Category Archives: FortiGate

Proxy policy addresses

Proxy addresses are designed to be used only by proxy policies.

Fast policy match

The fast policy match function improves the performance of IPv4 explicit and transparent web proxies on FortiGate devices.

When enabled, after the proxy policies are configured, the FortiGate builds a fast searching table based on the different proxy policy matching criteria. When fast policy matching is disabled, web proxy traffic is compared to the policies one at a time from the beginning of the policy list.

Fast policy matching is enabled by default, and can be configured with the following CLI command:

config web-proxy global
    set fast-policy-match {enable | disable}
end

Host regex match

In this address type, a user can create a hostname as a regular expression. Once created, the hostname address can be selected on the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a host regex match address with the pattern qa.[a-z]*.com. Note that the dots in this pattern are unescaped regular-expression metacharacters, so each one matches any single character rather than only a literal dot, and [a-z]* also matches an empty label; a pattern intended to match only hosts of the form qa.<label>.com would escape the dots, for example qa\.[a-z]+\.com.

To create a host regex match address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:

    • Category to Proxy Address,
    • Name to Host Regex,
    • Type to Host Regex Match, and
    • Host Regex Pattern to qa.[a-z]*.com.

  4. Click OK.

To create a host regex match address in the CLI:

config firewall proxy-address
    edit "Host Regex"
        set uuid 8e374390-57c9-51e9-9353-ee4469629df8
        set type host-regex
        set host-regex "qa.[a-z]*.com"
    next
end

URL pattern

In this address type, a user can create a URL path as a regular expression. Once created, the path address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the regular expression.

This example creates a URL pattern address with the pattern /filetypes/.

To create a URL pattern address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:

    • Category to Proxy Address,
    • Name to URL Regex,
    • Type to URL Pattern,
    • Host to all, and
    • URL Path Regex to /filetypes/.

  4. Click OK.

To create a URL pattern address in the CLI:

config firewall proxy-address
    edit "URL Regex"
        set uuid 267dc8e4-57cb-51e9-0cfe-27877bff51d3
        set type url
        set host "all"
        set path "/filetypes/"
    next
end
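Both of the patterns above (qa.[a-z]*.com under Host regex match, and /filetypes/ under URL pattern) are regular expressions, and it is worth checking what they actually match before a policy relies on them. The following is an added example written for this page, not code from the FortiOS documentation or from Fortinet: it runs both patterns against constructed hostnames and request URLs and also shows a tightened host pattern. JavaScript's RegExp stands in for the FortiGate's matching engine, which is an assumption; in particular, whether the FortiGate anchors a host regex or treats it as a substring search should be confirmed on the target firmware.

```javascript
// Added example, not from the FortiOS documentation: what the page's two
// proxy-address patterns really match. JavaScript RegExp is used as a stand-in
// for the FortiGate regex engine (assumption).

// The "Host Regex" object exactly as entered on the page: qa.[a-z]*.com
const HOST_REGEX_AS_WRITTEN = /qa.[a-z]*.com/;
// A tightened variant (assumed intent: exactly qa.<label>.com): dots escaped,
// at least one label character, and anchored to the whole hostname.
const HOST_REGEX_TIGHT = /^qa\.[a-z]+\.com$/;
// The "URL Regex" object: host "all", path /filetypes/
const URL_PATH_REGEX = /\/filetypes\//;

// Constructed hostnames (not from the page) that probe the pattern's edges.
const SAMPLE_HOSTS = [
  "qa.example.com",               // intended match
  "qa.internal.com",              // intended match
  "qaXexample.com",               // unescaped '.' matches the 'X'
  "qa-example-com",               // ... and matches '-' as well
  "www.qa.example.com.evil.net",  // unanchored: matches as a substring
  "qa.com",                       // no label between the dots: no match
  "qa.example.org",               // wrong TLD: no match
];

// Return the subset of hosts a given host-regex address would match.
function matchingHosts(hostRegex, hosts) {
  return hosts.filter((h) => hostRegex.test(h));
}

// Evaluate a destination address of type "url" against a request URL.
// addr.host === "all" stands for `set host "all"` (any host); otherwise it is a
// host regex. addr.path is the URL path regex. The query string is not part of
// the path match here (assumption).
function destinationMatches(addr, requestUrl) {
  const u = new URL(requestUrl);
  const hostOk = addr.host === "all" || addr.host.test(u.hostname);
  return hostOk && addr.path.test(u.pathname);
}

const URL_REGEX_ADDR = { host: "all", path: URL_PATH_REGEX };

// Constructed request URLs (not from the page).
const SAMPLE_URLS = [
  "http://downloads.example.com/filetypes/index.html",   // match
  "http://docs.example.com/docs/filetypes/list",        // unanchored: match
  "http://docs.example.com/filetypes",                  // no trailing slash: no match
  "https://cdn.example.net/assets/x.png?p=/filetypes/", // only in the query: no match
];

function matchingUrls(addr, urls) {
  return urls.filter((u) => destinationMatches(addr, u));
}

console.log("host regex as written:", matchingHosts(HOST_REGEX_AS_WRITTEN, SAMPLE_HOSTS));
console.log("host regex tightened :", matchingHosts(HOST_REGEX_TIGHT, SAMPLE_HOSTS));
console.log("url pattern          :", matchingUrls(URL_REGEX_ADDR, SAMPLE_URLS));
```

The as-written host pattern accepts five of the seven constructed hosts, including one where "qa.example.com" is merely a substring of an unrelated domain; the tightened pattern accepts only the two intended hosts. Whatever pattern is chosen, test it against hosts you want blocked as well as hosts you want allowed.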

URL category

In this address type, a user can create a URL category based on a FortiGuard URL ID. Once created, the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the URL category.

The example creates a URL category address for URLs in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

To create a URL category address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:

    • Category to Proxy Address,
    • Name to url-category,
    • Type to URL Category,
    • Host to all, and
    • URL Category to Education.

  4. Click OK.

To create a URL category address in the CLI:

config firewall proxy-address
    edit "url-category"
        set uuid 7a5465d2-57cf-51e9-49fd-0c6b5ad2ff4f
        set type category
        set host "all"
        set category 30
    next
end

To see a list of all the categories and their numbers, when editing the address, enter set category ?.

HTTP method

In this address type, a user can create an address based on the HTTP request methods that are used. Multiple method options are supported, including: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, and TRACE. Once created, the address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected HTTP method.

The example creates an HTTP method address that uses the GET method.

To create an HTTP method address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to method_get,
    • Type to HTTP Method,
    • Host to all, and
    • Request Method to GET.
  4. Click OK.

To create an HTTP method address in the CLI:

config firewall proxy-address
    edit "method_get"
        set uuid 1e4d1a02-57d6-51e9-a5c4-73387925b7de
        set type method
        set host "all"
        set method get
    next
end

HTTP header

In this address type, a user can create an HTTP header address as a regular expression: the address names a header and a pattern that the header's value must match. Once created, the header address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests where the named HTTP header matches the regular expression.

This example creates an HTTP header address with the pattern Q[A-B].

To create an HTTP header address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:
    • Category to Proxy Address,
    • Name to HTTP-header,
    • Type to HTTP Header,
    • Host to all,
    • HeaderName to Header_Test, and
    • HeaderRegex to Q[A-B].
  4. Click OK.

To create an HTTP header address in the CLI:

config firewall proxy-address
    edit "HTTP-header"
        set uuid a0f1b806-57e9-51e9-b214-7a1cfafa9bb3
        set type header
        set host "all"
        set header-name "Header_Test"
        set header "Q[A-B]"
    next
end

User agent

In this address type, a user can create an address based on the names of the browsers that are used as user agents. Multiple browsers are supported, such as Chrome, Firefox, Internet Explorer, and others. Once created, the address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests from the specified user agent. Because the User-Agent header is set by the client, this address type identifies a browser only as far as the client is honest about it; it is not a substitute for authentication.

This example creates a user agent address for Google Chrome.

To create a user agent address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:

    • Category to Proxy Address,
    • Name to UA-Chrome,
    • Type to UserAgent,
    • Host to all, and
    • UserAgent to Google Chrome.

  4. Click OK.

To create a user agent address in the CLI:

config firewall proxy-address
    edit "UA-Chrome"
        set uuid e3550196-57d8-51e9-eed0-115095a7920b
        set type ua
        set host "all"
        set ua chrome
    next
end

Advanced (source)

In this address type, a user can create an address based on multiple parameters, including HTTP method, User Agent, and HTTP header. Once created, the address can be selected in the source tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address that matches only requests that use the GET method, come from a Google Chrome user agent, and carry an HTTP header Header_Test whose value matches the pattern Q[A-B]; all three conditions must hold for the address to match.

To create an advanced (source) address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:

    • Category to Proxy Address,
    • Name to advanced_src,
    • Type to Advanced (Source),
    • Host to all,
    • Request Method to GET,
    • UserAgent to Google Chrome, and
    • HTTP header to Header_Test : Q[A-B].

  4. Click OK.

To create an advanced (source) address in the CLI:

config firewall proxy-address
    edit "advanced_src"
        set uuid fb9991d0-57e3-51e9-9fed-855e0bca16c3
        set type src-advanced
        set host "all"
        set method get
        set ua chrome
        config header-group
            edit 1
                set header-name "Header_Test"
                set header "Q[A-B]"
            next
        end
    next
end

Advanced (destination)

In this address type, a user can create an address based on URL pattern and URL category parameters. Once created, the address can be selected in the destination tab of an explicit proxy policy. This means that a policy will only allow or block requests that match the selected address.

This example creates an address that matches URLs whose path matches /about on hosts in the Education category. For more information about categories, see https://fortiguard.com/webfilter/categories.

To create an advanced (destination) address in the GUI:

  1. Go to Policy & Objects > Addresses.
  2. Click Create New > Address.
  3. Set the following:

    • Category to Proxy Address,
    • Name to Advanced-dst,
    • Type to Advanced (Destination),
    • Host to all,
    • URL Path Regex to /about, and
    • URL Category to Education.

  4. Click OK.

To create an advanced (destination) address in the CLI:

config firewall proxy-address
    edit "Advanced-dst"
        set uuid d9c2a0d6-57e5-51e9-8c92-6aa8b3372198
        set type dst-advanced
        set host "all"
        set path "/about"
        set category 30
    next
end

FTP Proxy

An explicit FTP proxy can be configured on the FortiGate so that FTP traffic is proxied rather than routed. When the FortiGate is configured as an FTP proxy, FTP client applications must be configured to send their FTP requests to the FortiGate's listening interface, and a proxy policy of type FTP must exist to allow the proxied traffic.

To configure explicit FTP proxy in the GUI:

  1. Enable and configure explicit FTP proxy:
    1. Go to Network > Explicit Proxy.
    2. Enable Explicit FTP Proxy.
    3. Select port2 as the Listen on Interfaces and set the FTP Port to 21.
    4. Configure the Default Firewall Policy Action as needed.
    5. Click Apply.
  2. Create an explicit FTP proxy policy:
    1. Go to Policy & Objects > Proxy Policy.
    2. Click Create New.
    3. Set Proxy Type to FTP and Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, and Action to ACCEPT.
  3. Configure the FTP client application to use the FortiGate IP address as its FTP proxy.

To configure explicit FTP proxy in the CLI:

  1. Enable and configure explicit FTP proxy:

config ftp-proxy explicit
    set status enable
    set incoming-port 21
end

config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set explicit-ftp-proxy enable
        set snmp-index 12
    next
end

The allowaccess list shown is the one on the lab device and is unrelated to proxy operation; unencrypted management protocols such as http and telnet should not be enabled on an interface that faces proxy clients.

  2. Create an explicit FTP proxy policy:

config firewall proxy-policy
    edit 4
        set uuid 2e945a3a-565d-51e9-4fac-5215d287adc0
        set proxy ftp
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
    next
end

  3. Configure the FTP client application to use the FortiGate IP address as its FTP proxy.

Transparent proxy

In a transparent proxy deployment, the user's client software, such as a browser, is unaware that it is communicating with a proxy.

Users request Internet content as usual, without any special client configuration, and the proxy serves their requests. The FortiGate can also be configured in transparent proxy mode: a regular firewall policy with HTTP redirect enabled hands matching traffic to a transparent web proxy policy.

To configure transparent proxy in the GUI:

  1. Configure a regular firewall policy with HTTP redirect:
    1. Go to Policy & Objects > IPv4 Policy.
    2. Click Create New.
    3. Name the policy appropriately, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, Service to ALL, and Action to ACCEPT.
    5. Set Inspection Mode to Proxy-based and SSL Inspection to deep-inspection.
    6. Configure the remaining settings as needed.
    7. Click OK.
  2. Configure a transparent proxy policy:
    1. Go to Policy & Objects > Proxy Policy.
    2. Click Create New.
    3. Set Proxy Type to Transparent Web, set the Incoming Interface to port2, and set the Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
    5. Configure the remaining settings as needed.
  3. No special configuration is required on the client to use the FortiGate transparent proxy. Because the client uses the FortiGate as its default gateway, requests first hit the regular firewall policy and are then redirected to the transparent proxy policy.

To configure transparent proxy in the CLI:

  1. Configure a regular firewall policy with HTTP redirect:

config firewall policy
    edit 1
        set name "1"
        set uuid c5c30442-54be-51e9-c17c-4513b1c973c0
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set http-policy-redirect enable
        set fsso disable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end

  2. Configure a transparent proxy policy:

config firewall proxy-policy
    edit 5
        set uuid 8fb05036-56fc-51e9-76a1-86f757d3d8dc
        set proxy transparent-web
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end

  3. No special configuration is required on the client to use the FortiGate transparent proxy. Because the client uses the FortiGate as its default gateway, requests first hit the regular firewall policy and are then redirected to the transparent proxy policy.

Explicit web proxy

An explicit web proxy can be configured on the FortiGate for proxying HTTP and HTTPS traffic.

To deploy an explicit proxy, individual client browsers can be configured manually to send requests directly to the proxy, or they can be configured to download proxy configuration instructions from a Proxy Auto-Configuration (PAC) file.

Once the explicit proxy is enabled on an interface, client browsers can use that interface's IP address and the configured HTTP port as their proxy to forward requests directly to the FortiGate. The FortiGate also supports PAC file configuration.

To configure explicit web proxy in the GUI:

  1. Enable and configure explicit web proxy:
    1. Go to Network > Explicit Proxy.
    2. Enable Explicit Web Proxy.
    3. Select port2 as the Listen on Interfaces and set the HTTP Port to 8080.
    4. Configure the remaining settings as needed.
    5. Click Apply.
  2. Create an explicit web proxy policy:
    1. Go to Policy & Objects > Proxy Policy.
    2. Click Create New.
    3. Set Proxy Type to Explicit Web and Outgoing Interface to port1.
    4. Also set Source and Destination to all, Schedule to always, Service to webproxy, and Action to ACCEPT.
  3. Configure a client to use the FortiGate explicit proxy: set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.

To configure explicit web proxy in the CLI:

  1. Enable and configure explicit web proxy:

config web-proxy explicit
    set status enable
    set ftp-over-http enable
    set socks enable
    set http-incoming-port 8080
    set ipv6-status enable
    set unknown-http-version best-effort
end

The ftp-over-http, socks, ipv6-status and unknown-http-version settings are optional; enable only the protocols you intend to proxy, since each one widens what the listening port accepts, and best-effort handling of unknown HTTP versions lets non-conforming requests through rather than rejecting them.

config system interface
    edit "port2"
        set vdom "vdom1"
        set ip 10.1.100.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set explicit-web-proxy enable
        set snmp-index 12
    next
end

  2. Create an explicit web proxy policy:

config firewall proxy-policy
    edit 1
        set uuid 722b6130-13aa-51e9-195b-c4196568d667
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

  3. Configure a client to use the FortiGate explicit web proxy: set the FortiGate IP address as the proxy IP address in the browser, or use an automatic configuration script for the PAC file.
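The explicit proxy configured above can be handed to browsers through a PAC file. The following is an added example written for this page, not a PAC file shipped by Fortinet or taken from the FortiOS documentation: it sends browser traffic to the proxy at 10.1.100.1:8080 (the port2 address and HTTP port used on this page) and keeps internal destinations direct. The internal address ranges and DNS suffixes are assumptions chosen for illustration; adjust them to your network.

```javascript
// Added example for this page, not a PAC file from Fortinet or the FortiOS docs.
// It routes browser traffic to the explicit web proxy configured above:
// 10.1.100.1:8080 is the port2 address and HTTP port used on this page.
// The internal networks and DNS suffixes below are assumptions; change them.
// Only plain JavaScript is used (none of the browser-supplied PAC helpers such
// as isInNet or dnsResolve), so the same file can be served as proxy.pac and
// exercised under Node.

var FORTIGATE_PROXY = "PROXY 10.1.100.1:8080";
var DIRECT = "DIRECT";

// Assumed internal IPv4 ranges (RFC 1918 and loopback) that bypass the proxy.
var INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"];
// Assumed DNS suffixes that only resolve inside the network.
var INTERNAL_SUFFIXES = [".corp.example", ".local"];

// Dotted-quad IPv4 string to an unsigned 32-bit number; -1 if not an IPv4 literal.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return -1;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True when the numeric IPv4 address falls inside "a.b.c.d/bits".
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var base = ipv4ToInt(parts[0]);
  var bits = parseInt(parts[1], 10);
  if (ip < 0 || base < 0 || bits < 0 || bits > 32) return false;
  // Arithmetic rather than shifts: JS bitwise operators are 32-bit signed.
  var block = Math.pow(2, 32 - bits);
  return Math.floor(ip / block) === Math.floor(base / block);
}

function hasSuffix(host, suffix) {
  return host.length > suffix.length && host.slice(-suffix.length) === suffix;
}

// Entry point the browser calls for every request. Decisions use only the
// host string: no dnsResolve(), which would leak lookups and slow every page.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Single-label intranet names never leave the network.
  if (host.indexOf(".") === -1) return DIRECT;

  // Internal DNS suffixes stay direct.
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (hasSuffix(host, INTERNAL_SUFFIXES[i])) return DIRECT;
  }

  // Literal private or loopback IPv4 destinations stay direct.
  var ip = ipv4ToInt(host);
  if (ip >= 0) {
    for (var j = 0; j < INTERNAL_NETS.length; j++) {
      if (inCidr(ip, INTERNAL_NETS[j])) return DIRECT;
    }
  }

  // Everything else goes through the FortiGate. No "; DIRECT" fallback is
  // appended: if the proxy is down the client fails closed instead of
  // silently bypassing inspection.
  return FORTIGATE_PROXY;
}
```

Serve the file with the MIME type application/x-ns-proxy-autoconfig from a web server the clients trust (or through the FortiGate's own PAC file support mentioned above) and point the browser's automatic configuration script setting at its URL. The function deliberately returns the proxy alone rather than "PROXY 10.1.100.1:8080; DIRECT", so a client cannot quietly bypass the FortiGate when the proxy is unreachable; add the fallback only if availability matters more than inspection.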

VoIP Solutions – SIP over TLS

SIP over TLS

Some SIP phones and servers can communicate using TLS to encrypt the SIP signaling traffic. To allow SIP over TLS calls to pass through the FortiGate, the encrypted signaling traffic must be decrypted and inspected. The FortiGate SIP ALG intercepts, decrypts, and inspects the SIP packets, which are then re-encrypted and forwarded to their destination.

The SIP ALG only supports full mode TLS. This means that the SIP traffic between the SIP phones and the FortiGate, and between the FortiGate and the SIP server, is always encrypted; the signaling is in clear text only inside the FortiGate. The highest TLS version supported by the SIP ALG is TLS 1.2.

To enable SIP over TLS support, the SSL mode in the VoIP profile must be set to full. An SSL server certificate and an SSL client certificate can be provisioned so that the FortiGate can use them to establish connections to the SIP phones and to the SIP server, respectively: the FortiGate presents the server certificate to the phones, which connect to it as a TLS server, and presents the client certificate to the SIP server, which it connects to as a TLS client.

To configure SIP over TLS:

  1. Configure a VoIP profile with SSL enabled:

config voip profile
    edit "tls"
        config sip
            set ssl-mode full
            set ssl-client-certificate "ssl_client_cert"
            set ssl-server-certificate "ssl_server_cert"
        end
    next
end

The ssl_server_cert and ssl_client_cert certificates and their key files can be generated using a certificate tool, such as OpenSSL, and imported into the local certificate store of the FortiGate from System > Certificates in the GUI. Existing local certificates in the certificate store can also be used. As with any TLS connection, the certificate presented must be verifiable and trusted by the peer at the other end of the connection whenever that peer performs verification.

For example, the CA certificate that issued the SIP server's certificate should be imported into the FortiGate as an external CA certificate, so that the FortiGate can use it to verify the SIP server's certificate when setting up the TLS connection. Likewise, the CA certificate that issued ssl_server_cert should be installed as a trusted certificate on the SIP phones, so that they can verify the FortiGate when it terminates their TLS connections. How the certificates are distributed across the network depends on the SIP client and server devices used in the system.

  2. Apply the profile to the firewall policy:

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "vip_sip_server"
        set action accept
        set schedule "always"
        set service "SIP"
        set utm-status enable
        set voip-profile "tls"
    next
end

VoIP Solutions – SIP pinholes

SIP pinholes

When the SIP ALG processes a SIP call, it opens pinholes for the SIP signaling and for the RTP/RTCP media packets negotiated in the call. NAT usually takes place during the process at both the network layer and the SIP application layer (the addresses and ports embedded in SIP and SDP are rewritten). The SIP ALG ensures that, with NAT in effect, the corresponding SIP and RTP/RTCP pinholes are created whenever they are needed for call sessions to be established through the FortiOS device.

By default, the SIP ALG manages pinholes automatically, but some settings can be used to restrict the pinholes if required.

SIP pinhole restriction

By default, the strict-register attribute is enabled. When it is enabled, after a SIP endpoint registers with the SIP server through a firewall policy on the FortiOS device, only SIP messages sent from the SIP server's IP address are allowed through the SIP pinhole that the FortiOS device creates towards that endpoint. If the attribute is disabled, SIP messages from any IP address can pass through the pinhole created by the registration, which exposes the endpoint to any host that can reach the pinhole; disable it only when the SIP server legitimately sends signaling from more than one address.

config voip profile
    edit "voip-profile-name"
        config sip
            set strict-register {enable | disable}
        end
    next
end

RTP/RTCP pinhole restriction

In a SIP call through the SIP ALG, the NATed RTP/RTCP port range is 5117 to 65533 by default. If required, the port range can be restricted:

config voip profile
    edit "voip-profile-name"
        config sip
            set nat-port-range <start_port_number>-<end_port_number>
            …
        end
    next
end

In a SIP call session, the RTP port number is usually an even number and the RTCP port number is the odd number immediately following it. It is therefore best practice to set start_port_number to an even number and end_port_number to an odd number, so that the range holds only complete RTP/RTCP pairs, for example:

config voip profile
    edit "voip-profile-name"
        config sip
            set nat-port-range 30000-39999
        end
    next
end

VoIP Solutions – SIP Message Inspection and Filtering

SIP message inspection and filtering

The SIP ALG provides security features to inspect and control SIP messages that are transported through FortiOS devices, including:

    • Verifying the SIP message syntax.
    • Blocking particular types of SIP requests.
    • Restricting the rate of particular SIP requests.

These features are configured in the VoIP profile:

config voip profile
    edit <voip_profile_name>
        config sip
            set …
        end
    next
end

The VoIP profile can then be applied to a firewall policy to process the SIP call traffic.

SIP message syntax inspection

For syntax verification, the following attributes are available in the VoIP profile. Each one determines the action taken when a syntax error, or an attack based on invalid syntax, is detected in the corresponding field; the action can be set to pass or discard the message.

    malformed-request-line
    malformed-header-via
    malformed-header-from
    malformed-header-to
    malformed-header-call-id
    malformed-header-cseq
    malformed-header-rack
    malformed-header-rseq
    malformed-header-contact
    malformed-header-record-route
    malformed-header-route
    malformed-header-expires
    malformed-header-content-type
    malformed-header-content-length
    malformed-header-max-forwards
    malformed-header-allow
    malformed-header-p-asserted-identity
    malformed-header-sdp-v
    malformed-header-sdp-o
    malformed-header-sdp-s
    malformed-header-sdp-i
    malformed-header-sdp-c
    malformed-header-sdp-b
    malformed-header-sdp-z
    malformed-header-sdp-k
    malformed-header-sdp-a
    malformed-header-sdp-t
    malformed-header-sdp-r
    malformed-header-sdp-m

SIP message blocking

The following options are available in the VoIP profile to block SIP messages:

    block-long-lines
    block-unknown
    block-ack
    block-bye
    block-cancel
    block-info
    block-invite
    block-message
    block-notify
    block-options
    block-prack
    block-publish
    block-refer
    block-register
    block-subscribe
    block-update
    block-geo-red-options

SIP message rate limiting

The rate of certain types of SIP requests passing through the SIP ALG can be restricted:

    register-rate
    invite-rate
    subscribe-rate
    message-rate
    notify-rate
    refer-rate
    update-rate
    options-rate
    ack-rate
    prack-rate
    info-rate
    publish-rate
    bye-rate
    cancel-rate
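The three controls above (syntax inspection, message blocking and rate limiting) are easier to reason about when seen operating on actual messages. The following is an added example written for this page, not code from the FortiOS documentation or from the FortiGate SIP ALG: a miniature inspector that parses constructed SIP requests, applies a profile whose option names mirror the CLI attributes listed above, and returns the action taken for each message. The validation rules, the "pass when an option is unset" default, the rate thresholds, the generic malformed-header catch-all and the sample messages are all assumptions made for illustration.

```javascript
// Added example, not code from the FortiOS documentation or the FortiGate SIP
// ALG. Miniature SIP request inspector: syntax checks, method blocking and
// per-second rate limiting driven by a profile shaped like `config sip`.
// Rules, defaults, thresholds and sample messages are assumptions.

const KNOWN_METHODS = new Set(["ACK", "BYE", "CANCEL", "INFO", "INVITE", "MESSAGE",
  "NOTIFY", "OPTIONS", "PRACK", "PUBLISH", "REFER", "REGISTER", "SUBSCRIBE", "UPDATE"]);
// Headers RFC 3261 requires in every request (compact header forms not handled).
const MANDATORY = ["via", "from", "to", "call-id", "cseq", "max-forwards"];

// One policy's profile, in the shape of `config voip profile` > `config sip`.
const PROFILE = {
  "malformed-request-line": "discard",
  "malformed-header-via": "discard",
  "malformed-header-cseq": "discard",
  "malformed-header-content-length": "pass",  // flagged but forwarded, for contrast
  "malformed-header": "discard",              // this example's catch-all, not a FortiOS option
  "block-options": true,
  "block-unknown": true,
  "invite-rate": 2,      // requests per second through this policy
  "register-rate": 5,
};
const actionFor = (option) => PROFILE[option] || "pass";  // unset options pass (assumed)

// Per-header syntax rules: true when the value is well formed.
const HEADER_RULES = {
  "via": (v) => /^SIP\/2\.0\/(UDP|TCP|TLS|SCTP) \S+/.test(v),
  "cseq": (v, req) => { const m = /^(\d+) ([A-Z]+)$/.exec(v); return !!m && m[2] === req.method; },
  "max-forwards": (v) => /^\d{1,3}$/.test(v),
  "call-id": (v) => /^\S+$/.test(v),
  // Samples are ASCII, so character length equals byte length (assumption).
  "content-length": (v, req) => /^\d+$/.test(v) && Number(v) === req.body.length,
};

// Parse a raw request; returns {problem} when the message cannot be parsed at all.
function parseRequest(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep < 0 ? raw : raw.slice(0, sep);
  const body = sep < 0 ? "" : raw.slice(sep + 4);
  const lines = head.split("\r\n");
  const rl = /^([A-Z]+) (\S+) SIP\/2\.0$/.exec(lines[0]);
  if (!rl) return { problem: "malformed-request-line" };
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i <= 0) return { problem: "malformed-header" };  // not "Name: value"
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method: rl[1], uri: rl[2], headers, body };
}

// First syntax problem in a parsed request, or null when it is clean.
function syntaxProblem(req) {
  for (const h of MANDATORY) if (!(h in req.headers)) return "malformed-header-" + h;
  for (const [h, ok] of Object.entries(HEADER_RULES)) {
    if (h in req.headers && !ok(req.headers[h], req)) return "malformed-header-" + h;
  }
  return null;
}

// Decide what the ALG does with one request. `state` keeps per-second counters
// across calls; `nowSec` is injected rather than read from the clock.
function inspect(raw, nowSec, state) {
  const req = parseRequest(raw);
  if (req.problem) return { action: actionFor(req.problem), reason: req.problem };
  const problem = syntaxProblem(req);
  if (problem && actionFor(problem) === "discard") return { action: "discard", reason: problem };
  const key = req.method.toLowerCase();
  const known = KNOWN_METHODS.has(req.method);
  if (known ? PROFILE["block-" + key] : PROFILE["block-unknown"]) {
    return { action: "block", reason: known ? "block-" + key : "block-unknown" };
  }
  const limit = PROFILE[key + "-rate"];
  if (limit) {
    const bucket = key + "@" + nowSec;
    state[bucket] = (state[bucket] || 0) + 1;
    if (state[bucket] > limit) return { action: "rate-limit", reason: key + "-rate" };
  }
  return { action: "pass", reason: problem || "ok" };
}

// Constructed sample traffic (not captured from any real system).
function buildRequest(method, overrides) {
  const h = Object.assign({
    "Via": "SIP/2.0/UDP 10.1.100.50:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards": "70",
    "From": "<sip:alice@example.com>;tag=1928301774",
    "To": "<sip:bob@example.com>",
    "Call-ID": "a84b4c76e66710@10.1.100.50",
    "CSeq": "1 " + method,
    "Content-Length": "0",
  }, overrides || {});
  const lines = [method + " sip:bob@example.com SIP/2.0"];
  for (const [k, v] of Object.entries(h)) if (v !== null) lines.push(k + ": " + v);
  return lines.join("\r\n") + "\r\n\r\n";
}

// A burst within one second through a single policy; returns the action per message.
function runScenario() {
  const state = {};
  const traffic = [
    buildRequest("REGISTER"),                              // clean: pass
    buildRequest("INVITE", { "Via": "UDP 10.1.100.50" }),  // bad Via: discard
    buildRequest("INVITE", { "CSeq": "2 BYE" }),           // CSeq/method mismatch: discard
    buildRequest("INVITE", { "Content-Length": "5" }),     // wrong length, profile says pass
    buildRequest("OPTIONS"),                               // block-options: block
    buildRequest("FOO"),                                   // block-unknown: block
    "INVITE sip:bob@example.com SIP/3.0\r\n\r\n",          // bad request line: discard
    buildRequest("INVITE"), buildRequest("INVITE"),        // 2nd INVITE passes, 3rd exceeds invite-rate 2
  ];
  return traffic.map((raw) => inspect(raw, 1000, state).action);
}
```

Running runScenario() yields pass, discard, discard, pass, block, block, discard, pass, rate-limit for the nine messages: the INVITE with the wrong Content-Length is forwarded because the profile sets that option to pass, and it still counts toward invite-rate, so the third well-formed INVITE in the same second is dropped. The real ALG has a separate option per header and SDP field, as the list above shows; this example implements only a handful of them.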

Back up log files or dump log messages

When a log issue is caused by a particular log message, it is very helpful to obtain the logs from that FortiGate. This topic provides the steps for backing up the log files with exec log backup, or for dumping log messages, to a USB drive.

Back up full logs using exec log backup

This command backs up all disk log files and is only available on FortiGates with an SSD disk.

Before running exec log backup, we recommend temporarily stopping miglogd and reportd so that the log files are not being written while they are copied.

To stop and kill miglogd and reportd:

diagnose sys process daemon-auto-restart disable miglogd
diagnose sys process daemon-auto-restart disable reportd
fnsysctl killall miglogd
fnsysctl killall reportd

To store the log file on a USB drive:

  1. Plug a USB drive into the FortiGate.
  2. Run this command:

exec log backup /usb/log.tar

To restart miglogd and reportd:

diagnose sys process daemon-auto-restart enable miglogd
diagnose sys process daemon-auto-restart enable reportd

Dump log messages

To dump log messages:

  1. Enable log dumping for one miglogd process:

FGT-B-LOG (global) # diagnose test application miglogd 26 1
miglogd(1) log dumping is enabled

  2. Display the dumping status of all miglogd processes, and enable dumping on the remaining ones:

FGT-B-LOG (global) # diagnose test application miglogd 26 0 255
miglogd(0) log dumping is disabled
miglogd(1) log dumping is enabled
miglogd(2) log dumping is disabled

FGT-B-LOG (global) # diagnose test application miglogd 26 2
miglogd(2) log dumping is enabled

FGT-B-LOG (global) # diagnose test application miglogd 26 0
miglogd(0) log dumping is enabled

FGT-B-LOG (global) # diagnose test application miglogd 26 0 255
miglogd(0) log dumping is enabled
miglogd(1) log dumping is enabled
miglogd(2) log dumping is enabled

  3. Let the FortiGate run and collect log messages.
  4. List the log dump files:

FGT-B-LOG (global) # diagnose test application miglogd 33
2019-04-17 15:50:02         20828     log-1-0.dat
2019-04-17 15:48:31           4892     log-2-0.dat

  5. Back up the log dump files to the USB disk:

FGT-B-LOG (global) # diagnose test application miglogd 34
Dumping file miglog1_index0.dat copied to USB disk OK.
Dumping file miglog2_index0.dat copied to USB disk OK.

  6. Disable log dumping for the miglogd daemons:

FGT-B-LOG (global) # diagnose test application miglogd 26 0
miglogd(0) log dumping is disabled

FGT-B-LOG (global) # diagnose test application miglogd 26 1
miglogd(1) log dumping is disabled

FGT-B-LOG (global) # diagnose test application miglogd 26 2
miglogd(2) log dumping is disabled

FGT-B-LOG (global) # diagnose test application miglogd 26 0 255
miglogd(0) log dumping is disabled
miglogd(1) log dumping is disabled
miglogd(2) log dumping is disabled