Channel: Fortinet Cookbook

Guest WiFi accounts


In this example, you will create guest accounts that can connect to your FortiGate’s WiFi network for a limited amount of time after authenticating using a captive portal. To make management easier, you will also create a separate administrative account that can only be used to create and manage guest accounts.

In this example, a FortiAP in Tunnel mode is used to provide WiFi access to guests.

Find this recipe for other FortiOS versions: 5.2 | 5.4

1. Creating a WiFi guest user group

Go to User & Device > User Groups and create a new group.

Set Type to Guest. Set User ID to Email, Password to Auto-Generate, and Expire Type to After first login. Leave Default Expire Time set to 4 Hours.

 

2. Creating a guest SSID that uses Captive Portal

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to Tunnel to Wireless Controller. Assign an IP/Network Mask to the interface and enable DHCP server

 

Under WiFi Settings, set Security Mode to Captive Portal and User Groups to the WiFi guest user group.

 

Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile used by the FortiAP.

Set Radio 1 to broadcast the new SSID.

 

3. Creating a security policy for WiFi guests

Go to Policy & Objects > IPv4 Policy and create a new policy. Give the policy a name that identifies its use.

Set Incoming Interface to the guest SSID, Source User(s) to the WiFi guest user group, Outgoing Interface to your Internet-facing interface, and Service to ALL.

Enable NAT.

 

4. Creating a restricted admin account for guest user management

To simplify guest account creation, you can create an admin account that is used only for guest user management. This allows new accounts to be created as needed without granting full administrative access to the FortiGate. In this example, the account is made for use by reception staff.

Go to System > Administrators and create a new account.

Set a User Name and Password for the account. Set Type to Local User. Select Restrict admin to guest account provisioning only and set Guest Group to the WiFi guest user group.

 
Sign in to the FortiGate using the new admin account. You will only be able to see the menu for Guest User Management.  

5. Creating a guest user account

Using the reception account, create a guest account.

Set Email to the user’s email address (in the example, ballen@example.com). To test the account, set Expiration to 5 Minutes.

 
After you select OK, a User Created Successfully notice appears that shows the new account’s Password. This password can then be printed or emailed to the guest user.  

6. Results

On a PC, connect to the guest SSID and attempt to browse the Internet.

When the authentication screen appears, log in using the guest user’s credentials.

After the account is authenticated, you can connect to the Internet.

 
Five minutes after the initial login, the guest user account will expire and you will no longer be able to log in using those credentials. 
Use the reception account to log on to the FortiGate. The guest account is listed as Expired.  
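The account lifecycle the recipe relies on, as an added example (a model written for this page, not FortiOS code): a password drawn from a CSPRNG, as an auto-generate setting would produce, and an expiry clock that starts at the first successful login rather than at creation. The "immediately" expire type is an assumed alternative in this model, where the clock starts at creation instead. The demo replays the recipe's 5-minute test account.

```python
"""Guest-account lifecycle model (added example, not FortiOS code)."""
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import Optional

ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 10) -> str:
    """CSPRNG-backed password, as an auto-generate setting would produce."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class GuestAccount:
    def __init__(self, email: str, created: datetime,
                 expire_type: str = "after_first_login",
                 lifetime: timedelta = timedelta(hours=4)):
        # "after_first_login" mirrors the recipe; "immediately" is assumed here
        if expire_type not in ("after_first_login", "immediately"):
            raise ValueError(expire_type)
        self.email = email
        self.password = generate_password()
        self.created = created
        self.expire_type = expire_type
        self.lifetime = lifetime
        self.first_login: Optional[datetime] = None

    def expires_at(self) -> Optional[datetime]:
        """None means the expiry clock has not started yet."""
        if self.expire_type == "immediately":
            return self.created + self.lifetime
        if self.first_login is None:
            return None
        return self.first_login + self.lifetime

    def status(self, now: datetime) -> str:
        exp = self.expires_at()
        return "Expired" if exp is not None and now >= exp else "Active"

    def login(self, password: str, now: datetime) -> bool:
        """Captive-portal check: refuse expired accounts, compare in constant
        time, and start the expiry clock on the first success."""
        if self.status(now) == "Expired":
            return False
        if not secrets.compare_digest(password, self.password):
            return False
        if self.first_login is None:
            self.first_login = now
        return True


def demo() -> list:
    """Replays the recipe: a 5-minute account, created, left unused for three
    hours (still Active under After first login), logged in, expired 5 minutes
    after that login."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed time
    acct = GuestAccount("ballen@example.com", t0, lifetime=timedelta(minutes=5))
    t_login = t0 + timedelta(hours=3)
    return [
        acct.status(t_login),                                      # "Active"
        acct.login(acct.password, t_login),                        # True
        acct.status(t_login + timedelta(minutes=4)),               # "Active"
        acct.status(t_login + timedelta(minutes=5)),               # "Expired"
        acct.login(acct.password, t_login + timedelta(minutes=6)), # False
    ]


def immediate_demo() -> list:
    """Same lifetime with the assumed "immediately" type: the clock runs from creation."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    acct = GuestAccount("guest@example.com", t0, "immediately", timedelta(minutes=5))
    return [acct.status(t0 + timedelta(minutes=4)), acct.status(t0 + timedelta(minutes=5))]
```

In this model an account created with "After first login" stays Active until someone actually logs in, which is the property to keep in mind when a printed password is never used.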

For further reading, check out Managing Guest Access in the FortiOS 5.4 Handbook.

The post Guest WiFi accounts appeared first on Fortinet Cookbook.


Publish OWA using FortiWeb


You can use FortiWeb’s site publishing features to authorize clients that want to connect to web applications such as Microsoft’s Outlook Web App (OWA).

This site publishing feature can replace the web publishing functionality provided by Microsoft’s Threat Management Gateway (TMG). FortiWeb also provides additional security features that protect the application after a successful login.

You create the FortiWeb configuration that publishes and protects web applications using a server policy.

A server policy is made up of several other configuration objects, including:

  • Web protection profile — A set of security-related configuration objects.
  • Virtual server — The IP address where FortiWeb receives client requests for access to the web application.
  • Server pool  — A backend server or servers where the web application is located.
  • Certificate — Certificate to use for SSL encryption.

The numbers in the illustration correspond to the recipe instructions for the configuration objects.

This recipe assumes that:

  • Basic configuration is complete, including IP addresses, routing, and DNS information.
  • The operating mode is reverse proxy (the destination for requests for the web application is a virtual server IP address on FortiWeb, not the back-end server where the application resides).

FortiWeb configuration

 1. LDAP query

 Go to User > Remote Server > LDAP Server and create a new entry.

In this example, users log in using their full mail address. Therefore, the Common Name Identifier value is the Active Directory field userPrincipalName.

(Other applications or configurations may require different login information.)

To obtain the Distinguished Name field:

  1. On the domain controller, start the adsiedit.msc tool.
  2. Click Action > Connect to.
  3. Click OK.
  4. Browse to the CN=Users folder.
  5. Select a user (for example, CN=Administrator) and then select its properties.
  6. Scroll down to Distinguished Name field to view the value to use in FortiWeb.

For more information on creating the LDAP query, see LDAP query best practices and tips.

 

 2. Site publish rule 

Go to Application Delivery > Site Publish > Site Publish Rule

Name is a unique identifier for the rule.

Published Site and Path specify the URL the client uses to access OWA. FortiWeb intercepts requests for this URL and forces the clients to pre-authenticate.

Because the path for OWA starts with /owa, the URL is:

https://mail.fortiweb.lab/owa

Published Server Log Off Path specifies the path FortiWeb uses to log off a user. For OWA, it is /owa/logoff.owa.

Client Authentication Method specifies how FortiWeb prompts the client to enter the authentication credentials. For example, via HTTP Basic Authentication or a predefined form (shown at right).

LDAP Server is the LDAP configuration you created earlier.

Authentication Delegation specifies whether FortiWeb sends the credentials the client enters to the back-end server. 

For example, select No Delegation when the web application has no authentication of its own or uses HTML form-based authentication. Select HTTP Basic Authentication to use HTTP Authorization: headers with Base64 encoding to forward the client’s credentials to the web application.

Because FortiWeb stores the credentials for the length of the session, it can forward the credentials to other application servers without requiring the client to re-enter the password. To enable this functionality, select SSO Support and specify an SSO Domain value.

Alert Type specifies which logon events FortiWeb writes to event log (none, failed only, successful only, or all).

 

3. Site publish policy  

You use a site publish policy to add site publish rules to a web protection profile. A site publish policy can contain multiple site publish rules.

To create a new policy, go to Application Delivery > Site Publish > Site Publish Policy. Create a new entry, enter the policy name, and then click OK. Then, you can add one or more site publish rules to the policy.

 

 

4. X-Forwarded-For rule

 

Because the operating mode is reverse proxy, the source address of all connections from the FortiWeb to the back-end server is the IP address of one of the FortiWeb interfaces.

To record the client IP address in the back-end server's log, you can forward it in an X-Forwarded-For: header.

Go to Server Objects > X-Forwarded-For > X-Forwarded-For and create a new entry. Enter a name and select Add X-Forwarded-For.

(These settings also provide alternative methods to include this information in requests.)
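What the back-end server should do with these two headers, as an added example (written for this page, not FortiWeb or Exchange code). It covers the X-Forwarded-For: header of this step and the Authorization: header that the site publish rule forwards under HTTP Basic Authentication delegation. It assumes the server pool is reached only through the reverse proxy at the constructed address 10.0.0.5; the sample request is constructed.

```python
"""Back-end handling of requests that arrive via FortiWeb (added example)."""
import base64
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed: the FortiWeb interface address(es) that front the server pool.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.5")})


def client_ip(remote_addr: str, headers: Dict[str, str]) -> str:
    """Return the address to log as the client.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    anyone else can set the header, so for them the peer address is used.
    The list is read right to left, skipping trusted hops, because each proxy
    appends the peer it saw and only the rightmost untrusted entry is reliable.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        return remote_addr
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: do not trust the header at all
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return remote_addr


def delegated_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Decode the Authorization: Basic header FortiWeb forwards under HTTP
    Basic Authentication delegation. Base64 is an encoding, not encryption:
    the password is readable on the proxy-to-server hop, which is why that
    hop should itself be TLS."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


# Constructed sample: headers the back end sees for one OWA request via FortiWeb.
SAMPLE_HEADERS = {
    "Host": "mail.fortiweb.lab",
    "X-Forwarded-For": "203.0.113.7",
    "Authorization": "Basic " + base64.b64encode(b"user@fortiweb.lab:Secr3t!").decode(),
}

if __name__ == "__main__":
    print(client_ip("10.0.0.5", SAMPLE_HEADERS), delegated_credentials(SAMPLE_HEADERS))
```

The important check is the first one in client_ip: a request that reaches the server from any address other than the FortiWeb interface carries a header the server must not believe, however plausible its contents.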

 

 5. Web protection profile 

 

Go to Policy > Web Protection Profile > Inline Protection Profile.

Instead of creating a new profile, you can clone the predefined profile for Exchange 2013, and then configure the cloned profile to suit your environment.

Enter a name, enable Session Management and select the X-Forwarded-For profile you created earlier.

 
 At the bottom of the profile configuration, under Application Delivery, for Site Publish, select the site publish policy that you created earlier.  

6. Virtual server

Go to Server Objects > Server > Virtual Server and create a new entry that specifies the IP address that FortiWeb listens to for connections from the Internet.

7. Server pool

Go to Server Objects > Server > Server Pool. Create a new pool that is a single server pool (the default). Then, add a new pool member by specifying the IP address of the server that runs the published application.

8. Certificates

To upload certificates or generate certificate signing requests, go to  System > Certificates > Local.

If you have an official, signed certificate, upload the certificate of the signing authority (CA). Depending on your authority, you also upload the Intermediate CAs.

The FortiWeb Administration Guide includes detailed information about uploading certificates. For example, see “How to offload or inspect HTTPS”.

9. Server policy

Go to Policy > Server Policy > Server Policy and create a new entry.

Select the configuration objects that you created earlier:

  • Virtual server
  • Server pool
  • Certificate
  • Web protection profile (inline)

FortiWeb now listens on the specified IP address and intercepts connections destined for the URL defined in the site publish rule (in this example, https://mail.fortiweb.lab/owa). The client must successfully complete authentication before it can send any further requests to the application server.

You can configure additional security features, but these are outside the scope of this recipe.

 

Outlook Web App configuration

Log in to the Exchange Control Panel. The default URL is:

https://<server_name>.<domain_name>.com/ecp

Go to servers > virtual directories.

Select the owa entry, and then click the pencil icon (edit).

 

Select authentication, and then select Use one or more standard authentication methods and Basic authentication.

Select Save.

Outlook Web Access administration prompts you to make the same change to the /ecp virtual directory.

Select the ecp entry and make the same setting changes as you did for the owa entry.

 

LDAP query best practices and tips

In most cases, the AD attribute sAMAccountName is the container used for authentication and the appropriate value for Common Name Identifier.

However, in some environments, the userPrincipalName (email address) is the required or preferred container (for example, for networks that use a domain forest).

For Server Port:

  • To search for AD objects more efficiently, specify 3268 instead of the default LDAP port 389.
  • Fortinet recommends that you transmit user credentials securely by specifying 3269 (for more efficient searching) or the LDAP port 636.

Distinguished Name specifies the Base DN from which to start the LDAP query.

Filter allows you to improve the speed and efficiency of the queries. If Common Name Identifier is userPrincipalName, use that attribute in the Filter value.

If the query does not work when you specify the LDAP Distinguished Name for User DN, use the UPN (User Principal Name) instead.

In most cases, the UPN (Email Address) format produces the best results.

 

Search Filter: (&(objectCategory=person)(objectClass=user)(sAMAccountName=*))

For Windows 2003 SP2 and later, the filter can use the string identifier LDAP_MATCHING_RULE_IN_CHAIN (Matching rule OID 1.2.840.113556.1.4.1941). For example:

(memberOf:1.2.840.113556.1.4.1941=(CN=Users*))

The following example filter matches multiple groups:

(&(objectCategory=group)(|(cn=Test*)(cn=Admin*)))

 

The example filters that follow are based on the following example environment:

Directory: DC=domain,DC=com
  Test_Users (OU)
    internet_group
      Matthew Vassallo (user)
    normal_group
      Kenneth Grech (user)

 

Query multiple groups (method 1):

(&(memberOf=CN=*,OU=Test_Users,DC=domain,DC=com)(sAMAccountName=*))

Query multiple groups (method 2):

(&(|(memberOf=CN=normal_group,OU=Test_Users,DC=domain,DC=com)(memberOf=CN=internet_group,OU=Test_Users,DC=domain,DC=com))(sAMAccountName=%s))

Query all users by sAMAccount type:

(sAMAccountType=805306368)

Exclude users in a specific group from the query:

(!(memberOf=cn=TestGroup,OU=Groups,DC=DOMAIN,DC=com))

Query for non-disabled users in a group:

(&(objectCategory=person)(objectclass=user)(memberOf=CN=All Europe,OU=Global,dc=company,dc=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
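A small RFC 4515 filter parser, as an added example (written for this page, not FortiWeb code), serving both the Filter field discussed under the best-practices notes and the example filters above. It checks that the filters are well formed and shows why the login name that replaces the %s placeholder in (sAMAccountName=%s) must be hex-escaped first: unescaped, a name such as *)(objectClass=* turns the two-branch AND into a three-branch one. The hostile login name is constructed.

```python
"""RFC 4515 LDAP search-filter parser and value escaping (added example)."""
import re
from typing import List

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, login: str) -> str:
    """Substitute the escaped login name for the %s placeholder."""
    return template.replace("%s", escape_filter_value(login))


class FilterError(ValueError):
    """Raised for a filter that does not parse."""


class _Parser:
    """Recursive-descent parser for &, |, ! and simple/extensible items.
    Nodes are ("&"|"|"|"!", [children]) or ("item", attr, rule, op, value)."""

    # attr[:dn][:rule] followed by one comparison operator
    _item = re.compile(r"([A-Za-z0-9.;-]+)(:dn)?(?::([A-Za-z0-9.-]+))?(~=|>=|<=|:=|=)")

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def parse(self) -> tuple:
        node = self._filter()
        if self.i != len(self.s):
            raise FilterError(f"trailing data at offset {self.i}")
        return node

    def _peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def _expect(self, ch: str) -> None:
        if self._peek() != ch:
            raise FilterError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _skip_ws(self) -> None:
        while self._peek() == " ":
            self.i += 1

    def _filter(self) -> tuple:
        self._skip_ws()
        self._expect("(")
        self._skip_ws()
        op = self._peek()
        if op in ("&", "|"):
            self.i += 1
            parts: List[tuple] = []
            self._skip_ws()
            while self._peek() != ")":       # end of input fails inside _filter
                parts.append(self._filter())
                self._skip_ws()
            node = (op, parts)
        elif op == "!":
            self.i += 1
            node = ("!", [self._filter()])
        else:
            node = self._item_node()
        self._skip_ws()
        self._expect(")")
        return node

    def _item_node(self) -> tuple:
        m = self._item.match(self.s, self.i)
        if not m:
            raise FilterError(f"bad attribute at offset {self.i}")
        attr, _dn, rule, op = m.groups()
        self.i = m.end()
        start = self.i
        # The value runs to the next ')'; a properly escaped value never contains one.
        while self._peek() not in (")", ""):
            self.i += 1
        return ("item", attr, rule or "", op, self.s[start:self.i])


def parse_filter(text: str) -> tuple:
    return _Parser(text).parse()


# Template from method 2 above; the login name is a constructed hostile input.
GROUP_TEMPLATE = ("(&(|(memberOf=CN=normal_group,OU=Test_Users,DC=domain,DC=com)"
                  "(memberOf=CN=internet_group,OU=Test_Users,DC=domain,DC=com))"
                  "(sAMAccountName=%s))")
HOSTILE_LOGIN = "*)(objectClass=*"


def injection_demo() -> tuple:
    """Number of AND branches with the raw name vs. the escaped name: (3, 2)."""
    raw = parse_filter(GROUP_TEMPLATE.replace("%s", HOSTILE_LOGIN))
    safe = parse_filter(build_user_filter(GROUP_TEMPLATE, HOSTILE_LOGIN))
    return len(raw[1]), len(safe[1])
```

The parser accepts the two-argument "attr:rule=value" form used in the chained memberOf example only when the value itself is balanced; the point of the demo is structural, namely that escaping keeps a user-supplied value inside one assertion.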

For further reading, check out “Users” in the FortiWeb Administration Guide.


Integrating a FortiGate with FortiClient EMS


In this recipe, you will learn how to integrate a FortiGate with FortiClient Endpoint Management Server (EMS) and your Active Directory server to protect the devices or endpoints on your network. Using this Internal Segmentation Firewall (ISFW) configuration you can relatively easily deploy and manage FortiClient to protect all of the endpoints on your network.

FortiClient EMS supports ISFW by simplifying FortiClient deployment and by providing endpoint management from a single console. FortiClient EMS helps to provide real-time control and visibility into your endpoints when they are both on and off corporate networks.

In FortiGate Integrated mode, FortiClient EMS deploys the endpoint clients while an integrated FortiGate running FortiOS 5.4 handles Network Access Control (NAC) and policy enforcement.

For more information on FortiClient EMS, please refer to the FortiClient EMS Administration Guide.

1. Configuring FortiClient EMS

In the FortiClient EMS Dashboard, go to Endpoints > Domains and select the Add a new domain button.

In the Domain Settings window, enter the Active Directory server information.

Test the connection, and then select Save.

Select the new domain in the Domains list to view the Client Details and FortiClient Information.

Go to View > Settings.

Enter and confirm a FortiHeartBeat Connection Key and enable Scan Local Workgroups. Make note of the FortiHeartBeat Connection Key.

Also note the FortiClient Download URL.

Save your changes.

 

2. (Optional) Importing Endpoint Profiles into FortiClient EMS

If you have previously configured Endpoint Profiles on a FortiGate and you wish to import them into FortiClient EMS, follow the instructions below.

  1. Navigate to the Endpoint Profiles list on the left pane and click the Import profile from FortiGate icon.
  2. Enter the FortiGate IP/Hostname and valid administrator credentials and click Next.
  3. You can assign a profile to a Domain or Workgroup by right-clicking it and selecting Assign profile.

3. Enabling and enforcing FortiHeartBeat on the FortiGate

On the FortiGate, go to Network > Interfaces and edit the internal interface.

Under Restrict Access, enable FortiHeartBeat.

Scroll down to Admission Control and enable Enforce FortiHeartBeat for all FortiClients.

4. (Optional) FortiClient installer configuration

With the above configuration, devices on the internal network that aren’t registered with FortiClient are presented with an Endpoint Security Required page that includes a download link to the FortiClient application on the FortiGate. You can customize the FortiClient download installer link to use the EMS installer link instead.

On the FortiGate, go to System > Replacement Messages, switch to the Extended View, and edit the Endpoint Control replacement message for the appropriate endpoints.

You can also customize the installer itself in FortiClient EMS.

Go to View > Software Manager and +Add a custom installer.

Configure the installer as desired, then select Save.

5. Results

When a device on the internal network that isn’t registered with FortiClient attempts to connect to the Internet, or access other services behind the FortiGate, the user of that device is presented with an Endpoint Security Required page that includes a download link to the FortiClient application.

When the user downloads and installs FortiClient, they are prompted for registration. 

Enter the Registration Key and select Accept.

Note that the Registration Key matches the FortiHeartBeat Connection Key entered in Step 1.

The FortiClient then registers to the FortiGate (or FortiClient EMS, depending on the installation) and downloads a configuration update from FortiClient EMS.

The registered endpoint now has access to the Internet and network services as defined by NAC and policy enforcement on the FortiGate.

The registration information and FortiClient profile configuration can be verified in the FortiClient window.

To view the details of registered endpoints on FortiClient EMS, select Endpoints from the left pane.
Highlight one of the endpoints in the All Endpoints list to view Client Details.

To view the details of registered endpoints on the FortiGate, go to one of the following:

FortiView > Sources
(Double-click the item in the list to drill down to greater detail.)

User & Device > Device List

Monitor > FortiClient Monitor

 

Note: the FortiHeartBeat Connection Key entered in Step 1 is required for the FortiClient endpoint to register.

You can also Exempt Sources (such as devices that cannot run FortiClient: routers, printers, Linux devices) and/or Exempt Destinations/Services (such as the EMS server itself, if necessary). When you exempt a source or destination, it does not require FortiClient registration to access network services or the Internet.



FortiMail (v5.3) Calendar Sharing in Outlook


FortiMail supports calendar sharing over a variety of mail clients, making it easier for you to schedule meetings and organize your daily routine. 

This recipe gives an overview of calendar sharing for Outlook. It provides detailed instructions on how to configure FortiMail to enable sharing, how to set up Outlook to publish your calendar, and how to subscribe to other people's calendars.

The initial setup steps are only for FortiMail administrators. If you are an email end user, skip the administrator step.

Administrators: Configuring FortiMail for Sharing 

Before publishing your calendar in Outlook, configure FortiMail to enable calendar sharing. These steps are only for Administrators. 

1. Select Mail Settings from the FortiMail menu bar and select Calendar.

 

2. In the Settings tab, you'll see two checkboxes. Select and enable WebDAV (Outlook does not use CalDAV). Select Apply.

 
[Screenshot: Enabling WebDAV.]

3. Select the Resources tab and select New.  

4. Enter the required information and select Create.

Outlook Users: Getting the URLs

Now that FortiMail is properly configured for sharing, you need to acquire some important information before you can begin publishing your calendar.

1. Open your FortiMail webmail account.

2. Select the Preferences button under the User dropdown menu.

[Screenshot: Preferences]

3. Select View in the Account Settings section beside Service URL. Copy the WebDAV URL.

[Screenshot: WebDAV URL]

Outlook Users: Publishing Your Calendar

Outlook users can publish their calendar and subscribe to other people’s calendars from the FortiMail WebDAV server. 

To publish a calendar to the FortiMail WebDAV service in Outlook:

1. Select Go from the taskbar in Outlook and then select Calendar.

2. From the My Calendar tab on the left of the screen, right-click on the calendar you wish to publish and select Publish to Internet and then Publish to WebDAV server.
3. Enter the URL that you copied from the WebDAV URL link in the previous procedure. 
4. Specify a time span and permission and enter the user name and password required for FortiMail authentication. Select OK.

Outlook Users: Subscribing to a Calendar

In addition to publishing your own calendar, you can subscribe to other people’s calendars via the WebDAV protocol, which facilitates calendar sharing and synchronization between FortiMail and Outlook.

1. Select Tools from the menu bar and then select Account Setting.

2. Select On the Network.

3. Click on the Internet Calendars tab and select New.

4. Enter the publicly shared calendar location URL you copied from the previous instructions.

5. Specify the folder name and description and select OK.

The new imported calendar will appear on the left in the calendar pane.

Outlook Users: Configuring Free/Busy Settings

With Outlook and FortiMail, you can schedule an event or meeting based on the free and busy information shared and stored on the FortiMail WebDAV server.

To configure the free and busy settings in Outlook:

1. Navigate to Tools and select Options.

2. Navigate to Calendar Options and select Free/Busy options.

3. Enter the free/busy URL.

Outlook users get the free/busy URL from the FortiMail administrator, who gets the URL from the calendar settings on the FortiMail web UI.

Note: The Publish at my location selection is not supported. Do not use this option.

4. Select OK.

Both Outlook and FortiMail should now be fully configured to allow for calendar sharing.

 


FortiMail (v5.3) Calendar Sharing in Thunderbird


FortiMail supports calendar sharing over a variety of mail clients, making it easier for you to schedule meetings and organize your daily routine. 

This recipe gives an overview of calendar sharing for Mozilla Thunderbird. It provides detailed instructions on how to configure FortiMail to enable sharing, how to set up Thunderbird to publish your calendar, how to set up your Free/Busy settings, and how to subscribe to other people's calendars.

Thunderbird users should skip the administrator steps.

Note: Two add-ons for Thunderbird are required for these steps to work: Lightning and Free/Busy. Detailed instructions on how to install add-ons in Thunderbird are located here.

Administrators: Configuring Fortimail for Sharing

Before publishing your calendar in Thunderbird, configure FortiMail to enable calendar sharing and then create a calendar resource for sharing:

1. Select Mail Settings from the FortiMail menu bar and select Calendar.

 

2. In the Settings tab, you'll see two checkboxes. Select and enable both WebDAV and CalDAV.

 
[Screenshot: Enabling CalDAV and WebDAV.]

3. Select the Resources tab and select New.  

4. Enter the required information. 

Thunderbird Users: Getting the URLs

Now that FortiMail is properly configured for sharing, you need to acquire some important information before you can begin publishing your calendar.

1. Open your FortiMail webmail account.

2. Select the Preferences button under the User dropdown menu.

[Screenshot: Preferences]

3. Select View in the Account Settings section beside Service URL. Copy the WebDAV URL.

[Screenshot: WebDAV URL]

Thunderbird Users: Publishing Your Calendar

Thunderbird users can publish their calendar and subscribe to other people’s calendars from the FortiMail WebDAV server.

 

1. Select the Events and Tasks menu in the menu bar and select Calendar

2. From the Calendar drop-down menu, right-click the calendar you want to share and select Publish Calendar.

[Screenshot: Publishing your calendar.]

3. Enter the URL that you copied from the WebDAV URL link in the previous procedure. 
4. Enter your user name and password and select OK. 

Thunderbird Users: Subscribing to a Calendar

In addition to publishing your own calendar, you can subscribe to other people’s calendars via the CalDAV protocol, which facilitates calendar sharing and synchronization between FortiMail and Thunderbird.

1. Select File>New>Calendar.

2. Select On the Network.

3. Select the CalDAV format and enter the CalDAV URL from the previous procedure.

[Screenshot: Entering the CalDAV URL.]

4. Enter the display name and settings and select Next.

5. Enter your user name and password for FortiMail authentication.

The new calendar is available in the left calendar pane.

Thunderbird Users: Configuring Free/Busy Settings

With Thunderbird and FortiMail, you can schedule an event or meeting based on the free and busy information shared and stored on the FortiMail WebDAV server.

To configure the free and busy settings in Thunderbird:

1. Navigate to Tools and select Free/Busy.

[Screenshot: Navigating to Free/Busy.]

2. Select the Settings tab.

3. Enter the email address and matching free/busy URL.

The free/busy URL is located in FortiMail under the Calendar settings in the Mail Settings.

 
[Screenshot: The Free/Busy URL location.]

4. Create a new event by selecting the Events and Tasks tab and select New Event. Enter all the necessary information and select Invite Attendees.


Captive portal two-factor authentication with FortiToken Mobile


For this recipe, you will set up a FortiGate to require users on an internal network to use two-factor authentication with FortiToken Mobile through a captive portal to access the Internet.

The captive portal will be added to the FortiGate’s internal interface and you will customize the portal by changing the login page appearance and adding a new image.

This scenario assumes that you have already added an Internet access policy, that you have added FortiToken Mobile to the FortiGate, and the elainemarley user is a member of the FortiToken user group named FTK-users.

1. Enabling FortiToken for elainemarley

Go to User & Device > User Definition and edit elainemarley

Select Enable Two-factor Authentication and select the FortiToken Mobile from the dropdown menu.

Under Contact Info, enable Email Address or SMS, enter elainemarley’s contact information, and select Send Activation Code Email or Send Activation Code SMS. The internal network user will receive the activation code by the method specified.

2. Adding a user account to FortiToken Mobile

Open the FortiToken Mobile application and go to Add account > Enter Manually > Fortinet.

Enter your email address, enter the activation code you received, and select Add account.

The token will activate and start generating codes.
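The mechanism behind the codes the app starts generating, as an added example (a generic RFC 6238 TOTP implementation written for this page, not FortiToken's code): the app and the verifier share a secret provisioned at activation, derive a counter from the clock in 30-second steps, and the verifier accepts a small window of adjacent steps to absorb clock drift while refusing to accept the same step twice. The secret and timestamps are the published RFC 4226/6238 test values, so the expected codes are known.

```python
"""Generic RFC 6238 TOTP verifier (added example, not FortiToken's implementation)."""
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

STEP_SECONDS = 30
DIGITS = 6
RFC_TEST_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B seed (SHA-1)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """Code for the time step containing `at` (Unix seconds; default: now)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP_SECONDS)


def verify(secret: bytes, code: str, at: int, window: int = 1,
           used_steps: Optional[Set[int]] = None) -> bool:
    """Accept `code` if it matches the current step or one within `window`
    steps either side. `used_steps` (kept per user by the verifier) blocks
    replay of a code that was already accepted."""
    step = at // STEP_SECONDS
    for candidate in range(step - window, step + window + 1):
        if used_steps is not None and candidate in used_steps:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            if used_steps is not None:
                used_steps.add(candidate)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: T=59 yields 287082 with six digits.
    print(totp(RFC_TEST_SECRET, 59))
```

The window is the trade-off the verifier makes between tolerating phone clock drift and widening the set of codes accepted at any moment; the used-step set is what stops a code seen once from being accepted again inside that window.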

3. Editing the internal interface

Go to Network > Interfaces and edit the internal interface.

Under Admission Control, set Security Mode to Captive Portal.

Set Authentication Portal to Local, and set User Groups to FTK-users.

4. Customizing the captive portal login page

Go to System > Replacement Messages. Under Authentication, select Login Page.

Two panels will open showing the login page that users will see when attempting to browse the Internet, and the HTML format.

You can customize the login page, such as border color and thickness, using the HTML panel. When finished, select Save, then select Manage Images > Create New.

Enter a name for the new replacement image, select a Content Type (select from GIF, JPEG, TIFF, or PNG), and upload an image file of your choice (in the example, Mêlée-Island.png).

Note that your image must be 24 KB or less.

In the HTML panel for Login Page, scroll down to the logo, and configure the HTML as follows:

.logo {
   background:#eee center 5px url(%%IMAGE:Example%%) no-repeat;
   padding-top:110px;
}

Make any other changes you wish.

The new logo will replace the old image, as shown here.

Under Authentication, select FortiToken Page and make the same customization changes made for the login page.  

5. Results

Internal network users will be redirected to the captive portal login page when attempting to browse the Internet.

Enter elainemarley's user credentials. You will then be prompted to enter a FortiToken Code. Enter the code and select Continue.

The user is now successfully authenticated and has access to the Internet.

To verify elainemarley's connection, go to Monitor > FortiClient Monitor.

Use the Scan Barcode option to scan the attached QR code if you received your activation code by email instead of SMS.




Deciphering abbreviations for Fortinet products


One of the convenient aspects of using the prefix "Forti" for product names is that there is less pressure to be creative when naming a product in order to avoid names that are already taken, trademarked, or might otherwise be confused with something else. The drawback is that when coming up with 2- or 3-letter abbreviations, the first letter is always the same, so as more products appear it gets harder to differentiate them and match the abbreviation to the product.

Below is a table listing abbreviations that have been associated with Fortinet products. These abbreviations are used for various purposes, and sometimes different abbreviations are used in different situations for the same product.

  • They can be used as part of the model name such as “FGT60D”.
  • Some of them will be used as prefixes for the serial number of a product such as “FG100D3G14808602”
  • The same prefix syntax used for the serial number may also be used to identify the device in the entries of a syslog server such as “device_id=FG50BH3G09601792”

Some products have been around for some time and the naming convention has evolved, so an older model of a product may have a different prefix than one of the newer models.

Product                                       Abbreviation(s)
FortiADC (Application Delivery Controller)    FAD, FBL
FortiAnalyzer                                 FAZ, FL, FLG
FortiAP (Access Point)                        FAP
FortiAuthenticator                            FAC
FortiBridge                                   FB, FBG
FortiCache                                    FCH
FortiCamera                                   FCM
FortiCarrier                                  FCR, FG, FK, FS, FT
FortiCarrier, Low Encryption BIOS             LK
FortiClient                                   FCC, FCT
FortiCloud                                    FCL
FortiController                               FCTL
FortiCore                                     FCE
FortiDB (DataBase)                            FDB
FortiDDOS                                     FDD, FI
FortiDNS                                      FNS
FortiExtender                                 FEX
FortiGate                                     FG, FGT
FortiGate, Low Encryption BIOS                LF
FortiGate, Ruggedized                         FGR
FortiGate, Voice                              FGV
FortiHypervisor                               FHV
FortiMail                                     FE, FMAIL, FML
FortiManager                                  FM, FMG
Fortinet Storage Module                       FSM
FortiPhone                                    FON
FortiRecorder                                 FRC
FortiSandbox                                  FSA
FortiScan                                     FSC
FortiSwitch                                   FS
FortiSwitchATCA                               FT
FortiSwitch, Ruggedized                       FSR
FortiTap                                      FTP
FortiTester                                   FTS
FortiToken                                    FTK
FortiVoice System                             FVC
FortiVoice, Enterprise                        FVE
FortiWeb                                      FV, FWB
FortiWiFi                                     FW, FWF
FortiWAN Load Balancer                        FWN

 



Blocking social media websites using FortiGuard categories


This recipe explains how to block access to social media websites using FortiGuard categories. An active license for FortiGuard Web Filtering service is required.

Web filtering with FortiGuard categories allows you to take action against a group of websites, whereas a Static URL Filter is intended to block or monitor specific URLs. Consult this blog post to determine whether to use FortiGuard categories or a Static URL Filter to control your internal network’s access to websites.

If you wish to use a static URL filter to block access to a website and its subdomains, follow the example described in Blocking Facebook with Web Filtering.

 

1. Enabling the Web Filter feature

Go to System > Feature Select and confirm that the Web Filter feature is enabled.

[Screenshot: Enable Web Filter feature]

2. Editing the default Web Filter profile

Go to Security Profiles > Web Filter and edit the default Web Filter profile. Confirm that the FortiGuard category based filter is enabled.

 Edit web filter security profile; enable FortiGuard category filter

Right-click on the General Interest – Personal FortiGuard category. Scroll down to the Social Networking subcategory and right-click again. Select Block.

 Block social networking category

3. Adding the Web Filter profile to the Internet access policy

Go to Policy & Objects > IPv4 Policy, and click Create New. Give the policy a name that identifies its use.

Set Incoming Interface to the internal network and set Outgoing Interface to the Internet-facing interface.

Enable NAT.

 Create IPv4 security policy

Under Security Profiles, enable Web Filter and select the default web filter profile. 

Enable SSL/SSH Inspection and select certificate-inspection from the dropdown menu. This allows the FortiGate to apply web filtering to HTTPS traffic.

Edit IPv4 security policy

In order to be applied to Internet traffic, the new policy has to be higher in the policy sequence than any other policy that could match the same traffic. Confirm this under Policy & Objects > IPv4 Policy by viewing policies By Sequence.

To move a policy up or down, click and drag the far-left column of the policy.

Move IPv4 policy to top of list

4. Results

Attempt to visit a social networking site such as facebook.com, twitter.com, or meetup.com.

A FortiGuard Web Page Blocked! message appears when attempting to visit sites in the blocked category.

Results Facebook blocked

Go to FortiView > Websites and select the 5 minutes view. The blocked social networking sites are listed in the Domain column.

FortiView Websites results showing blocked social media sites

For further reading, check out FortiGuard Web Filtering Service in the FortiOS 5.4 Handbook.

FortiGuard’s web filtering categories are organized into six main groups; descriptions can be found at FortiGuard Center.
Using the deep-inspection profile may cause certificate errors. See Preventing certificate warnings for more information.
The HTTPS protocol is automatically applied to these addresses, even if it is not entered.
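The FortiView > Websites check above can also be done offline against exported logs. The following Python script is an added example, not part of this recipe and not Fortinet code: it parses FortiGate web-filter log records (key=value pairs, as in FortiOS UTM logs) and lists the blocked hostnames per FortiGuard category, plus a per-client count that shows which hosts keep hitting the filter. The log lines are constructed samples; the field names (subtype, eventtype, action, catdesc, hostname, srcip) follow the FortiOS web-filter log format, while all values are fictional.

```python
"""Summarise FortiGate web-filter logs by FortiGuard category.

Added example, not part of the original recipe. SAMPLE_LOGS is a constructed
set of records shaped like FortiOS "type=utm subtype=webfilter" log lines;
field names follow the FortiOS log format, values are made up.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (all addresses and hostnames are fictional).
SAMPLE_LOGS = """\
date=2016-05-02 time=10:01:12 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" srcip=192.168.1.110 dstip=203.0.113.10 service="HTTPS" hostname="www.facebook.com" url="/" action="blocked" cat=37 catdesc="Social Networking" msg="URL belongs to a denied category in policy"
date=2016-05-02 time=10:01:40 type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" srcip=192.168.1.110 dstip=203.0.113.20 service="HTTPS" hostname="www.example.org" url="/" action="passthrough" cat=52 catdesc="Information Technology" msg="URL belongs to an allowed category in policy"
date=2016-05-02 time=10:02:05 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" srcip=192.168.1.120 dstip=203.0.113.30 service="HTTPS" hostname="twitter.com" url="/" action="blocked" cat=37 catdesc="Social Networking" msg="URL belongs to a denied category in policy"
date=2016-05-02 time=10:02:33 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" srcip=192.168.1.110 dstip=203.0.113.40 service="HTTPS" hostname="www.meetup.com" url="/find/" action="blocked" cat=37 catdesc="Social Networking" msg="URL belongs to a denied category in policy"
"""

# key=value pairs; a value is either a double-quoted string or a bare token.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log_line(line):
    """Return a dict of the key=value fields in one FortiOS log record."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in _KV_RE.finditer(line)
    }


def blocked_by_category(log_text):
    """Map each FortiGuard category description to the blocked hostnames,
    which is what the FortiView > Websites view shows in the GUI."""
    blocked = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("subtype") != "webfilter" or rec.get("action") != "blocked":
            continue
        blocked[rec.get("catdesc", "unknown")].add(rec["hostname"])
    return {cat: sorted(hosts) for cat, hosts in blocked.items()}


def blocked_clients(log_text):
    """Count blocked requests per source IP to spot clients that keep retrying."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec.get("subtype") == "webfilter" and rec.get("action") == "blocked":
            counts[rec["srcip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, hosts in blocked_by_category(SAMPLE_LOGS).items():
        print(f"{category}: {', '.join(hosts)}")
    print("blocked requests per client:", blocked_clients(SAMPLE_LOGS))
```

Feed it real records by reading the exported log file instead of SAMPLE_LOGS; the parser only relies on the key=value layout, so extra fields in other FortiOS versions are carried along without changes.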


Increasing FortiVoice Enterprise encryption level


This article examines how to increase your FVE encryption level on release 5.0.4 and above.

What does strong encryption do?

Enabling the use of strong encryption will:

  • disable the deprecated SSL versions SSLv2 and SSLv3
  • enable TLS 1.0, 1.1, and 1.2 by default (you may choose to enable any of the TLS versions with the ssl-versions CLI command; see below)
  • disable weak encryption and hash algorithms and only enable AES and SHA/SHA256
  • generate keys of at least 128 bits
  • provide HTTPS administration access
  • support SIP over TLS.

How to enable strong encryption

To enable Strong Encryption, run the following CLI command:

    config system global
        set strong-crypto enable
    end

To disable Strong Encryption, run the following CLI command:

    config system global
        set strong-crypto disable
    end

The default setting for strong-crypto is disabled.

To set SSL versions, run the following CLI command:

    config system global
        set ssl-versions {ssl3|tls1_0|tls1_1|tls1_2}
    end

Note that when strong encryption is enabled, you cannot set ssl-versions or “system sip-setting/tls-client-protocol” to SSLv3; conversely, while either of them is set to SSLv3, strong encryption cannot be enabled.

Accepted ciphers with strong encryption enabled

Protocol   Key length   Cipher
TLSv1      256 bits     ECDHE-RSA-AES256-SHA
TLSv1      256 bits     DHE-RSA-AES256-SHA
TLSv1      256 bits     AES256-SHA
TLSv1      128 bits     ECDHE-RSA-AES128-SHA
TLSv1      128 bits     DHE-RSA-AES128-SHA
TLSv1      128 bits     AES128-SHA
TLSv1.1    256 bits     ECDHE-RSA-AES256-SHA
TLSv1.1    256 bits     DHE-RSA-AES256-SHA
TLSv1.1    256 bits     AES256-SHA
TLSv1.1    128 bits     ECDHE-RSA-AES128-SHA
TLSv1.1    128 bits     DHE-RSA-AES128-SHA
TLSv1.1    128 bits     AES128-SHA
TLSv1.2    256 bits     ECDHE-RSA-AES256-SHA
TLSv1.2    256 bits     DHE-RSA-AES256-SHA256
TLSv1.2    256 bits     DHE-RSA-AES256-SHA
TLSv1.2    256 bits     AES256-SHA256
TLSv1.2    256 bits     AES256-SHA
TLSv1.2    128 bits     ECDHE-RSA-AES128-SHA
TLSv1.2    128 bits     DHE-RSA-AES128-SHA256
TLSv1.2    128 bits     DHE-RSA-AES128-SHA
TLSv1.2    128 bits     AES128-SHA256
TLSv1.2    128 bits     AES128-SHA
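The rules this article states (no SSLv2/SSLv3, AES only, SHA or SHA256 as the hash, keys of at least 128 bits) can be applied mechanically to any OpenSSL-style cipher-suite name, which is useful when checking what a client or scanner actually negotiated against an FVE system. The following Python module is an added example, not FortiVoice code: it parses suite names into key exchange, cipher, key length and MAC, lists which of the stated rules a protocol/suite pair breaks, encodes the table above as an allow list, and checks that the table is consistent with the rules. The name parsing follows OpenSSL naming conventions and is an assumption of the example, written for the TLS 1.0 to 1.2 suite names in the table.

```python
"""Evaluate protocol/cipher-suite pairs against the FortiVoice strong-crypto rules.

Added example, not FortiVoice code. The rules and the ACCEPTED table come
from the article; the OpenSSL name parsing in classify() is an assumption.
"""
import re

# Optional key-exchange and authentication prefixes used in OpenSSL names.
_PREFIX_RE = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE|ECDH|DH|ADH|AECDH)-)?"
    r"(?:(?P<auth>RSA|ECDSA|DSS)-)?(?P<rest>.+)$")
_CIPHER_RE = re.compile(r"^([A-Z]+)(\d*)$")         # e.g. AES256, CAMELLIA128
# Ciphers whose OpenSSL name carries no key length.
_FIXED_BITS = {"RC4": 128, "RC2": 128, "DES": 56, "IDEA": 128, "SEED": 128, "NULL": 0}

DISABLED_PROTOCOLS = {"SSLv2", "SSLv3"}
ALLOWED_MACS = {"SHA", "SHA256"}


def classify(suite):
    """Split an OpenSSL suite name into key exchange, cipher, key bits and MAC."""
    m = _PREFIX_RE.match(suite)
    tokens = m.group("rest").split("-") if m else []
    if len(tokens) < 2:
        raise ValueError(f"unrecognised cipher-suite name: {suite!r}")
    mac, body = tokens[-1], tokens[:-1]
    if body[:2] == ["DES", "CBC3"]:                 # OpenSSL spells 3DES as DES-CBC3
        cipher, bits = "3DES", 168
    elif body[0] in _FIXED_BITS:
        cipher, bits = body[0], _FIXED_BITS[body[0]]
    else:
        c = _CIPHER_RE.match(body[0])
        if not c:
            raise ValueError(f"unrecognised cipher token in {suite!r}")
        cipher, bits = c.group(1), int(c.group(2) or 0)
    # No kx prefix means static RSA key exchange in OpenSSL naming.
    return {"kx": m.group("kx") or "RSA", "cipher": cipher, "bits": bits, "mac": mac}


def violations(protocol, suite):
    """List the strong-crypto rules the pair breaks; empty means acceptable."""
    problems = []
    if protocol in DISABLED_PROTOCOLS:
        problems.append(f"protocol {protocol} is disabled")
    info = classify(suite)
    if info["cipher"] != "AES":
        problems.append(f"cipher {info['cipher']} is not AES")
    if info["bits"] < 128:
        problems.append(f"key length {info['bits']} is below 128 bits")
    if info["mac"] not in ALLOWED_MACS:
        problems.append(f"MAC {info['mac']} is not SHA or SHA256")
    return problems


# The accepted-cipher table from the article, keyed by protocol.
_COMMON = ("ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA", "AES256-SHA",
           "ECDHE-RSA-AES128-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA")
ACCEPTED = {
    "TLSv1": frozenset(_COMMON),
    "TLSv1.1": frozenset(_COMMON),
    "TLSv1.2": frozenset(_COMMON + ("DHE-RSA-AES256-SHA256", "AES256-SHA256",
                                     "DHE-RSA-AES128-SHA256", "AES128-SHA256")),
}


def is_listed(protocol, suite):
    """True if the pair appears in the article's accepted-cipher table."""
    return suite in ACCEPTED.get(protocol, frozenset())


def table_is_consistent():
    """Sanity check: every listed pair must satisfy the stated rules."""
    return all(not violations(p, s) for p, suites in ACCEPTED.items() for s in suites)


if __name__ == "__main__":
    for proto, suite in [("TLSv1.2", "ECDHE-RSA-AES256-SHA"), ("SSLv3", "RC4-SHA"),
                         ("TLSv1", "DES-CBC3-SHA"), ("TLSv1.2", "AES128-GCM-SHA256")]:
        print(proto, suite, violations(proto, suite) or "ok",
              "(listed)" if is_listed(proto, suite) else "(not listed)")
```

Note the difference between the two checks: AES128-GCM-SHA256 passes every stated rule but is not in the table, so when auditing a negotiated connection treat is_listed() as authoritative and violations() as the explanation of why a suite was rejected.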

 

 


FortiToken Two-Factor Authentication with FortiAuthenticator RADIUS (Video)


In this video, you will set up FortiAuthenticator to function as a RADIUS server to allow FortiToken two-factor authentication for SSL VPN users. You will create a user, assign a FortiToken 200 to the user, and set up the RADIUS client on the FortiAuthenticator. You will then create the SSL VPN tunnel and configure the RADIUS server on the FortiGate.

The recipe for this video is available here.




Migrating Email from Other Mail Servers in FortiMail


FortiMail supports email migration for users that wish to transfer their user information and data from existing mail servers such as Exchange. The following recipe details the migration process in FortiMail.

FortiMail must be running in Server Mode in order for these steps to work.

Mail flow consideration during migration

Option A: Mail flow pointing to FortiMail

1. Import the migration user accounts and export them to FortiMail local users first, so that these accounts are ready to receive email on FortiMail.
2. Direct inbound mail flow from the old server to FortiMail.
3. Migrate the mail data from the old server. During the migration process, the migrated users may not see their older email for a while.

Option B: Mail flow pointing to existing server

1. All inbound email continues to be delivered to the existing mail server.
2. After user account and mail data migration, export all the migrated users to FortiMail local users, so that these accounts are ready to receive email on FortiMail.
3. Direct mail flow to FortiMail.
4. Migrate the mail data once again to fetch the latest email on the old server.  

Preparation

1. Select the Console tab from the System Status section.

2. Enter the following CLI commands to enable mail migration. By default, this is disabled and not displayed on the GUI.

config system global
set email-migration-status enable
end

After entering the CLI commands, refresh the GUI in the web browser to display the mail migration menus and pages.

 

Entering the CLI commands

 

3. Define the remote mail settings by going to Mail Settings > Mail Migration > Remote Mail Server and then selecting New.

Note: The Mail Migration selection will not appear unless you enter the proper CLI commands from step two.

4. Enter a name for the remote server and the host name or IP address of the remote server.

Entering the server and user information.

 

5. Select either IMAP or IMAPS for the protocol and enter the IMAP port number if it is different from the default port number (port 993). Select Create.

6. Create a remote domain under Mail Settings > Domains > Mail Migration Settings of the domain that the user will be migrated to. The remote domain name must be the same as the user’s domain on the remote server. 

If you require more information on how to create domains for mail migration, consult the Creating Domains for Mail Migration section in the FortiMail Administration Guide.

User Migration

Now that you have enabled migration, import the user and password information of the individuals you wish to migrate using one of the following methods.

 

Method 1: If you know the users’ login credentials, enter their user name and password information by navigating to Mail Settings > Mail Migration > Migration Users and select New.

Entering the login credentials.

 

Method 2: If you can export the user name and non-encrypted password list into a CSV file, import the CSV file by navigating to Mail Settings > Mail Migration > Migration Users and select Action > Import > .CSV File.

 

Method 3: If the user already has an account on the FortiMail server, import/copy the local user list to the migration user list by navigating to Mail Settings > Mail Migration > Migration Users and select Action > Import > All Local Users. 

Method 4: If the user passwords are encrypted, you must collect their passwords through FortiMail webmail login or SMTP client login by following these steps.

1. Create an authentication profile that uses the remote mail server as the authentication server. For more details on this process, see Configuring Authentication Profiles in the FortiMail Administration Guide.

2. Create a recipient-based policy that includes the authentication profile and users as senders. For details on this process, see Controlling Email Based on Recipient Addresses in the FortiMail Administration Guide.

3. Use one of the following two methods to collect user passwords:

a. Through FortiMail webmail login: Inform the users to log in to the FortiMail webmail portal, using their email addresses of the remote domain (the domain part needs to match proper authentication policy) and their passwords. Upon successful login, the users will be shown an empty webmail mailbox. This is because the email data has not been migrated yet and this step is only meant to collect user passwords.

b. Through SMTP client login: Inform the users to use the FortiMail host name as their outgoing mail server.

After following any of the above methods, users will need to authenticate through FortiMail. FortiMail will record the user names and passwords into the migration user list, which is located under Mail Settings > Mail Migration > Migration Users.

Mail Data Migration

Once the users are migrated, transfer their mail boxes from the remote server by following these steps.

1. Navigate to Mail Settings > Mail Migration > Migration Users.

2. Select Migrate > Selected Users or All Users from the Action dropdown list.

3. Select the Stop and Start button to control the migration process if needed.

4. Export the user to the local user list by selecting Action > Export > Selected Users or All Users.

The exported users will appear as local users under User > User.


Using AWS Elastic Load Balancing with FortiWeb-VM


AWS Elastic Load Balancing (ELB) allows you to automatically distribute public HTTP traffic to multiple instances of FortiWeb-VM deployed on EC2. The load balancer serves as a single point of contact for clients. 

To create this configuration, you first create a virtual load balancer and register FortiWeb-VM instances to it. Then, you configure the FortiWeb-VM instances to work with the load balancer.

In this example, ELB listens for HTTP requests on port 80 and then selects one of two FortiWeb-VM instances on port 8012 to route the traffic to. The FortiWeb-VM then routes the requests to a server pool member.

This example assumes you already have an Amazon VPC with the following resources:

  • One or more subnets.
  • Two or more instances of FortiWeb-VM on EC2, located on the subnets.
  • One or more security groups. (You can also create a new security group to use when you create the load balancer.)

For detailed information on configuring ELB, see AWS Documentation for Elastic Load Balancing.

1. Configure the load balancer

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

From the navigation bar, select the region where your FortiWeb-VM instances are located.

In the navigation pane, under LOAD BALANCING, click Load Balancers.

Click Create Load Balancer.

 

For Load Balancer name, enter a name for your load balancer.

For Create LB inside, select the network where the FortiWeb-VM instances are located.

Under Listener Configuration, specify the following options:

  • Load Balancer Protocol – HTTP
  • Load Balancer Port – 80
  • Instance Protocol – HTTP

Under Select Subnets, add one or more subnets to the list of selected subnets.

The Available Subnets list displays the subnets that are available in your VPC.

Select public subnets that are in the same Availability Zones as your FortiWeb-VM instances.

Under Assign Security Groups, select a security group for the load balancer.

Navigate to Configure Health Check, and then specify the following options:

  • Ping Protocol – HTTP
  • Ping Port – 8012
  • Ping Path – /index.html

Under Add EC2 Instances, select the FortiWeb-VM instances.

Navigate to the Review page, and then click Create.

A message is displayed when the load balancer creation process is complete.

Click Close.

The new load balancer is displayed in the list of load balancers.

 
In the load balancer details, you can view information about the FortiWeb-VM instances on the Instances tab.  
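The same load balancer can be created from the AWS SDK instead of the console, which is how you would repeat the setup in another region or rebuild it from version control. The following Python module is an added example, not Fortinet's or AWS's own code: the listener (HTTP 80 in front, HTTP 8012 to the instances) and the health check (HTTP:8012/index.html) match this recipe, while the load-balancer name and every AWS resource ID are placeholders. boto3 is imported only inside create_fortiweb_elb(), so the parameter builders and their validation run without AWS credentials.

```python
"""Create the classic ELB from step 1 with boto3.

Added example, not Fortinet's or AWS's code. Listener and health-check values
are those of the recipe; resource identifiers are placeholders.
"""

LISTENER_PORT = 80                 # clients reach the load balancer here
INSTANCE_PORT = 8012               # the FortiWeb-VM server policy listens here
HEALTH_CHECK_PATH = "/index.html"


def listener():
    """Classic ELB listener: HTTP/80 in front, HTTP/8012 to the FortiWeb-VM instances."""
    return {"Protocol": "HTTP", "LoadBalancerPort": LISTENER_PORT,
            "InstanceProtocol": "HTTP", "InstancePort": INSTANCE_PORT}


def health_check(interval=30, timeout=5, unhealthy=2, healthy=10):
    """Classic ELB health check; Target is encoded as PROTOCOL:PORT/PATH.

    Rejects values outside the ranges the ELB API accepts (interval 5..300 s,
    timeout 2..60 s and shorter than the interval, thresholds 2..10) so a bad
    value fails here rather than in the API call.
    """
    if not 5 <= interval <= 300:
        raise ValueError("interval must be between 5 and 300 seconds")
    if not 2 <= timeout <= 60 or timeout >= interval:
        raise ValueError("timeout must be 2..60 seconds and shorter than the interval")
    if not (2 <= unhealthy <= 10 and 2 <= healthy <= 10):
        raise ValueError("thresholds must be between 2 and 10")
    return {"Target": f"HTTP:{INSTANCE_PORT}{HEALTH_CHECK_PATH}",
            "Interval": interval, "Timeout": timeout,
            "UnhealthyThreshold": unhealthy, "HealthyThreshold": healthy}


def create_fortiweb_elb(name, subnet_ids, security_group_ids, instance_ids, region):
    """Create the load balancer, attach the health check and register the
    FortiWeb-VM instances. Returns the DNS name used in step 3.

    Example call (placeholder IDs):
        create_fortiweb_elb("fortiweb-elb", ["subnet-PLACEHOLDER"],
                            ["sg-PLACEHOLDER"], ["i-PLACEHOLDER-1", "i-PLACEHOLDER-2"],
                            "us-east-1")
    """
    import boto3  # optional dependency; only the real API calls need it
    elb = boto3.client("elb", region_name=region)
    created = elb.create_load_balancer(
        LoadBalancerName=name, Listeners=[listener()],
        Subnets=subnet_ids, SecurityGroups=security_group_ids)
    elb.configure_health_check(LoadBalancerName=name, HealthCheck=health_check())
    elb.register_instances_with_load_balancer(
        LoadBalancerName=name,
        Instances=[{"InstanceId": iid} for iid in instance_ids])
    return created["DNSName"]
```

Whichever way you create it, the security group attached to the FortiWeb-VM instances must allow TCP 8012 from the load balancer's security group; otherwise the health check never succeeds and the instances stay OutOfService even though the server policy is correct.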

2. Configure FortiWeb-VM to use ELB

 

Log in to the web UI for the FortiWeb-VM instance, and then go to Server Objects > Server > Virtual Server.

Select Use Interface IP and for Interface, select port1.

 

 
 

Create a server pool that contains the servers that the FortiWeb-VM instances route traffic to.

 

 

 

Go to Server Objects > Service > Custom and create a service that uses port 8012.

 

 
 

Create a server policy that uses the virtual server, server pool, and service that you configured earlier.

 

 
Repeat the configuration for the other FortiWeb-VM instances that you registered with the load balancer.

3. Access the server pool via the load balancer

Go to the load balancer Description tab.

 

Enter the DNS Name value in the address field of your Internet-connected web browser.

The browser displays the default page of an HTTP server in the server pool.

For further reading, check out the FortiWeb-VM Install Guide and the FortiWeb Administration Guide.


Offloading flow-based content inspection with NTurbo and IPSA


NTurbo and IPSA are two hardware acceleration technologies that FortiGates can use to improve performance by offloading and accelerating flow-based UTM/NGFW content processing.

NTurbo offloading and acceleration

NTurbo improves FortiGate performance by offloading firewall sessions with flow-based security profiles to NP4 or NP6 network processors. Firewall sessions that include proxy-based security profiles or a mixture of flow-based and proxy-based security profiles are never offloaded to network processors and are always processed by the FortiGate CPU.

NTurbo creates a special data path to redirect traffic from the ingress interface to IPS, and from IPS to the egress interface. NTurbo allows firewall operations to be offloaded along this path, and still allows IPS to behave as a stage in the processing pipeline, reducing the workload on the FortiGate CPU and improving overall throughput.

If NTurbo is supported by your FortiGate unit, you can use the following command to configure it:

config ips global
  set np-accel-mode {basic | none}
end

basic enables NTurbo and is the default setting for FortiGate models that support NTurbo. none disables NTurbo. If the np-accel-mode option is not available, then your FortiGate does not support NTurbo.

There are some special cases (listed below) where sessions may not be offloaded by NTurbo, even when NTurbo is explicitly enabled. In these cases the sessions are handled by the FortiGate CPU.

  • NP acceleration is disabled. For example, auto-asic-offload is disabled in the firewall policy configuration.
  • The firewall policy includes proxy-based security profiles.
  • The sessions require FortiOS session-helpers. For example, FTP sessions are not offloaded to NP processors because FTP sessions use the FTP session helper.
  • Interface policies or DoS policies have been added to the ingress or egress interface.
  • Tunneling is enabled. Any traffic to or from a tunneled interface (IPSec, IPinIP, SSL VPN, GRE, CAPWAP, etc.) cannot be offloaded by NTurbo.

IPSA offloading and acceleration

IPSA offloads and accelerates flow-based UTM/NGFW pattern matching to CP8 and CP9 content processors. IPSA is available for NTurbo and standard firewall sessions.

IPSA is supported by most FortiGate models. If your model supports IPSA, you can use the following command to configure it:

config ips global
  set cp-accel-mode {advanced | basic | none}
end

basic offloads basic pattern matching.

advanced offloads more types of pattern matching resulting in higher throughput than basic mode. advanced is only available on FortiGate models with two or more CP8 processors or one or more CP9 processors.

If the cp-accel-mode option is not available, then your FortiGate does not support IPSA.

On FortiGates with one CP8, the default cp-accel-mode is basic. Setting the mode to advanced does not change the types of pattern matching that are offloaded.

On FortiGates with two or more CP8s or one or more CP9s the default cp-accel-mode is advanced. You can set the mode to basic to offload fewer types of pattern matching.
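The special cases listed above are easy to miss in a large policy set, and a configuration review is the cheapest way to find them. The following Python script is an added example, not Fortinet code: it parses a FortiOS configuration dump into nested dictionaries, reports the np-accel-mode and cp-accel-mode settings, and flags policies that NTurbo will not offload for two of the reasons given in this article, auto-asic-offload disabled in the policy, and a tunnel interface (here an IPsec phase1-interface) as source or destination. The configuration text is a constructed sample with placeholder interface, policy and tunnel names.

```python
"""Audit a FortiOS configuration dump for NTurbo/IPSA offload settings.

Added example, not Fortinet code. SAMPLE_CONFIG is a constructed excerpt
with placeholder names; only the CLI syntax is FortiOS's.
"""
import shlex

SAMPLE_CONFIG = """\
config ips global
    set np-accel-mode none
    set cp-accel-mode basic
end
config vpn ipsec phase1-interface
    edit "HQ-VPN"
        set interface "wan1"
    next
end
config firewall policy
    edit 1
        set name "Guest-Internet"
        set srcintf "guest-ssid"
        set dstintf "wan1"
        set auto-asic-offload disable
        set utm-status enable
        set webfilter-profile "default"
    next
    edit 2
        set name "LAN-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set utm-status enable
        set ips-sensor "default"
    next
    edit 3
        set name "Branch-VPN"
        set srcintf "internal"
        set dstintf "HQ-VPN"
        set utm-status enable
        set ips-sensor "default"
    next
end
"""


def parse_fortios_config(text):
    """Turn FortiOS CLI text into nested dicts.

    'config <table>' and 'edit <id>' open a nested dict, 'set <key> <values>'
    stores a string (or a list for multi-valued keys), 'next' and 'end' close
    the current level. Quoted values are unquoted by shlex.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and header comments
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set" and args:
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def offload_report(config_text):
    """Summarise acceleration settings and list policies NTurbo cannot offload."""
    cfg = parse_fortios_config(config_text)
    ips = cfg.get("ips global", {})
    tunnels = set(cfg.get("vpn ipsec phase1-interface", {}))
    not_offloaded = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        name = pol.get("name", "")
        if pol.get("auto-asic-offload") == "disable":
            not_offloaded.append((pid, name, "auto-asic-offload disabled"))
        for intf in _as_list(pol.get("srcintf")) + _as_list(pol.get("dstintf")):
            if intf in tunnels:
                not_offloaded.append((pid, name, f"tunnel interface {intf}"))
    return {
        # None means the option is absent, so the model default applies
        "np-accel-mode": ips.get("np-accel-mode"),
        "cp-accel-mode": ips.get("cp-accel-mode"),
        "policies_not_offloaded": not_offloaded,
    }


if __name__ == "__main__":
    for key, value in offload_report(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the output of "show full-configuration" saved from the FortiGate; the parser is generic, so the same tree can be queried for the other cases in the list (for example, policies carrying proxy-based profiles) once you know which keys your FortiOS version uses for them.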


FortiAnalyzer Analyzer-Collector configuration


This example illustrates how to set up FortiAnalyzer Analyzer and Collector modes and make them work together to increase the overall performance of log receiving, analysis, and reporting. 

FortiAnalyzer provides two operation modes: Analyzer and Collector. Analyzer mode is the default mode that supports the full FortiAnalyzer features, while the primary task of a Collector is receiving logs from connected devices and uploading the logs to an Analyzer. Instead of writing logs to the database, the Collector retains the logs in their original (binary) format for uploading. The following table shows a comparison of the supported features of the Analyzer and Collector modes:

 

Feature           Analyzer Mode   Collector Mode
FortiView         Yes             No
Event Monitor     Yes             No
Reports           Yes             No
Log View          Yes             Compressed logs only; indexed logs not available
Device Manager    Yes             Yes
System Settings   Yes             Yes

In this example, Company A has a remote branch network with a FortiGate unit and a FortiAnalyzer 400E in the Collector mode deployed. In its head office, Company A has a FortiAnalyzer 3000D in the Analyzer mode deployed, which analyzes the FortiGate device logs of the remote branch that are forwarded by the Collector and generates reports. 

1. Checking and configuring the storage policy of the Analyzer-to-be and Collector-to-be 

Before you configure Analyzer and Collector, make sure the data policy and disk utilization policy for both the Analyzer-to-be and Collector-to-be are appropriate and provide sufficient disk space for receiving and storing logs. 

For both Analyzer-to-be and Collector-to-be, go to Device Manager, and click the Storage Used tab on the quick status bar.

Observe the storage usage pattern and trend of the Analyzer-to-be and Collector-to-be, and consider the storage needs of this Analyzer–Collector scenario. Decide if you need to adjust the data policy.

 

To edit the data policy when ADOMs are enabled:

Go to System Settings > All ADOMs, double-click the ADOM to which your FAZ Analyzer/Collector belongs.

On the Edit ADOM Storage Configurations page that opens, edit the log storage policy. 

To edit log storage settings when ADOMs are disabled:

Go to System Settings > Dashboard. In the System Information widget, click the edit icon for Log Storage Policy.

In the Edit Log Storage Policy dialog box that opens, change the settings.

The screen shots on the right show an example of storage configurations for the Analyzer (top) and Collector (bottom) modes.

 

 

 

Recommended settings

  • Analyzer: You might want to initially set it to keep indexed logs for 6 months and compressed logs for 2 years (Data Policy), to meet regulatory requirements. You might want to keep the default Indexed : Compressed ratio of 70% : 30% (Disk Utilization). You can then monitor the storage usage and adjust the storage policy as you go.

  • Collector: You should allocate most if not all of the disk space to compressed logs (Indexed : Compressed ratio of Disk Utilization). You can then monitor the storage usage and adjust the storage policy as you go.

2. Setting up the Analyzer

Configure the Operation Mode. Go to System Settings > Dashboard. In the System Information widget, go to Operation Mode, and select Analyzer.

Prepare an administrator account with a Super_User profile. (You can use the default admin account, which is assigned the Super_User profile, or create a custom administrator account.) The Collector will need to provide the login credentials of this administrator account to get authenticated by the Analyzer.

Add the FortiGate device to the Analyzer. Go to Device Manager, and click Device Unregistered in the quick status bar. Select the FortiGate device, and click Add.

In the Add Device dialog box that opens, select the ADOM to which to add the FortiGate device (if ADOM is disabled, select root), and give the device a name you prefer.

Once the FortiGate device is added, you can see it under the Device Total tab. 

 

Make sure that the log aggregation service is enabled on the Analyzer.  Go to System Settings > Dashboard.  In the CLI Console widget, enter the following CLI commands:
    config system aggregation-service
        set accept-aggregation enable
    end

Make sure the interface that will receive logs allows aggregator access. Go to System Settings > Network. In the System Network Management Interface pane, select Aggregator under Administrative Access.

 

3. Setting up the Collector

Configure the Operation Mode. Go to System Settings > Dashboard. In the System Information widget, go to Operation Mode, and select Collector.

Once the FortiAnalyzer device is set to work in the Collector mode, features such as FortiView, Event Monitor, and Reports are disabled. Only Device Manager, System Settings, and Log View are available. 

 

Configure Log Forwarding. Go to System Settings > Log Forwarding. Click Create New.

Set Server Name to a name you prefer. Set Remote Server Type to FortiAnalyzer. Set Server IP to the IP address of the Analyzer to which this Collector will forward logs. Click Select Device and select the FortiGate device. 

Select both Enable Real-time forwarding and Enable Log Aggregation. Provide the user name and password of the Administrator account of the Analyzer.

 

Note: By enabling real-time forwarding, the Collector will forward logs to the Analyzer in real-time. By enabling log aggregation, the Collector will upload log archive files, which include DLP (data leak prevention) files, antivirus quarantine files, and IPS (intrusion prevention system) packet logs, to the Analyzer daily at the scheduled time.

Log forwarding is enabled by default. If you cannot see System Settings > Log Forwarding in the GUI, you will have to enable the menu item first. Go to System Settings > Dashboard. In the CLI Console widget, enter the following CLI commands:

    config system admin setting
        set show-log-forwarding enable
    end

4. Results

At this point, the Collector starts to forward logs to the Analyzer. Log in to the Analyzer GUI and go to Log View. Select the FortiGate device from the device list, and select Real-time Log from the Tools drop-down. You will see real-time logs flowing into the log message list.


SSL VPN Web and Tunnel Mode (Video)


In this video, you will allow remote users to access your internal network using an SSL VPN, connecting by web mode, or by tunnel mode using FortiClient.

Web Mode allows users to access network resources, such as the Internal Segmentation Firewall (or ISFW) used in this example.
Users connecting via Tunnel Mode will be able to access the internet, but with all traffic passing through the FortiGate, protected by your FortiGate’s security policies and profiles. The FortiGate will also verify that the remote user’s AntiVirus software is installed and up-to-date. This example assumes that you have already created an SSL user account and SSL-users group.

The recipe for this video is available here.


