Chapter 3 – Advanced Routing

This chapter describes advanced static routing concepts and how to implement dynamic routing on FortiGate units.

This FortiOS Handbook chapter contains the following sections:

Advanced Static Routing explains universal and static routing concepts, equal cost multipath (ECMP) and load balancing, policy routing, and routing in transparent mode.

Dynamic Routing Overview provides an overview of dynamic routing, compares static and dynamic routing, and helps you decide which dynamic routing protocol is best for you.

Routing Information Protocol (RIP) describes a distance-vector routing protocol intended for small, relatively homogeneous networks.

Border Gateway Protocol (BGP) describes classless inter-domain routing, and aggregate routes. BGP is the only routing protocol to use TCP for a transport protocol.

Open Shortest Path First (OSPF) provides background on the specific protocol explaining terms used and how the protocol works, as well as providing some troubleshooting information and examples on configuring the protocols in different situations.

Intermediate System to Intermediate System Protocol (IS-IS) describes this link-state protocol, which is well-suited to smaller networks and has near-universal support on routing hardware. The section also provides troubleshooting information and configuration examples.

Chapter 2 – Getting Started

  • Installation discusses installing a FortiGate in your network.
  • Using the GUI describes how to use the graphical user interface (GUI).
  • A Guide to Using the Entry Level Models introduces you to FortiGate models 30-90, also known as the Entry Level models.
  • Basic Administration explains basic tasks that should be done to set-up a new FortiGate.
  • Resources lists resources available to help you with more advanced FortiGate configurations.

Differences between Models

There are two key differences between FortiGate models that you should be aware of.

Features

Certain features are not available on all models. Additionally, a particular feature may be available only through the CLI on some models, while that same feature may be viewed in the GUI on other models.

If you believe your FortiGate model supports a feature that does not appear in the GUI, go to System > Feature Select and confirm that the feature is turned on. For more information, see Feature Select. For more information about features that vary by model, see the Feature/Platform Matrix.

Names

Naming conventions may vary between FortiGate models. For example, on some models the hardware switch interface used for the local area network is called lan, while on other units it is called internal.

Installation

This section discusses how to install your FortiGate and use it in your network after completing the initial set-up outlined in the FortiGate model’s QuickStart Guide. The section also provides troubleshooting tips.

The following topics are included in this section:

  • NAT/Route Mode vs. Transparent Mode
  • Setup Wizard
  • Installing a FortiGate in NAT/Route mode
  • Using a Virtual Wire Pair
  • Troubleshooting your FortiGate Installation

NAT/Route Mode vs. Transparent Mode

A FortiGate can operate in one of two modes: NAT/Route or Transparent.

NAT/Route mode is the most common operating mode. In this mode, a FortiGate is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT). NAT/Route mode is also used when two or more Internet service providers (ISPs) will be used to provide the FortiGate with redundant Internet connections.

A FortiGate in Transparent mode is installed between the internal network and the router. In this mode, the FortiGate does not make any changes to IP addresses and only applies security scanning to traffic. When a FortiGate is added to a network in Transparent mode, no network changes are required, except to provide the FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical.

For more information about Transparent Mode, see the Transparent Mode handbook available at the Fortinet Document Library.

Setup Wizard

The Setup Wizard helps you quickly configure your FortiGate to allow Internet access and remote access. The wizard can be launched from the GUI by selecting the Setup Wizard button, located in the top right corner. You can also reach the Setup Wizard through FortiExplorer for either Windows or Mac OS. FortiExplorer can be downloaded at www.fortinet.com.

Using the Setup Wizard

The Setup Wizard is intended to be used for initial setup. If it is used on a previously configured FortiGate, it replaces parts of the configuration, including existing firewall policies.

1. Connect to the FortiGate using FortiExplorer. It is recommended to view FortiExplorer in fullscreen mode because some options may not be visible otherwise.

2. Select your FortiGate, then select Setup Wizard.

3. Login using an admin account (the default admin account has the username admin and no password).

4. Select Change Password to set a new password for the admin account. Select Next.

5. Select the appropriate time zone. Select Next.

6. Fill in the appropriate information about your Internet WAN Connection. Select Next.

7. Enter an IP Address and Netmask for your LAN. If necessary, enable DHCP and select a Start and End Address. Select Next.

8. Select the schedule for when Internet access should be allowed. Select Next.

9. Select the appropriate options for your Internet Access Policy, including NAT options and Unified Threat Management. Select Next.

10. If necessary, configure options to allow Remote VPN Access using either an SSL VPN or an IPsec VPN. Select Next.

11. A summary screen will appear. If the configuration shown is correct, select Configure.

12. (Optional) If you wish to activate a FortiCloud account, select Next and enter your information (for more information about FortiCloud, see the FortiCloud FAQ). Otherwise, select Done.

Results

Your configuration has now been set up on the FortiGate, allowing users on the LAN to have Internet access.

WiFi

Automatic all-SSID selection in FortiAP Profile (219347)

The SSID field in FortiAP Profiles now includes the option Automatically assign Tunnel-mode SSIDs. This eliminates the need to re-edit the profile when new SSIDs are created. You can still select SSIDs individually using the Select SSIDs option.

Automatic assignment of SSIDs is not available for FortiAPs in Local Bridge mode. The option is hidden on both the Managed FortiAP settings and the FortiAP Profile assigned to that AP.

Improved override of FortiAP settings (219347 264010 264897)

The configuration settings of a FortiAP in WiFi Controller > Managed FortiAPs can override selected settings in the FortiAP Profile:

  • Band and/or Channel
  • Transmitter Power
  • SSIDs
  • LAN Port mode

Note that a Band override also overrides Channel selections.

In the CLI, you can also override FortiAP LED state, WAN port mode, IP Fragmentation prevention method, spectrum analysis, and split tunneling settings.

Spectrum Analysis removed from FortiAP Profile GUI

Spectrum Analysis is no longer available in FortiAP Profiles in the GUI. It can be enabled in the CLI if needed.

Disable low data rates in 802.11a, g, n, ac (297821)

To reduce air-time usage on your WiFi network, you can disable the use of low data rates, which cause communications to consume more air time.

The 802.11a, b, and g protocols are specified by data rate. 802.11a can support 6, 9, 12, 18, 24, 36, 48, and 54 Mb/s. 802.11b/g can support 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, and 54 Mb/s. Basic rates are specified with the suffix “basic”, for example “12-basic”. The capabilities of expected client devices need to be considered when deciding the lowest Basic rate.

The 802.11n and ac protocols are specified by MCS (Modulation and Coding Scheme) index and the number of spatial streams.

  • 802.11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/2, mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
  • 802.11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.
  • 802.11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
  • 802.11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4.

Here are some examples of setting basic and supported rates.

config wireless-controller vap
    edit <vap_name>
        set rates-11a 12-basic 18 24 36 48 54
        set rates-11bg 12-basic 18 24 36 48 54
        set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4
        set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3
    end
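The following is an added example (not Fortinet code) that builds the legacy rate values from a chosen lowest basic rate and checks rates-11n/rates-11ac values against the MCS lists above before rendering the vap block; the rates-11n-ss12 and rates-11ac-ss12 keys are assumed by analogy with the -ss34 keys shown on this page.

```python
"""Builder and validator for the 'set rates-*' values shown above.

Added example, not Fortinet code. The allowed rate and MCS sets are taken from
the rate lists on this page; the -ss12 keys are assumed by analogy with the
-ss34 keys. The functions only produce and check text; nothing is sent to a FortiGate.
"""

# Legacy rates in Mb/s, in the order the handbook lists them.
LEGACY = {
    "rates-11a": ["6", "9", "12", "18", "24", "36", "48", "54"],
    "rates-11bg": ["1", "2", "5.5", "6", "9", "12", "18", "24", "36", "48", "54"],
}

def _mcs(indexes, streams):
    return {f"mcs{i}/{s}" for i in indexes for s in streams}

# MCS index / spatial-stream pairs permitted for each key (from the lists above).
MCS = {
    "rates-11n-ss12": _mcs(range(0, 8), [1]) | _mcs(range(8, 16), [2]),
    "rates-11n-ss34": _mcs(range(16, 24), [3]) | _mcs(range(24, 32), [4]),
    "rates-11ac-ss12": _mcs(range(0, 10), [1, 2]),
    "rates-11ac-ss34": _mcs(range(0, 10), [3, 4]),
}

def legacy_rates(key, lowest_basic):
    """Value for 'set rates-11a' or 'set rates-11bg': every rate at or above
    lowest_basic, with the lowest one carrying the '-basic' suffix, so clients
    that cannot reach it are not admitted at slow, air-time-hungry rates."""
    table = LEGACY[key]
    if lowest_basic not in table:
        raise ValueError(f"{lowest_basic} is not a valid {key} rate")
    kept = [r for r in table if float(r) >= float(lowest_basic)]
    return " ".join([kept[0] + "-basic"] + kept[1:])

def invalid_mcs(key, value):
    """Return the tokens in value that are not permitted for the given key,
    e.g. an 802.11n index under an 802.11ac key, or a stream count that
    does not belong to that key."""
    return [tok for tok in value.split() if tok not in MCS[key]]

def render_vap(vap_name, settings):
    """Emit the 'config wireless-controller vap' block for key -> value pairs,
    refusing to render an MCS value the validator rejects."""
    lines = ["config wireless-controller vap", f"    edit {vap_name}"]
    for key, value in settings.items():
        if key in MCS and invalid_mcs(key, value):
            raise ValueError(f"{key}: invalid entries {invalid_mcs(key, value)}")
        lines.append(f"        set {key} {value}")
    lines += ["    next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_vap("corp-ssid", {
        "rates-11a": legacy_rates("rates-11a", "12"),
        "rates-11bg": legacy_rates("rates-11bg", "12"),
        "rates-11ac-ss34": "mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3",
    }))
```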

WiFi and Switch controllers are enabled separately (275860)

In the Feature Store (System > Features), the WiFi Controller and Switch Controller are now separate. However, the Switch Controller must be enabled in order for the WiFi Controller to be visible.

In the CLI, the settings that enable the WiFi and Switch controllers have been separated:

config system global
    set wireless-controller enable
    set switch-controller enable
end

The settings that enable the GUI display for those controllers have also been separated:

config system settings
    set gui-wireless-controller enable
    set gui-switch-controller enable
end

Add Support of LLDP protocol on FortiAP to send switch and port information (283107)

You can enable LLDP protocol in the FortiAP Profile. Each FortiAP using that profile can then send back information about the switch and port that it is connected to. This information is visible in the optional LLDP column of the Managed FortiAP list. To enable LLDP:

config wireless-controller wtp-profile
    edit <profile-name>
        set lldp enable
    end

WTP groups (278462)

You can define FortiAP Groups. Each group can contain FortiAPs of a single platform (model). These groups can be used in VLAN pooling to assign APs to particular VLANs. Create a FortiAP Group in the CLI like this:

config wireless-controller wtp-group
    edit 1
        set platform-type 320C
        config wtp-list
            edit FP320C3X14010828
            next
            edit FP320C3X14010830
        end
    end

The platform-type field is optional. If it is left empty, the group can contain FortiAPs of any model.

VLAN pooling (278462)

In an SSID, you can define a VLAN pool. As clients associate to an AP, they are assigned to a VLAN. A VLAN pool can:

  • assign a specific VLAN based on the AP’s FortiAP Group, usually for network configuration reasons, or
  • assign one of several available VLANs for network load balancing purposes (tunnel mode SSIDs only).

WAN Optimization

Toggle Disk Usage for logging or wan-opt (290892)

Both logging and WAN Optimization use hard disk space to save data. For FortiOS 5.4 you cannot use the same hard disk for WAN Optimization and logging.

  • If the FortiGate has one hard disk, then it can be used for either disk logging or WAN optimization, but not both. By default, the hard disk is used for disk logging.
  • If the FortiGate has two hard disks, then one disk is always used for disk logging and the other disk is always used for WAN optimization.

On the FortiGate, go to System > Advanced > Disk Settings to switch between Local Log and WAN Optimization.

You can also change disk usage from the CLI using the following command:

config system global
    set disk-usage {log | wanopt}
end

The Toggle Disk Usage feature is supported on all new “E” Series models, while support for “D” Series models may vary. Please refer to the Feature Platform Matrix for more information.

Changing the disk setting formats the disk, erases current data stored on the disk and disables either disk logging or WAN Optimization.

You can configure WAN Optimization from the CLI or the GUI. To configure WAN Optimization from the GUI you must go to System > Feature Select and turn on WAN Optimization.

Remote logging (including logging to FortiAnalyzer and remote Syslog servers) is not affected by using the single local hard disk for WAN Optimization.

VDOMs

Stackable VDOM licenses (269153)

Using this feature you can purchase VDOM licenses for your FortiGate in multiples of 5 and increase the number of VDOM licenses that your FortiGate has incrementally over time. For example, you could add a 5 VDOM license to a 25 VDOM license and your FortiGate would now support up to 30 VDOMs. In the future you could add another 5 (or 10 or more).

For previous versions of FortiOS if you had a 25 VDOM license and wanted to increase the number of VDOMs you would have to purchase a 50 VDOM license, resulting in a total of 50 VDOMs.

This stackable VDOM licenses feature is backwards compatible with VDOM licenses purchased for older versions of FortiOS. For example, if you purchased a 25-VDOM license for your FortiGate running FortiOS 5.2.x, when you upgrade to FortiOS 5.4.x you can purchase 5 more VDOM licenses so that your FortiGate running FortiOS 5.4.x now supports up to 30 VDOMs.

Support execution of global CLI commands from within VDOMs (262848)

A new CLI command, sudo, allows the running of global commands from within the VDOM context of the CLI. This means that the user no longer has to:

1. exit from the VDOM

2. enter global

3. run the command

4. return to the previous VDOM

The syntax for the command is:

sudo {global | vdom-name} {diagnose | execute | show | get}

These commands will only work if the user already has permission to run the command. Unlike the sudo command in some other operating systems such as Linux, this command does not allow the user to run programs with the privileges of another user.

GUI features can now be enabled and disabled per VDOM (263708 273799 266028)

When VDOMs are enabled, most of the items in the Features section of the menu are moved to a similar menu section within the VDOM menu and are now customizable on a per VDOM basis. Some items such as IPv6 and Certificates are still configured on a global basis.

From the GUI, you can enable or disable GUI features from System > Feature Select.

From the CLI, GUI items that are enabled or disabled per-VDOM are configured from the config system settings command. GUI items that are enabled globally are enabled or disabled from the config system global command.

Turning these features on or off does not enable or disable the feature but determines whether or not that option is

Custom Original Videos Coming Soon!

So I have my rig setup with OBS (Open Broadcasting Software) and a camera now which should enable me to start making videos that will enable me to pump out some original content for you guys. I am pretty excited about this. I will be doing videos on various versions of FortiOS code as well as covering various tasks.

My goal is to create five videos a week that will provide some insight, guidance, or perhaps just general tips for Fortinet users out there.

I am also pretty tempted to start a podcast if people would be willing to listen. Yeah yeah, I’m from the south so I talk a little lower. Perhaps you guys would enjoy laughing at me while I do the show!

System Advancements

System

New role property on interfaces (294385)

Interfaces now have a property called ‘role’ which affects visibility and suggests different default options depending on its value.

  • WAN – this interface is used to connect to the internet.
  • LAN – this interface is used to connect to local network of endpoints.
  • DMZ – this interface is used to connect to servers.
  • Undefined – This interface has a custom role which isn’t one of the above.

Interface roles affect visibility of properties and features (295736)

Depending on an interface’s role, some properties may be set to a default value and the visibility of others may be set to show or hide in the GUI.

Toggle automatic authorization of extension devices (294966)

When an interface is configured to be dedicated to an extension device, a new option appears to auto-authorize extension devices.

Support for new modem added (293598)

Support for the Linktop LW273 modem has been added.

SSL VPN

Significant SSL VPN web portal improvements (287328, 292726, 299319)

Significant updates and improvements have been made to the SSL VPN web portal in preparation for future browser updates, and in order to support all browsers:

  • SSL VPN web portal redesigned.
  • SSL VPN tunnel mode widget no longer works in the web portal. The tunnel mode widget used a deprecated NPAPI plugin mechanism to send the tunnel client to the browser for local system execution—this is a popular exploitation vector. FortiClient is now required for tunnel mode SSL VPN.
  • SSL VPN Web mode RDP Native java applet removed.
  • Removed unnecessary options from RDP bookmark and changed to HTML5 RDP.
  • Cache cleaning function has been removed.

Implement post-authentication CSRF protection in SSL VPN web mode (287180)

This attribute enables or disables verification of the Referer field in the HTTP request header in order to prevent a Cross-Site Request Forgery attack.

Syntax:

config vpn ssl settings
    set check-referer [enable|disable]
end
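To show what a Referer check of this kind has to get right, here is an added example (not FortiOS code) that contrasts a naive substring match with a parsed-origin comparison over a few constructed requests; the portal host vpn.example.com and the sample headers are assumptions.

```python
"""Referer-based CSRF check of the kind the check-referer setting turns on.

Added example, not FortiOS code: it models the decision a web portal can make,
after authentication, from the Referer header of a state-changing request.
The portal host vpn.example.com and the sample requests are constructed.
"""
from urllib.parse import urlsplit

def naive_referer_check(headers, portal_host):
    """Substring match: what a hurried implementation does. It accepts any
    Referer that merely contains the portal name, so it is not a CSRF defence."""
    return portal_host in headers.get("referer", "")

def referer_allowed(headers, portal_host, portal_port=443):
    """Accept only a Referer whose parsed origin (scheme, host, port) is this
    portal. A missing, unparsable, non-HTTPS or foreign-origin Referer is
    rejected, which is what makes a forged cross-site POST fail even though
    the browser still attaches the SSL VPN session cookie."""
    referer = headers.get("referer")
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
        port = parts.port or 443          # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    return parts.hostname.lower() == portal_host.lower() and port == portal_port

# Constructed sample requests: (description, headers) against one portal.
SAMPLES = [
    ("same-origin form post", {"referer": "https://vpn.example.com/remote/portal"}),
    ("no referer (cross-site or privacy-stripped)", {}),
    ("lookalike subdomain", {"referer": "https://vpn.example.com.attacker.test/"}),
    ("portal name in userinfo", {"referer": "https://vpn.example.com@attacker.test/"}),
    ("portal name in query", {"referer": "https://attacker.test/?u=https://vpn.example.com/"}),
    ("plaintext http", {"referer": "http://vpn.example.com/remote/portal"}),
]

def evaluate(samples=SAMPLES, portal_host="vpn.example.com"):
    """Return {description: (naive_result, strict_result)} for the samples."""
    return {d: (naive_referer_check(h, portal_host), referer_allowed(h, portal_host))
            for d, h in samples}

if __name__ == "__main__":
    for desc, (naive, strict) in evaluate().items():
        print(f"{desc:45} naive={naive!s:5} strict={strict}")
```

Rejecting an absent Referer is the safe default, but it also blocks clients whose browser or proxy strips the header, which is worth knowing before enabling the check on a portal with such users.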