Archive for the ‘networking’ Category

In this example a site-to-site VPN between two Fortigate firewalls will be created. I simulated two different locations using different AWS regions.

Ireland Fortigate Setup

VPN > IPsec Tunnels > Create New

Click Custom.

For Remote Gateway specify the Frankfurt Fortigate public IP and select the public-facing interface, then set the authentication method (pre-shared key), Phase 1 encryption, DH groups, and the local and remote networks.

Phase 2 authentication

Now create two IPv4 policies:

1. To allow outgoing traffic, from the local network (192.168.10.0/24) to the remote network (172.31.110.0/24) specified in the VPN settings

2. To allow incoming traffic, from the remote network (172.31.110.0/24) to the local network (192.168.10.0/24)

I created two address objects: LAN (for the local network) and Remote (for the remote network).

Policy & Objects > Addresses > New Address

Type: Subnet

Interface: Any

Creating the incoming IPv4 policy (from remote to local)

Incoming interface: VPN interface

Outgoing interface: LAN interface

Source: Remote network

Destination: Local network

Disable NAT

Creating the outgoing IPv4 policy (from local to remote network)

Incoming interface: LAN interface

Outgoing interface: VPN interface

Source: LAN network

Destination: Remote network

Disable NAT

Creating the static route

Now we need to create a route to the remote network (172.31.110.0/24) through the VPN interface.

Network > Static Routes > Create New

Destination: Subnet, specify the remote subnet

Interface: VPN interface

Creating the VPN connection from the Frankfurt Fortigate

Now we need to create exactly the same configuration on the other side (the Frankfurt firewall). The only differences are the remote peer IP and the local and remote networks.

- Create the VPN tunnel

- Create the incoming IPv4 policy

- Create the outgoing IPv4 policy

- Create the static route

Creating the VPN tunnel

Local network: 172.31.110.0/24

Remote network: 192.168.10.0/24

Incoming and outgoing policies

Create them as on the Ireland side, with the source and destination networks swapped, and add a static route to 192.168.10.0/24 through the VPN interface.

Now the VPN connection should be operational.

Blocking web pages in Fortigate

Posted: August 2, 2018 in networking

In one of the previous posts we configured a proxy policy to allow all traffic; in this one we'll see how to block all social media sites, or just some of them.

Security Profiles > Application Control > Social Media > Block (all social media sites will be forbidden).

Or, under the same section, click Web Filter > Enable URL Filter > Wildcard, type the site name with an asterisk as prefix (to block all subdomains), and choose Block.

Under Policy & Objects, enable Web Filter or Application Control on the policy and, depending on whether the default profile was modified or a new one was created, select the correct one from the drop-down menu.

The site(s) should now be blocked.
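
The URL-filter variant as FortiOS CLI, added as an example and not from the original post. The domain *social.example is a placeholder, the profile name block-social is my own, and the proxy policy from the earlier post is assumed to have id 1.

```fortios
# URL filter: a wildcard entry blocks the site and all of its subdomains
config webfilter urlfilter
    edit 1
        set name "block-social"
        config entries
            edit 1
                set url "*social.example"
                set type wildcard
                set action block
            next
        end
    next
end
# Web filter profile that uses the URL filter table above
config webfilter profile
    edit "block-social"
        config web
            set urlfilter-table 1
        end
    next
end
# Attach the profile to the existing proxy policy (id 1 assumed)
config firewall proxy-policy
    edit 1
        set utm-status enable
        set webfilter-profile "block-social"
    next
end
```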

In this example we'll configure port forwarding for a web site, so that a request to IP:8080 is redirected to port 80 and forwarded to a Windows web server behind the Fortigate firewall.

I created a custom VPC and an Internet Gateway (information on how to create a custom VPC can be found here).

Creating the Fortigate “public” route

Create a route table for the Fortigate “public” network, route all traffic to the Internet Gateway, and associate the “public” subnet (192.168.10.0).

Creating the route for the “private” network

Route all traffic from the “private” network (192.168.30.0) to the “internal” Fortigate interface.

Disable source-destination check on both Fortigate interfaces.


Click on the interface to locate the interface ID.

In the AWS console go to Network Interfaces, select the interface and from the Actions menu select Change Source/Dest. Check.

Select Disabled

Now log in to the Fortigate: Policy & Objects > Virtual IPs > Create New > Virtual IP

The mapped IP address is the address of the Windows web server.

Now create the incoming policy:

Incoming interface: External interface

Outgoing interface: Internal interface

Destination: Virtual IP
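
The virtual IP and the incoming policy as FortiOS CLI, added as an example and not from the original post. It assumes port1 is the external interface with address 192.168.10.10 in the “public” subnet, port2 is the internal interface, and the Windows web server is 192.168.30.10 in the “private” subnet; all three values are placeholders.

```fortios
# Virtual IP: port 8080 on the external interface maps to port 80 on the web server
config firewall vip
    edit "web-server-8080"
        set extintf "port1"
        set extip 192.168.10.10
        set portforward enable
        set protocol tcp
        set extport 8080
        set mappedip "192.168.30.10"
        set mappedport 80
    next
end
# Incoming policy: external to internal interface, destination is the VIP object
config firewall policy
    edit 0
        set name "web-inbound"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "web-server-8080"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The policy is only as tight as its service: narrowing "ALL" to the one forwarded port keeps the VIP from exposing anything else on the server.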

Fortigate Explicit Web Proxy

Posted: July 29, 2018 in networking

System > Feature Visibility > turn on Explicit Proxy

System > Settings > Inspection Mode > Proxy

Go to the internal interface and enable Explicit Web Proxy.

If you want to change the default proxy port:

Network > Explicit Proxy > under HTTP Port change the port number.

Policy & Objects > Proxy Policy

Type: Explicit Web

Outgoing interface: Internet-facing interface

Source: Internal addresses (LAN in my case)

Destination: All

Service: webproxy

Set the proxy address in your browser.

Now you should be able to browse the internet.
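
The same explicit proxy setup as FortiOS CLI, added as an example and not from the original post. It assumes port1 is the Internet-facing interface, port2 the internal one, the LAN address object exists, 3128 is the chosen proxy port, and the FortiOS release used here still sets inspection mode system-wide (newer releases set it per policy).

```fortios
# Proxy inspection mode (system-wide setting on this release)
config system settings
    set inspection-mode proxy
end
# Turn on the explicit proxy and move it off the default port
config web-proxy explicit
    set status enable
    set http-port 3128
end
# Accept explicit-proxy requests on the internal interface only
config system interface
    edit "port2"
        set explicit-web-proxy enable
    next
end
# Proxy policy: LAN clients may use the proxy towards the Internet-facing interface
config firewall proxy-policy
    edit 0
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "LAN"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end
```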

In the previous article we created an IPsec VPN (with a pre-shared key); now we'll create an SSL-VPN.

SSL VPN stands for Secure Sockets Layer virtual private network. It is also called web-based VPN or WebVPN. An SSL VPN provides remote-access connectivity from almost any Internet-enabled location using only a web browser that natively supports SSL encryption.

Below is a comparison between IPsec and SSL VPN:

[Figure: comparison table between IPsec VPN and SSL VPN]

Create the local network definition: Addresses > Create New > Address

There is a predefined VPN address range; I decided to use it.

Configuring the portal

Under VPN click SSL-VPN Settings and change the default port 443 (I chose 444).

Click SSL-VPN Portals under VPN; under Tunnel Mode optionally select the VPN pool.

Create the policy for access from the outside

With this policy, members of the VPN users group can access the local network.

The VPN_Users group was created in the previous post.

Testing access

Setting up FortiClient

Select SSL-VPN, enter the Fortigate public IP, check Customize port and type the port used for portal access.

In the last post we integrated Active Directory with the Fortigate; now we'll map the security group for VPN users to a Fortigate group.

User & Device > User Groups > Create New

Type: Firewall, then click Add

Click on the OU containing the VPN group, right-click the group and choose Add Selected.

Now from the VPN menu click VPN Creation Wizard.

Select the Fortigate “WAN” interface (outside in my case), define the pre-shared key and select the VPN group we created in the previous step.

Define the local interface, local addresses, VPN subnet and optionally a DNS server.

Now create the IPv4 policy

Go to Policy & Objects > IPv4 Policy

The incoming interface was created by the wizard; select the source and destination.

Download and install FortiClient.

Once installed, click Configure VPN.

Select IPsec VPN, specify the Fortigate WAN interface address and the pre-shared key defined in the previous steps.

I created two Organizational Units:

one for the service account fortigate_LDAP, used for searching Active Directory (service),

and one for the AD group into which all users who need to log in to the Fortigate will be put (fortigate).

User & Device > LDAP Servers > Create New

Enter the Domain Controller IP, the domain's Distinguished Name, the service account username and password, and set Bind Type to Regular.

Now map the AD group to a Fortigate group:

User Groups > Create New

Click Add

Click on the OU containing our group, select it, right-click and choose Add Selected.

Now associate this Fortigate group with an administrator profile:

System > Administrators > Create New > Administrator

Select “Match all users in remote server group”, select a profile, and from the drop-down select the Fortigate user group we created earlier.

In the Admin Profiles section we can create new profiles.

Now you should be able to log in with Active Directory user credentials.
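
The LDAP integration and group mapping from this post, and the same group-mapping step used for VPN_Users in the post above, as FortiOS CLI; this is an added example, not from the original posts. The server name AD-DC1, the address 10.0.0.10, the base DN dc=example,dc=local, the OU paths and the password are placeholders; the Fortigate group is given the name fortigate_admins.

```fortios
# LDAP server: Domain Controller, domain base DN, and the service account used to search AD
config user ldap
    edit "AD-DC1"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "CN=fortigate_LDAP,OU=service,DC=example,DC=local"
        set password "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
    next
end
# Fortigate group that matches only members of the AD group (VPN_Users is built the same way)
config user group
    edit "fortigate_admins"
        set member "AD-DC1"
        config match
            edit 1
                set server-name "AD-DC1"
                set group-name "CN=fortigate,OU=fortigate,DC=example,DC=local"
            next
        end
    next
end
# Administrator entry: any user matched in the remote group gets the selected profile
config system admin
    edit "ad-admins"
        set remote-auth enable
        set remote-group "fortigate_admins"
        set accprofile "prof_admin"
        set wildcard enable
    next
end
```

Without the config match block, every user the LDAP bind can authenticate would be a member of the group, so the AD group membership is the part that actually limits who can log in.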