Category Archives: Fortinet GURU

New FortiGate Has Arrived!!

Pretty stoked that my new POE FortiGate has arrived. For those of you that don’t know, I’m in the process of building my dream house and I now have a new FortiGate to power the place (and the 4 APs necessary to provide it complete coverage)…..

I will finally have extra hardware again (my old 61E) etc to start pumping out videos again. Pretty stoked!


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

New feature catalog (5.6.1 and 5.6)

The following sections list all of the new features in FortiOS 5.6 and 5.6.1 organized alphabetically by subject area.

Getting Started (5.6.1)

New Getting Started features added to FortiOS 5.6.1.

VM License visibility improvement (423347)

VM License GUI items have changed as follows:

  • Added VM widget to Global > Dashboard. Includes the following:
    • License status and type.
    • CPU allocation usage.
    • License RAM usage.
    • VMX license information (if the VM supports VMX).
    • If the VM license specifies ‘unlimited’ the progress bar is blank.
    • If the VM is in evaluation mode, it is yellow (warning style) and the dashboard shows the evaluation days used.
    • The widget is shown by default in the dashboard of a FortiOS VM device.
  • Removed VM information from the License widget at Global > Dashboard.
  • License info and an Upload License button are provided on the page Global > System > FortiGuard.
  • Updated the ‘Upload VM License’ page:
    • Added license RAM usage and VMX instance usage.
    • Replaced the file input component.

CLI Syntax

config sys admin
  edit <name>
    config gui-dashboard
      edit <1>
        set name <name>
        config widget
          edit <2>
            set type {vminfo | …}   <- new option
            set x-pos <2>
            set y-pos <1>
            set width <1>
            set height <1>
          next
        end
      next
    end
  next
end

FortiView Dashboard Widget (434179)

Added a new widget type to the dashboard for top-level FortiView. FortiView widgets have report-by, sort-by, visualization and timeframe properties, and a filters subtable in the CLI.

Supported FortiViews include Source, Destination, Application, Country, Interfaces, Policy, Wifi Client, Traffic Shaper, Endpoint Vulnerability, Cloud User, Threats, VPN, Websites, and Admin and System Events.

Bubble, table, chord chart, and country visualizations are supported in the widget.

Widgets can be saved from a filtered FortiView page on to a dashboard.

Syntax

config system admin
  config gui-dashboard
    config widget
      set type fortiview
      set report-by {source | destination | country | intfpair | srcintf | dstintf | policy | wificlient | shaper | endpoint | application | cloud | web | threat | system | unauth | admin | vpn}
      set timeframe {realtime | 5min | hour | day | week}
      set sort-by <string>
      set visualization {table | bubble | country | chord}
      config filters
        set key <filter_key>
        set value <filter_value>
      end
    end
  end
end

Where:

  • report-by = Field to aggregate the data by.
  • timeframe = Timeframe period of the reported data.
  • sort-by = Field to sort the data by.
  • visualization = Visualization to use.

Controls added to GUI CLI console (422623)

FortiOS 5.6.1 introduces new options in the browser CLI console to export the console history. Options are now available to Clear console, Download, and Copy to clipboard.

FortiExplorer icon enhancement (423838)

FortiOS icons and colors are now exportable in the GUI shared project, and FortiExplorer now uses these icons and colors. This change improves the icon colors only for the FortiExplorer GUI theme (seen only when accessing a web GUI page from within the FortiExplorer iOS app).

The following locations were affected: Policy List, Policy Dialogue, Address List, Address Dialogue, Virtual IP list, Virtual IP Dialogue.



New Videos Incoming

Wanted everyone to know that I am still alive and well. Been moving and getting situated at the new location and just haven’t stayed disciplined enough over the past two months or so when it comes to making video content.

Anyways, more videos should be incoming and if you have any suggestions please don’t hesitate to let me know.

I am also half tempted to start doing podcasts. Never done one but I am sure I could figure something out there.



I love what I do

Technology is amazing. It drastically reduces the size of the world. I love that I get to work with it every day. It’s just a little before 1 AM here in Montgomery, Alabama. I just finished assisting a friend in Saudi Arabia with their FortiGate issue. This friend I met through this site. Think about that for a second. Small town Alabama boy getting to meet and help people from all over the world.

It’s an amazing time we live in. Good night everyone! See you in the morning!



FortiSIEM Moving CMDB to a separate Database Host

Moving CMDB to a separate Database Host

It is desirable to move the CMDB (postgres) database to a separate host for the following reasons:

  1. In larger deployments, it reduces the database server load on the supervisor node, leaving more resources for the application server and other backend modules.
  2. Whenever high availability for CMDB data is desired, it is easier and cleaner to set up separate hosts with postgres replication that are managed separately than to do this on the embedded postgres on the supervisor. This is especially true in an AWS environment, where the AWS PostgreSQL Relational Database Service (RDS) lets you set up, in a few clicks, a DB instance that replicates across availability zones and fails over automatically.

Freshly Installed Supervisor

Install separate PostgreSQL DB servers or an AWS RDS instance in Multi-AZ mode. Use PostgreSQL version 9.1 or greater. I’ll use the RDS example in the remaining steps. For instance, let’s say the hostname of the RDS instance in the us-west-2 region is phoenixdb.XXXXXX.us-west-2.rds.amazonaws.com on port 5432, with username ‘phoenix’, DB name ‘phoenixdb’ and password ‘YYYYYYYY’. You will need to allow the supervisor and worker nodes to connect to port 5432 on the RDS service; you will have to change the security groups to allow this.

  1. Make sure the above RDS host is reachable from the FortiSIEM supervisor
  2. Install the FortiSIEM supervisor node and configure it as usual, including adding a license
  3. Stop all the running services so that the CMDB will not be modified further
  4. Dump the CMDB data in the local postgres DB into a local file
  5. Import the schema/data into the external postgres
  6. Change phoenix_config.txt to add the DB_SERVER_* info
  7. Change the glassfish application server’s domain.xml to point to the external CMDB server
  8. Change phoenix_config.txt to remove the check for the postgres process
  9. Disable postgres from starting up

Production / Existing Supervisor

  1. Install and have the external postgres ready as described at the beginning of the previous section
  2. Take point-in-time snapshots of the supervisor so you can revert if you hit any issue
  3. Stop crond on the super, and wait for phwatchdog to stop
  4. Stop Apache on the super and all workers so that collectors start buffering events
  5. Shut down the worker nodes while you move the CMDB out
  6. Follow the instructions from “Freshly Installed Supervisor” to complete the steps
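The reachability check, CMDB dump, import and post-import verification from the steps above as a bash script. This is an added example, not from the FortiSIEM documentation; it assumes pg_dump and psql are installed on the supervisor, that the embedded postgres accepts the phoenix user over loopback, and it uses the article’s placeholder RDS endpoint and credentials (password via PGPASSWORD or ~/.pgpass, never on the command line).

```bash
#!/usr/bin/env bash
# Added example, not part of the FortiSIEM docs: copy the CMDB from the
# supervisor's embedded postgres to an external (RDS) postgres and verify it.
set -eu

# Placeholder endpoint and names from the article; override via environment.
DB_HOST="${DB_HOST:-phoenixdb.XXXXXX.us-west-2.rds.amazonaws.com}"
DB_PORT="${DB_PORT:-5432}"
DB_USER="${DB_USER:-phoenix}"
DB_NAME="${DB_NAME:-phoenixdb}"
DUMP_FILE="${DUMP_FILE:-/tmp/cmdb_dump.sql}"

# Step 1: does the external host answer on the postgres port? A failure here
# normally means the RDS security group does not allow the supervisor yet.
check_reachable() {
  (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Dump schema and data from the embedded postgres (assumed: the local
# instance trusts the phoenix user over 127.0.0.1).
dump_local_cmdb() {
  pg_dump -h 127.0.0.1 -U "$DB_USER" --no-owner --no-privileges "$DB_NAME" > "$DUMP_FILE"
}

# Import into the external database; stop on the first error so a partial
# load is never mistaken for a complete one.
import_external_cmdb() {
  psql -h "$DB_HOST" -p "$DB_PORT" -U "$DB_USER" -d "$DB_NAME" \
    -v ON_ERROR_STOP=1 -q -f "$DUMP_FILE"
}

# Post-import check: number of tables in the public schema on a given host.
count_tables() {
  psql -h "$1" -p "$2" -U "$DB_USER" -d "$DB_NAME" -tA \
    -c "select count(*) from information_schema.tables where table_schema='public'"
}

main() {
  check_reachable "$DB_HOST" "$DB_PORT" || { echo "cannot reach $DB_HOST:$DB_PORT" >&2; exit 1; }
  dump_local_cmdb
  import_external_cmdb
  before=$(count_tables 127.0.0.1 5432)
  after=$(count_tables "$DB_HOST" "$DB_PORT")
  [ "$before" = "$after" ] || { echo "table count mismatch: $before vs $after" >&2; exit 1; }
  echo "CMDB copied: $after tables"
}

# Only run when invoked as './move_cmdb.sh run', so the file can be sourced.
if [ "${1:-}" = run ]; then main; fi
```

Run it after stopping the FortiSIEM services (step 3) so the dump is consistent, and only then edit phoenix_config.txt and domain.xml to point at the external host.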

FortiSIEM Windows Agent and Agent Manager Install

FortiSIEM can discover and collect performance metrics and logs from Windows Servers in an agentless fashion via WMI. However, agents are needed when richer data such as file integrity monitoring must be collected, or when collecting from a large number of servers.

This section describes how to set up the FortiSIEM Windows Agent and Agent Manager as part of the FortiSIEM infrastructure.



FortiWAN IPSec

IPSec

IPSec Statistics reports the usage and states of your configured IPSec Security Associations (see “IPSec”). Go to Statistics > IPSec; a selector bar and two statistics tables are displayed.

Selector

Select the combination of Mode and Phase 1 here, and then the statistics of related IPSec SAs are reported.

IPSec

Mode Select the mode, Tunnel mode or Transport mode, of the security associations you want to inspect.
Phase 1 Name All the configured Phase 1 names for the selected mode are listed in the drop-down menu. Select a Phase 1 name (ISAKMP SA) to display the statistics of the associated IPSec SAs (Phase 2).
Refresh Click to refresh the statistics page.

Statistics of the IPSec SAs associated with the selected ISAKMP SA are displayed in two tables, Security Association Database and Security Policy Database.

Security Association Database

Lists information about each IPSec SA, including local and remote IP addresses, negotiated encryption and authentication algorithms, timing and state.

Local IP The local IP address of the IPSec SA.
Remote IP The remote IP address of the IPSec SA.
Encryption The encryption algorithm that the IPSec SA employs.
Authentication The authentication algorithm that the IPSec SA employs.
Used time (s) The time elapsed since the IPSec SA was established.
Life time (s) The interval (in seconds) during which the secret key of the IPSec SA is valid. When a key expires, IKE Phase 2 is performed automatically to establish a new IPSec SA (a new key is negotiated). This value is equal to the Keylife value of the corresponding Phase 2 configuration.
Change time (s) The point in time at which the system starts establishing a new IPSec SA to replace the current one before it expires. The new IPSec SA is prepared in advance so that it can take over from the expiring SA in time. This value is derived from Life time and determined by the system.
Status State of the IPSec SA:
  • larval: an IKE Phase 2 exchange is in progress to establish an IPSec SA
  • mature: the IPSec SA is established and still within its validity period
  • dying: the IPSec SA is about to expire, and another IKE Phase 2 exchange is in progress to take over
  • dead: connectivity between the two endpoints communicating through the IPSec SA is down; the peer is unavailable.


Security Policy Database

Lists the Quick Mode selector information of each IPSec SA and the related timestamps.

Name The unique name of the IPSec SA (the name configured for the Phase 2).
Source[port] For IPSec in Tunnel mode, this is the Source and Source Port of the Quick Mode selector of the IPSec SA (the Source and Port configured for the Phase 2). For IPSec in Transport mode, this is the source IP address of the Tunnel Routing packets (GRE encapsulated), which is equal to the Local IP of the IPSec SA (the Local IP configured for the Phase 1). Port information is not listed in this case.
Destination[port] For IPSec in Tunnel mode, this is the Destination and Destination Port of the Quick Mode selector of the IPSec SA (the Destination and Port configured for the Phase 2). For IPSec in Transport mode, this is the destination IP address of the Tunnel Routing packets (GRE encapsulated), which is equal to the Remote IP of the IPSec SA (the Remote IP configured for the Phase 1). Port information is not listed in this case.
Protocol For IPSec in Tunnel mode, this is the Protocol of the Quick Mode selector of the IPSec SA (the Protocol configured for the Phase 2). For IPSec in Transport mode, this is always “gre”.
Created time The time at which the IPSec SA was established.
Last used time The time at which the IPSec SA was last applied to a data packet.

For the details of parameters of IPSec, see “IPSec VPN in the Web UI”.



Block Specific Devices From Internet Access

Short video answer to a question a user sent me about the best ways to block internet traffic for specific machines and devices.


Ugh Meraki Gear

Please tell me the technician on the phone for my client was incorrect when he said that Meraki is incapable of doing address translation over an IPSec tunnel when the other side is not a Meraki device……That is enough to make you want to throw your head into a wall. Not sure how a vendor could release hardware that is incapable of doing basic network functions like that.

