Blogs

Realms are a feature on the FortiGate that I have written about in the past, but I never really did a detailed dive into them and how and when to use them. When a customer tells me they want to assign different policies to different users connecting to the FortiGate via VPN, my first thought is realms.  Realms allow you to define different authentication methods, assign different ranges of IP addresses, provide different customized portals (company vs D.B.A.) etc. The Recipe Create two realms; one for Corporate Users and one for Contractors. Have two separate ranges of addresses. Use Active Directory to authenticate corporate users. Use Local Users accounts to authenticate contractors. Change the default fqdn/corporate to corporate.fqdn Create policies that limit contractors to certain IP addresses on ssh and ping only.   The Ingredients Here are the ingredients for the realm configuration. Active Directory Configuration In a previous article, I wrote about using a normal u

When deploying EMS in your environment, you want to make sure the users can communicate back to EMS when connected internally as well as externally.  Is seems that there is some confusion so I decided to write this article on how I have deployed this. EMS Here we can see the hostname and the Listen on IP with the IP address of your server.   Check the Use FQDN radio button and then enter the FQDN (Fully Qualified Domain Name)  e.g.  ems.domain-name.com. You will want to enable the Remote HTTPS access and enter the necessary port. On the Pre-defined hostname you will see the actual hostname, as well as the FQDN. Enter the FQDN in the Custom Hostname section. You can add a certificate and I recommend it.  In this example, there is none. Once you fill out the information on the top screenshot, you should have the FQDN listed in the drop down.  You will want to make sure that you click the Open port 10443 in Windows Firewall. DN

Normally, I position FortiMail for anti-SPAM at customers.  However, today I decided to play with the Anti-SPAM feature on the FortiGate itself.   NOTE: You will require the UTM, Enterprise or the ala carte Email filtering license on the FortiGate. Here are the Fortinet FortiGate Bundles at time of this writing.  Check with your Fortinet Partner or Account Manager for the latest bundle features. Enabling the Features on the FortiGate Lets go to System then Feature Visibility and enable Email Filter and Email Collection Configuring the Profile Now that we have the feature enabled, you should see the option under the Security Profiles section. Once you are in the Email Filter section, you cam... Go to Security Profiles Then Email Filter Choose the default and choose Clone (Note: You can create one from scratch) In this example, we are going to choose Enable Spam Detection and Filtering on the top.  Then we are going to ad

Fortinet announced today it is opening the entire online, self-paced catalogue of advanced Network Security Expert training courses for free. Fortinet is making 24 advanced security courses available for free that cover topics ranging from Secure SD-WAN, public cloud security and secure access, among others. The majority of courses are from the official Network Security Expert Institute curriculum, which was previously available to Fortinet partners for free, but will now be open to anyone who is interested. The courses will be free for the remainder of 2020 to help address the rapidly evolving needs of organizations securing highly distributed and remote workforces. These courses also provide students and anyone looking to start a career in cybersecurity the opportunity to learn new skills or upskill. Fortinet’s NSE Institute now offers multiple levels of free training either for broad cyber awareness learning or technical upskilling. Globally, organizations have had

Although the FortGate CAN operate in transparent mode, I rarely used/use it.  Fortinet introduced VWire which is a layer 2 pair of interfaces.  These interfaces do NOT have an IP address assigned to either of them. You cannot add VLANs to virtual wire pairs. However, you can enable wildcard VLANs for a virtual wire pair. This means that all VLAN-tagged traffic can pass through the virtual wire pair if allowed by virtual wire pair firewall policies.  Essentially, it is similar to a transparent mode VDOM but better, less complex, and cleaner IMHO. Use Case: This is ONE Use Case but the possibilities are endless.  Lets say you have 20 locations and they are all connected via an MPLS circuit.  The remote sites are a hybrid of Trusted and Hostile sites meaning that they are known to have issues with Shadow IT.... (the ones NOT running FortiNAC, but that is a subject for a different post :smiling_face_with_smiling_eyes: ).  You want to make sure t

FortiSOAR™ is a holistic and enterprise-built security orchestration and security automation workbench that empowers security operation teams. FortiSOAR™ increases a team’s effectiveness by increasing efficiency, allowing for response in near real-time. In this video, you’ll see how FortiSOAR™ takes your security operation team to the next level by automating the incident response process and facilitating collaboration, behind one unified interface.

An organization's workforce is its most valuable asset. And when an employee can't work due to illness or injury, it impacts not only an organization's productivity, but also its morale. This toolkit helps both employers and employees understand the return-to-work process and provides resources to assist in getting employees back on the job quickly and smoothly. Effective return-to-work approaches can help employees work while still recuperating, protecting their earning power and boosting an organization's output. Furthermore, in many instances, work itself plays an important role in the recovery process.Learn more: https://www.dol.gov/odep/return-to-work/

When you configure a FortiGate in HA, normally, there is no way connect to the second box unless you ssh to the master and then connect via it to the secondary.  The only way to connect to the secondary box was using the following command: execute ha manage 0 %admin-account% There is another option named Reserved Management Interface .  Using this option, you can connect to each of the devices independently.  The use case for this would be to poll SNMP on each of the devices. In my example, I am using a 400E.  The 400E has a single HA interface so I am going to use port16 as the secondary HA and port15 as the management interface. On the Master Firewall Interface Configuration You will need to configure the port with the correct IP address it will use for the management config system interface edit "port15" set vdom "root" set ip 10.10.10.140 255.255.255.0 set allowaccess ping https ssh http fgfm set type physical se

Most of the documentation out there will tell you to configure a Domain Admin user to perform LDAP authentication.  When I am doing a Proof-of-Concept (PoC), and I tell a prospective customer to create me a Domain Admin user, I usually get a sigh and some evil eyes.  Sometimes this could be because a different group is required to create that user and sometimes it is a process and has regulatory impact.  Either way, I wanted to set the records straight Minimum User in AD I created a normal user named minaccess .  This user, as you can see, is ONLY a member of Domain Users . I used a user in AD to test the authentication named blevy and yes, this is a real person name Bryan Levy.  I populated my fake lab AD with people I know so that I could remember their names.  So Bryan, here is you 2 seconds of fame. As you can see, he is a member of Domain Users , IT and Professional-Services although his membership is irreleva

We recommend sending FortiGate logs to a FortiAnalyzer as it produces great reports and great, usable information.  However sometimes, you need to send logs to other platforms such as SIEMs.  When sending to a SIEM, you usually have an EPS or Event Per-Second charge, although some have moved to total amount of data.  You may want to filter some logs from being sent to a particular syslog server.   Here is a quick How-To setting up syslog-ng and FortiGate Syslog Filters. I am going to install syslog-ng on a CentOS 7 in my lab.  I always deploy the minimum install. Installing Syslog-NG This will be a brief install and not a log of customization.  Syslog-NG has a corporate edition with support.  Syslog-NG (paid and community versions) allow you to create a distributed syslog environment.  In another life, I owned an MSSP and we had an instance of syslog-ng running on our Linux firewalls and they would collect locally and forward to our SOC for

Putting together a presentation I am giving to some customers and decided I wanted to put together an article with a topic that is rarely discussed.  The FortiGate firewall can do two-factor authentication via email, and the beauty is it is included.  No additional license is required.  It is a very simple set up.  The downside to this method is similar to the SMS type OTP, if you do not have good signal, you may not get the email.  Let's get started. Configuring Email Server You can either use the Fortinet email server that comes configured or you can add your own. config system email-server set server "notification.fortinet.net" set port 465 set security smtps end You can also see this in the GUI These settings are under System then Settings Creating the User This user will need to be created on the CLI config user local edit "epass" set type password set two-factor email set email-to "manny@infosecmonkey.org" set

IPSec Remote Access VPN Naming Limitations on FortiGate There is a 15 character limit on the interface names in FortiOS.  When using IPSec for remote access VPNs, it is important to take this into account. As you can see in the screenshot above, anything that goes above 15 characters will error out. When you create a remote-access VPN using IPSec, the FortiGate will generate an interface for each remote access VPN based on the name of the VPN. As you can see above, there is a name section.  This will be the base for the interface name.  Here  is the formula                                        15 (Max Characters)  -  X  =  Y Where X is the number of  characters the name is and Y is the number of place holders you are left with.  If I base the number of my IPSec VPNs on my lab FortiGate 300E which supports 50,000 VPNs, the longer

I have been getting asked this question since this coronavirus thing started.  I decided I would address it with an article.  So the use case is:  You want to run a script after the user logs in.  This could be like mapping / mounting a share, running an application, etc. I wrote an article about packaging the FortiClient.  You can follow the same process however there is another section you need to modify. On Connect Windows Option I <on_connect> <script> <os>windows</os> <script> <script> <![CDATA[ net use x: \\10.1.1.43\home /user:mfernandez md c:\inbox copy x:\outbox\*.* c:\inbox ]]> </script> </script> </script> </on_connect> Option II I updated this to show how you can run a batch file or script file. <on_connect> <script> <os>wind

I have been playing with AWS a lot since the pandemic.  I wrote another article about adding some VIPs using Elastic IPs.  Here I will walk through deploying FAZ in my AWS lab environment. Here is my AWS environment.  Note: I am not an AWS master yet so don't flame me so bad because of my design :grinning_face: AWS Console Lets connect to your AWS console.  Once there you will need to make sure you are in the correct region.  Go to your EC2instances. Here you can see my VPCs.  I will be deploying this FAZ in VPC-A Under my EC2 tab, I can see a FortiGate and an Ubuntu Desktop I use as a jump box. Choose the Launch Instance button on the top. In the search box, type Fortinet and hit Enter You will see the following screen Choose the AWS Marketplace option Search for the BYOL option (if you are in fact bringing your license) You will get the typical Instance Type and their associated costs. Choose your instance type from the list. As you can see, I c

In this article, I discuss how to us the FortiGate and the Web-filtering profile to selectively whitelist certain YouTube channels while blocking all other YouTube channels.  I also discuss installing the CA certificate on a Windows device to use SSL decryption.  Note:  This is not a Fortinet site, it is my personal blog site.https://www.infosecmonkey.com/2020/04/20/restricting-youtube-to-specific-channels-on-fortigate-firewalls/

Team,As a proud sponsor and supporter of our military veterans, we are conducting a survey to understand the impact military service members and their families have on Fortinet’s business and culture.  Often Fortinet participates in competitive bids and government contracts, and may be asked questions about how Fortinet hires, trains, and supports veterans at Fortinet.   Answering these short questions will allow Fortinet to develop an ongoing database of metrics that can be used to analyze and improve our military programs.    You can now access the survey by visiting your NSE Institute dashboard.  Please complete this survey by end of day April 23rd.  Our veterans and our company thank you. Jay Garcia Global Veterans Program ManagerE: jaygarcia@fortinet.com M: 916.212.5017NSE Certified: Level 3  Skype: fortivets 899 Kifer Road | Sunnyvale, CA 94086 Learn more about our: Fortinet Veterans Program

Fortinet Team and FortiVet Program Employer Partners,The SHRM Foundation Veterans at Work Certificate, developed for HR professionals, hiring managers, and front-line supervisors, is a multi-faceted program from the SHRM Foundation and brought to you with generous support from Comcast NBCUniversal. Through this certificate program you will: Learn the value that skilled veterans bring to the civilian workplace Demonstrate your commitment to attract, hire and retain these talented professionals Earn 10 professional development credits toward your SHRM-CP or SHRM-SCP recertification The SHRM Foundation Veterans at Work Certificate is completely free and open to all. You do not need to be a SHRM member, and you do not need to hold a SHRM credential to earn this certificate. Ready to earn your SHRM Foundation Veterans at Work Certificate? https://shrm.org/foundation/about/Pages/Veterans-at-Work-Certificate-Program.aspx

As the global COVID-19 pandemic has curtailed our Accelerate 2020 plans in Barcelona, New York and Riviera Maya this year, I am excited to share the news that Fortinet has just announced the Accelerate 2020 conference digital edition from May 12-14, 2020. There will be 3 online events occurring at three different timezones - Americas, APAC and EMEA. This means, you can receive the information created for the in-person conferences from the comfort and safety of your own space and time.  So, grab the opportunity and register for a spot today.  And get your Accelerate conversations going here in the Fuse Community. Stay safe, sane & engaged!

Key Takeaways: Transitioning to a remote workforce has its challenges in terms of logistics to get people up and running from their home offices. Organizations also need to prioritize reducing this new attack surface by consistently protecting their users and data across all platforms. Most Fortinet customers already have many of the tools they need to implement a security architecture that can provide an efficient and secure transition to a remote workforce. If it isn’t already, your BCDR (business continuity/disaster recovery) plan should be updated with a step-by-step guide for a rapid transition to a teleworker model that can be executed to prevent business disruptions Executive Summary: Scenario: A crisis that halts/slows down business operations via: Pandemics Acts of Terror Natural Disasters Loss of critical infrastructure – water, electricity, transportation, etc. Risks of Teleworking: Exposure of data and resources to theft or malware by authorizing access from device

Whether you are upskilling, reskilling or educating yourself to help close the cybersecurity skills gap, it doesn’t matter. Fortinet has three no-cost courses available to anyone who is interested in educating themselves on potential threats and how to manage them. Free FortiGate Essentials Training Course In this new, stand-alone course, you will learn how to operate and administrate some fundamental FortiGate NGFW features. By the end of the course, you will acquire a solid understanding of how to deploy and maintain a basic network security solution. The course also covers how to enable users to remotely connect to your network in a secure way.  Using self-paced guided recordings, you will learn how to use firewall policies, user authentication, routing, and SSL VPN. You will also learn how to protect your users using web filtering and application control. Who Should Take This Course? The FortiGate Essentials Training Course will be of interest to individuals who have always th

Today’s businesses are fully aware of the consequences of a successful cyber attack, and yet they continue to struggle to put together a cyber security strategy that can deal with them effectively. And when you ask these organizations what their biggest challenge is to responding to threats in a timely manner, the most common response is likely tied to an overburdened SecOps team that cannot fully investigate every threat alert or encounter. Industry’s First On-Premise Deep Learning AI model To address these challenges, Fortinet invested and built Deep Learning models, a sophisticated form of AI that emulates the neurons found in a human brain, known as an Artificial Neural Network. After many years of training and refining, Fortinet has now developed a self-learning Deep Neural Networks (DNN) based solution named FortiAI: Virtual Security AnalystTM. FortiAI is aimed at alleviating the tedious work of studying malware characteristics to identify and classify them into threat categories

Executive Summary:   Challenge: Hiring skilled employees that can adequately protect the business from evolving threats Orchestrating point solutions together & having consistent security protections across different environments Too many alerts   Risk: Breaches caused from disgruntled ex-employees Exploitation from lack of visibility in patch management Security gaps from inconsistent security protections caused by the lack of communication between point products   What is Security Orchestration and Automation Response (SOAR): Gartner defines SOAR as “technologies that enable organizations to take inputs from a variety of sources and apply workflows aligned to processes and procedures” In layman’s term, a SOAR solution aggregate large amount of data into a single location and uses automation & orchestration to streamline processes for consistency & predictability   What is the problem FortiSOAR tries to solve: Staff shortages & evolving threa

We'd like to inform you that Accelerate 2020 Barcelona has been cancelled due to the health and safety concerns associated with the coronavirus.  What to expect; actions to take: Registration fees paid by credit card will be fully refunded over the next 5 - 7 days. All registrations will be canceled. No further action will be required. Contact your airline to cancel your flights. If you booked your hotel reservation through the Accelerate Barcelona Housing Bureau (B.Networks), be assured we are working closely with them on an action plan. Please be patient and you will be notified soon. Additional information is being prepared and will be emailed within the following days. We recognize the impact canceling an event has, and will truly miss spending time with you in Barcelona. Have any questions? please feel free to start a discussion here.

Thanks to the cloud, companies of any sizes are able to take advantage of nearly unlimited resources almost instantaneously. With the increase in cloud adoption, enterprises are also finding themselves needing to keep up with development. Automation has always been a key component in helping teams improve their operational processes. This is especially true when talking about the cloud. Not only do development team need to leverage automation, but security and networking needs to move with it. Serverless functions help leverage elastic and flexible security design that can help automate tasks on demand. Combined with FortiGate, customers can automate security threats from within their cloud infrastructure while enjoying the consistent security protections whether on premise or in the cloud.   With the introduction of VPC Port Mirroring in AWS, customers can now inspect, and mirror traffic sent to an elastic network interface (ENI). Using FortiGate with VPC Port Mirroring, AWS cust

The cliché of "threats are evolving" is unavoidable. That is because it is true. With threats constantly changing and becoming increasingly complex, organizations need a strategic vendor that can help them get not only visibility but is operationally smart.   The vendor needs to have solutions that enable organizations to operate more efficiently while navigating complexity and big data. To improve on your security strategies, companies should implement solutions that can ingest data quickly from different security solutions and categorize them into events. At the minimum, these solutions should have a way to then alert administrators to take action based on these events. The security vendor should have flexible solutions that can complement not only their solutions, but also be vendor agnostic and enable security administrators to go through logs and events, build a baseline model that will help them detect anomalies faster, continuously monitor their environment, and take auto r