Tag Archives: fortinet product matrix

Configuring Peer user groups

Configuring Peer user groups

Peer user groups can only be configured using the CLI. Peers are digital certificate holders defined using the config user peer command. The peer groups you define here are used in dialup IPsec VPN configurations that accept RSA certificate authentication from members of a peer certificate group.

 

To create a peer group – CLI example:

config user peergrp edit vpn_peergrp1

set member pki_user1 pki_user2 pki_user3 end

SSO user groups

SSO user groups

SSO user groups are part of FSSO authentication and contain only Windows or Novell network users. No other user types are permitted as members. Information about the Windows or Novell user groups and the logon activities of their members is provided by the Fortinet Single Sign On (FSSO) which is installed on the network domain controllers.

You can specify FSSO user groups in security policies in the same way as you specify firewall user groups. FSSO user groups cannot have SSL VPN or dialup IPsec VPN access.

For information about configuring FSSO user groups, see Creating Fortinet Single Sign-On (FSSO) user groups on page 589. For complete information about installing and configuring FSSO, see Agent-based FSSO on page 553.

Editing CASI profiles

Editing CASI profiles

The CASI profile application list consists of the Application Name, Category, and Action. A default

CASI profile exists, with the option to create custom profiles. For each CASI profile application, the user has the option to Allow, Block, or Monitor the selected cloud application. The following image demonstrates the ability to Allow, Block, or Monitor YouTube using CASI:editing CASI

When the user drills down into a selected cloud application, the following options are available (depending on the type of service):

lFor business services, such as Salesforce and Zoho:

Option to allow, block, or monitor file download/upload and login.

For collaboration services, such as Google.Docs and Webex:

Option to allow, block, or monitor file access/download/upload and login.

For web email services, such as Gmail and Outlook:

Option to allow, block, or monitor attachment download/upload, chat, read/send message.

For general interst services, such as Amazon, Google, and Bing:

Option to allow, block, or monitor login, search phase, and file download/upload.

For social media services, such as Facebook, Twitter, and Instagram:

Option to allow, block, or monitor chat, file download/upload, post, login.

For storage backup services, such as Dropbox, iCloud, and Amazon Cloud Drive:

Option to allow, block, or monitor file access/download/upload and login.

For video/audio services, such as YouTube, Netflix, and Hulu:

Option to allow, block, or monitor channel access, video access/play/upload, and login.

 

 

CLI Syntax

 

configure application casi profile edit “profile name”

set comment “comment”

set replacemsg-group “xxxx”

set app-replacemsg [enable|disable]

configure entries edit

set application “app name”

 

 

 

 

 

 

 

 

 

next end

set action [block|pass]

set log [enable|disable]

next edit 2

 

 

configure firewall policy edit “1”

set casi-profile “profile name” next

end

 

config firewall sniffer edit 1

set casi-profile-status [enable|disable]

set casi-profile “sniffer-profile” next

end

 

config firewall interface-policy edit 1

set casi-profile-status [enable|disable]

set casi-profile “2” next

end

Cloud Access Security Inspection (CASI)

Cloud Access Security Inspection (CASI)

This feature introduces a new security profile called Cloud Access Security Inspection (CASI) that provides support for fine-grained control on popular cloud applications, such as YouTube, Dropbox, Baidu, and Amazon. The CASI profile is applied on a policy much like any other security profile.

Unfortunately CASI does not work when using Proxy-based profiles for AV or Web fil- tering for example.

Make sure to only use Flow-based profiles in combination with CASI on a specific policy.

CASI

For this feature, Deep Inspection of Cloud Applications (set deep-app-inspection [enable|disable]) has been moved out of the Application Control security profile options.

You will find the Cloud Access Security Inspection feature under Security Profiles > Cloud Access Security

Inspection, but you must first enable it in the Feature store under System > Feature Select > CASI.

7-day time display

7day time display

In FortiOS 5.4, the following FortiGate models now support 7-day time display:

  • FortiGate 1000D
  • FortiGate 1500D
  • FortiGate 3700DX
  • FortiGate 3700D

The option for 7-day time display, however, can only be configured in the CLI using the following command:

config log setting

set fortiview-weekly-data {enable|disable}

end

FortiGuard Cloud App DB identification

FortiGuard Cloud App DB identification

FortiView now recognizes FortiGuard Cloud Application database traffic, which is mainly monitored and validated by FortiFlow, an internal application that identifies cloud applications based on IP, Port, and Protocol. Administrators can potentially use this information for WAN Link Load Balancing, for example.

 

WHOIS Lookup anchor for public IPv4 addresses

WHOIS Lookup anchor for public IPv4 addresses

Reverse IP lookup is now possible in FortiOS 5.4. A WHOIS lookup icon is available when you mouse over a public IP address in a FortiView log. If you left-click on the lookup icon, a new tab is opened in your browser for www.networksolutions.com, and a lookup is performed on the selected IP address (this option persists after drilling down one level in FortiView).

Accelerated session filtering on All Sessions page

Accelerated session filtering on All Sessions page

By default, on a FortiGate unit with NP6 processors, when you enable traffic logging in a firewall policy this also enables NP6 per-session accounting. If you disable traffic logging this also disables NP6 per-session accounting. This behavior can be changed using the following command:

config system np6 edit np6_0

set per-session-accounting {disable | all-enable | enable-by-log}

end

By default, per-session-accounting is set to enable-by-log, which results in per-session accounting being turned on when you enable traffic logging in a policy. This configuration is set separately for each NP6 processor.

When offloaded sessions appear on the FortiView All Sessions console they include an icon identifying them as

NP sessions:

np sessions

You can hover over the NP icon to see some information about the offloaded sessions. You can also use a FortiASIC Filter to view just the accelerated sessions.