
Networking

Internet-Service database (288672 281333 291858)

Go to Policy & Objects > Internet Service Database to view the Internet Service Database. The database contains detailed information about services available on the Internet, such as DNS servers operated by Adobe, Google, Fortinet, Apple and others, along with a wide range of other services. For each service the database lists the IP addresses of the servers that host it, as well as the port and protocol number used at each address.


Interfaces assigned to Virtual Wired Pairs don't have "roles" (296519)

Assigning an interface to be part of a virtual wire pairing will remove the "role" value from the interface.


FortiHeartBeat replaces FortiClient Access and other FortiClient interface settings (299371)

To configure an interface to listen for connections from devices with FortiClient installed, enable FortiHeartBeat under Administrative Access. FortiHeartBeat was called FCT-Access or FortiClient Access in FortiOS 5.2.

After enabling FortiHeartBeat, under Admission Control you can select Enforce FortiHeartBeat for all FortiClients to require devices to have FortiClient installed before they can get access through the FortiGate. If you enable this feature you should also go to Security Profiles > FortiClient Profiles and configure FortiClient Profiles, then add the configured FortiClient Profiles to firewall policies with device detection.

Use the following CLI command to enable FortiHeartBeat on an interface and enable enforcing FortiHeartBeat for all FortiClients:

config system interface
    edit port1
        set listen-forticlient-connection enable
        set endpoint-compliance enable
    next
end

After enabling FortiHeartBeat, you can also enable DHCP server and turn on FortiClient On-Net Status to display the on-net status of FortiClient devices on the FortiClient Monitor (go to Monitor > FortiClient Monitor).


Use the following CLI command to enable FortiClient on-net status for a DHCP server added to the port1 interface:

config system dhcp server
    edit 1
        set interface port1
        set forticlient-on-net-status enable
    next
end
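The two CLI fragments above are the settings a reviewer would want to verify across a whole FortiGate configuration backup: an interface that listens for FortiClient connections but does not enforce endpoint compliance lets devices without FortiClient through. The following script is an added example, not part of the release notes or of Fortinet's own tooling. It parses the nested config/edit/set/next/end structure of a FortiOS-style CLI dump and reports interfaces that listen for FortiClient without enforcement, plus the interfaces whose DHCP server has on-net status enabled. The setting names are the ones shown above; the sample configuration, interface names and addresses are constructed for the example.

```python
"""Audit FortiHeartBeat-related settings in a FortiOS CLI configuration dump.

Added example (not from the release notes or from Fortinet). Setting names
come from the CLI shown on the page; the sample config is constructed.
"""
import shlex

# Constructed sample: port1 listens and enforces, port2 listens without
# enforcing, port3 does not listen at all. One DHCP server on port1.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        set listen-forticlient-connection enable
        set endpoint-compliance enable
    next
    edit "port2"
        set ip 198.51.100.1 255.255.255.0
        set listen-forticlient-connection enable
    next
    edit "port3"
        set ip 203.0.113.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set interface "port1"
        set forticlient-on-net-status enable
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config into nested dicts.

    Result shape: {section: {entry: {setting: [values]}}}. A 'config' block
    nested inside an 'edit' entry is stored under its own key. 'next' closes
    the current 'edit'; 'end' closes the enclosing 'config' (and any open
    'edit' inside it, so 'edit port1 ... end' without 'next' also parses).
    """
    root = {}
    stack = [(root, "root")]  # (container, kind)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        cmd = tokens[0]
        if cmd == "config":
            node = stack[-1][0].setdefault(" ".join(tokens[1:]), {})
            stack.append((node, "config"))
        elif cmd == "edit":
            node = stack[-1][0].setdefault(tokens[1], {})
            stack.append((node, "edit"))
        elif cmd == "set":
            stack[-1][0][tokens[1]] = tokens[2:]
        elif cmd == "unset":
            stack[-1][0].pop(tokens[1], None)
        elif cmd == "next":
            if stack[-1][1] == "edit":
                stack.pop()
        elif cmd == "end":
            while len(stack) > 1:
                _, kind = stack.pop()
                if kind == "config":
                    break
    return root


def forticlient_listeners_without_enforcement(config):
    """Interfaces with listen-forticlient-connection enabled but
    endpoint-compliance not enabled (the setting defaults to disable)."""
    findings = []
    for name, settings in config.get("system interface", {}).items():
        listening = settings.get("listen-forticlient-connection") == ["enable"]
        enforcing = settings.get("endpoint-compliance") == ["enable"]
        if listening and not enforcing:
            findings.append(name)
    return sorted(findings)


def dhcp_on_net_interfaces(config):
    """Interfaces whose DHCP server reports FortiClient on-net status."""
    servers = config.get("system dhcp server", {}).values()
    return sorted(s["interface"][0] for s in servers
                  if "interface" in s and s.get("forticlient-on-net-status") == ["enable"])


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("Listening without enforcement:", forticlient_listeners_without_enforcement(cfg))
    print("DHCP on-net status enabled on:", dhcp_on_net_interfaces(cfg))
```

To audit a real device, replace SAMPLE_CONFIG with the text of a configuration backup; the parser only needs the config/edit/set/next/end structure and ignores unknown settings.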


STP (Spanning Tree Protocol) support for models with hardware switches (214901 291953)

STP used to be available only in the old-style switch mode for the internal ports. It is now possible to enable STP on the hardware switches found in the newer models, which use a virtual switch to simulate the old Switch Mode for the internal ports.

The syntax for enabling STP is as follows:

config system interface
    edit lan
        set stp [enable | disable]
    next
end


Command to determine interface transceiver optical signal strength (205138 282307)

The new get system interface transceiver command can be used to determine optical signal strength when using SFP/SFP+ modules, which is useful for troubleshooting fiber-optic connections to service providers. The command is hardware dependent and is currently supported by FortiGate models that include SFP/SFP+ interfaces, including the FortiGate-100D/200D-POE/400D/500D/900D/1000D/1200D/1500D/3700D/3700DX models.

Managing a FortiSwitch with FortiGate

Unless otherwise stated, these features require FortiSwitchOS 3.3.0 or later release on the FortiSwitch. The following FortiGate models can be used to manage FortiSwitches:

FGT-60D, FGT-60D-POE, FWF-60D, FWF-60D-POE, FGT-90D, FGT-90D-POE, FWF-90D, FWF-90D-POE, FGT-100D, FGT-140D, FGT-140D_POE, FGT-140D_POE_T1, FGT-200D, FGT-240D, FGT-280D, FGT-280D_POE, FGT-600C, FGT-800C, FGT-1000C, FGT-1200D, FGT-1500D, FGT-3700D


New FortiLink topology diagram (289005 271675 277441)

For managed FortiSwitches (WIFI & Switch Controller > Managed FortiSwitch), the system now displays the overall topology of the managed FortiSwitches that are connected to this FortiGate.

The topology lists the FortiLink ports on the FortiGate, and displays a full faceplate for each connected FortiSwitch (also showing the FortiLink ports on each FortiSwitch). You can right-click to authorize a managed FortiSwitch or left-click to edit the managed FortiSwitch information.

The topology can display multiple FortiLinks to each FortiSwitch, as FortiOS 5.4 supports FortiLink as a LAG.


New interface option to auto-authorize extension devices (294966)

If you enable the auto-authorize option on a FortiGate FortiLink port, the FortiGate will automatically authorize the managed FortiSwitch connected to this FortiLink. The new option is only visible when the interface type is set to Dedicate to Extension Device.


New CLI setting to enable pre-standard PoE detection on managed FortiSwitch ports (293512)

This feature is available in FortiSwitchOS 3.3.2 and later releases.

Use the following commands to enable this setting on a managed FortiSwitch port:

config switch-controller managed-switch
    edit $FSW
        config ports
            edit "port1"
                set poe-pre-standard-detection [enable | disable]
            next
        end
    next
end

The default is disable.

Reset any PoE port (by toggling the power OFF and then ON):

execute switch-controller poe-reset <fortiswitch-id> <port>

Display general PoE status:

get switch-controller <fortiswitch-id> <port>