Channel: Fortinet Cookbook

Deploying FortiGate Autoscaling for new VPC OnDemand licenses


In this recipe, you will deploy FortiGate Autoscaling into a new VPC using OnDemand licenses in Amazon Web Services (AWS).

If you are not using an existing VPC for your deployment and have not purchased BYOL licenses from Fortinet, you need to launch a new CloudFormation template. These templates can be found on GitHub.

In most cases, the defaults provided in the template should be sufficient. See AWS Documentation for the parameter types if you need to change from defaults.

1. Uploading the template

In the AWS Management Console, go to CloudFormation Service and select Create New Stack.

Under Choose a template, enable Select a sample template, then select your new template for upload.

 

2. Configuring Autoscaling

In Specify Details, set the Stack Name to a name that is unique within the region. Set ASQueue to an SQS Queue Name that is unique within the scope of your queues.

Set AZForFirewall1 and AZForFirewall2 to the Availability Zones within the region where you wish to place FortiGate 1 and FortiGate 2 respectively.

 

In VPC Configuration, select a CIDR block (if different from the defaults provided) that will hold the subnets specified for Public1, Private1, Public2, and Private2. Provide a unique subnet range for each of the public and private subnets.

 
In FortiGate Instance Configuration, select an Instance Type for initial FortiGates. Set CIDRForFortiGateAccess to define the Security Group for FortiGate Access and FortiGateKeyPair to allow SSH access to the FortiGate instances.
 
In ELB Configuration, if you need to change the default values, refer to AWS Documentation.

In Worker Node Instance Configuration, set ASKeypair to allow SSH access to the FortiGate instances and CIDRForASAccess to define the Security Group for FortiGate Access.

In Options, you can add additional Tags, Permissions, or Advanced Notification Options as desired. For more information, refer to AWS Documentation.

Review your parameters and acknowledge the IAM resources notification. Select Create.

3. Results

Verify that the stack’s Status is shown as CREATE_IN_PROGRESS.  
You can also monitor Stack Creation Events.  

 

Note: The Availability Zone may not support the instance size of the FortiGate instance. If you get a warning that a specific instance size is not supported, choose a different size or choose a different zone.

The post Deploying FortiGate Autoscaling for new VPC OnDemand licenses appeared first on Fortinet Cookbook.


FortiOS AntiVirus inspection modes


In FortiOS 5.0, 5.2, and 5.4, there are several AntiVirus (AV) scanning inspection modes available. FortiOS 5.0 includes proxy-based and flow-based virus scanning. FortiOS 5.2 also uses proxy-based and flow-based scanning, but its flow-based mode uses a new approach (sometimes called deepflow or deep flow scanning). FortiOS 5.4 adds another flow-based mode, quick mode, to inspect traffic more efficiently.

AV Scanning 101

AntiVirus scanning examines files in HTTP, HTTPS, email, and FTP traffic for threats as they pass through your FortiGate unit. If the AV scanner finds a threat such as a virus or some other malware, FortiOS protects your network by blocking the file.

FortiOS includes a number of AntiVirus features that make virus scanning more user-friendly. One of these features, called replacement messages, sends a customizable message to anyone whose file is blocked by AV scanning, explaining what happened and why. Other features make communication between the client and the server more seamless. Which of these features are available depends on the inspection mode.

Proxy-based AV scanning

Proxy-based AV scanning is the more feature-rich AV scanning mode. This mode uses a proxy to manage the communication between client and server. The proxy extracts content packets from the data stream as they arrive and buffers the content until the complete file is assembled. Once the file is whole, the AV scanner examines it for threats. If no threats are found, the file is sent to its destination. If a threat is found, the file is blocked.

Because proxy-based scanning is applied to complete files, it provides very effective threat detection. Proxy-based scanning also supports a full range of features, including replacement messages and client comforting, making it the most user-friendly inspection mode. In addition, the proxy manages the communication between the client and the server, so communication is cleaner.

Proxy-based scanning inspects all files under the oversized threshold. This threshold is 10 MB by default but can be reconfigured. Any files larger than the threshold are considered oversized and are not inspected.

Flow-based AV scanning

Although the name “flow-based scanning” is used in both FortiOS 5.0 and 5.2, the two different versions handle this mode in very different ways.

Flow AV in FortiOS 5.0

In FortiOS 5.0, flow-based AV scanning scans the content of individual data packets as they pass through the FortiGate. There is no proxy involved, so packets are not changed by a proxy and files are not buffered for analysis. Fewer memory and CPU resources may be used, which can improve performance compared to proxy-based mode. FortiOS 5.0 flow-based AV scanning is also not limited by file size.

Flow AV uses the IPS engine and the AV database and is effective at many kinds of threat detection; however, because it can only analyze what is in an individual packet rather than a complete file, flow-based scanning cannot detect some types of malware, including polymorphic code. Malware in documents, compressed files, and some archives is also less likely to be detected.

Flow AV does not actually block files; it stops delivering the rest of the file once a threat has been detected. This means that parts of the file may already have been delivered by the time the threat is detected, and the recipient application is responsible for dealing with the partially complete content.

In addition, flow AV can be less user-friendly. Replacement messages are not supported, and clients may have to wait for sessions to time out without knowing why content has been blocked.

Flow AV in FortiOS 5.2 (deepflow or deep flow)

FortiOS 5.2 introduced a new type of flow-based AV scanning, sometimes called deepflow or deep flow, which takes a hybrid approach: content packets are buffered while simultaneously being sent to their destination. When all of the file's packets have been collected and buffered, but before the final packet is delivered, the buffered file is scanned. If a threat is found, the last packet is blocked and the client application has to deal with not getting the complete file. If no threat is found, the final packet is sent and the user gets their file.

Deepflow AV scanning is as good as proxy-based AV scanning at detecting threats. There may be a small performance advantage over proxy-based AV as files get larger, because only the last packet is held back after analysis instead of the whole file. Deepflow's most notable limitation is that, just like the flow-based AV in 5.0, it does not support many of the user-friendly features provided by proxy-based AV.

Flow AV in FortiOS 5.4 and later

In FortiOS 5.4 and later, there are two modes available for flow-based inspection: full and quick. Full mode is the same as flow-based scanning in FortiOS 5.2. Quick mode uses a compact antivirus database and advanced techniques to improve performance.
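To make the difference between the three modes concrete, here is an added Python simulation (illustrative code written for this page, not FortiOS code): a toy file is split into packets and run through a proxy-style scanner, a 5.0 flow-style scanner and a deepflow-style scanner. The packet size, the constructed signature and the two sample files are assumptions, and quick mode is not modelled.

```python
# Constructed sample data: a toy "signature" standing in for an AV database entry.
SIGNATURE = b"BADSIG"
PACKET_SIZE = 16
OVERSIZE_THRESHOLD = 10 * 1024 * 1024  # proxy-mode default of 10 MB

# Signature fully inside the second of three packets.
INLINE_SAMPLE = b"A" * 16 + b"A" * 10 + SIGNATURE + b"B" * 16
# Signature split across the boundary between two packets ("BAD" | "SIG").
STRADDLE_SAMPLE = b"A" * 13 + SIGNATURE + b"B" * 13


def packetize(data, size=PACKET_SIZE):
    """Split a file into fixed-size 'packets' as they would arrive on the wire."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def proxy_scan(packets, threshold=OVERSIZE_THRESHOLD):
    """Proxy mode: buffer the whole file, scan it, then deliver all or nothing.
    Files above the oversized threshold are passed through without inspection."""
    whole = b"".join(packets)
    if len(whole) > threshold:
        return {"scanned": False, "blocked": False, "delivered": whole}
    if SIGNATURE in whole:
        return {"scanned": True, "blocked": True, "delivered": b""}
    return {"scanned": True, "blocked": False, "delivered": whole}


def flow50_scan(packets):
    """FortiOS 5.0 flow mode: each packet is scanned on its own and forwarded.
    Everything before the detecting packet has already reached the client, and a
    signature split across two packets is never seen."""
    delivered = b""
    for pkt in packets:
        if SIGNATURE in pkt:
            return {"scanned": True, "blocked": True, "delivered": delivered}
        delivered += pkt
    return {"scanned": True, "blocked": False, "delivered": delivered}


def deepflow_scan(packets):
    """5.2 deepflow (5.4 'full' mode): forward and buffer packets as they arrive,
    scan the assembled file before the last packet, then release or withhold it."""
    if not packets:
        return {"scanned": True, "blocked": False, "delivered": b""}
    whole = b"".join(packets)
    if SIGNATURE in whole:
        return {"scanned": True, "blocked": True, "delivered": b"".join(packets[:-1])}
    return {"scanned": True, "blocked": False, "delivered": whole}


MODES = {"proxy": proxy_scan, "flow_5.0": flow50_scan, "deepflow": deepflow_scan}


def compare(data):
    """Run one file through all three modes and report what the client received."""
    packets = packetize(data)
    return {name: scan(packets) for name, scan in MODES.items()}


if __name__ == "__main__":
    for label, sample in (("inline", INLINE_SAMPLE), ("straddle", STRADDLE_SAMPLE)):
        for mode, result in compare(sample).items():
            print(f"{label:8} {mode:9} blocked={result['blocked']!s:5} "
                  f"delivered={len(result['delivered'])} of {len(sample)} bytes")
```

The straddle case is the one to watch: only the modes that scan the assembled file catch a signature that crosses a packet boundary, and deepflow still hands the client everything except the last packet.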



MAC access control with a WiFi network


This recipe demonstrates how to add device definitions to your FortiGate using Media Access Control (MAC) addresses. These definitions are then used to identify which devices can access the WiFi network.

By using a MAC address for identification, you can also assign a reserved IP for exclusive use by the device when it connects to the WiFi network.

Warning: Since MAC addresses can be easily spoofed, using MAC to control access should not be considered a security measure.

Find this recipe for other FortiOS versions:
5.2 | 5.4 

1. Finding the MAC address of a device

For Windows devices:

Open the command prompt and type ipconfig /all to display configuration information for all network connections.

The MAC address of your Windows device is the Physical Address, under information about the wireless adapter.

For Mac OS X devices:

Open Terminal and type ifconfig en1 | grep ether.

Take note of the displayed MAC address.

For iOS devices:

Open Settings > General > About.

The Wi-Fi Address is the MAC address of your iOS device.

For Android devices:

Open Settings > General > About Phone > Hardware Info.

Take note of the Wi-Fi MAC address of your Android device.

2. Defining a device using its MAC address

Go to User & Device > Custom Devices & Groups and create a new device definition.

Set MAC Address to the device’s address and set the other fields as required. In the example, a device definition is created for an iPhone with the MAC Address B0:9F:BA:71:D8:BB.

Go to User & Device > Device Inventory. The new definition now appears in your device list.

 

3. Creating a device group

Go to User & Device > Custom Devices & Groups and create a new group.

Add the new device to the Members list.

4. Reserving an IP address for the device

Go to Network > Interfaces and edit the wireless interface.

Under DHCP Server, expand Advanced. Create a new entry in the MAC Reservation + Access Control list that reserves an IP address within the DHCP range for the device’s MAC address.

 

5. Creating a security policy for wireless traffic

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to your wireless interface, Source Device Type to the device group, and Outgoing Interface to the Internet-facing interface.

Ensure that NAT is turned on.

6. Results

Connect to the wireless network with a device that is a member of the device group. The device should be able to connect and allow Internet access.

Connection attempts from a device that is not a group member will fail.

Go to FortiView > All Sessions and select the now view. Filter the results using the reserved Source IP (in the example, 10.10.1.12) to verify that it is being used exclusively by the wireless device.

For further reading, check out Managing “bring your own device” in the FortiOS 5.4 Handbook.
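As an added example for steps 1 and 4 (written for this page, not Fortinet code), the following Python turns the command output from step 1 into the upper-case, colon-separated form the FortiGate expects and checks the reservation against the DHCP range. The ipconfig/ifconfig output and the DHCP range are constructed; the MAC and reserved IP are the page's.

```python
import ipaddress
import re

# Constructed sample output from the commands in step 1 (not real captures).
WINDOWS_IPCONFIG = """\
Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : B0-9F-BA-71-D8-BB
   DHCP Enabled. . . . . . . . . . . : Yes
"""
MACOS_IFCONFIG = "\tether b0:9f:ba:71:d8:bb \n"

# Six hex octets separated by ':' (ifconfig, iOS, Android) or '-' (ipconfig).
MAC_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])")


def normalize_mac(mac):
    """Return the address in the upper-case, colon-separated form used by FortiGate."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(len(o) == 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.upper() for o in octets)


def extract_mac(command_output):
    """Pull the first MAC address out of ipconfig /all or ifconfig output."""
    m = MAC_RE.search(command_output)
    if not m:
        raise ValueError("no MAC address found in command output")
    return normalize_mac(m.group(0))


def is_locally_administered(mac):
    """True when the 'locally administered' bit of the first octet is set. Randomized
    per-network Wi-Fi addresses (iOS 14 / Android 10 and later) set this bit, so a
    device using them will not match a definition built from its hardware address."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def reservation(mac, ip, dhcp_range):
    """Build the MAC Reservation entry for step 4, checking that the IP is inside the
    DHCP range (dhcp_range is a (first, last) pair as shown in the interface GUI)."""
    addr = ipaddress.ip_address(ip)
    first, last = (ipaddress.ip_address(a) for a in dhcp_range)
    if not first <= addr <= last:
        raise ValueError(f"{ip} is outside the DHCP range {dhcp_range[0]}-{dhcp_range[1]}")
    return {"mac": normalize_mac(mac), "ip": str(addr)}


if __name__ == "__main__":
    for output in (WINDOWS_IPCONFIG, MACOS_IFCONFIG):
        mac = extract_mac(output)
        print(mac, "(locally administered / randomized)" if is_locally_administered(mac) else "")
    # Page example: iPhone B0:9F:BA:71:D8:BB reserved 10.10.1.12; the DHCP range is constructed.
    print(reservation("b0-9f-ba-71-d8-bb", "10.10.1.12", ("10.10.1.2", "10.10.1.254")))
```

The locally-administered check is worth running on every address you collect: a device that randomizes its Wi-Fi MAC per network will never match a definition keyed on its hardware address, which is one more reason the warning above applies.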

Note: The instructions in step 1 were written for the most recent OS versions. Older versions may use different methods.
Note: If you have enabled device identification on the wireless interface, device definitions are created automatically. You can then use MAC addresses to identify which device a definition refers to.
Note: If the FortiAP is in bridge mode, you will need to edit the internal interface instead of the wireless interface.


Setup of FortiAnalyzer in AWS

FortiGate AutoScaling for Existing VPC with On-Demand Deployment


In this recipe, you will deploy FortiGate Autoscaling into an existing VPC as an OnDemand deployment in Amazon Web Services (AWS).

If you do not already have the correct template, it can be found on GitHub.

1. Uploading the template

In the AWS Management Console, go to CloudFormation Service and select Create New Stack.

Under Choose a template, enable Select a sample template, then select the template for upload.


 

2. Configuring Autoscaling

In Specify Details, set the Stack Name to a name that is unique within the region. Set ASQueue to an SQS Queue Name that is unique within the scope of your queues.

Set AZForFirewall1 and AZForFirewall2 to the Availability Zones within the region where you wish to place FortiGate 1 and FortiGate 2 respectively.


 

In VPC Configuration, use the dropdown menu to set the VPC specific details, as well as the public and private subnets. These values are pulled from the existing VPCs.


 
In FortiGate Instance Configuration, select an Instance Type for initial FortiGates. Set CIDRForFortiGateAccess to define the Security Group for FortiGate Access and FortiGateKeyPair to allow SSH access to the FortiGate instances.

 
In ELB Configuration, if you need to change the default values, refer to AWS Documentation.
 
In Worker Node Instance Configuration, set ASKeypair to allow SSH access to the FortiGate instances and CIDRForASAccess to define the Security Group for FortiGate Access.
In Options, you can add additional Tags, Permissions, or Advanced Notification Options as desired. For more information, refer to AWS Documentation.
Review your parameters and acknowledge the IAM resources notification. Select Create.
 

3. Results

Verify that the stack’s Status is shown as CREATE_IN_PROGRESS.
You can also monitor Stack Creation Events.
 

 

Note: The Availability Zone may not support the instance size of the FortiGate instance. If you get a warning that a specific instance size is not supported, choose a different size or choose a different zone.


FortiGate AutoScaling for New VPC with Mixed BYOL and On-Demand Deployment


In this recipe, you will deploy FortiGate Autoscaling into a new VPC with mixed BYOL and On-Demand Deployment for Amazon Web Services (AWS).

If you are not using an existing VPC for your deployment and have not purchased BYOL licenses from Fortinet, you need to launch a new CloudFormation template. These templates can be found on GitHub.

In most cases, the defaults provided in the template should be sufficient. See AWS Documentation for the parameter types if you need to change from defaults.

You must make your BYOL licenses available to the autoscale script by uploading the license file(s) to a predetermined S3 bucket. The template wizard will prompt you for the name of the S3 bucket. This can be done in advance of deploying the template or after the template is deployed. If the licenses are made available after the stack is deployed, the autoscale script will "sleep" until the licenses are available in the S3 bucket assigned by the template wizard.

1. Uploading BYOL licenses

In the AWS Services Menu, select S3 to create an S3 bucket to store licenses.

 
Select Create Bucket to add an S3 bucket to store licenses. Set a unique Bucket name and select your Region.  
Select the link for the new S3 bucket, then upload the FortiGate licenses. You can use either the AWS GUI or CLI to upload the licenses. The license file must have a “.lic” suffix.

 

2. Uploading the template

In the AWS Management Console, go to CloudFormation Service and select Create New Stack.

Under Choose a template, enable Select a sample template, then browse to the template’s location on local storage.

 

3. Configuring Autoscaling

In Specify Details, set the Stack Name to a name that is unique within the region. Set ASQueue to an SQS Queue Name that is unique within the scope of your queues.

Set AZForFirewall1 and AZForFirewall2 to the Availability Zones within the region where you wish to place FortiGate 1 and FortiGate 2 respectively.

 
In VPC Configuration, select a CIDR block (if different from the defaults provided) that will hold the subnets specified for Public1, Private1, Public2, and Private2. Provide a unique subnet range for each of the public and private subnets.

In FortiGate Instance Configuration, select an Instance Type for initial FortiGates. Set CIDRForFortiGateAccess to define the Security Group for FortiGate Access and FortiGateKeyPair to allow SSH access to the FortiGate instances.

Provide the name of the S3LicenseBucket. If the S3 bucket does not currently exist, provide a valid S3 bucket name and create the bucket and upload the licenses after this template is deployed. The autoscale script will “sleep” waiting for the creation of the S3 bucket and the licenses to be uploaded.

 
In ELB Configuration, if you need to change the default values, refer to AWS Documentation.

In Worker Node Instance Configuration, set ASKeypair to allow SSH access to the FortiGate instances and CIDRForASAccess to define the Security Group for FortiGate Access.

In Options, you can add additional Tags, Permissions, or Advanced Notification Options as desired. For more information, refer to AWS Documentation.

Review your parameters and acknowledge the IAM resources notification. Select Create.

4. Results

Verify that the stack’s Status is shown as CREATE_IN_PROGRESS.  
You can also monitor Stack Creation Events.  

 

Note: The Availability Zone may not support the instance size of the FortiGate instance. If you get a warning that a specific instance size is not supported, choose a different size or choose a different zone.


FortiGate AutoScaling for Existing VPC with Mixed BYOL and On-Demand Deployment


In this recipe, you will deploy FortiGate Autoscaling into an existing VPC as an OnDemand deployment in Amazon Web Services (AWS).

If you do not already have the correct template, it can be found on GitHub.

1. Uploading the template

In the AWS Management Console, go to CloudFormation Service and select Create New Stack.

Under Choose a template, enable Select a sample template, then select the template for upload.


 

2. Configuring Autoscaling

In Specify Details, set the Stack Name to a name that is unique within the region. Set ASQueue to an SQS Queue Name that is unique within the scope of your queues.

Set AZForFirewall1 and AZForFirewall2 to the Availability Zones within the region where you wish to place FortiGate 1 and FortiGate 2 respectively.


 

In VPC Configuration, use the dropdown menu to set the VPC specific details, as well as the public and private subnets. These values are pulled from the existing VPCs.


 

In FortiGate Instance Configuration, select an Instance Type for initial FortiGates. Set CIDRForFortiGateAccess to define the Security Group for FortiGate Access and FortiGateKeyPair to allow SSH access to the FortiGate instances.

Provide the name of the S3LicenseBucket. If the S3 bucket does not currently exist, provide a valid S3 bucket name and create the bucket and upload the licenses after this template is deployed. The autoscale script will “sleep” waiting for the creation of the S3 bucket and the licenses to be uploaded.

In ELB Configuration, if you need to change the default values, refer to AWS Documentation.

In Worker Node Instance Configuration, set ASKeypair to allow SSH access to the FortiGate instances and CIDRForASAccess to define the Security Group for FortiGate Access.

In Options, you can add additional Tags, Permissions, or Advanced Notification Options as desired. For more information, refer to AWS Documentation.

Review your parameters and acknowledge the IAM resources notification. Select Create.
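The four AutoScaling recipes above (new and existing VPC, OnDemand and mixed BYOL) all take the same parameter set. As an added example, not part of the Cookbook or of Fortinet's templates, this Python script sanity-checks the values before you submit them and renders the equivalent aws cloudformation create-stack command. The parameter names are the ones the recipes use, except VPCCIDR, which is an assumed name for the CIDR block chosen under VPC Configuration; all sample values are constructed, and the subnet checks apply to the new-VPC recipes (the existing-VPC templates pick subnets from dropdowns).

```python
import ipaddress
import re

# Constructed sample values for the template parameters named in the recipes.
# "VPCCIDR" is an assumed name for the CIDR block chosen under VPC Configuration.
SAMPLE = {
    "StackName": "fgt-autoscale-prod",
    "ASQueue": "fgt-autoscale-queue",
    "AZForFirewall1": "us-west-2a",
    "AZForFirewall2": "us-west-2b",
    "VPCCIDR": "10.0.0.0/16",
    "Public1": "10.0.0.0/24",
    "Private1": "10.0.1.0/24",
    "Public2": "10.0.2.0/24",
    "Private2": "10.0.3.0/24",
    "CIDRForFortiGateAccess": "203.0.113.0/24",
    "CIDRForASAccess": "203.0.113.0/24",
    "FortiGateKeyPair": "fgt-admin-key",
    "ASKeypair": "as-worker-key",
    "S3LicenseBucket": "example-fgt-byol-licenses",  # BYOL recipes only
}

SQS_NAME = re.compile(r"^[A-Za-z0-9_-]{1,80}$")                 # standard SQS queue name rule
S3_BUCKET = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")    # basic S3 bucket name rule
SUBNETS = ("Public1", "Private1", "Public2", "Private2")
ACCESS = ("CIDRForFortiGateAccess", "CIDRForASAccess")


def validate(params):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if not SQS_NAME.match(params.get("ASQueue", "")):
        problems.append("ASQueue: use 1-80 letters, digits, '-' or '_'")
    az1, az2 = params["AZForFirewall1"], params["AZForFirewall2"]
    if az1 == az2:
        problems.append("AZForFirewall1/AZForFirewall2: pick two different zones")
    elif az1[:-1] != az2[:-1]:  # a zone name is the region name plus one letter
        problems.append("AZForFirewall1/AZForFirewall2: zones must belong to one region")
    try:
        vpc = ipaddress.ip_network(params["VPCCIDR"])
        nets = {k: ipaddress.ip_network(params[k]) for k in SUBNETS}
        access = {k: ipaddress.ip_network(params[k]) for k in ACCESS}
    except ValueError as exc:
        return problems + [f"CIDR: {exc}"]
    for i, a in enumerate(SUBNETS):
        if not nets[a].subnet_of(vpc):
            problems.append(f"{a}: {nets[a]} is not inside the VPC CIDR {vpc}")
        for b in SUBNETS[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a}/{b}: subnet ranges overlap")
    for key, net in access.items():
        # These CIDRs become Security Group sources for SSH/management access.
        if net.prefixlen == 0:
            problems.append(f"{key}: {net} opens management access to the whole Internet")
    if "S3LicenseBucket" in params and not S3_BUCKET.match(params["S3LicenseBucket"]):
        problems.append("S3LicenseBucket: not a valid S3 bucket name")
    return problems


def create_stack_command(params, template_path):
    """Render the console steps as an AWS CLI command. The template creates IAM
    resources, which is what the IAM acknowledgement (CAPABILITY_IAM) covers.
    Drop any key the real template does not declare (such as the assumed VPCCIDR)."""
    cli_params = " ".join(f"ParameterKey={k},ParameterValue={v}"
                          for k, v in params.items() if k != "StackName")
    return (f"aws cloudformation create-stack --stack-name {params['StackName']} "
            f"--template-body file://{template_path} --capabilities CAPABILITY_IAM "
            f"--parameters {cli_params}")


if __name__ == "__main__":
    issues = validate(SAMPLE)
    print("\n".join(issues) if issues else create_stack_command(SAMPLE, "fgt-autoscale.template"))
```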

3. Results

Verify that the stack’s Status is shown as CREATE_IN_PROGRESS.
You can also monitor Stack Creation Events.
 

 

Note: The Availability Zone may not support the instance size of the FortiGate instance. If you get a warning that a specific instance size is not supported, choose a different size or choose a different zone.


Episode 11: IoT – Is my toothbrush infected?


Take our FortiCast feedback survey to help us improve the show!

Michael Strickland and Axelle Apvrille discuss the Internet of Things and some of the threats IoT added to the security landscape.

IoT resources

Subscribe to FortiCast

      




Limiting bandwidth with traffic shaping


When a particular IP address uses too many resources, you can prevent the device with that IP from consuming your bandwidth indiscriminately. In this recipe, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address.

This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit of 200 Kbps for uploads and/or downloads.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

1. Enabling Traffic Shaping

Go to System > Feature Select and under Additional Features enable Traffic Shaping.

 

2. Creating a firewall address to limit

Go to Policy & Objects > Addresses to define the address you would like to limit. Select Create New and select Address from the drop-down menu.

Enter a name: limited_bandwidth. Set Type to IP/Netmask. Set the Subnet/IP Range to the internal IP address you wish to limit. Set Interface to Any.

 

3. Configuring a traffic shaper to limit bandwidth

Go to Policy & Objects > Traffic Shapers and select Create New to define a new shared Traffic Shaper profile.

Set Type to Shared.

Enter the name limited_bandwidth for your shaper and set the Traffic Priority to Medium.

Select Max Bandwidth and enter 200 Kbps. If you would like to set a Guaranteed Bandwidth make sure the rate is lower than the Max Bandwidth. Apply your changes.

 

By default, shared shapers apply shaping by evenly distributing the bandwidth to all policies using it. You can also enable Per Policy shaping to apply shaping individually to each policy. Right-click your new limited_bandwidth shaper, and select Edit in CLI from the drop down menu.

 

Enter the following CLI commands:

config firewall shaper traffic-shaper
    edit "limited_bandwidth"
        set per-policy enable
    next
end

Now that Per Policy shaping is enabled, edit your limited_bandwidth shaper and set Apply Shaper to Per Policy.

4. Verifying your Internet access security policy

Go to Policy & Objects > IPv4 Policy and look at your general Internet access policy. Take note of the Incoming Interface, Outgoing Interface, Source, and Destination.

If necessary, edit your policy and ensure that Logging Options is set to All Sessions for testing purposes.

 

 

5. Creating two Traffic Shaping Policies

Go to Policy & Objects > Traffic Shaping Policy and select Create New to create a shaping policy that will set regular traffic to high priority.

Under Matching Criteria, set Source, Destination, Service to match your Internet Access policy.

Under Apply Shaper, set the Outgoing Interface to match your Internet Access policy and enable Shared Shaper and Reverse Shaper. Shared Shapers affect upload speeds and reverse shapers affect download speeds. Set both shapers to high-priority.

 

 

Select Create New to create a second traffic shaping policy that will affect the IP address you wish to limit.

Under Matching Criteria, set Source to limited_bandwidth. Set Destination and Service to ALL. Apply the shaper to the same Outgoing Interface. Enable Shared Shaper and Reverse Shaper and set both shapers to limited_bandwidth.

 

Order your traffic shaping policies so that your more granular limited_bandwidth policy is above your general high-priority Internet access policy.

 

6. Results

When a computer with the IP you have specified, 192.168.1.2, browses the Internet from your internal network, its bandwidth will be restricted by the amount you set in your shaper.

Go to FortiView > Traffic Shaping to view the current bandwidth usage for any active shapers. Users on the local network will have high-priority traffic.

The IP address you have specified will receive limited-bandwidth treatment and may experience dropped bytes. Your limited-bandwidth shaper should not exceed 200 Kbps. Note that the results show the Bytes (Sent/Received) in Megabytes (MB) and the Bandwidth in kilobits per second (Kbps).

 

You can also view these results in a bubble graph by changing the graph type in the drop down menu. Sort by Bandwidth to verify that your regular traffic is using more bandwidth.

 
You can also double-click on either shaper to see more granular information. Select the Destinations tab to see which websites are using up the most bandwidth.
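The shared-versus-Per-Policy distinction in step 3 is easiest to see with numbers. Here is an added Python simulation (written for this page, not FortiOS code) that runs a constructed per-second demand profile through a 200 Kbps shaper in both modes and reports what each policy sent, what was dropped, and the peak rate; the even split of a shared shaper is modelled as max-min fair sharing, which is this example's simplification.

```python
# Constructed per-second demand, in kilobits: the limited host (192.168.1.2) and the
# rest of the LAN each try to push 800 Kbps through a policy that uses the shaper.
DEMANDS = {
    "limited_bandwidth_policy": [800] * 10,
    "second_policy_same_shaper": [800] * 10,
}
MAX_BANDWIDTH_KBPS = 200  # the shaper's Max Bandwidth from step 3


def fair_share(wants, capacity):
    """Max-min fair split of capacity across the demands (progressive filling):
    every policy gets an equal share, and whatever a light user leaves unused is
    handed to the others. This is a simplification of the shared shaper."""
    alloc = {name: 0.0 for name in wants}
    active = [name for name in wants if wants[name] > 0]
    remaining = float(capacity)
    while active and remaining > 1e-9:
        share = remaining / len(active)
        for name in list(active):
            give = min(share, wants[name] - alloc[name])
            alloc[name] += give
            remaining -= give
            if alloc[name] >= wants[name] - 1e-9:
                active.remove(name)
    return alloc


def shape(demands, rate_kbps, per_policy=False):
    """Run the demand profile through the shaper one second at a time.
    Shared (default): one rate_kbps budget is split across all policies each second.
    Per Policy: every policy gets its own rate_kbps budget (200 Kbps each here).
    Returns per-policy kilobits sent and dropped plus the peak rate actually seen."""
    names = list(demands)
    ticks = max(len(d) for d in demands.values())
    stats = {n: {"sent_kbit": 0.0, "dropped_kbit": 0.0, "peak_kbps": 0.0} for n in names}
    for t in range(ticks):
        wants = {n: (demands[n][t] if t < len(demands[n]) else 0) for n in names}
        if per_policy:
            alloc = {n: min(wants[n], rate_kbps) for n in names}
        else:
            alloc = fair_share(wants, rate_kbps)
        for n in names:
            stats[n]["sent_kbit"] += alloc[n]
            stats[n]["dropped_kbit"] += wants[n] - alloc[n]
            stats[n]["peak_kbps"] = max(stats[n]["peak_kbps"], alloc[n])
    return stats


def kbit_to_megabytes(kbit):
    """FortiView shows Bytes in MB but Bandwidth in Kbps; convert for comparison."""
    return kbit * 1000 / 8 / 1_000_000


if __name__ == "__main__":
    for mode, per_policy in (("shared", False), ("per-policy", True)):
        print(mode)
        for name, s in shape(DEMANDS, MAX_BANDWIDTH_KBPS, per_policy).items():
            print(f"  {name}: sent {kbit_to_megabytes(s['sent_kbit']):.3f} MB, "
                  f"dropped {kbit_to_megabytes(s['dropped_kbit']):.3f} MB, "
                  f"peak {s['peak_kbps']:.0f} Kbps")
```

With two equally hungry policies, the shared shaper caps each at 100 Kbps, while Per Policy gives each its own 200 Kbps, which is the behaviour the note on this recipe describes.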
Note: Two new traffic shaping menus, Traffic Shapers and Traffic Shaping Policy, will appear under Policy & Objects.
Note: In this example, 192.168.1.2/32.
Note: Shared shapers affect upload speeds, Reverse shapers affect download speeds, and Per IP shapers affect both upload and download speeds simultaneously.
Note: Setting a Traffic Priority will only have an impact if you have enabled Traffic Shaping in ALL your other Internet access policies using the same two interfaces. There must also be some variation; for example, you will not see any differences while all policies are set to the default setting (High).
Note: Now, each security policy using this shaper will have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 200 Kbps each.
Note: Click on the far left column of the policy and move it up or down to change the sequence order.


IPsec VPN with FortiClient


In this example, you will allow remote users to access the corporate network using an IPsec VPN that they connect to using FortiClient for Mac OS X, Windows, or Android. The remote users' Internet traffic will also be routed through the FortiGate (split tunneling will not be enabled).

In this example, FortiClient 5.4.2.523 for Mac OS X is used.

1. Creating a user group for remote users

Go to User & Device > User Definition. Create a local user account for an IPsec VPN user.


 
 
 
 
Go to User & Device > User Groups. Create a user group for IPsec VPN users and add the new user account.

2. Adding a firewall address for the local network

Go to Policy & Objects > Addresses and create an address for the local network.

Set Type to IP/Netmask, Subnet/IP Range to the local subnet, and Interface to an internal port.


 

3. Configuring the IPsec VPN using the IPsec VPN Wizard

Go to VPN > IPsec Wizard and create a new tunnel using a pre-existing template.

Name the VPN connection. Set Template to Remote Access, and set Remote Device Type to FortiClient VPN for OS X, Windows, and Android.


 

Set the Incoming Interface to the internet-facing interface and Authentication Method to Pre-shared Key.

Enter a pre-shared key and select the new user group, then click Next.

Set Local Interface to an internal interface (in the example, lan) and set Local Address to the local LAN address.

Enter a Client Address Range for VPN users.

Make sure Enable IPv4 Split Tunnel is not selected, so that all Internet traffic will go through the FortiGate.


 

Select Client Options as desired.


 

After you create the tunnel, a summary page appears listing the objects which have been added to the FortiGate’s configuration by the wizard.


 

4. Creating a security policy for access to the Internet

The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the internal network. However, since split tunneling is disabled, another policy must be created to allow users to access the Internet through the FortiGate.

Go to Policy & Objects > IPv4 Policies and create a new policy. Set a policy name that will identify what this policy is used for (in the example, IPsec-VPN-Internet)

Set Incoming Interface to the tunnel interface and Outgoing Interface to wan1. Set Source to the IPsec client address range, Destination Address to all, Service to ALL, and enable NAT.

Configure any remaining firewall and security options as desired.

 

5. Configuring FortiClient

Open FortiClient, go to Remote Access and Add a new connection.


 

Set the Type to IPsec VPN and Remote Gateway to the FortiGate IP address.

Set Authentication Method to Pre-Shared Key and enter the pre-shared key configured on the FortiGate.

6. Results

On FortiClient, select the VPN, enter the username and password, and select Connect.

Once the connection is established, the FortiGate assigns the user an IP address and FortiClient displays the status of the connection, including the IP address, connection duration, and bytes sent and received.


 

On the FortiGate, go to Monitor > IPsec Monitor and verify that the tunnel Status is Up.

Under Remote Gateway, the monitor shows the FortiClient user’s assigned gateway IP address.


 

Browse the Internet, then go to FortiView > All Segments > Policies and select the now view. You can see traffic flowing through the IPsec-VPN-Internet policy.

Right-click on the policy, then select Drill Down to Details. You can see more information about the traffic.

Under Source, you can also see the IP address assigned to the FortiClient user (10.10.100.1).
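As an added example for steps 3 and 4 (written for this page, not FortiOS or the IPsec wizard's code), this Python helper applies the constraints the notes on this recipe give (tunnel name without spaces and at most 13 characters, a pre-shared key that differs from the users' passwords, the <tunnel>_range object name) plus a check that the client range does not overlap the local subnet, and lists the two policies the recipe ends with. The minimum key length is this example's own assumption; the user, password and key values are constructed, while IPsec-FCT, lan, wan1 and the 10.10.100.x range are the page's.

```python
import ipaddress

MAX_TUNNEL_NAME = 13  # page note: no spaces, at most 13 characters


def check_tunnel_name(name):
    problems = []
    if " " in name:
        problems.append("tunnel name: spaces are not allowed")
    if len(name) > MAX_TUNNEL_NAME:
        problems.append(f"tunnel name: longer than {MAX_TUNNEL_NAME} characters")
    return problems


def range_object_name(tunnel):
    """The wizard names the client-range address object <tunnel>_range."""
    return f"{tunnel}_range"


def parse_range(text):
    """'10.10.100.1-10.10.100.50' -> the list of networks covering that range."""
    first, last = (ipaddress.ip_address(a.strip()) for a in text.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def check_addressing(client_range, local_subnet):
    """The client range must not collide with the LAN the users will be routed into."""
    local = ipaddress.ip_network(local_subnet, strict=False)
    if any(net.overlaps(local) for net in parse_range(client_range)):
        return [f"client range {client_range} overlaps the local subnet {local}"]
    return []


def check_psk(psk, user_passwords, min_length=20):
    """min_length is this example's own assumption, not a FortiOS requirement."""
    problems = []
    if psk in user_passwords:
        problems.append("pre-shared key must differ from every VPN user's password")
    if len(psk) < min_length:
        problems.append(f"pre-shared key shorter than {min_length} characters")
    return problems


def plan(tunnel, psk, users, client_range, local_subnet, local_if="lan", wan_if="wan1"):
    """Collect the checks and describe the two policies the recipe ends up with:
    the LAN policy the wizard creates and the Internet policy added by hand in step 4
    (needed because split tunneling is disabled)."""
    problems = (check_tunnel_name(tunnel) + check_psk(psk, users.values())
                + check_addressing(client_range, local_subnet))
    client_obj = range_object_name(tunnel)
    policies = [
        {"created_by": "IPsec wizard", "src_if": tunnel, "dst_if": local_if,
         "src": client_obj, "dst": local_subnet},
        {"created_by": "manual (step 4)", "name": "IPsec-VPN-Internet", "src_if": tunnel,
         "dst_if": wan_if, "src": client_obj, "dst": "all", "service": "ALL", "nat": True},
    ]
    return {"problems": problems, "client_range_object": client_obj, "policies": policies}


if __name__ == "__main__":
    # Constructed users and key; the tunnel, interfaces and ranges follow the recipe.
    result = plan("IPsec-FCT", "constructed-long-psk-value-42", {"vpnuser": "constructed-user-pw"},
                  "10.10.100.1-10.10.100.50", "192.168.1.0/24")
    print(result["problems"] or "no problems")
    for policy in result["policies"]:
        print(policy)
```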

 

Note: The tunnel name may not have any spaces in it and should not exceed 13 characters.
Note: The pre-shared key is a credential for the VPN and should differ from the user's password.
Note: The IP range you enter here prompts FortiOS to create a new firewall object for the VPN tunnel using the name of your tunnel followed by the _range suffix (in the example, IPsec-FCT_range).
Note: If you do select Enable Split Tunneling, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles.


Packet capture


In this example you will look inside the headers of the HTTP and HTTPS packets on your network.

Packet capture is also called network tapping, packet sniffing, or logic analyzing.

To use packet capture, your FortiGate must have disk logging enabled.

Find this recipe for other FortiOS versions
5.2 | 5.6

1. Creating packet capture filters

Go to Network > Packet Capture and create a new filter.
 
If the Packet Capture option does not appear in the main GUI, you can also use the URL https://[management-IP]/ng/page/p/firewall/sniffer/ to access this menu, substituting the correct IP address.
The simplest filter just captures all of the packets received by an interface. This filter captures 10 packets received by the lan interface.
 
You can select Enable Filters to be more specific about the packets to capture.
 
This filter captures 100 HTTP and HTTPS packets (port 80 and 443) received by the lan interface that have a source or destination address in the range 192.168.100.100-192.168.100.200.
 

This filter captures the first 4000 Stream Control Transmission Protocol (SCTP) packets received by the wan1 interface.

This filter captures the first 1000 DNS packets (port 53) querying the Google DNS server (IP address 8.8.8.8) with VLAN IDs 37 or 39.
 

2. Results

Running packet capture filters may affect FortiGate performance.

Go to Network > Packet Capture, choose a filter, and select the Play icon. You can watch the filter capture packets. When the number of packets specified in the filter has been captured, the filter stops.

You can stop and restart multiple filters at any time.

After a filter runs, select and edit it. The option to download the captured packets is available.

You can open the file with a .pcap file viewer like Wireshark.

For further reading, check out Packet Capture in the FortiOS 5.6 Handbook.
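The four filters in step 1 each look at a different header field (address range, port, VLAN ID, IP protocol number). As an added example, not FortiOS code, this Python parses constructed Ethernet/802.1Q/IPv4 frames and applies those four filters with the same semantics the GUI fields have: a host or port matches as either source or destination, VLAN and protocol match exactly, and the capture stops at the packet limit. The interface for the DNS filter (lan) and all traffic samples are assumptions.

```python
import ipaddress
import struct

TCP, UDP, SCTP = 6, 17, 132  # IP protocol numbers (SCTP = 132, as the note says)


def build_frame(src, dst, proto, sport=0, dport=0, vlan=None):
    """Constructed Ethernet/IPv4 frame with a minimal L4 header, for test input only."""
    eth = bytes(12)  # source/destination MACs do not matter to these filters
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan & 0x0FFF)  # 802.1Q tag
    eth += struct.pack("!H", 0x0800)  # IPv4
    l4 = struct.pack("!HH", sport, dport) if proto in (TCP, UDP, SCTP) else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + l4


def parse_frame(frame):
    """Read the headers the filter fields refer to: VLAN ID, IP protocol, addresses
    and ports (TCP, UDP and SCTP headers all begin with source and destination port)."""
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlan = None
    if ethertype == 0x8100:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlan, off = tci & 0x0FFF, off + 4
    if ethertype != 0x0800:
        return None  # not IPv4; out of scope for this example
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src = ipaddress.ip_address(frame[off + 12:off + 16])
    dst = ipaddress.ip_address(frame[off + 16:off + 20])
    sport = dport = None
    if proto in (TCP, UDP, SCTP):
        sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    return {"vlan": vlan, "proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def _host_match(ip, spec):
    if "-" in spec:  # "a.b.c.d-a.b.c.e" range as typed into the Host field
        lo, hi = (ipaddress.ip_address(a) for a in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


def matches(pkt, hosts=(), ports=(), vlans=(), protocol=None):
    """Empty fields match anything; host and port match as source or destination."""
    if hosts and not any(_host_match(pkt["src"], h) or _host_match(pkt["dst"], h) for h in hosts):
        return False
    if ports and pkt["sport"] not in ports and pkt["dport"] not in ports:
        return False
    if vlans and pkt["vlan"] not in vlans:
        return False
    if protocol is not None and pkt["proto"] != protocol:
        return False
    return True


# The page's filters, expressed as keyword arguments for matches().
FILTERS = {
    "lan_http_https": dict(iface="lan", limit=100,
                           hosts=("192.168.100.100-192.168.100.200",), ports=(80, 443)),
    "wan1_sctp": dict(iface="wan1", limit=4000, protocol=SCTP),
    "dns_google_vlans": dict(iface="lan", limit=1000,  # interface assumed
                             hosts=("8.8.8.8",), ports=(53,), vlans=(37, 39)),
}


def capture(frames, name):
    """Apply a named filter to (interface, frame) pairs and stop at the packet limit."""
    spec = dict(FILTERS[name])
    iface, limit = spec.pop("iface"), spec.pop("limit")
    matched = []
    for rx_iface, frame in frames:
        pkt = parse_frame(frame)
        if rx_iface == iface and pkt and matches(pkt, **spec):
            matched.append(pkt)
            if len(matched) >= limit:
                break
    return matched


# Constructed traffic sample: one hit and one near miss per filter.
SAMPLE_FRAMES = [
    ("lan", build_frame("192.168.100.150", "198.51.100.10", TCP, sport=51000, dport=443)),
    ("lan", build_frame("192.168.100.50", "198.51.100.10", TCP, sport=51001, dport=80)),   # host out of range
    ("lan", build_frame("192.168.100.120", "8.8.8.8", UDP, sport=40000, dport=53, vlan=37)),
    ("lan", build_frame("192.168.100.120", "8.8.8.8", UDP, sport=40001, dport=53, vlan=40)),  # wrong VLAN
    ("wan1", build_frame("203.0.113.5", "198.51.100.20", SCTP, sport=3868, dport=3868)),
    ("wan1", build_frame("203.0.113.5", "198.51.100.20", TCP, sport=3869, dport=22)),
]

if __name__ == "__main__":
    for name in FILTERS:
        print(name, [f"{p['src']}->{p['dst']}:{p['dport']}" for p in capture(SAMPLE_FRAMES, name)])
```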

 

Note: This URL will show the Packet Capture menu on all FortiGates, even those that do not have disk logging enabled (and cannot use the feature).
Note: Protocols are identified using IP protocol numbers; for example, SCTP is protocol 132.


High Availability with two FortiGates


In this recipe, a backup FortiGate unit will be installed and connected to a previously installed primary FortiGate to provide redundancy if the primary FortiGate fails.

Before you begin, the FortiGates should be running the same FortiOS firmware version and interfaces should not be configured to get their addresses from DHCP or PPPoE.

This recipe is part of the Security Fabric collection. It can also be used as a standalone recipe.

This setup, called FortiGate High Availability (HA), improves network reliability. The previously installed FortiGate will continue to operate as the primary unit and the new FortiGate will operate as the backup FortiGate.


1. Setting up registration and licensing

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before adding it to the cluster. This includes activation of FortiCloud and licenses for FortiGuard, FortiSandbox, and FortiClient, as well as entering a license key if you purchased more than 10 Virtual Domains (VDOMs). All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient and VDOMs. FortiToken licenses can be added at any time because they are synchronized to all cluster members.

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.

2. Configuring the Primary FortiGate for HA

Connect to the primary FortiGate GUI and go to System > Settings and change the Host Name to identify this as the primary FortiGate in the HA cluster.

Go to System > HA and set the Mode to Active-Passive. Set the Device Priority to a higher value than the default to make sure this FortiGate will always be the primary FortiGate. Also set a Group Name and Password.

Make sure that two Heartbeat Interfaces (port3 and port4 in this case) are selected and their priorities are both set to 50.

Since the backup FortiGate is not available, when you save the HA configuration, the primary FortiGate will form a cluster of one FortiGate but will keep operating normally.

If there are other FortiOS clusters on your network you may need to change the cluster group id using this CLI command:

config system ha
    set group-id 25
end

3. Connecting the backup FortiGate

Connect the backup FortiGate to the primary FortiGate and the network as shown in the network diagram at the top of the recipe. Making these network connections will disrupt traffic so you should do this when the network is quiet.

If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.

Switches must be used between the cluster and the Internet and between the cluster and the internal networks as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections as long as you configure the switch to separate traffic from the different networks.

4. Configuring the backup FortiGate for HA

Connect to the backup FortiGate GUI and go to System > Settings and change the Host Name to identify this as the backup FortiGate.

Go to System > HA and duplicate the HA configuration of the primary FortiGate (except for the Device Priority): set the Mode to Active-Passive, set the Device Priority to a lower value than the default to make sure this FortiGate will always be the backup FortiGate. Also set the same Group Name and Password as the primary FortiGate.

Make sure that the same two Heartbeat Interfaces (port3 and port4) are enabled and their priorities are both set to 50.

Change the cluster group id if you changed it for the primary unit using this CLI command:

config system ha
    set group-id 25
end

When you save the backup FortiGate’s HA configuration, if the heartbeat interfaces are connected, the FortiGates will find each other and form a cluster. Network traffic may be disrupted for a few seconds while the cluster is negotiating.
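As an added example that is not part of the recipe, the check below parses the config system ha and config system interface sections of two units (constructed sample text in FortiOS CLI syntax; the key names and the default device priority of 128 are those used by the CLI) and reports anything that would stop them from forming the intended Active-Passive cluster: settings the backup must duplicate from the primary, priorities that do not pin the roles, and interfaces still addressed by DHCP or PPPoE.

```python
import re

MUST_MATCH = ("mode", "group-id", "group-name", "hbdev")  # password is shown encrypted
DEFAULT_PRIORITY = 128                                    # FortiOS default device priority

def config_block(config_text, name):
    """Return the body of a top-level 'config <name>' ... 'end' block (or '')."""
    m = re.search(rf"^config {re.escape(name)}\n(.*?)^end", config_text, re.S | re.M)
    return m.group(1) if m else ""

def parse_ha_settings(config_text):
    """Map each 'set <key> <value>' line of 'config system ha' to its value."""
    settings = {}
    for line in config_block(config_text, "system ha").splitlines():
        m = re.match(r"\s*set (\S+) (.*)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def dynamic_interfaces(config_text):
    """Interfaces addressed by DHCP or PPPoE, which stop HA mode from starting."""
    found, current = [], None
    for line in config_block(config_text, "system interface").splitlines():
        e = re.match(r'\s*edit "?([^"\s]+)"?', line)
        if e:
            current = e.group(1)
        elif re.match(r"\s*set mode (dhcp|pppoe)\b", line):
            found.append(current)
    return found

def check_cluster_pair(primary_text, backup_text):
    """List reasons the two units would not form the intended A-P cluster."""
    p, b = parse_ha_settings(primary_text), parse_ha_settings(backup_text)
    problems = [f"{k} differs: primary={p.get(k)!r} backup={b.get(k)!r}"
                for k in MUST_MATCH if p.get(k) != b.get(k)]
    if p.get("mode") != "a-p":
        problems.append("mode is not Active-Passive (a-p)")
    prio_p = int(p.get("priority", DEFAULT_PRIORITY))
    prio_b = int(b.get("priority", DEFAULT_PRIORITY))
    if not prio_p > DEFAULT_PRIORITY > prio_b:   # primary above default, backup below
        problems.append(f"priorities {prio_p}/{prio_b} do not pin the primary role")
    for label, text in (("primary", primary_text), ("backup", backup_text)):
        for ifname in dynamic_interfaces(text):
            problems.append(f"{label}: {ifname} uses DHCP/PPPoE addressing")
    return problems

# Constructed sample config text in FortiOS CLI syntax (not from a real device)
PRIMARY = """\
config system interface
    edit "port1"
        set mode static
        set ip 192.168.1.99 255.255.255.0
    next
end
config system ha
    set group-id 25
    set group-name "Example-HA"
    set mode a-p
    set hbdev "port3" 50 "port4" 50
    set priority 200
end
"""
BACKUP = PRIMARY.replace("set priority 200", "set priority 100")
BACKUP_BAD_GROUP = BACKUP.replace("set group-id 25", "set group-id 0")
BACKUP_DHCP = BACKUP.replace("set mode static", "set mode dhcp")
```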

5. Viewing the cluster status

Connect to the primary FortiGate GUI. The HA Status widget displays the cluster mode, group name, and includes the host name of the primary unit (master). Hover over the primary unit host name to verify that the cluster is synchronized and operating normally.  
Click on the HA Status widget and select Configure settings in System > HA (or go to System > HA) to view the cluster status.
If the cluster is part of a Security Fabric, the FortiView Physical and Logical Topology views show information about the cluster status.

6. Results

Traffic is now passing through the primary FortiGate. However, if the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate will process traffic.

Failover also causes the primary and backup FortiGate to reverse roles, and the roles stay reversed even when both FortiGates are available again.

To test this, ping the IP address 8.8.8.8 using a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results, until traffic diverts to the backup FortiGate, allowing the ping traffic to continue.  

7. (Optional) Upgrading the firmware for the HA cluster

When a new version of the FortiOS firmware becomes available, upgrading the firmware on the primary FortiGate automatically upgrades the backup FortiGate’s firmware. Both FortiGates are updated with minimal traffic disruption.

Always review the Release Notes and Supported Upgrade Paths before installing new firmware.

From the admin menu, select Configuration > Backup. Always remember to back up your configuration before upgrading the firmware.

Click the System Information widget and select the option to update firmware. Update the firmware from FortiGuard or by uploading a firmware image file. The firmware loads onto both the primary and the backup FortiGates with minimal traffic interruption.

After the upgrade is complete, verify that the System Information widget shows the new firmware version.

For further reading, check out FGCP configuration examples and troubleshooting in the FortiOS 5.6 Handbook.

If you have not already installed a FortiGate, see Installing a FortiGate in NAT/Route mode.
Also, you cannot use a switch port as an HA heartbeat interface; if necessary, convert the switch port to individual interfaces (see Choosing your FortiGate’s switch mode).
If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.
If these steps don’t start HA mode, make sure that none of the FortiGate’s interfaces use DHCP or PPPoE addressing.
This example uses two FortiGate-600Ds and the default heartbeat interfaces are used (port3 and port4). You can use any interfaces for HA heartbeat interfaces. A best practice is to use interfaces that do not process traffic, but this is not a requirement.
If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.
For information about accessing firmware images, see Verifying and updating the FortiGate unit’s firmware.


FortiManager in the Security Fabric


In this recipe, you will add a FortiManager to a network that is already configured as a Security Fabric. This will simplify network administration because you can manage all of the FortiGates in the fabric from the FortiManager.

This recipe is part of the Security Fabric collection. It can also be used as a standalone recipe.

In this example, the FortiManager is added to an existing Security Fabric, with an HA Cluster called External configured as the root FortiGate. In this Fabric, the subnet 192.168.55.0 is used for external devices such as FortiAnalyzer. The FortiManager will be added to this subnet.

OSPF routing and a security policy have already been configured to allow devices in the fabric to access the 192.168.55.0 subnet. For more information about this configuration, see Security Fabric installation.


1. Connecting External and the FortiManager

In this example, External’s port 16 will connect to port 2 on the FortiManager.

On External, go to Network > Interfaces and edit port 16.

Configure Administrative Access to allow FMG-Access.

 

On the FortiManager, go to System Settings > Network, select All Interfaces, and edit port2.

Set IP Address/Netmask to an internal IP (in the example, 192.168.55.30/255.255.255.0).

 
Connect External and the FortiManager.
On the FortiManager, go to System Settings > Network and edit port 2. Add a Default Gateway, using the IP address of External’s port 16.

2. Configuring central management on External

On External, go to System > Settings. Under Central Management, select FortiManager and enter the IP/Domain Name.

 

A message appears, stating that the FortiGate’s message was received by the FortiManager and is now awaiting confirmation.

 

On the FortiManager, go to Device Manager > Unregistered Devices. Select External, then select + Add.

Add the device to the root ADOM.  

External is now on the Managed FortiGates list.

Connect to External. A warning message appears, stating that the FortiGate is now managed by a FortiManager.

Select Login Read-Only.

Go to System > Settings. The Central Management Status is now Registered on FortiManager.

3. Configuring central management on the ISFW FortiGates

For each FortiGate in the Security Fabric, make sure that the interface connected to External allows FMG-Access.

Once this is confirmed, you can repeat the process shown in Step 2 for all FortiGates in the Fabric.

4. Results

All FortiGates in the Security Fabric are shown in the FortiManager’s Managed FortiGates list.

 

 


Certificate errors for blocked websites


Avoiding certificate errors when SSL inspection is applied to traffic is an in-demand topic. There are a number of methods that you can use to prevent these warnings: installing self-signed certificates on client devices, using a certificate signed by a trusted CA, or using the certificate-inspection profile for SSL inspection. However, for all of these methods, certificate errors can still occur when you’ve blocked access to a page using web filtering and the FortiGate attempts to display a replacement message for that site using HTTPS.

This error occurs because, by default, the FortiGate does not use the same certificate for SSL inspection and the encryption of the replacement messages. To avoid these errors, you should first determine which certificate your FortiGate uses for replacement messages using the CLI. The command differs depending on which version of FortiOS you are using:

FortiOS 5.2 and earlier:

config webfilter fortiguard
# get 
cache-mode : ttl 
cache-prefix-match : enable 
cache-mem-percent : 2 
ovrd-auth-port-http : 8008 
ovrd-auth-port-https: 8010 
ovrd-auth-port-warning: 8020 
ovrd-auth-https : enable 
warn-auth-https : enable 
close-ports : disable 
request-packet-size-limit: 0 
ovrd-auth-hostname : 
ovrd-auth-cert : Fortinet_Firmware

The certificate Fortinet_Firmware is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.

FortiOS 5.4 and later:

config user setting 
# get
auth-type : http https ftp telnet 
auth-cert : Fortinet_Factory 
auth-ca-cert : 
auth-secure-http : disable 
auth-http-basic : disable 
auth-timeout : 5 
auth-timeout-type : idle-timeout 
auth-portal-timeout : 3 
radius-ses-timeout-act: hard-timeout 
auth-blackout-time : 0 
auth-invalid-max : 5 
auth-lockout-threshold: 3 
auth-lockout-duration: 0 
auth-ports:

The certificate Fortinet_Factory is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.

For more information about SSL inspection and certificate errors, see the following resources:

Wide Dynamic Range (WDR) in IP Surveillance Cameras


“Dynamic range” means the difference between the largest and the smallest usable signal level. This term is commonly used in audio, electronics, photography and various other fields. In video, like with the human eye, it refers to the limited light range that can be seen in one scene. A lit room will appear dark after spending time in the summer sun; similarly, the outside can be blinding white after spending time in a dark room. Wide Dynamic Range (WDR) provides a broader spectrum of coverage for visibility in both a dark room and outdoor daylight at the same time. By applying this concept to a camera, Wide Dynamic Range means that it can sense and capture both dim and bright light scene details in a single image. This white paper discusses how cameras achieve wide dynamic range image capture, where to use cameras with WDR technology, and how WDR cameras are configured in FortiRecorder. It also provides sample snapshots of WDR pictures from FortiCamera models.


Understanding IP Surveillance Camera Bandwidth


This white paper introduces the video bandwidth generated by IP surveillance cameras. It guides the IP surveillance beginner through how bandwidth affects the surveillance network, using the following key factors:

– Video compression
– Image quality level
– Complexity of the scene
– Video resolution
– Frame rate per second
– Number of cameras and viewing clients

The paper also references the bandwidth-related setup in FortiRecorder and FortiCamera to familiarize the reader with real-world configuration.


Traffic shaping for VoIP


The quality of VoIP phone calls through a firewall often suffers when the firewall is busy and the amount of bandwidth available for the VoIP traffic fluctuates. This can be irritating, leading to unpredictable results and caller frustration. This recipe describes how to add traffic shaping to guarantee that enough bandwidth is available for VoIP traffic, regardless of any other activity on the network.

To achieve high-quality real-time voice transmissions, VoIP traffic requires priority over other types of traffic, minimal packet loss, and jitter buffers. You will limit bandwidth-consuming services, like FTP, while providing a consistent bandwidth for day-to-day email and web-based traffic. First, you will customize three existing traffic shaper profiles—high priority, medium priority, and low priority—and then create a separate traffic shaping policy for each service type.


1. Enabling Traffic Shaping and VoIP features

Go to System > Config > Features and enable both Traffic Shaping and VoIP. Apply your changes.

 

2. Configuring a high priority VoIP traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default high-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy.

Set Traffic Priority to High. Select Max Bandwidth and enter 1000 Kbps. Select Guaranteed Bandwidth and enter 800 Kbps.

 

3. Configuring a low priority FTP traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default low-priority traffic shaper.

Set Type to Shared. Set Apply shaper to All policies using this shaper.

Set Traffic Priority to Low. Set Max Bandwidth and Guaranteed Bandwidth to 200 Kbps.

 
 

4. Configuring a medium priority daily traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default medium-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy. Select Max Bandwidth and enter 600 Kbps. Set Traffic Priority to Medium. Select Guaranteed Bandwidth and enter 600 Kbps.  

 
 

5. Adding a VoIP security profile to your Internet access policy

Go to Policy & Objects > IPv4 Policy and edit your Internet access policy.

Under Security Profiles enable VoIP and change the logging options to All Sessions to test the results later.

Note your Source, Destination and Outgoing Interface for Step 6.

This shows the VoIP Security Profile enabled in the Internet access policy.

 

6. Creating three traffic shaping policies

Go to Policy & Objects > Traffic Shaping Policy and create a new high-priority traffic shaping policy for SIP traffic.

Set the Matching Criteria to the same settings as the Internet access policy you would like to apply traffic shaping to. Enable Shared Shaper and Reverse Shaper and select high-priority.

 

This shows the SIP shaping policy.

Follow the same process to create a new low-priority traffic shaping policy for FTP traffic. Set Service to FTP and Shared Shaper and Reverse Shaper to low-priority.

This shows the FTP shaping policy.

Now create a medium-priority traffic shaping policy for daily traffic. Set Service to ALL and Shared Shaper and Reverse Shaper to medium-priority.

This image shows the medium-priority traffic shaping policy.

Arrange your policies in the following order:

    1. High-priority (SIP/VoIP traffic)
    2. Low-priority (FTP traffic)
    3. Medium-priority (Day-to-day traffic)

This image shows the policy list page.

 

7. Results

Browse the Internet using a PC on your internal network to generate daily web traffic. Then, generate FTP traffic.

The FTP download or upload should occur slowly.

This shows the FTP file download.

 

Finally, generate SIP traffic.

Go to FortiView > Traffic Shaping and look at the three active traffic shapers. If the standard traffic volume is high enough, it will top out at the maximum bandwidth defined by each shaper. The high-priority VoIP (SIP) policy should show no dropped bytes, but either of the other two policies may show dropped bytes if the set bandwidth is maxed out.

You will have normal voice quality on your VoIP call, even with daily traffic and FTP downloads running.

This shows how the high-priority policy has no dropped bytes. 

 

Select the graph icon to switch to the bubble graph view, and sort by Bandwidth. Mouse over a shaper to view more details, or double-click to drill down.

 

This shows the bandwidth flowing through all three policies.

For further reading, check out Traffic Shaping in the FortiOS 5.6 Handbook.

Before you apply QoS measures, ensure you have enough network bandwidth to support real-time voice traffic.
Traffic shaping rules and VoIP profiles can now be applied to firewall policies. 
Select Per Policy when you want each security policy for day-to-day business traffic to have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 800 Kbps each.
Select All policies using this shaper to ensure that all policies using your shaper will be restricted to share a set amount of bandwidth. In this example, 200 Kbps total.
If you are creating a new traffic shaper, the Traffic Priority is set to High by default. A failure to set different shaper priorities will result in a lack of prioritized traffic.
Setting a low maximum bandwidth will prevent sudden spikes in traffic caused by large FTP file uploads and downloads. 
This shaper should be set to a moderate value and set to per policy so that day-to-day traffic has the same distribution of bandwidth. 
Make sure that you include a Reverse Shaper so that return traffic for a VoIP call has the same guaranteed bandwidth as an outgoing call.
Click on the far left of the column you want to move and drag it up or down to arrange it.
More specific restrictive policies, like the SIP and FTP policies, should always be placed at the top of the list, above the unrestricted general access policy that allows “all”.
In this example, a pdf file was downloaded from an FTP server.
In this example, SIP traffic was generated by placing a call with a VoIP FortiFone connected to the internal interface of the FortiGate.
In the screenshot, the SIP traffic is only using a small part of the allocated bandwidth.
