In this video, you will learn how to use a URL filter to block access to Facebook and its subdomains.
When you enable the FortiGuard Categories to allow access to a particular type of content, such as Social Networking, you can still prohibit the use of specific websites within that category.
The recipe for this video is available here.
The post Blocking Facebook (Video) appeared first on Fortinet Cookbook.
In this recipe, you will configure a site-to-site, also called gateway-to-gateway, IPsec VPN between an office with Internet access restrictions (Remote Office) and an office without these restrictions (Head Office) so that the Remote Office can access the Internet through the Head Office, avoiding the restrictions.
To bypass this restriction, this example shows how create a site-to-site VPN to connect the Remote Office FortiGate unit to the Head Office FortiGate unit, and allow Remote Office staff to transparently browse the Internet to google.com using the Head Office’s Internet connection.
Note that both FortiGates run FortiOS firmware version 5.2.2 and have static IP addresses on Internet-facing interfaces. You will also need to know the Remote Office’s gateway IP address.
1. Configuring IPsec VPN on the Head Office FortiGateIn a real world scenario, a Remote Office’s ISP or something in their local Internet may be blocking access to Google, or any other site for that matter. |
|
|
On the Head Office FortiGate, go to VPN > IPSec > Wizard. Name the VPN, select Site to Site – FortiGate, and click Next. |
|
|
Set the Remote Gateway to the Remote Office FortiGate IP address The Wizard should select the correct Outgoing Interface when you click anywhere else in the window. Depending on your configuration, you may have to manually set the outgoing interface. Select Pre-shared Key for the Authentication Method. |
|
|
Under Policy & Routing, set the Local Interface to the interface connected to the Head Office internal network. For Local Subnets, enter the subnet range of the Head Office internal network. Depending on your configuration, this may be set automatically by the wizard. For Remote Subnets, enter the subnet range of the Remote Office internal network then click Create. |
 |
|
The VPN Wizard informs you that a static route has been created, as well as two two security policies and two address objects, which are added to two address groups (also created). |
|
|
Create a security policy to allow the Remote Office to have Internet access. Go to Policy & Objects > Policy > IPv4 and select Create New. Set Incoming Interface to the VPN interface created by the VPN wizard and set Source Address to the remote office address group created by the VPN wizard. Set Outgoing Interface to the Internet-facing interface and set Destination Address to all. Enable NAT and (optionally) enforce any company security profiles. |
|
2. Adding a route on the Remote Office FortiGate |
|
|
On the Remote Office FortiGate, create a static route that forwards traffic destined for the Head Office FortiGate to the ISP’s Internet gateway. (In this example, the Head Office FortiGate IP address is 172.20.120.154 so the destination IP/Mask is 172.20.120.154/255.255.255.0 and the ISP’s gateway IP address is 10.10.20.100.) |
 |
3. Configuring IPsec VPN on the Remote Office FortiGate |
|
|
On the Remote Office FortiGate, go to VPN > IPSec > Wizard. Name the VPN, select Site to Site – FortiGate, and click Next. |
|
|
Set the Remote Gateway to the Head Office FortiGate IP address. The Wizard should select the correct Outgoing Interface. Select Pre-shared Key for the Authentication Method and enter the same Pre-shared Key as you entered in Step 1. |
|
|
Under Policy & Routing, set the Local Interface to the interface connected to the Remote Office internal network. For Local Subnets, enter the subnet range of the Remote Office internal network. For Remote Subnets, enter the subnet range of the Head Office internal network then click Create. |
 |
|
The VPN Wizard informs you that a static route has been created, as well as two address groups and two security policies. |
|
|
Allow Internet traffic from the remote office to enter the VPN tunnel. On the Remote Office FortiGate, go to Policy & Objects > Policy > IPv4. Edit the outbound security policy created by the VPN Wizard. Change the Destination Address to all so that the policy accepts Internet traffic. |
 |
4. Establishing the tunnel |
|
|
On either FortiGate, go to VPN > Monitor > IPsec Monitor. Right-click the newly created tunnel and select Bring Up. |
 |
| If the tunnel is established, the Status column will read Up on both of the FortiGates. |  |
6. Results |
|
|
With the tunnel up, you can now visit google.com without being blocked, since the Internet traffic is handled by the Head Office FortiGate and the access restrictions on the remote FortiGate have been bypassed. |
 |
For further reading, check out IPsec VPN in the web-based manager in the FortiOS 5.2 Handbook.
The post Remote browsing using site-to-site IPsec VPN appeared first on Fortinet Cookbook.
In this video, you will learn to apply a web filter quota to an IPv4 policy with user or device authentication configured.
You will set a 5 minute time limit, or quota, on visiting any websites in the General – Personal Interest category. This accommodates users by allowing them the flexibility to visit websites of a personal nature when necessary.
Before you begin, ensure you have an active FortiGuard Web Filtering License subscription.
The recipe for this video is available here.
The post Web filtering quotas (Video) appeared first on Fortinet Cookbook.
In this video, you will learn how to block access to Google services such as Gmail for consumer accounts, while still allowing access for corporate accounts.
If your organization has set up a Google corporate account to use Google service such as Gmail or Google Docs, you can block users from accessing their personal Google accounts through your network, while allowing access to the corporate accounts.
The recipe for this video is available here.
The post Blocking Google Accounts (Video) appeared first on Fortinet Cookbook.
In this example, one user is temporarily allowed to override a web filter profile to be able to access sites that would otherwise be blocked.
In this example, web filtering blocks the Bandwidth Consuming category for all users, except those who can override the filter.
1. Enabling web filtering and multiple profiles |
|
|
Go to System > Config > Features and make sure that Web Filter is turned ON. |
 |
|
Select Show More and enable Multiple Security Profiles. Apply the changes. |
 |
2. Creating a user group and two users |
|
| Go to User & Device > User > User Groups. Create a new group for users who can override web filtering (in the example, web-filter-override). |  |
| Go to User & Device > User > User Definition and create two users (in the example, ckent and bwayne). |
|
|
|
|
 |
|
| Assign ckent to the web-filter-override group, but not bwayne. |  |
3. Creating a web filter profile and override |
|
|
Go to Security Profiles > Web Filter and create a new profile (in the example, block-bandwidth-consuming). Enable FortiGuard Categories, then right-click Bandwidth Consuming and select Block. |
 |
|
Go to Security Profiles > Advanced > Web Profile Overrides and create a new override. Set Scope Range to User Group, User Group to the web-filter-override group, Original Profile to the block-bandwidth-consuming profile, and New Profile to the default profile. Set an appropriate Expires time to control how long the override can be used (in the example, 100 hours after the override is created). |
 |
4. Adding the new web filter profile to a security policy |
|
|
Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet. Set Source User(s) to allow both the web-filter-override group and user bwayne. Under Security Profiles, turn on Web Filter and use the new profile. |
 |
5. Results |
|
|
Browse to blip.tv, a website that is part of the Bandwidth Consuming category. Authenticate using the bwayne account. The website is blocked. |
 |
|
Go to User & Device > Monitor > Firewall and De-authenticate bwayne. Browse to blip.tv again, this time authenticating using the ckent account. You can access the website until the override expires. |
|
For further reading, check out Web Filter in the FortiOS 5.2 Handbook.
The post Overriding a web filter profile appeared first on Fortinet Cookbook.
In this example, online gaming will only be allowed from 7-11PM. This includes gaming websites, applications, and consoles.
This example assumes that a general policy allowing connections from the internal network to the Internet has already been configured.
1. Enabling application control, web filtering, and device identification |
|
| Go to System > Config > Features and enable both Application Control and Web Filter. Apply your changes. |
|
| Go to System > Network > Interfaces and edit your lan interface. Enable Detect and Identify Devices. |  |
2. Configuring application control and web filtering |
|
|
Go to Security Profiles > Application Control and edit the default policy. Under Categories, select Game, and set the category to Block. Under Options, enable Deep Inspection of Cloud Applications. |
 |
|
Go to Security Profiles > Web Filter and edit the default profile. Enable FortiGuard Categories. Expand the General Interest – Personal category and select the sub-category Games. Set this sub-category to Block. |
 |
3. Editing your general policy to block gaming |
|
|
Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet. Set Source Device Type to all devices types that will be allowed on your network. Do not include Gaming Consoles. Under Security Profiles, enable both Application Control and Web Filter and set both to use to default profiles. Set SSL/SSH Inspection to deep-inspection. |
 |
3. Creating a schedule for when gaming is allowed |
|
|
Go to Policy & Objects > Objects > Schedules and create a new recurring schedule. Select all Days and set Start Time to Hour 19 (7PM) and Stop Time to Hour 23 (11PM). |
 |
4. Creating a policy that allows gaming between 7-11PM |
|
|
Go to Policy & Objects > Policy > IPv4 and create a new policy that will allow devices on the LAN to have Internet access. Set Schedule to use the new schedule. |
 |
|
Go to System > Dashboard > Status and enter the following in the CLI console, substituting the ID for the new policy. This will make sure that if someone is gaming during the allowed time, their session will be blocked after 11PM. |
|
6. Ordering the policies |
|
| Go to Policy & Objects > Policy > IPv4 and order the policies so that the general policy is located below the policy that allows gaming between 7-11PM. |  |
7. Results |
|
|
During the time that gaming is blocked, attempt to browse to a gaming website, such as Yahoo Games. The site is blocked. Attempt to run an online gaming application, such Steam. The application will be unable to connect to the Internet. |
 |
|
To view information about this blocked traffic, go to System > FortiView > Applications. |
 |
|
Attempt to connect to the Internet using a gaming console. The console will be unable to connect to the Internet. |
|
| Between 7-11PM, you are able to access the website, and all gaming applications and consoles can connect to the Internet. | |
For further reading, check out the Security Profiles in the FortiOS 5.2 Handbook.
The post Restricting online gaming to evenings appeared first on Fortinet Cookbook.
In this video, you will learn how to use remote IPsec and SSL VPN tunnels to bypass internet access restrictions.
A VPN tunnel is an encrypted traffic passage between two endpoints. In this example, the VPN tunnel is between a local user running FortiClient with restricted internet access, and a remote FortiGate with unrestricted internet access. Restricted internet access will be simulated with a Web Filtering Profile that blocks google.com. You can create an SSL VPN tunnel or an IPsec VPN tunnel to connect to the remote FortiGate unit, and you will be able to bypass the web filter and browse to google.com.
The recipe for this video is available here.
The post Remote browsing with VPN (Video) appeared first on Fortinet Cookbook.
In this recipe, you will use FortiGate web filtering to ensure that SafeSearch is applied to all Google search results. You will also block access to websites in the adult/mature content FortiGuard category for all network users.
This recipe requires an active FortiGuard web filtering licence.
1. Enabling web filtering |
|
| Go to System > Config > Features and make sure that Web Filter is ON. If necessary, Apply your changes. |  |
2. Blocking the Adult/Mature Content category and enabling Safe Search |
|
|
Go to Security Profiles > Web Filter and edit the default profile. Enable FortiGuard Categories. Select the Adult/Mature Content category and set it to Block. Under Search Engines, select Enable Safe Search and Search Engine Safe Search – Google, Yahoo!, Bing, Yandex. |
 |
3. Adding web filtering to your Internet access policy |
|
|
Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet. Under Security Profiles, enable Web Filter and set it to use the default profile. |
 |
4. Enforcing Google SafeSearch for all traffic |
|
|
Because Google search often uses the HTTPS protocol, web filtering alone may not be able to block all adult/mature content. There are two methods that can be used to enforce Google SafeSearch for all traffic: using full SSL inspection so that encrypted traffic is fully inspected (which can cause certificate errors), or changing the DNS records to force search traffic to use forcesafesearch.google.com. |
|
Method 1: Using full SSL inspection |
|
|
Go to Policy & Objects > Policy > IPv4 and edit the policy that allows connections from the internal network to the Internet. Set SSL/SSH Inspection to use the deep-inspection profile. Using the deep-inspection profile may cause certificate errors. For information about avoiding this, see Preventing certificate warnings. |
 |
Method 2: Changing the DNS records for www.google.com |
|
|
If you wish to force Google SafeSearch for your entire network, you can set the DNS entry for www.google.com (and another other Google search domains, such as www.google.ca) to be a Canonical Name (CNAME) for forcesafesearch.google.com. This will force all search traffic to use forcesafesearch.google.com. The method for changing the DNS records using your FortiGate varies, depending on whether your FortiGate is the network’s DNS server, or if an external server is used. |
|
FortiGate is the network’s DNS server |
|
| Go to System > Config > Features and select Show More. Make sure that DNS Database is ON. If necessary, Apply your changes. |  |
| Go to System > Dashboard > Status and enter the following command into the CLI Console using your internal interface: |
|
|
Go to System > Network > DNS Servers. The new server is listed under DNS Service on Interface. |
 |
|
Under DNS Database, select Create New. Set DNS Zone as Google, Domain Name to google.com, and disable Authoritative. |
 |
|
Under DNS Entries, select Create New. Set Type to Address (A), set Hostname to www, and IP Address to 216.239.38.120 (the IP address of forcesafesearch.google.com). |
 |
|
If required, create additional DNS Database entries for other Google search domains (entry for www.google.ca shown). A list of Google search domains can be found here. |
 |
The network uses an external DNS server |
|
| Using this method will cause your FortiGate to intercept all DNS queries. Because all DNS traffic will be forwarded to the FortiGate internal DNS Service, there might be a performance impact on the FortiGate. | |
|
Go to System > Config > Features and select Show More. Make sure that DNS Database is ON. If necessary, Apply your changes. |
|
|
Go to System > Network > Interfaces and create an interface to be used for the FortiGate DNS service. Set Type to Loopback Interface and assign an IP/Network Mask (in the example, 10.10.10.10/255.255.255.255). |
 |
| Go to System > Dashboard > Status and enter the following command into the CLI Console: | config system dns-server edit dns-loopback set mode recursive end |
| Go to System > Network > DNS Servers. The new server is listed under DNS Service on Interface. |  |
|
Under DNS Database, select Create New. Set DNS Zone as Google, Domain Name to google.com, and disable Authoritative. |
|
|
Under DNS Entries, select Create New. Set Type to Address (A), set Hostname to www, and IP Address to 216.239.38.120 (the IP address of forcesafesearch.google.com). |
|
|
If required, create additional DNS Database entries for other Google search domains (entry for www.google.ca shown). A list of Google search domains can be found here. |
|
|
Go to System > Dashboard > Status and enter the following command into the CLI Console to create a new virtual IP: Set src-filter to the IP range of your internal users (in the example, 10.10.80.2-10.10.80.100), extintf to your internal interface, and mappedip to the IP address of the loopback interface. |
|
|
Go to Policy & Objects > Policy > IPv4 and create a policy to use the virtual IP to intercept DNS queries. Set the Incoming Interface to your internal interface, the Outgoing Interface to the loopback interface, Destination Address to the virtual IP, and Service to DNS. Make sure NAT is disabled. |
 |
|
Select the Global View of the policy list. Make sure that the new policy is located above the policy that allows connections from the internal network to the Internet. |
 |
Results |
|
|
If you are using full SSL inspection, go to google.com and attempt to search for adult/mature content. When the results are shown, a message appears stating that SafeSearch is turned on. This cannot be undone. If you are using Google Chrome for Internet browsing, you may need to disable SPDY protocol in order for SafeSearch to turn on automatically. |
 |
| If you have altered the DNS settings, go to google.com. A message at the top of the page states that your network has turned on SafeSearch. |  |
For further reading, check out SafeSearch and DNS Services in the FortiOS 5.2 Handbook.
The post Blocking adult/mature content with Google SafeSearch appeared first on Fortinet Cookbook.
In this episode of Fortinet Stories, Nathan gets connected to FortiGuard and finds out how easy it is to secure his network.
Recipes included in this video:
The post Fortinet Stories Episode 2: FortiGuard appeared first on Fortinet Cookbook.
In this video, you will learn how to override a website’s FortiGuard Category rating. FortiGuard Categories are up-to-date lists of websites, which you can use to easily filter certain types of content. By overriding a site’s web rating, you can block a website that is in an allowed category, or allow a website that is in a blocked category. In this example, you will create a custom category for Allowed Sites, and add the Fortinet Cookbook website to it.
The recipe for this video is available here.
The post Web rating overrides (Video) appeared first on Fortinet Cookbook.
In this video, you will use FortiGate web filtering to apply SafeSearch to all Google results and also block access to websites in the adult/mature content FortiGuard category. In order to block encrypted traffic, you will also either use full SSL inspection or change your network’s DNS settings. By doing this, you can make sure that unsuitable content is blocked for all users on your network, even Google search results.
The recipe for this video is available here.
The post Blocking adult content with SafeSearch (Video) appeared first on Fortinet Cookbook.
This recipe uses a new FortiGuard feature: the Botnet C&C (command and control) database to protect your network from Botnet C&C attacks.
For this recipe, you will create a new DNS Filter Profile called Botnet&Facebook, block access to all known C&C addresses, and block access to the Social Networking FortiGuard category. In addition, you will enhance this with a Static Domain Filter in order to block access to www.facebook.com, and all of its affiliated subdomains.
For this recipe to work, your device must be licensed for the FortiGuard Web Filtering service. DNS filtering is only available when Inspection Mode is Proxy-based.
1. Enabling the DNS Filter Security Feature |
|
|
Go to System > Feature Select, and enable DNS Filter under Security Features. Select Apply. |
 |
2. Creating the DNS Filter Profile and enabling Botnet C&C database |
|
|
Go to Security Profiles > DNS Filter, and create a new profile called Botnet&Facebook. Right-click and block the Social Networking category from the FortiGuard category based filter table. |
 |
| Under Options, enable Block DNS requests to known botnet C&C. |  |
3. Configuring Static Domain Filter in DNS Filter Profile |
|
| In the DNS Filter Profile, enable Domain Filter under Static Domain Filter. You will now be able to add domains of your choosing. |  |
|
Select Create and enter *.facebook.com. Set Type to Wildcard, and set Action to Block. Make sure Status is enabled. This will block access to Facebook, and all its other affiliated subdomains. |
 |
4. Creating a DNS Filtering firewall policy |
|
|
Go to Policy & Objects > IPv4 Policy, and create a firewall policy that allows Internet access. Set Incoming Interface to the internal interface and set Outgoing Interface to the external interface. Set Source to all and set Destination Address to all. Set Schedule to always, set Services to ALL, and make sure NAT is enabled. |
 |
| Under Security Profiles, enable DNS Filter and select the Botnet&Facebook DNS Filter profile — this will automatically enable Proxy Options. |  |
5. Results |
|
|
To confirm that the DNS Filter Profile has been added, go to Policy & Objects > IPv4 Policy. The policy will now have the DNS filter icon in the Security Profiles column. |
 |
| To confirm that the filter is working correctly, open a browser and attempt to browse to www.facebook.com. The DNS request will be blocked. |  |
|
To confirm that the known Botnet C&C feature is working correctly, browse to a known Botnet site — the example is nateve.us. Again, the DNS request will be blocked. Note that the blocked pages may look different on other web browsers. |
 |
The post Protection from Botnet C&C attacks appeared first on Fortinet Cookbook.
In this recipe, you will set up sandboxing to send suspicious files to a FortiSandbox Appliance for further inspection. The FortiSandbox scans for threats that can get past other detection methods, using Windows virtual machines (VMs) to test suspicious files in isolation from your network.
You will also configure your FortiGate to automatically receive signature updates from FortiSandbox and add the originating URL of any malicious file to a blocked URL list. Finally, you will configure FortiClient to use extended scanning that includes FortiSandbox.
1. Connecting the FortiSandbox |
|
|
Connect the FortiSandbox to your FortiGate as shown in the diagram, so that port 1 and port 3 on the FortiSandbox are on different subnets. |
 |
|
FortiSandbox port 3 is used for outgoing communication triggered by the execution of the files under analysis. It is recommended to connect this port to a dedicated interface on your FortiGate (in the example, port 15), to protect the rest of the network from threats currently being investigated by the FortiSandbox. |
|
| FortiSandbox port 3 must be able to connect to the Internet. On the FortiGate, go to Policy & Objects > IPv4 Policy and create a policy allowing connections from the FortiSandbox to the Internet (using the isolated interface on the FortiGate mentioned above). |  |
|
On the FortiSandbox, go to System > Network > Static Routing and add static routes for both port 1 and port 3. The static route for port 3 must have the Destination/IP Mask 0.0.0.0/0.0.0.0, while port 1 is assigned the Destination/IP Mask for traffic in the local network. |
 |
|
Once the FortiSandbox has access to the Internet through port 3, it will begin to activate its VM licenses. Before continuing with this recipe, wait until a green arrow shows up beside Windows VM in the FortiSandbox’s System Information widget, found at System > Status. This indicates that the VM activation process is complete. |
 |
2. Enabling Sandbox Inspection |
|
|
On the FortiGate, go to System > External Security Devices. Select Enable Sandbox Inspection and select FortiSandbox Appliance. Set the IP Address (in the example, 172.20.121.128) and enter a Notifier Email, where notifications and reports will be sent. |
 |
| If you select Test Connectivity, the Status shows as Service is not configured because the FortiGate has not been authorized to connect to the FortiSandbox. |  |
|
On the FortiSandbox, go to File-based Detection > File Input > Device. Edit the entry for the FortiGate. Under Permissions, enable Authorized. |
 |
| On the FortiGate, go to System > External Security Devices and for FortiSandbox select Test Connectivity. The Status now shows that Service is online. |  |
3. Configuring sandboxing in the default AntiVirus profile |
|
|
Go to Security Profiles > AntiVirus and edit the default profile. Under Inspection Options, enable both Send Files to FortiSandbox Appliance for Inspection and Use FortiSandbox Database. If FortiSandbox discovers a threat, it creates a signature for that file that is added to the FortiGate’s AntiVirus signature database. |
 |
4. Configuring sandboxing in the default Web Filter profile |
|
|
Go to Security Profiles > Web Filter and edit the default profile. Under Static URL Filter, enable Block malicious URLS discovered by FortiSandbox. If the FortiSandbox discovers a threat, the URL that threat came from will be added to the list of URLs that will be blocked by the FortiGate. |
 |
5. Configuring sandboxing in the default FortiClient profile |
|
|
Go to Security Profiles > FortiClient Profiles and edit the default profile. Under AntiVirus, enable Realtime Protection, then enable Scan Downloads, followed by Scan with FortiSandbox. Enter the IP of the FortiSandbox. Decide if you want to wait for FortiSandbox results before sending files to the PC running FortiClient, or if you want downloaded files to be sent at the same time as they are being scanned by FortiSandbox. Enable Use FortiSandbox signatures to make sure new virus signatures and blocked URLs from the FortiSandbox are added to FortiClient’s databases. |
 |
|
This profile will be pushed to any device running FortiClient that is registered to your FortiGate. These settings can also be configured from within FortiClient’s AntiVirus settings. |
|
6. Applying AntiVirus and Web Filter scanning to network traffic |
|
|
Go to Policy & Objects > IPv4 Policy and view the policy list. If a policy has AntiVirus and web filtering scanning applied, the profiles will be listed in the Security Profiles column. |
 |
|
If scanning needs to be added to any security policy (excluding the Implicit Deny policy) select the + button in the Security Profiles column for that policy, then select the default AntiVirus Profile, the default Web Filter Profile, the appropriate Proxy Options, and the deep-inspection profile for SSL Inspection Options (to ensure that encrypted traffic is inspected). Then select OK. |
 |
7. Results |
|
| If your FortiGate discovers a suspicious file, it will now be sent to the FortiSandbox. To view information about the files that have been sent on the FortiGate, go to FortiView > FortiSandbox to see a list of file names and current status. |  |
|
You can also view results on the FortiSandbox by going to System > Status and viewing the Scanning Statistics widget. |
 |
|
Open FortiClient using a Windows PC on the internal network. Make sure it is registered to your FortiGate. Go to AntiVirus > Realtime Protection Enabled and edit the settings. You will see that the Realtime Protection settings match the FortiClient Profile configured on the FortiGate. These settings cannot be changed using FortiClient. |
 |
| On the FortiGate, go to Monitor > FortiClient Monitor. Select the FortiClient device, then select Quarantine. |  |
|
The PC is now quarantined by FortiClient and cannot connect to the Internet or other network devices. |
 |
|
A message appears in FortiClient, telling the user to contact the system administrator. FortiClient cannot be shutdown on the PC. It can also not be uninstalled or unregistered from the FortiGate. |
 |
|
If the PC had downloaded a suspicious file that the FortiSandbox determined was malicious, quarantine would be applied automatically. The quarantine can only be released from the FortiClient Monitor on the FortiGate. |
|
The post Sandboxing with FortiSandbox and FortiClient appeared first on Fortinet Cookbook.
In this video, you will learn how to exempt specific websites from SSL Deep Inspection.
Exempting a website from SSL Inspection allows a user’s browser to access it without errors, as deep inspection can prevent certain sites from functioning, and can cause some sites to produce certificate errors. You should only exempt websites that you trust.
In this example, we’ll exempt google.ca from SSL Inspection. If you’re following along, you should try exempting your local Google search domain instead.
The recipe for this video is available here.
The post Exempting Websites from SSL Deep Inspection (Video) appeared first on Fortinet Cookbook.
This recipe explains how to use a static URL filter to block access to Facebook and its subdomains.
By using SSL inspection, you ensure that Facebook and its subdomains are also blocked when accessed through HTTPS.
Find this recipe for other FortiOS versions:
5.2 | 5.4
1. Enabling Web Filtering |
|
|
Go to System > Feature Select to enable the Web Filter feature. |
 |
2. Editing the default Web Filter profile |
|
|
Go to Security Profiles > Web Filter and edit the default Web Filter profile. To block Facebook, go to Static URL filter, select URL Filter, and then click Create. |
 |
|
Set URL to *facebook.com. Set Type to Wildcard, set Action to Block, and set Status to Enable. |
 |
3. Creating the Web filtering security policy |
|
|
Go to Policy & Objects > IPv4 Policy, and click Create New. Give the policy a name that identifies its use. Set Incoming Interface to the internal network and set Outgoing Interface to the Internet-facing interface. Enable NAT. |
 |
| Under Security Profiles, enable Web Filter and select the default web filter profile. |  |
| Enable SSL/SSH Inspection and select certificate-inspection from the dropdown menu. This allows the FortiGate to inspect and apply web filtering to HTTPS traffic. |  |
|
The new policy has to be first on the list in order to be applied to Internet traffic. Confirm this by viewing policies By Sequence. To move a policy up or down, click and drag the far-left column of the policy. |
 |
4. Results |
|
|
Visit facebook.com HTTPS is automatically applied to facebook.com, even if it is not entered in the address bar. A FortiGuard Web Page Blocked! message appears. |
 |
|
Visit a subdomain of Facebook, for example, attachments.facebook.com. A FortiGuard Web Page Blocked! message appears, blocking the subdomain. |
 |
For further reading, check out Static URL Filter in the FortiOS 5.4 Handbook.
The post Blocking Facebook with Web Filtering appeared first on Fortinet Cookbook.
In this video, you will learn how to create and order multiple security policies in the policy table, to control and limit different types of network traffic.
You will create three policies: a basic Internet access policy, which allows users in the internal network to access the internet; a restrictive Mobile policy, allowing users to access the internet with mobile devices; and an Admin access policy, allowing system administrators full unrestricted access from their PCs.
The recipe for this video is available here.
The post Basic Firewall Policies (Video) appeared first on Fortinet Cookbook.
In this video, you will learn how to block access to Facebook and its subdomains using web filtering. To do this, you will create a static URL filter for facebook.com. You will also use SSL inspection, to make sure that encrypted traffic to Facebook is also blocked.
The recipe for this video is available here.
The post Blocking Facebook with Web Filtering (Video) appeared first on Fortinet Cookbook.
In this example, you will use endpoint control on an ISFW FortiGate that is part of a Cooperative Security Fabric (CSF). To do this, you will create a FortiClient Profile that only allows traffic from compliant devices to flow through the FortiGate. The FortiClient Profile will also enforce the use of AntiVirus, Web Filtering, and Application Control, and make sure that a current version of FortiClient is used.
In the example, the ISFW FortiGate has the host name Marketing. The FortiClient Profile is applied on the Marketing FortiGate, rather than External, because the internal network connects directly to this FortiGate.
This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.
This recipe requires both FortiOS 5.4.1 (or higher) and FortiClient 5.4.1 (or higher). If you need to upgrade, make sure to upgrade registered FortiClient endpoints to FortiClient 5.4.1 before you upgrade FortiGate.
1. Enabling endpoint control on the FortiGate |
|
| On the Marketing FortiGate, go to System > Feature Select and make sure that Endpoint Control is enabled. |  |
2. Enforcing FortiClient registration on the internal interface |
|
|
Go to Network > Interfaces and edit the interface used for the internal network. Under Administrative Access, enable FortiTelemetry. |
 |
| Under Admission Control, enable Enforce FortiTelemetry for all FortiClients. |  |
3. Configuring the FortiClient Profile |
|
| Configuring a FortiClient Profile allows you to control the security features enabled on the registered endpoint. The profile is automatically downloaded by FortiClient when it connects to the FortiGate. | |
|
Go to Security Profiles > FortiClient Profiles and edit the default profile. Set Non-compliance action to Auto-update, to make sure any non-compliant endpoints will have their configurations updated to become compliant. Enable AntiVirus, then enable both Realtime Protection and Up-do-date signatures. Enable both Web Filter and Application Firewall and select the default filters. Enable System compliance, then enable Minimum FortiClient version. Set both Windows endpoints and Mac endpoints to FortiClient 5.4.1 (or higher). |
 |
4. Setting up a compliant FortiClient device |
|
| Use a PC on the internal network that does not have FortiClient installed and attempt to connect to the Internet. A message appears stating that endpoint compliance has failed. The message also contains instructions about how to become compliant. |  |
| Install FortiClient on the PC, then go to the Compliance screen. Set up a FortiTelemetry connection to the Marketing FortiGate. |  |
| After the connection is made, the device may still appear as Non-compliant because it has to receive and apply updates from the Marketing FortiGate. |  |
5. Results |
|
| Once FortiClient shows that your device is Compliant, you are able to connect to the Internet. |  |
| On the Marketing FortiGate, go to Monitor > FortiClient Monitor. The PC is listed as a Compliant device. |  |
| On the External FortiGate, go to FortiView > Physical Topology. The PC appears connected to the Marketing FortiGate. |  |
| Go to FortiView > Logical Topology. The PC appears connected to the Marketing FortiGate. |  |
| Go to Monitor > FortiClient Monitor. Because endpoint control is applied to the Marketing FortiGate, the PC is listed as an Exempt device. |  |
The post Adding endpoint control to a security fabric appeared first on Fortinet Cookbook.
In this example, you will install two Internal Segmentation Firewalls (ISFWs) behind your External FortiGate. One of these FortiGates will be used to protect your Accounting team’s network, while the other will be used for the Marketing team. You will also enable a Cooperative Security Fabric (CSF) and use OSPF routing between these FortiGates.
This recipe is part of the Cooperative Security Fabric collection. It can also be used as a standalone recipe.
1. Configuring External to connect to Accounting |
|||||
|
In this example, the External FortiGate’s port 10 will connect to the Accounting FortiGate’s wan1. |
|||||
|
On the External FortiGate, go to Network > Interfaces and edit port 10. Set an IP/Network Mask for the interface (in the example, 192.168.10.2). Configure Administrative Access to allow FortiTelemetry, required for communication between FortiGates in the CSF. Configure other services as required. |
 |
||||
|
Go to Policy & Objects > IPv4 Policy and create a policy for traffic from the Accounting FortiGate to the Internet. Enable NAT. |
 |
||||
| Connect the FortiGates. | |||||
2. Configuring the Accounting FortiGate |
|||||
|
On the Accounting FortiGate, go to Network > Interfaces and edit wan1. Set an IP/Network Mask for the interface that is on the same subnet as the External FortiGate’s port 10 (in the example, 192.168.10.10). Configure Administrative Access to allow FortiTelemetry. |
 |
||||
|
Edit the lan interface. Set Addressing Mode to Manual and set the IP/Netmask to a private IP address (in the example, 10.10.10.1). Configure Administrative Access to allow FortiTelemetry. Under Networked Devices, enable Device Detection. |
 |
||||
|
Go to Policy & Objects > IPv4 Policy and create a policy to allow users on the Accounting network to access the Internet. Because OSPF routing will be used, make sure NAT is not enabled. |
 |
||||
3. Installing and configuring the Marketing FortiGate |
|||||
|
Connect and configure the Marketing FortiGate using the same method as the Accounting FortiGate. Make sure to include the following:
|
|||||
4. Configuring OSPF routing between the FortiGates |
|||||
|
On the External FortiGate, go to Network > OSPF. Set Router ID to 0.0.0.1 and select Apply. Expand the Advanced Options and set Default Information to Always, to make sure the default route is broadcast from External to the ISFW FortiGates. |
 |
||||
| In Areas, select Create New. Set Area to 0.0.0.0, Type to Regular, and Authentication to None. |  |
||||
|
In Networks, select Create New. Set IP/Netmask to 192.168.10.0/255.255.255.0 (the subnet that includes Accounting’s wan1) and Area to 0.0.0.0. Create a second entry with the IP/Netmask set to 192.168.200.0/255.255.255.0 (the subnet that includes Marketing’s wan1). |
 |
||||
|
On the Accounting FortiGate, configure OSPF routing as shown. The Networks in this configuration are the subnet that includes Accounting’s wan1 and the subnet for the Accounting Network. |
 |
||||
|
In the example, the Marketing FortiGate is a 90D, a model that does not support OSPF configuration using the GUI. To add OSPF routing, use the following CLI command: config router ospf
set router-id 0.0.0.3
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 192.168.200.0/255.255.255.0
next
edit 2
set prefix 10.10.200.0/255.255.255.0
next
end
end
|
|||||
5. Enabling the Cooperative Security Fabric |
|||||
|
On the External FortiGate, go to System > Cooperative Security Fabric. Enable Cooperative Security Fabric (CSF) and set a Group name and Group password. |
 |
||||
|
On the Accounting FortiGate, go to System > Cooperative Security Fabric. Enable Cooperative Security Fabric (CSF) and enter the name and password for the fabric. Enable Connect to upstream FortiGate and enter the IP address of External port 10. |
 |
||||
|
Configure CSF on the Marketing FortiGate, using the IP address of External port 11. |
|||||
6. Results |
|||||
|
On the External FortiGate, go to FortiView > Physical Topology. This dashboard shows a visualization of all access layer devices in the Cooperative Security Fabric. |
 |
||||
|
On the External FortiGate, go to FortiView > Logical Topology. This dashboard displays information about the interface (logical or physical) that each device in the CSF is connected to. |
 |
||||
|
Go to Monitor > Routing Monitor. You will see both ISFW FortiGates listed, using OSPF routing. |
 |
||||
7. (Optional) Adding security profiles to the fabric |
|||||
|
CSF configurations allow you to distribute security functions to different FortiGates in the security fabric. For example, you may want to implement virus scanning on the External FortiGate but add application control and web filtering to the ISFW FortiGates. This results in distributed processing between the FortiGates in the CSF; reducing the load on each one. It also allows you to customize the web filtering and application control for the specific needs of the Accounting network as other internal networks may have different application control and web filtering requirements. This configuration may result in threats getting through the External FortiGate which means you should very closely limit access to the network connections between the FortiGates in the CSF. |
|||||
|
On the External FortiGate, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting FortiGate to the Internet. Under Security Profiles, enable AntiVirus and select the default profile. Do the same for the policy allowing traffic from the Marketing FortiGate to the Internet. |
 |
||||
|
On the Accounting FortiGates, go to Policy & Objects > IPv4 Policy and edit the policy allowing traffic from the Accounting Network to the Internet. Under Security Profiles, enable Web Filter and Application Control. Select the default profiles for both. Do the same on the Marketing FortiGate. |
 |
||||
| Another strategy you could choose is to have flow-based inspection on the External FortiGate and proxy-based inspection used by the ISFW FortiGates. For more information, see Inspecting traffic content using flow-based inspection. | |||||
The post Installing internal FortiGates and enabling a security fabric appeared first on Fortinet Cookbook.
In this video, you’ll how to install two Internal Segmentation Firewalls behind an external FortiGate. Once these FortiGates are installed, you will set-up a Cooperative Security Fabric between the FortiGates. This fabric will span across an entire network, using FortiTelemetry to link the FortiGates together to protect the network.
This video is part of the Cooperative Security Fabric collection. It can also be used as a standalone video.
The recipe for this video is available here.
The post ISFW and Cooperative Security Fabric (Video) appeared first on Fortinet Cookbook.
Watch the video
Watch the video
