Blog

Adding Trial FortiGate-VM to FortiManager

Adding Trial FortiGate-VM to FortiManager

If you are working with a 14 day evaluation version of a virtual FortiGate firewall and would like to add it to your FortiManager you will be greeted with a vague SSL Error and the devices won’t be able to communicate. This is probably an issue you will run into with your lab environment but it’s anoying nontheless. The issue is FortiManager requires a high level of encryption, something that’s not supported in the 14 day eval of a virtual…

Read More Read More

FortiGate Managed FortiAP Administrative Access & Static IP

FortiGate Managed FortiAP Administrative Access & Static IP

By default direct management for FortiGate managed FortiAP’s is disabled. You need to enable this if you want to set a static IP address. Enabling AP Management Navigate to WiFi & Switch Controller –> FortiAP Profiles Edit the profile your AP’s are assigned too First the password! Before enabling direct management, set a reasonable password. AP Login Password: Set Enter the password you want to use for the APs and click OK Next set the protocols you wan to allow…

Read More Read More

Creating Policies with Internet Services Database

Creating Policies with Internet Services Database

This article describes using the Internet Services Database on a FortiGate firewall. The Internet Services Database is a comprehensive public IP address database that combines IP address range, IP owner, service port number and IP security credibility. The data comes from the FortiGuard service system and is regularly updated by Fortinet. This database can be used as either source or destination for policies. A few prerequisites, you have to have a valid FortiGuard subscription and the service Domain & IP…

Read More Read More

FortiGate HA Cluster Management IP – In Band Method v6

FortiGate HA Cluster Management IP – In Band Method v6

This article describes an option for managing a FortiGate HA cluster. Why is this important? Ideally, you want to make sure you have IP access to both the Active and Standby FortiGate firewalls separately from the combined management IP address. This gets important when you have to do things like a remote upgrade. This method will give you a separate management IP address on both the primary and standby FortiGate firewall. These IP addresses will be on the same network…

Read More Read More

Cisco FlexVPN

Cisco FlexVPN

Cisco’s FlexVPN is a framework to configure IPSEC VPN’s on newer Cisco IOS devices, it was created to simplify the deployment of VPN solutions. It uses a common configuration template for all VPN types. FlexVPN is based on IKEv2 and does not support IKEv1. IKEv2 is a spoke and hub VPN technology. Example: R1 is the HUB, R2 & R3 are the spokes. We’ll use EIGRP as the routing protocol. Starting with the HUB, R1: !ipsec transform set crypto ipsec…

Read More Read More

Cisco Group Encrypted Transport VPN (GETVPN)

Cisco Group Encrypted Transport VPN (GETVPN)

GETVPN is Cisco’s implementation of the GDOI standard (Group Domain of Interpretation). GDOI was originally created to allow for a less-cumbersome way to encrypt multicast traffic, an alternative to GRE over IPSEC tunnels. These days, GETVPN is used for private networks like MPLS where you use a single Security Association for all routers in a group. It gets around traditional IPSEC’s scaling issue (IPSEC being point to point) by issuing a single IPSEC SA for all routers in the group….

Read More Read More

Certificate Based Site to Site VPN

Certificate Based Site to Site VPN

Site to Site VPN tunnels can be authenticated by using digital certificates instead of using pre-shared keys. With certificates, each peer gets a certificate from a centralized CA (certificate authority). When peers want to use IPsec they exchange the certificates to authenticate. The biggest advantage of using certificate based VPN’s is they are easier to scale up. Let’s say you have a home office and 3 branch offices connected via site to site VPN’s, and these VPN’s are protected using…

Read More Read More

Cisco ASA Ping TCP troubleshooting command

Cisco ASA Ping TCP troubleshooting command

We’ve all used ping to test basic connectivity and we all know that command sends ICMP packets and waits for replies. On Cisco ASA’s you can also use an enhanced version of this command to send any TCP packet instead of just ICMP. This is awesome for troubleshooting purposes and verifying remote services/ports are up, running and reachable. It’s also a great trick to force traffic over a VPN connection to bring a tunnel up from the ASA! Let’s assume…

Read More Read More

Cisco ASA Active/Active Failover

Cisco ASA Active/Active Failover

Cisco ASA Active/Active failover requires two identical Cisco ASA appliances talking to each other through a dedicated failover link and a dedicated stateful link (these can be the same interface). With Active/Active failover both appliances will carry traffic. Failover contexts and failover groups need to be created, the failover group is then applied to the Primary or Secondary ASA appliance. Example configuration parameters:ASA1 & ASA2 are the firewall names being used. Make sure the interfaces being used for the failover…

Read More Read More

Cisco ASA Active/Standby Failover

Cisco ASA Active/Standby Failover

Active/Standby failover enables you to use a standby ASA to take over for a failed unit. When the active unit fails it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses and the MAC addresses of the failed unit and starts passing traffic. In Active/Standby failover, failover occurs on a unit basis, even on systems running in multiple context mode, you can’t failover individual contexts. Aside…

Read More Read More

FortiGate as a DNS slave to a Windows AD DNS Master v5.4

FortiGate as a DNS slave to a Windows AD DNS Master v5.4

This post goes over how to setup a FortiGate firewall as a slave DNS server to a Windows DNS master.  This is a great feature to enable for branch offices or even as basic redundancy to a single Windows DNS server. Starting on the Windows DNS Server: Launch DNS Manager Double click on the zone you want to replicate and locate the SOA record and edit it. Go to the Zone Transfer tab and enable zone transfers.  You can leave…

Read More Read More

FortiGate WAN Link Monitor v5.4

FortiGate WAN Link Monitor v5.4

You’ve setup your FortiGate and have multiple Internet providers.  You are using basic failover for your providers, you want to monitor the links to automate the failover but you don’t want to setup SD-WAN or WAN LLB. What you want is link-monitor, or what used to be called ping server detect. With link-monitor setup, when the target detects a failure the routes for WAN1 will be deleted and traffic will go to WAN2.  When the target detects success the routes…

Read More Read More

Cisco Site to Site GRE VPN Tunnel with EIGRP

Cisco Site to Site GRE VPN Tunnel with EIGRP

What is a GRE tunnel? Generic Routing Encapsulation (GRE) is a tunneling protocol that lets you run a routing protocol between endpoints. This example will create a GRE tunnel between two routers and will run EIGRP between the two. Topology Summary: 192.168.13.0/24 will be the Tunnel Network IP block  Router-1 lo0 10.1.1.0/24 e0/0 192.1.12.2 Router-2 lo0 10.2.2.0/24 e0/0 192.1.23.2 Router-1 interface tunnel1 ip address 192.168.13.1 255.255.255.0 tunnel source 192.1.12.1 tunnel destination 192.1.23.3 router eigrp 100 no auto-summ net 192.168.13.0 net…

Read More Read More

Cisco IOS Site to Site VPN

Cisco IOS Site to Site VPN

Five steps to configuring an IPSec Site to Site VPN! Configure Phase I – ISAKMP Parameters Configure Phase II – ESP Parameters Configure the interesting traffic ACL Link the above parameters to each other using a Crypto Map Apply the Crpyto Map to the outbound interface Notes: Items below between < > are meant to be replaced with a value Phase 1 parameters: pre shared key: cisco123 Peer IP:  192.1.23.3 Phase 1 encryption:  3des Phase 1 hash:  md5 Phase 1…

Read More Read More

FortiGate SSL VPN Internal DNS Resolution v5.4

FortiGate SSL VPN Internal DNS Resolution v5.4

You’ve setup your FortiGate firewall, configured SSL VPN and deployed your clients.  Your users can log in but they need to use fully qualified domain names to resolve hosts internally. To create a better user experience, you want to append your DNS domain name to your SSL VPN users when they connect, just like when they are in the office.  It’s pretty straight forward assuming you already have SSL VPN configured, if you don’t follow this guide: FortiGate SSL VPN…

Read More Read More

FortiGate Agent Based FSSO AD Integration v5.4

FortiGate Agent Based FSSO AD Integration v5.4

If you want to report on user Internet usage and possibly even define access rules based on your Active Directory groups this document is for you.  We’ll install the FSSO Collector Agent in basic mode, identify the groups we are interested in and setup the FortiGate. The FSSO Collector will monitor the Windows security logs on your domain controller for log on and log off events, these events contain the IP address of the computer that logged on or off…

Read More Read More

Cisco FirePOWER DNS Security Intelligence Policy v6

Cisco FirePOWER DNS Security Intelligence Policy v6

DNS-based Security Intelligence allows you to use your FirePOWER implementation to blacklist traffic based on the domain name lookup requested by a client workstation. What’s cool is that items configured here are blocked BEFORE access control rules so you can block bad traffic without wasting resources inspection it further based on the work Cisco has already done, and continues to do via the Cisco Talos Security Intelligence and Research Group.  These lists we’ll select below are automatically updated as Cisco…

Read More Read More

FortiGate Managed Access Point Tunnel Mode v5.4

FortiGate Managed Access Point Tunnel Mode v5.4

This example will use a FortiGate firewall to manage FortiAP access points.  We’ll create what’s called a tunnel-mode wireless network, which means the wireless clients will be on a different network then the wired clients.  The FortiGate firewall will also provide DHCP services to both wired and wireless clients. Creating the wireless network Pick an interface that will have the AP connected to it, this can be on the local FortiGate or a local FortiGate port that’s connected to a…

Read More Read More

FortiGate Managed Access Point Bridge Mode v5.4

FortiGate Managed Access Point Bridge Mode v5.4

This example will use a FortiGate firewall to manage FortiAP access points.  We’ll create what’s called a bridge-mode wireless network, which means the wireless clients will be on the same network as the wired clients.  The FortiGate firewall will also provide DHCP services to both wired and wireless clients. I’ll assume you already have an outbound policy created to allow traffic from inside your network out to the Internet.  Because in this example the wired and wireless traffic will be…

Read More Read More

FortiGate Periodically Dropping Comcast Connection v5.4

FortiGate Periodically Dropping Comcast Connection v5.4

This quick post is to document an issue we’ve seen enough times to make this change part of our standard deployment. Issue:  New FortiGate installation seems to drop Comcast Internet connection for a minute periodically. This isn’t a link monitor issue or anything complex.  The problem comes down to some Comcast modems, other providers I’m sure have a similar issue. When a FortiGate is deployed, the FortiGaurd service uses port 53 for updates.  When these impacted modems see non DNS…

Read More Read More

FortiGate Category Filtering Office 365 Issue v5.4

FortiGate Category Filtering Office 365 Issue v5.4

Content filtering is a great feature with the FortiGate firewalls but the nature of what’s happening behind the scenes means some web sites do not like to be inspected and some users don’t fit the standard policy. For example, if you enable blocking unrated categories with your web filtering, and you have Office 365 there’s a good chance your users will start getting errors with Office 365.  A bit of tweaking fixes this, but it would be better to know…

Read More Read More

FortiGate Geo Blocking v5.4

FortiGate Geo Blocking v5.4

I’m frequently asked to block users from accessing certain countries and it can help prevent exploits if your users have no business connecting to some of these countries.  This is called Geo Blocking and it’s pretty easy to setup. Setup address object for the country you want to block Navigate to Policy & Objects > Addresses and click Create New Address Enter the name of the country in question Change the Type to Geography Change the Country to the country…

Read More Read More

FortiGate Content Filtering Per User Override v5.4

FortiGate Content Filtering Per User Override v5.4

Content filtering is a great feature with the FortiGate firewalls but the nature of what’s happening behind the scenes means some web sites do not like to be inspected and some users don’t fit the standard policy. Issue:  Blocking A Category but need to create an exception So maybe your organization blocks the Social Networking category for all users but now HR can’t check out candidates and they need access.  We’ll fix this with an exemption and a new policy…

Read More Read More

FortiGate Block Website v5.4

FortiGate Block Website v5.4

This post shows you how to block an individual website with a static URL filter. Navigate to Security Profiles > Web Filter Scroll down to Static URL filter and enable URL Filter (if it’s not already) Click Create Enter the url you want to block.  I’m using facebook.com for this example and since I want to block all things facebook.com I’m making this a Wildcard block and using *facebook.com for the entry.  Click OK Make sure you have an outbound…

Read More Read More

FortiGate Outbound Static NAT using IP Pools v5.4

FortiGate Outbound Static NAT using IP Pools v5.4

Say you have a block of static IP addresses from your provider.  You are using one of them for the external IP address of your FortiGate, this is typically applied as the NAT address for your inside traffic to access the Internet. If you have an internal server that you want to use one of your other static IP addresses instead this is the process for you.  This is commonly done for something like an internal mail server that you…

Read More Read More