Channel: Fortinet Cookbook

Brainpool curves in IKEv2 IPsec VPN


This recipe demonstrates how to establish a more secure IPsec VPN tunnel by using elliptic-curve “Brainpool curves” as the Diffie-Hellman groups, as specified in RFC 6954.

This recipe assumes that a VPN user group already exists. The example is demonstrated with a site-to-site IPsec VPN tunnel between an ‘HQ’ FortiGate and a ‘Remote Office’ FortiGate.

PREP 20 mins      COOK 5 mins      TOTAL 25 mins

1. Creating the HQ tunnel

For the sake of simplicity, you will create a site-to-site IPsec VPN tunnel using the VPN Creation Wizard. You will later convert it to a custom tunnel.

Go to VPN > IPsec Wizard.

Enter a Name for the tunnel.

Select the Site to Site template and set the Remote Device Type to FortiGate.

Click Next.

Set IP address to the remote gateway interface. The Outgoing Interface should populate automatically.

Enter a Pre-shared Key and click Next.

Select the Local Interface and set the Local Subnets and Remote Subnets. Ensure that the subnets do not overlap.

Click Create.

The VPN Creation Wizard provides a summary of the VPN configuration.

Click Show Tunnel List.

2. Customizing the HQ tunnel

In the IPsec Tunnels list, highlight the new tunnel and select Edit.

In the Edit VPN Tunnel dialog, click Convert to Custom Tunnel.

Edit the Authentication section and enable IKE Version 2.

Edit the Phase 1 Proposal section.

Deselect Diffie-Hellman groups 5 and 14 and select groups 28, 29, and 30.

Edit the Phase 2 Selectors section (don’t click the Add Button) and click Advanced….

Once again, deselect Diffie-Hellman groups 5 and 14 and select groups 28, 29, and 30.

Click OK.

3. Creating and customizing the Remote Office tunnel

Repeat steps 1 and 2 on the Remote Office FortiGate, alternating names and IP addresses appropriately.

Ensure that the same Phase 1 and Phase 2 selectors are applied and that there are no overlapping subnets.

4. Results

On either FortiGate, navigate to Monitor > IPsec Monitor and verify that the tunnel status is Up.

You can confirm the use of Brainpool curves by performing diagnostics on the tunnel:

Go to Monitor > IPsec Monitor, highlight the tunnel and select Bring Down.

Open the CLI Console (>_) and enter the following command:

diagnose debug application ike 63
diagnose debug enable

Return to Monitor > IPsec Monitor and bring the tunnel up again, then view the CLI Console.

While the SA proposal negotiates the tunnel, the output of the diagnose command should be similar to the following, where I’ve highlighted the relevant parts:

FGT_1 # ike 0: comes 172.25.177.56:500->172.25.176.56:500,ifindex=5....
ike 0: IKEv2 exchange=INFORMATIONAL id=262e65aad12e5e8e/598faf8398c7acbe:00000001 len=80
ike 0:HQ_to_Remote:7: received informational request
ike 0:HQ_to_Remote:7: processing delete request (proto 3)
ike 0:HQ_to_Remote: deleting IPsec SA with SPI 00f82773
ike 0:HQ_to_Remote:HQ_to_Remote: deleted IPsec SA with SPI 00f82773, SA count: 0
ike 0:HQ_to_Remote: sending SNMP tunnel DOWN trap for HQ_to_Remote
ike 0:HQ_to_Remote:7: sending delete ack
ike 0:HQ_to_Remote:7: sent IKE msg (INFORMATIONAL_RESPONSE): 172.25.176.56:500->172.25.177.56:500, len=80, id=262e65aad12e5e8e/598faf8398c7acbe:00000001
ike 0: comes 172.25.177.56:500->172.25.176.56:500,ifindex=5....
ike 0: IKEv2 exchange=CREATE_CHILD id=262e65aad12e5e8e/598faf8398c7acbe:00000002 len=656
ike 0:HQ_to_Remote:7: received create-child request
ike 0:HQ_to_Remote:7: responder received CREATE_CHILD exchange
ike 0:HQ_to_Remote:7: responder creating new child
ike 0:HQ_to_Remote:7:1: peer proposal:
ike 0:HQ_to_Remote:7:1: TSi_0 0:192.168.180.0-192.168.180.255:0
ike 0:HQ_to_Remote:7:1: TSr_0 0:192.168.1.0-192.168.1.255:0
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: trying
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: matched phase2
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: accepted proposal:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: TSi_0 0:192.168.180.0-192.168.180.255:0
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: TSr_0 0:192.168.1.0-192.168.1.255:0
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: autokey
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: incoming child SA proposal:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: proposal id = 1:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: protocol = ESP:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: encapsulation = TUNNEL
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=INTEGR, val=SHA
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP512BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP384BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP256BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=ESN, val=NO
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: matched proposal id 1
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: proposal id = 1:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: protocol = ESP:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: encapsulation = TUNNEL
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=INTEGR, val=SHA
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP512BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=ESN, val=NO
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: lifetime=43200
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: PFS enabled, group=30
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: replay protection enabled
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: set sa life soft seconds=42929.
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: set sa life hard seconds=43200.
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: IPsec SA selectors #src=1 #dst=1
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: src 0 7 0:192.168.1.0-192.168.1.255:0
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: dst 0 7 0:192.168.180.0-192.168.180.255:0
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: add IPsec SA: SPIs=2bf96e39/00f82774
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: added IPsec SA: SPIs=2bf96e39/00f82774
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: sending SNMP tunnel UP trap
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: responder preparing CREATE_CHILD message
ike 0:HQ_to_Remote:7: sent IKE msg (CREATE_CHILD_RESPONSE): 172.25.176.56:500->172.25.177.56:500, len=336, id=262e65aad12e5e8e/598faf8398c7acbe:00000002

Note how the SA proposal finds the first matching Diffie-Hellman group, in this case ECP512BP (DH Group 30), which represents ‘Elliptic Curve Parameter 512-bit Brainpool Primitive’.

The diagnostic debug will run for 30 minutes, but you can stop it with these commands:

diagnose debug disable
diagnose debug reset
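
The confirmation step above can be scripted when you need to check many tunnels. The following is an added example, not part of the original recipe or of Fortinet's tooling: it parses the child SA portion of the IKE debug output shown above and reports any Diffie-Hellman group that is not one of the three Brainpool groups selected in step 2. The first sample is copied from this page's output; the MODP2048 token in the second sample is a constructed stand-in for a non-Brainpool group and is an assumption about how such a group is printed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Debug tokens for the three groups selected in step 2, as printed in the
# page's output, mapped to their DH group numbers.
BRAINPOOL = {"ECP256BP": 28, "ECP384BP": 29, "ECP512BP": 30}

# Child SA lines: "ike 0:<tunnel>:<ike-sa>:[<tunnel>:]<child>: <message>"
PREFIX = re.compile(r"^ike \d+:([^:\s]+):\d+:(?:[^:\s]+:)?\d+: (.*)$")
DH = re.compile(r"^type=DH_GROUP, val=(\S+)$")
PFS = re.compile(r"^PFS enabled, group=(\d+)$")


@dataclass
class ChildSA:
    tunnel: str
    offered: List[str] = field(default_factory=list)   # groups the peer proposed
    selected: List[str] = field(default_factory=list)  # groups in the matched proposal
    pfs_group: Optional[int] = None

    def findings(self) -> List[str]:
        out = []
        for g in self.offered:
            if g not in BRAINPOOL:
                out.append(f"peer still offers non-Brainpool group {g}")
        if not self.selected:
            out.append("no matched proposal seen")
        for g in self.selected:
            if g not in BRAINPOOL:
                out.append(f"negotiated non-Brainpool group {g}")
        if self.pfs_group is None:
            out.append("no PFS line seen for this child SA")
        elif self.selected and self.pfs_group not in {BRAINPOOL.get(g) for g in self.selected}:
            out.append(f"PFS group {self.pfs_group} does not match the selected proposal")
        return out


def parse_child_sas(text: str) -> List[ChildSA]:
    """Collect offered/selected DH groups for each child SA negotiation."""
    results, current, phase = [], None, None
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        tunnel, msg = m.groups()
        if msg == "incoming child SA proposal:":
            current, phase = ChildSA(tunnel), "offered"
            results.append(current)
        elif current is None:
            continue
        elif msg.startswith("matched proposal id"):
            phase = "selected"  # lines after this describe the accepted proposal
        elif (d := DH.match(msg)):
            getattr(current, phase).append(d.group(1))
        elif (p := PFS.match(msg)):
            current.pfs_group = int(p.group(1))
            current, phase = None, None  # negotiation summary is complete
    return results


# Copied from the debug output on this page.
PAGE_SAMPLE = """\
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: incoming child SA proposal:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: proposal id = 1:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=INTEGR, val=SHA
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP512BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP384BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP256BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: matched proposal id 1
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: proposal id = 1:
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: type=DH_GROUP, val=ECP512BP
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: lifetime=43200
ike 0:HQ_to_Remote:7:HQ_to_Remote:1: PFS enabled, group=30
"""

# Constructed variant: the peer was left with one non-Brainpool group enabled.
WEAK_SAMPLE = PAGE_SAMPLE.replace("val=ECP384BP", "val=MODP2048")

if __name__ == "__main__":
    for label, text in (("page", PAGE_SAMPLE), ("constructed", WEAK_SAMPLE)):
        for sa in parse_child_sas(text):
            print(label, sa.tunnel, sa.selected, sa.pfs_group, sa.findings() or "OK")
```

A finding on the offered list means one peer still has a non-Brainpool group selected in its Phase 2 proposal, even if the negotiated group is a Brainpool one.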

 

Note that Brainpool curves are only available in FortiOS 5.6.1+.
All times listed are approximations.
If it is not up, highlight the tunnel and select Bring Up.
'63' will remove encryption hash from the debug output, making it easier to read.



FortiAnalyzer Analyzer-Collector Configuration for 5.6.0 and later


This example illustrates how to set up FortiAnalyzer Analyzer and Collector modes and make them work together to increase the overall performance of log receiving, analysis, and reporting.

The types of logs forwarded are: log files and log related archive files.

FortiAnalyzer provides two operation modes: Analyzer and Collector. Analyzer mode is the default mode that supports the full FortiAnalyzer features, while the primary task of a Collector is receiving logs from connected devices and uploading the logs to an Analyzer. Instead of writing logs to the database, the Collector retains the logs in their original (binary) format and sends the logs to the Analyzer. The following table shows a comparison of the supported features of the Analyzer and Collector modes:

 

Feature           Analyzer Mode   Collector Mode
FortiView         Yes             No
Event Monitor     Yes             No
Reports           Yes             No
Log View          Yes             Compressed logs only; indexed logs not available
Device Manager    Yes             Yes
System Settings   Yes             Yes

In this example, Company A has a branch network with a FortiGate and a FortiAnalyzer 400E deployed in Collector mode. In its head office, Company A has another FortiGate and a FortiAnalyzer 3000D deployed in Analyzer mode. Collector mode forwards the FortiGate logs in the remote branch to the Analyzer in the head office for data analysis and report generation. The Collector will also be used to archive logs.

1. Setting up the Collector

Configure the Operation Mode.

Go to System Settings > Dashboard. In the System Information widget > Operation Mode > select Collector.

 

Check the storage policy of the Collector. 

Go to Device Manager, and click the Storage Used tab in the quick status bar.

Configure the storage policy of the Collector

To edit the date policy when ADOMs are enabled:

Go to System Settings > All ADOMs and double-click the ADOM your Analyzer/Collector belongs to.

On the Edit ADOM Storage Configurations page, edit the log storage policy. 

To edit log storage settings when ADOMs are disabled:

Go to System Settings > Dashboard. In the System Information widget, click the edit icon for Log Storage Policy. In the Edit Log Storage Policy dialog box, change the settings. 

 

A configuration example of the Collector storage policy 

Note: For the Collector, you should allocate most of the disk space for compressed logs. You should keep the compressed logs long enough to meet the regulatory requirements of your organization. After this initial configuration, you can monitor the storage usage and adjust it as you go.

Prepare an Analyzer administrator account with a Super_User profile

You can use the default admin account of the Analyzer, or create a custom administrator account on the Analyzer. The Collector will need to provide the login credentials of this administrator account to get authenticated by the Analyzer for log aggregation.  

Configure log forwarding

Go to System Settings > Log Forwarding. Click Create New.

Set Name to a name you prefer. Set branch Server Type to FortiAnalyzer. Set Server IP to the IP address of the Analyzer to which this Collector will forward logs. Click Select Device and select the FortiGate device of the branch office. 

2. Setting up the Analyzer

Configure the Operation Mode.

Go to System Settings > Dashboard. In the System Information widget > Operation Mode > select Analyzer.

 

Check and configure the storage policy of the Analyzer. 

See the corresponding instructions above for the Collector. 

 

A configuration example of the Analyzer storage policy 

Note: For the Analyzer, you should allocate most of the disk space for indexed logs.
You may want to keep the indexed logs for 30–90 days. After this initial
configuration, you can monitor the storage usage and adjust it as you go.

Add the branch office FortiGate to the Analyzer.

Go to Device Manager, and click Unregistered Device in the quick status bar. Select the FortiGate device, and click Add.

In the Add Device dialog box, select the ADOM to which you want to add the FortiGate device (if ADOM is disabled, select root), and give the device a name.

Once the FortiGate device is added, you can see it under the Device Total tab. 

 

4. Results

At this point, the Collector will start to forward logs to the Analyzer. Log in to the Analyzer GUI and go to Log View. Select the branch office FortiGate device from the device list, and select Real-time Log from the Tools drop-down. You will see real-time logs arriving from the branch office FortiGate. 

Deploying FortiMail-VM virtual appliance in Microsoft Azure


The FortiMail Security Email Gateway for Microsoft Azure is deployed as a virtual appliance in the Microsoft Azure cloud (IaaS). This recipe shows you how to install and configure a single instance FortiMail-VM virtual appliance in Microsoft Azure.

1. Registering and downloading your license

If you’re deploying a FortiMail-VM in the Microsoft Azure marketplace, you must obtain a license to activate it. FortiMail-VM for Microsoft Azure supports a bring-your-own-license (BYOL) licensing model.

Licenses can be obtained through any Fortinet partner. If you don’t have a partner, contact azure@fortinet.com for assistance in purchasing a license.

After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code. 

Go to https://support.fortinet.com/ and either create a new account or log in with an existing account. 

Go to Asset > Register/Renew to start the registration process.

In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Fill in the other fields with your information.

 

At the end of the registration process, download the license (.lic) file for your FortiMail-VM.

After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. If you apply the license and get an error that the license is invalid, wait 30 minutes and try again.

2. Creating a FortiMail-VM

Log in to the Microsoft Azure Portal and select + New.

Search for and select Fortinet FortiMail Security Email Gateway from the search results.

 

Under Select a deployment model, ensure that Resource Manager is selected. Select Create.

In the Basics section, set a FortiMail-VM Name.

Set a FortiMail administrative username. This name can’t be admin or root.

Choose a FortiMail password for the new account and confirm the password. This must be a complex password containing three of the following types of characters: numbers, capital letters, lowercase letters, and special characters. For security reasons, it’s not possible to reset this password through the Microsoft Azure portal, so make sure that you remember the password.

Select the appropriate Subscription from the drop-down list. You may have only one option here.

Create a new Resource group. Currently, it’s not possible to select an existing resource group for a Microsoft Azure Marketplace template set.

Set a Location for the VM.

Select OK.

The Network and Storage Settings and FortiMail IP address assignment sections contain FortiMail-VM settings that are optional, except for the virtual machine size and storage account, as explained below. Since you’re deploying the FortiMail-VM as a single instance on its own, you shouldn’t need to change the default values. 

Select Virtual machine size and select the appropriate VM size for your deployment.

Select Storage account and choose an existing storage account or create a new one.

To accept the Network and Storage Settings values, select OK.

To accept the FortiMail IP address assignment settings, select OK.

 

If your deployment model involves co-locating pre-existing resource group components such as storage, virtual network, subnet, public IP address, network security group, or availability set, you may need to modify these settings to fit into an existing topology. For more information about advanced deployments of cooperative products, see the Fortinet documentation.

Wait for Validation to pass, then select OK.

 

Select Purchase to buy the FortiMail-VM instance from Microsoft Azure. 

Once the FortiMail-VM is deployed, you will see a “Deployment succeeded” message.

 

3. Connecting to the FortiMail-VM

To connect to the FortiMail-VM, you must find its public IP address. There are a number of ways to do this. One way is to select Virtual machines on the left bar and select the FortiMail-VM you created. Under Essentials, you will see the public IP address of the FortiMail-VM in the Public IP address field. 

Connect to the FortiMail-VM using your browser and the FortiMail-VM IP address. Log in to the FortiMail-VM with the FortiMail administrative username and FortiMail password that you configured above.  

Upload your license (.lic) file to activate the FortiMail-VM. Restart the FortiMail-VM and log in again.

After you log in, you will see that the license has been uploaded. You need to wait for authentication with the registration servers. This can take up to 15 minutes.

Select Return.

 

You will now see the FortiMail-VM dashboard.

 

 

 


Deploying FortiGate-VM virtual appliance in Microsoft Azure


The FortiGate Next-Generation Firewall for Microsoft Azure is deployed as a virtual appliance in Microsoft’s Azure cloud (IaaS). This recipe shows you how to install and configure a single instance FortiGate-VM virtual appliance in Microsoft Azure to provide a full NGFW/UTM security solution in front of Microsoft Azure IaaS resources. 

This recipe covers the deployment of simple web servers, but this type of deployment can be used for any type of public resource protection, with only slight modifications. With this architecture as a starting point, you can implement more advanced solutions, including multi-tiered solutions.

In this recipe, two subnets are created: Subnet1, which is used to connect the FortiGate-VM to the Microsoft Azure Virtual Gateway, and Subnet2, which is used to connect the FortiGate-VM and the web server.

1. Registering and downloading your license

FortiGate-VM for Microsoft Azure supports both bring-your-own-license (BYOL) and on-demand (PAYG) licensing models. If you’re deploying a FortiGate-VM in the Microsoft Azure marketplace with BYOL, you must obtain a license to activate it. 

Licenses can be obtained through any Fortinet partner. If you don’t have a partner, contact azure@fortinet.com for assistance in purchasing a license.

After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code. 

Go to https://support.fortinet.com/ and either create a new account or log in with an existing account. 

Go to Asset > Register/Renew to start the registration process.

In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Fill in the other fields with your information.

At the end of the registration process, download the license (.lic) file for your FortiGate-VM.

After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. When you upload the license (.lic) file to activate the FortiGate-VM (in step 5), if you get an error that the license is invalid, wait 30 minutes and try again.

2. Creating a Microsoft Azure VNet

This section shows you how to create a Microsoft Azure VNet and create two subnets in it. For many of the steps, you will have a choice to make that can be specific to your own environment. 

Log in to the Microsoft Azure Portal and select + New.

Search for and select Virtual network from the search results.

Under Select a deployment model, ensure that Resource Manager is selected. Select Create.

Set a Name for your VNet.

Select an Address space for your VNet. This is the range of IP addresses available within your VNet. It’s possible to extend this later.

Set Subnet name to Subnet1.

Set the Subnet address range. This must be a subset of your VNet address range and you must leave room for a second subnet.

Choose a Subscription.

Either create a new Resource group or select an existing one.

Set a Location. This is the region of the world where your VNet will reside. In the next steps, when we deploy virtual machines, they must exist within the same location.

Select Create.

Wait for the virtual network to be deployed. You will receive a “Deployment Succeeded” message. 

Browse to your new virtual network and select it.

There are a number of ways to do this. The simplest is to select Virtual networks on the left bar. If you don’t see text there, select the three horizontal lines near the top left of the Microsoft Azure portal to expand the left tool bar.

 

Under SETTINGS, select Subnets. Select + Subnet.

Set Subnet name to Subnet2.

Select an address space for the subnet from the available range or ranges in your VNet.

Leave Network security group and Route table set to None.

Select OK.

 

 

3. Installing the FortiGate-VM in the VNet 

This section shows how to install a FortiGate NGFW in the VNet that was created in the previous section.

In the Microsoft Azure Dashboard, select + New and search for FortiGate.

Select the option FortiGate NGFW Single VM and select Create.

In the Basics section, set a FortiGate-VM Name.

Select the PAYG/BYOL License option that corresponds to the license type that you purchased.

Set a FortiGate administrative username. This name can’t be admin or root. An account named admin will also be created that has a randomly generated password. After the installation, you should change the password of the admin account. 

Choose a FortiGate Password for the new account and confirm the password. This must be a complex password containing three of the following types of characters: numbers, capital letters, lowercase letters, and special characters. For security reasons, it’s not possible to reset this password through the Microsoft Azure portal, so make sure that you remember the password.

Select the appropriate Subscription from the drop-down list. You may have only one option here.

Create a new Resource group. Currently, it’s not possible to select an existing resource group for a Microsoft Azure Marketplace template set.

Set the same Location as you did when you created the VNet in the previous section.

Select OK.

In the Network Settings and Instance section, select Virtual network, then select the VNet that you created in the previous step.

Select Configure subnets.

Set Outside Subnet to Subnet1. This will be the subnet on which the WAN port resides.

Set Internal Subnet to Subnet2. This will be the subnet on which the protected port resides.

Select OK.

Select the Virtual machine size of the FortiGate from the Recommended choices, or select View all to get additional options. Select OK.

In the FortiGate IP Address Assignments section, set a resource name for the new public IP address. Choose between a Dynamic or Static public IP. A static IP may have associated costs, while a dynamic public IP may be replaced if your FortiGate reboots.

Select OK.

Wait for Validation to pass, then select OK.

Select Purchase to buy the FortiGate-VM instance from Microsoft Azure. 

Once the FortiGate-VM is deployed, you will see a “Deployment succeeded” message.

4. Associating the route tables with the subnets

You must associate both Subnet1 and Subnet2 to their corresponding Route tables (in this example, FortiGate-Subnet1-routes and FortiGate-Subnet2-routes).

In the Microsoft Azure Dashboard, select Resource groups. Select the resource group that you created when you created the FortiGate-VM in step 3 (in this example, FortiGateRG1).  
In the Overview screen, you will see two Route tables listed. Select the route table for internal routes (in this example, FortiGate-Subnet2-routes).

You must associate the route table to a subnet.

Under Settings, select Subnets.

Select + Associate.

In the Associate subnet section, select Virtual network, then select the VNet that you created in step 2 (in this example, FortiGateProtectedVNet1).
 

Select your second subnet (in this example, Subnet2). Select OK.

Wait about 30 seconds for the route table to be associated with the subnet.

Repeat the steps in this section to associate Subnet1 with its corresponding Route table (in this example, FortiGate-Subnet1-routes).

5. Connecting to the FortiGate-VM

To connect to the FortiGate-VM, you must find its public IP address. There are a number of ways to do this. One way is to select Virtual machines on the left bar and then select the FortiGate-VM you created. Under Essentials, you will see the FortiGate-VM’s public IP address in the Public IP address field. 

Connect to the FortiGate using your browser and the FortiGate-VM’s IP address. You will see a certificate error message from your browser, which is normal because the default FortiGate certificate is self-signed and isn’t recognized by browsers. Proceed past this error. At a later time, you can upload a publicly-signed certificate to avoid this error. 

Log in to the FortiGate-VM with the FortiGate Administrative Username and FortiGate Password that you configured above. 

If you’re using a BYOL license, upload your license (.lic) file to activate the FortiGate-VM. Restart the FortiGate-VM and log in again.

After you log in, you will see that the license has been uploaded. You need to wait for authentication with the registration servers. This can take up to 15 minutes.

Select Return.

You will now see the FortiGate-VM dashboard.

Reading LZ4 log files


You may or may not have noticed, in the What’s New for FortiOS 5.4.0, the introduction of the .lz4 compression format. Log files are compressed to save space on the disk and to increase performance when transmitting them between the FortiGate and other devices such as a FortiAnalyzer. The LZ4 format prioritizes the time it takes to compress the files over how small the compressed file can be made. Log files are text files and will compress quite well regardless, but because this compression takes place in real time, the speed at which it compresses is a high priority.

The drawback to this use of compression is that if the files are being sent to something other than another Fortinet device, such as an FTP server for archival, the files cannot be read unaided.

LZ4 Reader

Seeing as how it would be cruel to point out a potential problem like this without providing a solution, there is a tool to read LZ4 files with the snazzy name of lz4_reader.  Provided that JDK is installed to run the script, the tool works on the following platforms:

  • Windows
  • Linux
  • Mac

Tool availability

At the time of writing this article, the tool was not available for download from a publicly accessible site. To get the tool, contact TAC and they should be able to track it down for you.

If the technician is unfamiliar with the tool, you can impress them with your insider knowledge and tell them to check Mantis bug 0366327.

Installing the tool

Step #1 – Verify JDK is installed

How you determine if Java is already installed on your computer will depend on the platform that you are using, but if you haven’t got it, you can download the files you need from http://www.oracle.com/technetwork/java/javase/downloads/index.html

Instructions for installing JDK are already on the Internet so we won’t go over them here.

If you skip this step and run the program, you could get an error like:

'java' is not recognized as an internal or external command, operable program or batch file.

This is a good indicator that you do not have JDK installed.

Another thing that you will want to be careful of is that it is not just Java that is installed but JDK specifically. The first time I tried to run the program on my Mac, I dutifully checked and made sure the latest version of Java was there and ready to go. When I ran the program I got:

talesian$ java -jar log_reader.jar tlog.FGT3HD3914800177.vd1.20160327162450 
Exception in thread "main" java.lang.UnsupportedClassVersionError: lz4_reader_main : Unsupported major.minor version 51.0
  at java.lang.ClassLoader.defineClass1(Native Method)
  at java.lang.ClassLoader.defineClassCond(ClassLoader.java:637)
  at java.lang.ClassLoader.defineClass(ClassLoader.java:621)
  at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
  at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
  at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
  at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
  at java.security.AccessController.doPrivileged(Native Method)
  at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
  at java.lang.Class.forName0(Native Method)
  at java.lang.Class.forName(Class.java:249)
  at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:56)

Once I downloaded and installed the correct JDK everything worked smoothly.

Step #2 – Get the file

This is actually the most difficult part of the process. The file that you are looking for is lz4_reader.tar.gz.  It is not currently available to be downloaded by the public. You will have to get it from some helpful support person. It’s just a little over 3 MB. As you will notice by the extension, it is in a compressed file format as well.

Step #3 – Extract the files

Once you have downloaded the .tar.gz file, extract the files. This can be done with most compression or archive applications.

Windows

For the purposes of testing it on Windows, I used 7-zip, but most compression utilities will work just as well. This particular application had to extract the files in steps: first the gz layer and then the tar layer. Once you are at the level where the .bat and jar files are, take that folder and place it where it is easily accessible. If feasible, the root of the C: drive is a simple option, as it is nice and easy to find through the command line.

Linux and Mac

For Mac users of the GUI, the Archive Utility app will extract the files directly to the lz4_reader folder without going through the steps that the 7-zip program did. For Linux users and Mac users that prefer the command line, you can use the tar utility.

$ tar xvzf lz4_reader.tar.gz 
x lz4_reader/._.DS_Store 
x lz4_reader/.DS_Store 
x lz4_reader/run.bat 
x lz4_reader/log_reader.jar 
x lz4_reader/

This will create a folder called lz4_reader in the same folder that you ran the command, though you won’t see the files that start with a “.” unless you have it set up to be able to view hidden files.

Running the tool

The tool is run from the command line. This means using cmd.exe in Windows or the terminal emulator in Linux and Mac. To keep things nice and simple, you can put the log file that you want to read in the same folder as the program.

To run a java command you have to start with java, and in this case because the program that we are going to be running is a .jar file, the -jar option also needs to be used.

Running the program is simple. In the command terminal, go to the directory and run the command:

java -jar log_reader.jar <path><name of the file>

Windows

Change the context of the session to the folder or directory holding the utility and then run the command.

C:\lz4_reader> java -jar log_reader.jar tlog.FGT3HD3914800177.vd1.20160327162450 
All readable contents are saved to C:\lz4_reader\tlog.FGT3HD3914800177.vd1.20160327162450_readable.
C:\lz4_reader>

If the log file is not in the same folder as the lz4_reader files, in this case, a subfolder called test, include the path in the file name.

C:\lz4_reader> java -jar log_reader.jar C:\lz4_reader\test\DISK_alog_FGVM010000017392_root_20160614_042922

A folder called tlog.FGT3HD3914800177.vd1.20160327162450_readable is created in the same folder as the original file, and within that folder there is a file called tlog.65485_readable.txt.

Linux and Mac

In Linux and Mac, the program is run the same way with one notable difference. In Windows, a backslash is used to separate directories, and in Linux and Mac a slash is used. On a *nix-based platform, the command would be:

java -jar log_reader.jar test/tlog.FGT3HD3914800177.vd1.20160327162450 
All readable contents are saved to /Fortinet/working/lz4_reader/test/tlog.FGT3HD3914800177.vd1.20160327162450_readable.

Reading the file

Once the file has been converted into readable text, you need to pick an application to read it. For easy reading, I would not advise using word processor applications such as Notepad or Word to read the file. These products are intended to put words to paper so they have a tendency to impose formatting styles on them that may not be appropriate for log files. You are probably not going to print out all of the logs, so a code editor or something along those lines might be a better choice for quickly going through the logs for the purposes of looking for something specific.

To give an idea of the differences, I’ve copied the first 5 lines of a test log file below as displayed by two different types of text application. The first example was opened using a word processor, in this case Microsoft Word. The second was opened using a code editor, in this case Atom, but something like Notepad++ produces the same results:

Word output:

date=2016-03-27 time=16:24:32 logid=0001000014 type=traffic subtype=local level=notice vd=vd1 srcip=172.16.200.2 srcport=49984 srcintf=”vd1″ dstip=172.16.95.16 dstport=53 dstintf=”port1″ sessionid=3378 proto=17 action=accept policyid=0 policytype=policy dstcountry=”Reserved” srccountry=”Reserved” trandisp=noop service=”DNS” app=”DNS” duration=476 sentbyte=7568 rcvdbyte=37905 sentpkt=118 rcvdpkt=76 appcat=”unscanned”
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=144.20.202.235 srcport=55165 srcintf=”lo” dstip=112.250.20.205 dstport=53 dstintf=”lo” sessionid=1954188563 proto=17 action=close policyid=2 policytype=policy dstcountry=”China” srccountry=”Spain” trandisp=noop service=”DNS” appid=27457 app=”Windows.File.Sharing” appcat=”Network.Service” apprisk=elevated applist=”default” duration=0 sentbyte=1708 rcvdbyte=3717 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=64.114.19.214 srcport=9953 srcintf=”lo” dstip=32.98.1.172 dstport=21 dstintf=”lo” sessionid=1954188564 proto=6 action=close policyid=0 policytype=policy dstcountry=”United States” srccountry=”Canada” trandisp=noop service=”FTP” appid=27946 app=”Fortiguard.Search” appcat=”Cloud.IT” apprisk=medium applist=”default” duration=0 sentbyte=2508 rcvdbyte=2038 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=44.103.247.160 srcport=1390 srcintf=”dummy0″ dstip=168.125.107.178 dstport=25 dstintf=”lo” sessionid=1954188565 proto=17 action=close policyid=1 policytype=policy dstcountry=”United States” srccountry=”United States” trandisp=noop service=”udp/25″ appid=15895 app=”SSL” appcat=”Network.Service” apprisk=elevated applist=”default” duration=0 sentbyte=1084 rcvdbyte=3061 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=44.103.247.160 srcport=30592 srcintf=”lo” dstip=16.62.205.154 dstport=443 dstintf=”lo” sessionid=1954188566 proto=6 action=close policyid=2 policytype=policy dstcountry=”United States” srccountry=”United States” trandisp=noop service=”HTTPS” appid=34789 app=”SNMP_GetRequest” appcat=”Network.Service” apprisk=elevated applist=”default” duration=0 sentbyte=3101 rcvdbyte=618 sentpkt=0 rcvdpkt=0

Atom output:

date=2016-03-27 time=16:24:32 logid=0001000014 type=traffic subtype=local level=notice vd=vd1 srcip=172.16.200.2 srcport=49984 srcintf="vd1" dstip=172.16.95.16 dstport=53 dstintf="port1" sessionid=3378 proto=17 action=accept policyid=0 policytype=policy dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="DNS" app="DNS" duration=476 sentbyte=7568 rcvdbyte=37905 sentpkt=118 rcvdpkt=76 appcat="unscanned"
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=144.20.202.235 srcport=55165 srcintf="lo" dstip=112.250.20.205 dstport=53 dstintf="lo" sessionid=1954188563 proto=17 action=close policyid=2 policytype=policy dstcountry="China" srccountry="Spain" trandisp=noop service="DNS" appid=27457 app="Windows.File.Sharing" appcat="Network.Service" apprisk=elevated applist="default" duration=0 sentbyte=1708 rcvdbyte=3717 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=64.114.19.214 srcport=9953 srcintf="lo" dstip=32.98.1.172 dstport=21 dstintf="lo" sessionid=1954188564 proto=6 action=close policyid=0 policytype=policy dstcountry="United States" srccountry="Canada" trandisp=noop service="FTP" appid=27946 app="Fortiguard.Search" appcat="Cloud.IT" apprisk=medium applist="default" duration=0 sentbyte=2508 rcvdbyte=2038 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=44.103.247.160 srcport=1390 srcintf="dummy0" dstip=168.125.107.178 dstport=25 dstintf="lo" sessionid=1954188565 proto=17 action=close policyid=1 policytype=policy dstcountry="United States" srccountry="United States" trandisp=noop service="udp/25" appid=15895 app="SSL" appcat="Network.Service" apprisk=elevated applist="default" duration=0 sentbyte=1084 rcvdbyte=3061 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=44.103.247.160 srcport=30592 srcintf="lo" dstip=16.62.205.154 dstport=443 dstintf="lo" sessionid=1954188566 proto=6 action=close policyid=2 policytype=policy dstcountry="United States" srccountry="United States" trandisp=noop service="HTTPS" appid=34789 app="SNMP_GetRequest" appcat="Network.Service" apprisk=elevated applist="default" duration=0 sentbyte=3101 rcvdbyte=618 sentpkt=0 rcvdpkt=0

You can probably make the file even easier to sort through by converting it to a spreadsheet but I will leave that as an exercise for the reader.
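One way to do that conversion, as an added example that is not part of the original post: a small parser for the key=value lines shown above that writes CSV. It assumes every field has the form key=value with optional double quotes, as in the sample output; the function names are this example's own, and the third sample line (including its hostname value) is constructed to show why values that start with a formula character are prefixed before a spreadsheet opens them.

```python
import csv
import io
import re

# Typographic quotes as seen in the "Word output" sample; mapped back to ASCII.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})

# key=value, where value is "quoted text with spaces" or a bare token.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# A cell starting with one of these is evaluated as a formula by spreadsheets.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

SAMPLE = [
    # Shortened from the Atom output above.
    'date=2016-03-27 time=16:24:32 logid=0001000014 type=traffic '
    'srcip=172.16.200.2 dstport=53 dstcountry="Reserved" service="DNS" app="DNS"',
    # Shortened from the Word output above (typographic quotes).
    'date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic '
    'srcip=44.103.247.160 dstport=25 dstcountry=\u201dUnited States\u201d '
    'service=\u201dudp/25\u2033 appid=15895 app=\u201dSSL\u201d',
    # Constructed line: a logged value that begins with "=".
    'date=2016-03-27 time=16:24:40 logid=0000000013 type=traffic '
    'srcip=192.0.2.10 dstport=80 dstcountry="Reserved" service="HTTP" '
    'hostname="=1+1"',
]


def parse_line(line):
    """Return {field: value} for one log line, in the order fields appear."""
    fields = {}
    for match in PAIR_RE.finditer(line.translate(SMART_QUOTES)):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def neutralize(value):
    """Prefix formula-like values so a spreadsheet treats them as text."""
    return "'" + value if value.startswith(FORMULA_PREFIXES) else value


def logs_to_csv(lines):
    """Convert log lines to CSV text; columns are the union of all fields."""
    rows = [parse_line(line) for line in lines if line.strip()]
    columns = []
    for row in rows:
        for key in row:
            if key not in columns:
                columns.append(key)  # first-seen order keeps date/time first
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, restval="",
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({key: neutralize(value) for key, value in row.items()})
    return out.getvalue()


if __name__ == "__main__":
    print(logs_to_csv(SAMPLE), end="")
```

Lines that lack a field, such as appid in the first sample line, get an empty cell in that column.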


The post Reading LZ4 log files appeared first on Fortinet Cookbook.

FortiGate 80E/81E and 80E/81E POE Installation Guide


The FortiGate unit can be placed on any flat surface with the provided rubber feet, or mounted to a wall with the provided mounting hardware.

Electrostatic discharge (ESD) can damage your Fortinet equipment.
Do not place heavy objects on the unit.

To Mount the Device on a Wall

  1. Use the mounting bracket to mark the location of the mounting holes on a flat wall surface.
  2. Drill the mounting holes in the marked locations.
  3. Insert the provided anchors into the drilled holes then screw the screws into the anchors, leaving approximately 2mm of the screw exposed for connecting to the mounting bracket.
  4. Fasten the mounting bracket securely to the back of the unit using the provided screws.
  5. Position the device with the attached mounting bracket over the exposed screws in the wall, then slide the device downward to secure it in place.
  6. Plug the provided power adapter into the rear of the unit, and then plug the transformer into a grounded electrical outlet or a separate power source such as an uninterruptible power supply (UPS) or a power distribution unit (PDU) with the provided power cable.

To Install the Unit on a Flat Surface

  1. Ensure that the surface onto which the FortiGate unit is to be installed is clean, level, and stable and that there is at least 1.5in (3.8cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the provided rubber feet to the bottom of the FortiGate unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the FortiGate unit conforms to requirements and that the unit is level.
  5. Plug the provided power adapter into the rear of the unit, and then plug the transformer into a grounded electrical outlet or a separate power source such as an uninterruptible power supply (UPS) or a power distribution unit (PDU) with the provided power cable.

The post FortiGate 80E/81E and 80E/81E POE Installation Guide appeared first on Fortinet Cookbook.

FortiGate 3960E and 3980E Installation Guide


The FortiGate 3960E and 3980E units can be mounted on a flat surface, or in any standard 19 inch rack unit with the provided mounting hardware.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Do not place heavy objects on the unit.

Each power cable should be connected to a different power source. In this way, if one power source fails, the others may still be operational and the unit will not lose power.

At least two power supplies must be providing power for device operation.

Four Post Rack Mount Installation

  1. Attach the rack-mount rails to the rack using eight rack-mount screws. Their length can be adjusted as necessary.
  2. Set the unit onto the rails, then slide it back into the rack.
  3. Ensure there is enough room around the unit to allow for sufficient air flow, then secure the device to the rack with rack-mount screws.
  4. If possible, use the provided panhead screws to secure the device to the rails for added security.
  5. Plug the supplied cables into the rear power supplies and affix them with the power cable straps, then plug them into separate, surge protected power supplies.

Two Post Rack-Mount Installation

  1. Remove the mounting brackets from the sides of the device, and remove the handles from the mounting brackets.
  2. Attach the mounting brackets to the sides of the device.
  3. Attach the mid-mount trays to the rack using four rack-mount screws.
  4. Set the unit onto the trays, then slide it back into the rack.
  5. Ensure there is enough room around the unit to allow for sufficient air flow, then secure the device to the rack with rack-mount screws.
  6. Plug the supplied cables into the rear power supplies and affix them with the power cable straps, then plug them into separate, surge protected power supplies.

Surface Mount Installation

  1. Ensure that the surface onto which the FortiGate unit is to be installed is clean, level, and stable, and that there is at least 1.5in (3.8cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the six provided rubber feet to the bottom of the FortiGate unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the FortiGate unit conforms to requirements and that the unit is level.
  5. Plug the supplied cables into the rear power supplies and affix them with the power cable straps, then plug them into separate, surge protected power supplies.

The post FortiGate 3960E and 3980E Installation Guide appeared first on Fortinet Cookbook.

Basic FortiGate Installation Guide


The FortiGate unit can be mounted in any standard 19 inch rack unit with the provided rack-mount brackets and screws.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Do not place heavy objects on the unit.

Installing the FortiGate into a Rack

  1. Attach the provided rack-mount brackets to the sides of the unit using the provided screws.
  2. Position the FortiGate unit in the rack. Ensure there is enough room around the unit to allow for sufficient air flow.
  3. Line up the rack-mount bracket holes to the holes on the rack and ensure that the FortiGate unit is level.
  4. Finger tighten four rack-mount screws to attach the unit to the rack.
  5. Verify that the spacing around the FortiGate unit conforms to requirements and that the unit is level, then tighten the rack-mount screws with an appropriate screwdriver.
  6. Plug the provided power cables into the rear of the unit, and then into grounded electrical outlets or separate power sources such as uninterruptible power supplies (UPS) or power distribution units (PDU).

DC models only:

This product is only intended for installation and use in a Restricted Access Location.

The DC power cables provided with the device are intended to be used only for in-rack wiring, must be routed away from sharp edges, and must be adequately fixed to prevent excessive strain on the wires and terminals.

Installing the Device on a Flat Surface

The FortiGate unit can be placed on any flat surface with the provided rubber feet.

Electrostatic discharge (ESD) can damage your Fortinet equipment.
Do not place heavy objects on the unit.

  1. Ensure that the surface onto which the FortiGate unit is to be installed is clean, level, and stable and that there is at least 1.5in (3.8cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the provided rubber feet to the bottom of the FortiGate unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the FortiGate unit conforms to requirements and that the unit is level.
  5. Plug the provided power cables into the rear of the unit, and then into grounded electrical outlets or separate power sources such as uninterruptible power supplies (UPS) or power distribution units (PDU).

The post Basic FortiGate Installation Guide appeared first on Fortinet Cookbook.


FortiGate 3960E and 3980E Cooling Fan Trays


The FortiGate 3960E and 3980E have two hot-swappable fan trays installed in the back of the chassis.

Fan Tray Replacement

  1. Unscrew the four retention screws on the fan tray that is being replaced.
  2. Pull the fan tray away from the chassis using the handles.
  3. Put the outlet cover over the grill of the new fan tray. It will be held on by magnets.
  4. Slide the new fan tray into the chassis. The fan cover will fall off as the fans power up.
  5. Tighten the retention screws.

The post FortiGate 3960E and 3980E Cooling Fan Trays appeared first on Fortinet Cookbook.

FortiGate 3000 Series NEBS Optional Air Filter Installation


The NEBS Optional Air Filter Installation applies to the following FortiGate devices:

  • 3700D
  • 3815D

An air filter can be purchased to cover the front air intakes of the device.

To connect the air filter:

  1. Remove the ears from the rack-mount brackets using an appropriate screwdriver.
  2. Attach the Aluminum Filter Brackets to the rack-mount brackets using four M4x8 flat head countersink screws.
  3. Insert the Air Filter into the Air Filter Cover, then screw the cover onto the filter brackets using an appropriate screwdriver.
NEBS SKU only, please check price list for NEBS SKU offering.

The post FortiGate 3000 Series NEBS Optional Air Filter Installation appeared first on Fortinet Cookbook.

FortiGate 3000 Series NEBS Supplemental Unit Bonding and Grounding Guidelines


The NEBS Supplemental Unit Bonding and Grounding Guidelines apply to the following FortiGate devices:

  • 3700D
  • 3815D

To meet Network Equipment Building System (NEBS) and safety compliance requirements, the grounding point on the back of the device must be permanently connected to the central office or interior equipment grounding system.

Use the following parts to ensure a satisfactory ground connection to the FortiGate device:

  • One UL Listed grounding lug with two M5 bolt holes with 15.88mm (0.625in) spacing between them
  • A wire receptacle that accepts 6 AWG or larger, multistrand copper wire
  • One grounding wire that is at least 6 AWG multistrand copper wire. The wire diameter and length depend on the device location and site environment
  • Two screws with lock washers (provided).

NEBS SKU only, please check price list for NEBS SKU offering.


The post FortiGate 3000 Series NEBS Supplemental Unit Bonding and Grounding Guidelines appeared first on Fortinet Cookbook.

FortiGate 3000 Series Installation Guide


This installation guide is used for the following FortiGate 3000 models:

  • 3700D
  • 3700DX
  • 3800D
  • 3810D
  • 3815D

The FortiGate unit can be mounted in any standard 19 inch rack unit with the provided mounting hardware. AC models can also be surface mounted.

Electrostatic discharge (ESD) can damage your Fortinet equipment.
To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Please consult a licensed electrician before connecting this product to a DC power source, or hire a licensed electrician to perform all connections (DC models only).

Do not place heavy objects on the unit.

Each power cable should be connected to a different power source. In this way, if one power source fails, the other may still be operational and the unit will not lose power.

This product has a separate protective earthing terminal provided on the back of the product in addition to the grounding terminal of the attachment plug. This separate protective earthing terminal must be permanently connected to earth with a green with yellow stripe conductor of minimum size 6 AWG, and the connection is to be installed by qualified service personnel.

DC models only:

This product is only intended for installation and use in a Restricted Access Location.

DC terminals accept UL approved ring terminals for 8/M4 stud with ext ring diameter < 9.8 mm.

DC cables must be a minimum of 10 AWG.

Four Post Rack Mount Installation

  1. Using the supplied hardware, attach the inner slide rails to each side of the unit using the two pan head screws, and attach the outer slide rails to the rack.
  2. Attach the front handles to each side of the unit using eight flat head screws.
  3. Ensure there is enough room around the unit to allow for sufficient air flow.
  4. Slide the unit into your equipment rack.
  5. For AC models, plug the supplied cables into the rear of the unit and into a surge protected power bar or power supply. For DC models, connect cables to the rear of the unit and then into your DC power source.

Two Post Rack Mount Installation

  1. Attach the middle mounting brackets to each side of the unit using eight flat head screws.
  2. Ensure there is enough room around the unit to allow for sufficient air flow.
  3. Secure the unit into your equipment rack.
  4. For AC models, plug the supplied cables into the rear of the unit and into a surge protected power bar or power supply.
    For DC models, connect cables to the rear of the unit and then into your DC power source.

Surface Mount Installation (AC Models Only)

  1. Ensure that the surface onto which the FortiGate unit is to be installed is clean, level, and stable and that there is at least 1.5in (3.8cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the six provided rubber feet to the bottom of the FortiGate unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the FortiGate unit conforms to requirements and that the unit is level.
  5. Plug the supplied cables into the rear of the unit and into a surge protected power bar or power supply.

| Parameter | Min | Avg | Max | Unit |
|---|---|---|---|---|
| Max Inrush Current | | | 40 | A |
| Max Inrush Current Duration | | | 50 | ms |
| Current @ 48V | | 12.7 | 17.5 | A |
| Input Voltage | -40 | | -72 | V DC |
| Power Consumption | | 609.6 | 840 | W |
| Heat Dissipation | | | 2871 | BTU/hr |
| Number of Power Supplies | 1 | | 2 | |

Airflow: Front to Back

 


The post FortiGate 3000 Series Installation Guide appeared first on Fortinet Cookbook.

Configuring media type for a transceiver


With certain FortiGate models, a transceiver may not successfully connect immediately when plugged into a port. Configuration via the CLI is required.

This recipe shows how to configure the media type when ports using FG-TRAN-CFP2-LR4 will not become active. FortiGate models requiring this configuration with this transceiver are: FG-3800D, FG-3810D, FG-3815D, FIM-7910E, and FIM-7920E.

Configuring media type for FG-3800D, FG-3810D, and FG-3815D

Connect to the CLI of your FortiGate system using the management IP and enter the command below. The interface and transceiver indicated are examples. Be sure to enter the correct interface name and media type. 

config system interface
    edit port1
        set mediatype CFP2-LR4
end

After you enter the CLI command, the FortiGate reboots and the link to the transceiver becomes active.

Configuring media type for FIM-7910E & FIM-7920E

A manual reboot is required when changing the media type for the FIM-7910E but not for the FIM-7920E. The interface and transceiver indicated are examples. Be sure to enter the correct interface name and media type.

config system interface
    edit "2-C1"
        set mediatype lr
    next
end
execute reboot =====> only necessary for the FIM-7910E

For more details, consult the Fortinet Document Library’s hardware manuals.


The post Configuring media type for a transceiver appeared first on Fortinet Cookbook.

FortiGate 3000 Series Crimping Guidelines


Crimping Guidelines

The following models require crimping:

  • 3700D
  • 3800D
  • 3815D

The end of the 6 AWG ground wire must be fitted with a suitable 5/8-inch double-hole lug. Use the following information to crimp and prepare the wire.

Do not crimp energized wires.

Follow these crimping guidelines:

  • Strip the insulation from the cable. Be careful not to nick the cable strands, which may later result in strands breaking.
  • Cable end should be clean: wire brush or clean with emery cloth if necessary. Insert cable into connector until it stops. The insertion length must approximate the stripped length of cable.
  • Insert connector in die and compress between the markings beginning near the tongue of the connector. Using the wrong installing die may result in a defective connection.
  • After crimping, remove all sharp edges, flashes, or burrs.

Connecting the Device to Ground

This product has a separate ground terminal provided on the back of the product in addition to the grounding terminal of the attachment plug. The ground terminal provides two connectors to be used with a double-holed lug. This connector must be connected to a local ground connection.

You need the following equipment to connect the device to ground:

  • An electrostatic discharge (ESD) preventive wrist strap with connection cord.
  • One green with yellow stripe 6 AWG stranded wire with listed closed loop double-hole lug suitable for minimum 6 AWG copper wire.

To connect the device to ground:

  1. Attach the ESD wrist strap to your wrist and to an ESD socket or to a bare metal surface on the device or frame.
  2. Make sure that the device and ground wire are not energized.
  3. Connect the ground wire from the local ground to the ground connector on the device.
  4. Secure the ground wire to the device.
  5. Optionally label the wire GND.

 


The post FortiGate 3000 Series Crimping Guidelines appeared first on Fortinet Cookbook.

Deploying FortiManager-VM virtual appliance in Microsoft Azure


FortiManager for Microsoft Azure is deployed as a virtual appliance in Microsoft Azure cloud (IaaS). This recipe shows you how to install and configure a FortiManager-VM virtual appliance in Microsoft Azure.

1. Registering and downloading your license

If you’re deploying a FortiManager-VM in the Microsoft Azure marketplace, you must obtain a license to activate it. FortiManager-VM for Microsoft Azure supports a bring-your-own-license (BYOL) licensing model.

Licenses can be obtained through any Fortinet partner. If you don’t have a partner, contact azure@fortinet.com for assistance in purchasing a license.

After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code. 

Go to https://support.fortinet.com/ and either create a new account or log in with an existing account. 

Go to Asset > Register/Renew to start the registration process.

In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Fill in the other fields with your information.

At the end of the registration process, download the license (.lic) file for your FortiManager-VM.

After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. When you upload the license (.lic) file to activate the FortiManager-VM (in step 3), if you get an error that the license is invalid, wait 30 minutes and try again.

2. Creating a FortiManager-VM

Log in to the Microsoft Azure Portal and select + New.

Search for and select FortiManager Centralized Security Management from the search results.

Under Select a deployment model, ensure that Resource Manager is selected. Select Create.

In the Basics section, set a FortiManager-VM name in the FortiManager virtual appliance name field. 

Set a FortiManager administrative username. This name can’t be admin or root.

Choose a FortiManager password for the new account and confirm the password. This must be a complex password containing three of the following types of characters: numbers, capital letters, lowercase letters, and special characters. For security reasons, it’s not possible to reset this password through the Microsoft Azure portal, so make sure that you remember the password.

Select the appropriate Subscription from the drop-down list. You may have only one option here.

Create a new Resource group. Currently, it’s not possible to select an existing resource group for a Microsoft Azure Marketplace template set.

Set a Location for the VM.

Select OK.

In the Network and Storage Settings section, select Virtual network. You can either create a new virtual network (VNet) or select an existing one.

In the Address space field, accept the default values or specify your own.

Select OK.

In the Subnet section, the Subnet name and Subnet address prefix are pre-defined and you shouldn’t need to change the default values. 

Select OK.

In the Virtual machine size section, select the appropriate VM size for your deployment. 

In the Microsoft Azure Marketplace, the FortiManager virtual machines come in a variety of sizes, from A0 Standard to D4 Standard. Each virtual machine size within each series has different limits for the amount of memory, number of network interface cards (NIC), maximum number of data disks, size of cache, and maximum input/output operations per second (IOPS) and bandwidth.

Select OK.

In the Storage account section, choose an existing storage account or create a new one. All resources should be in the same location.

Storage types are created from a Microsoft Azure storage account. The Microsoft Azure storage account, in turn, determines certain characteristics for the storage, such as whether the storage is locally redundant or geo-redundant, and whether the storage is based on standard HDDs or SSDs.

Set a Name for the storage account.

Under Performance, choose a storage account type.

Select the Replication option you want to use. The options are Locally redundant storage (LRS) or Geo-redundant storage (GRS). LRS is where all data in the Microsoft Azure storage account replicates synchronously to three different storage nodes within the primary region that was chosen when you created the Microsoft Azure storage account. GRS is where every entity is replicated into two data centers.

The data in the Microsoft Azure storage account is always replicated in order to ensure durability and high availability. Some settings can’t be changed after the storage account is created.

To accept the Network and Storage Settings values, select OK.

In the FortiManager IP address assignments section, select First public IP address resource name. In the Name field, set a name for the public IP address of the FortiManager. In the Assignment field, select Dynamic or Static. Select OK.

In the Public IP address type field, select Static or Dynamic. Select OK.

Wait for validation to pass, then select OK.

Select Purchase to buy the FortiManager-VM instance from Microsoft Azure. 

Once the FortiManager-VM is deployed, you will see a “Deployment succeeded” message.

3. Connecting to the FortiManager-VM

To connect to the FortiManager-VM, you must find its public IP address. There are a number of ways to do this. One way is to select Virtual machines on the left bar and select the FortiManager-VM you created. Under Essentials, you will see the public IP address of the FortiManager-VM in the Public IP address field. 

Connect to the FortiManager-VM using your browser and the FortiManager-VM IP address. Log in to the FortiManager-VM with the FortiWeb administrative username and FortiManager password that you configured above. 

Upload your license (.lic) file to activate the FortiManager-VM. Restart the FortiManager-VM and log in again.

After you log in, you will see that the license has been uploaded. You need to wait for authentication with the registration servers. This can take up to 15 minutes.

Select Return.

You will now see the FortiManager-VM dashboard.

The post Deploying FortiManager-VM virtual appliance in Microsoft Azure appeared first on Fortinet Cookbook.


FortiAP 320C/B Installation Guide


Using the provided mounting hardware, the FortiAP unit can be attached to a drop ceiling, ceiling or wall.

To attach the unit to a ceiling using the T-rail mounting hardware kit:

  1. Attach the T-rail connector to the bottom cover of the FortiAP unit using the four provided short screws.
    If extra space is required to accommodate drop ceiling tiles, use the taller T-rail connector.
  2. Line up the connected T-rail connector with an appropriately sized rail and twist the unit onto the rail until it snaps into place.
  3. Use the Kensington security slot to attach a cable lock (cable lock is not included) to protect your FortiAP device from unauthorized removal.
    You can now proceed with connecting your FortiAP unit.

To mount the unit using the mounting bracket:

  1. Select an appropriate location, hold the mounting bracket against the wall or ceiling, and mark the locations where the four included anchors will be inserted.
  2. Drill the mounting holes, then insert the anchors into the holes with an appropriate screwdriver.
  3. Attach the mounting bracket to the anchors using the four included screws.
  4. Push the FortiAP unit onto the mounting bracket until it snaps into place.

The unit can be removed from the bracket by pressing on the bracket tab and sliding the device out.


The post FortiAP 320C/B Installation Guide appeared first on Fortinet Cookbook.

FortiAP 421E/423E Installation Guide


The unit can be mounted on a ceiling using the provided ceiling mounting bracket.

To attach the unit to a ceiling using the ceiling mount bracket:

  1. Attach the ceiling mount bracket to the bottom cover of the FortiAP unit by sliding the mount bracket from the left to the right onto the FortiAP Unit.
    If extra space is required to accommodate drop ceiling tiles, use the taller ceiling mount bracket.
  2. Select an appropriate location, hold the device against the ceiling t-rail, and push the FortiAP unit onto the ceiling until it snaps into place.

The unit can be removed from the bracket by pressing on the bracket tab and sliding the device out.

Note: Four ceiling mount brackets are included; both standard and recessed ceiling mount brackets come in sizes: 1.43cm (9/16in) and 2.38cm (15/16in).

To protect your device from unauthorized removal, use the Kensington™ Security Slot to attach a cable lock (not included).


The post FortiAP 421E/423E Installation Guide appeared first on Fortinet Cookbook.

FortiAP 321C Installation Guide


The FortiAP unit can be mounted on a wall or ceiling using the provided wall/ceiling mounting hardware kit, and to an appropriate ceiling using the T-rail mounting hardware kit.

To attach the unit to a wall or ceiling:

  1. Select an appropriate location, then mark the locations on the wall or ceiling where the anchors will be inserted.
  2. Drill the mounting holes, then insert the anchors into the holes.
  3. Attach the mounting bracket to the anchors using two P3.5×32 screws.
  4. Insert two P2.6×12 screws into the bottom of the unit, leaving enough of the screws exposed so that the unit can be mounted to the mounting bracket. If extra space is required between the unit and the mounting bracket, use the spacers and P2.6×25 screws from the T-rail mounting hardware kit.
  5. Mount the device on the installed mounting bracket, then rotate it clockwise to secure it in place.

To attach the unit to a T-rail:

  1. Attach the T-rail clips to the bottom of the unit using two P2.6×10 screws. If extra space is required to accommodate drop ceiling tiles, use the provided spacers and P2.6×25 screws.

    Note: Two sizes of T-rail clips are included in the mounting kit: 2.38cm (15/16in) and 1.43cm (9/16in). Line up the connected T-rail clips with an appropriately sized rail, then press the unit into the rail until it snaps into place.

    Note: To protect your device from unauthorized removal, use the Kensington Security Slot to attach a cable lock (not included).


The post FortiAP 321C Installation Guide appeared first on Fortinet Cookbook.

FortiAP 222C Installation Guide


IMPORTANT NOTE: The FortiAP device must be professionally installed and must use the supplied antennae.

The unit is designed for outdoor use and may be attached to either a pole or wall. A waterproof connector is supplied to ensure a watertight seal for connecting the Ethernet cable to the device.

Note: The device can be mounted either outdoors or indoors. The included PoE injector and surge protector must be mounted indoors, as they are not weatherproof.

To mount the device on a wall:

  1. Using the wall-mount base as a template, mark the location of the mounting bolt holes on a flat wall surface.
  2. Drill the mounting holes in the marked locations.
  3. Fasten the wall-mount base securely to the back of the unit using the provided mounting screws.
  4. Attach the unit and base assembly to the wall using the provided concrete mounting bolts.
  5. Securely tighten the mounting bolts.

To mount the FortiAP unit on a pole:

  1. Fasten the wall-mount base securely to the back of the unit using the provided mounting screws.
  2. Attach the pole-mount bracket to the wall-mount base using the provided screws.
    The pole-mount bracket can be attached either vertically or horizontally, as required.
  3. Loop the provided pole strap through the slots on the pole-mount bracket and then around the pole.
  4. Tighten the strap with an appropriate screwdriver and ensure that the device is firmly in place.

The post FortiAP 222C Installation Guide appeared first on Fortinet Cookbook.

FortiAP 24D Installation Guide


  1. Select an appropriate location and mark the location on the wall where the anchors will be located.
  2. Insert the anchors provided in the wall mount kit into the wall in the marked locations. If necessary, drill holes into the wall with an appropriately sized drill bit prior to inserting the anchors.
  3. Screw the provided M3x16L screws into the two anchors, leaving enough of the screws exposed to ensure that the unit can be mounted on them.
  4. Mount the FortiAP unit onto the screws and ensure that it is mounted securely.
    You can now proceed with connecting your FortiAP unit.

The post FortiAP 24D Installation Guide appeared first on Fortinet Cookbook.
