Channel: Fortinet Cookbook

FortiOS 6.0.0 recipes


Installing a FortiGate in NAT/Route mode


In this example, you connect and configure a new FortiGate in NAT/Route mode, to securely connect a private network to the Internet.

This recipe is in the Basic FortiGate network collection and the Security Fabric collection. You can also use it as a standalone recipe.

In NAT/Route mode, you install a FortiGate as a gateway, or router, between two networks. Typically, you set the FortiGate up between a private network and the Internet, which allows the FortiGate to hide the IP addresses of the private network using NAT.

NAT/Route mode is the most commonly used operating mode for a FortiGate.


1. Connecting the network devices and logging in to the FortiGate

Connect the FortiGate to your ISP-supplied equipment using the Internet-facing interface. This is typically WAN or WAN1, depending on your model.

Connect a PC to the FortiGate, using an internal port (in the example, port 3).

 

Power on the ISP equipment, the FortiGate, and the PC on the internal network.

Use the PC to connect to the FortiGate GUI using either FortiExplorer or an Internet browser. For more information about connecting to the GUI, see the QuickStart Guide for your FortiGate model.

Log in using an admin account. The default admin account has the username admin and no password.

 

2. Configuring the FortiGate interfaces

To edit the Internet-facing interface (in the example, wan1), go to Network > Interfaces.

Set the Estimated Bandwidth for the interface based on your Internet connection.

Set Role to WAN.

 

To determine which Addressing mode to use, check if your ISP provides an IP address for you to use or if the ISP equipment uses DHCP to assign IP addresses.

If your ISP provides an IP address, set Addressing mode to Manual and set the IP/Network Mask to that IP address.

If your ISP equipment uses DHCP, set Addressing mode to DHCP to allow the equipment to assign an IP address to WAN1.

Edit the lan interface, which is called internal on some FortiGate models. 

Set Role to LAN.

Set Addressing mode to Manual and set the IP/Network Mask to the private IP address that you want to use for the FortiGate.

If you need to assign IP addresses to devices on your internal network, enable DHCP Server.

 

3. Adding a default route

To create a new default route, go to Network > Static Routes. Typically, you have only one default route. If the static route list already contains a default route, you can edit it, or delete the route and add a new one.

Set Destination to Subnet and leave the destination IP address set to 0.0.0.0/0.0.0.0.

Set Gateway to the IP address provided by your ISP and Interface to the Internet-facing interface.

 

4. Setting the FortiGate DNS servers (optional)

The FortiGate DNS settings are configured to use FortiGuard DNS servers by default, which is sufficient for most networks.
If you need to change the DNS servers, go to Network > DNS, select Specify, and add Primary and Secondary servers.

5. Creating a policy to allow traffic from the internal network to the Internet

To create a new policy, go to Policy & Objects > IPv4 Policy. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet).

Set the Incoming Interface to lan and the Outgoing Interface to wan1. Set Source, Destination Address, Schedule, and Services, as required.

Ensure the Action is set to ACCEPT.

Turn on NAT and select Use Outgoing Interface Address.

Scroll down to view the Logging Options. To view the results later, enable Log Allowed Traffic and select All Sessions.
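Before clicking through steps 2 to 5 it is worth checking the planned addresses against each other, since a gateway outside the WAN subnet, a LAN subnet that overlaps the WAN subnet, or a DHCP pool that hands out the FortiGate's own address is the usual reason the Results step fails. The script below is an added example, not Fortinet code; the field names mirror the GUI labels and every address in it is constructed.

```python
# Added example (not from the Fortinet Cookbook): a pre-deployment sanity
# check for the addressing values the NAT/Route recipe asks for. Field names
# mirror the GUI labels; all addresses below are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional, Tuple


@dataclass
class WanSettings:
    addressing_mode: str                      # "Manual" or "DHCP", as in the GUI
    ip: Optional[IPv4Interface] = None        # IP/Network Mask (Manual only)
    gateway: Optional[IPv4Address] = None     # Gateway of the default route


@dataclass
class LanSettings:
    ip: IPv4Interface                         # the FortiGate's private LAN address
    dhcp_range: Optional[Tuple[IPv4Address, IPv4Address]] = None  # DHCP Server pool


def validate_plan(wan: WanSettings, lan: LanSettings) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems: List[str] = []

    if wan.addressing_mode == "Manual":
        if wan.ip is None or wan.gateway is None:
            problems.append("Manual WAN addressing needs both an IP/Network Mask and a gateway")
        else:
            # The default route's gateway must be directly reachable on the WAN subnet.
            if wan.gateway not in wan.ip.network:
                problems.append(f"gateway {wan.gateway} is not on the WAN subnet {wan.ip.network}")
            # Overlapping subnets leave the FortiGate unable to tell LAN from Internet traffic.
            if wan.ip.network.overlaps(lan.ip.network):
                problems.append(f"WAN subnet {wan.ip.network} overlaps LAN subnet {lan.ip.network}")
    elif wan.addressing_mode == "DHCP":
        if wan.gateway is not None:
            problems.append("WAN uses DHCP: confirm the static gateway matches what the ISP equipment assigns")
    else:
        problems.append(f"unknown addressing mode {wan.addressing_mode!r}")

    # NAT hides the internal network, so it should use private (RFC 1918) space.
    if not lan.ip.ip.is_private:
        problems.append(f"LAN address {lan.ip.ip} is not a private address")

    if lan.dhcp_range is not None:
        first, last = lan.dhcp_range
        if first > last:
            problems.append("DHCP range start is after its end")
        if first not in lan.ip.network or last not in lan.ip.network:
            problems.append(f"DHCP range {first}-{last} is outside the LAN subnet {lan.ip.network}")
        if first <= lan.ip.ip <= last:
            problems.append(f"DHCP range hands out the FortiGate's own address {lan.ip.ip}")

    return problems


def example_consistent() -> List[str]:
    """Constructed values that follow the recipe: expected result is an empty list."""
    wan = WanSettings("Manual", IPv4Interface("203.0.113.20/24"), IPv4Address("203.0.113.1"))
    lan = LanSettings(IPv4Interface("192.168.1.99/24"),
                      (IPv4Address("192.168.1.110"), IPv4Address("192.168.1.210")))
    return validate_plan(wan, lan)


def example_broken() -> List[str]:
    """Constructed mistakes: off-subnet gateway, overlapping subnets, pool covering the gateway."""
    wan = WanSettings("Manual", IPv4Interface("192.168.1.20/24"), IPv4Address("198.51.100.1"))
    lan = LanSettings(IPv4Interface("192.168.1.99/24"),
                      (IPv4Address("192.168.1.50"), IPv4Address("192.168.1.150")))
    return validate_plan(wan, lan)


if __name__ == "__main__":
    for problem in example_broken():
        print("-", problem)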

6. Results

Browse the Internet using the PC on the internal network.

If you can’t connect to the Internet, see FortiGate installation troubleshooting.

To view information about FortiGate traffic, go to FortiView > Traffic from LAN/DMZ > Sources. The PC appears on the list of sources.

To view more detailed information about the traffic from the PC, right-click the entry for the PC and select Drill Down to Details.

 

If your FortiGate model has internal storage and disk logging enabled, a drop-down menu in the top corner allows you to view historical logging information for the previous 5 minutes, 1 hour, and 24 hours.

If you’re not sure whether your model supports disk logging, check the FortiGate Feature/Platform Matrix.

For further reading, check out Installing a FortiGate in NAT/Route mode in the FortiOS 6.0 Online Help.

Notes:

  • If your FortiGate doesn’t have a default LAN interface, for this step, you can use either an individual interface or create a software switch to combine the separate interfaces into a single virtual interface.
  • This destination type allows you to input a numeric IP address or subnet.
  • A default route always has a destination IP address of 0.0.0.0/0.0.0.0.
  • Some FortiGate models include an IPv4 security policy in the default configuration. If you have one of these models, edit it to include the logging options shown below, then proceed to the results section.

The post Installing a FortiGate in NAT/Route mode appeared first on Fortinet Cookbook.

Security Fabric collection


The Fortinet Security Fabric links various security sensors and tools together to collect, coordinate, and respond to malicious behavior, in real time, anywhere it occurs on your network.

Below, you can find the Security Fabric Collection, which is a list of recipes about configuring and using the Security Fabric. By using these recipes in the order listed, you can create a network similar to the one shown above. This collection is a work in progress. Check back regularly for new recipes.

If you encounter any issues while configuring your Security Fabric, check out Security Fabric troubleshooting. You can also find more information about the Security Fabric at the Fortinet Document Library.

Screenshots of the Security Fabric topology views are shown after most of the recipes, so you can see how the network configuration changes. Physical Topology shows all access layer devices, and Logical Topology shows information about the interface (logical or physical) that each device is connected to. To view the complete network, you must access the topology views using the root FortiGate in the Security Fabric.

This collection supports the following Fortinet firmware:

  • FortiOS 6.0.0 and higher
  • FortiAnalyzer 6.0.0 and higher
  • FortiSandbox 2.5.0 and higher

1. Installing a FortiGate in NAT/Route mode

This recipe shows you how to install a single FortiGate in your network using NAT/Route mode, which is the most commonly used operation mode.

In later recipes, this FortiGate will be called “Edge,” because it’s the only FortiGate that connects directly to the Internet, with the other FortiGate devices located behind it. This role is also known as the gateway FortiGate.

This FortiGate will also be the root FortiGate in the Security Fabric. The root FortiGate receives information from all other FortiGates in the Security Fabric and is used for the Security Rating. For more information about this, refer to the next recipe in the collection.

Because a Security Fabric hasn’t yet been created, the Security Fabric topology views haven’t been included here.


2. Security Fabric installation and rating

This recipe shows you how to add three additional FortiGate devices to the network, with each functioning as an Internal Segmentation Firewall (ISFW). A FortiAnalyzer is also added to collect and view logs.

After the ISFW FortiGate devices and FortiAnalyzer are installed, the Security Fabric is configured. Edge, the FortiGate from the previous recipe, becomes the root FortiGate in the Security Fabric, with the other FortiGates sending their information upstream to Edge.

All of the FortiGate devices and the FortiAnalyzer now appear in the Security Fabric topology views, which you must view using Edge. The ISFW FortiGates (Accounting, Sales, and Marketing) are connected to the root FortiGate (Edge).

Physical topology:

Logical topology:


3. FortiSandbox in the Security Fabric

This recipe shows you how to add a FortiSandbox to the Security Fabric, so that any suspicious files that the FortiGate devices discover can be scanned and tested in isolation from the rest of the network.

After the FortiSandbox is added to the Security Fabric, it appears in the topology views.

Physical topology:

Logical topology:


4. High availability with two FortiGates

This recipe shows you how to create an HA cluster by connecting a backup FortiGate to the root FortiGate in the Security Fabric. This provides redundancy if the root FortiGate, now called Edge-Primary, fails.

After the HA cluster is created, it appears in the topology views.

Physical topology:

Logical topology:


Logging FortiGate traffic and using FortiView


In this example, you will configure logging to record information about sessions processed by your FortiGate. You will then use FortiView to look at the traffic logs and see how your network is being used.

This recipe is in the Basic FortiGate network collection. You can also use it as a standalone recipe.

FortiView is a logging tool that contains dashboards that show real time and historical logs. You can filter the dashboards to show specific results and also drill down for more information about a particular session. Each dashboard focuses on a different aspect of your network traffic, such as traffic sources of WiFi clients.

Some FortiView dashboards, such as Applications and Web Sites, require you to apply security profiles to traffic before you can view results.

1. Configuring log settings

To configure log settings, go to Log & Report > Log Settings.

Select where you want to record log messages. This example uses Local Log, because it is required by FortiView.

Enable Disk, Local Reports, and Historical FortiView.

 

You can also use Remote Logging and Archiving to send logs to either a FortiAnalyzer/FortiManager, FortiCloud, or a Syslog server.

Under Log Settings, set both Event Logging and Local Traffic Log to All.

 

2. Enabling logging in security policies

To edit the Internet policy, go to Policy & Objects > IPv4 Policy.

Under Logging Options, enable Log Allowed Traffic and select All Sessions.

Because logging all sessions uses more system resources, it is typically recommended to log only security events. However, for the purpose of this recipe, all sessions will be logged to ensure that logging has been configured correctly.

3. Results

Browse the Internet to generate traffic through the FortiGate.

To view a real-time display of all active sessions, go to FortiView > All Segments > All Sessions.

If you right-click a session in the list, you can choose to end the session, end all sessions, ban the source IP, or filter logs by the source device.

 
Select the 24 hours view to see a historical view of your traffic. To see more information, double-click a session.

To view a list of the sources in your network traffic, go to FortiView > Traffic from LAN/DMZ > Sources.

Right-click on any source listed and select Drill Down to Details.

You can view a variety of information about the source address, including traffic destinations, security policies used, and if any threats are linked to traffic from this address.
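What the Sources view and Drill Down to Details show is computed from the traffic logs that the policy's Log Allowed Traffic setting produces. The script below is an added example, not Fortinet code: it parses key=value lines in the layout FortiOS traffic logs use, totals them per source and drills into one address. The four log lines are constructed for the example, and the policy names are the ones used elsewhere in this collection.

```python
# Added example (not from the Fortinet Cookbook): a per-source summary in the
# style of FortiView's Sources view, built from FortiOS-style key=value traffic
# log lines. The four lines in SAMPLE_LOG are constructed for this example.
import re
from collections import defaultdict
from typing import Dict, List

SAMPLE_LOG = """\
date=2018-06-01 time=09:12:01 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.110 srcport=51122 srcintf="lan" dstip=203.0.113.50 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=1 policyname="Internet" service="HTTPS" user="jpearson" sentbyte=1520 rcvdbyte=48210
date=2018-06-01 time=09:12:07 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.110 srcport=51130 srcintf="lan" dstip=198.51.100.7 dstport=80 dstintf="wan1" proto=6 action="accept" policyid=1 policyname="Internet" service="HTTP" user="jpearson" sentbyte=800 rcvdbyte=12000
date=2018-06-01 time=09:13:40 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.120 srcport=40021 srcintf="lan" dstip=203.0.113.50 dstport=443 dstintf="wan1" proto=6 action="accept" policyid=2 policyname="Accounting" service="HTTPS" user="akeating" sentbyte=2000 rcvdbyte=30000
date=2018-06-01 time=09:13:55 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.1.120 srcport=40022 srcintf="lan" dstip=203.0.113.9 dstport=23 dstintf="wan1" proto=6 action="deny" policyid=0 service="TELNET" user="akeating" sentbyte=0 rcvdbyte=0
"""

# A value is either a double-quoted string or a bare token with no spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping the quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def sources(log_text: str) -> List[dict]:
    """Per-source session, deny and byte totals, sorted by bytes like the Sources view."""
    totals: Dict[str, dict] = defaultdict(
        lambda: {"sessions": 0, "denied": 0, "bytes": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue
        t = totals[rec["srcip"]]
        t["sessions"] += 1
        t["bytes"] += int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
        if rec.get("action") == "deny":
            t["denied"] += 1
        if "user" in rec:
            t["users"].add(rec["user"])
    return [{"srcip": ip, **t}
            for ip, t in sorted(totals.items(), key=lambda kv: -kv[1]["bytes"])]


def drill_down(log_text: str, srcip: str) -> dict:
    """Details for one source: destinations, policies used, and denied sessions."""
    dests, policies, denied = set(), set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("srcip") != srcip:
            continue
        dests.add(f'{rec["dstip"]}:{rec["dstport"]}')
        policies.add(rec.get("policyname", f'id {rec.get("policyid")}'))
        if rec.get("action") == "deny":
            denied.append(f'{rec["service"]} to {rec["dstip"]}')
    return {"destinations": sorted(dests), "policies": sorted(policies), "denied": denied}


if __name__ == "__main__":
    for row in sources(SAMPLE_LOG):
        print(row["srcip"], row["sessions"], "sessions,", row["denied"], "denied,", row["bytes"], "bytes")
    print(drill_down(SAMPLE_LOG, "192.168.1.120"))
```

The denied line has policyid=0, which is how the implicit deny policy appears in the log; that is why step 1 sets Local Traffic Log to All rather than only logging accepted sessions.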

For further reading, check out FortiView in the FortiOS 6.0 Online Help.

Notes:

  • Local logging is not supported on all FortiGate models. If your FortiGate does not support local logging, it is recommended to use FortiCloud.
  • Historical views are only available on FortiGate models with internal hard drives.

Security Fabric installation and rating


In this recipe, you configure a Fortinet Security Fabric that consists of four FortiGate devices and a FortiAnalyzer. One of the FortiGates acts as the network edge firewall and root FortiGate of the Security Fabric, while the other FortiGate devices function as Internal Segmentation Firewalls (ISFWs).

After you configure the network, you should run a Security Rating, which analyzes the Security Fabric and recommends changes to help you improve the configuration.

This recipe is in the Security Fabric Collection. You can also use it as a standalone recipe.

The example network uses the following FortiGate aliases:

  • Edge: the root FortiGate in the Security Fabric. This FortiGate is named “Edge” because it’s the only FortiGate that directly connects to the Internet. This role is also known as the gateway FortiGate.
  • Accounting: an ISFW FortiGate that connects to Edge.
  • Marketing: an ISFW FortiGate that connects to Edge.
  • Sales: an ISFW FortiGate that connects to Marketing.


1. Configuring Edge

In the Security Fabric, Edge is the root FortiGate. This FortiGate receives information from the other FortiGates in the Security Fabric and you use it to run the Security Rating.

In the example, the following interfaces on Edge connect to other network devices:

  • Port 9 connects to the Internet (this interface was configured when Edge was installed)
  • Port 10 connects to Accounting (IP address: 192.168.10.2)
  • Port 11 connects to Marketing (IP address: 192.168.200.2)
  • Port 16 connects to the FortiAnalyzer (IP address: 192.168.55.2)

To edit port 10 on Edge, go to Network > Interfaces. Set an IP/Network Mask for the interface (in the example, 192.168.10.2/255.255.255.0).

Set Administrative Access to allow FortiTelemetry, which is required so that FortiGates in the Security Fabric can communicate with each other.

Repeat this step to configure the other interfaces with the appropriate IP addresses, as listed above.

To create a policy for traffic from Accounting to the Internet, go to Policy & Objects > IPv4 Policy.

Enable NAT.

Repeat this step to create a similar policy for Marketing.

On Edge, go to System > Feature Select. Under Additional Features, enable Multiple Interface Policies.

To create a policy that allows Accounting and Marketing to access the FortiAnalyzer, go to Policy & Objects > IPv4 Policy.

To enable communication between the FortiGates in the Security Fabric, go to Security Fabric > Settings and enable FortiGate Telemetry. Set a Group name and Group password.

FortiAnalyzer Logging is enabled by default. Set IP address to an internal address that will later be assigned to port 1 on the FortiAnalyzer (in the example, 192.168.65.10). Set Upload option to Real Time.

 
Select Test Connectivity. An error appears because the FortiGate isn’t yet authorized on the FortiAnalyzer. This authorization is configured in a later step.

2. Installing Accounting and Marketing

To edit wan1 on Accounting, go to Network > Interfaces.

Set an IP/Network Mask for the interface that is on the same subnet as port 10 on Edge (in the example, 192.168.10.10/255.255.255.0).

Under Administrative Access, select HTTPS and SSH to allow Edge to use this interface to manage the FortiGate.

Edit the lan interface.

Set Addressing mode to Manual and set the IP/Network Mask to a private IP address (in the example, 10.10.10.1/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses using DHCP to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

 

To add a static route, go to Network > Static Routes. Set Gateway to the IP address of port 10 on Edge.

 

To create a policy to allow users on the Accounting network to access Edge, go to Policy & Objects > IPv4 Policy.

To add Accounting to the Security Fabric, go to Security Fabric > Settings. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously on Edge.

Enable Connect to upstream FortiGate and enter the IP address of port 10 on Edge.

FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer are retrieved when Accounting connects to Edge.


 

Connect WAN 1 on Accounting to port 10 on Edge.

Connect and configure Marketing, using the same method that you used to configure Accounting. Make sure you complete the following steps:

  • Configure WAN 1 to connect to Edge (IP address: 192.168.200.10/255.255.255.0) and allow HTTPS and SSH access.
  • Configure the LAN interface for the Marketing network (IP address: 10.10.200.2/255.255.255.0).
  • Create a static route pointing traffic to port 11 on Edge.
  • Create a policy to allow users on the Marketing network to access Edge.
  • Add Marketing to the Security Fabric.

3. Installing Sales

To edit the interface on Marketing that connects to Sales (in the example, port12), go to Network > Interfaces.

Set an IP/Network Mask for the interface (in the example, 192.168.135.2/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

 

To create a policy for traffic from Sales to Edge, go to Policy & Objects > IPv4 Policy.

Enable NAT.

To edit wan2 on Sales, go to Network > Interfaces.

Set an IP/Network Mask for the interface that’s on the same subnet as the internal 14 interface on Marketing (in the example, 192.168.135.10/255.255.255.0).

Under Administrative Access, select HTTPS and SSH.

Edit the lan interface.

Set Addressing Mode to Manual, and set the IP/Network Mask to a private IP address (in the example, 10.10.135.1/255.255.255.0).

Set Administrative Access to allow FortiTelemetry.

If you require the FortiGate to provide IP addresses, using DHCP, to devices that connect to this interface, enable DHCP Server.

Under Networked Devices, enable Device Detection.

 

To add a default route, go to Network > Static Routes. Set Gateway to the IP address of the internal 14 interface on Marketing.

To create a policy that allows users on the Sales network to access Marketing, go to Policy & Objects > IPv4 Policy.

To add Sales to the Security Fabric, go to Security Fabric > Settings. Enable FortiGate Telemetry, then enter the same Group name and Group password that you set previously.

Enable Connect to upstream FortiGate and enter the IP address of the internal 14 interface on Marketing.

FortiAnalyzer Logging is enabled by default. Settings for the FortiAnalyzer are retrieved when Accounting connects to Edge.

Connect WAN 2 on Sales to internal 14 on Marketing.

4. Configuring the FortiAnalyzer

To use the FortiAnalyzer in the Security Fabric, make sure that the firmware is compatible with the version of FortiOS on the FortiGates. To check for compatibility, see the FortiAnalyzer Release Notes.

To edit the port on FortiAnalyzer that connects to Edge (in the example, port4), go to System Settings > Network and select All Interfaces.

Set IP Address/Netmask to the IP address that you use to configure the Security Fabric settings on Edge (192.168.65.10/255.255.255.0).

Add a Default Gateway, using the IP address of port 16 on Edge.

 

Go to Device Manager. The FortiGates are listed as Unregistered.

Select the FortiGates, then select +Add.

The FortiGates now appear as Registered.

After a moment, a warning icon appears beside Edge because the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric.

Double-click on the FortiGate to enter the Authentication information.

On Edge, go to Security Fabric > Settings. FortiAnalyzer Logging now shows Storage usage information.
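The addressing rules that steps 1 to 4 repeat for each device (the downstream interface on the same subnet as the upstream port, FortiTelemetry allowed on the upstream port, every upstream address chaining back to the root, and the FortiAnalyzer's gateway on its own subnet) can be checked before anything is cabled. The script below is an added example, not Fortinet code: it loads the addresses this recipe lists, assumes a /24 mask wherever the page gives none, and reports mismatches. Run on the values as listed, the three FortiGate-to-FortiGate links pass, while the FortiAnalyzer pair (port 16 listed as 192.168.55.2, the FortiAnalyzer at 192.168.65.10/24 with port 16 as its gateway) is reported as off-subnet, which is the kind of mismatch the check exists to catch.

```python
# Added example (not from the Fortinet Cookbook): consistency check for the
# Security Fabric links in this recipe. Addresses are the recipe's; a /24 mask
# is assumed wherever the page gives none.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    ip: IPv4Interface
    telemetry: bool = False     # Administrative Access includes FortiTelemetry


@dataclass
class FortiGate:
    name: str
    interfaces: Dict[str, Interface]
    upstream_ip: Optional[IPv4Address] = None   # "Connect to upstream FortiGate" address
    upstream_iface: Optional[str] = None        # this device's interface facing upstream


def find_owner(fabric: List[FortiGate], ip: IPv4Address) -> Tuple[Optional[FortiGate], str]:
    """Which fabric member owns this address, and on which interface."""
    for fgt in fabric:
        for ifname, iface in fgt.interfaces.items():
            if iface.ip.ip == ip:
                return fgt, ifname
    return None, ""


def check_fabric(fabric: List[FortiGate]) -> List[str]:
    """Problems with the FortiGate-to-FortiGate links; an empty list means consistent."""
    problems: List[str] = []
    if sum(1 for f in fabric if f.upstream_ip is None) != 1:
        problems.append("expected exactly one root FortiGate (no upstream)")
    for fgt in fabric:
        if fgt.upstream_ip is None:
            continue
        up, up_ifname = find_owner(fabric, fgt.upstream_ip)
        if up is None:
            problems.append(f"{fgt.name}: upstream {fgt.upstream_ip} belongs to no fabric member")
            continue
        up_iface = up.interfaces[up_ifname]
        if not up_iface.telemetry:
            problems.append(f"{up.name} {up_ifname}: FortiTelemetry not allowed, {fgt.name} cannot join")
        local = fgt.interfaces[fgt.upstream_iface]
        if fgt.upstream_ip not in local.ip.network:
            problems.append(f"{fgt.name} {fgt.upstream_iface} {local.ip} is not on the subnet of "
                            f"{up.name} {up_ifname} {up_iface.ip}")
        # Follow the chain upstream; it must end at the root without looping.
        seen, cur = {fgt.name, up.name}, up
        while cur is not None and cur.upstream_ip is not None:
            cur, _ = find_owner(fabric, cur.upstream_ip)
            if cur is None or cur.name in seen:
                problems.append(f"{fgt.name}: upstream chain does not reach the root")
                break
            seen.add(cur.name)
    return problems


def check_fortianalyzer(root: FortiGate, root_ifname: str, faz_ip: IPv4Interface,
                        faz_gateway: IPv4Address, server_on_root: IPv4Address) -> List[str]:
    """The FortiAnalyzer's own address/gateway and the root's logging target must agree."""
    problems: List[str] = []
    if server_on_root != faz_ip.ip:
        problems.append(f"root logs to {server_on_root} but the FortiAnalyzer is {faz_ip.ip}")
    if faz_gateway != root.interfaces[root_ifname].ip.ip:
        problems.append(f"FortiAnalyzer gateway {faz_gateway} is not {root.name} {root_ifname}")
    if faz_gateway not in faz_ip.network:
        problems.append(f"FortiAnalyzer gateway {faz_gateway} is not on its subnet {faz_ip.network}")
    return problems


def recipe_fabric() -> List[FortiGate]:
    """The four FortiGates of this recipe with the addresses it lists (/24 assumed)."""
    edge = FortiGate("Edge", {
        "port10": Interface(IPv4Interface("192.168.10.2/24"), telemetry=True),
        "port11": Interface(IPv4Interface("192.168.200.2/24"), telemetry=True),
        "port16": Interface(IPv4Interface("192.168.55.2/24"))})
    accounting = FortiGate("Accounting", {"wan1": Interface(IPv4Interface("192.168.10.10/24"))},
                           IPv4Address("192.168.10.2"), "wan1")
    marketing = FortiGate("Marketing", {
        "wan1": Interface(IPv4Interface("192.168.200.10/24")),
        "port12": Interface(IPv4Interface("192.168.135.2/24"), telemetry=True)},
        IPv4Address("192.168.200.2"), "wan1")
    sales = FortiGate("Sales", {"wan2": Interface(IPv4Interface("192.168.135.10/24"))},
                      IPv4Address("192.168.135.2"), "wan2")
    return [edge, accounting, marketing, sales]


def recipe_fortianalyzer_problems() -> List[str]:
    """Edge port 16, the FortiAnalyzer address and its gateway, as listed in this recipe."""
    edge = recipe_fabric()[0]
    return check_fortianalyzer(edge, "port16", IPv4Interface("192.168.65.10/24"),
                               IPv4Address("192.168.55.2"), IPv4Address("192.168.65.10"))


if __name__ == "__main__":
    print("fabric links:", check_fabric(recipe_fabric()) or "ok")
    print("FortiAnalyzer:", recipe_fortianalyzer_problems() or "ok")
```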

5. Checking your Security Rating

The Security Rating analyzes your Security Fabric deployment to identify potential vulnerabilities and highlight best practices. Using the Security Rating can help you improve your network configuration, deploy new hardware and software, and gain more visibility and control over your network.

By regularly checking your network’s Security Rating Score, which is determined by how many checks your network passes or fails, and making the recommended improvements, you can have confidence that your network is getting more secure over time.

You must have a valid Security Rating license to run all available checks. If you do not have a license, only certain checks are available. For more information about these checks, see Security Best Practices & Security Rating Feature.

On Edge, go to Security Fabric > Security Rating. The Security Rating runs automatically on the root FortiGate. However, if you want more recent results, select Run Now to run another Security Rating.

You can also select whether to run the Security Rating on All FortiGates or on specific FortiGate devices in the Security Fabric.

At the top of the page, you can see your network’s Security Rating Score, as well as the overall count of how many checks passed or failed. The failed checks are divided by severity.

 

Further down the page, you can see information about each failed check, including which FortiGate failed the check, the effect on your network’s score, and recommendations for fixing the issue.

You apply the recommendations using Easy Apply in the next step. However, if your Security Rating is older than 30 minutes, you must run it again before you can apply these changes.

By using Easy Apply, you can change the configuration of any FortiGate in the Security Fabric, not just the root FortiGate.

Select all the changes that you want to make, then select Apply Recommendations.

6. Results

On Edge, go to Dashboard > Main. The Security Fabric widget displays the names of the FortiGates in the Security Fabric.

 

The icons on the top of the widget indicate the other Fortinet devices that can be used in a Security Fabric. Devices in blue are detected in your network, devices in gray aren’t detected in your network, and devices in red are also not detected in your network but are recommended for a Security Fabric.

Also located on the Dashboard is the Security Rating widget, which displays your network’s current score.

If either of these widgets doesn’t appear on your dashboard, you can add them using the settings button in the bottom right corner.

Go to Security Fabric > Physical Topology. This page shows a visualization of access layer devices in the Security Fabric.

The topology also shows Security Rating next to the icon of the device that the recommendations apply to.


 

Go to Security Fabric > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the Security Fabric connects to.

On the FortiAnalyzer, go to Device Manager. The FortiGates are now shown as part of a Security Fabric group. The * beside Edge indicates that it’s the root FortiGate in the Security Fabric.

 

Right-click on the Security Fabric group and select Fabric Topology. The topology of the Security Fabric is displayed.

 

7. (Optional) Adding security profiles to the Security Fabric

The Security Fabric allows you to distribute security profiles to different FortiGates in your network, which can lessen the workload of each device and avoid creating bottlenecks. For example, you can implement antivirus scanning on Edge while the ISFW FortiGates apply application control and web filtering.

This results in distributed processing between the FortiGates in the Security Fabric, which reduces the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network since other internal networks may have different application control and web filtering requirements.

This configuration may result in threats getting through Edge, which means you should very closely limit access to the network connections between the FortiGates in the network.

To edit the policy that allows traffic from Accounting to the Internet, connect to Edge and go to Policy & Objects > IPv4 Policy.

Under Security Profiles, enable AntiVirus and select the default profile.

SSL Inspection is enabled by default. Set it to the deep-inspection profile.

Do the same for the policy that allows traffic from Marketing to the Internet.

 

To edit the policy that allows traffic from the Accounting network to Edge, connect to Accounting and go to Policy & Objects > IPv4 Policy.

Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both.

Repeat this step for both Marketing and Sales.

 

For further reading, check out Configuring the Security Fabric in the FortiOS 6.0 Online Help.

Notes:

  • This FortiGate has already been installed in NAT/Route mode in the “Installing a FortiGate in NAT/Route mode” recipe.
  • Once this feature is enabled, the option to view the policy list using the Interface Pair View is no longer available.
  • In this recipe, the policy is called Access-Resources because more Fortinet devices, such as a FortiSandbox, will be added to the subnet currently used by the FortiAnalyzer.
  • Enabling Device Detection on all interfaces that are classified as LAN or DMZ is a best practice.
  • The Default Gateway setting may not appear until you save the settings with the new IP address.
  • You may need to refresh the page before the icon appears.
  • Only Fortinet devices will be shown.
  • Using the deep-inspection profile may cause certificate errors. See Preventing certificate warnings for more information.

Antivirus scanning using flow-based inspection


In this recipe, you will turn on flow-based inspection on your FortiGate and apply flow-based antivirus scanning to network traffic.

For more information about the different antivirus inspection modes available in FortiOS, see FortiOS antivirus inspection modes.


1. Verifying the inspection mode

Flow-based is the default inspection mode for FortiOS. To verify that your FortiGate is in this mode, go to System > Settings and locate System Operations Settings.

 

Verify that Inspection Mode is set to Flow-based and NGFW Mode is set to Profile-based.

2. Configuring the AntiVirus profile

Go to System > Feature Visibility and verify that AntiVirus is enabled under Security Features.

 

To edit the default antivirus profile, go to Security Profiles > AntiVirus.

Set Scan Mode to Full and Detect Viruses to Block.

 

Under APT Protection Options, enable Use Virus Outbreak Prevention Database to provide an additional layer of protection from early stage virus outbreaks.

3. Enabling antivirus in a policy

To edit your Internet access policy, go to Policy & Objects > IPv4 Policy.

Under Security Profiles, enable AntiVirus and select the default profile.

SSL Inspection is enabled by default. Select deep-inspection.

 

4. Results

To test the antivirus scanning, go to www.eicar.org and attempt to download a test file. The browser will display a message denying permission to download the file.

To view information about the blocked file, go to FortiView > Traffic from LAN/DMZ > Threats.
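What "flow-based" adds to this EICAR test is that the engine must match while the data streams past it rather than after buffering the whole file, so a signature that straddles two packets still has to be found. The toy scanner below is an added example, not FortiOS code and not a model of its engine: it carries the tail of each chunk into the next and finds the public EICAR test string however the download is segmented, while a stateless per-chunk check misses a split signature. The "download" it scans is constructed inline.

```python
# Added example (not from the Fortinet Cookbook): a toy flow-based scanner that
# matches the EICAR test signature across chunk boundaries, the property a
# flow-mode engine needs and a stateless per-packet check lacks.
from typing import Iterable, List, Optional

# The public EICAR test string (the file www.eicar.org serves for this purpose).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class FlowScanner:
    """Scans a stream one chunk at a time, keeping the tail of the previous
    chunk so a signature split across two chunks is still found."""

    def __init__(self, signature: bytes = EICAR):
        self.signature = signature
        self.carry = b""          # last len(signature)-1 bytes already consumed
        self.seen = 0             # total bytes consumed so far

    def feed(self, chunk: bytes) -> Optional[int]:
        """Return the stream offset just past the signature, or None if absent."""
        window = self.carry + chunk
        idx = window.find(self.signature)
        hit = None
        if idx != -1:
            # window starts at stream offset (seen - len(carry))
            hit = self.seen - len(self.carry) + idx + len(self.signature)
        self.seen += len(chunk)
        self.carry = window[-(len(self.signature) - 1):]
        return hit


def scan_stream(chunks: Iterable[bytes]) -> Optional[int]:
    """Flow-based: stateful across chunks; returns the end offset of the first hit."""
    scanner = FlowScanner()
    for chunk in chunks:
        hit = scanner.feed(chunk)
        if hit is not None:
            return hit
    return None


def scan_per_packet(chunks: Iterable[bytes]) -> bool:
    """Stateless per-packet check: misses a signature split across chunks."""
    return any(EICAR in chunk for chunk in chunks)


def split_download(payload: bytes, size: int) -> List[bytes]:
    """Constructed 'download': a file body cut into size-byte segments."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]


if __name__ == "__main__":
    body = b"A" * 100 + EICAR + b"B" * 50        # constructed file body
    for size in (64, 1000):
        chunks = split_download(body, size)
        print(f"{size}-byte chunks: flow={scan_stream(chunks)} per-packet={scan_per_packet(chunks)}")
```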

For further reading, check out Antivirus in the FortiOS 6.0 Online Help.

Notes:

  • Using the deep-inspection profile may cause certificate errors. See Preventing certificate warnings for more information.

Creating security policies


In this recipe, you will create multiple security policies, which will apply security inspection to different users based on which user group they belong to.

This recipe is in the Basic FortiGate network collection. You can also use it as a standalone recipe.

This example contains three IPv4 policies:

  • Internet: The policy that the Employee user group uses to access the Internet. You use the FortiGate to apply some security inspection to traffic.
  • Accounting: The policy that the Accounting user group uses to access the Internet. You use the FortiGate to apply increased security inspection to protect sensitive information.
  • Admin: The policy that the Admin user group uses, connecting from a specific computer, to access the Internet. You use the FortiGate to apply limited security inspection.


1. Creating an Employee user, user group, and Internet policy

To create a new user, go to User & Device > User Definition (in the example, this account is called jpearson).

In the User Type section, select Local User.

 
In the Login Credentials section, set Username and set a Password.

In the Contact info section, set the user’s Email Address.

In the Extra Info section, verify that User Account Status is Enabled.

Your FortiGate now lists the new user.

To create a new user group, go to User & Device > User Groups (in the example, this group is called Employees). Add user jpearson to the Members list.

The FortiGate now lists the new user group.

To edit the Internet policy, go to Policy & Objects > IPv4 Policy.

For Source, set Address to all and User to the Employees group.

Under Security Profiles, enable AntiVirus and Web Filter. Set both to use the default profile.

SSL Inspection is enabled by default. Set it to the deep-inspection profile.

 

2. Creating an Accounting user, user group, and Internet policy

To create another user, go to User & Device > User Definition (in the example, akeating).

To create another user group, go to User & Device > User Groups (in the example, Accounting). Add user akeating to the Members list.

To create a new Accounting policy, go to Policy & Objects > IPv4 Policy.

For Source, set Address to all and User to the Accounting group.

Under Security Profiles, enable AntiVirus, Web Filter, Application Control, and IPS. Set all of these to use the default profile.

SSL Inspection is enabled by default. Set it to the deep-inspection profile.

 

3. Creating an Admin user, user group, device, and Internet policy

To create another user, go to User & Device > User Definition (in the example, tal-jamil).

To create another user group, go to User & Device > User Groups (in the example, Admin). Add user tal-jamil to the Members list.

 

To add a new device, go to User & Device > Custom Devices & Groups.

Set Alias to AdminPC and enter the MAC Address of the PC. Select the appropriate Device Type.

The PC is now listed under Custom Devices.

To create a new Admin policy, go to Policy & Objects > IPv4 Policy.

For Source, set Address to all, User to the Admin group, and Device to the AdminPC.

Under Security Profiles, enable AntiVirus and set it to use the default profile.

SSL Inspection is enabled by default. Set it to the deep-inspection profile.

4. Ordering the policy table

To view the policy table, go to Policy & Objects > IPv4 Policy. Select the By Sequence view, which shows the policies in the order that they are used by your FortiGate.

Currently, the policies are arranged in the order you created them, with the oldest policy at the top of the list.

To have the correct traffic flowing through each policy, you must arrange them so that the more specific policies are located at the top.

To rearrange the policies, select the column on the far left (in the example, ID) and drag the policy to the required position, as shown on the right.
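The order matters because the FortiGate uses the first policy in the table that matches a session. The three groups in this recipe are disjoint, so the effect only shows once an account belongs to more than one group; the added example below (not Fortinet code, and a simplified model of policy lookup rather than FortiOS's own) therefore adds a constructed account "dual" that is in both Employees and Accounting: in creation order it lands on the lighter Internet policy, in the step 4 order on the Accounting policy. It also reproduces the outcomes in the Results section, including tal-jamil authenticating from a device other than AdminPC and still getting no Internet access.

```python
# Added example (not from the Fortinet Cookbook): a first-match model of this
# recipe's IPv4 policy table. Accounts, groups and the AdminPC device are the
# recipe's; the account "dual" is constructed to show why table order matters.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# account -> groups; "dual" is a constructed member of two groups
USERS = {"jpearson": {"Employees"}, "akeating": {"Accounting"},
         "tal-jamil": {"Admin"}, "dual": {"Employees", "Accounting"}}


@dataclass
class Policy:
    name: str
    groups: Set[str]                    # Source > User
    profiles: Set[str]                  # Security Profiles enabled on the policy
    devices: Optional[Set[str]] = None  # Source > Device; None means any device


INTERNET = Policy("Internet", {"Employees"}, {"AntiVirus", "Web Filter"})
ACCOUNTING = Policy("Accounting", {"Accounting"},
                    {"AntiVirus", "Web Filter", "Application Control", "IPS"})
ADMIN = Policy("Admin", {"Admin"}, {"AntiVirus"}, devices={"AdminPC"})

CREATION_ORDER = [INTERNET, ACCOUNTING, ADMIN]   # oldest first, before step 4
SPECIFIC_FIRST = [ADMIN, ACCOUNTING, INTERNET]   # the order step 4 produces


def lookup(table: List[Policy], user: str, device: str) -> Tuple[bool, Optional[Policy]]:
    """Simplified FortiOS behaviour: returns (authenticated, matching policy).

    Authentication succeeds for any known account; the first policy in table
    order whose group and device constraints the user satisfies is used, and
    no match means the session is denied even though the login succeeded."""
    groups = USERS.get(user)
    if groups is None:
        return False, None
    for policy in table:
        if not (policy.groups & groups):
            continue
        if policy.devices is not None and device not in policy.devices:
            continue
        return True, policy
    return True, None


def describe(table: List[Policy], user: str, device: str) -> str:
    authenticated, policy = lookup(table, user, device)
    if not authenticated:
        return "login failed"
    if policy is None:
        return "logged in, but no policy matches: no Internet access"
    return f"{policy.name} ({', '.join(sorted(policy.profiles))})"


if __name__ == "__main__":
    for user, device in [("jpearson", "laptop"), ("akeating", "laptop"),
                         ("tal-jamil", "AdminPC"), ("tal-jamil", "laptop")]:
        print(f"{user:10s} from {device:8s} -> {describe(SPECIFIC_FIRST, user, device)}")
    # The constructed two-group account lands on a different policy depending on order.
    print("dual, creation order ->", describe(CREATION_ORDER, "dual", "laptop"))
    print("dual, specific first ->", describe(SPECIFIC_FIRST, "dual", "laptop"))
```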

 

5. Results

From any PC in the internal network, attempt to browse the Internet.

A login screen will appear. Use the jpearson account to log in. After authentication, you can connect to the Internet.

 

Go to Monitor > Firewall User Monitor. The list shows jpearson is online.

Right-click the account and select Deauthenticate.

On the same PC, attempt to browse the Internet again. This time, log in using the akeating account.

The Firewall User Monitor now shows akeating is online and you can access the Internet.

 

From the AdminPC, attempt to browse the Internet. Log in using the tal-jamil account.

The Firewall User Monitor now shows tal-jamil is online and you can access the Internet.

If you attempt to log in from any other device using the tal-jamil account, the account will authenticate; however, you will not have Internet access.

Go to FortiView. Under All Segments, select Policies and select the 5 minutes view.

You can see traffic hitting all three policies and that each user’s traffic is flowing through the correct policy.

 

For further reading, check out Firewall policies in the FortiOS 6.0 Online Help.

This policy was previously created in the Installing a FortiGate in NAT/Route mode recipe.
Using the deep-inspection profile may cause certificate errors. See Preventing certificate warnings for more information.
If a certificate error occurs during the authentication process, browse to a different site and re-attempt user authentication. For more information, see Certificate errors with authentication.

The post Creating security policies appeared first on Fortinet Cookbook.

SSL VPN using web and tunnel mode


In this example, you will allow remote users to access the corporate network using an SSL VPN, connecting either by web mode using a web browser or tunnel mode using FortiClient.

Web mode allows users to access network resources, such as the AdminPC used in this example.

For users connecting via tunnel mode, traffic to the Internet will also flow through the FortiGate, to apply security scanning to this traffic. During the connecting phase, the FortiGate will also verify that the remote user’s antivirus software is installed and up-to-date.

This recipe is in the Basic FortiGate network collection. You can also use it as a standalone recipe.

This recipe allows access for members of the Employee user group, created in the previous recipe, Creating security profiles.

1. Editing the SSL VPN portal for remote users

To edit the full-access SSL VPN portal, go to VPN > SSL-VPN Portals. The full-access portal allows the use of tunnel mode and web mode.

Under Tunnel Mode, disable Enable Split Tunneling for both IPv4 and IPv6 traffic to ensure all Internet traffic will go through the FortiGate.

Set Source IP Pools to use the default IP range SSLVPN_TUNNEL-ADDR1.

 

Under Enable Web Mode, create Predefined Bookmarks for any internal resources that the SSL VPN users need to access. In the example, the bookmark allows the remote user RDP access to a computer on the internal network.

2. Configuring the SSL VPN tunnel

To configure the SSL VPN tunnel, go to VPN > SSL-VPN Settings.

Set Listen on Interface(s) to wan1. To avoid port conflicts, set Listen on Port to 10443. Set Restrict Access to Allow access from any host.

In the example, the Fortinet_Factory certificate is used as the Server Certificate. To ensure that traffic is secure, you should use your own CA-signed certificate. For more information about using certificates, see Preventing certificate warnings (CA-signed certificates).

Under Tunnel Mode Client Settings, set IP Ranges to use the default IP range SSLVPN_TUNNEL-ADDR1.

Under Authentication/Portal Mapping, click Create New to add the Employee user group and map it to the full-access portal.

If necessary, map a portal for All Other Users/Groups.

3. Adding security policies for access to the internal network and Internet

To add an address for the local network, go to Policy & Objects > Addresses.

Set Type to Subnet, Subnet/IP Range to the local subnet, and Interface to lan.

To create a security policy allowing access to the internal network through the VPN tunnel interface, go to Policy & Objects > IPv4 Policy.

Set Incoming Interface to ssl.root and Outgoing Interface to lan. Select Source and set Address to all and User to the Employee user group. Set Destination Address to the local network address, Service to ALL, and enable NAT.

 

Add a second security policy allowing SSL VPN access to the Internet.

For this policy, set Incoming Interface to ssl.root and Outgoing Interface to wan1. Select Source and set Address to all and User to the Employee user group.

4. Verifying remote user’s OS and software

To verify that remote users are using up-to-date devices to connect to your network, you can configure a host check for both operating system (supported for Windows and Mac OS) and software.

You can configure an OS host check for specific OS versions. This check includes the following options: allow the device to connect, block the device, or check that the OS is up-to-date. The default action for all OS versions is allow.

The software host can verify whether the device has AntiVirus software recognized by Windows Security Center, firewall software recognized by Windows Security Center, both, or a custom setting.

Configure both checks using the CLI:

config vpn ssl web portal
  edit full-access
    set os-check enable
      config os-check-list {macos-high-sierra-10.13 | macos-sierra-10.12 | os-x-el-capitan-10.11 | os-x-mavericks-10.9 | os-x-yosemite-10.10 |
                            windows-7 | windows-8 | windows-8.1 | windows-10 | windows-2000 | windows-vista | windows-xp}
        set action {deny | allow | check-up-to-date}
      end
    set host-check {av | fw | av-fw | custom}
  end

 

5. Results

The steps for connecting to the SSL VPN differ depending on whether you are using a web browser or FortiClient.

Web browsers:

Using a supported Internet browser, connect to the SSL VPN web portal using the remote gateway configured in the SSL VPN settings (in the example, https://172.25.176.62:10443).

Log in to the SSL VPN.

 

After authenticating, you can access the SSL-VPN Portal. From this portal, you can launch or download FortiClient, access Bookmarks, or connect to other resources using the Quick Connection tool.

In this example, selecting the bookmark enables you to connect to the AdminPC.
To connect to the Internet, select Quick Connection. Select HTTP/HTTPS, then enter the URL and select Launch.
The website loads.
To view the list of users currently connected to the SSL VPN, go to Monitor > SSL-VPN Monitor. The user is connected to the VPN.
If a remote device fails the OS or host check, a warning message appears after authentication instead of the portal.

FortiClient:

If you have not done so already, download FortiClient from www.forticlient.com.

Open the FortiClient Console and go to Remote Access. Add a new connection.

 

Set VPN Type to SSL VPN, set Remote Gateway to the IP of the listening FortiGate interface (in the example, 172.25.176.62). Select Customize Port and set it to 10443.

Select Add.

Log in to the SSL VPN.
You are able to connect to the VPN tunnel.
To view the list of users currently connected to the SSL VPN, go to Monitor > SSL-VPN Monitor. The user is connected to the VPN.

For further reading, check out Basic SSL VPN configuration in the FortiOS 6.0 Online Help.

If you do select Enable Split Tunneling, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles. You will also have to set your corporate network’s address as the Routing Address.
If you are allowing split tunneling, this policy is not required.

The post SSL VPN using web and tunnel mode appeared first on Fortinet Cookbook.


FortiGate registration and basic settings


In this recipe, you will complete the following basic administrative tasks to get a newly installed FortiGate ready for use:

  • Register your FortiGate with a Fortinet Support account.
  • Set the system time.
  • Create a new administrator and edit the default account.
  • Restrict administrative access to a trusted host (optional).

This recipe is in the Basic FortiGate network collection. You can also use it as a standalone recipe.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 6.0

1. Registering your FortiGate

You must register your FortiGate to receive firmware upgrades, FortiGuard updates, and access to Fortinet Support.

Before you register your FortiGate, it must be connected to the Internet.

Connect to your FortiGate. A message appears that states that FortiCare registration is required. Select Register Now.

If you have a Fortinet Support account, set Action to Login. If you need to create an account, set Action to Create Account.

To allow Fortinet Support to keep a complete list of your devices, you should use one account to register all of your Fortinet products.

 

Go to System > FortiGuard. In License Information, FortiCare Support appears as Registered.

Your other FortiGuard licenses now show as licensed. There may be a delay before all of them appear as licensed.

 

2. Setting the system time

Go to System > Settings. Under System Time, select your Time Zone and either set the time manually or select Synchronize with NTP Server.

Current system time displays the correct time.

3. Creating a new administrator and editing the default account

Go to System > Administrators and create a new account. Set User Name and Password.

Set Administrator Profile to super_admin. This profile allows the administrator full access to configure the FortiGate.

 
Log out of the FortiGate and log in using your new account.

To secure your FortiGate, it’s recommended that you change the name and password of the default admin account.

Go to System > Administrators and edit the default account. Change the User Name.

Select Change Password to add a password to this account.

4. Results

Attempt to log in using the original credentials for the default account. Access is denied.

Log in using the new credentials for the default account. Access is granted.

Go to Log & Report > System Events. You can see the successful and failed login attempts in the events list.


 

5. Restricting administrative access to a trusted host (optional)

You can configure an administrative account to be accessible only to someone who is using a trusted host. You can set a specific IP address for the trusted host or use a subnet.

Go to System > Administrators and edit the default admin account.

Enable Restrict login to trusted hosts. Set Trusted Host 1 to the static IP address of the computer you use to administer the FortiGate.

If required, set additional trusted hosts.

For further reading, check out Basic Administration in the FortiOS 6.0 Online Help.

For system events to appear in the GUI, you must configure disk logging in the log settings on the FortiGate. This option is only available on FortiGate models that have an internal hard drive.

The post FortiGate registration and basic settings appeared first on Fortinet Cookbook.

Automations for the Security Fabric


In this recipe, you configure Automations for your Fortinet Security Fabric. Each Automation pairs an event trigger and one or more actions, which allows you to monitor your network and take appropriate action when the Security Fabric detects a threat. You can use Automations to detect events from any source in the Security Fabric and apply actions to any destination.

This recipe is in the Security Fabric Collection. You can also use it as a standalone recipe.

In this example, you create the following Automations:

  • Ban a compromised host’s IP address.
  • Send an email alert when HA failover occurs.

In this example, the Security Fabric consists of Edge, an HA cluster that is the root FortiGate of the Security Fabric, and three ISFW FortiGate devices (Accounting, Marketing, and Sales). You configure the Automations on the root FortiGate and the settings are synchronized with the other FortiGate devices in the Security Fabric.

1. Creating the Automations

 

To create a new Automation that bans the IP address of a compromised host, go to Security Fabric > Automation.

Set FortiGate to All FortiGates.

Set Trigger to Compromised Host. Set IOC level threshold to High.

Set Action to IP Ban.

Create a second Automation that sends an email alert when HA failover occurs.

Set FortiGate to Edge-Primary, which is part of the only HA cluster in the Security Fabric.

Set Trigger to HA Failover. Set Action to Email.

Set the Email subject and email address to send alerts to.

 

2. Testing the Automations

Instead of testing the Automation that blocks compromised hosts, the following steps simulate its effects by manually blocking the IP address of a PC on your network.

Go to Security Fabric > Physical Topology and locate a PC on your network. Right-click the PC and select Ban IP.

 

Set Ban Type to Temporary. Set Duration to 30 minutes.

To test the Automation for HA failover, go to Edge-Primary. In the administrative drop-down menu, select System > Reboot.

Set an Event log message.

 

3. Results 

The banned device can no longer access the Internet.

When HA failover occurs, an email similar to the one shown is sent to the email that you configured in the Automation.

 

For further reading, check out Using the Security Fabric to improve network security in the FortiOS 6.0 Online Help.

If you select the Medium threshold, the event trigger occurs for both medium and high level IOC threats.

The post Automations for the Security Fabric appeared first on Fortinet Cookbook.

Using Facial Recognition in FortiCentral


The following recipe guides you through the process of using and optimizing facial recognition in FortiCentral.

 

Entering Individuals into the Facial Database

 

There are a variety of methods to enter individuals into the facial database.

You can take a track and create a person entry based on that track:

  1. Select the track and then select New. The New Person dialog box appears with a snapshot of the suggested picture.
  2. Enter the individual’s first and last name.
  3. Select their class of guest in the Class dropdown menu.
  4. Select OK.


 

Verifying an Individual’s Identity

What if an individual of interest has been seen before on camera and you want to know the identity of the individual?

  1. Select the pane gear button.
  2. Select Computer Vision Query.
  3. Select Search without enabling the face recognition checkbox.
  4. Select the track that contains the subject of interest in the returned tracks section.
  5. Check face recognition and select the Search button. The search results will now be sorted according to similarity with the person of interest.
  6. Drag a video from the query pane to a video pane to play the video from one of the tracks. This initiates playback from the time of detection.


 

Viewing a Recently Seen Individual

What if you know a particular individual has been to your building and you want to find out the exact time and day they arrived? To view a recently seen individual:

  1. Open the Computer Vision Query from the pane gear menu.
  2. Select the individual in the People list on the left side.
  3. Enable the face recognition checkbox.
  4. Select Search. The result window shows tracks of the selected person and all individuals who resemble the selected person.
  5. Switch to the table view and sort by time.


 


The post Using Facial Recognition in FortiCentral appeared first on Fortinet Cookbook.

Episode 23: FortiCloud & FortiDeploy

Security Rating


In this recipe, you run a Security Rating, which analyzes your Security Fabric deployment to identify potential vulnerabilities and highlight best practices.

Using the Security Rating can help you improve your network configuration, deploy new hardware and software, and gain more visibility and control over your network. By regularly checking your Security Rating percentile and your Security Rating Score and making the recommended improvements, you can have confidence that your network is getting more secure over time.

You must have a valid Security Rating license from FortiGuard to run all available checks. If you do not have a license, only certain checks are available. For more information about these checks, see Security Best Practices & Security Rating Feature.

1. Checking the Security Rating widget

Go to the Dashboard and locate the Security Rating widget. In the example, the widget does not display any information because it has not been properly configured.

 

Once configured, the widget displays a comparison between your Security Rating and the Security Rating of other users. You can either compare your rating with users from all industries or with only your industry. You can also compare your rating with users from all regions or only your region.

To change which users your score is compared to, select the widget settings using the menu in the top right corner of the widget.

2. Checking your Security Rating

On Edge, go to Security Fabric > Security Rating. The Security Rating runs automatically on the root FortiGate. However, if you want more recent results, select Run Now to run another Security Rating.

You can also select whether to run the Security Rating on All FortiGates or on specific FortiGate devices in the Security Fabric.

At the top of the page, you can see your network’s Security Rating, which shows which percentile your network is in compared to other users. You can also see your Security Rating Score, which is based on how many checks were passed or failed, as well as how many FortiGate units are in your network.

Further down the page, you can see information about each failed check, including which FortiGate failed the check, the effect on your network’s score, and recommendations for fixing the issue.

You can use Easy Apply to apply the recommendations in the next stage. However, if your Security Rating is older than 30 minutes, you must run it again to apply these changes.

By using Easy Apply, you can change the configuration of any FortiGate in the Security Fabric, not just the root FortiGate.

Select all the changes that you want to make, then select Apply Recommendations.

3. Results

Go to the Dashboard. The Security Rating widget displays the information from the newly run Security Rating.

Go to Security Fabric > Physical Topology. Each FortiGate has a circle with a number beside it, displaying the number and severity of failed checks on that unit.

To view the failed checks on a specific FortiGate unit, click the FortiGate. A screen appears, showing the information and allowing you to make changes for the Easy Apply recommendations.

 

Your industry is determined based on your FortiCare account settings.

The post Security Rating appeared first on Fortinet Cookbook.

Re-Aligning FortiRecorder Disk Partitions


The following recipe is for those having performance problems with the FRC-200Dgen2, the FRC-400D, and VMs installed before the FortiRecorder v2.6 release. It covers how to check partition alignment in FortiRecorder and how to re-align the partitions if they are not aligned correctly.


Checking Alignment

First you need to verify disk partition alignment. Access the CLI and enter “diag system disk-details”.

If your partitions are not aligned correctly, your screen will resemble the following:

System Time:  2018-04-13 09:58:13 EDT (Uptime: 1d 23h 55m)
for type for-var-physical
 +device-name=sda
 |   is-enc=0
 |   is-dma=1
 |   is-usb=0
 |     size=2000398934016 (opt=0,min=4096,alg=0,phy=4096,log=512,grn=1048576)
 +-----part-name=sda1
 |             size=2000299999744
 |             start=512(not-aligned)
 |       is-mounted=0
 |          fs-type=software_raid
 +device-name=sdb
 |   is-enc=0
 |   is-dma=1
 |   is-usb=0
 |     size=2000398934016 (opt=0,min=4096,alg=0,phy=4096,log=512,grn=1048576)
 +-----part-name=sdb1
 |             size=2000299999744
 |             start=512(not-aligned)
 |       is-mounted=0
 |          fs-type=software_raid

Continue to the next section to remedy the problem.
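The alignment test itself is simple arithmetic on two numbers from that output: the partition start offset and the disk's physical sector size (phy) and optimal grain (grn). As an added example (not FortiRecorder code), the following Python script parses the diag system disk-details format shown above and recomputes the alignment rather than trusting the "(not-aligned)" hint; its sample input is constructed from the recipe's output, with sdb1 changed to a 1 MiB start so that an aligned partition appears beside the misaligned one.

```python
"""Parse FortiRecorder `diag system disk-details` output and flag misaligned partitions.

Added example, not FortiRecorder code. A partition start that is not a multiple of the
disk's physical sector size makes each 4 KiB block straddle two physical sectors, which
forces read-modify-write cycles and is the cause of the slow recording performance.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the same format as the recipe's output; sdb1 has been
# changed to a 1 MiB start so that an aligned partition appears beside the bad one.
SAMPLE_OUTPUT = """\
System Time:  2018-04-13 09:58:13 EDT (Uptime: 1d 23h 55m)
for type for-var-physical
 +device-name=sda
 |   is-enc=0
 |     size=2000398934016 (opt=0,min=4096,alg=0,phy=4096,log=512,grn=1048576)
 +-----part-name=sda1
 |             size=2000299999744
 |             start=512(not-aligned)
 |       is-mounted=0
 |          fs-type=software_raid
 +device-name=sdb
 |   is-enc=0
 |     size=2000398934016 (opt=0,min=4096,alg=0,phy=4096,log=512,grn=1048576)
 +-----part-name=sdb1
 |             size=2000299999744
 |             start=1048576
 |       is-mounted=0
 |          fs-type=software_raid
"""

@dataclass
class Partition:
    name: str
    size: int = 0
    start: int = 0        # byte offset of the partition on the device
    fs_type: str = ""

@dataclass
class Disk:
    name: str
    size: int = 0
    phy: int = 512        # physical sector size in bytes
    grn: int = 0          # optimal I/O granularity in bytes (0 = not reported)
    partitions: list = field(default_factory=list)

DEVICE_RE = re.compile(r"^\s*\+device-name=(\S+)")
DISK_SIZE_RE = re.compile(r"^\s*\|\s+size=(\d+)\s+\((.*)\)")   # disk size carries the (opt=..,phy=..) tail
PART_RE = re.compile(r"^\s*\+-+part-name=(\S+)")
PART_SIZE_RE = re.compile(r"^\s*\|\s+size=(\d+)\s*$")          # partition size has no tail
START_RE = re.compile(r"^\s*\|\s+start=(\d+)")                  # digits only; the hint is ignored
FS_RE = re.compile(r"^\s*\|\s+fs-type=(\S+)")

def parse_disk_details(text):
    """Return a list of Disk objects built from the diag output."""
    disks, disk, part = [], None, None
    for line in text.splitlines():
        if m := DEVICE_RE.match(line):
            disk, part = Disk(name=m.group(1)), None
            disks.append(disk)
        elif disk is not None and part is None and (m := DISK_SIZE_RE.match(line)):
            disk.size = int(m.group(1))
            attrs = dict(kv.split("=", 1) for kv in m.group(2).split(","))
            disk.phy = int(attrs.get("phy", disk.phy))
            disk.grn = int(attrs.get("grn", 0))
        elif disk is not None and (m := PART_RE.match(line)):
            part = Partition(name=m.group(1))
            disk.partitions.append(part)
        elif part is not None:
            if m := PART_SIZE_RE.match(line):
                part.size = int(m.group(1))
            elif m := START_RE.match(line):
                part.start = int(m.group(1))
            elif m := FS_RE.match(line):
                part.fs_type = m.group(1)
    return disks

def check_alignment(disk):
    """Map partition name -> (start aligned to phy sector, start aligned to optimal grain)."""
    return {
        p.name: (p.start % disk.phy == 0, disk.grn == 0 or p.start % disk.grn == 0)
        for p in disk.partitions
    }

def misaligned_partitions(text):
    """Names of partitions whose start is not a multiple of their disk's physical sector."""
    return [p.name for d in parse_disk_details(text)
            for p in d.partitions if p.start % d.phy != 0]

if __name__ == "__main__":
    for d in parse_disk_details(SAMPLE_OUTPUT):
        for name, (phy_ok, grn_ok) in check_alignment(d).items():
            print(f"{name}: phy-aligned={phy_ok} grain-aligned={grn_ok} (phy={d.phy}, grn={d.grn})")
```

Run it against the real output by pasting the CLI text into SAMPLE_OUTPUT or reading it from a file; any partition listed by misaligned_partitions() is a candidate for the repartitioning steps in the next section.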


 

Aligning Partitions

Now that we’ve identified the problem, we can align the partitions properly.

  1. Backup your FortiRecorder configuration by going to Monitor > System Status > Status and selecting Backup.
  2. If remote storage is available, modify each camera profile in use by going to Storage Options and selecting Move after 1 hour for both continuous and detection records.
  3. Let the system run until the local storage usage is down to a minimum. This could take a few days since the system will continue recording.
  4. Repartition the disk by using the CLI command: exec factoryreset disk
  5. Restore the configuration.

The post Re-Aligning FortiRecorder Disk Partitions appeared first on Fortinet Cookbook.

Verifying FortiGuard licenses and troubleshooting


In this recipe, you verify that your FortiGate displays the correct FortiGuard licenses and troubleshoot any errors. You must register your FortiGate before FortiGuard licenses are shown.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 6.0

1. Viewing your licenses

To view your licenses, go to the Dashboard and find the Licenses widget.

The FortiGuard licenses are listed, with their status indicated:

  • A green check mark indicates an active license.
  • A gray question mark indicates an unavailable license.
  • A license highlighted in orange is either unlicensed or expires soon.
  • A license highlighted in red is expired.

 

 

The widget only displays licenses for features you enabled in Feature Visibility. To enable more features, go to System > Feature Visibility.

The Web Filtering license only appears as active when a web filter profile is applied to a firewall policy.

You can also view FortiGuard license information by going to System > FortiGuard.

2. Troubleshooting

If you need to add or renew a subscription, go to Fortinet Support.

If a license that should be active is not currently available, you can use the following steps to troubleshoot your connection. After each troubleshooting step, go to System > FortiGuard to check if the licenses are now shown as available.

Connecting to FortiGuard

To prompt your FortiGate to connect to FortiGuard, connect to the CLI and use the command shown below:

diagnose debug application update -1
diagnose debug enable
execute update-now

If your FortiGate has multiple VDOMs, make sure that you use the management VDOM and that the VDOM has Internet access. To set the proper VDOM as the management VDOM, use the following command:

config system global
  set management-vdom <VDOM_name>
end

Checking FortiGuard filtering

To test if FortiGuard is reachable, go to System > FortiGuard.

Under Filtering, check Filtering Services Availability. If you don’t see a green check mark, select Check Again.

If you still don’t see a green check mark, change the FortiGuard Filtering Port to the alternate port (8888). Select Apply and see if the services become available.

Testing the DNS

To test if your DNS can reach FortiGuard, use the following CLI command:

execute ping guard.fortinet.net

If you are able to reach the address, run the following command:

diagnose debug application update -1
diagnose debug enable
execute update-now

If you cannot reach the address, go to System > DNS and verify that the settings are correct. Then run the PING test again.

Contacting Support

If you are still unable to connect, contact Fortinet Support.

3. Results

Go to the Dashboard and view the Licenses widget. Any subscribed services should have a green check mark beside them.
Go to System > FortiGuard. Features and services you are subscribed to should have a green check mark beside it.

For further reading, check out FortiGuard in the FortiOS 6.0 Handbook.

When you apply the profile, a warning will appear stating that web filtering doesn’t have a valid license. You can ignore this for the moment.
If you are updating FortiGuard using a FortiManager, the FortiGuard Filtering Port can also be 80.

The post Verifying FortiGuard licenses and troubleshooting appeared first on Fortinet Cookbook.


Configuring Config-Only HA Mode in FortiMail

Configuring Active-Passive HA Mode in FortiMail

Episode 24: FortiGuard

FortiGate installation troubleshooting


This document includes information about the steps you can take if your FortiGate isn’t functioning as expected after you’ve installed it in either NAT/Route or Transparent mode. Steps apply to both NAT/Route and Transparent mode, unless noted otherwise.

1. Check your equipment and cables

Verify that all network equipment is powered on and all cables connect to the right interfaces.

2. Check the FortiGate LEDs

There are multiple LEDs on the faceplate of your FortiGate that you can use to troubleshoot the connections. Check the FortiGate LED Specifications guide for more information about the LEDs.

3. Ping the FortiGate

Use a computer on the internal network to ping the FortiGate. If you are using NAT/Route Mode, ping the IP address of the internal interface. For Transparent mode, ping the management IP address.

If you can’t ping the FortiGate, verify that the IP address of the computer is on the same subnet as the IP address you’re trying to reach. Also, make sure that PING is enabled for Administrative Access on the FortiGate interface.

If you can ping the interface but can’t connect to the GUI, use SSH to connect to the CLI, then make sure HTTPS is enabled for Administrative Access on the interface.

If you’re unable to connect using HTTPS or SSH, you need to connect through the console port on the FortiGate. If you are using FortiOS 5.6 or higher, you can also connect using the FortiExplorer app for iOS.

4. Check the FortiGate interface configurations (NAT/Route mode only)

Check the configuration of the FortiGate interfaces to make sure you use the correct Addressing Mode for your network.

5. Verify the security policy configuration

Check the Internet access policy to make sure Action is set to ACCEPT and that the policy is located near the top of the policy list. Check the Sessions column to verify that traffic has been processed by this policy (if this column doesn’t appear, right-click the title row, select Sessions, and select Apply).

If you’re using NAT/Route mode, make sure that NAT is enabled and Use Destination Interface Address is selected.

6. Verify the static routing configuration (NAT/Route mode only)

Make sure you configured a default static route on the FortiGate that points to the correct gateway IP address, provided by your ISP.

7. Verify that you can connect to the Internet-facing interface’s IP address (NAT/Route mode only)

Use a computer on the internal network to ping the IP address of the Internet-facing interface. If you can’t connect to the interface, verify that PING has been enabled for Administrative Access on the interface.

If you are still unable to connect, traffic is not allowed to flow from the internal network to the Internet-facing interface. Go back to the installation recipe for your operation mode and verify that you correctly followed all the steps.

8. Verify that you can connect to the gateway provided by your ISP

Use a computer on the internal network to ping the default gateway IP address. If you can’t reach the gateway, contact your ISP to verify that you are using the correct IP address.

9. Ping an IP on the Internet

On the FortiGate, use the CLI command execute ping to ping an IP address on the Internet, such as 8.8.8.8, the IP address of Google Public DNS. If you can’t ping the address, then the FortiGate isn’t able to access the Internet.

You can also use the execute traceroute command to troubleshoot connectivity to the Internet.

10. Verify the DNS configuration

The FortiGate uses the Domain Name System (DNS) to map domain names to the corresponding website IP addresses. Use the CLI command execute ping to ping a domain name, such as www.fortinet.com, and verify that the name can be resolved.

If it can’t, check that the DNS settings on the FortiGate are correct.

11. Resetting the FortiGate

If none of the above steps identify your problem, reset the FortiGate to factory defaults using the CLI command execute factoryreset. When prompted, type y to confirm the reset.

12. Contacting Fortinet Support

If you need further assistance with troubleshooting your FortiGate, visit the Fortinet Support website.

Resetting the FortiGate to factory defaults puts the FortiGate back into NAT/Route mode.

The post FortiGate installation troubleshooting appeared first on Fortinet Cookbook.

Guest WiFi accounts


In this recipe, you create temporary guest accounts that can connect to your WiFi network after authenticating using a captive portal. To make management easier, you also create a separate administrative account that can only be used to manage guest accounts.

This example uses a FortiAP in Tunnel mode to provide WiFi access to guests. For information about configuring the FortiAP, see Setting up WiFi with a FortiAP.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 6.0

1. Creating a WiFi guest user group

To create a guest user group, go to User & Device > User Groups and create a new group.

Set Type to Guest and set User ID to Email.

Under Guest Details, enable Require Email, enable Password, and set the password to Auto Generated.

Under Expiration, set Start Countdown to After First Login and set Time to 5 minutes for testing purposes.

2. Creating a guest SSID that uses captive portal

To create an SSID for guest users, go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to Tunnel to Wireless Controller. Assign an IP/Network Mask to the interface and enable DHCP Server.

Under WiFi Settings, set the following:

  • Security Mode to Captive Portal
  • Portal Type to Authentication
  • User Groups to the guest user group

To broadcast the new SSID, go to WiFi & Switch Controller > FortiAP Profiles and edit the profile used by the FortiAP.

Under Radio 1 set SSIDs to include the new SSID.

3. Creating a security policy for WiFi guests

To allow WiFi guest users to access the Internet, go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the guest SSID and set Outgoing Interface to your Internet-facing interface. Select Source and set Address to all and User to the guest user group. Set Service to ALL.

Enable NAT.

4. Creating a restricted admin account for guest user management

To simplify guest account creation, you can create an admin account that is only used for guest user management. This allows new accounts to be made as needed without requiring full administrative access to the FortiGate. In this example, the account is made for use by a receptionist.

To create the guest management account, go to System > Administrators and create a new account.

Set a User Name and set Type to Local User. Set and confirm a Password.

Enable Restrict admin to guest account provisioning only and set Guest Group to the WiFi guest user group.

Sign in to the FortiGate using the new admin account. You will only be able to see the menu for Guest User Management.

5. Creating a guest user account

Using the receptionist account, create a guest account.

Set Email to the user’s email address (in the example, ballen@example.com). To test the account, set Expiration to 5 Minutes.

After you select OK, a User Created Successfully notice appears that shows the new account’s Password. This password can then be printed or emailed to the guest user. You can also view the password by editing the user account.

6. Results

On a PC, connect to the guest SSID and attempt to browse the Internet.

When the authentication screen appears, log in using the guest user’s credentials.

After the account is authenticated, you can connect to the Internet.

Five minutes after the initial login, the guest user account will expire and you will no longer be able to log in using those credentials.
Use the receptionist account to log on to the FortiGate. The guest account is listed as Expired.

For further reading, check out Managing Guest Access in the FortiOS 6.0 Online Help.


The post Guest WiFi accounts appeared first on Fortinet Cookbook.
