Tag Archives: Fortinet

Edit in CLI

In several locations in the FortiOS GUI you can select the Edit in CLI option to edit an item in the CLI. Editing an item in the CLI is available from the following locations, among others:

  • Firewall policy
  • Firewall address
  • Firewall service
  • Firewall schedule
  • Traffic shaper
  • Shaping policy
  • Policy route
  • Static route
  • Managed FortiAP

For example, if you are looking at a Firewall policy in the GUI and select Edit in CLI, the CLI console opens inside the CLI configuration of the same policy. Some configuration options are only available from the CLI, and this control lets you edit specific items without having to find the item in the CLI yourself.


Full screen mode

You can use the Full Screen Mode button (between the online help button and the admin menu) to toggle full screen mode. In full screen mode the GUI menu and header are hidden and the full browser window is taken up by the current GUI page. You can select Exit Full Screen Mode at any time to return to the normal GUI arrangement.

Changing the GUI theme

You can go to System > Settings > View Settings and select a Theme. You can also use the following CLI command to change the GUI theme. The following command shows how to change the GUI to use the red theme:

config system global
    set gui-theme red
end

FortiOS 6_4 Red Theme

New options for editing policies from the policy list

All of the security policy lists (Policy & Objects > IPv4 and so on) have new options for controlling the columns displayed for policies, for editing policies, and for accessing FortiView data or log messages generated by individual policies. You can access these options by clicking or right-clicking on the policy list header or on individual policies.

For example, as shown below, if you click on the Security Profiles settings for a policy, a list of categories and profiles appears on the left of the GUI. The list highlights the security profile options already added to the policy. You can select a profile option to add it to the policy, or deselect an option to remove it. Similar lists are available to select addresses, services, user groups, devices, and so on.

FortiOS 5_4_0 New GUI Policies

GUI Refresh

The FortiGate GUI now uses a new flat GUI design and framework that incorporates a simplified and modern look and feel. In addition to the new look, options have been moved around on the GUI menus:

  • New Dashboard and FortiView top level menus.
  • New top level Network menu includes networking features such as interfaces, DNS, explicit proxy, packet capture, WAN links (WAN load balancing), static routing, policy routing, dynamic routing (RIP, OSPF, BGP) and multicast routing.
  • New top level Monitor menu collects monitoring functions previously distributed throughout the GUI. Some former monitoring features, such as security profile-related monitoring, are now available in FortiView.
  • The GUI menu now has two levels only. For example the menu path for accessing IPv4 firewall policies is Policy & Objects > IPv4.
  • The new administrator’s menu (upper right) provides quick access to change the administrator’s password, back up the FortiGate configuration, access the CLI console and log out.
  • Most individual GUI pages have also been enhanced with new view options and more information.
  • Some functionality has moved around in the GUI. For example, Proxy Options and SSL/SSH Inspection moved from Policy & Objects to Security Profiles.

FortiOS 5_4_0 New GUI

Proxy mode and flow mode antivirus and web filter profile options

The following tables list the antivirus and web filter profile options available in proxy and flow modes.

Antivirus features in proxy and flow mode

Feature                                                      Proxy  Flow
Scan Mode (Quick or Full)                                    no     yes
Detect viruses (Block or Monitor)                            yes    yes
Inspected protocols                                          yes    no (all relevant protocols are inspected)
Inspection Options                                           yes    yes (not available for quick scan mode)
Treat Windows Executables in Email Attachments as Viruses    yes    yes
Include Mobile Malware Protection                            yes    yes

Web Filter features in proxy and flow mode

Feature                                                      Proxy  Flow
FortiGuard category based filter                             yes    yes (show, allow, monitor, block)
Category Usage Quota                                         yes    no
Allow users to override blocked categories (on some models)  yes    no
Search Engines                                               yes    no
  Enforce ‘Safe Search’ on Google, Yahoo!, Bing, Yandex      yes    no
  YouTube Education Filter                                   yes    no
  Log all search keywords                                    yes    no
Static URL Filter                                            yes    yes
  Block invalid URLs                                         yes    no
  URL Filter                                                 yes    yes
  Block malicious URLs discovered by FortiSandbox            yes    yes
  Web Content Filter                                         yes    yes
Rating Options                                               yes    yes
  Allow websites when a rating error occurs                  yes    yes
  Rate URLs by domain and IP Address                         yes    yes
  Block HTTP redirects by rating                             yes    no
  Rate images by URL                                         yes    no
Proxy Options                                                yes    no
  Restrict Google account usage to specific domains          yes    no
  Provide details for blocked HTTP 4xx and 5xx errors        yes    no
  HTTP POST Action                                           yes    no
  Remove Java Applets, Remove ActiveX                        yes    no
  Remove Cookies                                             yes    no
  Filter Per-User Black/White List                           yes    no

I really despise Sonic Wall

Sometimes, after a long day of work, the need to vent is so powerful that you can’t overcome it. Well, today is one of those days so I figured I would bless you guys with a little bit of information. If you use a Dell Sonic Wall… I pity you for you know not what you do… These devices are horrible. Absolutely horrible. Go buy a FortiGate, or hell, a Palo Alto even just to stay away from these things. I seriously almost shot one today with a Springfield Armory XDS 45 ACP. It would have caused an incredibly warm feeling, like that of morphine flowing through your veins, to be experienced by myself. Speaking of which, I will be filming myself shooting AND blowing up some competitor hardware as I remove them from the client’s offices. I thought you guys might get a kick out of that and let’s face it, as soon as I figure out the logistics with doing it legally, I, too, will enjoy it. Keep your eyes open for some Fortinet GURU how to videos. Going to start with videos based on the Cook Book, but with better explanations than what Fortinet provided and then I will move on to tasks and encounters I have seen in the field.

Remember kids, friends don’t let friends buy SonicWall.

Logging – FortiBalancer

Chapter 18 Logging

18.1 Overview

The logging mechanism used by the FortiBalancer appliance is Syslog compliant. System errors and HTTP access information generated while proxying applications are logged through the logging subsystem. Syslog is a standard program on Unix, and there are also Syslog implementations for Windows. On the Unix platform, syslog is started by the syslogd daemon. The syslogd daemon is responsible for receiving and storing log messages from the local machine or from remote machines, and listens on UDP port 514. The FortiBalancer appliance supports three remote log servers.

18.2 Understanding Logging

18.2.1 Syslog

Syslog is a protocol used for the transmission of event notification messages across networks.

Syslog logging has eight valid levels of log message severity: emerg, alert, crit, err, warning, notice, info and debug. The supported facilities are LOCAL0 to LOCAL7. Users can view the internal log buffer, select the transport protocol, configure the syslog source and destination ports, and configure alerts that fire when a log message matches a string.

18.2.2 RFC 5424 Syslog

RFC 5424 defines the standard format of syslog messages. The FortiBalancer appliance supports the RFC 5424 syslog function. When the RFC 5424 syslog function is enabled, the system generates system logs in the standard format defined by RFC 5424:

<PRI>VER TIMESTAMP HOSTNAME APPNAME PROCID MSGID STRUCTURED-DATA MSG-CONTENT

(The PROCID and STRUCTURED-DATA fields are not supported at present and are displayed as “-”.) By default, the RFC 5424 syslog function is disabled. The configuration “log rfc5424 on” takes effect only when the system logging function has been enabled with the “log on” command.

18.2.3 HTTP Access Logging

HTTP Access Logging is the logging of information about every HTTP request and its response in a specific predefined format.

HTTP Access Logging supports four standard formats: Combined, WELF (WebTrends Enhanced Log), Common and Squid. Users can also define their own logging format with the “log http custom” command.

Note: The FortiBalancer appliance will record an HTTP access log only after the HTTP communication between the client and the Web server is completed successfully.

18.2.4 Log Filtering

Log filtering is designed to filter logs to different log servers by matching filter strings which are configured in the command “log filter”.

Log filtering in the OS allows administrators to collect only the logs they are interested in instead of having to capture all the logs. For example, the administrator of “www.site1.com” may want to collect only the HTTP access logs for “www.site1.com”. Knowing that those logs contain the keyword “site1.com”, the administrator can create a filter for a log destination that captures only the logs matching that keyword. The administrator then has a log file containing only the desired logs.

If multiple log filters are set on a syslog host, a log matching any one of the filter strings is sent to that syslog host.

18.3 Logging Configuration

18.3.1 Configuration Guidelines

Table 18-1 General Settings of Logging

Operation                        Command
Enable the logging               log {on|off}
Enable RFC 5424 Syslog           log rfc5424 {on|off}
Configure the remote host        log host <host_ip> [port] [udp|tcp] [host_id]
Set log filters                  log filter <host_id> <filter_id> <filter_string>
Set log level                    log level <level>
Change log facility              log facility <facility>
Set HTTP access logging format   log http {squid|common|combined|welf} [vip|novip] [host|nohost]
                                 log http custom <format>

18.3.2 Configuration Example via CLI

  • Step 1 Enable the logging function

The logging system is off by default.

FortiBalancer(config)#log on

  • Step 2 Enable the RFC 5424 Syslog function

FortiBalancer(config)#log rfc5424 on

  • Step 3 Set the remote host to which log messages will be sent

The remote host IP address must be specified in dotted decimal format. The remote port is optional and defaults to 514. The transport protocol for the syslog messages can be either UDP or TCP; the default is UDP. In this example, the host 10.2.37.1 is listening for log messages on UDP port 514 and is assigned host ID 1.

FortiBalancer(config)#log host 10.2.37.1 514 udp 1

  • Step 4 Set log filters for the configured host

No more than 3 log filters can be set on one syslog host. A log filter cannot be set on the syslog host whose ID is 0 (the host configured by the “log host” command without a host ID). After this command is executed, only the logs matching this filter string go to the syslog host.

FortiBalancer(config)#log filter 1 1 “index”

  • Step 5 Change the minimum log level at which messages will be logged

Once a log level is set, messages with a severity below the configured level (that is, less severe) are ignored. The default level is info.

FortiBalancer(config)#log level err

  • Step 6 Change the syslog facility

The default facility is LOCAL0.

FortiBalancer(config)#log facility LOCAL0

  • Step 7 Configure the HTTP access logging format

HTTP access information can be logged in one of the standard formats (Squid, WELF, Common or Combined), or in a custom format specified by the user.

FortiBalancer(config)#log http squid

  • Step 8 Generate a test log

You can run the command “log test” to generate an emerg-level log.

FortiBalancer(config)#log test

  • Step 9 View and clear logs

You can run the command “show log buff {forward|backward} [match_str]” to view logs in the log buffer. “backward” displays the most recently generated logs first; “forward” displays the earliest generated logs first. The optional match_str limits the output to logs containing that string.

FortiBalancer(config)#show log buffer backward
start of buffer
<128>1 2012-07-17T06:35:26Z FortiBalancer - - 100021002 - Fortinet test message

You can run the command “clear log buff” to clear logs from the log buffer.

FortiBalancer(config)#clear log buffer
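To make the RFC 5424 layout from section 18.2.2 and the “log level” / “log filter” behaviour from steps 4 and 5 concrete, here is an added example (written for this page, not FortiBalancer code) that parses the “log test” line shown above, decodes PRI into facility and severity, and applies a level threshold and filter strings to constructed sample lines.

```python
import re

# Syslog severities (0-7) and the LOCAL0-LOCAL7 facilities (codes 16-23) the page names.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {16 + i: f"LOCAL{i}" for i in range(8)}

# RFC 5424 header as the page describes it:
# <PRI>VER TIMESTAMP HOSTNAME APPNAME PROCID MSGID STRUCTURED-DATA MSG-CONTENT
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)

def parse_rfc5424(line):
    """Parse one RFC 5424 line into a dict; NILVALUE '-' fields become None.
    PRI = facility * 8 + severity, so <128> is LOCAL0 (16) + emerg (0)."""
    m = _RFC5424.match(line)
    if not m or m.group("ver") != "1":
        raise ValueError(f"not an RFC 5424 version-1 message: {line!r}")
    pri = int(m.group("pri"))
    nil = lambda v: None if v == "-" else v
    return {
        "facility": FACILITIES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "appname": nil(m.group("app")),
        "procid": nil(m.group("procid")),
        "msgid": nil(m.group("msgid")),
        "structured_data": nil(m.group("sd")),
        "msg": m.group("msg"),
        "raw": line,
    }

def accept(rec, min_level="info", filters=()):
    """Mirror the appliance's two selection knobs as the page describes them:
    'log level' drops anything less severe than min_level (lower index = more severe),
    and 'log filter' strings, when present, forward a log if any one of them matches."""
    if SEVERITIES.index(rec["severity"]) > SEVERITIES.index(min_level):
        return False
    return not filters or any(f in rec["raw"] for f in filters)

# Constructed sample lines: the page's 'log test' output and a made-up info-level message.
SAMPLE = [
    "<128>1 2012-07-17T06:35:26Z FortiBalancer - - 100021002 - Fortinet test message",
    "<134>1 2012-07-17T06:36:00Z FortiBalancer - - 100021003 - GET /index.html 200",
]
```

Running the two sample lines through accept() with level err keeps only the emerg test message, and with the filter string “index” from step 4 keeps only the access log, which is the behaviour described for those commands.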