Channel: Fortinet Cookbook

Wireless 802.1x EAP-TLS with computer authentication


In this recipe, you will configure and demonstrate wireless 802.1x EAP-TLS with computer authentication.

In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer. The FortiAuthenticator will authenticate without user interaction using the domain computer and client certificate (no username or password).

The example includes an Intel PROSet supplicant as well as a dynamically assigned group on a FortiWiFi using RADIUS attributes.

1. Active Directory prerequisites

Key considerations:

  • computers must exist in AD groups that correspond to their VLAN
  • the dNSHostName attribute is used as the username

2. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.
Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration.

If the client certificates were not created by FortiAuthenticator, the third-party server certificate would need to be uploaded to FortiAuthenticator as a Trusted CA.

In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the full DNS name of the intended computer.

Export the PKCS#12 file and passphrase protect it.

The client certificate can be pushed out using GPO (Group Policy Object). Otherwise, it can be imported manually.

3. Manually importing the client certificate – Windows 7

Manual import can be completed using MMC as shown.

Open Command Prompt and type mmc and hit Enter.

On the File menu, click Add/Remove Snap In.

Once imported, the certificate should show up under Local Computer and not Current User.

Export the FortiAuthenticator Certificate and Import that under Trusted Root Certification Authorities (again under Certificates (Local Computer)).

4. Configuring the Intel PROSet Supplicant (Windows 7)

The supplicant will automatically select the certificate associated with the computer, based on the configuration shown.

Under General Settings, set Operating Mode to Network [Infrastructure] – Connect to WiFi networks and/or the Internet.

Under Security Settings, be sure to enable Use the certificate issued to this computer.

With this configuration, no user interaction is required for 802.1x EAP-TLS: on startup, or when attempting to connect to the WiFi, the authentication and authorization process is transparent to the user.

5. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server.

Ensure that Username attribute matches the entry in the AD configuration in Step 1.

Go to Authentication > User Management > Realms and create a new realm for these users.

6. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown.

7. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check to see if the sync rule worked.

8. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator.

9. Configuring the FortiWiFi

Go to User & Device > Authentication > RADIUS Servers and set the FortiAuthenticator as the RADIUS server for the FortiWiFi.
Go to WiFi & Switch Controller > WiFi Network > SSID and configure the WiFi SSID interface.
Go to System > Network > Interfaces and configure a software switch combining the physical and WiFi interfaces.

10. Results

The authentication flow should initiate as soon as the wired computer starts up (while connected to the domain).

Using tcpdump, FortiAuthenticator shows receipt of an Incoming Authentication Request (tcpdump host 10.1.2.27 -nnvvXs):

01:09:34.674298 IP (tos 0x0, ttl 64, id 40954, offset 0, flags [none], proto UDP (17), length 212)
  10.1.2.27.1025 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 184 
    Access-Request (1), id: 0x76, Authenticator: 4b859401ddb6c0fb95261e99fc8ef66a 
      User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net 
        0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961 
        0x0010: 642e 6e65 74
      NAS-IP-Address Attribute (4), length: 6, Value: 0.0.0.0 
        0x0000: 0000 0000 
      NAS-Port Attribute (5), length: 6, Value: 0 
        0x0000: 0000 0000 
      Called-Station-Id Attribute (30), length: 28, Value: 88-DC-96-27-72-68:fortinet
        0x0000: 3838 2d44 432d 3936 2d32 372d 3732 2d36 
        0x0010: 423a 666f 7274 696e 6574 
      Calling-Station-Id Attribute (31), length: 19, Value: 6C-88-14-C6-3D-58
        0x0000: 3643 2d38 382d 3134 2d43 362d 3344 2d35
        0x0010: 38
      Framed-MTU Attribute (12), length: 6, Value: 1400
        0x0000: 0000 0578
      NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11 
        0x0000: 0000 0013
      Connect-Info Attribute (77), length: 24, Value: CONNECT 11Mbps 802.11b 
        0x0000: 434f 4e4e 4543 5420 3131 4d62 7073 2038 
        0x0010: 3032 2e31 3162 

Continuing with tcpdump, Access-Challenge is issued from FortiAuthenticator to the Switch:

01:09:34.679881 IP (tos 0x0, ttl 64, id 58896, offset 0, flags [none], proto UDP (17), length 108)
  10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0x18a3 -> 0xbe6a!] RADIUS, length: 80
    Access-Challenge (11), id: 0x76, Authenticator: a4c016a41e6a0f46c17da49ff813bd6e
      EAP-Message Attribute (79), length: 24, Value: ..
        0x0000: 0101 0016 0410 f23e 13dd 795e 18fa 5dd5
        0x0010: 3e83 cb34 a99c
      Message-Authenticator Attribute (80), length: 18, Value:
        0x0000: eac9 2509 cbec 6895 804a deac 5de7 d6f8
      State Attribute (24), length: 18, Value: *...* .......
        0x0000: 2af7 1bfd 2af6 1fb9 8db9 f1f8 20ad 9cd4

The next 14 messages are Challenge->Request EAP transactions between the FortiAuthenticator and the FortiWiFi.

An Access-Accept message carrying the RADIUS attributes is returned to the Switch:

01:09:36.517763 IP (tos 0x0, ttl 64, id 58903, offset 0, flags [none], proto UDP (17), length 225)
  10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0x1918 -> 0x1f60!] RADIUS, length: 197
    Access-Accept (2), id: 0x7d, Authenticator: 989626b68773ac50c060d8306287984a
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 17, Length: 50, Value: ?...e....NA=E.5.9..y........Q ^R=i..!j .........
        0x0000: 0000 0137 1134 80e3 aef1 65e0 1383 c34e
        0x0010: 413d 45bd 350d 39be ac79 04b8 90fa 1551
        0x0020: a4b7 10d3 09b6 f902 5e52 3d69 b3b4 216a
        0x0030: b48f 0ef2 0c08 9cd0
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 16, Length: 50, Value: z
        0x0000: 0000 0137 1034 8883 7a9b b11b 9488 f181
        0x0010: d179 29ba 7538 11eb 8311 3c22 1b62 9176
        0x0020: d0be f763 4617 670c d8ca 8659 7a14 d12c
        0x0030: 8064 5955 942b cc1a
      EAP-Message Attribute (79), length: 6, Value: ..
        0x0000: 0307 0004
      Message-Authenticator Attribute (80), length: 18, Value: ....>k....? ...(
        0x0000: 9aec 02c0 3e6b af8e defb 8020 e50b 0728
      User-Name Attribute (1), length: 23, Value: host/leno.fortiad.net
        0x0000: 686f 7374 2f6c 656e 6f2e 666f 7274 6961
        0x0010: 642e 6e65 74
      Vendor-Specific Attribute (26), length: 14, Value: Vendor: Fortinet (12356)
        Vendor Attribute: 1, Length: 6, Value: VLAN10
        0x0000: 0000 3044 0108 564c 414e 3130
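The Access-Accept above is what the FortiWiFi acts on: the Fortinet Vendor-Specific Attribute (vendor 12356, attribute 1) carries the group name "VLAN10" that becomes the client's dynamic group. The following is an added example, not part of the original recipe, that decodes RADIUS attribute TLVs (RFC 2865) with length validation and extracts that VSA; the sample bytes are reconstructed from a subset of the Access-Accept dump above, and the attribute and vendor name tables are assumptions taken from RFC 2865, RFC 2548 and the Fortinet RADIUS dictionary.

```python
"""Decode RADIUS attribute TLVs (RFC 2865) and pull out the Fortinet group VSA.

Added example: sample bytes are reconstructed from a subset of the Access-Accept
dump in the recipe (MS-MPPE-Send-Key VSA, EAP-Message, User-Name, Fortinet VSA).
"""
import struct
from typing import Dict, List, Optional

# Standard attribute types seen in the captures (RFC 2865/2869); assumed table.
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 12: "Framed-MTU",
    24: "State", 26: "Vendor-Specific", 30: "Called-Station-Id",
    31: "Calling-Station-Id", 61: "NAS-Port-Type", 77: "Connect-Info",
    79: "EAP-Message", 80: "Message-Authenticator",
}
VENDOR_NAMES = {311: "Microsoft", 12356: "Fortinet"}
# Vendor attribute names: RFC 2548 (Microsoft) and the Fortinet RADIUS dictionary.
VSA_NAMES = {
    (311, 16): "MS-MPPE-Recv-Key",
    (311, 17): "MS-MPPE-Send-Key",
    (12356, 1): "Fortinet-Group-Name",
}
NAS_PORT_TYPES = {15: "Ethernet", 19: "Wireless - IEEE 802.11"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
FORTINET_VENDOR_ID = 12356


def parse_vsa(value: bytes) -> Dict:
    """Vendor-Specific (RFC 2865 5.26): 4-byte Vendor-Id, then one vendor TLV."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    # Vendor length covers type+length+data and must fit inside the outer attribute.
    if vlen < 2 or vlen > len(value) - 4:
        raise ValueError(f"bad vendor attribute length {vlen}")
    vdata = value[6:4 + vlen]
    name = VSA_NAMES.get((vendor_id, vtype), f"Vendor-Attr-{vtype}")
    # Fortinet group names are text; MS-MPPE keys are salted/encrypted, keep as hex.
    text = vdata.decode("ascii") if vendor_id == FORTINET_VENDOR_ID else vdata.hex()
    return {"vendor": VENDOR_NAMES.get(vendor_id, str(vendor_id)),
            "vendor_id": vendor_id, "vsa": name, "value": text}


def parse_attributes(data: bytes) -> List[Dict]:
    """Walk the attribute section of a RADIUS packet, validating every length."""
    attrs: List[Dict] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = data[pos + 2:pos + alen]
        attr: Dict = {"type": atype, "name": ATTR_NAMES.get(atype, f"Attr-{atype}")}
        if atype == 26:
            attr.update(parse_vsa(value))
        elif atype in (1, 30, 31, 77):                  # text attributes
            attr["value"] = value.decode("ascii", errors="replace")
        elif atype in (5, 12, 61) and len(value) == 4:  # 32-bit integers
            num = struct.unpack("!I", value)[0]
            attr["value"] = NAS_PORT_TYPES.get(num, num) if atype == 61 else num
        elif atype == 4 and len(value) == 4:            # IPv4 address
            attr["value"] = ".".join(str(b) for b in value)
        elif atype == 79 and value:                     # EAP-Message: code, id, len
            attr["value"] = value.hex()
            attr["eap_code"] = EAP_CODES.get(value[0], f"code {value[0]}")
        else:
            attr["value"] = value.hex()
        attrs.append(attr)
        pos += alen
    return attrs


def group_from_accept(data: bytes) -> Optional[str]:
    """Return the Fortinet-Group-Name the FortiWiFi uses as the dynamic group."""
    for attr in parse_attributes(data):
        if (attr["type"] == 26 and attr.get("vendor_id") == FORTINET_VENDOR_ID
                and attr["vsa"] == "Fortinet-Group-Name"):
            return attr["value"]
    return None


# Constructed sample: attribute bytes taken from the Access-Accept dump above.
ACCEPT_ATTRS = bytes.fromhex(
    # Vendor-Specific (26), len 58: Microsoft (311), MS-MPPE-Send-Key (17), len 52
    "1a3a" "00000137" "1134"
    "80e3aef165e01383c34e"
    "413d45bd350d39beac7904b890fa1551"
    "a4b710d309b6f9025e523d69b3b4216a"
    "b48f0ef20c089cd0"
    # EAP-Message (79), len 6: EAP Success, id 7, length 4
    "4f06" "03070004"
    # User-Name (1), len 23: host/leno.fortiad.net
    "0117" "686f73742f6c656e6f2e666f7274696164" "2e6e6574"
    # Vendor-Specific (26), len 14: Fortinet (12356), Fortinet-Group-Name (1) = VLAN10
    "1a0e" "00003044" "0108" "564c414e3130"
)

if __name__ == "__main__":
    for attr in parse_attributes(ACCEPT_ATTRS):
        print(attr)
    print("dynamic group:", group_from_accept(ACCEPT_ATTRS))
```

Feeding the parser a truncated attribute section raises ValueError rather than silently reading past the end, which is the check a RADIUS consumer needs before trusting any decoded VSA.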

Post-authentication DHCP transaction is picked up by FortiAuthenticator (tcpdump continued):

01:09:39.765661 IP (tos 0x0, ttl 64, id 15537, offset 0, flags [none], proto UDP (17), length 300)
  10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 272, hops 2, xid 0x5a6b3f9e, Flags [none] (0x0000)
    Client-IP 10.1.2.9
    Gateway-IP 10.1.2.27
    Client-Ethernet-Address 6c:88:14:c6:3d:58
    Vendor-rfc1048 Extensions
      Magic Cookie 0x63825363
      DHCP-Message Option 53, length 1: ACK
      Server-ID Option 54, length 4: 10.1.2.1
      Default-Gateway Option 3, length 4: 10.1.2.1
      Domain-Name-Server Option 6, length 8: 212.159.6.9,212.159.6.10
      Time-Zone Option 2, length 4: 3600 

On the FortiAuthenticator, go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

On the FortiWiFi, go to WiFi & Switch Controller > Monitor > Client Monitor and note that the Group is the RADIUS attribute sent from FortiAuthenticator. Any firewall policy using that Group will now apply to the user.

Note that to view certificates in the local machine store, you must be in the Administrator role.
If the Authentication tab is not visible under your LAN properties then you may need to configure the Wired AutoConfig service to automatically start.
This rule automatically imports computers in the AD Group VLAN10 into the FortiAuthenticator User Group VLAN10.
Users/computers should be visible under Remote Users. Certificate bindings must be manually completed.
Certificate CN has to match the Remote User Computer Name.

The post Wireless 802.1x EAP-TLS with computer authentication appeared first on Fortinet Cookbook.


Monitoring and suppressing rogue APs


In this recipe, you will learn how to monitor and suppress rogue access points (APs). A rogue AP is an unauthorized AP connected to your wired network (“on-wire”).

Before suppressing any AP, confirm that Rogue Suppression is compliant with the applicable laws and regulations of your region.

Discovered access points are listed in Monitor > Rogue AP Monitor. You can mark them as either Accepted or Rogue APs. While these designations help you track APs, they do not stop anyone from using these APs.

Other APs that are available in the same area as your APs are not necessarily rogues. A neighboring AP that has no connection to your network might cause interference, but it is not a security threat. In general, you would only Mark as rogue the unauthorized APs that are on-wire.

For more information, refer to the FortiWiFi and FortiAP Configuration Guide.

PREP 1 min      COOK 10 min      TOTAL 11 min

1. Configuring rogue scanning

On the FortiGate, go to WiFi & Switch Controller > WIDS Profiles and edit the default profile.

Enable Rogue AP Detection as shown.

2. Monitoring rogue APs

Go to Monitor > Rogue AP Monitor and view the table of APs found during scanning.

You can identify interfering APs in the Signal Interference column, indicated by the interference icon.

3. Suppressing rogue APs

To suppress a rogue AP, you must first mark the AP as rogue.

Right-click the desired entry and select Mark as rogue.

Once the AP is marked, suppress it by highlighting the entry and selecting Suppress AP.

4. Reverting a suppressed AP 

To revert a suppressed AP, highlight its entry and select Unsuppress AP as shown.

The AP will remain identified as rogue.

To revert the rogue designation, right-click the entry and select Mark as unclassified.
An unclassified AP should appear with the unclassified icon in the State column.

5. Exempting an AP from rogue scanning

Go to WiFi & Switch Controller > WIDS Profiles and create a new WIDS profile that does not Enable Rogue AP Detection.

Go to WiFi & Switch Controller > FortiAP Profiles and select the desired FortiAP Profile.

Enable WIDS Profile, select the profile you just created, and click OK.

Rogue AP Monitor icons

The icons in the Rogue AP Monitor table are defined below, by column:

State
  • AP is detected but not yet classified.
  • AP is accepted.
  • AP is marked as rogue, but unsuppressed.
  • AP is marked as rogue and suppressed.

Status
  • AP is online and active.
  • AP is inactive.

Signal Interference
  • AP signal interferes with a managed AP.
  • AP signal interference ranges from low (green) to high (red), measured in dBm.

On Wire
  • AP is a suspected rogue.
  • AP is not a suspected rogue.

All times listed are approximations.
Rogue AP monitoring of WiFi client traffic builds a table of WiFi clients and the Access Points through which they communicate. The FortiGate unit also builds a table of MAC addresses that it sees on the LAN. The FortiGate unit’s on-wire correlation engine constantly compares the MAC addresses seen on the LAN to the MAC addresses seen on the WiFi network.
Mouse-over the icon to see which managed AP the interfering AP impacts.
In the example, the interfering AP may not pose a security threat; it is suppressed purely for demonstration.
The FortiAP Profile assigned to the AP that you wish to exempt from rogue scanning.
Use this status for APs that are an authorized part of your network or are neighboring APs that are not a security threat.

To see accepted APs in the list, select Show Accepted.

Use this status for unauthorized APs that On Wire status indicates are attached to your wired network(s).
Mouse-over the icon to see which managed AP.
Based on the ‘on-wire’ detection technique.
Based on the ‘on-wire’ detection technique.


Basic FortiSwitch Installation Guide


The FortiSwitch unit can be placed on any flat surface, or mounted in any standard 19 inch rack unit with the provided rack-mount brackets and screws.

If the unit has a redundant power supply, each power cable should be connected to a different power source. In this way, if one power source fails, the other may still be operational and the unit will not lose power.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

Do not place heavy objects on the unit.

To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Installing the FortiSwitch into a Rack

  1. Ensure that the FortiSwitch unit is placed on a stable surface prior to rack-mount installation.
  2. Attach the provided rack-mount brackets to the sides of the unit using the provided bracket screws.
  3. Position the FortiSwitch unit in the rack. Ensure there is enough room around the unit to allow for sufficient air flow.
  4. Line up the rack-mount bracket holes to the holes on the rack and ensure that the FortiSwitch unit is level.
  5. Finger tighten four rack-mount screws to attach the unit to the rack.
  6. Verify that the spacing around the FortiSwitch unit conforms to requirements and that the unit is level, then tighten the rack-mount screws with an appropriate screwdriver.
  7. Plug the provided power cable into the rear of the unit, and then into a grounded electrical outlet or a separate power source such as an uninterruptible power supply (UPS) or a power distribution unit (PDU).

Installing the Device on a Flat Surface

  1. Ensure that the surface onto which the FortiSwitch unit is to be installed is clean, level, and stable, and that there is at least 1.5 in (3.8 cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the provided rubber feet to the bottom of the FortiSwitch unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the FortiSwitch unit conforms to requirements and that the unit is level.
  5. Plug the provided power cable into the rear of the unit, and then into a grounded electrical outlet or a separate power source such as an uninterruptible power supply (UPS) or a power distribution unit (PDU).


Wireless 802.1x EAP-TLS with user authentication


In this recipe, you will configure and demonstrate wireless 802.1x EAP-TLS with user authentication.

In the example, you will set up FortiAuthenticator as the Root CA and client certificate issuer.

The example includes an Odyssey supplicant as well as a dynamically assigned group on a FortiWiFi using RADIUS attributes.

1. Configuring the certificates

Go to Certificate Management > Certificate Authorities > Local CAs and create a new Root CA.
Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.

Go to RADIUS Service > EAP and set up the EAP configuration.

If the client certificates were not created by FortiAuthenticator, the third-party server certificate would need to be uploaded to FortiAuthenticator as a Trusted CA.

In this example, FortiAuthenticator creates the client certificates.

Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the AD user name.

Export the PKCS#12 file and passphrase protect it.

The client certificate can be pushed out using GPO (Group Policy Object). Otherwise, it can be imported manually.

2. Manually importing the client certificate – Windows 7

Manual import can be completed using MMC as shown.

Open Command Prompt and type mmc and hit Enter.

On the File menu, click Add/Remove Snap In.

Once imported, the certificate should show up under Local Computer and not Current User.

Export the FortiAuthenticator Certificate and Import that under Trusted Root Certification Authorities (again under Certificates (Local Computer)).

3. Configuring the FortiAuthenticator AD Server

Go to Authentication > Remote Auth. Servers > LDAP and create a new AD server.

Ensure that Username attribute matches the entry in the AD configuration in Step 1.

Go to Authentication > User Management > Realms and create a new realm for these users.

4. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group with the RADIUS attributes shown.

5. Configuring remote user sync rules

Go to Authentication > User Management > Remote User Sync Rules and configure a new Remote LDAP User Synchronization Rule.

Go to Authentication > User Management > Remote Users and check to see if the sync rule worked.

6. Configuring the FortiAuthenticator RADIUS client

Go to Authentication > RADIUS Service > Clients and create a RADIUS client to bring the configuration together on the FortiAuthenticator.

7. Configuring the FortiWiFi

Go to User & Device > Authentication > RADIUS Servers and set the FortiAuthenticator as the RADIUS server for the FortiWiFi.
Go to WiFi & Switch Controller > WiFi Network > SSID and configure the WiFi SSID interface.
Go to System > Network > Interfaces and configure a software switch combining the physical and WiFi interfaces.

8. Results


In the Odyssey Access Client Manager, click Connect to the network. Once connected, the Status should read open and authenticated.

The authentication flow should initiate as soon as the supplicant makes a connection request.

Using tcpdump, FortiAuthenticator shows receipt of an Incoming Authentication Request (tcpdump host 10.1.2.27 -nnvvXs):

02:04:09.790423 IP (tos 0x0, ttl 64, id 9792, offset 0, flags [none], proto UDP (17), length 178)
  10.1.2.27.1025 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 150
    Access-Request (1), id: 0x9c, Authenticator: 874c50b16efbb87e593a5851e8361f10
      User-Name Attribute (1), length: 6, Value: kash 
        0x0000: 6b61 7368
      NAS-IP-Address Attribute (4), length: 6, Value: 0.0.0.0 
        0x0000: 0000 0000 
      NAS-Port Attribute (5), length: 6, Value: 0 
        0x0000: 0000 0000 
      Called-Station-Id Attribute (30), length: 28, Value: 88-DC-96-27-72-6B:fortinet 
        0x0000: 3838 2d44 432d 3936 2d32 372d 3732 2d36 
        0x0010: 423a 666f 7274 696e 6574 
      Calling-Station-Id Attribute (31), length: 19, Value: 00-26-C6-6A-E6-B2 
        0x0000: 3030 2d32 362d 4336 2d36 412d 4536 2d42 
        0x0010: 32 
      Framed-MTU Attribute (12), length: 6, Value: 1400 
        0x0000: 0000 0578 
      NAS-Port-Type Attribute (61), length: 6, Value: Wireless - IEEE 802.11 
        0x0000: 0000 0013 
      Connect-Info Attribute (77), length: 24, Value: CONNECT 11Mbps 802.11b 
        0x0000: 434f 4e4e 4543 5420 3131 4d62 7073 2038 
        0x0010: 3032 2e31 3162 

Continuing with tcpdump, Access-Challenge is issued from FortiAuthenticator to the Switch:

01:09:34.679881 IP (tos 0x0, ttl 64, id 58896, offset 0, flags [none], proto UDP (17), length 108)
  10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0x18a3 -> 0xbd92!] RADIUS, length: 80
    Access-Challenge (11), id: 0x9c, Authenticator: c67b8d0f8805db68e57e9757deda20d0
      EAP-Message Attribute (79), length: 24, Value: ..
        0x0000: 0101 0016 0410 8b8c ae75 4696 0a47 96fd
        0x0010: 7c26 528a 097e
      Message-Authenticator Attribute (80), length: 18, Value: ..... 1.!.q._.*[.
        0x0000: @ad f1fd e931 1321 f571 f85f d12a 5bd3
      State Attribute (24), length: 18, Value: .!&.. "..9[~....
        0x0000: ad21 2611 ad20 22e2 e539 5b7e 94e2 9a87

The next 14 messages are Challenge->Request EAP transactions between the FortiAuthenticator and the FortiWiFi.

An Access-Accept message carrying the RADIUS attributes is returned to the Switch:

02:04:10.000998 IP (tos 0x0, ttl 64, id 44468, offset 0, flags [none], proto UDP (17), length 208)
  10.1.2.29.1812 > 10.1.2.27.1025: [bad udp cksum 0x1918 -> 0x77e9!] RADIUS, length: 180
    Access-Accept (2), id: 0x7d, Authenticator: 144538f6ifd7f4b12d768e76f05709ae2
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 17, Length: 50, Value: ..S.|..W...^.. ..h0p.U..~..{. P..|b7"............s..
        0x0000: 0000 0137 1134 80e3 aef1 65e0 1383 c34e
        0x0010: 413d 45bd 350d 39be ac79 04b8 90fa 1551
        0x0020: a4b7 10d3 09b6 f902 5e52 3d69 b3b4 216a
        0x0030: b48f 0ef2 0c08 9cd0
      Vendor-Specific Attribute (26), length: 58, Value: Vendor: Microsoft (311)
        Vendor Attribute: 16, Length: 50, Value: .t._M.,...a...a.JhFz5.....2.;".."...D.y.=..{./..?.
        0x0000: 0000 0137 1034 8883 7a9b b11b 9488 f181
        0x0010: d179 29ba 7538 11eb 8311 3c22 1b62 9176
        0x0020: d0be f763 4617 670c d8ca 8659 7a14 d12c
        0x0030: 8064 5955 942b cc1a
      EAP-Message Attribute (79), length: 6, Value: .. 
        0x0000: 0307 0004 
      Message-Authenticator Attribute (80), length: 18, Value: .c.b..m.G.ZH.'.6
        0x0000: 9aec 02c0 3e6b af8e defb 8020 e50b 0728 
      User-Name Attribute (1), length: 6, Value: kash
        0x0000: 6b61 7368
      Vendor-Specific Attribute (26), length: 14, Value: Vendor: Fortinet (12356)
        Vendor Attribute: 1, Length: 6, Value: VLAN10
        0x0000: 0000 3044 0108 564c 414e 3130 

On the FortiAuthenticator, go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

On the FortiWiFi, go to WiFi & Switch Controller > Monitor > Client Monitor and note that the Group is the RADIUS attribute sent from FortiAuthenticator. Any firewall policy using that Group will now apply to the user.

Note that to view certificates in the local machine store, you must be in the Administrator role.
If the Authentication tab is not visible under your LAN properties then you may need to configure the Wired AutoConfig service to automatically start.
This rule automatically imports computers in the AD Group VLAN10 into the FortiAuthenticator User Group VLAN10.
Users/computers should be visible under Remote Users. Certificate bindings must be manually completed.
Certificate CN has to match the Remote User Computer Name.


Transparent Web Filtering Using a Virtual Wire Pair


This cookbook recipe shows how to insert FortiGate transparent web filtering between two network devices. The FortiGate is configured with a management interface and a Virtual Wire (V-Wire) pair connected between a network switch and a router. Once inserted between the network devices, a V-Wire policy and web filtering are configured to allow and inspect traffic.

In this example, Port 1 is used for management, Ports 2 and 3 are configured as the virtual wire pair.

1. Configure the management interface

Port 1 is chosen to be the management interface. If the management interface isn't already configured, it can be configured through the CLI.

Using a console cable, access the Fortinet command line interface, and configure the management port IP address, default gateway, and DNS.

At the CLI prompt, enter:

config system interface
    edit port1
        set ip 172.31.1.254/24
    next
end

config router static
    edit 1
        set gateway 172.31.1.1
        set device port1
    next
end

config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end

Once the management IP address is set, access the FortiGate login screen using the new management IP address.

2. Configure the Virtual Wire Pair

On the FortiGate, go to Network > Interface.

Select Create New > Virtual Wire Pair.


In the New Virtual Wire page, assign the interface name, assign the interface members, and select Wild Card VLAN if multiple VLANs are being used on the connection.


3. Configure the Virtual Wire Pair Policy & Enable Web Filtering

On the FortiGate, go to Policy & Objects > IPv4 Virtual Wire Pair Policy. 

Create a new policy, assign the policy name, select bidirectional traffic flow (dual arrows) for the wire pair, and assign the Source, Destination, Schedule, Service, and Action as needed. 

Under Security Profiles, enable Web Filter and select the applicable policy.

4.  Results

Once the virtual wire policy is created, traffic should now flow through the virtual wire pair and web filtering should be enabled. 

Traffic can be verified by going to FortiView > All Sessions and reviewing the source and destination ports. Traffic should be visible flowing across ports 2 and 3.




Episode 20: Fortinet Innovators – FortiSIEM


Send us your questions!

We’re looking to do a Q&A episode of FortiCast and we need your help. If you have a question that needs an answer, email us at forticast@fortinet.com. If your question is used, we’ll send you some Fortinet swag!


This episode, part of our Fortinet Innovators series, takes a look at the FortiSIEM, Fortinet’s Security Information and Event Management appliance.




Dual-band SSID with optional client load balancing


In this recipe, you will configure your FortiAP to broadcast the same SSID on both WiFi bands: 2.4GHz and 5GHz. This recipe also contains information about using client load balancing, if required.

This recipe requires using a FortiAP model with two radios. It also assumes that you have already configured a FortiAP in your network. For more information, see Setting up WiFi with a FortiAP (tunnel mode) or Setting up a WiFi bridge with a FortiAP (bridge mode).

1. Configuring the dual-band SSID

In this example, a FortiAP 221C is used to broadcast the dual-band SSID. For this model, Radio 1 broadcasts using the 2.4GHz band while Radio 2 uses the 5GHz band.

Go to WiFi & Switch Controller > FortiAP Profiles and create a FortiAP profile. Set Platform to the model of your FortiAP and set your Country/Region.

Under Radio 1, set SSIDs to Manual and select your SSID.

Under Radio 2, set SSIDs to Manual and select your SSID.
Go to WiFi & Switch Controller > Managed FortiAPs and right-click on the FortiAP. Select Assign Profile and set the FortiAP to use your new profile.
The FortiAP is now listed with both Radio 1 and Radio 2 broadcasting the same SSID.

2. Results

Connect to the SSID from various devices.

Go to WiFi & Switch Controller > Managed FortiAPs. Clients are shown connecting to the same SSID on both WiFi bands.

On the devices, you can also see that the same SSID is used on both bands (in this example, an Android device and Mac OS X computer are used).


3. (Optional) Adding client load balancing

In a dual-band SSID configuration, it is best to have as many clients as possible using the 5GHz band, leaving the 2.4GHz band for clients that do not support 5GHz. Because modern WiFi clients automatically choose the 5GHz band, client load balancing may not be necessary.

However, if you notice that most clients are using the 2.4GHz band, you can use the frequency hand-off method of client load balancing (also known as band-steering), which encourages clients to use the 5GHz band if possible.

It is also recommended to use FortiOS 5.6.2, which supports 802.11k/v/r; modern clients also use these standards to select the appropriate AP and band.

Go to WiFi & Switch Controller > FortiAP Profiles and edit the FortiAP profile. Set Client Load Balancing to Frequency Handoff for both Radio 1 and Radio 2.

For further reading, check out Access point deployment in the FortiOS 5.6 Handbook.

When client load balancing is used, the AP sends a message to the client that can cause the client to enter search mode and look for other SSIDs. Because of this, it may take longer for clients to connect to the WiFi network.


Managing a FortiAP with FortiCloud


In this example, you will use FortiCloud to configure and manage a single FortiAP-224D, creating a working WiFi network without a FortiGate unit. You can register for a free FortiCloud account at www.forticloud.com.

You will create a simple network that uses WPA2-Personal authentication.

The FortiAP will self-configure.

PREP 13 mins      COOK 2 min      TOTAL 15 mins

1. Adding your FortiAP to FortiCloud

Visit www.forticloud.com and log in or select Create New Account.

From the FortiCloud home page, go to Inventory and select Import AP Key.

Input the FortiCloud Key and click Submit, then click OK.

Go to AP Network and select Add AP Network.

Enter an AP Network Name and select the desired Time Zone. Click Submit.

The new AP network appears on-screen. Click its icon on the left.

You are prompted to enter an SSID for this AP Network.

2. Configuring an SSID

Go to Configure and enter the SSID name and ensure that Enabled and Broadcast SSID are selected.

Select WPA2-Personal Authentication and enter the Pre-shared Key.

Click Next.

Select and configure the desired Security profiles and click Next.

Configure radio Availability as required.

Otherwise, accept the default settings and click Next.

Preview the SSID configuration and click Apply.

The new SSID appears in the SSID list.

3. Deploying the FortiAP

Go to Deploy APs. Select the FortiAP you just added and click Next.
The correct Platform Profile should already be selected. Click Next.
No AP Folder has been configured. Click Next.
Allow Admin Access as required and enter the Admin password. Click Next.
Preview the deployment and then click Deploy.
Success! Click OK.

4. Connecting the FortiAP to the Internet

Connect the FortiAP ethernet interface to a network that provides Internet access. 

The FortiAP will self-configure.

5. Results

In FortiCloud, go to AP Network > [Your AP] > Monitor and verify that the AP Status is Up. You may need to click Refresh.

Using a wireless device and the pre-shared key, attempt to connect to the SSID you created in Step 2.

In FortiCloud, go to AP Network > [Your AP] > Monitor and highlight the Client tab.

Verify the wireless connection and details about the user’s connectivity.

For log information, go to AP Network > [Your AP] > Logs > Wireless logs.

View the event logs for wireless connections, including actions taken, time stamps, client MAC addresses, and more.

For report information, go to AP Network > [Your AP] > Reports and view the Traffic & Client Count by SSID and the Traffic & Client Count by AP (Top 10).

 

Notes:
  • Not all FortiAP models support this method of self-configuration.
  • All times listed are approximations.
  • The FortiCloud Key is on the same label as the unit serial number.
  • The pre-shared key is the password users will have to enter to access the WiFi.

The post Managing a FortiAP with FortiCloud appeared first on Fortinet Cookbook.


High availability with two FortiGates


In this recipe, a backup FortiGate unit is installed and connected to a previously installed FortiGate to form a high availability (HA) cluster that improves network reliability.

Before you begin, the FortiGates should be running the same FortiOS firmware version and interfaces should not be configured to get their addresses from DHCP or PPPoE.

This recipe is in the Security Fabric collection. It can also be used as a standalone recipe.

This recipe uses the FortiGate Clustering Protocol (FGCP) for HA. The previously installed FortiGate will continue to operate as the primary unit and the new FortiGate will operate as the backup FortiGate.


1. Setting up registration and licensing

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before adding it to the HA cluster. This includes licensing for FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs). All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. FortiToken licenses can be added at any time because they are synchronized to all cluster members.

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.

2. Configuring the primary FortiGate for HA

On the primary FortiGate, go to System > Settings and change the Host name to identify this as the primary FortiGate in the HA cluster.

Go to System > HA and set the Mode to Active-Passive. Set the Device priority to a higher value than the default (in the example, 250) to make sure this FortiGate will always be the primary FortiGate. Also, set a Group name and Password.

Make sure that two Heartbeat interfaces (in the example, port3 and port4) are selected and the Heartbeat Interface Priority for each is set to 50.

Since the backup FortiGate is not available, when you save the HA configuration, the primary FortiGate will form a cluster of one FortiGate but will keep operating normally.

If there are other FortiOS HA clusters on your network, you may need to change the cluster group ID using this CLI command:

config system ha
    set group-id 25
end

3. Connecting the backup FortiGate

Connect the backup FortiGate to the primary FortiGate and the network, as shown in the network diagram at the top of the recipe. Making these network connections will disrupt traffic so you should do this when the network is not processing much traffic.

If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.

Switches must be used between the cluster and the Internet, and between the cluster and the internal networks, as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections, as long as you configure the switch to separate traffic from the different networks.

4. Configuring the backup FortiGate for HA

Connect to the backup FortiGate GUI and go to System > Settings and change the Host name to identify this as the backup FortiGate.

Go to System > HA and duplicate the HA configuration of the primary FortiGate (except for the Device priority): set Mode to Active-Passive, and set the Device Priority to a lower value than the default to make sure this FortiGate will always be the backup FortiGate. Also, set the same Group name and Password as the primary FortiGate.

Make sure that the same two Heartbeat interfaces (port3 and port4) are selected and the Heartbeat Interface Priority for each is set to 50.

If you changed the cluster group ID of the primary FortiGate, change the cluster group ID for the backup FortiGate to match, using this CLI command:

config system ha
    set group-id 25
end

When you save the HA configuration of the backup FortiGate, if the heartbeat interfaces are connected, the FortiGates will find each other and form an HA cluster. Network traffic may be disrupted for a few seconds while the cluster is negotiating.

5. Viewing the status of the HA cluster

Connect to the GUI of the primary FortiGate. The HA Status widget shows the cluster mode (Mode) and group name (Group). It also shows the host name of the primary FortiGate (Master), which you can hover over to verify that the cluster is synchronized and operating normally. You can click on the widget to change the HA configuration or view a list of recently recorded cluster events, such as members joining or leaving the cluster.

 
Click on the HA Status widget and select Configure settings in System > HA (or go to System > HA) to view the cluster status.
If the cluster is part of a Security Fabric, the FortiView Physical and Logical Topology views show information about the cluster status.

6. Results

Traffic is now passing through the primary FortiGate. However, if the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate will process traffic.

A failover also causes the primary and backup FortiGate to reverse roles, even when both FortiGates are available again.

To test HA failover, from a PC on the internal network, ping an IP address on the Internet (in the example, 8.8.8.8). After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results, until traffic fails over to the backup FortiGate, allowing the ping traffic to continue.  

7. (Optional) Upgrading the firmware for the HA cluster

Upgrading the firmware on the primary FortiGate automatically upgrades the firmware on the backup FortiGate. Both FortiGates are updated with minimal traffic disruption.

Always review the Release Notes and Supported Upgrade Paths before installing new firmware.

Click the System Information widget and select Update firmware in System > Firmware. Back up the configuration and update the firmware from FortiGuard or by uploading a firmware image file. The firmware installs onto both the primary and backup FortiGates.
After the upgrade is complete, verify that the System Information widget shows the new firmware version.

For further reading, check out FGCP configuration examples and troubleshooting in the FortiOS 5.6 Handbook.

Notes:
  • If you have not already installed a FortiGate, see Installing a FortiGate in NAT/Route mode.
  • You cannot use a switch port as an HA heartbeat interface. If necessary, convert the switch port to individual interfaces (see Choosing your FortiGate’s switch mode).
  • If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license resets the configuration to factory defaults, so any steps performed before applying the license must be repeated.
  • If these steps don’t start HA mode, make sure that none of the FortiGate’s interfaces use DHCP or PPPoE addressing.
  • This example uses two FortiGate-600Ds and the default heartbeat interfaces (port3 and port4). You can use any interfaces as HA heartbeat interfaces; a best practice is to use interfaces that do not process traffic, but this is not a requirement. If you are setting up HA between two FortiGates in a VM environment (for example, VMware or Hyper-V), you need to enable promiscuous mode and allow MAC address changes for heartbeat communication to work. Because the HA heartbeat interfaces must be on the same broadcast domain, HA between remote data centers (called distributed clustering) requires a layer 2 extension between the data centers, using technology such as MPLS or VXLAN.
  • If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.
  • For information about accessing firmware images, see Verifying and updating the FortiGate unit’s firmware.


FortiGate SDN Connector for Nuage VSP

  1. Installing the SDN Connector
  2. Initializing the SDN Connector
  3. Configuring the SDN Connector
  4. Logging into RabbitMQ
  5. Connecting the FortiGate to the SDN Connector
  6. Configuring the firewall address and address group

The SDN Connector serves as a gateway bridging SDN controllers and FortiGates. It registers itself with the SDN controller(s) that are part of Nuage VSP, polls the objects of interest, and translates them into address objects. The translated address objects and their associated endpoints are then pushed to the FortiGate.

If you plan to instantiate a large number of VMs in your SDN Connector environment, ensure you size the host VM or server appropriately. The following recommendations represent the minimum sizing numbers:

  • Memory: 4 GB
  • CPU: 2 vCPU
  • Disk: 20-50 GB
  • vNICs: 1

Setting up the SDN Connector with FortiGate configuration consists of the following steps:

1. Installing the SDN Connector

Download and install vSphere Client, then download sdn-connector.ovf. In vSphere Client, navigate to File > Deploy OVF Template.

In the Deploy OVF Template dialog, enter the SDN Connector image file path in the Deploy from a file or URL field. Click Next.

The dialog displays the SDN Connector version, download size, and size on disk. Click Next.

Enter the VM name, select the location, then click Next.

Choose the destination storage for the VM files, then click Next.

The dialog displays the datastore name and amount of available space. Select Thin Provision, then click Next.

Networks used in this OVF template should map to networks in your inventory. Choose the destination network for network mapping, then click Next.

The dialog displays all previously configured options. To edit an option, click Back. If ready to deploy, click Finish.

2. Initializing the SDN Connector

Once the OVF template is deployed, turn on the VM and navigate to the Console tab. Once the SDN Connector boots up, the system displays the following GUI dialog for configuration. Press Enter to proceed to the Network Interface Configuration wizard.

The Network Interface Configuration wizard provides DHCP and static IP configuration options.

When the VM receives the IP address from the DHCP server, the system shows this success dialog. The dialog shows the SDN Connector IP address and gateway information.

When the VM is configured with a static IP address, the system shows this success dialog.

To change the network configuration, click OK and return to the wizard to restart the setup flow.

Using a web browser, navigate to https://<SDN connector IP address>.

Log into the system with the default username and password, which are blank and fortinet123, respectively. When you first log in, the GUI prompts you to change the password.

Click Configuration, then enter the SDN controller IP address, username, and password, then click OK.

Click Running Status to verify the status. Green signal icons indicate that the connection between the SDN controller and the SDN Connector has been established.

3. Configuring the SDN Connector

The SDN Connector GUI has several web controls. It is a single-page web application.

To restart the service, click Restart Service. The system displays a dialog asking you to restart the connector service.

To change the password, click Change Password.

To change the configuration, click Configuration. You can enter and update the SDN Controller login information and the SDN Connector login information. In the SDN Controller Type dropdown list, select nuage and enter the Nuage credentials. The user certificate and key must be provided.

The SDN Connector username and password are the credentials used in the FortiGate SDN Connector configuration. They are different from the SDN Connector GUI login credentials. The default username and password are admin and fortinet123, respectively.

Running Status indicates the SDN Connector status. Red icons mean that the connection is not established.

Cache Content displays the cache downloaded from the SDN Controller.

To download system logs, click Download Log.

To log out, navigate to the SDN Connector homepage, then click Logout on the banner. The system logs the user out.

To upgrade the service, navigate to the SDN Connector homepage, then click UpgradeService on the banner. A dialog shows the upgrade progress. Once the upgrade is finished, the dialog prompts “Upgraded Successfully! Going to refresh in 10s” and the GUI refreshes automatically.

4. Logging into RabbitMQ

After successful configuration, the SDN Connector service is started. You can log in to check the connection status. The default username and password are admin and fortinet123, respectively.

5. Connecting the FortiGate to the SDN Connector

The following are sample CLI commands to establish a connection between the FortiGate and the SDN Connector. The username and password are the SDN Connector username and password, which can be modified on the SDN Connector GUI. The default values are admin and fortinet123, respectively.

config system sdn-connector
    edit "nuage1"
        set status enable
        set type nuage
        set server-ip 10.160.38.141
        set server-port 5671
        set username "admin"
        set password fortinet123
    next
    edit "nuage2"
        set status enable
        set type nuage
        set server-ip 10.160.13.117
        set server-port 5671
        set username "admin"
        set password fortinet123
    next
end

The two entries in the above example provide redundancy. Only the first available connector is used, in the configured order.

Another way is to access the FortiOS GUI, navigate to System > SDN Connectors, and click Create New. Here you can configure the SDN Connectors into FortiOS.

To debug the SDN Connector on the FortiGate side, use diagnose test application sdncd.

FG100D3G14800142 (global) # diagnose  test  application  sdncd
1, Show sdn connector status
2, Show sdn channels
3, Show dynamic objects table
4, Flush all dynamic addresses
5, Purge all unused dynamic addresses

6. Configuring the firewall address and address group

The following shows sample CLI commands to create a dynamic address object.

config firewall address
    edit "test-tag"
        set type dynamic
        set sdn nuage
        set tenant "TENANT-NAME"
        set epg-name "EPG-NAME"
        set sdn-tag "TAG-NAME"
    next
end
config firewall addrgrp
    edit "test-group"
        set member "test-tag" "Adobe Login"
    next
end

Like a regular firewall address, you can edit the dynamic address on the GUI. Navigate to Policy & Objects > Addresses and create a dynamic address.

To inspect the resolved dynamic addresses on the FortiGate side, use diagnose firewall dynamic address, which prints a summary of all dynamic addresses in the VDOM. diagnose firewall dynamic list prints the individual addresses contained in each dynamic address object.

FG100D3G14800142 (root) # diagnose firewall dynamic address
Summary of SDN dynamic addresses:
aci.t2.App_6.*(total-addr: 1000): ID(61) REF(2)
nuage.NuageCluster.Trusted.*(total-addr: 2): ID(129) REF(1)
nuage.NuageCluster.*.*(total-addr: 5): ID(192) REF(1)
Total dynamic list entries: 3. Total dynamic addresses: 1007

The following describes how firewall address mapping works:

  • Dynamic group tag: The tenant administrator or system administrator tags the objects, either with an orchestration script or manually, in the tag, description, or alias field, depending on the SDN Connector.
  • Back end process: After system boot-up, the dynamic group daemon connects to the SDN Connector using the sdn-connector global system setting. It iterates over all dynamic addresses (such as dynamic-aci, dynamic-nsx, and dynamic-aws) and sends a request to the SDN Connector for all endpoints or endpoint groups matching each SDN filter.
    Based on the received data, it uses the filter to find the matching EPGs, uses their endpoints as members, and updates the IP addresses in the kernel.
    When a dynamic address is created in the CMDB, the daemon receives the CMDB event and sends all filters to the SDN Connector. The SDN Connector retrieves the endpoints or EPGs matching the filters and sends them to the FortiGate, which updates the kernel.

FortiGate SDN Connector for Cisco ACI

  1. Installing the SDN Connector
  2. Initializing the SDN Connector
  3. Configuring the SDN Connector
  4. Logging into RabbitMQ
  5. Connecting the FortiGate to the SDN Connector
  6. Configuring the firewall address and address group

The SDN Connector serves as a gateway bridging SDN controllers and FortiGates. It registers itself with the APIC in the Cisco ACI fabric, polls the objects of interest, and translates them into address objects. The translated address objects and their associated endpoints are then pushed to the FortiGate.

FortiGates register to ACI objects through the SDN Connector. The SDN Connector monitors the objects and updates FortiGate dynamic objects.

If you plan to instantiate a large number of VMs in your SDN Connector environment, ensure you size the host VM or server appropriately. The following recommendations represent the minimum sizing numbers:

  • Memory: 4 GB
  • CPU: 2 vCPU
  • Disk: 20-50 GB
  • vNICs: 1

Setting up the SDN Connector with FortiGate configuration consists of the following steps:

1. Installing the SDN Connector

Download and install vSphere Client, then download sdn-connector.ovf. In vSphere Client, navigate to File > Deploy OVF Template.

In the Deploy OVF Template dialog, enter the SDN Connector image file path in the Deploy from a file or URL field. Click Next.

The dialog displays the SDN Connector version, download size, and size on disk. Click Next.

Enter the VM name, select the location, then click Next.

Choose the destination storage for the VM files, then click Next.

The dialog displays the datastore name and amount of available space. Select Thin Provision, then click Next.

Networks used in this OVF template should map to networks in your inventory. Choose the destination network for network mapping, then click Next.

The dialog displays all previously configured options. To edit an option, click Back. If ready to deploy, click Finish.

2. Initializing the SDN Connector

Once the OVF template is deployed, turn on the VM and navigate to the Console tab. Once the SDN Connector boots up, the system displays the following GUI dialog for configuration. Press Enter to proceed to the Network Interface Configuration wizard.

The Network Interface Configuration wizard provides DHCP and static IP configuration options.

When the VM receives the IP address from the DHCP server, the system shows this success dialog. The dialog shows the SDN Connector IP address and gateway information.

When the VM is configured with a static IP address, the system shows this success dialog.

To change the network configuration, click OK and return to the wizard to restart the setup flow.

Using a web browser, navigate to https://<SDN connector IP address>.

Log into the system with the default username and password, which are blank and fortinet123, respectively. When you first log in, the GUI prompts you to change the password.

Click Configuration, then enter the SDN controller IP address, username, and password, then click OK. The SDN controller username and password are the Cisco ACI username and password; you can obtain them from the ACI administrator.

Click Running Status to verify the status. Green signal icons indicate that the connection between the SDN controller and the SDN Connector has been established.

3. Configuring the SDN Connector

The SDN Connector GUI has several web controls. It is a single-page web application.

To restart the service, click Restart Service. The system displays a dialog asking you to restart the connector service.

To change the password, click Change Password.

To change the configuration, click Configuration. You can enter and update the SDN Controller login information and the SDN Connector login information. The SDN controller username and password are the Cisco ACI username and password; you can obtain them from the ACI administrator. The SDN Connector username and password are the credentials used in the FortiGate SDN Connector configuration. They are different from the SDN Connector GUI login credentials. The default username and password are admin and fortinet123, respectively.

Running Status indicates the SDN Connector status. Red icons mean that the connection is not established.

Cache Content displays the cache downloaded from the SDN Controller.

To download system logs, click Download Log.

To log out, navigate to the SDN Connector homepage, then click Logout on the banner. The system logs the user out.

To upgrade the service, navigate to the SDN Connector homepage, then click UpgradeService on the banner. A dialog shows the upgrade progress. Once the upgrade is finished, the dialog prompts “Upgraded Successfully! Going to refresh in 10s” and the GUI refreshes automatically.

4. Logging into RabbitMQ

After successful configuration, the SDN Connector service is started. You can log in to check the connection status. The default username and password are admin and fortinet123, respectively.

5. Connecting the FortiGate to the SDN Connector

The following are sample CLI commands to establish a connection between the FortiGate and the SDN Connector. The username and password are the SDN Connector username and password, which can be modified on the SDN Connector GUI. The default values are admin and fortinet123, respectively.

config system sdn-connector
    edit "aci1"
        set status enable
        set type aci
        set server-ip 10.160.38.141
        set server-port 5671
        set username "admin"
        set password fortinet123
    next
    edit "aci2"
        set status enable
        set type aci
        set server-ip 10.160.13.117
        set server-port 5671
        set username "admin"
        set password fortinet123
    next
end

The two entries in the above example provide redundancy. Only the first available connector is used, in the configured order.

Another way is to access the FortiOS GUI, navigate to System > SDN Connectors, and click Create New. Here you can configure the SDN Connectors into FortiOS.

To debug the SDN Connector on the FortiGate side, use diagnose test application sdncd.

FG100D3G14800142 (global) # diagnose  test  application  sdncd
1, Show sdn connector status
2, Show sdn channels
3, Show dynamic objects table
4, Flush all dynamic addresses
5, Purge all unused dynamic addresses

6. Configuring the firewall address and address group

The following shows sample CLI commands to create a dynamic address object.

config firewall address
    edit "test-tag"
        set type dynamic
        set sdn aci
        set tenant "TENANT-NAME"
        set epg-name "EPG-NAME"
        set sdn-tag "TAG-NAME"
    next
end
config firewall addrgrp
    edit "test-group"
        set member "test-tag" "Adobe Login"
    next
end

Like a regular firewall address, you can edit the dynamic address on the GUI. Navigate to Policy & Objects > Addresses and create a dynamic address.

To inspect the resolved dynamic addresses on the FortiGate side, use diagnose firewall dynamic address, which prints a summary of all dynamic addresses in the VDOM. diagnose firewall dynamic list prints the individual addresses contained in each dynamic address object.

FG100D3G14800142 (root) # diagnose firewall dynamic address
Summary of SDN dynamic addresses:
aci.t2.App_6.*(total-addr: 1000): ID(61) REF(2)
nuage.NuageCluster.Trusted.*(total-addr: 2): ID(129) REF(1)
nuage.NuageCluster.*.*(total-addr: 5): ID(192) REF(1)
Total dynamic list entries: 3. Total dynamic addresses: 1007

The following describes how firewall address mapping works:

  • Dynamic group tag: The tenant administrator or system administrator tags the objects, either with an orchestration script or manually, in the tag, description, or alias field, depending on the SDN Connector.
  • Back end process: After system boot-up, the dynamic group daemon connects to the SDN Connector using the sdn-connector global system setting. It iterates over all dynamic addresses (such as dynamic-aci, dynamic-nsx, and dynamic-aws) and sends a request to the SDN Connector for all endpoints or endpoint groups matching each SDN filter.
    Based on the received data, it uses the filter to find the matching EPGs, uses their endpoints as members, and updates the IP addresses in the kernel.
    When a dynamic address is created in the CMDB, the daemon receives the CMDB event and sends all filters to the SDN Connector. The SDN Connector retrieves the endpoints or EPGs matching the filters and sends them to the FortiGate, which updates the kernel.

FortiGate SDN Connector for AWS

  1. Configuring AWS SDN Connector in FortiOS
    1a. Configuring AWS SDN Connector using the GUI
    1b. Checking the configuration using the CLI
  2. Creating an Address
    2a. Creating an Address using the GUI
    2b. Creating an Address using the CLI
    2c. [Connectivity test] Add an EC2 to test automatic population
  3. Creating a firewall policy

This recipe describes how to configure FortiGate SDN Connector for use with Amazon Web Services (AWS).

1. Configuring AWS SDN Connector in FortiOS

This feature is supported in FortiOS 5.6.3.

1a. Configuring AWS SDN Connector using the GUI

Navigate to System > SDN Connectors. Note that you can create only one SDN Connector per connector type; for example, you can create one entry for AWS.

In the Type dropdown list, select Amazon Web Services (AWS).

In the AWS access key ID field, enter the key created in the AWS management portal.

In the AWS secret access key field, enter the secret access key accompanying the above access key.

In the AWS region name field, enter the region name. In the example, us-west-2 denotes Oregon, rather than entering Oregon. Refer to http://docs.aws.amazon.com/general/latest/gr/rande.html for the desired region name.

In the AWS VPC ID field, enter the VPC ID within the specified region you desire to cover with the SDN Connector.

In the Update Interval field, enter the desired number of seconds. You can enter any value between 1 and 3600 seconds. The default value is 60 seconds.

Toggle the Status on or off. The example shows the SDN Connector is currently toggled on.

Click OK.

1b. Checking the configuration using the CLI

To check the configuration, right-click the entry and select Edit in CLI.

2. Creating an Address

You can create an Address using the GUI or CLI. Either way, the process consists of the following steps:

1. Creating an “Address”, which is used as an address group or a single address for the source or destination of firewall policies. The Address contains the IP addresses of AWS instances.
2. When changes occur on the instances, the SDN Connector populates and updates the changes automatically based on the specified filtering condition so administrators do not need to reconfigure the Address’s content manually.
3. Appropriate firewall policies using the Address are applied to the instances that are members of it.

2a. Creating an Address using the GUI

In FortiOS, navigate to Policy & Objects > Addresses. Click Create New, then select Address.

Enter the Address name. In the Type dropdown list, select Dynamic SDN address.

In the SDN dropdown list, select Amazon Web Services (AWS). Enter the filter. The SDN Connector then automatically populates and updates only those instances in the specified VPC that match this filtering condition. The following keys can be used:


1. instanceId (e.g. instanceId=i-12345678)
2. instanceType (e.g. instanceType=t2.micro)
3. imageId (e.g. imageId=ami-123456)
4. keyName (e.g. keyName=aws-key-name)
5. architecture (e.g. architecture=x86)
6. subnetId (e.g. subnetId=sub-123456)
7. placement.availabilityzone (e.g. placement.availabilityzone=us-east-1a)
8. placement.groupname (e.g. placement.groupname=group-name)
9. placement.tenancy (e.g. placement.tenancy=tenancy-name)
10. privateDnsName (e.g. privateDnsName=ip-172-31-10-211.us-west-2.compute.internal)
11. publicDnsName (e.g. publicDnsName=ec2-54-202-168-254.us-west-2.compute.amazonaws.com)
12. tag.Name: the AWS instance tag called “Name” (e.g. tag.Name=Value; a maximum of 8 tags is supported)

For example, to automatically populate instances that belong to a certain subnet within the VPC, you can create a filtering condition using key 6 above, subnetId. First, check the subnet ID in the AWS management portal.

Enter subnetId=subnet-fb2506a0 in the Filter field.

In the Interface dropdown list, select the interface this Address is associated with, where relevant.

The filtering condition can combine multiple entries with AND (“&”) or OR (“|”). When both AND and OR are used, AND is interpreted before OR. For example, you can enter subnetId=subnet-fb2506a0 & tag.Name=abc123; in this case, only the IP addresses of instances that match both the subnet ID and the tag “Name” are included. Note that wildcards are not allowed in values.

Click OK. Once saved, the Address is listed under Policy & Objects > Addresses.

Proceed to creating a firewall policy.

2b. Creating an Address using the CLI

Create an Address to use to configure a firewall policy. Open the CLI with administrator credentials. Right-click the Address and select Edit in CLI.

Configure the Address as a dynamic SDN address: enter set type dynamic, then set sdn aws, then end. After entering config firewall address, edit aws-test, and show, the CLI output resembles the following. A uuid is assigned automatically to every firewall address and policy, so it can be ignored unless you want to change it.

Configure the filtering rule. The SDN Connector then automatically populates and updates only those instances in the specified VPC that match this filtering condition. The following keys can be used:


1. instanceId (e.g. instanceId=i-12345678)
2. instanceType (e.g. instanceType=t2.micro)
3. imageId (e.g. imageId=ami-123456)
4. keyName (e.g. keyName=aws-key-name)
5. architecture (e.g. architecture=x86)
6. subnetId (e.g. subnetId=sub-123456)
7. placement.availabilityzone (e.g. placement.availabilityzone=us-east-1a)
8. placement.groupname (e.g. placement.groupname=group-name)
9. placement.tenancy (e.g. placement.tenancy=tenancy-name)
10. privateDnsName (e.g. privateDnsName=ip-172-31-10-211.us-west-2.compute.internal)
11. publicDnsName (e.g. publicDnsName=ec2-54-202-168-254.us-west-2.compute.amazonaws.com)
12. tag.Name: the AWS instance tag called “Name” (e.g. tag.Name=Value; a maximum of 8 tags is supported)

For example, to automatically populate the instances that belong to a certain subnet within the VPC, you can create a filtering condition using key 6, subnetId, from the list above. First, check the subnet ID in the AWS management portal.

Enter set filter "subnetId=subnet-fb2506a0". In this example, the subnet is 10.0.2.0/24. At this point, show shows the following:

Note that three instances with IP addresses 10.0.2.111, 10.0.2.112, and 10.0.2.114 have just been populated. They are updated automatically once you set the filtering condition above and the update interval specified in the GUI has elapsed. Since these three instances were already up and running in the specified VPC, the SDN Connector found them through the API calls FortiGate made to AWS.

2c. [Connectivity test] Add an EC2 to test automatic population

Assume you want to boot up another instance with IP address 10.0.2.113, which is currently stopped. In the AWS management portal, start the instance.

Verify the instance is running.

At this point, running show again shows SDN Connector has automatically populated and added the 10.0.2.113 instance.

Therefore, administrators do not need to add this instance to the Address manually. When a firewall policy is applied to this Address, 10.0.2.113 is automatically covered. The filtering condition can be set using multiple entries with AND (“&”) or OR (“|”). When both AND and OR are used, AND is interpreted before OR. Check the syntax by entering set filter ?.

For example, you can enter subnetId=subnet-fb2506a0 & tag.Name=abc123. In this case, only the IP addresses of instances that match both the subnet ID and the tag “Name” show up. Note that wildcards are not allowed in values.
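The filter semantics described above (key=value atoms, & for AND, | for OR, AND evaluated before OR, no wildcards in values, at most 8 tag keys) can be previewed offline before you commit a set filter line. The following Python script is an added example, not FortiOS code and not part of this recipe: it re-implements those documented rules over a constructed instance inventory that mirrors the example (10.0.2.111, .112 and .114 running, 10.0.2.113 stopped). The instance IDs, the tag values, the second subnet and the assumption that only running instances are populated are mine, not the recipe's.

```python
"""Preview which EC2 instances a FortiGate AWS SDN Connector filter would populate.

Added example: re-implements the filter rules the recipe documents (key=value
atoms, '&' = AND, '|' = OR, AND before OR, no wildcards, max 8 tag keys).
The instance records are constructed; IDs and tags are placeholders.
"""
import re

# Filter keys the recipe lists; any key of the form tag.<Name> is also accepted.
ALLOWED_KEYS = {
    "instanceId", "instanceType", "imageId", "keyName", "architecture", "subnetId",
    "placement.availabilityzone", "placement.groupname", "placement.tenancy",
    "privateDnsName", "publicDnsName",
}
MAX_TAG_KEYS = 8

# Constructed inventory. 10.0.2.113 is stopped, as in the recipe, so it must not be
# populated until it is started (assumption: only running instances are populated).
SAMPLE_INSTANCES = [
    {"instanceId": "i-0a000111", "state": "running", "subnetId": "subnet-fb2506a0",
     "instanceType": "t2.micro", "privateIp": "10.0.2.111", "tags": {"Name": "abc123"}},
    {"instanceId": "i-0a000112", "state": "running", "subnetId": "subnet-fb2506a0",
     "instanceType": "t2.micro", "privateIp": "10.0.2.112", "tags": {"Name": "web-2"}},
    {"instanceId": "i-0a000113", "state": "stopped", "subnetId": "subnet-fb2506a0",
     "instanceType": "t2.micro", "privateIp": "10.0.2.113", "tags": {"Name": "abc123"}},
    {"instanceId": "i-0a000114", "state": "running", "subnetId": "subnet-fb2506a0",
     "instanceType": "t2.micro", "privateIp": "10.0.2.114", "tags": {"Name": "abc123"}},
    {"instanceId": "i-0b000050", "state": "running", "subnetId": "subnet-0aaa1111",
     "instanceType": "t2.large", "privateIp": "10.0.1.50", "tags": {"Name": "abc123"}},
]


def parse_filter(expr):
    """Parse 'k=v & k=v | k=v' into a list of AND-groups joined by OR.

    Splitting on '|' first and on '&' inside each part is what makes AND bind
    tighter than OR. Raises ValueError on unknown keys or wildcard characters.
    """
    groups = []
    for disjunct in expr.split("|"):
        conjunction = []
        for atom in disjunct.split("&"):
            if "=" not in atom:
                raise ValueError(f"expected key=value, got {atom.strip()!r}")
            key, value = (part.strip() for part in atom.split("=", 1))
            if key.startswith("tag."):
                if len(key) == len("tag."):
                    raise ValueError("tag key needs a tag name, e.g. tag.Name")
            elif key not in ALLOWED_KEYS:
                raise ValueError(f"unsupported filter key {key!r}")
            if not value or re.search(r"[*?]", value):
                raise ValueError(f"wildcards are not allowed in values: {value!r}")
            conjunction.append((key, value))
        groups.append(conjunction)
    tag_keys = {k for g in groups for k, _ in g if k.startswith("tag.")}
    if len(tag_keys) > MAX_TAG_KEYS:
        raise ValueError(f"at most {MAX_TAG_KEYS} tag keys are supported")
    return groups


def is_valid_filter(expr):
    """True if the filter parses under the documented rules."""
    try:
        parse_filter(expr)
        return True
    except ValueError:
        return False


def _attribute(instance, key):
    if key.startswith("tag."):
        return instance.get("tags", {}).get(key[len("tag."):])
    return instance.get(key)


def matches(instance, groups):
    """OR over groups, AND within a group: AND is evaluated before OR."""
    return any(all(_attribute(instance, k) == v for k, v in group) for group in groups)


def populate_addresses(expr, instances=SAMPLE_INSTANCES):
    """Private IPs the dynamic address would contain for this filter."""
    groups = parse_filter(expr)
    return sorted(i["privateIp"] for i in instances
                  if i["state"] == "running" and matches(i, groups))


def with_instance_started(instances, instance_id):
    """Copy of the inventory with one instance marked running (the step 2c test)."""
    return [dict(i, state="running") if i["instanceId"] == instance_id else i
            for i in instances]


if __name__ == "__main__":
    print(populate_addresses("subnetId=subnet-fb2506a0"))
    print(populate_addresses("subnetId=subnet-fb2506a0 & tag.Name=abc123"))
```

Run it and compare the two printed lists: the plain subnet filter yields the three running instances, and the AND filter drops 10.0.2.112 because its Name tag differs. To see why precedence matters, evaluate subnetId=subnet-fb2506a0 & tag.Name=abc123 | instanceType=t2.large: with AND before OR, the t2.large instance in the other subnet is included on its own; if OR were evaluated first it would only be matched inside the subnet.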

3. Creating a firewall policy

Finally, you can use this Address to configure a firewall policy as a source or destination. The following operation is not SDN Connector-specific, but shows a general method of creating a firewall policy. Navigate to Policy & Objects > IPv4 Policy and create a firewall rule.


The post FortiGate SDN Connector for AWS appeared first on Fortinet Cookbook.

Create a routing table and associate subnets


This recipe is part of the process of deploying FortiGate for AWS. See below for the rest of the recipes in this process:

  1. Determine your licensing model
  2. Register and download your licenses
  3. Create a VPC and subnets
  4. Attach the new VPC to the Internet gateway
  5. Subscribe to the FortiGate
  6. Create a routing table and associate subnets
  7. Connect to the FortiGate
  8. [Use case] Set up a Windows Server in the protected network
  9. [Connectivity test] Configure FortiGate firewall policies and virtual IPs

Configure the routing tables. Since the FortiGate has two interfaces, one for the public subnet and one for the private subnet, you must configure two routing tables.

  1. To configure the routing table for the public subnet, select VPC in the Networking & Content Delivery section of the AWS Management Console. In the VPC Dashboard, select Your VPCs, and select the VPC you created. In the Summary tab in the lower pane, select the route table ID located in the Route table field. To easily identify the route table, set a name for it in the Name field.

  2. In the Routes tab, select Edit, then select Add another route. In the Destination field, type 0.0.0.0/0. In the Target field, type ig and select the Internet Gateway from the auto-complete suggestions. Select Save. The default route on the public interface in this VPC is now the Internet Gateway.

  3. In the Subnet Associations tab, select Edit, and select the public subnet to associate it with this routing table. Select Save.

  4. To configure the routing table for the private subnet, select Create Route Table. To easily identify the route table, set a name for it in the Name field. Select the VPC you created. Select Yes, Create.

  5. In the Routes tab, select Edit, then select Add another route. In the Destination field, type 0.0.0.0/0. In the Target field, enter the interface ID of the private network interface. To find the interface ID, go to the EC2 Management Console, select Instances, and select the interface in the Network interfaces section in the lower pane of the page (Interface ID field). Select Save. The default route on the private subnet in this VPC is now the private network interface of the FortiGate.

  6. In the Subnet Associations tab, select Edit, then select the private subnet to associate it with this routing table. Select Save. Two routing tables, one for the public segment and one for the private segment, have now been created with default routes.

  7. In the EC2 Management Console, select Instances, and select the network interface that you created for the private subnet (in this example, eth1) in the Network interfaces section in the lower pane. Select the interface ID.

  8. Select the network interface, select the Actions drop-down menu, select Change Source/Dest. Check. Select Disabled. Select Save.
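The end state of steps 1 to 8 is easy to get subtly wrong: if the private subnet's default route points at the Internet Gateway instead of the FortiGate's private interface, traffic bypasses the firewall, and if source/dest check is left enabled on that interface, AWS drops the packets the FortiGate forwards on behalf of other hosts. The script below is an added example (not part of the recipe and not FortiGate code) that audits those three conditions. Its input dictionaries are constructed to mirror the JSON shape of aws ec2 describe-route-tables and describe-network-interfaces output; that shape, the fallback to the VPC's main route table for unassociated subnets, and every resource ID are assumptions of mine, with the IDs being placeholders.

```python
"""Audit the two route tables and the FortiGate private ENI from this recipe.

Added example: checks that the public subnet defaults to the Internet Gateway,
that the private subnet defaults to the FortiGate's private interface, and that
source/dest check is disabled on it. Input dicts are constructed to mirror the
shape of `aws ec2 describe-route-tables` / `describe-network-interfaces` output
(assumption); all IDs are placeholders.
"""
import json

PUBLIC_SUBNET = "subnet-0public00001"
PRIVATE_SUBNET = "subnet-0private0001"
IGW_ID = "igw-0example00001"
FGT_PRIVATE_ENI = "eni-0fgtprivate001"

ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0public0001", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID, "State": "active"}],
     "Associations": [{"SubnetId": PUBLIC_SUBNET, "Main": False}]},
    {"RouteTableId": "rtb-0private001", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": FGT_PRIVATE_ENI,
         "State": "active"}],
     "Associations": [{"SubnetId": PRIVATE_SUBNET, "Main": False}]},
    # The VPC's main table; a subnet with no explicit association falls back to it.
    {"RouteTableId": "rtb-0main0000001", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
     "Associations": [{"Main": True}]},
]}

NETWORK_INTERFACES = {"NetworkInterfaces": [
    {"NetworkInterfaceId": FGT_PRIVATE_ENI, "SubnetId": PRIVATE_SUBNET, "SourceDestCheck": False},
]}


def table_for_subnet(route_tables, subnet_id):
    """Explicitly associated table, else the main table, else None."""
    main = None
    for table in route_tables["RouteTables"]:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def default_route_target(table):
    """Target ID of the 0.0.0.0/0 route, or None if the table has no default route."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("GatewayId") or route.get("NetworkInterfaceId")
                    or route.get("InstanceId") or route.get("NatGatewayId"))
    return None


def audit(route_tables, interfaces, public_subnet=PUBLIC_SUBNET,
          private_subnet=PRIVATE_SUBNET, igw_id=IGW_ID, fgt_eni=FGT_PRIVATE_ENI):
    """Return a list of findings; an empty list means the recipe's end state is in place."""
    findings = []
    public = table_for_subnet(route_tables, public_subnet)
    if public is None or default_route_target(public) != igw_id:
        findings.append(f"public subnet {public_subnet}: default route must target {igw_id}")
    private = table_for_subnet(route_tables, private_subnet)
    target = None if private is None else default_route_target(private)
    if target == igw_id:
        findings.append(f"private subnet {private_subnet}: default route goes straight to "
                        f"the Internet Gateway, bypassing the FortiGate")
    elif target != fgt_eni:
        findings.append(f"private subnet {private_subnet}: default route must target {fgt_eni}")
    eni = next((n for n in interfaces["NetworkInterfaces"]
                if n["NetworkInterfaceId"] == fgt_eni), None)
    if eni is None:
        findings.append(f"{fgt_eni}: interface not found")
    elif eni.get("SourceDestCheck", True):
        findings.append(f"{fgt_eni}: source/dest check is still enabled, so AWS drops "
                        f"packets the FortiGate forwards for other hosts")
    return findings


def with_source_dest_check(interfaces, eni_id, enabled):
    """Deep copy of the interface listing with one interface's check flag changed."""
    copied = json.loads(json.dumps(interfaces))
    for n in copied["NetworkInterfaces"]:
        if n["NetworkInterfaceId"] == eni_id:
            n["SourceDestCheck"] = enabled
    return copied


def with_default_route(route_tables, subnet_id, target_field, target_id):
    """Deep copy where the subnet's table gets a new 0.0.0.0/0 target (e.g. GatewayId=IGW)."""
    copied = json.loads(json.dumps(route_tables))
    table = table_for_subnet(copied, subnet_id)
    table["Routes"] = [r for r in table["Routes"] if r.get("DestinationCidrBlock") != "0.0.0.0/0"]
    table["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0", target_field: target_id,
                            "State": "active"})
    return copied


if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, NETWORK_INTERFACES) or ["OK: routing matches the recipe"]:
        print(line)
```

To run it against a real account, replace the two constants with the parsed output of the corresponding describe calls and set the four IDs to your own; the audit function itself does not change. The main-table fallback matters because a subnet you forgot to associate in step 3 or 6 silently inherits the VPC's main route table rather than failing loudly.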


Connect to the FortiGate



To connect to the FortiGate-VM, you need your login credentials and its public DNS address.

The default username is admin and the default password is the instance ID.

  1. You can find the public DNS address in the EC2 Management Console. Select Instances and look at the Public DNS (IPv4) field in the lower pane. If you don’t see the DNS address, you may need to enable DNS host assignment on your VPC. In this case, go back to the VPC Management Console, select Your VPCs, and select your VPC. Select the Action dropdown menu, and select Edit DNS Hostnames. Select Yes. Select Save.

  2. Open an HTTPS session using the public DNS address of the FortiGate-VM in your browser (https://<public DNS>). You will see a certificate error message from your browser, which is normal because the default FortiGate certificate is self-signed and isn’t recognized by browsers. Proceed past this error. At a later time, you can upload a publicly-signed certificate to avoid this error. Log in to the FortiGate-VM with your username and password (the login credentials mentioned above).

  3. If you’re using a BYOL license, upload your license (.lic) file to activate the FortiGate-VM. The FortiGate-VM will automatically restart. After it restarts, log in again.
  4. You will now see the FortiGate-VM dashboard. Depending on your license type, the information in the license widget on the dashboard may vary.

  5. Select Network > Interfaces, and edit the interfaces, if required. If the IP address or subnet mask is missing for port 1 or port 2, configure these values.



[Use case] Set up a Windows Server in the protected network



  1. In the AWS Management Console, select EC2. Select Launch Instance, then select the Microsoft Windows Server 2012 R2 that applies to your environment. You will use this to test connectivity with Remote Desktop access.

  2. In the Configure Instance Details step, in the Network field, select the VPC of the FortiGate. In the Subnet field, select the private subnet.

  3. In the Configure Security Group step, configure a security group for the Windows server so that it allows Internet access. In this example, we use Remote Desktop TCP port 3389, and other ports are optional. Select Review and Launch.

  4. Select a key pair, select the acknowledgement check box, and select Launch Instances.


(Connectivity test) Configure FortiGate firewall policies and virtual IPs



This section consists of two connection tests:

  • Testing incoming access to the Windows server by configuring port forwarding with SNAT for remote desktop login
  • Testing outgoing access from the Windows server to a sample malware website

  1. In the FortiGate-VM console, select Policy & Objects > IPv4 Policy and create two new policies, as shown in this example. Create one policy for outgoing traffic from the private subnet, through the public subnet, to the Internet. Create another policy for incoming traffic from the Internet, through the public subnet, to the private subnet.

  2. Select Virtual IPs and create a new virtual IP, as shown in the example. This is a static NAT configuration.

  3. Edit the second policy. In the Destination field, select the virtual IP that you created.

  4. In the EC2 Management Console, add an inbound rule to allow RDP for the FortiGate security group (in this example, TCP port 3389). If you don’t do this, you won’t be able to connect to the Windows server through the FortiGate with RDP.

  5. In your Windows Remote Desktop client, specify the public DNS hostname of the FortiGate and log in. This logs you in to the Windows server through the FortiGate.

  6. Now outgoing access can be tested. In a web browser, navigate to https://metal.fortiguard.com/tests.
  7. Scroll down and select a test virus file listed as infected.
  8. The browser should display a blocked page alert because your Internet access is now protected by FortiGate.

Determine your licensing model



FortiGate-VM for AWS supports both on-demand (PAYG) and bring-your-own-license (BYOL) licensing models.

On-demand users don’t need to register from the FortiGate GUI console. If you’re using an on-demand licensing model, once you create the FortiGate-VM instance in AWS, contact Fortinet Customer Support (http://www.fortinet.com/support/contact_support.html) with the following information:

  • The serial number of your FortiGate-VM instance
  • The email ID of your Fortinet account. If you don’t have a Fortinet account, you can create one at https://support.fortinet.com/login/CreateAccount.aspx.

If you’re deploying a FortiGate-VM in the AWS Marketplace with BYOL, you must obtain a license to activate it.


Register and download your licenses



Licenses for the BYOL licensing model can be obtained through any Fortinet partner. If you don’t have a partner, contact aws@fortinet.com for assistance in purchasing a license.

After you purchase a license or obtain an evaluation license (60-day term), you will receive a PDF with an activation code.

  1. Go to https://support.fortinet.com/ and create a new account or log in with an existing account.
  2. Go to Asset > Register/Renew to start the registration process. In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product. Enter your details in the other fields.

  3. At the end of the registration process, download the license (.lic) file to your computer. You will upload this license later (in Connect to the FortiGate) to activate the FortiGate-VM.

    After registering a license, Fortinet servers may take up to 30 minutes to fully recognize the new license. When you upload the license (.lic) file to activate the FortiGate-VM, if you get an error that the license is invalid, wait 30 minutes and try again.


Create a VPC and subnets



This section shows you how to create an AWS VPC and create two subnets in it. For many of the steps, you will have a choice to make that can be specific to your own environment.

  1. Log into the AWS Management Console.
  2. In the Networking & Content Delivery section, select VPC.

  3. In the Virtual Private Cloud menu, select Your VPCs, then select Create VPC.

  4. In the Name tag field, set a name for your VPC.
  5. In the CIDR block field, specify an IPv4 address range for your VPC.
  6. In the Tenancy field, select Default.
  7. Select Yes, Create.
  8. In the Virtual Private Cloud menu, select Subnets, then select Create Subnet. Create a public subnet (in this example, Subnet1) and a private subnet (Subnet2), as shown in this example. Both subnets belong to the VPC that you created.

