FortiGate Archives -

Creating Policies with Internet Services Database

April 7, 2020 ggleason Comments 0 Comment

This article describes using the Internet Services Database on a FortiGate firewall. The Internet Services Database is a comprehensive public IP address database that combines IP address range, IP owner, service port number and IP security credibility. The data comes from the FortiGuard service system and is regularly updated by Fortinet. This database can be used as either source or destination for policies. A few prerequisites, you have to have a valid FortiGuard subscription and the service Domain & IP…

Read More Read More

FortiGate HA Cluster Management IP – In Band Method v6

December 30, 2019 ggleason Comments 1 comment

This article describes an option for managing a FortiGate HA cluster. Why is this important? Ideally, you want to make sure you have IP access to both the Active and Standby FortiGate firewalls separately from the combined management IP address. This gets important when you have to do things like a remote upgrade. This method will give you a separate management IP address on both the primary and standby FortiGate firewall. These IP addresses will be on the same network…

Read More Read More

FortiGate as a DNS slave to a Windows AD DNS Master v5.4

March 12, 2018 ggleason Comments 0 Comment

This post goes over how to setup a FortiGate firewall as a slave DNS server to a Windows DNS master. This is a great feature to enable for branch offices or even as basic redundancy to a single Windows DNS server. Starting on the Windows DNS Server: Launch DNS Manager Double click on the zone you want to replicate and locate the SOA record and edit it. Go to the Zone Transfer tab and enable zone transfers. You can leave…

Read More Read More

FortiGate WAN Link Monitor v5.4

March 10, 2018 ggleason Comments 0 Comment

You’ve setup your FortiGate and have multiple Internet providers. You are using basic failover for your providers, you want to monitor the links to automate the failover but you don’t want to setup SD-WAN or WAN LLB. What you want is link-monitor, or what used to be called ping server detect. With link-monitor setup, when the target detects a failure the routes for WAN1 will be deleted and traffic will go to WAN2. When the target detects success the routes…

Read More Read More

FortiGate SSL VPN Internal DNS Resolution v5.4

October 27, 2017 ggleason Comments 0 Comment

You’ve setup your FortiGate firewall, configured SSL VPN and deployed your clients. Your users can log in but they need to use fully qualified domain names to resolve hosts internally. To create a better user experience, you want to append your DNS domain name to your SSL VPN users when they connect, just like when they are in the office. It’s pretty straight forward assuming you already have SSL VPN configured, if you don’t follow this guide: FortiGate SSL VPN…

Read More Read More

FortiGate Agent Based FSSO AD Integration v5.4

October 21, 2017 ggleason Comments 0 Comment

If you want to report on user Internet usage and possibly even define access rules based on your Active Directory groups this document is for you. We’ll install the FSSO Collector Agent in basic mode, identify the groups we are interested in and setup the FortiGate. The FSSO Collector will monitor the Windows security logs on your domain controller for log on and log off events, these events contain the IP address of the computer that logged on or off…

Read More Read More

FortiGate Periodically Dropping Comcast Connection v5.4

October 1, 2017 ggleason Comments 0 Comment

This quick post is to document an issue we’ve seen enough times to make this change part of our standard deployment. Issue: New FortiGate installation seems to drop Comcast Internet connection for a minute periodically. This isn’t a link monitor issue or anything complex. The problem comes down to some Comcast modems, other providers I’m sure have a similar issue. When a FortiGate is deployed, the FortiGaurd service uses port 53 for updates. When these impacted modems see non DNS…

Read More Read More

FortiGate Category Filtering Office 365 Issue v5.4

October 1, 2017 ggleason Comments 0 Comment

Content filtering is a great feature with the FortiGate firewalls but the nature of what’s happening behind the scenes means some web sites do not like to be inspected and some users don’t fit the standard policy. For example, if you enable blocking unrated categories with your web filtering, and you have Office 365 there’s a good chance your users will start getting errors with Office 365. A bit of tweaking fixes this, but it would be better to know…

Read More Read More

FortiGate Geo Blocking v5.4

October 1, 2017 ggleason Comments 0 Comment

I’m frequently asked to block users from accessing certain countries and it can help prevent exploits if your users have no business connecting to some of these countries. This is called Geo Blocking and it’s pretty easy to setup. Setup address object for the country you want to block Navigate to Policy & Objects > Addresses and click Create New Address Enter the name of the country in question Change the Type to Geography Change the Country to the country…

Read More Read More

FortiGate Content Filtering Per User Override v5.4

October 1, 2017 ggleason Comments 0 Comment

Content filtering is a great feature with the FortiGate firewalls but the nature of what’s happening behind the scenes means some web sites do not like to be inspected and some users don’t fit the standard policy. Issue: Blocking A Category but need to create an exception So maybe your organization blocks the Social Networking category for all users but now HR can’t check out candidates and they need access. We’ll fix this with an exemption and a new policy…

Read More Read More

FortiGate Block Website v5.4

October 1, 2017 ggleason Comments 0 Comment

This post shows you how to block an individual website with a static URL filter. Navigate to Security Profiles > Web Filter Scroll down to Static URL filter and enable URL Filter (if it’s not already) Click Create Enter the url you want to block. I’m using facebook.com for this example and since I want to block all things facebook.com I’m making this a Wildcard block and using *facebook.com for the entry. Click OK Make sure you have an outbound…

Read More Read More

FortiGate Outbound Static NAT using IP Pools v5.4

October 1, 2017 ggleason Comments 0 Comment

Say you have a block of static IP addresses from your provider. You are using one of them for the external IP address of your FortiGate, this is typically applied as the NAT address for your inside traffic to access the Internet. If you have an internal server that you want to use one of your other static IP addresses instead this is the process for you. This is commonly done for something like an internal mail server that you…

Read More Read More

FortiGate Inbound Port Forwarding using VIP’s v5.4

October 1, 2017 ggleason Comments 0 Comment

This article goes over creating an inbound port forward NAT rule on a FortiGate device. This allows inbound access to a resource behind your firewall using your public IP address. For this example we’ll create a rule that allows HTTP (port 80) and SMTP (port 25) pointed at one internal server resource. The external IP address (WAN interface side) for this example is 1.1.1.1 The internal IP address (inside interface side) for this example is 2.2.2.2 First we’re going to…

Read More Read More

FortiGate AD Authentication for SSL VPN v5.4

October 1, 2017 ggleason Comments 0 Comment

Active Directory is a great authentication system, already in use on your network if you have a Windows Server based infrastructure so it makes sense to leverage for authenticating your SSL VPN users rather then creating separate, local login accounts. Before you set this up on the FortiGate you first need to setup a service account on your windows server. Yes, you could use an already existing account but it’s advisable to use something separate so if/when you need to…

Read More Read More

FortiGate Dual ISP Failover both active v5.4

September 26, 2017 ggleason Comments 0 Comment

The premise. You have a FortiGate and you have two ISP connections. Maybe the speeds aren’t that close together and one of them is really just for failover so load balancing is out but you want BOTH WAN connections to respond from the outside. It’s pretty straight forward. Configure your IP addressing on both WAN interfaces. Let’s assume WAN1 is going to be the primary connection. The secret sauce is in the Distance and Priority for your static routes. You…

Read More Read More

FortiGate SSL VPN v5.4

September 19, 2017 ggleason Comments 1 comment

This will review setting up remote users to access your network using a SSL VPN connection, either by tunnel mode (FortiClient) or with a web browser. For this example we’re using tunnel mode instead of split tunnel. This means all traffic (including Internet traffic) will go through the firewall, allowing the client to be protected by the firewalls security features. This example will authenticate with local user accounts. Step 1: Create a local user On your FortiGate go to User…

Read More Read More

FortiGate VPN – SSL Certificate Installation

August 19, 2017 ggleason Comments 0 Comment

Why should you get a certificate for SSL-VPN? When you setup your FortiGate to let users connect into your network via SSL-VPN you will notice they receive a certificate warning. This is because the certificate being used is the self signed certificate that’s on the firewall. This certificate isn’t “trusted” by clients trying to connect in so they warn you on connection attempts. You can eliminate this problem and potential support call by purchasing a SSL certificate from a reputable…

Read More Read More