Category Archives: Tips and Tricks

Read The Damn Release Notes

I made a post about this on our forums (my first post on the forums, actually, haha) but decided I needed to make a front page post. Please save yourselves the heartache and grief and just read the damn release notes before you upgrade firmware versions. A technician friend of mine apparently doesn't like reading too much. Either way, he took a firewall straight to 5.4.1 via an unsupported firmware upgrade path. Yeah, I know, 5.4.1 is too early for production, I get that... but the issues he is experiencing are due to his lack of release note reading.

 

So PLEASE save yourself the trouble and pain and just read and follow the release notes!

Indexing of Old Archived Logs on FortiAnalyzer

Question: The FortiAnalyzer divides logs into indexed and archived. Once an old log is archived, can this be brought back in order to be indexed?

Answer:

# exec sql-local rebuild-db

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36458

Awesome tip from Paulo R on the Fortinet Forums. See the thread on the forums for the full discussion.

 

 

Custom FortiAnalyzer Report To See Blocked URLs for a Category

Ian on Fortinet’s forums asked a good question. You can see the question below:

Hi

I want to create a report that allows me to select a category and then to list all the activity for users where the URLS match that category. For example a report that lists user name, source IP, date time, url for the “Explicit Violence” category.

I have had a look at the datasets but my SQL coding is not too good 🙁

Has anyone tried this or any tips on what I need to do.

Regards

Ian

This is an awesome question, and it would be an incredible report to have, right? Well, CrisP replied with an incredible solution to this issue.

Hello Ian,
I hate unanswered questions on a forum like this…
So here you have my two pennies on this.

Create a new dataset using
==============================
select
    from_dtime(dtime) as timestamp, user_src, catdesc, hostname as website,
    action as status, sum(bandwidth) as bandwidth
from
###(
    select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src,
        dtime, catdesc, hostname, utmaction as action,
        sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth
    from $log-traffic
    where $filter and
        hostname is not null and
        logid_to_int(logid) not in (4, 7, 14) and ((logver>=52 and countweb>0)
        or
        ((logver is null) and utmevent in ('webfilter', 'banned-word', 'web-content',
        'command-block', 'script-filter')))
    group by user_src, dtime, catdesc, hostname, utmaction
    order by dtime desc
)### t
group by user_src, dtime, catdesc, website, status
order by dtime desc
===================================
(slightly modified from default dataset called “web-Detailed-Website-Browsing-Log”)
then build a new chart using the dataset, and a report using that chart.

Use a filter specifying the categories you want to detail in the Advanced settings of the report.

Now, if you really need the URLs, the story becomes quite ugly. You could see the post called “URL field” in this forum.
Best regards and good luck

(Screenshots: CategBrowsingDetail-AdvSettings, CategBrowsingDetail)

FortiAuthenticator For Windows Active Directory Self Service

Using FortiAuthenticator To Perform Account Self Service For AD

I was asked a question on the FortiAuthenticator 4.0 Admin Guide about whether or not a FortiAuthenticator is needed in order for a FortiGate to communicate and authenticate with Windows Active Directory. The answer to that question is a resounding "NO", but it did remind me of a neat trick the FortiAuthenticator does provide when deployed in an LDAP environment. I like to call little configuration things like this the key to #FortiSuccess.

When a FortiAuthenticator is deployed in a Windows Active Directory environment and its service account (the account you created for it to use when binding to AD to perform service tasks and lookups) has permission to read the directory and to write, i.e. reset, user passwords, you can use the FortiAuthenticator self-service portal to let your users perform their own AD password resets.

Having worked in help desk environments before, we all know that one of the most frequent trouble tickets a service desk receives is the dreaded password reset for users who have forgotten their credentials.

So buy a FortiAuthenticator, deploy it in your environment, and use it for self service so that you can reduce your help desk workload and overhead!

I deployed this configuration for a large university; they were able to greatly reduce the workload on their help desk, and at the same time their users felt empowered.

 

The FortiAuthenticator 4.0 documentation will tell you everything you need to know to deploy this setup. The specific Password Recovery configuration can be found on page 4 of that same documentation.

Policy Based IPSec and NAT

Think of the little things

This is going to be a quick guide on what to check when your policy-based IPsec tunnels decide not to work properly with NAT enabled.

I have a client who was getting ready to migrate a bunch of IPsec tunnels off one of their own clients' firewalls. The firewall originally hosting these tunnels was a Dell SonicWALL (threw up a little in my mouth right there).

We got the tunnels loaded and all of them worked fine except the ones that require NAT because of overlapping subnets.

Just a reminder, boys and girls: when your settings APPEAR to be correct but things still aren't working, it is going to be something simple.

It is always something simple!

When you create a phase 2 for your tunnels through the GUI, certain parameters are predefined for you. That is fine for a simple tunnel with no NAT applied.

One of those settings is "use-natip enable", which comes swinging right out of the gate. If you have never looked at your phase 2 through the CLI, you would not even know it existed.

Proof is in the pudding:

There is nothing more frustrating than having your policy set up improperly (no NAT applied through the policy) and seeing the tunnel come up with no traffic flowing, then enabling NAT in the policy and suddenly having no tunnel AND no traffic.

The two conflict. So if you are running policy-based IPsec tunnels that ALSO perform NAT on the policy (which, by the way, you can only enable on the policy through the CLI), you are going to be in for a bad time until you turn off the use-natip setting on the phase 2.
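As an added example that is not from the original post, here is what the conflicting combination and the corrected one look like in the FortiOS 5.x CLI. The phase 1/phase 2 names, interfaces, address objects, subnets and the NAT range are assumptions chosen for illustration; use-natip, natoutbound, natip, show full-configuration and diagnose vpn tunnel list are FortiOS's own commands.

```text
# Check first: a plain "show" omits values that are still at their default,
# so the GUI-created phase 2 prints nothing about use-natip.
# "show full-configuration" prints every value, including that one.
show full-configuration vpn ipsec phase2 "sw-mig-p2"

# --- Conflicting combination: what the GUI leaves you with (assumed names) ---
config vpn ipsec phase2
    edit "sw-mig-p2"
        set phase1name "sw-mig"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
        # GUI default. Once NAT is enabled on the policy below, this is the
        # setting that leaves you with no tunnel and no traffic.
        set use-natip enable
    next
end

# --- Corrected combination ---
config vpn ipsec phase2
    edit "sw-mig-p2"
        set phase1name "sw-mig"
        # Selector the remote peer sees: the translated range (assumed here
        # to be 172.16.50.0/24), not the overlapping local 192.168.10.0/24.
        set src-subnet 172.16.50.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
        set use-natip disable
    next
end

# NAT on a policy-based IPsec policy (action ipsec) is only exposed in the CLI.
config firewall policy
    edit 20
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "LAN_192.168.10.0"
        set dstaddr "REMOTE_10.20.0.0"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "sw-mig"
        set natoutbound enable
        set natip 172.16.50.0 255.255.255.0
    next
end

# Verify: the negotiated SA should carry the translated source range as its
# phase 2 selector.
diagnose vpn tunnel list name "sw-mig"
```

The first line is the check worth remembering from this post: if you only ever run `show`, a default such as use-natip enable never appears on screen, which is exactly why it goes unnoticed until NAT is switched on in the policy.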

In Conclusion:

I know this entire post is basically one giant run-on sentence, but I wanted to get it on paper while it was fresh in my head. I tend to forget things, you know. By all means share your findings on these types of situations in the comments. I would love a healthy dialogue regarding these things! If I need to expand on anything to make it easier to understand, please let me know. I am always available to answer questions.

Zones Will Save Your Sanity

FortiGates are interface-driven firewalls, so policy is relatively straightforward: port1 to wan1, allow HTTP, NAT, you get my drift. In more complex environments, though, where you can easily have 5-10 interfaces (even more once you bring in VLANs), you will most certainly want to use zones.

What is a zone? A zone is a logical "interface" that you assign other interfaces to and then reference in policy instead of the members. For instance, my common deployment has two main zones, INSIDE and OUTSIDE. This keeps policy extremely simple.

The train of thought with this zone setup is that traffic is either coming in or going out. From there you just create the policy and work accordingly. This makes deployments for my clients super easy.

The setup at my house is done this way as well (I have a FortiGate 92D at home). My setup is slightly more advanced thanks to dual internet connections, SSL VPN, and other capabilities kicked on. But as you can see in the policy set below, I have an INSIDE zone. That zone has my work network, my personal home network, and my DMZ wireless network (for when I am cleaning people's deranged and abused machines). I have each one assigned to the INSIDE zone so that I can apply the same policy to traffic travelling from inside sources to the internet. This greatly reduces policy count and helps keep things uniform.

Disclaimer: make sure to tick the "Block Intra-Zone Traffic" check box when creating a zone that includes networks you don't want communicating with each other without a policy. For instance, my INSIDE zone has my work network, which only my work laptop needs to see; my personal network, which sees everything on the personal net; and a DMZ network that I absolutely don't want ANY of my other networks to receive traffic from or send traffic to. So I tick the "block intra-zone traffic" box when I create the zone (it can be edited after the zone is created as well) and then manually allow what is needed via policy (the work network is able to reach the printer on the personal net, etc.). Remember, the more granular you are, the better your security will be. Also, the only traffic that should be able to flow is the traffic you explicitly allow.
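As an added example, not a configuration from the original post, here is the INSIDE/OUTSIDE zone layout described above as FortiOS 5.x CLI, with intra-zone traffic blocked and one explicit exception for the work laptop reaching the home printer. The interface names, address objects, subnets and the IPP service are assumptions for illustration; config system zone, intrazone block and the policy settings are FortiOS's own.

```text
# Zones with intra-zone traffic blocked (interface names are assumptions:
# port1 = work net, port2 = personal net, port3 = DMZ wireless)
config system zone
    edit "INSIDE"
        # Nothing moves between member interfaces unless a policy allows it
        set intrazone block
        set interface "port1" "port2" "port3"
    next
    edit "OUTSIDE"
        set intrazone block
        set interface "wan1" "wan2"
    next
end

# Address objects used to scope the one intra-zone exception (assumed values)
config firewall address
    edit "WORK_LAPTOP"
        set subnet 192.168.10.50 255.255.255.255
    next
    edit "HOME_PRINTER"
        set subnet 192.168.20.9 255.255.255.255
    next
end

# Printing only: IPP on TCP/631 rather than "ALL"
config firewall service custom
    edit "IPP"
        set tcp-portrange 631
    next
end

config firewall policy
    # 1. One policy covers every INSIDE network heading to the Internet.
    edit 1
        set srcintf "INSIDE"
        set dstintf "OUTSIDE"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # 2. The only intra-zone exception: the work laptop may print.
    #    Interfaces that belong to a zone cannot be named in a policy on
    #    their own, so the zone is used on both sides and the address
    #    objects plus the service do the scoping.
    edit 2
        set srcintf "INSIDE"
        set dstintf "INSIDE"
        set srcaddr "WORK_LAPTOP"
        set dstaddr "HOME_PRINTER"
        set action accept
        set schedule "always"
        set service "IPP"
    next
end
```

Everything between the three INSIDE networks that policy 2 does not match is dropped by the intrazone block, including anything from the DMZ wireless network towards the other two, which is the behaviour the disclaimer above asks for.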

Zone Setup FortiGate FortiOS 5.4