Forskel mellem versioner af "Fortinet"

Fra NørderiWiki
Skift til: Navigation, Søgning
m (Layer-2 VPN with VxLAN over IPsec)
(Layer-2 VPN with VxLAN over IPsec - Extend LAN over IPsec)
Linje 51: Linje 51:
  
 
= Layer-2 VPN with VxLAN over IPsec - Extend LAN over IPsec =
 
= Layer-2 VPN with VxLAN over IPsec - Extend LAN over IPsec =
https://kb.fortinet.com/kb/documentLink.do?externalID=FD40170
+
[https://kb.fortinet.com/kb/documentLink.do?externalID=FD40170 Technical Note: Building a Layer-2 VPN with VxLAN over IPsec]
http://www.mirazon.com/vxlan-encapsulation-fortigate/
+
 
 +
[http://www.mirazon.com/vxlan-encapsulation-fortigate/ VXLAN Encapsulation in FortiGate]
  
 
Notes:
 
Notes:
 
Husk det er L2, så IP opsætning er ikke nødvendigt på interfaces/soft switch.
 
Husk det er L2, så IP opsætning er ikke nødvendigt på interfaces/soft switch.
 
Men hvis den ene side skal have IP, hvis man fx vil udvide LAN over IPsec, så skal IP sættes på soft switchen, og ikke det fysiske interface. Og kun på den ene side af tunnelen.
 
Men hvis den ene side skal have IP, hvis man fx vil udvide LAN over IPsec, så skal IP sættes på soft switchen, og ikke det fysiske interface. Og kun på den ene side af tunnelen.
 +
 +
Fortigate 1:
 +
<pre>
 +
config vpn ipsec phase1-interface
 +
    edit "VXLAN-IPSec-VPN"
 +
        set interface "wan"
 +
        set peertype any
 +
        set proposal aes128-sha1
 +
        set encapsulation vxlan
 +
        set remote-gw 4.3.2.1
 +
        set psksecret KEY
 +
    next
 +
 +
config vpn ipsec phase2-interface
 +
    edit "VXLAN-IPSec-VPN"
 +
        set phase1name "VXLAN-IPSec-VPN"
 +
        set proposal aes128-sha1
 +
    next
 +
end
 +
 +
config system switch-interface
 +
    edit "soft_switch"
 +
        set member "port2" "VXLAN-IPSec-VPN"
 +
        set intra-switch-policy explicit  // (optional)
 +
    next
 +
end
 +
 +
 +
config firewall policy //Hvis du har brugt intra-switch-policy explicit på switch.
 +
    edit 1
 +
        set srcintf "port2"
 +
        set dstintf "VXLAN-IPSec-VPN"
 +
        set srcaddr "all"
 +
        set dstaddr "all"
 +
        set action accept
 +
        set schedule "always"
 +
        set service "ALL"
 +
    next
 +
    edit 2
 +
        set srcintf "VXLAN-IPSec-VPN"
 +
        set dstintf "port2"
 +
        set srcaddr "all"
 +
        set dstaddr "all"
 +
        set action accept
 +
        set schedule "always"
 +
        set service "ALL"
 +
    next
 +
end
 +
 +
 +
 +
config system interface //Hvis det lokale interface skal have IP opsætning, så sættes IP indstilling på switchen i stedet for interface.
 +
    edit "soft_switch"
 +
        set ip 192.168.1.1 255.255.255.0
 +
        set type switch
 +
        set device-identification enable
 +
        set role lan
 +
    next
 +
 +
 +
 +
</pre>
 +
 +
 +
Fortigate 2:
 +
<pre>
 +
config vpn ipsec phase1-interface
 +
    edit "VXLAN-IPSec-VPN"
 +
        set interface "wan"
 +
        set peertype any
 +
        set proposal aes128-sha1
 +
        set encapsulation vxlan
 +
        set remote-gw 1.2.3.4
 +
        set psksecret KEY
 +
    next
 +
 +
config vpn ipsec phase2-interface
 +
    edit "VXLAN-IPSec-VPN"
 +
        set phase1name "VXLAN-IPSec-VPN"
 +
        set proposal aes128-sha1
 +
    next
 +
end
 +
 +
 +
config system switch-interface
 +
    edit "soft_switch"
 +
        set member "port2" "VXLAN-IPSec-VPN"
 +
        set intra-switch-policy explicit  // (optional)
 +
    next
 +
end
 +
 +
config firewall policy //Hvis du har brugt intra-switch-policy explicit på switch.
 +
    edit 1
 +
        set srcintf "port2"
 +
        set dstintf "VXLAN-IPSec-VPN"
 +
        set srcaddr "all"
 +
        set dstaddr "all"
 +
        set action accept
 +
        set schedule "always"
 +
        set service "ALL"
 +
    next
 +
    edit 2
 +
        set srcintf "VXLAN-IPSec-VPN"
 +
        set dstintf "port2"
 +
        set srcaddr "all"
 +
        set dstaddr "all"
 +
        set action accept
 +
        set schedule "always"
 +
        set service "ALL"
 +
    next
 +
end
 +
 +
 +
</pre>
  
 
= Gemme config =
 
= Gemme config =

Versionen fra 13. jun 2019, 07:08

NAT / VIP - Port forward

Lav VIPs for hver port der skal åbnes/forwardes, fx:

public.y.xxx.zz --> 192.168.1.50 (TCP: 3390 --> 3389)

Hvis der er flere porte mod samme server, kan der laves en VIP group.

Herefter er det bare at lave en policy med VIP group som destination og ALL i Service.

Se https://docs.fortinet.com/uploaded/files/1652/using-port-forwarding-on-a-FortiGate-unit.pdf


http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Object%20Configuration/Virtual%20IPs/Configuring%20a%20VIP%20for%20IPv4.htm


http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Object%20Configuration/Addresses/Addresses.htm

public ip

DNS translation http://kb.fortinet.com/kb/documentLink.do?externalID=FD34099 

config firewall dnstranslation
   edit 1
       set dst 217.pp.pp.pp
       set netmask 255.255.255.255
       set src 192.168.1.100
       next
   end

GeoIP

Slå op hvilket land en IP hører til:

diagnose firewall ipgeo ip2country x.x.x.x

Session helper

http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-system-administration-52/Session%20Helpers/session_helpers.htm

The FTP session helper monitors PORT, PASV and 227 commands and NATs the IP addresses and port numbers in the body of the FTP packets and opens ports on the FortiGate unit as required. To accept FTP sessions you must add a security policy with service set to any or to the FTP, FTP_Put, and FTP_GET pre-defined services (which all listen on TCP port 21).

Husk at ændre port hvis du kører FTP på andet end port 21: 

config system session-helper
edit 1
set name ftp
set port 21
set protocol 6
next


Layer-2 VPN with VxLAN over IPsec - Extend LAN over IPsec

Technical Note: Building a Layer-2 VPN with VxLAN over IPsec

VXLAN Encapsulation in FortiGate

Notes: Husk det er L2, så IP opsætning er ikke nødvendigt på interfaces/soft switch. Men hvis den ene side skal have IP, hvis man fx vil udvide LAN over IPsec, så skal IP sættes på soft switchen, og ikke det fysiske interface. Og kun på den ene side af tunnelen.

Fortigate 1: 

config vpn ipsec phase1-interface
    edit "VXLAN-IPSec-VPN"
        set interface "wan"
        set peertype any
        set proposal aes128-sha1
        set encapsulation vxlan
        set remote-gw 4.3.2.1
        set psksecret KEY
    next

config vpn ipsec phase2-interface
    edit "VXLAN-IPSec-VPN"
        set phase1name "VXLAN-IPSec-VPN"
        set proposal aes128-sha1
    next
end

config system switch-interface
    edit "soft_switch"
        set member "port2" "VXLAN-IPSec-VPN"
        set intra-switch-policy explicit   // (optional)
    next
end


config firewall policy //Hvis du har brugt intra-switch-policy explicit på switch.
    edit 1
        set srcintf "port2"
        set dstintf "VXLAN-IPSec-VPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "VXLAN-IPSec-VPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end



config system interface //Hvis det lokale interface skal have IP opsætning, så sættes IP indstilling på switchen i stedet for interface.
    edit "soft_switch"
        set ip 192.168.1.1 255.255.255.0
        set type switch
        set device-identification enable
        set role lan
    next


Fortigate 2: 

config vpn ipsec phase1-interface
    edit "VXLAN-IPSec-VPN"
        set interface "wan"
        set peertype any
        set proposal aes128-sha1
        set encapsulation vxlan
        set remote-gw 1.2.3.4
        set psksecret KEY
    next

config vpn ipsec phase2-interface
    edit "VXLAN-IPSec-VPN"
        set phase1name "VXLAN-IPSec-VPN"
        set proposal aes128-sha1
    next
end


config system switch-interface
    edit "soft_switch"
        set member "port2" "VXLAN-IPSec-VPN"
        set intra-switch-policy explicit   // (optional)
    next
end

config firewall policy //Hvis du har brugt intra-switch-policy explicit på switch.
    edit 1
        set srcintf "port2"
        set dstintf "VXLAN-IPSec-VPN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "VXLAN-IPSec-VPN"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Gemme config

https://kb.fortinet.com/kb/documentLink.do?externalID=FD30912 

execute cfg save


Hairpin

http://cookbook.fortinet.com/configure-hair-pinning-fortigate/

FortiClient

Gratis VPN klient og antivirus.

Vulnerability Scan: Holde programmer opdateret. Manuelt via Fix Now knappen.


Enforce FortiClient Compliance Check kræver man har 100% styr på alle devices der kræver internet forbindelse på netværket.

Når så Enforce FortiClient Compliance Check er sat til, kan FortiClient hente indstillinger fra Fortigate, fx Web filter, men man skal selv trykke Fix non-compliant Settings knappen for at rette indstillinger så de passer med dem fra Fortigate.

En work around kan være at exempt hele lan netværket.

Fix non-compliant Settings kommer ikke frem hvis ikke Enforce FortiClient Compliance Check er sat til.

VDOM

config system global
set vdom-admin enable
end
Hentet fra "https://wiki.kvig.dk/index.php?title=Fortinet&oldid=3880"