Category Archives: FortiGate

Best Practices – Performing a firmware downgrade

Leave a reply

Performing a firmware downgrade

Just like upgrading, you need to make sure it’s done properly. While similar, the steps are somewhat different since there are other pitfalls in this case.

  1. Locate pre-upgrade configuration file.

Step 1 is very important. This is why, when you upgrade you make a backup of your old configuration and save it.

If you don’t, then you’ll need to rebuild manually.

  1. Have copy of old firmware available.

Step 2 is fairly obvious. Even with devices that have multiple partitions and your downgrade process is simply going to be to switch the active partition, this could go wrong. In which case, you may be without Internet access. A professional has a plan for when things go wrong.

  1. Have disaster recovery option on standby — especially if remote.

Step 3 is no different from before. Hopefully you don’t need to format the unit, but be prepared for that, just in case.

  1. Read the release notes — is a downgrade possible, or necessary?

Step 4, once again, is to READ THE RELEASE NOTES. In this case, you will need to do this for the version you are on, and the version you are downgrading too, and everything in between (if you are going back multiple major releases or patches). Maybe the OS switched from 32 to 64 bits somewhere between the two firmware releases. In order to make sure you don’t get nailed by something like that you need to check the upgrade and downgrade information in every major release and patch, as it may have a direct impact on your options.

  1. Double check everything.
  2. Downgrade — all settings, except those needed for access, are lost.

Step 5 and 6 are the same as before. Double check everything, then downgrade.

  1. Restore pre-upgrade configuration.

Step 7 is new. Obviously most settings are lost when you downgrade so in order to get back up and running you will need to restore your old configuration file.

Best Practices – Performing a Firewall Upgrade

Leave a reply

Performing a firmware upgrade

Upgrading a firewall is something that should be compared to upgrading the operating system on your computer. It’s not to be taken lightly! You want to make sure everything is backed up and you have some options available if things go awry. Assuming it all seems to work you also want a list of things to do in order to confirm everything is working properly. Finally, you need enough time to do it. All really simple stuff, but what does this mean in relation to upgrading your FortiGate? It means, you follow these simple steps:

  1. Backup and store old configuration (full configuration backup from CLI).

Digging into this a little, step 1 is easy to understand. Do a full backup of your old configuration. This is all part of your disaster recovery plan. If the upgrade fails in some way you need to make sure you can get the Firewall back up and running. The best way to do this is to get it back to a state where you know what the behavior was. For more information, refer to “Performing a configuration backup” on page 17.

  1. Have copy of old firmware available.

Step 2, is also part of your disaster recovery. If the upgrade fails you might be able to switch the active partition. But as a Professional, you need to be prepared for the worst case scenario where you can’t do that. Which means you’ll need your old firmware.

  1. Have disaster recovery option on standby — especially if remote.

Step 3, is your plan for what to do in the event of a critical failure. As we’re talking FortiGate this means that your firewall doesn’t come back after the upgrade. What this means is that you need to be able to get to the console port in order to find out why. Maybe it’s DHCP and the IP changed, maybe the OS is corrupt, who knows? Get to the console and find out.

There could be a simple fix. If there’s not, then be prepared for a format and TFTP reload.

  1. Read the release notes, including the upgrade path and bug information.

Step 4, READ THE RELEASE NOTES. They contain all kinds of information, known bugs, fixed bugs even upgrade issues like lost configuration settings. Not all upgrade information is ever contained in any products release notes. That does not mean they are devoid of good/useful information. Read them, digest them, then a few days later read them again.

  1. Double check everything.

Step 5, do a double check of everything. Is your TFTP server working, does your console connection function, is there anything in the release notes that could impact your upgrade procedure, do you have your configuration backed up? Make sure you’ve done everything.

Step 6, do the upgrade. Doing an upgrade doesn’t take very long, a few minutes (less a lot of times) but make sure you schedule enough time for it. At the end of the day an upgrade can succeed or fail. If it succeeds you want some time to check/confirm that any important features you have are working (VPNs etc). If it fails you’ll need time to sort things out.

Recipes for Sandbox inspection

Leave a reply

Recipes for Sandbox inspection

AntiVirus

The following recipes provide information about Sandbox inspection with AntiVirus:

Use FortiSandbox Appliance with AntiVirus

Feature overview

AntiVirus can use FortiSandbox to supplement its detection capabilities. In real-world situations, networks are always under the threat of zero-day attacks.

AntiVirus can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox’s analysis, the FortiGate can supplement its own antivirus database with FortiSandbox’s database to detect files determined as malicious/risky by FortiSandbox. This helps FortiGate’s AntiVirus to detect zero-day virus and malware whose signatures are not found in the FortiGate’s antivirus Database.

Support and limitations

  • FortiSandbox can be used with AntiVirus in both proxy-based and flow-based inspection modes.
  • With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
  • Submit only suspicious files to FortiSandbox for inspection. l Submit every file to FortiSandbox for inspection.
  • Do not submit anything. l Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
  • Submit every file to FortiSandbox for inspection. l Do not submit anything.

Network topology example

Configuring the feature

To configure AntiVirus to work with an external block list, the following steps are required:

  1. Enable FortiSandbox on the FortiGate.
  2. Authorize FortiGate on the FortiSandbox.
  3. Enable FortiSandbox inspection.
  4. Enable use of the FortiSandbox database.

To enable FortiSandbox on the FortiGate:

  1. Go to Global > Security Fabric > Settings.
  2. Set the Sandbox Inspection toggle to the On
  3. Enter the IP address of the FortiSandbox.
  4. Add an optional NotifierEmail if desired.
  5. At this point, selecting Test connectivity will return an unreachable status.

This is expected behavior because the FortiGate is not yet authorized by the FortiSandbox.

  1. Select Apply to save the settings.

To authorize FortiGate on the FortiSandbox:

  1. In the FortiSandbox Appliance GUI, go to Scan Input > Device.
  2. Use the FortiGate serial number to quickly locate the desired FortiGate and select the link icon to authorize the FortiGate.
  3. Enable the desired VDOM in the same manner.
  4. The link icon changes from an open to closed link. This indicates that the FortiSandbox has authorized this FortiGate.
  5. In the FortiGate GUI, go to Global > Security Fabric > Settings.
  6. Select Test connectivity. FortiGate is now authorized and the status now displays as Connected.
  7. FortiSandbox options are now displayed in the AV Profile

To enable FortiSandbox inspection:

  1. Go to Security Profiles > AntiVirus.
  2. Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.
  3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported file types.
  4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
  5. Select Apply.

To enable use of the FortiSandbox database:

  1. Go to Security Profiles > AntiVirus
  2. Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to the On
  3. Select Apply.

Diagnostics and Debugging

Debug on the FortiGate side l Update daemon:

FGT_PROXY (global) # diagnose debug application quarantined -1 FGT_PROXY (global) # diagnose debug enable

quar_req_fsa_file()-890: fsa ext list new_version (1547781904) quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb5, vfid=1, oftp-name=[]. __quar_start_connection()-908: start server fortisandbox-fsb5-172.18.52.154 in vdom-1

[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca

Fortinet_CA, idx 0 (default)

[551] ssl_ctx_create_new_ex: SSL CTX is created [578] ssl_new: SSL object is created

upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=0

__quar_build_pkt()-408: build req(id=337, type=4) for vdom-vdom1, len=99, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=99

quar_remote_send()-520: req(id=337, type=4) read response, dev=fortisandbox-fsb2, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb2, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb3 xfer-status=0

__quar_build_pkt()-408: build req(id=338, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=338, type=6) read response, dev=fortisandbox-fsb3, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb3, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb5 xfer-status=0

__quar_build_pkt()-408: build req(id=340, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=340, type=6) read response, dev=fortisandbox-fsb5, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb5, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=1 quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1 quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2). quar_put_job_req()-332: Job 337 deleted

quar_remote_recv_send()-731: dev=fortisandbox-fsb4 xfer-status=0

__quar_build_pkt()-408: build req(id=339, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=339, type=6) read response, dev=fortisandbox-fsb4, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb4, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0

__quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name= __quar_send()-470: dev buffer — pos=0, len=98 …

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb1, vfid=1, oftp-name=[]. __quar_start_connection()-908: start server fortisandbox-fsb1-172.18.52.154 in vdom-1

[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca

Fortinet_CA, idx 0 (default)

[551] ssl_ctx_create_new_ex: SSL CTX is created [578] ssl_new: SSL object is created

upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0

__quar_build_pkt()-408: build req(id=2, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=2, type=6) read response, dev=fortisandbox-fsb1, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb1, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=1

quar_remote_recv()-662: dev(fortisandbox-fsb1) received a packet: len=767, type=1 quar_store_analytics_report()-590: Analytics-report return

file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz, buf_sz=735

quar_store_analytics_report()-597: The request

’83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18′ score is 1 quar_remote_recv()-718: file-[2] is accepted by server(fortisandbox-fsb1). quar_put_job_req()-332: Job 2 deleted quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)

[193] __ssl_data_ctx_free: Done

[805] ssl_free: Done

[185] __ssl_cert_ctx_free: Done

[815] ssl_ctx_free: Done

[796] ssl_disconnect: Shutdown l Appliance FortiSandbox diagnostics:

FGT_PROXY # config global

FGT_PROXY (global) # diagnose test application quarantined 1

Total remote&local devices: 8, any task full? 0 System have disk, vdom is enabled, mgmt=1, ha=2

xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=0, hmac_alg=0

License=0, content_archive=0, arch_pause=0.

global-fas is disabled. forticloud-fsb is disabled. fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

global-faz is disabled. global-faz2 is disabled. global-faz3 is disabled. l Checking FortiSandbox analysis statistics:

FGT_PROXY (global) # diagnose test application quarantine 7 Total: 0

Statistics: vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0

vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0 vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0

FGT_PROXY (global) #

Debug on the FortiSandbox side l Appliance FortiSandbox OFTP debug:

> diagnose-debug device FG101E4Q17002429

[2019/01/31 00:48:21] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549

[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=2 detected=2 risk_low=0 risk_ med=0 risk_high=0 sus_limit=0

[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.

[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818

[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1

[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 0

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 1795

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 595

[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: root

[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818

[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 4

[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=0 detected=0 risk_low=0 risk_ med=0 risk_high=0 sus_limit=0

[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: av, ENTRY_VERSION: 1795,

PACKAGE_PATH: /Storage/malpkg/pkg/avsig/avsigrel_1795.pkg

[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: url, ENTRY_VERSION: 595,

PACKAGE_PATH: /Storage/malpkg/pkg/url/urlrel_595.pkg.gz

[2019/01/31 00:48:29] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:32] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:59] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:49:03] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

Use FortiSandbox Cloud with AntiVirus

Feature overview

FortiCloud Sandbox allows users to take advantage of FortiSandbox features without having to purchase, operate, and maintain a physical appliance.

FortiCloud Sandbox works the same way as the physical FortiSandbox appliance.

Starting from FortiOS 6.2, the FortiCloud Sandbox allows users to control the region where their traffic is sent to for analysis. This allows users to meet their country’s compliances regarding data’s storage location.

Support and limitations

  • Starting from FortiOS 6.2, users no longer require a FortiCloud account to use FortiCloud Sandbox. l Without a valid AVDB license, FortiGate devices are limited to 100 FortiCloud submissions per day.
  • Unlimited FortiCloud submissions are allowed if the FortiGate has a valid AVDB license.
  • There is a limit on how many submissions are sent per minute.
  • Per minute submission rate is based on the FortiGate model.
  • FortiSandbox can be used with AntiVirus in both proxy-based and flow-based policy inspection modes.
  • With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
  • Submit only suspicious files to FortiSandbox for inspection. l Submit every file to FortiSandbox for inspection.
  • Do not submit anything. l Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
  • Submit every file to FortiSandbox for inspection. l Do not submit anything.

Network topology example

Configuring the feature

To configure AntiVirus to work with an external block list, the following steps are required:

  1. Through FortiCare/FortinetOne, registerthe FortiGate device and purchase a FortiGuard AntiVirus license.
  2. Enable FortiCloud Sandbox on the FortiGate.
  3. Enable FortiSandbox inspection.
  4. Enable the use of the FortiSandbox database.

To obtain or renew an AVDB license:

  1. Please see the video How to Purchase orRenew FortiGuard Services for FortiGuard AntiVirus license purchase instructions.
  2. Once a FortiGuard license has been purchased or activated, users will be provided with a paid FortiSandbox Cloud license.
    1. Go to Global > Main Dashboard to view the FortiSandbox Cloud license indicator.
    2. Users can also view this indicator at Global > System > FortiGuard.

Enable FortiCloud Sandbox on the FortiGate:

  1. Go to Global > Security Fabric > Settings and set the Sandbox Inspection toggle to the On
  2. Select FortiSandbox Cloud and choose a region from the dropdown list.
  3. Select Apply to save the settings.
  4. When the FortiGate is connected to the FortiSandbox Cloud, FortiSandbox’s current database version is displayed.

Enable FortiSandbox inspection:

  1. Go to Security Profiles > AntiVirus.
  2. Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.
  3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported file types.
  4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
  5. Select Apply.

Enable the use of the FortiSandbox database:

  1. Go to Security Profiles > AntiVirus.
  2. Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to the On
  3. Select Apply.

Diagnostics and debugging

Debug on FortiGate side

l Checking FortiCloud controller status:

FGT_FL_FULL (global) # diagnose test application forticldd 2

Server: log-controller, task=0/10, watchdog is off

Domain name: logctrl1.fortinet.com

Address of log-controller: 1

172.16.95.168:443

Statistics: total=3, discarded=1, sent=2, last_updated=12163 secs ago http connection: is not in progress

Current address: 172.16.95.168:443

Calls: connect=9, rxtx=12

Current tasks number: 0

Account: name=empty, status=0, type=basic

Current volume: 0B

Current tasks number: 0

Update timer fires in 74240 secs l Checking Cloud APT server status:

FGT_FL_FULL (global) # diagnose test application forticldd 3 Debug zone info:

Domain:

Home log server: 0.0.0.0:0

Alt log server: 0.0.0.0:0

Active Server IP:      0.0.0.0

Active Server status: down

Log quota:      0MB

Log used:       0MB

Daily volume: 0MB

fams archive pause: 0

APTContract : 1                           <====

APT server: 172.16.102.51:514            <====

APT Altserver: 172.16.102.52:514          <====

Active APTServer IP:       172.16.102.51 <====

Active APTServer status: up  <==== l Cloud FortiSandbox diagnostics:

FGT_FL_FULL (global) # diagnose test application quarantine 1

Total remote&local devices: 4, any task full? 0 System have disk, vdom is enabled, mgmt=3, ha=1

xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=1, hmac_alg=0

License=0, content_archive=0, arch_pause=0.

global-fas is disabled. forticloud-fsb is enabled: analytics, realtime=yes, taskfull=no addr=172.16.102.51/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=1, hmac_alg=0 fortisandbox-fsb1 is disabled. fortisandbox-fsb2 is disabled. fortisandbox-fsb3 is disabled. fortisandbox-fsb4 is disabled.

fortisandbox-fsb5 is disabled. fortisandbox-fsb6 is disabled. global-faz is disabled. global-faz2 is disabled. global-faz3 is disabled.

l Checking FortiSandbox Cloud submission statistics:

FGT_FL_FULL (global) # diagnose test application quarantined 2 Quarantine daemon state:

QUAR mem: mem_used=0, mem_limit=97269, threshold=72951

dropped(0 by quard, 0 by callers)

pending-jobs=0, tot-mem=0, last_ipc_run=12353, check_new_req=1 alloc_job_failed=0, job_wrong_type=0, job_wrong_req_len=0, job_invalid_qfd=0 tgz_create_failed=0, tgz_attach_failed=0, qfd_mmap_failed=0, buf_attached=0 xfer-fas:

ips: total=0, handled=0, accepted=0 quar: total=0, handled=0, accepted=0 archive: total=0, handled=0, accepted=0 analytics: total=0, handled=0, accepted=0, local_dups=0 analytics stats: total=0, handled=0, accepted=0 last_rx=0, last_tx=0, error_rx=0, error_tx=0

max_num_tasks=10000, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0

forticloud-fsb:

ips: total=0, handled=0, accepted=0 quar: total=0, handled=0, accepted=0 archive: total=0, handled=0, accepted=0

analytics: total=0, handled=0, accepted=0, local_dups=0

num_buffer=0(per-minute:10) last_min_count=0 last_vol_count=0 next_vol_reset_tm=’Sun Feb 17 00:00:00 2019

‘ analytics stats: total=24, handled=24, accepted=24 last_rx=1224329, last_tx=1224329, error_rx=2, error_tx=0 max_num_tasks=200, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0

l Checking FortiSandbox analysis statistics:

FGT_FL_FULL (global) # diagnose test application quarantine 7 Total: 0

Statistics: vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0 vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0 vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0

FGT_FL_FULL (global) # l Update Daemon debug:

FGT_FL_FULL (global) # diagnose debug application quarantined -1 FGT_FL_FULL (global) # diagnose debug enable

quar_req_fsa_file()-890: fsa ext list new_version (1547781904) quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb5, vfid=1, oftp-name=[]. __quar_start_connection()-908: start server fortisandbox-fsb5-172.18.52.154 in vdom-1 [103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca

Fortinet_CA, idx 0 (default)

[551] ssl_ctx_create_new_ex: SSL CTX is created [578] ssl_new: SSL object is created

upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=0

__quar_build_pkt()-408: build req(id=337, type=4) for vdom-vdom1, len=99, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=99

quar_remote_send()-520: req(id=337, type=4) read response, dev=fortisandbox-fsb2, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb2, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb3 xfer-status=0

__quar_build_pkt()-408: build req(id=338, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=338, type=6) read response, dev=fortisandbox-fsb3, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb3, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb5 xfer-status=0

__quar_build_pkt()-408: build req(id=340, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=340, type=6) read response, dev=fortisandbox-fsb5, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb5, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=1 quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1 quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2). quar_put_job_req()-332: Job 337 deleted

quar_remote_recv_send()-731: dev=fortisandbox-fsb4 xfer-status=0

__quar_build_pkt()-408: build req(id=339, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=339, type=6) read response, dev=fortisandbox-fsb4, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb4, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0

__quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name= __quar_send()-470: dev buffer — pos=0, len=98 …

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb1, vfid=1, oftp-name=[]. __quar_start_connection()-908: start server fortisandbox-fsb1-172.18.52.154 in vdom-1

[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca

Fortinet_CA, idx 0 (default)

[551] ssl_ctx_create_new_ex: SSL CTX is created [578] ssl_new: SSL object is created

upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0

__quar_build_pkt()-408: build req(id=2, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=2, type=6) read response, dev=fortisandbox-fsb1, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb1, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=1

quar_remote_recv()-662: dev(fortisandbox-fsb1) received a packet: len=767, type=1 quar_store_analytics_report()-590: Analytics-report return

file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz, buf_sz=735

quar_store_analytics_report()-597: The request

’83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18’ score is 1 quar_remote_recv()-718: file-[2] is accepted by server(fortisandbox-fsb1). quar_put_job_req()-332: Job 2 deleted quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)

[193] __ssl_data_ctx_free: Done

[805] ssl_free: Done

[185] __ssl_cert_ctx_free: Done

[815] ssl_ctx_free: Done

[796] ssl_disconnect: Shutdown l Appliance FortiSandbox diagnostics:

FGT_PROXY # config global

FGT_PROXY (global) # diagnose test application quarantined 1

Total remote&local devices: 8, any task full? 0 System have disk, vdom is enabled, mgmt=1, ha=2

xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=0, hmac_alg=0

License=0, content_archive=0, arch_pause=0.

global-fas is disabled. forticloud-fsb is disabled. fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

global-faz is disabled. global-faz2 is disabled. global-faz3 is disabled.

FortiSandbox Appliance or FortiSandbox Cloud

Leave a reply

FortiSandbox Appliance or FortiSandbox Cloud

FortiSandbox is available as a physical or virtual appliance (FortiSandbox Appliance), or as a cloud advanced threat protection service integrated with FortiGate (FortiSandbox Cloud).

To select the settings for Sandbox Inspection, such as the FortiSandbox type, server, and notifier email, go to Security Fabric > Settings.

The table below highlights the supported features of both types of FortiSandbox:

Feature FortiSandbox Appliance

(including VM)

 FortiSandbox Cloud
Sandbox inspection for FortiGate Yes (FortiOS 5.0.4+) Yes (FortiOS 5.2.3+)
Sandbox inspection for FortiMail Yes (FortiMail OS 5.1+) Yes (FortiMail OS 5.3+)
Sandbox inspection for FortiWeb Yes (FortiWeb OS 5.4+) Yes (FortiWeb OS 5.5.3+)
Sandbox inspection for FortiClient Yes (FortiClient 5.4+ for Windows only) No
Feature FortiSandbox Appliance

(including VM)

 FortiSandbox Cloud
Sandbox inspection for network share Yes No
Sandbox inspection for ICAP client Yes No
Manual File upload for analysis Yes Yes
Sniffer mode Yes Yes
File Status Feedback and Report Yes Yes
Dynamic Threat Database updates for FortiGate Yes (FortiOS 5.4+) Yes (FortiOS 5.4+)
Dynamic Threat Database updates

for FortiClient

 Yes (FortiClient 5.4 for Windows only) Yes (FortiClient 5.6+ for Windows only)

Note that a separate Dynamic Threat Database is maintained for FortiMail. For more information, see the FortiSandbox documentation.

FAQ for Sandbox inspection

Leave a reply

FAQ for Sandbox inspection

The following are some frequently asked questions about using sandbox inspection with FortiSandbox and FortiGate.

Why is the FortiSandbox Cloud option not available when sandbox inspection is enabled?

This option is only available if you have created a FortiCloud account. For more information, see the FortiCloud documentation.

Why don’t results from FortiSandbox Cloud appear in the FortiGate GUI?

Go to Log & Report > Log Settings and make sure Send Logs to FortiCloud is enabled and GUI Preferences is set to Display Logs from FortiCloud.

Why are the FortiSandbox Appliance VMs inactive?

Make sure that port 3 on the FortiSandbox has an active Internet connection. This is required in order to activate the FortiSandbox VMs.

Why aren’t files are being scanned by FortiSandbox?

Make sure an AntiVirus profile that sends files to FortiSandbox is enabled for all policies that require sandbox inspection.

Is FortiSandbox supported by FortiGate when in NAT or Transparent mode?

Yes, a FortiGate can be in either NAT or Transparent mode and support FortiSandbox.

Are FortiGates behind a NAT device supported? If so how many?

Yes, multiple FortiGates can be supported in-line with FortiSandbox. Note that the FortiSandbox will see all FortiGates only as one device so there is no way to differentiate reports.

If the FortiGate has a dynamic IP, will the FortiSandbox automatically update the FortiGate?

Yes. Dynamic IPs are supported and the FortiGate will not have to be reconfigured on the FortiSandbox each time.

What is Sandbox inspection?

Leave a reply

What is Sandbox inspection?

Sandbox inspection is a network process that allows files to be sent to a separate device, such as FortiSandbox, to be inspected without risking network security. This allows the detection of threats capable of bypassing other security measures, including zero-day threats.

You can configure your FortiGate device to send suspicious files to FortiSandbox for inspection and analysis. The FortiGate queries scan results and retrieves scan details. The FortiGate can also download malware packages as a complementary AV signature database to block future intrusions by the same malware and download URL packages as complementary web-filtering black lists.

The FortiSandbox uses virtual machines (VMs) running different operating systems to test a file and to determine if it is malicious. If the file exhibits risky behavior, or is found to contain a virus, a new signature can be added to the FortiGuard AntiVirus signature database.

When a FortiGate learns from FortiSandbox that an endpoint is infected, the administrator can quarantine the host, if it is registered to a FortiClient.

FortiSandbox has a VM pool and processes multiple files simultaneously. The amount of time to process a file depends on hardware and the number of sandbox VMs used to scan the file. For example, it can take 60 seconds to five minutes to process a file. FortiSandbox has a robust prefiltering process that, if enabled, reduces the need to inspect every file and reduces processing time. For more information on enabling prefiltering, refer to the FortiSandbox documentation.

Explicit proxy authentication

Leave a reply

Explicit proxy authentication

FortiGate supports multiple authentication methods. This topic explains using an external authentication server with Kerberos as the primary and NTLM as the fallback.

To configure Explicit Proxy with authentication:

Enable and configure the explicit proxy

To enable and configure explicit web proxy in the GUI:

  1. Go to Network > Explicit Proxy.
  2. Enable Explicit Web Proxy.
  3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
  4. Configure the remaining settings as needed.
  5. Click Apply.

To enable and configure explicit web proxy in the CLI:

config web-proxy explicit set status enable set ftp-over-http enable set socks enable set http-incoming-port 8080 set ipv6-status enable

set unknown-http-version best-effort

end

config system interface edit “port2” set vdom “vdom1”

set ip 10.1.100.1 255.255.255.0

set allowaccess ping https ssh snmp http telnet set type physical set explicit-web-proxy enable set snmp-index 12

end

next

end

Configure the authentication server and create user groups

Since we are using an external authentication server with Kerberos authentication as the primary and NTLM as the fallback, Kerberos authentication is configured first and then FSSO NTLM authentication is configured.

For successful authorization, the FortiGate checks if user belongs to one of the groups that is permitted in the security policy.

To configure an authentication server and create user groups in the GUI:

  1. Configure Kerberos authentication:
    1. Go to User& Device > LDAP Servers.
    2. Click Create New.
    3. Set the following:
Name ldap-kerberos
Server IP 172.18.62.220
Server Port 389
Common Name Identifier cn
Distinguished Name dc=fortinetqa,dc=local
  1. Click OK
  1. Define Kerberos as an authentication service. This option is only available in the CLI.
  2. Configure FSSO NTLM authentication:

FSSO NTLM authentication is supported in a Windows AD network. FSSO can also provide NTLM authentication service to the FortiGate unit. When a user makes a request that requires authentication, the FortiGate initiates NTLM negotiation with the client browser, but does not process the NTLM packets itself. Instead, it forwards all the NTLM packets to the FSSO service for processing. a. Go to Security Fabric > Fabric Connectors.

  1. Click Create New and select Fortinet Single Sign-On Agent from the SSO/Identity
  2. Set the Name to FSSO, Primary FSSO Agent to 16.200.220, and enter a password. d. Click OK.
  1. Create a user group for Kerberos authentication:
    1. Go to User& Device > UserGroups.
    2. Click Create New.
    3. Set the Name to Ldap-Group, and Type to Firewall.
    4. In the Remote Groups table, click Add, and set the Remote Server to the previously created ldap-kerberos
    5. Click OK.
  2. Create a user group for NTLM authentication:
    1. Go to User& Device > UserGroups.
    2. Click Create New.
    3. Set the Name to NTLM-FSSO-Group, Type to Fortinet Single Sign-On (FSSO), and add FORTINETQA/FSSO as a member.
    4. Click OK.

To configure an authentication server and create user groups in the CLI:

  1. Configure Kerberos authentication:

config user ldap edit “ldap-kerberos” set server “172.18.62.220” set cnid “cn”

set dn “dc=fortinetqa,dc=local”

set type regular

set username “CN=root,CN=Users,DC=fortinetqa,DC=local” set password ENC

6q9ZE0QNH4tp3mnL83IS/BlMob/M5jW3cAbgOqzTBsNTrGD5Adef8BZTquu46NNZ8KWoIoclAMlrGTR0z1IqT8n 7FIDV/nqWKdU0ehgwlqMvPmOW0+S2+kYMhbEj7ZgxiIRrculJIKoZ2gjqCorO3P0BkumbyIW1jAdPTOQb749n4O cEwRYuZ2odHTwWE8NJ3ejGOg== next

end

  1. Define Kerberos as an authentication service:

config user krb-keytab edit “http_service” set pac-data disable

set principal “HTTP/FGT.FORTINETQA.LOCAL@FORTINETQA.LOCAL” set ldap-server “ldap-kerberos” set keytab

“BQIAAABFAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEAA

EACKLCMonpitnVAAAARQACABBGT1JUSU5FVFFBLkxPQ0FMAARIVFRQABRGR1QuRk9SVElORVRRQS5MT0NBTAAAA

AEAAAAABAADAAiiwjKJ6YrZ1QAAAE0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAAURkdULkZPUlRJTkVUUUEu

TE9DQUwAAAABAAAAAAQAFwAQUHo9uqR9cSkzyxdzKCEXdwAAAF0AAgAQRk9SVElORVRRQS5MT0NBTAAESFRUUAA

URkdULkZPUlRJTkVUUUEuTE9DQUwAAAABAAAAAAQAEgAgzee854Aq1HhQiKJZvV4tL2Poy7hMIARQpK8MCB//BI AAAABNAAIAEEZPUlRJTkVUUUEuTE9DQUwABEhUVFAAFEZHVC5GT1JUSU5FVFFBLkxPQ0FMAAAAAQAAAAAEABEAE

G49vHEiiBghr63Z/lnwYrU=” next

end

  1. Configure FSSO NTLM authentication:

config user fsso edit “1” set server “172.18.62.220” set password ENC

4e2IiorhPCYvSWw4DbthmLdpJuvIFXpayG0gk1DHZ6TYQPMLjuiG9k7/+qRneCtztBfbzRr1pcyC6Zj3det2pvW dKchMShyz67v4c7s6sIRf8GooPBRZJtg03cmPg0vd/fT1xD393hiiMecVGCHXOBHAJMkoKmPNjc3Ga/e78rWYeH uWK1lu2Bk64EXxKFt799UgBA== next

end

  1. Create a user group for Kerberos authentication:

config user group edit “Ldap-Group” set member “ldap” “ldap-kerberos”

next

end

  1. Create a user group for NTLM authentication:

config user group edit “NTLM-FSSO-Group” set group-type fsso-service set member “FORTINETQA/FSSO”

next end

Create an authentication scheme and rules

Explicit proxy authentication is managed by authentication schemes and rules. An authentication scheme must be created first, and then the authentication rule.

To create an authentication scheme and rules in the GUI:

  1. Create an authentication scheme:
    1. Go to Policy & Objects > Authentication Rules.
    2. Click Create New > Authentication Schemes.
    3. Set the Name to Auth-scheme-Negotiate and select Negotiate as the Method. Click OK.
  2. Create an authentication rule:
    1. Go to Policy & Objects > Authentication Rules.
    2. Click Create New > Authentication Rules.
    3. Set the Name to Auth-Rule, Source Address to all, and Protocol to HTTP.
    4. Enable Authentication Scheme, and select the just created Auth-scheme-Negotiate e. Click OK.

To create an authentication scheme and rules in the CLI:

  1. Create an authentication scheme:

config authentication scheme edit “Auth-scheme-Negotiate” set method negotiate      <<< Accepts both Kerberos and NTLM as fallback next

end

  1. Create an authentication rule:

config authentication rule edit “Auth-Rule” set status enable set protocol http set srcaddr “all” set ip-based enable

set active-auth-method “Auth-scheme-Negotiate” set comments “Testing”

next

end

Create an explicit proxy policy and assign a user group to the policy

To create an explicit proxy policy and assign a user group to it in the GUI:

  1. Go to Policy & Object > Proxy Policy.
  2. Click Create New.
  3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
  4. Set Source to all, and the just created user groups NTLM-FSSO-Group and Ldap-Group.
  5. Also set Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
  6. Click OK.

To create an explicit proxy policy and assign a user group to it in the CLI:

config firewall proxy-policy edit 1 set uuid 722b6130-13aa-51e9-195b-c4196568d667 set proxy explicit-web set dstintf “port1” set srcaddr “all” set dstaddr “all” set service “web” set action accept set schedule “always” set logtraffic all

set groups “NTLM-FSSO-Group” “Ldap-Group” set av-profile “av”

set ssl-ssh-profile “deep-custom”

next

end

Verify the configuration

Log in using a domain and system that would be authenticated using the Kerberos server, then enter the diagnose wad user list CLI command to verify:

# diagnose wad user list

ID: 8, IP: 10.1.100.71, VDOM: vdom1 user name : test1@FORTINETQA.LOCAL

duration : 389 auth_type : IP

auth_method : Negotiate

pol_id     : 1 g_id    : 1 user_based : 0

expire      : no

LAN: bytes_in=4862 bytes_out=11893 WAN: bytes_in=7844 bytes_out=1023

Log in using a system that is not part of the domain. The NTLM fallback server should be used:

# diagnose wad user list

ID: 2, IP: 10.1.100.202, VDOM: vdom1 user name : TEST31@FORTINETQA

duration   : 7 auth_type : IP auth_method : NTLM

pol_id     : 1 g_id    : 5 user_based : 0

expire      : no

LAN:

bytes_in=6156 bytes_out=16149 WAN: bytes_in=7618 bytes_out=1917

 

Proxy policy security profiles

Leave a reply

Proxy policy security profiles

Web proxy policies support most security profile types.

Explicit web proxy policy

The security profiles supported by explicit web proxy policies are:

  • AntiVirus, l Web Filter, l Application Control, l IPS, l DLP Sensor, l ICAP,
  • Web Application Firewall, and l SSL Inspection.

To configure security profiles on an explicit web proxy policy in the GUI:

  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:
Proxy Type Explicit Web
Outgoing Interface port1
Source all
Destination all
Schedule always
Service webproxy
Action ACCEPT
  1. In the Firewall / Network Options section, set Protocol Options to default.
  2. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
AntiVirus av
Web Filter urlfiler
Application Control app
IPS Sensor-1
DLP Sensor dlp
ICAP default
Web Application Firewall default
SSL Inspection deep-inspection
  1. Click OK to create the policy.

To configure security profiles on an explicit web proxy policy in the CLI:

config firewall proxy-policy edit 1 set uuid c8a71a2c-54be-51e9-fa7a-858f83139c70 set proxy explicit-web set dstintf “port1” set srcaddr “all” set dstaddr “all” set service “web” set action accept set schedule “always” set utm-status enable set av-profile “av” set webfilter-profile “urlfilter” set dlp-sensor “dlp” set ips-sensor “sensor-1” set application-list “app” set icap-profile “default” set waf-profile “default” set ssl-ssh-profile “deep-inspection”

next end

Transparent proxy

The security profiles supported by explicit web proxy policies are:

  • AntiVirus, l Web Filter, l Application Control, l IPS, l DLP Sensor, l ICAP,
  • Web Application Firewall, and l SSL Inspection.

To configure security profiles on a transparent proxy policy in the GUI:

  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:
Proxy Type Explicit Web
Incoming Interfae port2
Outgoing Interface port1
Source all
Destination all
Schedule always
Service webproxy
Action ACCEPT
  1. In the Firewall / Network Options section, set Protocol Options to default.
  2. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
AntiVirus av
Web Filter urlfiler
Application Control app
IPS Sensor-1
DLP Sensor dlp
ICAP default
Web Application Firewall default
SSL Inspection deep-inspection
  1. Click OK to create the policy.

To configure security profiles on a transparent proxy policy in the CLI:

config firewall proxy-policy edit 2 set uuid 8fb05036-56fc-51e9-76a1-86f757d3d8dc set proxy transparent-web set srcintf “port2” set dstintf “port1” set srcaddr “all” set dstaddr “all” set service “webproxy” set action accept set schedule “always” set utm-status enable set av-profile “av” set webfilter-profile “urlfilter” set dlp-sensor “dlp” set ips-sensor “sensor-1” set application-list “app” set icap-profile “default” set waf-profile “default” set ssl-ssh-profile “certificate-inspection”

next

end

FTP proxy

The security profiles supported by explicit web proxy policies are:

l AntiVirus, l Application Control, l IPS, and l DLP Sensor.

To configure security profiles on an FTP proxy policy in the GUI:

  1. Go to Policy & Objects > Proxy Policy.
  2. Click Create New.
  3. Set the following:
Proxy Type FTP
Outgoing Interface port1
Source all
Destination all
Schedule always
Action ACCEPT
  1. In the Firewall / Network Options section, set Protocol Options to default.
  2. In the Security Profiles section, make the following selections (for this example, these profiles have all already been created):
AntiVirus av
Application Control app
IPS Sensor-1
DLP Sensor dlp
  1. Click OK to create the policy.

To configure security profiles on an FTP proxy policy in the CLI:

config firewall proxy-policy edit 3 set uuid cb89af34-54be-51e9-4496-c69ccfc4d5d4

set proxy ftp set dstintf “port1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set utm-status enable set av-profile “av” set dlp-sensor “dlp” set ips-sensor “sensor-1” set application-list “app”

next

end