Fortinet
Here are some technical tips for FortiGate from Fortinet.
Table of contents
- 1 Port forward - NAT / VIP
- 2 Firewall security tips
- 3 SSL VPN
- 4 Policy route
- 5 Public IP DNS translation
- 6 FortiSwitch
- 7 HA cluster
- 8 Small tips
- 9 Session helper
- 10 VPN - multiple phase 2
- 11 Layer-2 VPN with VxLAN over IPsec - Extend LAN over IPsec
- 12 Save config / revert
- 13 Hairpin
- 14 FortiClient
- 15 Traffic shaping
- 16 VDOM
- 17 DNS server
Port forward - NAT / VIP
Create a VIP for each port that needs to be opened/forwarded, e.g.:
public.y.xxx.zz --> 192.168.1.50 (TCP: 3390 --> 3389)
If several ports go to the same server, a VIP group can be created.
Then create a policy with the VIP group as destination and ALL as Service (the VIP already restricts the destination port).
See more here:
https://docs.fortinet.com/uploaded/files/1652/using-port-forwarding-on-a-FortiGate-unit.pdf
http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Object%20Configuration/Virtual%20IPs/Configuring%20a%20VIP%20for%20IPv4.htm
http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Object%20Configuration/Addresses/Addresses.htm
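As an added example (not from the original notes), this is the CLI form of the VIP, VIP group and policy described above, with constructed values: 203.0.113.10 stands in for the public IP, "wan1" and "lan" for the interface names, and the source is limited to a geography address ("DK", constructed) instead of "all" so the forwarded port is not reachable from the whole Internet.

```fortios
# Added example with constructed values: 203.0.113.10 is the public IP,
# wan1/lan are the interface names. Forward TCP 3390 on the public IP
# to RDP (3389) on 192.168.1.50, as in the example above.
config firewall vip
    edit "VIP_srv50_rdp"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 3390
        set mappedip "192.168.1.50"
        set mappedport 3389
    next
end
# One group for all VIPs that point at the same server; add more
# members as more ports are forwarded.
config firewall vipgrp
    edit "VIPGRP_srv50"
        set interface "wan1"
        set member "VIP_srv50_rdp"
    next
end
# Only sources from one country (constructed: DK) may reach the forwarded
# ports. The VIP already limits the destination port, so service is ALL.
config firewall address
    edit "GEO_DK"
        set type geography
        set country "DK"
    next
end
config firewall policy
    edit 0
        set name "WAN to srv50 (VIP group)"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "GEO_DK"
        set dstaddr "VIPGRP_srv50"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```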
Firewall security tips
- Keep the firewall updated. See Technical Tip: Recommended Release for FortiOS for the recommended software version.
- Set up blocking of known bad connections, see the Reddit thread. See also below.
- Set up IP reputation filtering
Inbound traffic
- Limit inbound firewall openings as much as possible.
- Disable FMG Access on the WAN port/interface if it is not in use.
- Use the option to open only for specific IPs, countries or Internet services (ISDB).
- Set up IPS on services, e.g. web servers, but limit scanning to the services that are actually in use. For example, there is no reason to scan for HTTP on a mail server.
- Block all traffic from botnet, malicious, phishing, spam, Tor exit node and proxy servers with ISDB:
config firewall internet-service-group
    edit "UnwantedConnectionsFromWAN"
        set direction destination
        set member 3080383 11337935 3211457 3014850 3145920 2818243 12779753
    next
end
Outbound
- Block all traffic to botnet, malicious, phishing, spam, Tor exit node and proxy servers with ISDB. See below.
- Block all SMB traffic!
- Set up Web and DNS filter.
- Block RFC1918 networks on WAN
- Set up App control - https://www.fortiguard.com/appcontrol
config firewall internet-service-group
    edit "UnwantedConnectionsToWAN"
        set direction destination
        set member 3080383 11337935 3211457 3014850 3145920 2818238 12779753
    next
end
Set up Web filter blocking of these categories:
- Proxy Avoidance
- Malicious Websites
- Phishing
- Spam URLs
- Dynamic DNS
- Newly Observed Domain
- Newly Registered Domain
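As an added example (not part of the original notes), these are the deny policies that put the two ISDB groups above to use, plus the SMB block. It assumes the interface names "lan" and "wan1", that the two groups already exist as shown, and that the FromWAN group is created with a direction that allows it to be used as a source group.

```fortios
# Added example; assumes interfaces "lan" and "wan1" and the two
# internet-service-groups defined above.
config firewall policy
    # Inbound: drop anything whose source is in the ISDB group (botnet,
    # malicious, phishing, spam, Tor exit node, proxy). The group must
    # allow the source direction to be accepted here.
    edit 0
        set name "Deny bad sources from WAN"
        set srcintf "wan1"
        set dstintf "any"
        set internet-service-src enable
        set internet-service-src-group "UnwantedConnectionsFromWAN"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Outbound: drop connections from the LAN to the same kinds of hosts.
    # With internet-service enabled, dstaddr and service come from the ISDB.
    edit 0
        set name "Deny bad destinations to WAN"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-group "UnwantedConnectionsToWAN"
        set action deny
        set schedule "always"
        set logtraffic all
    next
    # SMB towards the Internet is never legitimate: block and log it
    # (predefined services SMB = TCP 445, SAMBA = TCP 139).
    edit 0
        set name "Deny SMB to WAN"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SMB" "SAMBA"
        set logtraffic all
    next
end
```

Policies are matched top down and `edit 0` appends at the bottom, so move the deny policies above the accept policies afterwards with `move <id> before <id>` inside `config firewall policy`.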
SSL VPN
Fairly simple to set up, since you can use the default setup and then change the firewall policy if you want to control which users can access which internal devices.
Not recommended for use!
Policy route
E.g. to have a different route for a specific device, via another VPN connection.
Public IP DNS translation
DNS translation http://kb.fortinet.com/kb/documentLink.do?externalID=FD34099
config firewall dnstranslation
    edit 1
        set dst 217.pp.pp.pp
        set netmask 255.255.255.255
        set src 192.168.1.100
    next
end
FortiSwitch
Spanning Tree and Loop Guard
Spanning Tree is enabled by default on FortiSwitch, and it protects to a certain extent against loops caused by other switches.
But Loop Guard must be enabled to prevent loops at "endpoints", or if Spanning Tree is turned off.
loop-guard-timeout XX
Sets how many minutes must pass before the port is opened again and checked for a loop again. The default is 45 minutes. It may be a good idea to lower it a bit, to e.g. 10-20 minutes. If the loop is still there, the port is shut down again immediately.
With STP and Loop Guard there will be no loops even if, for example, two "dumb" switches further out create a loop.
Security
Move mgmt to a VLAN
VLAN setup
Native VLAN = Incoming untagged packets are tagged with this VLAN. Outgoing packets with this VLAN tag are sent out without a VLAN tag.
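As an added example (not from the original notes), this is a port configuration for a port facing an endpoint or a "dumb" switch, with STP kept on, BPDU guard, and Loop Guard with the timeout lowered to 10 minutes as suggested above. The switch serial and the port name are placeholders; the first block is for a FortiLink-managed switch, the second is the same setting on a locally managed FortiSwitch.

```fortios
# Added example; the serial (S108DVXXXXXXXXXX) and port5 are placeholders.
# FortiLink-managed switch: edge port toward an endpoint/dumb switch.
config switch-controller managed-switch
    edit "S108DVXXXXXXXXXX"
        config ports
            edit "port5"
                set stp-state enabled
                set edge-port enabled
                # Shut the port if a BPDU arrives (another switch plugged in),
                # and recover after 10 minutes.
                set stp-bpdu-guard enabled
                set stp-bpdu-guard-timeout 10
                # Loop Guard catches loops STP cannot see (e.g. a dumb switch
                # looped back on itself); re-check every 10 minutes instead of 45.
                set loop-guard enabled
                set loop-guard-timeout 10
            next
        end
    next
end
# Same settings on a locally managed (standalone) FortiSwitch.
config switch interface
    edit "port5"
        set stp-state enabled
        set edge-port enabled
        set loop-guard enabled
        set loop-guard-timeout 10
    next
end
```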
Allowed VLAN = The allowed VLAN list for each port specifies the VLAN tag values for which the port can transmit or receive packets. For a tagged packet arriving at an ingress port, the tag value must match a VLAN on the allowed VLAN list or the native VLAN. At an egress port, the packet tag must match the native VLAN or a VLAN on the allowed VLAN list.
Untagged = Outgoing packets from this VLAN are sent out without a VLAN tag.
The untagged VLAN list on a port specifies the VLAN tag values for which the port will transmit packets without the VLAN tag. Any VLAN in the untagged VLAN list must also be a member of the allowed VLAN list.
Locally managed:
Setting up VLANs on ports: Switch -> Interface -> Physical
Setting up the MGMT VLAN is under:
System -> Network -> Interface -> VLAN
diagnose switch vlan list
FortiLink - Managed by FortiGate
HA cluster
Start by reading here about the setup:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/581221/fgcp-ha
Controlling which unit is primary
override disable is the default.
If you want one unit to always be primary (whenever it is powered on), set ha override enable must be configured.
However, this causes a double failover when the primary unit comes back up.
Read more:
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restoring-HA-master-role-after-a-failover-using/ta-p/197460
- http://myitmicroblog.blogspot.com/2018/11/what-should-you-know-about-ha-override.html?m=1
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-Primary-unit-selection-process-when/ta-p/249745
Small tips
GeoIP
Look up which country an IP belongs to:
diagnose firewall ipgeo ip2country x.x.x.x
Fiber SFP
Auto negotiation does not necessarily work; set a fixed speed or Auto-1G. There can be differences between SFP modules.
Session helper
The FTP session helper monitors PORT, PASV and 227 commands and NATs the IP addresses and port numbers in the body of the FTP packets and opens ports on the FortiGate unit as required. To accept FTP sessions you must add a security policy with service set to any or to the FTP, FTP_Put, and FTP_GET pre-defined services (which all listen on TCP port 21).
Remember to change the port if you run FTP on something other than port 21:
config system session-helper
    edit 1
        set name ftp
        set port 21
        set protocol 6
    next
end
VPN - multiple phase 2
Multiple phase 2 subnets.
Remember to check the static routes and the firewall policies, so that all networks are allowed.
Layer-2 VPN with VxLAN over IPsec - Extend LAN over IPsec
Technical Note: Building a Layer-2 VPN with VxLAN over IPsec
VXLAN Encapsulation in FortiGate
https://kb.fortinet.com/kb/documentLink.do?externalID=FD47557 Wire pair
Notes: Remember it is L2, so IP configuration is not necessary on the interfaces/soft switch. But if one side needs an IP, for example if you want to extend the LAN over IPsec, the IP must be set on the soft switch and not on the physical interface, and only on one side of the tunnel.
An interface that is added to the switch must not have an IP configuration or be used in firewall rules.
First set up the VPN with encapsulation vxlan. Then create a software switch that binds the VPN connection together with a physical port. Then create firewall rules between the interfaces in the switch.
FortiGate 1:
config vpn ipsec phase1-interface
    edit "VXLAN-IPSec-VPN"
        set interface "wan"
        set peertype any
        set proposal aes128-sha1
        set encapsulation vxlan
        set remote-gw 4.3.2.1
        set psksecret KEY
    next
end
config vpn ipsec phase2-interface
    edit "VXLAN-IPSec-VPN"
        set phase1name "VXLAN-IPSec-VPN"
        set proposal aes128-sha1
    next
end
config system switch-interface
    edit "soft_switch"
        set member "port2" "VXLAN-IPSec-VPN"
        set intra-switch-policy explicit  # (optional)
    next
end
# If you used intra-switch-policy explicit on the switch.
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "VXLAN-IPSec-VPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "VXLAN-IPSec-VPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# If the local interface needs an IP configuration, set the IP on the switch instead of on the interface.
config system interface
    edit "soft_switch"
        set ip 192.168.1.1 255.255.255.0
        set type switch
        set device-identification enable
        set role lan
    next
end
FortiGate 2:
config vpn ipsec phase1-interface
    edit "VXLAN-IPSec-VPN"
        set interface "wan"
        set peertype any
        set proposal aes128-sha1
        set encapsulation vxlan
        set remote-gw 1.2.3.4
        set psksecret KEY
    next
end
config vpn ipsec phase2-interface
    edit "VXLAN-IPSec-VPN"
        set phase1name "VXLAN-IPSec-VPN"
        set proposal aes128-sha1
    next
end
config system switch-interface
    edit "soft_switch"
        set member "port2" "VXLAN-IPSec-VPN"
        set intra-switch-policy explicit  # (optional)
    next
end
# If you used intra-switch-policy explicit on the switch.
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "VXLAN-IPSec-VPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "VXLAN-IPSec-VPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Save config / revert
https://kb.fortinet.com/kb/documentLink.do?externalID=FD30912
execute cfg save
The config is automatically reverted if it is not saved within the configured time:
config system global
    set cfg-save revert
    set cfg-revert-timeout xxx
end
Remember!
execute cfg save
Hairpin
http://cookbook.fortinet.com/configure-hair-pinning-fortigate/
FortiClient
Free VPN client, Windows download: https://links.fortinet.com/forticlient/win/vpnagent
Traffic Shaping
"When setting the guaranteed bandwidth, ensure that the value is significantly less than the interface's bandwidth capacity. Otherwise, the interface will allow very little or no other traffic to pass through, potentially causing unwanted latency." This means that if you have a 100 Mbps connection, please make sure the traffic shaper is no more than 70-80% of that bandwidth. In your case, you want to use 50% of the bandwidth, which is OK.
This guideline exists because, besides the forwarded traffic, you may also have management traffic, which will take priority.
"Does that mean if I set guaranteed-bandwidth to 50 Mbps, and we have a 100 Mbps connection, then other traffic can't use more than 50 Mbps even if the shaped traffic is not used?" If you set guaranteed-bandwidth to 50 Mbps, that traffic will use a maximum of 50 Mbps and will be prioritized over the non-shaped traffic. If your prioritized bandwidth is, for example, 30 Mbps at some point, the rest of the traffic will use the remaining 70 Mbps. When your prioritized traffic increases to 50 Mbps, the other traffic will be reduced to use the remaining bandwidth.
In other words, the management traffic and shaped traffic will be processed first. The remaining bandwidth will be for the rest of the traffic. Management traffic means traffic used by the FortiGate to function, for example traffic used to log in to the FortiGate GUI or CLI.
https://www.fortinetguru.com/2019/10/traffic-shaping/
Reverse is used to limit download from the Internet to a client. Src: the client, Dst: All (Internet)
Reverse direction traffic shaping
Shaping on a firewall policy (CLI only, but shown in the GUI once configured):
config firewall policy
    edit 1
        set name "LAN to WAN"
        set traffic-shaper "Name"  # Upload from the client.
        set traffic-shaper-reverse "Name"  # Download to the client.
    next
end
Can also be set on the interface port itself. Remember that it then applies to all devices combined.
config system interface
    edit lan
        set inbandwidth 30000  # "Upload", into the port
        set outbandwidth 30000  # "Download", out of the port
    next
end
Limit web server
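As an added example (not from the original notes), here are the shaper objects that the policy above refers to, with constructed values for a 100 Mbit/s line: guaranteed 30 Mbit/s stays well under the line rate as the quoted advice requires, and maximum caps the shaped traffic at 50 Mbit/s. Policy 1 and the shaper names are assumptions.

```fortios
# Added example with constructed values (kbps) for a 100 Mbit/s line.
# guaranteed-bandwidth is what the shaped traffic gets ahead of other
# traffic; maximum-bandwidth is the cap it can never exceed.
config firewall shaper traffic-shaper
    edit "client-upload"
        set bandwidth-unit kbps
        set guaranteed-bandwidth 30000
        set maximum-bandwidth 50000
        set priority high
        # shared across all policies that use it (per-policy enable
        # would give each policy its own 30/50 Mbit/s instead)
        set per-policy disable
    next
    edit "client-download"
        set bandwidth-unit kbps
        set guaranteed-bandwidth 30000
        set maximum-bandwidth 50000
        set priority high
        set per-policy disable
    next
end
# On the LAN-to-WAN policy: traffic-shaper is the client's upload,
# traffic-shaper-reverse is the download to the client.
config firewall policy
    edit 1
        set traffic-shaper "client-upload"
        set traffic-shaper-reverse "client-download"
    next
end
```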
VDOM
config system global
    set vdom-admin enable
end