Category Archives: FortiOS 5.4 Handbook

The complete handbook for FortiOS 5.4

Diagnose command changes

Most diagnose sys dashboard commands removed (129248)

The diagnose sys dashboard reset command is still available.

FortiView network segmentation tree diagnose command (286116)

Enter diagnose sys nst {downstream | query} to display information about the FortiView network segmentation tree:

  • downstream shows the connected downstream FortiGates.
  • query queries the network segmentation tree.

Changes to diagnose hardware deviceinfo disk command (271816)

Extraneous information has been removed from the diagnose hardware deviceinfo disk command output and some field names have been changed.

Device identification

802.1X MAC Authentication Bypass (197218)

Some FortiGate models contain a hardware switch. On the hardware switch interface, 802.1X authentication is available. You might want to bypass 802.1X authentication for devices such as printers that cannot authenticate, identifying them by their MAC address instead.

In the CLI, enable MAC authentication bypass on the interface:

config system interface
    edit "lan"
        set ip 10.0.0.200 255.255.255.0
        set security-mode 802.1X
        set security-mac-auth-bypass enable
        set security-groups "Radius-group"
    next
end

The devices that bypass authentication have entries in the RADIUS database with their MAC address in the User-Name and User-Password attributes instead of user credentials.

Vulnerability scan status change (293156)

The FortiGate no longer functions as a vulnerability scanner, even from the CLI. Vulnerability scans and assessments are handled by the FortiClient software.

FortiFone devices are now identified by FortiOS (289921)

FortiFone devices are now identified by FortiOS as Fortinet FON.

Support for MAC Authentication Bypass (MAB) (197218)

MAC Authentication Bypass allows devices without 802.1X capability (printers and IP phones, for example) to bypass authentication and be allowed network access based on their MAC address. This feature requires RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC addresses. Because the MAC address is the only credential and is trivially spoofed, treat MAB as identification rather than authentication, and give the security group used for MAB devices only the access those devices need.

MAC Authentication Bypass is configurable only in the CLI and only on interfaces configured for 802.1X authentication. For example:

config system interface
    edit "lan"
        set ip 10.0.0.200 255.255.255.0
        set vlanforward enable
        set security-mode 802.1X
        set security-mac-auth-bypass enable
        set security-groups "Radius-group"
    next
end

MAC Authentication Bypass is also available on WiFi SSIDs, regardless of authentication type. It is configurable only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be used. For example:

config wireless-controller vap
    edit "office-ssid"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "staff"
        set radius-mac-auth enable
        set radius-mac-auth-server "ourRadius"
    next
end
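As an added example (written for this page; not from the handbook and not Fortinet code), the following Python models the RADIUS side that both MAB entries above depend on: each bypass device is a RADIUS user whose User-Name and User-Password are both its MAC address. It assumes a FreeRADIUS-style flat `users` file as the MAC database and a particular on-wire MAC format (the WIRE_SEPARATOR and WIRE_UPPER settings); the inventory, the device labels and the helper names normalize_mac, build_mab_db, users_file and mab_authorize are all constructed for the example. Confirm the MAC format your FortiGate actually sends before generating entries.

```python
"""Build and check a MAC Authentication Bypass (MAB) user database.

Added example, not from the FortiOS handbook or Fortinet code. Assumptions
(hypothetical): the RADIUS server is FreeRADIUS and its flat `users` file is
the MAC database; the FortiGate presents the MAC in User-Name and
User-Password in the form produced by wire_format(). Inventory entries are
constructed sample data.
"""
import re

# How the NAS writes the MAC into User-Name / User-Password (assumption).
WIRE_SEPARATOR = ":"
WIRE_UPPER = False

# Constructed inventory: devices that cannot do 802.1X, with MACs typed in
# whatever format the admin copied from the device label.
MAB_INVENTORY = {
    "printer-lobby": "00:1B:A9:12:34:56",
    "printer-hr": "00-1b-a9-ab-cd-ef",
    "phone-101": "001b.a9aa.bbcc",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text):
    """Canonical form: 12 lowercase hex digits, separators stripped.
    Anything that is not exactly 48 bits is rejected, so a typo cannot
    silently become a malformed (or over-broad) entry."""
    digits = re.sub(r"[:\-. ]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def wire_format(canonical, sep=WIRE_SEPARATOR, upper=WIRE_UPPER):
    """Render a canonical MAC the way the NAS sends it on the wire."""
    s = sep.join(canonical[i:i + 2] for i in range(0, 12, 2))
    return s.upper() if upper else s


def build_mab_db(inventory):
    """Map canonical MAC -> device label. A MAC listed twice is an error."""
    db = {}
    for label, raw in inventory.items():
        mac = normalize_mac(raw)
        if mac in db:
            raise ValueError(f"{raw} listed twice ({db[mac]} and {label})")
        db[mac] = label
    return db


def users_file(db):
    """FreeRADIUS `users` entries: user name and cleartext password are both
    the MAC; the Reply-Message only labels the device in the server log."""
    lines = []
    for mac, label in sorted(db.items()):
        w = wire_format(mac)
        lines.append(f'"{w}"\tCleartext-Password := "{w}"')
        lines.append(f'\tReply-Message = "MAB {label}"')
        lines.append("")
    return "\n".join(lines)


def mab_authorize(db, user_name, user_password):
    """The server's decision for a MAB Access-Request. The MAC is the only
    credential, so this is identification, not authentication: a host that
    spoofs a listed MAC is accepted too. Keep the MAB security group tight."""
    try:
        mac = normalize_mac(user_name)
    except ValueError:
        return False, "User-Name is not a MAC address"
    if mac not in db:
        return False, "MAC not in bypass list"
    if user_password != user_name:
        return False, "User-Password does not match User-Name"
    return True, db[mac]


if __name__ == "__main__":
    database = build_mab_db(MAB_INVENTORY)
    print(users_file(database))
    print(mab_authorize(database, "00:1b:a9:12:34:56", "00:1b:a9:12:34:56"))
    print(mab_authorize(database, "de:ad:be:ef:00:01", "de:ad:be:ef:00:01"))
```

The normalization step is the part that bites in practice: MACs get copied from labels in three or four formats, and an entry in the wrong format means the printer simply fails MAB. mab_authorize makes the security point explicit: the decision rests only on a spoofable MAC, which is why the security-groups assigned to MAB devices should be narrower than those for users who actually authenticate.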


Active device identification (279278)

Hosts whose device type cannot be determined passively are actively scanned using the same techniques as the vulnerability scan. This active scanning is enabled by default on models that support vulnerability scanning. You can turn off Active Scanning on any interface. In the GUI, go to the interface’s page in Network > Interfaces.

CLI Syntax:

config system interface
    edit port1
        set device-identification enable
        set device-identification-active-scan disable
    next
end

Device Page Improvements (Detected and custom devices) (280271)

Devices are now in two lists on the User & Device menu. Detected devices are listed in the Device List where you can list them alphabetically, by type, or by interface. On the Custom Devices and Groups page you can

  • create custom device groups
  • predefine a device, assigning its device type and adding it to custom device groups

Device offline timeout is adjustable (269104)

A device is considered offline if it has not sent any packets during the timeout period. Prior to FortiOS 5.4, the timeout value was fixed at 90 seconds. Now the timeout can be set to any value from 30 to 31 536 000 seconds (365 days). The default value is 300 seconds (5 minutes). The timer is in the CLI:

config system global
    set device-idle-timeout 300
end

Improved detection of FortiOS-VM devices (272929)

A FortiGate-VM device is an instance of FortiOS running on a virtual machine (VM). The host computer does not have the Fortinet MAC addresses usually used to detect FortiGate units. Device detection now has two additional ways to detect FortiGate-VMs:

  • the FortiGate vendor ID in FortiOS IKE messages
  • the FortiGate device ID in FortiGuard web filter and spamfilter requests

Custom avatars for custom devices (299795)

You can upload an avatar for a custom device. The avatar is then displayed in the GUI wherever the device is listed, such as FortiView, the log viewer, or policy configuration. To upload an avatar image, click Upload Image on the New Device or Edit Device page of User & Device > Custom Devices & Groups. The image can be in any format your browser supports and is automatically resized to 36 x 36 pixels for use in the FortiGate GUI.

PCI DSS compliance

Vulnerability Scanning has been removed (293156)

Vulnerability scanning can now be done from FortiClient.

PCI DSS Compliance Check Support (270014)

FortiOS 5.4 allows you to run a compliance check either on demand or according to a schedule that automatically checks PCI DSS compliance at the global or VDOM level. The compliance check determines whether the FortiGate is compliant with each PCI DSS requirement by displaying an ‘X’ next to the non-compliant entries in the GUI logs.

Go to System > Advanced > Compliance, turn on compliance checking and configure a daily time to run the compliance check. Or you can select Run Now to run the compliance check on demand.

Go to Log & Report > Compliance Events to view compliance checking log messages that show the results of running compliance checks.

(Screenshot: Review Compliance Results)

New Features – Authentication

RADIUS Framed-IP into accounting packets (234003 189828)

RADIUS attributes including NAS-IP-Address, Called-Station-Id, Framed-IP-Address, and Event-Timestamp are now supported in accounting packets.

Include RADIUS attribute CLASS in all accounting requests (290577)

The RADIUS attribute CLASS is now supported in accounting requests for firewall, WiFi, and proxy authentication. The CLASS value returned by the RADIUS server in the Access-Accept message is added to all accounting requests for that session.
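To make the CLASS behaviour concrete, here is an added example (Python written for this page; not FortiOS code and not from the handbook) that encodes the exchange with a minimal RFC 2865/2866 codec: the server's Access-Accept carries an opaque Class attribute, and the NAS, standing in for the FortiGate, copies it unchanged into the Accounting-Request together with NAS-IP-Address, Called-Station-Id, Framed-IP-Address and Event-Timestamp. The shared secret, addresses, user name, session ID and Class value are constructed sample data, and the function names are the example's own.

```python
"""RADIUS Class in Access-Accept, echoed into Accounting-Request.

Added example, not from the handbook or FortiOS code. Minimal RFC 2865/2866
encoder: the server returns an opaque Class attribute in Access-Accept and
the NAS copies it verbatim into every Accounting-Request it sends for the
session. Secret, addresses, user and Class value are constructed data.
"""
import hashlib
import ipaddress
import os
import struct

# Packet codes and attribute types (RFC 2865, 2866, 2869).
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
CLASS, CALLED_STATION_ID, ACCT_STATUS_TYPE = 25, 30, 40
ACCT_SESSION_ID, EVENT_TIMESTAMP = 44, 55
ACCT_STATUS_START = 1


def encode_attrs(attrs):
    """Each AVP is Type(1) Length(1, includes the 2-byte header) Value."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError(f"attribute {atype}: bad value length {len(value)}")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Inverse of encode_attrs; rejects truncated or zero-length AVPs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad AVP length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def _header(code, ident, body):
    return struct.pack("!BBH", code, ident, 20 + len(body))


def access_accept(ident, request_auth, secret, class_value):
    """Server side. Response Authenticator (RFC 2865 s3) =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs([(CLASS, class_value)])
    hdr = _header(ACCESS_ACCEPT, ident, body)
    resp_auth = hashlib.md5(hdr + request_auth + body + secret).digest()
    return hdr + resp_auth + body


def accounting_request(ident, secret, user, nas_ip, called_station,
                       framed_ip, class_value, session_id, event_ts):
    """NAS side. Request Authenticator (RFC 2866 s3) =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs([
        (USER_NAME, user.encode()),
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
        (ACCT_SESSION_ID, session_id.encode()),
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
        (CALLED_STATION_ID, called_station.encode()),
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed),
        (EVENT_TIMESTAMP, struct.pack("!I", event_ts)),
        (CLASS, class_value),  # copied verbatim; the NAS never interprets it
    ])
    hdr = _header(ACCOUNTING_REQUEST, ident, body)
    auth = hashlib.md5(hdr + bytes(16) + body + secret).digest()
    return hdr + auth + body


def verify_accounting(pkt, secret):
    """Server-side check of the Accounting-Request authenticator: a wrong
    secret or any modified attribute (including Class) fails here."""
    hdr, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    if struct.unpack("!H", hdr[2:4])[0] != len(pkt):
        return False
    return hashlib.md5(hdr + bytes(16) + body + secret).digest() == auth


def get_attr(pkt, atype):
    """All values of one attribute type in a packet."""
    return [v for t, v in decode_attrs(pkt[20:]) if t == atype]


def exchange():
    """One session: Access-Accept with Class, then the accounting Start."""
    secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)  # normally taken from the Access-Request
    class_value = b"constructed-session-class-0x1a2b"  # opaque, server-chosen
    accept = access_accept(7, request_auth, secret, class_value)
    stored_class = get_attr(accept, CLASS)[0]  # NAS keeps this with the session
    acct = accounting_request(8, secret, "alice", "10.0.0.200",
                              "00-1b-a9-12-34-56", "10.0.0.57",
                              stored_class, "0001a2b3", 1_700_000_000)
    return accept, acct, secret


if __name__ == "__main__":
    accept_pkt, acct_pkt, shared = exchange()
    print("class in Access-Accept:     ", get_attr(accept_pkt, CLASS))
    print("class in Accounting-Request:", get_attr(acct_pkt, CLASS))
    print("accounting authenticator ok:", verify_accounting(acct_pkt, shared))
```

Two things are worth noticing. Class is opaque to the NAS: it is stored and echoed byte for byte, which is what lets the RADIUS server tie accounting records back to the authorization it granted. And the Accounting-Request authenticator covers every attribute, so a receiver that verifies it with the shared secret detects a modified or injected Class value; verify_accounting shows that check.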

Certificate-related changes (263368)

Fortinet_factory certificate has been re-signed with an expiration date of 2038 and it is used instead of fortinet_factory2, which has been removed.

Improvements and changes to per-VDOM certificates (276403 267362)

The CA and local certificate configuration is now available per-VDOM. When an admin uploads a certificate to a VDOM, it will only be accessible inside that VDOM. When an admin uploads a certificate to global, it will be accessible to all VDOMs and global.

There are factory default certificates such as Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi, and Fortinet_Factory, these certificates are moved to per-VDOM and automatically generated when a new VDOM is created.

The Fortinet_Firmware certificate has been removed, and all the attributes that used Fortinet_Firmware now use Fortinet_Factory.

CLI Changes

Two new attributes, range and source, have been added. range can be global or vdom: if the certificate file is imported from global, it is a global certificate; if it is imported from within a VDOM, it is a VDOM certificate. source can be factory, user or fortiguard:

  • factory: the factory certificate files shipped with the FortiOS version, that is Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi and Fortinet_Factory.
  • user: a certificate file imported by the user.
  • fortiguard: a certificate file imported from FortiGuard.

config certificate local
    edit Fortinet_Factory
        set range {global | vdom}
        set source {factory | user | fortiguard}
    next
end

Default Root VDOM Certificates

Certificates with the same names are also available from the global configuration. These are generated when you turn on VDOMs.

Virtual Wire Pair

This feature (276013), available in NAT and Transparent mode, replaces the Port Pair feature of FortiOS 5.2, which was available in Transparent mode only. When two physical interfaces are set up as a Virtual Wire Pair, they have no IP addressing and are treated similarly to a transparent mode VDOM. All packets accepted by one of the interfaces in a virtual wire pair can only exit the FortiGate through the other interface in the pair, and only if allowed by a virtual wire pair firewall policy. Packets arriving on other interfaces cannot be routed to the interfaces in a virtual wire pair. A FortiGate can have multiple virtual wire pairs.

You cannot add VLANs to virtual wire pairs. However, you can enable wildcard VLANs for a virtual wire pair. This means that all VLAN-tagged traffic can pass through the virtual wire pair if allowed by virtual wire pair firewall policies.

Adding a virtual wire pair

To add a virtual wire pair, go to Network > Interfaces and select Create New > Virtual Wire Pair. Select the two interfaces to add to the virtual wire pair, optionally enable Wildcard VLAN, and select OK.

The virtual wire pair appears on the Interface list.

Use the following command to add a virtual wire pair from the CLI with the wildcard VLAN feature enabled:

config system virtual-wire-pair
    edit test-VWP
        set member port3 port4
        set wildcard-vlan enable
    next
end

Assigning an interface to a virtual wire pair removes the “role” value from the interface.

WAN link load balancing

In the same way that incoming traffic can be load balanced, outgoing or WAN traffic can also be load balanced and for the same three reasons.

1. Reduce the places in the work flow where a single point of failure can bring the process to a halt.

2. Expand the capacity of the resources to handle the required workload.

3. Have it configured so that the process of balancing the workload is automatic.

Often, it is just as important for an organization's members to be able to access the Internet as it is for the denizens of the Internet to access the Web-facing resources.

There is now a WAN Load Balancing feature located in the Network section of the GUI (“WAN LLB”).

As part of the new WAN Load Balancing feature, the FortiOS 5.2 Router > Static > Settings GUI page has been removed. WAN Load Balancing should be used instead of the 5.2 ECMP Load Balancing Method settings. The 5.2 Link Health Monitor definitions are now only available from the CLI.

WAN links

The basis for the configuration of the virtual WAN link is the set of interfaces that comprise it. As interfaces are added to the “wan-load-balance” interface, they are added to the calculations of the various algorithms used to do the load balancing.

  • While most of the load balancing algorithms are based on equal or weighted distribution, spillover relies on which interface is first in the sequence, so keep the order in mind when adding the interfaces.
  • Interfaces in the virtual WAN link can be disabled if work needs to be done on an interface without interfering with the performance of the link.
  • There is no requirement that the interfaces be those labeled on the hardware as WAN interfaces.
  • To help analyze the effectiveness of the algorithm being used and its configuration, the GUI shows a graphic representation of the bandwidth usage of the link.

Load balancing algorithm

Once the interfaces involved have been configured, the next step is to determine how the workload will be distributed. Five load balancing algorithms are available.

Bandwidth

This is a straightforward method of distributing the workload based on the amount of traffic going through the interfaces. An integer value assigns a weight to each interface. These weights are used to calculate the percentage of the total bandwidth that is directed to each interface.

Example:

  • There are 2 interfaces.
  • Interface #1 is assigned a weight of 5 because it is a 5 Mbps connection. (There is no requirement to match the weight to the capacity of the connection; it is just a simple way of accounting for the differing capacities in this case.)
  • Interface #2 is assigned a weight of 3 because it is a 3 Mbps connection.
  • The total weight is 8, so interface #1 gets 5/8 (62.5%) and interface #2 gets 3/8 (37.5%) of the traffic.

Sessions

The session algorithm is similar to the bandwidth algorithm in that it also uses an integer value to assign a weight to each interface. The difference is that the number of sessions connected is what is being measured and not the packets flowing through the interfaces.
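As an added illustration of the Bandwidth and Sessions algorithms described above (Python written for this page; the FortiGate's own scheduler is not published, so this is the generic weighted-distribution idea rather than FortiOS code), the following runs the handbook's 5:3 weighting through both algorithms and shows where they differ. Member names, weights and session sizes are constructed, and the function names are the example's own.

```python
"""Weighted WAN link selection: the Bandwidth and Sessions algorithms side by side.

Added example, not FortiOS code (the FortiGate's internal scheduler is not
published). Integer weights per member give each member weight/total of the
load; the two algorithms differ only in what they count (bytes vs. sessions).
Link names, weights and session sizes are constructed sample data. Sessions
are counted cumulatively here; a real device counts active sessions.
"""
from dataclasses import dataclass


@dataclass
class WanMember:
    name: str
    weight: int            # integer weight as configured on the member
    enabled: bool = True   # a disabled member drops out of the calculation
    sent_bytes: int = 0    # balanced by the Bandwidth algorithm
    sessions: int = 0      # balanced by the Sessions algorithm


def active_members(members):
    """Members that take part in the calculation (enabled, positive weight)."""
    act = [m for m in members if m.enabled and m.weight > 0]
    if not act:
        raise RuntimeError("no usable WAN member")
    return act


def expected_shares(members):
    """Share of load each member should receive: weight / total weight."""
    act = active_members(members)
    total = sum(m.weight for m in act)
    return {m.name: m.weight / total for m in act}


def _pick(members, load):
    """Weighted water-filling: send to the member with the least load per
    unit of weight; ties broken by name so the result is deterministic."""
    return min(active_members(members), key=lambda m: (load(m) / m.weight, m.name))


def pick_by_bandwidth(members):
    return _pick(members, lambda m: m.sent_bytes)


def pick_by_sessions(members):
    return _pick(members, lambda m: m.sessions)


def simulate(members, session_sizes, pick):
    """Assign each new session (given its byte size) with the chosen algorithm;
    return (session count, byte share) per member."""
    for size in session_sizes:
        m = pick(members)
        m.sessions += 1
        m.sent_bytes += size
    total = sum(m.sent_bytes for m in members)
    return {m.name: (m.sessions, m.sent_bytes / total) for m in members}


def example(pick, session_sizes):
    """The handbook's 5:3 example run through one of the algorithms."""
    members = [WanMember("wan1", 5), WanMember("wan2", 3)]
    return simulate(members, session_sizes, pick)


if __name__ == "__main__":
    uniform = [1000] * 800
    mixed = [200, 1800] * 400      # alternating small and large sessions
    print("expected:", expected_shares([WanMember("wan1", 5), WanMember("wan2", 3)]))
    print("bandwidth, uniform:", example(pick_by_bandwidth, uniform))
    print("bandwidth, mixed:  ", example(pick_by_bandwidth, mixed))
    print("sessions,  mixed:  ", example(pick_by_sessions, mixed))
```

With equal-sized sessions both algorithms give exactly 5/8 and 3/8. With mixed session sizes they diverge: the Sessions algorithm still splits session counts 5:3 but carries only about 52% of the bytes on the weight-5 link, while the Bandwidth algorithm keeps the byte share at 62.5% regardless of how sessions are sized. That is the practical difference when choosing between the two.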

(Screenshot: WAN Link Load Balancing Spillover)

Traffic Shaping Policies

New Traffic Shaper Policy Configuration Method (269943)

Previously, traffic shapers were configured in Policy & Objects > Objects > Traffic Shapers and then applied in security policies under Policy & Objects > Policy > IPv4. In FortiOS 5.4, traffic shapers are configured in a new traffic shaping section, Policy & Objects > Traffic Shapers.

The way that traffic shapers are applied to policies has changed significantly in 5.4, because there is now a specific section for traffic shaping policies in Policy & Objects > Traffic Shaping Policy. In the new traffic shaping policies, you must ensure that the Matching Criteria is the same as that of the security policy or policies you want to apply shaping to.

There is also added Traffic Shaper support based on the following:

  • Source (Address, Local Users, Groups)
  • Destination (Address, FQDN, URL or category)
  • Service (General, Web Access, File Access, Email and Network services, Authentication, Remote Access, Tunneling, VoIP, Messaging and other Applications, Web Proxy)
  • Application
  • Application Category
  • URL Category

Creating Application Control Shapers

Application Control Shapers were previously configured in the Security Profiles > Application Control section, but for simplicity they are now consolidated in the same section as the other two types of traffic shapers: Shared and Per-IP.

To create an Application Control Shaper, you must first enable application control at the policy level, in Policy & Objects > Policy > [IPv4 or IPv6]. Then you can create a matching application-based traffic shaping policy that will apply to it, in the new Traffic Shaping section under Policy & Objects > Traffic Shaping Policy.

New attributes added to “firewall shaping-policy” (277030) (275431)

The two new attributes are status and url-category. The status attribute enables or disables the shaping policy. The url-category attribute restricts the shaping policy to sessions in a given web filter category; when it is set to 0, the policy applies to sessions without a URL rating and no web filtering is applied.

Syntax:

config firewall shaping-policy
    edit 1
        set status enable
        set url-category [category ID number]
    next
end

New button added to “Clone” Shapers

You can now easily create a copy of an existing shaper by selecting the shaper and clicking the Clone button.

FortiClient Monitoring and Quarantine

FortiClient monitoring and quarantine is currently only supported by FortiClient 5.4 for Windows.

FortiSandbox uses a single signature to identify tens of thousands of variations of viral code. A FortiSandbox can send frequent, dynamic signature updates to a FortiGate and FortiClient, which allows files to be blocked before they are sent to the FortiSandbox.

With FortiSandbox, FortiClient, and FortiGate integration, you can configure a FortiGate to send files to FortiSandbox for scanning.

When FortiSandbox determines that a file is infected, it notifies the FortiGate of this event. The administrator can then quarantine the endpoint that downloaded the infected file from FortiView.

To support this, the FortiClient now supports host-level quarantine, which cuts off other network traffic from the endpoint directly, preventing it from infecting or scanning the local network.

When a device is under quarantine, FortiClient cannot be shut down or uninstalled. The user is also unable to unregister from the FortiGate that quarantined them, or to register to another FortiGate unit.

Alternatively, the FortiGate can release the file to the client before receiving the FortiSandbox scan results, and then have FortiClient quarantine the device when the results arrive, if required.