Posts Tagged ‘Fortigate’

 

 

On the Fortigate

 
On the LAN Interface ( Gateway Address ) Enable SNMP
 

Enable SNMP with your chosen Community Name
 
 
Add the Host IP of the local N-able Agent/Server Polling the Device

In Nable

Import Following Service Templates for Fortigate

ServiceTemplateExport

ServiceTemplateExport (1)


Add a new Device via IP Address ( Category Router ) 
 
Add a Professional License so that you can query the Device using SNMP
 

Add Service templates to device

 

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

To access the Secondary unit without changing HA Primary unit , which I would advise against if you are not sure of the VPN status run the following

execute ha manage 1

Login with the credentials

Then run 

diagnose vpn ike gateway

Lists all the current VPNS

diagnose vpn tunnel stat

Check how many are up

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Fortigate

Create a new Interface under a port or an existing virtual switch where the Aruba switch uplinks to 

Enter Vlan ID and Interface IP

 

Next you will need to setup Allow Policies to allow traffic from the Vlan to the normal lan as well as internet

Aruba

Create a New Vlan with the Same ID

Add a trunk to the Uplink

Tag all the Ports with Vlan 2 that will have a phone plugged into them, Including the Trunk

Untag any ports the phone system or VOIP card might use

Attach the “voice” to the Vlan which will assign the right vlans for the phones that use LLDP 

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

On the Fortigate , Create a new Interface and assign it to the Uplink of your internet or DMZ with a Vlan ID and Enable DHCP

Create a policy to allow outbound

 

On the Switch ( ours GS752TP ) that the access points plug into,  Tag the ports with the Vlan ID you created above, where your access points plug into as all as the port for the Uplink from the Switch to the Router

On your access points  ( Ours WNDAP360 ) create a new SSID and Tag these to the new VLAN ID

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Login to Fortigate WebUI

Go to System , then Administrators, Enable Trusted Hosts for the user account and add the IP/Subnet to the allow lists ( remember to do internal as well ) 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

When a user VPN into a Fortigate Router , make sure they can access all Subnet available to the router not just the local one :

  1. Added security policy – allow from SSL VPN interface to IPsec VPN  

Name : SSL VPN to New Subnet

Incoming Interface : SSL-VPN tunnlel Interface ( ssl.root ) 

Outgoing Interface – %Interface of Site to Site VPN for Remote Site%

Source : SSL VPN Client Range / SSLVPN_Users

Destination Address : %new subnet%

Schedule : Always

Service : ALl

Action : Accept

Nat : Enabled (  to traverse IPsec VPN as local address (192.168.0.x) as opposed to SSL VPN client range (192.168.1.x) 

IP Pool Configuration : Use Dymanic IP Pool and NAT Pool for SSL VPN Clients

 

2.  Make you have DHCP NAT pool Range excluded from your onsite DHCP 

3.Added New Subnet to routing address in SSL VPN portal – tunnel mode

VPN – > SSL VPN Portals

Tunnel Mode -> Enable Split Tunnelings -> Routing Address 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

If a website a being blocked from being viewed due to Fortinet web filter with the Category 

“newly observed domain” 

This is due to URLs whose domain name is not rated and were observed for the first time in the past 30 minutes. 

You can wait 30 minutes or you can use the Web Ratings Overrides below to change the category from newly observed domain to an accepted Category like Business and Finance

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 2 votes)

Fortigate have recently released an AV update on their Fortinet which blocks websites with the following error


http://fortiguard.com/search?type=av&q=HTML%252FScrInject.B%2521tr

A few malware checks on the website shows there are no virus of malware on this site

A Support case with Fortigate there was an error in their AV database and they released an update 2 hours later

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

So you’ve just got a TPG IP Line connection and they have sent you your IP , how do you set this up on your Fortigate or other router?

They would have sent you an IP with Netmask e.g. : 210.9.x.x/30

How do you set this up on your router?

Enter the IP in the Subnet Calculator with the mask bit e.g. 30 and it will give you the range you can work from

38.242.x.x will be the network address cannot be used as it used to identify where the network starts

38.242.x.x ( +1) Will be the ISP Gateway , you need this to add a static route on the foritgate for this WAN Port

38.242.x.x ( +2) Will be the IP address you need to set on your Foritgate

 

Next you will need to add a policy to allow all outbound from Lan to the new WAN Port

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Below changes were added.

  • Added TCP 5060 for SIP(As sometimes this can be TCP/UDP) for all WANS
  • RTP port range 6200 – 6214 added for Inbound for all WANS
  • SIP domains allowed for Inbound for all WANS

SIP ALG turn off – Need to run below commands if it’s required. Best to test the phones after above changes.

http://www.3cx.com/blog/docs/disable-sip-alg-on-fortigate/

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)