Security Fabric over IPsec VPN

This recipe provides an example of configuring Security Fabric over IPsec VPN.

The following sample topology shows a downstream FortiGate (HQ2) connected to the root FortiGate (HQ1) over IPsec VPN to join Security Fabric.

 

configure      root FortiGate (HQ1):

Configure interface:

1. In the root FortiGate (HQ1), go to Network > Interfaces.
2. Edit port2: l Set Role to WAN.
   • For the interface connected to the Internet, set the IP/Network Mask to 2.200.1/255.255.255.0 c. Edit port6:
   • Set Role to DMZ.
   • For the interface connected to FortiAnalyzer, set the IP/Network Mask to 168.8.250/255.255.255.0
3. Configure the static route to connect to the Internet:
4. Go to Network > Static Routes and click Create New.
   • Set Destination to 0.0.0/0.0.0.0.
   • Set Interface to port2.
   • Set Gateway Address to 2.200.2.
5. Configure IPsec VPN:
6. Go to VPN > IPsec Wizard. l Set VPN Name to To-HQ2. l Set Template Type to Custom.
   • Click Next.
   • Set Authentication to Method. l Set Pre-shared Key to 123456.

1. Leave all other fields in their default values and click OK.

4. Configure the IPsec VPN interface IP address which will be used to form Security Fabric:
   1. Go to Network > Interfaces.
   2. Edit To-HQ2:
      • Set Role to LAN.
      • Set the IP/Network Mask to 10.10.1/255.255.255.255. l Set Remote IP/Network Mask to 10.10.10.3/255.255.255.0.
   3. Configure IPsec VPN local and remote subnet:
   4. Go to Policy & Objects > Addresses.
      • Click Create New l Set Name to To-HQ2_local_subnet_1.
      • Set Type to Subnet. l Set IP/Network Mask to 168.8.0/24.
      • Click OK.
      • Click Create New l Set Name to To-HQ2_remote_subnet_1.
      • Set Type to Subnet. l Set IP/Network Mask to 1.100.0/24. l Click OK.
      • Click Create New l Set Name to To-HQ2_remote_subnet_2.
      • Set Type to Subnet. l Set IP/Network Mask to 10.10.3/32.
      • Click OK.
   5. Configure IPsec VPN static routes:
   6. Go to Network > Static Routes and click Create New.
      • For Named Address, select Type and select To-HQ2_remote_subnet_1. l Set Interface to To-HQ2.
      • Click OK.

1. Click Create New.

• For Named Address, select Type and select To-HQ2_remote_subnet_1. l Set Interface to Blackhole.
• Set Administrative Distance to 254.
• Click OK.

7. Configure IPsec VPN policies:
8. Go to Policy & Objects > IPv4 Policy and click Create New.
   • Set Name to vpn_To-HQ2_local. l Set Incoming Interface to port6. l Set Outgoing Interface to To-HQ2. l Set Source to To-HQ2_local_subnet_1.
   • Set Destination to To-HQ2_remote_subnet_1. l Set Schedule to Always. l Set Service to All. l Disable NAT.

1. Click Create New.

• Set Name to vpn_To-HQ2_remote. l Set Incoming Interface to To-HQ2. l Set Outgoing Interface to port6. l Set Source to To-HQ2_remote_subnet_1, To-HQ2_remote_subnet_2.
• Set Destination to To-HQ2_local_subnet_1. l Set Schedule to Always. l Set Service to All. l Enable NAT.
• Set IP Pool Configuration to Use Outgoing Interface Address.

8. Configure Security Fabric:
9. Go to Security Fabric > Settings.
   • Enable FortiGate Telemetry.
   • Set Group name to Office-Security-Fabric. l In FortiTelemetry enabled interfaces, add VPN interface To-HQ2. l Set IP address to the FortiAnalyzer IP of 168.8.250.

After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging and Upload is set to Real Time.

configure      downstream FortiGate (HQ2):

Configure interface:

1. Go to Network > Interfaces.
2. Edit interface wan1: l Set Role to WAN. l For the interface connected to the Internet, set the IP/Network Mask to 168.7.3/255.255.255.0. c. Edit interface vlan20: l Set Role to LAN.

l For the interface connected to local endpoint clients, set the IP/Network Mask to

10.1.100.3/255.255.255.0.

2. Configure the static route to connect to the Internet:
   1. Go to Network > Static Routes and click Create New.
      • Set Destination to 0.0.0/0.0.0.0.
      • Set Interface to wan1.
      • Set Gateway Address to 168.7.2.
   2. Configure IPsec VPN:
      1. Go to VPN > IPsec Wizard. l Set VPN Name to To-HQ1. l Set Template Type to Custom. l Click Next. l In the Network IP Address, enter 2.200.1.
         • Set Interface to wan1.
         • Set Authentication to Method. l Set Pre-shared Key to 123456.
      2. Leave all other fields in their default values and click OK.
   3. Configure the IPsec VPN interface IP address which will be used to form Security Fabric:
      1. Go to Network > Interfaces.
      2. Edit To-HQ1:
         • Set Role to WAN. l Set the IP/Network Mask to 10.10.3/255.255.255.255. l Set Remote IP/Network Mask to 10.10.10.1/255.255.255.0.0.
      3. Configure IPsec VPN local and remote subnet:
         1. Go to Policy & Objects > Addresses.
            • Click Create New l Set Name to To-HQ1_local_subnet_1.
            • Set Type to Subnet. l Set IP/Network Mask to 1.100.0/24.
            • Click OK.
            • Click Create New l Set Name to To-HQ1_remote_subnet_1. l Set Type to Subnet.
            • Set IP/Network Mask to 168.8.0/24.
            • Click OK.
         2. Configure IPsec VPN static routes:
            1. Go to Network > Static Routes and click Create New.
               • For Named Address, select Type and select To-HQ1_remote_subnet_1. l Set Interface to To-HQ1.
               • Click OK.
            2. Click Create New.
               • For Named Address, select Type and select To-HQ1_remote_subnet_1. l Set Interface to Blackhole. l Set Administrative Distance to 254.
               • Click OK.
            3. Configure IPsec VPN policies:
               1. Go to Policy & Objects > IPv4 Policy and click Create New.
                  • Set Name to vpn_To-HQ1_local. l Set Incoming Interface to vlan20. l Set Outgoing Interface to To-HQ1. l Set Source to To-HQ1_local_subnet_1.
                  • Set Destination to To-HQ1_remote_subnet_1. l Set Schedule to Always. l Set Service to All. l Disable NAT.
               2. Click Create New.
                  • Set Name to vpn_To-HQ1_remote. l Set Incoming Interface to To-HQ1. l Set Outgoing Interface to vlan20. l Set Source to To-HQ1_remote_subnet_1. l Set Destination to -HQ1_local_subnet_1.
                  • Set Schedule to Always. l Set Service to All. l Disable NAT.
               3. Configure Security Fabric:
                  1. Go to Security Fabric > Settings.
                     • Enable FortiGate Telemetry.
                     • Enable Connect to upstream FortiGate. l Set FortiGate IP to 10.10.1.

After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging. Settings for the FortiAnalyzer are retrieved from the downstream FortiGate (HQ2) when it connects to the root FortiGate (HQ1).

authorize      downstream FortiGate (HQ2) on the root FortiGate (HQ1):

In the root FortiGate (HQ1), go to Security Fabric > Settings.

The Topology field highlights the connected FortiGate (HQ2)with the serial number and asks you to authorize the highlighted device.

2. Select the highlighted FortiGate and select Authorize.

After authorization, the downstream FortiGate (HQ2) appears in the Topology field in Security Fabric > Settings. This means the downstream FortiGate (HQ2) has successfully joined the Security Fabric.

To check Security Fabric over IPsec VPN:

1. On the root FortiGate (HQ1), go to Security Fabric > Physical Topology.

The root FortiGate (HQ1) is connected by the downstream FortiGate (HQ2) with VPN icon in the middle.

2. On the root FortiGate (HQ1), go to Security Fabric > Logical Topology.

The root FortiGate (HQ1) VPN interface To-HQ2 is connected by downstream FortiGate (HQ2) VPN interface ToHQ1 with VPN icon in the middle.

To run diagnose commands:

1. Run the diagnose sys csf authorization pending-list command in the root FortiGate (HQ1) to show the downstream FortiGate pending for root FortiGate authorization:

HQ1 # diagnose sys csf authorization pending-list

Serial                  IP Address      HA-Members

Path

————————————————————————————

FG101ETK18002187        0.0.0.0

FG3H1E5818900718:FG101ETK18002187

2. Run the diagnose sys csf downstream command in the root FortiGate (HQ1) to show the downstream

FortiGate (HQ2) after it joins Security Fabric:

HQ1 # diagnose sys csf downstream

1:    FG101ETK18002187 (10.10.10.3) Management-IP: 0.0.0.0 Management-port:0 parent:

FG3H1E5818900718 path:FG3H1E5818900718:FG101ETK18002187

data received: Y downstream intf:To-HQ1 upstream intf:To-HQ2 admin-port:443 authorizer:FG3H1E5818900718

3. Run the diagnose sys csf upstream command in the downstream FortiGate (HQ2) to show the root FortiGate (HQ1) after the downstream FortiGate joins Security Fabric:

HQ2 # diagnose sys csf upstream Upstream Information:

Serial Number:FG3H1E5818900718

IP:10.10.10.1

Connecting interface:To-HQ1

Connection status:Authorized

Viewing and controlling network risks via topology view

This recipe shows how to view and control compromised hosts via the Security Fabric > Physical Topology or Security Fabric > Logical Topology view.

In the following topology, the downstream FortiGate (Marketing) is connected to the root FortiGate (Edge) through a FortiSwitch (Distribution). The Endpoint Host is connected to the downstream FortiGate (Marketing) through another FortiSwitch (Access).

This recipe consists of the following steps:

1. Configure the root FortiGate.
2. Configure the downstream FortiGate.
3. Authorize the downstream FortiGate on the root FortiGate. Authorize Security Fabric FortiGates on the FortiAnalyzer.
4. View the compromised endpoint host.
5. Quarantine the compromised endpoint host.
6. Run diagnose

To configure the root FortiGate:

1. Configure the interface:
   1. In FortiOS on the downstream FortiGate, go to Network > Interfaces.
   2. Edit port4. Set the role to WAN and set the IP/Network Mask to 192.168.5.2/255.255.255.0 for the interface that is connected to the Internet.
   3. Edit port6. Set the role to DMZ and set the IP/Network Mask to 192.168.8.2/255.255.255.0 for the interface which is connected to FortiAnalyzer.
   4. Edit port5. Set the Addressing mode to Dedicated to the FortiSiwitch for the interface which is connected to the Distribution FortiSwitch.
   5. Return to Network > Interfaces and click Create New. For the new interface, set the name to vlan70, Type to VLAN, Interface to port5, VLAN ID to 70, Role to LAN, and IP/Network Mask to 192.168.7.2/255.255.255.0
2. Authorize the Distribution FortiSwitch:
   1. Go to WiFi & Switch Controller> Managed FortiSwitch.
   2. Click the FortiGate icon, then click Edit. Set the Name to Distribution-Switch, enable the Authorized option, then click OK.
   3. Click the FortiSwitch port1 icon. For port1’s Native VLAN, select vlan70.

 

3. Configure the default static route to connect to the root FortiGate. Go to Network > Static Routes. Set the Destination to 0.0.0.0/0.0.0.0, select port4 as the Interface, and set the Gateway Address as 192.168.5.254.
4. Configure the Security Fabric:
5. Go to Security Fabric > Settings.
6. Enable FortiGate Telemetry.
7. Configure a group name.
8. In FortiTelemetry enabled interfaces, add vlan70.
9. FortiAnalyzer logging is enabled and the Upload option is set to Real Time after FortiGate Telemetry is enabled. Set the IP address to the FortiAnalyzer IP address, which in this example is 192.168.8.250. FortiAnalyzer settings will be retrieved when the downstream FortiGate connects to the root FortiGate.
10. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the policy as follows:
    1. Set the Name to Access-internet1.
    2. Set the Source Interface to vlan70 and the Destination Interface to port4.
    3. Set the Source Address to all and the Destination Address to all.
    4. Set the Action to ACCEPT.
    5. Set the Schedule to Always.
    6. Set the Service to ALL.
    7. Enable NAT.
    8. Set the IP Pool Configuration to Use Outgoing Interface Address.
11. Create an address for the FortiAnalyzer:
    1. Go to Policy & Objects > Addresses. Click Create New, then Address.
    2. Set the Name to FAZ-addr.
    3. Set the Type to Subnet.
    4. Set the Subnet/IP Range to 192.168.8.250/32.
    5. Set the Interface to Any.
12. Create a policy for the downstream FortiGate to access the FortiAnalyzer. Go to Policy & Objects > IPv4 Policy.

Click Create New, and configure the policy as follows: a. Set the Name to Access-Resources.

6. Set the Source Interface to vlan70 and the Destination Interface to port6.
7. Set the Source Address to all and the Destination Address to FAZ-addr.
8. Set the Action to ACCEPT.
9. Set the Schedule to Always.
10. Set the Service to ALL.
11. Enable NAT.
12. Set the IP Pool Configuration to Use Outgoing Interface Address.

To configure the downstream FortiGate:

1. Configure the interface:
   1. In FortiOS on the downstream FortiGate, go to Network > Interfaces.
   2. Edit wan1. Set the role to WAN and set the IP/Network Mask to 192.168.7.3/255.255.255.0 for the interface that is connected to the root FortiGate.
   3. Edit wan2. Set the Addressing mode to Dedicated to the FortiSiwitch for the interface which is connected to the Access FortiSwitch.
   4. Return to Network > Interfaces and click Create New. For the new interface, set the name to vlan20, Type to VLAN, Interface to wan2, VLAN ID to 20, Role to LAN, and IP/Network Mask to 10.1.100.3/255.255.255.0.
2. Authorize the Access FortiSwitch:
   1. Go to WiFi & Switch Controller> Managed FortiSwitch.
   2. Click the FortiGate icon, then click Edit. Set the Name to Access-Switch, enable the Authorized option, then click OK.
   3. Click the FortiSwitch port2 icon. For port2’s Native VLAN, select vlan20.
3. Configure the default static route to connect to the root FortiGate. Go to Network > Static Routes. Set the Destination to 0.0.0.0/0.0.0.0, select wan1 as the Interface, and set the Gateway Address as 192.168.7.2.
4. Configure the Security Fabric:
   1. Go to Security Fabric > Settings.
   2. Enable FortiGate Telemetry.
   3. Under FortiGate Telemetry, enable Connect to upstream FortiGate.
   4. Configure the FortiGate IP to 192.168.7.2.
   5. In FortiTelemetry enabled interfaces, add vlan20.
   6. FortiAnalyzer logging is enabled after FortiGate Telemetry is enabled. FortiAnalyzer settings will be retrieved when the downstream FortiGate connects to the root FortiGate.
5. Create a policy to access the Internet. Go to Policy & Objects > IPv4 Policy. Click Create New, and configure the policy as follows:
   2. Set the Name to Access-internet2.
   3. Set the Source Interface to vlan20 and the Destination Interface to wan1..
   4. Set the Source Address to all and the Destination Address to all.
   5. Set the Action to ACCEPT.
   6. Set the Schedule to Always.
   7. Set the Service to ALL.
   8. Enable NAT.
   9. Set the IP Pool Configuration to Use Outgoing Interface Address.
   10. Choose the default Web Filter profile.

To authorize the downstream FortiGate on the root FortiGate:

1. In FortiOS on the root FortiGate, go to Security Fabric > Settings. In the Topology field, a highlighted FortiGate with a serial number is connecting to the root FortiGate, and a highlighted warning asks for authorization of the highlighted device.
2. Click the highlighted FortiGate, then select Authorize. After authorization, the downstream FortiGate appears in the Topology field in Security Fabric > Settings, meaning that the downstream FortiGate joined the Security Fabric successfully.

To authorize Security Fabric FortiGates on the FortiAnalyzer:

1. Ensure that the FortiAnalyzer firmware is 6.2.0 or a later version.
2. In FortiAnalyzer, go to Device Manager> Unauthorized. All FortiGates are listed as unauthorized. Select all FortiGates, then select authorize. The FortiGates now appear as authorized.
3. After a moment, a warning icon appears beside the root FortiGate since the FortiAnalyzer needs administrative access to the root FortiGate in the Security Fabric. Click the warning icon, then enter the admin user and password for the root FortiGate.

To view the compromised endpoint host:

1. Test that FortiGate detects a compromised endpoint host by opening a browser on the endpoint host and entering a malicious website URL. The browser displays a Web Page Blocked! warning and does not allow access to the website.
2. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology. The endpoint host, connected to the Access FortiSwitch, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.
3. Go to Security Fabric > Logical Topology. The endpoint host, connected to the downstream FortiGate, is highlighted in red. Mouse over the endpoint host to view a tooltip that shows the IoC verdict. The endpoint host is compromised.

To quarantine the compromised endpoint host:

1. In FortiOS on the root FortiGate, go to Security Fabric > Physical Topology.
2. Right-click the endpoint host and select Quarantine Host. Click OK to confirm the confirmation dialog.
3. Go to Monitor> Quarantine Monitor. From the dropdown list at the top right corner, select All FortiGates. The quarantined endpoint host displays in the content pane.
4. On the endpoint host, open a browser and visit a website such as https://fortinet.com. If the website cannot be accessed, this confirms that the endpoint host is quarantined.

To run diagnose commands:

1. To show the downstream FortiGate after it joins the Security Fabric, run the diagnose sys csf downstream command in the root FortiGate (Edge) CLI. The output should resemble the following: Edge # diagnose sys csf downstream

1: FG101ETK18002187 (192.168.7.3) Management-IP: 0.0.0.0 Management-port:0 parent:

FG201ETK18902514 path:FG201ETK18902514:FG101ETK18002187

data received: Y downstream intf:wan1 upstream intf:vlan70 admin-port:443 authorizer:FG201ETK18902514

2. To show the upstream FortiGate after the downstream FortiGate joins the Security Fabric, run the diagnose sys csf upstream command in the downstream FortiGate (Marketing) CLI. The output should resemble the following:

Marketing # diagnose sys csf upstream Upstream Information:

Serial Number:FG201ETK18902514

IP:192.168.7.2

Connecting interface:wan1

Connection status:Authorized

3. To show the quarantined endpoint host in the connected FortiGate, run the following commands in the downstream FortiGate (Marketing) CLI:

Marketing # show user quarantine config user quarantine config targets edit “PC2” set description “Manually quarantined” config macs edit 00:0c:29:3d:89:39 set description “manual-qtn Hostname: PC2”

next

end

next

end end

 

Security Fabric

The Fortinet Security Fabric provides an intelligent architecture that interconnects discrete security solutions into an integrated whole to detect, monitor, block, and remediate attacks across the entire attack surface. It delivers broad protection and visibility into every network segment and device, be they hardware, virtual, or cloud based.

• The physical topology view shows all connected devices, including access layer devices. The logical topology view shows information about the interfaces that each device is connected to.
• Security rating checks analyze the Security Fabric deployment to identify potential vulnerabilities and highlight best practices to improve the network configuration, deploy new hardware and software, and increase visibility and control of the network.
• Automation pairs an event trigger with one or more actions to monitor the network and take the designated actions automatically when the Security Fabric detects a threat.
• Fabric connectors provide integration with multiple SDN, cloud, and partner technology platforms to automate the process of managing dynamic security updates without manual intervention.

Deploy Security Fabric

This recipe provides an example of deploying Security Fabric with three downstream FortiGates connecting to one root FortiGate. To deploy Security Fabric, you need a FortiAnalyzer running firmware version 6.2.

The following shows a sample network topology of three downstream FortiGates (Accounting, Marketing, and Sales) connected to the root FortiGate (Edge).

To configure the root FortiGate (Edge):

1. Configure interface:
   1. In the root FortiGate (Edge), go to Network > Interfaces.
   2. Edit port16:
      • Set Role to DMZ.
      • For the interface connected to FortiAnalyzer, set the IP/Network Mask to 168.65.2/255.255.255.0 c. Edit port10:
      • Set Role to LAN.
      • For the interface connected to the downstream FortiGate (Accounting), set the IP/Network Mask to

192.168.10.2/255.255.255.0

1. Edit port11:

• Set Role to LAN.
• For the interface connected to the downstream FortiGate (Marketing), set the IP/Network Mask to 168.200.2/255.255.255.0

2. Configure Security Fabric:
3. In the root FortiGate (Edge), go to Security Fabric > Settings. l Enable FortiGate Telemetry.
   • Set a Group name, such as Office-Security-Fabric.
   • Add port10 and port11 to FortiTelemetry enabled interfaces.

After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging and Upload Option is set to Real Time.

192. Set IP address to the FortiAnalyzer IP 168.65.10.
193. Select Test Connectivity.

A warning message indicates that the FortiGate is not authorized on the FortiAnalyzer. The authorization is configured in a later step on the FortiAnalyzer.

3. Create a policy to allow the downstream FortiGate (Accounting) to access the FortiAnalyzer:
4. In the root FortiGate (Edge), go to Policy & Objects > Addresses.
   • Click Create New.
   • Set Name to FAZ-addr. l Set Type to Subnet.
   • Set Subnet/IP Range to 168.65.10/32.
   • Set Interface to any. l Click Create New.
   • Set Name to Accounting. l Set Type to Subnet.
   • Set Subnet/IP Range to 168.10.10/32.
   • Set Interface to any.

1. In the root FortiGate (Edge), go to Policy & Objects > IPv4 Policy.

• Set Name to Accounting-to-FAZ. l Set srcintf to port10. l Set dstintf to port16.
• Set srcaddr to Accounting-addr. l Set dstaddr to FAZ-addr. l Set Action to Accept. l Set Schedule to Always. l Set Service to All. l Enable NAT.
• Set IP Pool Configuration to Use Outgoing Interface Address.

4. Create a policy to allow the two downstream FortiGates (Marketing and Sales) to access the FortiAnalyzer:
5. In the root FortiGate (Edge), go to Policy & Objects > Addresses and click Create New.
   • Set Name to Marketing-addr. l Set Type to Subnet.
   • Set Subnet/IP Range to 168.200.10/32.
   • Set Interface to any.

1. In the root FortiGate (Edge), go to Policy & Objects > IPv4 Policy.

• Set Name to Marketing-to-FAZ. l Set srcintf to port11.
• Set dstintf to port16.
• Set srcaddr to Marketing-addr. l Set dstaddr to FAZ-addr. l Set Action to Accept. l Set Schedule to Always. l Set Service to All. l Enable NAT. l Set IP Pool Configuration to Use Outgoing Interface Address.

To configure the downstream FortiGate (Accounting):

1. Configure interface:
   1. In the downstream FortiGate (Accounting), go to Network > Interfaces.
   2. Edit interface wan1: l Set Role to WAN.
      • For the interface connected to root, set the IP/Network Mask to 168.10.10/255.255.255.0
   3. Configure the default static route to connect to the root FortiGate (Edge):
      1. In the downstream FortiGate (Accounting), go to Network > Static Routes:
         • Set Destination to 0.0.0/0.0.0.0. l Set Interface to wan1.
         • Set Gateway Address to 168.10.2.
      2. Configure Security Fabric:
         1. In the downstream FortiGate (Accounting), go to Security Fabric > Settings.
            • Enable FortiGate Telemetry.
            • Enable Connect to upstream FortiGate.
            • FortiGate IP is filled in automatically with the default static route Gateway Address of 168.10.2 set in the previous step.
            • Leave FortiTelemetry enabled interfaces empty since there is no downstream FortiGate connecting to it.

After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Accounting) connects to the root FortiGate (Edge).

To configure the downstream FortiGate (Marketing):

1. Configure interface:
   1. In the downstream FortiGate (Marketing), go to Network > Interfaces.
   2. Edit port12:
      • Set Role to LAN.
      • For the interface connected to the downstream FortiGate (Sales), set the IP/Network Mask to 168.135.11/255.255.255.0.
   3. Edit wan1:
      • Set Role to WAN.
      • For the interface connected to the root FortiGate (Edge), set the IP/Network Mask to 168.200.10/255.255.255.0.
   4. Configure the default static route to connect to the root FortiGate (Edge):
      1. In the downstream FortiGate (Marketing), go to Network > Static Routes:
         • Set Destination to 0.0.0/0.0.0.0. l Set Interface to wan1.
         • Set Gateway Address to 168.200.2.
      2. Configure Security Fabric:
         1. In the downstream FortiGate (Marketing), go to Security Fabric > Settings.
            • Enable FortiGate Telemetry.
            • Enable Connect to upstream FortiGate.
            • FortiGate IP is filled in automatically with the default static route Gateway Address of 168.200.2 set in the previous step.
            • In FortiTelemetry enabled interfaces, add port12.

After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Marketing) connects to the root FortiGate (Edge).

4. Create a policy to allow another downstream FortiGate (Sales) going through FortiGate (Marketing) to access the FortiAnalyzer:
   1. In the downstream FortiGate (Marketing), go to Policy & Objects > Addresses and click Create New.
      • Set Name to FAZ-addr. l Set Type to Subnet.
      • Set Subnet/IP Range to 168.65.10/32.
      • Set Interface to any.
   2. Click Create New. l Set Name to Sales-addr. l Set Type to Subnet.
      • Set Subnet/IP Range to 168.135.10/32.
      • Set Interface to any.
   3. In the downstream FortiGate (Marketing), go to Policy & Objects > IPv4 Policy.
      • Set Name to Sales-to-FAZ.
      • Set srcintf to port12. l Set dstintf to wan1.
      • Set srcaddr to Sales-addr. l Set dstaddr to FAZ-addr. l Set Action to Accept. l Set Schedule to Always. l Set Service to All. l Enable NAT. l Set IP Pool Configuration to Use Outgoing Interface Address.

 

configure the downstream FortiGate (Accounting):

Configure interface:

1. In the downstream FortiGate (Accounting), go to Network > Interfaces.
2. Edit interface wan1: l Set Role to WAN.
   • For the interface connected to root, set the IP/Network Mask to 168.10.10/255.255.255.0
3. Configure the default static route to connect to the root FortiGate (Edge):
   1. In the downstream FortiGate (Accounting), go to Network > Static Routes:
      • Set Destination to 0.0.0/0.0.0.0. l Set Interface to wan1.
      • Set Gateway Address to 168.10.2.
   2. Configure Security Fabric:
      1. In the downstream FortiGate (Accounting), go to Security Fabric > Settings.
         • Enable FortiGate Telemetry.
         • Enable Connect to upstream FortiGate.
         • FortiGate IP is filled in automatically with the default static route Gateway Address of 168.10.2 set in the previous step.
         • Leave FortiTelemetry enabled interfaces empty since there is no downstream FortiGate connecting to it.

After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging. Settings for the FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Accounting) connects to the root FortiGate (Edge).

To configure the downstream FortiGate (Sales):

1. Configure interface:
   1. In the downstream FortiGate (Sales), go to Network > Interfaces.
   2. Edit wan2:
      • Set Role to WAN.
      • For the interface connected to the upstream FortiGate (Marketing), set the IP/Network Mask to 168.135.10/255.255.255.0.
   3. Configure the default static route to connect to the upstream FortiGate (Marketing):
      1. In the downstream FortiGate (Sales), go to Network > Static Routes:
         • Set Destination to 0.0.0/0.0.0.0. l Set Interface to wan2.
         • Set Gateway Address to 168.135.11.
      2. Configure Security Fabric:
         1. In the downstream FortiGate (Sales), go to Security Fabric > Settings.
            • Enable FortiGate Telemetry.
            • Enable Connect to upstream FortiGate.
            • FortiGate IP is filled in automatically with the default static route Gateway Address of 168.135.11 set in the previous step.
            • Leave FortiTelemetry enabled interfaces empty since there is no downstream FortiGate connecting to it.

After FortiGate Telemetry is enabled, FortiAnalyzer automatically enables Logging. Settings for the

FortiAnalyzer are retrieved from the root FortiGate (Edge) when FortiGate (Sales) connects to the root

FortiGate (Edge).

To authorize downstream FortiGates (Accounting, Marketing, and Sales) on the root FortiGate (Edge):

1. In the root FortiGate (Edge), go to Security Fabric > Settings.

The Topology field highlights two connected FortiGates with their serial numbers and asks you to authorize the highlighted devices.

2. Select the highlighted FortiGates and select Authorize.

After they are authorized, the two downstream FortiGates (Accounting and Marketing) appear in the Topology field in Security Fabric > Settings. This means the two downstream FortiGates (Accounting and Marketing) have successfully joined the Security Fabric.

3. The Topology field now highlights the FortiGate with the serial number that is connected to the downstream FortiGate (Marketing) and asks you to authorize the highlighted device.
4. Select the highlighted FortiGates and select Authorize.

After it is authorized, the downstream FortiGate ( Sales) appears in the Topology field in Security Fabric > Settings. This means the downstream FortiGates (Sales) has successfully joined the Security Fabric.

To use FortiAnalyzer to authorize all the Security Fabric FortiGates:

1. Authorize all the Security Fabric FortiGates on the FortiAnalyzer side:
   1. In the FortiAnalyzer, go to System Settings > Network > All Interfaces.

l Edit port1 and set IP Address/Netmask to 192.168.65.10/255.255.255.0.

1. Go to Device Manager> Unauthorized.

All the FortiGates are listed as unauthorized.

1. Select all the FortiGates and select Authorize. The FortiGates are now listed as authorized.

After a moment, a warning icon appears beside the root FortiGate (Edge) because the FortiAnalyzer needs administrative access to the root FortiGate (Edge) in the Security Fabric.

1. Click the warning icon and enter the admin username and password of the root FortiGate (Edge).

2. Check FortiAnalyzer status on all the Security Fabric FortiGates:

l On each FortiGates, go to Security Fabric > Settings and check that FortiAnalyzerLogging shows Storage usage information.

check Security Fabric deployment result:

On FortiGate (Edge), go to Dashboard > Status.

The Security Fabric widget displays all the FortiGates in the Security Fabric.

2. On FortiGate (Edge), go to Security Fabric > Physical Topology.

This page shows a visualization of access layer devices in the Security Fabric.

3. On FortiGate (Edge), go to Security Fabric > Physical Topology.

This dashboard shows information about the interfaces of each device in the Security Fabric.

To run diagnose commands:

1. Run the diagnose sys csf authorization pending-list command in the root FortiGate to show the downstream FortiGate pending for root FortiGate authorization:

Edge # diagnose sys csf authorization pending-list

Serial IP Address   HA-Members   Path ————————————————————————————

FG201ETK18902514        0.0.0.0                      FG3H1E5818900718:FG201ETK18902514

2. Run the diagnose sys csf downstream command in the root or middle FortiGate to show the downstream

FortiGates after they join Security Fabric:

Edge # diagnose sys csf downstream

1:    FG201ETK18902514 (192.168.200.10) Management-IP: 0.0.0.0 Management-port:0 parent:

FG3H1E5818900718 path:FG3H1E5818900718:FG201ETK18902514

data received: Y downstream intf:wan1 upstream intf:port11 admin-port:443 authorizer:FG3H1E5818900718

2:    FGT81ETK18002246 (192.168.10.10) Management-IP: 0.0.0.0 Management-port:0 parent:

FG3H1E5818900718 path:FG3H1E5818900718:FGT81ETK18002246

data received: Y downstream intf:wan1 upstream intf:port10 admin-port:443 authorizer:FG3H1E5818900718

3:    FG101ETK18002187 (192.168.135.10) Management-IP: 0.0.0.0 Management-port:0 parent:

FG201ETK18902514 path:FG3H1E5818900718:FG201ETK18902514:FG101ETK18002187

data received: Y downstream intf:wan2 upstream intf:port12 admin-port:443 authorizer:FG3H1E5818900718

3. Run the diagnose sys csf upstream command in any downstream FortiGate to show the upstream

FortiGate after downstream FortiGate joins Security Fabric:

Marketing # diagnose sys csf upstream Upstream Information:

Serial Number:FG3H1E5818900718

IP:192.168.200.2

Connecting interface:wan1

Connection status:Authorized

Troubleshooting your installation

If your FortiGate does not function as desired after installation, try the following troubleshooting tips:

1. Check for equipment issues Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for information about connecting your FortiGate to the network. You will also find detailed information about the FortiGate LED indicators.The FortiGate has multiple LED lights on the faceplate. Verify whether or not the LEDs on your FortiGate indicate a problem. For information on what the LEDs mean, see the LED specifications on page 43
2. Check the physical network connections Check the cables used for all physical connections to ensure that they are fully connected and do not appear damaged, and make sure that each cable connects to the correct device and the correct Ethernet port on that device.
3. Verify that you can connect to the internal IP address of the FortiGate Connect to the GUI from the FortiGate’s internal interface by browsing to its IP address. From the PC, try to ping the internal interface IP address; for example, ping 192.168.1.99. If you cannot connect to the internal interface, verify the IP configuration of the PC. If you can ping the interface but can’t connect to the GUI, check the settings for administrative access on that interface. Alternatively, use SSH to connect to the CLI, and then confirm that HTTPS has been enabled for Administrative Access on the interface.
4. Check the FortiGate interface configurations Check the configuration of the FortiGate interface connected to the internal network (under Network > Interfaces) and check that Addressing mode is set to the correct mode.
5. Verify the security policy configuration Go to Policy & Objects > IPv4 Policy and verify that the internal interface to Internet-facing interface security policy has been added and is located near the top of the policy list. Check the Active Sessions column to ensure that traffic has been processed (if this column does not appear, right-click on the table header and select Active Sessions). If you are using NAT mode, check the configuration of the policy to make sure that NAT is enabled and that Use Outgoing Interface Address is selected.
6. Verify the static routing configuration

Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor and verify that the default route appears in the list as a static route. Along with the default route, you should see two routes shown as Connected, one for each connected FortiGate interface.

7. Verify that you can connect to the Internet-facing interface’s IP address Ping the IP address of the Internetfacing interface of your FortiGate. If you cannot connect to the interface, the FortiGate is not allowing sessions from the internal interface to Internet-facing interface. Verify that PING has been enabled for Administrative Access on the interface.
8. Verify that you can connect to the gateway provided by your ISP

Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact your ISP to verify that you are using the correct gateway.

9. Verify that you can communicate from the FortiGate to the Internet

Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.

10. Verify the DNS configurations of the FortiGate and the PCs

Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping www.fortinet.com.

If the name cannot be resolved, the FortiGate or PC cannot connect to a DNS server and you should confirm that the DNS server IP addresses are present and correct.

11. Confirm that the FortiGate can connect to the FortiGuard network Once the FortiGate is on your network, you should confirm that it can reach the FortiGuard network. First, check the License Information widget to make sure that the status of all FortiGuard services matches the services that you have purchased. Go to System > FortiGuard. Scroll down to Filtering Services Availability and select Check Again. After a minute, the GUI

should indicate a successful connection.Verify that your FortiGate can resolve and reach FortiGuard at service.fortiguard.net by pinging the domain name. If you can reach this service, you can then verify the connection to FortiGuard servers by running the command diagnose debug rating. This displays a list of FortiGuard IP gateways you can connect to, as well as the following information:

• Weight: Based on the difference in time zone between the FortiGate and this server l RTT: Return trip time l Flags: D (IP returned from DNS), I (Contract server contacted), T (being timed), F (failed) l TZ: Server time zone l Curr Lost: Current number of consecutive lost packets l Total Lost: Total number of lost packets

12. Consider changing the MAC address of your external interface Some ISPs do not want the MAC address of the device connecting to their network cable to change. If you have added a FortiGate to your network, you may have to change the MAC address of the Internet-facing interface using the following CLI command:

config system interface edit <interface> set macaddr <xx:xx:xx:xx:xx:xx>

end

end

13. Check the FortiGate bridge table (transparent mode) When a FortiGate is in transparent mode, the unit acts like a bridge sending all incoming traffic out on the other interfaces. The bridge is between interfaces on the FortiGate unit. Each bridge listed is a link between interfaces. Where traffic is flowing between interfaces, you expect to find bridges listed. If you are having connectivity issues and there are no bridges listed, that is a likely cause. Check for the MAC address of the interface or device in question.To list the existing bridge instances on the FortiGate, use the following CLI command:

diagnose netlink brctl name host root.b show bridge control interface root.b host. fdb: size=2048, used=25, num=25, depth=1 Bridge root.b host table port no device devname mac addr ttl attributes

3 4 wan1 00:09:0f:cb:c2:77 88

3 4 wan1 00:26:2d:24:b7:d3 0

• 4 wan1 00:13:72:38:72:21 98
• 3 internal 00:1a:a0:2f:bc:c6 6

1 6 dmz 00:09:0f:dc:90:69 0 Local Static

3 4 wan1 c4:2c:03:0d:3a:38 81

3 4 wan1 00:09:0f:15:05:46 89

3 4 wan1 c4:2c:03:1d:1b:10 0

2 5 wan2 00:09:0f:dc:90:68 0 Local Static

14. Use FortiExplorer if you can’t connect to the FortiGate over Ethernet If you can’t connect to the FortiGate

GUI or CLI, you may be able to connect using FortiExplorer. Refer to the QuickStart Guide or see the section on FortiExplorer for more details.

15. Either reset the FortiGate to factory defaults or contact Fortinet Support for assistance To reset the FortiGate to factory defaults, use the CLI command execute factoryreset. When prompted, type y to confirm the reset.

If you require further assistance, visit the Fortinet Support website.

 

FortiCloud

FortiCloud is a hosted security management and log retention service for FortiGate devices. It gives you centralized reporting, traffic analysis, configuration management, and log retention without the need for additional hardware or software.

FortiCloud offers a wide range of features:

• Simplified central management — FortiCloud provides a central web-based management console to manage individual or aggregated FortiGate and FortiWiFi devices. Adding a device to the FortiCloud management subscription is straightforward. FortiCloud has detailed traffic and application visibility across the whole network.
• Hosted log retention with large default storage allocated — Log retention is an integral part of any security and compliance program but administering a separate storage system is burdensome. FortiCloud takes care of this automatically and stores the valuable log information in the cloud. Each device is allowed up to 200GB of log retention storage. Different types of logs can be stored including Traffic, System Events, Web, Applications, and Security Events.
• Monitoring and alerting in real time — Network availability is critical to a good end-user experience. FortiCloud enables you to monitor your FortiGate network in real time with different alerting mechanisms to pinpoint potential issues. Alerting mechanisms can be delivered via email.
• Customized or pre-configured reporting and analysis tools — Reporting and analysis are your eyes and ears into your network’s health and security. Pre-configured reports are available, as well as custom reports that can be tailored to your specific reporting and compliance requirements. For example, you may want to look closely at application usage or website violations. The reports can be emailed as PDFs and can cover different time periods.
• Maintain important configuration information uniformly — The correct configuration of the devices within your network is essential to maintaining an optimum performance and security posture. In addition, maintaining the correct firmware (operating system) level allows you to take advantage of the latest features.
• Service security — All communication (including log information) between the devices and the clouds is encrypted. Redundant data centers are always used to give the service high availability. Operational security measures have been put in place to make sure your data is secure — only you can view or retrieve it.

Registration and activation

FortiCloud accounts can be registered manually through the FortiCloud website, https://www.forticloud.com, but you can easily register and activate your account directly from your FortiGate.

Activating your FortiCloud account

1. On your device’s dashboard, in the FortiCloud widget, select the Activate button in the status field.
2. A dialogue asking you to register your FortiCloud account appears. Select Create Account, enter your information, view and accept the terms and conditions, and select OK.
3. A second dialogue window appears, asking you to enter your information to confirm your account. This sends a confirmation email to your registered email. The dashboard widget then updates to show that confirmation is required.
4. Open your email, and follow the confirmation link it contains.

Results

A FortiCloud page will open, stating that your account has been confirmed. The Activation Pending message on the dashboard will change to state the type of account you have (‘1GB Free’ or ‘200GB Subscription’), and will provide a link to the FortiCloud portal.

Enabling logging to FortiCloud

1. Go to Log & Report > Log Settings.
2. Enable Send Logs to FortiCloud.
3. Select Test Connectivity to ensure that your FortiGate can connect to the registered FortiCloud account.
4. Scroll down to GUI Preferences, set Display Logs/FortiView From, to see FortiCloud logs within the FortiGate’s GUI.

Logging into the FortiCloud portal

Once logging has been configured and you have registered your account, you can log into the FortiCloud portal and begin viewing your logging results. There are two methods to reach the FortiCloud portal:

• If you have direct networked access to the FortiGate, you can simply open your Dashboard and check the License Information Next to the current FortiCloud connection status will be a link to reach the FortiCloud Portal.
• If you do not currently have access to the FortiGate’s interface, you can visit the FortiCloud website

(https://forticloud.com) and log in remotely, using your email and password. It will ask you to confirm the FortiCloud account you are connecting to and then you will be granted access. Connected devices can be remotely configured using the Scripts page in the Management Tab, useful if an administrator may be away from the unit for a long period of time.

Cloud sandboxing

FortiCloud can be used for automated sample tracking, or sandboxing, for files from a FortiGate. This allows suspicious files to be sent to be inspected without risking network security. If the file exhibits risky behavior, or is found to contain a virus, a new virus signature is created and added to the FortiGuard antivirus signature database.

Cloud sandboxing is configured by going to Security Fabric > Settings. After enabling Sandbox Inspection, select the FortiSandbox type.

Sandboxing results are shown in a new tab called AV Submissions in the FortiCloud portal. This tab only appears after a file has been sent for sandboxing.

For more information about FortiCloud, see the FortiCloud documentation.

FortiGuard

The FortiGuard Distribution Network (FDN) of servers provides updates to antivirus, antispam, and IPS definitions to your FortiGate. FortiGuard Subscription Services provides comprehensive Unified Threat Management (UTM) security solutions to enable protection against content and network level threats.

The FortiGuard team can be found around the globe, monitoring virus, spyware and vulnerability activities. As vulnerabilities are found, signatures are created and pushed to the subscribed FortiGates. The Global Threat Research Team enables Fortinet to deliver a combination of multi-layered security intelligence and provide true zero-day protection from new and emerging threats. The FortiGuard Network has data centers around the world located in secure, high availability locations that automatically deliver updates to the Fortinet security platforms to protect the network with the latest information.

FortiGuard provides a number of services to monitor world-wide activity and provide the best possible security, including:

• Intrusion Prevention System (IPS) – IPS uses a customizable database of more than 4000 known threats to stop attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the system to recognize threats when no signature has yet been developed. It also provides more than 1000 application identity signatures for complete application control.
• Application Control– Application Control allows you to identify and control applications on networks and endpoints regardless of port, protocol, and IP address used. It gives you unmatched visibility and control over application traffic, even traffic from unknown applications and sources. Application Control is a free FortiGuard service and the database for Application Control signatures is separate from the IPS database (Botnet Application signatures are still part of the IPS signature database since these are more closely related with security issues and less about application detection). Application Control signature database information is displayed under the System > FortiGuard page in the FortiCare section.
• AntiVirus – The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the latest content level threats. It employs advanced virus, spyware, and heuristic detection engines to prevent both new and evolving threats from gaining access to your network and protects against vulnerabilities.
• Web Filtering – Web Filtering provides Web URL filtering to block access to harmful, inappropriate, and dangerous web sites that may contain phishing/pharming attacks, malware such as spyware, or objectionable content that can expose your organization to legal liability. Based on automatic research tools and targeted research analysis, real-time updates enable you to apply highly-granular policies that filter web access based on six major categories and nearly 80 micro-categories, over 45 million rated web sites, and more than two billion web pages – all continuously updated.
• Email Filtering – The FortiGuard Antispam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools on Fortinet appliances and agents, to detect and block a wide range of spam messages. Updates to the IP reputation and spam signature databases are provided continuously via the FDN.
• Messaging Services – Messaging Services allow a secure email server to be automatically enabled on your FortiGate to send alert email or send email authentication tokens. With the SMS gateway, you can enter phone numbers where the FortiGate will send the SMS messages. Note that depending on your carrier, there may be a slight time delay on receiving messages.
• DNS and DDNS – The FortiGuard DNS and DDNS services provide an efficient method of DNS lookups once subscribed to the FortiGuard network. This is the default option. The FortiGate connects automatically to the FortiGuard DNS server. If you do not register, you need to configure an alternate DNS server. Configure the DDNS server settings using the CLI command:

config system fortiguard set ddns-server-ip set ddns-server-port

end

Support contract and FortiGuard subscription services

The FDN support Contract is available under System > FortiGuard.

The License Information area displays the status of your FortiGate’s support contract.

You can also manually update the AntiVirus and IPS engines.

Verifying your connection to FortiGuard

If you are not getting FortiGuard web filtering or antispam services, there are a few things to verify that communication to the FDN is working. Before any troubleshooting, ensure that the FortiGate has been registered and subscribed to the FortiGuard services.

Verification – GUI:

The simplest method to check that the FortiGate is communicating with the FDN, is to check the License Information dashboard widget. Any subscribed services should have a green check mark beside them indicating that connections are successful. Any other icon indicates a problem with the connection, or you are not subscribed to the FortiGuard services.

You can also view the FortiGuard connection status by going to System > FortiGuard.

Verification – CLI:

You can also use the CLI to see what FortiGuard servers are available to your FortiGate. Use the following CLI command to ping the FDN for a connection: execute ping guard.fortinet.net

You can also use the following diagnose command to find out what FortiGuard servers are available:

diagnose debug rating

From this command, you will see output similar to the following:

Locale       : english License      : Contract Expiration : Sun Jul 24 20:00:00 2011 Hostname    : service.fortiguard.net -=- Server List (Tue Nov 2 11:12:28 2010) -=-
IP Weight           RTT Flags TZ        Packets	Curr Lost  Total Lost
69.20.236.180     0       10    -5   77200	0          42
69.20.236.179       0  12   -5         52514	0          34
66.117.56.42     0     32       -5   34390	0          62
80.85.69.38         50 164     0   34430	0          11763
208.91.112.194      81 223 D -8        42530	0          8129
216.156.209.26     286 241 DI -8       55602	0          21555

An extensive list of servers are available. Should you see a list of three to five available servers, the FortiGuard servers are responding to DNS replies to service FortiGuard.net, but the INIT requests are not reaching FDS services on the servers.

The rating flags indicate the server status:

D	Indicates the server was found via the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with ‘D’ and will be used first for INIT requests before falling back to the other servers.
I	Indicates the server to which the last INIT request was sent.
F	The server has not responded to requests and is considered to have failed.
T	The server is currently being timed.

The server list is sorted first by weight and then the server with the smallest RTT is put at the top of the list, regardless of weight. When a packet is lost, it will be resent to the next server in the list.

The weight for each server increases with failed packets and decreases with successful packets. To lower the possibility of using a distant server, the weight is not allowed to dip below a base weight, which is calculated as the difference in hours between the FortiGate and the server, multiplied by 10. The further away the server, the higher its base weight and the lower in the list it will appear.

Port assignment

The FortiGate contacts FDN for the latest list of FDN servers by sending UDP packets with typical source ports of 1027 or 1031, and destination port 8888. The FDN reply packets have a destination port of 1027 or 1031.

If your ISP blocks UDP packets in this port range, the FortiGate cannot receive the FDN reply packets. As a result, the FortiGate will not receive the complete FDN server list.

If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate to use highernumbered ports, using the CLI command:

config system global set ip-src-port-range <start port>-<end port>

end

where the <start port> and <end port> are numbers ranging of 1024 to 25000.

For example, you could configure the FortiGate to not use ports lower than 2048 or ports higher than the following range:

config system global set ip-src-port-range 2048-20000

end

Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use. Push updates might be unavailable if:

l there is a NAT device installed between the unit and the FDN, and/or l your unit connects to the Internet using a proxy server.

Configuring Antivirus and IPS options

Go to System > FortiGuard, and scroll down to the AntiVirus & IPS Updates section to configure the antivirus and IPS options for connecting and downloading definition files.

Accept push updates	Select to allow updates to be sent automatically to your FortiGate. New definitions will be added as soon as they are released by FortiGuard.
Use override push	Appears only if Accept push updates is enabled. Enable to configure an override server if you cannot connect to the FDN or if your organization provides updates using their own FortiGuard server. Once enabled, enter the following: l  Enter the IP address and port of the NAT device in front of your FortiGate. FDS will connect to this device when attempting to reach the FortiGate. l  The NAT device must be configured to forward the FDS traffic to the FortiGate on UDP port 9443.
Scheduled Updates	Enable for updates to be sent to your FortiGate at a specific time. For example, to minimize traffic lag times, you can schedule the update to occur on weekends or after work hours. Note that a schedule of once a week means any urgent updates will not be pushed until the scheduled time. However, if there is an urgent update required, select the Update Now button.
Improve IPS quality	Enable to help Fortinet maintain and improve IPS signatures. The information sent to the FortiGuard servers when an attack occurs can be used to keep the database current as variants of attacks evolve.
Use extended IPS signature package	Regular IPS database protects against the latest common and in-the-wild attacks. Extended IPS database includes protection from legacy attacks.
Update AV & IPS Definitions	Select to manually initiate an FDN update.

Manual updates

To manually update the signature definitions file, you need to first go to the Fortinet Support web site. Once logged in, select Download > FortiGuard Service Updates. The browser will present you the most current IPS and AntiVirus signature definitions which you can download.

Once downloaded to your computer, log into the FortiGate to load the definition file.

To load the definition file onto the FortiGate:

1. Go to System > FortiGuard.
2. In the License Information table, select the Upgrade Database link in either the Application Control Signature, IPS, or AntiVirus
3. In the pop-up window, select Upload and locate the downloaded file and select Open.

The upload may take a few minutes to complete.

Automatic updates

The FortiGate can be configured to request updates from FDN on a scheduled basis, or via push notification.

Scheduling updates

Scheduling updates ensures that the virus and IPS definitions are downloaded to your FortiGate on a regular basis, ensuring that you do not forget to check for the definition files yourself.

Updating definitions can cause a very short disruption in traffic currently being scanned while the FortiGate unit applies the new signature database, Ideally, schedule updates during off-peak hours, such as evenings or weekends, when network usage is minimal, to ensure that the network activity will not suffer from the added traffic of downloading the definition files.

To enable scheduled updates – GUI:

1. Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
2. Enable Scheduled Updates.
3. Select the frequency of updates.
4. Select Apply.

To enable scheduled updates – CLI:

config system autoupdate schedule set status enable

set frequency {every | daily | weekly} set time <hh:mm> set day <day_of_week>

end

Push updates

Push updates enable you to get immediate updates when new viruses or intrusions have been discovered and new signatures created. This ensures that the latest signature will be sent to the FortiGate as soon as possible.

When a push notification occurs, the FortiGuard server sends a notice to the FortiGate that there is a new signature definition file available. The FortiGate then initiates a download of the definition file, similar to the scheduled update.

To ensure maximum security for your network, you should have a scheduled update as well as enable the push update, in case an urgent signature is created, and your cycle of the updates only occurs weekly.

To enable push updates – GUI:

1. Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
2. Enable Accept push updates.
3. Select Apply.

To enable push updates – CLI:

config system autoupdate push-update set status enable

end

Push IP override

If the FortiGate is behind another NAT device (or another FortiGate), to ensure it receives the push update notifications, you need to use an override IP address for the notifications. To do this, you create a virtual IP to map to the external port of the NAT device.

Generally speaking, if there are two FortiGate devices, the following steps need to be completed on the FortiGate NAT device to ensure the FortiGate on the internal network receives the updates:

• Add a port forwarding virtual IP to the FortiGate NAT device that connects to the Internet by going to Policy & Objects > Virtual IPs.
• Add a security policy to the FortiGate NAT device that connects to the Internet that includes the port forwarding virtual IP. l Configure the FortiGate on the internal network with an override push IP and port.

On the FortiGate internal device, the virtual IP is entered as the Use push override IP address.

To enable push update override- GUI:

1. Go to System > FortiGuard and scroll down to AntiVirus & IPS Updates.
2. Enable Accept push updates.
3. Enable Use override push.
4. Enter the virtual IP address configured on the NAT device.
5. Select Apply.

To enable push updates – CLI:

config system autoupdate push-update set status enable set override enable set address <vip_address> end

Sending malware statistics to FortiGuard

To support following malware trends and making zero-day discoveries, FortiGate units send encrypted statistics to

FortiGuard about IPS, Application Control, and AntiVirus events detected by the FortiGuard services running on your FortiGate. FortiGuard uses the statistics collected to achieve a balance between performance and security effectiveness by moving inactive signatures to an extended signature database.

The statistics include some non-personal information that identifies your FortiGate and its country. The information is never shared with external parties. You can choose to disable the sharing of this information by entering the following CLI command:

config system global set fds-statistics disable

end

Configuring web filtering and email filtering options

Go to System > FortiGuard, and scroll down to Filtering to set the size of the caches and ports.

Web Filter Cache	Set the Time To Live (TTL) value. This is the number of seconds the FortiGate will store a blocked IP or URL locally, saving time and network access traffic, checking the FortiGuard server. Once the TTL has expired, the FortiGate will contact an FDN server to verify a web address. The TTL must be between 300 and 86400 seconds.
Anti-Spam Cache	Set the TTL value (see above).
FortiGuard Filtering Port	Select the port assignments for contacting the FortiGuard servers.
Filtering Service Availability	Indicates the status of the filtering service. Select Check Again if the filtering service is not available.
Request re-evaluation of a URL’s category	Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter service.

Email filtering

The FortiGuard data centers monitor and update email databases of known spam sources. With FortiGuard Anti-Spam filtering enabled, the FortiGate verifies incoming email sender addresses and IPs against the database, and takes the necessary actions as defined within the antivirus profiles.

Spam source IP addresses can also be cached locally on the FortiGate, providing a quicker response time, while easing load on the FortiGuard servers, aiding in a quicker response time for less common email address requests.

By default, the anti-spam cache is enabled. The cache includes a TTL value, which is the amount of time an email address will stay in the cache before expiring. You can change this value to shorten or extend the time between 5 and 1,440 minutes.

To modify the antispam cache TTL – GUI:

1. Go to System > FortiGuard.
2. Under Filtering, enable Anti-Spam Cache.
3. Enter the TTL value in minutes.
4. Select Apply.

To modify the Anti-Spam filter TTL – CLI:

config system fortiguard set antispam-cache-ttl <integer>

end

Further antispam filtering options can be configured to block, allow, or quarantine specific email addresses. These configurations are available through the Security Profiles > Anti-Spam menu.

Online security tools

The FortiGuard online center provides a number of online security tools, including but not limited to:

• URL lookup — By entering a website address, you can see if it has been rated and what category and classification it is filed as. If you find your website or a site you commonly go to has been wrongly categorized, you can use this page to request that the site be re-evaluated: https://fortiguard.com/webfilter
• Threat Encyclopedia — Browse the Fortiguard Labs extensive encyclopedia of threats. Search for viruses, botnet

C&C, IPS, endpoint vulnerabilities, and mobile malware: https://www.fortiguard.com/encyclopedia l Application Control — Browse the Fortiguard Labs extensive encyclopedia of applications: https://fortiguard.com/appcontrol

Firmware

Fortinet periodically updates the FortiGate firmware to include new features and resolve important issues. After you have registered your FortiGate unit, you can download firmware updates from the Fortinet Support web site, Before you install any new firmware, be sure to follow the steps below:

• Review the Release Notes for a new firmware release.
• Review the Supported Upgrade Paths SysAdmin note on the Fortinet Cookbook site to prepare for the upgrade of FortiOS on your FortiGate.
• Backup the current configuration, including local certificates. l Test the new firmware until you are satisfied that it applies to your configuration.

Installing new firmware without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.

Backing up the current configuration

You should always back up the configuration before installing new firmware, in case you need to restore your FortiGate configuration.

Downloading

Firmware images for all FortiGate units are available on the Fortinet Support website.

To download firmware:

1. Log into the site using your user name and password.
2. Go to Download > Firmware Images.
3. A list of Release Notes is shown. If you have not already done so, download and review the Release Notes for the firmware you wish to upgrade your FortiGate unit to.
4. Select Download.
5. Navigate to the folder for the firmware version you wish to use.
6. Select your FortiGate model from the list. If your unit is a FortiWiFi, the firmware will have a filename starting with ‘FWF’.
7. Save the firmware image to your computer.

Testing

The integrity of firmware images downloaded from Fortinet’s support portal can be verified using a file checksum. A file checksum that does not match the expected value indicates a corrupt file. The corruption could be caused by errors in transfer or by file modification. A list of expected checksum values for each build of released code is available on Fortinet’s support portal.

Image integrity is also verified when the FortiGate is booting up. This integrity check is done through a cyclic redundancy check (CRC). If the CRC fails, the FortiGate unit will encounter an error during the boot process.

Lastly, firmware images are signed and the signature is attached to the code as it is built. When upgrading an image, the running OS will generate a signature and compare it with the signature attached to the image. If the signatures do not match, the new OS will not load.

Testing before installation

FortiOS lets you test a new firmware image by installing the firmware image from a system reboot and saving it to system memory. After completing this procedure, the FortiGate unit operates using the new firmware image with the current configuration. This new firmware image is not permanently installed. The next time the FortiGate unit restarts, it operates with the originally installed firmware image using the current configuration. If the new firmware image operates successfully, you can install it permanently using the procedure explained in Upgrading firmware.

To use this procedure, you must connect to the CLI using the FortiGate console port and an RJ-45 to DB-9 or null modem cable. This procedure temporarily installs a new firmware image using your current configuration.

For this procedure, you must install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

To test the new firmware image:

1. Connect to the CLI using an RJ-45 to DB-9 or null modem cable.
2. Make sure the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. Make sure the FortiGate unit can connect to the TFTP server using the execute ping
5. Enter the following command to restart the FortiGate unit: execute reboot
6. As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate unit starts, a series of system startup messages appears: Press any key to display configuration menu….
7. Immediately press any key to interrupt the system startup.
8. If you successfully interrupt the startup process, the following messages appears:

[G]: Get firmware image from TFTP server.

[F]: Format boot device.

[B]: Boot with backup firmware and set as default

[C]: Configuration and information

[Q]: Quit menu and continue to boot with default firmware.

[H]: Display this list of options. Enter G, F, Q, or H:

9. Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]:
10. Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]:
11. Type an IP address of the FortiGate unit to connect to the TFTP server. The IP address must be on the same network as the TFTP server.
12. The following message appears: Enter File Name [image.out]:
13. Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following appears: Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
14. Type R. The FortiGate image is installed to system memory and the FortiGate unit starts running the new firmware image, but with its current configuration.

You can test the new firmware image as required. When done testing, you can reboot the FortiGate unit, and the FortiGate unit will resume using the firmware that was running before you installed the test firmware.

Upgrading firmware

Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date. You can also use the CLI command execute update-now to update the antivirus and attack definitions.

To upgrade the firmware – GUI:

1. Log into the GUI as the admin administrative user.
2. Go to System > Firmware.
3. Under Upload Firmware, select Browse and locate the firmware image file.
4. Select OK.

The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process takes a few minutes.

To upgrade the firmware – CLI:

Before you begin, ensure you have a TFTP server running and accessible to the FortiGate unit.

1. Make sure the TFTP server is running.
2. Copy the new firmware image file to the root directory of the TFTP server.
3. Log into the CLI.
4. Make sure the FortiGate unit can connect to the TFTP server. You can use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168 execute ping 192.168.1.168
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <filename> <tftp_ipv4>

6. The FortiGate unit responds with the message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

7. Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts.

This process takes a few minutes.

8. Reconnect to the CLI.
9. Update antivirus and attack definitions:

execute update-now.

Reverting

The following procedure reverts the FortiGate unit to its factory default configuration and deletes any configuration settings. If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

To revert to a previous firmware version – GUI:

1. Log into the GUI as the admin user.
2. Go to System > Firmware
3. Under Upload Firmware, select Browse and locate the firmware image file.
4. Select OK.

The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.

To revert to a previous firmware version – CLI:

Before beginning this procedure, it is recommended that you:

• Backup the FortiGate unit system configuration using the command execute backup config
• Backup the IPS custom signatures using the command execute backup ipsuserdefsig
• Backup web content and email filtering lists.

To use the following procedure, you must have a TFTP server the FortiGate unit can connect to.

1. Make sure that the TFTP server is running.
2. Copy the firmware image file to the root directory of the TFTP server.
3. Log in to the FortiGate CLI.
4. Make sure the FortiGate unit can connect to the TFTP server by using the execute ping
5. Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:

execute restore image tftp <name_str> <tftp_ipv4>

6. The FortiGate unit responds with this message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

7. Type y. The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following appears:

Get image from tftp server OK.

Check image OK.

This operation will downgrade the current firmware version! Do you want to continue? (y/n)

8. Type y. The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
9. Reconnect to the CLI.
10. To restore your previous configuration, if needed, use the command:

execute restore config <name_str> <tftp_ipv4>

11. Update antivirus and attack definitions using the command:

execute update-now

Installation from system reboot

In the event that the firmware upgrade does not load properly and the FortiGate unit will not boot, or continuously reboots, it is best to perform a fresh install of the firmware from a reboot using the CLI.

This procedure installs a firmware image and resets the FortiGate unit to default settings. You can use this procedure to upgrade to a new firmware version, revert to an older firmware version, or re-install the current firmware.

To use this procedure, you must connect to the CLI using the FortiGate console port and a RJ-45 to DB-9, or null modem cable. This procedure reverts the FortiGate unit to its factory default configuration.

For this procedure you install a TFTP server that you can connect to from the FortiGate internal interface. The TFTP server should be on the same subnet as the internal interface.

Before beginning this procedure, ensure you backup the FortiGate unit configuration.

If you are reverting to a previous FortiOS version, you might not be able to restore the previous configuration from the backup configuration file.

Installing firmware replaces your current antivirus and attack definitions, along with the definitions included with the firmware release you are installing. After you install new firmware, make sure that antivirus and attack definitions are up to date.

To install firmware from a system reboot:

1. Connect to the CLI using the RJ-45 to DB-9 or null modem cable.
2. Make sure the TFTP server is running.
3. Copy the new firmware image file to the root directory of the TFTP server.
4. Make sure the internal interface is connected to the same network as the TFTP server.
5. To confirm the FortiGate unit can connect to the TFTP server, use the following command to ping the computer running the TFTP server. For example, if the IP address of the TFTP server is 192.168.1.168: execute ping 192.168.1.168
6. Enter the following command to restart the FortiGate unit: execute reboot
7. The FortiGate unit responds with the following message:

This operation will reboot the system!

Do you want to continue? (y/n)

8. Type y. As the FortiGate unit starts, a series of system startup messages appears. When the following messages appears:

Press any key to display configuration menu……….

10. If you successfully interrupt the startup process, the following messages appears:

[G]: Get firmware image from TFTP server.

[F]: Format boot device.

[B]: Boot with backup firmware and set as default

[C]: Configuration and information

[Q]: Quit menu and continue to boot with default firmware.

[H]: Display this list of options. Enter G, F, Q, or H

11. Type G to get to the new firmware image form the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]:
12. Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]:
13. Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address can be any IP address that is valid for the network to which the interface is connected.
14. The following message appears: Enter File Name [image.out]:
15. Enter the firmware image filename and press Enter.The TFTP server uploads the firmware image file to the FortiGate unit and a message similar to the following appears: Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
16. Type D. The FortiGate unit installs the new firmware image and restarts. The installation might take a few minutes to complete.

Restoring from a USB key

1. Log into the CLI.
2. Enter the following command to restore an unencrypted configuration file:

execute restore image usb Restore image from USB disk. {string} Image file name on the USB disk.

3. The FortiGate unit responds with the following message:

This operation will replace the current firmware version! Do you want to continue? (y/n)

4. Type y.

Controlled upgrade

Using a controlled upgrade, you can upload a new version of the FortiOS firmware to a separate partition in the FortiGate memory for later upgrade. The FortiGate unit can also be configured so that when it is rebooted, it will automatically load the new firmware (CLI only). Using this option, you can stage a number of FortiGate units to do an upgrade simultaneously to all devices using FortiManager or script.

To load the firmware for later installation:

execute restore secondary-image {ftp | tftp | usb} <filename_str>

To set the FortiGate unit so that when it reboots, the new firmware is loaded:

execute set-next-reboot {primary | secondary}

where {primary | secondary} is the partition with the preloaded firmware.

Basic administration

This section contains information about basic FortiGate administration that you can do after you installing the unit in your network.

Registration

In order to have full access to Fortinet Support and FortiGuard Services, you must register your FortiGate.

Registering your FortiGate:

1. Go to the Dashboard and locate the Licenses
2. Click on FortiCare Support to display a pop-up window and Register.
3. In the pop-up window, either use an existing Fortinet Support account or create a new one. Select your Country and Reseller.
4. Select OK.

FortiGate platforms don’t impose any limitations on the number or type of customers, users, devices, IP addresses, or number of VPN clients being served by the platform. Such factors are limited solely by the hardware capacity of each given model.

System settings

There are several system settings that should be configured once your FortiGate is installed:

• Default administrator password on page 46
• Settings on page 46 l Changing the host name on page 46 l System time on page 46 l Administration settings on page 47 l Password policy on page 48 l View settings on page 48 l Administrator password retries and lockout time on page 48

Default administrator password

By default, your FortiGate has an administrator account set up with the username admin and no password. In order to prevent unauthorized access to the FortiGate, it is highly recommended that you add a password to this account.

To change the default password:

1. Go to System > Administrators.
2. Edit the admin
3. Select Change Password.
4. Enter the New Password and re-enter the password for confirmation.
5. Select OK.

It is also recommended to change the user name of this account; however, since you cannot change the user name of an account that is currently in use, a second administrator account will need to be created in order to do this.

Settings

Settings can be accessed by going to System > Settings. On this page, you can change the Host name, set the system time and identify time zone in System Time, configure HTTP, HTTPS, SSH, and Telnet ports as well as idle timeout in Administration Settings, designate the Password Policy, and manage display options and designate inspection mode in View Settings.

Changing the host name

The host name of your FortiGate appears in the Hostname row in the System Information widget on the Dashboard. The host name also appears at the CLI prompt when you are logged in to the CLI, and as the SNMP system name.

To change the host name on the FortiGate

Go to System > Settings and type in the new name in the Host name row. The only administrators that can change a

FortiGate’s host name are administrators whose admin profiles permit system configuration write access. If the FortiGate is part of an HA cluster, you should use a unique host name to distinguish the FortiGate from others in the cluster.

System time

For effective scheduling and logging, the FortiGate system time and date should be accurate. You can either manually set the system time and date or configure the FortiGate to automatically synchronize with a Network Time Protocol (NTP) server.

NTP enables you to keep the FortiGate time synchronized with other network systems. By enabling NTP on the FortiGate, FortiOS will check with the NTP server you select at the configured intervals. This will also ensure that logs and other time-sensitive settings on the FortiGate are correct.

The FortiGate maintains its internal clock using a built-in battery. At start up, the time reported by the FortiGate will indicate the hardware clock time, which may not be accurate. When using NTP, the system time might change after the FortiGate has successfully obtained the time from a configured NTP server.

To set the date and time

1. Go to the System > Settings.
2. Under System Time, select your Time Zone by using the drop-down menu.
3. Set Time by either selecting Synchronize with NTP Server or Manual settings. If you select synchronization, you can either use the default FortiGuard servers or specify a custom server. You can also set the Sync interval.
4. If you use an NTP server, you can identify a specific interface for this self-originating traffic by enabling Setup device as local NTP server.
5. Select Apply.

Administration settings

In order to improve security, you can change the default port configurations for administrative connections to the FortiGate. When connecting to the FortiGate when the port has changed, the port must be included, such as https://<ip_address>:<port>. For example, if you are connecting to the FortiGate using port 99, the URL would be https://192.168.1.99:99.

To configure the port settings:

1. Go to System > Settings.
2. Under Administration Settings, change the port numbers for HTTP, HTTPS, SSH, and/or Telnet as needed. You can also select Redirect to HTTPS in order to avoid HTTP being used for the administrators.
3. Select Apply.

When you change the default port number for HTTP, HTTPS, SSH, or Telnet, ensure that the port number is unique. If a conflict exists with a particular port, a warning message will appear.

By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone from using the GUI if the management PC is left unattended.

To change the idle timeout

1. Go to System > Settings.
2. In the Administration Settings section, enter the time in minutes in the Idle timeout
3. Select Apply.

Password policy

The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password including:

• minimum length between 8 and 64 characters.
• if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters. l if the password must contain numbers (1, 2, 3). l if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )). l where the password applies (admin or IPsec or both). l the duration of the password before a new one must be specified.

To create a password policy – GUI

1. Go to System > Settings.
2. Configure Password Policy settings as required.
3. Click Apply.

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.

View settings

Three settings can change the presentation of information in the GUI: Language, Lines per page, and Theme.

To change the language, go to System > Settings. Select the language you want from the Language drop-down list: English (the default), French, Spanish, Portuguese, Japanese, Traditional Chinese, Simplified Chinese, or Korean. For best results, you should select the language that is used by the management computer.

To change the number of lines per page displayed in the GUI tables, set Lines per page to a value between 20 and 1,000. The default is 50 lines per page.

Five color themes are currently available: Green (the default), Red, Blue, Melongene, and Mariner. To change your theme, select the color from the Theme drop-down list.

This is also where you select either Flow-based or Proxy Inspection Mode . If you select Flow-based mode, then you need to specify if it is NGFW Profile-based or NGFW Policy-based inspection.

Administrator password retries and lockout time

By default, the FortiGate sets the number of password retries at three, allowing the administrator a maximum of three attempts to log into their account before locking the account for a set amount of time.

Both the number of attempts (admin-lockout-threshold) and the wait time before the administrator can try to enter a password again (admin-lockout-duration) can be configured within the CLI.

To configure the lockout options:

config system global set admin-lockout-threshold <failed_attempts> set admin-lockout-duration <seconds> end

The default value of admin-lockout-threshold is 3 and the range of values is between 1 and 10. The adminlockout-duration is set to 60 seconds by default and the range of values is between 1 and 4294967295 seconds.

Keep in mind that the higher the lockout threshold, the higher the risk that someone may be able to break into the FortiGate.

Example:

To set the admin-lockout-threshold to one attempt and the admin-lockout-duration to a five minute duration before the administrator can try to log in again, enter the commands:

config system global set admin-lockout-threshold 1

Passwords

Using secure passwords are vital for preventing unauthorized access to your FortiGate. When changing the password, consider the following to ensure better security:

• Do not make passwords that are obvious, such as the company name, administrator names, or other obvious words or phrases.
• Use numbers in place of letters, for example, passw0rd. l Administrator passwords can be up to 64 characters. l Include a mixture of letters, numbers, and upper and lower case. l Use multiple words together, or possibly even a sentence, for example keytothehighway. l Use a password generator.
• Change the password regularly and always make the new password unique and not a variation of the existing password, such as changing from password to password1.
• Make note of the password and store it in a safe place away from the management computer, in case you forget it or ensure that at least two people know the password in the event that one person becomes ill, is away on vacation, or leaves the company. Alternatively, have two different admin logins.

Downgrades will typically maintain the administrator password. If you need to downgrade to FortiOS 4.3, remove the password before the downgrade, then log in after the downgrade and re-configure the password.

Password policy

The FortiGate includes the ability to create a password policy for administrators and IPsec pre-shared keys. With this policy, you can enforce regular changes and specific criteria for a password including:

• minimum length between 8 and 64 characters.
• if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters. l if the password must contain numbers (1, 2, 3). l if the password must contain special or non-alphanumeric characters (!, @, #, $, %, ^, &, *, (, and )). l where the password applies (admin or IPsec or both). l the duration of the password before a new one must be specified.

To create a password policy – GUI

1. Go to System > Settings.
2. Configure Password Policy settings as required.
3. Click Apply.

If you add a password policy or change the requirements on an existing policy, the next time that administrator logs into the FortiGate, they are prompted to update their password to meet the new requirements before proceeding to log in.

Configuration backups

Once you successfully configure the FortiGate, it is extremely important that you backup the configuration. In some cases, you may need to reset the FortiGate to factory defaults or perform a TFTP upload of the firmware, which will erase the existing configuration. In these instances, the configuration on the device will have to be recreated, unless a backup can be used to restore it. You should also backup the local certificates, as the unique SSL inspection CA and server certificates that are generated by your FortiGate by default are not saved in a system backup.

We also recommend that you backup the configuration after any changes are made, to ensure you have the most current configuration available. Also, backup the configuration before any upgrades of the FortiGate’s firmware. Should anything happen to the configuration during the upgrade, you can easily restore the saved configuration.

Always backup the configuration and store it on the management computer or off-site. You have the option to save the configuration file to various locations including the local PC, USB key, FTP, and TFTP server. The last two are configurable through the CLI only.

If you have VDOMs, you can back up the configuration of the entire FortiGate or only a specific VDOM. Note that if you are using FortiManager or FortiCloud, full backups are performed and the option to backup individual VDOMs will not appear.

You can also backup and restore your configuration using Secure File Copy (SCP). See How to download/upload a FortiGate configuration file using secure file copy (SCP).

You enable SCP support using the following command:

config system global set admin-scp enable

end

For more information about this command and about SCP support, see config system global.

Backing up the configuration using the GUI

1. Click on admin in the upper right-hand corner of the screen and select Configuration > Backup.
2. Direct the backup to your Local PC or to a USB Disk.

The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can also backup to the FortiManager using the CLI.

3. If VDOMs are enabled, indicate whether the scope of the backup is for the entire FortiGate configuration (Global) or only a specific VDOM configuration (VDOM).
4. If backing up a VDOM configuration, select the VDOM name from the list.
5. Select Encryption.

Encryption must be enabled on the backup file to back up VPN certificates.

6. Enter a password and enter it again to confirm it. You will need this password to restore the file.
7. Select OK.
8. The web browser will prompt you for a location to save the configuration file. The configuration file will have a .conf extension.

Backing up the configuration using the CLI

Use one of the following commands:

execute backup config management-station <comment> or:

execute backup config usb <backup_filename> [<backup_password>]

or for FTP, note that port number, username are optional depending on the FTP site:

execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute backup config tftp <backup_filename> <tftp_servers> <password> Use the same commands to backup a VDOM configuration by first entering the commands:

config vdom edit <vdom_name>

Backup and restore the local certificates

This procedure exports a server (local) certificate and private key together as a password protected PKCS12 file. The export file is created through a customer-supplied TFTP server. Ensure that your TFTP server is running and accessible to the FortiGate before you enter the command.

To back up the local certificates:

Connect to the CLI and use the following command:

execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip> where:

l <cert_name> is the name of the server certificate. l <filename> is a name for the output file. l <tftp_ip> is the IP address assigned to the TFTP server host interface.

To restore the local certificates – GUI:

1. Move the output file from the TFTP server location to the management computer.
2. Go to System > Certificates and select Import.
3. Select the appropriate type of certificate from the dropdown menu and fill in any required fields.
4. Select Upload. Browse to the location on the management computer where the exported file has been saved, select the file and select Open.
5. If required, enter the Password needed to upload the exported file.
6. Select OK.

To restore the local certificates – CLI:

Connect to the CLI and use the following command:

execute vpn certificate local import tftp <filename> <tftp_ip>

Restoring a configuration

Should you need to restore a configuration file, use the following steps:

To restore the FortiGate configuration – GUI:

1. Click on admin in the upper right-hand corner of the screen and select Configuration > Restore.
2. Identify the source of the configuration file to be restored : your Local PC or a USB Disk.

The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can restore from the FortiManager using the CLI.

3. Enter the path and file name of the configuration file, or select Browse to locate the file.
4. Enter a password if required.
5. Select Restore.

To restore the FortiGate configuration – CLI:

execute restore config management-station normal 0 or:

execute restore config usb <filename> [<password>]

or for FTP, note that port number, username are optional depending on the FTP site:

execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]

or for TFTP:

execute restore config tftp <backup_filename> <tftp_server> <password>

The FortiGate will load the configuration file and restart. Once the restart has completed, verify that the configuration has been restored.

Troubleshooting

When restoring a configuration, errors may occur, but the solutions are usually straightforward.

Error message	Reason and Solution
Configuration file error	This error occurs when attempting to upload a configuration file that is incompatible with the device. This may be due to the configuration file being for a different model or being saved from a different version of firmware. Solution: Upload a configuration file that is for the correct model of FortiGate device and the correct version of the firmware.
Error message		Reason and Solution
Invalid password		When the configuration file is saved, it can be protected by a password. The password entered during the upload process is not matching the one associated with the configuration file. Solution: Use the correct password if the file is password protected.

Configuration revision

You can manage multiple versions of configuration files on models that have a 512MB flash memory and higher. Revision control requires either a configured central management server or the local hard drive, if your FortiGate has this feature. Typically, configuration backup to local drive is not available on lower-end models.

The central management server can either be a FortiManager unit or FortiCloud.

If central management is not configured on your FortiGate unit, a message appears instructing you to either:

l Enable central management, or l obtain a valid license.

When revision control is enabled on your FortiGate unit, and configuration backups have been made, a list of saved revisions of those backed-up configurations appears.

Configuration revisions are viewed by clicking on admin in the upper right-hand corner of the screen and selecting Configuration > Revisions.

Restore factory defaults

There may be a need to reset the FortiGate to its original defaults; for example, to begin with a fresh configuration. There are two options when restoring factory defaults. The first resets the entire device to the original out-of-the-box configuration.

You can reset using the CLI by entering the command:

execute factoryreset

When prompted, type y to confirm the reset.

Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM configuration. Use the following command: execute factoryreset2