Tag Archives: how does fortinet work

Diagnose command changes

Diagnose command changes

Most diagnose sys dashboard commands removed (129248)

The diagnose sys dashboard reset command is still available.

 

FortiView network segmentation tree diagnose command (286116)

Enter diagnose sys nst {downstream | query} to display information about the FortiView network segmentation tree, downstream shows connected downstream FortiGates.

query query the network segmentation tree.

 

Changes to diagnose hardware deviceinfo disk command (271816)

Extraneous information has been removed from the diagnose hardware deviceinfo disk command output and some field names have been changed.

Device identification

Device identification

802.1x Mac Authentication Bypass (197218)

Some FortiGate models contain a hardware switch. On the hardware switch interface, 802.1X authentication is available. You might want to bypass 802.1X authentication for devices such as printers that cannot authenticate, identifying them by their MAC address.

In the CLI, enable MAC authentication bypass on the interface:

config system interface edit “lan”

set ip 10.0.0.200 255.255.255.0 set security-mode 802.1X

set security-mac-auth-bypass enable set security-groups “Radius-group”

end

The devices that bypass authentication have entries in the RADIUS database with their MAC address in the User- Name and User-Password attributes instead of user credentials.

Vulnerability Scan status change(293156)

The FortiGate will no longer function as a vulnerability scanner, even in CLI mode. Vulnerability scans / assessments will handled by the FortiClient software.

FortiFone devices are now identified by FortiOS (289921)

FortiFone devices are now identified by FortiOS as Fortinet FON.

Support for MAC Authentication Bypass (MAB) (197218)

MAC Authentication Bypass allows devices without 802.1X capability (printers and IP phones for example) to bypass authentication and be allowed network access based on their MAC address. This feature requires RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC addresses.

MAC Authentication Bypass is configurable only in the CLI and only on interfaces configured for 802.1X authentication. For example:

config system interface edit “lan”

set ip 10.0.0.200 255.255.255.0 set vlanforward enable

set security-mode 802.1X

set security-mac-auth-bypass enable set security-groups “Radius-group”

end end

MAC Authentication Bypass is also available on WiFi SSIDs, regardless of authentication type. It is configurable only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be used. For example:

config wireless-controller vap edit “office-ssid”

set security wpa2-only-enterprise set auth usergroup

set usergroup “staff”

set radius-mac-auth enable

set radius-mac-auth-server “ourRadius” end

end

 

Active device identification (279278)

Hosts whose device type cannot be determined passively are actively scanned using the same techniques as the vulnerability scan. This active scanning is enabled by default on models that support vulnerability scanning. You can turn off Active Scanning on any interface. In the GUI, go to the interface’s page in Network > Interfaces.

 

CLI Syntax:

config system interface edit port1

set device-identification enable

set device-identification-active-scan disable end

 

 

Device Page Improvements (Detected and custom devices) (280271)

Devices are now in two lists on the User & Device menu. Detected devices are listed in the Device List where you can list them alphabetically, by type, or by interface. On the Custom Devices and Groups page you can

  • create custom device groups
  • predefine a device, assigning its device type and adding it to custom device groups

 

Device offline timeout is adjustable (269104)

A device is considered offline if it has not sent any packets during the timeout period. Prior to FortiOS 5.4, the timeout value was fixed at 90 seconds. Now the timeout can be set to any value from 30 to 31 536 000 seconds (365 days). The default value is 300 seconds (5 minutes). The timer is in the CLI:

config system global

set device-idle-timeout 300 end

 

Improved detection of FortiOS-VM devices (272929)

A FortiGate-VM device is an instance of FortiOS running on a virtual machine (VM). The host computer does not have the Fortinet MAC addresses usually used to detect FortiGate units. Device detection now has two additional ways to detect FortiGate-VMs:

  • the FortiGate vendor ID in FortiOS IKE messages
  • the FortiGate device ID in FortiGuard web filter and spamfilter requests

 

Custom avatars for custom devices (299795)

You can upload an avatar for a custom device. The avatar is then displayed in the GUI wherever the device is listed, such as FortiView, log viewer, or policy configuration. To upload an avatar image,click Upload Image on the New Device or Edit Device page of User & Device > Custom Devices & Groups. The image can be in any format your browser supports and will be automatically sized to 36 x 36 pixels for use in the FortiGate GUI.

 

PCI DSS compliance

PCI DSS compliance

Vulnerability Scanning has been removed (293156)

Vulnerability scanning can now be done from FortiClient.

PCI DSS Compliance Check Support (270014)

FortiOS 5.4 allows you to run a compliance check either on demand or according to a schedule that automatically checks PCI DSS compliance at the global or VDOM level. The compliance check determines whether the FortiGate is compliant with each PCI DSS requirement by displaying an ‘X’ next to the non-compliant entries in the GUI logs.

Go to System > Advanced > Compliance, turn on compliance checking and configure a daily time to run the compliance check. Or you can select Run Now to run the compliance check on demand.

compliance

Go to Log & Report > Compliance Events to view compliance checking log messages that show the results of running compliance checks.

Review Complaince Results

FortiGate Connector for Cisco ACI

Overview

FortiGate Connector for Cisco ACI (Application Centric Infrastructure) is the Fortinet solution to provide seamless integration between Fortinet Firewall (Fortigate) deployment with Cisco APIC (Application Policy Infrastructure Controller). This integration allows customers to perform single point of Fortigate configuration and Management operation through Cisco APIC.

While the FortiGate series of firewalls enable superb firewall services, in a data center environment, the insertion, configuration, and management of network services such as firewall can be quite complex and potentially errorprone tasks. One solution for such data center problems is Cisco’s ACI. Cisco’s ACI is a policy-based framework with integration of software and hardware in the underlying leaf-spine fabric. In Cisco ACI, the APIC is a tool used to automate service insertion and provisioning into the fabric of the network environment. Network service appliances, both physical and virtual, can be attached to ACI fabric’s leaf node through APIC. Traffic demanding certain network services is steered by APIC-managed policies to the appropriate resources. The FortiGate Connector allows FortiGates to be included amongst the list of resources that traffic can be directed to.

Licensing

FortiGate Connector for Cisco ACI is free of charge for Fortinet customers. You need to make sure that you register your FortiGate with FortiCare on support.fortinet.com.

Terms and concepts

FortiGate VDOMs

VDOM or Virtual Domain refers to a discretely administered segment on a FortiGate firewall. A FortiGate firewall that is not segmented and where a single administrator can access all of the firewall is operating in the “root” VDOM. However, it is possible to segment the FortiGate so that different administrators can access different areas of the FortiGate. Credentials for VDOM X will allow access to the resources and settings of VDOM A but no other. There will also be global resources and settings that will require credentials to the root VDOM. When setting up connectivity between Cisco APIC and the FortiGates it will be important to know which VDOMs control the needed resources.

FortiOS RESTful API

REST (sometimes spelled ReST) stands for Representational State Transfer. It is a software architectural style for the WWW. REST systems typically communication over HTTP, using HTTP verbs or commands to retrieve and send information to remote servers.

A good resource for the finer details of Fortinet’s implementation of ReST can be found at http://docs.fortinet.com/uploaded/files/1276/FortiAuthenticator_REST_API_Solution_Guide.pdf

North/South and East/West Traffic

The cardinal compass direction terms to describe traffic flow are used to differentiate between traffic within the cloud or data center and traffic going in and out of the cloud or data center.

  • North/South – traffic either heading into or out of a cloud or data center.
  • East/West – traffic that is between nodes inside the same cloud or data center.