Channel: Fortinet Cookbook

Installing the Device into the Rack

  1. Ensure that the inner rails are properly connected to the device, and that the outer rails are securely attached to the rack.
  2. Pull the middle rail out from the front of the outer rail until it locks.
  3. Align the inner rails with the middle rails and slide the device onto the rails until the locking tab on the inner rails clicks into the front of the middle rails. Ensure that even pressure is applied to both sides of the device while doing this.
  4. Push down the locking tabs on both sides at the same time, then push the device all the way into the rack.
  5. If your device came with front handles, you can use screws to secure the device to the rack for security purposes. See Front Handles for more information.

Next, see Engaging and Releasing the Slam Latch.

The post Installing the Device into the Rack appeared first on Fortinet Cookbook.

Removing the Device from the Rack

  1. Find the lock levers on the front ends of the inner rails.
  2. Pull each lever up into the release position to unlock the device.
  3. Grab the sides of the device and pull it forward and up to unseat it from the J-slots, then lift the device up and away from the rack and place it on a clean, level surface.

Front Handles

Some devices include front handles that aid in pulling the device in and out. They can also be screwed into the rack to help secure the device to the rack.

Attach the front handles to the device

  1. After attaching the requisite rails to the device, but before installing the device into the rack, attach the provided rack-mount brackets to the sides of the unit using the provided screws.
  2. Continue with installing the device into the rack.
  3. To secure the device in the rack after it has been installed, insert rack-mounting screws through the holes in the front handles into the rack.

Installing RapidRails into 4 Post Rack

Mounting rail installation varies depending on whether you have a 4-post or 2-post rack. For a 2-post rack, the installation also varies depending on whether you are center-mounting or flush-mounting the rails.

Installing RapidRails into a 4 Post Rack

  1. Position one of the mounting rails so that its mounting-bracket flange fits in the location where you will be installing the device.
    The top of the mounting hook on the front of the flange should enter the top hole of the unit where you are installing your device.
  2. Push the mounting rail forward until the mounting hook enters the square hole, then push down on the mounting-bracket flange until the mounting hook seats and the push button extends through the lower hole.
  3. At the back of the cabinet, pull back on the mounting-bracket flange until the mounting hook enters the upper square hole, then push down on the flange until the mounting hook seats and the push button extends through the lower hole.
  4. Repeat the process for the remaining rail.
    Confirm that both rails are mounted at the same vertical position on both sides of the rack.

If you need to install VersaRails into a 4 Post Rack, see Installing VersaRails into a 4 Post Rack.

Installing the Cable Management Tray and Arm

Installing the Cable Management Arm Tray

The Cable Management Arm (CMA) is intended to be installed on sliding rail kits only.

The CMA can be installed on either the right or left mounting rail, depending on how the cables must be routed from the device.

  1. Fit the ends of the tray between the ends of the mounting rails at the back of the device, then slide the tray towards the device until it latches.
  2. In preparation for installing the CMA, press the catch at the center of the retention latch, and rotate the latch downwards.

Installing the Cable Management Arm

  1. Ensure that the retention latch is down.
  2. Fit the latch on the front end of the CMA onto the innermost bracket of the rail assembly at the back of the device until the latch engages.
  3. Fit the latch on the unattached end of the CMA onto the outermost bracket of the rail assembly until the latch engages.

Next, see Routing Cables through the Cable Management Arm.

SAML FSSO with FortiAuthenticator and Okta

In this example, you will provide a Security Assertion Markup Language (SAML) FSSO cloud authentication solution using FortiAuthenticator as the service provider (SP) and Okta, a cloud-based user directory, as the identity provider (IdP).

Okta is a secure authentication and identity-access management service that offers secure SSO solutions. Okta can be implemented with a variety of technologies and services including Office 365, G Suite, Dropbox, AWS, and more.

A user will start by attempting to make an unauthenticated web request (1). The FortiGate’s captive portal will offload the authentication request to the FortiAuthenticator’s SAML SP portal (2), which in turn redirects that client/browser to the SAML IdP login page (3). Assuming the user successfully logs into the portal (4), a positive SAML assertion will be sent back to the FortiAuthenticator (5), converting the user’s credentials into those of an FSSO user (6).

The FortiGate has a WAN IP address of 172.25.176.92, and the FortiAuthenticator has the WAN IP address of 172.25.176.141. Note that, for testing purposes, the FortiAuthenticator’s IP and FQDN have been added to the hosts file of trusted host names; this is not necessary for a typical network.

This configuration assumes that you have already created an Okta developer account. It is also assumed that two user groups have been created on the FortiAuthenticator both called saml_users: one local user group, and an SSO user group. Note that SAML version 2.0 is used for this configuration.

1. Configure DNS and FortiAuthenticator’s FQDN

On the FortiAuthenticator, go to System > Dashboard > Status. In the System Information widget, select Change next to Device FQDN.

Enter a domain name; for this example, fac.school.net. This will help identify where the FortiAuthenticator is located in the DNS hierarchy.

Enter the same name for the Host Name. This is so you can add the unit to the FortiGate’s DNS list, so that the local DNS lookup of this FQDN can be resolved.

On the FortiGate, open the CLI Console and enter the following command, entering the FortiAuthenticator’s host name and Internet-facing IP address:

config system dns-database
   edit school.net
      config dns-entry
         edit 1
            set hostname fac.school.net
            set ip 172.25.176.141
         next
      end
      set domain school.net
   next
end

2. Enable FSSO and SAML on the FortiAuthenticator

On the FortiAuthenticator, go to Fortinet SSO Methods > SSO > General and set FortiGate SSO options. Make sure to Enable authentication.

Enter a Secret key and select OK to apply your changes. This key will be used on the FortiGate to add the FortiAuthenticator as the FSSO server.

Then go to Fortinet SSO Methods > SSO > SAML Authentication and select Enable SAML portal. All necessary URLs are automatically generated:

  • Portal url – Captive Portal URL for the FortiGate and user.
  • Entity id – Used in the Okta SAML IdP application setup.
  • ACS (login) url – Assertion POST URL used by the SAML IdP.

Enable Implicit group membership and assign the saml_users group from the dropdown menu. This will place SAML authenticated users into this group.

Keep this window open as these URLs will be needed during the IdP application configuration and for testing.

Note that, at this point, you will not be able to save these settings, as IdP information — IDP entity id, IDP single sign-on URL, and IDP certificate fingerprint — needs to be entered. These fields will be filled once the IdP application configuration is complete.

3. Configure the Okta developer account IDP application

Open a browser, log in to your Okta developer account, and select Admin under your user settings.

Go to the Applications tab and select Add Application.

Select Create New App and create a new application with the SAML 2.0 sign on method.

Enter a custom App name and select Next (upload an App logo if you wish).

Note that the name entered here is the name of the portal the user will log into.

Under A – SAML Settings, set Single sign on URL and Audience URI (SP Entity ID) to the ACS and Entity URLs (respectively) from the Edit SAML Portal Settings page on the FortiAuthenticator.

Users will be required to provide their email address as their username, and their first and last names (as seen in the example).

Before continuing, make sure to select Download Okta Certificate. This will be imported to the FortiAuthenticator later.

You do not need to configure group attributes or section B below.

In the last step, confirm that you are an Okta customer, and set the App type to an internal app. Then select Finish.

Once created, open the Sign On tab and download the Identity Provider metadata.

Finally, open the Assignments tab and select Assign > Assign to People.

Assign the users you wish to add to the application. This will permit the user to log in to the application’s portal. Save your changes and select Done.

The user is successfully assigned. This concludes the steps necessary in configuring SAML 2.0.

4. Import the IDP certificate and metadata on the FortiAuthenticator

Back on the FortiAuthenticator, go to Fortinet SSO Methods > SSO > SAML Authentication and import the IDP metadata and certificate downloaded earlier.

This will automatically fill the IDP fields (as shown in the example). Make sure to select OK to save these changes.
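
The import step above is, mechanically, a read of the IdP metadata file downloaded from Okta's Sign On tab. The following Python script is an added example (not Fortinet's or Okta's code) that pulls the three fields the portal needs out of SAML 2.0 IdP metadata and checks the step 3 pairing of ACS URL and Entity id; the host name, app id and FortiAuthenticator URLs are constructed placeholders, the embedded certificate is not a real one, and the SHA-1 digest is an assumption since the page does not state which fingerprint algorithm is used.

```python
"""Read the three IdP values the FortiAuthenticator SAML portal asks for
(IDP entity id, IDP single sign-on URL, IDP certificate fingerprint) from a
SAML 2.0 IdP metadata file, and sanity-check the SP/IdP pairing from step 3."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Okta's IdP metadata. Host name and app id
# are placeholders, and the X509Certificate body is NOT a real certificate:
# it is arbitrary bytes so the fingerprint step has something to hash.
SAMPLE_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real DER-encoded certificate").decode()
SAMPLE_SSO_URL = "https://dev-EXAMPLE.oktapreview.com/app/EXAMPLE_APP_ID/sso/saml"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="http://www.okta.com/EXAMPLE_APP_ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="{SAMPLE_SSO_URL}"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="{SAMPLE_SSO_URL}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA-1 fingerprint of a DER certificate."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity id, SSO URL per binding, signing cert (DER) and its fingerprint."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    # Prefer the key marked use="signing"; fall back to any KeyDescriptor.
    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("metadata carries no X509Certificate")
    der = base64.b64decode("".join(cert.text.split()))  # drop PEM-style line wrapping
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "cert_der": der,
        "fingerprint_sha1": sha1_fingerprint(der),
    }


# Step 3 pairing: Okta's "Single sign on URL" must equal the FortiAuthenticator
# ACS (login) url, and "Audience URI (SP Entity ID)" its Entity id. The URLs
# below are constructed placeholders, not the FortiAuthenticator's real paths.
FAC_SP = {"entity_id": "https://fac.school.net/EXAMPLE_ENTITY_ID",
          "acs_url": "https://fac.school.net/EXAMPLE_ACS_URL"}
OKTA_APP = {"Single sign on URL": "https://fac.school.net/EXAMPLE_ACS_URL",
            "Audience URI (SP Entity ID)": "https://fac.school.net/EXAMPLE_ENTITY_ID"}


def check_sp_pairing(fac_sp: dict, okta_app: dict) -> list:
    """List the mismatches between the SP values shown on the FortiAuthenticator
    and what was typed into the Okta app; an empty list means they agree."""
    problems = []
    if okta_app.get("Single sign on URL") != fac_sp["acs_url"]:
        problems.append("Okta 'Single sign on URL' differs from the FortiAuthenticator "
                        "ACS (login) url: the assertion would be POSTed to the wrong place")
    if okta_app.get("Audience URI (SP Entity ID)") != fac_sp["entity_id"]:
        problems.append("Okta 'Audience URI (SP Entity ID)' differs from the "
                        "FortiAuthenticator Entity id: the SP will reject the audience")
    return problems


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print("IDP entity id:              ", idp["entity_id"])
    print("IDP single sign-on URL:     ", idp["sso"][POST_BINDING])
    print("IDP certificate fingerprint:", idp["fingerprint_sha1"])
    print("SP pairing problems:", check_sp_pairing(FAC_SP, OKTA_APP) or "none")
```

Point the script at the real metadata file and compare its output with the values the FortiAuthenticator filled in after the import.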

Next, go to Fortinet SSO Methods > SSO > FortiGate Filtering and create a new FortiGate filter.

Enter a name and the FortiGate’s wan-interface IP address, and select OK.

Once created, enable Fortinet Single Sign-On (FSSO). Select Create New to create an SSO group filtering object (as shown already created in the example), and select OK to apply all changes.

Note that the name entered for the filter must be the same as the group name created for SAML users (saml_users). Failing to enter the exact same name will result in the SSO information not being pushed to the FortiGate.

5. Configure FSSO on the FortiGate

On the FortiGate, go to User & Device > Single Sign-On and select Create New.

Set Type to Fortinet Single Sign-On Agent, enter a Name, the FortiAuthenticator’s wan-interface IP, and the password, using the secret key entered into the FortiAuthenticator earlier.

Select Apply & Refresh. The SAML user group name has been successfully pushed to the FortiGate from the FortiAuthenticator, appearing when you select View.

Note that you may have to wait a few minutes before the user group appears.

Once created, the server will be listed. Mouse over the entry under the Users/Groups column and make sure that the FSSO group has been pushed down.

Then go to User & Device > User Groups and create a new user group.

Enter a Name, set Type to Fortinet Single Sign-On (FSSO), and add the FSSO group as a Member.

6. Configure Captive Portal and security policies 

On the FortiGate, go to Network > Interface and edit the internal interface.

Under Admission Control, set Security Mode to Captive Portal.

Set Authentication Portal to External, and enter the SAML authentication portal URL.

Set User Access to Restricted to Groups, and set User Groups to any local group, as you’ll notice the FSSO group is not available; this local group won’t be used for access.

Next go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.

Then create five FQDN objects: one for your Okta developer page and the following:

  • eum-col.appdynamics.com
  • login.okta.com
  • ocsp.digicert.com
  • op1static.oktacdn.com

As these are FQDNs, make sure to set Type to FQDN.

Then go to Policy & Objects > IPv4 Policy and create the policies shown in the example: one for DNS, one for FortiAuthenticator access, one for Okta bypass, and a final policy for FSSO that includes the SAML user group.

When finished, open the CLI Console and configure the following setting for each policy except the FSSO policy:

config firewall policy
   edit <policy-id>
      set captive-portal-exempt enable
   next
end

This will exempt users of this policy from the captive portal interface.

Results: Testing

To test the connection, open a new browser window and attempt to browse the Internet. The browser will redirect to the FortiAuthenticator SAML portal, which pushes the browser to the SAML IdP.

Alternatively, you can directly navigate to the portal URL.

Enter the user’s credentials and select Sign In.

The assertion is pushed back to the FortiAuthenticator where the user is authenticated.

On the FortiAuthenticator, go to Monitor > SSO > SSO Sessions to view the user and assigned user group.

On the FortiGate, go to Monitor > Firewall User Monitor to view user information, and confirm that the user has been authenticated via FSSO.

Notes:

  • Service provider (SP): here, instead of providing Internet, the FortiAuthenticator provides a service to the FortiGate.
  • SAML assertion: an authorization request to allow the assertion subject, or user, to access the specified resource.
  • SAML authentication portal URL: in the example, https://fac.school.net/login/saml-auth.
  • Okta developer page FQDN: in this example, dev-241684-admin.oktapreview.com.
  • Policy IDs: to edit policies you must know their IDs. Right-click the IPv4 Policy column row and add ID to view policy IDs.

Installing VersaRails into a 4 Post Rack

Mounting rail installation varies depending on whether you have a 4-post or 2-post rack. For a 2-post rack, the installation also varies depending on whether you are center-mounting or flush-mounting the rails.

  1. Position one of the mounting rails so that its mounting-bracket flange fits in the location where you will be installing the device.
    The three holes on the front of the flange should align with the holes of the unit where you are installing your device.
  2. Install two of the provided screws through the rack holes into the upper and lower holes in the flange to secure the rail to the rack.
  3. At the back of the rack, pull back on the flange until the mounting holes align with the holes on the back of the rail.
  4. Install two of the provided screws through the rack holes into the upper and lower holes in the flange to secure the rail to the back rack.
  5. Repeat the process for the remaining rail.
  6. Confirm that both rails are mounted at the same vertical position on both sides of the rack.

If you need to install RapidRails into a 4 Post Rack, see Installing RapidRails into a 4 Post Rack.

Installing Center Mount Rails into a 2 Post Rack

  1. Locate the right mounting rail and push the adjustable mounting bracket towards the back of the rail.
  2. Position the right mounting rail in the 2 post rack at the required location, then push the adjustable mounting bracket forward until it is against the rack frame and secure the mounting flange and adjustable mounting bracket to the rack with four of the provided screws.
  3. Repeat the process for the left mounting rail.
  4. Confirm that both rails are mounted at the same vertical position on both sides of the rack.

If you have a Flush Mount Rails, see Installing Flush Mount Rails into a 2 Post Rack.

Episode 12: FortiDDoS Graphing

Certificate errors for blocked websites

Avoiding certificate errors when SSL inspection is applied to traffic is an in-demand topic. There are a number of methods that you can use to prevent these warnings: installing self-signed certificates on client devices, using a certificate signed by a trusted CA, or using the certificate-inspection profile for SSL inspection. However, for all of these methods, certificate errors can still occur when you’ve blocked access to a page using web filtering and the FortiGate attempts to display a replacement message for that site using HTTPS.

This error occurs because, by default, the FortiGate does not use the same certificate for SSL inspection and the encryption of the replacement messages. To avoid these errors, you should first determine which certificate your FortiGate uses for replacement messages using the CLI. The command differs depending on which version of FortiOS you are using:

FortiOS 5.2 and earlier:

config webfilter fortiguard
# get 
cache-mode : ttl 
cache-prefix-match : enable 
cache-mem-percent : 2 
ovrd-auth-port-http : 8008 
ovrd-auth-port-https: 8010 
ovrd-auth-port-warning: 8020 
ovrd-auth-https : enable 
warn-auth-https : enable 
close-ports : disable 
request-packet-size-limit: 0 
ovrd-auth-hostname : 
ovrd-auth-cert : Fortinet_Firmware

The certificate Fortinet_Firmware is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.

FortiOS 5.4 and later:

config user setting 
# get
auth-type : http https ftp telnet 
auth-cert : Fortinet_Factory 
auth-ca-cert : 
auth-secure-http : disable 
auth-http-basic : disable 
auth-timeout : 5 
auth-timeout-type : idle-timeout 
auth-portal-timeout : 3 
radius-ses-timeout-act: hard-timeout 
auth-blackout-time : 0 
auth-invalid-max : 5 
auth-lockout-threshold: 3 
auth-lockout-duration: 0 
auth-ports:

The certificate Fortinet_Factory is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.
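
As an added example (not from the article), the Python check below parses pasted `get` output from either FortiOS branch shown above, reads the replacement-message certificate, and reports when it differs from the SSL inspection CA or is still a factory default; the samples are constructed from the listings above and the inspection CA name in the sample run is assumed.

```python
"""Flag the mismatch this article describes: the certificate the FortiGate
uses for authentication / replacement-message pages differs from the SSL
inspection certificate, so blocked HTTPS pages raise a certificate warning
even on clients that trust the inspection CA."""
import re

# Key that names the replacement-message certificate, per FortiOS branch.
CERT_KEYS = {
    "auth-cert": "FortiOS 5.4 and later (config user setting)",
    "ovrd-auth-cert": "FortiOS 5.2 and earlier (config webfilter fortiguard)",
}
FACTORY_CERTS = {"Fortinet_Firmware", "Fortinet_Factory"}

# Constructed samples following the `get` output shown in the article.
SAMPLE_USER_SETTING = """\
config user setting
# get
auth-type : http https ftp telnet
auth-cert : Fortinet_Factory
auth-ca-cert :
auth-secure-http : disable
auth-ports:
"""
SAMPLE_WEBFILTER_FORTIGUARD = """\
config webfilter fortiguard
# get
ovrd-auth-https : enable
warn-auth-https : enable
ovrd-auth-hostname :
ovrd-auth-cert : Fortinet_Firmware
"""


def parse_get_output(text: str) -> dict:
    """Turn FortiOS `get` listing lines ('key : value') into a dict.
    Lines without a key and colon (the config header, '# get') are skipped,
    and empty values such as 'auth-ca-cert :' become ''."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def replacement_message_cert(get_output: str) -> tuple:
    """Return (certificate name, FortiOS branch) from whichever table was pasted."""
    settings = parse_get_output(get_output)
    for key, branch in CERT_KEYS.items():
        if key in settings:
            return settings[key], branch
    raise ValueError("output contains neither auth-cert nor ovrd-auth-cert")


def check_certificate_consistency(get_output: str, ssl_inspection_cert: str) -> list:
    """Return findings; an empty list means nothing to fix.

    ssl_inspection_cert is the CA certificate name selected in the SSL/SSH
    inspection profile. The article's two remedies are to point the
    replacement-message setting at that same certificate, or to install the
    replacement-message certificate on every client device."""
    cert, branch = replacement_message_cert(get_output)
    findings = []
    if cert != ssl_inspection_cert:
        findings.append(
            f"{branch}: replacement messages are served with '{cert}' but SSL "
            f"inspection uses '{ssl_inspection_cert}'; clients that trust only the "
            f"inspection CA will get a certificate error on blocked HTTPS sites")
    if cert in FACTORY_CERTS:
        findings.append(
            f"'{cert}' is the factory default certificate and is not trusted by "
            f"clients unless it has been installed on them")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_USER_SETTING, SAMPLE_WEBFILTER_FORTIGUARD):
        # 'Fortinet_CA_SSL' is an assumed name standing in for the CA your
        # inspection profile actually uses.
        for finding in check_certificate_consistency(sample, "Fortinet_CA_SSL") or ["OK"]:
            print("-", finding)
```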

For more information about SSL inspection and certificate errors, see the following resources:

Wide Dynamic Range (WDR) in IP Surveillance Cameras

“Dynamic range” means the difference between the largest and the smallest usable signal level. This term is commonly used in audio, electronics, photography and various other fields. In video, like with the human eye, it refers to the limited light range that can be seen in one scene. A lit room will appear dark after spending time in the summer sun; similarly, the outside can be blinding white after spending time in a dark room. Wide Dynamic Range (WDR) provides a broader spectrum of coverage for visibility in both a dark room and outdoor daylight at the same time. By applying this concept to a camera, Wide Dynamic Range means that it can sense and capture both dim and bright light scene details in a single image. This white paper discusses how cameras achieve wide dynamic range image capture, where to use cameras with WDR technology, and how WDR cameras are configured in FortiRecorder. It also provides sample snapshots of WDR pictures from FortiCamera models.

Understanding IP Surveillance Camera Bandwidth

This whitepaper introduces the video bandwidth generated by IP surveillance cameras. It guides IP surveillance beginners in understanding how bandwidth affects the surveillance network through the following key factors:

  • Video compression
  • Image quality level
  • Complexity of the scene
  • Video resolution
  • Frame rate per second
  • Number of cameras and viewing clients

The paper also references the bandwidth-related setup in FortiRecorder and FortiCamera to familiarize the reader with real-world configuration.

Installing Flush Mount Rails into a 2 Post Rack

  1. Place the two mounting rails on a smooth work surface with the front ends of both rails facing you.
  2. Remove the two bracket nuts from the adjustable mounting bracket using an appropriate wrench or nut-driver.
  3. Place the mounting bracket on either the 7.62cm or 15.24cm (3in or 6in) wide flush-mount threaded studs.
  4. Finger tighten the previously removed bracket nuts to secure the mounting bracket.
  5. Repeat steps 2 to 4 for the remaining mounting rail.
  6. Holding the left mounting rail at the required location, position the mounting flange against the front of the 2-post rack and secure it to the rack with two of the provided screws.
  7. Slide the adjustable mounting flange so that it is against the back of the rack post, then secure it to the post with two of the provided screws.
  8. Repeat steps 6 and 7 to install the right mounting rail.
  9. Confirm that both rails are mounted at the same vertical position on both sides of the rack.
  10. Tighten the bracket nuts on the adjustable mounting bracket using an appropriate wrench or nut-driver.

If you have Center Mount Rails, see Installing Center Mount Rails into a 2 Post Rack.

Traffic shaping for VoIP

The quality of VoIP phone calls through a firewall often suffers when the firewall is busy and the bandwidth available for the VoIP traffic fluctuates. This can be irritating, leading to unpredictable results and caller frustration. This recipe describes how to add traffic shaping to your FortiGate to guarantee that enough bandwidth is available for VoIP traffic, regardless of any other activity on the network.

To achieve high-quality real-time voice transmissions, VoIP traffic requires priority over other types of traffic, minimal packet loss, and jitter buffers. You will limit bandwidth-consuming services, like FTP, while providing consistent bandwidth for day-to-day email and web-based traffic. First, you will customize three existing traffic shaper profiles—high priority, medium priority, and low priority—and then create a separate traffic shaping policy for each service type.

1. Enabling Traffic Shaping and VoIP features

Go to System > Feature Select and enable both Traffic Shaping and VoIP. Apply your changes.

2. Creating a high priority VoIP traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default high-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy.

Set Traffic Priority to High. Select Max Bandwidth and enter 1000 Kbps. Select Guaranteed Bandwidth and enter 800 Kbps.

3. Creating a low priority FTP traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default low-priority traffic shaper.

Set Type to Shared. Set Apply shaper to All policies using this shaper.

Set Traffic Priority to Low. Set Max Bandwidth and Guaranteed Bandwidth to 200 Kbps.

4. Creating a medium priority daily traffic shaper

Go to Policy & Objects > Traffic Shapers and edit the default medium-priority traffic shaper.

Set Type to Shared. Set Apply shaper to Per Policy. Select Max Bandwidth and enter 600 Kbps. Set Traffic Priority to Medium. Select Guaranteed Bandwidth and enter 600 Kbps.  

5. Adding a VoIP security profile to your Internet access policy

Go to Policy & Objects > IPv4 Policy and edit your Internet access policy.

Under Security Profiles enable VoIP and change the logging options to All Sessions to test the results later.

Note your Source, Destination and Outgoing Interface for Step 6.

This shows the VoIP Security Profile enabled in the Internet access policy.

6. Creating three traffic shaping policies

Go to Policy & Objects > Traffic Shaping Policy and create a new high-priority traffic shaping policy for SIP traffic.

Set the Matching Criteria to the same settings as the Internet access policy you would like to apply traffic shaping to. Enable Shared Shaper and Reverse Shaper and select high-priority.

This shows the SIP shaping policy.

Follow the same process to create a new low-priority traffic shaping policy for FTP traffic. Set Service to FTP and Shared Shaper and Reverse Shaper to low-priority.

This shows the FTP shaping policy.

Now create a medium-priority traffic shaping policy for daily traffic. Set Service to ALL and Shared Shaper and Reverse Shaper to medium-priority.

This image shows the medium-priority traffic shaping policy.

Arrange your policies in the following order:

    1. High-priority (SIP/VoIP traffic)
    2. Low-priority (FTP traffic)
    3. Medium-priority (Day-to-day traffic)

This image shows the policy list page.

7. Results

Browse the Internet using a PC on your internal network to generate daily web traffic. Then, generate FTP traffic.

The FTP sessions should occur slowly.

This shows the FTP file download.

Finally, generate SIP traffic.

Go to FortiView > Traffic Shaping and look at the three active traffic shapers.

This shows how the high-priority policy has no dropped bytes. 

If the standard traffic volume is high enough, it will top out at the maximum bandwidth defined by each shaper. The high-priority VoIP (SIP) policy should show no dropped bytes, but either of the other two policies may show dropped bytes if the set bandwidth is maxed out. You will have normal voice quality on your VoIP call, even with daily traffic and FTP downloads running.

Select the graph icon to switch to the bubble graph view, and sort by Bandwidth. Mouse over a shaper to view more details, or double-click to drill down.

This shows the bandwidth flowing through all three policies.

For further reading, check out Traffic Shaping in the FortiOS 5.6 Handbook.

Notes:

  • Before you apply QoS measures, ensure you have enough network bandwidth to support real-time voice traffic.
  • Traffic shaping rules and VoIP profiles can now be applied to firewall policies.
  • Select Per Policy when you want each security policy for day-to-day business traffic to have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 800 Kbps each.
  • Select All policies using this shaper to ensure that all policies using your shaper will be restricted to share a set amount of bandwidth. In this example, 200 Kbps total.
  • If you are creating a new traffic shaper, the Traffic Priority is set to High by default. A failure to set different shaper priorities will result in a lack of prioritized traffic.
  • Setting a low maximum bandwidth will prevent sudden spikes in traffic caused by large FTP file uploads and downloads.
  • The medium-priority shaper should be set to a moderate value and set to Per Policy so that day-to-day traffic has the same distribution of bandwidth.
  • Make sure that you include a Reverse Shaper so that return traffic for a VoIP call has the same guaranteed bandwidth as an outgoing call.
  • To reorder policies, click on the far left of the column you want to move and drag it up or down.
  • More specific restrictive policies, like the SIP and FTP policies, should always be placed at the top of the list, above the unrestricted general access policy that allows “all”.
  • In this example, a PDF file was downloaded from an FTP server.
  • In this example, SIP traffic was generated by placing a call with a VoIP FortiFone connected to the internal interface of the FortiGate.
  • In the screenshot, the SIP traffic is only using a small part of the allocated bandwidth.

Configuring a Call Center in FortiVoice (Video)

Configuring Property Management in FortiVoice (Video)

Installing the Device into Static Rails

  1. Lift the device into position so that the device rails are aligned with the mounting rails on the rack.
  2. Push the device into the mounting rails as far as possible.
  3. If applicable, secure the device to the rack.
    Different devices have different options for securing the device to the rack, such as thumbscrews built into the front panel of the device, or front handles. See Front Handles.
  4. Find the reusable tie wrap attachment points, located on the back of the two back mounting-bracket flanges, and use the tie wraps to secure the cables to the mounting rails.
  5. Push the tie wrap’s fastener through the attachment point.
  6. Push the tie wrap’s plunger until it snaps, securing the tie wrap to the mounting rail.
  7. Secure the device’s cables to the mounting rail using the tie wrap.

If you have Sliding Rails, see Installing the Device into Sliding Rails.
If you need to remove your device from the rack, see Removing the Device from the Rack.

Installing the Device into Sliding Rails

  1. Pull the two inner slide rails out of the rack until they lock in the fully extended position.
  2. Lift the device into position above the extended inner slide rails.
    The three shoulder screws on each side of the device fit into the corresponding J-slots on the inner slide rails.
  3. Lower the back of the device while aligning the back shoulder screws with the back J-slots.
  4. Engage the back shoulder screws into their respective J-slots.
  5. Lower the front of the device and fit the middle and front shoulder screws into the J-slots.
  6. The release latch at the front of the inner slide rail will snap back as the shoulder screw passes into the front slot. Use this release latch when you wish to remove the device from the rails.
  7. Press the slide-release latch on the outside of each inner slide rail, then push the device into the rack.
  8. If required, install the cable management arm. See Installing the Cable Management Arm.
  9. If applicable, secure the device to the rack.
    Different devices have different options for securing the device to the rack, such as thumbscrews built into the front panel of the device, or front handles. See Front Handles.

If you have Static Rails, see Installing the Device into Static Rails.
If you need to remove your device from the rack, see Removing the Device from the Rack.

IPsec VPN with FortiClient

In this example, you will allow remote users to access the corporate network using an IPsec VPN that they connect to using FortiClient for Mac OS X, Windows, or Android. The remote users’ Internet traffic will also be routed through the FortiGate (split tunneling will not be enabled).

In this example, FortiClient 5.4.2.523 for Mac OS X is used.


1. Creating a user group for remote users

Go to User & Device > User Definition. Create a local user account for an IPsec VPN user.

Go to User & Device > User Groups. Create a user group for IPsec VPN users and add the new user account.

2. Adding a firewall address for the local network

Go to Policy & Objects > Addresses and create an address for the local network.

Set Type to IP/Netmask, Subnet/IP Range to the local subnet, and Interface to an internal port.

3. Configuring the IPsec VPN using the IPsec VPN Wizard

Go to VPN > IPsec Wizard and create a new tunnel using a pre-existing template.

Name the VPN connection. Set Template to Remote Access, and set Remote Device Type to FortiClient VPN for OS X, Windows, and Android.

Set the Incoming Interface to the internet-facing interface and Authentication Method to Pre-shared Key.

Enter a pre-shared key and select the new user group, then click Next.

Set Local Interface to an internal interface (in the example, lan) and set Local Address to the local LAN address.

Enter a Client Address Range for VPN users.

Make sure Enable IPv4 Split Tunnel is not selected, so that all Internet traffic will go through the FortiGate.

Select Client Options as desired.

After you create the tunnel, a summary page appears listing the objects which have been added to the FortiGate’s configuration by the wizard.

4. Creating a security policy for access to the Internet

The IPsec wizard automatically created a security policy allowing IPsec VPN users to access the internal network. However, since split tunneling is disabled, another policy must be created to allow users to access the Internet through the FortiGate.

Go to Policy & Objects > IPv4 Policies and create a new policy. Set a policy name that identifies what this policy is used for (in the example, IPsec-VPN-Internet).

Set Incoming Interface to the tunnel interface and Outgoing Interface to wan1. Set Source to the IPsec client address range, Destination Address to all, Service to ALL, and enable NAT.

Configure any remaining firewall and security options as desired.

5. Configuring FortiClient

Open FortiClient, go to Remote Access and Add a new connection.

Set the Type to IPsec VPN and Remote Gateway to the FortiGate IP address.

Set Authentication Method to Pre-Shared Key and enter the key below.

6. Results

On FortiClient, select the VPN, enter the username and password, and select Connect.

Once the connection is established, the FortiGate assigns the user an IP address and FortiClient displays the status of the connection, including the IP address, connection duration, and bytes sent and received.

On the FortiGate, go to Monitor > IPsec Monitor and verify that the tunnel Status is Up.

Under Remote Gateway, the monitor shows the FortiClient user’s assigned gateway IP address.

Browse the Internet, then go to FortiView > All Segments > Policies and select the now view. You can see traffic flowing through the IPsec-VPN-Internet policy.

Right-click on the policy, then select Drill Down to Details. You can see more information about the traffic.

Under Source, you can also see the IP address assigned to the FortiClient user (10.10.100.1).

For further reading, check out IPsec VPN Overview in the FortiOS 5.6 Handbook.

Notes

The tunnel name may not have any spaces in it and should not exceed 13 characters.
The pre-shared key is a credential for the VPN and should differ from the user's password.
The Client Address Range you enter in the wizard prompts FortiOS to create a new firewall object for the VPN tunnel, using the name of your tunnel followed by the _range suffix (in the example, IPsec-FCT_range).
If you do select Enable Split Tunneling, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles.

Preventing certificate warnings (self-signed certificate)

In this recipe, you will prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you are using a self-signed certificate, your FortiGate’s default certificate, or a CA-signed certificate. This recipe explains how you can prevent certificate warnings when you are using a self-signed certificate.

When full SSL inspection is used, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.


Using a self-signed certificate

In this method, you create a self-signed certificate using OpenSSL. You then install this certificate on the FortiGate for use with SSL inspection. In this recipe, OpenSSL for Windows version 1.1.0f is used.

1. Creating a certificate with OpenSSL

If necessary, download and install OpenSSL. Make sure that the openssl.cnf file is located in the BIN folder for OpenSSL.

Using Command Prompt (CMD), navigate to the BIN folder (in this example, the command is cd c:\OpenSSL-Win64\bin).

Generate an RSA key with the following command:

openssl genrsa -aes256 -out fgcaprivkey.pem 2048

This generates a 2048-bit RSA private key and encrypts it with AES-256.

When prompted, enter a passphrase for encrypting the private key.

Use the following command to launch OpenSSL, submit a new certificate request, and sign the request:

openssl req -new -x509 -days 3650 -extensions v3_ca -key fgcaprivkey.pem -out fgcacert.pem -config openssl.cnf

The result is a standard x509 binary certificate that is valid for 3650 days (approximately 10 years).

When prompted, re-enter the passphrase for encryption, then enter the details required for the certificate request, such as location and organization name.

Two new files are created: a public certificate (fgcacert.pem) and a private key (fgcaprivkey.pem).
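The two OpenSSL steps above, scripted end to end for a POSIX shell as an added example (not part of the Fortinet recipe): it writes a minimal openssl.cnf with a v3_ca section inline, runs the key and certificate commands non-interactively, and then checks that the output really is a CA certificate, which catches the most common failure, a certificate built without the v3_ca extensions (typically because openssl.cnf was not found) and which therefore is not a CA under RFC 5280. The file names, subject fields and passphrase are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Fortinet recipe. Scripts the two OpenSSL
# commands from step 1 non-interactively and then checks that the result is
# really a CA certificate. File names, subject fields and the passphrase are
# constructed for this example.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/fgcaprivkey.pem"
CERT="$WORK/fgcacert.pem"
CNF="$WORK/openssl.cnf"
PASS="pass:Example-passphrase-only"   # constructed; prompt for it outside lab scripts

# Minimal config: the v3_ca section is what makes this a CA certificate.
# Without basicConstraints CA:TRUE, clients do not accept it as an issuer.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
C  = US
O  = Example Corp
CN = Example FortiGate SSL Inspection CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {
    # 2048-bit RSA key, encrypted with AES-256 (genrsa takes no -config option)
    openssl genrsa -aes256 -passout "$PASS" -out "$KEY" 2048 2>/dev/null
    # Self-signed X.509 certificate, valid 3650 days, with the v3_ca extensions
    openssl req -new -x509 -days 3650 -extensions v3_ca -config "$CNF" \
        -key "$KEY" -passin "$PASS" -out "$CERT"
}

# Succeeds only if the certificate is flagged as a CA, may sign certificates,
# and verifies against itself (i.e. it is self-signed and not yet expired).
check_ca() {
    text=$(openssl x509 -in "$CERT" -noout -text)
    echo "$text" | grep -q 'CA:TRUE'          || return 1
    echo "$text" | grep -q 'Certificate Sign' || return 1
    openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

make_ca
check_ca && echo "CA certificate ready for import: $CERT"
```

If check_ca fails on a certificate you produced by hand, compare its extensions with the v3_ca section of the openssl.cnf you passed to openssl req.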

2. Importing the self-signed certificate

Go to System > Certificates and select Import > Local Certificate.

Set Type to Certificate, then select your Certificate file and Key file. Enter the Password used to create the certificate.

The certificate now appears on the Local CA Certificates list.

3. Editing the SSL inspection profile

To use your certificate in an SSL inspection profile, go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-inspection, which is the profile used to apply full SSL inspection.

In FortiOS 5.6, the deep-inspection profile is read-only. In order to use your certificate for SSL inspection, you must create a new deep-inspection profile.

Set CA Certificate to use the new certificate.

Select Download Certificate, to download the certificate file needed in the next step.

4. Importing the certificate into web browsers

Once you have your self-signed certificate, you need to import the certificate into users’ browsers.

The method you use for importing the certificate varies depending on the type of browser.

Internet Explorer, Chrome, and Safari (Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.

If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.

If you are using macOS, double-click the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

Firefox (Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store rather than in the OS store.

If users are using Firefox, the certificate cannot be pushed to all of their devices through the OS; it must be installed on each device.

In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

5. Results

Before you installed the certificate, an error message would appear in users’ browsers when they accessed a site that used HTTPS (this example shows an error message in Firefox).

After you install the certificate, users should not experience a certificate security issue when they browse to sites on which the FortiGate unit performs SSL content inspection.

Users can view information about the connection and the certificate that is used.

If users view information about the connection, they will see that it is verified by Fortinet.

If users view the certificate in the browser, they will see the certificate that is used and information about that certificate.

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.

Notes

If the Certificates page is not visible, go to System > Feature Select and turn on Certificates.
If you have the right environment, such as the Windows Group Policy Management Console, you can push the certificate to users' browsers using the Windows Group Policy Editor. In this case, you do not have to import the certificate into users' browsers.
