FortiOS 5.6 SSL VPN

Introduction

This document provides a general introduction to SSL VPN technology, explains the features available with SSL VPN and gives guidelines to decide what features you need to use, and how the FortiGate unit is configured to implement the features.

The following chapters are included in this document:

SSL VPN Overview provides useful general information about VPN and SSL, how the FortiGate unit implements them, and gives guidance on how to choose between SSL and IPsec.

Basic configuration explains how to configure the FortiGate unit and the web portal. Along with these configuration details, this chapter also explains how to grant unique access permissions, how to configure the SSL encryption key algorithm, and describes the SSL VPN OS Patch Check feature that allows a client with a specific OS patch to access SSL VPN services.

The SSL VPN client provides an overview of the FortiClient software required for tunnel mode, where to obtain the software, how to install it, and the configuration information required for remote users to connect to the internal network.

The SSL VPN web portal provides an overview of the SSL VPN web portal, with explanations of how to use and configure the web portal features.

Setup examples explores several configuration scenarios with step-by-step instructions. While the information provided is enough to set up the described SSL VPN configurations, these scenarios are not the only possible SSL VPN setups.

Troubleshooting provides some general maintenance and troubleshooting procedures for SSL VPNs.

FortiSIEM Using the Notification API

Using the Notification API

Applies To

General API Parameters

Request API Parameters

Polling API Parameters

Results API Parameters

Sample XML Output

XML Schema

Sample Code

Sample XML Input File

Querying Incidents for the Last 2 Hours

Sample Python Script

Applies To

Enterprise and multitenant deployments.

General API Parameters

Methodology: REST API based. Make an HTTP(S) request with an input XML; an output XML is returned. Since the number of returned results can be large, the requester first gets the total number of results and then fetches the results one chunk at a time.

Request API Parameters

Input URL: https://<AccelOps_IP>/phoenix/rest/query/eventQuery
Input Parameters: XML file containing the query parameters
Input Credentials:
Enterprise Deployments: Username and password of any AccelOps account
Multitenant Deployments: Username and password of Super account for getting incidents for all organizations. If incidents for a specific organization are needed, then an organization-specific account and an organization name are needed.
Output: queryId, or an error code if there is a problem in handling the query or the query format

Polling API Parameters

The caller polls this URL until the server completes the query.

Input URL: https://<AccelOps_IP>/phoenix/rest/query/progress/<queryId>
Output: progress (pct)

You need to keep polling the server until progress reaches 100, at which point the server has completed the query. This is because the server may need to aggregate the results or insert meta-information before sending the results.

Results API Parameters

Input URL: https://<AccelOps_IP>/phoenix/rest/query/events/<queryId>/<begin>/<end>
Output: totalCount (first time) and an XML containing the incident attributes.

For the first call, begin = 0 and end can be 1000. You need to keep querying the server with the same URL, increasing begin and end, until totalCount is reached.

Sample XML Output

Incidents Report Output

XML Schema

The AccelOps AONotification.xsd file shows the XML schema for incident notifications.

Sample Code

Sample XML Input File

Sample Python Script

<script name>.py Script Usage

Sample Query

python GetIncidentsByOrg.py 172.16.20.210 "super/admin" "admin*1" SoftwareAB

Super_user needs to be explicitly stated in organization/user format, for example "super/admin" instead of just "admin".

External Help desk / CMDB Integration

Currently AccelOps has inbuilt support for ServiceNow and ConnectWise for CMDB and 2-way incident integration. Other systems can be supported by creating a new Java plugin, following the instructions in the AccelOps ServiceAPI document, which is available on the AccelOps support portal under the AccelOps ServiceAPI section.

External Threat Intelligence Integration

New external threat intelligence websites can be supported by creating a new Java plugin, following the instructions in the AccelOps ServiceAPI document, which is available on the AccelOps support portal under the AccelOps ServiceAPI section.

License Registration

Worker registration

Collector registration

AccelOps License registration

Worker registration
Methodology: Run this command to add or delete a Worker from Super.
Usage: Command located at /opt/phoenix/deployment/jumpbox. Run commands from Super.

Add a Worker to Super: phProvisionWorker --add <user> <password> <super> <worker>

Remove a Worker from Super: phProvisionWorker --delete <user> <password> <super> <worker>

Input Parameters:
user: username of admin account to log on to GUI
password: password of admin account to log on to GUI
superIp: Supervisor IP address or FQDN (the <super> argument)
workerIp: Worker IP address or FQDN (the <worker> argument)
Output: None
Collector registration
Methodology: Run this command to add or delete a Collector.
Usage:

Add a Collector to Super (run this command from the Collector):
/opt/phoenix/bin/phProvisionCollector --add <user> <password> <super> <organization> <collector>

Remove a Collector from Super (run this command from Super):
/opt/phoenix/bin/phProvisionCollector --delete <user> <password> <super> <organization> <collector>

Input Parameters:
user: username of admin account to log on to GUI
password: password of admin account to log on to GUI
super: Supervisor IP address or FQDN
organization: organization name (SP), Super (Enterprise)
collector: Collector IP address or FQDN

Output: None
Sample Interaction

[root@Super171]# cd /opt/phoenix/deployment/jumpbox
[root@Super171]# phProvisionCollector --delete admin admin*1 10.10.110.171 test-org 10.10.110.172
Continue the provision process…
Deleting Collector: 10.10.110.172 from Super: 10.10.110.171 with Organization: test-org
Sucessfully done.

AccelOps License registration
Methodology: Download License from AccelOps
Usage: Run this command from Super as root

Usage: /pbin/phdownloadlicense <user> <password> <ao-license-server>

Input Parameters:
user: username for obtaining license
password: password for obtaining license
ao-license-server: AccelOps license server host name

Output: None

Sample interaction

[root@sp161 pbin]# phdownloadlicense rstest rstest va-reg.accelops.net
Retrieving Information …
New license file has been retrieved. You may use phinstalllicense to install the new license.

Methodology: Install downloaded license as root
Usage: Run this command from Super as root

Usage: /pbin/phinstalllicense

Input Parameters: None
Output: None

Sample interaction

[root@sp161 pbin]# phinstalllicense
The process of installing a license will disrupt AccelOps services. Do you want to start the installation at this time ?
[yes/no] : yes
Installing license …
Number of Licensed VA(s) = 10
Number of Running Worker(s) = 0
Exiting from worker provision …

[root@sp161 pbin]# phLicenseTool --verify
license matched

[root@sp161 pbin]# phLicenseTool --show
Report License: workers=9; citems=5000; eps=10000;storage=10737418240000; starttime=1399878000; endtime=1447398000; mode=1; rsOrg=111; rsExp=1432796400; SP=1; organizationNum=10; country=; customerId=1086; customerName=rstest; collectors=5; devicesupport=1; basicAgents=1; advancedAgents=1; profile=0

FortiSIEM Incident Notification

Incident Notification

AccelOps can send notifications via email/SMS, HTTPS, SNMP traps, and over the AccelOps API. These topics describe the formats for these notification types, and how to use the notification API.

Formats for Incident Notifications over Email, HTTPS, SNMP Trap, and API

Using the Notification API

Formats for Incident Notifications over Email, HTTPS, SNMP Trap, and API

This topic describes the formats for the various types of notifications that AccelOps can send by email/SMS, HTTPS, SNMP trap, or through the API.

Email/SMS Notification

Subject Line Format

Body Format

SMS Format

SNMP Trap Notification

MIB File

HTTP(S) Notification

XML Schema

XML File Format

Email/SMS Notification

Email is the most common form of incident notification. For integration purposes, an incident email subject and body can be parsed and specific actions can be taken if necessary.

These screenshots show the three types of email that can be sent, depending on whether an incident is NEW, UPDATEd or CLEARed.

Screenshots: New, Update, Clear

Subject Line Format

[New|Update|Clear] <HostName>: <Rule Name>

Body Format

Section / Field / Description

Generic
  Incident Id: Unique ID of the incident in AccelOps. An incident can be searched in AccelOps by this ID.
  Time: Time when this incident occurred
  Severity: Incident severity: HIGH|MEDIUM|LOW and a numeric severity in the range 0-10 (0-4 LOW, 5-8 MEDIUM and 9-10 HIGH)
  Incident Count: How many times this incident has occurred. For NEW incidents, the count is 1.

Rule
  Rule Name: Name of the rule, repeated in the subject line
  Rule Description

Incident Target: Where the incident occurred, or the target of an IPS alert
  Host Name (optional)
  Host IP (optional)
  Other attributes as defined in rule

Incident Source: For security-related incidents, where the incident originated
  Host Name (optional)
  Host IP (optional)
  Other attributes as defined in rule

Incident Details: Rule-specific details that caused the incident to trigger

Affected Business Services (optional)

Identity and Location: Contains additional information for IP addresses in incident source or target. This information is present only if such information is discovered by AccelOps and shown in the Identity and Location tab.
  Host name
  User
  Domain
  Nearest switch name/port or VPN gateway or Wireless Controller
  First and last seen times for this IP address to identity/location binding
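Because integrations parse the subject and body described above, here is an added Python 3 example (not one of the page's scripts) that parses the documented subject format and the Generic section fields and cross-checks the numeric severity against the page's LOW/MEDIUM/HIGH bands. The "Field: value" body layout and the "HIGH (9)" severity wording are assumptions; the sample message is constructed.

```python
import re

# Subject line format given above: [New|Update|Clear] <HostName>: <Rule Name>
SUBJECT_RE = re.compile(r"^\[(New|Update|Clear)\]\s+(?P<host>\S+):\s+(?P<rule>.+?)\s*$")
# Assumption: body fields arrive as "Field: value" lines (the page lists the
# fields of each section but not the exact line layout)
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.+?)\s*$")


def severity_label(numeric):
    # Bands given above: 0-4 LOW, 5-8 MEDIUM, 9-10 HIGH
    if not 0 <= numeric <= 10:
        raise ValueError("severity out of range: %r" % numeric)
    return "LOW" if numeric <= 4 else "MEDIUM" if numeric <= 8 else "HIGH"


def parse_subject(subject):
    m = SUBJECT_RE.match(subject)
    if not m:
        raise ValueError("not an incident notification subject: %r" % subject)
    return {"state": m.group(1).upper(), "host": m.group("host"), "rule": m.group("rule")}


def parse_body(body):
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def parse_notification(subject, body):
    incident = parse_subject(subject)
    fields = parse_body(body)
    incident["incident_id"] = fields.get("Incident Id")
    incident["count"] = int(fields.get("Incident Count", "1"))
    # Assumption: the severity line reads like "HIGH (9)", so both the label
    # and the number are present and can be checked against each other
    m = re.search(r"(HIGH|MEDIUM|LOW)\D*(\d+)", fields.get("Severity", ""))
    if not m:
        raise ValueError("unparseable severity: %r" % fields.get("Severity"))
    label, numeric = m.group(1), int(m.group(2))
    if severity_label(numeric) != label:
        raise ValueError("severity label %s does not match %d" % (label, numeric))
    incident["severity"], incident["severity_label"] = numeric, label
    # The page states that NEW incidents always carry a count of 1
    if incident["state"] == "NEW" and incident["count"] != 1:
        raise ValueError("NEW incidents carry an Incident Count of 1")
    return incident


# Constructed sample notification, not an actual AccelOps email
SAMPLE_SUBJECT = "[New] web01.example.net: Excessive Failed Logins"
SAMPLE_BODY = """\
Incident Id: 1234567
Time: 2015-05-15 10:00:00 PDT
Severity: HIGH (9)
Incident Count: 1
Rule Name: Excessive Failed Logins
"""


def demo():
    return parse_notification(SAMPLE_SUBJECT, SAMPLE_BODY)
```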

FortiSIEM Events and Report Integration

Events and Report Integration

This API provides a way to programmatically run any query or report that can be executed on the event data from the AccelOps GUI.

General Description

Request API Parameters

Polling API Parameters

Results API Parameters

Sample XML Output

Sample Code

General Description
Methodology: REST API based. Make an HTTP(S) request with an input XML that defines the query. Since the number of returned results can be large, the caller has to first get the total number of results, then get the results one chunk at a time. Each time, an output XML containing the query results is returned.

Request API Parameters
Input URL: https://<AccelOps_IP>/phoenix/rest/query/eventQuery
Input Parameters: XML file containing the query parameters
Input Credentials:
Enterprise Deployments: Username and password of any AccelOps account
Multi-tenant Deployments: Username and password of Super account for getting incidents for all organizations. If incidents for a specific organization are needed, then an organization-specific account and an organization name are needed.
Output: queryId, or an error code if there is a problem in handling the query or the query format
Polling API Parameters

The caller polls this URL until the server completes the query.

Input URL: https://<AccelOps_IP>/phoenix/rest/query/progress/<queryId>
Output: progress (pct)

You need to keep polling the server until progress reaches 100, at which point the server has completed the query. This is because the server may need to aggregate the results or insert meta-information before sending the results.

Results API Parameters
Input URL: https://<AccelOps_IP>/phoenix/rest/query/events/<queryId>/<begin>/<end>
Output: totalCount (first time) and an XML containing the incident attributes.

For the first call, begin = 0 and end can be 1000. You need to keep querying the server with the same URL, increasing begin and end, until totalCount is reached.
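The request, poll and chunked-results sequence described here, and identically in the Notification API section above, as an added Python 3 example (not one of the page's own scripts): the HTTP transport is injected so the same function can run against the constructed FakeSuper below, and the totalCount attribute and the <event> element name of the results XML are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

CHUNK = 1000  # first call uses begin = 0, end = 1000, as the page suggests


def basic_auth_header(user, password):
    # On multitenant deployments the user is given as "organization/user"
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"Authorization": "Basic " + token}


def run_event_query(http, host, user, password, query_xml):
    """Submit an eventQuery, poll its progress, then page through the results.

    http(method, url, headers, body) -> (status, text) is an injected transport
    (e.g. a thin wrapper over urllib.request with TLS verification left on).
    """
    headers = basic_auth_header(user, password)
    base = "https://%s/phoenix/rest/query" % host
    # Step 1: the response body is the queryId (or an error code)
    status, body = http("POST", base + "/eventQuery", headers, query_xml)
    query_id = body.strip()
    if status != 200 or not query_id:
        raise RuntimeError("eventQuery failed: %s %r" % (status, body))
    # Step 2: poll until progress reaches 100; results are not complete before
    # that because the server may still aggregate or add meta-information
    while True:
        status, pct = http("GET", "%s/progress/%s" % (base, query_id), headers, None)
        if status != 200:
            raise RuntimeError("progress failed: %s" % status)
        if pct.strip() == "100":
            break
    # Step 3: fetch [begin, end) chunks with the same URL until totalCount is reached
    rows, begin, total = [], 0, None
    while total is None or begin < total:
        end = begin + CHUNK
        url = "%s/events/%s/%d/%d" % (base, query_id, begin, end)
        status, body = http("GET", url, headers, None)
        if status != 200:
            raise RuntimeError("events failed: %s" % status)
        root = ET.fromstring(body)
        if total is None:
            # Assumption: the first response carries totalCount as a root attribute
            total = int(root.get("totalCount", "0"))
        chunk = root.findall("event")  # assumed element name for one result row
        if not chunk:
            break  # never spin on an empty chunk, whatever totalCount claims
        rows.extend(chunk)
        begin = end
    return rows


class FakeSuper:
    """Constructed stand-in for a Super that answers like the three endpoints."""

    def __init__(self, n_events, polls_until_done=2):
        self.n, self.polls, self.calls = n_events, polls_until_done, []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, "no credentials"
        if url.endswith("/eventQuery"):
            return 200, "q-1234"
        if "/progress/" in url:
            self.polls -= 1
            return 200, "100" if self.polls <= 0 else "50"
        _, begin, end = url.rsplit("/", 3)[1:]
        events = "".join('<event id="%d"/>' % i for i in range(int(begin), min(int(end), self.n)))
        return 200, '<events totalCount="%d">%s</events>' % (self.n, events)


def demo(n_events=2500):
    # Returns (rows fetched, HTTP calls made); 2500 rows take 1 + 2 + 3 calls
    fake = FakeSuper(n_events)
    rows = run_event_query(fake, "172.16.20.210", "super/admin", "admin*1", "<Reports/>")
    return len(rows), len(fake.calls)
```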

Sample XML Output

Failed-Logins-Report.txt

Sample Code

This sample takes the credentials, input XML and, optionally, organization name as arguments and writes out the query results in comma separated value (CSV) format on the screen. The output can be redirected to a file if needed.

Sample XML Input Files

Failed Login at Any Device
Top Events by Severity and Count
Top Reporting Device and Module by Event Count
Top Servers By Least Free Disk Space

Sample Python Script

<script name>.py Script Usage

You also need to download the getMonitoredOrganizations python script into the same directory.

Sample Query

python GetQueryResultsByOrg.py 172.16.20.210 "super/admin" "admin*1" all ./failed-login.xml

Super_user needs to be explicitly stated in organization/user format, for example "super/admin" instead of just "admin".

FortiSIEM Add, Update or Delete Device Maintenance Schedule

Add, Update or Delete Device Maintenance Schedule

Applies To

API Parameters for Adding/Updating Maintenance Schedule

API Parameters for Deleting Maintenance Schedule

Sample Code to Add/Update a Device Maintenance Schedule

Sample XML Input File

Sample Python Script

Sample Code to Delete a Device Maintenance Schedule

Sample Python Script

Applies To

Enterprise and multitenant deployments.

API Parameters for Adding/Updating Maintenance Schedule
Methodology: REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL: https://<AccelOps_IP>/phoenix/rest/deviceMaint/update
Input Parameters: An XML file
Input Credentials: Username and password of any AccelOps account
Output: An XML file

API Parameters for Deleting Maintenance Schedule
Methodology: REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL: https://<AccelOps_IP>/phoenix/rest/deviceMaint/delete
Input Parameters: An XML file
Input Credentials: Username and password of any AccelOps account
Output: An XML file
Sample Code to Add/Update a Device Maintenance Schedule

Sample XML Input File

Sample Python Script

AddMaint.py Script

import sys, base64, urllib2

def restPost(appServer, user, password, file):
    # Read the maintenance schedule XML that is sent as the request body
    f = open(file, 'r')
    content = f.read()
    f.close()
    url = "https://" + appServer + "/phoenix/rest/deviceMaint/update"
    # b64encode rather than encodestring: encodestring appends a newline,
    # which would corrupt the Authorization header
    auth = "Basic %s" % base64.b64encode(user + ":" + password)
    request = urllib2.Request(url, content)
    request.add_header('Authorization', auth)
    request.add_header('Content-Type', 'text/xml') # 'application/xml'
    request.add_header('Content-Length', str(len(content)))
    request.add_header('User-Agent', 'Python-urllib2/2.7')
    request.get_method = lambda: 'PUT'   # the API expects an HTTP PUT
    try:
        handle = urllib2.urlopen(request)
    except urllib2.HTTPError, error:
        # 204 No Content is treated as success for this call
        if error.code != 204:
            print error

if __name__ == '__main__':
    if len(sys.argv) != 5:
        print "Usage: AddMaint.py appServer user password scheduleDefFile"
        print "Example: python AddMaint.py 192.168.20.116 super/admin adm1n scheduleDef.xml"
        sys.exit()
    restPost(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

Usage

python AddMaint.py <AccelOps_IP> <user> <password> <maintenance schedule xml file name>

Sample Query

python AddMaint.py 172.16.20.210 "super/admin" "admin*1" MaintenanceSchedule.xml

Super_user needs to be explicitly stated in organization/user format, for example "super/admin" instead of just "admin".

Sample Code to Delete a Device Maintenance Schedule

Sample Python Script

DeleteMaint.py Script

import sys, base64, urllib2

def restPost(appServer, user, password, file):
    # Read the maintenance schedule XML that identifies what to delete
    f = open(file, 'r')
    content = f.read()
    f.close()
    url = "https://" + appServer + "/phoenix/rest/deviceMaint/delete"
    # b64encode rather than encodestring: encodestring appends a newline,
    # which would corrupt the Authorization header
    auth = "Basic %s" % base64.b64encode(user + ":" + password)
    request = urllib2.Request(url, content)
    request.add_header('Authorization', auth)
    request.add_header('Content-Type', 'text/xml') # 'application/xml'
    request.add_header('Content-Length', str(len(content)))
    request.add_header('User-Agent', 'Python-urllib2/2.7')
    request.get_method = lambda: 'PUT'   # the API expects an HTTP PUT
    try:
        handle = urllib2.urlopen(request)
    except urllib2.HTTPError, error:
        # 204 No Content is treated as success for this call
        if error.code != 204:
            print error

if __name__ == '__main__':
    if len(sys.argv) != 5:
        print "Usage: DeleteMaint.py appServer user password scheduleDefFile"
        print 'Example: python DeleteMaint.py 192.168.20.116 "super/admin" "adm1n" scheduleDef.xml'
        sys.exit()
    restPost(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

Usage

python DeleteMaint.py <AccelOps_IP> <user> <password> <maintenance schedule xml file name>

Sample Query

python DeleteMaint.py 172.16.20.210 "super/admin" "admin*1" MaintenanceSchedule.xml

Super_user needs to be explicitly stated in organization/user format, for example "super/admin" instead of just "admin".

FortiSIEM Update Device Monitoring

Update Device Monitoring

Applies To

API Parameters for Enterprise Deployments

API Parameters for Multitenant Deployments

Sample XML Output

Sample Code

Sample XML Input File

Sample Python Script

Applies To

Enterprise and multitenant deployments.

API Parameters for Enterprise Deployments
Methodology: REST API based: make an HTTP(S) request with an input XML (optional).
Input URL: https://<AccelOps_IP>/phoenix/rest/deviceMon/updateMonitor
Input Credentials: Username and password of any AccelOps account
Input Parameters: Username and password of Super account or Organization specific account, Organization name, input XML containing the updates to device monitoring configuration.
Output: HTTP Status Code

API Parameters for Multitenant Deployments
Methodology: REST API based: make an HTTP(S) request with an input XML (optional).
Input URL: https://<AccelOps_IP>/phoenix/rest/deviceMon/updateMonitor
Input Credentials: Username and password of Super account or Organization specific account, Organization name, input XML containing the updates to device monitoring configuration.
Output: HTTP Status Code

Sample XML Output

MonitorDevice.xml

Sample Code

Sample XML Input File

Sample Python Script

This sample takes the credentials, and optionally an organization name, as arguments and writes out the parsed XML output file in a comma separated value (CSV) format on the screen. The output can be redirected to a file if needed.

UpdateMonitor.py Script

import sys, base64, urllib2

def restPost(appServer, user, password, file):
    # Read the device monitoring XML that is sent as the request body
    f = open(file, 'r')
    content = f.read()
    f.close()
    url = "https://" + appServer + "/phoenix/rest/deviceMon/updateMonitor"
    # b64encode rather than encodestring: encodestring appends a newline,
    # which would corrupt the Authorization header
    auth = "Basic %s" % base64.b64encode(user + ":" + password)
    request = urllib2.Request(url, content)
    request.add_header('Authorization', auth)
    request.add_header('Content-Type', 'text/xml') # 'application/xml'
    request.add_header('Content-Length', str(len(content)))
    request.add_header('User-Agent', 'Python-urllib2/2.7')
    request.get_method = lambda: 'PUT'   # the API expects an HTTP PUT
    try:
        handle = urllib2.urlopen(request)
    except urllib2.HTTPError, error:
        # 204 No Content is treated as success for this call
        if error.code != 204:
            print error

if __name__ == '__main__':
    if len(sys.argv) != 5:
        print "Usage: UpdateMonitor.py appServer user password deviceDefFile"
        print "Example: python UpdateMonitor.py 192.168.20.116 super/admin adm1n deviceMonitorDef.xml"
        sys.exit()
    restPost(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

Usage

python UpdateMonitor.py <AccelOps_IP> <user> <password> <device monitor xml file name>

Sample Query

python UpdateMonitor.py 172.16.20.210 "super/admin" "admin*1" MonitorDevice.xml

Super_user needs to be explicitly stated in organization/user format, for example "super/admin" instead of just "admin".

FortiSIEM Get the List of Monitored Organizations

Get the List of Monitored Organizations

Applies To

API Parameters

Sample XML Output

Sample Code

Applies To

Multitenant deployments

API Parameters
Methodology: REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL: https://<AccelOps_IP>/phoenix/rest/config/Domain
Input Credentials: Username and password of Super account
Output: An XML that contains Organization id, Organization name, Status, Included and Excluded IP range

Sample XML Output

Sample Code

This sample python script takes the Super credentials as arguments and writes out the parsed XML output file in a comma separated value (CSV) format on the screen. The output can be redirected to a file if needed.

from xml.dom.minidom import Node

def getText(node, tag):
    # Text of the first <tag> child element that carries a text node, else ''
    for child in node.getElementsByTagName(tag):
        for text in child.childNodes:
            if text.nodeType == Node.TEXT_NODE:
                return text.data
    return ''

def parseOrganizations(orgNodes):
    # orgNodes: the organization elements of the XML returned by
    # /phoenix/rest/config/Domain (the fetch and parse that produce them
    # precede this point in the full script)
    param = []
    for node1 in orgNodes:
        mapping = {'name': '', 'domainId': '', 'disabled': '', 'initialized': '', 'include': '', 'exclude': ''}
        mapping['domainId'] = getText(node1, 'domainId')
        mapping['exclude'] = getText(node1, 'excludeRange')
        mapping['include'] = getText(node1, 'includeRange')
        mapping['name'] = getText(node1, 'name')
        mapping['disabled'] = getText(node1, 'disabled')
        mapping['initialized'] = getText(node1, 'initialized')
        param.append(mapping)
    return param

def generateResult(param):
    # CSV header, then one line per organization
    print "Org Name,Org Id,Disabled,Initialized,Include Range,Exclude Range\n\n"
    for item in param:
        print "%s,%s,%s,%s,%s,%s\n" % (item['name'], item['domainId'], item['disabled'], item['initialized'], item['include'], item['exclude'])

if __name__ == '__main__':
    import sys
    if len(sys.argv) != 4:
        print "Usage: GetMonitoredOrganizations.py appServer user password"
        sys.exit()
    # The full script continues here: fetch the XML with the given
    # credentials, then call parseOrganizations() and generateResult()

FortiSIEM Get CMDB Device Info

Get CMDB Device Info

API Parameters for Enterprise Deployments

Get Short Description of All Devices

Sample XML Output

Sample Python Script

Get Short Description of All Devices in an Address Range

Sample XML Output

Sample Python Script

Get Full Information About One Device

Sample XML Output

Sample Python Script

Get a Section of Information (Applications, Interfaces, Processors, Storage) About One Device

Sample XML Output

Sample Python Script

API Parameters for Multitenant Deployments

Get Short Description of All Devices for an Organization

Sample XML Output

Sample Python Script

Get Short Description of All Devices in an Address Range for an Organization

Sample XML Output

Sample Python Code

Get Full Information About One Device Belonging to an Organization

Sample XML Output

Sample Python Code

Get a Section of Information (Applications, Interfaces, Processors, Storage) About One Device for an Organization Sample XML Output

Sample Python Code

Applies To

Enterprise and multitenant deployments.

API Parameters for Enterprise Deployments

Get Short Description of All Devices

Methodology: REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL: https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/devices
Input Credentials: Username and password of any AccelOps account
Output: An XML that contains a short set of attributes for each device, including:

Host Name

Access IP

Creation Method

Description

Vendor, Model, version

Contact info

Location

Uptime

Hardware Model

Serial Number

Business Service Groups to which the device belongs

Sample XML Output

AllDevicesShortInfo.xml

Sample Python Script

getCMDBinfo.py Script Usage

python getCMDBInfo.py <AccelOpsSuperIp> super/<user> <password>

Get Short Description of All Devices in an Address Range

Methodology: REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL: https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/devices?includeIps=<includeIpSet>&excludeIps=<excludeIpSet>
Input Credentials: Username and password of any AccelOps account
Output: An XML that contains a short description of the devices whose access IPs fall in the specified address range

If you want all devices in the range 192.168.20.1-192.168.20.100, then issue the API https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/devices?includeIps=192.168.20.1-192.168.20.100

If you want all devices in the range 192.168.20.1-192.168.20.100, but want to exclude 192.168.20.20 and 192.168.20.25, then issue the API https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/devices?includeIps=192.168.20.1-192.168.20.100&excludeIps=192.168.20.20,192.168.20.25

If you want all devices in the range 192.168.20.1-192.168.20.100, but want to exclude 192.168.20.20-192.168.20.25, then issue the API https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/devices?includeIps=192.168.20.1-192.168.20.100&excludeIps=192.168.20.20-192.168.20.25
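The includeIps/excludeIps syntax shown in the three URLs above (single addresses and first-last ranges, comma separated), as an added Python 3 example that is not part of the page: it parses both sets, validates them before the query URL is built, and applies the same include-minus-exclude selection locally to a constructed device list so the effect of each example URL can be checked offline.

```python
import ipaddress
from urllib.parse import urlencode


def parse_ip_set(spec):
    """Parse the includeIps/excludeIps syntax: comma-separated single addresses
    or first-last ranges. Returns [(first, last), ...]; None or '' give []."""
    ranges = []
    for item in (spec or "").split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        first = ipaddress.IPv4Address(lo.strip())   # raises on malformed input
        last = ipaddress.IPv4Address(hi.strip()) if hi else first
        if last < first:
            raise ValueError("reversed range: %s" % item)
        ranges.append((first, last))
    return ranges


def in_set(ip, ranges):
    ip = ipaddress.IPv4Address(ip)
    return any(first <= ip <= last for first, last in ranges)


def device_selected(access_ip, include_ips, exclude_ips=None):
    # Same semantics as the API: access IP in includeIps and not in excludeIps
    return in_set(access_ip, parse_ip_set(include_ips)) and not in_set(
        access_ip, parse_ip_set(exclude_ips))


def select_devices(devices, include_ips, exclude_ips=None):
    return [name for name, ip in devices if device_selected(ip, include_ips, exclude_ips)]


def cmdb_devices_url(host, include_ips, exclude_ips=None):
    # Validate both sets client-side first, so a malformed range fails here
    # instead of as an opaque server-side error
    parse_ip_set(include_ips)
    parse_ip_set(exclude_ips)
    params = {"includeIps": include_ips}
    if exclude_ips:
        params["excludeIps"] = exclude_ips
    return "https://%s/phoenix/rest/cmdbDeviceInfo/devices?%s" % (host, urlencode(params, safe=",-"))


# Constructed sample of (host name, access IP) pairs, as the short device
# description would list them; not real AccelOps output
SAMPLE_DEVICES = [
    ("web01", "192.168.20.10"),
    ("db01", "192.168.20.20"),
    ("fw01", "192.168.20.25"),
    ("app01", "192.168.20.60"),
    ("lab01", "192.168.21.5"),
]
```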

Sample XML Output

Query: https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/devices?includeIps=192.168.20.1-192.168.20.40

Output: AllDeviceInRangeShortDescription.xml

Sample Python Script

Get Full Information About One Device

Methodology: REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL: https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/device?ip=<deviceIp>&loadDepend=true
Input Credentials: Username and password of any AccelOps account
Output: An XML that contains full information AccelOps has discovered about a device

Sample XML Output

Query: https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/device?ip=192.168.1.12&loadDepend=true

Output: oneWindowsServerFullInfo.xml

Sample Python Script

getCMDBinfo.py Script Usage

Get a Section of Information (Applications, Interfaces, Processors, Storage) About One Device

Methodology: REST API based: make an HTTP(S) request with an input XML (optional). An output XML is returned.
Input URL: https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/device?ip=<deviceIp>&loadDepend=true&fields=<section>
Input Credentials: Username and password of any AccelOps account
Output: An XML that contains the specified section discovered for the device

Query: https://<AccelOps_IP>/phoenix/rest/cmdbDeviceInfo/device?ip=192.168.1.12&fields=interfaces&loadDepend=true

Output: oneWindowsServerInterfaces.xml

Sample Python Script