Replacement messages list

Leave a reply

Replacement messages list

The replacement message list in System > Config > Replacement Messages.

The replacement messages list enables you to view and customize replacement messages. Use the expand arrow beside each type to display the replacement messages for that category. Select the Edit icon beside each replacement message to customize that message for your requirements.

Should you make a major error to the code, you can select the Restore Default to return to the original message and code base.

If you are viewing the replacement messages list in a VDOM, any messages that have been customized for that VDOM are displayed with a Reset icon that you can use to reset the replacement message to the global version.

For connections requiring authentication, the FortiGate unit uses HTTP to send an authentication disclaimer page for the user to accept before a security policy is in effect. Therefore, the user must initiate HTTP traffic first in order to trigger the authentication disclaimer page. Once the disclaimer is accepted, the user can send whatever traffic is allowed by the security policy.

 

Replacement message images

You can add images to replacement messages to:

  • Disclaimer pages
  • Login pages
  • Declined disclaimer pages
  • Login failed page
  • Login challenge pages
  • Keepalive pages

Image embedding is also available to the endpoint NAC download portal and recommendation portal replacement messages, as well as HTTP replacement messages.

Supported image formats are GIF, JPEG, TIFF and PNG. The maximum file size supported is 6000 bytes.

 

Adding images to replacement messages

 

To upload an image for use in a message

1. Go to System > Config > Replacement Messages.

2. Select Manage Images at the top of the page.

3. Select Create New.

4. Enter a Name for the image.

5. Select the Content Type.

6. Select Browse to locate the file and select OK.

The image that you include in a replacement message, must have the following html:

<img src=%%IMAGE: <config_image_name>%% size=<bytes> >

 

For example:

<img src=%%IMAGE: logo_hq%% size=4272>

 

Modifying replacement messages

Replacement messages can be modified to include a message or content that suits your organization.

Use the expand arrows to view the replacement message list for a given category. Messages are in HTML format. To change a replacement message, go to System > Config > Replacement Messages select the replacement message that you want to modify. At the bottom pane of the window, you can see the message on one side and the HTML code on the other side. The message view changes in real-time as you change the content.

A list of common replacement messages appears in the main window. To see the entire list and all categories of replacement messages, in the upper-right corner of the window, select Extended View.

 

Alert Mail replacement messages

The FortiGate unit adds the alert mail replacement messages listed in the following table to alert email messages sent to administrators. If you enable the option Send alert email for logs based on severity, whether or not replacement messages are sent by alert email depends on how you set the alert email in Minimum log level.

 

Authentication replacement messages

The FortiGate unit uses the text of the authentication replacement messages for various user authentication HTML pages that are displayed when a user is required to authenticate because a security policy includes at least one identity-based policy that requires firewall users to authenticate.

These replacement message pages are for authentication using HTTP and HTTPS. You cannot customize the firewall authentication messages for FTP and Telnet.

The authentication login page and the authentication disclaimer include replacement tags and controls not found on other replacement messages.

Users see the authentication login page when they use a VPN or a security policy that requires authentication. You can customize this page in the same way as you modify other replacement messages.

There are some unique requirements for these replacement messages:

  • The login page must be an HTML page containing a form with ACTION=”/” and METHOD=”POST”
  • The form must contain the following hidden controls:
  • <INPUT TYPE=”hidden” NAME=”%%MAGICID%%” VALUE=”%%MAGICVAL%%”> l  <INPUT TYPE=”hidden” NAME=”%%STATEID%%” VALUE=”%%STATEVAL%%”> l  <INPUT TYPE=”hidden” NAME=”%%REDIRID%%” VALUE=”%%PROTURI%%”>
  • The form must contain the following visible controls:
  • <INPUT TYPE=”text” NAME=”%%USERNAMEID%%” size=25>
  • <INPUT TYPE=”password” NAME=”%%PASSWORDID%%” size=25>

 

Example

The following is an example of a simple authentication page that meets the requirements listed above.

 

<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>

<BODY><H4>You must authenticate to use this service.</H4>

<FORM ACTION=”/” method=”post”>

<INPUT NAME=”%%MAGICID%%” VALUE=”%%MAGICVAL%%” TYPE=”hidden”>

<TABLE ALIGN=”center” BGCOLOR=”#00cccc” BORDER=”0″ CELLPADDING=”15″ CELLSPACING=”0″ WIDTH=”320″><TBODY>

<TR><TH>Username:</TH>

<TD><INPUT NAME=”%%USERNAMEID%%” SIZE=”25″ TYPE=”text”> </TD></TR>

<TR><TH>Password:</TH>

<TD><INPUT NAME=”%%PASSWORDID%%” SIZE=”25″ TYPE=”password”> </TD></TR>

<TR><TD COLSPAN=”2″ ALIGN=”center” BGCOLOR=”#00cccc”>

<INPUT NAME=”%%STATEID%%” VALUE=”%%STATEVAL%%” TYPE=”hidden”>

<INPUT NAME=”%%REDIRID%%” VALUE=”%%PROTURI%%” TYPE=”hidden”>

<INPUT VALUE=”Continue” TYPE=”submit”> </TD></TR>

</TBODY></TABLE></FORM></BODY></HTML>

 

Captive Portal Default replacement messages

The Captive Portal Default replacement messages are used for wireless authentication only. You must have a VAP interface with the security set as captive portal to trigger these replacement messages.

 

Device Detection Portal replacement message

The FortiGate unit displays the replacement message when the FortiGate unit cannot determine the type of BYOD or handheld device is used to connect the network.

 

Email replacement messages

The FortiGate unit sends the mail replacement messages to email clients using IMAP, POP3, or SMTP when an event occurs such as antivirus blocking a file attached to an email that contains a virus. Email replacement messages are text messages.

If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also be added to IMAPS, POP3S, and SMTPS email messages.

 

Endpoint Control replacement message

The FortiGate unit displays the replacement message when the FortiClient Endpoint Security software is not installed or registered correctly with the FortiGate unit.

 

FTP replacement messages

The FortiGate unit sends the FTP replacement messages listed in the table below to FTP clients when an event occurs such as antivirus blocking a file that contains a virus in an FTP session. FTP replacement messages are text messages.

 

FortiGuard Web Filtering replacement messages

The FortiGate unit sends the FortiGuard Web Filtering replacement messages listed in the table to web browsers using the HTTP protocol when FortiGuard web filtering blocks a URL, provides details about blocked HTTP 4xx and 5xx errors, and for FortiGuard overrides. FortiGuard Web Filtering replacement messages are HTTP pages.

If the FortiGate unit supports SSL content scanning and inspection and if Protocol Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the antivirus profile, these replacement messages can also replace web pages downloaded using the HTTPS protocol.

 

HTTP replacement messages

The FortiGate unit sends the HTTP replacement messages listed in the following table to web browsers using the HTTP protocol when an event occurs such as antivirus blocking a file that contains a virus in an HTTP session. HTTP replacement messages are HTML pages.

If the FortiGate unit supports SSL content scanning and inspection, and if under HTTPS in the protocol option list has Enable Deep Scan enabled, these replacement messages can also replace web pages downloaded using the HTTPS protocol.

 

IM replacement messages

The FortiGate unit sends the IM replacement messages listed in to IM clients using AIM, ICQ, MSN, or Yahoo! Messenger when an event occurs such as antivirus blocking a file attached to an email that contains a virus. IM replacement messages are text messages.

 

NNTP replacement messages

The FortiGate unit sends the NNTP replacement messages listed in the following table to NNTP clients when an event occurs such as antivirus blocking a file attached to an NNTP message that contains a virus. NNTP replacement messages are text messages.

 

Spam replacement messages

The FortiGate unit adds the Spam replacement messages listed in the following table to SMTP server responses if the email message is identified as spam and the spam action is discard. If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also be added to SMTPS server responses.

 

NAC quarantine replacement messages

The page that is displayed for the user depends on whether NAC quarantine blocked the user because a virus was found, a DoS sensor detected an attack, an IPS sensor detected an attack, or a DLP rule with action set to Quarantine IP address or Quarantine Interface matched a session from the user.

The default messages inform the user of why they are seeing this page and recommend they contact the system administrator. You can customize the pages as required, for example to include an email address or other contact information or if applicable a note about how long the user can expect to be blocked.

 

SSL VPN replacement message

The SSL VPN login replacement message is an HTML replacement message that formats the FortiGate SSL VPN portal login page. You can customize this replacement message according to your organization’s needs. The page is linked to FortiGate functionality and you must construct it according to the following guidelines to ensure that it will work.

  • The login page must be an HTML page containing a form with ACTION=”%%SSL_ACT%%” and METHOD=”%%SSL_METHOD%%”
  • The form must contain the %%SSL_LOGIN%% tag to provide the login form.
  • The form must contain the %%SSL_HIDDEN%% tag.

 

Web Proxy replacement messages

The FortiGate unit sends Web Proxy replacement messages listed in the table below when a web proxy event occurs that is detected and matches the web proxy configuration. These replacement messages are web pages that appear within your web browser.

The following web proxy replacement messages require an identity-based security policy so that the web proxy is successful. You can also enable FTP-over-HTTP by selecting the FTP option in System > Network > Explicit Proxy.

 

Traffic quota control replacement messages

When user traffic is going through the FortiGate unit and it is blocked by traffic shaping quota controls, users see the Traffic shaper block message or the Per IP traffic shaper block message when they attempt to connect through the FortiGate unit using HTTP.

The traffic quota HTTP pages should contain the %%QUOTA_INFO%% tag to display information about the traffic shaping quota setting that is blocking the user.

 

MM1 replacement messages

MM1 replacement messages are sent when, during MMS content scanning, FortiOS Carrier detects, for example a virus, using the MMS profile.

You must have Remove Blocked selected within the MMS profile if you want to remove the content that is intercepted during MMS scanning on the FortiGate unit.

 

MM3 replacement messages

MM3 replacement messages are sent when, during MMS content scanning, FortiOS Carrier detects, for example a virus, using the MMS profile.

You must have Remove Blocked selected within the MMS profile if you want to remove the content that is intercepted during MMS scanning on the unit.

 

MM4 replacement messages

MM4 replacement messages are sent when, during MMS content scanning, FortiOS Carrier detects, for example a virus, using the MMS profile.

 

MM7 replacement messages

MM7 replacement messages are sent when, during MMS content scanning, FortiOS Carrier detects, for example a virus, using the MMS profile.

 

MMS replacement messages

The MMS replacement message is sent when a section of an MMS message has been replaced because it contains a blocked file. This replacement message is in HTML format.

 

The message text is:

<HTML><BODY>This section of the message has been replaced because it contained a blocked file</BODY></HTML>

 

Replacement message groups

Replacement message groups enable you to view common messages in groups for large carriers. Message groups can be configured by going to Config > Replacement Message Group.

Using the defined groups, you can manage specific replacement messages from a single location, rather than searching through the entire replacement message list.

If you enable virtual domains (VDOMs) on the FortiGate unit, replacement message groups are configured separately for each virtual domain. Each virtual domain has its own default replacement message group, configured from System > Config > Replacement Messages Group.

When you modify a message in a replacement message group, a Reset icon appears beside the message in the group. You can select this Reset icon to reset the message in the replacement message group to the default version.

All MM1/4/7 notification messages for FortiOS Carrier (and MM1 retrieve-conf messages) can contain a SMIL layer and all MM4 notification messages can contain an HTML layer in the message. These layers can be used to brand messages by using logos uploaded to the FortiGate unit via the ‘Manage Images’ link found on the replacement message group configuration page.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Administration for schools

Leave a reply

Administration for schools

For system administrator in the school system it is particularly difficult to maintain a network and access to the Internet. There are potential legal liabilities if content is not properly filtered and children are allowed to view pornography and other non-productive and potentially dangerous content. For a school, too much filtering is better than too little. This section describes some basic practices administrators can employ to help maintain control without being too draconian for access to the internet.

 

Security policies

The default security policies in FortiOS allow all traffic on all ports and all IP addresses. Not the most secure. While applying UTM profiles can help to block viruses, detect attacks and prevent spam, this doesn’t provide a solid overall security option. The best approach is a layered approach; the first layer being the security policy.

When creating outbound security policies, you need to know the answer to the question “What are the students allowed to do?” The answer is surf the web, connect to FTP sites, send/receive email, and so on.

Once you know what the students need to do, you can research the software used and determine the ports the applications use. For example, if the students only require web surfing, then there are only two ports (80 – HTTP and 443 – HTTPS) needed to complete their tasks. Setting the security policies to only allow traffic through two ports (rather than all 65,000), this will significantly lower any possible exploits. By restricting the ports to known services, means stopping the use of proxy servers, as many of them operate on a non-standard port to hide their traffic from URL filtering or HTTP inspection.

 

DNS

Students should not be allowed to use whatever DNS they want. this opens another port for them to use and potentially smuggle traffic on. The best approach is to point to an internal DNS server and only allow those devices out on port 53. Its the same approach one would use for SMTP. Only allow the mail server to use port 25 since nothing else should be sending email.

If there is no internal DNS server, then the list of allowed DNS servers they can use should be restrictive. One possible exploit would be for them to set up their own DNS server at home that serves different IPs for known hosts, such as having Google.com sent back the IP for playboy.com.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2 3

IP addresses for self-originated traffic

Leave a reply

IP addresses for self-originated traffic

On the FortiGate unit, there are a number of protocols and traffic that is specific to the internal workings of FortiOS. For many of these traffic sources, you can identify a specific port/IP address for this self-originating traffic. The following traffic can be configured to a specific port/IP address:

  • SNMP
  • Syslog
  • alert email
  • FortiManager connection IP
  • FortiGuard services
  • FortiAnalyzer logging
  • NTP
  • DNS
  • Authorization requests such as RADIUS
  • FSSO

Configuration of these services is performed in the CLI. In each instance, there is a command set source-ip. For example, to set the source IP of NTP to be on the DMZ1 port with an IP of 192.168.4.5, the commands are:

config system ntp

set ntpsync enable set syncinterval 5

set source-ip 192.168.4.5 end

 

To see which services are configured with source-ip settings, use the get command:

get system source-ip status

 

The output will appear similar to the sample below:

NTP: x.x.x.x DNS: x.x.x.x SNMP: x.x.x.x

Central Management: x.x.x.x

FortiGuard Updates (AV/IPS): x.x.x.x

FortiGuard Queries (WebFilter/SpamFilter): x.x.x.x


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiClient discovery and registration

Leave a reply

FortiClient discovery and registration

FortiOS provides, FortiHeartBeat, a means of allowing users running FortiClient Endpoint Control software to connect to specific interfaces when connecting to the FortiGate unit. As well as ensuring that remote or local users have FortiClient Endpoint Control software installed on their PC or mobile device.

 

FortiClient discovery

You can configure a FortiGate interface as an interface that will accept FortiClient connections. When configured, the FortiGate unit sends broadcast messages which the FortiClient software running on an end user PC is listening for.

 

To enable the broadcast message

1. Go to System > Network > Interface.

2. Edit the interface to send the broadcast messages.

3. Select FortiHeartBeat.

4. In Admission Control, select Enforce FortiHeartBeat for all FortiClients.

5. Select OK.

Once enabled, the FortiGate unit broadcasts a discovery message that includes the IP address of the interface and listening port number to the local network. All PCs running FortiClient on that network listen for this discovery message.

You also have the option of including a registration key. When the FortiClient discovers the FortiGate unit, it is prompted to enter a registration key, defined by the administrator.

 

To add a registration key

1. Go to System > Config > Advanced.

2. Select Enable Registration Key for FortiClient, and enter the key.

3. Select Apply.

Ensure you distribute the key to the users that need to connect to the FortiGate unit.

 

FortiClient Registration

On the end user side, if FortiClient has not been registered with the FortiGate unit, it is continually listening for the FortiGate discovery message. When this message is detected the un-registered client will pop-up a FortiGate Detected message. The user can choose to either register or ignore the message.

Clients that have registered with that FortiGate unit will not be listening for these messages and will not display the message again.

If you enabled the registration key, the user is prompted to enter the key before a connection can be completed.

There can be some confusion when discussing the compatibility of FortiClient with FortiGate. There is technical compatibility and licensing compatibility. FortiClient software may not be licence compatible with previous versions of FortiOS.

For instance, while FortiClient 5.2 software is technologically compatible with a FortiGate running FortiOS 5.0 firmware. A FortiGate running FortiOS 5.0 will not recognize the FortiClient 5.2 licence code. Depending on the restrictions of your particular situation, you can:

  • Use FortiClient 5.2 without licensing
  • Use FortiClient 5.0 with licensing
  • Upgrade to FortiOS firmware 5.2

 

For more information on FortiGate registration, see the FortiClient Administration Guide.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Dynamic DNS

5 Replies

Dynamic DNS

If your ISP changes your external IP address on a regular basis, and you have a static domain name, you can configure the external interface to use a dynamic DNS service to ensure external users and/or customers can always connect to your company firewall.

If you have a FortiGuard subscription, you can use FortiGuard as your DDNS server. To configure dynamic DNS in the web-based manager, go to System > Network > DNS, select Enable FortiGuard DDNS, and enter the relevant information for the interface communicating to the server, and which server to use, and relevant information.

If you do not have a FortiGuard subscription, or want to use an alternate server, you can configure dynamic DNS in the CLI use the commands below. Within the CLI you can configure a DDNS for each interface. Only the first configured port appears in the web-based manager. Additional commands vary with the DDNS server you select.

 

config system ddns

edit <instance_value>

set monitor-interface <external_interface>

set ddns-server <ddns_server_selection>

end

 

You can also use FortiGuard (when subscribed) as a DDNS as well. To configure, use the CLI commands:

config system fortiguard set ddns-server-ip

set ddns-server-port end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

DNS services

Leave a reply

DNS services

A DNS server is a public service that converts symbolic node names to IP addresses. A Domain Name System (DNS) server implements the protocol. In simple terms, it acts as a phone book for the Internet. A DNS server matches domain names with the computer IP address. This enables you to use readable locations, such as fortinet.com when browsing the Internet. FortiOS supports DNS configuration for both IPv4 and IPv6 addressing.

The FortiGate unit includes default DNS server addresses. However, these should be changed to those provided by your Internet Service Provider. The defaults are DNS proxies and are not as reliable as those from your ISP.

Within FortiOS, there are two DNS configuration options; each provide a specific service, and can work together to provide a complete DNS solution.

 

DNS settings

Basic DNS queries are configured on interfaces that connect to the Internet. When a web site is requested, for example, the FortiGate unit will look to the configured DNS servers to provide the IP address to know which server to contact to complete the transaction.

DNS server addresses are configured by going to System > Network > DNS. Here you specify the DNS server addresses. Typically, these addresses are supplied by your ISP. An additional option is available if you have local Microsoft domains on the network, by entering a domain name in the Local Domain Name field.

In a situation where all three fields are configured, the FortiGate unit will first look to the local domain. If no match is found, a request is sent to the external DNS servers.

If virtual domains are enabled, you create a DNS database in each VDOM. All of the interfaces in a VDOM share the DNS database in that VDOM.

 

Additional DNS CLI configuration

Further options are available from the CLI with the command config system dns. Within this command you can set the following commands:

  • dns-cache-limit – enables you to set how many DNS entries are stored in the cache. Entries that remain in the cache provide a quicker response to requests than going out to the Internet to get the same information.
  • dns-cache-ttl – enables you to set how long entries remain in the cache in seconds, between 60 and 86,400 (24 hours).
  • cache-notfound-responses – when enabled, any DNS requests that are returned with NOTFOUND can be stored in the cache.
  • source-ip – enables you to define a dedicated IP address for communications with the DNS server.

 

DNS server

You can also create local DNS servers for your network. Depending on your requirements, you can manually maintain your entries (master DNS server), or use it as a jumping point, where the server refers to an outside source (slave DNS server). A local master DNS server works similarly to the DNS server addresses configured in System > Network > DNS, but all entries must be added manually. This enables you to add a local DNS server to include specific URL/IP address combinations.

 

The DNS server options are not visible in the web-based manager by default. To enable the server, go to Syste> Config > Featuresand select DNS Database.

While a master DNS server is an easy method of including regularly used addresses to save on going to an outside DNS server, it is not recommended to make it the authoritative DNS server. IP addresses may change, and maintaining any type of list can quickly become labor-intensive.

A FortiGate master DNS server is best set for local services. For example, if your company has a web server on the DMZ that is accessed by internal employees as well as external users, such as customers or remote users. In this situation, the internal users when accessing the site would send a request for website.example.com, that would go out to the DNS server on the web, to return an IP address or virtual IP. With an internal DNS, the same site request is resolved internally to the internal web server IP address, minimizing inbound/outbound traffic and access time.

As a slave, DNS server, the FortiGate server refers to an external or alternate source as way to obtain the url/IP combination. This useful if there is a master DNS server for a large company where a list is maintained. Satellite offices can then connect to the master DNS server to obtain the correct addressing.

The DNS server entries does not allow CNAME entries, as per RFC 1912, section 2.4.

 

To configure a master DNS server – web-based manager

1. Go to System > Network > DNS Server, and select Create New for DNS Database.

2. Select the Type of Master.

3. Select the View as Shadow.

4. The view is the accessibility of the DNS server. Selecting Public, external users can access, or use, the DNS server. Selecting Shadow, only internal users can use it.

5. Enter the DNS Zone, for example, WebServer.

6. Enter the domain name for the zone, for example com.

7. Enter the hostname of the DNS server, for example, Corporate.

8. Enter the contact address for the administrator, for example, admin@example.com.

9. Set Authoritative to Disable.

10. Select OK.

11. Enter the DNS entries for the server by selecting Create New.

12. Select the Type, for example, Address (A).

13. Enter the Hostname, for example example.com.

14. Enter the remaining information, which varies depending on the Type selected.

15. Select OK.

 

To configure a DNS server – CLI

config system dns-database edit WebServer

set domain example.com set type master

set view shadow set ttl 86400

set primary-name corporate set contact admin@exmple.com set authoritative disable

config dns-entry edit 1

set hostname web.example.com set type A

set ip 192.168.21.12 set status enable

end end

 

Recursive DNS

You can set an option to ensure these types of DNS server is not the authoritative server. When configured, the FortiGate unit will check its internal DNS server (Master or Slave). If the request cannot be fulfilled, it will look to the external DNS servers. This is known as a split DNS configuration.

You can also have the FortiGate unit look to an internal server should the Master or Slave not fulfill the request by using the CLI commands:

config system dns-database edit example.com

set view shadow

end

 

For this behavior to work completely, for the external port, you must set the DNS query for the external interface to be recursive. This option is configured in the CLI only.

 

To set the DNS query

config system dns-server edit wan1

end

set mode recursive


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

DHCP servers and relays

1 Reply

DHCP servers and relays

Note that DHCP server options are not available in transparent mode.

A DHCP server provides an address to a client on the network, when requested, from a defined address range. An interface cannot provide both a server and a relay for connections of the same type (regular or IPsec).

However, you can configure a Regular DHCP server on an interface only if the interface is a physical interface with a static IP address. You can configure an IPsec DHCP server on an interface that has either a static or a dynamic IP address.

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP.

If an interface is connected to multiple networks via routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay.

You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the unit.

 

DHCP Server configuration

To add a DHCP server, go to System > Network > Interface. Edit the interface, and select Enable for the DHCP Server row.

 

DHCP Server IP                         This appears only when Mode is Relay. Enter the IP address of the DHCP

server where the FortiGate unit obtains the requested IP address.

 

Address Range

By default, the FortiGate unit assigns an address range based on the address of the interface for the complete scope of the address. For example, if the interface address is 172.20.120.230, the default range cre- ated is 172.20.120.231 to 172.20.120.254. Select the range and select Edit to adjust the range as needed, or select Create New to add a dif- ferent range.

 

Netmask      Enter the netmask of the addresses that the DHCP server assigns.

 

Default Gateway

Select to either use the same IP as the interface or select Specify and enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.

 

DNS Server    Select to use the system’s DNS settings or select Specify and enter the IP address of the DNS server.

 

Advanced... (expand to reveal more options)

 

Mode    Select the type of DHCP server the FortiGate unit will be. By default, it is a server. Select Relay if needed. When Relay is selected, the above con- figuration is replaced by a field to enter the DHCP Server IP address.

 

Type   Select to use the DHCP in regular or IPsec mode.

 

MAC Address Access Con- trol List

Select to match an IP address from the DHCP server to a specific client or device using its MAC address.

 

In a typical situation, an IP address is assigned ad hoc to a client, and that assignment times out after a specific time of inactivity from the client, known as the lease time. To ensure a client or device always has the same IP address, that is, there is no lease time, use IP reservation.

 

Add from DHCP Client List      If the client is currently connected and using an IP address from the DHCP server, you can select this option to select the client from the list.

 

DHCP in IPv6

You can use DHCP with IPv6 using the CLI. To configure DHCP, ensure IPv6 is enabled by going to System > Config > Features and enable IPv6. Use the CLI command

config system dhcp6 server

For more information on the configuration options, see the CLI Reference.

 

Service

On low-end FortiGate units, a DHCP server is configured, by default on the Internal interface:

 

IP Range                                     192.168.1.110 to 192.168.1.210

Netmask                                     255.255.255.0

Default gateway                         192.168.1.99

Lease time                                 7 days

DNS Server 1                             192.168.1.99

These settings are appropriate for the default Internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match.

Alternatively, after the FortiGate unit assigns an address, you can go to System > Monitor > DHCP Monitor, locate the particular user. Select the check box for the user and select Add to Reserved.

 

Lease time

The lease time determines the length of time an IP address remains assigned to a client. Once the lease expires, the address is released for allocation to the next client request for an IP address The default lease time is seven days. To change the lease time, use the following CLI commands:

config system dhcp server

edit <server_entry_number>

set lease-time <seconds>

end

 

To have an unlimited lease time, set the value to zero.

 

DHCP options

When adding a DHCP server, you have the ability to include DHCP codes and options. The DHCP options are BOOTP vendor information fields that provide additional vendor-independent configuration parameters to manage the DHCP server. For example, you may need to configure a FortiGate DHCP server that gives out a separate option as well as an IP address. For example, an environment that needs to support PXE boot with Windows images.

The option numbers and codes are specific to the particular application. The documentation for the application will indicate the values to use. Option codes are represented in a option value/HEX value pairs. The option is a value 1 and 255.

You can add up to three DHCP code/option pairs per DHCP server.

 

To configure option 252 with value http://192.168.1.1/wpad.dat – CLI

config system dhcp server edit <server_entry_number>

set option1 252 687474703a2f2f3139322e3136382e312e312f777061642e646174

end

 

For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.

 

Exclude addresses in DHCP a range

If you have a large address range for the DHCP server, you can block a range of addresses that will not be included in the available addresses for the connecting users. To do this, go to the CLI and enter the commands:

config system dhcp server edit <server_entry_number>

config exclude-range

edit <sequence_number> set start-ip <address> set end-ip <address>

end end

end

 

DHCP Monitor

To view information about DHCP server connections, go to System > Monitor > DHCP Monitor. On this page, you can also add IP address to the reserved IP address list.

 

Breaking an address lease

Should you need to end an IP address lease, you can break the lease using the CLI. This is useful if you have limited addresses, longer lease times where leases are no longer necessary. For example, with corporate visitors.

 

To break a lease enter the CLI command:

execute dhcp lease-clear <ip_address>

 

Assigning IP address by MAC address

To prevent users in the from changing their IP addresses and causing IP address conflicts or unauthorized use of IP addresses, you can bind an IP address to a specific MAC address using DHCP.

Use the CLI to reserve an IP address for a particular client identified by its device MAC address and type of connection. The DHCP server then always assigns the reserved IP address to the client. The number of reserved addresses that you can define ranges from 10 to 200 depending on the FortiGate model.

After setting up a DHCP server on an interface by going to System > Network > Interface, select the blue arrow next to Advanced to expand the options. If you know the MAC address of the system select Create New to add it, or if the system has already connected, locate it in the list, select its check box and select Add from DHCP Client List.

You can also match an address to a MAC address in the CLI. In the example below, the IP address 10.10.10.55 for User1 is assigned to MAC address 00:09:0F:30:CA:4F.

 

config system dhcp reserved-address edit User1

set ip 10.10.10.55

set mac 00:09:0F:30:CA:4F

set type regular end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiExtender

1 Reply

FortiExtender

FortiGate units support the use of wireless, 3G and 4G modems connected to a FortiExtender which will be connected to the FortiGate unit.

 

Installing the 3G/4G modem

Remove the housing cover of the FortiExtender and use the provided USB extension cable to connect your 3G/4G modem to the device.

For more information on installing the 3G/4G modem, see the QuickStart Guide.

 

Connecting the FortiExtender unit

 

If you are using the provided PoE injector:

1. Plug the provided Ethernet cable into the Ethernet port of the FortiExtender and insert the other end of the

Ethernet cable into the AP/Bridge port on the injector, then plug the injector into an electrical outlet.

2. Connect the LAN port of the PoE injector to a FortiGate, FortiWifi, or FortiSwitch device.

 

If you are not using the PoE injector:

1. Insert the other end of the Ethernet cable into a PoE LAN port on an appropriate FortiGate, FortiWifi or FortiSwitch device.

For more information on connecting the FortiExtender unit, see the QuickStart Guide.

Once connected, your FortiGate appliance can automatically detect, connect with, and control the FortiExtender and modem via a CAPWAP tunnel.To do this, FortiExtender and FortiGate must be on the same Layer 2/3 subnet (or have DHCP relay between) and FortiGate must respond to FortiExtender’s request. In this example FortiExtender is connected to the lan interface of the FortiGate unit.

 

By default, FortiExtender is hidden and disabled.Enable it in FortiGate’s CLI:

config system global

set fortiextender enable

set wireless-cotnroller enable end

 

The control and provisioning of Wireless Access Point (CAPWAP) service must be enabled on the port to which the FortiExtender unit is connected (lan interface in this example) using the following CLI commands:

config system interface edit lan

set allowaccess capwap end

 

Once FortiExtender is discovered and authorized, a virtual WAN interface such as fext-wan1 is created on the Fortigate.

 

Configuring the FortiExtender unit

At this point, you can fully manage the FortiExtender from the FortiGate unit. To achieve this, you need to authorize the FortiExtender by going to System > Network > FortiExtender and click on Authorize. Once authorized, you can configure you device as required:

Link Status: Shows you if the link is Up or Down, click on Details to see the System and Modem Status.

IP Address: Shows you the current FortiExtender’s IP address, click on the link of the IP address to connect to the FortiExtender GUI.

OS Version: Shows the current FortiExtender’s build, click on Upgrade if you wish to upgrade the Firmware.

Configure Settings: Allows you to configure the Modem Settings, PPP Authentication, General, GSM / LTE, and CDMA.

Diagnostics: Allows you to diagnose the FortiExtender unit, you can choose a command form the existing commands and click on Run.

Existing commands are: Show device info, Show data session connection status, test connection, test disconnection, Get signal strength, AT Command.

 

Sample output of Show device info:

Manufacturer: Sierra Wireless, Incorporated

Model: AirCard 330U

Revision: SWI9200X_03.00.08.03AP R4019 CARMD-EN-10527 2011/12/07 18:43:13

IMEI: 359615040996060

IMEI SV: 7

FSN: CDU3153118210

3GPP Release 8

+GCAP: +CGSM OK

 

Modem Settings

The FortiExtender unit allows for two modes of operation for the modem; On Demand and Always Connect. In On Demand mode, the modem connects to an ISP only upon execution of the dial up operation and disconnects only upon subsequent hang up operation from the CLI.

 

Syntax

To connect, run the following CLI command:

execute extender dial <SN> // <SN> is the FortiExtender’s serial number.

 

To disconnect, run the following CLI command:

execute extender hangup <SN> // <SN> is the FortiExtender’s serial number.

 

In Always Connect mode, the modem is always connected to the internet, it can acts as a primary or backup method of connecting to the Internet.

 

By default, the Fortiextender will be in Always Connect mode once authorized.

 

Modem Settings is a matter of configuring the dialing mode. The dial mode is either Always Connect or On demand. Selecting Always Connect ensures that once the modem has connected, it remains connected to the ISP.

 

To configure the dial mode as needed – web-based manager

1. Go to System > Network > FortiExtender and click Configuring Settings.

2. Extend Modem Settings.

3. Select the Dial Mode of Always Connect or On Demand.

4. Enter the Redial Limit to 5 – Only applicable in On Demand mode.

5. If needed, enter the Quota Limit to the desired limit in Mega Byte -The recorded quota usage values are not persistent and lost upon rebooting Fortigate.

6. Select Ok.

 

Configuring the FortiGate unit

In order to allow inbound and outbound traffic through the 3G/4G modem, you need to add a security policy and, depending the scenario, a static route in the FortiGate unit.

 

Adding a policy

If your network will be using IPv4 addresses, go to Policy & Objects > Policy > IPv4 and select Create New to add a policy that allows users on the private network to access the Internet.

In the policy, set the Incoming Interface to the internal interface and the Outgoing Interface to fext-wan1 interface. You will also need to set Source Address, Destination Address, Schedule, and Service according to your network requirements.

Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Destination Interface Address is selected. Select OK.

 

Alwayson, redundant of wan1

No route required as in FortiOS 5.2.2 the routing shows only active routes. Use the following CLI command to show all routes:

get router info routing-table all

 

Sample Output

Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2

E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area

* – candidate default

S* 0.0.0.0/0 [10/0] via 172.20.120.2, wan1

C 25.49.248.0/24 is directly connected, fext-wan1

C 169.254.1.1/32 is directly connected, ssl.root is directly connected, ssl.root

C 172.20.120.0/24 is directly connected, wan1

C 192.168.1.0/24 is directly connected, lan

 

Alwayson, with select traffic going through the FortiExtender

In this scenario, a static route is required, if your network using IPv4 addresses, go to Router > Static > Static Routes or System > Network > Routing, depending on your FortiGate model, and select Create New. Set the Destination IP/Mask to 0.0.0.0/0.0.0.0, Device to fext-wan1, and set the Gateway to your gateway IP or to the next hop router, depending on your network requirements. Select OK.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!