Fortinet

From NørderiWiki
Revision as of 28 Mar 2019, 09:06

NAT / VIP - Port forward

Create a VIP for each port that is to be opened/forwarded, e.g.:

public.y.xxx.zz --> 192.168.1.50 (TCP: 3390 --> 3389)

If several ports go to the same server, you can put the VIPs in a VIP group.

Then all that remains is a policy with the VIP group as destination and ALL in Service. The VIP objects themselves limit what the policy can match: with port forwarding, only TCP traffic to external port 3390 hits this VIP, and it is delivered to 192.168.1.50:3389.
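
The procedure above written out as FortiOS CLI configuration. This is an added example, not from the original page or from Fortinet's documentation. The public address 203.0.113.10, the interface names wan1 and internal, the second forwarded port (HTTPS, 443 with no port change) and all object names are assumptions; the 3390 --> 3389 mapping to 192.168.1.50 is the one from the page. Lines beginning with # are comments, as in a FortiOS configuration backup.

```fortios
# VIP per forwarded port: external TCP/3390 on 203.0.113.10 -> 192.168.1.50:3389
# (203.0.113.10 and the interface names are assumed)
config firewall vip
    edit "vip-rdp-3390"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 3390
        set mappedip "192.168.1.50"
        set mappedport 3389
    next
    # Second port to the same server (assumed: HTTPS, no port translation)
    edit "vip-https-443"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "192.168.1.50"
        set mappedport 443
    next
end

# Group the VIPs so a single policy covers every port to this server
config firewall vipgrp
    edit "vipgrp-srv50"
        set interface "wan1"
        set member "vip-rdp-3390" "vip-https-443"
    next
end

# One inbound policy: destination is the VIP group, service ALL (the VIPs
# already restrict matching to TCP/3390 and TCP/443 on the external side).
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "wan-to-srv50"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vipgrp-srv50"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Where the set of clients is known, replace srcaddr all with a named address or geography object: an RDP service exposed to the whole internet will be found by scanners whether it sits on 3389 or 3390, and logtraffic all is there so that the attempts show up in the logs.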

See https://docs.fortinet.com/uploaded/files/1652/using-port-forwarding-on-a-FortiGate-unit.pdf


http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Object%20Configuration/Virtual%20IPs/Configuring%20a%20VIP%20for%20IPv4.htm


http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-firewall/Object%20Configuration/Addresses/Addresses.htm

public ip

DNS translation http://kb.fortinet.com/kb/documentLink.do?externalID=FD34099

Rewrites the resolved address in DNS replies that pass through the FortiGate: a reply that resolves to src (the server's internal address) is returned with dst (the public address) in its place. netmask sets how large a range is translated; a host mask translates the single address.

config firewall dnstranslation
    edit 1
        set dst 217.pp.pp.pp
        set netmask 255.255.255.255
        set src 192.168.1.100
    next
end

GeoIP

Look up which country an IP belongs to:

diagnose firewall ipgeo ip2country x.x.x.x

Session helper

http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-system-administration-52/Session%20Helpers/session_helpers.htm

The FTP session helper monitors PORT, PASV and 227 commands and NATs the IP addresses and port numbers in the body of the FTP packets and opens ports on the FortiGate unit as required. To accept FTP sessions you must add a security policy with service set to any or to the FTP, FTP_Put, and FTP_GET pre-defined services (which all listen on TCP port 21).

Remember to change the port if you run FTP on something other than port 21 (or add a second helper entry for that port and leave the default one alone; a policy that allows the custom port without a matching helper will pass the control channel but break the data channel):

config system session-helper
    edit 1
        set name ftp
        set port 21
        set protocol 6
    next
end

The ID (edit 1 here) is only the entry's index in the session-helper table; check which entry actually carries the ftp helper with show system session-helper before editing it.
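
The case the note above describes, FTP on a non-standard port, as an added FortiOS CLI example (not from the page or from Fortinet's documentation). Port 2121, the interface names internal and wan1, the session-helper ID 20 and the object names are assumptions; the default helper on port 21 is left in place and a second one is added for 2121. Lines beginning with # are comments.

```fortios
# Custom service for the non-standard FTP control port (2121 is assumed)
config firewall service custom
    edit "FTP-2121"
        set tcp-portrange 2121
    next
end

# Additional FTP session helper for port 2121. The default table keeps its own
# entries (list them with: show system session-helper); 20 is assumed to be
# a free ID on this unit.
config system session-helper
    edit 20
        set name ftp
        set protocol 6
        set port 2121
    next
end

# Policy letting LAN clients out to FTP servers on 2121 with source NAT.
# Because the service and the helper agree on the port, the helper rewrites
# the addresses in PORT/PASV exchanges and opens the data-channel pinhole;
# with the helper only on 21 this policy would pass logins but no transfers.
config firewall policy
    edit 0
        set name "lan-to-ftp-2121"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "FTP-2121"
        set nat enable
        set logtraffic all
    next
end
```

The same pairing applies inbound: an FTP server published through a VIP on a non-standard port needs a helper entry on that port as well, otherwise active-mode clients behind the FortiGate cannot open the data connection.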


Layer-2 VPN with VxLAN over IPsec

https://kb.fortinet.com/kb/documentLink.do?externalID=FD40170

IP config on one side


Hairpin

Hairpin NAT: internal clients reaching an internal server through its public VIP address, so the traffic enters and leaves the FortiGate on the same interface (a policy from the internal interface to itself with the VIP as destination and NAT enabled).

http://cookbook.fortinet.com/configure-hair-pinning-fortigate/

FortiClient

Free VPN client and antivirus.

Vulnerability Scan: keeps installed programs patched. Run manually via the Fix Now button.


Enforce FortiClient Compliance Check requires that you have 100% control of every device on the network that needs internet access: anything without a compliant FortiClient installed (printers, IoT, guests) is blocked until it is exempted.

Once Enforce FortiClient Compliance Check is enabled, FortiClient can pull settings from the FortiGate, e.g. Web filter, but you have to press the Fix non-compliant Settings button yourself to correct the settings so they match the ones from the FortiGate.

A workaround can be to exempt the whole LAN network. Note that this disables enforcement for everyone on that network; exempting only the specific addresses that cannot run FortiClient keeps the check meaningful for the rest.

Fix non-compliant Settings does not appear unless Enforce FortiClient Compliance Check is enabled.

VDOM

Enable multi-VDOM mode (FortiOS 5.x/6.0 syntax):

config system global
    set vdom-admin enable
end

On FortiOS 6.2 and later the option was replaced by set vdom-mode multi-vdom in the same config system global block.
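
What you typically do right after enabling VDOMs, as an added FortiOS CLI example (not from the page or from Fortinet's documentation): create a VDOM, move an interface into it and give it an administrator that is confined to that VDOM, so a tenant's admin cannot see or change the rest of the unit. The VDOM name customerA, the interface port3 and its address, the admin account name and the password placeholder are all assumptions; prof_admin is the built-in profile. The enable step uses the FortiOS 5.x/6.0 form shown on this page. Lines beginning with # are comments.

```fortios
# Enable multi-VDOM mode (FortiOS 5.x/6.0 form, as on this page)
config system global
    set vdom-admin enable
end

# Create the VDOM (name is assumed)
config vdom
    edit "customerA"
    next
end

# Everything under "config global" is shared across VDOMs
config global
    # Move an interface into the new VDOM. It must not be referenced by
    # policies, routes or other objects in its current VDOM (root) first.
    # Address and allowed management protocols are assumed.
    config system interface
        edit "port3"
            set vdom "customerA"
            set ip 10.20.0.1 255.255.255.0
            set allowaccess ping https ssh
        next
    end

    # Administrator scoped to that VDOM only: prof_admin gives full rights
    # inside the assigned VDOM and nothing outside it. Replace the password.
    config system admin
        edit "customerA-admin"
            set vdom "customerA"
            set accprofile "prof_admin"
            set password "ReplaceMeWithAStrongPassword"
        next
    end
end
```

Log in as customerA-admin afterwards and confirm that only customerA appears; if the global context or other VDOMs are visible, the account was created with a global profile (super_admin) rather than a VDOM-scoped one.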