Channel: Fortinet Cookbook

FortiAP 320C Installation Guide


Using the provided hardware, the FortiAP unit can be attached to a ceiling or wall.

To attach the unit to a wall using the wall mounting hardware kit:

  1. Insert the anchors provided in the wall mounting hardware kit into an appropriate location on a wall.
  2. Insert the screws provided in the wall mounting hardware kit into the anchors.
  3. Mount the FortiAP unit onto the screws.
  4. Use the Kensington security slot to attach a cable lock (cable lock is not included) to protect your FortiAP device from unauthorized removal. You can now proceed with connecting your FortiAP unit.

To attach the unit to a ceiling using the T-rail mounting hardware kit:

  1. Attach the T-rail connector to the bottom cover of the FortiAP unit using the four provided short screws.
    If extra space is required to accommodate drop ceiling tiles, use the taller T-rail connector.
  2. Line up the connected T-rail connector with an appropriately sized rail and twist the unit onto the rail until it snaps into place.
  3. Use the Kensington security slot to attach a cable lock (cable lock is not included) to protect your FortiAP device from unauthorized removal. You can now proceed with connecting your FortiAP unit.

The post FortiAP 320C Installation Guide appeared first on Fortinet Cookbook.


Deploying FortiGate-VM virtual appliance in Microsoft Azure


The FortiGate Next-Generation Firewall for Microsoft Azure is deployed as a virtual appliance in Microsoft’s Azure cloud (IaaS). This recipe shows you how to install and configure a single instance FortiGate-VM virtual appliance in Microsoft Azure to provide a full NGFW/UTM security solution in front of Microsoft Azure IaaS resources. 

This recipe covers the deployment of simple web servers, but this type of deployment can be used for any type of public resource protection, with only slight modifications. With this architecture as a starting point, you can implement more advanced solutions, including multi-tiered solutions.

In this recipe, two subnets are created: Subnet1, which is used to connect the FortiGate-VM to the Microsoft Azure Virtual Gateway, and Subnet2, which is used to connect the FortiGate-VM and the web server.

1. Registering and downloading your license

FortiGate-VM for Microsoft Azure supports both bring-your-own-license (BYOL) and on-demand (PAYG) licensing models. If you’re deploying a FortiGate-VM in the Microsoft Azure marketplace with BYOL, you must obtain a license to activate it. 

Licenses can be obtained through any Fortinet partner. If you don’t have a partner, contact azure@fortinet.com for assistance in purchasing a license.

After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code. 

Go to https://support.fortinet.com/ and either create a new account or log in with an existing account. 

Go to Asset > Register/Renew to start the registration process.

In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Fill in the other fields with your information.

At the end of the registration process, download the license (.lic) file for your FortiGate-VM.

After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. When you upload the license (.lic) file to activate the FortiGate-VM (in step 5), if you get an error that the license is invalid, wait 30 minutes and try again.

2. Creating a Microsoft Azure VNet

This section shows you how to create a Microsoft Azure virtual network (VNet) and create two subnets in it. For many of the steps, you will have a choice to make that can be specific to your own environment. 

Log in to the Microsoft Azure Portal and select + New.

Search for and select Virtual Network from the search results.

Under Select a deployment model, ensure that Resource Manager is selected. Select Create.

Set a Name for your VNet.

Select an Address space for your VNet. This is the range of IP addresses available within your VNet. It’s possible to extend this later.

Set Subnet name to Subnet1.

Set the Subnet address range. This must be a subset of your VNet address range and you must leave room for a second subnet.

Choose a Subscription.

Either create a new Resource group or select an existing one.

Set a Location. This is the region of the world where your VNet will reside. In the next steps, when we deploy virtual machines, they must exist within the same location.

Select Create.

Wait for the virtual network to be deployed. You will receive a “Deployment Succeeded” message. 

Browse to your new virtual network and select it.

There are a number of ways to do this. The simplest is to select Virtual networks on the left bar. If you don’t see text there, select the three horizontal lines near the top left of the Microsoft Azure portal to expand the left tool bar.


Under SETTINGS, select Subnets. Select + Subnet.

Set Subnet name to Subnet2.

Select an address space for the subnet from the available range or ranges in your VNet.

Leave Network security group and Route table set to None.

Select OK.
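The portal does not tell you in advance whether a second subnet will fit, so it helps to check the address plan before typing it in. The following Python is an added example, not part of the Fortinet recipe or of any Azure tooling. It enforces the rules this section states (each subnet must be a subset of the VNet address space, Subnet1 must leave room for Subnet2, and the two must not overlap) and goes one step further by locating the first free block for Subnet2. The five reserved addresses per subnet and the /29 minimum come from Azure's published virtual-network limits, not from the recipe; the function and constant names are the example's own.

```python
"""Check a two-subnet Azure VNet plan before creating it in the portal.

Added example; not from the Fortinet recipe or from Azure's own tooling.
"""
import ipaddress
from typing import Dict, Iterable, Optional

# Azure keeps five addresses in every subnet for itself (network address,
# default gateway, two for DNS mapping, broadcast) and accepts nothing
# smaller than a /29. Both values are taken from Azure's VNet documentation.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_MIN_SUBNET_PREFIX = 29


def check_subnet(vnet: str, subnet: str, others: Iterable[str] = ()) -> Optional[str]:
    """Return None if `subnet` is a valid new subnet of `vnet`, else the reason."""
    try:
        net = ipaddress.ip_network(vnet, strict=True)
        sub = ipaddress.ip_network(subnet, strict=True)
    except ValueError as exc:  # host bits set, bad prefix, etc.
        return f"invalid prefix: {exc}"
    if not sub.subnet_of(net):
        return f"{sub} is not inside VNet {net}"
    if sub.prefixlen > AZURE_MIN_SUBNET_PREFIX:
        return f"{sub} is smaller than the /{AZURE_MIN_SUBNET_PREFIX} minimum"
    for other in (ipaddress.ip_network(o) for o in others):
        if sub.overlaps(other):
            return f"{sub} overlaps existing subnet {other}"
    return None


def usable_hosts(subnet: str) -> int:
    """Addresses you can actually assign once Azure's reserved five are removed."""
    return ipaddress.ip_network(subnet).num_addresses - AZURE_RESERVED_PER_SUBNET


def next_free_subnet(vnet: str, used: Iterable[str], prefixlen: int) -> Optional[str]:
    """First /prefixlen block inside `vnet` that overlaps none of `used`, or None."""
    net = ipaddress.ip_network(vnet)
    taken = [ipaddress.ip_network(u) for u in used]
    if prefixlen < net.prefixlen:
        return None  # cannot carve a block larger than the VNet itself
    for candidate in net.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


def plan_recipe_subnets(vnet: str, subnet1: str, subnet2_prefixlen: int = 24) -> Dict[str, object]:
    """Validate Subnet1 against the VNet and pick a non-overlapping Subnet2.

    Raises ValueError with the reason when the plan cannot work.
    """
    problem = check_subnet(vnet, subnet1)
    if problem:
        raise ValueError(f"Subnet1: {problem}")
    subnet2 = next_free_subnet(vnet, [subnet1], subnet2_prefixlen)
    if subnet2 is None:
        raise ValueError("Subnet1 leaves no room for Subnet2 inside the VNet")
    return {
        "Subnet1": subnet1,
        "Subnet2": subnet2,
        "Subnet2 usable hosts": usable_hosts(subnet2),
    }


if __name__ == "__main__":
    # Constructed sample plan: a /23 VNet with Subnet1 taking the lower /24.
    print(plan_recipe_subnets("10.0.0.0/23", "10.0.0.0/24"))
    try:
        plan_recipe_subnets("10.0.0.0/24", "10.0.0.0/24")  # no room left
    except ValueError as exc:
        print("rejected:", exc)
```

Run it before section 3: if `plan_recipe_subnets` raises, widen the VNet address space or shrink Subnet1 rather than discovering the problem after the FortiGate template has already been purchased.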


3. Installing the FortiGate-VM in the VNet 

This section shows how to install a FortiGate NGFW in the VNet that was created in the previous section.

In the Microsoft Azure Dashboard, select + New and search for FortiGate.

Select the option FortiGate NGFW Single VM Template and select Create.

In the Basics section, set a FortiGate VM Name.

Select the PAYG/BYOL License option that corresponds to the license type that you purchased.

Set a FortiGate administrative username. This name can’t be admin or root. An account named admin will also be created that has a randomly generated password. After the installation, you should change the password of the admin account. 

Choose a FortiGate Password for the new account and confirm the password. This must be a complex password containing three of the following types of characters: numbers, capital letters, lowercase letters, and special characters. For security reasons, it’s not possible to reset this password through the Microsoft Azure portal, so make sure that you remember the password.

Select the appropriate Subscription from the drop-down list. You may have only one option here.

Create a new Resource group. Currently, it’s not possible to select an existing resource group for a Microsoft Azure Marketplace template set.

Set the same Location as you did when you created the VNet in the previous section.

Select OK.

In the Network Settings and Instance section, select Virtual network, then select the VNet that you created in the previous step.

Select Configure subnets.

Set Outside Subnet to Subnet1. This will be the subnet on which the WAN port resides.

Set Internal Subnet to Subnet2. This will be the subnet on which the protected port resides.

Select OK.

Select the Virtual machine size of the FortiGate from the Recommended choices, or select View all to get additional options. Select OK.

In the FortiGate IP Address Assignments section, set a resource name for the new public IP address. Choose between a Dynamic or Static public IP. A static IP may have associated costs, while a dynamic public IP may be replaced if your FortiGate reboots.

Select OK.

Wait for validation to pass, then select OK.

Select Purchase to buy the FortiGate-VM instance from Microsoft Azure. 

Once the FortiGate-VM is deployed, you will see a “Deployment succeeded” message.

4. Associating the route tables with the subnets

You must associate both Subnet1 and Subnet2 to their corresponding Route tables (in this example, FortiGate-Subnet1-routes and FortiGate-Subnet2-routes).

In the Microsoft Azure Dashboard, select Resource groups. Select the resource group that you created when you created the FortiGate-VM in step 3 (in this example, FortiGateRG1).  
In the Overview screen, you will see two Route tables listed. Select the route table for internal routes (in this example, FortiGate-Subnet2-routes).

You must associate the route table to a subnet.

Under Settings, select Subnets.

Select + Associate.

In the Associate subnet section, select Virtual network, then select the VNet that you created when you created the FortiGate-VM in step 2 (in this example, FortiGateProtectedVNet1).

Select your second subnet (in this example, Subnet2). Select OK.

Wait about 30 seconds for the route table to be associated with the subnet.

Repeat the steps in this section to associate Subnet1 with its corresponding Route table (in this example, FortiGate-Subnet1-routes).

5. Connecting to the FortiGate-VM

To connect to the FortiGate-VM, you must find its public IP address. There are a number of ways to do this. One way is to select Virtual machines on the left bar and then select the FortiGate-VM you created. Under Essentials, you will see the public IP address of the FortiGate-VM in the Public IP address field. 

Connect to the FortiGate using your browser and the FortiGate-VM IP address. You will see a certificate error message from your browser, which is normal because the default FortiGate certificate is self-signed and isn’t recognized by browsers. Proceed past this error. At a later time, you can upload a publicly-signed certificate to avoid this error. 

Log in to the FortiGate-VM with the FortiGate administrative username and FortiGate Password that you configured above. 

If you’re using a BYOL license, upload your license (.lic) file to activate the FortiGate-VM. Restart the FortiGate-VM and log in again.

After you log in, you will see that the license has been uploaded. You need to wait for authentication with the registration servers. This can take up to 15 minutes.

Select Return.

You will now see the FortiGate-VM dashboard.


Deploying FortiMail-VM virtual appliance in Microsoft Azure


The FortiMail Security Email Gateway for Microsoft Azure is deployed as a virtual appliance in Microsoft Azure cloud (IaaS). This recipe shows you how to install and configure a single instance FortiMail-VM virtual appliance in Microsoft Azure.

1. Registering and downloading your license

If you’re deploying a FortiMail-VM in the Microsoft Azure marketplace, you must obtain a license to activate it. FortiMail-VM for Microsoft Azure supports a bring-your-own-license (BYOL) licensing model.

Licenses can be obtained through any Fortinet partner. If you don’t have a partner, contact azure@fortinet.com for assistance in purchasing a license.

After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code. 

Go to https://support.fortinet.com/ and either create a new account or log in with an existing account. 

Go to Asset > Register/Renew to start the registration process.

In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Fill in the other fields with your information.


At the end of the registration process, download the license (.lic) file for your FortiMail-VM.

After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. When you upload the license (.lic) file to activate the FortiMail-VM (in step 3), if you get an error that the license is invalid, wait 30 minutes and try again.

2. Creating a FortiMail-VM

Log in to the Microsoft Azure Portal and select + New.

Search for and select Fortinet FortiMail Security Email Gateway from the search results.


Under Select a deployment model, ensure that Resource Manager is selected. Select Create.

In the Basics section, set a FortiMail-VM name in the FortiMail virtual appliance name field. 

Set a FortiMail administrative username. This name can’t be admin or root.

Choose a FortiMail password for the new account and confirm the password. This must be a complex password containing three of the following types of characters: numbers, capital letters, lowercase letters, and special characters. For security reasons, it’s not possible to reset this password through the Microsoft Azure portal, so make sure that you remember the password.

Select the appropriate Subscription from the drop-down list. You may have only one option here.

Create a new Resource group. Currently, it’s not possible to select an existing resource group for a Microsoft Azure Marketplace template set.

Set a Location for the VM.

Select OK.

The Network and Storage Settings and FortiMail IP address assignment sections contain FortiMail-VM settings that are optional, except for the virtual machine size and storage account, as explained below. Since you’re deploying the FortiMail-VM as a single instance on its own, you shouldn’t need to change the default values. 

Select Virtual machine size and select the appropriate VM size for your deployment.

Select Storage account and choose an existing storage account or create a new one.

To accept the Network and Storage Settings values, select OK.

To accept the FortiMail IP address assignment settings, select OK.


If your deployment model involves co-locating pre-existing resource group components such as storage, virtual network, subnet, public IP address, network security group, or availability set, you may need to modify these settings to fit into an existing topology. For more information about advanced deployments of cooperative products, see the Fortinet documentation.

Wait for validation to pass, then select OK.


Select Purchase to buy the FortiMail-VM instance from Microsoft Azure. 

Once the FortiMail-VM is deployed, you will see a “Deployment succeeded” message.


3. Connecting to the FortiMail-VM

To connect to the FortiMail-VM, you must find its public IP address. There are a number of ways to do this. One way is to select Virtual machines on the left bar and select the FortiMail-VM you created. Under Essentials, you will see the public IP address of the FortiMail-VM in the Public IP address field. 

Connect to the FortiMail-VM using your browser and the FortiMail-VM IP address. Log in to the FortiMail-VM with the FortiMail administrative username and FortiMail password that you configured above.  

Upload your license (.lic) file to activate the FortiMail-VM. Restart the FortiMail-VM and log in again.

After you log in, you will see that the license has been uploaded. You need to wait for authentication with the registration servers. This can take up to 15 minutes.

Select Return.

You will now see the FortiMail-VM dashboard.



Deploying FortiManager-VM virtual appliance in Microsoft Azure


FortiManager for Microsoft Azure is deployed as a virtual appliance in Microsoft Azure cloud (IaaS). This recipe shows you how to install and configure a FortiManager-VM virtual appliance in Microsoft Azure.

1. Registering and downloading your license

If you’re deploying a FortiManager-VM in the Microsoft Azure marketplace, you must obtain a license to activate it. FortiManager-VM for Microsoft Azure supports a bring-your-own-license (BYOL) licensing model.

Licenses can be obtained through any Fortinet partner. If you don’t have a partner, contact azure@fortinet.com for assistance in purchasing a license.

After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code. 

Go to https://support.fortinet.com/ and either create a new account or log in with an existing account. 

Go to Asset > Register/Renew to start the registration process.

In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Fill in the other fields with your information.

At the end of the registration process, download the license (.lic) file for your FortiManager-VM.

After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. When you upload the license (.lic) file to activate the FortiManager-VM (in step 3), if you get an error that the license is invalid, wait 30 minutes and try again.

2. Creating a FortiManager-VM

Log in to the Microsoft Azure Portal and select + New.

Search for and select FortiManager Centralized Security Management from the search results.

Under Select a deployment model, ensure that Resource Manager is selected. Select Create.

In the Basics section, set a FortiManager-VM name in the FortiManager virtual appliance name field. 

Set a FortiManager administrative username. This name can’t be admin or root.

Choose a FortiManager password for the new account and confirm the password. This must be a complex password containing three of the following types of characters: numbers, capital letters, lowercase letters, and special characters. For security reasons, it’s not possible to reset this password through the Microsoft Azure portal, so make sure that you remember the password.

Select the appropriate Subscription from the drop-down list. You may have only one option here.

Create a new Resource group. Currently, it’s not possible to select an existing resource group for a Microsoft Azure Marketplace template set.

Set a Location for the VM.

Select OK.

In the Network and Storage Settings section, select Virtual network. You can either create a new virtual network (VNet) or select an existing one.

In the Address space field, accept the default values or specify your own.

Select OK.

In the Subnet section, the Subnet name and Subnet address prefix are pre-defined and you shouldn’t need to change the default values. 

Select OK.

In the Virtual machine size section, select the appropriate VM size for your deployment. 

In the Microsoft Azure Marketplace, the FortiManager virtual machines come in a variety of sizes, from A0 Standard to D4 Standard. Each virtual machine size within each series has different limits for the amount of memory, number of network interface cards (NIC), maximum number of data disks, size of cache, and maximum input/output operations per second (IOPS) and bandwidth.

Select OK.

In the Storage account section, choose an existing storage account or create a new one. All resources should be in the same location.

Storage types are created from a Microsoft Azure storage account. The Microsoft Azure storage account, in turn, determines certain characteristics for the storage, such as whether the storage is locally redundant or geo-redundant, and whether the storage is based on standard HDDs or SSDs.

Set a Name for the storage account.

Under Performance, choose a storage account type.

Select the Replication option you want to use. The options are Locally redundant storage (LRS) or Geo-redundant storage (GRS). LRS is where all data in the Microsoft Azure storage account replicates synchronously to three different storage nodes within the primary region that was chosen when you created the Microsoft Azure storage account. GRS is where every entity is replicated into two data centers.

The data in the Microsoft Azure storage account is always replicated in order to ensure durability and high availability. Some settings can’t be changed after the storage account is created.

To accept the Network and Storage Settings values, select OK.

In the FortiManager IP address assignments section, select First public IP address resource name. In the Name field, set a name for the public IP address of the FortiManager. In the Assignment field, select Dynamic or Static. Select OK.

In the Public IP address type field, select Static or Dynamic. Select OK.

Wait for validation to pass, then select OK.

Select Purchase to buy the FortiManager-VM instance from Microsoft Azure. 

Once the FortiManager-VM is deployed, you will see a “Deployment succeeded” message.

3. Connecting to the FortiManager-VM

To connect to the FortiManager-VM, you must find its public IP address. There are a number of ways to do this. One way is to select Virtual machines on the left bar and select the FortiManager-VM you created. Under Essentials, you will see the public IP address of the FortiManager-VM in the Public IP address field. 

Connect to the FortiManager-VM using your browser and the FortiManager-VM IP address. Log in to the FortiManager-VM with the FortiManager administrative username and FortiManager password that you configured above. 

Upload your license (.lic) file to activate the FortiManager-VM. Restart the FortiManager-VM and log in again.

After you log in, you will see that the license has been uploaded. You need to wait for authentication with the registration servers. This can take up to 15 minutes.

Select Return.

You will now see the FortiManager-VM dashboard.


Configuring media type for a transceiver


With certain FortiGate models, a transceiver may not successfully connect immediately when plugged into a port. Configuration via the CLI is required.

This recipe shows how to configure the media type when ports using FG-TRAN-CFP2-LR4 will not become active. FortiGate models requiring this configuration with this transceiver are: FG-3800D, FG-3810D, FG-3815D, FIM-7910E, and FIM-7920E.

Configuring media type for FG-3800D, FG-3810D, and FG-3815D

Connect to the CLI of your FortiGate system using the management IP and enter the command below. The interface and transceiver indicated are examples. Be sure to enter the correct interface name and media type. 

config system interface
    edit "port1"
        set mediatype CFP2-LR4
    next
end

After you enter the CLI command, the FortiGate will reboot and the link to the transceiver is active.

Configuring media type for FIM-7910E & FIM-7920E

A manual reboot is required when changing the media type for the FIM-7910E but not for the FIM-7920E. The interface and transceiver indicated are examples. Be sure to enter the correct interface name and media type.

config system interface
    edit "2-C1"
        set mediatype lr
    next
end
execute reboot =====> only necessary for the FIM-7910E

For more details, consult the Fortinet Document Library’s hardware manuals.



Reading LZ4 log files


You may or may not have noticed, in the What’s New for FortiOS 5.4.0, the introduction of the .lz4 compression format. Log files are compressed to save space on the disk and to increase performance when transmitting them between the FortiGate and other devices such as a FortiAnalyzer. The LZ4 format focuses on the time it takes to compress the files rather than on how small the compressed file can be made. Log files are text files and will compress quite well regardless, but because this compression takes place in real time, the speed at which it compresses is a high priority.

The drawback to this use of compression is that if the files are being sent to something other than another Fortinet device, such as an FTP server for archival, the files cannot be read unaided.

LZ4 Reader

Seeing as how it would be cruel to point out a potential problem like this without providing a solution, there is a tool to read LZ4 files with the snazzy name of lz4_reader.  Provided that JDK is installed to run the script, the tool works on the following platforms:

  • Windows
  • Linux
  • Mac

Tool availability

At the time of writing this article, the tool was not available for download from a publicly accessible site. To get the tool, contact TAC and they should be able to track it down for you.

If the technician is unfamiliar with the tool, you can impress them with your insider knowledge and tell them to check Mantis bug 0366327.

Installing the tool

Step #1 – Verify JDK is installed

How you determine whether Java is already installed on your computer will depend on the platform that you are using, but if you haven’t got it, you can download the files you need from http://www.oracle.com/technetwork/java/javase/downloads/index.html

Instructions for installing JDK are already on the Internet so we won’t go over them here.

If you skip this step and run the program, you could get an error like:

'java' is not recognized as an internal or external command, operable program or batch file.

This is a good indicator that you do not have JDK installed.

Another thing that you will want to be careful of is that it is not just Java that is installed but JDK specifically. The first time I tried to run the program on my Mac, I dutifully checked and made sure the latest version of Java was there and ready to go. When I ran the program I got:

talesian$ java -jar log_reader.jar tlog.FGT3HD3914800177.vd1.20160327162450 
Exception in thread "main" java.lang.UnsupportedClassVersionError: lz4_reader_main : Unsupported major.minor version 51.0
  at java.lang.ClassLoader.defineClass1(Native Method)
  at java.lang.ClassLoader.defineClassCond(ClassLoader.java:637)
  at java.lang.ClassLoader.defineClass(ClassLoader.java:621)
  at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
  at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
  at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
  at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
  at java.security.AccessController.doPrivileged(Native Method)
  at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
  at java.lang.Class.forName0(Native Method)
  at java.lang.Class.forName(Class.java:249)
  at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:56)

Once I downloaded and installed the correct JDK everything worked smoothly.

Step #2 – Get the file

This is actually the most difficult part of the process. The file that you are looking for is lz4_reader.tar.gz.  It is not currently available to be downloaded by the public. You will have to get it from some helpful support person. It’s just a little over 3 MB. As you will notice by the extension, it is in a compressed file format as well.

Step #3 – Extract the files

Once you have downloaded the .tar.gz file, extract the files. This can be done with most compression or archive applications.

Windows

For the purposes of testing it on Windows, I used 7-zip, but most compression utilities will work just as well. This particular application had to extract the files in steps: first the gz layer and then the tar layer. Once you are at the level where the .bat and .jar files are, take that folder and place it where it is easily accessible. If feasible, the root of the C: drive is a simple option, as it is nice and easy to find through the command line.

Linux and Mac

For Mac users of the GUI, the Archive Utility app will extract the files directly to the lz4_reader folder without going through the steps that the 7-zip program did. For Linux users and Mac users that prefer the command line, you can use the tar utility.

$ tar xvzf lz4_reader.tar.gz 
x lz4_reader/._.DS_Store 
x lz4_reader/.DS_Store 
x lz4_reader/run.bat 
x lz4_reader/log_reader.jar 
x lz4_reader/

This will create a folder called lz4_reader in the same folder that you ran the command, though you won’t see the files that start with a “.” unless you have it set up to be able to view hidden files.

Running the tool

The tool is run from the command line. This means using cmd.exe in Windows or the terminal emulator in Linux and Mac. To keep things nice and simple, you can put the log file that you want to read in the same folder as the program.

To run a java command you have to start with java, and in this case because the program that we are going to be running is a .jar file, the -jar option also needs to be used.

Running the program is simple, in the command terminal go to the directory and run the command:

java -jar log_reader.jar <path><name of the file>

Windows

Change the context of the session to the folder or directory holding the utility and then run the command.

C:\lz4_reader> java -jar log_reader.jar tlog.FGT3HD3914800177.vd1.20160327162450
All readable contents are saved to C:\lz4_reader\tlog.FGT3HD3914800177.vd1.20160327162450_readable.
C:\lz4_reader>

If the log file is not in the same folder as the lz4_reader files (in this case, it is in a subfolder called test), include the path in the file name.

C:\lz4_reader> java -jar log_reader.jar C:\lz4_reader\test\DISK_alog_FGVM010000017392_root_20160614_042922

A folder called tlog.FGT3HD3914800177.vd1.20160327162450_readable is created in the same folder as the original file and within that folder, there is a file called tlog.65485_readable.txt

Linux and Mac

In Linux and Mac, the program is run the same way with one notable difference: in Windows, a backslash is used to separate directories, while in Linux and Mac a slash is used. The command on *nix-based platforms would be:

java -jar log_reader.jar test/tlog.FGT3HD3914800177.vd1.20160327162450 
All readable contents are saved to /Fortinet/working/lz4_reader/test/tlog.FGT3HD3914800177.vd1.20160327162450_readable.

Reading the file

Once the file has been converted into readable text, you need to pick an application to read it. For easy reading, I would not advise using word processor applications such as Notepad or Word to read the file. These products are intended to put words to paper, so they have a tendency to impose formatting styles that may not be appropriate for log files. You are probably not going to print out all of the logs, so a code editor or something along those lines might be a better choice for quickly going through the logs when looking for something specific.

To give an idea of the differences, I’ve copied the output of the first 5 lines of a test log file below using two different types of text application. The first is a word processor/editor; in this case, the file was opened using Microsoft Word. The next example was opened using a code editor; in this case, Atom, but something like Notepad++ produces the same results:

Word output:

date=2016-03-27 time=16:24:32 logid=0001000014 type=traffic subtype=local level=notice vd=vd1 srcip=172.16.200.2 srcport=49984 srcintf=”vd1″ dstip=172.16.95.16 dstport=53 dstintf=”port1″ sessionid=3378 proto=17 action=accept policyid=0 policytype=policy dstcountry=”Reserved” srccountry=”Reserved” trandisp=noop service=”DNS” app=”DNS” duration=476 sentbyte=7568 rcvdbyte=37905 sentpkt=118 rcvdpkt=76 appcat=”unscanned”
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=144.20.202.235 srcport=55165 srcintf=”lo” dstip=112.250.20.205 dstport=53 dstintf=”lo” sessionid=1954188563 proto=17 action=close policyid=2 policytype=policy dstcountry=”China” srccountry=”Spain” trandisp=noop service=”DNS” appid=27457 app=”Windows.File.Sharing” appcat=”Network.Service” apprisk=elevated applist=”default” duration=0 sentbyte=1708 rcvdbyte=3717 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=64.114.19.214 srcport=9953 srcintf=”lo” dstip=32.98.1.172 dstport=21 dstintf=”lo” sessionid=1954188564 proto=6 action=close policyid=0 policytype=policy dstcountry=”United States” srccountry=”Canada” trandisp=noop service=”FTP” appid=27946 app=”Fortiguard.Search” appcat=”Cloud.IT” apprisk=medium applist=”default” duration=0 sentbyte=2508 rcvdbyte=2038 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=44.103.247.160 srcport=1390 srcintf=”dummy0″ dstip=168.125.107.178 dstport=25 dstintf=”lo” sessionid=1954188565 proto=17 action=close policyid=1 policytype=policy dstcountry=”United States” srccountry=”United States” trandisp=noop service=”udp/25″ appid=15895 app=”SSL” appcat=”Network.Service” apprisk=elevated applist=”default” duration=0 sentbyte=1084 rcvdbyte=3061 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=44.103.247.160 srcport=30592 srcintf=”lo” dstip=16.62.205.154 dstport=443 dstintf=”lo” sessionid=1954188566 proto=6 action=close policyid=2 policytype=policy dstcountry=”United States” srccountry=”United States” trandisp=noop service=”HTTPS” appid=34789 app=”SNMP_GetRequest” appcat=”Network.Service” apprisk=elevated applist=”default” duration=0 sentbyte=3101 rcvdbyte=618 sentpkt=0 rcvdpkt=0

Atom output:

date=2016-03-27 time=16:24:32 logid=0001000014 type=traffic subtype=local level=notice vd=vd1 srcip=172.16.200.2 srcport=49984 srcintf="vd1" dstip=172.16.95.16 dstport=53 dstintf="port1" sessionid=3378 proto=17 action=accept policyid=0 policytype=policy dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="DNS" app="DNS" duration=476 sentbyte=7568 rcvdbyte=37905 sentpkt=118 rcvdpkt=76 appcat="unscanned"
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=144.20.202.235 srcport=55165 srcintf="lo" dstip=112.250.20.205 dstport=53 dstintf="lo" sessionid=1954188563 proto=17 action=close policyid=2 policytype=policy dstcountry="China" srccountry="Spain" trandisp=noop service="DNS" appid=27457 app="Windows.File.Sharing" appcat="Network.Service" apprisk=elevated applist="default" duration=0 sentbyte=1708 rcvdbyte=3717 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=64.114.19.214 srcport=9953 srcintf="lo" dstip=32.98.1.172 dstport=21 dstintf="lo" sessionid=1954188564 proto=6 action=close policyid=0 policytype=policy dstcountry="United States" srccountry="Canada" trandisp=noop service="FTP" appid=27946 app="Fortiguard.Search" appcat="Cloud.IT" apprisk=medium applist="default" duration=0 sentbyte=2508 rcvdbyte=2038 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=44.103.247.160 srcport=1390 srcintf="dummy0" dstip=168.125.107.178 dstport=25 dstintf="lo" sessionid=1954188565 proto=17 action=close policyid=1 policytype=policy dstcountry="United States" srccountry="United States" trandisp=noop service="udp/25" appid=15895 app="SSL" appcat="Network.Service" apprisk=elevated applist="default" duration=0 sentbyte=1084 rcvdbyte=3061 sentpkt=0 rcvdpkt=0
date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward level=notice vd=vd1 srcip=44.103.247.160 srcport=30592 srcintf="lo" dstip=16.62.205.154 dstport=443 dstintf="lo" sessionid=1954188566 proto=6 action=close policyid=2 policytype=policy dstcountry="United States" srccountry="United States" trandisp=noop service="HTTPS" appid=34789 app="SNMP_GetRequest" appcat="Network.Service" apprisk=elevated applist="default" duration=0 sentbyte=3101 rcvdbyte=618 sentpkt=0 rcvdpkt=0

Note that Word has replaced the straight double quotes around values such as srcintf="vd1" with typographic quotes. That is exactly the kind of silent change that breaks any script or tool that parses the key=value syntax, which is the real reason to avoid word processors for log files. You can make the file even easier to sort through by converting it to a spreadsheet, but I will leave that as an exercise for the reader.
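As an added example (not part of the original post), the following Python script does that conversion: it parses the key=value format shown above into records, tolerates the typographic quotes that Word inserts, and writes the result as CSV for a spreadsheet. The sample log is constructed from the first three lines shown above, with the third line deliberately written the way Word renders it (U+201D and U+2033 instead of straight quotes); the function names are this example's own.

```python
import csv
import io
import re

# Constructed sample: the first two lines from the straight-quote (Atom) output
# above, plus a third line as Word renders it, with typographic quotes
# (U+201D and U+2033) in place of the original straight double quotes.
SAMPLE_LOG = (
    'date=2016-03-27 time=16:24:32 logid=0001000014 type=traffic subtype=local '
    'level=notice vd=vd1 srcip=172.16.200.2 srcport=49984 srcintf="vd1" '
    'dstip=172.16.95.16 dstport=53 dstintf="port1" sessionid=3378 proto=17 '
    'action=accept policyid=0 policytype=policy dstcountry="Reserved" '
    'srccountry="Reserved" trandisp=noop service="DNS" app="DNS" duration=476 '
    'sentbyte=7568 rcvdbyte=37905 sentpkt=118 rcvdpkt=76 appcat="unscanned"\n'
    'date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd=vd1 srcip=144.20.202.235 srcport=55165 srcintf="lo" '
    'dstip=112.250.20.205 dstport=53 dstintf="lo" sessionid=1954188563 proto=17 '
    'action=close policyid=2 policytype=policy dstcountry="China" '
    'srccountry="Spain" trandisp=noop service="DNS" appid=27457 '
    'app="Windows.File.Sharing" appcat="Network.Service" apprisk=elevated '
    'applist="default" duration=0 sentbyte=1708 rcvdbyte=3717 sentpkt=0 rcvdpkt=0\n'
    'date=2016-03-27 time=16:24:39 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd=vd1 srcip=64.114.19.214 srcport=9953 srcintf=\u201dlo\u2033 '
    'dstip=32.98.1.172 dstport=21 dstintf=\u201dlo\u2033 sessionid=1954188564 proto=6 '
    'action=close policyid=0 policytype=policy dstcountry=\u201dUnited States\u2033 '
    'srccountry=\u201dCanada\u2033 trandisp=noop service=\u201dFTP\u2033 appid=27946 '
    'app=\u201dFortiguard.Search\u2033 appcat=\u201dCloud.IT\u2033 apprisk=medium '
    'applist=\u201ddefault\u2033 duration=0 sentbyte=2508 rcvdbyte=2038 sentpkt=0 rcvdpkt=0\n'
)

# Typographic quote characters a word processor may have substituted for '"'.
CURLY = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})

# key=value, where value is either a double-quoted string (may contain
# spaces, e.g. dstcountry="United States") or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one FortiOS key=value log line into a dict of string fields."""
    line = line.translate(CURLY)
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def parse_log(text):
    """Parse a whole log file; blank lines are skipped."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def to_csv(records):
    """Render records as CSV. Columns are the union of all keys, in first-seen
    order, so log types with extra fields (appid, apprisk) get their own columns."""
    columns = []
    for record in records:
        for key in record:
            if key not in columns:
                columns.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval="")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def find(records, **criteria):
    """Return the records whose fields equal every given criterion,
    e.g. find(records, apprisk="elevated", action="close")."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(to_csv(recs))
    for r in find(recs, apprisk="elevated"):
        print("elevated risk:", r["srcip"], "->", r["dstip"], r["app"])
```

To convert a real file, replace SAMPLE_LOG with the contents of the decompressed log and write the output of to_csv to a .csv file; field values are kept as strings, so convert sentbyte/rcvdbyte to integers before summing them in the spreadsheet or in Python.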


The post Reading LZ4 log files appeared first on Fortinet Cookbook.

Packet capture


In this example you will look inside the headers of the HTTP and HTTPS packets on your network.

Packet capture is also called network tapping, packet sniffing, or logic analyzing.

To use packet capture, your FortiGate model must have internal storage and disk logging must be enabled. If you are not sure whether your model supports disk logging, check the FortiGate Feature/Platform Matrix.

Find this recipe for other FortiOS versions
5.2 | 5.6

1. Creating packet capture filters

Go to Network > Packet Capture and create a new filter.
 
If the Packet Capture option does not appear in the main GUI, you can also use the URL https://[management-IP]/ng/page/p/firewall/sniffer/ to access this menu, substituting the correct IP address.
The simplest filter just captures all of the packets received by an interface. This filter captures 10 packets received by the lan interface.
 
You can select Enable Filters to be more specific about the packets to capture.
 
This filter captures 100 HTTP and HTTPS packets (port 80 and 443) received by the lan interface that have a source or destination address in the range 192.168.100.100-192.168.100.200.
 

This filter captures the first 4000 Stream Control Transmission Protocol (SCTP) packets received by the wan1 interface.

This filter captures the first 1000 DNS packets (port 53) querying the Google DNS server (IP address 8.8.8.8) with VLAN IDs 37 or 39.
 

2. Results

Running packet capture filters may affect FortiGate performance.

Go to Network > Packet Capture, choose a filter, and select the Play icon. You can watch the filter capture packets. When the number of packets specified in the filter are captured the filter stops.

You can stop and restart multiple filters at any time.

After a filter runs, select and edit it. The option to download the captured packets is available.

You can open the file with a .pcap file viewer like Wireshark.
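As an added example (not part of the original recipe), the following Python script checks a downloaded capture against the filter it was supposed to match: it reads the .pcap container, decodes Ethernet, 802.1Q and IPv4 headers, and reports how many packets fall outside the filter, which is a quick way to confirm that a VLAN or host condition really took effect before you spend time in Wireshark. The sample capture is built in memory from hand-constructed frames; the frame builder, the filter semantics (port and host match in either direction, VLAN IDs are ORed) and the addresses are this example's own assumptions, with the DNS filter mirroring the 8.8.8.8 / VLAN 37 or 39 filter described above.

```python
import ipaddress
import struct

ETH_IP, ETH_VLAN = 0x0800, 0x8100


def build_frame(proto, src, dst, sport, dport, vlan=None):
    """Construct a minimal Ethernet/IPv4 frame with a 4-byte port header.
    Only the fields the checker decodes are meaningful; checksums are zero."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    eth = b"\x02" * 6 + b"\x04" * 6  # dummy destination and source MACs
    if vlan is not None:
        eth += struct.pack("!HHH", ETH_VLAN, vlan & 0xFFF, ETH_IP)  # 802.1Q tag
    else:
        eth += struct.pack("!H", ETH_IP)
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap):
    """Yield the raw bytes of each packet record in a pcap file."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Return vlan/proto/addresses/ports for an IPv4 frame, or None otherwise."""
    vlan, off = None, 14
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETH_VLAN:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0xFFF, 18
    if etype != ETH_IP:
        return None
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]  # IP protocol number, e.g. 6 TCP, 17 UDP, 132 SCTP
    src = str(ipaddress.IPv4Address(frame[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(frame[off + 16:off + 20]))
    sport = dport = None
    if proto in (6, 17, 132):  # TCP, UDP and SCTP all start with src/dst port
        sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return {"vlan": vlan, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}


def matches(pkt, proto=None, ports=(), hosts=(), vlans=()):
    """Filter semantics: port and host match either direction, VLANs are ORed."""
    if proto is not None and pkt["proto"] != proto:
        return False
    if ports and pkt["sport"] not in ports and pkt["dport"] not in ports:
        return False
    if hosts and pkt["src"] not in hosts and pkt["dst"] not in hosts:
        return False
    if vlans and pkt["vlan"] not in vlans:
        return False
    return True


def verify_capture(pcap, **flt):
    """Return (matching, non_matching). Anything non-matching is a packet the
    filter should have excluded, or a non-IPv4 frame the filter cannot describe."""
    ok = bad = 0
    for raw in iter_packets(pcap):
        pkt = decode(raw)
        if pkt is None or not matches(pkt, **flt):
            bad += 1
        else:
            ok += 1
    return ok, bad


# Constructed sample capture: two DNS packets to/from 8.8.8.8 on VLANs 37 and 39,
# one DNS packet to a different resolver, and one untagged SCTP packet.
SAMPLE_PCAP = build_pcap([
    build_frame(17, "192.168.1.10", "8.8.8.8", 40001, 53, vlan=37),
    build_frame(17, "8.8.8.8", "192.168.1.10", 53, 40001, vlan=39),
    build_frame(17, "192.168.1.10", "8.8.4.4", 40002, 53, vlan=37),
    build_frame(132, "10.0.0.1", "10.0.0.2", 3868, 3868),
])
DNS_FILTER = {"proto": 17, "ports": {53}, "hosts": {"8.8.8.8"}, "vlans": {37, 39}}

if __name__ == "__main__":
    print("DNS filter  (match, stray):", verify_capture(SAMPLE_PCAP, **DNS_FILTER))
    print("SCTP filter (match, stray):", verify_capture(SAMPLE_PCAP, proto=132))
```

To check a real download, pass the file contents: verify_capture(open("capture.pcap", "rb").read(), proto=132). The reader handles classic pcap only, not pcapng, and decodes IPv4 only; IPv6 or non-IP frames are counted as non-matching so that they are not silently ignored.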

For further reading, check out Packet Capture in the FortiOS 5.6 Handbook.

 

Note: the URL above may show the Packet Capture menu on all FortiGates, even those that do not have disk logging enabled (and cannot use the feature).

Note: when specifying a protocol in a filter, protocols are identified using IP protocol numbers; for example, SCTP is protocol 132.

The post Packet capture appeared first on Fortinet Cookbook.

Episode 15: FortiCloud 3.2


Shared VLAN using Transparent Mode switching


In this recipe, we will look at how a common VLAN can be shared with multiple VDOMs using FortiOS.

There are many circumstances where a security architecture may call for multiple virtual firewalls (VDOMs) to be connected to the same shared segment, usually in the form of a VLAN tagged on a single logical interface on a physical FortiGate. The default rule regarding interfaces and VDOMs is that any given logical interface can belong to only one VDOM, which effectively prevents this scenario from being deployed. However, a feature of transparent VDOMs called “forwarding domains” provides a solution.

The diagram represents a typical scenario, most common to MSSPs and enterprises but also seen in other niche use cases. A single VLAN representing a given subnet is connected to a physical interface on the FortiGate and must be shared with multiple VDOMs, all of which must access the same subnet. While this scenario could be addressed by using the same VLAN number on multiple physical interfaces, each mapped to a distinct VDOM, this quickly becomes a problem as the number of VDOMs grows, since each one requires a distinct physical port on both the firewall and the switching infrastructure. It becomes even more prohibitive when the physical interfaces are high-end 10/40/100 Gbps ports, where the usual approach is link aggregation.

As pictured above, a very effective means to address this issue while deriving some additional benefits is to use a transparent mode VDOM, called “switch” in our example. Our example has 3 additional NAT/route VDOMs called “vdomA”, “vdomB” and “vdomC”.

A transparent mode VDOM handles VLAN tags in a unique manner: on its configured interfaces it strips the incoming VLAN information and replaces it with another identifier called the “forwarding domain ID”. This happens internally and is not seen on external traffic.

A forwarding domain’s behaviour is simple: all interfaces belonging to the same forwarding domain are effectively layer 2 bridged, so long as the policies allow the traffic. Policies are very much still enforced in transparent mode VDOMs and, in fact, most policy aspects are identical to NAT/route mode operation. Behind the scenes, each forwarding domain is a separate “inner VLAN”, in which the MAC addresses learned from each interface belonging to the domain populate the domain’s forwarding table.

As mentioned previously, VLAN information is stripped on arrival and inserted when leaving. This is important to our solution as it allows us to perform VLAN rewriting and therefore make use of additional VLAN IDs when exchanging traffic over the NPU vlink between “switch” and the other VDOMs.

This recipe is documented in CLI but the majority of this configuration can be accomplished through the GUI. Note that this is an expert recipe which assumes good comfort level with FortiOS.

Configuration: Transparent mode VDOM

The configuration below creates the transparent VDOM and assigns the external VLAN100 logical interface, along with three logical interfaces on npu0-vlink0 (VLANs 1001, 1002 and 1003, arbitrary values), to VDOM “switch”. We then create a policy allowing layer 2 traffic to flow between all four interfaces in forwarding domain 10. Note that there is a great deal of flexibility in what you choose to do at this layer: UTM features and traffic-shaping profiles can be applied to the traffic. A minimalist measure, often implemented when this is used for multi-tenant environments, is to allow traffic between the shared VLAN and the VDOMs but not between the VDOMs (tenants) themselves. Finally, the author is using a somewhat bogon IP address for the transparent VDOM manageip; feel free to use any unused address that will not transit through the transparent VDOM, bearing in mind that 1.1.1.1 has since become a publicly routed address (a public DNS resolver), so an RFC 5737 documentation address or unused space from your own addressing plan is the safer choice. If you require the VDOM to leverage external features that require it to communicate with the outside world, you would configure a valid address. In this case we are managing the appliance from the root VDOM, which isn’t shown in this example.

config vdom
 edit switch
  config sys settings 
  set opmode transparent
  set manageip 1.1.1.1/32
 end
end
config global
 config sys interface
    edit "VLAN100"
        set vdom "switch"
        set forward-domain 10
        set interface "port9"
        set vlanid 100
    next
    edit "VLAN100_vdomA"
        set vdom "switch"
        set forward-domain 10
        set interface "npu0_vlink0"
        set vlanid 1001
    next
    edit "VLAN100_vdomB"
        set vdom "switch"
        set forward-domain 10
        set interface "npu0_vlink0"
        set vlanid 1002
    next 
    edit "VLAN100_vdomC"
        set vdom "switch"
        set forward-domain 10
        set interface "npu0_vlink0"
        set vlanid 1003
    next
 end
end
config vdom
 edit switch
  config firewall policy
    edit 0
        set name "Allow all switched traffic"
        set srcintf "VLAN100" "VLAN100_vdomA" "VLAN100_vdomB" "VLAN100_vdomC"
        set dstintf "VLAN100" "VLAN100_vdomA" "VLAN100_vdomB" "VLAN100_vdomC"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
  end
end
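The “Allow all switched traffic” policy above bridges every interface in forwarding domain 10 to every other, so tenant A can reach tenant B directly through the transparent VDOM. The tenant-isolating variant mentioned earlier replaces that single policy with two, one per direction between the shared VLAN and the tenant interfaces, and simply has no policy between the tenant interfaces, so that traffic is implicitly denied. This is an added example in the same CLI style, not part of the original recipe, and it assumes the interface names defined above. Since firewall policies in a transparent VDOM match IP traffic, the tenants still share one layer 2 broadcast domain and non-IP frames such as ARP are still bridged within the forwarding domain; if even that is unacceptable, each tenant needs its own forwarding domain.

```text
config vdom
 edit switch
  config firewall policy
    edit 0
        set name "Shared VLAN to tenants"
        set srcintf "VLAN100"
        set dstintf "VLAN100_vdomA" "VLAN100_vdomB" "VLAN100_vdomC"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Tenants to shared VLAN"
        set srcintf "VLAN100_vdomA" "VLAN100_vdomB" "VLAN100_vdomC"
        set dstintf "VLAN100"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
  end
end
```

Delete the original allow-all policy (or place these two above it and then remove it) so that no policy matches a tenant-to-tenant flow; the implicit deny at the end of the policy list then does the isolation.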

Configuration: Routed VDOMs

The routed VDOMs connected to the transparent VDOM need little explanation, other than that each uses the matching VLAN ID on the opposing npu0-vlink1 interface. For more information on NPU vlinks, consult the FortiOS Handbook section on NPU-accelerated VDOM links. This example is specifically limited to platforms equipped with NPU ASICs; however, one could implement similar switching behaviour in software using standard vdom-link interfaces.

config vdom
 edit vdomA
 next
 edit vdomB
 next
 edit vdomC
end
config global
 config sys interface
    edit "vdomA-wan"
        set vdom "vdomA"
        set ip 192.168.100.101 255.255.255.0
        set allowaccess ping
        set interface "npu0_vlink1"
        set vlanid 1001
    next
    edit "vdomB-wan"
        set vdom "vdomB"
        set ip 192.168.100.102 255.255.255.0
        set allowaccess ping
        set interface "npu0_vlink1"
        set vlanid 1002
    next
    edit "vdomC-wan"
        set vdom "vdomC"
        set ip 192.168.100.103 255.255.255.0
        set allowaccess ping 
        set interface "npu0_vlink1"
        set vlanid 1003
    next
 end
end

 


The post Shared VLAN using Transparent Mode switching appeared first on Fortinet Cookbook.

Security Fabric installation and audit


In this recipe, you will configure a Fortinet Security Fabric that consists of four FortiGates and a FortiAnalyzer. One of the FortiGates will act as the network edge firewall and root FortiGate of the Security Fabric, while the others function as Internal Segmentation Firewalls (ISFWs).

Once the network has been configured, a Security Fabric Audit is run, to analyze the Security Fabric and recommend changes to help improve the configuration.

This recipe is in the Security Fabric Collection. It can also be used as a standalone recipe.

In the example network, the following FortiGate aliases are used:

  • External: the root FortiGate in the Security Fabric. This FortiGate is named “External” because it is the only FortiGate that directly connects to the Internet. This role is also known as the edge or gateway FortiGate.
  • Accounting: an ISFW FortiGate that connects to External.
  • Marketing: an ISFW FortiGate that connects to External.
  • Sales: an ISFW FortiGate that connects to Marketing.

This recipe was created using FortiOS 5.6.1. If you are using 5.6.0, GUI paths related to the Security Fabric and the appearance of some pages will differ from what is shown.

Find this recipe for other FortiOS versions
5.4 | 5.6

1. Configuring External

In the Security Fabric, External is the root FortiGate. This FortiGate receives information from the other FortiGates in the Security Fabric and is used to run the Security Fabric Audit.

In the example, the following interfaces on External are used to connect to other network devices:

  • Port 9 connects to the Internet (this interface was configured when External was initially installed)
  • Port 10 connects to Accounting (IP address: 192.168.10.2)
  • Port 11 connects to Marketing (IP address: 192.168.200.2)
  • Port 16 connects to the FortiAnalyzer (IP address: 192.168.55.2)

On External, go to Network > Interfaces and edit port 10. Set an IP/Network Mask for the interface (in the example, 192.168.10.2/255.255.255.0).

Set Administrative Access to allow FortiTelemetry, which is required for communication between FortiGates in the Security Fabric.

Repeat this step to configure the other interfaces with the appropriate IP addresses, as listed above.

Go to Policy & Objects > IPv4 Policy and create a policy for traffic from Accounting to the Internet.

Enable NAT.

Repeat this step to create a similar policy for Marketing.

On External, go to System > Feature Select. Under Additional Features, enable Multiple Interface Policies.

Go to Policy & Objects > IPv4 Policy and create a policy allowing Accounting and Marketing to access the FortiAnalyzer.

To enable communication between the FortiGates in the Security Fabric, go to Security Fabric > Settings and enable FortiGate Telemetry. Set a Group name and Group password.

FortiAnalyzer Logging is now enabled by default. Set IP address to an internal address that will later be assigned to port 1 on the FortiAnalyzer (in the example, 192.168.55.10).

Select Test Connectivity. An error appears because the FortiGate is not yet authorized on the FortiAnalyzer. This authorization will be configured in a later step.

2. Installing Accounting and Marketing

On Accounting, go to Network > Interfaces and edit WAN1.

Set an IP/Network Mask for the interface that is on the same subnet as port 10 on External (in the example, 192.168.10.10/255.255.255.0).

Edit the internal interface.

Set Addressing mode to Manual and set the IP/Network Mask to a private IP address (in the example, 10.10.10.1/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

Go to Network > Static Routes and add a static route. Set Gateway to the IP address of port 10 on External.

Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Accounting network to access External.

Go to Security Fabric > Settings to add Accounting to the Security Fabric. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously on External.

Enable Connect to upstream FortiGate and enter the IP address of port 10 on External.

FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer will be retrieved when Accounting connects to External.

If you have not already done so, connect WAN1 on Accounting to port 10 on External.

Connect and configure Marketing, using the same method you used to configure Accounting. Make sure to complete the following steps:

  • Configure WAN1 to connect to External (IP address: 192.168.200.10/255.255.255.0)
  • Configure the LAN interface for the Marketing network (IP address: 10.10.200.1/255.255.255.0)
  • Create a static route pointing traffic to port 11 on External
  • Create a policy to allow users on the Marketing network to access External
  • Add Marketing to the Security Fabric

3. Installing Sales

On Marketing, go to Network > Interfaces and edit the interface that Sales will connect to (in the example, internal14).

Set an IP/Network Mask for the interface (in the example, 192.168.135.2/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

Go to Policy & Objects > IPv4 Policy and create a policy for traffic from Sales to External.

Enable NAT.

On Sales, go to Network > Interfaces and edit WAN2.

Set an IP/Network Mask for the interface that is on the same subnet as the internal14 interface on Marketing (in the example, 192.168.135.10/255.255.255.0).

Edit the LAN interface.

Set Addressing Mode to Manual, and set the IP/Network Mask to a private IP address (in the example, 10.10.135.1/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses, using DHCP, to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

Go to Network > Static Routes and add a route. Set Gateway to the IP address of the internal14 interface on Marketing.

Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Sales network to access Marketing.

Go to Security Fabric > Settings to add Sales to the Security Fabric. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously.

Enable Connect to upstream FortiGate and enter the IP address of the internal14 interface on Marketing.

FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer will be retrieved when Sales connects to Marketing.

If you have not already done so, connect WAN2 on Sales to the internal14 interface on Marketing.
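Steps 1 to 3 above hinge on two things being consistent for every link in the fabric: each downstream WAN address must sit on the same subnet as the upstream interface it plugs into, and each static-route gateway must be the upstream interface address. The following Python check is an added example rather than anything from the recipe; it encodes the addressing used above and flags the mistakes that are easy to make when repeating the steps for each FortiGate (a WAN address typed onto the wrong subnet, a gateway that does not match the upstream address, a duplicate address, or overlapping LAN subnets). The data structures and function names are this example's own.

```python
import ipaddress

# Constructed from the addressing used in this recipe: for each downstream
# FortiGate, its WAN interface address, the upstream interface it connects to,
# and the gateway configured in its static route.
FABRIC_LINKS = {
    "Accounting": {"wan": "192.168.10.10/24", "upstream": "External port10",
                   "upstream_ip": "192.168.10.2/24", "gateway": "192.168.10.2"},
    "Marketing": {"wan": "192.168.200.10/24", "upstream": "External port11",
                  "upstream_ip": "192.168.200.2/24", "gateway": "192.168.200.2"},
    "Sales": {"wan": "192.168.135.10/24", "upstream": "Marketing internal14",
              "upstream_ip": "192.168.135.2/24", "gateway": "192.168.135.2"},
}

# LAN subnets behind each FortiGate, plus the FortiAnalyzer subnet on External.
LAN_SUBNETS = {
    "External port16": "192.168.55.2/24",
    "Accounting LAN": "10.10.10.1/24",
    "Marketing LAN": "10.10.200.1/24",
    "Sales LAN": "10.10.135.1/24",
}


def check_link(name, link):
    """Return the problems with one downstream/upstream link (empty list = OK)."""
    problems = []
    wan = ipaddress.ip_interface(link["wan"])
    up = ipaddress.ip_interface(link["upstream_ip"])
    gw = ipaddress.ip_address(link["gateway"])
    if wan.network != up.network:
        problems.append(f"{name}: WAN {wan} is not on the upstream subnet {up.network}")
    if wan.ip == up.ip:
        problems.append(f"{name}: WAN address duplicates the upstream address {up.ip}")
    if gw != up.ip:
        problems.append(f"{name}: static-route gateway {gw} is not the upstream address {up.ip}")
    return problems


def check_overlaps(subnets):
    """Flag any two subnets that overlap; overlapping networks break routing
    and make the Security Fabric topology ambiguous."""
    nets = {k: ipaddress.ip_interface(v).network for k, v in subnets.items()}
    names = sorted(nets)
    return [f"{a} ({nets[a]}) overlaps {b} ({nets[b]})"
            for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_plan(links, subnets):
    """Run every check over the whole addressing plan; an empty list means the
    plan is consistent."""
    problems = []
    for name, link in links.items():
        problems += check_link(name, link)
    uplinks = {f"{name} uplink": link["wan"] for name, link in links.items()}
    problems += check_overlaps({**subnets, **uplinks})
    return problems


if __name__ == "__main__":
    for problem in check_plan(FABRIC_LINKS, LAN_SUBNETS) or ["addressing plan is consistent"]:
        print(problem)
```

A typical slip, such as entering 192.168.35.2 instead of 192.168.135.2 for the Marketing side of the Sales link, shows up as a WAN-not-on-upstream-subnet finding before you spend time wondering why FortiTelemetry never connects.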

4. Configuring the FortiAnalyzer

To use the FortiAnalyzer in the Security Fabric, make sure that the firmware is compatible with the version of FortiOS on the FortiGates. To check for compatibility, see the FortiAnalyzer Release Notes.

On the FortiAnalyzer, go to System Settings > Network, select All Interfaces, and edit port 1. Set IP Address/Netmask to the IP address used for the Security Fabric configuration on External (192.168.55.10/255.255.255.0).

Add a Default Gateway, using the IP address of port 16 on External.

Go to Device Manager. The FortiGates are listed as Unregistered.

Select the FortiGates, then select +Add.

The FortiGates now appear as Registered.

After a moment, a warning icon appears beside External because the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric.

Select the FortiGate, then enter the administrative authentication information.

On External, go to Security Fabric > Settings. FortiAnalyzer Logging now shows Storage usage information.

5. Running a Security Fabric Audit

You can use the Security Fabric Audit to analyze your Security Fabric deployment, identify potential vulnerabilities, and highlight best practices. Using the Security Audit helps you improve your network configuration, deploy new hardware and software, and gain more visibility and control over your network.

By regularly checking your network’s Security Score, which is determined by how many checks your network passes or fails during the Security Audit, and making the recommended improvements, you can have confidence that your network is getting more secure over time.

You must run the Security Fabric Audit on the root FortiGate in the Security Fabric.

On External, go to Security Fabric > Audit.

All the FortiGates in the Security Fabric are shown. Select Next.

At the top of the page, you can see your network’s Security Score, as well as the overall count of how many checks were passed or failed, with the failed checks divided by severity.

Further down, you can see information about each failed check, including which FortiGate failed the check, the effect on your network’s score, and the recommendation for fixing the issue.

Easy Apply recommendations may be automatically applied by the wizard in the next stage.

By using Easy Apply, you can change the configuration of any FortiGate in the Security Fabric, not just the root FortiGate.

Select all the changes you want to make, then select Apply Recommendations.

6. Results

On External, go to Dashboard > Main. The Security Fabric widget displays the names of the FortiGates in the Security Fabric.

The icons on the top indicate which other Fortinet devices can be used in a Security Fabric. Devices in blue are detected in your network, devices in gray are not detected in your network, and devices in red are also not detected in your network but are recommended for a Security Fabric.

Also located on the Dashboard is the Security Fabric Score widget, which displays your network’s current score.

If either of these widgets does not appear on your dashboard, it can be added using the settings button in the bottom right corner. This button appears when your mouse hovers over any part of the dashboard.

Go to Security Fabric > Physical Topology. This page shows a visualization of access layer devices in the Security Fabric.

Security Fabric Audit recommendations are also shown in the topology, next to the icon of the device the recommendations apply to.

Go to Security Fabric > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the Security Fabric is connected to.

On the FortiAnalyzer, go to Device Manager. The FortiGates are now shown as part of a Security Fabric group. The * beside External indicates that it is the root FortiGate in the Security Fabric.

Right-click on the Security Fabric group and select Fabric Topology. The topology of the Security Fabric is displayed.

7. (Optional) Adding security profiles to the Security Fabric

The Security Fabric allows you to distribute security profiles to different FortiGates in your network, which can lessen the workload of each device and avoid creating bottlenecks. For example, you can implement antivirus scanning on External while the ISFW FortiGates apply application control and web filtering.

This results in distributed processing between the FortiGates in the Security Fabric, which reduces the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network as other internal networks may have different application control and web filtering requirements.

This configuration may result in threats getting through External, which means you should very closely limit access to the network connections between the FortiGates in the network.

On External, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from Accounting to the Internet.

Under Security Profiles, enable AntiVirus and select the default profile.

Do the same for the policy allowing traffic from Marketing to the Internet.

On Accounting, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting network to the Internet.

Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both.

Repeat this step for both Marketing and Sales.

For further reading, check out Security Fabric in the FortiOS 5.6 Handbook.

Note: External has already been installed in NAT/Route mode in the “Installing a FortiGate in NAT/Route mode” recipe.

Note: in this recipe, the policy allowing access to the FortiAnalyzer is called Access-External-Device because more Fortinet devices, such as a FortiSandbox, will be added to the subnet currently used by the FortiAnalyzer.

Note: the Physical Topology and Logical Topology views show only Fortinet devices.

The post Security Fabric installation and audit appeared first on Fortinet Cookbook.

FortiSandbox in the Security Fabric


In this recipe, you will add a FortiSandbox to your Security Fabric and configure each FortiGate in the network to send suspicious files to FortiSandbox for sandbox inspection. The FortiSandbox scans and tests these files in isolation from your network.

This recipe is in the Security Fabric Collection. It can also be used as a standalone recipe.

This example uses the Security Fabric configuration created in the following recipe: Security Fabric installation. The FortiSandbox will connect to the root FortiGate in the Security Fabric, known as External. There will be two connections between the devices:

  • FortiSandbox port 1 (administration port) connects to External port 16
  • FortiSandbox port 3 (VM outgoing port) connects to External port 13

This recipe was created using FortiOS 5.6.1. If you are using 5.6.0, GUI paths related to the Security Fabric and the appearance of some pages will differ from what is shown.

Find this recipe for other FortiOS versions
5.4 | 5.6

1. Running a Security Fabric Audit before installing the FortiSandbox

On External (the root FortiGate in the Security Fabric), go to Security Fabric > Audit. Select Next to run an Audit for the Security Fabric.

Since you have not yet installed a FortiSandbox in your network, the Security Fabric fails the Advanced Threat Protection check.

In the example, the Security Score decreases by 30 points for each of the four FortiGates in the Security Fabric.

2. Connecting the FortiSandbox and External

On the FortiSandbox, go to Network > Interfaces and configure port 1. This port will be used for communication between the FortiSandbox and the rest of the Security Fabric.

Set IP Address/Netmask to an internal IP address. In this example, the FortiSandbox will connect to the same subnet as the previously installed FortiAnalyzer, using the IP address 192.168.55.20.

 

Go to Network > Interfaces and configure port 3. This port will be used for outgoing communication by the virtual machines (VMs) running on the FortiSandbox. It is recommended to connect this port to a dedicated interface on your FortiGate to protect the rest of the network from threats currently being investigated by the FortiSandbox.

Set IP Address/Netmask to an internal IP address (in the example, 192.168.179.10/255.255.255.0).

 

Go to Network > System Routing and add a static route for port 1. Set Gateway to the IP address of the FortiGate interface that port 1 connects to (in the example, 192.168.55.2).

 
On External, go to Network > Interfaces and configure port 13. Set IP/Network Mask to an address on the same subnet as port 3 on the FortiSandbox (in the example, 192.168.179.2/255.255.255.0).

Port 3 on the FortiSandbox must be able to connect to the Internet. On the FortiGate, go to Policy & Objects > IPv4 Policy and create a policy allowing connections from the FortiSandbox to the Internet. Because this traffic originates from VMs that are detonating suspicious files, keep the policy narrow: incoming interface port 13, outgoing interface the Internet-facing interface only, and source address limited to the FortiSandbox port 3 address. Do not create any policy that lets port 13 reach internal interfaces.

If you have not already done so, connect the FortiSandbox to the Security Fabric, as shown in the diagram at the beginning of this recipe.

3. Activating the FortiSandbox VMs

On the FortiSandbox, go to Scan Policy > General.

Select Allow Virtual Machines to access external network through outgoing port3. Set Gateway to the IP address of port 13 on the FortiGate.

 

Wait for the FortiSandbox to confirm that it has access to the Internet. Once this occurs, it will start to activate and initialize the Windows VMs and Microsoft Office.

Go to the Dashboard and locate the System Information widget. When the VMs are ready, green checkmarks will appear beside them.

 

4. Adding the FortiSandbox to the Security Fabric 

On External, go to Security Fabric > Settings. Enable Sandbox Inspection.

Make sure FortiSandbox Appliance is selected and set Server to the IP address of port 1 on the FortiSandbox.


 
Select Test Connectivity. An error message appears because External has not been authorized on the FortiSandbox.

On the FortiSandbox, go to Scan Input > Device. External is listed but the Auth column indicates that it is unauthorized.

Select the Edit button located beside External’s name. Under Permissions & Policies, select Authorized.

On External, go to Security Fabric > Settings and test the Sandbox Inspection connectivity again. External is now connected to the FortiSandbox.

Repeat these steps for the other FortiGates in the Security Fabric.

5. Adding sandbox inspection to AntiVirus, Web Filter, and FortiClient Profiles

Sandbox inspection can be applied with three types of security inspection: AntiVirus, Web Filter, and FortiClient Profiles. In this step, sandbox inspection is added to all FortiGates in the Security Fabric individually, using the profiles that each FortiGate applies to network traffic.

In order to pass the Advanced Threat Protection audit check, all FortiGates in the Security Fabric must have sandbox inspection added to an AntiVirus profile.

Go to Security Profiles > AntiVirus and edit the default profile.

Under Inspection Options, set Send Files to FortiSandbox Appliance for Inspection to All Supported Files.

 

Enable Use FortiSandbox Database, so that if FortiSandbox discovers a threat, a signature for that file is added to the FortiGate’s antivirus signature database.

Go to Security Profiles > Web Filter and edit the default profile.

Under Static URL Filter, enable Block malicious URLs discovered by FortiSandbox.

 

If the FortiSandbox discovers a threat, the URL that threat came from will be added to the list of URLs that will be blocked by the FortiGate.

Go to Security Profiles > FortiClient Profiles and edit the default profile. Enable Security Posture Check.

Enable Realtime Protection and Scan with FortiSandbox.

 

6. Results

If a FortiGate in the Security Fabric discovers a suspicious file, it is sent to the FortiSandbox.

You can view information about scanned files on either the FortiGate that sent the file or the FortiSandbox.

On one of the FortiGates, go to the Dashboard and locate the Advanced Threat Protection Statistics widget. This widget shows files scanned by both the FortiGate and FortiSandbox, with the FortiSandbox files on the bottom half of the widget.


 

On the FortiSandbox, go to System > Status and view the Scanning Statistics widget.

 

On External (the root FortiGate), go to Security Fabric > Audit and run an audit. When it is finished, select the All Results view.

In the example, all four FortiGates in the Security Fabric have passed the Advanced Threat Protection check and the Security Score has increased by 9.7 points for each FortiGate.

For further reading, check out Sandbox Inspection in the FortiOS 5.6 Handbook.


FortiManager in the Security Fabric


In this recipe, you will add a FortiManager to a network that is already configured as a Security Fabric. This will simplify network administration because you can manage all of the FortiGates in the network from the FortiManager.

This recipe is part of the Security Fabric Collection. It can also be used as a standalone recipe.

In this example, the FortiManager is added to an existing Security Fabric, with an HA cluster, called External, configured as the root FortiGate. In this network, the subnet 192.168.55.0 is used for external devices, such as a FortiAnalyzer. The FortiManager will be added to this subnet.

This recipe was created using FortiOS 5.6.1. If you are using 5.6.0, GUI paths related to the Security Fabric and the appearance of some pages will differ from what is shown.


1. Connecting External and the FortiManager

In this example, External’s port 16 will connect to port 2 on the FortiManager.

On External, go to Network > Interfaces and edit port 16.

Configure Administrative Access to allow FMG-Access.

On the FortiManager, go to System Settings > Network, select All Interfaces, and edit port 2.

Set IP Address/Netmask to an internal IP address (in the example, 192.168.55.30/255.255.255.0).

Select Routing Table and add a default route for port 2. Set Gateway to the IP address of External’s port 16.

If you have not already done so, connect port 2 on the FortiManager to port 16 on External.

2. Configuring central management on External

On External, go to System > Settings. Under Central Management, select FortiManager and enter the IP/Domain Name.

After you select Apply, a message appears stating that the FortiGate’s message was received by the FortiManager and is now waiting for confirmation.

On the FortiManager, go to Device Manager > Unregistered Devices. Select External, then select + Add.

Add External to the root ADOM.

External is now on the Managed FortiGates list and shown as part of a Security Fabric group. The * beside External indicates that it is the root FortiGate in the Security Fabric.

Connect to External. A warning message appears stating that the FortiGate is now managed by a FortiManager.

Select Login Read-Only.

Go to System > Settings. Under Central Management, the Status is now Registered on FortiManager.

3. Configuring central management on the ISFW FortiGates

For each FortiGate in the Security Fabric, make sure that the interface connected to External allows FMG-Access.

Once this is confirmed, you can repeat the process shown in Step 2 for all FortiGates in the Security Fabric.

4. Results

All FortiGates in the Security Fabric are shown in the Managed FortiGates list on the FortiManager.

To show all FortiGates in the Security Fabric group, right-click on External (the root FortiGate), and select Refresh Device.

Right-click on the Security Fabric group and select Fabric Topology. The topology of the Security Fabric is displayed.

For further reading, check out Central Management in the FortiOS 5.6 Handbook.
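The two prerequisites that the Security Fabric recipes above verify by hand (sandbox inspection in the AntiVirus, Web Filter and FortiClient profiles for the Advanced Threat Protection audit check, and FMG-Access plus central management for FortiManager registration) can be checked in bulk over exported settings. This is an added example, not Fortinet code: the dictionary keys (ftgd-analytics, analytics-db, web.blacklist, av-realtime-protection, sandbox-analysis, allowaccess, type, fmg) are assumptions modelled on FortiOS cmdb objects, the ISFW uplink interface name wan1 is a placeholder, and the device settings are constructed samples.

```python
"""Offline readiness check for the Security Fabric settings described in the recipes.

Added example, not Fortinet code. Dictionary keys are ASSUMED to mirror the
FortiOS REST API cmdb objects (antivirus/profile, webfilter/profile,
endpoint-control/profile, system/interface, system/central-management);
verify them against your own FortiOS version before running this on real exports.
"""
from __future__ import annotations

from dataclasses import dataclass

FORTIMANAGER_IP = "192.168.55.30"  # FortiManager port 2 address from the recipe


@dataclass
class FortiGateSettings:
    """Subset of one FortiGate's settings relevant to the two checks."""
    name: str
    av_profile: dict           # antivirus/profile "default"
    webfilter_profile: dict    # webfilter/profile "default"
    forticlient_profile: dict  # endpoint-control/profile "default"
    uplink_interface: dict     # system/interface facing External (or the FortiManager)
    central_management: dict   # system/central-management


def check_sandbox_inspection(fgt: FortiGateSettings) -> list[str]:
    """Mirror the Advanced Threat Protection audit check: each profile the
    recipe edits must hand suspicious content to FortiSandbox."""
    findings = []
    av = fgt.av_profile
    if av.get("ftgd-analytics") != "everything":   # GUI: All Supported Files (assumed key)
        findings.append("AntiVirus: files are not all sent to FortiSandbox")
    if av.get("analytics-db") != "enable":         # GUI: Use FortiSandbox Database (assumed key)
        findings.append("AntiVirus: FortiSandbox signature database not used")
    if fgt.webfilter_profile.get("web", {}).get("blacklist") != "enable":
        findings.append("Web Filter: FortiSandbox-discovered URLs are not blocked")
    fc = fgt.forticlient_profile.get("forticlient-winmac-settings", {})
    if fc.get("av-realtime-protection") != "enable":
        findings.append("FortiClient: Realtime Protection disabled")
    if fc.get("sandbox-analysis") != "enable":
        findings.append("FortiClient: Scan with FortiSandbox disabled")
    return findings


def check_central_management(fgt: FortiGateSettings, fmg_ip: str) -> list[str]:
    """The interface facing the FortiManager path must allow FMG-Access (fgfm)
    and the device must point at the FortiManager, or registration stalls."""
    findings = []
    iface = fgt.uplink_interface
    allowed = set(iface.get("allowaccess", "").split())  # space-separated service list
    if "fgfm" not in allowed:
        findings.append(f"Interface {iface.get('name', '?')}: FMG-Access not allowed")
    cm = fgt.central_management
    if cm.get("type") != "fortimanager":
        findings.append("Central management: not set to FortiManager")
    elif cm.get("fmg") != fmg_ip:
        findings.append(f"Central management: points at {cm.get('fmg')!r}, expected {fmg_ip}")
    return findings


def audit_fabric(devices, fmg_ip: str = FORTIMANAGER_IP) -> dict[str, list[str]]:
    """Return findings per FortiGate; an empty list means the device passes."""
    return {d.name: check_sandbox_inspection(d) + check_central_management(d, fmg_ip)
            for d in devices}


def compliant(name: str, uplink: str) -> FortiGateSettings:
    """Constructed sample of a FortiGate configured exactly as the recipes describe."""
    return FortiGateSettings(
        name=name,
        av_profile={"name": "default", "ftgd-analytics": "everything", "analytics-db": "enable"},
        webfilter_profile={"name": "default", "web": {"blacklist": "enable"}},
        forticlient_profile={"name": "default", "forticlient-winmac-settings": {
            "av-realtime-protection": "enable", "sandbox-analysis": "enable"}},
        uplink_interface={"name": uplink, "allowaccess": "ping https ssh fgfm"},
        central_management={"type": "fortimanager", "fmg": FORTIMANAGER_IP},
    )


# Constructed sample fabric: the four FortiGates named in the recipes. External uses
# port 16 as in the text; "wan1" on the ISFW FortiGates is a placeholder name.
SAMPLE_FABRIC = [compliant("External", "port16"), compliant("Accounting", "wan1"),
                 compliant("Sales", "wan1"), compliant("Marketing", "wan1")]
# Two deliberate deviations so the report has something to show.
SAMPLE_FABRIC[2].webfilter_profile["web"]["blacklist"] = "disable"
SAMPLE_FABRIC[3].uplink_interface["allowaccess"] = "ping https ssh"


if __name__ == "__main__":
    for device, findings in audit_fabric(SAMPLE_FABRIC).items():
        print(f"{device}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```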

You may also need to refresh the page before all devices are shown in the Security Fabric group.

Security Fabric Collection


The Fortinet Security Fabric links various security sensors and tools together to collect, coordinate, and respond to malicious behavior, in real time, anywhere it occurs on your network.

Below, you will find the Security Fabric Collection: a list of recipes about configuring and using the Security Fabric. By using these recipes in the order listed, you can create a network similar to the one shown above. This collection is a work in progress. Check back regularly for new recipes.

You can find more information about the Security Fabric at the Fortinet Document Library.

Screenshots of the Security Fabric topology views are shown after most of the recipes, to visualize how the network configuration changes. Physical Topology shows all access layer devices, and Logical Topology shows information about the interface (logical or physical) that each device is connected to. To view the complete network, the topology views must be accessed on the root FortiGate in the Security Fabric.

This collection supports the following Fortinet firmware:

  • FortiOS 5.6.0 and higher
  • FortiAnalyzer 5.6.0 and higher
  • FortiSandbox 2.4.0 and higher
  • FortiManager 5.6.0 and higher

1. Installing a FortiGate in NAT/Route mode

This recipe shows you how to install a single FortiGate in your network using NAT/Route mode, which is the most commonly used operation mode.

In later recipes, this FortiGate will be the “External” FortiGate in the network, because it is the only FortiGate that directly connects to the Internet, with the other FortiGates located behind it. This role is also known as the edge or gateway FortiGate.

This FortiGate will also be the root FortiGate in the Security Fabric. The root FortiGate receives information from all other FortiGates in the Security Fabric and is used to run the Security Fabric Audit. For more information about this, refer to the next recipe in the collection.

Because a Security Fabric has not yet been created, the Security Fabric topology views have not been included here.


2. Security Fabric installation and audit

This recipe shows you how to add three additional FortiGates to the network, with each functioning as an Internal Segmentation Firewall (ISFW). A FortiAnalyzer is also added to collect and view logs.

After the ISFW FortiGates and FortiAnalyzer are installed, the Security Fabric is configured. External, the FortiGate from the previous recipe, becomes the root FortiGate in the Security Fabric, with the other FortiGates sending their information upstream to External.

All of the FortiGates and the FortiAnalyzer now appear in the Security Fabric topology views, which must be viewed using External. The ISFW FortiGates (Accounting, Sales, and Marketing) are connected to the root FortiGate (External).

Physical topology:

Logical topology:


3. FortiSandbox in the Security Fabric

This recipe shows you how to add a FortiSandbox to the Security Fabric, so that any suspicious files discovered by the FortiGates can be scanned and tested in isolation from the rest of the network.

After the FortiSandbox is added to the Security Fabric, it appears in the topology views.

Physical topology:

Logical topology:


4. High availability with two FortiGates

This recipe shows you how to create an HA cluster by connecting a backup FortiGate to the root FortiGate in the Security Fabric. This will provide redundancy if the root FortiGate, now called External-Primary, fails.

After the HA cluster is created, it appears in the topology views.

Physical topology:

Logical topology:


5. FortiManager in the Security Fabric

This recipe shows you how to add a FortiManager to the Security Fabric. This provides central management of the FortiGates in the Security Fabric.

After the FortiManager is added to the Security Fabric, it appears in the topology views.

Physical topology:

Logical topology:


Deploying FortiWeb-VM virtual appliance in Microsoft Azure


FortiWeb for Microsoft Azure is deployed as a virtual appliance in Microsoft Azure cloud (IaaS). This recipe shows you how to install and configure a FortiWeb-VM virtual appliance in Microsoft Azure.

1. Registering and downloading your license

If you’re deploying a FortiWeb-VM in the Microsoft Azure marketplace, you must obtain a license to activate it. FortiWeb-VM for Microsoft Azure supports a bring-your-own-license (BYOL) licensing model.

Licenses can be obtained through any Fortinet partner. If you don’t have a partner, contact azure@fortinet.com for assistance in purchasing a license.

After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code. 

Go to https://support.fortinet.com/ and either create a new account or log in with an existing account. 

Go to Asset > Register/Renew to start the registration process.

In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Enter your details in the other fields.

At the end of the registration process, download the license (.lic) file for your FortiWeb-VM.

After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. When you upload the license (.lic) file to activate the FortiWeb-VM (in step 3), if you get an error that the license is invalid, wait 30 minutes and try again.

2. Creating a FortiWeb-VM

Log in to the Microsoft Azure Portal and select + New.

Search for Fortinet Web Application Firewall – FortiWeb and select it from the search results.

Under Select a deployment model, ensure that Resource Manager is selected. Select Create.

In the Basics section, set a FortiWeb VM Name.

Set a FortiWeb Administrative Username. This name can’t be admin or root.

Choose a FortiWeb Password for the new account and confirm the password. For security reasons, it’s not possible to reset this password through the Microsoft Azure portal, so make sure that you remember the password.

Select the appropriate Subscription from the drop-down list. You may have only one option here.

Create a new Resource group. Currently, it’s not possible to select an existing resource group for a Microsoft Azure Marketplace template set.

Set a Location for the VM.

Select OK.

In the Network and Storage Settings section, select Virtual network. You can either create a new virtual network (VNet) or select an existing one.

If you select an existing VNet, it needs to have at least two subnets so the FortiWeb-VM can route between them. In a typical deployment, the outside subnet is used only to connect the outside interface of the FortiWeb-VM to the Microsoft Azure Public Load Balancer, so it doesn’t need to be very large.

Select OK.

In the Subnets section, the Outside Subnet name, Outside Subnet address prefix, Inside Subnet name, and Inside Subnet address prefix are pre-defined and you shouldn’t need to change the default values.

Select OK.

In the Virtual machine size section, select the appropriate VM size for your deployment. 

In the Microsoft Azure Marketplace, the FortiWeb virtual machines come in a variety of sizes, from A0 Standard to D4 Standard. Each virtual machine size within each series has different limits for the amount of memory, number of network interface cards (NIC), maximum number of data disks, size of cache, and maximum input/output operations per second (IOPS) and bandwidth.

Select OK.

In the Storage Account section, choose an existing storage account or create a new one. All resources should be in the same location.  

Set a Name for the storage account.

Under Performance, choose a storage account type.

Select the Replication option you want to use. The options are Locally redundant storage (LRS) or Geo-redundant storage (GRS). LRS is where all data in the Microsoft Azure storage account replicates synchronously to three different storage nodes within the primary region that was chosen when you created the Microsoft Azure storage account. GRS is where every entity is replicated into two data centers.

The data in the Microsoft Azure storage account is always replicated in order to ensure durability and high availability. Some settings can’t be changed after the storage account is created.

Select OK.

To accept the Network and Storage Settings values, select OK.

In the FortiWeb IP Address Assignments section, select Public IP address name. In the Name field, set a name for the public IP address of the FortiWeb. In the Assignment field, select Dynamic or Static. Select OK.

In the Domain name label field, set a resource name for the FortiWeb-VM. Select OK.

In the Public IP Address Type, select Static or Dynamic. Select OK.

Wait for validation to pass, then select OK.

Select Purchase to buy the FortiWeb-VM instance from Microsoft Azure. 

Once the FortiWeb-VM is deployed, you will see a “Deployment succeeded” message.

3. Connecting to the FortiWeb-VM

To connect to the FortiWeb-VM, you must find its public IP address. There are a number of ways to do this. One way is to select Virtual machines on the left bar and select the FortiWeb-VM you created. Under Essentials, you will see the public IP address of the FortiWeb-VM in the Public IP address field. 

Connect to the FortiWeb-VM using your browser and the FortiWeb-VM IP address. Log in to the FortiWeb-VM with the FortiWeb Administrative Username and FortiWeb Password that you configured above.

Upload your license (.lic) file to activate the FortiWeb-VM. Restart the FortiWeb-VM and log in again.

After you log in, you will see that the license has been uploaded. You need to wait for authentication with the registration servers. This can take up to 15 minutes.

Select Return.

You will now see the FortiWeb-VM dashboard.

The FortiWeb Password must be a complex password containing three of the following types of characters: numbers, capital letters, lowercase letters, and special characters.

Storage types are created from a Microsoft Azure storage account. The Microsoft Azure storage account, in turn, determines certain characteristics for the storage, such as whether the storage is locally redundant or geo-redundant, and whether the storage is based on standard HDDs or SSDs.

How to disable the IPMI port to use other ports


In this recipe you will learn to change the IPMI port LAN interface setting to Dedicate to prevent the IPMI port from sending a DHCP request in FortiManager/FortiAnalyzer.

  1. Set up a DHCP server if it does not currently exist in the Network.
  2. Connect a RJ-45 cable into the IPMI port.
  3. Open the newly assigned IP address in a web browser. The default username and password are ADMIN/ADMIN.
  4. Go to Configuration > Network > LAN Interface, and change the setting from Failover to Dedicate.
  5. Use the IPMI View to discover the newly assigned IP address if there are several other devices in the same Network.



Basic FortiSandbox Installation Guide


The FortiSandbox unit can be placed on a flat surface using the provided rubber feet, or mounted in any standard 19 inch rack unit with the provided mounting hardware.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Do not place heavy objects on the unit.

To install the unit into a rack

  1. Attach the provided rack-mount brackets to the sides of the unit using the provided screws.
  2. Position the FortiSandbox unit in the rack. Ensure there is enough room around the unit to allow for sufficient air flow.
  3. Line up the rack-mount bracket holes to the holes on the rack and ensure that the unit is level.
  4. Finger tighten four rack-mount screws to attach the unit to the rack.
  5. Verify that the spacing around the unit conforms to requirements and that the unit is level, then tighten the rackmount screws with an appropriate screwdriver.
  6. Plug the provided power cables into the rear of the unit, and then into grounded electrical outlets or separate power sources, such as uninterruptible power supplies (UPS) or power distribution units (PDU).
    Each power cable should be connected to a different power source. In this way, if one power source fails, the other may still be operational and the unit will not lose power.

To install the unit on a flat surface

  1. Ensure that the surface onto which the FortiSandbox unit is to be installed is clean, level, and stable, and that there is at least 1.5in (3.8cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the provided rubber feet to the bottom of the unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the unit conforms to requirements and that the unit is level.
  5. Plug the provided power cables into the rear of the unit, and then into grounded electrical outlets or separate power sources, such as uninterruptible power supplies (UPS) or power distribution units (PDU).
    Each power cable should be connected to a different power source. In this way, if one power source fails, the other may still be operational and the unit will not lose power.

FortiSandbox 3500D Installation Guide


The FortiSandbox unit can be mounted in any standard 19 inch rack unit with the provided mounting hardware.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Do not place heavy objects on the unit.

  1. Using the supplied hardware, attach the inner slide rails to each side of the unit.
    Align the two, square holes on each rail to the hooks on the sides of the unit.
    Securely attach the rail to the unit using M4 flat head screws.
  2. Attach the outer slide rails to the rack. Keep the sliding rail guides facing into the rack and screw the assembly securely to the rack using the provided brackets. Ensure that both rails are at the same height.
  3. Ensure there is enough room around the unit to allow for sufficient air flow.
  4. Slide the unit into your equipment rack using equal pressure on both sides. You may have to depress the locking tabs when inserting the unit. When the unit has been completely pushed into the rack, the locking tabs should click into place.
  5. Plug the supplied power cables into the rear of the unit and then into grounded electrical outlets or separate power sources, such as uninterruptible power supplies (UPS) or power distribution units (PDU).
    Each power cable should be connected to a different power source. In this way, if one power source fails, the other may still be operational and the unit will not lose power.
    Turning on the device does not always power up all of the inserted blades. If a blade does not automatically power up, use the blade’s power button to turn on the blade.

Basic FortiManager Installation Guide


The FortiManager unit can be placed on any flat surface, or mounted in any standard 19 inch rack unit with the provided rack-mount brackets and screws.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

Do not place heavy objects on the unit.

To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

If the unit has a redundant power supply, each power cable should be connected to a different power source. In this way, if one power source fails, the other may still be operational and the unit will not lose power.

To install the FortiManager unit into a rack

  1. Ensure that the FortiManager unit is placed on a stable surface prior to rack-mount installation.
  2. Attach the provided rack-mount brackets to the sides of the unit using the provided bracket screws.
    1. If you are installing the unit into a four-post rack, attach the rack-mount brackets with the handles aligned with the front of the FortiManager unit.
    2. If you are installing the unit into a two-post rack, attach the rack-mount brackets with the handles aligned with the middle of the FortiManager unit.
  3. Position the FortiManager unit in the rack. Ensure there is enough room around the unit to allow for sufficient air flow.
  4. Line up the rack-mount bracket holes to the holes on the rack and ensure that the FortiManager unit is level.
  5. Finger tighten four rack-mount screws to attach the unit to the rack.
  6. Verify that the spacing around the FortiManager unit conforms to requirements and that the unit is level, then tighten the rack-mount screws with an appropriate screwdriver.
  7. Plug the provided power cable into the rear of the unit and then into a grounded electrical outlet or a separate power source, such as an uninterruptible power supply (UPS) or a power distribution unit (PDU).

To install the unit on a flat surface

  1. Ensure that the surface onto which the FortiManager unit is to be installed is clean, level, and stable, and that there is at least 1.5in (3.8cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the provided rubber feet to the bottom of the FortiManager unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the FortiManager unit conforms to requirements and that the unit is level.
  5. Plug the provided power cable into the rear of the unit and then into a grounded electrical outlet or a separate power source, such as an uninterruptible power supply (UPS) or a power distribution unit (PDU).

FortiManager 300E Installation Guide


The FortiManager unit can be mounted in any standard 19 inch rack unit with the provided mounting hardware.

The rack must be stabilized before sliding the unit out for servicing. Failure to stabilize may cause the rack to tip over.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Do not place heavy objects on the unit.

Rack Precautions

  • Ensure the leveling jacks on the bottom of the rack are fully extended to the floor with the full weight of the rack resting on the jacks.
  • For single rack installation, stabilizers should be attached to the rack.
  • For multiple rack installations, the racks should be coupled together.
  • Ensure the rack is stable before extending a component from the rack.
  • Only extend one component at a time; extending two or more simultaneously may cause the rack to become unstable.

Rack Rail Identification

The rail mount kit includes two rail assemblies. Each assembly consists of two sections:

  • A fixed inner rail that secures directly to the unit
  • A fixed outer rail that secures directly to the rack

Both rail assemblies have locking tabs. The tabs lock the unit into place when installed into the rack and when fully extended from the rack. This prevents the device from sliding fully out of the rack when the device is being worked on.

Inner Rail Extensions


Using the inner rail extensions is optional. Use the inner rail extensions to stabilize the unit within the rack.

  1. Ensure you have correctly identified the left and right rail extensions.
  2. Place the inner rail extension on the side of the unit and align the hooks on the unit with the holes on the rail extension. Make sure the inner rail extension faces out.
  3. Slide the extension toward the front of the unit.
  4. Secure the rail extension to the unit with the provided M4 6L inner rail screws.
  5. Repeat steps 1-4 for the other inner rail extension.
    Do not pick up the server by the front handles. They are designed to only pull the unit from the rack.

Outer Rails

The outer rails attach to the rack and hold the unit in place.

  1. Attach the short bracket to the outside of the long bracket by aligning the pins with the slides. Both brackets must face the same direction.
  2. Adjust the short and long brackets to the appropriate length so that they fit securely into the rack.
  3. Secure the long bracket to the front side of the outer rail with the provided washers and M5 12L outer rail screws.
  4. Secure the short bracket to the back side of the outer rail with the provided washers and M5 12L outer rail screws.
  5. Repeat steps 1-4 for the other rail.

Rack Installation

  1. Ensure that there is enough room around the unit to allow for sufficient air flow.
  2. Ensure that the inner rails are properly connected to the device, and that the outer rails are securely attached to the rack.
  3. Align the inner rails with the rack rails and slide the device onto the rails. Ensure that even pressure is applied to both sides of the device while doing this.
  4. When the unit has been completely pushed into the rack, the locking tabs will click into the locked position.
  5. For additional security, insert and tighten the thumbscrews that hold the front of the unit to the rack.

After the device is installed in the rack and the hard disk drives are installed, plug the supplied power cables into the rear of the unit and then into grounded electrical outlets or separate power sources, such as uninterruptible power supplies (UPS) or power distribution units (PDU).


FortiManager 400E/2000E/3000F Installation Guide


The FortiManager unit can be mounted in any standard 19 inch rack unit with the provided mounting hardware.

The rack must be stabilized before sliding the unit out for servicing. Failure to stabilize may cause the rack to tip over.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Do not place heavy objects on the unit.

Rack Precautions

  • Ensure the leveling jacks on the bottom of the rack are fully extended to the floor with the full weight of the rack resting on the jacks.
  • For single rack installation, stabilizers should be attached to the rack.
  • For multiple rack installations, the racks should be coupled together.
  • Ensure the rack is stable before extending a component from the rack.
  • Only extend one component at a time; extending two or more simultaneously may cause the rack to become unstable.
    After installing the device into the rack, install the hard disk drives into the device.

Rack Rail Parts

The rail assembly consists of three parts:

  • Outer rail: connects to the rack
  • Middle rail: connects the inner and outer rails
  • Inner rail: connects to the device

The inner rail has a locking tab that locks the device into place when it is installed and pushed into the rack. This prevents the device from sliding fully out of the rack when the device is being worked on.

There are four steps to install the device into the rack:

  1. Disassemble the rail assembly
  2. Attach the inner rails to the device
  3. Install the outer rails on a rack
  4. Install the device into the rack

Disassemble the rail assembly

  1. Identify the left and right rail assemblies.
  2. Pull out the inner rail until it is fully extended.
  3. Press down the locking tab to release the inner rail.
  4. Remove the inner rail from the outer rail.
  5. Repeat steps 2 – 4 for the remaining rail assembly.
    Do not pick up the server by the front handles. They are designed to only pull the unit from the rack.

Attach the inner rails to the device

  1. Ensure that the right and left rails are correctly identified.
  2. Place the inner rail against the side of the device, ensuring that the hooks on the side of the device align with the holes in the rail.
  3. Slide the rail towards the front of the device until the rail clicks into the locked position.
  4. Optionally, secure the rail to the device using the provided M4 Flat Head screws.
  5. Repeat steps 2 – 4 for the remaining rail.

Install the outer rails on a rack

  1. Press up on the locking tab on the back of the middle rail.
  2. Push the middle rail back into the outer rail.
  3. Hang the hooks on the front of the outer rail to the slots on the rack. Use two of the provided washers and M5 12L Flat Head screws to secure the rail to the rack.
  4. Pull out the back of the outer rail to adjust its length until it fits properly in the rack.
  5. Hang the hooks on the back of the rail to the slots on the back of the rack. Use two of the provided washers and M5 12L Flat Head screws to secure the rail to the rack.
  6. Repeat steps 1 – 5 for the remaining rail.

Install the device into the rack

  1. Ensure that the inner rails are properly connected to the device, and that the outer rails are securely attached to the rack.
  2. Pull the middle rail out from the front of the outer rail until it locks.
  3. Align the inner rails with the middle rails and slide the device onto the rails until the locking tab on the inner rails clicks into the front of the middle rails.
    Ensure that even pressure is applied to both sides of the device while doing this.
  4. Push down the locking tabs on both sides at the same time, then push the device all the way into the rack.
  5. When the unit has been completely pushed into the rack, the locking tabs will click into the locked position.
  6. For additional security, secure the chassis handles to the front of the rack with the provided M5 20L Truss Head screws.

After the device is installed in the rack and the hard disk drives are installed, plug the supplied power cables into the rear of the unit and then into grounded electrical outlets or separate power sources, such as uninterruptible power supplies (UPS) or power distribution units (PDU).

Each power cable should be connected to a different power source. In this way, if one power source fails, the other may still be operational and the unit will not lose power.
