Channel: Fortinet Cookbook

[Failover test] Shut down FortiGate A


This recipe is part of the process of deploying FortiGate HA for AWS. See below for the rest of the recipes in this process:

  1. Customize the CFT template
  2. Check the prerequisites
  3. Review the network failover diagram
  4. Invoke the CFT template
  5. Connect to the FortiGates
  6. [Connectivity test] Configure FortiGate firewall policy
  7. [Failover test] Shut down FortiGate A

  1. Let’s test the failover situation where FortiGate A fails to run. First, while both FortiGate instances are running, log into FortiGate A by connecting to the front-end public IP address, https://18.217.217.193, which is associated with the secondary IP address 192.168.1.13.
  2. Let’s see if FortiGate B promotes itself to the primary when FortiGate A fails to run. On the EC2 console, shut down FortiGate A.
  3. Connect to the same public front-end IP address, https://18.217.217.193, by refreshing the browser. You have now logged into FortiGate B, not FortiGate A, because the secondary IP address 192.168.1.13 has moved to FortiGate B’s public-facing port.
  4. Check FortiGate B’s secondary IP address in the EC2 console.
  5. Check the HA status while FortiGate A is down.
  6. Once FortiGate A comes back online, it runs as the secondary. It takes time for the HA to settle and for synchronization to function, as indicated by the green checkmarks.

The post [Failover test] Shut down FortiGate A appeared first on Fortinet Cookbook.


Invoke the CFT template


This recipe is part of the process of deploying FortiGate HA for AWS (see the list of recipes under [Failover test] Shut down FortiGate A above).

  1. Log into the AWS portal and select CloudFormation.
  2. Click Create new stack.
  3. Under Choose a template, select Upload a template to Amazon S3. Locate and upload the prepared template, then click Next. If there is a JSON syntax error, a message displays. If this happens, fix the issue before continuing.
  4. Based on the CFT template’s content, the following screen may appear. Ensure all fields, including the IP addresses and subnets, match the configuration files for FortiGate A and B mentioned in Customize the CFT template. You may also want to change the default values in the CFT template to ensure they show up here.
  5. Choose the desired AWS instance type.
  6. Select the key pair. Otherwise, the CFT deployment will fail.
  7. The bottom of the page refers to “Cluster” options. This is not related to AWS clustering technologies or services. This refers to the secondary IP addresses of port 1 and 2 of the FortiGates as they can be considered as clusters under HA. Click Next.
  8. Leave the Options page blank and click Next. Do not specify a Name key in the tags as it will duplicate the content in the CFT template. This will cause an error.
  9. Review the configuration. Select the acknowledgement checkbox. Click Create.

    The CFT template starts running and creates relevant resources.

    After a while, if no error occurs, all resources are successfully created.
  10. Navigate to the EC2 console and check that two FortiGate instances were created.
  11. Verify the VPC that was just created.
  12. Verify the four new subnets created in the 192.168.0.0/16 CIDR (or whatever range you specified).
  13. Verify the routing tables that were just created. You can use the Routes and Subnet Associations tabs for more detailed information.
  14. Verify the elastic IP addresses. You can see that the elastic IP addresses are associated with the following interfaces:
    • FortiGate A eth0 (not assigned to FortiGate A’s port): 192.168.1.111
    • FortiGate B eth0 (port 1): 192.168.1.12
    • FortiGate A eth0 secondary IP address (port 1): 192.168.1.13
    • FortiGate A eth3 (port 4): 192.168.4.11
    • FortiGate B eth3 (port 4): 192.168.4.12

  15. Verify the secondary IP addresses assigned to FortiGate A’s eth0 and eth1.
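Steps 14 and 15 here, and step 4 of the failover test, all come down to one check: which network interface currently carries the floating secondary IP address 192.168.1.13, and whether the front-end elastic IP 18.217.217.193 is still associated with it. The following Python is an added example, not part of the recipe or of Fortinet's CFT template. It works on the record structure that the EC2 DescribeNetworkInterfaces API returns, so the same function can be fed a live response (the fetch_live_interfaces helper uses boto3 when it is installed and credentials are present) or, as here, constructed before/after snapshots in which the ENI IDs, instance IDs and primary addresses are made up.

```python
"""Locate the floating (secondary) private IP of a FortiGate AWS HA pair.

Added example: works on the shape of EC2 DescribeNetworkInterfaces output.
ENI and instance IDs below are constructed; the floating IP and EIP follow
the recipe's example values.
"""
from __future__ import annotations

from typing import Any

FLOATING_IP = "192.168.1.13"       # secondary IP that moves between FortiGates on failover
FRONT_END_EIP = "18.217.217.193"   # elastic IP that must stay associated with FLOATING_IP


def locate_ip(interfaces: list[dict[str, Any]], private_ip: str) -> dict[str, Any] | None:
    """Return which ENI/instance carries private_ip and which EIP (if any) maps to it."""
    for eni in interfaces:
        for addr in eni.get("PrivateIpAddresses", []):
            if addr.get("PrivateIpAddress") != private_ip:
                continue
            return {
                "eni": eni["NetworkInterfaceId"],
                "instance": eni.get("Attachment", {}).get("InstanceId"),
                "primary": bool(addr.get("Primary", False)),
                "eip": addr.get("Association", {}).get("PublicIp"),
            }
    return None


def check_failover(before: list[dict[str, Any]], after: list[dict[str, Any]],
                   floating_ip: str = FLOATING_IP, eip: str = FRONT_END_EIP) -> dict[str, Any]:
    """Compare two snapshots and report whether the floating IP moved and stayed reachable."""
    old = locate_ip(before, floating_ip)
    new = locate_ip(after, floating_ip)
    problems: list[str] = []
    if old is None or new is None:
        problems.append("floating IP is not assigned to any ENI in one of the snapshots")
    else:
        if old["instance"] == new["instance"]:
            problems.append("floating IP did not move to the other instance")
        if new["primary"]:
            problems.append("floating IP became a primary address; it must stay a secondary")
        if new["eip"] != eip:
            problems.append(f"front-end EIP {eip} is no longer associated with {floating_ip}")
    return {"before": old, "after": new, "ok": not problems, "problems": problems}


def fetch_live_interfaces(private_ip: str = FLOATING_IP) -> list[dict[str, Any]]:
    """Pull the ENIs carrying private_ip from AWS (needs boto3 and credentials)."""
    import boto3  # imported here so the offline checks above do not require it
    ec2 = boto3.client("ec2")
    resp = ec2.describe_network_interfaces(
        Filters=[{"Name": "addresses.private-ip-address", "Values": [private_ip]}]
    )
    return resp["NetworkInterfaces"]


def _eni(eni_id: str, instance_id: str, primary_ip: str,
         secondary: str | None = None, secondary_eip: str | None = None) -> dict[str, Any]:
    """Build a constructed ENI record in DescribeNetworkInterfaces shape."""
    addrs: list[dict[str, Any]] = [{"PrivateIpAddress": primary_ip, "Primary": True}]
    if secondary:
        entry: dict[str, Any] = {"PrivateIpAddress": secondary, "Primary": False}
        if secondary_eip:
            entry["Association"] = {"PublicIp": secondary_eip}
        addrs.append(entry)
    return {"NetworkInterfaceId": eni_id, "Attachment": {"InstanceId": instance_id},
            "PrivateIpAddresses": addrs}


# Constructed snapshots: FortiGate A (eni-…a / i-…a) holds the floating IP before
# the failover and FortiGate B (eni-…b / i-…b) holds it afterwards.
BEFORE = [
    _eni("eni-0000000a", "i-0000000a", "192.168.1.11", FLOATING_IP, FRONT_END_EIP),
    _eni("eni-0000000b", "i-0000000b", "192.168.1.12"),
]
AFTER = [
    _eni("eni-0000000a", "i-0000000a", "192.168.1.11"),
    _eni("eni-0000000b", "i-0000000b", "192.168.1.12", FLOATING_IP, FRONT_END_EIP),
]

if __name__ == "__main__":
    report = check_failover(BEFORE, AFTER)
    print("failover OK" if report["ok"] else "problems: " + "; ".join(report["problems"]))
```

Against a live deployment, capture `fetch_live_interfaces()` once before shutting down FortiGate A and once after, and pass the two lists to `check_failover`; a report with `ok` false tells you which of the three expectations (the IP moved, it is still a secondary, the EIP still points at it) was violated.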


Review the network failover diagram


This recipe is part of the process of deploying FortiGate HA for AWS (see the list of recipes under [Failover test] Shut down FortiGate A above).

The following network diagram illustrates a failover event. Note that the IP addresses shown here are only examples. You can modify them according to your environment:

When FortiGate A fails, its eth0’s secondary IP address, 192.168.1.13, originally assigned to FortiGate A’s port 1, moves to FortiGate B’s port 1. At the same time, eth1’s secondary IP address, 192.168.2.13, on FortiGate A’s port 2, moves to FortiGate B’s port 2. These moves are represented as blue arrows in the diagram. The elastic IP address associated with 192.168.1.13 serves as the front-end main public IP address, and it remains reachable after the primary and secondary roles switch between the two FortiGates or when one FortiGate is shut down.



SSL VPN to IPsec VPN


In this recipe, you will configure a site-to-site IPsec VPN that allows access to the remote endpoint via SSL VPN. This involves a pre-existing user group, a tunnel-mode SSL VPN with split-tunneling, and a route-based IPsec VPN between two FortiGates.

In the example, all sessions need to start from the SSL VPN interface. If you want sessions to start from the FGT_2 subnet, you will need more policies. Furthermore, if the remote subnet is beyond FGT_2 (if you have to cross multiple hops), you will need to include the SSL VPN subnet in those routers as well.

PREP 20 mins      COOK 5 min      TOTAL 25 mins

1. Configuring the site-to-site IPsec VPN on FGT_1

Go to VPN > IPSec Wizard.

Name the VPN connection and select Site to Site.

Set IP Address to the Internet-facing interface.

Select Pre-shared Key for Authentication Method and enter the pre-shared key.

Set Local Interface to the internal interface and set Local Subnets to include the internal and SSL VPN subnets for FGT_1.

Set Remote Subnets to include the internal subnet for FGT_2.

A summary page shows the configuration created by the wizard, including firewall address groups (for both local subnets as well as the remote subnet), static routes, and security policies.

2. Configuring SSL VPN settings

Go to VPN > SSL-VPN Settings and set Listen on Interface(s) to wan1.

To avoid port conflicts, set Listen on Port to 10443.

Set Restrict Access to Allow access from any host.

Under Tunnel Mode Client Settings, enable Specify custom IP ranges and include the SSL VPN subnet range created by the IPsec VPN wizard.

Under Authentication/Portal Mapping, add the VPN user group to the tunnel-access portal. Set All Other Users/Groups to the web-access portal.

3. Configuring the SSL VPN portal

Go to VPN > SSL-VPN Portals and edit the tunnel-access portal.

Turn on Enable Split Tunneling so that only traffic intended for the local or remote networks will flow through FGT_1 and be subject to the corporate security profiles.

Next to Routing Address, add the local and remote IPsec VPN subnets created by the IPsec VPN wizard.

Next to Source IP Pools, add the SSL VPN subnet range created by the IPsec VPN wizard.

4. Adding policies on FGT_1

Go to Policy & Objects > IPv4 Policy and create a new policy that allows SSL VPN users access to the internal network.

Set Incoming Interface to ssl.root and set Outgoing Interface to internal.

Set Source to the SSL VPN subnet created by the IPsec VPN wizard and add the VPN user group.

Set Destination to the local IPsec VPN subnet (which represents the internal subnet).

Set the Schedule and set Service to all.

Enable NAT.

Create another policy that allows SSL VPN users access to the IPsec VPN tunnel.

Set Incoming Interface to ssl.root and set Outgoing Interface to the IPsec tunnel interface (in this case, Site1).

Set Source to the SSL VPN subnet created by the IPsec VPN wizard and add the VPN user group.

Set Destination to the remote IPsec VPN subnet.

Set the Schedule and set Service to all.

Do NOT enable NAT.

5. Configuring the site-to-site IPsec VPN on FGT_2

Go to VPN > IPSec Wizard.

Name the VPN connection and select Site to Site.

Set IP Address to the Internet-facing interface.

Select Pre-shared Key for Authentication Method and enter the pre-shared key that matches the FGT_1 configuration.

 

Set Local Interface to the internal interface and set Local Subnets to include the internal network subnet for FGT_2.

Set Remote Subnets to include the internal and SSL VPN subnets for FGT_1.

A summary page shows the configuration created by the wizard, including firewall address groups (for the local subnet as well as both remote subnets), static routes, and security policies.  
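The five steps above have to agree with each other in ways the wizards cannot enforce across two devices: the SSL VPN address range must sit inside FGT_1's local phase 2 selectors and FGT_2's remote selectors, the selectors must mirror each other, the split-tunnel routing address must cover both LANs, and the ssl.root-to-tunnel policy must not NAT (a translated source address would fall outside the selectors). The following Python is an added example, not from the recipe or from FortiOS; it models those settings as data and reports every mismatch. The subnets are assumptions for illustration (192.168.1.0/24 for FGT_1's LAN, 10.10.10.0/24 as the SSL VPN subnet with clients drawn from 10.10.10.1 to 10.10.10.50, Site1 as the tunnel name), with FGT_2's LAN taken from the 192.168.177.99 ping target used in the Debug section. The FortiOS default pool it warns about, 10.212.134.200 to 10.212.134.210, is the usual factory value; confirm it on your build.

```python
"""Consistency check for the SSL VPN -> IPsec VPN hand-off on two FortiGates.

Added example, not FortiOS code. Subnets and the pool range are assumed
values; FGT_2's LAN is inferred from the 192.168.177.99 ping target used in
the Debug section of the recipe.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


def nets(*cidrs: str) -> list[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


def pool_to_nets(first: str, last: str) -> list[Net]:
    """Express an SSL VPN IP range as the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


# Assumed FortiOS factory default for SSLVPN_TUNNEL_ADDR1; verify on your build.
FORTIOS_DEFAULT_POOL = pool_to_nets("10.212.134.200", "10.212.134.210")


@dataclass
class Phase2:
    local: list[Net]
    remote: list[Net]


@dataclass
class Policy:
    srcintf: str
    dstintf: str
    nat: bool


@dataclass
class FortiGate:
    name: str
    phase2: Phase2
    policies: list[Policy] = field(default_factory=list)


def covered(block: Net, selectors: list[Net]) -> bool:
    return any(block.subnet_of(sel) for sel in selectors)


def check_handoff(fgt1: FortiGate, fgt2: FortiGate, pool: list[Net],
                  routing_address: list[Net], lans: list[Net], tunnel_if: str) -> list[str]:
    """Return findings; an empty list means the hand-off is consistent."""
    findings: list[str] = []
    # 1. Every client address must be inside FGT_1's local and FGT_2's remote selectors.
    miss1 = [str(b) for b in pool if not covered(b, fgt1.phase2.local)]
    miss2 = [str(b) for b in pool if not covered(b, fgt2.phase2.remote)]
    if miss1:
        findings.append(f"{fgt1.name}: pool blocks {miss1} absent from local selectors")
    if miss2:
        findings.append(f"{fgt2.name}: pool blocks {miss2} absent from remote (quick mode) selectors")
    # 2. Phase 2 selectors must mirror each other or that pair never negotiates.
    if (set(fgt1.phase2.local) != set(fgt2.phase2.remote)
            or set(fgt1.phase2.remote) != set(fgt2.phase2.local)):
        findings.append("phase 2 selectors do not mirror between the peers")
    # 3. With split tunnelling, clients only receive routes for routing_address.
    for lan in lans:
        if not covered(lan, routing_address):
            findings.append(f"split-tunnel routing address does not cover {lan}")
    # 4. The ssl.root -> tunnel policy must exist and must not NAT.
    tunnel_pol = [p for p in fgt1.policies if p.srcintf == "ssl.root" and p.dstintf == tunnel_if]
    if not tunnel_pol:
        findings.append(f"{fgt1.name}: no policy from ssl.root to {tunnel_if}")
    elif any(p.nat for p in tunnel_pol):
        findings.append(f"{fgt1.name}: ssl.root -> {tunnel_if} policy has NAT enabled; "
                        "the translated source would fall outside the selectors")
    # 5. Do not use the default SSL VPN subnet, and never overlap a LAN.
    if any(a.overlaps(b) for a in pool for b in FORTIOS_DEFAULT_POOL):
        findings.append("SSL VPN pool overlaps the FortiOS default range; use a custom range")
    for b in pool:
        for lan in lans:
            if b.overlaps(lan):
                findings.append(f"pool block {b} overlaps LAN {lan}")
    return findings


# Assumed example topology.
LAN1 = nets("192.168.1.0/24")
LAN2 = nets("192.168.177.0/24")
SSLVPN_SUBNET = nets("10.10.10.0/24")             # address object used in the selectors
POOL = pool_to_nets("10.10.10.1", "10.10.10.50")  # custom range handed to clients

FGT1 = FortiGate("FGT_1", Phase2(local=LAN1 + SSLVPN_SUBNET, remote=LAN2),
                 policies=[Policy("ssl.root", "internal", nat=True),
                           Policy("ssl.root", "Site1", nat=False)])
FGT2 = FortiGate("FGT_2", Phase2(local=LAN2, remote=LAN1 + SSLVPN_SUBNET))
# FGT_2 built without the SSL VPN subnet in its remote selectors: the failure
# mode the Debug section tells you to look for on the remote side.
FGT2_BROKEN = FortiGate("FGT_2", Phase2(local=LAN2, remote=LAN1))


def good() -> list[str]:
    return check_handoff(FGT1, FGT2, POOL, LAN1 + LAN2, LAN1 + LAN2, "Site1")


def broken() -> list[str]:
    return check_handoff(FGT1, FGT2_BROKEN, POOL, LAN1 + LAN2, LAN1 + LAN2, "Site1")


if __name__ == "__main__":
    for label, result in (("good", good()), ("broken", broken())):
        print(label, "->", result or "consistent")
```

Running the module prints "consistent" for the matching pair and two findings for the variant in which FGT_2's remote selectors omit the SSL VPN subnet; the first finding is exactly the remote-side quick mode selector problem the Debug section describes.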

6. Results

Go to Monitor > IPsec Monitor, highlight the tunnel, and select Bring Up.
Verify that the tunnel Status changes to Up.
Configure the SSL VPN connection on the user’s FortiClient and connect to the tunnel.
Using Command Prompt/Terminal on the user’s computer, send a PING through the tunnel to the remote endpoint and confirm access.
Go to Monitor > Routing Monitor and verify the routes for the IPsec and SSL VPNs were added.
Go to Monitor > SSL-VPN Monitor and verify the user connectivity.
Go to Log & Report > VPN Events and view the IPsec and SSL tunnel statistics.
Go to FortiView > VPN and view VPN connection activity.
Right-click an entry and select Drill Down to Details for more information about a connection.

7. Debug

In order to diagnose potential issues, run the following debug commands on FGT_1 using the CLI Console:

diag debug reset
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow filter addr 192.168.177.99
diag debug flow filter proto 1
diag debug flow trace start 2
diag debug enable

Send a PING through the SSL VPN tunnel to 192.168.177.99 and analyze the output of the debug. Disable the debug output with the following command:

diag debug disable

If the traffic is entering the correct VPN tunnel on FGT_1, then run the same commands on FGT_2 to check whether the traffic is reaching the correct tunnel. If it is reaching the correct tunnel, confirm that the SSL VPN tunnel range is configured in the remote side quick mode selectors.

You can also run a sniffer command on FGT_1 as follows:

diag sniff packet any "host 192.168.177.99 and icmp" 4
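Reading the sniffer output by hand is fine for one ping, but the same check is easy to automate and then reuse on FGT_2. The following Python is an added example, not from the recipe or from FortiOS; it parses lines in the shape that the verbosity-4 sniffer prints (timestamp, interface, in/out, src -> dst, and the ICMP type) and decides how far the echo request got: into ssl.root, out of the tunnel interface, back in on the tunnel, and back out to the client. The sample traces are constructed to mimic that format with the recipe's 192.168.177.99 target; the client pool address 10.10.10.5 and the tunnel name Site1 are assumptions.

```python
"""Classify a FortiGate 'diagnose sniffer packet' (verbosity 4) ICMP trace.

Added example, not FortiOS code. Sample lines are constructed to mimic the
verbosity-4 format; 10.10.10.5 (SSL VPN client) and Site1 (tunnel) are assumed.
"""
from __future__ import annotations

import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)"
)


def parse(trace: str) -> list[dict[str, str]]:
    """Keep only the ICMP echo lines; headers such as 'interfaces=[any]' are skipped."""
    pkts = []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if m:
            pkts.append(m.groupdict())
    return pkts


def diagnose(trace: str, target: str, ssl_if: str = "ssl.root",
             tunnel_if: str = "Site1") -> dict[str, object]:
    """Decide how far an SSL VPN client's ping to `target` got on this FortiGate."""
    seen: dict[tuple[str, str, str], int] = defaultdict(int)  # (kind, intf, dir) -> count
    for p in parse(trace):
        if p["kind"] == "request" and p["dst"] == target:
            seen[("request", p["intf"], p["dir"])] += 1
        elif p["kind"] == "reply" and p["src"] == target:
            seen[("reply", p["intf"], p["dir"])] += 1

    req_in = seen[("request", ssl_if, "in")]
    req_out = seen[("request", tunnel_if, "out")]
    rep_in = seen[("reply", tunnel_if, "in")]
    rep_out = seen[("reply", ssl_if, "out")]

    if req_in == 0:
        verdict = (f"no echo request arrived on {ssl_if}: the client is not sending via the "
                   "SSL VPN (check the split-tunnel routing address)")
    elif req_out == 0:
        verdict = (f"request entered {ssl_if} but never left on {tunnel_if}: check the "
                   f"ssl.root -> {tunnel_if} policy and the route to {target}")
    elif rep_in == 0:
        verdict = (f"request left on {tunnel_if} but no reply came back: check FGT_2 "
                   "(its remote-side quick mode selectors must include the SSL VPN range)")
    elif rep_out == 0:
        verdict = (f"reply arrived on {tunnel_if} but was not forwarded to {ssl_if}: "
                   "check the return path on this FortiGate")
    else:
        verdict = "ping round-trip completed through the tunnel"
    return {"request_in": req_in, "request_out": req_out,
            "reply_in": rep_in, "reply_out": rep_out, "verdict": verdict}


# Constructed traces in the shape of verbosity-4 output.
GOOD_TRACE = """\
interfaces=[any]
filters=[host 192.168.177.99 and icmp]
2.631496 ssl.root in 10.10.10.5 -> 192.168.177.99: icmp: echo request
2.631540 Site1 out 10.10.10.5 -> 192.168.177.99: icmp: echo request
2.633010 Site1 in 192.168.177.99 -> 10.10.10.5: icmp: echo reply
2.633030 ssl.root out 192.168.177.99 -> 10.10.10.5: icmp: echo reply
"""

NO_REPLY_TRACE = """\
interfaces=[any]
filters=[host 192.168.177.99 and icmp]
3.101100 ssl.root in 10.10.10.5 -> 192.168.177.99: icmp: echo request
3.101150 Site1 out 10.10.10.5 -> 192.168.177.99: icmp: echo request
4.101100 ssl.root in 10.10.10.5 -> 192.168.177.99: icmp: echo request
4.101150 Site1 out 10.10.10.5 -> 192.168.177.99: icmp: echo request
"""

if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("no reply", NO_REPLY_TRACE)):
        print(name, "->", diagnose(trace, "192.168.177.99")["verdict"])
```

Paste the real sniffer output in place of the constructed traces; on FGT_2 call `diagnose` with the tunnel interface as `ssl_if` and the LAN interface as `tunnel_if` to check the second half of the path in the same way.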

If you suspect an IPsec VPN issue, run the following commands on either FortiGate:

diag debug reset
diag vpn ike gateway clear
diag debug application ike -1
diag debug enable

When you are satisfied with the debug output, disable the debug as follows:

diag debug disable

For more troubleshooting information for SSL VPN and IPsec VPN, refer to the following:

Notes

  • All times listed are approximations.
  • Do not use the default SSL VPN subnet.
  • In the example, the Fortinet_Factory certificate is used as the Server Certificate. It is, however, recommended that you purchase a certificate for your domain and upload it for use with an SSL VPN.
  • Although not normally needed, you can include the reverse policy (i.e., IPsec VPN to ssl.root on FGT_1).
  • Alternatively, you can double-click an entry to drill down to details.


Site-to-site IPsec VPN with two FortiGates


In this recipe, you create a route-based IPsec VPN tunnel to allow transparent communication between two networks that are located behind different FortiGates. The VPN will be created on both FortiGates using the VPN Wizard’s Site to Site – FortiGate template.

In this example, one FortiGate will be referred to as HQ and the other as Branch.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

1. Configuring the IPsec VPN on HQ

On HQ, go to VPN > IPsec Wizard and create a new tunnel.

In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate.

In the Authentication step, set IP Address to the public IP address of the Branch FortiGate (in the example, 172.25.177.46).

After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu.

Set a secure Pre-shared Key.

In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to Branch’s local subnet (in the example, 192.168.13.0/24).


 

A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies.

 

2. Configuring the IPsec VPN on Branch

On Branch, go to VPN > IPsec Wizard and create a new tunnel.

In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate.

In the Authentication step, set IP Address to the public IP address of the HQ FortiGate (in the example, 172.25.176.142).

After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu.

Set the Pre-shared Key to the same secure key that was used for the VPN on HQ.


 

In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to HQ’s local subnet (in the example, 192.168.37.0/24).

A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies.

 

3. Results

On either FortiGate, go to Monitor > IPsec Monitor to verify the status of the VPN tunnel. Right-click under Status and select Bring Up.

A user on either of the office networks should be able to connect to any address on the other office network transparently.

If you need to generate traffic to test the connection, ping Branch’s LAN interface from a device on HQ’s internal network.



FortiSandbox and AWS S3 Bucket Scanning


In this recipe, you will learn how to set up AWS Storage Gateway and FortiSandbox for AWS S3 bucket scanning.

FortiSandbox can scan a network share mounted over NFS or SMB. By creating a file share with AWS Storage Gateway and mapping it to an Amazon S3 bucket, you can present the bucket to FortiSandbox as that NFS or SMB network share and have its contents scanned for malware.

Create AWS Storage Gateway

  1. Go to the AWS Storage Gateway console.
  2. Click Create Gateway.
  3. Under Select Gateway Type, select File Gateway.
  4. Under Select Host Platform, select Amazon EC2.
  5. Click Launch Instance and configure the instance according to the Set Up Instructions for Amazon EC2 displayed on the page.
  6. View the AWS Gateway instance on the EC2 console. Find its public IP or assign it an Elastic IP.
  7. Go back to the Create Gateway page and click Next.
  8. Enter the AWS Storage Gateway IP address.
  9. Once it connects to the gateway, select your time zone, gateway name, and storage configuration.
  10. Click Activate Gateway.
  11. Click Save and Continue. Your Storage Gateway now appears on the console.
  12. Click Create File Share.
  13. Fill in your S3 bucket information.
  14. Click Create File Share.
  15. You can test the NFSv4 file share for the S3 bucket from a Linux server: you should be able to list your files and copy files into the S3 bucket through the local mount.

Configure AWS FortiSandbox to Watch and Scan NFSv4 Share Folder

  1. Log into your AWS FortiSandbox
  2. Go to Scan Input > Network Share.
  3. Click Create New.
  4. Fill in the information for FortiSandbox to access the NFSv4 share by Storage Gateway. 
  5. Save the configuration. Your S3 Bucket share folder will be scanned by FortiSandbox.


FortiAnalyzer 800F Installation Guide


The FortiAnalyzer unit can be mounted in any standard 19 inch rack unit with the provided mounting hardware.

The rack must be stabilized before sliding the unit out for servicing. Failure to stabilize may cause the rack to tip over.

Electrostatic discharge (ESD) can damage your Fortinet equipment.
To avoid personal injury or damage to the unit, it is recommended that two or more people install the unit into the rack.

Do not place heavy objects on the unit.

Rack Precautions

  • Ensure the leveling jacks on the bottom of the rack are fully extended to the floor with the full weight of the rack resting on the jacks.
  • For single rack installation, stabilizers should be attached to the rack.
  • For multiple rack installations, the racks should be coupled together.
  • Ensure the rack is stable before extending a component from the rack.
  • Only extend one component at a time; extending two or more simultaneously may cause the rack to become unstable.
After installing the device into the rack, install the hard disk drives into the device.

Installing the unit into the rack

    1. Ensure that the FortiAnalyzer unit is placed on a stable surface prior to rack-mount installation.
    2. Attach the provided inner rails to the sides of the unit using the provided bracket screws.
    3. Attach the outer rails to the rack.
    4. Align the inner rails with the outer rails and slide the device onto the rails.
    5. Slide the release tabs on both sides at the same time, then push the device all the way into the rack.
    6. When the unit has been completely pushed into the rack, the release tabs will click into the locked position.
    7. Plug the supplied power cables into the rear of the unit and then into grounded electrical outlets or separate power sources, such as uninterruptible power supplies (UPS) or power distribution units (PDU).
If the unit has a redundant power supply, each power cable should be connected to a different power source. In this way, if one power source fails, the other may still be operational and the unit will not lose power.

Installing the unit on a flat surface

  1. Ensure that the surface onto which the FortiAnalyzer unit is to be installed is clean, level, and stable and that there is at least 1.5 in (3.8 cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the provided rubber feet to the bottom of the FortiAnalyzer unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the FortiAnalyzer unit conforms to requirements and that the unit is level.
  5. Plug the supplied power cables into the rear of the unit and then into grounded electrical outlets or separate power sources, such as uninterruptible power supplies (UPS) or power distribution units (PDU).

System Behavior and Power Button Usage

  • Plug in AC: the system powers on automatically and BIOS/OS initialization brings it into operating mode.
  • Operating mode: press and hold the power button for about 4 seconds to force a shutdown into standby mode. Press the power button once to interrupt the system and perform a graceful shutdown; after all HDD green LEDs turn solid, either unplug the power cord to shut down the system or long-press the power button to enter standby mode.
  • Standby mode: press the power button once to wake the system from standby mode into operating mode.
  • Remove AC: instant shut-off; no power.

 



FortiGate-FortiWiFi 60E-DSL


The FortiGate unit can be placed on any flat surface with the provided rubber feet, or mounted to a wall with the provided mounting hardware.

Electrostatic discharge (ESD) can damage your Fortinet equipment.
Do not place heavy objects on the unit.

Installing the device on a wall

  1. Use the mounting bracket to mark the location of the mounting holes on a flat wall surface.
  2. Drill the mounting holes in the marked locations.
  3. Insert the provided anchors into the drilled holes then screw the screws into the anchors, leaving approximately 2mm of the screw exposed for connecting to the mounting bracket.
  4. Fasten the mounting bracket securely to the back of the unit using the provided screws.
  5. Position the device with the attached mounting bracket over the exposed screws in the wall, then slide the device downward to secure it in place.
  6. If applicable, attach the antennas to the device.
  7. Plug the provided power adapter into the rear of the unit, and then plug the transformer into a grounded electrical outlet or a separate power source such as an uninterruptible power supply (UPS) or a power distribution unit (PDU) with the provided power cable.

Installing the unit on a flat surface

  1. Ensure that the surface onto which the FortiGate unit is to be installed is clean, level, and stable and that there is at least 1.5in (3.8cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the provided rubber feet to the bottom of the FortiGate unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the FortiGate unit conforms to requirements and that the unit is level.
  5. If applicable, attach the antennas to the device.
  6. Plug the provided power adapter into the rear of the unit, and then plug the transformer into a grounded electrical outlet or a separate power source such as an uninterruptible power supply (UPS) or a power distribution unit (PDU) with the provided power cable.



Site-to-site IPsec VPN with certificate authentication


In this recipe, you create a route-based IPsec VPN tunnel to allow transparent communication between two networks that are located behind different FortiGates. The VPN will be created on both FortiGates using the VPN Wizard’s Site to Site – FortiGate template. However, instead of using a pre-shared key for authentication, the FortiGates will use a certificate.

In this example, one FortiGate will be referred to as HQ and the other as Branch.

1. Enabling certificate management

On both FortiGates, go to System > Feature Visibility and make sure that Certificates is enabled.  

2. Obtaining necessary certificates

This recipe requires the following files:

  • Client certificate for HQ and its matching private key
  • Client certificate for Branch and its matching private key
  • CA certificate that issued HQ’s certificate
  • CA certificate that issued Branch’s certificate

3. Installing the client certificates

The client certificate is used for authentication and represents the individual identity of each FortiGate.

On HQ, go to System > Certificates and select Import > Local Certificate.

Set Type to Certificate, choose the Certificate file and the Key file for HQ, and enter the Password for the key file, if applicable. You can also change the Certificate Name.

 

HQ’s client certificate now appears in the list of Certificates on HQ.

 

On Branch, go to System > Certificates and select Import > Local Certificate.

Set Type to Certificate, choose the Certificate file and the Key file for Branch, and enter the Password for the key file, if applicable. You can also change the Certificate Name.

 

Branch’s client certificate now appears in the list of Certificates on Branch.

 
 

4. Installing the CA certificates

The CA certificate is used for verifying the identity of the remote FortiGate’s client certificate, which we imported in step 3.

On HQ, go to System > Certificates and select Import > CA Certificate.

Set Type to File, and upload the CA certificate that issued HQ’s certificate.

 

On HQ, go to System > Certificates and select Import > CA Certificate.

Set Type to File, and upload the CA certificate that issued Branch’s certificate.


 

The CA certificates now appear in HQ’s list of External CA Certificates with the automatically generated names CA_Cert_1 and CA_Cert_2. 

 

Repeat this step exactly the same way on Branch.

5. Configuring the IPsec VPN on HQ

On HQ, go to VPN > IPsec Wizard and create a new tunnel.

In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate.

 

In the Authentication step, set IP Address to the public IP address of the Branch FortiGate (in the example, 172.25.177.46).

After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu.

 

Select Signature for the Authentication Method.

For the Certificate Name, we select the client certificate we imported in step 3 (in the example, FortiGate-HQ).

For the Peer Certificate CA, we select the CA certificate for Branch that we imported in step 4 (in the example, CA_Cert_2).

In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to Branch’s local subnet (in the example, 192.168.13.0/24).

 

A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies.

 

6. Configuring the IPsec VPN on Branch

On Branch, go to VPN > IPsec Wizard and create a new tunnel.

In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate.

 

In the Authentication step, set IP Address to the public IP address of the HQ FortiGate (in the example, 172.25.176.142).

After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu.

 

 

Select Signature for the Authentication Method.

For the Certificate Name, we select the client certificate we imported in step 3 (in the example, FortiGate-Branch).

For the Peer Certificate CA, we select the CA certificate for HQ that we imported in step 4 (in the example, CA_Cert_1).

In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to HQ’s local subnet (in the example, 192.168.37.0/24).

 

A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies.

 

Results

On either FortiGate, go to Monitor > IPsec Monitor to verify the status of the VPN tunnel. If the tunnel is showing down, right-click under Status and select Bring Up.

 

A user on either of the office networks should be able to connect to any address on the other office network transparently.

If you need to generate traffic to test the connection, ping Branch’s LAN interface from a device on HQ’s internal network.

 

Notes

  • A server certificate will also work.
  • The CA that issues the certificate can be a public CA, such as DigiCert, or a private CA, such as a FortiAuthenticator or your Windows Domain Controller.
  • Sometimes the certificate and key are combined into a single PKCS#12 file. If that is the case, select PKCS #12 Certificate instead.
  • Take note of which CA certificate was assigned which name. We will reference these names in a later step.


Configuring FortiMail Webmail Single Sign On


This recipe guides you through the process of configuring FortiMail Webmail Single Sign On (SAML) with an external identity provider such as Active Directory Federation Services (ADFS); the IdP-side steps shown below use FortiAuthenticator.

The FortiMail unit needs to be in Server Mode in order for the following procedures to work.
 

 Configuring an LDAP Profile and Domain

First we’ll need to configure an LDAP Profile if not already created and then create a domain.

  1. Go to Profile > LDAP > LDAP.
  2. Select New.
  3. Enter the required information and then select Create.
  4. Go to Domain & User > Domain > Domain. 
  5. Select New.
  6. Enter the necessary information and select the previously created LDAP profile from the User profile dropdown menu.
  7. Select Create.
 

 Configuring Webmail

Next we’ll need to configure the Webmail and save important FortiMail metadata. You must be in Advanced Mode to continue with the following steps.

  1. Go to System > Customization > Appearance.
  2. Expand the Web Portal section.
  3. Select “3rd Party/Single Sign on” from the Login page dropdown menu.
  4. Select Edit.
  5. Copy the FortiMail Service Provider Metadata URL and download the FortiMail metadata using the URL. You’ll need this file for the next section.
  6. Select OK and then Apply.

 

 

 

 Configuring FortiAuthenticator

Now we’ll need to configure FortiAuthenticator. 

  1. Go to Authentication > SAML IdP > General.
  2. Enable SAML IDP.
  3. Select OK.
  4. Go to Authentication > SAML IdP > Service Provider
  5. Select Create New.
  6. Copy the IDP entity id
  7. Select Import SP metadata and select the metadata you downloaded in the previous section.
  8. Select Create New in the SAML Attribute section and enter “urn:oid:0.9.2342.19200300.100.1.3” and set the User Attribute to “Email”.
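Before importing the downloaded FortiMail metadata into FortiAuthenticator (step 7), it is worth confirming what it declares: the entity ID, the assertion consumer endpoint and its binding, whether the endpoint is HTTPS, and whether the service provider publishes a certificate and insists on signed assertions. The following Python is an added example, not FortiMail or FortiAuthenticator code; it parses standard SAML 2.0 metadata with the standard library and also records the attribute mapping from step 8 (the mail OID to the Email user attribute). The embedded metadata document is constructed, and the host name mail.example.com is an assumption.

```python
"""Inspect a SAML SP metadata file before importing it into the IdP.

Added example, not FortiMail or FortiAuthenticator code. The metadata below
is constructed in standard SAML 2.0 metadata shape; the host name is assumed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"   # the attribute the recipe maps to Email


def inspect_sp_metadata(xml_text: str) -> dict[str, object]:
    """Extract what the IdP needs from SP metadata and flag weak settings."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = [{"binding": e.get("Binding", "").rsplit(":", 1)[-1],
            "location": e.get("Location"), "index": e.get("index")}
           for e in sp.findall("md:AssertionConsumerService", NS)]
    certs = sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    warnings: list[str] = []
    if not acs:
        warnings.append("no AssertionConsumerService endpoint")
    for a in acs:
        if not str(a["location"] or "").startswith("https://"):
            warnings.append(f"ACS {a['location']} is not https")
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        warnings.append("SP does not require signed assertions")
    if not certs:
        warnings.append("no SP certificate: the IdP cannot encrypt assertions or verify signed requests")
    return {"entity_id": root.get("entityID"), "acs": acs, "certs": len(certs),
            "attribute_map": {MAIL_OID: "Email"}, "warnings": warnings}


# Constructed SP metadata in the shape FortiAuthenticator's import expects.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://mail.example.com/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://mail.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    info = inspect_sp_metadata(SAMPLE)
    print("entityID:", info["entity_id"])
    for a in info["acs"]:
        print("ACS:", a["binding"], a["location"])
    print("attribute map:", info["attribute_map"])
    print("warnings:", info["warnings"] or "none")
```

Point `inspect_sp_metadata` at the file you downloaded from the FortiMail Service Provider Metadata URL; the entity ID it prints is what FortiAuthenticator will show for the service provider, and any warning is worth resolving before users sign in through the portal.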

 

 

 


Using SMTP Authentication in FortiMail


Worried about brute-force password attacks against SMTP? FortiMail’s SMTP authentication protection mitigates the problem by tracking the IP addresses of clients whose authentication attempts fail, so it can detect, block, and penalize attackers. This recipe guides you through enabling SMTP authentication protection and checking the SMTP authentication score and records.

 

Enabling SMTP Authentication

First we’ll need to enable SMTP authentication.

  1. Go to Dashboard > Console and enter the following commands to enable the feature. If there is a gateway in front of the mail server, add the gateway to the exempt list (otherwise every client's failed attempts would be counted against the gateway's IP address):

    config system security authserver
      set status enable
      config exempt-list
        edit 1
          set sender-ip-mask 172.20.140.232/32
        next
      end
    end
 

Checking SMTP Authentication Score and Record

With SMTP authentication enabled, you can check the following from the CLI:

  1. Display the automatically added IP addresses:
    diagnose system authserver auto-exempt display
    To delete one of these IP addresses, enter:
    diagnose system authserver auto-exempt delete xxxx
  2. Display the iptables statistics for currently blocked IP addresses:
    diagnose system authserver iptables ipv4
  3. Get the authentication records for a specific IP address:
    diagnose system authserver records 172.20.140.230
  4. Get the authentication status of a specific IP address, showing whether it is safe or blocked:
    diagnose system authserver status 172.20.140.231
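
The following Python model illustrates the mechanism this recipe enables: failed SMTP AUTH attempts are scored per client IP, addresses on the exempt list (here the gateway 172.20.140.232/32 from the configuration above) are never scored, and a client that exceeds a failure threshold inside a time window is blocked until the block expires. It is an added example written for this page, not FortiMail code; the threshold, window and block duration, and the sample client addresses (TEST-NET ranges) are constructed assumptions, and the `status` and `records` methods only loosely mirror the `diagnose system authserver` commands listed above.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
import ipaddress


@dataclass
class AuthServer:
    """Tracks failed SMTP AUTH attempts per client IP and blocks repeat offenders."""
    fail_threshold: int = 5        # failures inside the window before a block (assumed value)
    window_seconds: int = 300      # sliding window in which failures are counted (assumed value)
    block_seconds: int = 900       # how long a blocked client stays blocked (assumed value)
    exempt_list: list = field(default_factory=list)  # ipaddress networks that are never scored
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: dict = field(default_factory=dict)

    def is_exempt(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt_list)

    def record(self, ip: str, success: bool, now: float) -> None:
        """Record one SMTP AUTH attempt from ip at time now (seconds)."""
        if self.is_exempt(ip):
            return                          # exempt clients are never scored
        failures = self._failures[ip]
        if success:
            failures.clear()                # a successful login clears the score
            return
        failures.append(now)
        while failures and now - failures[0] > self.window_seconds:
            failures.popleft()              # forget failures that fell out of the window
        if len(failures) >= self.fail_threshold:
            self._blocked_until[ip] = now + self.block_seconds

    def status(self, ip: str, now: float) -> str:
        """Rough counterpart of 'diagnose system authserver status': exempt, blocked or safe."""
        if self.is_exempt(ip):
            return "exempt"
        until = self._blocked_until.get(ip)
        return "blocked" if until is not None and now < until else "safe"

    def records(self, ip: str) -> int:
        """Rough counterpart of 'diagnose system authserver records': failures in the window."""
        return len(self._failures.get(ip, ()))


def run_demo() -> AuthServer:
    """Feed constructed sample events through the tracker and return it for inspection."""
    # The gateway address comes from the exempt-list entry in the recipe.
    srv = AuthServer(exempt_list=[ipaddress.ip_network("172.20.140.232/32")])
    # Constructed events: (time in seconds, client IP, authentication succeeded?)
    events = [
        (0, "203.0.113.7", False), (10, "203.0.113.7", False), (20, "203.0.113.7", False),
        (30, "203.0.113.7", False), (40, "203.0.113.7", False), (50, "203.0.113.7", False),
        (5, "198.51.100.5", False), (15, "198.51.100.5", False), (25, "198.51.100.5", True),
    ] + [(t, "172.20.140.232", False) for t in range(0, 100, 10)]
    for t, ip, ok in sorted(events):
        srv.record(ip, ok, t)
    return srv


if __name__ == "__main__":
    srv = run_demo()
    for ip in ("203.0.113.7", "198.51.100.5", "172.20.140.232"):
        print(ip, srv.status(ip, 60), srv.records(ip))
```

The gateway case is the one worth noting: without the exempt entry, ten failures from 172.20.140.232 would block the gateway and, with it, every legitimate client behind it.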
 

Web and DNS filter troubleshooting


This section contains tips to help you with some common challenges of FortiGate web and DNS filtering.

The Web Filter menu is missing

Go to Feature Select/Feature Visibility and enable Web Filter.

You cannot create new web filter profiles

Go to Feature Select/Feature Visibility and enable Multiple Security Profiles.

You configured web filtering, but it is not working

Verify that Web Filter is enabled in a policy and SSL Inspection has been applied as needed (SSL inspection is required in order to block traffic to sites that use HTTPS). If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to the policy list and viewing the Sessions column.

If all this is correct, verify that proxy options and SSL/SSH inspection settings have both HTTP and HTTPS enabled and use the correct ports.

You configured DNS Filtering, but it is not working

Verify that DNS Filter is enabled in a policy. If it is enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to the policy list and viewing the Sessions column.

If all this is correct, verify that DNS requests are going through the policy, rather than to an internal DNS server.

FortiGuard has the wrong categorization for a website

If you believe a website has been placed in the wrong category by FortiGuard, you can submit the URL for re-classification by going to the FortiGuard website.

The website categorization on your FortiGate does not match the FortiGuard categorization

Verify that you entered the entire URL of the website, not just the domain name. Also verify that you have not used a web rating override to change the local website categorization.

If the categorizations still do not match, verify whether your web filter profile has the option to Rate URLs by domain and IP Address enabled. If this option is enabled, the categorization could be different if the IP address that the URL resolves to has a different rating than the URL itself.

An active FortiGuard web filter license displays as expired/unreachable

If this occurs, verify that web filtering is enabled in one of your security policies. FortiGuard services will sometimes show as expired when those services are not actively used.

If web filtering is enabled in a policy, go to your FortiGuard settings and expand Web Filtering. Under Port Selection, select Use Alternate Port (8888). Select Apply to save the changes. Verify whether the license is shown as active. If it is still inactive/expired, switch back to the default port and verify again.

Go to the DNS settings to verify that your FortiGate is pointing to appropriate DNS servers and can resolve and reach FortiGuard at service.fortiguard.net. If you can reach this service, you can then verify the connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of FortiGuard IP gateways you can connect to, as well as the following information:

  • Weight: Based on the difference in time zone between the FortiGate and this server
  • RTT: Round-trip time
  • Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed)
  • TZ: Server time zone
  • Curr Lost: Current number of consecutive lost packets
  • Total Lost: Total number of lost packets

Using URL Filters in conjunction with FortiGuard Categories is not working

Web filtering inspection is applied in the following order:

  1. URL filters
  2. FortiGuard category filtering
  3. Advanced filters (e.g. safe search or removing ActiveX components)

Because of this order, a URL can trigger two matches: first, a URL filter with Action set to Allow, and then a second for a blocked FortiGuard Category. This results in the website being blocked. To avoid this, set Action to Exempt to bypass further web filter inspection of that URL.

You can control which scans the URL is exempted from in the CLI:

config webfilter urlfilter
  edit <id>
    config entries
      edit <id>
        set exempt {av | web-content | activex-java-cookie | dlp | fortiguard | range-block | pass | all}
      next
    end
  next
end
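
To make the evaluation order concrete, here is an added Python model of the three stages described above (URL filter, FortiGuard category, advanced filters). It is not FortiOS code: the category ratings, the blocked category and the hostnames are constructed, and the URL filter uses a simple prefix match in place of FortiOS pattern types. It shows why an Allow entry still leaves a URL exposed to category blocking while an Exempt entry ends inspection.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UrlFilterEntry:
    pattern: str   # matched as a prefix of "host/path" (constructed simplification)
    action: str    # "allow", "block", "monitor" or "exempt"


# Constructed ratings standing in for FortiGuard category lookups.
RATINGS = {"shop.example": "Shopping", "news.example": "News and Media"}
BLOCKED_CATEGORIES = {"Shopping"}


def _host_path(url: str) -> str:
    return url.split("://", 1)[-1]


def match_url_filter(url: str, entries) -> Optional[UrlFilterEntry]:
    """Return the first URL filter entry whose pattern prefixes the host/path, if any."""
    target = _host_path(url)
    for entry in entries:
        if target.startswith(entry.pattern):
            return entry
    return None


def inspect(url: str, entries, ratings=RATINGS, blocked=BLOCKED_CATEGORIES):
    """Return (verdict, deciding_stage), applying the stages in FortiOS order."""
    # Stage 1: URL filter
    entry = match_url_filter(url, entries)
    if entry is not None:
        if entry.action == "block":
            return ("block", "url-filter")
        if entry.action == "exempt":
            return ("pass", "url-filter-exempt")   # skips the remaining stages
        # "allow" and "monitor" only settle this stage; inspection continues
    # Stage 2: FortiGuard category filtering
    host = _host_path(url).split("/", 1)[0]
    if ratings.get(host, "Unrated") in blocked:
        return ("block", "fortiguard-category")
    # Stage 3: advanced filters (safe search, ActiveX removal) would run here
    return ("pass", "advanced-filters")


if __name__ == "__main__":
    url = "https://shop.example/cart"
    print(inspect(url, [UrlFilterEntry("shop.example", "allow")]))
    print(inspect(url, [UrlFilterEntry("shop.example", "exempt")]))
```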

 


Security Fabric installation and audit


In this recipe, you will configure a Fortinet Security Fabric that consists of four FortiGates and a FortiAnalyzer. One of the FortiGates will act as the network edge firewall and root FortiGate of the Security Fabric, while the others function as Internal Segmentation Firewalls (ISFWs).

Once the network has been configured, a Security Fabric Audit is run, to analyze the Security Fabric and recommend changes to help improve the configuration.

This recipe is in the Security Fabric Collection. It can also be used as a standalone recipe.

In the example network, the following FortiGate aliases are used:

  • External: the root FortiGate in the Security Fabric. This FortiGate is named “External” because it is the only FortiGate that directly connects to the Internet. This role is also known as the edge or gateway FortiGate.
  • Accounting: an ISFW FortiGate that connects to External.
  • Marketing: an ISFW FortiGate that connects to External.
  • Sales: an ISFW FortiGate that connects to Marketing.

This recipe was created using FortiOS 5.6.1. If you are using 5.6.0, GUI paths related to the Security Fabric and the appearance of some pages will differ from what is shown.


1. Configuring External

In the Security Fabric, External is the root FortiGate. This FortiGate receives information from the other FortiGates in the Security Fabric and is used to run the Security Fabric Audit.

In the example, the following interfaces on External are used to connect to other network devices:

  • Port 9 connects to the Internet (this interface was configured when External was initially installed)
  • Port 10 connects to Accounting (IP address: 192.168.10.2)
  • Port 11 connects to Marketing (IP address: 192.168.200.2)
  • Port 16 connects to the FortiAnalyzer (IP address: 192.168.55.2)

On External, go to Network > Interfaces and edit port 10. Set an IP/Network Mask for the interface (in the example, 192.168.10.2/255.255.255.0).

Set Administrative Access to allow FortiTelemetry, which is required for communication between FortiGates in the Security Fabric.

Repeat this step to configure the other interfaces with the appropriate IP addresses, as listed above.

Go to Policy & Objects > IPv4 Policy and create a policy for traffic from Accounting to the Internet.

Enable NAT.

Repeat this step to create a similar policy for Marketing.

On External, go to System > Feature Select. Under Additional Features, enable Multiple Interface Policies.

Go to Policy & Objects > IPv4 Policy and create a policy allowing Accounting and Marketing to access the FortiAnalyzer.

To enable communication between the FortiGates in the Security Fabric, go to Security Fabric > Settings and enable FortiGate Telemetry. Set a Group name and Group password.

FortiAnalyzer Logging is now enabled by default. Set IP address to an internal address that will later be assigned to port 1 on the FortiAnalyzer (in the example, 192.168.55.10).

Select Test Connectivity. An error appears because the FortiGate is not yet authorized on the FortiAnalyzer. This authorization will be configured in a later step.

2. Installing Accounting and Marketing

On Accounting, go to Network > Interfaces and edit WAN1.

Set an IP/Network Mask for the interface that is on the same subnet as port 10 on External (in the example, 192.168.10.10/255.255.255.0).

Edit the internal interface.

Set Addressing mode to Manual and set the IP/Network Mask to a private IP address (in the example, 10.10.10.1/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

Go to Network > Static Routes and add a static route. Set Gateway to the IP address of port 10 on External.

Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Accounting network to access External.

Go to Security Fabric > Settings to add Accounting to the Security Fabric. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously on External.

Enable Connect to upstream FortiGate and enter the IP address of port 10 on External.

FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer will be retrieved when Accounting connects to External.

If you have not already done so, connect WAN1 on Accounting to port 10 on External.

Connect and configure Marketing, using the same method you used to configure Accounting. Make sure to complete the following steps:

  • Configure WAN1 to connect to External (IP address: 192.168.200.10/255.255.255.0)
  • Configure the LAN interface for the Marketing network (IP address: 10.10.200.2/255.255.255.0)
  • Create a static route pointing traffic to port 11 on External
  • Create a policy to allow users on the Marketing network to access External
  • Add Marketing to the Security Fabric

3. Installing Sales

On Marketing, go to Network > Interfaces and edit the interface that Sales will connect to (in the example, internal14).

Set an IP/Network Mask for the interface (in the example, 192.168.135.2/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

Go to Policy & Objects > IPv4 Policy and create a policy for traffic from Sales to External.

Enable NAT.

On Sales, go to Network > Interfaces and edit WAN2.

Set an IP/Network Mask for the interface that is on the same subnet as the internal14 interface on Marketing (in the example, 192.168.135.10/255.255.255.0).

Edit the LAN interface.

Set Addressing Mode to Manual, and set the IP/Network Mask to a private IP address (in the example, 10.10.135.1/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses, using DHCP, to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

Go to Network > Static Routes and add a route. Set Gateway to the IP address of the internal14 interface on Marketing.

Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Sales network to access Marketing.

Go to Security Fabric > Settings to add Sales to the Security Fabric. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously.

Enable Connect to upstream FortiGate and enter the IP address of the internal14 interface on Marketing.

FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer will be retrieved when Sales connects to Marketing.

If you have not already done so, connect WAN2 on Sales to the internal14 interface on Marketing.

4. Configuring the FortiAnalyzer

To use the FortiAnalyzer in the Security Fabric, make sure that the firmware is compatible with the version of FortiOS on the FortiGates. To check for compatibility, see the FortiAnalyzer Release Notes.

On the FortiAnalyzer, go to System Settings > Network, select All Interfaces, and edit port 1. Set IP Address/Netmask to the IP address used for the Security Fabric configuration on External (192.168.55.10/255.255.255.0).

Add a Default Gateway, using the IP address of port 16 on External.

Go to Device Manager. The FortiGates are listed as Unregistered.

Select the FortiGates, then select +Add.

The FortiGates now appear as Registered.

After a moment, a warning icon appears beside External because the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric.

Select the FortiGate, then enter the administrative authentication information.

On External, go to Security Fabric > Settings. FortiAnalyzer Logging now shows Storage usage information.

5. Running a Security Fabric Audit

You can use the Security Fabric Audit to analyze your Security Fabric deployment, identify potential vulnerabilities, and highlight best practices. Using the Security Audit helps you improve your network configuration, deploy new hardware and software, and gain more visibility and control over your network.

By regularly checking your network’s Security Score, which is determined by how many checks your network passes or fails during the Security Audit, and making the recommended improvements, you can have confidence that your network is getting more secure over time.

You must run the Security Fabric Audit on the root FortiGate in the Security Fabric.

On External, go to Security Fabric > Audit.

All the FortiGates in the Security Fabric are shown. Select Next.

At the top of the page, you can see your network’s Security Score, as well as the overall count of how many checks were passed or failed, with the failed checks divided by severity.

Further down, you can see information about each failed check, including which FortiGate failed the check, the effect on your network’s score, and the recommendation for fixing the issue.

Easy Apply recommendations may be automatically applied by the wizard in the next stage.

By using Easy Apply, you can change the configuration of any FortiGate in the Security Fabric, not just the root FortiGate.

Select all the changes you want to make, then select Apply Recommendations.

6. Results

On External, go to Dashboard > Main. The Security Fabric widget displays the names of the FortiGates in the Security Fabric.

The icons on the top indicate which other Fortinet devices can be used in a Security Fabric. Devices in blue are detected in your network, devices in gray are not detected in your network, and devices in red are also not detected in your network but are recommended for a Security Fabric.

Also located on the Dashboard is the Security Fabric Score widget, which displays your network’s current score.

If either of these widgets does not appear on your dashboard, it can be added using the settings button in the bottom right corner. This button appears when your mouse hovers over any part of the dashboard.

Go to Security Fabric > Physical Topology. This page shows a visualization of access layer devices in the Security Fabric.

Security Fabric Audit recommendations are also shown in the topology, next to the icon of the device the recommendations apply to.

Go to Security Fabric > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the Security Fabric is connected to.

On the FortiAnalyzer, go to Device Manager. The FortiGates are now shown as part of a Security Fabric group. The * beside External indicates that it is the root FortiGate in the Security Fabric.

Right-click on the Security Fabric group and select Fabric Topology. The topology of the Security Fabric is displayed.

7. (Optional) Adding security profiles to the Security Fabric

The Security Fabric allows you to distribute security profiles to different FortiGates in your network, which can lessen the workload of each device and avoid creating bottlenecks. For example, you can implement antivirus scanning on External while the ISFW FortiGates apply application control and web filtering.

This results in distributed processing between the FortiGates in the Security Fabric, which reduces the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network, as other internal networks may have different application control and web filtering requirements.

This configuration may result in threats getting through External, which means you should very closely limit access to the network connections between the FortiGates in the network.

On External, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from Accounting to the Internet.

Under Security Profiles, enable AntiVirus and select the default profile.

Do the same for the policy allowing traffic from Marketing to the Internet.

On Accounting, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting network to the Internet.

Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both.

Repeat this step for both Marketing and Sales.

For further reading, check out Security Fabric in the FortiOS 5.6 Handbook.

This FortiGate has already been installed in NAT/Route mode in the “Installing a FortiGate in NAT/Route mode” recipe.
In this recipe, the policy is called Access-External-Device because more Fortinet devices, such as a FortiSandbox, will be added to the subnet currently used by the FortiAnalyzer.
Only Fortinet devices will be shown.


FortiOS 5.6.3 Supported Cipher Suites


A cipher suite is a collection of encryption and authentication algorithms from which two participants in a secure communication select when negotiating a secure transaction.

FortiOS uses cipher suites to select encryption and authentication algorithms to use for SSL VPN, IPsec VPN, SSL inspection, SSL offloading, administrator authentication, user authentication, secure communication with FortiGuard, and so on. Each of these secure transactions selects the encryption and authentication algorithms to use for the transaction from the cipher suites supported for that transaction. 

The cipher suites available for each transaction vary depending on the software settings and on the FortiGate hardware platform.

Here is the list of cipher suites available on most FortiGate hardware platforms for FortiOS 5.6.3:

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-DSS-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
TLS-ECDHE-RSA-WITH-RC4-128-SHA
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-RSA-WITH-RC4-128-SHA
TLS-DHE-RSA-WITH-DES-CBC-SHA
TLS-DHE-DSS-WITH-DES-CBC-SHA
TLS-RSA-WITH-DES-CBC-SHA
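
The list above mixes modern AEAD suites with static-RSA, CBC and long-deprecated RC4/DES/3DES/MD5 entries, so before building a custom `ssl-cipher-suites` list it helps to sort them by property. The following Python is an added example, not FortiOS code: it parses names in the hyphenated form FortiOS prints, splits each into key exchange, authentication, bulk cipher, mode and MAC, and classifies it by forward secrecy, AEAD mode and legacy primitives. The four rating labels and the sample subset are this example's own choices.

```python
import re
from dataclasses import dataclass

LEGACY_CIPHERS = {"RC4", "DES", "3DES"}   # broken or deprecated bulk ciphers
LEGACY_MACS = {"MD5"}                     # deprecated HMAC


@dataclass(frozen=True)
class Suite:
    name: str
    kex: str      # "ECDHE", "DHE", or "RSA" for static RSA key transport
    auth: str     # "RSA", "ECDSA" or "DSS"
    cipher: str   # e.g. "AES-128", "CHACHA20", "3DES-EDE", "RC4-128"
    mode: str     # "GCM", "CBC", "POLY1305", or "" for a stream cipher
    mac: str      # "SHA", "SHA256", "SHA384" or "MD5"

    @property
    def family(self) -> str:
        return self.cipher.split("-")[0]

    @property
    def forward_secrecy(self) -> bool:
        return self.kex in ("ECDHE", "DHE")

    @property
    def aead(self) -> bool:
        return self.mode in ("GCM", "POLY1305")


_SUITE_RE = re.compile(r"TLS-(?:(ECDHE|DHE)-)?(RSA|ECDSA|DSS)-WITH-(.+)-(SHA384|SHA256|SHA|MD5)")


def parse_suite(name: str) -> Suite:
    """Split a FortiOS-style suite name into its components."""
    m = _SUITE_RE.fullmatch(name.strip())
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    kex, auth, body, mac = m.groups()
    if body.endswith(("-GCM", "-CBC", "-POLY1305")):
        cipher, mode = body.rsplit("-", 1)
    else:
        cipher, mode = body, ""           # RC4-128: stream cipher, no mode
    return Suite(name.strip(), kex or "RSA", auth, cipher, mode, mac)


def rate(suite: Suite) -> str:
    """Classify a suite; labels are this example's own, not FortiOS terms."""
    if suite.family in LEGACY_CIPHERS or suite.mac in LEGACY_MACS:
        return "legacy"        # disable: RC4, DES, 3DES or MD5
    if not suite.forward_secrecy:
        return "no-pfs"        # static RSA: a leaked server key decrypts recorded sessions
    if not suite.aead:
        return "cbc"           # PFS but CBC with HMAC: acceptable, prefer AEAD
    return "recommended"       # PFS key exchange with an AEAD cipher


def partition(names):
    """Group suite names by rating, preserving input order inside each group."""
    groups = {"recommended": [], "cbc": [], "no-pfs": [], "legacy": []}
    for n in names:
        groups[rate(parse_suite(n))].append(n.strip())
    return groups


# A subset of the FortiOS 5.6.3 list above, chosen to hit every rating.
SAMPLE = [
    "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
    "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
    "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
    "TLS-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
    "TLS-ECDHE-RSA-WITH-RC4-128-SHA",
    "TLS-RSA-WITH-RC4-128-MD5",
    "TLS-DHE-DSS-WITH-DES-CBC-SHA",
]

if __name__ == "__main__":
    for rating, names in partition(SAMPLE).items():
        print(rating, names)
```

Running `partition` over the full list is a quick way to see which entries a hardened `ssl-cipher-suites` configuration should leave out.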

Viewing the cipher suites supported by your FortiGate

You can use the following command to view the cipher suites that are available on your FortiGate. This command is used to select the cipher suites to apply to SSL offloading; other features that require cipher suites may support a subset of this list.

config firewall vip
  edit <vip-name>
    set type server-load-balance
    set server-type https
    set ssl-algorithm custom
    config ssl-cipher-suites
      edit 1
        set cipher ?


Basic failover with redundant Internet


The following example demonstrates how to configure a basic failover with redundant Internet setup.

The goal of this recipe is to achieve failover, where the primary ISP is used 100% of the time, and the secondary ISP is used only if the primary goes down. In this example, the primary ISP uses the WAN1 interface and the secondary ISP uses the WAN2 interface.

For a redundant Internet recipe that uses the new SD-WAN feature in FortiOS 5.6, click here.


1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.

This shows a FortiGate with both wan 1 and wan 2 ports active.

2. Creating redundant firewall policies

Go to Policy & Objects > IPv4 Policy and create a firewall policy that allows traffic from your internal network to the Internet through your primary ISP (WAN1).

Set Incoming Interface to the interface of your internal network and set Outgoing Interface to the internet facing interface of the primary ISP.

Enable NAT and apply Security Profiles as required.

Enable Log Allowed Traffic for All Sessions so that you can verify the results later.


Go to Policy & Objects > IPv4 Policy and create a firewall policy that allows traffic from your internal network to the Internet through your secondary ISP (WAN2).

Repeat the steps listed above.


3. Creating redundant routes

Go to Network > Static Routes and create a static route for each ISP. The primary ISP should have a higher route priority than the secondary ISP.

Create a new static route for the primary ISP, and set Gateway IP to the ISP gateway address on the WAN1 interface’s subnet.

Set Interface to the WAN1 interface.


Under Advanced Options, set Priority to a low number (in this example, 5). The route with the smaller value has the higher priority, so this route is preferred over the one you will configure for your secondary (backup) ISP.

Create a static route for the secondary ISP.

Set Gateway IP to the ISP gateway address on the WAN2 interface’s subnet.

Set Interface to wan2.

Under Advanced Options, set Priority to a higher number (in this example, 10). Make sure it is larger than the value on the previous route, so that this route has the lower priority.


Make sure both static routes are set to an equal distance. In this example, the Distance is set to the default of 10 on both routes. This ensures that both default routes will remain in the routing table.


4. Configuring the link-monitor

You can use the CLI to configure the link-monitor. Go to Dashboard > CLI and enter the following commands to configure the link monitor for the WAN1 interface (srcintf binds the monitor to the interface whose route it controls):

config system link-monitor
  edit wan1
    set srcintf wan1
    set server 8.8.4.4
    set protocol ping
    set gateway-ip 172.25.176.1
    set interval 5
    set timeout 1
    set failtime 5
    set recoverytime 5
    set update-cascade-interface enable
    set update-static-route enable
    set status enable
  next
end

Set the server to a reliable IP address to test your connection to the Internet with the WAN1 interface. In this example, the Google public DNS IP address, 8.8.4.4, is used (since the other Google IPv4 address, 8.8.8.8, is commonly used for other ping tests).

The gateway-ip uses the same gateway IP addresses configured in Step 3.

Configure the link monitor for the WAN2 interface:

config system link-monitor
  edit wan2
    set srcintf wan2
    set server 8.8.4.4
    set protocol ping
    set gateway-ip 192.168.13.1
    set interval 5
    set timeout 1
    set failtime 5
    set recoverytime 5
    set update-cascade-interface enable
    set update-static-route enable
    set status enable
  next
end
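
Steps 3 and 4 rely on two different route attributes, and the distinction is easy to blur: distance decides which routes are installed in the routing table at all, priority decides which installed route forwards traffic, and the link monitor (with update-static-route enabled) withdraws the routes of a failed interface. The following Python model is an added example, not FortiOS code; it uses the gateways and priority values from this recipe and adds a constructed variant with unequal distances to show why the recipe insists on keeping the distances equal.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    interface: str
    gateway: str
    distance: int = 10   # FortiOS default administrative distance for static routes
    priority: int = 0


# Routes as configured in the recipe: equal distance, WAN1 preferred by lower priority.
ROUTES = [
    StaticRoute("wan1", "172.25.176.1", distance=10, priority=5),
    StaticRoute("wan2", "192.168.13.1", distance=10, priority=10),
]

# Constructed variant: unequal distances keep the WAN2 route out of the table
# while WAN1 is up, so it would not be visible in the Routing Monitor.
UNEQUAL = [
    StaticRoute("wan1", "172.25.176.1", distance=10, priority=5),
    StaticRoute("wan2", "192.168.13.1", distance=20, priority=10),
]


def routing_table(routes, link_up):
    """Installed default routes: link monitor reports the interface up, and lowest distance."""
    live = [r for r in routes if link_up.get(r.interface, True)]  # failed links are withdrawn
    if not live:
        return []
    best = min(r.distance for r in live)
    return [r for r in live if r.distance == best]


def active_route(routes, link_up) -> Optional[StaticRoute]:
    """Among installed routes, the lowest priority value forwards traffic."""
    table = routing_table(routes, link_up)
    return min(table, key=lambda r: r.priority) if table else None


if __name__ == "__main__":
    for state in ({"wan1": True, "wan2": True}, {"wan1": False, "wan2": True}):
        table = [r.interface for r in routing_table(ROUTES, state)]
        print(state, "table:", table, "active:", active_route(ROUTES, state).interface)
```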

5. Results

To test failover of the redundant Internet configuration, you must simulate a failed Internet connection.

First, verify that users still have Internet access by navigating to Policy & Objects > IPv4 Policy. Right-click on the primary Internet access policy and select Show in FortiView to verify where traffic is flowing.


Physically disconnect the Ethernet cable from the Internet side of the ISP modem or device to simulate failover. Then, make sure that all traffic automatically goes through the WAN2 port, until WAN1 is available again. 


Go to Log & Report > System Events to confirm that the Link Monitor has changed state and that the static route for your primary ISP has been removed.


Go to Monitor > Routing Monitor to view the static routes in the routing table.

When the primary ISP connection is active, you will see an active route for both WAN1 and WAN2.


When the primary ISP connection fails, only the default route for WAN2 will appear.


Enter the following CLI command to view the routing table:

get router info routing-table all 

When the primary ISP connection is active, you will see an asterisk, *, with the routes for both WAN1 and WAN2 shown as active.


When the primary ISP connection fails, the route for WAN1 is automatically removed from the routing table.


Reconnect the cable when you have verified successful failover and you should find that traffic flows through only the primary ISP again.

For further reading, check out Dual Internet connections in the FortiOS 5.6 Handbook. Also check out more on the system link monitor CLI commands.


FortiMail Security Hardening


This recipe acts as an introduction to increasing the security of your FortiMail unit by providing you a basic checklist of techniques you can employ to harden your security.

 

Hardening FortiMail

  • Install your FortiMail unit in a secure location, such as a locked room with restricted access. Restricting physical access to the unit increases its security, since unauthorized users could otherwise disrupt your entire network through both unintentional and intentional interventions.
  • Always upgrade your firmware to the latest version.
  • Avoid generic administrator account names such as “admin”. If an attacker can guess your administrator name, they only need to guess your password.
  • Do not allow administrative access on the external interface. Use internal access methods such as IPsec VPN or SSL VPN. If you have to use remote access, only allow HTTPS and SSH and be sure to use secure access methods.
  • Establish trusted hosts for administrators to limit which computers administrators can use to access the unit. Defining a trusted host forces the unit to accept the administrator’s login only from the configured IP address or subnet.
  • Change the default administrator port to a non-standard port.
  • Register with support services to activate the warranty on your device.
  • To avoid the possibility of an administrator walking away from the management computer and leaving it exposed, add an automatic idle time-out. If the web-based manager is not used for a specified amount of time, the unit automatically logs the administrator out.
  • Enable automatic clock synchronization to facilitate auditing and to keep the expiry dates used by certificates and security protocols consistent.
  • Brute-force password software can launch more than just dictionary attacks; it can also discover common passwords where a letter is replaced by a number. For example, if “p4ssw0rd” is used as a password, it can be cracked. Create a stronger password policy that administrators must follow.
  • Set a lockout duration that applies when someone enters an incorrect password a specified number of times.

 


 

 


Using zones to simplify firewall policies


This cookbook recipe shows how grouping multiple interfaces into a zone can simplify firewall policies. In this example, we create VLAN10, VLAN20, and VLAN30 and add them into a zone called the “LAN Zone.” Instead of having to reference all 3 interfaces separately as a source interface in our firewall policy, we can just use the single zone object.

Zones can also group many other kinds of interfaces in addition to VLANs, such as physical ports or IPsec tunnels.

1. Creating the VLAN interfaces

Go to Network > Interfaces and select Create New > Interface.

Create the VLAN interface for VLAN ID 10 and enable the DHCP server option.

Create the VLAN interface for VLAN ID 20 and enable the DHCP server option.

Create the VLAN interface for VLAN ID 30 and enable the DHCP server option.

2. Creating the zone

Under Network > Interfaces, select Create New > Zone, name the zone LAN Zone, and add the newly created VLANs to the zone.

Leave Block intra-zone traffic enabled to prevent communication between the VLAN interfaces.

3. Creating a firewall policy for the zone

Navigate to Policy & Objects > IPv4 Policy and create a firewall policy that allows any VLAN in the “LAN Zone” to access the Internet.

Select any security profiles desired with best practices and business requirements in mind.
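The same three steps expressed in the FortiOS CLI, as an added example that is not part of the original recipe. The parent interface (port2), the WAN interface (wan1), the VLAN subnets and the policy name are assumptions; the DHCP server settings from Step 1 (config system dhcp server) are omitted here.

```fortios
# Step 1: three VLAN sub-interfaces on an assumed parent port (port2).
# Subnets are assumed; adjust to the addressing actually in use.
config system interface
    edit "VLAN10"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set ip 192.168.10.1 255.255.255.0
    next
    edit "VLAN20"
        set vdom "root"
        set interface "port2"
        set vlanid 20
        set ip 192.168.20.1 255.255.255.0
    next
    edit "VLAN30"
        set vdom "root"
        set interface "port2"
        set vlanid 30
        set ip 192.168.30.1 255.255.255.0
    next
end
# Step 2: the zone. "intrazone deny" is the CLI equivalent of the GUI's
# "Block intra-zone traffic", so hosts on VLAN10 cannot reach VLAN20 or VLAN30.
# The CLI rejects this command if any listed interface is already referenced
# by a firewall policy; remove that reference first.
config system zone
    edit "LAN Zone"
        set intrazone deny
        set interface "VLAN10" "VLAN20" "VLAN30"
    next
end
# Step 3: one policy referencing the zone instead of three source interfaces.
# "edit 0" lets FortiOS assign the next free policy ID; the name is assumed.
config firewall policy
    edit 0
        set name "LAN Zone to Internet"
        set srcintf "LAN Zone"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

A fourth VLAN later only needs an entry in the zone's interface list; the policy itself does not change.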

Results

Users from VLAN10, VLAN20, or VLAN30 will now have Internet access.

As new VLANs are added in the future, they can be added to “LAN Zone” without having to modify the firewall policy we created in Step 3.

For further reading, check out Zones in the FortiOS 5.6 Handbook.

Interfaces that are already used in firewall policies cannot be added to a zone.

Create internal network subnet

This recipe is part of the process of deploying FortiGate for OCI. Note that OCI is only supported by FortiOS 5.4.8. See below for the rest of the recipes in this process:

  1. Create a virtual cloud network and public-facing subnets
  2. Create a security list
  3. Create a route table for the internal network
  4. Create internal network subnet
  5. Obtain the deployment image file and place it in your bucket
  6. Import the image
  7. Launch the FortiGate instance
  8. Attach a storage to FortiGate (required)
  9. Access the FortiGate
  10. Create the second vNIC
  11. Configure the second vNIC on the FortiGate
  12. Change the protected network’s default route
  13. [Connectivity test] Configure FortiGate firewall policies and virtual IPs

  1. Let’s create an internal protected network, where virtual machines will be placed under the FortiGate’s protection. Click Create Subnet.
  2. Let’s create the internal protected network in the availability domain where the FortiGate is located. Choose the appropriate domain in use, then enter the internal subnet. The route table must be the one created earlier for the internal network. Under SUBNET ACCESS, select PRIVATE SUBNET. You can select any security list as desired. In the example, a security list that allows all protocols for any source and destination was selected. Note you must create the security list prior to this configuration.

Deploying FortiGate for OCI
