Channel: Fortinet Cookbook

Configuration Notifications in FortiMail


When FortiMail decides to take action against an offending email message, it can notify the senders and/or the recipients of the action that was taken.

This recipe guides you through the process of creating and configuring a notification profile that will allow you to stay more informed of the actions your unit is taking.

 

 Creating a Notification Profile

First we’ll need to create a notification profile

  1. Go to Profile > Notification > Notification.
  2. Select New.
  3. Enter a descriptive name.
  4. Select the type from the dropdown menu. Generic is used in antispam, antivirus, and content profiles to notify the sender or recipient. Sender Address Rate Control only notifies the senders and the original message 
  5. Enable the individuals you want to send the notification to: sender, recipient, or others. If you choose “others” you’ll need to enter the email addresses in the email address section.
  6. Select an email template to use.
  7. Select OK.
 

The post Configuration Notifications in FortiMail appeared first on Fortinet Cookbook.


Working with Dictionary Profiles in FortiMail


Your FortiMail unit can use a dictionary profile to determine if an email is likely to be spam, based on predefined or user-defined patterns, like a Canadian SIN pattern. While the process sounds similar to banned words scanning, dictionary terms are UTF-8 encoded, which means they can include characters other than US-ASCII characters, such as é or ñ.

In this recipe, we’ll guide you through the process of creating a dictionary profile and then we’ll configure the dictionary options.

Caution: Dictionary profile scans are more resource intensive than banned word scans.
 

 Creating a Dictionary Profile

First we’ll need to create a dictionary profile

  1. Go to Profile > Dictionary > Dictionary.
  2. Select New to create a new profile or edit an existing profile by selecting a profile and selecting Edit.
  3. Enter the name for the profile.
  4. Double-click an existing predefined pattern and then select Enable and then OK.
  5. If you wish to create your own pattern, select New in the Dictionary Entries section.
  6. Enable the pattern and enter a word or phrase that you want the dictionary to match. Matches are case insensitive.
  7. Select Regex or Wildcard from the Pattern type dropdown menu.
  8. Enter the pattern weight and maximum pattern weight.
  9. Enable whether to match occurrences of the pattern when it is located in an email’s header or body. 
  10. Select Create and Create once more.
 

Configuring Dictionary Options

With the dictionary profile created, we can now move on to configuring the dictionary scan options.

To configure dictionary scan options

  1. Go to Profile > AntiSpam > AntiSpam.
  2. Double-click an existing profile.
  3. Expand the Scan Configuration section and then the Dictionary section.
  4. Enable Dictionary.
  5. Select the Action profile you want the FortiMail unit to use if the dictionary scan finds spam email.
  6. Select the previously created profile from the dictionary profile dropdown menu.
  7. Enter the minimum dictionary score. This is the number of dictionary term matches above which the email will be considered spam.
  8. Select OK.
 


Configuring Adult Image Analysis in FortiMail


Maybe you suspect an employee of viewing adult images or videos during office hours through his or her email. Maybe you’re receiving unsolicited adult files through your email. In either scenario, FortiMail can help you keep your office setting professional through a new scanning option that detects if an email contains adult sensitive material.

In this recipe, we’ll guide you through the process of configuring a content profile to scan for adult images in the email body and attachments.

 
 

 Configuring a Content Profile and Scan Options

For this recipe we’ll need to briefly go over the content profile creation process. If you would like a more detailed explanation, see the content profile section in the FortiMail Administrator Guide.

To establish a content profile

  1. Go to Profile > Content > Content.
  2. Select New or edit an existing profile.
  3. Select the appropriate domain from the Domain dropdown menu. Selecting “System” shows profiles from the entire FortiMail unit.
  4. Enter a profile name.
  5. Select “Reject” from the Action dropdown menu to make FortiMail reply to the SMTP client with SMTP reply code 550. All emails containing adult images will be rejected.
  6. Enable video, audio, and image from the attachment scan rules. This ensures that video, audio, and image attachments are scanned for adult images.
  7. Enable Adult image analysis under the Scan Options section.

  

Establishing Adult Image Analysis

With the content profile properly configured, we can now move on to configuring adult image analysis settings. 

  1. Go to Security > Other > Adult Image Analysis.
  2. Enable the analysis.
  3. Adjust the sensitivity of the rating. Adjusting the sensitivity to the appropriate number will avoid false positives and false negatives.
  4. Enter the minimum and maximum image size.
  5. Select Apply.
 


Configuring Banned Words in FortiMail


What if you know through experience that the occurrence of a certain word in your emails is typically linked to spam? FortiMail can scan an email and look for certain banned words and log those messages as spam when the word is detected.

The following recipe guides you through the easy process of configuring your FortiMail unit to scan for banned words and define known safe words that will bypass the scanning process.

 
 

 Configuring an AntiSpam Profile

To configure banned word scan options in FortiMail

  1. Go to Profile > AntiSpam > AntiSpam.
  2. Select an existing profile and select Edit or create a new profile. For more information on creating an AntiSpam profile see the corresponding chapter in the FortiMail Administrator Guide.
  3. Expand the Scan Configuration section.
  4. Enable Banned word and then select Configuration.
  5. Select New.
  6. Enter the word you wish to be banned in the Banned Word field.
  7. Enable both Subject and Body to let FortiMail scan the subject line and the body of the email for the banned word.
  8. Select OK.

  

 

Configuring Safelist Word Options

As an added bonus, you can also configure a safelist word section in your profile that tells your FortiMail unit to allow messages whose subject or body contains a particular word. So, for example, we could make it so the unit lets every email containing the word “meeting” through without scanning.

To configure safelist scan options

  1. Go to Profile > AntiSpam > AntiSpam.
  2. Edit an existing profile or create a new one.
  3. Expand Scan Configurations.
  4. Enable Safelist word and select Configuration.
  5. Select New.
  6. Enter the word you want to bypass scanning.
  7. Enable both the Subject and Body selection.
  8. Select OK and OK once more.
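To see how the three text scans from these recipes interact (the dictionary profile with its pattern weights and minimum dictionary score, the banned word list, and the safelist word bypass), here is an added Python model that is not FortiMail code and not from the cookbook. It uses the GUI field names, but the scoring rules are assumptions: each occurrence of a dictionary entry adds its pattern weight, an entry's total is capped at its maximum pattern weight, the verdict is spam when the sum reaches the minimum dictionary score, and safelist words are checked before anything else. The wildcard syntax, the Canadian SIN regex, and all sample messages are constructed for this example.

```python
"""Constructed model of the FortiMail safelist-word, banned-word and dictionary
scans described in these recipes. Added example, not FortiMail code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Message:
    subject: str
    headers: Dict[str, str]   # other header fields (constructed sample data below)
    body: str

    def header_text(self) -> str:
        """Header block as a dictionary entry with 'header' enabled would see it."""
        lines = [f"Subject: {self.subject}"] + [f"{k}: {v}" for k, v in self.headers.items()]
        return "\n".join(lines)


@dataclass
class DictionaryEntry:
    pattern: str
    pattern_type: str          # GUI "Pattern type": "regex" or "wildcard"
    weight: int                # GUI "pattern weight": added once per occurrence (assumption)
    max_weight: int            # GUI "maximum pattern weight": cap per entry (assumption)
    in_header: bool = True
    in_body: bool = True

    def regex(self):
        if self.pattern_type == "wildcard":
            # Assumed wildcard semantics: '*' is any run of non-space characters,
            # '?' is one character, and the match must start at a token boundary.
            body = "".join({"*": r"\S*", "?": r"\S"}.get(c, re.escape(c)) for c in self.pattern)
            source = r"(?<!\S)" + body
        else:
            source = self.pattern
        return re.compile(source, re.IGNORECASE)   # matches are case insensitive (recipe)

    def score(self, msg: Message) -> int:
        rx = self.regex()
        hits = 0
        if self.in_header:
            hits += sum(1 for _ in rx.finditer(msg.header_text()))
        if self.in_body:
            hits += sum(1 for _ in rx.finditer(msg.body))
        return min(hits * self.weight, self.max_weight)


@dataclass
class AntiSpamProfile:
    safelist_words: List[str] = field(default_factory=list)
    banned_words: List[str] = field(default_factory=list)
    dictionary: List[DictionaryEntry] = field(default_factory=list)
    min_dictionary_score: int = 10
    scan_subject: bool = True   # GUI "Subject" checkbox for banned/safelist words
    scan_body: bool = True      # GUI "Body" checkbox


@dataclass
class ScanResult:
    verdict: str                # "allow" or "spam"
    reason: str
    dictionary_score: int = 0


def word_present(word: str, msg: Message, profile: AntiSpamProfile) -> bool:
    """Whole-word, case-insensitive search of the subject and/or body."""
    rx = re.compile(r"(?<!\w)" + re.escape(word) + r"(?!\w)", re.IGNORECASE)
    texts = ([msg.subject] if profile.scan_subject else []) + ([msg.body] if profile.scan_body else [])
    return any(rx.search(t) for t in texts)


def scan(msg: Message, profile: AntiSpamProfile) -> ScanResult:
    # Order is an assumption: a safelist word bypasses everything, a banned word
    # is an immediate spam verdict, and the dictionary score decides the rest.
    for w in profile.safelist_words:
        if word_present(w, msg, profile):
            return ScanResult("allow", f"safelist word '{w}'")
    for w in profile.banned_words:
        if word_present(w, msg, profile):
            return ScanResult("spam", f"banned word '{w}'")
    score = sum(e.score(msg) for e in profile.dictionary)
    if score >= profile.min_dictionary_score:   # ">=" assumed from the word "minimum"
        return ScanResult("spam", "dictionary score", score)
    return ScanResult("allow", "no match", score)


SAMPLE_PROFILE = AntiSpamProfile(
    safelist_words=["meeting"],
    banned_words=["lottery"],
    dictionary=[
        # Canadian SIN style pattern (nine digits, optional separators); constructed regex
        DictionaryEntry(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b", "regex", weight=10, max_weight=20, in_header=False),
        DictionaryEntry("free*", "wildcard", weight=1, max_weight=3),
    ],
    min_dictionary_score=10,
)

SAMPLE_MESSAGES = {   # constructed sample messages
    "safelisted": Message("Team meeting tomorrow", {"From": "alice@example.test"}, "Bring the lottery results."),
    "banned": Message("You won", {"From": "promo@example.test"}, "Claim your lottery prize today."),
    "dictionary": Message("Claim your gift", {"From": "promo@example.test"},
                          "Your free gift! Send your SIN 046-454-286 or 123 456 789 to claim. Free shipping, free returns."),
    "clean": Message("Invoice 42", {"From": "billing@example.test"}, "Attached is the invoice for March."),
}


def run_samples() -> Dict[str, ScanResult]:
    return {name: scan(m, SAMPLE_PROFILE) for name, m in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, r in run_samples().items():
        print(f"{name:11} {r.verdict:5} {r.reason} (dictionary score {r.dictionary_score})")
```

The "dictionary" sample scores 23: two SIN matches give 20 (capped at the entry's maximum of 20) and three occurrences of "free" give 3. The "safelisted" sample contains the banned word "lottery" but is still allowed, which is the behaviour the safelist recipe describes and the reason to keep that list short.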
 


Importing Users in FortiMail


What if you want to quickly add a list of new local users? You can do so outside FortiMail through a spreadsheet editor like Excel and import the information into FortiMail. The following easy-to-follow recipe guides you through the quick process of importing new users into FortiMail.

 
 

Importing a User List

To create and import user records

  1. Go to Domain & User > User > User.
  2. Select a user and then select Export .CSV.
  3. Save the file and then open the CSV file in a spreadsheet editor, like Microsoft Excel.
  4. Enter the user records in the columns to match the exported format.
  5. Select Save As to save the file as a CSV file.
  6. Select Import .CSV in FortiMail.
  7. Find your file, select Open, and then select OK.

All the users you created in Excel will be imported into FortiMail.



Customizing the FortiMail GUI Appearance


What if you need to change the appearance of your webmail page? Maybe you want to insert your own corporate logo and product name into the user interface. This recipe guides you through the process of customizing your GUI.

 
 

 Customizing the Administrative Portal

Only administrators can change the appearance of the interface.

To customize the GUI appearance

  1. Go to System > Customization > Appearance.
  2. Expand the Admin Portal.
  3. Enter the name of the product. This name precedes the Administrator Login in the title on the login page.
  4. Select Change to choose your own custom icon and logo. These images appear at the top of all pages on the web UI. 
  5. Select your default language and theme.

 

 

 Customizing the Webmail Portal

You can also change the appearance of the webmail page.

  1. Go to System > Customization > Appearance.
  2. Expand the Webmail Portal.
  3. Enter the name that appears on the top of the webmail login page.
  4. Enter a hint for the user name. For example, the hint could be “Your Email Address”.
  5. Select a theme for the webmail GUI from the Login page dropdown menu.
  6. Select your desired language from the Webmail language dropdown menu. You can create your own custom language. See the Administrator guide for more details.
  7. Select Change from the custom logo section to add your own graphic.
  8. Select Apply.


  

 



Creating Custom Messages in FortiMail


Whenever your FortiMail unit detects a virus it replaces the attachment with a message that provides information on the virus and the source of the email. All messages received by your unit are customizable. This recipe guides you through the process of customizing your replacement messages.

 
 

 Creating Variables

Before you create your custom message you’ll likely want to create new predefined variables to insert into your custom message. Typically, these variables represent messages that you will frequently use.

To create a new variable

  1. Go to System > Customization > Custom Message.
  2. Select a replacement message or email template you want to edit and then select Edit Variable.
  3. Select New.
  4. Enter a name. The typical format is as follows: %%EXAMPLE%%. So, if I wanted the name of the file that is infected to appear in the message, I would enter: %%FILE%%.
  5. Enter a descriptive display name. This name appears in the variable list when you select Insert Variables.
  6. Enter the variable’s content. Click Insert Variables to include any existing variables. For example, you could enter:
    The file %%FILE%% is infected with the virus %%VIRUS%% and has been deleted.
  7. Select Create.

There is a fairly large list of variables available at your disposal. Check the appropriate section in the FortiMail Administrator Guide.


  

 

 Creating a Custom Message

With your custom variable created, you can now customize the replacement message

  1. Go to System > Customization > Custom Message.
  2. Double click a message to edit the message.
  3. Enter your replacement message in the content section. There is a 4000 character limitation.
  4. Enter your custom variable by selecting Insert Variable.
  5. Select your desired variable from the list and then select the close button.
  6. Select OK.
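The variable mechanism above is easy to get wrong in two ways the GUI does not flag for you: a variable whose content refers to another variable that refers back to it, and a rendered message that exceeds the 4000-character limit once every %%VAR%% has been expanded. Here is an added Python model of the expansion (not FortiMail code and not from the cookbook) that catches both. The %%NAME%% syntax, the 4000-character limit, and the INFECTED_NOTICE text come from the recipe; the names SIGNATURE and COMPANY, the sample values, and the choice to leave unknown variables in place so they can be reported are assumptions made for this example.

```python
"""Constructed model of FortiMail custom-message variables: %%NAME%% tokens,
variables whose content references other variables, and the 4000-character
limit on a replacement message. Added example, not FortiMail code."""
import re
from typing import Dict, List, Tuple

VAR_RX = re.compile(r"%%([A-Za-z0-9_]+)%%")
MAX_MESSAGE_LEN = 4000      # limit stated in the recipe


def render(template: str, user_vars: Dict[str, str], runtime: Dict[str, str],
           _stack: Tuple[str, ...] = ()) -> str:
    """Expand %%VAR%% tokens. user_vars are the admin-defined variables (their
    content may itself contain variables); runtime holds values known only when
    a message is generated, such as FILE and VIRUS. Unknown names are left in
    place (assumption) so that find_unresolved() can report them."""
    def substitute(m):
        name = m.group(1)
        if name in _stack:
            raise ValueError("variable cycle: " + " -> ".join(_stack + (name,)))
        if name in user_vars:
            return render(user_vars[name], user_vars, runtime, _stack + (name,))
        if name in runtime:
            return runtime[name]
        return m.group(0)
    return VAR_RX.sub(substitute, template)


def find_unresolved(text: str) -> List[str]:
    """Variable tokens still present after rendering."""
    return VAR_RX.findall(text)


def within_limit(text: str) -> bool:
    """True if the rendered message fits the 4000-character limit."""
    return len(text) <= MAX_MESSAGE_LEN


def has_cycle(user_vars: Dict[str, str]) -> bool:
    """True if expanding any admin-defined variable would recurse forever."""
    try:
        for name in user_vars:
            render(f"%%{name}%%", user_vars, {})
        return False
    except ValueError:
        return True


# Admin-defined variables: INFECTED_NOTICE is the recipe's own example text;
# SIGNATURE and COMPANY are constructed for this example.
USER_VARIABLES = {
    "INFECTED_NOTICE": "The file %%FILE%% is infected with the virus %%VIRUS%% and has been deleted.",
    "SIGNATURE": "-- Mail security team, %%COMPANY%%",
}
# Values a scan would supply when the message is generated (constructed sample values)
RUNTIME_VALUES = {"FILE": "invoice.zip", "VIRUS": "EICAR-Test-File", "COMPANY": "Example Corp"}
REPLACEMENT_TEMPLATE = "%%INFECTED_NOTICE%%\n\n%%SIGNATURE%%"


def render_sample() -> str:
    return render(REPLACEMENT_TEMPLATE, USER_VARIABLES, RUNTIME_VALUES)


if __name__ == "__main__":
    out = render_sample()
    print(out)
    print("unresolved:", find_unresolved(out), "| within limit:", within_limit(out))
```

Run the length check on the rendered output, not on the template: a template well under 4000 characters can expand past the limit once long variables are inserted.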

  



FortiGate 60E Series Installation Guide


The FortiGate unit can be placed on any flat surface with the provided rubber feet, or mounted to a wall with the provided mounting hardware.

To install the unit on a flat surface

  1. Ensure that the surface onto which the FortiGate unit is to be installed is clean, level, and stable, and that there is at least 1.5in (3.8cm) of clearance on all sides to allow for adequate airflow.
  2. Attach the provided rubber feet, if not already attached, to the bottom of the FortiGate unit.
  3. Place the unit in the designated location.
  4. Verify that the spacing around the FortiGate unit conforms to requirements and that the unit is level.
  5. If applicable, attach the antennas to the device.
  6. Plug the provided power adapter into the rear of the unit, and then plug the transformer into a grounded electrical outlet or a separate power source such as an uninterruptible power supply (UPS) or a power distribution unit (PDU) with the provided power cable.

To mount the device on a wall

  1. Use the mounting bracket to mark the location of the mounting holes on a flat wall surface.
  2. Drill the mounting holes in the marked locations.
  3. Insert the provided anchors into the drilled holes and then screw the screws into the anchors, leaving approximately 2mm of the screw exposed for connecting to the mounting bracket.
  4. Fasten the mounting bracket securely to the back of the unit using the provided screws.
  5. Position the device with the attached mounting bracket over the exposed screws in the wall, then slide the device downward to secure it in place.
  6. If applicable, attach the antennas to the device.
  7. Plug the provided power adapter into the rear of the unit, and then plug the transformer into a grounded electrical outlet or a separate power source such as an uninterruptible power supply (UPS) or a power distribution unit (PDU) with the provided power cable.



Inter-VDOM communication with static routing


In this recipe, you will configure virtual domains (VDOMs) and allow communication between them with static routing.

In this example, a managed security service provider (MSSP) provides controlled Internet access to two companies (Company A and Company B). The MSSP, Company A, and Company B each have a VDOM (named root, VDOM-A, and VDOM-B) that is managed independently. Connections from VDOM-A and VDOM-B to root are made using VDOM Links (named IVL-A and IVL-B).

The management PC connected to the root VDOM will be used during this cookbook recipe.

1. Planning the network topology and addressing scheme

Below is the network diagram that we will use for this cookbook recipe. It was created based on the requirements in the example scenario.

As noted above, a connection between root and VDOM-A, as well as root and VDOM-B, will be achieved with a VDOM Link. VDOM-A and VDOM-B will not be allowed to communicate with each other directly; any communication between VDOM-A and VDOM-B has to be allowed by the root VDOM.

2. Switching to VDOM mode and creating two VDOMs

Go to System > Settings and, under the Operations Settings section, enable Virtual Domains.

You will be required to re-login after enabling virtual domains because the GUI menu options change.

 

Certain FortiGate models will not show the above option under System Settings. For these models, click the >_ icon in the top-right corner of the GUI and enter the following command in the CLI Console:

config system global
  set vdom-admin enable
end

Enter y when you are asked if you want to continue.

You will be required to re-login to the GUI after enabling virtual domains because the GUI menu options change.

Make sure that Global is selected from the dropdown menu located in the top-left corner. This allows you to make changes to the global configuration.

 

Go to System > VDOM and select Create New.

Name the Virtual Domain VDOM-A, and leave the defaults for Inspection Mode and NGFW Mode. Select OK to create your first VDOM.

 
Repeat the process above to create a second VDOM, VDOM-B.

3. Adding interfaces to VDOM-A and VDOM-B

In this example, one hardware switch interface (comprised of 3 physical interfaces) will be added to VDOM-A and VDOM-B for use by the local network.

If an interface is used in an existing FortiGate configuration, the VDOM assignment cannot be changed. Because some FortiGate models have a default configuration, you may need to delete existing policies and routes in order to make changes to that particular interface.

From Global, go to Network > Interfaces and edit the internal interface. 

Remove all Interface Members except for internal1, and ensure the Virtual Domain is set to root. All other settings can stay their default values.

 

The interface members we just removed from the internal hardware switch will be listed separately as internal2, internal3, etc., but will still belong to the root VDOM.

Edit internal2 and change the Virtual Domain to VDOM-A. Leave the other settings at their defaults.

Repeat this step for internal3 and internal4 to make them a member of VDOM-A.

 

Edit internal5, internal6, and internal7 and change their Virtual Domain to VDOM-B.

Your interface overview should now show internal1 assigned to root, internal2-4 assigned to VDOM-A, and internal5-7 assigned to VDOM-B.

 

Go to Network > Interfaces and create a new interface.

Type LAN-A for the Interface Name, set the Type to Hardware Switch, and set the Virtual Domain to VDOM-A.

Select internal2-4 as the Interface Members, and set the Role to LAN.

Assign 10.1.1.1/24 as the IP/Network Mask, set Administrative Access to HTTPS, PING, and SSH, and enable DHCP Server.

 

Create another interface, this time setting Interface Name as LAN-B. Set the Type to Hardware Switch, and set the Virtual Domain to VDOM-B.

Select internal5-7 as the Interface Members, and set the Role to LAN.

Assign 10.2.2.1/24 as the IP/Network Mask, set Administrative Access to HTTPS, PING, and SSH, and enable DHCP Server.

 

Your interface list should now show internal assigned to root, LAN-A assigned to VDOM-A, and LAN-B assigned to VDOM-B.

 

4. Connecting VDOMs with Virtual Links

Virtual Links are used to virtually connect VDOMs that would otherwise not be able to communicate with each other. A VDOM Link consists of two sub-interfaces, called Interface 0 and Interface 1, where each sub-interface is a member of one of the VDOMs that is being connected together. This can be conceptualized as two ends of a point-to-point link.

From Global, go to Network > Interfaces and select Create New > VDOM Link. Give the new VDOM Link the name IVL-A.

For Interface 0, select the Virtual Domain of root. Give it an IP/Netmask of 172.16.1.1/30, and set the Administrative Access to PING only.

For Interface 1, select the Virtual Domain of VDOM-A. Give it an IP/Netmask of 172.16.1.2/30, and set the Administrative Access to PING only.

 

Select Create New > VDOM Link to begin creating a second VDOM Link. Give the new VDOM Link the name IVL-B.

For Interface 0, select the Virtual Domain of root. Give it an IP/Netmask of 172.16.1.5/30, and set the Administrative Access to PING only.

For Interface 1, select the Virtual Domain of VDOM-B. Give it an IP/Netmask of 172.16.1.6/30, and set the Administrative Access to PING only.

 

5. Creating static routes in the root VDOM

Select root from the dropdown menu located in the top-left corner. This allows you to make changes to the root VDOM.  

Go to Network > Static Routes and select Create New.

Enter the Destination of 10.1.1.0/24, which is the subnet for VDOM-A’s internal network.

For Interface, select IVL-A0 from the dropdown menu, and then enter 172.16.1.2 for the Gateway, which is VDOM-A’s VDOM Link IP address.

 

Create a second route.

Enter the Destination of 10.2.2.0/24, which is the subnet for VDOM-B’s internal network.

For Interface, select IVL-B0 from the dropdown menu, and then enter 172.16.1.6 for the Gateway, which is VDOM-B’s VDOM Link IP address.

 

If your WAN interface receives a default route via DHCP or PPPoE, then it is not required to statically configure a default route.

However, if your WAN interface has been statically configured with an IP address, then you will need to add a static default route, shown below.

Create another route, which will be the static default route.

Leave the Destination of 0.0.0.0/0.0.0.0, which indicates this is the default route.

For Interface, select wan1 from the dropdown menu, and then enter your ISP-provided gateway IP for the Gateway field, which in this example is 172.25.176.41.

 

6. Creating firewall policies to allow Internet access through the root VDOM

Go to Policy & Objects > IPv4 Policy and select Create New.

Enter MGMT to Internet for the policy Name. Select internal for Incoming Interface and wan1 for Outgoing Interface.

Select all for the Source, all for the Destination, and ALL for the Service fields.

Leave NAT enabled and enable the Security Profiles desired to meet business requirements and best practices.

 

Create another policy.

Enter VDOM-A to Internet for the policy Name. Select IVL-A0 for Incoming Interface and wan1 for Outgoing Interface.

Select all for the Source, all for the Destination, and ALL for the Service fields.

Leave NAT enabled, and enable the Security Profiles desired to meet business requirements and best practices.

 

Create another policy.

Enter VDOM-B to Internet for the policy Name. Select IVL-B0 for Incoming Interface and wan1 for Outgoing Interface.

Select all for the Source, all for the Destination, and ALL for the Service fields.

Leave NAT enabled, and enable the Security Profiles desired to meet business requirements and best practices.

 

7. [Optional] Creating firewall policies in the root VDOM to allow VDOM-A and VDOM-B to communicate

If your business needs require VDOM-A to be able to communicate with VDOM-B, two additional policies will be needed.

Select Create New under Policy & Objects > IPv4 Policy and set Name to VDOM-A to VDOM-B. Select IVL-A0 for Incoming Interface and IVL-B0 for Outgoing Interface.

Select all for the Source, all for the Destination, ALL for the Service fields, and disable NAT.

Enable the Security Profiles desired to meet business requirements and best practices.

 

Create another policy and set Name to VDOM-B to VDOM-A. Select IVL-B0 for Incoming Interface and IVL-A0 for Outgoing Interface.

Select all for the Source, all for the Destination, ALL for the Service fields, and disable NAT.

Enable the Security Profiles desired to meet business requirements and best practices.

 

8. Creating firewall policies and static routes in VDOM-A

Select VDOM-A from the dropdown menu located in the top-left corner. This allows you to make changes to VDOM-A.

 

Go to Network > Static Routes and select Create New.

Leave the Destination of 0.0.0.0/0.0.0.0, which indicates this will be the default route.

For Interface, select IVL-A1 from the dropdown menu, and then enter 172.16.1.1 for the Gateway, which is root’s VDOM Link IP address on IVL-A.

 

Go to Policy & Objects > IPv4 Policies and Create New. Give the policy a Name of VDOM-A to root.

Select LAN-A for Incoming Interface and IVL-A1 for Outgoing Interface.

Select all for the Source, all for the Destination, and ALL for the Service fields. Disable NAT.

Company-A can enable the Security Profiles desired to meet their business requirements and best practices.

 

9. Creating firewall policies and static routes in VDOM-B

Select VDOM-B from the dropdown menu located in the top-left corner. This allows you to make changes to VDOM-B.  

Go to Network > Static Routes and select Create New.

Leave the Destination of 0.0.0.0/0.0.0.0, which indicates this will be the default route.

For Interface, select IVL-B1 from the dropdown menu, and then enter 172.16.1.5 for the Gateway, which is root’s VDOM Link IP address on IVL-B.

 

Go to Policy & Objects > IPv4 Policies and Create New. Give the policy a Name of VDOM-B to root.

Select LAN-B for Incoming Interface and IVL-B1 for Outgoing Interface.

Select all for the Source, all for the Destination, and ALL for the Service fields. Disable NAT.

Company-B can enable the Security Profiles desired to meet their business requirements and best practices.
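Before applying steps 4 to 9 on a device, it helps to check the addressing and policy plan on paper: every static gateway must sit inside the subnet of the interface it is reached through, and a flow must find both a route and a matching policy in every VDOM it crosses. Here is an added Python model of this recipe's topology that does both checks (not FortiOS code, not from the cookbook). The VDOM link addresses, LAN subnets, routes, and policy interface pairs are the ones given above; the addresses of internal and wan1 are assumed because the recipe does not state them, and the gateway-on-link rule and the route-then-policy evaluation order are simplifications of what FortiOS does.

```python
"""Constructed model of the VDOM topology in this recipe: per-VDOM route lookup
and policy checks, chained across the VDOM links. Added example, not FortiOS
code; addresses not given in the recipe are marked as assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    vdom: str
    address: str                   # "ip/prefixlen"


@dataclass(frozen=True)
class Route:
    vdom: str
    destination: str               # CIDR; "0.0.0.0/0" is the default route
    interface: str
    gateway: Optional[str] = None  # None marks a connected route


class Fabric:
    def __init__(self, interfaces, routes, policies, links):
        self.interfaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.routes: List[Route] = list(routes)
        for i in interfaces:       # connected routes come from interface addresses
            self.routes.append(Route(i.vdom, str(ipaddress.ip_interface(i.address).network), i.name))
        self.policies = set(policies)          # (vdom, incoming interface, outgoing interface)
        self.peer: Dict[str, str] = {}
        for a, b in links:         # the two sub-interfaces of each VDOM link
            self.peer[a], self.peer[b] = b, a

    def lookup(self, vdom: str, dst: str) -> Optional[Route]:
        """Longest-prefix match within one VDOM's routing table."""
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if r.vdom == vdom and ip in ipaddress.ip_network(r.destination)]
        if not matches:
            return None
        return max(matches, key=lambda r: ipaddress.ip_network(r.destination).prefixlen)

    def check_gateways(self) -> List[str]:
        """Every static gateway must sit inside its egress interface's subnet."""
        problems = []
        for r in self.routes:
            if r.gateway is None:
                continue
            net = ipaddress.ip_interface(self.interfaces[r.interface].address).network
            if ipaddress.ip_address(r.gateway) not in net:
                problems.append(f"{r.vdom}: gateway {r.gateway} for {r.destination} is not on {r.interface} ({net})")
        return problems

    def trace(self, vdom: str, ingress: str, dst: str) -> Tuple[List[Tuple[str, str, str]], str]:
        """Follow a new flow: route lookup, then policy check, hopping across VDOM links."""
        hops = []
        for _ in range(8):         # bound the walk in case links form a loop
            route = self.lookup(vdom, dst)
            if route is None:
                return hops, f"no route to {dst} in {vdom}"
            egress = route.interface
            if (vdom, ingress, egress) not in self.policies:
                return hops, f"denied: no policy {ingress} -> {egress} in {vdom}"
            hops.append((vdom, ingress, egress))
            if egress not in self.peer:
                return hops, f"forwarded out {egress} in {vdom}"
            ingress = self.peer[egress]             # enter the peer VDOM on the other link end
            vdom = self.interfaces[ingress].vdom
        return hops, "aborted: too many hops"


def build_recipe_fabric(optional_step7: bool = False) -> Fabric:
    """The recipe's configuration; optional_step7 adds the root VDOM-A <-> VDOM-B policies."""
    interfaces = [
        Interface("internal", "root", "192.168.1.99/24"),   # assumed; recipe gives no address
        Interface("wan1", "root", "172.25.176.42/24"),      # assumed; recipe gives only the gateway
        Interface("IVL-A0", "root", "172.16.1.1/30"), Interface("IVL-A1", "VDOM-A", "172.16.1.2/30"),
        Interface("IVL-B0", "root", "172.16.1.5/30"), Interface("IVL-B1", "VDOM-B", "172.16.1.6/30"),
        Interface("LAN-A", "VDOM-A", "10.1.1.1/24"), Interface("LAN-B", "VDOM-B", "10.2.2.1/24"),
    ]
    routes = [
        Route("root", "10.1.1.0/24", "IVL-A0", "172.16.1.2"),
        Route("root", "10.2.2.0/24", "IVL-B0", "172.16.1.6"),
        Route("root", "0.0.0.0/0", "wan1", "172.25.176.41"),
        Route("VDOM-A", "0.0.0.0/0", "IVL-A1", "172.16.1.1"),
        Route("VDOM-B", "0.0.0.0/0", "IVL-B1", "172.16.1.5"),
    ]
    policies = [("root", "internal", "wan1"), ("root", "IVL-A0", "wan1"), ("root", "IVL-B0", "wan1"),
                ("VDOM-A", "LAN-A", "IVL-A1"), ("VDOM-B", "LAN-B", "IVL-B1")]
    if optional_step7:
        policies += [("root", "IVL-A0", "IVL-B0"), ("root", "IVL-B0", "IVL-A0")]
    return Fabric(interfaces, routes, policies, [("IVL-A0", "IVL-A1"), ("IVL-B0", "IVL-B1")])


if __name__ == "__main__":
    fabric = build_recipe_fabric(optional_step7=True)
    print("gateway problems:", fabric.check_gateways() or "none")
    for dst in ("8.8.8.8", "10.2.2.20"):
        print(dst, fabric.trace("VDOM-A", "LAN-A", dst))
```

With the recipe's configuration the Internet-bound trace from LAN-A passes VDOM-A and root and leaves on wan1. The trace from LAN-A to a host on LAN-B with the optional step 7 policies in place is routed correctly through root but stops in VDOM-B, because the recipe lists no policy in VDOM-B from IVL-B1 to LAN-B; a company that wants to accept traffic arriving over its VDOM link needs a policy for that direction in its own VDOM, which the recipe does not include.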

 

10. Results

Using a PC located on VDOM-A’s internal network, generate Internet traffic.

On the management PC, select VDOM-A from the top-left dropdown, and navigate to FortiView > Policies. You can see traffic flowing through the VDOM-A to root policy.

 

Right-click the policy, then select Drill Down to Details. You can see more information about the traffic.

 

Using a PC located on VDOM-B’s internal network, generate Internet traffic.

On the management PC, select VDOM-B from the top-left dropdown, and navigate to FortiView > Policies. You can see traffic flowing through the VDOM-B to root policy.

 

Select root from the dropdown on the top-left, and navigate to FortiView > Policies. You can see traffic flowing through the VDOM-A to Internet and VDOM-B to Internet policies.

 

If you completed the optional Step 7, using a PC connected to VDOM-A’s internal network, initiate traffic to a device on VDOM-B’s internal network.

Select root from the dropdown on the top-left, and navigate to FortiView > Policies. You will see traffic flowing through the VDOM-A to VDOM-B and/or the VDOM-B to VDOM-A policies.

 

For further reading, check out Inter-VDOM Routing in the FortiOS 5.6 Handbook.

Notes:

  • Connecting VDOMs can be done physically (for example, connecting a cable between port2 and port4) or virtually (using VDOM Links).
  • The internal interface is the default hardware switch interface on many FortiGate models, including the FortiGate 60D used throughout this recipe. Your FortiGate model may have a slightly different configuration, so you will need to adjust accordingly.
  • If your FortiGate doesn’t support a Hardware Switch, you can use a Software Switch instead.
  • As a general best practice, it is not recommended to use the all object where this can be avoided. However, we will use it throughout this cookbook recipe for the sake of brevity.
  • FortiGates are stateful firewalls, so two policies allow both VDOM-A and VDOM-B to initiate traffic. Only one firewall policy is required if a certain VDOM will always initiate traffic, with reply traffic being allowed back in by the same policy.
  • Security profiles are not shared between VDOMs. This means the MSSP in the root VDOM can have one baseline set of security profiles to apply to traffic, while Company A can have their own, company-specific profiles.


Face Recognition Configuration in FortiCentral


FortiRecorder and FortiCentral support easy-to-use face detection for your ever-evolving security needs. This recipe guides you through the process of getting the best facial recognition results and configuring facial recognition in FortiCentral.

 Note: FortiRecorder automatically initializes and configures facial recognition when detected. No manual configuration is required.
 

 Ensuring Best Results

There are a few steps you should take to ensure the best possible results for a face match.

  1. Make sure the individual is at eye level with the camera and is facing forward and looking into the camera.
  2. Keep the area well lit to avoid harsh shadows.
  3. Do not pose the subject of the picture against a bright background, since this will darken their face and make facial recognition difficult.
  4. Keep the subject relatively still to reduce motion blur.

 

 

 FortiCentral Configuration

  1. Select the settings cog.
  2. Select Settings. 
  3. Select Analytics.
  4. Select the recorder receiving the results of the face analytics from the Face Recognition Database dropdown menu.
  5. Enable “Face Recognition in a snapshot” to allow FortiRecorder to receive individual snapshot images of people for later identification.
  6. Enable “Display EBC/GPC Demos” to electronically welcome guests based on recognition.
  7. Enable “Show Analytics Alarms” to start a playback loop of the moment a person triggered an alarm.
  8. Select OK.

  

 

 Facial Analytics Configuration

Face Analytics is the first implementation of a video analytics engine for FortiCentral. Setting it up is simple.

  1. Select a camera stream on a pane.
  2. Select the pane’s settings gear menu.
  3. Select Face Recognition from the Algorithm dropdown menu to activate analytics on the camera’s stream.
  4. Enable Visualize to enable the overlay of facial landmarks on a live video. This could help determine if the processing is functional. The displayed overlay has four different colors:
    White: Face detected but the quality is too low to generate a representation.
    Yellow: First frame taken as a snapshot and to generate facial representation.
    Magenta: The individual being tracked after initial detection.
    Cyan/Green: The individual track continued from face matching.
  5. Enable Show Snapshots to enable the display of the best snapshots associated with each track in a gallery.
  6. Enable Look For Names to activate a search for detected faces in the face database. If an enrolled person resembles someone in the database, their name is added to the bottom of the facial landmark.
  7. Select OK.

  

 



Setting up WiFi with a FortiAP


In this recipe, you will set up a WiFi network by adding a FortiAP in Tunnel mode to your network.

This recipe is in the Basic FortiGate network collection. You can also use it as a standalone recipe.

You can configure a FortiAP in either Tunnel mode (default) or Bridge mode. When a FortiAP is in Tunnel mode, a wireless-only subnet is used for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet.


1. Connecting and authorizing the FortiAP

To edit the interface that will connect to the FortiAP (in the example, port 22), go to Network > Interfaces.

Set Role to LAN and Addressing Mode to Manual. Set IP/Network Mask to a private IP address (in the example 10.10.200.1/255.255.255.0).

Under Administrative Access, enable CAPWAP.

Enable DHCP Server.

Under Networked Devices, enable Device Detection.

 

Connect the FortiAP unit to the interface.

To view the list of managed FortiAPs, go to WiFi & Switch Controller > Managed FortiAPs. The new FortiAP appears in the list but it is greyed out because it is not authorized.

Select the FortiAP, and select Authorize.

 

After a few minutes, select Refresh. The FortiGate shows the FortiAP as authorized.

2. Creating an SSID

To create a new SSID to be broadcast for WiFi users, go to WiFi & Switch Controller > SSID.

Set Traffic Mode to Tunnel and set IP/Network Mask to a private IP address (in the example 10.10.201.1/255.255.255.0).

Enable DHCP Server and Device Detection.

 

Under WiFi Settings, name the SSID (in the example, Office-WiFi) and set a secure Pre-shared Key.

Enable Broadcast SSID.

3. Creating a custom FortiAP profile

To create a new FortiAP profile, go to WiFi & Switch Controller > FortiAP Profiles.

Set Platform to the FortiAP model you are using (in the example, FAP221C) and Country/Region to the appropriate location.

Set an AP Login Password to secure the FortiAP.

Under Radio 1, set Mode to Access Point and SSIDs to Manual. Add your new SSID.

 

To assign the new profile, go to WiFi & Switch Controller > Managed FortiAPs and right-click the FortiAP. Select Assign Profile and set the FortiAP to use the new profile.

4. Allowing wireless access to the Internet

To create a new policy for wireless Internet access, go to Policy & Objects > IPv4 Policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface.

Enable NAT.

5. Results

Connect to the SSID with a wireless device. After a connection is established, browse the Internet to generate traffic.

To view the traffic using the wireless Internet access policy, go to FortiView > All Segments > Policies.
To view more information about this traffic, right-click the policy and select Drill Down to Details.

For further reading, check out Configuring a WiFi LAN in the FortiOS 6.0 Online Help.

Notes:

  • If the FortiAP does not appear, wait a few minutes, then refresh the page.
  • If you are in the United States, you can use the default profile for your FortiAP model, which has Country/Region set to United States.

The post Setting up WiFi with a FortiAP appeared first on Fortinet Cookbook.

Basic FortiGate network collection


The basic FortiGate network collection is intended to help you go from having an unboxed FortiGate to a functional network that includes wired connections, WiFi, and remote access.

The list of recipes contains instructions on how to configure a FortiGate and set up a basic network. By using the recipes in order, you can create a network similar to the one shown above.

If any recipe in this collection does not fit your own network configuration, you can skip it and move on to the next recipe.

This collection is based on FortiOS 6.0.


1. Installing a FortiGate in NAT/Route mode

This recipe shows you how to install a single FortiGate in your network using NAT/Route mode, which is the most commonly used operation mode.


2. FortiGate registration and basic settings

This recipe shows you how to register your FortiGate and configure some of the basic FortiGate settings.


3. Logging FortiGate traffic and using FortiView

This recipe shows you how to configure the FortiGate’s log settings and also contains information about FortiView, the FortiOS log viewing tool.


4. Creating security policies

This recipe shows you how to create and order different security policies.


5. Setting up WiFi with FortiAP

This recipe shows you how to allow WiFi access by adding a FortiAP to your network.


6. SSL VPN using web and tunnel mode

This recipe shows you how to set up an SSL VPN tunnel to allow remote users to access resources on the internal network.



Content Disarm and Reconstruction (CDR)


In this recipe you will configure the default AntiVirus security profile to include a new FortiOS 6.0 feature: Content Disarm and Reconstruction (CDR). You will apply this security profile to the Internet access policy so that exploitable content leaving the network is stripped from documents and replaced with content that is known to be safe.

In the example, we will use FortiSandbox as the original file destination, where the original file is archived and can be retrieved if necessary. The CDR feature works without FortiSandbox configured, but only if you wish to discard the original file.

Content that can be scanned includes PDF and Microsoft Office files leaving the network on CDR-supported protocols (for more information, refer to the Security Profiles handbook).

Note that the FortiGate must be in Proxy inspection mode for CDR to function.

PREP 5 mins      COOK 5 min      TOTAL 10 mins

1. Setting the system inspection mode

Go to System > Settings and set System Operation Settings > Inspection Mode to Proxy.

2. Testing FortiSandbox connectivity

On the FortiGate, go to Security Fabric > Settings and enable Sandbox Inspection.

Select your FortiSandbox type and Server address.

Confirm that the service is available by selecting Test connectivity.

The Status should read “Service is online.”

3. Enabling Content Disarm and Reconstruction

Go to Security Profiles > AntiVirus.

Under APT Protection Options, enable Content Disarm and Reconstruction and select the Original File Destination.

If you enable FortiSandbox as the file destination, original files caught by the AntiVirus profile are archived on the FortiSandbox. The FortiSandbox administrator can retrieve the original files, but only for a short time.

If you enable either File Quarantine or Discard as the file destination, original files caught by the AntiVirus profile are lost. Only the disarmed content is made available.

4. Configuring the Internet access policy

Go to Policy & Objects > IPv4 Policy and Edit the Internet access policy.

Under Security Profiles, enable the default AntiVirus profile. Proxy Options and SSL Inspection are automatically enabled.

5. Results

As the AntiVirus profile scans files using CDR, it replaces content that is deemed malicious or unsafe with content that will allow the traffic to continue but not put the recipient at risk.

CDR appends a new cover page to the malicious/unsafe content that includes a replacement message.

If you wish to disable the cover page, enter the following commands in the CLI Console:

config antivirus profile
  edit default
    config content-disarm
      set cover-page disable
    end
  next
end

6. Troubleshooting

The feature is not visible in the GUI

Confirm that the Inspection Mode is set to Proxy under System > Settings.

Also check that the AntiVirus profile inspection mode is set to proxy using the CLI Console:

config antivirus profile
  edit default
    set inspection-mode proxy
  next
end

Error messages and/or conflicts

If you receive an error message when attempting to enable Content Disarm and Reconstruction on the AntiVirus profile, check the Proxy Options settings in the CLI Console and disable splice and clientcomfort on CDR-supported protocols:

config firewall profile-protocol-options
  edit default
    config smtp
      unset options splice
    end
    config http
      unset options clientcomfort
    end
  next
end

You should also confirm the AntiVirus profile’s protocol settings under config antivirus profile:

  • ensure that set options scan is enabled on CDR-supported protocols
  • if set options av-monitor is configured on a CDR-supported protocol, it overrides the config content-disarm detect-only setting (and CDR will not occur)

The FortiSandbox service is unreachable

If testing the FortiSandbox connectivity returns a “Service is unreachable” error message, then you may need to authorize the FortiGate on the FortiSandbox.

On the FortiSandbox, go to Scan Input > Device and edit the entry for the FortiGate.

Under Permissions & Policy, enable Authorized.

Notes:

  • CDR-supported protocols are HTTP, IMAP, POP3, and SMTP.
  • All times listed are approximations.
  • These instructions are relative to FortiSandbox v2.5.1.

DNS Filtering


In this recipe you will set up DNS filtering to block access to bandwidth consuming websites.

Following the results section, you will find instructions for changing the FortiDNS server that your FortiGate will use to verify domains, as well as troubleshooting information.

PREP 5 mins      COOK 15 min      TOTAL 20 mins

1. Feature visibility

If DNS Filter is not listed under Security Profiles, go to System > Feature Visibility, and enable DNS Filter under Security Features.

2. Creating a DNS web filter profile

Go to Security Profiles > DNS Filter, and edit the default profile.

Enable FortiGuard category based filter, right-click Bandwidth Consuming, and set it to Block.

3. Enabling DNS filtering in a security policy

All traffic that matches this policy will be redirected to the FortiDNS server.

Go to Policy & Objects > IPv4 Policy, and edit the outgoing policy that allows Internet access.

Under Security Profiles, enable DNS Filter and set it to default.

Proxy Options and SSL Inspection profiles are automatically enabled.

4. Results

Open a browser using a computer on the internal network and navigate to dailymotion.co.uk. The page will be blocked.

Enter the following CLI command to sniff DNS packets for a destination host that does not belong to the bandwidth consuming category:

diagnose sniffer packet any 'port 53' and 'host 194.153.110.160' 4

The resulting output should indicate that the IP (in this example, paris.fr) was allowed by FortiGuard:

interfaces=[any]
filters=[port 53]
2.851628 172.20.121.56.59046 -> 208.91.112.52.53: udp 43
2.916281 208.91.112.52.53 -> 172.20.121.56.59046: udp 436
3.336945 10.1.2.102.51755 -> 208.91.112.53.53: udp 37
3.338611 208.91.112.53.53 -> 10.1.2.102.51755: udp 37

5. (Optional) Changing the FortiDNS server and port

You can use the default FortiDNS server located in Sunnyvale, USA (IP address 208.91.112.220), or you can switch to the server in London, UK (IP address 80.85.69.54).

Communication between your FortiGate and the FortiDNS server uses Fortinet’s proprietary DNS communication protocol.

config system fortiguard
   set sdns-server-ip 208.91.112.220
end

The North American server should work in most cases; however, you can switch to the European server to see if it improves latency.

You can also change the port used to communicate with the FortiDNS server using the following command:

config system fortiguard
   set sdns-server-port <value>
end

6. Troubleshooting

The Security Profiles > DNS Filter menu is missing

Go to System > Feature Visibility and enable DNS Filter.

You configured DNS Filtering, but it is not working

Verify that DNS Filter is enabled in a policy and SSL Inspection has been applied as needed (SSL inspection is required in order to block traffic to sites that use HTTPS).

If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to the policy list and viewing the Sessions column. 

If the above settings are correct, verify that DNS requests are going through the policy, rather than to an internal DNS server. Also verify that proxy options and SSL/SSH inspection settings have both HTTP and HTTPS enabled and use the correct ports.

Communication with the FortiDNS server fails

Verify that the correct FortiDNS server is configured using the following diagnose command:

diag test application dnsproxy 3

The resulting output should indicate that communication with the correct FortiDNS server was established. For example:

FWF60D4615016384 # diag test application dnsproxy 3
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1
dns64 is disabled
dns-server:208.91.112.53:53 tz=0 req=919160 to=545900 res=117880 rt=1800 secure=0 ready=1 
dns-server:208.91.112.52:53 tz=0 req=913029 to=520111 res=134810 rt=6 secure=0 ready=1 
dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1
dns-server:80.85.69.54:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1
vfid=0, interface=wan1, ifindex=6, recursive, dns
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=12 udp_c=14:15 ha_c=18 unix_s=19, unix_nb_s=20, unix_nc_s=21, v6_udp_s=11, v6_udp_c=16:17
DNS FD: tcp_s=24, tcp_s6=23
FQDN: hash_size=1024, current_query=1024
DNS_DB: response_buf_sz=131072
LICENSE: expiry=2016-08-15, expired=0, type=2
FDG_SERVER:208.91.112.220:53
SERVER_LDB: gid=6d61, tz=-480
FGD_REDIR:208.91.112.55 

This CLI result shows that the DNS server IP is set to the North American server, and is being accessed through port 53 (208.91.112.220:53).

Next, verify that bandwidth consuming sites are blocked, while other URLs are allowed.

Go to the CLI Console and enter the following:

diagnose sniffer packet any 'port 53' and 'host 195.8.215.138' 4

The resulting output should indicate that the IP (in this example, dailymotion.co.uk) was blocked by the FortiDNS server:

interfaces=[any]
filters=[port 53]
2.026733 172.20.121.56.59046 -> 208.91.112.220.53: udp 117
2.027316 172.20.121.56.59046 -> 80.85.69.54.53: udp 112
2.028480 172.20.121.56.59046 -> 208.91.112.220.53: udp 116
2.029591 172.20.121.56.59046 -> 208.91.112.220.53: udp 117
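
The two sniffer captures in this recipe and the diag test application dnsproxy 3 output above can be checked mechanically instead of by eye. The following Python script is an added example, not code from the recipe or from FortiOS: it parses the dnsproxy output to find the servers flagged secure=1 (the FortiDNS servers, 208.91.112.220 and 80.85.69.54 in this recipe), then classifies each diagnose sniffer packet line by its destination so you can see whether queries went to a FortiDNS server or to a regular resolver, and whether any replies came back. The sample text embedded in the script is copied from the outputs shown in this recipe.

```python
"""Check whether captured DNS traffic is reaching the configured FortiDNS server.

Added example (not from the Fortinet recipe). The embedded sample text is copied
from the recipe's `diag test application dnsproxy 3` and `diagnose sniffer packet`
outputs; 208.91.112.220 and 80.85.69.54 are the FortiDNS servers the recipe names.
"""
import re
from collections import Counter

# dns-server lines from `diag test application dnsproxy 3` (copied from the recipe)
DNSPROXY_OUTPUT = """\
dns-server:208.91.112.53:53 tz=0 req=919160 to=545900 res=117880 rt=1800 secure=0 ready=1
dns-server:208.91.112.52:53 tz=0 req=913029 to=520111 res=134810 rt=6 secure=0 ready=1
dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1
dns-server:80.85.69.54:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1
"""

# Sniffer output for the site that was allowed (copied from the recipe)
ALLOWED_CAPTURE = """\
interfaces=[any]
filters=[port 53]
2.851628 172.20.121.56.59046 -> 208.91.112.52.53: udp 43
2.916281 208.91.112.52.53 -> 172.20.121.56.59046: udp 436
3.336945 10.1.2.102.51755 -> 208.91.112.53.53: udp 37
3.338611 208.91.112.53.53 -> 10.1.2.102.51755: udp 37
"""

# Sniffer output for the site that was blocked (copied from the recipe)
BLOCKED_CAPTURE = """\
interfaces=[any]
filters=[port 53]
2.026733 172.20.121.56.59046 -> 208.91.112.220.53: udp 117
2.027316 172.20.121.56.59046 -> 80.85.69.54.53: udp 112
2.028480 172.20.121.56.59046 -> 208.91.112.220.53: udp 116
2.029591 172.20.121.56.59046 -> 208.91.112.220.53: udp 117
"""

DNS_SERVER_RE = re.compile(
    r"^dns-server:(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s.*?"
    r"secure=(?P<secure>[01])\s.*?ready=(?P<ready>[01])"
)
# "<time> <src ip>.<src port> -> <dst ip>.<dst port>: udp <len>"
SNIFFER_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)$"
)


def secure_dns_servers(dnsproxy_text):
    """Return {ip: port} for every dns-server line with secure=1 and ready=1."""
    servers = {}
    for line in dnsproxy_text.splitlines():
        m = DNS_SERVER_RE.match(line.strip())
        if m and m["secure"] == "1" and m["ready"] == "1":
            servers[m["ip"]] = int(m["port"])
    return servers


def classify_capture(capture_text, secure_servers):
    """Count queries sent to, and replies received from, each resolver in the capture.

    Each entry says whether that resolver is one of the secure (FortiDNS) servers."""
    queries = Counter()
    replies = Counter()
    for line in capture_text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if not m:
            continue  # skips the interfaces=/filters= header lines
        if m["dport"] == "53":
            queries[m["dst"]] += 1
        elif m["sport"] == "53":
            replies[m["src"]] += 1
    return {
        ip: {"queries": queries[ip], "replies": replies[ip], "fortidns": ip in secure_servers}
        for ip in set(queries) | set(replies)
    }


def uses_fortidns(capture_text, secure_servers):
    """True when at least one query in the capture was sent to a FortiDNS server."""
    report = classify_capture(capture_text, secure_servers)
    return any(v["fortidns"] and v["queries"] > 0 for v in report.values())


if __name__ == "__main__":
    secure = secure_dns_servers(DNSPROXY_OUTPUT)
    print("FortiDNS servers:", secure)
    for label, cap in (("allowed", ALLOWED_CAPTURE), ("blocked", BLOCKED_CAPTURE)):
        print(label, classify_capture(cap, secure), "-> FortiDNS used:", uses_fortidns(cap, secure))
```

Run against the recipe's outputs, the allowed capture shows a query and reply per regular resolver (208.91.112.52 and .53), while the blocked capture shows queries only to the two FortiDNS servers; feed it your own sniffer output to confirm the same pattern on your FortiGate.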

FortiGuard has the wrong categorization for a website

If you believe a website has been placed in the wrong category by FortiGuard, you can submit the URL for re-classification by going to the FortiGuard website.

Note: All times listed are approximations.

One-Click VPN (OCVPN)


In this recipe you will use the new cloud-assisted OCVPN solution in FortiOS 6.0 to greatly simplify the provisioning and configuration of IPsec VPN.

Note the following limitations:

  • The FortiGate must be registered with a valid FortiCare Support license.
  • Only full-mesh VPN configurations using PSK cryptography are supported.
  • Public IPs must be used (FortiGates behind NAT cannot participate).
  • Non-root VDOMs and FortiGate VMs are not supported.
  • Up to 16 nodes can be added to the OCVPN cloud, each with a maximum of 16 subnets.

You can repeat Step 1 below to add up to 16 nodes to the OCVPN cloud (barring the above limitations), but you will configure only two nodes in the following example.

PREP 5 mins      COOK 5 min      TOTAL 10 mins

1. Enabling OCVPN

On FGT_1, go to VPN > One-Click VPN Settings.

Set Status to Enabled and confirm Cloud Status. This may take a minute or two.

As indicated, a green checkmark appears along with the message Connected to the cloud service.

Finally, add the required Subnets from FGT_1.

On FGT_2, repeat the steps above.

Enable and confirm connection to the cloud service, and then add the required subnets from FGT_2.

2. Confirming cloud membership

In the Cloud Members table on FGT_1, click Refresh and confirm the entries.

The remote gateway and corresponding subnets for each device should populate the list.

You can perform the step above on any FortiGate that is a member of the OCVPN cloud.

FGT_2 should return the same results as above.

3. Results

As the Cloud Members table populates, the OCVPN cloud updates each member automatically.

You can now verify that the remainder of the configuration has also been created, and proceed to test the tunnel.

  • On either FortiGate, go to VPN > IPsec Tunnels and confirm the entry of a new tunnel with the prefix _OCVPN.
  • Go to Network > Static Routes and confirm the new static routes.
  • Go to Policy & Objects > IPv4 Policy and confirm the new policies.
  • Go to Monitor > IPsec Monitor and verify that the tunnel status is Up.
  • Go to Log & Report > VPN Events and view the tunnel statistics.

Using Command Prompt/Terminal, attempt a ping from one internal network to the other. Ping should be successful:

ping 192.168.177.99

Pinging 192.168.177.99 with 32 bytes of data:
Reply from 192.168.177.99: bytes=32 time=5ms TTL=254
Reply from 192.168.177.99: bytes=32 time=1ms TTL=254
Reply from 192.168.177.99: bytes=32 time<1ms TTL=254
Reply from 192.168.177.99: bytes=32 time<1ms TTL=254

Ping statistics for 192.168.177.99:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 0ms, Maximum = 5ms, Average = 1ms

Now, disable OCVPN (VPN > One-Click VPN Settings) and repeat the ping attempt to confirm that OCVPN was indeed responsible for the successful ping above:

ping 192.168.177.99

Pinging 192.168.177.99 with 32 bytes of data:
Reply from 192.168.176.99: Destination net unreachable.
Reply from 192.168.176.99: Destination net unreachable.
Reply from 192.168.176.99: Destination net unreachable.
Reply from 192.168.176.99: Destination net unreachable.

Ping statistics for 192.168.177.99:
 Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Re-enable OCVPN.

4. Troubleshooting

The following diagnose commands may prove useful.

To verify OCVPN status, use the following command:

FGT_1 # diag vpn ocvpn status
Current State : registered
OCVPN Status : OK (200)

To view device states, use the following command:

FGT_1 # diag vpn ocvpn device-state
FGT_1 wan1 172.25.176.56 0 6 0 2 200 2 0x3 0x3

To print a log report, use the following command:

FGT_1 # diag vpn ocvpn log
OCVPN Polling: state = undefined
cvpn_save_state: FGT_1 <null> 0.0.0.0 -1 0 0 0 0 0 0x0 0x0
OCVPN Polling: state = undefined
cvpn_save_state: FGT_1 <null> 0.0.0.0 -1 0 0 0 0 0 0x0 0x0
OCVPN Polling: state = undefined
cvpn_save_state: FGT_1 <null> 0.0.0.0 -1 0 0 0 0 0 0x0 0x0

========================

Thurs Mar 29 09:00:00 2018

========================

cvpn_load_state: FGT_1 <null> 0.0.0.0 -1 0 0 0 0 0 0x0 0x0
OCVPN Register: sn=x, num_subnets=0
Current State: undefined -> registering
cvpn_save_state: FGT_1 <null> 0.0.0.0 -1 2 0 0 0 0 0x0 0x0
WAN intf wan1, IP 172.25.176.56/255.255.255.0
WAN intf changed from <null> to wan1
WAN IP changed from 0.0.0.0 to 172.25.176.56

Local Subnets:
192.168.176.0/255.255.255.0
JSON Update request = '{ "SN": "x", "IPv4": "172.25.176.56", "port": "500", "Name": "FGT_1", "subnets": [ "192.168.176.0\/255.255.255.0" ] }'
Sending OCVPN request: method=Update, data='{ "SN": "x", "IPv4": "172.25.176.56", "port": "500", "Name": "FGT_1", "subnets": [ "192.168.176.0\/255.255.255.0" ] }'
Received OCVPN response: method=Update, res=0, http_resp=200
JSON Response: '{"key":"","rev":1,"members":[{"IPv4":"172.25.176.56","port":"500","slot":0,"subnets":["192.168.176.0/255.255.255.0"],"Name":"FGT_1"}]}'
Member table size = 1
Member: { "IPv4": "172.25.176.56", "port": "500", "slot": 0, "subnets": [ "192.168.176.0\/255.255.255.0" ], "Name": "FGT_1" }
Subnet 192.168.176.0/255.255.255.0
cvpn_config_install: prev mask 0x1, new mask 0x1
Update response code = 200
Current State: updating -> registered
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 6 0 1 200 1 0x1 0x1
JSON Response: '{"key":"8TVdIwG2xS400jMOxyNN9WKOYWZEsaJDIV8JUGVK2FaHoEVqQPw2qDgt5RLHlZXAuInpCHwl9t8WpZ7jWD+6xg==",
"rev":1,"members":[{"IPv4":"172.25.176.56","port":"500","slot":0,"subnets":["192.168.176.0/255.255.255.0"],"Name":"FGT_1"}]}'
Member table size = 1
Member: { "IPv4": "172.25.176.56", "port": "500", "slot": 0, "subnets": [ "192.168.176.0\/255.255.255.0" ], "Name": "FGT_1" }
Subnet 192.168.176.0/255.255.255.0
cvpn_config_install: prev mask 0x0, new mask 0x1
New members table, revision = 1
Register response code = 200
Current State: registering -> registered
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 6 0 1 200 1 0x1 0x0
Current State: registered -> acknowledging
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 5 6 1 200 1 0x1 0x0
JSON regack request = '{ "SN": "x", "rev": 1 }'
Sending OCVPN request: method=RegAck, data='{ "SN": "x", "rev": 1 }'
Received OCVPN response: method=RegAck, res=0, http_resp=200
JSON Response: '{"message":"Device successfully acknowledged"}'
Message='Device successfully acknowledged'
RegAck response code = 200
Current State: acknowledging -> registered
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 6 6 1 200 1 0x1 0x0
OCVPN Update: sn=x, num_subnets=0
Current State: registered -> updating
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 3 0 1 200 1 0x1 0x0
WAN intf wan1, IP 172.25.176.56/255.255.255.0

Local Subnets:
cvpn_build_json_reg_upd: internal error, line 1187
cvpn_build_json_reg_upd: res = -1
sys_ocvpn_update: res=-1
WAN intf wan1, IP 172.25.176.56/255.255.255.0
OCVPN Update: sn=x, num_subnets=1
Current State: updating
WAN intf wan1, IP 172.25.176.56/255.255.255.0

Local Subnets:

192.168.176.0/255.255.255.0
JSON Update request = '{ "SN": "x", "IPv4": "172.25.176.56", "port": "500", "Name": "FGT_1", "subnets": [ "192.168.176.0\/255.255.255.0" ] }'
Sending OCVPN request: method=Update, data='{ "SN": "IPv4": "172.25.176.56", "port": "500", "Name": "FGT_1", "subnets": [ "192.168.176.0\/255.255.255.0" ] }'
Received OCVPN response: method=Update, res=0, http_resp=200
JSON Response: '{"key":"","rev":1,"members":[{"IPv4":"172.25.176.56","port":"500","slot":0,"subnets":["192.168.176.0/255.255.255.0"],"Name":"FGT_1"}]}'
Member table size = 1
Member: { "IPv4": "172.25.176.56", "port": "500", "slot": 0, "subnets": [ "192.168.176.0\/255.255.255.0" ], "Name": "FGT_1" }
Subnet 192.168.176.0/255.255.255.0
cvpn_config_install: prev mask 0x1, new mask 0x1
Update response code = 200
Current State: updating -> registered
cvpn_save_state: FGT_1 wan1 172.25.176.56 0 6 0 1 200 1 0x1 0x1

To view a list of OCVPN cloud members, use the following command:

FGT_1 # diag vpn ocvpn print-members
Member: { "IPv4": "172.25.176.56", "port": "500", "slot": 0, "subnets": [ "192.168.176.0\/255.255.255.0" ], "Name": "FGT_1" }
Member: { "IPv4": "172.25.177.56", "port": "500", "slot": 1, "subnets": [ "192.168.177.0\/255.255.255.0" ], "Name": "FGT_2" }
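
The member table printed above is enough to reconstruct what the OCVPN cloud should have pushed to each FortiGate. The following Python script is an added example, not code from the recipe or from FortiOS: it parses the Member lines (the JSON after the "Member:" prefix), checks the membership against the limits the recipe states (16 nodes, 16 subnets per node, public gateway IPs, no overlapping subnets), and lists the tunnels and static routes a full mesh implies, which you can compare with the Results section. The two Member lines are the ones printed above; 192.168.176.99 and 192.168.177.99 are the hosts from the recipe's ping test.

```python
"""Derive the expected full-mesh topology from `diag vpn ocvpn print-members` output.

Added example (not from the Fortinet recipe or FortiOS). The Member lines below are
copied from the recipe; the limits are the ones the recipe lists.
"""
import ipaddress
import itertools
import json
import re

MAX_NODES = 16             # recipe: up to 16 nodes in the OCVPN cloud
MAX_SUBNETS_PER_NODE = 16  # recipe: each node may advertise up to 16 subnets

# Sample output copied from the recipe ("\/" is how FortiOS escapes "/" in its JSON).
PRINT_MEMBERS_OUTPUT = r"""
FGT_1 # diag vpn ocvpn print-members
Member: { "IPv4": "172.25.176.56", "port": "500", "slot": 0, "subnets": [ "192.168.176.0\/255.255.255.0" ], "Name": "FGT_1" }
Member: { "IPv4": "172.25.177.56", "port": "500", "slot": 1, "subnets": [ "192.168.177.0\/255.255.255.0" ], "Name": "FGT_2" }
"""

MEMBER_RE = re.compile(r"^Member:\s*(\{.*\})\s*$")


def parse_members(text):
    """Return one dict per Member line (sorted by slot), with ipaddress objects for networks."""
    members = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if not m:
            continue  # prompt line, blank line, or anything that is not a Member entry
        raw = json.loads(m.group(1))  # json.loads turns "\/" back into "/"
        members.append({
            "name": raw["Name"],
            "gateway": ipaddress.ip_address(raw["IPv4"]),
            "port": int(raw["port"]),
            "slot": int(raw["slot"]),
            # ip_network accepts the dotted-netmask form FortiOS prints
            "subnets": [ipaddress.ip_network(s) for s in raw["subnets"]],
        })
    return sorted(members, key=lambda mem: mem["slot"])


def check_limits(members):
    """Return a list of problems; empty when the table is within the recipe's stated limits."""
    problems = []
    if len(members) > MAX_NODES:
        problems.append(f"{len(members)} members exceed the {MAX_NODES}-node limit")
    owners = {}  # subnet -> member name, to detect overlapping advertisements
    for mem in members:
        if len(mem["subnets"]) > MAX_SUBNETS_PER_NODE:
            problems.append(f"{mem['name']} advertises {len(mem['subnets'])} subnets "
                            f"(limit {MAX_SUBNETS_PER_NODE})")
        if mem["gateway"].is_private:
            problems.append(f"{mem['name']} gateway {mem['gateway']} is not a public IP "
                            "(FortiGates behind NAT cannot participate)")
        for net in mem["subnets"]:
            for other_net, other_name in owners.items():
                if net.overlaps(other_net):
                    problems.append(f"{mem['name']} subnet {net} overlaps {other_net} "
                                    f"advertised by {other_name}")
            owners[net] = mem["name"]
    return problems


def expected_tunnels(members):
    """A full mesh needs one tunnel per unordered pair of members: n*(n-1)/2 in total."""
    return [(a["name"], b["name"]) for a, b in itertools.combinations(members, 2)]


def expected_routes(members):
    """For each member: the remote subnets it needs a static route for, and which peer owns each."""
    return {
        local["name"]: [
            (str(net), remote["name"])
            for remote in members if remote is not local
            for net in remote["subnets"]
        ]
        for local in members
    }


def tunnel_for_ping(members, src_ip, dst_ip):
    """Return the (local, remote) pair a ping between two hosts should traverse, or None
    when both hosts sit behind the same member or one of them is in no advertised subnet."""
    def owner(ip):
        addr = ipaddress.ip_address(ip)
        for mem in members:
            if any(addr in net for net in mem["subnets"]):
                return mem["name"]
        return None
    src_owner, dst_owner = owner(src_ip), owner(dst_ip)
    if src_owner is None or dst_owner is None or src_owner == dst_owner:
        return None
    return (src_owner, dst_owner)


if __name__ == "__main__":
    members = parse_members(PRINT_MEMBERS_OUTPUT)
    for problem in check_limits(members):
        print("WARNING:", problem)
    print("tunnels:", expected_tunnels(members))
    print("routes:", expected_routes(members))
    print("ping 192.168.176.99 -> 192.168.177.99 uses",
          tunnel_for_ping(members, "192.168.176.99", "192.168.177.99"))
```

Note that the recipe's lab gateways (172.25.176.56 and 172.25.177.56) are RFC 1918 addresses, so check_limits flags them; on a production deployment that warning is the one to act on, since the recipe states that FortiGates behind NAT cannot participate.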

Notes:

  • You can verify the status of your FortiCare Support contract under System > FortiGuard.
  • All times listed are approximations.
  • You can enter a maximum of 16 subnets.
  • The diag vpn ocvpn log output shown in the Troubleshooting section has been truncated.

High availability with two FortiGates


This recipe describes how to add a backup FortiGate to a previously installed FortiGate to form a high availability (HA) cluster that improves network reliability.

Before you begin, the FortiGates should be running the same FortiOS firmware version and interfaces should not be configured to get their addresses from DHCP or PPPoE.

This recipe is in the Security Fabric collection. It can also be used as a standalone recipe.

This recipe uses the FortiGate Clustering Protocol (FGCP) for HA. When you have completed this recipe, the original FortiGate will continue to operate as the primary unit and the new FortiGate will operate as the backup FortiGate.


1. Setting up registration and licensing

Make sure both FortiGates are running the same FortiOS firmware version. Register and apply licenses to the new FortiGate unit before adding it to the HA cluster.

This includes licensing for FortiCare Support, IPS, AntiVirus, Web Filtering, Mobile Malware, FortiClient, FortiCloud, and additional virtual domains (VDOMs).

All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. FortiToken licenses can be added at any time because they are synchronized to all cluster members.

You can also install any third-party certificates on the primary FortiGate before forming the cluster. Once the cluster is formed, third-party certificates are synchronized to the backup FortiGate.

2. Configuring the primary FortiGate for HA

On the primary FortiGate, go to System > Settings and change the Host name to identify this as the primary FortiGate in the HA cluster.

Go to System > HA and set the Mode to Active-Passive. Set the Device priority to a higher value than the default (in the example, 250) to make sure this FortiGate will always be the primary FortiGate. Also, set a Group name and Password.

Make sure that two Heartbeat interfaces (in the example, port3 and port4) are selected and the Heartbeat Interface Priority for each is set to 50.

Since the backup FortiGate is not available, when you save the HA configuration, the primary FortiGate will form a cluster of one FortiGate but will keep operating normally.

If there are other FortiOS HA clusters on your network, you may need to change the cluster group ID using this CLI command.

config system ha
    set group-id 25
end

3. Connecting the backup FortiGate

Connect the backup FortiGate to the primary FortiGate and the network, as shown in the network diagram at the top of the recipe.

Making these network connections will disrupt traffic so you should do this when the network is not processing much traffic. If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.

Switches must be used between the cluster and the Internet, and between the cluster and the internal networks, as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections, as long as you configure the switch to separate traffic from the different networks.

4. Configuring the backup FortiGate for HA

Connect to the backup FortiGate GUI and go to System > Settings and change the Host name to identify this as the backup FortiGate.

Go to System > HA and duplicate the HA configuration of the primary FortiGate (except for the Device priority): set Mode to Active-Passive, and set the Device Priority to a lower value than the default to make sure this FortiGate will always be the backup FortiGate. Also, set the same Group name and Password as the primary FortiGate.

Make sure that the same two Heartbeat interfaces (port3 and port4) are selected and the Heartbeat Interface Priority for each is set to 50.

If you changed the cluster group id of the primary FortiGate, change the cluster group ID for the backup FortiGate to match, using this CLI command.

config system ha
    set group-id 25
end

When you save the HA configuration of the backup FortiGate, if the heartbeat interfaces are connected, the FortiGates will find each other and form an HA cluster. Network traffic may be disrupted for a few seconds while the cluster is negotiating.

5. Viewing the status of the HA cluster

Connect to the GUI of the primary FortiGate. The HA Status widget shows the cluster mode (Mode) and group name (Group).

 

It also shows the host name of the primary FortiGate (Master), which you can hover over to verify that the cluster is synchronized and operating normally. You can click on the widget to change the HA configuration or view a list of recently recorded cluster events, such as members joining or leaving the cluster.

Click on the HA Status widget and select Configure settings in System > HA (or go to System > HA) to view the cluster status.
If the cluster is part of a Security Fabric, the FortiView Physical and Logical Topology views show information about the cluster status.

6. Results

Traffic is now passing through the primary FortiGate. However, if the primary FortiGate becomes unavailable, traffic should fail over and the backup FortiGate will process traffic.

A failover also causes the primary and backup FortiGate to reverse roles, even when both FortiGates are available again.

To test HA failover, from a PC on the internal network, ping an IP address on the Internet (in the example, 8.8.8.8).

 

After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results, until traffic fails over to the backup FortiGate, allowing the ping traffic to continue.

7. (Optional) Upgrading the firmware for the HA cluster

Upgrading the firmware on the primary FortiGate automatically upgrades the firmware on the backup FortiGate. Both FortiGates are updated with minimal traffic disruption.

Always review the Release Notes and Supported Upgrade Paths before installing new firmware.

Click the System Information widget and select Update firmware in System > Firmware. Back up the configuration and update the firmware from FortiGuard or by uploading a firmware image file. The firmware installs onto both the primary and backup FortiGates.
After the upgrade is complete, verify that the System Information widget shows the new firmware version.

For further reading, check out FGCP configuration examples and troubleshooting in the FortiOS 6.0 Online Help.

Notes:

  • If you have not already installed a FortiGate, see Installing a FortiGate in NAT/Route mode.
  • You cannot use a switch port as an HA heartbeat interface. If necessary, convert the switch port to individual interfaces.
  • If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.
  • This example uses two FortiGate-600Ds and the default heartbeat interfaces are used (port3 and port4). You can use any interfaces for HA heartbeat interfaces. A best practice is to use interfaces that do not process traffic, but this is not a requirement. If you are setting up HA between two FortiGates in a VM environment (for example, VMware or Hyper-V) you need to enable promiscuous mode and allow MAC address changes for heartbeat communication to work. Since the HA heartbeat interfaces must be on the same broadcast domain, for HA between remote data centers (called distributed clustering) you must support layer 2 extensions between the remote data centers, using technology such as MPLS or VXLAN.
  • If these steps don’t start HA mode, make sure that none of the FortiGate’s interfaces use DHCP or PPPoE addressing.
  • If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.
  • For information about accessing firmware images, see Verifying and updating the FortiGate unit’s firmware.

FortiSandbox in the Security Fabric


In this recipe, you will add a FortiSandbox to your Security Fabric and configure each FortiGate in the network to send suspicious files to FortiSandbox for sandbox inspection. The FortiSandbox scans and tests these files in isolation from your network.

This recipe is in the Security Fabric Collection. You can also use it as a standalone recipe.

This example uses the Security Fabric configuration created in the Security Fabric installation recipe. The FortiSandbox connects to the root FortiGate in the Security Fabric, known as External. There are two connections between the devices:

  • FortiSandbox port 1 (administration port) connects to Edge port 16
  • FortiSandbox port 3 (VM outgoing port) connects to Edge port 13

If possible, you can also use a separate Internet connection for FortiSandbox port 3, rather than connecting through the Edge FortiGate to use your main Internet connection. This configuration avoids having IP addresses from your main network blacklisted if malware that’s tested on the FortiSandbox generates an attack. If you use this configuration, you can skip the steps listed for FortiSandbox port 3.


1. Checking the Security Rating results before installing the FortiSandbox

On Edge (the root FortiGate in the Security Fabric), go to Security Fabric > Security Rating.

Since you haven’t yet installed a FortiSandbox in your network, the Security Fabric fails the Advanced Threat Protection check.

In the example, the Security Rating Score decreases by 30 points for each of the four FortiGates in the Security Fabric.

 

2. Connecting the FortiSandbox and Edge

Connect to the FortiSandbox.

To edit port1, which is used for communication between the FortiSandbox and the rest of the Security Fabric, go to Network > Interfaces.

Set IP Address/Netmask to an internal IP address. In this example, the FortiSandbox connects to the same subnet as the FortiAnalyzer that you installed previously, using the IP address 192.168.65.20.

 

Edit port3. This port is used for outgoing communication by the virtual machines (VMs) running on the FortiSandbox. It’s recommended that you connect this port to a dedicated interface on your FortiGate to protect the rest of the network from threats that the FortiSandbox is currently investigating.

Set IP Address/Netmask to an internal IP address (in the example, 192.168.179.10/255.255.255.0).

To add a static route, go to Network > System Routing. Set Gateway to the IP address of the FortiGate interface that port 1 connects to (in the example, 192.168.65.2).

Connect to Edge.

To configure the port that connects to port3 on the FortiSandbox (in the example, port13), go to Network > Interfaces. Set IP/Network Mask to an address on the same subnet as port3 on the FortiSandbox (in the example, 192.168.179.2/255.255.255.0).

Connect the FortiSandbox to the Security Fabric.

3. Allowing VM Internet access

Connect to Edge.

To create a policy that allows connections from the FortiSandbox to the Internet, go to Policy & Objects > IPv4 Policy.

Connect to FortiSandbox.

Go to Scan Policy > General and select Allow Virtual Machines to access external network through outgoing port3. Set Gateway to the IP address of port 13 on the FortiGate.

Go to the Dashboard and locate the System Information widget. Verify that VM Internet Access has a green checkmark beside it.

4. Adding the FortiSandbox to the Security Fabric

Connect to Edge.

To add FortiSandbox to the Security Fabric, go to Security Fabric > Settings. Enable Sandbox Inspection.

Make sure FortiSandbox Appliance is selected and set Server to the IP address of port 1 on the FortiSandbox.

Select Test Connectivity. An error message appears because Edge hasn’t been authorized on the FortiSandbox.

Edge, as the root FortiGate, pushes FortiSandbox settings to the other FortiGates in the Security Fabric. To verify this, connect to Accounting and go to Security Fabric > Settings.

On the FortiSandbox, go to Scan Input > Device. The FortiGates in the Security Fabric (Edge, Accounting, Marketing, and Sales) are listed but the Auth column indicates that the devices are unauthorized.

Select and edit Edge. Under Permissions & Policies, select Authorized.

Repeat this for the other FortiGates.

On Edge, go to Security Fabric > Settings and test the Sandbox Inspection connectivity again. External is now connected to the FortiSandbox.

5. Adding sandbox inspection to Antivirus, Web Filter, and FortiClient profiles

You can apply sandbox inspection through three types of security profile: antivirus, web filter, and FortiClient compliance profiles. In this step, you add sandbox inspection to each FortiGate in the Security Fabric individually, by editing the profiles that each FortiGate applies to network traffic.

In order to pass the Advanced Threat Protection check, you must add sandbox inspection to antivirus profiles for all FortiGate devices in the Security Fabric.

Go to Security Profiles > AntiVirus and edit the default profile.

Under Inspection Options, set Send Files to FortiSandbox Appliance for Inspection to All Supported Files.

Enable Use FortiSandbox Database, so that if the FortiSandbox discovers a threat, it adds a signature for that file to the antivirus signature database on the FortiGate.

Go to Security Profiles > Web Filter and edit the default profile.

Under Static URL Filter, enable Block malicious URLs discovered by FortiSandbox.

If the FortiSandbox discovers a threat, the URL that threat came from is added to the list of URLs that are blocked by the FortiGate.

Go to Security Profiles > FortiClient Compliance Profiles and edit the default profile. Enable Security Posture Check.

Enable Realtime Protection and Scan with FortiSandbox.
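
The same settings from steps 2 to 5 can be entered on Edge from the CLI instead of the GUI. The block below is an added example for this page, not configuration taken from the recipe or from Fortinet's documentation. It uses the addresses from this recipe; the WAN interface name wan1, the policy name, and the exact FortiOS 6.0 option names are assumptions, so confirm them against your unit's CLI reference before use. The FortiClient compliance profile setting from step 5 is left to the GUI here.

```text
# Added example (not from the recipe): FortiOS 6.0 CLI equivalents of the
# GUI steps above, entered on Edge, the root FortiGate. Addresses are the
# ones used in this recipe; "wan1" and the policy name are assumed.

# Step 2: interface on Edge facing FortiSandbox port3 (VM outgoing traffic)
config system interface
    edit "port13"
        set ip 192.168.179.2 255.255.255.0
        set allowaccess ping
    next
end

# Step 3: let sandbox VMs reach the Internet, but only from port13.
# A dedicated interface and policy keeps detonated samples off the path
# used by trusted internal subnets, and logging records what they contact.
config firewall policy
    edit 0
        set name "FortiSandbox-VM-Internet"   # assumed policy name
        set srcintf "port13"
        set dstintf "wan1"                    # assumed WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# Step 4: point the Security Fabric at the appliance (FortiSandbox port1)
config system fortisandbox
    set status enable
    set server "192.168.65.20"
end

# Step 5: antivirus profile. Assumes each protocol section (config http,
# config smtp, ...) already has scanning enabled, as the default profile does.
config antivirus profile
    edit "default"
        set ftgd-analytics everything      # GUI: All Supported Files
        set analytics-db enable            # GUI: Use FortiSandbox Database
    next
end

# Step 5: web filter profile, block URLs that FortiSandbox flags as malicious
config webfilter profile
    edit "default"
        config web
            set blacklist enable           # GUI: Block malicious URLs discovered by FortiSandbox
        end
    next
end
```

The policy in step 3 is deliberately narrow: its only source interface is port13, so any outbound connection made by a sample under analysis is attributable to the sandbox rather than to a workstation, and the traffic log gives you a record of the hosts those samples tried to reach. Because Edge pushes the `system fortisandbox` settings to the other Security Fabric members (step 4), only the profile changes need to be repeated on Accounting, Marketing, and Sales.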

 

6. Results

If a FortiGate in the Security Fabric discovers a suspicious file, it sends the file to the FortiSandbox.

You can view information about scanned files on either the FortiGate that sent the file or the FortiSandbox.

On one of the FortiGate devices, go to the Dashboard and locate the Advanced Threat Protection Statistics widget. This widget shows files that both the FortiGate and FortiSandbox scan.

On the FortiSandbox, go to System > Status and view the Scanning Statistics widget for a summary of scanned files.

You can also view a timeline of scanning in the File Scanning Activity widget.

On Edge, go to Security Fabric > Security Rating and run a rating. When it is finished, select the All Results view.

In the example, all four FortiGate devices in the Security Fabric pass the Advanced Threat Protection check and the Security Rating Score increases by 9.7 points for each FortiGate.

For further reading, check out Overview of sandbox inspection in the FortiOS 6.0 Online Help.


The post FortiSandbox in the Security Fabric appeared first on Fortinet Cookbook.
