Channel: Fortinet Cookbook

Security Fabric over IPsec VPN


In this recipe, you will add FortiTelemetry traffic to an existing IPsec VPN site-to-site tunnel between two FortiGates, in order to add a remote FortiGate to your Security Fabric. You will also allow the remote FortiGate to access the FortiAnalyzer for logging.

If you do not already have an IPsec VPN tunnel configured, see Site-to-site IPsec VPN with two FortiGates.

This recipe requires FortiOS 5.6.1 or higher.

This recipe is in the Security Fabric Collection. It can also be used as a standalone recipe.

In this example, the root FortiGate in the Security Fabric is an HA cluster called External and the remote FortiGate is called Branch.

1. Configuring the tunnel interfaces

In order for FortiTelemetry traffic to flow securely through the IPsec VPN, FortiTelemetry traffic must travel between the tunnel interfaces, with the interface on External listening for this traffic.

The tunnel interfaces require IP addresses. In this example, the External tunnel interface is assigned the IP address 1.1.1.1 and the Branch tunnel interface is assigned the IP address 1.1.1.2.

On External, go to Network > Interfaces and edit the tunnel interface.

Set IP to the local IP address for this interface (1.1.1.1) and Remote IP to the local IP address for the Branch tunnel interface (1.1.1.2).

Under Administrative Access, enable FortiTelemetry.

 

On Branch, go to Network > Interfaces and edit the tunnel interface.

Set IP to the local IP address for this interface (1.1.1.2) and Remote IP to the local IP address for the External tunnel interface (1.1.1.1). 

 

2. Adding the tunnel interfaces to the VPN

On External, go to Policy & Objects > Addresses and create an address for the External tunnel interface.

Create a second address for the Branch tunnel interface.

For this address, enable Static Route Configuration.

Go to VPN > IPsec Tunnels and edit the VPN tunnel. Select Convert To Custom Tunnel.

Under Phase 2 Selectors, create a second Phase 2 allowing traffic between the External tunnel interface and the Branch tunnel interface.

 

Go to Network > Static Routes and create a route to the Branch tunnel interface.

Set Destination to Named Address and select the firewall address. Set Device to the tunnel interface.

 

Go to Policy & Objects > IPv4 Policy and edit the policy allowing local VPN traffic.

Set Source to include the External tunnel interface and Destination to include the Branch tunnel interface.

 
Edit the policy allowing remote VPN traffic to include the tunnel interfaces.

On Branch, repeat this step to include the following:

  • Addresses for both tunnel interfaces (the address for the Branch tunnel interface must have Static Route Configuration enabled)
  • A Phase 2 allowing traffic between the Branch tunnel interface and the External tunnel interface
  • A static route to the External tunnel interface
  • Edited policies that allow traffic to flow between the tunnel interfaces

Go to Monitor > IPsec Monitor and restart the VPN tunnel, allowing the new phase 2 to take effect.

3. Adding Branch to the Security Fabric

On Branch, go to Security Fabric > Settings and enable FortiGate Telemetry. Set the Group name and Group password of the Security Fabric.

 

Enable Connect to upstream FortiGate and set FortiGate IP to the IP address of the External tunnel interface.

Add lan to the list of FortiTelemetry enabled interfaces.

Go to Security Fabric > Logical Topology. Branch is shown connecting to External (identified by serial number in the screenshot) over the IPsec VPN tunnel. 

4. Allowing Branch to access the FortiAnalyzer

On Branch, go to Policy & Objects > Addresses and create an address for the FortiAnalyzer.

Enable Static Route Configuration.

Go to VPN > IPsec Tunnels and create a Phase 2 allowing traffic between the Branch tunnel interface and the FortiAnalyzer.

 

Go to Network > Static Routes and create a route to the FortiAnalyzer.

 
On External, go to Policy & Objects > Addresses and create an address for the FortiAnalyzer.
Go to VPN > IPsec Tunnels and create a Phase 2 allowing traffic between the FortiAnalyzer and the Branch tunnel interface.

Go to Policy & Objects > IPv4 Policy and create a policy allowing traffic from the VPN tunnel to the FortiAnalyzer.

Enable NAT for this policy.

On Branch, go to Security Fabric > Settings. Under FortiAnalyzer Logging, an error appears because Branch is not yet authorized on the FortiAnalyzer.

On the FortiAnalyzer, go to Device Manager > Unregistered. Select Branch, then select +Add to register Branch.

Branch now appears as Registered.

5. Results

On External, go to Security Fabric > Logical Topology. Branch is shown as part of the Security Fabric, connecting over the IPsec VPN tunnel. 

6. (Optional) Using local logging for Branch

If you would prefer to use local logging for Branch, rather than sending logs to a remote FortiAnalyzer, you can do so using the following CLI command:

config system csf
  set logging-mode local
end

You can then go to Log & Report > Log Settings and configure local logging as required.

This option is available for all FortiGates in the Security Fabric, except for the root FortiGate.

Note: To edit the policies in step 2 so that they include the tunnel interfaces, you must have Multiple Interface Policies enabled. If you have not done this already, go to System > Feature Visibility.

The post Security Fabric over IPsec VPN appeared first on Fortinet Cookbook.


Multicast over IPsec VPN without PIM


This recipe allows transparent multicast communication between two networks located behind FortiGates connected via IPsec VPN. Multicast is configured to send traffic across the IPsec tunnel without the use of PIM or any other multicast routing protocol. Two hosts are used to send and receive a multicast stream between the two sites. The FortiGate with the multicast streaming server is referred to as “HQ”, and the FortiGate with the multicast client is referred to as “Branch”.

1. Configure the HQ IPsec VPN

On the HQ FortiGate, go to VPN > IPsec Wizard.

Select the Site to Site template, and select FortiGate.

 

In the Authentication step, set IP Address to the IP of the Branch FortiGate (in the example, 172.31.1.65). After you enter the gateway, an available interface will be assigned as the Outgoing Interface.  Set a secure Pre-shared Key.

 

In the Policy & Routing step, set the Local Interface. The Local Subnets will be added automatically. Set Remote Subnets to the Branch FortiGate’s local subnet (in the example, 10.1.2.0/24).

 

A summary page shows the configuration created by the wizard.

 

2. Configure the Branch IPsec VPN

On the Branch FortiGate, go to VPN > IPsec Wizard.

Select the Site to Site template, and select FortiGate.

 

In the Authentication step, set IP Address to the IP of the HQ FortiGate (in the example, 172.31.1.64). After you enter the gateway, an available interface will be assigned as the Outgoing Interface.

Set the same Pre-shared Key that was used for HQ’s VPN.

 

In the Policy & Routing step, set the Local Interface. The Local Subnets will be added automatically. Set Remote Subnets to the HQ FortiGate’s local subnet (in the example, 10.1.1.0/24).

 

A summary page shows the configuration created by the wizard, including firewall addresses, firewall address groups, a static route, and security policies.

 

On either FortiGate, go to Monitor > IPsec Monitor to verify the status of the VPN tunnel. Right-click under Status and select Bring Up.

 

At this point in the configuration, the multicast server behind the HQ FortiGate should be able to ping the client at Branch.   If you need to generate traffic to test the connection, ping the Branch FortiGate’s internal interface from the HQ’s internal network.

3. Configure the HQ multicast policy and phase 2 settings

On the HQ FortiGate, go to Policy & Objects > Multicast Policy.  (If multicast policy is not available, go to System > Feature Visibility and enable the feature).

Create a new policy and allow the multicast traffic from the source interface to the tunnel.

Create another multicast policy that allows multicast traffic from the tunnel to the LAN interface of the multicast server.

 

Add a phase 2 selector to the VPN tunnel by going to VPN > IPsec Tunnels and editing the tunnel.  Add a phase 2 selector with 10.1.1.0/24 as the local address and 239.0.0.0/8 as the remote address.

 

Enable multicast forwarding

At the CLI prompt, enter:

config system settings
       set multicast-forward enable
end

 

4. Configure Branch multicast policy and phase 2 settings

On the Branch FortiGate, go to Policy & Objects > Multicast Policy.  (If multicast policy is not available, go to System > Feature Visibility and enable the feature).

 

Create a new policy and allow the multicast traffic from the source interface to the tunnel.

Create another multicast policy that allows multicast traffic from the tunnel to the LAN interface of the multicast server.

 

Add a phase 2 selector to the VPN tunnel by going to VPN > IPsec Tunnels and editing the tunnel.  Add a phase 2 selector with 239.0.0.0/8 as the local address and 10.1.1.0/24 as the remote address.

 

Enable multicast forwarding

At the CLI prompt, enter:

config system settings
    set multicast-forward enable
end
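
The multicast Phase 2 on each side must be the exact mirror of the other's (HQ local 10.1.1.0/24 and remote 239.0.0.0/8, Branch local 239.0.0.0/8 and remote 10.1.1.0/24), and a stream only rides the tunnel if its source and group fall inside such a pair. The check below is an added example, not part of the Fortinet recipe; BRANCH_TYPO is a constructed misconfiguration used for comparison.

```python
import ipaddress

# Phase 2 selectors as (local, remote) pairs, as configured in the recipe.
# The first pair on each side is the unicast selector created by the wizard;
# the second is the multicast selector added in steps 3 and 4.
HQ_SELECTORS = [("10.1.1.0/24", "10.1.2.0/24"), ("10.1.1.0/24", "239.0.0.0/8")]
BRANCH_SELECTORS = [("10.1.2.0/24", "10.1.1.0/24"), ("239.0.0.0/8", "10.1.1.0/24")]

# CONSTRUCTED mistake (not from the page): a typo in the Branch multicast selector.
BRANCH_TYPO = [("10.1.2.0/24", "10.1.1.0/24"), ("239.0.0.0/8", "10.1.0.0/24")]


def _net(cidr):
    return ipaddress.ip_network(cidr)  # strict: rejects host bits set in a selector


def unmirrored(side_a, side_b):
    """Selectors on side_a that have no (remote, local) counterpart on side_b.

    A Phase 2 only comes up when each peer's local/remote pair is the exact
    mirror of the other's, so every pair returned here is one the peer rejects.
    """
    mirrors = {(_net(r), _net(l)) for l, r in side_b}
    return [(l, r) for l, r in side_a if (_net(l), _net(r)) not in mirrors]


def selectors_match(hq, branch):
    """True when every selector on either side is mirrored on the other."""
    return not unmirrored(hq, branch) and not unmirrored(branch, hq)


def stream_matches(hq_selectors, source_ip, group_ip):
    """Would a stream from source_ip to group_ip be carried by an HQ selector?

    group_ip must be a multicast address and the (source, group) pair must fall
    inside some (local, remote) selector pair on the HQ side.
    """
    src, grp = ipaddress.ip_address(source_ip), ipaddress.ip_address(group_ip)
    if not grp.is_multicast:
        return False
    return any(src in _net(l) and grp in _net(r) for l, r in hq_selectors)
```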

 

5. Results

Multicast traffic should now flow from the multicast server to the client. Start the multicast stream and make a note of the address being used. In this configuration, all multicast traffic that matches 239.0.0.0/8 should flow from HQ to Branch.

Multicast traffic flow can be verified by issuing the “diag sys mcast-session list” command on the Branch FortiGate.

In the output of this command, you should see the multicast session sourced from the HQ server and transmitting to multicast group address 239.1.1.100:1234. The multicast receiver application on the Branch host should now be able to receive this multicast traffic.


Security Fabric troubleshooting


This section contains tips to help you with some common challenges of the Fortinet Security Fabric.

Useful diagnose commands

You can use the following diagnose commands as a first step to troubleshoot issues with the Security Fabric.

diagnose system csf

This command allows you to check if the upstream FortiGate can see downstream FortiGates. Advanced users can also use this command to send query requests to downstream FortiGates.

Syntax:

diagnose system csf
downstream    Show connected downstream FortiGates.
query         Query through Security Fabric.
neighbor      Security Fabric enabled devices in adjacency.

Example output:

 # dia sys csf downstream 

 1:	FG101E4Q17001320 (10.1.1.1) Management-IP: 0.0.0.0 parent: FGT6HD3916800525
	path:FGT6HD3916800525:FG101E4Q17001320
	data received: Y downstream intf:VPN-to-External upstream intf:VPN-to-Branch admin-port:443
 
 2:	FGT90D3Z15019631 (192.168.200.10) Management-IP: 0.0.0.0 parent: FGT6HD3916800525
	path:FGT6HD3916800525:FGT90D3Z15019631
	data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443

 3:	FG140D3G13804256 (192.168.10.10) Management-IP: 0.0.0.0 parent: FGT6HD3916800525
	path:FGT6HD3916800525:FG140D3G13804256
	data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443

diagnose test application csfd

You can use this command to check the Security Fabric daemon. You can run this command on an upstream or downstream FortiGate.

Syntax:

diagnose test application csfd 
1. show stats
2. show plugin status
99. restart
10. show MAC cache status
11. show Slave MAC cache status
20. show FAZ setting synchronization status
40. show slave mac sync status

Example output:

Upstream FortiGate

# diagnose test application csfd 1

Dump CSF daemon info
group name: Office-Security-Fabric
group pwd: *
status: Active
in queue query num: 0

Upstream info
N/A

Downstream info
fgt total: 3

# 1
sn: FG101E4Q17001320
ip: 10.1.1.1
port: 20407
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

# 2
sn: FGT90D3Z15019631
ip: 192.168.200.10
port: 1025
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

# 3
sn: FG140D3G13804256
ip: 192.168.10.10
port: 15011
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

Downstream FortiGate

Dump CSF daemon info

group name: Office-Security-Fabric
group pwd: *
status: Active
in queue query num: 0

Upstream info
sn: FGT6HD3916800525
ip: 192.168.10.2
port: 8013
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

Downstream info
fgt total: 0
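
A small health check that parses this dump and flags any peer whose status line is missing one of the four flags, whose hello count shows no response, or where fgt total disagrees with the entries listed. This is an added example, not Fortinet code; the upstream sample embeds the page's first two entries verbatim plus a third, constructed degraded entry, and the downstream sample is abridged from the page's output.

```python
# Flags that a healthy Security Fabric peer shows on its "status:" line.
REQUIRED_FLAGS = ("link-ok", "SSL-ok", "auth-ok", "hello-ok")

# Entries 1 and 2 are copied from the page's upstream example; entry 3 is
# CONSTRUCTED (not from the page) to show how a degraded peer is reported.
UPSTREAM_DUMP = """\
Dump CSF daemon info
group name: Office-Security-Fabric
group pwd: *
status: Active
in queue query num: 0

Upstream info
N/A

Downstream info
fgt total: 3

# 1
sn: FG101E4Q17001320
ip: 10.1.1.1
port: 20407
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

# 2
sn: FGT90D3Z15019631
ip: 192.168.200.10
port: 1025
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0

# 3
sn: FG140D3G13804256
ip: 192.168.10.10
port: 15011
status:  link-ok auth-ok hello-ok
no response: 2
"""

# Abridged from the page's downstream example: one upstream peer, no downstreams.
DOWNSTREAM_DUMP = """\
Dump CSF daemon info
group name: Office-Security-Fabric
status: Active
Upstream info
sn: FGT6HD3916800525
ip: 192.168.10.2
port: 8013
status:  link-ok SSL-ok auth-ok hello-ok
no response: 0
Downstream info
fgt total: 0
"""

def parse_csfd_dump(text):
    """Return (group name, declared downstream count, list of peer dicts)."""
    group, declared, peers, role, cur = None, None, [], "upstream", None
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = (part.strip() for part in line.partition(":"))
        if line.startswith("Upstream info"):
            role = "upstream"
        elif line.startswith("Downstream info"):
            role = "downstream"
        elif key == "group name":
            group = value
        elif key == "fgt total":
            declared = int(value)
        elif key == "sn":                       # first line of a peer block
            cur = {"role": role, "sn": value}
        elif cur is None:                       # daemon-level lines and "# n"
            continue
        elif key == "ip":
            cur["ip"] = value
        elif key == "status":                   # e.g. "link-ok SSL-ok auth-ok hello-ok"
            cur["status"] = value.split()
        elif key in ("port", "no response"):
            cur[key] = int(value)
            if key == "no response":            # last line of a peer block
                peers.append(cur)
                cur = None
    return group, declared, peers

def problems(peer):
    """Reasons a peer is unhealthy: missing status flags or unanswered hellos."""
    out = [f"missing {f}" for f in REQUIRED_FLAGS if f not in peer["status"]]
    if peer["no response"] > 0:
        out.append(f"{peer['no response']} unanswered hello(s)")
    return out

def check_fabric(text):
    """Map each unhealthy peer's serial to its problems; flag a count mismatch too."""
    _, declared, peers = parse_csfd_dump(text)
    report = {p["sn"]: problems(p) for p in peers if problems(p)}
    seen = sum(p["role"] == "downstream" for p in peers)
    if declared is not None and declared != seen:
        report["fgt total"] = [f"daemon declares {declared}, parsed {seen}"]
    return report
```

Run check_fabric over the captured output of `diagnose test application csfd 1` from each FortiGate; an empty result means every listed peer reports all four flags and no unanswered hellos.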

Common questions and issues

The following sections provide information about specific questions and issues that may come up with the Security Fabric.

What devices are included in the Security Fabric?

Required devices

To configure a Security Fabric, you must have at least two FortiGate units. One FortiGate will be the root FortiGate of the Security Fabric, and the other FortiGates will be the downstream FortiGates. An HA cluster is considered a single FortiGate unit.

In FortiOS 5.6 and later, a FortiAnalyzer is a required device in the Security Fabric.

Recommended devices

The following devices are recommended in the Security Fabric:

Optional devices

Other Fortinet products and 3rd party products from the Fabric-Ready Partner Program are optional.

A downstream FortiGate won’t join the Security Fabric

Check your networking configuration to make sure the FortiGate can connect to an upstream FortiGate in the Security Fabric. If the FortiGate still won’t join the Security Fabric, verify that the Group Name and Password are the same on all devices in the Security Fabric, so that the connection between them is authenticated.

Network devices don’t appear in the Physical and Logical Topology

In the Physical and Logical Topology pages, two types of device bubbles are shown: WAN destination and LAN device. Each type has its own requirements:

WAN destination bubbles

  • Shows traffic to interfaces that have the WAN role
  • Does not require device detection on the interface

LAN device bubbles

  • Shows any device detected on any FortiGate interfaces, regardless of interface role
  • Requires device detection on the interfaces

Also, devices located behind a layer 3 device may not appear in the Physical and Logical Topology pages.

The historical views for Physical and Logical Topology aren’t working

If you can see devices and traffic in “real time,” but not in the historical views (5 minutes, 1 hour, and so on), this points to issues with FortiAnalyzer logging. To resolve this issue, do the following:

  • Check the FortiAnalyzer Release Notes to make sure the FortiAnalyzer’s firmware is compatible with the FortiOS version on the FortiGates in the Security Fabric

  • Go to Security Fabric > Settings on each FortiGate in the Security Fabric. All FortiGates should be sending logs to the same FortiAnalyzer, unless the option to use local logging is enabled (this option is only available for downstream FortiGates)

  • On the FortiAnalyzer, go to Device Manager and verify the following:

    • All FortiGate devices in the Security Fabric are authorized on the FortiAnalyzer

    • The Security Fabric group name and members are visible

    • All FortiGates are sending logs to the FortiAnalyzer

    • FortiView has been properly configured on both the FortiAnalyzer and the FortiGate devices to display the right information

Fortinet Support Portal Authentication Process Change FAQ


In an effort to enhance the security of your account, the support portal login and authentication process now offers an extra security measure to protect your information.

In an age where a simple password isn’t enough to protect your data from unauthorized access, we are introducing two-factor authentication and new minimal password complexity requirements. This will require all customers to reset their passwords, and will affect those with multiple logins.

We recommend that you enable this option as soon as possible so that your login credentials and user information are well protected. See below to find out whether we can answer any of your questions regarding these changes.

When is the change taking place?

The change in login process is currently scheduled for Saturday November 18th, 2017.


Why is the login process changing?

The login process is being revamped to comply with modern security standards and federal requirements. This includes password complexity rules, password expiration, and two-factor authentication.


How often will I need to change my password?

You will be required to change your password every 90 days.


Am I required to use two-factor authentication?

You are not required to use two-factor authentication; however, it is highly recommended.


What happens if I don’t activate my token?

Your account will become disabled, at which point you will need to re-enable your account and set a new password.


If I request a password reset but do not reset it within the 5 day grace period, what will happen?

The link will become invalid and you will need to request a password reset again. During this time your previous, or existing password will not change.


I received a password reset email that I did not request, what do I do?

If you did not request a password reset email you can safely ignore it. The password reset process requires the owner of the email address to click the link in order to configure a new password.

Note: Anyone who has access to the email address can process a password reset.  Please keep this in mind if you are using an email alias that has multiple users who can access it.


What happens if I’m using an invalid email address?

If you are using an invalid email address for your account then you will not be able to complete the password reset process. In order to properly configure your new authentication options, you will need to change your Account ID (email address) to a valid address that you are able to access.


How does this affect me if I’m using a group email alias for our Support Portal login?

If you are using a group email alias for your support account (e.g. fortinetsupport@company.com) that is used by multiple individuals to access our support services, you will need to be wary of enabling two-factor authentication, as a mobile token can only be associated with one device. 

Additionally, you will need to be wary of resetting the password as this will impact all users. Finally, if you wish to enable two-factor authentication, it is recommended that you use email to receive your token. This way all users who have access to the alias can log into the support website.

Fortinet recommends that you use an individual account wherever possible, in order to ensure the security of your account and to enhance and simplify account management.


How do I enable a disabled account?

When you attempt to log into a deactivated account you will be presented with a Reactivate My Account button. Clicking this button will send an email to your address with a link to initiate the reactivation process.

When you click the link to reactivate the account, it will open a page with an Enable my Account button. Once your account has been reactivated successfully, you can click on the Close button to login.

Note: If your account was disabled due to your password expiring, you will need to reset your password. You can do this by clicking the Reset Password button provided when reactivating your account.


Can I change my email address?

Yes, you can change the master email address (Account ID) on your account.  

Please be aware that if you change your email address, all accounts that are linked to the original Account ID as a sub account will reflect the new email address.

To change your email, follow these steps:

  1. Sign in with the account you wish to change.
  2. Click your name in the upper-right corner and select Credentials below User Profile.
  3. Click on Change Account ID (Email) from the options on the left-hand side menu.
  4. Enter and re-enter your new email address to confirm the change.
  5. Click Save to commit your change.
  6. Once your Account ID has been successfully changed, you will be logged out.
  7. You will receive an email confirming the Account ID change. Depending on your account, you may need to reset your password before you can gain access to your account.
  8. Login with your new email address and password.
  9. Reconfigure your two-factor authentication settings. You may need to re-provision your FortiToken if necessary.

Note: Please make sure you have access to the email account in question prior to initiating any change.


How complex does my password need to be? What are the minimum password requirements?

Your password must be at least 8 characters in length, and consist of at least 1 upper-case letter, 1 lower-case letter, 1 numeric character, and 1 non-alphanumeric character (e.g. $!#).


I want to enforce two-factor authentication but I don’t own an iPhone or an Android device, what are my options?

We provide email as an alternative to using FortiToken Mobile on your mobile device.


If I choose to enforce two-factor authentication, do I need a FortiToken or can my two-factor authentication security device be from a 3rd Party? 

Our portal only supports FortiToken Mobile or email. There is no support for 3rd Party tokens at this time.


Is there a limit to how often I can change my two-factor authentication delivery method?

There is currently no limit. However, every time you change which method you use, it will deprovision the old token and require you to reconfigure your mobile device each time.


How is using one password for all my accounts more secure than separate passwords?

This change provides the ability to apply two-factor authentication for all accounts that you use on our support portal, providing minimal configuration changes, and easier password management for users with access to multiple accounts.


Is there a time limit to reactivating my account if it has been deactivated?

There is no time limit, and we will not delete or remove your account. Should you wish to access it again in the future, simply follow the typical account reactivation process.


Can I use two-factor authentication with a group alias email?

You cannot use FortiToken Mobile with a group alias, as only one FortiToken Mobile can be assigned per address. You can, however, use email as an option, as all users of the account with this alias should have access to receive the token email.


Does FortiToken Mobile support PUSH notifications? 

Yes, FortiToken Mobile 4.0 and above supports PUSH notifications. Please note that PUSH notifications may not work in all countries/regions.


Can I go back to the old login process once I’ve migrated?

You cannot return to the legacy authentication process once you’ve migrated your account.


How do I access my other accounts if I login with only one username and password? 

When you log in, you will be presented with a landing page providing you a list of all available accounts. Simply select the account you wish to access. Once you are in an account you can change which account you are accessing by clicking your profile in the upper right corner and selecting another account from the list.


Which account is selected as the default account when I log in?

There is no default account selected for you; when you log in, you are provided with a landing page that provides a list of accounts that you have access to.


How can I change my email if my account has been blocked and I’m unable to access my email address?

If you have a disabled account, and are unable to access your email address at the time, simply contact our customer service team who will assist you in reactivating your account.

You can contact your local customer service team by visiting this page: https://www.fortinet.com/support-and-training/support/contact.html


Why doesn’t my Partner Portal account have two-factor authentication options? 

Our Partner Portal is a different system that interacts with our Support Portal. In order to ensure a smooth process we are implementing the changes on the primary Support Portal first with additional portals to follow.


What are the reasons an account would be disabled? 

There are several reasons that your account could become disabled:

  1. Your password has expired.
  2. You configured two-factor authentication but did not provision your token within the specified timeframe.
  3. Your account was disabled by Fortinet Customer Service.
  4. A standard user account has been linked to a Fortinet Partner.
  5. Your accounts have been merged by Customer Service or your Account ID has been changed on the Support Portal.

Web Portal Authentication in FortiMail with G Suites


In this recipe we’ll explore how FortiMail can be configured to authenticate G Suite users accessing their personal spam digest portal to review and release quarantined messages and/or review their personal profile settings.

NOTE: This document is based on FortiMail 5.4 release.

Enabling POP and IMAP

First we will need to enable POP and IMAP access in the Google Admin console.

  1. Sign in to your Google Admin console
  2. Go to Apps > G Suite > Gmail > Advanced settings.
  3. Select the organization unit you want to configure in the Organization section.
  4. Select or clear the check boxes for Disable POP and IMAP access for all users in the domain. This setting is enabled by default.
 

Creating an SMTP Authentication Profile

Now you will need to create a new SMTP Authentication Profile on FortiMail (build 5.4.x).

  1. Go to Profile > Authentication > SMTP.
  2. Select New.
  3. Enter “Gsuites-SMTP_Auth” in the Profile name section.
  4. Enter “smtp.gmail.com” in the Server name/IP section.
  5. Enter 587 in the Server port section.
  6. Disable Use generic LDAP mail host if available.
  7. Enable SSL/TLS and Server requires domain.
  8. Select Create.
 

Establishing Authentication

Now we will need to edit an existing recipient policy.

  1. Go to Policy > Recipient Policy > Inbound.
  2. Select your existing policy and select Edit.
  3. Expand the Authentication and Access section.
  4. Select SMTP from the Authentication type dropdown menu.
  5. Select “Gsuites-SMTP_Auth” from the Authentication profile dropdown menu.
  6. Select OK.

Deploying FortiAnalyzer-VM virtual appliance in Microsoft Azure


FortiAnalyzer for Microsoft Azure is deployed as a virtual appliance in Microsoft Azure cloud (IaaS). This recipe shows you how to install and configure a FortiAnalyzer-VM virtual appliance in Microsoft Azure.

1. Registering and downloading your license

If you’re deploying a FortiAnalyzer-VM in the Microsoft Azure marketplace, you must obtain a license to activate it. FortiAnalyzer-VM for Microsoft Azure supports a bring-your-own-license (BYOL) licensing model.

Licenses can be obtained through any Fortinet partner. If you don’t have a partner, contact azure@fortinet.com for assistance in purchasing a license.

After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code. 

Go to https://support.fortinet.com/ and either create a new account or log in with an existing account. 

Go to Asset > Register/Renew to start the registration process.

In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Enter your details in the other fields.

At the end of the registration process, download the license (.lic) file for your FortiAnalyzer-VM.

After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. When you upload the license (.lic) file to activate the FortiAnalyzer-VM (in step 3), if you get an error that the license is invalid, wait 30 minutes and try again.

2. Creating a FortiAnalyzer-VM

Log in to the Microsoft Azure Portal and select + New.

Search for Fortinet FortiAnalyzer Centralized Log Analytics and select it from the search results.

Under Select a deployment model, ensure that Resource Manager is selected. Select Create.

In the Basics section, set a FortiAnalyzer-VM name in the FortiAnalyzer virtual appliance name field.

Set a FortiAnalyzer administrative username. This name can’t be admin or root.

Choose a FortiAnalyzer password for the new account and confirm the password. For security reasons, it’s not possible to reset this password through the Microsoft Azure portal, so make sure that you remember the password.

Select the appropriate Subscription from the drop-down list. You may have only one option here.

Create a new Resource group. Currently, it’s not possible to select an existing resource group for a Microsoft Azure Marketplace template set.

Set a Location for the VM.

Select OK.

In the Network and Storage Settings section, select Virtual network. You can either create a new virtual network (VNet) or select an existing one.

In the Address space field, accept the default values or specify your own.

Select OK.

In the Subnet section, the Subnet name and Subnet address prefix are pre-defined and you shouldn’t need to change the default values. 

Select OK.

In the Virtual machine size section, select the appropriate VM size for your deployment. 

In the Microsoft Azure Marketplace, the FortiAnalyzer virtual machines come in a variety of sizes, from A0 Standard to D4 Standard. Each virtual machine size within each series has different limits for the amount of memory, number of network interface cards (NIC), maximum number of data disks, size of cache, and maximum input/output operations per second (IOPS) and bandwidth.

Select OK.

In the Storage account section, choose an existing storage account or create a new one. All resources should be in the same location. 

Set a Name for the storage account.

Under Performance, choose a storage account type.

Select the Replication option you want to use. The options are Locally redundant storage (LRS) or Geo-redundant storage (GRS). LRS is where all data in the Microsoft Azure storage account replicates synchronously to three different storage nodes within the primary region that was chosen when you created the Microsoft Azure storage account. GRS is where every entity is replicated into two data centers.

The data in the Microsoft Azure storage account is always replicated in order to ensure durability and high availability. Some settings can’t be changed after the storage account is created.

To accept the Network and Storage Settings values, select OK.

In the FortiAnalyzer IP address assignments section, select First public IP address resource name. In the Name field, set a name for the public IP address of the FortiAnalyzer. In the Assignment field, select Dynamic or Static. Select OK.

In the Public IP address type field, select Static or Dynamic. Select OK.

Wait for validation to pass, then select OK.

Select Purchase to buy the FortiAnalyzer-VM instance from Microsoft Azure. 

Once the FortiAnalyzer-VM is deployed, you will see a “Deployment succeeded” message.

3. Connecting to the FortiAnalyzer-VM

To connect to the FortiAnalyzer-VM, you must find its public IP address. There are a number of ways to do this. One way is to select Virtual machines on the left bar and select the FortiAnalyzer-VM you created. Under Essentials, you will see the public IP address of the FortiAnalyzer-VM in the Public IP address field. 

Connect to the FortiAnalyzer using your browser and the FortiAnalyzer-VM IP address. Log in to the FortiAnalyzer-VM with the administrative username and password that you configured above.

Upload your license (.lic) file to activate the FortiAnalyzer-VM. Restart the FortiAnalyzer-VM and log in again.

After you log in, you will see that the license has been uploaded. You need to wait for authentication with the registration servers. This can take up to 15 minutes.

Select Return.

You will now see the FortiAnalyzer-VM dashboard.

This must be a complex password containing three of the following types of characters: numbers, capital letters, lowercase letters, and special characters.
Storage types are created from a Microsoft Azure storage account. The Microsoft Azure storage account, in turn, determines certain characteristics for the storage, such as whether the storage is locally redundant or geo-redundant, and whether the storage is based on standard HDDs or SSDs.

The post Deploying FortiAnalyzer-VM virtual appliance in Microsoft Azure appeared first on Fortinet Cookbook.

Configuring Alexa for FortiVoice


What if you want to have a conversation with someone, but you don’t remember their phone number? What if you want to leave the office but you don’t want to miss an important phone call? FortiVoice now supports Alexa, which allows you to operate your FortiVoice unit through voice commands.

In this recipe, we’ll guide you through the process by configuring FortiVoice, setting up an Amazon account to enable the FortiVoice skill and then we’ll provide a quick overview of what you can do with Alexa in FortiVoice.


 Configuring FortiVoice

First we’ll need to configure FortiVoice to connect to Alexa.

  1. Go to Phone System > Advanced Settings > Miscellaneous.
  2. Enable Amazon Alexa under the Internet of Things section and select Apply.
  3. Go to Call Features > Internet of Things.
  4. Select New.
  5. Enter the user’s email address and create a password.
  6. Select the applicable extension for the user.
  7. Select the Amazon Alexa service for the extension. If you wish to use the phone to initiate requests to Alexa, enable FortiVoice Extension.
  8. Select Create and then Yes.


 Configuring Amazon Alexa

With FortiVoice configured, we can now focus on setting up Amazon Alexa. First, we’ll need to access the user portal to authorize the Alexa extension.

  1. Go to Internet of Things.
  2. Select the Authorize my extension link.
  3. Accept the terms and conditions.
  4. Enter your Amazon username and password or create a new one.
  5. Enter the user portal email and authorization code.
  6. Add the FortiVoice skill through Amazon.

 Using Amazon Alexa

With Amazon Alexa now configured, you can now use the device in conjunction with FortiVoice.

To use Alexa, simply dial *91 before issuing a command. 

Here are a few examples of commands you can issue Alexa:

  • You could ask Alexa to set FortiVoice to do not disturb by simply saying “Ask FortiVoice to turn on do not disturb”. 
  • You could ask Alexa to call a person in your office by saying “Ask FortiVoice to call John”. If there are multiple Johns, Alexa will ask you to clarify by providing the person’s last name.
  • You could enable call forwarding by saying “Ask FortiVoice to turn on call forwarding <number>”.

The post Configuring Alexa for FortiVoice appeared first on Fortinet Cookbook.

New Security Fabric Docs Experience


This week, join us in exploring the new 5.6 Security Fabric documentation experience:

The Fortinet Security Fabric is an end-to-end security solution that gives you control, integration, and easy management of security across your entire organization. The Security Fabric provides an intelligent architecture that interconnects discrete security solutions into an integrated whole to detect, monitor, block, and remediate attacks across the entire enterprise attack surface.

The Security Fabric Handbook 5.6.2

The Security Fabric Handbook is a complete reference guide for the Fortinet Security Fabric.

It includes an overview of what the Security Fabric is, what devices are included in the Security Fabric and how they work together to secure your network, and how to configure and manage the Security Fabric.


Featured Security Fabric Videos

Security Fabric with IPsec VPN

Fortinet Security Fabric 5.6 Series

Part 1: Introduction

Part 2: Monitoring & Remediation

Part 3: Security Fabric Audit

Click here for more Security Fabric Videos!

Hot Security Fabric Recipes

In addition to the hot recipes listed below, there is a new Security Fabric troubleshooting article containing tips to help you with some common challenges.

Security Fabric installation and audit
Security Fabric over IPsec VPN
FortiSandbox in the Security Fabric
FortiManager in the Security Fabric

Click here for more Security Fabric recipes!

Security Fabric Docs Portal

Security Fabric Docs Portal is now available! This is the home for all Security Fabric resources.


Let us know what you think about the documentation experience at techdoc@fortinet.com.


The post New Security Fabric Docs Experience appeared first on Fortinet Cookbook.

Deploying FortiAnalyzer VM in AWS (On-Demand)


In this recipe, you will deploy FortiAnalyzer VM in Amazon Web Services (AWS) in one of two ways: 1-Click Launch or Manual Launch.

Note: 1-Click Launch creates the minimum size of EBS storage for quick setup and viewing. For production purposes, you will need more storage later. To have more storage initially, use Manual Launch. You can also manually add storage after the launch as described in step 2.

FortiAnalyzer VMs can be deployed on the AWS Elastic Compute Cloud (EC2). Prior to deploying the VM, an Amazon EC2 account is required. You can deploy the FortiAnalyzer VM using the AWS Marketplace launch or directly from the EC2 console.

1a. Deploying FortiAnalyzer VM using 1-Click Launch

Go to the AWS Marketplace’s page for FortiAnalyzer VM. Select Continue.

Select the desired region and instance type. Ensure the instance type fits the size of your deployment and potential future growth. Note: t2.small is intended for free preview and its device support is limited to FortiGate-90 or smaller and FortiGate-VM 1vCPU models (VM00 and VM01).

Under Security Group, ensure Create new based on seller settings is selected from the dropdown list. The only open port required for the VM’s initial configuration is port 443, which allows for an HTTPS connection to the GUI. The remaining ports can also be opened to allow for all potential FortiAnalyzer communication.

Provide the Key Pair, then click Accept Terms & Launch with 1-Click to deploy the instance. The next page displays a thank you message, and you also receive an email from AWS Marketplace about the subscription. Close the page and go to the EC2 console.

The public DNS address is used to connect to and configure the FortiAnalyzer VM via the GUI.

To connect to the FortiAnalyzer VM management GUI, open a web browser and use the public DNS IPv4 address as the URL: https://<public DNS IPv4 address>. Log in with the default username admin and the instance ID as the password to configure your FortiAnalyzer VM. 

1b. Deploying FortiAnalyzer VM using Manual Launch

Go to the AWS Marketplace’s page for FortiAnalyzer VM. Select Continue, then select Manual Launch.

Click the Launch with EC2 Console button beside your desired region.

Select an instance type. Ensure the instance type fits the size of your deployment and potential future growth. Note: t2.small is intended for free preview and its device support is limited to FortiGate-90 or smaller and FortiGate-VM 1vCPU models (VM00 and VM01). Click Next: Configure Instance Details.

Configure the various attributes:

  • Network (ensure to select a VPC connected to Internet Gateway; by default, VPCs are connected to Internet Gateway)
  • Subnet
  • Enable Auto-assign Public IP
  • Others as needed depending on your IT infrastructure requirements

Continue to adding storage. You can configure the volume type as EBS and the device as /dev/sdb and the size based on your requirements. Also consider the FortiAnalyzer license type as corresponding to the following storage amounts:

  • t2.small: 500 GB
  • c4.large: 4 TB
  • m4.large: 8 TB
  • m4.xlarge: 12 TB
  • c4.2xlarge: 24 TB
  • m4.2xlarge: 36 TB
  • m4.4xlarge: 48 TB
  • d2.4xlarge: 48 TB

The FortiAnalyzer system reserves a certain portion of disk space for system use and unexpected quota overflow. The remaining space is available for allocation to devices. Reports are stored in the reserved space. The following describes the reserved disk quota relative to the total available disk size (other than the root device):

  • Small disk (less than or equal to 500 GB): system reserves 20% or 50 GB of disk space, whichever is smaller.
  • Medium disk (less than or equal to 1 TB): system reserves 15% or 100 GB of disk space, whichever is smaller.
  • Medium to large disk (less than or equal to 5 TB): system reserves 10% or 200 GB of disk space, whichever is smaller.
  • Large disk (more than 5 TB): system reserves 5% or 300 GB of disk space, whichever is smaller.

To add additional storage at this point, follow the instructions in step 2.

Click Next: Tag Instance. A tag consists of a key-value pair. It is useful to create tags to quickly identify instances in the EC2 console.

Click Next: Configure Security Group. The default provided security group is based on recommended settings for the FortiAnalyzer VM.

Click Review and Launch. If there is no change needed, click Launch.

You are prompted to choose a key pair. Click the checkbox, then click Launch Instances.

The public DNS address is used to connect to and configure the FortiAnalyzer VM via the GUI.

To connect to the FortiAnalyzer VM management GUI, open a web browser and use the public DNS IPv4 address as the URL: https://<public DNS IPv4 address>. Log in with the default username admin and the instance ID as the password to configure your FortiAnalyzer VM.

2. Adding additional storage (optional)

It is possible to add additional storage to FortiAnalyzer after launch. Create an EBS storage and attach it to the FortiAnalyzer instance on EC2 console, then access FortiAnalyzer via SSH to run the command exec lvm extend to add the storage.

For details, refer to http://kb.fortinet.com/kb/viewContent.do?externalId=FD34953.

Log into the FortiAnalyzer GUI and add the volume.

3. Uploading the license file via the GUI

Go to System Settings.

The License Information widget on the Dashboard displays as AWS-On-Demand.

Unlike perpetual BYOL licensing, there is no interface to upload a license file for on-demand use. For on-demand deployments, contact Fortinet Customer Support as indicated on the AWS Marketplace product listing page and notify them of your deployment. When contacting Fortinet Support, be ready to provide your FortiAnalyzer VM instance’s serial number and your Fortinet account’s email ID.

4. Configuring your FortiAnalyzer VM

Click the top-right menu icon to access FortiAnalyzer Online Help and the Basic Setup Video. Refer to these and the FortiAnalyzer Administration Guide for more detailed configuration: http://docs.fortinet.com/d/fortianalyzer-5.6.0-administration-guide.


The post Deploying FortiAnalyzer VM in AWS (On-Demand) appeared first on Fortinet Cookbook.

Deploying FortiAnalyzer VM in AWS (BYOL)


Bring Your Own License (BYOL) is annual perpetual licensing as opposed to On-Demand, which is an hourly subscription. The BYOL license is available from resellers or your distributors.

In this recipe, you will deploy FortiAnalyzer VM in Amazon Web Services (AWS) in one of two ways: 1-Click Launch or Manual Launch.

Note: 1-Click Launch creates the minimum size of EBS storage for quick setup and viewing. For production purposes, you will need more storage later. To have more storage initially, use Manual Launch. You can also manually add storage after the launch as described further below.

FortiAnalyzer VMs can be deployed on the AWS Elastic Compute Cloud (EC2). Prior to deploying the VM, an Amazon EC2 account is required. You can deploy the FortiAnalyzer VM using the AWS Marketplace launch or directly from the EC2 console.

1a. Deploying FortiAnalyzer VM using 1-Click Launch

Go to the AWS Marketplace’s page for FortiAnalyzer VM. Select Continue.

Select the desired region and instance type. Ensure the instance type fits the size of your deployment and potential future growth.

Select a VPC and subnet as required. Under Security Group, ensure Create new based on seller settings is selected from the dropdown list. The only open port required for the VM’s initial configuration is port 443, which allows for an HTTPS connection to the GUI. The remaining ports can also be opened to allow for all potential FortiAnalyzer communication.

Provide the Key Pair, then click Accept Terms & Launch with 1-Click to deploy the instance. The next page displays a thank you message, and you also receive an email from AWS Marketplace about the subscription. Close the page and go to the EC2 console.

The public DNS address is used to connect to and configure the FortiAnalyzer VM via the GUI.

To connect to the FortiAnalyzer VM management GUI, open a web browser and use the public DNS IPv4 address as the URL: https://<public DNS IPv4 address>. Log in with the default username admin and the instance ID as the password to configure your FortiAnalyzer VM. 

1b. Deploying FortiAnalyzer VM using Manual Launch

Go to the AWS Marketplace’s page for FortiAnalyzer VM. Select Continue, then select Manual Launch.

Click the Launch with EC2 Console button beside your desired region.

Select an instance type. Ensure the instance type fits the size of your deployment and potential future growth. Click Next: Configure Instance Details.

Configure the various attributes:

  • Network (ensure to select a VPC connected to Internet Gateway; by default, VPCs are connected to Internet Gateway)
  • Subnet
  • Enable Auto-assign Public IP
  • Others as needed depending on your IT infrastructure requirements

Continue to adding storage. You can configure the volume type as EBS and the device as /dev/sdb and the size based on your requirements.

The FortiAnalyzer system reserves a certain portion of disk space for system use and unexpected quota overflow. The remaining space is available for allocation to devices. Reports are stored in the reserved space. The following describes the reserved disk quota relative to the total available disk size (other than the root device):

  • Small disk (less than or equal to 500 GB): system reserves 20% or 50 GB of disk space, whichever is smaller.
  • Medium disk (less than or equal to 1 TB): system reserves 15% or 100 GB of disk space, whichever is smaller.
  • Medium to large disk (less than or equal to 5 TB): system reserves 10% or 200 GB of disk space, whichever is smaller.
  • Large disk (more than 5 TB): system reserves 5% or 300 GB of disk space, whichever is smaller.
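To see how the reserved-quota tiers above (listed in both the On-Demand and BYOL recipes on this page) affect a planned data volume, here is an added calculator, not Fortinet code, that applies the four tiers and, for the instance sizes listed in the On-Demand recipe's Manual Launch step, works out the space left for device allocation. It assumes 1 TB = 1000 GB; the recipes do not say which unit convention FortiAnalyzer uses.

```python
"""Added example: reserved-space calculator for a FortiAnalyzer data disk.
This is not Fortinet code; the tier thresholds, percentages and caps are
copied from the recipe text. Assumption: 1 TB = 1000 GB (the recipe does
not state whether decimal or binary units apply)."""

TB_IN_GB = 1000  # assumption: decimal units

# (upper bound of the tier in GB, or None for the open-ended top tier,
#  percent reserved, cap on the reserved amount in GB)
RESERVE_TIERS = [
    (500, 20, 50),            # small: <= 500 GB, 20% or 50 GB
    (1 * TB_IN_GB, 15, 100),  # medium: <= 1 TB, 15% or 100 GB
    (5 * TB_IN_GB, 10, 200),  # medium to large: <= 5 TB, 10% or 200 GB
    (None, 5, 300),           # large: > 5 TB, 5% or 300 GB
]

# Storage per instance type as listed in the On-Demand recipe (step 1b).
LICENSE_STORAGE_GB = {
    "t2.small": 500,
    "c4.large": 4 * TB_IN_GB,
    "m4.large": 8 * TB_IN_GB,
    "m4.xlarge": 12 * TB_IN_GB,
    "c4.2xlarge": 24 * TB_IN_GB,
    "m4.2xlarge": 36 * TB_IN_GB,
    "m4.4xlarge": 48 * TB_IN_GB,
    "d2.4xlarge": 48 * TB_IN_GB,
}


def reserved_gb(disk_gb):
    """Space FortiAnalyzer keeps for system use and quota overflow.

    Each tier reserves a percentage of the disk or a fixed cap, whichever
    is smaller; the first tier whose upper bound covers the disk applies.
    Integer arithmetic keeps the result exact for whole-GB sizes.
    """
    if disk_gb <= 0:
        raise ValueError("disk size must be positive")
    for upper_gb, percent, cap_gb in RESERVE_TIERS:
        if upper_gb is None or disk_gb <= upper_gb:
            return min(disk_gb * percent // 100, cap_gb)
    raise AssertionError("unreachable: the last tier is open-ended")


def allocatable_gb(disk_gb):
    """Space left for allocation to logging devices."""
    return disk_gb - reserved_gb(disk_gb)


def plan_for_instance(instance_type):
    """Return (disk, reserved, allocatable) in GB for a listed instance type."""
    disk_gb = LICENSE_STORAGE_GB[instance_type]
    return disk_gb, reserved_gb(disk_gb), allocatable_gb(disk_gb)


if __name__ == "__main__":
    # Sizes chosen to hit each tier and its boundaries.
    for size in (200, 500, 700, 1000, 4000, 6000):
        print(f"{size:>6} GB disk -> reserved {reserved_gb(size):>4} GB, "
              f"allocatable {allocatable_gb(size):>6} GB")
    for name in LICENSE_STORAGE_GB:
        print(name, plan_for_instance(name))
```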

To add additional storage at this point, follow the instructions in step 3.

Click Next: Tag Instance. A tag consists of a key-value pair. It is useful to create tags to quickly identify instances in the EC2 console.

Click Next: Configure Security Group. The default provided security group is based on recommended settings for the FortiAnalyzer VM.

Click Review and Launch. If there is no change needed, click Launch.

You are prompted to choose a key pair. Click the checkbox, then click Launch Instances.

The public DNS IPv4 address is used to connect to and configure the FortiAnalyzer VM via the GUI. You can find the public DNS IPv4 address by locating the FortiAnalyzer VM instance in the EC2 console.

To connect to the FortiAnalyzer VM management GUI, open a web browser and use the public DNS IPv4 address as the URL: https://<public DNS IPv4 address>. Log in with the default username admin and the instance ID as the password to configure your FortiAnalyzer VM.

2. Adding additional storage (optional)

It is possible to add additional storage to FortiAnalyzer after launch. Create an EBS storage and attach it to the FortiAnalyzer instance on EC2 console, then access FortiAnalyzer via SSH to run the command exec lvm extend to add the storage.

For details, refer to http://kb.fortinet.com/kb/viewContent.do?externalId=FD34953.

Log into the FortiAnalyzer GUI and add the volume.

3. Installing a valid license

By default, the license expires 14 days after deployment. Go to System Settings.

In the License Information widget on the Dashboard, click the Upload License button.

In the Upload Device License window, click Browse, locate the license file (.lic) on your computer, then click OK to upload the license file. A reboot message is shown, then the FortiAnalyzer VM system reboots and loads the license file. The license file is available once you register on the Fortinet Support Portal.

Refresh the browser and log back into the FortiAnalyzer VM with the username admin. The registration status appears differently than before, reflecting the license in the License Information widget once the license has been validated.

As part of the license validation process, the FortiAnalyzer VM compares its IP address with the IP information in the license file. If a new license file has been imported or the FortiAnalyzer’s IP address has been changed, the FortiAnalyzer VM must be rebooted for the system to validate the change and operate with a valid license.

If the IP address in the license file and the IP configured in the FortiAnalyzer VM do not match, you receive an error message when you log back into the VM.

If this occurs, you must change the IP address in the Fortinet Customer Service & Support portal to match the management IP and re-download the license file.

After an invalid license file has been loaded onto the FortiAnalyzer VM, the GUI is locked until a valid license file is uploaded. You can upload a new license file via the CLI.

4. Configuring your FortiAnalyzer VM

Click the top-right menu icon to access FortiAnalyzer Online Help and the Basic Setup Video. Refer to these and the FortiAnalyzer Administration Guide for more detailed configuration: http://docs.fortinet.com/d/fortianalyzer-5.6.0-administration-guide.


The post Deploying FortiAnalyzer VM in AWS (BYOL) appeared first on Fortinet Cookbook.

FortiAuthenticator user self-registration


For this recipe, you will configure the FortiAuthenticator self-service portal to allow users to add their own account and create their own passwords.

Note that enabling and using administrator approval requires the use of an email server, or SMTP server. Since administrators will approve requests by email, this recipe describes how to add an email server to your FortiAuthenticator.  You will create and use a new server instead of the unit’s default server.

1. Creating a self-registration user group

Go to Authentication > User Management > User Groups and create a new user group for self-registering users.

Enter a Name and select OK. Users will be added to this group once they register through the self-registration portal.

2. Configuring the self-service portal

Go to Authentication > Self-service Portal > General.

Enter a Site name, add an Email signature that you would like appended to the end of outgoing emails, and select OK.

3. Enabling self-registration  

Go to Authentication > Self-service Portal > Self-registration and select Enable.

Enable Require administrator approval and Enable email to freeform addresses, and enter the administrator’s email address in the field provided.

Enable Place registered users into a group, select the user group created earlier, and configure basic account information to be sent to the user by Email.

Open the Required Field Configuration dropdown and enable First name, Last name, and Email address.

4. Creating a new SMTP server

Go to System > Messaging > SMTP Servers and create a new email server for your users.

Enter a Name, the IP address of the FortiAuthenticator, and leave the default port value (25).

Enter the administrator’s email address, Account username, and Password.

Note that, for the purpose of this recipe, Secure connection will not be set to STARTTLS, as a signed CA certificate would be required.

Once created, highlight the new server and select Set as Default.

The new SMTP server will now be used for future user registration.

5. Results — Self-registration

When the user visits the login page, https://<FortiAuthenticator-IP>/auth/register/, they can click the Register button, where they will be prompted to enter their information.

They will need to enter and confirm a Username, Password, First name, Last name, and Email address. These are the only required fields, as configured in the FortiAuthenticator earlier.

Select Submit.

The user’s registration is successful, and their information has been sent to the administrator for approval.

When the administrator has enabled the user’s account, the user will receive an activation welcome email.

The user’s login information will be listed.

Select the link and log in to the user’s portal.

The user is now logged into their account where they can review their information.

As recommended in the user’s welcome email, the user may change their password. However, this is optional.

6. Results — Administrator approval

After receiving the user’s registration request, in the FortiAuthenticator as the administrator, go to Authentication > User Management > Local Users. The user has been added, but their Status is listed as Unknown.

In the administrator’s email account, open the user’s Approval Required email. The user’s full name will appear in the email’s subject, along with their username in the email’s body.

Select the link to approve or deny the user.

The link will take you to the New User Approval page, where you can review the user’s information and either approve or deny the user’s full registration.

Select Approve.


The user has now been approved and activated by the administrator.

This can be confirmed by going back to Authentication > User Management > Local Users. The user’s Status has changed to Enabled.

7. Verifying the results  

On the FortiAuthenticator, go to Logging > Log Access > Log to view the successful login of the user and more information.
Although the FortiAuthenticator can be configured to send emails from the built-in mail server (localhost), this is not recommended. Anti-spam methods such as IP lookup, DKIM, and SPF can cause mail from such ad-hoc mail servers to be blocked. It is highly recommended that email is relayed via an official mail server for your domain.
For increased security, it is recommended to configure this setting.
Alternatively, you can go to System > Messaging > Email Services, set both Administrators and Users to use the new SMTP server, and select Save.
Note that the email may have been marked as Spam.

The post FortiAuthenticator user self-registration appeared first on Fortinet Cookbook.

Episode 19: Fortinet Innovators – FortiCarrier


Send us your questions!

We’re looking to do a Q&A episode of FortiCast and we need your help. If you have a question that needs an answer, email us at forticast@fortinet.com. If your question is used, we’ll send you some Fortinet swag!


Get an inside look into the FortiCarrier in the second part of our Fortinet Innovators series.

FortiCarrier resources

Subscribe to FortiCast



The post Episode 19: Fortinet Innovators – FortiCarrier appeared first on Fortinet Cookbook.

Blocking Facebook


This recipe explains how to block access to Facebook on your network with a Web Filter security profile and an Application Control security profile. This recipe works on FortiGates operating in flow-based profile inspection mode or proxy-based inspection mode.

You will need a WiFi network configured on your FortiGate. See Setting up WiFi with a FortiAP or Setting up a WiFi Bridge with a FortiAP.


1. Enable Web Filtering and Application Control

Go to System > Feature Visibility to enable the Web Filter and Application Control features.

2. Edit the default Web Filter profile

Go to Security Profiles > Web Filter and edit the default profile.

To block Facebook, go to Static URL filter, enable URL Filter, and then click + Create.

Set URL to *facebook.com. Set Type to Wildcard, set Action to Block, and set Status to Enable.
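To reason about what this Wildcard entry will and will not catch (the apex host, subdomains such as attachments.facebook.com, and the over-match on any host that merely ends in facebook.com), here is an added model of the Static URL filter, not FortiOS code. It assumes a Wildcard entry is a glob where * matches any run of characters, tested against the host part of the URL, with the first enabled match deciding; the real FortiOS matcher may differ in detail. The notfacebook.com host and the narrower filter are constructed for the comparison.

```python
"""Added example: a small model of the Static URL Filter entry this step
creates. It is not FortiOS code. Assumptions: a Wildcard entry is a glob in
which '*' matches any run of characters, it is tested against the host part
of the requested URL, entries are checked in order, and the first enabled
match decides; the real FortiOS matcher may differ in detail."""

import re
from urllib.parse import urlsplit


def wildcard_to_regex(pattern):
    """Turn a FortiOS-style wildcard such as '*facebook.com' into an
    anchored, case-insensitive regular expression."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def url_host(url):
    """Host portion of a URL. A bare host like 'facebook.com' is accepted
    because the browser adds the scheme (the recipe notes HTTPS is applied)."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


class UrlFilterEntry:
    """One row of the Static URL filter table: URL, Type, Action, Status."""

    def __init__(self, url, type_, action, status="enable"):
        if type_ not in ("wildcard", "regex"):
            raise ValueError("this model supports wildcard and regex entries")
        self.url, self.type_, self.action, self.status = url, type_, action, status
        if type_ == "wildcard":
            self._re = wildcard_to_regex(url)
        else:  # regex entries are applied as written (model assumption)
            self._re = re.compile(url, re.IGNORECASE)

    def matches(self, url):
        if self.status != "enable":
            return False
        return self._re.search(url_host(url)) is not None


def evaluate(entries, url, default="allow"):
    """Action of the first enabled entry matching the URL, else the default."""
    for entry in entries:
        if entry.matches(url):
            return entry.action
    return default


# The entry created in this step: URL *facebook.com, Type Wildcard, Action Block.
FACEBOOK_FILTER = [UrlFilterEntry("*facebook.com", "wildcard", "block")]

# A narrower constructed alternative (not from the recipe): the apex host
# plus any subdomain, which leaves unrelated hosts that merely end in
# 'facebook.com' alone.
NARROW_FILTER = [
    UrlFilterEntry("facebook.com", "wildcard", "block"),
    UrlFilterEntry("*.facebook.com", "wildcard", "block"),
]

SAMPLE_URLS = [  # constructed test inputs
    "facebook.com",
    "https://attachments.facebook.com/",
    "https://www.example.com/",
    "https://notfacebook.com/",  # hypothetical host showing the over-match
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:40} recipe={evaluate(FACEBOOK_FILTER, url):5} "
              f"narrow={evaluate(NARROW_FILTER, url)}")
```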

3. Edit the default Application Control profile

Go to Security Profiles > Application Control and edit the default profile.

To block Facebook, go to Application Overrides and click on + Add Signatures.

Click Add Filter. Select Name and enter Facebook to reveal a list of all the signatures for Facebook applications. Select all the signatures and click Use Selected Signatures.

Confirm that the Action is set to Block for each of the Facebook application signatures and select Apply.

4. Create the security policy

Go to Policy & Objects > IPv4 Policy, and click + Create New. Give the policy an identifying name. In this example, blocking-facebook.

Set Incoming Interface to the internal network and set Outgoing Interface to the Internet-facing interface.

Enable NAT.

Under Security Profiles, enable Web Filter and Application Control. Select the default web filter and application control profiles.

Once you select those profiles, SSL/SSH Inspection is enabled by default. If you are using proxy-based inspection mode, then Proxy Options will also be enabled by default.

To inspect all traffic, SSL/SSH inspection must be set to deep-inspection profile.


The new policy must be first on the list in order to be applied to Internet traffic. Confirm this by viewing policies By Sequence.

To move a policy up or down, click and drag the far-left column of the policy.

If your FortiAP is configured in tunnel mode, you will need to edit the wireless policy and apply the web filter and application control security profiles to that policy.

5. Results

Visit facebook.com.

HTTPS is automatically applied to facebook.com, even if it is not entered in the address bar. A Web Page Blocked! message appears. 

A FortiGuard warning message will appear, stating that the application was blocked.


Visit a subdomain of Facebook, for example, attachments.facebook.com.

A Web Page Blocked! message appears, blocking the subdomain.  


Using a mobile device, or any device that has the Facebook app installed, ensure that you are connected to the Internet. Open the Facebook app and log in. You should not be able to connect.


Go to Log & Report > Web Filter. You will see that facebook.com and attachments.facebook.com are blocked by the FortiGate.

Go to Log & Report > Application Control. You will see that the Facebook application is blocked by the FortiGate.

For further reading, check out Static URL Filter and Application Control in the FortiOS 5.6 Handbook.

Using the deep-inspection profile may cause certificate errors. See Preventing certificate warnings for more information.
Application Control uses flow-based inspection; if you apply an additional security profile to your traffic that is proxy-based, the connection will simply timeout rather than display the warning message. However, Application Control will still function.

The post Blocking Facebook appeared first on Fortinet Cookbook.

Filtering WiFi clients by MAC address


In this recipe, you will configure a managed FortiAP to filter client devices based on MAC address. Only authorized devices will have access to the wireless network.

In the example, only a single device is authorized, but you can add devices as required.

PREP 15 mins      COOK 1 min      TOTAL 16 mins

1. Acquiring the MAC address

Acquire the MAC address of a particular device as follows:

  • Windows device:
    Open the command prompt and type ipconfig /all.
    The MAC address of your Windows device is the Physical Address, under information about the wireless adapter.
  • Mac OS X device:
    Open Terminal and type ifconfig en1 | grep ether.
    Take note of the displayed MAC address.
  • iOS device:
    Open Settings > General > About.
    The Wi-Fi Address is the MAC address of your iOS device.
  • Android device:
    Open Settings > About Device > Status.
    Take note of the Wi-Fi MAC address of your Android device.

2. Creating the FortiAP interface

Go to Network > Interfaces and create an internal FortiAP interface.

Set Addressing Mode to Manual and set an IP/Network Mask.

Under Administrative Access, enable CAPWAP.

Enable DHCP Server and set the Starting IP and End IP.

Enable Device Detection and click OK.

3. Defining a device using its MAC address

Go to User & Device > Custom Devices & Groups and create a new device definition.

Set MAC Address to the device’s address obtained in Step 1 and set the other fields as required.

4. Creating the new SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to Tunnel.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Enable Device Detection.


Under WiFi Settings, name the SSID (in the example, MySecureWiFi).

Set the Security Mode as required and enter a secure Pre-shared Key.

Enable Broadcast SSID.

Under Filter clients by MAC Address, enable Local and select Add from device list.

Add the device you configured in Step 3 and set its Action to Accept. Set the Action for Unknown MAC Addresses to Deny.

If you haven’t already, connect the FortiAP unit to the interface created in Step 2.

5. Managing the FortiAP

Go to WiFi & Switch Controller > Managed FortiAPs.

If the FortiAP is not listed you may need to wait a few minutes. If the device still does not appear, select Create New > Managed AP.

Once you enter the Serial Number, the default FortiAP Profile for that model is selected. Click OK.

6. Authorizing the managed FortiAP

Right-click on the FortiAP, and select Authorize.
The device interface will be down initially, but after a few minutes, click Refresh and the icon in the State column will confirm that the device is authorized.

7. Editing the default FortiAP Profile

Go to WiFi & Switch Controller > FortiAP Profiles and Edit the default profile for your particular FortiAP model.

For all radios you wish to use, set the SSID to Manual and select the SSID created in Step 4.

8. Allowing wireless access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface.

Enable NAT.

9. Results

Using the authorized device, connect to the broadcast SSID (in the example, MySecureWifi).

Go to Log & Report > WiFi Events and verify the authorized connection.

Attempt to connect using an unauthorized device and verify that the connection was rejected.
Go to Monitor > WiFi Client Monitor to view the status of the connected WiFi clients.

The FortiAP will be configured in Tunnel mode.
All times listed are approximations.
Note that some device types might be missing from this list. Furthermore, the instructions noted are relevant to the most recent operating systems at the time that this recipe was published. Older or newer operating systems may differ.
Optional: Enable PING for troubleshooting.
By default, the FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them, as indicated by the icon in the State column.

The post Filtering WiFi clients by MAC address appeared first on Fortinet Cookbook.

FortiAuthenticator as Guest Portal for FortiWLC


In this recipe, FortiAuthenticator is used as the guest portal for users connecting to a wireless network provided by FortiWLC.

1. Creating the FortiAuthenticator as RADIUS server on the FortiWLC

On the FortiWLC, go to Configuration > Security > RADIUS, click ADD, and create two profiles: one to be used for Authentication and one to be used for Accounting.

RADIUS Profile name: Enter a name for the profile. TIP: Use a name that will indicate if the profile is used for Authentication or Accounting.
RADIUS IP: IP address of the FortiAuthenticator.
RADIUS Secret: Shared Secret between WLC and FortiAuthenticator.
RADIUS Port: use 1812 for Authentication profile and 1813 when creating an Accounting Profile.

 

2. Creating the Captive Portal Profile on the FortiWLC

On the FortiWLC, go to Configuration > Security > Captive Portal, select the Captive Portal Profiles tab, and ADD a new profile.

CP Name: Enter a name for the profile.
Authentication Type: RADIUS.
Primary Authentication: Your Authentication profile.
Primary Accounting: Your Accounting profile.
External Server: FortinetConnect.
External Portal URL: https://<fortiauthenticator-ip>/guests
Public IP of Controller: IP address of the FortiWLC.

 

3. Creating the Security Profile on the FortiWLC

On the FortiWLC, go to Configuration > Security > Profile, and ADD a new profile.

Profile Name: Enter a name for the profile.
Security mode: Open.
Captive Portal: Webauth.
Captive Portal Profile: Select the profile created earlier.
Captive Portal Authentication Method: external.
Passthrough Firewall Filter ID: Your choice of string; it is referenced by the QoS rules in Step 4 to allow access to the portal before authentication.

 

4. Creating the QoS rule on the FortiWLC

On the FortiWLC, go to Configuration > Policies > QoS and select the QoS and Firewall Rules tab. Use the ADD button to create two rules.

For the first rule, allow the wireless client to access FortiAuthenticator’s guest portal.

ID: Rule number.
Destination IP: IP address of the FortiAuthenticator, and enable Match
Destination Netmask: 255.255.255.255
Destination Port: 443, and enable Match
Network Protocol: 6, and enable Match
Firewall Filter ID: Use the “Passthrough Firewall Filter ID” string from the Security Profile, and enable Match
QoS Protocol: Other.

 

For the second rule, allow FortiAuthenticator to reach the clients.

ID: Rule number.
Source IP: IP address of the FortiAuthenticator, and enable Match
Source Netmask: 255.255.255.255
Source Port: 443, and enable Match
Network Protocol: 6, and enable Match
Firewall Filter ID: Use the “Passthrough Firewall Filter ID” string from the Security Profile, and enable Match
QoS Protocol: Other.

 

5. Creating the ESS Profile on the FortiWLC

On the FortiWLC, go to Configuration > Wireless > ESS and ADD an ESS profile.

Configure the profile with an appropriate ESS Profile and SSID. Then select the Security Profile that contains the Captive Portal settings.

Primary RADIUS Accounting Server: Your RADIUS Accounting profile.

 

6. Creating FortiWLC as RADIUS Client on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new client.

Set Client address to IP/Hostname and enter the FortiWLC management IP as the IP address. Set the same Secret that was entered during the RADIUS configuration on the FortiWLC.
In the Profiles section, set a new profile name and choose the EAP types.
In the Realms section, choose the realms that are allowed.

 

7. Creating the Guest Portal on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > Guest Portals > Portals and create a new portal.

For the Profile Configuration select the RADIUS profile created earlier.

 

8. Creating the Portal Rule on the FortiAuthenticator

On the FortiAuthenticator, go to Authentication > Guest Portal > Rules and create a new rule.

For Action choose Go to portal, and select the portal created earlier.

You can match on different HTTP parameters to determine which portal to show. This is used for deployments with multiple portals, for example for different FortiWLCs and/or different client IP subnets.

 

9. Results

Connect a client to the SSID created on the FortiWLC, then log in to the portal with a valid username and password.

You can use Authentication > User Management > Local Users to create local user accounts for the FortiAuthenticator.

 

To confirm the successful login, on FortiAuthenticator go to Logging > Log Access > Logs.

Find the line showing User Portal in the Sub Category column.

 

To confirm the successful login, on FortiWLC go to Monitor > Devices > All Stations and find the device showing the authenticated user.

 

The post FortiAuthenticator as Guest Portal for FortiWLC appeared first on Fortinet Cookbook.


Supported compression formats


Practically everyone who works in a corporate environment will try this trick at least once. Compressing or zipping a file is a common method of circumventing security measures to get past a firewall filter. Maybe you just wanted to see if you could out-smart the firewall, or more likely because you “knew” that your judgment was better than that of the firewall policy in a particular instance.

A common scenario is that a user may wish to run a simple little utility on their desktop that they’ve used thousands of times on their home computer, but forgot to bring the file to work. Not to worry, it’s barely over a hundred Kilobytes and they can probably download it in a matter of minutes. That’s when the user gets frustrated, because Network Administrators at work have placed a filter on downloaded material that blocks executable files. So the user rationalizes, surely they couldn’t mean my harmless and very useful app that thousands of other people have downloaded from a website hosting free downloads! In fact, the website is so accommodating that it gives users the option to download the 750 Kb program in a compressed file format to save valuable bandwidth. Six months later, the legal department is trying to figure out what the company’s responsibilities are to customers and shareholders with regard to the data loss of an unknown number of confidential documents due to a rampant Trojan horse attack that breached the company network.

Sometimes, the most important job for IT personnel is to protect people from their own actions. In the scenario above, the decision to filter executable files was made for a good reason. If the filtering can be bypassed simply by selecting a different download option, its effectiveness is questionable at best. For this reason some firewalls include the capability to decompress archive files and scan the content of compressed file formats. The ability to scan the content of a compressed file is only one tool in what should be a large and multifaceted toolkit.

Archive and compression file formats

Archive and compression files have been around for decades. There are many types of utilities — free, commercial and shareware — and all with their own specific algorithms. A quick look at Wikipedia shows a large list of formats, including:

  • Archiving only formats
  • Compression only formats
  • Archiving and compression format

This leads to the next logical step: choosing a format that the firewall cannot decompress or un-archive is more likely to get a file past the firewall’s filter policy. Therefore, the more formats your firewall can open, the more secure your network is.

Not all Engines are the same

While it may seem a foregone conclusion that every firewall and every AV engine would open every format possible, there are differences and limitations. In FortiOS 5.0 and earlier, the two inspection modes (Proxy-based and Flow-based) use different engines to do the scanning. Because of the way Flow-based mode works in those earlier versions, it opens a more limited number of compression and/or archive formats. Now that both inspection modes use the same improved AV engine in FortiOS 5.2, all of the formats listed below can be opened in both Proxy-based and Flow-based AV modes.

Different products also take different approaches to which formats will be targeted. For instance, some firewalls only check ZIP and GZIP formats. Others may check a few more popular formats, but nowhere near the full range of formats available. In order to check other file formats, they have to proxy the entire file to scan it.

What can a FortiGate do?

The FortiGate AV engine, that looks to filter content on the incoming files, can open the following:

Archive/Compression formats

  • ZIP
  • ZIPX (BZIP2, INFLATE64, LZMA, LZMA2)
  • JAR
  • RAR
  • 7Z
  • BZIP2
  • CAB
  • TAR
  • AR
  • GZIP
  • ARJ
  • LZH
  • MSC (Microsoft Compress)
  • SIS (Symbian Installer Package)
  • SISX (Symbian Installer Package for 9.x)
  • SWF
  • NSIS (Nullsoft Installer Package)
  • E32Image (Symbian 9.x, compressed with custom LZW algorithm)
  • XZ (starting with AV engine v4.3)
  • CPIO (starting with AV engine v4.3)
  • AutoIt (starting with AV engine 5.0)
  • TNEF (starting with AV engine 5.1)
  • EGG
  • ACE
  • ISO (starting with AV engine 5.6, yet to be released)
  • CRX (starting with AV engine 5.6, yet to be released)

Self Extracting formats

  • SFX ZIP
  • SFX RAR
  • SFX LZH
  • SFX ARJ
  • SFX CAB
  • SFX 7Z

Static Packers

  • UPX
  • ASPACK
  • PETITE
  • FSG

Generic/Custom Packers

The engine supports most custom packers with emulator, including:

  • UPACK
  • Mew
  • PECompact
  • ASProtect
  • PecBundle
  • PEncrypt
  • ACProtect

Document formats

Text files are straightforward and easily readable by most editors, but there are some text files that require an editor specifically configured to read these proprietary formats. The following file formats can be read by a FortiGate:

  • PDF
  • MS OFFICE
  • RTF
  • WORDML
  • MIME

Misc

With anything as diverse as file formats, there has to be a miscellaneous section for those that don’t really fit in any of the other groupings.

  • UNICODE

Levels of compression or archiving

Individuals who attempt to confound the scanning process by compressing a file multiple times will be defeated by the FortiGate’s ability to scan through multiple levels of compression. By default, a FortiGate operating in proxy-based or flow-based inspection will go through 12 nested levels of compression to find the original file and this setting can be increased to 100 levels. A FortiGate operating in quick flow mode will only decompress up to 4 levels and is not configurable.

Before changing the setting to 100, remember that it is unlikely that the file sender will go through the effort to compress a file beyond the default, and the file receiver is even less likely to want to decompress the file that many times. It takes system resources to go through decompressing a file, so it might be simpler to drop any files that are nested that many times.
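As an added example (not Fortinet code and not the FortiGate AV engine’s implementation), the following Python script shows the nesting-limit behaviour described above for the container formats the Python standard library can open: it identifies each container by its magic bytes, descends one level at a time, and refuses to open anything deeper than the configured limit, flagging it so a policy can drop the file rather than keep decompressing. The limit defaults to 12 here to match the default quoted above. The sample input is constructed inline: a harmless placeholder with an MZ header (the executable the download scenario above is worried about) wrapped in several layers of zip, gzip, tar, bzip2 and xz.

```python
"""Nested-archive scanner: open compressed and archived content level by
level, report what is found, and stop at a configurable nesting limit.
Added illustration of the nesting-limit idea, not Fortinet code; it only
handles the formats the Python standard library can open."""
import bz2
import gzip
import io
import lzma
import tarfile
import zipfile
from typing import Iterator, List, Optional, Tuple

DEFAULT_MAX_DEPTH = 12  # mirrors the default nesting limit quoted in the text

# Leading magic bytes for the container formats this scanner can open.
SIGNATURES = (
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
)


def detect_format(data: bytes) -> Optional[str]:
    """Identify a container by magic bytes; tar carries 'ustar' at offset 257."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return None


def open_container(data: bytes, fmt: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (member name, member bytes) for exactly one level of unpacking."""
    if fmt == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
    elif fmt == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for member in tf.getmembers():
                if member.isfile():
                    yield member.name, tf.extractfile(member).read()
    else:  # single-stream compressors: one anonymous payload per level
        decompress = {"gzip": gzip.decompress, "bzip2": bz2.decompress,
                      "xz": lzma.decompress}[fmt]
        yield f"<{fmt} stream>", decompress(data)


def classify_leaf(data: bytes) -> str:
    """Minimal content check for non-containers: flag a PE (MZ) header."""
    return "pe-executable" if data.startswith(b"MZ") else "other"


def scan(data: bytes, max_depth: int = DEFAULT_MAX_DEPTH, depth: int = 0,
         path: str = "<top>") -> Tuple[List[Tuple[str, int, str]], bool]:
    """Walk nested containers. Returns (findings, blocked): findings is a list of
    (path, nesting depth, kind); blocked is True when a container sits deeper
    than max_depth and was therefore NOT opened."""
    fmt = detect_format(data)
    if fmt is None:
        return [(path, depth, classify_leaf(data))], False
    findings: List[Tuple[str, int, str]] = [(path, depth, fmt)]
    if depth >= max_depth:
        # Opening this would be level max_depth + 1: refuse and flag it.
        return findings, True
    blocked = False
    for name, member in open_container(data, fmt):
        sub, sub_blocked = scan(member, max_depth, depth + 1, f"{path}/{name}")
        findings.extend(sub)
        blocked = blocked or sub_blocked
    return findings, blocked


def wrap(data: bytes, fmt: str, name: str) -> bytes:
    """Put data inside one container of the given format (for the sample input)."""
    if fmt == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        return buf.getvalue()
    if fmt == "tar":
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as tf:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        return buf.getvalue()
    return {"gzip": gzip.compress, "bzip2": bz2.compress, "xz": lzma.compress}[fmt](data)


def build_sample(levels: int) -> bytes:
    """Constructed input: a harmless stand-in for a downloaded .exe (an MZ header
    plus padding) wrapped `levels` times, cycling through the supported formats."""
    blob = b"MZ" + b"\x90" * 62 + b"constructed placeholder, not a real program"
    cycle = ("zip", "gzip", "tar", "bzip2", "xz")
    for i in range(levels):
        blob = wrap(blob, cycle[i % len(cycle)], f"layer{i + 1}.bin")
    return blob


if __name__ == "__main__":
    for levels in (3, 12, 13):
        findings, blocked = scan(build_sample(levels))
        print(f"{levels} layers: blocked={blocked}, innermost={findings[-1]}")
```

Run stand-alone, it reports where the MZ payload was found for the 3- and 12-layer samples and a blocked verdict for the 13-layer one. Raising `max_depth`, as the setting above allows up to 100, makes the 13-layer sample open too, at the cost of one more decompression per layer, which is the resource trade-off the text describes.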


The post Supported compression formats appeared first on Fortinet Cookbook.

Deploying FortiGate-VM virtual appliance in Amazon Web Services


The FortiGate Enterprise Firewall for Amazon Web Services (AWS) is deployed as a virtual appliance in AWS (IaaS). This recipe shows you how to install and configure a single instance FortiGate-VM virtual appliance in AWS to provide a full NGFW/UTM security solution to protect your workloads in the AWS IaaS. 

Networking is a core component in using AWS services, and using virtual private clouds (VPCs), subnets, and virtual gateways help you to secure your resources at the networking level.

This recipe covers the deployment of simple web servers, but this type of deployment can be used for any type of public resource protection, with only slight modifications. With this architecture as a starting point, you can implement more advanced solutions, including multi-tiered solutions.

In this recipe, two subnets are created: Subnet1, which is used to connect the FortiGate-VM to the AWS Virtual Gateway on the public-facing side, and Subnet2, which is used to connect the FortiGate-VM and the Windows server on the private side.

1. Determining your licensing model

FortiGate-VM for AWS supports both on-demand (PAYG) and bring-your-own-license (BYOL) licensing models.

On-demand users don’t need to register from the FortiGate GUI console. If you’re using an on-demand licensing model, once you create the FortiGate-VM instance in AWS, contact Fortinet Customer Support (http://www.fortinet.com/support/contact_support.html) with the following information:

If you’re deploying a FortiGate-VM in the AWS Marketplace with BYOL, you must obtain a license to activate it.

2. Registering and downloading your license (BYOL)

Licenses for the BYOL licensing model can be obtained through any Fortinet partner. If you don’t have a partner, contact aws@fortinet.com for assistance in purchasing a license.

After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code.

Go to https://support.fortinet.com/ and either create a new account or log in with an existing account.

Go to Asset > Register/Renew to start the registration process.

In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Enter your details in the other fields.

At the end of the registration process, download the license (.lic) file to your computer. You will upload this license later (in step 6) to activate the FortiGate-VM.

After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. When you upload the license (.lic) file to activate the FortiGate-VM, if you get an error that the license is invalid, wait 30 minutes and try again.

3. Creating an AWS VPC

This section shows you how to create an AWS VPC and create two subnets in it. For many of the steps, you will have a choice to make that can be specific to your own environment.

Log in to the AWS Management Console.

In the Networking & Content Delivery section, select VPC.

In the Virtual Private Cloud menu, select Your VPCs, then select Create VPC.

In the Name tag field, set a name for your VPC.

In the CIDR block field, specify an IPv4 address range for your VPC.

In the Tenancy field, select Default.

Select Yes, Create.

In the Virtual Private Cloud menu, select Subnets, then select Create Subnet. Create a public subnet (in this example, Subnet1) and a private subnet (Subnet2), as shown in this example.

Both subnets belong to the VPC that you created.

4. Connect the new VPC to the Internet gateway

This section shows you how to connect the new VPC to the Internet gateway. Note that if you’re using the default VPC, the Internet gateway should already exist.

In the Virtual Private Cloud menu, select Internet Gateways, then select Create Internet Gateway.

In the Name tag field, set a name for the Internet gateway, then select Yes, Create.

Select the Internet gateway, then select Attach to VPC.

Select the VPC that you created and select Yes, Attach.

The state of the Internet gateway will change from detached to attached.

 

5. Subscribing to the FortiGate-VM

This section shows you how to subscribe to and configure the FortiGate-VM. 

Go to the AWS Marketplace’s page for Fortinet FortiGate-VM (BYOL) or FortiGate-VM (PAYG). Select Continue.

Select Manual Launch.

Select Launch with EC2 Console beside the Region you want to launch in.

Select an Instance Type, then select Next: Configure Instance Details.

In the Network field, select the VPC that you created.

In the Subnet field, select the public subnet.

In the Network interfaces section, you will see the entry for eth0 that was created for the public subnet. Select Add Device to add another network interface (in this example, eth1), and select the private subnet. It is recommended that you assign static IP addresses.

When you have two network interfaces, a global IP address isn’t assigned automatically. You must manually assign a global IP address later.

Select Review and Launch, then select Launch.

Select an existing key pair or create a new key pair. Select the acknowledgement check box. Select Launch Instances.

To easily identify the instance, set a name for it in the Name field.

In the Network & Security menu, select Elastic IPs, then select a global IP address that is available for you to use. Select Actions > Associate Address.

If you don’t have a global IP address available to use, create one.

In the Resource type section, select Network Interface

In the Network interface field, select the Interface ID of the network interface that you created for the public subnet (in this example, eth0). In the Private IP field, select the IP address that belongs to the public subnet. To find these values, go to the EC2 Management Console, select Instances, and select the interface in the Network interfaces section in the lower pane of the page (Interface ID and Private IP Address fields). Select Associate.

A message is displayed indicating the address association was successful. Note that if the Internet Gateway isn’t associated with a VPC, the elastic IP assignment will fail.

Next, configure the routing tables. Since the FortiGate has two interfaces, one for the public subnet and one for the private subnet, you must configure two routing tables.

To configure the routing table for the public subnet, select VPC in the Networking & Content Delivery section of the AWS Management Console. In the VPC Dashboard, select Your VPCs, and select the VPC you created. In the Summary tab in the lower pane, select the route table ID located in the Route table field. To easily identify the route table, set a name for it in the Name field.

In the Routes tab, select Edit, then select Add another route. In the Destination field, type 0.0.0.0/0. In the Target field, type ig and select the Internet Gateway from the auto-complete suggestions. Select Save.

The default route on the public interface in this VPC is now the Internet Gateway.

In the Subnet Associations tab, select Edit, and select the public subnet to associate it with this routing table. Select Save.

To configure the routing table for the private subnet, select Create Route Table. To easily identify the route table, set a name for it in the Name field. Select the VPC you created. Select Yes, Create.

In the Routes tab, select Edit, then select Add another route. In the Destination field, type 0.0.0.0/0. In the Target field, enter the interface ID of the private network interface. To find the interface ID, go to the EC2 Management Console, select Instances, and select the interface in the Network interfaces section in the lower pane of the page (Interface ID field). Select Save.

The default route on the private subnet in this VPC is now the private network interface of the FortiGate.

In the Subnet Associations tab, select Edit, select the private subnet to associate it with this routing table. Select Save.

Two routing tables, one for the public segment and one for the private segment, have now been created with default routes.

In the EC2 Management Console, select Instances, and select the network interface that you created for the private subnet (in this example, eth1) in the Network interfaces section in the lower pane. Select the interface ID.

Select the network interface, select the Actions drop-down menu, select Change Source/Dest. Check. Select Disabled. Select Save.

6. Connecting to the FortiGate-VM  

To connect to the FortiGate-VM, you need your login credentials and its public DNS address.

The default username is admin and the default password is the instance ID.

You can find the public DNS address in the EC2 Management Console. Select Instances and look at the Public DNS (IPv4) field in the lower pane. If you don’t see the DNS address, you may need to enable DNS host assignment on your VPC. In this case, go back to the VPC Management Console, select Your VPCs, and select your VPC. Select the Action drop-down menu, and select Edit DNS Hostnames. Select Yes. Select Save.

Open an HTTPS session using the public DNS address of the FortiGate-VM.

Use your credentials to log in to the FortiGate-VM.

If you’re using a BYOL license, upload your license (.lic) file to activate the FortiGate-VM. 

The FortiGate-VM will automatically restart. After it restarts, log in again.

You will now see the FortiGate-VM dashboard.

Depending on your license type, the information in the license widget on the dashboard may vary.

Select Network > Interfaces, and edit the interfaces, if required. If the IP address or subnet mask is missing for port 1 or port 2, configure these values.

7. Setting up the Windows server

In the AWS Management Console, select EC2. Select Launch Instance, then select the Microsoft Windows Server 2012 R2 image that applies to your environment.

You will use this to test connectivity with Remote Desktop access.

In the Configure Instance Details step, in the Network field, select the VPC of the FortiGate. In the Subnet field, select the private subnet.

In the Configure Security Group step, configure a security group for the Windows server so that it allows Internet access. In this example, we use Remote Desktop TCP port 3389, and other ports are optional. Select Review and Launch.

Select a key pair, select the acknowledgement check box, and select Launch Instances.

8. Configuring FortiGate firewall policies

In the FortiGate-VM console, select Policy & Objects > IPv4 Policy and create two new policies, as shown in this example. 

Create one policy for outgoing traffic from the private subnet, through the public subnet, to the Internet. Create another policy for incoming traffic from the Internet, through the public subnet, to the private subnet.

Select Virtual IPs and create a new virtual IP, as shown in the example. This is a static NAT configuration.

Edit the second policy. In the Destination field, select the virtual IP that you created.

In the EC2 Management Console, add an inbound rule to the FortiGate’s security group that allows RDP (in this example, TCP port 3389). If you don’t do this, you won’t be able to connect to the Windows server through the FortiGate with RDP.

In your Windows Remote Desktop client, specify the public DNS hostname of the FortiGate and log in. This logs you in to the Windows server through the FortiGate.

9. Results

Open a web browser and try to access the following site: metal.fortiguard.com/tests

Scroll down the page and select one of the test virus files that are listed as infected.

You should see a blocked page alert because your Internet access is now protected by FortiGate.


The post Deploying FortiGate-VM virtual appliance in Amazon Web Services appeared first on Fortinet Cookbook.

MAC authentication bypass with dynamic VLAN assignment


In this recipe, you will configure MAC authentication bypass in a wired network with dynamic VLAN assignment.

The purpose of this recipe is to configure and demonstrate MAC address bypass with FortiAuthenticator, using a 3rd-party switch (EX2200) to confirm cross-vendor interoperability. The recipe also demonstrates dynamic VLAN allocation without a supplicant.

1. Configuring MAC Authentication Bypass on the FortiAuthenticator

Go to Authentication > User Management > MAC Devices and create a new MAC-based device.

2. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group.

No members are required; MAC-based authentication devices are automatically linked with this group.

Click OK.

Edit the group you just created and add RADIUS Attributes as shown.

3. Configuring the RADIUS client

Go to Authentication > RADIUS Service > Clients and create a new RADIUS client. Configure the Switch IP and Shared Secret.

Use the Local realm.

Allow MAC-based authentication and link the group created in Step 2.

4. Configuring the 3rd-party switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly.

set system services dhcp pool 10.1.2.0/24 address-range low 10.1.2.220
set system services dhcp pool 10.1.2.0/24 address-range high 10.1.2.230
set system services dhcp pool 10.1.2.0/24 domain-name fortiad.net
set system services dhcp pool 10.1.2.0/24 name-server 10.1.2.122
set system services dhcp pool 10.1.2.0/24 router 10.1.2.1
set system services dhcp pool 10.1.2.0/24 server-identifier 10.1.2.27
set interfaces ge-0/0/0 unit 0 family ethernet-switching #no vlan assigned to printer port, this will be allocated based on Group attributes
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering #interface used to communicate with FortiAuthenticator
set interfaces vlan unit 10 family inet address 10.1.2.27/24
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/0.0 mac-radius restrict #forces mac address as username over RADIUS
set access radius-server 10.1.2.29 secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.1.2.29
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10

No configuration is required on the endpoint.

5. Results

Connect the wired device (in this case, the printer).

Using tcpdump on the FortiAuthenticator (tcpdump host 10.1.2.27 -nnvvXs), the incoming Access-Request from the switch is visible:

tcpdump: listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:36:19.110399 IP (tos 0x0, ttl 64, id 18417, offset 0, flags [none], proto UDP (17), length 185)
  10.1.2.27.60114 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 157
    Access-Request (1), id: 0x08, Authenticator: b77fe0657747891fc8d53ae0ad2b0e7a
      User-Name Attribute (1), length: 14, Value: 0022681af1a0 #Switch forces username to be endpoint MAC address, no configuration needed on endpoint
        0x0000:  3030 3232 3638 3161 6631 6130
      NAS-Port Attribute (5), length: 6, Value: 70
        0x0000:  0000 0046
      EAP-Message Attribute (79), length: 19, Value: .
        0x0000:  0200 0011 0130 3032 3236 3831 6166 3161
        0x0010:  30
      Message-Authenticator Attribute (80), length: 18, Value: .y{.j.%..9|es.'x
        0x0000:  a679 7b82 6344 2593 f639 7c65 73eb 2778
      Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fa002500078442
        0x0000:  384f 322e 3178 3831 6661 3030 3235 3030
        0x0010:  3037 3834 3432
      NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/0.0
        0x0000:  6765 2d30 2f30 2f30 2e30
      Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0
        0x0000:  3030 2d32 322d 3638 2d31 612d 6631 2d61
        0x0010:  30
      Called-Station-Id Attribute (30), length: 19, Value: a8-40-e5-b0-21-80
        0x0000:  6138 2d34 302d 6535 2d62 302d 3231 2d38
        0x0010:  30
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
        0x0000:  0000 000f

Go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

Continuing with tcpdump, FortiAuthenticator accepts the authentication and returns the authorization attributes (the VLAN assignment) to the switch:

17:36:19.115264 IP (tos 0x0, ttl 64, id 49111, offset 0, flags [none], proto UDP (17), length 73)
  10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x1880 -> 0x5cce!] RADIUS, length: 45
    Access-Accept (2), id: 0x08, Authenticator: b5c7b1bb5a316fb483a622eaae58ccc2
      Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
        0x0000:  0000 000d
      Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
        0x0000:  0000 0006
      Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
        0x0000:  656e 6769 6e65 6572 696e 67
    0x0000:  4500 0049 bfd7 0000 4011 a293 0a01 021d  E..I....@.......
    0x0010:  0a01 021b 0714 ead2 0035 1880 0208 002d  .........5.....-
    0x0020:  b5c7 b1bb 5a31 6fb4 83a6 22ea ae58 ccc2  ....Z1o..."..X..
    0x0030:  4006 0000 000d 4106 0000 0006 510d 656e  @.....A.....Q.en
    0x0040:  6769 6e65 6572 696e 67                   gineering
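The exchange in the two captures above, as an added Python example that is not FortiAuthenticator or Junos code: it builds the switch’s Access-Request with the MAC as User-Name and a Message-Authenticator, verifies that on the server side, builds the Access-Accept carrying the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple together with its Response Authenticator, and shows how the switch side checks the reply and extracts the VLAN name. The shared secret used in the test is a constructed value (the real one appears only in encrypted form in the switch configuration), and `CAPTURED_ACCEPT` is the RADIUS portion of the Access-Accept bytes from the capture above.

```python
"""RADIUS MAC Authentication Bypass, modelled on the two captures above.
Added illustration, not FortiAuthenticator or Junos code. Any secret
passed in is a constructed value; the real shared secret is not on the page."""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 5, 31, 61
MESSAGE_AUTHENTICATOR = 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, PORT_TYPE_ETHERNET = 13, 6, 15

# RADIUS portion (45 octets) of the Access-Accept in the capture above.
CAPTURED_ACCEPT = bytes.fromhex(
    "0208002d" "b5c7b1bb5a316fb483a622eaae58ccc2"
    "40060000000d" "410600000006" "510d656e67696e656572696e67")


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes its own two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse(packet: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Return (code, id, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def mab_access_request(mac: str, secret: bytes, ident: int, nas_port: int,
                       request_auth: Optional[bytes] = None) -> bytes:
    """Switch side: User-Name is the bare MAC (nothing is configured on the endpoint).
    Message-Authenticator = HMAC-MD5(secret, packet with the attribute value zeroed)."""
    request_auth = request_auth or os.urandom(16)
    bare = mac.replace(":", "").replace("-", "").lower()
    dashed = "-".join(bare[i:i + 2] for i in range(0, 12, 2))
    body = (avp(USER_NAME, bare.encode())
            + avp(NAS_PORT, struct.pack("!I", nas_port))
            + avp(CALLING_STATION_ID, dashed.encode())
            + avp(NAS_PORT_TYPE, struct.pack("!I", PORT_TYPE_ETHERNET))
            + avp(MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, kept last
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    digest = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + digest  # the placeholder is the final 16 octets


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute zeroed and compare."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator present: reject


def access_accept_vlan(ident: int, request_auth: bytes, secret: bytes, vlan: str) -> bytes:
    """Server side: Tag octet 0 + 3-octet value, as the capture shows (0000000d = VLAN,
    00000006 = IEEE-802). Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    body = (avp(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, vlan.encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response_authenticator(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Switch side: the reply must be bound to our request and the shared secret."""
    header, given, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, given)


def vlan_assignment(response: bytes) -> Optional[str]:
    """Switch side: VLAN name to apply, or None unless the reply is an Accept with a
    consistent Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple."""
    code, _, _, attrs = parse(response)
    found = dict(attrs)
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if code != ACCESS_ACCEPT or not all(k in found for k in needed):
        return None
    # First octet of each tunnel attribute is the Tag; this example ignores tags.
    ttype = int.from_bytes(found[TUNNEL_TYPE][1:], "big")
    medium = int.from_bytes(found[TUNNEL_MEDIUM_TYPE][1:], "big")
    group = found[TUNNEL_PRIVATE_GROUP_ID]
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802:
        return None
    if group and group[0] <= 0x1F:  # tagged string form: drop the Tag octet
        group = group[1:]
    return group.decode("ascii")
```

The Message-Authenticator check on the server and the Response Authenticator check on the switch are what bind both messages to the shared secret; the parser also refuses a Length field that disagrees with the packet size, which is where a careless implementation would misread attributes. The attribute bytes produced by `access_accept_vlan(..., "engineering")` are identical to the captured ones; only the authenticator differs because it depends on the request and the secret.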

The post-authentication DHCP transaction is also picked up by FortiAuthenticator (tcpdump continued):

17:36:22.955537 IP (tos 0x0, ttl 1, id 18546, offset 0, flags [none], proto UDP (17), length 328)
  10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x9fc8f40c, Flags [Broadcast] (0x8000)
    Your-IP 10.1.2.224
    Client-Ethernet-Address 00:22:68:1a:f1:a0
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message Option 53, length 1: ACK
      Server-ID Option 54, length 4: 10.1.2.27
      Lease-Time Option 51, length 4: 86400
      Subnet-Mask Option 1, length 4: 255.255.255.0
      Default-Gateway Option 3, length 4: 10.1.2.1
      Domain-Name-Server Option 6, length 4: 10.1.2.122
      Domain-Name Option 15, length 11: "fortiad.net"

The switch shows a successful dot1x session:

root# run show dot1x interface ge-0/0/0.0
802.1X Information:
Interface    Role             State            MAC address          User
ge-0/0/0.0   Authenticator    Authenticated    00:22:68:1A:F1:A0    0022681af1a0

The port the printer is connected to (ge-0/0/0.0) has been dynamically placed into the correct VLAN:

root# run show vlans engineering
Name          Tag           Interfaces
engineering   10
                            ge-0/0/0.0*, ge-0/0/11.0*

And the printer shows as available on the network:

root# run show arp interface vlan.10
MAC Address         Address       Name          Interface   Flags
00:0c:29:5b:90:68   10.1.2.29     10.1.2.29     vlan.10     none
6c:70:9f:d6:ae:a1   10.1.2.220    10.1.2.220    vlan.10     none
b8:53:ac:4a:d5:f5   10.1.2.221    10.1.2.221    vlan.10     none
00:22:68:1a:f1:a0   10.1.2.224    10.1.2.224    vlan.10     none
a4:c3:61:24:b9:07   10.1.2.228    10.1.2.228    vlan.10     none
Total entries: 5

{master:0}[edit]
root# run ping 10.1.2.224
PING 10.1.2.224 (10.1.2.224): 56 data bytes
64 bytes from 10.1.2.224: icmp_seq=0 ttl=128 time=2.068 ms
64 bytes from 10.1.2.224: icmp_seq=1 ttl=128 time=2.236 ms
64 bytes from 10.1.2.224: icmp_seq=2 ttl=128 time=2.699 ms

--- 10.1.2.224 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.068/2.334/2.699/0.267 ms

 

Note: Alternatively, you can use the Import option to import from a CSV file.

The post MAC authentication bypass with dynamic VLAN assignment appeared first on Fortinet Cookbook.

Wired 802.1x EAP-TLS with computer authentication


In this recipe, you will configure and demonstrate wired 802.1x EAP-TLS using computer authentication.

In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer. FortiAuthenticator authenticates the domain computer using its client certificate; no username or password is involved.

The example includes a native Windows 7 supplicant and a 3rd-party switch (EX2200) to confirm cross-vendor interoperability. It also includes dynamic VLAN assignment on the switch as per the FortiAuthenticator RADIUS attributes.

1. Active Directory prerequisites

Key considerations:

  • Computers must exist in AD groups that correspond with their VLAN.
  • The dNSHostName attribute is used as the username.

2. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.
Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration.

If the client certificates were not created by FortiAuthenticator, the third-party certificate that issued them would need to be uploaded to FortiAuthenticator as a Trusted CA.

In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the full DNS name of the intended computer.

Export the PKCS#12 file and passphrase protect it.

The client certificate can be pushed out using GPO (Group Policy Object). Otherwise, it can be imported manually.

3. Manually importing the client certificate – Windows 7

Manual import can be completed using MMC as shown.

Open Command Prompt and type mmc and hit Enter.

On the File menu, click Add/Remove Snap-in.

Once imported, the certificate should show up under Local Computer and not Current User.

Export the FortiAuthenticator Certificate and Import that under Trusted Root Certification Authorities (again under Certificates (Local Computer)).

4. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server.

Ensure that the Username attribute matches the attribute chosen in the AD configuration in step 1 (dNSHostName).

Go to Authentication > User Management > Realms and create a new realm for these users.

5. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown.

6. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check to see if the sync rule worked.

7. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator.

8. Configuring the switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly.

set system services dhcp pool 10.1.2.0/24 address-range low 10.1.2.220
set system services dhcp pool 10.1.2.0/24 address-range high 10.1.2.230
set system services dhcp pool 10.1.2.0/24 domain-name fortiad.net
set system services dhcp pool 10.1.2.0/24 name-server 10.1.2.122
set system services dhcp pool 10.1.2.0/24 router 10.1.2.1
set system services dhcp pool 10.1.2.0/24 server-identifier 10.1.2.27
set interfaces ge-0/0/1 unit 0 family ethernet-switching #windows 7 machine port, no VLAN assigned, will be allocated dynamically
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering #interface used to communicate with FortiAuthenticator
set interfaces me0 unit 0 family inet address 10.1.1.1/24
set interfaces vlan unit 10 family inet address 10.1.2.27/24
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single #802.1x configuration requiring supplicant
set access radius-server 10.1.2.29 secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.1.2.29
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10

9. Results

The authentication flow should initiate as soon as the wired computer starts up (while connected to the domain).

Using tcpdump, FortiAuthenticator shows receipt of an Incoming Authentication Request (tcpdump host 10.1.2.27 -nnvvXs):

02:18:48.572998 IP (tos 0x0, ttl 64, id 32483, offset 0, flags [none], proto UDP (17), length 203) 
  10.1.2.27.60114 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 175 
    Access-Request (1), id: 0x4d, Authenticator: 27e45f0edbfa7026318d583ccf915776 
      User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net 
        0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961 
        0x0010: 642e 6e65 74 
      NAS-Port Attribute (5), length: 6, Value: 71 
        0x0000: 0000 0047 
      EAP-Message Attribute (79), length: 28, Value: . 
        0x0000: 0200 001a 0168 6f73 742f 6c65 6e6f 2e66 
        0x0010: 6f72 7469 6164 2e6e 6574 
      Message-Authenticator Attribute (80), length: 18, Value: ...0S2 ....... .M
        0x0000: b60f 874f 5332 c9a7 e2f5 d90e 8c20 e64d 
      Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fa00370003dd64 
        0x0000: 384f 322e 3178 3831 6661 3030 3337 3030 
        0x0010: 3033 6464 3634 
      NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/1.0 
        0x0000: 6765 2d30 2f30 2f31 2e30 
      Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0 
        0x0000: 3030 2d32 322d 3638 2d31 612d 6631 2d61 
        0x0010: 30 
      Called-Station-Id Attribute (30), length: 19, Value: a8-d0-e5-b0-21-80 
        0x0000: 6138 2d64 302d 6535 2d62 302d 3231 2d38 
        0x0010: 30 
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 
        0x0000: 0000 000f 

Continuing with tcpdump, Access-Challenge is issued from FortiAuthenticator to the Switch:

02:18:48.578465 IP (tos 0x0, ttl 64, id 29725, offset 0, flags [none], proto UDP (17), length 108)
  10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x18a3 -> 0x7f96!] RADIUS, length: 80 
    Access-Challenge (11), id: 0x4d, Authenticator: 8140836b0192a5ef12630d4d049d05e6 
      EAP-Message Attribute (79), length: 24, Value: .. 
        0x0000: 0101 0016 0410 bc6b 992d bbfc 141f 3bb1 
        0x0010: 1908 2978 2030 
      Message-Authenticator Attribute (80), length: 18, Value: .#...:&%N.z.7...
        0x0000: dc23 d299 0f3a 2625 4eed 7a9c 37d9 ef97 
      State Attribute (24), length: 18, Value: ........ ...m.q. 
        0x0000: c21b 819c c21a 85b8 20c3 b2b7 6d1a 71d6 

The Access-Accept message with RADIUS attributes is returned to the Switch:

02:18:48.919099 IP (tos 0x0, ttl 64, id 29732, offset 0, flags [none], proto UDP (17), length 236) 
  10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x1923 -> 0xae5a!] RADIUS, length: 208 
    Access-Accept (2), id: 0x54, Authenticator: 668c7cbb00d96161c278906918ce2291 
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311) 
        Vendor Attribute: 17, Length: 50, Value: .p<.6..A [y)..E)......Y..(..P...Xd@..aB.k. 
        0x0000: 0000 0137 1134 f270 3cbf 360b 1d41 f5e5 
        0x0010: c87f e8eb b9e9 955b 7929 0915 4529 fa92
        0x0020: 8c02 0fec 59a0 e528 889e 50b9 f506 5864 
        0x0030: 4018 ff61 429a 6bb8 
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 16, Length: 50, Value: ..G......Q...............x.=xA/......i.r..a.%R.^.. 
        0x0000: 0000 0137 1034 ff86 47fc 00f1 99d9 cc51 
        0x0010: fc1f 1ae2 b9e3 00a7 1ec9 baf4 031d fa78 
        0x0020: 8d3d 7841 2114 0313 a2e8 9e69 dc72 efed 
        0x0030: 61b2 2552 995e fbf4 
      EAP-Message Attribute (79), length: 6, Value: .. 
        0x0000: 0307 0004 
      Message-Authenticator Attribute (80), length: 18, Value: .8............30 
        0x0000: 0438 c613 8719 caa2 eaf0 a106 ffb4 3330 
      User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net 
        0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961 
        0x0010: 642e 6e65 74 
      Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13 
        0x0000: 0000 000d 
      Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802 
        0x0000: 0000 0006 
      Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering 
        0x0000: 656e 6769 6e65 6572 696e 67

Post-authentication DHCP transaction is picked up by FortiAuthenticator (tcpdump continued):

02:18:52.384838 IP (tos 0x0, ttl 1, id 32640, offset 0, flags [none], proto UDP (17), length 328) 
  10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0xf79d54fa, Flags [Broadcast] (0x8000)
    Your-IP 10.1.2.224 
    Client-Ethernet-Address 00:22:68:1a:f1:a0 
    Vendor-rfc1048 Extensions 
      Magic Cookie 0x63825363 
      DHCP-Message Option 53, length 1: ACK 
      Server-ID Option 54, length 4: 10.1.2.27 
      Lease-Time Option 51, length 4: 86400 
      Subnet-Mask Option 1, length 4: 255.255.255.0 
      Default-Gateway Option 3, length 4: 10.1.2.1 
      Domain-Name-Server Option 6, length 4: 10.1.2.122 
      Domain-Name Option 15, length 11: "fortiad.net" 

Go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

The switch logs show a successful dot1x session:

root# run show dot1x interface ge-0/0/1.0
802.1X Information:
Interface    Role             State            MAC address          User
ge-0/0/1.0   Authenticator    Authenticated    00:22:68:1A:F1:A0    host/leno.fortiad.net

The Domain Computer interface is dynamically placed into the correct VLAN:

root# run show vlans
Name          Tag           Interfaces
default
                            ge-0/0/0.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, 
engineering   10
                            ge-0/0/1.0*, ge-0/0/11.0*

And the domain computer shows as available on the network:

root# run show arp interface vlan.10 
MAC Address        Address        Name         Interface    Flags
00:0c:29:5b:90:68  10.1.2.29      10.1.2.29    vlan.10      none
98:b8:e3:a0:c6:1b  10.1.2.220     10.1.2.220   vlan.10      none
b8:78:2e:38:3e:28  10.1.2.222     10.1.2.222   vlan.10      none
00:22:68:1a:f1:a0  10.1.2.224     10.1.2.224   vlan.10      none
54:e4:3a:d5:16:a0  10.1.2.226     10.1.2.226   vlan.10      none 
Total entries: 5 

{master:0}[edit]
root# run ping 10.1.2.224
PING 10.1.2.224 (10.1.2.224): 56 data bytes
64 bytes from 10.1.2.224: icmp_seq=0 ttl=128 time=4.651 ms
64 bytes from 10.1.2.224: icmp_seq=1 ttl=128 time=2.385 ms

--- 10.1.2.224 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.385/3.518/4.651/1.133 ms

Note that to view certificates in the local machine store, you must be in the Administrator role.
If the Authentication tab is not visible under your LAN properties then you may need to configure the Wired AutoConfig service to automatically start.
This rule automatically imports computers in the AD Group VLAN10 into the FortiAuthenticator User Group VLAN10.
Users/computers should be visible under Remote Users. Certificate bindings must be manually completed.
Certificate CN has to match the Remote User Computer Name.


Wired 802.1x EAP-TLS with user authentication

In this recipe, you will configure and demonstrate wired 802.1x EAP-TLS with user authentication.

In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer. 

The example includes an Odyssey supplicant and a 3rd-party switch (EX2200) to confirm cross-vendor interoperability. It also includes dynamic VLAN assignment on the switch as per the FortiAuthenticator RADIUS attributes.

1. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.

Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration.

If the client certificates were not created by FortiAuthenticator, the third-party certificate that issued them would need to be uploaded to FortiAuthenticator as a Trusted CA.

In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the user sAMAccountName.

Export the PKCS#12 file and passphrase protect it.

The client certificate can be pushed out using GPO (Group Policy Object). Otherwise, it can be imported manually.

2. Manually importing the client certificate – Windows 7

Manual import can be completed using MMC as shown.

Open Command Prompt and type mmc and hit Enter.

On the File menu, click Add/Remove Snap-in.

Once imported, the certificate should show up under Local Computer and not Current User.

Export the FortiAuthenticator Certificate and Import that under Trusted Root Certification Authorities (again under Certificates (Local Computer)).

3. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server.

Ensure that Username attribute matches the entry in the AD configuration (sAMAccountName).

Go to Authentication > User Management > Realms and create a new realm for these users.

4. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown.

The group will automatically populate with the Remote Sync Rule configured below.

5. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check to see if the sync rule worked.

6. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator.

7. Configuring the switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly.

set system services dhcp pool 10.1.2.0/24 address-range low 10.1.2.220
set system services dhcp pool 10.1.2.0/24 address-range high 10.1.2.230
set system services dhcp pool 10.1.2.0/24 domain-name fortiad.net
set system services dhcp pool 10.1.2.0/24 name-server 10.1.2.122
set system services dhcp pool 10.1.2.0/24 router 10.1.2.1
set system services dhcp pool 10.1.2.0/24 server-identifier 10.1.2.27
set interfaces ge-0/0/1 unit 0 family ethernet-switching #odyssey machine port, no VLAN assigned, will be allocated dynamically
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering #interface used to communicate with FortiAuthenticator
set interfaces me0 unit 0 family inet address 10.1.1.1/24
set interfaces vlan unit 10 family inet address 10.1.2.27/24
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/1.0 supplicant single #802.1x configuration requiring supplicant
set access radius-server 10.1.2.29 secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.1.2.29
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10

8. Results

In the Odyssey Access Client Manager, click Connect to the network. Once connected, the Status should read open and authenticated.

The authentication flow should initiate as soon as the supplicant makes a connection attempt (while connected to the domain).

Using tcpdump, FortiAuthenticator shows receipt of an Incoming Authentication Request (tcpdump host 10.1.2.27 -nnvvXs):

16:10:25.051118 IP (tos 0x0, ttl 64, id 22102, offset 0, flags [none], proto UDP (17), length 169) 
  10.1.2.27.51296 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 141 
    Access-Request (1), id: 0x18, Authenticator: 4c69f617666fcdaadbcdb14700c57551 
      User-Name Attribute (1), length: 6, Value: kash 
        0x0000: 6b61 7368 
      NAS-Port Attribute (5), length: 6, Value: 71 
        0x0000: 0000 0047 
      EAP-Message Attribute (79), length: 11, Value: .A 
        0x0000: 0241 0009 016b 6173 68 
      Message-Authenticator Attribute (80), length: 18, Value: ..C....- .....o.> 
        0x0000: 8a86 43bf a7d9 8a2d 8cef e0bf 036f 9f3e 
      Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fb00610008e3c1 
        0x0000: 384f 322e 3178 3831 6662 3030 3631 3030 
        0x0010: 3038 6533 6331 
      NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/1.0 
        0x0000: 6765 2d30 2f30 2f31 2e30 
      Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0 
        0x0000: 3030 2d32 322d 3638 2d31 612d 6631 2d61 
        0x0010: 30 
      Called-Station-Id Attribute (30), length: 19, Value: a8-d0-e5-b0-21-80 
        0x0000: 6138 2d64 302d 6535 2d62 302d 3231 2d38 
        0x0010: 30 
      NAS-Port-Type Attribute (61), length: 6, Value: Ethernet 
        0x0000: 0000 000f 

Continuing with tcpdump, Access-Challenge is issued from FortiAuthenticator to the Switch:

16:10:25.057286 IP (tos 0x0, ttl 64, id 50545, offset 0, flags [none], proto UDP (17), length 108) 
  10.1.2.29.1812 > 10.1.2.27.51296: [bad udp cksum 0x18a3 -> 0x0722!] RADIUS, length: 80 
    Access-Challenge (11), id: 0x18, Authenticator: f0a3636e1b2ddf8b76f96239feece6bb 
      EAP-Message Attribute (79), length: 24, Value: .B 
        0x0000: 0142 0016 0410 87a4 a938 54dd 43b6 9ff4 
        0x0010: 7ddc b515 1591 
      Message-Authenticator Attribute (80), length: 18, Value: ..mu.l..0..o.ht. 
        0x0000: 0f09 6d75 e76c 87c3 30f3 b76f f368 74e3 
      State Attribute (24), length: 18, Value: s...s...L@..._K. 
        0x0000: 73de c494 739c c01f 4c40 c6ce 815f 4bd5 

The next 14 messages are Access-Challenge and Access-Request EAP transactions between FortiAuthenticator and the Switch.

The Access-Accept message with RADIUS attributes is returned to the Switch:

16:10:25.479480 IP (tos 0x0, ttl 64, id 50552, offset 0, flags [none], proto UDP (17), length 219)
  10.1.2.29.1812 > 10.1.2.27.51296: [bad udp cksum 0x1912 -> 0xef88!] RADIUS, length: 191
    Access-Accept (2), id: 0x1f, Authenticator: 5b463667865b7dacf8a742aea5424f20
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 17, Length: 50, Value: ......3.y.3..T.1z..[m..W. .c. Zv a rpa.z
        0x0000: 0000 0137 1134 831d 27be +0af 4aae 7990
        0x0010: 33da 0954 b631 7ad7 e15b 6dd4 8557 83cb
        0x0020: a83c f4e0 155a 76fd dd61 c7f5 fd0a d8d1
        0x0030: 08e8 eb72 7061 b27a
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 16, Length: 50, Value: ..^D0b...z..9:e+....]+2X • / WF ..... 4..K...Pt.
        0x0000: 0000 0137 1034 8f91 5e44 4f62 9d7f f513
        0x0010: 7abb 942a 213a 652b 0fc5 b488 5d2b 3258
        0x0020: ce3a ded5 dd2f d757 4698 9a94 b205 34a2
        0x0030: ed4b 83bb a250 74f6
      EAP-Message Attribute (79), length: 6, Value: .H
        0x0000: 0348 0004
      Message-Authenticator Attribute (80), length: 18, Value: .".Z.T..X....@.
        0x0000: ca22 aa5a f354 17bc 58dc ccd7 cf40 7fb4
      User-Name Attribute (1), length: 6, Value: kash
        0x0000: 6b61 7368
      Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
        0x0000: 0000 000d
      Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
        0x0000: 0000 0006
      Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
        0x0000: 656e 6769 6e65 6572 696e 67 

Post-authentication DHCP transaction is picked up by FortiAuthenticator (tcpdump continued):

16:10:25.569855 IP (tos 0x0, ttl 1, id 22153, offset 0, flags [none], proto UDP (17), length 328)
  10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x91fced0e, Flags [Broadcast] (0x8000)
    Your-IP 10.1.2.224
    Client-Ethernet-Address 00:22:68:1a:f1:a0
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message Option 53, length 1: ACK
      Server-ID Option 54, length 4: 10.1.2.27
      Lease-Time Option 51, length 4: 86400
      Subnet-Mask Option 1, length 4: 255.255.255.0
      Default-Gateway Option 3, length 4: 10.1.2.1
      Domain-Name-Server Option 6, length 4: 10.1.2.122
      Domain-Name Option 15, length 11: "fortiad.net" 

Go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

The Switch CLI shows a successful dot1x session:

root# run show dot1x interface ge-0/0/1.0
802.1X Information:
Interface    Role             State            MAC address          User
ge-0/0/1.0   Authenticator    Authenticated    00:22:68:1A:F1:A0    kash

The Domain Computer interface is dynamically placed into the correct VLAN:

root# run show vlans
Name          Tag           Interfaces
default
                            ge-0/0/0.0, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0, ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, 
engineering   10
                            ge-0/0/1.0*, ge-0/0/11.0*

And the domain computer shows as available on the network:

root# run show arp interface vlan.10 
MAC Address        Address        Name         Interface    Flags
00:0c:29:5b:90:68  10.1.2.29      10.1.2.29    vlan.10      none
98:b8:e3:a0:c6:1b  10.1.2.220     10.1.2.220   vlan.10      none
b8:78:2e:38:3e:28  10.1.2.222     10.1.2.222   vlan.10      none
00:22:68:1a:f1:a0  10.1.2.224     10.1.2.224   vlan.10      none
54:e4:3a:d5:16:a0  10.1.2.226     10.1.2.226   vlan.10      none 
Total entries: 5 

{master:0}[edit]
root# run ping 10.1.2.224
PING 10.1.2.224 (10.1.2.224): 56 data bytes
64 bytes from 10.1.2.224: icmp_seq=0 ttl=128 time=4.651 ms
64 bytes from 10.1.2.224: icmp_seq=1 ttl=128 time=2.385 ms

--- 10.1.2.224 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.385/3.518/4.651/1.133 ms

Note that to view certificates in the local machine store, you must be in the Administrator role.
If the Authentication tab is not visible under your LAN properties then you may need to configure the Wired AutoConfig service to automatically start.
This rule automatically imports computers in the AD Group VLAN10 into the FortiAuthenticator User Group VLAN10.
Users/computers should be visible under Remote Users. Certificate bindings must be manually completed.
Certificate CN has to match the Remote User Computer Name.

