Channel: FortiOS 5.2.3 – Fortinet Cookbook

Default exemptions in the SSL deep-inspection profile

In the default configuration for FortiOS 5.2, several FortiGuard categories and firewall addresses appear in the Exempt from SSL Inspection list. However, if you upgrade your FortiGate to 5.2 from an earlier version, these addresses are not added to your configuration unless you perform a factory reset.

If you would like to manually add some or all of these exemptions to your configuration, the screenshots below show the complete list of the exemptions and information about the firewall addresses.

The exemption list

This image shows the Exempt from SSL Inspection list from the default 5.2 configuration.

Default firewall addresses

This image shows the Firewall Address list from the default 5.2 configuration. This includes addresses that are not part of the exemption list, such as the default addresses for SSL VPN users.

For more information about exemptions to SSL inspection, see Exempting Google from SSL inspection.

If you create a new VDOM after upgrading your FortiGate, the exemptions will appear on the VDOM.

The post Default exemptions in the SSL deep-inspection profile appeared first on Fortinet Cookbook.


IPsec VPN Troubleshooting (Video)

In this video, you will learn how to troubleshoot a site-to-site IPsec VPN that provides transparent communication between a Headquarters FortiGate and a Branch office FortiGate. This video will show you how to diagnose common problems when your tunnel connection fails, and how to adjust your settings when the tunnel drops on and off. This video covers common Preshared Secret Key issues, Security Association or “SA” proposal errors, quick mode selector issues, and more. By the end of this tutorial you should have a better understanding of how to use these debug commands for basic troubleshooting. This video is recorded on FortiOS 5.2.6, and although the GUI options may vary, the troubleshooting tips and CLI commands are relevant for most recent builds.

The recipe for this video is available here.

FortiAuthenticator Certificate with SSL Inspection (Video)

Social WiFi Captive Portal with FortiAuthenticator (Facebook)

WiFi authentication using social media provides access control without having to manually create guest accounts.

This recipe involves configuring an API for Facebook accounts, setting up a social portal RADIUS service on the FortiAuthenticator, and configuring the FortiGate for Captive Portal access.
 
This recipe is similar to the Captive portal WiFi access control recipe, but involves external security mode configuration, RADIUS authentication, and does not include FortiAP registration instructions.
 
Note that some CLI usage is required when configuring the FortiGate.
 
The FortiAuthenticator has been given an example fully qualified domain name (FQDN) — fortiauthenticator.example.com.

1. Configuring the Facebook developer account API

Open a browser and log in to your Facebook account.

In the URL field enter the following:

https://developers.facebook.com/products/login/

Select My Apps and select Register as Developer.

Confirm your Facebook password to continue.

Select that you have read and agree to the Facebook Platform and Facebook Privacy policies, and select Next to continue.

Enter your phone number and select to have your confirmation code sent to you via text (you may also choose to verify via phone call).

Once received, enter the code and select Register to continue. You will now be registered as a Facebook developer.

Next, select the Website platform to add a new app.

Enter a name for the website, and select Create New Facebook App ID.

Select Communication from the dropdown Category menu, and select Create App ID.

Scroll down to the bottom of the page and enter the site’s URL, then select Next. Scroll back up to the top of the page, and select Skip Quick Start.

To confirm the configuration, go to Settings > Basic. From here you can see your App ID, App Secret, Display Name, and Site URL.

Take note of the App ID and App Secret as they are required when configuring the Captive Portal on the FortiAuthenticator.

Make sure to enter a Contact Email as it is required before you can make your application live to the public.

Next you must add the FortiAuthenticator as an OAuth2 client.

Go to Settings > Advanced.

Under Security, enter the Server IP Whitelist.

Note that the server IP whitelist must include the public IP address(es) of the FortiAuthenticator — this is the NAT IP address the FortiAuthenticator uses to reach the Internet.

Next, go to App Review and enable the application — the account needs to be made “live” before WiFi users can successfully authenticate through Facebook.

The App ID and App Secret can be accessed at any time on the Facebook developer account, but it may be a good idea to copy them to a secure location.

2. Configuring the social portal RADIUS service on FortiAuthenticator

On the FortiAuthenticator, go to Authentication > User Management > User Groups, and create a Social_Users user group.

Users that log into Facebook will be placed in this group once it is added to the Captive Portal General Settings.

Go to Authentication > RADIUS Service > Clients, and create a new RADIUS client.

Enter a Name for the RADIUS client (the FortiGate) and enter its IP address (in the example, 172.20.121.56).

Enable the Social portal captive portal.

Enter the pre-shared Secret and set the Authentication method. The FortiGate will use this secret key in its RADIUS configuration.

Add the Social_Users user group to the Realms group filter as shown.

Select Save and then OK.

Next go to Authentication > Captive Portal > General and enable Social Portal.

Configure the account expiry time (in the example it is set to 1 hour).

Set Place registered users into a group to Social_Users.

Enable the Facebook login option and add your Facebook key and Facebook secret.

3. Configuring the FortiGate authentication settings

On the FortiGate, go to User & Device > Authentication > RADIUS Servers and create the connection to the FortiAuthenticator RADIUS server, using its IP and pre-shared secret.

Use the Test Connectivity option with valid credentials to test the connection.

Next, go to User & Device > User > User Groups and create a RADIUS user group called social_users.

Set the Type to Firewall and add the RADIUS server to the Remote groups table.

4. Configuring the FortiGate WiFi settings

Go to WiFi & Switch Controller > WiFi Network > SSID and select the SSID interface.

Under WiFi Settings, set the Security Mode to Captive Portal.

For the Authentication Portal, select External, and enter the FQDN of the FortiAuthenticator, followed by /social_login/.

For this recipe, it is set to:

https://fortiauthenticator.example.com/social_login/

Set User Groups to the social_users group.

5. Configuring the FortiGate to allow access to Facebook

On the FortiGate, configure firewall addresses to allow users to access the Facebook login page.

The following step can be performed in the GUI, but may take considerably longer than using the CLI. You can also copy and paste the commands below into the CLI console.

Go to System > Dashboard and enter the CLI Console. Enter the following, which creates the firewall addresses and adds them to a firewall address group called Facebook_Auth. Note that the group's member list also names the FortiAuthenticator address object, which is created in step 6: FortiOS rejects a member that does not exist yet, so either create that object first or add it to the group after step 6.

config firewall address
   edit "FB0"
      set subnet 5.178.32.0 255.255.240.0
   next
   edit "FB1"
      set subnet 195.27.154.0 255.255.255.0
   next
   edit "FB2"
      set subnet 80.150.154.0 255.255.255.0
   next
   edit "FB3"
      set subnet 77.67.96.0 255.255.252.0
   next
   edit "FB4"
      set subnet 212.119.27.0 255.255.255.128
   next
   edit "FB5"
      set subnet 2.16.0.0 255.248.0.0
   next
   edit "FB6"
      set subnet 66.171.231.0 255.255.255.0
   next
   edit "FB7"
      set subnet 31.13.24.0 255.255.248.0
   next
   edit "FB8"
      set subnet 31.13.64.0 255.255.192.0
   next
   edit "FB9"
      set subnet 23.67.246.0 255.255.255.0
   next
   edit "akamai-subnet-23.74.8"
      set subnet 23.74.8.0 255.255.255.0
   next
   edit "akamai-subnet-23.74.9"
      set subnet 23.74.9.0 255.255.255.0
   next
   edit "external.fcgr1-1.fna.fbcdn.net"
      set type fqdn
      set fqdn "external.fcgr1-1.fna.fbcdn.net"
   next
   edit "scontent.xx.fbcdn.net"
      set type fqdn
      set fqdn "scontent.xx.fbcdn.net"
   next
   edit "akamaihd.net"
      set type fqdn
      set fqdn "akamaihd.net"
   next
   edit "channel-proxy-06-frc1.facebook.com"
      set type fqdn
      set fqdn "channel-proxy-06-frc1.facebook.com"
   next
   edit "code.jquery.com"
      set type fqdn
      set fqdn "code.jquery.com"
   next
   edit "connect.facebook.com"
      set type fqdn
      set fqdn "connect.facebook.com"
   next
   edit "fbcdn-photos-c-a.akamaihd.net"
      set type fqdn
      set fqdn "fbcdn-photos-c-a.akamaihd.net"
   next
   edit "fbcdn-profile-a.akamaihd.net"
      set type fqdn
      set fqdn "fbcdn-profile-a.akamaihd.net"
   next
   edit "fbexternal-a.akamaihd.net"
      set type fqdn
      set fqdn "fbexternal-a.akamaihd.net"
   next
   edit "fbstatic-a.akamaihd.net"
      set type fqdn
      set fqdn "fbstatic-a.akamaihd.net"
   next
   edit "m.facebook.com"
      set type fqdn
      set fqdn "m.facebook.com"
   next
   edit "ogp.me"
      set type fqdn
      set fqdn "ogp.me"
   next
   edit "s-static.ak.facebook.com"
      set type fqdn
      set fqdn "s-static.ak.facebook.com"
   next
   edit "static.ak.facebook.com"
      set type fqdn
      set fqdn "static.ak.facebook.com"
   next
   edit "static.ak.fbcdn.com"
      set type fqdn
      set fqdn "static.ak.fbcdn.com"
   next
   edit "web_ext_addr_SocialWiFi"
      set type fqdn
      set fqdn "web_ext_addr_SocialWiFi"
   next
   edit "www.facebook.com"
      set type fqdn
      set fqdn "www.facebook.com"
   next
end
config firewall addrgrp
   edit "Facebook_Auth"
      set member "FB0" "FB1" "FB2" "FB3" "FB4" "FB5" "FB6" "FB7" "FB8" "FB9" "akamai-subnet-23.74.8" "akamai-subnet-23.74.9" "akamaihd.net" "channel-proxy-06-frc1.facebook.com" "code.jquery.com" "connect.facebook.com" "fbcdn-photos-c-a.akamaihd.net" "fbcdn-profile-a.akamaihd.net" "fbexternal-a.akamaihd.net" "fbstatic-a.akamaihd.net" "m.facebook.com" "ogp.me" "s-static.ak.facebook.com" "static.ak.facebook.com" "static.ak.fbcdn.com" "web_ext_addr_SocialWiFi" "www.facebook.com" "FortiAuthenticator"
   next
end
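
A script this long is easy to paste with a mistyped member name, and FortiOS then refuses the whole group. The following added example (not Fortinet's code, and not part of the original recipe) parses a constructed, abbreviated excerpt of the script above and reports every addrgrp member that no firewall address defines; the sample member list deliberately contains the two misspelled names that appeared in the originally published list and the FortiAuthenticator object that step 6 creates only later.

```python
import re

# Constructed, abbreviated excerpt of the recipe's CLI script. The member list
# reproduces three problems: two misspelled names ("akamaisubnet-23.74.8",
# "fbcdn-photos-ca.akamaihd.net") and "FortiAuthenticator", which step 6
# creates only after this script is pasted.
SAMPLE_CONFIG = """\
config firewall address
   edit "FB0"
      set subnet 5.178.32.0 255.255.240.0
   next
   edit "akamai-subnet-23.74.8"
      set subnet 23.74.8.0 255.255.255.0
   next
   edit "fbcdn-photos-c-a.akamaihd.net"
      set type fqdn
      set fqdn "fbcdn-photos-c-a.akamaihd.net"
   next
end
config firewall addrgrp
   edit "Facebook_Auth"
      set member "FB0" "akamaisubnet-23.74.8" "fbcdn-photos-ca.akamaihd.net" "FortiAuthenticator"
   next
end
"""


def parse_fortios_config(text):
    """Parse flat `config <table> / edit <name> / set <key> <value> / next / end`
    blocks into {table: {entry: {key: value}}}. Nested tables are not needed here."""
    tables, current, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = tables.setdefault(line[len("config "):], {})
        elif line.startswith("edit ") and current is not None:
            entry = current.setdefault(line[len("edit "):].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value
        elif line == "next":
            entry = None
        elif line == "end":
            current = None
    return tables


def undefined_group_members(tables):
    """Map each address group to the members that no `firewall address` entry
    defines. FortiOS rejects a `set member` line naming an unknown object, so
    any name listed here would stop the group from being created."""
    defined = set(tables.get("firewall address", {}))
    missing = {}
    for group, settings in tables.get("firewall addrgrp", {}).items():
        members = re.findall(r'"([^"]*)"', settings.get("member", ""))
        unknown = [m for m in members if m not in defined]
        if unknown:
            missing[group] = unknown
    return missing
```

Run it against the full script before pasting it into the CLI console; an empty result means every group member resolves to an address object in the same script.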

Go to Policy & Objects > Policy > IPv4 and create a policy for Facebook authentication traffic.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to Facebook_Auth.

Set Service to ALL and enable NAT. Configure Security Profiles accordingly.

Once created, note the policy’s ID using the ID column.

Go to System > Dashboard and enter the CLI Console. Using the policy’s ID, add the following to exempt the Facebook authentication traffic policy from the captive portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

This setting lets unauthenticated WiFi users reach the Facebook login page, so they can complete the external Captive Portal login before any other traffic is allowed.

6. Configuring the FortiGate to allow access to FortiAuthenticator

On the FortiGate, go to Policy & Objects > Objects > Addresses and add the FortiAuthenticator firewall object.

For Subnet/IP Range enter the IP address of the FortiAuthenticator.

Go to Policy & Objects > Policy > IPv4 and create the FortiAuthenticator access policy.

Set Incoming Interface to the WiFi SSID interface and set Source Address to all.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to FortiAuthenticator.

Set Service to ALL and enable NAT.

Once created, note the policy’s ID using the ID column.

Using the policy’s ID, add the following to exempt the FortiAuthenticator access policy from the Captive Portal:

config firewall policy
   edit <policy_id>
      set captive-portal-exempt enable
   next
end

7. Results

Connect to the WiFi and attempt to browse the Internet. You will be redirected to the Captive Portal splash page.

Select Facebook and you should be redirected to the Facebook login page.

Enter valid Facebook credentials and you will be redirected to the URL initially requested.

You can now browse freely until the social login account expires, as configured on the FortiAuthenticator under Authentication > Captive Portal > General.

To view the authenticated user added on FortiAuthenticator, go to Authentication > User Management > Social Login Users.

You can configure Captive Portal to use other social WiFi logins:

Preventing Data Leaks (Video)

In this video, you will learn how to prevent files that contain sensitive information from leaving your internal network. You will create a Data Leak Prevention (or DLP) profile to block files that have a DLP watermark applied to them and block executable (.exe) files.

The recipe for this video is available here.

Managing a FortiSwitch with a FortiGate (5.2)

Manage up to 16 FortiSwitches from the FortiGate web-based manager or CLI. You can create and assign VLANs and configure port information. The connection between the FortiSwitch and the FortiGate is called a FortiLink.

Find this recipe for other FortiOS versions:
5.2 | 5.4

Prerequisites

  1. Connect a cable from the highest FortiSwitch port to an unused port on the FortiGate. For example, use port 24 on the FS-224D-POE switch.
  2. You may need to enable the Switch Controller using the FortiGate web-based manager.
    1. Go to System > Config > Features.
    2. Turn on the WiFi & Switch Controller feature.
    3. Select Apply.
  3. This recipe is applicable to FortiSwitchOS 3.3.0 and above.  

Procedure

From the FortiGate web-based manager:

  1. Go to System > Network > Interfaces and edit an internal port.
  2. Set Addressing mode to Dedicate to Extension Device.
  3. Select OK. The FortiSwitch should now be visible.
  4. Go to WiFi & Switch Controller > Managed Devices > Managed FortiSwitch.
    Right-click on the switch and select Authorize.
    -> After a delay (while FortiGate processes the request), an icon with a checkmark appears in the Status column. For smaller FortiSwitch models, such as FS-108D-POE, the delay may be up to 3 minutes.  

Notes

  1. In some FortiSwitch models (such as FS-124D), the highest port is an optical interface, which requires an SFP module.
  2. In FortiOS 5.4, additional FortiLink features include:
    1. POE configuration from the FortiGate
    2. Link Aggregation Group (LAG) support for Fortilink
    3. Auto-detect the switch FortiLink port. Removes the restriction that only the highest port on the switch can be used for FortiLink
  3. Refer to the document below to see the FortiSwitch and FortiGate releases that support FortiLink, and the supported FortiSwitch and FortiGate models in each release.

For additional information, see Managing FortiSwitch with a FortiGate (FortiOS 5.2), which is also available in the FortiOS 5.2 Handbook.

IPsec VPN with Native OS X Client (Video)

In this video, you will learn how to set up an IPsec VPN between a FortiGate and a Mac using the default Mac client. This VPN configuration allows Mac users to securely access an internal network, and browse the Internet through the VPN tunnel. This configuration uses a pre-shared key but other authentication options are also...

Blocking Ultrasurf

In this recipe, you will use antivirus scanning and application control to block network users from downloading and using Ultrasurf. As mentioned in a recent SysAdmin Note, Ultrasurf is an application that is used to bypass firewalls and browse the Internet anonymously. In order to complete the final part of this recipe, download Ultrasurf before any security...

Social WiFi Captive Portal with FortiAuthenticator (Form-based)

WiFi authentication using a forms-based portal provides access control without having to manually create guest accounts. This recipe involves setting up a social portal RADIUS service on the FortiAuthenticator, and configuring the FortiGate for Captive Portal access, allowing users to log in to the WiFi network using either SMS or e-mail self-registration. This recipe is similar to the Captive portal...

SSL VPN with certificate authentication

In this recipe, you will configure an SSL VPN tunnel that requires users to authenticate using a certificate. This recipe requires that you have three certificates: a CA certificate, a server certificate (signed by the CA certificate), and a user certificate (signed by the CA certificate). You will install the CA certificate and server certificate on the FortiGate. The user certificate...

Site-to-site IPsec VPN with Overlapping Subnets (Video)

In this video, you will learn how to construct a site-to-site IPsec VPN connection between two networks with overlapping subnets. Without the proper configuration, connecting two networks with overlapping subnets can lead to IP conflicts and traffic errors. With the proper configuration, the FortiGate will direct traffic to the correct address on the correct network,...

SMS two-factor authentication for SSL VPN

In this recipe, you will create an SSL VPN with two-factor authentication consisting of a username/password and an SMS token. When a user attempts to connect to this SSL VPN, they are prompted to enter their username and password. After successfully entering their credentials, they receive an SMS message on their mobile phone containing a 6-digit...
