Channel: Fortinet Cookbook

High Availability with FGCP (Expert)


This recipe describes how to enhance the reliability of a network protected by a FortiGate unit by adding a second FortiGate unit and setting up a FortiGate Clustering Protocol (FGCP) High Availability cluster.

The FortiGate already on the network will be configured to become the primary unit by enabling HA, increasing its device priority and enabling override. The new FortiGate will be prepared by setting it to factory defaults to wipe any configuration changes. Then it will be licensed, configured for HA, and then connected to the FortiGate already on the network. The new FortiGate becomes the backup unit and its configuration is overwritten by the primary unit.

The recipe contains instructions for both the GUI and the CLI, with some parts of the configuration requiring use of the CLI. A simplified HA recipe that only requires use of the GUI is available here.

Before you start, the FortiGates should be running the same FortiOS firmware version and interfaces should not be configured to get their addresses from DHCP or PPPoE.


1. Configuring the primary FortiGate

Connect to the primary FortiGate and locate the System Information Dashboard widget.

Change the unit’s Host name to identify it as the primary FortiGate.

 

You can also enter this CLI command:

config system global
    set hostname External-Primary
end

Register and apply licenses to the primary FortiGate unit before configuring it for HA operation. This includes activation of FortiCloud and licenses for FortiGuard, FortiSandbox, FortiClient, and FortiToken, as well as entering a license key if you purchased more than 10 Virtual Domains (VDOMs).

Enter this CLI command to set the HA mode to active-passive, set a group name and password, increase the device priority to a higher value (for example, 200) and enable override.

Enabling override and increasing the device priority means this unit should always become the primary unit.

This command also selects port3 and port4 to be the heartbeat interfaces and sets their priorities to 50.

config system ha
    set mode a-p
    set group-name External-HA-Cluster
    set password <HA-cluster-password>
    set priority 200
    set override enable
    set hbdev port3 50 port4 50
end

You can also use the GUI (System > HA) to configure most of these settings.

 

Override can only be enabled from the CLI. 

config system ha
    set override enable
end

The FortiGate unit negotiates to establish an HA cluster. When you select OK you may temporarily lose connectivity with the FortiGate unit as FGCP negotiation takes place and the MAC addresses of the FortiGate unit are changed to HA virtual MAC addresses. These virtual MAC addresses are used for failover. The actual virtual MAC address assigned to each FortiGate interface depends on the HA group ID. Since this example does not involve changing the HA group ID, the FortiGate unit’s interfaces will have the following MAC addresses: 00:09:0f:09:00:00, 00:09:0f:09:00:01, 00:09:0f:09:00:02 and so on.

To reconnect sooner, you can update the ARP table of your management PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You can usually delete the ARP table from a command prompt using a command similar to arp -d.

To confirm these MAC address changes, you can use the get hardware nic (or diagnose hardware deviceinfo nic) command to view the virtual MAC address of any FortiGate unit interface. Depending on the FortiGate model, the output from this command could include lines similar to the following:

Current_HWaddr:   00:09:0f:09:00:00
Permanent_HWaddr  02:09:0f:78:18:c9
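As an added example (not part of the recipe), the following Python script parses the two HWaddr lines shown above for several interfaces and reports which interfaces have moved from their permanent MAC to an HA virtual MAC. It assumes the HA group ID was left at its default, so the virtual prefix 00:09:0f:09:00 from this example applies; the per-interface command outputs are constructed sample data.

```python
"""Check which FortiGate interfaces are running on an FGCP virtual MAC.

Added example (not from the Fortinet recipe). It parses the Current_HWaddr /
Permanent_HWaddr lines of `get hardware nic <port>` output and classifies
each interface. The virtual prefix assumes the default HA group ID.
"""
import re

# Virtual MAC prefix used in the recipe's example (default HA group ID).
HA_VIRTUAL_PREFIX = "00:09:0f:09:00"

# Matches both "Current_HWaddr:   <mac>" and "Permanent_HWaddr  <mac>".
HWADDR_RE = re.compile(r"^(Current|Permanent)_HWaddr:?\s+([0-9a-fA-F:]{17})$")


def parse_nic_output(text):
    """Return {'Current': mac, 'Permanent': mac} for one interface's output."""
    found = {}
    for line in text.splitlines():
        m = HWADDR_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).lower()
    return found


def is_ha_virtual(mac):
    """True if the MAC lies in the HA virtual range for the default group ID."""
    return mac.lower().startswith(HA_VIRTUAL_PREFIX + ":")


def expected_virtual_mac(index):
    """Virtual MAC the recipe says the N-th interface receives (00, 01, 02, ...)."""
    return "%s:%02x" % (HA_VIRTUAL_PREFIX, index)


def ha_status(nic_outputs):
    """Classify each interface as:
    'virtual'   - current MAC is an HA virtual MAC (cluster negotiated),
    'permanent' - still on the burned-in MAC (HA not enabled or not yet negotiated),
    'unknown'   - output did not contain both HWaddr lines."""
    result = {}
    for port, text in nic_outputs.items():
        macs = parse_nic_output(text)
        if "Current" not in macs or "Permanent" not in macs:
            result[port] = "unknown"
        elif macs["Current"] != macs["Permanent"] and is_ha_virtual(macs["Current"]):
            result[port] = "virtual"
        else:
            result[port] = "permanent"
    return result


# Constructed sample outputs, modelled on the two lines quoted in the recipe.
SAMPLE_BEFORE_HA = {
    "port1": "Current_HWaddr:   02:09:0f:78:18:c9\nPermanent_HWaddr  02:09:0f:78:18:c9\n",
    "port2": "Current_HWaddr:   02:09:0f:78:18:ca\nPermanent_HWaddr  02:09:0f:78:18:ca\n",
}
SAMPLE_AFTER_HA = {
    "port1": "Current_HWaddr:   00:09:0f:09:00:00\nPermanent_HWaddr  02:09:0f:78:18:c9\n",
    "port2": "Current_HWaddr:   00:09:0f:09:00:01\nPermanent_HWaddr  02:09:0f:78:18:ca\n",
}

if __name__ == "__main__":
    for label, sample in (("before HA", SAMPLE_BEFORE_HA), ("after HA", SAMPLE_AFTER_HA)):
        print(label, ha_status(sample))
```

If a port still reports its permanent MAC after the cluster has formed, the management PC's stale ARP entry (see the arp -d note above) is a more likely cause of lost connectivity than a failed negotiation.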

2. Configuring the backup FortiGate

Enter this command to reset the new FortiGate that will become the backup FortiGate to factory default settings.

execute factoryreset

You can skip this step if the new FortiGate is fresh from the factory. But if its configuration has been changed at all it is recommended to set it back to factory defaults to reduce the chance of synchronization problems.

If required, change the firmware running on the new FortiGate to be the same version as is running on the primary unit.

Register and apply licenses to the new FortiGate unit before adding it to the cluster. This includes activation of FortiCloud and licenses for FortiGuard, FortiSandbox, FortiClient, and FortiToken, as well as entering a license key if you purchased more than 10 Virtual Domains (VDOMs).

From the System Information Dashboard widget, change the new FortiGate’s Host Name to identify it as the backup FortiGate.

  

You can also enter this CLI command:

config system global
    set hostname External-Backup
end

Duplicate the primary unit HA settings, except set the Device Priority to a lower value (for example, 50) and do not enable override.

You can configure all of these settings from the GUI.

You can also enter this CLI command:

config system ha
    set mode a-p
    set group-name External-HA-Cluster
    set password <HA-cluster-password>
    set priority 50
    set hbdev port3 50 port4 50
end

3. Connecting the cluster

Connect the HA cluster as shown in the network diagram. Making these connections will disrupt network traffic as you disconnect and re-connect cables.

If possible, make direct Ethernet connections between the heartbeat interfaces of the two FortiGate units.

Switches must be used between the cluster and the Internet and between the cluster and the internal networks as shown in the network diagram. You can use any good quality switches to make these connections. You can also use one switch for all of these connections as long as you configure the switch to separate traffic from the different networks.

When connected, the primary and backup FortiGates find each other and negotiate to form an HA cluster. The primary unit synchronizes its configuration with the backup FortiGate. Forming the cluster happens automatically with minimal or no disruption to network traffic.

4. Checking cluster operation and disabling override

Check the cluster synchronization status to make sure the primary and backup units have the same configuration. Log into the primary unit CLI and enter this command:

diag sys ha checksum cluster

The command output lists all cluster members’ configuration checksums. If both cluster units have identical checksums you can be sure that their configurations are synchronized. If the checksums are different, wait a short while and enter the command again. Repeat until the checksums are identical. It may take a while for some parts of the configuration to be synchronized. If the checksums never become identical contact Fortinet support to help troubleshoot the problem.

The System Information Dashboard widget also shows if the cluster units are synchronized. Mouse over each FortiGate in the cluster to verify that they both have the same checksum.

When the checksums are identical, disable override on the primary unit (recommended).

config system ha
    set override disable
end

The HA cluster dynamically responds to network conditions. If you keep override enabled, the same FortiGate will always be the primary FortiGate. However, because of this the cluster may negotiate more often, potentially increasing traffic disruptions.

If you disable override, it is more likely that the new FortiGate unit could become the primary unit. Disabling override is recommended unless it is important that the same FortiGate remains the primary unit.

From the System Information widget, select HA Status (or go to System > HA) to view the cluster status.

 
Select View HA Statistics for more information on how the cluster is operating and processing traffic.  

5. Results

Normally, traffic should now be flowing through the primary FortiGate. However, if the primary FortiGate is unavailable, traffic should fail over and the backup FortiGate will be used. Failover will also cause the primary and backup FortiGates to reverse roles, even when both FortiGates are available again.
To test this, ping the IP address 8.8.8.8 using a PC on the internal network. After a moment, power off the primary FortiGate. You will see a momentary pause in the ping results until traffic diverts to the backup FortiGate, allowing the ping traffic to continue.

For further reading, check out FGCP configuration examples and troubleshooting in the FortiOS 5.4 Handbook.

If the FortiGates in the cluster will be running FortiOS Carrier, apply the FortiOS Carrier license before configuring the cluster (and before applying other licenses). Applying the FortiOS Carrier license sets the configuration to factory defaults, requiring you to repeat steps performed before applying the license.
This example uses two FortiGate-600Ds and the default heartbeat interfaces are used (port3 and port4). You can use any interfaces for HA heartbeat interfaces. A best practice is to use interfaces that do not process traffic, but this is not a requirement.
If you are using port monitoring, you can also unplug the primary FortiGate’s Internet-facing interface to test failover.

The post High Availability with FGCP (Expert) appeared first on Fortinet Cookbook.


IPsec VPN Troubleshooting (Video)


In this video, you will learn how to troubleshoot a site-to-site IPsec VPN that provides transparent communication between a Headquarters FortiGate and a Branch office FortiGate. This video will show you how to diagnose common problems when your tunnel connection fails, and how to adjust your settings when the tunnel drops on and off. This video covers common Preshared Secret Key issues, Security Association or “SA” proposal errors, quick mode selector issues, and more. By the end of this tutorial you should have a better understanding of how to use these debug commands for basic troubleshooting. This video is recorded on FortiOS 5.2.6, and although the GUI options may vary, the troubleshooting tips and CLI commands are relevant for most recent builds.

The recipe for this video is available here.

Watch more videos


ISFW and Cooperative Security Fabric (Video)


In this video, you’ll learn how to install two Internal Segmentation Firewalls (ISFWs) behind an external FortiGate. Once these FortiGates are installed, you will set up a Cooperative Security Fabric between them. This fabric will span an entire network, using FortiTelemetry to link the FortiGates together to protect the network.

This video is part of the Cooperative Security Fabric collection. It can also be used as a standalone video.

The recipe for this video is available here.

Watch more videos


SSL VPN for users with passwords that expire


In this recipe, you will learn how to configure an SSL VPN portal for users with passwords that expire after two days. Users will be warned after one day about the password expiring and will have one day to renew it.

The example uses local users but the password policy can be applied to any user. Unfortunately, the password policy cannot be applied to a user group.

This recipe involves some minor configuration in the CLI Console.

1. Creating the SSL VPN user and user group

Go to User & Device > User Definition > Create New and create a new user via the Users/Groups Creation wizard.

Enter a User Name and Password.
Enter contact information via Email Address. SMS information should be provided if required.

Enable the user account and apply Two-factor Authentication if required.

Click Create.

Go to User & Device > User Groups and create a user group that includes the newly created user.

2. Configuring and assigning the password policy

Enter the CLI Console and configure a password policy using the following commands:

config user password-policy
  edit "pwpolicy1"
    set expire-days 2
    set warn-days 1
  next
end

The password policy includes an expiration time and a warning time.

Next, assign the password policy to the newly created user using the following commands.

config user local
  edit "jsnow"
    set type password
    set passwd-policy "pwpolicy1"
  next
end

By default, the start time for the password is set to the time the user was created.
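As an added example (not part of the recipe), the following Python script applies this policy's timeline (expire-days 2, warn-days 1, start time at user creation) to a list of local users and reports who is fine, who is inside the warning window and can still renew at the portal, and who has expired and must contact the administrator. The user records and timestamps are constructed sample data.

```python
"""Report where each local user sits in the FortiGate password-policy timeline.

Added example, not from the recipe. Policy values mirror pwpolicy1 above:
expire-days 2 and warn-days 1, with the password start time equal to the
time the user was created. User records below are constructed sample data.
"""
from datetime import datetime, timedelta

EXPIRE_DAYS = 2   # set expire-days 2
WARN_DAYS = 1     # set warn-days 1


def password_state(created, now, expire_days=EXPIRE_DAYS, warn_days=WARN_DAYS):
    """Return 'ok', 'warn' or 'expired' for a password whose start time is `created`.

    warn window:  [expires_at - warn_days, expires_at)  -> user is prompted to renew
    expired:      now >= expires_at                     -> renewal no longer possible
    """
    expires_at = created + timedelta(days=expire_days)
    warn_at = expires_at - timedelta(days=warn_days)
    if now >= expires_at:
        return "expired"
    if now >= warn_at:
        return "warn"
    return "ok"


def report(users, now):
    """Map each user name to its state; `users` is {name: created_datetime}."""
    return {name: password_state(created, now) for name, created in users.items()}


def needs_admin(users, now):
    """Users who can no longer renew at the portal and must contact the administrator."""
    return sorted(name for name, state in report(users, now).items() if state == "expired")


# Constructed sample: three local users created at different times.
NOW = datetime(2016, 9, 1, 12, 0)
USERS = {
    "jsnow": datetime(2016, 8, 31, 12, 0),   # exactly 1 day old: warning window begins now
    "arya": datetime(2016, 9, 1, 9, 0),      # 3 hours old: still fine
    "bran": datetime(2016, 8, 30, 11, 0),    # more than 2 days old: expired
}

if __name__ == "__main__":
    for name, state in report(USERS, NOW).items():
        print(f"{name}: {state}")
    print("contact admin:", needs_admin(USERS, NOW))
```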

3. Configuring the SSL VPN web portal and settings

Go to VPN > SSL-VPN Portals and select full-access.

Disable Enable Split Tunneling and select the Source IP Pools. In the example, the default SSLVPN_TUNNEL_ADDR1 pool will suffice.

Enable Tunnel Mode Client Options as required, make sure that Enable Web Mode is selected, and click OK.

Go to VPN > SSL-VPN Settings.

Under Connection Settings, set Listen on Interface(s) to the Internet-facing interface and set Listen on Port to 10443.

Under Tunnel Mode Client Settings, set Address Range to Automatically assign addresses.

Under Authentication/Portal Mapping, assign the newly created user group (“TempVPNGroup”) to the full-access portal and Apply your changes.

4. Adding security policies for access to the internal network and the Internet

Go to Policy & Objects > IPv4 Policy and add a security policy allowing access to the internal network through the VPN tunnel interface.

Include the newly created user group and enable NAT.

Add a second security policy allowing access to the Internet through the VPN tunnel interface.

Include the newly created user group and enable NAT.

5. Results

When jsnow browses to the SSL VPN web portal, they are prompted to enter their username and password.

When the warning time is reached (see Step 2), the user is prompted to enter a new password.

However, when the expiration time is reached, the user will not be able to enter a new password and must contact the administrator for assistance.

Go to Log & Report > VPN Events to see the SSL VPN alert labeled ssl-alert.

Highlight the alert message and click Details to see the log in greater detail, specifically under Action.

 

Note that if the users also have access to an IPsec VPN, the expiration time applies to that tunnel’s access as well, since the passwords expire and not the tunnel itself.
Using port 10443 avoids a conflict with the administrative HTTPS port. Alternatively, you can change the administrative HTTPS port under System > Settings.
Under Tunnel Mode Client Settings, you may instead Specify custom IP ranges if you prefer.
Unfortunately, there is no warning that the user’s password is about to expire for IPsec VPN, because IPsec XAuth has no mechanism for delivering one.


Logging Traffic and Using FortiView (Video)


In this video, you will learn how to configure logging to record information about sessions processed by your FortiGate, and use FortiView to look at the traffic logs and see how your network is being used.

FortiView is a logging tool made up of multiple dashboards that show real-time and historical logs. The dashboards can be filtered to show specific results, and you can drill down for more information about a particular session. Each dashboard focuses on a different aspect of your network traffic, such as traffic sources of WiFi clients. Some FortiView dashboards, such as Applications and Web Sites, require security profiles to be applied to traffic before they will display any results.

The recipe for this video is available here.

Watch more videos


Redundant Internet connections


In this example, you will create a WAN link interface that provides your FortiGate unit with redundant Internet connections from two Internet service providers (ISPs). The WAN link interface combines these two connections into a single interface.

This example includes weighted load balancing so that most of your Internet traffic is handled by one ISP.


1. Connecting your ISPs to the FortiGate

Connect your ISP devices to your FortiGate so that the ISP you wish to use for most traffic is connected to WAN1 and the other connects to WAN2.

2. Deleting security policies and routes that use WAN1 or WAN2

You will not be able to add an interface to the WAN link interface if it is already used in the FortiGate’s configuration, so you must delete any security policies or routes that use either WAN1 or WAN2. Traffic will not be able to reach WAN1 or WAN2 through the FortiGate after you delete the existing policies.

Many FortiGate models include a default Internet access policy that uses WAN1. This policy must also be deleted.

Go to Policy & Objects > IPv4 Policy and delete any policies that use WAN1 or WAN2.
Go to Network > Static Routes and delete any routes that use WAN1 or WAN2.

3. Creating a WAN link interface

Go to Network > WAN LLB (WAN Link Load Balancing).

Set the Interface State to Enable.

Under WAN LLB, select Create New to add an interface.

Add wan1 and enter the Gateway IP provided by your primary ISP. Do the same for wan2, but this time use the Gateway IP provided by your secondary ISP.

 

Under Load Balancing Algorithm, select Volume as the type. This will allow you to prioritize the wan1 interface so that more traffic uses it. For the weight, set wan1 to 3 and set wan2 to 1.

The weight settings will cause 75% of traffic to use WAN1, with the remaining 25% using WAN2.

To help analyze the effectiveness of the algorithm selected, the WAN Links Usage graph shows you the volume and bandwidth usage.

4. Configuring Health Check (optional)

You can optionally configure Health Check to verify the health and status of the links that make up the virtual WAN link. Health Check is only available via the CLI. Go to Dashboard > CLI and enter the following commands:

config system virtual-wan-link
 set fail-detect [enable | disable]
 set fail-alert-interfaces (available only if fail-detect is enabled)
 config health-check
  edit [health check name]
  set server <string>
  set protocol [ping | tcp-echo | udp-echo | http | twamp ]
...
  set timeout <integer>
  set failtime [1-10]
  set recoverytime [1-10]
  set update-cascade-interface [enable | disable]
  set update-static-route [enable | disable ]
 end
end

5. Creating a default route for the WAN link interface

Go to Network > Static Routes and create a new default route.

Set Device to the WAN link interface.

6. Allowing traffic from the internal network to the WAN link interface

Go to Policy & Objects > IPv4 and create a new policy.

Set Incoming Interface to your internal network’s interface and set Outgoing Interface to the WAN link interface.

Turn on NAT.

Scroll down to view the Logging Options. To view the results later, turn on Log Allowed Traffic and select All Sessions.

7. Results

Browse the Internet using a computer on the internal network and then go to FortiView > All Sessions.

Make sure that the Destination Interface column is shown. If it’s not, right-click on the top menu row to add it to the menu.

The log shows traffic flowing through both WAN1 and WAN2.

 

Go to Network > Interfaces and disable the wan1 port. Then browse the Internet from the internal network.

 
Go back to FortiView > All Sessions. The results should show that traffic is only flowing through wan2, until you enable WAN1 again.

For further reading, check out Dual Internet Connections in the FortiOS 5.4 Handbook.


SSL VPN with certificate authentication


In this recipe, you will configure an SSL VPN tunnel that requires users to authenticate using a certificate.

This recipe requires that you have three certificates:

  • CA certificate
  • server certificate (signed by the CA certificate)
  • user certificate (signed by the CA certificate)

The certificates in the example were created using OpenSSL.

1. Enabling certificate management

Go to System > Feature Select and make sure that Certificates is enabled.

 

2. Installing the server certificate

The server certificate is used for encrypting SSL VPN traffic and will be used for authentication.

Go to System > Certificates and select Import > Local Certificate.

Set Type to Certificate, choose the Certificate file and the Key file for your certificate, and enter the Password. You can also change the Certificate Name.

The server certificate now appears in the list of Certificates.

3. Installing the CA certificate

The CA certificate is the certificate that signed both the server certificate and the user certificate. In this example, it is used to authenticate SSL VPN users.

Go to System > Certificates and select Import > CA Certificate.

Select Local PC, then select the certificate file.

The CA certificate now appears in the list of External CA Certificates (CA_Cert_1).

4. Creating PKI users and a user group

To use certificate authentication, PKI users must be created in the CLI. Go to Dashboard and enter the following commands into the CLI Console widget:

config user peer
  edit rdiaz
    set ca CA_Cert_1
    set subject User01
  end

Make sure that subject matches the name of the user certificate (in this example, User01).

Now that you have created a PKI user, a new menu has been added to the GUI. Go to User & Device > User group > PKI to see the new user listed.

Edit the user account and expand Two-factor authentication. Enable Require two-factor authentication and set a Password for the account.

 
Go to User & Device > User > User Groups and create a group for SSL VPN users. Add the new user to the group.  

5. Creating an SSL VPN portal

Go to VPN > SSL-VPN Portals.

Edit the full-access portal to confirm the default configuration.

Make sure that Enable Split Tunneling is disabled so that all SSL VPN traffic will go through the FortiGate unit.

 

6. Configuring the SSL VPN tunnel

Go to VPN > SSL-VPN Settings.

Under Connection Settings, set Listen on Interface(s) to wan1. To avoid admin port conflicts, set Listen on Port to 10443.

Set Server Certificate to the authentication certificate and enable Require Client Certificate.

Under Authentication/Portal Mapping, assign the user group to the full-access portal. If necessary, assign a portal for All Other Users/Groups.

 

7. Adding security policies for access to the Internet and internal network

Go to Policy & Objects > IPv4 Policy. Create a security policy allowing SSL VPN users to access the internal network.

Set Incoming Interface to ssl.root. Set Source to all and include the new SSL VPN user group. Set Outgoing Interface to the local network interface so that the remote user can access the internal network.

Set Destination Address to all, enable NAT, and configure any remaining firewall and security options.

 

Add a second security policy allowing SSL VPN users to access the Internet.

For this policy, Incoming Interface is set to ssl.root and Outgoing Interface is set to wan1.

Make sure that NAT is enabled.

 

8. Installing the user certificate

Every user should have a unique user certificate, so that you can distinguish each user and so that it is possible to revoke a user’s certificate when necessary.

Internet Explorer or Safari (on Windows or Mac OS):

If you are using Windows 7/8/10, open the certificate file and select Install Certificate. The Import Wizard appears.

 Import the certificate into the Personal store.

 

If you are using Mac OS X, open the certificate file. Keychain Access opens.

Double-click the certificate. Expand Trust and select Always Trust.

 

FortiClient (on Windows or Mac OS)

Open FortiClient and go to Remote Access > Configure VPN. Create a new SSL VPN connection.

Set the Connection Name, Remote Gateway, and Customize port. Enable Client Certificate and select the authentication certificate.

 

Firefox (on Windows or Mac OS)

Depending on the operating system, go to Menu > Options or Preferences > Advanced and find the Certificates tab.

Select View Certificates, then select the Your Certificates list. Import the certificate file.

 

9. Results

Using a web browser

Browse to the SSL VPN portal (https://172.20.120.184:10443).

When prompted, select the user certificate.

Enter user credentials when requested.

 

You are able to connect to the SSL VPN web portal.

Using FortiClient

Open FortiClient, select the newly created VPN, enter user credentials and click Connect.

 

On the FortiGate, go to Monitor > SSL-VPN Monitor. You can see that the user is currently connected to the VPN.

The first entry corresponds to the SSL VPN web portal connection and the second to the FortiClient connection.

 

 

You may need to refresh the GUI before the menu appears.



Configuring Remote Extensions in FortiVoice Enterprise


Callers can connect to remote extensions through auto attendants or through call cascade transfers. A remote extension reaches an external phone by automatically selecting a line from a trunk and dialing the phone number. For example, a remote extension could reach an employee’s cell phone or home phone, or a phone at a branch office.

This recipe guides you through the process of configuring a remote extension.

Remote extensions are designed to operate with most major telephone service providers. Unfortunately, phone numbers and mobile phones roaming internationally may not support remote extensions.

Adding a Remote Extension

To add and configure a remote extension

  1. Go to Extensions > Extensions > Remote Extensions.
  2. Select New.
  3. Enter the local extension number from which calls are transferred to a remote extension.
  4. Enter the remote phone number to which a call to the local extension is transferred.
  5. Select Enabled.
  6. Enter the Display name and External caller ID.
  7. Enter the password for the user to access voicemail in the User PIN section.
  8. Select the appropriate Authentication type from the dropdown menu. LDAP requires an LDAP profile and authentication ID.
  9. Expand the Voice Mailbox tab and configure it accordingly if you want other users or groups to share the voice mailbox. For example, you may want others to access your mailbox when you’re away.
  10. Select Create.


Configuring Follow Me Settings in FortiVoice Enterprise


Each SIP and analog extension comes with its default user preferences, such as the follow me settings. Follow me allows a call to an extension to be transferred to another destination when you are not available.

This recipe guides you through the quick and easy process of configuring follow me settings.

This configuration serves as a profile for use in managing calls. To learn how to manage calls and make profiles, see Handling calls in the FortiVoice Enterprise Admin Guide.

Follow Me Configuration

To configure follow me settings

  1. Go to Extensions > Extensions > Preferences.
  2. Double click an existing number.
  3. Select New in the Follow Me section.
  4. Enter a Name for the setting.
  5. Under Follow Me Numbers, select New.
  6. Enter a phone number to which the call to your extension can be transferred.
  7. Enter how long the phone should ring before the call is sent to voicemail or the next number in the sequence is dialed.
  8. Select Create.

You can repeat these procedures to add additional numbers. Numbers are dialed according to their sequence in the follow me setting.



Custom IPS Signature Syntax Guide


IPS Signature Syntax

When making a custom IPS signature for your FortiGate, it is helpful to understand the syntax used to create signatures. There is a section in the FortiOS Handbook, but we are also in the process of building a page with content to help you configure your own IPS signatures. In the meantime, an additional PDF, on which some of this content will be based, can be downloaded from the link IPS Signature Syntax Guide.pdf.


Managing Call Handling in FortiVoice Enterprise


Each SIP and analog extension comes with its default user preferences, such as how the unit manages the call process. For example, you could configure the process to forward a call to another number on a specific schedule. 

This recipe guides you through the quick and easy process of configuring call handling in FortiVoice Enterprise.

Handling a Normal Call

To handle a normal call

  1. Go to Extensions > Extensions > Preferences.
  2. Double click an existing number.
  3. Go to the Call Handling section and select Normal call handling.
  4. Select one of the call status tabs (No answer, Busy, Do not disturb, Unavailable, or Voicemail).
  5. Select User defined.
  6. Select New to define a call process according to a schedule.
  7. Select a preconfigured schedule from the Schedule dropdown menu.
  8. Select the action you want the unit to take when the call reaches the unit during the designated schedule.
  9. Select Create and then select OK.


Adding FortiAnalyzer to a security fabric


In this recipe, you will add a FortiAnalyzer to a network that is already configured as a Cooperative Security Fabric (CSF). This will simplify network logging by storing and displaying all log information in one place.

This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.

In this example, a FortiGate called External is the upstream FortiGate. There are also two ISFWs, called Accounting and Marketing. OSPF routing is used between the FortiGates in the CSF.

1. Connecting the External FortiGate and the FortiAnalyzer

In this example, the External FortiGate’s port 16 will connect to port 2 on the FortiAnalyzer.

On the External FortiGate, go to Network > Interfaces and edit port 16. Set an IP/Network Mask for the interface (in the example, 192.168.55.2).

Configure Administrative Access to allow FortiTelemetry, required for communication between devices in the CSF. Configure other services as required.

 
On the FortiAnalyzer, go to System Settings > Network, select All Interfaces, and edit port2. Set IP/Netmask to an internal IP (in the example, 192.168.55.10/255.255.255.0).
Connect the External FortiGate and the FortiAnalyzer.
On the FortiAnalyzer, go to System Settings > Network. Port 2 is now shown as the management interface. Add a Default Gateway, using the IP address of the External FortiGate’s port 16.  

2. Configuring OSPF routing to the FortiAnalyzer

On the External FortiGate, go to Network > OSPF and create a new Network. Set IP/Netmask to 192.168.55.0/255.255.255.0 (the subnet that includes FortiAnalyzer’s port 2) and Area to 0.0.0.0.
 

3. Allowing internal FortiGates to access the FortiAnalyzer

On the External FortiGate, go to System > Feature Select. Under Additional Features, select Multiple Interface Policies.  

Go to Policy & Objects > IPv4 Policy and create a policy allowing the internal FortiGates (Accounting and Marketing) to access the FortiAnalyzer.

Do not enable NAT.

 

4. Sending log information to the FortiAnalyzer

On the FortiAnalyzer, go to Device Manager and add a device.

Enter all information about the External FortiGate, then select Next.


 

The FortiAnalyzer will now add the device.


 
The External FortiGate is now listed on the FortiAnalyzer.  

On the External FortiGate, go to Log & Report > Log Settings. Under Remote Logging and Archiving, enable Send Logs to FortiAnalyzer/FortiManager. Enter the IP Address of the FortiAnalyzer.


 

In this example, logs are uploaded in Realtime because there are no bandwidth limitations. Also, since log traffic stays within the CSF, encryption is not enabled.

Select Test Connectivity to view information about the connection.

 

 

Under GUI Preferences, select Display Logs From FortiAnalyzer.

Repeat this process on both the Accounting and Marketing FortiGates. 

5. Results 

All three FortiGates are listed in the FortiAnalyzer’s Device Manager.
 
Go to FortiView > System > System Events. Events from all FortiGates in the CSF are shown, allowing you to have a complete view of the network.
 
You can select a type of System Event, such as System performance statistics, to view information about the individual events. Events are shown from all three FortiGates (the Device ID shown for each FortiGate is that unit’s serial number).  

The post Adding FortiAnalyzer to a security fabric appeared first on Fortinet Cookbook.

Configuring Remote Cameras in FortiRecorder


The following scenario is intended for users who are accessing their cameras remotely. Remote camera deployment refers to scenarios in which there is a firewall, such as your FortiGate unit, between FortiRecorder and the cameras.

In this recipe, automatic IP configuration will not work, since the cameras will need to be assigned virtual IP addresses. 

Configuring FortiRecorder

To configure FortiRecorder

  1. Go to System > Network > Interface and edit port 1.
  2. Set a manual IP for the interface that is on the same subnet as the FortiGate interface.
  3. Set Access to allow HTTPS, FRC-Central, and any other required protocols.
  4. Select OK.
  5. Go to System > Network > Routing and select new to add a default route that uses the IP address of the FortiGate’s interface. Set the interface to port1.
[Screenshot: FR Remote 3]
 

Configuring Remote Camera Deployment

To configure remote camera deployment

  1. In the FortiRecorder UI, go to Camera > Configuration > Camera.
  2. Select
  3. Enter the Name and Location of the camera and select ONVIF from the Camera dropdown menu.
  4. Enter the username and password of the remote camera you are accessing.
  5. Since the camera is on a remote network, select VIP from the Address Mode dropdown menu.
  6. Enter the required virtual IP address in the Address section. Entering a static IP address will allow FortiGate to forward connections to the camera’s private network address. Enter port 443.
  7. Select UDP from the Transport type dropdown menu and enter port 554.

[Screenshot: FR Remote]

[Screenshot: FR Remote 2]



New FAQ page


As you may expect, we here in the Technical Documentation team get asked a lot of questions. Sometimes we even get asked the same question more than once. I strongly suspect that this repetitive intrusion upon some poor subject matter expert in the past brought into being the concept of documentation in the first place. Therefore we are continuing the time honored tradition of having an FAQ page. 

The FAQ can be found by going to http://cookbook.fortinet.com/sysadmins-notebook/frequently-asked-questions/ or by going to the Cookbook site, selecting Resources and then selecting FAQ.

Being the lazy efficient folks that we are, rather than answering a similar question a number of different times with differing levels of depth we are going to come up with a single answer once, and possibly add improvements later.

The criteria for inclusion in the FAQ is going to be questions that we have been asked multiple times and/or we can safely assume will be asked again.

The subjects of the questions will generally be those that don’t really fit into the context of one of our existing documents/pages/posts or we believe that the answer to a fairly common and straightforward question will lost amidst all of the other information on the topic.

Occasionally we may include topics/questions that were the result of a post of their own. This will usually happen when the amount of content is fairly small and we want to make sure that it maintains a certain amount of visibility. Once a post that we think warrants inclusion gets pushed back far enough in the display sequence we will move its content to the FAQ.

Of course the best part of all this (for our readers), is that readers are in position to help drive the course of the content for the site.

To submit a question you think should be in the FAQ:

 


WiFi with WSSO using Windows NPS and Attributes


This is an example of wireless single sign-on (WSSO) with a FortiGate. The WiFi users are students at a school. They belong to a Windows Active Directory (AD) group called WiFiAccess. The Network Policy Server (NPS) or RADIUS server performs user authentication and passes the WiFi group attribute to the FortiGate so that the appropriate security policy is applied.

1. Registering the FortiGate as a RADIUS client on NPS

From the NPS, right click on RADIUS Clients,  and create an entry for the FortiGate. Enter the FortiGate’s IP address. Enter the Shared secret (password).

2. Creating a Connection Request Policy

Right-click Connection Request Policies under Policies and select New. Leave the default values on the Overview and Settings tabs. On the Conditions tab, set Client IPv4 Address to the FortiGate’s IP address.

3. Creating a Network Policy

Right-click Network Policies under Policies and select New to create a new policy. Leave the default values on the Overview tab. On the Conditions tab, click Add, select Windows Group, then select Add. Select Add Groups, enter WiFiAccess, and select OK.
On the Constraints tab, under Authentication Methods, click Add, select Microsoft: Protected EAP (PEAP), then select OK. Next, select Microsoft Encrypted Authentication version 2 (MS-CHAP-v2), select User can change password after it has expired, and select OK.
On the Settings tab, go to RADIUS Attributes > Vendor Specific and click Add. Under Vendor select Custom, under Attributes select Vendor Specific, then select Add. In the Attribute Information window, click Add, type 12356 next to Enter Vendor Code, and select Yes. It conforms. Click Configure Attribute; in the window that opens, enter 1 for Vendor-assigned attribute number, set Attribute format to String, enter WiFi as the Attribute value, and select OK.

4. Configuring FortiGate to use the RADIUS server

On the FortiGate, go to User & Device > RADIUS Servers. Select Create New and name the server DC-RADIUS. Enter the Domain Controller IP address and the Server Secret that you entered on NPS. Optionally, you can click Test Connectivity: enter a RADIUS user’s ID and password, and the result should be “Successful”.

5. Configuring a user group on the FortiGate

Go to User & Device > User Groups. Create a group that matches the WiFi RADIUS attribute. Do not add any members or remote servers.
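The group attribute that NPS sends in step 3, and that the FortiGate user group in step 5 matches, travels as a RADIUS Vendor-Specific Attribute (type 26, RFC 2865) carrying Fortinet’s vendor ID 12356 and vendor attribute 1, Fortinet-Group-Name in Fortinet’s RADIUS dictionary. The Python below is an added example, not code from the recipe or from Fortinet: it encodes that VSA the way NPS would, parses the attribute section of a constructed Access-Accept, ignores a VSA from another vendor, and performs the group match that selects the security policy. The User-Name value, the sample byte strings and the helper names are constructed for illustration.

```python
import struct

# Values from the recipe: Fortinet vendor code and vendor-assigned attribute number.
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name in Fortinet's RADIUS dictionary
VENDOR_SPECIFIC = 26         # RADIUS attribute type for Vendor-Specific (RFC 2865)
USER_NAME = 1                # RADIUS User-Name attribute type


def encode_attribute(attr_type, data):
    """Encode one RADIUS attribute TLV: type, total length (header included), value."""
    if len(data) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_fortinet_group_vsa(group_name):
    """Build the Vendor-Specific attribute NPS sends for the Fortinet group name."""
    value = group_name.encode("utf-8")
    # Vendor sub-attribute: vendor type, vendor length (its own 2-byte header included), data.
    sub_attr = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + sub_attr)


def parse_attributes(buf):
    """Walk a RADIUS attribute section and return a list of (type, value) pairs."""
    attrs, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("invalid attribute length")
        attrs.append((attr_type, buf[i + 2:i + length]))
        i += length
    return attrs


def fortinet_group_names(buf):
    """Extract every Fortinet-Group-Name carried in Vendor-Specific attributes."""
    names = []
    for attr_type, value in parse_attributes(buf):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue                      # another vendor's VSA; not ours to interpret
        j = 4                             # vendor data may hold several sub-attributes
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                break                     # malformed sub-attribute; stop parsing this VSA
            if vtype == FORTINET_GROUP_NAME:
                names.append(value[j + 2:j + vlen].decode("utf-8", "replace"))
            j += vlen
    return names


def select_user_group(buf, configured_groups):
    """Return the first configured FortiGate user group named by a received VSA, else None."""
    received = fortinet_group_names(buf)
    for group in configured_groups:
        if group in received:
            return group
    return None


# Constructed Access-Accept attribute section: User-Name "student1" plus the WiFi group VSA.
SAMPLE_ACCEPT_ATTRS = encode_attribute(USER_NAME, b"student1") + encode_fortinet_group_vsa("WiFi")

# Constructed reply whose VSA carries a different vendor ID: no Fortinet group is found.
OTHER_VENDOR_ATTRS = encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", 9) + b"\x01\x06WiFi")

if __name__ == "__main__":
    print(SAMPLE_ACCEPT_ATTRS.hex())
    print(select_user_group(SAMPLE_ACCEPT_ATTRS, ["WiFi", "Staff"]))   # WiFi
    print(select_user_group(OTHER_VENDOR_ATTRS, ["WiFi"]))             # None
```

The match is a plain string comparison between the group name configured on the FortiGate and the value NPS puts in the attribute, which is why the user group in step 5 needs no members: membership is decided on the NPS side by the Windows group condition, and the FortiGate only needs the name to agree.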

6. Creating an SSID with RADIUS authentication

Go to WiFi & Switch Controller > SSID. Create an SSID and set up DHCP for clients.
Set WPA2-Enterprise with RADIUS Server authentication, and choose DC-RADIUS.

7. Creating a security policy

Go to Policy & Objects > IPv4 Policy. Create a WiFi-to-Internet policy. Use WiFi group as the Source.

8. Results

Connect to the WiFi network, authenticate, and browse the Internet. Try this with a user that belongs to the WiFiAccess Windows AD Group.
Go to Monitor > Firewall User Monitor. You can see the User Name, User Group and verify that WSSO authentication Method was used.

 


Working with Ring Groups in FortiVoice Enterprise


It is far more convenient to establish a group number that clients can contact instead of manually calling each individual in a particular department. A ring group allows clients to call a single contact number. Both local extensions and auto attendants can dial a ring group.
 

This recipe guides you through the quick and easy process of configuring ring groups in FortiVoice Enterprise.

A ring group can reach a group of extensions. For example, ring group 301 can ring the sales group at extensions 111, 112, 113, and 114. When a customer calls the sales group, the first available salesperson answers for the group.
 

Creating a Ring Group

To create a ring group

  1. Go to Extensions > Groups > Ring Group.
  2. Select New.
  3. Enter a descriptive name for the ring group and a number.
  4. Enable the ring group by selecting the Enabled checkbox.
  5. Select whether you want all extensions in the group to ring when dialed or if you want individuals to be contacted one at a time.
  6. Select the available extensions or user groups that you want to include in the ring group and select the right arrow button to move them into the selected field.
  7. Select New in the External numbers section to add an external phone number to the ring group. For example, you can add the number of a remote employee to an established ring group.
  8. Select Create.

You can expand the Advanced setting section to configure options such as when to send a call to voicemail and call waiting. You can also edit call handling options, which we will cover in the next section.

 
[Screenshots: FVE Ring Group, FVE Ring Group 2]


 

Configuring Ring Group Call Handling

Call Handling establishes how the unit will handle each individual call that contacts a specific ring group. For example, a client may call a number and the unit will forward the call to another number depending on the time of day. 

To configure the call process in the Ring Group section

  1. Select the available option in the Call Handling section. It should say “Normal call handling”.
  2. Select the desired call status tab (No answer, Busy, or Unavailable). Each status can only be used for one call management configuration.
  3. Select either User defined or System default action in the Call process section. The System default action changes depending on the status section.
  4. If you select User defined, select New.
  5. Select a pre-configured schedule in the Schedule section or create your own. For more information on how to create and configure a schedule, see “Scheduling the FortiVoice unit” in the Administrator Guide.

    Voicemail: Enter the extension number.
    Play Announcement: Select the sound file.
    Auto Attendant: Select the auto attendant profile or create one. For more information on creating an auto attendant, see “Configuring auto attendants” in the FortiVoice Admin Guide.
    Forward: Enter the number to which you want the call forwarded.

  6. Select Create and then OK.
[Screenshots: FVE Ring Group 3, FVE Ring Group 4]


IPsec VPN for iOS 9


In this recipe, you will use the FortiGate IPsec VPN Wizard to set up an IPsec VPN between a FortiGate and a device running iOS 9. This configuration allows iPhone users to securely connect to an internal network.

The IPsec VPN is a pre-shared key configuration that also requires users to authenticate with their own credentials to be able to connect to the VPN.

This recipe assumes that a user (dbuchanan) and a user group (iphone-users) have already been created on the FortiGate.

An Apple iPhone SE running iOS 9.3.4 was used for this configuration.

1. Configuring the IPsec VPN using the IPsec VPN Wizard

On the FortiGate, go to VPN > IPsec Wizard.

Name the VPN connection (iPhoneVPN).

Select the Remote Access template, select the iOS Native device type, and select Next.

Set the Incoming Interface to the Internet-facing interface (wan1).

Select the Pre-shared Key authentication method and enter a pre-shared key.

Select the iphone-users user group and select Next.

Set Local Interface to the internal interface and set Local Address to all.

Enter an IP address range for VPN users in the Client Address Range field, enter a Subnet Mask, and select Create.

Make sure no other interfaces on the FortiGate are using the same address range.

A summary page shows the wizard’s configuration, including a remote-to-local access security policy.

2. Connecting to the IPsec VPN from iPhone

On the iPhone, go to Settings > General > VPN and select Add VPN Configuration.

Set Type to IPsec and enter a Description (required).

Set Server to the FortiGate’s Internet-facing interface, and enter the user’s name in Account.

Enter the user’s password, the pre-shared IPsec VPN secret, and select Done.

 

Make sure the IPsec VPN configuration is highlighted (indicated by the  icon), and select the button next to Not Connected.

The IPsec VPN will connect with the user’s credentials and secret. The status will change to Connected, and a VPN icon will appear at the top of the screen.

3. Results

To verify the connection, on the FortiGate, go to Log & Report > VPN Events. The user has been assigned an IP from the client address range.
You may also verify the user’s connection by going to FortiView > VPN.


Protecting a server running web applications


In this recipe, you will use a Web Application Firewall profile to protect a server that is running a web application, such as web mail. In this example, the default profile will be targeted to block SQL injection attempts, as well as generic attacks.

Web Application Firewall is only available when Inspection Mode is Proxy-based.

1. Enabling Web Application Firewall

Go to System > Features and enable Web Application Firewall. Select Show More and enable Multiple Security Profiles.

Apply your changes.

2. Editing the default Web Application Firewall profile

Web Application Firewall profiles are created with a variety of options, called Signatures and Constraints. Once these options are enabled, Action can be set to Allow, Monitor, or Block, and Severity can be set to High, Medium, or Low.

You can also use a Web Application Firewall profile to enforce an HTTP method policy, which controls the HTTP method allowed when accessing websites that match the specified pattern.

Go to Security Profiles > Web Application Firewall and edit the default profile.

In this example, the signatures for SQL Injection (Extended) and Generic Attacks (Extended) have been enabled, with the Action set to Block and Severity set to High.

Trojans and Known Exploits are also blocked by default.

3. Applying the profile to a security policy

Go to Policy & Objects > IPv4 Policies and edit the policy that allows access to the web server.

Under Security Profiles, enable Web Application Firewall and set it to use the default profile. Set the appropriate Proxy Option and set SSL/SSH Inspection to use the deep-inspection profile.

 

4. Results

Use the following URL to simulate an attack on your web server, substituting the IP address of your server:

http://<server IP>/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1

An error message appears, stating that the web application firewall has blocked the traffic.
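To show what the blocked request would do to an unprotected application, and what the application itself should do about it regardless of the WAF, the following Python is an added example, not code from the recipe or from Fortinet. It decodes the recipe’s query string as a web application would, then runs the decoded credentials through a login query built by string concatenation (the defect class the SQL Injection signatures target) and through a parameterised query, against a constructed in-memory SQLite table. The server IP 192.0.2.10, the user record and the function names are placeholders for illustration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed test URL carrying the recipe's payload; 192.0.2.10 stands in for the server IP.
TEST_URL = ("http://192.0.2.10/index.php"
            "?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1")


def build_db():
    """Constructed in-memory user table standing in for the web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the example short; real applications store hashes.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def credentials_from_url(url):
    """Decode the username and password query parameters the way the web app would."""
    params = parse_qs(urlsplit(url).query)
    return params.get("username", [""])[0], params.get("password", [""])[0]


def vulnerable_login(conn, username, password):
    """Builds the query by concatenation, so quotes in the input become part of the SQL."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def hardened_login(conn, username, password):
    """Parameterised query: the input is bound as data and cannot alter the SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(url=TEST_URL):
    """Run the decoded credentials through both versions; returns (vulnerable, hardened)."""
    conn = build_db()
    username, password = credentials_from_url(url)
    return (vulnerable_login(conn, username, password),
            hardened_login(conn, username, password))


if __name__ == "__main__":
    print(credentials_from_url(TEST_URL))
    print(compare())   # (True, False): only the concatenated query lets the payload log in
```

The decoded username is the string 1' or '1' = '1; in the concatenated query that string closes the quoted literal and appends an always-true condition, so the row count is non-zero and the login succeeds without a valid password. In the parameterised query the same string is compared as a whole against the username column and matches nothing. The WAF profile in this recipe blocks the request before it reaches the application, and the parameterised query removes the defect the block is protecting against.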

5. Offloading to a FortiWeb

If you have a FortiWeb, you may be able to offload the functions of the Web Application Control to your FortiWeb. To find out if this option is available, refer to the FortiOS or FortiWeb Release Notes for information about device compatibility.

Go to System > External Security Devices and enable HTTP Service. Enter your FortiWeb’s IP address.

If necessary, enable Authentication and enter the FortiWeb’s password.

 
