Tag Archives: fortios 5.4

Virtual Wire Pair

Virtual Wire Pair

This feature (276013), available in NAT and Transparent mode, replaces the Port Pair feature available in FortiOS 5.2 in Transparent mode only. When when two physical interfaces are setup as a Virtual Wire Pair, they will have no IP addressing and are treated similar to a transparent mode VDOM. All packets accepted by one of the interfaces in a virtual wire pair can only exit the FortiGate through the other interface in the virtual wire pair and only if allowed by a virtual wire pair firewall policy. Packets arriving on other interfaces cannot be routed to the interfaces in a virtual wire pair. A FortiGate can have multiple virtual wire pairs.

You cannot add VLANs to virtual wire pairs. However, you can enable wildcard VLANs for a virtual wire pair. This means that all VLAN-tagged traffic can pass through the virtual wire pair if allowed by virtual wire pair firewall policies.

Adding a virtual wire pair

To add a virtual wire pair, go to Network > Interfaces and select Create New > Virtual Wire Pair. Select the interfaces to add to the virtual wire pair to, optionally enable Wildcard VLAN and select OK.

adding a virtual wire pair

 

The virtual wire pair appears on the Interface list.

Use the following command to add a virtual wire pair from the CLI that enables the wildcard VLAN feature:

config system virtual-wire-pair edit test-VWP

set member port3 port4 set wildcard-vlan enable

end

Assigning an interface to be part of a virtual wire pairing will remove the “role” value from the interface.

Fortinet Single Sign On – FortiAuthenticator 4.0

Fortinet Single Sign-On

FSSO is a set of methods to transparently authenticate users to FortiGate and FortiCache devices. This means that the FortiAuthenticator unit is trusting the implicit authentication of a different system, and using that to identify the user. FortiAuthenticator takes this framework and enhances it with several authentication methods:

  • Users can authenticate through a web portal and a set of embeddable widgets. l Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO Mobility Agent.
  • Users authenticating against Active Directory can be automatically authenticated. l RADIUS Accounting packets can be used to trigger an FSSO authentication. l Users can be identified through the FortiAuthenticator API. This is useful for integration with third party systems.

The FortiAuthenticator unit must be configured to collect the relevant user logon data. After this basic configuration is complete, the various methods of collecting the log in information can be set up as needed.

Domain controller polling

When the FortiAuthenticator runs for the first time, it will poll the domain controller (DC) logs backwards until either the end of the log file or the logon timeout setting, whichever is reached first.

When the FortiAuthenticator is rebooted, the memory cache is written to the disk, then re-read at startup, allowing the previous state to be retained. Windows DC polling restarts on boot, then searches backwards in the DC log files until it reaches either the log that matches the last known serial number found in the login cache file, the log that is older than the last recorded read time, or the end of the log file, whichever is reached first.

The currently logged in FSSO users list is cached in memory and periodically written to disk. In an active-passive HA cluster, this file is synchronized to the slave device.

Windows management instrumentation polling

The FortiAuthenticator supports Windows Management Instrumentation (WMI) polling to detect workstation log off. This validates the currently logged on user for an IP address that has been discovered by the DC polling detection method.

Remote WMI access requires that the related ports are opened in the Windows firewall, and access to a domain account that belongs to the Domain Admin group.

To open ports in the Windows firewall in Windows 7, run gpedit.msc, go to Computerconfiguration >

Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile, go to Allow remote admin exception, then enable remote admin exception and, if necessary, configure an IP subnet/range.

 

General settings

General settings

The FortiAuthenticator unit listens for requests from authentication clients and can poll Windows Active Directory servers.

To configure FortiAuthenticator FSSO polling:

  1. Go to Fortinet SSO Methods > SSO > General to open the Edit SSO Configuration The Edit SSO Configuration window contains sections for FortiGate, FSSO, and user group membership.
  2. In the FortiGate section, configure the following settings:
Listening port Leave at 8000 unless your network requires you to change this. Ensure this port is allowed through the firewall.
Enable authentication Select to enable authentication, then enter a secret key, or password, in the Secret key field.
Login Expiry The length of time, in minutes, that users can remain logged in before the system logs them off automatically. The default is 480 minutes (8 hours).
Extend              user             session beyond logoff by The length of time, in seconds, that a user session is extended after the user logs off, from 0 (default) to 3600 seconds.
Enable NTLM

authentication

Select to enable NTLM authentication, then enter the NETBIOS or DNS name of the domain that the login user belongs to in the Userdomain field.
  1. In the Fortinet Single Sign-On (FSSO) section, configure the following settings:
Maximum concurrent user sessions Enter the maximum number of concurrent FSSO login sessions a user is allowed to have. Use 0 for unlimited.

Select Configure Per User/Group to configure the maximum number of concurrent sessions for each user or group. See Fine-grained controls on page 112.

Log Level Select one of Debug, Info, Warning, or Error as the minimum severity level of events to log from the drop- down list.

Select Download all logs to download all FSSO logs to your management computer.

General settings

Enable       Windows         Active

Directory domain controller polling

Select             to             enable             Windows             AD             polling.

Select to enable polling additional logon events, including from devices using Kerberos authentication or from Mac OS X systems, and from event IDs 672, 680, 4776, and 4768.

Enable polling additional logon events When additional active directory logon event IDs is enabled, event IDs 528, 540, and 4624 are also polled. These event are generated when a user attempts to access a domain service or resource. When a user logs off from the          workstation,         such      an          event     will         be               generated.

Enter the additional logon event timeout time in the Additional logon event timeout field, from 1 to 480 minutes, with 5 minutes being the default time.

Note: After a user logs off, their SSO session will stay active for the above configured period of time. During this time, if another user changes to the previous user’s IP address, they may be able to bypass the necessary authentication. For this reason, it is strongly recommended that the timeout time be kept short.

                     Enable         DNS

lookup to get IP

from workstation name

Select to use DNS lookup to get IP address information when an event contains only the workstation name.

This option is enabled by default.

Directly use domain DNS

suffix in lookup

Select to use the domain DNS suffix when doing a DNS lookup.

This option is disabled by default.

Enable  reverse DNS               lookup  to get         workstation name from IP Select to enable reverse DNS lookup. Reverse DNS lookup is used when an event contains only an IP address and no workstation name.

This option is enabled by default.

Do one more DNS lookup to get full list of IPs after reverse lookup of workstation name Reverse DNS lookup is used when an event contains only an IP address and no workstation name. Once the workstation name is determined, it is used in the DNS lookup again to get more complete IP address

information. This is useful in environments where workstations have multiple network interfaces.

This option is disabled by default.

Include     account name         ending

with $ (usually computer account)

Accounts that end in “$” used to exclusively denote computer accounts with

no actual user, but in some cases, valid accounts imported from dated systems can        feature  them.

This option is disabled by default.

Enable Radius Accounting SSO clients Select to enable the detection of users sign-ons and sign- offs from incoming RADIUS accounting (Start, Stop, and Interim-Update) records.
Use RADIUS realm as

Windows       Active

Directory domain

Select to use the RADIUS realm as the Windows AD domain.
Enable Syslog SSO Select to enable Syslog SSO.

General settings

Enable        FortiClient     SSO

Mobility Agent Service

Select to enable single sign-on (SSO) by clients running FortiClient Endpoint Security. For more information, see FortiClient SSO Mobility Agent on page 123.
FortiClient listening port Enter the FortiClient listening port number.
Enable authentication Select to enable authentication, then enter a secret key, or password, in the Secret key field.
Keep-alive interval Enter the duration between keep-alive transmissions, from 1 to 60 minutes. Default is 5 minutes.
Idle timeout Enter an amount of time after which to logoff a user if their status is not updated. The value cannot be lower than the Keep-alive interval value.
Enable NTLM Select to enable the NT LAN Manager (NTLM) to allow logon of users who are connected to a domain that does not have the FSSO DC Agent installed. Disable NTLM authentication only if your network does not support NTLM authentication for security or other reasons. Enter an amount of time after which NTLM authentication expires in the NTLM authentication expiry field, from 1 to 10080 minutes (7 days).
Enable hierarchical FSSO tiering Select to enable hierarchical FSSO tiering. Enter the collector listening port in the Collectorlistening port field.
Enable DC/TS Agent Clients Select to enable clients using DC or TS Agent. Enter the UDP port in the

DC/TS      Agent     listening     port     field.       Default       is          8002.

Select Enable authentication to enable authentication, then enter a secret key, or password, in the Secret key field.

Restrict             auto- discovered domain             controllers          to configured domain

controllers

Select to enable restricting automatically discovered domain controllers to already configured domain controllers only. See Domain controllers on page 114.
Enable       Windows         Active

Directory workstation IP

verification

Select to enable workstation IP verification with Windows Active Directory. If enabled, select Enable IP change detection via DNS lookup to detect IP changes via DNS lookup.
  1. In the UserGroup Membership section, configure the following settings:

General settings

Group cache mode Select the group cache mode:

Passive: Items have an expiry time after which the are removed and re-queried on the next logon.

Active: Items are periodically updated for all currently logged on users.

Group cache item

lifetime

Enter the amount of time after which items will expire (default = 480 minutes). This is only available when the group cache mode is set to Passive.
Do not use cached groups… Select to prevent using cached groups and to always load groups from server for the following SSO sources: l Windows Active Directory domain controller polling l RADIUS Accounting SSO l Syslog SSO

FortiClient SSO Mobility Agent l DC Agent l TS Agent

User login portal l SSO web service

Base distinguished names to search… Enter the base distinguished names to search for nesting of users or groups into cross domain and domain local groups.
  1. Select OK to apply the settings.

VOIP application control sessions are no longer blocked after an HA failover

If you were one of those people, like me, that would have application control sessions blocked after a failover on HA then 5.4 may be beneficial for you! See below!

VOIP application control sessions are no longer blocked after an HA failover (273544)

After an HA failover, VoIP sessions that are being scanned by application control will now continue with only a minor interruption, if any. To support this feature, IPS UDP expectation tables are now synchronized between cluster units

FGCP Supports BFD Enabled BGP Graceful Restart After an HA Failover

FGCP supports BFD enabled BGP graceful restart after an HA failover

If an HA cluster is part of a Border Gateway Protocol (BGP) bidirectional forwarding detection (BFD) configuration where both the cluster and the BGP static neighbor are configured for graceful restart, after an HA failover BGP enters graceful restart mode and both the cluster and the BGP neighbor keep their BGP routes.

To support HA and BFD enabled BGP graceful:

  • From the cluster, configure the BFD enabled BGP neighbor as a static BFD neighbor using the config router bfd command.Set the BGP auto-start timer to 5 seconds so that after an HA failover BGP on the new primary unit waits for 5 seconds before connect to its BFD neighbors, and then registers BFD requests after establishing the connections. With static BFD neighbors, BFD requests and sessions can be created as soon as possible after the failover.The command get router info bfd requests shows the BFD peer requests.
  • The BFD session created for a static BFD neighbor/peer request initializes its state as INIT instead of DOWN and its detection time as bfd-required-min-rx * bfd-detect-mult msecs.
  • When a BFD control packet with a nonzero Your Discriminator (your_discr) value is received, if no session can be found to match the your_discr, instead of discarding the packet, other fields in the packet, such as addressing information, are used to choose one session that was just initialized, with zero as its remote discriminator.
  • When a BFD session in the UP state receives a control packet with zero as Your Discriminator and DOWN as State, the session changes its state to DOWN but will not notify this DOWN event to BGP and/or other registered clients.
Fortigate HA

High Availability FortiOS 5.4 Before You Begin

So, a lot of people are starting to deploy HA clusters of Fortinet hardware which is awesome. There are however some things you will want to consider before doing so. Here is a drill down from the Fortinet HA for FortiOS 5.4 Administration document.

Before you begin

Before you begin using this guide, take a moment to note the following:

  • If you enable virtual domains (VDOMs), HA is configured globally for the entire FortiGate unit and the configuration is called virtual clustering.
  • This HA guide is based on the assumption that you are a FortiGate administrator. It is not intended for others who may also use the FortiGate unit, such as FortiClient administrators or end users.
  • The configuration examples show steps for both the web-based manager (GUI) and the CLI. At this stage, the following installation and configuration conditions are assumed:
  • You have two or more FortiGate units of the same model available for configuring and connecting to form an HA cluster. You have a copy of the QuickStart Guide for the FortiGate units.
  • You have administrative access to the web-based manager and CLI.

Many of the configuration examples in this document begin FortiGates unit configured with the factory default configuration. This is optional, but may make the examples easier to follow. As well, you do not need to have installed the FortiGate units on your network before using the examples in this document.

Before you set up a cluster

Before you set up a cluster ask yourself the following questions about the FortiGate units that you are planning to use to create a cluster. Do all the FortiGate units have the same hardware configuration? Including the same hard disk configuration and the same optional components installed in the same slots?

1. Do all FortiGate units have the same firmware build?

2. Are all FortiGate units set to the same operating mode (NAT or Transparent)?

3. Are all the FortiGate units operating in the same VDOM mode?

4. If the FortiGate units are operating in multiple VDOM mode do they all have the same VDOM configuration?

Zones Will Save Your Sanity

FortiGates are interface driven firewalls. Policy is relatively straight forward. Port 1 to Wan 1 Allow HTTP NAT you get my drift. In more complex environments though where you can easily have 5-10 interfaces (even more if you  bring in VLAN’s) you will most certainly want to use Zones.

What is a zone? A zone is a created “Interface” that you assign other interfaces to. For instance, my common deployment has 2 main zones, INSIDE and OUTSIDE. This keeps policy extremely simple.

The train of thought with this ZONE setup is traffic is either coming in or out. From there you just create the policy and work accordingly. This makes deployments for my clients super easy.

The setup at my house is utilized this way as well (I have a FortiGate 92D at home). My setup is slightly more advanced though thanks to having dual internet connections, SSL VPN, and other capabilities kicked on. But as you can see in the policy set below I have an INSIDE zone. That zone has my work network, my personal home network, and my DMZ wireless network (for when I am cleaning peoples deranged and abused machines). I have each one assigned to the INSIDE zone so that I can apply the same policy for traffic that is traveling from inside sources to the internet. This greatly reduces policy count and helps keep things uniform.

Disclaimer: Make sure to click the “Block Intra-Zone Traffic” check box when creating a zone that includes a set of networks that you don’t want to communicate without policy. For instance, my INSIDE zone has my work network which I need to make sure only my work laptop can see, My personal network which sees everything on the personal net, and a DMZ network that I absolutely don’t want ANY of my other networks to receive traffic from or send traffic to. So I check the “block intra-zone traffic” box when I create my zone (can be edited after the zone is created as well) and then manually allow it via policy (work network is able to access printer on personal net etc). Remember, the more granular you are the better your security will be. Also, the only traffiic that should be able to flow is the traffic you explicitly allow.

Zone Setup FortiGate FortiOS 5.4

Zone Setup FortiGate FortiOS 5.4