Advanced configurations FortiOS 6.2

Advanced configurations

VDOM

You can use VDOMs (virtual domains) as a method of dividing a FortiGate unit into multiple virtual units. Each unit functions as an independent unit. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network.

By default, most FortiGate units support up to ten VDOMs. Many FortiGate models support purchasing a license key to increase the maximum number of VDOMs.

Sample topology

In this sample, you use VDOMs to provide Internet access for two different companies (called Company A and Company B) using a single FortiGate.

VDOM mode

There are three VDOM modes:

  • No VDOM. The VDOM setting is disabled. When VDOMs are disabled on any FortiGate unit, there is still one active VDOM: the root VDOM. The root VDOM is always in the background. When VDOMs are disabled, the root VDOM is not visible but it is still there.
  • Split VDOM. FortiGate has two VDOMs: the root VDOM and a VDOM for FortiGate traffic.
  1. The root VDOM is the management VDOM and only does management work. The following items are hidden in the root VDOM: l All Policy & Object entries. l User & Device entries. l Security Profiles. l Traffic-related FortiView entries. l VPN entries. l Fabric Connectors, Reputation, Feature Visibility, and Object Tags entries.
  • Wan-Opt entries. l Most route entries. l Most Log Event entries.
  • Monitor entries.
  1. The FortiGate traffic VDOM can provide separate security policies and allow traffic through the FortiGate. l Multi-VDOM. Multiple VDOMs each functioning as an independent unit.

You can change VDOM modes in the following ways:

  • Change from no VDOM to split VDOM or vice versa. l Change from multi-VDOM to no VDOM. l Change from no VDOM/split VDOM to multi-VDOM is allowed only if CSF is disabled.
  • Change from multi-VDOM directly to split VDOM is not You must change to no VDOM first and then change from no VDOM to split VDOM.

To enable VDOMs in the GUI:

  1. Go to System > Settings.
  2. In the System Operation Settings section, enable Virtual Domains.
  3. Specify VDOM options.

On FortiGate 60 series models, you must use CLI to enable VDOMs.

To enable VDOMs in the CLI:

config system global set vdom-mode no-vdom/split-vdom/multi-vdom

end

To add a VDOMs in the GUI:

  1. Go to Global > System > VDOM.
  2. Select Create New and specify the new VDOM parameters.

To add a VDOMs in the CLI:

config vdom edit <new_vdom_name>

end

To edit a VDOMs in the GUI:

  1. Go to Global > System > VDOM.
  2. Select the VDOM and select Edit.
  3. Specify the new VDOM parameters.

To edit a VDOMs in the CLI:

config vdom edit vdom_name config system settings

set opmode nat

end

To delete a VDOMs in the GUI:

  1. Go to Global > System > VDOM.
  2. Select the VDOM and select Delete.

To delete a VDOMs in the CLI:

config vdom delete vdom_name

end

Operation mode

A FortiGate can operate in one of two modes: NAT/Route or Transparent.

NAT/Route is the most common operating mode. In this mode, a FortiGate is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the FortiGate to hide the IP addresses of the private network using network address translation (NAT). You can also use NAT/Route mode when several Internet service providers (ISPs) provide the FortiGate with redundant Internet connections.

In Transparent mode, the FortiGate is installed between the internal network and the router. In this mode, the FortiGate does not changes any IP addresses and only applies security scanning to traffic. When you add a FortiGate to a network in Transparent mode, no network changes are requiredexcept to provide the FortiGate with a management IP address. Transparent mode is used primarily when there is a need to increase network protection but changing the configuration of the network itself is impractical.

By default, new VDOMs are set to NAT/Route operation mode. If you want a VDOM to be in Transparent operation mode, you must manually change it.

To change operation mode in the CLI:

config system settings set opmode nat | transparent

end

SNMP

The Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers.

SNMP v1/v2c

SNMPWALK is a Simple Network Management Protocol (SNMP) application present on the Security Management

System (SMS) CLI that uses SNMP GETNEXT requests to query a network device for information. An object identifier (OID) may be given on the command line. This OID specifies which portion of the object identifier space will be searched using GETNEXT requests. All variables in the subtree below the given OID are queried and their values presented to the user.

To configure SNMP v1/v2c:

config system snmp community edit 1 set name “REGR-SYS” config hosts edit 1 set ip 10.1.100.11 255.255.255.255

next

end

set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-

failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change bgp-established bgp-backward-transition ha-member-up ha-member-down ent-confchange av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-failopen faz-disconnect wc-ap-up wc-ap-down fswctl-session-up fswctl-session-down load-balancereal-server-down device-new next

end

Below is a sample SNMPWALK output on the above configuration:

snmpwalk -v2c -c REGR-SYS 10.1.100.1 1 SNMPv2-MIB::sysDescr.0 = STRING: REGR-SYS

SNMPv2-MIB::sysObjectID.0 = OID: FORTINET-FORTIGATE-MIB::fgt140P

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (224721) 0:37:27.21

SNMPv2-MIB::sysContact.0 = STRING: Gundam-Justice

SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE

SNMPv2-MIB::sysLocation.0 = STRING: Gundam-Seed

SNMPv2-MIB::sysServices.0 = INTEGER: 78

SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

SNMPv2-MIB::sysORIndex.1 = INTEGER: 1

SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::zeroDotZero.0 SNMPv2-MIB::sysORDescr.1 = STRING:

SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00

IF-MIB::ifNumber.0 = INTEGER: 45

IF-MIB::ifIndex.1 = INTEGER: 1

IF-MIB::ifIndex.2 = INTEGER: 2

IF-MIB::ifIndex.3 = INTEGER: 3

IF-MIB::ifIndex.4 = INTEGER: 4

IF-MIB::ifIndex.5 = INTEGER: 5

IF-MIB::ifIndex.6 = INTEGER: 6

IF-MIB::ifIndex.7 = INTEGER: 7

IF-MIB::ifIndex.8 = INTEGER: 8

IF-MIB::ifIndex.9 = INTEGER: 9

IF-MIB::ifIndex.10 = INTEGER: 10

IF-MIB::ifIndex.11 = INTEGER: 11

IF-MIB::ifIndex.12 = INTEGER: 12

IF-MIB::ifIndex.13 = INTEGER: 13

IF-MIB::ifIndex.14 = INTEGER: 14

IF-MIB::ifIndex.15 = INTEGER: 15

—————truncated———————–

SNMP v3

Authentication is used to ensure the identity of users. Privacy allows for encryption of SNMP v3 messages to ensure confidentiality of data. These protocols provide a higher level of security than is available in SNMP v1 and v2c, which use community strings for security. Both authentication and privacy are optional.

To configure SNMP v3:

config system snmp user edit “v3user” set notify-hosts 10.1.100.11

set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ha-switch ha-hb-

failure ips-signature ips-anomaly av-virus av-oversize av-pattern av-fragmented fm-if-change fm-conf-change ha-member-up ha-member-down ent-conf-change av-conserve av-bypass av-oversizepassed av-oversize-blocked ips-pkg-update faz-disconnect set security-level auth-priv

set auth-pwd ENC nu9t3vKW5BOw03RBzrp8cRVgq5kXg/ZqMgEACPNeNi+o-

pioCE6ztKXjkn+eReY9DxSUjgO5TckbMgqfH+YpVzNJxvL8jueq8g00Hs5gJyRy-

ueP22xsRudVv6v0gdfX47WTYvhqxBIDGnUKsL4NsztG0rJVUVZWNVPepdtWYMNDgGgePhvir3Rk/M1OjbS+mGX0YkYw== set priv-pwd ENC

YlZKutoqQPWK0fut2QPy-

fFayGaMssCaBT4y+6mP0AXNC+NJSbOeYCfhL4XFvyvhH8l07Hww6QYcoIGAU9jBcMt+tJk97MExQ/VutOwlSizKNqfy9MnJjLWARoKQwOYKpnE2b-

tZGxiFnFmD37mQHcKAtC9n531CPTYOuCtPQB26IjQ97yyWca4SqhRvuSZs6sjkSVWA== next

end

Below is a sample SNMPWALK output on the above configuration:

snmpwalk -v3 -u v3user -c REGR-SYS -a sha -A 1234567890 -x aes -X 1234567890 10.1.100.1 1 -l authpriv

SNMPv2-MIB::sysDescr.0 = STRING: REGR-SYS

SNMPv2-MIB::sysObjectID.0 = OID: FORTINET-FORTIGATE-MIB::fgt140P

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (14328) 0:02:23.28

SNMPv2-MIB::sysContact.0 = STRING: Gundam-Justice

SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE

SNMPv2-MIB::sysLocation.0 = STRING: Gundam-Seed

SNMPv2-MIB::sysServices.0 = INTEGER: 78

SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

SNMPv2-MIB::sysORIndex.1 = INTEGER: 1

SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::zeroDotZero.0 SNMPv2-MIB::sysORDescr.1 = STRING:

SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00

IF-MIB::ifNumber.0 = INTEGER: 45

IF-MIB::ifIndex.1 = INTEGER: 1

IF-MIB::ifIndex.2 = INTEGER: 2

IF-MIB::ifIndex.3 = INTEGER: 3

IF-MIB::ifIndex.4 = INTEGER: 4

IF-MIB::ifIndex.5 = INTEGER: 5

IF-MIB::ifIndex.6 = INTEGER: 6

IF-MIB::ifIndex.7 = INTEGER: 7

IF-MIB::ifIndex.8 = INTEGER: 8

IF-MIB::ifIndex.9 = INTEGER: 9

IF-MIB::ifIndex.10 = INTEGER: 10

IF-MIB::ifIndex.11 = INTEGER: 11

IF-MIB::ifIndex.12 = INTEGER: 12

IF-MIB::ifIndex.13 = INTEGER: 13

IF-MIB::ifIndex.14 = INTEGER: 14

IF-MIB::ifIndex.15 = INTEGER: 15

IF-MIB::ifIndex.16 = INTEGER: 16

IF-MIB::ifIndex.17 = INTEGER: 17

IF-MIB::ifIndex.18 = INTEGER: 18

IF-MIB::ifIndex.19 = INTEGER: 19

IF-MIB::ifIndex.20 = INTEGER: 20

IF-MIB::ifIndex.21 = INTEGER: 21

IF-MIB::ifIndex.22 = INTEGER: 22

IF-MIB::ifIndex.23 = INTEGER: 23

IF-MIB::ifIndex.24 = INTEGER: 24

IF-MIB::ifIndex.25 = INTEGER: 25

IF-MIB::ifIndex.26 = INTEGER: 26

IF-MIB::ifIndex.27 = INTEGER: 27

IF-MIB::ifIndex.28 = INTEGER: 28

IF-MIB::ifIndex.29 = INTEGER: 29

IF-MIB::ifIndex.30 = INTEGER: 30

IF-MIB::ifIndex.31 = INTEGER: 31

IF-MIB::ifIndex.32 = INTEGER: 32

IF-MIB::ifIndex.33 = INTEGER: 33

IF-MIB::ifIndex.34 = INTEGER: 34

IF-MIB::ifIndex.35 = INTEGER: 35

IF-MIB::ifIndex.36 = INTEGER: 36

IF-MIB::ifIndex.37 = INTEGER: 37

IF-MIB::ifIndex.38 = INTEGER: 38

IF-MIB::ifIndex.39 = INTEGER: 39

IF-MIB::ifIndex.40 = INTEGER: 40

IF-MIB::ifIndex.41 = INTEGER: 41

IF-MIB::ifIndex.42 = INTEGER: 42

IF-MIB::ifIndex.43 = INTEGER: 43

IF-MIB::ifIndex.44 = INTEGER: 44

IF-MIB::ifIndex.45 = INTEGER: 45

=====================Truncated=========================

Important SNMP traps

Link Down and Link Up traps

This trap is sent when a FortiGate port goes down or is brought up. For example, the below traps are generated when the state of port34 is set to down using set status down and then brought up using set status up.

NET-SNMP version 5.7.3 2019-01-31 14:11:48 10.1.100.1(via UDP: [10.1.100.1]:162->

[10.1.100.11]:162) TRAP, SNMP v1, community REGR-SYS SNMPv2-MIB::snmpTraps Link Down Trap (0) Uptime: 0:14:44.95 IF-MIB::ifIndex.42 = INTEGER: 42 IF-MIB::ifAdminStatus.42 = INTEGER: down (2) IF-MIB::ifOperStatus.42 = INTEGER: down(2) FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE

2019-01-31 14:11:48 <UNKNOWN> [UDP: [10.1.100.1]:162->[10.1.100.11]:162]: DISMAN-EVENTMIB::sysUpTimeInstance = Timeticks: (88495) 0:14:44.95 SNMPv2-MIB::snmpTrapOID.0 = OID: IFMIB::linkDown IF-MIB::ifIndex.42 = INTEGER: 42 IF-MIB::ifAdminStatus.42 = INTEGER: down(2) IFMIB::ifOperStatus.42 = INTEGER: down(2) FORTINET-CORE-MIB::fnSysSerial.0 = STRING:

FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE 2019-01-31 14:12:01

10.1.100.1(via UDP: [10.1.100.1]:162->[10.1.100.11]:162) TRAP, SNMP v1, community REGR-SYS

SNMPv2-MIB::snmpTraps Link Up Trap (0) Uptime: 0:14:57.98 IF-MIB::ifIndex.42 = INTEGER: 42 IFMIB::ifAdminStatus.42 = INTEGER: up(1) IF-MIB::ifOperStatus.42 = INTEGER: up(1) FORTINET-COREMIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-140DPOE

2019-01-31 14:12:01 <UNKNOWN> [UDP: [10.1.100.1]:162->[10.1.100.11]:162]: DISMAN-EVENTMIB::sysUpTimeInstance = Timeticks: (89798) 0:14:57.98 SNMPv2-MIB::snmpTrapOID.0 = OID: IFMIB::linkUp IF-MIB::ifIndex.42 = INTEGER: 42 IF-MIB::ifAdminStatus.42 = INTEGER: up(1) IFMIB::ifOperStatus.42 = INTEGER: up(1) FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-140D-POE fgFmTrapIfChange trap

This trap is sent when any changes are detected on the interface. The change can be very simple, such as giving an IPV4 address. For example, the user has given the IP address of 1.2.3.4/24 to port 1 and the EMS Manager has detected the below trap.

DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (7975058) 22:09:10.58 SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgFmTrapIfChange FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 IF-MIB::ifName.45 = STRING: port1 FORTINET-FORTIGATEMIB::fgManIfIp.0 = IpAddress: 1.2.3.4 FORTINET-FORTIGATE-MIB::fgManIfMask.0 = IpAddress:

255.255.255.0 FORTINET-FORTIGATE-MIB::fgManIfIp6.0 = STRING: 0:0:0:0:0:0:0:0 entConfigChange trap

The change to the interface in the example above has also triggered the ConfChange Trap which is sent along with the fgFmTrapIfChange trap.

2018-11-15 09:30:23 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]: DISMAN-EXPRESSIONMIB::sysUpTimeInstance = Timeticks: (8035097) 22:19:10.97 SNMPv2-MIB::snmpTrapOID.0 = OID: ENTITY-MIB::entConfigChange fgTrapDeviceNew trap

This trap is triggered when a new device like FortiAP/FortiSwitch is connected to the FortiGate. For example, the below scenario has given the device a new trap for adding FortiAP on a POE interface of FGT140D-POE. The trap has important information about the device name, device MAC address, and when it was last seen.

2018-11-15 11:17:43 UDP/IPv6: [2000:172:16:200::1]:162 [UDP/IPv6: [2000:172:16:200::1]:162]: DISMAN-EXPRESSION-MIB::sysUpTimeInstance = Timeticks: (520817) 1:26:48.17 SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgTrapDeviceNew FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FGT_A IF-MIB::ifIndex.0 = INTEGER: 0

FORTINET-FORTIGATE-MIB::fgVdEntIndex.0 = INTEGER: 0 FORTINET-FORTIGATE-MIB::fgDeviceCreated.0

= Gauge32: 5 FORTINET-FORTIGATE-MIB::fgDeviceLastSeen.0 = Gauge32: 5 FORTINET-FORTIGATEMIB::fgDeviceMacAddress.0 = STRING: 90:6c:ac:f9:97:a0

2018-11-15 11:17:43 FGT_A [UDP: [172.16.200.1]:162->[172.16.200.55]:162]: DISMAN-EXPRESSIONMIB::sysUpTimeInstance = Timeticks: (520817) 1:26:48.17 SNMPv2-MIB::snmpTrapOID.0 = OID:

FORTINET-FORTIGATE-MIB::fgTrapDeviceNew FORTINET-CORE-MIB::fnSysSerial.0 = STRING:

FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FGT_A IF-MIB::ifIndex.0 = INTEGER: 0

FORTINET-FORTIGATE-MIB::fgVdEntIndex.0 = INTEGER: 0 FORTINET-FORTIGATE-MIB::fgDeviceCreated.0

= Gauge32: 5 FORTINET-FORTIGATE-MIB::fgDeviceLastSeen.0 = Gauge32: 5 FORTINET-FORTIGATE-

MIB::fgDeviceMacAddress.0 = STRING: 90:6c:ac:f9:97:a0 fgTrapAvOversize trap

The fgTrapAvOversize trap is generated when Antivirus Scanner detects an Oversized File.

019-01-31 13:22:04 10.1.100.1(via UDP: [10.1.100.1]:162->[10.1.100.11]:162) TRAP, SNMP v1, community REGR-SYS FORTINET-FORTIGATE-MIB::fgt140P Enterprise Specific Trap (602) Uptime: 1 day, 3:41:10.31 FORTINET-CORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 =

STRING: FortiGate-140D-POE 2019-01-31 13:22:29 <UNKNOWN> [UDP: [10.1.100.1]:162->

[10.1.100.11]:162]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9967031) 1 day,

3:41:10.31 SNMPv2-MIB::snmpTrapOID.0 = OID: FORTINET-FORTIGATE-MIB::fgTrapAvOversize FORTINETCORE-MIB::fnSysSerial.0 = STRING: FG140P3G15800330 SNMPv2-MIB::sysName.0 = STRING: FortiGate-

140D-POE

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.