1. Enabling Application Control

Go to System > Feature Select to ensure that Application Control is enabled.

2. Blocking Tor traffic in Application Control using the default profile

Go to Security Profiles > Application Control to edit the default profile.

Under Application Overrides, select Add Signatures.

Filter by Category: Tor and Proxy: Name to search for Tor.

Two signatures will appear: one for the web-based Tor usage and one for the Tor client.

Highlight both signatures and click Use Selected Signatures.

Both signatures now appear in the Application Overrides list, with the Action set to Block.

3. Adding application control to your security policy

Go to Policy & Objects > IPv4 Policy to edit the policy that allows connections from the internal network to the Internet.

Set Source to all.

4. Results

Browse the Internet using the Tor browser. The Tor browser will be blocked.

Configuring Administrator Accounts

To configure administrator accounts

1. Go to System > Admin > Administrators.
2. Select New to add an account or double-click an existing account.
3. Enter the name of the administrator account 
4. Select the extension of the administrator account from the Sing sign-on manager dropdown menu. Once you select the desired extension, the Managed departments section appears.
5. Expand the Managed departments section. Select the call center departments you want the administrator to manage and then select the right arrow to move it to the Selected section.

   Providing the administrator access to specific call center departments allows the admin to view information like recorded calls and reports. 

6. Select your preferred authentication type. If you select LDAP, you will need to configure an LDAP profile.
7. Enter an IPv4 or IPv6 address into the Trusted hosts field. If you want the administrator to access the FortiVoice unit from any IP address, use 0.0.0.0/0.0.0.0.
8. Select the name of an admin profile that determines which functional areas the administrator account may view or affect and  then select the language and theme. 
9. Select Create. 

Configuring Administrator Profiles

The Admin Profile tab displays a list of administrator access profiles.

Administrator profiles govern which areas of the web-based manager and CLI that an administrator can access and modify.

To configure administrator access profiles

1. Go to System > Admin > Admin Profile
2. Select New or modify an existing profile.
3. Enter a profile name.
4. Select the desired privileges you wish the administrator to be able to access and modify.
5. Select Create.

1. Enabling web filtering and multiple profiles

Go to System > Feature Select to enable Web Filter and Multiple Security Profiles.

Apply changes if necessary.

2. Creating a user group and two users

3. Creating a web filter profile and an override

Go to Security Profiles > Web Filter to create a new profile (block-bandwidth-consuming).

Enable FortiGuard category based filter, then right-click Bandwidth Consuming and select Block.

Go to Security Profiles > Web Filter to enable Allow users to override blocked categories.

Set Groups that can override to web-filter-override, Profile can switch to default, Switch applies to User Group, and Switch Duration to Ask.

4. Adding the new web filter profile to a security policy

Go to Policy & Objects > IPv4 Policy to edit the policy that allows connections from the internal network to the Internet.

Set Source all, bwayne, and web-filter-override.

Under Security Profiles, enable Web Filter and select the block-bandwidth-consuming profile.

5. Results

Browse to youtube.com, a website that is part of the Bandwidth Consuming category.

Authenticate using the bwayne account. The website is blocked.

Go to Monitor > Firewall User Monitor and De-authenticate bwayne.

Browse to youtube.com again, this time authenticating the ckent account. You can access the website until the override expires.

 Configuring Alert Recipients

Before the FortiVoice unit begins sending out alerts, you’ll first need to establish who should be on the alert recipient list.

To configure recipients of alert email messages

1. Go to Log > Alerts > Configuration.
2. Select New to add the email address of the recipient.
3. Enter the email address of the individual you wish to be notified and then select Create.
   Repeat the process to add more users.

 Establishing Alert Types

So now that we’ve established who will receive an email when an event occurs, we’re going to need to configure the alert categories to determine what events will trigger the email messages.

To establish alert types

1. Go to Log > Alerts > Categories.
2. Select one or more of the events by selecting the appropriate checkbox.

   Let’s go over a few of the ones that may not be self-explanatory:
   Critical events: Whenever the FortiVoice unit detects a system error that could impact its operation, like a hardware failure.
   Deferred email quota: Selecting this option will have the FortiVoice unit send you an email letting you know that you’ve exceeded the email message queue.
   Daily call summary: This is a great way to get a summary of a variety of different call information, like the total amount of calls, the number of long distance calls, and the amount of international calls.
   Trunk lines are saturated: Sends an alert amil when the SIP/PSTN/PRI trunk lines are fully occupied. SIP trunk alert only works if you select Overflow check when configuring the SIP trunk.

3. Select Apply.

1. Windows 10 certificate

While it is not the goal of this article to cover Microsoft’s Certificate Authority and its operation, suffice to note that our test user (user1) has been issued a standard “User” template certificate for which he has enrolment permissions for.

In our case, we duplicated the standard “User” template and made certain that we have the User Principal Name included in the subject name of the issued certificate – this is the user field we will be using to search LDAP during the connection attempt.

For reference, UPN designates the format “user@domain”, with domain being the Active Directory domain.

2. Requesting and installing a server certificate for FortiOS

Using our Microsoft Certificate Authority’s web interface, we request a “Web Server” type certificate and use the CSR generated from FortiOS’s GUI to obtain a trusted certificate. Do note that “trusted” in this example is limited in scope to the organization’s assets – you would use a public CA to generate a certificate for FortiOS if you expect non-corporate assets to connect to the SSL VPN as those are unlikely to trust the Active Directory CA we are using in our example.

While the below process goes through the manual certificate request process, FortiOS is SCEP capable which can be used to automate the certificate request process with a SCEP-compliant CA server (Microsoft CA does support SCEP).

Export the CA certificate from your CA using the available methods. In our case, we use the Windows CA web interface to download our CA cert in BASE64 format.

Go to System > Certificates and select Import > CA Certificate.

Select the Microsoft CA certificate file.

The CA certificate now appears in the list of Certificates. Note that it is named “G_CA_Cert_1″ – keep that in mind as we refer to this later in the article.

Next, we generate a CSR on FortiOS which we will use to obtain a signed certificate from our CA, again in our case the Microsoft CA. The domain name used should match the domain name users will be connecting to using FortiClient and is generally what resolves to the IP of the interface listening for SSL VPN.

Download the generated CSR, which is a text file containing the BASE64 certificate request.

We again use our Microsoft CA web interface to submit our CSR and obtain a certificate of type “Web Server”.

Download the resulting signed request in BASE64 format.

Finally, import that signed request as a local certificate on FortiOS to finalize our SSL VPN server certificate. 

Our request is complete and our certificate is now usable. We will use this certificate later in our SSL VPN configuration.

3. Configuring LDAP, PKI and a group

As we will be validating incoming VPN requests using the UserPrincipalName found in the trusted certificates used by clients, we need to define our LDAP server.

Go to User & Device > LDAP Servers and create a new LDAP server definition.

This definition is common, except for the fact that we will be using UserPrincipalName as our Common Name Identifier – the UPN field is what we are extracting from the certificates and need to match to locate users in LDAP.

Next, head to the CLI. This is the only part of this article that requires a CLI definition.

Create a PKI “peer” object as shown. This is a relatively static object which will not require frequent visits to the CLI.

config user peer
    edit "FORTIQC_CERTS"
        set ca "G_CA_Cert_1"
        set ldap-server "FORTIQC"
        set ldap-mode principal-name
    next
end

A PKI “peer” object is created in order to instruct FortiOS to match an incoming certificate’s UserPrincipalName to a target LDAP server object, providing that certificate is signed by the designated CA and is valid. You will recognize the G_CA_Cert_1 as the name of the CA certificate we imported earlier.

The “ldap-mode” parameter is important as it dictates that authentication is not explicit (the user does not need to pass a username and password) and instead is based on validating that the UserPrincipalName found in the certificate does exist. We will extend  this in a moment to also request that the user be a member of a specific LDAP group.

4. Configuring a group

Next, we configure the group object that will assemble our previously configured LDAP and PKI objects together.

Go to User & Device > User groups and create a new group.

Add the PKI peer object previously created as a local member of the group.

Next add a remote group on the LDAP server and select the group of interest you need these users to be members of using the LDAP browser window.

 What just happened here?

This configuration is counter-intuitive at first glance as matching against a group object generally means matching at least one of its members.

However when using a PKI object in the “member” field, the group object’s behaviour change and instead, the group will only match if the PKI object is true (the certificate is valid and trusted and the user exists in LDAP) AND the group memberships obtained from LDAP for the user also match one of the remote LDAP groups defined.

We will look at connection debug information later to see this process happening.

5. Configuring the SSL VPN settings

Go to VPN > SSL-VPN Settings.

Ensure that the “Require Client Certificate” option is checked.

Select the certificate we generated earlier for FortiOS.

If needed, map our newly created group to a specific portal definition. This is only necessary if the default portal (designated by “All Other Users/Groups” entry) is not the right one. In our case, it wasn’t necessary to define the group to portal mapping as the default portal was the same.

6. Configuring the policy

Finally, under Policy & Objects > IPv4 Policy create or modify your existing SSL VPN policies to incorporate your new group.

7. Results

Our FortiClient is configured with the target hostname and local certificate issued to the user. Connecting to the VPN requires neither username or password – only the user’s certificate.

Lets look at the output of “diag debug app fnbamd -1” while the user connects. We have shortened the output of the diag in a few locations to focus on the important parts.

We can see the lookups being done to find the group memberships (3 groups total) of the user and that the correct group being found results in a match.

We can also use “diag firewall auth list” to validate that a firewall user entry exists for our SSLVPN user and is part of the right groups.

As a reference, fnbamd is short for “Fortinet Non-Blocking Authentication Management Daemon” and is the process responsible for the vast majority of explicit authentication duties found in FortiOS.

MN140D-1 (root) # diag debug reset
diag debug
MN140D-1 (root) # diag debug app fnbamd -1
Debug messages will be on for 30 minutes.

[1590] cert_check_group_list-checking group type 1 group name 'FORTIQC_PKI_GrpCertAuth'
[1425] quick_check_peer-Cert subject 'CN = user1'
[1483] check_add_peer-check peer user 'FORTIQC_CERTS' in group 'FORTIQC_PKI_GrpCertAuth', result is 4
[1614] cert_check_group_list-Status pending for group 'FORTIQC_PKI_GrpCertAuth'
[804] resolve_ldap_FQDN-Resolved address 192.168.129.40, result 192.168.129.40
[1185] fnbamd_ldap_init-search filter is: (&(userPrincipalName=user1@fortiqc.local)
    (!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

[1189] fnbamd_ldap_init-search base is: dc=fortiqc,dc=local

[258] start_search_dn-base:'dc=fortiqc,dc=local' filter:(&(userPrincipalName=user1@fortiqc.local)
    (!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
...
[306] get_all_dn-Found 1 DN's
[556] start_user_attrs_lookup-Adding attr 'memberOf'
[577] start_user_attrs_lookup-base:'CN=user1,CN=Users,DC=fortiqc,DC=local' filter:cn=*
...
[1851] fnbamd_ldap_get_result-Going to DONE state res=0
[141] __ldap_copy_grp_list-copied CN=GrpCertAuth,CN=Users,DC=fortiqc,DC=local
[141] __ldap_copy_grp_list-copied CN=testgroup,CN=Users,DC=fortiqc,DC=local
[141] __ldap_copy_grp_list-copied CN=Domain Users,CN=Users,DC=fortiqc,DC=local
[1845] __match_ldap_group-Matching server 'FORTIQC' - 'FORTIQC'
[1853] __match_ldap_group-Matching group 
       'CN=GrpCertAuth,CN=Users,DC=fortiqc,DC=local' - 'CN=GrpCertAuth,CN=Users,DC=fortiqc,DC=local'
[1953] fnbamd_auth_cert_poll-Result for ldap svr[0] '192.168.129.40' is SUCCESS
[1959] fnbamd_auth_cert_poll-matched user 'FORTIQC_CERTS', matched group 'FORTIQC_PKI_GrpCertAuth'
...


MN140D-1 (root) # diag firewall auth list

10.212.134.200, cn=user1, FORTIQC_PKI_GrpCertAuth
	type: fw, id: 0, duration: 181, idled: 0
	expire: 28797, allow-idle: 28797
	flag(a0): idle sslvpn
	packets: in 1427 out 1505, bytes: in 291364 out 359030
	group_id: 2
	group_name: FORTIQC_PKI_GrpCertAuth

----- 1 listed, 0 filtered ------


 

8. Logs

Finally, our logs show our LDAP user’s traffic:

9. Summary

This article presented a technique allowing for “credential-less” VPN connectivity using certificates while maintaining the ability to authorize access with policies that are based on LDAP groups. As a side note, this technique may not be suitable to the levels of security requirements of all environments as it foregoes explicit authentication in addition to PKI authentication. Your organization’s security versus ease-of-use requirements ultimately dictate the requirements.

1. FortiGate Configuration Script

The configuration script for a FGT-VM is in standard CLI syntax. The key thing to remember is to enter a #<comment> in the first line, and then the fill the following lines with standard CLI syntax. Here is a simple example below, where the hostname is Example-Day0 and port1 is configured to use DHCP to get an IP address.

aaberra@ubuntu:/var/tmp$ cat config-drive/openstack/latest/user_data

#Example FGT Day0 Configuration

 

config system global

   set hostname Example-Day0

end

 

config system interface

edit port1

set mode dhcp

set allowaccess https ssh ping

end

aaberra@ubuntu:/var/tmp$

2. Create the Config Drive ISO

3. Results

command.

1. Subscribing to FortiAnalyzer-VM

2. Uploading the FortiAnalyzer template

Log in to your AWS account and select CloudFormation.

Select Create Stack.

Complete the Specify Details form with the values shown.

Select Next.

3. Logging into the FortiAnalyzer

4. Results 

 Configuring PMS Settings

First we’ll need to configure PMS settings. 

1. Go to Hotel Management Settings > Setting > PMS.
2. Select the Enabled box.
3. Select FortiVoice from the dropdown Protocol menu.
4. Enter the port number that connects to the PMS.

   Note: You need to use an adapter for the FortiVoice-PMS connection. We recommend using iPocket 232 by Precidia.

5. Enter the IP address and netmask of the PMS. You can enter multiple trusted hosts if you have multiple property management systems. 
6. Select Apply.

 Establishing Hotel Management Options

Now we’ll need to configure management check in and check out actions. 

1. Go to Hotel Management > Setting > Option.
2. Select the guest information to make a room check-in ready. Privilege enables phone call restrictions. Guest name displays the room or guest name on the room extension. Room condition clears any condition set for the room.
3. Set the guest information and room condition to make a room check-out ready. Voice mail clears all voicemail for the room extension and Wake-up call clears all wake-up calls setup for the room extension. 
4. Select the first item clients select when placing an order from the front desk. For example, if you selected code first and the client wanted two waters (code 4), the client would dial 4*2. 
5. Select Apply.
6. Select the Mini Bar Code tab.
7. Select New.
8. Enter the item name, for example, Water and then enter the item’s code, for example, 4. 
9. Select Create.

 Configuring Hotel Room Status

Now that we have the PMS and the FortiVoice unit properly connected, we can configure the hotel room statuses.

To batch-configure hotel room statuses

1. Go to Hotel Management > Room Status > Room Status.
   A green dot in the top menu bar indicates that the FortiVoice unit is connected with the PMS. 
   
2. Select the rooms you wish to edit. A green dot indicates the guest’s room extension is bound with the room.
3. Select Edit.
4. Select the Guest Phone checkbox to make the room a guest room.
5. Select the room status to configure: Checked-out or Checked-in.
6. Enter the Guest name (if you selected Checked-in) and set their privilege. 
7. Select DND if the guest does not want to be disturbed and VIP if f they should receive special treatment.
8. Select OK.

 Configuring a Static Conference Call

A static conerference call would be one that may occur on a regular schedule.

To configure a static conference call

1. Go to Call Features > Conferencing > Conferencing.
2. Select New.
3. Select Enabled if not already activated.
4. Enter an extension number that callers can call and enter the user PIN to join the conference call.
5. Enter a descriptive name for the conference call extension. For example, HR.
6. Enter a user PIN, which will be the password clients must enter to join the conference call. A caller needs to dial the conference number and then enter the password.
7. Enter the Admin PIN, which is the password used by an admin to begin a conference call.
8. Enable Recursive Schedules if you want conference calls to be on a repeated schedule.  For example, a recursive schedule will make sure that users can only join the conference call during the scheduled time period by entering the configured password.
9. Enable One Time Schedules if you only want users to have access to a single conference call without the use of passwords.
10. Select Create.

 Configuring a Dynamic Conference Call

A dynamoic conference call would be one that is likely to only occur once.

To configure a dynamic conference call

1. Go to Call Features > Conferencing > Conferencing.
2. Select New.
3. Enter the conference call name.
4. Enter the conference call extension number that callers enter to join the call.
5. Enter the displayed name that will appear on the call extension, such as HR.
6. Enable Quite mode if you don’t want the call to announce and record the participant’s name. 
7. Select Create.
8. Select your newly created conference call.
9. enter the extension number that callers can call and enter their user PIN.
10. Double-click the date to schedule an event and select OK.