Blog

FortiGate Periodically Dropping Comcast Connection v5.4

This quick post is to document an issue we’ve seen enough times to make this change part of our standard deployment. Issue: a new FortiGate installation seems to drop the Comcast Internet connection for a minute periodically. This isn’t a link monitor issue or anything complex. The problem comes down to some Comcast modems; I’m sure other providers have a similar issue. When a FortiGate is deployed, the FortiGuard service uses port 53 for updates. When these impacted modems see non-DNS…

FortiGate Category Filtering Office 365 Issue v5.4

Content filtering is a great feature of the FortiGate firewalls, but the nature of what’s happening behind the scenes means some web sites do not like to be inspected and some users don’t fit the standard policy. For example, if you enable blocking of unrated categories in your web filtering and you have Office 365, there’s a good chance your users will start getting errors with Office 365. A bit of tweaking fixes this, but it would be better to know…

FortiGate Geo Blocking v5.4

I’m frequently asked to block users from accessing certain countries, and it can help prevent exploits if your users have no business connecting to some of these countries. This is called Geo Blocking and it’s pretty easy to set up. Set up an address object for the country you want to block: navigate to Policy & Objects > Addresses and click Create New Address. Enter the name of the country in question. Change the Type to Geography. Change the Country to the country…

FortiGate Content Filtering Per User Override v5.4

Content filtering is a great feature of the FortiGate firewalls, but the nature of what’s happening behind the scenes means some web sites do not like to be inspected and some users don’t fit the standard policy. Issue: blocking a category but needing to create an exception. So maybe your organization blocks the Social Networking category for all users, but now HR can’t check out candidates and they need access. We’ll fix this with an exemption and a new policy…

FortiGate Block Website v5.4

This post shows you how to block an individual website with a static URL filter. Navigate to Security Profiles > Web Filter. Scroll down to Static URL Filter and enable URL Filter (if it’s not already). Click Create. Enter the URL you want to block. I’m using facebook.com for this example, and since I want to block all things facebook.com I’m making this a Wildcard block and using *facebook.com for the entry. Click OK. Make sure you have an outbound…

FortiGate Outbound Static NAT using IP Pools v5.4

Say you have a block of static IP addresses from your provider. You are using one of them for the external IP address of your FortiGate; this is typically applied as the NAT address for your inside traffic to access the Internet. If you have an internal server that you want to use one of your other static IP addresses instead, this is the process for you. This is commonly done for something like an internal mail server that you…

FortiGate Inbound Port Forwarding using VIPs v5.4

This article goes over creating an inbound port forward NAT rule on a FortiGate device. This allows inbound access to a resource behind your firewall using your public IP address. For this example we’ll create a rule that allows HTTP (port 80) and SMTP (port 25) pointed at one internal server resource. The external IP address (WAN interface side) for this example is 1.1.1.1. The internal IP address (inside interface side) for this example is 2.2.2.2. First we’re going to…

FortiGate AD Authentication for SSL VPN v5.4

Active Directory is a great authentication system, already in use on your network if you have a Windows Server based infrastructure, so it makes sense to leverage it for authenticating your SSL VPN users rather than creating separate, local login accounts. Before you set this up on the FortiGate you first need to set up a service account on your Windows server. Yes, you could use an already existing account, but it’s advisable to use something separate so if/when you need to…

Figuring out an Active Directory Object’s DN Path

There are times when you will need to figure out an object’s distinguished name path in Active Directory. For example, you want to configure AD authentication. There are a few different ways to do this; I’m going to show you two of them. I’m doing this on Microsoft Windows Server 2012 R2, but the idea is the same for 2008/2008 R2. Method One: Attribute Editor. On a domain controller, open up Active Directory Users and Computers. Click View and select Advanced…

FortiGate Dual ISP Failover both active v5.4

The premise: you have a FortiGate and you have two ISP connections. Maybe the speeds aren’t that close together and one of them is really just for failover, so load balancing is out, but you want BOTH WAN connections to respond from the outside. It’s pretty straightforward. Configure your IP addressing on both WAN interfaces. Let’s assume WAN1 is going to be the primary connection. The secret sauce is in the Distance and Priority for your static routes. You…

Cisco FirePOWER Management Center Alerting – v6

If you want to be notified of system alerts without having to stare at the dashboard, then you need to configure an email server and external alerting. Configure Email Notification: navigate to System > Configuration > Email Notification. Enter the Mail Relay Host, the port number, the encryption method, the from address and the authentication settings, and click Save. Make sure to click Test Mail Server Settings to verify they are working properly before proceeding.

Cisco ASA5500-X FirePOWER Preparation v6

Upgrading an ASA’s FirePOWER module to version 6 and getting it ready to be integrated into FirePOWER Management Center is a bit of a process, but thankfully most of it isn’t production impacting. First, a few prerequisites. The ASA must have an SSD drive installed and functional. Do a show inventory from the CLI to make sure one is found before you get started; if you have a drive installed but it’s not showing up, try rebooting the ASA….

Cisco FirePOWER Management Center v6 – Adding Licenses

This will cover Classic Licensing, not Smart Licensing, for FirePOWER features. You’ll receive your PAK code from Cisco either electronically or on a paper card. From there you can go to https://cisco.com/go/license to register it and get the actual .LIC file. If you haven’t purchased a license yet, you can get a demo license from Cisco by working with your sales engineer. Before you head over there you will need the License Key from the FirePOWER Management Center, since that’s where…

Cisco FirePOWER Management Center AD Integration v6

You have FirePOWER Management Center all fired up and configured and you are getting lots of information, but rather than seeing which user is doing what, you are just getting source computer IP addresses. You can tie FirePOWER into Active Directory to report on actual users as well as to create policies based on AD users. This lets you get much more granular with your approach. There are two ways to accomplish this: active authentication and passive authentication….

Cisco FirePOWER Management Center v6 – Initial Installation

This will review deploying the Cisco FirePOWER Management Center on ESXi. The Management Center makes it possible to manage multiple FirePOWER devices from a central server, allowing you to scale up more efficiently. Before we get started, a few prerequisites. Make sure you have a VMware host (ESXi or ESX). You will need capacity on this host for 8GB RAM, 4 vCPUs and 250GB storage (thick provisioned) for the FirePOWER Management Center VM. You can deploy this thin provisioned if…
