Fortigate Cookbook 502

Date post: 30-Jan-2016
Page 1: Fortigate Cookbook 502

The FortiGate Cookbook: Essential Recipes for Success with your FortiGate

15 May 2013

Copyright© 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Visit these links for more information and documentation for your Fortinet products:

Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com

You can report errors or omissions in this or any Fortinet technical document to [email protected].


Contents

Introduction 5

Installing and Setup 7

Setting up a limited access administrator account 9

Setting up and troubleshooting FortiGuard services 13

Logging FortiGate system events to gather network traffic information 17

Using SNMP to monitor the FortiGate unit 21

Using FortiCloud to view log data and reports 27

Using two ISPs for redundant Internet connections with distributed sessions 31

Protect a web server on the DMZ network 35

Adding a second FortiGate unit to improve reliability 39

Setting up an explicit proxy for users on a private network 45

Using port pairing to simplify transparent mode 49

Adding packet capture to help troubleshooting 55

Wireless Networking 58

Providing remote users access to the internet and corporate network using FortiAP 59

Setting up a FortiGate and FortiAP to provide wired and wireless Internet access 65

Setting up guest wifi users with a captive portal 71

Security Policies and Firewall Objects 78

Controlling when BYOD users can access the Internet 79

Using AirPrint with iOS and OS X and a FortiGate unit 83

Using AirPlay with iOS, AppleTV, FortiAP and a FortiGate unit 93

Using port forwarding on a FortiGate unit 101

UTM Profiles 106

Visualizing and controlling the applications on your network using application control 107

Configuring web filter overrides and local ratings 113

Protecting a web server from vulnerabilities and DoS attacks using IPS 119


Blocking email/web traffic or files containing sensitive information 125

Monitoring your network for undesirable behavior using client reputation 131

Inspecting content on the network using flow-based UTM instead of proxy-based UTM 135

Blocking large files from entering the network 141

Blocking access to specific web sites 145

Blocking HTTPS traffic with web filtering 149

SSL and IPsec VPN 153

Protecting traffic between company headquarters and branch offices using IPsec VPN 155

Providing remote users with access to a corporate network and Internet using SSL VPN 161

Securing remote access to the office network using FortiClient IPsec VPN 169

Securing remote access to the office network for an iOS device over IPsec VPN 175

Redundant OSPF routing between two remote networks over IPsec VPN 183

Authentication 198

Providing single sign-on on a Windows AD network by adding a FortiGate 199


Introduction

This FortiGate Cookbook provides administrators who are new to FortiGate appliances with examples of how to implement many basic and advanced FortiGate configurations. FortiGate products offer administrators a wealth of features and functions for securing their networks, but covering the entire scope of configuration possibilities would far exceed this book. Fortunately, much more information is available in the FortiOS Handbook. The latest version is available from the Fortinet Technical Documentation website at http://docs.fortinet.com.

This cookbook contains a series of “recipes” that describe how to solve a problem. Each recipe begins with a description of the configuration requirements, followed by a step-by-step solution, and concludes with results that show what should occur, so that you can verify the steps were completed successfully.

This FortiGate Cookbook was written for FortiOS 5.0 patch 2 (FortiOS 5.0.2).

A PDF copy of this document is available from the FortiGate Technical Documentation website at http://docs.fortinet.com/cookbook.html. You can also find earlier editions of the FortiGate Cookbook there, which contain additional recipes and troubleshooting tips, as well as video versions of some of the content in this book.

You can send comments about this document and ideas for new recipes to [email protected]. New recipes may be published on the FortiGate Cookbook website and added to future versions.

Web-based Manager

Also called the Web Interface or Web UI, the FortiGate web-based manager is an advanced point-and-click, drag-and-drop interface that provides quick access to most FortiGate configuration settings and includes visual monitoring and management tools.

Using the web-based manager you can add a security policy to monitor application activity on a network, view the results of this application monitoring policy, and then create additional policies or change the existing policy to block or limit the traffic produced by some applications. The web-based manager also provides a wide range of monitoring and reporting tools that provide detailed information about traffic and events occurring on the FortiGate unit.

You access the web-based manager using HTTP or a secure HTTPS connection from any web browser. By default you can access the web-based manager by connecting to the FortiGate interface usually attached to a protected network. Configuration changes made from the web-based manager take effect immediately, without resetting the unit or interrupting service.


FortiExplorer

FortiExplorer provides a user-friendly and accessible tool that you can use to configure a FortiGate unit over a standard USB connection. You can install FortiExplorer software on a PC running Windows or Mac OS X and use a USB connection between the PC and your FortiGate unit. Use FortiExplorer to register your FortiGate unit, check for and perform FortiOS firmware updates, run the FortiExplorer configuration wizard to quickly set up the FortiGate unit, and connect to the web-based manager or CLI.

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration.

For more information

Documentation

The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications.

Fortinet Knowledge Base

The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Training

Fortinet Training Services provides a variety of training programs world-wide that orient you to your new equipment, and provides certifications to verify your knowledge level. For more on training services, visit the Fortinet Training Services web site at http://campus.training.fortinet.com.


Installing and Setup

Most people purchase a FortiGate unit with the intention of creating a secure connection between a protected private network and the Internet. In most cases they also want the FortiGate unit to hide the IP addresses of the private network from the Internet. This chapter describes how to set up a number of common configurations with the FortiGate unit.

In addition, this chapter describes a common transparent mode FortiGate installation in which a FortiGate unit provides security services to a network without requiring any changes to the network.


Setting up a limited access administrator account

This example adds a new FortiGate administrator login that uses an administrator profile that has limited access only to firewall features, and read-only access to administrator information. It also shows how to identify the administrators using the admin administrator account.

1. Create a new administrative profile

2. Add a new administrator and assign the profile

3. Results

[Network diagram: Internet, FortiGate with WAN 1 (172.20.120.22) and LAN (192.168.1.99/24), Internal Network]


Step One: Create a new administrative profile

Go to System > Admin > Admin Profile.

Create a new administrator profile that allows the administrator with this profile to view and edit firewall objects and security policies and only view administrator information.

The admin profile controls what features of the FortiGate configuration the administrator can see and configure from the web-based manager and CLI. You can add multiple profiles and assign users and administrators different profiles, depending on what they are tasked to do with the FortiGate unit.

Step Two: Add a new administrator and assign a profile

Go to System > Admin > Administrators.

Create a new administrator with the Firewall_Admin_Access profile, to enable full access to all FortiOS features.


Results

Log in to the FortiGate unit using the user name of Terry_White.

As this administrator, you can view and edit any element of the FortiGate unit pertaining to firewall objects and security policies. You can also view the other administrator information. Note that menu items for other features do not appear.

Go to Log & Report > Event Log > System.

Verify that the login activity occurred.

Select the entry for more information on the administrator log in.


Go to System > Dashboard > Status, and view the System Information widget.

The Current Administrator row indicates the current administrators and the number of administrators logged in.

Select Details for the Current Administrator to view all administrators logged in.


Setting up and troubleshooting FortiGuard services

If you have purchased FortiGuard services and registered your FortiGate unit, it should automatically connect to the FortiGuard Distribution Network (FDN) and display license information about your FortiGuard services.

In this example, you will verify whether the FortiGate unit is communicating with the FDN by checking the License Information dashboard widget. The FortiGate unit automatically connects with the FortiGuard network to verify the FortiGuard Services status for the FortiGate unit.

[Network diagram: Internet, FortiGate with WAN 1 and port 1, Internal Network, FortiGuard]


Verifying the connection

Any subscribed services should have a green check mark, indicating that connections are successful.

A grey X indicates that the FortiGate unit cannot connect to the FortiGuard network, or that the FortiGate unit is not registered.

A red X indicates that the FortiGate unit was able to connect but that a subscription has expired, or has not been activated.

You can also view the FortiGuard connection status by going to System > Config > FortiGuard.


Troubleshooting connection issues

Use these steps to troubleshoot FortiGuard services should connection issues arise.

• Verify that you have registered your FortiGate unit, purchased FortiGuard services, and that the services have not expired. You can verify the support status for your FortiGate unit at the Fortinet Support website (https://support.fortinet.com/).

• Verify that the FortiGate unit can communicate with the Internet. The FortiGate unit should be able to communicate with the FortiGuard network if it can communicate with the Internet.

• Go to Router > Monitor > Routing Monitor and verify that a default route is available and configured correctly.

• Go to System > Network > DNS and make sure the primary and secondary DNS servers are correct. The FortiGate unit connects to the FortiGuard network using a domain name, not a numerical IP address. If the FortiGate interface connected to the Internet gets its IP address using DHCP, you should make sure Override internal DNS is selected so that the FortiGate unit gets its DNS server IP addresses from the ISP using DHCP.

• Verify that the FortiGate unit can connect to the DNS servers using the execute ping command to ping them.

• You can also attempt a traceroute from FortiGate CLI to an external network using a domain name for a location, for example, enter the command: execute traceroute www.fortiguard.com

• If the command cannot find the numeric IP address of www.fortiguard.com, then the FortiGate unit cannot connect to the configured DNS servers.

• Make sure that at least one security policy includes antivirus. If no security policies include antivirus, the antivirus database may not be updated.

• Verify that the FortiGate unit can communicate with the FortiGuard network. Go to System > Config > FortiGuard > Antivirus and IPS Options, where you can select Update now to force an immediate update of the antivirus and IPS databases. After a few minutes, you can verify whether the updates were successful.

• Test the availability of web filtering and email filtering lookups from System > Config > FortiGuard > Web Filtering and Email Filtering options by selecting Test Availability. If the test is not successful, try changing the port that is used for web filtering and email filtering lookups. The FortiGate unit uses port 53 or 8888 to communicate with the FortiGuard network and some ISPs may block one of these ports.

• Determine if there is anything upstream that might be blocking FortiGuard traffic, either on the network or on the ISP’s network. Many firewalls block all ports by default, and often ISPs block low-numbered ports (such as 53). FortiGuard uses port 53 by default, so if it is being blocked, you need to either open the port or change the port used by the FortiGate unit.


• Change the FortiGuard source port. It is possible ports that are used to contact the FortiGuard network are being changed before reaching FortiGuard, or on the return trip, before reaching your FortiGate unit. A possible solution for this is to use a fixed-port at the NAT firewall to ensure the port number remains the same.

• FortiGate units contact the FortiGuard Network by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets would then have a destination port of 1027 or 1031.

• If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets. You can select a different source port range for the FortiGate unit to use.

If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use higher-numbered ports such as 2048-20000, using the following CLI commands:

config system global
    set ip-src-port-range 2048-20000
end

Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use.

• Display the FortiGuard server list. The diagnose debug rating CLI command shows the list of FortiGuard servers that the FortiGate unit can connect to. The command should show more than one server.


Logging FortiGate system events to gather network traffic information

This example shows how to enable logging to capture the details of network traffic processed by the FortiGate unit.

1. Configure logging and event logging

2. Enable logging in the security policy

3. Results

[Network diagram: Internet, FortiGate with WAN 1 (172.20.120.123) and port 1 (192.168.1.99), Internal Network]


Step One: Configure logging and event logging

Go to Log & Report > Log Config > Log Setting.

Enable and configure logging.

Note that logging to disk is only available on FortiGate units with a hard disk or flash drive.

Logging to disk is enabled in the CLI using the config log disk setting commands.

Step Two: Enable logging in the security policy

Go to Policy > Policy > Policy.

For any security policy, in the Logging Options section, select Log all Sessions.


Results

To see information about network traffic processed by the FortiGate unit, go to Log & Report > Traffic Log > Forward Traffic.

Select an entry for more information.
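As an added example (not from the cookbook), the following Python script parses FortiGate log lines in the key=value format used by the Event Log and the Forward Traffic log, so that the administrator login check from the limited-access administrator recipe and the per-policy traffic view from this recipe can be done over exported logs. The sample lines are constructed for the example; the field names follow the FortiOS log format, and the 192.168.1.0/24 internal network is assumed from the diagram.

```python
import ipaddress
import re
from collections import Counter

# One key=value pair: the value is either a double-quoted string (may contain
# spaces and escaped quotes, e.g. msg="...") or a bare token such as an IP.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Source address inside the ui field, e.g. ui="https(192.168.1.110)".
_UI_IP = re.compile(r'\((\d+\.\d+\.\d+\.\d+)\)')

# Constructed sample log lines for this example (not real FortiGate output):
# two administrator login events and three forward-traffic records.
SAMPLE_LOGS = """\
date=2013-05-15 time=09:12:31 devname=FortiGate type=event subtype=system level=information user="Terry_White" ui="https(192.168.1.110)" action=login status=success reason=none msg="Administrator Terry_White logged in successfully from https(192.168.1.110)"
date=2013-05-15 time=09:12:45 devname=FortiGate type=event subtype=system level=alert user="admin" ui="https(203.0.113.7)" action=login status=failed reason="passwd_invalid" msg="Administrator admin login failed from https(203.0.113.7) because of invalid password"
date=2013-05-15 time=09:13:02 devname=FortiGate type=traffic subtype=forward level=notice srcip=192.168.1.110 srcport=52311 srcintf="port1" dstip=93.184.216.34 dstport=80 dstintf="wan1" policyid=3 action=accept service="HTTP" sentbyte=1234 rcvdbyte=5678
date=2013-05-15 time=09:13:05 devname=FortiGate type=traffic subtype=forward level=notice srcip=192.168.1.120 srcport=40122 srcintf="port1" dstip=198.51.100.9 dstport=443 dstintf="wan1" policyid=3 action=accept service="HTTPS" sentbyte=900 rcvdbyte=45000
date=2013-05-15 time=09:13:09 devname=FortiGate type=traffic subtype=forward level=warning srcip=192.168.1.130 srcport=40200 srcintf="port1" dstip=198.51.100.50 dstport=23 dstintf="wan1" policyid=0 action=deny service="TELNET" sentbyte=0 rcvdbyte=0
"""
SAMPLE_LINES = SAMPLE_LOGS.strip().splitlines()


def parse_log_line(line):
    """Return the key=value fields of one log line as a dict (quotes stripped)."""
    fields = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def admin_logins(lines):
    """(user, ui, status) for every administrator login event, the entries
    the recipe asks you to verify under Log & Report > Event Log > System."""
    result = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("type") == "event" and f.get("subtype") == "system" \
                and f.get("action") == "login":
            result.append((f.get("user", ""), f.get("ui", ""), f.get("status", "")))
    return result


def flagged_admin_logins(lines, internal_net="192.168.1.0/24"):
    """Logins worth a second look: failed attempts, or any login whose source
    address is not on the internal network (assumed to be 192.168.1.0/24)."""
    net = ipaddress.ip_network(internal_net)
    flagged = []
    for user, ui, status in admin_logins(lines):
        match = _UI_IP.search(ui)
        src = ipaddress.ip_address(match.group(1)) if match else None
        if status != "success" or src is None or src not in net:
            flagged.append((user, ui, status))
    return flagged


def forward_sessions_by_policy(lines):
    """Count forward-traffic sessions per (policyid, action), the same view
    Log & Report > Traffic Log > Forward Traffic gives entry by entry."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f.get("type") == "traffic" and f.get("subtype") == "forward":
            counts[(f.get("policyid", "?"), f.get("action", "?"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for entry in flagged_admin_logins(SAMPLE_LINES):
        print("check admin login:", entry)
    for (policy, action), n in sorted(forward_sessions_by_policy(SAMPLE_LINES).items()):
        print(f"policy {policy} {action}: {n} session(s)")
```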


Using SNMP to monitor the FortiGate unit

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that reads the traps from the agent and sends out SNMP queries to the SNMP agents.

In this example, you configure the SNMP agent and FortiGate interface to send SNMP traps to the SNMP server for review.

1. Configure the SNMP agent and community

2. Enable SNMP on a FortiGate interface

3. Download the MIB files and configure the SNMP manager

4. Results

[Network diagram: Internet, FortiGate with WAN 1 (172.20.120.123) and port 1 (192.168.1.99), Internal Network, SNMP Manager (192.168.1.114)]


Step One: Configure the SNMP agent and community

Go to System > Config > SNMP.

Configure the agent.

Under the SNMP version, create a new community.

Add the host IP address where the SNMP manager is installed, 192.168.1.114/32, and select the port used to receive SNMP requests and send SNMP traps.

You can also set the IP address/Netmask to 0.0.0.0/0.0.0.0 and the Interface to ANY so that any SNMP manager at any network connected to the FortiGate unit can use this SNMP community and receive traps from the FortiGate unit.


Step Two: Enable SNMP on a FortiGate interface

Go to System > Network > Interface.

Enable SNMP on port 1.

Step Three: Download the MIB files and configure the SNMP manager

Go to System > Config > SNMP to download the FortiGate SNMP MIB.

There are two MIB files for FortiGate units: the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units.

Configure the SNMP manager at 192.168.1.114 to receive traps from the FortiGate unit.


Results

This example uses the SolarWinds SNMP trap viewer.

In SolarWinds Toolset Launch Pad, go to SNMP > MIB Viewer and select Launch.

Select Select Device and enter the IP address of the FortiGate unit and the community string.

Open the SNMP Trap Receiver and select Launch.


Perform an action to trigger a trap, for example, change the IP address of the DMZ interface in the FortiGate.

Verify that the SNMP manager receives the trap.

View the UTM log by going to Log & Report > Event Log > System.


Using FortiCloud to view log data and reports

FortiCloud is an online hosted security management and log retention service. It provides a centralized reporting, traffic analysis, configuration and log retention tool without the need for additional hardware and software.

This example describes setting up and accessing log and reports in FortiCloud.

[Network diagram: Internet, FortiGate with WAN 1 (172.20.120.123) and port 1 (192.168.1.99), Internal Network, FortiCloud]

1. Activate FortiCloud

2. Configure logging and event logging

3. Enable logging in the security policy

4. Results


Step One: Activate FortiCloud

Go to System > Dashboard > Status.

On the License Information widget, in the FortiCloud section, select Activate.

Once the account is created, you can launch the FortiCloud portal from the License Information widget.

Step Two: Configure logging

Go to Log & Report > Log Config > Log Setting.

Enable and configure logging to FortiCloud.

Step Three: Enable logging in the security policy

Go to Policy > Policy > Policy.

For any security policy, in the Logging Options section, select Log all Sessions.

Results

Go to System > Dashboard > Status.

On the License Information widget, in the FortiCloud section, select Launch Portal.

From the portal, you can see the log data and reports.


Using two ISPs for redundant Internet connections with distributed sessions

This example describes how to improve the reliability of a network’s connection to the Internet by using two Internet connections. It also includes configuration of equal cost multi-path load balancing to make efficient use of these two Internet connections by distributing sessions to both, without allowing either one to become overloaded.

1. Configure connections to the two ISPs

2. Add security policies

3. Configure fail over detection and spillover load balancing

4. Results

[Network diagram: Internal Network, FortiGate with LAN, WAN1 to ISP 1 and WAN 2 to ISP 2, Internet]


Step One: Configure connections to the two ISPs

Go to System > Network > Interface.

Step Two: Add security policies

Go to Policy > Policy > Policy.

Create a security policy for the primary interface connecting to its ISP and the internal network.

Create a security policy for each interface connecting to the ISPs and the internal network.

Step Three: Configure fail over detection and spillover load balancing

Go to Router > Static > Settings.

Create two new Dead Gateway Detection entries.

Set the Ping Interval and Failover Threshold to a smaller value for a more immediate reaction to a connection going down.


Go to Router > Static > Settings and set the ECMP Load Balancing Method to Spillover.

The Spillover Threshold value is entered in kbps (kilobits per second). However, the bandwidth shown on interfaces is measured in kBps (kilobytes per second).

For the wan1 interface, Spillover Threshold = 100 kbps = 100000 bps

100000 bps = 102400 bps = 102400/8 Bps = 12800 Bps

Results

Go to Log & Report > Traffic Log > Forward Traffic to see network traffic from different source IP addresses flowing through both wan1 and wan2.

Disconnect the wan1 port on the FortiGate unit to see that all traffic automatically flows through the wan2 port until wan1 is available again.
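The following Python simulation, added here and not part of the cookbook, models the behaviour this recipe configures: dead gateway detection marks a WAN link down after Failover Threshold consecutive failed pings, and spillover ECMP sends new sessions to wan1 until its Spillover Threshold (entered in kbps) is reached, then to wan2. Session rates are constructed; what FortiOS does once every live link is over its threshold is not stated on the page, so the simulation's choice there is an assumption.

```python
class WanLink:
    """One ISP-facing interface with its Dead Gateway Detection state and
    spillover threshold (the GUI value is in kilobits per second)."""

    def __init__(self, name, spillover_kbps, failover_threshold):
        self.name = name
        self.threshold_bps = spillover_kbps * 1000
        self.failover_threshold = failover_threshold
        self.consecutive_failures = 0   # failed pings in a row
        self.load_bps = 0               # bandwidth currently assigned to sessions

    def record_ping(self, ok):
        """Dead Gateway Detection: a successful ping resets the failure count."""
        self.consecutive_failures = 0 if ok else self.consecutive_failures + 1

    @property
    def is_up(self):
        return self.consecutive_failures < self.failover_threshold

    def headroom_bps(self):
        return self.threshold_bps - self.load_bps


def choose_link(links, session_bps):
    """Spillover: give the session to the first live link it still fits under.
    Returns the link name, or None when no link is up. If every live link is
    already over threshold, the session goes to the link with the most headroom
    (an assumption of this simulation, not documented behaviour)."""
    live = [link for link in links if link.is_up]
    if not live:
        return None
    chosen = next((l for l in live if l.headroom_bps() >= session_bps), None)
    if chosen is None:
        chosen = max(live, key=lambda l: l.headroom_bps())
    chosen.load_bps += session_bps
    return chosen.name


def simulate(ping_interval_s=5):
    """Walk through the recipe: fill wan1, spill to wan2, then pull wan1's cable.
    Returns (per-session placements, whether wan1 is still up, seconds the
    outage took to detect with the assumed ping interval)."""
    wan1 = WanLink("wan1", spillover_kbps=100, failover_threshold=5)
    wan2 = WanLink("wan2", spillover_kbps=100, failover_threshold=5)
    links = [wan1, wan2]
    # Constructed session rates in bits per second; the fourth one no longer
    # fits under wan1's 100 kbps threshold and spills over to wan2.
    placements = [choose_link(links, bps) for bps in (40_000, 40_000, 20_000, 30_000)]
    # wan1 disconnected: after failover_threshold failed pings it is marked dead,
    # which takes failover_threshold * ping_interval_s seconds to notice.
    for _ in range(wan1.failover_threshold):
        wan1.record_ping(False)
    placements.append(choose_link(links, 10_000))
    seconds_to_detect = wan1.failover_threshold * ping_interval_s
    return placements, wan1.is_up, seconds_to_detect


if __name__ == "__main__":
    placements, wan1_up, detect_s = simulate()
    print("sessions placed on:", placements)
    print("wan1 up:", wan1_up, "- outage detected after", detect_s, "s")
```

Lowering Ping Interval or Failover Threshold shortens the detection time at the cost of more frequent probes and a higher chance of a brief loss being treated as an outage.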


Protect a web server on the DMZ network

In this example, a web server is located on the DMZ network. An internal to DMZ security policy allows internal users to access the web server using its internal IP address (10.10.10.22). A WAN to DMZ security policy hides the internal address, allowing external users to access the web server with a public IP address (172.20.120.22).

1. Configure the FortiGate unit DMZ interface

2. Add virtual IPs

3. Create security policies

4. Results

[Network diagram: Internet, FortiGate with WAN 1 (172.20.120.22), DMZ interface to the DMZ Network with the Web Server (10.10.10.22), and LAN to the Internal Network]


Step One: Configure the FortiGate unit DMZ interface

Go to System > Network > Interface.

Edit the DMZ interface settings.

Your FortiGate unit may have an interface named DMZ. Using the DMZ interface is recommended but not required.

Step Two: Add virtual IPs

Go to Firewall Objects > Virtual IP > Virtual IP.

Create two virtual IPs; one for HTTP access and one for HTTPS access.

Each virtual IP has the same address mapping from the public-facing interface to the DMZ interface. The difference is the port for each traffic type (port 80 for HTTP and port 443 for HTTPS).


Step Three: Create security policies

Go to Policy > Policy > Policy.

Create a security policy to allow HTTP and HTTPS traffic from the Internet to the DMZ interface and web server.

Create a security policy to allow HTTP and HTTPS traffic from the internal network to the DMZ interface and web server.

Adding this policy reduces traffic on the wan1 interface by allowing traffic to pass directly from the Internal interface to the DMZ interface, rather than from the Internal interface, to the wan1 interface, then back in through the wan1 interface to the DMZ interface.


Results

External users can access the web server on the DMZ network from the internet using http://172.20.120.22 and https://172.20.120.22.

Internal users can access the web server using http://10.10.10.22 and https://10.10.10.22.

Go to Policy > Monitor > Policy Monitor.

Use the policy monitor to verify that traffic from the Internet and from the internal network is allowed to access the web server. This verifies that the policies are configured correctly.

Go to Log & Report > Traffic Log > Forward Traffic.

The traffic log should show sessions from the internal network and from the Internet accessing the web server on the DMZ network.


Adding a second FortiGate unit to improve reliability

This example adds a second FortiGate unit to a currently installed FortiGate unit to provide redundancy in the event one FortiGate unit fails. This example also steps through upgrading the HA cluster to a new firmware version.

1. Add and connect the second FortiGate and configure HA

2. Test the failover functionality

3. Upgrade the firmware for the HA cluster

[Network diagram: Internet, a switch connected to the WAN 1 interfaces of both FortiGate units, dual HA links between the two units, and a switch connecting their Internal interfaces to the Internal Network]


Step One: Add and connect the second FortiGate and configure HA

Go to System > Dashboard > Status.

Change the host name of the primary FortiGate unit.

Go to System > Dashboard > Status.

Change the host name of the backup FortiGate unit.

Go to System > Config > HA.

Configure the HA settings for the primary FortiGate unit.


Go to System > Config > HA.

Configure the HA settings for the backup FortiGate unit.

Ensure that the Group Name and Password are the same as on the primary FortiGate unit.

Go to System > Config > HA to view the cluster information.

Select View HA Statistics for more information on the cluster.


Step Two: Test the failover functionality

Go to System > Dashboard > Status to see the cluster information.

Unplug the ethernet cable from the wan 1 interface of the primary FortiGate unit. Traffic will divert to the backup FortiGate unit.

Use the ping command to view the results.

Shut down the primary FortiGate unit, and see that traffic fails over to the backup FortiGate unit using a ping command.


Step Three: Upgrade the firmware for the HA cluster

When a new version of the FortiOS firmware becomes available, upgrade the firmware on the primary FortiGate unit; the backup FortiGate unit will upgrade automatically.

Go to System > Dashboard > Status to upgrade the firmware.

The firmware will load on the primary FortiGate unit, and then on the backup unit.

Go to Log & Report > Event Log > System.

Go to System > Dashboard > Status.

Both FortiGate units have the new firmware installed.


Setting up an explicit proxy for users on a private network

This example sets up the explicit web proxy to accommodate faster web browsing. Internal users will connect to an explicit web proxy using port 8080 rather than surfing the Internet directly using port 80.

1. Enable explicit web proxy on the internal interface

2. Configure the explicit web proxy for HTTP/HTTPS traffic

3. Add a security policy for proxy traffic

4. Results

[Network diagram: Internet connected to FortiGate port 3; Internal Network connected to port 4, where the explicit web proxy is enabled]


Step One: Enable explicit web proxy on the internal interface

You may need to enable Explicit Proxy and WAN Opt. & Cache on the System Information widget before you proceed.

Go to System > Dashboard > Status and select Enable for these options.

Go to System > Network > Interface and enable web proxy on port 4.

Step Two: Configure the explicit web proxy for HTTP/HTTPS traffic

Go to System > Network > Explicit Proxy and enable the http/https explicit web proxy.

Make sure to set the Default Firewall Policy Action to Deny.

Later you will create a security policy for web proxy traffic with web cache enabled.

Step Three: Add a security policy for proxy traffic

Go to Policy > Policy > Policy.

Create a security policy for web proxy traffic, and enable web cache.

Results

Configure web browsers on the private network to connect using a proxy server. The IP address of the HTTP proxy server is 10.10.1.99 (the IP address of the FortiGate internal interface) and the port is 8080 (the default explicit web proxy port).

Web browsers configured to use the proxy server are able to connect to the Internet.

Go to Policy > Policy > Policy to see the ID of the policy (3) allowing web proxy traffic. Web proxy traffic is not counted by the firewall policy.


Using port pairing to simplify transparent mode

This example simplifies configuring a FortiGate unit operating in transparent mode by using port pairing. When you create a port pair, all traffic accepted by one of the ports of the pair can only exit out the other port. You add security policies to control the traffic that can pass between these two ports and to apply UTM protection to the traffic.

1. Switch the FortiGate unit to transparent mode and add a static route

2. Create an internal and wan 1 port pair

3. Create firewall addresses

4. Create a security policy

5. Results

[Network diagram: Internet, Router, FortiGate with wan 1 (192.168.1.99/24) and Internal interfaces and management IP 192.168.1.100, Internal Network 192.168.1.[110-150], Protected web server 192.168.1.200]


Step One: Switch the FortiGate unit to transparent mode and add a static route

Go to System > Dashboard > Status.

In the System Information widget, select Change beside the Operation mode.

Log into the FortiGate unit using the management IP 192.168.1.100.

Go to System > Network > Routing Table and set a static route.

Step Two: Create an internal and wan 1 port pair

Go to System > Network > Interface.

Create an internal/wan 1 pair.

Step Three: Create firewall addresses

Go to Firewall Objects > Address > Address.

Create an address for the web server and an address range for the internal users.

Step Four: Create security policies

Go to Policy > Policy > Policy.

Create a security policy that allows internal users to access the web server using HTTP and HTTPS.

Create a second security policy that allows connections from the web server to the internal users' network and to the Internet using any service. This example is deliberately permissive; in production, limit the services the server may initiate, since a compromised server could otherwise reach the internal network freely.

Results

Connect to the web server from the internal network and surf the Internet from the server itself.

Go to Log & Report > Traffic Log > Forward Traffic to verify that there is traffic from the internal to the wan 1 interface.

Select an entry for details.

Go to Policy > Monitor > Policy Monitor to see the active sessions.

Adding packet capture to help troubleshooting

Packet capture is a means of recording traffic and its details to troubleshoot problems with traffic flow or connectivity. This example shows the basics of setting up packet capture on the FortiGate unit and analyzing the results.

[Network diagram: Internet - FortiGate WAN 1 (172.20.120.23) | Internal (192.168.1.99/24) - Internal network]

1. Create a packet capture filter

2. Start the packet capture

3. Stop the packet capture

4. Results

Step One: Create a packet capture filter

Go to System > Network > Packet Capture and create a new filter.

For this example, the FortiGate unit will capture 100 HTTP packets on the internal interface from/to host 192.168.1.200.

•Host(s) can be a single IP, multiple IPs separated by commas, an IP range, or a subnet.

•Port(s) can be a single port, multiple ports separated by commas, or a range.

•Protocol can be a single protocol number, multiple numbers separated by commas, or a range. Use 6 for TCP, 17 for UDP, 1 for ICMP.

Step Two: Start the packet capture

Select Start to begin the packet capture, and from an internal computer or device set to IP address 192.168.1.200, surf the Internet to generate traffic.

Step Three: Stop the packet capture

Once the maximum number of packets to save is reached (in this example 100), the capture stops and you can download the saved pcap file.

You can also stop the capture at any time before the maximum is reached.

Results

Open the pcap file with a pcap viewer such as tcpdump or Wireshark.

Depending on the kind of traffic you need to capture, adjust the filter settings to meet your needs.

Go to Log & Report > Event Log > System to verify that the packet capture file was successfully downloaded.
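The filter fields described in Step One (hosts, ports and protocols, each a single value, a comma-separated list, a range or, for hosts, a subnet) and the packet limit can be applied offline as well. The following Python script is an added example, not part of the cookbook or of FortiOS: it parses filter specifications in that syntax, runs them over a few constructed packet records standing in for a pcap, and stops at the maximum packet count, so a filter can be sanity-checked before a capture is started. The sample packets and the helper names are assumptions of the example.

```python
"""Offline model of a FortiGate packet capture filter (added example, not FortiOS code)."""
import ipaddress


def parse_hosts(spec):
    """Turn 'a.b.c.d, x.y.z.0/24, a.b.c.d-a.b.c.e' into a list of match functions."""
    matchers = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if "/" in item:                                   # subnet
            net = ipaddress.ip_network(item, strict=False)
            matchers.append(lambda ip, net=net: ipaddress.ip_address(ip) in net)
        elif "-" in item:                                 # range
            lo, hi = (int(ipaddress.ip_address(x.strip())) for x in item.split("-", 1))
            matchers.append(lambda ip, lo=lo, hi=hi: lo <= int(ipaddress.ip_address(ip)) <= hi)
        else:                                             # single host
            addr = ipaddress.ip_address(item)
            matchers.append(lambda ip, addr=addr: ipaddress.ip_address(ip) == addr)
    return matchers


def parse_numbers(spec):
    """Turn '80, 443, 8000-8099' into a set of ints (ports or protocol numbers)."""
    values = set()
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            values.update(range(lo, hi + 1))
        else:
            values.add(int(item))
    return values


class CaptureFilter:
    """A packet matches when some host, some port and the protocol all match.

    An empty field matches everything, as it does in the FortiGate filter.
    """

    def __init__(self, hosts="", ports="", protocols="", max_packets=100):
        self.hosts = parse_hosts(hosts)
        self.ports = parse_numbers(ports)
        self.protocols = parse_numbers(protocols)
        self.max_packets = max_packets

    def _host_ok(self, ip):
        return not self.hosts or any(match(ip) for match in self.hosts)

    def matches(self, pkt):
        host_ok = self._host_ok(pkt["src"]) or self._host_ok(pkt["dst"])
        port_ok = (not self.ports or pkt.get("sport") in self.ports
                   or pkt.get("dport") in self.ports)
        proto_ok = not self.protocols or pkt["proto"] in self.protocols
        return host_ok and port_ok and proto_ok

    def run(self, packets):
        """Return the captured packets, stopping at max_packets like the GUI capture."""
        captured = []
        for pkt in packets:
            if self.matches(pkt):
                captured.append(pkt)
                if len(captured) >= self.max_packets:
                    break
        return captured


# Constructed sample traffic standing in for a pcap (not real capture data).
SAMPLE_PACKETS = [
    {"src": "192.168.1.200", "dst": "93.184.216.34", "proto": 6, "sport": 51000, "dport": 80},
    {"src": "93.184.216.34", "dst": "192.168.1.200", "proto": 6, "sport": 80, "dport": 51000},
    {"src": "192.168.1.200", "dst": "8.8.8.8", "proto": 17, "sport": 53001, "dport": 53},
    {"src": "192.168.1.150", "dst": "93.184.216.34", "proto": 6, "sport": 52000, "dport": 80},
    {"src": "192.168.1.200", "dst": "192.168.1.99", "proto": 1},          # ICMP echo
]


def capture_http_for_host(host="192.168.1.200", max_packets=100):
    """The recipe's filter: HTTP (TCP port 80) to or from one host, at most max_packets."""
    flt = CaptureFilter(hosts=host, ports="80", protocols="6", max_packets=max_packets)
    return flt.run(SAMPLE_PACKETS)


if __name__ == "__main__":
    for pkt in capture_http_for_host():
        print(pkt)
```

Run with no arguments and the two HTTP packets of the constructed sample (request and reply) are printed; the DNS, ICMP and other-host packets are left out, exactly as the GUI filter would leave them out of the pcap.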

Wireless Networking

FortiOS WiFi networking provides a wide range of capabilities for integrating wireless networks into your organization's network architecture. Each WiFi network, or SSID, is represented by a virtual network interface to which you apply security policies, UTM features, traffic shaping, and so on, in the same way as for physical wired networks.

You can create multiple WiFi networks to serve different groups of users. For example, you might have one network for your employees and another for guests or customers. Also, with the increase in Bring Your Own Device (BYOD) use (smartphones, tablets and other mobile devices that use WiFi), wireless networks are busier than ever and have to be monitored and accommodated accordingly.

A network that requires only one WiFi access point is easily created with a FortiWiFi unit operating as a single thick Access Point (AP). A thick AP such as a FortiWiFi unit contains the WiFi radio as well as access control and authentication functionality.

A thin AP, such as a FortiAP unit contains only the radio facility and a microcontroller that receives commands and exchanges data with a WiFi controller. If you already have a FortiGate unit, adding a FortiAP unit as a thin AP managed by the FortiGate unit operating as a WiFi controller is a cost effective solution for adding WiFi to your network.

The FortiOS WiFi controller feature is available on both FortiGate and FortiWiFi units. A FortiWiFi unit’s WiFi controller also controls the unit’s internal (Local WiFi) radio facility, treating it much like a built-in thin AP. Whenever multiple APs are required, a single FortiGate or FortiWiFi unit controlling multiple FortiAP units is best. A network of multiple thick APs would be more expensive and more complex to manage.

Providing remote users access to the Internet and corporate network using FortiAP

In this example, users in a remote location such as a hotel use a FortiAP to securely connect to the corporate network and browse the Internet from behind the corporate firewall.

[Network diagram: remote FortiAP with wireless network WLAN_1 - Internet - FortiGate (WLAN 1, Internal) - Internal network]

1. Configure the FortiGate for remote user connections

2. Configure the FortiAP to connect to the corporate FortiGate unit

3. Authorize the remote FortiAP connection and configure the FortiAP

4. Results

Step One: Configure the FortiGate for remote user connections

Go to WiFi Controller > WiFi Network > SSID and create a new SSID (RemoteWiFi) for the FortiAP.

Configure the WiFi Settings and the DHCP Server so wireless users can connect directly to the FortiAP.

Go to Firewall Objects > Address > Address.

Create addresses for the remote users and the corporate network.

Go to Policy > Policy > Policy and create two security policies.

Create a policy for remote wireless users to access the Internet.

Create a policy for remote wireless users to access the corporate network.

Step Two: Configure the FortiAP to connect to the corporate FortiGate unit

The remote user plugs an Ethernet cable into the FortiAP and into the hotel's Internet connection. The FortiAP then looks for the FortiGate interface you configure here.

In the FortiAP's System Information tab, enter the AC IP Address: the address of the public-facing interface of the FortiGate unit. The FortiGate must be reachable at that address from the Internet for the FortiAP to register with it.

Step Three: Authorize the remote FortiAP connection and configure the FortiAP

Go to WiFi Controller > Managed Devices > Managed FortiAP.

Right-click the FortiAP in the list and select Authorize.

With the FortiAP authorized by the FortiGate unit, you can use the FortiGate to configure the wireless settings of the FortiAP remotely.

Results

The remote user connects the FortiAP to the network connection at the hotel and then connects to the RemoteWiFi wireless network. They are able to access the corporate network and surf the Internet securely.

Go to WiFi Controller > Monitor > Client Monitor to see remote wireless users connected to the FortiAP unit.

When the remote wireless user connects to the corporate network, traffic appears in the log messages.

Go to Log & Report > Traffic Log > Forward Traffic.

Selecting an entry for the WLAN_1 interface and internal destination interface shows traffic using RDP to connect to the corporate network.

Selecting an entry for the WLAN_1 interface and wan1 destination interface shows internet traffic.

Setting up a FortiGate and FortiAP to provide wired and wireless Internet access

This example sets up a FortiAP to connect to the Internet through the FortiGate unit. Wireless and wired users are on the same subnet and can therefore share network resources.

[Network diagram: Internet - FortiGate WAN 1 (172.20.120.226) | LAN (192.168.1.99/24) - Internal network and FortiAP wireless network]

1. Configure the FortiGate WAN 1 and LAN ports

2. Create an internal address range and security policy

3. Set up a wireless network with the FortiAP

4. Results

Step One: Configure the FortiGate WAN 1 and LAN ports

Go to System > Network > Interface.

Configure the WAN 1 interface to use DHCP.

Configure the LAN interface to use a static IP with a DHCP server enabled.

Step Two: Create an internal address range and security policy

Go to Firewall Objects > Address > Address.

Create a new address range for the internal network users.

Go to Policy > Policy > Policy.

Create a security policy allowing users on the wired network to access the Internet.

Step Three: Set up a wireless network with the FortiAP

Connect the FortiAP to the LAN interface.

Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.

Go to WiFi Controller > WiFi Network > SSID and create a new SSID (My_SSID).

Ensure the Traffic Mode is set to Local bridge with FortiAP's Interface. In this mode the wireless clients are bridged onto the LAN segment the FortiAP is plugged into, so they receive addresses from the LAN DHCP server and are covered by the same security policy as the wired users.

Go to WiFi Controller > WiFi Network > Custom AP Profile.

Select Create New, name the profile MyProfile, and select My_SSID for Radio 1 and Radio 2.

Go to WiFi Controller > Managed Access Points > Managed FortiAP.

Edit the FortiAP and, in the Wireless Settings, select MyProfile for the AP Profile.

Results

Have the wifi users connect to My_SSID; they should be able to surf the Internet. The wireless devices are in the same subnet as the internal wired network.

Go to WiFi Controller > Monitor > Client Monitor to see wifi users and their IP addresses.

Go to Log & Report > Traffic Log > Forward Traffic and verify that wifi users access the Internet through the same security policy as the wired network users.

Setting up guest wifi users with a captive portal

In this example, a FortiGate unit provides your office with wired networking, and guest users with laptops and mobile devices need secure WiFi access to both the office network and the Internet. Guest users use web applications and authenticate through a captive portal in a web browser. The company receptionist is given a limited-access admin account to hand out temporary passwords for the wireless network.

[Network diagram: Internet - FortiGate WAN 1 (172.20.120.23) | Internal (192.168.1.99/24) - Internal network | DMZ (10.10.80.99/24) - FortiAP - wireless network 10.10.10.1/24]

1. Authorize the FortiAP over the DMZ interface

2. Add wifi guest users

3. Create an SSID using a captive portal

4. Add firewall addresses

5. Add security policies

6. Add a limited administrative role for the receptionist

7. Results

Step One: Authorize the FortiAP over the DMZ interface

Go to System > Network > Interface.

Set the DMZ interface to be dedicated to FortiAP connections.

Connect the FortiAP to the DMZ interface and go to WiFi Controller > Managed Access Points > Managed FortiAP to authorize the FortiAP.

Step Two: Add wifi guest users

Go to User & Device > User > User Group.

Create a guest wifi user group.

Step Three: Create an SSID using a captive portal

Go to WiFi Controller > WiFi Network > SSID.

Create a new SSID that uses a captive portal for authentication and select the guest user group.

Step Four: Add firewall addresses

Go to Firewall Objects > Address > Address.

Create addresses for the internal wired network and the guest wifi users.

Step Five: Add security policies

Go to Policy > Policy > Policy.

Create a security policy allowing wifi guest users to access the internal network.

Create a security policy allowing wifi guest users to access the Internet.

Step Six: Add a limited administrative role for the receptionist

Go to System > Admin > Admin Profile.

Create a limited admin profile allowing the receptionist to create new guest users.

Go to System > Admin > Administrators.

Create a new admin account for the receptionist using the new limited profile.

Results

When a guest requires access to the wireless network, the company receptionist logs into the FortiGate unit with their account and creates a guest user name.

Once logged in, they go to User & Device > User > Guest Management and create a new user ID.

The FortiGate unit generates a password for the user. This password is only valid for four hours.

Once this information is provided to the guest, they can log in through the captive portal on the authentication page.

To verify that the guest user logged in successfully, go to WiFi Controller > Monitor > Client Monitor.

Once authenticated, guest users can surf on the internet and can also access resources in the internal wired network.

Go to Policy > Monitor > Policy Monitor and verify the active sessions.

Select one of the bars for more information.

Security Policies and Firewall Objects

FortiGate units are used to control access between the Internet and a network, typically allowing users on the network to connect to the Internet while protecting the network from unwanted access from the Internet. The FortiGate unit has to know what access should be allowed and what should be blocked. This is what security policies are for: controlling all network traffic attempting to pass through a FortiGate unit. No traffic can pass through a FortiGate unit unless a security policy specifically allows it. With a security policy, you can control address translation, control the addresses and services used by the traffic, and apply features such as UTM, authentication, and VPNs. Most of the examples in this cookbook at some point involve creating security policies to allow traffic and then applying a feature to it. This chapter focuses more on firewall features and how to configure policies to apply them.

It is simple to set up a FortiGate unit to allow users on a network to access the Internet while blocking traffic from the Internet from reaching the protected network. All that is required is a single security policy that allows traffic from the internal network to connect to the Internet. As long as you do not add a security policy that allows traffic from the Internet onto your internal network, your network is protected. The same security policy that allows you to connect to the Internet also allows the servers you contact to respond to you: the FortiGate unit tracks each accepted connection in its session table and admits the replies that belong to it. In effect, a single policy allows two-way traffic, but the incoming traffic is only allowed in response to requests sent by you.

Firewall objects are the elements within a security policy that further dictate how and when network traffic is routed and controlled. They include the addresses, services, and schedules that security policies use to decide which traffic to accept or block. Addresses are matched against the source and destination addresses of packets received by the FortiGate unit.

The examples in this chapter use a number of these elements and policies to build a secure network.

Controlling when BYOD users can access the Internet

This example uses FortiOS device identity and security policy scheduling to limit the use of Bring Your Own Device (BYOD) devices during company time.

[Network diagram: Internet - FortiWiFi wan 1 | internal - internal network | wifi - wireless mobile devices]

1. Add BYODs to the FortiGate unit

2. Add schedules for time allowed for use of a BYOD

3. Add a device identity security policy

4. Results

Step One: Add BYODs to the FortiGate unit

Go to User & Device > Device > Device Definition.

The BYOD information may not initially appear in the table until the user connects with their device. Select Refresh if needed.

Alternatively, go to System > Network > Interface and, for the wireless interface, select Detect and Identify Devices.

Devices not yet added may then appear in the list. Double-click an entry and enter an Alias to add it.

Step Two: Add schedules for time allowed for use of a BYOD

Go to Firewall Objects > Schedule > Recurring.

The schedule, when included in a security policy, allows users to access the Internet with their personal wireless devices during lunch hours.

This schedule can also be used in other security policies.

Step Three: Add a device identity security policy

Go to Policy > Policy > Policy and create a Device Identity policy.

Create a new authentication rule that includes the wireless devices and the new schedule.

Results

Go to Log & Report > Traffic Log > Forward Traffic. When a mobile user connects during the lunch break, they can surf the Internet, as shown in the logs.

When the end of the scheduled period is reached, further surfing is blocked. This does not appear in the logs, because only allowed traffic is logged by default; the implicit deny policy does not log unless you enable logging of violation traffic on it.

Evidence that the schedule and policy are working appears when attempting to connect to a web site, and possibly in a few questions from the BYOD users.
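The behaviour described in this chapter's introduction (a single accept policy admits replies through the session table, and anything unmatched falls to the implicit deny) and in this recipe (a recurring schedule and device identity on one policy) can be modelled in a few dozen lines. The following Python code is an added example, not code from the cookbook or from FortiOS; the interfaces, subnets, device names and the 12:00 to 13:00 weekday window are assumptions of the example.

```python
"""Stateful policy matching with a recurring schedule and device identity (added example)."""
import ipaddress
from datetime import datetime, time


class RecurringSchedule:
    """Active on the listed weekdays between start (inclusive) and end (exclusive)."""

    def __init__(self, days, start, end):
        self.days, self.start, self.end = set(days), start, end

    def active(self, when):
        return when.strftime("%a").lower() in self.days and self.start <= when.time() < self.end


ALWAYS = RecurringSchedule({"mon", "tue", "wed", "thu", "fri", "sat", "sun"}, time(0, 0), time.max)
LUNCH = RecurringSchedule({"mon", "tue", "wed", "thu", "fri"}, time(12, 0), time(13, 0))


class Policy:
    def __init__(self, pid, srcintf, dstintf, srcaddr, dstaddr, services,
                 schedule=ALWAYS, devices=None, action="accept"):
        self.pid, self.srcintf, self.dstintf = pid, srcintf, dstintf
        self.srcaddr, self.dstaddr = ipaddress.ip_network(srcaddr), ipaddress.ip_network(dstaddr)
        self.services = set(services)                    # (proto, dport) pairs, or "ALL"
        self.schedule, self.devices, self.action = schedule, devices, action

    def matches(self, pkt, when):
        return ((pkt["srcintf"], pkt["dstintf"]) == (self.srcintf, self.dstintf)
                and ipaddress.ip_address(pkt["src"]) in self.srcaddr
                and ipaddress.ip_address(pkt["dst"]) in self.dstaddr
                and ("ALL" in self.services or (pkt["proto"], pkt["dport"]) in self.services)
                and (self.devices is None or pkt.get("device") in self.devices)
                and self.schedule.active(when))


class Firewall:
    """First-match policy lookup in front of a session table for return traffic."""

    def __init__(self, policies):
        self.policies = policies
        self.sessions = {}   # forward 5-tuple -> policy id

    def handle(self, pkt, when):
        """Return the id of the policy that admitted the packet, or 0 for the implicit deny."""
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.sessions:             # reply to a session we already accepted
            return self.sessions[reverse]
        for pol in self.policies:                 # top-down, first match wins
            if pol.matches(pkt, when):
                if pol.action != "accept":
                    return 0
                self.sessions[(pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])] = pol.pid
                return pol.pid
        return 0                                  # implicit deny; not logged by default


# Assumed topology: wired internal users allowed at any time; BYOD wifi devices only at lunch.
FW = Firewall([
    Policy(1, "internal", "wan1", "192.168.1.0/24", "0.0.0.0/0", {"ALL"}),
    Policy(2, "wifi", "wan1", "10.10.10.0/24", "0.0.0.0/0", {(6, 80), (6, 443)},
           schedule=LUNCH, devices={"phone-1", "tablet-1"}),
])


def _at(when_str):
    return datetime.strptime(when_str, "%Y-%m-%d %H:%M")


def byod_web(src, dst, when_str, device="phone-1", sport=40000):
    """One HTTPS request from a wifi device and the server's reply; returns (request pid, reply pid)."""
    req = {"srcintf": "wifi", "dstintf": "wan1", "src": src, "dst": dst,
           "proto": 6, "sport": sport, "dport": 443, "device": device}
    rep = {"srcintf": "wan1", "dstintf": "wifi", "src": dst, "dst": src,
           "proto": 6, "sport": 443, "dport": sport}
    return FW.handle(req, _at(when_str)), FW.handle(rep, _at(when_str))


def wired_request(src, dst, proto, dport, when_str, sport=50000):
    """A wired internal host going out: policy 1 matches regardless of time or device."""
    pkt = {"srcintf": "internal", "dstintf": "wan1", "src": src, "dst": dst,
           "proto": proto, "sport": sport, "dport": dport}
    return FW.handle(pkt, _at(when_str))


def unsolicited_inbound(when_str):
    """An Internet host probing the internal network with no prior session: implicit deny."""
    pkt = {"srcintf": "wan1", "dstintf": "internal", "src": "198.51.100.9", "dst": "192.168.1.20",
           "proto": 6, "sport": 44444, "dport": 22}
    return FW.handle(pkt, _at(when_str))


if __name__ == "__main__":
    print(byod_web("10.10.10.5", "93.184.216.34", "2013-05-15 12:30"))               # (2, 2)
    print(byod_web("10.10.10.5", "93.184.216.34", "2013-05-15 14:00", sport=40001))  # (0, 0)
```

Note that the reply packet is admitted by the session-table lookup and never consults a policy, which is why no policy from wan1 to wifi is needed. A real FortiGate keeps an established session alive past the end of the schedule unless a schedule timeout is configured; this model does the same, so new connections, not existing ones, are what the lunch window controls.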

Using AirPrint with iOS and OS X and a FortiGate unit

This example sets up AirPrint services for use with an iOS device and OS X computers, using Bonjour and multicast security policies.

[Network diagram: FortiGate LAN (192.168.1.99/24) - Internal network with OS X computers | DMZ (10.10.100.1/24) - FortiAP; SSID 1 (WLAN 1) 10.10.10.1/24 with iPad 10.10.10.3; SSID 2 (WLAN 2) 20.20.20.1/24 with AirPrint printer 20.20.20.2]

1. Configure the FortiAP and SSIDs

2. Add addresses for the wireless networks and printer

3. Add service objects for printing

4. Add multicast security policies

5. Add inter-subnet security policies

6. Results

Step One: Configure the FortiAP and SSIDs

Go to System > Network > Interface.

Set the DMZ interface as dedicated for the FortiAP unit.

Connect the FortiAP to the DMZ interface. Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.

Once authorized, it will appear in the authorized list.

Go to WiFi Controller > WiFi Network > SSID.

Create an SSID for the network for wireless users.

Create an SSID for the network for the AirPrint printer.

Step Two: Add addresses for the wireless networks and printer

Go to Firewall Objects > Address > Address.

Create addresses for the SSID 1, SSID 2 and AirPrint printer.

Create an address for the internal network with the OS X computers.

Step Three: Add service objects for printing

Go to Firewall Objects > Service > Service.

Create a new service for the Internet Printing Protocol (IPP), used by iOS devices (TCP port 631).

Create a new service for PDL Data Stream, used by OS X computers (TCP port 9100).

Step Four: Add multicast security policies

Go to Policy > Policy > Multicast Policy.

Create two policies to allow multicast traffic between WLAN 1 and WLAN 2 for iOS devices.

Create two more policies to allow multicast traffic between the LAN and WLAN 2 for OS X computers.

These policies carry the Bonjour (mDNS) announcements, which are sent to multicast group 224.0.0.251 on UDP port 5353; without them the clients never discover the printer.

Step Five: Add inter-subnet security policies

Go to Policy > Policy > Policy.

Create a policy allowing the IPP service from WLAN 1 to WLAN 2.

Create a policy allowing printing (PDL Data Stream) from an OS X computer on the LAN to the AirPrint printer on WLAN 2.

Results

Print a document from an iOS device.

Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit.

Go to Log & Report > Traffic Log > Forward Traffic and verify the entry with the IPP service.

Select an entry to see more information.

Print a document from an OS X computer.

Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit.

Go to Log & Report > Traffic Log > Forward Traffic and filter the destination interface for WLAN 2 traffic.

Select an entry to see more information.

Using AirPlay with iOS, Apple TV, FortiAP and a FortiGate unit

This example sets up AirPlay services for use with an iOS device, using Bonjour and multicast security policies.

If the Apple TV is instead connected wirelessly to the same SSID as the iOS device, AirPlay works with no configuration on the FortiGate unit, because the traffic stays within one SSID and does not need a security policy.

[Network diagram: FortiGate LAN (192.168.1.99/24) - Internal network with OS X computers and Apple TV | DMZ (10.10.100.1/24) - FortiAP; SSID 1 (WLAN 1) 10.10.10.1/24 with iPad 10.10.10.3]

1. Configure the FortiAP and SSIDs

2. Add addresses for the wireless network

3. Add service objects for AirPlay

4. Add multicast security policies

5. Add inter-subnet security policies

6. Results

Step One: Configure the FortiAP and SSIDs

Go to System > Network > Interface.

Set the DMZ interface as dedicated for the FortiAP unit.

Connect the FortiAP to the DMZ interface. Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.

Once authorized, it will appear in the authorized list.

Go to WiFi Controller > WiFi Network > SSID.

Create an SSID for the network for wireless users.

Step Two: Add addresses for the wireless network

Go to Firewall Objects > Address > Address.

Create addresses for SSID 1.

Step Three: Add two service objects for AirPlay

Go to Firewall Objects > Service > Service.

Step Four: Add multicast security policies

Go to Policy > Policy > Multicast Policy.

Create a policy to allow multicast traffic from the LAN and WLAN 1 for AppleTV to iOS devices.

Go to Policy > Policy > Multicast Policy.

Create a policy to allow multicast traffic from the WLAN 1 and LAN for iOS devices to AppleTV.

Step Five: Add inter-subnet security policies

Go to Policy > Policy > Policy.

Create policy allowing traffic from the Apple TV to the iOS device.

Create policy allowing traffic from the iOS device to the Apple TV.

Results

Use AirPlay from the iPad to stream video to the Apple TV.

Go to Log & Report > Traffic Log > Multicast Traffic to see the multicast traffic between the WLAN 1 and LAN interfaces.

Select an entry for more information.

Go to Log & Report > Traffic Log > Forward Traffic and filter on policy IDs 6 and 7, the policies that allow AirPlay traffic.

Select an entry for more information.

Using port forwarding on a FortiGate unit

This example illustrates how to allow incoming connections from the Internet to a server on the internal network so that an application on the server that requires open inbound ports can work. The application requires opening TCP ports in the range 7882 to 7999, as well as UDP ports 2119 and 2995. This involves creating multiple VIPs that map sessions from the wan 1 IP address to the server IP address.

[Network diagram: Internet - FortiGate WAN 1 (172.20.120.226) | LAN (192.168.1.99/24) - Server 192.168.1.200; open TCP ports 7882-7999 and UDP ports 2119 and 2995 for traffic from the Internet to the server]

1. Create three virtual IPs

2. Add the virtual IPs to a group

3. Create a security policy to allow inbound traffic to the server

4. Results

Step One: Create three virtual IPs

Go to Firewall Objects > Virtual IP > Virtual IP.

Add a virtual IP for the TCP port range 7882 to 7999.

Add a virtual IP for the UDP port 2119.

Add a virtual IP for the UDP port 2995.

Step Two: Add the virtual IPs to a group

Go to Firewall Objects > Virtual IP > VIP Group.

Create a VIP group that includes all three virtual IPs.

Step Three: Create a security policy to allow inbound traffic to the server

Go to Policy > Policy > Policy.

Create a security policy from wan 1 to the internal interface with the VIP group as the destination address, allowing inbound connections to the server from the Internet. Because each VIP forwards only its own ports, Internet hosts can reach the server on exactly the ports listed and nothing else, even if the policy's service is set to ALL.
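To show what the three virtual IPs and the policy do to an incoming packet, the following Python code is an added example, not code from the cookbook or from FortiOS: it models port-forwarding VIPs on wan 1 for 172.20.120.226, translates matching packets to 192.168.1.200, leaves non-matching ones untranslated (so they fall through to the implicit deny), and also shows how a mapped port range is offset when it differs from the external range. The packet records and names are assumptions of the example.

```python
"""Destination NAT through port-forwarding virtual IPs (added example, not FortiOS code)."""
TCP, UDP = 6, 17


class VirtualIP:
    """One FortiGate-style VIP: external ip/interface/proto/port(s) -> mapped ip/port(s)."""

    def __init__(self, name, extip, extintf, mappedip, proto, extport, mappedport=None):
        self.name, self.extip, self.extintf = name, extip, extintf
        self.mappedip, self.proto = mappedip, proto
        self.ext_lo, self.ext_hi = extport if isinstance(extport, tuple) else (extport, extport)
        mapped = extport if mappedport is None else mappedport
        self.map_lo = mapped[0] if isinstance(mapped, tuple) else mapped
        # The mapped range is the same width as the external range; only its start matters.
        self.map_hi = self.map_lo + (self.ext_hi - self.ext_lo)

    def translate(self, pkt):
        """Return a translated copy of pkt, or None if the packet is not for this VIP."""
        if (pkt["intf"] != self.extintf or pkt["dst"] != self.extip
                or pkt["proto"] != self.proto
                or not self.ext_lo <= pkt["dport"] <= self.ext_hi):
            return None
        out = dict(pkt)
        out["dst"] = self.mappedip
        out["dport"] = self.map_lo + (pkt["dport"] - self.ext_lo)   # keep the offset within the range
        return out


# The recipe's three VIPs: same external and mapped ports, grouped for one policy.
VIP_GROUP = [
    VirtualIP("server_tcp_7882_7999", "172.20.120.226", "wan1", "192.168.1.200", TCP, (7882, 7999)),
    VirtualIP("server_udp_2119", "172.20.120.226", "wan1", "192.168.1.200", UDP, 2119),
    VirtualIP("server_udp_2995", "172.20.120.226", "wan1", "192.168.1.200", UDP, 2995),
]


def dnat(pkt, vips=VIP_GROUP):
    """Apply the first matching VIP; return (vip name, translated packet) or None for no match."""
    for vip in vips:
        out = vip.translate(pkt)
        if out is not None:
            return vip.name, out
    return None


def inbound(proto, dport, src="198.51.100.7", sport=50000):
    """Constructed Internet-side packet arriving on wan 1 for the FortiGate's public address."""
    return {"intf": "wan1", "src": src, "sport": sport, "dst": "172.20.120.226",
            "proto": proto, "dport": dport}


if __name__ == "__main__":
    print(dnat(inbound(TCP, 7900)))   # ('server_tcp_7882_7999', {..., 'dst': '192.168.1.200', 'dport': 7900})
    print(dnat(inbound(TCP, 8000)))   # None: no VIP matches, so the VIP policy never matches either
```

A packet for TCP 8000, or for UDP 2119 sent over TCP, returns None: nothing rewrites its destination, the VIP-group policy therefore does not match it, and the implicit deny drops it. That is the property the security policy relies on.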

Results

Go to Policy > Monitor > Policy Monitor to see the active sessions.

Select the blue bar for more information.

Go to Log & Report > Traffic Log > Forward Traffic to see the logged activity.

Select an entry for more information.

UTM Profiles

UTM profiles, including antivirus, web filtering, application control, intrusion protection (IPS), email filtering, and data leak prevention (DLP), apply core UTM security functions to traffic accepted by security policies. The FortiGate unit includes default UTM profiles for all of these security features. You can apply UTM features to traffic accepted by a security policy by selecting the default profiles for the UTM features that you want to apply.

The default profiles are designed to provide basic protection. You can modify the default profiles, and group them, for your needs or create new ones. Creating multiple profiles means you can apply different levels of protection to different traffic types according to the security policies that accept the traffic.

Endpoint control profiles are created to ensure that workstation computers, also known as endpoints, on your network meet the network’s security requirements; otherwise, they are not permitted access. Enhanced by Fortinet’s FortiClient Endpoint Security software, FortiGate endpoint control can block or control access through the FortiGate unit for workstation computers depending on the security functions enabled on the computers and the applications running on them. After creating endpoint control profiles, you can add endpoint security profiles to security policies.

The final UTM profile feature, vulnerability scanning is independent of security policies. By using vulnerability scanning, you can scan computers on your network for multiple vulnerabilities, and take action to remove those vulnerabilities.

Visualizing and controlling the applications on your network using application control

This example sets up application monitoring in security policies to determine which applications contribute to high bandwidth usage on the network or to employee distraction, and then blocks those applications.

[Network diagram: Internet - FortiGate WAN 1 | Internal - Internal network]

1. Add an application control sensor

2. Add a security policy to use the application control sensor

3. Review the data from the application control monitor

4. Block high bandwidth applications

5. Add a security policy to use the blocking application control sensor

6. Results

Step One: Add an application control sensor

Go to UTM Security Profiles > Application Control > Application Sensor.

Select the plus icon in the upper right corner of the window to create a new sensor list for monitoring application traffic.

Select Create New to add a new application filter. Ensure you set the Action to Monitor.

At this stage in the process, you want to watch the application traffic to determine where problems, if any, are occurring.

Step Two: Add a security policy to use the application control sensor

Go to Policy > Policy > Policy.

Edit the security policy allowing internal users to access the Internet and apply the application control sensor in the UTM Security Profiles section.

Step Three: Review the data from the application control monitor

Go to UTM > Monitor > Application Monitor.

Select each blue bar to see further details on the usage statistics.

Go to Log & Report > Traffic Log > Forward Traffic.

You can see the sensor is working and picking up on various application traffic.

Step Four: Block high-bandwidth applications

Go to UTM Security Profiles > Application Control > Application Sensor.

Select the plus icon in the upper right corner of the window to create a new sensor list for blocking application traffic.

Select Create New to add a new application filter.

Select the options for streaming media, instant messaging clients, social media and peer-to-peer file sharing.

Ensure you set the Action to Block.

Step Five: Add a security policy to use the block application control sensor

Go to Policy > Policy > Policy.

Edit the security policy allowing internal users to access the Internet and apply the block application control sensor in the UTM Security Profiles section.

Results

Go to Log & Report > Traffic Log > Forward Traffic.

You can see the sensor is working and blocking the selected application traffic.

Select an entry to see more details.

Configuring web filter overrides and local ratings

This example sets up overrides for blocked web sites. It adds web filter profiles that block a site until the user authenticates to override the block. Once authenticated, the user has only a limited amount of time to visit the site.

[Network diagram: FortiGuard - Internet - FortiGate WAN 1 | LAN - Internal network]

1. Configure users and user groups

2. Configure rating overrides and web filter profiles

3. Edit the security policy to include the web filter UTM profile

4. Results

Step One: Configure users and user groups

Go to User & Device > User > User Definition.

Add users. These users will be allowed to override the web filter blocking.

Go to User & Device > User > User Group and add the users to a group.

Step Two: Configure rating overrides and web filter profiles

Go to UTM Security Profiles > Web Filter > Rating Overrides.

Select Lookup Rating to see the FortiGuard rating for a URL.

Select Custom Categories, then Create New, and add a new category name (Web News) for the URL.

Go to UTM Security Profiles > Web Filter > Profile.

Create a web filter profile (Overrided_URLs) that allows the Web News, Streaming Media and Download categories.

Create a second profile that blocks the new Web News category, as well as the Streaming Media and Download categories.

Select the blue arrow to expand the Advanced Filter section.

Enable Allow Blocked Override and set Assign to the Overrided_URLs profile.

Step Three: Edit the security policy to include the web filter UTM profile

Go to Policy > Policy > Policy.

Edit the policy allowing outbound traffic from the internal network and add the blocking web filter profile.

Results

In a web browser, go to cnn.com. The FortiGate unit blocks the web site and offers an override option.

Select Override. You are prompted to authenticate to view the page.

Once successfully authenticated, you are granted access for 15 minutes from your IP address only. This access covers all categories allowed by the Overrided_URLs web filter profile.

Go to Log & Report > Traffic Log > Forward Traffic and filter the destination to the IP address of cnn.com (157.166.255.19).

Select an entry for more information.

Protecting a web server from vulnerabilities and DoS attacks using IPS

This example uses IPS to protect a web server by placing the web server on the internal network behind a virtual IP and creating a security policy that allows web access from the Internet to the server. IPS is added to the policy to protect the server from attacks.

[Network diagram: Internet (attacks) - FortiGate WAN 1 (172.20.120.24) | LAN (192.168.1.99/24) - Internal network with web server; VIP 172.20.120.24 --> 192.168.1.200]

1. Configure IPS to detect and protect against common attacks

2. Add a security profile that includes the IPS UTM profile

3. Add a DoS security policy using IPS

4. Results


Step One: Configure IPS to detect and protect against common attacks

Go to UTM Security Profiles > Intrusion Protection > IPS Sensor.

Create a new sensor.

Select Create New and add a new IPS filter.


Step Two: Add a security profile that includes the IPS UTM profile

Go to Policy > Policy > Policy.

Edit the security policy allowing traffic to the web server from the Internet and add the new IPS sensor.


Step Three: Add a DoS security policy using IPS

Go to Policy > Policy > DoS Policy.

Create a new policy. The Incoming Interface is the one connected to the Internet.


Results

Perform a DoS tcp_sync_flood attack on the web server IP address. The TCP SYN sessions should be blocked once the threshold of 20 is reached.

Note: Ensure you have the proper IP address of your web server. Otherwise you may unwillingly cause a DoS attack on another server!

Go to Log & Report > UTM Security Log > Intrusion Protection.

Select an entry for more information.
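To see what the DoS policy's threshold does, here is an added Python example that is not FortiGate code: it counts bare SYN packets per destination inside a one-second sliding window (the window length is an assumption; the recipe only sets the threshold of 20) and reports from which packet a threshold of 20 starts blocking. The packet records are constructed for the example.

```python
from collections import defaultdict, deque

THRESHOLD = 20        # SYN packets per destination per window; the value the recipe sets
WINDOW_SECONDS = 1.0  # assumed window length; the GUI recipe does not state it


class SynFloodDetector:
    """Per-destination rate check for bare TCP SYN packets (defender-side model)."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._recent = defaultdict(deque)  # dst ip -> timestamps of SYNs still in the window
        self.flagged = set()               # destinations that crossed the threshold
        self.events = []                   # (ts, src, dst, syn_count) for each blocked packet

    def observe(self, ts, src, dst, flags):
        """Feed one packet summary (timestamp, src ip, dst ip, TCP flag letters).

        Returns "allow" or "block". Only bare SYNs (S without A) count, so the
        server's SYN-ACK replies and normal handshake ACKs never add to the rate.
        """
        if "S" not in flags or "A" in flags:
            return "allow"
        q = self._recent[dst]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire SYNs older than the window
            q.popleft()
        if len(q) > self.threshold:
            self.flagged.add(dst)
            self.events.append((ts, src, dst, len(q)))
            return "block"
        return "allow"


def sample_capture():
    """Constructed packet summaries, not a real capture."""
    pkts = [
        (0.00, "10.0.0.5", "192.168.1.200", "S"),    # normal handshake to the web server
        (0.01, "192.168.1.200", "10.0.0.5", "SA"),
        (0.02, "10.0.0.5", "192.168.1.200", "A"),
    ]
    # 30 bare SYNs from one source inside half a second: a small SYN flood
    pkts += [(0.10 + i * 0.015, "203.0.113.7", "192.168.1.200", "S") for i in range(30)]
    # a normal SYN well after the window has emptied again
    pkts.append((5.0, "10.0.0.6", "192.168.1.200", "S"))
    return pkts


def run_on_capture(packets, detector=None):
    """Return the per-packet verdicts and the detector holding the flagged destinations."""
    detector = detector or SynFloodDetector()
    verdicts = [detector.observe(*pkt) for pkt in packets]
    return verdicts, detector


if __name__ == "__main__":
    verdicts, det = run_on_capture(sample_capture())
    print("blocked packets:", verdicts.count("block"), "of", len(verdicts))
    for ts, src, dst, count in det.events[:3]:
        print(f"t={ts:.3f}s {src} -> {dst}: {count} SYNs in window, blocked")
```

The first 20 SYNs in the window pass and the 21st onward are blocked, which is why the recipe's log shows hits only once the flood is under way.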


Blocking email/web traffic or files containing sensitive information

This example sets up data leak prevention (DLP) for the network by analyzing data using sensors for credit card numbers, watermarked files and file pattern matching. With these filters, the FortiGate unit will scan outgoing data for potential sensitive data breaches.

1. Create a DLP file matching pattern filter

2. Set up a DLP sensor with sensor criteria

3. Create an address range for the internal network

4. Add a security profile that includes the DLP sensor

5. Results

Network diagram: internal network - LAN - FortiGate - WAN 1 - Internet; the data leak the sensor stops is outbound traffic leaving through WAN 1.


Step One: Create a DLP file matching pattern filter

To create a file matching pattern, you need to create a DLP file filter.

Go to UTM Security Profiles > Data Leak Prevention > File Filter.

Create a new file filter table and add the file filter.

Step Two: Set up a DLP sensor with sensor criteria

Go to UTM Security Profiles > Data Leak Prevention > Sensor.

Create a new sensor. To this sensor you will add the filters the FortiGate unit uses to scan outgoing data.

Select Create New to add a filter to look for the file patterns.

Select Create New to add a filter to look for credit card number patterns.

Select Create New to add a filter to look for a corporate identifier, or watermark, in outgoing files.

Step Three: Create an address range for the internal network

Go to Firewall Objects > Address > Address.

Create an address range for the internal network. The FortiGate unit will scan any traffic from this range for data loss.


Step Four: Add a security profile that includes the DLP sensor

Go to Policy > Policy > Policy.

Create a security policy and enable the DLP sensor using the filters created.

Results

Upload a file containing a credit card number to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network.

Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.


Upload a watermarked file to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network.

Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.

Upload an exe file to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network.

Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.


Monitoring your network for undesirable behavior using client reputation

Client reputation enables you to monitor traffic from internal sources based on UTM profiles and risk ratings. Client reputation tracks client behavior and reports on the activities you determine are risky or otherwise noteworthy. This example enables client reputation on web filtering to monitor traffic from various sources to web sites.

1. Add client reputation to the network

2. Create a security policy

3. Results

Network diagram: internal network - Internal interface - FortiGate - WAN 1 - Internet.


Step One: Add client reputation to the network

Go to User & Device > Client Reputation > Reputation Definition.

Enable Client Reputation Tracking by selecting the Off button to turn the feature on.

To configure the profile, decide how risky or dangerous each type of behavior is to your network and rate them accordingly. The higher you rate a type of behavior, the more visible clients engaging in that behavior become in the client reputation monitor, and the more easily you can detect it.

Step Two: Create a security policy

Go to Policy > Policy > Policy. In the UTM Security Profiles section, enable the web filter profile. You can use the default profiles for data gathering purposes.


Results

Allow traffic to pass through the FortiGate unit for a day. Then go to User & Device > Client Reputation > Reputation Score to view the results.

Each user by device that met the threshold set appears in the chart. With this information, you can see where potential problems may occur or potential security breaches are imminent.

Select the blue bar for a device to see more information.

Client reputation only highlights risky activity. It does not include tools to stop the behavior. Rather, client reputation is a tool that exposes risky behavior. When you uncover risky behavior that concerns you, you can take additional action to stop it. That action could include adding more restrictive security policies to block the activity or increasing UTM protection. You can also take other measures outside your FortiGate unit to stop the activity.


Inspecting content on the network using flow-based UTM instead of proxy-based UTM

Flow-based scans examine files as they pass through, while proxy-based scans require that files are cached as they come in and examined once completely cached. Caching files takes more memory and system resources. UTM features using flow-based scans will continue to protect network traffic without interruption. Flow-based scanning is an ideal solution to ease the memory requirements of some UTM scans.

1. Enable flow-based antivirus

2. Enable flow-based web filtering

3. Add a firewall policy to include the new UTM security profiles

4. Results

Network diagram: internal network - Internal interface - FortiGate (flow-based web filter and antivirus) - WAN 1 - Internet; viruses are dropped as the traffic passes through.


Step One: Enable flow-based antivirus

Go to UTM Security Profiles > Antivirus > Profile.

Select the plus icon in the upper right corner and add a new AV profile.

Step Two: Enable flow-based web filtering

Go to UTM Security Profiles > Web Filter > Profile.

Select the plus icon in the upper right corner and add a new profile to block search engines and portals.


Step Three: Add a firewall policy to include the new UTM security profiles

Go to Policy > Policy > Policy.

Edit the policy allowing users to access the Internet and apply the flow-based profiles.

Results

To test the AV scanning, from a PC in the internal network, go to http://www.eicar.org and try to download a test file.

The browser will time out and display a message similar to what is shown here from Google Chrome.

Go to Log & Report > Traffic Log > Forward Traffic to see that the UTM profile is activated when attempting to download the file.

To test the web filtering, from a PC in the internal network, go to google.com.

The FortiGate unit displays a block message.

Go to UTM Security Profiles > Monitor > Web Monitor.

Select the blue bar in the chart to see further details by user.


Blocking large files from entering the network

If a file is too large to be properly scanned by the FortiGate unit, you need to make sure it still does not enter the network. This example configures data leak prevention (DLP) options to block large files from entering the network.

1. Set up a DLP sensor with a file matching pattern filter

2. Add a security profile that includes the DLP sensor

3. Results

Network diagram: Internet - WAN 1 - FortiGate - LAN - internal network; oversized files that could carry viruses or spyware are stopped at the FortiGate unit.


Step One: Set up a DLP sensor with a file matching pattern filter

Go to UTM Security Profiles > Data Leak Prevention > Sensor.

Create a new sensor. To this sensor you will add the filters the FortiGate unit uses to check incoming files.

Select Create New to add a filter to look for a file size threshold.


Step Two: Add a security profile that includes the DLP sensor

Go to Policy > Policy > Policy.

Create a security policy and enable the DLP sensor using the filters created.


Results

Any attempt to download a file larger than 10 MB is blocked.

The FortiGate unit displays a replacement message explaining why the attempt failed.

Go to Log & Report > Traffic Log > Forward Traffic.

Select an entry to see information on the blocked file.
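The filters the two DLP recipes above build (credit card numbers, a corporate watermark, a file name pattern and the 10 MB size threshold), applied to constructed file transfers. This is an added Python example, not FortiGate code: the WATERMARK string and the sample files are constructed, the entry types are assumptions, and the credit card rule adds a Luhn check so that a random 16-digit order number is not reported as a card.

```python
import fnmatch
import re

# --- sensor criteria, mirroring the filters created in the recipes ---
WATERMARK = b"CORP-WATERMARK:EXAMPLE-CONFIDENTIAL"  # constructed stand-in for the corporate identifier
FILE_PATTERNS = ["*.exe"]                             # file matching pattern (blocked file types)
MAX_FILE_BYTES = 10 * 1024 * 1024                     # file size threshold from the large-file recipe

# 13 to 19 digits, optional single space or dash between digits, not embedded in a longer number
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the candidate numbers that also pass Luhn, separators removed."""
    hits = []
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_transfer(filename, data):
    """Return the names of the sensor filters an outgoing transfer triggers ([] means allow)."""
    triggered = []
    text = data.decode("utf-8", errors="ignore")
    if find_card_numbers(text):
        triggered.append("credit-card")
    if WATERMARK in data:
        triggered.append("watermark")
    if any(fnmatch.fnmatch(filename.lower(), pat) for pat in FILE_PATTERNS):
        triggered.append("file-pattern")
    if len(data) > MAX_FILE_BYTES:
        triggered.append("file-size")
    return triggered


def verdict(filename, data):
    return "block" if scan_transfer(filename, data) else "allow"


def sample_transfers():
    """Constructed uploads: (filename, content)."""
    return [
        ("memo.txt", b"Please charge card 4111 1111 1111 1111, exp 12/29."),   # Luhn-valid test number
        ("invoice.txt", b"Order ref 1234567890123456 shipped today."),          # 16 digits, fails Luhn
        ("report.docx", b"Q3 figures " + WATERMARK + b" do not distribute"),
        ("Setup.EXE", b"MZ\x90\x00"),
        ("archive.zip", b"\x00" * (MAX_FILE_BYTES + 1)),
        ("notes.txt", b"nothing sensitive here"),
    ]


if __name__ == "__main__":
    for name, content in sample_transfers():
        print(f"{name:12} {verdict(name, content):5} {scan_transfer(name, content)}")
```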


Blocking access to specific web sites

This example sets up the FortiGate unit to block users from viewing specific web sites using web filtering.

1. Create a new web filter block list

2. Add the block list to a web filter profile

3. Add a security profile that includes the web filter UTM profile

4. Results

Network diagram: internal network - LAN - FortiGate - WAN 1 - Internet; the blocked site is on the Internet.


Step One: Create a new web filter block list

Go to UTM Security Profiles > Web Filter > URL Filter.

Create a new filter list for blocked URLs.

Select Create New to enter a list of URLs you want to prevent users from accessing.

Using the asterisk (*) as a wildcard in the URL ensures any sub-domain for the site is also blocked.

Step Two: Add the block list to a web filter profile

Go to UTM Security Profiles > Web Filter > Profile.

Create a new profile and expand the Advanced Filter. Select the new block list in the Web URL Filter.


Step Three: Add a security profile that includes the web filter UTM profile

Go to Policy > Policy > Policy.

Edit the policy allowing outbound traffic from the internal network to include UTM security profiles and select the new profile.

Results

In a web browser, attempt to visit fortinet.com and docs.fortinet.com. In both cases, the FortiGate unit displays a message.


Go to Log & Report > Traffic Log > Forward Traffic.

Select an entry for more information.
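How a block list entry is applied to requested URLs, as an added Python example that is not FortiGate code: the entry is matched against the host part of the URL only, and the two tables show why a leading asterisk (*fortinet.com) also catches unrelated hosts that merely end in the same string, while *.fortinet.com on its own misses the bare domain. The entry types (simple, wildcard, regex) and the example hosts are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit


def host_of(url):
    """Lower-cased host of a URL; a bare 'fortinet.com' typed into the browser is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def wildcard_to_regex(pattern):
    """Each '*' may stand for any run of characters; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


class UrlFilter:
    """An ordered URL filter table: entries are (pattern, type, action), first match wins."""

    def __init__(self, entries):
        self.rules = []
        for pattern, kind, action in entries:
            if kind == "simple":
                rx = re.compile("^" + re.escape(pattern.lower()) + "$")
            elif kind == "wildcard":
                rx = wildcard_to_regex(pattern.lower())
            elif kind == "regex":
                rx = re.compile(pattern, re.IGNORECASE)
            else:
                raise ValueError(f"unknown entry type {kind!r}")
            self.rules.append((rx, action, pattern))

    def check(self, url):
        """Return (action, matching_pattern); ("allow", None) when no entry matches the host."""
        host = host_of(url)
        for rx, action, pattern in self.rules:
            if rx.search(host):
                return action, pattern
        return "allow", None


if __name__ == "__main__":
    # block list as in the recipe: one wildcard entry covering the site and its sub-domains
    loose = UrlFilter([("*fortinet.com", "wildcard", "block")])
    # tighter alternative: sub-domains by wildcard, the bare domain by a simple entry
    tight = UrlFilter([("*.fortinet.com", "wildcard", "block"),
                       ("fortinet.com", "simple", "block")])
    for url in ["fortinet.com", "https://docs.fortinet.com/", "http://notfortinet.com/",
                "https://www.example.org/?q=fortinet.com"]:
        print(f"{url:45} loose={loose.check(url)[0]:5} tight={tight.check(url)[0]}")
```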


Blocking HTTPS traffic with web filtering

Some websites are accessible using the http and https protocols, such as YouTube and Facebook. This example steps through how to block https access to these websites using either proxy-based or flow-based web filtering profiles. You will need to have your FortiGate licensed for FortiGuard services.

1. Verify FortiGuard services are enabled

2. Create a web filter profile

3. Create an SSL inspection profile

4. Create a security profile with the web filter and SSL profiles

5. Results

Network diagram: internal network - Internal interface - FortiGate - WAN 1 - Internet; HTTPS requests to YouTube and Facebook are rated using FortiGuard.


Step One: Verify FortiGuard services are enabled

Go to System > Dashboard > Status.

In the Licence Information widget, verify that the FortiGate unit is connected to the FortiGuard servers. A green check mark should appear next to the services you are subscribed to.

Step Two: Create a web filter profile

Go to UTM Security Profiles > Web Filter > Profile. Select the plus icon in the upper-right corner to create a new profile.

Ensure the inspection mode is set to Proxy. You can also set the Inspection Mode to Flow-based or DNS.


Step Three: Create an SSL inspection profile

Go to Policy > Policy > SSL/SSH Inspection.

Select the plus icon in the upper-right corner to create a new profile and enable only the HTTPS option.

Step Four: Create a security profile

Go to Policy > Policy > Policy.

Create a new security policy that uses the new SSL/SSH inspection profile and the HTTPS web filter profile.


Results

In a web browser, go to https://youtube.com. The web page is blocked and a FortiGate replacement message is put up in its place.

If you chose DNS block or redirect, when you visit https://youtube.com, the browser will time out. FortiGuard will not display a message.

Go to System > Admin > Settings.

Enable UTM Monitoring in the Display Options on GUI area.

Go to UTM Security Profiles > Monitor > Web Monitor.


SSL and IPsec VPN

SSL is an easy to use, application-level, network-independent method of ensuring private communication over the Internet. Commonly used to protect the privacy of online shopping payments, customers' web browsers can almost transparently switch to using SSL for secure communication without customers being required to do any SSL-related configuration or to have any extra SSL-related software.

The FortiGate SSL VPN configuration requires an SSL VPN web portal for users to log into, a user authentication configuration to allow SSL VPN users to log in, and the creation of SSL VPN security policies that control the source and destination access of SSL VPN users. SSL VPN security policies can also apply UTM and other security features to all SSL VPN traffic.

IPsec VPN is a common method for enabling private, secure communication over the Internet. IPsec supports a client-server architecture similar to that of SSL VPN. However, to support a client-server architecture, IPsec clients must install and configure an IPsec VPN client (such as Fortinet’s FortiClient Endpoint Security) on their PCs or mobile devices.

IPsec VPN supports more configuration options than SSL VPN. A common application of IPsec VPN is a gateway-to-gateway configuration that allows users to transparently communicate between remote networks over the Internet. When a user on one network starts a communication session with a server on the other network, a security policy configured for IPsec VPN intercepts the communication session and uses an associated IPsec configuration both to encrypt the session for privacy and to transparently route the session over the Internet to the remote network. At the remote network the encrypted communication session is intercepted and decrypted by the IPsec gateway, and the unencrypted traffic is forwarded to the server.

Many variations of the gateway-to-gateway configuration are available depending on the requirements.

All communication over IPsec VPNs is controlled by security policies. Security policies allow for full access control and can be used to apply UTM and other features to IPsec VPN traffic. Fortinet IPsec VPNs employ industry standard features to ensure the best security and interoperability with industry standard VPN solutions provided by other vendors.


Protecting traffic between company headquarters and branch offices using IPsec VPN

This example uses a gateway-to-gateway IPsec VPN, and assumes that both offices have connections to the Internet with static IP addresses. This configuration uses a policy-based IPsec VPN.

1. Configure the HQ IPsec VPN Phase 1 and Phase 2 settings

2. Add HQ addresses for the local and remote LAN on the HQ FortiGate unit

3. Create an HQ IPsec security policy

4. Configure the Branch IPsec VPN Phase 1 and Phase 2 settings

5. Add Branch addresses for the local and remote LAN on the HQ FortiGate unit

6. Create a Branch IPsec security policy

7. Results

Network diagram: the HQ FortiGate unit connects to the Internet on port3 (172.20.120.141) and to the HQ internal network on port1 (192.168.1.99/24); the Branch FortiGate unit connects to the Internet on wan1 (172.20.120.123) and to the Branch internal network on port4 (10.10.1.99/24); an IPsec tunnel joins the two units across the Internet.


Step One: Configure the HQ IPsec VPN Phase 1 and Phase 2 settings

Go to VPN > IPsec > Auto Key (IKE).

Select Create New Phase 1.

Go to VPN > IPsec > Auto Key (IKE).

Select Create New Phase 2.


Step Two: Add HQ addresses for the local and remote LAN on the HQ FortiGate unit

Go to Firewall Objects > Address > Address.

Create a local address and a remote LAN address.

Step Three: Create an HQ IPsec security policy

Go to Policy > Policy > Policy.

When complete, make sure it is at the top of the policy list by clicking on the policy sequence number and dragging the row to the top of the policy table.


Step Four: Configure the Branch IPsec VPN Phase 1 and Phase 2 settings

Go to VPN > IPsec > Auto Key (IKE).

Select Create New Phase 1.

Go to VPN > IPsec > Auto Key (IKE).

Select Create New Phase 2.


Step Five: Add Branch addresses for the local and remote LAN on the HQ FortiGate unit

Go to Firewall Objects > Address > Address.

Create a local address and a remote LAN address.

Step Six: Create a Branch IPsec security policy

Go to Policy > Policy > Policy.

When complete, make sure it is at the top of the policy list by clicking on the policy sequence number and dragging the row to the top of the policy table.


Results

Go to VPN > Monitor > IPSec Monitor to verify the status of the VPN tunnel. It should be up.

From the Headquarters FortiGate unit go to Log & Report > Traffic Log > Forward Traffic.

From the Branch FortiGate unit go to Log & Report > Traffic Log > Forward Traffic.

A user on either of the office networks should be able to connect to any address on the other office network transparently.

For example, from a PC on the Branch office with IP address 10.10.1.100 you should be able to ping a device on the Headquarters network with the IP address 192.168.1.114 and vice versa.


Providing remote users with access to a corporate network and Internet using SSL VPN

This example sets up remote users to connect to the corporate network using SSL VPN, and use the FortiGate UTM for surfing the Internet. During the connecting phase, the FortiGate unit will also verify that the remote user’s antivirus software is installed and current.

1. Create an SSL VPN tunnel for remote users

2. Create user definitions and add them to a group

3. Add an address for the local network

4. Add security profiles for access to the Internet and internal network

5. Set the FortiGate unit to verify users have current antivirus software

6. Results

Network diagram: a remote SSL VPN user on the Internet reaches WAN 1 (172.20.120.123) of the FortiGate unit, where the SSL VPN tunnel interface (sslroot) terminates; Port 1 (192.168.1.99/24) connects to the internal network, which includes a Windows Server at 192.168.1.114; the user's Internet browsing also passes through the FortiGate unit.


Step One: Create an SSL VPN tunnel for remote users

Go to VPN > SSL > Portal.

Edit the full-access portal.

Leave Enable Split Tunneling disabled, so that all Internet traffic goes through the FortiGate unit and is subject to the corporate UTM profiles.

The full-access portal allows the use of tunnel mode and/or web mode. In this scenario we are using both modes.

Select Create New in the Include Bookmarks area to add a bookmark for a remote desktop link/connection.


Step Two: Create user definitions and add them to a group

Go to User & Device > User > User Definition.

Add a remote user.

Go to User & Device > User > User Group.

Add the user to a user group for SSL VPN connections.

Step Three: Add an address for the local network

Go to Firewall Objects > Address > Address.

Add the address for the local network.


Step Four: Add security profiles for access to the Internet and internal network

Go to Policy > Policy > Policy.

Add a security policy allowing access to the internal network.

Add a security policy allowing access to the Internet.

For this policy, the Incoming Interface is the sslvpn tunnel interface and the Outgoing Interface is wan1. This way, remote SSL VPN users access the Internet through the FortiGate unit.


Step Five: Set the FortiGate unit to verify users have current antivirus software

Go to System > Status > Dashboard.

In the CLI Console widget, enter the commands on the right to enable the host check for compliant antivirus software on the remote user’s computer.

Results

Log into the portal as twhite.

The FortiGate unit performs the host check.


After the check is complete, the portal appears.

Web mode: select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Web Application description indicates that the user is using web mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

Tunnel mode: in the Tunnel Mode widget, select Connect to enable the tunnel.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Tunnel description indicates that the user is using tunnel mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

Internet access occurs simultaneously through the FortiGate unit. Go to Log & Report > Traffic Log > Forward Traffic and select an entry to see more information.


Securing remote access to the office network using FortiClient IPsec VPN

This example sets up a remote user and user group to provide protected access to the corporate network. The remote users use the FortiClient Endpoint Protection software to connect to the VPN tunnel. This example sets up the user to access the internal network as well as access the Internet through the FortiGate unit, to provide a secure surfing experience using the FortiGate UTM features.

1. Create a new FortiClient user and add to a user group

2. Create an IPsec FortiClient VPN tunnel

3. Add addresses for the local LAN and remote FortiClient users

4. Create security policies for access to the internal network and Internet

5. Results

Network diagram: a remote user running FortiClient connects over the Internet through an IPsec tunnel to wan1 (172.20.120.123) of the FortiGate unit; port1 (192.168.1.99/24) connects to the internal network.


Step One: Create a new FortiClient user and add to a user group

Go to User & Device > User > User Definition.

Create a new user.

Go to User & Device > User > User Group.

Create a user group for FortiClient users and add user twhite.

Step Two: Create an IPsec FortiClient VPN tunnel

Go to VPN > IPsec > Auto Key (IKE).

Select Create FortiClient VPN.


Step Three: Add addresses for the local LAN and remote FortiClient users

Go to Firewall Objects > Address > Address.

Step Four: Create security policies for access to the internal network and Internet

Go to Policy > Policy > Policy.

Create a security policy allowing remote FortiClient users to access the internal network.


Go to Policy > Policy > Policy.

Create a security policy allowing remote FortiClient users to access the Internet securely through the FortiGate unit.

Results

Launch FortiClient, go to Remote Access and add a new connection.


Connect using the user name twhite.

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor to see the status of the tunnel.

Go to Log & Report > Traffic Log > Forward Traffic and filter by the policy ID controlling the FortiClient VPN traffic.

Verify the IP address assigned to the remote user by the FortiGate unit, which is 10.10.1.100.

All hosts in the internal network should be accessible using the FortiClient VPN. To test this, ping an internal server set to IP 192.168.1.114 and log on to it using RDP.


Securing remote access to the office network for an iOS device over IPsec VPN

This example sets up a remote user and user group to provide protected access to the corporate network. The remote users use their iPad to connect to the VPN tunnel. This example sets up the user to access the internal network as well as access the Internet through the FortiGate unit, to provide a secure surfing experience using the FortiGate UTM features. This example uses an iPad 2 running iOS 6.1.2. Menu options may vary for different iOS versions and devices.

1. Create a new user and add to a user group

2. Add addresses for the local LAN and remote users

3. Configure the IPsec VPN Phase 1 and Phase 2 settings

4. Create security policies for access to the internal network and Internet

5. Results

Network diagram: a remote user on an iPad connects over the Internet through an IPsec tunnel to wan1 (172.20.120.123) of the FortiGate unit; Port 1 (192.168.1.99/24) connects to the internal network.


Step One: Create a new user and add to a user group

Go to User & Device > User > User Definition.

Create a new user.

Go to User & Device > User > User Group.

Create a user group for iOS users and add user twhite.

Step Two: Add addresses for the local LAN and remote users

Go to Firewall Objects > Address > Address.

Step Three: Configure the IPsec VPN Phase 1 and Phase 2 settings

Go to VPN > IPSec > Auto Key (IKE).

Select Create Phase 1.

For the Mode, select Main.

In the Advanced section select Enable IPsec Interface Mode and select 2 for the DH Group.

Enable XAUTH and select the user group ios_group.

Go to VPN > IPSec > Auto Key (IKE).

Select Create Phase 2.

In the Advanced section select 2 for the DH Group.

Once you complete the tunnel configuration, go to System > Dashboard > Status and enter the commands here in the CLI widget.


Step Four: Create security policies for access to the internal network and Internet

Go to Policy > Policy > Policy.

Create a security policy allowing remote iOS users to access the internal network.

Go to Policy > Policy > Policy.

Create a security policy allowing remote iOS users to access the Internet securely through the FortiGate unit.


Results

On the iPad, go to Settings > General > VPN and select Add VPN Configuration.

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and see the status of the tunnel.

Hosts on the internal network are accessible from the iPad.

Go to Log & Report > Traffic Log > Forward Traffic to see the traffic.

Select an entry to view more information.

Remote iOS users can also access the Internet securely via the FortiGate unit.

Go to Log & Report > Traffic Log > Forward Traffic to see the traffic.

Select an entry to view more information.


Redundant OSPF routing between two remote networks over IPsec VPN

This example sets up secure communication between two remote networks using redundant OSPF routes.

1. Create redundant IPsec tunnels on FortiGate 1

2. Create IP addresses for the IPsec interfaces on FortiGate 1

3. Configure OSPF on FortiGate 1

4. Configure firewall addresses on FortiGate 1

5. Configure security policies on FortiGate 1

6. Create redundant IPsec tunnels for FortiGate 2

7. Create IP addresses for the IPsec interfaces on FortiGate 2

8. Configure OSPF on FortiGate 2

9. Configure firewall addresses on FortiGate 2

10. Configure security policies on FortiGate 2

11. Results

Network diagram: FortiGate 1 (HQ) has WAN 1 172.20.120.24, WAN 2 172.20.120.23 and an internal interface 10.20.1.1/24; FortiGate 2 (Branch) has WAN 1 172.20.120.123, WAN 2 172.20.120.127 and an internal interface 10.21.1.1/24; two IPsec tunnels cross the Internet (WAN 1 to WAN 1 and WAN 2 to WAN 2) and OSPF runs over both.


Step One: Create redundant IPSec tunnels on FortiGate 1

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the primary tunnel.

Select Advanced and select Enable IPSec Interface Mode.

Select Create Phase 2.


Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the secondary tunnel.

Select Advanced and select Enable IPSec Interface Mode.

Select Create Phase 2.


Step Two: Create IP addresses for the IPsec interfaces on FortiGate 1

Go to System > Network > Interface.

Select the arrow for wan1 to expand the list. Edit the primary tunnel interface.

Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface.

Step Three: Configure OSPF on FortiGate 1

Go to Router > Dynamic > OSPF.

Enter the Router ID for FortiGate 1.

Select Create New in the Area section.

Add the backbone area of 0.0.0.0.

Select Create New in the Networks section.

Create the networks and select Area 0.0.0.0 for each one.

Select Create New in the Interfaces section.

Create the primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Step Four: Configure firewall addresses on FortiGate 1

Go to Firewall Objects > Address > Address.

Edit the subnets behind FortiGate 1 and FortiGate 2.

Edit the primary and secondary interfaces of FortiGate 2.

Step Five: Configure security policies on FortiGate 1

Go to Policy > Policy > Policy.

Create security policies for each primary and secondary interface to the FortiGate 2 primary and secondary interfaces.


Step Six: Create redundant IPsec tunnels on FortiGate 2

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the primary tunnel.

Select Advanced and select Enable IPSec Interface Mode.

Select Create Phase 2.

Go to VPN > IPsec > Auto Key (IKE).

Select Create Phase 1 and create the secondary tunnel.

Select Advanced and select Enable IPSec Interface Mode.

Select Create Phase 2.


Step Seven: Create IP addresses for the IPsec interfaces on FortiGate 2

Go to System > Network > Interface.

Select the arrow for wan1 to expand the list. Edit the primary tunnel interface.

Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface.

Step Eight: Configure OSPF on FortiGate 2

Go to Router > Dynamic > OSPF.

Enter the Router ID for FortiGate 2.

Select Create New in the Area section.

Add the backbone area of 0.0.0.0.

Page 193: Fortigate Cookbook 502

193

Step Nine: Configure firewall addresses on FortiGate 2

Go to Firewall Objects > Address > Address.

Edit the subnets behind FortiGate 1 and FortiGate 2.

Return to Router > Dynamic > OSPF and select Create New in the Networks section.

Create a network entry for each subnet that takes part in OSPF (the subnet behind the FortiGate and the two tunnel subnets) and select Area 0.0.0.0 for each one.

Select Create New in the Interfaces section.

Create entries for the primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface, matching the costs configured on FortiGate 1.

Edit the primary and secondary interfaces of FortiGate 1.

Step Ten: Configure security policies on FortiGate 2

Go to Policy > Policy > Policy.

Create security policies between the internal interface and each tunnel interface (primary and secondary), in both directions, so that the subnet behind FortiGate 2 can reach the subnet behind FortiGate 1 over whichever tunnel OSPF selects.
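The FortiGate 2 side of Steps Six to Ten in CLI form, as an added example that is not taken from the cookbook. The syntax is the FortiOS 5.0 generation; verify keyword names against the CLI Reference for your firmware before pasting. Values the page does not state are assumptions: the LAN interface name "internal", FortiGate 1's public addresses 203.0.113.1 (wan1) and 198.51.100.1 (wan2), the router ID 10.21.1.1, and pre-shared-key authentication. FortiGate 1 mirrors this configuration with the tunnel addresses, subnets and gateway addresses swapped.

```fortios
# Added example, not from the cookbook. Assumed: LAN interface "internal", FortiGate 1 at 203.0.113.1 (wan1) and 198.51.100.1 (wan2), PSK auth.
config vpn ipsec phase1-interface            # Step Six: two interface-mode (route-based) tunnels; DPD is on by default and is what takes a tunnel interface down
    edit "primary"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "use-a-long-random-secret"
    next
    edit "secondary"
        set interface "wan2"
        set remote-gw 198.51.100.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "use-a-long-random-secret"
    next
end
config vpn ipsec phase2-interface            # selectors stay 0.0.0.0/0; OSPF decides what crosses each tunnel
    edit "primary-p2"
        set phase1name "primary"
        set proposal aes256-sha256
    next
    edit "secondary-p2"
        set phase1name "secondary"
        set proposal aes256-sha256
    next
end
config system interface                      # Step Seven: /32 on each tunnel end, peer address given by remote-ip
    edit "primary"
        set ip 10.1.1.2 255.255.255.255
        set remote-ip 10.1.1.1
    next
    edit "secondary"
        set ip 10.2.1.2 255.255.255.255
        set remote-ip 10.2.1.1
    next
end
config router ospf                           # Step Eight: backbone area; cost 10 vs 100 makes OSPF prefer the primary tunnel
    set router-id 10.21.1.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.21.1.0 255.255.255.0   # LAN behind FortiGate 2
            set area 0.0.0.0
        next
        edit 2
            set prefix 10.1.1.0 255.255.255.0    # primary tunnel addresses
            set area 0.0.0.0
        next
        edit 3
            set prefix 10.2.1.0 255.255.255.0    # secondary tunnel addresses
            set area 0.0.0.0
        next
    end
    config ospf-interface
        edit "ospf-primary"
            set interface "primary"
            set network-type point-to-point
            set cost 10
        next
        edit "ospf-secondary"
            set interface "secondary"
            set network-type point-to-point
            set cost 100
        next
    end
end
config firewall address                      # Step Nine: the two protected subnets
    edit "net-behind-fg1"
        set subnet 10.20.1.0 255.255.255.0
    next
    edit "net-behind-fg2"
        set subnet 10.21.1.0 255.255.255.0
    next
end
config firewall policy                       # Step Ten: one policy per direction per tunnel, no NAT, subnet-restricted
    edit 1
        set srcintf "internal"
        set dstintf "primary"
        set srcaddr "net-behind-fg2"
        set dstaddr "net-behind-fg1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "primary"
        set dstintf "internal"
        set srcaddr "net-behind-fg1"
        set dstaddr "net-behind-fg2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end                                          # add entries 3 and 4: the same two policies with "secondary" in place of "primary"
```

On the CLI, `diagnose vpn tunnel list` shows the state of each tunnel, `get router info ospf neighbor` should list FortiGate 1's router ID in the Full state on both tunnel interfaces, and `get router info routing-table ospf` shows 10.20.1.0/24 via 10.1.1.1 while the primary is up. Failover speed is bounded by two timers: the primary route is withdrawn when DPD takes the tunnel interface down (tune `dpd-retrycount` and `dpd-retryinterval` in phase1-interface) or when the OSPF neighbor times out (`dead-interval` in ospf-interface, 40 seconds by default), whichever comes first. If a WAN link is blackholed rather than physically down, expect traffic to stall for up to that long before the secondary route takes over.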

Results

Verify the status of the primary and secondary IPsec VPN tunnels on FortiGate 1 and FortiGate 2.

Tunnels on both FortiGates should be UP.

Go to VPN > Monitor > IPsec Monitor to verify the status.

Verify the routing table on FortiGate 1 and FortiGate 2. The route to the remote subnet learned over the primary tunnel (the interface configured with cost 10) appears on both FortiGates.

Go to Router > Monitor > Routing Monitor. Select OSPF as the Type and select Apply Filter to show only the OSPF routes.

Verify that traffic flows via the primary tunnel.

From PC1 (IP address 10.20.1.100, behind FortiGate 1), run a tracert to PC2 (IP address 10.21.1.100, behind FortiGate 2), and vice versa.

From PC1, the trace should pass through 10.1.1.2, the primary tunnel interface IP address on FortiGate 2.

From PC2, the trace should pass through 10.1.1.1, the primary tunnel interface IP address on FortiGate 1.

The VPN between the two OSPF networks uses the primary connection. Disconnect the wan1 interface and confirm that the secondary tunnel is used automatically to maintain a secure connection. The switch is not instantaneous: the primary route is withdrawn only after the tunnel interface goes down or the OSPF neighbor times out (40 seconds by default), so allow for that gap before checking.

Verify the IPsec VPN tunnel status on FortiGate 1 and FortiGate 2. Both FortiGates should show the primary tunnel as DOWN and the secondary tunnel as UP.

Go to VPN > Monitor > IPsec Monitor to verify the status.

Verify the routing table on FortiGate 1 and FortiGate 2.

The route to the remote subnet learned over the secondary tunnel (the interface configured with cost 100) now appears on both FortiGate units, and the primary route is gone.

Go to Router > Monitor > Routing Monitor. Select OSPF as the Type and select Apply Filter to show only the OSPF routes.

Verify that traffic flows via the secondary tunnel.

From PC1 (IP address 10.20.1.100, behind FortiGate 1), run a tracert to PC2 (IP address 10.21.1.100, behind FortiGate 2), and vice versa. From PC1, the trace should pass through 10.2.1.2, the secondary tunnel interface IP address on FortiGate 2.

From PC2, the trace should pass through 10.2.1.1, the secondary tunnel interface IP address on FortiGate 1.

Authentication

Authentication is the act of confirming the identity of a person or other entity. In the context of a private computer network, the identities of users or host computers must be established to ensure that only authorized parties can access the network. The FortiGate unit enables controlled network access and applies authentication to users of security policies and VPN clients.

Identifying users and other computers (authentication) is a key part of network security. This chapter describes some basic configurations.

1. Install the FSSO Collector Agent

2. Configure the Single Sign-on Agent

3. Configure the FortiGate unit to connect to the FSSO agent

4. Add a FSSO user group

5. Add an address for the internal network

6. Add a security policy that includes an authentication rule

7. Results

Providing single sign-on on a Windows AD network by adding a FortiGate

This example uses the Fortinet Single Sign-On (FSSO) Collector Agent to integrate a FortiGate unit into the Windows AD domain.

Network diagram: the FortiGate connects to the Internet on WAN 1 (172.20.120.123) and to the internal network on Port 1 (192.168.1.99/24); the Windows AD server (192.168.1.114) sits on the internal network.

Step One: Install the FSSO Collector Agent

Run the setup for the Fortinet SSO Collector Agent. After logging in, configure the agent settings.

Add the Collector Agent address information.

Select the domains to monitor, and any users whose activity you do not wish to monitor.

Set the working mode and complete the installation.

Step Two: Configure the Single Sign-on Agent

If required, select Require authenticated connection from FortiGate, and add a password.

You will also enter this password when configuring FSSO on the FortiGate unit.

Step Three: Configure the FortiGate unit to connect to the FSSO agent

On the FortiGate unit, go to User & Device > Authentication > Single Sign-On.

Enter the password that you set on the Collector Agent in the previous step.

Step Four: Add a FSSO user group

On the FortiGate unit, go to User & Device > User > User Group.

Step Five: Add an address for the internal network

Go to Firewall Objects > Address > Address.

Step Six: Add a security policy that includes an authentication rule

Go to Policy > Policy > Policy.

Add an accept user identity security policy and add the new FSSO group.
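The FortiGate side of Steps Three to Six in CLI form, as an added example that is not taken from the cookbook. The collector address and the internal subnet come from the network diagram above; the collector password, the AD group DN "CN=Domain Users,CN=Users,DC=example,DC=com" and the WAN interface name "wan1" are assumptions. The identity-based policy syntax is the FortiOS 5.0 generation (later firmware attaches the groups directly to the policy); check the CLI Reference for your firmware.

```fortios
# Added example, not from the cookbook. Assumed: collector password, the AD group DN below, WAN interface "wan1".
config user fsso                              # Step Three: connection to the Collector Agent on the AD server
    edit "ad-collector"
        set server 192.168.1.114
        set port 8000                         # default Collector Agent listening port
        set password "same-secret-as-Require-authenticated-connection"
    next
end
config user group                             # Step Four: FSSO group mapped to an AD group learned from the collector
    edit "fsso-domain-users"
        set group-type fsso-service
        set member "CN=Domain Users,CN=Users,DC=example,DC=com"   # assumed AD group DN
    next
end
config firewall address                       # Step Five
    edit "internal-network"
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "port1"
    next
end
config firewall policy                        # Step Six: user identity policy; only sessions from a logged-on FSSO user match
    edit 1
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "internal-network"
        set dstaddr "all"
        set action accept
        set identity-based enable
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set groups "fsso-domain-users"
                set service "ALL"
            next
        end
    next
end
```

`diagnose debug authd fsso server-status` confirms that the FortiGate is connected to the collector, and `diagnose debug authd fsso list` shows the IP-to-user entries currently learned. Two caveats to plan for: FSSO binds a user to a source IP address, so hosts behind a NAT device or users on a shared workstation are all treated as whichever user logged on last, and a workstation that never logs off keeps its entry until the collector's dead entry timeout expires. Traffic from an IP address with no entry matches no FSSO group and falls through to the policies below this one, so keep the implicit deny in place rather than adding an unauthenticated catch-all.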

Results

Go to Log & Report > Traffic Log > Forward Traffic.

As users log on to the Windows AD domain, the Collector Agent passes their logon events to the FortiGate, which associates their traffic with the FSSO user and records the user name in the log.

Select an entry for more information.
