Fortinet FortiGate firewall technology delivers complete content and network protection by combining stateful inspection with a comprehensive suite of powerful security features. Application control, antivirus, IPS, Web filtering and VPN along with advanced features such as an extreme threat database, vulnerability management and flow-based inspection work in concert to identify and mitigate the latest complex security threats. The security-hardened FortiOS operating system is purpose-built for inspection and identification of malware.
- Fortigate VPN Lab - IPSec, VTI, GRE, BGP
- FortiGate Lab - BGP over IPSec (VTI) - Web Gui Configuration
Features
FortiGate delivers:
- End-to-end security across the full attack cycle
- Top-rated security validated by third-party testing
- Tight integration and multitenancy with Azure
- Centralized management across physical, virtual, and cloud deployments
- Automation templates for rapid deployment
FortiGate virtual appliances offer protection from a broad array of threats, with support for all of the security and networking services offered by the FortiOS operating system.
IPS technology protects against current and emerging network-level threats. In addition to signature-based threat detection, IPS performs anomaly-based detection which alerts users to any traffic that matches attack behavior profiles.
Specification:
BYOL License:
- FortiCare Premium Support
- FortiGuard App Control Service
- FortiGuard IPS Service
- FortiGuard Advanced Malware Protection
- FortiGuard Web Filtering Service
- FortiGuard Antispam Service
Cost
- DS1_v2 - 1vCPU, 3.5GiB RAM, 2 vNIC - $41.61/Month
- DS2_v2 - 2vCPU, 7GiB RAM, 2 vNIC - $83.22/Month
- DS3_v2 - 4vCPU, 14GiB RAM, 4 vNIC - $167.17/Month
FortiGate Subscription Cost
- 1 vCPU - $0.36/hr - $260 / Month
- 2 vCPU - $0.88/hr - $634 / Month
- 4 vCPU - $1.02/hr - $735 / Month
Steps
The following 6 resources will be created in your Resource Group:
Login to Web GUI
Change admin password, ports, and Idle timeout
Register Product to FortiCloud
# diagnose debug cloudinit show
# diagnose debug vm-print-license
# execute vm-license
PAYG license exists.
- Obtain the VM ID:
  - In FortiOS, run the following command and search for the VM Instance ID:
    diagnose test application azd 6
  - In Azure, run:
    az vm show -g Resource-Group-Name -n PAYG-VM-Name --query vmId -o tsv
  It may take up to an hour for the registration status to synchronize and update in the FortiOS GUI.
- Go to Dashboard > Status and in the Licenses widget verify the FortiCare Support status.
- Once the registration is complete, you can log in to a FortiGate Cloud account and download the two free tokens that come standard with FortiGates (see FortiTokens).
Then you can see the details on the FortiGuard license information page. Currently we are using a free license:
Diag Commands
Get system status
NETSEC-FGT # get sys status
Version: FortiGate-VM64-AZURE v7.4.3,build2573,240201 (GA.F)
First GA patch build date: 230509
Security Level: 1
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-ETDB: 6.00741(2015-12-01 02:30)
Proxy-APP-DB: 6.00741(2015-12-01 02:30)
FMWP-DB: 24.00040(2024-04-22 17:59)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
OT-Detect-DB: 0.00000(2001-01-01 00:00)
OT-Patch-DB: 0.00000(2001-01-01 00:00)
OT-Threat-DB: 6.00741(2015-12-01 02:30)
IPS-Engine: 7.00524(2023-11-27 18:30)
Serial-Number: FGTAZabcdefghi
License Status: Valid
VM Resources: 1 CPU, 3443 MB RAM
Log hard disk: Available
Hostname: KS-FGT
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 2573
Release Version Information: GA
FortiOS x86-64: Yes
System time: Thu May 2 21:16:54 2024
Last reboot reason: warm reboot
Conserve Mode default settings:
# diag hardware sysinfo conserve
memory conserve mode: off
total RAM: 3443 MB
memory used: 1285 MB 37% of total RAM
memory freeable: 474 MB 13% of total RAM
memory used + freeable threshold extreme: 3270 MB 95% of total RAM
memory used threshold red: 3029 MB 88% of total RAM
memory used threshold green: 2823 MB 82% of total RAM
If we assume that memory usage keeps increasing from 70% to 98%, here is what is supposed to happen:
extreme > red > green
- When it reaches 95% it goes into extreme mode: it starts dropping new connections.
- When it reaches 88% it goes into red: conserve mode begins, but connections are not dropped.
- When it goes below 82% it turns green, which should be the normal value: it acts as if nothing is happening and everything flows normally.
Monitoring and Alarming
We can configure an automated stitch to send an e-mail every time a threshold is reached on a FortiGate.
For CPU it could be:
1. First configure a threshold for CPU use (80% in this case):
config system global
   set cpu-use-threshold <percent>
end
2. On the FortiGate:
Security Fabric -> Automation -> Stitch -> Create New -> Add Trigger -> High CPU.
Add Action -> Email Notification.
For memory usage:
1. Security Fabric -> Automation -> Stitch -> Create New -> Add Trigger -> Conserve Mode.
 Add Action -> Email Notification.
For the moment, automation stitches do not cover the event log for session count.