
FortiDeceptor – System Log

System Log

Use the Log pages to view and download FortiDeceptor system logs. Logs can be stored locally on FortiDeceptor or sent to a remote log server.

Logging Levels

FortiDeceptor log levels are Emergency (reserved), Alert, Critical, Error, Warning, Information, and Debug. The following table provides an example log entry for each level.

Alert
  Description: Immediate action is required.
  Example: Suspicious URL visit domain.com from 192.12.1.12 to 42.156.162.21:80.
Critical
  Description: Functionality is affected.
  Example: System database is not ready. A program should have started to rebuild it and it shall be ready after a while.
Error
  Description: An erroneous condition exists and functionality is probably affected.
  Example: Errors that occur when deleting certificates.
Warning
  Description: Functionality might be affected.
  Example: Submitted file AVSInstallPack.exe is too large: 292046088.
Information
  Description: General information about system operations.
  Example: LDAP server information that was successfully updated.
Debug
  Description: Detailed information for debugging.
  Example: Launching job for file. jobid=2726271637747836543 filename=log md5=ebe5ae2bec3b653c2970e8cec9f5f1d9 sha1=06ea6108d02513f0d278ecc8d443df86dac2885b sha256=d678da5fb9ea3ee20af779a4ae13c402585ebb070edcf20091cb20509000f74b

Raw logs

You can download and save raw logs to the management computer by clicking Download Log. Raw logs are saved as a text file with the extension .log.gz. You can search the system log for more details.

Sample raw logs file content

itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Established SSH connection Description=10.95.5.83 Username=NA Password=NA"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=SSH connection closed Description=83ssh Username=83ssh Password=83ssh"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Authentication Failure Description=83ssh Username=83ssh Password=83ssh"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Change to dir Description=/home/share/samba Username=83samba Password=83samba"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Access path Description=samba Username=83samba Password=83samba"
itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg="SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Disconnect net share Description=samba Username=83samba Password=83samba"
itime=1535413201 date=2018-08-27 time=16:40:01 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=SSH connection closed Description=83ssh Username=83ssh Password=83ssh"
itime=1535413201 date=2018-08-27 time=16:40:01 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Authentication Failure Description=83ssh Username=83ssh Password=83ssh"
itime=1535413198 date=2018-08-27 time=16:39:58 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=Established SSH connection Description=10.95.5.83 Username=NA Password=NA"
itime=1535413198 date=2018-08-27 time=16:39:58 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Disconnect net share Description=samba Username=83samba Password=83samba"
itime=1535413197 date=2018-08-27 time=16:39:57 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Change to dir Description=/home/share/samba Username=83samba Password=83samba"
itime=1535413197 date=2018-08-27 time=16:39:57 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg="Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Access path Description=samba Username=83samba Password=83samba"

Log Categories

Log > All Events shows all logs.

The following options are available:

Download Log   Download the raw log file to the management computer.
History Logs   Enable to include historical logs in Log Search.
Refresh Refresh the log message list.
Filter Click Filter to add search filters. You can select different categories to search the logs. Search is not case sensitive.

The following information is displayed:

# Log number.
Date/Time Date and time the log message was created.
Level Level of the log message. For logging levels, see Logging Levels.
User The user to which the log message relates. User can be a specific user or system.
Message Detailed log message.

Log Servers

You can send FortiDeceptor logs to a remote syslog server or Common Event Format (CEF) server. In Log > Log Servers, you can create new remote log servers, and edit and delete remote log servers. You can configure up to 30 remote log server entries.

The following options are available:

Create New Create a log server entry.
Edit Edit the selected log server entry.
Delete Delete the selected log server entry.

This page displays the following information:

Name Name of the server entry.
Server Type Server type: syslog or CEF.
Server Address Log server address.
Port Log server port number.
Status Log server status, Enabled or Disabled.

To create a server entry:

  1. Go to Log > Log Servers.
  2. Click Create New.
  3. Configure the following settings:
Name Name of the new server entry.
Type Select Syslog Protocol or Common Event Format.
Log Server Address Log server IP address or FQDN.
Port Port number. The default port is 514.
Status Enable or disable sending logs to the server.
Log Level Select the logging levels to forward to the log server. For logging levels, see Logging Levels.
  4. Click OK.

To edit or delete a log server:

  1. Go to Log > Log Servers.
  2. Select an entry and click Edit or Delete.

FortiDeceptor – System Settings

System Settings

Dashboard

The System Status dashboard displays widgets that provide information and enable you to configure basic system settings. All the widgets appear on a single dashboard. You can select which widgets to display and you can customize the widgets.

The following widgets are available.

System Information Basic information about the FortiDeceptor system, such as the serial number, system up time, and license status information.
System Resources Real-time usage status of the CPU and memory.
Top Critical Logs The top logs that are classified as Critical.
Deception VM License The list of VM license keys and their expiry dates.
Disk Monitor The RAID level and status, disk usage, and disk management information.
Incidents & Events Distribution Information about the number of incidents and events, and their level of severity.
Incidents & Events Count Number of events occurring each day.
Decoy Distribution by OS Number of decoys with a chart showing the OS such as Windows or Ubuntu.
Lure Distribution Number of decoys deployed with the chart showing the type of service such as SSH, Samba, SMB, SCADA, or RDP.
Incidents Distribution by Service Information about the number and types of incidents, such as SMB, HTTP, TCP, and so on.
Top 10 Attackers by Incidents The top 10 attackers by the number of incidents.
Top 10 Attackers by Events The top 10 attackers by the number of events.
Global Incidents Distribution Displays the number of Attackers by country on a global map.
Top 10 IPS attacks Displays the top 10 IPS attackers by the number of events.

Customizing the dashboard

You can customize the FortiDeceptor system dashboard. You can select which widgets to display and where they are located on the page.

  • To add a widget, click Add Widget in the Dashboard’s floating toolbar at the bottom, and then select the widgets you want to add.
  • To edit a widget, click the Edit icon in the widget’s title bar, change the settings, and click OK.
  • To move a widget, click and drag the widget’s title bar.
  • To refresh a widget’s data, click Refresh in the widget’s title bar.
  • To reset all widgets to their default settings, click Reset in the Dashboard’s floating toolbar at the bottom.
  • To hide a widget, click the Close icon in the widget’s title bar.

System Information

The System Information widget displays information about the FortiDeceptor unit and enables you to configure basic system settings.

This widget displays the following information and options.

Host Name The name assigned to this FortiDeceptor unit. Click Change to edit the FortiDeceptor host name.
Serial Number Serial number of this FortiDeceptor unit. The serial number is unique to the FortiDeceptor unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
System Time The current time on the FortiDeceptor internal clock or NTP server. Click Change to configure the system time.
Firmware Version Version and build number of the firmware installed on the FortiDeceptor unit.

To update the firmware, you must download the latest version from the Fortinet Customer Service & Support portal. Click Update or UPDATE AVAILABLE and select the firmware image to load from the local hard disk or network volume.

Firmware License To load a firmware license, click Upload License and select a license file.
System Configuration Date and time of the last system configuration backup. Click Backup/Restore to go to the System Recovery page.
Current User The administrator that is currently logged into the system.
Uptime Duration that the FortiDeceptor unit has been running since it booted up.
Deception OS Deception OS license activation and initialization status.

Displays an up icon if the Deception OS is activated and initialized. Displays a Caution icon if the Deception OS is initializing or having issues. Hover the mouse pointer on the status icon to view detailed information. For more information, see Log > All Events.

To go to Deception > Deception OS to see the images available on FortiDeceptor, click Update or UPDATE AVAILABLE.

After purchase, download the license file from the Fortinet Customer Service & Support portal. Then click Upload License to select the license file. The system reboots and activates the newly-installed Deception OS.

FDN Download Server Shows if the FDN download server is accessible. When the FDN download server is inaccessible, no update packages are downloaded.
Web Filtering Server Shows if the web filtering query server is accessible.
Antivirus DB Contract Brief information about this contract.
Antivirus Engine Contract Brief information about this contract.
IDS Engine/DB Contract Brief information about this contract.
Web Filtering Contract Brief information about this contract.
ARAE Engine Contract Brief information about this contract.
Custom VM Contract Brief information about this contract.

System Resources

This widget displays the following information and options.

CPU Usage Gauges the CPU percentage usage.
Memory Usage Gauges the Memory percentage usage.
Reboot/Shutdown Options to shut down or reboot the FortiDeceptor device.

Decoy Distribution by OS

This widget displays the following information in a pie chart.

Ubuntu Number and percentage of Ubuntu Decoy VMs.
Windows Number and percentage of Windows Decoy VMs.
SCADA Number and percentage of SCADA Decoy VMs.

Hover over the pie chart to see the percentage. Click the pie chart to split out a Decoy from the pie chart.

Lure Distribution

This widget displays the number of lures deployed with the following information in a pie chart.

SSH Number and percentage of decoy images using SSH service.
SAMBA Number and percentage of decoy images using SAMBA service.
SMB Number and percentage of decoy images using SMB service.
RDP Number and percentage of decoy images using RDP service.
HTTP Number and percentage of decoy images using HTTP service.
FTP Number and percentage of decoy images using FTP service.
TFTP Number and percentage of decoy images using TFTP service.
SNMP Number and percentage of decoy images using SNMP service.
MODBUS Number and percentage of decoy images using MODBUS service.
S7COMM Number and percentage of decoy images using S7COMM service.
BACNET Number and percentage of decoy images using BACNET service.
IPMI Number and percentage of decoy images using IPMI service.
TRICONEX Number and percentage of decoy images using TRICONEX service.
Guardian-AST Number and percentage of decoy images using Guardian-AST service.
IEC104 Number and percentage of decoy images using IEC104 service.

Hover over the pie chart to see the percentage. Click the pie chart to split out a service from the pie chart.

Top Critical Logs

This widget displays recent critical logs including the time and a brief description of the event.

Click the edit icon to change the refresh interval and top count.

Disk Monitor

This widget is only available in hardware-based models. This widget displays the RAID level and status, disk usage, and disk management information.

This widget displays the following information.

Summary Disk summary information including RAID level and status.
RAID Level The RAID level.
Disk Status The disk status.
Disk Usage The current level of disk usage.
Disk Number The disk number.
Disk Size The disk size.

Basic System Settings

Change the GUI idle timeout

By default, the GUI disconnects administrative sessions if there is no activity for five minutes.

To change the idle timeout length:

  1. Go to System > Settings.
  2. Change the Idle timeout minutes (1 to 480 minutes).
  3. Click OK.

The setting takes effect after you log out and log back in.

Microsoft Windows VM license activation

When Fortinet ships FortiDeceptor, the default Windows guest VM image is activated. The Windows VM license is in an unactivated state and needs re-activation.

Log out of the unit

To log out of the unit:

  1. In the FortiDeceptor banner at the top-right, click the user name and select Logout.

If you only close the browser or browse to another web site, you remain logged in until the idle timeout period elapses.

Update FortiDeceptor firmware

A best practice is to stay current on patch releases for your current major release. Only update to a new major release or version when you are looking for specific functionality in the new major release or version. For more information, see the FortiDeceptor Release Notes or contact Technical Support.

Before any firmware update, complete the following:

  • Download the FortiDeceptor firmware image and Release Notes document from the Fortinet Customer Service & Support portal. Review the Release Notes, including the special notices, upgrade information, product integration and support, and resolved and known issues.
  • Back up your configuration file. It is highly recommended that you create a system backup file and save it to your management computer. You can also schedule the system to back up system configurations to a remote server.
  • Plan a maintenance window for the firmware update. If possible, consider setting up a test environment to check that the update does not negatively impact your network.

To update the FortiDeceptor firmware:

  1. Go to Dashboard > System Information > Firmware Version.
  2. In the System Information widget beside Firmware Version, click Update or UPDATE AVAILABLE.
  3. Click Choose File and locate the firmware image on your management computer; then click Submit to start the upgrade.

Alternatively, in the AVAILABLE FIRMWARE pane Install column, click the download icon beside the firmware release you want. The system upgrades and restarts automatically.

When the update is complete, test your FortiDeceptor device to ensure that the update was successful.

Reboot or shut down the unit

To avoid potential configuration or hardware problems, always use the GUI or CLI to reboot or shut down FortiDeceptor.

To reboot the FortiDeceptor unit:

  1. Go to Dashboard > System Resources.
  2. Click Reboot.
  3. Enter a reason for the reboot in the Reason field.
  4. Click OK.

After reboot, the FortiDeceptor VM initialization might take about 30 minutes. The Decoy VM icon in the System Information widget shows a warning sign until the process completes.

When FortiDeceptor boots or reboots, the following critical event log message is normal:

The VM system is not running and might need more time to startup. Please check system logs for more details. If needed, please reboot system.

After upgrading FortiDeceptor to a new firmware version, the system might clean up data and a Database is not ready message displays. The clean up time depends on the size of historical data.

To shut down the FortiDeceptor unit:

  1. Go to Dashboard > System Resources.
  2. Click Shutdown.
  3. Enter a reason for the shutdown in the Reason field.
  4. Click OK.

Back up or restore the system configuration

We recommend that your regular maintenance includes system backups. Always back up before upgrading firmware or making major system configuration changes. Save configuration backups to a management computer in case you need to restore the system after a network event.

To back up the FortiDeceptor configuration to your local management computer:

  1. Go to Dashboard > System Information > System Configuration.
  2. Click Backup/Restore.
  3. Click Click here to save your backup file.

To restore the FortiDeceptor configuration:

  1. Go to Dashboard > System Information > System Configuration.
  2. Click Backup/Restore.
  3. Click Choose File and locate the backup file on your management computer.
  4. Click Restore to load the backup file.
  5. Click OK.

When the system configuration restore process completes, the login page appears.

When you do a system restore, all configurations are replaced with the backup data. The system reboots automatically to complete the restore. Only the backup configuration file from the previous or the same release is supported.

Network

The Network page provides interface, DNS, and routing management options.

Interfaces

To view and manage interfaces, go to Network > Interfaces.

This page displays the following information and options:

Interface The interface name and description. The failover IP is listed under this field with the descriptor (cluster external port).
port1 (administration port) Port1 is hard-coded as the administration interface. You can enable or disable HTTP, SSH, and Telnet access rights on port1. HTTPS is enabled by default. You can use port1 for Device mode although a different, dedicated port is recommended.
port2 Decoy VM deployment.
port3 Decoy VM deployment.
port4 Decoy VM deployment.
port5/port6 Decoy VM deployment.
port7/port8 Decoy VM deployment.
IPv4 The IPv4 IP address and subnet mask of the interface.
IPv6 The IPv6 IP address and subnet mask of the interface.
Interface Status The state of the interface:
  • Interface up
  • Interface down
  • Interface is being used by sniffer
Link Status The link status:
  • Link up
  • Link down
Access Rights The access rights associated with the interface. HTTPS is enabled by default on port1. You can enable HTTP, SSH, and Telnet access on port1.
Edit Select the interface and click Edit in the toolbar to edit the interface.

To edit an interface:

  1. Select the IPv4 or IPv6 address of an interface name and click Edit in the toolbar.
  2. Edit the IP Address / Netmask.
  3. If you want, you can change the Interface Status.
  4. Click OK.

To edit administrative access:

  1. Select port1 (administration port) and click Edit in the toolbar.
  2. Edit the Access Rights.

HTTPS is enabled by default. You can also enable HTTP, SSH, and Telnet support.

  3. If necessary, edit the IP Address / Netmask.
  4. Click OK.

DNS Configuration

You can configure the primary and secondary DNS server addresses in Network > System DNS.

System Routing

Use the Network > System Routing page to manage static routes of your FortiDeceptor device.

The following options are available:

Create New Create a new static route.
Edit Edit the selected static route.
Delete Delete the selected static route.

The following information is displayed:

IP/Mask   IP address and subnet mask.
Gateway   Gateway IP address.
Device   The interface associated with the static route.

To create a new static route:

  1. Click Create New.
  2. Enter the Destination IP address, Mask, and Gateway.
  3. Select a Device (or interface).
  4. Click OK.

To edit a static route:

  1. Select a Static Route
  2. Click Edit.
  3. Edit the destination IP address and mask, gateway, and device (or interface) as required.
  4. Click OK to apply the edits to the static route.

To delete a static route or routes:

  1. Select one or more Static Routes.
  2. Click Delete.
  3. Confirm the deletion.


FortiDeceptor – System

System

Use the System pages to manage and configure the basic system options for FortiDeceptor. This includes administrator configuration, mail server settings, and maintenance information.

The System menu provides access to the following:

Administrators Configure administrator user accounts.
Admin Profile Configure user profiles to define user privileges.
Certificates Configure CA certificates.
LDAP Servers Configure LDAP servers.
RADIUS Servers Configure RADIUS servers.
Mail Server Configure the mail server.
SNMP Configure SNMP.
FortiGuard Configure FortiGuard settings and upgradeable packages.
Settings Configure the idle timeout or reset all widgets to their default state.
Login Disclaimer Configure the Login Disclaimer.
Table Customization Define columns and order of Incident and Event tables.

Administrators

Use the System > Administrators page to configure administrator user accounts.

If a user’s Admin Profile does not have Read Write privilege under System > Admin Profiles, the user can only view and edit their own information.

The following options are available:

Create New Create a new administrator account.
Edit Edit the selected entry.
Delete Delete the selected entry.
Test Login Test the selected user’s login settings. If an error occurs, a debug message appears.

The following information is displayed:

Name   The administrator account name.
Type   The administrator type:
  • Local
  • LDAP
  • RADIUS
Profile The Admin Profile the user belongs to.

To create a new user:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Click Create New.
  3. Configure the following:
Administrator Name of the administrator account. The name must be 1 to 30 characters using upper-case letters, lower-case letters, numbers, or the underscore character (_).
Password, Confirm Password Password of the account. The password must be 6 to 64 characters using upper-case letters, lower-case letters, numbers, or special characters.

This field is available when Type is set to Local.

Type Select Local, LDAP, or RADIUS.
LDAP Server When Type is LDAP, select an LDAP Server. For more information, see LDAP Servers.
RADIUS Server When Type is RADIUS, select a RADIUS Server. For more information, see RADIUS Servers.
Admin Profile Select the Admin Profile.
Trusted Host 1, Trusted Host 2, Trusted Host 3 Enter up to three IPv4 trusted hosts. Only users from trusted hosts can access FortiDeceptor.
Trusted IPv6 Host 1, Trusted IPv6 Host 2, Trusted IPv6 Host 3 Enter up to three IPv6 trusted hosts. Only users from trusted hosts can access FortiDeceptor.
Comments Enter an optional comment.

Setting trusted hosts for administrators limits what computers an administrator can use to log into FortiDeceptor. When you identify a trusted host, FortiDeceptor only accepts the administrator’s login from the configured IP address or subnet. Attempts to log in with the same credentials from another IP address or subnet are dropped.

  4. Click OK.
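As an added illustration of the trusted-host restriction described above (example code, not FortiDeceptor’s own logic), the following Python models an account’s Trusted Host and Trusted IPv6 Host fields as address or CIDR strings, checks a login’s source address against them, and flags accounts that have no trusted hosts and are therefore reachable from any address. The account records, the field names, and the assumption that an account with no trusted hosts configured is unrestricted are this example’s own; the page only states that configured hosts restrict where the credentials are accepted from.

```python
import ipaddress

# Constructed example accounts (hypothetical field names). The two lists mirror
# the Trusted Host 1-3 (IPv4) and Trusted IPv6 Host 1-3 fields on the
# Administrators page; entries may be a single address or an address/subnet.
ACCOUNTS = {
    # Weak setting: no trusted hosts, so the credentials are accepted from anywhere.
    "ops_unrestricted": {"trusted_hosts": [], "trusted_ipv6_hosts": []},
    # Hardened setting: one management subnet, one jump host, one IPv6 prefix.
    "ops_restricted": {
        "trusted_hosts": ["10.0.10.0/24", "192.0.2.7"],
        "trusted_ipv6_hosts": ["2001:db8:10::/64"],
    },
}


def trusted_networks(account):
    """Parse an account's trusted hosts into network objects.

    A bare address such as 192.0.2.7 becomes a single-host /32 (or /128)
    network, so hosts and subnets are handled by the same containment test.
    Only three entries per family are honoured, matching the three fields.
    """
    entries = account["trusted_hosts"][:3] + account["trusted_ipv6_hosts"][:3]
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def login_allowed(account, source_ip):
    """Return True if a login for this account may proceed from source_ip.

    Assumption for this example: an account with no trusted hosts is unrestricted.
    Containment in ip_network is False across address families, so an IPv4
    source never matches an IPv6 trusted host, and vice versa.
    """
    networks = trusted_networks(account)
    if not networks:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def unrestricted_accounts(accounts):
    """Hardening check: names of accounts that accept logins from any address."""
    return sorted(name for name, acct in accounts.items() if not trusted_networks(acct))


if __name__ == "__main__":
    for name, acct in ACCOUNTS.items():
        for src in ("10.0.10.44", "198.51.100.9", "2001:db8:10::5"):
            verdict = "allowed" if login_allowed(acct, src) else "dropped"
            print(f"{name:18} {src:16} -> {verdict}")
    print("accounts without trusted hosts:", unrestricted_accounts(ACCOUNTS))
```

The unrestricted_accounts check is the part worth keeping in a periodic review: the page’s model only limits an account once trusted hosts are set, so an account with all six fields empty is the one to look for.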

To edit a user account:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Select an account and click Edit.

Only the admin user can edit its own settings.

You must enter the old password before you can set a new password.

  3. Edit the account and click OK.

To delete one or more user accounts:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Select the user account you want to delete.
  3. Click Delete and confirm that you want to delete the user.

To test LDAP or RADIUS logins:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Select an LDAP or RADIUS user to test.
  3. Click Test Login.
  4. Enter the user password.
  5. Click OK.

If an error occurs, a debug message appears.

Admin Profiles

Use administrator profiles to control administrator access privileges to system features. When you create an administrator account, you assign a profile to the account.

You cannot modify or delete the following predefined administrator profiles:

  • SuperAdmin has access to all functionality.
  • Read only has read-only access.

Only users with the Super Admin profile can create, edit, and delete administrator profiles. Users can create, edit, and delete administrator profiles if they have Read Write privilege in their profile.

The Menu Access section has the following settings:

None User cannot view or make changes to that page.
Read Only User can view but not make any change to that page, except session-related user settings such as Table Customization, Dashboard, or Attack Map filter.
Read Write User can view and make changes to that page.

The CLI Commands section has the following settings:

None User cannot execute CLI commands.
Execute User can execute CLI commands.

To create an Administrator Profile:

  1. Go to System > Admin Profiles.
  2. Click Create New.
  3. Specify the Profile Name.
  4. If you wish, add a Comment.
  5. Specify the privileges for Menu Access:
    • Dashboard
      • Dashboard
    • Deception
      • Customization
      • Deception OS
      • Deployment Network
      • Deployment Wizard
      • Decoy & Lure Status
      • Decoy Map
      • Whitelist
    • Incident
      • Analysis
      • Campaign
      • Attack Map
    • Fabric
      • FortiGate Integration
      • Quarantine Status
      • IOC Export
    • Network
      • Interfaces
      • System DNS
      • System Routing
    • System
      • Administrators
      • Admin Profiles
      • Certificates
      • LDAP Servers
      • RADIUS Servers
      • Mail Server
      • SNMP
      • FortiGuard
      • Settings
      • Login Disclaimer
      • System Settings
      • Table Customization
    • Log
      • All Events
      • Log Servers
  6. Specify the privileges for CLI Commands:
    • Configuration
      • Set
      • Unset
    • System
      • Reboot
      • Shutdown
      • Reset Configuration
      • Factory Reset
      • Firmware Upgrade
      • Reset Widgets
      • IP Tables
      • test-network
      • usg-license
      • Upload VM Firmware License
      • Resize VM Hard Disk
      • Set Confirm ID for Windows VM
      • List VM License
      • Show VM Status
      • VM reset
      • DC Image Status
      • Set Maintainer
      • Set Timeout for Remote Auth
      • Data Purge
      • Log Purge
      • DMZ Mode
      • fdn-pkg
    • Utilities
      • TCP Dump
      • Trace Route
  7. Click Save.

Certificates

Use this page to import, view, and delete certificates. Certificates are used for secure connection to an LDAP server, system HTTPS, and SSH services. FortiDeceptor ships with one default certificate in its firmware.

FortiDeceptor does not support generating certificates. FortiDeceptor supports importing certificates for SSH and HTTPS access using .crt, PKCS12, or .pem format.

The following options are available:

Import   Import a certificate.
Service Configure specific certificates for HTTP and SSH servers.
View View the selected CA certificate details.
Delete Delete the selected certificate.

The following information is displayed:

Name Name of the certificate.
Subject Subject of the certificate.
Status The certificate status, active or expired.
Service HTTPS or SSH service that is using this certificate.

To import a certificate:

  1. Go to System > Certificates.
  2. Click Import.
  3. Enter the Certificate Name.
  4. If you want to import a password protected PKCS12 certificate, select PKCS12 Format.
  5. Click Choose File and locate the certificate and key files on your management computer.
  6. Click OK to import the certificate.

To view a certificate:

  1. Go to System > Certificates.
  2. Select a certificate and click View.

The following information is available:

Certificate Name Name of the certificate.
Status Certificate status.
Serial number Certificate serial number.
Issuer Issuer of the certificate.
Subject Subject of the certificate.
Effective date Date and time that the certificate became effective.
Expiration date Date and time that the certificate expires.

To delete a CA certificate:

  1. Go to System > Certificates.
  2. Select the certificate you want to delete.
  3. Click Delete and confirm you want to delete the certificate.

LDAP Servers

FortiDeceptor supports remote authentication of administrators using LDAP servers. To use this feature, configure the server entries in FortiDeceptor for each authentication server in your network.

If you have configured LDAP support and require users to authenticate using an LDAP server, FortiDeceptor contacts the LDAP server for authentication. To authenticate with FortiDeceptor, the user enters a user name and password. FortiDeceptor sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, FortiDeceptor authenticates the user. If the LDAP server cannot authenticate the user, FortiDeceptor refuses the connection.

The following options are available:

Create New Add an LDAP server.
Edit Edit the selected LDAP server.
Delete Delete the selected LDAP server.

The following information is displayed:

Name LDAP server name.
Address LDAP server address.
Common Name LDAP common name.
Distinguished Name LDAP distinguished name.
Bind Type LDAP bind type.
Connection Type LDAP connection type.

To create a new LDAP server:

  1. Go to System > LDAP Servers.
  2. Click Create New.
  3. Configure the following settings:
Name A unique name to identify the LDAP server.
Server Name/IP IP address or FQDN of the LDAP server.
Port The port for LDAP traffic. The default port is 389.
Common Name Common name identifier of the LDAP server.

Most LDAP servers use cn. Some servers use other common name identifiers such as uid.

Distinguished Name Distinguished name used to look up entries on LDAP servers. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.
Bind Type The type of binding for LDAP authentication:
  • Simple
  • Anonymous
  • Regular
Username When the Bind Type is set to Regular, enter the user name.
Password When the Bind Type is set to Regular, enter the password.
Enable Secure Connection Use a secure LDAP server connection for authentication.
Protocol When Enable Secure Connection is selected, select LDAPS or STARTTLS.
CA Certificate When Enable Secure Connection is selected, select a CA Certificate.
  4. Click OK.
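As an added example (mine, not FortiDeceptor's own code), the following Python builds the LDAPv3 BindRequest (RFC 4511) that the bind types above put on the wire, using the Common Name identifier and Distinguished Name from the settings. It shows why Enable Secure Connection matters: a simple bind carries the DN and password as plain octets, so on port 389 without LDAPS or STARTTLS the administrator's password and, for a Regular bind, the configured bind account's password are readable by anyone on the path. The message sequence per bind type (Simple binds directly as the user; Anonymous and Regular first bind anonymously or with the configured Username/Password to look the user up, then bind as the user) is my reading of how Fortinet products use these bind types and is not stated on this page. The DNs and passwords are constructed values.

```python
# Added example: BER-encode the LDAPv3 BindRequest (RFC 4511) that each bind
# type produces. Not FortiDeceptor code; the per-bind-type message sequence is
# an assumption (see lead-in), the encoding itself follows the RFC.


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value triplet."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Non-negative INTEGER (enough for messageID and protocol version)."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def user_dn(common_name_id: str, username: str, distinguished_name: str) -> str:
    """Common Name identifier (cn, or uid on some servers) plus the
    Distinguished Name give the entry the user is bound as."""
    return f"{common_name_id}={username},{distinguished_name}"


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }.
    The simple credential is a plain OCTET STRING: no hashing, no encryption."""
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x60, op))


def bind_sequence(bind_type: str, username: str, password: str,
                  common_name_id: str, distinguished_name: str,
                  regular_user: str = "", regular_password: str = "") -> list:
    """Bind messages per bind type (assumed sequence, see lead-in):
    Simple    - bind directly as <cn>=<user>,<dn>
    Anonymous - anonymous bind to look the user up, then bind as the user
    Regular   - bind with the configured Username/Password to look the
                user up, then bind as the user"""
    dn = user_dn(common_name_id, username, distinguished_name)
    if bind_type == "Simple":
        return [bind_request(1, dn, password)]
    if bind_type == "Anonymous":
        return [bind_request(1, "", ""), bind_request(2, dn, password)]
    if bind_type == "Regular":
        return [bind_request(1, regular_user, regular_password),
                bind_request(2, dn, password)]
    raise ValueError(f"unknown bind type {bind_type!r}")


def secrets_on_the_wire(messages: list, *secrets: str) -> list:
    """Which of the given secrets appear verbatim in the encoded messages.
    Over plain LDAP (port 389, no LDAPS/STARTTLS) this is what a network
    observer sees; with Enable Secure Connection the same bytes sit inside TLS."""
    blob = b"".join(messages)
    return [s for s in secrets if s and s.encode() in blob]


if __name__ == "__main__":
    # Constructed values; example.com is not a real directory
    msgs = bind_sequence("Regular", "jdoe", "User-Pass-1", "cn",
                         "ou=admins,dc=example,dc=com",
                         regular_user="cn=svc-fdc,dc=example,dc=com",
                         regular_password="Svc-Pass-2")
    print(secrets_on_the_wire(msgs, "User-Pass-1", "Svc-Pass-2"))
```

Running it prints both passwords, because both are present verbatim in the bind messages. LDAPS or STARTTLS wraps the same messages in TLS, and the CA Certificate setting is what stops a spoofed LDAP server from harvesting them; a Regular bind account should therefore be a low-privilege, read-only directory account.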

RADIUS Servers

FortiDeceptor supports remote authentication of administrators using RADIUS servers. To use this feature, configure the server entries in FortiDeceptor for each authentication server in your network.

If you have configured RADIUS support and require users to authenticate using a RADIUS server, FortiDeceptor contacts the RADIUS server for authentication. To authenticate with FortiDeceptor, the user enters a user name and password. FortiDeceptor sends this user name and password to the RADIUS server. If the RADIUS server can authenticate the user, FortiDeceptor authenticates the user. If the RADIUS server cannot authenticate the user, FortiDeceptor refuses the connection.

The following options are available:

Create New Add a RADIUS server.
Edit Edit the selected RADIUS server.
Delete Delete the selected RADIUS server.

The following information is displayed:

Name RADIUS server name.
Primary Address Primary server IP address.
Secondary Address Secondary server IP address.
Port Port used for RADIUS traffic. The default port is 1812.
Auth Type The authentication type the RADIUS server requires.

Select Any, PAP, CHAP, or MSv2. Any means FortiDeceptor tries all authentication types.

To add a RADIUS server:

  1. Go to System > RADIUS Servers.
  2. Click Create New.
  3. Configure the following settings:
Name A unique name to identify the RADIUS server.
Primary Server Name/IP IP address or FQDN of the primary RADIUS server.
Secondary Server Name/IP IP address or FQDN of the secondary RADIUS server.
Port Port for RADIUS traffic.

The default port is 1812.

Auth Type Authentication type the RADIUS server requires.

Select Any, PAP, CHAP, or MSv2. Any means FortiDeceptor tries all authentication types.

Primary Secret Primary RADIUS server secret.
Secondary Secret Secondary RADIUS server secret.
NAS IP NAS IP address.
  4. Click OK.
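The Auth Type choice decides how the administrator password is protected between FortiDeceptor and the RADIUS server. The added Python example below (mine, not Fortinet's code) implements the two mechanisms the page names that fit in a few lines: PAP's User-Password hiding from RFC 2865 section 5.2, which only XORs the password with an MD5 stream derived from the shared secret and the Request Authenticator, and CHAP's challenge-response from RFC 1994, which never transmits the password. MSv2 (MS-CHAPv2) is not implemented here. The secret, password, authenticator and challenge are constructed values.

```python
import hashlib
import hmac
import os


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, the only protection PAP has.
    The password is null-padded to a multiple of 16 octets and each block is
    XORed with MD5(shared secret || previous block), seeded with the 16-octet
    Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return bytes(hidden)


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the above: whoever captures the Access-Request and knows
    (or brute-forces) the shared secret recovers the password."""
    revealed, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        revealed += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return bytes(revealed).rstrip(b"\x00")  # assumes the password has no trailing NULs


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 section 5.3: CHAP-Password = MD5(id || password || challenge).
    The password never leaves the client; the server must hold it to verify."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password + challenge).digest()


def chap_verify(identifier: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(chap_response(identifier, password, challenge), response)


def demo() -> dict:
    """Constructed values, not captured traffic."""
    secret = b"constructed-shared-secret"
    authenticator = os.urandom(16)
    password = b"Tr0ub4dor&3"
    hidden = pap_hide_password(password, secret, authenticator)
    challenge = os.urandom(16)
    response = chap_response(0x2A, password, challenge)
    return {
        "pap_roundtrip": pap_reveal_password(hidden, secret, authenticator) == password,
        "pap_recovered_with_wrong_secret":
            pap_reveal_password(hidden, b"wrong", authenticator) == password,
        "chap_ok": chap_verify(0x2A, password, challenge, response),
        "chap_wrong_password": chap_verify(0x2A, b"guess", challenge, response),
    }


if __name__ == "__main__":
    print(demo())
```

Selecting Any lets FortiDeceptor fall back to PAP, so a short or reused Primary Secret, or a RADIUS server an attacker can reach, exposes the administrator password; where the RADIUS server supports it, pin the Auth Type to CHAP or MSv2 and keep the shared secrets long and random. The NAS IP field should match the source address the RADIUS server expects, or requests are silently dropped.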

Mail Server

Use the System > Mail Server page to adjust mail server settings.

You can configure the following options:

Send Incidents Alerts When enabled, FortiDeceptor sends an email alert to the Receiver Email List when it detects an incident.
SMTP Server Address SMTP server address.
Port SMTP server port number.
E-Mail Account The mail server email account. This is the “from” address.
Login Account The mail server login account.
Password, Confirm Password Enter and confirm the password.
Receiver Email List Enter one or more receiver email addresses.
Send Test Email Send a test email to the global email list.

If an error occurs, the error message appears at the top of the page and is recorded in the System Logs.

SNMP

SNMP is a method to monitor your FortiDeceptor system from your local computer. You need an SNMP manager on your computer to read the SNMP information. Using SNMP, your FortiDeceptor system reports system events including CPU usage, memory usage, log disk space, interface changes, and malware detection. Go to System > SNMP to configure your FortiDeceptor system’s SNMP settings.

SNMP has two parts: the SNMP agent or the device that is sending traps, and the SNMP manager that monitors those traps. The SNMP communities on the monitored FortiDeceptor are hard coded and configured in the SNMP menu.

The FortiDeceptor SNMP implementation is read-only — SNMP v1, v2c, v3 compliant SNMP manager applications, such as those on your local computer, have read-only access to FortiDeceptor system information and can receive FortiDeceptor system traps.

You can also download FortiDeceptor and Fortinet core MIB files.

Configure the SNMP agent

The SNMP agent sends SNMP traps that originate on FortiDeceptor to an external monitoring SNMP manager defined in one of the FortiDeceptor SNMP communities. Typically, an SNMP manager is an application on a local computer that can read the SNMP traps and then generate reports or graphs.

The SNMP manager can monitor FortiDeceptor to determine if it is operating properly or if critical events are occurring. The description, location, and contact information for this FortiDeceptor system is part of the information an SNMP manager collects. This information is useful if the SNMP manager is monitoring many devices, and it enables a faster response when FortiDeceptor requires attention.

To configure SNMP agents:

  1. Go to System > SNMP.
  2. Configure the following settings:
SNMP Agent   When enabled, the FortiDeceptor SNMP agent sends FortiDeceptor SNMP traps.
Description   Description of this FortiDeceptor to identify this unit.
Location Location of this FortiDeceptor if it requires attention.
Contact Contact information of the person in charge of this FortiDeceptor.
SNMP v1/v2c Create, edit, or delete SNMP v1 and v2c communities. You can enable or disable communities in the edit page. Columns include: Community Name, Queries, Traps, Enable.
SNMP v3 Create, edit, or delete SNMP v3 entries. You can enable or disable queries in the edit page. Columns include: Username, Security Level, Notification Host, and Queries.

To create an SNMP v1/v2c community:

  1. Go to System > SNMP.
  2. In the SNMP v1/v2c section, click Create New.
  3. Configure the following settings:
Enable Enable the SNMP community.
Community Name The name that identifies the SNMP community.
Hosts The list of hosts that can use the settings in this SNMP community to monitor FortiDeceptor.
IP/Netmask IP address and netmask of the SNMP hosts. Click Add to add additional hosts.
Queries v1, Queries v2c Port number and if it is enabled.

Enable queries for each SNMP version that FortiDeceptor uses.

Traps v1, Traps v2c Local port number, remote port number, and if it is enabled.

Enable traps for each SNMP version that FortiDeceptor uses.

SNMP Events Events that cause FortiDeceptor to send SNMP traps to the community:
  • CPU usage is high
  • Memory is low
  • Log disk space is low
  • Incident is detected

  4. Click OK.

To create an SNMP v3 user:

  1. Go to System > SNMP.
  2. In the SNMP v3 section, click Create New.
  3. Configure the following settings:
Username Name of the SNMPv3 user.
Security Level Security level of the user:
  • None
  • Authentication only
  • Encryption and authentication
Authentication Authentication is required when Security Level is either Authentication only or Encryption and authentication.
Method Authentication method:
  • MD5 (Message Digest 5 algorithm)
  • SHA1 (Secure Hash algorithm)
Password Authentication password of at least eight characters.
Encryption Encryption is required if Security Level is Encryption and authentication.
Method Encryption method:
  • DES
  • AES
Key Encryption key of at least eight characters.
Notification Hosts (Traps)  
IP/Netmask IP address and netmask. Click Add to add more hosts.
Query  
Port Port number and if it is enabled.
SNMP V3 Events SNMP events associated with that user:
  • CPU usage is high
  • Memory is low
  • Log disk space is low
  • Incident is detected

  4. Click OK.
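The Password and Key fields are not used directly as keys. An SNMPv3 engine localizes them per RFC 3414: the password is stretched to 1 MiB and hashed (Ku), then hashed again together with the agent's snmpEngineID (Kul). The added Python example below (mine, not FortiDeceptor code) implements that derivation for both Authentication methods offered above, carves out the DES and AES privacy keys, and applies a few practitioner checks to an SNMP v3 entry. It is checked against the test vectors in RFC 3414 appendix A.3; the engine ID used there is the RFC's, not a FortiDeceptor value.

```python
import hashlib

# Authentication methods offered on the SNMP v3 page and the hashlib names behind them
AUTH_ALGO = {"MD5": "md5", "SHA1": "sha1"}
# Octets of localized key each Encryption method consumes
PRIV_KEY_LEN = {"DES": 8, "AES": 16}


def password_to_key(password: bytes, engine_id: bytes, auth_method: str) -> bytes:
    """RFC 3414 A.2 password-to-key followed by key localization:
    Ku  = H(password repeated to 1,048,576 octets)
    Kul = H(Ku || snmpEngineID || Ku)
    The second step is why a key lifted from one agent is useless on another."""
    if len(password) < 8:
        raise ValueError("SNMPv3 passwords and keys must be at least eight characters")
    algo = AUTH_ALGO[auth_method]
    stretched = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.new(algo, stretched).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def privacy_key(priv_password: bytes, engine_id: bytes, auth_method: str,
                priv_method: str) -> bytes:
    """The Key field goes through the same localization with the user's
    authentication hash; DES-CBC then uses the first 8 octets (RFC 3414
    8.1.1.1) and AES-128-CFB the first 16 (RFC 3826 3.1.2.1)."""
    return password_to_key(priv_password, engine_id, auth_method)[:PRIV_KEY_LEN[priv_method]]


def review_v3_user(security_level: str, auth_method: str = "", auth_password: str = "",
                   priv_method: str = "", priv_password: str = "") -> list:
    """Findings a reviewer would raise on a FortiDeceptor SNMP v3 entry."""
    findings = []
    if security_level == "None":
        findings.append("no authentication: traps and query replies can be forged by "
                        "anyone who knows the username")
        return findings
    if len(auth_password) < 8:
        findings.append("authentication password shorter than eight characters")
    if auth_method == "MD5":
        findings.append("MD5 authentication: prefer SHA1, the stronger of the two methods")
    if security_level == "Authentication only":
        findings.append("no privacy: trap contents (attacker and victim addresses, "
                        "service) travel in the clear")
        return findings
    if len(priv_password) < 8:
        findings.append("encryption key shorter than eight characters")
    if priv_method == "DES":
        findings.append("DES privacy: 56-bit key, prefer AES")
    return findings


if __name__ == "__main__":
    # RFC 3414 A.3 vector: password "maplesyrup", engineID 00..00 02 (not a FortiDeceptor ID)
    rfc_engine_id = bytes.fromhex("000000000000000000000002")
    print(password_to_key(b"maplesyrup", rfc_engine_id, "SHA1").hex())
    print(review_v3_user("Encryption and authentication", "MD5", "maplesyrup",
                         "DES", "maplesyrup"))
```

The same password yields a different localized key on every engine, so the SNMP manager must learn the FortiDeceptor's engine ID (it is carried in the v3 message header) before it can verify traps from it. Of the options on this page, SHA1 with AES is the stronger pairing; MD5 and 56-bit DES remain selectable for old managers only.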

To download MIB files:

  1. At the bottom of the SNMP page, select the MIB file you want to download to your management computer.

FortiGuard

  1. Go to System > FortiGuard.
  2. The following options and information are available:
Module Name The FortiGuard module name, including: AntiVirus Scanner, AntiVirus Extended Signature, AntiVirus Active Signature, AntiVirus Extreme Signature, IDS Engine, IDS Signature, Anti-Reconnaissance & Anti-Exploit Engine.

All modules automatically install update packages when they are available on the FDN.

Current Version The current version of the module.
Release Time The time that module was released.
Last Update Time The time that module was last updated.
Last Check Status The status of the last update attempt.
Upload Package File Select Browse to locate a package file on the management computer, then select Submit to upload the package file to the FortiDeceptor.

When the unit has no access to the Fortinet FDN servers, the user can go to the Customer Service and Support site to download package files manually.

FortiGuard Server Location Select FDN servers for package update and Web Filtering query. By default, the selection is Nearest, which means the closest FDN server according to the unit’s time zone is used. When US Region is selected, only servers inside the United States are used.

FortiGuard Server Settings

Use override FDN server to download module updates Select to enable an override FDN server, or FortiManager, to download module updates, then enter the server IP address or FQDN in the text box. When an override FDN server is used, FortiGuard Server Location is disabled. Click the Connect FDN Now button to schedule an immediate update check.
Connect FDN Now Click the Connect FDN Now button to connect to the override FDN server or proxy.

FortiGuard Web Filter Settings

Use override server address for web filtering query Select to enable an override server address for web filtering queries, then enter the server IP address (IP address or IP address:port) or FQDN in the text box. By default, the closest web filtering server according to the unit’s time zone is used.

If no port is provided, UDP port 53 is used.

  3. Click Apply to apply your changes.

Settings

Go to System > Settings to configure the idle timeout for the administrator account.

To configure idle timeout:

  1. Go to System > Settings.
  2. Enter a value between 1 and 480 minutes.
  3. Click OK.

To reset all widgets:

You can reset all the widgets in the Dashboard by clicking the Reset button.

Login Disclaimer

Go to System > Login Disclaimer to customize the warning message, and to enable or disable the login disclaimer.

If enabled, the disclaimer appears when a user tries to log into the unit.

Table Customization

To customize the columns available for Incidents or Events:

  1. Go to System > Table Customization.
  2. In the Incident Columns pane, drag and drop the columns from the Available Column Headers to the Customized Column Headers and Orders.
  3. In the Event Columns pane, drag and drop the columns from the Available Column Headers to the Customized Column Headers and Orders.
  4. In the Table Settings pane, specify the Page Size and select the View Type.
  5. Click Save.

 

FortiDeceptor – Fabric

Fabric

Use the Fabric pages to manage and configure FortiGate information for integration with FortiDeceptor. This includes blocking settings and Security Fabric status information. Blocking from FortiGate is an API call from FortiDeceptor which allows instant quarantine from FortiGate once an incident is detected. The quarantined IP is under user quarantine in the FortiGate GUI.

Fabric provides access to the following pages:

FortiGate Integration Configure the FortiGate settings for FortiDeceptor integration.
Quarantine Status Status of blocked IP addresses.
IOC Export Export the IOC file in CSV format for a specified time period.

FortiGate Integration

Use Fabric > FortiGate Integration to configure FortiGate settings for integration with FortiDeceptor. FortiDeceptor uses FortiGate REST APIs to make quarantine calls when decoys are accessed. Attackers are immediately quarantined on the FortiGate for further analysis.

The following options are available:

Severity level Select the severity level. The selected level and all levels above it are blocked. For example, if you select Medium, then medium, high, and critical levels are blocked. If you select Critical, then only the critical level is blocked.
Add new block configuration Create a new FortiGate integration setting.
Update Save the modified FortiGate integration setting to a configuration file.
Cancel Discard current changes.
Edit Edit the record.
Delete Delete the record.
Test Manually send quarantine request to the corresponding FortiGate.

The following information is displayed:

Name Alias of the integrated FortiGate.
IP IP address of the integrated FortiGate.
User Username of the integrated FortiGate.
Password Password of that username.

Port Port number of the integrated FortiGate REST API service. Default is 443.
Default Expiry Default blocking time in seconds. Default is 3600 seconds.
Default VDOM The default access VDOM of the integrated FortiGate.
Type FortiGate (read-only value).
Enabled Enable or disable the integration setting.
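The added Python example below shows what the Severity level and the per-FortiGate fields above turn into: the block decision ("the selected level and all levels above it") and the REST call to the FortiGate's user quarantine. It is my example, not FortiDeceptor's integration code. The endpoint paths (/api/v2/monitor/user/banned/add_users and clear_users), the ip_addresses and expiry body fields, and Bearer-token authentication are taken from my knowledge of the FortiOS REST API rather than from this page; the page's integration authenticates with the User and Password fields, so check both against the API reference for your FortiOS version. The FortiGate entry is a constructed value.

```python
import json
import ssl
import urllib.request
from typing import Iterable, Optional, Tuple

# Risk levels as the Incidents and Events Distribution widget lists them, lowest first
SEVERITY_ORDER = ("Unknown", "Low", "Medium", "High", "Critical")


def should_block(incident_severity: str, configured_level: str) -> bool:
    """The configured Severity level and every level above it are blocked."""
    return SEVERITY_ORDER.index(incident_severity) >= SEVERITY_ORDER.index(configured_level)


def quarantine_call(fgt: dict, attacker_ips: Iterable[str], action: str = "add",
                    expiry: Optional[int] = None) -> Tuple[str, dict]:
    """URL and JSON body for the FortiGate user-quarantine monitor API.
    fgt carries the FortiGate Integration fields: ip, port (443), vdom, default_expiry (3600).
    Endpoint names and body fields are assumed from FortiOS, not taken from this page."""
    path = {"add": "add_users", "clear": "clear_users"}[action]
    url = (f"https://{fgt['ip']}:{fgt.get('port', 443)}"
           f"/api/v2/monitor/user/banned/{path}?vdom={fgt.get('vdom', 'root')}")
    body = {"ip_addresses": list(attacker_ips)}
    if action == "add":
        # Default Expiry from the integration entry unless the caller overrides it
        body["expiry"] = expiry if expiry is not None else fgt.get("default_expiry", 3600)
    return url, body


def plan(fgt: dict, incident_severity: str, attacker_ip: str,
         configured_level: str) -> Optional[Tuple[str, dict]]:
    """None when the entry is disabled or the incident is below the threshold,
    otherwise the add_users call an automatic quarantine would make."""
    if not fgt.get("enabled", True) or not should_block(incident_severity, configured_level):
        return None
    return quarantine_call(fgt, [attacker_ip])


def send(url: str, body: dict, api_token: str, verify_tls: bool = True) -> dict:
    """Perform the call with a FortiOS REST API administrator token (assumed
    credential; the page's entry stores a username and password instead)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab FortiGate with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed FortiGate Integration entry (192.0.2.0/24 is a documentation range)
    fgt = {"name": "edge-fgt", "ip": "192.0.2.10", "port": 443, "vdom": "root",
           "default_expiry": 3600, "enabled": True}
    print(plan(fgt, "High", "198.51.100.7", "Medium"))
```

plan() returns None for a disabled entry or an incident below the threshold; the Test button on the page sends a quarantine request regardless, which is the quickest way to confirm the REST credentials and VDOM before relying on automatic blocking. The expiry value is what Fabric > Quarantine Status later shows as Time Remaining, and the clear_users call is the manual Unblock.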

Quarantine Status

The Fabric > Quarantine Status page displays the status of blocked and quarantined IP addresses. It also lets you manually block or unblock devices. The following options are available:

Refresh Refresh the page to get the latest data.
Block Manually send a blocking request for the selected attacker IP addresses.
Unblock Manually send an unblocking request for the selected attacker IP addresses.

The following information is displayed:

Attacker IP IP address of the blocked attacker.
Start Start time of blocking behavior.
End End time of blocking behavior.
Handler Address IP address of the integrated FortiGate.
Handler The integrated device type.
Handle Type Blocking type: manual or automatic quarantine.
VDOM VDOM of the integrated FortiGate.
Blocker Name Alias of the FortiGate which blocks the AttackerIP address. This is the Name field in Fabric > FortiGate Integration.
Time Remaining The remaining blocking time.
Status Current status of the attacker.
Message Related message for the blocking entry.

IOC Export

Use the Fabric > IOC Export page to export the IOC file in CSV format for a specified time period. The CSV file can be processed by third party Threat Intelligence Platforms. The file contains the TimeStamp, Incident time, Attacker IP, related files, and WCF (Web Content Filtering) events. You can include MD5 checksums, WCF category, and reconnaissance alerts.

FortiDeceptor – Monitor Attacks

Monitor Attacks

Administrators can monitor attacks in two ways:

To monitor attacks using Incident pages:

  • Incident > Analysis lists incidents and related events detected by FortiDeceptor.
  • Incident > Campaign lists attacks and related events detected by FortiDeceptor.
  • Incident > Attack Map shows attacks and related events detected by FortiDeceptor.

To monitor attacks using Dashboard widgets:

  • Use the Dashboard Incidents & Events Distribution widget. See Incidents and Events Distribution.
  • Use the Dashboard Incidents & Events Count widget.

Analysis

Incident > Analysis lists the Incidents detected by FortiDeceptor.

To use the Analysis page:

  1. Go to Incident > Analysis.
  2. The Analysis page displays the list of events:
Severity Severity of the event.
Last Activity Date and time of the last activity.
Type Type of event.
Attacker IP IP address of the attacker.
Attacker User Attacker username.
Victim IP IP address of the victim.
Victim Port Port of the victim.
Lure Name of the lure service.
Decoy ID Unique ID of the Decoy VM.
ID ID of the incident.
Attacker Port Port where the attack originated.
Tag Key Unique key string for the incident.
Attacker Password Password used by the attacker.
Start   Date and time when the attack started.
  3. To refresh the data, click Refresh.
  4. To download the detailed analysis report in PDF format, click Export to PDF.
  5. To mark items as read, expand the incident details or click Mark all as read.

Newly-detected incidents are in bold to indicate they are unread.

  6. To display specific types of events, click Show All, IPS Events Only, or Web Filter Events Only.
  7. To specify columns and table settings, use the Settings icon at the bottom right.

Campaign

Incident > Campaign lists the Attacks detected by FortiDeceptor. An Attack consists of multiple Incidents.

To use the Campaign page:

  1. Go to Incident > Campaign.
  2. The Campaign page displays the list of attacks:
Severity   Severity of the event.
Start   Date and time when the attack started.
Last Activity   Date and time of the last activity.
Attacker IP   IP address of the attacker.
ID   ID of the campaign record.
Timeline   Click Timeline to see the timeline of the Attack from start to finish.
Table   Click Table to see all the Events in table view.
  3. To refresh the data, click Refresh.
  4. To export the data, click Export to PDF.
  5. To specify columns and table settings, use the Settings icon at the bottom right.

Attack Map

Incident > Attack Map is a visual representation of the entire network showing real endpoints, Decoy VMs, and ongoing attacks.

To work with the Attack Map:

  1. Go to Incident > Attack Map.
    • To change the display, drag items to another location.
    • Scroll to zoom in or out.
    • Click a node to see its information.
  2. At the bottom of the Attack Map, use the timeline indicator to set the start and end time.
  3. Click Click to begin filtering to select a filter type and type values. Filter types include Attacker IP, Victim IP, and Decoy IP.

You can use multiple arguments with different filter types. All filter arguments and time indicator arguments are considered “AND” conditions.

  4. To locate a node on the map, use LOCATE BY IP.
  5. To save a snapshot of the map, click Save view.

Incidents and Events Distribution

This dashboard widget displays the number of incidents and events with the following risk level information and options.

Unknown Incident or Event where the risk level is unknown. Entries are in grey.
Low Risk Incident or Event where the risk level is low. Entries are in green.
Medium Risk Incident or Event where the risk level is medium. Entries are in yellow.
High Risk Incident or Event where the risk level is high. Entries are in orange.
Critical Incident or Event where the risk level is critical. Entries are in red.

Hover over the pie chart to see the number of Incidents or Events and their percentage.

To customize this widget:

  1. Click the edit icon to make the following changes:

    • Enter a Customized Widget Title.
    • Change the Refresh Interval.
    • Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.

Incidents and Events Count

This dashboard widget displays the number of Incidents and Events.

Event Click Event to show or hide the number of events in the time period. Events are in blue.
Incidents Click Incident to show or hide the number of incidents in the time period. Incidents are in orange.
Time/Date The time or date the Incident or Event occurred.

To customize this widget:

  1. Click the edit icon to make the following changes:

    • Enter a Customized Widget Title.
    • Change the Refresh Interval.
    • Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.

Top 10 Attackers by Events

This dashboard widget displays the top ten attackers by the number of events.

IP Address IP address of the attacker.
Number of Events Hover over an IP address to see the total number of Events.

Top 10 Attackers by Incidents

This dashboard widget displays the top ten attackers by the number of incidents.

IP Address IP address of the attacker.
Number of Incidents Hover over an IP address to see the total number of Incidents.

Top 10 IPS Attacks

This widget displays the top 10 IPS attacks by the number of attack events.

IPS attack name Name of the IPS attack.
Number of attack events Hover over an IPS attack name to see the total number of attack events.

Incidents Distribution by Service

This dashboard widget displays the number of Incidents by service with the following information and options.

SSH Number of incidents occurring on SSH service with the percentage on a pie chart.
SAMBA Number of incidents occurring on SAMBA service with the percentage on a pie chart.
SMB Number of incidents occurring on SMB service with the percentage on a pie chart.
RDP Number of incidents occurring on RDP service with the percentage on a pie chart.
HTTP Number of incidents occurring on HTTP service with the percentage on a pie chart.
FTP Number of incidents occurring on FTP service with the percentage on a pie chart.
TFTP Number of incidents occurring on TFTP service with the percentage on a pie chart.
SNMP Number of incidents occurring on SNMP service with the percentage on a pie chart.
MODBUS Number of incidents occurring on MODBUS service with the percentage on a pie chart.
S7COMM Number of incidents occurring on S7COMM service with the percentage on a pie chart.
BACNET Number of incidents occurring on BACNET service with the percentage on a pie chart.
IPMI Number of incidents occurring on IPMI service with the percentage on a pie chart.
TRICONEX Number of incidents occurring on TRICONEX service with the percentage on a pie chart.
GUARDIAN-AST Number of incidents occurring on GUARDIAN-AST service with the percentage on a pie chart.
IEC104 Number of incidents occurring on IEC104 service with the percentage on a pie chart.

Global Attacker Distribution

This widget displays the number of Attackers by country on a global map.

 

FortiDeceptor – Deploy Decoy VM

Deploy Decoy VM

The Deception pages allow you to deploy Decoy VMs on your network. When an attacker gains unauthorized access to a Decoy VM, their movements can be monitored to understand how they attack the network.

Apart from the default decoy Windows, Linux, or SCADA OS images, FortiDeceptor supports custom OS images with a purchased subscription service. You can upload your custom ISO images and install the FortiDeceptor Toolkit on the image. For instructions, click the Help icon in the toolbar and select Customization.

To use FortiDeceptor to monitor the network:

  • Go to Deception > Deception OS to check the Deception OS available. See View available Deception OS.
  • Go to Deception > Deployment Network to auto-detect or specify the network where the Decoy VMs are deployed.
  • Go to Deception > Deployment Wizard to deploy the Decoy VM on the network.
  • Go to Deception > Decoy & Lure Status to start or stop deployed Decoy VMs, or download the FortiDeceptor Token Package to manually install on computers.
  • Go to Deception > Decoy Map to see the network of Decoy VMs.
  • Go to Deception > Whitelist to specify the network that is to be considered safe. This is useful if the administrator wants to log into the deployment network and not be flagged as an attacker.

View available Deception OS

The Deception > Deception OS page lists the deception OSes available for creating Decoy VMs.

Column   Description
Delete   Delete a custom OS that you have applied.
Status   Status of the Deception OS.
Name   Name of the Deception OS.
OS Type   Operating System type.
VM Type   VM type of the Deception OS endpoint.
Lures   Lures used by the Decoy VM such as SSH, SAMBA, SMB, RDP, HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GuardianAST, or IEC104.

Set up the Deployment Network

Use the Deception > Deployment Network page to set up a monitoring interface into a VLAN or a subnet.

To add a VLAN or subnet to FortiDeceptor:

  1. Go to Deception > Deployment Network.
  2. Enable Auto VLAN Detection to automatically detect the VLANs on your network.

Auto VLAN detection allows FortiDeceptor to detect the available VLANs on the deployment network interface and display them in the GUI. You can select and add the VLANs for the deployment of Decoys later.

  3. Select the Detection Interface and click OK.

You can select multiple ports.

  4. Click Add New VLAN/Subnet to manually add a VLAN or a subnet. Configure the following settings:
Interface The port that connects to the VLAN or subnet.
VLAN ID The VLAN’s unique integer ID.
Deploy Network IP/Mask The IP address to monitor. This is useful to mask the actual IP address.
Ref The number of objects referring to this object.
Status Status of the IP address, such as if it is initialized.
Action Click Edit to edit the VLAN or subnet entry. The Edit button is visible only after the entry is saved.
  5. Click Save.

The network IP/mask must be an IP address and not a subnet.

You must use the following guidelines to set the network IP/mask:

  • Interface name and VLAN ID must be unique among all network IP/masks.
  • If VLAN ID is 0, the network IP/mask must be unique among all the network IP/masks without VLAN and all system interfaces.
  • If VLAN is not 0, the network IP/mask must be unique among all subnets in the same VLAN.
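The three guidelines above, together with the rule that the field takes a host IP address rather than a subnet, are what a Save has to pass. The added Python example below (mine, not FortiDeceptor code) applies them to a proposed list of VLAN/subnet entries before you click Save. It reads "unique" as "does not overlap", which is the stricter interpretation, so an identical or nested subnet is reported either way. The port names and addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DeployNet:
    interface: str   # port that connects to the VLAN or subnet
    vlan_id: int     # 0 = no VLAN tag
    ip_mask: str     # Deploy Network IP/Mask, for example "10.10.20.50/24"


def validate_deploy_networks(entries: List[DeployNet], system_interfaces: List[str]) -> List[str]:
    """Guideline violations in a proposed set of VLAN/subnet entries.
    system_interfaces are the unit's own addresses (port1 and so on) as IP/mask.
    'Unique' is read as 'does not overlap', so identical and nested subnets are both reported."""
    errors, seen, parsed = [], set(), []
    for e in entries:
        try:
            iface = ipaddress.ip_interface(e.ip_mask)
        except ValueError as exc:
            errors.append(f"{e.interface}/vlan{e.vlan_id}: {exc}")
            continue
        net = iface.network
        # The field wants a host address on the subnet, not the subnet itself
        if net.prefixlen < net.max_prefixlen and iface.ip == net.network_address:
            errors.append(f"{e.ip_mask}: must be a host IP address, not the subnet address")
        key = (e.interface, e.vlan_id)
        # Rule 1: interface name and VLAN ID must be unique
        if key in seen:
            errors.append(f"{e.interface}/vlan{e.vlan_id}: interface name and VLAN ID already used")
        seen.add(key)
        parsed.append((e, net))
    system_nets = [ipaddress.ip_interface(s).network for s in system_interfaces]
    for i, (a, net_a) in enumerate(parsed):
        if a.vlan_id == 0:
            # Rule 2: untagged entries must also stay clear of the unit's own interfaces
            for s in system_nets:
                if net_a.overlaps(s):
                    errors.append(f"{a.ip_mask}: overlaps system interface network {s}")
        for b, net_b in parsed[i + 1:]:
            # Rules 2 and 3: no overlap among entries that share a VLAN (VLAN 0 = untagged)
            if a.vlan_id == b.vlan_id and net_a.overlaps(net_b):
                scope = "untagged networks" if a.vlan_id == 0 else f"VLAN {a.vlan_id}"
                errors.append(f"{a.ip_mask} and {b.ip_mask}: overlap within {scope}")
    return errors


if __name__ == "__main__":
    # Constructed entries; 192.168.0.99/24 is the unit's default port1 address
    proposed = [DeployNet("port2", 0, "10.10.20.50/24"),
                DeployNet("port2", 100, "10.10.30.50/24"),
                DeployNet("port3", 100, "10.10.30.60/25")]
    for problem in validate_deploy_networks(proposed, ["192.168.0.99/24"]):
        print(problem)
```

Keeping the deployment networks disjoint from the management subnet matters beyond the GUI rule: a decoy that shares port1's subnet would let an attacker who reaches it pivot straight to the FortiDeceptor management interface.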

Deploy Decoy VMs with the Deployment Wizard

Use the Deception > Deployment Wizard page to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.

To deploy Decoys on the network:

  1. Go to Deception > Deployment Wizard.
  2. Click + to add a Decoy VM.
  3. Configure the following:
Name Specify the name of the deployment profile. Maximum 15 characters using A-Z, a-z, 0-9, dash, or underscore. No duplicate profile names.
Available Deception OSes Select a Deception OS.
Selected Services Displays the selected services. You cannot edit this field.
  4. For an Ubuntu VM, turn on SSH or SAMBA. For Windows, turn on RDP or SMB.

For SCADA, turn on HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIANAST, or IEC104.

  5. Click Add Lure for the service and configure the following:
Username Specify the username for the decoy. Maximum 19 characters using A-Z, a-z, or 0-9.

Do not set the username of the lures to be the same as existing usernames in the decoy, such as administrator for RDP/SMB services on Windows, or root for SSH/SAMBA services on Linux.

Password Specify the password for the decoy in 1-14 non-unicode characters.
Sharename This option is only available for SAMBA (Ubuntu) or SMB (Windows). Specify a Sharename in 3-63 characters using A-Z, a-z, or 0-9.
Update or Cancel Click Update to save the username and password. Click Cancel to discard the username and password. Click Delete to delete an existing lure.
  6. To launch the decoy VM immediately, enable Launch Immediately.
  7. To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
  8. Click Next.
  9. Specify the Hostname. The Hostname can start with an English letter or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not allowed. The Hostname cannot conflict with decoy names.
  10. Click Add Interface.
  11. Select the Deploy Interface. Set this to the VLAN or subnet added in Set up the Deployment Network.
  12. Configure the following settings in the Add Interface for Decoy pane:
Addressing Mode Select Static or DHCP.

Static allows you to configure the IP address for all the decoys.

DHCP allows the decoys to receive IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.

Network Mask This field is set automatically.
Gateway Specify the gateway.
IP Count Specify the number of IP addresses to be assigned, up to 16.

If Addressing Mode is DHCP, IP Count is automatically set to 1.

Min The minimum IP address in the IP range.
Max The maximum IP address in the IP range.
IP Ranges Specify the IP range between Min and Max.
  13. Click Done.
  14. To deploy the decoys on the network, click Deploy.
  15. To save this as a template in Deception > Deployment Wizard, click Template.
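The wizard steps above carry a number of input rules: profile Name, lure Username, Password and Sharename, Hostname, IP Count and the Min/Max range. The added Python example below (mine, not FortiDeceptor code) validates a deployment profile against those rules before it is typed into the GUI, including the warning not to reuse an account that already exists on the decoy OS. The profile contents are constructed values.

```python
import ipaddress
import re
from typing import Iterable, List

# Character and length rules from the Deployment Wizard steps
PROFILE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")
LURE_USERNAME_RE = re.compile(r"^[A-Za-z0-9]{1,19}$")
SHARENAME_RE = re.compile(r"^[A-Za-z0-9]{3,63}$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,14}$")
MAX_IP_COUNT = 16
# Accounts that already exist on the decoy OS and must not be reused as lure names
BUILTIN_USERS = {"RDP": "administrator", "SMB": "administrator", "SSH": "root", "SAMBA": "root"}


def validate_lure(service: str, lure: dict) -> List[str]:
    errs = []
    user, password = lure.get("username", ""), lure.get("password", "")
    if not LURE_USERNAME_RE.match(user):
        errs.append(f"{service}: username must be 1-19 characters A-Z, a-z, 0-9")
    if user.lower() == BUILTIN_USERS.get(service):
        errs.append(f"{service}: {user!r} is an existing account on the decoy; pick another lure name")
    if not 1 <= len(password) <= 14 or not password.isascii():
        errs.append(f"{service}: password must be 1-14 non-unicode characters")
    if service in ("SAMBA", "SMB"):
        if not SHARENAME_RE.match(lure.get("sharename", "")):
            errs.append(f"{service}: sharename must be 3-63 characters A-Z, a-z, 0-9")
    elif "sharename" in lure:
        errs.append(f"{service}: sharename applies only to SAMBA and SMB lures")
    return errs


def validate_interface(iface: dict) -> List[str]:
    mode = iface.get("addressing_mode")
    if mode == "DHCP":
        # DHCP fixes IP Count at 1 and ignores the other fields
        return [] if iface.get("ip_count", 1) == 1 else ["DHCP: IP Count is fixed at 1"]
    if mode != "Static":
        return ["addressing mode must be Static or DHCP"]
    errs = []
    count = iface.get("ip_count", 0)
    if not 1 <= count <= MAX_IP_COUNT:
        errs.append(f"IP Count must be 1-{MAX_IP_COUNT}")
    try:
        net = ipaddress.ip_network(iface["deploy_network"], strict=False)
        lo, hi, gw = (ipaddress.ip_address(iface[k]) for k in ("min", "max", "gateway"))
    except (KeyError, ValueError) as exc:
        return errs + [f"addressing: {exc}"]
    if not (lo in net and hi in net and gw in net):
        errs.append(f"Min, Max and Gateway must lie inside {net}")
    if hi < lo:
        errs.append("Max must not be below Min")
    elif int(hi) - int(lo) + 1 < count:
        errs.append(f"range {lo}-{hi} holds fewer than {count} addresses")
    return errs


def validate_profile(profile: dict, existing_profiles: Iterable[str],
                     existing_decoys: Iterable[str]) -> List[str]:
    """All rule violations in a deployment profile; an empty list means it would pass."""
    errs = []
    name, host = profile.get("name", ""), profile.get("hostname", "")
    if not PROFILE_NAME_RE.match(name):
        errs.append("profile name: max 15 characters A-Z, a-z, 0-9, dash or underscore")
    if name in set(existing_profiles):
        errs.append(f"profile name {name!r} already exists")
    if not HOSTNAME_RE.match(host) or host.endswith("-"):
        errs.append("hostname: start with a letter or digit, max 15 characters "
                    "A-Z, a-z, 0-9 or hyphen, no trailing hyphen")
    if host in set(existing_decoys):
        errs.append(f"hostname {host!r} conflicts with an existing decoy name")
    for service, lure in profile.get("lures", {}).items():
        errs += validate_lure(service, lure)
    for i, iface in enumerate(profile.get("interfaces", [])):
        errs += [f"interface {i}: {e}" for e in validate_interface(iface)]
    return errs


if __name__ == "__main__":
    # Constructed profile: a Windows file-server decoy with RDP and SMB lures
    profile = {"name": "win-fin-01", "hostname": "FIN-FS01",
               "lures": {"RDP": {"username": "jsmith", "password": "Summer2019"},
                         "SMB": {"username": "backup", "password": "Backup1", "sharename": "finance"}},
               "interfaces": [{"addressing_mode": "Static", "deploy_network": "10.10.20.0/24",
                               "gateway": "10.10.20.1", "ip_count": 4,
                               "min": "10.10.20.200", "max": "10.10.20.210"}]}
    print(validate_profile(profile, existing_profiles=set(), existing_decoys=set()) or "profile passes")
```

Choose lure usernames and hostnames that look like the real estate around the decoy (a naming scheme that matches your domain) rather than obvious honeypot names; the character rules here are the wizard's limits, not a guide to plausibility.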

Deploy the FortiDeceptor Token Package

Use a FortiDeceptor Token Package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within real endpoints and other IT assets on the network to maximize the deception surface.

To download a FortiDeceptor Token Package:

  1. Go to Deception > Decoy & Lure Status.
  2. Select the Decoy VM by clicking its checkbox.
  3. To download the FortiDeceptor Token Package, click Download Package.

You can only download packages with valid IP addresses. A package must have a status of Initialized, Stopped, Running, or Failed.

To deploy or uninstall a FortiDeceptor Token Package on an existing endpoint:

  1. Copy the downloaded FortiDeceptor Token Package to an endpoint such as a Windows or Linux endpoint.
  2. Unzip the FortiDeceptor Token Package.
  3. In the folder for the OS, such as windows or ubuntu, follow the instructions in the txt file to install or uninstall the Token Package.

  • For Windows, open the windows folder, right-click windows_token.exe and select Run as administrator.
  • For Ubuntu, open Terminal and run python ./ubuntu_token.py.

When the FortiDeceptor Token Package is installed on a real Windows or Ubuntu endpoint, it increases the deception surface and lures the attacker to a Decoy VM.

Monitor Decoy & Lure Status

The Deception > Decoy & Lure Status page shows the status of the Decoys on your network.

We recommend operating Decoy VMs with the same status for expected behavior.

To view the Deception Status:

  1. Go to Deception > Decoy & Lure Status.
Action Click View detail to see the decoy’s configuration details.

Click Copy to Template to duplicate the decoy as a template.

Click Start or Stop to start or stop the decoy. Click Delete to delete the decoy.

Click Download to download the FortiDeceptor Token Package.

Click VNC to open a VNC console to the decoy.

Status The status of the decoy can be Initializing, Running, Stopped, or Cannot Start. If the Decoy VM cannot start, hover over the VM to see the reason.
Decoy Name Name of the decoy.
OS Operating system of the decoy.
VM The name of the Decoy VM.
Enabled Services The number of decoy services enabled on this VM.
IP The IP address of the Decoy VM.
Services List of services enabled. Hover over an icon to see a text list.
Network Type Shows if the IP address is Static or DHCP.
DNS DNS of the Decoy VM.
Gateway Gateway of the Decoy VM.

To delete one or more Decoy VMs:

  1. Go to Deception > Decoy & Lure Status.
  2. Click Delete beside the Decoy VM.
  3. Click OK.

To start one or more Decoy VM:

  1. Go to Deception > Decoy & Lure Status.
  2. Select one or more Decoy VMs that are stopped.
  3. Click Start.

To stop one or more Decoy VMs:

  1. Go to Deception > Decoy & Lure Status.
  2. Select one or more Decoy VMs that are running.
  3. Click Stop.

Decoy Map

Deception > Decoy Map is a visual representation of the entire network showing real endpoints and Decoy VMs. You can apply filters to focus on specific decoys.

To work with the Decoy Map:

  1. Go to Deception > Decoy Map.
    • To change the display, drag items to another location.
    • Scroll to zoom in or out.
    • Click a node to see its information.
  2. Click Click to begin filtering to select a filter type and type values. Filter types include Decoy Name, Decoy IP, and Lure Type.

You can use multiple arguments with different filter types. All filter arguments and time indicator arguments are considered “AND” conditions.

  3. To locate a node on the map, use LOCATE BY IP.
  4. To save a snapshot of the map, click Save view.

Configure a Whitelist

Use the Deception > Whitelist page to add an IP address from which an administrator can log into the deployment network. User actions from a whitelisted IP address are not recorded as an Event or Incident, so keep the list to the specific administrator hosts and ports that need it.

To add a new whitelist IP address:

  1. Go to Deception > Whitelist.
  2. Click Add New Whitelist IP and configure its settings:
IP Address   Specify the IP address from where the connection originates.
Source Ports   Specify the source ports from where the connection originates.
Destination Ports   Specify the destination ports on the network where the connection terminates.
Description   Specify a description. For example, you can name it as Safe_Network.
Services   Select the name of the services used to connect to the network.
Status   Select Enabled or Disabled.
Action   Click Update or Cancel.
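As an added example (not FortiDeceptor's own code), the following Python models the whitelist decision described above under an assumed matching rule: every field set on an entry must match the connection (AND), and an empty Source Ports, Destination Ports, or Services field matches anything. The hosts, ports, and connection records are constructed. It contrasts a broad entry for an administrator host with a narrow one restricted to SSH on port 22, to show what each still surfaces when that host starts probing SMB and RDP.

```python
"""Model of whitelist matching for decoy connection records (added example).

Assumed semantics (not confirmed by the page): all fields set on an entry
must match (AND); an empty Source Ports / Destination Ports / Services
field matches any value. All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WhitelistEntry:
    ip: str                                  # IP Address (source of the connection)
    src_ports: frozenset = frozenset()       # Source Ports, empty = any
    dst_ports: frozenset = frozenset()       # Destination Ports, empty = any
    services: frozenset = frozenset()        # Services, empty = any
    description: str = ""
    enabled: bool = True                     # Status

    def matches(self, conn: dict) -> bool:
        """True when this entry suppresses the connection record."""
        return (
            self.enabled
            and conn["attacker_ip"] == self.ip
            and (not self.src_ports or conn["attacker_port"] in self.src_ports)
            and (not self.dst_ports or conn["victim_port"] in self.dst_ports)
            and (not self.services or conn["service"] in self.services)
        )


# Constructed sample: an administrator host (10.20.0.83) that legitimately
# uses SSH to decoys, plus a second host. The SMB and RDP probes from the
# administrator host are what a compromised admin box would generate.
CONNECTIONS = [
    {"attacker_ip": "10.20.0.83", "attacker_port": 57190, "victim_ip": "10.20.0.21", "victim_port": 22, "service": "SSH"},
    {"attacker_ip": "10.20.0.83", "attacker_port": 49833, "victim_ip": "10.20.0.21", "victim_port": 445, "service": "SMB"},
    {"attacker_ip": "10.20.0.83", "attacker_port": 49901, "victim_ip": "10.20.0.22", "victim_port": 3389, "service": "RDP"},
    {"attacker_ip": "10.20.0.120", "attacker_port": 51022, "victim_ip": "10.20.0.21", "victim_port": 22, "service": "SSH"},
]

# Broad entry: every connection from the admin host is silenced.
BROAD = WhitelistEntry(ip="10.20.0.83", description="Safe_Network")
# Narrow entry: only SSH to port 22 from the admin host is silenced.
NARROW = WhitelistEntry(ip="10.20.0.83", dst_ports=frozenset({22}),
                        services=frozenset({"SSH"}), description="admin_ssh")


def triage(connections, whitelist):
    """Split connections into (recorded, suppressed).

    recorded: connections that would become an Event/Incident.
    suppressed: (connection, entry description) pairs hidden by the whitelist.
    """
    recorded, suppressed = [], []
    for conn in connections:
        entry = next((e for e in whitelist if e.matches(conn)), None)
        if entry is None:
            recorded.append(conn)
        else:
            suppressed.append((conn, entry.description))
    return recorded, suppressed


if __name__ == "__main__":
    for label, wl in (("broad", [BROAD]), ("narrow", [NARROW])):
        rec, sup = triage(CONNECTIONS, wl)
        print(f"{label}: {len(rec)} recorded, {len(sup)} suppressed")
        for conn in rec:
            print("   recorded:", conn["attacker_ip"], "->", conn["victim_ip"], conn["service"])
```

With the broad entry only the second host's SSH attempt is recorded; with the narrow entry the SMB and RDP probes from the administrator host are still recorded, which is the behaviour you want if that host is ever compromised.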

DMZ Mode

You can deploy a FortiDeceptor hardware unit or VM in a demilitarized zone (DMZ). When FortiDeceptor is installed in the DMZ network, you can monitor attacks on that network.

Limitations of the DMZ Mode

DMZ Mode functions like regular mode with the following exceptions:

  • When DMZ mode is enabled, the banner displays DMZ-MODE.
  • In Deception > Deployment Network, the Deception Monitor IP/Mask setting is hidden. See Set up the Deployment Network.
  • In Deception > Decoy & Lure Status, in the Deception Status view, the Attack Test selection is disabled.
  • Decoy VMs are limited to one deployment interface. For information about the IP address range, see Deploy Decoy VMs with the Deployment Wizard.

To enable DMZ mode in the CLI:

dmz-mode -e

To disable DMZ mode in the CLI:

dmz-mode -d

Set up FortiDeceptor

This section explains the initial set up of FortiDeceptor.

Connect to the GUI

Use the GUI to configure and manage FortiDeceptor.

To connect to the FortiDeceptor GUI:

  1. Connect the port1 (administration) interface of the device to a management computer using an Ethernet cable.
  2. Configure the management computer to be on the same subnet as the port1 interface of the FortiDeceptor unit:
    • Change the IP address of the management computer to 192.168.0.2.
    • Change the network mask to 255.255.255.0.
  3. Go to https://192.168.0.99.
  4. Type admin in the Name field, leave the Password field blank, and click Login.

You can now proceed with configuring your FortiDeceptor unit. Because the admin account ships with no password, set one before connecting port1 to anything other than the directly cabled management computer (see Change the administrator password).

Connect to the CLI

You can use CLI commands to configure and manage FortiDeceptor.

To connect to the FortiDeceptor CLI:

  1. In the FortiDeceptor banner at the top, click the CLI Console icon. The CLI Console pane opens.
  2. If necessary, click Connect and enter your username and password.

The CLI Console pane has icons to disconnect from the CLI console, clear console text, download console text, copy console text, open the CLI console in its own window, and close the console.

  3. To close the CLI console, click the Close icon.

Change the system hostname

The System Information widget displays the full host name. You can change the FortiDeceptor host name.

To change the host name:

  1. Go to Dashboard and find the System Information widget.
  2. Click Change beside Host Name.
  3. In the New Name field, type a new host name.

The host name must start with a letter or digit and cannot end with a hyphen. Only A-Z, a-z, 0-9, and hyphen are allowed (case-sensitive); other symbols, punctuation, and white space are not allowed.

  4. Click Apply.
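The naming rule above, as an added Python check (not FortiDeceptor's own validation). Beyond a yes/no answer it reports why a name would be rejected, which is useful when scripting the change; the rule is taken from the page and the candidate names are constructed.

```python
"""Host name rule check (added example, not FortiDeceptor's own code)."""
import re

# Rule from the page: only A-Z, a-z, 0-9 and '-' (ASCII only), must start with
# a letter or digit, and must not end with a hyphen. No length limit is given
# on the page, so none is enforced here.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def valid_hostname(name: str) -> bool:
    """Single-shot check against the page's rule."""
    return HOSTNAME_RE.fullmatch(name) is not None


def hostname_problem(name: str):
    """None if the name is acceptable, otherwise a short reason for rejection."""
    if not name:
        return "empty"
    # str.isalnum() accepts non-ASCII letters and digits, so guard with isascii().
    bad = sorted({c for c in name if not (c.isascii() and (c.isalnum() or c == "-"))})
    if bad:
        return "disallowed characters: " + "".join(repr(c) for c in bad)
    if name[0] == "-":
        return "must start with a letter or digit"
    if name[-1] == "-":
        return "cannot end with a hyphen"
    return None


if __name__ == "__main__":
    # Constructed candidates covering each rejection reason.
    for candidate in ["fdc-lab-01", "9to5", "fdc_lab", "fdc lab", "-fdc", "fdc-", "fdc\u00e9", ""]:
        print(f"{candidate!r:14} -> {hostname_problem(candidate) or 'ok'}")
```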

Change the administrator password

By default, you can log in to the GUI using admin and no password. It is highly recommended that you add a password to the admin account. For better security, regularly change the admin account password and the passwords for any other administrator accounts that you add.

To change the password of the logged in administrator:

  1. In the FortiDeceptor banner at the top, click the username and select Change Password.
  2. Change the password and click OK.

To change the administrator password in the Administrators page:

  1. Go to System > Administrators.
  2. Select an administrator and click Edit.
  3. Change the password and click OK.

Configure the system time

You can change the FortiDeceptor system time in the Dashboard. You can configure the FortiDeceptor system time manually or synchronize with an NTP server.

To configure the system time:

  1. Go to Dashboard and find the System Information widget.
  2. Click Change beside System Time.
  3. Set the system time manually or specify an NTP server, and click Apply. You might need to log in again.

FortiDeceptor – Introduction

Introduction

FortiDeceptor creates a network of decoy VMs to lure attackers and monitor their activities on the network. When attackers attack decoy VMs, their actions are analyzed to protect the network.

Key features of FortiDeceptor include:

  • Deception OS: Windows, Linux, or SCADA OS images are available to create Decoy VMs.
  • Decoy VMs: Decoy VMs that behave like real endpoints can be deployed through FortiDeceptor.
  • Lures: Lures are services, applications, or users added to a Decoy VM to simulate a real user environment.
  • FortiDeceptor Token Package: Install a FortiDeceptor Token Package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within the real endpoints and other IT assets on the network to maximize the deception surface. Use tokens to influence attackers’ lateral movements and activities. Examples of what you can use in a token include: cached credentials, database connections, network shares, data files, and configuration files.
  • Monitor the hacker’s actions: Monitor Incidents, Events, and Campaigns.
    • An Event represents a single action, for example, a login-logout event on a victim host.
    • An Incident represents all actions on a single victim host, for example, a login-logout, file system change, a registry modification, and a website visit on a single victim host.
    • A Campaign represents the hacker’s lateral movement. All related Incidents are a Campaign. For example, an attacker logs on to a system using the credentials found on another system.
  • Log Events: Log all FortiDeceptor system events.
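The Event, Incident, and Campaign hierarchy above, as an added Python model that is not FortiDeceptor's correlation logic. It groups constructed decoy events into one Incident per victim host and then links Incidents into Campaigns under two assumed rules: the same attacker IP touched both decoys, or a credential read on one decoy (a token breadcrumb) is later used to log in to another, which is the lateral-movement case the page gives as its example. Event fields, IP addresses, and credential names are all constructed.

```python
"""Events -> Incidents -> Campaigns, an illustrative model (added example).

Not FortiDeceptor's own code. It follows the page's definitions: an Event
is one action on a decoy, an Incident is every action on one victim host,
and a Campaign links Incidents that belong to the same lateral movement.
Two linking rules are assumed: the Incidents share an attacker IP, or a
credential read on one decoy is later used to log in to another.
All sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # time of the action (constructed counter)
    victim: str      # decoy (victim host) that observed the action
    attacker: str    # source IP of the action
    action: str      # login, logout, fs_change, reg_change, web_visit, cred_read
    detail: str = "" # credential used or read, path, URL, ...


EVENTS = [
    Event(100, "10.10.1.21", "10.10.1.83", "login", "svc_backup"),
    Event(101, "10.10.1.21", "10.10.1.83", "fs_change", "/etc/ssh/sshd_config"),
    Event(102, "10.10.1.21", "10.10.1.83", "cred_read", "dbadmin"),   # token credential harvested
    Event(103, "10.10.1.21", "10.10.1.83", "logout", "svc_backup"),
    Event(200, "10.10.1.34", "10.10.1.83", "web_visit", "/admin"),     # same attacker, second decoy
    Event(300, "10.10.2.10", "10.10.2.77", "login", "dbadmin"),         # harvested credential reused from a new host
    Event(400, "10.10.3.5", "10.10.3.9", "login", "guest"),             # unrelated activity
]


def build_incidents(events):
    """Incident = all events on one victim host, in time order."""
    incidents = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        incidents[ev.victim].append(ev)
    return dict(incidents)


def build_campaigns(incidents):
    """Campaign = connected Incidents; returns a sorted list of victim groups."""
    parent = {v: v for v in incidents}   # union-find over victim hosts

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    def union(a, b):
        parent[find(a)] = find(b)

    # Rule 1: the same attacker IP touched both decoys.
    by_attacker = defaultdict(set)
    for victim, evs in incidents.items():
        for ev in evs:
            by_attacker[ev.attacker].add(victim)
    for victims in by_attacker.values():
        first, *rest = sorted(victims)
        for other in rest:
            union(first, other)

    # Rule 2: a credential read on decoy A was later used to log in to decoy B.
    harvested = defaultdict(list)          # credential -> [(ts, victim)]
    for victim, evs in incidents.items():
        for ev in evs:
            if ev.action == "cred_read":
                harvested[ev.detail].append((ev.ts, victim))
    for victim, evs in incidents.items():
        for ev in evs:
            if ev.action == "login":
                for ts, source in harvested.get(ev.detail, []):
                    if ts < ev.ts and source != victim:
                        union(source, victim)

    groups = defaultdict(list)
    for victim in incidents:
        groups[find(victim)].append(victim)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    incidents = build_incidents(EVENTS)
    for victim, evs in incidents.items():
        print(f"incident on {victim}: {[e.action for e in evs]}")
    for n, campaign in enumerate(build_campaigns(incidents), 1):
        print(f"campaign {n}: {campaign}")
```

Dropping the cred_read event splits 10.10.2.10 into its own Campaign, which shows why the token breadcrumbs matter: without the record of the credential being harvested, the later login from a new host looks unrelated.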