Showing posts with label Fortigate. Show all posts

Tuesday, October 25, 2016

FortiOS 5.4.1 IPSec Phase 2 for AutoConf-enabled Phase1 Issue

A Fortigate 60D and a Fortigate 100D have been used to build an IPSec tunnel between two sites since last year. The firmware version is 5.2.4 build 668. I was planning to upgrade the Fortigate 100D to 5.4.1. The upgrade process was smooth, but the IPsec tunnel broke after the upgrade.

Fortigate60D IPSec Tunnel Configuration:

Fortigate100D IPSec Tunnel Configuration:


Friday, September 9, 2016

Fortigate Firewall Configuration Migrate to Different Device

Upgrading a Fortigate firewall to a different model can become a pain when you are not sure how to migrate the configuration. Fortinet provides a tool for this named FortiConverter. Here are some of its features as listed on its website:

  • Multi-vendor Support - Conversion from Check Point, Cisco, Juniper, Alcatel-Lucent, Palo Alto Networks, and SonicWall. A single tool converts configurations from all supported vendors.
  • FortiGate to FortiGate - Can migrate configurations between FortiGate devices to minimize the risk associated with network upgrades. Facilitates migration to new hardware models from legacy FortiGate devices. This feature, including conversion output, is enabled with the trial license.
  • Standardized Conversion - Configuration conversion is performed according to conversion rules and policy review and tuning is done after the conversion, prior to generating the output. Human error in the conversion process is minimized.
  • Full Support - A valid FortiConverter license entitles users to direct engineering support and private builds to support their complex conversion projects.

Wednesday, June 22, 2016

Fortigate 60D High Availability Configuration Steps

A pair of Fortigate 60Ds is used for the HA examples in this post.

The back of Fortigate 60D:


The configuration steps for Fortigate High Availability are the easiest ones compared with other firewall vendors. The Fortigate cookbook "High Availability with two FortiGates" presents detailed enough steps for most situations. This post records the steps I recently went through.

Topology:

Friday, June 17, 2016

Basic Fortinet Firewall Fortigate CLI Commands (Tips and Tricks)

1. FGT30D # config system interface
FGT30D (interface) # show
config system interface
    edit "wan"
        set ip 10.99.142.1 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
        set type physical
        set snmp-index 2
    next
.....
    edit "lan"
        set ip 192.168.100.1 255.255.255.0
        set allowaccess ping https ssh http fgfm capwap
        set type physical
        set snmp-index 1
    next
end

2. Change System Hostname

FGT30D # config system global 
FGT30D (global) # set hostname FGT30D
FGT30D (global) # end

Wednesday, February 24, 2016

Fortigate Firewall Console TFTP Image Recovery

Recently I had the experience of installing firmware from a local TFTP server over the console connection in order to reset a FortiGate unit to factory default settings.

It was caused by a failed firmware upgrade. The system died after the reboot: the power light was green, but no interface lights came on.

I recorded all the steps in this post.

1. Physical Connections
I was using a Fortigate 30D to do this firmware TFTP installation. There are four different types of interfaces on the back of the Fortigate 30D.
Here is a photo of how the Fortigate was connected to my laptop, with a console connection and an Ethernet connection to the WAN interface.
Fortigate 30D Connecting Console and WAN to Laptop

Thursday, December 3, 2015

Fortigate File System Check Recommendation After Logging in to the Web UI

The Fortigate 60D firewall has been used in our environment because of its performance and cost. It is small, powerful, feature-rich and cost effective. Usually the 60D is reliable and sits quietly in the corner of the server room.

Today, during a regular check, a "File System Check Recommended" message popped up when I logged into the web interface. It prompted with the file system check recommendation window shown below:

It seems a power failure was detected during the last power outage. Obviously the firewall itself is still running well; it is not down and nothing scary has happened yet. Should I go ahead and click the "Check file system" button?

One thing you have to remember is that this file system check option will reboot your device. If the device is in production, you will have to let it remind you later. If you hit the "Check file system" button, you will have to wait 5-8 minutes for the job to finish, which also means your production traffic will be down for 5-8 minutes. I would suggest renaming the button from "Check file system" to "Check file system and Reboot", just for those impatient people who do not read all the messages on the screen.

Wednesday, April 22, 2015

Set Up IPSec Site to Site VPN Between Fortigate 60D (4) - SSL VPN

IPSec Site to Site VPN Configuration Series:
  1. Set Up IPSec Site to Site VPN Between Fortigate 60D (1) - Route-Based VPNs
  2. Set Up IPSec Site to Site VPN Between Fortigate 60D (2) - Policy-Based VPNs
  3. Set Up IPSec Site to Site VPN Between Fortigate 60D (3) - Concentrator and Troubleshooting
  4. Set Up IPSec Site to Site VPN Between Fortigate 60D (4) - SSL VPN
SSL VPNs establish connectivity using SSL, which functions at Layers 4 - 5 (Transport and Session layers). Information is encapsulated at Layers 6 - 7 (Presentation and Application layers), so SSL VPNs communicate at the highest layers of the OSI model. SSL is not strictly a Virtual Private Network (VPN) technology; it is a protocol that allows clients to connect to remote networks in a secure way.

FortiOS supports the SSL (except SSL 1.0) and TLS versions defined below (TLS 1.3 was still to be defined at the time of writing):

Protocol    Year defined / RFC
SSL 1.0     n/a
SSL 2.0     1995 - RFC 6176
SSL 3.0     1996 - RFC 6101
TLS 1.0     1999 - RFC 2246
TLS 1.1     2006 - RFC 4346
TLS 1.2     2008 - RFC 5246
TLS 1.3     TBD


When a remote client connects to the FortiGate unit, the FortiGate unit authenticates the user based on username, password, and authentication domain. A successful login determines the access rights of the remote user according to user group. The user group settings specify whether the connection will operate in web-only mode or tunnel mode. There are three modes:

  1. Web-only Mode
  2. Tunnel Mode
  3. Port Forwarding Mode (Proxy Mode)


Lab Topology:


Wednesday, April 15, 2015

Set Up IPSec Site to Site VPN Between Fortigate 60D (3) - Concentrator and Troubleshooting

IPSec Site to Site VPN Configuration Series:
  1. Set Up IPSec Site to Site VPN Between Fortigate 60D (1) - Route-Based VPNs
  2. Set Up IPSec Site to Site VPN Between Fortigate 60D (2) - Policy-Based VPNs
  3. Set Up IPSec Site to Site VPN Between Fortigate 60D (3) - Concentrator and Troubleshooting
  4. Set Up IPSec Site to Site VPN Between Fortigate 60D (4) - SSL VPN
After testing policy-based and route-based IPSec VPNs, this post does a quick test of the FortiGate concentrator feature.

The VPN concentrator collects hub-and-spoke tunnels into a group. The concentrator allows VPN traffic to pass from one tunnel to the other through the FortiGate unit. The FortiGate unit functions as a concentrator, or hub, in a hub-and-spoke network.

If the VPN peer is a FortiGate unit functioning as the hub, or concentrator, it requires a VPN configuration connecting it to each spoke (AutoIKE phase 1 and 2 settings or manual key settings, plus encrypt policies). It also requires a concentrator configuration that groups the hub-and-spoke tunnels together. The concentrator configuration defines the FortiGate unit as the hub in a hub-and-spoke network. If the VPN peer is one of the spokes, it requires a tunnel connecting it to the hub (but not to the other spokes). It also requires policies that control its encrypted connections to the other spokes and its non-encrypted connections to other networks, such as the Internet.

Topology:

FW3 is added to the topology used in the route-based and policy-based VPN labs. FW3 acts as another spoke, the same as FW1. FW2 is the hub, or concentrator.

Photos:




Monday, April 13, 2015

Set Up IPSec Site to Site VPN Between Fortigate 60D (2) - Policy-Based VPNs

IPSec Site to Site VPN Configuration Series:
  1. Set Up IPSec Site to Site VPN Between Fortigate 60D (1) - Route-Based VPNs
  2. Set Up IPSec Site to Site VPN Between Fortigate 60D (2) - Policy-Based VPNs
  3. Set Up IPSec Site to Site VPN Between Fortigate 60D (3) - Concentrator and Troubleshooting
  4. Set Up IPSec Site to Site VPN Between Fortigate 60D (4) - SSL VPN
This is the second post in the Fortigate IPSec VPN configuration series. It uses the same topology as the previous one.

This implementation sets up a policy-based IPSec VPN between the two sites.

Topology:


Set Up IPSec Site to Site VPN Between Fortigate 60D (1) - Route-Based VPNs

IPSec Site to Site VPN Configuration Series:
  1. Set Up IPSec Site to Site VPN Between Fortigate 60D (1) - Route-Based VPNs
  2. Set Up IPSec Site to Site VPN Between Fortigate 60D (2) - Policy-Based VPNs
  3. Set Up IPSec Site to Site VPN Between Fortigate 60D (3) - Concentrator and Troubleshooting
  4. Set Up IPSec Site to Site VPN Between Fortigate 60D (4) - SSL VPN

According to the FortiOS Handbook 5.2, Fortigate firewalls support two types of site-to-site IPSec VPN: policy-based and route-based. There is little difference between the two types in what they achieve, but there is a difference in implementation. A route-based VPN creates a virtual IPsec network interface that applies encryption or decryption as needed to any traffic that it carries. That is why route-based VPNs are also known as interface-based VPNs. A policy-based VPN is implemented through a special security policy that applies the encryption you specified in the Phase 1 and Phase 2 settings.

Route-based VPNs:
For a route-based VPN, you create two security policies between the virtual IPsec interface and the interface that connects to the private network. In one policy the virtual interface is the source. In the other policy the virtual interface is the destination. The Action for both policies is Accept. This creates bidirectional policies that ensure traffic will flow in both directions over the VPN.

Policy-based VPNs:
For a policy-based VPN, one security policy enables communication in both directions. You must select IPSEC as the Action and then select the VPN tunnel you defined in the Phase 1 settings. You can then enable inbound and outbound traffic as needed within that policy, or create multiple policies of this type to handle different types of traffic differently. For example, HTTPS traffic may not require the same level of scanning as FTP traffic.


In this lab part 1, Route-Based VPNs will be configured between FW1 and FW2.

Topology:

1. Two Fortigate 60Ds - FW1 and FW2
2. Switch and Router for routing and connections
3. FW1 has WAN1 IP 10.94.32.8/24, Internal IP 10.94.70.4/24
4. FW2 has WAN1 IP 10.94.17.8/24, Internal IP 10.94.66.4/24, WAN2 IP 10.94.64.4/24, DMZ IP 10.94.144.4/24


Friday, March 20, 2015

Free Forticloud Service for FortiGate and FortiWiFi

FortiCloud is a cloud-based service for FortiGate and FortiWiFi products from Fortinet. It is free of charge for up to 1GB of data storage. I found it quite interesting, especially the remote access feature, when I tried it. As long as the products managed by FortiCloud have Internet access, you are able to remotely access them.

Here are some FortiCloud highlights based on its webpage:
  • Low touch device provisioning - Get your security and wireless infrastructure up and running quickly by centrally bootstrapping devices
  • Centralized configuration management - Change device settings across multiple devices instantly with profile-based templates
  • Traffic and application visibility - Oversee network utilization by leveraging built-in dashboards and FortiView's drill-down capabilities
  • Secure, hosted log retention - Minimize IT costs by storing log data in the cloud
  • Cloud-based APT sandboxing - Leverage threat research from FortiGuard to prevent the latest zero-day attacks from affecting your network
  • Rogue AP detection - Prevent attackers from circumventing your wireless network with the introduction of rogue APs
  • Custom and preconfigured reporting - Proactively optimize and secure your network by leveraging reporting insights to maintain an optimized security posture

This is FortiCloud main page:

Monday, November 3, 2014

Fortinet Firewall Fortigate-30D Basic Configuration and NAT Set up Steps


A new Fortigate-30D firewall was shipped to me and I am working on testing it in our network environment to see what the performance looks like. The device is quite small, about the size of a seven-inch tablet. After unpacking the box, you will find one Ethernet cable, one USB cable, one power adapter and a manual included.


On the back of the Fortigate-30D there are 4x GE RJ45 switch ports, one GE RJ45 WAN port, one USB port and one small USB management port. Beside the small USB management port (4) are a small reset hole and the DC power adapter port.

Topology:
