Channel: Fortinet Cookbook

Preventing certificate warnings (default certificate)


In this recipe, you will prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you are using your FortiGate’s default certificate, a self-signed certificate, or a CA-signed certificate. This recipe explains how you can prevent certificate warnings when you are using your FortiGate’s default certificate.

When full SSL inspection is used, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can prevent the warning from appearing in the first place.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

Using the default certificate

All FortiGates have a default certificate that is used for full SSL inspection. This certificate is also used in the default deep-inspection profile. To prevent users from seeing certificate warnings, you can install this certificate on users’ devices.

1. Generating a unique certificate

Run the following CLI command to generate an SSL certificate that is unique to your FortiGate:

exec vpn certificate local generate default-ssl-ca

2. Downloading the certificate used for full SSL inspection

Go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-inspection, which is the profile used to apply full SSL inspection.

The default FortiGate certificate is listed as the CA Certificate. Select Download Certificate.

3. Importing the certificate into web browsers 

Once you have your FortiGate’s default certificate, you need to import the certificate into users’ browsers.

The method you use for importing the certificate varies depending on the type of browser.

Internet Explorer, Chrome, and Safari (Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.

If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.

If you are using macOS, double-click the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

Firefox (Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, you must install the certificate in this store, instead of the OS.

If users are using Firefox, the certificate cannot be pushed to all of their devices at once; it must be installed on each device individually.

In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

4. Results 

 

Before you installed the certificate, an error message would appear in users’ browsers when they accessed a site that used HTTPS (this example shows an error message in Firefox).

After you install the certificate, users should not experience a certificate security issue when they browse to sites on which the FortiGate unit performs SSL content inspection.

 
 

Users can view information about the connection and the certificate that is used.

If users view information about the connection, they will see that it is verified by Fortinet.

 
If users view the certificate in the browser, they will see the certificate that is used and information about that certificate.  
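The results above say that a user who looks at the connection details will see it is verified by Fortinet. The same fact can be checked programmatically: on an inspected session the leaf certificate is issued by the FortiGate's inspection CA rather than by the site's public CA. The following Python is an added example, not code from the Fortinet Cookbook; it works with the dict that the standard library's `ssl.getpeercert()` returns, and the issuer values in `INSPECTION_CA_SUBJECT` and the two sample certificates are constructed placeholders (copy the Subject of the CA certificate you downloaded in step 2 into `INSPECTION_CA_SUBJECT`). It applies equally to the CA-signed certificate recipe that follows.

```python
"""Added example (not from the Fortinet Cookbook): tell an SSL-inspected
session apart from a direct one by checking who issued the leaf
certificate, the same thing a user sees as "verified by Fortinet"."""
import hashlib
import socket
import ssl

# Issuer fields expected on inspected sessions. Constructed placeholders:
# replace with the Subject of the CA certificate downloaded from
# Security Profiles > SSL/SSH Inspection on your FortiGate.
INSPECTION_CA_SUBJECT = {
    "organizationName": "Fortinet",
    "commonName": "FortiGate CA",
}


def rdn_to_dict(rdn_sequence):
    """Flatten the ((("key", "value"),), ...) form used by ssl.getpeercert()."""
    flat = {}
    for rdn in rdn_sequence:
        for key, value in rdn:
            flat[key] = value
    return flat


def is_inspected(peercert, ca_subject=INSPECTION_CA_SUBJECT):
    """True when the leaf certificate's issuer matches the inspection CA.

    peercert is the dict returned by SSLSocket.getpeercert(). When the
    FortiGate performs full SSL inspection it re-signs the server
    certificate, so the issuer is the inspection CA, not the site's CA.
    """
    issuer = rdn_to_dict(peercert.get("issuer", ()))
    return all(issuer.get(key) == value for key, value in ca_subject.items())


def fingerprint_sha256(der_bytes):
    """Colon-separated SHA-256 fingerprint, as shown in a browser's certificate viewer."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_peercert(host, cafile, port=443, timeout=5.0):
    """Connect to host and return (peercert dict, SHA-256 fingerprint of the leaf).

    cafile is the FortiGate CA certificate (PEM) downloaded in step 2. It is
    added on top of the system trust store, so the handshake succeeds on both
    inspected and direct sessions, just as installing it in a browser does.
    Requires network access; the offline tests below use the sample dicts.
    """
    context = ssl.create_default_context()
    context.load_verify_locations(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
            return tls.getpeercert(), fingerprint_sha256(leaf_der)


# Constructed sample certificates in the shape ssl.getpeercert() returns.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Fortinet"),),
               (("commonName", "FortiGate CA"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}

if __name__ == "__main__":
    for label, cert in (("inspected", SAMPLE_INSPECTED), ("direct", SAMPLE_DIRECT)):
        verdict = "inspected by FortiGate" if is_inspected(cert) else "not inspected"
        print(f"{label}: {verdict}")
```

Because the check relies on the issuer's distinguished name, compare the fingerprint returned by `fetch_peercert` with the one the FortiGate shows for its CA before treating a match as proof that your own FortiGate, and not some other device, is the one re-signing the traffic.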

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.

Note: If you have the right environment, such as the Windows Group Policy Management Console, you can push the certificate to users’ browsers using the Windows Group Policy Editor. In this case, you do not have to import the certificate into users’ browsers.



Preventing certificate warnings (CA-signed certificate)


In this recipe, you will prevent users from receiving a security certificate warning when your FortiGate performs full SSL inspection on incoming traffic. There are several methods for doing this, depending on whether you are using a CA-signed certificate, your FortiGate’s default certificate, or a self-signed certificate. This recipe explains how you can prevent certificate warnings when you are using a CA-signed certificate.

When full SSL inspection is used, your FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user. This is the same process used in “man-in-the-middle” attacks, which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL inspection.

Often, when users receive security certificate warnings, they simply select Continue without understanding why the error is occurring. To avoid encouraging this habit, you can  prevent the warning from appearing in the first place.

Find this recipe for other FortiOS versions
5.2 | 5.6

Using a CA-signed certificate

In this method, you obtain a CA-signed certificate and install this certificate on your FortiGate for use with SSL inspection. You can use either FortiAuthenticator as a CA or a trusted private CA.

If you use FortiAuthenticator as a CA, you generate a certificate signing request (CSR) on your FortiGate, have it signed on the FortiAuthenticator, import the certificate into your FortiGate, and configure your FortiGate so the certificate can be used for SSL deep inspection of HTTPS traffic.

If you use a trusted private CA, you generate a CSR on your FortiGate, apply for an SSL certificate from a trusted private CA, import the certificate into your FortiGate, and configure your FortiGate so the certificate can be used for SSL deep inspection of HTTPS traffic. 

If your FortiAuthenticator is not configured as a CA, see FortiAuthenticator as a Certificate Authority for more information.

1. Generating a CSR on a FortiGate

On your FortiGate, go to System > Certificates and select Generate to create a new CSR.

Enter a Certificate Name, the external IP of your FortiGate, and a valid email address.

Make sure to set Key Type to RSA and Key Size to 2048 Bit. This ensures the certificate is backed by a key of adequate strength.

 

Once generated, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.

 

 

2. Getting the certificate signed by a CA

Trusted private CA:

If you want to use a trusted private CA to sign the certificate, use the CSR to apply for an SSL certificate with a trusted private CA.

FortiAuthenticator:

If you want to use a FortiAuthenticator as a CA to sign the certificate, on the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.

Set Type to CSR to sign, enter a Certificate ID, and import the Example-cert.csr file. Make sure to select the Certificate authority from the drop-down menu and set the Hash algorithm to SHA-256.

Once imported, you should see that Example-cert has been signed by the FortiAuthenticator, showing a Status of Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export.

This will save a .crt file to your local drive.

 

 

 

 

3. Importing the signed certificate to your FortiGate

On your FortiGate, go to System > Certificates and select Local Certificate from the Import drop-down menu.  
Browse to the certificate file and select OK.
You should now see that the certificate has a Status of OK.

4. Editing the SSL inspection profile

To use your certificate in an SSL inspection profile, go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top right corner to select deep-inspection, which is the profile used to perform full SSL inspection.

In FortiOS 5.6, the deep-inspection profile is read-only. In order to use your certificate for SSL inspection, you must create a new deep-inspection profile.

Set CA Certificate to use the new certificate.

5. Importing the certificate into web browsers

Once your certificate has been signed by FortiAuthenticator or your trusted private CA, you need to import the signing CA’s certificate into users’ browsers.

The method you use for importing the certificate varies depending on the type of browser. 

Internet Explorer, Chrome, and Safari (on Windows and macOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate store for Internet browsing. If users will be using these browsers, you must install the certificate into the certificate store for the OS.

If you are using Windows 7/8/10, double-click the certificate file and select Open. Select Install Certificate to launch the Certificate Import Wizard.

Use the wizard to install the certificate into the Trusted Root Certification Authorities store. If a security warning appears, select Yes to install the certificate.

If you are using macOS, double-click the certificate file to launch Keychain Access.

Locate the certificate in the Certificates list and select it. Expand Trust and select Always Trust. If necessary, enter the administrative password for your computer to make this change.

Firefox (on Windows and macOS)

Firefox has its own certificate store. To avoid errors in Firefox, the certificate must be installed in this store, rather than in the OS.

If users are using Firefox, the certificate cannot be pushed to all of their devices at once; it must be installed on each device individually.

In Firefox, go to Tools > Options > Advanced or Options > Advanced and select the Certificates tab.

Select View Certificates, then select the Authorities list. Import the certificate and set it to be trusted for website identification.

6. Results

 

Before you installed the certificate, an error message would appear in the browser when users accessed a site that used HTTPS (the example shows an error message appearing in Firefox).

After you install the certificate, users should not experience a certificate security issue when they browse to sites on which the FortiGate unit performs SSL content inspection.

 
 

Users can view information about the connection and the certificate that is used.

If users view information about the connection, they will see that it is verified by Fortinet.

 
 If users view the certificate in the browser, they will see which certificate is used and information about that certificate.  

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.

Note: If you have the right environment, such as the Windows Group Policy Management Console, you can push the certificate to users’ browsers using the Windows Group Policy Editor. In this case, you do not have to import the certificate into users’ browsers.


Exempting Google from SSL inspection


In this recipe, you will exempt Google websites from deep SSL inspection. Exempting these websites allows the Google Chrome browser to access them without errors.

You should use caution when exempting websites. In general, you should exempt only websites that you know you can trust. You could also consider exempting websites that do not function properly when subjected to SSL inspection, such as a site (or application) that uses certificate/public key pinning.

In this example, google.ca is exempted from SSL inspection. If necessary, substitute your local Google search domain.

The full CLI configuration can be found at the end of this recipe.

Find this recipe for other FortiOS versions
5.2 | 5.6

1. Using the default deep-inspection profile

Go to System > Feature Select. Under Additional Features, make sure Multiple Security Profiles is enabled.

If necessary, Apply changes.

 

Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on the internal network to access the Internet.

Under Security Profiles, enable Web Filter using the default profile. SSL/SSH Inspection is enabled by default. Set it to use the deep-inspection profile.

 

When the deep-inspection profile is used, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the end user.

For more information, see Why you should use SSL inspection.

Using Chrome, browse to google.ca. An error appears that you cannot bypass.

 

This error occurs because Chrome uses certificate pinning (also called SSL pinning or public key pinning). This allows Chrome to determine that the certificate presented for the website does not match one belonging to Google. Because of this, Chrome concludes that a “man in the middle” attack is occurring and blocks the connection.

2. Creating an SSL/SSH profile that exempts Google

In FortiOS 5.6, the two default profiles, certificate-inspection and deep-inspection, are read-only. In order to exempt Google, you must create a new profile.

Go to Policy & Objects > Addresses and create a new address.

Set Type to Wildcard FQDN and set Wildcard FQDN to the domain name used by Google in your region (in the example, *.google.ca).

 
Go to Security Profiles > SSL/SSH Inspection and select the list view to view all profiles.
Select the deep-inspection profile, then select Clone to create a copy of this profile. This copy will have all the settings used by the default profile, while also being read-write.

Edit the new SSL profile and change its name (in the example, my-deep-inspection).

Exempt web categories and addresses are listed under Exempt from SSL Inspection. Add the address for Google to the list of exempt Addresses.

Go to Policy & Objects > IPv4 and edit the policy that allows users on the internal network to access the Internet.

Set SSL/SSH Inspection to use the new profile.

3. Results

Using Chrome, browse to google.ca. The site loads properly.  

 

CLI Syntax

The CLI syntax below is from the configuration shown above. Remember to substitute your own names/values when necessary.

config firewall address
    edit "Google Canada"
        set uuid 64b58d54-4fb2-51e7-23ee-0d067557e7ac
        set type wildcard-fqdn
        set wildcard-fqdn "*.google.ca"
    next
end

config firewall ssl-ssh-profile
    edit "my-deep-inspection"
        set comment "Deep inspection."
        config https
            set ports 443
        end
        config ftps
            set ports 990
        end
        config imaps
            set ports 993
        end
        config pop3s
            set ports 995
        end
        config smtps
            set ports 465
        end
        config ssh
            set ports 22
        end
        config ssl-exempt
            edit 1
                set type address
                set address "Adobe Login"
            next
            edit 2
                set type address
                set address "Google Canada"
            next
            edit 3
                set type address
                set address "Gotomeeting"
            next
            edit 4
                set type address
                set address "Windows update 2"
            next
            edit 5
                set type address
                set address "adobe"
            next
            edit 6
                set type address
                set address "android"
            next
            edit 7
                set type address
                set address "apple"
            next
            edit 8
                set type address
                set address "appstore"
            next
            edit 9
                set type address
                set address "auth.gfx.ms"
            next
            edit 10
                set type address
                set address "autoupdate.opera.com"
            next
            edit 11
                set type address
                set address "citrix"
            next
            edit 12
                set type address
                set address "dropbox.com"
            next
            edit 13
                set type address
                set address "eease"
            next
            edit 14
                set type address
                set address "firefox update server"
            next
            edit 15
                set type address
                set address "fortinet"
            next
            edit 16
                set type address
                set address "google-drive"
            next
            edit 17
                set type address
                set address "google-play"
            next
            edit 18
                set type address
                set address "google-play2"
            next
            edit 19
                set type address
                set address "google-play3"
            next
            edit 20
                set type address
                set address "googleapis.com"
            next
            edit 21
                set type address
                set address "icloud"
            next
            edit 22
                set type address
                set address "itunes"
            next
            edit 23
                set type address
                set address "microsoft"
            next
            edit 24
                set type address
                set address "skype"
            next
            edit 25
                set type address
                set address "softwareupdate.vmware.com"
            next
            edit 26
                set type address
                set address "swscan.apple.com"
            next
            edit 27
                set type address
                set address "update.microsoft.com"
            next
            edit 28
                set type address
                set address "verisign"
            next
            edit 29
                set fortiguard-category 31
            next
            edit 30
                set fortiguard-category 33
            next
        end
    next
end

config firewall policy
    edit 1
        set name "Internet"
        set uuid 05bbbea0-4610-51e7-289b-434738fcb746
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "my-deep-inspection"
        set nat enable
    next
end
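The recipe warns that only trusted sites, or sites that break under inspection because of pinning, should be exempted. A wildcard FQDN that is too broad (for example `*.com`) would quietly switch inspection off for far more than one organisation. The following Python is an added example, not code from the Fortinet Cookbook: it renders the address object and the ssl-exempt section of a cloned profile in the same CLI form as the configuration above, and refuses wildcard patterns whose suffix is a public suffix. The `PUBLIC_SUFFIXES` set is a short constructed stand-in for a real public-suffix list, and the protocol port sections of the profile are left out because the clone inherits them from the default profile.

```python
"""Added example (not from the Fortinet Cookbook): render wildcard FQDN
exemptions as FortiOS CLI text and reject patterns broad enough to
exempt a whole top-level domain from SSL inspection."""
import re

# Assumption: a short stand-in for a real public-suffix list. A wildcard
# whose suffix is one of these would exempt every site under that suffix.
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "co.uk", "com.au"}

# "*." followed by at least two labels, e.g. *.google.ca (not *.ca).
_WILDCARD_RE = re.compile(r"\*\.(?:[a-z0-9-]+\.)+[a-z0-9-]+$")


def validate_wildcard_fqdn(pattern):
    """Return the suffix of a wildcard FQDN such as *.google.ca.

    Raises ValueError when the pattern is not of that form or when its
    suffix is a public suffix, since that would exempt far more than the
    one site the recipe intends.
    """
    pattern = pattern.strip().lower()
    if not _WILDCARD_RE.match(pattern):
        raise ValueError(f"not a wildcard FQDN of the form *.example.tld: {pattern!r}")
    suffix = pattern[2:]
    if suffix in PUBLIC_SUFFIXES:
        raise ValueError(f"{pattern!r} would exempt every host under .{suffix}")
    return suffix


def is_acceptable_exemption(pattern):
    """Boolean form of validate_wildcard_fqdn for use in review scripts."""
    try:
        validate_wildcard_fqdn(pattern)
        return True
    except ValueError:
        return False


def render_address(name, pattern):
    """config firewall address entry for a wildcard FQDN object (validated first)."""
    validate_wildcard_fqdn(pattern)
    return "\n".join([
        "config firewall address",
        f'    edit "{name}"',
        "        set type wildcard-fqdn",
        f'        set wildcard-fqdn "{pattern}"',
        "    next",
        "end",
    ])


def render_profile(profile, exempt_addresses, exempt_categories=()):
    """ssl-exempt section of a cloned deep-inspection profile.

    Address entries come first, then FortiGuard category entries, numbered
    consecutively as the FortiGate numbers them.
    """
    lines = ["config firewall ssl-ssh-profile", f'    edit "{profile}"',
             "        config ssl-exempt"]
    index = 1
    for name in exempt_addresses:
        lines += [f"            edit {index}",
                  "                set type address",
                  f'                set address "{name}"',
                  "            next"]
        index += 1
    for category in exempt_categories:
        lines += [f"            edit {index}",
                  f"                set fortiguard-category {category}",
                  "            next"]
        index += 1
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def exempt_entry_count(config_text):
    """Count ssl-exempt entries in rendered CLI text, to track how long the list has grown."""
    return len(re.findall(r"^ {12}edit \d+$", config_text, re.MULTILINE))


if __name__ == "__main__":
    print(render_address("Google Canada", "*.google.ca"))
    print(render_profile("my-deep-inspection", ["Google Canada"], [31, 33]))
    for candidate in ("*.google.ca", "*.com", "google.ca"):
        print(candidate, "->", "ok" if is_acceptable_exemption(candidate) else "rejected")
```

Running `exempt_entry_count` over a `show firewall ssl-ssh-profile` dump is a quick way to notice when an exemption list has grown well beyond the thirty entries the recipe's profile carries.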

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.


Setting up WiFi with a FortiAP


In this recipe, you will set up a WiFi network with a FortiGate managing a FortiAP in Tunnel mode.

You can configure a FortiAP unit in either Tunnel mode or Bridge mode. Tunnel mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only subnet for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet.

For information about using a FortiAP in Bridge mode, see Setting up a WiFi bridge with a FortiAP.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

1. Connecting and authorizing the FortiAP unit

Go to Network > Interfaces and edit the interface that will connect to the FortiAP (in this example, port 16).

Set Addressing Mode to Manual and set an IP/Network Mask.

Under Administrative Access, enable CAPWAP and optionally enable PING to test your connection.

Under Networked Devices, enable both Device Detection and Active Scanning.

 

Connect the FortiAP unit to the interface.

 

Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The device is not yet authorized, as indicated by the icon in the State column.

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them.

 

Right-click on the FortiAP, and select Authorize.

 

The device interface will be down initially, but after a few minutes, hit the Refresh button and the icon in the State column will confirm that the device is authorized.

Make sure that your FortiAP is on the latest firmware. If the OS Version shows the message “A new firmware version is available,” then check the release notes for your product on the Fortinet Support Site.

 

You can download the firmware images from the Support Site to your Local Hard Disk, or you can select A new firmware version is available and download the latest version directly from FortiGuard.

 

2. Creating an SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to Tunnel.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Enable Device Detection and Active Scanning.

Name the SSID (in the example, MyNewWiFi).

Set the Security Mode as required and enter a secure Pre-shared Key.

Enable Broadcast SSID.

 

3. Creating a custom FortiAP profile

Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile.

Set Platform to the FortiAP model you are using (FAP221C in this recipe).

Set the Country/Region. You can optionally set an AP Login Password.

Make sure that Radio 1 is set to Access Point, and leave the SSID set to Auto.

 

 

Go to WiFi & Switch Controller > Managed FortiAPs and right-click on the FortiAP you added earlier. Select Assign Profile and set the FortiAP to use the new FortiAP profile (in the example, MyProfile).

By default, the FortiGate assigns all SSIDs to this profile.

 

4. Allowing wireless access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface. Confirm that NAT is enabled.

 

5. Results

Connect to the SSID with a wireless device. After a connection is established, browse the Internet to generate traffic.

 
From the policy list page, right-click on your wireless policy and select Show in FortiView, or go directly to FortiView > All Sessions.
You can view more details by selecting the various tabs (Sources, Destinations, Applications, Countries, Sessions).

For further reading, check out Configuring a WiFi LAN in the FortiOS 5.6 Handbook.

Notes:

  • Some FortiGate models do not have the Active Scanning option; it is not required for this recipe.
  • It may take a few minutes for the FortiAP to appear in the Managed FortiAPs list.
  • The automatic addition of discovered FortiAPs to the list can be disabled in the CLI. See Deploying Wireless Networks.
  • Alternatively, select the FortiAP unit in the list and select Authorize from the top menu.
  • Leaving SSID set to Auto in the FortiAP profile assigns Tunnel-mode SSIDs to the profile automatically.
  • The policy list is located under Policy & Objects > IPv4 Policy.

Using virtual IPs to configure port forwarding


This recipe demonstrates how to use Virtual IPs (VIPs) to configure port forwarding on a FortiGate unit. This configuration allows users on the Internet to connect to your server protected behind a FortiGate firewall, without knowing the server’s internal IP address and only through ports that you choose.

In this example, TCP ports 80 (HTTP), 21 (FTP), and 22 (SSH) are opened for remote users to communicate with a server behind the firewall. The external IP address used is 172.20.121.67 and is mapped to 192.168.100.1 by the VIP.

Find this recipe for other FortiOS versions:
5.2 | 5.4

1. Creating three VIPs

Go to Policy & Objects > Virtual IPs > Create New > Virtual IP.

Enter the External IP Address/Range. Next, enter the Mapped IP Address/Range.

Enable Port Forwarding and add a VIP for TCP port 80, webserver-http.

 

Next, create a second VIP for TCP port 21, webserver-ftp.

Finally, create a third VIP for TCP port 22, webserver-ssh.

2. Adding VIPs to a VIP group

Go to Policy & Objects > Virtual IPs > Create New > Virtual IP Group.

Create a VIP group, in this example, webserver group. Under Members, include all three VIPs previously created.

 

3. Creating a security policy

Go to Policy & Objects > IPv4 Policy and create a security policy allowing access to a server behind the firewall.

Set Incoming Interface to your Internet-facing interface, Outgoing Interface to the interface connected to the server, and Destination Address to the VIP group (webserver group). Set Service to allow HTTP, FTP, and SSH traffic.

Use the appropriate Security Profiles to protect the servers.

 

4. Results

To ensure that TCP port 80 is open, connect to the web server from a remote connection on the other side of the firewall.

 

Next, ensure that TCP port 21 is open by using an FTP client to connect to the FTP server from a remote connection on the other side of the firewall.

Finally, ensure that TCP port 22 is open by connecting to the SSH server from a remote connection on the other side of the firewall.
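The recipe exposes exactly three ports and tells you to restrict the policy's Service to HTTP, FTP and SSH. The following Python is an added example, not code from the Fortinet Cookbook: it models the three VIPs and the VIP group, renders them as CLI text, and checks a policy's Service list against the ports the VIPs actually forward, so a Service of ALL or an extra service stands out in review. The CLI keys (`set extip`, `set mappedip`, `set portforward enable`, `set extport`, `set mappedport`, `config firewall vipgrp`) are my reading of the FortiOS 5.4 syntax and should be compared with `show firewall vip` on your unit; the interface name `wan1` and the `SERVICE_PORTS` mapping are assumptions. It also shows the note's point that an external port need not equal the listening port.

```python
"""Added example (not from the Fortinet Cookbook): model the port
forwarding VIPs from the recipe, render them as CLI, and check that the
policy's Service list matches the forwarded ports."""
from dataclasses import dataclass

# Values from the recipe: the external IP is mapped to the internal server.
EXTERNAL_IP = "172.20.121.67"
MAPPED_IP = "192.168.100.1"

# Assumption: ports behind FortiOS's predefined service names used here.
SERVICE_PORTS = {"HTTP": 80, "FTP": 21, "SSH": 22, "HTTPS": 443, "TELNET": 23}


@dataclass(frozen=True)
class Vip:
    name: str
    extport: int            # port remote users connect to on the external IP
    mappedport: int         # port the server listens on (may differ, see note)
    extintf: str = "wan1"   # assumption: the Internet-facing interface name


# The three VIPs the recipe creates, each mapping a port to itself.
RECIPE_VIPS = (
    Vip("webserver-http", 80, 80),
    Vip("webserver-ftp", 21, 21),
    Vip("webserver-ssh", 22, 22),
)


def render_vips(vips):
    """config firewall vip entries (keys assumed from FortiOS 5.4 CLI)."""
    lines = ["config firewall vip"]
    for v in vips:
        lines += [f'    edit "{v.name}"',
                  f"        set extip {EXTERNAL_IP}",
                  f'        set extintf "{v.extintf}"',
                  "        set portforward enable",
                  f"        set mappedip \"{MAPPED_IP}\"",
                  "        set protocol tcp",
                  f"        set extport {v.extport}",
                  f"        set mappedport {v.mappedport}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


def render_vipgrp(group_name, vips):
    """config firewall vipgrp entry listing the VIPs as members (assumed syntax)."""
    members = " ".join(f'"{v.name}"' for v in vips)
    return "\n".join(["config firewall vipgrp", f'    edit "{group_name}"',
                      f"        set member {members}", "    next", "end"])


def forwarded_ports(vips):
    """External ports reachable through the VIPs."""
    return {v.extport for v in vips}


def check_policy_services(services, vips):
    """Return review findings for a policy's Service list; empty means it matches the VIPs.

    A Service of ALL leaves port restriction entirely to the VIP definitions
    instead of the policy; the recipe restricts Service to HTTP, FTP and SSH.
    """
    findings = []
    wanted = forwarded_ports(vips)
    if "ALL" in services:
        findings.append("policy Service is ALL; the recipe restricts it to the forwarded "
                        f"services (ports {sorted(wanted)})")
        return findings
    for name in services:
        if name not in SERVICE_PORTS:
            findings.append(f"service {name!r} is not in SERVICE_PORTS; check it manually")
    allowed = {SERVICE_PORTS[s] for s in services if s in SERVICE_PORTS}
    for port in sorted(allowed - wanted):
        findings.append(f"policy allows port {port} but no VIP forwards it")
    for port in sorted(wanted - allowed):
        findings.append(f"VIP forwards port {port} but the policy does not allow it")
    return findings


if __name__ == "__main__":
    print(render_vips(RECIPE_VIPS))
    print(render_vipgrp("webserver group", RECIPE_VIPS))
    print(check_policy_services(["HTTP", "FTP", "SSH"], RECIPE_VIPS))
    print(check_policy_services(["ALL"], RECIPE_VIPS))
    # As the recipe's note says, any external port can map to any listening
    # port, e.g. external 2222 forwarded to the server's SSH port 22.
    print(render_vips([Vip("webserver-ssh-alt", 2222, 22)]))
```

With `check_policy_services` the mapped side does not matter; only the external ports are compared, which is what a remote user can reach.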

 

For further reading, check out Virtual IPs in the FortiOS 5.4 Handbook.

Notes:

  • While this example maps port 80 to port 80, any valid External Service port can be mapped to any listening port on the destination computer.
  • If the FortiGate has Central NAT enabled, the VIP objects will not be available for selection in the policy editing window.

Setting up a WiFi Bridge with a FortiAP


In this example, you will set up a WiFi network with a FortiGate managing a FortiAP in Bridge mode.

You can configure a FortiAP unit in either Tunnel or Bridge mode. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet. Tunnel mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only subnet for wireless traffic.

For information about using a FortiAP in Tunnel mode, see Setting up WiFi with a FortiAP.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

1. Connecting and authorizing the FortiAP unit

Go to Network > Interfaces and edit the lan interface.

Set Addressing Mode to Manual and set an IP/Network Mask.

Under Administrative Access, enable CAPWAP and optionally enable PING to test your connection.

Enable the DHCP Server.

Under Networked Devices, enable both Device Detection and Active Scanning.


Connect the FortiAP to the lan interface.


Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The device is not yet authorized, as indicated by the icon in the State column.

By default, the FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them.


Right-click on the FortiAP, and select Authorize.


The device interface will be down initially, but after a few minutes, hit the Refresh button and the icon in the State column will confirm that the device is authorized.

Verify that your FortiAP is on the latest firmware. If the OS Version shows that a newer firmware version is available, check the release notes for your product.


 

You can download the firmware images from the Support Site to your Local Hard Disk, or you can select A new firmware version is available and download the latest version directly from FortiGuard.


2. Creating an SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to AP Bridge, creating a local bridge with the FortiAP’s interface.

Configure the WiFi Settings as you would for a regular wireless network and set a secure Pre-shared Key.

 

3. Creating a custom FortiAP profile

Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile.

Set Platform to the FortiAP model you are using (FAP221C).

Select the Country/Region. You can optionally change your AP Login Password.

Under Radio 1, set the Mode to Access Point.

Set SSID to use the new SSID profile (in the example, MyWiFi).

Set Radio 2 to Disabled. 

 


 

Go to WiFi & Switch Controller > Managed FortiAPs and right-click on the FortiAP. Select Assign Profile and set the FortiAP to use the new FortiAP profile (in the example, MyProfile).


4. Results

Connect to the SSID with a wireless device. After a connection is established, you can browse the Internet using the wireless network configured in this recipe. 


On the policy list page, right-click on your lan to wan Internet access policy and click Show in FortiView.


View the session details; more information is available under the various tabs (Sources, Destinations, Applications, Countries, Sessions).


Go to Log & Report > WiFi Events to see the detected client IP and authentication logs.


You can also go to Monitor > WiFi Client Monitor for user details and Monitor > WiFi Health Monitor for the AP Status.

This shows that one device is connected to the AP and shows a client count over time. 

 

For further reading, check out Wireless Networks in the FortiOS 5.6 Handbook.

Notes:

  • Some FortiGates may not have an Active Scanning option; it is not required for this recipe.
  • It may take a few minutes for the FortiAP to appear in the Managed FortiAPs list.
  • The automatic addition of discovered FortiAPs to the list can be disabled in the CLI. See Deploying Wireless Networks.
  • Alternatively, select the FortiAP unit in the list and select Authorize from the top menu.
  • Leave Radio 2 enabled only if you wish to use a second radio.
  • The policy list is located under Policy & Objects > IPv4 Policy.

Website Maintenance – June 28, 2017

IPsec VPN to Microsoft Azure


The following recipe demonstrates how to configure a site-to-site IPsec VPN tunnel to Microsoft Azure™.

Using FortiOS 5.6, the example describes how to configure the tunnel at each end, avoiding overlapping subnets, so that a secure tunnel can be established.

PREP 10 mins      COOK 25 mins      TOTAL 35 mins

Ingredients

  • One (1) FortiGate with an Internet-facing IP address.
  • One (1) valid Microsoft Azure account.

Directions

1. Configuring the Microsoft Azure virtual network

Log into Microsoft Azure and click New. In the Search the marketplace field, type “Virtual Network”.

Locate Virtual Network from the returned list and click to open the Virtual Network blade.

Near the bottom of the Virtual Network blade, from the Select a deployment model list, select Resource Manager, and then click Create.

On the Create virtual network blade, fill in the values for your Virtual Network settings and click Create.

2. Specifying the Microsoft Azure DNS server

Open the virtual network you just created, navigate to DNS Servers, and click to open the DNS servers blade.

Enter the IP address of the DNS server and click Save at the top of the blade.

3. Creating the Microsoft Azure virtual network gateway

In the portal dashboard, go to New.

Search for “Virtual Network Gateway” and select it to open the Create virtual network gateway blade.

In the Create virtual network gateway blade, fill in the values for your virtual network gateway.

 

Create a Public IP address if necessary and click Create at the bottom.

Provisioning the virtual network gateway may take some time.

You will receive a notification about the deployment.

4. Creating the Microsoft Azure local network gateway

From the dashboard, select All resources.

Click +Add and then choose to See all.

 

In the Everything blade search box, type Local network gateway, and select Create local network gateway.

Set IP address to the local network gateway address (the FortiGate’s external IP address). 

Fill in the remaining values for your local network gateway and click Create.

5. Configuring the FortiGate tunnel

Go to VPN > IPsec Wizard.

Enter a Name for the tunnel, select Custom, and click Next.

Set the Remote Gateway to Static IP Address, and include the gateway IP Address provided by Microsoft Azure.

Set the Local Interface to wan1.

Disable NAT Traversal and set Dead Peer Detection to On Idle.

Under Authentication, enter a Pre-shared Key and ensure that you enable IKEv2.

 

Under Phase 1 Proposal set the Encryption algorithm to AES 128 and the Authentication algorithm to SHA256.

Select 2 for Diffie-Hellman Group.

Set Key Lifetime (seconds) to 28800.

Scroll down to Phase 2 Selectors and expand the Advanced section.

Set the Encryption type to match Phase 1.

Disable Perfect Forward Secrecy.

Set Key Lifetime Seconds to 27000.

6. Creating the Azure firewall object

Go to Policy & Objects > Addresses and create a firewall object for the Azure VPN tunnel subnet.

7. Creating the FortiGate firewall policies

Go to Policy & Objects > IPv4 Policy and create a new policy for the site-to-site connection that allows outgoing traffic.

Set the Source Address and Destination Address using the firewall objects you just created.

Ensure that NAT is disabled.

Create a second policy for the same connection to allow incoming traffic.

This time, invert the Source Address and Destination Address.

8. Creating the FortiGate static route

Go to Network > Static Routes and create a new static route forcing outgoing traffic destined to the Microsoft Azure network to flow through the route-based tunnel.

Set the Administrative Distance to a value lower than the value set for the existing default route.
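The FortiGate side of steps 5 to 8 expressed as FortiOS CLI, as an added example that is not part of the recipe (the IPsec wizard writes equivalent objects). The tunnel name ToAzure, the LAN interface internal, the local subnet 192.168.1.0/24 and the Azure virtual network 10.1.0.0/16 are assumptions; the Azure gateway address and pre-shared key are placeholders. The proposal, DH group, key lifetimes, NAT traversal and DPD values are the ones given in the steps above.

```fortios
# Added example: CLI equivalent of steps 5-8 (not from the recipe).
# Assumed values: tunnel "ToAzure", LAN interface "internal",
# local subnet 192.168.1.0/24, Azure VNet 10.1.0.0/16.
# <AZURE_GATEWAY_IP> and <PSK> are placeholders to replace.

# Step 5: Phase 1 (IKEv2, AES128/SHA256, DH group 2, 28800 s,
# NAT traversal disabled, DPD on idle)
config vpn ipsec phase1-interface
    edit "ToAzure"
        set interface "wan1"
        set ike-version 2
        set remote-gw <AZURE_GATEWAY_IP>
        set peertype any
        set proposal aes128-sha256
        set dhgrp 2
        set keylife 28800
        set nattraversal disable
        set dpd on-idle
        set psksecret <PSK>
    next
end

# Step 5: Phase 2 (encryption matches Phase 1, PFS off, 27000 s)
config vpn ipsec phase2-interface
    edit "ToAzure-p2"
        set phase1name "ToAzure"
        set proposal aes128-sha256
        set pfs disable
        set keylifeseconds 27000
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.0.0
    next
end

# Step 6: address objects for both ends of the tunnel
config firewall address
    edit "LAN_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Azure_VNet"
        set subnet 10.1.0.0 255.255.0.0
    next
end

# Step 7: one policy per direction, NAT disabled on both
config firewall policy
    edit 0
        set name "LAN-to-Azure"
        set srcintf "internal"
        set dstintf "ToAzure"
        set srcaddr "LAN_subnet"
        set dstaddr "Azure_VNet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "Azure-to-LAN"
        set srcintf "ToAzure"
        set dstintf "internal"
        set srcaddr "Azure_VNet"
        set dstaddr "LAN_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Step 8: static route for the Azure network through the tunnel
# interface, with a distance lower than the default route (10 by default)
config router static
    edit 0
        set dst 10.1.0.0 255.255.0.0
        set device "ToAzure"
        set distance 5
    next
end
```

After the Azure connection is created (step 9), diagnose vpn ike gateway list shows whether IKE negotiated and diagnose vpn tunnel list shows the negotiated SAs and counters for the tunnel. Note that DH group 2 and PFS disabled are the weakest settings in this configuration; they are chosen here to match the Azure side, so raise them only if both peers agree on the stronger values, otherwise Phase 1 or Phase 2 will simply fail to negotiate.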

9. Creating a Microsoft Azure Site-to-Site VPN connection

In the Azure portal, locate and select your virtual network gateway.

On the Settings blade, click Connections, and then click Add at the top of the blade to open the Add connection blade.

 

Fill in the values for your connection and click OK.

Make sure that the Shared Key (PSK) matches the shared key configured on the FortiGate in step 5.

10. Results

Go to Monitor > IPsec Monitor. You should see that the tunnel is UP.

If it is down, right-click the tunnel and select Bring Up.

Go to Log & Report > VPN Events

Select an entry to view more information and verify the connection.

Return to the Microsoft Azure portal, click All resources and navigate to your virtual network gateway.

On the blade for your virtual network gateway, click Connections. You can see the status of each connection.

Click the name of the connection that you want to verify to open Essentials.

In Essentials, you can view more information about your connection.

The Status is ‘Connected’ when you have made a successful connection.

Ingress and egress bytes confirm traffic flowing through the tunnel.

 

This prep time assumes the time it takes to create a Microsoft Azure account.
“Cook” time is largely dependent on Azure resource deployment times, which may vary.
All times listed are approximations.
Located under All Resources > MyMainGateway (Virtual network gateway) > Overview > Public IP address. Note that it may take some time for this address to populate.
If the tunnel fails to come up, begin troubleshooting by double-checking the encryption algorithm and PSK settings match on both ends for Phase 1 and Phase 2. For other troubleshooting tips, refer to IPsec VPN Troubleshooting.



Captive Portal bypass for Apple updates and Chromebook authentication


In this example, you will allow WiFi traffic to specific destinations from Apple devices or Google Chromebooks to bypass your Captive Portal. This allows those devices to receive updates or device logon authentication, a process which a Captive Portal would interrupt.

Not all users or traffic types need to be authorized and authenticated by the Captive Portal. In some circumstances, the authentication required by the Captive Portal can cause problems that impact the functionality of your users' mobile devices or laptops.

Chromebooks require user authentication to log onto the device, which can be blocked by the captive portal's own requirement for user authentication before network access is granted.

Apple devices use Captive Network Assistant (CNA), which can detect the use of a captive portal. The Apple device attempts to visit the page captive.apple.com. If the request succeeds, the CNA does not load, but if it fails, the CNA launches a browser to prompt the user with the login page from the captive portal. When this browser is inadvertently closed or ignored, the device is disconnected from the network. Often the user is unaware of this and does not know why email and updates are not being downloaded.

1. Creating a user account and user group

Go to User & Device > User Definition and create a Local user. Create additional users as needed. You can use any authentication method.

Go to User & Device > User Groups.

Create a user group for employees and add the new user(s) to the group.

2. Creating firewall addresses

We need to create address objects to be used for the exemptions. Go to Policy & Objects > Addresses and create an FQDN address for accounts.google.com.

Create an FQDN address object for gstatic.com.

Create an IP/Netmask address object for the apple Subnet range 17.0.0.0/8.

Create an FQDN address object for captive.apple.com.

Create IP/Netmask address object(s) for any external DNS servers the client computers might use.

3. Creating the SSID

Go to WiFi Controller > SSID and configure your wireless network.

Configure DHCP addressing for clients.

Configure Captive Portal authentication using the Forti-WiFi-users user group.

Set Exempt Destination Services to exempt the addresses created in the previous step.

4. Creating the security policy

Create an address for your SSID, using the same IP range that was set on the DHCP server.

Go to Policy & Objects > IPv4 Policy and create a policy allowing WiFi users to connect to the Internet. Select the Fortinet-WiFi-IP-range for the permitted Source Addresses.

Enable NAT.

The Web Filter and Application Control security profiles are enabled so that we can see the results of our configuration. Enable these profiles and others to provide secure Internet access to your wireless clients.
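The exemption objects from steps 2 to 4 in CLI form, as an added example that is not part of the recipe. The exempt-list name captive-bypass, the SSID name Guest-WiFi, the client range 192.168.20.0/24 (the range the Results section shows clients in) and the DNS server 8.8.8.8 are assumptions; the SSID itself, with its DHCP settings, is assumed to already exist from step 3. The config user security-exempt-list keys are given as they appear in the FortiOS 5.4 CLI reference; confirm them with ? on your firmware.

```fortios
# Added example: CLI form of steps 2-4 (not from the recipe).
# Assumed names: exempt list "captive-bypass", SSID "Guest-WiFi",
# client range 192.168.20.0/24, DNS server 8.8.8.8 (constructed sample).

# Step 2: destination objects. FQDN objects only match once the name
# has been resolved, so the clients' DNS servers are exempted as well;
# without that, nothing before login can ever be resolved.
config firewall address
    edit "accounts.google.com"
        set type fqdn
        set fqdn "accounts.google.com"
    next
    edit "gstatic.com"
        set type fqdn
        set fqdn "gstatic.com"
    next
    edit "captive.apple.com"
        set type fqdn
        set fqdn "captive.apple.com"
    next
    edit "Apple_17.0.0.0_8"
        set subnet 17.0.0.0 255.0.0.0
    next
    edit "Client_DNS"
        set subnet 8.8.8.8 255.255.255.255
    next
    edit "Fortinet-WiFi-IP-range"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# Step 3: exemption rules, then bind the list to the captive-portal SSID
config user security-exempt-list
    edit "captive-bypass"
        config rule
            edit 1
                set srcaddr "Fortinet-WiFi-IP-range"
                set dstaddr "accounts.google.com" "gstatic.com" "captive.apple.com" "Apple_17.0.0.0_8"
                set service "ALL"
            next
            edit 2
                set srcaddr "Fortinet-WiFi-IP-range"
                set dstaddr "Client_DNS"
                set service "DNS"
            next
        end
    next
end

config wireless-controller vap
    edit "Guest-WiFi"
        set security captive-portal
        set selected-usergroups "Forti-WiFi-users"
        set security-exempt-list "captive-bypass"
    next
end

# Step 4: SSID-to-Internet policy with NAT (security profiles are
# enabled on this policy in the GUI as described above)
config firewall policy
    edit 0
        set name "WiFi-to-Internet"
        set srcintf "Guest-WiFi"
        set dstintf "wan1"
        set srcaddr "Fortinet-WiFi-IP-range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Keep in mind what an exemption is: every destination in the list is reachable by unauthenticated clients, and 17.0.0.0/8 is Apple's entire allocation, not only the update and push services. The FortiView and Forward Traffic Log checks in the Results section are where you confirm that the only pre-login sessions are to the destinations you intended to exempt.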

5. Connecting and authorizing the FortiAP

Go to System > Interface and edit the interface the FortiAP connects to.

Set Administrative Access to allow CAPWAP.

The FortiAP will broadcast for the controller using the CAPWAP protocol. Go to WiFi Controller > Managed FortiAPs.

The FortiAP is listed, with a grey question mark beside it because the device is not authorized.

Highlight the FortiAP unit on the list and select Authorize.

A green check mark is now shown beside the FortiAP, showing that it is authorized and online.

Go to WiFi Controller > WiFi Network > FortiAP Profiles and edit the profile. For each radio:

Enable Radio Resource Provision.

Select your SSID.

 

6. Results

Connect your Chromebook or Apple device to the captive portal SSID.

The user’s device shows the WiFi network as “open” and associates with it without requesting credentials.

On the Chromebook you will be able to log onto the device and authenticate with Google accounts.

On the Apple device you will not get the CNA prompt with the captive portal popup, requesting you to authenticate. The Apple device will stay connected to the WiFi.

Go to WiFi Controller > Monitor > Client Monitor to see connected users.

In this example a Chromebook is displayed with the IP address of 192.168.20.3. The user has authenticated against the portal.

An iPhone is listed with the IP address of 192.168.20.4. A User is not listed as they have not yet authenticated against the portal. We can see in the Bandwidth TX/RX column, that there is bidirectional traffic.

Go to FortiView > Sources

Review the current sessions of the connected network clients, by drilling down through each layer to view the related sessions.

In this example, we see the sessions for the connected Chromebook. You can see towards the bottom that the sessions happened prior to the user authentication against the portal. This proves the result of our exemption list.

Go to FortiView > Policies

Review the current sessions of the connected network clients for the SSID to internet security policy, by drilling down through each layer to view the related sessions.

In this example, we see the sessions for the connected iPhone. We see that the user has not yet authenticated against the portal, but the iPhone is making DNS requests and accessing the apple subnet. This proves the result of our exemption list.

Go to Log & Report > Forward Traffic Log

Review the traffic and destinations for the Apple iPhone.

In these logs you can see that the iPhone is receiving push notifications prior to the captive portal logon.

The first time that a wireless user attempts to use a web browser, the captive portal login screen is displayed. Users who are members of the Forti-WiFi-users group can log on using their username and password and proceed to access the wireless network.

For more information, see Captive Portals in the FortiOS 5.4 handbook.



Certificate errors for blocked websites


Avoiding certificate errors when SSL inspection is applied to traffic is an in-demand topic. There are a number of methods that you can use to prevent these warnings: installing self-signed certificates on client devices, using a certificate signed by a trusted CA, or using the certificate-inspection profile for SSL inspection. However, for all of these methods, certificate errors can still occur when you’ve blocked access to a page using web filtering and the FortiGate attempts to display a replacement message for that site using HTTPS.

This error occurs because, by default, the FortiGate does not use the same certificate for SSL inspection and the encryption of the replacement messages. To avoid these errors, you should first determine which certificate your FortiGate uses for replacement messages using the CLI. The command differs depending on which version of FortiOS you are using:

FortiOS 5.2 and earlier:

config webfilter fortiguard
# get 
cache-mode : ttl 
cache-prefix-match : enable 
cache-mem-percent : 2 
ovrd-auth-port-http : 8008 
ovrd-auth-port-https: 8010 
ovrd-auth-port-warning: 8020 
ovrd-auth-https : enable 
warn-auth-https : enable 
close-ports : disable 
request-packet-size-limit: 0 
ovrd-auth-hostname : 
ovrd-auth-cert : Fortinet_Firmware

The certificate Fortinet_Firmware is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.

FortiOS 5.4 and later:

config user setting 
# get
auth-type : http https ftp telnet 
auth-cert : Fortinet_Factory 
auth-ca-cert : 
auth-secure-http : disable 
auth-http-basic : disable 
auth-timeout : 5 
auth-timeout-type : idle-timeout 
auth-portal-timeout : 3 
radius-ses-timeout-act: hard-timeout 
auth-blackout-time : 0 
auth-invalid-max : 5 
auth-lockout-threshold: 3 
auth-lockout-duration: 0 
auth-ports:

The certificate Fortinet_Factory is used by default. To avoid errors, you can either change this certificate to the certificate used for SSL inspection or you can install this certificate on all client devices. Which solution you choose depends on your own environment and what certificates you are already using.
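The first option above, pointing the replacement-message certificate at the CA used for deep inspection, as an added CLI example that is not part of the recipe. Fortinet_CA_SSL (FortiOS 5.4 and later) and Fortinet_CA_SSLProxy (5.2) are assumed to be the default deep-inspection CA names on those releases; if your deep-inspection profile signs with a self-signed or enterprise CA instead, substitute that name.

```fortios
# Added example (not from the recipe): use the same CA for replacement
# messages that the deep-inspection profile uses, so a client that
# already trusts that CA gets no warning on a blocked HTTPS page.
# "Fortinet_CA_SSL" / "Fortinet_CA_SSLProxy" are assumed default names;
# list the certificates actually present with:  show vpn certificate local

# First check which CA the inspection profile signs with (caname)
show firewall ssl-ssh-profile deep-inspection

# FortiOS 5.4 and later: replacement/authentication certificate
config user setting
    set auth-cert "Fortinet_CA_SSL"
end

# FortiOS 5.2 and earlier
config webfilter fortiguard
    set ovrd-auth-cert "Fortinet_CA_SSLProxy"
end

# Confirm the change took effect
get user setting | grep auth-cert
```

Aligning the two certificates only removes the error for clients that trust the inspection CA. If that CA has not been installed on the client devices, the replacement page will now fail with the same untrusted-issuer warning as inspected sites do, which is the second option the text describes.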

For more information about SSL inspection and certificate errors, see the following resources:



SFP Transceivers


This recipe shows you how to install and remove SFP transceivers from your device.

SFP transceivers are static sensitive devices. Use an ESD wrist strap or similar grounding device when handling transceivers.

Do not force the SFP transceivers into the cage slots. If the transceiver does not easily slide in and click into place, it may not be aligned correctly or may be upside down. If this happens, remove the SFP transceiver, realign it or rotate it and slide it in again.

Note: Installing and removing SFP transceivers can shorten their useful life. Do not install or remove transceivers more than is necessary.

To Install the SFP Transceivers

  1. Ensure that you are properly grounded.
  2. Remove the caps from the SFP cage sockets on the front panel of the unit.
  3. Position the SFP transceiver in front of the cage socket opening and ensure that the transceiver is correctly oriented. When the transceiver is correctly oriented, the extraction lever will be level with the socket latch.
    Note: SFP cage socket orientation may vary. Ensure that the SFP transceiver module is correctly oriented each time that you are inserting a transceiver.
  4. Hold the sides of the SFP transceiver and slide it into the cage socket until it clicks into place.
  5. Press transceiver firmly into the cage socket with your thumb.
  6. Verify that the transceiver is latched correctly by grasping the sides of the transceiver and trying to pull it out without lowering the extraction lever.
    If the transceiver cannot be removed, it is installed and latched correctly.

    If the transceiver can be removed, reinsert it and press harder with your thumb.

    If necessary, repeat this process until the transceiver is securely latched into the cage socket.

To Remove the SFP Transceivers 

  1. Ensure that you are properly grounded.
  2. If applicable, disconnect the fiber-optic cable from the transceiver connector and install a clean dust plug in the transceiver’s optical bores.
  3. Pull the extraction lever out and down to eject the transceiver. If you are unable to use your finger to open the lever, use a small flat-head screwdriver or other similar tool to open the lever.
  4. Hold the sides of the transceiver and carefully pull it away from the cage socket.
  5. Replace the cap on the SFP cage socket and place the removed SFP transceiver into an antistatic bag.

Caution: Do not install or remove SFP transceivers while fiber-optic cables are still attached. This can cause damage to the cables, cable connectors, and the optical interfaces. It may also prevent the transceiver from latching correctly into the socket connector.

Note: Follow proper fiber-optic handling procedures when installing and removing SFP transceivers to ensure the devices remain clean and are not damaged.



Basic FortiAnalyzer Installation Guide


The following FortiAnalyzer devices use the basic installation guide.

  • 200D
  • 300D
  • 400C
  • 1000C
  • 1000D
  • 2000B
  • 3000D
  • 3000E
  • 3500F
  • 3900E
  • 4000B
  • 4000D-BD

The devices can be placed on any flat surface, or mounted in any standard 19 inch rack unit with the provided rack-mount brackets and screws.

If the unit has a redundant power supply, each power cable should be connected to a different power source. In this way, if one power source fails, the other may still be operational and the unit will not lose power.

Installing the FortiAnalyzer into a Rack

  1. Ensure that the FortiAnalyzer unit is placed on a stable surface prior to rack-mount installation.
  2. Attach the provided rack-mount brackets to the sides of the unit using the provided bracket screws.
    1. If you are installing the unit into a four-post rack, attach the rack-mount brackets with the handles aligned with the front of the FortiAnalyzer unit.
    2. If you are installing the unit into a two-post rack, attach the rack-mount brackets with the handles aligned with the middle of the FortiAnalyzer unit.
  3. Position the FortiAnalyzer unit in the rack. Ensure there is enough room around the unit to allow for sufficient air flow.
  4. Line up the rack-mount bracket holes to the holes on the rack and ensure that the FortiAnalyzer unit is level.
  5. Finger tighten four rack-mount screws to attach the unit to the rack.
  6. Verify that the spacing around the FortiAnalyzer unit conforms to requirements and that the unit is level, then tighten the rack-mount screws with an appropriate screwdriver.
  7. Plug the provided power cable into the rear of the unit and then into a grounded electrical outlet or a separate power source, such as an uninterruptible power supply (UPS) or a power distribution unit (PDU).

Installing the Device on a Flat Surface

  1. Ensure that the surface onto which the FortiAnalyzer unit to be installed is clean, level, and stable and that there is at least 1.5in (3.8cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the provided rubber feet to the bottom of the FortiAnalyzer unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the FortiAnalyzer unit conforms to requirements and that the unit is level.
  5. Plug the provided power cable into the rear of the unit and then into a grounded electrical outlet or a separate power source, such as an uninterruptible power supply (UPS) or a power distribution unit (PDU).


FortiAnalyzer Installation Guide with Cable Management Arm


The following FortiAnalyzer devices use this installation guide.

  • 1000E
  • 2000E
  • 3000F
  • 3700F

They can be mounted in any standard 19 inch rack unit with the provided mounting hardware.

A rack stabilizing mechanism must be in place, or the rack must be bolted to the floor, before you slide the unit out for servicing. Failure to stabilize the rack can cause the rack to tip over.

Do not pick up the device with the front handles. They are designed to pull the system from a rack only.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Do not place heavy objects on the unit.

Rack Precautions

Ensure the leveling jacks on the bottom of the rack are fully extended to the floor with the full weight of the rack resting on the jacks.

  • For single rack installation, stabilizers should be attached to the rack.
  • For multiple rack installations, the racks should be coupled together.
  • Ensure the rack is stable before extending a component from the rack.
  • Only extend one component at a time; extending two or more simultaneously may cause the rack to become unstable.

After installing the device into the rack, install the hard disk drives into the device.

Rail Rack Parts

The rail assembly consists of three parts:

  • Outer rail: connects to the rack
  • Middle rail: connects the inner and outer rails
  • Inner rail: connects to the device.

The inner rail has a locking tab that locks the device into place when it is installed and pushed into the rack. This prevents the device from sliding fully out of the rack when the device is being worked on.

There are five steps to install the device into the rack:

  1. Disassemble the rail assembly
  2. Attach the inner rails to the device
  3. Install the outer rails on a rack
  4. Install the device into the rack
  5. Install the cable management arm

Disassembling the Rail Assembly

  1. Identify the left and right rail assemblies.
  2. Pull out the inner rail until it is fully extended.
  3. Press down the locking tab to release the inner rail.
  4. Remove the inner rail from the outer rail.
  5. Repeat steps 2 – 4 for the remaining rail assembly.

Do not pick up the server by the front handles. They are designed to only pull the unit from the rack.

Attaching the Inner Rails to the Device

  1. Ensure that the right and left rails are correctly identified.
  2. Place the inner rail against the side of the device, ensuring that the hooks on the side of the device align with the holes in the rail.
  3. Slide the rail towards the front of the device until the rail clicks into the locked position.
  4. Optionally, secure the rail to the device using the provided M4 Flat Head screws.
  5. Repeat steps 2 – 4 for the remaining rail.

Installing the Outer Rails on a Rack

  1. Press up on the locking tab on the back of the middle rail.
  2. Push the middle rail back into the outer rail.
  3. Hang the hooks on the front of the outer rail to the slots on the rack. Use two of the provided washers and M5 12L Flat Head screws to secure the rail to the rack.
  4. Pull out the back of the outer rail to adjust its length until it fits properly in the rack.
  5. Hang the hooks on the back of the rail to the slots on the back of the rack. Use two of the provided washers and M5 12L Flat Head screws to secure the rail to the rack.
  6. Repeat steps 1 – 5 for the remaining rail.

Installing the Device into the Rack

  1. Ensure that the inner rails are properly connected to the device, and that the outer rails are securely attached to the rack.
  2. Pull the middle rail out from the front of the outer rail until it locks.
  3. Align the inner rails with the middle rails and slide the device onto the rails until the locking tab on the inner rails clicks into the front of the middle rails. Ensure that even pressure is applied to both sides of the device while doing this.
  4. Push down the locking tabs on both sides at the same time, then push the device all the way into the rack.
  5. When the unit has been completely pushed into the rack, the locking tabs will click into the locked position.
  6. Install the hard disk drives into the device.

Installing the Cable Management Arm

  1. Slide the device part way out of the rack to provide space for installing the cable management arm.
  2. Attach the inner member connector to the back end of the right inner rail (when looking at the front of the device).
  3. Attach the supporting bar connector to the back end of the right middle rail.
  4. Attach the supporting bar connector to the back end of the left middle rail.
  5. Attach the outer member connector to the back end of the left outer rail.
  6. Plug the supplied power cables into the power supplies on the back of the device, and connect any other required cables.
  7. Open the red caps and route the cables through the wire carrier. This is important to ensure that cables are not damaged when sliding the device in and out of the rack.
  8. Fasten the cables using the provided straps and the aluminum joints and U bracket. Use two straps on each joint and one on each connector.
  9. Slide the chassis in and out to ensure that the cable management arm’s motion is smooth. If it is not, loosen the straps as required.
  10. If required, adjust the location of the U bracket to ensure that it does not interfere with the power source.

Connecting the Device

  1. Plug the power cables into grounded electrical outlets or separate power sources, such as uninterruptible power supplies (UPS) or power distribution units (PDU).
  2. Insert the Ethernet cable into a router or switch that is connected to the Internet.
  3. Press the power button on the system to turn on the device.

Both power supplies are required for normal operation. For additional security, secure the chassis handles to the front of the rack with the provided M5 20L Truss Head screws.


FortiAnalyzer 400E Installation Guide


The FortiAnalyzer-400E can be mounted in any standard 19 inch rack unit with the provided mounting hardware.

The rack must be stabilized before sliding the unit out for servicing. Failure to stabilize may cause the rack to tip over.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Do not place heavy objects on the unit.

Rack Precautions

  • Ensure the leveling jacks on the bottom of the rack are fully extended to the floor with the full weight of the rack resting on the jacks.
  • For single rack installation, stabilizers should be attached to the rack.
  • For multiple rack installations, the racks should be coupled together.
  • Ensure the rack is stable before extending a component from the rack.
  • Only extend one component at a time; extending two or more simultaneously may cause the rack to become unstable.

Rail Rack Identification

The rail mount kit includes two rail assemblies. Each assembly consists of two sections:

  • A fixed inner rail that secures directly to the unit
  • A fixed outer rail that secures directly to the rack

Both rail assemblies have locking tabs. The tabs lock the unit into place when installed into the rack and when fully extended from the rack. This prevents the device from sliding fully out of the rack when the device is being worked on.

Inner Rail Extensions

Using the inner rail extensions is optional. Use the inner rail extensions to stabilize the unit within the rack.

  1. Ensure you have correctly identified the left and right rail extensions.
  2. Place the inner rail extension on the side of the unit and align the hooks on the unit with the holes on the rail extension. Make sure the inner rail extension faces out.
  3. Slide the extension toward the front of the unit.
  4. Secure the rail extension to the unit with the provided M4 6L inner rail screws.
  5. Repeat steps 1-4 for the other inner rail extension.

Do not pick up the server by the front handles. They are designed to only pull the unit from the rack.

Outer Rails

The outer rails attach to the rack and hold the unit in place.

  1. Attach the short bracket to the outside of the long bracket by aligning the pins with the slides. Both brackets must face the same direction.
  2. Adjust the short and long brackets to the appropriate length so that they fit securely into the rack.
  3. Secure the long bracket to the front side of the outer rail with the provided washers and M5 12L outer rail screws.
  4. Secure the short bracket to the back side of the outer rail with the provided washers and M5 12L outer rail screws.
  5. Repeat steps 1-4 for the other rail.

Rack Installation

  1. Ensure that there is enough room around the unit to allow for sufficient air flow.
  2. Ensure that the inner rails are properly connected to the device, and that the outer rails are securely attached to the rack.
  3. Align the inner rails with the rack rails and slide the device onto the rails. Ensure that even pressure is applied to both sides of the device while doing this.
  4. When the unit has been completely pushed into the rack, the locking tabs will click into the locked position.
  5. For additional security, insert and tighten the thumbscrews that hold the front of the unit to the rack.

After the device is installed in the rack and the hard disk drives are installed, plug the supplied power cables into the rear of the unit and then into grounded electrical outlets or separate power sources, such as uninterruptible power supplies (UPS) or power distribution units (PDU).



Feature Select confusion


In a product that has and uses a number of sophisticated technical features, one of the things that causes confusion on a regular basis is the fairly straightforward Feature Select section.

The confusion arises not from how to use the interface, but in what it actually does. This misunderstanding probably arises from a perfectly understandable assumption, based upon how many products, and even the FortiGate in some contexts, work.

In the Feature Select panel, there is a list of a number of FortiGate features that can be used and configured. Next to the feature name is a sliding toggle icon. Slide the toggle to the left and the icon is grayed out. Slide the toggle to the right and it is a nice bright color. Which bright color will depend on which color theme is being used on your FortiGate. The grayed-out icon represents a disabled status and the colorful icon shows that the feature is on.

The erroneous assumption that gets made here is that disabling the feature in this panel disables the feature on the FortiGate. What is actually happening is that the feature is being disabled within the GUI. It does not stop the feature from working on the FortiGate. 

This screenshot shows what the Network section of the GUI looks like with every feature turned on.

Now, we go into the Feature Select and turn off Advanced Routing.

Then we go back to the Network section to see what changes have taken place.

You’ll notice that now there are fewer options under the Network heading. The following options are no longer available:

There are reasons for this non-intuitive approach. The reason for having a setting that only removes something from the GUI is that the FortiGate can do so many things, and therefore has so many settings, that it is good practice to remove the clutter of options that are not going to be needed. The reason that large chunks of features and functions are not actually disabled is that there is a lot of interconnectivity between the various features and settings. A feature that you don't think you'll be using may include some settings that, while you don't see them, affect a feature that you do use.

Colorful Bonus:

It’s off topic, but this is a fairly short post, so I thought I’d throw in a little bonus piece of information. Since I made reference to the possible color variation of the toggle switches, here are the instructions for changing the color theme:

GUI

The option is located under System > Settings, down in View Settings.

Choose a color from the drop-down menu in the Theme field.

CLI

If you’re a command line cowboy, those settings are shown below. 

# config system global

(global) # set gui-theme ?
green       Green theme.
red         Red theme.
blue        Light blue theme.
melongene   Melongene theme (eggplant color).
mariner     Mariner theme (dark blue color).

(global) # set gui-theme green

(global) # end

The post Feature Select confusion appeared first on Fortinet Cookbook.


Episode 13: Technical Documentation


Send us your questions! We’re looking to do a Q&A episode of FortiCast and we need your help. If you have a question that needs an answer, email us at forticast@fortinet.com.


Members of the FortiOS documentation team shed some light on how Fortinet documentation gets made.

Technical Documentation resources

Subscribe to FortiCast



The post Episode 13: Technical Documentation appeared first on Fortinet Cookbook.

Decrypting ESP payloads using Wireshark


This recipe describes how to decrypt Encapsulated Security Payload (ESP) traffic on a FortiGate using the Security Association (SA) information from diag vpn tunnel list. This is useful for tracking whether the FortiGate is properly encrypting/decrypting IPsec VPN packets, and whether there is any packet loss.

1. Establishing the tunnel

If the tunnel is currently down, go to Monitor > IPsec Monitor, right-click the tunnel, and select Bring Up.

2. Capturing packets

Go to Network > Packet Capture and create a new entry.

Set Interface to the external-facing interface (in this case, wan1).

Select Enable Filters and enter Protocol 50 (the protocol number for ESP).


In the Packet Capture list, highlight the new entry and select Start/Resume Capturing to begin capturing packets for the next step.

Ping through the tunnel to populate the packet capture with traffic.

For example, in Windows Command Prompt, enter: ping x.x.x.x -n 100, where x.x.x.x is the remote tunnel endpoint (-n 100 will ping 100 times).

In the Packet Capture list on the FortiGate, select the Download option to save the .pcap file to your computer once the packets have been captured.

3. Configuring Wireshark

In Wireshark, open the .pcap file saved previously. 

Go to Edit > Preferences and navigate to Protocol > ESP.

Check all BUT Attempt to detect/decode NULL encrypted ESP payloads.

Select Edit… to open the ESP SAs configuration table. 

On the FortiGate, open the CLI Console and enter the command diag vpn tunnel list.

Make note of the information next to dec: and enc:. You will need the SPI information, as well as the ESP and AH keys for both the remote and local FortiGates.

In Wireshark’s ESP SAs configuration table, add a new entry for each direction of the tunnel.

Note the image in the example:

  • Src IP and Dest IP refer to the gateway addresses.
  • The SPI information in the diag output will help you determine which encryption and authentication keys to use for each direction.
  • Note that 0x must be prepended to the SPI entries as well as each of the Encryption and Authentication Keys.

Click OK when you are done.
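To keep track of which SA belongs to which direction, and where the 0x prefixes go, here is an added Python example (not part of the original recipe) that reads the dec:/enc: lines of a constructed diag vpn tunnel list excerpt and builds the rows for Wireshark’s ESP SAs table. The layout of the diag output, the local:port->remote:port order on the tunnel header line, and the Wireshark algorithm labels are assumptions; check them against your own output.

```python
import re

# Constructed excerpt shaped like the output of "diag vpn tunnel list" on a
# FortiGate; the gateways, SPIs and keys are made up, not from a real device.
SAMPLE_DIAG = """\
name=to_branch ver=1 serial=1 203.0.113.1:0->198.51.100.2:0
  dec: spi=0f1e2d3c esp=aes key=16 00112233445566778899aabbccddeeff
       ah=sha1 key=20 0123456789abcdef0123456789abcdef01234567
  enc: spi=4b3a2918 esp=aes key=16 ffeeddccbbaa99887766554433221100
       ah=sha1 key=20 76543210fedcba9876543210fedcba9876543210
"""

# Assumed mapping from FortiGate algorithm names to the labels Wireshark uses
# in its ESP SAs table; extend it if your tunnel uses other algorithms.
ESP_ALG = {"aes": "AES-CBC [RFC3602]", "3des": "TripleDES-CBC [RFC2451]", "null": "NULL"}
AH_ALG = {"sha1": "HMAC-SHA-1-96 [RFC2404]", "md5": "HMAC-MD5-96 [RFC2403]", "null": "NULL"}

# Assumed layout: "local_gw:port->remote_gw:port" on the tunnel header line.
GW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")
SA_RE = re.compile(
    r"^\s*(dec|enc): spi=([0-9a-f]+) esp=(\w+) key=\d+ ([0-9a-f]+)"
    r"\s+ah=(\w+) key=\d+ ([0-9a-f]+)", re.MULTILINE)

FIELDS = ("protocol", "src", "dst", "spi", "encryption", "encryption_key",
          "authentication", "authentication_key")

def esp_sa_entries(diag_output):
    """Return one Wireshark ESP SA row (a dict keyed by FIELDS) per direction."""
    local, remote = GW_RE.search(diag_output).groups()
    rows = []
    for direction, spi, esp, ekey, ah, akey in SA_RE.findall(diag_output):
        # "dec" is the SA this FortiGate uses to decrypt inbound packets, so the
        # peer is the source; "enc" protects what it sends, so it is the source.
        src, dst = (remote, local) if direction == "dec" else (local, remote)
        rows.append(dict(zip(FIELDS, (
            "IPv4", src, dst,
            "0x" + spi,                      # SPI and both keys need the 0x prefix
            ESP_ALG[esp.lower()], "0x" + ekey,
            AH_ALG[ah.lower()], "0x" + akey))))
    return rows

def esp_sa_uat_lines(diag_output):
    """Format the rows like entries in Wireshark's esp_sa table file."""
    return [",".join('"%s"' % row[f] for f in FIELDS)
            for row in esp_sa_entries(diag_output)]

if __name__ == "__main__":
    for line in esp_sa_uat_lines(SAMPLE_DIAG):
        print(line)
```

Paste the output of a real diag vpn tunnel list into SAMPLE_DIAG (or read it from a file) and the two printed rows are the entries to add in Wireshark, one per direction.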

4. Results

In this example, a missing packet is identified in the packet capture by the ICMP error “No response seen to ICMP request”.
Shown here is a packet capture without any errors.



The post Decrypting ESP payloads using Wireshark appeared first on Fortinet Cookbook.

High Availability with two FortiGates


In this recipe, a backup FortiGate unit will be installed and connected to a previously installed primary FortiGate to provide redundancy if the primary FortiGate fails.

Before you begin, the FortiGates should be running the same FortiOS firmware version and interfaces should not be configured to get their addresses from DHCP or PPPoE.

This recipe is in the Security Fabric collection. It can also be used as a standalone recipe.

This setup, called FortiGate High Availability (HA), improves network reliability. The previously installed FortiGate will continue to operate as the primary unit and the new FortiGate will operate as the backup FortiGate.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

1. Setting up registration and licensing

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before adding it to the cluster. This includes activation of FortiCloud and licenses for FortiGuard, FortiSandbox, and FortiClient, as well as entering a license key if you purchased more than 10 Virtual Domains (VDOMS). All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient and VDOMs. FortiToken licenses can be added at any time because they are synchronized to all cluster members.

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.

2. Configuring the Primary FortiGate for HA

Connect to the primary FortiGate GUI and go to System > Settings and change the Host Name to identify this as the primary FortiGate in the HA cluster.

Go to System > HA and set the Mode to Active-Passive. Set the Device Priority to a higher value than the default to make sure this FortiGate will always be the primary FortiGate. Also set a Group Name and Password.

Make sure that two Heartbeat Interfaces (port3 and port4 in this case) are selected and their priorities are both set to 50.

Since the backup FortiGate is not available, when you save the HA configuration, the primary FortiGate will form a cluster of one FortiGate but will keep operating normally.

If there are other FortiOS clusters on your network, you may need to change the cluster group id using this CLI command:

config system ha
    set group-id 25
end

3. Connecting the backup FortiGate

Connect the backup FortiGate to the primary FortiGate and the network as shown in the network diagram at the top of the recipe. Making these network connections will disrupt traffic so you should do this when the network is quiet.

If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.

Switches must be used between the cluster and the Internet and between the cluster and the internal networks as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections as long as you configure the switch to separate traffic from the different networks.

4. Configuring the backup FortiGate for HA

Connect to the backup FortiGate GUI and go to System > Settings and change the Host Name to identify this as the backup FortiGate.

Go to System > HA and duplicate the HA configuration of the primary FortiGate (except for the Device Priority): set the Mode to Active-Passive, set the Device Priority to a lower value than the default to make sure this FortiGate will always be the backup FortiGate. Also set the same Group Name and Password as the primary FortiGate.

Make sure that the same two Heartbeat Interfaces (port3 and port4) are enabled and their priorities are both set to 50.

If you changed the cluster group id for the primary unit, change it here too using this CLI command:

config system ha
    set group-id 25
end

When you save the backup FortiGate’s HA configuration, if the heartbeat interfaces are connected, the FortiGates will find each other and form a cluster. Network traffic may be disrupted for a few seconds while the cluster is negotiating.

5. Viewing the cluster status

Connect to the primary FortiGate GUI. The HA Status widget displays the cluster mode, group name, and includes the host name of the primary unit (master). Hover over the primary unit host name to verify that the cluster is synchronized and operating normally. You can also click on the widget to change the HA configuration or view a list of recently recorded cluster events such as members joining or leaving the cluster and so on.

Click on the HA Status widget and select Configure settings in System > HA (or go to System > HA) to view the cluster status.
If the cluster is part of a Security Fabric, the FortiView Physical and Logical Topology views show information about the cluster status.

6. Results

Traffic is now passing through the primary FortiGate. However, if the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate will process traffic.

Failover also causes the primary and backup FortiGate to reverse roles, even when both FortiGates are available again.

To test this, ping the IP address 8.8.8.8 using a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results, until traffic diverts to the backup FortiGate, allowing the ping traffic to continue.  

7. (Optional) Upgrading the firmware for the HA cluster

When a new version of the FortiOS firmware becomes available, upgrading the firmware on the primary FortiGate automatically upgrades the backup FortiGate’s firmware. Both FortiGates are updated with minimal traffic disruption.

Always review the Release Notes and Supported Upgrade Paths before installing new firmware.

From the admin menu, select Configuration > Backup. Always remember to back up your configuration before upgrading the firmware.

Click the System Information widget and select the option to update firmware. Update the firmware from FortiGuard or by uploading a firmware image file. The firmware loads onto both the primary and the backup FortiGates with minimal traffic interruption.

After the upgrade is complete, verify that the System Information widget shows the new firmware version.

For further reading, check out FGCP configuration examples and troubleshooting in the FortiOS 5.6 Handbook.

If you have not already installed a FortiGate, see Installing a FortiGate in NAT/Route mode.
Also, you cannot use a switch port as an HA heartbeat interface; if necessary, convert the switch port to individual interfaces (see Choosing your FortiGate’s switch mode).
If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.
If these steps don’t start HA mode, make sure that none of the FortiGate’s interfaces use DHCP or PPPoE addressing.
This example uses two FortiGate-600Ds and the default heartbeat interfaces are used (port3 and port4). You can use any interfaces for HA heartbeat interfaces. A best practice is to use interfaces that do not process traffic, but this is not a requirement.
If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.
For information about accessing firmware images, see Verifying and updating the FortiGate unit’s firmware.

The post High Availability with two FortiGates appeared first on Fortinet Cookbook.

Episode 14: FortiManager 5.6


Send us your questions! We’re looking to do a Q&A episode of FortiCast and we need your help. If you have a question that needs an answer, email us at forticast@fortinet.com.


Learn all about the new features in FortiManager 5.6.

FortiManager 5.6 resources

Subscribe to FortiCast



The post Episode 14: FortiManager 5.6 appeared first on Fortinet Cookbook.

FortiAnalyzer: Log Data Migration from an Old to a New FortiAnalyzer


This example illustrates how to migrate logs from an old FortiAnalyzer to a new FortiAnalyzer. 

When migrating logs, the firmware versions must be the same. For example, if you are migrating logs from an old FortiAnalyzer running 5.2 to a new FortiAnalyzer running 5.4, you must upgrade the 5.2 FortiAnalyzer to 5.4 firmware before aggregating and migrating logs to the new 5.4 FortiAnalyzer.

Migrating Prerequisites

  1. Make the old and new FortiAnalyzer the same firmware version.
    5.4.0 or later is preferred. 
  2. Migrate the Device Manager settings from the old FortiAnalyzer to the new one.
  3. Enable the Device List import/export options in the GUI by using the following command:
    config system admin setting
        set show-device-import-export enable
    end
  4. In the old FortiAnalyzer, export the Device List from the Device Manager.
  5. In the new FortiAnalyzer, import the Device List from the Device Manager.

Setting up the Aggregation Client

In FortiAnalyzer 5.6.0 and later, Log Aggregation is only available from the CLI.

Use the following command to set up the Aggregation Client:

config system aggregation-client
     edit 1
          set mode aggregation 
          set agg-user [ENTER ADMIN USER FOR NEW FORTIANALYZER]
          set agg-password [ENTER PASSWORD FOR NEW FORTIANALYZER]
          set agg-time 1 [LOG AGGREGATION START TIME]
          set server-ip [ENTER NEW FORTIANALYZER IP ADDRESS]
     next
end

Setting up the Aggregation Server

Use the following command to set up the Aggregation Server:

config system aggregation-service
     set accept-aggregation enable
end

After running the command, take note of the Instance ID. You will need to enter the Instance ID when running the aggregation command in the Client CLI.

Log Aggregation is not supported on all FortiAnalyzer models; check your specific device’s datasheet.

Running Aggregation in the Client CLI

You can initiate log aggregation via the GUI or the CLI console.

In the GUI, go to System > Log Forwarding > select Aggregation Profile > click Aggregate Now.

In the CLI, use the following command to aggregate logs in the Client:

exec log-aggregation all

Checking the Aggregation Progress on the Client

On the old FortiAnalyzer, go to System Settings > Event Log. When the log aggregation is completed, the following message will be displayed: Log aggregation session completed.

Rebuilding the Database

If you are migrating a large amount of logs, you will need to rebuild the database after log aggregation. 

Use the following command to rebuild the database:

exec sql-local rebuild-db

Debugging Log Aggregation

To debug log aggregation, use the following CLI command:

dia debug application log-aggregate 255
dia deb en

The post FortiAnalyzer: Log Data Migration from an Old to a New FortiAnalyzer appeared first on Fortinet Cookbook.
