Yearly Archives: 2019

FortiOS 6 IPSEC Introduction

Introduction

The following is covered in this documentation section:

IPsec VPN concepts explains the basic concepts that you need to understand about virtual private networks (VPNs).

IPsec VPN overview provides a brief overview of IPsec technology and includes general information about how to configure IPsec VPNs using this guide.

IPsec VPN in the web-based manager describes the IPsec VPN menu of the web-based manager interface.

Gateway-to-gateway configurations explains how to set up a basic gateway-to-gateway (site-to-site) IPsec VPN. In a gateway-to-gateway configuration, two FortiGate units create a VPN tunnel between two separate private networks.

Hub-and-spoke configurations describes how to set up hub-and-spoke IPsec VPNs. In a hub-and-spoke configuration, connections to a number of remote peers and/or clients radiate from a single, central FortiGate hub.

Dynamic DNS configuration describes how to configure a site-to-site VPN, in which one FortiGate unit has a static IP address and the other FortiGate unit has a dynamic IP address and a domain name.

FortiClient dialup-client configurations guides you through configuring a FortiClient dialup-client IPsec VPN. In a FortiClient dialup-client configuration, the FortiGate unit acts as a dialup server and VPN client functionality is provided by the FortiClient Endpoint Security application installed on a remote host.

FortiGate dialup-client configurations explains how to set up a FortiGate dialup-client IPsec VPN. In a FortiGate dialup-client configuration, a FortiGate unit with a static IP address acts as a dialup server and a FortiGate unit with a dynamic IP address initiates a VPN tunnel with the FortiGate dialup server.

Supporting IKE Mode config clients explains how to set up a FortiGate unit as either an IKE Mode Config server or client. IKE Mode Config is an alternative to DHCP over IPsec.

Internet-browsing configuration explains how to support secure web browsing performed by dialup VPN clients, and hosts behind a remote VPN peer. Remote users can access the private network behind the local FortiGate unit and browse the Internet securely. All traffic generated remotely is subject to the security policy that controls traffic on the private network behind the local FortiGate unit.

Redundant VPN configurations discusses the options for supporting redundant and partially redundant tunnels in an IPsec VPN configuration. A FortiGate unit can be configured to support redundant tunnels to the same remote peer if the FortiGate unit has more than one interface to the Internet.

Transparent mode VPNs describes two FortiGate units that create a VPN tunnel between two separate private networks transparently. In transparent mode, all FortiGate unit interfaces except the management interface are invisible at the network layer.

IPv6 IPsec VPNs describes FortiGate unit VPN capabilities for networks based on IPv6 addressing. This includes IPv4-over-IPv6 and IPv6-over-IPv4 tunnelling configurations. IPv6 IPsec VPNs are available in FortiOS 3.0 MR5 and later.

L2TP and IPsec (Microsoft VPN) explains how to support Microsoft Windows native VPN clients.

GRE over IPsec (Cisco VPN) explains how to interoperate with Cisco VPNs that use Generic Routing Encapsulation (GRE) protocol with IPsec.

Protecting OSPF with IPsec provides an example of protecting OSPF links with IPsec.

Redundant OSPF routing over IPsec provides an example of redundant secure communication between two remote networks using an OSPF VPN connection.

OSPF over dynamic IPsec provides an example of how to create a dynamic IPsec VPN tunnel that allows OSPF.

BGP over dynamic IPsec provides an example of how to create a dynamic IPsec VPN tunnel that allows BGP.

Phase 1 parameters provides detailed step-by-step procedures for configuring a FortiGate unit to accept a connection from a remote peer or dialup client. The basic Phase 1 parameters identify the remote peer or clients and support authentication through preshared keys or digital certificates. You can increase VPN connection security further using methods such as extended authentication (XAuth).

Phase 2 parameters provides detailed step-by-step procedures for configuring an IPsec VPN tunnel. During Phase 2, the specific IPsec security associations needed to implement security services are selected and a tunnel is established.

Defining VPN security policies explains how to specify the source and destination IP addresses of traffic transmitted through an IPsec VPN tunnel, and how to define a security encryption policy. Security policies control all IP traffic passing between a source address and a destination address.

Logging and monitoring and Troubleshooting provide VPN monitoring and troubleshooting procedures.

 

Sandbox Inspection FAQ

The following are some frequently asked questions about using sandbox inspection with FortiSandbox and FortiGate.

Why is the FortiSandbox Cloud option not available when sandbox inspection is enabled?

This option is only available if you have already created a FortiCloud account. For more information, see the FortiCloud documentation.

Why don’t results from FortiSandbox Cloud appear in the FortiGate GUI?

Go to Log & Report > Log Settings and make sure Send Logs to FortiCloud is enabled and GUI Preferences is set to Display Logs from FortiCloud.

Why are the FortiSandbox Appliance VMs inactive?

Make sure that port 3 on the FortiSandbox has an active Internet connection. This is required in order to activate the FortiSandbox VMs.

Why aren’t files being scanned by FortiSandbox?

Make sure an AntiVirus profile that sends files to FortiSandbox is enabled for all policies that require sandbox inspection.

Is FortiSandbox supported by FortiGate when in NAT or Transparent mode?

Yes, both NAT and Transparent mode are supported.

Are FortiGates behind a NAT device supported? If so, how many?

Yes, multiple FortiGates behind a NAT device can be supported in line with FortiSandbox. Currently there is a limitation: the FortiSandbox sees all of those FortiGates as a single device, so reports cannot be differentiated per FortiGate, although all material from every FortiGate is still sent.

If the FortiGate has a dynamic IP, will the FortiSandbox automatically update the FortiGate?

Yes. Dynamic IPs are supported, and the FortiGate does not have to be reconfigured on the FortiSandbox each time its address changes.

Sandbox Integration

Sandbox integration adds another level to sandbox inspection, allowing you to set up automatic actions to protect your network from files FortiSandbox determines are malicious. These actions include:

  • receiving AntiVirus signature updates from FortiSandbox,
  • adding the originating URL of any malicious file to a blocked URL list, and
  • extending sandbox scanning to FortiClient devices.

Overview

FortiSandbox integration involves three different FortiGate security profiles: AntiVirus, Web Filtering, and FortiClient Profiles.

A FortiGate can retrieve scan results and details from FortiSandbox, and also receive antivirus and web filtering signatures to supplement the current signature database. When FortiGate learns from FortiSandbox that an endpoint is infected, the administrator can push instruction for self-quarantine on a registered FortiClient host.

When integrated with a FortiGate unit, the following protocols are supported by FortiSandbox: HTTP, HTTPS, FTP, FTPS, POP3, POP3S, IMAP, IMAPS, SMTPS, MAPI, MAPIS, SMB, and supported IM protocols.

AntiVirus

When FortiSandbox discovers a malicious file, it can create an AntiVirus signature for that file and add that signature to both the local FortiGate malware database and the FortiGuard AntiVirus signature database. Through FortiSandbox integration, this signature can be sent to a FortiGate to block the file from re-entering the network and to prevent the future retransmission of that file to FortiSandbox.

Use of the FortiSandbox AntiVirus database is enabled in an AntiVirus profile, found at Security Profiles > AntiVirus. It can also be configured using the following CLI commands:

    config antivirus profile
        edit <profile>
            set analytics-db enable
        next
    end

Web Filtering

FortiSandbox integration can also be used to allow FortiSandbox to add a URL filter blocking the source of a discovered malicious file to the FortiGate’s blocked URL list.

Blocking malicious URLs discovered by FortiSandbox is enabled in a Web Filter profile, found at Security Profiles > Web Filter. It can also be configured using the following CLI commands:

    config webfilter profile
        edit <profile>
            config web
                set blacklist enable
            end
        next
    end

FortiClient Profiles

When extended FortiSandbox scanning is enabled for FortiClient, files downloaded by FortiClient can be sent to the FortiSandbox for inspection. Also, if a suspicious file is discovered, FortiClient can be configured to wait until sandbox inspection is complete before allowing that file to be accessed.

AntiVirus signatures can also be pushed by the FortiGate to FortiClient.

If a FortiClient device attempts to download a file that FortiSandbox discovers is malicious, the FortiSandbox notifies the FortiGate. The administrator can take action to quarantine the device. When a quarantine is in effect, FortiClient cuts off other network traffic from the device directly, preventing it from infecting or scanning the local network. While a device is under quarantine, FortiClient cannot be shut down or uninstalled. The user is also unable to unregister from the FortiGate that quarantined them, or to register to another FortiGate unit. A quarantine can only be lifted by the administrator of the FortiGate where the FortiClient device is registered.

Extending FortiSandbox scanning can be configured in the Security settings of a FortiClient Profile, found at Security Profiles > FortiClient Compliance Profiles. It can also be configured using the following CLI commands:

    config endpoint-control profile
        edit <profile>
            config forticlient-winmac-settings
                set forticlient-av enable
                set av-realtime-protection enable
                set sandbox-analysis enable
                set sandbox-address <address>
            end
        next
    end

Extending FortiSandbox scanning can also be configured directly in the FortiClient AntiVirus settings. If you are using FortiClient version 5.6+, the Sandbox Detection feature can be used to send files to FortiSandbox for analysis without having to install the AntiVirus feature. See the FortiClient 5.6 Administration Guide for details.

The number of files sent from a single device to FortiSandbox can be limited by configuring the submission limit on the FortiSandbox. This allows users to prioritize which devices get the greater share of FortiSandbox resources.

Example Configuration

The following example configuration sets up FortiSandbox integration using AntiVirus, Web Filtering, and a FortiClient profile. This configuration assumes that a connection has already been established between the FortiSandbox Appliance and the FortiGate.

  1. Go to Security Fabric > Settings and confirm that Sandbox Inspection is enabled and the FortiSandbox Appliance is connected.
  2. Go to Security Profiles > AntiVirus and edit the default profile. Under Inspection Options, select All Supported Files to be sent for inspection and enable Use FortiSandbox Database. You have the option of withholding files by name or pattern. Select Apply.
  3. Go to Security Profiles > Web Filter and edit the default profile. Under Static URL Filter, enable Block malicious URLs discovered by FortiSandbox. Select Apply.
  4. Go to Security Profiles > FortiClient Compliance Profiles and edit the default profile. Under Security Posture Check, enable Realtime Protection. Next, enable Scan with FortiSandbox. Select Apply.
  5. Go to Policy & Objects > IPv4 Policy and view the policy list. If a policy already has AntiVirus and Web Filtering scanning applied, the profiles are listed in the Security Profiles column. If scanning needs to be added to any security policy (excluding the Implicit Deny policy), select the + button in the Security Profiles column for that policy, then select the default AntiVirus profile, the default Web Filter profile, the appropriate Proxy Options, and the deep-inspection profile for SSL/SSH Inspection (to ensure that encrypted traffic is inspected).
  6. Select OK.
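The same six GUI steps expressed as FortiOS CLI, as an added example that is not part of the original page. It assumes FortiOS 6.0 syntax; the `config system fortisandbox` and `config firewall policy` keys, the `ftgd-analytics` keyword, policy ID 1, the FortiSandbox address 192.0.2.10 and the notifier e-mail are assumptions or constructed placeholders, not values from the text.

```fortios
# Added example (not from the original page): CLI equivalent of the GUI
# procedure above. "default" and "deep-inspection" are the built-in profile
# names; policy ID 1, 192.0.2.10 and soc@example.com are placeholders.

# Step 1: enable sandbox inspection and point it at the FortiSandbox Appliance
config system fortisandbox
    set status enable
    set server "192.0.2.10"
    set email "soc@example.com"
end

# Step 2: AntiVirus profile - submit all supported files and use the
# FortiSandbox database (ftgd-analytics keyword assumed for FortiOS 6.0)
config antivirus profile
    edit "default"
        set ftgd-analytics everything
        set analytics-db enable
    next
end

# Step 3: Web Filter profile - block malicious URLs discovered by FortiSandbox
config webfilter profile
    edit "default"
        config web
            set blacklist enable
        end
    next
end

# Step 4: FortiClient compliance profile - realtime AV plus FortiSandbox scanning
config endpoint-control profile
    edit "default"
        config forticlient-winmac-settings
            set forticlient-av enable
            set av-realtime-protection enable
            set sandbox-analysis enable
            set sandbox-address "192.0.2.10"
        end
    next
end

# Step 5: attach the profiles to an existing policy (ID 1 assumed) with
# deep inspection so that encrypted traffic is also scanned
config firewall policy
    edit 1
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
    next
end
```

After applying, Test Connectivity under Security Fabric > Settings should still report Service is online; the FortiGate must already be authorized on the FortiSandbox, as the text states.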

Results

If your FortiGate discovers a suspicious file, it will be sent to the FortiSandbox. To view information about the files that have been sent on the FortiGate, go to FortiView > FortiSandbox to see a list of file names and current status.

To view results on the FortiSandbox, go to the Dashboard and view the Scanning Statistics widget. There may be a delay before results appear on the FortiSandbox.

Open FortiClient using a Windows PC on the internal network. Make sure it is registered to your FortiGate. Go to the AntiVirus tab and open Settings. You will see that the Realtime Protection settings match the FortiClient profile configured on the FortiGate. These settings cannot be changed using FortiClient.

If a PC running FortiClient downloads a suspicious file that the FortiSandbox determines is malicious, a quarantine is applied automatically. While the quarantine is in effect, FortiClient cannot be shut down on the PC, and it cannot be uninstalled or unregistered from the FortiGate. The quarantine can only be released from the FortiClient Monitor on the FortiGate.

Using FortiSandbox with a FortiGate

Connecting a FortiGate to FortiSandbox

The procedures for connecting a FortiGate to FortiSandbox differ depending whether you are using FortiSandbox Appliance or FortiSandbox Cloud.

If you are using FortiSandbox in a Security Fabric, consult the Fortinet Cookbook site for the Security Fabric collection of recipes.

Once the FortiGate is connected to FortiSandbox, an AntiVirus profile can be configured to send suspicious files for inspection. Sandbox integration can also be configured; for more information, see “Sandbox Integration”.

Connecting to FortiSandbox Appliance

  1. Connect the FortiSandbox Appliance to your FortiGate so that port 1 and port 3 on the FortiSandbox are on different subnets.

FortiSandbox port 3 is used for outgoing communication triggered by the execution of the files under analysis. While the FortiSandbox can accept files through any port, it is recommended to connect port 3 to a dedicated interface on your FortiGate to protect the rest of the network from threats currently being investigated by the FortiSandbox. Note too that port 1 can be used to accept files but is generally reserved for managing the FortiSandbox.

  2. FortiSandbox port 3 must be able to connect to the Internet. On the FortiGate, go to Policy & Objects > IPv4 Policy and create a policy allowing connections from the FortiSandbox to the Internet (using the isolated interface on the FortiGate mentioned above). On the FortiSandbox, network settings for port 3 can be configured by going to Scan Policy > General.
  3. On the FortiSandbox, go to Network > System Routing and add static routes for port 1.
  4. On the FortiSandbox, go to Dashboard and locate the System Information widget. Now that the FortiSandbox has Internet access, it can activate its VM licenses. Wait until a green arrow shows up beside Windows VM before continuing to the next step.
  5. On the FortiGate, go to Security Fabric > Settings. Select Enable Sandbox Inspection and select FortiSandbox Appliance. Set the IP Address and enter a Notifier Email. If you select Test Connectivity, the Status shows as Service is not configured because the FortiGate has not yet been authorized to connect to the FortiSandbox.
  6. On the FortiSandbox, go to Scan Input > Device. Edit the entry for the FortiGate. Under Permissions & Policy > Authorized, select the checkbox and click OK to authorize the FortiGate.
  7. On the FortiGate, go to Security Fabric > Settings and select Test Connectivity for the FortiSandbox. The Status now shows that Service is online.

Connecting to FortiSandbox Cloud

Before you can connect a FortiGate to FortiSandbox Cloud, you need an active FortiCloud account. For more information, see the FortiCloud documentation.

Once you have created a FortiCloud account, sandbox inspection should be enabled by default. To verify this, go to Security Fabric > Settings, confirm that Sandbox Inspection is enabled, and set the type to FortiSandbox Cloud.

To see the results from FortiSandbox Cloud in the FortiGate logs, go to Log & Report > Log Settings, enable Send Logs to FortiCloud, and set GUI Preferences to Display Logs from FortiCloud.

FortiSandbox Console

The FortiSandbox console is available at FortiView > FortiSandbox. The console displays all samples submitted for inspection. Information on the console can be filtered by checksum, file name, result, source, status, and user name.

If you right-click on an entry, you can choose to Drill Down to Details, Quarantine Source Address, or Quarantine FortiClient Device.

Information about the FortiSandbox database and sandboxing statistics are available at Security Fabric > Settings once sandbox inspection is enabled. The Advanced Threat Protection dashboard widget shows you the number of files that your FortiGate unit has uploaded or submitted to FortiSandbox.

Refer to the FortiSandbox documentation for details on what you can access through the FortiSandbox GUI.

Sending Files for Sandbox Inspection

Sending files to the FortiSandbox appliance or to FortiSandbox Cloud does not block files immediately. Instead, the files assist in the discovery of new threats and the creation of new signatures to be added to the global FortiGuard AntiVirus database. Files deemed malicious are also immediately added to a custom Malware Package which is downloaded by the FortiGate every two minutes for live detection.

Enable Sandbox Inspection by going to Security Fabric > Settings. You can also configure the FortiSandbox type, server, and notifier email.

To see options for sending files for sandbox inspection, go to Security Profiles > AntiVirus. There are two options for sending files: None or All Supported Files. If All Supported Files is selected, users can withhold files from being submitted for inspection by type or name pattern.

 

FortiSandbox Appliance vs FortiSandbox Cloud

FortiSandbox is available as a physical or virtual appliance (FortiSandbox Appliance), or as a cloud advanced threat protection service integrated with FortiGate (FortiSandbox Cloud).

To select the settings for Sandbox Inspection, such as the FortiSandbox type, server, and notifier email, go to Security Fabric > Settings.

The table below highlights the supported features of both types of FortiSandbox:

| Feature | FortiSandbox Appliance (including VM) | FortiSandbox Cloud |
|---|---|---|
| Sandbox inspection for FortiGate | Yes (FortiOS 5.0.4+) | Yes (FortiOS 5.2.3+) |
| Sandbox inspection for FortiMail | Yes (FortiMail OS 5.1+) | Yes (FortiMail OS 5.3+) |
| Sandbox inspection for FortiWeb | Yes (FortiWeb OS 5.4+) | Yes (FortiWeb OS 5.5.3+) |
| Sandbox inspection for FortiClient | Yes (FortiClient 5.4+ for Windows only) | No |
| Sandbox inspection for network share | Yes | No |
| Sandbox inspection for ICAP client | Yes | No |
| Manual file upload for analysis | Yes | Yes |
| Sniffer mode | Yes | Yes |
| File status feedback and report | Yes | Yes |
| Dynamic Threat Database updates for FortiGate | Yes (FortiOS 5.4+) | Yes (FortiOS 5.4+) |
| Dynamic Threat Database updates for FortiClient | Yes (FortiClient 5.4 for Windows only) | Yes (FortiClient 5.6+ for Windows only) |

Note that FortiMail keeps its own Dynamic Threat Database. For more information, see the FortiSandbox documentation.

What is Sandbox Inspection?

Sandbox inspection is a network process that allows files to be sent to a separate device, such as FortiSandbox, to be inspected without risking network security. This allows the detection of threats which may bypass other security measures, including zero-day threats.

You can configure your FortiGate device to send suspicious files to FortiSandbox for inspection and analysis. The FortiGate queries scan results and retrieves scan details. The FortiGate can also download malware packages as a complementary AV signature database to block future appearances of the same malware, and download URL packages as a complementary web filtering blacklist.

When a FortiGate sends files for sandbox inspection, the FortiSandbox uses virtual machines (VMs) running different operating systems to test the file and to determine if it is malicious. If the file exhibits risky behavior, or is found to contain a virus, a new signature can be added to the FortiGuard AntiVirus signature database.

When a FortiGate learns from FortiSandbox that an endpoint is infected, the administrator can push an instruction for self-quarantine to the registered FortiClient host.

FortiSandbox can process multiple files simultaneously since the FortiSandbox has a VM pool. The time to process a file depends on hardware and the number of sandbox VMs used to scan the file. It can take 60 seconds to five minutes to process a file.

FortiOS 6.2 Logging and Reporting Best Practices

Logging and reporting

The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled, except for traffic logging. The default logging location will be either the FortiGate unit’s system memory or hard disk, depending on the model. Units with a flash disk are not recommended for disk logging.

Log management

When the FortiGate unit records FortiGate activity, valuable information is collected that provides insight into how to better protect network traffic against attacks, including misuse and abuse. There is a lot to consider before enabling logging on a FortiGate unit, such as what FortiGate activities to enable and which log device is best suited for your network’s logging needs. A plan can help you in deciding the FortiGate activities to log, a log device, as well as a backup solution in the event the log device fails.

This plan should provide you with an outline, similar to the following:

  • What FortiGate activities you want and/or need logged (for example, security features).
  • The logging device best suited for your network structure.
  • If you want or require archiving of log files.
  • Ensuring logs are not lost in the event a failure occurs.

After the plan is implemented, you need to manage the logs and be prepared to expand on your log setup when the current logging requirements are outgrown. Good log management practices help you with these tasks.

Log management practices help you to improve and manage logging requirements. Logging is an ever-expanding tool that can seem to be a daunting task to manage. The following management practices will help you when issues arise, or your logging setup needs to be expanded.

  • Revisit your plan on a yearly basis to verify that your logging needs are being met by your current log setup. For example, your company or organization may require archival logging, but not at the beginning of your network’s lifespan. Archival logs are stored on a FortiGate unit’s local hard drive, a FortiAnalyzer unit, or a FortiCloud server, in increasing order of size.
  • Configure an alert message that will notify you of activities that are important to be aware of. For example, if a branch office does not have a FortiGate administrator, you will need to know at all times that the IPsec VPN tunnel is still up and running. An alert email notification can be configured to be sent only if IPsec tunnel errors occur.
  • If your organization or company uses peer-to-peer programs such as Skype or other instant messaging software, use the IM usage dashboard widget or the Executive Summary’s report widget (Top 10 Application Bandwidth Usage Per Hour Summary) to help you monitor the usage of these types of instant messaging software. These widgets can help you in determining how these applications are being used, including if there is any misuse and abuse. Their information is taken from application log messages; however, application log messages should be viewed as well since they contain the most detailed information.
  • Ensure that your backup solution is up-to-date. If you have recently expanded your log setup, you should also review your backup solution. The backup solution provides a way to ensure that all logs are not lost in the event that the log device fails or issues arise with the log device itself.
  • When downloading log messages and viewing them on a computer, the log file will be downloaded like any other file. Log file names contain their log type and date in the name, so it is recommended to create a folder in which to archive your log messages, as they can be sorted easily.

System memory and hard disks

If the FortiGate unit has a hard disk, logging to it is enabled by default. This means you do not have to enable disk logging yourself, but you should adjust its settings so that they match your network’s logging requirements.

If the FortiGate unit has only flash memory, disk logging is disabled by default, as it is not recommended. Constant rewrites to flash drives can reduce the lifetime and efficiency of the memory. It must be enabled in the CLI under config log disk setting.

For some low-end models, disk logging is unavailable. Check a product’s Feature Matrix for more information. In either case, Fortinet recommends using either a FortiAnalyzer unit or the FortiCloud service.