Category Archives: FortiOS

File transfer protocol (FTP) session helper (ftp)

Leave a reply

File transfer protocol (FTP) session helper (ftp)

The FTP session helper monitors PORT, PASV and 227 commands and NATs the IP addresses and port numbers in the body of the FTP packets and opens ports on the FortiGate unit as required.

To accept FTP sessions you must add a security policy with service set to any or to the FTP, FTP_Put, and FTP_ GET pre-defined services (which all listen on TCP port 21).


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

DNS session helpers (dns-tcp and dns-udp)

Leave a reply

DNS session helpers (dns-tcp and dns-udp)

FortiOS includes two DNS session helpers, dns-tcp, a session helper for DNS over TCP, and dns-udp, a session helper for DNS over UDP.

To accept DNS sessions you must add a security policy with service set to any or to the DNS pre-defined service (which listens on TCP and UDP ports 53). The dns-udp session helper also listens on UDP port 53. By default the dns-tcp session helper is disabled. If needed you can use the following command to enable the dns-tcp session helper to listen for DNS sessions on TCP port 53:

config system session-helper edit 0

set name dns-tcp set port 53

set protocol 6

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

DCE-RPC session helper (dcerpc)

Leave a reply

DCERPC session helper (dcerpc)

Distributed Computing Environment Remote Procedure Call (DCE-RPC) provides a way for a program running on one host to call procedures in a program running on another host. DCE-RPC (also called MS RPC for Microsoft RPC) is similar to ONC-RPC. Because of the large number of RPC services, for example, MAPI, the transport address of an RPC service is dynamically negotiated based on the service program’s universal unique identifier (UUID). The Endpoint Mapper (EPM) binding protocol in FortiOS maps the specific UUID to a transport address.

To accept DCE-RPC sessions you must add a security policy with service set to any or to the DEC-RPC pre- defined service (which listens on TCP and UDP ports 135). The dcerpc session helper also listens on TCP and UDP ports 135.

The session allows FortiOS to handle DCE-RPC dynamic transport address negotiation and to ensure UUID- based security policy enforcement. You can define a security policy to permit all RPC requests or to permit by specific UUID number.

In addition, because a TCP segment in a DCE-RPC stream might be fragmented, it might not include an intact RPC PDU. This fragmentation occurs in the RPC layer; so FortiOS does not support parsing fragmented packets.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Changing the session helper configuration

Leave a reply

Changing the session helper configuration

Normally you will not need to change the configuration of the session helpers. However in some cases you may need to change the protocol or port the session helper listens on.

 

Changing the protocol or port that a session helper listens on

Most session helpers are configured to listen for their sessions on the port and protocol that they typically use. If your FortiGate unit receives sessions that should be handled by a session helper on a non-standard port or protocol you can use the following procedure to change the port and protocol used by a session helper. The following example shows how to change the port that the pmap session helper listens on for Sun RPC portmapper TCP sessions. By default pmap listens on TCP port 111.

 

To change the port that the pmap session helper listens on to TCP port 112

1. Confirm that the TCP pmap session helper entry is 11 in the session-helper list:

show system session-helper 11 config system session-helper

edit 11

set name pmap set port 111 set protocol 6

next end

2. Enter the following command to change the TCP port to 112.

config system session-helper edit 11

set port 112 end

3. The pmap session helper also listens on UDP port 111. Confirm that the UDP pmap session helper entry is 12 in the session-helper list:

show system session-helper 12 config system session-helper

edit 12

set name pmap set port 111

set protocol 17 next

end

4. Enter the following command to change the UDP port to 112.

config system session-helper edit 12

set port 112 end

Use the following command to set the h323 session helper to listen for ports on the UDP protocol.

 

To change the protocol that the h323 session helper listens on

1. Confirm that the h323 session helper entry is 2 in the session-helper list:

show system session-helper 2 config system session-helper

edit 2

set name h323 set port 1720 set protocol 6

next end

2. Enter the following command to change the protocol to UDP.

config system session-helper edit 2

set protocol 17 end

 

If a session helper listens on more than one port or protocol, then multiple entries for the session helper must be added to the session helper list, one for each port and protocol combination. For example, the rtsp session helper listens on TCP ports 554, 7070, and 8554 so there are three rtsp entries in the session-helper list. If your FortiGate unit receives rtsp packets on a different TCP port (for example, 6677) you can use the following command to configure the rtsp session helper to listen on TCP port 6677.

 

To configure a session helper to listen on a new port and protocol

config system session-helper edit 0

set name rtsp set port 6677 set protocol 6 end

 

Disabling a session helper

In some cases you may need to disable a session helper. Disabling a session helper just means removing it from the session-helper list so that the session helper is not listening on a port. You can completely disable a session helper by deleting all of its entries from the session helper list. If there are multiple entries for a session helper on the list you can delete one of the entries to prevent the session helper from listening on that port.

 

To disable the mgcp session helper from listening on UDP port 2427

1. Enter the following command to find the mgcp session helper entry that listens on UDP port 2427:

show system session-helper

.

.

. edit 19

set name mgcp set port 2427 set protocol 17

next

.

.

.

 

2. Enter the following command to delete session-helper list entry number 19 to disable the mgcp session helper from listening on UDP port 2427:

config system session-helper delete 19

By default the mgcp session helper listens on UDP ports 2427 and 2727. The previous procedure shows how to disable the mgcp protocol from listening on port 2427. The following procedure completely disables the mgcp session helper by also disabling it from listening on UDP port 2727.

 

To completely disable the mgcp session helper

1. Enter the following command to find the mgcp session helper entry that listens on UDP port 2727:

show system session-helper

.

.

. edit 20

set name mgcp set port 2727 set protocol 17

next

.

.

.

2. Enter the following command to delete session-helper list entry number 20 to disable the mgcp session helper from listening on UDP port 2727:

config system session-helper delete 20


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Session helpers

Leave a reply

Session helpers

The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet header information to security policies. This comparison determines whether to accept or deny the packet and the session that the packet belongs to.

Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. For example, the SIP VoIP protocol uses TCP control packets with a standard destination port to set up SIP calls. But the packets that carry the actual conversation can use a variety of UDP protocols with a variety of source and destination port numbers. The information about the protocols and port numbers used for a SIP call is contained in the body of the SIP TCP control packets. To successfully process SIP VoIP calls, FortiOS must be able to extract information from the body of the SIP packet and use this information to allow the voice-carrying packets through the firewall.

FortiOS uses session helpers to analyze the data in the packet bodies of some protocols and adjust the firewall to allow those protocols to send packets through the firewall.

 

This section includes the topics:

  • Viewing the session helper configuration
  • Changing the session helper configuration
  • DCE-RPC session helper (dcerpc)
  • DNS session helpers (dns-tcp and dns-udp)
  • File transfer protocol (FTP) session helper (ftp)
  • H.245 session helpers (h245I and h245O)
  • H.323 and RAS session helpers (h323 and ras)
  • Media Gateway Controller Protocol (MGCP) session helper (mgcp)
  • ONC-RPC portmapper session helper (pmap)
  • PPTP session helper for PPTP traffic (pptp)
  • Remote shell session helper (rsh)
  • Real-Time Streaming Protocol (RTSP) session helper (rtsp)
  • Session Initiation Protocol (SIP) session helper (sip)
  • Trivial File Transfer Protocol (TFTP) session helper (tftp)
  • Oracle TNS listener session helper (tns)

 

Viewing the session helper configuration

You can view the session helpers enabled on your FortiGate unit in the CLI using the commands below. The following output shows the first two session helpers. The number of session helpers can vary to around 20.

show system session-helper config system session-helper

edit 1

set name pptp

set port 1723 set protocol 6

next

set name h323 set port 1720 set protocol 6

end

.

.

 

The configuration for each session helper includes the name of the session helper and the port and protocol number on which the session helper listens for sessions. Session helpers listed on protocol number 6 (TCP) or 17 (UDP). For a complete list of protocol numbers see Assigned Internet Protocol Numbers.

For example, the output above shows that FortiOS listens for PPTP packets on TCP port 1723 and H.323 packets on port TCP port 1720.

If a session helper listens on more than one port or protocol the more than one entry for the session helper appears in the config system session-helper list. For example, the pmap session helper appears twice because it listens on TCP port 111 and UDP port 111. The rsh session helper appears twice because it listens on TCP ports 514 and 512.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

L2TP configuration overview

Leave a reply

L2TP configuration overview

To configure a FortiGate unit to act as an LNS, you perform the following tasks:

  • Create an L2TP user group containing one user for each remote client.
  • Enable L2TP on the FortiGate unit and specify the range of addresses that can be assigned to remote clients when they connect.
  • Define firewall source and destination addresses to indicate where packets transported through the L2TP tunnel will originate and be delivered.
  • Create the security policy and define the scope of permitted services between the source and destination addresses.
  • Configure the remote clients.

 

Authenticating L2TP clients

L2TP clients must be authenticated before a tunnel is established. The authentication process relies on FortiGate user group definitions, which can optionally use established authentication mechanisms such as RADIUS or LDAP to authenticate L2TP clients. All L2TP clients are challenged when a connection attempt is made.

To enable authentication, you must create user accounts and a user group to identify the L2TP clients that need access to the network behind the FortiGate unit.

You can choose to use a plain text password for authentication or forward authentication requests to an external RADIUS or LDAP server. If password protection will be provided through a RADIUS or LDAP server, you must configure the FortiGate unit to forward authentication requests to the authentication server.

 

Enabling L2TP and specifying an address range

The L2TP address range specifies the range of addresses reserved for remote clients. When a remote client connects to the FortiGate unit, the client is assigned an IP address from this range. Afterward, the FortiGate unit uses the assigned address to communicate with the remote client.

The address range that you reserve can be associated with private or routable IP addresses. If you specify a private address range that matches a network behind the FortiGate unit, the assigned address will make the remote client appear to be part of the internal network.

To enable L2TP and specify the L2TP address range, use the config vpn l2tp CLI command.

The following example shows how to enable L2TP and set the L2TP address range using a starting address of 192.168.10.80 and an ending address of 192.168.10.100 for an existing group of L2TP users named L2TP_users:

config vpn l2tp

set sip 192.168.10.80 set eip 192.168.10.100 set status enable

set usrgrp L2TP_users end

 

Defining firewall source and destination addresses

Before you define the security policy, you must define the source and destination addresses of packets that are to be transported through the L2TP tunnel:

  • For the source address, enter the range of addresses that you reserved for remote L2TP clients (for example 192.168.10.[80-100]).
  • For the destination address, enter the IP addresses of the computers that the L2TP clients need to access on the private network behind the FortiGate unit (for example, 172.16.5.0/24 for a subnet, or 172.16.5.1 for a server or host, or 192.168.10.[10-15] for an IP address range).

 

To define the firewall source address

1. Go to Policy & Objects > Objects > Addresses and select Create New.

2. Select a Category.

3. In the Address Name field, type a name that represents the range of addresses that you reserved for remote clients (for example, Ext_L2TPrange).

4. In Type, select IP Range.

5. In the IP Range field, type the corresponding IP address range.

6. In Interface, select the FortiGate interface that connects to the clients.

7. This is usually the interface that connects to the Internet.

8. Select OK.

 

To define the firewall destination address

1. Go to Policy & Objects > Objects > Addresses and select Create New.

2. In the Address Name field, type a name that represents a range of IP addresses on the network behind the FortiGate unit (for example, Int_L2TPaccess).

3. In Type, select IP Range.

4. In the IP Range field, type the corresponding IP address range.

5. In Interface, select the FortiGate interface that connects to the network behind the FortiGate unit.

6. Select OK.

 

Adding the security policy

The security policy specifies the source and destination addresses that can generate traffic inside the L2TP tunnel and defines the scope of services permitted through the tunnel. If a selection of services are required, define a service group.

 

To define the traffic and services permitted inside the L2TP tunnel

1. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

2. Enter these settings:

Incoming Interface Select the FortiGate interface to the Internet.
Source Address Select the name that corresponds to the address range that reserved for

L2TP clients (for example, Ext_L2TPrange).
Outgoing Interface Select the FortiGate interface to the internal (private) network.
Destination Address Select the name that corresponds to the IP addresses behind the FortiGate unit (for example, Int_L2TPaccess).
Service Select ALL, or if selected services are required instead, select the service group that you defined previously.
Action ACCEPT
 

3.

  

Select OK.

 

Configuring a Linux client

This procedure outlines how to install L2TP client software and run an L2TP tunnel on a Linux computer. Obtain an L2TP client package that meets your requirements (for example, rp-l2tp). If needed to encrypt traffic, obtain L2TP client software that supports encryption using MPPE.

To establish an L2TP tunnel with a FortiGate unit that has been set up to accept L2TP connections, you can obtain and install the client software following these guidelines:

1. If encryption is required but MPPE support is not already present in the kernel, download and install an MPPE kernel module and reboot your computer.

2. Download and install the L2TP client package.

3. Configure an L2TP connection to run the L2TP program.

4. Configure routes to determine whether all or some of your network traffic will be sent through the tunnel. You must define a route to the remote network over the L2TP link and a host route to the FortiGate unit.

5. Run l2tpd to start the tunnel.

Follow the software supplier’s documentation to complete the steps.

To configure the system, you need to know the public IP address of the FortiGate unit, and the user name and password that has been set up on the FortiGate unit to authenticate L2TP clients. Contact the FortiGate administrator if required to obtain this information.

 

Monitoring L2TP sessions

You can display a list of all active sessions and view activity by port number. By default, port 1701 is used for L2TP VPN-related communications. If required, active sessions can be stopped from this view. Use the Top Sessions Dashboard Widget.

 

Testing L2TP VPN connections

To confirm that a VPN between a local network and a dialup client has been configured correctly, at the dialup client, issue a ping command to test the connection to the local network. The VPN tunnel initializes when the dialup client attempts to connect.

 

Logging L2TP VPN events

You can configure the FortiGate unit to log VPN events. For L2TP VPNs, connection events and tunnel status (up/down) are logged.

 

To log VPN events – web-based manager

1. Go to Log & Report > Log Config > Log Settings.

2. Enable the storage of log messages to one or more locations.

3. Select Enable, and then select VPN activity event.

4. Select Apply.

 

To log VPN events – CLI

config log memory setting set diskfull overwrite set status enable

end

config log eventfilter set vpn enable

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring L2TP VPNs

Leave a reply

Configuring L2TP VPNs

This section describes how to configure a FortiGate unit to establish a Layer Two Tunneling Protocol (L2TP) tunnel with a remote dialup client. The FortiGate implementation of L2TP enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit directly.

According to RFC 2661, an Access Concentrator (LAC) can establish an L2TP tunnel with an L2TP Network Server (LNS). In a typical scenario, the LAC is managed by an ISP and located on the ISP premises; the LNS is the gateway to a private network. When a remote dialup client connects to the Internet through the ISP, the ISP uses a local database to establish the identity of the caller and determine whether the caller needs access to an LNS through an L2TP tunnel. If the services registered to the caller indicate that an L2TP connection to the LNS is required, the ISP LAC attempts to establish an L2TP tunnel with the LNS.

A FortiGate unit can be configured to act as an LNS. The FortiGate implementation of L2TP enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit directly, bypassing any LAC managed by an ISP. The ISP must configure its network access server to forward L2TP traffic from the remote client to the FortiGate unit directly whenever the remote client requires an L2TP connection to the FortiGate unit.

When the FortiGate unit acts as an LNS, an L2TP session and tunnel is created as soon as the remote client connects to the FortiGate unit. The FortiGate unit assigns an IP address to the client from a reserved range of IP addresses. The remote client uses the assigned IP address as its source address for the duration of the connection.

More than one L2TP session can be supported on the same tunnel. FortiGate units can be configured to authenticate remote clients using a plain text user name and password, or authentication can be forwarded to an external RADIUS or LDAP server. L2TP clients are authenticated as members of a user group.

FortiGate units support L2TP with Microsoft Point-to-Point Encryption (MPPE) encryp- tion only. Later implementations of Microsoft L2TP for Windows use IPsec and require certificates for authentication and encryption. If you want to use Microsoft L2TP with IPsec to connect to a FortiGate unit, the IPsec and certificate elements must be dis- abled on the remote client.

Traffic from the remote client must be encrypted using MPPE before it is encapsulated and routed to the FortiGate unit. Packets originating at the remote client are addressed to a computer on the private network behind the FortiGate unit. Encapsulated packets are addressed to the public interface of the FortiGate unit. See the figure below.

When the FortiGate unit receives an L2TP packet, the unit disassembles the packet and forwards the packet to the correct computer on the internal network. The security policy and protection profiles on the FortiGate unit ensure that inbound traffic is screened and processed securely.

 

L2TP encapsulation

FortiGate units cannot deliver non-IP traffic such as Frame Relay or ATM frames encapsulated in L2TP packets— FortiGate units support the IPv4 and IPv6 addressing schemes only

 

Network topology

The remote client connects to an ISP that determines whether the client requires an L2TP connection to the FortiGate unit. If an L2TP connection is required, the connection request is forwarded to the FortiGate unit directly.

 

Example L2TP configuration

 

L2TP infrastructure requirements

  • The FortiGate unit must be operating in NAT mode and have a static public IP address.
  • The ISP must configure its network access server to forward L2TP traffic from remote clients to the FortiGate unit directly.
  • The remote client must not generate non-IP traffic (Frame Relay or ATM frames).
  • The remote client includes L2TP support with MPPE encryption. If the remote client includes Microsoft L2TP with IPsec, the IPsec and certificate components must be disabled.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiGate unit as a PPTP server

1 Reply

FortiGate unit as a PPTP server

In the most common Internet scenario, the PPTP client connects to an ISP that offers PPP connections with dynamically-assigned IP addresses. The ISP forwards PPTP packets to the Internet, where they are routed to the FortiGate unit.

 

FortiGate unit as a PPTP server

 

If the FortiGate unit will act as a PPTP server, there are a number of steps to complete:

  • Configure user authentication for PPTP clients.
  • Enable PPTP.
  • Specify the range of addresses that are assigned to PPTP clients when connecting
  • Configure the security policy.

 

Configuring user authentication for PPTP clients

To enable authentication for PPTP clients, you must create user accounts and a user group to identify the PPTP clients that need access to the network behind the FortiGate unit. Within the user group, you must add a user for each PPTP client.

You can choose to use a plain text password for authentication or forward authentication requests to an external RADIUS, LDAP, or TACACS+ server. If password protection will be provided through a RADIUS, LDAP, or TACACS+ server, you must configure the FortiGate unit to forward authentication requests to the authentication server.

This example creates a basic user/password combination.

 

Configuring a user account

 

To add a local user – web-based manager

1. Go to User & Device > User > User Definition and select Create New.

2. Select Local User

3. Enter a User Name.

4. Enter a Password for the user. The password should be at least six characters.

5. Select OK.

 

To add a local user – CLI

config user local edit <username>

set type password

set passwd <password>

end

 

Configuring a user group

To ease configuration, create user groups that contain users in similar categories or departments.

 

To create a user group – web-based manager

1. Go to User & Device > User > User Group and select Create New.

2. Enter a Name for the group.

3. Select the Type of Firewall.

4. From the Available Users list, select the required users and select the right-facing arrow to add them to the

Members list.

5. Select OK.

 

To create a user group – CLI

config user group edit <group_name>

set group-type firewall set member <user_names>

end

 

Enabling PPTP and specifying the PPTP IP address range

The PPTP address range specifies the range of addresses reserved for remote PPTP clients. When a PPTP client connects to the FortiGate unit, the client is assigned an IP address from this range. Afterward, the FortiGate unit uses the assigned address to communicate with the PPTP client.

The address range that you reserve can be associated with private or routable IP addresses. If you specify a private address range that matches a network behind the FortiGate unit, the assigned address will make the PPTP client appear to be part of the internal network.

PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address range is the range of addresses reserved for remote PPTP clients. When the remote PPTP client establishes a connection, the FortiGate unit assigns an IP address from the reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP address from the PPTP user group. If you use the PPTP user group, you must also define the FortiGate end of the tunnel by entering the IP address of the unit in Local IP (web-based manager) or local-ip (CLI). The PPTP client uses the assigned IP address as its source address for the duration of the connection.

PPTP configuration is only available through the CLI. In the example below, PPTP is enabled with the use of an IP range of 182.168.1.1 to 192.168.1.10 for addressing and the user group is hr_staff.

The start and end IPs in the PPTP address range must be in the same 24-bit subnet, for example, 192.168.1.1 – 192.168.1.254.

config vpn pptp

set status enable set ip-mode range

set eip 192.168.1.10 set sip 192.168.1.1 set usrgrp hr_staff

end

 

In this example, PPTP is enabled with the use of a user group for addressing, where the IP address of the PPTP server is 192.168.1.2 and the user group is hr_admin.

config vpn pptp

set status enable set ip-mode range

set local-ip 192.168.2.1 set usrgrp hr_admin

end

 

Adding the security policy

The security policy specifies the source and destination addresses that can generate traffic inside the PPTP tunnel and defines the scope of services permitted through the tunnel. If a selection of services are required, define a service group.

 

To configure the firewall for the PPTP tunnel – web-based manager

1. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

2. Complete the following and select OK:

Incoming Interface                   The FortiGate interface connected to the Internet.

Source Address                        Select the name that corresponds to the range of addresses that you reserved for PPTP clients.

Outgoing Interface                   The FortiGate interface connected to the internal network.

Destination Address                 Select the name that corresponds to the IP addresses behind the FortiGate unit.

Schedule                                    always

Service                                       ALL

Action                                         ACCEPT

 

To configure the firewall for the PPTP tunnel – CLI

config firewall policy or  config firewall policy6 edit 1

set srcintf <interface to internet>

set dstintf <interface to internal network>

set srcaddr <reserved_range>

set dstaddr <internal_addresses>

set action accept set schedule always set service ALL

end

 

Configuring the FortiGate unit for PPTP VPN

To arrange for PPTP packets to pass through the FortiGate unit to an external PPTP server, perform the following tasks in the order given:

  • Configure user authentication for PPTP clients.
  • Enable PPTP on the FortiGate unit and specify the range of addresses that can be assigned to PPTP clients when they connect.
  • Configure PPTP pass through on the FortiGate unit.

 

Configuring the FortiGate unit for PPTP pass through

To forward PPTP packets to a PPTP server on the network behind the FortiGate unit, you need to perform the following configuration tasks on the FortiGate unit:

  • Define a virtual IP address that points to the PPTP server.
  • Create a security policy that allows incoming PPTP packets to pass through to the PPTP server.

The address range is the external (public) ip address range which requires access to the internal PPTP server through the FortiGate virtual port-forwarding firewall.

IP addresses used in this document are fictional and follow the technical doc- umentation guidelines specific to Fortinet. Real external IP addresses are not used.

 

Configuring a virtual IP address

The virtual IP address will be the address of the PPTP server host.

 

To define a virtual IP for PPTP pass through – web-based manager

1. Go to Policy & Objects > Objects > Virtual IPs.

2. Select Create New.

3. Choose the VIP Type.

4. Enter the name of the VIP, for example, PPTP_Server.

5. Select the External Interface where the packets will be received for the PPTP server.

6. Enter the External IP Address for the VIP.

7. Select Port Forwarding.

8. Set the Protocol to TCP.

9. Enter the External Service Port of 1723, the default for PPTP.

10. Enter the Map to Port to 1723.

11. Select OK.

 

To define a virtual IP for PPTP pass through – web-based manager

config firewall vip or  config firewall vip6 edit PPTP_Server

set extintf <interface> set extip <ip_address> set portforward enable set protocol tcp

set extport 1723

set mappedport 1723

set mappedip <destination IP address range>

end

You can also use config firewall vip46 to define a virtual IP from an IPv4 address to an IPv6 address or config firewall vip64 to define a virtual IP from an IPv6 address to an IPv4 address.

 

Configuring a port-forwarding security policy

To create a port-forwarding security policy for PPTP pass through you must first create an address range reserved for the PPTP clients.

 

To create an address range – web-based manager

1. Go to Policy & Objects > Objects > Addresses and select Create New.

2. Select a Category.

3. Enter a Name for the range, for example, External_PPTP.

4. Select a Type of Subnet/IP Range.

5. Enter the IP address range.

6. Select the Interface to the Internet.

7. Select OK.

 

To create an address range – CLI

config firewall address OR config firewall address6 edit External_PPTP

end

set type ip_range

set start-ip <ip_address>

set end-ip <ip_address>

set associated-interface <internet_interface>

With the address set, you can add the security policy.

 

To add the security policy – web-based manager

1. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

2. Complete the following and select OK:

Incoming Interface                   The FortiGate interface connected to the Internet.

Source Address                        Select the address range created in the previous step.

Outgoing Interface                   The FortiGate interface connected to the PPTP server.

Destination Address                 Select the VIP address created in the previous steps.

Schedule                                    always

Service                                       PPTP

Action                                         ACCEPT

 

To add the security policy – CLI

config firewall policy or  config firewall policy6 edit <policy_number>

set srcintf <interface to internet>

set dstintf <interface to PPTP server>

set srcaddr <address_range>

set dstaddr <PPTP_server_address>

set action accept set schedule always set service PPTP

end

 

Testing PPTP VPN connections

To confirm that a PPTP VPN between a local network and a dialup client has been configured correctly, at the dialup client, issue a ping command to test the connection to the local network. The PPTP VPN tunnel initializes when the dialup client attempts to connect.

 

Logging VPN events

PPTP VPN, activity is logged when enabling VPN logging. The FortiGate unit connection events and tunnel status I thi(up/down) are logged.

 

To log VPN events

1. Go to Log & Report > Log Config > Log Settings.

2. Enable the storage of log messages to one or more locations.

3. Select VPN activity event.

4. Select Apply.

 

To view event logs

1. Go to Log & Report > Event Log > VPN.

2. If the option is available from the Log Type list, select the log file from disk or memory.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!