Channel: Fortinet Cookbook

Configure FortiWeb to work with Kerberos Delegation

You can use FortiWeb’s site publishing feature to integrate its HTTP authentication capabilities with web services that use Kerberos Delegation authentication. The Kerberos authentication protocol uses “tickets” to control access to web services such as Exchange Outlook Web Application (OWA) and SharePoint. 

This recipe describes both how to configure an IIS web server, Exchange OWA, and SharePoint to support Kerberos authentication and how to configure FortiWeb to control access to these web services.

This recipe assumes that the configuration of your Windows domain elements is complete, including DNS, IIS, Exchange server, SharePoint, and so on.

To ensure Kerberos delegation works properly, do the following:

  • Ensure that the clocks of all the related servers (DC, FortiWeb, and so on) are synchronized.
  • For FortiWeb versions earlier than 5.4.1, ensure that the DNS is valid and reachable.

Configuring web services to use Kerberos authentication

IIS web site

In IIS Manager, access the authentication settings for the appropriate web site and enable Windows Authentication.

By default, both Kerberos and NTLM are enabled.

To customize the authentication, under Actions, click Providers.

In the illustration, the web site is configured to use Kerberos authentication only.

Exchange OWA

In the Exchange Management Console, in the console tree, under Server Configuration, select Client Access.

In the Client Access results pane, choose the server name (in this example, USER-LHLGG566P0).

In the work pane for the server, on the Outlook Web App tab, double-click owa (Default Web Site).

On the Authentication tab, select Use one or more standard authentication methods, and then select Integrated Windows authentication.

Alternatively, use IIS Manager to configure customized authentication:

In IIS Manager, in the Connections tree, under Default Web site, select owa.

Then, under Actions, click Providers.

For example, in the illustration, the web site is configured to use Negotiate and NTLM.

SharePoint

Use one of the following methods to obtain the application pool identity of the SharePoint server (a domain account that was created when you installed SharePoint):

  • In IIS Manager, in the Connections tree, click Application Pools. The domain and application pool identity for each list entry are displayed in the Identity column.

    For example, in the illustration, the application pool identity for the server with the name SharePoint – 80 and the domain FWBDEV (fwbdev.com) is SPFarmAdmin.

  • In SharePoint Central Administration, click Security. Then, under General Security, click Configure managed accounts.

Create Service Principal Names (SPNs) for the application pool identity:

On your domain controller (DC), use Windows PowerShell to execute the following commands:

setspn -S http/<hostname> fwbdev\SPFarmAdmin
setspn -S http/<hostname>.fwbdev.com fwbdev\SPFarmAdmin

where <hostname> is the server where SharePoint is located.

Use the following command to confirm the SPNs:

setspn -l fwbdev\SPFarmAdmin

The illustration shows an example result.

On your domain controller (DC), enable the HTTP delegation feature for the SharePoint server:

In the Active Directory Users and Computers console tree, under the appropriate domain, click Computers.

Open the properties for the SharePoint item (SP2013 in the illustration).

Use the Delegation tab to select the http service.

On SharePoint, select Kerberos as the Windows authentication method:

In SharePoint Central Administration, under Applications Management, click Manage web applications.

Select the SharePoint item (in this example, SharePoint – 80). On the Authentication tab, click Default, and then select Negotiate (Kerberos) (see illustration).

Do one of the following to enable application pool credentials for SharePoint: 
  • In the IIS Manager, in Advanced Settings for the SharePoint server (in this example, SharePoint – 80), for Extended Protection, select Off, and clear the Enable Kernel-mode authentication option.

  • In PowerShell, enter the following commands:

    cd C:\Windows\System32\inetsrv
    .\appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true

For better performance, keep Kernel-mode authentication enabled and set useAppPoolCredentials on the <windowsAuthentication> element (the PowerShell method above) rather than disabling Kernel-mode authentication.

To confirm that the value for useAppPoolCredentials is true, open the file C:\Windows\System32\inetsrv\config\applicationHost.config.

FortiWeb configuration

FortiWeb site publishing provides the following two options for accessing a Kerberos-enabled web service:

  • Regular Kerberos delegation — For site publishing configurations that use HTML Form Authentication or HTTP Basic Authentication.
  • Kerberos constrained delegation — For site publishing configurations that use Client Certificate Authentication.

When you specify a realm, ensure you enter the value using all capital letters (for example, FWBDEV.COM).

For Kerberos delegation, Fortinet recommends the login format <realm>/<username>. For single domain environments, you can use the Default Domain Prefix Support option to automatically add the realm (domain) value for users (see the example for Kerberos constrained delegation).

1. Configure the Kerberos Key Distribution Center (KDC)

Go to User > Remote Server > KDC Server.

Specify the Delegated Realm value using capital letters only (in this example, FWBDEV.COM).

2. Configure site publishing

To configure the site publishing settings, go to Application Delivery > Site Publish > Site Publish Rule.

Continue with the instructions for the type of Kerberos delegation you want to implement: regular or constrained.

Configure regular Kerberos delegation

For Authentication Delegation, select Kerberos, and then specify the Delegated HTTP Service Principal Name value.

In this example, the service is Exchange OWA with the service principal name (SPN) http/USER-LHLGG566P0@FWBDEV.COM. The SPN has three parts:

  • Protocol – http
  • Exchange server hostname – USER-LHLGG566P0

    This value is case-insensitive. You can also use the full name (for example, USER-LHLGG566P0.fwbdev.com).

  • Realm – FWBDEV.COM

    Specify this value using capital letters only.
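The SPN registration and confirmation steps above (setspn -S and setspn -l) and the three-part Delegated HTTP Service Principal Name format both hinge on small details: the realm must be in capitals, and the recipe registers both the short and the FQDN form of the hostname. The following Python is an added example, not Fortinet's or FortiWeb's own code. It normalizes an SPN into the form the Delegated HTTP Service Principal Name field expects (warning when the realm is not all capitals), and compares the SPNs listed by setspn -l against the two forms the recipe registers. The setspn output is a constructed sample, and the function names and the sp2013 hostname are assumptions.

```python
"""Checks for the Kerberos SPN values this recipe uses (added example, not Fortinet code)."""
import re

# service/host, optionally :port, optionally @REALM; the recipe only uses the http service
_SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z][A-Za-z0-9-]*)/(?P<host>[A-Za-z0-9.-]+)"
    r"(?::(?P<port>\d+))?(?:@(?P<realm>[A-Za-z0-9.-]+))?$"
)


def parse_spn(spn):
    """Split an SPN into (service, host, port, realm); port and realm are None when absent."""
    m = _SPN_RE.match(spn.strip())
    if not m:
        raise ValueError("not a service principal name: %r" % spn)
    return m.group("service"), m.group("host"), m.group("port"), m.group("realm")


def fortiweb_delegated_spn(spn, delegated_realm=None):
    """Return (normalized SPN, warnings) in the form the Delegated HTTP Service Principal
    Name field expects: service lower-case, host as given (it is case-insensitive),
    realm in capitals only. delegated_realm is the KDC Server's Delegated Realm value."""
    service, host, port, realm = parse_spn(spn)
    warnings = []
    if service.lower() != "http":
        warnings.append("service is %r; site publishing delegates to an HTTP service" % service)
    if realm is None:
        if delegated_realm is None:
            warnings.append("SPN has no realm and no Delegated Realm was given")
        else:
            realm = delegated_realm
    if realm is not None and realm != realm.upper():
        warnings.append("realm %r is not all capitals; using %r" % (realm, realm.upper()))
        realm = realm.upper()
    normalized = "%s/%s" % (service.lower(), host)
    if port:
        normalized += ":" + port
    if realm:
        normalized += "@" + realm
    return normalized, warnings


def registered_spns(setspn_list_output):
    """Collect the SPNs printed by `setspn -l <account>` (one indented SPN per line), lower-cased."""
    spns = set()
    for line in setspn_list_output.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue
        spns.add(line.lower())
    return spns


def missing_spns(hostname, dns_domain, registered):
    """The recipe registers both the short and the FQDN form of the SharePoint host;
    return whichever of the two is not yet registered on the account."""
    required = ["http/%s" % hostname, "http/%s.%s" % (hostname, dns_domain)]
    return [spn for spn in required if spn.lower() not in registered]


# Constructed sample of `setspn -l fwbdev\SPFarmAdmin` output (not captured from a real DC);
# only the FQDN form has been registered, so the short form is reported as missing.
SAMPLE_SETSPN_L = """Registered ServicePrincipalNames for CN=SPFarmAdmin,CN=Users,DC=fwbdev,DC=com:
        http/sp2013.fwbdev.com
"""

if __name__ == "__main__":
    print(fortiweb_delegated_spn("http/USER-LHLGG566P0@FWBDEV.com"))
    print(fortiweb_delegated_spn("HTTP/sp2013", delegated_realm="FWBDEV.COM"))
    print(missing_spns("sp2013", "fwbdev.com", registered_spns(SAMPLE_SETSPN_L)))
```

Run it against the real output of setspn -l for your application pool account before filling in the FortiWeb site publish rule: a missing short or FQDN form, or a lower-case realm, is the kind of mismatch that shows up later only as a failed delegation.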

Configure Kerberos constrained delegation

Create an Active Directory (AD) user that FortiWeb can use for authentication delegation and a keytab file that corresponds to the AD user.

Ensure that the account and its password never expire.

To create the SPN for the account, use the following SetSPN utility command:

setspn -S

The “Users” section in the FortiWeb Administration Guide provides detailed instructions for creating this domain account.

To upload the keytab file you created using the FortiWeb AD user, go to Application Delivery > Site Publish > Keytab File.

In this example, the service is SharePoint.

For the site publish rule, for Client Authentication Method, select Client Certificate Authentication.

Ensure any server policy that uses this site publish rule is configured for client certificate authentication.

For information on the Delegated HTTP Service Principal Name value, see the instructions for configuring regular Kerberos delegation.

For Service Principal Name for Keytab File, enter the SPN of the AD account that you created for FortiWeb.

For Keytab File, select the keytab file you uploaded earlier.

Username Location in Certificate allows you to specify the certificate field that contains the username to use (in this example, cert1@fwbdev.com): Subject or Subject Alternative Name (SAN). This example uses the user principal name (UPN or RFC822 name) in the certificate subject alternative name (SAN), which is the most precise match.

When you use Kerberos Delegation, Fortinet recommends that you require users to log in using both a domain and username.

Default Domain Prefix Support and Default Domain Prefix allow you to automatically add the domain value so that users log in with just a username.

For further reading, check out the “Users” section in the FortiWeb Administration Guide.

The post Configure FortiWeb to work with Kerberos Delegation appeared first on Fortinet Cookbook.


Enforcing network security using a FortiClient Profile

In this recipe, you will learn how to enforce a FortiClient Profile on an internal network such that only internal devices registered with FortiClient can access the Internet and the corporate network. You will edit the default FortiClient Profile to enforce real-time antivirus protection and malicious website blocking.

This recipe requires you to enable FortiHeartBeat on a FortiGate interface. When you enable FortiHeartBeat on an interface, the option to enforce FortiClient registration becomes available. Devices connecting to that interface are forced to register to the FortiGate and install FortiClient before getting access to network services.

FortiGates come with a free FortiClient license allowing a limited number of devices to register to the FortiGate and download FortiClient. Your FortiGate gets the latest version of FortiClient for Mac and for Windows from FortiGuard. When devices register with the FortiGate they download and install one of these copies of FortiClient. You can see the status of your FortiClient licensing and purchase additional FortiClient licenses from the License Information Dashboard Widget.

This recipe was tested using FortiClient version 5.4.

1. Enabling endpoint control on the FortiGate

On the FortiGate, go to System > Feature Select and make sure that Endpoint Control is enabled.

2. Enforcing FortiClient registration on the internal interface

Go to Network > Interfaces and select the internal interface.

Under Restrict Access, enable FortiHeartBeat.

Under Admission Control, enable Enforce FortiHeartBeat for all FortiClients.

3. Configuring the FortiClient Profile

Configuring a FortiClient Profile allows you to control the security features enabled on the registered endpoint. The profile is automatically downloaded to FortiClient when it registers to the FortiGate.

Go to Security Profiles > FortiClient Profiles and edit the default profile to provide real-time antivirus protection that scans files as they are downloaded or copied to the device, block malicious websites, and block attack channels.

4. Results

In this image, an internal device has FortiClient installed but not registered with a FortiGate. This is indicated by the Attention banner, and also because the option to Register Endpoint is available.

When a user on this device attempts to browse the Internet, an Endpoint Security Required page appears instructing the user to install and register endpoint security in the form of FortiClient.

A download link is provided at the bottom of the page. When the user clicks on this link, the FortiGate responds with a download of the latest FortiClient software.

Similarly, since the device requires a registered FortiClient to access network services, internal servers (such as Exchange mail servers) will also be blocked, unless otherwise exempted—see Step 2.

By comparison, a registered device appears below. The device shows as registered, with a lock icon next to the device name in the upper right corner.

FortiClient should automatically attempt to register to the nearest FortiGate, provided that FortiHeartBeat has been enabled and registration enforced. 

A user on this device can verify their registration status by clicking on the device name.

FortiClient displays the device’s On-Net/Off-Net status, Hostname, Domain, registered FortiGate’s serial number (SN), and IP address.

Upon registration, the FortiGate updates the FortiClient configuration to match the FortiClient Profile and downloads the latest FortiGuard antivirus database to the device.

You can verify that the registered configuration update matches the FortiClient Profile.

Depending on the FortiClient Profile, the user may also have the option to Unregister the device. This can be disabled on the FortiGate in Security Profiles > FortiClient Profiles, under the Advanced tab.

The registered device can now access corporate network services and browse the Internet.

To verify the status of the endpoints on the FortiGate, go to User & Device > Device List.

By default, this list shows On-Net/Off-Net Status, endpoint Device (Hostname and device name), endpoint IP Address, and the device’s operating system (OS).

To view only the status of FortiClient connections, go to Monitor > FortiClient Monitor.

For further reading, check out the FortiClient 5.4 Administration Guide.

Notes:

  • On the internal interface (Step 2), you can also set Exempt Sources and/or Exempt Destinations/Services. An exempted source device does not require FortiClient registration to access network services or the Internet.
  • You can add additional FortiClient Profiles to define exceptions to the default profile (Step 3). The configuration of an exception profile includes the devices, users, or addresses to which the exception applies.
  • The Device List also includes unregistered endpoints and any other connected device.
  • The FortiClient Monitor shows both registered and unregistered FortiClients, including their On-Net/Off-Net status.

SSL VPN using web and tunnel mode

In this example, you will allow remote users to access the corporate network using an SSL VPN, connecting either by web mode or tunnel mode and with FortiClient. This allows users to access network resources, such as the Internal Segmentation Firewall (ISFW) used in this example.

For users connecting via tunnel mode, traffic to the Internet will also flow through the FortiGate, to apply security scanning to this traffic.

During the connecting phase, the FortiGate will also verify that the remote user’s antivirus software is installed and up-to-date.

1. Creating a user and a user group

Go to User & Device > User Definition. Create a local user account for an SSL VPN user.

Go to User & Device > User Groups. Create a user group for SSL VPN users and add the new user account.

2. Creating an SSL VPN portal for remote users

Go to VPN > SSL-VPN Portals. Edit the full-access portal. The full-access portal allows the use of tunnel mode and/or web mode.

Make sure Enable Split Tunneling is not selected, so that all Internet traffic will go through the FortiGate.

Set Source IP Pools to use the default IP range SSLVPN_TUNNEL-ADDR1.

Under Predefined Bookmarks, select create new to add a new bookmark. Bookmarks are used as links to internal network resources.

In the example, a bookmark is added to connect to a FortiGate being used as an ISFW, which can be accessed at https://192.168.200.111.

3. Configuring the SSL VPN tunnel

Go to VPN > SSL-VPN Settings and set Listen on Interface(s) to wan1.

To avoid port conflicts, set Listen on Port to 10443. Set Restrict Access to Allow access from any host.

In the example, the Fortinet_Factory certificate is used as the Server Certificate. It is, however, recommended that you purchase a certificate for your domain and upload it for use with an SSL VPN.

Under Tunnel Mode Client Settings, set IP Ranges to use the default IP range SSLVPN_TUNNEL-ADDR1.


Under Authentication/Portal Mapping, add the SSL VPN user group and map it to the full-access portal.

If necessary, map a portal for All Other Users/Groups.

4. Adding an address for the local network

Go to Policy & Objects > Addresses.

Add the address for the local network. Set Type to IP/Netmask, Subnet/IP Range to the local subnet, and Interface to an internal port.

5. Adding security policies for access to the internal network and Internet

Go to Policy & Objects > IPv4 Policy. Add a security policy allowing access to the internal network through the VPN tunnel interface. Set a policy name that identifies what this policy is used for (in the example, SSL-VPN-internal).

Set Incoming Interface to ssl.root and Outgoing Interface to the local network interface. Select Source and set Address to all and Source User to the SSL-VPN user group. Set Destination Address to the local network address, Service to ALL, and enable NAT.

Configure any remaining firewall and security options as desired.

Add a second security policy allowing SSL VPN access to the Internet.

For this policy, Incoming Interface is set to ssl.root, Outgoing Interface is set to wan1, and Destination is set to all.

6. Setting the FortiGate unit to verify users have current AntiVirus software

Go to the Dashboard. In the CLI Console widget, enter the following commands to enable the host to check for compliant AntiVirus software on the remote user’s computer:

config vpn ssl web portal
  edit full-access
    set host-check av
  next
end

7. Results

Web mode:

Using a supported Internet browser, connect to the SSL VPN web portal using the remote gateway configured in the SSL VPN settings (in the example, 172.20.121.46:10443).

Use the SSL VPN user’s credentials to authenticate.

The web portal appears.

In this example, selecting the ISFW Bookmark allows you to connect to the ISFW FortiGate.

To connect to the Internet, select Quick Connection. Select HTTP/HTTPS, then enter the URL and select Launch.

The website will launch.

You can also use the Quick Connection for other allowed types of traffic, such as SSH.

An SSH connection will open in your browser, connecting to the requested Host.

Java is required for an SSH connection.

On the FortiGate, go to Monitor > SSL-VPN Monitor. The user is connected to the VPN.  

Tunnel mode:

If you have not done so already, download FortiClient from www.forticlient.com.

Open the FortiClient Console and go to Remote Access. Add a new connection.

Set VPN Type to SSL VPN, set Remote Gateway to the IP of the listening FortiGate interface (in the example, 172.20.121.46). Select Customize Port and set it to 10443.

Select Add.

Connect to the VPN using the SSL VPN user’s credentials.
 
You are able to connect to the VPN tunnel.

On the FortiGate, go to Monitor > SSL-VPN Monitor. The user is connected to the VPN.

If you do select Enable Split Tunneling, traffic not intended for the corporate network will not flow through the FortiGate or be subject to the corporate security profiles. You will also have to set your corporate network’s address as the Routing Address.

DNS Filtering and Botnet Protection 5.4 (Video)

In this video, you will learn how to protect your network from Botnet C&C attacks using the FortiGuard Botnet C&C database feature, and block access to social networking sites using the Static Domain Filter. You will create a new DNS Filter security profile called Botnet&Facebook, block access to all known C&C addresses, and block access to the Social Networking FortiGuard category.

Problems with QuickTime in FortiRecorder

You may be experiencing difficulties streaming video in FortiRecorder in Internet Explorer and Microsoft Edge.

This recipe provides a quick solution to the problem.

Internet Explorer Users

QuickTime 7 does not install the QuickTime Web Plug-in by default. So, if you recently installed a fresh version of QuickTime, you may not be able to stream video in FortiRecorder.
 
To stream video in FortiRecorder using Internet Explorer:
 
  1. Run the QuickTime installation file.
  2. Select Modify.
  3. Select Optional QuickTime Features.
  4. Select QuickTime Web Plug-in.
  5. Select Change.

The installation screen

Selecting the plug-in

Microsoft Edge Users

Windows 10 now features Microsoft Edge as its default browser. Microsoft Edge does not support the QuickTime plugin.

To configure Microsoft Edge to work with QuickTime:

  1. Open the Microsoft Edge browser. 
  2. Select the More button located at the top right of the browser.
  3. Select Open with Internet Explorer.
 
Working in Edge

Single Sign-On using LDAP and FSSO agent in advanced mode (Expert)

This recipe illustrates FortiGate user authentication with FSSO and a Windows DC LDAP server. In this example, user authentication controls Internet access.

1. Integrating the FortiGate with the Windows DC LDAP server

Go to User & Device > LDAP Servers to configure the LDAP server.

2. Installing FSSO agent on the Windows DC server

Accept the license and follow the Wizard.

Enter the Windows AD administrator password.

Select the Advanced Access method.

In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.

Under Working Mode, select DC Agent Mode.

Reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password.

3. Configuring Single Sign-On on the FortiGate

Go to User & Device > Single Sign-On and create a new SSO server.

Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS Writers” group is used.

4. Adding a user group to the FortiGate

Go to User & Device > User Groups to create a new FSSO user group.

Under Members, select the “FortiOS Writers” group.

5. Adding a policy to the FortiGate

Go to Policy & Objects > IPv4 Policy and create a policy allowing “FortiOS_Writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.

6. Results

Have users log on to the domain, go to the FSSO agent, and select Show Logon Users.

From the FortiGate, go to the Dashboard, find the CLI Console widget, and enter this command for details about current FSSO logons:

diagnose debug authd fsso list

----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----

From the FortiGate, go to Monitor > Firewall User Monitor and verify FSSO Logons.

Have users go to the Internet and the security profiles will be applied accordingly.

Go to Log & Report > Forward Traffic to verify the log. 

Select an entry for details.

Using FortiVoice Enterprise to Send and Receive Faxes (Video)

Adding Emergency Numbers in FortiVoice Enterprise (Video)


Call Handling in FortiVoice Enterprise (Video)

Here is a short video detailing how to work with virtual numbers in FortiVoice Enterprise to automate the call process based on a set schedule. In this example, we create a ring group for the IT department to handle call transfers and automatic answering.

If you prefer a written guide, consult this recipe.

Creating a virtual wire pair

In this example, you will create a virtual wire pair (consisting of port3 and port4) to make it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network will access the web server through the ISFW over the virtual wire pair.

A virtual wire pair consists of two interfaces that have no IP addresses; all traffic received by one interface in the pair can only be forwarded out the other, as controlled by firewall policies. Since the interfaces do not have IP addresses, you can insert a virtual wire pair into a network without having to make any changes to the network.

In FortiOS 5.4, virtual wire pair replaces the feature port pairing from earlier firmware versions. Unlike port pairing, virtual wire pair can be used for a FortiGate in NAT/Route mode, as well as Transparent mode.

1. Adding a virtual wire pair

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port (in the example, port1) configured to allow admin access using your preferred protocol.

Go to Network > Interfaces and select Create New > Virtual Wire Pair.

Add port3 and port4 to the virtual wire pair.

2. Adding virtual wire pair firewall policies

Go to Policy & Objects > IPv4 Virtual Wire Pair Policy and create a policy that will allow users on the internal network to connect to the server. Give the policy an appropriate name (in the example, Network-server-access).

Select the direction that traffic is allowed to flow (from port3 to port4).

Configure the other firewall options as needed. In the example, AntiVirus is enabled to protect the server.

Create a second virtual wire pair policy allowing traffic from port4 to exit out of port3. This policy allows the server to connect to the Internet, in order to download updates.

3. Results

To test both virtual wire pair policies, connect to the web server from a PC on the internal network, and also connect to the Internet from the web server.

Go to FortiView > Policies to see traffic flowing through both policies.

If the interfaces you wish to use are part of a switch, such as the default lan/internal interface, you must remove them from the switch before they can be added to the virtual wire pair.

Applying traffic shaping to a specific IP address (5.2)

When a particular IP address uses too many resources, you can prevent that IP from consuming your bandwidth indiscriminately. In this recipe, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address.

First, you will enable traffic shaping and create an address object to target a specific internal IP address. Then, you will create a shared shaper and a security policy that uses that specific IP address as the source address.

This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit for uploads and/or downloads to 200 kb/s.

 1. Enabling Traffic Shaping

Go to System > Config > Features and select the Show More button to view additional features. Select ON to enable Traffic Shaping and apply your changes.

 2. Creating an Address Object

Go to Policy & Objects > Objects > Addresses and select Create New to define the address you would like to limit.

Set Category to Address and enter a name (in the example, limited_bandwidth).

Set Type to IP/Netmask. For the Subnet / IP Range, enter the internal IP address you wish to limit.

Lastly, set Interface to any and select Show in Address List.

 3. Configuring a traffic shaper to limit bandwidth

Go to Policy & Objects > Objects > Traffic Shapers and select Create New to define a new Shared Traffic Shaper profile.

Set Type to Shared. Set Apply shaper to Per Policy.

Set Traffic Priority to Medium.

Select Max Bandwidth and enter 200 kb/s (0.2 Mbps). Select Guaranteed Bandwidth and enter 100 kb/s (0.1 Mbps).

4. Creating a security policy

Go to Policy & Objects > Policy > IPv4 and create a new security policy to limit bandwidth for the IP address you configured in Step 2.

Set the Source Address to limited_bandwidth.

Enable Shared Shaper and Reverse Shaper and select limited-bandwidth from the drop-down menu. The Shared Shaper restricts the bandwidth for uploads and the Reverse Shaper restricts downloads.

For Logging Options, select All Sessions for testing purposes.

Order your policies so that your new security policy is above your general Internet access policies. 

 5. Results

When a computer with the IP you have specified, 10.1.10.10, browses the Internet from your internal network, its bandwidth will be restricted by the amount you set in your shaper.

Go to System > FortiView > Sources to view traffic, and use the search field to filter your results by Source IP. 

Go to Policy & Objects > Monitor > Traffic Shaper Monitor and set the Report By option to Current Bandwidth. If the standard traffic volume is high enough, it will top out at the maximum bandwidth defined by each shaper. In this example, you can see that the bandwidth does not exceed your set limit of 200 kb/s.

You can also set Report By to Dropped Packets to get an idea of whether your traffic shaper settings need to be adjusted. For example, if there are very few dropped packets, you may need to set a higher Maximum Bandwidth in your shaper.

For further reading, check out Traffic Shaping in the FortiOS 5.2 Handbook.

Notes:

  • Once Traffic Shaping is enabled (Step 1), traffic shaping rules can be applied to firewall policies.
  • The internal IP address limited in this example (Step 2) is 10.1.10.10/32.
  • Shared shapers affect upload speeds, Reverse shapers affect download speeds, and Per IP shapers affect both upload and download speeds simultaneously.
  • Select Per Policy when you want each security policy that uses the shaper to receive the same bandwidth allocation, regardless of how many policies use the shaper. In this example, 200 kb/s (0.2 Mbps) each.
  • Setting a Traffic Priority only has an effect if you have enabled Traffic Shaping in all of your other Internet access policies, and only if the priorities differ; for example, you will not see any difference while all policies are set to the default setting (High).
  • To reorder policies (Step 4), click on the far left of the policy you want to move and drag it up or down.

Single Sign-On using FSSO agent in advanced mode and FortiAuthenticator (Expert)

This recipe demonstrates FortiGate user authentication with FSSO agent installed on a Windows Domain Controller, and the use of a FortiAuthenticator as an LDAP server. In this example, user authentication controls Internet access.

 1. Configuring an LDAP directory on the FortiAuthenticator

Go to Authentication > User Management > Local Users to create a user list. Make sure to enable Allow LDAP browsing.

Go to Authentication > User Management > User Groups to create a user group and add users to it. The “FortiOS_Writers” user group is used in this example.

Go to Authentication > LDAP Service > Directory tree and configure the LDAP directory tree.

2. Integrating the FortiGate with the FortiAuthenticator

On the FortiGate, go to User & Device > LDAP Servers to configure the LDAP server.

3. Installing FSSO agent on the Windows DC

Accept the license and follow the Wizard.

Enter the Windows AD administrator password.

Select the Advanced access method for Windows Directory.

In the Collector Agent IP address field, enter the IP address of the Windows AD server.

Select the domain you wish to monitor.

Next, select the users you do not wish to monitor.

Under Working Mode, select DC Agent Mode.

When prompted, select Yes to reboot the Domain Controller.

Upon reboot, the collector agent will start up.

You can choose to Require authenticated connection from FortiGate and set a Password which will be used in step 4.


 4. Configuring Single Sign-On on the FortiGate

Go to User & Device > Single Sign-On and create a new SSO server. In the Primary Agent IP/Name field, enter the Collector Agent IP Address used in step 3. Likewise, enter the Password required for authentication.

Under the Groups tab, select the user groups to be monitored. In this example, the “FortiOS_Writers” group is used.

5. Adding a user group to the FortiGate

Go to User & Device > User Groups to create new user group. Under Remote groups, add the remote LDAP server created earlier in the FortiAuthenticator (in this example it’s called “FAC_LDAP”).

6. Adding a policy to the FortiGate

Go to Policy & Objects > IPv4 Policy and create a policy allowing  “FortiOS_Writers” to navigate the Internet with appropriate security profiles.

The default Web Filter security profile is used in this example.

 7. Results

Have users log on to the domain, go to the FSSO agent, and select Show Logon Users.
From the FortiGate, go to Dashboard to look for the CLI Console widget and type this command for more detail about current FSSO logons:

diagnose debug authd fsso list

----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
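The `diagnose debug authd fsso list` output above is easy to read by eye for two logons, but on a busy domain it is worth checking mechanically that every reported logon maps to the group your policy expects. The following parser is an added example and is not Fortinet code; it uses the recipe's own two output lines as sample input, and the function names (`parse_fsso_list`, `check_logons`) are assumptions chosen for this illustration.

```python
"""Parse the 'diagnose debug authd fsso list' output and check group membership.

Added example, not Fortinet code. Field layout follows the sample output in the recipe:
IP / User / Groups / Workstation / MemberOf, then a 'Total number of logons' summary.
"""
import re
from typing import Dict, List

# Sample output copied from the recipe's own console session.
SAMPLE_OUTPUT = """\
----FSSO logons----
IP: 10.10.20.3  User: ADMINISTRATOR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: WIN2K8R2.TECHDOC.LOCAL MemberOf: FortiOS_Writers
IP: 10.10.20.7  User: TELBAR  Groups: CN=FORTIOS WRITERS,CN=USERS,DC=TECHDOC,DC=LOCAL  Workstation: TELBAR-PC7.TECHDOC.LOCAL MemberOf: FortiOS_Writers
Total number of logons listed: 2, filtered: 0
----end of FSSO logons----
"""

# One logon per line; the Groups field is a DN that itself contains commas and spaces,
# so it is matched non-greedily up to the next labelled field.
LOGON_RE = re.compile(
    r"^IP:\s+(?P<ip>\S+)\s+User:\s+(?P<user>\S+)\s+Groups:\s+(?P<groups>.+?)\s+"
    r"Workstation:\s+(?P<workstation>\S+)\s+MemberOf:\s+(?P<member_of>\S+)\s*$"
)
TOTAL_RE = re.compile(r"^Total number of logons listed:\s+(\d+),\s+filtered:\s+(\d+)")


def parse_fsso_list(text: str) -> Dict[str, object]:
    """Return {'logons': [record, ...], 'listed': int, 'filtered': int}."""
    logons: List[Dict[str, str]] = []
    listed = filtered = 0
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            logons.append(m.groupdict())
            continue
        t = TOTAL_RE.match(line)
        if t:
            listed, filtered = int(t.group(1)), int(t.group(2))
    return {"logons": logons, "listed": listed, "filtered": filtered}


def check_logons(text: str, expected_group: str) -> Dict[str, object]:
    """Flag logons whose MemberOf is not the group the firewall policy relies on,
    and confirm the summary count agrees with the number of logon lines parsed."""
    parsed = parse_fsso_list(text)
    logons = parsed["logons"]
    not_in_group = [r["user"] for r in logons if r["member_of"] != expected_group]
    return {
        "count": len(logons),
        "not_in_group": not_in_group,
        "count_matches": parsed["listed"] == len(logons),
    }


if __name__ == "__main__":
    print(check_logons(SAMPLE_OUTPUT, "FortiOS_Writers"))
```

Run it against a saved copy of the console output; an empty `not_in_group` list together with `count_matches` being true means the collector agent is reporting exactly the logons and group that the policy in step 6 expects.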

Have users belonging to the “FortiOS_Writers” user group navigate the Internet. An authentication portal is presented to allow only authorized users. Security profiles will be applied accordingly.


Upon successful authentication, from the FortiGate, go to Monitor > Firewall User Monitor and verify FSSO Logons.

Go to Log & Report > Forward Traffic to verify the log. 

Select an entry for details.

 

The post Single Sign-On using FSSO agent in advanced mode and FortiAuthenticator (Expert) appeared first on Fortinet Cookbook.

Site-to-site IPsec VPN with two FortiGates


In this example, you will allow transparent communication between two networks that are located behind different FortiGates at different offices using route-based IPsec VPN. The VPN will be created on both FortiGates by using the VPN Wizard’s Site to Site – FortiGate template.

In this example, one office will be referred to as HQ and the other will be referred to as Branch.

Find this recipe for other FortiOS versions
5.2 | 5.4

1. Configuring the HQ IPsec VPN

On the HQ FortiGate, go to VPN > IPsec Wizard.

Select the Site to Site template, and select FortiGate.

In the Authentication step, set IP Address to the IP of the Branch FortiGate (in the example, 172.20.120.135). After you enter the gateway, an available interface will be assigned as the Outgoing Interface. If you wish to use a different interface, select Change.

Set a secure Pre-shared Key.

In the Policy & Routing step, set the Local Interface. The Local Subnets will be added automatically. Set Remote Subnets to the Branch FortiGate’s local subnet (in the example, 5.5.5.5/24).

A summary page shows the configuration created by the wizard, including firewall addresses, firewall address groups, a static route, and security policies.

2. Configuring the Branch IPsec VPN

On the Branch FortiGate, go to VPN > IPsec Wizard.

Select the Site to Site template, and select FortiGate.

In the Authentication step, set IP Address to the IP of the HQ FortiGate (in the example, 172.20.121.92). After you enter the gateway, an available interface will be assigned as the Outgoing Interface. If you wish to use a different interface, select Change.

Set the same Pre-shared Key that was used for HQ’s VPN.

In the Policy & Routing step, set the Local Interface. The Local Subnets will be added automatically. Set Remote Subnets to the HQ FortiGate’s local subnet (in the example, 10.10.10.1/24).

A summary page shows the configuration created by the wizard, including firewall addresses, firewall address groups, a static route, and security policies.

3. Results

On either FortiGate, go to Monitor > IPsec Monitor to verify the status of the VPN tunnel. Right-click under Status and select Bring Up.

 

A user on either of the office networks should be able to connect to any address on the other office network transparently.

If you need to generate traffic to test the connection, ping the Branch FortiGate’s internal interface from the HQ’s internal network.

The post Site-to-site IPsec VPN with two FortiGates appeared first on Fortinet Cookbook.

Autoprovisioning in FortiVoice Enterprise (Video)

Enforcing Network Security with a FortiClient Profile (Video)


In this video, you will learn how to enforce a FortiClient Profile on an internal network so that only internal devices registered with FortiClient can access the Internet and the corporate network. You will enable FortiHeartBeat on an interface to enforce FortiClient registration, edit the default FortiClient Profile to enforce realtime antivirus protection and malicious website blocking, and register FortiClient with your FortiGate.

The recipe for this video is available here.

Watch more videos

The post Enforcing Network Security with a FortiClient Profile (Video) appeared first on Fortinet Cookbook.


ONVIF Camera Installation Guidelines


FortiRecorder supports third party ONVIF cameras; however, each manufacturer’s ONVIF camera is different. The following recipe provides you with some general guidelines for adding ONVIF cameras to FortiRecorder.

 

ONVIF Cameras

  1. Make sure the camera is ONVIF compliant.
    a. Search for the ONVIF logo on the camera datasheet.
    b. Go to the ONVIF website and search for the brand and model of the camera: ONVIF
    c. Ensure the firmware on the camera matches the firmware tested on the Declaration of Conformity.
  2. ONVIF camera time and time zone settings need to match with FortiRecorder. Synchronize the time with the NTP server.
  3. Turn on the ONVIF function on the camera. It is disabled by default. Please refer to the camera manufacturer’s user manual for more information.
  4. Create an ONVIF user on the camera. Please refer to the camera manufacturer’s user manual for more information.

Once the above conditions are checked, you should be able to manually add the ONVIF camera to FortiRecorder.

 

The post ONVIF Camera Installation Guidelines appeared first on Fortinet Cookbook.

Limiting bandwidth with traffic shaping (Video)


In this video, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address. When a particular IP address uses too many resources you can prevent that IP from consuming your bandwidth indiscriminately.

First, you will enable traffic shaping and create an address object to target a specific internal IP address. Then, you will create a shared shaper and a security policy that uses that specific IP address as the source address.

This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit for uploads and/or downloads to 200 kb/s.

The recipe for this video is available here.

Watch more videos

The post Limiting bandwidth with traffic shaping (Video) appeared first on Fortinet Cookbook.

Traffic Shaping Priority Queueing (PRIQ)


This traffic shaping document describes Priority Queueing (PRIQ), Type of Service (ToS) priority, and Quality of Service (QoS). It also explains the following:

  • Why traffic shaping only occurs when traffic approaches the configured capacity on a given interface.
  • Why you should configure the FortiGate unit to preemptively drop excess packets.
  • How priority queues work on the FortiGate.
  • The difference between ToS-based priority and global ToS priority.
  • Why you must enable traffic shaping for ALL firewall policies to get expected results.
  • How firewall policy priorities and ToS policies affect each other.
  • Why traffic shaper priorities only affect per port egress queueing.

Any CLI commands and GUI references in this article have been tested for both FortiOS 5.2.5 and FortiOS 5.4, and any differences between versions will be documented.

How traffic shaping really works

One of the most common misconceptions with traffic shaping on your FortiGate is that setting a “priority” will ensure that high priority traffic will download faster than low priority traffic. This perfectly reasonable expectation does not fully encapsulate what “priority” means in FortiOS, which needs to be taken into consideration. Traffic shaping will only begin to take effect when an interface with traffic shaping configured reaches its capacity. Until this threshold is reached all traffic is treated equally. As the interface experiences high traffic levels that reach its threshold, you will begin to notice a variation in traffic flow or download speeds.

Figure 1: A screenshot of a shaper at capacity in the FortiView > Traffic Shaping section (FortiOS 5.4).

Before you begin

There are a few things you need to know about Traffic Shaping and priority queueing before we begin:

  • Packets are prioritized based on their priority value.
  • The priority value is based on whether you have configured Type of Service (ToS) priority and/or Firewall policy priority.
  • The total priority value then determines which queue the packet is placed in, out of six queue options.
  • Also, remember that only per port egress queueing works!

Other considerations that affect which queue is used include:

  • Whether the traffic is through traffic or originates on the FortiGate.
  • Whether traffic shaping is enabled in all your firewall policies.

Traffic shaping methods

When deciding how to configure QoS techniques, it can be helpful to know when FortiGate units employ each technique in the overall traffic processing flow, and the considerations that follow.

Dropping excess packets early on

As traffic arrives (ingress) and departs (egress) on an interface, the FortiGate unit begins to process the traffic. In later phases of network processing — such as enforcing maximum bandwidth on sessions handled by a security policy — if the current rate for the destination interface or traffic regulated by that policy is too high, the FortiGate unit may drop the packet. Time spent on prior processing — like web filtering, decryption, or IPS — is wasted on these dropped packets.

You can prevent wasted effort on ingress by configuring the FortiGate unit to preemptively drop excess packets when they are received at the source interface, before most other traffic processing is performed:

config system interface
  edit <interface_name>
    set inbandwidth <rate_int>
    set outbandwidth <rate_int>
  next
end

Where <rate_int> is set to the bandwidth limit in Kb/s, excess packets will be dropped. If the inbandwidth <rate_int> is set to 0, then the rate is not limited.

As with ingress, if you set the rate to 0 (zero) that means you are setting the rate to unlimited. Rate limiting traffic accepted by the interface enables you to restrict incoming traffic to rates that, while no longer the full capacity of the interface, at the traffic shaping point in the processing are more likely to result in acceptable rates of outgoing traffic per destination interface or all security policies. This conserves FortiGate processing resources for those packets likely to be viable (to the point of egress).

Figure 2: This diagram shows how excess packets going from LAN to WAN 1 can be intercepted and dropped at the source interface. 

How priority queuing works

After packet acceptance, the FortiGate unit classifies traffic and may apply traffic policing at additional points during processing. It may also apply QoS techniques, such as prioritization and traffic shaping. Traffic shaping consists of a mixture of traffic policing to enforce bandwidth limits, and priority queue adjustment to assist packets in achieving the guaranteed rate.

If you have configured prioritization, the FortiGate unit prioritizes egressing packets by distributing them among FIFO (first in, first out) queues associated with each possible priority number. Each physical interface has six priority queues. Virtual interfaces use the priority queues of the physical interface to which they are bound.

Each physical interface’s six queues are queue 0 to queue 5, where queue 0 is the highest priority queue. However, you may observe that your traffic uses only a subset of those six queues. For example, some traffic may always use a certain queue number. Queuing may also vary by the packet rate or mixture of services. Some queue numbers may only be used by through traffic for which you have configured traffic shaping in the security policy that applies to that traffic session. 

Figure 3: This diagram illustrates the description below.

  • Administrative access traffic will always use queue 0.
  • Traffic matching security policies without traffic shaping may use queue 0, queue 1, or queue 2. The queue is selected based on the priority value you have configured for packets with that ToS (Type of Service) bit value, if you have configured ToS-based priorities.
  • Traffic matching security policies with traffic shaping enabled in the policy may use any queue. The queue is selected based on whether the packet rate is currently below the guaranteed bandwidth (queue 0), or above the guaranteed bandwidth. Packets at rates greater than the maximum bandwidth limit are dropped.
  • If the global tos-based-priority is low (3) and the priority in a traffic-shaper is medium (2), when a packet flows through a policy that refers to the shaper, the packet will be assigned the priority defined by the shaper. In this case, medium (2).

Types of priority

Prioritization and traffic shaping behavior vary based on the configuration, service type, traffic volume, and whether the traffic is through traffic or originates at the FortiGate unit itself.

Packets can be assigned a priority in one of three ways:

  • On entering ingress – for packets flowing through the firewall.
  • Upon generation – for packets generated by the firewall (including packets generated due to AV proxying).
  • On passing through a firewall policy – for packets passing through a firewall policy that has a traffic shaper defined.

Ingress priority and priority for generated packets is controlled via two different CLI settings:

config system global
  set traffic-priority-level {high|medium|low}
end

config system tos-based-priority
  edit 1
    set tos [0-15]
    set priority {high | medium | low}
  next
end

Type of Service (ToS) priority

Type of Service is an 8-bit field in the IP header that allows you to determine how the IP datagram should be delivered, using the following criteria: Delay, Throughput, Priority, Reliability, and Cost. The criteria help gateways pick the best way to route datagrams.

A router maintains a ToS value for each route in its routing table. The lowest priority ToS is 0, and the highest is 7 (when bits 3, 4, and 5 are all set to 1). There are four other bits that are seldom used or reserved that are not included here.

Together these bits are the tos variable of the tos-based-priority command. The router tries to match the ToS of the datagram to the ToS on one of the available routes to the destination. If there is no match, then the datagram is sent over a zero ToS route. Using increased quality may increase the cost of delivery, because better performance may consume limited network resources.

Each bit represents the priority as per RFC 1349:

  • 1000 – minimize delay
  • 0100 – maximize throughput
  • 0010 – maximize reliability
  • 0001 – minimize monetary cost

The tos value is set in the CLI using the commands:

config system tos-based-priority
  edit <sequence_number>
    set tos [0-15]
    set priority {high | medium | low}
  next
end

Where tos is the value of the type of service bit in the IP datagram header with a value between 0 and 15, and priority is the priority of this type of service. 

ToS Priority Setting
High 1
Medium 2
Low 3

These priority levels conform to the firewall traffic shaping priorities, as defined in RFC 1349.

Firewall policy priority

All traffic shapers are enabled within a security policy, including the Application Control shapers. As such, the shapers take effect after any DoS detection policies, and before any routing or packet scanning occurs.

The shaper you select for the security policy (shared shaper) will affect the traffic in the direction defined in the policy. For example, if the source port is lan and the destination is wan 1, the shaping affects the flow in this direction only — affecting the upload speed of the outbound traffic. 

By selecting Shared Traffic Shaper Reverse Direction, you can define the traffic shaper for the policy in the opposite direction to affect the download speed of the inbound traffic. In this example, from wan 1 to lan.

config firewall policy
  edit <policy_number>
  ...
    set traffic-shaper <shaper_name>
    set per-ip-shaper <shaper_name>
    set traffic-shaper-reverse <shaper_name>
  next
end

In a firewall policy you can enable traffic shaping and set the firewall priority to high, medium, or low:

Firewall Policy Priority Setting
High (default) 1
Medium 2
Low 3

Since all security policies are set to “high” priority by default, it is necessary to set some traffic at a lower priority to get results. When you enable traffic shaping, and change the priority to medium or low it will override the default setting.

To have proper QoS using the FortiGate, the firewall policy you create between your incoming interface and outgoing interface should include two interfaces. For example, a LAN to WAN 1 policy. 

Important: Make sure that ALL the firewall policies that use these two interfaces for communication have traffic shaping enabled!

In versions of FortiOS 5.2 and earlier, you must enable traffic shaping at the policy level for each individual policy:

Figure 4: A screenshot of a FortiOS 5.2 Security Policy with all types of traffic shaping enabled, under Policy & Objects > Policy > IPv4.

This is no longer necessary in FortiOS 5.4, as the new Traffic Shaping Policies allow you to apply traffic shaping globally to any traffic matching your criteria. The criteria must specify a source, a destination, a service, and the outgoing interface:

Figure 5: A screenshot of a FortiOS 5.4 traffic shaping policy, under Policy & Objects > Traffic Shaping Policy.

How do these priorities affect each other?

The global or ingress ToS-based priority value is combined with the firewall policy priority value:

Global priority (0, 1, 2) + policy priority (1, 2, 3) = total priority (queue number).

Let’s take a look at some examples:

  • If we assume a default ingress priority of low (2) and a firewall policy priority of low (3), then the resulting priority is 5.
  • If the packet flowing through results in a rate that is less than the guaranteed bandwidth, then the priority is set to 0 regardless of the priority in the firewall policy.
  • If the packet flowing through results in a rate that’s above the maximum bandwidth, then the packet is dropped.
  • If the packet flowing through results in a rate that is between the guaranteed and the maximum bandwidth, then the packet priority is increased by the priority from the policy. Therefore, assuming a default ingress priority of high (0) and a firewall policy of high (1), then the resulting priority is 1.
  • When a packet is sent to the egress device, it is attached to a queue based on the packet priority. For example, priority 0 is attached to queue 1, and so on. If the queue is full, then the packet is dropped.

Important: Shaper priority only affects per port egress queueing. Thus, if there are two streams of traffic — with one egressing over port 1 and one egressing over port 2 — then the priority has no effect whatsoever. Both streams will continue to run at full speed.

Traffic passing through the FortiGate

The method a FortiGate unit uses to determine the priority queue for traffic passing through the FortiGate unit depends on whether you have enabled Traffic Shaping. Packets may or may not use a priority queue directly or indirectly derived from the type of service (ToS) bit — sometimes used instead with differentiated services — in the packet’s IP header.

If Traffic Shaping is not enabled in the security policy, the FortiGate unit neither limits nor guarantees bandwidth. Traffic shaping for that session uses the priority queue determined by matching the ToS bit in its header with your configured values:

config system global
  set traffic-priority-level {high | medium | low}
end

or, if you have configured a priority specifically for that TOS bit value:

config system tos-based-priority
  edit <id_int>
    set tos [0-15]
    set priority {high | medium | low}
  next
end

Where tos is the value of the ToS bit in the packet’s IP header, and high has a value of 0 and low is 2. Priority values configured in the second location will override the global ToS-based priority. In other words, packet priority = ToS-based priority.

For example, you might specify that packets with a ToS bit value of 2 should use queue 0, the highest priority queue: 

config system tos-based-priority
  edit 15
    set tos 2
    set priority high
  next
end

If Traffic Shaping is enabled in the security policy using shared traffic shapers, the FortiGate unit may instead or also subject packets to traffic policing or priority queue increases in an effort to meet bandwidth guarantees configured in the shaper:

config firewall shaper traffic-shaper
  edit <shaper_name>
  ...
    set priority {high | medium | low}
    set maximum-bandwidth <rate>
    set guaranteed-bandwidth <rate>
  next
end

Where high has a priority value of 1 and low is 3, and <rate> is the bandwidth limit in kilobits per second.

Figure 6: Traffic queueing as the packet rate increases.

  • If the current packet rate is less than the guaranteed bandwidth, packets use priority queue 0. In other words, packet priority = 0.
  • If the current packet rate is greater than the guaranteed bandwidth, but less than maximum bandwidth, the FortiGate unit assigns a priority queue by adding the numerical value of the security policy-based priority, where high has a priority value of 0 and low is 2. Because the two values are added, depending on the configured ToS-based priorities, packets in this category could use queues from queue 1 to queue 5. In other words, packet priority = ToS-based priority + security policy-based priority. For example, if you have enabled Traffic Shaping in the security policy, and the security policy’s Traffic Priority is Low (value 3), and the priority normally applied to packets with that ToS bit is medium (value 1), then packets have a total packet priority of 4, and use priority queue 4.
  • If the current packet rate exceeds the maximum bandwidth, excess packets are dropped.
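The queue-selection rules in "How do these priorities affect each other?" and in the bullets just above are easier to reason about as a small model. The following Python is an added example, not FortiOS code, and simply encodes the article's own tables and rules: ToS-based priority high=0 / medium=1 / low=2 (global `traffic-priority-level`, overridden per ToS value by `tos-based-priority`), shaper priority high=1 / medium=2 / low=3, queue 0 below the guaranteed rate, drop above the maximum rate, and ToS priority plus policy priority in between. It also names the RFC 1349 ToS bits listed earlier. The class, function and parameter names are assumptions chosen for illustration.

```python
"""Model of FortiGate priority-queue (PRIQ) selection as described in this article.

Added example, not FortiOS code. Numeric priority values come from the article's two
tables; names such as FortiGateQoS, Shaper and egress_queue are illustrative only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOS_PRIORITY = {"high": 0, "medium": 1, "low": 2}      # ToS-based (global or per-ToS) priority
POLICY_PRIORITY = {"high": 1, "medium": 2, "low": 3}   # firewall policy / shaper priority

# RFC 1349 meaning of the four ToS bits carried in "set tos [0-15]".
TOS_BIT_NAMES = {
    0b1000: "minimize delay",
    0b0100: "maximize throughput",
    0b0010: "maximize reliability",
    0b0001: "minimize monetary cost",
}


def describe_tos(tos: int) -> List[str]:
    """Return the RFC 1349 criteria set in a 4-bit ToS value (0-15)."""
    if not 0 <= tos <= 15:
        raise ValueError("tos must be 0-15")
    return [name for bit, name in TOS_BIT_NAMES.items() if tos & bit]


@dataclass
class Shaper:
    """A shared shaper: priority plus guaranteed/maximum rates in kb/s.
    maximum_kbps of 0 means 'no maximum' in this model (an assumption)."""
    priority: str = "high"
    guaranteed_kbps: int = 0
    maximum_kbps: int = 0


@dataclass
class FortiGateQoS:
    global_tos_priority: str = "high"                            # set traffic-priority-level
    tos_overrides: Dict[int, str] = field(default_factory=dict)  # config system tos-based-priority

    def tos_priority(self, tos: int) -> int:
        """ToS-based priority: a per-ToS entry overrides the global setting."""
        level = self.tos_overrides.get(tos, self.global_tos_priority)
        return TOS_PRIORITY[level]

    def egress_queue(self, tos: int, rate_kbps: int,
                     shaper: Optional[Shaper] = None,
                     admin_traffic: bool = False) -> Optional[int]:
        """Return the egress queue (0-5) a packet lands in, or None if it is dropped."""
        if admin_traffic:
            return 0  # traffic originating at the FortiGate always uses queue 0
        if shaper is None:
            # No traffic shaping in the policy: the queue is the ToS-based priority alone.
            return self.tos_priority(tos)
        if shaper.maximum_kbps and rate_kbps > shaper.maximum_kbps:
            return None  # above maximum bandwidth: excess packets are dropped
        if rate_kbps < shaper.guaranteed_kbps:
            return 0  # below the guarantee: queue 0 regardless of policy priority
        # Between guaranteed and maximum: ToS-based priority + policy priority (1..5).
        return self.tos_priority(tos) + POLICY_PRIORITY[shaper.priority]


if __name__ == "__main__":
    # The article's worked case: policy priority Low (3) + ToS priority medium (1) = queue 4.
    fg = FortiGateQoS(global_tos_priority="medium")
    low_shaper = Shaper(priority="low", guaranteed_kbps=100, maximum_kbps=1000)
    print(fg.egress_queue(tos=0, rate_kbps=500, shaper=low_shaper))
```

The model makes the article's main caveat visible: with the default settings (global ToS priority high and every policy priority high) every shaped packet above its guarantee lands in queue 1, so nothing is ever reordered until you deliberately assign some policies a lower priority.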

Traffic originating at the FortiGate 

Security policies do not apply to administrative access traffic to the FortiGate through HTTPS or SSH, or IPsec tunnel negotiations. Consequently, FortiGates do not apply traffic shaping to these types of traffic. These types of traffic use the highest priority queue, queue 0. In other words, packet priority = 0.

Exceptions to this rule include traffic types with connections that are related to a session governed by a security policy. For example, if you have enabled FortiGuard AntiVirus scanning, traffic from the sender technically terminates at the FortiGate proxy that scans that traffic type; the FortiGate unit initiates a second connection that transmits scanned content to its destination. Because the second connection’s traffic is technically originating from the FortiGate proxy, and therefore the FortiGate unit itself, it uses the highest priority queue, queue 0. However, this connection is logically associated with through traffic, and is therefore subject to possible bandwidth enforcement and guarantees in its governing security policy. In this way, it behaves partly like other through traffic.

Egress queueing

Shaper priority only affects per port egress queueing, so if you have two streams of traffic — like one egressing over Port1 and one egressing over Port2 — then priority has no effect whatsoever. Both streams will continue to run at full speed.

[Source: Stevan Bevan, Tracking No. 227414]

To make any difference to the order in which packets egress the interface, there must be packets of a lower priority queued on the egress interface. This usually happens when there is an imbalance between the packet rates on the interfaces.

For example, if the LAN is 1Gb, but the WAN is only 100MB. In this scenario the priority of the traffic egressing the WAN is very important, but the traffic egressing the LAN is rendered irrelevant (as it would take 10 WAN links to drive traffic at a high enough rate to cause queuing interference on the LAN interface).

This was tested by performing a debug on the kernel to determine when priority would take effect. In this case, by counting how many times the egress interface had more than one packet in the queue. Two simultaneous 500MB downloads via HTTP were performed, with one policy set to a high priority and one set to a low priority. Results showed that there was more than one packet in the egress queue only 23 times. With over 600,000 packets egressing over that interface, altering the priority of 23 does not make a practical difference to the relative speed of downloads.

Resources

In the FortiOS Handbook, you may be interested in checking out the following Traffic Shaping sections:

The post Traffic Shaping Priority Queueing (PRIQ) appeared first on Fortinet Cookbook.

Limiting bandwidth with traffic shaping


When a particular IP address uses too many resources, you can prevent that IP from consuming your bandwidth indiscriminately. In this recipe, you learn how to use Traffic Shaping on your FortiGate to limit the bandwidth for a specific IP address.

This recipe also explains how to configure traffic shaping to set a maximum bandwidth limit for uploads and/or downloads to 200 kb/s.

 1. Enabling Traffic Shaping

Go to System > Feature Select and under Additional Features enable Traffic Shaping.

 2. Creating a firewall address

Go to Policy & Objects > Addresses to define the address you would like to limit. Select Create New and select Address from the drop down menu.

Enter a name: limited_bandwidth. Set Type to IP/Netmask. Set the Subnet/IP Range to the internal IP address you wish to limit. Set Interface to Any.

 3. Configuring a traffic shaper to limit bandwidth

Go to Policy & Objects > Traffic Shapers and select Create New to define a new shared Traffic Shaper profile.

Set Type to Shared.

Enter the name limited_bandwidth for your shaper and set the Traffic Priority to Medium.

Select Max Bandwidth and enter 200 kb/s (0.2 Mbps). If you would like to set a Guaranteed Bandwidth make sure the rate is lower than the Max Bandwidth. Apply your changes.

By default, shared shapers apply shaping by evenly distributing the bandwidth to all policies using it. You can also enable Per Policy shaping to apply shaping individually to each policy. Right-click your new limited_bandwidth shaper, and select Edit in CLI from the drop down menu. 

 

Enter the following CLI commands. The Edit in CLI console already places you inside the limited_bandwidth shaper’s edit context, so there you only need to type the set and end lines; the full context is shown for reference:

config firewall shaper traffic-shaper
  edit limited_bandwidth
    set per-policy enable
  next
end

Now that Per Policy shaping is enabled, edit your limited_bandwidth shaper and set Apply Shaper to Per Policy.

 

 

4. Verifying your Internet access security policy

Go to Policy & Objects > IPv4 Policy and look at your general Internet access policy. Take a note of the Incoming interface, Outgoing interface, Source and Destination.

If necessary, edit your policy and ensure that Logging Options is set to All Sessions for testing purposes.

 

 

5. Create two Traffic Shaping Policies

Go to Policy & Objects > Traffic Shaping Policy and select Create New to create a shaping policy that will set regular traffic to high priority.

Under Matching Criteria, set Source, Destination, Service to match your Internet Access policy.

Under Apply Shaper, set the Outgoing Interface to match your Internet Access policy and enable Shared Shaper and Reverse Shaper. Shared Shapers affect upload speeds and reverse shapers affect download speeds. Set both shapers to high-priority.

Select Create New to create a second traffic shaping policy that will affect the IP address you wish to limit.

Under Matching Criteria, set Source to limited_bandwidth. Set Destination and Service to ALL. Apply the shaper to the same Outgoing Interface. Enable Shared Shaper and Reverse Shaper and set both shapers to limited_bandwidth.

Order your traffic shaping policies so that your more granular limited_bandwidth policy is above your general high-priority Internet access policy.

6. Results

When a computer with the IP you have specified, 192.168.10.10, browses the Internet from your internal network, its bandwidth will be restricted by the amount you set in your shaper.

Go to FortiView > Sources to view traffic, and use the search field to filter your results by the Source IP (192.168.10.10). 

Go to FortiView > Traffic Shaping to view the current bandwidth usage for any active shapers. Users on the local network will have high-priority traffic.

The IP address you have specified will receive limited-bandwidth treatment and may experience dropped bytes. Your limited-bandwidth shaper should not exceed 200kbps. Note that the results show the Bytes (Sent/Received) in Megabytes (MB) and the Bandwidth in kilobits per second (kbps).

You can also view these results in a bubble graph by changing the graph type in the drop down menu. Sort by Bandwidth to verify that your regular traffic is using more bandwidth.

You can also double-click on either shaper to see more granular information. Select the Destinations tab to see which websites are using up the most bandwidth.

Notes on the steps above:

  • Two new traffic shaping menus, Traffic Shapers and Traffic Shaping Policy, will appear under Policy & Objects.
  • In this example, 192.168.10.10/32.
  • Shared shapers affect upload speeds, Reverse shapers affect download speeds, and Per IP shapers affect both upload and download speeds simultaneously.
  • Setting a Traffic Priority will only have an impact if you have enabled Traffic Shaping in ALL your other Internet access policies using the same two interfaces. There must also be some variation; for example, you will not see any differences while all policies are set to the default setting (High).
  • Now, each security policy using this shaper will have the same distribution of bandwidth, regardless of the number of policies using the shaper. In this example, 200 kb/s (0.2 Mbps) each.
  • Click on the far left column of the policy and move it up or down to change the sequence order.

The post Limiting bandwidth with traffic shaping appeared first on Fortinet Cookbook.

Exempting Websites from SSL Deep Inspection (Video)


In this video, you will learn how to exempt specific websites from SSL Deep Inspection.

Exempting a website from SSL Inspection allows a user’s browser to access it without errors, as deep inspection can prevent certain sites from functioning, and can cause some sites to produce certificate errors. You should only exempt websites that you trust.

In this example, we’ll exempt google.ca from SSL Inspection. If you’re following along, you should try exempting your local Google search domain instead.

The recipe for this video is available here.

Watch more videos

The post Exempting Websites from SSL Deep Inspection (Video) appeared first on Fortinet Cookbook.
