
Logging – FortiAuthenticator 4.0

Logging

Accounting is an important part of FortiAuthenticator. The Logging menu tree provides a record of the events that have taken place on the FortiAuthenticator unit.

Log access

To view the log events table, go to Logging > Log Access > Logs.

The following options and information are available:

Refresh Refresh the log list.
Download Raw Log Export the FortiAuthenticator log to your computer as a text file named fac.log.
Log Type Reference Select to view the log type reference dialog box. See Log type reference on page 155.
Debug Report Select to download the debug report to your computer as a file named report.dbg.
Search Enter a search term in the search field, then select Search to search the log message list.

The search string must appear in the Message portion of the log entry to result in a match. To prevent each term in a phrase from being matched separately, multiple keywords must be in quotes and be an exact match. After the search is complete the number of positive matches will be displayed next to the Search button, with the total number of log entries in brackets following. Select the total number of log entries to return to the full list. Subsequent searches will search all the log entries, and not just the previous search’s results.

ID The log message’s ID.
Timestamp The time the message was received.


Level The log severity level:

  • Emergency: The system has become unstable.
  • Alert: Immediate action is required.
  • Critical: Functionality is affected.
  • Error: An erroneous condition exists, and functionality is probably affected.
  • Warning: Functionality could be affected.
  • Notification: Information about normal events.
  • Information: General information about system operations.
  • Debug: Detailed information useful for debugging purposes.

Category The log category, which is always Event. See Log type reference on page 155.
Sub category The log subcategory. See Log type reference on page 155.
Type id The log type ID.
Action The action which created the log message, if applicable.
Status The status of the action that created the log message, if applicable.
NAS name/IP The NAS name or IP address of the relevant device if an authentication action fails.
Short message The log message itself, sometimes slightly shortened.
User The user to whom the log message pertains.
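The search rule above (each unquoted keyword is matched on its own against the Message field, a quoted phrase must match exactly, and the result is shown as "matches (total)") is easy to get wrong when scripting against an exported fac.log. The following is an added example, not Fortinet code: the tab-separated record layout, the sample records, the assumption that every unquoted term must appear (AND) and case-insensitive matching are all assumptions, since the page only lists the table columns, not the raw file format.

```python
"""Search over FortiAuthenticator-style log records (added example).

The record layout is a constructed stand-in using the columns of the log
table (ID, Timestamp, Level, Category, Sub category, Type id, Action,
Status, NAS name/IP, Short message, User). Search semantics follow the
guide: unquoted keywords match the Message field one at a time, a quoted
phrase must appear exactly, and the result is reported as "matches (total)".
AND-combination of terms and case-insensitive matching are assumptions.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Severity levels in the order the guide lists them, most severe first.
LEVELS = ["Emergency", "Alert", "Critical", "Error",
          "Warning", "Notification", "Information", "Debug"]


@dataclass
class LogEntry:
    id: int
    timestamp: str
    level: str
    category: str       # always "Event" on FortiAuthenticator
    subcategory: str
    type_id: int
    action: str
    status: str
    nas: str            # NAS name/IP, only present for failed authentications
    message: str
    user: str


# Constructed sample records, tab-separated, one per line (not real output).
SAMPLE_LOG = (
    "1\t2015-03-02 10:01:05\tInformation\tEvent\tAuthentication\t20000"
    "\tLogin\tSuccess\t\tLocal user login successful\talice\n"
    "2\t2015-03-02 10:02:11\tWarning\tEvent\tAuthentication\t20001"
    "\tLogin\tFailed\t192.0.2.10\tAuthentication failed: invalid password\tbob\n"
    "3\t2015-03-02 10:03:40\tNotification\tEvent\tAdmin Configuration\t30002"
    "\tEdit\tSuccess\t\tAdmin changed syslog server configuration\tadmin\n"
    "4\t2015-03-02 10:04:02\tError\tEvent\tSystem\t40010"
    "\t\t\t\tRemote backup failed: FTP server unreachable\t\n"
)


def parse_log(text: str) -> list[LogEntry]:
    """Parse the constructed tab-separated layout into LogEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        if len(f) != 11:
            raise ValueError(f"expected 11 fields, got {len(f)}: {line!r}")
        if f[2] not in LEVELS:
            raise ValueError(f"unknown level {f[2]!r} in record {f[0]}")
        entries.append(LogEntry(int(f[0]), f[1], f[2], f[3], f[4], int(f[5]),
                                f[6], f[7], f[8], f[9], f[10]))
    return entries


def search(entries: list[LogEntry], query: str) -> tuple[list[LogEntry], int]:
    """Return (matching entries, total entry count).

    shlex.split keeps a double-quoted phrase together as one term, so
    '"FTP failed"' must match as a phrase, while 'FTP failed' matches each
    word separately.
    """
    terms = [t.lower() for t in shlex.split(query)]
    hits = [e for e in entries
            if all(t in e.message.lower() for t in terms)]
    return hits, len(entries)


def format_result(hits: list[LogEntry], total: int) -> str:
    """Mimic the counter shown next to the Search button: matches (total)."""
    return f"{len(hits)} ({total})"


def at_least(entries: list[LogEntry], level: str) -> list[LogEntry]:
    """Entries at the given severity or more severe (lower index in LEVELS)."""
    cutoff = LEVELS.index(level)
    return [e for e in entries if LEVELS.index(e.level) <= cutoff]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for q in ("failed", "FTP failed", '"FTP failed"', "Login"):
        hits, total = search(entries, q)
        print(f"{q!r}: {format_result(hits, total)} -> ids {[e.id for e in hits]}")
```

Running the block shows the difference the quotes make: "FTP failed" unquoted matches record 4 because both words occur somewhere in its message, while the quoted phrase matches nothing, exactly as the guide describes.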

To view log details:

From the log list, select the log whose details you need to view by clicking anywhere within the log’s row. The Log Details pane will open on the right side of the window.

After viewing the log details, select the close icon in the top right corner of the pane to close the details pane.

Log type reference

Select Log Type Reference in the log list toolbar to open the log type reference dialog box.

The following information and options are available:

Search Enter a search term in the search field, then select Search to search the log type reference.
Type id The log type ID.
Name The name of the log type.



Sub category The log type subcategory, one of: Admin Configuration, Authentication, System, High Availability, UserPortal, or Web Service.
Category The log type category, which is always Event.
Description A brief description of the log type.

To close the Log Type Reference dialog box, select close above the top right corner of the box, or simply click anywhere outside of the box within the log list.


Sort the log messages

The log message table can be sorted by any column. To sort the log entries by a particular column, select the title for that column. The log entries will now be displayed based on data in that column in ascending order. Select the column heading again to sort the entries in descending order. Ascending or descending is displayed with an arrow next to the column title, an up arrow for ascending and down arrow for descending.

Log configuration

Logs can be remotely backed up to an FTP server, automatically deleted, and sent to a remote syslog server in lieu of storing them locally.

Log settings

To configure log backups, automatic deletion, and remote storage, go to Logging > Log Config > Log Setting.

To configure log backups:

  1. In the log settings window, select Enable remote backup in the Log Backup section.
  2. Select the frequency of the backups in the Frequency field as either Daily, Weekly, or Monthly.
  3. Configure the time of day that the backup will occur in one of the following ways:

  • Enter a time in the Time field.
  • Select Now to enter the current time.
  • Select the clock icon and choose a time from the pop-up menu: Now, Midnight, 6 a.m., or Noon.

  4. Select an FTP server from the drop-down list in the FTP server field. For information on configuring an FTP server, see FTP servers on page 44.
  5. Select OK to save your settings.

To configure automatic log deletion:

  1. In the log settings window, select Enable log auto-deletion in the Log Auto-Deletion section.
  2. In the Auto-delete logs older than field, select day(s), week(s), or month(s) from the drop-down list, then enter the number of days, weeks, or months after which a log will be deleted.
  3. Select OK to save your settings.



To configure logging to a remote syslog server:

  1. In the log settings window, select Send logs to remote Syslog servers in the Remote Syslog section.
  2. Move the syslog servers to which the logs will be sent from the Available syslog servers box to the Chosen syslog servers box. For information on adding syslog servers, see Syslog servers on page 158.
  3. Select OK to save your settings.

Syslog servers

Syslog servers can be used to store remote logs. To view the syslog server list, go to Logging > Log Config > Syslog Servers.

Create New Add a new syslog server.
Delete Delete the selected syslog server or servers.
Edit Edit the selected syslog server.
Name The syslog server name on the FortiAuthenticator unit.
Server name/IP The server name or IP address, and port number.

To add a syslog server:

  1. From the syslog servers list, select Create New. The Create New Syslog Server window opens.
  2. Enter the following information:
Name Enter a name for the syslog server on the FortiAuthenticator unit.
Server name/IP Enter the syslog server name or IP address.
Port Enter the syslog server port number. The default port is 514.
Level Select a log level to store on the remote server from the drop-down list. See Level on page 155.
Facility Select a facility from the drop-down list.
  3. Select OK to add the syslog server.

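The Level and Facility fields of a syslog server entry map directly onto the syslog PRI value, because the eight FortiAuthenticator severity levels are the eight RFC 3164 severities in the same order (Emergency is 0, Debug is 7). The block below is an added example, not Fortinet code: it filters constructed sample events at a configured minimum level, computes PRI as facility * 8 + severity, and formats a BSD-style datagram for UDP port 514. The host name "fac-1", the sample events and the exact datagram layout are assumptions.

```python
"""Forwarding FortiAuthenticator-style events to a remote syslog server
(added example, not Fortinet code).

The guide's severity levels are exactly the RFC 3164 severities, so the
remote server's Level setting is a severity threshold and Facility selects
the facility code in the PRI. Sample events and host name are constructed.
"""
from __future__ import annotations

import socket
from datetime import datetime

SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
            "Warning": 4, "Notification": 5, "Information": 6, "Debug": 7}

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
            "authpriv": 10, "ftp": 11,
            **{f"local{i}": 16 + i for i in range(8)}}

# Constructed sample events: (timestamp, level, message).
SAMPLE_EVENTS = [
    ("2015-03-02 10:01:05", "Information", "Local user login successful"),
    ("2015-03-02 10:02:11", "Warning", "Authentication failed: invalid password"),
    ("2015-03-02 10:03:40", "Debug", "RADIUS packet dump follows"),
    ("2015-03-02 10:04:02", "Error", "Remote backup failed: FTP server unreachable"),
]


def pri(facility: str, level: str) -> int:
    """RFC 3164 PRI value: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[level]


def bsd_timestamp(ts: str) -> str:
    """'2015-03-02 10:02:11' -> 'Mar  2 10:02:11' (day of month space-padded)."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"


def to_datagram(event: tuple[str, str, str], facility: str,
                hostname: str = "fac-1") -> str:
    """Build one BSD-syslog line: <PRI>TIMESTAMP HOSTNAME MSG."""
    ts, level, msg = event
    return f"<{pri(facility, level)}>{bsd_timestamp(ts)} {hostname} {msg}"


def select(events, min_level: str):
    """Keep events at min_level or more severe, like the server's Level setting."""
    threshold = SEVERITY[min_level]
    return [e for e in events if SEVERITY[e[1]] <= threshold]


def forward(events, min_level: str, facility: str, sender=None) -> list[str]:
    """Build datagrams for the selected events and hand each to sender()."""
    datagrams = [to_datagram(e, facility) for e in select(events, min_level)]
    if sender is not None:
        for d in datagrams:
            sender(d)
    return datagrams


def udp_sender(host: str, port: int = 514):
    """Return a function that sends one datagram over UDP (default port 514)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda text: sock.sendto(text.encode("utf-8"), (host, port))


if __name__ == "__main__":
    for d in forward(SAMPLE_EVENTS, "Warning", "local0"):
        print(d)
    # To transmit for real (host is a constructed placeholder):
    # forward(SAMPLE_EVENTS, "Warning", "local0", udp_sender("192.0.2.50"))
```

With the level set to Warning only the Warning and Error events leave the box; the Information and Debug events are dropped before any datagram is built, which is the behaviour to expect from the Level setting when the remote collector seems to be "missing" events.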

RADIUS Single Sign On – FortiAuthenticator 4.0

RADIUS Single Sign-On

A FortiGate or FortiMail unit can transparently identify users who have already authenticated on an external RADIUS server by parsing RADIUS accounting records. However, this approach has potential difficulties:

  • The RADIUS server is business-critical IT infrastructure, limiting the changes that can be made to the server configuration.
  • In some cases, the server can send accounting records only to a single endpoint. Some network topologies may require multiple endpoints.

The FortiAuthenticator RADIUS Accounting Proxy overcomes these limitations by proxying the RADIUS accounting records, modifying them, and replicating them to the multiple subscribing endpoints as needed.

RADIUS accounting proxy

The FortiAuthenticator receives RADIUS accounting packets from a carrier RADIUS server, transforms them, and then forwards them to multiple FortiGate or FortiMail devices for use in RADIUS Single Sign-On. This differs from the packet use of RADIUS accounting (RADIUS accounting on page 115).

The accounting proxy needs to know:

  • Rule sets to define or derive the RADIUS attributes that the FortiGate unit requires.
  • The source of the RADIUS accounting records: the RADIUS server.
  • The destination(s) of the accounting records: the FortiGate units using this information for RADIUS SSO authentication.

General settings

General RADIUS accounting proxy settings can be configured by going to Fortinet SSO Methods > Accounting Proxy > General.

The following settings are available:

Log level Select Debug, Info, Warning, or Error as the minimum severity level of event to log from the drop-down list.
Group cache lifetime Enter the amount of time after which user group memberships will expire in the cache, from 1 to 10080 minutes (7 days). The default is 480 minutes.
Number of proxy retries Enter the number of times to retry proxy requests if they time out, from 0 to 3 retries, where 0 disables retries. The default is 3 retries.
Proxy retry timeout Enter the retry period (timeout) of a proxy request, from 1 to 10 seconds.
Statistics update period Enter the time between statistics updates to the debug log, in seconds, from 1 to 3600 seconds (1 hour).

Select OK to apply your changes.


Rule sets

A rule set can contain multiple rules. Each rule can do one of:

  • Add an attribute with a fixed value.
  • Add an attribute retrieved from a user’s record on an LDAP server.
  • Rename an attribute to make it acceptable to the accounting proxy destination.

The FortiAuthenticator unit can store up to 10 rule sets. You can provide both a name and a description to each rule set to help you remember each rule set’s purpose.

Rules operate on RADIUS attributes, which include both standard attributes and vendor-specific attributes (VSAs). To select a standard attribute, select the Default vendor. See RADIUS attributes on page 72.

To view the accounting proxy rule set list, go to Fortinet SSO Methods > Accounting Proxy > Rule Sets.

To add RADIUS accounting proxy rule sets:

  1. From the rule set list, select Create New. The Create New Rule Set window opens.
  2. Enter the following information:
Name Enter a name to use when selecting this rule set for an accounting proxy destination.
Description Optionally, enter a brief description of the rule’s purpose.
Rules Enter one or more rules.


Action The action for each rule can be either Add or Modify.

Add: add either a static value or a value derived from an LDAP server.

Modify: rename an attribute.

Attribute Select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Attribute 2 If the action is set to Modify, a second attribute may be selected. The first attribute will be renamed to the second attribute.
Value Type If the action is set to Add, select a value type from the drop-down list:

  • Static value: adds the attribute in the Attribute field containing the static value in the Value field.
  • Group names: adds the attribute in the Attribute field containing the group names from the group membership of the Username Attribute on the remote LDAP server.
  • Services: adds the attribute in the Attribute field containing the services from the group membership of the Username Attribute on the remote LDAP server.
  • UTM profile groups: adds the attribute in the Attribute field containing the UTM profile groups from the group membership of the Username Attribute on the remote LDAP server.

Value If the action is set to Add and Value Type is set to Static value, enter the static value.
Username Attribute If the action is set to Add, and Value Type is not set to Static value, specify an attribute that provides the user’s name, or select Browse and choose the appropriate Vendor and Attribute ID in the Select a RADIUS Attribute dialog box.
Remote LDAP If the attribute addition requires an LDAP server, select one from the dropdown list. See LDAP on page 88 for information on remote LDAP servers.
Description Enter a brief description of the rule.
Add another rule Select to add another rule to the rule set.
  3. Select OK to create the new rule set.
Example rule set

The incoming accounting packets contain the following fields:

  • User-Name
  • NAS-IP-Address
  • Fortinet-Client-IP-Address

The outgoing accounting packets need to have these fields:


  • User-Name
  • NAS-IP-Address
  • Fortinet-Client-IP-Address
  • Session-Timeout: Value is always 3600
  • Fortinet-Group-Name: Value is obtained from the user’s group membership on the remote LDAP server
  • Service-Type: Value is obtained from the user’s group membership and SSO Group Mapping

The rule set needs three rules to add Session-Timeout, Fortinet-Group-Name, and Service-Type. The following image provides an example:
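The same three rules, worked through in code as an added example (not the page's image and not Fortinet code). The attribute names are the ones in the example above; the LDAP group membership is a constructed dictionary standing in for the remote LDAP query, the SSO Group Mapping from group name to Service-Type is an assumption, and the proxy function goes one step beyond the example by replicating the same record to two destinations with different rule sets, as the Destinations section describes.

```python
"""RADIUS accounting proxy rule set applied to an accounting record
(added example modelled on the page's example rule set; not Fortinet code).

RADIUS attributes are modelled as a dict; a multi-valued attribute is a
list. LDAP_GROUPS stands in for the remote LDAP server and SERVICE_MAPPING
for the SSO Group Mapping; both are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for group membership on the remote LDAP server.
LDAP_GROUPS = {"alice": ["Sales", "VPN-Users"], "bob": ["Engineering"]}

# Assumed SSO Group Mapping: group name -> Service-Type value.
SERVICE_MAPPING = {"Sales": "Framed-User", "Engineering": "Login-User"}


@dataclass
class Rule:
    action: str                        # "Add" or "Modify"
    attribute: str
    value_type: str = "Static value"   # Add only: Static value / Group names / Services
    value: Optional[object] = None     # Add + Static value
    attribute2: Optional[str] = None   # Modify: the new attribute name
    username_attribute: str = "User-Name"  # Add + derived value: whose record to read
    description: str = ""


@dataclass
class Destination:
    name: str
    rule_set: list[Rule]


def lookup_groups(username: str) -> list[str]:
    """Stand-in for the remote LDAP group-membership query."""
    return LDAP_GROUPS.get(username, [])


def apply_rule(packet: dict, rule: Rule) -> dict:
    out = dict(packet)  # never mutate the source record
    if rule.action == "Modify":
        if rule.attribute2 is None:
            raise ValueError("Modify rule needs Attribute 2")
        if rule.attribute in out:
            out[rule.attribute2] = out.pop(rule.attribute)  # rename
        return out
    if rule.action != "Add":
        raise ValueError(f"unknown action {rule.action!r}")
    if rule.value_type == "Static value":
        out[rule.attribute] = rule.value
        return out
    user = out.get(rule.username_attribute)
    if user is None:
        return out  # nothing to derive the value from; record left as is
    groups = lookup_groups(user)
    if rule.value_type == "Group names":
        out[rule.attribute] = list(groups)
    elif rule.value_type == "Services":
        mapped = [SERVICE_MAPPING[g] for g in groups if g in SERVICE_MAPPING]
        if mapped:
            out[rule.attribute] = mapped[0]  # assumption: first mapped group wins
    else:
        raise ValueError(f"unsupported value type {rule.value_type!r}")
    return out


def apply_rule_set(packet: dict, rules: list[Rule]) -> dict:
    for rule in rules:
        packet = apply_rule(packet, rule)
    return packet


def proxy(packet: dict, destinations: list[Destination]) -> dict[str, dict]:
    """Replicate one record to every destination, each through its own rule set."""
    return {d.name: apply_rule_set(packet, d.rule_set) for d in destinations}


# The page's example rule set: three Add rules.
EXAMPLE_RULE_SET = [
    Rule("Add", "Session-Timeout", "Static value", value=3600),
    Rule("Add", "Fortinet-Group-Name", "Group names"),
    Rule("Add", "Service-Type", "Services"),
]

# Constructed incoming record carrying the three fields named on the page.
INCOMING = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.10",
            "Fortinet-Client-IP-Address": "10.0.0.5"}

if __name__ == "__main__":
    rename = [Rule("Modify", "Fortinet-Client-IP-Address",
                   attribute2="Framed-IP-Address")]
    for name, rec in proxy(INCOMING, [Destination("fgt-1", EXAMPLE_RULE_SET),
                                      Destination("fml-1", rename)]).items():
        print(name, rec)
```

Each rule works on a copy, so the carrier's original record is never altered no matter how many destinations subscribe, and a user with no LDAP record simply gets no derived attributes rather than an error.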

Sources

The RADIUS accounting proxy sources list can be viewed in Fortinet SSO Methods > Accounting Proxy > Sources. Sources can be added, edited, and deleted as needed.

To add a RADIUS accounting proxy source:

  1. From the source list, select Create New. The Create New RADIUS Accounting Proxy Source window opens.
  2. Enter the following information:
Name Enter the name of the RADIUS server. This is used in FortiAuthenticator configurations.


Source name/IP Enter the FQDN or IP address of the server.
Secret Enter the shared secret required to access the server.
Description Optionally, enter a description of the source.
  3. Select OK to add the RADIUS accounting proxy source.

Destinations

The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users. When defining the destination, you also specify the source of the records (a RADIUS client already defined as a source) and the rule set to apply to the records.

To view the RADIUS accounting proxy destinations list, go to Fortinet SSO Methods > Accounting Proxy > Destinations.

To add a RADIUS accounting proxy destination:

  1. From the destinations list, select Create New. The Create New RADIUS Accounting Proxy Destination window opens.
  2. Enter the following information:
Name Enter a name to identify the destination device in your configuration.
Destination name/IP Enter the FQDN or IP address of the FortiGate that will receive the RADIUS accounting records.
Secret Enter the preshared key of the destination.
Source Select a RADIUS client defined as a source from the drop-down list. See Sources on page 127.
Rule set Select an appropriate rule set from the drop-down list or select Create New to create a new rule set. See Rule sets on page 125.
  3. Select OK to add the RADIUS accounting proxy destination.

Fortinet Single Sign On – FortiAuthenticator 4.0

Fortinet Single Sign-On

FSSO is a set of methods to transparently authenticate users to FortiGate and FortiCache devices. This means that the FortiAuthenticator unit is trusting the implicit authentication of a different system, and using that to identify the user. FortiAuthenticator takes this framework and enhances it with several authentication methods:

  • Users can authenticate through a web portal and a set of embeddable widgets.
  • Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
  • Users authenticating against Active Directory can be automatically authenticated.
  • RADIUS Accounting packets can be used to trigger an FSSO authentication.
  • Users can be identified through the FortiAuthenticator API. This is useful for integration with third party systems.

The FortiAuthenticator unit must be configured to collect the relevant user logon data. After this basic configuration is complete, the various methods of collecting the log in information can be set up as needed.

Domain controller polling

When the FortiAuthenticator runs for the first time, it will poll the domain controller (DC) logs backwards until either the end of the log file or the logon timeout setting, whichever is reached first.

When the FortiAuthenticator is rebooted, the memory cache is written to the disk, then re-read at startup, allowing the previous state to be retained. Windows DC polling restarts on boot, then searches backwards in the DC log files until it reaches either the log that matches the last known serial number found in the login cache file, the log that is older than the last recorded read time, or the end of the log file, whichever is reached first.

The currently logged in FSSO users list is cached in memory and periodically written to disk. In an active-passive HA cluster, this file is synchronized to the slave device.

Windows management instrumentation polling

The FortiAuthenticator supports Windows Management Instrumentation (WMI) polling to detect workstation log off. This validates the currently logged on user for an IP address that has been discovered by the DC polling detection method.

Remote WMI access requires that the related ports are opened in the Windows firewall, and access to a domain account that belongs to the Domain Admin group.

To open ports in the Windows firewall in Windows 7, run gpedit.msc, go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile, go to Allow remote admin exception, then enable the remote admin exception and, if necessary, configure an IP subnet/range.


General settings

The FortiAuthenticator unit listens for requests from authentication clients and can poll Windows Active Directory servers.

To configure FortiAuthenticator FSSO polling:

  1. Go to Fortinet SSO Methods > SSO > General to open the Edit SSO Configuration window. The Edit SSO Configuration window contains sections for FortiGate, FSSO, and user group membership.
  2. In the FortiGate section, configure the following settings:
Listening port Leave at 8000 unless your network requires you to change this. Ensure this port is allowed through the firewall.
Enable authentication Select to enable authentication, then enter a secret key, or password, in the Secret key field.
Login Expiry The length of time, in minutes, that users can remain logged in before the system logs them off automatically. The default is 480 minutes (8 hours).
Extend user session beyond logoff by The length of time, in seconds, that a user session is extended after the user logs off, from 0 (default) to 3600 seconds.
Enable NTLM authentication Select to enable NTLM authentication, then enter the NETBIOS or DNS name of the domain that the login user belongs to in the User domain field.
  3. In the Fortinet Single Sign-On (FSSO) section, configure the following settings:
Maximum concurrent user sessions Enter the maximum number of concurrent FSSO login sessions a user is allowed to have. Use 0 for unlimited.

Select Configure Per User/Group to configure the maximum number of concurrent sessions for each user or group. See Fine-grained controls on page 112.

Log Level Select one of Debug, Info, Warning, or Error as the minimum severity level of events to log from the drop-down list.

Select Download all logs to download all FSSO logs to your management computer.


Enable Windows Active Directory domain controller polling Select to enable Windows AD polling.

Enable polling additional logon events Select to enable polling additional logon events, including from devices using Kerberos authentication or from Mac OS X systems, and from event IDs 672, 680, 4776, and 4768. When additional Active Directory logon event IDs are enabled, event IDs 528, 540, and 4624 are also polled. These events are generated when a user attempts to access a domain service or resource; such an event is also generated when a user logs off from the workstation.

Enter the additional logon event timeout time in the Additional logon event timeout field, from 1 to 480 minutes, with 5 minutes being the default time.

Note: After a user logs off, their SSO session will stay active for the above configured period of time. During this time, if another user changes to the previous user’s IP address, they may be able to bypass the necessary authentication. For this reason, it is strongly recommended that the timeout time be kept short.

Enable DNS lookup to get IP from workstation name Select to use DNS lookup to get IP address information when an event contains only the workstation name.

This option is enabled by default.

Directly use domain DNS suffix in lookup Select to use the domain DNS suffix when doing a DNS lookup.

This option is disabled by default.

Enable reverse DNS lookup to get workstation name from IP Select to enable reverse DNS lookup. Reverse DNS lookup is used when an event contains only an IP address and no workstation name.

This option is enabled by default.

Do one more DNS lookup to get full list of IPs after reverse lookup of workstation name Reverse DNS lookup is used when an event contains only an IP address and no workstation name. Once the workstation name is determined, it is used in the DNS lookup again to get more complete IP address information. This is useful in environments where workstations have multiple network interfaces.

This option is disabled by default.

Include account name ending with $ (usually computer account) Accounts that end in “$” used to exclusively denote computer accounts with no actual user, but in some cases, valid accounts imported from dated systems can feature them.

This option is disabled by default.

Enable Radius Accounting SSO clients Select to enable the detection of user sign-ons and sign-offs from incoming RADIUS accounting (Start, Stop, and Interim-Update) records.
Use RADIUS realm as Windows Active Directory domain Select to use the RADIUS realm as the Windows AD domain.
Enable Syslog SSO Select to enable Syslog SSO.


Enable FortiClient SSO Mobility Agent Service Select to enable single sign-on (SSO) by clients running FortiClient Endpoint Security. For more information, see FortiClient SSO Mobility Agent on page 123.
FortiClient listening port Enter the FortiClient listening port number.
Enable authentication Select to enable authentication, then enter a secret key, or password, in the Secret key field.
Keep-alive interval Enter the duration between keep-alive transmissions, from 1 to 60 minutes. Default is 5 minutes.
Idle timeout Enter an amount of time after which to logoff a user if their status is not updated. The value cannot be lower than the Keep-alive interval value.
Enable NTLM Select to enable the NT LAN Manager (NTLM) to allow logon of users who are connected to a domain that does not have the FSSO DC Agent installed. Disable NTLM authentication only if your network does not support NTLM authentication for security or other reasons. Enter an amount of time after which NTLM authentication expires in the NTLM authentication expiry field, from 1 to 10080 minutes (7 days).
Enable hierarchical FSSO tiering Select to enable hierarchical FSSO tiering. Enter the collector listening port in the Collector listening port field.
Enable DC/TS Agent Clients Select to enable clients using DC or TS Agent. Enter the UDP port in the DC/TS Agent listening port field. Default is 8002. Select Enable authentication to enable authentication, then enter a secret key, or password, in the Secret key field.

Restrict auto-discovered domain controllers to configured domain controllers Select to enable restricting automatically discovered domain controllers to already configured domain controllers only. See Domain controllers on page 114.
Enable Windows Active Directory workstation IP verification Select to enable workstation IP verification with Windows Active Directory. If enabled, select Enable IP change detection via DNS lookup to detect IP changes via DNS lookup.
  4. In the User Group Membership section, configure the following settings:


Group cache mode Select the group cache mode:

Passive: Items have an expiry time after which they are removed and re-queried on the next logon.

Active: Items are periodically updated for all currently logged on users.

Group cache item lifetime Enter the amount of time after which items will expire (default = 480 minutes). This is only available when the group cache mode is set to Passive.
Do not use cached groups… Select to prevent using cached groups and to always load groups from the server for the following SSO sources:

  • Windows Active Directory domain controller polling
  • RADIUS Accounting SSO
  • Syslog SSO
  • FortiClient SSO Mobility Agent
  • DC Agent
  • TS Agent
  • User login portal
  • SSO web service

Base distinguished names to search… Enter the base distinguished names to search for nesting of users or groups into cross domain and domain local groups.
  5. Select OK to apply the settings.

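Two of the settings above, Login Expiry and Extend user session beyond logoff by, decide for how long FSSO keeps telling the FortiGate that an IP address belongs to a user, and the note about the additional logon event timeout describes the risk of keeping an identity on an IP after its owner has logged off. The following added example (not Fortinet code) models the logon cache with those two settings, using constructed events and integer-second times; the cache structure and the range checks are assumptions based on the defaults and ranges stated in the guide.

```python
"""FSSO logon cache with Login Expiry and Extend user session beyond
logoff (added example illustrating the settings above; not Fortinet code).
Times are integer seconds; the events are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class FssoSettings:
    login_expiry_min: int = 480        # guide default: 480 minutes (8 hours)
    extend_beyond_logoff_s: int = 0    # guide default 0; range 0..3600 seconds

    def __post_init__(self):
        if self.login_expiry_min <= 0:
            raise ValueError("Login Expiry must be positive")
        if not 0 <= self.extend_beyond_logoff_s <= 3600:
            raise ValueError("Extend user session beyond logoff by must be 0..3600 s")


@dataclass
class Session:
    user: str
    ip: str
    login_at: int
    logoff_at: Optional[int] = None


class FssoSessionCache:
    """Maps an IP address to the user FSSO believes is logged on there."""

    def __init__(self, settings: FssoSettings):
        self.settings = settings
        self.by_ip: dict[str, Session] = {}

    def logon(self, user: str, ip: str, now: int) -> None:
        # A new logon on the same IP replaces whatever was cached for it.
        self.by_ip[ip] = Session(user, ip, now)

    def logoff(self, user: str, ip: str, now: int) -> None:
        s = self.by_ip.get(ip)
        if s is not None and s.user == user and s.logoff_at is None:
            s.logoff_at = now

    def is_active(self, s: Session, now: int) -> bool:
        if now - s.login_at >= self.settings.login_expiry_min * 60:
            return False  # Login Expiry reached: logged off automatically
        if s.logoff_at is not None:
            # After logoff the identity is kept for the configured extension.
            return now - s.logoff_at < self.settings.extend_beyond_logoff_s
        return True

    def resolve(self, ip: str, now: int) -> Optional[str]:
        """The user a FortiGate would be told owns this IP right now, if any."""
        s = self.by_ip.get(ip)
        if s is None or not self.is_active(s, now):
            self.by_ip.pop(ip, None)
            return None
        return s.user


def stale_identity_window(settings: FssoSettings) -> int:
    """Seconds after a logoff during which any host that takes over the IP
    would still be identified as the previous user. Keeping this short is
    the point of the guide's note."""
    return settings.extend_beyond_logoff_s


if __name__ == "__main__":
    cache = FssoSessionCache(FssoSettings(extend_beyond_logoff_s=300))
    cache.logon("alice", "10.0.0.7", now=0)
    cache.logoff("alice", "10.0.0.7", now=100)
    print(cache.resolve("10.0.0.7", now=200))  # still alice: inside the extension
    print(cache.resolve("10.0.0.7", now=400))  # None: extension elapsed
```

With the default of 0 the identity disappears the moment the logoff is seen; every second added to the extension is a second during which the firewall's policy decisions for that IP are based on a user who is no longer there.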
Port Based Network Access Control – FortiAuthenticator 4.0

Port-based Network Access Control

Port-based Network Access Control (PNAC), or 802.1X, authentication requires a client, an authenticator, and an authentication server (such as a FortiAuthenticator device).

The client is a device that wants to connect to the network. The authenticator is simply a network device, such as a wireless access point or switch. The authentication server is usually a host that supports the RADIUS and EAP protocols.

The client is not allowed access to the network until the client’s identity has been validated and authorized. Using 802.1X authentication, the client provides credentials to the authenticator, which the authenticator forwards to the authentication server for verification. If the authentication server determines that the credentials are valid, the client device is allowed access to the network.

FortiAuthenticator supports several IEEE 802.1X EAP methods.

EAP

The FortiAuthenticator unit supports several IEEE 802.1X EAP methods. These include authentication methods most commonly used in WiFi networks.

EAP is defined in RFC 3748 and updated in RFC 5247. EAP does not include security for the conversation between the client and the authentication server, so it is usually used within a secure tunnel technology such as TLS, TTLS, or MS-CHAP.

The FortiAuthenticator unit supports the following EAP methods:

Method            Server Auth   Client Auth   Encryption   Native OS Support
PEAP (MSCHAPv2)   Yes           Yes           Yes          Windows XP, Vista, 7
EAP-TTLS          Yes           No            Yes          Windows Vista, 7
EAP-TLS           Yes           Yes           Yes          Windows (XP, 7), Mac OS X, iOS, Linux, Android
EAP-GTC           Yes           Yes           Yes          None (external supplicant required)

In addition to providing a channel for user authentication, EAP methods also provide certificate-based authentication of the server computer. EAP-TLS provides mutual authentication: the client and server authenticate each other using certificates. This is essential for authentication onto an enterprise network in a BYOD environment.

For successful EAP-TLS authentication, the user’s certificate must be bound to their account in Authentication > User Management > Local Users (see Local users on page 58) and the relevant RADIUS client in Authentication > RADIUS Service > Clients (see RADIUS service on page 91) must permit that user to authenticate. By default, all local users can authenticate, but it is possible to limit authentication to specified user groups.


The FortiAuthenticator unit and EAP

A FortiAuthenticator unit delivers all of the authentication features required for a successful EAP-TLS deployment, including:

  • Certificate Management: create and revoke certificates as a CA. See Certificate Management on page 132.
  • Simple Certificate Enrollment Protocol (SCEP) Server: exchange a Certificate Signing Request (CSR) and the resulting signed certificate, simplifying the process of obtaining a device certificate.

FortiAuthenticator unit configuration

To configure the FortiAuthenticator unit, you need to:

  1. Create a CA certificate for the FortiAuthenticator unit. See Certificate authorities on page 140.

Optionally, you can skip this step and use an external CA certificate instead. Go to Certificate Management > Certificate Authorities > Trusted CAs to import CA certificates. See Trusted CAs on page 147.

  2. Create a server certificate for the FortiAuthenticator unit, using the CA certificate you created or imported in the preceding step. See End entities on page 133.
  3. If you configure EAP-TTLS authentication, go to Authentication > RADIUS Service > EAP and configure the certificates for EAP. See Configuring certificates for EAP on page 102.
  4. If SCEP will be used:
    1. Configure an SMTP server to be used for sending SCEP notifications. Then configure the email service for the administrator to use the SMTP server that you created. See E-mail services on page 46.
    2. Go to Certificate Management > SCEP > General and select Enable SCEP. Then select the CA certificate that you created or imported in Step 1 in the Default CA field and select OK. See SCEP on page 147.
  5. Go to Authentication > Remote Auth. Servers > LDAP and add the remote LDAP server that contains your user database. See LDAP on page 88.
  6. Import users from the remote LDAP server. You can choose which specific users will be permitted to authenticate. See Remote users on page 65.
  7. Go to Authentication > RADIUS Service > Clients to add the FortiGate wireless controller as an authentication client. Be sure to select the type of EAP authentication you intend to use. See RADIUS service on page 91.

Configuring certificates for EAP

The FortiAuthenticator unit can authenticate itself to clients with a CA certificate.

  1. Go to Certificate Management > Certificate Authorities > Trusted CAs to import the certificate you will use. See Trusted CAs on page 147.
  2. Go to Authentication > RADIUS Service > EAP.
  3. Select the EAP server certificate from the EAP Server Certificate drop-down list.
  4. Select the trusted CAs and local CAs to use for EAP authentication from their requisite lists.
  5. Select OK to apply the settings.

Configuring switches and wireless controllers to use 802.1X authentication

The 802.1X configuration will be largely vendor dependent. The key requirements are:

  • RADIUS Server IP: This is the IP address of the FortiAuthenticator.
  • Key: The preshared secret configured in the FortiAuthenticator authentication client settings.
  • Authentication Port: By default, FortiAuthenticator listens for authentication requests on port 1812.

Device self-enrollment

Device certificate self-enrollment is a method for local and remote users to obtain certificates for their devices. It is primarily used in enabling EAP-TLS for BYOD. For example:

  • A user brings their tablet to a BYOD organization.
  • They log in to the FortiAuthenticator unit and create a certificate for the device.
  • With their certificate, username, and password they can authenticate to gain access to the wireless network.
  • Without the certificate, they are unable to access the network.

To enable device self-enrollment and adjust self-enrollment settings, go to Authentication > Self-service Portal > Device Self-enrollment and select Enable user device certificate self-enrollment.

SCEP enrollment template Select a SCEP enrollment template from the drop-down list. SCEP can be configured in Certificate Management > SCEP. See SCEP on page 147 for more information.
Max. devices Set the maximum number of devices that a user can self-enroll.
Key size Select the key size for self-enrolled certificates (1024, 2048, or 4096 bits).

iOS devices only support two key sizes: 1024 and 2048.

Enable self-enrollment for Smart Card certificate Select to enable self-enrollment for smart card certificates.

This requires that a DNS domain name be configured, as it is used in the CRL Distribution Points (CDPs) certificate extension.


Select OK to apply any changes you have made.

Non-compliant devices

802.1X methods require interactive entry of user credentials to prove a user’s identity before allowing them access to the network. This is not possible for non-interactive devices, such as printers. MAC Authentication Bypass is supported to allow non-802.1X compliant devices to be identified and accepted onto the network using their MAC address as authentication.

This feature is only for 802.1X MAC Authentication Bypass. FortiGate Captive Portal MAC Authentication is supported by configuring the MAC address as a standard user, with the MAC address as both the username and password, and not by entering it in the MAC Devices section.

Multiple MAC devices can be imported in bulk from a CSV file. The first column of the CSV file contains the device names (maximum of 50 characters), and the second column contains the corresponding MAC addresses (0123456789AB or 01:23:45:67:89:AB).

To configure MAC-based authentication for a device:

  1. Go to Authentication > User Management > MAC Devices. The MAC device list will be shown.
  2. If you are adding a new device, select Create New to open the Create New MAC-based Authentication Device

If you are editing an already existing device, select the device from the device list.

  3. Enter the device name in the Name field, and enter the device’s MAC address in the MAC address field.
  4. Select OK to apply your changes.

To import MAC devices:

  1. In the MAC device list, select Import.
  2. Select Browse to locate the CSV file on your computer.
  3. Select OK to import the list.

The import will fail if the maximum number of MAC devices has already been reached, or if any of the information contained within the file does not conform, for example if a device name is too long, or a MAC address is incorrectly formatted.
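Because one malformed row rejects the whole file, it is worth checking the CSV before uploading it. The following Python script is an added example, not a Fortinet tool or the appliance's own validator: it applies the rules the guide states (a name of at most 50 characters, a MAC written as 0123456789AB or 01:23:45:67:89:AB, and the device limit) and reports each offending line. The device limit and the count of devices already configured are caller-supplied because the guide does not state the limit; the duplicate-MAC check is an extra sanity check of mine, not a rule the guide gives. The sample CSV is constructed.

```python
"""Pre-check a MAC device CSV before uploading it to FortiAuthenticator.

Added example, not Fortinet code. It applies the rules the guide states (name
up to 50 characters, MAC as 0123456789AB or 01:23:45:67:89:AB, device limit)
so a single bad row is found before the whole import is rejected.
"""
import csv
import io
import re
from typing import List, Tuple

MAX_NAME_LEN = 50
# The two MAC spellings the import accepts: 12 hex digits, or 6 colon-separated octets.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{12}|(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$")


def normalize_mac(mac: str) -> str:
    """Canonical 12-hex-digit upper-case form, so both accepted spellings compare equal."""
    return mac.replace(":", "").upper()


def validate_mac_device_csv(text: str, max_devices: int, existing_count: int = 0
                            ) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (rows that would import, human-readable errors for rows that would not).

    `max_devices` and `existing_count` are assumptions supplied by the caller: the
    guide says the import fails once the device limit is reached but does not
    state the limit. Duplicate-MAC detection is an added sanity check.
    """
    accepted: List[Tuple[str, str]] = []
    errors: List[str] = []
    seen = set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue                                   # blank line, nothing to import
        if len(row) < 2:
            errors.append(f"line {lineno}: expected 'name,mac', got {len(row)} column(s)")
            continue
        name, mac = row[0].strip(), row[1].strip()
        if not name or len(name) > MAX_NAME_LEN:
            errors.append(f"line {lineno}: device name must be 1-{MAX_NAME_LEN} characters")
            continue
        if not MAC_RE.match(mac):
            errors.append(f"line {lineno}: MAC {mac!r} is not 0123456789AB or 01:23:45:67:89:AB")
            continue
        canonical = normalize_mac(mac)
        if canonical in seen:
            errors.append(f"line {lineno}: MAC {canonical} appears more than once in the file")
            continue
        seen.add(canonical)
        accepted.append((name, canonical))
    remaining = max_devices - existing_count
    if len(accepted) > remaining:
        errors.append(f"{len(accepted)} new devices but only {remaining} slot(s) left "
                      f"before the limit of {max_devices}")
    return accepted, errors


# Constructed sample: two valid rows, one over-long name, one dash-separated MAC.
SAMPLE_CSV = (
    "printer-lobby,00:11:22:33:44:55\n"
    + "badge-reader-2,001122334466\n"
    + "x" * 51 + ",00:11:22:33:44:77\n"
    + "scanner-3,00-11-22-33-44-88\n"
)

if __name__ == "__main__":
    ok, problems = validate_mac_device_csv(SAMPLE_CSV, max_devices=100)
    for name, mac in ok:
        print("OK  ", name, mac)
    for problem in problems:
        print("FAIL", problem)
```

Run it against the file you intend to upload; fix every FAIL line, then import. The canonical form returned for each accepted row is also handy for comparing the file against the device list already on the unit.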

FortiAuthenticator 4.0 System

System

The System tab enables you to manage and configure the basic system options for the FortiAuthenticator unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access privileges, managing and updating firmware for the device, and managing messaging servers and services.

The System tab provides access to the following menus and sub-menus:

Dashboard Select this menu to monitor and troubleshoot your FortiAuthenticator device. Dashboard widgets include:
  • System Information widget
  • System Resources widget
  • Authentication Activity widget
  • User Inventory widget
  • HA Status
  • License Information widget
  • Disk Monitor
  • Top User Lockouts widget

Network Select this menu to configure your FortiAuthenticator interfaces and network settings.
  • Interfaces
  • DNS
  • Static routing
  • Packet capture

Administration Select this menu to configure administrative settings for the FortiAuthenticator device.
  • GUI access
  • High availability
  • Firmware
  • Automatic backup
  • SNMP
  • Licensing
  • FortiGuard
  • FTP servers
  • Administration

Messaging Select this menu to configure messaging servers and services for the FortiAuthenticator device.
  • SMTP servers
  • E-mail services
  • SMS gateways

Dashboard

When you select the System tab, it automatically opens at the System > Dashboard page.

The Dashboard page displays widgets that provide performance and status information and enable you to configure some basic system settings. These widgets appear on a single dashboard.

The following widgets are available:

System Information Displays basic information about the FortiAuthenticator system including host name, DNS domain name, serial number, system time, firmware version, architecture, system configuration, current administrator, and up time.

From this widget you can manually update the FortiAuthenticator firmware to a different release. For more information, see System Information widget on page 25.

System Resources Displays the usage status of the CPU and memory. For more information, see System Resources widget on page 29.
Authentication Activity Displays a customizable graph of the number of logins to the device. For more information, see Authentication Activity widget on page 29.
User Inventory Displays the numbers of users, groups, FortiTokens, FSSO users, and FortiClient users currently used or logged in, as well as the maximum allowed number, the number still available, and the number that are disabled.

For more information, see User Inventory widget on page 29.

HA Status Displays whether or not HA is enabled.
License Information Displays the device’s license information, as well as SMS information. For more information, see License Information widget on page 29.
Disk Monitor Displays if RAID is enabled, and the current disk usage in GB.
Top User Lockouts Displays the top user lockouts. For more information, see Top User Lockouts widget on page 30.

Customizing the dashboard

The FortiAuthenticator system settings dashboard is customizable. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized.

To move a widget

Position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.

To add a widget

In the dashboard toolbar, select Add Widget, then select the name of widget that you want to show. Multiple widgets of the same type can be added. To hide a widget, in its title bar, select the Close icon.

To see the available options for a widget

Position your mouse cursor over the icons in the widget’s title bar. Options include show/hide the widget, edit the widget, refresh the widget content, and close the widget.

The following table lists the widget options.

Show/Hide arrow Display or minimize the widget.
Widget Title The name of the widget.
Edit Select to change settings for the widget.

This option appears only in certain widgets.

Refresh Select to update the displayed information.
Close Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget again, select Add Widget in the toolbar and then select the name of the widget you want to show.

To change the widget title

Widget titles can be customized by selecting the edit button in the title bar and entering a new title in the widget settings dialog box. Some widgets have more options in their respective settings dialog box.

To reset a widget title to its default name, simply leave the Custom widget title field blank.

The widget refresh interval can also be manually adjusted from this dialog box.

System Information widget

The system dashboard includes a System Information widget, which displays the current status of the FortiAuthenticator unit and enables you to configure basic system settings.

The following information is available on this widget:

Host Name The identifying name assigned to this FortiAuthenticator unit. For more information, see Changing the host name on page 26.
DNS Domain Name The DNS domain name. For more information, see Changing the DNS domain name on page 27.
Serial Number The serial number of the FortiAuthenticator unit. The serial number is unique to the FortiAuthenticator unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
System Time The current date, time, and time zone on the FortiAuthenticator internal clock or NTP server. For more information, see Configuring the system time, time zone, and date on page 27.
Firmware Version The version number and build number of the firmware installed on the FortiAuthenticator unit. To update the firmware, you must download the latest version from the Customer Service & Support portal at https://support.fortinet.com. Select Update and select the firmware image to load from your management computer.
Architecture The architecture of the device, such as 32-bit.
System Configuration The date of the last system configuration backup. Select Backup/Restore to backup or restore the system configuration. For more information, see Backing up and restoring the configuration on page 28.
Current Administrator The name of the currently logged on administrator.
Uptime The duration of time the FortiAuthenticator unit has been running since it was last started or restarted.
Shutdown/Reboot Options to shutdown or reboot the device. When rebooting or shutting down the system, you have the option to enter a message that will be added to the event log explaining the reason for the shutdown or reboot.

Changing the host name

The System Information widget will display the full host name.

To change the host name:

  1. Go to System > Dashboard.
  2. In the System Information widget, in the Host Name field, select Change. The Edit Host Name page opens.
  3. In the Host name field, type a new host name.

The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.

  4. Select OK to save the setting.

Introduction


FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout your network. The FortiAnalyzer family minimizes the effort required to monitor and maintain acceptable use policies, as well as identify attack patterns to help you fine-tune your policies. Organizations of any size will benefit from centralized security event logging, forensic research, reporting, content archiving, data mining and malicious file quarantining.

FortiAnalyzer offers enterprise class features to identify threats, while providing the flexibility to evolve along with your ever-changing network. FortiAnalyzer can generate highly customized reports for your business requirements, while aggregating logs in a hierarchical, tiered logging topology.

You can deploy FortiAnalyzer physical or virtual appliances to collect, correlate, and analyze geographically and chronologically diverse security data. Aggregate alerts and log information from Fortinet appliances and third-party devices in a single location, providing a simplified, consolidated view of your security posture. In addition, FortiAnalyzer platforms provide detailed data capture for forensic purposes to comply with policies regarding privacy and disclosure of information security breaches.

Feature support

The following table lists FortiAnalyzer feature support for log devices.

Table 1: Feature support per platform

Platform       Logging   FortiView   Event Management   Reports
FortiGate      Yes       Yes         Yes                Yes
FortiCarrier   Yes       Yes         Yes                Yes
FortiMail      Yes       -           -                  Yes
FortiWeb       Yes       -           -                  Yes
FortiCache     Yes       -           -                  Yes
FortiClient    Yes       -           -                  -
FortiSandbox   Yes       -           -                  -
Syslog         Yes       -           -                  -

FortiAnalyzer documentation

The following FortiAnalyzer product documentation is available:

  • FortiAnalyzer Administration Guide

This document describes how to set up the FortiAnalyzer system and use it with supported Fortinet units.

  • FortiAnalyzer device QuickStart Guides

These documents are included with your FortiAnalyzer system package. Use them to install and begin working with the FortiAnalyzer system and FortiAnalyzer Web-based Manager.

  • FortiAnalyzer Online Help

You can get online help from the FortiAnalyzer Web-based Manager. FortiAnalyzer online help contains detailed procedures for using the FortiAnalyzer Web-based Manager to configure and manage FortiGate units.

  • FortiAnalyzer CLI Reference

This document describes how to use the FortiAnalyzer Command Line Interface (CLI) and contains references for all FortiAnalyzer CLI commands.

  • FortiAnalyzer Release Notes

This document describes new features and enhancements in the FortiAnalyzer system for the release, and lists resolved and known issues. This document also defines supported platforms and firmware versions.

  • FortiAnalyzer Log Message Reference

This document describes the structure of FortiAnalyzer log messages and provides information about the log messages that are generated by the FortiAnalyzer system.

Using High Availability

Using high availability (HA)

Go to System > High Availability to configure the FortiMail unit to act as a member of a high availability (HA) cluster in order to increase processing capacity or availability.

For the general procedure of how to enable and configure HA, see “How to use HA” on page 312.

This section contains the following topics:

  • About high availability
  • About the heartbeat and synchronization
  • About logging, alert email and SNMP in HA
  • How to use HA
  • Monitoring the HA status
  • Configuring the HA mode and group
  • Configuring service-based failover
  • Example: Failover scenarios
  • Example: Active-passive HA group in gateway mode

About high availability

FortiMail units can operate in one of two HA modes, active-passive or config-only.

Table 31: Comparison of HA modes

Active-passive HA                                           Config-only HA
2 FortiMail units in the HA group                           2-25 FortiMail units in the HA group
Typically deployed behind a switch                          Typically deployed behind a load balancer
Both configuration* and data synchronized                   Only configuration* synchronized
Only primary unit processes email                           All units process email
No data loss when hardware fails                            Data loss when hardware fails
Failover protection, but no increased processing capacity   Increased processing capacity, but no failover protection

* For exceptions to synchronized configuration items, see “Configuration settings that are not synchronized” on page 309.

Figure 126: Active-passive HA group operating in gateway mode

Figure 127: Config-only HA group operating in gateway mode

If the config-only HA group is installed behind a load balancer, the load balancer stops sending email to failed FortiMail units. All sessions being processed by the failed FortiMail unit must be restarted and will be re-directed by the load balancer to other FortiMail units in the config-only HA group.

You can mix different FortiMail models in the same HA group. However, all units in the HA group must have the same firmware version.

Communications between HA cluster members occur through the heartbeat and synchronization connection. For details, see “About the heartbeat and synchronization” on page 307.

To configure FortiMail units operating in HA mode, you usually connect only to the primary unit (master). The primary unit’s configuration is almost entirely synchronized to secondary units (slave), so that changes made to the primary unit are propagated to the secondary units.

Exceptions to this rule include connecting to a secondary unit in order to view log messages recorded about the secondary unit itself on its own hard disk, and connecting to a secondary unit to configure settings that are not synchronized. For details, see “Configuration settings that are not synchronized” on page 309.

To use FortiGuard Antivirus or FortiGuard Antispam with HA, license all FortiMail units in the cluster. If you license only the primary unit in an active-passive HA group, after a failover, the secondary unit cannot connect to the FortiGuard Antispam service. For FortiMail units in a config-only HA group, only the licensed unit can use the subscription services.

For instructions of how to enable and configure HA, see “How to use HA” on page 312.