Personally, I use NextDNS for that.
I have a Windows DNS server proxying to their servers, but you can also have your FortiGate connect directly there. You can set and unset anti-ad, privacy etc. blacklists in your account.
See nextdns.io
In general, don't use the web client. It's taxing on the FortiGate and purposefully limited. On the backend it's just Apache Guacamole. Stand up a Guacamole server and make it yourself; a lot of the limitations the FortiGate has, a standard Guacamole setup won't.
But honestly RDP is so efficient that I'd just use SSL-VPN with a normal RDP session on top of it.
As someone else said, the SSL VPN certs are different from the SSL MiTM inspection certs, and you cannot use purchased certificates for the SSL MiTM.
I use cheap Namecheap.com certs for the SSL VPN. They're US$8 per year.
The SSL inspection cert, I distribute the one the FortiGate generates.
This at least gets rid of the absolutely lowest hanging fruit. But the InfoSec team at OP's company sounds like they want to make it their own access point gear only. For anyone reading this in the future though - GeoIP is great and all to stop drive-by from China and North Korea and Russia if those are your concern - but rest assured it won't stop them from using a NordVPN and "transporting" their IP to the USA if they really want in.
Have you looked at NordVPN? With the proper subscription, you can get a static IP that requires login and MFA. They have apps for the phones so they start the app when they need to access the camera system and all traffic routes through the VPN and is secure.
Most Fortinet gear - including FortiSwitches - use the industry standard Cisco pinout. 100% positive.
Options:
Had to share. https://www.amazon.com/OIKWAN-Adapter%EF%BC%8C-Essential-Accessory-Ubiquity/dp/B08F7VY86M/
Changed my life.
Are you talking about IP VPN? I am not sure what IVPN is and I can't find any Lumen services to see how they do it. If it's an IP VPN, which is a kind of MPLS: I see that there is a Layer 3 device to terminate each uplink. Layer 3 devices would take it one level higher than Layer 2, and VLAN 300 and 600 will no longer be visible on the LAN side. You are also showing "trunk" on the LAN side uplinking to two Layer 3 devices - does it mean you are using a subinterface, or are you trying to use an SVI for VLAN 300 and 600?
As an example, which may not fit your setup, I add a switch when I have active/active or active/passive to deliver both circuits to each FortiGate.
If you could explain a bit more about your setup and carrier restrictions, the size of the subnet you can use, etc... I would love to help.
Buy the Forticonverter service which can convert ASA to FTNT. It’s only a few $$$ and not worth the work you need to do to reinvent the wheel…
Example of pricing for a 60f
That sounds like the re-negotiation of a new ESP child SA fails. If I remember correctly, the initial one does not include DH group (since it's derived from IKE SA negotiation). So maybe start by checking what DH group NordVPN requires for ESP ("ipsec"). If you can set that, then you will probably succeed in re-negotiating a new ESP child SA.
Also check your registry and make sure you've deleted the option "NegotiateDH2048_AES256" (reference). This is known to fuck shit up™.
Also also, consider having a look at your event log in Windows.
Event Viewer > Windows Logs > Application > filter it for source "RasClient". I personally find the logs mostly useless, but maybe you'll be lucky this time.
That is all the guesses I can offer. Anything further would need detailed debugging, or ideally capturing and decrypting the IKE communication. (Not sure how to do that with just the Windows client.)
It looks like u/HappyVlane listed the command, and here is an organized cheatsheet I put together for myself that might help you find different ways of using sniffer, debug, diag and more...
https://www.notion.so/stingray7/FortiGate-Troubleshooting-e7723d2b144b43a2acbb1cb29c0c9525
Sniffer shows this:
2022-07-28 18:48:38.574511 VPNTunnel out .y.z.15741 -> 192.168.90.50.514: udp 753
2022-07-28 18:48:38.574992 VPNTunnel out .y.z.15741 -> 192.168.90.50.514: udp 753
2022-07-28 18:48:38.699044 VPNTunnel out .y.z.15741 -> 192.168.90.50.514: udp 588
2022-07-28 18:48:38.942070 VPNTunnel out .y.z.15741 -> 192.168.90.50.514: udp 908
2022-07-28 18:48:39.184118 VPNTunnel out .y.z.15741 -> 192.168.90.50.514: udp 717
I know of some other VPNs that have worked for me (as a student) to bypass the FortiGate firewalls. The VPNs were Hotspot Shield and X-VPN. Might want to take a look at blocking those too; they were the only ones that would work when I was at school.
If you can't find something from RackMountIT, just buy a shelf and velcro it down or command strip it. Something like below.
https://www.amazon.com/NavePoint-Cantilever-Server-Vented-Shelves/dp/B008LUW49G
Only allow known categories. Block unrated, newly observed, newly registered. Their VPN website isn't going to be in FortiGuard DNS filters as a category other than these, unless it's a corporate VPN.
Legit commercial VPNs such as Nord, for example, will be in Information Technology, but you can block those with AppControl or the Internet Services Database, since these are all well known without deep packet inspection.
Guest lan to internet, guest users to ISDB NordVPN, action: deny
Then in your general internet rule, block Proxy application category in the AppControl profile.
At that point, you’ve done your due diligence. If they get around that - they’re smarter than what you can reasonably block on a guest uncontrolled network. Best you’re going to do is slow them down. It’s a rat race past that.
Even with dpi, what do you plan to do, to block me from using the vpn to my home FortiGate, and bypassing your web filtering that way? The connection is encrypted inside the encrypted tunnel - even your dpi isn’t going to get you the data inside the second encryption.
This isn't possible via FortiExplorer. You need console access to the box.
> I'm asking because if that's possible it would be a much easier physical connection that I could do now.
The intent is to force you to have physical access to the box. Allowing it via wireless, would inherently increase the chances of exploitation.
Other option is to have something like opengear hooked up to the console interface for remote kvm access.
I use a https://www.amazon.com/Sabrent-Converter-Prolific-Chipset-CB-DB9P/dp/B00IDSM6BW
Connect to the firewall using the following:
Speed (Baud): 9600
Data Bits: 8
Parity: None
Stop Bits: 1
Flow Control: no hardware flow control
COM Port: the correct COM port
plug that into putty, find your com port in device manager, hit connect. Should work.
Why not use PtP radios instead of satellite? They aren't expensive and would eliminate the latency you'll see over satellite.
I've used these for short distances between buildings where we could not get permission to dig for underground cabling. They're already paired, so no setup needed. https://www.amazon.com/Cambium-Networks-Plug-n-Play-Wireless-Ethernet/dp/B074W5FCWR
Some info here https://firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall as you mentioned android, assume it is not iOS as well. Look at the sessions in the cli if you want timeout info. Think the FortiGate default is 1hr idle on tcp iirc.
As others have mentioned, Domotz would be perfect for this and we do have the integration for Fortigate for config management. A few more details about this here. I'm the CM there if anyone has any questions.
Overall: Hard to say. It is not officially supported, so you're on thin ice by definition.
Practically: I've just set up a new DNS record in cloudflare, set it to "proxy" and pointed to my FGT. Results:
webmode login: works
HTTPS bookmark to a random website: works
HTTPS bookmark to FGT GUI: works
SSH bookmark (FGT CLI): works
RDP bookmark to Windows target: works
Looks promising, but I would recommend thorough testing before even thinking of committing to this idea.
You will need to align with Cloudflare's list of supported ports. E.g. it won't work if your SSL-VPN is set to port 12443.
Another question is which source-IPs you could restrict the access to (which IPs will the traffic from Cloudflare come from?). Found this list, not sure how thorough it is.
Another potential discussion topic is a potential attack by someone also proxied through Cloudflare (if filtering access to Cloudflare IPs).
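Two of the checks in the comment above are mechanical enough to script: whether the SSL-VPN listener is on a port Cloudflare will proxy at all, and whether a given source address actually belongs to Cloudflare's published proxy ranges (which is what you would put in the srcaddr of the policy). The following is an added example, not code from the original thread or from Fortinet; the IP ranges are a snapshot copied from Cloudflare's published list and must be refreshed from https://www.cloudflare.com/ips-v4 before use, the object naming is this example's own convention, and the sample source IPs are constructed.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 proxy ranges, embedded so the example
# runs offline. The list changes; refresh it from https://www.cloudflare.com/ips-v4
# before building a real policy from it.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

# HTTPS ports Cloudflare's proxy will forward. Anything else (the 12443 from the
# comment above, for instance) is simply not proxied.
CLOUDFLARE_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}

_NETS = [ipaddress.ip_network(c) for c in CLOUDFLARE_IPV4]


def is_cloudflare_source(ip: str) -> bool:
    """True if the address falls inside one of the published Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _NETS)


def cloudflare_proxies_port(port: int) -> bool:
    """True if Cloudflare will proxy HTTPS on this port (orange-cloud record)."""
    return port in CLOUDFLARE_HTTPS_PORTS


def fortios_address_group(group_name: str = "g-cloudflare-v4") -> str:
    """Render FortiOS CLI creating one address object per range plus a group,
    intended as the srcaddr of the SSL-VPN allow policy. Object names
    ("cf-<cidr>") are this example's convention, not a Fortinet one."""
    lines = ["config firewall address"]
    names = []
    for cidr in CLOUDFLARE_IPV4:
        name = "cf-" + cidr.replace("/", "_")
        names.append(name)
        lines += [f'    edit "{name}"', f"        set subnet {cidr}", "    next"]
    lines.append("end")
    lines += ["config firewall addrgrp", f'    edit "{group_name}"',
              "        set member " + " ".join(f'"{n}"' for n in names),
              "    next", "end"]
    return "\n".join(lines)


def check_listener(port: int, observed_sources: list) -> dict:
    """Summarise whether the listener can sit behind the proxy and which of the
    observed source IPs would pass a Cloudflare-only allow-list."""
    return {
        "port_proxied": cloudflare_proxies_port(port),
        "cloudflare_sources": [s for s in observed_sources if is_cloudflare_source(s)],
        "other_sources": [s for s in observed_sources if not is_cloudflare_source(s)],
    }


if __name__ == "__main__":
    # Constructed sample: two Cloudflare edge addresses and one direct hit on the
    # FortiGate's public IP that the allow-list is meant to keep out.
    print(check_listener(12443, ["104.16.1.1", "172.64.3.4", "203.0.113.9"]))
    print(fortios_address_group())
```

Note what this does not solve: the allow-list only says "came via Cloudflare", not "came from a user of mine". Any other Cloudflare customer can point a proxied record at your public IP and arrive from the same ranges, which is exactly the last point raised above, so the SSL-VPN's own authentication and MFA still carry the weight.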
Hi! Wazuh employee here.
First of all, a brief description of Wazuh:
It's a free and open source platform used for threat prevention, detection, and response. It protects workloads across on-premises, virtualized, containerized and cloud-based environments.
Wazuh solution consists of an endpoint security agent, deployed to the monitored systems, and a management server, which collects and analyzes data gathered by the agents. Besides, Wazuh has been fully integrated with the Elastic Stack, providing a search engine and data visualization tool that allows users to navigate through their security alerts.
Finally, please remember Wazuh is an open source project, so if you have any doubt about it or its configuration, you can reach us via Slack, Google Groups or Reddit! You can take a look at them; there are several questions regarding Fortinet that you may find interesting. However, feel free to ask us and we'll be happy to help!
Regards, Alexis.
Tried option 1 (Allow invalid certificates) and it worked, still using proxy-based inspection.
The problem was that all the websites that had this problem had a certificate issued by https://letsencrypt.org/ and Fortinet doesn't have this CA listed as a trusted CA.
You can check this at: Security Profiles > SSL/SSH Inspection > Edit the profile you are using and click on View Trusted CA list.
Hope this helps.
Best Regards,
The ISRG Root X1 is already in the FortiGate and has been there for some time. But I don't see the R3 intermediate certificate in the list of FortiGate CAs. I added it manually but am still getting the error. Probably R3 must be hardcoded into the FortiGate https://letsencrypt.org/certificates/
Are you saying that the ISRG Root X1 is the old/expired root CA? Because looking at the FortiGate GUI, you can easily see that it's the X3 root CA which has expired...
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
It is a FortiGate problem (also Palo Alto btw.)
They don't need to check that old cert anymore...
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
I spotted this also, do you recommend :)
.Server Analysis VPN - Servers providing Anonymizing VPN service, such as NordVPN
I've never seen anything false positive in that malicious list. I've often setup that ISDB and others like Botnet as a source object in a deny policy on inbound (make sure you enable "match vip" in the CLI).
I will point out though that I haven't noticed much of a hit rate, and most of the suspicious connections I've seen have come from legitimate other sources. I set up a honeypot for a while and the majority of the sources were from legitimate VPN services, like NordVPN or Surfshark. Unfortunately, they don't seem to be included in any of the ISDBs. Your best protection strategy against log4j is really to limit exposure, patch and IPS.
I've never done SPAN on FortiGates before. I would suggest not putting their device in-line if you can avoid it, to have one less point of failure; especially a device you don't manage.
This link seems to have some good info:
http://serverfault.com/questions/506239/network-tap-span-port-on-fortigate-100d-fortios-4-0mr3
You might need to play around with it first, connect your laptop up to your 'Gate and see how many SPAN dst ports you will need in your situation.
You can; however, I would recommend looking into a solution designed around log collection/archiving. The obvious recommendation would be to look into FortiAnalyzer, but there are plenty of options.
If you're looking for an open-source option, check out Graylog. Also, some other options here:
Thanks for the tips .. will try turning off security filters later.
I'm testing the speed using my laptop plugged into the modem and then a browser to fast.com. Then the same thing with the laptop plugged into one of the LAN ports.
The WAN port is set to manual with no PPPoE, and shows up as 1000 Mb, as do all the LAN interfaces.
Wanted to point out there is a Fortinet module for Filebeat. It does all the parsing and mapping. With this you don't need Logstash in the middle; you can go straight to Elasticsearch. So FortiGate syslog - Filebeat - ES.
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-fortinet.html
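What the Filebeat module is doing for you is splitting FortiGate's key=value syslog format, where values with spaces are double-quoted, into fields. If you want to sanity-check a feed before it reaches Elasticsearch, or pull one thing out of a raw syslog capture without the whole stack, the parser is small enough to write yourself. The following is an added example (mine, not Fortinet's or Elastic's code): the log lines are constructed to look like FortiOS traffic/event logs, not captured from a real device, and the `srcinetsvc` field name (populated when an Internet Service object matched) and the ISDB name in the sample are assumptions to verify against your firmware's log reference.

```python
import re
from collections import Counter

# FortiGate log lines are space-separated key=value pairs. A value is either a
# double-quoted string (which may contain spaces and escaped quotes) or a bare
# run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s]*)')


def parse_fortigate_line(line: str) -> dict:
    """Turn one FortiGate syslog line into a dict of string fields."""
    line = re.sub(r"^<\d+>", "", line).strip()      # drop syslog PRI such as <189>
    fields = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def summarise(lines):
    """Count denied traffic sessions per source IP and list the ones where an
    Internet Service (ISDB) object matched the source, the case an inbound
    deny policy built on ISDB would produce."""
    denies = Counter()
    isdb_hits = []
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec.get("type") != "traffic":            # skip event/utm logs
            continue
        if rec.get("action") == "deny":
            src = rec.get("srcip", "?")
            denies[src] += 1
            if "srcinetsvc" in rec:                 # assumed field name, see lead-in
                isdb_hits.append((src, rec["srcinetsvc"]))
    return denies, isdb_hits


# Constructed sample lines (not real device output); the ISDB name is illustrative.
SAMPLE = [
    '<189>date=2022-07-28 time=18:48:38 devname="FGT60F-LAB" devid="FGT60F0000000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=198.51.100.23 srcport=51422 srcintf="wan1" dstip=192.0.2.10 dstport=443 '
    'dstintf="dmz" srcinetsvc="NordVPN-NordVPN" action="deny" policyid=12 '
    'service="HTTPS" msg="Denied by inbound ISDB policy" duration=0 sentbyte=0 rcvdbyte=0',
    '<189>date=2022-07-28 time=18:48:40 devname="FGT60F-LAB" logid="0000000013" '
    'type="traffic" subtype="forward" srcip=192.168.90.50 srcport=40001 dstip=203.0.113.5 '
    'dstport=443 action="accept" policyid=3 service="HTTPS" sentbyte=1200 rcvdbyte=5400',
    '<189>date=2022-07-28 time=18:48:41 devname="FGT60F-LAB" logid="0000000013" '
    'type="traffic" subtype="forward" srcip=192.0.2.77 srcport=2222 dstip=192.0.2.10 '
    'dstport=22 action="deny" policyid=0 service="SSH" msg="Denied by implicit deny"',
    '<189>date=2022-07-28 time=18:48:42 devname="FGT60F-LAB" logid="0100032001" '
    'type="event" subtype="system" level="information" action="login" '
    'msg="Administrator admin logged in successfully from ssh(192.168.90.50)"',
]

if __name__ == "__main__":
    denies, hits = summarise(SAMPLE)
    print(dict(denies))
    print(hits)
```

The quoted-value handling is the part people get wrong with a naive `split()`: the `msg` field above contains spaces, and a login event's `msg` even contains `=` signs and parentheses, which this regex keeps inside the field rather than spraying into bogus keys.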
Can we please get better/actual training videos?
for example - http://www.cbtnuggets.com/it-training-videos/course/checkpoint-ccsa
they do actual hands on, download trial, create virtual machines, how to setup, etc etc.
Fortinet NSE trainings are just huge marketing videos with zero useful how to guide for training Jr. Admins.
Hi u/rowankaag! Thank you! I followed the path. I only have one of these files in the folder "/Library/Application Support/Fortinet/FortiClient/bin/" and it's "fctservctl". Please check the attached screenshot https://snipboard.io/GAwXVM.jpg
Let me clear things up... There is a free version and a paid version.
The paid version can be managed by a FortiGate (prior to 5.4.1) or by EMS. This version has the same features as the free version but is centrally managed.
The free version is available at http://www.forticlient.com. It's free and you can use it either for AV or VPN, or both - there is an install option for it to be VPN only if you have a preferred AV product already.
What you could do, if you wanted to limit SSH access and control it, is use something like Apache Guacamole to be the middle man. You add the servers to it, either by hand or by script (add SQL records) from the AWS APIs. Then you can block SSH and have a reasonable way for people to use SSH in a controlled fashion. Also Guac can record SSH sessions and the client is HTML5.
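The "add SQL records by script" part deserves one caveat: EC2 tag values are attacker-influenced input (anyone with ec2:CreateTags can set them), so the sync script must use bound parameters rather than formatting tag values into SQL. The following is an added example, not the commenter's script and not part of Guacamole or AWS: it loads a constructed instance list shaped like the Instances entries EC2 describe-instances returns (in production this would come from boto3) into the two guacamole-auth-jdbc tables involved. The table and column names follow the upstream JDBC schema as I know it, reduced to the columns used here; the real schema has more columns and a real deployment also needs rows in guacamole_connection_permission before anyone can see the connection, both of which are omitted. SQLite is used only so the example runs offline.

```python
import sqlite3

# Minimal stand-in for the two guacamole-auth-jdbc tables touched here.
# Column names follow the upstream schema (verify against your version);
# the real deployment uses MySQL or PostgreSQL.
SCHEMA = """
CREATE TABLE guacamole_connection (
    connection_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    connection_name TEXT NOT NULL UNIQUE,
    protocol        TEXT NOT NULL
);
CREATE TABLE guacamole_connection_parameter (
    connection_id   INTEGER NOT NULL,
    parameter_name  TEXT NOT NULL,
    parameter_value TEXT NOT NULL,
    PRIMARY KEY (connection_id, parameter_name)
);
"""

# Constructed sample shaped like Reservations[].Instances[] from describe-instances.
# The second Name tag is deliberately hostile to show why string-formatted SQL
# would be the wrong tool here.
INSTANCES = [
    {"InstanceId": "i-0abc", "PrivateIpAddress": "10.0.1.10",
     "Tags": [{"Key": "Name", "Value": "web-01"}, {"Key": "Env", "Value": "prod"}]},
    {"InstanceId": "i-0def", "PrivateIpAddress": "10.0.1.11",
     "Tags": [{"Key": "Name", "Value": "db-01'); DROP TABLE guacamole_connection; --"}]},
    {"InstanceId": "i-0fff", "PrivateIpAddress": None, "Tags": []},   # nothing to reach
]


def tag(instance: dict, key: str, default: str = "") -> str:
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == key), default)


def sync_ssh_connections(conn, instances, ssh_user="ops", port=22):
    """Insert one SSH connection per instance that has a private IP.
    All instance-derived values go in as bound parameters."""
    added = []
    for inst in instances:
        host = inst.get("PrivateIpAddress")
        if not host:
            continue
        name = f'{tag(inst, "Name", inst["InstanceId"])} ({inst["InstanceId"]})'
        cur = conn.execute(
            "INSERT INTO guacamole_connection (connection_name, protocol) VALUES (?, ?)",
            (name, "ssh"),
        )
        cid = cur.lastrowid
        params = {"hostname": host, "port": str(port), "username": ssh_user}
        conn.executemany(
            "INSERT INTO guacamole_connection_parameter "
            "(connection_id, parameter_name, parameter_value) VALUES (?, ?, ?)",
            [(cid, k, v) for k, v in params.items()],
        )
        added.append(name)
    conn.commit()
    return added


def connection_count(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM guacamole_connection").fetchone()[0]


def hostnames(conn) -> list:
    rows = conn.execute(
        "SELECT parameter_value FROM guacamole_connection_parameter "
        "WHERE parameter_name = 'hostname' ORDER BY connection_id"
    ).fetchall()
    return [r[0] for r in rows]


def open_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    db = open_demo_db()
    print(sync_ssh_connections(db, INSTANCES))
    print(connection_count(db), hostnames(db))
```

Including the instance ID in the connection name keeps names unique across instances that share a Name tag, and re-running the script against a live database would need an upsert or a delete-then-insert per instance, which is left out here.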
Thanks for the inputs/feedbacks everybody.
It looks like my undertaking remains wishful thinking. I will therefore likely stick to https://vyos.io/ and ubiquiti products for the time being as the first one is open source and the latter are affordable.
Edit: Managed to get a cheap 30E and will evaluate further from there and keep vyos and ubiquiti as alternatives.
This should give you at least an idea what Dev Tools are capable of so you aren't starting at 0:
https://developer.mozilla.org/en-US/docs/Tools
You'll want to especially check "Network Monitor" and the "Console" tab. The first one will show you what took so long to load and the second one will show you errors that get output to the console log.
Support will probably want you to provide an HAR file of a slow page load (Network Monitor tab -> top right corner "HAR").
I'm also interested in the document. Could you please try uploading to someplace else? All I got from that website was porn ads and fake warnings about trojans and my phone being infected, and then just an error when I actually tried to get that file. :(
This place looks promising, for example.
I checked this and it appears the default "certificate-inspection" profile is unchanged (correct) on our unit. I did try creating this profile from scratch but got the same result. I found that this is only affecting mail.google.com so far.
UPDATE: After further review, I have found that this bug only affects mail.google.com. I have been unable to find another website that gives certificate errors with the default certificate-inspection policy. I have tried recreating the certificate-inspection policy and using that one instead but the result is the same.
Eightwood Dual WiFi Antenna with RP-SMA Male Connector, 2.4GHz 5GHz Dual Band Antenna Magnetic Base for PCI-E WiFi Network Card USB WiFi Adapter Wireless Router https://www.amazon.com/dp/B07JVDNDCR/ref=cm_sw_r_apan_glt_fabc_FKACJ4B3DT6X9RW9YDNE
This should do the trick
Even partners have to pay for that.
A cheaper option is to buy these:
and
https://www.amazon.ca/gp/product/B08B7N7P2X/ref=dbs_a_def_rwt_hsch_vapi_taft_p1_i1
A good friend wrote this - he works for Fortinet. Pretty solid training guide.
The brackets come in the box with it so if you don't have them you'll probably need to find some generic ones that fit. Not sure if these would work and they're probably the wrong color but for example: https://www.amazon.com/RoutersWholesale-Compatible-Buffalo-TRENDnet-Products/dp/B07J4YZSYT/ref=sr_1_4?dchild=1&keywords=Rack+Bracket&qid=1617114754&sr=8-4
I always have at least one of these in my backpack at all time for situations like that. ;-)
+1 I bought ours from Amazon (and I do the same thing for the Forticare license each year) https://www.amazon.com/FORTINET-FortiGate-Network-Security-Firewall/dp/B07VYK8T56
I thought of the exact same thing! In theory it should work. But I am going to look into ProtonVPN first as mentioned elsewhere in this thread. If I can setup with FG with VPN that’d be the easiest. Haven’t had time to look into it yet though.
GeoIP is as reliable as it sounds... it’s a best guess of location, more based on registered owner, or a collection of people sharing location info publicly.
Also remember that you are ignoring VPN technologies entirely. I can be in GB a few minutes after Norway, followed by Slovenia, then USA, then Australia... all in the matter of an after lunch tea and cigarette break. (ps: I don’t live in any of those countries, but for $14.99/mo I can get a NordVPN account or something that says I do... which is where I would hack someone from given the choice... or an AWS instance in EurAsia).
I second sticking to route-based.
I've configured nearly a hundred IPsec tunnels since I became a Security Engineer, and still have not had a customer request connectivity from us that would require a policy-based VPN.
One example I could give that would favor Policy-based VPN's is in a home-usage scenario when you have a VPN Provider (such as - for example - NordVPN) and you have some traffic to hide (from ISP or parties spying on Public IP). These providers generally limit the amount of clients that may use the service in parallel.
If you were to set up the FortiGate as to be the IPsec "client", you could use the Policy-based VPN to tunnel multiple devices through the FortiGate and then through the IPsec tunnel whilst still maintaining only 1 active IPsec client: the FortiGate.
There doesn't seem to be any SKU. Here's the link to the product.
I just want the AV, IPS, etc. definitions to be updated to the most recent version available at the time of purchase. I won't even turn those features on for the wired subnets as I have extremely strict content filtering rule needs; however, I may turn it on for the wireless subnet, but that doesn't constitute a year's worth of subscription. Having them updated at the time I get hold of the equipment should only be the norm.
Having the ability to be able to update the firmware within 1 year from purchase should also be the norm.