Tag Archives: fortinet tips

Port Based Network Access Control – FortiAuthenticator 4.0

Port-based Network Access Control

Port-based Network Access Control (PNAC), or 802.1X, authentication requires a client, an authenticator, and an authentication server (such as a FortiAuthenticator device).

The client is a device that wants to connect to the network. The authenticator is simply a network device, such as a wireless access point or switch. The authentication server is usually a host that supports the RADIUS and EAP protocols.

The client is not allowed access to the network until the client’s identity has been validated and authorized. Using 802.1X authentication, the client provides credentials to the authenticator, which the authenticator forwards to the authentication server for verification. If the authentication server determines that the credentials are valid, the client device is allowed access to the network.

FortiAuthenticator supports several IEEE 802.1X EAP methods.

EAP

The FortiAuthenticator unit supports several IEEE 802.1X EAP methods. These include authentication methods most commonly used in WiFi networks.

EAP is defined in RFC 3748 and updated in RFC 5247. EAP does not include security for the conversation between the client and the authentication server, so it is usually used within a secure tunnel technology such as TLS, TTLS, or MS-CHAP.

The FortiAuthenticator unit supports the following EAP methods:

Method Server Auth Client Auth Encryption Native OS Support
PEAP (MSCHAPv2) Yes Yes Yes Windows XP, Vista, 7
EAP-TTLS Yes No Yes Windows Vista, 7
EAP-TLS Yes Yes Yes Windows (XP, 7), Mac OS X, iOS,

Linux, Android

EAP-GTC Yes Yes Yes None (external supplicant required)

In addition to providing a channel for user authentication, EAP methods also provide certificate-based authentication of the server computer. EAP-TLS provides mutual authentication: the client and server authenticate each other using certificates. This is essential for authentication onto an enterprise network in a BYOD environment.

For successful EAP-TLS authentication, the user’s certificate must be bound to their account in Authentication >

UserManagement > Local Users (see Local users on page 58) and the relevant RADIUS client in Authentication > RADIUS Service > Clients (see RADIUS service on page 91) must permit that user to authenticate. By default, all local users can authenticate, but it is possible to limit authentication to specified user groups.

Port-based Network Access Control                                                                                                          EAP

The FortiAuthenticator unit and EAP

A FortiAuthenticator unit delivers all of the authentication features required for a successful EAP-TLS deployment, including:

  • Certificate Management: create and revoke certificates as a CA. See Certificate Management on page 132.
  • Simple Certificate Enrollment Protocol (SCEP) Server: exchange a Certificate Signing Request (CSR) and the resulting signed certificate, simplifying the process of obtaining a device certificate.

FortiAuthenticator unit configuration

To configure the FortiAuthenticator unit, you need to:

  1. Create a CA certificate for the FortiAuthenticator unit. See Certificate authorities on page 140.

Optionally, you can skip this step and use an external CA certificate instead. Go to Certificate Management > Certificate Authorities > Trusted CAs to import CA certificates. See Trusted CAs on page 147.

  1. Create a server certificate for the FortiAuthenticator unit, using the CA certificate you created or imported in the preceding step. See End entities on page 133.
  2. If you configure EAP-TTLS authentication, go to Authentication > RADIUS Service > EAP and configure the certificates for EAP. See Configuring certificates for EAP on page 102.
  3. If SCEP will be used:
    1. Configure an SMTP server to be used for sending SCEP notifications. Then configure the email service for the administrator to use the SMTP server that you created. See E-mail services on page 46.
    2. Go to Certificate Management > SCEP > General and select Enable SCEP. Then select the CA certificate that you created or imported in Step 1 in the Default CA field and select OK. See SCEP on page 147.
  4. Go to Authentication > Remote Auth. Servers > LDAP and add the remote LDAP server that contains your user database. See LDAP on page 88.
  5. Import users from the remote LDAP server. You can choose which specific users will be permitted to authenticate. See Remote users on page 65.
  6. Go to Authentication > RADIUS Service > Clients to add the FortiGate wireless controller as an authentication client. Be sure to select the type of EAP authentication you intend to use. See RADIUS service on page 91.

Configuring certificates for EAP

The FortiAuthenticator unit can authenticate itself to clients with a CA certificate.

  1. Go to Certificate Management > Certificate Authorities > Trusted CAs to import the certificate you will use. See Trusted CAs on page 147.
  2. Go to Authentication > RADIUS Service > EAP.
  3. Select the EAP server certificate from the EAP ServerCertificate drop-down list.
  4. Select the trusted CAs and local CAs to use for EAP authentication from their requisite lists.
  5. Select OK to apply the settings.

Configuring switches and wireless controllers to use 802.1X authentication

The 802.1X configuration will be largely vendor dependent. The key requirements are:

Device self-enrollment                                                                           Port-based Network Access Control

l RADIUS Server IP: This is the IP address of the FortiAuthenticator l Key: The preshared secret configured in the FortiAuthenticator authentication client settings l Authentication Port: By default, FortiAuthenticator listens for authentication requests on port 1812.

Device self-enrollment

Device certificate self-enrollment is a method for local and remote users to obtain certificates for their devices. It is primarily used in enabling EAP-TLS for BYOD. For example:

l A user brings their tablet to a BYOD organization. l They log in to the FortiAuthenticator unit and create a certificate for the device. l With their certificate, username, and password they can authenticate to gain access to the wireless network. l Without the certificate, they are unable to access the network.

To enable device self-enrollment and adjust self-enrollment settings, go to Authentication > Self-service Portal > Device Self-enrollment and select Enable userdevice certificate self-enrollment.

SCEP enrollment template Select a SCEP enrollment template from the drop-down list. SCEP can be configured in Certificate Management > SCEP. See SCEP on page 147 for more information.
Max. devices Set the maximum number of devices that a user can self-enroll.
Key size Select the key size for self-enrolled certificates (1024, 2048, or 4096 bits).

iOS devices only support two key size: 1024 and 2048.

Enable self-enrollment for Smart Card certificate Select to enable self-enrollment for smart card certificates.

This requires that a DNS domain name be configured, as it is used in the CRL Distribution Points (CDPs) certificate extension.

Port-based Network Access Control                                                                          Non-compliant devices

Select OK to apply any changes you have made.

Non-compliant devices

802.1X methods require interactive entry of user credentials to prove a user’s identity before allowing them access to the network. This is not possible for non-interactive devices, such as printers. MAC Authentication Bypass is supported to allow non-802.1X compliant devices to be identified and accepted onto the network using their MAC address as authentication.

This feature is only for 802.1X MAC Authentication Bypass. FortiGate Captive Portal MAC Authentication is supported by configuring the MAC address as a standard user, with the MAC address as both the username and password, and not by entering it in the MAC Devices section.

Multiple MAC devices can be imported in bulk from a CSV file. The first column of the CSV file contains the device names (maximum of 50 characters), and the second column contains the corresponding MAC addresses (0123456789AB or 01:23:45:67:89:AB).

To configure MAC-based authentication for a device:

  1. Go to Authentication > User Management > MAC Devices. The MAC device list will be shown.
  2. If you are adding a new device, select Create New to open the Create New MAC-based Authentication Device

If you are editing an already existing device, select the device from the device list.

  1. Enter the device name in the Name field, and enter the device’s MAC address in the MAC address
  2. Select OK to apply your changes.

To import MAC devices:

  1. In the MAC device list, select Import.
  2. Select Browse to locate the CSV file on your computer.
  3. Select OK to import the list.

The import will fail if the maximum number of MAC devices has already been reached, or if any of the information contained within the file does not conform, for example if the device name too long, or there is an incorrectly formatted MAC address.

FortiAuthenticator 4.0 Setup

Setup

For information about installing the FortiAuthenticator unit and accessing the CLI or GUI, refer to the Quick Start Guide provided with your unit.

This chapter provides basic setup information for getting started with your FortiAuthenticator device. For more detailed information about specific system options, see System on page 23.

The following topics are included in this section:

  • Initial setup l Adding a FortiAuthenticator unit to your network l Maintenance l CLI commands
  • Troubleshooting

Initial setup

The following section provides information about setting up the Virtual Machine (VM) version of the product.

FortiAuthenticator VM setup

Before using FortiAuthenticator-VM, you need to install the VMware application to host the FortiAuthenticator-VM device. The installation instructions for FortiAuthenticator-VM assume you are familiar with VMware products and terminology.

System requirements

For information on the FortiAuthenticator-VM system requirements, please see the product datasheet available at http://www.fortinet.com/products/fortiauthenticator.

FortiAuthenticator-VM has kernel support for more than 4GB of RAM in VM images. However, this support also depends on the VM player version. For more information, see: http://kb.vmware.com/selfservice/microsites/search.do?language=en_

US&cmd=displayKC&externalId=1014006

The default Hardware Version is 4 to support the widest base of VM players. However you can modify the VM Hardware Version by editing the following line in the FortiAuthenticator-VM.vmx file:

virtualHW.version = “4”

FortiAuthenticator-VM image installation and initial setup

The following procedure describes setup on VMware Fusion.

 

Initial setup

To set up the FortiAuthenticator VM image:

  1. Download the VM image ZIP file to the local computer where VMware is installed.
  2. Extract the files from the zip file into a folder.
  3. In your VMware software, go to File > Open.
  4. Navigate to the expanded VM image folder, select the FortiAuthenticator-VM.vmx file, and select Open. VMware will install and start FortiAuthenticator-VM. This process can take a minute or two to complete.
  5. At the FortiAuthenticator login prompt, enter admin and press Enter.
  6. At the password prompt, press Enter. By default, there is no password.
  7. At the CLI prompt enter the following commands:

set port1-ip 192.168.1.99/24 set default-gw 192.168.1.2

Substitute your own desired FortiAuthenticator IP address and default gateway.

You can now connect to the GUI at the IP address you set for port 1.

Suspending the FortiAuthenticator-VM can have unintended consequences. Fortinet recommends that you do not use the suspend feature of VMware. Instead, shut down the virtual FortiAuthenticator system using the GUI or CLI, and then shut down the virtual machine using the VMware console.

Administrative access

Administrative access is enabled by default on port 1. Using the GUI, you can enable administrative access on other ports if necessary.

To add administrative access to an interface:

  1. Go to System > Network > Interfaces and select the interface you need to add administrative access to. See Interfaces on page 30.
  2. In Admin access, select the types of access to allow.
  3. Select OK.
GUI access

To use the GUI, point your browser to the IP address of port 1 (192.168.1.99 by default). For example, enter the following in the URL box:

https://192.168.1.99

Enter admin as the UserName and leave the Password field blank.

HTTP access is not enabled by default. To enable access, use the set ha-mgmtaccess command in the CLI (see CLI commands on page 19), or enable HTTP access on the interface in the GUI (see Interfaces on page 30).

For security reasons, the host or domain names that the GUI responds to are restricted. The list of trusted hosts is automatically generated from the following:

Adding a FortiAuthenticator unit to your network

l Configured hostname l Configured DNS domain name l Network interface IP addresses that have HTTP or HTTPS enabled l HA management IP addresses

Additional IP addresses and host or domain names that the GUI responded to can be defined in the GUI Access settings. See GUI access on page 34

Telnet

CLI access is available using telnet to the port1 interface IP address (192.168.1.99 by default). Use the telnet -K option so that telnet does not attempt to log on using your user ID. For example:

$ telnet -K 192.168.1.99

At the FortiAuthenticator login prompt, enter admin. When prompted for password press Enter. By default there is no password. When you are finished, use the exit command to end the telnet session.

CLI access using Telnet is not enabled by default. To enable access, use the set ha-mgmt-access command in the CLI (see CLI commands on page 19), or enable Telnet access on the interface in the GUI (see Interfaces on page 30)

SSH

SSH provides secure access to the CLI. Connect to the port1 interface IP address (192.168.1.99 by default). Specify the user name admin or SSH will attempt to log on with your user name. For example:

$ ssh admin@192.168.1.99

At the password prompt press Enter. By default there is no password. When you are finished, use the exit command to end the session.

FortiSwitch Standalone Mode Administration Guide

Introduction

Welcome and thank you for selecting Fortinet products for your network configuration.

This guide contains information about the administration of a FortiSwitch unit in standalone mode. In standalone mode, a FortiSwitch is managed by connected directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate, please see the guide Managing a FortiSwitch unit with a FortiGate.

Supported Models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS. This includes the following models:

FortiSwitch-28C, FortiSwitch-108D-POE, FortiSwitch-124D, FortiSwitch-124D-POE,

FortiSwitch Rugged-124D, FortiSwitch-224D-POE, FortiSwitch-324B-POE,

FortiSwitch-348B, FortiSwitch-448B, FortiSwitch-1024D, FortiSwitch-1048D, and

FortiSwitch-3032D

Before You Begin

Before you start administrating your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model and have administrative access to the FortiSwitch unit’s web-based manager and CLI.

How this Guide is Organized

This guide is organized into the following chapters:

  • System Settings contains information about the initial configuration of your FortiSwitch unit.
  • Ports contains information on configuring your FortiSwitch’s ports.
  • 1x contains information on using 802.1x protocol.
  • LACP Mode contains information on using a FortiSwitch in Link Aggregation Control Protocol (LACP) mode.
  • TACACS contains information on using TACACS authetication with your FortiSwitch unit.
  • Power over Ethernet contains information on using Power over Ethernet (PoE) with your FortiSwitch.

Key Concepts

Key Concepts

This chapter defines basic FortiAnalyzer concepts and terms.

If you are new to FortiAnalyzer, this chapter can help you to quickly understand this document and your FortiAnalyzer platform.

This topic includes:

  • Administrative domains
  • Operation modes
  • Log storage
  • Workflow

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain other

FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific device’s VDOM.

Enabling ADOMs alters the structure of and the available functions in the Web-based Manager and CLI, according to whether or not you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account’s assigned access profile. See “System Information widget” on page 46 for information on enabling and disabling

ADOMs.

For information on working with ADOMs, see “Administrative Domains” on page 27. For information on configuring administrators and administrator settings, see“Admin” on page 73.

Operation modes

The FortiAnalyzer unit has two operation modes:

  • Analyzer: The default mode that supports all FortiAnalyzer features. This mode used for aggregating logs from one or more log collectors. In this mode, the log aggregation configuration function is disabled.
  • Collector: The mode used for saving and uploading logs. For example, instead of writing logs to the database, the collector can retain the logs in their original (binary) format for uploading. In this mode, the report function and some functions under the System Settings tab are disabled.

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the FortiAnalyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

The mode of operation that you choose will depend on your network topology and individual requirements. For information on how to select an operation mode, see “Changing the operation mode” on page 50.

Feature comparison between analyzer and collector mode

The operation mode options have been simplified to two modes, Analyzer and Collector. Standalone mode has been removed.

Table 2: Feature comparison between Analyzer and Collector modes

  Analyzer Mode Collector Mode
Event Management Yes No
Monitoring (drill-down/charts) Yes No
Reporting Yes No
FortiView/Log View Yes Yes
Device Manager Yes Yes
System Settings Yes Yes
Log Forwarding No Yes

Analyzer mode

The analyzer mode is the default mode that supports all FortiAnalyzer features. If your network log volume does not compromise the performance of your FortiAnalyzer unit, you can choose this mode.

Figure 1 illustrates the network topology of the FortiAnalyzer unit in analyzer mode.

Figure 1: Topology of the FortiAnalyzer unit in analyzer mode

 

Analyzer and collector mode

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

In most cases, the volume of logs fluctuates dramatically during a day or week. You can deploy a collector to receive and store logs during the high traffic periods and transfer them to the analyzer during the low traffic periods. As a result, the performance of the analyzer is guaranteed as it will only deal with log insertion and reporting when the log transfer process is over.

As illustrated in Figure 2: company A has two remote branch networks protected by multiple FortiGate units. The networks generate large volumes of logs which fluctuate significantly during a day. It used to have a FortiAnalyzer 4000B in analyzer mode to collect logs from the FortiGate units and generate reports. To further boost the performance of the FortiAnalyzer 4000B, the company deploys a FortiAnalyzer 400C in collector mode in each branch to receive logs from the FortiGate units during the high traffic period and transfer bulk logs to the FortiAnalyzer 4000B during the low traffic period.

Figure 2: Topology of the FortiAnalyzer units in analyzer/collector mode

FortiAnalyzer v5.2.0 Administration Guide

To set up the analyzer/collector configuration:

  1. On the FortiAnalyzer unit, go to System Settings > Dashboard.
  2. In the System Information widget, in the Operation Mode field, select Change.
  3. Select Analyzer in the Change Operation Mode dialog box.
  4. Select OK.
  5. On the first collector unit, go to System Settings > Dashboard.
  6. In the System Information widget, in the Operation Mode field, select Change.
  7. Select Collector the Change Operation Mode dialog box.
  8. Select OK.

For more information on configuring log forwarding, see “Log forwarding” on page 40.

Log storage

The FortiAnalyzer unit supports Structured Query Language (SQL) logging and reporting. The log data is inserted into the SQL database for generating reports. Both local and remote SQL database options are supported.

For more information, see “Reports” on page 165.

Workflow

Once you have successfully deployed the FortiAnalyzer platform in your network, using and maintaining your FortiAnalyzer unit involves the following:

  • Configuration of optional features, and re-configuration of required features if required by changes to your network
  • Backups
  • Updates
  • Monitoring reports, logs, and alerts

What’s New in FortiAnalyzer V5.2

What’s New in FortiAnalyzer v5.2

FortiAnalyzer v5.2 includes the following new features and enhancements.

FortiAnalyzer v5.2.0

FortiAnalyzer v5.2.0 includes the following new features and enhancements.

Event Management

  • Event Handler for local FortiAnalyzer event logs
  • FortiOS v4.0 MR3 logs are now supported.
  • Support subject customization of alert email.

FortiView

  • New FortiView module

Logging

  • Updated compact log v3 format from FortiGate • Explicit proxy traffic logging support
  • Improved FortiAnalyzer insert rate performance
  • Log filter improvements
  • FortiSandbox logging support
  • Syslog server logging support

Reports

  • Improvements to report configuration
  • Improvements to the Admin and System Events Report template
  • Improvements to the VPN Report template
  • Improvements to the Wireless PCI Compliance Report template
  • Improvements to the Security Analysis Report template
  • New Intrusion Prevention System (IPS) Report template
  • New Detailed Application Usage and Risk Report template
  • New FortiMail Analysis Report template
  • New pre-defined Application and Websites report templates
  • Macro library support
  • Option to display or upload reports in HTML format
  • FortiCache reporting support

 

Other

Introduction

Introduction

FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout your network. The FortiAnalyzer family minimizes the effort required to monitor and maintain acceptable use policies, as well as identify attack patterns to help you fine-tune your policies. Organizations of any size will benefit from centralized security event logging, forensic research, reporting, content archiving, data mining and malicious file quarantining.

FortiAnalyzer offers enterprise class features to identify threats, while providing the flexibility to evolve along with your ever-changing network. FortiAnalyzer can generate highly customized reports for your business requirements, while aggregating logs in a hierarchical, tiered logging topology.

You can deploy FortiAnalyzer physical or virtual appliances to collect, correlate, and analyze geographically and chronologically diverse security data. Aggregate alerts and log information from Fortinet appliances and third-party devices in a single location, providing a simplified, consolidated view of your security posture. In addition, FortiAnalyzer platforms provide detailed data capture for forensic purposes to comply with policies regarding privacy and disclosure of information security breaches.

Feature support

The following table lists FortiAnalyzer feature support for log devices.

Table 1: Feature support per platform

Platform Logging FortiView Event Management Reports
FortiGate a a a a
FortiCarrier a a a a
FortiMail a     a
FortiWeb a     a
FortiCache a     a
FortiClient a      
FortiSandbox a      
Syslog a      

FortiAnalyzer documentation

The following FortiAnalyzer product documentation is available:

                                 •    FortiAnalyzer Administration Guide

This document describes how to set up the FortiAnalyzer system and use it with supported Fortinet units.

                                 •   FortiAnalyzer device QuickStart Guides

These documents are included with your FortiAnalyzer system package. Use this document to install and begin working with the FortiAnalyzer system and FortiAnalyzer Web-based Manager.

                                 •   FortiAnalyzer Online Help

You can get online help from the FortiAnalyzer Web-based Manager. FortiAnalyzer online help contains detailed procedures for using the FortiAnalyzer Web-based Manager to configure and manage FortiGate units.

                                 •   FortiAnalyzer CLI Reference

This document describes how to use the FortiAnalyzer Command Line Interface (CLI) and contains references for all FortiAnalyzer CLI commands.

                                 •   FortiAnalyzer Release Notes

This document describes new features and enhancements in the FortiAnalyzer system for the release, and lists resolved and known issues. This document also defines supported platforms and firmware versions.

                                 •   FortiAnalyzer Log Message Reference

This document describes the structure of FortiAnalyzer log messages and provides information about the log messages that are generated by the FortiAnalyzer system.

Troubleshooting

Troubleshooting

This section provides guidelines to help you determine why your FortiMail unit is behaving unexpectedly. It includes general troubleshooting methods and specific troubleshooting tips using both the command line interface (CLI) and the web UI. Each troubleshooting item describes both the problem and the solution.

Some CLI commands provide troubleshooting information not available through the web UI. The web UI is better suited for viewing large amounts of information on screen, reading logs and archives, and viewing status through the dashboard.

For late-breaking troubleshooting information, see the Fortinet Knowledge Base.

For additional information, see “Best practices and fine tuning” on page 697.

This section contains the following topics:

  • Establish a system baseline
  • Define the problem
  • Search for a known solution
  • Create a troubleshooting plan
  • Gather system information
  • Troubleshoot hardware issues
  • Troubleshoot GUI and CLI connection issues
  • Troubleshoot FortiGuard connection issues
  • Troubleshoot MTA issues
  • Troubleshoot antispam issues
  • Troubleshoot HA issues
  • Troubleshoot resource issues
  • Troubleshoot bootup issues
  • Troubleshoot installation issues
  • Contact Fortinet customer support for assistance

Best Practices and Fine Tuning

Best practices and fine tuning

This section is a collection of guidelines to ensure the most secure and reliable operation of FortiMail units.

These same guidelines can be found alongside their related setting throughout this

Administration Guide. To provide a convenient checklist, these guidelines are also listed here.

This section includes:

  • Network topology tuning
  • Network topology tuning
  • System security tuning
  • High availability (HA) tuning
  • SMTP connectivity tuning
  • Antispam tuning
  • Policy tuning
  • System maintenance tips
  • Performance tuning