FortiClient EMS – Enterprise Management Server

FortiClient EMS – Enterprise Management Server

FortiClient Enterprise Management Server (FortiClient EMS) is a security management solution that enables scalable and centralized management of multiple endpoints (computers). FortiClient EMS provides efficient and effective administration of endpoints running FortiClient. It provides visibility across the network to securely share information and assign security profiles to endpoints. It is designed to maximize operational efficiency and includes automated capabilities for device management and troubleshooting.

FortiClient EMS is designed to meet the needs of small to large enterprises that deploy FortiClient on endpoints. Benefits of deploying FortiClient EMS include:

Communication Service Protocol Port
FortiClient endpoint registration File transfers TCP 8013 (default)
Computer browser service Enabled
Samba (SMB) service

l During FortiClient deployment, endpoints may connect to the FortiClient EMS server using the SMB service.

Enabled 445
Distributed Computing Environment / Remote Procedure Calls (DCE- RPC)

l The FortiClient EMS server connects to the endpoints using RPC for FortiClient deployment.

Enabled 135
Active Directory server connection When used as

a default connection

389
Windows HTTP TCP 80
  • Remotely deploying FortiClient software to Windows PCs.
  • Updating profiles for endpoint users regardless of access location, such as administering antivirus, web filtering, VPN, and signature updates.
  • Administering FortiClient endpoint registrations, such as accepting, deregistering, and blocking registrations. l Managing endpoints, such as status, system, and signature information. l Identifying outdated versions of FortiClient software.

Required services

You must ensure that required ports and services are enabled for use by FortiClient EMS and its associated applications on your server. The required ports and services enable FortiClient EMS to communicate with clients and servers running associated applications.

FortiClient EMS – Enterprise Management Server

Communication Service Protocol Port
Internet Information Services (IIS) HTTPS TCP 443, 10443
SQL server

For more infomation about FortiClient EMS, including other requirements, installation, and management, see the FortiClient EMS Administration Guide.

OFTP – Optimized Fabric Transfer Protocol

OFTP – Optimized Fabric Transfer Protocol

The Optimized Fabric Transfer Protocol (OFTP) is used when information is synchronized between FortiAnalyzer and FortiGate. Remote logging and archiving can be configured on the FortiGate to send logs to a FortiAnalyzer (and/or FortiManager) unit.

OFTP listens on ports TCP/514 and UDP/514.

You can connect to a FortiAnalyzer unit from a FortiGate unit using Automatic Discovery, so long as both units are on the same network. Connecting these devices in this way does not use OFTP. Instead, the Fortinet Discovery Protocol (FDP) is used to locate the FortiAnalyzer unit.

When you select Automatic Discovery, the FortiGate unit uses HELLO packets to locate any FortiAnalyzer units that are available on the network within the same subnet. When the FortiGate unit discovers the FortiAnalyzer unit, the FortiGate unit automatically enables logging to the FortiAnalyzer unit and begins sending log data.

CLI command – To connect to FortiAnalyzer using Automatic Discovery:

config log fortianalyzer setting set status [enable | disable] set server <ip_address> set gui-display [enable | disable] set address-mode auto-discovery

end

To send logs from FortiGate to FortiAnalyzer:

  1. Go to Log & Report > Log Settings and enable Send Logs to FortiAnalyzer/FortiManager (under Remote Logging and Archiving).
  2. Enter the FortiAnalyzer unit’s IP address in the IP Address field provided.
  3. For Upload Option, select Store & Upload Logs to set when the uploads occur (either Daily, Weekly, or Monthly), and the time when the unit uploads the logs. Select Realtime to upload logs as they come across the FortiGate unit.
  4. Logs sent to FortiAnalyzer can be encrypted by enabling Encrypt Log Transmission.

 

FSSO – Fortinet Single Sign-On

FSSO – Fortinet Single Sign-On

Fortinet Single Sign-On (FSSO), formerly known as FortiGate Server Authentication Extension (FSAE), is the authentication protocol by which users can transparently authenticate to FortiGate, FortiAuthenticator, and FortiCache devices. The FortiAuthenticator unit identifies users based on their authentication from a different system, and can be authenticated via numerous methods:

  • Users can authenticate through a web portal and a set of embeddable widgets. l Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
  • Users authenticating against Active Directory can be automatically authenticated. l RADIUS Accounting packets can be used to trigger an FSSO authentication. l Users can be identified through the FortiAuthenticator API. This is useful for integration with third-party systems.

Below are the TCP/UDP ports used by the multiple FSSO modes:

Purpose Protocol/Port
LDAP group membership lookup (Global Catalog) TCP/3268
LDAP domain controller discovery and group membership lookup TCP/389
DC Agent keepalive and push logon info to CA UDP/8002
CA keepalive and push logon info to Fortigate TCP/8000
NTLM TCP/8000
CA DNS UDP/53
Workstation check, polling mode (preferred method) TCP/445
Workstation check, polling mode (fallback method) TCP/135, TCP/139, UDP/137
Remote access to logon events TCP/445
Group lookup using LDAP TCP/389
Group lookup using LDAP with global catalog TCP/3268
Group lookup using LDAPS TCP/636
Resolve FSSO server name UDP/53

FSSO – Fortinet Single Sign-On

Configuring the FortiAuthenticator

The FortiAuthenticator unit can be integrated with external network authentication systems, such as RADIUS, LDAP, Windows AD, and FortiClients to poll user logon information and send it to the FortiGate unit.

To configure FortiAuthenticator polling:

  1. Go to Fortinet SSO Methods > SSO > General.
  2. In the FortiGate section, leave Listening port set to 8000, unless your network requires you to change this. The FortiGate unit must allow traffic on this port to pass through the firewall. Optionally, you can set the Login expiry time (default is 480 minutes, or eight hours). This is the length of time users can remain logged in before the system logs them off automatically.
  3. Select Enable authentication and enter the Secret key. Be sure to use the same secret key when configuring the FSSO Agent on FortiGate units.
  4. In the Fortinet Single Sign-On (FSSO) section, enter the following information:
Enable Windows event log polling (e.g. domain controllers/Exchange

servers)

Select for integration with Windows Active Directory
Enable RADIUS

Accounting SSO clients

Select if you want to use a Remote RADIUS server.
Enable Syslog SSO Select for integration with Syslog server.
Enable FortiClient SSO Mobility Agent Service Once enabled, also select Enable authentication to enable SSO by clients running FortiClient Endpoint Security.

Enter the Secret key. Be sure to use the same secret key in the FortiClient Single Sign-On Mobility Agent settings.

  1. Select OK.

For more detailed information for each available setting, see the FortiAuthenticator Administration Guide.

Configuring the FortiGate

The FortiAuthenticator unit needs to be added to the FortiGate as an SSO agent that will provide user logon information.

To add a FortiAuthenticator unit as SSO agent:

  1. Go to User & Device > Single Sign-On and select Create New.
  2. Set Type to Fortinet Single-Sign-On Agent, and enter a Name.
  3. In Primary Agent IP/Name, enter the IP address of the FortiAuthenticator unit or a name.
  4. In Password, enter the same secret key defined earlier on the FortiAuthenticator (under Fortinet SSO Methods > SSO > General).

 

FSSO – Fortinet Single Sign-On

  1. You may also specify Users/Groups from the dropdown menu.
  2. Select OK.

In a few minutes, the FortiGate unit receives a list of user groups from the FortiAuthenticator unit. When you open the server, you can see the list of groups. You can use the groups in identity-based security policies.

FSSO user groups

You can only use FortiAuthenticator SSO user groups directly in identity-based security policies. You must create an FSSO user group, then add FortiAuthenticator SSO user groups to it. These FortiGate FSSO user groups will then become available for selection in identity-based security policies.

To create an FSSO user group:

  1. Go to User & Device > User Groups and select Create New.
  2. Enter a Name for the group.
  3. Set Type to Fortinet Single Sign-On (FSSO).
  4. Add Members. The groups available to add as members are SSO groups provided by SSO agents.
  5. Select OK.

Configuring the FortiClient SSO Mobility Agent

In order for the user to successfully set up the SSO Mobility Agent in FortiClient, they must know the FortiAuthenticator IP address and pre-shared key/secret.

To configure FortiClient SSO Mobility Agent:

  1. In FortiClient, go to File > Settings.
  2. Under Advanced, select Enable Single Sign-On mobility agent.
  3. In Server address, enter the IP address of the FortiAuthenticator.
  4. In Customize port, enter the listening port number specified on the FortiAuthenticator unit. You can omit the port number if it is 8005.
  5. Enter the Pre-shared key.
  6. Select OK.

For more detailed FSSO configurations, including with Windows AD, Citrix, Novell eDirectory, and more, see the Authentication guide.

CLI Syntax

The following section contains commands to control FSSO.

user/fsso

The following command will set the server address, port, and password for multiple FSSO agents.

config user fsso edit <name_str> set name <string> set [server | server2 | server3 | server4 | server5] <string> set [port | port2 | port3 | port4 | port5] <integer>

set [password | password2 | password3 | password4 | password5] <password> end

FSSO – Fortinet Single Sign-On

user/fsso-polling

The following command will set the Active Directory server port.

config user fsso-polling edit <name_str> set port <integer> end

FortiOS WAN optimization

FortiOS WAN optimization

Multi-location organizations or businesses using the cloud can provide license-free WAN optimization using FortiOS.

WAN Optimization is a comprehensive solution that maximizes your WAN performance and provides intelligent bandwith management and unmatched consolidated security performance. WAN optimization reduces your network overhead and removes unneccessary traffic for a better overall performance experience. Efficient use of bandwidth and better application performance will remove the need for costly WAN link upgrades between data centers and other expensive solutions for your network traffic growth.

WAN optimization is available on FortiGate models with internal storage that also support SSL acceleration. Internal storage includes high-capacity internal hard disks, AMC hard disk modules, FortiGate Storage Modules (FSMs) or over 4 GB of internal flash storage.

WAN optimization tunnels use port 7810.

The following features below are available through WAN optimization:

Protocol optimization

Protocol optimization is effective for applications designed for the LAN that do not function well on low bandwidth, high latency networks. FortiOS protocol optimization improves the efficiency of CIFS, FTP, HTTP, MAPI, and general TCP sessions.

CIFC, for example, requires many background transactions to successfully transfer a single file. When transferring the file, CIFS sends small chunks of data and waits sequentially for each chunk’s arrival and acknowledgment before sending the next chunk. This large amount of requests and acknowledgements of traffic can delay transfers. WAN Optimization removes this complexity and improves the efficiency of transferring the file.

TCP protocol optimization uses techniques such as SACK support, window scaling and window size adjustment, and connection pooling to remove common WAN TCP bottlenecks.

FortiOS WAN optimization

Byte caching

Byte caching improves caching by accelerating the transfer of similar, but not identical content. Byte caching reduces the amount of data crossing the WAN when multiple different emails with the same or similar attachments or different versions of an attachment are downloaded from a corporate email server to different locations over the WAN.

Byte caching breaks large units of application data, such as email attachments or file downloads, into smaller chunks of data. Each chunk of data is labeled with a hash, and chunks with their respective hashes are stored in a database on the local FortiGate unit. When a remote user requests a file, WAN optimization sends the hashes, rather than the actual data. The FortiGate unit at the other end of the WAN tunnel reassembles the data from its own hash database, only downloading the chunks it is missing. Deduplication, or the process of eliminating duplicate data, will reduce space consumption.

Byte caching is not application specific, and assists by accelerating all protocols supported by WAN optimization.

Web caching

WAN optimization reduces download times of content from central files repositories through web caching. FortiOS Web caching stores remote files and web pages on local FortiGate devices for easy local access to commonly accessed files. There is little impact on the WAN, resulting in reduced latency for those requesting the files.

In addition, web caching also recognizes requests for Windows or MS Office updates, and downloads the new update file in the background. Once downloaded to the cache, the new update file is available to all users, and all subsequent requests for this update are rapidly downloaded from the cache.

FortiOS WAN optimization

Traffic shaping

Controls data flow for specific applications, giving administrators the flexibility to choose which applications take precedence over the WAN. A common use case of traffic shaping would be to prevent one protocol or application from flooding a link over other protocols deemed more important by the administrator.

SSL acceleration

SSL is used by many organizations to keep WAN communications private. WAN Optimization boosts SSL acceleration properties of FortiGate FortiASIC hardware by accelerating SSL traffic across the WAN. The FortiGate unit handles SSL encryption/decryption for corporate servers providing SSL encrypted connections over the WAN.

Explicit web proxy server

Allows users on the internal network to browse the Internet through the explicit web proxy server.

Explicit FTP proxy server

Allows users on the internal network to access FTP servers through the explicit FTP proxy server.

Reverse proxy

The web and FTP proxies can be configured to protect access to web or FTP servers that are behind the FortiGate using a reverse proxy configuration. Reverse proxies retrieve resources on behalf of a client from one or more servers. These resources are then returned to the client as if they originated from the proxy server.

WCCP

The Web Cache Communication Protocol (WCCP) allows you to offload web caching to redundant web caching servers. This traffic redirection helps to improve response time and optimize network resource usage.

WAN optimization and HA

You can configure WAN optimization on a FortiGate HA cluster. The recommended HA configuration for WAN optimization is active-passive mode. Also, when the cluster is operating, all WAN optimization sessions are processed by the primary unit only. Even if the cluster is operating in active-active mode, HA does not loadbalance WAN optimization sessions. HA also does not support WAN optimization session failover.

Configuring an explicit proxy with WAN optimization web caching

For this configuration, all devices on the wireless network will be required to connect to the proxy at port 8080 before they can browse the Internet. WAN Optimization web caching is added to reduce the amount of Internet bandwidth used and improve web browsing performance.

Enabling WAN Optimization and configuring the explicit web proxy for the wireless interface

  1. Go to System > Config > Features. Ensure that Explicit Proxy and WAN Opt & Cache are enabled.
  2. Go to System > Network > Interfaces, edit the wireless interface and select Enable Explicit Web Proxy.

FortiOS WAN optimization

  1. Go to System > Network > Explicit Proxy. Select Enable Explicit Web Proxy for HTTP/HTTPS. Make sure that Default Firewall Policy Action is set to Deny.

Adding an explicit web proxy policy

  1. Go to Policy & Objects > Policy > Explicit Proxy and create a new policy.
  2. Set Explicit Proxy Type to Web and the Outgoing Interface to the Internet-facing interface.
  3. Enable Web Cache.

Configuring devices on the wireless network to use the web proxy

To use the web proxy, all devices on the wireless network must be configured to use the explicit proxy server. The IP address of the server is the IP address of the FortiGate’s wireless interface (for example, 10.10.80.1) and the port is 8080. Some browsers may have to be configured to use the device’s proxy settings.

For Windows Vista/7/8, open Internet Properties. Go to Connections > LAN Settings and enable and configure the Proxy Server.

For Mac OS X, open Network Preferences > Wi-Fi > Advanced > Proxies. Select Web Proxy (HTTP) and configure the proxy settings.

For iOS, go to Settings > Wi-Fi. Edit the wireless network. Scroll down to HTTP PROXY, select Manual, and configure the proxy settings.

For Android, in WiFi network connection settings, edit the wireless network. Select Show advanced options, configure a Manual proxy, and enter the proxy settings.

Force HTTP and HTTPS traffic to use the Web Proxy

Block HTTP and HTTPS access to the Internet from the wireless network so that the only path to the Internet is through the explicit proxy. You can edit or delete policies that allow HTTP or HTTPS access. You can also add a policy to the top of the list that Denies HTTP and HTTPS traffic.

FortiLink

FortiLink

FortiGate units can be used to remotely manage FortiSwitch units, which is also known as using a FortSwitch in FortiLink mode. FortiLink defines the management interface and the remote management protocol between the FortiGate and FortiSwitch.

Supported FortiSwitch models

The following table shows the FortiSwitch models that support FortiLink mode when paired with the corresponding FortiGate models and the listed minimum software releases.

FortiSwitch FortiGate Earliest FortiSwitchOS Earlist FortiOS
FS-224D-POE FGT-90D (Wifi/POE) 3.0.0 5.2.2
FS-108D-POE FGT-60D (all) 3.0.1 5.2.3
FSR-112D-POE FGR-90D 3.0.1 5.2.3
FS-124D FGT-90D + FGT-60D 3.0.1 5.2.3
FS-124D-POE FGT-90D + FGT-60D 3.0.1 5.2.3
FS-224D-FPOE FGT-90D + FGT-60D 3.0.1 5.2.3

Note that all FortiSwitches above also support FortiLink mode when paired with the following FortiGate models: 100D, 140D (POE, T1), 200D, 240D, 280D (POE), 600C, 800C, and 1000C.

FortiLink ports for each FortiSwitch model

Each FortiSwitch model provides one designated port for the FortiLink connection. The table below lists the FortiLink port for each model:

FortiSwitch model Port for FortiLink connection
FS-28C WAN port 1
FS-324B-POE Management Port
FS-448B (10G only) WAN port (uplink 1)

 

FortiSwitch model                                Port for FortiLink connection
FS-348B                                                 Last port (port 48)
For all D-series switches, use the last (highest number) port for FortiLink. For example:
FS-108D-POE                                         Last port (port 10)
FSR-112D-POE                                       Last port (port 12)
FS-124D                                                 Last port (port 26). May require an SFP module.*
FS-224D-POE                                         Last port (port 24)
FS-224D-FPOE                                       Last port (port 28). May require an SFP module.*

* FortiSwitch 3.3.1 and later releases support the use of an RJ-45 port for FortiLink. Please contact Fortinet Customer Service & Support for additional information.

FortiLink ports for each FortiGate model

The following table shows the ports for each model of FortiGate that can be FortiLink-dedicated.

FortiGate model Port for FortiLink connection
FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE port1 – port14
FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE port1 – port7
FGT-100D port1 – port16
FGT-140D , 140D-POE, 140D-POE-T1 port1 – port36
FGT-200D port1 – port16
FGT-240D port1 – port40
FGT-280D, FGT-280D-POE port1 – port84
FGT-600C port3 – port22
FGT-800C port3 – port24
FGT-1000C port3 – port14, port23, port24

FortiLink

Auto-discovery of the FortiSwitch ports

In releases FortiSwitchOS 3.3.0 and beyond, the D-series FortiSwitch models support FortiLink auto-discovery, which is automatic detection of the port connected to the FortiGate.

You can use any of the switch ports for FortiLink. Use the following FortiSwitch CLI commands to configure a port for FortiLink auto-discovery:

config switch interface edit <port> set auto-discovery-fortilink enable

end

Note that some FortiSwitch ports are enabled for auto-discovery by default.

Each FortiSwitch model provides a set of ports that are enabled for FortiLink auto-discovery by default. If you connect the FortiLink using one of these ports, no switch configuration is required.

In general (in FortiSwitchOS 3.4.0 and later releases), the last four ports are the default auto-discovery FortiLink ports. The table below lists the default auto-discovery ports for each switch model:

FortiSwitch model Default Auto-FortiLink ports
FS-108D ports 9 and 10
FSR-112D ports 9, 10, 11, and 12
FS-124D, FS-124D-POE ports 23, 24, 25, and 26
FS-224D-POE ports 21, 22, 23, and 24
FS-224D-FPOE ports 25, 26, 27, and 28
FS-248D-POE ports 49, 50, 51, and 52
FS-248D-FPOE ports 49, 50, 51, and 52
FS-424D, FS-424D-POE, FS-424D-FPOE ports 25 and 26
FS-448D, FS-448D-POE, FS-448D-FPOE ports 49, 50, 51, and 52
FS-524D, FS-524D-FPOE ports 25, 26, 27, 28, 29, and 30
FS-548D, FS-548D-FPOE ports 49, 50, 51, 52, 53, and 54
FS-1024D, FS-1048D, FS-3032D all ports

You can also run the show switch interface CLI command on the FortiSwitch to see the ports that have auto-discovery enabled.

Adding a Managed FortiSwitch to the FortiGate

The following steps show how to add a new managed FortiSwitch using the FortiGate GUI or the CLI.

Using the FortiGate GUI:

  1. Connect a cable from the designated FortiSwitch port to an unused port on the FortiGate. Refer to FortiLink ports for each FortiSwitch model for additional information.
  2. Go to Network > Interfaces and edit an internal port on the FortiGate.
  3. Set Addressing mode to Dedicated to FortiSwitch and select OK.
  4. As of FortiOS 5.4.0, the Managed FortiSwitch GUI option can only be accessed by enabling it through the CLI console.

Open the CLI console and enter the following command to make the switch controller available in the GUI, and to set the reserved subnetwork for the controller:

config system global set switch-controller enable

set switch-controller-reserved-network 169.254.254.0 255.255.255.0

end

  1. Go to WiFI & Switch Controller > Managed FortiSwitch. The new FortiSwitch should now be displayed in the table.
  2. Right-click on the FortiSwitch and select Authorize.

Using the FortiGate CLI:

Note that, for the example shown below, the FortiGate’s port1 is configured as the FortiLink port.

  1. If required, remove port1 from the lan interface:

config system virtual-switch edit lan config port delete port1

end

end

end

  1. Configure the interface for port1:

config system interface edit port1 set ip 172.20.120.10 255.255.255.0 set allowaccess capwap set vlanforward enable

end

end

  1. Configure an NTP server on port1:

config system ntp set server-mode enable set interface port1

end

  1. Authorize the FortiSwitch unit as a managed switch (note that that FortiSwitch will reboot once you issue the command below):

config switch-controller managed-switch

FortiLink

edit FS224D3W14000370 set fsw-wan1-admin enable

end

end

  1. Configure a DHCP server on port1:

config system dhcp server edit 0 set netmask 255.255.255.252 set interface port1 config ip-range edit 0 set start-ip 169.254.254.2 set end-ip 169.254.254.50

end

set vci-match enable set vci-string FortiSwitch set ntp-service local

end

end

Set the FortiSwitch to Remote Management mode

Use the FortiSwitch GUI or the CLI to set the remote management mode.

Note that the following steps are not necessary for FortiSwitchOS releases 3.3.0 or later.

Using the FortiSwitch GUI:

  1. Go to System > Dashboard > Status and locate the System Information
  2. Beside Operation Mode, select Change.
  3. Change Management Mode to FortiGate Remote Management and select OK.
  4. A warning will appear asking if you wish to continue. Select OK.

Using the FortiSwitch CLI:

config system global set switch-mgmt-mode fortilink

end

Configuring the FortiSwitch Remote Management port

If the FortiSwitch model has a dedicated management port, you can configure remote management to the FortiSwitch. In FortiLink mode, the FortiGate is the default gateway, so you need to configure an explicit route for the FortiSwitch management port.

To do this, from the FortiSwitch CLI, enter the following command:

config router static edit 1 set device mgmt

set gateway <router_IP_address> set dst <router_subnet> <subnet_mask>

end end

Configuring FortiLink LAG

Starting with FortiOS 5.4.0 and FortiSwitchOS 3.3.0, you can configure the Fortilink as a Link Aggregation Group (LAG) to provide increased bandwidth between the FortiGate and FortiSwitch.

Connect any two ports on the FortiGate to two ports on the FortiSwitch. Make sure that you use the designated Fortilink port as one of the ports on the switch.

To configure the Fortilink as a LAG on the FortiGate, create a trunk (of type fortilink) with the two ports that you connected to the switch:

config system interface edit “fortilink” set vdom root

set allowaccess ping capwap http https set type fortilink set member port4 port5 set snmp-index 17 set lacp-mode static

next

end config system ntp set ntpsync enable set syncinterval 60 set server-mode enable set interface “fortilink”

end

There is no specific configuration required for the LAG on the switch.

 

FortiGuard

FortiGuard

FortiGuard services can be purchased and registered to your FortiGate unit. The FortiGate must be connected to the Internet in order to automatically connect to the FortiGuard Distribution Network (FDN) to validate the license and download FDN updates.

The FortiGuard subscription update services include:

  • AntiVirus (AV) l Intrusion Protection Service (IPS) l Application Control l Anti-Spam l Web Filtering
  • Web Application Firewall (WAF)

The FDN sends notice that a FortiGuard AntiVirus and IPS update is available on UDP/9443.

Enabling FDN updates and FortiGuard Services

In order to receive FortiGuard subscription updates, the unit needs to have access to the Internet and be able to connect to a DNS server in order to resolve the following URLs:

l update.fortiguard.net: For AV and IPS updates l service.fortiguard.net: For web filtering and anti-spam updates

  1. Go to System > FortiGuard. Under AntiVirus & IPS Updates, enable Scheduled Updates, and configure an update schedule.
  2. You can force the unit to connect to the AV/IPS server by selecting Update AV & IPS Definitions.
  3. You can view your subscription details above in the License Information
  4. Once the schedule has been enabled, select Apply.

To see if the service is viable, open the CLI console and enter the following commands below.

For Web Filtering:

diagnose debug rating

For Anti-Spam:

diag spamfilter fortishield servers

If only one or two IPs are displayed in the command outputs, it could be one of the following issues:

l No response from the DNS server: Either the DNS server is unreachable or there is a problem with the routing. Make sure that contact to the DNS server is available by resolving some URLs from the CLI, for example:

exec ping http://www.google.com exec ping service.fortiguard.net

You can also l Review update errors: Review update information from the last update, enable debug outputs and force the update:

diag test update info

FortiGuard

diag debug enable

diag debug application update 255 exec update-ase exec update-av exec update-ips

After troubleshooting, it is highly recommended to turn off debug mode:

diag debug disable diag debug application update 0

l FortiGuard Web filtering: Port blocking or packet inspection is occurring downstream. The default port used by the FortiGuard for the FortiGuard services is 53. The traffic will fail any DNS packet inspection that could be happening.

You can either change the port to 8888 from the GUI, or change the source port for management traffic with the following CLI command:

config system global set ip-src-port-range 1035-25000

end diag test application urlfilter 99 diag test application smtp 99

CLI Syntax

The following section contains commands to control FortiGuard.

system.autoupdate/push-update

The following command will set the FDN push update port.

config system.autoupdate push-update edit <name_str> set port <integer>

end

system.autoupdate/tunneling

The following command will set the proxy server port that the FortiGate will use to connect to the FortiGuard Distribution Network (FDN).

config system.autoupdate tunneling edit <name_str> set port <integer>

end

system/fortiguard

The following command will set the port by which scheduled FortiGuard service updates will be received.

config system fortiguard edit <name_str> set port [53 | 8888 | 80]

end

FortiGuard

webfilter/fortiguard

The following command will close ports used for HTTPS/HTTP override authentication and disable user overrides:

config webfilter fortiguard edit <name> set close-ports [enable | disable] end

FortiTelemetry/On-Net/FortiClient Endpoint Compliance

FortiTelemetry/On-Net/FortiClient Endpoint Compliance

FortiTelemetry (called FortiHeartBeat in FortiOS 5.4.0 and FortiClient Access in FortiOS 5.2) is an interface option that listens for connections from devices with FortiClient installed.

FortiTelemetry is the TCP/8013 protocol used between FortiClient and FortiGate, FortiClient and FortiClient EMS, and between FortiGate and other FortiGates in CSF configurations.

While all GUI references of FortiHeartBeat have been changed to FortiTelemetry in FortiOS 5.4.1, the CLI options have not been renamed and will remain as fortiheartbeat.

With FortiTelemetry enabled on the FortiGate, you can enforce FortiTelemetry for all FortiClients. This FortiClient endpoint compliance will require all clients to have FortiClient installed in order to get access through the FortiGate. Configure these settings in the internal interface under Network > Interfaces. Edit the interface of your choice. Under Restrict Access > Administrative Access, enable FortiTelemetry, then enable FortiClient On-Net Status.

CLI command – To enable FortiTelemetry on an interface:

config system interface edit <port_number> set listen-forticlient-connection enable set endpoint-compliance enable

end

You can also enable DHCP server and FortiClient On-Net Status to display the on-net status of FortiClient devices on the FortiClient Monitor (under Monitor > FortiClient Monitor).

CLI command – To enable FortiClient On-Net status for a DHCP server added to the port1 interface:

config system dhcp server edit 1 set interface port1

set forticlient-on-net-status enable

end

FortiClient Endpoint licence updates

FortiClient endpoint licenses for FortiOS 5.6.0 can be purchased in multiples of 100. There is a maximum client limit based on the FortiGate’s model. FortiCare enforces the maximum limits when the customer is applying the license to a model.

If you are using the ten free licenses for FortiClient, support is provided on the Fortinet Forum (forum.fortinet.com). Phone support is only available for paid licenses.

Model(s) Maximum Client Limit
VM00 200

FortiTelemetry/On-Net/FortiClient Endpoint Compliance

Model(s) Maximum Client Limit
FGT/FWF 30 to 90 series 200
FGT 100 to 400 series 600
FGT 500 to 900 series, VM01, VM02 2,000
FGT 1000 to 2900 series, VM04 50,000
FGT 3700D and above, VM08 and above 100,000

Older FortiClient SKUs will still be valid and can be applied to FortiOS 5.4 and 5.6.

Connecting FortiClient Telemetry after installation

After FortiClient is installed on an endpoint, FortiClient automatically launches and searches for a FortiGate or FortiClient EMS for FortiClient Telemetry connection. When FortiClient locates a FortiGate or EMS, the FortiGate Detected or Enterprise Management Server (EMS) Detected dialog box will appear:

If all the information displayed is correct, select Accept. FortiClient Telemetry will connect to the identified FortiGate/EMS.

Alternately, you can select Cancel and launch FortiClient without connecting to FortiClient Telemetry. This will launch FortiClient is standalone mode, where you can manually connect FortiClient Telemetry.

After FortiClient Telemetry is connected to FortiGate or EMS, FortiClient downloads a profile from FortiGate/EMS.

How FortiClient locates FortiGate/EMS

FortiClient uses the following methods in the following order to automatically locate FortiGate/EMS for Telemetry connection:

FortiTelemetry/On-Net/FortiClient Endpoint Compliance

  1. Telemetry gateway IP list: FortiClient Telemetry searches for IP addresses in its subnet in the Gateway IP list. It connects to the FortiGate in the list that is also in the same subnet as the host system.

If FortiClient cannot find any FortiGates in its subnet, it will attempt to connect to the first reachable FortiGate in the list, starting from the top. The order of the list is maintained as it was configured in the Gateway IP list.

  1. Remembered gateway IP list: You can configure FortiClient to remember gateway IP addresses when you connect Telemetry to FortiGate/EMS. Later FortiClient can use the remembered IP addresses to automatically connect Telemetry to FortiGate/EMS.
  2. Default gateway IP address: The default gateway IP address is specified on the FortiClient endpoint and is used to automatically connect to FortiGate. This method does not support connection to EMS.

FortiClient obtains the default gateway IP address from the operating system on the endpoint device. The default gateway IP address of the endpoint device should be the IP address for the FortiGate interface with Telemetry enabled.

If FortiClient is unable to automatically locate a FortiGate/EMS on the network for Telemetry connection, you can type the gateway IP address of the FortiGate/EMS.

 

CSF – Cooperative Security Fabric

CSF – Cooperative Security Fabric

Cooperative Security Fabric (CSF) – also known as a Fortinet Security Fabric – spans across an entire network linking different security sensors and tools together to collect, coordinate, and respond to malicious behavior in real time. CSF can be used to coordinate the behavior of different Fortinet products in your network, including FortiGate, FortiAnalyzer, FortiClient, FortiSandbox, FortiAP, FortiSwitch, and FortiClient Enterprise Management Server (EMS). CSF supports FortiOS 5.4.1+, FortiSwitchOS 3.3+, and FortiClient 5.4.1+.

Port TCP/8009 is the port FortiGate uses for incoming traffic from the FortiClient Portal, as user information (such as IP address, MAC address, avatar, and other profile information) is automatically synchronized to the FortiGate and EMS.

The brief example below assumes that FortiTelemetry has been enabled on the top-level FortiGate (FGT1), OSPF routing has been configured, and that policies have been created for all FortiGate units to access the

Internet.

For more details on how to configure a security fabric between FortiGate units, see Installing internal FortiGates and enabling a security fabric on the Fortinet Cookbook website.

CSF – Cooperative Security Fabric

Enabling CSF on the FortiGate:

  1. On the upstream FortiGate (FGT1), go to System > Cooperative Security Fabric and enable Cooperative Security Fabric (CSF).
  2. Enter a Group name and Group password for the fabric.
  3. On a downstream FortiGate (such as FGT2 or FGT3), configure the same fabric settings as were set on FGT1.
  4. Enable Connect to upstream FortiGate.

Be sure you do not enable this on the topmost-level FortiGate (in this example, FGT1).

  1. In FortiGate IP, enter the FGT1 interface that has FortiTelemetry The FortiTelemetry port (set to 8013) can be changed as required.

Once set up, you can view your network’s CSF configuration under FortiView through two topology dashboards.

  1. On top-level FortiGate, go to FortiView > Physical Topology. This dashboard shows a vizualization of all access layer devices in the fabric.
  2. Go to FortiView > Logical Topology to view information about the interfaces (logical or physical) that each device in the fabric is connected to.

Other CSF configurations for your network are available through the Fortinet Cookbook Cooperative Security Fabric page.