FortiAP 112B Installation Guide

August 22, 2017, 10:17 am

≫ Next: Episode 16: FortiGate Troubleshooting – Common Issues & Solutions

≪ Previous: FortiManager 400E/2000E/3000F Installation Guide

Using the provided hardware, the FortiAP unit can be attached to a wall or pole.

To attach the unit to a wall:

Setup the provided anchors and screws in the desired wall.
Hang the FortiAP device on the screws.

To attach the unit to a pole:

Loop the wire belts through the slots on the rear of the device and then around the pole.
Tighten the belts to ensure that the device is firmly in place.

Antenna direction

The FortiAP 112B has a directional antenna located on the front of the device. The strongest signal is achieved in the 60 degree range shown in the below image.

For a reliable wireless connection, the units to which you would like to connect should be within this range.

Was this helpful?
Yes No

The post FortiAP 112B Installation Guide appeared first on Fortinet Cookbook.

↧

Episode 16: FortiGate Troubleshooting – Common Issues & Solutions

September 6, 2017, 2:56 pm

≫ Next: FortiManager: Third Party Blacklist Provider Workflow

≪ Previous: FortiAP 112B Installation Guide

Send us your questions! We’re looking to do a Q&A episode of FortiCast and we need your help. If you have a question that needs an answer, email us at forticast@fortinet.com.

How to troubleshoot common FortiGate issues.

Troubleshooting resources

Subscribe to FortiCast

Was this helpful?
Yes No

The post Episode 16: FortiGate Troubleshooting – Common Issues & Solutions appeared first on Fortinet Cookbook.

↧

FortiManager: Third Party Blacklist Provider Workflow

September 12, 2017, 8:44 am

≫ Next: Setting Up WiFi with FortiAP (Video)

≪ Previous: Episode 16: FortiGate Troubleshooting – Common Issues & Solutions

In this example, you learn how to use your FortiManager and a third party blacklist provider workFlow.

Overview

You must create a script that will handle the entire workflow. Make sure the script can convert the Third Party Blacklist into a FortiManager XML File.

From an external server, you must schedule the periodic execution of that script. Using the communication tools provided by the Third Party Blacklist Provider, the script will fetch the Blacklist from the Third Party.

1. Converting the Blacklist to a FortiManager XML File

The script will convert the Blacklist to a FortiManager XML File. This XML file allows you to assign a category to each URL in the list, in addition to a default category. The default category is used as the return value when there is no match.

Example of the FortiManager XML file format:

<custom_url_list version="1.0">
 <head>
 <default_cate>142</default_cate>
 <description>the description</description>
 </head>
 <body>
 <url_entry>
 <url>http://www.url-0000001.com</url>
 <cate>79</cate>
 </url_entry>
 <url_entry>
 <url>http://www.url-0000001.com</url>
 <cate>28</cate>
 [...]
 </body>

The category value in <cate></cate> could be either a normal Web Filter Category or a Local Category.

2. Upload the XML File into FortiManager

The script uses SSH to connect to FortiManager and upload the XML file.
CLI command:

execute fmupdate <ftp|scp|tftp> import custom-url <xml filename> <ftp|scp|tftp details>
 
 Example:
 #     execute fmupdate scp import custom-url 20M-custom-url.xml 000.000.000.000 00 tmp/FORTIGUARD my_login my_password
 This operation will replace the current <custom-url> package!
 Do you want to continue? (y/n)y
 
 Start getting file from remote SCP Host...
 SCP transfer successful.
 Packing installation is in process...This could take some time. 
 lccclient command result:Response=202|
 
 Update successfully

In this example, FortiManager will upload the file from the following file:

scp://my_login:my_password@000.000.000.000:00/temp/FORTIGUARD/20M-custom-url.xml

3. Configure FortiManager to use only its Local FortiGuard Database or Local Blacklist Database

Use the following command to use only its:

Local FortiGuard Database
Local Blacklist Database
Or Both

config fmupdate custom-url-list
 set db_selection <fortiguard-db|custom-url|both>
 end

4. Testing Custom URLs managed by FortiManager

Using the CLI in FortiManager, you can send categorization requests for custom URLs managed by FortiManager.

Example of the CLI command set:

#     diagnose fmupdate fgd-url-rating FGT SN 1 www.foo.com
 url rating flags: 0x2 (2:EXACT_MATCH, 1:PREFIX_MATCH)
 rates according to url: 0x37 0x00 0x00 0x00
 rates according to ip: 0x00 0x00 0x00 0x00
 num_dots:-1, num_slash:-1
 database version: 16.45562
      0 ms

The FGT SN can be any FortiGate SN.
The returned category is in a hexadecimal output: 0x37.
In decimal format, the category is 56 or Web Hosting.

The number of URLs FortiManager can manage is determined by the memory capacity of the unit.

5. Specify FortiManager as the FortiGuard Server in FortiGate

Go to your FortiGate CLI console and execute the following commands:

config system centralmanagement
  set type fortimanager
  set fmg "ip"
  config serverlist
    edit 1
       set servertype
       update rating
       set serveraddress FMG ip
    next
  end
  set includedefaultservers disable
end

For further FortiManager information, refer to the FortiManager Administration Guides available on the Fortinet Document Library.

Was this helpful?
Yes No

The post FortiManager: Third Party Blacklist Provider Workflow appeared first on Fortinet Cookbook.

↧

Setting Up WiFi with FortiAP (Video)

September 13, 2017, 10:50 am

≫ Next: Setting up WiFi with a FortiAP

≪ Previous: FortiManager: Third Party Blacklist Provider Workflow

In this video, you’ll learn how to set up a WiFi network with a FortiGate managing a FortiAP in Tunnel mode.

The FortiAP has two modes that you can configure it in – tunnel mode or bridge mode. Tunnel mode is the default and uses a wireless-only subnet for wireless traffic.

The recipe for this video is available here.

Watch more videos

Was this helpful?
Yes No

The post Setting Up WiFi with FortiAP (Video) appeared first on Fortinet Cookbook.

↧

Setting up WiFi with a FortiAP

September 13, 2017, 11:00 am

≫ Next: FortiConnect Guest on-boarding and using RSSO

≪ Previous: Setting Up WiFi with FortiAP (Video)

In this recipe, you will set up a WiFi network with a FortiGate managing a FortiAP in Tunnel mode.

You can configure a FortiAP unit in either Tunnel mode or Bridge mode. Tunnel mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only subnet for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet.

For information about using a FortiAP in Bridge mode, see Setting up a WiFi bridge with a FortiAP.

_{Find this recipe for other FortiOS versions}
_{5.2 | 5.4 | 5.6}

1. Connecting and authorizing the FortiAP unit
Go to Network > Interfaces and edit the interface that will connect to the FortiAP (in this example, port 16). Set Addressing Mode to Manual and set an IP/Network Mask. Under Administrative Access, enable CAPWAP and optionally enable PING to test your connection. Under Networked Devices, enable both Device Detection and Active Scanning.
Connect the FortiAP unit to the interface.
Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The device is not yet authorized, as indicated by the in the State column. By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them.
Right-click on the FortiAP, and select Authorize.
The device interface will be down initially, but after a few minutes, hit the Refresh button and a will confirm that the device is authorized.
Make sure that your FortiAP is on the latest firmware. If the OS Version shows the message “A new firmware version is available,” then check the release notes for your product on the Fortinet Support Site.
You can download the firmware images from the Support Site to your Local Hard Disk, or you can select A new firmware version is available and download the latest version directly from FortiGuard.
2. Creating an SSID
Go to WiFi & Switch Controller > SSID and create a new SSID. Set Traffic Mode to Tunnel. Select an IP/Network Mask for the wireless interface and enable DHCP Server. Enable Device Detection and Active Scanning. Name the SSID (in the example, MyNewWiFi). Set the Security Mode as required and enter a secure Pre-shared Key. Enable Broadcast SSID.
3. Creating a custom FortiAP profile
Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile. Set Platform to the FortiAP model you are using (FAP221C in this recipe). Set the Country/Region and you have the option to set your AP Login Password. Make sure the Radio 1 is set to Access Point, and leave the SSID set to Auto.
Go to WiFi & Switch Controller > Managed FortiAPs and right-click on the FortiAP you added earlier. Select Assign Profile and set the FortiAP to use the new SSID profile (in the example, MyProfile). By default, the FortiGate assigns all SSIDs to this profile.
4. Allowing wireless access to the Internet
Go to Policy & Objects > IPv4 Policy and create a new policy. Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface. Confirm that NAT is enabled.
5. Results
Connect to the SSID with a wireless device. After a connection is established, browse the Internet to generate traffic.
From the policy list page, right-click on your wireless policy and select Show in FortiView or go directly to FortiView > All Sessions.
You can view more details by selecting various tabs (Sources, Destinations, Applications, Countries, Sessions).

For further reading, check out Configuring a WiFi LAN in the FortiOS 5.6 Handbook.

Was this helpful?
Yes No

Note that some FortiGate models may not have the Active Scanning option, and it is not required for the recipe.

It may take a few minutes for the FortiAP to appear.

You can disable this in the CLI. See Deploying Wireless Networks.

Alternatively, select the FortiAP unit on the list and select Authorize from the top menu.

The SSID defaults to automatically assign Tunnel-mode SSIDs.

Located under Policy & Objects > IPv4 Policy.

The post Setting up WiFi with a FortiAP appeared first on Fortinet Cookbook.

↧

FortiConnect Guest on-boarding and using RSSO

September 20, 2017, 8:39 am

≫ Next: Client-Side SD-WAN with IPsec VPN Deployment Scenario – Expert

≪ Previous: Setting up WiFi with a FortiAP

This recipe describes the usage of RADIUS-Single-Sign-On (RSSO), using Fortigate (used as firewall), FortiConnect (used for guest portal and RADIUS authentication) and FortiWLC (used for providing wireless access). The goal is to map Captive Portal users to user groups on the Fortigate, and apply security policies based on these user groups.

Authentication Flow:

User authenticates to WLC via a security profile, where a RADIUS authentication is established (802.1x / Captive Portal)
WLC validates user credentials at RADIUS server.
RADIUS servers authenticates user for access and sends access-accept back to WLC to allow connection (including class attribute)
WLC allows device/user to establish wireless connection.
WLC sends accounting packets to RADIUS server.
RADIUS server proxies those accounting packets and forwards it to the FortiGate.
FortiGate registers user and maps the user to an RSSO-user group.

1. Registering the WLC as a RADIUS client on the FortiConnect

Login to the admin page of your FortiConnect. Go to Devices > RADIUS clients and add your WLC as a RADIUS client. Name: Name of your WLC Device IP: IP address of your WLC. Secret: Choose a Shared Secret between FortiConnect and WLC) Type: Meru SD 8.0 & Later
Go to the Automatic Setup tab and fill in the information needed for the FortiConnect to perform WLC configuration. Device IP: IP address of your WLC Admin user: admin username at WLC Admin password: password of the WLC admin user Captive Portal Name: Name that will be used to create/name the Captive Portal Profile at WLC. This will create a RADIUS profile, a captive portal profile, and a Quality of Service (QoS) rule to allow access to the guest portal on the WLC. The QoS rule is similar to a firewall rule, to allow the wireless device to be redirected to FortiConnect Captive Portal before the user or device is authenticated.
Click Setup Controller and FortiConnect will establish a SSH connection to the WLC. It might take a minute or two for the actual configuration to finish.
When done you should see a message similar to this one.

2. Registering the FortiGate as a RADIUS Accounting Server on the FortiConnect

Go to Devices > RADIUS Accounting Servers
and add your WLC as a radius client.

Name: Name your FortiGate
Server IP: IP address of your FortiGate (matching the interface that will listen to the RADIUS Accounting messages)
Secret: Chosse a Shared Secret between FortiConnect and Fortigate)
Accounting port: 1813

3. Validating WLC configuration created from FortiConnect

Go to Configuration > Security > RADIUS and validate that FortiConnect has created the two RADIUS profiles.

Validate that the automatic setup process on FortiConnect has created the two RADIUS profiles.

IDAUxxx = Authentication profile
IDACxxx = Accounting profile

Go to Configuration > Security > Captive Portal and select the Captive Portal Profiles tab.

Validate that the Captive Portal profile is created.

If needed, hit the pencil icon the edit the profile.

4. Creating Security Profile on the WLC

Go to Configuration > Security > Profile and click the ADD bottom for creating a new Security Profile.

Fill in information:

Security Profile name: Name of your security profile
Security mode: Open
Captive Portal: WebAuth
Captive Portal profile: select the profile name that’s been created earlier
Captive Portal Authentication method: external (as we use FortiConnect Portal)
Pass-through Firewall Filter ID: Matching the name from the Automatic Setup used in FortiConnect earlier
Firewall Capabilities: radius-configured (allows the WLC to use RADIUS attributes)

5. Creating wireless ESS profile on the WLC

Go to Configuration > Wireless > ESS and click the ADD bottom for creating a new ESS profile.

Fill in information:

ESS Profile: Name the ESS profile
SSID: Name the SSID, (if left empty SSID will be same as ESS profile name)
Security Profile: Use the newly created security profile
RADIUS Accounting: Use the FortiConnect accounting profile (IDACxxxx)

Click SAVE, then accept the message that this is only for Virtual Cell AP’s (that’s what we use as the default option in WLC). Accept the message.

6. Enabling RADIUS Accounting listening on the FortiGate

Go to Network > Interfaces and edit the interface that is matching the IP address added as RADIUS Acounting Server at FortiConnect.

Enable RADIUS Accounting using the check-box.

7. Creating an RSSO Agent on the Fortigate

Go to User & Device > Authentication > Single Sign-On and create a new agent.

Type: RADIUS Single Sign-On Agent
Enable both Use RADIUS Shared Secret and Send RADIUS Responses.

8. Creating an RSSO User Group

Go to User & Device > User > User Groups and create a new user group.

Type: RADIUS Single Sign-On (RSSO)
RADIUS Attribute Value: Will match the RADIUS attribute from FortiConnect, In this example we use “staff” to identify a staff user. (remember the value is case-sensitive)

Setting RADIUS Attribute at FortiConnect for the corresponding Authorization Profile.

Attribute value used is “Class”

FortiConnect maps the user into the Account Group during the backend authentication to Microsft Active Directory.

9. Editing the RSSO Agent

Go to CLI of your FortiGate and edit the RSSO Agent

fw # config user radius

Then edit the RSSO entry

fw (radius) # edit RSSO\ Agent
fw (RSSO Agent) # set rsso-endpoint-attribute User-Name
fw (RSSO Agent) # end

Results

After a user from staff member group has done a proper login using the Captive Portal, the username is now populated in FortiGate.
And you can start creating firewall policies using the RSSO group as a parameter.

Was this helpful?
Yes No

The post FortiConnect Guest on-boarding and using RSSO appeared first on Fortinet Cookbook.

↧

Client-Side SD-WAN with IPsec VPN Deployment Scenario – Expert

September 20, 2017, 1:47 pm

≫ Next: Transparent Web Proxy

≪ Previous: FortiConnect Guest on-boarding and using RSSO

This advanced deployment scenario provides a high-level picture of how to combine SD-WAN, IPsec VPN, and BGP routing to provide a branch office with redundant connections to two remote data centers and the networks behind them. Using this deployment scenario allows you to replace private or MPLS connections to data centers with lower-cost encrypted SD-WAN connections over the Internet.

This scenario is intended for network engineers who are familiar with the FortiGate platform and are looking for an example FortiOS 5.6 SD-WAN configuration. It does not include all of the required configuration steps but the intention is to provide the information you need to implement SD-WAN technology.

Configuring the data center FortiGates

The configuration described here must be set up on Data Center 1 FortiGate and Data Center 2 FortiGate. The following steps show how to configure Data Center 1 FortiGate (as shown in the diagram). You can repeat this configuration for Data Center 2 FortiGate, substituting the proper IP addresses and interface names.

This configuration has the following objectives:

Zero touch IPsec VPN provisioning of new branches
Point-to-multipoint IPsec VPN
Central management of data center access from each data center firewall
Dynamic peering to share routing information between each branch and the data center

Each data center configuration includes dynamic (or dial-up) IPsec VPN, BGP, firewall policies to control access, and a blackhole route for each branch office.

1. Creating the data center side of the IPsec VPN
To facilitate zero touch provisioning of new spokes to establish VPNs on each data center FortiGate, this example uses dial-up VPNs with `auto-discovery-sender` enabled in the ADVPN configuration. Also, `add-route` is disabled to support multiple dynamic tunnels to the same host advertising the same network. This dynamic discovery of the network is facilitated by the BGP configuration. Wildcard security associations are used for phase 2 since BGP routes determine whether traffic is sent over the IPSec VPN tunnel. In this example, IPsec VPN is added to each FortiGate interface connected to the Internet.
The Phase 1 configuration includes: A dynamic VPN tunnel name that is 11 characters or less. Setting `type` to `dynamic` Setting `interface` to the Internet connected interface Setting `peertype` to `any` Setting `add-route` to `disable` Setting `auto-discovery-sender` to `enable`	config vpn ipsec phase1-interface edit "vpn-br1-1" set type dynamic set interface "vlan-3510" set peertype any set proposal aes256-sha256 set add-route disable set dhgrp 5 set auto-discovery-sender enable set psksecret <password> next edit "vpn-br1-2" set type dynamic set interface "vlan-3511" set peertype any set proposal aes256-sha256 set add-route disable set dhgrp 5 set auto-discovery-sender enable set psksecret <password> end
The Phase 2 configuration includes: Setting `phase1name` to the name of the phase 1 configuration Disabling `pfs` and `replay`	config vpn ipsec phase2-interface edit "vpn-br1-1_p2" set phase1name "vpn-isp-a" set proposal aes256-sha256 set pfs disable set replay disable next edit "vpn-br1-2_p2" set phase1name "vpn-isp-b" set proposal aes256-sha256 set pfs disable set replay disable end
2. Adding addresses to the tunnel interfaces
The BGP configuration requires IP addresses assigned to the IPsec VPN tunnel interfaces that BGP peers over. The ADVPN feature enabled by `set auto-discovery-sender enable` allows FortiOS to establish a point-to-multipoint connection to each FortiGate. The IPsec VPN tunnel interface `ip` is set to the IP address that the tunnels will connect to, and `remote-ip` is set to the highest unused IP address that is part of your tunnel network. This adds two host-based routes to the FortiGate’s routing table that point directly back to the branch FortiGate.
The IPsec VPN interface configuration includes: Setting the `ip` to `<vpn interface ip> 255.255.255.255` Setting `type` to `tunnel` Setting `remote-ip` to the highest unused IP address in the VPN subnet Setting `allowaccess` to `ping` to allow for confirmation that a point-to-point tunnel has been established between the data center FortiGate and the branch FortiGate.	config system interface edit "vpn-br1-1" set vdom "root" set ip 10.254.0.1 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 10.254.0.254 set interface "port1" next edit "vpn-br1-2" set vdom "root" set ip 10.254.1.1 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 10.254.1.254 set interface "port2" end
3. Implementing route discovery with BGP
Network route discovery is facilitated by BGP and EBGP, which prevent the redistribution of routes learned that are contained in the same autonomous system number as the host. Also, EBGP influences route selection on the branches because of AS-Path prepending. Enable `ebgp-multipath` to allow the FortiGate to dynamically discover multiple paths for networks advertised at branches. Configure `neighbor-range` and `neighbor-group` to allow peering relationships to be established without defining each individual peer. The branch IPsec VPN tunnel interface addresses must be in the BGP peer range.
The BGP configuration includes: Enabling `ebgp-multipath` Enabling `soft-reconfiguration` and link-down-failover for each BGP peer in the neighbor group Adding the branch `remote-as` (which is 65501) to each peer configuration Setting the `prefix` for the neighbor range to the network matching the BGP peers Configuring a `network` with the prefix of the network advertised into BGP To facilitate the fastest route failovers, the following timers are set to their lowest values: `scan-time` `advertisement-interval` `keep-alive timer` `holdtime-timer`	config router bgp set as 65500 set router-id 10.10.0.1 set ebgp-multipath enable set scan-time 5 set graceful-restart enable config neighbor-group edit "branch-peers-1" set advertisement-interval 1 set link-down-failover enable set soft-reconfiguration enable set remote-as 65501 set keep-alive-timer 1 set holdtime-timer 3 next edit "branch-peers-2" set advertisement-interval 1 set link-down-failover enable set soft-reconfiguration enable set remote-as 65501 set keep-alive-timer 1 set holdtime-timer 3 next end config neighbor-range edit 1 set prefix 10.254.0.0 255.255.255.0 set neighbor-group "branch-peers-1" next edit 2 set prefix 10.254.1.0 255.255.255.0 set neighbor-group "branch-peers-2" next end config network edit 1 set prefix 10.200.1.0 255.255.255.0 next edit 2 set prefix 10.200.0.0 255.255.255.0 next edit 3 set prefix 10.200.3.0 255.255.255.0 next end end
4. Controlling access to data center networks
Create firewall policies to allow users on the branch office networks to access the data center networks (behind the FortiGate). Security profiles can be added to these firewall policies to inspect of layer 7 traffic. Include a policy on the data center FortiGate to allow a branch FortiGate to check the health of the data center FortiGate by allowing the branch FortiGate to ping the data center FortiGate IPsec VPN interface: Source interface: IPsec VPN interface Destination interface: Internal interface Source Address: Tunnel IP addresses of branch Destination Address: Data Center 1 FortiGate Internal interface Action: Accept Schedule: Always Service: ICMP Policies to allow traffic from branch networks to reach data center networks should have the following firewall settings: Source interface: IPsec VPN interface Destination interface: Internal interface Source Address: Branch networks Destination Address: Date center networks Action: Accept Schedule: Always (or define a more restrictive schedule) Service: Allowed Service(s)
5. Pointing to branch offices with black hole routes
It is a best practice to create black hole routes with destinations set to each branch network. If the FortiGate temporarily loses connectivity with a branch network, traffic destined to that network is sent to the black hole until connectivity has been restored.
Each Black hole route includes: Setting `dst` to the branch network IP address Setting the `distance` to 255	config router static edit 1 set dst 10.0.0.0/14 set distance 255 set blackhole enable next end

Configuring Branch FortiGate

The following steps describe how to use the SD-WAN feature to set up the branch FortiGate with redundant connections to the two data centers. This configuration includes the following:

Client-side SD-WAN (intelligent load balancing based on link quality)
A configuration template for quick deployment of branch FortiGates
Split tunneling for Internet access from the branch office networks

The branch FortiGate configuration includes IPsec VPN, BGP, SD-WAN load balancing, and firewall policies to control access.

1. Creating the branch side of the IPsec VPN
The IPsec VPN configuration is similar to a normal site-to-site VPN configuration. Wildcard security associations are used for phase 2 since BGP routes determine whether traffic is sent over the IPSec VPN tunnel.
Create two Phase 1 configurations, one for each data center. These configurations include: Setting `peertype` to `any` Setting `remote-gw` to the IP address of the data center.	config vpn ipsec phase1-interface edit "vpn_dc1-1" set interface "vlan-3000" set peertype any set proposal aes256-sha256 set dhgrp 5 set remote-gw 172.20.10.10 set psksecret <password> next edit "vpn_dc1-2" set interface "vlan-3001" set peertype any set proposal aes256-sha256 set dhgrp 5 set remote-gw 172.20.11.10 set psksecret <password> next end
Create two Phase 2 configurations, one for each data center. These configurations include: Disabling `pfs` and `replay` Enabling `auto-negotiate` to ensure VPN establishment	config vpn ipsec phase2-interface edit "vpn_dc1-1_p2" set phase1name "vpn_dc1-1" set proposal aes256-sha256 set pfs disable set replay disable set auto-negotiate enable next edit "vpn_dc1-2_p2" set phase1name "vpn_dc1-2" set proposal aes256-sha256 set pfs disable set replay disable set auto-negotiate enable next end
2. Adding IP addresses to the tunnel interfaces
To establish the point-to-multipoint IPsec VPN between the branch and the data center, the tunnel interfaces must include the following IP addresses.
The IPsec VPN Interface configuration includes: Setting `ip` to the local IP address of the VPN interface Setting `remote-ip` to the data center FortiGate’s IPsec VPN interface IP address	config system interface edit "vpn_dc1-1" set vdom "root" set ip 10.254.0.2 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 10.254.0.1 set interface "wan1" next edit "vpn_dc1-2" set vdom "root" set ip 10.254.1.2 255.255.255.255 set allowaccess ping set type tunnel set remote-ip 10.254.1.1 set interface "wan2" next end
3. Implementing route discovery with BGP
BGP allows the branch and data center FortiGates to dynamically discover routes from each other. To make this happen add the data center FortiGate IPsec VPN tunnel interface IP addresses to the branch BGP configuration as BGP peers. Routes that have the same network mask, administrative distance, and priority are automatically considered for SD-WAN when the interfaces where those routes are learned are added to the SD-WAN interface group.
The branch BGP configuration includes: Enabling `ebgp-multipath` Enabling `soft-reconfiguration` and `link-down-failover` for each BGP peer Adding the data center `remote-as` (which is 65500) to each peer configuration Setting the `prefix` for the neighbor range to the network matching the BGP peers To facilitate the fastest route failovers, the following timers are set to their lowest values: `scan-time` `advertisement-interval` `keep-alive timer` `holdtime-timer`	config router bgp set as 65501 set router-id 10.254.0.2 set keepalive-timer 1 set holdtime-timer 3 set ebgp-multipath enable set scan-time 5 set distance-external 1 config neighbor edit "10.254.0.1" set advertisement-interval 1 set link-down-failover enable set soft-reconfiguration enable set remote-as 65500 next edit "10.254.1.1" set advertisement-interval 1 set link-down-failover enable set soft-reconfiguration enable set remote-as 65500 next end end
4. Setting up the load balancing SD-WAN configuration
The SD-WAN configuration sets up load balancing based on link quality. Link quality is determined by health checking; which measures jitter, packet loss, and latency on each link. FortiOS dynamically creates policy routes that send traffic over the link with the highest quality.
Create an SD-WAN Interface (also called a virtual WAN link) and add the IPsec VPN tunnel interfaces to it. These members are also the BGP neighbors that are tied to specific interfaces.	config system virtual-wan-link set status enable config members edit 1 set interface "vpn_dc1-1" next edit 2 set interface "vpn_dc1-2" next end end
Create SD-WAN Health-Checks for each data center network. Set `server` to the IP address of a server on the data center network.	config system virtual-wan-link config health-check edit "datacenter1-net" set server "10.200.1.1" set interval 1 set failtime 1 set recoverytime 3 next edit "datacenter2-net" set server "10.200.2.1" set interval 1 set failtime 1 set recoverytime 3 end end
Add SD-WAN Service Rules to define the criteria for the policy routes. Criteria include: Protocol Destination Address Source Address Identity Based Group Internet Service Definition Source Port Destination Port Destination Tag To dynamically determine the networks the policy routes point to, the routes learned from a BGP neighbor are matched against a route map and matching routes are tagged. The service rules determine the routes to use based on these tags.	config system virtual-wan-link config service edit 1 set mode priority set dst-tag 10 set health-check "datacenter1-net" set priority-members 1 2 next edit 2 set mode priority set dst-tag 10 set health-check "datacenter2-net" set priority-members 1 2 next end end
5. Controlling access from branch networks
Create firewall policies to allow users on the branch office networks to access the data center networks. Security profiles can be enabled on these firewall policies to inspect layer 7 traffic. Policies to Allow traffic from the branch office to the data center networks: Source interface: Internal interface Destination interface: SD-WAN interface Source Address: Branch networks Destination Address: Data center networks Action: Accept Schedule: Always (or define a more restrictive schedule) Service: Allowed services Policies to allow traffic from the data center to the branch networks: Source interface: SD-WAN interface Destination interface: Internal interface Source Address: Data center networks Destination Address: Branch networks Action: Accept Schedule: Always (or define a more restrictive schedule) Service: Allowed Services

Was this helpful?
Yes No

The post Client-Side SD-WAN with IPsec VPN Deployment Scenario – Expert appeared first on Fortinet Cookbook.

↧

Transparent Web Proxy

September 20, 2017, 1:03 pm

≫ Next: FortiMail: Configuring Inbound Message Warnings

≪ Previous: Client-Side SD-WAN with IPsec VPN Deployment Scenario – Expert

In this recipe, you’ll learn how to create a basic transparent web proxy setup. You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.

In previous versions of FortiOS, web authentication required using the Explicit Proxy. Now in addition to the Explicit Web Proxy, FortiOS now supports a Transparent Web Proxy. With the transparent web proxy, you can forward your user’s web traffic to the proxy without requiring your users to reconfigure their browsers or without needing to publish a proxy auto-configuration (PAC) file.

Note: This is just a basic setup, and authentication will be covered in a future recipe.

1. Configuring System and Network settings
Go to System > Settings, scroll to Operations Settings and set the inspection mode to Proxy.
Go to System > Feature Select and enable Explicit Proxy.
Go to Network > Explicit Proxy and enable Explicit Web Proxy. You can also change the HTTP port that the proxy listens on (default is 8080) or specify different ports for HTTPS, FTP, PAC, and other options.
2. Adding Proxy Options to your policy
Go to Security Profiles > Proxy Options. Create or edit a proxy options profile. Under Web Options, enable HTTP Policy Redirect.
Go to Policy & Objects > IPv4 Policy and create or edit a policy controlling the traffic that you want to apply authentication to. Select a security profile (in the example, AntiVirus) and then enable the Proxy Options edited in the previous step and enable SSL/SSH inspection.
3. Creating a Proxy Policy
Go to Policy & Objects > Proxy Policy and create a transparent policy to accept the traffic that you want to apply authentication to. Set the Proxy Type to Transparent Web. The Incoming Interface, Outgoing Interface, Destination Address, and Schedule should either match or be a subset of the source addresses defined in the IPv4 policy. Addresses added to the Source must match or be a subset of the source addresses added to the IPv4 policy. You can also add the users to be authenticated by the transparent policy to the Source Field.
4. Results
Open a browser and generate traffic for a few minutes. Then go to FortiView > Policies.
Right-click on a row in the table to drill down for details. You will see that traffic is flowing through the proxy policy.
Traffic is flowing through the IPv4 policy configured with the proxy security profile.

For more information, read about Transparent Web Proxy in What’s New for FortiOS 5.6.

Was this helpful?
Yes No

The post Transparent Web Proxy appeared first on Fortinet Cookbook.

↧

FortiMail: Configuring Inbound Message Warnings

September 22, 2017, 10:37 am

≫ Next: FortiMail Serial Console Connection and Configuration

≪ Previous: Transparent Web Proxy

Imagine you receive an email from your manager’s email account (JaneDoe@example.com) with an urgent request:

What if that email isn’t from your boss? What if it’s from someone spoofing their name and address from outside of the organization?

Thankfully, using Inbound Disclaimer, FortiMail can mark inbound messages with a warning to indicate it is originating from outside your organization:

This recipe guides you through the process of establishing inbound message warnings.

Configuring Inbound Disclaimer Rule

To setup the inbound disclaimer rule

Go to Domain & User > Domain > Domain.
Select the domain you wish to modify and then select Edit.
Expand the Advanced Settings and select the Disclaimer link.
Select “Use domain setting” from the Settings dropdown menu.
Expand Incoming and enable “Insert disclaimer at”.
Select “Start of message” from the dropdown menu.
Select Edit to create the desired message for both HTML and plain text messages, for example, “Warning – External Email”.
Select OK.

Was this helpful?
Yes No

The post FortiMail: Configuring Inbound Message Warnings appeared first on Fortinet Cookbook.

↧

FortiMail Serial Console Connection and Configuration

September 25, 2017, 12:51 pm

≫ Next: Using FGSP to load balance access to two active-active data centers – expert

≪ Previous: FortiMail: Configuring Inbound Message Warnings

You can access the FortiMail CLI commands via SSH, Telnet, or direct serial connection.

Local serial access is required in some cases. For example:

If you are installing your FortiMail unit for the first time and it is not yet configured to connect to your network, unless you reconfigure your computer’s network settings for a peer connection, you may only be able to connect to the CLI using a local serial console connection.
Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available until after the boot process has completed, and therefore local CLI access is the only viable option.

The following recipe details how to connect to your FortiMail unit through a local serial console connection and then quickly goes over some initial FortiMail setup using the CLI.

Connecting to the FortiMail serial console
Local console connections to the CLI are formed by directly connecting your management computer to the FortiMail unit, using its DB-9 or RJ-45 console port. Requirements a computer with an available serial communications (COM) port the RJ-45-to-DB-9 or null modem cable included in your FortiMail package terminal emulation software such as PuTTY Note: The following procedure describes connection using PuTTY software; steps vary with other terminal emulators. To connect to FortiMail CLI using a local serial console connection Using the null modem or RJ-45-to-DB-9 cable, connect the FortiMail unit’s console port to the serial communications (COM) port on your management computer. On your management computer, start PuTTY. In the Category tree on the left, go to Connection > Serial and configure the following: Serial line to connect to – COM1 (or, if your computer has multiple serial ports, the name of the connected serial port) Bits per second – 9600 Data bits – 8 Parity – None Stop bits – 1 Flow control – None In the Category tree on the left, go to Session (not the sub-node, Logging) and from Connection type, select Serial. Click Open. Press the Enter key to initiate a connection. The login prompt appears. Type a valid administrator account name (such as admin) and press Enter. Type the password for that administrator account then press Enter. (In its default state, there is no password for the admin account.) The CLI displays the following text, followed by a command line prompt: `Welcome!` You can now enter CLI commands.
Basic CLI configurations
Once you’ve physically connected your computer to the FortiMail unit, you can configure the basic FortiMail system settings through the CLI. If you require more information on other CLI commands, see the FortiMail CLI Guide. To change the admin password: `config system admin` `edit <admin_name>` `set password <new_password>` `end` To change the operation mode: `config system global` `set operation_mode {gateway \| server \| transparent}` `end` To configure the interface IP address: `config system interface` `edit <interface_name>` `set <ip_address>` `end` To configure the system route/gateway: `config system route` `edit <route_int>` `set destination <destination_ip4mask>` `set gateway <gateway_ipv4>` `set interface <interface_name>` `end` To configure the DNS servers: `config system dns` `set primary <ipv4_address>` `set secondary <ipv4_ address>` `end` To configure the NTP time synchronization: `config system time ntp` `set ntpserver {<address_ipv4 \| <fqdn_str>}` `set ntpsync {enable \| disable}` `set syncinterval <interval_int>` `end` To configure the SNMP v3 user settings: `config system snmp user` `edit <user_name>` `set query-status {enable \| disable}` `set query-port <port_number>` `set security-level {authnopriv \| authpriv \| no authnopriv}` `set auth-proto {sha1 \| md5}` `set aut-pwd <password>` `set status {enable \| disable}` `set trap-status {enable \| disable}` `set trapevent {cpu \| deferred-queue \| ha \| ip-change \| logdisk \| mem \| raid \| remote-storage \| spam \| system \| virus}` `set trapport-local <port_number>` `set trapport-remote <port_number>` `config host` `edit <host_no>` `set ip <class_ip>` `end` `end`

Was this helpful?
Yes No

The post FortiMail Serial Console Connection and Configuration appeared first on Fortinet Cookbook.

↧

Using FGSP to load balance access to two active-active data centers – expert

September 27, 2017, 8:00 am

≫ Next: Episode 17: FortiGate Troubleshooting: Tools and Methodologies

≪ Previous: FortiMail Serial Console Connection and Configuration

This advanced scenario describes how to configure FortiGate Session Life Support Protocol (FGSP) HA with four peer FortiGates protecting two active-active data centers.

In this configuration, two redundant active-active data centers process traffic from the Internet. Traffic is distributed to the FortiGates (named Peer-1, Peer-2, Peer-3 and Peer-4) by the routers or load balancers. All of the FortiGates are configured with two virtual domains: root and vdom1. All sessions processed by vdom1 are synchronized to all of the FortiGates. The synchronization link interface is port 3, which is in the root virtual domain. The IP addresses of port 3 are different for each FortiGate:

For Peer-1, the port 3 IP address is 10.10.10.1
For Peer-2, the port 3 IP address is 10.10.10.2
For Peer-3, the port 3 IP address is 10.10.10.3
For Peer-4, the port 3 IP address is 10.10.10.4

The port 1 and port 2 interfaces are added to vdom1. To keep the configuration very simple and applicable to many different networks, port 1 and port 2 are added to a virtual wire pair so these interfaces do not have IP addresses. This example includes a simple policy that allows all traffic across the virtual wire pair. The example policy applies the default VoIP profile to all VoIP traffic and otherwise applies virus scanning and application control.

This architecture supports different configurations on each FortiGate, but this is not recommended. Usually all of the FortiGates in an FGSP cluster have the same configuration. This example disables FGSP configuration synchronization and assumes you are using FortiManager to keep the configurations of the FortiGates synchronized.

1. Configuring the first FortiGate (Peer-1)
Configure Peer-1 with the following settings:
Enable virtual domain configuration, add vdom1, set vdom1 to proxy mode (to support VoIP profiles), and add port 1 and port 2 to vdom1.	config system global set vdom-admin enable end config vdom edit vdom1 config system settings set inspection-mode proxy end end config system global config system interface edit port1 set vdom vdom1 next edit port2 set vdom vdom1 end end
Create a virtual wire pair between port 1 and port 2.	config vdom edit vdom1 config system virtual-wire-pair edit my-wire-pair set member port1 port2 end end
Create a virtual wire pair policy to allow all traffic between port 1 and port 2. This example policy applies antivirus scanning, application control, and VoIP profiles.	config vdom edit vdom1 config firewall policy edit 1 set srcintf port1 port2 set srcintf port1 port2 set srcaddr all set dstaddr all set service ALL set schedule always set action allow set utm-status enable set av-profile default set application-list default set voip-profile default end
Configure Peer-1 for FGSP.	config system cluster-sync edit 1 set peerip 10.10.10.2 set peervd root set syncvd vdom1 next edit 2 set peerip 10.10.10.3 set peervd root set syncvd vdom1 next edit 3 set peerip 10.10.10.4 set peervd root set syncvd vdom1 end
2. Configuring the second FortiGate (Peer-2)
Configure Peer-2 with the same configuration as Peer-1: Enable virtual domain configuration, add vdom1, set vdom1 to proxy mode (to support VoIP profiles), and add port 1 and port 2 to vdom1. Create a virtual wire pair between port 1 and port 2. Create a virtual wire pair policy to allow all traffic between port 1 and port 2. This example policy applies antivirus scanning, application control, and VoIP profiles.
Configure Peer-2 for FGSP.	config system cluster-sync edit 1 set peerip 10.10.10.1 set peervd root set syncvd vdom1 next edit 2 set peerip 10.10.10.3 set peervd root set syncvd vdom1 next edit 3 set peerip 10.10.10.4 set peervd root set syncvd vdom1 end
3. Configuring the third FortiGate (Peer-3)
Configure Peer-3 with the same configuration as Peer-1: Enable virtual domain configuration, add vdom1, set vdom1 to proxy mode (to support VoIP profiles), and add port 1 and port 2 to vdom1. Create a virtual wire pair between port 1 and port 2. Create a virtual wire pair policy to allow all traffic between port 1 and port 2. This example policy applies antivirus scanning, application control, and VoIP profiles.
Configure Peer-3 for FGSP.	config system cluster-sync edit 1 set peerip 10.10.10.1 set peervd root set syncvd vdom1 next edit 2 set peerip 10.10.10.2 set peervd root set syncvd vdom1 next edit 3 set peerip 10.10.10.4 set peervd root set syncvd vdom1 end
4. Configuring the fourth FortiGate (Peer-4)
Configure Peer-4 with the same configuration as Peer-1: Enable virtual domain configuration, add vdom1, set vdom1 to proxy mode (to support VoIP profiles), and add port 1 and port 2 to vdom1. Create a virtual wire pair between port 1 and port 2. Create a virtual wire pair policy to allow all traffic between port 1 and port 2. This example policy applies antivirus scanning, application control, and VoIP profiles.
Configure Peer-4 for FGSP.	config system cluster-sync edit 1 set peerip 10.10.10.1 set peervd root set syncvd vdom1 next edit 2 set peerip 10.10.10.2 set peervd root set syncvd vdom1 next edit 3 set peerip 10.10.10.3 set peervd root set syncvd vdom1 end
5. Synchronizing TCP sessions
Synchronize TCP sessions so that if one of the FortiGates fails, its TCP sessions continue to be processed by the remaining FortiGates. The sessions to the failed FortiGate are redistributed by the router or load balancer. The remaining FortiGates continue to process these sessions because they have been synchronized to the session tables of all of the FortiGates in the FGSP cluster.
Enter this command on each FortiGate to synchronize TCP sessions among all of the FortiGates.	config system ha set session-pickup enable end
6. Synchronizing UDP and ICMP sessions
Enter this command on each FortiGate to synchronize UDP and ICMP sessions among all of the FortiGates. You must enable TCP session synchronization to synchronize other types of sessions.	config system ha set session-pickup enable set session-pickup-connectionless enable end
7. Synchronizing VoIP sessions
Synchronizing VoIP requires the FortiGates to automatically allow RTP sessions that should be allowed because of a previous SIP session, even if the SIP session was received by a different FortiGate. FortiOS calls these expectation sessions and synchronizing VoIP sessions requires expectation session synchronization. You can use the `diagnose sys session list expectation` command to display the synchronization state of expectation sessions on each FortiGate.
Enter the following command on each FortiGate to synchronize expectation sessions to support VoIP. You must enable TCP session synchronization to synchronize other types of sessions.	config system ha set session-pickup enable set session-pickup-expectation enable end
8. Synchronizing the configuration
You can use the built-in configuration synchronization feature of FGSP to keep the configuration of all of the FortiGates synchronized. If you are using FortiManager, you can disable configuration synchronization.
Enter the following command on each FortiGate to disable configuration synchronization.	config system ha set standalone-config-sync disable end

Was this helpful?
Yes No

FGSP supports up to 16 peer FortiGates.

The post Using FGSP to load balance access to two active-active data centers – expert appeared first on Fortinet Cookbook.

↧

Episode 17: FortiGate Troubleshooting: Tools and Methodologies

September 27, 2017, 8:48 am

≫ Next: Using FortiConnect as a RADIUS server in FortiCloud

≪ Previous: Using FGSP to load balance access to two active-active data centers – expert

Send us your questions! We’re looking to do a Q&A episode of FortiCast and we need your help. If you have a question that needs an answer, email us at forticast@fortinet.com.

Information about tools and methodologies you can use to troubleshoot your FortiGate.

Troubleshooting resources

Subscribe to FortiCast

Was this helpful?
Yes No

The post Episode 17: FortiGate Troubleshooting: Tools and Methodologies appeared first on Fortinet Cookbook.

↧

Using FortiConnect as a RADIUS server in FortiCloud

September 28, 2017, 8:34 am

≫ Next: Replacing FortiGate HA Pairs with Logging Enabled

≪ Previous: Episode 17: FortiGate Troubleshooting: Tools and Methodologies

In this recipe, we use a local on-premise FortiConnect as a RADIUS server for a FortiCloud-based Captive Portal network. A Fortigate will be used to allow access from FortiCloud to FortiConnect.

We assume that FortiAP is already in your FortiCloud inventory and at least one configured AP network. Refer to FortiCloud-managed FortiAP WiFi for guidance on using FortiCloud to configure a FortiAP.

1. Allowing FortiCloud to access the local FortiConnect
On your Fortigate go to Policy & Objects > Addresses and create a new address object for FortiConnect.
Next, create an address object for FortiCloud IP used by the Captive Portal. In this example, 208.91.113.117/32 is used by apau.forticloud.com
Go to Policy & Objects > Virtual IPs and create a new virtual IP, pointing from your WAN to the local FortiConnect.
Go to Policy & Object > IPv4 Policy and create a new policy to allow RADIUS requests from FortiCloud to FortiConnect.

2. Creating FortiCloud as a RADIUS client on the FortiConnect

On your FortiConnect go to Devices > RADIUS Clients and click Add RADIUS Client

Name: name the client
Device IP Address / Prefix Length: In this example, 208.91.113.117/32 is used by apau.forticloud.com
Secret: Shared Secret between FortiCloud and FortiConnect.

3. Creating FortiConnect as RADIUS Server on the FortiCloud

Open your FortiCloud account and go to AP Network > “your AP network” > Configure > My RADIUS Server.

Add My RADIUS Server in upper right corner
Name: Name the connection
Primary Server Name/IP: your wan IP
Primary Shared Secret: enter secret used between FortiCloud and FortiConnect.

4. Creating a new SSID on the FortiCloud

Go to SSIDs and click Add SSID.

SSID: Type SSID to be used
Enabled: checkmark
Captive Portal: FortiCloud Captive Portal
Sign On Method: My RADIUS server and select your RADIUS server, in this case, FortiConnect.

Tip: You will also see a note on the IP to use for FortiCloud access.

Configure the Security, Availability and Captive Portal as needed.

Once you get the Preview, hit Apply.

5. Results
Login to the FortiCloud Portal using the Portal.
On the FortiConnect go to REPORTS & LOGS > RADIUS Authentications. Find your successful authentication.
On your FortiCloud go to AP Network > “your AP network” > Monitor > Client. Find the client and verify that username is present.

For further reading, check the FortiCloud v3.1.2 FAQ and the 3.2 Release Notes for FortiCloud.

Was this helpful?
Yes No

The post Using FortiConnect as a RADIUS server in FortiCloud appeared first on Fortinet Cookbook.

↧

Replacing FortiGate HA Pairs with Logging Enabled

October 2, 2017, 2:44 pm

≫ Next: Site-to-site IPsec VPN with two FortiGates

≪ Previous: Using FortiConnect as a RADIUS server in FortiCloud

This recipe describes how to replace the primary and secondary FortiGate units in a high-availability (HA) pair, that are sending logs to FortiAnalyzer, when the connection to FortiAnalyzer goes down.

When the FortiGate units in an HA pair are synchronized and added to FortiAnalyzer, two members are displayed in the HA Cluster list in FortiAnalyzer.

In this example, FGT 60D4614007024 is the primary unit, but the connection to FortiAnalyzer is down.

To Replace the Primary Unit:

In FortiAnalyzer, do not delete the original primary FortiGate unit; if you do, you will lose logs associated with the device being replaced. Instead, add the new primary FortiGate unit to the HA Cluster list.

You can delete the original primary FortiGate unit at a later time, when the logs are no longer needed.

The FortiAnalyzer GUI displays three units in the HA Cluster List. It appears that the original FortiGate unit remains the primary unit in the HA cluster.

However, the new primary FortiGate unit in the HA cluster informs FortiAnalyzer which of the three units is the master.

If you would like to see the new primary FortiGate unit as the current device, change the device name in FortiAnalyzer. If the unit being replaced was the original master, the cluster’s device name may show the serial # of this device. If you wish, you can edit the cluster to reflect the serial # of the new device.

The process is the same if you want to replace the secondary unit in an HA pair.

Was this helpful?
Yes No

The post Replacing FortiGate HA Pairs with Logging Enabled appeared first on Fortinet Cookbook.

↧

Site-to-site IPsec VPN with two FortiGates

October 3, 2017, 11:00 am

≫ Next: FortiSandbox 2000E Installation Guide

≪ Previous: Replacing FortiGate HA Pairs with Logging Enabled

In this recipe, you create a route-based IPsec VPN tunnel to allow transparent communication between two networks that are located behind different FortiGates. The VPN will be created on both FortiGates using the VPN Wizard’s Site to Site – FortiGate template.

In this example, one FortiGate will be referred to as HQ and the other as Branch.

_{Find this recipe for other FortiOS versions}_{5.2 | 5.4 | 5.6}

1. Configuring the IPsec VPN on HQ
On HQ, go to VPN > IPsec Wizard and create a new tunnel. In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate.
In the Authentication step, set IP Address to the public IP address of the Branch FortiGate (in the example, 172.25.177.46). After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu. Set a secure Pre-shared Key.
In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to Branch’s local subnet (in the example, 192.168.13.0/24).
A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies.
2. Configuring the IPsec VPN on Branch
On Branch, go to VPN > IPsec Wizard and create a new tunnel. In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate.
In the Authentication step, set IP Address to the public IP address of the HQ FortiGate (in the example, 172.25.176.142). After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu. Set a secure Pre-shared Key that was used for the VPN on HQ.
In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to HQ’s local subnet (in the example, 192.168.37.0/24).
A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies.
3. Results
On either FortiGate, go to Monitor > IPsec Monitor to verify the status of the VPN tunnel. Right-click under Status and select Bring Up.
A user on either of the office networks should be able to connect to any address on the other office network transparently. If you need to generate traffic to test the connection, ping Branch’s LAN interface from a device on HQ’s internal network.

Was this helpful?
Yes No

The post Site-to-site IPsec VPN with two FortiGates appeared first on Fortinet Cookbook.

↧

FortiSandbox 2000E Installation Guide

October 4, 2017, 10:59 am

≫ Next: FortiCast: You have questions, we’ve got answers

≪ Previous: Site-to-site IPsec VPN with two FortiGates

The FortiSandbox unit can be placed on a flat surface using the provided rubber feet, or mounted in any standard 19 inch rack unit with the provided mounting hardware.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Do not place heavy objects on the unit.

To install the unit into a rack

Verify there is enough room around where the unit will be mounted to allow for
sufficient air flow.
Mount the outer rails to the rack.
Attach the inner rails to the device using the provided M4 waffle head screws.
Attach the rail handles to the device using the provided M4 flat head screws.
Check that the inner rails are properly connected to the device and that the outerrails are securely attached to the rack.
Align the inner rails with the outer rails then slide the device onto the rails. Ensure that even pressure is applied to both sides of the device while doing this.
For additional security, insert and tighten the provided M6 screws to hold the front of the unit to the rack.
Plug the provided power cables into the rear of the unit, and then into grounded electrical outlets or separate power sources, such as an uninterruptible power
supplies (UPS) or a power distribution units (PDU).

Each power cable should be connected to a different power source. In this
way, if one power source fails, the other may still be operational and the unit will not lose power.

Was this helpful?
Yes No

The post FortiSandbox 2000E Installation Guide appeared first on Fortinet Cookbook.

↧

FortiCast: You have questions, we’ve got answers

October 4, 2017, 1:56 pm

≫ Next: FortiGate-VM HA for RedHat OpenStack 10 – Expert

≪ Previous: FortiSandbox 2000E Installation Guide

We are preparing a FortiCast Q&A episode and we need your input. More specifically, we need your questions! All types of questions about Fortinet products are welcome, from in-depth troubleshooting to more general inquiries.

Send questions to forticast@fortinet.com or leave a comment below and stay tuned for the episode with the answers!

Was this helpful?
Yes No

The post FortiCast: You have questions, we’ve got answers appeared first on Fortinet Cookbook.

↧

FortiGate-VM HA for RedHat OpenStack 10 – Expert

October 6, 2017, 10:00 am

≫ Next: High Availability with FGCP (Expert)

≪ Previous: FortiCast: You have questions, we’ve got answers

This example shows how to set up FortiGate Clustering Protocol (FGCP) HA with two FortiGate VMs in a RedHat OpenStack 10 environment. The example includes the two FortiGate VMs connected to a private network (private01). The FortiGate-VMs protect two networks (network-l and network-r). Each network includes a CirrOS instance (cirros-l and cirros-r) for testing.

To support HA heartbeat communication, the OpenStack environment also includes a network named ha-sync configured with the subnet used by the HA heartbeat interfaces (169.254.0.0/24).

1. Setting up the networks in OpenStack
From the OpenStack environment command line, enter the following commands to create network-r and network-l and the ha-sync network.
$ source overcloudrc_tenant01 $ openstack network create network-r $ openstack subnet create subnet-r --network network-r --subnet-range 172.32.0.0/24 --dns-nameserver 208.91.112.53 $ openstack network create network-l $ openstack subnet create subnet-l --network network-l --subnet-range 172.33.0.0/24 --dns-nameserver 208.91.112.53 $ openstack network create ha-sync $ openstack subnet create subnet-ha --network ha-sync --subnet-range 169.254.0.0/24 --dns-nameserver 208.91.112.53
Add the CirrOS instances to network-r and network-l:
$ openstack server create --flavor m1.tiny --image cirros035 --security-group web --nic net-id=network-r cirros-r $ openstack server create --flavor m1.tiny --image cirros035 --security-group web --nic net-id=network-l cirros-l
2. Deploy two FortiGate-VMs
From the OpenStack command line, enter the following commands to deploy two FortiGate-VM instances (fgt-vm-1 and fgt-vm-2). These commands use the standard license files you receive when you register your FortiGate-VMs (in this example, FGVM080000103268.lic and FGVM080000109643.lic).
$ openstack server create --flavor m1.fortigate --image fgtb1486 --user-data /home/stack/openstack/cloud-init/userdata.txt --config-drive=true --file license=/home/stack/FG-licenses/FGVM080000103268.lic --security-group web --nic net-id=private01 --nic net-id=network-r --nic net-id=network-l --nic net-id=ha-sync fgt-vm-1 $ openstack server create --flavor m1.fortigate --image fgtb1486 --user-data /home/stack/openstack/cloud-init/userdata.txt --config-drive=true --file license=/home/stack/FG-licenses/FGVM080000109643.lic --security-group web --nic net-id=private01 --nic net-id=network-r --nic net-id=network-l --nic net-id=ha-sync fgt-vm-2
Here is an example `userdata.txt` file used for fgt-vm-1. The `userdata.txt` file for fgt-vm-2 would be the same except for the hostname. The `userdata.txt` file allows you to set up a FortiGate-VM with a basic default configuration customized for your environment and requirements. This example configures interfaces, adds a DNS server, and adds two firewall policies that allow any traffic to pass between the port2 and port3 interfaces. These policies make it easier to test HA failover. In addition, the MTU of the port4 interface is set to be compatible with the OpenStack 10 environment. By default, OpenStack 10 networks have an MTU of 1446. The `userdata.txt` file sets the MTU of port4 to 1400. This setting is required for the HA heartbeat interfaces to be able to communicate effectively over the ha-sync network.	#FGT VM Config File config sys global set hostname fgt-vm-1 end config system interface edit port1 set mode dhcp set allowaccess http https ssh ping next edit port2 set mode dhcp set defaultgw disable set allowaccess http https ssh ping next edit port3 set mode dhcp set defaultgw disable set allowaccess http https ssh ping next edit port4 set mtu-override enable set mtu 1400 next end config system dns set primary 208.91.112.53 end config firewall policy edit 1 set name "Allow port2 to port3" set dstintf "port2" set srcintf "port3" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next edit 2 set name "Allow port3 to port2" set dstintf "port3" set srcintf "port2" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable end config system central-management set include-default-servers disable set type fortimanager set fmg 10.210.8.25 config server-list edit 1 set server-type update rating set server-address 10.210.8.25 end end
You can use the OpenStack Horizon Networks view to verify the MTU assigned to the ha-sync network.
3. Disable port security for the FortiGate-VM and CirrOS instances
Use the RedHat OpenStack Horizon Instances view to verify the IP addresses of the FortiGate-VM, the CirrOS instances, and the networks the interfaces are connected to. For example:
From the OpenStack command line, run the following bash script to disable port security on the FG-VM interfaces.
#!/bin/bash echo echo 'Disable port_security on fgt-vm-1' echo echo `source /home/stack/overcloudrc_tenant01` FGT='fgt-vm-1' IPADDR=`openstack server show $FGT \| grep addresses \| awk -F "\|" '{print $3}' \| awk -F "=" '{print $2}' \| awk -F ";" '{print $1}'` PORTID=`openstack port list \| grep $IPADDR \| awk -F "\|" '{print $2}'` neutron port-update $PORTID --no-security-groups --port_security_enabled=False echo echo $IPADDR echo `openstack port show $PORTID` echo IPADDR=`openstack server show $FGT \| grep addresses \| awk -F "\|" '{print $3}' \| awk -F "=" '{print $3}' \| awk -F ";" '{print $1}'` PORTID=`openstack port list \| grep $IPADDR \| awk -F "\|" '{print $2}'` `neutron port-update $PORTID --no-security-groups --port_security_enabled=False` echo echo $IPADDR echo `openstack port show $PORTID` echo IPADDR=`openstack server show $FGT \| grep addresses \| awk -F "\|" '{print $3}' \| awk -F "=" '{print $4}' \| awk -F ";" '{print $1}'` PORTID=`openstack port list \| grep $IPADDR \| awk -F "\|" '{print $2}'` `neutron port-update $PORTID --no-security-groups --port_security_enabled=False` echo echo $IPADDR echo `openstack port show $PORTID` echo IPADDR=`openstack server show $FGT \| grep addresses \| awk -F "\|" '{print $3}' \| awk -F "=" '{print $5}' \| awk -F ";" '{print $1}'` PORTID=`openstack port list \| grep $IPADDR \| awk -F "\|" '{print $2}'` `neutron port-update $PORTID --no-security-groups --port_security_enabled=False` echo echo $IPADDR echo `openstack port show $PORTID` echo echo 'Disable port-security on fgt-vm-2' echo FGT='fgt-vm-2' IPADDR=`openstack server show $FGT \| grep addresses \| awk -F "\|" '{print $3}' \| awk -F "=" '{print $2}' \| awk -F ";" '{print $1}'` PORTID=`openstack port list \| grep $IPADDR \| awk -F "\|" '{print $2}'` neutron port-update $PORTID --no-security-groups --port_security_enabled=False echo echo $IPADDR echo `openstack port show $PORTID` echo IPADDR=`openstack server show $FGT \| grep addresses \| awk -F "\|" '{print $3}' \| awk -F "=" '{print $3}' \| awk -F ";" '{print $1}'` PORTID=`openstack port list \| grep $IPADDR \| awk -F "\|" '{print $2}'` `neutron port-update $PORTID --no-security-groups --port_security_enabled=False` echo echo $IPADDR echo `openstack port show $PORTID` echo IPADDR=`openstack server show $FGT \| grep addresses \| awk -F "\|" '{print $3}' \| awk -F "=" '{print $4}' \| awk -F ";" '{print $1}'` PORTID=`openstack port list \| grep $IPADDR \| awk -F "\|" '{print $2}'` `neutron port-update $PORTID --no-security-groups --port_security_enabled=False` echo echo $IPADDR echo `openstack port show $PORTID` echo IPADDR=`openstack server show $FGT \| grep addresses \| awk -F "\|" '{print $3}' \| awk -F "=" '{print $5}' \| awk -F ";" '{print $1}'` PORTID=`openstack port list \| grep $IPADDR \| awk -F "\|" '{print $2}'` `neutron port-update $PORTID --no-security-groups --port_security_enabled=False` echo echo $IPADDR echo `openstack port show $PORTID` echo
From the OpenStack command line, associate floating IPs to the two FortiGate-VMs, by entering the following commands:
openstack server add floating ip fgt-vm-1 10.210.9.10 openstack server add floating ip fgt-vm-2 10.210.9.14
4. Complete the FortiGate-VM configuration
From each FortiGate-VM instance CLI, enter the following commands to change the FortiGate-VM interfaces from DHCP to static, add IP addresses, and add a static route. The IP addresses assigned to the interfaces must be on the subnets of the networks the interfaces are connected to. The example shows the fgt-vm-1 configuration. The fgt-vm-2 configuration would be the same except for the interface IP addresses.	config system interface edit "port1" set mode static set ip 172.31.0.3 255.255.255.0 set allowaccess ping https ssh http next edit "port2" set mode static set ip 172.32.0.9 255.255.255.0 set allowaccess ping https ssh http next edit "port3" set mode static set ip 172.33.0.4 255.255.255.0 set allowaccess ping https ssh http next end config router static edit 1 set gateway 172.31.0.1 set device "port1" next end
From each FortiGate-VM instance CLI, configure both FortiGate-VMs for HA. Both FortiGate-VMs must have the same HA configuation.	config system ha set group-name "group-01" set mode a-p set password <password> set hbdev "port4" 50 set override disable set monitor "port2" end
5. CirrOS instance configuration
From each CirrOS CLI, configure each CirrOS instance with a default gateway that points at the FortiGate-VM interface connected to the same network as the CirrOS instance. Enter the following commands from each CirrOS CLI:	sudo route del default sudo ip route add default via <FG-IP-Address>
6. Testing cluster operation and failover
On the cirros-l instance console, start a continuous ping to the IP address of cirros-r. On the cirros-r instance console, start a continuous ping to the IP address of cirros-l:
On both FortiGate-VMs, use the command `diagnose sniffer packet any 'icmp' 4` to sniff ICMP packets. You should only see packets going through the primary unit.
Now shut down the primary unit. You can do this from the OpenStack Horizon Instances list.
After failover, on the new primary unit enter the command `diagnose sniffer packet any 'icmp' 4` to verify that the pings are now going through it.
7. Troubleshooting diagnose commands
On either FortiGate-VM you can use the `diagnose sys ha status` command to verify the status of the cluster.
fgt-vm # diagnose sys ha status HA information Statistics traffic.local = s:0 p:42311 b:9008646 traffic.total = s:0 p:42316 b:9009528 activity.fdb = c:0 q:0 Model=80008, Mode=2 Group=0 Debug=0 nvcluster=1, ses_pickup=0, delay=0 [Debug_Zone HA information] HA group member information: is_manage_master=1. FGVM080000109643: Master, serialno_prio=0, usr_priority=128, hostname=fgt-vm FGVM080000103268: Slave, serialno_prio=1, usr_priority=128, hostname=fgt-vm [Kernel HA information] vcluster 1, state=work, master_ip=169.254.0.1, master_id=0: FGVM080000109643: Master, ha_prio/o_ha_prio=0/0 FGVM080000103268: Slave, ha_prio/o_ha_prio=1/1
The command `get system ha status` shows similar information.
fgt-vm # get system ha status HA Health Status: OK Model: FortiGate-VM64-KVM Mode: HA A-P Group: 0 Debug: 0 Cluster Uptime: 0 days 02:04:26 Cluster state change time: 2017-09-01 03:08:19 Master selected using: <2017/09/01 03:08:19> FGVM080000109643 is selected as the master because it has the largest value of serialno. ses_pickup: disable override: disable Configuration Status: FGVM080000109643(updated 2 seconds ago): in-sync FGVM080000103268(updated 0 seconds ago): out-of-sync System Usage stats: FGVM080000109643(updated 2 seconds ago): sessions=4, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=55% FGVM080000103268(updated 0 seconds ago): sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=54% HBDEV stats: FGVM080000109643(updated 2 seconds ago): port4: physical/10000full, up, rx-bytes/packets/dropped/errors=15043566/61878/0/0, tx=158364378/146977/0/0 FGVM080000103268(updated 0 seconds ago): port4: physical/10000full, up, rx-bytes/packets/dropped/errors=29442835/61625/49/0, tx=25246662/68626/0/0 MONDEV stats: FGVM080000109643(updated 2 seconds ago): port2: physical/10000full, up, rx-bytes/packets/dropped/errors=1892/8/0/0, tx=173710/307/0/0 FGVM080000103268(updated 0 seconds ago): port2: physical/10000full, up, rx-bytes/packets/dropped/errors=174390/306/0/0, tx=2352/13/0/0 Master: fgt-vm , FGVM080000109643 Slave : fgt-vm , FGVM080000103268 number of vcluster: 1 vcluster 1: work 169.254.0.1 Master:0 FGVM080000109643 Slave :1 FGVM080000103268
The command `diagnose system ha checksum show` shows whether the configurations of the FortiGate-VMs in the cluster are synchronized. If the configurations are synchronized both sets of checksums should match.
fgt-vm # diagnose sys ha checksum show is_manage_master()=1, is_root_master()=1 debugzone global: 33 6f ee 5b 78 a5 22 84 39 ec 36 d3 1c 54 7c 78 root: 40 0d fb 04 12 41 df ad f1 64 14 03 ff ec f5 01 all: d3 2f 6f bb a6 e7 77 db 27 75 81 b2 94 f3 fd 68 checksum global: 33 6f ee 5b 78 a5 22 84 39 ec 36 d3 1c 54 7c 78 root: 40 0d fb 04 12 41 df ad f1 64 14 03 ff ec f5 01 all: d3 2f 6f bb a6 e7 77 db 27 75 81 b2 94 f3 fd 68
If the checksums do not match, you can use the `diagnose sys ha checksum show` and `diagnose sys ha checksum show global` commands to show more detailed checksum results, the following example shows the first few lines of output of the `diagnose sys ha checksum show global` command:
diagnose sys ha checksum show global system.global: 2c79958c132639dfe61ab782a2f213ec system.accprofile: 7d79452c78377be2616149264a18fd5c system.vdom-link: 00000000000000000000000000000000 wireless-controller.inter-controller: 00000000000000000000000000000000 wireless-controller.global: 00000000000000000000000000000000 wireless-controller.vap: 00000000000000000000000000000000 system.switch-interface: 00000000000000000000000000000000 system.interface: 8690699bc33c7c15b20e017876cf1e37 ...
If the configurations are synchronized all of the checksums displayed using these commands from both of the FortiGate-VMs should match. If they do not you can use the output to see what parts of the configuration are not synchronized.

Was this helpful?
Yes No

See these pages for more information on RedHat OpenStack networks and MTU values:

The post FortiGate-VM HA for RedHat OpenStack 10 – Expert appeared first on Fortinet Cookbook.

↧

High Availability with FGCP (Expert)

October 11, 2017, 1:46 pm

≫ Next: Episode 18: Fortinet Innovators – FortiGate 7000 Series

≪ Previous: FortiGate-VM HA for RedHat OpenStack 10 – Expert

This recipe describes how to enhance the reliability of a network protected by a FortiGate unit by adding a second FortiGate unit and setting up a FortiGate Clustering Protocol (FGCP) High Availability cluster.

The FortiGate already on the network will be configured to become the primary unit by:

Licensing it (if required)
Enabling HA
Increasing its device priority
Enabling override

The new FortiGate will be prepared by:

Setting it to factory defaults to wipe any configuration changes
Licensing it (if required)
Enabling HA without changing the device priority and override
Connecting it to the FortiGate already on the network.

The new FortiGate becomes the backup unit and its configuration is overwritten by the primary unit.

The recipe contains instructions for both the GUI and the CLI, with some parts of the configuration requiring use of the CLI. A simplified HA recipe that only requires use of the GUI is available here.

Before you start, the FortiGates should be running the same FortiOS firmware version and interfaces should not be configured to get their addresses from DHCP or PPPoE.

_{Find this recipe for other FortiOS versions}
_{5.2 | 5.4 | 5.6}

1. Configuring the primary FortiGate
Connect to the primary FortiGate and locate the System Information Dashboard widget. Click on the System Information dashboard widget and select Configure settings in System > Settings. Change the unit’s Host name to identify it as the primary FortiGate.
You can also enter this CLI command:	config system global set hostname External-Primary end
Register and apply licenses to the primary FortiGate before configuring it for HA operation. This includes licensing for FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs). All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. FortiToken licenses can be added at any time because they are synchronized to all cluster members.
You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.
Enter this CLI command to set the HA mode to active-passive, set a group id, group name and password, increase the device priority to a higher value (for example, 250) and enable override.	config system ha set mode a-p set group-id 25 set group-name External-HA-Cluster set password set priority 250 set override enable set hbdev port3 200 port4 100 end
Enabling override and increasing the device priority means this unit should always become the primary unit. This command also selects port3 and port4 to be the heartbeat interfaces and sets their priorities to 200 and 100 respectively. Its a best practice to set different priorities for the heartbeat interfaces (but not a requirement). If you have more than one cluster on the same network, each cluster should have a different group id. Changing the group id changes the cluster interface virtual MAC addresses. If your group id setting causes MAC address conflict you can select a different group id.
You can also use the GUI (System > HA) to configure most of these settings.
Override and the group id can only be configured from the CLI.	config system ha set group-id 25 set override enable end
The FortiGate unit negotiates to establish an HA cluster. You may temporarily lose connectivity with the FortiGate unit as FGCP negotiation takes place and the MAC addresses of the FortiGate interfaces are changed to HA virtual MAC addresses. These virtual MAC addresses are used for failover. The actual virtual MAC address assigned to each FortiGate interface depends on the HA group ID. Since this example does not involve changing the HA group ID, the FortiGate unit’s interfaces will have the following MAC addresses: 00:09:0f:09:00:00, 00:09:0f:09:00:01, 00:09:0f:09:00:02 and so on. To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You can usually delete the ARP table from a command prompt using a command similar to `arp -d`. To confirm these MAC address changes, you can use the `get hardware nic` (or `diagnose hardware deviceinfo nic`) command to view the virtual MAC address of any FortiGate unit interface. Depending on the FortiGate model, the output from this command could include lines similar to the following: Current_HWaddr: 00:09:0f:09:00:00 Permanent_HWaddr 02:09:0f:78:18:c9
2. Configuring the backup FortiGate
Enter this command to reset the new FortiGate that will become the backup FortiGate to factory default settings. `execute factoryreset` You can skip this step if the new FortiGate is fresh from the factory. But if its configuration has been changed at all it is recommended to set it back to factory defaults to reduce the chance of synchronization problems. If required, change the firmware running on the new FortiGate to be the same version as is running on the primary unit.
Register and apply licenses to the new FortiGate unit before adding it to the HA cluster. This includes licensing for FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs). All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. FortiToken licenses can be added at any time because they are synchronized to all cluster members.
Click on the System Information dashboard widget and select Configure settings in System > Settings. Change the FortiGate’s Host name to identify it as the backup FortiGate.
You can also enter this CLI command:	config system global set hostname External-Backup end
Duplicate the primary unit HA settings, except set the Device Priority to a lower value (for example, 50) and do not enable override.	config system ha set mode a-p set group-id 25 set group-name External-HA-Cluster set password set priority 50 set hbdev port3 200 port4 100 end
3. Connecting the cluster
Connect the HA cluster as shown in the network diagram. Making these connections will disrupt network traffic as you disconnect and re-connect cables. If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units. Switches must be used between the cluster and the Internet and between the cluster and the internal networks as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections as long as you configure the switch to separate traffic from the different networks. When connected, the primary and backup FortiGates find each other and negotiate to form an HA cluster. The Primary unit synchronizes its configuration with the backup FortiGate. Forming the cluster happens automatically with minimal or no disruption to network traffic.
4. Checking cluster operation and disabling override
Check the cluster synchronization status to make sure the primary and backup units have the same configuration. Log into the primary unit CLI and enter this command: diagnose sys ha checksum cluster The command output lists all cluster members’ configuration checksums. If both cluster units have identical checksums you can be sure that their configurations are synchronized. If the checksums are different, wait a short while and enter the command again. Repeat until the checksums are identical. It may take a while for some parts of the configuration to be synchronized. If the checksums never become identical contact Fortinet Support to help troubleshoot the problem.
The HA Status Dashboard widget also shows if the cluster units are synchronized. Mouse over each FortiGate in the cluster to verify that they both have the same checksum.
When the checksums are identical, disable override on the primary unit (recommended). config system ha set override disable end The HA cluster dynamically responds to network conditions. If you keep override enabled, the same FortiGate will always be the primary FortiGate. Because of this, however; the cluster may negotiate more often potentially increasing traffic disruptions. If you disable override it is more likely that the new FortiGate unit could become the primary unit. Disabling override is recommended unless its important that the same FortiGate remains the primary unit.
From the HA Status widget, select Configure Settings in System > HA (or go to System > HA) to view the cluster status.
From the HA Status widget you can also select Show HA Historical Events to see the most recent HA system status messages.
5. Results
Normally, traffic should now be flowing through the primary FortiGate. If the primary FortiGate is unavailable traffic fails over to the backup FortiGate. Failover also causes the primary and backup FortiGates to reverse roles, even when both FortiGates are available again.
To test this, ping the IP address 8.8.8.8 using a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results, until traffic diverts to the backup FortiGate, allowing the ping traffic to continue.

For further reading, check out FGCP configuration examples and troubleshooting in the FortiOS 5.6 Handbook.

Was this helpful?
Yes No

If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.

If these steps don’t start HA mode, make sure that none of the FortiGate’s interfaces use DHCP or PPPoE addressing.

This example uses two port3 and port4, but you can use any interfaces for HA heartbeat interfaces. A best practice is to use interfaces that do not process traffic, but this is not a requirement.

If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.

The post High Availability with FGCP (Expert) appeared first on Fortinet Cookbook.

↧

Episode 18: Fortinet Innovators – FortiGate 7000 Series

October 12, 2017, 2:18 pm

≫ Next: Security Fabric over IPsec VPN

≪ Previous: High Availability with FGCP (Expert)

Send us your questions! We’re looking to do a Q&A episode of FortiCast and we need your help. If you have a question that needs an answer, email us at forticast@fortinet.com.

In the first part of our Fortinet Innovators series, you get a behind-the-scenes look at the FortiGate 7000 series.

FortiGate 7000 Series resources

Subscribe to FortiCast

Was this helpful?
Yes No

The post Episode 18: Fortinet Innovators – FortiGate 7000 Series appeared first on Fortinet Cookbook.

↧

To attach the unit to a wall:

To attach the unit to a pole:

Antenna direction

Troubleshooting resources

Subscribe to FortiCast

Overview

1. Converting the Blacklist to a FortiManager XML File

2. Upload the XML File into FortiManager

3. Configure FortiManager to use only its Local FortiGuard Database or Local Blacklist Database

4. Testing Custom URLs managed by FortiManager

5. Specify FortiManager as the FortiGuard Server in FortiGate

1. Connecting and authorizing the FortiAP unit

2. Creating an SSID

3. Creating a custom FortiAP profile

4. Allowing wireless access to the Internet

5. Results

1. Registering the WLC as a RADIUS client on the FortiConnect

2. Registering the FortiGate as a RADIUS Accounting Server on the FortiConnect

3. Validating WLC configuration created from FortiConnect

4. Creating Security Profile on the WLC

5. Creating wireless ESS profile on the WLC

6. Enabling RADIUS Accounting listening on the FortiGate

7. Creating an RSSO Agent on the Fortigate

8. Creating an RSSO User Group

9. Editing the RSSO Agent

Results

Configuring the data center FortiGates

1. Creating the data center side of the IPsec VPN

2. Adding addresses to the tunnel interfaces

3. Implementing route discovery with BGP

4. Controlling access to data center networks

5. Pointing to branch offices with black hole routes

Configuring Branch FortiGate

1. Creating the branch side of the IPsec VPN

2. Adding IP addresses to the tunnel interfaces

3. Implementing route discovery with BGP

4. Setting up the load balancing SD-WAN configuration

5. Controlling access from branch networks

1. Configuring System and Network settings

2. Adding Proxy Options to your policy

3. Creating a Proxy Policy

4. Results

Configuring Inbound Disclaimer Rule

Connecting to the FortiMail serial console

Basic CLI configurations

1. Configuring the first FortiGate (Peer-1)

2. Configuring the second FortiGate (Peer-2)

3. Configuring the third FortiGate (Peer-3)

4. Configuring the fourth FortiGate (Peer-4)

5. Synchronizing TCP sessions

6. Synchronizing UDP and ICMP sessions

7. Synchronizing VoIP sessions

8. Synchronizing the configuration

Troubleshooting resources

Subscribe to FortiCast

1. Allowing FortiCloud to access the local FortiConnect

2. Creating FortiCloud as a RADIUS client on the FortiConnect

3. Creating FortiConnect as RADIUS Server on the FortiCloud

4. Creating a new SSID on the FortiCloud

5. Results

To Replace the Primary Unit:

1. Configuring the IPsec VPN on HQ

2. Configuring the IPsec VPN on Branch

3. Results

To install the unit into a rack

1. Setting up the networks in OpenStack

2. Deploy two FortiGate-VMs

3. Disable port security for the FortiGate-VM and CirrOS instances

4. Complete the FortiGate-VM configuration

5. CirrOS instance configuration

6. Testing cluster operation and failover

7. Troubleshooting diagnose commands

1. Configuring the primary FortiGate

2. Configuring the backup FortiGate

3. Connecting the cluster

4. Checking cluster operation and disabling override

5. Results

FortiGate 7000 Series resources

Subscribe to FortiCast