Tag Archives: best practice fortinet

Networking

Networking

Internet-Service database (288672 281333 291858)

Go to Policy & Objects > Internet Service Database to view the Internet Service Database. The database contains detailed information about services available on the Internet such as DNS servers provided by Adobe, Google, Fortinet, Apple and so on and a wide range of other services. For each service the database includes the IP addresses of the servers that host the service as well as the port and protocol number used by each IP address.

 

Interfaces assigned to Virtual Wired Pairs don’t have “roles” (296519 )

Assigning an interface to be part of a virtual wire pairing will remove the “role” value from the interface.

 

FortiHeartBeat replaces FortiClient Access and other FortiClient interface settings (299371)

To configure an interface to listen for connections from devices with FortiClient installed, enable FortiHeartBeat

Administrative Access. FortiHeartBeat was called FCT-Access or FortiClient Access in FortiOS 5.2.

After enabling FortiHeartBeat, under Admission Control you can select Enforce FortiHeartBeat for all FortiClients to require clients to have FortiClient installed to be able to get access through the FortiGate. If you enable this feature you should also go to Security Profiles > FortiClient Profiles and configure FortiClient Profiles. Then you should add the configured FortiClient Profiles to firewall policies with device detection.

Use the following CLI command to enable FortiHeartBeat on an interface and enable enforcing FortiHeartBeat for all FortiClients:

config system interface edit port1

set listen-forticlient-connection enable set endpoint-compliance enable

end

After enabling FortiHeartBeat, you can also enable DHCP server and turn on FortiClient On-Net Status to display the on-net status of FortiClient devices on the FortiClient Monitor (go to Monitor > FortiClient Monitor).

 

Use the following CLI command to enable FortiClient on-net status for a DHCP server added to the port1 interface:

config system dhcp server edit 1

set interface port1

set forticlient-on-net-status enable end

 

STP (Spanning Tree Protocol) support for models with hardware switches (214901 291953)

STP used to be only available on the old style switch mode for the internal ports. It is now possible to activate STP on the hardware switches found in the newer models. These models use a virtual switch to simulate the old Switch Mode for the Internal ports.

The syntax for enabling STP is as follows:

config system interface edit lan

set stp [enable | disable]

end

 

Command to determine interface transceiver optical signal strength (205138 282307)

The ew get system interface transceiver command can be used to determine optical signal strength when using SFP/SFP+ modules. The command can be used for trouble shooting fiber optic connections to

service providers. This command is hardware dependent and currently supported by FortiGate models that include various SPF/SFP+ interfaces including the FortiGate-100D/200D- POE/400D/500D/900D/1000D/1200D/1500D/3700D/3700DX) models.

Managing a FortiSwitch with FortiGate

Managing a FortiSwitch with FortiGate

Unless otherwise stated, these features require FortiSwitchOS 3.3.0 or later release on the FortiSwitch. The following FortiGate models can be used to manage FortiSwitches:

FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE, FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE,

FGT-100D, FGT-140D, FGT-140D_POE, FGT-140D_POE_T1, FGT-200D, FGT-240D, FGT-280D, FGT-280D_POE,

FGT-600C, FGT-800C, FGT-1000C, FGT-1200D, FGT-1500D, FGT-3700D

 

New FortiLink topology diagram (289005 271675 277441)

For managed FortiSwitches (WIFI & Switch Controller > Managed FortiSwitch), the system now displays the overall topology of the managed FortiSwitches that are connected to this FortiGate.

The topology lists the FortiLink ports on the FortiGate, and displays a full faceplate for each connected FortiSwitch (also showing the FortiLink ports on each FortiSwitch). You can right-click to authorize a managed FortiSwitch or left-click to edit the managed FortiSwitch information.

The topology can displays multiple FortiLinks to each FortiSwitch, as FortiOS 5.4 provides support for FortiLink as a LAG.

 

New interface option to auto-authorize extension devices 294966

If you enable the auto-authorize option on a FortiGate FortiLink port, the FortiGate will automatically authorize the managed FortiSwitch connected to this FortiLink. The new option is only visible when the interface type is set to Dedicate to Extension Device.

 

New CLI setting to enable pre-standard PoE detection on managed FortiSwitch ports 293512

This feature is available in FortiSwitchOS 3.3.2 and later releases.

Use the following commands to enable this setting on a managed FortiSwitch port:

config switch-controller managed-switch edit $FSW

config ports edit “port1”

set poe-pre-standard-detection enable/disable (the default is disable)

next end

end

Reset any POE port (by toggling the power OFF and then ON):

execute switch-controller poe-reset <fortiswitch-id> <port>

Display general POE status:

get switch-controller <fortiswitch-id> <port>

Configuring Profiles

Configuring profiles

The Profile menu lets you configure many types of profiles. These are a collection of settings for antispam, antivirus, authentication, or other features.

After creating and configuring a profile, you can apply it either directly in a policy, or indirectly by inclusion in another profile that is selected in a policy. Policies apply each selected profile to all email messages and SMTP connections that the policy governs.

Creating multiple profiles for each type of policy lets you customize your email service by applying different profiles to policies that govern different SMTP connections or email users. For instance, if you are an Internet service provider (ISP), you might want to create and apply antivirus profiles only to policies governing email users who pay you to provide antivirus protection.

This section includes:

  • Configuring session profiles
  • Configuring antispam profiles and antispam action profiles
  • Configuring antivirus profiles and antivirus action profiles
  • Configuring content profiles and content action profiles
  • Configuring resource profiles (server mode only)
  • Configuring authentication profiles
  • Configuring LDAP profiles
  • Configuring dictionary profiles
  • Configuring security profiles
  • Configuring IP pools
  • Configuring email and IP groups
  • Configuring notification profiles

Configuring session profiles

Session profiles focus on the connection and envelope portion of the SMTP session. This is in contrast to other types of profiles that focus on the message header, body, or attachments.

To access this part of the web UI, your administrator account’s access profile must have Read or Read-Write permission to the Policy category. For details, see “About administrator account permissions and domains” on page 290.

To configure session profiles

  1. Go to Profile > Session > Session.
  2. Click New to add a profile or double-click a profile to modify it.

A multisection page appears.

Figure 193:Session Profile dialog

  1. For a new session profile, type the name in Profile name.
  2. Configure the following sections as needed:
  • “Configuring connection settings” on page 483
  • “Configuring sender reputation options” on page 485
  • “Configuring endpoint reputation options” on page 487
  • “Configuring sender validation options” on page 488
  • “Configuring session settings” on page 490
  • “Configuring unauthenticated session settings” on page 493
  • “Configuring SMTP limit options” on page 496
  • “Configuring error handling options” on page 497
  • “Configuring header manipulation options” on page 498
  • “Configuring list options” on page 499
  • Configuring advanced MTA control settings