Fortinet Management Theory


FortiManager is an integrated platform for the centralized management of products in a Fortinet security infrastructure. A FortiManager provides centralized policy-based provisioning, configuration and update management for FortiGate (including FortiGate, FortiWiFi, and FortiGate VM), FortiCarrier, FortiSwitch, and FortiSandbox devices.

To reduce network delays and minimize external Internet usage, a FortiManager installation can also act as an on-site FortiGuard Distribution Server (FDS) for your managed devices and FortiClient agents to download updates to their virus and attack signatures, and to use the built-in web filtering and email filter services.

The FortiManager scales to manage up to 5 000 devices and virtual domains (VDOMs) from a single FortiManager interface. It is primarily designed for medium to large enterprises and managed security service providers.

Using a FortiManager device as part of an organization’s Fortinet security infrastructure can help minimize both initial deployment costs and ongoing operating expenses. It allows fast device provisioning, detailed revision tracking, and thorough auditing.

Key features of the FortiManager system

Configuration revision control and tracking

Your FortiManager unit records and maintains the history of all configuration changes made over time. Revisions can be scheduled for deployment or rolled back to a previous configuration when needed.

Centralized management

FortiManager can centrally manage the configurations of multiple devices from a single console. Configurations can then be built in a central repository and deployed to multiple devices when required.

Administrative domains

FortiManager can segregate management of large deployments by grouping devices into geographic or functional ADOMs. See Administrative Domains.

Local FortiGuard service provisioning

A FortiGate device can use the FortiManager unit for antivirus, intrusion prevention, web filtering, and email filtering to optimize performance of rating lookups, and definition and signature downloads. See FortiGuard Management.

Firmware management

FortiManager can centrally manage firmware images and schedule managed devices for upgrade.

 

Scripting

FortiManager supports CLI or Tcl based scripts to simplify configuration deployments. See Scripts.

Logging and reporting

FortiManager can also be used to log traffic from managed devices and generate Structured Query Language (SQL) based reports. FortiManager also integrates FortiAnalyzer logging and reporting features.

Fortinet device life cycle management

The management tasks for devices in a Fortinet security infrastructure follow a typical life cycle:

  • Deployment: An administrator completes configuration of the Fortinet devices in their network after initial installation.
  • Monitoring: The administrator monitors the status and health of devices in the security infrastructure, including resource monitoring and network usage. External threats to your network infrastructure can be monitored and alerts generated to advise.
  • Maintenance: The administrator performs configuration updates as needed to keep devices up-to-date.
  • Upgrading: Virus definitions, attack and data leak prevention signatures, web and email filtering services, and device firmware images are all kept current to provide continuous protection for devices in the security infrastructure.

Inside the FortiManager system

FortiManager is a robust system with multiple layers to allow you to effectively manage your Fortinet security infrastructure.

Device Manager tab

The Device Manager tab contains all ADOMs and devices. You can create new ADOMs and device groups, provision and add devices, and install policy packages and device settings. See Device Manager.

Policy & Objects tab

The Policy & Objects tab contains all of your global and local policy packages and objects that are applicable to all ADOMs, and configuration revisions. See Policy & Objects.

System Settings tab

The System Settings tab enables the configuration of system settings and monitors the operation of your FortiManager unit. See System Settings.

 

Inside the FortiManager device manager tab

Global ADOM layer

The global ADOM layer contains two key pieces: the global object database and all header and footer policies.

Header and footer policies are used to envelop policies within each individual ADOM. These are typically invisible to users and devices in the ADOM layer. An example of where this would be used is in a carrier environment, where the carrier would allow customer traffic to pass through their network but would not allow the customer to have access to the carrier’s network assets.

ADOM layer

The ADOM layer is where the FortiManager manages individual devices or groups of devices. It is inside this layer where policy packages and folders are created, managed and installed on managed devices. Multiple policy packages can be created here, and they can easily be copied to other ADOMs to facilitate configuration or provisioning of new devices on the network. The ADOM layer contains one common object database per ADOM, which contains information such as addresses, services, antivirus and attack definitions, and web filtering and email filter.

Device manager layer

The device manager layer records information on devices that are centrally managed by the FortiManager unit, such as the name and type of device, the specific device model, its IP address, the current firmware installed on the unit, the device’s revision history, and its real-time status.

 

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

What’s New In FortiManager version 5.2


FortiManager version 5.2 includes the following new features and enhancements. Always review all sections in the FortiManager Release Notes prior to upgrading your device.

FortiManager version 5.2.1

FortiManager version 5.2.1 includes the following new features and enhancements.

  • Toolbar buttons for the Policy section.
  • Install for admin with Restricted profile.
  • Approval matrix for Workflow.
  • IPv6 support for FG-FM connections.
  • Unify JSON APIs with XML APIs.
  • Added version to JSON APIs for Policy Package & Objects.
  • Common ADOM version for FortiOS v5.0 and v5.2.
  • A message is displayed when the database is upgrading or rebuilding. The message contains the estimated time to complete the action.
  • Optional dynamic VIP default values.

FortiManager version 5.2.0

FortiManager version 5.2.0 includes the following new features and enhancements.

Workflow mode

Workflow mode is a new global mode to define approval or notification workflow when creating and installing policy changes. Workflow mode is enabled via the CLI only. When workflow mode is enabled, the admin will have a new option in the admin profile page to approve/reject workflow requests.

Administrators with the appropriate permissions can approve or reject any pending requests. When viewing the session list, they can select any pending session and click the approve/reject buttons, and they can add a note to the approval/rejection response. The system sends a notification to the admin that submitted the session. If the session was approved, no further action is required. If the session was rejected, the admin must log on and repair their changes. Once they create a session, the admin makes their repair on top of the last session's changes.

When you want to start a workflow, go to the Policy & Objects tab, select the ADOM from the drop-down list, lock the ADOM, and click the Start Session button. You can then proceed to make changes to policies and objects. When you are done making changes, click the Save button and then the Submit button. Once the session is submitted, the lock is released and other administrators may initiate a session.

The session list allows users to view any pending requests for approval or active sessions. The session list displays details of each session and allows you to browse the changes performed for the selected session.

To enable and disable workflow mode:

  1. Select the System Settings tab in the navigation pane.
  2. Go to System Settings > Dashboard.
  3. In the CLI Console widget type the following CLI command:

config system global
set workspace-mode {workflow | disabled}
end

The FortiManager session will end and you must log back into the FortiManager system.

Advanced CLI-Only Objects menu

An advanced CLI-Only Objects menu has been added in the Device Manager and Policy & Objects tabs, which allows you to configure device settings that are normally configured via the CLI on the device. This menu includes commands which are only available in the CLI.

VPN Monitor menu in Device Manager

A VPN monitor tree menu has been added to provide real-time VPN status information including which users are connected to the FortiGate selected. The menu contains a Central IPsec and a Central SSL-VPN monitor. For IPsec VPN, you can select to bring the tunnel up or down using the right-click menu.

FortiToken two-factor authentication for admin log in

FortiManager now supports FortiToken two-factor authentication for administrator logon. When creating a new administrator, select Type > RADIUS, and select the FortiAuthenticator server in the RADIUS server drop-down list.

 

FortiToken is authenticated via FortiAuthenticator. When configured, the user will be prompted to type the FortiToken code after entering their user name and password.

Successful authentication will provide the user with permission to the FortiManager and will generate a logon event log on the FortiAuthenticator.

UUID support

In FortiOS version 5.2, a universally unique identifier (UUID) attribute has been added to some firewall objects, so that the logs can record these UUIDs to be used by a FortiManager or FortiAnalyzer unit. When installing a configuration to a FortiOS v5.2 device, a single UUID is used for the same object or policy across all managed FortiGates.

In the FortiView > Log View tab, you can select a log entry, right-click, and select Jump to Policy from the pop-up menu to view the policy associated with the log message. In the Policy & Objects tab, you can select a policy, right-click, and select Show Matching Logs from the pop-up menu to view any logs associated with the policy.

Dynamic address group

A new option has been added to allow an address group to be a dynamic group. Group mappings can be configured for specific devices.

Dynamic mapping management improvements

The following improvements have been made to dynamic mapping management:

  • Convert an address to a dynamic address
  • A radio button has been added to allow you to turn dynamic mapping on or off for various firewall objects. When dynamic mapping is enabled, you can view existing mappings or create a new dynamic mapping.
  • Dynamic address with mapping table

In dynamic address mode, the table of mappings is displayed allowing you to add, edit, or delete device mapping.

When editing a mapping, the settings are displayed in a pop-up dialog box.

Object Web-based Manager enhancements

When creating or editing objects in Policy & Objects, a dialog box is displayed similar to the policy dialog box.

Central AP management improvements

Access points that are managed by the FortiGate units managed by the FortiManager device can be configured from the All FortiAP group in the tree menu of the Device Manager tab. In FortiManager v5.2 you can now apply column filters to organize and drill down the information displayed. The right-click menu now includes options to assign a profile, create new, edit, delete, authorize, deauthorize, upgrade, restart, refresh, view clients, and view rogue APs. You can also assign tags to FortiAPs to make it easier to group and filter devices by the tags.

Improved logging of script execution

FortiManager now includes several logs for scripting functions including: creating scripts, groups, and installing scripts.

Firmware version displayed is consistent with FortiOS

FortiManager v5.2 uses the firmware naming convention ‘5.2.0’, where the first digit reflects the version, the second digit reflects the release, and the third digit reflects the patch. This change is consistent with FortiOS v5.2.0 changes. All references to the firmware version in the Web-based Manager and have been updated to this new format.

Update service to FortiWeb

FortiManager v5.2 can now provide antivirus updates to FortiWeb.

FortiExtender support

When adding a FortiGate to FortiManager that is managing a FortiExtender, the FortiExtender will be available in an All FortiExtender group in the ADOM. You can authorize, deauthorize, upgrade, restart, edit, and view the status of the FortiExtender from the right-click menu.

Restricted Admin profiles

Create restricted admin profiles to allow a delegated administrator to manage their ADOM’s security profiles. You can allow the delegated administrator to make changes to the Web Filter profile, IP sensor, and Application sensor associated with their ADOM.

Flexible FortiGuard Distribution Server (FDS) override list management

The System Template now allows you to configure multiple override servers, FortiManager, and FortiGuard servers into one list. You can provide services to FortiGates using this template. When adding new servers, you can select the server type, update, rating or both. This feature allows you to manage FortiGates with different override lists.

Model device improvements

The Add Model Device option in the Device Wizard has been updated to allow you to provision a single device or multiple devices more efficiently. When adding a device, only the FortiGate serial number and FortiOS version are required. A new option has been added to allow you to add multiple devices by importing a Comma Separated Value (CSV) file with the required information.

Once the model device is added to FortiManager you can assign the device to an ADOM, assign a policy package, and associate it with a provisioning template. When an unregistered FortiGate with a matching serial number connects to FortiManager, you can install the model device configuration.

Enable the FortiAnalyzer feature set in the Web-based Manager

In FortiManager version 5.0.6 or earlier, the FortiAnalyzer feature set was enabled or disabled via the CLI only. In FortiManager v5.2.0 or later, you can also enable or disable these features in the Web-based Manager. To enable the FortiAnalyzer feature set, go to System Settings > Dashboard. In the System Information widget, select [Enabled] beside FortiAnalyzer Features.

FortiSandbox support

FortiSandbox version 1.4 can be centrally managed by a FortiManager running version 5.2.0 or later.

Policy package locking

In FortiManager version 5.2 you can lock and edit a policy package without locking the ADOM. When the policy package is locked, other users are unable to lock the ADOM or edit the locked policy package. The policy package is edited in a private workspace. Only the policy package is in the workspace, not the object database. When locking and editing a policy package, the object database remains locked. The policy package lock status is displayed in the toolbar.

Before you can lock an ADOM or policy package, you must first enable workspace to disable concurrent ADOM access from the CLI.

When workspace is enabled, all ADOMs and policy packages are read-only. In the Device Manager tab, you can right-click an ADOM and select Lock from the right-click menu. When the ADOM is locked you can edit the ADOM; all other administrators need to wait until you unlock the ADOM.

In the Policy & Objects tab, you can select to lock the ADOM from the toolbar. When the ADOM is locked, all policy packages and objects in that ADOM are locked and read-only to other administrators until you finish your edits and unlock the ADOM.

Policy Package locking allows you to lock a specific policy package without locking the ADOM. In the Policy & Objects tab, select the ADOM from the drop-down list, select the policy package, right-click and select Lock & Edit from the right-click menu.

When a policy package is locked, other administrators are not able to lock the ADOM in the Device Manager or Policy & Objects tabs. The policy package is displayed as locked. Other administrators can however lock and edit other policy packages in the same ADOM.

When the policy package is locked, the administrator can edit the policy package as required and access the following options in the left side tree right-click menu: Install Wizard, Export, Policy Check, Save, and Unlock. Before unlocking the policy package, select Save in the toolbar or right-click menu to save changes made to the policy package for the session.

Although another administrator can select to lock and edit an unlocked policy package, neither administrator is able to create a new policy package or edit the object database. To create a new policy package or edit the object database, the ADOM must be locked.

When an ADOM or policy package is locked, the lock is automatically released by an admin idle timeout or by closing the browser window. Any unsaved changes will be lost. Always ensure that changes are saved using the save option in the toolbar or right-click menu.

Import improvements

The following improvements have been made to the import operation:

  • Auto resynchronization when tunnel re-up: After changes are made to a FortiGate, when the tunnel comes back online, the changes are auto-synchronized to FortiManager. The device manager database is always in sync with the FortiGate and the out-of-sync condition has been removed.
  • Detect FortiGate changes that impact policy & objects: FortiManager now is able to detect when the settings were changed on the FortiGate and synchronized back to the related policy and object settings. This allows you to know when the policy package is out-of-sync with what is installed on the FortiGate. You can either re-apply the changes or modify the policy package.
  • Warning when overwriting an existing policy package: FortiManager now displays a warning dialog box allowing you to decide to either overwrite the policy package, cancel the import, or import the policy package under a different name.

Policy & Objects display options improvement

When importing objects or policy types, FortiManager will detect whether or not the related display option is enabled. If it is not, FortiManager will prompt the user via a dialog box to enable the display options item.

Central WiFi management improvements

The following improvements have been made to central WiFi management:

  • Wireless Profiles have been renamed Custom AP Profiles
  • Create, edit, and delete APs
  • Assign AP profiles to multiple APs
  • Consistent replacement messages between FortiGate and FortiManager
  • Customize Captive Portal messages per SSID.

Central AP management improvements

Access points that are managed by the FortiGate units managed by the FortiManager device can be configured from the All FortiAP group in the tree menu of the Device Manager tab. In FortiManager v5.2.1 you can now apply column filters to organize and drill down the information displayed. The right-click menu now includes options to assign a profile, create new, edit, delete, authorize, deauthorize, upgrade, restart, refresh, view clients, and view rogue APs.

You can also assign tags to FortiAPs to make it easier to group and filter devices by the tags.

 



FortiManager 5.2 Administration Guide – Introduction

Introduction

FortiManager Security Management appliances allow you to centrally manage any number of Fortinet Network Security devices, from several to thousands, including FortiGate, FortiWiFi, and FortiCarrier. Network administrators can better control their network by logically grouping devices into administrative domains (ADOMs), efficiently applying policies and distributing content security/firmware updates. FortiManager is one of several versatile Network Security Management Products that provide a diversity of deployment types, growth flexibility, advanced customization through APIs and simple licensing.

FortiManager features

FortiManager provides the following features:

  • Provides easy centralized configuration, policy-based provisioning, update management and end-to-end network monitoring for your Fortinet installation,
  • Segregate management of large deployments easily and securely by grouping devices and agents into geographic or functional administrative domains (ADOMs),
  • Reduce your management burden and operational costs with fast device and agent provisioning, detailed revision tracking, and thorough auditing capabilities,
  • Easily manage complex mesh and star VPN environments while leveraging FortiManager as a local distribution point for software and policy updates,
  • Seamless integration with FortiAnalyzer appliances provides in-depth discovery, analysis, prioritization and reporting of network security events,
  • Quickly create and modify policies/objects with a consolidated, drag and drop enabled, in-view editor,
  • Script and automate device provisioning, policy pushing, etc. with JSON APIs or build custom web portals with the XML API,
  • Leverage powerful device profiles for mass provisioning and configuration of managed devices,
  • Centrally control firmware upgrades and content security updates from FortiGuard Center Threat Research & Response,
  • Deploy with either a physical hardware appliance or virtual machine with multiple options to dynamically increase storage

FortiManager system architecture emphasizes reliability, scalability, ease of use, and easy integration with third-party systems.

FortiManager feature set

The FortiManager feature set includes the following modules:

  • Device Manager
  • Policy & Objects
  • FortiGuard
  • System Settings



FortiManager Admin Guide Incoming

Had a question come in that made me do some more follow up on some specifics regarding the FortiManager. Just realized I hadn’t added the Administrative Guides for the FortiManager to the site yet. I will be adding these later tonight when I return from the gym. God this site has a long way to go to hit the goals I have for it. Sorry for the delays!



Accidentally nuked the site for about 30 minutes

If you experienced any downtime I apologize. I managed to put a character where it shouldn’t have been on the back end and it caused the site to display Server 500 errors. Everything should be back up and running now though.



FortiCarrier Troubleshooting

Troubleshooting

This section offers troubleshooting options for Carrier-related issues.

This section includes:

FortiOS Carrier diagnose commands

Applying IPS signatures to IP packets within GTP-U tunnels

GTP packets are not moving along your network

FortiOS Carrier diagnose commands

This section includes diagnose commands specific to FortiOS Carrier features such as GTP.

GTP related diagnose commands

This CLI command allows you to gain information on GTP packets, logs, statistics, and other information.

diag firewall gtp <command>

  • apn list <gtp_profile>: The APN list entries in the specified GTP profile.
  • auth-ggsns show <gtp_profile>: The authorized GGSNs entries for the specified GTP profile. Any GGSNs not on this list will not be recognized.
  • auth-sgsns show <gtp_profile>: The authorized SGSNs list entries for the specified GTP profile. Any SGSNs not on this list will not be recognized.
  • handover-grp show <gtp_profile>: The handover group showing the range of allowed handover group IP addresses. The handover group acts like a whitelist of allowed GTP addresses with a default deny at the end — if the GTP address is not on the list, it is denied.
  • ie-remove-policy list <gtp_profile>: List of IE policies in the IE removal policy for this GTP profile. The information displayed includes the message count for this policy, the length of the SGSN, the list of IEs, and list of SGSN IP addresses.
  • imsi list <gtp_profile>: IMSI filter entries for this GTP profile. The information displayed includes the message count for this filter, length of the IMSI, the length of the APN and IMSI, and of course the IMSI and APN values.
  • invalid-sgsns-to-long list <gtp_profile>: List of SGSNs that do not match the filter criteria. These SGSNs will be logged.
  • ip-policy list <gtp_profile>: List the IP policies including message count for each policy, the action to take, the source and destination IP addresses or ranges, and masks.
  • noip-policy <gtp_profile>: List the non-IP policies including the message count, which mode, the action to take, and the start and end protocols to be used by decimal number.
  • path {list | flush}: Select list or flush. List the GTP related paths in FortiOS Carrier memory. Flush the GTP related paths from memory.
  • policy list <gtp_policy>: The GTP advanced filter policy information for this GTP profile. The information displayed for each entry includes a count for messages matching this filter, a hexadecimal mask of which message types to match, the associated flags, action to take on a match, APN selection mode, MSISDN, RAT types, RAI, ULI, and IMEI.
  • profile list: Displays information about the configured GTP profiles. You will not be able to see the bulk of the information if you do not log the output to a file.
  • runtime-stat flush: Select to flush the GTP runtime statistics from memory.
  • stat: Display the GTP runtime statistics — details on current GTP activity. This information includes how many tunnels are active, how many GTP profiles exist, how many IMSI filter entries, how many APN filter entries, advanced policy filter entries, IE remove policy filter entries, IP policy filter entries, clashes, and dropped packets.
  • tunnel {list | flush}: Select one of list or flush. List lists all the GTP tunnels currently active. Flush clears the list of active GTP tunnels. This does not clear the clash counter displayed in the stat command.

 



FortiCarrier – Configuring GTP

Configuring GTP on FortiOS Carrier

Configuring GTP support on FortiOS Carrier involves configuring a number of areas of features. Some features require longer explanations, and have their own chapters. The other features are addressed here.

GTP support on the Carrier-enabled FortiGate unit

Configuring General Settings on the Carrier-enabled FortiGate unit

Configuring Encapsulated Filtering in FortiOS Carrier

Configuring the Protocol Anomaly feature in FortiOS Carrier

Configuring Anti-overbilling in FortiOS Carrier

Logging events on the Carrier-enabled FortiGate unit

GTP support on the Carrier-enabled FortiGate unit

The FortiCarrier unit needs to have access to all traffic entering and exiting the carrier network for scanning, filtering, and logging purposes. This promotes one of two configurations — hub and spoke, or bookend.

A hub and spoke configuration with the Carrier-enabled FortiGate unit at the hub and the other GPRS devices on the spokes is possible for smaller networks where a lower bandwidth allows you to divide one unit into multiple virtual domains to fill multiple roles on the carrier network. It can be difficult with a single FortiOS Carrier as the hub to ensure all possible entry points to the carrier network are properly protected from potential attacks such as relayed network attacks.

A bookend configuration uses two Carrier-enabled FortiGate units to protect the carrier network between them with high bandwidth traffic. One unit handles traffic from mobile stations, SGSNs, and foreign carriers. The other handles GGSN and data network traffic. Together they ensure the network is secure.

The Carrier-enabled FortiGate unit can access all traffic on the network. It can also verify traffic between devices, and verify that the proper GPRS interface is being used. For example there is no reason for a Gn interface to be used to communicate with a mobile station — the mobile station will not know what to do with the data — so that traffic is blocked.

When you are configuring your Carrier-enabled FortiGate unit’s GTP profile, you must first configure the APN. It is critical to GTP communications — no traffic will flow without the APN.


The Carrier-enabled FortiGate unit does more than just forward and route GTP packets over the network. It also performs:

  • Packet sanity checking
  • GTP stateful inspection
  • Protocol anomaly detection and prevention
  • HA
  • Virtual domain support

Packet sanity checking

The FortiOS Carrier firewall checks the following items to determine if a packet conforms to the UDP and GTP standards:

  • GTP release version number — must be 0, 1, or 2
  • Settings of predefined bits
  • Protocol type
  • UDP packet length

If the packet in question does not conform to the standards, the FortiOS Carrier firewall drops the packet, so that the malformed or forged traffic will not be processed.
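The four checks listed above can be expressed as a small validator. This is an added illustration, not FortiOS Carrier code and not part of the original guide; the function names, failure codes and sample datagrams are constructed for the example, and the flag-bit checks are implemented for GTPv1 only.

```python
import struct

# Header bytes that the GTP length field does NOT count, per version:
# GTPv0 has a 20-byte header, GTPv1 an 8-byte mandatory header, and
# GTPv2 excludes only its first 4 octets.
UNCOUNTED_HEADER = {0: 20, 1: 8, 2: 4}


def check_gtp_datagram(datagram: bytes) -> list:
    """Sanity-check one UDP datagram (UDP header + GTP message).

    Returns a list of failure codes; an empty list means the packet passes.
    """
    if len(datagram) < 8:
        return ["udp-truncated"]
    _sport, _dport, udp_len, _csum = struct.unpack("!HHHH", datagram[:8])
    problems = []
    # UDP packet length: the field covers the 8-byte header plus payload.
    if udp_len != len(datagram):
        problems.append("udp-length")

    gtp = datagram[8:]
    if len(gtp) < 4:
        return problems + ["gtp-truncated"]
    flags, _msg_type, gtp_len = struct.unpack("!BBH", gtp[:4])

    # GTP release version number: top three bits of the first octet.
    version = flags >> 5
    if version not in UNCOUNTED_HEADER:
        return problems + ["bad-version"]

    # The GTP length field must agree with what UDP actually delivered.
    expected = UNCOUNTED_HEADER[version] + gtp_len
    piggybacked = version == 2 and bool(flags & 0x10)  # a second message follows
    if len(gtp) < expected or (len(gtp) > expected and not piggybacked):
        problems.append("gtp-length")

    if version == 1:
        # Protocol type: 1 = GTP, 0 = GTP' (charging). Assumption: the
        # checker sits on a Gn/Gp path where only GTP is expected.
        if not flags & 0x10:
            problems.append("protocol-type")
        # Predefined bits: the reserved bit must be zero.
        if flags & 0x08:
            problems.append("reserved-bit")
        # If E, S or PN is set, 4 optional header bytes count toward length.
        if flags & 0x07 and gtp_len < 4:
            problems.append("optional-fields")
    return problems


def build_datagram(flags, msg_type, gtp_len, body=b"", udp_len=None):
    """Construct a sample datagram (test data only; ports fixed to 2123)."""
    gtp = struct.pack("!BBHI", flags, msg_type, gtp_len, 0) + body
    total = 8 + len(gtp)
    header = struct.pack("!HHHH", 2123, 2123,
                         total if udp_len is None else udp_len, 0)
    return header + gtp


OPTIONAL = b"\x00\x01\x00\x00"  # sequence number 1, N-PDU 0, no extension

# Constructed samples, one per failure mode.
SAMPLES = {
    "valid echo request": build_datagram(0x32, 1, 4, OPTIONAL),
    "version 3": build_datagram(0x72, 1, 4, OPTIONAL),
    "GTP' with reserved bit": build_datagram(0x2A, 1, 4, OPTIONAL),
    "length field lies": build_datagram(0x32, 16, 200, OPTIONAL),
    "UDP length lies": build_datagram(0x32, 1, 4, OPTIONAL, udp_len=64),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = check_gtp_datagram(data)
        print(f"{name:24s} {'drop ' + ','.join(verdict) if verdict else 'pass'}")
```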

GTP stateful inspection

Apart from the static inspection (checking the packet header), the FortiOS Carrier firewall performs stateful inspection.

Stateful inspection provides enhanced security by keeping track of communications sessions and packets over a period of time. Both incoming and outgoing packets are examined. Outgoing packets that request specific types of incoming packets are tracked; only those incoming packets constituting a proper response are allowed through the firewall.

The FortiOS Carrier firewall can also index the GTP tunnels to keep track of them.

Using the enhanced Carrier traffic policy, the FortiOS Carrier firewall can block unwanted encapsulated traffic in GTP tunnels, such as infrastructure attacks. Infrastructure attacks involve attempts by an attacker to connect to restricted machines, such as GSN devices, network management systems, or mobile stations. If these attempts to connect are detected, they are to be flagged immediately by the firewall.
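The request/response tracking described under GTP stateful inspection can be sketched as a pending-request table. This is an added example, not FortiOS Carrier code; the class, verdict strings, timeout and sample messages are constructed, and it assumes GTPv1-C, where a response echoes the request's sequence number and comes from the peer the request was sent to.

```python
import struct

# GTPv1-C request message type -> the response type that answers it:
# Echo (1/2), Create (16/17), Update (18/19), Delete (20/21) PDP Context.
RESPONSE_FOR = {1: 2, 16: 17, 18: 19, 20: 21}
RESPONSE_TYPES = set(RESPONSE_FOR.values())


def parse_gtpv1(gtp: bytes):
    """Return (msg_type, sequence), or None if not GTPv1 with a sequence."""
    if len(gtp) < 12:
        return None
    flags, msg_type, _length, _teid, seq = struct.unpack("!BBHIH", gtp[:10])
    if flags >> 5 != 1 or not flags & 0x02:  # need version 1 and the S flag
        return None
    return msg_type, seq


class GtpStateTable:
    """Tracks outgoing requests so only proper responses are let back in."""

    def __init__(self, timeout=20.0):
        self.timeout = timeout
        self.pending = {}  # (peer_ip, seq) -> (expected response type, expiry)

    def outbound(self, peer_ip, gtp, now):
        """Record an outgoing request that expects a specific response."""
        parsed = parse_gtpv1(gtp)
        if parsed and parsed[0] in RESPONSE_FOR:
            msg_type, seq = parsed
            self.pending[(peer_ip, seq)] = (RESPONSE_FOR[msg_type],
                                            now + self.timeout)

    def inbound(self, peer_ip, gtp, now):
        """Return a verdict string for an incoming GTPv1-C message."""
        parsed = parse_gtpv1(gtp)
        if parsed is None:
            return "drop-unparsed"
        msg_type, seq = parsed
        if msg_type not in RESPONSE_TYPES:
            return "to-policy"  # not a response: other filters decide
        entry = self.pending.get((peer_ip, seq))
        if entry is None:
            return "drop-unsolicited"
        expected_type, expiry = entry
        if now > expiry:
            del self.pending[(peer_ip, seq)]
            return "drop-expired"
        if msg_type != expected_type:
            return "drop-mismatch"
        del self.pending[(peer_ip, seq)]  # one response per request
        return "allow"


def gtp_msg(msg_type, seq):
    """Constructed 12-byte GTPv1-C message: flags 0x32, TEID 0, no payload."""
    return struct.pack("!BBHIHBB", 0x32, msg_type, 4, 0, seq, 0, 0)


def demo():
    """Run a constructed exchange; addresses are documentation-range IPs."""
    table = GtpStateTable(timeout=20.0)
    ggsn, other = "192.0.2.10", "192.0.2.20"
    verdicts = []
    # Response arrives before any request was sent.
    verdicts.append(table.inbound(ggsn, gtp_msg(17, 7), now=0.0))
    table.outbound(ggsn, gtp_msg(16, 7), now=1.0)  # Create PDP Context Request
    # Right sequence number, wrong peer.
    verdicts.append(table.inbound(other, gtp_msg(17, 7), now=2.0))
    # Right peer and sequence, wrong response type.
    verdicts.append(table.inbound(ggsn, gtp_msg(2, 7), now=2.0))
    # The proper response, then a replay of it.
    verdicts.append(table.inbound(ggsn, gtp_msg(17, 7), now=3.0))
    verdicts.append(table.inbound(ggsn, gtp_msg(17, 7), now=4.0))
    # Echo Response that arrives after the request has timed out.
    table.outbound(ggsn, gtp_msg(1, 8), now=10.0)
    verdicts.append(table.inbound(ggsn, gtp_msg(2, 8), now=45.0))
    # An incoming request is not matched against the table at all.
    verdicts.append(table.inbound(ggsn, gtp_msg(16, 9), now=46.0))
    return verdicts


if __name__ == "__main__":
    print(demo())
```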



FortiCarrier Message Flood Protection

Message flood protection

The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or attempting to overload the network with an excess of messages. MMS flood prevention can help prevent this type of abuse.

Overview

Setting message flood thresholds

Notifying administrators of floods

Example — three flood threshold levels with different actions for each threshold

Notifying message flood senders and receivers

Viewing DLP archived messages

Order of operations: flood checking before duplicate checking

Bypassing message flood protection based on user’s carrier endpoints

Configuring message flood detection

Sending administrator alert notifications

