Category Archives: Fortinet GURU

Text strings – FortiOS 6.2

Text strings

The configuration of a FortiGate is stored in the FortiOS configuration database. To change the configuration, you can use the GUI or CLI to add, delete, or change configuration settings. These changes are stored in the database as you make them. Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable) settings.

Entering text strings (names)

Text strings are used to name entities in the configuration. For example, the name of a firewall address, the name of an administrative user, and so on. You can enter any character in a FortiGate configuration text string, except the following characters that present cross-site scripting (XSS) vulnerabilities: l (double quote) l & (ampersand) l (single quote) l < (less than) l > (greater than)

Most GUI text string fields make it easy to add an acceptable number of characters and prevent you from adding the XSS vulnerability characters.

You can also use the tree command in the CLI to view the number of characters allowed in a name field. For example, firewall address names can contain up to 64 characters. When you add a firewall address to the GUI, you are limited to entering 64 characters in the firewall address name field. From the CLI you can enter the following tree command to confirm that the firewall address name field allows 64 characters.

config firewall address tree

— [address] –*name (64)

|- uuid

|- subnet

|- type

|- start-ip

|- end-ip

|- fqdn (256)

|- country (3)

|- cache-ttl (0,86400)

|- wildcard

|- comment

|- visibility

|- associated-interface (36)

|- color (0,32)

|- [tags] –*name (65)

+- allow-routing

The tree command output also shows the number of characters allowed for other firewall address name settings. For example, the fully qualified domain name (fqdn) field can contain up to 256 characters.

Entering numeric values

Numeric values set various sizes, rates, addresses, and other numeric values (e.g. a static routing priority of 10, a port number of 8080, an IP address of 10.10.10.1). Numeric values can be entered as a series of digits without spaces or commas (for example, 10 or 64400), in dotted decimal format (for example the IP address 10.10.10.1) or, as in the case of MAC or IPv6 addresses, separated by colons (e.g. the MAC address 00:09:0F:B7:37:00). Most numeric values are standard base 10 numbers, but some fields, such as MAC addresses, require hexadecimal numbers.

Most GUI numeric value fields make it easy to add the acceptable number of digits within the allowed range. CLI help text includes information about allowed numeric value ranges. Both the GUI and the CLI prevent you from entering invalid numbers.

Dashboard – FortiOS 6.2

Dashboard

The FortiOS Dashboard consists of a Network Operations Center (NOC) view with a focus on alerts. Widgets are interactive. By clicking or hovering over most widgets, the user can see additional information or follow links to other pages.

The dashboard and its widgets include:

  • Multiple dashboard support l VDOM and global dashboards l Widget resize control l Notifications on the top header bar

The following widgets are displayed by default:

Widget Description
System Information The System Information widget lists information relevant to the FortiGate system, including hostname, serial number, and firmware.
Security Fabric The Security Fabric widget displays a visual summary of many of the devices in the Fortinet Security Fabric.
CPU The real-time CPU usage is displayed for different time frames.
Widget Description
Licenses Hovering over the Licenses widget results in the display of status information (and, where applicable, database information) on the licenses for FortiCare Support, Firmware & General Updates, AntiVirus, Web Filtering, Security Rating,

FortiClient, and FortiToken. Note that Mobile Malware is not a separate service in FortiOS 6.0.0. The Mobile Malware subscription is included with the AntiVirus subscription. Clicking in the Licenses widget provides you with links to other pages, such as System > FortiGuard or contract renewal pages.

FortiCloud This widget displays FortiCloud status and provides a link to activate FortiCloud.
Administrators This widget allows you to view: l which administrators are logged in and how many sessions are active (a link directs you to a page displaying active administrator sessions) l all connected administrators and the protocols used by each
Memory Real-time memory usage is displayed for different time frames. Hovering over any point on the graph displays percentage of memory used along with a timestamp.
Sessions Hovering over the Sessions widget allows you to view memory usage data over time. Click on the down arrow to change the timeframe displayed.

Security processing unit, or SPU, percentage is displayed if your FortiGate includes an SPU. Likewise, nTurbo percentage is displayed if supported by your FortiGate.

Bandwidth Hover over the Bandwidth widget to display bandwidth usage data over time. Click on the down arrow to change the timeframe displayed. Bandwidth is displayed for both incoming and outgoing traffic.
Virtual Machine The VM widget (shown by default in the dashboard of a FortiOS VM device) includes:

l License status and type l CPU allocation usage l License RAM usage l VMX license information (if the VM supports VMX)

If the VM license specifies ‘unlimited’ the progress bar is blank. If the VM is in evaluation mode, it is yellow (warning style) and the dashboard shows the number of evaluation days used.

The following optional widgets are also available:

  • FortiView l Host Scan Summary
  • Vulnerabilities Summary l Botnet Activity l HA Status l Log Rate l Session Rate l Security Fabric Score l Advanced Threat Protection Statistics l Interface Bandwidth

Modifying dashboard widget titles

Dashboard widget titles can be modified so that widgets with different filters applied can be easily differentiated. The widget has a default title unless you set a new title.

Syntax

config system admin edit <name> config gui-dashboard config widget edit 9 set type fortiview …

set title “test source by bytes”

end

end

end

Buy Hardware Reminder

Hey Guys!

Just a reminder that we do have an official Fortinet GURU store now so you can buy Fortinet hardware and services / support. It is located at the Buy Fortinet Hardware link that is at the top of the site as well as on the sidebar. We will have some raffles and misc other items that will provide you guys an opportunity to win some free hardware as well!

VPN policies

VPN policies

At one point, if you wanted to have secure digital communications between 2 points a private network would be created. This network would only allow the people that were intended to get the communications on it. This is very straightforward if the 2 points are in the same room or even in the same building. It can all be done physically. If you are supposed to be on the secure network

VPNs are an answer to one of today’s biggest concerns, how to make digital communications secure between to points that must communicate over the Internet which anybody can have access to.

There are two types of VPNs supported by FortiOS, SSL and IPsec. They are differentiated by the security protocol suites that are used to secure the traffic. These are both described in more detail in the VPN section, but the IPsec VPN can be configured as an Action with a firewall policy.

IPsec policies

IPsec policies allow IPsec VPN traffic access to the internal network from a remote location. These policies include authentication information that authenticates users and user group or groups. These policies specify the following:

  • the FortiGate firewall interface that provides the physical connection to the remote VPN gateway, usually an interface connected to the Internet
  • the FortiGate firewall interface that connects to the private network l IP addresses associated with data that has to be encrypted and decrypted l optional: a schedule that restricts when the VPN can operate, and services (or types of data) that can be sent.

For a route-based (interface mode) VPN, you do not configure an IPsec security policy. Instead, you configure two regular ACCEPT security policies, one for each direction of communication, with the IPsec virtual interface as the source or destination interface, as appropriate.