Category Archives: FortiGate

How to see errors and discards on FortiGate interfaces

Question: How do I go about seeing interface statistics such as discards, errors etc?

I get this question a lot and figured I would make a post about it to help the masses. There is a simple way to do this. In the CLI there is a command called “fnsysctl” that you can expand upon. For example, you can type “fnsysctl ls” and get a drill down of directories. To see interface statistics you can use this command with the following expansion:

Run “fnsysctl ifconfig <interface name>” to see the information you are looking for. For instance, “fnsysctl ifconfig wan1”.

Give it a try on your FortiGate now to see the output and learn how to use it for troubleshooting 🙂
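As an added example (not code from the original post), here is a small Python script that parses two snapshots of the busybox-style output that fnsysctl ifconfig prints and reports which error and discard counters grew between them, since the counters are cumulative and what matters for troubleshooting is whether they are still rising. The sample output is constructed and its layout is assumed to match what FortiOS prints.

```python
"""Flag rising error/discard counters in `fnsysctl ifconfig` output.

Added example, not code from the original post. Assumes FortiOS prints the
busybox/Linux ifconfig layout shown below; both snapshots are constructed.
"""
import re

# Constructed snapshots of the same interface taken a short interval apart.
SNAPSHOT_T0 = """\
wan1      Link encap:Ethernet  HWaddr 00:09:0F:00:00:01
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1510044 errors:0 dropped:12 overruns:0 frame:0
          TX packets:1234567 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:987654321 (941.9 MB)  TX bytes:123456789 (117.7 MB)
"""
SNAPSHOT_T1 = """\
wan1      Link encap:Ethernet  HWaddr 00:09:0F:00:00:01
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1520044 errors:3 dropped:250 overruns:0 frame:3
          TX packets:1244567 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:997654321 (951.4 MB)  TX bytes:133456789 (127.3 MB)
"""

NAME_RE = re.compile(r"^(\S+)\s+Link encap:")
COUNTER_RE = re.compile(r"^\s*(RX|TX) packets:(\d+)((?: \w+:\d+)+)")
# Counters whose growth indicates a problem (discards appear as "dropped").
PROBLEM_COUNTERS = ("errors", "dropped", "overruns", "frame", "carrier")


def parse_ifconfig(text):
    """Return (interface, {"RX": {...}, "TX": {...}}) from one snapshot."""
    name, counters = None, {}
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if not m:
            continue
        direction, packets, rest = m.groups()
        counters[direction] = {"packets": int(packets)}
        for key, val in re.findall(r"(\w+):(\d+)", rest):
            counters[direction][key] = int(val)
    if name is None or set(counters) != {"RX", "TX"}:
        raise ValueError("not a recognised ifconfig block")
    return name, counters


def counter_delta(before, after):
    """Increase of every counter between two snapshots, per direction."""
    return {d: {k: after[d][k] - before[d].get(k, 0) for k in after[d]}
            for d in ("RX", "TX")}


def flag_problems(delta):
    """List (direction, counter, increase, share of packets) for problem
    counters that grew; share is relative to packets seen in the interval."""
    issues = []
    for direction in ("RX", "TX"):
        pkts = max(delta[direction]["packets"], 1)
        for key in PROBLEM_COUNTERS:
            inc = delta[direction].get(key, 0)
            if inc > 0:
                issues.append((direction, key, inc, inc / pkts))
    return issues


def report(t0=SNAPSHOT_T0, t1=SNAPSHOT_T1):
    """Print a summary and return the issue list for further use."""
    name, c0 = parse_ifconfig(t0)
    _, c1 = parse_ifconfig(t1)
    issues = flag_problems(counter_delta(c0, c1))
    for direction, key, inc, share in issues:
        print(f"{name}: {direction} {key} +{inc} ({share:.2%} of packets)")
    return issues


if __name__ == "__main__":
    report()
```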


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

How to Manage FortiSwitch from FortiGate

Managing your FortiSwitch from your FortiGate is an awesome feature set that Fortinet implemented in their hardware. 5.4.1 makes it so much easier to accomplish this. Nothing sucks worse than running out of port density on your FortiGate. Now you really don’t have to worry about it (ok, you didn’t really have to before, but it is neat nonetheless).



FortiGate 60E Best Distributed Firewall

So, in case you guys weren’t aware, Fortinet has released their 60E. This FortiGate is an awesome device. It has a new SOC3 ASIC which sets the 60E on a whole new level. Fortinet is making their firewalls more affordable while at the same time drastically adding functionality and performance.

[Image: FortiGate 60E]

If you weren’t excited about the newer hardware being released then you REALLY need to look at the chart below which breaks down the performance of the device versus the industry average.

[Chart: FortiGate 60E performance versus the industry average]

Did I mention that this device gives you SD-WAN (Software Defined WAN) capabilities? Have fun guys and dig in! By the way, I sell these things at cost soooo…



FortiGate AWS Deployment Guide

Overview

This document is designed to be a quick-start walk-through for setting up a virtual Fortinet device using AWS services. We will start by reviewing some AWS concepts. If you would like to download the PDF of this guide, please click FortiGate AWS Deployment Guide PDF.

Amazon Virtual Private Cloud (Amazon VPC)

Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can also create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.

You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your web servers that have access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

[Image: overview diagram]



Policy Based IPSec and NAT

Think of the little things

This is going to be a quick guide on things to check when your Policy based IPSec tunnels decide to not work properly with NAT enabled.

I have this client; they were getting ready to migrate a bunch of IPSec tunnels from one of their client’s firewalls. The firewall that was originally hosting these tunnels is a Dell Sonicwall (threw up a little in my mouth right there).

We get the tunnels loaded and all are working fine except for the ones that require NAT due to overlapping subnets.

Just a reminder boys and girls, when your settings APPEAR to be correct but things still aren’t working... it’s going to be something simple.

It is always something simple!

When you create a phase 2 for your tunnels through the GUI certain parameters are predefined. This is fine if you are using a simple tunnel with no NAT being applied.

One of these settings is the “use-natip enabled” setting that comes swinging right out the gate. If you have never looked at your phase 2 through the CLI you wouldn’t even know this existed.

Proof is in the pudding:

There is nothing more frustrating than having your policy set up improperly (no NAT applied through the policy) and the tunnel comes up, but no traffic flows... but if you enable NAT in the policy, all of a sudden there is no tunnel OR traffic.

The two conflict. So if you are doing policy based IPSec tunnels that ALSO happen to be performing NAT on the policy (which you can only enable on the policy through the CLI, by the way...) you are going to be in for a bad time until you turn off the NAT setting (use-natip) on the phase 2.
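As an added example (not code from the original post), here is a Python check that scans a FortiOS configuration dump for exactly this conflict: a policy-based IPsec policy with NAT enabled whose phase 2 still has use-natip at its default of enable. It assumes the config was captured with `show`, where default values are omitted, so a phase 2 entry with no use-natip line counts as enabled; the sample configuration is constructed.

```python
"""Find policy-based IPsec policies that NAT while their phase 2 still has
use-natip enabled. Added example, not code from the original post.

Assumes a FortiOS config captured with `show` (defaults omitted), so a
phase 2 entry without a `set use-natip` line is at the default, enable.
The sample configuration below is constructed.
"""

SAMPLE_CONFIG = """\
config vpn ipsec phase2
    edit "partner-a-p2"
        set phase1name "partner-a"
        set use-natip disable
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
    edit "partner-b-p2"
        set phase1name "partner-b"
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 10.30.0.0 255.255.255.0
    next
end
config firewall policy
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set action ipsec
        set vpntunnel "partner-a"
        set nat enable
        set natip 192.0.2.0 255.255.255.0
    next
    edit 12
        set srcintf "internal"
        set dstintf "wan1"
        set action ipsec
        set vpntunnel "partner-b"
        set nat enable
        set natip 192.0.2.0 255.255.255.0
    next
end
"""


def parse_section(config_text, section):
    """Return {entry: {key: value}} for one top-level `config <section>` block.
    Nested config blocks inside an entry are skipped via depth tracking."""
    entries, current, depth, inside = {}, None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == f"config {section}"
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
    return entries


def find_natip_conflicts(config_text):
    """Return (policy_id, phase2_name) pairs where a policy NATs over a
    policy-based tunnel whose phase 2 still has use-natip enabled."""
    phase2 = parse_section(config_text, "vpn ipsec phase2")
    policies = parse_section(config_text, "firewall policy")
    conflicts = []
    for pol_id, pol in policies.items():
        if pol.get("action") != "ipsec" or pol.get("nat") != "enable":
            continue
        for p2_name, p2 in phase2.items():
            if (p2.get("phase1name") == pol.get("vpntunnel")
                    and p2.get("use-natip", "enable") == "enable"):
                conflicts.append((pol_id, p2_name))
    return conflicts


if __name__ == "__main__":
    for pol_id, p2_name in find_natip_conflicts(SAMPLE_CONFIG):
        print(f"policy {pol_id}: set use-natip disable on phase2 {p2_name}")
```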

In Conclusion:

I know this entire post is basically a giant run on sentence but I wanted to get it on paper as it was fresh in my head. I tend to forget things you know. By all means express your findings on these types of situations in the comments. Would love a healthy dialogue regarding these types of things! If I need to expand on anything to make it easier to understand please let me know. I am always available to answer questions.



FortiGate Connector for Cisco ACI

Overview

FortiGate Connector for Cisco ACI (Application Centric Infrastructure) is the Fortinet solution to provide seamless integration between a Fortinet Firewall (FortiGate) deployment and Cisco APIC (Application Policy Infrastructure Controller). This integration allows customers to perform FortiGate configuration and management operations from a single point, Cisco APIC.

While the FortiGate series of firewalls enable superb firewall services, in a data center environment the insertion, configuration, and management of network services such as firewalls can be quite complex and potentially error-prone tasks. One solution for such data center problems is Cisco’s ACI. Cisco’s ACI is a policy-based framework with integration of software and hardware in the underlying leaf-spine fabric. In Cisco ACI, the APIC is a tool used to automate service insertion and provisioning into the fabric of the network environment. Network service appliances, both physical and virtual, can be attached to an ACI fabric’s leaf node through APIC. Traffic demanding certain network services is steered by APIC-managed policies to the appropriate resources. The FortiGate Connector allows FortiGates to be included amongst the list of resources that traffic can be directed to.

Licensing

FortiGate Connector for Cisco ACI is free of charge for Fortinet customers. You need to make sure that you register your FortiGate with FortiCare on support.fortinet.com.

Terms and concepts

FortiGate VDOMs

VDOM or Virtual Domain refers to a discretely administered segment on a FortiGate firewall. A FortiGate firewall that is not segmented and where a single administrator can access all of the firewall is operating in the “root” VDOM. However, it is possible to segment the FortiGate so that different administrators can access different areas of the FortiGate. Credentials for VDOM X will allow access to the resources and settings of VDOM X but no other. There will also be global resources and settings that will require credentials to the root VDOM. When setting up connectivity between Cisco APIC and the FortiGates it will be important to know which VDOMs control the needed resources.

FortiOS RESTful API

REST (sometimes spelled ReST) stands for Representational State Transfer. It is a software architectural style for the WWW. REST systems typically communicate over HTTP, using HTTP verbs or commands to retrieve and send information to remote servers.

A good resource for the finer details of Fortinet’s implementation of ReST can be found at http://docs.fortinet.com/uploaded/files/1276/FortiAuthenticator_REST_API_Solution_Guide.pdf

North/South and East/West Traffic

The cardinal compass direction terms to describe traffic flow are used to differentiate between traffic within the cloud or data center and traffic going in and out of the cloud or data center.

  • North/South – traffic either heading into or out of a cloud or data center.
  • East/West – traffic that is between nodes inside the same cloud or data center.


Other Security Profiles Considerations – Fortinet FortiGate

Other Security Profiles considerations

The following topics are included in this section:

  • Profile Groups
  • Security Profiles and Virtual domains (VDOMs)
  • Conserve mode
  • SSL content scanning and inspection
  • Monitoring Security Profiles activity
  • Using wildcards and Perl regular expressions
  • Monitor interface reference

Profile Groups

One of the options when adding Security profiles to policies is the use of the Profile Groups feature. This works much the same way as an address group or a service group. You assign a selection of Security profiles to the Group and assign the group to a policy. This can be very convenient in an environment that has a large number of policies, because instead of deciding each time you make a policy which Security profiles are going to be used, you can have a small selection of Profile groups and every policy is assigned one of those groups. If changes need to be made, rather than going into each policy to make individual changes, you only have to make changes to the group and the changes automatically propagate through to all of the policies that are using the Profile Group. It makes Security Profiles administration much simpler to implement, simpler to administer and simpler to remember which Security Profiles features are being assigned to policies.

To refine the application of Security Profiles even further, you can use the Profile Group in combination with Identity based policies and User Groups, so that depending upon which User group a person belongs to, they can be assigned a common set of Security profiles. A good example of this would be a school environment. Staff and students are going to have significantly different permissions and restrictions associated with them. Staff will be allowed access to websites that children are not (Web Filter). Staff will be allowed to transmit certain data under certain circumstances while students cannot transmit that type of data at all (DLP). Staff might have access to applications to communicate with colleagues in real time while students might be denied social networking access to keep them from being distracted from their studies (Application Control). There are a number of permutations and possibilities made simpler and easier to administer by using these features together.


Creating a new group

Security profiles that can be grouped

When setting up a Profile Group you can assign any selection of the following Profile types to the group:

  • AntiVirus
  • Web Filter
  • Application Control
  • IPS
  • Email Filter
  • DLP Sensor
  • VoIP
  • ICAP

Because the Security profiles need a Proxy Options profile to operate, whenever you assign a Security profile to a policy you must also assign a Proxy Option profile.

Using the Web-based Manager

To keep the interface simpler and less cluttered, by default, some versions of the firmware only display a default profile for each of the profile types and a default Profile Group. By going into the Admin Settings section and enabling the display of Multiple Security Profiles the option to have multiple Profile Groups in the Web Based Manager is also enabled.

  1. Go to Security Profiles –> Profile Group –> Profile Group.
  2. Select Create New.
  3. Give the new Profile Group a name.
  4. Select the Security Profiles.
    1. Use the check-boxes to determine whether or not a particular Security profile will be assigned.
    2. Use the drop-down menu to determine which Security profile will be used.
    3. Select a Proxy Option profile. The Default Proxy Option Profile will be added by default if another profile is not selected.
  5. Select OK.

Using the CLI

In the CLI enter the commands:

config firewall profile-group
    edit <profile_group_name>
        set profile-protocol-options <protocol_options_name>
        set av-profile <name_of_av-profile>
        set webfilter-profile <name_of_webfilter-profile>
        set spamfilter-profile <name_of_spamfilter-profile>
        set dlp-sensor <name_of_dlp-sensor>
        set ips-sensor <name_of_ips-sensor>
        set application-list <name_of_application-list>
        set voip-profile <name_of_voip-profile>
        set icap-profile <name_of_icap-profile>
        set deep-inspection-options <name_of_deep-inspection-options>
    next
end

Adding a Profile Group to a policy

Using the CLI

  1. Go to the Firewall policy that you wish to associate with the Profile Group.
    1. For an Address Firewall policy:

config firewall policy
    edit <policyID>

    2. For an Identity based policy:

config firewall policy
    edit <policyID>
        config identity-based-policy
            edit <policy_id>

  2. To assign a Profile Group to a security policy, add the following settings to the policy configuration:

set utm-status enable
set profile-type group
set profile-group <name of the profile group>
end

When adding a Profile Group to a policy there are 2 potential points of confusion:

  1. Depending on your interpretation, there may be some confusion on the profile-type setting.
    • group indicates the use of a profile group.
    • single indicates the use of individual Security profiles.
  2. In the CLI, the context, or placement in the “syntax tree” of configuration settings, can make some options available or unavailable depending on other settings.

In an Address Policy you only have to go down 2 “levels” to have the options for configuring the Profile Groups available.

When an Identity policy is being used the Profile Group options are not available at the same level. You have to go down a further 2 levels, to inside the Authentication rule that is nested within the overall umbrella of the Firewall Policy. This is where the Profile Group settings will be available to you.

Security Profiles and Virtual domains (VDOMs)

If you enable virtual domains (VDOMs) on your FortiGate unit, all Security Profiles configuration is limited to the VDOM in which you configure it.

While configuration is not shared, the various databases used by Security Profiles features are shared. The FortiGuard antivirus and IPS databases and database updates are shared. The FortiGuard web filter and spam filter features contact the FortiGuard distribution network and access the same information when checking email for spam and web site categories and classification.

Conserve mode

FortiGate units perform all Security Profiles processing in physical RAM. Since each model has a limited amount of memory, conserve mode is activated when the remaining free memory is nearly exhausted or the AV proxy has reached the maximum number of sessions it can service. While conserve mode is active, the AV proxy does not accept new sessions.

The AV proxy

Most content inspection the FortiGate unit performs requires that the files, email messages, URLs, and web pages be buffered and examined as a whole. The AV proxy performs this function, and because it may be buffering many files at the same time, it uses a significant amount of memory. Conserve mode is designed to prevent all the component features of the FortiGate unit from trying to use more memory than it has. Because the AV proxy uses so much memory, conserve mode effectively disables it in most circumstances. As a result, the content inspection features that use the AV proxy are also disabled in conserve mode.

All of the Security Profiles features use the AV proxy with the exception of IPS, application control, DoS as well as flow-based antivirus, DLP, and web filter scanning. These features continue to operate normally when the FortiGate unit enters conserve mode.

Entering and exiting conserve mode

A FortiGate unit will enter conserve mode because it is nearly out of physical memory, or because the AV proxy has reached the maximum number of sessions it can service. The memory threshold that triggers conserve mode varies by model, but it is about 20% free memory. When memory use rises to the point where less than 20% of the physical memory is free, the FortiGate unit enters conserve mode.

The FortiGate unit will leave conserve mode only when the available physical memory exceeds about 30%. When exiting conserve mode, all new sessions configured to be scanned with features requiring the AV proxy will be scanned as normal, with the exception of a unit configured with the one-shot option.

Conserve mode effects

What happens when the FortiGate unit enters conserve mode depends on how you have av-failopen configured. There are four options:

off

The off setting forces the FortiGate unit to stop all traffic that is configured for content inspection by Security Profiles features that use the AV proxy. New sessions are not allowed but current sessions continue to be processed normally unless they request more memory. Sessions requesting more memory are terminated.

For example, if a security policy is configured to use antivirus scanning, the traffic it permits is blocked while in conserve mode. A policy with IPS scanning enabled continues as normal. A policy with both IPS and antivirus scanning is blocked because antivirus scanning requires the AV proxy.

Use the off setting when security is more important than a loss of access while the problem is rectified.

pass

The pass setting allows traffic to bypass the AV proxy and continue to its destination. Since the traffic is bypassing the proxy, no Security Profiles scanning that requires the AV proxy is performed. Security Profiles scanning that does not require the AV proxy continues normally.

Use the pass setting when access is more important than security while the problem is rectified.

Pass is the default setting.

one-shot

The one-shot setting is similar to pass in that traffic is allowed when conserve mode is active. The difference is that a system configured for one-shot will force new sessions to bypass the AV proxy even after it leaves conserve mode. The FortiGate unit resumes use of the AV proxy only when the av-failopen setting is changed or the unit is restarted.

idledrop

The idledrop setting will recover memory and session space by terminating all the sessions associated with the host that has the most sessions open. The FortiGate may force this session termination a number of times, until enough memory is available to allow it to leave conserve mode.

The idledrop setting is primarily designed for situations in which malware may continue to open sessions until the AV proxy cannot accept more new sessions, triggering conserve mode. If your FortiGate unit is operating near capacity, this setting could cause the termination of valid sessions. Use this option with caution.

Configuring the av-failopen command

You can configure the av-failopen command using the CLI.

config system global
    set av-failopen {off | pass | one-shot | idledrop}
end

The default setting is pass.



ICAP – Fortinet FortiGate

ICAP

ICAP is the acronym for Internet Content Adaptation Protocol. The purpose of the feature is to offload work that would normally take place on the firewall to a separate server specifically set up for the specialized processing of the incoming traffic. This takes some of the resource strain off of the FortiGate firewall, leaving it to concentrate its resources on things that only it can do.

Off-loading value-added services from Web servers to ICAP servers allows those same web servers to be scaled according to raw HTTP throughput versus having to handle these extra tasks.

ICAP servers are focused on a specific function, for example:

  • Ad insertion
  • Virus scanning
  • Content translation
  • HTTP header or URL manipulation
  • Language translation

The following topics are included in this section:

  • The Protocol
  • Offloading using ICAP
  • Configuration Settings
  • Example ICAP sequence
  • Example Scenario

The Protocol

The protocol is a lightweight member of the TCP/IP suite of protocols. It is an Application layer protocol and its specifications are set out in RFC 3507. The default TCP port assigned to it is 1344. Its purpose is to support HTTP content adaptation by providing simple object-based content vectoring for HTTP services. ICAP is usually used to implement virus scanning and content filters in transparent HTTP proxy caches. Content Adaptation refers to performing the particular value added service, or content manipulation, for an associated client request/response.

Essentially it allows an ICAP client, in this case the FortiGate firewall, to pass HTTP messages to an ICAP server, like a remote procedure call, for the purposes of some sort of transformation or other processing adaptation. Once the ICAP server has finished processing the content, the modified content is sent back to the client.

The messages going back and forth between the client and server are typically HTTP requests or HTTP responses. While ICAP is a request/response protocol similar in semantics and usage to HTTP/1.1, it is not HTTP nor does it run over HTTP, and as such it cannot be treated as if it were HTTP. For instance, ICAP messages cannot be forwarded by HTTP surrogates.

Offloading using ICAP

If you enable ICAP in a security policy, HTTP traffic intercepted by the policy is transferred to an ICAP server in the ICAP profile added to the policy. Responses from the ICAP server are returned to the FortiGate unit which forwards them to an HTTP client or server.

You can offload HTTP responses or HTTP requests (or both) to the same or different ICAP servers.

If the FortiGate unit supports HTTPS inspection, HTTPS traffic intercepted by a policy that includes an ICAP profile is also offloaded to the ICAP server in the same way as HTTP traffic.

When configuring ICAP on the FortiGate unit, you must configure an ICAP profile that contains the ICAP server information; this profile is then applied to a security policy.

Configuration Settings

There are 2 sections where ICAP is configured:

Servers

The settings that can be configured for an ICAP server are:

IP Type (in the GUI) or IP address version (in the CLI)

The options for this field in the GUI are 2 radio buttons labelled “IPv4” and “IPv6”. In the CLI the approach is slightly different. There is a field “ip-version” that can be set to “4” or “6”.

IP address

Whether you’ve set the IP version to 4 or 6 determines the format that the content of this field will take. In the GUI it looks like the same field with a different format, but in the CLI it is actually 2 different fields, named “ip-address” and “ip6-address”.

Maximum Connections

This value refers to the maximum number of concurrent connections that can be made to the ICAP server. The default setting is 100. This setting can only be configured in the CLI.

The syntax is:

config icap server
    edit <icap_server_name>
        set max-connections <integer>
end

Port

This is the TCP port used for the ICAP traffic. The range can be from 1 to 65535. The default value is 1344.

Profiles

Enable Request Processing

Enabling this setting allows the ICAP server to process request messages.

If enabled this setting will also require:

  • Server – This is the name of the ICAP server. It is chosen from the drop-down menu in the field. The servers are configured in the Security Profiles > ICAP > Server section.
  • Path – This is the path on the server to the processing component. For instance, if the Windows share name was “Processes” and the directory within the share was “Content-Filter”, the path would be “/Processes/Content-Filter/”.
  • On Failure – There are 2 options. You can choose by the use of radio buttons either Error or Bypass.

Enable Response Processing

Enabling this setting allows the ICAP server to process response messages.

If enabled this setting will also require:

  • Server – This is the name of the ICAP server. It is chosen from the drop-down menu in the field. The servers are configured in the Security Profiles > ICAP > Server section.
  • Path – This is the path on the server to the processing component. For instance, if the Windows share name was “Processes” and the directory within the share was “Content-Filter”, the path would be “/Processes/Content-Filter/”.
  • On Failure – There are 2 options. You can choose by the use of radio buttons either Error or Bypass.

Enable Streaming Media Bypass

Enabling this setting allows streaming media to ignore offloading to the ICAP server.

Example ICAP sequence

This example is for an ICAP server performing web URL filtering on HTTP requests.

  1. A user opens a web browser and sends an HTTP request to connect to a web server.
  2. The FortiGate unit intercepts the HTTP request and forwards it to an ICAP server.
  3. The ICAP server receives the request and determines if the request is for a URL that should be blocked or allowed.
    • If the URL should be blocked the ICAP server sends a response to the FortiGate unit. The FortiGate unit returns this response to the user’s web browser. This response could be a message informing the user that their request was blocked.
    • If the URL should be allowed the ICAP server sends a request to the FortiGate unit. The FortiGate unit forwards the request to the web server that the user originally attempted to connect to.
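The sequence above, modelled in Python as an added example (not code from the original page): the FortiGate side builds an ICAP REQMOD message around the intercepted HTTP request, parses the server's reply, and maps it to the next step, with a server failure handled according to the profile's On Failure setting. The message framing follows RFC 3507; the HTTP request, the canned server replies and the ICAP host name are constructed, while the service path is the one used in the scenario below.

```python
"""Model the ICAP REQMOD exchange between a FortiGate (ICAP client) and an
ICAP server. Added example, not code from the original page; framing per
RFC 3507, sample messages constructed."""

# Constructed HTTP request the FortiGate intercepted from a user's browser.
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ICAP_SERVER = "172.16.100.55"                      # server address from the scenario
SERVICE_PATH = "/proprietary_code/content-filter/"  # path from the scenario


def build_reqmod(icap_host, service_path, http_request):
    """Encapsulate an HTTP request header block in an ICAP REQMOD message.
    Encapsulated gives byte offsets of each part; null-body says no HTTP
    body follows the request headers (RFC 3507 section 4.4)."""
    head = (
        f"REQMOD icap://{icap_host}{service_path} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        f"Encapsulated: req-hdr=0, null-body={len(http_request)}\r\n\r\n"
    )
    return head.encode() + http_request


def parse_icap_response(raw):
    """Split an ICAP response into (status, {header: value}, encapsulated)."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    version, status, _reason = lines[0].split(b" ", 2)
    if version != b"ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    return int(status), headers, encapsulated


def next_action(status, headers, encapsulated, on_failure="error"):
    """Map the server's answer to the FortiGate's next step: 204 = allow the
    request unchanged; 200 carrying res-hdr = the server supplied a reply
    for the user (a block page); 200 carrying req-hdr = forward the adapted
    request. Anything else is a failure, handled per the profile's
    On Failure setting (Error blocks, Bypass forwards the original)."""
    if status == 204:
        return "forward-original-request", None
    if status == 200:
        enc = headers.get("encapsulated", "")
        if "res-hdr" in enc:
            return "return-server-response-to-client", encapsulated
        if "req-hdr" in enc:
            return "forward-modified-request", encapsulated
    if on_failure == "bypass":
        return "forward-original-request", None
    return "block-with-error", None


# Constructed server replies: allow, block (encapsulated HTTP 403), failure.
ALLOW_RESPONSE = b"ICAP/1.0 204 No Content\r\nISTag: \"v1\"\r\n\r\n"
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
              b"Content-Length: 21\r\n\r\n")
BLOCK_BODY = b"15\r\nURL blocked by policy\r\n0\r\n\r\n"  # chunked, per RFC 3507
BLOCK_RESPONSE = (b"ICAP/1.0 200 OK\r\nISTag: \"v1\"\r\n"
                  b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_PAGE)
                  + BLOCK_PAGE + BLOCK_BODY)
FAIL_RESPONSE = b"ICAP/1.0 500 Server Error\r\n\r\n"


def run_exchange(server_reply, on_failure="error"):
    """Client side of one REQMOD round trip against a canned server reply."""
    request = build_reqmod(ICAP_SERVER, SERVICE_PATH, HTTP_REQUEST)
    assert request.startswith(b"REQMOD icap://172.16.100.55/proprietary_code/")
    return next_action(*parse_icap_response(server_reply), on_failure=on_failure)


if __name__ == "__main__":
    for name, reply in (("allow", ALLOW_RESPONSE), ("block", BLOCK_RESPONSE),
                        ("failure", FAIL_RESPONSE)):
        print(name, "->", run_exchange(reply)[0])
```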

Example Scenario

Information relevant to the following example:

  • The ICAP server is designed to do proprietary content filtering specific to the organization, so it will have to receive the messages and send back appropriate responses.
  • The content filter is a required security precaution, so if the message cannot be processed it is not allowed through.
  • Resources on both the FortiGate and the ICAP server are considerable, so the maximum connections setting will be set at double the default value to analyse the impact on performance.
  • The ICAP server’s IP address is 172.16.100.55.
  • The path to the processing component is “/proprietary_code/content-filter/”.
  • Streaming media is not something that the filter considers, but is allowed through the policy so processing it would be a waste of resources.
  • The ICAP profile is to be added to an existing firewall policy.
  • It is assumed that the display of the policies has already been configured to show the column “ID”.
  1. Enter the following to configure the ICAP server:

Go to Security Profiles > ICAP > Server.

Use the following values:

Name          content-filtration-server4
IP Type       4
IP Address    172.16.100.55
Port          1344

Use the CLI to set the max-connections value.

config icap server
    edit content-filtration-server4
        set max-connections 200
end

  2. Enter the following to configure the ICAP profile to then apply to a security policy:

Use the following values:

Name                            Prop-Content-Filtration
Enable Request Processing       enable
    Server                      content-filtration-server4
    Path                        /proprietary_code/content-filter/
    On Failure                  Error
Enable Response Processing      enable
    Server                      content-filtration-server4
    Path                        /proprietary_code/content-filter/
    On Failure                  Error
Enable Streaming Media Bypass   enable

  3. Apply the ICAP profile to the policy:

The purpose of this particular ICAP profile is to filter the content of the traffic coming through the firewall via policy ID#17.

  1. Go to Policy > Policy >
  2. Open the existing policy ID# 17 for editing.
  3. Go to the section Security Profiles.
  4. Select the button next to ICAP so that it indicates that its status is ON.
  5. Select the field with the profile name and use the drop down menu to select Prop-Content-Filtration.
  6. Select OK.
