FortiDeceptor – System

System

Use the System pages to manage and configure the basic system options for FortiDeceptor. This includes administrator configuration, mail server settings, and maintenance information.

The System menu provides access to the following:

Administrators: Configure administrator user accounts.
Admin Profile: Configure user profiles to define user privileges.
Certificates: Configure CA certificates.
LDAP Servers: Configure LDAP servers.
RADIUS Servers: Configure RADIUS servers.
Mail Server: Configure the mail server.
SNMP: Configure SNMP.
FortiGuard: Configure FortiGuard settings and upgradeable packages.
Settings: Configure the idle timeout or reset all widgets to their default state.
Login Disclaimer: Configure the Login Disclaimer.
Table Customization: Define columns and order of Incident and Event tables.

Administrators

Use the System > Administrators page to configure administrator user accounts.

If a user's Admin Profile does not have Read Write privilege under System > Admin Profiles, the user can only view and edit their own information.

The following options are available:

Create New: Create a new administrator account.
Edit: Edit the selected entry.
Delete: Delete the selected entry.
Test Login: Test the selected user’s login settings. If an error occurs, a debug message appears.

The following information is displayed:

Name: The administrator account name.
Type: The administrator type:
    • Local
    • LDAP
    • RADIUS
Profile: The Admin Profile the user belongs to.

To create a new user:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Click Create New.
  3. Configure the following:
Administrator: Name of the administrator account. The name must be 1 to 30 characters using upper-case letters, lower-case letters, numbers, or the underscore character (_).
Password, Confirm Password: Password of the account. The password must be 6 to 64 characters using upper-case letters, lower-case letters, numbers, or special characters. This field is available when Type is set to Local.
Type: Select Local, LDAP, or RADIUS.
LDAP Server: When Type is LDAP, select an LDAP Server. For more information, see LDAP Servers.
RADIUS Server: When Type is RADIUS, select a RADIUS Server. For more information, see RADIUS Servers.
Admin Profile: Select the Admin Profile.
Trusted Host 1, Trusted Host 2, Trusted Host 3: Enter up to three IPv4 trusted hosts. Only users from trusted hosts can access FortiDeceptor.
Trusted IPv6 Host 1, Trusted IPv6 Host 2, Trusted IPv6 Host 3: Enter up to three IPv6 trusted hosts. Only users from trusted hosts can access FortiDeceptor.
Comments: Enter an optional comment.

Setting trusted hosts for administrators limits what computers an administrator can use to log into FortiDeceptor. When you identify a trusted host, FortiDeceptor only accepts the administrator’s login from the configured IP address or subnet. Attempts to log in with the same credentials from another IP address or subnet are dropped.

  4. Click OK.
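
The field rules and the trusted-host behavior described above can be checked before an account is created. The following is an added example, not Fortinet code: the dictionary keys (`name`, `type`, `password`, `trusted_v4`, `trusted_v6`) and the sample accounts are assumptions made for illustration, and `login_source_allowed` is only a model of the rule as the text states it.

```python
import ipaddress
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]{1,30}")  # Administrator name rule from step 3
MAX_HOSTS = 3                                # three IPv4 and three IPv6 slots


def parse_hosts(entries, version):
    """Parse trusted-host strings (address or address/prefix) of one IP version."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != version:
            raise ValueError(f"{entry} is not an IPv{version} host")
        nets.append(net)
    return nets


def check_account(acct):
    """Return the problems found in a planned administrator entry."""
    problems = []
    if not NAME_RE.fullmatch(acct["name"]):
        problems.append("name: use 1-30 letters, digits or underscores")
    if acct["type"] == "Local" and not 6 <= len(acct.get("password", "")) <= 64:
        problems.append("password: must be 6 to 64 characters")
    for key, version in (("trusted_v4", 4), ("trusted_v6", 6)):
        entries = acct.get(key, [])
        if len(entries) > MAX_HOSTS:
            problems.append(f"{key}: more than {MAX_HOSTS} entries")
        try:
            nets = parse_hosts(entries, version)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        problems += [f"{key}: {n} matches every address" for n in nets if n.prefixlen == 0]
    if not acct.get("trusted_v4") and not acct.get("trusted_v6"):
        problems.append("trusted hosts: none configured")
    return problems


def login_source_allowed(acct, source_ip):
    """Model of the trusted-host rule: the source must be inside a configured host or subnet."""
    if not acct.get("trusted_v4") and not acct.get("trusted_v6"):
        return True  # assumption: with no trusted host set, the source is not restricted
    addr = ipaddress.ip_address(source_ip)
    key = "trusted_v4" if addr.version == 4 else "trusted_v6"
    return any(addr in net for net in parse_hosts(acct.get(key, []), addr.version))


# Constructed sample entries (not taken from any device).
ACCOUNTS = [
    {"name": "soc_analyst1", "type": "Local", "password": "Corr3ct-Horse-Battery",
     "trusted_v4": ["10.20.30.0/24", "192.0.2.15"], "trusted_v6": ["2001:db8:10::/64"]},
    {"name": "ops admin", "type": "Local", "password": "abc",
     "trusted_v4": ["0.0.0.0/0"], "trusted_v6": []},
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct["name"], check_account(acct))
    print(login_source_allowed(ACCOUNTS[0], "10.20.31.1"))
```

The second sample account is flagged three times: for its name, its password length, and a trusted host that matches every IPv4 address.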

To edit a user account:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Select an account and click Edit.

Only the admin user can edit its own settings.

You must enter the old password before you can set a new password.

  3. Edit the account and click OK.

To delete one or more user accounts:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Select the user account you want to delete.
  3. Click Delete and confirm that you want to delete the user.

To test LDAP or RADIUS logins:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Select an LDAP or RADIUS user to test.
  3. Click Test Login.
  4. Enter the user password.
  5. Click OK.

If an error occurs, a debug message appears.

Admin Profiles

Use administrator profiles to control administrator access privileges to system features. When you create an administrator account, you assign a profile to the account.

You cannot modify or delete the following predefined administrator profiles:

    • SuperAdmin has access to all functionality.
    • Read only has read-only access.

Only users with the Super Admin profile can create, edit, and delete administrator profiles. Users can create, edit, and delete administrator profiles if they have Read Write privilege in their profile.

The Menu Access section has the following settings:

None: User cannot view or make changes to that page.
Read Only: User can view but not make any change to that page, except session-related user settings such as Table Customization, Dashboard, or Attack Map filter.
Read Write: User can view and make changes to that page.

The CLI Commands section has the following settings:

None: User cannot execute CLI commands.
Execute: User can execute CLI commands.

To create an Administrator Profile:

  1. Go to System > Admin Profiles.
  2. Click Create New.
  3. Specify the Profile Name.
  4. If you wish, add a Comment.
  5. Specify the privileges for Menu Access:
    • Dashboard: Dashboard
    • Deception: Customization, Deception OS, Deployment Network, Deployment Wizard, Decoy & Lure Status, Decoy Map, Whitelist
    • Incident: Analysis, Campaign, Attack Map
    • Fabric: FortiGate Integration, Quarantine Status, IOC Export
    • Network: Interfaces, System DNS, System Routing
    • System: Administrators, Admin Profiles, Certificates, LDAP Servers, RADIUS Servers, Mail Server, SNMP, FortiGuard, Settings, Login Disclaimer, System Settings, Table Customization
    • Log: All Events, Log Servers
  6. Specify the privileges for CLI Commands:
    • Configuration: Set, Unset
    • System: Reboot, Shutdown, Reset Configuration, Factory Reset, Firmware Upgrade, Reset Widgets, IP Tables, test-network, usg-license, Upload VM Firmware License, Resize VM Hard Disk, Set Confirm ID for Windows VM, List VM License, Show VM Status, VM reset, DC Image Status, Set Maintainer, Set Timeout for Remote Auth, Data Purge, Log Purge, DMZ Mode, fdn-pkg
    • Utilities: TCP Dump, Trace Route
  7. Click Save.

Certificates

Use this page to import, view, and delete certificates. Certificates are used for secure connection to an LDAP server, system HTTPS, and SSH services. FortiDeceptor has one default certificate firmware.

FortiDeceptor does not support generating certificates. FortiDeceptor supports importing certificates for SSH and HTTPS access using .crt, PKCS12, or .pem format.

The following options are available:

Import: Import a certificate.
Service: Configure specific certificates for HTTP and SSH servers.
View: View the selected CA certificate details.
Delete: Delete the selected certificate.

The following information is displayed:

Name: Name of the certificate.
Subject: Subject of the certificate.
Status: The certificate status, active or expired.
Service: HTTPS or SSH service that is using this certificate.

To import a certificate:

  1. Go to System > Certificates.
  2. Click Import.
  3. Enter the Certificate Name.
  4. If you want to import a password protected PKCS12 certificate, select PKCS12 Format.
  5. Click Choose File and locate the certificate and key files on your management computer.
  6. Click OK to import the certificate.

To view a certificate:

  1. Go to System > Certificates.
  2. Select a certificate and click View.

The following information is available:

Certificate Name: Name of the certificate.
Status: Certificate status.
Serial number: Certificate serial number.
Issuer: Issuer of the certificate.
Subject: Subject of the certificate.
Effective date: Date and time that the certificate became effective.
Expiration date: Date and time that the certificate expires.

To delete a CA certificate:

  1. Go to System > Certificates.
  2. Select the certificate you want to delete.
  3. Click Delete and confirm you want to delete the certificate.

LDAP Servers

FortiDeceptor supports remote authentication of administrators using LDAP servers. To use this feature, configure the server entries in FortiDeceptor for each authentication server in your network.

If you have configured LDAP support and require users to authenticate using an LDAP server, FortiDeceptor contacts the LDAP server for authentication. To authenticate with FortiDeceptor, the user enters a user name and password. FortiDeceptor sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, FortiDeceptor authenticates the user. If the LDAP server cannot authenticate the user, FortiDeceptor refuses the connection.

The following options are available:

Create New: Add an LDAP server.
Edit: Edit the selected LDAP server.
Delete: Delete the selected LDAP server.

The following information is displayed:

Name: LDAP server name.
Address: LDAP server address.
Common Name: LDAP common name.
Distinguished Name: LDAP distinguished name.
Bind Type: LDAP bind type.
Connection Type: LDAP connection type.

To create a new LDAP server:

  1. Go to System > LDAP Servers.
  2. Click Create New.
  3. Configure the following settings:
Name: A unique name to identify the LDAP server.
Server Name/IP: IP address or FQDN of the LDAP server.
Port: The port for LDAP traffic. The default port is 389.
Common Name: Common name identifier of the LDAP server. Most LDAP servers use cn. Some servers use other common name identifiers such as uid.
Distinguished Name: Distinguished name used to look up entries on LDAP servers. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.
Bind Type: The type of binding for LDAP authentication:
    • Simple
    • Anonymous
    • Regular
Username: When the Bind Type is set to Regular, enter the user name.
Password: When the Bind Type is set to Regular, enter the password.
Enable Secure Connection: Use a secure LDAP server connection for authentication.
Protocol: When Enable Secure Connection is selected, select LDAPS or STARTTLS.
CA Certificate: When Enable Secure Connection is selected, select a CA Certificate.

  4. Click OK.

RADIUS Servers

FortiDeceptor supports remote authentication of administrators using RADIUS servers. To use this feature, configure the server entries in FortiDeceptor for each authentication server in your network.

If you have configured RADIUS support and require users to authenticate using a RADIUS server, FortiDeceptor contacts the RADIUS server for authentication. To authenticate with FortiDeceptor, the user enters a user name and password. FortiDeceptor sends this user name and password to the RADIUS server. If the RADIUS server can authenticate the user, FortiDeceptor authenticates the user. If the RADIUS server cannot authenticate the user, FortiDeceptor refuses the connection.

The following options are available:

Create New: Add a RADIUS server.
Edit: Edit the selected RADIUS server.
Delete: Delete the selected RADIUS server.

The following information is displayed:

Name: RADIUS server name.
Primary Address: Primary server IP address.
Secondary Address: Secondary server IP address.
Port: Port used for RADIUS traffic. The default port is 1812.
Auth Type: The authentication type the RADIUS server requires. Select Any, PAP, CHAP, or MSv2. Any means FortiDeceptor tries all authentication types.

To add a RADIUS server:

  1. Go to System > RADIUS Servers.
  2. Click Create New.
  3. Configure the following settings:
Name: A unique name to identify the RADIUS server.
Primary Server Name/IP: IP address or FQDN of the primary RADIUS server.
Secondary Server Name/IP: IP address or FQDN of the secondary RADIUS server.
Port: Port for RADIUS traffic. The default port is 1812.
Auth Type: Authentication type the RADIUS server requires. Select Any, PAP, CHAP, or MSv2. Any means FortiDeceptor tries all authentication types.
Primary Secret: Primary RADIUS server secret.
Secondary Secret: Secondary RADIUS server secret.
NAS IP: NAS IP address.

  4. Click OK.

Mail Server

Use the System > Mail Server page to adjust mail server settings.

You can configure the following options:

Send Incidents Alerts: When enabled, FortiDeceptor sends an email alert to the Receiver Email List when it detects an incident.
SMTP Server Address: SMTP server address.
Port: SMTP server port number.
E-Mail Account: The mail server email account. This is the “from” address.
Login Account: The mail server login account.
Password, Confirm Password: Enter and confirm the password.
Receiver Email List: Enter one or more receiver email addresses.
Send Test Email: Send a test email to the global email list.

If an error occurs, the error message appears at the top of the page and is recorded in the System Logs.

SNMP

SNMP is a method to monitor your FortiDeceptor system on your local computer. You need an SNMP agent on your computer to read the SNMP information. Using SNMP, your FortiDeceptor system monitors for system events including CPU usage, memory usage, log disk space, interface changes, and malware detection. Go to System > SNMP to configure your FortiDeceptor system’s SNMP settings.

SNMP has two parts: the SNMP agent or the device that is sending traps, and the SNMP manager that monitors those traps. The SNMP communities on the monitored FortiDeceptor are hard coded and configured in the SNMP menu.

The FortiDeceptor SNMP implementation is read-only — SNMP v1, v2c, v3 compliant SNMP manager applications, such as those on your local computer, have read-only access to FortiDeceptor system information and can receive FortiDeceptor system traps.

You can also download FortiDeceptor and Fortinet core MIB files.

Configure the SNMP agent

The SNMP agent sends SNMP traps that originate on FortiDeceptor to an external monitoring SNMP manager defined in one of the FortiDeceptor SNMP communities. Typically, an SNMP manager is an application on a local computer that can read the SNMP traps and then generate reports or graphs.

The SNMP manager can monitor FortiDeceptor to determine if it is operating properly or if critical events are occurring. The description, location, and contact information for this FortiDeceptor system is part of the information an SNMP manager collects. This information is useful if the SNMP manager is monitoring many devices, and it enables a faster response when FortiDeceptor requires attention.

To configure SNMP agents:

  1. Go to System > SNMP.
  2. Configure the following settings:
SNMP Agent: When enabled, the FortiDeceptor SNMP agent sends FortiDeceptor SNMP traps.
Description: Description of this FortiDeceptor to identify this unit.
Location: Location of this FortiDeceptor if it requires attention.
Contact: Contact information of the person in charge of this FortiDeceptor.
SNMP v1/v2c: Create, edit, or delete SNMP v1 and v2c communities. You can enable or disable communities in the edit page. Columns include: Community Name, Queries, Traps, Enable.
SNMP v3: Create, edit, or delete SNMP v3 entries. You can enable or disable queries in the edit page. Columns include: Username, Security Level, Notification Host, and Queries.

To create an SNMP v1/v2c community:

  1. Go to System > SNMP.
  2. In the SNMP v1/v2c section, click Create New.
  3. Configure the following settings:
Enable: Enable the SNMP community.
Community Name: The name that identifies the SNMP community.
Hosts: The list of hosts that can use the settings in this SNMP community to monitor FortiDeceptor.
IP/Netmask: IP address and netmask of the SNMP hosts. Click Add to add additional hosts.
Queries v1, Queries v2c: Port number and if it is enabled. Enable queries for each SNMP version that FortiDeceptor uses.
Traps v1, Traps v2c: Local port number, remote port number, and if it is enabled. Enable traps for each SNMP version that FortiDeceptor uses.
SNMP Events: Events that cause FortiDeceptor to send SNMP traps to the community:
    • CPU usage is high
    • Memory is low
    • Log disk space is low
    • Incident is detected

  4. Click OK.

To create an SNMP v3 user:

  1. Go to System > SNMP.
  2. In the SNMP v3 section, click Create New.
  3. Configure the following settings:
Username: Name of the SNMPv3 user.
Security Level: Security level of the user:
    • None
    • Authentication only
    • Encryption and authentication
Authentication: Authentication is required when Security Level is either Authentication only or Encryption and authentication.
Method: Authentication method:
    • MD5 (Message Digest 5 algorithm)
    • SHA1 (Secure Hash algorithm)
Password: Authentication password of at least eight characters.
Encryption: Encryption is required if Security Level is Encryption and authentication.
Method: Encryption method:
    • DES
    • AES
Key: Encryption key of at least eight characters.
Notification Hosts (Traps)
IP/Netmask: IP address and netmask. Click Add to add more hosts.
Query
Port: Port number and if it is enabled.
SNMP V3 Events: SNMP events associated with that user:
    • CPU usage is high
    • Memory is low
    • Log disk space is low
    • Incident is detected

  4. Click OK.
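
The conditional rules for SNMP v3 users (when a password or key is required, and the eight-character minimum) and the host lists for v1/v2c communities can be reviewed before the settings are entered. This is an added example, not Fortinet code: the dictionary keys, the sample settings and the /24 review threshold are assumptions made for illustration.

```python
import ipaddress

LEVELS = ("None", "Authentication only", "Encryption and authentication")


def host_findings(hosts, label):
    """Flag missing or very wide IP/Netmask entries for queries or trap receivers."""
    if not hosts:
        return [f"{label}: no IP/Netmask entry defined"]
    out = []
    for entry in hosts:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen < 24:  # review threshold chosen for this example
            out.append(f"{label}: {net} covers {net.num_addresses} addresses")
    return out


def review_v3_user(user):
    """Check an SNMP v3 user against the field rules and prefer the stronger options."""
    level = user["security_level"]
    if level not in LEVELS:
        return [f"unknown security level {level!r}"]
    out = []
    if level == "None":
        out.append("security level None: requests are neither authenticated nor encrypted")
    else:
        if len(user.get("auth_password", "")) < 8:
            out.append("authentication password must be at least eight characters")
        if user.get("auth_method") == "MD5":
            out.append("authentication method MD5: SHA1 is the stronger option offered")
    if level == "Authentication only":
        out.append("authentication only: SNMP payloads are sent unencrypted")
    if level == "Encryption and authentication":
        if len(user.get("enc_key", "")) < 8:
            out.append("encryption key must be at least eight characters")
        if user.get("enc_method") == "DES":
            out.append("encryption method DES: AES is the stronger option offered")
    return out + host_findings(user.get("notification_hosts", []), "notification hosts")


def review_community(comm):
    """SNMP v1/v2c has no encryption, so the community name and host list are the controls."""
    out = ["v1/v2c: community name travels in clear text; SNMP v3 avoids this"]
    if comm["name"].lower() in ("public", "private"):
        out.append(f"community name {comm['name']!r} is a widely known default")
    return out + host_findings(comm.get("hosts", []), "hosts")


# Constructed sample settings (not exported from any device).
V3_USERS = [
    {"username": "nms_ro", "security_level": "Encryption and authentication",
     "auth_method": "SHA1", "auth_password": "long-auth-passphrase",
     "enc_method": "AES", "enc_key": "long-priv-passphrase",
     "notification_hosts": ["10.20.40.10/32"]},
    {"username": "legacy", "security_level": "Authentication only",
     "auth_method": "MD5", "auth_password": "short", "notification_hosts": ["10.0.0.0/8"]},
]
COMMUNITY = {"name": "public", "hosts": []}

if __name__ == "__main__":
    for u in V3_USERS:
        print(u["username"], review_v3_user(u))
    print(COMMUNITY["name"], review_community(COMMUNITY))
```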

To download MIB files:

  1. At the bottom of the SNMP page, select the MIB file you want to download to your management computer.

FortiGuard

  1. Go to System > FortiGuard.
  2. The following options and information are available:
Module Name: The FortiGuard module name, including: AntiVirus Scanner, AntiVirus Extended Signature, AntiVirus Active Signature, AntiVirus Extreme Signature, IDS Engine, IDS Signature, Anti-Reconnaissance & Anti-Exploit Engine. All modules automatically install update packages when they are available on the FDN.
Current Version: The current version of the module.
Release Time: The time that module was released.
Last Update Time: The time that module was last updated.
Last Check Status: The status of the last update attempt.
Upload Package File: Select Browse to locate a package file on the management computer, then select Submit to upload the package file to the FortiDeceptor. When the unit has no access to the Fortinet FDN servers, the user can go to the Customer Service and Support site to download package files manually.
FortiGuard Server Location: Select FDN servers for package update and Web Filtering query. By default, the selection is Nearest, which means the closest FDN server according to the unit’s time zone is used. When US Region is selected, only servers inside United States are used.

FortiGuard Server Settings
Use override FDN server to download module updates: Select to enable an override FDN server, or FortiManager, to download module update, then enter the server IP address or FQDN in the text box. When an overridden FDN server is used, FortiGuard Server Location will be disabled. Click Connect FDN Now button to schedule an immediate update check.
Connect FDN Now: Click the Connect FDN Now button to connect the override FDN server/Proxy.

FortiGuard Web Filter Settings
Use override server address for web filtering query: Select to enable an override server address for web filtering query, then enter the server IP address (IP address or IP address:port) or FQDN in the text box. By default, the closest web filtering server according to the unit’s time zone is used. If port is not provided, target UDP port 53 will be used.

  3. Click Apply to apply your changes.

Settings

Go to System > Settings to configure the idle timeout for the administrator account.

To configure idle timeout:

  1. Go to System > Settings.
  2. Enter a value between 1 and 480 minutes.
  3. Click OK.

To reset all widgets:

You can reset all the widgets in the Dashboard by clicking the Reset button.

Login Disclaimer

Go to System > Login Disclaimer to customize the warning message, and to enable or disable the login disclaimer.

If enabled, the disclaimer appears when a user tries to log into the unit.

Table Customization

To customize the columns available for Incidents or Events:

  1. Go to System > Table Customization.
  2. In the Incident Columns pane, drag and drop the columns from the Available Column Headers to the Customized Column Headers and Orders.
  3. In the Event Columns pane, drag and drop the columns from the Available Column Headers to the Customized Column Headers and Orders.
  4. In the Table Settings pane, specify the Page Size and select the View Type.
  5. Click Save.

 


About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
