FortiDeceptor – System

System

Use the System pages to manage and configure the basic system options for FortiDeceptor. This includes administrator configuration, mail server settings, and maintenance information.

The System menu provides access to the following:

Administrators Configure administrator user accounts.
Admin Profile Configure user profiles to define user privileges.
Certificates Configure CA certificates.
LDAP Servers Configure LDAP servers.
RADIUS Servers Configure RADIUS servers.
Mail Server Configure the mail server.
SNMP Configure SNMP.
FortiGuard Configure FortiGuard settings and upgradeable packages.
Settings Configure the idle timeout or reset all widgets to their default state.
Login Disclaimer Configure the Login Disclaimer.
Table Customization Define columns and order of Incident and Event tables.

Administrators

Use the System > Administrators page to configure administrator user accounts.

If a user's Admin Profile does not have Read Write privilege under System > Admin Profiles, the user can only view and edit their own information.

The following options are available:

Create New Create a new administrator account.
Edit Edit the selected entry.
Delete Delete the selected entry.
Test Login Test the selected user’s login settings. If an error occurs, a debug message appears.

The following information is displayed:

Name   The administrator account name.
Type   The administrator type: Local, LDAP, or RADIUS.
Profile The Admin Profile the user belongs to.

To create a new user:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Click Create New.
  3. Configure the following:
Administrator Name of the administrator account. The name must be 1 to 30 characters using upper-case letters, lower-case letters, numbers, or the underscore character (_).
Password, Confirm Password Password of the account. The password must be 6 to 64 characters using upper-case letters, lower-case letters, numbers, or special characters.

This field is available when Type is set to Local.

Type Select Local, LDAP, or RADIUS.
LDAP Server When Type is LDAP, select an LDAP Server. For more information, see LDAP Servers.
RADIUS Server When Type is RADIUS, select a RADIUS Server. For more information, see RADIUS Servers.
Admin Profile Select the Admin Profile.
Trusted Host 1, Trusted Host 2, Trusted Host 3 Enter up to three IPv4 trusted hosts. Only users from trusted hosts can access FortiDeceptor.
Trusted IPv6 Host 1, Trusted IPv6 Host 2, Trusted IPv6 Host 3 Enter up to three IPv6 trusted hosts. Only users from trusted hosts can access FortiDeceptor.
Comments Enter an optional comment.

Setting trusted hosts for administrators limits what computers an administrator can use to log into FortiDeceptor. When you identify a trusted host, FortiDeceptor only accepts the administrator’s login from the configured IP address or subnet. Attempts to log in with the same credentials from another IP address or subnet are dropped.

  4. Click OK.
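The trusted-host rule described above, modelled as an added example (not FortiDeceptor code): up to three IPv4 and three IPv6 trusted hosts per account, each an address or subnet, and a login is accepted only when its source address falls inside one of them. The class and function names are assumptions, as is the choice that an account with no trusted hosts configured is not restricted by source address.

```python
import ipaddress

MAX_TRUSTED_PER_FAMILY = 3  # Trusted Host 1-3 and Trusted IPv6 Host 1-3


class AdminAccount:
    """An administrator account with its trusted-host lists.

    Each entry may be a single address or a subnet in CIDR form; a bare
    address is treated as a /32 (IPv4) or /128 (IPv6) network.
    """

    def __init__(self, name, trusted_hosts=(), trusted_ipv6_hosts=()):
        self.name = name
        self.trusted_v4 = [self._network(h, 4) for h in trusted_hosts]
        self.trusted_v6 = [self._network(h, 6) for h in trusted_ipv6_hosts]
        if (len(self.trusted_v4) > MAX_TRUSTED_PER_FAMILY
                or len(self.trusted_v6) > MAX_TRUSTED_PER_FAMILY):
            raise ValueError("at most three trusted hosts per address family")

    @staticmethod
    def _network(host, version):
        # strict=False accepts host bits set inside a subnet (e.g. 10.1.2.3/24).
        net = ipaddress.ip_network(host, strict=False)
        if net.version != version:
            raise ValueError(f"{host} is not an IPv{version} trusted host")
        return net

    def restricts_source(self):
        return bool(self.trusted_v4 or self.trusted_v6)


def login_allowed(account, source_ip):
    """Return True if a login for this account from source_ip is accepted.

    Assumption (not stated on the page): an account with no trusted hosts at
    all is not restricted by source address.
    """
    if not account.restricts_source():
        return True
    src = ipaddress.ip_address(source_ip)
    if src.version == 6 and src.ipv4_mapped is not None:
        # An IPv4 client seen through a dual-stack socket (::ffff:a.b.c.d)
        # belongs to the IPv4 trusted-host list, not the IPv6 one.
        src = src.ipv4_mapped
    candidates = account.trusted_v4 if src.version == 4 else account.trusted_v6
    return any(src in net for net in candidates)


def audit_line(account, source_ip):
    """Build the event a defender would want logged for every attempt, so that
    valid credentials presented from an untrusted address are still visible."""
    verdict = "accepted" if login_allowed(account, source_ip) else "dropped"
    return f"admin={account.name} src={source_ip} login {verdict} (trusted-host check)"


if __name__ == "__main__":
    # Constructed sample configuration: one host, one subnet, one IPv6 prefix.
    acct = AdminAccount("secops", ["192.0.2.10", "10.10.0.0/24"], ["2001:db8:1::/48"])
    for src in ("192.0.2.10", "10.10.1.5", "2001:db8:1::beef", "::ffff:192.0.2.10"):
        print(audit_line(acct, src))
```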

To edit a user account:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Select an account and click Edit.

Only the admin user can edit its own settings.

You must enter the old password before you can set a new password.

  3. Edit the account and click OK.

To delete one or more user accounts:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Select the user account you want to delete.
  3. Click Delete and confirm that you want to delete the user.

To test LDAP or RADIUS logins:

  1. Log in using an account with Read/Write access and go to System > Administrators.
  2. Select an LDAP or RADIUS user to test.
  3. Click Test Login.
  4. Enter the user password.
  5. Click OK.

If an error occurs, a debug message appears.

Admin Profiles

Use administrator profiles to control administrator access privileges to system features. When you create an administrator account, you assign a profile to the account.

You cannot modify or delete the following predefined administrator profiles:

  • SuperAdmin has access to all functionality.
  • Read only has read-only access.

Only users with the Super Admin profile can create, edit, and delete administrator profiles. Users can create, edit, and delete administrator profiles if they have Read Write privilege in their profile.

The Menu Access section has the following settings:

None User cannot view or make changes to that page.
Read Only User can view but not make any change to that page, except session-related user settings such as Table Customization, Dashboard, or Attack Map filter.
Read Write User can view and make changes to that page.

The CLI Commands section has the following settings:

None User cannot execute CLI commands.
Execute User can execute CLI commands.
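The access model from the Admin Profiles and Administrators sections, as an added example that is not FortiDeceptor code: Menu Access of None, Read Only or Read Write per page (with Read Only still allowing session-related settings), CLI Commands of None or Execute, the two immutable predefined profiles, and the rule that an administrator without Read Write under Admin Profiles can only edit their own account. All class and function names are assumptions, and the page and command lists are a subset of those in the guide.

```python
from enum import Enum


class Access(Enum):
    NONE = "None"             # cannot view or change the page
    READ_ONLY = "Read Only"   # can view; may change only session-related settings
    READ_WRITE = "Read Write"  # can view and change


# Session-related user settings that Read Only may still change (from the guide).
SESSION_SETTINGS = {"Table Customization", "Dashboard", "Attack Map"}

# Predefined profiles that cannot be modified or deleted.
PREDEFINED_PROFILES = {"SuperAdmin", "Read only"}

# Subset of the Menu Access pages and CLI Commands listed in the guide.
MENU_PAGES = ["Dashboard", "Analysis", "Campaign", "Attack Map", "Administrators",
              "Admin Profiles", "Table Customization", "All Events"]
CLI_COMMANDS = ["Set", "Unset", "Reboot", "Shutdown", "Factory Reset",
                "Firmware Upgrade", "Log Purge", "TCP Dump", "Trace Route"]


class AdminProfile:
    def __init__(self, name, menu=None, cli_execute=()):
        self.name = name
        # page -> Access; any page not listed defaults to None.
        self.menu = dict(menu or {})
        # commands whose CLI Commands setting is Execute; all others are None.
        self.cli_execute = set(cli_execute)

    @classmethod
    def superadmin(cls):
        return cls("SuperAdmin", {p: Access.READ_WRITE for p in MENU_PAGES}, CLI_COMMANDS)

    @classmethod
    def read_only(cls):
        return cls("Read only", {p: Access.READ_ONLY for p in MENU_PAGES}, ())

    def level(self, page):
        return self.menu.get(page, Access.NONE)

    def can_view(self, page):
        return self.level(page) is not Access.NONE

    def can_change(self, page, session_setting=False):
        lvl = self.level(page)
        if lvl is Access.READ_WRITE:
            return True
        # Read Only is enough only for the per-session settings the guide names.
        return lvl is Access.READ_ONLY and session_setting and page in SESSION_SETTINGS

    def can_execute(self, command):
        return command in self.cli_execute

    def can_manage_profiles(self):
        # Assumption: "Read Write privilege in their profile" means Read Write on
        # the Admin Profiles page, which the predefined SuperAdmin profile has.
        return self.can_change("Admin Profiles")


def can_edit_administrator(actor_profile, actor_name, target_name):
    """Administrators page rule: without Read Write under Admin Profiles an
    administrator may only view and edit their own account."""
    return actor_profile.can_manage_profiles() or actor_name == target_name


def delete_profile(actor_profile, profiles, target_name):
    """Remove a custom profile from the dict; predefined profiles are immutable."""
    if not actor_profile.can_manage_profiles():
        raise PermissionError(f"{actor_profile.name} cannot manage admin profiles")
    if target_name in PREDEFINED_PROFILES:
        raise ValueError(f"{target_name} is predefined and cannot be deleted")
    return profiles.pop(target_name)


if __name__ == "__main__":
    # Constructed custom profile for an analyst: dashboard editing, read-only
    # incident analysis, packet capture on the CLI, nothing under System.
    soc = AdminProfile("soc", {"Dashboard": Access.READ_WRITE,
                               "Analysis": Access.READ_ONLY,
                               "Table Customization": Access.READ_ONLY}, ["TCP Dump"])
    print("soc may view Administrators:", soc.can_view("Administrators"))
    print("soc may run Reboot:", soc.can_execute("Reboot"))
```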

To create an Administrator Profile:

  1. Go to System > Admin Profiles.
  2. Click Create New.
  3. Specify the Profile Name.
  4. If you wish, add a Comment.
  5. Specify the privileges for Menu Access:
    • Dashboard: Dashboard
    • Deception: Customization, Deception OS, Deployment Network, Deployment Wizard, Decoy & Lure Status, Decoy Map, Whitelist
    • Incident: Analysis, Campaign, Attack Map
    • Fabric: FortiGate Integration, Quarantine Status, IOC Export
    • Network: Interfaces, System DNS, System Routing
    • System: Administrators, Admin Profiles, Certificates, LDAP Servers, RADIUS Servers, Mail Server, SNMP, FortiGuard, Settings, Login Disclaimer, System Settings, Table Customization
    • Log: All Events, Log Servers
  6. Specify the privileges for CLI Commands:
    • Configuration: Set, Unset
    • System: Reboot, Shutdown, Reset Configuration, Factory Reset, Firmware Upgrade, Reset Widgets, IP Tables, test-network, usg-license, Upload VM Firmware License, Resize VM Hard Disk, Set Confirm ID for Windows VM, List VM License, Show VM Status, VM reset, DC Image Status, Set Maintainer, Set Timeout for Remote Auth, Data Purge, Log Purge, DMZ Mode, fdn-pkg
    • Utilities: TCP Dump, Trace Route
  7. Click Save.

Certificates

Use this page to import, view, and delete certificates. Certificates are used for secure connection to an LDAP server, system HTTPS, and SSH services. FortiDeceptor ships with one default certificate in the firmware.

FortiDeceptor does not support generating certificates. FortiDeceptor supports importing certificates for SSH and HTTPS access using .crt, PKCS12, or .pem format.

The following options are available:

Import   Import a certificate.
Service Configure specific certificates for HTTP and SSH servers.
View View the selected CA certificate details.
Delete Delete the selected certificate.

The following information is displayed:

Name Name of the certificate.
Subject Subject of the certificate.
Status The certificate status, active or expired.
Service HTTPS or SSH service that is using this certificate.

To import a certificate:

  1. Go to System > Certificates.
  2. Click Import.
  3. Enter the Certificate Name.
  4. If you want to import a password protected PKCS12 certificate, select PKCS12 Format.
  5. Click Choose File and locate the certificate and key files on your management computer.
  6. Click OK to import the certificate.

To view a certificate:

  1. Go to System > Certificates.
  2. Select a certificate and click View.

The following information is available:

Certificate Name Name of the certificate.
Status Certificate status.
Serial number Certificate serial number.
Issuer Issuer of the certificate.
Subject Subject of the certificate.
Effective date Date and time that the certificate became effective.
Expiration date Date and time that the certificate expires.

To delete a CA certificate:

  1. Go to System > Certificates.
  2. Select the certificate you want to delete.
  3. Click Delete and confirm you want to delete the certificate.

LDAP Servers

FortiDeceptor supports remote authentication of administrators using LDAP servers. To use this feature, configure the server entries in FortiDeceptor for each authentication server in your network.

If you have configured LDAP support and require users to authenticate using an LDAP server, FortiDeceptor contacts the LDAP server for authentication. To authenticate with FortiDeceptor, the user enters a user name and password. FortiDeceptor sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, FortiDeceptor authenticates the user. If the LDAP server cannot authenticate the user, FortiDeceptor refuses the connection.

The following options are available:

Create New Add an LDAP server.
Edit Edit the selected LDAP server.
Delete Delete the selected LDAP server.

The following information is displayed:

Name LDAP server name.
Address LDAP server address.
Common Name LDAP common name.
Distinguished Name LDAP distinguished name.
Bind Type LDAP bind type.
Connection Type LDAP connection type.

To create a new LDAP server:

  1. Go to System > LDAP Servers.
  2. Click Create New.
  3. Configure the following settings:
Name A unique name to identify the LDAP server.
Server Name/IP IP address or FQDN of the LDAP server.
Port The port for LDAP traffic. The default port is 389.
Common Name Common name identifier of the LDAP server.

Most LDAP servers use cn. Some servers use other common name identifiers such as uid.

Distinguished Name Distinguished name used to look up entries on LDAP servers. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.
Bind Type The type of binding for LDAP authentication: Simple, Anonymous, or Regular.
Username When the Bind Type is set to Regular, enter the user name.
Password When the Bind Type is set to Regular, enter the password.
Enable Secure Connection Use a secure LDAP server connection for authentication.
Protocol When Enable Secure Connection is selected, select LDAPS or STARTTLS.
CA Certificate When Enable Secure Connection is selected, select a CA Certificate.
  4. Click OK.

RADIUS Servers

FortiDeceptor supports remote authentication of administrators using RADIUS servers. To use this feature, configure the server entries in FortiDeceptor for each authentication server in your network.

If you have configured RADIUS support and require users to authenticate using a RADIUS server, FortiDeceptor contacts the RADIUS server for authentication. To authenticate with FortiDeceptor, the user enters a user name and password. FortiDeceptor sends this user name and password to the RADIUS server. If the RADIUS server can authenticate the user, FortiDeceptor authenticates the user. If the RADIUS server cannot authenticate the user, FortiDeceptor refuses the connection.

The following options are available:

Create New   Add a RADIUS server.
Edit   Edit the selected RADIUS server.
Delete   Delete the selected RADIUS server.

The following information is displayed:

Name RADIUS server name.
Primary Address Primary server IP address.
Secondary Address Secondary server IP address.
Port Port used for RADIUS traffic. The default port is 1812.
Auth Type The authentication type the RADIUS server requires.

Select Any, PAP, CHAP, or MSv2. Any means FortiDeceptor tries all authentication types.

To add a RADIUS server:

  1. Go to System > RADIUS Servers.
  2. Click Create New.
  3. Configure the following settings:
Name A unique name to identify the RADIUS server.
Primary Server Name/IP IP address or FQDN of the primary RADIUS server.
Secondary Server Name/IP IP address or FQDN of the secondary RADIUS server.
Port Port for RADIUS traffic.

The default port is 1812.

Auth Type Authentication type the RADIUS server requires.

Select Any, PAP, CHAP, or MSv2. Any means FortiDeceptor tries all authentication types.

Primary Secret Primary RADIUS server secret.
Secondary Secret Secondary RADIUS server secret.
NAS IP NAS IP address.
  4. Click OK.

Mail Server

Use the System > Mail Server page to adjust mail server settings.

You can configure the following options:

Send Incidents Alerts When enabled, FortiDeceptor sends an email alert to the ReceiverEmail List when it detects an incident.
SMTP Server Address SMTP server address.
Port SMTP server port number.
E-Mail Account The mail server email account. This is the “from” address.
Login Account The mail server login account.
Password, Confirm Password Enter and confirm the password.
Receiver Email List Enter one or more receiver email addresses.
Send Test Email Send a test email to the global email list.

If an error occurs, the error message appears at the top of the page and is recorded in the System Logs.

SNMP

SNMP is a method to monitor your FortiDeceptor system on your local computer. You need an SNMP agent on your computer to read the SNMP information. Using SNMP, your FortiDeceptor system monitors for system events including CPU usage, memory usage, log disk space, interface changes, and malware detection. Go to System > SNMP to configure your FortiDeceptor system’s SNMP settings.

SNMP has two parts: the SNMP agent or the device that is sending traps, and the SNMP manager that monitors those traps. The SNMP communities on the monitored FortiDeceptor are hard coded and configured in the SNMP menu.

The FortiDeceptor SNMP implementation is read-only — SNMP v1, v2c, v3 compliant SNMP manager applications, such as those on your local computer, have read-only access to FortiDeceptor system information and can receive FortiDeceptor system traps.

You can also download FortiDeceptor and Fortinet core MIB files.

Configure the SNMP agent

The SNMP agent sends SNMP traps that originate on FortiDeceptor to an external monitoring SNMP manager defined in one of the FortiDeceptor SNMP communities. Typically, an SNMP manager is an application on a local computer that can read the SNMP traps and then generate reports or graphs.

The SNMP manager can monitor FortiDeceptor to determine if it is operating properly or if critical events are occurring. The description, location, and contact information for this FortiDeceptor system is part of the information an SNMP manager collects. This information is useful if the SNMP manager is monitoring many devices, and it enables a faster response when FortiDeceptor requires attention.

To configure SNMP agents:

  1. Go to System > SNMP.
  2. Configure the following settings:
SNMP Agent   When enabled, the FortiDeceptor SNMP agent sends FortiDeceptor SNMP traps.
Description   Description of this FortiDeceptor to identify this unit.
Location Location of this FortiDeceptor if it requires attention.
Contact Contact information of the person in charge of this FortiDeceptor.
SNMP v1/v2c Create, edit, or delete SNMP v1 and v2c communities. You can enable or disable communities in the edit page. Columns include: Community Name, Queries, Traps, Enable.
SNMP v3 Create, edit, or delete SNMP v3 entries. You can enable or disable queries in the edit page. Columns include: Username, Security Level, Notification Host, and Queries.

To create an SNMP v1/v2c community:

  1. Go to System > SNMP.
  2. In the SNMP v1/v2c section, click Create New.
  3. Configure the following settings:
Enable Enable the SNMP community.
Community Name The name that identifies the SNMP community.
Hosts The list of hosts that can use the settings in this SNMP community to monitor FortiDeceptor.
IP/Netmask IP address and netmask of the SNMP hosts. Click Add to add additional hosts.
Queries v1, Queries v2c Port number and if it is enabled.

Enable queries for each SNMP version that FortiDeceptor uses.

Traps v1, Traps v2c Local port number, remote port number, and if it is enabled.

Enable traps for each SNMP version that FortiDeceptor uses.

SNMP Events Events that cause FortiDeceptor to send SNMP traps to the community:

  • CPU usage is high
  • Memory is low
  • Log disk space is low
  • Incident is detected

  4. Click OK.

To create an SNMP v3 user:

  1. Go to System > SNMP.
  2. In the SNMP v3 section, click Create New.
  3. Configure the following settings:
Username Name of the SNMPv3 user.
Security Level Security level of the user: None, Authentication only, or Encryption and authentication.
Authentication Authentication is required when Security Level is either Authentication only or Encryption and authentication.
Method Authentication method: MD5 (Message Digest 5 algorithm) or SHA1 (Secure Hash algorithm).
Password Authentication password of at least eight characters.
Encryption Encryption is required if Security Level is Encryption and authentication.
Method Encryption method: DES or AES.
Key Encryption key of at least eight characters.
Notification Hosts (Traps)
IP/Netmask IP address and netmask. Click Add to add more hosts.
Query
Port Port number and if it is enabled.
SNMP V3 Events SNMP events associated with that user:

  • CPU usage is high
  • Memory is low
  • Log disk space is low
  • Incident is detected

  4. Click OK.

To download MIB files:

  1. At the bottom of the SNMP page, select the MIB file you want to download to your management computer.

FortiGuard

  1. Go to System > FortiGuard.
  2. The following options and information are available:
Module Name The FortiGuard module name, including: AntiVirus Scanner, AntiVirus Extended Signature, AntiVirus Active Signature, AntiVirus Extreme Signature, IDS Engine, IDS Signature, Anti-Reconnaissance & Anti-Exploit Engine.

All modules automatically install update packages when they are available on the FDN.

Current Version The current version of the module.
Release Time The time that module was released.
Last Update Time The time that module was last updated.
Last Check Status The status of the last update attempt.
Upload Package File Select Browse to locate a package file on the management computer, then select Submit to upload the package file to the FortiDeceptor.

When the unit has no access to the Fortinet FDN servers, the user can go to the Customer Service and Support site to download package files manually.

FortiGuard Server Location Select FDN servers for package update and Web Filtering query. By default, the selection is Nearest, which means the closest FDN server according to the unit’s time zone is used. When US Region is selected, only servers inside the United States are used.

FortiGuard Server Settings
Use override FDN server to download module updates Select to enable an override FDN server, or FortiManager, to download module update, then enter the server IP address or FQDN in the text box. When an overridden FDN server is used, FortiGuard Server Location will be disabled. Click Connect FDN Now button to schedule an immediate update check.
Connect FDN Now Click the Connect FDN Now button to connect the override FDN server/Proxy.
FortiGuard Web Filter Settings
Use override server address for web filtering query Select to enable an override server address for web filtering query, then enter the server IP address (IP address or IP address:port) or FQDN in the text box. By default, the closest web filtering server according to the unit’s time zone is used.

If port is not provided, target UDP port 53 will be used.

  3. Click Apply to apply your changes.

Settings

Go to System > Settings to configure the idle timeout for the administrator account.

To configure idle timeout:

  1. Go to System > Settings.
  2. Enter a value between 1 and 480 minutes.
  3. Click OK.

To reset all widgets:

You can reset all the widgets in the Dashboard by clicking the Reset button.

Login Disclaimer

Go to System > Login Disclaimer to customize the warning message, and to enable or disable the login disclaimer.

If enabled, the disclaimer appears when a user tries to log into the unit.

Table Customization

To customize the columns available for Incidents or Events:

  1. Go to System > Table Customization.
  2. In the Incident Columns pane, drag and drop the columns from the Available Column Headers to the Customized Column Headers and Orders.
  3. In the Event Columns pane, drag and drop the columns from the Available Column Headers to the Customized Column Headers and Orders.
  4. In the Table Settings pane, specify the Page Size and select the View Type.
  5. Click Save.

FortiDeceptor – Fabric

Fabric

Use the Fabric pages to manage and configure FortiGate information for integration with FortiDeceptor. This includes blocking settings and Security Fabric status information. Blocking from FortiGate is an API call from FortiDeceptor which allows instant quarantine from FortiGate once an incident is detected. The quarantined IP is under user quarantine in the FortiGate GUI.

Fabric provides access to the following pages:

FortiGate Integration Configure the FortiGate settings for FortiDeceptor integration.
Quarantine Status Status of blocked IP addresses.
IOC Export Export the IOC file in CSV format for a specified time period.

FortiGate Integration

Use Fabric > FortiGate Integration to configure FortiGate settings for integration with FortiDeceptor. FortiDeceptor uses FortiGate REST APIs to make quarantine calls when decoys are accessed. Attackers are immediately quarantined on the FortiGate for further analysis.

The following options are available:

Severity level Select the security level. The selected level and all levels above it are blocked. For example, if you select Medium, then medium, high, and critical levels are blocked. If you select Critical, then only the critical level is blocked.
Add new block configuration Create a new FortiGate integration setting.
Update Save the modified FortiGate integration setting to a configuration file.
Cancel Discard current changes.
Edit Edit the record.
Delete Delete the record.
Test Manually send quarantine request to the corresponding FortiGate.

The following information is displayed:

Name Alias of the integrated FortiGate.
IP IP address of the integrated FortiGate.
User Username of the integrated FortiGate.
Password Password of that username.

Port Port number of the integrated FortiGate REST API service. Default is 443.
Default Expiry Default blocking time in seconds. Default is 3600 seconds.
Default VDOM The default access VDOM of the integrated FortiGate.
Type FortiGate (read-only value).
Enabled Enable or disable the integration setting.

Quarantine Status

The Fabric > Quarantine Status page displays the status of blocked and quarantined IP addresses. It also lets you manually block or unblock devices. The following options are available:

Refresh Refresh the page to get the latest data.
Block Manually send a blocking request for the selected attacker IP addresses.
Unblock Manually send an unblocking request for the selected attacker IP addresses.

The following information is displayed:

Attacker IP IP address of the blocked attacker.
Start Start time of blocking behavior.
End End time of blocking behavior.
Handler Address IP address of the integrated FortiGate.
Handler The integrated device type.
Handle Type Blocking type, manual, or automatic quarantine.
VDOM VDOM of the integrated FortiGate.
Blocker Name Alias of the FortiGate which blocks the AttackerIP address. This is the Name field in Fabric > FortiGate Integration.
Time Remaining The remaining blocking time.
Status Current status of the attacker.
Message Related message for the blocking entry.

IOC Export

Use the Fabric > IOC Export page to export the IOC file in CSV format for a specified time period. The CSV file can be processed by third party Threat Intelligence Platforms. The file contains the TimeStamp, Incident time, Attacker IP, related files, and WCF (Web Content Filtering) events. You can include MD5 checksums, WCF category, and reconnaissance alerts.

FortiDeceptor – Monitor Attacks

Monitor Attacks

Administrators can monitor attacks in two ways:

To monitor attacks using Incident pages:

  • Incident > Analysis lists incidents and related events detected by FortiDeceptor.
  • Incident > Campaign lists attacks and related events detected by FortiDeceptor.
  • Incident > Attack Map shows attacks and related events detected by FortiDeceptor.

To monitor attacks using Dashboard widgets:

  • Use the Dashboard Incidents & Events Distribution widget. See Incidents and Events Distribution.
  • Use the Dashboard Incidents & Events Count widget.

Analysis

Incident > Analysis lists the Incidents detected by FortiDeceptor.

To use the Analysis page:

  1. Go to Incident > Analysis.
  2. The Analysis page displays the list of events:
Severity Severity of the event.
Last Activity Date and time of the last activity.
Type Type of event.
Attacker IP Attacker IP mask.
Attacker User Attacker username.
Victim IP IP address of the victim.
Victim Port Port of the victim.
Lure Name of the lure service.
Decoy ID Unique ID of the Decoy VM.
ID ID of the incident.
Attacker Port Port where the attack originated.
Tag Key Unique key string for the incident.
Attacker Password Password used by the attacker.
Start   Date and time when the attack started.
  3. To refresh the data, click Refresh.
  4. To download the detailed analysis report in PDF format, click Export to PDF.
  5. To mark items as read, expand the incident details or click Mark all as read.

Newly-detected incidents are in bold to indicate they are unread.

  6. To display specific types of events, click Show All, IPS Events Only, or Web Filter Events Only.
  7. To specify columns and table settings, use the Settings icon at the bottom right.

Campaign

Incident > Campaign lists the Attacks detected by FortiDeceptor. An Attack consists of multiple Incidents.

To use the Campaign page:

  1. Go to Incident > Campaign.
  2. The Campaign page displays the list of attacks:
Severity   Severity of the event.
Start   Date and time when the attack started.
Last Activity   Date and time of the last activity.
Attacker IP   IP mask of the attacker.
ID   ID of the campaign record.
Timeline   Click Timeline to see the timeline of the Attack from start to finish.
Table   Click Table to see all the Events in table view.
  3. To refresh the data, click Refresh.
  4. To export the data, click Export to PDF.
  5. To specify columns and table settings, use the Settings icon at the bottom right.

Attack Map

Incident > Attack Map is a visual representation of the entire network showing real endpoints, Decoy VMs, and ongoing attacks.

To work with the Attack Map:

  1. Go to Incident > Attack Map.
    • To change the display, drag items to another location.
    • Scroll to zoom in or out.
    • Click a node to see its information.
  2. At the bottom of the Attack Map, use the timeline indicator to set the start and end time.
  3. Click the Click to begin filtering field to select a filter type and enter values. Filter types include Attacker IP, Victim IP, and Decoy IP.

You can use multiple arguments with different filter types. All filter arguments and time indicator arguments are considered “AND” conditions.

  4. To locate the node on the map, use the LOCATE BY IP
  5. To save a snapshot of the map, click Save view.

Incidents and Events Distribution

This dashboard widget displays the number of incidents and events with the following risk level information and options.

Unknown Incident or Event where the risk level is unknown. Entries are in grey.
Low Risk Incident or Event where the risk level is low. Entries are in green.
Medium Risk Incident or Event where the risk level is medium. Entries are in yellow.
High Risk Incident or Event where the risk level is high. Entries are in orange.
Critical Incident or Event where the risk level is critical. Entries are in red.

Hover over the pie chart to see the number of Incidents or Events and their percentage.

To customize this widget:

  1. Click the edit icon to make the following changes:

    • Enter a Customized Widget Title.
    • Change the Refresh Interval.
    • Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.

Incidents and Events Count

This dashboard widget displays the number of Incidents and Events.

Event Click Event to show or hide the number of events in the time period. Events are in blue.
Incidents Click Incident to show or hide the number of incidents in the time period. Incidents are in orange.
Time/Date The time or date the Incident or Event occurred.

To customize this widget:

  1. Click the edit icon to make the following changes:

    • Enter a Customized Widget Title.
    • Change the Refresh Interval.
    • Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.

Top 10 Attackers by Events

This dashboard widget displays the top ten attackers by the number of events.

IP Address IP address of the attacker.
Number of Events Hover over an IP address to see the total number of Events.

Top 10 Attackers by Incidents

This dashboard widget displays the top ten attackers by the number of incidents.

IP Address IP address of the attacker.
Number of Incidents Hover over an IP address to see the total number of Incidents.

Top 10 IPS Attacks

This widget displays the top 10 IPS attacks by the number of attack events.

IPS attack name Name of the IPS attack.
Number of attack events Hover over an IPS attack name to see the total number of attack events.

Incidents Distribution by Service

This dashboard widget displays the number of Incidents by service with the following information and options.

SSH Number of incidents occurring on SSH service with the percentage on a pie chart.
SAMBA Number of incidents occurring on SAMBA service with the percentage on a pie chart.
SMB Number of incidents occurring on SMB service with the percentage on a pie chart.
RDP Number of incidents occurring on RDP service with the percentage on a pie chart.
HTTP Number of incidents occurring on HTTP service with the percentage on a pie chart.
FTP Number of incidents occurring on FTP service with the percentage on a pie chart.
TFTP Number of incidents occurring on TFTP service with the percentage on a pie chart.
SNMP Number of incidents occurring on SNMP service with the percentage on a pie chart.
MODBUS Number of incidents occurring on MODBUS service with the percentage on a pie chart.
S7COMM Number of incidents occurring on S7COMM service with the percentage on a pie chart.
BACNET Number of incidents occurring on BACNET service with the percentage on a pie chart.
IPMI Number of incidents occurring on IPMI service with the percentage on a pie chart.
TRICONEX Number of incidents occurring on TRICONEX service with the percentage on a pie chart.
GUARDIAN-AST Number of incidents occurring on GUARDIAN-AST service with the percentage on a pie chart.
IEC104 Number of incidents occurring on IEC104 service with the percentage on a pie chart.

Global Attacker Distribution

This widget displays the number of Attackers by country on a global map.

FortiDeceptor – Deploy Decoy VM

Deploy Decoy VM

The Deception pages allow you to deploy Decoy VMs on your network. When a hacker gains unauthorized access to Decoy VMs, their movements can be monitored to understand how they attack the network.

Apart from the default decoy Windows, Linux, or SCADA OS images, FortiDeceptor supports custom OS images with a purchased subscription service. You can upload your custom ISO images and install the FortiDeceptor Toolkit on the image. For instructions, click the Help icon in the toolbar and select Customization.

To use FortiDeceptor to monitor the network:

  • Go to Deception > Deception OS to check the Deception OS available. See View available Deception OS.
  • Go to Deception > Deployment Network to auto-detect or specify the network where the Decoy VMs are deployed.
  • Go to Deception > Deployment Wizard to deploy the Decoy VM on the network.
  • Go to Deception > Decoy & Lure Status to start or stop deployed Decoy VMs, or download the FortiDeceptor Token Package to manually install on computers.
  • Go to Deception > Decoy Map to see the network of Decoy VMs.
  • Go to Deception > Whitelist to specify the network that is to be considered safe. This is useful if the administrator wants to log into the deployment network and not be flagged as an attacker.

View available Deception OS

The Deception > Deception OS page lists the deception OSes available for creating Decoy VMs.

Column   Description
Delete   Delete a custom OS that you have applied.
Status   Status of the Deception OS.
Name   Name of the Deception OS.
OS Type   Operating System type.
VM Type   VM type of the Deception OS endpoint.
Lures   Lures used by the Decoy VM such as SSH, SAMBA, SMB, RDP, HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GuardianAST, or IEC104.

Set up the Deployment Network

Use the Deception > Deployment Network page to set up a monitoring interface into a VLAN or a subnet.

To add a VLAN or subnet to FortiDeceptor:

  1. Go to Deception > Deployment Network.
  2. Enable Auto VLAN Detection to automatically detect the VLANs on your network.

Auto VLAN detection allows FortiDeceptor to detect the available VLANs on the deployment network interface and display them in the GUI. You can select and add the VLANs for the deployment of Decoys later.

  3. Select the Detection Interface and click OK.

You can select multiple ports.

  4. Click Add New VLAN/Subnet to manually add a VLAN or a subnet. Configure the following settings:
Interface The port that connects to the VLAN or subnet.
VLAN ID The VLAN’s unique integer ID.
Deploy Network IP/Mask The IP address to monitor. This is useful to mask the actual IP address.
Ref The number of objects referring to this object.
Status Status of the IP address, such as if it is initialized.
Action Click Edit to edit the VLAN or subnet entry. The Edit button is visible only after the entry is saved.
  5. Click Save.

The network IP/mask must be an IP address and not a subnet.

You must use the following guidelines to set the network IP/mask:

  • Interface name and VLAN ID must be unique among all network IP/masks.
  • If VLAN ID is 0, the network IP/mask must be unique among all the network IP/masks without VLAN and all system interfaces.
  • If VLAN is not 0, the network IP/mask must be unique among all subnets in the same VLAN.
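The three guidelines above, as an added pre-check written for this page (it is not FortiDeceptor's own code): entries are modelled as interface, VLAN ID and Deploy Network IP/Mask, "unique" is read as the host address in the second guideline and as the subnet in the third, and the unit's own port addresses are passed in as a list (all assumptions).

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEntry:
    """One Deployment Network row: interface, VLAN ID (0 = untagged) and the
    Deploy Network IP/Mask. Field names are constructed for this example."""
    interface: str
    vlan_id: int
    ip_mask: str  # host address with prefix, e.g. "10.1.2.50/24"


def is_host_address(ip_mask: str) -> bool:
    """The network IP/mask must be a host address, not a subnet: reject
    entries whose host bits are all zero (e.g. 10.1.2.0/24)."""
    try:
        iface = ipaddress.IPv4Interface(ip_mask)
    except ValueError:
        return False
    return iface.network.prefixlen == 32 or iface.ip != iface.network.network_address


def check_entry(new: NetEntry, existing: list[NetEntry],
                system_ifaces: list[str]) -> list[str]:
    """Return the guideline violations for adding `new` (empty list = OK).
    `system_ifaces` holds the unit's own port addresses in IP/mask form."""
    problems: list[str] = []
    if not is_host_address(new.ip_mask):
        return [f"{new.ip_mask} is a subnet, not a host address"]
    new_if = ipaddress.IPv4Interface(new.ip_mask)

    # Guideline 1: interface name + VLAN ID must be unique across all entries.
    if any(e.interface == new.interface and e.vlan_id == new.vlan_id for e in existing):
        problems.append("interface/VLAN ID pair already used")

    if new.vlan_id == 0:
        # Guideline 2: an untagged entry must not reuse an address already used by
        # another untagged entry or by one of the unit's own interfaces.
        pool = [e.ip_mask for e in existing if e.vlan_id == 0] + system_ifaces
        if any(ipaddress.IPv4Interface(p).ip == new_if.ip for p in pool):
            problems.append("address already used by an untagged entry or a system interface")
    else:
        # Guideline 3: within one VLAN, each subnet may be monitored only once.
        same_vlan = (ipaddress.IPv4Interface(e.ip_mask) for e in existing
                     if e.vlan_id == new.vlan_id)
        if any(s.network == new_if.network for s in same_vlan):
            problems.append(f"subnet {new_if.network} already monitored in VLAN {new.vlan_id}")
    return problems
```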

Deploy Decoy VMs with the Deployment Wizard

Use the Deception > Deployment Wizard page to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.

To deploy Decoys on the network:

  1. Go to Deception > Deployment Wizard.
  2. Click + to add a Decoy VM.
  3. Configure the following:
Name Specify the name of the deployment profile. Maximum 15 characters using A-Z, a-z, 0-9, dash, or underscore. No duplicate profile names.
Available Deception OSes Select a Deception OS.
Selected Services Displays the selected services. You cannot edit this field.
  4. For an Ubuntu VM, turn on SSH or SAMBA. For Windows, turn on RDP or SMB.

For SCADA, turn on HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIANAST, or IEC104.

  5. Click Add Lure for the service and configure the following:
Username Specify the username for the decoy. Maximum 19 characters using A-Z, a-z, or 0-9.

Do not set the username of the lures to be the same as existing usernames in the decoy, such as administrator for RDP/SMB services on Windows, or root for SSH/SAMBA services on Linux.

Password Specify the password for the decoy in 1-14 non-unicode characters.
Sharename This option is only available for SAMBA (Ubuntu) or SMB (Windows). Specify a Sharename in 3-63 characters using A-Z, a-z, or 0-9.
Update or Cancel Click Update to save the username and password. Click Cancel to discard the username and password. Click Delete to delete an existing lure.
  6. To launch the decoy VM immediately, enable Launch Immediately.
  7. To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
  8. Click Next.
  9. The Hostname can start with an English character or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not allowed. The Hostname cannot conflict with decoy names.
  10. Click Add Interface.
  11. Select the Deploy Interface. Set this to the VLAN or subnet added in Set up the Deployment Network on page 10.
  12. Configure the following settings in the Add Interface for Decoy pane:
Addressing Mode Select Static or DHCP.

Static allows you to configure the IP address for all the decoys.

DHCP allows the decoys to receive IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.

Network Mask This field is set automatically.
Gateway Specify the gateway.
IP Count Specify the number of IP addresses to be assigned, up to 16.

If Addressing Mode is DHCP, IP Count is automatically set to 1.

Min The minimum IP address in the IP range.
Max The maximum IP address in the IP range.
IP Ranges Specify the IP range between Min and Max.
  13. Click Done.
  14. To deploy the decoys on the network, click Deploy.
  15. To save this as a template in Deception > Deployment Wizard, click Template.
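The input rules spread over the wizard steps above (profile name, lure username, password and Sharename, decoy Hostname, and the Static/DHCP address settings), collected into one added validator written for this page; it is not FortiDeceptor's own code. It assumes "non-unicode" means printable ASCII and that IP Ranges are given as "first-last" strings (both assumptions).

```python
from __future__ import annotations
import ipaddress
import re

# Input constraints taken from the Deployment Wizard steps above.
PROFILE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{1,19}$")
SHARENAME_RE = re.compile(r"^[A-Za-z0-9]{3,63}$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,14}$")
MAX_IP_COUNT = 16

# Built-in accounts the guide says a lure username must not duplicate.
RESERVED_USERS = {"rdp": "administrator", "smb": "administrator",
                  "ssh": "root", "samba": "root"}


def validate_lure(service: str, username: str, password: str,
                  sharename: str | None = None) -> list[str]:
    """Return violations for one Add Lure form (empty list = valid)."""
    errs: list[str] = []
    svc = service.lower()
    if not USERNAME_RE.match(username):
        errs.append("username: 1-19 characters using A-Z, a-z, 0-9")
    elif username.lower() == RESERVED_USERS.get(svc):
        errs.append(f"username: {username!r} is a built-in {service} account")
    # "non-unicode" is read here as printable ASCII (assumption).
    if not 1 <= len(password) <= 14 or not password.isascii() or not password.isprintable():
        errs.append("password: 1-14 non-unicode characters")
    if svc in ("samba", "smb"):
        if sharename is None or not SHARENAME_RE.match(sharename):
            errs.append("sharename: 3-63 characters using A-Z, a-z, 0-9")
    elif sharename is not None:
        errs.append("sharename: only available for SAMBA or SMB")
    return errs


def validate_names(profile: str, hostname: str, decoy_names: set[str]) -> list[str]:
    """Check the profile name and decoy Hostname rules from the wizard."""
    errs: list[str] = []
    if not PROFILE_NAME_RE.match(profile):
        errs.append("profile name: 1-15 characters using A-Z, a-z, 0-9, dash, underscore")
    if not HOSTNAME_RE.match(hostname) or hostname.endswith("-"):
        errs.append("hostname: 1-15 characters A-Z, a-z, 0-9, hyphen; no leading/trailing hyphen")
    if hostname in decoy_names:
        errs.append("hostname: conflicts with an existing decoy name")
    return errs


def decoy_addresses(mode: str, ip_count: int, ip_min: str, ip_max: str,
                    ip_ranges: list[str] | None = None) -> list[str]:
    """Expand the Add Interface settings into the concrete decoy addresses.
    DHCP forces IP Count to 1 and the static fields do not apply, so the
    result is empty and the single decoy gets its address from the server."""
    if mode.upper() == "DHCP":
        return []
    if not 1 <= ip_count <= MAX_IP_COUNT:
        raise ValueError(f"IP Count must be 1-{MAX_IP_COUNT}")
    lo, hi = ipaddress.IPv4Address(ip_min), ipaddress.IPv4Address(ip_max)
    if lo > hi:
        raise ValueError("Min must not be above Max")
    addrs: list[str] = []
    # With no explicit IP Ranges, the whole Min-Max span is used.
    for rng in ip_ranges or [f"{ip_min}-{ip_max}"]:
        first, _, last = rng.partition("-")
        a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last or first)
        if a < lo or b > hi or a > b:
            raise ValueError(f"range {rng} is not between Min and Max")
        addrs.extend(str(ipaddress.IPv4Address(n)) for n in range(int(a), int(b) + 1))
    if len(addrs) != ip_count:
        raise ValueError(f"ranges yield {len(addrs)} addresses but IP Count is {ip_count}")
    return addrs
```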

Deploy the FortiDeceptor Token Package

Use a FortiDeceptor Token Package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within real endpoints and other IT assets on the network to maximize the deception surface.

To download a FortiDeceptor Token Package:

  1. Go to Deception > Decoy & Lure Status.
  2. Select the Decoy VM by clicking its checkbox.
  3. To download the FortiDeceptor Token Package, click Download Package.

You can only download packages with valid IP addresses. A package must have a status of Initialized, Stopped, Running, or Failed.

To deploy or uninstall a FortiDeceptor Token Package on an existing endpoint:

  1. Copy the downloaded FortiDeceptor Token Package to an endpoint such as a Windows or Linux endpoint.
  2. Unzip the FortiDeceptor Token Package.
  3. In the folder for the OS, such as windows or ubuntu, follow the instructions in txt to install or uninstall the Token Package.

  • For Windows, open the windows folder, right-click windows_token.exe and select Run as administrator.
  • For Ubuntu, open Terminal and run python ./ubuntu_token.py.

When the FortiDeceptor Token Package is installed on a real Windows or Ubuntu endpoint, it increases the deception surface and lures the attacker to a Decoy VM.

Monitor Decoy & Lure Status

The Deception > Decoy & Lure Status page shows the status of the Decoys on your network.

We recommend operating Decoy VMs with the same status for expected behavior.

To view the Deception Status:

  1. Go to Deception > Decoy & Lure Status.
Action Click View detail to see the decoy’s configuration details.

Click Copy to Template to duplicate the decoy as a template.

Click Start or Stop to start or stop the decoy. Click Delete to delete the decoy.

Click Download to download the FortiDeceptor Token Package.

Click VNC to open a VNC of the decoy.

Status The status of the decoy can be Initializing, Running, Stopped, or Cannot Start. If the Decoy VM cannot start, hover over the VM to see the reason.
Decoy Name Name of the decoy.
OS Operating system of the decoy.
VM The name of the Decoy VM.
Enabled Services The number of decoy services enabled on this VM.
IP The IP address of the Decoy VM.
Services List of services enabled. Hover over an icon to see a text list.
Network Type Shows if the IP address is Static or DHCP.
DNS DNS of the Decoy VM.
Gateway Gateway of the Decoy VM.

To delete one or more Decoy VMs:

  1. Go to Deception > Decoy & Lure Status.
  2. Click Delete beside the Decoy VM.
  3. Click OK.

To start one or more Decoy VMs:

  1. Go to Deception > Decoy & Lure Status.
  2. Select one or more Decoy VMs that are stopped.
  3. Click Start.

To stop one or more Decoy VMs:

  1. Go to Deception > Decoy & Lure Status.
  2. Select one or more Decoy VMs that are running.
  3. Click Stop.

Decoy Map

Deception > Decoy Map is a visual representation of the entire network showing real endpoints and Decoy VMs. You can apply filters to focus on specific decoys.

To work with the Decoy Map:

  1. Go to Deception > Decoy Map.
    • To change the display, drag items to another location.
    • Scroll to zoom in or out.
    • Click a node to see its information.

  2. Click Click to begin filtering to select a filter type and type values. Filter types include Decoy Name, Decoy IP, and Lure Type.

You can use multiple arguments with different filter types. All filter arguments and time indicator arguments are considered “AND” conditions.

  3. To locate the node on the map, use the LOCATE BY IP
  4. To save a snapshot of the map, click Save view.

Configure a Whitelist

Use the Deception > Whitelist page to add an IP address for an administrator to log into the network. User actions from a whitelisted IP address are recorded as an Event or Incident.

To add a new whitelist IP address:

  1. Go to Deception > Whitelist.
  2. Click Add New Whitelist IP and configure its settings:
IP Address   Specify the IP address from where the connection originates.
Source Ports   Specify the source ports from where the connection originates.
Destination Ports   Specify the destination ports on the network where the connection terminates.
Description   Specify a description. For example, you can name it as Safe_Network.
Services   Select the name of the services used to connect to the network.
Status   Select Enabled or Disabled.
Action   Click Update or Cancel.
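How the whitelist fields above combine when a connection reaches a decoy, as an added example written for this page (not FortiDeceptor's own matching code): an entry must be Enabled, the source IP must fall in the entry's IP Address, the ports must fall in the Source Ports and Destination Ports specs, and the service must be one of the selected Services. The port-spec syntax "22,80-443", the empty-means-any convention and the sample connections are all constructed for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class WhitelistEntry:
    """One row of Deception > Whitelist; an empty port spec or service set
    means 'any'. Field names are constructed for this example."""
    ip_address: str                         # "10.0.5.7" or a network "10.0.5.0/24"
    source_ports: str = ""                  # e.g. "22,1024-65535"
    destination_ports: str = ""             # e.g. "22,3389"
    services: frozenset[str] = frozenset()  # e.g. {"SSH", "RDP"}
    description: str = ""
    status: str = "Enabled"                 # "Enabled" or "Disabled"


def parse_ports(spec: str) -> list[tuple[int, int]]:
    """'22,80-443' -> [(22, 22), (80, 443)]; '' -> [] (any port)."""
    ranges = []
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        first, _, last = part.partition("-")
        lo, hi = int(first), int(last or first)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ranges.append((lo, hi))
    return ranges


def port_matches(spec: str, port: int) -> bool:
    ranges = parse_ports(spec)
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def matching_entry(entries, src_ip, src_port, dst_port, service):
    """Return the first Enabled entry that covers the connection, else None.
    A Disabled entry never matches, so its traffic is handled like any attacker's."""
    src = ipaddress.ip_address(src_ip)
    for e in entries:
        if e.status != "Enabled":
            continue
        if src not in ipaddress.ip_network(e.ip_address, strict=False):
            continue
        if not (port_matches(e.source_ports, src_port)
                and port_matches(e.destination_ports, dst_port)):
            continue
        if e.services and service.upper() not in e.services:
            continue
        return e
    return None


# Constructed sample connections seen by a decoy: (src_ip, src_port, dst_port, service)
SAMPLE_CONNECTIONS = [
    ("10.0.5.7", 51000, 22, "SSH"),      # admin jump host over SSH
    ("10.0.5.7", 51001, 445, "SMB"),     # same host, but SMB is not in its entry
    ("10.0.9.1", 40000, 22, "SSH"),      # the entry for this host is Disabled
    ("10.0.77.3", 40001, 3389, "RDP"),   # no entry at all
]


def triage(entries, connections):
    """Label each connection 'whitelisted' or 'flagged' (treated as an attacker)."""
    return ["whitelisted" if matching_entry(entries, *c) else "flagged" for c in connections]
```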

DMZ Mode

Deploy a FortiDeceptor hardware unit or VM in the Demilitarized Zone (DMZ). You can monitor attacks on the DMZ network when FortiDeceptor is installed in the DMZ network.

Limitations of the DMZ Mode

The DMZ Mode in FortiDeceptor functions like regular mode with the following exceptions:

  • When DMZ mode is enabled, the banner displays DMZ-MODE.
  • In Deception > Deployment Network, Deception Monitor IP/Mask is hidden. See Set up the Deployment Network on page 10.
  • In Deception > Decoy & Lure Status in the Deception Status view, the Attack Test selection is disabled.
  • Decoy VMs are limited to one deploy Interface. For information about IP address range, see Deploy Decoy VMs with the Deployment Wizard on page 10.

To enable DMZ mode in the CLI:

dmz-mode -e

To disable DMZ mode in the CLI:

dmz-mode -d

Set up FortiDeceptor

Set up FortiDeceptor

This section explains the initial set up of FortiDeceptor.

Connect to the GUI

Use the GUI to configure and manage FortiDeceptor.

To connect to the FortiDeceptor GUI:

  1. Connect the port1 (administration) interface of the device to a management computer using an Ethernet cable.
  2. Configure the management computer to be on the same subnet as the internal interface of the FortiDeceptor unit:
    • Change the IP address of the management computer to 192.168.0.2.
    • Change the network mask to 255.255.255.0.
  3. Go to https://192.168.0.99.
  4. Type admin in the Name field, leave the Password field blank, and click Login.

You can now proceed with configuring your FortiDeceptor unit.

Connect to the CLI

You can use CLI commands to configure and manage FortiDeceptor.

To connect to the FortiDeceptor CLI:

  1. In the FortiDeceptor banner at the top, click the CLI Console icon.

The CLI Console pane opens.

  2. If necessary, click Connect and enter your username and password.

The CLI Console pane has icons to disconnect from the CLI console, clear console text, download console text, copy console text, open the CLI console in its own window, and close the console.

  3. To close the CLI console, click the Close icon.

Change the system hostname

The System Information widget displays the full host name. You can change the FortiDeceptor host name.

To change the host name:

  1. Go to Dashboard > System Information.
  2. Click Change beside Host Name.
  3. In the New Name field, type a new host name.

The hostname can start with a character or digit, and cannot end with a hyphen. A-Z, a-z, 0-9, or hyphen are allowed (case-sensitive). Other symbols, punctuation, or white space are not allowed.

  4. Click Apply.

Change the administrator password

By default, you can log in to the GUI using admin and no password. It is highly recommended that you add a password to the admin account. For better security, regularly change the admin account password and the passwords for any other administrator accounts that you add.

To change the password of the logged in administrator:

  1. In the FortiDeceptor banner at the top, click the username and select Change Password.
  2. Change the password and click OK.

To change the administrator password in the Administrators page:

  1. Go to System > Administrators.
  2. Select an administrator and click Edit.
  3. Change the password and click OK.

Configure the system time

You can change the FortiDeceptor system time in the Dashboard. You can configure the FortiDeceptor system time manually or synchronize with an NTP server.

To configure the system time:

  1. Go to Dashboard > System Information.
  2. Click Change beside System Time.
  3. Set the system time and click Apply. You might need to log in again.

FortiGate Cloud – FortiDeploy

FortiDeploy

FortiDeploy is a product built into FortiGate Cloud for one-touch provisioning when devices are deployed locally or remotely. FortiDeploy provides automatic connection of FortiGates to be managed by FortiGate Cloud or a FortiManager.

At time of purchase, you can order a FortiDeploy SKU in addition to your FortiGate Cloud subscription.

When you visit the FortiGate Cloud portal and enter the bulk FortiGate Cloud key, you see a list of serial numbers from the order that contained the FortiDeploy SKU. After you confirm that the devices are connected, you can perform basic configuration on the devices remotely, such as sending a FortiManager IP address to all remote FortiGates, so that the FortiManager can manage them remotely.

FortiDeploy support starts the moment you send an email to cs@fortinet.com. You can also contact cs@fortinet.com if you have already purchased a FortiGate Cloud subscription and want to purchase FortiDeploy to add to your existing subscription.

FortiDeploy is available for FortiGate, FortiWiFi, and PoE desktop and 1U models up to the 900D. It is recommended for trained personnel to handle larger deployments. FortiDeploy is available for devices running FortiOS 5.2.2 and later.

To enable autojoining FortiGate Cloud:

From FortiOS 5.2.3 and later, the auto-join-forticloud option is enabled by default. It must be enabled for FortiDeploy to function correctly. You can ensure that the option is enabled by running the following commands:

config system fortiguard
    set auto-join-forticloud enable
end

After changing this setting, restart the device and ensure that the device is sending traffic to FortiGate Cloud to verify that you have configured it correctly.

To set central management to FortiGuard:

If your device is connected to FortiGate Cloud but not cloud-managed, ensure that central management is set to FortiGuard:

config system central-management
    set type fortiguard
end

Reboot the device, log into FortiGate Cloud, and see if you can manage the device.

To use FortiDeploy with a device deployed behind a NAT device:

The default address of the internal or LAN interface is the 192.168.1.0/24 subnet. IP conflicts can occur with departmentalization devices. You can unset each device’s default IP address:

config system interface
    edit internal
        unset ip
    end
end

config system interface
    edit lan
        unset ip
    end
end

You can change the internal interface IP address in the web-based manager under Network > Interfaces.

FortiGate Cloud – IOC

IOC

FortiGate Cloud IOC alerts administrators about newly found infections and threats to devices in their network. By analyzing UTM logging and activity, IOC provides a comprehensive overview of threats to the network.

IOC detects three threat types, based on the evolving FortiGuard database:

Threat type Description
Malware Malicious programs residing on infected endpoints
Potentially unwanted programs Spyware, adware, and toolbars
Unknown Threats that the signature has detected but are not associated with any known malware

The free version of IOC is currently available on all accounts in the North America datacenter. The free version alerts you to threats and automatically prepares a comprehensive threat report. Threats listed only provide infected devices’ partial IP addresses: server and subnet.

A subscription grants access to IP address whitelisting, which allows you to narrow your malware search by excluding safe IP addresses and domains, and alert emails to notify you directly of detected network threats. You can also view infected devices’ full IP addresses, allowing you to better control their access to your network.

To purchase an IOC subscription:

  1. Open the Plan page in the FortiGate Cloud IOC site, and select Buy Online.
  2. Complete the purchase process, and wait for the key to arrive by email.
  3. Log into the Fortinet Support website.
  4. On the Asset page, register the code as if it were a new product’s serial number, and then enter the serial number of the FortiGate Cloud-connected device that you want the service to monitor. The service automatically takes effect.

To access IOC using a non-multitenancy account:

  1. In the FortiGate list, click the Threats/Suspicious label under System Status. This only appears if the FortiGate has detected any threats.

To access IOC using a multitenancy account:

  1. In the FortiGate list, look to the right. If your FortiGate has detected any threats, a bomb icon is visible. Click the bomb icon.

FortiGate Cloud – Multitenancy

Multitenancy

The multitenancy account is a FortiGate Cloud premium account designed for MSSPs. A multitenancy account is a one- or five-year service for an administrator to create and manage multiple subaccounts. It also allows you to move devices between these accounts. You can allocate administrators to each subaccount with full or read-only access, allowing more control over a managed service’s provisioning.

After you activate multitenancy, FortiGate Cloud replaces the default Analysis, Management, and SandBox homepages with the multitenancy Analysis, Management, and SandBox homepages.

You can access management actions from the multitenancy homepage. Some actions are not unique to multitenancy and are described elsewhere in this document. For descriptions of these functions, see Analysis on page 16, Management on page 29, and SandBox on page 35.

To activate multitenancy:

  1. Contact your Fortinet partner or reseller, requesting the following SKU: FCLE-10-FCLD0-161-02-DD. They email you a multitenancy activation code.
  2. In the FortiGate Cloud interface, select the My Account icon.
  3. Under the admin/user list, select Activate multi-tenancy feature.
  4. Enter the activation code, and click Submit.

To configure basic multitenancy:

  1. On the Inventory page, select Import FortiCloud Key or Import Bulk Key to add multiple FortiGate Cloud licenses at once.
  2. On the FortiGate Inventory subpage, select one or multiple devices, and select Deploy to FortiGate Cloud. Select the subaccount for the selected devices and template, if any. You can also select a timezone for the devices.
  3. Click Deploy. The devices are moved to the FortiGate Cloud Deployed

To assign a device to a subaccount on the homepage:

Assigning a device to a new subaccount keeps the device data in FortiGate Cloud, including logs, reports, and configuration backup, and moves this data to the new subaccount. To delete this data, you must undeploy your device from FortiGate Cloud, then assign it to the desired subaccount.

You can assign a device to a different subaccount, including RMA devices.

  1. On the multitenancy homepage, click the Config icon beside the desired device, then click Assign To.
  2. In the Assign To dialog, select the desired subaccount, then click Submit.
  3. In the confirmation dialog, click YES.

To manage subaccounts:

  1. The multitenancy homepage lists subaccounts on the left panel. To manage a subaccount, click the desired subaccount. From the dropdown list, select the desired management action.
  2. On the multitenancy page, click the My Account icon. You can view all accounts associated with this FortiGate Cloud account. Use the dropdown list to view Global, SubAccount, or All Users. You can see in this dialog that users have different roles. For descriptions of the roles, see User roles on page 44.
  3. Click the Edit icon for the desired account.
  4. In the My Account > Edit User dialog, for Manage Sub Account, select Selected. Select the desired subaccounts for this user to manage.

User roles

The multitenancy account includes different user roles. You can view users and their roles by clicking the My Account icon.

User role Description
Admin (All) Administrator who can access devices under all subaccounts.
Admin (1) Administrator who can only access devices under the one subaccount that is assigned to them, including the assigned subaccount’s child subaccounts.
Regular (All) Regular user who has view-only access to all subaccounts.
Regular (1) Regular user who has view-only access to all subaccounts, including the assigned subaccount’s child subaccounts.

Admin (All)

The Admin (All) user can view and access all subgroups on the left pane, and use Management functions.

Admin (1)

The Admin (1) user can only access devices under the one subaccount assigned to them (and any child subaccounts), as shown in the left pane. They can access Management functions.

Regular (All)

The Regular (All) user has view-only access to all subgroups, but has no access to Management functions.

Regular (1)

The Regular (1) user has view-only access to devices under the subaccount assigned to them (and any child subaccounts), as shown in the left pane. In this example, the user is assigned access to the sub_2 subaccount, which means they can also view devices assigned to the sub_2_a and sub_2_b subaccounts, which are children of the sub_2 subaccount. The Regular (1) user cannot access Management functions.
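The four roles as an access check, added here for this page and not FortiGate Cloud's own authorization code: (All) roles see every subaccount, (1) roles see their assigned subaccount plus its children to any depth, and only Admin roles reach Management functions. The subaccount tree (sub_2 with children sub_2_a and sub_2_b) is constructed from the Regular (1) example above; other names are invented.

```python
from __future__ import annotations

# Constructed subaccount tree mirroring the Regular (1) example above:
# child -> parent (None = top level).
SUBACCOUNTS: dict[str, str | None] = {"sub_1": None, "sub_2": None, "sub_2_a": "sub_2",
                                      "sub_2_b": "sub_2", "sub_3": None}

ROLES = ("Admin (All)", "Admin (1)", "Regular (All)", "Regular (1)")


def descendants(tree: dict[str, str | None], root: str) -> set[str]:
    """All subaccounts below `root`, to any depth (child subaccounts of child subaccounts)."""
    found: set[str] = set()
    frontier = {root}
    while frontier:
        children = {c for c, p in tree.items() if p in frontier}
        found |= children
        frontier = children
    return found


def visible_subaccounts(tree, role: str, assigned: str | None = None) -> set[str]:
    """Subaccounts shown in the left pane for a user of the given role."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    if role.endswith("(All)"):
        return set(tree)
    if assigned not in tree:
        raise ValueError("a (1) role needs an assigned subaccount")
    return {assigned} | descendants(tree, assigned)


def can_view(tree, role: str, assigned: str | None, device_subaccount: str) -> bool:
    """View access follows the left pane: the device's subaccount must be visible."""
    return device_subaccount in visible_subaccounts(tree, role, assigned)


def can_manage(tree, role: str, assigned: str | None, device_subaccount: str) -> bool:
    """Only Admin roles reach Management functions, and only on devices they can view."""
    return role.startswith("Admin") and can_view(tree, role, assigned, device_subaccount)
```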

Group management

Multitenancy also enables group management actions. You can apply actions to a group of FortiGate and FortiWifi devices, simplifying administrative tasks.

Some group management actions require that you enable management on the selected device. See Management on page 29.

You can access group management actions from the Analysis and Management homepages when multitenancy is enabled.

Some actions are not unique to group management and are described elsewhere in this document in the context of use on a single device; multitenancy simply offers the ability to apply the action to multiple devices. For descriptions of these functions, see the following topics:

Schedule Report To schedule a report: on page 25
Deploy Config To deploy cloud configuration to devices: on page 31
Upgrade Firmware To upgrade remote device firmware: on page 32
Run Script To execute a script on a remote device: on page 33
Set Auto Backup To enable auto backup: on page 31
Manage Report Configs Reports on page 24
Manage Scripts Script on page 33

The following describes actions exclusive to group management:

To view group task status:

You can view the current status of group management actions.

  1. On the Management homepage, click Group Management > Task Status. The Group Task Status displays the group management actions and their statuses. You can click # devices beside the task type to view the devices that the group management action was applied to.

Templates

You can create device configuration templates and deploy different templates to applicable devices to simplify device management. FortiGate Cloud applies the template to the selected devices.

To create a template:

  1. On the Management homepage, click Group Management > Manage Templates.
  2. Click Create Template.
  3. In the Name field, enter the desired template name.
  4. In the Description field, enter the desired template description.
  5. For Create template based on, select one of the following:
Option Description
In-cloud config copy of sampling device Create a template based on a sample device that has already been added to FortiGate Cloud. Select the desired device from the dropdown list. Only devices from the subaccount selected in Sub Account are available.
Platform and version Create a template based on a specific FortiGate or FortiWifi platform and FortiOS version.
Config file Create a template based on a configuration file. You must upload a .conf file.
  1. For Feature set, select the desired features.
  2. For Sub Account, select the desired sub account for this template.
  3. Click Apply.

To apply a template to devices:

  1. On the Management homepage, select the desired devices.
  2. Click Group Management > Use Templates.
  3. In the Use Templates dialog, select the desired template. The dialog only shows templates applicable for the current selected devices.
  4. Click Apply. FortiGate Cloud applies the template to the selected devices.

To revoke templates from devices:

  1. On the Management homepage, select the desired devices.
  2. Click Group Management > Un-use Templates.
  3. Click Apply. FortiGate Cloud revokes the templates from the selected devices.

To edit a template:

  1. On the Management homepage, go to Group Management > Manage Templates.
  2. Click the Edit icon for the desired template.
  3. For a template that has already been applied to devices, you can configure device-specific settings:
    1. Go to the desired configuration page, then expand Device Specific Settings.
    2. Click Create New.
    3. In the New Device Specific Settings dialog, select the desired device’s serial number from the SN dropdown list.
    4. To configure a device-specific setting, enable Override Template Setting, then configure the desired option. Otherwise, FortiGate Cloud applies the template setting to the device. Click OK.

The example configures a device-specific setting for the time zone using Cape Verde Island time, which differs from the template setting, which uses Jerusalem time.