Posts


FortiGate and Windows L2TP / IPsec with Split Tunneling

Problem

In some scenarios, the user does not want to install an additional VPN client on their device, but wants to use the one already built into Windows. The FortiGate SSL VPN solution therefore cannot be used. So that only systems behind the FortiGate unit are reachable through the VPN, a split-tunnel connection must be established.

Solution

The L2TP over IPsec VPN solution is used for this purpose. First an IPsec connection is established between the client and the FortiGate, and then an L2TP connection is established inside it. IPsec is authenticated via a PSK and L2TP via username and password. The following steps are necessary to implement this solution.

IPsec Connection

config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "wan"
        set peertype any
        set net-device disable
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 2
        set wizard-type dialup-windows
        set psksecret ****
    next
end
config vpn ipsec pha

FortiGate - Virtual Clustering

Description

If several VDOMs are used in an HA cluster, it is advisable to distribute them over virtual clusters. This can increase the throughput of the VDOMs.

Solution

With the Virtual Cluster, the VDOMs can be distributed to the primary and the first secondary firewall. The following options are available.

config global
    config system ha
        set vcluster2 enable
        config secondary-vcluster
            set priority 128
            set override-wait-time 60
            set monitor port1 port2
            set pingserver-monitor-interface wan1
        end
    end
end

vcluster2 : enable or disable the second virtual cluster
priority : priority of the second virtual cluster
override-wait-time : wait time after the firewall is back online before failing over to the former master
pingserver-monitor-interface : use link monitoring to test whether the current master can still reach all required systems

Please read the documentation for more information.

FortiGate - Netflow Configuration

Problem

Internally, a SIEM solution or similar is operated, and therefore all traffic entering and leaving the Internet should be sent to the logging solution.

Solution

About Netflow

NetFlow allows you to collect IP network traffic statistics for an interface and then export those statistics for analysis. NetFlow samplers, which sample every packet, are configured per interface. Full NetFlow is supported through the information maintained in the firewall session.

Configuration

The configuration differs depending on whether VDOMs are active on the FortiGate unit or not.

Without VDOM

NetFlow can only be configured via the CLI and consists of two parts. First, the receiver of the data must be configured globally:

config system netflow
    set collector-ip 192.168.80.3
    set collector-port 2055
    set source-ip 192.168.80.254
end

collector-ip : IP address of the receiver (the SIEM solution)
collector-port : receiver UDP port (optional; default udp/2055)
source-ip : IP of the interface from which the t

FortiAuthenticator - Assign dynamic VLAN to Wifi user

Problem

Depending on the user or user group, a different VLAN ID is to be assigned in the WLAN.

Solution

FortiAuthenticator

On FortiAuthenticator, the following RADIUS attributes must be assigned either per user or per group:

FortiGate

In order for the FortiGate unit to accept the attributes and assign them to the user, the Dynamic VLAN assignment option must be enabled in the SSID profile. A static VLAN can be defined via the CLI; it is used if the RADIUS server does not send any attributes.

config wireless-controller vap
    edit example-wifi
        set vlanid 10
    next
end

IMPORTANT: Please make sure that all needed VLAN interfaces are configured on all switches, routers and firewalls, as well as on the FortiGate.

FortiWeb - Basic Protect Webpage

Problem

FortiWeb is an excellent solution for protecting web applications based on HTTP/HTTPS. The big question is how to configure the appliance for basic protection.

Solution

Scenario

An internal web server should be accessible from the Internet. However, it is located in the LAN zone and should therefore be protected from the outside by a FortiWeb.

Configuration Options

You have two different configuration options. Decide which one fits you better:

Single Server/Server Load Balance

Generally, only one server policy can be created per Virtual IP. With this limitation, this method is a kind of IP-to-IP connection. Here you define a Virtual IP which is matched to a Server Pool. A Server Pool can have one or more Real Servers. This means that with the Server Load Balance variant the HTTP header cannot be distinguished and the policy decision is based on the IP address.

Content Routing

This method decides which server pool to use based on the HTTP Host header field. This means that, for e

FortiADC - WebPage Compression

Problem

How can FortiADC be used to increase website performance?

Solution

Compression Offloading can be used to compress all or certain URIs or content types before they are transmitted to the client. The configuration for this is simple:

URI Rule Type: This option controls whether the entries in the two tables below are understood as "include" or "exclude".

IMPORTANT: The include or exclude option applies to the "Content Type" table as well! The name of the option is a bit misleading.

No other configuration is needed.

Advanced options

You can use the CLI to configure advanced options:

config load-balance compression
    edit 1
        set cpu-limit {enable | disable}
        set max-cpu-usage <percent>
        set min-content-length <bytes>
    next
end

max-cpu-usage : maximum CPU usage for compression
min-content-length : minimum size a file must have to be compressed

FortiMail - Relay Basic Configuration

Problem

Nowhere is it written exactly how FortiMail must be configured in Relay Mode to run a secure basic mail server. Here is a summary of most of the settings:

Solution

System

Network

Configure your Interfaces. Be sure that you have configured a default Gateway.

Port Forwarding

FortiMail is able to forward traffic from the Internet to the local LAN (DNAT). For more information: FortiMail Doc

FortiGate

The FortiGate is able to send SMTP traffic through a WCCP tunnel to the FortiMail for scanning. See for more information: FortiDoc

Configuration

Set the correct Time Zone. Configure your Password Policy. Change the Admin Ports to non-default ports. If required, configure the SNMP settings.

Mail Settings

Set the Hostname and the Local domain name. Together they form the FQDN of the FortiMail. Activate the SMTP MA service (use different ports for mail submission by clients than for mail transfer to other mail servers).

FortiGuard

Activate the License

Domain & User

Domain Configur