Category Archives: FortiOS

SNMP

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is a typically a computer running an application that can read the incoming trap and event messages from the agent and send out SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager to one or more FortiGate units. FortiOS supports SNMP using IPv4 and IPv6 addressing.

By using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from that FortiGate unit or be able to query that unit.

The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read- only access to FortiGate system information through queries and can receive trap messages from the FortiGate unit.

To monitor FortiGate system information and receive FortiGate traps, you must first compile the Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiGate unit SNMP agent.

FortiGate core MIB files are available for download by going to System > Config > SNMP and selecting the download link on the page.

The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). For more information, see “Fortinet MIBs”. RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).

SNMP traps alert you to events that occur such as an a full log disk or a virus detected.

SNMP fields contain information about the FortiGate unit, such as CPU usage percentage or the number of sessions. This information is useful for monitoring the condition of the unit on an ongoing basis and to provide more information when a trap occurs.

The FortiGate SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication and encryption are configured in the CLI. See the system snmp user command in the FortiGate CLI Reference.

SNMP configuration settings

Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections by going to System > Network > Interface. Select the interface and, in the Administrative Access, select SNMP.

For VDOMS, SNMP traps can only be sent on interfaces in the management VDOM. Traps cannot be sent over other interfaces outside the management VDOM.

To configure SNMP settings, go to System > Config > SNMP.

SNMP Agent Select to enable SNMP communication.

Description Enter descriptive information about the FortiGate unit. The description can be up to 35 characters.

Location Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.

Contact Enter the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters.

SNMP v1/v2c section

To create a new SNMP community, see SNMP Community page.

Community Name The name to identify the community.

Queries Indicates whether queries protocols (v1 and v2c) are enabled or disabled. A green check mark indicates queries are enabled; a gray x indicates queries are disabled. If one query is disabled and another one enabled, there will still be a green check mark.

Traps

Indicates whether trap protocols (v1 and v2c) are enabled or disabled. A green check mark indicates traps are enabled; a gray x indicates traps are disabled. If one query is disabled and another one enabled, there will still be a green check mark.

Enable Select the check box to enable or disable the community.

SNMP v3 section

To create a new SNMP community, see SNMP Community pager.

User Name The name of the SNMPv3 user.

Security Level The security level of the user.

Notification Host The IP address or addresses of the host.

Queries Indicates whether queries are enabled or disabled. A green check mark indicates queries are enabled; a gray x indicates queries are disabled

New SNMP Community page

Community Name Enter a name to identify the SNMP community

Hosts (section)

IP Address

Enter the IP address and Identify the SNMP managers that can use the set- tings in this SNMP community to monitor the FortiGate unit.

You can also set the IP address to 0.0.0.0 to so that any SNMP manager can use this SNMP community.

Interface Optionally, select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router.

In virtual domain mode, the interface must belong to the management VDOM to be able to pass SNMP traps.

Delete Removes an SNMP manager from the list within the Hosts section.

Add Select to add a blank line to the Hosts list. You can add up to eight SNMP

managers to a single community.

Queries (section)

Protocol The SNMP protocol. In the v1 row, this means that the settings are for

SNMP v1. In the v2c row, this means that the settings are for SNMP v2c.

Port

Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive con- figuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.

Note: The SNMP client software and the FortiGate unit must use the same port for queries.

Enable Select to enable that SNMP protocol.

Traps (section)

Protocol The SNMP protocol. In the v1 row, this means that the settings are for

SNMP v1. In the v2c row, this means that the settings are for SNMP v2c.

Local

Enter the remote port numbers (port 162 for each by default) that the FortiGate unit uses to send SNMP v1 or SNMP v2c traps to the SNMP man- agers in this community. Select the Enable check box to activate traps for each SNMP version.

Note: The SNMP client software and the FortiGate unit must use the same port for traps.

Remote Enter the remote port number (port 162 is default) that the FortiGate unit uses to send SNMP v1 or v2c traps to the SNMP managers in this com- munity.

Note: The SNMP client software and the FortiGate unit must use the same port for queries.

Enable Select to activate traps for each SNMP version.

SNMP Event Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community.

CPU Over usage traps sensitivity is slightly reduced, by spreading values out over 8 polling cycles. This prevents sharp spikes due to CPU intensive short-term events such as changing a policy.

Power Supply Failure event trap is available only on some models.

AMC interfaces enter bypass mode event trap is available only on mod- els that support AMC modules.

Enable Select to enable the SNMP event.

Create New SNMP V3 User

User Name Enter the name of the user.

Security Level Select the type of security level the user will have.

Notification Host

Enter the IP address of the notification host. If you want to add more than one host, after entering the IP address of the first host, select the plus sign to add another host.

Enable Query Select to enable or disable the query. By default, the query is enabled.

Port Enter the port number in the field.

Events Select the SNMP events that will be associated with that user.

Gigabit interfaces

When determining the interface speed of a FortiGate unit with a 10G interface, the IF-MIB.ifSpeed may not return the correct value. IF-MIB.ifSpeed is a 32-bit gauge used to report interface speeds in bits/second and cannot convert to a 64-bit value. The 32-bit counter wrap the output too fast to be accurate.

In this case, you can use the value ifHighSpeed. It reports interface speeds in megabits/second. This ensures that 10Gb interfaces report the correct value.

SNMP agent

You need to first enter information and enable the FortiGate SNMP Agent. Enter information about the FortiGate unit to identify it so that when your SNMP manager receives traps from the FortiGate unit, you will know which unit sent the information.

To configure the SNMP agent – web-based manager

1. Go to System > Config > SNMP.

2. Select Enable for the SNMP Agent.

3. Enter a descriptive name for the agent.

4. Enter the location of the FortiGate unit.

5. Enter a contact or administrator for the SNMP Agent or FortiGate unit.

6. Select Apply.

To configure SNMP agent – CLI

config system snmp sysinfo set status enable

set contact-info <contact_information>

set description <description_of_FortiGate>

set location <FortiGate_location>

end

SNMP community

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP and a printer SNMP community.

Add SNMP communities to your FortiGate unit so that SNMP managers can connect to view system information and receive SNMP traps.

You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain. Traps cannot be sent over other interfaces.

To add an SNMP v1/v2c community – web-based manager

1. Go to System > Config > SNMP.

2. In the SNMP v1/v2c area, select Create New.

3. Enter a Community Name.

4. Enter the IP address and Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.

5. Select the interface if the SNMP manager is not on the same subnet as the FortiGate unit.

6. Enter the Port number that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.

7. Enter the Local and Remote port numbers that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community.

8. Select the Enable check box to activate traps for each SNMP version.

9. Select OK.

To add an SNMP v1/v2c community – CLI

config system snmp community edit <index_number>

set events <events_list>

set name <community_name>

set query-v1-port <port_number>

set query-v1-status {enable | disable}

set query-v2c-port <port_number>

set query-v2c-status {enable | disable}

set status {enable | disable} set trap-v1-lport <port_number> set trap-v1-rport <port_number>

set trap-v1-status {enable | disable}

set trap-v2c-lport <port_number>

set trap-v2c-rport <port_number>

set trap-v2c-status {enable | disable}

end

To add an SNMP v3 community – web-based manager

1. Go to System > Config > SNMP.

2. In the SNMP v3 area, select Create New.

3. Enter a User Name.

4. Select a Security Level and associated authorization algorithms.

5. Enter the IP address of the Notification Host SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.

6. Enter the Port number that the SNMP managers in this community use to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.

7. Select the Enable check box to activate traps.

8. Select OK.

To add an SNMP v3 community – CLI

config system snmp user edit <index_number>

set security-level [auth-priv | auth-no-priv | no-auth-no-priv}

set queries enable

set query-port <port_number>

set notify-hosts <ip_address>

end

set events <event_selections>

Enabling on the interface

Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections.

To configure SNMP access – web-based manager

1. Go to System > Network > Interface.

2. Choose an interface that an SNMP manager connects to and select Edit.

3. In Administrative Access, select SNMP.

4. Select OK.

To configure SNMP access – CLI

config system interface edit <interface_name>

set allowaccess snmp

end

Fortinet MIBs

If the interface you are configuring already has protocols that are allowed access, use the command append allowaccess snmp instead, or else the other protocols will be replaced. For more information, see Adding and removing options from lists.

The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.

There are two MIB files for FortiGate units – the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units. Each Fortinet product has its own MIB. If you use other Fortinet products you will need to download their MIB files as well. Both MIB files are used for FortiOS and FortiOS Carrier; there are no additional traps for the Carrier version of the operating system.

The Fortinet MIB and FortiGate MIB along with the two RFC MIBs are listed in tables in this section. You can download the two FortiGate MIB files from Fortinet Customer Support. The Fortinet MIB contains information for Fortinet products in general. the Fortinet FortiGate MIB includes the system information for The FortiGate unit and version of FortiOS. Both files are required for proper SNMP data collection.

To download the MIB files, go to System > Config > SNMP and select a MIB link in the FortiGate SNMP MIB section.

Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database to have access to the Fortinet specific information.

There were major changes to the MIB files between FortiOS Carrier v3.0 and v4.0. You need to use the new MIBs for FortiOS Carrier v4.0 or you may mistakenly access the wrong traps and fields.

MIB files are updated for each version of FortiOS. When upgrading the firmware ensure that you updated the Fortinet FortiGate MIB file as well.

Fortinet MIBs

MIB file name or RFC Description

FORTINET–CORE–MIB.mib The Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products.

Your SNMP manager requires this information to monitor FortiGate unit configuration settings and receive traps from the FortiGate SNMP agent.

FORTINET–FORTIGATE– MIB.mib

The FortiGate MIB includes all system configuration information and trap information that is specific to FortiGate units.

Your SNMP manager requires this information to monitor FortiGate con- figuration settings and receive traps from the FortiGate SNMP agent. FortiManager systems require this MIB to monitor FortiGate units.

RFC–1213 (MIB II) The FortiGate SNMP agent supports MIB II groups with these exceptions.

No support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).

Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate inform- ation can be obtained from the information reported by the Fortinet MIB.

RFC–2665 (Ethernet-like MIB)

The FortiGate SNMP agent supports Ethernet-like MIB information. FortiGate SNMP does not support for the dot3Tests and dot3Errors groups.

SNMP get command syntax

Normally, to get configuration and status information for a FortiGate unit, an SNMP manager would use an SNMP get commands to get the information in a MIB field. The SNMP get command syntax would be similar to:

snmpget -v2c -c <community_name> <address_ipv4> {<OID> | <MIB_field>}

…where…

<community_name> is an SNMP community name added to the FortiGate configuration. You can add more than one community name to a FortiGate SNMP configuration. The most commonly used community name is public.

<address_ipv4> is the IP address of the FortiGate interface that the SNMP manager connects to.

{<OID> | <MIB_field>} is the object identifier (OID) for the MIB field or the MIB field name itself.

The SNMP get command gets firmware version running on the FortiGate unit. The community name is public. The IP address of the interface configured for SNMP management access is 10.10.10.1. The firmware version MIB field is fgSysVersion and the OID for this MIB field is 1.3.6.1.4.1.12356.101.4.1.1 The first command uses the MIB field name and the second uses the OID:

snmpget -v2c -c public 10.10.10.1 fgSysVersion.0

snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.101.4.1.1.0

The OIDs and object names used in these examples are dependent on the version of MIB and are subject to change.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Alert email

Leave a reply

Alert email

As an administrator, you want to be certain you can respond quickly to issues occurring on your network or on the FortiGate unit. Alert emails provide an efficient and direct method of notifying an administrator of events. By configuring alert messages, you can define the threshold when a problem becomes critical and needs attention. When this threshold is reached, the FortiGate unit will send an email to one or more individuals, notifying them of the issue.

In the following example, the FortiGate unit is configured to send email to two administrators (admin1 and admin2) when multiple intrusions are detected every two minutes. The FortiGate unit has its own email address on the mail server.

To configure the email service

1. Go to System > Config > Advanced.

2. In the Email Service, complete the following and select Apply:

SMTP Server Enter the address or name of the email server. For example, smt- p.example.com.

Default Reply To Enter an email address to associate with the alert email. This field is optional. If you enter an email address here, it overrides the email address entered when configuring alert email in Log & Report > Alert E-mail.

Authentication Enable authentication if required by the email server.

Security mode Choose between None, SMTPS or STARTTLS

Port 25

To configure alert email – web-based manager

1. Go to Log & Report > Log Config > Alert E-mail.

2. Enter the information:

Email from fortigate@example.com

Email to admin1@example.com admin2@example.com

3. For the Interval Time, enter 2.

4. Select Intrusion Detected.

5. Select Apply.

To configure alert email – CLI

config system email-server set port 25

set server smtp.example.com set authenticate enable

set username FortiGate

set password *************

end

config alertemail setting

set username fortigate@example.com set mailto1 admin1@example.com

set mailto2 admin2@example.com set filter category

set IPS-logs enable end

Packet Capture

Leave a reply

Packet Capture

When troubleshooting networks, it helps to look inside the header of the packets. This helps to determine if the packets, route, and destination are all what you expect. Packet capture can also be called a network tap, packet sniffing, or logic analyzing.

To use the packet capture.

1. Go to System > Network > Packet Capture.

2. Select Create New or select an existing entry if you’ve already made one that fits your needs.

3. Select the interface to monitor and select the number of packets to keep.

4. Select Enable Filters.

5. Enter the information you want to gather from the packet capture.

6. Select OK.

To run the capture, select the play button in the progress column in the packet capture list. If not active, Not Running will also appear in the column cell. The progress bar will indicate the status of the capture. You can stop and restart it at any time.

When the capture is complete, select the Download icon to save the packet capture file to your hard disk for further analysis.

Packet capture tells you what is happening on the network at a low level. This can be very useful for troubleshooting problems, such as:

finding missing traffic
seeing if sessions are setting up properly
locating ARP problems such as broadcast storm sources and causes
confirming which address a computer is using on the network if they have multiple addresses or are on multiple networks
confirming routing is working as you expect
wireless client connection problems
intermittent missing PING packets
a particular type of packet is having problems, such as UDP, which is commonly used for streaming video

If you are running a constant traffic application such as ping, packet capture can tell you if the traffic is reaching the destination, how the port enters and exits the FortiGate unit, if the ARP resolution is correct, and if the traffic is returning to the source as expected. You can also use packet switching to verify that NAT or other configuration is translating addresses or routing traffic the way that you want it to.

Before you start capturing packets, you need to have a good idea of what you are looking for. Capture is used to confirm or deny your ideas about what is happening on the network. If you try capture without a plan to narrow your search, you could end up with too much data to effectively analyze. On the other hand, you need to capture enough packets to really understand all of the patterns and behavior that you are looking for.

Monitoring

3 Replies

Monitoring

With network administration, the first step is installing and configuring the FortiGate unit to be the protector of the internal network. Once the system is running efficiently, the next step is to monitor the system and network traffic, making configuration changes as necessary when a threat or vulnerability is discovered.

This chapter discusses the various methods of monitoring both the FortiGate unit and the network traffic through a range of different tools available within FortiOS.

This section includes the topics:

Dashboard
sFlow
Monitor menus
Logging
Alert email
SNMP
SNMP get command syntax

Dashboard

The FortiOS dashboard provides a location to view real-time system information. By default, the dashboard displays the key statistics of the FortiGate unit itself, providing the memory and CPU status, as well as the health of the ports, whether they are up or down and their throughput.

Widgets

Within the dashboard is a number of smaller windows, called widgets, that provide this status information. Beyond what is visible by default, you can add a number of other widgets that display other key traffic information including application use, traffic per IP address, top attacks, traffic history and logging statistics.

You can add multiple dashboards to reflect what data you want to monitor, and add the widgets accordingly. Dashboard configuration is only available through the web-based manager. Administrators must have read and write privileges to customize and add widgets when in either menu. Administrators must have read privileges if they want to view the information.

To add a dashboard and widgets

1. Go to System > Dashboard > Status.

2. Select the Dashboard menu at the top of the window and select Add Dashboard.

3. Enter a name.

4. Select the Widget menu at the top of the window.

5. From the screen, select the type of information you want to add.

6. When done, select the X in the top right of the widget.

Dashboard widgets provide an excellent method to view real-time data about the events occurring on the

FortiGate unit and the network. For example, by adding the Network Protocol Usage widget, you can monitor the activity of various protocols over a selected span of time. Based on that information you can add or adjust traffic shaping and/or security policies to control traffic.

FortiClient software

The License Information widget includes information for the FortiClient connections. It displays the number of FortiClient connections allowed and the number of users connecting. By selecting the Details link for the number of connections, you can view more information about the connecting user, including IP address, user name, and type of operating system the user is connecting with.

Included with this information is a link for Mac and Windows. Selecting these links automatically downloads the FortiClient install file (.dmg or .exe) to the management computer.

sFlow

sFlow is a method of monitoring the traffic on your network to identify areas on the network that may impact performance and throughput. FortiOS implements sFlow version 5.

sFlow uses packet sampling to monitor network traffic. The sFlow Agent captures packet information at defined intervals and sends them to an sFlow Collector for analysis, providing real-time data analysis. The information sent is only a sampling of the data for minimal impact on network throughput and performance.

The sFlow Agent is embedded in the FortiGate unit. Once configured, the FortiGate unit sends sFlow datagrams of the sampled traffic to the sFlow Collector, also called an sFlow Analyzer. The sFlow Collector receives the datagrams, and provides real-time analysis and graphing to indicate where potential traffic issues are occurring. sFlow Collector software is available from a number of third party software vendors.

sFlow data captures only a sampling of network traffic, not all traffic like the traffic logs on the FortiGate unit. Sampling works by the sFlow Agent looking at traffic packets when they arrive on an interface. A decision is made whether the packet is dropped and allowed to be to its destination or if a copy is forwarded to the sFlow Collector. The sample used and its frequency are determined during configuration.

sFlow is not supported on virtual interfaces such as vdom link, ipsec, ssl.root or gre. The sFlow datagram sent to the Collector contains the information:

Packet header (e.g. MAC,IPv4,IPv6,IPX,AppleTalk,TCP,UDP, ICMP)
Sample process parameters (rate, pool etc.)
Input/output ports
Priority (802.1p and TOS)
VLAN (802.1Q)
Source/destination prefix
Next hop address
Source AS, Source Peer AS
Destination AS Path
Communities, local preference
User IDs (TACACS/RADIUS) for source/destination
URL associated with source/destination
Interface statistics (RFC 1573, RFC 2233, and RFC 2358)

sFlow agents can be added to any type of FortiGate interface. sFlow isn’t supported on some virtual interfaces such as VDOM link, IPsec, gre, and ssl.root.

For more information on sFlow, Collector software and sFlow MIBs, visit www.sflow.org.

Configuration

sFlow configuration is available only from the CLI. Configuration requires two steps: enabling the sFlow Agent and configuring the interface for the sampling information.

Enable sFlow

config system sflow

set collector-ip <ip_address>

set collector-port <port_number>

set source-ip <ip_address>

end

The default port for sFlow is UDP 6343. To configure in VDOM, use the commands:

config system vdom-sflow set vdom-sflow enable

set collector-ip <ip_address>

set collector-port <port_number>

set source-ip <ip_address>

end

Configure sFlow agents per interface.

config system interface edit <interface_name>

set sflow-sampler enable

set sample-rate <every_n_packets>

set sample-direction [tx | rx | both]

set polling-interval <seconds>

end

Monitor menus

The Monitor menus enable you to view session and policy information and other activity occurring on your FortiGate unit. The monitors provide the details of user activity, traffic and policy usage to show live activity. Monitors are available for DHCP, routing, security policies, traffic shaping, load balancing, security features, VPN, users, WiFi, and logging.

Logging

FortiOS provides a robust logging environment that enables you to monitor, store, and report traffic information and FortiGate events, including attempted log ins and hardware status. Depending on your requirements, you can log to a number of different hosts.

To configure logging in the web-based manager, go to Log & Report > Log Config > Log Settings. To configure logging in the CLI use the commands config log <log_location>.

For details on configuring logging see the Logging and Reporting Guide.

If you will be using several FortiGate units, you can also use a FortiAnalyzer unit for logging. For more information, see the FortiAnalyzer Administration Guide.

FortiCloud

The FortiCloud is a subscription-based hosted service. With this service, you can have centralized management, logging, and reporting capabilities available in FortiAnalyzer and FortiManager platforms, without any additional hardware to purchase, install or maintain. In most cases, FortiCloud is the recommended location for saving and viewing logs.

This service includes a full range of reporting, analysis and logging, firmware management and configuration revision history. It is hosted within the Fortinet global FortiGuard Network for maximum reliability and performance, and includes reporting, and drill-down analysis widgets makes it easy to develop custom views of network and security events.

The FortiGate unit sends log messages to the FortiCloud using TCP port 443. Configuration is available once a user account has been set up and confirmed. To enable the account on the FortiGate unit, go to System > Dashboard > Status, in the Licence Information widget select Activate, and enter the account ID.

For FortiCloud traffic, you can identify a specific port/IP address for logging traffic. Configuration of these services is performed in the CLI, using the command set source-ip. When configured, this becomes the dedicated port to send this traffic over.

For example, to set the source IP of the FortiCloud server to be on the DMZ1 port with an IP of 192.168.4.5, the commands are:

config log fortiguard setting set status enable

set source-ip 192.168.4.5 end

From the FortiGate unit, you can configure the connection and sending of log messages to be sent over an SSL tunnel to ensure log messages are sent securely. To do this, use the CLI commands to enable the encrypted connection and define the level of encryption.

config log fortiguard setting set status enable

set enc-alogorithm {default | high | low | disable}

end

FortiGate memory

Logs are saved to the internal memory by default. Inexpensive yet volatile, for basic event logs or verifying traffic, AV or spam patterns, logging to memory is a simple option. However, because logs are stored in the limited space of the internal memory, only a small amount is available for logs. As such logs can fill up and be overridden with new entries, negating the use of recursive data. This is especially true for traffic logs. Also, should the FortiGate unit be shut down or rebooted, all log information will be lost.

FortiGate hard disk

For those FortiGate units with an internal hard disk or SDHC card, you can store logs to this location. Efficient and local, the hard disk provides a convenient storage location. If you choose to store logs in this manner, remember to backup the log data regularly.

Configure log disk settings is performed in the CLI using the commands:

config log disk setting

set status enable end

Further options are available when enabled to configure log file sizes, and uploading/backup events.

As well, note that the write speeds of hard disks compared to the logging of ongoing traffic may cause the dropping such, it is recommended that traffic logging be sent to a FortiAnalyzer or other device meant to handle large volumes of data.

Syslog server

An industry standard for collecting log messages, for off-site storage. In the web-based manager, you are able to send logs to a single syslog server, however in the CLI you can configure up to three syslog servers where you can also use multiple configuration options. For example, send traffic logs to one server, antivirus logs to another.

The FortiGate unit sends Syslog traffic over UDP port 514. Note that if a secure tunnel is configured for communication to a FortiAnalyzer unit, then Syslog traffic will be sent over an IPsec connection, using UPD 500/4500, Protocol IP/50.

To configure a Syslog server in the web-based manager, go to Log & Report > Log Config > Log Settings. In the CLI use the commands:

config log syslogd setting set status enable

set server <IP address or FQDN of syslog server>

end

Further options are available when enabled to configure a different port, facility and server IP address.

For Syslog traffic, you can identify a specific port/IP address for logging traffic. Configuration of these services is performed in the CLI, using the command set source-ip. When configured, this becomes the dedicated port to send this traffic over.

For example, to set the source IP of a Syslog server to be on the DMZ1 port with an IP of 192.168.4.5, the commands are:

config log syslogd setting set status enable

set source-ip 192.168.4.5 end

FortiAnalyzer

The FortiAnalyzer family of logging, analyzing, and reporting appliances securely aggregate log data from Fortinet devices and other syslog-compatible devices. Using a comprehensive suite of easily-customized reports, users can filter and review records, including traffic, event, virus, attack, Web content, and email data, mining the data to determine your security stance and assure regulatory compliance. FortiAnalyzer also provides advanced security management functions such as quarantined file archiving, event correlation, vulnerability assessments, traffic analysis, and archiving of email, Web access, instant messaging and file transfer content.

The FortiGate unit sends log messages over UDP port 514 or OFTP (TCP 514). If a secure connection has been configured, log traffic is sent over UDP port 500/4500, Protocol IP/50.

For FortiAnalyzer traffic, you can identify a specific port/IP address for logging traffic. Configuration of these services is performed in the CLI, using the command set source-ip. When configured, this becomes the dedicated port to send this traffic over.

For example, to set the source IP of a FortiAnalyzer unit to be on port 3 with an IP of 192.168.21.12, the commands are:

config log fortiguard setting set status enable

set source-ip 192.168.21.12 end

Sending logs using a secure connection

From the FortiGate unit, you can configure the connection and sending of log messages over an SSL tunnel to ensure log messages are sent securely. To do this, use the CLI commands below to enable the encrypted connection and define the level of encryption.

You must configure the secure tunnel on both ends of the tunnel, the FortiGate unit and the FortiAnalyzer unit.

To configure a secure connection to the FortiAnalyzer unit

On the FortiAnalyzer unit, enter the commands:

config log device edit <device_name>

set secure psk

set psk <name_of_IPsec_tunnel>

set id <fortigate_device_name_on_the_fortianalyzer>

end

To configure a secure connection on the FortiGate unit

On the FortiGate CLI, enter the commands:

config log fortianalyzer setting set status enable

set server <ip_address>

set localid <name_of_IPsec_tunnel>

end

Configuring an SSL connection

An SSL connection can be configured between the two devices, and an encryption level selected. Use the CLI commands to configure the encryption connection:

config log fortianalyzer setting

set status enable

set enc-algorithm {default* | high | low | disable}

end

The default encryption automatically sets high and medium encryption algorithms. Algorithms used for high, medium, and low follows openssl definitions:

High – Key lengths larger than 128 bits, and some cipher suites with 128-bit keys.

Algorithms are: DHE-RSA-AES256-SHA:AES256-SHA: EDH-RSA-DES-CBC3-SHA: DES-CBC3-SHA:DES-CBC3- MD5:DHE-RSA-AES128-SHA:AES128-SHA

Medium – Key strengths of 128 bit encryption. Algorithms are: RC4-SHA:RC4-MD5:RC4-MD
Low – Key strengths of 64 or 56 bit encryption algorithms but excluding export cipher suites

Algorithms are: EDH-RSA-DES-CDBC-SHA; DES-CBC-SHA; DES-CBC-MD5.

If you want to use an IPsec tunnel to connect to the FortiAnalyzer unit, you need to first disable the enc-algorithm:

config log fortianalyzer setting set status enable

set enc-algorithm disable

Then set the IPsec encryption:

set encrypt enable

set psksecret <preshared_IPsec_tunnel_key>

end

Administrative domains

Leave a reply

Administrative domains

FortiManager administrative domains enable the super_admin to create groupings of devices for configured administrators to monitor and manage. FortiManager can manage a large number of Fortinet appliances. This enables administrators to maintain managed devices specific to their geographic location or business division. This also includes FortiGate units with multiple configured VDOMs.

Each administrator is tied to an administrative domain (ADOM). When that particular administrator logs in, they see only those devices or VDOMs configured for that administrator and ADOM. The one exception is the super_ admin account that can see and maintain all administrative domains and the devices within those domains.

Administrative domains are not enabled by default and enabling and configuring the domains can only be performed by the super_admin.

The maximum number of administrative domains you can add depends on the FortiManager system model. See the FortiManager Administration Guide for information on the maximums for each model.

Backup and restore configurations

Leave a reply

Backup and restore configurations

A FortiManager unit stores configuration files for backup and restore purposes. A FortiManager also enables you to save revisions of configuration files. Configuration backups occur automatically when the administrator logs out or the administrator login session expires.

FortiManager also enables you to view differences between different configurations to view where changes have been made.

Central Management FortiGuard

Leave a reply

FortiGuard

FortiManager can also connect to the FortiGuard Distribution Network (FDN) to receive push updates for IPS signatures and antivirus definitions. These updates can then be used to update multiple FortiGate units throughout an organization. By using the FortiManager as the host for updates, bandwidth use is minimized as updates are downloaded to one source instead of many.

To receive IPS and antivirus updates from FortiManager, indicate an alternate IP address on the FortiGate unit.

To configure updates from FortiManager

1. Go to System > Config > FortiGuard.

2. Select AntiVirus and IPS Options to expand the options.

3. Enable both Allow Push Update and Use override push IP.

4. Enter the IP address of the FortiManager unit.

5. Select Apply.

Central Management Firmware Updates

Leave a reply

Firmware updates

A FortiManager unit can also perform firmware updates for multiple FortiGate units, saving time rather than upgrading each FortiGate unit individually.

The FortiManager unit stores local copies of firmware images, either by downloading images from the Fortinet Distribution Network (FDN) or by accepting firmware images that are uploaded from the management computer.

If you are using the FortiManager unit to download firmware images, the FDN first validates device licenses and support contracts and then provides a list of currently available firmware images. For devices with valid Fortinet Technical Support contracts, you can download new firmware images from the FDN and the firmware release notes.

After firmware images have been either downloaded from the FDN or imported to the firmware list, you can either schedule or immediately upgrade/downgrade a device or group of device’s firmware.

See the FortiManager Administration Guide for more information on updating the FortiGate firmware using the FortiManager central management.