Wednesday 18 December 2013

How-to: Connect X-Lite to a FortiVoice System

X-Lite is a free SIP softphone by CounterPath that I use for testing SIP extensions on VoIP systems. The steps below detail how to configure a FortiVoice (formerly TalkSwitch) as well as X-Lite.

Monday 16 December 2013

How-to: Configure DHCP Custom Options on a FortiGate

FortiGates allow you to configure up to six custom DHCP options beyond the standard default gateway, DNS, NTP and domain options.

We'll go through the steps to configure a DHCP server from scratch and configure the most commonly used options as well as a few custom ones.

Thursday 21 November 2013

Unable to see any applications in 'Top Applications' on a FortiGate

Recently, upon upgrading to 5.0.5, I've noticed that none of the applications are showing up correctly in the 'Top Applications' dashboard. Instead they are all showing up as 'Unknown'.

We'll go through the quick steps to re-enable application logging so that this dashboard shows us the correct applications.

Wednesday 20 November 2013

How-to: Send email alerts from a FortiGate

Sending alert emails is a useful way of keeping track of security events within your firewall without having to log into it several times a day.

With FortiOS version 5, the Alert E-Mail option has been removed from the GUI by default unless a messaging server has been configured.

Thursday 31 October 2013

How-to: Enable UTM Monitor on a FortiGate running FortiOS 5

Another feature that's been disabled by default on FortiOS 5 is the UTM Monitors. These are great monitors that quickly show you a snapshot of your AntiVirus, Web Filtering, IPS, Application Control, Email and Data Leak Prevention profiles. We'll go through how to quickly re-enable these monitors below.

How-to: Enable disk logging on a FortiGate running FortiOS 5

By default, disk logging has been disabled on FortiOS v5.0. One of the reasons this was done is that the flash memory on some devices is not designed for constant reads/writes, so saving logs to it can degrade the disk (resulting in corrupted sectors). Having said that, we've got a few FortiGates that have been logging to disk for a few years now with no problems.

Tuesday 22 October 2013

How-to: Re-image a FortiGate device

Sometimes you will need to re-image a FortiGate device if you suspect that the image is corrupted, or if you get CRC errors on boot-up. All you need is a computer with a network card, a console cable, a TFTP program and a network cable.

Tuesday 15 October 2013

How-to: Get DropBox working on a FortiGate with SSL Deep Packet Inspection enabled

SSL Deep Packet Inspection (DPI) allows the FortiGate to decrypt and scan all HTTPS, SMTPS, POPS, IMAPS and FTPS sessions. It then re-encrypts and sends the packets off on their merry way (essentially a man in the middle attack).

I've recently enabled it in my lab and noticed that my DropBox kept on disconnecting. I suspect it's something to do with the FortiGate certificate not being trusted by DropBox, which would give an error.

The way I got around this is to enable the web site filter and exempt the dropbox.com domain from the web filter (and DPI).

To set this up, go to Security Policies > Web Filter > Profiles and edit the web filter profile used in your web policy.

Next enable the web site filter and add the dropbox.com domain (simple, exempt & enabled). Click 'Apply' to save.


Now try to log back into DropBox and you should see the status come up as connected!

Monday 14 October 2013

How-to: Block anonymous FTP uploads on a FortiGate

Recently I've had a customer ask how they can block FTP PUTs on their FTP server for all anonymous (unauthenticated) users, but allow FTP GETs for any user (i.e. only let authenticated users upload files, but let anyone download them).

They control this access via the FTP server's account credentials, but wanted to see if the FortiGate could add another level of protection (in case their FTP server got hacked).

This was accomplished by creating some custom IPS signatures.

Wednesday 9 October 2013

Q&A: How many FortiManager licenses do you require for a FortiGate in an HA pair?

A: You'll only need a license for one device, including any VDOMs.

For example, we have 2x FG1000Cs with 100 VDOMs in an HA pair.

The FortiManager will only need to be licensed for 100 devices, as the HA pair counts as one.

Monday 30 September 2013

How-to: Configure SMS Two Factor Authentication with FortiAuthenticator and FortiGate SSL VPN

Recently I've been doing some tests with the FortiAuthenticator using FortiMobile tokens. I decided to test out the SMS Gateway feature for sending two-factor one time passwords (OTP) straight to mobiles via SMS (something I generally don't recommend but thought it would be cool to test).

Below is the config I used to set up the FortiAuthenticator to send an OTP via SMS to my mobile for SSL VPN logins.

Monday 13 May 2013

FortiGate EAL4/CC Certification

Common Criteria (CC) have released a Maintenance Report to update the list of hardware that is EAL4 certified with FortiOS 4.0MR3.

This means that the current devices CC/EAL4 certified are as follows:

Thursday 9 May 2013

How-to: Clear a session on a FortiGate

Sometimes it can be really useful to clear specific sessions on a FortiGate to help with troubleshooting.

This is especially useful when you've made a change to the config and tested it out, but you don't get the result you expected. Usually this is because the firewall is still using an existing session that was created under the old config. An example of this would be changing the UTM policies.

How-to: Display open ports with Linux

To list all open ports on a Linux box, run netstat with the '-ant' options (all sockets, numeric addresses, TCP only).

root@bt:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:7337          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6002            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6003            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 172.16.0.3:22           10.242.2.6:1763         ESTABLISHED
tcp6       0      0 ::1:7337                :::*                    LISTEN
tcp6       0      0 :::5901                 :::*                    LISTEN
tcp6       0      0 :::5902                 :::*                    LISTEN
tcp6       0      0 :::5903                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
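As an added example (not part of the original post), here is a small Python parser over the netstat output shown above. It separates listeners bound to loopback from those bound to all interfaces, which is the first thing to check when reviewing such a listing on a host.

```python
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_host local_port remote state")

# The 'netstat -ant' output from the post above, pasted verbatim (headers included).
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:7337          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6002            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6003            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 172.16.0.3:22           10.242.2.6:1763         ESTABLISHED
tcp6       0      0 ::1:7337                :::*                    LISTEN
tcp6       0      0 :::5901                 :::*                    LISTEN
tcp6       0      0 :::5902                 :::*                    LISTEN
tcp6       0      0 :::5903                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}


def split_endpoint(endpoint):
    # Split on the LAST colon so IPv6 forms like ':::5901' give ('::', '5901').
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn 'netstat -ant' text into Socket records, skipping the header lines."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        host, port = split_endpoint(fields[3])
        state = fields[5] if len(fields) > 5 else ""  # UDP rows carry no state
        sockets.append(Socket(fields[0], host, int(port), fields[4], state))
    return sockets


def classify(sock):
    """'session' for non-listeners; otherwise where the listener is reachable from."""
    if sock.state != "LISTEN":
        return "session"
    if sock.local_host in LOOPBACK:
        return "loopback"
    return "all-interfaces" if sock.local_host in WILDCARD else "specific"


def exposed_ports(sockets):
    """Listening ports reachable from other hosts (anything not loopback-only)."""
    return sorted({s.local_port for s in sockets
                   if s.state == "LISTEN" and s.local_host not in LOOPBACK})
```

Port 7337 only shows up as loopback-bound here, whereas 22 and the VNC/X display ports are reachable from the network, which is the distinction a reviewer wants from this listing.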

Unable to select different UTM policies in FortiOS 5.0

*Updated for 5.0.7*

I've decided to upgrade one of our FG80s to FortiOS 5.0 to give it a run. Once the upgrades were complete I factory reset the device to start fresh.

One of the first things I noticed was that there was no way for me to select a different UTM profile!

Unable to change HA mode from Standalone on a FortiGate

Today while setting up two devices in HA I noticed that each time I changed the mode from 'Standalone' to 'Active-Passive' or 'Active-Active', the config would always revert back to 'Standalone' after I applied the change.