PCI DSS compliance

Vulnerability Scanning has been removed (293156)

Vulnerability scanning can now be done from FortiClient.

PCI DSS Compliance Check Support (270014)

FortiOS 5.4 allows you to run a compliance check either on demand or according to a schedule that automatically checks PCI DSS compliance at the global or VDOM level. The compliance check determines whether the FortiGate is compliant with each PCI DSS requirement by displaying an ‘X’ next to the non-compliant entries in the GUI logs.

Go to System > Advanced > Compliance, turn on compliance checking and configure a daily time to run the compliance check. Or you can select Run Now to run the compliance check on demand.

Go to Log & Report > Compliance Events to view compliance checking log messages that show the results of running compliance checks.

Review Compliance Results


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiGate Connector for Cisco ACI

Overview

FortiGate Connector for Cisco ACI (Application Centric Infrastructure) is the Fortinet solution that provides seamless integration between a FortiGate firewall deployment and Cisco APIC (Application Policy Infrastructure Controller). This integration allows customers to perform FortiGate configuration and management operations from a single point, Cisco APIC.

While the FortiGate series of firewalls provides superb firewall services, in a data center environment the insertion, configuration, and management of network services such as firewalls can be complex and potentially error-prone tasks. One solution to such data center problems is Cisco’s ACI. Cisco’s ACI is a policy-based framework with integration of software and hardware in the underlying leaf-spine fabric. In Cisco ACI, the APIC is a tool used to automate service insertion and provisioning into the fabric of the network environment. Network service appliances, both physical and virtual, can be attached to the ACI fabric’s leaf nodes through APIC. Traffic demanding certain network services is steered by APIC-managed policies to the appropriate resources. The FortiGate Connector allows FortiGates to be included among the list of resources that traffic can be directed to.

Licensing

FortiGate Connector for Cisco ACI is free of charge for Fortinet customers. You need to make sure that you register your FortiGate with FortiCare on support.fortinet.com.

Terms and concepts

FortiGate VDOMs

VDOM, or Virtual Domain, refers to a discretely administered segment on a FortiGate firewall. A FortiGate firewall that is not segmented, where a single administrator can access all of the firewall, is operating in the “root” VDOM. However, it is possible to segment the FortiGate so that different administrators can access different areas of the FortiGate. Credentials for VDOM A will allow access to the resources and settings of VDOM A but no other. There are also global resources and settings that require credentials for the root VDOM. When setting up connectivity between Cisco APIC and the FortiGates, it is important to know which VDOMs control the needed resources.

FortiOS RESTful API

REST (sometimes spelled ReST) stands for Representational State Transfer. It is a software architectural style for the WWW. REST systems typically communicate over HTTP, using HTTP verbs (commands) to retrieve information from and send information to remote servers.

A good resource for the finer details of Fortinet’s implementation of ReST can be found at http://docs.fortinet.com/uploaded/files/1276/FortiAuthenticator_REST_API_Solution_Guide.pdf

North/South and East/West Traffic

The cardinal compass direction terms to describe traffic flow are used to differentiate between traffic within the cloud or data center and traffic going in and out of the cloud or data center.

  • North/South – traffic either heading into or out of a cloud or data center.
  • East/West – traffic that is between nodes inside the same cloud or data center.

FortiOS 5.4.1 and FortiGate 92D

As you guys know I run a FortiGate 92D at my house. I love it as the device works beautifully for my home network (which rivals some small and medium size businesses). I was about to update the box to the latest version of FortiOS (which is currently 5.4.1) and was notified by Fortinet ahead of time the following tidbit. Thank God these guys have an active voice in the community! Having the vendor active in the community helps ol scrubs like me keep things on the up and up that is for sure.

If and when you upgrade your 92D to v5.4.1, be sure to read the “Special Notices > FortiGate and FortiWiFi-92D Hardware Limitation” section of the release notes. It contains VERY important information about a new command and its behaviour. Basically, the switch chip behind port 1 to 14 is not as advanced as other models and has limitations.

As of writing this post (4:20pm June 9, 2016), an updated copy of the release notes with the above section had not been posted. It will be shortly.


FortiOS 5.4.1 Release Notes

Change Log

Date        Change Description
2016-06-08  Initial release.
2016-06-09  Moved 373739 from Known Issues to Resolved Issues. Added FOS-VM64 and FOS-VM64-KVM to Supported Models.

Introduction

This document provides the following information for FortiOS 5.4.1 build 1064:

  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues
  • Limitations

See the Fortinet Document Library for FortiOS documentation.

Supported models

FortiOS 5.4.1 supports the following models.

FortiGate: FG-30D, FG-30E, FG-30D-POE, FG-50E, FG-51E, FG-60D, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FGT-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-140D, FG-140D-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3810D, FG-3815D, FG-5001C, FG-5001D

FortiWiFi: FWF-30D, FWF-30E, FWF-30D-POE, FWF-50E, FWF-51E, FWF-60D, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged: FGR-60D, FGR-90D

FortiGate VM: FG-SVM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN, FG-VMX, FOS-VM64, FOS-VM64-KVM

FortiOS Carrier: FortiOS Carrier 5.4.1 images are delivered upon request and are not available on the customer support firmware download page.

The following models are released on a special branch based off of FortiOS 5.4.1. As such, the System > Dashboard > Status page and the output of the get system status CLI command display the build number of that branch.

FG-52E is released on build 5416.
FGR-30D is released on build 5413.
FGR-30D-A is released on build 5413.
FGR-35D is released on build 5413.

To confirm that you are running the proper build, the output from the get system status CLI command has a branch point field that should read 1064.


700 Unique Visitor Milestone!

Fortinet GURU is only a few months old but we managed to attract over 700 unique visitors yesterday! This is a momentous occasion for us. We are looking to grow to 5,000 daily visits so we are definitely making excellent progress. Be sure to share Fortinet GURU on social media and spread the word!


New Features – Authentication

Authentication

RADIUS Framed-IP into accounting packets (234003 189828)

RADIUS attributes, including NAS-IP-Address, Called-Station-ID, Framed-IP-Address, and Event-Timestamp, are supported.

Include RADIUS attribute CLASS in all accounting requests (290577)

The RADIUS attribute CLASS is now supported in accounting requests for firewall, WiFi, and proxy authentication. The CLASS attribute returned in the Access-Accept message is added to all subsequent accounting requests.

Certificate-related changes (263368)

Fortinet_factory certificate has been re-signed with an expiration date of 2038 and it is used instead of fortinet_factory2, which has been removed.

Improvements and changes to per-VDOM certificates (276403 267362)

The CA and local certificate configuration is now available per-VDOM. When an admin uploads a certificate to a VDOM, it will only be accessible inside that VDOM. When an admin uploads a certificate to global, it will be accessible to all VDOMs and global.

The factory default certificates, such as Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi, and Fortinet_Factory, have been moved to per-VDOM scope and are automatically generated when a new VDOM is created.

The Fortinet_Firmware certificate has been removed, and all the attributes that used Fortinet_Firmware now use Fortinet_Factory.

CLI Changes

Two new attributes, range and source, have been added:

  • range can be global or vdom (per-VDOM). If the certificate file is imported from global, it is a global certificate; if it is imported from a VDOM, it is a VDOM certificate.
  • source can be factory, user or fortiguard:
      factory: The factory certificate file shipped with the FortiOS version; this includes Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi and Fortinet_Factory.
      user: Certificate file imported by the user.
      fortiguard: Certificate file imported from FortiGuard.

config certificate local
    edit Fortinet_Factory
        set range global/vdom
        set source factory/user/fortiguard
    end
end

Default Root VDOM Certificates

Certificates with the same names are also available from the global configuration. These are generated when you turn on VDOMs.


Virtual Wire Pair

This feature (276013), available in NAT and Transparent mode, replaces the Port Pair feature available in FortiOS 5.2 in Transparent mode only. When two physical interfaces are set up as a Virtual Wire Pair, they have no IP addressing and are treated similarly to a transparent mode VDOM. All packets accepted by one of the interfaces in a virtual wire pair can only exit the FortiGate through the other interface in the pair, and only if allowed by a virtual wire pair firewall policy. Packets arriving on other interfaces cannot be routed to the interfaces in a virtual wire pair. A FortiGate can have multiple virtual wire pairs.

You cannot add VLANs to virtual wire pairs. However, you can enable wildcard VLANs for a virtual wire pair. This means that all VLAN-tagged traffic can pass through the virtual wire pair if allowed by virtual wire pair firewall policies.

Adding a virtual wire pair

To add a virtual wire pair, go to Network > Interfaces and select Create New > Virtual Wire Pair. Select the interfaces to add to the virtual wire pair, optionally enable Wildcard VLAN, and select OK.

The virtual wire pair appears on the Interface list.

Use the following command to add a virtual wire pair from the CLI that enables the wildcard VLAN feature:

config system virtual-wire-pair
    edit test-VWP
        set member port3 port4
        set wildcard-vlan enable
end

Assigning an interface to be part of a virtual wire pairing will remove the “role” value from the interface.


WAN link load balancing

In the same way that incoming traffic can be load balanced, outgoing or WAN traffic can also be load balanced and for the same three reasons.

1. Reduce the places in the work flow where a single point of failure can bring the process to a halt.

2. Expand the capacity of the resources to handle the required workload.

3. Have it configured so that the process of balancing the workload is automatic.

Often, it can be just as important for an organization’s members to be able to access the Internet as it is for the denizens of the Internet to access the organization’s Web-facing resources.

There is now a WAN Load Balancing feature located in the Network section of the GUI (“WAN LLB”).

As part of the new WAN Load Balancing feature, the FortiOS 5.2 Router > Static > Settings GUI page has been removed. WAN Load Balancing should be used instead of the 5.2 ECMP Load Balancing Method settings. The 5.2 Link Health Monitor definitions are now only available from the CLI.

WAN links

The basis for the configuration of the virtual WAN link is the set of interfaces that comprise it. As interfaces are added to the “wan-load-balance” interface, they are added into the calculations of the various algorithms used to do the load balancing.

  • While most of the load balancing algorithms are based on equal or weighted distribution, spillover does rely on which interface is first in the sequence, so keep this in mind when adding the interfaces.
  • An interface in the virtual WAN link can be disabled if work needs to be done on it without interfering with the performance of the link.
  • There is no requirement that the interfaces be those labeled on the hardware as WAN interfaces.
  • In the GUI, to help analyze the effectiveness of the algorithm being used and its configuration, there is a graphic representation of the bandwidth usage of the link.

Load balancing algorithm

Once the interfaces involved have been configured, the next step is to determine how the workload will be distributed. Five load balancing algorithms are available to choose from.

Bandwidth

This is a very straightforward method of distributing the workload based on the number of packets going through the interfaces. An integer value assigns a weight to each interface. These weights are used to calculate the percentage of the total bandwidth that is directed to each interface.

Example:

  • There are 2 interfaces
  • Interface #1 is assigned a weight of 5 because it is a 5 MB connection. (There is no requirement to match the weight to the capacity of the connection. It is just a simple way of optimizing the differing capacities in this case.)
  • Interface #2 is assigned a weight of 3 because it is a 3 MB connection.
  • The total weight is 8 so interface #1 gets 5/8 (63%) and interface #2 gets 3/8 (38%) of the traffic.

Sessions

The session algorithm is similar to the bandwidth algorithm in that it also uses an integer value to assign a weight to each interface. The difference is that the number of sessions connected is what is being measured and not the packets flowing through the interfaces.
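To make the weight arithmetic behind the Bandwidth and Sessions algorithms concrete, here is an added Python example (not FortiOS code) using the weights 5 and 3 from the text; it computes each interface's share, distributes packets or sessions with a "least relative load" rule that is only an assumption standing in for the FortiGate's internal scheduler, and drops a disabled interface out of the calculation.

```python
from dataclasses import dataclass

@dataclass
class WanLink:
    """One member of the virtual WAN link. 'load' counts packets for the
    Bandwidth algorithm or sessions for the Sessions algorithm."""
    name: str
    weight: int
    enabled: bool = True
    load: int = 0

def active_links(links):
    # A disabled member (e.g. taken out for maintenance) drops out of the calculation.
    return [l for l in links if l.enabled and l.weight > 0]

def expected_shares(links):
    """Target fraction per enabled link: its weight over the total weight."""
    active = active_links(links)
    total = sum(l.weight for l in active)
    return {l.name: l.weight / total for l in active}

def share_percent(shares):
    """Round half up to whole percent, matching the 63% / 38% figures in the text."""
    return {name: int(frac * 100 + 0.5) for name, frac in shares.items()}

def pick_link(links):
    """Assumption: a 'least relative load' rule (load divided by weight) stands in
    for the FortiGate scheduler, which the text does not describe."""
    active = active_links(links)
    if not active:
        raise RuntimeError("no enabled WAN link available")
    return min(active, key=lambda l: (l.load / l.weight, l.name))

def distribute(links, units):
    """Assign 'units' packets or sessions one at a time; return the resulting shares."""
    for _ in range(units):
        pick_link(links).load += 1
    total = sum(l.load for l in links)
    return {l.name: l.load / total for l in links} if total else {}

if __name__ == "__main__":
    # Constructed example with the weights from the text: a 5 MB and a 3 MB link.
    wan = [WanLink("wan1", 5), WanLink("wan2", 3)]
    print(share_percent(expected_shares(wan)))   # {'wan1': 63, 'wan2': 38}
    print(distribute(wan, 800))                   # {'wan1': 0.625, 'wan2': 0.375}
```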
