Monday 27 July 2020

How-to: Add X-Forwarded-Proto in FortiADC

The FortiADC allows you to add X-Forwarded-Proto headers to server requests using scripting.

To do this, go to Server Load Balance > Scripting and create a new script with the following:

when HTTP_REQUEST {
 -- Read the Host header of the client request
 local host = HTTP:header_get_value("Host")
 -- Match the virtual server's hostname; plain find so the dots are literal, not pattern wildcards
 if host and host:lower():find("adc.fortilab.local", 1, true) then
  log("found adc.fortilab.local in Host %s \n", host)
  -- Tell the backend the client-side connection was HTTPS
  HTTP:header_insert("X-Forwarded-Proto", "https")
 end
}

Enable the script on your virtual server under Server Load Balance > Virtual Server: edit the virtual server, open the General tab and select the script.

Now when you access the web server, the X-Forwarded-Proto header will be sent to the server.
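The backend side of this setup, as an added example that is not part of the original post: the header the FortiADC inserts should only be believed when the request actually arrived from the ADC, otherwise a client connecting to the backend directly can claim "https" itself. The ADC address 10.0.1.10 is a constructed assumption.

```python
import ipaddress

# Assumed address of the FortiADC as seen by the backend (constructed for this example)
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.10/32")]


def effective_scheme(remote_addr: str, headers: dict, default: str = "http") -> str:
    """Client-facing scheme: honour X-Forwarded-Proto only when the ADC set it."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return default
    if not any(peer in net for net in TRUSTED_PROXIES):
        return default                      # header from a direct client is ignored
    proto = headers.get("X-Forwarded-Proto", "").strip().lower()
    # A duplicated or combined value ("https, http") fails safe to the default
    return proto if proto in ("http", "https") else default


def forwarded_proto_middleware(app):
    """WSGI wrapper that fixes wsgi.url_scheme so redirects and Secure cookies are right."""
    def wrapped(environ, start_response):
        headers = {"X-Forwarded-Proto": environ.get("HTTP_X_FORWARDED_PROTO", "")}
        environ["wsgi.url_scheme"] = effective_scheme(
            environ.get("REMOTE_ADDR", ""), headers, environ.get("wsgi.url_scheme", "http"))
        return app(environ, start_response)
    return wrapped
```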

Tuesday 18 June 2019

How-to: Inject RADIUS logons to a FortiGate to test RSSO

This post will go through the steps required to send Logon/Logoff RADIUS accounting packets to a FortiGate and a Collector Agent to update its RSSO table. This can be useful when integrating with third-party systems, where a script can convert logons from multiple third-party systems into RADIUS logons for the FortiGate/Collector Agent.
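The packet format such a script has to produce, as an added example that is not from the original post: an RFC 2866 Accounting-Request encoder plus a decoder that rejects packets whose Request Authenticator does not match the shared secret, which is the only thing protecting the RSSO table from unsolicited logons. The attribute choice (User-Name, Framed-IP-Address and Class as the group attribute) is an assumption to check against your FortiGate's RADIUS server settings; all values are constructed lab data.

```python
import hashlib
import socket
import struct

ACCT_REQUEST = 4                    # RADIUS Accounting-Request code (RFC 2866)
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Class": 25, "Acct-Status-Type": 40}
STATUS = {"Start": 1, "Stop": 2}    # Acct-Status-Type: 1 = logon, 2 = logoff
NAMES = {v: k for k, v in ATTR.items()}


def _avp(attr_type: int, value: bytes) -> bytes:
    # Type (1 byte) + Length (1 byte, header included) + Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret: bytes, ident: int, status: str,
                             user: str, ip: str, group: str) -> bytes:
    """Encode an Accounting-Request carrying the fields RSSO keys on."""
    attrs = (_avp(ATTR["Acct-Status-Type"], struct.pack("!I", STATUS[status]))
             + _avp(ATTR["User-Name"], user.encode())
             + _avp(ATTR["Framed-IP-Address"], socket.inet_aton(ip))
             + _avp(ATTR["Class"], group.encode()))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Decode a packet, rejecting it unless the authenticator matches the shared secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:]
    if packet[4:20] != hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest():
        raise ValueError("authenticator mismatch: wrong shared secret or tampered packet")
    fields, pos = {"id": ident}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value, name = attrs[pos + 2:pos + alen], NAMES.get(atype, f"Attr-{atype}")
        if name == "Framed-IP-Address":
            fields[name] = socket.inet_ntoa(value)
        elif name == "Acct-Status-Type":
            fields[name] = {1: "Start", 2: "Stop"}.get(struct.unpack("!I", value)[0])
        else:
            fields[name] = value.decode(errors="replace")
        pos += alen
    return fields
```

The bytes returned by build_accounting_request are what goes on the wire to the standard RADIUS accounting port (UDP 1813); the decoder is the check to run on anything you capture while testing.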

Monday 11 March 2019

Getting 'Error importing OVF' error when importing FAZ or FMG VMs in VMware Workstation

Every time I try to open an OVF of a FortiAnalyzer or FortiManager in VMware Workstation running on Linux Mint I get the following error:

Error importing OVF: Invalid target disk adapter type: pvscsi

Fortunately the fix for this is easy. Simply edit the .ovf file of the image you're trying to import and change the following value:

  <rasd:ResourceSubType>VirtualSCSI</rasd:ResourceSubType>

to this:

  <rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>


Save the file and re-import the OVF and it should work now.

Sunday 24 February 2019

How-to: Block Google Translate from translating web pages

While Google Translate is a fantastic education tool, it can also be used as a proxy to circumvent web filtering policies.

I see this happen regularly in schools where web categories such as Pornography are blocked by the FortiGate web filter, but students will use Google Translate to get past this and view inappropriate web pages (albeit in a different language).

This post will go through how you can create a custom application signature to allow Google Translate to be used to translate words, but not used to translate/proxy web pages.

Saturday 16 September 2017

How-to: Create recurring scripts on a FortiGate

Not many people realise that you can create recurring scripts on the FortiGate to run any command you'd like. These can range from rebooting the FortiGate to automating backups to an external server.

In this blog we'll be creating a script to back up the FortiGate's configuration to an external FTP server every day (replace 192.168.1.1, username and password with your FTP server's details):

config system auto-script
edit daily-backup
set interval 86400 << how often this runs in seconds (86400 is 1 day)
set repeat 0 << repeat forever
set start auto << automatically start it
set script 'execute backup full-config ftp fgt-backup.conf 192.168.1.1 username password'
end

Friday 27 January 2017

How-to: Configure Static IP Address in TC Linux

1. Create a new file (/opt/eth0.sh) and add the interface IP details below (changing IP, broadcast, and gateway):

#!/bin/sh
ifconfig eth0 10.0.1.219 netmask 255.255.255.0 broadcast 10.0.1.255 up
route add default gw 10.0.1.254

2. Make the file executable

sudo chmod +x /opt/eth0.sh

3. Add this line to the end of /opt/bootload.sh

/opt/eth0.sh &

4. Add this line to the end of /opt/.filetool.lst

opt/eth0.sh

5. Save changes to disk

sudo filetool.sh -b

6. Reboot

sudo reboot

Thursday 29 December 2016

How-to: Enable DLP on a FortiMail

By default the FortiMail doesn't show the DLP options in the GUI. They can be enabled from the CLI with the following commands:

config system global
set data-loss-prevention enable
end

Once done, log out of and back into the FortiMail and the DLP options should now be visible.

Thursday 4 February 2016

How-to: Use the grep command on a FortiGate

Grep is a fast and easy way of filtering large amounts of output on the console. The FortiGate lets you pipe many commands, including show, get and diagnose, through grep.

To use grep, pipe a command's output to it followed by the search value, for example: show | grep <value>

There are a few options available with grep, which can be listed with the -h flag. Below is a show command piped through grep to display all the options available:

gate1 # show | grep -h
Usage: grep [-invfcABC] PATTERN
Options:
        -i      Ignore case distinctions
        -n      Print line number with output lines
        -v      Select non-matching lines
        -f      Print fortinet config context
        -c      Only print count of matching lines
        -A      Print NUM lines of trailing context
        -B      Print NUM lines of leading context
        -C      Print NUM lines of output context


Tuesday 19 January 2016

How-to: Configure Collector mode on a FortiAnalyzer

The FortiAnalyzer allows you to aggregate logs from multiple FortiGate firewalls giving you a central console to view logs, alerts and run reports for all the FortiGates in your organisation.

Each FortiAnalyzer, hardware or VM, can only handle a certain number of logs per second. If you have dozens, hundreds or even thousands of FortiGates it would not be feasible to have all these devices send their logs to one FortiAnalyzer. The good news is that FortiAnalyzers can be configured in a 'collector' mode and deployed regionally to take the burden off the Analyzer that is doing the reporting.

One advantage of this is that FortiAnalyzer VMs configured as collectors do not have the GB-per-day limitation that their standard configuration does. This means you'll only need a FortiAnalyzer VM BASE license for each of the remote regions.

In this example I'll configure two FortiGates and FortiAnalyzers configured in collector mode. This will simulate two regions for my organisation and the firewalls within each region. The collectors will then forward their logs to the global Analyzer, from where I can run reports for the entire organisation.

The FortiGates are running 5.4.0 and the FortiAnalyzers 5.2.5.

Thursday 15 October 2015

Q&A: Can you stack FortiCloud licenses to increase the duration?

Yes you can. If you add multiple FortiCloud 1-year licenses to a FortiGate, it will increase the number of years.

It won't increase the storage space however.