Channel: Fortinet Cookbook

Add additional public IPs to FortiWeb-VM on Azure


By default, your FortiWeb-VM Azure instance has a single public IP address that clients use to reach FortiWeb and the servers it protects. You can use an Azure load balancer to specify multiple public IP addresses instead. This is useful when, for example, your server pool hosts several web services and clients access each service using a different IP address.

You use load balancer frontend objects to add public IP addresses to the load balancer. Azure NAT rules allow you to associate the IP addresses with a FortiWeb-VM instance by mapping frontend ports to FortiWeb-VM network interface ports.

When you associate the FortiWeb-VM network interface with a load balancer, the public IP address that you specified when you created the FortiWeb-VM instance is no longer reachable. Clients contact FortiWeb only through the IP addresses associated with the load balancer, and only on the ports that the NAT rules map.

In this example, the load balancer does not provide load balancing functionality.

1. Create a load balancer

For detailed information on creating a load balancer, see the Azure documentation. The Azure procedure includes steps to create a frontend IP pool and a backend address pool; because the load balancer in this example does not balance traffic, it uses no backend address pool and no load-balancing rules. Only the frontend IP configurations and inbound NAT rules described in the following steps are needed.

2. Create additional public IP addresses

Azure allows you to create public IP addresses using the portal, PowerShell, or CLI.

For example, the following command from the classic cross-platform Azure CLI (azure; the current az CLI has equivalent commands) creates a static public IP address named NRPPublicIP with the DNS label loadbalancernrp, which resolves as loadbalancernrp.<location>.cloudapp.azure.com (loadbalancernrp.eastus.cloudapp.azure.com when the location is eastus). The -a static option requests a static allocation and -i 4 sets the TCP idle timeout to 4 minutes:

azure network public-ip create -g <resource-group> -n NRPPublicIP -l <location> -d loadbalancernrp -a static -i 4

where:

  • <resource-group> is the Azure resource group that contains your load balancer and FortiWeb-VM instances.
  • <location> is the Azure location of your load balancer and FortiWeb-VM instances.

3. Add the additional public IP addresses to the load balancer  

You use load balancer frontend objects to add public IP addresses. You can use PowerShell or the CLI to add a public IP address to each frontend.

For example, the following CLI command adds a frontend and associates a public IP address with it:

azure network lb frontend-ip create -g <resource-group> -l <load-balancer-name> -n <frontend-name> -i <public-ip>

where:

  • <load-balancer-name> is the name of the load balancer you created earlier.
  • <frontend-name> is a name you choose for the new frontend.
  • <public-ip> is the name of the public IP address resource you created earlier (NRPPublicIP in the example), not the address itself.

4. Create a NAT rule that routes traffic for the public IP address to FortiWeb 

To route traffic to FortiWeb, you create a NAT rule that maps an outside port on the load balancer frontend to an inside port on FortiWeb. FortiWeb listens on the inside port for traffic destined for the servers it protects. Only ports that you map with a NAT rule are reachable from the Internet through the load balancer, so map only the ports of the services that FortiWeb should expose, and do not map its management ports to a public frontend.

You can specify the same port for both outside and inside. However, an outside port can be used only once for each frontend, and an inside port can be used only once for each FortiWeb network interface.

For example, one rule translates port 443 on the first frontend to port 443 on the FortiWeb network interface. A second rule routes traffic from a different frontend to the same FortiWeb instance, again using frontend port 443, but the mapped port on FortiWeb is 10443 because 443 is already taken on that interface. (To avoid reconfiguring the back-end servers, you can configure FortiWeb to connect to the server pool on the original port rather than on 10443.)

To create the configuration, you first create the rule, then associate the rule with the FortiWeb network interface.

azure network lb inbound-nat-rule create -g <resource-group> -l <load-balancer-name> -p tcp -t <frontend-name> -f <outside-port> -b <inside-port> -n <rule-name>

where:

  • <outside-port> is the port on the frontend.
  • <inside-port> is the port on the FortiWeb network interface.
  • <rule-name> is the name you choose for the rule.

azure network nic inbound-nat-rule add -g <resource-group> -n FortiWebNic0 -r <rule-name> --lb-name <load-balancer-name>

where the name of the FortiWeb network interface is the default value (FortiWebNic0).
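As an added example (not from the recipe or from Fortinet), the following script runs steps 2 to 4 for a list of public IP addresses with the classic azure CLI, checking the two port constraints described above before it issues any command. The resource group, location, load balancer name, DNS labels and the 443/10443/10444 port plan are assumptions; the NIC name is the recipe's default. With DRY_RUN=1 (the default) it only prints the commands it would run.

```sh
# Added example for steps 2 to 4 of this recipe (not Fortinet's or Azure's
# own code): one public IP, frontend and NAT rule per service, all mapped to
# the single FortiWeb-VM NIC. Names, location and the port plan are assumed.
set -eu

RG="${RG:-fortiweb-rg}"        # assumed resource group
LOC="${LOC:-eastus}"           # assumed location
LB="${LB:-fortiweb-lb}"        # assumed name of the load balancer from step 1
NIC="${NIC:-FortiWebNic0}"     # the recipe's default FortiWeb NIC name
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the azure commands, 0 = run them

# Constructed plan, one line per public IP: "<dns-label> <outside-port> <inside-port>".
# Each frontend may reuse 443 on the outside, but every rule needs its own
# inside port on the one FortiWeb NIC (443, 10443, 10444, ...).
PLAN="svc-a 443 443
svc-b 443 10443
svc-c 443 10444"

# Enforce the recipe's constraints before any resource is created: a label
# (and so a frontend and its outside port) appears once, an inside port
# appears once per NIC, and ports are numeric.
validate_plan() {
  labels=" "; insides=" "
  while read -r label outside inside; do
    [ -n "$label" ] || continue
    [ -n "$inside" ] || { echo "malformed line for $label" >&2; return 1; }
    case "$outside$inside" in *[!0-9]*) echo "non-numeric port for $label" >&2; return 1 ;; esac
    case "$labels" in *" $label "*) echo "duplicate frontend $label" >&2; return 1 ;; esac
    case "$insides" in *" $inside "*) echo "inside port $inside already used on $NIC" >&2; return 1 ;; esac
    labels="$labels$label "; insides="$insides$inside "
  done <<EOF
$1
EOF
  return 0
}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s ' "$@"; echo; else "$@" </dev/null; fi
}

# The four commands from steps 2 to 4, once per planned public IP.
apply_plan() {
  while read -r label outside inside; do
    [ -n "$label" ] || continue
    run azure network public-ip create -g "$RG" -n "pip-$label" -l "$LOC" -d "$label" -a static -i 4
    run azure network lb frontend-ip create -g "$RG" -l "$LB" -n "fe-$label" -i "pip-$label"
    run azure network lb inbound-nat-rule create -g "$RG" -l "$LB" -p tcp \
      -t "fe-$label" -f "$outside" -b "$inside" -n "nat-$label"
    run azure network nic inbound-nat-rule add -g "$RG" -n "$NIC" -r "nat-$label" --lb-name "$LB"
  done <<EOF
$1
EOF
}

validate_plan "$PLAN" && apply_plan "$PLAN"
```

Run it with DRY_RUN=0 after logging in to the classic CLI to apply the plan. A repeated label or inside port is rejected before anything is created, which is the conflict Azure would otherwise report only after the public IP and frontend for that entry already exist.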

5. Configure FortiWeb-VM to use the load balancer  

 

Log in to the web UI for the FortiWeb-VM instance, and then go to Server Objects > Server > Virtual Server.

Select Use Interface IP and for Interface, select port1.

 
 

Create a server pool that contains the servers that the FortiWeb-VM routes traffic to.

 

Go to Server Objects > Service > Custom and create a service that uses the inside port you specified earlier.

Remember, a unique FortiWeb port is required for each frontend you configure on the load balancer. When you repeat these FortiWeb-VM configuration steps for an additional public IP, configure a new custom service with the unique port.

 
Create a server policy that uses the virtual server, server pool, and service that you configured earlier.  
Repeat the configuration for each public IP address you added to the load balancer. 

For further reading, see the FortiWeb-VM for Azure Install Guide and the FortiWeb Administration Guide.

The post Add additional public IPs to FortiWeb-VM on Azure appeared first on Fortinet Cookbook.


FortiGate registration and basic settings


After installing a FortiGate in your network, there are some basic administrative tasks which you should complete. In this recipe, you will complete these tasks to get your FortiGate ready for use:

  • Registering your FortiGate with a Fortinet Support account
  • Setting the correct system time
  • Adding a password to the default administrative account
  • (optional) Restricting administrative access to a trusted host PC


1. Registering your FortiGate

Registering your FortiGate allows you to receive FortiGuard updates and is required for firmware upgrades and access to Fortinet Support.

Before registering your FortiGate unit, it must have Internet connectivity.

Go to the Dashboard and locate the License Information widget.

Next to Support Contract, select Register.

 

Either use an existing Fortinet Support account or create a new one. Select your Country and Reseller.

 

The License Information widget now displays the unit as Registered.

A Launch Portal button also appears, which allows you to quickly access the Fortinet Support Portal.

 

If you need to contact Fortinet Support, it is recommended to first read the article How to work with Fortinet Support.

2. Setting the system time

Go to the Dashboard and locate the System Information widget.

Next to System Time, select Change.

 

Select your Time Zone and either set the time manually or select Synchronize with NTP Server.

 

The System Information widget now displays the correct time.

3. Changing the default admin password

Go to System > Admin > Administrators and edit the default admin account.

Select Change Password. Leave Old Password blank and enter the New Password.

You will be automatically signed out after changing the password.

 

It is also recommended to change the user name of this account; however, since you cannot change the user name of an account that is currently in use, a second administrator account will need to be created in order to do this.

4. Results

Attempt to log in using the admin account without a password. Access is denied.

 

Log in using the admin account with your new password. Access is granted.

Go to the Dashboard and locate the Alert Message Console widget, which indicates the failed authentication attempt.

 

5. (Optional) Restricting administrative access to a trusted host

If desired, you can configure an administrative account so that it can log in only from a trusted host. The host can be either a particular device or any device on a particular subnet. The restriction applies to every administrative protocol (HTTPS, SSH, and so on) for that account, and an account with no trusted hosts configured can log in from any address, so repeat this step for each administrator account you create.

Go to System > Administrators and edit the default admin account.

Enable Restrict login to trusted hosts. Set Trusted Host #1 to the static IP address of the PC you will use to administer the FortiGate unit (a single host uses the mask 255.255.255.255; a subnet uses its own mask). Do not enter 0.0.0.0/0.0.0.0, which allows every address.

If required, set additional trusted hosts.
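The same settings can be applied from the CLI. As an added example (not from the recipe or from Fortinet), the following script generates the FortiOS CLI batch for steps 2, 3 and 5 and refuses a trusted-host entry that would allow every address. The timezone index, the admin password read from ADMIN_PW and the host addresses are assumptions; adjust them before use.

```sh
# Added example (not Fortinet's code): generate the FortiOS CLI batch for
# NTP time sync, the admin password and trusted hosts, refusing a trusted
# host that matches every address. Timezone, password and hosts are assumed.
set -eu

# FortiOS timezone index; 04 is "(GMT-5:00) Eastern Time" in the FortiOS
# list and is an assumption here. List the indexes with "set timezone ?".
TIMEZONE="${TIMEZONE:-04}"

# Accept only "<ip> <mask>" with dotted-quad fields and a mask other than
# 0.0.0.0, which FortiOS treats as "any address" and so as no restriction.
check_trusthost() {
  set -- $1                          # split "<ip> <mask>" on purpose
  [ $# -eq 2 ] || return 1
  case "$1" in *[!0-9.]*|"") return 1 ;; esac
  case "$2" in *[!0-9.]*|"") return 1 ;; esac
  [ "$2" != "0.0.0.0" ] || return 1
  return 0
}

# Print the CLI batch. $1 is the new admin password; the remaining arguments
# are trusted hosts as "<ip> <mask>" (FortiOS has trusthost1 to trusthost10).
emit_config() {
  pw="$1"; shift
  [ $# -le 10 ] || { echo "at most 10 trusted hosts per account" >&2; return 1; }
  hosts=""; n=1
  for h in "$@"; do
    check_trusthost "$h" || { echo "refusing trusted host '$h'" >&2; return 1; }
    hosts="${hosts}        set trusthost$n $h
"
    n=$((n + 1))
  done
  cat <<EOF
config system global
    set timezone $TIMEZONE
end
config system ntp
    set ntpsync enable
    set type fortiguard
end
config system admin
    edit "admin"
        set password "$pw"
${hosts}    next
end
EOF
}

# Stand-alone use: ADMIN_PW='...' TRUSTED_HOST='192.168.1.10 255.255.255.255' sh baseline.sh
if [ -n "${ADMIN_PW:-}" ]; then
  emit_config "$ADMIN_PW" "${TRUSTED_HOST:-192.168.1.10 255.255.255.255}"
fi
```

Save the output and send it to the FortiGate over SSH (for example, ssh admin@<fortigate> < batch.txt). Because the batch changes the admin password, the session ends after it is applied; log in again from the trusted host with the new password to confirm that the restriction took effect, and keep the password out of shell history by exporting ADMIN_PW from a prompt rather than typing it on the command line.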

For further reading, check out Basic Administration in the FortiOS 5.4 Handbook.

To allow the Support site to keep a complete listing of your devices, we recommend that you use one account to register all of your Fortinet products.
Since not all time zones have names, you may need to know how many hours ahead (+) or behind (-) you are from Greenwich Mean Time (GMT).


FortiAuthenticator as a Certificate Authority


For this recipe, you will configure the FortiAuthenticator as a Certificate Authority (CA). This will allow the FortiAuthenticator to sign certificates that the FortiGate will use to secure administrator GUI access.

This scenario includes creating a certificate request on the FortiGate, downloading the certificate to the network’s computers, and then importing it to the FortiAuthenticator. You will sign the certificate with the FortiAuthenticator’s own certificate, then download and import the signed certificate back to the FortiGate.

The process of downloading the certificate to the network’s computers will depend on which web browser you use. Internet Explorer and Chrome use one certificate store, while Firefox uses another. This configuration includes both methods.

1. Creating a new CA on the FortiAuthenticator

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new CA.

Enter a Certificate ID, select Root CA certificate, and configure the key options (the example uses the SHA-256 hash algorithm, which the signing step later in this recipe must match).

Once created, highlight the certificate and select Export.

This will save a .crt file to your local drive.

2. Installing the CA on the network

The certificate must now be installed on the computers in your network as a trusted root CA. Because every computer that trusts this root will accept any certificate it signs, protect the FortiAuthenticator's CA private key and limit who can issue certificates with it. The steps below show different methods of installing the certificate, depending on your browser.

Internet Explorer and Chrome

In Windows Explorer, right-click on the certificate and select Install Certificate. Open the certificate and follow the Certificate Import Wizard.

Make sure to place the certificate in the Trusted Root Certification Authorities store.

Finish the Wizard, and select Yes to confirm and install the certificate.

Firefox

In the web browser, go to Options > Advanced > Certificates and select View Certificates.

In the Authorities tab, select Import.

Find and open the root certificate.

You will be asked which purposes the certificate will be trusted for. Only Trust this CA to identify websites is needed for this recipe; selecting the other purposes extends the CA's trust to email and software signing, which this recipe does not use. Select OK.

3. Creating a CSR on the FortiGate

On the FortiGate, go to System > Certificates and select Generate to create a new certificate signing request (CSR).

Enter a Certificate Name, the IP address (or host name) that administrators use to reach the FortiGate, and a valid email address, then configure the key options (for example, RSA 2048-bit with SHA-256). Put the address in the Subject Alternative Name field as well: browsers match the address bar against the SAN rather than the Common Name, so a certificate without it still produces a name mismatch error.

Once created, the certificate will show a Status of Pending. Highlight the certificate and select Download.

This will save a .csr file to your local drive.

4. Importing and signing the CSR on the FortiAuthenticator

Back on the FortiAuthenticator, go to Certificate Management > End Entities > Users and import the .csr certificate created earlier.

Make sure to select the Certificate authority from the dropdown menu and set the Hash algorithm to SHA-256, as configured earlier.

Once imported, you should see that the certificate has been signed by the FortiAuthenticator, with a Status of Active. Highlight the certificate and select Export Certificate.

This will save a .cer file to your local drive.

5. Importing the local certificate to the FortiGate

Back on the FortiGate, go to System > Certificates and select Local Certificate from the Import dropdown menu.

Browse to the .cer certificate you just created. Select Open and then select OK.

You should now see that the certificate’s Status has changed from Pending to OK. You may have to refresh your page to see the status change.
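Before importing the .cer, it is worth checking what the FortiAuthenticator produced. The following added example (not from the recipe or from Fortinet) reproduces the chain with openssl standing in for both devices and checks the four things that cause GUI certificate errors: the chain to the root, the SHA-256 signature, the FortiGate's address in the SAN, and a match with the FortiGate's private key. The address 192.0.2.1, the email address and the file names are assumptions.

```sh
# Added example (not Fortinet tooling): rebuild this recipe's trust chain
# with openssl and check the signed certificate before it is imported.
# The IP address, names and email address are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
FGT_IP="${FGT_IP:-192.0.2.1}"

# Step 1: the root CA (stands in for the FortiAuthenticator local CA).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=FortiAuthenticator Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 3: the FortiGate's CSR. The private key never leaves the FortiGate;
# only fgt.csr is sent to the CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$FGT_IP/emailAddress=admin@example.com" \
    -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" 2>/dev/null
}

# Step 4: the CA signs with SHA-256 and adds the server extensions. The
# address goes into the SAN, which is what browsers check.
sign_csr() {
  printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$FGT_IP" > "$WORK/fgt.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/fgt.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/fgt.ext" -out "$WORK/fgt.cer" 2>/dev/null
}

# The check to run before step 5. Prints "ok", or the name of the failed
# check: chain, hash, san or key.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/fgt.cer" >/dev/null 2>&1 \
    || { echo chain; return 1; }
  text=$(openssl x509 -in "$WORK/fgt.cer" -noout -text)
  case "$text" in *sha256WithRSAEncryption*) ;; *) echo hash; return 1 ;; esac
  case "$text" in *"IP Address:$FGT_IP"*) ;; *) echo san; return 1 ;; esac
  [ "$(openssl x509 -in "$WORK/fgt.cer" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/fgt.key" -pubout)" ] || { echo key; return 1; }
  echo ok
}

build_and_verify() { make_root_ca && make_csr && sign_csr && verify_cert; }

build_and_verify
```

To check a real export, copy the FortiAuthenticator's root (ca.crt) and the signed certificate (fgt.cer) into WORK, set FGT_IP to the address administrators use, and run only verify_cert; the key check needs the FortiGate's private key and can be skipped there. A result of "san" means the CSR was generated without the address in the Subject Alternative Name field, and the browser will show a name mismatch even though the chain is valid.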

6. Configuring the certificate for the GUI

Go to System > Admin > Settings.

Under Administration Settings, set HTTPS server certificate to the certificate created/signed earlier, then select Apply.

7. Results

Close and reopen your browser, and go to the FortiGate admin login page. If you click on the lock icon next to the address bar, you should see that the certificate has been signed and verified by the FortiAuthenticator. As a result, no certificate errors will appear.


Installing Hard Drives in FortiRecorder 400D


The FortiRecorder FRC-400D supports up to 4 hard disk drives to maximize your storage capacity for saved videos. 

This recipe guides you through the process of configuring RAID levels, adding RAID disks, replacing a RAID disk, and reinstalling all of your RAID disks.

Your FortiRecorder unit stores video data on its internal hard drive until the drive is full. Storing files locally reduces the system’s resource usage when recording. Through RAID storage, you’ll be able to store more data without sacrificing system performance.

Supported HDD models and capacities

Fortinet recommends surveillance grade rated hard drive models such as Western Digital WD40PURX and the Seagate ST4000VX000 (2-4 TB capacity).

Important: If you are using old disks from another system (RAID or LVM), erase all metadata on the drives.

Configuring RAID Levels

The FortiRecorder 400D supports four hard drives and software RAID. The following table lists the RAID levels that the FortiRecorder 400D supports for each number of installed drives.

Installed hard drives   Available RAID levels     Default RAID level
1                       0                         0
2                       0, 1                      1
3                       0, 1 + hot spare, 5       5
4                       5 + hot spare, 10         10

To configure RAID levels:

IMPORTANT: Back up your data on a disk before beginning the following procedure. Changing the device’s RAID levels temporarily suspends all data processing and erases all data on the hard disk.

  1. Connect to the CLI console.
  2. Enter the command:
    execute raidlevel <level>

The FortiRecorder will change the RAID levels and reboot.

 

Adding a RAID Disk

You can add two additional drives to your FortiRecorder 400D unit to expand your storage capacity. 

To add an additional disk to the RAID array:

  1. Remove the hard disk bay from the unit by unlocking the bay with the supplied key.
  2. Install the hard disk into the bay and insert the bay into the unit.
  3. Go to System > Storage > Local Storage
  4. Select Refresh. The newly added disk appears under Drives.
  5. Add the disk to an array.
  6. Select Refresh. The new array appears under RAID Arrays.
  7. Select the new array and adjust the portions you want to allocate to log and video storage.
  8. Select Add to Logical Disks.
 
The hard drive bays

Replacing a RAID Disk

Whether due to damage or a component upgrade, you may want to replace a disk in your FortiRecorder 400D unit. The following steps guide you through the simple process of replacing a RAID disk.

Important: The new disk must have the same or greater storage capacity than the existing disks in the array. If the new disk has a larger capacity, only the amount equal to the smallest disk will be used. For example, if the array's disks are 400 GB and you replace one of them with a 500 GB disk, only 400 GB of the new disk will be used.

Note: FortiRecorder units support hot swap. You do not need to shut down the unit during hard disk replacement.

To replace a RAID disk:

  1. Go to System > Storage > Local Storage
  2. Select the hard disk in the row you want to replace (for example, p4) and select Delete. The disk is removed from the list.
    Important: Use an anti-static wrist strap to avoid static electricity damaging the hard disk.
  3. Remove the hard disk that you removed from the web UI from its drive bay. 
  4. Insert the new hard disk into the drive bay. 
  5. Select Refresh.

The RAID controller will scan for and locate the newly installed disk. The FortiRecorder unit may automatically add the new hard disk to the RAID unit or allocate it as a spare depending on the RAID level.

 

Replacing all RAID disks

You may need to replace all RAID disks in your machine, including the pre-installed drives, and build a new array.

Important: Because the HTTPS certificates are stored on the hard drive, if you still need them you must back up the configuration first; the certificates are included in the configuration file. After you install the new hard drives, restore the configuration. If you are not using the factory certificates and plan to import your own certificate later, you do not have to back up the configuration or certificates.

To replace all disks in the array

  1. Shut down the FortiRecorder unit.
  2. Remove the hard disks.
  3. Install the new hard disks.
  4. Boot up the system.
  5. From the Command Line Interface, enter the following command to rebuild the disks:
    execute factoryreset disk
    This command uses the default RAID level based on the number of drives used. You can also use the following command to rebuild the disks with the specified RAID level. For the supported RAID levels, see the above section.
    execute raidlevel <level>
  6. The system will reboot.
 

 


Updating your FortiGate’s firmware


In this example, you will update your FortiGate to use the latest version of FortiOS, so that you can use the latest FortiOS features.

In this recipe, a FortiGate is updated from FortiOS 5.2.5 to 5.4.0. This upgrade path is supported, as shown in the Supported Upgrade Paths – FortiOS.


1. Checking the current FortiOS firmware

Go to the Dashboard (in FortiOS 5.2, System > Dashboard > Status) and view the System Information dashboard widget. The Firmware Version section shows the firmware that is currently installed and if a new version is available.

 

2. Reviewing the Release Notes

If a new version is available, select View Release Notes to access the Release Notes for that version. Review the release notes to determine if you want to upgrade to this version.

Pay extra attention to the Upgrade Information section, to find out if you can upgrade directly from your current firmware to the latest version. You should also check the Supported Upgrade Paths document, found at the Fortinet Documentation Library.

 

3. Updating to the latest firmware

If you wish to upgrade to the latest FortiOS version, select Update.

Under Available Firmware, select the Recommended tab, then select Backup Config and Upgrade.

If the firmware version you wish to upgrade to is not shown in this tab, it may be listed under All Available.

 

Firmware can also be downloaded directly from Fortinet Support and uploaded manually to your FortiGate. Before uploading, compare the image's checksum with the value published on the Support site so that a corrupted or tampered download is not installed.

4. Results

The FortiGate unit uploads the firmware image file, updates to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.

You may have to refresh your browser to see the FortiGate login.

Go to System > Dashboard > Status. In the System Information dashboard widget, the Firmware Version will show the updated version of FortiOS.

 

For further reading, check out Firmware in the FortiOS 5.4 Handbook.


Setting up FortiGuard services


If you have purchased FortiGuard services and registered your FortiGate, it should automatically connect to FortiGuard and display license information about your services. In this example, you will verify whether the FortiGate unit is communicating with FortiGuard. If the FortiGate cannot connect, you will troubleshoot the connection.


1. Verifying the connection

Go to the Dashboard and find the License Information widget.

An icon appears beside each FortiGuard service, indicating one of three states:

  • Active: the service is active and the FortiGate is connected to the FortiGuard network.
  • Unreachable: the FortiGate unit cannot connect to the FortiGuard network, or the FortiGate unit is not registered.
  • Not activated or expired: the subscription has not been activated or has expired. To add or renew a subscription, go to Fortinet Support.
 
You can also view FortiGuard license information by going to System > FortiGuard.  

2. Troubleshooting communication errors

If a service that you subscribe to is shown as unavailable, there are several things you can do to troubleshoot the connection.

Go to Network > DNS and ensure that the primary and secondary DNS servers are correct and the FortiGate is Connected to FortiGuard.  

To test if your DNS can reach FortiGuard, go to the Dashboard and enter the following command into the CLI Console:

execute ping guard.fortinet.net

If the connection is successful, the CLI Console should display a similar output as the example below:

PING guard.fortinet.net (208.91.112.198): 56 data bytes
64 bytes from 208.91.112.198: icmp_seq=0 ttl=59 time=60.0 ms
64 bytes from 208.91.112.198: icmp_seq=1 ttl=59 time=50.0 ms
64 bytes from 208.91.112.198: icmp_seq=2 ttl=59 time=50.0 ms
64 bytes from 208.91.112.198: icmp_seq=3 ttl=59 time=50.0 ms
64 bytes from 208.91.112.198: icmp_seq=4 ttl=59 time=50.0 ms

--- guard.fortinet.net ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 50.0/52.0/60.0 ms

To test if the FortiGuard services are reachable, go to System > FortiGuard.

Under Filtering, check Filtering Services Availability. If the services are not shown as available, select Check Again to retry.

 

If FortiGuard services still cannot be reached, your ISP may be blocking port 53 (the default FortiGuard filtering port, which is also the DNS port). Change the FortiGuard Filtering Port to the alternate port (8888), select Apply, and check whether the services become available.

If your FortiGate is still unable to connect to FortiGuard, you can find more troubleshooting methods and other information in the FortiGuard section of the FortiOS 5.4 Handbook.

3. Results

Go to the Dashboard and view the License Information widget. Any subscribed services should be shown as active.
Go to System > FortiGuard. Features and services you are subscribed to should be shown as active.

For further reading, check out FortiGuard in the FortiOS 5.4 Handbook.

Only services that have been enabled in Feature Select will appear in the widget. To enable more services, go to System > Feature Select.
For information about registering your FortiGate, see the recipe FortiGate registration and basic settings.
If you are updating FortiGuard using a FortiManager, the FortiGuard Filtering Port can also be 80.


Setting up a WiFi Bridge with a FortiAP


In this example you will set up a WiFi network with a FortiGate managing a FortiAP in Bridge mode.

You can configure a FortiAP unit in either Tunnel or Bridge mode. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet. Tunnel mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only subnet for wireless traffic.

For information about using a FortiAP in Tunnel mode, see Setting up WiFi with a FortiAP.


1. Connecting and authorizing the FortiAP unit

Connect the FortiAP to the lan interface.

Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The State column shows that the device is not yet authorized.

By default, the FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them.

FortiAP discovered but not yet authorized

Highlight the FortiAP unit on the list and select Authorize.

After a few minutes, select Refresh. The State column now shows that the device is authorized.

2. Creating an SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to Local bridge with FortiAP’s Interface.

Configure the WiFi Settings as you would for a regular wireless network, use WPA2 Personal security, and set a secure Pre-shared Key (a long, random passphrase).

Create a new SSID

3. Creating a custom FortiAP profile

Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile.

Set Platform to the FortiAP model you are using (FAP11C).

Set SSID to use the new SSID. Set LAN Port mode to bridge to the new SSID.

Create a new FortiAP profile

Go to WiFi & Switch Controller > Managed FortiAPs and edit the FortiAP. Set FortiAP Profile to the new profile.

You have the option to enter a name for the FortiAP (MyFortiAP in this example). If you don’t, the FortiAP will be identified by its serial number.

Customize the FortiAP profile

4. Results

Connect to the SSID with a wireless device. After a connection is established, you can browse the Internet using the wireless network configured in this recipe. 

Wireless device on newly created WiFi

Go to FortiView > All Sessions and observe the wireless activity. Hover over the Device column to see details.

Showing wireless device on the network

 

For further reading, check out Deploying Wireless Networks in the FortiOS 5.4 Handbook.

It may take a few minutes for the FortiAP to appear.
You can disable this in the CLI. See Deploying Wireless Networks.


Setting up WiFi with a FortiAP


In this recipe, you will set up a WiFi network with a FortiGate managing a FortiAP in Tunnel mode.

You can configure a FortiAP unit in either Tunnel mode or Bridge mode. Tunnel mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only subnet for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet.

For information about using a FortiAP in Bridge mode, see Setting up a WiFi bridge with a FortiAP.


1. Connecting and authorizing the FortiAP unit

Go to Network > Interfaces and edit the interface that will connect to the FortiAP (in this example, port 16).

Set Addressing Mode to Dedicate to Extension Device and set an IP/Network Mask.

Edit interface to connect to FortiAP

Connect the FortiAP unit to the interface.

Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The State column shows that the device is not yet authorized.

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them.

FortiAP discovered by FortiGate and ready to be authorized.

Highlight the FortiAP unit on the list and select Authorize.

After a few minutes, select Refresh. The State column now shows that the device is authorized.

2. Creating an SSID

Go to WiFi Controller > WiFi Network > SSID and create a new SSID.

Set Traffic Mode to Tunnel to Wireless Controller.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Set the WiFi Settings as required and set a secure Pre-shared Key.

Create a new SSID

3. Creating a custom FortiAP profile

Go to WiFi Controller > WiFi Network > FortiAP Profiles and create a new profile.

Set Platform to the FortiAP model you are using (FAP11C in this recipe).

The SSID defaults to Automatically assign Tunnel-mode SSIDs. Your network is assigned.

Create a custom FortiAP profile

Go to WiFi Controller > Managed Access Points > Managed FortiAPs and edit the FortiAP. Set FortiAP Profile to use the new profile.

By default, the FortiGate assigns all SSIDs to this profile.

Manage the FortiAP; set the profile to use the new profile

4. Allowing wireless access to the Internet

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface. Confirm that NAT is enabled.

Create a policy allowing wireless access

5. Results

Connect to the SSID with a wireless device. After a connection is established, you are able to browse the Internet.

Wireless device on newly created WiFi
Go to FortiView > All Sessions to see the traffic allowed by the wireless policy.

For further reading, check out Configuring a WiFi LAN in the FortiOS 5.4 Handbook.

It may take a few minutes for the FortiAP to appear.
You can disable this in the CLI. See Deploying Wireless Networks.



FortiAuthenticator certificate for SSL inspection


For this recipe, you will create a certificate on the FortiGate, have it signed on the FortiAuthenticator, and configure the FortiGate so that the certificate can be used for SSL deep inspection of HTTPS traffic.

Note that, for this configuration to work correctly, the FortiAuthenticator must be configured as a certificate authority (CA) and its root certificate must be installed on the client computers; otherwise clients will not trust the certificates that the FortiGate presents during inspection. For more information on how to do this, see FortiAuthenticator as a Certificate Authority.

This scenario includes creating a certificate signing request (CSR), signing the certificate on the FortiAuthenticator, and downloading the signed certificate back to the FortiGate. You will then create an SSL/SSH Inspection profile for full SSL inspection, add the certificate created to the profile, and apply the profile to the policy allowing Internet access.

As an example, you will also have Application Control with Deep Inspection of Cloud Applications enabled. This will apply inspection to HTTPS traffic. Note that you may use another security profile instead of Application Control.

1. Creating a CSR on the FortiGate

On the FortiGate, go to System > Certificates and select Generate to create a new CSR.

Enter a Certificate Name (Ramtops), the public IP of the FortiGate (172.20.121.92), and a valid email address.

Make sure to set Key Type to RSA and Key Size to 2048 Bit. Because this certificate will act as a CA for every re-signed site, a smaller key would be rejected by current browsers and would weaken every connection the FortiGate inspects.

Once created, the certificate Ramtops will show a Status of Pending. Highlight Ramtops and select Download.

This will save a .csr file to your local drive.

2. Creating an Intermediate CA on the FortiAuthenticator

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and select Import.

Set Type to CSR to sign, enter a Certificate ID, and import the Ramtops.csr file. Make sure to select the Certificate authority from the dropdown menu and set the Hash algorithm to SHA-256.

Once imported, you should see that Ramtops has been signed by the FortiAuthenticator, showing a Status of Active, and with the CA Type of Intermediate (non-signing) CA. Highlight the certificate and select Export.

This will save a .crt file to your local drive.

3. Importing the signed certificate on the FortiGate

Back on the FortiGate, go to System > Certificates and select Local Certificate from the Import dropdown menu.

Browse to the Ramtops.crt file and select OK.

 

You should now see that Ramtops has a Status of OK.

4. Configuring Application Control

Go to Security Profiles > Application Control and edit the default profile.

Under Options, enable Deep Inspection of Cloud Applications.

5. Configuring full SSL inspection

Go to Policy & Objects > Policy > SSL/SSH Inspection and create a new profile.

Enter a Name, select Ramtops from the CA Certificate dropdown menu, and make sure Inspection Method is set to Full SSL Inspection.

Next go to Policy & Objects > Policy > IPv4 and edit the policy that allows Internet access.

Under Security Profiles, enable SSL/SSH Inspection and select the ramtops profile created earlier.

Enable Application Control and set it to default.

6. Results

To test the certificate, open your web browser and attempt to navigate to an HTTPS website (in the example, https://www.dropbox.com).

If you click on the lock icon next to the address bar, you should now see that the site’s certificate was signed by the FortiGate (172.20.121.92). As a result, no certificate errors will appear.

The post FortiAuthenticator certificate for SSL inspection appeared first on Fortinet Cookbook.

Installing a FortiGate in NAT/Route Mode (Video)


In this video, you will learn how to connect and configure a new FortiGate unit in NAT/Route mode to securely connect a private network to the Internet.

In NAT/Route mode, a FortiGate unit is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT).

The recipe for this video is available here.

Watch more videos

The post Installing a FortiGate in NAT/Route Mode (Video) appeared first on Fortinet Cookbook.

Logging FortiGate traffic and using FortiView


In this example, you will configure logging to record information about sessions processed by your FortiGate. You will then use FortiView to look at the traffic logs and see how your network is being used.

FortiView is a logging tool made up of a number of dashboards that show real-time and historical logs. The dashboards can be filtered to show specific results, and many of them also allow you to drill down for more information about a particular session. Each dashboard focuses on a different aspect of your network traffic, such as traffic sources or WiFi clients.

Some FortiView dashboards, such as Applications and Web Sites, require security profiles to be applied to traffic before they can display any results.

1. Configuring log settings

Go to Log & Report > Log Settings.

Select where log messages will be recorded. In this example, Local Log is used, because it is required by FortiView.

Enable Disk, Local Reports, and Historical FortiView.

You can also use Remote Logging and Archiving to send logs to a FortiAnalyzer/FortiManager, FortiCloud, or a Syslog server.

Under Log Settings, enable both Local Traffic Log and Event Logging.

You can choose to Enable All logging or only specific types, depending on how much network data you want to collect.

Under the GUI Preferences, set Display Logs From to the same location where the log messages are recorded (in the example, Disk).

2. Enabling logging in security policies

Go to Policy & Objects > IPv4 Policy. Edit the policies controlling the traffic you wish to log.

Under Logging Options, select All Sessions.

In most cases, it is recommended to select Security Events, because All Sessions requires more system resources and storage space. For now, however, All Sessions will be used to verify that logging has been set up successfully.

3. Results

Generate network traffic through the FortiGate, then go to FortiView > All Sessions and select the Now view. A real-time display of active sessions is shown.

If you right-click on a listed session, you can choose to remove that session, remove all sessions, or quarantine the source address of that session.

Select the 24 hours view. A historical view of your traffic is shown. If you select a session, more information about it is shown below.

Go to FortiView > Sources and select the 5 minutes view. A list of the sources of your network traffic is shown, as well as a graph showing their activity during the last five minutes.

Right-click on any of the sources listed and select Drill Down to Details.

You can view a variety of information about the source address, including traffic destinations, security policies used, and if any threats are linked to traffic from this address.

For further reading, check out FortiView in the FortiOS 5.4 Handbook.

Local logging is not supported on all FortiGate models. If your FortiGate does not support local logging, it is recommended to use FortiCloud.
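The grouping that FortiView > Sources performs on the traffic log can be reproduced offline over the raw log lines, which is useful when you want to check what a dashboard is showing against the underlying records. The following is an added example, not code from the Fortinet Cookbook recipe: it parses FortiOS-style key=value traffic log lines (the five sample lines, their addresses and byte counts are constructed for this example) and groups sessions by source address with session, denied-session and byte totals, plus a helper that lists sources whose every session was denied.

```python
"""Aggregate FortiGate traffic log lines per source address, the way the
FortiView Sources dashboard does. Added example; the log lines are constructed."""
import re
from collections import defaultdict

# Constructed sample log lines (not captured from a real device). Field names
# follow the key=value layout of FortiOS traffic logs.
SAMPLE_LOGS = """\
date=2017-03-01 time=09:00:01 logid="0000000013" type="traffic" subtype="forward" srcip=192.168.1.20 srcport=51000 dstip=203.0.113.10 dstport=443 proto=6 action="accept" policyid=1 user="mlennox" group="full-time" sentbyte=5120 rcvdbyte=120000
date=2017-03-01 time=09:00:05 logid="0000000013" type="traffic" subtype="forward" srcip=192.168.1.20 srcport=51001 dstip=203.0.113.11 dstport=80 proto=6 action="accept" policyid=1 user="mlennox" group="full-time" sentbyte=800 rcvdbyte=4000
date=2017-03-01 time=09:00:09 logid="0000000013" type="traffic" subtype="forward" srcip=192.168.1.31 srcport=40100 dstip=203.0.113.10 dstport=443 proto=6 action="deny" policyid=3 devtype="iPhone" sentbyte=0 rcvdbyte=0
date=2017-03-01 time=09:00:12 logid="0000000013" type="traffic" subtype="forward" srcip=192.168.1.31 srcport=40101 dstip=203.0.113.12 dstport=443 proto=6 action="deny" policyid=3 devtype="iPhone" sentbyte=0 rcvdbyte=0
date=2017-03-01 time=09:00:20 logid="0000000013" type="traffic" subtype="forward" srcip=192.168.1.45 srcport=33000 dstip=198.51.100.7 dstport=22 proto=6 action="accept" policyid=1 user="ccraven" group="part-time" sentbyte=2048 rcvdbyte=1024
"""

# key=value pairs; values are either a quoted string (quotes may contain spaces) or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Return one FortiOS log line as a dict; surrounding quotes are stripped from values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_sources(log_text):
    """Group traffic-log sessions by srcip.

    Returns {srcip: {"sessions": n, "denied": n, "bytes": n, "destinations": set of (ip, port)}}.
    """
    summary = defaultdict(lambda: {"sessions": 0, "denied": 0, "bytes": 0, "destinations": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec.get("type") != "traffic":
            continue  # event/UTM logs are not sessions
        row = summary[rec["srcip"]]
        row["sessions"] += 1
        if rec.get("action") == "deny":
            row["denied"] += 1
        row["bytes"] += int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
        row["destinations"].add((rec["dstip"], int(rec["dstport"])))
    return dict(summary)


def blocked_sources(summary):
    """Sources whose every session was denied (for example a device hitting a deny policy)."""
    return sorted(src for src, row in summary.items() if row["denied"] == row["sessions"])


if __name__ == "__main__":
    result = summarize_sources(SAMPLE_LOGS)
    for src in sorted(result):
        row = result[src]
        print(f"{src:15} sessions={row['sessions']} denied={row['denied']} bytes={row['bytes']}")
    print("fully blocked:", blocked_sources(result))
```

The same parser works on lines exported from a FortiGate's local disk log or forwarded to a syslog server, since both keep the key=value layout; only the constructed sample values above are specific to this example.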

The post Logging FortiGate traffic and using FortiView appeared first on Fortinet Cookbook.

User and device authentication


In this recipe, you will provide different network access for staff members based on full-time or part-time status. Wireless access will be allowed for users with laptops but denied for tablets and mobile phones.

In this recipe, a WiFi network has already been configured that is in the same subnet as the wired LAN. For more information, see Setting up a WiFi bridge with a FortiAP.


1. Creating two users groups and adding users

Go to User & Device > User Groups.

Create the user group full-time.

Create a second user group, part-time.

Go to User & Device > User Definition.

Create two new users with the Users/Group Creation Wizard (mlennox and ccraven, for example). Add one user to the full-time group and the other to the part-time group.

Both user names now appear in the user list.

List of new users created

2. Creating a schedule for part-time staff

Go to Policy & Objects > Schedules and create a new recurring schedule.

Set an appropriate schedule. In order to get results later, do not select the current day of the week.

Create part-time schedule

The default always schedule will be used for full-time staff.

3. Creating a policy for full-time staff

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and User to the full-time group. Set Outgoing Interface to your Internet-facing interface, and make sure Schedule is set to always.

Turn on NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

Enable logging

4. Creating a policy for part-time staff that enforces the schedule

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and User to the part-time group. Set Outgoing Interface to your Internet-facing interface, and set Schedule to use the part-time schedule.

Turn on NAT.

Scroll down to view the Logging Options. In order to view the results later, enable Log Allowed Traffic and select All Sessions.

Enable logging

View the policy list. Click on the part-time policy row and right-click anywhere in the row. Select Edit in CLI from the dropdown menu.

Enter the commands shown into the CLI Console. Close the console when done.

This ensures that access for part-time users is revoked on days not on schedule, even if their current session began when access was allowed.

5. Creating a policy that denies mobile traffic

Go to Policy & Objects > IPv4 and create a new policy.

Set Incoming Interface to the local network interface. Select Source and set Address to all and Device to Mobile Devices (a default custom device group that includes tablets and mobile phones), Outgoing Interface to your Internet-facing interface, and set Action to DENY.

Leave Log Violation Traffic turned on.

Policy to deny mobile device access 

Go to Policy & Objects > IPv4 Policy and view policies By Sequence.

The deny mobile traffic policy must be above the other Internet access policies. To move a policy, select any area in the far-left column of the policy and drag it to where you want it.

6. Results

Browse the Internet using a computer. You will be prompted to enter authentication credentials.

Log in using the mlennox account. You will be able to access the Internet at any time.

Go to Monitor > Firewall User Monitor. Highlight mlennox and select De-authenticate. Your connection will be dropped.

Attempt to browse the Internet again. This time, log in using the ccraven account. After entering login credentials, you will not be able to access the Internet because you are attempting access on a day that is not on ccraven’s schedule.

Attempts to connect to the Internet with any mobile device accessing the WiFi configured for this recipe will also be denied.

Go to FortiView > Sources and select the 5 minutes view. You can see that mobile and part-time user traffic is blocked and that full-time user traffic is allowed.

For further reading, check out Users and user groups in the FortiOS 5.4 Handbook.

Using a device group will automatically enable device identification on the local network interface.

If the site you try to access uses HTTP Strict Transport Security (HSTS), you won’t get the prompt for authentication credentials. Be sure to go to a site that does not use HSTS.

Once you authenticate, you can then go to any website that is not blocked by any filters your network has in place.
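Two points in this recipe are easy to get wrong when the policy list grows: the deny-mobile policy only works if it sits above the allow policies (first match wins), and the part-time policy stops matching once its schedule lapses, which is what drops an existing session on a non-scheduled day. The following is an added example, not code from the Fortinet Cookbook recipe, that models that evaluation. The Schedule, Policy and Session classes, the member list of the Mobile Devices group, the part-time days and hours (Monday, Wednesday, Friday, 09:00 to 17:00) and the policy names are all this example's own assumptions.

```python
"""Model top-down, first-match evaluation of the recipe's three policies.
Added example; class names, group members and schedule hours are assumed."""
from dataclasses import dataclass
from datetime import datetime, time

# Stand-in for the FortiGate's default "Mobile Devices" custom device group (assumed members).
MOBILE_DEVICES = frozenset({"iPhone", "iPad", "Android Phone", "Android Tablet"})


@dataclass(frozen=True)
class Schedule:
    """A recurring schedule: days (0=Monday ... 6=Sunday) and a daily time window."""
    name: str
    days: frozenset = frozenset(range(7))
    start: time = time(0, 0)
    end: time = time(23, 59)

    def active(self, when):
        return when.weekday() in self.days and self.start <= when.time() <= self.end


ALWAYS = Schedule("always")
# Constructed part-time schedule: Monday, Wednesday and Friday, 09:00 to 17:00.
PART_TIME = Schedule("part-time", days=frozenset({0, 2, 4}), start=time(9, 0), end=time(17, 0))


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                        # "accept" or "deny"
    groups: frozenset = frozenset()    # user groups; empty means any user
    devices: frozenset = frozenset()   # device types; empty means any device
    schedule: Schedule = ALWAYS


@dataclass(frozen=True)
class Session:
    user_group: str
    device_type: str


def matches(policy, session, now):
    if policy.groups and session.user_group not in policy.groups:
        return False
    if policy.devices and session.device_type not in policy.devices:
        return False
    return policy.schedule.active(now)


def evaluate(policies, session, now):
    """Top-down, first match wins; no match is the implicit deny."""
    for policy in policies:
        if matches(policy, session, now):
            return policy.action, policy.name
    return "deny", "implicit"


def session_still_allowed(policies, session, now):
    """Re-evaluate an existing session: once the part-time schedule lapses the
    session no longer matches an accept policy, so it is dropped."""
    return evaluate(policies, session, now)[0] == "accept"


# Policy list in the order the recipe requires: deny-mobile above the allow policies.
POLICIES = [
    Policy("deny-mobile", "deny", devices=MOBILE_DEVICES),
    Policy("full-time-access", "accept", groups=frozenset({"full-time"})),
    Policy("part-time-access", "accept", groups=frozenset({"part-time"}), schedule=PART_TIME),
]


def misordered(policies):
    """The same policies with deny-mobile moved to the bottom, to show why order matters."""
    return [p for p in policies if p.name != "deny-mobile"] + [p for p in policies if p.name == "deny-mobile"]


if __name__ == "__main__":
    monday = datetime(2017, 3, 6, 10, 0)   # 6 March 2017 is a Monday
    tuesday = datetime(2017, 3, 7, 10, 0)
    print(evaluate(POLICIES, Session("part-time", "Laptop"), monday))
    print(evaluate(POLICIES, Session("part-time", "Laptop"), tuesday))
    print(evaluate(POLICIES, Session("full-time", "iPhone"), monday))
    print(evaluate(misordered(POLICIES), Session("full-time", "iPhone"), monday))
```

With the misordered list, a full-time user's phone matches the full-time-access policy before the deny ever applies, which is exactly the situation the recipe avoids by dragging the deny policy to the top.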

The post User and device authentication appeared first on Fortinet Cookbook.

Inspecting traffic content using flow-based inspection


In this recipe, you will set your FortiGate’s inspection mode to use flow-based scanning. You will then apply flow-based antivirus scanning to network traffic.

FortiGates can inspect traffic in proxy mode or flow mode. Proxy mode, the default, uses a proxy to look for threats. Proxy mode is usually preferred because, compared to flow mode, it offers more control and an improved user experience. In addition, some security profiles are only available in proxy mode, such as DNS filter, AntiSpam, DLP, and VoIP.

In some cases, however, you may want to use flow mode. For example, some traffic may not be compatible with proxy mode or you may want to avoid using proxy mode for performance reasons.

1. Changing from proxy to flow mode

Go to Dashboard and locate the System Information widget. If Inspection Mode is set to Proxy (the default), click [Change] and select Flow-based.
The System Information widget shows that flow-based inspection is set.

2. Configuring the AntiVirus profile

Go to Security Profiles > AntiVirus. By default, the GUI only shows flow-based inspection options.

When configuring flow-based virus scanning, FortiOS 5.4 allows you to choose between Quick and Full mode.

Full mode is the same as flow-based scanning in FortiOS 5.2. Quick mode uses a compact antivirus database and advanced techniques to improve performance.

3. Enabling AntiVirus in a policy

Go to Policy & Objects > IPv4 Policy and edit the policy for outgoing traffic. Under Security Profiles, enable the AntiVirus profile.

4. Results

To test the AV scanning, go to www.eicar.org and attempt to download a test file. The browser will display a message denying permission to download the file.

For further reading, check out the Changing the FortiGate’s inspection mode to flow or proxy and AntiVirus sections in the FortiOS 5.4 Handbook.

Flow mode uses in-line IPS inspection instead of proxying.
Files can only be sent to FortiSandbox for inspection when flow-based virus scanning is in Full scan mode.

The post Inspecting traffic content using flow-based inspection appeared first on Fortinet Cookbook.

Protecting a web server with DMZ


In this recipe, you will protect a web server by connecting it to your FortiGate’s DMZ network. A DMZ network (from the term ‘demilitarized zone’) is a secure network, protected by the FortiGate, that only grants access if it has been explicitly allowed. In this example the DMZ network uses a private subnet and allows access to a web server using different addresses for internal and external users, while preventing access from the web server to the internal network if the web server is compromised.

A WAN-to-DMZ firewall policy with a Virtual IP (VIP) hides the DMZ address of the web server, allowing external users to access the web server using a public IP address (in this example, 172.20.120.22). An internal-to-DMZ firewall policy allows internal users to access the web server using its DMZ address (10.10.10.22). Both of these firewall policies only allow access to the web server using HTTP and HTTPS. No other access is allowed.


1. Configuring the FortiGate’s DMZ interface

Go to Network > Interfaces and edit the DMZ interface.

This example uses the port3 interface as the DMZ interface. The interface Alias indicates that this is the DMZ interface, and the Role is also set to DMZ.

For enhanced security, disable all Administrative Access options.

2. Creating virtual IPs (VIPs)

Go to Policy & Objects > Virtual IPs. Create two virtual IPs: one for HTTP access and one for HTTPS access.

Each virtual IP has the same address, mapping from the Internet to the DMZ interface. The difference is the port for each traffic type: port 80 for HTTP and port 443 for HTTPS.

In this example the Internet address of the web server is 172.20.120.35.

3. Creating firewall policies

Go to Policy & Objects > IPv4 Policy. Create a firewall policy to allow HTTP and HTTPS traffic from the Internet to the web server. Add both VIPs as the destination address.

Do not enable NAT.

You can also enable logging for all sessions to make it easier to test the configuration.

Create a second firewall policy to allow HTTP and HTTPS traffic from the internal network to the web server.

Do not enable NAT.

You can also enable logging for all sessions to make it easier to test the configuration.

4. Results

Internet users and internal network users can access the web server by browsing to the web server’s Internet address (in this example, http://172.20.120.35 and https://172.20.120.35). Internal users can also access the web server using its DMZ address (in this example, http://10.10.10.22 and https://10.10.10.22).

Since only HTTP and HTTPS are enabled, the web server is not accessible using other protocols (such as FTP) and you also cannot ping the web server from the Internet or from the internal network.

Go to FortiView > Policies to see current sessions for each firewall policy. If you add a filter to show only policies with the DMZ interface as the destination interface, you will see sessions from the internal network to the web server and from the Internet to the web server.

Double-clicking on the Internet to DMZ web server session shows sessions from Internet addresses (in the example, 172.20.120.100) and from the internal network (192.168.1.20).

For further reading, check out Firewall in the FortiOS 5.4 Handbook.

In addition to protecting the web server, the DMZ also protects the rest of the network. A hole in the network protection must be made to allow outside users to access the web server. This hole creates a potential vulnerability that is mitigated by the DMZ.
For this recipe to work, the web server must be properly configured with its default route pointing at the FortiGate’s DMZ interface.
Enabling the NAT option actually enables source NAT, which is not required for this configuration because the VIPs are added to perform destination NAT. If you do enable source NAT, the configuration will still work, but all traffic received by the web server will have the same source IP address, so you will lose information about your website users.
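The behaviour the results and notes describe (only ports 80 and 443 reach the server, ping and FTP do not, and leaving NAT off preserves the real client address) follows from the order in which the FortiGate applies the VIP, the policy lookup and source NAT. The following is an added example, not code from the Fortinet Cookbook recipe, that walks a packet through that order. The Vip and Policy classes, the forward() and with_source_nat() functions, the interface names wan1 and internal, and the DMZ interface address 10.10.10.1 are this example's assumptions; the recipe does not show the internal policy's destination objects, so this example assumes it lists both VIPs and the DMZ address, which is what lets internal users use either address as the results describe.

```python
"""Walk a packet through the recipe's DMZ design: VIP destination NAT, then the
policy lookup, then optional source NAT. Added example; interface names, the
DMZ interface address and the internal policy's destination list are assumed."""
from dataclasses import dataclass, replace

WEB_PUBLIC = "172.20.120.35"     # Internet address of the web server (external VIP address)
WEB_DMZ = "10.10.10.22"          # the web server's address on the DMZ network
FORTIGATE_DMZ_IP = "10.10.10.1"  # assumed DMZ interface address; only used when source NAT is on


@dataclass(frozen=True)
class Vip:
    name: str
    ext_ip: str
    ext_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Policy:
    name: str
    src_if: str
    dst_if: str
    dst_objects: frozenset   # VIP names and/or plain addresses listed as destination
    services: frozenset      # allowed TCP destination ports
    nat: bool = False        # "Do not enable NAT" in the recipe


# One VIP per protocol, same external address, different port (step 2 of the recipe).
VIPS = [
    Vip("web-http", WEB_PUBLIC, 80, WEB_DMZ, 80),
    Vip("web-https", WEB_PUBLIC, 443, WEB_DMZ, 443),
]

POLICIES = [
    Policy("wan-to-dmz", "wan1", "dmz", frozenset({"web-http", "web-https"}), frozenset({80, 443})),
    # Assumed: the internal policy lists the VIPs and the DMZ address, so both addresses work.
    Policy("internal-to-dmz", "internal", "dmz",
           frozenset({"web-http", "web-https", WEB_DMZ}), frozenset({80, 443})),
]


def forward(in_if, src_ip, dst_ip, dst_port, proto="tcp", policies=POLICIES):
    """Return (verdict, policy name, destination seen by the server, source seen by the server).

    VIP destination NAT is resolved first, the policy lookup matches on the VIP
    object (or the plain address), and source NAT applies only if the matching
    policy has NAT enabled. No match is the implicit deny.
    """
    vip = next((v for v in VIPS if dst_ip == v.ext_ip and dst_port == v.ext_port), None)
    dst_object = vip.name if vip else dst_ip
    real_dst = f"{vip.mapped_ip}:{vip.mapped_port}" if vip else f"{dst_ip}:{dst_port}"

    for policy in policies:
        if policy.src_if != in_if or dst_object not in policy.dst_objects:
            continue
        if proto != "tcp" or dst_port not in policy.services:
            continue  # ICMP (ping), FTP and any other service fall through to the implicit deny
        src_seen = FORTIGATE_DMZ_IP if policy.nat else src_ip
        return "accept", policy.name, real_dst, src_seen
    return "deny", "implicit", None, None


def with_source_nat(policies):
    """The same policies with NAT turned on, to show what the web server's logs would lose."""
    return [replace(p, nat=True) for p in policies]


if __name__ == "__main__":
    print(forward("wan1", "172.20.120.100", WEB_PUBLIC, 443))
    print(forward("internal", "192.168.1.20", WEB_DMZ, 80))
    print(forward("wan1", "172.20.120.100", WEB_PUBLIC, 21))                 # FTP: denied
    print(forward("wan1", "172.20.120.100", WEB_PUBLIC, 0, proto="icmp"))    # ping: denied
    print(forward("wan1", "172.20.120.100", WEB_PUBLIC, 80, policies=with_source_nat(POLICIES)))
```

The last line shows the note at the end of the recipe in action: with source NAT on, every request the web server logs appears to come from the FortiGate's DMZ address rather than from the real client.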

The post Protecting a web server with DMZ appeared first on Fortinet Cookbook.

Captive Portal WiFi Access with FortiToken-200 (Video)


Site-to-Site IPsec VPN Between a FortiGate and a Cisco ASA


In this recipe, we will configure a site-to-site IPsec VPN tunnel between a FortiGate 90D and a Cisco ASA 5505.

Using FortiOS 5.2 and Cisco ASDM 7.1, the example demonstrates how to configure the tunnel on each site, assuming that both devices are configured with appropriate internal (inside) and external (outside) interfaces.

Note that this example uses the default encryption and authentication (SA proposal) settings of the Cisco ASDM IPsec VPN wizard. These are not necessarily the recommended settings.

We will use the wizards to configure each end of the tunnel as it is much quicker. However, some customization will be required on the FortiGate to ensure that its SA proposal matches the Cisco ASA for each Phase. One of the most common reasons that tunnels between FortiGates and third-party products don’t work is because of mismatched settings.

1. Configuring the Cisco ASA using the IPsec VPN Wizard

In the Cisco ASDM, under the Wizard menu, select IPsec VPN Wizard.

Select Site-to-site, with VPN Tunnel Interface set to outside, and click Next.

In the Peer IP Address field, enter the IP address of the FortiGate unit.

Under Authentication Method, enter a secure Pre-Shared Key. You will use the same key when configuring the FortiGate.

Configure Phase 1 with 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 2.

Configure Phase 2 with 3DES Encryption and SHA Authentication. Set the Diffie-Hellman Group to 1.

Set the Local Networks and Remote Networks.

Review the configuration before you click Finish.

If prompted, Send the CLI commands to the device.

The tunnel configuration on the Cisco ASA is complete.

Next you must configure the FortiGate with identical settings, except for the remote gateway and internal network.

2. Configuring the FortiGate using the IPsec VPN Wizard

On the FortiGate, go to VPN > IPsec > Wizard.

Enter a Name for the tunnel and select the Site to Site – Cisco template.

Set Remote Gateway to the IP address of the outside interface on the Cisco ASA. The Outgoing Interface should automatically populate.

Enter the same Pre-shared Key used in the Cisco ASA configuration.

Set Local Interface to the internal interface. The Local Subnets will automatically populate.

Set Remote Subnets to the IP address range of the inside network on the Cisco ASA and click Create.

The IPsec VPN Wizard automatically creates the required objects, policies, and static routes required for the tunnel to function properly.

3. Matching the encryption and authentication settings

On the FortiGate, go to VPN > IPsec > Tunnels, and Edit the tunnel you just created.

Select Convert to Custom Tunnel.

Under Phase 1 Proposal, configure 3DES Encryption and SHA Authentication.

Set the Diffie-Hellman Group to 2.

Under Phase 2 Proposal > Advanced, configure 3DES Encryption and SHA Authentication.

Set the Diffie-Hellman Group to 1.

When you are certain that the tunnel settings match the Cisco ASA configuration, click OK.

Option                   Setting
Phase 1 Encryption       3DES
Phase 1 Authentication   SHA1
Phase 1 DH Group         2
Phase 2 Encryption       3DES
Phase 2 Authentication   SHA1
Phase 2 DH Group         1

4. Results

On the FortiGate, go to VPN > Monitor > IPsec Monitor. Right-click on the Site to Site – Cisco VPN and select Bring Up.

From one of the internal networks, you should be able to successfully ping the other internal network.

You will be able to see Incoming and Outgoing Data in the FortiGate IPsec Monitor.

Go to Log & Report > Event Log > VPN to view the status of the tunnel negotiation.
Highlight an entry to view the status in greater detail.

5. Troubleshooting

For complete troubleshooting information, refer to IPsec VPN Troubleshooting. Below are some troubleshooting tips.

IPsec VPN troubleshooting tips

Configuration problem: Mode settings do not match.
Correction: Select complementary mode settings.

Configuration problem: Peer ID or certificate name of the remote peer or dialup client is not recognized by the FortiGate VPN server.
Correction: Check the Phase 1 configuration. Depending on the Remote Gateway and Authentication Method settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate name. If you are configuring authentication parameters for FortiClient dialup clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.

Configuration problem: Preshared keys do not match.
Correction: Re-enter the preshared key.

Configuration problem: Phase 1 or Phase 2 key exchange proposals are mismatched.
Correction: Make sure that both VPN peers have at least one set of proposals in common for each phase.

Configuration problem: NAT traversal settings are mismatched.
Correction: Select or clear both options as required.

Note that if you change the Tunnel Group Name, Aggressive Mode will be required. Refer to the FortiOS Handbook IPsec VPN chapter for more information.
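The settings table in step 3 and the "proposals are mismatched" row of the troubleshooting table come down to one check: for each phase, the two peers must share at least one (encryption, authentication, DH group) proposal. The following is an added example, not code from the Fortinet Cookbook recipe, that performs that check on both phases and also flags shared proposals built from the wizard defaults the recipe itself says are not necessarily recommended. The Proposal class, check_tunnel() and common_proposals() are this example's own, as is the constructed FORTIGATE_UNMATCHED proposal set used to show a failing comparison (it is not the FortiGate wizard template's real default).

```python
"""Check that two IPsec peers share a proposal per phase and flag legacy ones.
Added example; the Proposal class and the unmatched proposal set are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str       # e.g. "3des", "aes256"
    authentication: str   # e.g. "sha1", "sha256"
    dh_group: int


# Algorithms and groups used by the wizard defaults in this recipe; the recipe notes
# these are not necessarily the recommended settings, so shared proposals that use
# them are reported as warnings rather than silently accepted.
LEGACY_ALGORITHMS = {"des", "3des", "md5", "sha1"}
LEGACY_DH_GROUPS = {1, 2, 5}


def common_proposals(side_a, side_b):
    """Proposals configured on both peers for one phase, in side_a's order."""
    other = set(side_b)
    return [p for p in side_a if p in other]


def check_tunnel(fortigate, cisco):
    """Compare the two peers' Phase 1 and Phase 2 proposal lists.

    Each side is {"phase1": [Proposal, ...], "phase2": [Proposal, ...]}.
    Returns {"ok": bool, "phase1": shared, "phase2": shared, "warnings": [...]}.
    """
    report = {"ok": True, "warnings": []}
    for phase in ("phase1", "phase2"):
        shared = common_proposals(fortigate[phase], cisco[phase])
        report[phase] = shared
        if not shared:
            report["ok"] = False
            report["warnings"].append(f"{phase}: no proposal in common, the SA cannot be negotiated")
            continue
        for p in shared:
            if (p.encryption in LEGACY_ALGORITHMS or p.authentication in LEGACY_ALGORITHMS
                    or p.dh_group in LEGACY_DH_GROUPS):
                report["warnings"].append(
                    f"{phase}: {p.encryption}/{p.authentication}/DH group {p.dh_group} "
                    "matches, but is a legacy proposal")
    return report


# The settings table from step 3 (Cisco ASDM wizard defaults).
CISCO = {"phase1": [Proposal("3des", "sha1", 2)], "phase2": [Proposal("3des", "sha1", 1)]}
# FortiGate after "Convert to Custom Tunnel" and matching the table.
FORTIGATE_MATCHED = {"phase1": [Proposal("3des", "sha1", 2)], "phase2": [Proposal("3des", "sha1", 1)]}
# Constructed FortiGate proposals that do not match (not the wizard template's real defaults).
FORTIGATE_UNMATCHED = {"phase1": [Proposal("aes256", "sha256", 14)], "phase2": [Proposal("aes256", "sha256", 14)]}

if __name__ == "__main__":
    for label, side in (("matched", FORTIGATE_MATCHED), ("unmatched", FORTIGATE_UNMATCHED)):
        r = check_tunnel(side, CISCO)
        print(label, "ok" if r["ok"] else "MISMATCH", r["warnings"])
```

Each side may list several proposals per phase; the check passes as soon as one is shared, which is what the troubleshooting tip means by "at least one set of proposals in common".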

The post Site-to-Site IPsec VPN Between a FortiGate and a Cisco ASA appeared first on Fortinet Cookbook.

FortiWeb-VM offline protection mode


This recipe configures a FortiWeb in a VMware ESX environment that uses the offline protection operation mode to detect threats and attacks directed at web applications and your virtual servers.

Because the web application firewall (WAF) works in offline protection mode (also called sniffer mode), no reconfiguration of the web servers is required. Note that this recipe is the absolute minimum needed to configure a working offline protection profile. See the FortiWeb Administration Guide for information on additional configuration that can improve the detection of web application threats in your environment.

1. Changing the operation mode

Because changing the operation mode deletes several settings, including routes, it is recommended that you perform this procedure from a network that is directly connected to the FortiWeb.

Alternatively, after you change the operation mode, use the ESX Console to configure the routes via the CLI.

Go to System > Status > Status.

In the System Information widget, beside Operation Mode, click Change.

Alternatively, go to System > Config > Operation.

Select Offline Protection, and then click Apply.

2. Configuring the default route

Adding a default route to your FortiWeb-VM is important because it allows it to validate its license by contacting a Fortinet Distribution Network (FDN) server.

Go to System > Network > Static Route.

Alternatively, you can configure the default route from the CLI.

config router static
  edit 1
    set dst 0.0.0.0/0
    set gateway 192.168.0.155
    set device port1
end

3. Configuring certificates for SSL Inspection

You upload the server private key to FortiWeb so it can use the web server’s certificate to decrypt traffic and scan it for policy violations. This step is required only if your web server uses SSL.

Go to System > Certificates > Local. Click Import, and then, for Type, select PKCS12 Certificate.

Browse for the web server certificate that you exported earlier in PKCS12 format (usually a password-protected .pfx file).

If you instead have two files (a .cer file and a .pem file), set Type to Certificate.

4. Configuring the server pool

Go to Server Objects > Server Pool and click Create New.

Enter a Name for the server pool.

Select Offline Protection, and then click OK.

Click Create New, configure the IP of the web server, enable SSL, select the certificate you uploaded earlier (if required), and then click OK.

If the server accepts both HTTP and HTTPS requests, configure the server in the server pool twice: once for each protocol.

5. Configuring the web protection profile

Go to Policy > Server Policy > Server Policy, and then click Create New.

Enter a name for the policy.

Select the server pool you configured earlier.

For Data Capture Port, select an interface that is in the same VSwitch and Virtual Machine Port Group as the listening web server interface.

For Web Protection Profile, select Offline Alert Only.

For Auto Learn Profile, select Default Auto Learn Profile.

6. Enabling traffic logs

Go to Log & Report > Log Config > Other Log Settings > Enable Traffic Log.

When you enable this setting, FortiWeb logs all requests, even if they are not attacks. This can be useful for quickly identifying if your configuration is valid and if the FortiWeb is correctly receiving the mirrored traffic.

Later on, you can also use this traffic log to create several reports based on web site utilization, most used domains, and other Web Analytics indicators.

7. Results

Go to Log & Report > Log Access > Traffic to verify that your web site is receiving requests and that FortiWeb is able to identify them.

Go to Log & Report > Log Access > Attacks to view the latest attacks on your web site.

If no log messages are displayed in the Attack log, you can test the web protection profile you applied by simulating some attacks manually or performing a vulnerability scan.

For further reading, see “How to set up your FortiWeb” in the FortiWeb Administration Guide.

The post FortiWeb-VM offline protection mode appeared first on Fortinet Cookbook.

Configuring FortiFone 870i


You can configure FortiFone 870i to work with the FortiVoice unit by adding a primary phone (base) and multiple secondary phones (bases). For detailed information, see the FortiFone 870i Multi-Cell Deployment with FortiVoice Enterprise Technical Note.

This recipe guides you through the process of configuring your FortiFone 870i.

The following prerequisites must be met for the configuration to work:

  • FortiVoice v5.0 build 136 or later
  • FortiVoice auto provisioning is enabled (see “Configuring SIP phone auto-provisioning” on page 114)
  • FortiFone 870i firmware 3.23 or later
  • Network connectivity available between the FortiFone 870i and the FortiVoice unit

Configuring FortiFone 870i

To configure the FortiFone 870i

  1. Go to Status > Phone System > Unassigned Phone.
  2. Select the intended primary station, then select the Action menu and Assign to 870i device.
  3. Set the station as primary with a chain ID in the Device role and then select Create.
  4. Go to Phone System > Devices > 870i Phone.
  5. Select the recently created primary station, select Action, and then Assign new extension or Apply existing extension.
  6. Configure the extension information and enter a Handset ID, which should start with 1. Leave the Base MAC address field empty and select Create. Add any additional extensions as needed with different handset IDs.
  7. Factory reset the intended secondary station and connect it to the network. You should be able to see the unit under Status > Phone System > Unassigned Phone.
  8. Select the unassigned FortiFone 870i station, select Action, and then Assign to 870i device.
  9. Set the base station as secondary and select Prime from the dropdown menu. Select Create.
  10. Remove the temporary extension setting and reboot the secondary station.

The post Configuring FortiFone 870i appeared first on Fortinet Cookbook.

FortiVoice Enterprise Profiles: LDAP Profiles


FortiVoice phone profiles let you create user privileges and SIP profiles for configuring extensions and SIP trunks. They also allow you to modify caller IDs, schedule the FortiVoice unit, and configure phone and LDAP profiles.

This recipe guides you through the process of configuring an LDAP profile.

Configuring an LDAP Profile

The LDAP submenu lets you configure LDAP profiles which can query LDAP servers for authentication.

IMPORTANT: Before using an LDAP profile, verify each LDAP query and connectivity with your LDAP server. When LDAP queries do not match with the server’s schema and/or contents, unintended phone call processing behaviors can result. 

To configure an LDAP profile

  1. Go to Phone System > Profiles > LDAP.
  2. Select New or double-click an existing profile to modify it.
  3. Enter the profile name and server name. The fallback server name is optional.
  4. From the Use secure connection dropdown menu, select whether to connect to the LDAP servers using an encrypted connection.
  5. Enter the distinguished name of the part of the LDAP directory tree within which the FortiVoice unit will search for user objects.
  6. Enter the bind DN. This field is optional if your LDAP server does not require the FortiVoice unit to authenticate when performing queries.
  7. Enter the password of the Bind DN.

FVE LDAP

Configuring User Authentication Options for the LDAP Profile

With the basic settings of the LDAP profile configured, you can now customize the user authentication options. Select the arrow button to expand the User Authentication Options section.

  1. Select Try common name with base DN as bind DN and enter a common name ID. If this is your selection, you are finished with the user authentication options.
  2. Select Search user and try bind DN.
  3. Select your desired schema style. If your LDAP server uses any other schema style, select User Defined, then manually configure the query string.
  4. Enter an LDAP query filter that selects a set of user objects from the LDAP directory. The query string filters the result set, and should be based upon any attributes that are common to all user objects but also exclude non-user objects.
  5. Select which level of depth to query from the scope dropdown menu.
  6. Select the Derefer method to use, if any, when dereferencing attributes whose values are references.

FVE authentication

Configuring Advanced Options

With the authentication settings completed, we can now configure some advanced options. Select the arrow button to expand the Advanced Options section.

  1. Enter the maximum amount of time in seconds that the FortiVoice unit will wait for query responses from the LDAP server.
  2. Select the Protocol version from the dropdown menu.
  3. Enable cache.
  4. Enter the amount of time in minutes that the FortiVoice unit will cache query results. After the TTL has elapsed, cached results expire and any subsequent request for the information causes the FortiVoice unit to query the LDAP server, refreshing the cache.
  5. Enable user password change.
  6. Select your LDAP server’s user schema style from the dropdown menu.
  7. Select Apply.

Once you have finished creating an LDAP profile, you should test each enabled query in the LDAP profile to verify that the FortiVoice unit connects to the LDAP server, that the LDAP directory contains the required attributes and values, and that the query configuration is correct.

Once you are finished testing, configure User Privileges. For more information on configuring user privileges, see the corresponding chapter in the FortiVoice Enterprise Administrator Guide.

FVE advanced options
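The two parts of the profile that are easiest to get subtly wrong are the user query filter (a filter that does not match the schema, or that lets a user name change the filter's structure, gives the unintended call handling the IMPORTANT note warns about) and the cache TTL in the Advanced Options. The following is an added example, not code from the FortiVoice recipe or product: it builds the per-user search filter for a schema style with the user name escaped, and implements a result cache with the TTL behaviour the Advanced Options describe. The SCHEMA_FILTERS templates, the "%s" placeholder convention, the LdapQueryCache class and the constructed FAKE_DIRECTORY stand-in (no LDAP server is contacted) are this example's own.

```python
"""Build an escaped LDAP user filter and cache results for a TTL.
Added example; filter templates, the cache class and the fake directory are assumed."""
import time

# Filter templates for the schema styles a profile can select; "%s" marks where the
# user name goes (placeholder convention of this example, not the FortiVoice GUI's).
SCHEMA_FILTERS = {
    "OpenLDAP": "(&(objectClass=inetOrgPerson)(uid=%s))",
    "ActiveDirectory": "(&(objectClass=user)(sAMAccountName=%s))",
}


def escape_filter_value(value):
    """Escape a value per RFC 4515 so it cannot alter the filter's structure."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(schema_style, username, user_defined=None):
    """Return the search filter for one user, for a built-in or User Defined schema style."""
    if schema_style == "User Defined":
        if not user_defined:
            raise ValueError("User Defined schema style requires a query string")
        template = user_defined
    else:
        template = SCHEMA_FILTERS[schema_style]
    return template.replace("%s", escape_filter_value(username))


class LdapQueryCache:
    """Cache query results for the profile's TTL (minutes). Expired entries are
    refreshed from the server on the next request, as the Advanced Options describe."""

    def __init__(self, lookup, ttl_minutes, clock=time.monotonic):
        self.lookup = lookup          # callable: filter string -> list of matching DNs
        self.ttl = ttl_minutes * 60
        self.clock = clock            # injectable so the TTL can be tested without waiting
        self._entries = {}
        self.server_queries = 0       # how many times the server was actually asked

    def get(self, ldap_filter):
        now = self.clock()
        entry = self._entries.get(ldap_filter)
        if entry is not None and now - entry[0] < self.ttl:
            return entry[1]
        self.server_queries += 1
        result = self.lookup(ldap_filter)
        self._entries[ldap_filter] = (now, result)
        return result


# Constructed stand-in for the directory; a real profile would query the LDAP server.
FAKE_DIRECTORY = {
    "(&(objectClass=inetOrgPerson)(uid=mlennox))": ["uid=mlennox,ou=people,dc=example,dc=com"],
}


def fake_lookup(ldap_filter):
    return FAKE_DIRECTORY.get(ldap_filter, [])


if __name__ == "__main__":
    cache = LdapQueryCache(fake_lookup, ttl_minutes=5)
    f = build_filter("OpenLDAP", "mlennox")
    print(f, cache.get(f), cache.get(f), "server queries:", cache.server_queries)
    print(build_filter("OpenLDAP", "*)(uid=*"))   # special characters are escaped, not interpreted
```

Testing each enabled query against the real server, as the recipe recommends, is still the only way to confirm that the filter matches the directory's actual schema; the escaping only guarantees that what is matched is the literal user name.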

The post FortiVoice Enterprise Profiles: LDAP Profiles appeared first on Fortinet Cookbook.

FortiVoice Enterprise Profiles: Scheduling and Phone Profiles


FortiVoice phone profiles let you create user privileges and SIP profiles for configuring extensions and SIP trunks. They also allow you to modify caller IDs, schedule the FortiVoice unit, and configure phone and LDAP profiles.

This recipe guides you through the process of configuring a dial plan schedule and a phone profile.

Scheduling the FortiVoice Unit

You can schedule the FortiVoice operation time and use the schedules when configuring dial plans, virtual numbers, or call management. 

To schedule the operation time

  1. Go to Phone System > Profiles > Schedule and select New.
  2. Enter a name for the schedule.
  3. Select the days to include in the schedule and set the AM and PM time.
  4. Select New under the Holiday section to set your schedule for the holidays.
  5. Select Create.

FVE Schedule

Configuring Phone Profiles

Phone profiles contain the most used phone configurations. Phone profiles make extension configuration more flexible by allowing phone users to choose the profile they want. 

To configure a phone profile

  1. Go to Phone System > Profiles > Phone and select New.
  2. Enter a profile name.
  3. Select a phone model for the profile from the Phone type dropdown menu.
  4. Select LLDP or Manual from the Vlan dropdown menu. If you select Manual, configure settings in the Vlan section. If you select LLDP, the FortiVoice unit automatically generates the configuration file.
  5. Configure the Automatic Configuration section. This section only appears if you select Automatic from the Configuration mode setting in the Phone profile section.

    i. Select a display option.
    ii. Enter the number of phone lines to which this profile applies.
    iii. Enter the digit map timeout in seconds, which defines the waiting time between the completion of dialing and initiating the call.
    iv. Enter the appropriate digit map syntax. For more information on digit map syntax definitions, see section 2.1.5 of RFC 3435.
    v. Expand the Set Programmable Phone Key section if you wish to program the phone keys for FortiFone. For a detailed look at programmable keys, consult the FortiVoice Enterprise Administrator Guide.

  6. Select Create.

FVE Phone Profile

The post FortiVoice Enterprise Profiles: Scheduling and Phone Profiles appeared first on Fortinet Cookbook.
