Yearly Archives: 2017

Transparent web proxy

Transparent web proxy (386474)

In addition to the Explicit Web Proxy, FortiOS now supports a Transparent web proxy. While it does not have as many features as Explicit Web Proxy, the transparent proxy has the advantage that nothing needs to be done on the user’s system to forward supported web traffic over to the proxy. There is no need to reconfigure the browser or publish a PAC file. Everything is transparent to the end user, hence the name. This makes it easier to incorporate new users into a proxy deployment.

You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy. In previous versions of FortiOS, web authentication required using the explicit proxy.

Normal FortiOS authentication is IP address based. Users are authenticated according to their IP address and access is allowed or denied based on this IP address. On networks where authentication based on IP address will not work you can use the Transparent Web proxy to apply web authentication that is based on the user’s browser and not on their IP address. This authentication method allows you to identify individual users even if multiple users on your network are connecting to the FortiGate from the same IP address.

Using the Transparent proxy

To implement the Transparent proxy, go to System > Settings and scroll down to Operations Settings and set the inspection mode to Proxy.

Then go to System > Feature Visibility and enable Explicit Proxy.

Then go to Security Profiles > Proxy Options, edit a proxy options profile and under Web Options enable HTTP Policy Redirect.

Then go to Policy & Objects > IPv4 Policy and create or edit a policy that accepts traffic that you want to apply web authentication to. This can be a general policy that accepts many different types of traffic as long as it also accepts the web traffic that you want to apply web authentication to.

Select a Security Profile and select the Proxy Options profile that you enabled HTTP Policy Redirect for.

Using the Transparent proxy

Then go to Policy & Objects > Proxy Policy create a Transparent Proxy policy to accept the traffic that you want to apply web authentication to. Set the Proxy Type to Transparent Web. The incoming interface, outgoing interface, destination address, and schedule should either match or be a subset of the same options defined in the IPv4 policy. Addresses added to the Source must match or be a subset of the source addresses added to the IPv4 policy. You can also add the users to be authenticated by the transparent policy to the source field.

Select other transparent policy options as required.

More about the transparent proxy

The following changes are incorporated into Transparent proxy, some of which affect Explicit Web Proxy as well.

Flat policies

The split policy feature has been removed. This will make the explicit policy more like the firewall policy.

Authentication

The new authentication design is intended to separate authentication from authorization. Authentication has been moved into a new table in the FortiOS. This leaves the authorization as the domain of the explicit proxy policy.

Previously, if authentication was to be used:

The policy would be classified as an identity based policy
The policy would be split to add the authentication parameters
The authentication method would be selected
The user/group would be configured Now:

The user/group is configured in the proxy policy

A new authentication rule is added
This option refers to the authentication scheme
The authentication scheme has the details of the authentication method The new authentication work flow for Transparent Proxy:

Toggle the transparent-http-policy match:

config firewall profile-protocol-options edit <profile ID> config http set http-policy <enable|disable>

If disabled, everything works like before. If enabled, the authentication is triggered differently.

http-policy work flow:
For transparent traffic, if there is a regular firewall policy match, when the Layer 7 check option is enabled, traffic will be redirected to WAD for further processing.
For redirected traffic, layer 7 policy (HTTP policy) will be used to determine how to do security checks.
If the last matching factor is down to user ID, then it will trigger a new module to handle the L7 policy user authentication.
Then propagate learned user information back to the system so that it can be used to match traffic for L4 policy.

New Proxy Type

There is a new subcategory of proxy in the proxy policy called Transparent Web. The old Web Proxy is now referred to as Explicit Web Proxy.

This is set in the firewall policy l It is available when the HTTP policy is enabled in the profile-protocol options for the firewall policy l This proxy type supports OSI layer 7 address matching.
This proxy type should include a source address as a parameter l Limitations:
It can be used for HTTPS traffic, if deep scanning is not used l It only supports SNI address matching, i.e. domain names
It does not support header types of address matching l It only supports SSO authentication methods, no active authentication methods.

IP pools support

Proxies are now supported on outgoing IP pools.

SOCKSv5

SOCKSv5 authentication is now supported for explicit proxies.

To configure:

config authentication rule edit <name of rule> set protocol socks end

Forwarding

Proxies support URL redirect/forwarding. This allows a non-proxy forwarding server to be assigned a rule that will redirect web traffic from one URL to another, such as redirecting traffic destined for youtube.com to restrict.youtube.com.

l A new option called “Redirect URL” has been added to the policy l Traffic forwarding by VIP is supported

Support for explicit proxy address objects & groups into IPv4 firewall policies

This would allow the selection of web filter policy, SSL inspection policy, and proxy policy based on source IP + destination (address|explicit proxy object|category|group of any of those). This enables things like “do full SSL interception on www.google.com, but not the rest of the Search Engines category”.

Support application service in the proxy based on HTTP requests.

The application service can be configured using the following CLI commands:

config firewall service custom edit <name of service> set explicit-proxy enable set app-service-type <disable|app-id|app-category> set app-category <application category ID, integer> set application <application ID, integer> end

CLI Changes:

New

Previous

config firewall explicit-proxy-policy

config firewall explicit-proxy-address

config firewall explicit-proxy-addrgrp

config firewall proxy-address

config firewall proxy-policy

config firewall proxy-addrgrp

config firewall explicit-proxy-policy edit <policy ID> set proxy web end

config firewall proxy-policy edit <policy ID> set proxy explicit-web end

Removals:

l “split-policy” from firewall explicit-proxy-policy.

The previous method to set up a split policy was:

config firewall explicit-proxy-policy

edit 1 set proxy web set identity-based enable config identity-based-policy edit 1 set schedule “always” set utm-status enable set users “guest”

set profile-protocol-options “default” next

end

“auth relative” from firewall explicit-proxy-policy

The following attributes have been removed from firewall explicit-proxy-policy:

identity-based l ip-based l active-auth-method l sso-auth-method l require-tfa

Moves:

users and groups from firewall explicit-proxy-policy identity-based-policy to

config firewall proxy-policy edit 1 set groups <Group name> set users <User name> end Additions:

authentication scheme

config authentication scheme

ntlm – NTLM authentication. l basic – Basic HTTP authentication. l digest – Digest HTTP authentication. l form – Form-based HTTP authentication. l negotiate – Negotiate authentication. l fsso – FSSO authentication.
rsso – RADIUS Single Sign-On authentication. l none – No authentication. authentication setting

config authentication setting set active-auth-scheme <string> set sso-auth-scheme <string> set captive-portal <string>

set captive-portal-port <integer value from 1 to 65535>

active-auth-scheme – Active authentication method. l sso-auth-scheme – SSO authentication method. l captive-portal – Captive portal host name. l captive-portal-port – Captive portal port number.

authentication rule

config authentication rule

edit <name of rule>

set status [enable|disable] set protocol [http|ftp|socks] set srcaddr <name of address object> set srcaddr6 <name of address object> set ip-based [enable|disable] set active-auth-method <string> set sso-auth-method <string> set web-auth-cookie [enable|disable] set transaction-based [enable|disable] set comments

status – Enable/disable auth rule status. l protocol – set protocols to be matched l srcaddr /srcaddr6 – Source address name. [srcaddr or srcaddr6(web proxy only) must be set]. l ip-based – Enable/disable IP-based authentication. l active-auth-method – Active authentication method.
sso-auth-method – SSO authentication method (require ip-based enabled) l web-auth-cookie – Enable/disable Web authentication cookie. l transaction-based – Enable/disable transaction based authentication. l comments – Comment.

NGFW Policy Mode (371602) NGFW policy mode and NAT

FortiExplorer for iOS

Leave a reply

FortiExplorer for iOS

A new iOS FortiExplorer app is available as of April 8, 2017.

FortExplorer for iOS is compatible with iPhone, iPad, and iPod Touch and supports configuration via REST API and display of FortiView and other security fabric components.

You can use FortiExplorer for iOS to perform most FortiOS configuration management tasks.

Advanced features will be available with the purchase of an add-on through the App Store. These paid features include the adding more than two devices and downloading firmware images from FortiCare.

With the release of FortiOS 5.6.1, FortiOS icons and colors are now exportable in the GUI shared project and FortiExplorer now uses these icons and colors. This change improves the icon colors only for the FortiExplorer GUI theme (seen only when accessing a web GUI page from within the FortiExplorer iOS app).

The images below offer a preview of a few of the new FortiExplorer iOS app’s screens.

FortiExplorer iOS, v 1.0 – Device Status FortiExplorer iOS, v. 1.0 – Sources

FortiExplorer for iOS

FortiExplorer iOS, v.1.0 – Device Interfaces FortiExplorer iOS, v.1.0 – Firmware

Using Transparent

New Dashboard Features

Leave a reply

New Dashboard Features

The FortiOS 5.6 Dashboard has a new layout with a Network Operations Center (NOC) view with a focus on alerts. Widgets are interactive; by clicking or hovering over most widgets, the user can get additional information or follow links to other pages.

Enhancements to the GUI dashboard and its widgets are:

Multiple dashboard support. l VDOM and global dashboards. l Updated resize control for widgets.
Notifications moved to the top header bar (moved existing dashboard notifications to the header and added additional ones).
Reorganization of Add Widget l New Host Scan Summary widget.
New Vulnerabilities Summary widget that displays endpoint vulnerability information much like the FortiClient Enterprise Management Server (EMS) summary. l Multiple bug fixes.

Features that were only visible through old dashboard widgets have been placed elsewhere in the GUI:

Restore configuration. l Configuration revisions. l Firmware management. l Enabling / disabling VDOMs. l Changing inspection mode.
Changing operation mode. l Shutdown / restart device. l Changing hostname. l Changing system time.

The following widgets are displayed by default:

System Information l Licenses l FortiCloud l Security Fabric l Administrators
CPU l Memory l Sessions l Bandwidth
Virtual Machine (on VMs and new to FortiOS 5.6.1) The following optional widgets are available:
Interface Bandwidth l Disk Usage l Security Fabric Risk l Advanced Threat Protection Statistics l Log Rate l Session Rate l Sensor Information l HA Status l Host Scan Summary
Vulnerabilities Summary l FortiView (new to FortiOS 5.6.1) The following widgets have been removed:
CLI Console l Unit Operation l Alert Message Console

System Information

Licenses

Hovering over the Licenses widget will cause status information (and, where applicable, database information) on the licenses to be displayed for FortiCare Support, IPS & Application Control, AntiVirus, Web Filtering, Mobile Malware, and FortiClient. The image below shows FortiCare Support information along with the registrant’s company name and industry.

Clicking in the Licenses widget will provide you with links to other pages, such as System > FortiGuard or contract renewal pages.

FortiCloud

This widget displays FortiCloud status and provides a link to activate FortiCloud.

Security Fabric

The Security Fabric widget is documented in the Security Fabric section of the What’s New document.

Administrators

This widget allows you to view which administrators are logged in and how many sessions are active. The link directs you to a page displaying active administrator sessions.

CPU

The real-time CPU usage is displayed for different time frames.

Memory

Real-time memory usage is displayed for different time frames. Hovering over any point on the graph displays percentage of memory used along with a timestamp.

Sessions

Bandwidth

Virtual Machine

FortiOS 5.6.1 introduces a VM widget.

License status and type. l CPU allocation usage. l License RAM usage. l VMX license information (if the VM supports VMX). l If the VM license specifies ‘unlimited’ the progress bar is blank.
If the VM is in evaluation mode, it is yellow (warning style) and the dashboard show evaluation days used.
Widget is shown by default in the dashboard of a FortiOS VM device. l Removed VM information from License widget at Global > Dashboard.
License info and Upload License button provided on page Global > System > FortiGuard.
Updated ‘Upload VM License’ page: l Added license RAM usage and VMX instance usage. l Replaced file input component.

FortiExplorer for iOS

Security Fabric Audit and Fabric Score

Leave a reply

Security Fabric Audit and Fabric Score

This chapter contains information about the Security Fabric Audit and Fabric Score, which together provide a method to continually monitor and improve your Security Fabric’s configuration.

What is the Security Fabric Audit?

The Security Fabric Audit is a feature on your FortiGate that allows you to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance.

Why should you run a Security Fabric Audit?

Using the Security Fabric Audit helps you to tune your network’s configuration, deploy new hardware and/or software, and gain more visibility and control of your network. Also, by checking your Security Fabric Score, which is determined based on how many checks your network passes/fails during the Audit, you can have confidence that your network is getting more secure over time.

Running a Security Fabric Audit

The Security Fabric Audit can be found by going to Security Fabric > Audit. In the first step, all detected FortiGates are shown.

Running a Security Fabric Audit

In the second step, the audit is performed and a list of recommendations are shown. Two views are available: Failed or All Results. These views can be further segmented so that you view results from all FortiGates or just a specific unit.

In each view, a chart appears showing the results of individual checks. The following information is shown: the name and a description of the check, which FortiGate the check occurred on, the checks result on your overall security score, and any necessary recommendations.

If you hover the mouse over the Result for a check, you can get a breakdown on how this score was determined.

For more information about this, see “Security Fabric Score” on page 38.

Logging for the Security Fabric Audit

In Step Three of the Audit, Easy Apply recommendations are displayed and can be applied. By using Easy Apply, you can change the configuration of any FortiGate in the fabric.

For other recommendations, further action is required if you wish to follow the recommendation.

You can also view Audit recommendations for specific devices using the FortiView Topology consoles. If a recommendation is available for a device, a circle containing a number appears. The number shows how many recommendations are available, while the color of the circle shows the severity of the highest check that failed (red is critical, orange is high, yellow is medium, and blue is low).

Logging for the Security Fabric Audit

An event filter subtype is available for the Security Audit. Every time an audit is run, event logs are created on the root FortiGate that summarize the results of the audit, as well as details into the individual tests.

Security Fabric Audit Checks

Syntax

config log eventfilter set security-audit {enable | disable} (enabled by default)

end

Security Fabric Audit Checks

The Security Fabric Audit performs a variety of checks when analyzing your network. All checks are based on your current network configuration, using realtime monitoring. The Audit runs these checks across all FortiGates in the Security Fabric.

Firmware & Subscriptions

Easy Apply?

Recommendation

Run same version as root.

Renew subscriptions.

Upgrade FortiAP to recommended version.

Check

All FortiGates in the Security Fabric should run the same firmware version.

FortiGate should be registered with FortiCare.

All registered FortiGuard license subscriptions should be valid.

All FortiAPs should be running the latest firmware.

Severity

Critical

High

Low

Goal

Compatible Firmware

FortiCare Support

FortiGuard License Subscriptions

FortiAP Firmware Versions

FortiSwitch FirmwareAll FortiSwitches should beUpdate all FortiSwitches to use

LowNo

Versionsrunning the latest firmware.the latest firmware.

Internal Segmentation Firewall (ISFW)

Easy Apply?

Recommendation

Configure the interface role.

Enable device detection.

Check

All interfaces should be classified as either “LAN”, “WAN”, or “DMZ”.

Interfaces which are classified as “LAN” or “DMZ” should have device detection enabled.

Severity

High

Goal

Interface Classification

Device Discovery

Yes

Checks

Easy Apply?

Recommendation

Replace the device with a FortiGate.

Use FortiSwitch and FortiLink.

Install FortiAnalyzer for logging & reporting.

All servers should be moved to interfaces with role “DMZ”.

Review all IPv4 policies that haven’t been used in the last 90 days.

Check

No third party router or NAT devices should be detected in the network.

Non-FortiLink interfaces should not have multiple VLANs configured on them.

Logging and reporting should be done in a centralized place throughout the Security Fabric.

Servers should be placed behind interfaces classified as “DMZ”.

All IPv4 policies should be used.

Severity

Medium

High

Medium

Goal

Third Party Router & NAT Devices

VLAN Management

Centralized Logging & Reporting

LAN Segment

Unused Policies

Advanced Threat

Protection

High

Suspicious files should be submitted to FortiSandbox or FortiSandbox Cloud for inspection.

Configure AntiVirus profiles to send files to FortiSandbox or FortiSandbox Cloud for inspection.

All discovered FortiAPs should Authorize or disable

Unauthorized FortiAPs Medium Yes

be authorized or disabled. unauthorized FortiAPs.

Unauthorized FortiSwitches

Medium

All discovered FortiSwitches should be authorized or disabled.

Authorize or disable unauthorized FortiSwitches.

Yes

Endpoint Compliance

Easy Apply?

Recommendation

Enable FortiTelemetry on “LAN” interfaces.

Check

Interfaces which are classified as “LAN” should have

FortiTelemetry enabled.

All supported devices should be registered via FortiClient.

Severity

High

Medium

Goal

Endpoint Registration

FortiClient Protected

Yes

All registered FortiClientInvestigate non-compliant

FortiClient ComplianceMediumdevices should be compliantreason(s) for FortiClientNo with FortiClient profile.endpoints.

Security Fabric Audit Checks

Goal

FortiClient Vulnerabilities

Severity

Critical

Check

All registered FortiClient devices should have no critical vulnerabilities.

Recommendation

Have FortiClient fix the detected critical vulnerabilities.

Easy Apply?

Security Best Practices

Goal

Severity

Check

Recommendation

Easy Apply?

Yes

Enable HTTPS redirection globally.

Disable Telnet.

Interfaces which are classified as “WAN” should not allow

HTTP administrative access.

Interfaces which are classified as “WAN” should not allow

Telnet administrative access.

High

Unsecure Protocol – HTTP

Unsecure Protocol – Telnet

Yes

Valid HTTPS Certificate Administrative GUI

Medium

The administrative GUI should not be using a default built-in certificate.

Acquire a certificate for your domain, upload it, and configure the administrative GUI to use it.

Acquire a certificate for your

Valid HTTPS Certificate – SSL VPN should not be using a

Medium domain, upload it, and No

SSL VPN default built-in certificate.

configure SSL VPN to use it.

Explicit Interface Policies

Low

Policies that allow traffic should not be using the “any” interface.

Change the policy to use a specific interface.

A password policy should beEnable a simple password

Admin Password PolicyMediumsetup for systempolicy for systemYes administrators.administrators.

Security Fabric Score

The Security Fabric Score widget has been added to the FortiGate Dashboard to give visibility into auditing trends. This widget uses information from the Security Fabric Audit to determine your score. Score can be positive or negative, with a higher score representing a more secure network.

Score is based on the number of checks failed and the severity of these checks. The weight for each severity level is as follows:

l Critical: 50 points l High: 25 points l Medium: 10 points l Low: 5 points

You get points for passing a test only when it passes for all FortiGates in your fabric. If this occurs, the score is calculated using this formula:

+Severity Weight x Secure FortiGate Multiplier

The Severity Weight is calculated as Severity divided by the number of FortiGates in the Fabric. The Secure FortiGate Multiplier is determined using logarithms and the number of FortiGates in the fabric. For example, if you have four FortiGates in your fabric that all pass the Compatible Firmware check, your score for each individual FortiGate is:

(50/4) x 1.292 = 16.2 points

If a test fails on any FortiGate in your Fabric, all other FortiGates that passed the check award 0 points. For the FortiGate the test failed on, the score is calculated using this formula:

-Severity Weight x Count

Count is the number of times the check failed during the audit. For example, if two critical FortiClient vulnerabilities are discovered during the Audit, your score for that check is:

-50 x 2 = -100 points

For checks that do not apply, your score does not change. For example, if you have no FortiAPs in the fabric, you will receive no points for the FortiAP Firmware Versions check.

FortiOS 5.6.1 New Security Fabric features

Leave a reply

New Security Fabric features

In FortiOS 5.6, the Security Fabric (previously known as the Cooperative Security Fabric) has been expanded in several ways to add more functionality and visibility.

One of the most important functional changes is that FortiAnalyzer is now a required part of the Security Fabric configuration. Also, two important new features, Security Fabric Audit and Fabric Score, have been added to provide a method to continually monitor and improve the Security Fabric configuration.

Many changes have been made through FortiView to improve the visibility of the Security Fabric. More information is now displayed and you can access downstream FortiGates directly from the root FortiGate’s FortiView display.

Other smaller improvements have been made throughout the Security Fabric, with a focus on improving communication between devices.

In FortiOS 5.6.1, the new updated GUI design consolidates the Security Fabric features together under a new menu and has many new topological changes to provide greater visibility into the connectivity of your networked devices. This includes adding more Fortinet products to the topology and widgets. Other topology improvements include enhanced IPsec VPN detection (which now includes detection of downstream FortiGates) and support for SD-WAN. Smaller changes have also been made to add more information to device tooltip alerts in the Physical and Logical Topology views.

Setting up the Security Fabric in FortiOS 5.6

See the following FortiGate Cookbook recipes to get started in setting up the Security Fabric in FortiOS 5.6:

l Installing a FortiGate in NAT/Route mode l Security Fabric installation

Security Fabric between remote networks by enabling FortiTelemetry for IPsec VPN interfaces

You can now enable FortiTelemetry for IPsec VPN interfaces. The Security Fabric can now detect the downstream FortiGate through the IPsec VPN interface. This allows you to send FortiTelemetry communication over a Gateway-to-Gateway IPsec VPN tunnel between two remote networks. One of the networks would contain the root FortiGate and the network at the other end of the IPsec VPN tunnel can connect to the root FortiGate’s Security Fabric.

In the GUI, to enable FortiTelemetry

Go to Network > Interfaces and edit your IPsec VPN interface.
Under Administrative Access enable FortiTelemetry.

New Security Fabric Security Fabric between remote networks by enabling FortiTelemetry for IPsec VPN features interfaces

Your IPsec VPN interface will automatically be added to the FortiTelemetry enabled interface list under Security Fabric > Settings.

In the CLI, enter the following commands:

config system interface edit <vpn_name> set fortiheartbeat enable

end

Re-designed Security Fabric setup

A new updated GUI menu consolidates the Security Fabric features in one location. This includes Physical Topology, Logical Topology, Audit, and Settings. For more details, see the illustration below:

Security Fabric between remote networks by enabling FortiTelemetry for IPsec VPN interfaces

New Security Fabric features

Improved Security Fabric Settings page

The Security Fabric Settings page has been updated to act as a centralized location for you to enable connectivity to other Fortinet products. Navigate to Security Fabric > Settings.

Changes to the Settings page include the following:

l The previous Enable Security Fabric option has been replaced with an option to enable FortiGate Telemetry. l The previous Downstream FortiGates option has been replaced with Topology to show multiple devices.

See the screen shot below:

Security Fabric dashboard widgets

New dashboard widgets for the Security Fabric put information about the status of the Security Fabric at your fingertips when you first log into your FortiGate.

The FortiGate dashboard widget has been updated to include the following Fortinet products: FortiGate (core), FortiAnalyzer (core), FortiSwitch, FortiClient, FortiSandbox, and FortiManager. See the screen shot below:

You can hover over the icons along the top of the Security Fabric widget to get a quick view of the status of the Security Fabric. Available information includes the FortiTelemetry status and the status of various components of in the Security Fabric.

The Security Fabric Score widget shows the Security Fabric Audit score for the Security Fabric and allows you to apply recommended changes right from the dashboard.

Physical and Logical FortiView improvements

The FortiView Physical and Logical Topology pages now display the following improvements:

Shows both FortiGates in an HA configuration l Shows FortiAPs l Lists FortiAnalyzer and FortiSandbox as components of the Security Fabric l Highlights the current FortiGate l Displays Link Usage in different colors l Ranks Endpoints by FortiClient Vulnerability Score and by Threat Score ( see below, for more information) l Displays user avatars l Recognizes servers as a device type

Introduces a search bar to help locate specific devices in the Security Fabric

Updated Physical and Logical Topology legend

On the Physical Topology and Logical Topology pages, the Security Fabric legend has been updated. See the screenshot below:

Physical and Logical FortiView improvements

New option to minimize the Topology

This new feature allows you to minimize portions of the Physical and Logical Topology. This makes it easy to view your entire topology, or minimize portions to focus in on a specific area. See the screenshot below:

Security Fabric Topology shows new resource information alerts

The enhanced Security Fabric topology now shows CPU Usage and Memory Usage alerts in the device information tooltip. It also displays a warning if the FortiGate is in conserve mode. Note that the CPU usage, memory usage and conserve mode data are drawn from the data that was last loaded from the FortiGate, not real-time data.

You can see the new CPU Usage and Memory Usage fields shown in the tooltip below:

Physical and Logical FortiView improvements

The Conserve mode warning is shown below:

SD-WAN information added to Security Fabric topology

The Security Fabric topology now includes SD-WAN. Enhancements include greater visibility into where the data comes from and goes to, link saturation indicators, and detailed tooltip explanations. The following SD-WAN information has been integrated into the Security Fabric topology:

The tooltip for the SD-WAN interface now includes load balancing settings. l In the Security Fabric Logical Topology, SD-WAN and its interface members will appear above all interfaces.
If connected to an upstream FortiGate, one link between the exact SD-WAN member and the upstream FortiGate will appear.
If connected to a destination bubble, links between each enabled member and the destination bubble appear.
Interface bandwidth and link utilization for other interfaces (WAN role interface) have been temporarily removed and will be added back in later.
Fixes have been made to show vulnerabilities for multiple MAC addresses (402495) and to show the FortiSwitch serial and port (389158).

For more details see the screenshot below:

FortiCache support for the (435830)

SD-WAN Monitor Support added to Security Fabric (417210)

The Security Fabric now retrieves monitor information from all members of the Security Fabric and displays it in the GUI of the root FortiGate. Support was added for the Routing Monitor, DHCP Monitor and User Quarantine Monitor.

You can use the new drop down menu shown below to select the Security Fabric members:

FortiCache support for the Security Fabric (435830)

FortiGates in the Security Fabric can now use FortiCache as a remote cache service. Previously, FortiCache was supported via WCCP re-direct only, but now FortiGates can use it as a local cache rather than redirecting via WCCP.

In the GUI, follow the steps below:

Go to Security Fabric > Settings and enable HTTP Service.

Enhanced Security Fabric audit tests for FortiGuard licenses (409156)

Set Device Type to FortiCache and add the IP addresses of the FortiCache devices.
You can also select Authentication and add a password if required. See the screenshot below:

In the CLI, enter the following commands:

config wanopt forticache-service set status enable

set local-cache-id <local-cache-id> set remote-forticache-id <remote-forticache-id> set remote-forticache-ip <remote-forticache-ip>

end

l status – Enable/disable using FortiCache as web-cache storage l disable – Use local disks as web-cache storage l enable – Use a remote FortiCache as web-cache storage l local-cache-id – The cache ID that this device uses to connect to the remote FortiCache l remote-forticache-id – The ID of the FortiCache that the device connects to l remote-forticache-ip – The IP address of the FortiCache the device connects to

Enhanced Security Fabric audit tests for FortiGuard licenses (409156)

The Security Fabric audit now has separate audit tests for FortiGuard licenses based on whether the FortiGuard license is valid, expired, never been activated, or temporarily unavailable. Previously, the audit test performed one batch test on all FortiGuard licenses, regardless of the status of the licenses. Recommendations for individual licenses are also provided in the GUI tooltips.

You can see the new breakdown of pass or fail actions shown below:

License valid = pass l License expired = fail l License never activated = fail
License is unavailable (connection issue with FortiGuard) = pass

If a required Feature Visibility is disabled, the audit test for it will not show vulnerabilities. The audit will show a score of zero (or a pass). Go to System > Feature Visibility (previously the Feature Select menu) to make any changes.

FortiClient Vulnerability Score

In the GUI, follow the steps below to check the status of your FortiGuard licenses:

Go to Security Fabric > Audit to check the status of your FortiGuard licenses.
Follow the steps in the Security Fabric Audit wizard.
Expand Firmware & Subscriptions, and look at the FortiGuard License Subscriptions section to verify whether any recommended action is required. See the example below:

FortiClient Vulnerability Score

Endpoints in the Security Fabric topology are now ranked by their FortiClient Vulnerability Score. This score is calculated by the severity of vulnerabilities found on the endpoint:

l critical vulnerability = 100 points l high vulnerability = 50 points l medium vulnerability = 5 points l low vulnerability = 2 points l info vulnerability = 1 point

FortiView Consolidation

Information about the Security Fabric can now be seen throughout the FortiView dashboards on the upstream FortiGate, when the real-time view is used.

You can right-click on an entry and select View Aggregated Details to see more information.
The upstream FortiGate filters information to avoid counting traffic from the same hosts multiple times on each hop.

The upstream FortiGate also now has the option to end downstream FortiGate sessions or quarantine endpoints that connect to downstream FortiGates.

Remote login to downstream FortiGates

You can now log into downstream FortiGates from the upstream FortiGate, by right-clicking on the downstream FortiGate when viewing the Security Fabric’s topology using FortiView.

Logging Consolidation and Improvements

Several changes have been made to improve logging for a Security Fabric.

Sending all logs to a single FortiAnalyzer

By default, all FortiGates in the Security Fabric now send logs to a single FortiAnalyzer. The connection to the FortiAnalyzer is configured on the upstream FortiGate, then the settings are pushed to all other FortiGates.

In FortiOS 5.6, a FortiAnalyzer is required for the root FortiGate in the Security Fabric; however, downstream devices can be configured to use other logging methods through the CLI:

config system csf set logging-mode local

end

Data Exchange with FortiAnalyzer

The following information about the Security Fabric configuration is now sent to the FortiAnalyzer:

l Topology info l Interface roles l LAT / LNG info l Device asset tags Device Tree

Retrieving Monitor Information

Monitors on the upstream FortiGate, such as the VPN Monitor, Route Monitor, and User Quarantine, can now view the information from downstream devices. You can use the button in the top right corner of the screen to change the FortiGate information that is displayed.

Log Settings

Log statistics for each FortiGate in the Security Fabric are now shown when you go to Log & Report > Log Settings.

Device Tree

The entire Security Fabric tree is now updated upward, and each node has an updated state of the whole subtree. The content is saved in the local file and upon request from the GUI or a diagnose command (dia sys csf downstream) it can be retrieved.

What is the Security Fabric Audit?

What’s New In FortiOS 5.6.1

Leave a reply

Executive Summary

This chapter briefly highlights some of the higher profile new FortiOS 5.6 features, some of which have been enhanced for FortiOS 5.6.1.

Security Fabric enhancements

Security Fabric features and functionality continue to evolve. New features include improved performance and integration, a security audit function that finds possible problems with your network and recommends solutions, security fabric dashboard widgets, improved device detection, and the remote login to other FortiGates on the fabric. See New Security Fabric features on page 20.

Security Fabric Audit

The Security Fabric Audit allows you to analyze your Security Fabric deployment to identify potential vulnerabilities and highlight best practices that could be used to improve your network’s overall security and performance. See Security Fabric Audit and Fabric Score on page 32.

Re-designed Dashboard

The Dashboard has been enhanced to show more information with greater flexibility and more functionality. See New Dashboard Features on page 40 for details.

NGFW Policy Mode

You can operate your FortiGate in NGFW policy mode to simplify applying Application control and Web Filtering to firewall traffic. See NGFW Policy Mode (371602) on page 57.

Flow-based inspection with profile-based NGFW mode is the default inspection mode in FortiOS 5.6.

Transparent web proxy

In addition to the Explicit Web Proxy, FortiOS now supports a Transparent web proxy. You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.

Pages: 1 2

Reference

Leave a reply

Reference

This chapter provides some reference information pertaining to wireless networks.

FortiAP web-based manager

Wireless radio channels

WiFi event types

FortiAP CLI

FortiAP web-based manager

You can access the FortiAP unit’s built-in web-based manager. This is useful to adjust settings that are not available through the FortiGate unit’s WiFi Controller. Logging into the FortiAP web-based manager is similar to logging into the FortiGate web-based manager.

System Information

Status

The Status section provides information about the FortiAP unit.

You can:

Select Change to change the Host Name. l Select Update in Firmware Version to upload a new FortiAP firmware file from your computer.
Select Change Password to change the administrator password. l Select Backup to save the current FortiAP configuration as a file on your computer. l Select Restore to load a configuration into your FortiAP unit from a file on your computer.

Network Configuration

Select DHCP or select Static and specify the IP address, netmask, and gateway IP address. Administrative Access settings affect access after the FortiAP has been authorized. By default, HTTP access needed to access the FortiAP web-based manager is enabled, but Telnet access is not enabled.

Connectivity

These settings determine how the FortiAP unit connects to the FortiGate WiFi controller.

FortiAP web-based manager

Uplink	Ethernet – wired connection to the FortiGate unit (default) Mesh – WiFi mesh connection Ethernet with mesh backup support
Mesh AP SSID	Enter the SSID of the mesh root. Default: fortinet.mesh.root
Mesh AP Password	Enter password for the mesh SSID.
Ethernet Bridge	Bridge the mesh SSID to the FortiAP Ethernet port. This is available only whe Uplink is Mesh.

WTP Configuration

AC Discovery Type settings affect how the FortiAP unit discovers a FortiGate WiFi controller. By default, this is set to Auto which causes the FortiAP unit to cycle through all of the discovery methods until successful. For more information see Controller discovery methods.

AC Discovery Type	Static, DHCP, DNS, Broadcast, Multicast, Auto
AC Control Port	Default port is 5246.
AC IP Address 1 AC IP Address 2 AC IP Address 3	You enter up to three WiFi controller IP addresses for static discovery. Routing must be properly configured in both directions.
AC Host Name 1 AC Host Name 2 AC Host Name 3	As an alternetive to AC IP addresses, you can enter their fully qualified domain names (FQDNs).
AC Discovery Multicast Address	224.0.1.140
AC Discovery DHCP Option Code	When using DHCP discovery, you can configure the DHCP server to provide the controller address. By default the FortiAP unit expects this in option 138.

AC Data Channel Security by default accepts either DTLS-encrypted or clear text data communication with the WiFi controller. You can change this setting to require encryption or to use clear text only.

Wireless Information

The Wireless Information page provides current information about the operation of the radios and the type Uplink in use.

Wireless radio channels

IEEE 802.11a/n channels

The following table lists the channels supported on FortiWiFi products that support the IEEE 802.11a and 802.11n wireless standards. 802.11a is available on FortiWiFi models 60B and higher. 802.11n is available on FortiWiFi models 80CM and higher.

All channels are restricted to indoor usage except in the Americas, where both indoor and outdoor use is permitted on channels 52 through 64 in the United States.

IEEE 802.11a/n (5-GHz Band) channel numbers

Channel number	Frequency (MHz)	Regulatory Areas Americas Europe	Taiwan	Singapore Japan
34	5170			•
36	5180	• •		•
38	5190
40	5200	• •		• •
42	5210
44	5220	• •		• •
46	5230
48	5240	• •		• •
149	5745	•	•	•
153	5765	•	•	•
157	5785	•	•	•
161	5805	•	•	•
165	5825	•		•

IEEE 802.11b/g/n channel numbers

The following table lists IEEE 802.11b/g/n channels. All FortiWiFi units support 802.11b and 802.11g. Newer models also support 802.11n.

Wireless radio channels

Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.

IEEE 802.11b/g/n (2.4-GHz Band) channel numbers

Channel number	Frequency (MHz)	Regulatory Areas Americas EMEA	Israel	Japan
1	2412	• •	indoor	•
2	2417	• •	indoor	•
3	2422	• •	indoor	•
4	2427	• •	indoor	•
5	2432	• •	•	•
6	2437	• •	•	•
7	2442	• •	•	•
8	2447	• •	•	•
9	2452	• •	•	•
10	2457	• •	•	•
11	2462	• •	•	•
12	2467	•	•	•
13	2472	•	•	•
14	2484			b only

View all Country & Regcodes/Regulatory Domains

The following CLI command can be entered to view a list of the Country & Regcodes/Regulatory Domains supported by Fortinet:

cw_diag -c all-countries

Below is a table showing a sample of the list displayed by entering this command:

Country-code Region-code Domain	ISO-name Name
0 A FCC3 & FCCA	NA NO_COUNTRY_SET

WiFi event types

Country-code Region-code Domain	ISO-name Name
8 W NULL1 & WORLD	AL ALBANIA
12 W NULL1 & WORLD	DZ ALGERIA
16 A FCC3 & FCCA	AS AMERICAN SAMOA
… … …	… …

WiFi event types

Event type	Description
rogue-ap-detected	A rogue AP has been detected (generic).
rogue-ap-off-air	A rogue AP is no longer detected on the RF side.
rogue-ap-on-wire	A rogue AP has been detected on wire side (connected to AP or controller L2 network).
rogue-ap-off-wire	A rogue AP is no longer detected on wire.
rogue-ap-on-air	A rogue AP has been detected on the RF side.
fake-ap-detected	A rogue AP broadcasting on the same SSIDs that you have in your managed APs has been detected.
fake-ap-on-air	The above fake AP was detected on the RF side.

FortiAP CLI

The FortiAP CLI controls radio and network operation through the use of variables manipulated with the cfg command. There are also diagnostic commands.

The cfg command include the following

cfg -s		List variables.
cfg -a var=value		Add or change a variable value.
cfg -c		Commit the change to flash.
cfg -x		Reset settings to factory defaults.

cfg -r var	Remove variable.
cfg -e	Export variables.
cfg -h	Display help for all commands.

The configuration variables are:

Var	Description and Values
AC_CTL_PORT	WiFi Controller control (CAPWAP) port. Default 5246.
AC_DATA_CHAN_SEC	Data channel security. 0 – Clear text 1 – DTLS (encrypted) 2 – Accept either DTLS or clear text (default)
AC_DISCOVERY_TYPE	1 – Static. Specify WiFi Controllers 2 – DHCP 3 – DNS 5 – Broadcast 6 – Multicast 0 – Cycle through all of the discovery types until successful.
AP_IPADDR AP_NETMASK IPGW	These variables set the FortiAP unit IP address, netmask and default gateway when ADDR_MODE is STATIC. Default 192.168.1.2 255.255.255.0, gateway 192.168.1.1.
AC_HOSTNAME_1 AC_HOSTNAME_2 AC_HOSTNAME_3	WiFi Controller host names for static discovery.
AC_IPADDR_1 AC_IPADDR_2 AC_IPADDR_3	WiFi Controller IP addresses for static discovery.
AC_DISCOVERY_DHCP_OPTION_CODE	Option code for DHCP server. Default 138.
AC_DISCOVERY_MC_ADDR	Multicast address for controller discovery. Default 224.0.1.140.

Var	Description and Values
ADDR_MODE	How the FortiAP unit obtains its IP address and netmask. DHCP – FortiGate interface assigns address. STATIC – Specify in AP_IPADDR and AP_NETMASK. Default is DHCP.
ADMIN_TIMEOUT	Administrative timeout in minutes. Applies to Telnet and web-based manager sessions. Default is 5 minutes.
AP_MGMT_VLAN_ID	Non-zero value applies VLAN ID for unit management. Default: 0.
AP_MODE	FortiAP operating mode. 0 – Thin AP (default) 2 – Unmanaged Site Survey mode. See SURVEY variables.
BAUD_RATE	Console data rate: 9600, 19200, 38400, 57600, or 115200 baud.
DNS_SERVER	DNS Server for clients. If ADDR_MODE is DHCP the DNS server is automatically assigned.
FIRMWARE_UPGRADE	Default is 0.
HTTP_ALLOW	Access to FortiAP web-based manager 1 – Yes (default), 0 – No.
LED_STATE	Enable/disable status LEDs. 0 – LEDs enabled, 1 – LEDs disabled, 2 – follow AC setting.
LOGIN_PASSWD	Administrator login password. By default this is empty.
STP_MODE	Spanning Tree Protocol. 0 is off. 1 is on.
TELNET_ALLOW	By default (value 0), Telnet access is closed when the FortiAP unit is authorized. Set value to 1 to keep Telnet always available.
WTP_LOCATION	Optional string describing AP location.
Mesh variables

Var	Description and Values
MESH_AP_BGSCAN	Enable or disable background mesh root AP scan. 0 – Disabled 1 – Enabled
MESH_AP_BGSCAN_RSSI	If the root AP’s signal is weak, and lower than the received signal strength indicator (RSSI) threshold, the WiFi driver will immediately start a new round scan and ignore the configured MESH_AP_BGSCAN_PERIOD delays. Set the value between 0-127. After the new round scan is finished, a scan done event is passed to wtp daemon to trigger roaming.
MESH_AP_BGSCAN_PERIOD	Time in seconds that a delay period occurs between scans. Set the value between 1-3600.
MESH_AP_BGSCAN_IDLE	Time in milliseconds. Set the value between 0-1000.
MESH_AP_BGSCAN_INTV	Time in milliseconds between channel scans. Set the value between 200-16000.
MESH_AP_BGSCAN_DUR	Time in milliseconds that the radio will continue scanning the channel. Set the value between 10-200.
MESH_AP_SCANCHANLIST	Specify those channels to be scanned.
MESH_AP_TYPE	Type of communication for backhaul to controller: 0 – Ethernet (default) 1 – WiFi mesh 2 – Ethernet with mesh backup support
MESH_AP_SSID	SSID for mesh backhaul. Default: fortinet.mesh.root
MESH_AP_BSSID	WiFi MAC address
MESH_AP_PASSWD	Pre-shared key for mesh backhaul.
MESH_ETH_BRIDGE	1 – Bridge mesh WiFi SSID to FortiAP Ethernet port. This can be used for point-to-point bridge configuration. This is available only when MESH_AP_TYPE =1. 0 – No WiFi-Ethernet bridge (default).
Var Description and Values
MESH_MAX_HOPS Maximum number of times packets can be passed from node to node on the mesh. Default is 4.
The following factors are summed and the FortiAP associates with the lowest scoring mesh AP.
MESH_SCORE_HOP_WEIGHT Multiplier for number of mesh hops from root. Default 50.
MESH_SCORE_CHAN_WEIGHT AP total RSSI multiplier. Default 1.
MESH_SCORE_RATE_WEIGHT Beacon data rate multiplier. Default 1.
Band weight (0 for 2.4GHz, 1 for 5GHz) multiplier. Default MESH_SCORE_BAND_WEIGHT 100.
MESH_SCORE_RSSI_WEIGHT AP channel RSSI multiplier. Default 100.
Survey variables
SURVEY_SSID SSID to broadcast in site survey mode (AP_MODE=2).
SURVEY_TX_POWER Transmitter power in site survey mode (AP_MODE=2).
SURVEY_CH_24 Site survey transmit channel for the 2.4Ghz band (default 6).
Site survey transmit channel for the 5Ghz band (default SURVEY_CH_50 36).
SURVEY_BEACON_INTV Site survey beacon interval. Default 100msec.

cw_diag	help		Display help for all diagnose commands.
cw_diag	uptime		Show daemon uptime.
cw_diag	–tlog	<on\|off>	Turn on/off telnet log message.
cw_diag	–clog	<on\|off>	Turn on/off console log message.
cw_diag 38400 \|	baudrate [9600 \| 19200 \| 57600 \| 115200]		Set the console baud rate.

Previously, FortiAP accepted Telnet and HTTP connection to any virtual interfaces that have an IP address. For security reasons, Telnet and HTTP access are now limited to br0 or br.vlan for AP_MGMT_VLAN_ID.

Diagnose commands include:

cw_diag	plain-ctl [0\|1]		Show or change current plain control setting.
cw_diag	sniff-cfg ip port		Set sniff server ip and port.
cw_diag	sniff [0\|1\|2]		Enable/disable sniff packet.
cw_diag	stats wl_intf		Show wl_intf status.
cw_diag	admin-timeout [30]		Set shell idle timeout in minutes.
cw_diag	-c	wtp-cfg	Show current wtp config parameters in control plane.
cw_diag	-c	radio-cfg	Show current radio config parameters in control plane.
cw_diag	-c	vap-cfg	Show current vaps in control plane.
cw_diag	-c	ap-rogue	Show rogue APs pushed by AC for on-wire scan.
cw_diag	-c	sta-rogue	Show rogue STAs pushed by AC for on-wire scan.
cw_diag	-c	arp-req	Show scanned arp requests.
cw_diag	-c	ap-scan	Show scanned APs.
cw_diag	-c	sta-scan	Show scanned STAs.
cw_diag	-c	sta-cap	Show scanned STA capabilities.
cw_diag	-c	wids	Show scanned WIDS detections.
cw_diag	-c	darrp	Show darrp radio channel.
cw_diag	-c	mesh	Show mesh status.
cw_diag	-c	mesh-veth-acinfo	Show mesh veth ac info, and mesh ether type.
cw_diag	-c	mesh-veth-vap	Show mesh veth vap.
cw_diag	-c	mesh-veth-host	Show mesh veth host.
cw_diag	-c	mesh-ap	Show mesh ap candidates.
cw_diag	-c	scan-clr-all	Flush all scanned AP/STA/ARPs.
cw_diag	-c	ap-suppress	Show suppressed APs.
cw_diag	-c	sta-deauth	De-authenticate an STA.

Link aggregation can also be set in the CLI. Link aggregation is used to combine multiple network connections in parallel in order to increase throughput beyond what a single connection could sustain.

FortiAP 320B and 320C models are supported. l FortiAP 112B and 112D models cannot support link aggregation.
NPI FAP-S3xxCR and “wave2” FAP/FAP-S models will have link aggregation feature via synchronization with regular FortiAP trunk build.

Troubleshooting Useful debugging commands

Leave a reply

Useful debugging commands

For a comprehensive list of useful debug options you can use the following help commands on the controller:

diagnose wireless-controller wlac help

(this command lists the options available that pertain to the wireless controller)

diagnose wireless-controller wlwtp help

(this command lists the options available that pertain to the AP)

Useful debugging commands

Sample outputs

Syntax

diagnose wireless-controller wlac -c vap

(this command lists the information about the virtual access point, including its MAC address, the BSSID, its

SSID, the interface name, and the IP address of the APs that are broadcasting it)

Result:

bssid ssid intf vfid:ip-port rId wId

00:09:0f:d6:cb:12 Office Office ws (0-192.168.3.33:5246) 0 0

00:09:0f:e6:6b:12 Office Office ws (0-192.168.1.61:5246) 0 0

06:0e:8e:27:dc:48 Office Office ws (0-192.168.3.36:5246) 0 0

0a:09:0f:d6:cb:12 public publicAP ws (0-192.168.3.33:5246) 0 1

Syntax

diagnose wireless-controller wlac -c darrp

(this command lists the information pertaining to the radio resource provisioning statistics, including the AP serial number, the number of channels set to choose from, and the operation channel. Note that the 5GHz band is not available on these APs listed)

Result:

wtp_id rId	base_mac index nr_chan vfid 5G oper_chan age
FAP22A3U10600400 0	00:09:0f:d6:cb:12 0 3 0 No 1 87588
FW80CM3910601176 0	06:0e:8e:27:dc:48 1 3 0 No 6 822