
DNS – FortiOS 6.2

DNS

Introduction

DNS (Domain Name System) is used by devices connecting to the Internet to locate websites by mapping a domain name to a website’s IP address. For example, a DNS server maps the domain name www.fortinet.com to the IP address 66.171.121.34.

A FortiGate can serve different roles based on user requirements:

  • A FortiGate can control which DNS servers the network uses.
  • A FortiGate can function as a DNS server.
  • FortiGuard Dynamic Domain Name Service (DDNS) allows a remote administrator to access a FortiGate’s Internet-facing interface using a domain name that remains constant even when its IP address changes.

FortiOS supports DNS configuration for both IPv4 and IPv6 addressing. When a user requests a website, the FortiGate looks to the configured DNS servers to provide the IP address of the website in order to know which server to contact to complete the transaction.

The FortiGate queries the DNS servers whenever it needs to resolve a domain name into an IP address, such as for NTP or web servers defined by their domain names.

FGT_A (dns) # set
*primary                  Primary DNS server IP address.
secondary                 Secondary DNS server IP address.
dns-over-tls              Enable/disable/enforce DNS over TLS.
ssl-certificate           Name of local certificate for SSL connections.
domain                    Search suffix list for hostname lookup.
ip6-primary               Primary DNS server IPv6 address.
ip6-secondary             Secondary DNS server IPv6 address.
timeout                   DNS query timeout interval in seconds (1 - 10).
retry                     Number of times to retry (0 - 5).
dns-cache-limit           Maximum number of records in the DNS cache.
dns-cache-ttl             Duration in seconds that the DNS cache retains information.
cache-notfound-responses  Enable/disable response from the DNS server when a record is not in cache.
source-ip                 IP address used by the DNS server as its source IP.

Important DNS commands

dns-over-tls

FortiOS 6.2 adds DNS over TLS (DoT) support. DoT (RFC 7858) wraps DNS queries and answers in a Transport Layer Security (TLS) session, so an on-path observer can neither read nor modify the FortiGate’s lookups.

FGT_A (dns) # set dns-over-tls
disable    Disable DNS over TLS.
enable     Use TLS for DNS queries if TLS is available.
enforce    Use only TLS for DNS queries. Does not fall back to unencrypted DNS queries if TLS is unavailable.

With enable, a resolver that does not answer on TCP port 853 silently downgrades the FortiGate to plaintext UDP port 53, so an attacker who can block that port gets cleartext DNS. Use enforce when the configured resolvers support DoT and a plaintext fallback is not acceptable; the FortiGate will then fail closed rather than leak queries.
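The following Python example is added here and is not part of the original page or of FortiOS; it shows what the three dns-over-tls settings mean on the wire. A DoT query is an ordinary DNS message with a two-octet length prefix sent inside a verified TLS session, and the only difference between enable and enforce is what happens when that TLS session cannot be established. The resolve() function takes the query functions as parameters so the fallback logic can be exercised without a network; the response bytes in SAMPLE_RESPONSE are constructed, not captured, and the resolver address used in the usage note is a placeholder.

```python
import secrets
import socket
import ssl
import struct

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, terminated by a zero octet."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid):
    """RFC 1035 header (RD=1, one question) followed by an A/IN question for name."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def frame_tcp(msg):
    """Over TCP and TLS every DNS message carries a two-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def _skip_name(buf, off):
    """Offset just past a name that may end in a compression pointer (two octets)."""
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_a_records(resp):
    """Return (txid, rcode, [IPv4 strings]) from a response message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return txid, flags & 0x000F, addrs

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection mid-message")
        buf += chunk
    return buf

def query_dot(name, server, port=853, timeout=5.0):
    """One query over TLS; create_default_context() verifies the resolver's certificate."""
    txid = secrets.randbits(16)
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_tcp(build_query(name, txid)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            rid, rcode, addrs = parse_a_records(_recv_exact(tls, length))
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return rcode, addrs

def query_udp(name, server, port=53, timeout=5.0):
    """Plaintext UDP/53 query: what an 'enable' fallback silently degrades to."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, port))
        rid, rcode, addrs = parse_a_records(s.recvfrom(4096)[0])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return rcode, addrs

def resolve(name, server, mode, dot=query_dot, udp=query_udp):
    """mode is 'disable', 'enable' or 'enforce', with the CLI option's meaning."""
    if mode == "disable":
        return udp(name, server)
    try:
        return dot(name, server)
    except OSError:                               # ssl.SSLError is an OSError too
        if mode == "enforce":
            raise                                 # fail closed: no plaintext fallback
        return udp(name, server)                  # 'enable': downgrade to UDP/53

# Constructed response (not captured from any resolver) to build_query("www.fortinet.com", 0x1234),
# carrying the A record quoted at the top of this page.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)            # QR, RD, RA set; RCODE 0
    + encode_name("www.fortinet.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)             # name pointer to offset 12
    + socket.inet_aton("66.171.121.34")
)
```

To try it against a real DoT resolver, call query_dot("www.fortinet.com", "<resolver-ip>") with an address of your own choosing; the TLS context verifies the certificate chain and the IP SAN, which is the property a plaintext UDP/53 fallback gives up.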

cache-notfound-responses

When cache-notfound-responses is enabled, DNS requests that return NOT FOUND are stored in the cache, and the DNS server is not asked again to resolve a host name that has a cached NOT FOUND entry until that entry expires.

config system dns
    set cache-notfound-responses enable
end

dns-cache-limit

This command sets how many DNS entries are stored in the cache. Entries that remain in the cache provide a quicker response to requests than going out to the Internet to get the same information.

config system dns
    set dns-cache-limit 2
end

FGT_A (dns) # set dns-cache-limit
dns-cache-limit    Enter an integer value from <0> to <4294967295> (default = <5000>).

dns-cache-ttl

This command sets how long, in seconds, entries remain in the cache.

DNS troubleshooting

The FortiGate CLI can collect the following DNS debug information:

FGT_A (global) # diagnose test application dnsproxy
worker idx: 0
1. Clear DNS cache
2. Show stats
3. Dump DNS setting
4. Reload FQDN
5. Requery FQDN
6. Dump FQDN
7. Dump DNS cache
8. Dump DNS DB
9. Reload DNS DB
10. Dump secure DNS policy/profile
11. Dump Botnet domain
12. Reload Secure DNS setting
13. Show Hostname cache
14. Clear Hostname cache
15. Show SDNS rating cache
16. Clear SDNS rating cache
17. DNS debug bit mask
18. Restart dnsproxy worker

The example below (option 3, Dump DNS setting) shows useful information about the configured DNS servers and the ongoing DNS connections.

Important fields include:

  • tls: 1 if the connection to that server uses TLS, 0 for a non-TLS connection.
  • rt: round-trip time of the DNS query, that is, the DNS latency.
  • probe: the number of probes sent to the server.

In the output below, the servers with ready=0 have sent nine probes without completing any request (req=0), so the FortiGate is not using them; 8.8.8.8 and 65.39.139.63 are ready and answering with low round-trip times. All servers show tls=0, so this FortiGate is sending its queries in plaintext.

FGT_A (global) # diagnose test application dnsproxy 3
worker idx: 0
vdom: root, index=0, is master, vdom dns is disabled, mip-169.254.0.1 dns_log=1 tls=0 cert= dns64 is disabled
vdom: vdom1, index=1, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert= dns64 is disabled
dns-server:208.91.112.220:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:8.8.8.8:53 tz=0 tls=0 req=73 to=0 res=73 rt=5 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:65.39.139.63:53 tz=0 tls=0 req=39 to=0 res=39 rt=1 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:62.209.40.75:53 tz=60 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:209.222.147.38:53 tz=-300 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:173.243.138.221:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:45.75.200.89:53 tz=0 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=-1
DNS FD: udp_s=12 udp_c=17:18 ha_c=22 unix_s=23, unix_nb_s=24, unix_nc_s=25 v6_udp_s=11, v6_udp_c=20:21, snmp=26, redir=13, v6_redir=14
DNS FD: tcp_s=29, tcp_s6=27, redir=31 v6_redir=32
FQDN: hash_size=1024, current_query=1024
DNS_DB: response_buf_sz=131072
LICENSE: expiry=2015-04-08, expired=1, type=2
FDG_SERVER:208.91.112.220:53
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=eb19, tz=-480, error_allow=0
FGD_REDIR_V4:208.91.112.55
FGD_REDIR_V6:
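Reading the dns-server lines by eye does not scale when the output is collected from many FortiGates, so here is an added Python example (not from the page or from Fortinet) that parses them and flags the conditions a practitioner cares about: a server that never becomes ready, queries timing out, and plaintext DNS when dns-over-tls was meant to be in force. The sample input is a copy of three of the dns-server lines above; the regular expression assumes the IPv4 form shown there.

```python
import re

# The dns-server lines quoted above (three of the seven), used here as sample input.
SAMPLE_OUTPUT = """\
dns-server:208.91.112.220:53 tz=-480 tls=0 req=0 to=0 res=0 rt=0 rating=1 ready=0 timer=37 probe=9 failure=0 last_failed=0
dns-server:8.8.8.8:53 tz=0 tls=0 req=73 to=0 res=73 rt=5 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:65.39.139.63:53 tz=0 tls=0 req=39 to=0 res=39 rt=1 rating=0 ready=1 timer=0 probe=0 failure=0 last_failed=0
"""

# Matches IPv4 servers as printed above; an IPv6 literal contains colons and would need
# a different split (assumption: this is the format 6.2 prints for IPv4 servers).
_SERVER = re.compile(r"^dns-server:(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<kv>.*)$")


def parse_servers(text):
    """One dict per dns-server line; every key=value counter becomes an int."""
    servers = []
    for line in text.splitlines():
        m = _SERVER.match(line.strip())
        if not m:
            continue  # vdom:, DNS_CACHE:, LICENSE: and similar lines are not servers
        fields = {k: int(v) for k, v in (kv.split("=", 1) for kv in m["kv"].split())}
        fields["host"], fields["port"] = m["host"], int(m["port"])
        servers.append(fields)
    return servers


def health_issues(servers, expect_tls=False):
    """Servers the FortiGate cannot use (ready=0), is losing queries to, or talks to in plaintext."""
    issues = []
    for s in servers:
        name = f"{s['host']}:{s['port']}"
        if s["ready"] != 1:
            issues.append(f"{name}: not ready (probe={s['probe']}, failure={s['failure']})")
        if s["to"] > 0:
            issues.append(f"{name}: {s['to']} of {s['req']} queries timed out")
        if expect_tls and s["tls"] != 1:
            issues.append(f"{name}: plaintext DNS although dns-over-tls is expected")
    return issues


if __name__ == "__main__":
    for issue in health_issues(parse_servers(SAMPLE_OUTPUT), expect_tls=True):
        print(issue)
```

Feed it the full output of diagnose test application dnsproxy 3 (for example, captured over SSH) and set expect_tls=True on units where set dns-over-tls enforce is the standard; a server listed with tls=0 there means the configuration or the resolver is not what you think it is.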

DNS proxy performance enhancement

For a FortiGate with multiple CPUs, version 6.2 adds a CLI command that sets the number of DNS proxy worker processes, from 1 up to the number of CPUs. The default is 1.

config system global
    set dnsproxy-worker-count 4
end

Note: The range of dnsproxy-worker-count is 1 to the number of CPUs that the FortiGate has.

To run the dnsproxy test commands against a specific worker, append the worker ID. The following example runs test option 7 on the second dnsproxy worker (worker ID 1). If you do not specify a worker ID, the default worker ID is 0.

# diagnose test application dnsproxy 7 1

Similarly, the following command enables debug on the second worker.

# diagnose debug application dnsproxy -1 1

You can also enable debug on all workers by specifying -1 as the worker ID.

# diagnose debug application dnsproxy -1 -1

DNS local domain list

End users who commonly use incomplete URLs without a domain (for example, http://host1) rely on the FortiGate’s DNS proxy to complete the name before resolving it. If the configured domain is company.com and the URL is http://host1, the DNS feature sends a request for host1.company.com to a DNS server to obtain the IP address. If you have local Microsoft domains on the network, enter the domain name in the Local Domain Name field. When the primary server, the secondary server and the local domain are all configured, the FortiGate first looks to the local domain and, if no match is found, sends the request to the external DNS servers.

Whenever a client requests a URL that does not include a fully qualified domain name (FQDN), the FortiGate resolves it by traversing the DNS suffix list and issuing a DNS query for each entry until the first match.

Sample configuration

To configure a FortiGate’s DNS domain list in the GUI:

  1. By default, the FortiGate is configured to use FortiGuard’s DNS servers: primary 208.91.112.53 and secondary 208.91.112.52.
  2. To configure the DNS server addresses, go to Network > DNS and select Specify, then enter the preferred DNS server addresses. For example: 172.16.200.1 as the primary DNS server and 172.16.200.2 as the secondary.
  3. Under Local Domain Name, enter the domains to search. The FortiGate supports a total of eight local domain entries.

To configure a FortiGate’s DNS domain list in the CLI:

Additional DNS configuration options are available in the CLI using the config system dns command.

New CLI commands added in 6.2 allow users to set up to eight domains. The retry and timeout values define how many attempts the FortiGate makes for a query in a particular domain and how long it waits for an answer before giving up on that domain.

FGT_B (dns) # set domain
*domain    DNS search domain list separated by space (maximum 8 domains)

config system dns
    set primary 172.16.200.1
    set domain "sample.com" "example.com" "domainname.com"
end

FG3H1E5818900749 (global) # config system dns
FG3H1E5818900749 (dns) # set
*primary                  Primary DNS server IP address.
secondary                 Secondary DNS server IP address.
domain                    Search suffix list for hostname lookup.
ip6-primary               Primary DNS server IPv6 address.
ip6-secondary             Secondary DNS server IPv6 address.
timeout                   DNS query timeout interval in seconds (1 - 10).
retry                     Number of times to retry (0 - 5).
dns-cache-limit           Maximum number of records in the DNS cache.
dns-cache-ttl             Duration in seconds that the DNS cache retains information.
cache-notfound-responses  Enable/disable response from the DNS server when a record is not in cache.
source-ip                 IP address used by the DNS server as its source IP.

FG3H1E5818900749 (dns) # set timeout
timeout    Enter an integer value from <1> to <10> (default = <5>).

FG3H1E5818900749 (dns) # set retry
retry      Enter an integer value from <0> to <5> (default = <2>).

DNS local domain example

In the example below, the search list resolves host1 to 1.1.1.1 and host2 to 2.2.2.2. The local DNS server has an entry for host1 under the FQDN host1.sample.com and a second entry for host2 under the FQDN host2.example.com; the FortiGate appends the configured domains in order until one of the resulting names resolves.

ping host1
PING host1.sample.com (1.1.1.1): 56 data bytes

ping host2
PING host2.example.com (2.2.2.2): 56 data bytes
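The traversal described above, as an added Python example (not from the page or from FortiOS): the search domains are the three from the sample configuration, the zone data is constructed from the ping output, and StubResolver, its fail_first behaviour and the rule that only names without a dot get the suffix list are assumptions made for the illustration. The retry parameter mirrors set retry (default 2). The resolver records every query it receives, which makes the cost of a long search list visible: a short name that exists nowhere generates one query per suffix, and each of those queries goes to the configured, possibly external, DNS servers.

```python
MAX_SEARCH_DOMAINS = 8                                           # 'set domain' accepts at most eight
SEARCH_DOMAINS = ["sample.com", "example.com", "domainname.com"]  # the page's sample configuration

# Constructed zone data: what the local DNS server in the page's example knows.
LOCAL_ZONE = {"host1.sample.com": "1.1.1.1", "host2.example.com": "2.2.2.2"}


class StubResolver:
    """Records every query so the traversal order is visible. fail_first simulates a
    server that times out that many times before answering (assumed behaviour)."""

    def __init__(self, zone, fail_first=0):
        self.zone, self.queries, self.fail_first = zone, [], fail_first

    def query(self, fqdn):
        self.queries.append(fqdn)
        if self.fail_first:
            self.fail_first -= 1
            raise TimeoutError(fqdn)
        return self.zone.get(fqdn)                # None plays the role of NXDOMAIN


def resolve_with_search(name, resolver, domains=SEARCH_DOMAINS, retry=2):
    """Return (fqdn, ip) for the first suffix that resolves, or None if none does.

    Each candidate is attempted retry + 1 times (as 'set retry' counts) before the
    suffix is abandoned and the next one in the list is tried.
    """
    if len(domains) > MAX_SEARCH_DOMAINS:
        raise ValueError("FortiOS allows at most eight search domains")
    # Assumption for this example: only unqualified names (no dot) get the suffix list.
    candidates = [name] if "." in name else [f"{name}.{d}" for d in domains]
    for fqdn in candidates:
        ip = None
        for _ in range(retry + 1):
            try:
                ip = resolver.query(fqdn)
                break
            except TimeoutError:
                continue                           # retry the same suffix
        if ip:
            return fqdn, ip
    return None


if __name__ == "__main__":
    r = StubResolver(LOCAL_ZONE)
    print(resolve_with_search("host2", r), r.queries)
```

The first query for host2 goes out as host2.sample.com and fails before host2.example.com succeeds, which is why the order of the domain list matters and why the list should hold only domains you actually own.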

Using FortiGate as a DNS server

This topic provides the following sample configurations:

  • Using a DNS server to resolve internal and external requests
  • Using an internal DNS server for internal requests and a public DNS server for external requests

You can also create local DNS servers for your network. Depending on your requirements, you can manually maintain your entries (master DNS server) or use the FortiGate as a jumping point that refers to an outside source (slave DNS server).

In version 6.2, the FortiGate as a DNS server also supports TLS connections from DNS clients.

Sample configuration about DNS servers

This section describes how to set up a FortiGate as a DNS server that resolves internal and external requests.

To configure FortiGate as a DNS server using the GUI:

  1. Ensure the DNS Database feature is visible: go to System > Feature Visibility and ensure DNS Database is enabled.
  2. Add the DNS entry to the FortiGate DNS server:
    1. Go to Network > DNS Servers.
    2. Under DNS Database, click Create New.
      • For Type, select Master.
      • For View, select Shadow. View controls the accessibility of the DNS server: if you select Public, external users can access or use the DNS server; if you select Shadow, only internal users can use it.
      • Enter a DNS Zone,  for example, WebServer.
      • Enter the Domain Name of the zone, for example, com.
      • Enter the Hostname of the DNS server, for example, Corporate.
      • Enter the Contact Email Address for the administrator, for example, admin@example.com.
      • Disable Authoritative.
      • Click OK.
    3. Under DNS Entries, click Create New.
      • Select the Type, for example, Address (A).
      • Enter the Hostname, for example, example.
      • Specify the remaining fields depending on the Type you select.
      • Click OK.
  3. Enable the DNS service on the interface:
    1. Go to Network > DNS Servers.
    2. Under DNS Service, click Create New.
      • Select the Interface.
      • For Mode, select Recursive.
      • Click OK.

To configure FortiGate as a DNS server using the CLI:

config system dns-database
    edit "example"
        set domain "fortinet.com"
        config dns-entry
            edit 1
                set hostname "example"
                set ip 2.3.3.4
            next
        end
        set primary-name "Corporate"
        set contact "admin@example.com"
    next
end

To configure the DNS service on an interface using the CLI:

config system dns-server
    edit wan1
        set mode recursive
    next
end

A recursive DNS service on an Internet-facing interface such as wan1 answers lookups for any name from anyone who can reach that interface, which makes the FortiGate an open resolver that can be abused for reflection and amplification. Keep internal zones in Shadow view, and use Recursive mode on a WAN interface only when that exposure is intended; Non-recursive or Forward to system DNS limits what outside clients can ask for.

Run dig to query the FortiGate DNS server. dig (Domain Information Groper) is a Unix-like network administration command line tool for querying DNS servers.

root@PC05:~# dig @172.16.200.1 example.fortinet.com

; <<>> DiG 9.11.0-P1 <<>> @172.16.200.1 example.fortinet.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51137
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.fortinet.com.          IN      A

;; ANSWER SECTION:
example.fortinet.com.   86400   IN      A       2.3.3.4

;; Query time: 0 msec
;; SERVER: 172.16.200.1#53(172.16.200.1)
;; WHEN: Thu Jan 10 10:24:01 PST 2019
;; MSG SIZE  rcvd: 54
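When this check is repeated after every change to the DNS database, it is worth automating. The following Python example is added here and is not part of the page or of FortiOS: it parses dig’s text output (the sample input is a copy of the output above) and verifies that the FortiGate answered NOERROR, that the aa flag is set, meaning the record was served from the FortiGate’s own zone rather than learned through recursion or a forwarder, and that the A record carries the expected address.

```python
import re

# The dig output shown on this page, copied as the sample input.
DIG_OUTPUT = """\
; <<>> DiG 9.11.0-P1 <<>> @172.16.200.1 example.fortinet.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51137
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.fortinet.com.          IN      A

;; ANSWER SECTION:
example.fortinet.com.   86400   IN      A       2.3.3.4

;; Query time: 0 msec
;; SERVER: 172.16.200.1#53(172.16.200.1)
;; WHEN: Thu Jan 10 10:24:01 PST 2019
;; MSG SIZE  rcvd: 54
"""


def parse_dig(text):
    """Extract status, header flags, the answering server and the ANSWER records."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r";; flags: ([^;]*);", text).group(1).split())
    server = re.search(r";; SERVER: (\S+)", text).group(1)
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break                                  # blank line or next section ends it
            name, ttl, rclass, rtype, data = line.split(None, 4)
            answers.append({"name": name.rstrip("."), "ttl": int(ttl),
                            "class": rclass, "type": rtype, "data": data.strip()})
    return {"status": status, "flags": flags, "server": server, "answers": answers}


def check_authoritative_answer(text, name, expected_ip):
    """Problems with the answer; an empty list means the FortiGate zone served the expected record."""
    d = parse_dig(text)
    problems = []
    if d["status"] != "NOERROR":
        problems.append(f"status {d['status']}")
    if "aa" not in d["flags"]:
        problems.append("no aa flag: the answer did not come from the local zone file")
    got = [a["data"] for a in d["answers"] if a["type"] == "A" and a["name"] == name]
    if got != [expected_ip]:
        problems.append(f"expected A {expected_ip}, got {got}")
    return problems


if __name__ == "__main__":
    print(check_authoritative_answer(DIG_OUTPUT, "example.fortinet.com", "2.3.3.4"))
```

Run the same check from a host outside the network against a Shadow-view zone: the query should fail or be refused, and a NOERROR answer there means the view is exposing internal names to the Internet.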

Sample configuration about internal and public DNS servers

This section describes how to set up a FortiGate to use an internal DNS server for resolving internal requests and a public DNS server for resolving external requests.

To configure FortiGate using the CLI:

  1. Set up a forwarder for the DNS database. In this example, the internal server 172.16.100.100 resolves the domain fortinet.com:

config system dns-database
    edit "corp"
        set domain "fortinet.com"
        set authoritative disable
        set forwarder "172.16.100.100"
    next
end

  2. Set up a listening interface. In this example, the DNS service listens on wan1, the interface the clients reach:

FGT_A (dns-server) # show
config system dns-server
    edit "wan1"
    next
end

  3. Set the system DNS to 8.8.8.8 for all other queries:

config system dns
    set primary 8.8.8.8
end

Technical information

The Type of the DNS Database Zone can be one of the following:

  • A Master zone is an editable version of a zone.
  • A Slave zone is a synchronized read-only copy from another DNS server that holds the master zone.

The View of the DNS Database Zone can be one of the following:

  • Public view is usually a general (outside) view of a DNS zone.
  • Shadow view presents a different view of a zone to local networks; a shadow view might contain different IPs and names than the public view.

The DNS Database Zone can be one of the following categories:

  • An Authoritative zone claims to hold all existing entries concerning this zone. A DNS server holding an authoritative zone serves requests for this zone only from its local zone file; it does not perform additional recursive requests, such as asking other defined DNS servers for zone records that do not exist in this zone file.
  • An Unauthoritative zone serves the records it holds in the local zone file and performs recursive requests to other defined DNS servers for names that match the zone but are not listed in the local zone file.

The Mode of the DNS Service can be one of the following:

  • Recursive: the DNS server performs DNS lookups to other defined DNS servers for any requests it cannot fulfill from local zone files.
  • Non-recursive: the DNS server serves only from local zone files.
  • Forward to system DNS: the query is forwarded to the FortiGate’s configured system DNS.

FortiGuard DDNS

If your ISP changes your external IP address regularly and you have a static domain name, you can configure the external interface to use a dynamic DNS (DDNS) service. This ensures that external users and customers can always connect to your company firewall. If you have a FortiGuard subscription, you can use FortiGuard as the DDNS server.

You can configure FortiGuard as the DDNS server using the GUI or CLI.

Sample topology

Sample configuration

To configure FortiGuard as a DDNS server in the FortiGate using the GUI:

  1. Go to Network > DNS and enable FortiGuard DDNS.
  2. Select the Interface with the dynamic connection.
  3. Specify the other fields.

To configure FortiGuard as a DDNS server in the FortiGate using the CLI:

config system fortiguard
    set ddns-server-ip <ip>
    set ddns-server-port <port>
end

If you don’t have a FortiGuard subscription or want to use a different DDNS server, you can configure DDNS in the CLI. You can configure DDNS for each interface. Only the first configured port appears in the FortiGate GUI. Additional commands vary depending on the DDNS server you select. Use the following CLI commands:

config system ddns
    edit <DDNS_ID>
        set monitor-interface <external_interface>
        set ddns-server <ddns_server_selection>
    next
end

You can configure the FortiGate to refresh DDNS IP addresses: the FortiGate periodically checks the DDNS server that is configured.

To configure FortiGate to refresh DDNS IP addresses using the CLI:

config system ddns
    edit <1>
        set ddns-server FortiGuardDDNS
        set use-public-ip enable
        set update-interval <seconds>
    next
end

The possible values for update-interval are 60 to 2592000 seconds, and the default is 300 seconds.

When clear-text is disabled, the FortiGate uses an SSL connection to send and receive DDNS updates, so the update traffic is not sent in plaintext.

To disable clear text and set the SSL certificate using the CLI:

config system ddns
    set clear-text disable
    set ssl-certificate <cert_name>
end

A DHCP server has an override option that allows the DHCP server to perform DDNS updates on behalf of the DHCP client. This enforces a DDNS update of the AA field every time, even if the DHCP client does not request it, and allows the allow/ignore/deny client-updates options to be supported.

To enable DDNS update override using the CLI:

config system dhcp server
    edit <0>
        set ddns-update-override enable
    next
end


FortiView – FortiOS 6.2

FortiView

FortiView from disk

Prerequisites

All FortiGates with an SSD disk.

Restrictions

  • Desktop models (for example, below the 100D) with SSD support only the five-minute and one-hour views.
  • Medium models (for example, 200D, 500D) with SSD support up to the 24-hour view.
  • Large models (for example, 1500D and above) with SSD support up to the seven-day view.

For the seven-day view, confirm that the setting is enabled:

config log setting
    set fortiview-weekly-data enable
end

Configuration

A firewall policy must be in place with traffic logging enabled. For best operation with FortiView, internal interface roles should be clearly defined as LAN or DMZ, and Internet-facing or external interface roles should be defined as WAN.

To enable FortiView from Disk:

  1. Enable disk logging from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Disk.
  2. Enable historical FortiView from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Enable Historical FortiView.
  3. Click Apply.

To include sniffer traffic and local-deny traffic in FortiView from Disk:

This feature is only supported through the CLI.

config report setting
    set report-source forward-traffic sniffer-traffic local-deny-traffic
end

Source View

Top Level

Sample entry:

Time
  • Realtime (Now) entries are determined by the FortiGate’s system session list.
  • Historical (5 minutes and later) entries are determined by traffic logs, with additional information coming from UTM logs.

Graph
  • The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  • Users can customize the time frame by selecting a time period within the graph.

Bubble Chart
  • The bubble chart shows the same information as the table, but in a different graphical manner.

Columns
  • Source shows the IP address (and the user, as well as the user avatar if configured) of the source device.
  • Device shows the device information as listed in User & Device > Device Inventory. Device detection should be enabled on the applicable interfaces for best function.
  • Threat Score is the threat score of the source based on UTM features such as web filter and antivirus. It shows threat scores allowed and threat scores blocked.
  • Bytes is the accumulated bytes sent/received. In realtime, this is calculated from the session list; in historical, it comes from logs.
  • Sessions is the total sessions blocked/allowed. In realtime, this is calculated from the session list; in historical, it comes from logs.
  • Source (second column) is a simplified version of the first column, including only the IP address without extra information.
  • Source Interface is the interface from which the traffic originates. In realtime, this is calculated from the session list; in historical, it comes from the logs.
  • More information can be shown in a tooltip while hovering over these entries.
  • For realtime, two more columns are available, Bandwidth and Packets, both of which come from the session list.

Drilldown Level

Sample entry:

Graph
  • The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  • Users can customize the time frame by selecting a time period within the graph.

Summary Information
  • Shows information such as the user/avatar, source IP, bytes, and total sessions for the time period.
  • Can quarantine the host (access layer quarantine) if it is behind a FortiSwitch or FortiAP.
  • Can ban IP addresses, which adds the source IP address to the quarantine list.

Tabs
  • Drilling down entries in any of these tabs (except the Sessions tab) takes you to the underlying traffic log in the Sessions tab.
  • Applications shows a list of the applications attributed to the source IP. This can include scanned applications (using application control in a firewall policy) or unscanned applications. Unscanned applications are shown only when the following setting is enabled:

config log gui-display
    set fortiview-unscanned-apps enable
end

  • Destinations shows destinations grouped by IP address/FQDN.
  • Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, web filter, application control, and so on.
  • Web Sites contains the websites that were detected either with web filter or through the FQDN in traffic logs.
  • Web Categories groups entries into their categories as dictated by the Web Filter database.
  • Search Phrases shows search phrases on search engines captured by a web filter UTM profile, with deep inspection enabled in the firewall policy.
  • Policies groups the entries by which policies they passed through or were blocked by.
  • Sessions shows the underlying logs (historical) or sessions (realtime). Drilldowns from other tabs end up showing the underlying log located in this tab.
  • More information can be shown in a tooltip while hovering over these entries.

Troubleshooting

  • Use diagnose debug application httpsd -1 to check which filters were passed through httpsd.

For example:

[httpsd 3163 - 1546543360 info] api_store_parameter[227] -- add API parameter 'filter': '{ "source": "10.1.100.30", "application": "TCP\/5228", "srcintfrole": [ "lan", "dmz", "undefined" ] }' (type=object)

  • Use diagnose debug application miglogd 0x70000 to check what SQL command is passed to the underlying SQL database.

For example:

fortiview_request_data()-898: total:31 start:1546559580 end:1546563179

_dump_sql()-799: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0) from (select timestamp-(timestamp%60) timestamp1 ,sum(case when passthrough<>'block' then sessioncount else 0 end) ses_al,sum(case when passthrough='block' then sessioncount else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s from grp_traffic_all_src where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) a left join (select timestamp-(timestamp%60) timestamp1 ,sum(case when threat_level=1 then crscore else 0 end) sc_l,sum(case when threat_level=2 then crscore else 0 end) sc_m,sum(case when threat_level=3 then crscore else 0 end) sc_h,sum(case when threat_level=4 then crscore else 0 end) sc_c from grp_threat where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) b on a.timestamp1 = b.timestamp1; takes 40(ms), agggr:0(ms)

Note that these two samples come from different requests: the httpsd filter is for source 10.1.100.30, while the SQL above filters srcip 10.1.100.11. When troubleshooting a missing or wrong FortiView entry, capture both debugs for the same request and confirm that every field of the GUI filter appears in the SQL WHERE clause.

  • Use execute report flush-cache and execute report recreate-db to clear up any irregularities that may be caused by upgrading or cache issues.

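The comparison just described, as an added Python example that is not part of the page or of FortiOS: it extracts the filter JSON from the httpsd debug line and the SQL text from the miglogd line, pulls the values of the srcip and srcintfrole IN-lists out of the WHERE clause, and reports any filter field the SQL does not reflect. The two sample lines are constructed from the ones above, with the SQL abbreviated and the quotes normalised to plain ASCII; run on them, the check reports the source mismatch noted above.

```python
import json
import re

# Constructed from the two debug lines shown above: the SQL is abbreviated and the
# quotes are plain ASCII; the filter and srcip values are the ones on the page.
HTTPSD_LINE = (
    "[httpsd 3163 - 1546543360 info] api_store_parameter[227] -- add API parameter "
    "'filter': '{ \"source\": \"10.1.100.30\", \"application\": \"TCP\\/5228\", "
    "\"srcintfrole\": [ \"lan\", \"dmz\", \"undefined\" ] }' (type=object)"
)
MIGLOGD_LINE = (
    "_dump_sql()-799: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_bk,r,s "
    "from (select timestamp-(timestamp%60) timestamp1 ,sum(rcvdbyte) r,sum(sentbyte) s "
    "from grp_traffic_all_src where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 "
    "AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') "
    "group by timestamp1 ) a; takes 40(ms), agggr:0(ms)"
)


def parse_httpsd_filter(line):
    """Return the 'filter' API parameter as a dict, or None if the line carries none."""
    m = re.search(r"add API parameter 'filter': '(\{.*\})'", line)
    return json.loads(m.group(1)) if m else None


def parse_miglogd_sql(line):
    """Return the dataset name, the SQL text and the reported execution time in ms."""
    m = re.search(r"dataset=(\S+), sql:(.*?); takes (\d+)\(ms\)", line)
    if not m:
        return None
    return {"dataset": m.group(1), "sql": m.group(2), "ms": int(m.group(3))}


def sql_in_list(sql, column):
    """Values of a `column in ('a','b')` predicate, in order; [] if the predicate is absent."""
    m = re.search(rf"\b{re.escape(column)} in \(([^)]*)\)", sql, re.IGNORECASE)
    return [v.strip().strip("'") for v in m.group(1).split(",")] if m else []


def filter_mismatches(flt, sql):
    """Filter fields the GUI sent that the SQL WHERE clause does not reflect."""
    out = []
    if flt.get("source") and sql_in_list(sql, "srcip") != [flt["source"]]:
        out.append(f"source {flt['source']} vs SQL srcip {sql_in_list(sql, 'srcip')}")
    if flt.get("srcintfrole") and sql_in_list(sql, "srcintfrole") != flt["srcintfrole"]:
        out.append(f"srcintfrole {flt['srcintfrole']} vs SQL {sql_in_list(sql, 'srcintfrole')}")
    return out


if __name__ == "__main__":
    flt = parse_httpsd_filter(HTTPSD_LINE)
    query = parse_miglogd_sql(MIGLOGD_LINE)
    print(query["dataset"], f"{query['ms']} ms", filter_mismatches(flt, query["sql"]))
```

In practice you would tee both debug outputs to files while reproducing the FortiView request once, then feed each httpsd line and the following miglogd line to these functions; the ms value is also a quick way to spot the dataset queries that make a view slow.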

Security Fabric over IPsec VPN – FortiOS 6.2

Security Fabric over IPsec VPN

This recipe provides an example of configuring the Security Fabric over IPsec VPN.

The following sample topology shows a downstream FortiGate (HQ2) connected to the root FortiGate (HQ1) over IPsec VPN to join the Security Fabric.

To configure the root FortiGate (HQ1):

  1. Configure the interfaces:
    1. In the root FortiGate (HQ1), go to Network > Interfaces.
    2. Edit port2:
      • Set Role to WAN.
      • For the interface connected to the Internet, set the IP/Network Mask to 2.200.1/255.255.255.0.
    3. Edit port6:
      • Set Role to DMZ.
      • For the interface connected to the FortiAnalyzer, set the IP/Network Mask to 168.8.250/255.255.255.0.
  2. Configure the static route to connect to the Internet:
    1. Go to Network > Static Routes and click Create New.
      • Set Destination to 0.0.0.0/0.0.0.0.
      • Set Interface to port2.
      • Set Gateway Address to 2.200.2.
  3. Configure the IPsec VPN:
    1. Go to VPN > IPsec Wizard.
      • Set VPN Name to To-HQ2.
      • Set Template Type to Custom.
      • Click Next.
      • Set Authentication Method to Pre-shared Key.
      • Set Pre-shared Key to 123456.
    2. Leave all other fields at their default values and click OK.
  4. Configure the IPsec VPN interface IP address that will be used to form the Security Fabric:
    1. Go to Network > Interfaces.
    2. Edit To-HQ2:
      • Set Role to LAN.
      • Set the IP/Network Mask to 10.10.10.1/255.255.255.255.
      • Set Remote IP/Network Mask to 10.10.10.3/255.255.255.0.
  5. Configure the IPsec VPN local and remote subnets:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New.
      • Set Name to To-HQ2_local_subnet_1.
      • Set Type to Subnet.
      • Set IP/Network Mask to 168.8.0/24.
      • Click OK.
    3. Click Create New.
      • Set Name to To-HQ2_remote_subnet_1.
      • Set Type to Subnet.
      • Set IP/Network Mask to 10.1.100.0/24.
      • Click OK.
    4. Click Create New.
      • Set Name to To-HQ2_remote_subnet_2.
      • Set Type to Subnet.
      • Set IP/Network Mask to 10.10.10.3/32.
      • Click OK.
  6. Configure the IPsec VPN static routes:
    1. Go to Network > Static Routes and click Create New.
      • For Destination, select Named Address and choose To-HQ2_remote_subnet_1.
      • Set Interface to To-HQ2.
      • Click OK.
    2. Click Create New.
      • For Destination, select Named Address and choose To-HQ2_remote_subnet_1.
      • Set Interface to Blackhole.
      • Set Administrative Distance to 254.
      • Click OK.
  7. Configure the IPsec VPN policies:
    1. Go to Policy & Objects > IPv4 Policy and click Create New.
      • Set Name to vpn_To-HQ2_local.
      • Set Incoming Interface to port6.
      • Set Outgoing Interface to To-HQ2.
      • Set Source to To-HQ2_local_subnet_1.
      • Set Destination to To-HQ2_remote_subnet_1.
      • Set Schedule to Always.
      • Set Service to All.
      • Disable NAT.
    2. Click Create New.
      • Set Name to vpn_To-HQ2_remote.
      • Set Incoming Interface to To-HQ2.
      • Set Outgoing Interface to port6.
      • Set Source to To-HQ2_remote_subnet_1 and To-HQ2_remote_subnet_2.
      • Set Destination to To-HQ2_local_subnet_1.
      • Set Schedule to Always.
      • Set Service to All.
      • Enable NAT.
      • Set IP Pool Configuration to Use Outgoing Interface Address.
  8. Configure the Security Fabric:
    1. Go to Security Fabric > Settings.
      • Enable FortiGate Telemetry.
      • Set Group name to Office-Security-Fabric.
      • In FortiTelemetry enabled interfaces, add the VPN interface To-HQ2.
      • Set IP address to the FortiAnalyzer IP of 168.8.250.

After FortiGate Telemetry is enabled, FortiAnalyzer Logging is enabled automatically and Upload is set to Real Time.

The blackhole route with administrative distance 254 ensures that traffic for the remote subnet is dropped rather than sent out the default route while the tunnel is down. The pre-shared key 123456 is a placeholder for the example; because this tunnel carries Fabric telemetry and management traffic between the FortiGates, use a long random key in production.

To configure the downstream FortiGate (HQ2):

  1. Configure the interfaces:
    1. Go to Network > Interfaces.
    2. Edit interface wan1:
      • Set Role to WAN.
      • For the interface connected to the Internet, set the IP/Network Mask to 168.7.3/255.255.255.0.
    3. Edit interface vlan20:
      • Set Role to LAN.
      • For the interface connected to the local endpoint clients, set the IP/Network Mask to 10.1.100.3/255.255.255.0.
  2. Configure the static route to connect to the Internet:
    1. Go to Network > Static Routes and click Create New.
      • Set Destination to 0.0.0.0/0.0.0.0.
      • Set Interface to wan1.
      • Set Gateway Address to 168.7.2.
  3. Configure the IPsec VPN:
    1. Go to VPN > IPsec Wizard.
      • Set VPN Name to To-HQ1.
      • Set Template Type to Custom.
      • Click Next.
      • Under Network, set IP Address to 2.200.1 (the HQ1 port2 address).
      • Set Interface to wan1.
      • Set Authentication Method to Pre-shared Key.
      • Set Pre-shared Key to 123456 (the same key configured on HQ1).
    2. Leave all other fields at their default values and click OK.
  4. Configure the IPsec VPN interface IP address that will be used to form the Security Fabric:
    1. Go to Network > Interfaces.
    2. Edit To-HQ1:
      • Set Role to WAN.
      • Set the IP/Network Mask to 10.10.10.3/255.255.255.255.
      • Set Remote IP/Network Mask to 10.10.10.1/255.255.255.0.
  5. Configure the IPsec VPN local and remote subnets:
    1. Go to Policy & Objects > Addresses.
    2. Click Create New.
      • Set Name to To-HQ1_local_subnet_1.
      • Set Type to Subnet.
      • Set IP/Network Mask to 10.1.100.0/24.
      • Click OK.
    3. Click Create New.
      • Set Name to To-HQ1_remote_subnet_1.
      • Set Type to Subnet.
      • Set IP/Network Mask to 168.8.0/24.
      • Click OK.
  6. Configure the IPsec VPN static routes:
    1. Go to Network > Static Routes and click Create New.
      • For Destination, select Named Address and choose To-HQ1_remote_subnet_1.
      • Set Interface to To-HQ1.
      • Click OK.
    2. Click Create New.
      • For Destination, select Named Address and choose To-HQ1_remote_subnet_1.
      • Set Interface to Blackhole.
      • Set Administrative Distance to 254.
      • Click OK.
  7. Configure the IPsec VPN policies:
    1. Go to Policy & Objects > IPv4 Policy and click Create New.
      • Set Name to vpn_To-HQ1_local.
      • Set Incoming Interface to vlan20.
      • Set Outgoing Interface to To-HQ1.
      • Set Source to To-HQ1_local_subnet_1.
      • Set Destination to To-HQ1_remote_subnet_1.
      • Set Schedule to Always.
      • Set Service to All.
      • Disable NAT.
    2. Click Create New.
      • Set Name to vpn_To-HQ1_remote.
      • Set Incoming Interface to To-HQ1.
      • Set Outgoing Interface to vlan20.
      • Set Source to To-HQ1_remote_subnet_1.
      • Set Destination to To-HQ1_local_subnet_1.
      • Set Schedule to Always.
      • Set Service to All.
      • Disable NAT.
  8. Configure the Security Fabric:
    1. Go to Security Fabric > Settings.
      • Enable FortiGate Telemetry.
      • Enable Connect to upstream FortiGate.
      • Set FortiGate IP to 10.10.10.1.

After FortiGate Telemetry is enabled, FortiAnalyzer Logging is enabled automatically. The FortiAnalyzer settings are retrieved from the root FortiGate (HQ1) when the downstream FortiGate (HQ2) connects to it.

To authorize the downstream FortiGate (HQ2) on the root FortiGate (HQ1):

  1. In the root FortiGate (HQ1), go to Security Fabric > Settings. The Topology field highlights the connected FortiGate (HQ2) with its serial number and asks you to authorize the highlighted device.
  2. Confirm that the serial number is the device you expect, then select the highlighted FortiGate and select Authorize. Authorization is what admits the device to the Fabric, so do not authorize a serial number you cannot account for.

After authorization, the downstream FortiGate (HQ2) appears in the Topology field in Security Fabric > Settings. This means the downstream FortiGate (HQ2) has successfully joined the Security Fabric.

To check Security Fabric over IPsec VPN:

  1. On the root FortiGate (HQ1), go to Security Fabric > Physical Topology. The root FortiGate (HQ1) is connected to the downstream FortiGate (HQ2) with a VPN icon in the middle.
  2. On the root FortiGate (HQ1), go to Security Fabric > Logical Topology. The root FortiGate (HQ1) VPN interface To-HQ2 is connected to the downstream FortiGate (HQ2) VPN interface To-HQ1 with a VPN icon in the middle.

To run diagnose commands:

  1. Run the diagnose sys csf authorization pending-list command in the root FortiGate (HQ1) to show the downstream FortiGate pending for root FortiGate authorization:

HQ1 # diagnose sys csf authorization pending-list
Serial                  IP Address      HA-Members      Path
————————————————————————————
FG101ETK18002187        0.0.0.0                         FG3H1E5818900718:FG101ETK18002187

  2. Run the diagnose sys csf downstream command in the root FortiGate (HQ1) to show the downstream FortiGate (HQ2) after it joins Security Fabric:

HQ1 # diagnose sys csf downstream
1:    FG101ETK18002187 (10.10.10.3) Management-IP: 0.0.0.0 Management-port:0 parent:FG3H1E5818900718 path:FG3H1E5818900718:FG101ETK18002187
data received: Y downstream intf:To-HQ1 upstream intf:To-HQ2 admin-port:443 authorizer:FG3H1E5818900718

  3. Run the diagnose sys csf upstream command in the downstream FortiGate (HQ2) to show the root FortiGate (HQ1) after the downstream FortiGate joins Security Fabric:

HQ2 # diagnose sys csf upstream
Upstream Information:
Serial Number:FG3H1E5818900718
IP:10.10.10.1
Connecting interface:To-HQ1
Connection status:Authorized

Viewing and controlling network risks via topology view

This recipe shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security Fabric > Logical Topology view.

In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another FortiSwitch (Access).

This recipe consists of the following steps:

  1. Configure the root FortiGate.
  2. Configure the downstream FortiGate.
  3. Authorize the downstream FortiGate on the root FortiGate.
  4. Authorize Security Fabric FortiGates on the FortiAnalyzer.
  5. View the compromised endpoint host.
  6. Quarantine the compromised endpoint host.
  7. Run diagnose commands.

To configure the root FortiGate:

  1. Configure the interface:
    1. In FortiOS on the downstream FortiGate, go to Network > Interfaces.
    2. Edit port4. Set the role to WAN and set the IP/Network Mask to 192.168.5.2/255.255.255.0 for the interface that is connected to the Internet.
    3. Edit port6. Set the role to DMZ and set the IP/Network Mask to 192.168.8.2/255.255.255.0 for the interface which is connected to FortiAnalyzer.
    4. Edit port5. Set the Addressing mode to Dedicated to the FortiSwitch for the interface which is connected to the Distribution FortiSwitch.
    5. Return to Network > Interfaces and click Create New. For the new interface, set the name to vlan70, Type to VLAN, Interface to port5, VLAN ID to 70, Role to LAN, and IP/Network Mask to 192.168.7.2/255.255.255.0.
  2. Authorize the Distribution FortiSwitch:
    1. Go to WiFi & Switch Controller > Managed FortiSwitch.
    2. Click the FortiGate icon, then click Edit. Set the Name to Distribution-Switch, enable the Authorized option, then click OK.
    3. Click the FortiSwitch port1 icon. For port1’s Native VLAN, select vlan70.
  3. Configure the default static route to connect to the root FortiGate. Go to Network > Static Routes. Set the Destination to 0.0.0.0/0.0.0.0, select port4 as the Interface, and set the Gateway Address as 192.168.5.254.
  4. Configure the Security Fabric:
    1. Go to Security Fabric > Settings.
    2. Enable FortiGate Telemetry.
    3. Configure a group name.
    4. In FortiTelemetry enabled interfaces, add vlan70.
    5. FortiAnalyzer logging is enabled and the Upload option is set to Real Time after FortiGate Telemetry is enabled. Set the IP address to the FortiAnalyzer IP address, which in this example is 192.168.8.250. FortiAnalyzer settings will be retrieved when the downstream FortiGate connects to the root FortiGate.
  5. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the policy as follows:
    1. Set the Name to Access-internet1.
    2. Set the Source Interface to vlan70 and the Destination Interface to port4.
    3. Set the Source Address to all and the Destination Address to all.
    4. Set the Action to ACCEPT.
    5. Set the Schedule to Always.
    6. Set the Service to ALL.
    7. Enable NAT.
    8. Set the IP Pool Configuration to Use Outgoing Interface Address.
  6. Create an address for the FortiAnalyzer:
    1. Go to Policy & Objects > Addresses. Click Create New, then Address.
    2. Set the Name to FAZ-addr.
    3. Set the Type to Subnet.
    4. Set the Subnet/IP Range to 192.168.8.250/32.
    5. Set the Interface to Any.
  7. Create a policy for the downstream FortiGate to access the FortiAnalyzer. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the policy as follows:
    1. Set the Name to Access-Resources.
    2. Set the Source Interface to vlan70 and the Destination Interface to port6.
    3. Set the Source Address to all and the Destination Address to FAZ-addr.
    4. Set the Action to ACCEPT.
    5. Set the Schedule to Always.
    6. Set the Service to ALL.
    7. Enable NAT.
    8. Set the IP Pool Configuration to Use Outgoing Interface Address.

To configure the downstream FortiGate:

  1. Configure the interface:
    1. In FortiOS on the downstream FortiGate, go to Network > Interfaces.
    2. Edit wan1. Set the role to WAN and set the IP/Network Mask to 192.168.7.3/255.255.255.0 for the interface that is connected to the root FortiGate.
    3. Edit wan2. Set the Addressing mode to Dedicated to the FortiSwitch for the interface which is connected to the Access FortiSwitch.
    4. Return to Network > Interfaces and click Create New. For the new interface, set the name to vlan20, Type to VLAN, Interface to wan2, VLAN ID to 20, Role to LAN, and IP/Network Mask to 10.1.100.3/255.255.255.0.
  2. Authorize the Access FortiSwitch:
    1. Go to WiFi & Switch Controller> Managed FortiSwitch.
    2. Click the FortiGate icon, then click Edit. Set the Name to Access-Switch, enable the Authorized option, then click OK.
    3. Click the FortiSwitch port2 icon. For port2’s Native VLAN, select vlan20.
  3. Configure the default static route to connect to the root FortiGate. Go to Network > Static Routes. Set the Destination to 0.0.0.0/0.0.0.0, select wan1 as the Interface, and set the Gateway Address as 192.168.7.2.
  4. Configure the Security Fabric:
    1. Go to Security Fabric > Settings.
    2. Enable FortiGate Telemetry.
    3. Under FortiGate Telemetry, enable Connect to upstream FortiGate.
    4. Configure the FortiGate IP to 192.168.7.2.
    5. In FortiTelemetry enabled interfaces, add vlan20.
    6. FortiAnalyzer logging is enabled after FortiGate Telemetry is enabled. FortiAnalyzer settings will be retrieved when the downstream FortiGate connects to the root FortiGate.
  5. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the policy as follows:
    1. Set the Name to Access-internet2.
    2. Set the Source Interface to vlan20 and the Destination Interface to wan1.
    3. Set the Source Address to all and the Destination Address to all.
    4. Set the Action to ACCEPT.
    5. Set the Schedule to Always.
    6. Set the Service to ALL.
    7. Enable NAT.
    8. Set the IP Pool Configuration to Use Outgoing Interface Address.
    9. Choose the default Web Filter profile.

To authorize the downstream FortiGate on the root FortiGate:

  1. In FortiOS on the root FortiGate, go to Security Fabric > Settings. In the Topology field, a highlighted FortiGate with a serial number is connecting to the root FortiGate, and a highlighted warning asks for authorization of the highlighted device.
  2. Click the highlighted FortiGate, then select Authorize. After authorization, the downstream FortiGate appears in the Topology field in Security Fabric > Settings, meaning that the downstream FortiGate joined the Security Fabric successfully.

To authorize Security Fabric FortiGates on the FortiAnalyzer:

  1. Ensure that the FortiAnalyzer firmware is 6.2.0 or a later version.
  2. In FortiAnalyzer, go to Device Manager > Unauthorized. All FortiGates are listed as unauthorized. Select all FortiGates, then select Authorize. The FortiGates now appear as authorized.
  3. After a moment, a warning icon appears beside the root FortiGate since the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric. Click the warning icon, then enter the admin user and password for the root FortiGate.

To view the compromised endpoint host:

  1. Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering a malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the website.
  2. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.
  3. Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.

To quarantine the compromised endpoint host:

  1. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology.
  2. Right-click the endpoint host and select Quarantine Host. Click OK in the confirmation dialog.
  3. Go to Monitor > Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The quarantined endpoint host displays in the content pane.
  4. On the endpoint host, open a browser and visit a website such as https://fortinet.com. If the website cannot be accessed, this confirms that the endpoint host is quarantined.

To run diagnose commands:

  1. To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream command in the root FortiGate (Edge) CLI. The output should resemble the following:

Edge # diagnose sys csf downstream
1: FG101ETK18002187 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent:FG201ETK18902514 path:FG201ETK18902514:FG101ETK18002187
data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443 authorizer:FG201ETK18902514

  2. To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose sys csf upstream command in the downstream FortiGate (Marketing) CLI. The output should resemble the following:

Marketing # diagnose sys csf upstream
Upstream Information:
Serial Number:FG201ETK18902514
IP:192.168.7.2
Connecting interface:wan1
Connection status:Authorized

  3. To show the quarantined endpoint host in the connected FortiGate, run the following commands in the downstream FortiGate (Marketing) CLI:

Marketing # show user quarantine
config user quarantine
    config targets
        edit "PC2"
            set description "Manually quarantined"
            config macs
                edit 00:0c:29:3d:89:39
                    set description "manual-qtn Hostname: PC2"
                next
            end
        next
    end
end


Security Fabric – FortiOS 6.2

Security Fabric

The Fortinet Security Fabric provides an intelligent architecture that interconnects discrete security solutions into an integrated whole to detect, monitor, block, and remediate attacks across the entire attack surface. It delivers broad protection and visibility into every network segment and device, be they hardware, virtual, or cloud based.

  • The physical topology view shows all connected devices, including access layer devices. The logical topology view shows information about the interfaces that each device is connected to.
  • Security rating checks analyze the Security Fabric deployment to identify potential vulnerabilities and highlight best practices to improve the network configuration, deploy new hardware and software, and increase visibility and control of the network.
  • Automation pairs an event trigger with one or more actions to monitor the network and take the designated actions automatically when the Security Fabric detects a threat.
  • Fabric connectors provide integration with multiple SDN, cloud, and partner technology platforms to automate the process of managing dynamic security updates without manual intervention.

Deploy Security Fabric

This recipe provides an example of deploying Security Fabric with three downstream FortiGates connecting to one root FortiGate. To deploy Security Fabric, you need a FortiAnalyzer running firmware version 6.2.

The following shows a sample network topology of three downstream FortiGates (Accounting, Marketing, and Sales) connected to the root FortiGate (Edge).

To configure the root FortiGate (Edge):

  1. Configure interface:
    1. In the root FortiGate (Edge), go to Network > Interfaces.
    2. Edit port16:
      • Set Role to DMZ.
      • For the interface connected to FortiAnalyzer, set the IP/Network Mask to 192.168.65.2/255.255.255.0.
    3. Edit port10:
      • Set Role to LAN.
      • For the interface connected to the downstream FortiGate (Accounting), set the IP/Network Mask to 192.168.10.2/255.255.255.0.
    4. Edit port11:
      • Set Role to LAN.
      • For the interface connected to the downstream FortiGate (Marketing), set the IP/Network Mask to 192.168.200.2/255.255.255.0.
  2. Configure Security Fabric:
    1. In the root FortiGate (Edge), go to Security Fabric > Settings.
      • Enable FortiGate Telemetry.
      • Set a Group name, such as Office-Security-Fabric.
      • Add port10 and port11 to FortiTelemetry enabled interfaces.

After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging and Upload Option is set to Real Time.

    2. Set IP address to the FortiAnalyzer IP 192.168.65.10.
    3. Select Test Connectivity.

A warning message indicates that the FortiGate is not authorized on the FortiAnalyzer. The authorization is configured in a later step on the FortiAnalyzer.

  3. Create a policy to allow the downstream FortiGate (Accounting) to access the FortiAnalyzer:
    1. In the root FortiGate (Edge), go to Policy & Objects > Addresses.
      • Click Create New.
      • Set Name to FAZ-addr.
      • Set Type to Subnet.
      • Set Subnet/IP Range to 192.168.65.10/32.
      • Set Interface to any.
      • Click Create New.
      • Set Name to Accounting.
      • Set Type to Subnet.
      • Set Subnet/IP Range to 192.168.10.10/32.
      • Set Interface to any.
    2. In the root FortiGate (Edge), go to Policy & Objects > IPv4 Policy.
      • Set Name to Accounting-to-FAZ.
      • Set srcintf to port10.
      • Set dstintf to port16.
      • Set srcaddr to Accounting-addr.
      • Set dstaddr to FAZ-addr.
      • Set Action to Accept.
      • Set Schedule to Always.
      • Set Service to All.
      • Enable NAT.
      • Set IP Pool Configuration to Use Outgoing Interface Address.
  4. Create a policy to allow the two downstream FortiGates (Marketing and Sales) to access the FortiAnalyzer:
    1. In the root FortiGate (Edge), go to Policy & Objects > Addresses and click Create New.
      • Set Name to Marketing-addr.
      • Set Type to Subnet.
      • Set Subnet/IP Range to 192.168.200.10/32.
      • Set Interface to any.
    2. In the root FortiGate (Edge), go to Policy & Objects > IPv4 Policy.
      • Set Name to Marketing-to-FAZ.
      • Set srcintf to port11.
      • Set dstintf to port16.
      • Set srcaddr to Marketing-addr.
      • Set dstaddr to FAZ-addr.
      • Set Action to Accept.
      • Set Schedule to Always.
      • Set Service to All.
      • Enable NAT.
      • Set IP Pool Configuration to Use Outgoing Interface Address.

To configure the downstream FortiGate (Accounting):

  1. Configure interface:
    1. In the downstream FortiGate (Accounting), go to Network > Interfaces.
    2. Edit interface wan1:
      • Set Role to WAN.
      • For the interface connected to root, set the IP/Network Mask to 192.168.10.10/255.255.255.0.
  2. Configure the default static route to connect to the root FortiGate (Edge):
    1. In the downstream FortiGate (Accounting), go to Network > Static Routes:
      • Set Destination to 0.0.0.0/0.0.0.0.
      • Set Interface to wan1.
      • Set Gateway Address to 192.168.10.2.
  3. Configure Security Fabric:
    1. In the downstream FortiGate (Accounting), go to Security Fabric > Settings.
      • Enable FortiGate Telemetry.
      • Enable Connect to upstream FortiGate.
      • FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.10.2 set in the previous step.
      • Leave FortiTelemetry enabled interfaces empty since there is no downstream FortiGate connecting to it.

After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Accounting) connects to the root FortiGate (Edge).

To configure the downstream FortiGate (Marketing):

  1. Configure interface:
    1. In the downstream FortiGate (Marketing), go to Network > Interfaces.
    2. Edit port12:
      • Set Role to LAN.
      • For the interface connected to the downstream FortiGate (Sales), set the IP/Network Mask to 192.168.135.11/255.255.255.0.
    3. Edit wan1:
      • Set Role to WAN.
      • For the interface connected to the root FortiGate (Edge), set the IP/Network Mask to 192.168.200.10/255.255.255.0.
  2. Configure the default static route to connect to the root FortiGate (Edge):
    1. In the downstream FortiGate (Marketing), go to Network > Static Routes:
      • Set Destination to 0.0.0.0/0.0.0.0.
      • Set Interface to wan1.
      • Set Gateway Address to 192.168.200.2.
  3. Configure Security Fabric:
    1. In the downstream FortiGate (Marketing), go to Security Fabric > Settings.
      • Enable FortiGate Telemetry.
      • Enable Connect to upstream FortiGate.
      • FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.200.2 set in the previous step.
      • In FortiTelemetry enabled interfaces, add port12.

After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Marketing) connects to the root FortiGate (Edge).

  4. Create a policy to allow another downstream FortiGate (Sales) going through FortiGate (Marketing) to access the FortiAnalyzer:
    1. In the downstream FortiGate (Marketing), go to Policy & Objects > Addresses and click Create New.
      • Set Name to FAZ-addr.
      • Set Type to Subnet.
      • Set Subnet/IP Range to 192.168.65.10/32.
      • Set Interface to any.
    2. Click Create New.
      • Set Name to Sales-addr.
      • Set Type to Subnet.
      • Set Subnet/IP Range to 192.168.135.10/32.
      • Set Interface to any.
    3. In the downstream FortiGate (Marketing), go to Policy & Objects > IPv4 Policy.
      • Set Name to Sales-to-FAZ.
      • Set srcintf to port12.
      • Set dstintf to wan1.
      • Set srcaddr to Sales-addr.
      • Set dstaddr to FAZ-addr.
      • Set Action to Accept.
      • Set Schedule to Always.
      • Set Service to All.
      • Enable NAT.
      • Set IP Pool Configuration to Use Outgoing Interface Address.

To configure the downstream FortiGate (Sales):

  1. Configure interface:
    1. In the downstream FortiGate (Sales), go to Network > Interfaces.
    2. Edit wan2:
      • Set Role to WAN.
      • For the interface connected to the upstream FortiGate (Marketing), set the IP/Network Mask to 192.168.135.10/255.255.255.0.
  2. Configure the default static route to connect to the upstream FortiGate (Marketing):
    1. In the downstream FortiGate (Sales), go to Network > Static Routes:
      • Set Destination to 0.0.0.0/0.0.0.0.
      • Set Interface to wan2.
      • Set Gateway Address to 192.168.135.11.
  3. Configure Security Fabric:
    1. In the downstream FortiGate (Sales), go to Security Fabric > Settings.
      • Enable FortiGate Telemetry.
      • Enable Connect to upstream FortiGate.
      • FortiGate IP is filled in automatically with the default static route Gateway Address of 192.168.135.11 set in the previous step.
      • Leave FortiTelemetry enabled interfaces empty since there is no downstream FortiGate connecting to it.

After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Sales) connects to the root FortiGate (Edge).

To authorize downstream FortiGates (Accounting, Marketing, and Sales) on the root FortiGate (Edge):

  1. In the root FortiGate (Edge), go to Security Fabric > Settings.

The Topology field highlights two connected FortiGates with their serial numbers and asks you to authorize the highlighted devices.

  2. Select the highlighted FortiGates and select Authorize.

After they are authorized, the two downstream FortiGates (Accounting and Marketing) appear in the Topology field in Security Fabric > Settings. This means the two downstream FortiGates (Accounting and Marketing) have successfully joined the Security Fabric.

  3. The Topology field now highlights the FortiGate with the serial number that is connected to the downstream FortiGate (Marketing) and asks you to authorize the highlighted device.
  4. Select the highlighted FortiGate and select Authorize.

After it is authorized, the downstream FortiGate (Sales) appears in the Topology field in Security Fabric > Settings. This means the downstream FortiGate (Sales) has successfully joined the Security Fabric.

To use FortiAnalyzer to authorize all the Security Fabric FortiGates:

  1. Authorize all the Security Fabric FortiGates on the FortiAnalyzer side:
    1. In the FortiAnalyzer, go to System Settings > Network > All Interfaces.
      • Edit port1 and set IP Address/Netmask to 192.168.65.10/255.255.255.0.
    2. Go to Device Manager > Unauthorized.

All the FortiGates are listed as unauthorized.

    3. Select all the FortiGates and select Authorize. The FortiGates are now listed as authorized.

After a moment, a warning icon appears beside the root FortiGate (Edge) because the FortiAnalyzer needs administrative access to the root FortiGate (Edge) in the Security Fabric.

    4. Click the warning icon and enter the admin username and password of the root FortiGate (Edge).
  2. Check FortiAnalyzer status on all the Security Fabric FortiGates:
    • On each FortiGate, go to Security Fabric > Settings and check that FortiAnalyzer Logging shows Storage usage information.

To check the Security Fabric deployment result:

  1. On FortiGate (Edge), go to Dashboard > Status.

The Security Fabric widget displays all the FortiGates in the Security Fabric.

  2. On FortiGate (Edge), go to Security Fabric > Physical Topology.

This page shows a visualization of access layer devices in the Security Fabric.

  3. On FortiGate (Edge), go to Security Fabric > Logical Topology.

This dashboard shows information about the interfaces of each device in the Security Fabric.

To run diagnose commands:

  1. Run the diagnose sys csf authorization pending-list command in the root FortiGate to show the downstream FortiGate pending for root FortiGate authorization:

Edge # diagnose sys csf authorization pending-list
Serial                  IP Address      HA-Members      Path
————————————————————————————
FG201ETK18902514        0.0.0.0                         FG3H1E5818900718:FG201ETK18902514

  2. Run the diagnose sys csf downstream command in the root or middle FortiGate to show the downstream FortiGates after they join Security Fabric:

Edge # diagnose sys csf downstream
1:    FG201ETK18902514 (192.168.200.10) Management-IP: 0.0.0.0 Management-port:0 parent:FG3H1E5818900718 path:FG3H1E5818900718:FG201ETK18902514
data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443 authorizer:FG3H1E5818900718
2:    FGT81ETK18002246 (192.168.10.10) Management-IP: 0.0.0.0 Management-port:0 parent:FG3H1E5818900718 path:FG3H1E5818900718:FGT81ETK18002246
data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443 authorizer:FG3H1E5818900718
3:    FG101ETK18002187 (192.168.135.10) Management-IP: 0.0.0.0 Management-port:0 parent:FG201ETK18902514 path:FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187
data received: Y downstream intf:wan2 upstream intf:port12 admin-port:443 authorizer:FG3H1E5818900718

  3. Run the diagnose sys csf upstream command in any downstream FortiGate to show the upstream FortiGate after the downstream FortiGate joins Security Fabric:

Marketing # diagnose sys csf upstream
Upstream Information:
Serial Number:FG3H1E5818900718
IP:192.168.200.2
Connecting interface:wan1
Connection status:Authorized
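The diagnose sys csf downstream output shown in the three recipes above (HQ1/HQ2, Edge/Marketing, and the three-downstream Edge deployment) is the operator's record of which devices the root has admitted to the Security Fabric, so it is worth checking against an inventory rather than only reading by eye. The following is an added example, not Fortinet code: it parses that two-line-per-device output (the Edge sample above is reproduced as constructed input) and reports members that are not in an assumed inventory, are not rooted at or authorized by the root serial, report a parent that has not itself joined, or are not sending telemetry.

```python
"""Parse FortiOS `diagnose sys csf downstream` output and audit the Security Fabric tree.

Added example, not Fortinet code. SAMPLE_DOWNSTREAM reproduces the output shown
for the root FortiGate (Edge); the inventory handed to audit_fabric() is a
constructed list of the serials an operator expects to see in the fabric.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Root FortiGate (Edge) serial, as printed in the page's diagnose output.
ROOT_SERIAL = "FG3H1E5818900718"

# Constructed sample: the three downstream entries the Edge root FortiGate prints,
# with each entry's two output lines kept together.
SAMPLE_DOWNSTREAM = """\
1:    FG201ETK18902514 (192.168.200.10) Management-IP: 0.0.0.0 Management-port:0 parent:FG3H1E5818900718 path:FG3H1E5818900718:FG201ETK18902514
data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443 authorizer:FG3H1E5818900718
2:    FGT81ETK18002246 (192.168.10.10) Management-IP: 0.0.0.0 Management-port:0 parent:FG3H1E5818900718 path:FG3H1E5818900718:FGT81ETK18002246
data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443 authorizer:FG3H1E5818900718
3:    FG101ETK18002187 (192.168.135.10) Management-IP: 0.0.0.0 Management-port:0 parent:FG201ETK18902514 path:FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187
data received: Y downstream intf:wan2 upstream intf:port12 admin-port:443 authorizer:FG3H1E5818900718
"""

# First line of an entry: index, serial, IP in parentheses, then parent and path.
HEADER_RE = re.compile(
    r"^\d+:\s+(?P<serial>\S+)\s+\((?P<ip>[^)]+)\).*?"
    r"parent:(?P<parent>\S+)\s+path:(?P<path>\S+)"
)
# Second line of an entry: telemetry flag, interfaces on both ends, admin port, authorizer.
DETAIL_RE = re.compile(
    r"^data received:\s*(?P<data>\S+)\s+downstream intf:(?P<dintf>\S+)\s+"
    r"upstream intf:(?P<uintf>\S+)\s+admin-port:(?P<port>\d+)\s+authorizer:(?P<auth>\S+)"
)


@dataclass
class Downstream:
    serial: str
    ip: str
    parent: str
    path: list[str]        # serial chain from the root down to this device
    downstream_intf: str   # interface on the downstream device
    upstream_intf: str     # interface on its parent
    admin_port: int
    authorizer: str
    data_received: bool


def parse_downstream(text: str) -> list[Downstream]:
    """Turn the two-line-per-device output into Downstream records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    devices: list[Downstream] = []
    for i in range(0, len(lines), 2):
        head = HEADER_RE.match(lines[i])
        detail = DETAIL_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if head is None or detail is None:
            raise ValueError(f"unexpected output near line {i + 1}: {lines[i]!r}")
        devices.append(Downstream(
            serial=head["serial"],
            ip=head["ip"],
            parent=head["parent"],
            path=head["path"].split(":"),
            downstream_intf=detail["dintf"],
            upstream_intf=detail["uintf"],
            admin_port=int(detail["port"]),
            authorizer=detail["auth"],
            data_received=detail["data"] == "Y",
        ))
    return devices


def audit_fabric(devices, root_serial, expected_serials):
    """Compare the reported tree with an inventory; an empty list means every check passed.

    Each member must be in the inventory, have a path that starts at the root and
    ends at itself through its stated parent, be authorized by the root, hang off
    the root or a parent that has itself joined, and be sending telemetry.
    Inventory members that never joined are reported as well.
    """
    expected = set(expected_serials)
    joined = {d.serial for d in devices}
    findings = []
    for d in devices:
        if d.serial not in expected:
            findings.append(f"{d.serial} ({d.ip}): not in inventory")
        if d.path[0] != root_serial:
            findings.append(f"{d.serial}: path does not start at root {root_serial}")
        if d.path[-1] != d.serial or len(d.path) < 2 or d.path[-2] != d.parent:
            findings.append(f"{d.serial}: path {':'.join(d.path)} disagrees with parent {d.parent}")
        if d.authorizer != root_serial:
            findings.append(f"{d.serial}: authorized by {d.authorizer}, not the root")
        if d.parent != root_serial and d.parent not in joined:
            findings.append(f"{d.serial}: parent {d.parent} is not a joined downstream")
        if not d.data_received:
            findings.append(f"{d.serial}: no telemetry data received")
    for serial in sorted(expected - joined):
        findings.append(f"{serial}: in inventory but has not joined the Security Fabric")
    return findings


if __name__ == "__main__":
    members = parse_downstream(SAMPLE_DOWNSTREAM)
    for m in members:
        print(f"{m.serial} via {m.upstream_intf} -> {m.downstream_intf}, parent {m.parent}")
    print(audit_fabric(members, ROOT_SERIAL,
                       ["FG201ETK18902514", "FGT81ETK18002246", "FG101ETK18002187"]))
```

Run it against the real output captured from the root (the page's output breaks the parent: field across a line; paste each entry back onto its two lines first) and treat any finding as a reason to revisit Security Fabric > Settings before trusting the topology view.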

Troubleshooting your installation – FortiOS 6.2

Troubleshooting your installation

If your FortiGate does not function as desired after installation, try the following troubleshooting tips:

  1. Check for equipment issues Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for information about connecting your FortiGate to the network. You will also find detailed information about the FortiGate LED indicators.The FortiGate has multiple LED lights on the faceplate. Verify whether or not the LEDs on your FortiGate indicate a problem. For information on what the LEDs mean, see the LED specifications on page 43
  2. Check the physical network connections Check the cables used for all physical connections to ensure that they are fully connected and do not appear damaged, and make sure that each cable connects to the correct device and the correct Ethernet port on that device.
  3. Verify that you can connect to the internal IP address of the FortiGate Connect to the GUI from the FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the internal interface IP address; for example, ping 192.168.1.99. If you cannot connect to the internal interface, verify the IP configuration of the PC. If you can ping the interface but can’t connect to the GUI, check the settings for administrative access on that interface. Alternatively, use SSH to connect to the CLI, and then confirm that HTTPS has been enabled for Administrative Access on the interface.
  4. Check the FortiGate interface configurations Check the configuration of the FortiGate interface connected to the internal network (under Network > Interfaces) and check that Addressing mode is set to the correct mode.
  5. Verify the security policy configuration Go to Policy & Objects > IPv4 Policy and verify that the internal interface to Internet-facing interface security policy has been added and is located near the top of the policy list. Check the Active Sessions column to ensure that traffic has been processed (if this column does not appear, right-click on the table header and select Active Sessions). If you are using NAT mode, check the configuration of the policy to make sure that NAT is enabled and that Use Outgoing Interface Address is selected.
  6. Verify the static routing configuration

Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor and verify that the default route appears in the list as a static route. Along with the default route, you should see two routes shown as Connected, one for each connected FortiGate interface.

  1. Verify that you can connect to the Internet-facing interface’s IP address Ping the IP address of the Internetfacing interface of your FortiGate. If you cannot connect to the interface, the FortiGate is not allowing sessions from the internal interface to Internet-facing interface. Verify that PING has been enabled for Administrative Access on the interface.
  2. Verify that you can connect to the gateway provided by your ISP

Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact your ISP to verify that you are using the correct gateway.

  1. Verify that you can communicate from the FortiGate to the Internet

Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.

  1. Verify the DNS configurations of the FortiGate and the PCs

Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping www.fortinet.com.

If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that the DNS server IP addresses are present and correct.

  1. Confirm that the FortiGate can connect to the FortiGuard network Once the FortiGate is on your network, you should confirm that it can reach the FortiGuard network. First, check the License Information widget to make sure that the status of all FortiGuard services matches the services that you have purchased. Go to System > FortiGuard. Scroll down to Filtering Services Availability and select Check Again. After a minute, the GUI

should indicate a successful connection.Verify that your FortiGate can resolve and reach FortiGuard at service.fortiguard.net by pinging the domain name. If you can reach this service, you can then verify the connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of FortiGuard IP gateways you can connect to, as well as the following information:

  • Weight: Based on the difference in time zone between the FortiGate and this server l RTT: Return trip time l Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed) l TZ: Server time zone l Curr Lost: Current number of consecutive lost packets l Total Lost: Total number of lost packets
  1. Consider changing the MAC address of your external interface Some ISPs do not want the MAC address of the device connecting to their network cable to change. If you have added a FortiGate to your network, you may have to change the MAC address of the Internet-facing interface using the following CLI command:

config system interface edit <interface> set macaddr <xx:xx:xx:xx:xx:xx>

end

end

  1. Check the FortiGate bridge table (transparent mode)

When a FortiGate is in transparent mode, the unit acts like a bridge, sending all incoming traffic out on the other interfaces. The bridge is between interfaces on the FortiGate unit. Each bridge listed is a link between interfaces. Where traffic is flowing between interfaces, you expect to find bridges listed. If you are having connectivity issues and there are no bridges listed, that is a likely cause. Check for the MAC address of the interface or device in question. To list the existing bridge instances on the FortiGate, use the following CLI command:

diagnose netlink brctl name host root.b
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
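As an added example (not part of the original document or Fortinet's code), the following Python parses the bridge table output shown above and answers the question this step asks: is anything being bridged at all, and on which interface has a given MAC been seen. The sample output is a constructed copy of the table above; the function names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the transparent-mode bridge table quoted above, as printed by
# "diagnose netlink brctl name host root.b".
BRCTL_OUTPUT = """\
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
"""


@dataclass(frozen=True)
class FdbEntry:
    port_no: int
    device: int
    devname: str
    mac: str
    ttl: int
    attributes: tuple  # e.g. ("Local", "Static") for the FortiGate's own interface MACs


# One forwarding-database row: port, device index, interface name, MAC, TTL, optional attributes.
ENTRY_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)(?:\s+(.+))?$",
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """Accept 00-1A-A0-2F-BC-C6, 001a.a02f.bcc6 or 00:1a:a0:2f:bc:c6; return the colon form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_bridge_table(text: str) -> list:
    """Extract the table rows; banner and header lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            port_no, device, devname, mac, ttl, attrs = m.groups()
            entries.append(FdbEntry(int(port_no), int(device), devname, mac.lower(),
                                    int(ttl), tuple((attrs or "").split())))
    return entries


def find_mac(entries: list, mac: str) -> list:
    wanted = normalize_mac(mac)
    return [e for e in entries if e.mac == wanted]


def learned_macs_by_interface(entries: list) -> dict:
    """Count dynamically learned MACs per interface. Local/Static rows are the
    FortiGate's own addresses, not evidence that traffic is flowing through a bridge."""
    counts = {}
    for e in entries:
        if "Local" not in e.attributes and "Static" not in e.attributes:
            counts[e.devname] = counts.get(e.devname, 0) + 1
    return counts


def diagnose_bridge(entries: list, mac: str) -> str:
    """Turn the table into the answer the troubleshooting step asks for."""
    if not entries:
        return "no bridge entries: no traffic is being bridged, a likely cause of the connectivity issue"
    hits = find_mac(entries, mac)
    if not hits:
        return f"{normalize_mac(mac)} not in bridge table: no frames from it have been seen on any interface"
    e = hits[0]
    kind = "the FortiGate's own address" if "Local" in e.attributes else "learned"
    return f"{e.mac} is {kind} on {e.devname} (port {e.port_no}), ttl {e.ttl}"
```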

  1. Use FortiExplorer if you can’t connect to the FortiGate over Ethernet

If you can’t connect to the FortiGate GUI or CLI, you may be able to connect using FortiExplorer. Refer to the QuickStart Guide or see the section on FortiExplorer for more details.

  1. Either reset the FortiGate to factory defaults or contact Fortinet Support for assistance

To reset the FortiGate to factory defaults, use the CLI command execute factoryreset. When prompted, type y to confirm the reset.

If you require further assistance, visit the Fortinet Support website.

 

FortiCloud – FortiOS 6.2

FortiCloud

FortiCloud is a hosted security management and log retention service for FortiGate devices. It gives you centralized reporting, traffic analysis, configuration management, and log retention without the need for additional hardware or software.

FortiCloud offers a wide range of features:

  • Simplified central management — FortiCloud provides a central web-based management console to manage individual or aggregated FortiGate and FortiWiFi devices. Adding a device to the FortiCloud management subscription is straightforward. FortiCloud has detailed traffic and application visibility across the whole network.
  • Hosted log retention with large default storage allocated — Log retention is an integral part of any security and compliance program but administering a separate storage system is burdensome. FortiCloud takes care of this automatically and stores the valuable log information in the cloud. Each device is allowed up to 200GB of log retention storage. Different types of logs can be stored including Traffic, System Events, Web, Applications, and Security Events.
  • Monitoring and alerting in real time — Network availability is critical to a good end-user experience. FortiCloud enables you to monitor your FortiGate network in real time with different alerting mechanisms to pinpoint potential issues. Alerting mechanisms can be delivered via email.
  • Customized or pre-configured reporting and analysis tools — Reporting and analysis are your eyes and ears into your network’s health and security. Pre-configured reports are available, as well as custom reports that can be tailored to your specific reporting and compliance requirements. For example, you may want to look closely at application usage or website violations. The reports can be emailed as PDFs and can cover different time periods.
  • Maintain important configuration information uniformly — The correct configuration of the devices within your network is essential to maintaining an optimum performance and security posture. In addition, maintaining the correct firmware (operating system) level allows you to take advantage of the latest features.
  • Service security — All communication (including log information) between the devices and the clouds is encrypted. Redundant data centers are always used to give the service high availability. Operational security measures have been put in place to make sure your data is secure — only you can view or retrieve it.

Registration and activation

FortiCloud accounts can be registered manually through the FortiCloud website, https://www.forticloud.com, but you can easily register and activate your account directly from your FortiGate.

Activating your FortiCloud account

  1. On your device’s dashboard, in the FortiCloud widget, select the Activate button in the status field.
  2. A dialogue asking you to register your FortiCloud account appears. Select Create Account, enter your information, view and accept the terms and conditions, and select OK.
  3. A second dialogue window appears, asking you to enter your information to confirm your account. This sends a confirmation email to your registered email. The dashboard widget then updates to show that confirmation is required.
  4. Open your email, and follow the confirmation link it contains.

Results

A FortiCloud page will open, stating that your account has been confirmed. The Activation Pending message on the dashboard will change to state the type of account you have (‘1GB Free’ or ‘200GB Subscription’), and will provide a link to the FortiCloud portal.

Enabling logging to FortiCloud

  1. Go to Log & Report > Log Settings.
  2. Enable Send Logs to FortiCloud.
  3. Select Test Connectivity to ensure that your FortiGate can connect to the registered FortiCloud account.
  4. Scroll down to GUI Preferences and set Display Logs/FortiView From so that FortiCloud logs are shown within the FortiGate’s GUI.

Logging into the FortiCloud portal

Once logging has been configured and you have registered your account, you can log into the FortiCloud portal and begin viewing your logging results. There are two methods to reach the FortiCloud portal:

  • If you have direct networked access to the FortiGate, you can simply open your Dashboard and check the License Information widget. Next to the current FortiCloud connection status will be a link to reach the FortiCloud Portal.
  • If you do not currently have access to the FortiGate’s interface, you can visit the FortiCloud website (https://forticloud.com) and log in remotely, using your email and password. It will ask you to confirm the FortiCloud account you are connecting to and then you will be granted access. Connected devices can be remotely configured using the Scripts page in the Management Tab, useful if an administrator may be away from the unit for a long period of time.

Cloud sandboxing

FortiCloud can be used for automated sample tracking, or sandboxing, for files from a FortiGate. This allows suspicious files to be sent to be inspected without risking network security. If the file exhibits risky behavior, or is found to contain a virus, a new virus signature is created and added to the FortiGuard antivirus signature database.

Cloud sandboxing is configured by going to Security Fabric > Settings. After enabling Sandbox Inspection, select the FortiSandbox type.

Sandboxing results are shown in a new tab called AV Submissions in the FortiCloud portal. This tab only appears after a file has been sent for sandboxing.

For more information about FortiCloud, see the FortiCloud documentation.

FortiGuard – FortiOS 6.2

FortiGuard

The FortiGuard Distribution Network (FDN) of servers provides updates to antivirus, antispam, and IPS definitions to your FortiGate. FortiGuard Subscription Services provides comprehensive Unified Threat Management (UTM) security solutions to enable protection against content and network level threats.

The FortiGuard team can be found around the globe, monitoring virus, spyware and vulnerability activities. As vulnerabilities are found, signatures are created and pushed to the subscribed FortiGates. The Global Threat Research Team enables Fortinet to deliver a combination of multi-layered security intelligence and provide true zero-day protection from new and emerging threats. The FortiGuard Network has data centers around the world located in secure, high availability locations that automatically deliver updates to the Fortinet security platforms to protect the network with the latest information.

FortiGuard provides a number of services to monitor world-wide activity and provide the best possible security, including:

  • Intrusion Prevention System (IPS) – IPS uses a customizable database of more than 4000 known threats to stop attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the system to recognize threats when no signature has yet been developed. It also provides more than 1000 application identity signatures for complete application control.
  • Application Control – Application Control allows you to identify and control applications on networks and endpoints regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over application traffic, even traffic from unknown applications and sources. Application Control is a free FortiGuard service and the database for Application Control signatures is separate from the IPS database (Botnet Application signatures are still part of the IPS signature database since these are more closely related with security issues and less about application detection). Application Control signature database information is displayed under the System > FortiGuard page in the FortiCare section.
  • AntiVirus – The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the latest content level threats. It employs advanced virus, spyware, and heuristic detection engines to prevent both new and evolving threats from gaining access to your network and protects against vulnerabilities.
  • Web Filtering – Web Filtering provides Web URL filtering to block access to harmful, inappropriate, and dangerous web sites that may contain phishing/pharming attacks, malware such as spyware, or objectionable content that can expose your organization to legal liability. Based on automatic research tools and targeted research analysis, real-time updates enable you to apply highly-granular policies that filter web access based on six major categories and nearly 80 micro-categories, over 45 million rated web sites, and more than two billion web pages – all continuously updated.
  • Email Filtering – The FortiGuard Antispam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools on Fortinet appliances and agents, to detect and block a wide range of spam messages. Updates to the IP reputation and spam signature databases are provided continuously via the FDN.
  • Messaging Services – Messaging Services allow a secure email server to be automatically enabled on your FortiGate to send alert email or send email authentication tokens. With the SMS gateway, you can enter phone numbers where the FortiGate will send the SMS messages. Note that depending on your carrier, there may be a slight time delay on receiving messages.
  • DNS and DDNS – The FortiGuard DNS and DDNS services provide an efficient method of DNS lookups once subscribed to the FortiGuard network. This is the default option. The FortiGate connects automatically to the FortiGuard DNS server. If you do not register, you need to configure an alternate DNS server. Configure the DDNS server settings using the CLI command:

config system fortiguard
    set ddns-server-ip <ip_address>
    set ddns-server-port <port>
end

Support contract and FortiGuard subscription services

The FDN support contract is shown under System > FortiGuard.

The License Information area displays the status of your FortiGate’s support contract.

You can also manually update the AntiVirus and IPS engines.

Verifying your connection to FortiGuard

If you are not getting FortiGuard web filtering or antispam services, there are a few things to verify that communication to the FDN is working. Before any troubleshooting, ensure that the FortiGate has been registered and subscribed to the FortiGuard services.

Verification – GUI:

The simplest method to check that the FortiGate is communicating with the FDN, is to check the License Information dashboard widget. Any subscribed services should have a green check mark beside them indicating that connections are successful. Any other icon indicates a problem with the connection, or you are not subscribed to the FortiGuard services.

You can also view the FortiGuard connection status by going to System > FortiGuard.

Verification – CLI:

You can also use the CLI to see what FortiGuard servers are available to your FortiGate. Use the following CLI command to ping the FDN for a connection:

execute ping guard.fortinet.net

You can also use the following diagnose command to find out what FortiGuard servers are available:

diagnose debug rating

From this command, you will see output similar to the following:

Locale       : english
License      : Contract
Expiration   : Sun Jul 24 20:00:00 2011
Hostname     : service.fortiguard.net
-=- Server List (Tue Nov 2 11:12:28 2010) -=-

IP               Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
69.20.236.180    0       10          -5  77200    0          42
69.20.236.179    0       12          -5  52514    0          34
66.117.56.42     0       32          -5  34390    0          62
80.85.69.38      50      164         0   34430    0          11763
208.91.112.194   81      223  D      -8  42530    0          8129
216.156.209.26   286     241  DI     -8  55602    0          21555

Normally an extensive list of servers is available. If you see a list of only three to five servers, the FortiGuard servers are responding to DNS replies for service.fortiguard.net, but the INIT requests are not reaching the FDS services on the servers.

The rating flags indicate the server status:

D Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with ‘D’ and will be used first for INIT requests before falling back to the other servers.
I Indicates the server to which the last INIT request was sent.
F The server has not responded to requests and is considered to have failed.
T The server is currently being timed.

The server list is sorted first by weight and then the server with the smallest RTT is put at the top of the list, regardless of weight. When a packet is lost, it will be resent to the next server in the list.

The weight for each server increases with failed packets and decreases with successful packets. To lower the possibility of using a distant server, the weight is not allowed to dip below a base weight, which is calculated as the difference in hours between the FortiGate and the server, multiplied by 10. The further away the server, the higher its base weight and the lower in the list it will appear.
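Added example, not Fortinet's code: a Python model of the server list shown above and of the weight and ordering rules just described. The row layout parsed here, the per-packet weight step (one unit) and the check for a short server list are the example's assumptions; the FortiGate time zone (-5) is inferred from the weight-0 servers in the sample.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the "diagnose debug rating" output quoted above.
RATING_OUTPUT = """\
Locale       : english
License      : Contract
Expiration   : Sun Jul 24 20:00:00 2011
Hostname     : service.fortiguard.net
-=- Server List (Tue Nov 2 11:12:28 2010) -=-

IP               Weight  RTT  Flags  TZ  Packets  Curr Lost  Total Lost
69.20.236.180    0       10          -5  77200    0          42
69.20.236.179    0       12          -5  52514    0          34
66.117.56.42     0       32          -5  34390    0          62
80.85.69.38      50      164         0   34430    0          11763
208.91.112.194   81      223  D      -8  42530    0          8129
216.156.209.26   286     241  DI     -8  55602    0          21555
"""

# Flag letters as documented in the text above.
FLAG_MEANINGS = {
    "D": "found via DNS lookup of the hostname; used first for INIT requests",
    "I": "server the last INIT request was sent to",
    "F": "not responding; considered failed",
    "T": "currently being timed",
}


@dataclass
class RatingServer:
    ip: str
    weight: int
    rtt: int
    flags: str
    tz: int
    packets: int
    curr_lost: int
    total_lost: int


# One server row: IP, weight, RTT, optional flag letters, signed TZ offset, three counters.
ROW_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+([DIFT]*)\s*(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)$"
)


def parse_rating_output(text: str) -> list[RatingServer]:
    """Extract the server list rows; banner and header lines are skipped."""
    servers = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ip, weight, rtt, flags, tz, packets, curr, total = m.groups()
            servers.append(RatingServer(ip, int(weight), int(rtt), flags, int(tz),
                                        int(packets), int(curr), int(total)))
    return servers


def describe_flags(flags: str) -> list[str]:
    return [FLAG_MEANINGS[f] for f in flags]


def base_weight(local_tz: int, server_tz: int) -> int:
    """Floor for a server's weight: hours of time-zone difference times 10."""
    return abs(local_tz - server_tz) * 10


def infer_local_tz(servers: list[RatingServer]) -> int:
    """A server at weight 0 must share the FortiGate's time zone (its base weight is 0)."""
    for s in servers:
        if s.weight == 0:
            return s.tz
    raise ValueError("no weight-0 server; cannot infer the FortiGate time zone")


def update_weight(server: RatingServer, local_tz: int, success: bool, step: int = 1) -> int:
    """Failed packets raise the weight, successful ones lower it, never below the base weight.
    The step size per packet is an assumption; the text gives only the direction."""
    if success:
        server.weight = max(base_weight(local_tz, server.tz), server.weight - step)
    else:
        server.weight += step
    return server.weight


def order_servers(servers: list[RatingServer]) -> list[RatingServer]:
    """Sort by weight, then move the lowest-RTT server to the top regardless of weight."""
    by_weight = sorted(servers, key=lambda s: s.weight)
    fastest = min(by_weight, key=lambda s: s.rtt)
    return [fastest] + [s for s in by_weight if s is not fastest]


def assess_server_list(servers: list[RatingServer]) -> dict:
    """Apply the checks from the text: a short list (3-5 servers) means DNS worked but
    INIT requests are not reaching FDS; F-flagged servers are the ones to look at."""
    return {
        "server_count": len(servers),
        "init_not_reaching_fds": 3 <= len(servers) <= 5,
        "failed": [s.ip for s in servers if "F" in s.flags],
        "dns_returned": [s.ip for s in servers if "D" in s.flags],
    }
```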

Port assignment

The FortiGate contacts FDN for the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination port 8888. The FDN reply packets have a destination port of 1027 or 1031.

If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result, the FortiGate will not receive the complete FDN server list.

If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use higher-numbered ports, using the CLI command:

config system global
    set ip-src-port-range <start port>-<end port>
end

where <start port> and <end port> are numbers in the range 1024 to 25000.

For example, to configure the FortiGate to use only source ports from 2048 up to 20000:

config system global
    set ip-src-port-range 2048-20000
end

Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use. Push updates might be unavailable if:

  • there is a NAT device installed between the unit and the FDN, and/or
  • your unit connects to the Internet using a proxy server.

Configuring Antivirus and IPS options

Go to System > FortiGuard, and scroll down to the AntiVirus & IPS Updates section to configure the antivirus and IPS options for connecting and downloading definition files.

Accept push updates – Select to allow updates to be sent automatically to your FortiGate. New definitions will be added as soon as they are released by FortiGuard.

Use override push – Appears only if Accept push updates is enabled. Enable to configure an override server if you cannot connect to the FDN or if your organization provides updates using their own FortiGuard server. Once enabled, enter the following:

  • Enter the IP address and port of the NAT device in front of your FortiGate. FDS will connect to this device when attempting to reach the FortiGate.
  • The NAT device must be configured to forward the FDS traffic to the FortiGate on UDP port 9443.

Scheduled Updates – Enable for updates to be sent to your FortiGate at a specific time. For example, to minimize traffic lag times, you can schedule the update to occur on weekends or after work hours. Note that a schedule of once a week means any urgent updates will not be pushed until the scheduled time. However, if there is an urgent update required, select the Update Now button.

Improve IPS quality – Enable to help Fortinet maintain and improve IPS signatures. The information sent to the FortiGuard servers when an attack occurs can be used to keep the database current as variants of attacks evolve.

Use extended IPS signature package – The regular IPS database protects against the latest common and in-the-wild attacks. The extended IPS database adds protection from legacy attacks.

Update AV & IPS Definitions – Select to manually initiate an FDN update.

Manual updates

To manually update the signature definitions file, you need to first go to the Fortinet Support web site. Once logged in, select Download > FortiGuard Service Updates. The browser will present you the most current IPS and AntiVirus signature definitions which you can download.

Once downloaded to your computer, log into the FortiGate to load the definition file.

To load the definition file onto the FortiGate:

  1. Go to System > FortiGuard.
  2. In the License Information table, select the Upgrade Database link in either the Application Control Signature, IPS, or AntiVirus
  3. In the pop-up window, select Upload and locate the downloaded file and select Open.

The upload may take a few minutes to complete.

Automatic updates

The FortiGate can be configured to request updates from FDN on a scheduled basis, or via push notification.

Scheduling updates

Scheduling updates ensures that the virus and IPS definitions are downloaded to your FortiGate on a regular basis, ensuring that you do not forget to check for the definition files yourself.

Updating definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit applies the new signature database. Ideally, schedule updates during off-peak hours, such as evenings or weekends, when network usage is minimal, so that network activity does not suffer from the added traffic of downloading the definition files.

To enable scheduled updates – GUI:

  1. Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
  2. Enable Scheduled Updates.
  3. Select the frequency of updates.
  4. Select Apply.

To enable scheduled updates – CLI:

config system autoupdate schedule
    set status enable
    set frequency {every | daily | weekly}
    set time <hh:mm>
    set day <day_of_week>
end

Push updates

Push updates enable you to get immediate updates when new viruses or intrusions have been discovered and new signatures created. This ensures that the latest signature will be sent to the FortiGate as soon as possible.

When a push notification occurs, the FortiGuard server sends a notice to the FortiGate that there is a new signature definition file available. The FortiGate then initiates a download of the definition file, similar to the scheduled update.

To ensure maximum security for your network, you should have a scheduled update as well as enable the push update, in case an urgent signature is created, and your cycle of the updates only occurs weekly.

To enable push updates – GUI:

  1. Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
  2. Enable Accept push updates.
  3. Select Apply.

To enable push updates – CLI:

config system autoupdate push-update
    set status enable
end

Push IP override

If the FortiGate is behind another NAT device (or another FortiGate), to ensure it receives the push update notifications, you need to use an override IP address for the notifications. To do this, you create a virtual IP to map to the external port of the NAT device.

Generally speaking, if there are two FortiGate devices, the following steps need to be completed on the FortiGate NAT device to ensure the FortiGate on the internal network receives the updates:

  • Add a port forwarding virtual IP to the FortiGate NAT device that connects to the Internet by going to Policy & Objects > Virtual IPs.
  • Add a security policy to the FortiGate NAT device that connects to the Internet that includes the port forwarding virtual IP.
  • Configure the FortiGate on the internal network with an override push IP and port.

On the FortiGate internal device, the virtual IP is entered as the Use push override IP address.

To enable push update override – GUI:

  1. Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
  2. Enable Accept push updates.
  3. Enable Use override push.
  4. Enter the virtual IP address configured on the NAT device.
  5. Select Apply.

To enable push update override – CLI:

config system autoupdate push-update
    set status enable
    set override enable
    set address <vip_address>
end

Sending malware statistics to FortiGuard

To support following malware trends and making zero-day discoveries, FortiGate units send encrypted statistics to FortiGuard about IPS, Application Control, and AntiVirus events detected by the FortiGuard services running on your FortiGate. FortiGuard uses the statistics collected to achieve a balance between performance and security effectiveness by moving inactive signatures to an extended signature database.

The statistics include some non-personal information that identifies your FortiGate and its country. The information is never shared with external parties. You can choose to disable the sharing of this information by entering the following CLI command:

config system global
    set fds-statistics disable
end

Configuring web filtering and email filtering options

Go to System > FortiGuard, and scroll down to Filtering to set the size of the caches and ports.

Web Filter Cache – Set the Time To Live (TTL) value. This is the number of seconds the FortiGate stores a blocked IP or URL locally before checking with the FortiGuard server again, saving time and network traffic. Once the TTL has expired, the FortiGate will contact an FDN server to verify a web address. The TTL must be between 300 and 86400 seconds.

Anti-Spam Cache – Set the TTL value (see above).

FortiGuard Filtering Port – Select the port assignments for contacting the FortiGuard servers.

Filtering Service Availability – Indicates the status of the filtering service. Select Check Again if the filtering service is not available.

Request re-evaluation of a URL’s category – Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter service.

Email filtering

The FortiGuard data centers monitor and update email databases of known spam sources. With FortiGuard Anti-Spam filtering enabled, the FortiGate verifies incoming email sender addresses and IPs against the database, and takes the necessary actions as defined within the antivirus profiles.

Spam source IP addresses can also be cached locally on the FortiGate. This gives a quicker response time for repeated lookups and eases the load on the FortiGuard servers, which in turn speeds up responses for less common email address requests.

By default, the anti-spam cache is enabled. The cache includes a TTL value, which is the amount of time an email address will stay in the cache before expiring. You can change this value to shorten or extend the time between 5 and 1,440 minutes.

To modify the antispam cache TTL – GUI:

  1. Go to System > FortiGuard.
  2. Under Filtering, enable Anti-Spam Cache.
  3. Enter the TTL value in minutes.
  4. Select Apply.

To modify the Anti-Spam filter TTL – CLI:

config system fortiguard
    set antispam-cache-ttl <integer>
end

Further antispam filtering options can be configured to block, allow, or quarantine specific email addresses. These configurations are available through the Security Profiles > Anti-Spam menu.

Online security tools

The FortiGuard online center provides a number of online security tools, including but not limited to:

  • URL lookup — By entering a website address, you can see if it has been rated and what category and classification it is filed as. If you find your website or a site you commonly go to has been wrongly categorized, you can use this page to request that the site be re-evaluated: https://fortiguard.com/webfilter
  • Threat Encyclopedia — Browse the FortiGuard Labs extensive encyclopedia of threats. Search for viruses, botnet C&C, IPS, endpoint vulnerabilities, and mobile malware: https://www.fortiguard.com/encyclopedia
  • Application Control — Browse the FortiGuard Labs extensive encyclopedia of applications: https://fortiguard.com/appcontrol

Firmware Management – FortiOS 6.2

Firmware

Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. After you have registered your FortiGate unit, you can download firmware updates from the Fortinet Support web site. Before you install any new firmware, be sure to follow the steps below:

  • Review the Release Notes for a new firmware release.
  • Review the Supported Upgrade Paths SysAdmin note on the Fortinet Cookbook site to prepare for the upgrade of FortiOS on your FortiGate.
  • Backup the current configuration, including local certificates.
  • Test the new firmware until you are satisfied that it applies to your configuration.

Installing new firmware without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.

Backing up the current configuration

You should always back up the configuration before installing new firmware, in case you need to restore your FortiGate configuration.

Downloading

Firmware images for all FortiGate units are available on the Fortinet Support website.

To download firmware:

  1. Log into the site using your user name and password.
  2. Go to Download > Firmware Images.
  3. A list of Release Notes is shown. If you have not already done so, download and review the Release Notes for the firmware you wish to upgrade your FortiGate unit to.
  4. Select Download.
  5. Navigate to the folder for the firmware version you wish to use.
  6. Select your FortiGate model from the list. If your unit is a FortiWiFi, the firmware will have a filename starting with ‘FWF’.
  7. Save the firmware image to your computer.

Testing

The integrity of firmware images downloaded from Fortinet’s support portal can be verified using a file checksum. A file checksum that does not match the expected value indicates a corrupt file. The corruption could be caused by errors in transfer or by file modification. A list of expected checksum values for each build of released code is available on Fortinet’s support portal.

Image integrity is also verified when the FortiGate is booting up. This integrity check is done through a cyclic redundancy check (CRC). If the CRC fails, the FortiGate unit will encounter an error during the boot process.

Lastly, firmware images are signed and the signature is attached to the code as it is built. When upgrading an image, the running OS will generate a signature and compare it with the signature attached to the image. If the signatures do not match, the new OS will not load.
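An added example, not from this page or from Fortinet: checking a downloaded image against its expected checksum before it is loaded, so that a file corrupted in transfer or modified after download is caught up front. It assumes a sha256sum-style checksum list ("hexdigest  filename" per line) and SHA-256; the image bytes, file names and checksum list are constructed inline.

```python
import hashlib
import hmac
import os
import tempfile

# Checksum list format assumed here: one "hexdigest  filename" line per image, as
# sha256sum prints it. The layout of Fortinet's own list is not shown on this page.


def parse_checksum_list(text: str) -> dict:
    """Map image filename -> expected hex digest; blank and '#' lines are ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum output
    return expected


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash the image in chunks so a large firmware file is not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_firmware_image(path: str, expected: dict, algorithm: str = "sha256") -> str:
    """Return 'ok', 'mismatch' (corrupt or modified file) or 'unlisted' (no entry for this file)."""
    name = os.path.basename(path)
    if name not in expected:
        return "unlisted"
    actual = file_digest(path, algorithm)
    return "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"


def demo() -> tuple:
    """Exercise all three outcomes on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "image.out")  # default file name shown by the boot menu
        payload = bytes(range(256)) * 4096       # constructed stand-in for a firmware image
        with open(image, "wb") as f:
            f.write(payload)
        listing = f"{hashlib.sha256(payload).hexdigest()}  image.out\n"
        expected = parse_checksum_list(listing)
        intact = verify_firmware_image(image, expected)

        with open(image, "r+b") as f:  # flip one byte, as a transfer error or tampering would
            f.seek(1000)
            f.write(b"\xff")
        corrupted = verify_firmware_image(image, expected)

        other = os.path.join(tmp, "other.out")  # a file the list knows nothing about
        with open(other, "wb") as f:
            f.write(payload)
        unlisted = verify_firmware_image(other, expected)
    return intact, corrupted, unlisted
```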

Testing before installation

FortiOS lets you test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure explained in Upgrading firmware.

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable. This procedure temporarily installs a new firmware image using your current configuration.

For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

To test the new firmware image:

  1. Connect to the CLI using an RJ-45 to DB-9 or null modem cable.
  2. Make sure the TFTP server is running.
  3. Copy the new firmware image file to the root directory of the TFTP server.
  4. Make sure the FortiGate unit can connect to the TFTP server using the execute ping command.
  5. Enter the following command to restart the FortiGate unit: execute reboot
  6. As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages appears: Press any key to display configuration menu….
  7. Immediately press any key to interrupt the system startup.
  8. If you successfully interrupt the startup process, the following message appears:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:

  9. Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]:
  10. Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]:
  11. Type an IP address of the FortiGate unit to connect to the TFTP server. The IP address must be on the same network as the TFTP server.
  12. The following message appears: Enter File Name [image.out]:
  13. Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following appears: Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
  14. Type R. The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image, but with its current configuration.

You can test the new firmware image as required. When done testing, you can reboot the FortiGate unit, and the FortiGate unit will resume using the firmware that was running before you installed the test firmware.

Upgrading firmware

Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute update-now to update the antivirus and attack definitions.

To upgrade the firmware – GUI:

  1. Log into the GUI as the admin administrative user.
  2. Go to System > Firmware.
  3. Under Upload Firmware, select Browse and locate the firmware image file.
  4. Select OK.

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.

To upgrade the firmware – CLI:

Before you begin, ensure you have a TFTP server running and accessible to the FortiGate unit.

  1. Make sure the TFTP server is running.
  2. Copy the new firmware image file to the root directory of the TFTP server.
  3. Log into the CLI.
  4. Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168:

execute ping 192.168.1.168

  5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <filename> <tftp_ipv4>

  6. The FortiGate unit responds with the message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

  7. Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
  8. Reconnect to the CLI.
  9. Update antivirus and attack definitions:

execute update-now

Reverting

The following procedure reverts the FortiGate unit to its factory default configuration and deletes any configuration settings. If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

To revert to a previous firmware version – GUI:

  1. Log into the GUI as the admin user.
  2. Go to System > Firmware.
  3. Under Upload Firmware, select Browse and locate the firmware image file.
  4. Select OK.

The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.

To revert to a previous firmware version – CLI:

Before beginning this procedure, it is recommended that you:

  • Back up the FortiGate unit system configuration using the command execute backup config
  • Back up the IPS custom signatures using the command execute backup ipsuserdefsig
  • Back up web content and email filtering lists.

To use the following procedure, you must have a TFTP server the FortiGate unit can connect to.

  1. Make sure that the TFTP server is running.
  2. Copy the firmware image file to the root directory of the TFTP server.
  3. Log in to the FortiGate CLI.
  4. Make sure the FortiGate unit can connect to the TFTP server by using the execute ping command.
  5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <name_str> <tftp_ipv4>

  6. The FortiGate unit responds with this message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

  7. Type y. The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following appears:

Get image from tftp server OK.

Check image OK.

This operation will downgrade the current firmware version! Do you want to continue? (y/n)

  8. Type y. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
  9. Reconnect to the CLI.
  10. To restore your previous configuration, if needed, use the command:

execute restore config <name_str> <tftp_ipv4>

  11. Update antivirus and attack definitions using the command:

execute update-now

Installation from system reboot

In the event that the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously reboots, it is best to perform a fresh install of the firmware from a reboot using the CLI.

This procedure installs a firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware.

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable. This procedure reverts the FortiGate unit to its factory default configuration.

For this procedure you install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

Before beginning this procedure, ensure that you back up the FortiGate unit configuration.

If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

Installing firmware replaces your current antivirus and attack definitions with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.

To install firmware from a system reboot:

  1. Connect to the CLI using the RJ-45 to DB-9 or null modem cable.
  2. Make sure the TFTP server is running.
  3. Copy the new firmware image file to the root directory of the TFTP server.
  4. Make sure the internal interface is connected to the same network as the TFTP server.
  5. To confirm the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168: execute ping 192.168.1.168
  6. Enter the following command to restart the FortiGate unit: execute reboot
  7. The FortiGate unit responds with the following message:

This operation will reboot the system!

Do you want to continue? (y/n)

  8. Type y. As the FortiGate unit starts, a series of system startup messages appears. Wait for the following message:

Press any key to display configuration menu...

  9. Press any key. If you successfully interrupt the startup process, the following menu appears:

[G]: Get firmware image from TFTP server.

[F]: Format boot device.

[B]: Boot with backup firmware and set as default

[C]: Configuration and information

[Q]: Quit menu and continue to boot with default firmware.

[H]: Display this list of options. Enter G, F, Q, or H

  10. Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]:
  11. Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]:
  12. Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network to which the interface is connected.
  13. The following message appears: Enter File Name [image.out]:
  14. Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and a message similar to the following appears: Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
  15. Type D. The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.

Restoring from a USB key

  1. Log into the CLI.
  2. Enter the following command to restore an unencrypted configuration file:

execute restore image usb <string>

where <string> is the image file name on the USB disk.

  3. The FortiGate unit responds with the following message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

  4. Type y.

Controlled upgrade

Using a controlled upgrade, you can upload a new version of the FortiOS firmware to a separate partition in the FortiGate memory for a later upgrade. The FortiGate unit can also be configured so that when it is rebooted, it automatically loads the new firmware (CLI only). With this option, you can stage the firmware on a number of FortiGate units and then upgrade all of them at the same time using FortiManager or a script.

To load the firmware for later installation:

execute restore secondary-image {ftp | tftp | usb} <filename_str>

To set the FortiGate unit so that when it reboots, the new firmware is loaded:

execute set-next-reboot {primary | secondary}

where {primary | secondary} is the partition with the preloaded firmware.
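As an added example that is not part of the FortiOS documentation, the POSIX shell helper below stages an image in the TFTP root directory (step 2 of the TFTP procedures), verifies its SHA-256 against the checksum published with the release before the image is served, and prints the CLI commands for either an immediate upgrade or the controlled upgrade described above. The function name, directory layout and the checksum argument are this example's own assumptions; the FortiGate commands are the ones quoted in this page.

```shell
#!/bin/sh
# Added example, not FortiOS code. Stage a firmware image on a TFTP root,
# check its SHA-256 against the release's published value, and emit the
# FortiGate CLI commands for the chosen upgrade mode.

# stage_firmware <image> <expected_sha256> <tftp_root> <tftp_ipv4> <mode>
#   mode "now"    -> immediate upgrade (execute restore image tftp ...)
#   mode "staged" -> controlled upgrade into the secondary partition
# Prints the commands on success; returns 1 if any check fails.
stage_firmware() {
    image="$1"; expected="$2"; root="$3"; tftp_ip="$4"; mode="$5"
    [ -f "$image" ] || { echo "image not found: $image" >&2; return 1; }
    name=$(basename "$image")

    # Integrity check before the image is exposed over TFTP. The expected
    # value must come from the vendor's release notes, not from the
    # downloaded file itself. Falls back to shasum where sha256sum is absent.
    actual=$(sha256sum "$image" 2>/dev/null | cut -d' ' -f1) ||
        actual=$(shasum -a 256 "$image" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: $actual" >&2
        return 1
    fi

    # TFTP serves files from its root directory.
    mkdir -p "$root" && cp "$image" "$root/$name" || return 1

    case "$mode" in
        now)
            echo "execute ping $tftp_ip"
            echo "execute restore image tftp $name $tftp_ip"
            echo "execute update-now"
            ;;
        staged)
            echo "execute restore secondary-image tftp $name"
            echo "execute set-next-reboot secondary"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}
```

The printed commands are entered on the FortiGate CLI; the helper itself only prepares the TFTP side and refuses to stage an image whose checksum does not match.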