fortinet77.rssing.com (64.74.161.130), urlscan.io public scan

URL: https://fortinet77.rssing.com/chan-56127603/all_p18.html
Submission: On May 15 via manual from US — Scanned from DE

Channel: Fortinet Cookbook

Showing article 341 to 360 of 690 in channel 56127603
Channel Details:
 * Title: Fortinet Cookbook
 * Channel Number: 56127603
 * Language: eng
 * Registered On: November 6, 2015, 4:54 am
 * Number of Articles: 690
 * Latest Snapshot: November 6, 2019, 12:26 pm
 * RSS URL: http://cookbook.fortinet.com/feed
 * Publisher: https://cookbook.fortinet.com
 * Description: Recipes for success with Fortinet
 * Catalog: //fortinet77.rssing.com/catalog.php?indx=56127603

PREVENTING CERTIFICATE WARNINGS (DEFAULT CERTIFICATE)

June 9, 2017, 8:15 am

In this recipe, you will prevent users from receiving a security certificate
warning when your FortiGate performs full SSL inspection on incoming traffic.
There are several methods for doing this, depending on whether you are using
your FortiGate’s default certificate, a self-signed certificate, or a CA-signed
certificate. This recipe explains how you can prevent certificate warnings when
you are using your FortiGate’s default certificate.

When full SSL inspection is used, your FortiGate impersonates the recipient of
the originating SSL session, then decrypts and inspects the content. The
FortiGate then re-encrypts the content, creates a new SSL session between the
FortiGate and the recipient by impersonating the sender, and sends the content
to the end user. This is the same process used in “man-in-the-middle” attacks,
which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL
inspection.

Often, when users receive security certificate warnings, they simply select
Continue without understanding why the error is occurring. To avoid encouraging
this habit, you can prevent the warning from appearing in the first place.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6


USING THE DEFAULT CERTIFICATE

All FortiGates have a default certificate that is used for full SSL inspection.
This certificate is also used in the default deep-inspection profile. To prevent
users from seeing certificate warnings, you can install this certificate on
users’ devices.


1. GENERATING A UNIQUE CERTIFICATE

Run the following CLI command to generate an SSL certificate that is unique to
your FortiGate:

exec vpn certificate local generate default-ssl-ca


2. DOWNLOADING THE CERTIFICATE USED FOR FULL SSL INSPECTION

Go to Security Profiles > SSL/SSH Inspection. Use the drop-down menu in the top
right corner to select deep-inspection, which is the profile used to apply full
SSL inspection.

The default FortiGate certificate is listed as the CA Certificate. Select
Download Certificate.


3. IMPORTING THE CERTIFICATE INTO WEB BROWSERS

Once you have your FortiGate’s default certificate, you need to import the
certificate into users’ browsers.

The method you use for importing the certificate varies depending on the type of
browser.


INTERNET EXPLORER, CHROME, AND SAFARI (WINDOWS AND MACOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate
store for Internet browsing. If users will be using these browsers, you must
install the certificate into the certificate store for the OS.

If you are using Windows 7/8/10, double-click the certificate file
and select Open. Select Install Certificate to launch the Certificate Import
Wizard.

Use the wizard to install the certificate into the Trusted Root Certification
Authorities store. If a security warning appears, select Yes to install the
certificate.


If you are using macOS, double-click the certificate file to launch Keychain
Access.

Locate the certificate in the Certificates list and select it. Expand Trust and
select Always Trust. If necessary, enter the administrative password for your
computer to make this change.



FIREFOX (WINDOWS AND MACOS)

Firefox has its own certificate store. To avoid errors in Firefox, you must
install the certificate in this store, instead of the OS.

If users are using Firefox, instead of being pushed to all of their devices, the
certificate must be installed on each device.

In Firefox, go to Tools > Options > Advanced or Options > Advanced and select
the Certificates tab.

Select View Certificates, select the Authorities list. Import the certificate
and set it to be trusted for website identification.



4. RESULTS


Before you installed the certificate, an error message would appear in users’
browsers when they accessed a site that used HTTPS (this example shows an error
message in Firefox).

After you install the certificate, users should not experience a certificate
security issue when they browse to sites on which the FortiGate unit performs
SSL content inspection.


Users can view information about the connection and the certificate that is
used.

If users view information about the connection, they will see that it is
verified by Fortinet.

If users view the certificate in the browser, they will see the certificate
that is used and information about that certificate.

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.


If you have the right environment, such as the Windows Group Policy Management
Console, you can push the certificate to users’ browsers using the Windows Group
Policy Editor. In this case, you do not have to import the certificate into
users’ browsers.


The post Preventing certificate warnings (default certificate) appeared first on
Fortinet Cookbook.









PREVENTING CERTIFICATE WARNINGS (CA-SIGNED CERTIFICATE)

June 9, 2017, 8:15 am

In this recipe, you will prevent users from receiving a security certificate
warning when your FortiGate performs full SSL inspection on incoming traffic.
There are several methods for doing this, depending on whether you are using a
CA-signed certificate, your FortiGate’s default certificate, or a self-signed
certificate. This recipe explains how you can prevent certificate warnings when
you are using a CA-signed certificate.

When full SSL inspection is used, your FortiGate impersonates the recipient of
the originating SSL session, then decrypts and inspects the content. The
FortiGate then re-encrypts the content, creates a new SSL session between the
FortiGate and the recipient by impersonating the sender, and sends the content
to the end user. This is the same process used in “man-in-the-middle” attacks,
which is why a user’s device may show a security certificate warning.

For more information about SSL inspection, see Why you should use SSL
inspection.

Often, when users receive security certificate warnings, they simply select
Continue without understanding why the error is occurring. To avoid encouraging
this habit, you can prevent the warning from appearing in the first place.

Find this recipe for other FortiOS versions
5.2 | 5.6


USING A CA-SIGNED CERTIFICATE

In this method, you obtain a CA-signed certificate and install this certificate
on your FortiGate for use with SSL inspection. You can use either
FortiAuthenticator as a CA or a trusted private CA.

If you use FortiAuthenticator as a CA, you generate a certificate signing
request (CSR) on your FortiGate, have it signed on the FortiAuthenticator,
import the certificate into your FortiGate, and configure your FortiGate so the
certificate can be used for SSL deep inspection of HTTPS traffic.

If you use a trusted private CA, you generate a CSR on your FortiGate, apply for
an SSL certificate from a trusted private CA, import the certificate into your
FortiGate, and configure your FortiGate so the certificate can be used for SSL
deep inspection of HTTPS traffic. 

If your FortiAuthenticator is not configured as a CA, see FortiAuthenticator as
a Certificate Authority for more information.


1. GENERATING A CSR ON A FORTIGATE

On your FortiGate, go to System > Certificates and select Generate to create a
new CSR.

Enter a Certificate Name, the external IP of your FortiGate, and a valid email
address.

Make sure to set Key Type to RSA and Key Size to 2048 Bit. This ensures the
certificate is generated with a sufficiently strong key.


Once generated, the certificate will show a Status of Pending. Highlight the
certificate and select Download.

This will save a .csr file to your local drive.



2. GETTING THE CERTIFICATE SIGNED BY A CA


TRUSTED PRIVATE CA:

If you want to use a trusted private CA to sign the certificate, use the CSR to
apply for an SSL certificate with a trusted private CA.


FORTIAUTHENTICATOR:

If you want to use a FortiAuthenticator as a CA to sign the certificate, on the
FortiAuthenticator, go to Certificate Management > Certificate Authorities >
Local CAs and select Import.

Set Type to CSR to sign, enter a Certificate ID, and import the Example-cert.csr
file. Make sure to select the Certificate authority from the drop-down menu and
set the Hash algorithm to SHA-256.


Once imported, you should see that Example-cert has been signed by the
FortiAuthenticator, showing a Status of Active, and with the CA Type of
Intermediate (non-signing) CA. Highlight the certificate and select Export.

This will save a .crt file to your local drive.



3. IMPORTING THE SIGNED CERTIFICATE TO YOUR FORTIGATE

On your FortiGate, go to System > Certificates and select Local Certificate from
the Import drop-down menu. Browse to the certificate file and select OK. You
should now see that the certificate has a Status of OK.


4. EDITING THE SSL INSPECTION PROFILE

To use your certificate in an SSL inspection profile go to Security Profiles >
SSL/SSH Inspection. Use the dropdown menu in the top right corner to select
deep-inspection, which is the profile used to perform full SSL inspection.

In FortiOS 5.6, the deep-inspection profile is read-only. In order to use your
certificate for SSL inspection, you must create a new deep-inspection profile.

Set CA Certificate to use the new certificate.


5. IMPORTING THE CERTIFICATE INTO WEB BROWSERS

Once your certificate has been signed by the CA, you need to import the
certificate into users’ browsers.

The method you use for importing the certificate varies depending on the type of
browser.


INTERNET EXPLORER, CHROME, AND SAFARI (ON WINDOWS AND MACOS):

Internet Explorer, Chrome, and Safari use the operating system’s certificate
store for Internet browsing. If users will be using these browsers, you must
install the certificate into the certificate store for the OS.

If you are using Windows 7/8/10, double-click the certificate file
and select Open. Select Install Certificate to launch the Certificate Import
Wizard.

Use the wizard to install the certificate into the Trusted Root Certification
Authorities store. If a security warning appears, select Yes to install the
certificate.


If you are using macOS, double-click the certificate file to launch Keychain
Access.

Locate the certificate in the Certificates list and select it. Expand Trust and
select Always Trust. If necessary, enter the administrative password for your
computer to make this change.



FIREFOX (ON WINDOWS AND MACOS)

Firefox has its own certificate store. To avoid errors in Firefox, the
certificate must be installed in this store, rather than in the OS.

If users are using Firefox, instead of being pushed to all of their devices, the
certificate must be installed on each device.

In Firefox, go to Tools > Options > Advanced or Options > Advanced and select
the Certificates tab.

Select View Certificates, then select the Authorities list.
Import the certificate and set it to be trusted for website identification.



6. RESULTS


Before you installed the certificate, an error message would appear in the
browser when users accessed a site that used HTTPS (the example shows an error
message appearing in Firefox).

After you install the certificate, users should not experience a certificate
security issue when they browse to sites on which the FortiGate unit performs
SSL content inspection.


Users can view information about the connection and the certificate that is
used.

If users view information about the connection, they will see that it is
verified by Fortinet.

If users view the certificate in the browser, they will see which certificate
is used and information about that certificate.

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.


If you have the right environment, such as the Windows Group Policy Management
Console, you can push the certificate to users’ browsers using the Windows Group
Policy Editor. In this case, you do not have to import the certificate into
users’ browsers.


The post Preventing certificate warnings (CA-signed certificate) appeared first
on Fortinet Cookbook.






EXEMPTING GOOGLE FROM SSL INSPECTION

June 13, 2017, 9:10 am

In this recipe, you will exempt Google websites from deep SSL inspection.
Exempting these websites allows the Google Chrome browser to access them without
errors.

You should use caution when exempting websites. In general, you should exempt
only websites that you know you can trust. You could also consider exempting
websites that do not function properly when subjected to SSL inspection, such as
a site (or application) that uses certificate/public key pinning.



In this example, google.ca is exempted from SSL inspection. If necessary,
substitute your local Google search domain.

The full CLI configuration can be found at the end of this recipe.

Find this recipe for other FortiOS versions
5.2 | 5.6


1. USING THE DEFAULT DEEP-INSPECTION PROFILE

Go to System > Feature Select. Under Additional Features, make sure Multiple
Security Profiles is enabled.

If necessary, Apply changes.


Go to Policy & Objects > IPv4 Policy and edit the policy that allows users on
the internal network to access the Internet.

Under Security Profiles, enable Web Filter using the default profile. SSL/SSH
Inspection is enabled by default. Set it to use the deep-inspection profile.


When the deep-inspection profile is used, the FortiGate impersonates the
recipient of the originating SSL session, then decrypts and inspects the
content. The FortiGate then re-encrypts the content, creates a new SSL session
between the FortiGate and the recipient by impersonating the sender, and sends
the content to the sender.

For more information, see Why you should use SSL inspection.

Using Chrome, browse to google.ca. An error appears that you cannot bypass.


This error occurs because Chrome uses certificate pinning (also called SSL
pinning or public key pinning). This allows Chrome to determine that the
certificate from the website does not match one belonging to Google. Because of
this, Chrome believes that a “man in the middle” attack is occurring and blocks
you from the compromised website.


2. CREATING AN SSL/SSH PROFILE THAT EXEMPTS GOOGLE

In FortiOS 5.6, the two default profiles, certificate-inspection and
deep-inspection, are read-only. In order to exempt Google, you must create a new
profile.

Go to Policy & Objects > Addresses and create a new address.

Set Type to Wildcard FQDN and set Wildcard FQDN to the domain name used by
Google in your region (in the example, *.google.ca).

Go to Security Profiles > SSL/SSH Inspection and select the list view to view
all profiles.

Select the deep-inspection profile, then select Clone to create a copy of this
profile. This copy will have all the settings used by the default profile,
while also being read-write.

Edit the new SSL profile and change its name (in the example,
my-deep-inspection).

Exempt web categories and addresses are listed under Exempt from SSL Inspection.
Add the address for Google to the list of exempt Addresses.


Go to Policy & Objects > IPv4 and edit the policy that allows users on the
internal network to access the Internet.

Set SSL/SSH Inspection to use the new profile.



3. RESULTS

Using Chrome, browse to google.ca. The site loads properly.


CLI Syntax

The CLI syntax below is from the configuration shown above. Remember to
substitute your own names/values where necessary.

config firewall address
    edit "Google Canada"
        set uuid 64b58d54-4fb2-51e7-23ee-0d067557e7ac
        set type wildcard-fqdn
        set wildcard-fqdn "*.google.ca"
    next
end

config firewall ssl-ssh-profile
    edit "my-deep-inspection"
        set comment "Deep inspection."
        config https
            set ports 443
        end
        config ftps
            set ports 990
        end
        config imaps
            set ports 993
        end
        config pop3s
            set ports 995
        end
        config smtps
            set ports 465
        end
        config ssh
            set ports 22
        end
        config ssl-exempt
            edit 1
                set type address
                set address "Adobe Login"
            next
            edit 2
                set type address
                set address "Google Canada"
            next
            edit 3
                set type address
                set address "Gotomeeting"
            next
            edit 4
                set type address
                set address "Windows update 2"
            next
            edit 5
                set type address
                set address "adobe"
            next
            edit 6
                set type address
                set address "android"
            next
            edit 7
                set type address
                set address "apple"
            next
            edit 8
                set type address
                set address "appstore"
            next
            edit 9
                set type address
                set address "auth.gfx.ms"
            next
            edit 10
                set type address
                set address "autoupdate.opera.com"
            next
            edit 11
                set type address
                set address "citrix"
            next
            edit 12
                set type address
                set address "dropbox.com"
            next
            edit 13
                set type address
                set address "eease"
            next
            edit 14
                set type address
                set address "firefox update server"
            next
            edit 15
                set type address
                set address "fortinet"
            next
            edit 16
                set type address
                set address "google-drive"
            next
            edit 17
                set type address
                set address "google-play"
            next
            edit 18
                set type address
                set address "google-play2"
            next
            edit 19
                set type address
                set address "google-play3"
            next
            edit 20
                set type address
                set address "googleapis.com"
            next
            edit 21
                set type address
                set address "icloud"
            next
            edit 22
                set type address
                set address "itunes"
            next
            edit 23
                set type address
                set address "microsoft"
            next
            edit 24
                set type address
                set address "skype"
            next
            edit 25
                set type address
                set address "softwareupdate.vmware.com"
            next
            edit 26
                set type address
                set address "swscan.apple.com"
            next
            edit 27
                set type address
                set address "update.microsoft.com"
            next
            edit 28
                set type address
                set address "verisign"
            next
            edit 29
                set fortiguard-category 31
            next
            edit 30
                set fortiguard-category 33
            next
        end
    next
end

config firewall policy
    edit 1
        set name "Internet"
        set uuid 05bbbea0-4610-51e7-289b-434738fcb746
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "my-deep-inspection"
        set nat enable
    next
end
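To make the exemption logic above concrete, here is an added Python example (not Fortinet Cookbook or FortiOS code) that parses a trimmed copy of the CLI configuration shown above into nested dictionaries and answers the question the recipe leaves implicit: for a given policy and hostname, will the FortiGate deep-inspect the connection, exempt it, or not inspect it at all? The wildcard FQDN matching rule in wildcard_fqdn_matches is an assumption, chosen to agree with the recipe's result that google.ca loads once *.google.ca is exempted; confirm it against the FortiOS documentation before relying on it. The lint_policy check is also this example's own; it flags the two pitfalls the recipe calls out: a policy still pointing at a read-only default profile, and an exempt entry with no matching firewall address object (the recipe only shows the Google Canada address object, so "Adobe Login" is deliberately left unresolved in the sample).

```python
import shlex

# Constructed sample: a trimmed copy of the recipe's own CLI output above.
SAMPLE_CONFIG = """
config firewall address
    edit "Google Canada"
        set type wildcard-fqdn
        set wildcard-fqdn "*.google.ca"
    next
end
config firewall ssl-ssh-profile
    edit "my-deep-inspection"
        config ssl-exempt
            edit 1
                set type address
                set address "Adobe Login"
            next
            edit 2
                set type address
                set address "Google Canada"
            next
        end
    next
end
config firewall policy
    edit 1
        set utm-status enable
        set ssl-ssh-profile "my-deep-inspection"
    next
end
"""

# The recipe states that these built-in profiles are read-only in FortiOS 5.6.
READ_ONLY_PROFILES = {"certificate-inspection", "deep-inspection"}

def parse_fortios_config(text):
    """config/edit/set/next/end lines -> nested dicts keyed by table and entry name."""
    root, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # honours the quoted object names
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        cur = stack[-1] if stack else root
        if cmd == "config":                # open a (possibly nested) table
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "edit":                # open one entry of that table
            stack.append(cur.setdefault(args[0], {}))
        elif cmd == "set":                 # attribute of the open entry or table
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):       # close the entry or table
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword in line: {raw.strip()}")
    if stack:
        raise ValueError("unbalanced config block")
    return root

def wildcard_fqdn_matches(pattern, hostname):
    """Assumed rule (check FortiOS docs): '*.' covers any leading labels and the bare domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    base = pattern[2:]
    return hostname == base or hostname.endswith("." + base)

def exempt_patterns(cfg, profile_name):
    """FQDN patterns the profile exempts, plus entries whose address object is not in the excerpt."""
    addresses = cfg.get("firewall address", {})
    patterns, unresolved = [], []
    for entry in cfg.get("firewall ssl-ssh-profile", {}).get(profile_name, {}).get("ssl-exempt", {}).values():
        addr = addresses.get(entry.get("address"))
        if addr and addr.get("type") in ("wildcard-fqdn", "fqdn"):
            patterns.append(addr[addr["type"]])
        else:
            unresolved.append(entry.get("address", "?"))
    return patterns, unresolved

def inspection_action(cfg, policy_id, hostname):
    """'none' (no profile applied), 'exempt' (matches an exempt address) or 'deep-inspect'."""
    policy = cfg["firewall policy"][policy_id]
    profile_name = policy.get("ssl-ssh-profile")
    if policy.get("utm-status") != "enable" or not profile_name:
        return "none"
    patterns, _ = exempt_patterns(cfg, profile_name)
    return "exempt" if any(wildcard_fqdn_matches(p, hostname) for p in patterns) else "deep-inspect"

def lint_policy(cfg, policy_id):
    """Problems a reviewer would flag before trusting the exemption to work."""
    issues = []
    profile_name = cfg["firewall policy"][policy_id].get("ssl-ssh-profile")
    if profile_name in READ_ONLY_PROFILES:
        issues.append(f"{profile_name} is read-only in FortiOS 5.6; clone it before adding exemptions")
    elif profile_name not in cfg.get("firewall ssl-ssh-profile", {}):
        issues.append(f"policy references unknown SSL/SSH profile {profile_name!r}")
    else:
        for name in exempt_patterns(cfg, profile_name)[1]:
            issues.append(f"exempt entry {name!r} has no matching firewall address object")
    return issues
```

Run it with `cfg = parse_fortios_config(SAMPLE_CONFIG)` and then `inspection_action(cfg, "1", "www.google.ca")`, which returns "exempt", while "www.example.com" returns "deep-inspect" and `lint_policy(cfg, "1")` reports the unresolved "Adobe Login" entry. Feeding it a policy that still uses the built-in deep-inspection profile makes lint_policy return the read-only warning, which is the mistake the recipe's cloning step exists to avoid.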

For further reading, check out SSL/SSH Inspection in the FortiOS 5.6 Handbook.




The post Exempting Google from SSL inspection appeared first on Fortinet
Cookbook.






SETTING UP WIFI WITH A FORTIAP

June 13, 2017, 2:00 pm
Next Using virtual IPs to configure port forwarding
Previous Exempting Google from SSL inspection
0
0

In this recipe, you will set up a WiFi network with a FortiGate managing a
FortiAP in Tunnel mode.



You can configure a FortiAP unit in either Tunnel mode or Bridge mode. Tunnel
mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a
wireless-only subnet for wireless traffic. When a FortiAP is in Bridge mode, the
Ethernet and WiFi interfaces are connected (or bridged), allowing wired and
wireless networks to be on the same subnet.

For information about using a FortiAP in Bridge mode, see Setting up a WiFi
bridge with a FortiAP.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6


1. CONNECTING AND AUTHORIZING THE FORTIAP UNIT

Go to Network > Interfaces and edit the interface that will connect to the
FortiAP (in this example, port 16).

Set Addressing Mode to Manual and set an IP/Network Mask.

Under Administrative Access, enable CAPWAP and optionally enable PING to test
your connection.

Under Networked Devices, enable both Device Detection and Active Scanning.


Connect the FortiAP unit to the interface.


Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The
device is not yet authorized, as indicated by the icon in the State column.

By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs
list but does not authorize them.


Right-click on the FortiAP, and select Authorize.


The device interface will be down initially, but after a few minutes, hit
the Refresh button and the icon in the State column will confirm that the
device is authorized.


Make sure that your FortiAP is on the latest firmware. If the OS Version shows
the message “A new firmware version is available,” then check the release notes
for your product on the Fortinet Support Site.


You can download the firmware images from the Support Site to your Local Hard
Disk, or you can select A new firmware version is available and download the
latest version directly from FortiGuard.



2. CREATING AN SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to Tunnel.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Enable Device Detection and Active Scanning.

Name the SSID (in the example, MyNewWiFi).

Set the Security Mode as required and enter a secure Pre-shared Key.

Enable Broadcast SSID.



3. CREATING A CUSTOM FORTIAP PROFILE

Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile.

Set Platform to the FortiAP model you are using (FAP221C in this recipe).

Set the Country/Region and, optionally, an AP Login Password.

Make sure Radio 1 is set to Access Point, and leave the SSID set to Auto.

 


Go to WiFi & Switch Controller > Managed FortiAPs and right-click on the FortiAP
you added earlier. Select Assign Profile and set the FortiAP to use the new SSID
profile (in the example, MyProfile).

By default, the FortiGate assigns all SSIDs to this profile.



4. ALLOWING WIRELESS ACCESS TO THE INTERNET

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your
Internet-facing interface. Confirm that NAT is enabled.



5. RESULTS

Connect to the SSID with a wireless device. After a connection is established,
browse the Internet to generate traffic.

From the policy list page, right-click on your wireless policy and select Show in
FortiView, or go directly to FortiView > All Sessions.

You can view more details by selecting the various tabs (Sources, Destinations,
Applications, Countries, Sessions).

For further reading, check out Configuring a WiFi LAN in the FortiOS 5.6
Handbook.


 * Note that some FortiGate models may not have the Active Scanning option, and
   it is not required for the recipe.
 * It may take a few minutes for the FortiAP to appear.
 * You can disable this in the CLI. See Deploying Wireless Networks.
 * Alternatively, select the FortiAP unit on the list and select Authorize from
   the top menu.
 * The SSID defaults to automatically assign Tunnel-mode SSIDs.
 * Located under Policy & Objects > IPv4 Policy.


The post Setting up WiFi with a FortiAP appeared first on Fortinet Cookbook.






USING VIRTUAL IPS TO CONFIGURE PORT FORWARDING

June 16, 2017, 8:59 am

This recipe demonstrates how to use Virtual IPs (VIPs) to configure port
forwarding on a FortiGate unit. This configuration allows users on the Internet
to connect to your server protected behind a FortiGate firewall, without knowing
the server’s internal IP address and only through ports that you choose.

In this example, TCP ports 80 (HTTP), 21 (FTP), and 22 (SSH) are opened for
remote users to communicate with a server behind the firewall. The external IP
address used is 172.20.121.67 and is mapped to 192.168.100.1 by the VIP.



Find this recipe for other FortiOS versions:
5.2 | 5.4




1. CREATING THREE VIPS

Go to Policy & Objects > Virtual IPs > Create New > Virtual IP.

Enter the External IP Address/Range. Next, enter the Mapped IP Address/Range.

Enable Port Forwarding and add a VIP for TCP port 80, webserver-http.


Next, create a second VIP for TCP port 21, webserver-ftp.


Finally, create a third VIP for TCP port 22, webserver-ssh.



2. ADDING VIPS TO A VIP GROUP

Go to Policy & Objects > Virtual IPs > Create New > Virtual IP Group.

Create a VIP group, in this example, webserver group. Under Members, include all
three VIPs previously created.



3. CREATING A SECURITY POLICY

Go to Policy & Objects > IPv4 Policy and create a security policy allowing
access to a server behind the firewall.

Set Incoming Interface to your Internet-facing interface, Outgoing Interface to
the interface connected to the server, and Destination Address to the VIP group
(webserver group). Set Service to allow HTTP, FTP, and SSH traffic.

Use the appropriate Security Profiles to protect the servers.



4. RESULTS

To ensure that TCP port 80 is open, connect to the web server from a remote
connection on the other side of the firewall.


Next, ensure that TCP port 21 is open by using an FTP client to connect to the
FTP server from a remote connection on the other side of the firewall.


Finally, ensure that TCP port 22 is open by connecting to the SSH server from a
remote connection on the other side of the firewall.


For further reading, check out Virtual IPs in the FortiOS 5.4 Handbook.


 * While this example maps port 80 to port 80, any valid External Service port
   can be mapped to any listening port on the destination computer.
 * If the FortiGate has Central NAT enabled, the VIP objects will not be
   available for selection in the policy editing window.


The post Using virtual IPs to configure port forwarding appeared first on
Fortinet Cookbook.








SETTING UP A WIFI BRIDGE WITH A FORTIAP

June 23, 2017, 8:13 am

In this example, you will set up a WiFi network with a FortiGate managing a
FortiAP in Bridge mode.

You can configure a FortiAP unit in either Tunnel or Bridge mode. When a FortiAP
is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged),
allowing wired and wireless networks to be on the same subnet. Tunnel mode is
the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only
subnet for wireless traffic.

For information about using a FortiAP in Tunnel mode, see Setting up WiFi with a
FortiAP.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6


1. CONNECTING AND AUTHORIZING THE FORTIAP UNIT

Go to Network > Interfaces and edit the lan interface.

Set Addressing Mode to Manual and set an IP/Network Mask.

Under Administrative Access, enable CAPWAP and optionally enable PING to test
your connection.

Enable the DHCP Server.

Under Networked Devices, enable both Device Detection and Active Scanning.


Connect the FortiAP to the lan interface.


Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. The
device is not yet authorized, as indicated by the icon in the State column.

By default, the FortiGate adds newly discovered FortiAPs to the Managed FortiAPs
list but does not authorize them.


Right-click on the FortiAP, and select Authorize.


The device interface will be down initially, but after a few minutes, click
the Refresh button and the State column will confirm that the device is
authorized.

Verify that your FortiAP is on the latest firmware. If the OS Version shows that
a newer firmware version is available, check the release notes for your product.

You can download the firmware images from the Support Site to your Local Hard
Disk, or you can select A new firmware version is available and download the
latest version directly from FortiGuard.



2. CREATING AN SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to AP Bridge, creating a local bridge with the FortiAP’s
interface.

Configure the WiFi Settings as you would for a regular wireless network and set
a secure Pre-shared Key.



3. CREATING A CUSTOM FORTIAP PROFILE

Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile.

Set Platform to the FortiAP model you are using (FAP221C).

Select the Country/Region and, optionally, change your AP Login Password.

Under Radio 1, set the Mode to Access Point.

Set SSID to use the new SSID profile (in the example, MyWiFi).

Set Radio 2 to Disabled.

Go to WiFi & Switch Controller > Managed FortiAPs and right-click on the
FortiAP. Select Assign Profile and set the FortiAP to use the new FortiAP
profile (in the example, MyProfile).



4. RESULTS

Connect to the SSID with a wireless device. After a connection is established,
you can browse the Internet using the wireless network configured in this
recipe. 


On the policy list page, right-click on your lan to wan Internet access policy
and click Show in FortiView.


Make sure to view the session details, including more information under the
various tabs (Sources, Destination, Applications, Countries, Sessions).


Go to Log & Report > WiFi Events to see the detected client IP and
authentication logs.


You can also go to Monitor > WiFi Client Monitor for user details and Monitor >
WiFi Health Monitor for the AP Status.


For further reading, check out Wireless Networks in the FortiOS 5.6 Handbook.


 * Some FortiGates may not have an Active Scanning option and it is not required.
 * It may take a few minutes for the FortiAP to appear.
 * You can disable this in the CLI. See Deploying Wireless Networks.
 * Alternatively, select the FortiAP unit on the list and select Authorize from
   the top menu.
 * Unless you wish to use a second radio.
 * Located under Policy & Objects > IPv4 Policy.


The post Setting up a WiFi Bridge with a FortiAP appeared first on Fortinet
Cookbook.






WEBSITE MAINTENANCE – JUNE 28, 2017

June 28, 2017, 8:01 am

The Cookbook website will undergo scheduled maintenance today (June 28, 2017) at
approximately 12PM EST. Due to this maintenance, the website may experience some
downtime.


The post Website Maintenance – June 28, 2017 appeared first on Fortinet
Cookbook.






IPSEC VPN TO MICROSOFT AZURE

June 30, 2017, 11:00 am

The following recipe demonstrates how to configure a site-to-site IPsec VPN
tunnel to Microsoft Azure™.



Using FortiOS 5.6, the example describes how to configure the tunnel between
each site, avoiding overlapping subnets, so that a secure tunnel can be
established.

PREP 10 mins      COOK 25 mins      TOTAL 35 mins

INGREDIENTS

 * One (1) FortiGate with an Internet-facing IP address.
 * One (1) valid Microsoft Azure account.


DIRECTIONS


1. CONFIGURING THE MICROSOFT AZURE VIRTUAL NETWORK

Log into Microsoft Azure and click New. In the Search the marketplace field,
type “Virtual Network”.

Locate Virtual Network from the returned list and click to open the Virtual
Network blade.


Near the bottom of the Virtual Network blade, from the Select a deployment model
list, select Resource Manager, and then click Create.


On the Create virtual network blade, fill in the values for your Virtual Network
settings and click Create.



2. SPECIFYING THE MICROSOFT AZURE DNS SERVER

Open the virtual network you just created, navigate to DNS Servers, and click to
open the DNS servers blade.

Enter the IP address of the DNS server and click Save at the top of the blade.



3. CREATING THE MICROSOFT AZURE VIRTUAL NETWORK GATEWAY

In the portal dashboard, go to New.

Search for “Virtual Network Gateway” and select it to open the Create virtual
network gateway blade.


In the Create virtual network gateway blade, fill in the values for your virtual
network gateway.


Create a Public IP address if necessary and click Create at the bottom.


Provisioning the virtual network gateway may take some time.

You will receive a notification about the deployment.



4. CREATING THE MICROSOFT AZURE LOCAL NETWORK GATEWAY

From the dashboard, select All resources.

Click +Add and then choose to See all.


In the Everything blade search box, type Local network gateway, and select
Create local network gateway.


Set IP address to the local network gateway address (the FortiGate’s external IP
address). 

Fill in the remaining values for your local network gateway and click Create.



5. CONFIGURING THE FORTIGATE TUNNEL

Go to VPN > IPsec Wizard.

Enter a Name for the tunnel, select Custom, and click Next.


Set the Remote Gateway to Static IP Address, and include the gateway IP Address
provided by Microsoft Azure.

Set the Local Interface to wan1.

Disable NAT Traversal and set Dead Peer Detection to On Idle.

Under Authentication, enter a Pre-shared Key and ensure that you enable IKEv2.


Under Phase 1 Proposal set the Encryption algorithm to AES 128 and the
Authentication algorithm to SHA256.

Select 2 for Diffie-Hellman Group.

Set Key Lifetime (seconds) to 28800.


Scroll down to Phase 2 Selectors and expand the Advanced section.

Set the Encryption type to match Phase 1.

Disable Perfect Forward Secrecy.

Set Key Lifetime Seconds to 27000.



6. CREATING THE AZURE FIREWALL OBJECT

Go to Policy & Objects > Addresses and create a firewall object for the Azure
VPN tunnel subnet.



7. CREATING THE FORTIGATE FIREWALL POLICIES

Go to Policy & Objects > IPv4 Policy and create a new policy for the
site-to-site connection that allows outgoing traffic.

Set the Source Address and Destination Address using the firewall objects you
just created.

Ensure that NAT is disabled.


Create a second policy for the same connection to allow incoming traffic.

This time, invert the Source Address and Destination Address.



8. CREATING THE FORTIGATE STATIC ROUTE

Go to Network > Static Routes and create a new static route forcing outgoing
traffic destined to the Microsoft Azure network to flow through the route-based
tunnel.


Set the Administrative Distance to a value lower than the value set for the
existing default route.


9. CREATING A MICROSOFT AZURE SITE-TO-SITE VPN CONNECTION

In the Azure portal, locate and select your virtual network gateway.

On the Settings blade, click Connections, and then click Add at the top of the
blade to open the Add connection blade.

 


Fill in the values for your connection and click OK.

Make sure that the Shared Key (PSK) matches the shared key configured on the
FortiGate in step 5.



10. RESULTS

Go to Monitor > IPsec Monitor. You should see that the tunnel is UP.

If it is down, right-click the tunnel and select Bring Up.


Go to Log & Report > VPN Events.

Select an entry to view more information and verify the connection.


Return to the Microsoft Azure portal, click All resources and navigate to your
virtual network gateway.

On the blade for your virtual network gateway, click Connections. You can see
the status of each connection.

Click the name of the connection that you want to verify to open Essentials.


In Essentials, you can view more information about your connection.


The Status is ‘Connected’ when you have made a successful connection.

Ingress and egress bytes confirm traffic flowing through the tunnel.

 


 * This prep time assumes the time it takes to create a Microsoft Azure account.
 * "Cook" time is largely dependent on Azure resource deployment times, which
   may vary.
 * All times listed are approximations.
 * Located under All Resources > MyMainGateway (Virtual network gateway) >
   Overview > Public IP address. Note that it may take some time for this
   address to populate.
 * If the tunnel fails to come up, begin troubleshooting by double-checking that
   the encryption algorithm and PSK settings match on both ends for Phase 1 and
   Phase 2. For other troubleshooting tips, refer to IPsec VPN Troubleshooting.
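The "do both ends match" check from the troubleshooting note, applied to the Phase 1 and Phase 2 values chosen in step 5, as an added example that is not part of the recipe or of any Fortinet or Microsoft tooling: it separates parameters IKE actually negotiates (algorithms, DH group, PFS, PSK) from lifetimes, which IKEv2 does not negotiate, and also flags the two choices a reviewer would ask about (DH group 2 and disabled PFS). The Azure-side values, the PSKs and the 2048-bit review threshold are assumptions.

```python
"""Compare both ends of a site-to-site IPsec tunnel and flag weak settings.

Added example, not Fortinet or Microsoft code. The FortiGate values are the
ones set in step 5 of the recipe; the Azure-side values and all PSKs are
constructed for the demonstration.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass

# MODP bit lengths of the classic IKE Diffie-Hellman groups (RFC 2409, RFC 3526).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
MIN_DH_BITS = 2048  # review threshold assumed here; 1024-bit MODP is widely deprecated


@dataclass(frozen=True)
class Phase1:
    ike_version: int
    encryption: str      # e.g. "aes128"
    authentication: str  # e.g. "sha256"
    dh_group: int
    key_lifetime_s: int
    psk: str


@dataclass(frozen=True)
class Phase2:
    encryption: str
    authentication: str
    pfs: bool
    pfs_dh_group: int | None  # only meaningful when pfs is True
    key_lifetime_s: int


def compare_tunnel(local_p1: Phase1, local_p2: Phase2,
                   remote_p1: Phase1, remote_p2: Phase2) -> dict[str, list[str]]:
    """Return hard 'mismatches' (the tunnel will not negotiate) and soft 'notes'.

    Lifetimes are not negotiated in IKEv2; each peer rekeys on its own timer,
    so a difference is only informational.
    """
    mismatches: list[str] = []
    notes: list[str] = []
    if local_p1.ike_version != remote_p1.ike_version:
        mismatches.append(f"IKE version: local {local_p1.ike_version} "
                          f"vs remote {remote_p1.ike_version}")
    for name in ("encryption", "authentication", "dh_group"):
        lv, rv = getattr(local_p1, name), getattr(remote_p1, name)
        if lv != rv:
            mismatches.append(f"Phase 1 {name}: local {lv} vs remote {rv}")
    # Constant-time comparison: the PSK stays a secret even inside a diagnostic.
    if not hmac.compare_digest(local_p1.psk.encode(), remote_p1.psk.encode()):
        mismatches.append("Phase 1 pre-shared key differs")
    for name in ("encryption", "authentication", "pfs", "pfs_dh_group"):
        lv, rv = getattr(local_p2, name), getattr(remote_p2, name)
        if lv != rv:
            mismatches.append(f"Phase 2 {name}: local {lv} vs remote {rv}")
    for label, lp, rp in (("Phase 1", local_p1, remote_p1),
                          ("Phase 2", local_p2, remote_p2)):
        if lp.key_lifetime_s != rp.key_lifetime_s:
            notes.append(f"{label} key lifetimes differ ({lp.key_lifetime_s}s vs "
                         f"{rp.key_lifetime_s}s); not negotiated, shorter side rekeys first")
    return {"mismatches": mismatches, "notes": notes}


def review_strength(p1: Phase1, p2: Phase2) -> list[str]:
    """Flag settings in the recipe a security reviewer would want justified."""
    findings: list[str] = []
    bits = DH_GROUP_BITS.get(p1.dh_group, 0)
    if bits < MIN_DH_BITS:
        findings.append(f"Phase 1 DH group {p1.dh_group} is {bits}-bit MODP (< {MIN_DH_BITS})")
    if not p2.pfs:
        findings.append("Phase 2 PFS disabled: child SA keys derive from the IKE SA keying material")
    elif DH_GROUP_BITS.get(p2.pfs_dh_group or 0, 0) < MIN_DH_BITS:
        findings.append(f"Phase 2 PFS DH group {p2.pfs_dh_group} is below {MIN_DH_BITS}-bit")
    return findings


# FortiGate side, as configured in step 5 (PSK constructed).
FORTIGATE_P1 = Phase1(ike_version=2, encryption="aes128", authentication="sha256",
                      dh_group=2, key_lifetime_s=28800, psk="example-psk")
FORTIGATE_P2 = Phase2(encryption="aes128", authentication="sha256", pfs=False,
                      pfs_dh_group=None, key_lifetime_s=27000)

# Constructed Azure connection that matches the FortiGate.
AZURE_OK_P1 = Phase1(2, "aes128", "sha256", 2, 28800, "example-psk")
AZURE_OK_P2 = FORTIGATE_P2

# Constructed Azure connection with typical mistakes: different DH group, PFS on,
# AES-256 in Phase 2 and a PSK with a trailing space.
AZURE_BAD_P1 = Phase1(2, "aes128", "sha256", 14, 10800, "example-psk ")
AZURE_BAD_P2 = Phase2("aes256", "sha256", True, 14, 27000)

if __name__ == "__main__":
    for label, p1, p2 in (("matching peer", AZURE_OK_P1, AZURE_OK_P2),
                          ("mismatching peer", AZURE_BAD_P1, AZURE_BAD_P2)):
        print(label, compare_tunnel(FORTIGATE_P1, FORTIGATE_P2, p1, p2))
    print("strength review:", review_strength(FORTIGATE_P1, FORTIGATE_P2))
```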


The post IPsec VPN to Microsoft Azure appeared first on Fortinet Cookbook.







CAPTIVE PORTAL BYPASS FOR APPLE UPDATES AND CHROMEBOOK AUTHENTICATION

July 4, 2017, 10:05 am

In this example, you will allow WiFi traffic to specific destinations from Apple
devices or Google Chromebooks to bypass your Captive Portal. This allows those
devices to receive updates or device logon authentication, a process which a
Captive Portal would interrupt.



Not all users or traffic types need to be authorized and authenticated by the
Captive Portal. In some circumstances the authentication required by the Captive
Portal can cause problems that impact the functionality of your users' mobile
devices or laptops.

Chromebooks require user authentication to log onto the device, which can be
blocked by the captive portal's own requirement for user authentication before
it grants network access.

Apple devices use Captive Network Assistant (CNA), which can detect the use of a
captive portal. The Apple device attempts to visit the page captive.apple.com.
If that request succeeds, the CNA does not load; if it fails, the CNA launches a
browser to prompt the user with the login page from the captive portal. When
this browser is inadvertently closed or ignored, the device is disconnected from
the network. Often the user is unaware of this and does not know why email and
updates are not being downloaded.


1. CREATING A USER ACCOUNT AND USER GROUP

Go to User & Device > User Definition and create a Local user. Create additional
users as needed. You can use any authentication method.


Go to User & Device > User Groups.

Create a user group for employees and add the new user(s) to the group.



2. CREATING FIREWALL ADDRESSES

We need to create address objects to be used for the exemptions. Go to Policy &
Objects > Addresses and create an FQDN address for accounts.google.com.


Create an FQDN address object for gstatic.com.


Create an IP/Netmask address object for the Apple subnet range 17.0.0.0/8.


Create an FQDN address object for captive.apple.com.


Create IP/Netmask address object(s) for any external DNS servers the client
computers might use.



3. CREATING THE SSID

Go to WiFi Controller > SSID and configure your wireless network.


Configure DHCP addressing for clients.


Configure Captive Portal authentication using the Forti-WiFi-users user group.

Set Exempt Destination Services to exempt the addresses created in the previous
step.



4. CREATING THE SECURITY POLICY

Create an address for your SSID, using the same IP range that was set on the
DHCP server.


Go to Policy & Objects > IPv4 Policy and create a policy allowing WiFi users to
connect to the Internet. Select the Fortinet-WiFi-IP-range for the permitted
Source Addresses.

Enable NAT.

In this example, the Web Filter and Application Control security profiles are
enabled so that the results of the configuration can be seen. Enable these and
other profiles to provide secure Internet access to your wireless clients.



5. CONNECTING AND AUTHORIZING THE FORTIAP

Go to System > Interface and edit the interface the FortiAP connects to.

Set Administrative Access to allow CAPWAP.


The FortiAP will broadcast for the controller using the CAPWAP protocol. Go
to WiFi Controller > Managed FortiAPs.

The FortiAP is listed, with a grey question mark beside it because the device is
not authorized.


Highlight the FortiAP unit on the list and select Authorize.

A green check mark is now shown beside the FortiAP, showing that it is
authorized and online.

Go to WiFi Controller > WiFi Network > FortiAP Profiles and edit the profile.
For each radio:

Enable Radio Resource Provision.

Select your SSID.

 



6. RESULTS

Connect your Chromebook or Apple device to the captive portal SSID.

The user’s device shows the WiFi network as “open” and associates with it
without requesting credentials.

On the Chromebook you will be able to log onto the device and authenticate with
Google accounts.

On the Apple device you will not get the CNA prompt with the captive portal
popup, requesting you to authenticate. The Apple device will stay connected to
the WiFi.

Go to WiFi Controller > Monitor > Client Monitor to see connected users.


In this example a Chromebook is displayed with the IP address of 192.168.20.3.
The user has authenticated against the portal.

An iPhone is listed with the IP address of 192.168.20.4. No user is listed, as
the device has not yet authenticated against the portal. In the Bandwidth TX/RX
column we can see that there is nevertheless bidirectional traffic.

Go to FortiView > Sources.

Review the current sessions of the connected network clients, by drilling down
through each layer to view the related sessions.


In this example, we see the sessions for the connected Chromebook. You can see
towards the bottom that the sessions happened prior to the user authentication
against the portal. This proves the result of our exemption list.

Go to FortiView > Policies.

Review the current sessions of the connected network clients for the SSID to
internet security policy, by drilling down through each layer to view the
related sessions.


In this example, we see the sessions for the connected iPhone. We see that the
user has not yet authenticated against the portal, but the iPhone is making DNS
requests and accessing the apple subnet. This proves the result of our exemption
list.

Go to Log & Report > Forward Traffic Log.

Review the traffic and destinations for the Apple iPhone.

In these logs you can see that the iPhone is receiving push notifications prior
to the captive portal logon. The first time that a wireless user attempts to use
a web browser, the captive portal login screen is displayed. Users who are
members of the Forti-WiFi-users group can log on using their username and
password and proceed to access the wireless network.

For more information, see Captive Portals in the FortiOS 5.4 handbook.




The post Captive Portal bypass for Apple updates and Chromebook authentication
appeared first on Fortinet Cookbook.








CERTIFICATE ERRORS FOR BLOCKED WEBSITES

June 1, 2017, 11:02 am

Avoiding certificate errors when SSL inspection is applied to traffic is an
in-demand topic. There are a number of methods that you can use to prevent these
warnings: installing self-signed certificates on client devices, using a
certificate signed by a trusted CA, or using the certificate-inspection profile
for SSL inspection. However, for all of these methods, certificate errors can
still occur when you’ve blocked access to a page using web filtering and the
FortiGate attempts to display a replacement message for that site using HTTPS.

This error occurs because, by default, the FortiGate does not use the same
certificate for SSL inspection and the encryption of the replacement messages.
To avoid these errors, you should first determine which certificate your
FortiGate uses for replacement messages using the CLI. The command differs
depending on which version of FortiOS you are using:

FortiOS 5.2 and earlier:

config webfilter fortiguard
# get 
cache-mode : ttl 
cache-prefix-match : enable 
cache-mem-percent : 2 
ovrd-auth-port-http : 8008 
ovrd-auth-port-https: 8010 
ovrd-auth-port-warning: 8020 
ovrd-auth-https : enable 
warn-auth-https : enable 
close-ports : disable 
request-packet-size-limit: 0 
ovrd-auth-hostname : 
ovrd-auth-cert : Fortinet_Firmware

The certificate Fortinet_Firmware is used by default. To avoid errors, you can
either change this certificate to the certificate used for SSL inspection or you
can install this certificate on all client devices. Which solution you choose
depends on your own environment and what certificates you are already using.

FortiOS 5.4 and later:

config user setting 
# get
auth-type : http https ftp telnet 
auth-cert : Fortinet_Factory 
auth-ca-cert : 
auth-secure-http : disable 
auth-http-basic : disable 
auth-timeout : 5 
auth-timeout-type : idle-timeout 
auth-portal-timeout : 3 
radius-ses-timeout-act: hard-timeout 
auth-blackout-time : 0 
auth-invalid-max : 5 
auth-lockout-threshold: 3 
auth-lockout-duration: 0 
auth-ports:

The certificate Fortinet_Factory is used by default. To avoid errors, you can
either change this certificate to the certificate used for SSL inspection or you
can install this certificate on all client devices. Which solution you choose
depends on your own environment and what certificates you are already using.
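A parser for the `get` output shown above, plus the comparison the post asks you to make, as an added example that is not Fortinet code: it pulls `ovrd-auth-cert` (5.2 and earlier) or `auth-cert` (5.4 and later) out of the table and reports whether it matches the CA your SSL inspection profile uses, which is the mismatch behind the browser error. The CA name `Fortinet_CA_SSL` used in the usage call and the abridged samples are assumptions.

```python
"""Parse FortiOS `get` output and check the replacement-message certificate.

Added example, not Fortinet code. The two samples are abridged from the CLI
output quoted above; the SSL-inspection CA name passed in is an assumed
example value (use the CA your own SSL inspection profile is configured with).
"""
from __future__ import annotations

import re

# Where each FortiOS generation keeps the replacement-message certificate.
REPLACEMENT_CERT_KEYS = ("auth-cert", "ovrd-auth-cert")  # 5.4+, then 5.2 and earlier

_KV = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$")


def parse_get_output(text: str) -> dict[str, str]:
    """Turn `key : value` lines into a dict.

    `config ...`, `# get` and `end` lines are skipped; a key with no value
    (`auth-ca-cert :`, `auth-ports:`) maps to the empty string.
    """
    settings: dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("config ", "#", "end")):
            continue
        match = _KV.match(stripped)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def replacement_message_cert(settings: dict[str, str]) -> str | None:
    """Return the certificate FortiOS will serve for HTTPS replacement messages."""
    for key in REPLACEMENT_CERT_KEYS:
        if settings.get(key):
            return settings[key]
    return None


def check_certificate_consistency(get_output: str,
                                  ssl_inspection_ca: str) -> dict[str, object]:
    """Report whether the replacement-message certificate matches the SSL inspection CA.

    A mismatch is what produces the browser error described in the post; the
    advice offered is limited to the two remedies the post gives.
    """
    cert = replacement_message_cert(parse_get_output(get_output))
    consistent = cert == ssl_inspection_ca
    advice = None
    if cert is None:
        advice = "No replacement-message certificate found; check the FortiOS version and table."
    elif not consistent:
        advice = (f"Replacement messages use '{cert}' but SSL inspection uses "
                  f"'{ssl_inspection_ca}': set the replacement certificate to "
                  f"'{ssl_inspection_ca}', or install '{cert}' on every client.")
    return {"replacement_cert": cert, "ssl_inspection_ca": ssl_inspection_ca,
            "consistent": consistent, "advice": advice}


# Abridged from the FortiOS 5.2 output quoted above.
SAMPLE_52 = """\
config webfilter fortiguard
# get
cache-mode : ttl
ovrd-auth-port-https: 8010
ovrd-auth-https : enable
ovrd-auth-hostname :
ovrd-auth-cert : Fortinet_Firmware
"""

# Abridged from the FortiOS 5.4 output quoted above.
SAMPLE_54 = """\
config user setting
# get
auth-type : http https ftp telnet
auth-cert : Fortinet_Factory
auth-ca-cert :
auth-secure-http : disable
auth-ports:
"""

if __name__ == "__main__":
    # Assumed example: the SSL inspection profile signs with a CA named Fortinet_CA_SSL.
    for sample in (SAMPLE_52, SAMPLE_54):
        print(check_certificate_consistency(sample, "Fortinet_CA_SSL"))
```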

For more information about SSL inspection and certificate errors, see the
following resources:

 * Preventing certificate warnings (5.2 | 5.4)
 * Why you should use SSL inspection




The post Certificate errors for blocked websites appeared first on Fortinet
Cookbook.






SFP TRANSCEIVERS

July 7, 2017, 9:40 am

This recipe shows you how to install and remove SFP transceivers from your
device.


SFP transceivers are static sensitive devices. Use an ESD wrist strap or similar
grounding device when handling transceivers.

Do not force the SFP transceivers into the cage slots. If the transceiver does
not easily slide in and click into place, it may not be aligned correctly or may
be upside down. If this happens, remove the SFP transceiver, realign it or
rotate it and slide it in again.

Note: Installing and removing SFP transceivers can shorten their useful life. Do
not install or remove transceivers more than is necessary.


TO INSTALL THE SFP TRANSCEIVERS


 1. Ensure that you are properly grounded.
 2. Remove the caps from the SFP cage sockets on the front panel of the unit.
 3. Position the SFP transceiver in front of the cage socket opening and ensure
    that the transceiver is correctly oriented. When the transceiver is
    correctly oriented, the extraction lever will be level with the socket
    latch.
    
    
    Note: SFP cage socket orientation may vary. Ensure that the SFP transceiver
    module is correctly oriented each time you insert a transceiver.

 4. Hold the sides of the SFP transceiver and slide it into the cage socket
    until it clicks into place.
 5. Press the transceiver firmly into the cage socket with your thumb.
 6. Verify that the transceiver is latched correctly by grasping the sides of
    the transceiver and trying to pull it out without lowering the extraction
    lever.
    If the transceiver cannot be removed, it is installed and latched correctly.
    
    If the transceiver can be removed, reinsert it and press harder with your
    thumb.
    
    If necessary, repeat this process until the transceiver is securely latched
    into the cage socket.


TO REMOVE THE SFP TRANSCEIVERS

 1. Ensure that you are properly grounded.
 2. If applicable, disconnect the fiber-optic cable from the transceiver
    connector and install a clean dust plug in the transceiver’s optical bores.
 3. Pull the extraction lever out and down to eject the transceiver. If you are
    unable to use your finger to open the lever, use a small flat-head
    screwdriver or other similar tool to open the lever.
 4. Hold the sides of the transceiver and carefully pull it away from the cage
    socket.
 5. Replace the cap on the SFP cage socket and place the removed SFP transceiver
    into an antistatic bag.


Caution: Do not install or remove SFP transceivers while fiber-optic cables are
still attached. This can cause damage to the cables, cable connectors, and the
optical interfaces. It may also prevent the transceiver from latching correctly
into the socket connector.

Note: Follow proper fiber-optic handling procedures when installing and removing
SFP transceivers to ensure the devices remain clean and are not damaged.




The post SFP Transceivers appeared first on Fortinet Cookbook.






BASIC FORTIANALYZER INSTALLATION GUIDE

July 7, 2017, 9:44 am

The following FortiAnalyzer devices use the basic installation guide.

 * 200D
 * 300D
 * 400C
 * 1000C
 * 1000D
 * 2000B
 * 3000D
 * 3000E
 * 3500F
 * 3900E
 * 4000B
 * 4000D-BD

The devices can be placed on any flat surface, or mounted in any standard 19
inch rack unit with the provided rack-mount brackets and screws.

If the unit has a redundant power supply, each power cable should be connected
to a different power source. In this way, if one power source fails, the other
may still be operational and the unit will not lose power.


INSTALLING THE FORTIANALYZER INTO A RACK

 1. Ensure that the FortiAnalyzer unit is placed on a stable
    surface prior to rack-mount installation.
 2. Attach the provided rack-mount brackets to the sides of
    the unit using the provided bracket screws.
    1. If you are installing the unit into a four-post rack, attach the
       rack-mount brackets with the handles aligned with the front of the
       FortiAnalyzer unit.
    2. If you are installing the unit into a two-post rack, attach the
       rack-mount brackets with the handles aligned with the middle of the
       FortiAnalyzer unit.
 3. Position the FortiAnalyzer unit in the rack. Ensure there is enough room
    around the unit to allow for sufficient air flow.
 4. Line up the rack-mount bracket holes to the holes on the rack and ensure
    that the FortiAnalyzer unit is level.
 5. Finger tighten four rack-mount screws to attach the unit to the rack.
 6. Verify that the spacing around the FortiAnalyzer unit conforms to
    requirements and that the unit is level, then tighten the rack-mount screws
    with an appropriate screwdriver.
 7. Plug the provided power cable into the rear of the unit and then into a
    grounded electrical outlet or a separate power source, such as an
    uninterruptible power supply (UPS) or a power distribution unit (PDU).


INSTALLING THE DEVICE ON A FLAT SURFACE

 1. Ensure that the surface onto which the FortiAnalyzer unit is to be installed
    is clean, level, and stable and that there is at least 1.5in (3.8cm) of
    clearance on all sides to allow for adequate airflow.
 2. Attach the provided rubber feet to the bottom of the FortiAnalyzer unit.
 3. Place the unit in the designated location.
 4. Verify that the spacing around the FortiAnalyzer unit conforms to
    requirements and that the unit is level.
 5. Plug the provided power cable into the rear of the unit and then into a
    grounded electrical outlet or a separate power source, such as an
    uninterruptible power supply (UPS) or a power distribution unit (PDU).




The post Basic FortiAnalyzer Installation Guide appeared first on Fortinet
Cookbook.






FORTIANALYZER INSTALLATION GUIDE WITH CABLE MANAGEMENT ARM

July 7, 2017, 9:45 am

The following FortiAnalyzer devices use this installation guide.

 * 1000E
 * 2000E
 * 3000F
 * 3700F

They can be mounted in any standard 19 inch rack unit with the provided mounting
hardware.


A rack stabilizing mechanism must be in place, or the rack must be bolted to the
floor, before you slide the unit out for servicing. Failure to stabilize the
rack can cause the rack to tip over.

Do not pick up the device with the front handles. They are designed to pull the
system from a rack only.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

To avoid personal injury or damage to the unit, it is recommended that two or
more people install the unit into the rack.

Do not place heavy objects on the unit.


RACK PRECAUTIONS

Ensure the leveling jacks on the bottom of the rack are fully extended to the
floor with the full weight of the rack resting on the jacks.

 * For single rack installation, stabilizers should be attached to the rack.
 * For multiple rack installations, the racks should be coupled together.
 * Ensure the rack is stable before extending a component from the rack.
 * Only extend one component at a time; extending two or more simultaneously may
   cause the rack to become unstable.

After installing the device into the rack, install the hard disk drives into
the device.


RAIL RACK PARTS


The rail assembly consists of three parts:

 * Outer rail: connects to the rack
 * Middle rail: connects the inner and outer rails
 * Inner rail: connects to the device.

The inner rail has a locking tab that locks the device into place when it is
installed and pushed into the rack. This prevents the device from sliding fully
out of the rack when the device is being worked on.

There are five steps to install the device into the rack:

 1. Disassemble the rail assembly
 2. Attach the inner rails to the device
 3. Install the outer rails on a rack
 4. Install the device into the rack
 5. Install the cable management arm


DISASSEMBLING THE RAIL ASSEMBLY


 1. Identify the left and right rail assemblies.
 2. Pull out the inner rail until it is fully extended.
 3. Press down the locking tab to release the inner rail.
 4. Remove the inner rail from the outer rail.
 5. Repeat steps 2 – 4 for the remaining rail assembly.

Do not pick up the server by the front handles. They are designed to only pull
the unit from the rack.


ATTACHING THE INNER RAILS TO THE DEVICE

 1. Ensure that the right and left rails are correctly identified.
 2. Place the inner rail against the side of the device, ensuring that the hooks
    on the side of the device align with the holes in the rail.
 3. Slide the rail towards the front of the device until the rail clicks into
    the locked position.
 4. Optionally, secure the rail to the device using the provided M4 Flat Head
    screws.
 5. Repeat steps 2 – 4 for the remaining rail.


INSTALLING THE OUTER RAILS ON A RACK


 1. Press up on the locking tab on the back of the middle rail.
 2. Push the middle rail back into the outer rail.
 3. Hang the hooks on the front of the outer rail to the slots on the rack. Use
    two of the provided washers and M5 12L Flat Head screws to secure the rail
    to the rack.
 4. Pull out the back of the outer rail to adjust its length until it fits
    properly in the rack.
 5. Hang the hooks on the back of the rail to the slots on the back of the rack.
    Use two of the provided washers and M5 12L Flat Head screws to secure the
    rail to the rack.
 6. Repeat steps 1 – 5 for the remaining rail.


INSTALLING THE DEVICE INTO THE RACK


 1. Ensure that the inner rails are properly connected to the device, and that
    the outer rails are securely attached to the rack.
 2. Pull the middle rail out from the front of the outer rail until it locks.
 3. Align the inner rails with the middle rails and slide the device onto the
    rails until the locking tab on the inner rails clicks into the front of the
    middle rails. Ensure that even pressure is applied to both sides of the
    device while doing this.
 4. Push down the locking tabs on both sides at the same time, then push the
    device all the way into the rack.
 5. When the unit has been completely pushed into the rack, the locking tabs
    will click into the locked position.
 6. Install the hard disk drives into the device.


INSTALLING THE CABLE MANAGEMENT ARM


 1.  Slide the device part way out of the rack to provide space for installing
     the cable management arm.
 2.  Attach the inner member connector to the back end of the right inner rail
     (when looking at the front of the device).
 3.  Attach the supporting bar connector to the back end of the right middle
     rail.
 4.  Attach the supporting bar connector to the back end of the left middle
     rail.
 5.  Attach the outer member connector to the back end of the left outer rail.
 6.  Plug the supplied power cables into the power supplies on the back of the
     device, and connect any other required cables.
 7.  Open the red caps and route the cables through the wire carrier. This is
     important to ensure that cables are not damaged when sliding the device in
     and out of the rack.
 8.  Fasten the cables using the provided straps and the aluminum joints and U
     bracket. Use two straps on each joint and one on each connector.
 9.  Slide the chassis in and out to ensure that the cable management arm’s
     motion is smooth. If it is not, loosen the straps as required.
 10. If required, adjust the location of the U bracket to ensure that it does
     not interfere with the power source.


CONNECTING THE DEVICE

 1. Plug the power cables into grounded electrical outlets or separate power
    sources, such as uninterruptible power supplies (UPS) or power
    distribution units (PDU).
 2. Insert the Ethernet cable into a router or switch that is connected to the
    Internet.
 3. Press the power button on the system to turn on the device.

Both power supplies are required for normal operation.

For additional security, secure the chassis handles to the front of the rack
with the provided M5 20L Truss Head screws.




The post FortiAnalyzer Installation Guide with Cable Management Arm appeared
first on Fortinet Cookbook.








FORTIANALYZER 400E INSTALLATION GUIDE

July 7, 2017, 9:46 am

The FortiAnalyzer-400E can be mounted in any standard 19 inch rack unit with the
provided mounting hardware.

The rack must be stabilized before sliding the unit out for servicing. Failure
to stabilize may cause the rack to tip over.

Electrostatic discharge (ESD) can damage your Fortinet equipment.

To avoid personal injury or damage to the unit, it is recommended that two or
more people install the unit into the rack.

Do not place heavy objects on the unit.


RACK PRECAUTIONS

 * Ensure the leveling jacks on the bottom of the rack are fully extended to the
   floor with the full weight of the rack resting on the jacks.
 * For single rack installation, stabilizers should be attached to the rack.
 * For multiple rack installations, the racks should be coupled together.
 * Ensure the rack is stable before extending a component from the rack.
 * Only extend one component at a time; extending two or more simultaneously may
   cause the rack to become unstable.


RAIL RACK IDENTIFICATION


The rail mount kit includes two rail assemblies. Each assembly consists of two
sections:

 * A fixed inner rail that secures directly to the unit
 * A fixed outer rail that secures directly to the rack

Both rail assemblies have locking tabs. The tabs lock the unit into place when
installed into the rack and when fully extended from the rack. This prevents the
device from sliding fully out of the rack when the device is being worked on.


INNER RAIL EXTENSIONS


Using the inner rail extensions is optional. Use the inner rail extensions to
stabilize the unit within the rack.

 1. Ensure you have correctly identified the left and right rail extensions.
 2. Place the inner rail extension on the side of the unit and align the hooks
    on the unit with the holes on the rail extension. Make sure the inner rail
    extension faces out.
 3. Slide the extension toward the front of the unit.
 4. Secure the rail extension to the unit with the provided M4 6L inner rail
    screws.
 5. Repeat steps 1-4 for the other inner rail extension.

Do not pick up the server by the front handles. They are designed to only pull
the unit from the rack.


OUTER RAILS


The outer rails attach to the rack and hold the unit in place.

 1. Attach the short bracket to the outside of the long bracket by aligning the
    pins with the slides. Both brackets must face the same direction.
 2. Adjust the short and long brackets to the appropriate length so that they
    fit securely into the rack.
 3. Secure the long bracket to the front side of the outer rail with the
    provided washers and M5 12L outer rail screws.
 4. Secure the short bracket to the back side of the outer rail with the
    provided washers and M5 12L outer rail screws.
 5. Repeat steps 1-4 for the other rail.


RACK INSTALLATION


 1. Ensure that there is enough room around the unit to allow for sufficient air
    flow.
 2. Ensure that the inner rails are properly connected to the device, and that
    the outer rails are securely attached to the rack.
 3. Align the inner rails with the rack rails and slide the device onto the
    rails. Ensure that even pressure is applied to both sides of the device
    while doing this.
 4. When the unit has been completely pushed into the rack, the locking tabs
    will click into the locked position.
 5. For additional security, insert and tighten the thumbscrews that hold the
    front of the unit to the rack.

After the device is installed in the rack and the hard disk drives are
installed, plug the supplied power cables into the rear of the unit and then
into grounded electrical outlets or separate power sources, such as
uninterruptible power supplies (UPS) or power distribution units (PDU).




The post FortiAnalyzer 400E Installation Guide appeared first on Fortinet
Cookbook.






FEATURE SELECT CONFUSION

July 14, 2017, 1:14 pm

In a product that has and uses a number of sophisticated technical features, one
of the things that causes confusion on a regular basis is the fairly
straightforward Feature Select section.



The confusion arises not from how to use the interface, but in what it actually
does. This misunderstanding probably arises from a perfectly understandable
assumption, based upon how many products, and even the FortiGate in some
contexts, work.

In the Feature Select panel, there is a list of FortiGate features that can be
used and configured. Next to each feature name is a sliding toggle icon. Slide
the toggle to the left and the icon is grayed out; slide it to the right and it
is a bright color (which bright color depends on the color theme in use on your
FortiGate). The grayed out icon represents a disabled status and the colorful
icon represents a feature that is on.

The erroneous assumption that gets made here is that disabling the feature in
this panel disables the feature on the FortiGate. What is actually happening is
that the feature is being disabled within the GUI. It does not stop the feature
from working on the FortiGate. 

This screenshot shows what the Network section of the GUI looks like with every
feature turned on.



Now, we go into the Feature Select and turn off Advanced Routing. Then we go
back to the Network section to see what changes have taken place.

You’ll notice that now there are fewer options under the Network heading. The
following options are no longer available:

 * Policy Routes
 * RIP
 * OSPF
 * BGP
 * Multicast

There are reasons for this non-intuitive approach. The reason for having a
setting that removes something from the GUI is that the FortiGate can do so many
things, and therefore has so many settings, that it is good practice to remove
the clutter of options that are not going to be needed. The reason that large
chunks of features and functions are not actually disabled is that there is a
lot of interconnectivity between the various features and settings. Disabling a
feature that you don’t think you’ll be using may include some settings that,
while you don’t see them, affect a feature that you do use.


COLORFUL BONUS:

It’s off topic, but this is a fairly short post so I thought that I’d throw in
a little bonus piece of information. Since I made reference to the possible
color variation of the toggle switches, here are the instructions for changing
the color theme:


GUI

The option is located under System > Settings, down in View Settings.

Choose a color from the drop-down menu in the Theme field.


CLI

If you’re a command line cowboy, those settings are shown below. 

# config system global

(global) # set gui-theme ?
green       Green theme.
red         Red theme.
blue        Light blue theme.
melongene   Melongene theme (eggplant color).
mariner     Mariner theme (dark blue color).

(global) # set gui-theme green

(global) # end




The post Feature Select confusion appeared first on Fortinet Cookbook.







EPISODE 13: TECHNICAL DOCUMENTATION

July 20, 2017, 11:29 am

--------------------------------------------------------------------------------

Send us your questions! We’re looking to do a Q&A episode of FortiCast and we
need your help. If you have a question that needs an answer, email us at
forticast@fortinet.com.

--------------------------------------------------------------------------------

Members of the FortiOS documentation team shed some light on how Fortinet
documentation gets made.




TECHNICAL DOCUMENTATION RESOURCES

 * Fortinet Documentation Library
 * FortiOS Online Help
 * FortiOS CLI Reference
 * Fortinet Knowledge Base
 * Fuse Community
 * Fortinet Cookbook
 * Fortinet Video Library / YouTube Channel
 * Valentine’s Day White Paper
 * Fortinet Stories video series
 * Social WiFi Captive Portal [ Facebook | Twitter | Google+ | LinkedIn |
   Form-based ]
 * Take-out Menu


SUBSCRIBE TO FORTICAST









The post Episode 13: Technical Documentation appeared first on Fortinet
Cookbook.






DECRYPTING ESP PAYLOADS USING WIRESHARK

July 21, 2017, 9:00 am

This recipe describes how to decrypt Encapsulated Security Payload (ESP) traffic
on a FortiGate using the Security Association (SA) information from diag vpn
tunnel list. This is useful for tracking whether the FortiGate is properly
encrypting/decrypting IPsec VPN packets, and whether there is any packet loss.



This recipe assumes that NPU offloading is disabled on phase1-interface and that
NAT is disabled. The example simulates a lost packet in a site-to-site IPsec VPN
tunnel.


1. ESTABLISHING THE TUNNEL

If the tunnel is currently down, go to Monitor > IPsec Monitor, right-click the
tunnel, and select Bring Up.



2. CAPTURING PACKETS

Go to Network > Packet Capture and create a new entry.

Set Interface to the external-facing interface (in this case, wan1).

Select Enable Filters and enter Protocol 50 (the protocol number for ESP).

In the Packet Capture list, highlight the new entry and select Start/Resume
Capturing to begin capturing packets for the next step.


Ping through the tunnel to populate the packet capture with traffic.


For example, in Windows Command Prompt, enter: ping x.x.x.x -n 100, where
x.x.x.x is the remote tunnel endpoint (-n 100 will ping 100 times).

In the Packet Capture list on the FortiGate, select the Download option to save
the .pcap file to your computer once the packets have been captured.



3. CONFIGURING WIRESHARK

In Wireshark, open the .pcap file saved previously. 

Go to Edit > Preferences and navigate to Protocol > ESP.

Check all BUT Attempt to detect/decode NULL encrypted ESP payloads.

Select Edit… to open the ESP SAs configuration table. 


On the FortiGate, open the CLI Console and enter the command diag vpn tunnel
list.

Make note of the information next to dec: and enc:. You will need the SPI
information, as well as the ESP and AH keys for both the remote and local
FortiGates.


In Wireshark’s ESP SAs configuration table, add a new entry for each direction
of the tunnel.


Note the image in the example:

 * Src IP and Dest IP refer to the gateway addresses.
 * The SPI information in the diag output will help you determine which
   encryption and authentication keys to use for each direction.
 * Note that 0x must be prepended to the SPI entries as well as each of the
   Encryption and Authentication Keys.

Click OK when you are done.


4. RESULTS

In this example, a missing packet is identified in the packet capture by the
ICMP error “No response seen to ICMP request”.

Shown here is a packet capture without any errors.

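The packet-loss check this recipe performs by decrypting the capture can also be done without any keys, because every ESP packet carries its SPI and a sequence number in the clear. The script below is an added example (not part of the recipe and not Fortinet code): a pure-Python parser for a classic pcap with Ethernet frames (assumed to be what the Packet Capture download produces; pcapng is not handled) that groups ESP packets by source, destination and SPI, one entry per tunnel direction just like the Wireshark SA table, and lists the sequence numbers missing from each. The sample capture is constructed inline, with one inbound reply dropped.

```python
"""Report ESP sequence-number gaps per Security Association in a pcap.

Added example, not Fortinet code. Assumes a classic pcap (not pcapng) with
Ethernet frames, such as the file downloaded from Network > Packet Capture.
"""
import struct
from collections import defaultdict

IP_PROTO_ESP = 50   # the protocol number entered in the capture filter
DLT_EN10MB = 1      # Ethernet link type in the pcap global header


def pcap_frames(data):
    """Yield the link-layer bytes of each record in a classic pcap blob."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def esp_records(data):
    """Return (src, dst, spi, seq) for every IPv4 ESP packet in the capture."""
    records = []
    for frame in pcap_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ip[9] != IP_PROTO_ESP or len(ip) < ihl + 8:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        spi, seq = struct.unpack_from(">II", ip, ihl)   # ESP header: SPI, seq
        records.append((src, dst, spi, seq))
    return records


def sequence_gaps(records):
    """Group packets by SA (src, dst, SPI) and list missing sequence numbers.

    Sequence numbers start at 1 and increase by one per packet sent on an SA,
    so any number absent between the lowest and highest seen was lost on the
    path or dropped by the capture. Duplicates are tolerated; wraparound is not.
    """
    by_sa = defaultdict(set)
    for src, dst, spi, seq in records:
        by_sa[(src, dst, spi)].add(seq)
    return {sa: [n for n in range(min(s), max(s) + 1) if n not in s]
            for sa, s in by_sa.items()}


# --- constructed sample capture (no real traffic, addresses are made up) ----
def build_esp_frame(src, dst, spi, seq):
    """Build an Ethernet/IPv4/ESP frame with a dummy 16-byte encrypted payload."""
    esp = struct.pack(">II", spi, seq) + bytes(16)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64,
                     IP_PROTO_ESP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return bytes(12) + b"\x08\x00" + ip + esp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap with Ethernet link type."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    body = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


# Outbound SA: 5 echo requests, all captured. Inbound SA: reply 4 never arrived.
SAMPLE_PCAP = build_pcap(
    [build_esp_frame("10.0.0.1", "10.0.0.2", 0x1111AAAA, n) for n in range(1, 6)]
    + [build_esp_frame("10.0.0.2", "10.0.0.1", 0x2222BBBB, n) for n in (1, 2, 3, 5)]
)

if __name__ == "__main__":
    for (src, dst, spi), missing in sequence_gaps(esp_records(SAMPLE_PCAP)).items():
        print(f"{src} -> {dst} SPI 0x{spi:08x}: missing seq {missing or 'none'}")
```

Replace SAMPLE_PCAP with the bytes of the downloaded .pcap to run it on a real capture; the SPIs it prints are the same values (without the 0x prefix) that the Wireshark SA table needs.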



The post Decrypting ESP payloads using Wireshark appeared first on Fortinet
Cookbook.








HIGH AVAILABILITY WITH TWO FORTIGATES

July 28, 2017, 11:15 am

In this recipe, a backup FortiGate unit will be installed and connected to a
previously installed primary FortiGate to provide redundancy if the primary
FortiGate fails.

Before you begin, the FortiGates should be running the same FortiOS firmware
version and interfaces should not be configured to get their addresses from DHCP
or PPPoE.

This recipe is in the Security Fabric collection. It can also be used as a
standalone recipe.



This setup, called FortiGate High Availability (HA), improves network
reliability. The previously installed FortiGate will continue to operate as the
primary unit and the new FortiGate will operate as the backup FortiGate.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6


1. SETTING UP REGISTRATION AND LICENSING

Make sure both FortiGates are running the same FortiOS firmware version.
Register and apply licenses to the new FortiGate unit before adding it to the
cluster. This includes activation of FortiCloud and licenses for FortiGuard,
FortiSandbox, and FortiClient, as well as entering a license key if you
purchased more than 10 Virtual Domains (VDOMS). All FortiGates in the cluster
must have the same level of licensing for FortiGuard, FortiCloud, FortiClient
and VDOMs. FortiToken licenses can be added at any time because they are
synchronized to all cluster members.


You can also install any third-party certificates on the primary FortiGate
before forming the cluster. Once the cluster is formed third-party certificates
are synchronized to the backup FortiGate.


2. CONFIGURING THE PRIMARY FORTIGATE FOR HA

Connect to the primary FortiGate GUI and go to System > Settings and change the
Host Name to identify this as the primary FortiGate in the HA cluster.


Go to System > HA and set the Mode to Active-Passive. Set the Device Priority to
a higher value than the default to make sure this FortiGate will always be the
primary FortiGate. Also set a Group Name and Password.

Make sure that two Heartbeat Interfaces (port3 and port4 in this case) are
selected and their priorities are both set to 50.

Since the backup FortiGate is not available, when you save the HA configuration,
the primary FortiGate will form a cluster of one FortiGate but will keep
operating normally.

If there are other FortiOS clusters on your network you may need to change the
cluster group id using this CLI command:

config system ha
    set group-id 25
end


3. CONNECTING THE BACKUP FORTIGATE

Connect the backup FortiGate to the primary FortiGate and the network as shown
in the network diagram at the top of the recipe. Making these network
connections will disrupt traffic so you should do this when the network is
quiet.


If possible, make direct Ethernet connections between the heartbeat interfaces
of the two FortiGate units.

Switches must be used between the cluster and the Internet and between the
cluster and the internal networks as shown in the network diagram. You can use
any good quality switches to make these connections. You can also use one switch
for all of these connections as long as you configure the switch to separate
traffic from the different networks.


4. CONFIGURING THE BACKUP FORTIGATE FOR HA

Connect to the backup FortiGate GUI and go to System > Settings and change the
Host Name to identify this as the backup FortiGate.


Go to System > HA and duplicate the HA configuration of the primary FortiGate
(except for the Device Priority): set the Mode to Active-Passive, set the Device
Priority to a lower value than the default to make sure this FortiGate will
always be the backup FortiGate. Also set the same Group Name and Password as the
primary FortiGate.

Make sure that the same two Heartbeat Interfaces (port3 and port4) are enabled
and their priorities are both set to 50.

Change the cluster group id if you changed it for the primary unit using this
CLI command:

config system ha
    set group-id 25
end

When you save the backup FortiGate’s HA configuration, if the heartbeat
interfaces are connected, the FortiGates will find each other and form a
cluster. Network traffic may be disrupted for a few seconds while the cluster is
negotiating.


5. VIEWING THE CLUSTER STATUS

Connect to the primary FortiGate GUI. The HA Status widget displays the cluster
mode, group name, and includes the host name of the primary unit (master). Hover
over the primary unit host name to verify that the cluster is synchronized and
operating normally. You can also click on the widget to change the HA
configuration or view a list of recently recorded cluster events such as members
joining or leaving the cluster and so on.

Click on the HA Status widget and select Configure settings in System > HA (or
go to System > HA) to view the cluster status.

If the cluster is part of a Security Fabric, the FortiView Physical and Logical
Topology views show information about the cluster status.


6. RESULTS

Traffic is now passing through the primary FortiGate. However, if the primary
FortiGate becomes unavailable, traffic should failover and the backup FortiGate
will process traffic.

Failover also causes the primary and backup FortiGate to reverse roles, even
when both FortiGates are available again.

To test this, ping the IP address 8.8.8.8 using a PC on the internal network.
After a moment, power off the primary FortiGate. You will see a momentary pause
in the ping results, until traffic diverts to the backup FortiGate, allowing the
ping traffic to continue.


7. (OPTIONAL) UPGRADING THE FIRMWARE FOR THE HA CLUSTER

When a new version of the FortiOS firmware becomes available, upgrading the
firmware on the primary FortiGate automatically upgrades the backup FortiGate’s
firmware. Both FortiGates are updated with minimal traffic disruption.

Always review the Release Notes and Supported Upgrade Paths before installing
new firmware.

From the admin menu, select Configuration > Backup. Always remember to back up
your configuration before upgrading the firmware.

Click the System Information widget and select the option to update firmware.
Update the firmware from FortiGuard or by uploading a firmware image file. The
firmware loads onto both the primary and the backup FortiGates with minimal
traffic interruption.

After the upgrade is complete, verify that the System Information widget shows
the new firmware version.

For further reading, check out FGCP configuration examples and troubleshooting
in the FortiOS 5.6 Handbook.


If you have not already installed a FortiGate, see Installing a FortiGate in
NAT/Route mode.
Also, you cannot use a switch port as a HA heartbeat interface; if necessary,
convert the switch port to individual interfaces (see Choosing your FortiGate’s
switch mode).
If the FortiGates in the cluster will be running FortiOS Carrier, apply the
FortiOS Carrier license before configuring the cluster (and before applying
other licenses). Applying the FortiOS Carrier license sets the configuration to
factory defaults, requiring you to repeat steps performed before applying the
license.
If these steps don’t start HA mode, make sure that none of the FortiGate’s
interfaces use DHCP or PPPoE addressing.
This example uses two FortiGate-600Ds and the default heartbeat interfaces are
used (port3 and port4). You can use any interfaces for HA heartbeat interfaces.
A best practice is to use interfaces that do not process traffic, but this is
not a requirement.
If you are using port monitoring, you can also unplug the primary FortiGate’s
Internet-facing interface to test failover.
For information about accessing firmware images, see Verifying and updating the
FortiGate unit’s firmware.


The post High Availability with two FortiGates appeared first on Fortinet
Cookbook.






EPISODE 14: FORTIMANAGER 5.6

August 2, 2017, 7:20 am

--------------------------------------------------------------------------------

Send us your questions! We’re looking to do a Q&A episode of FortiCast and we
need your help. If you have a question that needs an answer, email us at
forticast@fortinet.com.

--------------------------------------------------------------------------------

Learn all about the new features in FortiManager 5.6.




FORTIMANAGER 5.6 RESOURCES

 * FortiManager 5.6 documentation:
   * Release Notes
   * Upgrade Guide
   * Administration Guide (PDF | HTML)
   * CLI Reference (PDF | HTML)
 * FortiManager @ Fortinet.com


SUBSCRIBE TO FORTICAST









The post Episode 14: FortiManager 5.6 appeared first on Fortinet Cookbook.






FORTIANALYZER: LOG DATA MIGRATION FROM AN OLD TO A NEW FORTIANALYZER

August 2, 2017, 2:52 pm

This example illustrates how to migrate logs from an old FortiAnalyzer to a new
FortiAnalyzer. 

When migrating logs, the firmware versions must be the same.
For example, if you are migrating logs from an old FortiAnalyzer running 5.2 to
a new FortiAnalyzer running 5.4, you must upgrade the 5.2 FortiAnalyzer to 5.4
firmware before aggregating and migrating logs to the new 5.4 FortiAnalyzer.


MIGRATING PREREQUISITES

 1. Make the old and new FortiAnalyzer the same firmware version.
    5.4.0 or later is preferred. 
 2. Migrate the Device Manager settings from the old FortiAnalyzer to the new
    one.
 3. Enable the GUI display of device import/export by using the following
    command:

    config system admin setting
        set show-device-import-export enable
    end

 4. In the old FortiAnalyzer, export the Device List from the Device Manager.
 5. In the new FortiAnalyzer, import the Device List from the Device Manager.


SETTING UP THE AGGREGATION CLIENT


In FortiAnalyzer 5.6.0 and later, Log Aggregation is only available from the
CLI.

Use the following command to set up the Aggregation Client:

config system aggregation-client
     edit 1
          set mode aggregation 
          set agg-user [ENTER ADMIN USER FOR NEW FORTIANALYZER]
          set agg-password [ENTER PASSWORD FOR NEW FORTIANALYZER]
          set agg-time 1 [LOG AGGREGATION START TIME]
          set server-ip [ENTER NEW FORTIANALYZER IP ADDRESS]
     next
end


SETTING UP THE AGGREGATION SERVER

Use the following command to set up the Aggregation Server:

config system aggregation-service
     set accept-aggregation enable
end

After running the command, take note of the Instance ID. You will need to enter
the Instance ID when running the aggregation command in the Client CLI.

Log Aggregation is not supported on all FortiAnalyzer models; check your
specific device’s datasheet.


RUNNING AGGREGATION IN THE CLIENT CLI

You can initiate log aggregation via the GUI or the CLI console.

In the GUI, go to System > Log Forwarding > select Aggregation Profile > click
Aggregate Now.

In the CLI, use the following command to aggregate logs in the Client:

exec log-aggregation all


CHECKING THE AGGREGATION PROGRESS ON THE CLIENT

On the old FortiAnalyzer (the Client), go to System Settings > Event Log. When
the log aggregation is complete, the following message is displayed: Log
aggregation session completed.


REBUILDING THE DATABASE

If you are migrating a large volume of logs, rebuild the database on the new
FortiAnalyzer after log aggregation completes so the migrated logs are indexed
for Log View and reports.

Use the following command to rebuild the database:

execute sql-local rebuild-db

The rebuild takes time proportional to the amount of log data, and Log View and
reports are unavailable while it runs. Check its progress with:

diagnose sql status rebuild-db


DEBUGGING LOG AGGREGATION

To debug log aggregation on the Client, enable application debugging with the
following CLI commands:

diagnose debug application log-aggregate 255
diagnose debug enable

The output is verbose; turn it off once you have what you need:

diagnose debug application log-aggregate 0
diagnose debug disable




The post FortiAnalyzer: Log Data Migration from an Old to a New FortiAnalyzer
appeared first on Fortinet Cookbook.

