System Log

Use the Log pages to view and download FortiDeceptor system logs. You can put logs locally on FortiDeceptor or on a remote log server.

Logging Levels

FortiDeceptor log level can be Emergency (reserved), Alert, Critical, Error, Warning, Information, or Debug. The following table provides example logs for each log level.

Log Level	Description	Example Log Entry
Alert	Immediate action is required.	Suspicious URL visit domain.com from 192.12.1.12 to 42.156.162.21:80.
Critical	Functionality is affected.	System database is not ready. A program should have started to rebuild it and it shall be ready after a while.
Error	An erroneous condition exists and functionality is probably affected.	Errors that occur when deleting certificates.
Warning	Functionality might be affected.	Submitted file AVSInstallPack.exe is too large: 292046088.
Information	General information about system operations.	LDAP server information that was successfully updated.
Debug	Detailed information for debugging.	Launching job for file. jobid=2726271637747836543 filename=log md5=ebe5ae2bec3b653c2970e8cec9f5f1d9 sha1=06ea6108d02513f0d278ecc8d443df86dac2885b sha256=d678da5fb9ea3ee20af779a4ae13c402585 ebb070edcf20091cb20509000f74b

Raw logs

You can download and save raw logs to the management computer by clicking Download Log. Raw logs are saved as a text file with the extension .log.gz. You can search the system log for more details.

Sample raw logs file content

itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg=”SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22

Operation=Established SSH connection Description=10.95.5.83 Username=NA Password=NA” itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg=”SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22

Operation=SSH connection closed Description=83ssh Username=83ssh Password=83ssh” itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg=”SNMP TRAP sent out: Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22

Operation=Authentication Failure Description=83ssh Username=83ssh Password=83ssh” itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg=”SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445

Operation=Change to dir Description=/home/share/samba Username=83samba Password=83samba” itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg=”SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445

Operation=Access path Description=samba Username=83samba Password=83samba” itime=1535413204 date=2018-08-27 time=16:40:04 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success msg=”SNMP TRAP sent out: Service=SAMBA AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445

Operation=Disconnect net share Description=samba Username=83samba Password=83samba” itime=1535413201 date=2018-08-27 time=16:40:01 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg=”Service=SSH

AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22 Operation=SSH connection closed Description=83ssh Username=83ssh Password=83ssh”

itime=1535413201 date=2018-08-27 time=16:40:01 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg=”Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22

Operation=Authentication Failure Description=83ssh Username=83ssh Password=83ssh” itime=1535413198 date=2018-08-27 time=16:39:58 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg=”Service=SSH AttackerIp=10.95.5.83 AttackerPort=57190 VictimIp=10.95.5.21 VictimPort=22

Operation=Established SSH connection Description=10.95.5.83 Username=NA Password=NA” itime=1535413198 date=2018-08-27 time=16:39:58 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg=”Service=SAMBA

AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445

Operation=Disconnect net share Description=samba Username=83samba Password=83samba” itime=1535413197 date=2018-08-27 time=16:39:57 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg=”Service=SAMBA

AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Change to dir Description=/home/share/samba Username=83samba Password=83samba”

itime=1535413197 date=2018-08-27 time=16:39:57 logid=0106000001 type=event subtype=system pri=alert user=system ui=GUI action=update status=success msg=”Service=SAMBA

AttackerIp=10.95.5.83 AttackerPort=NA VictimIp=10.95.5.21 VictimPort=445 Operation=Access path Description=samba Username=83samba Password=83samba”

Log Categories

Log > All Events show all logs.

The following options are available:

Download Log		Download the raw log file to the management computer.
History Logs		Enable to include historical logs in Log Search.
Refresh		Refresh the log message list.
Filter		Click Filter to add search filters. You can select different categories to search the logs. Search is not case sensitive.

The following information is displayed:

#	Log number.
Date/Time	Date and time the log message was created.
Level	Level of the log message. For logging levels, see Logging Levels on page 46.
User	The user to which the log message relates. User can be a specific user or system.
Message	Detailed log message.

Log Servers

You can send FortiDeceptor logs to a remote syslog server or common event type (CEF) server. In Log > Log Servers, you can create new remote log servers, and edit and delete remote log servers. You can configure up to 30 remote log server entries.

The following options are available:

Create New	Create a log server entry.
Edit	Edit the selected log server entry.
Delete	Delete the selected log server entry.

This page displays the following information:

Name	Name of the server entry.
Server Type	Server type: syslog or CEF.
Server Address	Log server address.
Port	Log server port number.
Status	Log server status, Enabled or Disabled.

To create a server entry:

1. Go to Log > Log Servers.
2. Click Create New.
3. Configure the following settings:

Name	Name of the new server entry.
Type	Select Syslog Protocol or Common Event Format.
Log Server Address	Log server IP address or FQDN.
Port	Port number. The default port is 514.
Status	Enable or disable sending logs to the server.
Log Level	Select the logging levels to forward to the log server. For logging levels, see Logging Levels on page 46.

4. Click OK.

To edit or delete a log server

1. Go to Log > Log Servers.
2. Select an entry and click Edit or Delete.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

System Settings

Dashboard

The System Status dashboard displays widgets that provide information and enable you to configure basic system settings. All the widgets appear on a single dashboard. You can select which widgets to display and you can customize the widgets.

The following widgets are available.

System Information	Basic information about the FortiDeceptor system, such as the serial number, system up time, and license status information.
System Resources	Real-time usage status of the CPU and memory.
Top Critical Logs	The top logs that are classified as Critical.
Deception VM License	The list of VM license keys and their expiry dates.
Disk Monitor	The RAID level and status, disk usage, and disk management information.
Incidents & Events Distribution	Information about the number of incidents and events, and their level of severity.
Incidents & Events Count	Number of events occurring each day.
Decoy Distribution by OS	Number of decoys with a chart showing the OS such as Windows or Ubuntu.
Lure Distribution	Number of decoys deployed with the chart showing the type of service such as SSH, Samba, SMB, SCADA, or RDP.
Incidents Distribution by Service	Information about the number and types of incidents, such as SMB, HTTP, TCP, and so on.
Top 10 Attackers by Incidents	The top 10 attackers by the number of incidents.
Top 10 Attackers by Events	The top 10 attackers by the number of events.
Global Incidents Distribution	Displays the number of Attackers by country on a global map.
Top 10 IPS attacks	Displays the top 10 IPS attackers by the number of events.

Customizing the dashboard

You can customize the FortiDeceptor system dashboard. You can select which widgets to display and where they are located on the page.

• To add a widget, click Add Widget in the Dashboard’s floating toolbar at the bottom, and then select the widgets you want to add.
• To edit a widget, click the Edit icon in the in the widget’s title bar, change the settings, and click OK. l To move a widget, click and drag the widget’s title bar.
• To refresh a widget’s data, click Refresh in the widget’s title bar.
• To reset all widgets to their default settings, click Reset in the Dashboard’s floating toolbar at the bottom. l To hide a widget, click the Close icon in the widget’s title bar.

System Information

The System Information widget displays information about the FortiDeceptor unit and enables you to configure basic system settings.

This widget displays the following information and options.

Host Name	The name assigned to this FortiDeceptor unit. Click Change to edit the FortiDeceptor host name.
Serial Number	Serial number of this FortiDeceptor unit. The serial number is unique to the FortiDeceptor unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
System Time	The current time on the FortiDeceptor internal clock or NTP server. Click Change to configure the system time.
Firmware Version	Version and build number of the firmware installed on the FortiDeceptor unit. To update the firmware, you must download the latest version from the Fortinet Customer Service & Support portal. Click Update or UPDATE AVAILABLE and select the firmware image to load from the local hard disk or network volume.
Firmware License	To load a firmware license, click Upload License and select a license file.
System Configuration	Date and time of the last system configuration backup. Click Backup/Restore to go to the System Recovery page.
Current User	The administrator that is currently logged into the system.
Uptime	Duration that the FortiDeceptor unit has been running since it booted up.
Deception OS	Deception OS license activation and initialization status. Displays an up icon if the Deception OS is activated and initialized. Displays a Caution icon if the Deception OS is initializing or having issues. Hover the mouse pointer on the status icon to view detailed information. For more information, see Log > All Events. To go to Deception > Deception OS to see the images available on FortiDeceptor, click Update or UPDATE AVAILABLE. After purchase, download the license file from the Fortinet Customer Service & Support portal. Then click Upload License to select the license file. The system reboots and activates the newly-installed Deception OS.
FDN Download Server	Shows if the FDN download server is accessible. When the FDN download server is inaccessible, no update packages are downloaded.
Web Filtering Server	Shows if the web filtering query server is accessible.
Antivirus DB Contract	Brief information about this contract.
Antivirus Engine Contract		Brief information about this contract.
IDS Engine/DB Contract		Brief information about this contract.
Web Filtering Contract		Brief information about this contract.
ARAE Engine Contract		Brief information about this contract.
Custom VM Contract		Brief information about this contract.

System Resources

This widget displays the following information and options.

CPU Usage	Gauges the CPU percentage usage.
Memory Usage	Gauges the Memory percentage usage.
Reboot/Shutdown	Options to shut down or reboot the FortiDeceptor device.

Decoy Distribution by OS

This widget displays the following information in a pie chart.

Ubuntu	Number and percentage of Ubuntu Decoy VMs.
Windows	Number and percentage of Windows Decoy VMs.
SCADA	Number and percentage of SCADA Decoy VMs.

Hover over the pie chart to see the percentage. Click the pie chart to split out a Decoy from the pie chart.

Lure Distribution

This widget displays the number of lures deployed with the following information in a pie chart.

SSH	Number and percentage of decoy images using SSH service.
SAMBA	Number and percentage of decoy images using SAMBA service.
SMB	Number and percentage of decoy images using SMB service.
RDP	Number and percentage of decoy images using RDP service.
HTTP	Number and percentage of decoy images using HTTP service.
FTP	Number and percentage of decoy images using FTP service.
TFTP	Number and percentage of decoy images using TFTP service.
SNMP	Number and percentage of decoy images using SNMP service.
MODBUS	Number and percentage of decoy images using MODBUS service.
S7COMM		Number and percentage of decoy images using S7COMM service.
BACNET		Number and percentage of decoy images using BACNET service.
IPMI		Number and percentage of decoy images using IPMI service.
TRICONEX		Number and percentage of decoy images using TRICONEX service.
Guardian-AST		Number and percentage of decoy images using Guardian-AST service.
IEC104		Number and percentage of decoy images using IEC104 service.

Hover over the pie chart to see the percentage. Click the pie chart to split out a service from the pie chart.

Top Critical Logs

This widget displays recent critical logs including the time and a brief description of the event.

Click the edit icon to change the refresh interval and top count.

Disk Monitor

This widget is only available in hardware-based models. This widget displays the RAID level and status, disk usage, and disk management information.

This widget displays the following information.

Summary	Disk summary information including RAID level and status.
RAID Level	The RAID level.
Disk Status	The disk status.
Disk Usage	The current level of disk usage.
Disk Number	The disk number.
Disk Size	The disk size.

Basic System Settings

Change the GUI idle timeout

By default, the GUI disconnects administrative sessions if there is no activity for five minutes.

To change the idle timeout length:

1. Go to System > Settings.
2. Change the Idle timeout minutes (1 to 480 minutes).
3. Click OK.

The setting takes affect after you log out and log back in.

Microsoft Windows VM license activation

When Fortinet ships FortiDeceptor, the default Windows guest VM image is activated. The Windows VM license is in an unactivated state and need re-activation.

Log out of the unit

To log out of the unit:

1. In the FortiDeceptor banner at the top-right, click the user name and select Logout.

If you only close the browser or browse to another web site, you remain logged in until the idle timeout period elapses.

Update FortiDeceptor firmware

A best practice is to stay current on patch releases for your current major release. Only update to a new major release or version when you are looking for specific functionality in the new major release or version. For more information, see the FortiDeceptorRelease Notes or contact Technical Support.

Before any firmware update, complete the following:

• Download the FortiDeceptor firmware image and Release Notes document from the Fortinet Customer Service & Support Review the Release Notes, including the special notices, upgrade information, product integration and support, and resolved and known issues.
• Back up your configuration file. It is highly recommended that you create a system backup file and save it to your management computer. You can also schedule the system to back up system configurations to a remote server.
• Plan a maintenance window for the firmware update. If possible, consider setting up a test environment to check that the update does not negatively impact your network.

To update the FortiDeceptor firmware:

1. Go to Dashboard > System Information > Firmware Version.
2. In the System Information widget beside Firmware Version, click Update or UPDATE AVAILABLE.
3. Click Choose File and locate the firmware image on your management computer; then click Submit to start the upgrade.

Alternatively, in the AVAILABLE FIRMWARE pane Install column, click the download icon beside the firmware release you want. The system upgrades and restarts automatically.

When the update is complete, test your FortiDeceptor device to ensure that the update was successful.

Reboot or shut down the unit

To avoid potential configuration or hardware problems, always use the GUI or CLI to reboot or shut down FortiDeceptor.

To reboot the FortiDeceptor unit:

1. Go to Dashboard > System Resources.
2. Click Reboot.
3. Enter a reason for the reboot in the Reason
4. Click OK.

After reboot, the FortiDeceptor VM initialization might about 30 minutes. The Decoy VM icon in the System Information widget shows a warning sign until the process completes.

When FortiDeceptor boots or reboots, the following critical event log message is normal:

The VM system is not running and might need more time to startup. Please check system logs formore details. If needed, please reboot system.

After upgrading FortiDeceptor to a new firmware version, the system might clean up data and a Database is not ready message displays. The clean up time depends on the size of historical data.

To shut down the FortiDeceptor unit:

1. Go to Dashboard > System Resources.
2. Click Shutdown.
3. Enter a reason for the shutdown in the Reason
4. Click OK.

Back up or restore the system configuration

We recommend that yous regular maintenance includes system backups. Always backup before upgrading firmware or making major system configuration changes. Save configuration backups to a management computer in case you need to restore the system after a network event.

To back up the FortiDeceptor configuration to your local management computer:

1. Go to Dashboard > System Information > System Configuration.
2. Click Backup/Restore.
3. Click Click here to save your backup file.

To restore the FortiDeceptor configuration:

1. Go to Dashboard >System Information > System Configuration.
2. Click Backup/Restore.
3. Click Choose File and locate the backup file on your management computer.
4. Click Restore to load the backup file.
5. Click OK.

When the system configuration restore process completes, the login page appears.

When you do a system restore, all configurations are replaced with the backup data. The system reboots automatically to complete the restore. Only the backup configuration file from the previous or the same release is supported.

Network

The Network page provides interface, DNS, and routing management options.

Interfaces

To view and manage interfaces, go to Network > Interfaces.

This page displays the following information and options:

Interface	The interface name and description. Failover IP is listed under this field with the descriptor: (clusterexternal port).
port1 (administration port)	Port1 is hard-coded as the administration interface. You can enable or disable HTTP, SSH, and Telnet access rights on port1. HTTPS is enabled by default. You can use port1 for Device mode although a different, dedicated port is recommended.
port2	Decoy VM deployment.
port3	Decoy VM deployment.
port4	Decoy VM deployment.
port5/port6	Decoy VM deployment.
port7/port8	Decoy VM deployment.
IPv4	The IPv4 IP address and subnet mask of the interface.
IPv6	The IPv6 IP address and subnet mask of the interface.
Interface Status	The state of the interface: l     Interface up l Interface down l     Interface is being used by sniffer
Link Status	The link status: l Link up l Link down
Access Rights	The access rights associated with the interface. HTTPS is enabled by default on port1. You can enable HTTP, SSH, and Telnet access on port1.
Edit	Select the interface and click Edit in the toolbar to edit the interface.

To edit an interface:

1. Select the IPv4 or IPv6 address of an interface name and click Edit in the toolbar.
2. Edit the IP Address / Netmask.
3. If you want, you can change the Interface Status.
4. Click OK.

To edit administrative access:

1. Select port1 (administration port) and click Edit in the toolbar.
2. Edit the Access Rights.

HTTPS is enabled by default. You can also enable HTTP, SSH, and Telnet support.

3. If necessary, edit the IP Address / Netmask.
4. Click OK.

DNS Configuration

You can configure the primary and secondary DNS server addresses in Network > System DNS.

System Routing

Use the Network > System Routing page to manage static routes of your FortiDeceptor device.

The following options are available:

Create New	Create a new static route.
Edit	Edit the selected static route.
Delete	Delete the selected static route.

The following information is displayed:

IP/Mask		IP address and subnet mask.
Gateway		Gateway IP address.
Device		The interface associated with the static route.

To create a new static route:

1. Click Create New.
2. Enter the Destination IP address, Mask, and Gateway.
3. Select a Device (or interface).
4. Click OK.

To edit a static route:

1. Select a Static Route
2. Click Edit.
3. Edit the destination IP address and mask, gateway, and device (or interface) as required.
4. Click OK to apply the edits to the static route.

To delete a static route or routes:

1. Select one or more Static Routes.
2. Click Delete.
3. Confirm the deletion.

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

System

Use the System pages to manage and configure the basic system options for FortiDeceptor. This includes administrator configuration, mail server settings, and maintenance information.

The System menu provides access to the following:

Administrators	Configure administrator user accounts.
Admin Profile	Configure user profiles to define user privileges.
Certificates	Configure CA certificates.
LDAP Servers	Configure LDAP servers.
RADIUS Servers	Configure RADIUS servers.
Mail Server	Configure the mail server.
SNMP	Configure SNMP.
FortiGuard	Configure FortiGuard settings and upgradeable packages.
Settings	Configure the idle timeout or reset all widgets to their default state.
Login Disclaimer	Configure the Login Disclaimer.
Table Customization	Define columns and order of Incident and Event tables.

Administrators

Use the System > Administrators page to configure administrator user accounts.

If the user whose Admin Profile does not have Read Write privilege under System > Admin Profiles, the user can only view and edit their own information.

The following options are available:

Create New	Create a new administrator account.
Edit	Edit the selected entry.
Delete	Delete the selected entry.
Test Login	Test the selected user’s login settings. If an error occurs, a debug message appears.

The following information is displayed:

Name		The administrator account name.
Type		The administrator type: l Local

 

	l LDAP l RADIUS
Profile	The Admin Profile the user belongs to.

To create a new user:

1. Log in using an account with Read/Write access and go to System > Administrators.
2. Click Create New.
3. Configure the following:

Administrator	Name of the administrator account. The name must be 1 to 30 characters using upper-case letters, lower-case letters, numbers, or the underscore character (_).
Password, Confirm Password	Password of the account. The password must be 6 to 64 characters using upper-case letters, lower-case letters, numbers, or special characters. This field is available when Type is set to Local.
Type	Select Local, LDAP, or RADIUS.
LDAP Server	When Type is LDAP, select an LDAP Server. For more information, see LDAP Servers on page 29.
RADIUS Server	When Type is RADIUS, select a RADIUS Server. For more information, see RADIUS Servers.
Admin Profile	Select the Admin Profile.
Trusted Host 1, Trusted Host 2, Trusted Host 3	Enter up to three IPv4 trusted hosts. Only users from trusted hosts can access FortiDeceptor.
Trusted IPv6 Host 1, Trusted IPv6 Host 2, Trusted IPv6 Host 3	Enter up to three IPv6 trusted hosts. Only users from trusted hosts can access FortiDeceptor.
Comments	Enter an optional comment.

Setting trusted hosts for administrators limits what computers an administrator can use to log into FortiDeceptor. When you identify a trusted host, FortiDeceptor only accepts the administrator’s login from the configured IP address or subnet. Attempts to log in with the same credentials from another IP address or subnet are dropped.

4. Click OK.

To edit a user account:

1. Log in using an account with Read/Write access and go to System > Administrators.
2. Select and account and click Edit.

Only the admin user can edit its own settings.

You must enter the old password before you can set a new password.

3. Edit the account and click OK.

To delete one or more user accounts:

1. Log in using an account with Read/Write access and go to System > Administrators.
2. Select the user account you want to delete.
3. Click Delete and confirm that you want to delete the user.

To test LDAP or RADIUS logins:

1. Log in using an account with Read/Write access and go to System > Administrators.
2. Select an LDAP or RADIUS user to test.
3. Click Test Login.
4. Enter the user password.
5. Click OK.

If an error occurs, a debug message appears.

Admin Profiles

Use administrator profiles to control administrator access privileges to system features. When you create an administrator account, you assign a profile to the account.

You cannot modify or delete the following predefined administrator profiles:

l SuperAdmin has access to all functionality. l Read only has read-only access.

Only users with the Super Admin profile can create, edit, and delete administrator profiles. Users can create, edit, and delete administrator profiles if they have Read Write privilege in their profile.

The Menu Access section has the following settings:

None	User cannot view or make changes to that page.
Read Only	User can view but not make any change to that page, except session-related user settings such as Table Customization, Dashboard, or Attack Map filter.
Read Write	User can view and make changes to that page.

The CLI Commands section has the following settings:

None	User cannot execute CLI commands.
Execute	User can execute CLI commands.

To create an Administrator Profile:

1. Go to System > Admin Profiles.
2. Click Create New.
3. Specify the Profile Name.
4. If you wish, add a Comment.
5. Specify the privileges for Menu Access:
   • Dashboard l Dashboard
   • Deception
   • Customization l Deception OS l Deployment Network l Deployment Wizard l Decoy & Lure Status l Decoy Map
   • Whitelist
   • Incident l Analysis l Campaign l Attack Map
   • Fabric
   • FortiGate Integration l Quarantine Status l IOC Export
   • Network
   • Interfaces
   • System DNS l System Routing
   • System
   • Administrators l Admin Profiles l Certificates l LDAP Servers l RADIUS Servers l Mail Server
   • SNMP
   • FortiGuard l Settings l Login Disclaimer l System Settings l Table Customization
   • Log
   • All Events l Log Servers
6. Specify the privileges for CLI Commands:
   • Configuration l Set l Unset
   • System l Reboot l Shutdown l Reset Configuration l Factory Reset l Firmware Upgrade l Reset Widgets l IP Tables l test-network l usg-license
   • Upload VM Firmware License l Resize VM Hard Disk l Set Confirm ID for Windows VM l List VM License l Show VM Status l VM reset l DC Image Status l Set Maintainer l Set Timeout for Remote Auth l Data Purge l Log Purge l DMZ Mode
   • fdn-pkg l Utilities
   • TCP Dump
   • Trace Route
7. Click Save.

Certificates

Use this page to import, view, and delete certificates. Certificates are used for secure connection to an LDAP server, system HTTPS, and SSH services. FortiDeceptor has one default certificate firmware.

FortiDeceptor does not support generating certificates. FortiDeceptor supports importing certificates for SSH and HTTPS access using .crt, PKCS12, or .pem format.

The following options are available:

Import		Import a certificate.
Service		Configure specific certificates for HTTP and SSH servers.
View		View the selected CA certificate details.
Delete		Delete the selected certificate.

The following information is displayed:

Name	Name of the certificate.
Subject	Subject of the certificate.
Status	The certificate status, active or expired.
Service	HTTPS or SSH service that is using this certificate.

To import a certificate:

1. Go to System > Certificates.
2. Click Import.
3. Enter the Certificate Name.
4. If you want to import a password protected PKCS12 certificate, select PKCS12 Format.
5. Click Choose File and locate the certificate and key files on your management computer.
6. Click OK to import the certificate.

To view a certificate:

1. Go to System > Certificates.
2. Select a certificate and click View.

The following information is available:

Certificate Name	Name of the certificate.
Status	Certificate status.
Serial number	Certificate serial number.
Issuer	Issuer of the certificate.
Subject	Subject of the certificate.
Effective date	Date and time that the certificate became effective.
Expiration date	Date and time that the certificate expires.

To delete a CA certificate:

1. Go to System > Certificates.
2. Select the certificate you want to delete.
3. Click Delete and confirm you want to delete the certificate.

LDAP Servers

FortiDeceptor supports remote authentication of administrators using LDAP servers. To use this feature, configure the server entries in FortiDeceptor for each authentication server in your network.

If you have configured LDAP support and require users to authenticate using an LDAP server, FortiDeceptor contacts the LDAP server for authentication. To authenticate with FortiDeceptor, the user enters a user name and password. FortiDeceptor sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, FortiDeceptor authenticates the user. If the LDAP server cannot authenticate the user, FortiDeceptor refuses the connection.

The following options are available:

Create New	Add an LDAP server.
Edit	Edit the selected LDAP server.
Delete	Delete the selected LDAP server.

The following information is displayed:

Name	LDAP server name.
Address	LDAP server address.
Common Name	LDAP common name.
Distinguished Name	LDAP distinguished name.
Bind Type	LDAP bind type.
Connection Type	LDAP connection type.

To create a new LDAP server:

1. Go to System > LDAP Servers.
2. Click Create New.
3. Configure the following settings:

Name	A unique name to identify the LDAP server.
Server Name/IP	IP address or FQDN of the LDAP server.
Port	The port for LDAP traffic. The default port is 389.
Common Name	Common name identifier of the LDAP server. Most LDAP servers use cn. Some servers use other common name identifiers such as uid.
Distinguished Name	Distinguished name used to look up entries on LDAP servers. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.
Bind Type	The type of binding for LDAP authentication: l Simple l Anonymous l Regular
Username	When the Bind Type is set to Regular, enter the user name.
Password	When the Bind Type is set to Regular, enter the password.
Enable Secure Connection	Use a secure LDAP server connection for authentication.
Protocol	When Enable Secure Connection is selected, select LDAPS or STARTTLS.
CA Certificate	When Enable Secure Connection is selected, select a CA Certificate.

4. Click OK.

RADIUS Servers

FortiDeceptor supports remote authentication of administrators using RADIUS servers. To use this feature, configure the server entries in FortiDeceptor for each authentication server in your network.

If you have configured RADIUS support and require users to authenticate using a RADIUS server, FortiDeceptor contacts the RADIUS server for authentication. To authenticate with FortiDeceptor, the user enters a user name and password. FortiDeceptor sends this user name and password to the RADIUS server. If the RADIUS server can authenticate the user, FortiDeceptor authenticates the user. If the RADIUS server cannot authenticate the user, FortiDeceptor refuses the connection.

The following options are available:

Create New		Add a RADIUS server.
Edit		Edit the selected RADIUS server.
Delete		Delete the selected RADIUS server.

The following information is displayed:

Name	RADIUS server name.
Primary Address	Primary server IP address.
Secondary Address	Secondary server IP address.
Port	Port used for RADIUS traffic. The default port is 1812.
Auth Type	The authentication type the RADIUS server requires. Select Any, PAP, CHAP, or MSv2. Any means FortiDeceptor tries all authentication types.

To add a RADIUS server:

1. Go to System > RADIUS Servers.
2. Click Create New.
3. Configure the following settings:

Name	A unique name to identify the RADIUS server.
Primary Server Name/IP	IP address or FQDN of the primary RADIUS server.
Secondary Server Name/IP	IP address or FQDN of the secondary RADIUS server.
Port	Port for RADIUS traffic. The default port is 1812.
Auth Type	Authentication type the RADIUS server requires. Select Any, PAP, CHAP, or MSv2. Any means FortiDeceptor tries all authentication types.
Primary Secret	Primary RADIUS server secret.
Secondary Secret	Secondary RADIUS server secret.
NAS IP	NAS IP address.

4. Click OK.

Mail Server

Use the System > Mail Server page to adjust mail server settings.

You can configure the following options:

Send Incidents Alerts	When enabled, FortiDeceptor sends an email alert to the ReceiverEmail List when it detects an incident.
SMTP Server Address	SMTP server address.
Port		SMTP server port number.
E-Mail Account		The mail server email account. This is the “from” address.
Login Account		The mail server login account.
Password, Confirm Password		Enter and confirm the password.
Receiver Email List		Enter one or more receiver email addresses.
Send Test Email		Send a test email to the global email list. If an error occurs, the error message appears at the top of the page and is recorded in the System Logs.

SNMP

SNMP is a method to monitor your FortiDeceptor system on your local computer. You need an SNMP agent on your computer to read the SNMP information. Using SNMP, your FortiDeceptor system monitors for system events including CPU usage, memory usage, log disk space, interface changes, and malware detection. Go to System > SNMP to configure your FortiDeceptor system’s SNMP settings.

SNMP has two parts: the SNMP agent or the device that is sending traps, and the SNMP manager that monitors those traps. The SNMP communities on the monitored FortiDeceptor are hard coded and configured in the SNMP menu.

The FortiDeceptor SNMP implementation is read-only — SNMP v1, v2c, v3 compliant SNMP manager applications, such as those on your local computer, have read-only access to FortiDeceptor system information and can receive FortiDeceptor system traps.

You can also download FortiDeceptor and Fortinet core MIB files.

Configure the SNMP agent

The SNMP agent sends SNMP traps that originate on FortiDeceptor to an external monitoring SNMP manager defined in one of the FortiDeceptor SNMP communities. Typically, an SNMP manager is an application on a local computer that can read the SNMP traps and then generate reports or graphs.

The SNMP manager can monitor FortiDeceptor to determine if it is operating properly or if critical events are occurring. The description, location, and contact information for this FortiDeceptor system is part of the information an SNMP manager collects. This information is useful if the SNMP manager is monitoring many devices, and it enables a faster response when FortiDeceptor requires attention.

To configure SNMP agents:

1. Go to System > SNMP.
2. Configure the following settings:

SNMP Agent		When enabled, the FortiDeceptor SNMP agent sends FortiDeceptor SNMP traps.
Description		Description of this FortiDeceptor to identify this unit.
Location			Location of this FortiDeceptor if it requires attention.
Contact			Contact information of the person in charge of this FortiDeceptor.
SNMP v1/v2c			Create, edit, or delete SNMP v1 and v2c communities. You can enable or disable communities in the edit page. Columns include: Community Name, Queries, Traps, Enable.
SNMP v3			Create, edit, or delete SNMP v3 entries. You can enable or disable queries in the edit page. Columns include: Username, Security Level, Notification Host, and Queries.

To create an SNMP v1/v2c community:

1. Go to System > SNMP.
2. In the SNMP v1/v2c section, click Create New.
3. Configure the following settings:

Enable	Enable the SNMP community.
Community Name	The name that identifies the SNMP community.
Hosts	The list of hosts that can use the settings in this SNMP community to monitor FortiDeceptor.
IP/Netmask	IP address and netmask of the SNMP hosts. Click Add to add additional hosts.
Queries v1, Queries v2c	Port number and if it is enabled. Enable queries for each SNMP version that FortiDeceptor uses.
Traps v1, Traps v2c	Local port number, remote port number, and if it is enabled. Enable traps for each SNMP version that FortiDeceptor uses.
SNMP Events	Events that cause FortiDeceptor to send SNMP traps to the community: l CPU usage is high l Memory is low l Log disk space is low l Incident is detected

4. Click OK.

To create an SNMP v3 user:

1. Go to System > SNMP.
2. In the SNMP v3 section, click Create New.
3. Configure the following settings:

Username	Name of the SNMPv3 user.
Security Level	Security level of the user: l None l Authentication only l Encryption and authentication
Authentication	Authentication is required when Security Level is either Authentication only or Encryption and authentication.
Method	Authentication method: l MD5 (Message Digest 5 algorithm) l SHA1 (Secure Hash algorithm)
Password	Authentication password of at least eight characters.
Encryption	Encryption is required if Security Level is Encryption and authentication.
Method	Encryption method: l DES l AES
Key	Encryption key of at least eight characters.
Notification Hosts (Traps)
IP/Netmask	IP address and netmask. Click Add to add more hosts.
Query
Port	Port number and if it is enabled.
SNMP V3 Events	SNMP events associated with that user: l CPU usage is high l Memory is low l Log disk space is low l Incident is detected

4. Click OK.

To download MIB files:

1. At the bottom of the SNMP page, select the MIB file you want to download to your management computer.

FortiGuard

1. Go to System > FortiGuard.
2. The following options and information are available:

Module Name The FortiGuard module name, including: AntiVirus Scanner, AntiVirus Extended Signature, AntiVirus Active Signature, AntiVirus Extreme Signature, IDS Engine, IDS Signature, Anti-Reconnaissance & Anti-Exploit Engine. All modules automatically install update packages when they are available on the FDN.

Current Version                   The current version of the module.

Release Time                      The time that module was released.

Last Update Time                The time that module was last updated.

Last Check Status               The status of the last update attempt.

Upload Package File            Select Browse to locate a package file on the management computer, then select Submit to upload the package file to the FortiDeceptor. When the unit has no access to the Fortinet FDN servers, the user can go to the Customer Service and Support site to download package files manually.

FortiGuard Server               Select FDN servers for package update and Web Filtering query. By default, the Location                              selection is Nearest, which means the closest FDN server according to the unit’s time zone is used. When US Region is selected, only servers inside Unite States are used.

FortiGuard Server Settings

Use override FDN         Select to enable an override FDN server, or FortiManager, to download module server to           update, then enter the server IP address or FQDN in the text box. When an download module        overridden FDN server is used, FortiGuard Server Location will be disabled. updates            Click Connect FDN Now button to schedule an immediate update check.

Connect FDN    Click the Connect FDN Now button to connect the override FDN server/Proxy. Now

FortiGuard Web Filter Settings

Use override     Select to enable an override server address for web filtering query, then enter the server address server IP address (IP address or IP address:port) or FQDN in the text box. for web filtering By default, the closest web filtering server according to the unit’s time zone is query  used. If port is not provided, target UDP port 53 will be used.

3. Click Apply to apply your changes.

Settings

Go to System > Settings to configure the idle timeout for the administrator account.

To configure idle timeout:

1. Go to System > Settings.
2. Enter a value between 1 and 480 minutes.
3. Click OK.

To reset all widgets:

You can reset all the widgets in the Dashboard by clicking the Reset button.

Login Disclaimer

Go to System > Login Disclaimer to customize the warning message, and to enable or disable the login disclaimer.

If enabled, the disclaimer appears when a user tries to log into the unit.

Table Customization

To customize the columns available for Incidents or Events:

1. Go to System > Table Customization.
2. In the Incident Columns pane, drag and drop the columns from the Available Column Headers to the Customized Column Headers and Orders.
3. In the Event Columns pane, drag and drop the columns from the Available Column Headers to the Customized Column Headers and Orders.
4. In the Table Settings pane, specify the Page Size and select the View Type.
5. Click Save.

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Fabric

Use the Fabric pages to manage and configure FortiGate information for integration with FortiDeceptor. This includes blocking settings and Security Fabric status information. Blocking from FortiGate is an API call from FortiDeceptor which allows instant quarantine from FortiGate once an incident is detected. The quarantined IP is under user quarantine in the FortiGate GUI.

Fabric provides access to the following pages:

FortiGate Integration	Configure the FortiGate settings for FortiDeceptor integration.
Quarantine Status	Status of blocked IP addresses.
IOC Export	Export the IOC file in CSV format for a specified time period.

FortiGate Integration

Use Fabric > FortiGate Integration to configure FortiGate settings for integration with FortiDeceptor. FortiDeceptor uses FortiGate REST APIs to make quarantine calls when decoys are accessed. Attackers are immediately quarantined on the FortiGate for further analysis.

The following options are available:

Severity level	Select the security level. The selected level and all levels above it are blocked. For example, if you select Medium, then medium, high, and critical levels are blocked. If you select Critical, then only the critical level is blocked.
Add new block configuration	Create a new FortiGate integration setting.
Update	Save the modified FortiGate integration setting to a configuration file.
Cancel	Discard current changes.
Edit	Edit the record.
Delete	Delete the record.
Test	Manually send quarantine request to the corresponding FortiGate.

The following information is displayed:

Name	Alias of the integrated FortiGate.
IP	IP address of the integrated FortiGate.
User	Username of the integrated FortiGate.
Password	Password of that username.

Fabric

Port	Port number of the integrated FortiGate REST API service. Default is 443.
Default Expiry	Default blocking time in second. Default is 3600 seconds.
Default VDOM	The default access VDOM of the integrated FortiGate.
Type	FortiGate (read-only value).
Enabled	Enable or disable the integration setting.

Quarantine Status

The Fabric > Quarantine Status page displays the status of blocked and quarantined IP addresses. It also lets you manually block or unblock devices. The following options are available:

Refresh	Refresh the page to get the latest data.
Block	Manually send a blocking request for the selected attacker IP addresses.
Unblock	Manually send an unblocking request for the selected attack IP addresses.

The following information is displayed:

Attacker IP	IP addresses of blocked attacker.
Start	Start time of blocking behavior.
End	End time of blocking behavior.
Handler Address	IP address of the integrated FortiGate.
Handler	The integrated device type.
Handle Type	Blocking type, manual, or automatic quarantine.
VDOM	VDOM of the integrated FortiGate.
Blocker Name	Alias of the FortiGate which blocks the AttackerIP address. This is the Name field in Fabric > FortiGate Integration.
Time Remaining	The remaining blocking time.
Status	Current status of the attacker.
Message	Related message for the blocking entry.

IOC Export

Use the Fabric > IOC Export page to export the IOC file in CSV format for a specified time period. The CSV file can be processed by third party Threat Intelligence Platforms. The file contains the TimeStamp, Incident time, Attacker IP, related files, and WCF (Web Content Filtering) events. You can include MD5 checksums, WCF category, and reconnaissance alerts.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Monitor Attacks

Administrators can monitor attacks in two ways:

To monitor attacks using Incident pages:

• Incident > Analysis lists incidents and related events detected by FortiDeceptor. l Incident > Campaign lists attacks and related events detected by FortiDeceptor. l Incident > Attack Map shows attacks and related events detected by FortiDeceptor.

To monitor attacks using Dashboard widgets:

• Use the Dashboard Incidents & Events Distribution See Incidents and Events Distribution on page 18. l Use the Dashboard Incidents & Events Count widget.

Analysis

Incident > Analysis lists the Incidents detected by FortiDeceptor.

To use the Analysis page:

1. Go to Incident > Analysis.
2. The Analysis page displays the list of events:

Severity		Severity of the event.
Last Activity		Date and time of the last activity.
Type		Type of event.
Attacker IP		Attacker IP mask.
Attacker User		Attacker username.
Victim IP		IP address of the victim.
Victim Port		Port of the victim.
Lure		Name of the lure service.
Decoy ID		Unique ID of the Decoy VM.
ID		ID of the incident.
Attacker Port		Port where the attack originated.
Tag Key		Unique key string for the incident.
Attacker Password		Password used by the attacker.
Start			Date and time when the attack started.

3. To refresh the data, click Refresh.
4. To download the detailed analysis report in PDF format, click Export to PDF.
5. To mark items as read, expand the incident details or click Mark all as read.

Newly-detected incidents are in bold to indicate they are unread.

6. To display specific types of events, click Show All, IPS Events Only, or Web FilterEvents Only.
7. To specify columns and table settings, use the Settings icon at the bottom right.

Campaign

Incident > Campaign lists the Attacks detected by FortiDeceptor. An Attack consists of multiple Incidents.

To use the Campaign page:

1. Go to Incident > Campaign.
2. The Campaign page displays the list of attacks:

Severity		Severity of the event.
Start		Date and time when the attack started.
Last Activity		Date and time of the last activity.
Attacker IP		IP mask of the attacker.
ID		ID of the campaign record.
Timeline		Click Timeline to see the timeline of the Attack from start to finish.
Table		Click Table to see all the Events in table view.

3. To refresh the data, click Refresh.
4. To export the data, click Export to PDF.
5. To specify columns and table settings, use the Settings icon at the bottom right.

Attack Map

Incident > Attack Map is a visual representation of the entire network showing real endpoints, Decoy VMs, and ongoing attacks.

To work with the Attack Map:

1. Go to Incident > Attack Map. l To change the display, drag items to another location. l Scroll to zoom in or out. l Click a node to see its information.
2. At the bottom of the Attack Map, use the timeline indicator to set the start and end time.
3. Click Click to begin filtering to select a different filter type and type values. Filter types include AttackerIP, Victim IP, and Decoy IP.

You can use multiple arguments with different filter types. All filter arguments and time indicator arguments are considered “AND” conditions.

4. To locate the node on the map, use the LOCATE BY IP
5. To save a snapshot of the map, click Save view .

Incidents and Events Distribution

This dashboard widget displays the number of incidents and events with the following risk level information and options.

Unknown	Incident or Event where the risk level is unknown. Entries are in grey.
Low Risk	Incident or Event where the risk level is low. Entries are in green.
Medium Risk	Incident or Event where the risk level is medium. Entries are in yellow.
High Risk	Incident or Event where the risk level is high. Entries are in orange.
Critical	Incident or Event where the risk level is critical. Entries are in red.

Hover over the pie chart to see the number of Incidents or Events and their percentage.

To customize this widget:

1. Click the edit icon to make the following changes:

l Enter a Customized Widget Title. l Change the Refresh Interval. l Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.

Incidents and Events Count

This dashboard widget displays the number of Incidents and Events.

Event	Click Event to show or hide the number of events in the time period. Events are in blue.
Incidents	Click Incident to show or hide the number of incidents in the time period. Incidents are in orange.
Time/Date	The time or date the Incident or Event occurred.

To customize this widget:

1. Click the edit icon to make the following changes:

l Enter a Customized Widget Title. l Change the Refresh Interval. l Select a Time Period: Last 24 Hours, Last 7 Days, or Last 4 Weeks.

Top 10 Attackers by Events

This dashboard widget displays the top ten attackers by the number of events.

IP Address	IP address of the attacker.
Number of Events	Hover over an IP address to see the total number of Events.

Top 10 Attackers by Incidents

This dashboard widget displays the top ten attackers by the number of incidents.

IP Address	IP address of the attacker.
Number of Incidents	Hover over an IP address to see the total number of Incidents.

Top 10 IPS Attacks

This widget displays the top 10 IPS attacks by the number of attack events.

IPS attack name	IP address of the attacker.
Number of attack events	Hover over an IPS attack name to see the total number of attack events.

Incidents Distribution by Service

This dashboard widget displays the number of Incidents by service with the following information and options.

SSH	Number of incidents occurring on SSH service with the percentage on a pie chart.
SAMBA	Number of incidents occurring on SAMBA service with the percentage on a pie chart.
SMB	Number of incidents occurring on SMB service with the percentage on a pie chart.
RDP		Number of incidents occurring on RDP service with the percentage on a pie chart.
HTTP		Number of incidents occurring on HTTP service with the percentage on a pie chart.
FTP		Number of incidents occurring on FTP service with the percentage on a pie chart.
TFTP		Number of incidents occurring on TFTP service with the percentage on a pie chart.
SNMP		Number of incidents occurring on SNMP service with the percentage on a pie chart.
MODBUS		Number of incidents occurring on MODBUS service with the percentage on a pie chart.
S7COMM		Number of incidents occurring on S7COMM service with the percentage on a pie chart.
BACNET		Number of incidents occurring on BACNET service with the percentage on a pie chart.
IPMI		Number of incidents occurring on IPMI service with the percentage on a pie chart.
TRICONEX		Number of incidents occurring on TRICONEX service with the percentage on a pie chart.
GUARDIAN-AST		Number of incidents occurring on GUARDIAN-AST service with the percentage on a pie chart.
IEC104		Number of incidents occurring on IEC104 service with the percentage on a pie chart.

Global Attacker Distribution

This widget displays the number of Attackers by country on a global map.

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Deploy Decoy VM

Use the Deception pages allows you to deploy Decoy VMs on your network. When a hacker gains unauthorized access to Decoy VMs, their movements can be monitored to understand how they attack the network.

Apart from the default decoy Windows, Linux, or SCADA OS images, FortiDeceptor supports custom OS images with a purchased subscription service. You can upload your custom ISO images and install the FortiDeceptor Toolkit on the image. For instructions, click the Help icon in the toolbar and select Customization.

To use FortiDeceptor to monitor the network:

• Go to Deception > Deception OS to check the Deception OS available. See View available Deception OS on page

9. 9. l Go to Deception > Deployment Network to auto-detect or specify the network where the Decoy VMs are deployed.

• Go to Deception > Deployment Wizard to deploy the Decoy VM on the network.
• Go to Deception > Decoy & Lure Status to start or stop deployed Decoy VMs, or download the FortiDeceptor Token Package to manually install on computers. l Go to Deception > Decoy Map to see the network of Decoy VMs.
• Go to Deception > Whitelist to specify the network that is to be considered safe. This is useful if the administrator wants to log into the deployment network and not be flagged as an attacker.

View available Deception OS

The Deception > Deception OS page lists the deception OSes available for creating Decoy VMs.

Column		Description
Delete		Delete a custom OS that you have applied.
Status		Status of the Deception OS.
Name		Name of the Deception OS.
OS Type		Operating System type.
VM Type		VM type of the Deception OS endpoint.
Lures		Lures used by the Decoy VM such as SSH, SAMBA, SMB, RDP, HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GuardianAST, or IEC104.

Set up the Deployment Network

Use the Deception > Deployment Network page to set up a monitoring interface into a VLAN or a subnet.

To add a VLAN or subnet to FortiDeceptor:

1. Go to Deception > Deployment Network.
2. Enable Auto VLAN Detection to automatically detect the VLANs on your network.

Auto VLAN detection allows FortiDeceptor to detect the available VLANs on the deployment network interface and display them in the GUI. You can select and add the VLANs for the deployment of Decoys later.

3. Select the Detection Interface and click OK.

You can select multiple ports.

4. Click Add New VLAN/Subnet to manually add a VLAN or a subnet. Configure the following settings:

Interface	The port that connects to the VLAN or subnet.
VLAN ID	The VLAN’s unique integer ID.
Deploy Network IP/Mask	The IP address to monitor. This is useful to mask the actual IP address.
Ref	The number of objects referring to this object.
Status	Status of the IP address, such as if it is initialized.
Action	Click Edit to edit the VLAN or subnet entry. The Edit button is visible only after the entry is saved.

5. Click Save.

The network IP/mask must be an IP address and not a subnet.

You must use the following guidelines to set the network IP/mask:

• Interface name and VLAN ID must be unique among all network IP/masks.
• If VLAN ID is 0, the network IP/mask must be unique among all the network IP/masks without VLAN and all system interfaces.
• If VLAN is not 0, the network IP/mask must be unique among all subnets in the same VLAN.

Deploy Decoy VMs with the Deployment Wizard

Use the Deception > Deployment Wizard page to create and deploy Decoy VMs on your network. Decoy VMs appear as real endpoints to hackers and can collect valuable information about attacks.

To deploy Decoys on the network:

1. Go to Deception > Deployment Wizard.
2. Click + to add a Decoy VM.
3. Configure the following:

Name	Specify the name of the deployment profile. Maximum 15 characters using A-Z, a-z, 0-9, dash, or underscore. No duplicate profile names.
Available Deception OSes	Select a Deception OS.
Selected Services	Displays the selected services. You cannot edit this field.

4. For an Ubuntu VM, turn on SSH or SAMBA. For Windows, turn on RDP or SMB.

For SCADA, turn on HTTP, FTP, TFTP, SNMP, MODBUS, S7COMM, BACNET, IPMI, TRICONEX, GUARDIANAST, or IEC104.

5. Click Add Lure for the service and configure the following:

Username	Specify the username for the decoy. Maximum 19 characters using A-Z, a-z, or 0-9. Do not set the username of the lures to be the same as existing usernames in the decoy, such as administrator for RDP/SMB services on Windows, or root for SSH/SAMBA services on Linux.
Password	Specify the password for the decoy in 1-14 non-unicode characters.
Sharename	This option is only available for SAMBA (Ubuntu) or SMB (Windows). Specify a Sharename in 3-63 characters using A-Z, a-z, or 0-9.
Update or Cancel	Click Update to save the username and password. Click Cancel to discard the username and password. Click Delete to delete an existing lure.

6. To launch the decoy VM immediately, enable Launch Immediately.
7. To reset the decoy VM after it detects incidents, enable Reset Decoy and specify the Reset Interval value in seconds.
8. Click Next.
9. The Hostname can start with an English character or a digit, and must not end with a hyphen. Maximum 15 characters using A-Z, a-z, 0-9, or hyphen (case-sensitive). Other symbols, punctuation, or white space are not allowed. The Hostname cannot conflict with decoy names.
10. Click Add Interface.
11. Select the Deploy Interface. Set this to the VLAN or subnet added in Set up the Deployment Network on page 10
12. Configure the following settings in the Add Interface forDecoy pane:

Addressing Mode	Select Static or DHCP. Static allows you to configure the IP address for all the decoys. DHCP allows the decoys to receive IP address from the DHCP server. If you select DHCP, IP Count is automatically set to 1 and all other fields are not applicable.
Network Mask	This field is set automatically.
Gateway	Specify the gateway.
IP Count		Specify the number of IP addresses to be assigned, up to 16. If Addressing Mode is DHCP, IP Count is automatically set to 1.
Min		The minimum IP address in the IP range.
Max		The maximum IP address in the IP range.
IP Ranges		Specify the IP range between Min and Max.

13. Click Done.
14. To deploy the decoys on the network, click Deploy.
15. To save this as a template in Deception > Deployment Wizard, click Template.

Deploy the FortiDeceptor Token Package

Use a FortiDeceptor Token Package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within real endpoints and other IT assets on the network to maximize the deception surface.

To download a FortiDeceptor Token Package:

1. Go to Deception > Decoy & Lure Status.
2. Select the Decoy VM by clicking its checkbox.
3. To download the FortiDeceptor Token Package, click Download Package.

You can only download packages with valid IP addresses. A package must have a status of Initialized, Stopped, Running, or Failed.

To deploy or uninstall a FortiDeceptor Token Package on an existing endpoint:

1. Copy the downloaded FortiDeceptor Token Package to an endpoint such as a Windows or Linux endpoint.
2. Unzip the FortiDeceptor Token Package.
3. In the folder for the OS, such as windows or ubuntu, follow the instructions in txt to install or uninstall the Token Package.

l For Windows, open the windows folder, right-click windows_token.exe and select Run as administrator. l For Ubuntu, open Terminal and run python ./ubuntu_token.py.

When the FortiDeceptor Token Package is installed on a real Windows or Ubuntu endpoint, it increases the deception surface and lures the attacker to a Decoy VM.

Monitor Decoy & Lure Status

The Deception > Decoy & Lure Status page shows the status of the Decoys on your network.

We recommend operating Decoy VMs with the same status for expected behavior.

To view the Deception Status:

1. Go to Deception > Decoy & Lure Status.

Action	Click View detail to see the decoy’s configuration details. Click Copy to Template to duplicate the decoy as a template. Click Start or Stop to start or stop the decoy. Click Delete to delete the decoy. Click Download to download the FortiDeceptor Token Package. Click VNC to open a VNC of the decoy.
Status	The status of the decoy can be Initializing, Running, Stopped, or Cannot Start. If the Decoy VM cannot start, hover over the VM to see the reason.
Decoy Name	Name of the decoy.
OS	Operating system of the decoy.
VM	The name of the Decoy VM.
Enabled Services	The number of decoy services enabled on this VM.
IP	The IP address of the Decoy VM.
Services	List of services enabled. Hover over an icon to see a text list.
Network Type	Shows if the IP address is Static or DHCP.
DNS	DNS of the Decoy VM.
Gateway	Gateway of the Decoy VM.

To delete one or more Decoy VMs:

1. Go to Deception > Decoy & Lure Status.
2. Click Delete beside the Decoy VM.
3. Click OK.

To start one or more Decoy VM:

1. Go to Deception > Decoy & Lure Status.
2. Select one or more Decoy VMs that are stopped.
3. Click Start.

To stop one or more Decoy VMs:

1. Go to Deception > Decoy & Lure Status.
2. Select one or more Decoy VMs that are running.
3. Click Stop.

Decoy Map

Deception > Decoy Map is a visual representation of the entire network showing real endpoints and Decoy VMs. You can apply filters to focus on specific decoys.

To work with the Decoy Map:

1. Go to Deception > Decoy Map. l To change the display, drag items to another location. l Scroll to zoom in or out.

l Click a node to see its information.

2. Click Click to begin filtering to select a filter type and type values. Filter types include Decoy Name, Decoy IP, and Lure Type.

You can use multiple arguments with different filter types. All filter arguments and time indicator arguments are considered “AND” conditions.

3. To locate the node on the map, use the LOCATE BY IP
4. To save a snapshot of the map, click Save view .

Configure a Whitelist

Use the Deception > Whitelist page to add an IP address for an administrator to log into the network. User actions from a whitelisted IP address are recorded as an Event or Incident.

To add a new whitelist IP address:

1. Go to Deception > Whitelist.
2. Click Add New Whitelist IP and configure its settings:

IP Address		Specify the IP address from where the connection originates.
Source Ports		Specify the source ports from where the connection originates.
Destination Ports		Specify the destination ports on the network where the connection terminates.
Description		Specify a description. For example, you can name it as Safe_Network.
Services		Select the name of the services used to connect to the network.
Status		Select Enabled or Disabled.
Action		Click Update or Cancel.

DMZ Mode

Deploy a FortiDeceptor hardware unit or VM in the Demilitarized Zone (DMZ). You can monitor attacks on the DMZ network when FortiDeceptor is installed in the DMZ network.

Limitations of the DMZ Mode

The DMZ Mode in FortiDeceptor functions like regular mode with the following exceptions:

• When DMZ mode is enabled, the banner displays DMZ-MODE.
• In Deception > Deployment Network, Deception MonitorIP/Mask is hidden. See Set up the Deployment Network on page 10.
• In Deception > Decoy & Lure Status in the Deception Status view, the Attack Test selection is disabled.
• Decoy VMs are limited to one deploy Interface. For information about IP address range, see Deploy Decoy VMs with the Deployment Wizard on page 10.

To enable DMZ mode in the CLI:

dmz-mode -e

To disable DMZ mode in the CLI: dmz-mode -d

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Set up FortiDeceptor

This section explains the initial set up of FortiDeceptor.

Connect to the GUI

Use the GUI to configure and manage FortiDeceptor.

To connect to the FortiDeceptor GUI:

1. Connect the port1 (administration) interface of the device to a management computer using an Ethernet cable.
2. Configure the management computer to be on the same subnet as the internal interface of the FortiDeceptor unit:
   • Change the IP address of the management computer to 168.0.2.
   • Change the IP address of the network mask to 255.255.0.
3. Go to https://192.168.0.99.
4. Type admin in the Name field, leave the Password field blank, and click Login.

You can now proceed with configuring your FortiDeceptor unit.

Connect to the CLI

You can use CLI commands to configure and manage FortiDeceptor.

To connect to the FortiDeceptor CLI:

1. In the FortiDeceptor banner at the top, click the CLI Console

The CLI Console pane opens.

2. If necessary, click Connect and enter your username and password.

The CLI Console pane has icons to disconnect from the CLI console, clear console text, download console text, copy console text, open the CLI console in its own window, and close the console.

3. To close the CLI console, click the Close

 

Change the system hostname

The System Information widget displays the full host name. You can change the FortiDeceptor host name.

To change the host name:

1. Go to Dashboard, System Information
2. Click Change beside Host Name.
3. In the New Name field, type a new host name.

The hostname can start with a character or digit, and cannot end with a hyphen. A-Z, a-z, 0-9, or hyphen are allowed (case-sensitive). Other symbols, punctuation, or white space are not allowed.

4. Click Apply.

Change the administrator password

By default, you can log in to the GUI using admin and no password. It is highly recommended that you add a password to the admin account. For better security, regularly change the admin account password and the passwords for any other administrator accounts that you add.

To change the password of the logged in administrator:

1. In the FortiDeceptor banner at the top, click the username and select Change Password.
2. Change the password and click OK.

To change the administrator password in the Administrators page:

1. Go to System > Administrators.
2. Select an administrator and click Edit.
3. Change the password and click OK.

Configure the system time

You can change the FortiDeceptor system time in the Dashboard. You can configure the FortiDeceptor system time manually or synchronize with an NTP server.

To configure the system time:

1. Go to Dashboard, System Information
2. Click Change beside System Time.
3. Set the system time and click Apply. You might need to log in again.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Introduction

FortiDeceptor creates a network of decoy VMs to lure attackers and monitor their activities on the network. When attackers attack decoy VMs, their actions are analyzed to protect the network.

Key features of FortiDeceptor include:

• Deception OS: Windows, Linux, or SCADA OS images are available to create Decoy VMs. l Decoy VMs: Decoy VMs that behave like real endpoints can be deployed through FortiDeceptor. l Lures: Lures are services, applications, or users added to a Decoy VM to simulate a real user environment.
• FortiDeceptor Token Package: Install a FortiDeceptor Token Package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within the real endpoints and other IT assets on the network to maximize the deception surface. Use tokens to influence attackers’ lateral movements and activities. Examples of what you can use in a token include: cached credentials, database connections, network share, data files, and configuration files. l Monitor the hacker’s actions: Monitor Incidents, Events, and Campaign.
• An Event represents a single action, for example, a login-logout event on a victim host.
• An Incident represents all actions on a single victim host, for example, a login-logout, file system change, a registry modification, and a website visit on a single victim host.
• A Campaign represents the hacker’s lateral movement. All related Incidents are a Campaign. For example, an attacker logs on to a system using the credentials found on another system.
• Log Events: Log all FortiDeceptor system events.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!