FGSP static site-to-site IPsec VPN setup

Ricardo Peart

Academic year: 2023

Upon failure of the FGSP member that is the primary gateway for a tunnel, the upstream router will fail tunnel traffic to another FGSP member. Each eligible FGSP peer will be the primary gateway for a set of dial-up tunnels and will be on standby for the remainder of the tunnels.

Allow IPsec DPD in FGSP members to support failovers

DC1_VM1 # diagnose vpn tunnel list name vpn1_1
list ipsec tunnel by names in vd 0

DC1_VM2 # diagnose vpn tunnel list name vpn1_1
list ipsec tunnel by names in vd 0

Standalone configuration synchronization

Unicast stand-alone configuration synchronization is supported at Layer 3, enabling peer-to-peer synchronization in cloud environments that do not support Layer 2 networking.

VRRP

VRRP domains can be created that can include multiple FortiGates and other VRRP-capable routers. FortiOS supports IPv4 and IPv6 VRRP, so that IPv4 and IPv6 VRRP virtual routers can be added to the same interface.

Basic VRRP configuration

Adding IPv4 and IPv6 virtual routers to an interface

VRRP failover

Up to two VRRP destination addresses can be configured to be monitored by the primary router. The backup router with the highest priority becomes the new primary router and takes over traffic processing.

VRRP groups

VRRP virtual MACs

Preempt mode

Single-domain VRRP example

Multi-domain VRRP example

If one of the FortiGates fails, the remaining FortiGate becomes the primary router of both VRRP domains. VRRP virtual MAC address is enabled on the port2 interface of both FortiGates so that the VRRP domains use their VRRP virtual MAC addresses.

VRRP on EMAC-VLAN interfaces

Because FortiGate B has a higher priority, it is the primary device and FortiGate A is the backup.

SNMP

Interface access

MIB files

SNMP agent

SNMP v1/v2c communities

In the Queries section, enable or disable v1 and v2c queries, then enter the port numbers that SNMP managers in this community use for them. In the Traps section, enable or disable v1 and v2c traps, then enter the local and remote port numbers that SNMP managers in this community use for them.

SNMP v3 users

Access control for SNMP

In this example, two MIB views are created and used with VDOM to control access for SNMP users and communities.

Important SNMP traps

Link Down and Link Up traps

SNMP traps and query for monitoring DHCP pool

Replacement messages

Modifying replacement messages

Replacement message images

Adding images to replacement messages

Right-click the message code where you want to add an image and select Insert Image. Edit the replacement message and include %%IMAGE:%% in the code to add the image.

Replacement message groups

The UTM message group includes custom email-related messages and is assigned an email filter profile. The authentication message group has a custom authentication success message that is applied to a proxy-based firewall policy that has an assigned email filter profile.

Anycast

The license information table shows the status of your FortiGate entitlements and provides an overview of the status of each service.

Connection and OCSP stapling

Configuring FortiGuard updates

Configuring a proxy server for FortiGuard updates

In the following example, a proxy server with IP address 10.1.1.1 is configured to listen on port TCP/3128 without authentication. In a closed network without direct Internet connection for web filtering or spam filtering, you can use FortiManager as a FortiGuard server.

Manual updates

UDP traffic cannot be routed through a proxy server, even if you are using FortiOS versions that support web filtering over port 443. In the pane that opens, click Download, locate the downloaded definitions file on your computer, and click Open.

AV and IPS manual updates

Automatic updates

Scheduled updates

Sending malware statistics to FortiGuard

Fortinet uses the malware statistics collected in this way to improve the performance of FortiGate services and to display statistics on the Fortinet support website for customers registered on FortiGate devices. Fortinet may also publish or share statistics or results derived from this malware data with various audiences.

Update server location

Filtering

Online security tools

Anycast and unicast services

Service | Non-anycast FQDN | Anycast domain name
FortiGuard object download | update.fortiguard.net | globalupdate.fortinet.net
FortiGuard query service (web filtering, anti-spam ratings) over HTTPS | |
FortiCloud FortiClient | forticlient.fortinet.net | globalfctupdate.fortinet.net
FortiCloud FortiMobile tokens | directregistration.fortinet.com | globalftm.fortinet.net
FortiCloud EMS cloud | forticlient-emsproxy.forticloud.com | service in unicast only

Cloud service communication statistics

When fmg-update-port is set to 443, the update process uses port 443 to connect to the replacement update server, which is the local FortiGuard server in the FortiManager. FortiGuard services that come from the server list (the local FortiGuard server in the FortiManager) use the traditional, non-OCSP TLS handshake.

IoT detection service

Using FortiManager as an override server for IoT query services

The proxy server can be configured in the FortiGuard settings so that all FortiGuard connections made by the forticldd process go through the proxy server. On FortiGate A, check the forticldd debug messages to see the connection to the log controller through the proxy server.

FDS-only ISDB package in firmware images

Licensing in air-gap environments

In air-gapped environments, FortiGuard packages such as AntiVirus and IPS must be manually loaded onto the FortiGate. Manual licensing for air-gapped environments is only supported on FortiGate hardware devices, both rugged and non-rugged models, running FortiOS 7.2.0 or later.

License expiration

For more information, see FortiGuard filter on page 1525 and DNS domain filtering based on FortiGuard category on page 1579. The CIS Compliance and Security Assessment component of the Attack Surface Security Assessment entitlement is required to run security assessment checks on all devices in the Security Fabric.

Feature visibility

Certificates

Automatically provision a certificate

Click Show Details to verify that the FortiGate FQDN is in the Subject: Common Name (CN) field of the certificate. No warnings should appear regarding untrusted certificates, and the certificate path must be valid.

Generate a new certificate

When you log in to FortiGate with an administrator account, no warnings should appear regarding untrusted certificates and the certificate path must be valid.

Regenerate default certificates

Import a certificate

Local certificate

PKCS #12 certificate

Certificate

Refer to the FortiOS CLI Reference for detailed options for each certificate type (Local, CA, Remote, OCSP Server, CRL).

Generate a CSR

Certificate Name: Enter the name of the certificate, as it will appear in the list of Local Certificates.
Organizational unit: Enter the name of the organizational unit under which the certificate will be issued.

CA certificate

Remote certificate

Certificate revocation list

Export a certificate

Uploading certificates using an API

In the HTTP request drop-down list, change the request from GET to POST, and enter the FortiGate's IP address and the URL of the API call. In FortiOS, go to System > Certificates and verify that the uploaded certificate is shown in the table (api_crt).

Procuring and importing a signed SSL certificate

Obtain, setup, and download an SSL certificate package from a certificate authority

Some CAs may automatically generate the CSR during the signing process or provide tools to create CSRs. In the certificate list, select the new CSR and then click Download to save the CSR to your computer.

Import the signed certificate into your FortiGate

Configure your FortiGate to use the signed certificate

Microsoft CA deep packet inspection

The FortiGate firewall uses information in the original web server certificate and then issues a new certificate signed by the Microsoft DPI certificate. The Microsoft CA root certificate is normally deployed to all client PCs in the Windows domain so that the client can complete the certificate path up to a trusted root CA.

Create a Microsoft sub CA certificate

FortiGate then sends this certificate with the issuing DPI certificate to the client's web browser when the SSL session is established. The browser verifies that the certificate was issued by a valid CA and then looks for the issuing CA for the Microsoft DPI certificate in its local trusted root CA store to complete the path to the trusted root CA.

Export the certificate and private key

Import the certificate and private key into the FortiGate

Configure a firewall policy for DPI

Verify that the sub CA certificate is being used for DPI

Administrative access using certificates

Creating certificates with XCA

XCA is an X.509 certificate generation tool that handles RSA, DSA, and EC keys, as well as certificate signing requests (PKCS #10) and CRLs.

Creating the XCA database

Creating a CA certificate

This is not a comprehensive guide to its use and does not explore all the options available when creating a certificate.

Issuing a subordinate CA certificate for deep inspection

Creating a server host certificate

This certificate can be used to identify an SSL or TLS server by uploading the certificate and key pair to the server, such as when the FortiGate presents the administrative web page or for SSL VPN authentication (see Configure your FortiGate to use the signed certificate on page 2802). Another use case for a server host certificate is to enable SSL server protection so that the FortiGate simulates the real server and initiates the connection (see Securing an SSL server on page 1876).

Creating a client host certificate

The FortiGate and client certificates are listed under the signing CA certificate and are ready to be exported.

Certificate formats

Enrollment over Secure Transport for automatic certificate management

FortiGate supports Enrollment over Secure Transport (EST) and the RFC 7030 standard when generating a new CSR, performing automatic renewals, or manually regenerating a certificate. EST provides stronger security for automatic certificate management than the Simple Certificate Enrollment Protocol (SCEP), which is commonly used for certificate enrollment.

Background

The CA certificate (G_CA_Cert_1) is used to verify the remote EST server's certificate and the certificates issued by the remote PKI.

2011] __est_curl_set_auth: Warning: cert est-test101 may not have correct key usage for TLS client authentication.

Security

BIOS-level signature and file integrity checking


The following examples describe the different use cases when upgrading firmware and AV files on a FortiGate model that supports BIOS security levels and a FortiGate model that does not support BIOS security levels.

Upgrading on a device with BIOS security levels

When running 7.4.0 and uploading an unsigned AV engine file to the System > FortiGuard page, FortiOS is unable to verify the certificates and rejects the file. When running 7.4.0 and uploading an unsigned AV engine file to the System > FortiGuard page, FortiOS does not verify the certificates.

Upgrading on a device without BIOS security levels

When running 7.4.0 and uploading an unsigned AV engine file to the System > FortiGuard page, FortiOS cannot verify the certificates and the file fails verification. When upgrading from 7.2.4 to 7.4.0 with an unsigned firmware image in the GUI, FortiOS cannot verify the certificates and the image fails verification.

Real-time file system integrity checking

When upgrading from 7.2.4 to 7.4.0 with a dual-signed firmware image, FortiOS verifies the certificates and accepts the image. A warning window will appear indicating that signature validation of this firmware has failed, but the user can click Continue to use the firmware.

How it works

A warning dialog appears indicating that this package file does not have a signature for validation, but the user can click OK to use the file.

Log summary

If a hash cannot be found, the file may be suspicious as it may be a new routine inserted by an attacker. If a hash does not match when the file is executed, it is an indication that it could have been modified by an attacker.

Detection examples

In the previous examples, where a mismatched or missing hash occurs, you should immediately alert technical support so they can gather information to start a forensic analysis with our internal PSIRT team. The system may block an offending binary that causes the system to malfunction, or the system may reboot to protect itself from compromise.

Configuration scripts

The script is executed immediately and the Script Execution History Table is updated, indicating whether the script ran successfully.

Workspace mode

After performing the commit, the changes are available to all other processes and are also made in the kernel. If changes are aborted, no changes are made to the current configuration or the kernel.

Custom languages

RAID

FortiGate uses SSL/TLS encryption for HTTPS and SSH management access and for SSL VPN remote access. When you establish an SSL/TLS or SSH connection, you can manage the encryption level and the ciphers used, to set the required security level.

HTTPS access

SSH access

SSL VPN

This cipher is not available when the SSL VPN security level (algorithm) is set to high. This cipher is not available when the SSL VPN security level (algorithm) is set to medium.

Additional features

WAN optimization

Explicit FTP proxy

Explicit web proxy

SSL Server

The config ssl-cipher-suites and config ssl-server-cipher-suites commands are only available when set ssl-algorithm or set ssl-server-algorithm, respectively, is set to custom.

VoIP

SSL algorithm security level

Caution is recommended when configuring cipher ranges manually, as choosing a cipher with an incompatible version can lead to unexpected problems. The SSL algorithm security levels marked with an asterisk (*) are not supported across different FortiOS features.

Other Products

Encryption algorithm security level

Conserve mode

Proxy inspection in conserve mode

If a security policy is configured to use antivirus scanning, the traffic it allows is blocked in conserve mode. So a policy with only IPS scanning enabled continues normally, but a policy with both IPS scanning and antivirus scanning is blocked, because antivirus scanning requires an antivirus proxy.

Flow inspection in conserve mode

Diagnostics

Using APIs

Token-based authentication

Creating the API administrator and generating the API token

Making an API call to retrieve information from the FortiGate

General API call

Since a generic API call for address objects returns a large amount of information, it can be useful to format the API call to display certain information using the format parameter. In this example, the format parameter is used to display the name and comment for each firewall address.

Filtering an API call

The Fortinet Security Fabric provides an intelligent architecture that interconnects discrete security solutions into an integrated whole to detect, monitor, block and remediate attacks across the entire attack surface. As part of improvements to reduce memory usage, FortiGate models with 2 GB of RAM cannot be the root of the Security Fabric topology or any part of the middle tier of the topology.

Components

See Configuring FortiMail on page 2918 for more information about adding FortiMail devices to the Security Fabric. See Configuring FortiMonitor on page 2918 for more information about adding FortiMonitor devices to the Security Fabric.

Security Fabric connectors

Other Fortinet products can be added to the Security Fabric, including FortiAuthenticator, FortiToken, FortiCache and FortiSIEM. Third-party products, belonging to the Fortinet Fabric-Ready Partner Program, can be added to the Security Fabric.

System requirements

Prerequisites

Prerequisite

Configuring the root FortiGate

This back-end implementation allows the root FortiGate in the security fabric to store historical user and device information in a database on its disk. The information source for the historical data will be the user_info daemon, which would write to disk when user_info informs user_info_history that the user has logged out or that the device is no longer connected.

Adding downstream devices

On the root FortiGate, go to Security Fabric > Physical Topology and verify that the downstream FortiGate you added appears in the Security Fabric topology. A downstream device can be authorized in the FortiGate root GUI using the Firmware and Registration page (see Authorizing devices on page 2507 for more information).

CLI commands

When a device is revoked, the serial number is stored in a trusted list that can be viewed in the CLI with the show system csf command.

Desynchronizing settings

Configuring logging and analytics

Logs Sent daily chart for remote logging sources

Go to the FortiAnalyzer or Cloud Logging tab to view a daily chart of the remote logs sent. FortiAnalyzer Cloud is used in this example.

Configuring FortiAnalyzer

Click OK on the confirmation window to open a window to authorize the FortiGate on FortiAnalyzer.

Configuring cloud logging

In the Security Fabric > Fabric Connectors > Logging & Analytics card settings, FortiAnalyzer Cloud is grayed out when you do not have a FortiAnalyzer Cloud entitlement. Once you have a FortiAnalyzer Cloud entitlement, FortiAnalyzer Cloud is available and you can authenticate by the certificate.

Configuring FortiClient EMS

FortiClient EMS Cloud can only be configured if the FortiGate is registered with FortiCloud and the right to EMS Cloud has been verified. If the FortiCloud account fails the FortiClient EMS Cloud permissions check, the option cannot be selected in the FortiClient EMS connector settings.

Troubleshooting

Configure the EMS server on the desired VDOM (here, root):

config endpoint-control fctems-override
    edit 1

Enter a file name for the certificate and click Browse to select the folder where it will be located, then click Next.

Using EMS silent approval in the Security Fabric

Allowing deep inspection certificates to be synchronized to EMS and distributed to FortiClient

Before deep inspection certificate synchronization is configured, a warning message is displayed when a FortiClient endpoint accesses the Internet through FortiGate with the firewall policy that has deep inspection. The FortiClient certificate store does not have the FortiGate's CA used in the SSL/SSH profile for deep inspection.

Allowing FortiClient EMS connectors to trust EMS server certificate renewals based on the CN field

If the setting is changed back to enable later, the user will need to re-approve the EMS certificate.

Synchronizing FortiClient ZTNA tags

Go to Zero Trust Tags > Zero Trust Tag Monitor to view the registered users that match the defined tag. You will see the ZTNA IP and ZTNA MAC tags synced from the FortiClient EMS.

Configuring LAN edge devices

When the FortiGate is managed in multi VDOM mode, EMS is configured in the global VDOM by default.

Configuring central management

Configuring FortiManager

If you have not yet configured the device model in FortiManager and used a pre-shared key for registration, you can enter any character for the PSK field in the execute central-mgmt command. After completing the GUI or CLI steps in FortiOS, go to FortiManager and authorize the FortiGate to complete the process.

Configuring FortiManager Cloud
