FortiGate Concepts

1. Virtual IP

Mapping one specific IP address to another specific IP address is usually called Destination NAT (DNAT). When the central NAT table is not used, FortiOS calls this mapping a Virtual IP (VIP). A DNAT/VIP maps an external IP address to an internal IP address or address range. The mapping can cover all TCP/UDP ports or, if port forwarding is enabled, only the specific configured ports. Because the central NAT table is disabled by default, the term VIP is the one usually used.
VIPs are typically used to translate external (public) IP addresses to internal (private) ones, for example to publish a single web server on one public address. A VIP is only a mapping object: nothing is reachable through it until a firewall policy uses the VIP (not the real server address) as its destination and allows the service.
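As an added example (not from the original notes), the CLI equivalent of a port-forwarding VIP that publishes an internal HTTPS server on one public address, followed by the inbound policy that actually makes it reachable. Interface names, addresses and object names are assumptions; adjust them to your environment.

```text
# Added example, not part of the original notes. Interface names, addresses
# and object names are assumed.
config firewall vip
    edit "vip-web-443"
        set extintf "wan1"             # interface that receives the public address
        set extip 203.0.113.10         # public (external) address
        set mappedip "10.0.0.10"       # internal server
        set portforward enable         # restrict the mapping to one port ...
        set protocol tcp
        set extport 443                # ... instead of all TCP/UDP ports
        set mappedport 443
    next
end

# The VIP is only a mapping. Traffic is still dropped until a policy allows
# it, with the VIP (not the real server address) as the destination.
config firewall policy
    edit 0                             # 0 = next free policy ID
        set name "inbound-web-443"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"            # must match extport, or nothing matches
        set nat disable                # DNAT only; the server sees the real client IP
    next
end
```

Two things worth checking after applying this: the policy's service must cover the VIP's external port (a VIP on 443 behind a policy that only allows HTTP never matches), and if the external address is not the interface's own address the FortiGate will answer ARP for it on the external interface, so make sure it is not already in use on that segment.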


2. Profile-based NGFW vs policy-based NGFW

Profile-based mode is the traditional mode: you create a security profile (antivirus, web filter, and so on) and then apply that profile to a firewall policy.

In policy-based NGFW mode, applications and URL categories are used directly as matching criteria in security policies, without requiring web filter or application control profiles.

In policy-based mode:

  • Central NAT is always enabled. If no central SNAT policy exists, you must create one, otherwise outbound traffic leaves without source translation (see the Central SNAT section of the FortiOS documentation).
  • Pre-match rules are defined separately from the security policies and set broader conditions, such as SSL inspection and user authentication, that a security policy cannot set on its own.
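As an added example (not from the original notes), the CLI steps for switching a VDOM to policy-based mode and then creating the central SNAT entry that the mode requires. Interface names are assumptions, and field names should be checked against your FortiOS version; the mode switch is per VDOM and changes how every policy is evaluated, so do it in a maintenance window.

```text
# Added example, not part of the original notes. Interface names are assumed.
# ngfw-mode is a per-VDOM setting.
config system settings
    set ngfw-mode policy-based
end

# Central NAT is forced on in policy-based mode. With no central SNAT
# entry, LAN-to-WAN traffic keeps its private source address and is
# dropped or unroutable upstream, so create at least one entry.
config firewall central-snat-map
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "all"
        set dst-addr "all"
        set nat enable                 # translate to the outgoing interface address
    next
end
```

In this mode the application- and category-based rules live under config firewall security-policy, while the layer-3/4 match, SSL inspection profile and authentication stay in the (pre-match) firewall policy.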


3. Speed test

    Requires a FortiGuard SD-WAN Network Monitor license.
    On the Network > Interfaces page, open the interface and click Execute Speed Test; the measured result is filled in as the interface's Estimated bandwidth (upstream and downstream).

4. Application ID

   Go to fortiguard.com > Threat Lookup > Application Control; each application signature has a unique ID.

   To find sessions that were identified as that application, grep the session list from the CLI for the ID (11111 below is a placeholder for the ID you looked up):
   diag sys session list | grep 11111


5. Captive Portal
     On the LAN interface, turn on Security Mode (Captive Portal).
     System > Replacement Messages > Login Page, to customize the portal page.
     System > Replacement Messages > Manage Images, for the logo and other images the page references.

6. Traffic shaper to prioritize cloud access traffic.
      I. An Application Control profile is assigned to the outbound policy; without it the traffic is never identified by application, so the shaping policy in step III has nothing to match on.
      II. Security Profiles > Application Signatures, create an application group CloudApps that includes applications such as AWS, Salesforce and Office 365.
      III. Policy & Objects > Traffic Shaping Policy, create two policies: one for CloudApps with a high-priority shared shaper and reverse shaper, and one for everything else with a low-priority shared shaper and reverse shaper.

7. Conserve mode
A FortiGate goes into the "conserve mode" state as a self-protection measure when it runs short of memory. While in conserve mode, new sessions that need antivirus (proxy) inspection are handled according to av-failopen under config system global: passed unscanned, dropped, or one of the one-shot/idledrop variants. Check memory with get system performance status and look for the cause (often proxy sessions or a memory-heavy feature) rather than only waiting for the state to clear.

8. Shaper
     I. Traffic shapers.
         Shared shaper: defines the maximum and guaranteed bandwidth for one traffic priority class (high, medium or low). The bandwidth is shared either per policy or across all policies that use the shaper, depending on the shaper's setting.
         Per-IP shaper: limits bandwidth (and optionally concurrent sessions) per source IP address, so one user cannot consume all of the available bandwidth.
    II. Traffic shaping policy.
        Specifies which traffic the shaper applies to (source, destination, service, application or URL category) and names the shaper as the action. A shaper does nothing until a shaping policy references it.

9. Cryptocurrency miners
    Block mining in layers, since no single profile catches everything:
    I. Antivirus profile (miner binaries and scripts)
    II. DNS Filter (mining-pool domains)
    III. Application Control (signatures for mining protocols)
    IV. IPS (exploit and miner traffic signatures)

10. Guest access
    I. Create a new guest group, or use the default guest-group.
    II. Use Guest Management to add new guest users.
    III. To let other people manage guest accounts without giving them full admin rights, create a new administrator account such as "guestadmin", turn on "Restrict admin to guest account provisioning only", and specify the guest group it may manage.
    IV. Enable the captive portal on the guest interface and set "Restricted to Groups" to the guest group.

11. Load balancing (virtual server)
   I. System > Feature Visibility > Load Balance (enable)
   II. Policy & Objects > Virtual Servers, define the virtual server and its real servers
   III. Create a firewall policy whose destination is the virtual server; the policy's inspection mode must be Proxy-based.

12. Local DNS server
    I. System > Feature Visibility > DNS Database (enable)
    II. Network > DNS Servers, define the DNS zone(s) and the interfaces that answer queries

13. Use a per-IP shaper to cap the number of concurrent sessions per host (Max Concurrent Sessions on the shaper), which also limits what one infected or misbehaving host can do.
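As an added example (not from the original notes) that covers sections 6, 8 and 13 together: the CLI form of the two shared shapers, a per-IP shaper with a session cap, and the pair of shaping policies that put cloud applications ahead of everything else. Object, interface and group names are assumptions; the application group "CloudApps" is the one from section 6 and must already exist; field names should be checked against your FortiOS version.

```text
# Added example, not part of the original notes. Names and numbers are
# assumed. The application group "CloudApps" (section 6) must exist.

# Shared shapers, one per priority class. per-policy disable means every
# shaping policy that references the shaper shares its bandwidth.
config firewall shaper traffic-shaper
    edit "cloud-high"
        set guaranteed-bandwidth 5000      # kbps reserved for cloud apps
        set maximum-bandwidth 20000        # kbps cap
        set priority high
        set per-policy disable
    next
    edit "other-low"
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 10000
        set priority low
        set per-policy disable
    next
end

# Per-IP shaper: caps each source address, including its session count
# (section 13), so one host cannot monopolize the link.
config firewall shaper per-ip-shaper
    edit "per-host"
        set max-bandwidth 2000
        set max-concurrent-session 200
    next
end

# Shaping policies are evaluated top-down, so the specific (cloud) policy
# comes first. The app-group match only works when the firewall policy
# carrying this traffic has an Application Control profile (section 6, step I).
config firewall shaping-policy
    edit 1
        set name "cloud-apps-high"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set app-group "CloudApps"
        set traffic-shaper "cloud-high"          # client -> server direction
        set traffic-shaper-reverse "cloud-high"  # server -> client direction
        set per-ip-shaper "per-host"
    next
    edit 2
        set name "everything-else-low"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set traffic-shaper "other-low"
        set traffic-shaper-reverse "other-low"
        set per-ip-shaper "per-host"
    next
end
```

Keep the sum of guaranteed bandwidths below the real link capacity (the Estimated bandwidth from section 3 is a reasonable source), otherwise the guarantees cannot all be honoured and the priority classes stop meaning anything.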

14. Session information (how to read the fields of the session table):
   https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

15. External block list
     I. Create a block list file (plain text, one IP address or subnet per line) and host it on a web server that the FortiGate can reach.
     II. Security Fabric > External Connectors > Threat Feeds - IP Address, pointing to that URL.
     III. Security Profiles > DNS Filter, turn on External IP Block Lists and select the feed.
     IV. Enable the DNS Filter security profile in the firewall policy; the list only takes effect on traffic matched by that policy.

16. DNS translation
    Security Profiles > DNS Filter, turn on DNS Translation to rewrite the IP address returned in DNS answers (for example, a public address to its internal equivalent for inside clients).

17. Zone
     An interface cannot be added to a zone while anything references it (firewall policies, routes and other objects); remove those references first. Once it is a zone member, policies are written against the zone instead of the individual interface.

18. Session helpers (ALG)
      show system session-helper
      Lists the protocol helpers (FTP, SIP, PPTP and so on) and the protocol/port each is bound to. Delete the entry, the SIP helper being the usual case, when the helper's address rewriting breaks a protocol that handles NAT on its own.

19. Web Profile Overrides: assign a different web filter profile to a specific user, group or IP address.

20. Web Rating Overrides: reassign a URL to another category, including a custom category you create.

21. Security Rating: Security Fabric > Security Rating audits the configuration against Fortinet's best-practice checks and scores it.

22. Internet Service Database (ISDB), used as source or destination in firewall policies.
      Closest Cisco equivalent: application control, although ISDB matches on a service's published IP addresses, ports and protocols rather than on traffic signatures.


23. Inspection mode: flow-based vs proxy-based

Proxy-based: proxy-based inspection buffers the traffic and examines it as a whole before deciding on an action.
Having the whole object available allows more data points to be examined than flow-based inspection can, at the cost of latency and memory (see conserve mode above).
 
Flow-based: the flow-based inspection method examines the data packets as they pass through the Forti

===========


RPF (Reverse Path Forwarding)

There are two RPF check modes: the default, feasible path (formerly known as loose), and strict.

In feasible-path mode, the packet is accepted as long as there is at least one active route to the source IP address through the incoming interface.

In strict mode, the FortiGate checks that the best route to the source IP address is through the incoming interface. The route not only has to be active (as in feasible-path mode), it also has to be the best one. Strict mode breaks asymmetric or multi-homed setups in which replies can legitimately arrive on a non-preferred link, so verify the routing table before enabling it.
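As an added example (not from the original notes), the per-VDOM settings that select between the two modes, and the one that turns the check off, with the trade-off spelled out. Field names should be checked against your FortiOS version.

```text
# Added example, not part of the original notes. All three blocks are
# per-VDOM settings under config system settings.

# Strict RPF: the best route to the source must point back out the
# ingress interface. Only enable after confirming no asymmetric paths.
config system settings
    set strict-src-check enable
end

# Default (feasible-path) RPF: any active route back through the ingress
# interface is enough.
config system settings
    set strict-src-check disable
end

# Disabling the check entirely for asymmetric routing. This also gives up
# stateful inspection on the asymmetric flows, so security profiles are
# not effective on them; fixing the routing is almost always the better option.
config system settings
    set asymroute enable
end
```

When a packet is dropped by either RPF mode, diagnose debug flow shows it as a reverse path check failure on the ingress interface; check that before assuming a policy is at fault.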
