Posts

Showing posts from January, 2022

FortiGate Dialup VPN between Hub and Spoke

Problem

Often a company has an HQ with various external locations. The external locations sometimes have only a dynamic IP address and are opened or closed frequently. Depending on the situation these are very dynamic, or a company has a lot of external locations, so creating a separate VPN tunnel for each location is not practical. In normal operation only the VPN tunnel over ISP1 should be used. If ISP1 fails, the tunnel over ISP2 should come online. How should the VPNs be set up so that all locations can be connected to the HQ with as little effort as possible?

Solution

The FortiGate in the HQ can be configured in "DialUp" mode. The external locations connect directly to the HQ via a dynamic tunnel. The required reliability is achieved with one tunnel per ISP.

HQ Configuration

The first thing to do is to configure the two VPN tunnels in the HQ. The following settings are necessary for this:

Phase 1

config vpn ipsec phase1-interface
    edit "Branches_ISP1"

FortiAnalyzer send Alarm / Incident if a FortiGate send no logs

Problem

A FortiAnalyzer logs various FortiGates. To simplify the daily work of the administrator, he does not want to check every morning whether all FortiGate logs are really being sent to the FortiAnalyzer. How can it be ensured that the FortiAnalyzer triggers an "alarm" as soon as a FortiGate has not sent a log file for a certain time?

Solution

Create a local log entry when a device is not sending data

Via the CLI you can configure whether the FortiAnalyzer creates a local log entry if a device does not send log entries for a certain time. Furthermore, there are a few more helpful options, which are presented here.

config system locallog settings
    set log-interval-dev-no-logging 15
    set log-interval-disk-full 1440
    set log-interval-gbday-exceeded 720
end

log-interval-dev-no-logging: interval in minutes for logging the event of no logs received from a device. 0 is the default and disables the log entry.
log-interval-disk-full: interval in minutes for logging the event of disk ful

FortiManager forward Logs to FortiAnalyzer

Problem

How to forward FortiManager local logs to a FortiAnalyzer in realtime?

Solution

It isn't possible to configure this over the GUI. This function is only available over the CLI:

config system locallog fortianalyzer settings
    set status realtime
    set server 192.168.1.10
end

Afterwards you see an "unauthorized device" in the FortiAnalyzer.

Verify

FortiGate SecurityFabric with different FortiAnalyzer

Problem

We have a Security Fabric with two FortiGates. Each FortiGate has its own FortiAnalyzer at its site. Therefore, the logs should also be sent to the respective FortiAnalyzer. How can this be achieved?

Solution

Normally, the FortiAnalyzer, FortiSandbox and FortiManager settings are synchronized from the Security Fabric root to the member FortiGates. For this reason, the GUI and CLI normally cannot be used to change these settings. To achieve this requirement, synchronization must first be turned off. This requires the following change via the CLI:

config system csf
    set synchronisation local
end

Once the setting is set to "local", the settings will no longer be synchronized (the current values are kept) and another FortiAnalyzer can be configured:

config log fortianalyzer settings
    set server 172.16.51.12
end

FortiGate Broadcast Forwarding

Problem

Even today it is rare, but nevertheless the requirement arises from time to time that broadcast packets must be transported across a subnet boundary. This example shows how WoL packets can be transported across the subnet boundary.

Solution

The solution is quite simple. The following configuration is necessary on the FortiGate:

Enable Multicast-Policy Feature

config system settings
    set gui-multicast-policy enable
end

Or over the GUI.

Broadcast Forwarding Configuration

After the feature is enabled we need the following configuration. The easiest way is to do it over the CLI:

config firewall multicast-address
    edit Broadcast
        set type broadcastmask
        set subnet 255.255.255.255/32
    next
end

config firewall multicast-policy
    edit 0
        set name "Forward WoL Packet"
        set logtraffic enable
        set srcintf "lan"
        set dstintf "clients"
        set srcaddr "net_192.168.10.0/24" <-- Our Su