There's nothing worse than remotely configuring a firewall and then losing access once you've made your changes. Having a failsafe mechanism in place to revert to a previous config automatically will help you minimise potential issues and save you a lot of stress! Luckily the FortiGates give you a few options on how to save your running config, which we'll discuss below.
Thursday, 13 March 2014
Wednesday, 5 March 2014
How-to: Configure SMS Two Factor Authentication on a FortiGate
A while ago I wrote a 'How-to' guide on the steps required to configure SMS Two Factor Authentication using a FortiAuthenticator and a FortiGate. This involved configuring an SMS gateway on the FortiAuthenticator using HTTP and then getting the FortiGate to send authentication requests to it.
A little known fact is that the FortiGate can actually do two factor SMS authentication out of the box, all for free and with no licences required! There are two ways of configuring the SMS authentication: firstly with the prepaid FortiGuard SMS servers (preconfigured), and secondly with your own custom SMS server.
Today I decided to test out this feature with my custom SMS server and initially struggled, as there's no proper documentation on how it actually works, what it sends, etc. Below are the steps I took and the bits of information that I gleaned during the configuration.
Thursday, 6 February 2014
How-to: Factory reset a FortiGate
We get dozens of FortiGates back from evaluations, and the standard way of factory resetting the configuration is by running the command execute factoryreset.
This will reset the full configuration back to factory default.
The problem is that it does nothing to the flash, and sometimes clients make revision configuration saves to the flash.
How-to: Route all internet traffic through one link and all VPN traffic through another on a FortiGate
Recently one of our customers configured a FG60D with two ADSL WAN links (both on the same provider, going to the same default gateway). They wanted all internet traffic to go out through WAN1 and all RDP and VPN traffic to go out through WAN2.
The problem was that when they created the policy-based route (PBR) for all outbound internet via WAN1, it also sent the traffic destined for the VPN through the same interface, and the VPN thus failed.
Labels: 5.0.5, fortigate, fortinet, how-to, ipsec vpn, policy based route, route, troubleshooting, vpn
Friday, 31 January 2014
Q&A: Do FortiFones come with power supplies?
Today I had a customer ask if the FortiFone 560i comes with a power adapter, since there's no mention of it on the price list. There is also no mention of a power adapter being supplied in the 'Quick Start Guide' either.
To clarify, all x60i phones (260i, 360i, 460i, 560i) come with a power supply included in the box.
They all support PoE except for the 260i, which can only run on the power supply.
Labels: fortivoice, fortifone, fortinet, power supply, Q&A
Wednesday, 22 January 2014
How-to: Create an interface usage report on a FortiAnalyzer
This quick how-to guide will go through creating a chart/report on a FortiAnalyzer to show the upload, download and total data transfers for interfaces on a FortiGate.
This config is done on a FortiAnalyzer running 5.0.5.
***Updated with new CASE selector***
Friday, 10 January 2014
How-to: Automate FortiGate configuration backups
The FortiGates don't have any backup automation abilities out of the box. Generally you'd use a FortiManager for the configuration, backup and control of multiple FortiGates.
I've recently set up a lab with several FortiGates for testing and wanted a simple way of backing up the configs every day so I could always revert to a previous day quickly.
You could just back up the config before making changes, but I wanted to automate this process. Below is a quick and dirty script to automate the config backup.
A few notes to begin with: this script requires a read-only user with the same password to be created on each FortiGate. This password is stored in the script itself; so while it never gets transmitted in cleartext over the link, be aware that it is stored in the file. Since this is a lab and it's a read-only account, I'm not too fussed. Another thing to note is that strict host key checking for SSH has been disabled (so you don't get a confirmation request for new IP addresses). There is a more secure way to do this using SSH keys instead of passwords, which I may create a blog on at a later date.
The only dependency is that the script requires sshpass to be installed.
My guide goes through setting this all up on a Debian-based Linux system (like Mint or Ubuntu). It should work on other distributions with a few command changes.
Wednesday, 18 December 2013
How-to: Connect X-Lite to a FortiVoice System
X-Lite is a free SIP softphone by CounterPath that I use for testing SIP extensions on VoIP systems. The steps below detail how you would configure a FortiVoice (formerly TalkSwitch) as well as X-Lite.
Monday, 16 December 2013
How-to: Configure DHCP Custom Options on a FortiGate
FortiGates allow you to configure up to six custom DHCP options beyond the standard default gateway, DNS, NTP and domain options.
We'll go through the steps to configure a DHCP server from scratch and configure the most commonly used options as well as a few custom ones.
Thursday, 21 November 2013
Unable to see any applications in 'Top Applications' on a FortiGate
Recently, upon upgrading to 5.0.5, I've noticed that none of the applications are showing up correctly in the 'Top Applications' dashboard. Instead they are all showing up as 'Unknown'.
We'll go through the quick steps to re-enable Application logging so that this dashboard shows us the correct applications.
Labels: 5.0.5, application control, fortigate, fortinet, FortiOS 5, logging, troubleshooting, UTM, webgui