Quantcast
Channel: Fortinet Cookbook
Viewing all 690 articles
Browse latest View live

FortiMail Troubleshooting: Server Connection Issues

October 13, 2016, 8:26 am
$
0
0

The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting connection issues.

 

Problem #1: FDN Server Connection Problems

The FortiMail unit cannot connect to the FDN servers to use FortiGuard AntiVirtus and/or FotiGuard Antispam services.

The Solution

FortiGuard Antivirus and FortiGuard Antispam subscription services use multiple types of connections with the FortiGuard Distribution Network (FDN). For details on verifying FDN connection, see “Verifying connectivity with FortiGuard services” on page 218.

For all FortiGuard connection types, you must satisfy the following requirements

  1. Register your FortiMail unit with the Fortinet Technical Support web site, https://support.fortinet.com/.
  2. Obtain a trial or purchased service contract for FortiGuard Antispam and/or FortiGuard Antivirus and apply it to your FortiMail unit.

    If you have multiple FortiMail units, including those operating in high availability (HA), you must obtain separate contracts for each FortiMail unit.

  3. Configure your FortiMail unit to connect with a DNS server that can resolve the domain names of FortiGuard servers. For more information, see “Configuring DNS” in the FortiMail Administrator Guide.
  4. Verify that you have satisifed DNS and routing requirments by typing the following commands in the CLI:
    execute nslookup name service.fortiguard.net
    execute nslookup name fdsl.fortinet.com
    execute traceroute <address_ipv4>     (where address_ip4 is one of the FortiGuard servers)

If you have satisfied these requirements, verify that you have satisfied the requirements specific tot he type of connection that is failing. Consult the following table:

Scheduled Updates
  1. Configure the system time of the FortiMail unit, including its time zone.
  2. Make sure intermediary firewall devices allow the FortiMail unit to use HTTPS on TCP port 443 to connect to the FDN.
  3. Use the CLI command set system autoupdate tunneling to enable the FortiMail unit to connect to the FDN through the proxy.
  4. Override the FortiGuard server to which the FortiMail unit is connecting and connect to a non-default server for your time zone.
Push Updates
  1. Satisfy all the requirments for scheduled updates listed above.
  2. If there is a NAT device installed between the FortiMail unit and the FDN, configure it to forward push traffic (UDP port 9443) to the FortiMail unit. You will also need to configure “Use override push IP”. For more information, see “Configuring push updates” in the FortiMail Administrator Guide.
Ratting Queries Intermediary firewall devices must allow the FortiMail unit to use UDP port 53 to connect to the FDN.

The post FortiMail Troubleshooting: Server Connection Issues appeared first on Fortinet Cookbook.

Search

FortiMail Troubleshooting: Antispam Issues

October 13, 2016, 8:26 am
$
0
0

The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting a wide variety of antispam issues you may encounter when using FortiMail, such as low spam detection, email users being spammed by DSN, and SMTP failure.

 

Problem #1: Low Spam Detection Rate

The spam detection rate is low.

The Solution

Make sure no SMTP traffic is bypassing the FortiMail unit due to an incorrect routing
policy. Configure routers and firewalls to direct all SMTP traffic to or through the FortiMail unit to be scanned. If the FortiMail unit is operating in gateway mode, for each protected domain, modify public DNS records to keep only a single MX record entry that points to the FortiMail unit.

Do not whitelist protected domains. White lists bypass antispam scan, email with spoofed sender addresses in the protected domains could bypass antispam features. Also, use white lists with caution, a white list entry *.edu would allow all email from all domains in the .edu top level domain to bypass antispam scans.

Make sure all protected domains have matching policies and proper protection profiles.

Enable adaptive antispam features such as greylisting and sender reputation.

Important: Enable additional antispam features gradually. Excessive antispam scans could decrease the performance of your FortiMail unit.

Problem #2: Faulty Send Spam

Email users are spammed by DSN for email they did not actually send.

The Solution

Spammers sometimes use the delivery status notification (DSN) mechanism to bypass
antispam measures. In this attack, sometimes called “backscatter”, the spammer spoofs the email address of a legitimate sender and intentionally sends spam to an undeliverable recipient, expecting that the recipient’s email server will send a DSN back to the sender to notify him/her of the delivery failure. Because this attack utilizes innocent email servers and a standard notification mechanism, many antispam mechanisms may be unable to detect the difference between legitimate and spoofed DSN.

To detect backscatter

1. Enable bounce address tagging and configure an active key (see “Configuring  bounce verification and tagging” on page 598).
2. Next, disable both the Bypass bounce verification option (see “Configuring protected domains” on page 355) and the Bypass bounce verification check option (see “Configuring session profiles” on page 453).
3. In addition, verify that all outgoing and incoming email passes through the FortiMail unit. The FortiMail unit cannot tag email, or recognize legitimate DSN for previously sent email, if all email does not pass through it. For details, see “Configuring bounce verification and tagging” on page 598.

Problem #3: Temporary Failure SMTP reply Code

Email users cannot release and delete quarantined messages by email.

The Solution

Two common reasons are:

• The domain name portion of the recipient email address (for example, fortimail.example.com
in release-ctrl@fortimail.example.com) could not be resolved by the DNS server into the FortiMail unit’s IP address.
• The sender’s email address in the release message was not the same as the intended
recipient of the email that was quarantined. If you have configured your mail client to handle multiple email accounts, verify that the release/delete message is being sent by the email address corresponding to that per-recipient quarantine. For example, if an email for user@example.com is quarantined, to release that email, you must send a release message from user@example.com.

Problem #4: Attachment Issues
Your attachment is less than the 10 MB configured limit and your message is not deliverable.

The Solution

The message limit is a total maximum for the entire transmitted email: the message body, message headers, all attachments, and encoding, which in some cases can expand the size of the email. For example, depending on the encoding and the content of the email, an email with an 8 MB attachment could easily exceed the transmitted message size limit of 10 MB.

Therefore, attachments should be smaller than the configured limit.

Problem #5: Email Archive Issues

The exported email archive is an empty file.

The Solution

Make sure you select the check boxes of archived email (see “Configuring email archiving accounts” on page 618) that you want to export. Only email whose Status column contains a check mark will be exported.

 

The post FortiMail Troubleshooting: Antispam Issues appeared first on Fortinet Cookbook.

FortiMail Troubleshooting: SMTP Failure

October 13, 2016, 8:27 am
$
0
0

The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting SMTP problems, such as recipient verification failure and 451 error messages.

 

Problem #1: Recipient Verification Failure

Recipient verification through SMTP fails.

The Solution

If recipient verification fails despite enabling Recipient Address Verification there are some possible causes:

  1. The SMTP server may not be available
  2. The network connection between the FortiMail and the SMTP server is not reliable.
  3. The SMTP server does not support ESMTP.EHLO, as defined in ESMTP, is a part of the SMTP verification process. If the SMTP server does not support ESMTP, the recipient verification will fail.
  4. The server is a Microsoft Exchange server and SMTP recipient verification is not enabled and configured.

When the SMTP server is unavailable for recipient verification, the FortiMail unit returns the 451 SMTP reply code. The email would remain in the sending queue of the sending MTA for the next retry.

Problem #2: 451 Error Message

SMTP clients receive the message 451 Try again later.

The Solution

The two primary reasons you may be experiencing a 451 error message is:

  • The greylist routine encountered an unknown sender or the greylist entry expired for the existing sender and recipient pair.This behavior is normal and will typically resolve itself when the SMTP client retries its delivery later during the greylist window.
  • Recipient verification is enabled and the FortiMail unit is unable to connect to the recipient
    verification server. There should be some related entries in the antispam log, such as Verify <user@example.com> Failed, return TEMPFAIL. If this occurs, verify that the server is correctly configured to support recipient verification and that connectivity with the recipient verification server has not been interrupted.

Problem #3: Temporary Failure SMTP reply Code

The FortiMail unit replies with a temporary failure SMTP reply code and the even log shows Milter (fas_milter): timeout before data read

The Solution

The timeout is caused by the FortiMail unit not responding within 4 minutes.

Slow or unresponsive DNS server response for DNSBL and SURBL scans can cause the FortiMail unit’s antispam scans to be unable to complete before the timeout. When this occurs, the FortiMail unit will report a temporary failure. In most cases, the sending MTA will retry delivery later. If this problem is persistent, verify connectivity  with your DNSBL and SURBL servers, and consider providing private DNSBL/SURBL servers on your local network.

 

The post FortiMail Troubleshooting: SMTP Failure appeared first on Fortinet Cookbook.

FortiMail Troubleshooting: UI Connection Problems

October 13, 2016, 8:27 am
$
0
0

The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting connection issues, such as an administrator account unable to connect to the basic mode of the web interface.

 

Problem #1: Inaccessible Basic UI

An administrator account can’t connect to the basic mode of the web interface or the CLI, despite being able to connect to the advanced mode of the web UI.

The Solution

Set the administrator account’s Domain to System. Domain administers, also known as tiered administrators, cannot access the CLI or the basic mode of the GUI. For more information, see FortiMail operation modes on page 23 of the Administrator Guide.

Problem #2: Log in Issues

Administrators cannot log in to the web UI or the CLI.

The Solution

First, make sure you’re using the correct admin name and password.

Each FortiMail interface has a set of administrator access protocols. These are the methods an administrator uses to connect to FortiMail. Any or all of these protocols can be disabled on any interface.

IMPORTANT: For security purposes, you should only enable access that is required. If you open access for troubleshooting, remember to disable it when you’re done. Failure to disable access may result in a security breach.

To enable administrator access on the dmz interface

  1. Log in as administrator.
  2. Go to System > Network > Interface.
  3. Select the interface and select
  4. Select the protocols you wish to use to acess the interface in the Access
  5. Select

Repeat for each interface where administrative access is required.

Problem #3: Trusted Host Issues

The trusted hosts for the admin account will not allow the current IP.

The Solution

If an external administrator login is required, a secure VPN tunnel can be established with a set IP address or range of addresses that are entered as a trusted address.

Trusted host login issues occur when an administrator attempts to log in from an IP address that is not included in the trusted host list.

To verify trusted host login issues

  1. Record the IP address where the administrator is attempting to log in to the FortiMail unit.
  2. Log in to the web UI and go to System > Administrator > Administrator.
  3. Select the administrator account in question and click the Edit icon.
  4. Compare the list of trusted hosts to the problem IP address. If there is a match, the problem is not due to trusted hosts.
  5. If there is no match and the new address is valid (secure), add it to the list of trusted hosts.
  6. Select OK.

If the problem was due to trusted hosts, the administrator can now log in.

The post FortiMail Troubleshooting: UI Connection Problems appeared first on Fortinet Cookbook.

FortiAuthenticator User Self-Registration (Video)

October 14, 2016, 12:50 pm

FGCP High Availability Troubleshooting

October 17, 2016, 6:00 am
$
0
0

This post is intended to help you find and fix some common and not so common FortiGate Clustering Protocol (FGCP) HA problems.

1. Before you set up a cluster

Before you set up an FortiGate FGCP cluster ask yourself these questions:

  • Do all the FortiGates have the same hardware version and the same hardware configuration?
  • Do all the FortiGates have the same firmware build?
  • Are all the FortiGates set to the same operating mode (NAT or Transparent)?
  • Are all the FortiGates operating in single VDOM mode?
  • If the FortiGates are operating in multiple VDOM mode do they all have the same VDOM configuration?

In some cases you may be able to form a cluster if your FortiGates have different firmware builds, different VDOM configurations, and are in different operating modes. However, if you encounter problems when forming a cluster you may be able to resolve them by installing the same firmware build on each unit and giving them the same VDOM configuration and operating mode. If possible you could also reset them all to factory defaults and start over.

2. Troubleshooting hardware revisions

Many FortiGate platforms have gone through multiple hardware versions and in some cases the hardware changes may prevent cluster formation. If you run into this problem you can use the following command on each FortiGate in the cluster to cause the cluster to ignore different hardware versions:

execute ha ignore-hardware-revision enable

This command is only available on FortiGates that have had multiple hardware revisions. So if the command isn’t present then hardware version issues should not prevent cluster formation.

By default the command is set to prevent cluster formation between FortiGates with different hardware revisions. You can enter the following command to view its status:

execute ha ignore-hardware-revision status

Usually the incompatibility is caused by different hardware versions having different hard disks and enabling this command disables each FortiGate’s hard disks. As a result of disabling hard disks the cluster will not support logging to the hard disk or WAN Optimization.

If the FortiGates do have compatible hardware versions or if you want to run a FortiGate in standalone mode you can enter the following command to disable ignoring the hardware revision and enable the hard disks:

execute ha ignore-hardware-revision disable

Affected models include but are not limited to:

  • FortiGate-100D
  • FortiGate-300C
  • FortiGate-600C
  • FortiGate-800C
  • FortiGate-80C and FortiWiFi-80C
  • FortiGate-60C

3. Troubleshooting the initial cluster configuration

This step describes how to check a cluster when it first starts up to make sure that it is configured and operating correctly. This section assumes you have already configured your HA cluster and it appears to be up and running normally.

To verify that a cluster can process traffic and react to a failure:

  1. Add a basic security policy configuration and send network traffic through the cluster to confirm connectivity. For example, if the cluster is installed between the Internet and an internal network, set up a basic internal to external security policy that accepts all traffic. Then from a PC on the internal network, browse to a website on the Internet or ping a server on the Internet to confirm connectivity.
  2. From your management PC, set ping to continuously ping through the cluster, and then start a large download, or in some other way establish ongoing traffic through the cluster.
  3. While traffic is going through the cluster, disconnect the power from one of the cluster units. You could also shut down or restart a cluster unit. Traffic should continue with minimal interruption.
  4. Start up or reconnect the cluster unit that you disconnected. The FortiGate should re-join the cluster with little or no affect on traffic.
  5. Disconnect a cable from one of the HA heartbeat interfaces. The cluster should keep functioning, using the other HA heartbeat interface.
  6. If you have port monitoring enabled, disconnect a network cable from a monitored interface. Traffic should continue with minimal interruption.
  

4. Verifying the cluster configuration from the GUI

If a cluster is formed you can do the following to verify its status and configuration.
 

Log into the cluster GUI. Verify that the System Information widget lists all of the cluster units.

  1-trbl-system-information
Check the Unit Operation widget to verify that the correct cluster unit interfaces are connected.  2-trbl-unit-operation
Go to System > HA or on the System Information dashboard widget select HA Status > Configure and verify that all of the cluster units are displayed on the  HA Cluster list.  3-trbl-cluster-list
From the cluster members list, edit the primary unit (master) and verify the cluster configuration.  4-trbl-ha-config

5. Troubleshooting the cluster configuration from the GUI

Try this if the FortiGates don’t successfully form a cluster:

Connect to each cluster unit GUI and verify that the HA configurations are the same. The HA configurations of all cluster units must be identical. Even though the HA configuration is very simple you can easily make a small mistake that prevents a FortiGate from joining a cluster. (I speak form personal experience here.)

If the configurations are the same, try re-entering the HA password on each cluster unit in case you made an error typing the password when configuring one of the cluster units.

Check that the correct interfaces of each cluster unit are connected. Check the cables and interface LEDs. Use the Unit Operation dashboard widget, system network interface list, or cluster members list to verify that each interface that should be connected actually is connected. If a link is down re-verify the physical connection. Try replacing network cables or switches as required.
  

6. Verifying the cluster configuration from the CLI

If a cluster is formed you can do the following to verify its status and configuration.

Log into each cluster unit CLI. You can use the GUI CLI console, SSH, or a direct console port connection.

Enter the command get system status. Look for the current HA mode in the command output. If the cluster is operating correctly and you have connected to the primary unit you should see something like this:

Current HA mode: a-a, master

You can connect to the backup or subordinate unit using a console port or by connecting to the console CLI and using the execute ha manage command to connect to the backup unit. If the cluster is operating correctly you will see something like this:

Current HA mode: a-a, backup

If the FortiGate is not operating in HA mode the get system status command output is something like this:

Current HA mode: standalone

Verify that the get system ha status command displays all of the cluster units. For example, for a cluster of three FortiGate units, the command output should contain something like this:

Master: 5001d-slot3     , FG-5KD3914800344
Slave : 5001d-slot5     , FG-5KD3914800353
Slave : 5001d-slot4     , FG-5KD3914800284

Enter the get system ha command to verify that the HA configuration is correct and the same for each cluster unit.

get system ha
group-id : 0
group-name : External-HA-cluster
mode : a-p
password : *
hbdev : "port3" 50 "port4" 50
.
.
.

7. Troubleshooting the cluster configuration from the CLI

If the FortiGates don’t successfully form a cluster, try using the following command to re-enter the cluster password.  Do this for each cluster unit in case you made an error typing the password when configuring one of the cluster units.

config system ha
    set password <password>
end

Check that the correct interfaces of each cluster unit are connected. Check the cables and interface LEDs. Use the get hardware nic <interface_name> command to confirm that each interface is connected. If the interface is connected the command output should contain a Link: up entry similar to the following:

get hardware nic port1
.
.
.
Link: up
.
.
.

If the link is down, re-verify the physical connection. Try replacing network cables or switches as required.

More troubleshooting information

Much of the information in the  HA guide can be useful for troubleshooting HA clusters. Here are some links to sections with more information.

  • If sessions are lost after a failover you may need to change route-ttl to keep synchronized routes active longer. See Synchronizing kernel routing tables.
  • In rare cases, sometimes after a cluster unit has been replaced it is possible that a cluster will not form because the disk partition sizes of the cluster units are different. You can use the following command to check the disk storage checksum of each cluster unit. If the checksums are different then contact Fortinet support for help in setting up compatible storage partitions.
diagnose sys ha showcsum 1 system | grep storage
  • To control which cluster unit becomes the primary unit, you can change the device priority and enable override. See Controlling primary unit selection using device priority and override.
  • Changes made to a cluster can be lost if override is enabled. See Configuration changes can be lost if override is enabled.
  • When override is enabled, after a failover traffic may be disrupted if the primary unit rejoins the cluster before the session tables are synchronized or for other reasons such as if the primary unit is configured for DHCP or PPPoE. See Delaying how quickly the primary unit rejoins the cluster when override is enabled.
  • In some cases, age differences among cluster units result in the wrong cluster unit becoming the primary unit. For example, if a cluster unit set to a high priority reboots, that unit will have a lower age than other cluster units. You can resolve this problem by resetting the age of one or more cluster units. See Primary unit selection and age. You can also adjust how sensitive the cluster is to age differences. This can be useful if large age differences cause problems. See Cluster age difference margin (grace period) and Changing the cluster age difference margin.
  • If one of the cluster units needs to be serviced or removed from the cluster for other reasons, you can do so without affecting the operation of the cluster. See Disconnecting a cluster unit from a cluster.
  • The web-based manager and CLI will not allow you to configure HA if you have enabled FGSP HA. See FortiGate Session Life Support Protocol (FGSP).
  • The GUI and CLI will not allow you to configure HA if one or more FortiGate unit interfaces is configured as a PPTP or L2TP client.
  • The FGCP is compatible with DHCP and PPPoE but care should be taken when configuring a cluster that includes a FortiGate interface configured to get its IP address with DHCP or PPPoE. Fortinet recommends that you turn on DHCP or PPPoE addressing for an interface after the cluster has been configured. See FortiGate HA compatibility with DHCP and PPPoE.
  • Some third-party network equipment may prevent HA heartbeat communication, resulting in a failure of the cluster or the creation of a split brain scenario. For example, some switches use packets with the same Ethertype as HA heartbeat packets use for internal functions and when used for HA heartbeat communication the switch generates CRC errors and the packets are not forwarded. See Heartbeat packet Ethertypes.
  • Very busy clusters may not be able to send HA heartbeat packets quickly enough, also resulting in a split brain scenario. You may be able to resolve this problem by modifying HA heartbeat timing. See Modifying heartbeat timing.
  • Very busy clusters may suffer performance reductions if session pickup is enabled. If possible you can disable this feature to improve performance. If you require session pickup for your cluster, several options are available for improving session pickup performance. See Improving session synchronization performance.
  • If it takes longer than expected for a cluster to failover you can try changing how the primary unit sends gratuitous ARP packets. See Changing how the primary unit sends gratuitous ARP packets after a failover on page 1.
  • You can also improve failover times by configuring the cluster for subsecond failover. See Subsecond failover and Failover performance on page 1.
  • When you first put a FortiGate unit in HA mode you may loose connectivity to the unit. This occurs because HA changes the MAC addresses of all FortiGate unit interfaces, including the one that you are connecting to. The cluster MAC addresses also change if you change some HA settings such as the cluster group ID. The connection will be restored in a short time as your network and PC updates to the new MAC address. To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You may be able to delete the arp table of your management PC from a command prompt using a command similar to arp -d.
  • Since HA changes all cluster unit MAC addresses, if your network uses MAC address filtering you may have to make configuration changes to account for the HA MAC addresses.
  • A network may experience packet loss when two FortiGate HA clusters have been deployed in the same broadcast domain. Deploying two HA clusters in the same broadcast domain can result in packet loss because of MAC address conflicts. The packet loss can be diagnosed by pinging from one cluster to the other or by pinging both of the clusters from a device within the broadcast domain. You can resolve the MAC address conflict by changing the HA Group ID configuration of the two clusters. The HA Group ID is sometimes also called the Cluster ID. See Diagnosing packet loss with two FortiGate HA clusters in the same broadcast domain.
  • The cluster CLI displays slave is not in sync messages if there is a synchronization problem between the primary unit and one or more subordinate units. See How to diagnose HA out of sync messages.
  • If you have configured dynamic routing and the new primary unit takes too long to update its routing table after a failover you can configure graceful restart and also optimize how routing updates are synchronized. See Configuring graceful restart for dynamic routing failover and Synchronizing kernel routing tables.
  • Some switches may not be able to detect that the primary unit has become a subordinate unit and will keep sending packets to the former primary unit. This can occur after a link failover if the switch does not detect the failure and does not clear its MAC forwarding table. See Updating MAC forwarding tables when a link failover occurs.
  • If a link not directly connected to a cluster unit (for example, between a switch connected to a cluster interface and the network) fails you can enable remote link failover to maintain communication. See Remote link failover.
  • If you find that some cluster units are not running the same firmware build you can reinstall the correct firmware build on the cluster to upgrade all cluster units to the same firmware build. See Synchronizing the firmware build running on a new cluster unit.

The post FGCP High Availability Troubleshooting appeared first on Fortinet Cookbook.

Signature vs. Adaptive vs. Behavioral

October 17, 2016, 9:55 am
$
0
0

I recently came across a forum thread about the differences between signature-based, behavior-based and adaptive measures.  I thought it was all fairly  obvious until I realized that it was obvious to me, only because I’d been doing this for so long. I forgot that I too, once had a puzzled look on my face when I came across terms from the “real world” inserted into the IT world without the context to help it make sense. 

When you look at products such as FortiDB, FortiWeb or FortiDDoS, the documentation describes them as having adaptive and behavioral security measures to compliment the signature measures and CPRL found in the FortiGate firewall. These terms are often used as if it is assumed that everybody understands what they mean. Most of us do, but not necessarily in the context of IT. To understand why these measure dove-tail for a defense-in-depth set of counter measures, let’s look at each of them so that we can understand how they complement each other.

Signature-based

Signature – n. A distinctive mark, characteristic, or feature indicating identity.

The IT world has been dealing with malware for years. As new malware is discovered, it is analyzed for something unique that sets it apart from safe code. This is used to make up a signature of the malware. These signatures are recorded and shared. Signature-based measures operate by searching for known signatures in traffic or files. It’s a simple and straightforward approach, comparing strings of code with other strings of code. It’s one of those things that computers were build to do. They do it well and they do it fast. In addition to checking the code itself, some signatures can be make up of the hashes of files so the computer can hash the file and compare it to known hashes of malware files.

While signature-based IDS and antivirus are very efficient at sniffing out known attacks, it does depend on maintaining a good database of known signatures. The best way to do this is receive regular signature updates. This means your database will be keeping up with variations in existing attacks as well as newly discovered attacks. As far as it goes, the signature measure is highly efficient and very effective but its limitation is that it is only as good as its database of stored signatures.

Adaptive

Adaptive (root: adapt) – v. To make suitable to or fit for a specific use or situation.

Adaptive measure are ones that are flexible enough to take into account the nature of adaptive attacks. Hackers, being the intelligent though malicious people they are, are aware of the signature-based measures used to protect systems and networks and sometimes take measures to avoid detection by using techniques to make the malware change itself with each instance.

Example of an adaptive attack: a hacker takes a virus file, encrypts a portion of it and sets up another executable with it to decrypt portions of the virus slowly and download the last bits of payload. A signature will not catch this because the string in its database is not what will be seen as the traffic arrives. The working malware is not present until later.

The CPRL in the FortiGate mitigates this attack by using pattern recognition which takes into account specific fragments of a file as well as chunking and encryption techniques. The FortiWeb furthers this protection by checking patterns and thresholds found in attacks to a web server or database. It does not track multiple sessions that have different purposes. For example, an infected host will attempt outbound C&C connections before downloading new payloads and attempting to spread through attacks or scans made to other hosts (through other sessions).

Behavior-Based or Heuristic

Behavioral (root: behavior) – n. The actions or reactions of a person or animal in response to external or internal stimuli.

Behavior-based measures go beyond simple threshold and pattern matching and instead of just analyzing the content of the traffic or the file, analyzes their behaviour. This technology can track behaviors of specific hosts on an internal or external network. C&C behavior, attack behavior, multi-session scanning, and attack differentiation. It is not typically used as an in-line appliance (FortiDB). Typically, it runs log analysis and change analysis. It will also track session handling and permission changes. Typically this employs a machine-learning engine that tracks standard deviation and mean.

As impressive as it is, the weakness of this type of measure is that it is a resource hungry technology. It often uses virtual environments to run the file and/or traffic before allowing it access to the system or network. This takes memory and CPU cycles. In a high traffic environment this sort of analysis is normally done by powerful or dedicated appliances with resources designed for the task.

Even this type of protection doesn’t always take into account side-channel or Out-Of-Band (OOB) behaviors like IRC, Tor, posting boards, and encrypted messaging (other than HTTPS or SSL) through torrent or UDP.

Though not one of the 3 measures reference in the title, this shortcoming brings up a completely different type of measure that some refer to as “threat intelligence”. Threat intelligence combines machine learning and a technique called Deep Learning. Deep Learning is a branch of machine learning based on algorithms that attempt to model high-level abstractions (similar to human emotion or intent) in data by using multiple processing layers with complex structures or otherwise, composed of multiple non-linear transformations.

Imagine a case where the technology takes pieces of information from a number of sources such as attack staging honeypots, posting boards, IP reputation, and encrypted messaging traffic and correlates all of this information with real-time traffic measures such as the three main ones already mentioned.  It’s sort of like a digital detective putting seemingly unrelated clues together.

Currently, threat intelligence is the “next great thing” to strive for; sort of the “Holy Grail” of malware threat countermeasures. Just like most fundamental leaps forward, the mechanics of how it all works is fairly difficult for most lay people to wrap their heads around. I freely admit that, other than in the abstract, it is beyond me. However, signature-based, adaptive and behavior-based measures currently make up the bulk of counter threat measures being used and understanding how they work in your network is not only doable, it is worth doing.

 

 

 

 

The post Signature vs. Adaptive vs. Behavioral appeared first on Fortinet Cookbook.

Announcement: New FortiCast Podcast is coming out soon

October 19, 2016, 9:43 am
$
0
0

 

We’re pumped to announce that Fortinet will be releasing a new podcast channel, FortiCast, in the near future. 

This podcast will be hosted by one of our friendly Cookbook technical writers, Victoria Martin. The show is produced by Michael Strickland and Bill Dickie. Our executive producer is Darren Turnbull.

We’re working with Fortinet experts, including Product Managers and Technical Assistance Center specialists, to line up exciting network security topics for you. You’ll be able to tune in to listen to Fortinet conversations from anywhere you like.

If you’re wondering what to expect, here’s a sneak preview: our inaugural episode may feature wave 2 wireless technology.

Watch this space! FortiCast will be available in iTunes and you can expect more details on the Cookbook site. Our podcast will go live at the end of this month (October 2016), so don’t forget to share this exciting news!

The post Announcement: New FortiCast Podcast is coming out soon appeared first on Fortinet Cookbook.

Search

IPsec VPN to Microsoft Azure

October 20, 2016, 6:12 am
$
0
0

The following recipe describes how to configure a site-to-site IPsec VPN tunnel. In this example, one site is behind a FortiGate and another site is hosted on Microsoft Azure™, for which you will need a valid Microsoft Azure account.

Using FortiOS 5.4, the example demonstrates how to configure the tunnel between each site, avoiding overlapping subnets, so that a secure tunnel can be established with your configured security policies.

1. Configuring the Microsoft Azure virtual network

Log into Microsoft Azure and click New. In the Search the marketplace field, type “Virtual Network”. Locate Virtual Network from the returned list and click to open the Virtual Network blade.

 capture1

Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create.

 capture2

On the Create virtual network blade, fill in the values for your Virtual Network settings and click Create.

 capture3

2. Specifying the Microsoft Azure DNS server
On the Settings page for your virtual network, navigate to DNS Servers and click to open the DNS servers blade. Enter the IP address of the DNS server and click Save at the top of the blade. capture4

3. Creating the Microsoft Azure virtual network gateway

In the portal, go to New. Type “Virtual Network Gateway” in search. Locate Virtual network gateway in the search return and click the entry. This opens the Create virtual network gateway blade.

 capture5

Click Create at the bottom of the Virtual network gateway blade. The Create virtual network gateway blade will open. Fill in the values for your virtual network gateway and click Create.

 capture6

4. Creating the Microsoft Azure local network gateway

 The ‘local network gateway’ refers to your on-premises location. Give the local network gateway a name by which Azure can refer to it.

In the portal, from All resources, click +Add. In the Everything blade search box, type Local network gateway, then click to search. This will return a list. Click Local network gateway to open the blade, then click Create to open the Create local network gateway blade.

 capture7
Fill in the values for your local network gateway. capture8

5. Configuring the FortiGate tunnel

Go to VPN > IPsec Wizard and select Custom.

Enter a Name for the tunnel and click Next.

 capture9

Set the Remote Gateway to Static IP Address, and include the gateway IP Address provided by Microsoft Azure.

Set the Local Interface to wan1.

Disable NAT Transversal and Dead Peer Detection.

 capture10

Under Authentication, enter a Pre-shared Key and ensure that you enable IKEv2.

 capture11

Under Phase 1 Proposal set the Encryption algorithm to AES 128 and the Authentication algorithm to SHA1.

Select 2 for Diffie-Hellman Group.

 capture12

Scroll down to Phase 2 Selectors and set Local Address to the local subnet and Remote Address to the VPN tunnel endpoint subnet (found under Virtual Network Address Spaces in Microsoft Azure).

Enable the encryption types to match Phase 1.

 capture13

6. Creating the FortiGate firewall addresses

Go to Policy & Objects> Addresses and configure a firewall address for the local network.

 capture14

Create another firewall object for the Azure VPN tunnel subnet.

 capture15

7. Creating the FortiGate firewall policies

Go to Policy & Objects > IPv4 Policy and create a new policy for the site-to-site connection that allows outgoing traffic

Set the Source Address and Destination Address using the firewall objects you just created. Make sure that NAT is disabled.

 capture16

When you are done, create another policy for the same connection to allow incoming traffic.

This time, invert the Source Address and Destination Address.

 capture17

8. Creating the FortiGate static route
Go to Network > Static Routes and create a new static route forcing outgoing traffic destined to the Microsoft Azure network to flow through the route based IPsec VPN tunnel by setting the Administrative Distance to a value lower than the value set for the existing default route. capture18

9. Creating a Microsoft Azure Site-to-Site VPN connection

Locate your virtual network gateway and click All settings to open the Settings blade.

On the Settings blade, click Connections, and then click Add at the top of the blade to open the Add connection blade.

Fill in the values for your connection and click Create.

 Make sure that the Shared Key (PSK) matches the shared key configured earlier in FortiGate unit.

 capture19

10. Results

Go to Monitor > IPsec Monitor. You see the tunnel is UP with incoming and outgoing Data.

 capture20

Go to Log & Report > VPN Events

Select an entry to view more information and verify the connection.

 capture21

Return to the Microsoft Azure portal, click All resources and navigate to your virtual network gateway.

On the blade for your virtual network gateway, click Connections. You can see the status of each connection.

Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is ‘Connected’ when you have made a successful connection. Ingress and egress bytes confirm traffic flowing through the tunnel.

 capture22

 

The post IPsec VPN to Microsoft Azure appeared first on Fortinet Cookbook.

L2TP IPsec VPN on FortiGate

October 24, 2016, 7:00 am
$
0
0

In this recipe, you will learn how to create an L2TP IPsec tunnel that allows remote users running the Windows 7 L2TP client to securely connect to a private network.

The FortiGate implementation of L2TP enables a remote user to establish an L2TP IPsec tunnel with the FortiGate. For the tunnel to work you configure a remote client (abhassan) to connect using an L2TP IPsec VPN connection.

This recipe assumes that the FortiGate unit is operating in NAT/Route mode and that it has a static public IP address. This recipe is designed as a policy-based IPsec VPN, not route-based.

Most of the configuration occurs in the CLI Console, as L2TP settings are not configurable in the GUI. You can access the FortiGate CLI Console from the FortiGate GUI using the administration menu or from the CLI Console Dashboard widget.

1. Creating an L2TP user and user group
Go to User & Device > User Definition and create a new L2TP user via the creation wizard (abhassan).
Next go to User & Device > User Groups and create a new user group for L2TP users (L2TP-group), and add abhassan to the group.

2. Enabling L2TP in the CLI Console

Enter the following CLI command to set up an L2TP tunnel that includes the user group just created and defines the L2TP client IP address range (start IP (sip) to end IP (eip)):

config vpn l2tp
   set sip 10.20.100.1
   set eip 10.20.100.101
   set status enable
   set usrgrp L2TP-group
end

3. Configuring the L2TP/IPsec phases

Enter the following CLI command to configure Phase 1 (named l2tp-p1 below):

config vpn ipsec phase1
   edit l2tp-p1
      set type dynamic
      set interface wan1
      set dhgrp 2
      set keylife 86400
      set peertype dialup
      set dpd disable
      set proposal 3des-sha1 aes192-sha1 aes256-md5
      set usrgrp L2TP-group
      set psksecret <preshared_key>
end

Enter the following CLI command to configure Phase 2 (named l2tp-p2 below):

config vpn ipsec phase2
   edit l2tp-p2
      set phase1name l2tp-p1
      set l2tp enable
      set proposal 3des-sha1 aes192-sha1 aes256-md5
      set pfs disable
      set encapsulation transport-mode
      set keylifeseconds 86400
end

4. Creating a firewall address for L2TP clients

Go to Policy & Objects > Addresses and create a new firewall address.

Enter a Name, set Type to IP Range, and enter the same IP range as configured earlier when enabling L2TP in the CLI Console.

5. Creating Security Policy for access to the internal network and the Internet
Go to System > Feature Select, enable Policy-based IPsec VPN, and select Apply.
Next go to Policy & Objects > IPv4 Policy, and create an IPsec VPN security policy that allows inbound and outbound traffic.

Set Incoming Interface to the internal network and Source Address to all.

Set Outgoing Interface to wan1Destination Address to allService to ALL, and Action to IPsec.

Under VPN Tunnel, select Use Existing and select the name of the Phase 1 configuration that you created (l2tp-p1).

6. Configuring a remote Windows 7 L2TP client
On a PC, open the Start menu, search for VPN, and select Set up a virtual private network (VPN) connection.
Enter the FortiGate’s IP address, enter a Destination name, and make sure to select the Don’t connect now… checkbox. Then select Next.

Enter the same User name and Password as configured earlier on the FortiGate and select Create.

 

The connection is now ready to use. Select Close.

Next, go to Start > Control Panel > Network and Sharing Center and select Connect to a network.

 

Open the L2TP VPN configured earlier.

Enter the L2TP IPsec VPN’s user credentials and select Connect.

You will then be connected to the VPN.

7. Results
On the FortiGate, go to Monitor > IPsec Monitor. The tunnel shows a Status of Up, with incoming and outgoing data.
You can also go to Log & Report > VPN Events, where you can select an entry and view more details. The user has been assigned an IP address from within the L2TP client range.

 

The post L2TP IPsec VPN on FortiGate appeared first on Fortinet Cookbook.

Limiting bandwidth with traffic shaping (Video)

October 25, 2016, 12:30 pm
$
0
0

In this video, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address. When a particular IP address uses too many resources you can prevent that IP from consuming your bandwidth indiscriminately.

First, you will enable traffic shaping and create an address object to target a specific internal IP address. Then, you will create a shared shaper and a security policy that uses that specific IP address as the source address.

This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit for uploads and/or downloads to 200 kb/s.

The recipe for this video is available here.

Watch more videos

The post Limiting bandwidth with traffic shaping (Video) appeared first on Fortinet Cookbook.

Using virtual IPs to configure port forwarding

October 27, 2016, 8:35 am
$
0
0

This recipe demonstrates how to use Virtual IPs (VIPs) to configure port forwarding on a FortiGate unit. This configuration allows users on the Internet to connect to your server protected behind a FortiGate firewall, without knowing the server’s internal IP address and only through ports that you choose.

In this example, TCP ports 80 (HTTP), 21 (FTP), and 22 (SSH) are opened for remote users to communicate with a server behind the firewall. The external IP address used is 172.20.121.67 and is mapped to 192.168.100.1 by the VIP.

Find this recipe for other FortiOS versions:
5.2 | 5.4

1. Creating three VIPs

Go to Policy & Objects > Virtual IPs > Create New > Virtual IP.

Enter the External IP Address/Range. Next, enter the Mapped IP Address/Range.

Enable Port Forwarding and add a VIP for TCP port 80, webserver-http.

 

Next, create a second VIP for TCP port 21, webserver-ftp.

Finally, create a third a VIP for TCP port 22, webserver-ssh.

2. Adding VIPs to a VIP group

Go to Policy & Objects > Virtual IPs > Create New > Virtual IP Group.

Create a VIP group, in this example, webserver group. Under Members, include all three VIPs previously created.

  

3. Creating a security policy

Go to Policy & Objects > IPv4 Policy and create a security policy allowing access to a server behind the firewall.

Set Incoming Interface to your Internet-facing interface, Outgoing Interface to the interface connected to the server, and Destination Address to the VIP group (webserver group). Set Service to allow HTTP, FTP, and SSH traffic.

Use the appropriate Security Profiles to protect the servers.

  

4. Results

To ensure that TCP port 80 is open, connect to the web server from a remote connection on the other side of the firewall.

  

Next, ensure that TCP port 21 is open by using an FTP client to connect to the FTP server from a remote connection on the other side of the firewall.

Finally, ensure that TCP port 22 is open by connecting to the SSH server from a remote connection on the other side of the firewall.

  

For further reading, check out Virtual IPs in the FortiOS 5.4 Handbook.

While this example maps port 80 to port 80, any valid External Service port can be mapped to any listening port on the destination computer.
If the FortiGate has Central NAT enabled, the VIP objects will not be available for selection in the policy editing window.

The post Using virtual IPs to configure port forwarding appeared first on Fortinet Cookbook.

Episode 1: Introduction to FortiCast

October 27, 2016, 12:55 pm

MAC access control with a WiFi network

October 31, 2016, 1:15 pm
$
0
0

This recipe demonstrates how to add device definitions to your FortiGate using Media Access Control (MAC) addresses. These definitions are then used to identify which devices can access the WiFi network.

By using a MAC address for identification, you can also assign a reserved IP for exclusive use by the device when it connects to the WiFi network.

Warning: Since MAC addresses can be easily spoofed, using MAC to control access should not be considered a security measure.

Find this recipe for other FortiOS versions:
5.2 | 5.4

1. Finding the MAC address of a device

For Windows devices:

Open the command prompt and type ipconfig /all to display configuration information for all network connections.

The MAC address of your Windows device is the Physical Address, under information about the wireless adapter.

For Mac OS X devices:

Open Terminal and type ifconfig en1 | grep ether.

Take note of the displayed MAC address.

For iOS devices:

Open Settings > General > About.

The Wi-Fi Address  is the MAC address of your iOS device.

For Android devices:

Open Settings > General > About Phone > Hardware Info.

Take note of the Wi-Fi MAC address of your Android device.

2. Defining a device using its MAC address

Go to User & Device > Custom Devices & Groups and create a new device definition.

Set MAC Address to the device’s address and set the other fields as required. In the example, a device definition is created for an iPhone with the MAC Address B0:9F:BA:71:D8:BB.

Go to User & Device > Device Inventory. The new definition now appears in your device list.

 

3. Creating a device group

Go to User & Device > Custom Devices & Groups and create a new group.

Add the new device to the Members list.

4. Reserving an IP address for the device

Go to Network > Interfaces and edit the wireless interface.

Under DHCP Server, expand Advanced. Create a new entry in the MAC Reservation + Access Control list that reserves an IP address within the DHCP range for the device’s MAC address.

  

5. Creating a security policy for wireless traffic

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to your wireless interface, Source Device Type to the device group, and Outgoing Interface to the Internet-facing interface.

Ensure that NAT is turned on.

6. Results

Connect to the wireless network with a device that is a member of the device group. The device should be able to connect and allow Internet access.

Connection attempts from a device that is not a group member will fail.

Go to  FortiView > All Sessions and view the results for now. Filter the results using the reserved Source IP (in the example, 10.10.1.12), to verify that it is being used exclusively by the wireless device.

For further reading, check out Managing “bring your own device” in the FortiOS 5.4 Handbook.

The instructions below were written for the most recent OS
versions. Older versions may use different methods.
If you have enabled device identification on the wireless interface, device definitions will be created automatically. You can then use MAC addresses to identify which device a definition refers to.
If the FortiAP is in bridge mode, you will need to edit the internal interface.

The post MAC access control with a WiFi network appeared first on Fortinet Cookbook.

Fixed Port Range IP Pools algorithm

November 2, 2016, 9:12 am
$
0
0

IP pools are a useful tool in NATing where the basic principles are fairly straightforward and the more basic options are used with great success. However, this SysAdmin Note is going to concentrate on one of the lesser used IP Pool types – Fixed Port Range. To focus on something even more low level, we’re going to look at how the IP addresses and ports are selected.

In a Fixed Port Range type of IP pool there is nothing to force the internal and external ranges to be the same size so there isn’t an obvious way to predict what the external IP address is going to be based on the internal or source address. There is no one-to-one relationship between the addresses.

Here’s an example scenario for when you might want to use Fixed Port Range IP pool:

  • Internal IP subnet of computers using an IP pool: 172.16.4.1 – 172.16.7.255. This means there are 1022 usable IP addresses.
  • The company has what used to be called a C-class address which is 254 usable addresses on the Internet. Of these, 64 have been set aside for the IP pool.

While there isn’t any obvious method of prediction, in some situations there can be a requirement to be able to predict the relationship between the source IP address and the one that it is given from the IP pool. This can occur in situations, that for security reasons, the public IP address of a session needs to be known because communications between sites are limited to specific IP addresses.

Determining the IP address from the pool

I apologize for those that hoped they wouldn’t have to deal with math and formulas after leaving high school or college but let’s face it, computers are all about numbers. The following is the logic used to determine the IP address.

Defining the variables

The first step in having the algorithm make sense is to define the variables we will be using:

Variable Name Description
src_start Starting IP address of the IP pool’s source IPs
src_end End or last IP address of the IP pool’s source IPs
start Starting IP of the IP pool’s translated IP addresses
end End or last IP of the IP pool’s translated IP addresses
src_ip

Incoming IP address from the source device. This will fall in the range [src_start, src_end])

 

The equations

Now that we have defined the variables, we can start to place them in the algorithm. In order to make the algorithm more manageable and understandable, it is broken into 2 parts.

fixed-port-range-ip-pools-algorithm

 

Note: You should be aware that floating point calculations are not used so the result from the factor calculation will be an integer. The value is truncated, not rounded, so 36/10=3, not 4, as would be the case if rounded to the nearest integer.

Setting values for the example

Because spanning multiple subnets make the math trickier we are going to use a simpler example of a Fixed Port Range IP pool.

Variable Value
Source (internal) range 192.168.1.100 – 192.168.1.200
External range 10.1.1.50 – 10.1.1.80
example source IP address 160

 

First equation – determining the factor

fixed-port-range-ip-pools-algorithm-factor-with-values

 

Second equation – determining the IP address from the pool

fixed-port-range-ip-pools-algorithm-newip-with-values

 

If a computer with the IP address 192.168.1.160 initiates a session through a policy using the example IP pool, 10.1.1.65 will be assigned as the NATed address.

These calculations get more complicated when you overlap subnets, but this example should give the basic principles behind the process for assigning IP addresses.

TCP ports

The TCP port being use in a session could also be used to help determine which computer is the originating source of the session, if it could be narrowed down far enough. This is more difficult than working with the IP addresses. The problem is that determining which ports are assigned can have less to do with a unique computer identity than the order in which he sessions were initiated.

There can be some narrowing down from the total of possibilities, but normally the scope of probable TCP ports is a larger range of numbers than the scope of IP addresses.

Defining the variables

Just like we did when determining the IP addresses, we’ll start by defining some variables and values.

Variable name Description
snat_port_begin The beginning of the range of NATed ports
snat_port_end The end of the range of NATed ports
port_share The range size that the total number of available ports will be divided into in order to distribute the ports among the sessions
first_port_choice The number the port that the system will try to use first for the session
  • src_ip
  • src_start
  • factor
 These variable were all defined in the previous algorithm

 

Setting values for the example

Now that we know what all of the variables mean, let’s give some values to a few in order to begin the calculations.

Variable Value
snat_port_begin 5117
snat_port_end 65533

 

These values are the default ones in the system. With an entire port range of possibilities from 5117 (snat_port_begin) to 65533 (snat_port_end), It makes for a large number of possibilities. It does get narrowed down a little by using the factor equation ( see the section for calculating the IP addresses) to divide the range into shares for the sessions to use.

The equations

This equation is used to divide the total number of available ports into port shares that are of equal size for the sessions to be divided between.

fixed-port-range-ip-pools-port_share

To determine the first choice of ports for a session, second equation is used.

fixed-port-range-ip-pools-1st-choice-port

This equation make use of the modulus function, of as shown in the equation, MOD. The use of MOD makes this equation a little more interesting because we are multiplying by the remainder, instead of the resulting value from that portion of the equation. This has the effect of distributing the ports for session not like a continuous stream but more like dealing out cards from a deck to players. Session from IP address x goes to port share 1. Session from IP address x+1 goes to port share 2 and so on until we run out of shares that we start over from the beginning.

Using the information from the previous example, walking the calculations through step by step looks like this:

First equation – determining the port share

We know the factor is 4, so determining the port_share is straightforward.

fixed-port-range-ip-pools-port_share-with-data

Second equation – determining the first port choice for the session

Before running the whole second equation let’s solve the MOD portion.

fixed-port-range-ip-pools-1st-choice-port-mod-portion

It happens in this case that 4 went into 60 cleanly with no remainder, making the value 0 and forcing us to multiply by 0, which nobody likes, but it will still work in the final equation. If the src_ip was 162, the remainder would have ended up being 2

fixed-port-range-ip-pools-1st-choice-port-result

To add a little ambiguity, the value produced by this equation does not guarantee that it will be the port used. Ports are assigned on a first come, first served basis. If the first_choice_port is being used by another session already, then the FortiGate will use generic logic going up the port list incrementally, to search for the next available port.

This methodology in determining the port used for a session tries to strike the balance between assigning specific port numbers and making sure that every session can be assigned a port. Because some computers will generate a lot more sessions than others a certain amount of flexibility has to be built in. With that flexibility comes unpredictability.

If the options for the port were limited to the scope of the port_share, one could expect the options for the ports assigned to sessions from the IP address in the example to be anywhere from 5117 to 20220. 20220 being the number before the  first_port_choice in the next port share. If the remainder for the MOD portion of the equation been 1 instead of 0, the first_port_choice value would have been 20221. However, because the system keeps going up the port list until it finds a free one, if for some reason all of the ports in the first range are already in use, the system will keep going through the list until it finds a free port, even if it is a number above 20221.

The algorithm for assigning ports works very will for making sure that whenever possible, every attempted session gets a port for the purposes of NATing. The drawback is that it, while it gives a probable port range, it doesn’t guarantee the sessions will be within the range. This means that reversing the algorithm to determine the source computer for the purposes of forensic analysis will not give a definite conclusion.

Additional information

The post Fixed Port Range IP Pools algorithm appeared first on Fortinet Cookbook.

Search

Episode 2: Wave 2 Wireless

November 2, 2016, 2:06 pm

FortiAuthenticator as a Certificate Authority (Video)

November 7, 2016, 5:55 am

Logging traffic with FortiCloud

November 7, 2016, 6:40 am
$
0
0

This recipe demonstrates how to use FortiCloud, an online logging service provided by Fortinet, to store logs of your FortiGate unit’s traffic. In this example, the log shows sites visited by users on the internal network.

You can access logs using the FortiGate and also through the FortiCloud website.

Find this recipe for other FortiOS versions
5.2 | 5.4

1. Activating FortiCloud
Go to Dashboard and locate the License Information widget. In the FortiCloud row, select Activate. widget showing where to activate FortiCloud
Use an existing FortiCloud account or create a new one. create FortiCloud account
Information about your FortiCloud account now appears in the License Information widget. FortiCloud account information

2. Sending logs to FortiCloud
Go to Log & Report > Log Settings and disable local logging.  Disable local logging
Enable Send Logs to FortiCloud and confirm that Upload Option is set to Realtime. Send logs to FortiCloud 
Select Test Connectivity to verify the connection between your FortiGate and FortiCloud. Test connectivity
Adjust the Event Logging settings as desired and set the GUI Preferences to Display Logs From FortiCloud. Display FortiCloud logs

3. Enabling logging in your Internet access security policy
Go to Policy & Objects > IPv4 and edit the policy that allows connections from the internal network to the Internet. Scroll down to view Logging Options. In order to confirm that logs are being sent to FortiCloud, enable Log Allowed Traffic and select All Sessions. Log all session in policy

4. Results
Browse the Internet. Then, go to Log & Report > Forward Traffic. In the top right corner of the screen, the Log location is shown as FortiCloud.  FortiCloud log report

Go to Dashboard. In the FortiCloud row of the License Information widget, select Launch Portal.

A screen will open in your browser, showing all the devices linked with your FortiGate account. Select the appropriate unit.

You can also access your FortiCloud account by going to www.forticloud.com

 FortiCloud device

After you select your device, the FortiCloud Dashboard appears, displaying information about traffic.

From the portal’s top menu bar, you can also access options for FortiView, Drilldown, Reports, and Management.

For more information about using FortiCloud, see the FortiCloud FAQ.

 FortiCloud dashboard

For further reading, check out FortiCloud in the FortiOS 5.4 Handbook.

Before you can use FortiCloud, you must register your FortiGate. For more information, see FortiGate registration and basic settings.
It is recommended to use a common FortiCloud account for all your Fortinet logs.
If traffic does not appear in FortiCloud right away, wait 10-15 minutes and try again.

The post Logging traffic with FortiCloud appeared first on Fortinet Cookbook.

Configuring Administrator Accounts and Profiles in FortiVoice Enterprise

November 9, 2016, 7:00 am
$
0
0

FortiVoice Enterprise features a single administrator account by default. FortiVoice units, however, support multiple administrator accounts. This recipe guides you through the process of creating additional administrator accounts with restricted permissions.

 

Configuring Administrator Accounts

To configure administrator accounts

  1. Go to System > Admin > Administrators.
  2. Select New to add an account or double-click an existing account.
  3. Enter the name of the administrator account 
  4. Select the extension of the administrator account from the Sing sign-on manager dropdown menu. Once you select the desired extension, the Managed departments section appears.
  5. Expand the Managed departments section. Select the call center departments you want the administrator to manage and then select the right arrow to move it to the Selected section.

    Providing the administrator access to specific call center departments allows the admin to view information like recorded calls and reports. 

  6. Select your preferred authentication type. If you select LDAP, you will need to configure an LDAP profile.
  7. Enter an IPv4 or IPv6 address into the Trusted hosts field. If you want the administrator to access the FortiVoice unit from any IP address, use 0.0.0.0/0.0.0.0.
  8. Select the name of an admin profile that determines which functional areas the administrator account may view or affect and  then select the language and theme. 
  9. Select Create
  admin-account

Configuring Administrator Profiles

The Admin Profile tab displays a list of administrator access profiles.

Administrator profiles govern which areas of the web-based manager and CLI that an administrator can access and modify.

To configure administrator access profiles

  1. Go to System > Admin > Admin Profile
  2. Select New or modify an existing profile.
  3. Enter a profile name.
  4. Select the desired privileges you wish the administrator to be able to access and modify.
  5. Select Create.
  privileges

The post Configuring Administrator Accounts and Profiles in FortiVoice Enterprise appeared first on Fortinet Cookbook.

Recording Calls in FortiVoice Enterprise

November 11, 2016, 10:26 am
$
0
0

Let’s say you wanted to monitor or have a permanent record of a particularly important phone call. Thankfully, FortiVoice Enterprise supports call recording, so you can monitor and supervise incoming and outgoing calls. 

This recipe guides you through the process of configuring call recordings and archiving recorded calls.

 

Recording Calls

First we’ll need to establish and configure call recording in FortiVoice Enterprise. 

  1. Go to Call Features > Call Recording > Policy
  2. Select New.
  3. Enter a name and then enable the policy.
  4. Select your desired category of call you want to record. Depending on what you select, you’ll have to enter some new information. Department, for example, will require you to enter a department extension number so that if a client calls Sales, the call will always be recorded.
  5.  Select the file format that the downloaded recorded call generates.
  6. Select Create.

There are some additional file settings in the Call Features > Call Recording > Setting section that let you choose between a high or low quality recording. 

  call-recording

Archiving Recorded Calls

Once you’ve established and configured call recording, you can now dictate how FortiVoice Enterprise archives calls for future use.

To configure the recording archive settings

  1. Go to Call Features > Call Recording > Archive.
  2. Enter the recorded file rotation size and time.  FortiVoice saves the recording and generates a new file the second the indicated time or size is reached.
  3. Select what you want FortiVoice to do when the disk is full. 
  4. Select an archiving destination. The total disk quota cannot exceed 50 percent of the total data disk size. The FortiVoice unit will remove the oldest archived call if it exceeds this limit. Selecting Remote will require more configuration.
  5. Select the protocol that the FortiVoice unit will use to connect to the remote storage server.
  6. Enter the IP address of the remote storage server and the user name and password for the FortiVoice account.
  7. Enter the directory path on the remote storage where the FortiVoice unit stores archived calls and then enter the FortiVoice cache quota.
  8. Select Apply.
  archive-recording

The post Recording Calls in FortiVoice Enterprise appeared first on Fortinet Cookbook.

Viewing all 690 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>