The virtual WAN link combines both connections into a single interface.

This example uses weighted load balancing set up so that one primary ISP handles most of your Internet traffic, and the secondary ISP provides automatic failover if your primary ISP connection fails.

The recipe for this video is available here.

The post Redundant Internet Connections (Video) appeared first on Fortinet Cookbook.


WiFi with WSSO using Windows NPS and FortiGate Groups


This is an example of wireless single sign-on (WSSO) with a FortiGate. The WiFi users are students at a school. They belong to a Windows Active Directory (AD) group called WiFiAccess. When a student enters the WiFi username and password, the FortiGate checks the local user group that is set up for remote RADIUS authentication and authenticates the student against the Network Policy Server (NPS) RADIUS server. If the student is authenticated successfully, the FortiGate checks for a policy that allows the AD group access.

1. Registering the FortiGate as a RADIUS client on NPS

From the NPS, right-click RADIUS Clients and create an entry for the FortiGate. Enter the FortiGate’s IP address and the Shared secret (password).

2. Creating a Connection Request Policy

Right-click Connection Request Policies under Policies and select New. Leave the default values on the Overview and Settings tabs. On the Conditions tab, set Client IPv4 Address to the FortiGate’s IP address.

3. Creating a Network Policy

Right-click Network Policies under Policies and select New to create a new policy. Leave the default values on the Overview tab. On the Conditions tab, click Add, select Windows Group, then select Add. Finally, select Add Groups, enter WiFiAccess, and select OK.
On the Constraints tab, under Authentication Methods, click Add, select Microsoft: Protected EAP (PEAP), and click OK. Next, select Microsoft Encrypted Authentication version 2 (MS-CHAP-v2), then select User can change password after it has expired and click OK.

4. Configuring FortiGate to use the RADIUS server

On the FortiGate, go to User & Device > RADIUS Servers and select Create New. Name the server DC-RADIUS, and enter the Domain Controller’s IP address and the Server Secret that you entered on NPS. Optionally, click Test Connectivity and enter a RADIUS user’s ID and password. The result should be “Successful”.

5. Configuring a user group on the FortiGate

Go to User & Device > User Groups. Create a group named WiFi. Click on Create New under Remote groups, then enter DC-RADIUS for Remote Server, and Any for Groups. Select OK, and OK again.

6. Creating an SSID with RADIUS authentication

Go to WiFi & Switch Controller > SSID. Create an SSID and set up DHCP for clients.
Set WPA2-Enterprise with Local authentication, and choose the local group WiFi.

7. Creating a security policy

Go to Policy & Objects > IPv4 Policy. Create a WiFi-to-Internet policy. Use WiFi group as the Source.

8. Results

Connect to the WiFi network, authenticate, and browse the Internet. Try this with a user that belongs to the WiFiAccess Windows AD Group.
Go to Monitor > Firewall User Monitor. You can see the User Name, User Group and verify that WSSO authentication Method was used.


IPsec VPN with native Mac OS X client


In this recipe, you will learn how to create an IPsec VPN on a FortiGate, and connect to it using the default Mac OS X client.

This configuration allows Mac users to securely access an internal network and browse the Internet through the VPN tunnel. This recipe assumes that a user group (mac-users) has already been created.

This recipe was tested using Mac OS X El Capitan version 10.11.5.

1. Configuring the IPsec VPN using the Wizard

Go to VPN > IPsec Wizard.

Name the VPN connection, set Template Type to Remote Access, select the Cisco Client remote device type, and select Next.

Set Incoming Interface to the Internet-facing interface.

Select the Pre-shared Key authentication method and enter a pre-shared key.

Apply the appropriate User Group and select Next.

Set Local Interface to the internal interface and set Local Address to all.

Enter a Client Address Range for VPN users and select Create.

Disable split tunneling if you want all traffic (Internet and internal) to go through the IPsec VPN tunnel.

The VPN Creation Wizard provides a summary of created objects.

2. Creating a security policy for remote access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy that allows remote users to securely access the Internet.

Set Incoming Interface to the newly created tunnel interface and set Outgoing Interface to the Internet-facing interface.

Set Source to all, Destination Address to all, Schedule to always, and Service to ALL.

Enable NAT and select OK.

3. Results

On the Mac, go to System Preferences > Network and select the Plus (+) button.
Set Interface to VPN, set VPN Type to Cisco IPsec, and select Create.
Set Server Address to the IP address of the FortiGate, enter the network account details for the user, and open Authentication Settings.

Select the Shared Secret authentication and enter the same pre-shared key that was entered in the IPsec VPN Wizard, then select OK.

Be sure to Apply your network configuration.

In the Network window on the Mac, select the VPN and select Connect.

You should now be able to browse the Internet and have access to the internal network.

On the FortiGate, go to Monitor > IPsec Monitor and confirm that the tunnel Status is Up.

You must select Cisco Client because the native Mac OS client is a Cisco client. If you require an IPsec VPN created for Mac mobile devices (such as iPhones and iPads), select the iOS Native remote device type.


WiFi with WSSO using FortiAuthenticator RADIUS and Attributes


This is an example of wireless single sign-on (WSSO) with a FortiGate and FortiAuthenticator. The WiFi users are teachers and students at a school. These users each belong to a user group, either teachers (smaguire) or students (whunting). The FortiAuthenticator performs user authentication and passes the user group name to the FortiGate so that the appropriate security policy is applied.

This recipe assumes that an SSID and a FortiAP are configured on the FortiGate unit. In this configuration, you will be changing the existing SSID’s WiFi settings so authentication is provided by the RADIUS server. To learn more about configuring FortiAP, see Setting up WiFi with a FortiAP.

For this example, the student security policy applies a more restrictive web filter.


1. Registering the FortiGate as a RADIUS client on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new account.

Enter a Name, the Internet-facing IP address of the FortiGate in Client name/IP, and enter a Secret.

Select the Password-only authentication method, select the Local users realm, and enable all EAP types.

2. Creating users on the FortiAuthenticator

Go to Authentication > User Management > Local Users and select Create New.

Create one teacher user (smaguire) and another student user (whunting).

Note that, after you create a user, RADIUS Attributes appears as an option.

If your configuration involves multiple users, it is more efficient to add RADIUS attributes in their respective user groups, in the next step.

3. Creating user groups on the FortiAuthenticator

Go to Authentication > User Management > User Groups and create two user groups: teachers and students.

Add the users to their respective groups.

Once created, edit both user groups; RADIUS Attributes is now available.

Select Add Attribute.

Add the Fortinet-Group-Name RADIUS attribute to each group, which specifies the user group name to be sent to the FortiGate.
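The RADIUS exchange that this step and step 4 rely on (the NPS-based recipe above uses the same exchange, just without the group attribute), as an added example that is not part of the recipe or of any Fortinet code: a Python model of the FortiGate sending an Access-Request and the RADIUS server answering with an Access-Accept that carries Fortinet-Group-Name in a Vendor-Specific attribute (Fortinet vendor ID 12356, vendor type 1, as in Fortinet's RADIUS dictionary). The shared secret, the passwords and the in-memory user table are constructed for the example; the real WPA2-Enterprise exchange is wrapped in PEAP/EAP, which is omitted here, but the Response Authenticator check and the VSA decoding are the same.

```python
import hashlib
import os
import struct

# RFC 2865 codes/attributes, plus Fortinet's vendor ID and the Fortinet-Group-Name vendor type.
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
FORTINET_VENDOR_ID, FORTINET_GROUP_NAME = 12356, 1

# Constructed sample data (not from the recipe): a made-up shared secret, and the recipe's two
# users mapped to made-up passwords and the group names FortiAuthenticator would send back.
SHARED_SECRET = b"example-shared-secret"
USER_DB = {"smaguire": ("teacher-pass", "teachers"), "whunting": ("student-pass", "students")}


def attr(atype, value):
    """Encode one attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def fortinet_group_name_vsa(group):
    """Vendor-Specific attribute (26) wrapping Fortinet-Group-Name for the given group."""
    inner = struct.pack("!BB", FORTINET_GROUP_NAME, len(group) + 2) + group.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + inner)


def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_password(blob, secret, request_auth):
    """Inverse of encrypt_password; the previous ciphertext block feeds the next key."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attributes(data):
    """Walk the attribute list, rejecting a length that would run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def access_request(ident, username, password):
    """Client side (the FortiGate): Access-Request with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), SHARED_SECRET, request_auth))
    head = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + request_auth + attrs, request_auth


def radius_server(packet, secret=SHARED_SECRET):
    """Server side (NPS or FortiAuthenticator): verify the credentials, reply with Access-Accept
    carrying Fortinet-Group-Name or with Access-Reject. The reply is bound to the request by the
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(parse_attributes(packet[20:length]))
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    entry = USER_DB.get(username)
    if entry and entry[0].encode() == password:
        code, reply_attrs = CODE_ACCESS_ACCEPT, fortinet_group_name_vsa(entry[1])
    else:
        code, reply_attrs = CODE_ACCESS_REJECT, b""
    head = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(head + request_auth + reply_attrs + secret).digest()
    return head + response_auth + reply_attrs


def client_process_reply(reply, request_auth, secret=SHARED_SECRET):
    """Client side: check the Response Authenticator before trusting any attribute, then pull
    the group name out of the VSA. Returns the group for an Access-Accept, None for a Reject."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    reply_attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + request_auth + reply_attrs + secret).digest()
    if expected != reply[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if code != CODE_ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(reply_attrs):
        if atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vtype == FORTINET_GROUP_NAME:
                return value[6:4 + vlen].decode()
    return None


def authenticate(username, password, ident=1):
    """Run the whole exchange in-process; returns the group the FortiGate would apply policy by."""
    packet, request_auth = access_request(ident, username, password)
    return client_process_reply(radius_server(packet), request_auth)


if __name__ == "__main__":
    print(authenticate("smaguire", "teacher-pass"), authenticate("whunting", "student-pass"))
```

The order of operations in client_process_reply is the point: the Response Authenticator is verified before any attribute is read, so a reply produced with a different secret (for instance radius_server(packet, secret=b"wrong-secret")) raises instead of quietly mapping the user into a group. This is also why the secret entered on the FortiGate must match the one on NPS or FortiAuthenticator exactly, and why Test Connectivity fails when it does not.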

4. Configuring FortiGate to use FortiAuthenticator as the RADIUS server

On the FortiGate, go to User & Device > RADIUS Servers and select Create New.

Enter a Name, the Internet-facing IP address of the FortiAuthenticator in Primary Server IP/Name, and enter the same Primary Server Secret as you entered on the FortiAuthenticator.

You can optionally select Test Connectivity. Enter a RADIUS user’s name and password. The result should be Successful.

5. Configuring user groups on the FortiGate

Go to User & Device > User Groups and create two groups named the same as the ones created on the FortiAuthenticator.

Do not add any members to either group.

6. Creating security policies

Go to Policy & Objects > IPv4 Policy and select Create New.

Create two policies with WiFi-to-Internet access: one policy with Source set to the students user group, and the other set to teachers. Make sure to add the SSID address (example-wifi) to both policies also.

The student policy has a more restrictive Web Filter enabled.

7. Configuring the SSID to RADIUS authentication

Go to WiFi & Switch Controller > SSID and edit your pre-existing SSID interface.

Under WiFi Settings, set Security Mode to WPA2 Enterprise, set Authentication to RADIUS Server, and add the RADIUS server configured on the FortiGate earlier from the dropdown menu.

8. Results

Connect to the WiFi network as a student.
Then on the FortiGate go to Monitor > Firewall User Monitor. From here you can verify the user, the user group, and that the WSSO authentication method was used.
You can also go to FortiView > Policies to verify that the appropriate security policy was applied.


Configuring LDAP over SSL with Windows Active Directory


In this recipe you will learn how to configure LDAP over SSL (LDAPS) with Windows Server 2012. This external authentication server provides secure password checking for selected FortiGate users or groups.

The Lightweight Directory Access Protocol (LDAP) is used to read from Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL).

The goal is to generate and export a CA certificate from the AD server, then import it, as an external CA certificate, into the FortiGate. Finally, enable the CA certificate in the LDAPS server object.

Active Directory Certificate Services (AD CS) must be installed in your Windows Server 2012.

1. Exporting the LDAPS Certificate in Active Directory (AD)

Open the Command Prompt, type mmc and hit enter. Select File and then click Add/Remove Snap-in. Select Certificates and then click Add. In Certificates snap-in select Computer account and then click Next.

In Select Computer, if you are working at the LDAP server requiring the certificate, select Local. Otherwise, select Another computer and click Browse to locate the LDAP server requiring the certificate. Once you have the correct computer selected, click OK and then click Finish.

In the console tree, expand Certificates (<computer>). In the certificates console of a computer that contains a certificate that can be used for Server Authentication, right-click the root certificate, click All Tasks, and then click Export.

On the Certificate Export Wizard welcome screen, click Next. On the Export Private Key screen, select No, then click Next.

On the Export File Format screen, select DER.

On the File to Export screen, enter a path, file name, and .cer file extension in the File name box and then click Next. Confirm the settings on the completion screen and then click Finish. You should see a pop-up message indicating that the export was successful. Click OK.

2. Importing the LDAPS Certificate into the FortiGate

Go to System > Config > Features, and enable Certificates.

Go to System > Certificates and select Import > CA Certificate. Select Local PC and Choose File, then browse for certificate file and click OK.

You may rename the system-generated CA_Cert_1 to something more descriptive.

CLI Example:
FGT # config vpn certificate ca
FGT (ca) # rename CA_Cert_1 to LDAPS-CA
FGT (ca) # end

The Name under External CA Certificates now shows as LDAPS-CA.

3. Creating the LDAPS Server object in the FortiGate

User DN must have server administrator access.

4. Results

Verify that the LDAPS server object is authenticating correctly.

On the FortiGate, use the following diagnose command to test authentication against the LDAPS server. When you enter the command, use an actual username and password from the LDAPS server (in the example, administrator and pa$$w0rd). If everything is configured correctly, the command output indicates that authentication succeeded and lists the user’s group memberships.
FGT # diagnose test authserver ldap LDAPS administrator pa$$w0rd
authenticate 'administrator' against 'LDAPS' succeeded!
Group membership(s) - CN=Domain Admins,CN=Users,DC=fortinet,DC=local
                      CN=Administrators,CN=Builtin,DC=fortinet,DC=local
                      CN=Domain Users,CN=Users,DC=fortinet,DC=local
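A small parser for the diagnose output above, added here as an example and not part of the recipe or of FortiOS: it extracts the result and the group DNs, checks membership of a named group (optionally pinned to the expected DC components so a same-named group from another domain does not match), splits DNs correctly when a CN contains an escaped comma, and scrubs the cleartext password that the command line echoes before the output is pasted anywhere. The sample text is the recipe's output copied verbatim; the function names are this example's own.

```python
import re

# Constructed sample: the command and its output exactly as shown in the recipe.
SAMPLE_OUTPUT = """\
FGT # diagnose test authserver ldap LDAPS administrator pa$$w0rd
authenticate 'administrator' against 'LDAPS' succeeded!
Group membership(s) - CN=Domain Admins,CN=Users,DC=fortinet,DC=local
                      CN=Administrators,CN=Builtin,DC=fortinet,DC=local
                      CN=Domain Users,CN=Users,DC=fortinet,DC=local
"""

SUCCESS_RE = re.compile(r"authenticate '(?P<user>[^']*)' against '(?P<server>[^']*)' succeeded!")
GROUPS_PREFIX = "Group membership(s) -"


def split_dn(dn):
    """Split an LDAP DN into (attribute, value) RDNs, honouring backslash-escaped commas such as
    CN=Smith\\, John. Splitting on ',' naively would turn that one CN into two bogus RDNs."""
    parts, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            current += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
        i += 1
    parts.append(current)
    rdns = []
    for part in parts:
        key, _, value = part.partition("=")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns


def parse_diagnose_output(text):
    """Return {'user', 'server', 'success', 'groups'} from the diagnose output.
    Output without the 'succeeded!' line is treated as a failed authentication."""
    result = {"user": None, "server": None, "success": False, "groups": []}
    in_groups = False
    for line in text.splitlines():
        match = SUCCESS_RE.search(line)
        if match:
            result.update(user=match["user"], server=match["server"], success=True)
            continue
        if line.startswith(GROUPS_PREFIX):
            in_groups = True               # first DN is on this line, the rest are indented below
            line = line[len(GROUPS_PREFIX):]
        if in_groups and line.strip():
            result["groups"].append(line.strip())
    return result


def is_member(result, group_cn, domain_dcs=None):
    """True when the user is in a group whose leading RDN is CN=<group_cn> (case-insensitive).
    Pass domain_dcs (e.g. ['fortinet', 'local']) to require the group to live in that domain."""
    for dn in result["groups"]:
        rdns = split_dn(dn)
        if not rdns or rdns[0][0] != "CN" or rdns[0][1].lower() != group_cn.lower():
            continue
        if domain_dcs is not None:
            dcs = [v.lower() for k, v in rdns if k == "DC"]
            if dcs != [d.lower() for d in domain_dcs]:
                continue
        return True
    return False


def redact_password(text):
    """The command line echoes the test password in clear; replace it before sharing the output."""
    return re.sub(r"(diagnose test authserver ldap \S+ \S+ )\S+", r"\1<redacted>", text)


if __name__ == "__main__":
    parsed = parse_diagnose_output(SAMPLE_OUTPUT)
    print(parsed["success"], parsed["groups"])
    print(is_member(parsed, "Domain Admins", ["fortinet", "local"]))
    print(redact_password(SAMPLE_OUTPUT))
```

The group list is what the FortiGate matches against the LDAP group configured in a user group or policy, so when a user authenticates but lands in the wrong policy, comparing the DNs returned here against the configured group DN (domain components included) is the quickest check.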

Make it a policy to learn before configuring policies


There is always an underlying assumption that system administrators know what is passing through their networks. While this may be true most of the time, there are always the old truisms about what happens when you make assumptions. Sometimes it’s the system administrators themselves making this assumption. To help correct any differences between assumptions and reality, the feature “Policy Learning” was introduced in FortiOS 5.4. Its purpose is to help inform sysadmins what is actually moving through their networks.

Policy Learning is very simple to set up. All it takes is a single mouse click to choose the new option and enable the feature on an individual firewall policy. It is, however, worth going over how to use the feature and what is going on in the background. Just as important is going over why you should be using this feature.

To keep things simple and generic, we will use the fictional working environment of an existing network that has just installed a brand new FortiGate. To make it more fun we’ll say it’s your first day on the job at a brand new company. This way we can be sure you haven’t developed any bad habits yet.

When installing a new FortiGate, the first policy set up is usually one that goes from the inside to the Internet with fairly little in the way of restrictions. After all, first you want to make sure that you can connect to things before the access is limited for policy reasons. Once you have verified that you have that first connection and that everyone can access the Internet it is time to start locking things down. Wouldn’t it be nice to know which traffic you should be locking down, which you should be letting through and which should be managed instead of prevented?

To make life easy for the purposes of this example, we will work on the premise that you have a little bit of time before you have to complete and finalize all of your policies. Take that first policy, the one that most outbound traffic will be going through. When it was first set up, the Action field was set to ACCEPT.

The options for this field are ACCEPT, DENY, LEARN, and IPsec.

  • ACCEPT allows all matching traffic to go through the policy.
  • DENY drops all of the matching packets.
  • IPsec is for setting up IPsec VPN policies.

The option that interests us now is LEARN.

Selecting the Learn option for policies

As cool as it would be for the FortiGate to be the one doing the learning, the purpose of this particular option is to make it easier for the system administrator to learn what sort of traffic is occurring on the network.

When the LEARN option is selected, a few things will be going on in the background.

The profiles

The first thing you are likely to notice is that all of the Security Profile options that you would normally see in the configuration window will no longer be displayed. You don’t need them because a number of predefined, hard coded profiles have been assigned to the policy for you.

These profiles:

  • Are all flow-based
  • Are static and cannot be changed
  • Have SSL inspection disabled
  • Are configured to monitor all the traffic that goes through the policy

Profiles not included are:

  • DNS Filter – There is no Flow mode for this profile
  • Web Application Firewall – There is no Flow mode for this profile
  • CASI – (Almost all signatures in CASI require SSL deep inspection. Without SSL inspection, turning on CASI serves little purpose.)

Logging and Reporting

Monitoring the traffic is of little use unless the system administrator can make use of it. Once the learning policy has been active long enough to collect some useful information, reports built from the analyzed logs can be viewed in an area of the Log & Report section set aside specifically for these reports.

To get to the Learning Report Window, go to Log & Report and select Learning Report.

Here you can select whether you want a Full Report, which includes all of the details, or a Report Summary. You can also choose from these time frames:

  • the past 5 minutes
  • the past hour
  • the past 24 hours

Both the Full Report and the Report Summary will include, but with different levels of granularity, these topic headings:

  • Deployment Methodology
    • Test Details
    • Start time
    • End time
    • Model
    • Firmware
    • Policy List
  • Executive Summary
    • Total Attacks Detected
    • Top Application Category
    • Top Web Category
    • Top Web Domain
    • Top Host by Bandwidth
    • Host with Highest Session Count
  • Security and Threat Prevention
    • High Risk Applications
    • Application Vulnerability Exploits
    • Malware, botnets and Spyware/Adware
    • At-Risk Devices and Hosts
  • User Productivity
    • Application Usage
      • Top Application Categories
      • Top Social Media Applications
      • Top Video/Audio Streaming Applications
      • Top Peer to Peer Applications
      • Top Gaming Applications
    • Web Usage
      • Top Web Categories
      • Top Web Applications
      • Top Web Domains

Why do you want to know this information?

Once you have this information you can perform the most important aspect of a system administrator’s role: making informed decisions. It makes no sense to configure policies based on what you think is happening on your network. You may have a policy that locks down peer-to-peer traffic because you’re worried about people using the company bandwidth to download torrents, because that’s what happened at the last place you worked. Trouble is, at this new place nobody cares about torrents because they’re spending all of their time playing Facebook games.

This is the scenario for one policy, going in one direction. Every time a new policy is set up it is worth spending an hour or a day to find out what is going through that policy before determining what restrictions are necessary to put on it. Not only is it a good idea to discover the different ways in which policies are being used for unintended purposes, but it is also good to verify that policies are being used for the intended purpose. If you set up a policy specifically to manage the traffic between some internal servers and a third party service on the Internet, it’s worth your time to verify that the intended traffic is going through that policy and not another one.

In order to be an effective system administrator it helps to have current and actual data to base decisions on.

Once you have a realistic idea of what is going through your network you can start to make plans on how to manage that traffic. The intended traffic should go through, but do you just allow it and forget about it, or do you monitor it? As for the less desirable traffic, do you block it, schedule it for specific time periods, or set up quotas for it? Some choices will be easier than others. For malicious traffic or traffic that is against organizational policy, the decision has already been made. For traffic that isn’t dangerous, other than to productivity, there may need to be some discussions with stakeholders and those with appropriate levels of authority.

Maintenance

This feature doesn’t have to be only for new policy configurations. Like any other complex system, network environments evolve over time. The traffic that was captured when you were first setting up the policy may have also changed over time. It could be because new people are now on the network, the network configuration has changed or there are new roles for people and devices on your network. As part of your maintenance plan set aside some time for relearning what traffic is going through your policies so that you can update your policies accordingly.

The obligatory warning

Because the profiles used in learning mode only monitor and do not block anything, it is recommended that they be used only on outbound policies or on policies between segments of the internal network. The time an unsecured system is exposed to the Internet before someone attempts to compromise it is measured in seconds. If you are going to set up learning on an incoming policy, make sure that your exposure to compromise is as limited as possible.


Security Fabric Overview (Video)


This video provides an overview of Security Fabric. Enterprise networks can become overly complex with many moving parts, and it’s often difficult to know how each device is being used. This short overview video shows how the Security Fabric ties your network together, and how it can be used to visualize what’s going on using FortiView. This is achieved by viewing both the Physical Topology and the Logical Topology.

This video is part of the Cooperative Security Fabric collection. It can also be used as a standalone video.



Adding FortiManager to a security fabric


In this recipe, you will add a FortiManager to a network that is already configured as a Cooperative Security Fabric (CSF). This will simplify network administration because you can manage all of the FortiGates in the fabric from the FortiManager.

This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.

In this example, the FortiManager is added to an existing security fabric. The FortiManager, as well as a FortiAnalyzer, both connect to the same port on the upstream FortiGate, called External, to provide services to the entire network.

1. Connecting the External FortiGate and the FortiManager

In this example, the External FortiGate’s port 16 will connect to port 2 on the FortiManager.

On the External FortiGate, go to Network > Interfaces and edit port 16. Set an IP/Network Mask for the interface (in the example, 192.168.55.2).

Configure Administrative Access to allow FMG-Access and FortiTelemetry.

On the FortiManager, go to System Settings > Network, select All Interfaces, and edit port2.

Set IP Address/Netmask to an internal IP (in the example, 192.168.55.20/255.255.255.0).

Connect the External FortiGate and the FortiManager.

On the FortiManager, go to System Settings > Network. Port 2 is now shown as the management interface. Add a Default Gateway, using the IP address of the External FortiGate’s port 16.

If you previously configured a FortiAnalyzer using the recipe Adding a FortiAnalyzer to a security fabric, you may be able to skip the next two steps in this recipe, provided that the FortiAnalyzer and FortiManager both connect to the same port on the External FortiGate.

2. Configuring OSPF routing to the FortiManager

On the External FortiGate, go to Network > OSPF and create a new Network. Set IP/Netmask to 192.168.55.0/255.255.255.0 (the subnet that includes FortiManager’s port 1) and Area to 0.0.0.0.

3. Allowing internal FortiGates to access the FortiManager

On the External FortiGate, go to System > Feature Select. Under Additional Features, select Multiple Interface Policies.

Go to Policy & Objects > IPv4 Policy and create a policy allowing the internal FortiGates (Accounting and Marketing) to access the FortiManager.

Do not enable NAT.

4. Configuring central management

On the External FortiGate, go to System > Settings. Under Central Management, select FortiManager and enter the IP/Domain Name.

On the FortiManager, go to Device Manager > Unregistered Devices. Select the External FortiGate, then select + Add.

Add the device to the root ADOM.

The External FortiGate is now on the Managed FortiGates list.

Connect to the External FortiGate. A warning message appears, stating that the FortiGate is now managed by a FortiManager.

Select Login Read-Only.

Go to System > Settings. The Central Management Status is now Registered on FortiManager.

On the ISFW FortiGates, make sure that the interface connected to the External FortiGate allows FMG-Access. You can then repeat the above steps to configure central management for these FortiGates.

5. Results

All three FortiGates are shown in the FortiManager’s Managed FortiGates list.



Adding online FortiGates to FortiManager 5.4.1 ADOMs


This example illustrates how to enable administrative domains (ADOMs) in FortiManager, create an ADOM, and add an online FortiGate device to the ADOM.

1. Enable ADOMs.

Go to System Settings > Dashboard. In the System Information widget, go to Administrative Domain, and toggle On.

Click Yes in the confirmation dialog box. FortiManager logs you out of the GUI.


Enabling ADOMs

Log into the GUI, and select a default ADOM, such as root.  

2. Create an ADOM.

Go to System Settings > All ADOMs, and click Create New.

Creating a new ADOM

Complete the options, and click OK. The ADOM is created.

In this example, the ADOM name is Test.

Creating an ADOM

3. Add a FortiGate device to a FortiManager ADOM.

Tip: You are in the ADOM named Test that you just created, and the device will be added to the ADOM named Test. You can select a different ADOM by clicking ADOM in the top-right corner of the GUI.

On the Device Manager > Device & Groups pane, click Add Device. The Add Device wizard is displayed.

Select Discover to add an online FortiGate device.

In the IP Address box, type the IP address of the FortiGate.

In the User Name and Password boxes, type the username and password for the FortiGate, and click Next. The wizard discovers the device and displays the configurable options. 

Complete the options, and click Next. The wizard adds the device.

Click Import Now to import policies and objects from the FortiGate device. 

The wizard displays the list of policies and objects for the FortiGate device. Click Next to import them.

Click Finish to close the Wizard.

4. Result: The device is added to the FortiManager ADOM named Test.

On the Device Manager > Device & Groups pane, click Managed FortiGates. The content pane displays the managed FortiGate devices.


Learning Mode Policy (Video)


This video describes the new Learning Mode Policy feature introduced in FortiOS 5.4.1. When you set the action in a security policy to the LEARN mode, you’ll accept and monitor all traffic on the policy. Then, you can view an assessment report to understand how your security policies are being used in detail. This video also provides examples of how to customize your policies based on your learning report results.

The recipe for this video is available here.


FortiAuthenticator user self-registration


For this recipe, you will configure the FortiAuthenticator self-service portal to allow users to add their own account and create their own passwords.

Note that enabling and using administrator approval requires the use of an email server, or SMTP server. Since administrators will approve requests by email, this recipe describes how to add an email server to your FortiAuthenticator. You will create and use a new server instead of the unit’s default server.

1. Creating a self-registration user group

Go to Authentication > User Management > User Groups and create a new user group for self-registering users.

Enter a Name and select OK. Users will be added to this group once they register through the self-registration portal.

2. Editing self-registration settings

Go to Authentication > Self-service Portal > General.

Enter a Site name, add an email signature that you would like appended to the end of outgoing emails, and select OK.

3. Enabling self-registration

Go to Authentication > Self-service Portal > Self-registration and select Enable.

Enable Require administrator approval and Enable email to freeform addresses, enter the administrator’s email address in the field provided, and configure basic account information to be sent to the user by Email.

Open the Required Field Configuration dropdown and enable First name, Last name, and Email address.

4. Creating a new SMTP server

Go to System > Messaging > SMTP Servers and create a new email server for your users.

Enter a name, the IP address of the FortiAuthenticator, and leave the default port value.

Enter the administrator’s email address, account name, and password.

Note that, for the purpose of this recipe, Secure connection will not be set to STARTTLS, as a signed CA certificate would be needed. 

Once created, highlight the new server and select Set as Default.

The new SMTP server will now be used for future user registration.

5. Results – Self-registration

When the user visits the login page, https://<FortiAuthenticator-IP>/auth/register/, they can click the Register button and are then prompted to enter their information.

They will need to enter and confirm a Username and Password, and enter a First name, Last name, and Email address. These are the only required fields, as configured on the FortiAuthenticator earlier.

Select Submit.

The user’s registration is successful, and their information has been sent to the administrator for approval.

When the administrator has enabled the user’s account, the user will receive an activation welcome email.

The user’s login information will be listed.

Select the link and log in to the user’s portal.

The user is now logged into their account where they can review their information.

As recommended in the user’s welcome email, the user may change their password. However, this is optional.

6. Results – Administrator approval

After the user requests registration, log in to the FortiAuthenticator as the administrator and go to Authentication > User Management > Local Users. The user has been added, but their Status is listed as Unknown.

In the administrator’s email account, open the Approval Required email. In it, the user’s full name will appear in the email’s subject, along with their username.

Select the link to approve or deny the user.

The link will take you to the New User Approval page, where you can review the user’s information and either approve or deny the user’s full registration.

Select Approve.


The user has now been approved and activated by the administrator.

This can be confirmed by going back to Authentication > User Management > Local Users. The user’s Status has changed to Enabled.

7. Verifying the results

On the FortiAuthenticator, go to Logging > Log Access > Log to view the successful login of the user and more information.
Although the FortiAuthenticator can be configured to send emails from the built-in mail server (localhost), this is not recommended. Anti-spam methods such as IP lookup, DKIM, and SPF can cause mail from such ad-hoc mail servers to be blocked. It is highly recommended that email be relayed via an official mail server for your domain.
Alternatively, you can go to System > Messaging > Email Services, set both Administrators and Users to use the new SMTP server, and select Save.
Note that the email may have been marked as Spam.

The post FortiAuthenticator user self-registration appeared first on Fortinet Cookbook.

Expanding storage for FortiAnalyzer 5.2.x units


This example illustrates how to expand storage capacity to over 16 TB for a FortiAnalyzer 5.2.x VM or device. 

You can use the Log Aggregation feature in aggregation mode to temporarily forward logs from one FortiAnalyzer unit to a temporary FortiAnalyzer unit while you increase the storage capacity of the FortiAnalyzer unit to over 16 TB.

You should also reconfigure FortiGate to send logs to the temporary FortiAnalyzer unit to avoid losing any logs while you increase storage capacity of your FortiAnalyzer unit.

After you increase storage capacity, you can use the Log Aggregation feature to return the logs from the temporary FortiAnalyzer unit to the FortiAnalyzer unit that now has increased storage capacity. Don’t forget to reconfigure FortiGate to send logs to the FortiAnalyzer unit again. 

You can also use this procedure when upgrading a FAZ-4000B or FAZ-3500E from the default 12 hard disk drives (HDDs) to the maximum of 24 HDDs.

1. (Server) Configuring the temporary FortiAnalyzer unit to receive logs

Ensure that you have configured an administrator account with a Super_User profile. You can use the default admin account, which is assigned the Super_User profile. Alternately, you can create a custom administrator account by going to System Settings > Admin > Administrator. The client will need to provide the login credentials of this Administrator account to get authenticated by the server.

Administrator profiles

Add the FortiAnalyzer for which you want to increase storage capacity to the temporary FortiAnalyzer by going to Device Manager > Add Device. The Add Device wizard is displayed. Follow the wizard to add the device.

Add Device wizard

Enable the log aggregation service by going to System Settings > Dashboard. In the CLI Console widget, enter the following CLI commands (the password set here must match the agg-password configured on the client in step 2):

config system aggregation-service
    set accept-aggregation enable
    set password <password>
end

get system aggregation-service
accept-aggregation  : enable
aggregation-disk-quota: 20000
password            : *   <-- set for password

config system interface
    edit port<number>
        set ip <ip address> <netmask>
        set allowaccess ping https ssh snmp telnet http webservice aggregator fgfm
    next
end

CLI Console widget

2. (Client) Configuring log forwarding on the FortiAnalyzer unit for which you want to increase storage capacity.

Configure log forwarding in aggregation mode by going to System Settings > Dashboard. In the CLI Console widget, enter the following CLI commands:

config system aggregation-client
    edit 1
        set mode aggregation
        set server-ip <ip address>
        set agg-password <password>
    next
end

3. Reconfigure FortiGate to send logs to the temporary FortiAnalyzer unit.

4. Increase storage capacity for the FortiAnalyzer unit.

Add new hard disks with a total size greater than 16 TB to FortiAnalyzer.

Format the FortiAnalyzer disks so that the unit has more than 16 TB of storage capacity.

5. Return logs to the FortiAnalyzer unit with increased storage capacity.

Set up log forwarding as follows to return the logs to the FortiAnalyzer:

  • Configure the FortiAnalyzer unit with the new storage capacity as the log-forwarding server.
  • Configure the temporary FortiAnalyzer as the log-forwarding client.

The log-forwarding client sends all of the logs to the log-forwarding server. As a result, the log-forwarding feature returns all of the logs to the FortiAnalyzer unit with increased storage capacity.

6. Reconfigure FortiGate to send logs to the FortiAnalyzer unit with increased storage capacity.

7. Results

FortiAnalyzer has increased storage capacity and is receiving logs from FortiGate again.

The post Expanding storage for FortiAnalyzer 5.2.x units appeared first on Fortinet Cookbook.

Blocking Windows XP traffic


This recipe demonstrates how you can use the Application Control security profile to block web traffic from PCs running Windows NT 5 operating systems, including Windows XP and Windows Server 2003 (Windows virtual machines included).

When a computer’s operating system lacks vendor support, it becomes a threat to the network because newly discovered exploits will not be patched. Using the FortiGate application control feature, you can restrict these computers from accessing external resources.

Find this recipe for other FortiOS versions:
5.2 | 5.4

1. Enabling Application Control

Go to System > Feature Select. Under Security Features, enable Application Control.

GUI for Feature Select - enable Application Control

2. Creating a custom application signature

Go to Security Profiles > Application Control and select View Application Signatures in the upper right-hand corner. Create a new signature with the syntax presented here.

You can copy and paste this text into the Signature field.

syntax for custom signature

F-SBID(--attack_id 8151; --vuln_id 8151; name "Windows.NT.5.Web.Surfing"; --default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; --flow from_client; --pattern !"FCT"; --pattern "Windows NT 5.1"; --no_case; --context header; weight 40; )

The signature will appear at the top of the application list in the Web.Client category.

Custom signature at top of list
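To see what the signature above actually matches, here is an added Python emulation (not Fortinet's code, and not how FortiOS implements it) that parses the F-SBID string and applies its pattern rules to constructed HTTP client requests. It assumes that `--no_case` and `--context header` qualify only the `--pattern` immediately before them, so the `!"FCT"` exclusion is case-sensitive over the whole request, while "Windows NT 5.1" is case-insensitive and confined to the headers.

```python
from __future__ import annotations
from dataclasses import dataclass
# Added example (not Fortinet code): emulate the match conditions of the recipe's signature.
SIGNATURE = (
    'F-SBID(--attack_id 8151; --vuln_id 8151; name "Windows.NT.5.Web.Surfing"; '
    '--default_action drop_session; --service HTTP; --protocol tcp; --app_cat 25; '
    '--flow from_client; --pattern !"FCT"; --pattern "Windows NT 5.1"; --no_case; '
    '--context header; weight 40; )'
)

@dataclass
class Pattern:
    text: str
    negated: bool = False      # --pattern !"..." : the text must be absent
    no_case: bool = False      # set by a following --no_case
    context: str = "packet"    # assumption: whole request unless --context says otherwise

def parse_fsbid(sig: str) -> tuple[dict, list[Pattern]]:
    """Split an F-SBID(...) string into plain options and its ordered pattern list.
    Assumes --no_case and --context qualify the --pattern immediately before them."""
    body = sig[sig.index("(") + 1:sig.rfind(")")]
    options, patterns = {}, []
    for item in filter(None, (i.strip() for i in body.split(";"))):
        key, _, value = item.lstrip("-").partition(" ")
        value = value.strip()
        if key == "pattern":
            patterns.append(Pattern(value.lstrip("!").strip('"'), value.startswith("!")))
        elif key == "no_case":
            patterns[-1].no_case = True
        elif key == "context":
            patterns[-1].context = value
        else:
            options[key] = value.strip('"')
    return options, patterns

def matches(request: str, patterns: list[Pattern]) -> bool:
    """True only when every pattern condition holds for this one client request."""
    header = request.partition("\r\n\r\n")[0]          # scope used by --context header
    for p in patterns:
        haystack = header if p.context == "header" else request
        needle = p.text
        if p.no_case:
            haystack, needle = haystack.lower(), needle.lower()
        if (needle in haystack) == p.negated:          # present-but-negated, or absent
            return False
    return True

def http_get(user_agent: str, body: str = "") -> str:
    """Constructed client request (not captured traffic) carrying the given User-Agent."""
    return f"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: {user_agent}\r\n\r\n{body}"

OPTIONS, PATTERNS = parse_fsbid(SIGNATURE)

def classify(request: str) -> str:
    """The signature's default action when the request matches, otherwise 'pass'."""
    return OPTIONS["default_action"] if matches(request, PATTERNS) else "pass"
```

Note that the pattern as written is the Windows XP token ("Windows NT 5.1"); Windows Server 2003 identifies itself as "Windows NT 5.2", so covering it needs an additional pattern or signature.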

3. Adding the signature to the default Application Control profile

Go to Security Profiles > Application Control and edit the default policy.

Under Application Overrides, select Add Signatures.

add signature to application control profile / application overrides

The new signature should appear at the top of the list. If it does not, search for the signature’s name (in the example, block-windows-nt5).

Select the signature, then click on Use Selected Signatures at the bottom of the page.

Select custom signature for application control override

4. Adding the default profile to a security policy

Go to Policy & Objects > IPv4 Policy and edit the policy that allows connections from the internal network to the Internet.

Under Security Profiles, enable Application Control and use the default profile.

Add application control profile to policy

5. Results

When a PC running one of the affected operating systems attempts to connect to the Internet using a browser, a replacement message appears.

PCs running other operating systems, including later versions of Windows, are not affected.

Results: Application Blocked message

Go to Log & Report > Forward Traffic. Filter the results to show denied traffic.

You will see that the application control signature, Windows.NT.5.Web.Surfing, appears in the Application column and was used to block traffic from PCs running Windows XP (device writer-0735721d).

Results: Log of blocked applications
For further reading, check out Custom Application & IPS Signatures in the FortiOS 5.4 Handbook.
This recipe will only block web traffic from computers running the designated operating systems. If you wish to block these computers from being on the network entirely, further action will be necessary. However, the logs generated by this recipe can be used to identify the computers you wish to block.
Because Application Control uses flow-based inspection, if you apply an additional, proxy-based security profile to the same traffic, the connection will simply time out rather than display the replacement message. Application Control will still block the traffic, however.

The post Blocking Windows XP traffic appeared first on Fortinet Cookbook.


Supported Upgrade Paths – FortiAP


Upgrading to 5.4

This table shows the upgrade path from earlier versions of the supported firmware to the latest version of FortiAP 5.4.

To make it easier to find the correct row for your upgrade, enter the current firmware version running on your FortiAP in the Search field. Only rows containing the text entered in the Search field are shown.

Supported Upgrade Path to Latest FortiAP Version 5.4

Starting Version   Build #   Path
5.4.1              339       Latest build
5.4.0              327       >> 5.4.1
5.2.6              262       >> 5.4.1
5.2.5              254       >> 5.4.1
5.2.4              245       >> 5.4.1
5.2.3              234       >> 5.2.4 >> 5.4.1
5.2.2              225       >> 5.2.4 >> 5.4.1
5.2.1              216       >> 5.2.4 >> 5.4.1
5.2.0              212       >> 5.2.4 >> 5.4.1
5.0.10             98        >> 5.2.4 >> 5.4.1
5.0.9              86        >> 5.2.3 >> 5.2.4 >> 5.4.1
5.0.8              75        >> 5.2.2 >> 5.2.4 >> 5.4.1
5.0.7              64        >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.6              60        >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.5              48        >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.4              39        >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.3              32        >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.2              31        >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.1              24        >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1
5.0.0              21        >> 5.0.7 >> 5.0.8 >> 5.0.9 >> 5.0.10 >> 5.2.0 >> 5.2.4 >> 5.4.1

A comprehensive post of all supported FortiOS versions, build numbers, and their supported upgrade pathways can be found here:

Supported Upgrade Paths – FortiOS

The post Supported Upgrade Paths – FortiAP appeared first on Fortinet Cookbook.

DMARC, SPF, and DKIM in FortiMail (video)

FortiMail Troubleshooting: Bootup Issues


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting problems you may experience in rare cases when powering up your FortiMail unit.

If the following suggestions do not remedy the issue, please be sure to contact customer support.

When you cannot connect to the FortiMail unit through the network using CLI or the web UI, connect a PC directly to the FortiMail unit’s management console using a serial connection. (The cable varies with the FortiMail model. See the model’s quickstart guide for details.)

Open a terminal emulation interface, such as HyperTerminal, to act as the console. The issues covered in this section all refer to various potential bootup issues.

Once you have a direct console connection to the FortiMail unit, work through the following questions and keep a copy of the console’s output messages.

Boot Options Menu

Do you see the boot options menu?

NO: Ensure that your serial communication parameters are set to no flow control, check that the baud rate and related settings are correct (usually 9600 baud, 8 data bits, no parity, 1 stop bit), and reboot the FortiMail unit.

YES: Proceed to the next section.

Console Text

  1. Do you see a console message?

    NO: Go to the next section.
    YES: Ensure your console communication settings are correct. Check the FortiMail QuickStart Guide for settings specific to your model.

  2. Are the console messages incoherent?

    NO: Your problem should be fixed. If not, contact customer support.
    YES: Ensure your console communication settings are correct for your unit. Check the FortiMail QuickStart Guide for system specific settings.

  3. Do the console messages stop before the prompt: Press Any Key to Download Boot Image?

    NO: Follow the console instruction Press any key to download Boot Image and go to the next step.
    YES: Proceed to the Defective FortiMail Unit section.

  4. Do you see one of the following messages when pressing a key?

    [G] Get Firmware image from TFTP server
    [F] Format boot device
    [B] Boot with backup firmware and act as default
    [Q] Quit menu and continue to boot with default firmware
    [H] Display this list of options

    NO: Ensure your serial communication parameters are set to no flow control and check that the correct baud rate is set. Change the settings if needed and reboot the unit.
    YES: Proceed to the Defective FortiMail Unit section.

  5. Did the reboot fix the problem?

    NO: Proceed to the Defective FortiMail Unit section.

Visible Power Problems

Do you have a visible power problem?

  1. Is the LED light on the FortiMail unit on?

    NO: Ensure the power is on.
    YES: Continue

  2. Are you using an external power adapter?

    NO: Proceed to the Defective FortiMail Unit section.
    YES: Replace the power adapter.

  3. Is the power supply defective?

    NO: Proceed to the Defective FortiMail Unit section.
    YES: Replace the power supply and test again.

Defective FortiMail Unit

If you have followed the previous steps and have determined that there is a good chance your unit is defective, be sure to contact Fortinet customer support.

The post FortiMail Troubleshooting: Bootup Issues appeared first on Fortinet Cookbook.

FortiMail Troubleshooting: Slow Performance


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting resource issues, such as slow performance.


Problem: Slow Performance

The FortiMail unit is suffering from slow or stalled performance.

The Solution

Use the CLI to view a list of the most system-intensive processes. From the CLI you will be able to see which processes are using the most resources. For example:

diagnose system top 10

The above command generates a report of processes every ten seconds. The report provides the process names, their process ID (pid), status, CPU usage, and memory usage.

The report continues to refresh and display in the CLI window until you enter q (quit).

The post FortiMail Troubleshooting: Slow Performance appeared first on Fortinet Cookbook.

FortiMail Troubleshooting: HA Issues


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting HA issues, such as an active-passive HA cluster that fails to switch over and mail queues that cannot be viewed.

Problem #1: Not Switching After Failure

Active-passive HA cluster does not switch to the backup unit after a failure.

The Solution

If an individual service has failed that does not disrupt the HA heartbeat, an active-passive HA cluster may not fail over. For example, one or more services (such as SMTP, IMAP, POP3, web access, or a hard drive or network interface) could fail on the primary unit (master) without affecting the HA heartbeat. To cause failover when an individual service fails, configure service monitoring on both the primary unit and backup unit. See Configuring Service Based Failover in the Administrator Guide.

Problem #2: Cannot See Mail Queues

Mail queues do not appear on the HA backup unit.

The Solution

In order to display queue content in the backup unit, mail data must be synchronized from the primary unit. If the Backup MTA queue directories option is disabled, mail queues will not be synchronized. You can enable MTA spool synchronization to view the mail queues from either the backup unit or the primary unit.

Important: Synchronization of MTA spool directories can result in a decrease in performance and may not allow you to view all email in the mail queues, as mail queue content can change more rapidly than synchronization occurs.

The post FortiMail Troubleshooting: HA Issues appeared first on Fortinet Cookbook.
