Category Archives: Fortinet GURU

Basic Zone Deployment

Use zones and save your sanity! This video goes into some basic zone deployment to help consolidate policy and reduce the number of interface pairs on your policy page.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Using Device Definitions To Make FortiGate Policy More Granular

One of the things that I see a lot of people doing is leaving their policies super vague. This is all fun and games in a home environment where you don’t have any critical data, but if you are running your business in this manner you may have issues coming up soon. Make your policies as granular as possible so you can sleep better at night!



Create a Simple Remote Access IPSec Tunnel Capability

This video is a brief introduction on how to create a Remote Access (Split Tunnel) IPSec tunnel so that remote users can IPSec into the network and access resources.



Basic FortiGate Configuration On FortiOS 5.4.x

This is a short little stream-of-consciousness video relating to how I like to configure my SOHO units (smaller units) when they are new arrivals. I cover some simple things like why I set up policies the way I do. If you have specific video topics you would like me to cover, please let me know. I want to provide what Fortinet users want.



Route Based (Interface Based) IPSec Tunnels

This is a video I created to provide guidance on how to configure a basic IPSec tunnel (route based) between two FortiGates. A more advanced video that provides a more in-depth look will be released later.

 



Tuning IPS on a desktop FortiGate

A desktop FortiGate does not have the same horsepower as a full-size model, and sometimes traffic can cause the IPS to spike the CPU for several seconds. However, IPS is still a very valuable tool for protecting your network. This client has no internal systems exposed to the Internet, so the IPS is only looking at outbound traffic.

Here was the default IPS global config on the client’s FortiGate 90D:

FortiGate90D # config ips global
FortiGate90D (global) # show
config ips global
    set traffic-submit enable
end

Here are the complete IPS global options and how they were set:

FortiGate90D (global) # get
fail-open : disable
database : regular
traffic-submit : enable
anomaly-mode : continuous
session-limit-mode : heuristic
intelligent-mode : enable
socket-size : 32 (MB)
engine-count : 0
algorithm : engine-pick
sync-session-ttl : disable
cp-accel-mode : advanced
skype-client-public-ipaddr:
deep-app-insp-timeout: 86400
deep-app-insp-db-limit: 100000
exclude-signatures : industrial

IPS can usually identify an intrusion within the first 2-3 MB of data, so that 32 MB socket-size setting is more than necessary. We also want to ensure that IPS doesn’t overwhelm the desktop FortiGate, so we’ll set the algorithm to low.

Here are the changes made and the resulting config:

FortiGate90D (global) # set socket-size 2
FortiGate90D (global) # set algorithm low
FortiGate90D (global) # show
config ips global
    set traffic-submit enable
    set socket-size 2
    set algorithm low
end

FortiGate90D (global) # end
ips socket buffer size is set to 2

Finally the IPS needs to restart so that the changes take effect:

FortiGate90D # diag test application ipsmonitor 99
restarting ipsmonitor

Our monitoring now shows that the IPS engine is no longer causing as many CPU spikes as before.
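
For checking several desktop units against the same tuning, here is an added example (not part of the original article): a Python check that parses `get` output from `config ips global` and emits the `set` commands needed to reach the tuned values above. The function names and the `BASELINE` dictionary are assumptions of this example, and the sample output is constructed from the listing in the article.

```python
# Tuned values come from the article; the comparison logic is an added example.
BASELINE = {"socket-size": "2", "algorithm": "low"}

# Constructed sample: a subset of the default 90D 'get' output shown in the article.
SAMPLE_GET = """\
FortiGate90D (global) # get
fail-open : disable
database : regular
traffic-submit : enable
socket-size : 32 (MB)
engine-count : 0
algorithm : engine-pick
skype-client-public-ipaddr:
deep-app-insp-timeout: 86400
"""

def parse_get(text):
    """Parse 'key : value' lines; tolerate missing spaces, empty values and units."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            continue  # prompt lines, blanks, anything that is not key:value
        value = value.strip()
        # Drop a trailing unit annotation so "32 (MB)" compares as "32".
        if value.endswith(")") and " (" in value:
            value = value[: value.rindex(" (")]
        settings[key.strip()] = value
    return settings

def remediation(settings, baseline=BASELINE):
    """Return the CLI lines needed to reach the baseline, or [] if compliant."""
    drift = [(k, v) for k, v in baseline.items() if settings.get(k) != v]
    if not drift:
        return []
    return ["config ips global"] + [f"    set {k} {v}" for k, v in drift] + ["end"]

if __name__ == "__main__":
    print("\n".join(remediation(parse_get(SAMPLE_GET))))
```

After applying the emitted commands, the IPS restart step shown above is still required for the changes to take effect.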

Fortinet Guru article by Norris Carden, NSE4
Security 
Forethought 



Back from Fortinet XTREME USA 2016

It was exhausting. A lot of fun, but Jesus it was exhausting. Only 3 days of labs but I felt like it was a lifetime. I have never learned more in such a rapid period of time than I did last week. I got back Friday and my brain is still fried. Back to work tomorrow too. Yikes.



How To – Basic OSPF Configuration On FortiGates Running 5.4.1

I had some people ask me how to configure some basic OSPF on a FortiGate, so I created the following how-to video. Yes, I know I need to get better at explaining things in videos. I get shy though…oh wells. Check out the video below to see how to do a basic OSPF configuration on a set of FortiGates running FortiOS 5.4.1. I mention some other ways you can bring OSPF into the environment (via IPSec tunnels etc.) and I will create more in-depth videos in the future that dive into the more advanced features of OSPF on the FortiGate.

 

