Category Archives: FortiOS 5.4 Handbook

The complete handbook for FortiOS 5.4

Security Profiles components


 

AntiVirus

Your FortiGate unit stores a virus signature database that can identify more than 15,000 individual viruses. FortiGate models that support additional virus databases are able to identify hundreds of thousands of viruses. With a FortiGuard AntiVirus subscription, the signature databases are updated whenever a new threat is discovered.

AntiVirus also includes file filtering. When you specify files by type or by file name, the FortiGate unit will stop the matching files from reaching your users.

FortiGate units with a hard drive, or configured to use a FortiAnalyzer unit, can store infected and blocked files so that you can examine them later.

 

Web Filter

Web filtering includes a number of features you can use to protect or limit your users’ activity on the web. FortiGuard Web Filtering is a subscription service that allows you to limit access to web sites. More than 60 million web sites and two billion web pages are rated by category. You can choose to allow or block each of the 77 categories.

URL filtering can block your network users from access to URLs that you specify.

Web content filtering can restrict access to web pages based on words and phrases appearing on the web page itself. You can build lists of words and phrases, each with a score. When a web content list is selected in a web filter profile, you can specify a threshold. If a user attempts to load a web page and the score of the words on the page exceeds the threshold, the web page is blocked.
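The scoring the paragraph describes, as an added example (not FortiGate code and not from the handbook): each pattern in the content list carries a score, every match on the page adds that score, and the page is blocked when the total exceeds the profile's threshold. The content list, threshold and sample pages are constructed; scoring only the visible text (not markup or script bodies), matching on whole words, counting every occurrence, and treating "exceeds" as strictly greater are this example's own choices.

```python
"""Score a web page against a word/phrase list and block above a threshold.

Added example, not FortiGate code. Patterns carry scores, matches add up,
and the page is blocked when the sum exceeds the threshold. Content list,
threshold and pages are constructed; whole-word matching, per-occurrence
counting and the strict comparison are assumptions of this example.
"""
import re
from html.parser import HTMLParser


class TextExtractor(HTMLParser):
    """Collect visible text only, so markup and script bodies are not scored."""

    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html: str) -> str:
    parser = TextExtractor()
    parser.feed(html)
    return " ".join(parser.parts)


# Constructed content list: pattern -> score, and a constructed threshold.
CONTENT_LIST = {"casino": 10, "free spins": 25, "poker": 10}
THRESHOLD = 30


def score_page(html: str, content_list=CONTENT_LIST):
    """Return (total score, {pattern: contributed score}) for one page."""
    text = visible_text(html).lower()
    breakdown = {}
    for pattern, score in content_list.items():
        # Whole-word match: 'casino' must not fire on 'casinos'.
        regex = r"(?<!\w)" + re.escape(pattern.lower()) + r"(?!\w)"
        hits = len(re.findall(regex, text))
        if hits:
            breakdown[pattern] = hits * score
    return sum(breakdown.values()), breakdown


def decide(html: str, threshold=THRESHOLD):
    """Block when the page score exceeds the threshold, otherwise allow."""
    total, breakdown = score_page(html)
    return ("block" if total > threshold else "allow"), total, breakdown


if __name__ == "__main__":
    # Constructed sample page: 'poker' appears only inside a script and is not scored.
    page = ("<html><body><h1>Online casino</h1><p>Get free spins now</p>"
            "<script>var poker='poker';</script></body></html>")
    print(decide(page))
```

The decision returns the per-pattern breakdown as well as the total, which is what you want in a log entry when a user asks why a page was blocked.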

 

DNS Filter

Application Control

Although you can block the use of some applications by blocking the ports they use for communications, many applications do not use standard ports to communicate. Application control can detect the network traffic of more than 1000 applications, improving your control over application communication.

 

Intrusion Protection

The FortiGate Intrusion Protection System (IPS) protects your network against hacking and other attempts to exploit vulnerabilities of your systems. More than 3,000 signatures are able to detect exploits against various operating systems, host types, protocols, and applications. These exploits can be stopped before they reach your internal network.

You can also write custom signatures, tailored to your network.

 

AntiSpam

FortiGuard Anti-Spam is a subscription service that includes an IP address black list, a URL black list, and an email checksum database. These resources are updated whenever new spam messages are received, so you do not need to maintain any lists or databases to ensure accurate spam detection.

You can use your own IP address lists and email address lists to allow or deny addresses, based on your own needs and circumstances.

 

Data Leak Prevention

Data Leak Prevention (DLP) allows you to define the format of sensitive data. The FortiGate unit can then monitor network traffic and stop sensitive information from leaving your network. Rules for U.S. social security numbers, Canadian social insurance numbers, as well as Visa, Mastercard, and American Express card numbers are included.

 

VoIP

The Session Initiation Protocol (SIP) is an IETF application layer signaling protocol used for establishing, conducting, and terminating multiuser multimedia sessions over TCP/IP networks using any media. SIP is often used for Voice over IP (VoIP) calls but can be used for establishing streaming communication between end points.

For more information, see VoIP Solutions: SIP.

 

ICAP

This module allows for the offloading of certain processes to a separate server so that your FortiGate firewall can optimize its resources and maintain the best level of performance possible.

 

FortiClient Profiles

FortiClient is a comprehensive endpoint security solution that extends the power of Fortinet’s Advanced Threat Protection (ATP) to end user devices. FortiClient 5.4.0 introduces two notable capabilities for the detection of Advanced Persistent Threats (APT): Botnet Command and Control (C&C) Communications Detection and FortiSandbox integration (Windows only).

For more information, see FortiClient 5.4.0 Administration Guide.

 

Proxy Options

Proxy Options includes features you can configure for when your FortiGate is operating in proxy mode, including protocol port mapping, block oversized files/emails, and other web and email options.

 

SSL Inspection

SSL Inspection (otherwise known as Deep Inspection) is used to scan HTTPS traffic in the same way that HTTP traffic can be scanned. The FortiGate terminates the encrypted session on behalf of the client, decrypts and inspects the traffic, then re-encrypts it and sends it on to its intended destination. Because the FortiGate presents the client with a certificate it signs using the configured CA certificate, client devices must trust that CA or users will see certificate warnings on every inspected site.

Individual Deep Inspection profiles can be created, depending on the requirements of the policy. Depending on the profile, you can:

  • Configure which CA certificate will be used to decrypt the SSL encrypted traffic
  • Configure which SSL protocols will be inspected
  • Configure which ports will be associated with which SSL protocols for inspection
  • Configure whether or not to allow invalid SSL certificates
  • Configure whether or not SSH traffic will be inspected

Security Profiles overview


Ranging from the FortiGate®-30 series for small businesses to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines a number of security features to protect your network from threats. As a whole, these features, when included in a single Fortinet security appliance, are referred to as Security Profiles. The Security Profiles features your FortiGate model includes are:

  • AntiVirus
  • Web Filter
  • DNS Filter
  • Application Control
  • Cloud Access Security Inspection
  • Intrusion Protection
  • Anti-Spam
  • Data Leak Prevention
  • VoIP
  • ICAP
  • Web Application Firewall
  • FortiClient Profiles
  • Proxy Options
  • SSL Inspection
  • Web Rating Overrides
  • Web Profile Overrides
  • ICAP Servers

 

FortiOS 5.4 no longer supports FortiClient 5.0.

FortiOS 5.2 can support FortiClient 5.0, but only if the FortiGate was upgraded to FortiOS 5.2. To use FortiClient 5.4, customers need to purchase a subscription-based FortiClient 5.4 license.

Firewall policies limit access, and while this and similar features are a vital part of securing your network, they are not covered in this document.

 

Traffic inspection

When the FortiGate unit examines network traffic one packet at a time for IPS signatures, it is performing traffic analysis. This is unlike content analysis where the traffic is buffered until files, email messages, web pages, and other files are assembled and examined as a whole.

DoS policies use traffic analysis by keeping track of the type and quantity of packets, as well as their source and destination addresses.

Application control uses traffic analysis to determine which application generated the packet.

Although traffic inspection does not involve reassembling the files that packets carry, the packets themselves can be split into fragments as they pass from network to network. These fragments are reassembled by the FortiGate unit before examination, so an attack cannot evade a signature simply by fragmenting it.

No two networks are the same and few recommendations apply to all networks. This topic offers suggestions on how you can use the FortiGate unit to help secure your network against content threats.

 

IPS signatures

IPS signatures can detect malicious network traffic. For example, the Code Red worm attacked a vulnerability in the Microsoft IIS web server. Your FortiGate’s IPS system can detect traffic attempting to exploit this vulnerability. IPS may also detect when infected systems communicate with servers to receive instructions.

 

IPS recommendations

  • Enable IPS scanning at the network edge for all services.
  • Use FortiClient endpoint IPS scanning for protection against threats that get into your network.
  • Subscribe to FortiGuard IPS Updates and configure your FortiGate unit to receive push updates. This will ensure you receive new IPS signatures as soon as they are available.
  • Your FortiGate unit includes IPS signatures written to protect specific software titles from DoS attacks. Enable the signatures for the software you have installed and set the signature action to Block.
  • You can view these signatures by going to Security Profiles > Intrusion Protection and selecting the [View IPS Signatures] link.
  • Because it is critical to guard against attacks on services that you make available to the public, configure IPS signatures to block matching signatures. For example, if you have a web server, configure the action of web server signatures to Block.

 

Suspicious traffic attributes

Network traffic itself can be used as an attack vector or a means to probe a network before an attack. For example, SYN and FIN flags should never appear together in the same TCP packet. The SYN flag is used to initiate a TCP session while the FIN flag indicates the end of data transmission at the end of a TCP session.

The FortiGate unit has IPS signatures that recognize abnormal and suspicious traffic attributes. The SYN/FIN combination is one of the suspicious flag combinations detected in TCP traffic by the TCP.BAD.FLAGS signature.

The signatures that are created specifically to examine traffic options and settings, begin with the name of the traffic type they are associated with. For example, signatures created to examine TCP traffic have signature names starting with TCP.
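The kind of check a traffic-attribute signature such as TCP.BAD.FLAGS performs, as an added example in Python (not FortiGate code and not from the handbook): parse a raw IPv4/TCP packet and flag TCP flag combinations that never occur in a legitimate session. The SYN+FIN case is the one the text describes; the other combinations (SYN+RST, no flags at all, FIN+PSH+URG) are the classic scanner signatures and are added here for completeness. The label names and the packet bytes are constructed for this example; they are not FortiGate signature names.

```python
"""Flag suspicious TCP flag combinations in raw IPv4 packets.

Added example, not FortiGate code. Mirrors what a traffic-attribute
signature such as TCP.BAD.FLAGS checks (SYN and FIN set together) and adds
the other well-known illegal combinations. Labels and packets are
constructed for this example.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations that never occur in a legitimate TCP session.
# The names are labels chosen for this example, not FortiGate signature names.
BAD_COMBINATIONS = [
    ("syn-fin", lambda f: f & SYN and f & FIN),      # open and close in one segment
    ("syn-rst", lambda f: f & SYN and f & RST),      # open and abort in one segment
    ("null-scan", lambda f: f == 0),                 # no flags at all
    ("xmas-scan", lambda f: f & FIN and f & PSH and f & URG),
]


def parse_ipv4_tcp(packet: bytes):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:   # protocol 6 = TCP, need a full TCP header
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]                        # low byte of the data-offset/flags word
    return src, dst, sport, dport, flags


def suspicious_flags(flags: int) -> list:
    return [name for name, test in BAD_COMBINATIONS if test(flags)]


def inspect(packet: bytes):
    """Parse one packet and report any bad flag combinations it carries."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return None
    src, dst, sport, dport, flags = parsed
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "hits": suspicious_flags(flags)}


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample packet: minimal IPv4 header plus minimal TCP header, no checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for flags in (SYN, SYN | ACK, SYN | FIN, 0, FIN | PSH | URG):
        print(inspect(build_packet("10.0.0.5", "192.0.2.10", 40000, 80, flags)))
```

A real inspection engine applies this after IP fragment reassembly, as the handbook notes above; a parser that runs on individual fragments can be fed a TCP header split across two fragments and never see the flag byte.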

 

Application control

While applications can often be blocked by the ports they use, application control allows convenient management of all supported applications, including those that do not use set ports.

 

Application control recommendations

  • Some applications behave in an unusual manner in regards to application control. For more information, see Application considerations.
  • By default, application control allows the applications not specified in the application control list. For high security networks, you may want to change this behavior so that only the explicitly allowed applications are permitted.

 

SSL inspection

Regular web filtering can be circumvented by using https:// instead of http://. By enabling this feature, the FortiGate can filter traffic that is using the HTTPS protocol.

 

Content inspection and filtering

When the FortiGate unit buffers the packets containing files, email messages, web pages, and other similar files for reassembly before examining them, it is performing content inspection. Traffic inspection, on the other hand, is accomplished by the FortiGate unit examining individual packets of network traffic as they are received.

No two networks are the same and few recommendations apply to all networks. This topic offers suggestions on how you can use the FortiGate unit to help secure your network against content threats. Be sure to understand the effects of the changes before using the suggestions.

 

AntiVirus

The FortiGate antivirus scanner can detect viruses and other malicious payloads used to infect machines. The FortiGate unit performs deep content inspection. To prevent attempts to disguise viruses, the antivirus scanner will reassemble fragmented files and uncompress content that has been compressed. Patented Compact Pattern Recognition Language (CPRL) allows further inspection for common patterns, increasing detection rates of virus variations in the future.

 

AntiVirus recommendations

  • Enable antivirus scanning at the network edge for all services.
  • Use FortiClient endpoint antivirus scanning for protection against threats that get into your network.
  • Subscribe to FortiGuard AntiVirus Updates and configure your FortiGate unit to receive push updates. This will ensure you receive new antivirus signatures as soon as they are available.
  • Enable the Extended Virus Database if your FortiGate unit supports it.
  • Examine antivirus logs periodically. Take particular notice of repeated detections. For example, repeated virus detection in SMTP traffic could indicate a system on your network is infected and is attempting to contact other systems to spread the infection using a mass mailer.
  • The builtin-patterns file filter list contains nearly 20 file patterns. Many of the represented files can be executed or opened with a double-click. If any of these file patterns are not received as a part of your normal traffic, blocking them may help protect your network. This also saves resources since files blocked in this way do not need to be scanned for viruses.
  • To conserve system resources, avoid scanning email messages twice. Scan messages as they enter and leave your network or when clients send and retrieve them, rather than both.
  • Enable Treat Windows Executables in Email Attachments as Viruses if you are concerned about incoming ‘.exe’ files.

 

FortiGuard Web Filtering

The web is the most popular part of the Internet and, as a consequence, virtually every computer connected to the Internet is able to communicate using port 80, HTTP. Botnet communications take advantage of this open port and use it to communicate with infected computers. FortiGuard Web Filtering can help stop infections from malware sites and help prevent communication if an infection occurs.

 

FortiGuard Web Filtering recommendations

  • Enable FortiGuard Web Filtering at the network edge.
  • Install the FortiClient application and use FortiGuard Web Filtering on any systems that bypass your FortiGate unit.
  • Block categories such as Pornography, Malware, Spyware, and Phishing. These categories are more likely to be dangerous.
  • In the email filter profile, enable IP Address Check in FortiGuard Email Filtering. Many IP addresses used in spam messages lead to malicious sites; checking them will protect your users and your network.

 

DNS Filter

The following filtering options can be configured in a DNS Filter profile:

 

Blocking DNS requests to known Botnet C&C addresses

A new FortiGuard database contains a list of known Botnet C&C addresses. This database is updated dynamically and stored on the FortiGate. This database is covered by FortiGuard web filter licensing, so you must have a FortiGuard web filtering license to use this feature. You can view the botnet list by going to System > FortiGuard > Botnet Definitions.

When you enable blocking of DNS requests to known Botnet C&C addresses, the IPS engine checks DNS lookups against the Botnet C&C database. All matching DNS lookups are blocked. Matching uses a reverse prefix match, so all subdomains of a listed domain are also blocked.

To enable blocking of DNS requests to known Botnet C&C addresses, go to Security Profiles > DNS Filter, and enable Block DNS requests to known botnet C&C.

 

Static URL filter

The static URL filter in a DNS Filter profile allows you to block, exempt, or monitor DNS requests. IPS looks inside DNS packets and matches the domain being looked up against the domains on the static URL filter list. If there is a match, the DNS request can be blocked, exempted, monitored, or allowed.

If blocked, the DNS request is blocked and so the user cannot look up the address and connect to the site. If exempted, access to the site is allowed even if another method is used to block it.
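The matching rules from the two sections above (the reverse prefix match against the Botnet C&C list, and the exempt/block/monitor actions of the static URL filter) carried through in Python as an added example; this is not FortiGate code and not from the handbook. The listed domains and query names are constructed. The handbook states that a listed domain also covers its subdomains and that an exempt entry allows a site even if another method would block it; evaluating the remaining static entries in list order with the first match winning is this example's assumption.

```python
"""Evaluate DNS query names against a botnet C&C list and a static domain filter.

Added example, not FortiGate code. Implements the reverse prefix match the
handbook describes (a listed domain also covers all of its subdomains) and
the rule that an exempt entry wins over other blocking methods. List
contents and queries are constructed; first-match-in-list-order for the
static filter is an assumption.
"""


def labels(name: str) -> list:
    """Split a DNS name into lowercase labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")


def domain_matches(query: str, entry: str) -> bool:
    """True if query equals entry or is a subdomain of it.

    Compared label by label from the right (a reverse prefix match), not as
    a raw string suffix, so 'evil.example' does not match 'notevil.example'.
    """
    q, e = labels(query), labels(entry)
    return len(q) >= len(e) and q[-len(e):] == e


# Constructed sample data standing in for the FortiGuard botnet C&C list
# and for an administrator's static URL filter entries.
BOTNET_CC = {"c2.badbot.example", "update.malware.example"}

STATIC_URL_FILTER = [
    ("intranet.corp.example", "exempt"),
    ("corp.example", "block"),
    ("social.example", "monitor"),
]


def evaluate(query: str) -> dict:
    """Return the action for one DNS lookup and the rule that produced it."""
    matched = [(d, a) for d, a in STATIC_URL_FILTER if domain_matches(query, d)]

    # An exempt entry allows the lookup even if another method would block it.
    for domain, action in matched:
        if action == "exempt":
            return {"query": query, "action": "exempt", "reason": f"static:{domain}"}

    # Botnet C&C check: a listed domain or any subdomain of it is blocked.
    for cc in BOTNET_CC:
        if domain_matches(query, cc):
            return {"query": query, "action": "block", "reason": f"botnet-cc:{cc}"}

    # Otherwise the first matching static entry decides (assumption: list order).
    if matched:
        domain, action = matched[0]
        return {"query": query, "action": action, "reason": f"static:{domain}"}
    return {"query": query, "action": "allow", "reason": None}


if __name__ == "__main__":
    for q in ("www.intranet.corp.example", "mail.corp.example", "notcorp.example",
              "beacon.c2.badbot.example.", "news.social.example"):
        print(evaluate(q))
```

The label-wise comparison is the detail worth copying: a naive `endswith("corp.example")` would also match `notcorp.example`, which is exactly the kind of lookalike domain an attacker registers.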

DNS-based web filtering

This feature is similar to the FortiGuard DNS web filtering available in FortiOS 5.2. You can configure DNS web filtering to allow, block, or monitor access to web content according to FortiGuard categories. When DNS web filtering is enabled, your FortiGate must use the FortiGuard DNS service for DNS lookups. DNS lookup requests sent to the FortiGuard DNS service return with an IP address and a domain rating that includes the FortiGuard category of the web page.

If that FortiGuard category is set to block, the result of the DNS lookup is not returned to the requester. If the category is set to redirect, then the address returned to the requester points at a FortiGuard redirect page.

You can also allow access or monitor access based on FortiGuard category.

 

AntiSpam

Spam is a common means by which attacks are delivered. Users often open email attachments they should not, and infect their own machine. The FortiGate email filter can detect harmful spam and mark it, alerting the user to the potential danger.

 

AntiSpam filter recommendations

  • Enable email filtering at the network edge for all types of email traffic.
  • Use FortiClient endpoint scanning for protection against threats that get into your network.
  • Subscribe to the FortiGuard Anti-Spam Service.

 

Data Leak Prevention

Most security features on the FortiGate unit are designed to keep unwanted traffic out of your network while Data Leak Prevention (DLP) can help you keep sensitive information from leaving your network. For example, credit card numbers and social security numbers can be detected by DLP sensors.
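How a DLP sensor recognises the data types the handbook mentions, as an added example in Python (not FortiGate code and not from the handbook): candidate card numbers are found with a regular expression, then narrowed by issuer prefix and length for Visa, MasterCard and American Express and by the Luhn check digit, which is what keeps order numbers and timestamps from being reported as cards; US social security numbers are matched on the 3-2-4 format and then filtered by the Social Security Administration's issuance rules. The patterns, the rule logic and the sample messages are this example's own; the handbook only says that built-in rules for these data types exist.

```python
"""Detect payment card numbers and US SSNs in outbound text, as a DLP sensor would.

Added example, not FortiGate code. Regex finds candidates; issuer prefix,
length and the Luhn check (cards) and SSA issuance rules (SSNs) cut the
false positives. Sample messages are constructed.
"""
import re

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Three-two-four digit groups, the usual written form of a US SSN.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit: every second digit from the right is doubled, digit sums mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str):
    """Issuer ranges (public card-numbering facts): Visa 4; MasterCard 51-55 or 2221-2720; Amex 34/37."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "mastercard"
    if n == 15 and two in (34, 37):
        return "amex"
    return None


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan(text: str) -> list:
    """Return (kind, brand, matched text) for each sensitive item found."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = card_brand(digits)
        if brand and luhn_ok(digits):
            findings.append(("card", brand, m.group()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", None, m.group()))
    return findings


if __name__ == "__main__":
    # Constructed message using publicly documented test card numbers.
    msg = ("Card 4111 1111 1111 1111, SSN 123-45-6789, typo 4111 1111 1111 1112, "
           "amex 3782 822463 10005, fake 000-12-3456, call 555-123-4567")
    for item in scan(msg):
        print(item)
```

Note what the checks reject in the sample: the Visa number with one wrong digit fails Luhn, the SSN with area 000 fails the issuance rules, and the phone number matches neither pattern. A sensor that skips these checks generates the alert noise that gets DLP turned off.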

 

DLP recommendations

  • Rules related to HTTP posts can be created, but if the requirement is to block all HTTP posts, a better solution is to use application control or the HTTP POST Action option in the web filter profile.
  • While DLP can detect sensitive data, it is more efficient to block unnecessary communication channels than to use DLP to examine it. If you don’t use instant messaging or peer-to-peer communication in your organization, for example, use application control to block them entirely.

Chapter 22 – Security Profiles


This FortiOS Handbook chapter contains the following sections:

  • What’s new in FortiOS 5.4 lists and describes the new security profile features in FortiOS 5.4.
  • Security Profiles overview describes Security Profiles components and their relation to firewall policies, as well as SSL content scanning and inspection. We recommend starting with this section to become familiar with the different features in your FortiGate unit.
  • AntiVirus explains how the FortiGate unit scans files for viruses and describes how to configure the antivirus options.
  • Web filter describes basic web filtering concepts, FortiGuard Web Filtering, the order in which the FortiGate unit performs web filtering, and configuration.
  • Application Control describes how your FortiGate unit can detect and take action against network traffic based on the application generating the traffic.
  • FortiClient Profiles describes the FortiClient Profiles endpoint protection features and configuration.
  • Intrusion protection explains basic Intrusion Protection System (IPS) concepts and how to configure IPS options; includes guidance and a detailed table for creating custom signatures as well as several examples.
  • Custom Application & IPS Signatures describes how to create custom Application Control and IPS signatures.
  • Anti-Spam filter explains how the FortiGate unit filters email, describes how to configure the filtering options and the action to take with email detected as spam.
  • Data leak prevention describes the DLP features that allow you to prevent sensitive data from leaving your network and explains how to configure the DLP rules, compound rules, and sensors.
  • ICAP support describes how to off load traffic to a separate server specifically set up for the specialized processing of the traffic.
  • Other Security Profiles considerations describes topics like Security Profiles VDOMs, conserve mode, SSL content scanning and inspection, Using wildcards and Perl regular expressions, Adding External Security Devices, CPU allocation and tuning commands to survive reboot and so on.

 

What’s new in FortiOS 5.4

 

Proxy and flow-based inspection per VDOM

You can select flow or proxy mode from the System Information dashboard widget to control your FortiGate’s security profile inspection mode. Having control over flow and proxy mode is helpful if you want to be sure that only flow inspection mode is used (and that proxy inspection mode is not used). As well, switching to flow inspection mode also turns off the explicit web proxy and the explicit FTP proxy, making sure that no proxying can occur.

In most cases proxy mode (the default) is preferred because more security profile features are available and more configuration options for these individual features are available. Some implementations; however, may require all security profile scanning to only use flow mode. In this case, you can set your FortiGate to flow mode knowing that proxy mode inspection will not be used.

If you select flow-based to use external servers for FortiWeb and FortiMail you must use the CLI to set a Web Application Firewall profile or Anti-Spam profile to external mode and add the Web Application Firewall profile or Anti-Spam profile to a firewall policy.

 

Changing between proxy and flow mode

By default proxy mode is enabled and you change to flow mode by changing the Inspection Mode on the System Information dashboard widget. When you select Flow-based you are reminded that all proxy mode profiles are converted to flow mode, removing any proxy settings. As well, proxy-mode only features (for example, Web Application Profile) are removed from the GUI.

In addition, when you select Flow-based the Explicit Web Proxy and Explicit FTP Proxy features are removed from the GUI and the CLI. This includes Explicit Proxy firewall policies.

If required you can change back to proxy mode just as easily. As well, if your FortiGate has multiple VDOMs you can set the inspection mode independently for each VDOM.

 

Security profile features available in proxy mode

When set to proxy mode, the following security profiles are available:

  • AntiVirus
  • Web Filter
  • DNS Filter
  • Application Control
  • Intrusion Protection
  • Anti-Spam
  • Data Leak Prevention
  • VoIP
  • ICAP
  • Web Application Firewall
  • FortiClient Profiles
  • Proxy Options
  • SSL Inspection
  • Web Rating Overrides
  • Web Profile Overrides
  • ICAP Servers

In proxy mode, the GUI only lets you configure proxy-mode antivirus and web filter security profiles. From the CLI you can configure flow-based antivirus profiles, web filter profiles and DLP profiles; they will appear in the GUI and show their inspection mode setting. Also, flow-based profiles created when in flow mode are still available when you switch to proxy mode.

 

Security profile features available in flow mode

When you change to flow mode, proxy mode antivirus and web filter security profiles are converted to flow mode and the following reduced set of security profiles features are available:

  • AntiVirus
  • Web Filter
  • Application Control
  • Cloud Access Security Inspection
  • Intrusion Protection
  • FortiClient Profiles
  • SSL Inspection
  • Web Rating Overrides

In flow mode, antivirus and web filter profiles only include flow-mode features. Web filtering and virus scanning is still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when switching between flow and proxy mode.

Unfortunately CASI does not work when using Proxy-based profiles for AV or Web filtering. Make sure to only use Flow-based profiles in combination with CASI on a specific policy.

Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In this case the appropriate session helper is used (for example, the SIP session helper).

Setting flow or proxy mode doesn’t change the settings available from the CLI. However, while in flow mode you can’t save security profiles that are set to proxy mode.

You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a VoIP profile to a security policy that accepts VoIP traffic. This practice isn’t recommended because the setting will not be visible from the GUI.

 

Proxy mode and flow mode antivirus and web filter profile options

The following tables list the antivirus and web filter profile options available in proxy and flow modes.

 

 

Antivirus features in proxy and flow mode

Feature                                                     Proxy  Flow

Scan Mode (Quick or Full)                                   no     yes

Detect viruses (Block or Monitor)                           yes    yes

Inspected protocols                                         yes    no (all relevant protocols are inspected)

Inspection Options                                          yes    yes (not available for quick scan mode)

Treat Windows Executables in Email Attachments as Viruses   yes    yes

Include Mobile Malware Protection                           yes    yes

 

Web Filter features in proxy and flow mode

Feature                                                        Proxy  Flow

FortiGuard category based filter                               yes    yes (show, allow, monitor, block)
  Category Usage Quota                                         yes    no
  Allow users to override blocked categories (on some models)  yes    no

Search Engines                                                 yes    no
  Enforce ‘Safe Search’ on Google, Yahoo!, Bing, Yandex        yes    no
  YouTube Education Filter                                     yes    no
  Log all search keywords                                      yes    no

Static URL Filter                                              yes    yes
  Block invalid URLs                                           yes    no
  URL Filter                                                   yes    yes
  Block malicious URLs discovered by FortiSandbox              yes    yes
  Web Content Filter                                           yes    yes

Rating Options                                                 yes    yes
  Allow websites when a rating error occurs                    yes    yes
  Rate URLs by domain and IP Address                           yes    yes
  Block HTTP redirects by rating                               yes    no
  Rate images by URL                                           yes    no

Proxy Options                                                  yes    no
  Restrict Google account usage to specific domains            yes    no
  Provide details for blocked HTTP 4xx and 5xx errors          yes    no
  HTTP POST Action                                             yes    no
  Remove Java Applets                                          yes    no
  Remove ActiveX                                               yes    no
  Remove Cookies                                               yes    no
  Filter Per-User Black/White List                             yes    no

 

Cloud Access Security Inspection (CASI)

 

This feature introduces a new security profile called Cloud Access Security Inspection (CASI) that provides support for fine-grained control on popular cloud applications, such as YouTube, Dropbox, Baidu, and Amazon. The CASI profile is applied on a policy much like any other security profile.

Unfortunately CASI does not work when using Proxy-based profiles for AV or Web filtering, for example.

Make sure to only use Flow-based profiles in combination with CASI on a specific policy.


 

For this feature, Deep Inspection of Cloud Applications (set deep-app-inspection [enable|disable]) has been moved out of the Application Control security profile options.

You will find the Cloud Access Security Inspection feature under Security Profiles > Cloud Access Security Inspection, but you must first enable it in the Feature store under System > Feature Select > CASI.

 

Editing CASI profiles

The CASI profile application list consists of the Application Name, Category, and Action. A default CASI profile exists, with the option to create custom profiles. For each application in a CASI profile, you can choose to Allow, Block, or Monitor the selected cloud application; YouTube, for example, can be allowed, blocked, or monitored in this way.

When the user drills down into a selected cloud application, the following options are available (depending on the type of service):

 

  • For business services, such as Salesforce and Zoho: Option to allow, block, or monitor file download/upload and login.
  • For collaboration services, such as Google.Docs and Webex: Option to allow, block, or monitor file access/download/upload and login.
  • For web email services, such as Gmail and Outlook: Option to allow, block, or monitor attachment download/upload, chat, read/send message.
  • For general interest services, such as Amazon, Google, and Bing: Option to allow, block, or monitor login, search phrase, and file download/upload.
  • For social media services, such as Facebook, Twitter, and Instagram: Option to allow, block, or monitor chat, file download/upload, post, login.
  • For storage backup services, such as Dropbox, iCloud, and Amazon Cloud Drive: Option to allow, block, or monitor file access/download/upload and login.
  • For video/audio services, such as YouTube, Netflix, and Hulu: Option to allow, block, or monitor channel access, video access/play/upload, and login.

 

CLI Syntax

config application casi profile
    edit "profile name"
        set comment "comment"
        set replacemsg-group "xxxx"
        set app-replacemsg [enable|disable]
        config entries
            edit 1
                set application "app name"
                set action [block|pass]
                set log [enable|disable]
            next
            edit 2
            next
        end
    next
end

config firewall policy
    edit 1
        set casi-profile "profile name"
    next
end

config firewall sniffer
    edit 1
        set casi-profile-status [enable|disable]
        set casi-profile "sniffer-profile"
    next
end

config firewall interface-policy
    edit 1
        set casi-profile-status [enable|disable]
        set casi-profile "2"
    next
end

 

External Security Devices

External Security Devices can be configured as means to offload processes to other devices, such as a FortiWeb, FortiCache, or FortiMail. Example processes could include HTTP inspection, web caching, and anti-spam.


 

To configure such a device, go to System > External Security Devices.

 

FortiWeb

To be able to offload HTTP inspection to a FortiWeb device you should:

1. Go to System > External Security Devices, enable HTTP Service, select FortiWeb and add the IP address of your FortiWeb device.

2. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Application Firewall. When you add Web Application Firewall to a firewall policy, web traffic accepted by the policy is offloaded to the FortiWeb device for processing.

 

Enabling FortiWeb on the External Security Devices page adds the following configuration to the CLI:

config system wccp
    edit 51
        set router-id 5.5.5.5                       (the IP address of the FortiGate interface that communicates with the FortiWeb)
        set group-address 0.0.0.0
        set server-list 5.5.5.25 255.255.255.255    (the IP address of the FortiWeb)
        set authentication disable
        set forward-method GRE
        set return-method GRE
        set assignment-method HASH
    next
end

 

FortiCache

To be able to offload Web Caching to a FortiCache device you should:

1. Go to System > External Security Devices, enable HTTP Service, select FortiCache and add the IP address of your FortiCache device.

2. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Cache.

When you add web caching to a firewall policy, web traffic accepted by the policy is offloaded to the FortiCache device for processing.

Enabling FortiCache on the External Security Devices page adds the following configuration to the CLI:

config system wccp
    edit 51 (the WCCP service ID)
        set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiCache)
        set group-address 0.0.0.0
        set server-list 5.5.5.45 255.255.255.255 (the IP address of the FortiCache)
        set authentication disable
        set forward-method GRE
        set return-method GRE
        set assignment-method HASH
    next
end

 

FortiMail

To be able to offload Anti-Spam processing to a FortiMail device you should:

1. Go to System > Feature Select and turn on AntiSpam Filter.

2. Go to System > External Security Devices, enable SMTP Service – FortiMail and add the IP address of your FortiMail device.

3. Go to Security Profiles > Anti-Spam and edit an Anti-Spam profile and set Inspection Device to External.

4. Go to Policy & Objects > IPv4 Policy, add or edit a Firewall policy, enable AntiSpam and select the profile for which you set Inspection Device to External.

When you add this Anti-Spam profile to a firewall policy, email traffic accepted by the policy is offloaded to the FortiMail device for processing.

If your FortiGate or VDOM inspection mode is set to flow-based, you must use the CLI to set an Anti-Spam profile to external mode and add the Anti-Spam profile to a firewall policy.

 

Enabling FortiMail on the External Security Devices page adds the following configuration to the CLI:

config system wccp
    edit 52 (the WCCP service ID)
        set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiMail)
        set group-address 0.0.0.0
        set server-list 5.5.5.65 255.255.255.255 (the IP address of the FortiMail)
        set authentication disable
        set forward-method GRE
        set return-method GRE
        set assignment-method HASH
    next
end

Selecting External in the Anti-Spam profile adds the following configuration to the CLI:

config spamfilter profile
    edit default
        set external enable
    next
end

 

Web Application Firewall

Go to Security Profiles > Web Application Firewall. From here you can customize the default Web Application Firewall profile, or create new profiles, to protect against a variety of web-based threats. Web Application Firewall profiles can be created with a variety of options (Signatures and Constraints), similar to other security profiles.

You can set the Web Application Firewall to use an External Security Device, such as FortiWeb, by setting Inspection Device to External.

Configure the ability to store FortiClient configuration files (171380)

1. Enable the advanced FortiClient configuration option in the endpoint profile:

config endpoint-control profile
    edit "default"
        set forticlient-config-deployment enable
        set fct-advanced-cfg enable
        set fct-advanced-cfg-buffer "hello"
        set forticlient-license-timeout 1
        set netscan-discover-hosts enable
    next
end

2. Export the configuration from FortiClient (xml format).

3. Copy the contents of the configuration file and try to paste in the advanced FortiClient configuration box.

 

If the configuration file is greater than 32k, you need to use the following CLI:

config endpoint-control profile
    edit <profile>
        config forticlient-winmac-settings
            config extra-buffer-entries
                edit <entry_id>
                    set buffer xxxxxx
                next
            end
        end
    next
end

 

FortiOS 5.4 no longer supports FortiClient 5.0 or earlier (289455)

FortiOS 5.2 would support FortiClient 5.0 (only if the FortiGate upgraded to FortiOS 5.2), however FortiOS 5.4 will no longer support FortiClient 5.0. Customers need to purchase a FortiClient 5.4 subscription-based FortiClient license.

 

Session timers for IPS sessions (174696 163930)

The standard FortiOS session-ttl (time to live) timer has been introduced for IPS sessions to reduce synchronization problems between the FortiOS kernel and IPS. This was added because the FortiGate hard-coded timeout values could not be customized and IPS was using too much overall memory.

 

Botnet protection with DNS Filter (293259)

The new botnet list from FortiGuard can be used to block DNS requests to known botnet C&C IP addresses within a new DNS filter profile.

You can view the botnet list by going to System > FortiGuard > Botnet Definitions.

 

Secure white list database (288365)

Secure white list exemption for SSL deep inspection. To enable, go to Security Profiles > SSL/SSH Inspection and enable Exempt from SSL Inspection and enable Reputable Websites.

 

Mobile Malware Definition update (288022)

Mobile Malware is a separate license and can be downloaded as a separate object. It is packaged with the same FortiGuard object as the client app signatures. These signatures can be enabled in AV profiles by selecting Include Mobile Malware Protection.

 

Options not supported by the new quick mode flow-based virus scanning (288317)

Files cannot be sent to FortiSandbox for inspection while in quick mode flow-based virus scanning, so the GUI option for it has been removed. There is no GUI option to switch between quick mode and full mode, because the choice between proxy-based and flow-based inspection has been removed from the profile.

 

Add mobile malware to FortiGuard licenses page and include more version information (290049)

An entry and version information for Mobile Malware Definitions has been added in the License Information table under System > FortiGuard. Also, main items have been bolded and sub-items have been indented for clarification.

 

Secure white-list DB for flow based UTM features (287343)

A new feature that gathers a list of reputable domain names that can be excluded from SSL deep inspection. This list is periodically updated and downloaded to FortiGate units through FortiGuard.

 

Syntax:

config firewall ssl-ssh-profile
    edit deep-inspection
        set whitelist enable
    next
end

 

New customizable replacement message that appears when an IPS sensor blocks traffic (240081)

A new replacement message will appear specifically for IPS sensor blocked Internet access, to differentiate between IPS sensor blocking and application control blocking.

 

Low-end models don't support flow AV quick mode and don't support the IPS block-malicious-url option (288318)

AV quick mode and the IPS block-malicious-url option have been disabled on low-end FortiGate models; however, these features can be enabled if the FortiGate unit has a hard disk. Low-end models will only support full scan mode (the option is left in the GUI to show the user which mode is active).

 

New quick mode flow-based virus scanning (281291)

When configuring flow-based virus scanning you can now choose between quick and full mode. Full mode is the same as flow-based scanning in FortiOS 5.2. Quick mode uses a compact antivirus database and advanced techniques to improve performance. Use the following command to enable quick mode in an antivirus profile:

config antivirus profile
    edit <profile-name>
        set scan-mode {quick | full}
    next
end

 

CVEIDs now appear in the FortiOS IPS signature list (272251)

The signature list can be found at Security Profiles > Intrusion Protection > View IPS Signatures.

 

Mobile malware protection added to Antivirus configuration (288022)

FortiGuard can now download signatures to enhance mobile antivirus protection.

To enable this option, go to Security Profiles > AntiVirus and enable Include Mobile Malware Protection.

 

Botnet protection added (254959)

The latest Botnet database is available from FortiGuard. You can see the version of the database and display its contents from the System > FortiGuard GUI page. You can also block, monitor or allow outgoing connections to Botnet sites for each FortiGate interface.

 

FortiSandbox URL database added

You can see the version of the database and display its contents from the System > FortiSandbox GUI page.

 

New Web Filter profile whitelist setting and changes to blacklist setting (283855, 285216)

Domain reputation can now be determined by “common sense”, for sites such as Google, Apple, and even sites that may contain sensitive material that would otherwise be trusted (i.e. there is no risk of receiving botnets or malicious attacks). You can tag URL groups with flags that exempt them from further sandboxing or AV analyzing.

You can identify reputable sites and enable certain bypasses under Security Profiles > Web Filter. Similarly, you can exempt the identified reputable sites from SSL inspection.

 

CLI Syntax

config firewall ssl-ssh-profile
    edit <profile-name>
        set whitelist [enable | disable]
    next
end

config webfilter profile
    edit <profile-name>
        config web
            set whitelist exempt-av exempt-webcontent exempt-activex-java-cookie exempt-dlp exempt-rangeblock extended-log-others
        end
    next
end

 

Support security profile scanning of RPC over HTTP traffic (287508)

This protocol is used by Microsoft Exchange Server so this feature supports security profile features such as virus scanning of Microsoft Exchange Server email that uses RPC over HTTP.

 

Users now allowed to override blocked categories using simple, wildcard, and regex expressions to identify the URLs that are blocked (270165)

This feature is also called per-user BWL. To be able to configure this feature from the GUI enter the following command:

config system global
    set per-user-bwl enable
end

Then go to Security Profiles > Web Filtering, edit a web filtering profile and select Allow users to override blocked categories.

Use the following command to configure this feature from the CLI:

config webfilter profile
    edit <profile-name>
        set options per-user-bwl
    next
end

 

Set flow or proxy mode for your FortiGate (or per VDOM) (266028)

You can configure your FortiGate or a VDOM to apply security profile features in proxy or flow mode. Change between modes from the System Information dashboard widget. Proxy mode offers the most accurate results and the greatest depth of functionality. Flow mode provides enhanced performance. IPS and application control always operates in flow mode and so is not affected by changing this mode.

 

Security Profiles > Web Application Firewall

Signatures can now be filtered based on risk level.

The options to reset action and apply traffic shaping is now only available in the CLI.

The All Other Known Applications option has been removed, while the option for All Other Unknown Applications has been renamed Unknown Applications.

 

Block all Windows executable files (.exe) in email attachments (269781)

A new option has been added to AntiVirus profiles to block all Windows executable files (.exe) in email attachments.

 

CLI Syntax

config antivirus profile
    edit "default"
        config imap
            set executables {default | virus}
        end
        config pop3
            set executables {default | virus}
        end
        config smtp
            set executables {default | virus}
        end
        config mapi
            set executables {default | virus}
        end
    next
end

 

Cookies can now be used to authenticate users when a web filter override is used (275273)

Cookies can be used to authenticate users when a web filter override is used. This feature is available in CLI only.

 

CLI Syntax

config webfilter cookie-ovrd
    set redir-host <name or IP>
    set redir-port <port>
end

config webfilter profile
    edit <name>
        config override
            set ovrd-cookie {allow | deny}
            set ovrd-scope {user | user-group | ip | ask}
            set profile-type {list | radius}
            set ovrd-dur-mode {constant | ask}
            set ovrd-dur <duration>
            set ovrd-user-group <name>
            set profile <name>
        end
    next
end

 

Blocking malicious URLs (277363)

A local malicious URL database downloaded from FortiGuard has been added to assist IPS detection of live exploits, such as drive-by attacks. You enable blocking of malicious URLs in an IPS sensor from the CLI using the following command:

 

CLI Syntax

config ips sensor
    edit default
        set block-malicious-url {enable | disable}
    next
end

 

The FortiGuard IPS/AV update schedule can be set by time intervals (278772)

This feature allows updates to occur more frequently (syntax below shown for updates randomly every 2-3 hours).

 

CLI Syntax

config system autoupdate schedule
    set frequency every
    set time 02:60
end

Application Control signatures belonging to industrial category/group are excluded by default (277668)

Use the following command to be able to add industrial signatures to an application control sensor:

config ips global
    set exclude-signatures {none | industrial}
end

 

The Industrial category now appears on the Application Control sensor GUI.

 

An SSL server table can now be used for SSL offloading (275273)

 

CLI Syntax

config firewall ssl-ssh-profile
    edit <name>
        set use-ssl-server {enable | disable}
    next
end

 

MAPI RPC over HTTP/HTTPS traffic is now supported for security scanning (278012)

 

CLI Syntax

config firewall profile-protocol-options
    edit "default"
        set comment "All default services."
        config http
            set ports 80 3128
            set options rpc-over-http
        end
    next
end

 

New Dynamic DNS FortiGuard web filtering sub-category (276495)

A new FortiGuard web filtering sub-category, Dynamic DNS, has been added and can be found in the Security Risk Category. Also, the sub-category Shopping and Auction has been separated into two sub-categories: Auction and Shopping.

 

New Filter Overrides in the Application Sensor GUI (260901)

The overrides allow you to select groups of applications and override the application signature settings for them.

 

FortiGate CA certificates installed on managed FortiClients (260902)

This feature allows you to enable or disable CA certificate installation on managed FortiClients in a FortiClient Profile.

 

Syntax

config endpoint-control profile
    edit <profile>
        config forticlient-winmac-settings
            set install-ca-certificate [enable | disable]
        end
    next
end

 

More exemptions to SSL deep inspection (267241)

Some common sense exemptions have been added to the default SSL deep inspection profile, such as Fortinet, Android, Apple, Skype, and many more.

 

Exempting URLs for flow-based web filtering (252010)

You can once again exempt URLs for flow-based web filtering.

 

Filter overrides in Application Sensors (246546)

In the Application Sensor page, a new section named Filter Overrides has been introduced. From this section, clicking Add Filter/Edit Filter will launch a dialog to pick/edit the advanced filter and save it back to the list.

 

New keyword byte_extract for custom IPS and Application Control signatures (179116)

The new byte_extract custom IPS signature key has been added that supports snort-like byte extraction actions. It is used for writing rules against length-encoded protocols. The keyword reads some of the bytes from the packet payload and saves it to a variable. You can use the -quiet option to suppress the reporting of signatures.
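The following Python block is an added illustration of what a snort-style byte_extract does on a length-encoded protocol; it is not FortiOS code and the rule expressed in it is a simplified stand-in for the IPS custom-signature grammar. The sample payloads, the 1-byte type / 2-byte big-endian length framing, and the function names are all constructed for the example. It shows the kind of check such a rule enables: read the declared body length into a variable, then compare it with what is actually on the wire, which flags malformed packets that a fixed-offset content match cannot see.

```python
"""Snort-style byte_extract on a length-encoded protocol (added example,
not FortiOS's implementation)."""
import struct

# Constructed sample payloads: 1 type byte, 2-byte big-endian length, body.
WELL_FORMED = b"\x01" + struct.pack(">H", 5) + b"hello"
TRUNCATED = b"\x01" + struct.pack(">H", 4000) + b"hi"  # declares far more than it carries


def byte_extract(payload, count, offset, endian="big", relative_to=0):
    """Read `count` bytes at `offset` (measured from `relative_to`, so the
    same call works for absolute and 'relative' extraction) and return the
    integer they encode.  Returns None when the field lies outside the
    payload, so a rule simply fails to match on short packets instead of
    raising."""
    start = relative_to + offset
    chunk = payload[start:start + count]
    if len(chunk) != count:
        return None
    return int.from_bytes(chunk, "big" if endian == "big" else "little")


def check_length_field(payload):
    """Rule body: extract the declared body length from bytes 1-2 and
    compare it with the bytes actually present after the 3-byte header.
    Returns a dict describing the verdict so the caller can log it."""
    declared = byte_extract(payload, count=2, offset=1)
    if declared is None:
        return {"match": False, "reason": "packet too short for length field"}
    actual = len(payload) - 3
    if declared > actual:
        return {"match": True, "declared": declared, "actual": actual,
                "reason": "declared length exceeds payload (malformed frame)"}
    return {"match": False, "declared": declared, "actual": actual,
            "reason": "length field consistent with payload"}


def next_field_offset(payload):
    """Relative extraction: the byte following the body starts at
    header + declared length.  Returns None on malformed frames."""
    declared = byte_extract(payload, count=2, offset=1)
    if declared is None or declared > len(payload) - 3:
        return None
    return 3 + declared


if __name__ == "__main__":
    for name, pkt in (("well-formed", WELL_FORMED), ("truncated", TRUNCATED)):
        print(name, check_length_field(pkt))
```

Running the block prints one verdict per sample; the truncated frame matches because its length field claims 4000 bytes while only 2 follow. The `-quiet` option mentioned above is a reporting switch and has no counterpart here.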

 

IPS logging changes (254954)

IPS operations severely affected by disk logging are moved out of the quick scanning path, including logging, SNMP trap generation, quarantine, etc.

Scanning processes are dedicated to nothing but scanning, which results in more evenly distributed CPU usage. Slow (IPS) operations are taken care of in a dedicated process, which usually stays idle.

 

New FortiGuard web filtering category: Dynamic DNS (265680)

A new FortiGuard web filtering category has been added for Dynamic DNS under the Security Risk heading, to account for nearly half a million URLs of "Information Technology" rated by BlueCoat as "Dynamic DNS Host".

 

Syntax

config webfilter profile
    edit <profile>
        config ftgd-wf
            config filters
                edit <id>
                    set category 88
                next
            end
        end
    next
end

Category 88 is the new Dynamic DNS category.

 

Access Control Lists in DoS Policies (293399)

You can go to Policy & Objects > IPv4 Access Control List or Policy & Objects > IPv6 Access Control List and select an incoming interface and add a list of Firewall source and destination addresses and services and drop traffic that matches.

 


You can use the following CLI command to add an ACL:

config firewall acl
    edit 1
        set interface "port1"
        set srcaddr "google-drive"
        set dstaddr "all"
        set service "ALL"
    next
end

 

WebSense web filtering through WISP (287757)

WISP is a Websense protocol that is similar in functionality to ICAP; it allows URLs to be extracted by a firewall and submitted to Websense systems for rating and approval checking.

This feature provides a solution for customers who have large, existing Websense deployments and want to replace their legacy firewalls with the FortiGate family without being forced to change their web filtering infrastructure at the same time.

In order to use WebSense’s web filtering service, a WISP server per VDOM needs to be defined and enabled first. A Web filtering profile is then defined that enables WISP, which in turn is applied to a firewall policy.

When WISP is enabled, the FortiGate will maintain a pool of TCP connections to the WISP server. The TCP connections will be used to forward HTTP request information and log information to the WISP server and receive policy decisions.

 

Syntax

config web-proxy wisp
    set status enable
    set server-ip 72.214.27.138
    set max-connection 128
end

config webfilter profile
    edit "wisp_only"
        set wisp enable
    next
end

 

Other new Security Profiles features:

  • CPU allocation & tuning commands now remain after a system reboot (276190)
  • The GUI notifies an administrator when the FortiGate is in conserve mode (266937)
  • A new custom IPS signature option, "–ip_dscp", has been added to be compatible with engine 1.x (269063)
  • The RTP/RTSP decoder can now detect slave sessions (273910)
  • ISNIFF can now dump all HTML files if the dump-all-html CLI command is used (277793)
  • Sender and recipient fields have been added to flow-based SMTP spam logs (269063)
  • Browser Signature Detection added to Application Control profiles (279934)

Chapter 21 – Sandbox Inspection

 

Sandbox Inspection

This guide explains how to set up sandbox inspection using FortiSandbox with a FortiGate. It contains the following sections:

  • An Overview of Sandbox Inspection: General information about how sandbox inspection works.
  • Using FortiSandbox with a FortiGate: How to set up sandbox inspection on a FortiGate.
  • Sandbox Integration: Integrating sandbox inspection with FortiGate, FortiSandbox, and FortiClient.
  • Sandbox Inspection FAQ: Frequently asked questions to help troubleshoot sandbox inspection.

 

An Overview of Sandbox Inspection

This section contains information about how Fortinet sandbox inspection works.The following topics are included in this section:

  • What is Sandbox Inspection?
  • Sending Files for Sandbox Inspection
  • FortiSandbox Appliance vs FortiSandbox Cloud

 

What is Sandbox Inspection?


 

 

Sandbox inspection is a network process that allows files to be sent to a separate device, such as FortiSandbox, to be inspected without risking network security. This allows the detection of threats which may bypass other security measures, including zero-day threats.

When a FortiGate uses sandbox inspection, files are sent to the FortiSandbox. Then the FortiSandbox uses virtual machines (VMs) running different operating systems to test the file, to determine if it is malicious. If the file exhibits risky behavior, or is found to contain a virus, a new signature can be added to the FortiGuard AntiVirus signature database.

 

Sending Files for Sandbox Inspection

There are three options concerning what type of files can be sent for sandbox inspection: All Files, Suspicious Files, or Executable Files.

All Files is recommended to increase the likelihood of detecting unknown malware, which may appear safe to the FortiGate.

If Suspicious Files is selected, then the FortiGate will examine each file and determine if it should be considered suspicious. A file is deemed suspicious when it does not contain a known threat but has characteristics that suggest it may be malware. The characteristics that determine if a file is suspicious are updated by Fortinet to reflect the current threat climate.

If Executable Files is chosen, all executable files will be sent to FortiSandbox while other file types are not inspected.
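The Python block below is an added example, not FortiGate code, showing how the three submission policies above (All Files, Suspicious Files, Executable Files) can be expressed as a selection over file contents rather than file names. It also serves the earlier note about blocking Windows executables in email attachments: the same MZ/PE header check identifies an .exe that has been renamed to look like a document. The sample files, the `extension_mismatch` heuristic (a stand-in for the FortiGuard-maintained suspicious-file characteristics, which the page does not enumerate) and all function names are constructed for this example.

```python
"""Content-based file classification for sandbox submission (added example)."""
import struct

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def is_windows_executable(data):
    """True for PE files: 'MZ' DOS header and a 'PE\\0\\0' signature at the
    offset stored in e_lfanew (little-endian DWORD at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def is_elf(data):
    return data[:4] == b"\x7fELF"


def is_executable(data):
    return is_windows_executable(data) or is_elf(data)


def extension_mismatch(name, data):
    """Constructed 'suspicious' heuristic: executable content behind a
    document-style extension.  Real suspicious-file criteria are defined
    and updated by Fortinet; this stands in for them only."""
    return name.lower().endswith(DOC_EXTS) and is_executable(data)


def select_for_sandbox(files, mode, is_suspicious=None):
    """files: dict name -> bytes.  mode: 'all' | 'suspicious' | 'executable'.
    Returns the sorted list of names that would be submitted."""
    if mode == "all":
        return sorted(files)
    if mode == "executable":
        return sorted(n for n, d in files.items() if is_executable(d))
    if mode == "suspicious":
        if is_suspicious is None:
            raise ValueError("suspicious mode needs a heuristic callable")
        return sorted(n for n, d in files.items() if is_suspicious(n, d))
    raise ValueError(f"unknown mode {mode!r}")


def _fake_pe():
    """Minimal constructed PE header: MZ, e_lfanew -> 0x40, PE signature."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Constructed sample set: one genuine document, one PE renamed as a PDF,
# one plainly named executable, a shell script, and a bare ELF binary.
SAMPLES = {
    "report.pdf": b"%PDF-1.4 ...",
    "invoice.pdf": _fake_pe(),
    "tool.exe": _fake_pe(),
    "script.sh": b"#!/bin/sh\necho hi\n",
    "bin": b"\x7fELF" + b"\0" * 60,
}

if __name__ == "__main__":
    for mode in ("all", "executable"):
        print(mode, select_for_sandbox(SAMPLES, mode))
    print("suspicious", select_for_sandbox(SAMPLES, "suspicious", extension_mismatch))
```

Note that "script.sh" is not selected in executable mode: the check is for binary executable formats, which is also why the renamed "invoice.pdf" is caught while "report.pdf" is not.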

 

FortiSandbox Appliance vs FortiSandbox Cloud

FortiSandbox is available as a physical or virtual appliance (FortiSandbox Appliance), or as a cloud advanced threat protection service integrated with FortiGate (FortiSandbox Cloud). The table below highlights the supported features of both types of FortiSandbox:

 

 

Feature                                          FortiSandbox Appliance (including VM)   FortiSandbox Cloud
Sandbox inspection for FortiGate                 Yes (FortiOS 5.0.4+)                    Yes (FortiOS 5.2.3+)
Sandbox inspection for FortiMail                 Yes (FortiMail OS 5.1+)                 No
Sandbox inspection for FortiWeb                  Yes (FortiWeb OS 5.4+)                  No
Sandbox inspection for FortiClient               Yes (FortiClient 5.4 for Windows only)  No
Manual File upload for analysis                  Yes                                     No
Sniffer mode                                     Yes                                     No
File Status Feedback and Report                  Yes                                     Yes
Dynamic Threat Database updates for FortiGate    Yes (FortiOS 5.4+)                      Yes (FortiOS 5.4+)
Dynamic Threat Database updates for FortiMail    Yes (FortiMail OS 5.4+)                 No
Dynamic Threat Database updates for FortiClient  Yes (FortiClient 5.4 for Windows only)  No

 

For more information, see the FortiSandbox documentation.

 

Using FortiSandbox with a FortiGate

This section contains information about how to use sandbox inspection with FortiSandbox and FortiGate. It includes the following sections:

  • Connecting a FortiGate to FortiSandbox
  • The FortiSandbox Dashboard

 

Connecting a FortiGate to FortiSandbox

The procedures for connecting a FortiGate to FortiSandbox differ depending whether you are using FortiSandbox Appliance or FortiSandbox Cloud.

 

Connecting to FortiSandbox Appliance

1. Connect the FortiSandbox Appliance to your FortiGate so that port 1 and port 3 on the FortiSandbox are on different subnets.

FortiSandbox port 3 is used for outgoing communication triggered by the execution of the files under analysis. It is recommended to connect this port to a dedicated interface on your FortiGate to protect the rest of the network from threats currently being investigated by the FortiSandbox.

2. FortiSandbox port 3 must be able to connect to the Internet. On the FortiGate, go to Policy & Objects > IPv4 Policy and create a policy allowing connections from the FortiSandbox to the Internet (using the isolated interface on the FortiGate mentioned above).

3. On the FortiSandbox, go to System > Network > Static Routing and add static routes for port 1 and port 3.

4. On the FortiSandbox, go to System > Status and locate the System Information widget. Now that the FortiSandbox has Internet access, it can activate its VM licenses. Wait until a green arrow shows up beside Windows VM before continuing to the next step.

5. On the FortiGate, go to System > External Security Devices. Select Enable Sandbox Inspection and select FortiSandbox Appliance. Set the IP Address and enter a Notifier Email. If you select Test Connectivity, the Status shows as Service is not configured because the FortiGate has not been authorized to connect to the FortiSandbox.

6. On the FortiSandbox, go to File-based Detection > File Input > Device. Edit the entry for the FortiGate. Under Permissions, enable Authorized.

7. On the FortiGate, go to System > External Security Devices and for FortiSandbox select Test Connectivity. The Status now shows that Service is online.

Once the FortiGate is connected to FortiSandbox, an AntiVirus profile can be configured to send suspicious files for inspection. Sandbox integration can also be configured, for more information see “Sandbox Integration” on page 2051.

 

Connecting to FortiSandbox Cloud

Before you can connect a FortiGate to FortiSandbox Cloud, you need an active FortiCloud account. For more information, see the FortiCloud documentation.

Once you have created a FortiCloud account, sandbox inspection should be enabled by default. To verify this, go to System > External Security Devices and make sure Enable Sandbox Inspection is selected and set to FortiSandbox Cloud.

To see the results from FortiSandbox Cloud in the FortiGate logs, go to Log & Report > Log Settings and make sure Send Logs to FortiCloud is enabled and GUI Preferences is set to Display Logs from FortiCloud.

Now that the FortiGate is connected to FortiSandbox, an AntiVirus profile can be configured to send suspicious files for inspection. Sandbox integration can also be configured, for more information see “Sandbox Integration” on page 2051.

 

The FortiSandbox Dashboard

The FortiSandbox dashboard is available from FortiView > FortiSandbox. The dashboard shows all samples submitted for inspection. Information on the dashboard can be filtered by checksum, file name, result, source, status, and user name.

If you right-click on an entry, you can choose to Drill Down to Details, Quarantine Source Address, or Quarantine FortiClient Device.

Information about the FortiSandbox database and sandboxing statistics are also available at System > External Security Devices once sandbox inspection is enabled.

Information can also be found by accessing FortiSandbox. For more information, please refer to the FortiSandbox documentation.

 

Sandbox Integration

Sandbox integration adds another level to sandbox inspection, allowing you to set up automatic actions to protect your network from files FortiSandbox determines are malicious. These actions include: receiving AntiVirus signature updates from FortiSandbox, adding the originating URL of any malicious file to a blocked URL list, and extending sandbox scanning to FortiClient devices.

This section contains the following topics:

  • Overview
  • Example Configuration

 

Overview

FortiSandbox integration involves three different FortiGate security profiles: AntiVirus, Web Filtering, and FortiClient Profiles.

 

AntiVirus

When FortiSandbox discovers a malicious file, it can create an AntiVirus signature for that file. Through FortiSandbox integration, this signature can be sent to a FortiGate to block the file from re-entering the network and to prevent the future retransmission of that file to FortiSandbox.

Use of the FortiSandbox AntiVirus database is enabled in an AntiVirus profile, found at Security Profiles > AntiVirus. It can also be configured using the following CLI commands:

config antivirus profile
    edit <profile>
        set analytics-db enable
    next
end

 

Web Filtering

FortiSandbox integration can also be used to allow FortiSandbox to add a URL filter blocking the source of a discovered malicious file to the FortiGate's blocked URL list.

Blocking malicious URLs discovered by FortiSandbox is enabled in a Web Filter profile, found at Security Profiles > Web Filter. It can also be configured using the following CLI commands:

config webfilter profile
    edit <profile>
        config web
            set blacklist enable
        end
    next
end

 

FortiClient Profiles

Extended FortiSandbox scanning is currently only supported by FortiClient 5.4 for Windows. It can also only be used with FortiSandbox Appliance.

When extended FortiSandbox scanning is enabled for FortiClient, files downloaded by FortiClient can be sent to the FortiSandbox for inspection. Also, if a suspicious file is discovered, FortiClient can be configured to wait until sandbox inspection is complete before allowing that file to be accessed.

AntiVirus signatures can also be pushed by the FortiGate to FortiClient.

If a FortiClient device attempts to download a file that FortiSandbox discovers is malicious, the FortiSandbox notifies the FortiGate. The administrator can take action to quarantine the device. When a quarantine is in effect, FortiClient cuts off other network traffic from the device directly, preventing it from infecting or scanning the local network. When a device is under quarantine, FortiClient cannot be shutdown or uninstalled. A user is also unable to unregister from the FortiGate that quarantined them, or register to another FortiGate unit. A quarantine can only be lifted by the administrator of the FortiGate where the FortiClient device is registered.

Extending FortiSandbox scanning can be configured in the Security settings of a FortiClient Profile, found at Security Profiles > FortiClient Profiles. It can also be configured using the following CLI commands:

config endpoint-control profile
    edit <profile>
        config forticlient-winmac-settings
            set scan-download-file enable
            set sandbox-scan enable
            set sandbox-address <address>
            set wait-sandbox-result {enable | disable}
            set use-sandbox-signature {enable | disable}
        end
    next
end

 

Extending FortiSandbox scanning can also be configured directly in the FortiClient AntiVirus settings.

 

Example Configuration


The following example configuration sets up FortiSandbox integration using AntiVirus, Web Filtering, and a FortiClient profile. This configuration assumes that a connection has already been established between the FortiSandbox Appliance and the FortiGate.

1. Go to Security Profiles > AntiVirus and edit the default profile. Under Inspection Options, enable both Send Files to FortiSandbox Appliance for Inspection and Use FortiSandbox Database. Select Apply.

2. Go to Security Profiles > Web Filter and edit the default profile. Under Static URL Filter, enable Block malicious URLs discovered by FortiSandbox. Select Apply.

3. Go to Security Profiles > FortiClient Profiles and edit the default profile. Under AntiVirus, enable Realtime Protection, then enable Scan Downloads, followed by Scan with FortiSandbox. Enter the IP of the FortiSandbox, then enable Use FortiSandbox signatures. Select Apply.

4. Go to Policy & Objects > IPv4 Policy and view the policy list. If a policy has AntiVirus and Web Filtering scanning applied, the profiles will be listed in the Security Profiles column. If scanning needs to be added to any security policy (excluding the Implicit Deny policy), select the + button in the Security Profiles column for that policy, then select the default AntiVirus Profile, the default Web Filter Profile, the appropriate Proxy Options, and the deep-inspection profile for SSL Inspection Options (to ensure that encrypted traffic is inspected).

5. Select OK.

 

Results

If your FortiGate discovers a suspicious file, it will now be sent to the FortiSandbox. To view information about the files that have been sent on the FortiGate, go to FortiView > FortiSandbox to see a list of file names and current status.

To view results on the FortiSandbox, go to System > Status and view the Scanning Statistics widget. There may be a delay before results appear on the FortiSandbox.

Open FortiClient using a Windows PC on the internal network. Make sure it is registered to your FortiGate. Go to AntiVirus > Realtime Protection Enabled and edit the settings. You will see that the Realtime Protection settings match the FortiClient Profile configured on the FortiGate. These settings cannot be changed using FortiClient.

If a PC running FortiClient downloads a suspicious file that the FortiSandbox determined was malicious, a quarantine would be applied automatically. While the quarantine is in effect, FortiClient cannot be shutdown on the PC. It can not be uninstalled or unregistered from the FortiGate. The quarantine can only be released from the FortiClient Monitor on the FortiGate.

 

Sandbox Inspection FAQ

The following are some frequently asked questions about using sandbox inspection with FortiSandbox and FortiGate.

 

Why is the FortiSandbox Cloud option not available when sandbox inspection is enabled?

This option is only available if you have already created a FortiCloud account. For more information, see the FortiCloud documentation.

 

Why don’t results from FortiSandbox Cloud appear in the FortiGate GUI?

Go to Log & Report > Log Settings and make sure Send Logs to FortiCloud is enabled and GUI Preferences is set to Display Logs from FortiCloud.

Why are the FortiSandbox Appliance VMs inactive?

Make sure that port 3 on the FortiSandbox has an active Internet connection. This is required in order to activate the FortiSandbox VMs.

Why aren’t files being scanned by FortiSandbox?

Make sure an AntiVirus profile that sends files to FortiSandbox is enabled for all policies that require sandbox inspection.

Chapter 20 – Managing a FortiSwitch with a FortiGate

Managing a FortiSwitch with a FortiGate

Introduction

This document provides information about how to set up and configure managed FortiSwitches with a FortiGate. This is also known as using FortiSwitch in FortiLink mode.

Supported Models

The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases.

FortiGate Models                                              Earliest FortiOS   FortiSwitch Models

FGT-90D                                                       5.2.2              FS-224D-POE

FGT-60D, FGT-90D, FGT-100D, FGT-140D (POE, T1),               5.2.3              FSR-112D-POE, FS-108D-POE, FS-124D, FS-124D-POE,
FGT-200D, FGT-240D, FGT-280D (POE), FGT-600C,                                    FS-224D-POE, FS-224D-FPOE
FGT-800C, FGT-1000C
                                                              5.4.0              All FortiSwitch D-series models. FortiSwitchOS 3.3.x or 3.4.0 is recommended.

FGT-1200D, FGT-1500D, FGT-3700D, FGT-3700DX                   5.4.0              All FortiSwitch D-series models. FortiSwitchOS 3.3.x or 3.4.0 is recommended.

What’s New

The following new FortiLink features are available:

FortiOS 5.4.0 with FortiSwitchOS 3.3.0 (or later)

  • FortiGate High-Availability mode
  • Multiple VLANs per port (native VLAN and tagged VLANs)
  • Auto-authorization of the FortiSwitch
  • FortiLink GUI enabled for FGT-600C, FGT-800C and FGT-1000C
  • POE configuration on the FortiSwitch ports
  • FortiLink Link Aggregation Group (LAG)
  • Auto-detection of FortiLink ports on the FortiSwitch

Before You Begin

This manual assumes that, before you configure the managed FortiSwitch unit:

  • You have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch, and you have administrative access to the FortiSwitch web-based manager and CLI.
  • You have installed a FortiGate unit on your network and have administrative access to the FortiGate web-based manager and CLI.

How this Guide is Organized

This guide contains the following sections:

  • Connecting FortiLink Ports – information about connecting FortiSwitch ports to FortiGate ports.
  • FortiLink Configuration – how to configure FortiLink.
  • Configuring FortiLink for FortiGate HA – how to configure FortiLink when you have a pair of FortiGate units in HA mode.
  • Optional Setup Tasks – describes other setup tasks.
  • VLAN Configuration – configure VLANs from the FortiGate unit.
  • FortiSwitch POE Configuration – configure ports and POE from the FortiGate unit.
  • Troubleshooting – describes techniques for troubleshooting common problems.
  • Scenarios – contains practical examples of how to use managed FortiSwitch units in a network.

Connecting FortiLink Ports

This section contains information about the FortiSwitch and FortiGate ports that you connect to establish a FortiLink connection.

You have a choice of connecting a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG).

In FortiSwitchOS 3.3.0 and later releases, you can use any of the switch ports for FortiLink. Some or all of the switch ports (depending on the model) support auto-discovery of the FortiLink ports.

Summary of the Steps

1. If required, enable the Switch Controller on the FortiGate.

2. Connect a cable between the FortiSwitch port and the FortiGate port (or ports for a LAG).

Enable the Switch Controller on FortiGate

Prior to connecting the FortiSwitch and FortiGate units, ensure that the Switch Controller feature is enabled on the FortiGate (depending on the FortiGate model and software release, this feature may be enabled by default).

Use the FortiGate web-based manager or CLI to enable the Switch Controller.

Using the FortiGate web-based manager

1. Go to System > Features.

2. Turn on the Switch Controller feature.

3. Select Apply.

The menu option WiFi & Switch Controller now appears in the web-based manager.

Using the FortiGate CLI

Use the following command to enable the Switch Controller:

config system global
    set switch-controller enable
end

Connect the FortiSwitch and FortiGate

In FortiSwitchOS 3.3.0 and later releases, FortiSwitchOS provides additional flexibility for FortiLink:

  • Use any switch port for FortiLink
  • Provides auto-discovery of the FortiLink ports on the FortiSwitch
  • Choice of a single FortiLink port or multiple FortiLink ports in a link-aggregation group (LAG)

Autodiscovery of the FortiSwitch Ports

In FortiSwitchOS 3.3.0 and later releases, the D-series FortiSwitch models support FortiLink auto-discovery, which is automatic detection of the port connected to the FortiGate.

You can use any of the switch ports for FortiLink. Use the following commands on the FortiSwitch to configure a port for FortiLink auto-discovery:

config switch interface
    edit <port>
        set auto-discovery-fortilink enable
    next
end

NOTE: Some ports are enabled for auto-discovery by default. See table below.

NOTE: Complete this configuration step BEFORE connecting the switch to the FortiGate.

Each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery by default. If you connect the FortiLink using one of these ports, no switch configuration is required.

In general (in FortiSwitchOS 3.4.0 and later releases), the last four ports are the default auto-discovery FortiLink ports. You can also run the show switch interface CLI command on the FortiSwitch to see the ports that have auto-discovery enabled.

The table below lists the default auto-discovery ports for each switch model:

FortiSwitch Model                                    Default Auto-FortiLink ports

FS-108D                                                       ports 9 and 10

FSR-112D                                                     ports 9, 10, 11 and 12

FS-224D-POE                                               ports 21, 22, 23 and 24

FS-1024D, FS-1048D, FS-3032D                 all ports

FS-124D, FS-124D-POE                              ports 23, 24, 25 and 26

FS-224D-FPOE                                            ports 25, 26, 27 and 28

FS-424D-FPOE                                            ports 25 and 26

FS-524D-FPOE                                            ports 25, 26, 27, 28, 29 and 30

FS-548D-FPOE                                            ports 49, 50, 51, 52, 53 and 54

FS-248D-FPOE                                            ports 49, 50, 51, and 52

FS-524D                                                       ports 25, 26, 27, 28, 29 and 30

FS-548D                                                       ports 49, 50, 51, 52, 53 and 54

Choosing the FortiGate Ports

For all FortiGate models, you can connect up to 16 FortiSwitches to one FortiGate unit. The FortiGate manages all of the switches through one active FortiLink. The FortiLink may consist of one port or multiple ports (for a LAG).

The following table shows the ports for each model of FortiGate that you can use for FortiLink.

FortiGate Model                                                        Ports for FortiLink connection

FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE                    port1 – port7

FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE                    port1 – port14

FGT-100D                                                                      port1 – port16

FGT-140D , 140D-POE, 140D-POE-T1                          port1 – port36

FGT-200D                                                                      port1 – port16

FGT-240D                                                                      port1 – port40

FGT-280D, FGT-280D-POE                                          port1 – port84

FGT-600C                                                                      port3 – port22

FGT-800C                                                                      port3 – port24

FGT-1000C                                                                    port3 – port14, port23 – port24

FGT-1200D                                                                    port1 – port36

FGT-1500D                                                                    port1 – port40

FGT-3700D, FGT-3700DX                                             port1 – port32

FortiLink Configuration

This section describes the configuration steps to establish a FortiLink between a FortiSwitch and a FortiGate unit. You can configure FortiLink using the FortiGate web-based manager (GUI) or the FortiGate CLI. We recommend using the FortiGate GUI, because the CLI steps are more complex (and therefore more prone to error).

If you use one of the auto-discovery FortiSwitch ports, you can establish the FortiLink connection (single port or LAG) with zero configuration steps on the FortiSwitch, and with a few simple configuration steps on the FortiGate.

Summary of the Steps

1. On the FortiGate, configure the FortiLink port or create a FortiLink LAG.

2. Authorize the managed FortiSwitch.

Using FortiGate GUI to Configure FortiLink (Single Link)

The following sections describe how to configure FortiLink using a single switch port.

Configuring the Port

Configure the FortiLink port on the FortiGate using the following steps:

1. Go to System > Network > Interfaces.

2. (Optional) If the FortiLink physical port is currently included in the internal interface, edit the internal interface and remove the desired port from the Physical Interface Members.

3. Edit the FortiLink port.

4. Enter the following fields in the Edit Interface form:

a. Addressing mode: Set to Dedicated to Extension Device.

b. IP/Network Mask: system automatically sets the IP address and network mask.

c. (Optional) Automatically authorize devices: disable to manually authorize the FortiSwitch.

d. Select OK.

Authorizing the FortiSwitch

If you set the FortiLink port to manually authorize the FortiSwitch as a managed switch, perform the following steps:

1. Go to WiFi & Switch Controller > Managed FortiSwitch.

2. (Optional) Click on the FortiSwitch faceplate and click Authorize. This step is required only if you disabled the automatic authorization field of the interface.

Network Interface Display

The following image shows the Managed FortiSwitch display. The page displays the FortiGate ports on the left, and the faceplate for each switch on the right.

When the FortiLink is established successfully, the port status is green (on the FortiGate port and on the FortiSwitch faceplate) and the link between the ports is a solid line.

In System > Network > Interfaces, the system displays the switch ID next to the interface name, and displays Dedicated to Extension Device in the IP/Netmask field.

Note: An interface configured for managed FortiAP is also set to Dedicated to Extension Device. Make sure that you are viewing the correct FortiLink interface.

Using FortiGate GUI to Configure FortiLink (LAG)

Starting in FortiSwitchOS 3.3.0, you can configure the FortiLink as a Link Aggregation Group (LAG) to provide increased FortiLink bandwidth between the FortiGate and FortiSwitch.

NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above.

Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Make sure that you configure auto-discovery on the FortiSwitch ports (unless the port is a default auto-discovery port).

Configuring the LAG on the FortiGate

1. Go to Network > Interfaces.

2. (Optional) If the FortiLink physical ports are currently included in the internal interface, edit the internal interface and remove the desired ports from the Physical Interface Members.

3. Click Create New.

4. Enter the following fields in the Add Interface form:

a. Interface name: enter a name for the interface (11 characters maximum).

b. Type: select FortiLink.

c. Physical Interface Members: select the FortiGate ports for the LAG.

d. IP/Network Mask: the system automatically sets the IP address and network mask.

e. Administrative Access: check the boxes for ping, capwap, http and https.

Authorizing the FortiSwitch

To authorize the FortiSwitch as a managed switch, perform the following steps:

1. Go to WiFi & Switch Controller > Managed Devices > Managed FortiSwitch. Click on the switch faceplate and select Authorize.

2. From the FortiGate CLI, ensure that NTP is enabled for the FortiLink LAG:

config system ntp
    set server-mode enable
    set interface fortilink
end

The following image shows the Managed FortiSwitch display. The page displays the FortiGate ports on the left, and the faceplate for each FortiSwitch on the right. The link between the FortiSwitch and FortiGate splits at each end to indicate which ports are members of the LAG.

Before the LAG becomes established, the FortiLink is displayed with dashed lines with a broken-link icon. When the FortiLink LAG is established successfully, the port status for the LAG ports is green (on the FortiGate port list and on the FortiSwitch faceplate), and the link between the ports is a solid line.

Network Interface Display

In System > Network > Interfaces, the system displays the switch ID next to the interface name, and displays Dedicated to Extension Device in the IP/Netmask field.

Note: An interface configured for managed FortiAP is also set to Dedicated to Extension Device. Make sure that you are viewing the correct FortiLink interface.

Using FortiGate CLI to Configure FortiLink (Single Link)

The following sections describe how to use the FortiGate CLI to configure FortiLink using a single link.

Configuring the Port and Authorizing the FortiSwitch

Configure the FortiLink port on the FortiGate, and authorize the FortiSwitch as a managed switch. In the following steps, port1 is configured as the FortiLink port.

1. If required, remove port1 from the lan interface:

config system virtual-switch
    edit lan
        config port
            delete port1
        end
    next
end

2. Configure port1 as the FortiLink interface:

config system interface
    edit port1
        set auto-auth-extension-device enable
        set fortilink enable
    next
end

3. Configure an NTP server on port1:

config system ntp
    set server-mode enable
    set interface port1
end

4. Authorize the FortiSwitch unit as a managed switch:

config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    next
end

NOTE: FortiSwitch will reboot when you issue the above command.

Using FortiGate CLI to Configure FortiLink (LAG)

Starting in FortiSwitchOS 3.3.0, you can configure the FortiLink as a Link Aggregation Group (LAG) to provide increased FortiLink bandwidth between the FortiGate and FortiSwitch.

NOTE: LAG is supported on all FortiSwitch models and on FortiGate models FGT-100D and above.

Connect any of the FortiLink-capable ports on the FortiGate to the FortiSwitch. Make sure that you configure auto-discovery on the FortiSwitch ports (unless the port is a default auto-discovery port).

Configuring the LAG on the FortiGate

To configure the FortiLink as a LAG, create a FortiLink interface on the FortiGate, add the physical ports, and authorize the FortiSwitch as a managed switch. In the following steps, port4 and port5 are configured as the FortiLink LAG.

1. If required, remove the LAG ports from the lan interface:

config system virtual-switch
    edit lan
        config port
            delete port4
            delete port5
        end
    next
end

2. Create a trunk (of type fortilink) with the two ports that you connected to the switch. Enter any interface name of 11 characters or fewer (flink1 in this example):

config system interface
    edit flink1
        set allowaccess ping capwap https
        set type fortilink
        set member port4 port5
        set lacp-mode static
    next
end

3. Configure an NTP server on the LAG interface:

config system ntp
    set server-mode enable
    set interface flink1
end

4. Authorize the FortiSwitch unit as a managed switch:

config switch-controller managed-switch
    edit FS224D3W14000370
        set fsw-wan1-admin enable
    next
end

NOTE: FortiSwitch will reboot when you issue the above command.

5. Configure a DHCP server on the LAG interface:

config system dhcp server
    edit 0
        set ntp-service local
        set netmask 255.255.255.252
        set interface flink1
        config ip-range
            edit 1
                set start-ip 169.254.254.2
                set end-ip 169.254.254.2
            next
        end
        set vci-match enable
        set vci-string FortiSwitch
    next
end

Configuring FortiLink for FortiGate HA

With FortiOS 5.4.0 and later releases, a FortiGate operating in HA mode can use FortiLink (to FortiSwitches running FortiSwitchOS 3.3.0 or later release).

To use FortiLink mode with a pair of FortiGate units in a high-availability cluster, you must connect FortiLink from the switch to both of the FortiGate units.

Highlights of this configuration:

1. No console port or direct management is required on the FortiSwitch.

2. All the actions described here can be performed from FortiCloud if needed.

3. All FortiSwitch internal state and counters are visible when in FortiLink managed mode.

Example Topology

The LAN and WAN links connect to FortiSwitch ports. The FortiSwitch connects to the active and standby FortiGate units. If the standby FortiGate (for example, FGT2) becomes active, this is transparent to the LAN and WAN ports. FortiLink is automatically established to FGT2, and the active traffic path becomes LAN <-> FGT2 <-> WAN.

Note the following points:

1. FortiSwitch connects with FortiLink to both of the FortiGate units. These connections can be LAGs (in FortiSwitch 3.3.0 and later releases).

2. LAN and WAN links can connect to separate FortiSwitches, as shown in the figure. You can also connect them to the same FortiSwitch (and use VLANs to separate the LAN and WAN traffic).

3. Connect the FortiLinks from any two FortiSwitch ports to FGT1 port X and FGT2 port X, where the FortiGate port numbers must match (port1 in the above topology diagram).

4. For FortiLink LAGs, connect FortiLinks from two additional FortiSwitch ports to FGT1 port Y and FGT2 port Y, where the FortiGate port numbers must match.

Adding a Second FortiGate to Existing Single FortiGate

Connect an additional FortiLink from the FortiSwitch to the new FortiGate, and configure HA on both of the FortiGate units.

Managing “bring your own device”

FortiOS can control network access for different types of personal mobile devices that your employees bring onto your premises. You can:

  • identify and monitor the types of devices connecting to your networks, wireless or wired
  • use MAC address based access control to allow or deny individual devices
  • create security policies that specify device types
  • enforce endpoint control on devices that can run FortiClient Endpoint Control software

This chapter contains the following sections:

  • Device monitoring
  • Device Groups
  • Controlling access with a MAC Address Access Control List
  • Security policies for devices

Device monitoring

The FortiGate unit can monitor your networks and gather information about the devices operating on those networks. Collected information includes:

  • MAC address
  • IP address
  • operating system
  • hostname
  • user name
  • how long ago the device was detected and on which FortiGate interface

You can go to User & Device > Device List to view this information. Mouse-over the Device column for more details.

Depending on the information available, the Device column lists the Alias or the MAC address of the device. For ease in identifying devices, Fortinet recommends that you assign each device an Alias.

Device monitoring is enabled separately on each interface. Device detection is intended for devices directly connected to your LAN ports. If enabled on a WAN port, device detection may be unable to determine the operating system on some devices. Hosts whose device type cannot be determined passively can be found by enabling active scanning on the interface.

You can also manually add devices. This enables you to ensure that a device with multiple interfaces is displayed as a single device.

To configure device monitoring

1. Go to Network > Interfaces.

2. Edit the interface that you want to monitor devices on.

3. In Networked Devices, turn on Device Detection and optionally turn on Active Scanning.

4. Select OK.

5. Repeat steps 2 through 4 for each interface that will monitor devices.

To assign an alias to a detected device or change device information

1. Go to User & Device > Device List and edit the device entry.

2. Enter an Alias such as the user’s name to identify the device.

3. Change other information as needed.

4. Select OK.

To add a device manually

1. Go to User & Device > Custom Devices & Groups.

2. Select Create New > Device.

3. Enter the following information:

  • Alias (required)
  • MAC address
  • Additional MACs (other interfaces of this device)
  • Device Type
  • Optionally, add the device to Custom Groups.
  • Optionally, enter Comments.

4. Select OK.

Device Groups

You can specify multiple device types in a security policy. As an alternative, you can add multiple device types to a custom device group and include the group in the policy. This enables you to create a different policy for devices that you know than for devices in general.

To create a custom device group and add devices to it

1. Go to User & Device > Custom Devices & Groups.

The list of device groups is displayed.

2. Select Create New > Device Group.

3. Enter a Name for the new device group.

4. Click in the Members field and click a device type to add. Repeat to add other devices.

5. Select OK.

Controlling access with a MAC Address Access Control List

A MAC Address Access Control List (ACL) allows or blocks access on a network interface that includes a DHCP server. If the interface does not use DHCP, or if you want to limit network access to a larger group such as employee devices, it is better to create a device group and specify that group in your security policies.

A MAC Address ACL functions as either

  • a list of devices to block, allowing all other devices or
  • a list of devices to allow, blocking all other devices

Allowed devices are assigned an IP address. The Assign IP action assigns the device an IP address from the DHCP range. In a list of allowed devices, you can also use the Reserve IP action to always provide a specific IP address to the device.

The Unknown MAC Address entry applies to “other” unknown, unlisted devices. Its action must be opposite to that of the other entries. In an allow list, it must block. In a block list, it must allow.

To create a MAC Address ACL to allow only specific devices

1. Go to the SSID or network interface configuration.

2. In the DHCP Server section, expand Advanced.

DHCP Server must be enabled.

3. In MAC Reservation + Access Control, select Create New and enter an allowed device’s MAC Address.

4. In the IP or Action column, select one of:

  • Assign IP — device is assigned an IP address from the DHCP server address range.
  • Reserve IP — device is assigned the IP address that you specify.

5. Repeat steps 3 and 4 for each additional MAC address entry.

6. Set the Unknown MAC Address entry IP or Action to Block.

Devices not in the list will be blocked.

7. Select OK.

To create a MAC Address ACL to block specific devices

1. Go to the SSID or network interface configuration.

2. In the DHCP Server section, expand Advanced.

DHCP Server must be enabled.

3. In MAC Reservation + Access Control, select Create New and enter the MAC Address of a device that must be blocked.

4. In the IP or Action column, select Block.

5. Repeat steps 3 and 4 for each device that must be blocked.

6. Set the Unknown MAC Address entry IP or Action to Assign IP.

Devices not in the list will be assigned IP addresses.

7. Select OK.
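The allow-list and block-list semantics described above, as an added example that is not FortiOS code: a small Python model of the DHCP-server MAC ACL that checks the Unknown MAC Address rule (its action must be the opposite of the listed entries) and shows what a requesting device gets. The MAC addresses and the 10.10.80.x range are constructed sample values.

```python
"""FortiGate DHCP-server MAC Address ACL semantics, as an added example (not FortiOS code).

It models the rules the handbook describes: Assign IP / Reserve IP / Block per listed MAC,
and an Unknown MAC Address entry whose action must be the opposite of the listed entries.
The MAC addresses and the DHCP range used below are constructed sample values.
"""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ASSIGN, RESERVE, BLOCK = "assign", "reserve", "block"


def normalize_mac(mac: str) -> str:
    """Return the MAC as lower-case aa:bb:cc:dd:ee:ff; accepts ':', '-', '.' or no separator."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass
class AclEntry:
    action: str                                # ASSIGN, RESERVE or BLOCK
    reserved_ip: Optional[IPv4Address] = None  # only used with RESERVE


@dataclass
class MacAcl:
    entries: Dict[str, AclEntry]   # listed devices, keyed by normalized MAC
    unknown_action: str            # the "Unknown MAC Address" row: ASSIGN or BLOCK
    pool_start: IPv4Address        # DHCP server address range
    pool_end: IPv4Address
    leases: Dict[str, IPv4Address] = field(default_factory=dict)

    def validate(self) -> List[str]:
        """Return the rule violations (empty when the ACL is consistent)."""
        problems = []
        actions = {e.action for e in self.entries.values()}
        if self.unknown_action not in (ASSIGN, BLOCK):
            problems.append("Unknown MAC Address entry must be Assign IP or Block")
        if BLOCK in actions and actions != {BLOCK}:
            problems.append("an ACL is either a block list or an allow list, not both")
        # The Unknown MAC Address entry must be the opposite of the listed entries.
        if actions and BLOCK not in actions and self.unknown_action != BLOCK:
            problems.append("allow list: Unknown MAC Address must be set to Block")
        if actions == {BLOCK} and self.unknown_action != ASSIGN:
            problems.append("block list: Unknown MAC Address must be set to Assign IP")
        for mac, e in self.entries.items():
            if e.action == RESERVE and e.reserved_ip is None:
                problems.append(f"{mac}: Reserve IP needs an address")
        return problems

    def _next_free(self) -> Optional[IPv4Address]:
        """First pool address that is neither leased nor reserved for a listed device."""
        taken = set(self.leases.values()) | {e.reserved_ip for e in self.entries.values() if e.reserved_ip is not None}
        cur = self.pool_start
        while cur <= self.pool_end:
            if cur not in taken:
                return cur
            cur += 1
        return None

    def request(self, mac: str) -> Tuple[str, Optional[IPv4Address]]:
        """What the DHCP server does for a requesting device: (action, address or None)."""
        mac = normalize_mac(mac)
        entry = self.entries.get(mac, AclEntry(self.unknown_action))
        if entry.action == BLOCK:
            return BLOCK, None
        if entry.action == RESERVE:
            self.leases[mac] = entry.reserved_ip
            return RESERVE, entry.reserved_ip
        if mac not in self.leases:             # a device that already has a lease keeps it
            ip = self._next_free()
            if ip is None:
                return "exhausted", None
            self.leases[mac] = ip
        return ASSIGN, self.leases[mac]


def allow_only_listed_devices() -> MacAcl:
    """Allow list (first handbook procedure): listed MACs get addresses, all others are blocked."""
    return MacAcl(
        entries={
            normalize_mac("00-11-22-33-44-55"): AclEntry(ASSIGN),
            normalize_mac("00:11:22:33:44:66"): AclEntry(RESERVE, IPv4Address("10.10.80.50")),
        },
        unknown_action=BLOCK,
        pool_start=IPv4Address("10.10.80.10"),
        pool_end=IPv4Address("10.10.80.20"),
    )


def block_listed_devices() -> MacAcl:
    """Block list (second handbook procedure): the listed MAC is refused, all others get an address."""
    return MacAcl(entries={normalize_mac("00:11:22:33:44:77"): AclEntry(BLOCK)},
                  unknown_action=ASSIGN, pool_start=IPv4Address("10.10.80.10"),
                  pool_end=IPv4Address("10.10.80.20"))
```

Running validate() on an ACL whose Unknown MAC Address entry has the same action as its listed devices reports the misconfiguration before it silently admits (or locks out) every unlisted device.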

Security policies for devices

Security policies enable you to implement policies according to device type. For example:

  • Gaming consoles cannot connect to the company network or the Internet.
  • Personal tablet and phone devices can connect to the Internet but not to company servers.
  • Company-issued laptop computers can connect to the Internet and company servers. Web filtering and antivirus are applied.
  • Employee laptop computers can connect to the Internet, but web filtering is applied. They can also connect to company networks, but only if FortiClient Endpoint Security is installed to protect against viruses.

The following images show these policies implemented for WiFi to the company network and to the Internet.

Device policies for company laptop access to the company network

Device policies for WiFi access to the Internet

The next section explains device policy creation in detail.

Creating device policies

Device-based security policies are similar to policies based on user identity:

  • The policy enables traffic to flow from one network interface to another.
  • NAT can be enabled.
  • UTM protection can be applied.

To create a device policy

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Choose Incoming Interface, Outgoing Interface and Source as you would for any security policy.

3. In Source, select an address and the device types that can use this policy.

You can select multiple devices or device groups.

4. Turn on NAT if appropriate.

5. Configure Security Profiles as you would for any security policy.

6. Select OK.

Adding endpoint protection

Optionally, you can require that users’ devices connecting to a particular network interface have FortiClient Endpoint Security software installed. Devices without an up-to-date installation of FortiClient software are restricted to a captive portal from which the user can download a FortiClient installer. For information about creating FortiClient profiles, see “Endpoint Protection”.

To add endpoint protection to a security policy

1. Go to Network > Interfaces and edit the interface.

2. In Admission Control turn on Allow FortiClient Connections and FortiClient Enforcement.

3. Optionally, select sources (addresses and device types) to exempt from FortiClient enforcement.

4. Optionally, select destination addresses and services to exempt from FortiClient enforcement.

5. Select OK.

FortiOS pushes a FortiClient profile out to the FortiClient software, configuring network protection such as antivirus, application control, and web category filtering. To create these profiles, go to Security Profiles > FortiClient Profiles.

Chapter 19 – Managing Devices

This handbook chapter contains the following sections:

  • What’s New in FortiOS 5.4
  • Managing “bring your own device” – describes device monitoring, devices, device groups, and device policies. The administrator can monitor all types of devices and control their access to network resources.
  • Device monitoring
  • Device Groups
  • Controlling access with a MAC Address Access Control List
  • Security policies for devices

What’s New in FortiOS 5.4

802.1x Mac Authentication Bypass (197218)

Some FortiGate models contain a hardware switch. On the hardware switch interface, 802.1X authentication is available. You might want to bypass 802.1X authentication for devices such as printers that cannot authenticate, identifying them by their MAC address.

In the CLI, enable MAC authentication bypass on the interface:

config system interface
    edit "lan"
        set ip 10.0.0.200 255.255.255.0
        set security-mode 802.1X
        set security-mac-auth-bypass enable
        set security-groups "Radius-group"
    next
end

The devices that bypass authentication have entries in the RADIUS database with their MAC address in the User-Name and User-Password attributes instead of user credentials.

Vulnerability Scan status change (293156)

The FortiGate no longer functions as a vulnerability scanner, even in CLI mode. Vulnerability scans and assessments are handled by the FortiClient software.

FortiFone devices are now identified by FortiOS (289921)

FortiFone devices are now identified by FortiOS as Fortinet FON.

Support for MAC Authentication Bypass (MAB) (197218)

MAC Authentication Bypass allows devices without 802.1X capability (printers and IP phones for example) to bypass authentication and be allowed network access based on their MAC address. This feature requires RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC addresses.

MAC Authentication Bypass is configurable only in the CLI and only on interfaces configured for 802.1X authentication. For example:

config system interface
    edit "lan"
        set ip 10.0.0.200 255.255.255.0
        set vlanforward enable
        set security-mode 802.1X
        set security-mac-auth-bypass enable
        set security-groups "Radius-group"
    next
end

MAC Authentication Bypass is also available on WiFi SSIDs, regardless of authentication type. It is configurable only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be used. For example:

config wireless-controller vap
    edit "office-ssid"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "staff"
        set radius-mac-auth enable
        set radius-mac-auth-server "ourRadius"
    next
end

Active device identification (279278)

Hosts whose device type cannot be determined passively are actively scanned using the same techniques as the vulnerability scan. This active scanning is enabled by default on models that support vulnerability scanning. You can turn off Active Scanning on any interface. In the GUI, go to the interface’s page in Network > Interfaces.

CLI Syntax:

config system interface
    edit port1
        set device-identification enable
        set device-identification-active-scan disable
    next
end

Device Page Improvements (Detected and custom devices) (280271)

Devices are now in two lists on the User & Device menu. Detected devices are listed in the Device List where you can list them alphabetically, by type, or by interface. On the Custom Devices and Groups page you can

  • create custom device groups
  • predefine a device, assigning its device type and adding it to custom device groups

Device offline timeout is adjustable (269104)

A device is considered offline if it has not sent any packets during the timeout period. Prior to FortiOS 5.4, the timeout value was fixed at 90 seconds. Now the timeout can be set to any value from 30 to 31 536 000 seconds (365 days). The default value is 300 seconds (5 minutes). The timer is in the CLI:

config system global
    set device-idle-timeout 300
end

Improved detection of FortiOS-VM devices (272929)

A FortiGate-VM device is an instance of FortiOS running on a virtual machine (VM). The host computer does not have the Fortinet MAC addresses usually used to detect FortiGate units. Device detection now has two additional ways to detect FortiGate-VMs:

  • the FortiGate vendor ID in FortiOS IKE messages
  • the FortiGate device ID in FortiGuard web filter and spamfilter requests

Custom avatars for custom devices (299795)

You can upload an avatar for a custom device. The avatar is then displayed in the GUI wherever the device is listed, such as FortiView, the log viewer, or policy configuration. To upload an avatar image, click Upload Image on the New Device or Edit Device page of User & Device > Custom Devices & Groups. The image can be in any format your browser supports and will be automatically sized to 36 x 36 pixels for use in the FortiGate GUI.

 

Troubleshooting and logging

This section explains how to troubleshoot logging configuration issues, as well as connection issues, that you may have with your FortiGate unit and a log device. This section also contains information about how to use log messages when troubleshooting issues that are about other FortiGate features, such as VPN tunnel errors.

 

Using log messages to help in troubleshooting issues

Log messages can help when troubleshooting issues that occur, since they can provide details about what is occurring. The uses and methods for involving logging in troubleshooting vary depending on the problem. The following are examples of how log messages can assist when troubleshooting networking issues.

 

Using IPS packet logging in diagnostics

This type of logging should only be enabled when you need to know about specific diagnostic information, for example, when you suspect a signature is triggered by a false positive. These log messages can help troubleshoot individual problems with misidentified or missing packets and network intrusions involving malicious packets.

 

To configure IPS packet logging

1. Go to Security Profiles > Intrusion Protection.

2. Select the IPS sensor that you want to enable IPS packet logging on, and then select Edit.

3. In the filter options, enable Packet Logging.

4. Select OK.

If you want to configure the packet quota, or the number of packets that are recorded before alerts and after attacks, use the following procedure.

 

To configure additional settings for IPS packet logging

1. Log in to the CLI.

2. Enter the following to start configuring additional settings:

config ips settings
    set ips-packet-quota <integer>
    set packet-log-history <integer>
    set packet-log-post-attack <integer>
end

 

Using HA log messages to determine system status

When the FortiGate unit is in HA mode, you may see the following log message content within the event log:

type=event subtype=ha level=critical msg="HA slave heartbeat interface internal lost neighbor information"

or

type=event subtype=ha level=critical msg="Virtual cluster 1 of group 0 detected new joined HA member"

or

type=event subtype=ha level=critical msg="HA master heartbeat interface internal get peer information"

When these log messages appear close together in time, they indicate that the units within the cluster have lost track of each other: a heartbeat interface lost its neighbor and a member then had to rejoin the cluster. The messages name the heartbeat interface and virtual cluster involved, which is the information you need to fix the problem.
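The correlation described above, as an added example that is not part of the handbook: a small parser for FortiOS key=value event-log lines and a check that flags a heartbeat loss followed by a cluster rejoin within a time window. The sample log lines, their date/time values and the 60-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample event-log lines (not captured from a real unit). FortiOS
# log records are space-separated key=value pairs; values containing spaces
# are double-quoted. The date/time values are assumptions for the example.
SAMPLE_LOG = """\
date=2016-03-01 time=10:15:02 type=event subtype=ha level=critical msg="HA slave heartbeat interface internal lost neighbor information"
date=2016-03-01 time=10:15:05 type=event subtype=system level=notice msg="Admin login successful"
date=2016-03-01 time=10:15:09 type=event subtype=ha level=critical msg="Virtual cluster 1 of group 0 detected new joined HA member"
date=2016-03-01 time=10:15:11 type=event subtype=ha level=critical msg="HA master heartbeat interface internal get peer information"
"""

# key=value, where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Split one FortiOS log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def ha_events(log_text):
    """Return (timestamp, msg) for every critical HA event in the log text."""
    events = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if (f.get("type"), f.get("subtype"), f.get("level")) == ("event", "ha", "critical"):
            ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, f["msg"]))
    return events


def heartbeat_loss_then_rejoin(events, window=timedelta(seconds=60)):
    """True if a 'lost neighbor information' message is followed within
    `window` by a 'detected new joined HA member' message, i.e. the cluster
    split on the heartbeat interface and then re-formed."""
    losses = [ts for ts, msg in events if "lost neighbor information" in msg]
    joins = [ts for ts, msg in events if "detected new joined HA member" in msg]
    return any(0 <= (j - l).total_seconds() <= window.total_seconds()
               for l in losses for j in joins)


if __name__ == "__main__":
    evs = ha_events(SAMPLE_LOG)
    for ts, msg in evs:
        print(ts, msg)
    print("cluster split and rejoined:", heartbeat_loss_then_rejoin(evs))
```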

 

Connection issues between FortiGate unit and logging devices

If external logging devices are not recording the log information properly or at all, the problem will likely be due to one of two situations: no data is being received because the log device cannot be reached, or no data is being sent because the FortiGate unit is no longer logging properly.

 

Unable to connect to a supported log device

After configuring logging to a supported log device, and testing the connection, you may find you cannot connect. To determine whether this is the problem:

1. Verify that the information you entered is correct; it could be a simple mistake in the IP address, or you may not have selected Apply on the Log Settings page after changing the settings, which would prevent them from taking effect.

2. Use execute ping to see if you can ping to the log device.

3. If you are unable to ping the log device, check whether the log device itself is working, is on the network, and is assigned an appropriate address.

 

FortiGate unit has stopped logging

If the FortiGate unit has stopped logging to a device, test the connection between the FortiGate unit and the device using the execute ping command. The log device may have been turned off, may be upgrading to a new firmware version, or may simply not be working properly.

The FortiGate unit may also have a corrupted log database. When you log into the web-based manager and you see an SQL database error message, it is because the SQL database has become corrupted. View “SQL database errors” in the next section before taking any further actions, to avoid losing your current logs.

 

Log database issues

If attempting to troubleshoot issues with the SQL log database, use the following to help guide you to solving issues that occur.

 

SQL statement syntax errors

There may be errors or inconsistencies in the SQL used to maintain the database. Here are some example error messages and possible causes:

You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax error at or near… (local/PostgreSQL)

  • Verify that the SQL keywords are spelled correctly, and that the query is well-formed.
  • Table and column names are delimited by grave accent (`) characters. Single (') and double (") quotation marks will cause an error.

No data is covered.

  • The query is correctly formed, but no data has been logged for the log type. Verify that you have configured the FortiGate unit to save that log type. On the Log Settings page, make sure that the log type is checked.

 

Connection problems

If well-formed SQL queries do not produce results, and logging is turned on for the log type, there may be a database configuration problem with the remote database.

 

Ensure that:

  • MySQL is running and using the default port 3306.
  • You have created an empty database and a user who has read/write permissions for the database.

Here is an example of creating a new MySQL database named fazlogs, and adding a user for the database (% is the MySQL wildcard for any host):

1. # mysql -u root -p

2. mysql> CREATE DATABASE fazlogs;

3. mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'%' IDENTIFIED BY 'fazpassword';

4. mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'localhost' IDENTIFIED BY 'fazpassword';

 

SQL database errors

If the database seems inaccessible, you may encounter the following error message after upgrading or downgrading the FortiGate unit's firmware image.

 

Example of an SQL database error message

The error message indicates that the SQL database is corrupted and cannot be updated with the SQL schemas any more. When you see this error message, you can do one of the following:

  • select Cancel and back up all log files; then select Rebuild to blank and rebuild the database.
  • select Rebuild immediately, which will blank the database and previous logs will be lost.

 

Until the database is rebuilt, no information will be logged by the FortiGate unit regardless of the log settings that are configured on the unit. When you select Rebuild, all logs are lost because the SQL database is erased and then rebuilt again. Logging resumes automatically according to your settings after the SQL database is rebuilt.

To view the status of the database, use the diagnose debug sqldb-error status command in the CLI. This command will inform you whether the database has errors present.

If you want to view the database’s errors, use the diagnose debug sqldb-error read command in the CLI. This command indicates exactly what errors occurred, and what tables contain those errors.

Log files are backed up using the execute backup {disk | memory} {alllogs | logs} command in the CLI. You must use the text variable when backing up log files, because the text variable allows you to view the log files outside the FortiGate unit. When you back up log files, you are really just copying the log files from the database to a specified location, such as a TFTP server.

 

Logging daemon (Miglogd)

The number of logging daemon child processes has been made available for editing. A higher number can affect performance, and a lower number can affect log processing time, although no logs will be dropped or lost if the number is decreased.

If you are suffering from performance issues, you can alter the number of logging daemon child processes, from 0 to 15, using the following syntax. The default is 8.

config system global
    set miglogd-children <integer>
end